MD 100T00A ENU TrainerHandbook
Official
Course
MD-100T00
Windows 10
Disclaimer
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is
not responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2019 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/trademarks are trademarks of the
Microsoft group of companies. All other trademarks are property of their respective owners.
EULA III
13. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic
device that you personally own or control that meets or exceeds the hardware level specified for
the particular Microsoft Instructor-Led Courseware.
14. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led
Courseware. These classes are not advertised or promoted to the general public and class attendance
is restricted to individuals employed by or contracted by the corporate customer.
15. “Trainer” means (i) an academically accredited educator engaged by a Microsoft Imagine Academy
Program Member to teach an Authorized Training Session, (ii) an academically accredited educator
validated as a Microsoft Learn for Educators – Validated Educator, and/or (iii) a MCT.
16. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and
additional supplemental content designated solely for Trainers’ use to teach a training session
using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint
presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs,
classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not
include any software, virtual hard disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one
copy per user basis, such that you must acquire a license for each individual that accesses or uses the
Licensed Content.
●● 2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
1. If you are a Microsoft Imagine Academy (MSIA) Program Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led
Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User who is enrolled in the Authorized Training Session, and only immediately
prior to the commencement of the Authorized Training Session that is the subject matter
of the Microsoft Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they
can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure each End User attending an Authorized Training Session has their own
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the
Authorized Training Session,
3. you will ensure that each End User provided with the hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each Trainer teaching an Authorized Training Session has their own
valid licensed copy of the Trainer Content that is the subject of the Authorized Training
Session,
5. you will only use qualified Trainers who have in-depth knowledge of and experience with
the Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware
being taught for all your Authorized Training Sessions,
6. you will only deliver a maximum of 15 hours of training per week for each Authorized
Training Session that uses a MOC title, and
7. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer
resources for the Microsoft Instructor-Led Courseware.
2. If you are a Microsoft Learning Competency Member:
1. Each license acquired may only be used to review one (1) copy of the Microsoft Instructor-Led
Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware
is in digital format, you may install one (1) copy on up to three (3) Personal Devices.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or
control.
2. For each license you acquire on behalf of an End User or MCT, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Authorized Training Session and only immediately prior to
the commencement of the Authorized Training Session that is the subject matter of the
Microsoft Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) MCT with the unique redemption code and instructions on how
they can access one (1) Trainer Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure that each End User attending an Authorized Training Session has their
own valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of
the Authorized Training Session,
3. you will ensure that each End User provided with a hard-copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each MCT teaching an Authorized Training Session has their own
valid licensed copy of the Trainer Content that is the subject of the Authorized Training
Session,
5. you will only use qualified MCTs who also hold the applicable Microsoft Certification
credential that is the subject of the MOC title being taught for all your Authorized
Training Sessions using MOC,
6. you will only provide access to the Microsoft Instructor-Led Courseware to End Users,
and
7. you will only provide access to the Trainer Content to MCTs.
3. If you are a MPN Member:
1. Each license acquired on behalf of yourself may only be used to review one (1) copy of the
Microsoft Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led
Courseware is in digital format, you may install one (1) copy on up to three (3)
Personal Devices. You may not install the Microsoft Instructor-Led Courseware on a device
you do not own or control.
2. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one
(1) End User attending the Private Training Session, and only immediately prior to the
commencement of the Private Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the
unique redemption code and instructions on how they can access one (1) Trainer
Content.
3. For each license you acquire, you must comply with the following:
1. you will only provide access to the Licensed Content to those individuals who have
acquired a valid license to the Licensed Content,
2. you will ensure that each End User attending a Private Training Session has their own
valid licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the
Private Training Session,
3. you will ensure that each End User provided with a hard copy version of the Microsoft
Instructor-Led Courseware will be presented with a copy of this agreement and each End
User will agree that their use of the Microsoft Instructor-Led Courseware will be subject
to the terms in this agreement prior to providing them with the Microsoft Instructor-Led
Courseware. Each individual will be required to denote their acceptance of this agreement
in a manner that is enforceable under local law prior to their accessing the Microsoft
Instructor-Led Courseware,
4. you will ensure that each Trainer teaching a Private Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Private Training Session,
5. you will only use qualified Trainers who hold the applicable Microsoft Certification
credential that is the subject of the Microsoft Instructor-Led Courseware being taught
for all your Private Training Sessions,
6. you will only use qualified MCTs who hold the applicable Microsoft Certification credential
that is the subject of the MOC title being taught for all your Private Training Sessions
using MOC,
7. you will only provide access to the Microsoft Instructor-Led Courseware to End Users,
and
8. you will only provide access to the Trainer Content to Trainers.
4. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for
your personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you
may access the Microsoft Instructor-Led Courseware online using the unique redemption code
provided to you by the training provider and install and use one (1) copy of the Microsoft
Instructor-Led Courseware on up to three (3) Personal Devices. You may also print one (1) copy
of the Microsoft Instructor-Led Courseware. You may not install the Microsoft Instructor-Led
Courseware on a device you do not own or control.
5. If you are a Trainer:
1. For each license you acquire, you may install and use one (1) copy of the Trainer Content in
the form provided to you on one (1) Personal Device solely to prepare and deliver an
Authorized Training Session or Private Training Session, and install one (1) additional copy
on another Personal Device as a backup copy, which may be used only to reinstall the
Trainer Content. You may not install or use a copy of the Trainer Content on a device you do
not own or control. You may also print one (1) copy of the Trainer Content solely to prepare
for and deliver an Authorized Training Session or Private Training Session.
2. If you are an MCT, you may customize the written portions of the Trainer Content that are
logically associated with instruction of a training session in accordance with the most recent
version of the MCT agreement.
3. If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private
Training Sessions, and (ii) all customizations will comply with this agreement. For clarity, any
use of “customize” refers only to changing the order of slides and content, and/or not using
all the slides or content, it does not mean changing or modifying any slide or content.
●● 2.2 Separation of Components. The Licensed Content is licensed as a single unit and you
may not separate their components and install them on different devices.
●● 2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights
above, you may not distribute any Licensed Content or any portion thereof (including any permitted
modifications) to any third parties without the express written permission of Microsoft.
●● 2.4 Third Party Notices. The Licensed Content may include third party code that Microsoft,
not the third party, licenses to you under this agreement. Notices, if any, for the third party
code are included for your information only.
●● 2.5 Additional Terms. Some Licensed Content may contain components with additional
terms, conditions, and licenses regarding its use. Any non-conflicting terms in those conditions
and licenses also apply to your use of that respective component and supplements the terms
described in this agreement.
laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property
rights in the Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to
the Licensed Content. These laws include restrictions on destinations, end users and end use. For
additional information, see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is provided “as is”, we are not obligated to
provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you
fail to comply with the terms and conditions of this agreement. Upon termination of this agreement
for any reason, you will immediately stop all use of and delete and destroy all copies of the Licensed
Content in your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible
for the contents of any third party sites, any links contained in third party sites, or any changes or
updates to third party sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any third party sites. Microsoft is providing these links to third party sites to
you only as a convenience, and the inclusion of any link does not imply an endorsement by Microsoft
of the third party site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
11. APPLICABLE LAW.
1. United States. If you acquired the Licensed Content in the United States, Washington state law
governs the interpretation of this agreement and applies to claims for breach of it, regardless of
conflict of laws principles. The laws of the state where you live govern all other claims, including
claims under state consumer protection laws, unfair competition laws, and in tort.
2. Outside the United States. If you acquired the Licensed Content in any other country, the laws of
that country apply.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the
laws of your country. You may also have rights with respect to the party from whom you acquired the
Licensed Content. This agreement does not change your rights under the laws of your country if the
laws of your country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS AVAILABLE."
YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE AFFILIATES GIVES NO
EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY HAVE ADDITIONAL CONSUMER
RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT CANNOT CHANGE. TO
THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND ITS RESPECTIVE AFFILIATES
EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO
US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST
PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
Welcome to Windows 10
Course Introduction
Welcome to MD-100 - Windows 10!
Windows 10 is Microsoft's latest version of its OS and the most widely-adopted version in use today.
Unlike previous Windows OS versions, Windows 10 is continuously updated with new features and
capabilities, and offers new methods of deployment, management, and integration with today's cloud
technologies.
In this course, students will learn the tasks needed to install, configure, protect, and maintain the Windows
10 desktop. The tasks and information covered are designed for IT professionals supporting clients
and devices within an organization.
In this series, you will learn how to:
●● Install, personalize and update Windows 10
●● Configure networking and storage
●● Install and manage applications
●● Configure authentication and permissions
●● Protect the OS and data
●● Support and troubleshoot common issues
This course contains the following modules:
●● Installing Windows
●● Post-installation Configuration and Personalization
●● Updating Windows
●● Configuring Networking
●● Configuring Storage
Lab Introduction
Throughout the course you will be provided with the opportunity to complete a series of hands-on labs
that will test your ability to perform tasks in the software. Practice labs appear embedded throughout the
course near where you learned a skill. These labs allow you to practice what you just learned in a
hosted virtual software environment accessed through a web browser.
The lab environment consists of VMs configured as follows:
●● SEA-DC1 - Windows Server 2016 Domain Controller for adatum.com domain
●● SEA-CL1 - Windows 10 client joined to adatum.com domain
●● LON-CL2 - Windows 10 client joined to adatum.com domain
●● LON-CL3 - Windows 10 client WORKGROUP member
●● LON-CL4 - Windows 10 client WORKGROUP member
●● LON-HOST1 - Windows Server 2016 Hyper-V Host
●● LON-CL5 - Windows 10 client nested virtual machine on LON-HOST1
●● LON-CL6 - Windows 7 client WORKGROUP member
Note: Some VMs not listed above may be visible in the environment, but are not used for this course.
The password for all accounts (unless otherwise noted) is Pa55w.rd - this includes the local and domain
Administrator accounts.
The labs are located at the end of a module, however your instructor may choose to perform them at
different points during the course. The student manual includes a high-level summary and lab scenario.
Lab steps are either located in the lab environment itself or provided by the instructor. Your instructor will
provide instructions for how to connect to the lab environment.
While the lab environment is intended as a tool for practicing, keep in mind the lab environment is
persistent throughout the course. Should the labs need to be reset, you should consult the instructor
before doing so. Note that resetting the labs in the middle of the course may require some steps from
previous labs. While most exercises are independent, there are a small number that are dependent on
steps of another lab being complete. These dependencies are noted in the content.
WARNING – Be prepared for UI changes
Given the dynamic nature of Microsoft cloud tools, you may experience user interface (UI) changes that
were made following the development of this training content. This will manifest itself in UI changes that
do not match up with the detailed instructions presented in this lab manual. The Microsoft World-Wide
Learning team will update this training course as soon as any such changes are brought to our attention.
However, given the dynamic nature of cloud updates, you may run into UI changes before this training
content is updated. If this occurs, you will have to adapt to the changes and work through them in the lab
exercises as needed.
Module 1 Installing Windows
Introducing Windows 10
Lesson Introduction
Windows 10 operates across a wide range of devices, including desktop computers, laptops, tablets, and
other touch-enabled devices and phones. To optimize your users’ experience, you can choose between
several Windows 10 editions, each of which has slightly different features. This lesson describes the new
features in Windows 10 and provides guidance with respect to navigating and customizing the user
interface.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Windows 10.
●● Explain the new features available in Windows 10.
●● Explain the benefits of using Windows 10 for small and medium-sized organizations.
●● Discuss managing Windows 10 in an enterprise environment.
●● Describe the elements of the new Windows 10 user interface.
were typically maintenance related. They generally focused on enhancing security, performance, and
minor feature improvements.
With Windows 10, Microsoft has shifted from releasing a new version every few years to releasing new
capabilities at regular intervals. Instead of replacing or upgrading the previous OS with a new version,
new capabilities and features are delivered similarly to how OS updates are delivered. This is also known
as Windows as a service, which is covered more in-depth later in this course.
In recent years, Microsoft sought to expand the range of devices that its client operating system supports.
Windows 8 had introduced a touch-centric interface that enabled users to utilize the operating
system on handheld devices, such as tablets, as well as more traditional computing platforms, such as
desktop computers and laptops. At the same time, modifications to the operating system’s architecture
enabled support for non-Intel, processor-based devices, including devices installed with ARM processors.
Note: ARM provides a lightweight form factor with excellent battery life specifically for mobile devices.
However, please note that Windows 10 does not support ARM.
Windows 8 also supported touch-enabled versions of Microsoft apps, including Microsoft Office. Additionally,
the operating system allowed users to install small, more task-focused apps from an online store,
similar to what users might do with their other computing devices, such as Android phones and tablets,
or the Apple iPhone.
Windows 10 is the latest version of Microsoft’s client operating system. It offers many improvements over
Windows 7 and provides numerous important enhancements and functional improvements over Windows
8.1. You can install and run it on a variety of hardware platforms, ranging from traditional desktop
and laptop computers to tablets, phones, and other devices, such as the Xbox.
The release of Windows 10 incorporates feedback that Microsoft received from Windows 8.1 users
regarding interacting with the user interface when users installed the operating system on desktop
computers. The operating system now senses its own environment. When it discovers a desktop computer,
Windows 10 runs in desktop mode. In this mode, apps are resizable, and a more familiar, although
enhanced, Start menu is available to navigate the operating system. When running on a tablet, Windows
10 runs in the tablet mode with apps defaulting to a full-screen layout, and the Start menu becomes a
full-screen app. These subtle changes greatly increase the usability of the operating system.
Recovery tools
●● Reset this PC. By using the Reset this PC feature, you can return a device to its initial state, or recover
Windows 10 from corrupted operating system files and other errors. When you launch Reset this PC,
you can choose to:
●● Keep my files. This option retains your personal files, but removes apps and settings, and reinstalls
Windows.
●● Remove everything. This option removes all personal data, apps, and settings from the device, and
reinstalls Windows.
●● Advanced start-up options. These recovery features enable you to recover Windows 10 from
common errors. Options include:
●● Use a device. Enables you to recover Windows by using a universal serial bus (USB) drive, network
connection, or recovery disk.
●● Troubleshoot. Enables you to access Advanced options, including System Restore, System Image
Recovery, Startup Repair, Command Prompt, and Unified Extensible Firmware Interface (UEFI)
settings.
Virtualization
●● Client Hyper-V. Client Hyper-V on Windows 10 provides a flexible and high-performing client virtualization
environment. You can use this environment to use a single device to test applications and IT scenarios in
multiple operating system configurations. By using Client Hyper-V, IT departments can provide a
consolidated and efficient virtual environment through virtual-machine compatibility with Windows
Server.
●● Windows Sandbox provides a lightweight desktop environment for temporarily running applications
in an isolated environment. Launching Sandbox creates a pristine installation of Windows, isolated
from the host and without the need to download or create a separate VHD. When the application is
closed, everything is discarded.
Mobility Improvements
●● Support for multiple device types. Windows 10 runs on desktop and laptop computers, tablets and
similar devices, phones, the Xbox platform, and Microsoft HoloLens, thereby providing users with very
extensive access to the Windows 10 environment.
●● Bring Your Own Device support. Many users have their own personal computing devices, and they
might wish to connect these devices to their corporate networks so that they can access apps and
services, and work with data files. Bring Your Own Device (BYOD) is the ability to connect users’
personal devices to a corporate network. Windows 10 introduces a number of features that improve
the support of users who wish to bring their own devices.
●● Mobile broadband. Windows 10 provides support for embedded wireless radio. This support helps
to improve power efficiency and reduce the size of some devices.
●● Broadband tethering. You can turn your Windows 10 device into a Wi-Fi hotspot.
●● Auto-triggered VPN. If an app requires access to your company’s intranet, Windows 10 can automatically
trigger a virtual private network (VPN) connection.
Security Enhancements
●● Remote Business Data Removal. With Windows 10 and Windows Server, you can use Remote
Business Data Removal to classify and flag corporate files, and to differentiate between these files and
user files. With this classification, the remote wipe of a Windows 10 device will not remove user-owned
data when securing or removing corporate data on the device.
●● Improved biometrics. Windows 10 provides a number of improvements in the area of biometrics,
including the use of Windows sign-in, remote access, and user account control (UAC). Furthermore,
you can configure biometric authentication to enable Windows Store access.
●● Pervasive device encryption. On Microsoft Surface devices, device encryption is enabled by default,
and you can configure additional BitLocker Drive Encryption protection. You also can enable addition-
al management capability on the Windows 10 Pro and Enterprise editions.
●● Malware resistance. Windows Defender now includes network-behavior monitoring that can help to
detect and prevent the execution of known and unknown malware.
●● Device lockdown. The Assigned Access feature enables you to restrict the Windows Store app
experience on a device to a specific subset of apps, or even to a single app. This could be a line-of-
business (LOB) app in a kiosk scenario, or a set of educational apps for children in a school setting.
●● Virtual secure mode. This is a secure process-execution environment that Windows 10 introduces.
This execution environment helps protect system processes by running them in a separate, virtualized
container, known as a trustlet, rather than in the operating system itself. Because the Windows operat-
ing system does not have access to these trustlets, processes and data within them are safer.
●● Nearby Sharing. Nearby Sharing lets you instantly share your videos, photos, documents, and
websites with people and devices near you over Bluetooth or Wi-Fi.
Windows as a Service
Windows 10 will use a new method of delivering new features and functional changes. This method is
known as Windows as a Service. This is a major change from the past, when new Windows versions
arrived approximately every three years. This new way of delivering new functionality is comparable to
when the Windows 8.1 update came one year after the Windows 8 release.
With Windows 10, you can expect shorter release cycles, with bigger changes happening once a year.
Updates will no longer just be available on the second Tuesday of each month. Security and driver
updates will automatically download and install as soon as they become available for some Windows 10
editions. Other editions can defer some updates for a non-configurable period.
For more information about the new features in Windows 10, refer to What's new in Windows 10 at:
http://aka.ms/sfakvk
Furthermore, many of these devices might belong to the users themselves, and they might desire to
connect to their corporate network from these devices.
Despite the investment required, both in software licenses and in building employees' knowledge and
skills with new hardware, there are compelling reasons for small and medium organizations to update to
Windows 10 from Windows 7, including:
●● Easier to use. Windows 10 is easier to use, which means fewer calls to your support desk. The features
that make Windows 10 easier to use include:
●● Support for touch. Using a touch device is intuitive. For example, working with images and
navigating an operating system is easier when you are using touch rather than a mouse and
keyboard, especially if the user is not in a traditional office environment. Windows 10 supports
touch-enabled devices and optimizes itself for this environment, while continuing to support more
traditional input methods where required. An intuitive, user-friendly interface helps to reduce calls
for support.
●● A consistent user interface. If your users work on phones, tablets, and computers, they can work
more effectively and efficiently if you provide a consistent interface and access to Windows
Universal apps that they can use on any device.
●● Performance improvements. Windows 10 starts up more quickly, and due to improvements in
the architecture, navigating the operating system is faster, as well.
●● Continuous updates. Microsoft plans to provide updates on a continuous basis. This means that
rather than periodic upgrades, such as from Windows 7 to Windows 10, there will be a constant
process of smaller updates. Therefore, you will not have to perform wipe-and-load upgrades when a
new Windows version arrives. This reduces support efforts and costs.
●● Improved device management. You can choose to manage your Windows 10 devices by using
Configuration Manager or Microsoft Intune, which are part of the Microsoft Endpoint Manager platform.
The method that you choose depends on your needs, the number of devices you have, and the
complexity of your environment. For example, with Microsoft Intune, you can provide for cloud-based
management of mobile devices, apps, and PCs. You can provide your users with access to your
corporate apps, data, and resources from virtually anywhere and on almost any device.
●● Distribution of apps by using the Windows Store. Microsoft will provide organizations with the
ability to acquire Windows Store apps, and then by using a web portal, make those apps available to
their users. Additionally, Microsoft will allow organizations to create an organizational private app
repository within Windows Store for Business. These changes will allow you to deploy and manage
apps within your organization more easily.
●● More secure. Several new and improved features make Windows 10 more secure than Windows 7.
Keeping users' devices safe and secure helps reduce support costs.
If users manage their own computers, the following problems could occur:
●● Software update problems. Many users are unaware of the need to keep operating system and
application software up-to-date with security and operating system patches. Without centralized
update management, some users will not maintain software updates.
●● Anti-malware problems. Unless managed centrally, many users do not ensure that anti-malware
software is enabled and up-to-date.
●● Application management. Without centrally managed “locked down” configurations, users could
install unauthorized software. Users often install unauthorized applications as an alternative to going
through cumbersome organizational processes for requisitioning software.
●● Hardware support. When enterprises purchase hardware, they often sign contracts for extended
support. Should hardware fail, it is often relatively straightforward to obtain replacement parts, even
entire replacement computers, within the support period. When users purchase their own hardware,
they often are left to determine how best to repair the hardware should a failure occur.
To more efficiently manage a large fleet of computers, enterprises often use one or more standard
operating environments (SOEs). An SOE is a defined combination of operating system, applications, and
hardware configuration. SOEs have the following benefits:
●● Simplified deployment of new and replacement computers. Should new computers be required,
deploying an SOE is more straightforward than building a configuration from scratch. You often can
deploy an SOE from images using products such as Windows Deployment Services or Microsoft
Endpoint Configuration Manager.
●● Consistent applications and hardware across the organization. Should a failure occur, information
technology (IT) employees can replace the computer more quickly, enabling the user to remain
productive. The replacement computer will have the same applications as the original computer,
thereby ensuring that the user will have fewer adjustments to make to the replacement system.
●● Simplified inventory. Organizations must keep track of hardware and software assets. It is far simpler
to track hardware and software assets when all employees are using similarly configured computers,
than it is to track hardware and software assets when each person has a uniquely configured computer,
operating system, and application suite.
●● Simplified updating. SOEs make the process of managing operating system and application updates
simpler as the updates only need to be tested against a limited set of configurations.
●● Simpler software deployment. Products such as Intune or Configuration Manager help simplify the
process for deploying new or updated applications to computers.
navigate. However, when you use touch, you must use gestures to complete the same tasks. Therefore, to
select an item, you tap it. To open an item, use double-tap. To access an item's context menu, use tap and
hold.
Action Center
The Action Center consolidates notifications from the operating system with shortcut tiles that enable
you to perform common or frequently accessed tasks. To access the Action Center, select the
Notifications icon in the notification area in the Desktop mode, or swipe from the right in the Tablet mode.
Available tiles include:
●● Tablet mode. Switches between Desktop and Tablet modes. In the Tablet mode, all apps run full
screen, and Start displays as a full-screen app. The Desktop mode runs apps in resizable windows, with
Start appearing as a menu.
●● Rotation lock. Enables you to lock the display in either portrait or landscape modes.
●● Connect. Searches for and allows you to connect to wireless display and audio devices in the local
area.
●● Note. Opens a new note in Microsoft OneNote.
●● All settings. Launches the Settings app, which provides access to options for the device's
configuration and settings.
Introducing Windows 10 13
●● Battery saver. Toggles into battery saver mode. This reduces power consumption by reducing display
brightness and configuring other power-intensive operating-system components. Note: You can
configure Battery saver settings by using All settings, accessing System, and then Battery saver.
●● VPN. Enables you to configure and connect to a VPN.
●● Bluetooth. Enables you to toggle the Bluetooth radio on or off.
●● Brightness. Use this tile to step up or down the brightness range.
●● WiFi. Enables you to toggle the Wi-Fi radio on or off.
●● Flight mode. Enables you to disable all radios so that your device can safely be used onboard an
aircraft.
●● Quiet hours. Toggles into a setting that reduces the notifications that you receive.
●● Location. Toggles the location setting. Many apps use location to customize behavior and to provide
geographically pertinent information to the user.
●● Settings. You can access Settings from the All settings tile in the Action Center or by tapping Settings
in Start. You can configure almost all device settings within the Settings app.
Note: The specific tiles that you see vary depending upon the type of device that you are using. For
example, a desktop computer does not display the Rotation lock tile.
14 Module 1 Installing Windows
Lesson Objectives
After completing this lesson, you will be able to:
●● Explain the differences between the different editions of Windows 10.
●● Select the most suitable Windows 10 device for your needs.
●● Describe the minimum recommended hardware requirements for installing Windows 10.
Windows 10 Home
Windows 10 Home is the consumer-oriented desktop edition of Windows 10. It offers the familiar
Windows experience for PCs, tablets, and the new hybrid laptop/tablets. Windows 10 Home includes
several new features:
●● Cortana, the new personal digital assistant
Windows 10 Pro
Windows 10 Pro builds on the features of Windows 10 Home, with many extra features to meet the needs
of small and medium-sized businesses. Windows 10 Pro is also suitable for advanced consumers who are
looking for features such as BitLocker and virtualization.
Some of the features Windows 10 Pro provides:
●● Windows Autopilot. Leverages an existing Windows 10 installation to transform or reset the device to
a “business-ready” state, applying settings, policies, apps, and edition changes, without the need to
re-image.
●● Windows Update for Business. Manage Windows Update deployments for domain and non-domain
joined clients using tools such as Group Policy, an MDM, or Configuration Manager.
●● Domain Join. Computers that support domain join can be joined to an Active Directory domain.
●● Ability to join Azure Active Directory. This enables users to perform single sign-on (SSO) to
cloud-hosted apps.
●● Group Policy Management. Computers that support the Group Policy Management feature can be
managed using Group Policy when they are joined to an Active Directory domain.
●● BitLocker. BitLocker functions as a full volume encryption and boot environment protection solution.
●● Enterprise Mode Internet Explorer. A compatibility mode for Microsoft Internet Explorer enables
Internet Explorer 11 to emulate Internet Explorer 7 or Internet Explorer 8.
●● Assigned Access. This feature enables administrators to restrict a specific user account to use of a
single, specific Windows Store app. This feature is useful in kiosk scenarios where you want to allow
use of only a single app rather than all possible apps that are available to the computer or user.
●● Remote Desktop. This feature enables Remote Desktop connections from compatible Remote Desktop
Connection clients.
●● Client Hyper-V. Client Hyper-V enables you to host virtual machines on a client computer that has
sufficient hardware resources.
●● Windows Store for Business. Using Windows 10 Enterprise, you can use a special Windows Store for the
organization in addition to the normal Windows Store for apps.
●● Windows Update for Business. A cloud-based Windows Update solution that includes the ability to
configure distribution rings, maintenance windows, peer-to-peer delivery, and integration with
existing tools such as Microsoft System Center and Intune.
●● Enterprise Data Protection. This new Windows 10 feature enables organizations to control which
applications can access sensitive data.
●● Granular UX Control. This feature enables administrators to lock the user interface so that users can
perform specific tasks only. This feature is useful when deploying Windows 10 as a kiosk.
Note: Group Policy settings that affect features found in the Enterprise edition, but not in the Pro edition,
will have no effect on devices running Windows 10 Pro.
Windows 10 Enterprise
Windows 10 Enterprise builds on the features of Windows 10 Pro, with additional features that meet the
needs of large enterprises. Windows 10 Enterprise is available to Volume Licensing customers only. They
can choose the pace at which they adopt new technology, including the option to use the new Windows
Update for Business.
Windows 10 Enterprise also supports a broad range of options for operating system deployment and
device and app management.
Some of the features Windows 10 Enterprise provides:
●● DirectAccess. DirectAccess is a computer-authenticated, persistent virtual private network (VPN)
connection using IPSec. It allows remote computers to access internal network resources. It also allows
remote management of client computers. Note: Always On VPN, which was introduced in the
Windows 10 Anniversary Update and offers a similar experience to DirectAccess, is supported by
Windows 10 Home, Professional and Enterprise.
●● Windows To Go Creator. The Windows To Go Creator enables you to create a bootable installation of
Windows 10 on a supported USB storage device.
●● AppLocker. AppLocker is a feature of Windows 10 that enables administrators to control which
applications can act on a computer, including limiting access so that only specific versions of an
application can run.
●● Start Screen Control with Group Policy. This feature enables you to use Group Policy to customize the
appearance and content of the start menu or start screen.
●● Windows Defender Credential Guard. Virtualization-based security isolates secrets so that only
privileged system software can access them.
●● Windows Defender Application Control. Controls what applications run within your environment to
help block against malware and untrusted apps.
●● Windows Defender Application Guard. Opens untrusted websites in a Hyper-V container to isolate in
case the site is malicious.
Form factors
Prior to Windows 8, Microsoft had three types of devices: traditional PCs, mobile phones, and Xbox. The
release of Windows 8 saw new device types emerge, including tablets and other touch-enabled devices.
With Windows 10, Microsoft introduces two new types of devices: Microsoft Surface Hub and Microsoft
HoloLens. Here is a list of the different form factors and their typical use in a work environment:
●● Desktop PC. The desktop PC is the form factor of choice in businesses where the need for high
performance is predominant, such as computer-aided design (CAD).
●● Laptop. Traditionally, travelling users were the primary users of laptops. However, recently laptop sales
have surpassed desktop PC sales, perhaps due to increasing workforce mobility and superior laptop
performance. When a consumer uses a laptop as an office computer, the addition of an external
keyboard, mouse, and monitor can remedy the lack of workplace ergonomics.
●● Tablet. Tablets are popular for reading emails, doing presentations, or as entertainment devices. The
latest developments bring improved performance, but still lack in expansion possibilities.
●● Hybrid. The popularity of the tablet has led to the innovation of a hybrid device that converts from a
normal laptop to a tablet. Hybrid devices are more popular than tablets among users whose work
involves more typing. These devices also offer better performance than typical tablets.
●● Xbox. The Xbox is a device that is most popular for gaming and entertainment.
●● HoloLens. The HoloLens is one of the first holographic computers. It has many uses in education,
design, and construction businesses.
●● Surface Hub. The Surface Hub is a large-format, touch friendly monitor used in meetings.
Scenarios
●● Scenario 1. Contoso Pharmaceuticals considers purchasing new computers to control and supervise its
production lines. The production lines require special hardware with sensors in the computers that
employees will use to perform the supervision. The production line software is sensitive to major
changes in the operating system. Which edition of Windows 10 would you recommend for purchase
by Contoso Pharmaceuticals for supervision of its production lines?
●● Scenario 2. Samuel is an independent contractor. He travels often with his laptop, which contains
sensitive customer financial data. He is concerned about the impact to his business if his laptop is lost
or stolen. Which edition of Windows 10 would be best suited to protect his data?
●● Scenario 3. Contoso Pharmaceuticals is trying to secure their information technology (IT) infrastructure
by limiting the apps that users can run. Some employees install unauthorized apps on their devices.
Contoso wants to limit users to apps that are on the company’s list of approved apps. Which edition
of Windows 10 would you recommend that Contoso Pharmaceuticals use?
Scenario Answers
●● Scenario 1: Windows 10 Enterprise LTSC. As it does not receive feature updates, this minimizes changes
to the OS that may impact the sensitive application.
●● Scenario 2: Windows 10 Pro. While he can leverage any edition of Windows to take advantage of
features such as OneDrive to minimize losing data, or Windows Hello for biometric authentication,
features like BitLocker found in Windows Pro can protect his data from being accessed in the event his
device is stolen.
●● Scenario 3: Windows 10 Enterprise. With Enterprise edition, AppLocker can be used to limit users to run
only authorized apps.
OS requirements
The following section lists the minimum recommended hardware requirements for Windows 10. Windows
10 will install if some of these requirements are not met. However, user experience and operating system
performance might be compromised if the computer does not meet or exceed the following
specifications:
●● Processor: 1 gigahertz (GHz) or faster processor, or system on a chip (SOC)
●● RAM: 1 GB for 32-bit or 2 GB for 64-bit
●● Hard disk space: 16 GB for 32-bit or 20 GB for 64-bit
●● Graphics card: DirectX 9 or newer with Windows Display Driver Model (WDDM) 1.0 driver
●● Display: 800x600 pixels
Feature-specific requirements
Windows 10 offers additional features if the correct hardware is present. The following are some of the
hardware and software requirements for various additional features:
●● Windows Hello requires a specialized illuminated infrared camera for facial recognition or iris
detection, or a fingerprint reader that supports the Windows Biometric Framework.
●● Two-factor authentication requires the use of a PIN, fingerprint reader, or illuminated infrared camera,
or a phone with Wi-Fi or Bluetooth capabilities.
●● Depending on the resolution of the monitor, the number of simultaneously snapped applications
might be limited.
●● Touch requires a tablet or a monitor that supports multi-touch for full functionality.
●● Secure boot requires firmware that supports Unified Extensible Firmware Interface (UEFI) and has the
Microsoft Windows Certification Authority in the UEFI signature database. The secure boot process
takes advantage of UEFI to prevent the launching of unknown or potentially unwanted operating-system
boot loaders between the system's BIOS start and the Windows 10 operating system start. While
the secure boot process is not mandatory for Windows 10, it greatly increases the integrity of the
boot process.
●● Some applications might require a graphics card that is compatible with DirectX 10 or newer versions
for optimal performance.
●● BitLocker requires either Trusted Platform Module (TPM) or a USB flash drive (Windows 10 Pro,
Windows 10 Enterprise, and Windows 10 Education).
●● Client Hyper-V requires a 64-bit system with second level address translation capabilities and an
additional 2 GB of RAM (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education).
Second level address translation reduces the overhead incurred during the virtual-to-physical address
mapping process performed for virtual machines.
●● Miracast requires a display adapter that supports WDDM, and a Wi-Fi adapter that supports Wi-Fi
Direct.
●● Wi-Fi Direct Printing requires a Wi-Fi adapter that supports Wi-Fi Direct and a device that supports
Wi-Fi Direct Printing.
●● InstantGo works only with computers designed for connected standby. InstantGo allows network
connectivity in standby mode and allows for receiving updates, mail, and Skype calls with the screen
turned off.
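Scripting these checks, as an added example that is not part of the course text: the following PowerShell compares a computer against the minimum requirements listed above and reports the feature-specific prerequisites that matter most for security (Secure Boot, a TPM for BitLocker, and SLAT for Client Hyper-V). It assumes Windows PowerShell on Windows 10 running with administrative rights, because Confirm-SecureBootUEFI and Get-Tpm require elevation.

```powershell
# Added example, not part of the course text: Windows 10 readiness check built from
# the minimum requirements and feature-specific requirements listed in this lesson.
# Run from an elevated Windows PowerShell session.

function Test-Windows10Readiness {
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    # The system volume (usually C:), used as the disk-space figure.
    $sysVol = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    $is64 = $os.OSArchitecture -like '64*'
    # Minimums from the lesson text: 1 GHz CPU; 1 GB (32-bit) or 2 GB (64-bit) RAM;
    # 16 GB (32-bit) or 20 GB (64-bit) of disk space.
    $minRamGB  = if ($is64) { 2 }  else { 1 }
    $minDiskGB = if ($is64) { 20 } else { 16 }

    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $diskGB = [math]::Round($sysVol.Size / 1GB, 1)   # total size of the system volume

    $checks = [ordered]@{
        'CPU >= 1 GHz'          = ($cpu.MaxClockSpeed -ge 1000)   # MaxClockSpeed is in MHz
        "RAM >= $minRamGB GB"   = ($ramGB -ge $minRamGB)
        "Disk >= $minDiskGB GB" = ($diskGB -ge $minDiskGB)
    }

    # Secure Boot: Confirm-SecureBootUEFI returns True/False on UEFI firmware and
    # throws on legacy BIOS firmware, which this treats as "not enabled".
    try   { $checks['Secure Boot enabled (UEFI)'] = [bool](Confirm-SecureBootUEFI) }
    catch { $checks['Secure Boot enabled (UEFI)'] = $false }

    # BitLocker (Pro/Enterprise/Education) needs a TPM or a USB flash drive; report the TPM.
    try {
        $tpm = Get-Tpm
        $checks['TPM present and ready (BitLocker)'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    }
    catch { $checks['TPM present and ready (BitLocker)'] = $false }

    # Client Hyper-V needs a 64-bit system with Second Level Address Translation (SLAT).
    # Caveat: once Hyper-V is already enabled, Win32_Processor may report these
    # virtualization properties as False because the hypervisor owns the hardware;
    # systeminfo.exe shows the same effect under "Hyper-V Requirements".
    $checks['Client Hyper-V (64-bit + SLAT)'] =
        [bool]($is64 -and $cpu.SecondLevelAddressTranslationExtensions)

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = $checks[$name] }
    }
}

Test-Windows10Readiness | Format-Table -AutoSize
```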
Device drivers
Windows will detect most hardware and install the appropriate driver needed to support the device.
Many companies producing hardware have their drivers tested and certified at the Windows Hardware
Quality Labs and are delivered through Windows update.
However, you might not be able to find a built-in driver for a specific piece of hardware. Depending on
your deployment method, there may be a need to deploy the driver as part of the OS installation. The
best way to find drivers for hardware is to search the manufacturer’s website.
If Hyper-V is already enabled on the system, you will see the following message from systeminfo.exe:
Installation Methods
Lesson Introduction
Windows has several different methods of installation. Scenarios such as whether you are deploying for a
new or existing user, replacing a machine, or upgrading the OS are some of the factors that can
determine the installation method.
In this lesson, you will learn about the different methods for installing Windows 10 and about the
process of installing Windows 10.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the options available for installing and deploying Windows 10.
●● Understand the process of installing Windows 10.
●● Describe the methods of activation for Windows 10.
●● Describe the factors to consider in a new machine deployment.
In-place upgrade
Perform an upgrade, which also is known as an in-place upgrade, when you want to replace an existing
version of Windows 7 or Windows 8.1 with Windows 10, and you wish to retain all user applications, files,
and settings. For the home or small business user, you can run Setup.exe from a product media or from a
network share. During an in-place upgrade, the Windows 10 installation program automatically retains all
user settings, data, hardware device settings, apps, and other configuration information. We recommend
this method for existing Windows 7 and 8.1 devices. An in-place upgrade has four phases:
●● Checking the system
●● Installing Windows 10 with the Windows Preinstallation Environment (PE)
●● The first startup
●● Installing the Windows operating system and the second startup
You can stop and roll back an installation during any of these four phases. However, we recommend that
you always back up any important data, whether performing an upgrade, or as a periodic maintenance
function.
New deployments
A new deployment of Windows 10 involves performing a clean installation. With Windows 10, there are a
few different approaches to this.
●● Install Media. To perform a clean installation on a computer without an operating system (also
known as a “bare-metal” installation), start the computer directly from the media. If the computer
already has an operating system, run Setup.exe to start the installation. You can run Setup.exe from
either a DVD, USB, or network share.
●● System Image. This is typically a file that contains a "snapshot" of a generic computer with the OS
installed, including configurations and even apps already installed, that is essentially copied to the
target system's hard drive. Various tools are available for creating and deploying images, and imaging
has traditionally been the preferred method in medium and large organizations, because deployment
is faster than installing with media and is typically automated.
●● Windows Autopilot. If the computer already has Windows 10, Windows Autopilot can be used to
achieve the same state as a new deployment. It leverages the existing Windows 10 installation to
restore the machine to a "first-run" experience, but allows administrators to apply
organization-specific configurations and even some types of apps. As most new computers come with
Windows pre-installed, this enables organizations to achieve the same result as re-imaging for some
scenarios, without the need to deploy an entire image over a network, and reduces the number of
custom images.
Note: If you perform a clean installation on a hard disk partition that contains a Windows operating
system, existing Windows files are moved to a \Windows.old directory. This includes files in the Users and
Program Files folders and the Windows directory.
Migration
You perform a migration when you have a computer that is running Windows 7, Windows 8, or Windows
8.1, and you need to move files and settings from that operating system (the source computer) to the
Windows 10 computer (the destination computer). Perform a migration by doing the following:
●● Back up user settings and data.
●● Perform a clean installation.
●● Reinstall the apps.
●● Restore user settings and data.
There are two migration scenarios: side-by-side and wipe-and-load. In a side-by-side migration, the source
computer and the destination computer are two different computers. In a wipe-and-load migration, the
target computer and the source computer are the same. In a wipe-and-load migration, migration data is
captured and moved to a location off the computer, usually a network shared folder. After this, the
source operating system is wiped from the host. The destination operating system replaces the source
operating system, and the migration data is then restored from the safe location.
Provisioning
Using the Windows Configuration Designer tool, you can create provisioning packages with specific
configurations and settings. This package can be applied to a target Windows 10 device quickly, without
the need for installing a new image. Provisioning can be useful in small to mid-size organizations and
BYOD scenarios.
Refresh
When a Windows 10 device begins having problems such as not responding, frequent errors, or running
slowly, refreshing the OS can often be easier than spending significant time trying to troubleshoot the
root cause. Windows 10 offers two different methods of easily refreshing the OS:
●● Reset the PC. This method essentially reverts the machine to the original state of the image that
was used to install Windows, which can include third-party software if it was included in the image.
While technically not a deployment, as the PC uses the existing Windows installation, this option can
be an alternative to the traditional method of wiping and reloading the OS.
●● Fresh Start. This option installs a clean version of Windows 10. This removes any pre-installed
manufacturer apps, Microsoft apps such as Office, support apps, and third-party drivers, leaving only
what is included with a standard installation of Windows 10 and any Microsoft Store apps that the
manufacturer may have installed. Apps removed must be re-installed. This may also cause the loss of
digital licenses and entitlements associated with the PC. Fresh Start is only available on Windows
10 Home and Pro.
Both methods offer the option to keep user data. However, the Reset PC option also offers the option to
wipe all data, making it an effective choice for retiring the device or transferring ownership.
You can perform an automated installation when you use any of the above installation methods in
combination with an automation tool to make the installation more seamless or to remove repetitive
tasks from the installation process. Automated installations can take many forms, including pushing
pre-made images to computers by using an enterprise-level tool such as the Microsoft Deployment
Toolkit (MDT), Windows Deployment Services (DS), and System Center Configuration Manager, or even by
creating an answer file manually to provide information directly to the installation process.
Activating Windows 10
All editions of Windows 10 require activation. Activation confirms the licensing status of a Windows
product and ensures that the product key has not been compromised. The activation process links the
software’s product key to a particular installation of that software on a device. If the device hardware
changes considerably, you need to activate the software again. Activation assures software integrity and
provides you with access to Microsoft support and a full range of updates. Activation is also necessary if
you want to comply with licensing requirements. Depending on the license type, you may find that the
license is locked to that particular hardware. In this case, you may not install Windows 10 on another
computer with the same license.
Unlike Windows 7, Windows 10 does not have a grace period. You must activate Windows 10
immediately upon installation. Failure to activate a Windows operating system will prevent users from completing
customization. In older versions of the Windows operating system, activation and validation with the
Windows Genuine Advantage tool occurred separately. This caused confusion for users who thought the
terms were interchangeable. In Windows 10, activation and validation occur at the same time. If you wish
to evaluate Windows 10, Microsoft provides a separate evaluation edition that is available as an .iso
image file to Microsoft Developer Network (MSDN) subscribers and Microsoft partners.
Activation methods
There are three main methods for activation:
●● Retail. Any Windows 10 product purchased at a retail store comes with one unique product key that
you type in during product installation. Use the product key to complete activation after installing the
operating system.
●● OEM. OEM system builders typically sell computer systems that include a customized build of
Windows 10. You can perform OEM activation by associating the operating system to the computer
system.
●● Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software
licensing programs that are tailored to the size and purchasing methods of your organization. Volume
customers set up volume licensing agreements with Microsoft. These agreements include Windows
upgrade benefits and other benefits related to value-added software and services. Microsoft Volume
Licensing customers use Volume Activation Services to assist in activation tasks, which consist of
Active Directory–based activation, Key Management Service (KMS), and multiple activation key (MAK)
models.
You can view the Windows 10 activation status on the System properties page or by running the
following command:
cscript C:\windows\system32\slmgr.vbs -dli
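As an added example (not from the course text), the same status that slmgr.vbs -dli prints can be read programmatically from the SoftwareLicensingProduct CIM class, and the channel in its Description field shows which of the three activation methods above (Retail, OEM, or volume licensing via KMS or MAK) the installation uses. The Windows ApplicationId GUID and the LicenseStatus values are those defined for that class; the script assumes Windows PowerShell on Windows 10.

```powershell
# Added example, not part of the course text: report Windows activation status
# and activation method from the SoftwareLicensingProduct CIM class.

# ApplicationId that identifies Windows licenses (Office and other products have their own).
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

# LicenseStatus values defined by the SoftwareLicensingProduct class.
$LicenseStatusNames = @{
    0 = 'Unlicensed'
    1 = 'Licensed'
    2 = 'Out-of-Box grace'
    3 = 'Out-of-Tolerance grace (hardware changed)'
    4 = 'Non-genuine grace'
    5 = 'Notification'
    6 = 'Extended grace'
}

function Get-WindowsActivationStatus {
    # Only entries with a partial product key correspond to a key actually installed.
    $filter = "ApplicationId='$WindowsAppId' AND PartialProductKey IS NOT NULL"
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter |
        ForEach-Object {
            # Description carries the channel, for example "RETAIL channel",
            # "OEM_DM channel", "VOLUME_KMSCLIENT channel" or "VOLUME_MAK channel".
            $method = if     ($_.Description -match 'VOLUME_KMS') { 'Volume (KMS)' }
                      elseif ($_.Description -match 'VOLUME_MAK') { 'Volume (MAK)' }
                      elseif ($_.Description -match 'OEM')        { 'OEM' }
                      elseif ($_.Description -match 'RETAIL')     { 'Retail' }
                      else                                        { 'Unknown' }
            [pscustomobject]@{
                Edition           = $_.Name
                ActivationMethod  = $method
                PartialProductKey = $_.PartialProductKey
                LicenseStatus     = $LicenseStatusNames[[int]$_.LicenseStatus]
                GraceDaysLeft     = [math]::Round($_.GracePeriodRemaining / 1440, 1)  # value is in minutes
                KmsHost           = $_.DiscoveredKeyManagementServiceMachineName      # empty unless KMS
            }
        }
}

# Print the report and warn if any Windows license is not in the Licensed state,
# which is the condition the Activation troubleshooter is there to resolve.
$status = Get-WindowsActivationStatus
$status | Format-List
if ($status | Where-Object LicenseStatus -ne 'Licensed') {
    Write-Warning 'Windows is not fully activated; see Settings > Update & Security > Activation.'
}
```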
Activation troubleshooter
You can use the Activation troubleshooter in the Settings app to fix problems related to licensing and
version conflicts, and hardware changes that can affect your device’s activation status. To open the
Activation troubleshooter, perform the following steps:
1. Select Start, and then select Settings.
2. In the Settings app, select Updates and Security, and then select Activation.
3. On the Activation page, select Troubleshoot to begin.
Note: You must have Administrator privileges to use the troubleshooter.
their Windows-based mobile devices. You can customize your deployment process to enable
BitLocker after deployment.
●● Identify how you will handle licensing and activation. Smaller organizations usually have an individual
product key per user, while larger organizations might use Active Directory activation, Key
Management Service (KMS), or multiple activation keys (MAKs).
●● Identify critical apps that you must maintain post-deployment. You need to ensure that apps are
compatible with new operating systems or that you can mitigate any incompatibilities. You will learn
how to handle application compatibility issues in a later module.
●● Document your environment and choose the appropriate strategy based on the identified
information.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the process of upgrading Windows 10.
●● Describe the factors to consider when deciding to upgrade to Windows 10.
●● Describe the process of migrating to Windows 10.
●● Understand the considerations when choosing between the upgrade and migration processes.
●● Upgrade a device to Windows 10.
Evaluate
Before starting the upgrade, you must evaluate whether your computer meets the requirements needed to run Windows 10. If you are upgrading more than one computer, you should consider using the Application Compatibility Toolkit (ACT) and Microsoft Assessment and Planning Toolkit (MAP) to assess your organization’s readiness. You must determine whether any installed applications will have compatibility problems while running on Windows 10. ACT, which is a part of the Windows ADK for Windows 10, provides several tools that can assist with evaluating potential compatibility problems.
Back up
To prevent data loss during the upgrade process, back up any data and personal settings before starting
the upgrade. You can back up data to any appropriate media, such as tape, removable storage, writable
disc media, or a network shared folder.
Upgrade
After evaluating your computer requirements, and backing up your data and personal settings, you are
ready to perform the actual upgrade. To perform the upgrade, run the Windows 10 installation program
(setup.exe) from the product DVD, removable media, or a network share. If your computer supports an
in-place upgrade to Windows 10, you can select Upgrade during the installation process. The installation
program prevents you from selecting the upgrade option if an in-place upgrade is not possible. This
might occur for several reasons, such as your computer lacking sufficient disk space, or your current
Windows edition not supporting a direct upgrade to the Windows 10 edition that you want to install. In
this case, stop the upgrade process and resolve the indicated problem before attempting the upgrade
again.
Note: We recommend that you disable antivirus programs before attempting an upgrade.
Verify
When the upgrade completes, sign in to your computer, and verify that all of the applications and
hardware devices function correctly.
Update
Finally, determine whether there are any relevant updates to the Windows 10 operating system, and
apply them to your computer. It is important to keep the operating system up to date to protect against
security threats. You also can check for updates during the upgrade process. Dynamic Update is a feature
of Windows 10 Setup that downloads any critical fixes and drivers that the setup process requires. With
Windows as a Service, it is more important than ever to make sure your Windows-based computer is up
to date, because you m also receive new functionality via Windows Update.
Deprecated features
When you upgrade to Windows 10, there may be some features in your old operating system that will no
longer be available. The following list details the deprecated features that are not a part of Windows 10:
●● If you are running Windows 8.1 Pro with Media Center, Windows 8 Pro with Media Center, Windows 7
Home Premium, Windows 7 Professional, or Windows 7 Ultimate, Windows Media Center will no
longer be available.
●● You require separate software to play DVDs.
●● Windows 7 desktop gadgets will no longer be available when you install Windows 10.
●● Windows 10 Home users will have updates from Windows Update automatically available.
●● Solitaire, Minesweeper, and Hearts Games that come preinstalled on Windows 7 will no longer be available when you upgrade to Windows 10. Microsoft has released universal apps called the Microsoft Solitaire Collection and Microsoft Minesweeper.
●● If you have a USB floppy drive, you can download the latest driver from Windows Update or the
manufacturer's website.
●● If you have Windows Live Essentials installed, the installation of Windows 10 will replace the Microsoft
OneDrive application with the inbox version of OneDrive.
Back up
Before installing the new operating system, you must back up all user-related settings and program
settings with USMT. Additionally, you should consider backing up the user data. Although the Windows
10 installation will not erase user data by default, it is a good practice to back up your data to protect
against accidental loss or damage during installation.
Note: Before the installation begins, you can choose to repartition or reformat the hard disk. If you
choose one of these actions, all user data will be deleted from the hard disk.
Note: When you do a clean installation of Windows 10 without reformatting the hard disk, the existing
Windows installation will be moved to a windows.old directory containing the Windows, Program Files,
and Users directories. All remaining directories and files stay in place.
Install Windows 10
Run the Windows 10 installation program (setup.exe) from the product DVD, removable media, or a
network share, and perform a clean installation by selecting Custom (advanced) during the installation
process. Then follow the on-screen instructions to complete the installation.
Update
If you chose not to check for updates during the installation process, it is important to do so after
verifying the installation. Keep your computer protected by ensuring that you have the most current
updates installed.
Install applications
Upgrading and Migrating to Windows 10 35
Performing an upgrade by using a clean installation and migration process does not migrate the installed applications. When you complete the Windows 10 installation, you must reinstall all applications. Windows 10 may block the installation of any incompatible programs. To install any of these programs, contact the software vendor for an updated version that is compatible with Windows 10.
Restore
After installing your applications, application settings and user-related settings must be migrated to the
new device.
●● The User State Migration Tool (USMT) can be used to migrate application and user settings from one
Windows 10 device to another. USMT is covered in more detail later in this course.
●● OneDrive can be used to synchronize user files and settings between devices. OneDrive is also
covered later in this course.
In-place upgrade
The in-place upgrade is now the recommended way to move from an existing Windows operating system
to Windows 10. You perform an in-place upgrade when you want to replace an existing Windows version
with Windows 10, and you need to retain all user applications, files, and settings. To perform an in-place
upgrade to Windows 10, run the Windows 10 installation program (setup.exe), and select Upgrade. You
can run setup.exe from the product media or from a shared folder on the network. During an in-place
upgrade, the Windows 10 installation program retains all user settings, data, hardware device settings,
applications, and other configuration information automatically.
Best Practice: Always back up all of your important data before performing an upgrade.
Migration
You perform a migration when you have a computer already running the Windows operating system, and
you need to move files and settings from your old operating system (source computer) to the Windows
10–based computer (destination computer). Perform a migration by doing the following:
●● Back up the user’s settings and data
●● Perform a clean installation
●● Reinstall the applications
●● Restore the user’s settings and data
There are two migration scenarios: side-by-side, and wipe-and-load. In side-by-side migration, the source
computer and the destination computer are two different computers. In wipe-and-load migration, the
destination computer and the source computer are the same. To perform wipe-and-load migration, you
perform a clean installation of Windows 10 on a computer that already has an operating system, by
running the Windows 10 installation program, and then selecting Custom (advanced).
Note: Previously, migration was the recommended way to do upgrades, but now the in-place upgrade is
preferable.
In the previous topic, you learned about the difference between an in-place upgrade and a migration.
Each upgrade project is different, with circumstances that might support one over the other.
Considering in-place upgrade
In any potential upgrade scenario, there may be certain circumstances that favor an in-place upgrade.
However, there are also disadvantages to this process. The following lists outline the advantages and disadvantages of in-place upgrades.
Advantages:
●● Retains user settings, application settings, and files with no additional effort.
●● Preserves installed applications, and typically does not require reinstallation of applications.
●● Does not require additional storage space for migration files.
●● Affects user productivity minimally, and preserves user settings and data just as in the source computer.
●● Provides a simpler setup process.
●● Rollback is available in case of a problem.
Disadvantages:
●● Does not take advantage of the opportunity to start fresh with standardized reference configurations.
●● Preserved applications may not work correctly after upgrading from an older Windows version.
●● Remnant files or settings from the in-place upgrade may contribute to performance and security issues.
●● Does not allow for edition changes.
●● Is only available on supported operating systems.
●● The computer has to meet the minimum hardware requirements.
Considering migration
As an alternative, you might consider using the migration process. The following lists outline the advantages and disadvantages of migrations.
Advantages:
●● Offers a fresh start with the opportunity to clean up existing computers and create more stable and secure desktop environments, a significant advantage when creating a managed environment.
●● Allows for installation of any edition regardless of what edition was running previously on the computers.
●● Provides the opportunity to reconfigure hardware-level settings, such as disk partitioning, before installation.
●● Viruses, spyware, and other malicious software do not migrate to the new installation of Windows.
Disadvantages:
●● Requires the use of migration tools, such as USMT, to capture and restore user settings and data.
●● Requires reinstallation of applications.
●● Requires storage space for user settings and files to be migrated.
●● May have an impact on user productivity because of the reconfiguration of applications and settings.
Contoso Pharmaceuticals discovers that not all computers will have hardware drivers for Windows 10.
They will need to purchase 50 new computers. What is the best upgrade method for the 50 users who are
getting new computers?
Deployment Methods
Lesson Introduction
While a manual installation might be suitable for a small organization with a few devices to support, this
quickly becomes tedious with many devices, not to mention, difficult to maintain.
Fortunately, Windows supports several different methods of automating the deployment process and managing a large number of devices at scale. There are also various tools for performing these tasks.
Given the breadth of methods and tools for automating and performing large scale deployments, training
for these skills goes beyond the scope of this course. They are covered in further detail in the Managing
Modern Desktops course, MD-101. However, this lesson will provide an overview of what those tools and
processes are, as it's important for any IT professional supporting Windows 10 to be aware of these
methods and tools.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the different methods of automated desktop deployments.
●● Describe common tools used to perform automated steps.
●● Describe how to leverage virtualization in Windows 10.
●● Configure a Hyper-V virtual machine.
●● Azure Active Directory (AAD), and mobile device management (MDM). You can automatically join a device to AAD and enroll it in your management solution with no additional user interaction.
●● Provisioning packages. Using the Windows Imaging and Configuration Designer tool, create provisioning packages, the collection of apps and settings customized for your deployment, to apply to devices.
Traditional
Sometimes, deployment cannot be achieved through modern or dynamic methods. An organization’s existing infrastructure or configuration requirements may make it necessary to deploy using operating system images. You'll employ one of these methods:
●● Bare metal - Deploy to a new device with no operating system or wipe the existing device and deploy
with a fresh image.
●● Refresh - Also called wipe and load, redeploy a device by saving the user state, wiping the disk, then
restoring the user state.
●● Replace - Replace an existing device with a new one by moving the user state from the old device
and to the new device.
Client Virtualization
Most modern computers now include hardware to support virtualization. Virtualization (in the desktop
context) is the ability to install an OS and applications into a logical device (as opposed to a physical
machine). The most common use of this technology is to run multiple “instances” of computers on a
single computer and it is extensively used in server deployments. However, Windows 10 includes features
that allow clients to take advantage of virtualization as well.
Client Hyper-V
Client Hyper-V is the virtualization technology built into Windows 10 and Windows 8.x. It is the same
virtualization technology previously available only in Windows Server. Client Hyper-V enables you to run
one or more 32-bit or 64-bit x86 operating systems at the same time on the same host computer.
Instead of working directly with the computer’s hardware, the guest operating systems run inside a virtual
machine (VM). A virtual machine is a computing environment that is implemented in software and that
abstracts the hardware resources of the physical computer so that multiple operating systems can run
simultaneously on a single computer. Each operating system runs in its own virtual machine and is
allocated logical instances of the computer’s processors, hard disks, network cards, and other hardware
resources. An operating system that is running in a virtual machine is unaware that it is executing in a
virtual environment and behaves as if it exclusively controls the underlying physical computer’s hardware.
When discussing virtualization, the term Hypervisors is often used. A hypervisor is a virtualization platform
(like Hyper-V) that enables you to run multiple operating systems on a single physical computer called
the host computer. The main function of the hypervisor is to provide isolated execution environments for
each virtual machine and to manage access between the guest operating systems running in virtual
machines and the underlying hardware resources on the physical computer.
Windows 10 and applications can be deployed to virtual machines running on a hypervisor host just like a traditional installation. Client Hyper-V is useful for scenarios such as running an app that requires a different OS or version than the primary OS, or scenarios that require an isolated environment, such as driver testing or application compatibility testing.
Windows Sandbox
Windows Sandbox is a new feature introduced in Windows 10 version 1903 that allows Windows clients to set up an isolated environment without the need to configure Hyper-V, create a Windows 10 VM, or set up a VHD. This enables the user to quickly start an isolated, pristine Windows 10 environment for temporary use scenarios such as launching a downloaded executable that you may not fully trust.
Windows Sandbox features the following:
●● Included with Windows 10 Pro and Enterprise.
●● Pristine. Every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows.
●● Disposable. Nothing persists on the device. When Sandbox is closed, everything is discarded.
●● Secure. Uses hardware-based virtualization for kernel isolation, which relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
●● Efficient. Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
To use Windows Sandbox, virtualization must be enabled on physical hardware. If using a virtual machine,
nested virtualization must be enabled. Windows Sandbox must also be enabled in Windows Features.
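The Client Hyper-V description and the Windows Sandbox prerequisites just listed both come down to the same three steps on a Windows 10 Pro or Enterprise device: confirm that the hardware exposes virtualization, enable the Windows features, and (for Sandbox inside a VM) expose the virtualization extensions to the guest. The following script is an added example and not part of the course text; it is run from an elevated PowerShell, and the VM name, ISO path, disk folder and switch name are assumptions.

```powershell
# Added example (not from the course text). Checks virtualization prerequisites,
# enables Client Hyper-V and Windows Sandbox, and builds a Generation 2 test VM
# that can itself run Windows Sandbox (nested virtualization).
#Requires -RunAsAdministrator

function Test-VirtualizationPrerequisites {
    # Get-ComputerInfo exposes the four checks that systeminfo prints under "Hyper-V Requirements".
    # When a hypervisor is already running, Windows reports these as not applicable.
    $ci = Get-ComputerInfo -Property HyperVRequirement*
    [pscustomobject]@{
        FirmwareVirtualizationEnabled = $ci.HyperVRequirementVirtualizationFirmwareEnabled
        VmMonitorModeExtensions       = $ci.HyperVRequirementVMMonitorModeExtensions
        SecondLevelAddressTranslation = $ci.HyperVRequirementSecondLevelAddressTranslation
        DepAvailable                  = $ci.HyperVRequirementDataExecutionPreventionAvailable
    }
}

function Enable-ClientVirtualizationFeatures {
    # Optional feature names as shown by DISM: Hyper-V (all components) and Windows Sandbox.
    foreach ($feature in 'Microsoft-Hyper-V-All', 'Containers-DisposableClientVM') {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature).State
        if ($state -ne 'Enabled') {
            Enable-WindowsOptionalFeature -Online -FeatureName $feature -All -NoRestart | Out-Null
            Write-Host "Enabled $feature (restart required)"
        }
    }
}

function New-IsolatedTestVM {
    param(
        [string]$Name      = 'Win10-Test',            # assumed VM name
        [string]$IsoPath   = 'C:\ISO\Windows10.iso',   # assumed install media
        [string]$VhdFolder = 'C:\Hyper-V\Disks',       # assumed disk folder
        [string]$Switch    = 'Default Switch'          # NAT switch that Hyper-V creates on Windows 10
    )
    New-Item -ItemType Directory -Path $VhdFolder -Force | Out-Null
    $vhd = Join-Path $VhdFolder "$Name.vhdx"

    # Generation 2 gives UEFI firmware and Secure Boot for the guest.
    New-VM -Name $Name -Generation 2 -MemoryStartupBytes 4GB `
           -NewVHDPath $vhd -NewVHDSizeBytes 60GB -SwitchName $Switch | Out-Null
    # Expose VT-x/AMD-V to the guest so Windows Sandbox (or Hyper-V) can run inside it;
    # static memory is the recommended configuration for a nested host.
    Set-VMProcessor -VMName $Name -Count 2 -ExposeVirtualizationExtensions $true
    Set-VMMemory    -VMName $Name -DynamicMemoryEnabled $false
    Set-VMFirmware  -VMName $Name -EnableSecureBoot On
    Add-VMDvdDrive  -VMName $Name -Path $IsoPath
    Set-VMFirmware  -VMName $Name -FirstBootDevice (Get-VMDvdDrive -VMName $Name)
    Get-VM -Name $Name
}

Test-VirtualizationPrerequisites
Enable-ClientVirtualizationFeatures
New-IsolatedTestVM
```

After the guest operating system is installed, take a checkpoint (Checkpoint-VM) before running anything untrusted inside it; reverting to the checkpoint gives the same "disposable" behaviour that Windows Sandbox provides automatically.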
Deployment Strategies
You can use a number of different methods to install Windows 10. However, regardless of the method,
the image-based nature of the installation process and the desired result—a properly functioning
Windows 10 device—remain consistent. Determining which method to use and how to best implement
that method are important parts of the planning process for a Windows 10 installation.
In this topic, you will learn to analyze the reasons for using certain installation methods and implement
those methods. You will also learn about the new provisioning method in Windows 10 that you can use
to customize an existing Windows 10 installation with a provisioning package.
High-touch Deployment
The high-touch with retail media deployment strategy is suitable for small organizations that do not have information technology (IT) staff, or have IT staff members without deployment experience. Such organizations typically have fewer than 100 client computers. This strategy is the simplest way to deploy Windows 10. Insert the Windows 10 media and run the setup program. It is a manual installation that requires you to answer each prompt in the setup program.
Organizations with 100-200 client computers should consider high-touch with a standard image. This
strategy involves the creation of a standard image, by using the available tools in the Windows ADK,
which you can customize. It requires an IT professional with imaging knowledge and is ideal for small or
distributed networks with minimal configuration requirements.
Lite-touch Deployment
The Lite-touch Installation (LTI) deployment strategy is suitable for medium-sized organizations with 200–500 client computers. This strategy uses management tools such as Microsoft Deployment Toolkit (MDT) or Microsoft Intune. It is an easier deployment strategy, because administrators use a centrally managed console to automate the delivery of the OS, configurations, and applications. MDT also requires minimal infrastructure, and Intune is a cloud-based solution.
Zero-touch Deployment
The Zero-touch Installation (ZTI) deployment strategy is suitable for large organizations that typically have more than 500 client computers. This deployment strategy uses MDT and/or Intune together with Microsoft System Center Configuration Manager to deliver a more streamlined, fully automated deployment that does not require user interaction.
What is Imaging?
Imaging is the process of creating a “snapshot” of a reference computer with the desired OS, configurations, and apps pre-installed, and then deploying that snapshot to multiple computers. When the image is deployed, it essentially copies the reference computer configuration to the target computer. This has been the preferred method used in medium and large organizations for years.
Benefits of Imaging
●● Eliminates the manual process of installing the OS and configuring the device (and included apps) on
each target device.
●● Ensures devices have a consistent configuration. This reduces the chance for human error during the deployment and helps ensure devices are compliant and secure.
●● Imaging, along with a management tool such as MDT or Configuration Manager can make the
deployment process completely automated, with little to no action needed by IT or the end user, once
the device is plugged in.
Disadvantages of Imaging
●● Creating and managing images takes effort. Scenarios such as different requirements within the organization, updates to apps and the operating system, and hardware architecture can be contributing factors to the number of images needed. More images increase the overhead needed to maintain the images.
●● Creating and deploying images is more complex than manual deployment and requires advanced tools to manage the process.
●● Deploying images can consume considerable bandwidth during the process, and additional considerations are required when target clients have limited bandwidth and connectivity.
Autopilot
Autopilot is a new feature in Windows 10. The concept behind Autopilot was to reduce the need to reimage machines. Typically, when a new device is purchased, Windows is pre-installed on it by the hardware vendor, with the vendor’s preferred configuration. Autopilot reconfigures the device to a clean Windows install, providing an out-of-box experience while applying the organization’s desired configuration and applications. Configuring a device using Autopilot is typically easier than creating and managing images.
In addition to deployments, Autopilot can also help with refreshing and troubleshooting scenarios. Support staff dealing with a troublesome device will frequently opt to wipe and reimage the device. Autopilot Reset enables a similar result, reverting to a clean install of Windows 10 with configurations applied and applications reinstalled.
Beginning with Windows 10 version 1809, customers can use System Center Configuration Manager
version 1806 or later to convert existing Windows 7 and Windows 8.1 devices to Windows 10 devices
using Windows Autopilot.
Deployment Tools
Microsoft provides several tools for facilitating deployments
and managing devices when using imaging to deploy an OS.
To successfully deploy the Windows 10 operating system and
applications for your organization, it is essential that you
know about the available tools to help with the process. In
this topic, you will learn about the most commonly used
tools for Windows 10 deployment.
Windows ADK contains core assessment and deployment tools and technologies, including Deployment
Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD),
Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation
Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment
Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL
Server 2012 Express.
For example, if you need to add a driver to an existing image, you first mount the image (the /Index value selects which edition inside the WIM to service), then add the driver, and finally unmount the image and commit the change:
DISM /Mount-Image /ImageFile:C:\test\images\install.wim /Index:1 /MountDir:C:\test\offline
DISM /Image:C:\test\offline /Add-Driver /Driver:C:\drivers\mydriver.inf
DISM /Unmount-Image /MountDir:C:\test\offline /Commit
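The same mount, add-driver, unmount-and-commit sequence is available through the DISM PowerShell module. The script below is an added example, not code from the course or from the Windows ADK, and it uses the same image, mount and driver paths as the commands above; the image index and the use of a driver folder rather than a single INF are assumptions. It adds two things a practitioner wants when injecting drivers into a golden image: the driver package's catalog signature is verified before anything is injected (an unsigned driver in an image is a supply-chain problem, and DISM would require the -ForceUnsigned switch to accept it), and a failure at any step discards the mount instead of leaving a half-serviced image mounted.

```powershell
# Added example (not from the course text): offline driver injection with the
# DISM PowerShell module, with a signature check and a guaranteed unmount.
#Requires -RunAsAdministrator
Import-Module Dism

function Add-DriverToOfflineImage {
    param(
        [string]$ImageFile    = 'C:\test\images\install.wim',
        [int]   $Index        = 1,                  # edition inside the WIM; list with Get-WindowsImage
        [string]$DriverFolder = 'C:\drivers',       # folder containing the INF, CAT and binaries
        [string]$MountDir     = 'C:\test\offline'
    )

    # 1. Drivers are signed through their catalog (.cat) file. Require at least one
    #    catalog and a valid Authenticode signature on every catalog before injecting.
    $catalogs = Get-ChildItem -Path $DriverFolder -Recurse -Filter *.cat
    if (-not $catalogs) { throw "No driver catalog (.cat) found under $DriverFolder" }
    $bad = $catalogs | Where-Object { (Get-AuthenticodeSignature $_.FullName).Status -ne 'Valid' }
    if ($bad) { throw "Refusing to inject drivers with invalid signatures: $($bad.FullName -join ', ')" }

    # 2. Record the image hash so the change can be audited later.
    $before = (Get-FileHash -Path $ImageFile -Algorithm SHA256).Hash

    New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
    Mount-WindowsImage -ImagePath $ImageFile -Index $Index -Path $MountDir | Out-Null
    $committed = $false
    try {
        # 3. Inject every INF under the folder (equivalent of DISM /Add-Driver /Recurse).
        Add-WindowsDriver -Path $MountDir -Driver $DriverFolder -Recurse | Out-Null

        # 4. Verify the driver now appears in the offline image before committing.
        $added = @(Get-WindowsDriver -Path $MountDir |
            Where-Object { $_.OriginalFileName -like "$DriverFolder*" })
        if ($added.Count -eq 0) { throw 'Driver not present in the mounted image after Add-WindowsDriver' }

        Dismount-WindowsImage -Path $MountDir -Save | Out-Null
        $committed = $true
    }
    finally {
        # Any failure above discards the mount rather than leaving a stale, half-applied mount.
        if (-not $committed) { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
    }

    [pscustomobject]@{
        ImageFile    = $ImageFile
        Sha256Before = $before
        Sha256After  = (Get-FileHash -Path $ImageFile -Algorithm SHA256).Hash
        DriversAdded = $added.Count
    }
}

# Usage: inject the driver package from C:\drivers\mydriver into index 1 of install.wim.
Add-DriverToOfflineImage -DriverFolder 'C:\drivers\mydriver'
```

Keeping the before and after hashes of install.wim alongside the change record lets you later prove which drivers went into the image that was deployed.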
Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image.
VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based
activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell
(instead of the old command-line tool). For example, if you want to get information from the VAMT
database, you can type:
Get-VamtProduct
Windows PE is a minimal 32-bit or 64-bit operating system with limited services, built on the Windows 10 kernel. Windows PE replaces the DOS or Linux boot disks that were once used. Use Windows PE during Windows installation and deployment to boot the computer and start the setup program. Windows PE provides read and write access to Windows file systems, and supports a range of hardware drivers, including network connectivity, which makes it useful for troubleshooting and system recovery. You can run Windows PE from the CD/DVD, USB flash drive, or a network, by using the Pre-Boot Execution Environment (PXE). The Windows ADK includes the tools to build and configure Windows PE. The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily, Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box.
Windows PE is no longer part of the ADK install, and is now a separate download that can be found at https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/download-winpe--windows-pe.
A machine booted with the Windows ADK default Windows PE boot image.
WDS requires AD DS, DHCP, and DNS. WDS can be managed using the WDSUTIL command-line tool,
Windows PowerShell, or an MMC snap-in. WDS also has the capability to manage drivers; however, driver
management through MDT and Configuration Manager is more suitable for deployment due to the
flexibility offered by both solutions, so you will use them instead.
The Desktop Deployment Center is a consolidated collection of resources for deploying Windows 10 and Microsoft 365 Apps. It provides step-by-step planning guidance, video tutorials on processes and concepts, links to deployment tools, best practices, and more.
The Desktop Deployment Center is located at https://docs.microsoft.com/en-us/microsoft-365/enterprise/desktop-deployment-center-home
Using USMT
The components of USMT include:
●● ScanState.exe. The ScanState tool scans the source computer, collects the files and settings, and then
creates a store.
●● LoadState.exe. The LoadState tool migrates the files and settings, one at a time, from the store to a
temporary location on the destination computer.
Specify MigApp.xml, MigUser.xml, and MigDocs.xml with both the ScanState and LoadState commands to migrate application settings, user profile data, and user folders and files, respectively, to computers that are running Windows 10.
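The ScanState and LoadState steps described above, written out as an added example (not part of the course text or of USMT itself). The migration store sits on a network share, so the example encrypts it with a key read from a file instead of a key typed on the command line, where it would be visible in process listings and shell history. The share paths are the ones given in this module's USMT lab scenario; the amd64 subfolder, the key-file path and the log folder are assumptions. MigDocs.xml is used without MigUser.xml because the two rule sets overlap and Microsoft advises against combining them.

```powershell
# Added example (not from the course text): ScanState on the source computer and
# LoadState on the destination, with an AES-256 encrypted store keyed from a file.

$UsmtPath = '\\SEA-SVR2\Labfiles\Install\USMT\amd64'      # assumed folder holding scanstate.exe / loadstate.exe
$Store    = '\\SEA-SVR2\Labfiles\Install\MigrationStore'  # store location from the lab scenario
$KeyFile  = 'C:\Migration\store.key'                       # assumed; copy to the destination out of band
$LogDir   = 'C:\Migration\Logs'                            # assumed

function New-MigrationKeyFile {
    param([string]$Path = $KeyFile)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    # 32 bytes from the OS CSPRNG (not Get-Random), base64-encoded so the key is printable.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [IO.File]::WriteAllText($Path, [Convert]::ToBase64String($bytes))
    # Lock the key file down to Administrators and SYSTEM, removing inherited ACEs.
    icacls $Path /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
}

function Invoke-UsmtTool {
    param([ValidateSet('scanstate', 'loadstate')][string]$Tool, [string[]]$Arguments)
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    & (Join-Path $UsmtPath "$Tool.exe") @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE; see $LogDir\$Tool.log" }
}

# Run on the source computer (Win81Source in the lab): capture to the store.
function Invoke-ScanState {
    $usmtArgs = @(
        $Store,
        "/i:$UsmtPath\MigApp.xml", "/i:$UsmtPath\MigDocs.xml",
        '/o',                        # overwrite an existing store
        '/c',                        # continue on non-fatal errors (they are logged)
        '/uel:90',                   # skip accounts that have not logged on in 90 days
        '/v:13', "/l:$LogDir\scanstate.log", "/progress:$LogDir\scanstate_progress.log",
        '/encrypt:AES_256', "/keyfile:$KeyFile"
    )
    Invoke-UsmtTool -Tool scanstate -Arguments $usmtArgs
}

# Run on the destination computer (Computer1 in the lab): restore from the store.
function Invoke-LoadState {
    $usmtArgs = @(
        $Store,
        "/i:$UsmtPath\MigApp.xml", "/i:$UsmtPath\MigDocs.xml",
        '/c',
        '/lac', '/lae',              # create and enable local accounts found in the store
        '/v:13', "/l:$LogDir\loadstate.log", "/progress:$LogDir\loadstate_progress.log",
        '/decrypt:AES_256', "/keyfile:$KeyFile"
    )
    Invoke-UsmtTool -Tool loadstate -Arguments $usmtArgs
}

# Usage, on the source: New-MigrationKeyFile; Invoke-ScanState
# Usage, on the destination (after copying the key file there): Invoke-LoadState
```

Both tools exit non-zero on failure, so the wrapper stops the procedure rather than letting an empty or partial store be loaded onto the new computer; the verbose log named by /l: is where to look when that happens.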
Summary
In this lab, you will identify the tools included in the Windows ADK, create bootable Windows PE media,
prepare a Windows 10 computer to be imaged, capture a reference Windows 10 image, and deploy a
captured Windows 10 image.
Scenario
As part of the Desktop Administration team at Contoso, you have been tasked with creating and testing a
Windows 10 image to be used for a future Windows 10 desktop deployment project. You have already
used Hyper-V to create a virtual machine named GoldImage1 and installed Windows 10 to be used as the
reference image. You now need to capture GoldImage1 and validate that the image can be deployed to a
new computer.
Summary
In this lab you will learn how to migrate user state from one computer to another using the User State
Migration Tool (USMT).
Scenario
You have deployed a new Windows 10 computer named Computer1. You need to migrate the user state
from a source computer named Win81Source to Computer1. The best way to do so is using the User
State Migration Tool (USMT). The USMT install files are located at \\SEA-SVR2\Labfiles\Install\USMT. A
location to store migration data has been provided at \\SEA-SVR2\Labfiles\Install\MigrationStore. For this
lab, you will use the IP address 10.10.0.10 to reference SEA-SVR2.
Module Review
Check Your Knowledge
1. You are the IT Support professional for your organization. Your organization needs to deploy a set of
computers for an isolated office that will not be managed for at least six months. Which edition would
be best to deploy?
A. Windows 10 Pro
B. Windows 10 Enterprise
C. Windows 10 Home
D. Windows 10 Enterprise LTSB
Practice Labs and Module Review 55
E. Windows 10 Education
F. Windows 10 Mobile
2. The process for upgrading to Windows 10 includes which steps?
A. Evaluate, Back up, Upgrade, Verify, Update
B. Back up, Upgrade, Verify, Update
C. Back up, Upgrade, Update
D. Evaluate, Back up, Upgrade, Update
3. You support a group of software developers in your organization. The developers need to be able to
run Linux and Windows virtual machines on their client computers. Which Windows 10 editions will
allow them to do this?
A. Windows 10 Home
B. Windows 10 Pro
C. Windows 10 Enterprise
D. Windows 10 Education edition
E. Windows 10 IoT
F. Windows 10 Hyper-V edition
4. Your organization is in the process of migrating users to Office 365 E3. You have a mix of Windows 10
editions deployed. You are required to provide conditional access and SSO from anywhere for the
Office 365 E3 users using Domain Join with Azure Active Directory. Which of the following will support
this?
A. Windows 10 Home
B. Windows 10 Pro
C. Windows 10 Enterprise
D. None mentioned
Answers: 1) D 2) A 3) B,C,D 4) B,C
Module 2 Configuring Authorization and Authentication
Authentication
Lesson Introduction
In this lesson you will learn about the differences between authentication and authorization. You will learn about the different logon and service accounts and how to configure these accounts. You will also learn how Credential Manager can be used to manage and store credentials for users. Lastly, you will be introduced to Windows Hello, which is used to simplify the user logon process.
Lesson Objectives
After completing this lesson, you will be able to:
●● Configure a service account.
However, password authentication is inherently weak when you use it for certain critical transactions, such as payment processing, and user name and password authentication. Passwords can be stolen or revealed inadvertently. Therefore, most Internet businesses implement digital certificates that a certification authority (CA) issues and verifies. Logically, authentication comes before authorization, through which an operating system can determine if an authenticated user has the required permissions to access and update secured system resources. Authorized permissions include access to files and folders, hours of access, amount of allocated storage space, and other specifications. Authorization has two facets:
●● A system administrator defines permissions for system resources initially.
●● A system or application verifies users’ permission values when users attempt to access or update a
system resource.
You can provide authorization and access without implementing authentication, such as when granting
permissions for anonymous users that have not been authenticated. However, these permissions typically
are limited.
●● NTLM. This method provides backward compatibility with pre-Windows 2000 operating systems and some applications. However, it is less flexible, less efficient, and not as secure as the Kerberos protocol.
●● Certificate mapping. Typically, users utilize this method in conjunction with smart cards. The certificate
that a smart card stores can link to a user account. Users utilize a smart card reader, which scans the
card’s chip to authenticate a user.
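Because NTLM remains enabled for backward compatibility, the practical question for an administrator is how much of it is still being used. Every successful logon is recorded as Security event 4624, and its AuthenticationPackageName field says whether Kerberos, NTLM or Negotiate handled it (with LmPackageName giving the NTLM version). The following is an added example, not part of the course text: a parser for the event XML, a summary over the local Security log, and a constructed sample event (not a real capture) so the parser can be tried without a populated log.

```powershell
# Added example (not from the course text): summarize successful logons by the
# authentication package that handled them, from Security event 4624.

function ConvertFrom-LogonEventXml {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        # Helper: read one <Data Name="..."> value from the EventData section.
        $get = { param($n) ($x.Event.EventData.Data | Where-Object Name -eq $n).'#text' }
        [pscustomobject]@{
            Time          = [datetime]$x.Event.System.TimeCreated.SystemTime
            User          = '{0}\{1}' -f (& $get 'TargetDomainName'), (& $get 'TargetUserName')
            LogonType     = [int](& $get 'LogonType')            # 2 interactive, 3 network, 10 remote desktop
            AuthPackage   = & $get 'AuthenticationPackageName'   # Kerberos, NTLM or Negotiate
            LmPackage     = & $get 'LmPackageName'               # NTLM V1 / NTLM V2 when NTLM was used
            Workstation   = & $get 'WorkstationName'
            SourceAddress = & $get 'IpAddress'
        }
    }
}

function Get-LogonAuthPackageSummary {
    param([int]$MaxEvents = 5000)
    # Reading the Security log requires an elevated session.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-LogonEventXml |
        Where-Object { $_.User -notlike '*$' } |    # drop computer-account logons
        Group-Object AuthPackage, LmPackage |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}

# Constructed sample 4624 event (not a real capture) showing an NTLMv1 network logon.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2024-01-15T08:30:00.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CONTOSO</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="AuthenticationPackageName">NTLM</Data>
    <Data Name="WorkstationName">SEA-CL1</Data>
    <Data Name="LmPackageName">NTLM V1</Data>
    <Data Name="IpAddress">10.10.0.25</Data>
  </EventData>
</Event>
'@

ConvertFrom-LogonEventXml $sampleEvent     # parses the constructed event
Get-LogonAuthPackageSummary                # summarizes the real Security log (elevated)
```

Rows whose LmPackage is "NTLM V1" are the ones worth tracking down first, since that is the weakest of the methods listed above; the Workstation and SourceAddress fields identify the device that still relies on it.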
●● Microsoft Account
●● Domain Account
When installing or starting up Windows 10 for the first time, you will make a choice between the use of a
domain, local or Microsoft Account.
Local accounts
A local user account resides on the local device only. It does not allow a user to access resources on other
Windows 10 computers. Typically, you use local user accounts for workgroup environments in which you
have networked only a few computers, and in which users typically work with resources attached to their
own devices.
Microsoft accounts
A Microsoft Account (formerly Windows Live ID) will enable you to have easier access to Microsoft’s
services. If you have ever used services such as Xbox Live, Hotmail, Outlook.com, OneDrive or Windows
Messenger, you already have a Microsoft Account. Microsoft has simply combined all of their services
together allowing you to access them with a single account. Just one email address and password is used
for all these purposes.
Domain accounts
Domains are used in organizations. Domain accounts enable users to access other resources that are also
in the domain, such as other clients, servers, printers, etc., using a service called Active Directory. One
major benefit of domain accounts is that they are centrally managed. Instead of creating accounts and
setting passwords and permissions for each user on each device, a single user (or computer) domain
account is created and used to grant access.
60 Module 2 Configuring Authorization and Authentication
Organizations typically use Active Directory, and thus Active Directory or Azure AD accounts would be used.
For home or personal use, a Microsoft Account offers a lot of features that a local account does not.
However, if you don’t need Windows Store apps, or only have one computer and don’t need access to
your data anywhere else, then a local account will be sufficient. A local account will sign in to Windows and
provide the user with their own space on the PC. If you’re interested in the new features that Windows 10
has to offer, though, then users need a Microsoft Account to take full advantage of them.
Administrator account
The default local Administrator account is a user account for the system administrator. The Administrator
account has full control of the files, directories, services, and other resources on the local computer. The
Administrator account can create other local users, assign user rights, and assign permissions. The
Administrator account can take control of local resources at any time simply by changing the user rights
and permissions.
The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.
Because the Administrator account is known to exist on many versions of the Windows operating system,
it is a best practice to disable the Administrator account when possible to make it more difficult for
malicious users to gain access to the server or client computer.
In a typical install, Windows disables the built-in Administrator account and creates another local account
that is a member of the Administrators group. Members of the Administrators groups can run apps with
elevated permissions without using the Run as Administrator option. As a security best practice, use a
non-administrator account to sign in and then use Run as administrator to accomplish tasks that require
a higher level of rights than a standard user account. Do not use the Administrator account to sign in to
your computer unless it is entirely necessary.
Guest account
The Guest account is disabled by default on installation. The Guest account lets occasional or one-time
users, who do not have an account on the computer, temporarily sign in to the local server or client
computer with limited user rights. By default, the Guest account has a blank password. Because the Guest
account can provide anonymous access, it is a security risk. For this reason, it is a best practice to leave
the Guest account disabled, unless its use is entirely necessary.
Default Account
The DefaultAccount is a built-in account. It is a user-neutral account that can be used to run processes
that are either multi-user aware or user-agnostic, such as apps that launch but have the option to
sign in. This account should be left in its default disabled state (which does not prevent the account from
serving its purpose).
The NETWORK SERVICE and LOCAL SERVICE accounts are also predefined local accounts. Unlike the
SYSTEM account, these accounts have minimum privileges, and are used by Windows to perform services
that do not need full permissions. Using least-privilege accounts is part of a defense-in-depth security
strategy that helps limit malicious damage in the event a particular service is compromised.
The Settings app does not display default accounts or account groups. To manage these, use the local
Computer Management Microsoft Management Console (MMC).
1. Right-click on Start and select Computer Management.
2. Under System Tools, expand the Local Users and Groups option and select either Users or Groups to
show the respective account objects.
You can also manage local users in a command prompt using NET.EXE, or by using a variety of PowerShell
cmdlets.
Using Groups
Within the Settings app, you can switch an account type between Standard User and Administrator, which
adds or removes the user from the Administrators group.
Alternatively, you can use Local Users and Groups to assign rights and permissions on a more granular
level. Windows comes with several built-in groups that grant various permissions to resources and
services. Some examples of these built-in groups include:
●● Administrators
●● Users
●● Guests
●● Device Owners
●● Event Log Readers
●● Hyper-V Administrators
●● Network Configuration Operators
●● Remote Desktop Users
By using these groups, administrators are able to grant privileges to what the user needs access to,
without granting privileges to services they don't need. One of the main reasons for doing this is to limit
the damage in the event a device is compromised by a threat such as malware. The malware, which
typically might run at the user level, is not capable of leveraging services the user doesn't have permission
to use.
For example, Elyssa works for a company that has a policy where users do not have administrative
privileges to their computer. In her position, however, she needs to frequently change the network
settings on her device. As a standard user, she would not be able to do this. By making her a member of
the Network Configuration Operators group, she now has the ability to change her network settings,
without IT having to grant her full administrative privileges to the device. If her account or device is
compromised, her credentials cannot be used to perform malicious attacks such as logging onto the
device remotely.
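As an added example (not code from the course handbook), the following PowerShell script uses the in-box LocalAccounts cmdlets to carry out the Elyssa scenario: create a standard local user, add her only to Network Configuration Operators, verify she is not a local administrator, and audit the built-in accounts the text says should stay disabled. The user name comes from the scenario; the password prompt and description text are assumptions, and the script expects an elevated Windows PowerShell 5.1 session on Windows 10.

```powershell
# Added example, not from the MD-100 handbook. Requires Windows PowerShell 5.1 on
# Windows 10 (Microsoft.PowerShell.LocalAccounts module) and an elevated session.
#Requires -RunAsAdministrator

$UserName = 'Elyssa'   # taken from the scenario in the text
$Password = Read-Host -AsSecureString -Prompt "Initial password for $UserName"

# Create the local account only if it does not already exist.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password `
        -Description 'Standard user; allowed to change network settings' | Out-Null
}

# Local accounts appear in group listings as COMPUTERNAME\User.
$qualified = "$env:COMPUTERNAME\$UserName"

# Users = ordinary sign-in rights; Network Configuration Operators = the one extra
# right she needs. Nothing here touches the Administrators group.
foreach ($group in 'Users', 'Network Configuration Operators') {
    $members = (Get-LocalGroupMember -Group $group).Name
    if ($members -notcontains $qualified) {
        Add-LocalGroupMember -Group $group -Member $UserName
    }
}

# Least-privilege check: warn if the account somehow holds administrative rights.
if ((Get-LocalGroupMember -Group 'Administrators').Name -contains $qualified) {
    Write-Warning "$UserName is a member of Administrators; remove with Remove-LocalGroupMember."
}

# Audit the built-in accounts: the handbook expects Administrator, Guest and
# DefaultAccount to remain disabled on a typical installation.
Get-LocalUser |
    Where-Object { $_.Name -in 'Administrator', 'Guest', 'DefaultAccount' } |
    Select-Object Name, Enabled, PasswordLastSet |
    Format-Table -AutoSize

# Who actually holds administrative rights on this device (local and domain principals).
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass |
    Format-Table -AutoSize
```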
What is a Workgroup?
When installed, Windows 10 creates a workgroup by default called “WORKGROUP”. A workgroup can
share files, network storage, printers and any connected resource. There is no centralization of user
accounts and related security policies and settings. It is a peer-to-peer network, in which each device has
its own set of user and group accounts, its own security policy, and its own resources that you can share
with others.
The workgroup name can be changed by opening the Control Panel, selecting System and Security,
then System and selecting Change settings.
Workgroups include the following attributes:
●● All computers have equal rights.
●● Cannot be password protected.
●● Has a limit of 20 computers.
●● All computers must be on the same local network.
●● Works on all Windows versions.
●● Works on both IP versions: IPv4 and IPv6.
●● Every computer must have the same workgroup name to communicate.
●● Requires security and sharing permissions to be set.
You must set up user accounts on each computer. This step is necessary because there is no centralization
of user accounts in a workgroup. When users map a network drive to a folder that you have shared
on your computer, they must provide credentials to connect to the resource; the sharing computer stores
these credentials.
What is a Domain?
Active Directory and Azure Active Directory Domain Services domains are also a collection of
resource-sharing computers with the following characteristics:
●● A domain is an administrative boundary. All domains host an Administrator user account that has full
administrative capabilities over all objects within the domain. Although the administrator can delegate
administration on objects within the domain, the account retains full administrative control of all
objects within the domain.
●● A domain is a replication boundary. In the case of AD DS, it consists of three elements, or partitions:
the schema, the configuration partition, and the domain partition. Generally, it is only the domain
partition that changes frequently. The domain partition contains objects that are likely to be updated
often; these include users, computers, groups, and organizational units (OUs). AD DS replication
updates objects and synchronizes information between domain controllers.
In the case of Azure AD, it is hosted in the cloud. Replicas of the Azure AD architecture are synchronized
between Microsoft datacenters, which is transparent to the customer. When using AD DS and
Azure AD together, Azure AD Connect synchronizes information between the two environments.
●● A domain is an authentication boundary. Domain controllers from each domain or the Azure AD
service can authenticate each user account in that domain. Domains in an AD DS forest trust one
another, and it is these trusts that enable a user from one domain to access resources held in another
domain.
You can add a computer by joining it to a domain. The computer can belong to one domain only. A
computer can belong to a domain or a workgroup, but not both.
The most significant benefit of adding a computer to an AD DS domain is that users can enjoy access to
resources throughout the AD DS forest, assuming that they have the necessary permissions. They can do
this without needing to remember multiple user accounts and passwords. The major benefit for the
administrator is that the domain provides a single store for user and group accounts, a domain-wide
security policy, and the ability to configure and manage domain-joined computers from a single point.
Note: Before you can add a computer to a domain, the computer must be able to locate a domain
controller or be connected to the internet to access the Azure AD service. This requires proper
configuration of the computer’s name resolution settings.
Credential Manager
Windows 10 includes Credential Manager, which helps manage and maintain passwords. The Credential
Manager utility is built into the Windows 10 Control Panel. Credential Manager saves credentials that users
enter when accessing other computers and resources on local networks, and it can also be used to back up
and restore these credentials.
Consider a scenario where you access another computer in a workgroup every day. It would be time
consuming to continually enter your credentials when you access that other computer. Credential
Manager can save those credentials so that you are not prompted each time you access other computers
or websites. Credential Manager is enabled by default on non-domain computers. Web Credentials is the
web component of Credential Manager, and it remembers web login passwords.
network address, username and password. You can also add generic credentials such as this Microsoft
user account.
Windows Hello
Windows Hello is a more personal way to sign in to your Windows 10 devices with just a look or a touch.
You will get enterprise-grade security without having to type in a password.
Windows Hello introduces system support for biometric authentication – using your face, iris, or
fingerprint to unlock your devices – with technology that is much safer than traditional passwords. You –
uniquely you – plus your device are the keys to your Windows experience, apps, data and even websites
and services – not a random assortment of letters and numbers that are easily forgotten, hacked, or
written down and pinned to a bulletin board. Modern sensors recognize your unique personal
characteristics to sign you in on a supporting Windows 10 device.
Setting | Description
User logon name | This is the user name that users should use when signing in.
Unlock account | If a user locks an account because of invalid sign-in attempts, use this check box to unlock the account.
User must change password at next logon | When you enable this setting, the user must change their password during the next sign-in. If the user does not change their password, he or she might not be able to sign in.
User cannot change password | If you enable this setting, the user cannot change their password. This setting overrides any requirements to change a password in the domain password policy. You typically use this setting only for service accounts.
Password never expires | When you enable this setting, users are not required to change their password. This setting overrides any requirements to change a password in the domain password policy. You typically use this setting for service accounts, and you also might use it for users who are exempt from changing passwords.
Account is disabled | Enabling this setting prevents users from signing in and using this account. You typically use this setting when an employee is out of the office for a long period, or when your organization terminates an employee.
Smart card is required for interactive logon | When you enable this setting, a user is required to use a smart card to sign in. Requiring a smart card enhances security in environments with infrastructure to support smart card-based sign-ins.
Account expires | This setting allows configuration of a date after which an account is disabled. You typically use this setting only for contract employees or other temporary staff.
Like local accounts, domain user accounts can also be used as dedicated service accounts for applications
or services.
There are several built-in groups that are created by default when Active Directory is installed. The
following list is some of the commonly used groups:
●● DnsAdmins - Members of this group have administrative access to the DNS Server service.
●● Domain Admins - Designated administrators of the domain; Domain Admins is a member of every
domain-joined computer's local Administrators group and receives rights and permissions granted to
the local Administrators group, in addition to the domain's Administrators group.
●● Domain Computers - All workstations and servers that are joined to the domain are by default
members of this group.
●● Domain Users - All users in the domain
●● Enterprise Admins - Enterprise Admins are like Domain Admins, but have permissions to change
forest-wide configuration settings; Enterprise Admins is a member of every domain's Administrators
group and receives rights and permissions granted to that group.
●● Remote Desktop Users - Members of this group are granted the right to log on remotely using RDP.
Characteristics of AD DS
AD DS is the traditional deployment of Windows Server-based Active Directory on a physical or virtual
server. Although AD DS is commonly considered to be primarily a directory service, it’s only one
component of the Windows Active Directory suite of technologies, which also includes Active Directory
Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), Active Directory
Federation Services (AD FS), and Active Directory Rights Management Services (AD RMS).
When comparing AD DS with Azure AD, it’s important to note the following characteristics of AD DS:
●● AD DS is a true directory service, with a hierarchical X.500-based structure.
●● AD DS uses Domain Name System (DNS) for locating resources such as domain controllers.
●● You can query and manage AD DS by using Lightweight Directory Access Protocol (LDAP) calls.
●● AD DS primarily uses the Kerberos protocol for authentication.
●● AD DS uses OUs and GPOs for management.
●● AD DS includes computer objects, representing computers that join an Active Directory domain.
●● AD DS uses trusts between domains for delegated management.
You can deploy AD DS on an Azure virtual machine to enable scalability and availability for an
on-premises AD DS. However, deploying AD DS on an Azure virtual machine does not make any use of Azure AD.
Note that deploying AD DS on an Azure virtual machine requires one or more additional Azure data
disks, because you should not use drive C for AD DS storage. These disks are needed to store the AD DS
database, logs, and SYSVOL. The Host Cache Preference setting for these disks must be set to None.
Characteristics of Azure AD
Although Azure AD has many similarities to AD DS, there are also many differences. It’s important to
realize that using Azure AD isn’t the same as deploying an Active Directory domain controller on an
Azure virtual machine and adding it to your on-premises domain.
When comparing Azure AD with AD DS, it’s important to note the following characteristics of Azure AD:
●● Azure AD is primarily an identity solution, and it’s designed for internet-based applications by using
HTTP (port 80) and HTTPS (port 443) communications.
●● Azure AD is a multi-tenant directory service.
●● Azure AD users and groups are created in a flat structure, and there are no OUs or GPOs.
●● You cannot query Azure AD by using LDAP; instead, Azure AD uses the REST API over HTTP and
HTTPS.
●● Azure AD does not use Kerberos authentication; instead, it uses HTTP and HTTPS protocols such as
SAML, WS-Federation, and OpenID Connect for authentication, and uses OAuth for authorization.
●● Azure AD includes federation services, and many third-party services such as Facebook are federated
with and trust Azure AD.
Signing in to a Domain
When a user signs in with a domain account, they are typically authenticating to either Active Directory
Domain Services (AD DS) or Azure Active Directory (Azure AD).
Azure AD Authentication
When users try to access cloud-based services, such as Microsoft 365, authentication must occur as it
does in an on-premises AD DS environment. However, the process is different because the services that
provide the authentication are not located locally. Therefore, the client computer must locate where the
authentication services reside by using DNS.
Once the client computer locates the authentication services, the user typically receives a prompt to sign
in by providing a user name and password that the client computer securely exchanges with the
authentication service.
Obviously, if users provide incorrect sign-in information, authentication fails. Other reasons for failure
include:
●● Name-resolution issues. These issues occur if Windows 10 cannot determine where the authentication
service resides. This can occur because of a configuration error or local DNS service failure on your
site, or with the Internet service provider (ISP) that provides your Internet service.
●● Internet connectivity is not available. Without an Internet connection, your computer cannot locate
the authentication services, and it cannot connect to Microsoft 365 or any other cloud-based
applications.
●● Synchronization issues between on-premises AD DS and Azure AD. In environments that use both
cloud-based and on-premises directories, it is necessary to synchronize accounts between both
platforms. Occasionally, it is possible for the two directories to be out of synchronization, which can
lead to sign-in issues.
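The following PowerShell function is an added example (not from the handbook) that checks the first two failure causes above, plus the earlier note that a client must locate a domain controller through DNS: it resolves the domain controller SRV record and tests Kerberos/LDAP reachability for AD DS, then tests HTTPS reachability of the Azure AD sign-in endpoint. The domain name 'corp.example.com' is a placeholder; login.microsoftonline.com and dsregcmd are real but not named in the text.

```powershell
# Added example, not from the MD-100 handbook. Uses the in-box DnsClient and NetTCPIP
# cmdlets on Windows 10; 'corp.example.com' is a placeholder domain name.
function Test-SignInPrerequisites {
    param(
        [string]$DomainName    = 'corp.example.com',           # placeholder AD DS domain
        [string]$CloudEndpoint = 'login.microsoftonline.com'   # Azure AD sign-in service
    )

    # 1. AD DS: clients find domain controllers through this DNS SRV record.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }

    if (-not $srv) {
        Write-Warning "No DC SRV record for '$DomainName': name resolution is broken or the client points at the wrong DNS server"
    }
    foreach ($rec in $srv) {
        # Kerberos (88) and LDAP (389) must be reachable on each advertised DC.
        foreach ($port in 88, 389) {
            $tcp = Test-NetConnection -ComputerName $rec.NameTarget -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Check = 'AD DS'; Target = $rec.NameTarget; Port = $port; Reachable = [bool]$tcp.TcpTestSucceeded }
        }
    }

    # 2. Azure AD: the cloud authentication service must resolve and be reachable over HTTPS.
    $cloud = Test-NetConnection -ComputerName $CloudEndpoint -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = 'Azure AD'; Target = $CloudEndpoint; Port = 443; Reachable = [bool]$cloud.TcpTestSucceeded }
    if (-not $cloud.TcpTestSucceeded) {
        Write-Warning "Cannot reach ${CloudEndpoint}:443; no Internet path or DNS failure"
    }

    # 3. Hybrid environments: dsregcmd (in-box) reports the device's AD DS / Azure AD
    #    join and registration state, which is where a sync mismatch first shows up.
    dsregcmd /status | Select-String 'DomainJoined|AzureAdJoined|WorkplaceJoined|TenantName'
}

Test-SignInPrerequisites
```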
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe User Account Control (UAC).
●● Explain how UAC works.
●● Explain how to configure UAC notification settings.
What is UAC
UAC is a security feature that provides a way for users to elevate their status from a standard user
account to an administrator account, without having to sign out or switch user profiles. UAC is a
collection of features rather than just a prompt. These features, which include File and Registry Redirection,
Installer Detection, the UAC prompt, the ActiveX Installer Service, and more, allow Windows users to
operate with user accounts that are not members of the Administrators group. These accounts, typically
referred to as standard users, are broadly described as operating with least privilege. The most important
fact is that when users sign in with standard user accounts, the experience typically is much more secure
and reliable.
In Windows 10, the number of operating system applications and tasks that require elevation is fewer
when compared to older operating systems. This allows standard users to do more while experiencing
fewer elevation prompts, and this improves interaction with UAC while upholding high security standards.
When you need to make changes to your computer that require administrator-level permissions, UAC
notifies you as follows:
●● If you are an administrator, select Yes to continue.
●● If you are not an administrator, someone with an administrator account on the computer will have to
enter his or her password for you to continue.
If you are a standard user, providing administrative credentials gives you administrator rights to complete
the task. When you complete the task, permissions will revert to those that a standard user has. This
ensures that even if you are using an administrator account, no one can make changes to your computer
without your knowledge. This helps prevent malicious users from installing malware and spyware on, or
making changes to, your computer.
Standard users
In previous versions of the Windows operating system, many users were configured to use administrative
permissions rather than standard user permissions. This was because previous Windows versions required
that users have administrator permissions to perform basic system tasks, such as adding a printer or
configuring a time zone. In Windows 10, many of these tasks no longer require administrative
permissions.
When users have administrative permissions on their computers, they can install additional software.
Despite organizational policies against installing unauthorized software, many users still do it, which can
make their systems less stable and drive up support costs. When you enable UAC, and a user needs to
perform a task that requires administrative permissions, UAC prompts the user for administrative
credentials. In an enterprise environment, the help desk can give a user temporary credentials that have local
administrative permissions to complete a task. The default UAC setting allows a standard user to perform
the following tasks without receiving a UAC prompt:
●● Install updates from Windows Update.
●● Install drivers from Windows Update or those that are included with the operating system.
●● View Windows settings. However, a standard user is prompted for elevated permissions when
changing Windows settings.
●● Pair Bluetooth devices with the computer.
●● Reset the network adapter and perform other network-diagnostic and repair tasks.
Administrative users
Administrative users automatically have:
●● Read/write/enact permissions for all resources.
●● All Windows permissions.
While it might seem obvious that not every user should be able to read, alter, and delete any Windows
resource, many enterprise IT departments that ran older versions of Windows operating systems had no
other option but to assign all of their users to the local Administrators group.
One of the benefits of UAC is that it allows users with administrative permissions to operate as standard
users most of the time. When users with administrative permissions perform a task that requires
administrative permissions, UAC prompts the user for permission to complete the task. When the user grants
permission, the task is performed by using full administrative rights, and then the account reverts to a
lower level of permission.
The following list details some of the tasks that a standard user can perform:
●● Establish a local area network (LAN) connection.
●● Establish and configure a wireless connection.
●● Modify display settings.
●● Users cannot defragment the hard drive, but a service does this on their behalf.
●● Play CD/DVD media (configurable with Group Policy).
●● Burn CD/DVD media (configurable with Group Policy).
●● Change the desktop background for the current user.
●● Open Date and Time in Control Panel, and change the time zone.
●● Use Remote Desktop to connect to another computer.
●● Change a user’s own account password.
●● Configure battery power options.
●● Configure accessibility options.
●● Restore a user’s backup files.
●● Set up computer synchronization with a mobile device, including a smartphone, laptop, or personal
digital assistant (PDA).
●● Connect and configure a Bluetooth device.
The following list details some of the tasks that require elevation to an administrator account:
●● Install and uninstall applications.
●● Install a driver for a device, such as a digital camera driver.
●● Install Windows updates.
●● Configure Parental Controls.
●● Install an ActiveX control.
●● Open Windows Defender Firewall in Control Panel.
●● Change a user’s account type.
●● Modify UAC settings in the Security Policy Editor snap-in (Secpol.msc) to the Microsoft Management
Console (MMC).
●● Configure Remote Desktop access.
●● Add or remove a user account.
●● Copy or move files into the Program Files or Windows directory.
●● Schedule Automated Tasks.
●● Restore system backup files.
●● Configure Automatic Updates.
●● Browse to another user’s directory.
When you enable UAC, members of the local Administrators group run with the same access token as
standard users. A process can use an administrator’s full access token only when a member of the local
Administrators group gives approval.
This process is the basis of the Admin Approval Mode principle. Users elevate only to perform tasks that
require an administrator access token. When a standard user attempts to perform an administrative task,
UAC prompts the user to enter valid credentials for an administrator account. This is the default for
standard user-prompt behavior.
The elevation prompt displays contextual information about the executable that is requesting elevation.
The context is different, depending on whether the application is signed by Authenticode technology.
The elevation prompt has two variations that the following table describes: the consent prompt and the
credential prompt.
The following table identifies the four settings that enable customization of the elevation-prompt
experience.
Prompt | Description
Never notify me | UAC is off.
Notify me only when apps try to make changes to my computer (do not dim my desktop) | When a program makes a change, a prompt appears, but the desktop does not dim. Otherwise, the user is not prompted.
Notify me only when apps try to make changes to my computer (default) | When a program makes a change, a prompt appears, and the desktop dims to provide a visual cue that an installation is being attempted. Otherwise, the user is not prompted.
Always notify me | The user always is prompted when changes are made to the computer.
You can configure varying user experiences by using different Group Policy settings. The configuration
choices that you make for your environment affect the prompts and dialog boxes that standard users,
administrators, or both can view.
For example, you might require administrative permissions to change the UAC setting to Always notify
me or Always notify me and wait for my response. When you configure this type of configuration, a
yellow notification appears at the bottom of the User Account Control Settings page, indicating the
requirement.
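As an added example (not from the handbook), this PowerShell function reads the policy values that the four UAC notification settings write under HKLM and uses the token view from whoami to show Admin Approval Mode in practice: an administrator's non-elevated session carries the Administrators group as "used for deny only", which is the filtered token described above. The slider-to-value mapping is taken from the documented "User Account Control" security policy settings, not from the handbook text.

```powershell
# Added example, not from the MD-100 handbook. Reads the UAC policy values and
# inspects the current process token; runs as any user on Windows 10.
function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key

    # The UAC slider sets the pair ConsentPromptBehaviorAdmin / PromptOnSecureDesktop.
    $level = switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify me' }
        '5/1'   { 'Notify me only when apps try to make changes to my computer (default)' }
        '5/0'   { 'Notify me only when apps try to make changes to my computer (do not dim my desktop)' }
        '0/0'   { 'Never notify me' }
        default { 'Custom (set by Group Policy or a direct registry edit)' }
    }

    # Admin Approval Mode: whoami lists the Administrators group (well-known SID
    # S-1-5-32-544) in the token. In a non-elevated administrator session it carries
    # the 'Group used for deny only' attribute, i.e. the filtered token.
    $adminGroup = whoami /groups /fo csv | ConvertFrom-Csv | Where-Object { $_.SID -eq 'S-1-5-32-544' }
    $token = if (-not $adminGroup) {
        'standard user (no Administrators membership)'
    } elseif ($adminGroup.Attributes -match 'deny only') {
        'administrator, filtered token (not elevated)'
    } else {
        'administrator, full token (elevated)'
    }

    [pscustomobject]@{
        RunningAs                  = [Security.Principal.WindowsIdentity]::GetCurrent().Name
        CurrentToken               = $token
        NotificationLevel          = $level
        EnableLUA                  = [bool]$p.EnableLUA            # 0 = UAC disabled entirely
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin # 0 silent, 2 consent on secure desktop, 5 consent for non-Windows binaries
        ConsentPromptBehaviorUser  = $p.ConsentPromptBehaviorUser  # 0 deny, 1 credentials on secure desktop, 3 credentials (default)
        PromptOnSecureDesktop      = [bool]$p.PromptOnSecureDesktop
    }
}

Get-UacState
```

Running it once from a normal session and once after Run as administrator shows the same account with the two different token states.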
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the challenges that BYOD introduces.
●● Describe Device Registration and its uses.
●● Describe how Device Registration works.
●● Describe the infrastructure requirements for Device Registration.
●● Describe how to register and enroll a device.
Increasingly, users no longer rely on traditional desktop computers, and instead use devices. Devices
come in various form factors such as smartphones and tablets, and they typically are not domain
members. Sometimes devices are not domain members because the company does not own them, and
sometimes because their operating system, such as iOS or Android, cannot be joined to the domain.
However, users who are more familiar with their personal devices want to use them for work purposes.
This is known as the BYOD scenario.
Previously, only domain member computers and domain accounts could access apps and data. Today,
this is no longer the case. Users still have a domain account as proof of their identity, but they now
require access to the same company apps and data from various types of devices with different displays
and that are running on different hardware architecture. Furthermore, these users do not want to provide
credentials each time they need access. In summary, they want the same experience on their personal
devices as they have when working in a domain environment.
Companies typically store data on servers, and users expect to access the data securely from anywhere
and from any device. This presents new challenges for companies because users are accessing and
storing local copies of the data on their personal devices. Administrators must be able to control which
data users can access, and which data can be cached locally. In addition, administrators must know how
to wipe company data remotely if users leave the company or lose their devices. Furthermore,
administrators must have the ability to wipe company data off users’ personal devices without affecting their
personal data.
New challenges to IT departments include:
●● Allowing users to work on devices of their choice, while providing consistent access to corporate
resources.
●● Allowing users to access resources from remote locations, such as when working at home.
●● Unifying the environment and providing unified applications and device management of the
company-owned and domain-owned devices along with BYOD devices.
●● Protecting company data, enforcing company policies and compliance requirements, and managing
risks regardless from where data is accessed, or from which device.
●● Here’s your own device. In this model, the company has one device approved for the company’s
mobile platform and this device is provided to employees.
The landscape for enterprise mobility extends well beyond BYOD; you cannot assume enterprise mobility
means BYOD only. There are many more elements that must be covered to completely embrace mobility
and enable a mobile workforce. Each scenario has advantages and disadvantages that vary according to
company requirements and goals.
Mobile users today expect to move easily across devices, on their own terms, without having to learn new
tools or interrupt their familiar work practices. We have seen in our enterprise engagements that
consumer and employee expectations are driving these changes and forcing businesses to rethink how they win,
serve, and retain customers and how they enable their mobile and work-at-home employees to stay
productive. Your customers spend a good deal of their time on mobile apps and devices, and they expect
you to meet them there in ways that accommodate their mobile lifestyle. This requires that you anticipate
their needs and engage them at key moments with the right content and services.
Your employees require mobile access to their team members, resources, and core business processes to stay productive, and they expect you to make that a seamless experience. This requires that you enable new work processes and understand the expectations that mobile employees bring to the workplace. The commonality here is the concept of user-centric experiences. Mobile devices are already well-tuned to personal preferences; the next step is to extend this personalization into business processes. Companies today are redesigning their operations to accommodate the mobile mindset of both customers and employees in order to achieve top line and bottom line business impact. The combination of engaging, personalized apps on the front end and a scalable, secure cloud infrastructure on the back end makes that a reality.
The result will be a transformed enterprise, with opportunities for cost containment, new revenue
streams, and potential new business models.
After you enable the device for Device Registration, the device is used as a second form of authentication. If multiple users use the same device, each user can enable the device for Device Registration independently. Administrators can configure which apps users then can access from the device without entering credentials, and they can then ensure that company policies and security apply to those devices by configuring a device policy. Be aware that a company Group Policy applies only to domain-joined devices and not to devices enabled for Device Registration. If a device enabled for Device Registration is compromised, or if a device owner leaves the company, an administrator can remove the device object from the domain, and by doing so, the administrator revokes the device’s ability to access domain resources through SSO.
A device that is enabled for the Device Registration feature is used as a second authentication factor when accessing claims-based company apps. For such apps, administrators can control who can access them, from which devices they can be accessed, and whether they can be accessed only from the company network or from the Internet as well. Devices enabled for Device Registration trust the company certification authority (CA), which makes it easier to configure them for additional features such as Work Folders.
By implementing the Web Application Proxy component, you also can enable registered devices to access
company resources from external networks such as the Internet. A user can be in a coffee shop or at
home, and if their device is registered, it can access internal applications through Web Application Proxy
and AD FS. If the user is using their registered device in an internal network, it will communicate directly
to AD FS and AD DS to authenticate. For devices that are registered, you also can enable SSO for some
applications. By doing this, the user is not prompted for credentials each time they try to access the
resource.
●● Public key infrastructure. The Device Registration feature requires that a public key infrastructure (PKI) is deployed and properly configured. Devices must trust the CA, which is true by default for domain-joined devices, but requires manual configuration on devices that are not domain members. Certificates must include information on both of the following:
●● Where the list of revoked certificates is available, such as the certificate revocation list (CRL) and CRL distribution point (CDP)
●● Where up-to-date certificates for the CA are available, such as authority information access (AIA)
Devices must be able to access the CRL, delta CRL, and AIA before they can use Device Registration. Delta
CRL is published in a file, which by default includes the plus sign (+) in its name. The Internet Information
Services (IIS) Web server (also by default) does not allow access to files with special characters in their
names, and you must enable double escaping to allow it. You can verify that you can access CRL, delta
CRL, and AIA by running Pkiview.msc on the server where Active Directory Certificate Services (AD CS) is
installed.
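The following script is an added example for the PKI requirement above; it is not part of the Microsoft handbook. It pulls the CDP and AIA URLs out of a certificate, derives the delta CRL name (the default "name+.crl" pattern described in the text), checks that each object can be downloaded, and checks the IIS double-escaping setting that decides whether the "+" file name can be served. The "Default Web Site\CertEnroll" path and the "adfs.contoso.com" subject in the usage line are assumptions.

```powershell
# Added example (not from the course). Assumptions: run on the AD CS web server with
# the WebAdministration module; CDP/AIA files are published under the "CertEnroll"
# virtual directory of "Default Web Site" (AD CS default); delta CRL is "<name>+.crl".

function Get-CertificateAccessUrls {
    # Extract every HTTP(S) URL from the CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1)
    # extensions of a certificate, and derive the delta CRL URL from each CDP URL.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $results = @()
    foreach ($ext in $Certificate.Extensions) {
        $kind = switch ($ext.Oid.Value) {
            '2.5.29.31'         { 'CRL' }
            '1.3.6.1.5.5.7.1.1' { 'AIA' }
            default             { $null }
        }
        if (-not $kind) { continue }
        # Format($true) renders the extension as multi-line text; pull the URLs out of it.
        $text = $ext.Format($true)
        foreach ($m in [regex]::Matches($text, 'https?://[^\s,"<>]+')) {
            $results += [pscustomobject]@{ Kind = $kind; Url = $m.Value }
            if ($kind -eq 'CRL' -and $m.Value -match '\.crl$') {
                # AD CS publishes the delta CRL beside the base CRL with a '+' before ".crl".
                $results += [pscustomobject]@{ Kind = 'DeltaCRL'; Url = ($m.Value -replace '\.crl$', '+.crl') }
            }
        }
    }
    return $results
}

function Test-PkiUrl {
    # Download the object the URL points to. A delta CRL that fails with HTTP 404 while
    # the base CRL succeeds is the classic symptom of double escaping being disabled.
    param([Parameter(Mandatory)][string]$Url)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return [pscustomobject]@{ Url = $Url; Reachable = $true; Status = $resp.StatusCode; Bytes = $resp.RawContentLength }
    } catch {
        return [pscustomobject]@{ Url = $Url; Reachable = $false; Status = $_.Exception.Message; Bytes = 0 }
    }
}

function Get-IisDoubleEscaping {
    # Read requestFiltering/allowDoubleEscaping for the virtual directory that serves the CRLs.
    param([string]$PSPath = 'IIS:\Sites\Default Web Site\CertEnroll')   # assumption
    Import-Module WebAdministration
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping
    if ($v -is [bool]) { return $v } else { return [bool]$v.Value }
}

function Enable-IisDoubleEscaping {
    param([string]$PSPath = 'IIS:\Sites\Default Web Site\CertEnroll')   # assumption
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/security/requestFiltering' -Name allowDoubleEscaping -Value $true
}

function Test-DeviceRegistrationPki {
    # Full check: every CRL, delta CRL and AIA URL in the certificate must be downloadable.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$PSPath = 'IIS:\Sites\Default Web Site\CertEnroll'
    )
    $report = foreach ($item in Get-CertificateAccessUrls -Certificate $Certificate) {
        $t = Test-PkiUrl -Url $item.Url
        [pscustomobject]@{ Kind = $item.Kind; Url = $item.Url; Reachable = $t.Reachable; Status = $t.Status }
    }
    $deltaBroken = $report | Where-Object { $_.Kind -eq 'DeltaCRL' -and -not $_.Reachable }
    if ($deltaBroken -and -not (Get-IisDoubleEscaping -PSPath $PSPath)) {
        Write-Warning "Delta CRL unreachable and allowDoubleEscaping is off on '$PSPath'; run Enable-IisDoubleEscaping."
    }
    return $report
}

# Usage: check the AD FS service certificate (the subject name filter is an assumption).
# $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like '*adfs.contoso.com*' | Select-Object -First 1
# Test-DeviceRegistrationPki -Certificate $cert | Format-Table -AutoSize
```

Run it from a non-domain device as well, because the devices that are not domain members are the ones that need the CA certificate and these URLs configured by hand.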
●● AD FS. A company must set up AD FS before users can use the Device Registration feature on their
devices. You must configure AD FS with a Secure Sockets Layer (SSL) certificate from a trusted CA, and
the SSL certificate must have properly configured Subject Name and Subject Alternative Name
attributes.
●● Device Registration Service. When you perform Device Registration, Device Registration Service
registers the device in AD DS. It also provides the certificate to the user who enables their device for
Device Registration.
●● A DNS record for the host named Enterpriseregistration. The name Enterpriseregistration is mandatory, and you cannot change it. The DNS server must resolve this name to the IP address of the AD FS server, and the AD FS server must use it as one of its Subject Alternative Name attributes in the SSL certificate.
●● Web Application Proxy. This is an optional component that is not required when you enable Device
Registration on devices that are connected to the company network. If you want to enable Device
Registration on devices that are not connected to the company network, but which are connected to
the Internet, you must set up Web Application Proxy.
●● A supported operating system on the device. The device that you want to enable for Device Registration must be running a supported operating system. Currently, you can enable Device Registration only on devices that are running Windows 10, Windows RT 8.1, Windows 8.1, and iOS operating systems.
When users enable Device Registration on their devices, they can access a company’s internal web
applications and company apps without entering credentials again. To use SSO, administrators must
configure claims-based web applications and create a relying party trust between the AD FS server and
the web server on which the web application is running.
Additional Reading: For additional information on Device Registration, visit: http://aka.ms/en89rh
Summary
In this lab you will configure and manage local accounts and assign a Microsoft account to a Windows 10
device.
Scenario
You need to create two new local user accounts on SEA-WS1. User1 will be a local administrator and
User2 will be a standard user. User1 will also assign a Microsoft account to SEA-WS1 and configure
Windows Hello with a PIN.
Summary
In this lab you will join a device to a Windows Active Directory domain.
Scenario
You need to join SEA-WS1 to the Contoso.com domain. This will enable central management of the
device and enable users to sign in using their domain credentials.
Summary
In this lab you will learn how to create and manage domain password policies, account options, and User
Account Control.
Scenario
You have been delegated the task of configuring the domain password policy for Contoso.com. Part of your task is to implement a new security requirement that specifies a longer password and a 20-minute account lockout if a user incorrectly enters their password more than twice in succession.
Practice Labs and Module Review 91
Scenario
After configuring a stricter set of password policies, you will ask Jane Dow to test the policy settings.
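The two lab scenarios above (set the Contoso.com password policy, then have Jane Dow test it) as an added PowerShell example; this is not the lab's own solution. It assumes the ActiveDirectory module (RSAT) is available, that you hold rights to edit the domain password policy, that "a longer password" means 12 characters (the lab gives no number), and that the test user account is named "Jane Dow".

```powershell
# Added example for the password-policy lab; not part of the Microsoft handbook.
Import-Module ActiveDirectory

function Set-LabDomainPasswordPolicy {
    param(
        [string]$Domain = 'Contoso.com',
        [int]$MinPasswordLength = 12,          # assumption: the lab does not state a length
        # "more than twice in succession" = lock the account on the third failed attempt
        [int]$LockoutThreshold = 3,
        [timespan]$LockoutDuration = [timespan]::FromMinutes(20)
    )
    # AD requires LockoutObservationWindow <= LockoutDuration, so the same value is reused.
    Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
        -MinPasswordLength $MinPasswordLength `
        -LockoutThreshold $LockoutThreshold `
        -LockoutDuration $LockoutDuration `
        -LockoutObservationWindow $LockoutDuration
}

function Test-LabDomainPasswordPolicy {
    # Read the effective policy back and report each requirement as pass/fail.
    param(
        [string]$Domain = 'Contoso.com',
        [int]$MinPasswordLength = 12,
        [int]$LockoutThreshold = 3,
        [timespan]$LockoutDuration = [timespan]::FromMinutes(20)
    )
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    [pscustomobject]@{ Check = 'MinPasswordLength'; Actual = $p.MinPasswordLength; Pass = ($p.MinPasswordLength -ge $MinPasswordLength) }
    # Threshold 0 means "never lock out", so it must be above 0 and at most the required value.
    [pscustomobject]@{ Check = 'LockoutThreshold';  Actual = $p.LockoutThreshold;  Pass = ($p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le $LockoutThreshold) }
    [pscustomobject]@{ Check = 'LockoutDuration';   Actual = $p.LockoutDuration;   Pass = ($p.LockoutDuration -ge $LockoutDuration) }
    [pscustomobject]@{ Check = 'ObservationWindow'; Actual = $p.LockoutObservationWindow; Pass = ($p.LockoutObservationWindow -le $p.LockoutDuration) }
}

function Get-LabUserLockoutState {
    # After the test user enters wrong passwords, confirm the lockout triggered and when it expires.
    # badPwdCount is tracked per domain controller and is not replicated, so query the DC the user hit.
    param([string]$Name = 'Jane Dow')   # assumption: display name of the lab user
    $u = Get-ADUser -Filter "Name -eq '$Name'" -Properties LockedOut, badPwdCount, AccountLockoutTime
    $duration = (Get-ADDefaultDomainPasswordPolicy).LockoutDuration
    [pscustomobject]@{
        User          = $u.SamAccountName
        LockedOut     = $u.LockedOut
        BadPwdCount   = $u.badPwdCount
        LockoutExpiry = if ($u.AccountLockoutTime) { $u.AccountLockoutTime + $duration } else { $null }
    }
}

# Usage:
# Set-LabDomainPasswordPolicy
# Test-LabDomainPasswordPolicy | Format-Table -AutoSize
# Get-LabUserLockoutState            # run after Jane Dow's third wrong password
# Unlock-ADAccount -Identity (Get-LabUserLockoutState).User   # clear the lockout before 20 minutes elapse
```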
Scenario
You need to configure UAC so that when the UAC dialog box prompts a standard user, he or she can
enter the credentials of an administrator account to gain elevated privileges. You also need to restrict the
execution of unsigned applications.
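The UAC scenario above as an added audit-and-apply example; it is not the lab's own solution. It reads the registry values that the two relevant security policies write (the elevation prompt behavior for standard users, and elevating only signed and validated executables) and compares them with the scenario's requirements; on a domain-joined machine the same settings belong in a GPO rather than in a script.

```powershell
# Added example for the UAC lab scenario; not part of the Microsoft handbook.
# The policies "User Account Control: Behavior of the elevation prompt for standard
# users" and "User Account Control: Only elevate executables that are signed and
# validated" are stored as DWORD values under this key.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacPolicy {
    # Values that are absent from the registry come back as $null (Windows then uses its defaults).
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                   = $p.EnableLUA
        ConsentPromptBehaviorUser   = $p.ConsentPromptBehaviorUser
        ValidateAdminCodeSignatures = $p.ValidateAdminCodeSignatures
    }
}

function Test-UacLabScenario {
    # Compare the current state with the scenario: standard users get a credential
    # prompt, and unsigned executables cannot be elevated.
    $p = Get-UacPolicy
    $findings = @()
    if ($p.EnableLUA -ne 1) {
        $findings += 'UAC (EnableLUA) is disabled; no elevation prompts will be shown at all.'
    }
    # ConsentPromptBehaviorUser: 0 = automatically deny, 1 = prompt for credentials on the
    # secure desktop, 3 = prompt for credentials. Only 1 and 3 satisfy the scenario.
    if ($p.ConsentPromptBehaviorUser -notin 1, 3) {
        $findings += "Standard users are not asked for administrator credentials (ConsentPromptBehaviorUser=$($p.ConsentPromptBehaviorUser))."
    }
    # ValidateAdminCodeSignatures: 1 = enforce signature checks before elevating an executable.
    if ($p.ValidateAdminCodeSignatures -ne 1) {
        $findings += 'Unsigned executables can still be elevated (ValidateAdminCodeSignatures is not 1).'
    }
    [pscustomobject]@{ Compliant = ($findings.Count -eq 0); Findings = $findings }
}

function Set-UacLabScenario {
    # Applies the scenario on the local machine (requires an elevated session).
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Type DWord -Value 1
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorUser -Type DWord -Value 1   # credentials, secure desktop
    Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Type DWord -Value 1
    # A change to EnableLUA only takes effect after a restart; the other two apply immediately.
}

# Usage:
# Test-UacLabScenario        # audit first
# Set-UacLabScenario         # then apply, and audit again
```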
Summary
In this lab you will create a new user and then join a Windows 10 device to an Azure AD tenant.
Scenario
You have a new Windows 10 device that you would like to join to your Azure AD tenant. You will create a
new Azure AD user account for User2 and then join SEA-WS3 to Azure AD.
Module Review
Check Your Knowledge
1. Your organization is going to start allowing employees to work remotely. Employees will also be able
to work from their own devices. The devices will have access to sensitive business information. As the
IT Support professional, which of the following must you be able to do? (select three)
A. Control which data users can access
B. Initiate a remote wipe of a lost or stolen device
C. Set up a VPN
D. Have the ability to wipe business data off users’ personal devices without affecting their personal
data
E. Enable Windows Remote Management Server
F. Access Device Manager on the remote PCs
2. To prevent users from installing unauthorized software, you enabled UAC on all of your Windows 10
computers. However, some of the users are local Administrator on their computers. Which of the
following tasks will generate a UAC prompt for these users? (select three)
A. Configure accessibility options
B. Set up computer synchronization with a mobile device
C. Add or remove a user account
D. Install an application
E. Restore a user’s backup files
F. Install a driver for a device
3. Which variation of the UAC elevation prompt is displayed to standard users when they attempt to perform an administrative task?
A. Consent prompt
B. Credential prompt
C. Approval prompt
D. Admin prompt
4. Your organization requires control over the web apps that users can access from devices. You deploy
Device Registration. Which of the following will take place after you register and enroll a device?
(select three)
A. The device is associated with a user account in the company directory
B. A device object is created in AD DS
C. An email is sent to the user.
D. A user certificate is installed on the device
E. The user will be able to register any other devices on the network.
5. As an IT Support professional, you are helping to configure the company’s infrastructure to allow
Device Registration. Which of the following must be taken into account when configuring the environment? (select four)
A. A DNS record for the host named Enterpriseregistration.
B. At least one domain controller must be running Windows Server 2012 or later.
C. The machine must be using a 64-bit operating system.
D. A Public key infrastructure trusted by the devices.
E. AD FS must be deployed.
F. A VPN will no longer be able to be used.
G. The type of IP configuration.
6. You are an IT Support professional setting up a new PC with Windows 10. Which of the following is
not a type of account you can use when signing in the first time?
A. Domain Account
B. Local Account
C. Microsoft Account
D. Administrator Account
7. You need to set up an account that will be used to logon to a Windows 10 PC. This account needs to
be able to synchronize files with OneDrive. What type of account do you need to create?
A. Domain Account
B. Local Account
C. Microsoft Account
D. Online Service Account
E. None mentioned
8. A 2) A,B,D 3) B,C,E 4) B 5) A,B,D 6) A,B,D,E 7) D 8) C
Module 3 Post-Installation Configuration and Personalization
Lesson Objectives
After completing this lesson, you will be able to:
●● Use advanced startup options.
●● Customize desktop settings.
●● Configure Cortana in Windows 10.
●● Pin to the taskbar. You also can pin apps to the taskbar, in addition to (or rather than) pinning them to
Start. To do this, tap All apps. When a list of all installed apps appears, tap and hold (or right-click) the
desired app, and then tap Pin to taskbar. The app appears as an icon on the taskbar. Administrators
also can pin apps to a user’s taskbar when configuring the user environment.
Note: The taskbar is visible only in desktop mode.
●● Resize tiles. To resize a tile, tap and hold the tile, tap Resize, and then tap the desired size. You can
resize most tiles as Small, Medium, Wide, and Large.
●● Live tiles. You can make many tiles, such as News and Weather, update automatically. Live tiles display content relevant to the app, such as continuously updated news in the News tile or weather information in the Weather tile. To enable live tiles, tap and hold the relevant tile, and then tap Turn live tile on. To disable a live tile, tap and hold the tile, and then tap Turn live tile off.
●● Grouping tiles. You can group tiles into specific categories. Windows creates two default groups
during installation: Life at a glance, and Play and explore. You can rename groups by tapping the title
bar of the group and entering a new name. To create new groups, drag tiles to a new area on the Start
screen. Windows creates a new, unnamed group for the moved tile. You then can add tiles to the
group, and rename it as applicable.
Note: In Windows 10 Enterprise and Windows 10 Education, a network administrator can use Group Policy Objects (GPOs) to configure and control the Start screen and other aspects of the user interface.
Synchronizing settings
For those who use more than one Windows device, Windows 10 can synchronize common settings across multiple devices. This provides a consistent experience for the user, without having to re-apply personalization settings when they use another device. For example, if a user bookmarks a website in Microsoft Edge, that bookmark will persist in the Favorites list when moving to another device.
Settings persist by means of a Microsoft account, which provides a common identity across devices. Settings are maintained as part of the Microsoft account's profile data and are applied when signing into a device.
Settings that can be synchronized across devices include:
●● Theme: desktop background, user tile, taskbar position, etc.
●● Passwords: Windows credential manager, including Wi-Fi profiles
●● Language Preferences: spelling dictionary, system language settings
●● Ease of Access: narrator, on-screen keyboard, magnifier
●● Microsoft Edge browser setting: Microsoft Edge favorites, reading list, and other settings
●● Internet Explorer Settings: browsing history, typed URLs, favorites, etc.
For a complete list of settings, see https://aka.ms/AA65f81.
Settings can also be synchronized using Enterprise State Roaming and Azure Active Directory. This provides additional features such as separation of personal and corporate data, enhanced security, and monitoring capabilities. Azure AD is covered later in this course.
Action Center
The Action Center consolidates notifications from the operating system with shortcut tiles that enable you to perform common or frequently accessed tasks. You can open the Action Center by selecting the notification icon at the bottom right corner of your screen, by using the keyboard shortcut Windows key + A, by swiping left from the screen edge on touch devices, or by tapping with four fingers on the track pad. There you will see the new, fully customizable quick actions: settings you can change quickly, without going through the Settings app.
The action center is also your one-stop shop for notifications to see what’s going on with apps and other
programs from across your device. Plus, now you can also get web notifications in your action center via
Microsoft Edge sites. As always, the action center is fully customizable – check out the Settings App, then
System, then Notifications and actions. There, you can enable and disable what notifications you see in
the action center, as well as select which quick actions are available.
On the Notifications & actions tab, you can:
●● Configure Quick actions. This enables you to configure which tiles appear in the Action Center. Select
Add or remove quick actions to configure a particular tile.
●● Get notifications from apps and other senders.
●● Show notifications on the lock screen.
●● Show reminders and incoming VoIP calls on the lock screen.
●● Hide notifications when I’m duplicating my screen.
●● Show me the Windows welcome experience after updates and occasionally when I sign in to highlight
what’s new and suggested.
●● Get tips, tricks, and suggestions as you use Windows.
You can also configure individual apps and how they will notify you. Under the Get notifications from
these senders heading, enable or disable notifications for each listed app.
Focus Assist
While notifications can be helpful in managing the user's day, they can be distracting in scenarios such as focusing on a particular task or giving a presentation. Focus Assist allows users to suppress these notifications. Focus Assist can be enabled as needed using the Action Center, or can be configured to enable automatically during certain times. It can also be configured to activate during certain scenarios, such as activating automatically when the display is duplicated, for presentation scenarios.
You can also configure priority notifications. These notifications will still be shown, even if Focus Assist is enabled. Examples include communications from specific people in your contact list, telephone calls, and notifications from specific apps.
Configure Cortana
Cortana is a digital agent that is designed to use natural language voice commands to interact with Windows 10 to accomplish tasks faster. You can use Cortana to find out information, such as the weather, or to complete tasks, such as setting a reminder.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the various display settings in Windows 10.
●● Configure display options.
●● Describe how to manage mobile-device settings in Windows 10.
●● Describe power plans.
●● Configure power options.
Note: One of the key differences between Windows 8.1 and Windows 10 is that the latter features the
return of the Start menu. However, you can retain or reapply the Start screen functionality if you want to.
You can access the Settings app in any of the following ways:
●● Open the Action Center, and in the lower portion, select the All Settings tile.
●● Select the Start menu icon, and then select Settings on the menu.
●● Type Settings in the search box located on the taskbar, and then press the Enter key.
The Settings app page has nine separate icons that represent the main categories that you can configure.
When you select any of these icons, you will access a page with subcategories that appear in a console
tree on the left of the page. Depending on the subcategory that you select, more items and configurable
settings appear in the details pane.
Desktop administrators may wish to restrict users from accessing certain settings within the Settings app. This can be controlled by Group Policy as either a user or computer policy in the Administrative Templates > Control Panel > Settings Page Visibility path. Policies can either specify the only settings pages that are shown or, alternatively, specify a list of settings pages that are hidden.
Note: Group Policy is covered in more depth in the next lesson.
The Control Panel appears as a File Explorer folder. You also can open Control Panel by selecting Start and typing “Control Panel”. By default, items in the Control Panel appear in the Category view. However, you also can display items in the Large or Small icon views.
Display Options
Most of the display settings in Windows 10 are new, but some of the settings still use the same configuration options available in older Windows versions. For many people, changing the display options starts with right-clicking the desktop, and then selecting the Display settings menu item. This procedure remains the same in Windows 10. However, by doing so, you open the new Display item in the System category of the Settings app. Here, you can configure a wide variety of settings. The Display item contains the following configurable items:
●● Large Display icon. A large rectangle or multiple large rectangles at the top of the Display area
represent your displays. When you have more than one display, you can change the placement of
these display rectangles. For example, you can move one rectangle to the left and the other to the
right. However, if you extend these displays, the mouse cursor will not necessarily move from left to
right across the gap between displays as expected. To fix this issue, you can switch the two display
rectangles–or more if you have them–so that the mouse’s cursor moves between them.
●● Identify. If you have more than one display, each display rectangle will have a number on it, starting
with the number 1. Even if you only have one display, you will see the rectangle with the number 1 on
it. If you select the Identify hyperlink under the rectangle, a large number will appear in a pop-up
window on your screen, corresponding to the displays you have. Therefore, if you have one display,
you will see a pop-up window with a large number 1 on your only display. If you have two displays,
one display will have a large number 1 in a pop-up window, while the other display will have a large
number 2 in a pop-up window.
●● Detect. When you select this hyperlink, it detects other displays that are connected, but which have
not come up in the Display settings. However, any connected displays should show automatically.
●● Change the size of text, apps, and other items. You can use this slider bar to edit the size from 100
percent, on the far left, to 125 percent on the far right.
●● Orientation. Not all Windows 10 devices will have this drop down option. Virtual machines and
desktops normally do not, because this is primarily a mobility function. Tablets and certain laptops will
change automatically from landscape to portrait view based on how users hold them, due to a
gyroscopic sensor in the device. Not every device has such sensors, and the Display settings provide
the orientation drop down to manage this manually.
●● Brightness level. You can move the toggle on this slider bar from left to right to set the brightness level from 0 to 100 percent. A corresponding number appears right above the slider toggle as you move it, to show the brightness percentage.
●● Multiple displays. This drop-down list box is unavailable if you only have one display. The choices
you can make include Duplicate these displays, Extend these displays, Show only on 1, Show only on
2, and more if you have more than two connected displays.
●● Make this my main display. This check box is only available when you have two or more displays.
You must select one of the large rectangular Display icons to make the change. Otherwise, the main
display will be the monitor you are on, and because that is already the main display, it will be grayed
out. The display that you select will be the display on which you sign in and get the first items on the
desktop.
●● Apply. Some of the changes will not take place until you select Apply. When you do so, the changed
display appears with an overlay screen with a Keep these display settings? Reverting to previous
display in x seconds message. The overlay screen also includes two options: Keep changes and Revert.
If you select Keep changes, you will return to the Display Settings page with the new settings applied.
If you select Revert—or wait for the seconds to elapse—the display reverts back to the way it was
before you selected Apply. The Display Settings page appears again.
●● Cancel. Removes any changes you may have made previously.
●● Advanced Display Settings. This hyperlink takes you to another page that is virtually identical to the
Display page but with the Resolution check box described below. The page also has an Apply option
and a Cancel option at the bottom.
●● Resolution. This drop-down box contains all the resolution sizes that are available to the graphics
device and monitor that make up your display(s). Sizes will vary, but the drop down box normally has
several choices, including the recommended choice for a particular display and that setting, such as
1366X768 (Recommended).
Other display settings
At the bottom of the console tree of the Advanced Display Settings page there is an Advanced sizing of
text and other items hyperlink, which you can select to access the Display area in the Control Panel’s
Appearance and Personalization area. The Display area has several more advanced display settings that
you can modify, which are either duplicates of the Windows 10 Settings app or are not available there.
Many of these settings take you back to the appropriate Settings app page for that functionality.
The Personalization category of the Settings app contains several configurable items that affect the
display, such as background, colors, and other functions such as Themes, Lock screen, and Start menu.
Common Configuration Options 101
The Action Center can help you manage many of the mobile-device settings with simple tiles referred to
as Quick Actions. To open the Action Center, select the Notifications balloon icon on the taskbar’s
notification area. You can select the Quick Actions tiles, or touch them on a touch capable device. The
Quick Actions tiles let you edit different settings quickly. These tiles are:
●● Tablet mode. Enables you to go into tablet mode with one select, and back to normal mode by
selecting or touching it again. When tablet mode is in effect, this tile is live.
●● Connect. Connect searches for wireless display and audio devices by using Bluetooth, wireless, Miracast, or WiGig capable components. In the computing industry, WiGig refers to the Wireless Gigabit Alliance, Institute of Electrical and Electronics Engineers (IEEE) standard 802.11ah.
●● Note. Brings up Microsoft OneNote for Windows 10.
●● All Settings. Takes you to the Settings app.
●● VPN. Connects a VPN connection, if you have one.
●● Quiet hours. Turns off all Windows notifications during the time that you configure. This means that a
new email or friend’s Skype status will not trigger an audio alarm and a pop-up notification. The
benefit of this Quick Action is that you do not have to turn off all notifications manually, and when
you disable Quiet hours, you then see all your notifications.
●● Location. Turn on or off the location based settings that many apps use.
●● Battery saver. Switches the Battery saver mode on and off, which lowers the screen brightness and
limits background tasks, and adjusts other settings to reduce your device’s power consumption.
●● Airplane mode. Turns airplane mode on or off. Airplane mode turns off wireless, cellular, and Bluetooth transmissions while keeping the device running for local tasks.
●● WiFi. Turns your wireless adapter on or off.
●● Bluetooth. Turns your Bluetooth adapter on or off.
Note: Not all Quick Actions tiles will be available on your device. Some of these tiles require that your
device has specific hardware or software installed.
Power Plans
Computing devices need electrical power, regardless of whether they are stationary or mobile. One of the
main concerns with mobile devices that use stored electrical power is that the power in the battery is
limited and depletes over time. Another issue for many organizations is the power consumption by all of
the different devices that they may own. Conserving power helps to reduce business expenses and
benefits the environment.
Power plans
You can create power plans in Windows 10 that govern power consumption and operations. By default,
there are three preconfigured power plans: Balanced, Power saver, and High performance. You can adjust
and save any of these power plans, or create your own power plan. The following table provides details
about each plan.
section on the Define Power buttons and turn on password protection page, which includes check
boxes for
●● Turn on fast startup. Allows the Windows operating system to save system information into a file
that it uses to start up when you reapply power.
●● Sleep. Suspends power to the hard drive and display, but continues supplying power to the
processor and memory.
●● Hibernate. Writes all activity in memory to a file and shuts down all power, but allows the file to
reanimate memory with the same values once you supply power.
●● Lock. Locks the screen, and requires the user to reenter credentials before resuming operations.
●● Choose what closing the lid does. Use this setting to access the Define power buttons and turn on
password protection page, and drop-down list boxes for On Battery and Plugged in. You also can
select an option for Choose what closing the lid does, including Do nothing, Sleep, Hibernate, and
Shut down.
●● Create a power plan. When you select this setting, the Create a Power Plan Wizard appears, in which you can select one of the three default power-plan options: Turn off the display, Put the computer to sleep, and Adjust plan brightness. You can save one of these options under a custom name, and then change the default plan settings on the wizard’s Edit Plan Settings page. You select the Turn off the display and Put the computer to sleep values from a drop-down menu that has options from 1 minute to five hours, or never. You also can configure the Adjust plan brightness setting from fully dim to the highest brightness setting by using its slider bar.
●● Choose when to turn off the display. Use this setting to access the Edit Plan Settings page, which is
identical to the one in the Create a Power Plan Wizard.
●● Change when the computer sleeps. This setting is identical to the Choose when to turn off the
display setting.
The Power Options screen also lists the default and custom power plans. When you select the Change
plan settings setting and access a particular power plan, the Change advanced power settings setting
becomes available. This setting opens the Power Options window, with a list of options that you can
expand and individually select. These options include settings for the battery, hard disk, graphics settings,
multimedia settings, and USB, which refers to universal serial bus.
Windows 10 Privacy
Windows 10 introduces a new setup experience for you to choose the settings that are right for you. This experience, which replaces the previous Express Settings, will look slightly different depending on the version of Windows you are using. If you are moving from Windows 7 or Windows 8, or doing a fresh install of Windows 10, the new setup experience will clearly show you simple but important settings, and you will need to choose your settings before you can move forward with setup.
Privacy settings allow you to control the personal information that is used by the OS or apps, or shared with Microsoft. They also allow users to control which settings and apps have access to certain hardware on the device, such as the device’s camera.
Privacy controls allow you to configure the permission of Windows and apps to access:
●● The location of the device
●● The device camera or microphone
●● Your account information
●● E-mail, contacts, and calendar
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Active Directory
●● Describe the benefits of using Group Policy
●● Configure and apply a Group Policy Object
●● Describe Windows PowerShell
●● Explain how to use Windows PowerShell cmdlets
Activation Overview
All Windows 10 editions require activation. Activation confirms the status of a Windows product and
ensures that the product key has not been compromised. The activation process links the software’s
product key to a particular installation of that software on a device. Unlike Windows 7, Windows 10 does
not have a grace period. You must activate Windows 10 immediately upon installation. Failure to activate
a Windows operating system prevents users from completing customization. If you want to evaluate
Windows 10, Microsoft provides a separate evaluation edition that is available as an .iso image file.
Windows 10 has three main methods for activation:
●● Retail. Any Windows 10 product purchased at a retail store comes with one unique product key that
you type in during product installation. You use the product key to complete activation after installing
the Windows 10 operating system.
●● OEM. OEM system builders typically sell computer systems that include a customized build of Windows 10. You can perform OEM activation by associating the Windows operating system to the computer system BIOS, which means that you cannot transfer this license to another computer.
●● Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software
licensing programs that are tailored to the size and purchasing methods of your organization. Volume
customers set up volume licensing agreements with Microsoft. These agreements include Windows
upgrade benefits and other benefits related to value-added software and services. Microsoft Volume
Licensing customers use Volume Activation Services to assist in activation tasks, which consist of
Active Directory–based activation, KMS, and multiple activation key (MAK) models.
You can view the Windows 10 activation status either on the System properties page, or by running the
following command at a command prompt:
cscript C:\windows\system32\slmgr.vbs -dli
When you activate your Windows 10 Home and Pro editions, Windows 10 generates a unique ID based
on the hardware present in your computer. This ensures that you cannot use your Windows 10 license on
another computer. If you change a significant amount of hardware, you might have to reactivate
Windows 10.
If you plan to implement KMS, MAK, or Active Directory–based activation, you must consider certain
aspects, limitations, and requirements. The following factors are applicable for each of these three
volume activation methods.
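The activation status can also be read programmatically. The following is an added example, not code from the course: it queries the SoftwareLicensingProduct CIM class, which is the same data slmgr.vbs reports, and maps the numeric LicenseStatus to its documented names. The grace-period conversion and the "Windows%" name filter are the example's own choices.

```powershell
# Added example (not from the course): report Windows activation state from the
# SoftwareLicensingProduct CIM class, the source behind "slmgr.vbs -dli".
function Get-WindowsActivationState {
    [CmdletBinding()]
    param()

    # Documented LicenseStatus codes for SoftwareLicensingProduct
    $statusNames = @{
        0 = 'Unlicensed'
        1 = 'Licensed'          # activated
        2 = 'OOBGrace'          # out-of-box grace period
        3 = 'OOTGrace'          # out-of-tolerance grace (significant hardware change)
        4 = 'NonGenuineGrace'
        5 = 'Notification'
        6 = 'ExtendedGrace'
    }

    # Only product entries that actually have a key installed describe this
    # installation; the name filter keeps Windows entries and drops Office etc.
    Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND Name LIKE 'Windows%'" |
        ForEach-Object {
            [pscustomobject]@{
                Product           = $_.Name
                PartialProductKey = $_.PartialProductKey
                LicenseStatus     = $statusNames[[int]$_.LicenseStatus]
                # GracePeriodRemaining is reported in minutes; show days instead
                GraceDaysLeft     = [math]::Round($_.GracePeriodRemaining / 1440, 1)
                # Populated only when the client activated against a KMS host
                KmsHost           = $_.DiscoveredKeyManagementServiceMachineName
            }
        }
}

Get-WindowsActivationState | Format-List
```

A LicenseStatus other than Licensed on a device that should be activated (for example OOTGrace after a motherboard replacement, or Notification when a KMS host can no longer be reached) is the condition to alert on in a fleet inventory.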
Group Policy
Group Policy is a system that you can use to apply configuration settings to Windows clients and servers.
You create Group Policy Objects (GPOs) that contain Group Policy settings. The settings can be applied to
the local client individually. With domain-joined clients, Windows-based computers download and apply
the settings in GPOs.
configurable settings. These settings can affect nearly every area of the computing environment. Not all
settings can be applied to all older versions of Windows Server and Windows operating systems. Each
new version introduces new settings and capabilities that only apply to that specific version. If a
computer has a Group Policy setting applied that it cannot process, it simply ignores it.
For example, in Windows 7 you do not use Group Policy to configure a Start menu layout, so Windows 7
computers ignore the Start menu layout. However, Windows 10 devices will process the setting.
Most Group Policy settings have three states:
●● Not Configured. The GPO does not modify the existing configuration of the setting for the user or
computer.
●● Enabled. The GPO applies the policy setting.
●● Disabled. The GPO reverses the policy setting.
Note: By default, most Group Policy settings are set to Not Configured.
Note: Some settings are multivalued or have text string values. These typically provide specific
configuration details to applications or operating system components. For example, a setting might
provide the URL of the home page for Internet Explorer or a list of blocked applications.
The effect of the configuration change depends on the Group Policy setting. For example, if you enable
the Prohibit Access to Control Panel Group Policy setting, users will be unable to open Control Panel. If
you disable the Group Policy setting, you ensure that users can open Control Panel. Notice the double
negative in this Group Policy setting: you disable a policy setting that prevents an action, thereby
allowing the action.
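Administrative Template settings such as Prohibit Access to Control Panel are written to the registry under a Policies key, so the effective state can be audited on the client. The following is an added example, not from the course, that reads the value behind this setting and maps it to the three states above; the registry path and the NoControlPanel value name are the ones this template uses, and the interpretation of an absent value is the example's own caveat.

```powershell
# Added example (not from the course): read the registry value that the
# "Prohibit access to Control Panel and PC settings" Administrative Template
# writes, and map it back to the three policy states described above.
function Get-ControlPanelPolicyState {
    [CmdletBinding()]
    param(
        # Policy key and value name this user-configuration setting uses
        [string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        [string]$Name = 'NoControlPanel'
    )

    $value = $null
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$Name }
    }

    # Enabled writes 1, which blocks Control Panel. Disabled writes 0 or removes
    # the value (depending on the template definition), and Not Configured never
    # touches it, so an absent value is ambiguous from the registry alone.
    if ($value -eq 1) {
        'Enabled: users cannot open Control Panel'
    }
    elseif ($value -eq 0) {
        'Disabled (value explicitly 0): users can open Control Panel'
    }
    else {
        'Not Configured or Disabled: no policy value present, default behaviour applies'
    }
}

Get-ControlPanelPolicyState

# Resultant Set of Policy distinguishes Disabled from Not Configured and shows
# which GPO (local, site, domain, or OU) won for each setting.
gpresult /h "$env:TEMP\rsop.html" /f
```

Because a value under a Policies key is only meaningful while the GPO that wrote it still applies, a registry check is a quick spot check; the gpresult report is the authoritative answer when a setting does not behave as expected.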
Section: Description
Software settings: Contains software settings that can deploy to either the user or the computer. Software
that deploys or publishes to a user is specific to that user. Software that deploys to a computer is
available to all users of that computer.
Windows operating system settings: Contains script settings and security settings for both user and
computer, and Internet Explorer maintenance for the user configuration.
Administrative templates: Contains hundreds of settings that modify the registry to control various aspects
of the user and computer environment. Microsoft or other vendors might create new administrative
templates. You can add these new templates to the GPMC. For example, Microsoft has Microsoft Office
2013 templates that are available for download that you can add to the GPMC.
110 Module 3 Post-Installation Configuration and Personalization
Local GPOs
Each Windows 10–based computer has one local GPO that contains default computer and user settings,
regardless of whether the computer is part of an AD DS environment. In addition to this default local
GPO, you can create custom local user GPOs.
A local GPO is the least influential object in an AD DS environment because its settings can be
overwritten by GPOs that are associated with sites, domains, and OUs. In a non-networked environment, or in a
networked environment that does not have a domain controller, local GPO settings are important
because other GPOs do not overwrite them. Stand-alone computers only use local GPOs to control the
environment.
Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer
Windows Server operating systems, have an added feature: multiple local GPOs. Since Windows 8 and
Windows Server 2012, you also can have different user settings for different local users, but this is only
available for the user configuration part of Group Policy. There is only one set of computer
configuration settings, and it affects all users of the computer.
Computers that run Windows 7 and newer versions provide this ability with the following three layers of
local GPOs:
●● Local Group Policy (contains the computer configuration settings)
●● Administrators and Non‑Administrators Local Group Policy
●● User‑specific Local Group Policy
Domain GPOs
You can use Group Policy in an AD DS environment to provide centralized configuration management.
Domain GPOs are created and linked to objects within an AD DS infrastructure. The settings in the GPO
then affect the computers and users that are within those objects, depending on how you configure the
application of the GPO.
Windows PowerShell has several characteristics that make it ideal for local and remote management of
one or more Windows 10 devices, including:
●● Windows operating-system integration. Microsoft introduced Windows PowerShell 1.0 as an
installable option for Windows Vista and as a feature for Windows Server 2008. Every Windows
operating-system version since Windows 7 and Windows Server 2008 R2 has included native support
for Windows PowerShell. Windows PowerShell 2.0 was part of Windows 7 and Windows Server 2008
R2. Windows PowerShell 3.0 is part of Windows 8 and Windows Server 2012. Windows PowerShell 4.0
is part of Windows 8.1 and Windows Server 2012 R2, and Windows PowerShell 5.0, the most recent
version, is part of Windows 10.
●● Remote management capability. You can use Windows PowerShell to manage remote computers,
provided remote management is enabled and the user who is performing the remote management
has the proper authorization.
●● Script-based execution. You can use Windows PowerShell scripts to build automation and complex
logic into management tasks.
Cmdlets
Cmdlets use a naming convention of a verb or action, followed by a noun or a subject. For example, to
retrieve a list of services, you would use the Get-Service cmdlet. This standardization makes it easier to
learn how to accomplish administrative tasks. Some common cmdlet verbs are:
●● Get. Retrieves data.
●● Set. Establishes or modifies data.
●● New. Creates a new object.
Each cmdlet has options called parameters. Some parameters are required and some are optional. The
parameters vary for each cmdlet. The following example shows how to start the Application Identity
service by using the -Name parameter:
Start-Service -Name "Application Identity"
Note: The cmdlets that are available for use on a computer system vary depending on its Windows
PowerShell version and the snap-ins with cmdlets that are installed.
Another useful cmdlet is Get-Command. This cmdlet shows a list of all cmdlets, aliases, functions,
workflows, filters, scripts, and applications installed on your version of Windows PowerShell.
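The verb-noun convention and Get-Command together are what make a task discoverable. The following is an added example, not from the course: it uses Get-Command to list every cmdlet that acts on services, then applies the same Get-Service pattern the lab scenario asks for to find services that are set to start automatically but are not running, a simple health check. The exclusion list is a constructed assumption.

```powershell
# Added example (not from the course): discover service cmdlets by noun, then
# report services that should be running (StartType Automatic) but are not.
function Find-ServiceCmdlets {
    # Every cmdlet whose noun is Service, with the verb that tells you what it does
    Get-Command -Noun Service -CommandType Cmdlet |
        Select-Object Name, Verb, ModuleName
}

function Get-StoppedAutomaticService {
    [CmdletBinding()]
    param(
        # Services that legitimately stop when idle can be excluded; this default
        # list is an assumption for the example, adjust it for your environment
        [string[]]$Exclude = @('sppsvc')
    )
    # StartType is exposed on ServiceController objects in Windows PowerShell 5.0
    Get-Service |
        Where-Object {
            $_.StartType -eq 'Automatic' -and
            $_.Status -ne 'Running' -and
            $_.Name -notin $Exclude
        } |
        Select-Object Name, DisplayName, Status, StartType
}

Find-ServiceCmdlets | Format-Table -AutoSize
Get-StoppedAutomaticService | Format-Table -AutoSize

# Starting one of the reported services uses the -Name parameter shown above;
# -WhatIf previews the action without performing it
# Start-Service -Name 'Application Identity' -WhatIf
```

Run in the PowerShell ISE, the second function is a ready starting point for the "list all running services" script in the practice lab: drop the Status filter and you have the full running list, keep it and you have an exception report.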
There are numerous websites that can help you learn Windows PowerShell. Microsoft TechNet has the
Microsoft Script Center, where you can search for Windows PowerShell scripts based on what you want
the script to do. Examples include deleting files older than X number of days, controlling Windows
Update on your computer, and a wide variety of other functions.
Microsoft Script Center for PowerShell: http://aka.ms/ipge1q
Managing Drivers and Device Peripherals 117
Lesson Objectives
After completing this lesson, you will be able to:
●● Explain the use and importance of device drivers.
●● Explain how to manage device peripherals.
●● Describe Windows 10 printer features.
●● Describe printing components.
●● Describe benefits of Type 4 printer drivers.
●● Describe how to manage client-side printing.
●● Describe how to manage print server properties.
●● Install and share a printer.
In cases such as these, most manufacturers make their drivers available for download on their website.
These are typically referred to as driver packages. A driver package is a set of files that make up a device
driver. A driver package is device-specific and enables Windows 10 to communicate with the device. A
driver package includes:
●● The .inf file.
●● Any files that the .inf file references.
●● The catalog (.cat) file that contains the digital signature of the device driver.
How the driver is installed depends on how the driver was packaged. Some are provided with an
executable, which installs the driver into the driver store, just like installing an app. When the respective
hardware is detected, Windows uses that driver to communicate with the hardware. If the driver
package isn't self-installing, then when the hardware is connected Windows searches several locations
for a matching driver, or the user can specify the location of the driver package.
Once the driver is installed, it's located in the driver store at %SystemRoot%\System32\DriverStore. When
managing drivers at scale, administrators can include driver packages in the OS image or deploy them
separately using methods such as Group Policy or management tools like MDT or Configuration
Manager. Once drivers are in the driver store, the end-user experience remains seamless when they attach
the hardware.
been altered since it was digitally signed. The 32-bit versions of Windows 10 check for a driver's digital
signature during driver installation and prompt the user if the driver is unsigned. The 64-bit versions of
Windows 10 require that all drivers have a digital signature, and do not allow you to install unsigned
device drivers.
Driver store
The driver store is the Windows 10 driver package repository. Because the driver store is a trusted
location, when you connect compatible hardware, Windows 10 installs the driver for the appropriate
device automatically from the driver store. Standard users can install any device driver from the driver
store. Therefore, users can attach and use new devices without help from the IT helpdesk, if their driver
package is in the driver store. Information technology (IT) administrators can preload the driver store with
the necessary driver packages for commonly used devices. The driver store is located at
%SystemRoot%\System32\DriverStore.
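Because standard users can install anything that is already in the driver store, what is staged there is worth inventorying. The following is an added example, not from the course, that lists the third-party (non-inbox) packages in the running system's driver store with Get-WindowsDriver, checks each package's catalog signature with Get-AuthenticodeSignature, and shows the pnputil commands that stage a package ahead of time. The driver package path is a constructed placeholder.

```powershell
# Added example (not from the course): inventory vendor driver packages in the
# driver store and verify the catalog (.cat) signature of each one.
function Get-StagedDriverReport {
    [CmdletBinding()]
    param()
    # Get-WindowsDriver (DISM module) lists packages in the driver store of the
    # running OS; Inbox = $false keeps only vendor packages (published as oemNN.inf)
    Get-WindowsDriver -Online |
        Where-Object { -not $_.Inbox } |
        ForEach-Object {
            # OriginalFileName is the staged .inf under DriverStore\FileRepository;
            # the package's .cat file in the same folder carries the signature that
            # 64-bit Windows requires before the driver can be installed
            $dir = Split-Path -Path $_.OriginalFileName -Parent
            $cat = Get-ChildItem -Path $dir -Filter *.cat -ErrorAction SilentlyContinue |
                   Select-Object -First 1
            $sig = if ($cat) { Get-AuthenticodeSignature -FilePath $cat.FullName } else { $null }

            [pscustomobject]@{
                PublishedName = $_.Driver            # e.g. oem12.inf
                Provider      = $_.ProviderName
                Class         = $_.ClassName
                Version       = $_.Version
                Date          = $_.Date
                StorePath     = $dir
                SignatureOk   = if ($sig) { $sig.Status -eq 'Valid' } else { $false }
                Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            }
        }
}

Get-StagedDriverReport | Sort-Object Provider | Format-Table -AutoSize

# Preloading the driver store with a vendor package (requires elevation).
# $PackagePath is an assumed location of an extracted driver package.
# $PackagePath = 'C:\Drivers\ContosoNic'
# pnputil /add-driver "$PackagePath\*.inf" /subdirs /install
# pnputil /enum-drivers
# pnputil /delete-driver oem12.inf        # remove a staged package by its published name
```

A package whose SignatureOk is false, or whose Signer is not the vendor you expect, should be removed with pnputil /delete-driver before any user plugs in the matching hardware, since the store's trusted status means no further prompt will protect them.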
Device Manager
You can use Device Manager to install and update device drivers; disable or enable devices; use the Driver
Roll Back feature; change resources that devices use, such as interrupt requests (IRQs); and troubleshoot
device problems. You also can use Device Manager to view devices that are connected currently to your
network, and the resources that they are using. You can sort these items by device type or connection.
The Device Manager view updates dynamically when the status of a connected device changes, or you
can update it manually, by selecting the option to scan for hardware changes.
Setting Up Printers
Like most modern peripherals for a computer, when you attach a printer directly to the device, Windows
10 will automatically discover and download the appropriate driver needed. However, there are several
unique factors related to managing printers that require additional discussion on the topic.
The most significant factor is that most printers are not intended for use by a single device. In
organizations, most printers are attached directly to the network or to a print server, and not directly to
the end-user computer. Even at home, with a printer connected to one computer, there is often a
desire to let other devices print to it.
When you install and share a printer in Windows 10, you must define the relationship between the
printing device, which is the physical printer, and the Windows 10–based computer. You can do this by
adding a printer in Windows 10, and then specifying which driver will be used for communicating with
the printing device and processing print jobs, and which port will be used for connecting with the
physical printing device. Typically, locally attached Plug and Play printing devices install automatically.
However, when you add a wireless printing device or a network-printing device in Devices and Printers by
using the Add printers button, Windows 10 must be able to communicate with the printing device or the
print server to which the printing device is connected.
Printing device
A printing device is a physical device that is available locally, connected to the network, or connected to
the print server. You use it to produce the print job output, which is typically a printed document. By
default, Windows 10 supports many printing devices and includes drivers for communicating with those
devices. You can add support for additional devices if needed.
Printer port
Windows 10 can automatically detect printers when you connect them to your computer, and it installs
the printer driver without interaction if the driver is available in the driver store. However, a Windows
operating system might not detect printers that you connect by using older ports, such as serial (COM) or
parallel (LPT) ports, or network printers. In these cases, you must configure a printer port manually.
printer. The drawback to this method is that it relies on users knowing which print server is sharing the
printer, which is not the case in most companies.
●● Find a printer in the directory. When a printer is shared in an AD DS environment, the print
administrator has the option to publish the printer in AD DS. Users can search the directory to locate the
printer based on its location or printer features. That makes it easier to locate an appropriate printer,
because you can search only among printers that are available in the same location and support the
required features, such as color printing.
●● Deploy printers by using Group Policy settings. When you deploy printers by using Group Policy,
you can deploy printers centrally to users and computers, and make them available when users sign
in. You can use Group Policies to deploy printers based on different criteria, such as group
membership, or the organizational unit of the user account or computer location. One of the ways to deploy
printers by using Group Policy is to right-click a printer in the Print Management console, and then
select the Deploy with Group Policy option.
●● Deploy printers by using Group Policy preferences. You can use Group Policy preferences to
distribute printers to users and computers. Group Policy preferences are more flexible than Group
Policy settings because you can deploy printers based on additional criteria, such as whether users are
using laptops, the IP address range of computers, time ranges, or Lightweight Directory Access
Protocol (LDAP) queries. You can use Group Policy preferences to create, update, replace, or delete a
printer.
Manual methods for printer installation generally are not scalable in medium-sized organizations, as it is
too time-consuming to add and remove required printers manually on users’ computers.
Note: Ensure that you download and use the printer driver for the appropriate architecture. You should
use an x86 driver for 32-bit versions of Windows 10 and an x64 driver for 64-bit versions of Windows 10.
Be particularly careful when adding older printers. A 64-bit driver might not be available for some older
printers.
Microsoft introduced Type 4 printer drivers in Windows 8 and Windows Server 2012. By following the
Type 4 printer driver model, printer manufacturers can create a single Print Class Driver that supports
similar printing features and printing languages that are common to a large number of printer models.
Common printing languages include PCL, PostScript, and XPS.
Type 4 printer drivers typically are delivered by using Windows Update or Windows Software Update
Services (WSUS). Unlike Type 3 drivers, Type 4 drivers do not download from a print server.
A Type 4 printer driver model provides the following benefits:
●● Sharing a printer does not require adding additional drivers that match the client architecture.
●● A single Type 4 driver can support multiple printer models.
●● Driver files are isolated on a per-driver basis, which prevents potential driver file-naming conflicts.
●● Driver packages are smaller and more streamlined than Type 3 drivers, and Type 4 drivers install faster
than Type 3 drivers.
●● Printer driver and the printer user interface can be deployed independently with Type 4 drivers.
Additional Reading: For more information about Type 4 printer drivers, refer to: “Print and Document
Services Architecture” at: http://aka.ms/vjupv8
You can manage client-side printing by using various tools, such as Devices and Printers, the Print
Management console, and Windows PowerShell cmdlets from the PrintManagement module. Typical
operations include the following tasks:
●● Modifying printer properties, such as sharing, security, and advanced properties.
●● Selecting your default printer.
●● Viewing and managing your print queue.
●● Pausing or resuming a printer’s operation.
●● Pausing, resuming, restarting, or canceling print jobs.
●● Reordering print jobs in your print queue.
what, and how many unprinted pages remain. From the print queue, you can view and maintain the print
jobs for each printer.
You can access the print queue from Devices and Printers by right-clicking a printer, and then selecting
the See what’s printing option, or by running the Get-PrintJob cmdlet, as the following example shows
for the Printer1 queue:
Get-PrintJob -PrinterName Printer1
You can view all printer-related cmdlets by running Get-Command -Module PrintManagement.
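The printer, driver, and port relationship described above, and the queue operations just listed, can all be scripted with the PrintManagement module. The following is an added example, not from the course: it sets up a shared network printer using the inbox Microsoft PCL6 Class Driver (a Type 4 class driver, so nothing is downloaded from a vendor) and then inspects its queue. The printer address, names, and location are constructed placeholders.

```powershell
# Added example (not from the course): add a TCP/IP port, install the inbox
# PCL6 class driver, create and share a printer, then inspect its queue.
$hostAddress = '10.0.0.50'                       # assumed printer IP address
$portName    = "IP_$hostAddress"
$printerName = 'Marketing-PCL6'                  # assumed printer name
$driverName  = 'Microsoft PCL6 Class Driver'     # inbox Type 4 class driver

# 1. Port: network printers are not discovered like Plug and Play devices,
#    so the port is created explicitly (see "Printer port" above)
if (-not (Get-PrinterPort -Name $portName -ErrorAction SilentlyContinue)) {
    Add-PrinterPort -Name $portName -PrinterHostAddress $hostAddress
}

# 2. Driver: class drivers ship with Windows, so no vendor download is needed
if (-not (Get-PrinterDriver -Name $driverName -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $driverName
}

# 3. Printer: bind the driver to the port, and share it in the same step
if (-not (Get-Printer -Name $printerName -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $printerName -DriverName $driverName -PortName $portName `
                -Shared -ShareName $printerName -Location 'Building 1, Floor 2'
}

# 4. Queue management: the same view as "See what's printing", filtered to
#    jobs that are stuck in an error or paused state
function Get-StuckPrintJob {
    param([string]$Printer)
    Get-PrintJob -PrinterName $Printer |
        Where-Object { $_.JobStatus -match 'Error|Paused' } |
        Select-Object Id, UserName, DocumentName, JobStatus, SubmittedTime
}

Get-Printer -Name $printerName | Select-Object Name, DriverName, PortName, Shared, ShareName
Get-StuckPrintJob -Printer $printerName
# Remove-PrintJob -PrinterName $printerName -ID <job id>   # cancel one stuck job
```

Restricting the shared printer to a group, as the lab scenario requires for the Managers group, is done through the printer's security properties (or Set-Printer with its -PermissionSDDL parameter); the example leaves the default permissions in place.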
Summary
In this lab you will learn how to configure computer settings using Windows Settings, the Control Panel,
and Windows PowerShell. You also learn how to customize and deploy a custom Windows 10 Start page
layout.
Scenario
You need to use Windows Settings to validate protection settings, device specifications, and Windows
specifications. You also need to determine which applications are slowing down the startup process for
Windows 10. Finally, you need to create a new power plan that minimizes power usage, but does not
impact multimedia presentations while the device is running on battery.
Scenario
You need to use Windows PowerShell to test the scripting environment. To become familiar with
PowerShell, you will run several commands and then use the PowerShell ISE to create a script that lists all
running services on the device.
Scenario
You need to ensure that all Windows 10 devices contain the Contoso utilities apps on the Start menu. To
do this, you decide to create and export a custom Start layout that only locks down the specified groups
in the XML file. Users will still be able to customize other areas of the Start menu as needed.
Summary
In this lab you will learn how to synchronize settings to support users working on multiple devices.
Practice Labs and Module Review 129
Scenario
You frequently use two devices, SEA-WS1 and SEA-WS2, and would like to ensure that Windows settings
and Microsoft Edge favorites are synchronized between the two devices. You need to add your Microsoft
account to both devices and configure synchronization settings between the devices.
Summary
In this exercise, you will perform basic printer configuration. You will add a local printer by using Devices
and Printers. You then will configure printer security, and use the Print Management tool to add a printer
on a remote computer. You also will connect to a remote printer, and then manage a print job.
Scenario
The Contoso Marketing department has purchased a new printer that uses a Microsoft PCL6 Class Driver
that’s attached to SEA-SVR1. Marketing wants to share the printer but restrict use to just the Managers
group. There is another printer attached to SEA-SVR2 that uses the Microsoft PS Class Driver, which is
also to be shared with access for everyone to print. You need to configure these printers as requested.
After you configure the printers you will have a user named Terry test that she can only print to the
printer on SEA-SVR2, and that print jobs initiated from SEA-SVR2 can be seen in the queue on SEA-SVR1.
Module Review
Check Your Knowledge
1. To customize the available icons in the Action Center:
A. Right-click on the Action Center and select “Customize”
B. Select on the Action Center and select the "Customize" option
C. Select on the Action Center, and select the “All Settings” option
D. Open the Settings App and select "System" and then “Notifications and actions”
2. You have a Windows 10 computer and need to adjust the settings. You need to access advanced
settings that are not available in the Settings app. What could you do? (select two)
A. press CTRL + ALT + DEL
B. By selecting the Windows Start icon, and typing “Control Panel”
C. By opening the Settings App and selecting the "Advanced Options" icon
D. From the File Explorer folder navigate to Control Panel
E. Delete all users and start over
3. As an IT Support professional, you are working on becoming more proficient with Windows
PowerShell. You are using the Get-Command cmdlet to look for commands and discover their purpose.
Which of the following command types can this cmdlet show? (select four)
A. Aliases
B. Functions
C. Cmdlets
D. Filters
E. Modules
F. Providers
130 Module 3 Post-Installation Configuration and Personalization
4. Setting what happens when the lid closes in Windows 10 is a configuration option in:
A. Display options
B. Power plans
C. Ease of Access
D. USB Setting
5. You want to remove the “Gaming” option from the Windows Settings App. You would accomplish this
by:
A. Uninstalling Solitaire
B. Creating a group policy that hides the "Gaming" option.
C. Right-clicking on the “Gaming” option and selecting "Hide from view"
D. Removing the “Gaming” tile in the Notification and actions page
E. Login with a work or school account
Answers: 1) D 2) B,D 3) A,B,C,D 4) B 5) B
Module 4 Updating Windows
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the Windows 10 Service Model.
●● Describe the different Windows Service Channels.
●● Describe the available methods for applying updates to Windows 10.
Windows as a service
Instead of new features being added only in new releases that happen every few years, the goal of
Windows as a service is to continually provide new capabilities. New features are provided or updated
two to three times per year, while maintaining a high level of hardware and application compatibility. The
key to enabling significantly shorter product cycles while maintaining high quality levels is an innovative
community-centric approach to testing that Microsoft has implemented for Windows 10. The community,
known as Windows Insiders, is comprised of millions of users around the world.
When Windows Insiders opt in to the community, they test many builds over the course of a product
cycle, and provide feedback to Microsoft through an iterative methodology called flighting. Builds
distributed as flights provide the Windows engineering team with significant data regarding how good
builds are performing in actual use. Flighting with Windows Insiders also enables Microsoft to test builds
in much more diverse hardware, application, and networking environments than in the past, and to
identify issues far more quickly. As a result, Microsoft believes that community-focused flighting will
enable both a faster pace of innovation delivery, and better public release quality than ever.
Although Microsoft releases flight builds to Windows Insiders, Microsoft will publish two types of
Windows 10 releases broadly to the public on an ongoing basis:
●● Feature updates that install the latest new features, experiences, and capabilities on devices that are
already running Windows 10. Because feature upgrades contain an entire copy of Windows, they are
also what customers can use to install Windows 10 on existing devices running Windows 7 or
Windows 8.1, and on new devices where no operating system is installed.
●● Quality updates that focus on the installation of security fixes and other important updates. Microsoft
expects to publish an average of two to three new feature upgrades per year, and to publish servicing
updates as needed for any feature upgrades that are still in support. Microsoft will continue
publishing servicing updates on Update Tuesday (sometimes referred to as Patch Tuesday). Additionally,
Microsoft may publish additional servicing updates for Windows 10 outside the Update Tuesday
process when required to address customer needs.
It is important to note that, to improve release quality and simplify deployments, all new releases that
Microsoft publishes for Windows 10 will be cumulative. This means new feature upgrades and servicing
updates will contain the payloads of all previous releases (in an optimized form to reduce storage and
networking requirements), and installing the release on a device will bring it completely up to date. Also,
unlike earlier versions of Windows, you cannot install a subset of the contents of a Windows 10 servicing
update. For example, if a servicing update contains fixes for three security vulnerabilities and one
reliability issue, deploying the update will result in the installation of all four fixes.
This new model uses simpler deployment methods, reducing the overall amount of effort required for
Windows servicing. By combining these simpler methods (such as in-place upgrade) with new techniques
to deploy upgrades in phases to existing devices, the effort that used to be performed as part of a
traditional deployment project is spread across a broad period.
The following terms are used when discussing the new Windows 10 servicing model:
Term: Description
Feature updates: A new Windows 10 release that contains additional features and capabilities, released
two to three times per year.
Quality updates: In Windows 10, rather than receiving several updates each month and trying to figure
out which the organization needs, which ultimately causes platform fragmentation, administrators will see
one cumulative monthly update that supersedes the previous month’s update, containing both security
and non-security fixes.
Windows Servicing Model 133
Channel: The Windows servicing channel is one of three choices: Windows Insider, Semi-Annual Channel,
or Long-Term Servicing Channel. Channels allow customers to designate how frequently their individual
devices are updated.
Ring: These are simply a method by which to separate machines into a deployment timeline. The
Windows servicing rings are Preview, Targeted, Broad, and Critical.
For more information on Windows as a service, you can see: https://aka.ms/Eisrck
Servicing Tools
There are many tools with which IT pros can service Windows as a service. Each option has its pros and
cons, ranging from capabilities and control to simplicity and low administrative requirements. The
following are examples of the servicing tools available to manage Windows as a service updates:
●● Windows Update is a service that provides software updates that keep your computer up to date and
protected. In the Settings app, in Update & security, on the Windows Update tab, you can view the
updates that are available for your Windows 10 device. Under Advanced options, you can configure
how Windows Update downloads and installs updates for your computer. Generally, you must
configure computers that are running Windows 10 to download and install updates automatically to
ensure that the computer has the most up-to-date and protected configuration possible. Windows
Update also can update non-Microsoft software components including drivers. Note: By default,
Windows 10 will download and install updates automatically.
●● Windows Server Update Services (WSUS) provides extensive control over Windows 10 updates and
is natively available in the Windows Server operating system. In addition to the ability to defer
updates, organizations can add an approval layer for updates and choose to deploy them to specific
computers or groups of computers whenever ready.
●● Windows Update for Business is the second option for servicing Windows as a service. This servicing
tool includes control over update deferment and provides centralized management using either
Group Policy or Microsoft Intune. Windows Update for Business can be used to defer updates by up
to 365 days, depending on the version. These deployment options are available to clients in the
Semi-Annual Channel.
●● Configuration Manager provides the greatest control over servicing Windows as a service. IT pros
can defer updates, approve them, and have multiple options for targeting deployments and
managing bandwidth usage and deployment times.
With all these options, which an organization chooses depends on the resources, staff, and expertise its IT
organization already has. For example, if IT already uses Configuration Manager to manage Windows
updates, it can continue to use it. Similarly, if IT is using WSUS, it can continue to use that.
For a consolidated look at the benefits of each tool see the following table:
back, any changes will be lost, including installed apps, and it’s recommended that user data be backed
up prior to a rollback.
To roll back to the previous version, open the Settings app, select the Update & security category, and
then select Recovery. Here, you have the option to go to the previous version.
Updating Windows 137
Updating Windows
Lesson Introduction
To utilize Windows Update effectively, you must be aware of the configuration options that it provides,
and you must be able to guide users on how to configure these options.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the available methods for applying updates to Windows 10.
●● Explain the Windows Update configuration options.
●● Explain the Group Policy Object (GPO) settings available for configuring Windows Update.
●● Configure Windows Update.
●● Describe how to use Windows Server Update Services (WSUS) to provide updates to Windows 10.
From the Windows Update tab, you can configure the following settings:
●● Check for updates. Here you can check whether new updates are available.
●● Update history. You can use this option to view both updates that are applied, and those that failed
to apply. Here you also can tap the Uninstall updates option to open the Installed Updates node of
Programs and Features in Control Panel. You then can choose to remove any unwanted updates. In
this page, there is also a Recovery Options link, which you can use to reset the computer to a previous
build, or to use advanced startup.
●● Change active hours. You can use this setting to ensure that Windows 10 will not restart during
active hours, which by default is set between 8:00 AM and 5:00 PM.
●● Restart options. From here, you can configure a custom restart time, if you want Windows 10 to
restart at a certain time.
From the Advanced options, you can configure the following settings:
●● Receive updates for other Microsoft products when I update Windows. If you have Microsoft
Office or other Microsoft products installed, selecting this option enables Windows Update to keep
those products up to date simultaneously.
●● Pause Updates. This option allows the user to defer updates for up to 35 days, including security
updates.
●● Defer feature updates. Some Windows 10 editions allow you to defer updates to your computer.
When you defer updates, Windows 10 does not download or install new Windows 10 features for
several months. Note: Deferring feature updates does not affect security updates, but it does prevent
you from receiving the latest Windows features as soon as they are available. Deferring updates is
covered in more detail in the Windows Update for Business topic later in this lesson.
●● Choose when updates are installed. These options allow you to set the number of days to defer
when feature and quality updates are installed. Note: Prior to Windows 10 version 1903, there was an
option to choose between Semi-Annual Channel (Targeted) and Semi-Annual Channel, as a way of
defining which devices would receive updates sooner rather than later. This option has been removed,
and deferrals are configured by setting the number of days to defer quality and feature updates.
From the Delivery Optimization tab, you can configure the following:
●● Allow downloads from other PCs. Windows Update enables you to obtain updates from more than
one place. By default, this is enabled. This setting means that Windows obtains updates from Micro-
soft, but also from computers on the local network. The advantage of this scenario is that Windows
can obtain updates more quickly: once one device has updates installed, other devices can obtain the
same updates without needing to download from Microsoft. You can configure the additional sources
as either:
●● PCs on my local network
●● PCs on my local network, and PCs on the Internet
Turning this option off will mean the client will only download updates from Microsoft.
●● Selecting Advanced options on the Delivery Optimization page allows you to restrict the bandwidth
available for downloading updates and uploading updates to other PCs.
The WSUS role provides a central management point for updates to your computers running the Win-
dows operating system. By using WSUS, you can create a more efficient update environment in your
organization, and stay better informed about the overall update status of the computers on your net-
work.
WSUS is a server role included in the Windows Server operating system that downloads and distributes
updates to Windows clients and servers. WSUS can obtain updates that are applicable to the Windows
operating system and common Microsoft programs, such as the Microsoft Office suite and Microsoft SQL
Server.
In the simplest configuration, a small organization can have a single WSUS server that downloads
updates from the Microsoft Update website. The WSUS server then distributes the updates to computers
that you have configured to obtain automatic updates from the WSUS server. You must approve the
updates before clients can download them.
Larger organizations can create a hierarchy of WSUS servers. In this scenario, a single centralized WSUS
server obtains updates from Microsoft Update, and other WSUS servers obtain updates from the central-
ized WSUS server.
You can organize computers into groups to simplify the approval of updates. For example, you can
configure a pilot group to be the first set of computers that you use for testing updates.
WSUS can generate reports to help monitor update installation. These reports can identify which com-
puters have not applied recently approved updates. Based on these reports, you can investigate why this
is happening.
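The pilot-group and reporting workflow described above, as an added example that is not code from the MD-100 handbook or from the WSUS product: it runs on the WSUS server with the UpdateServices module that ships with the role, approves the still-unapproved Critical and Security updates that clients have reported needing for a pilot computer group, and then lists each pilot computer's installation summary so that machines that have not applied approved updates stand out. The group name "Pilot" is an assumption; the `$DryRun` switch is a convenience of this example, not a cmdlet feature.

```powershell
# Added example (not from the MD-100 handbook): approve needed updates for a
# pilot ring on a WSUS server and report the pilot computers' update status.
# Assumes the UpdateServices module (installed with the WSUS role) and a
# computer target group named "Pilot" (assumption).
Import-Module UpdateServices

$PilotGroup = 'Pilot'
$DryRun     = $true            # set to $false to actually approve updates

$wsus = Get-WsusServer         # connects to the local WSUS server

# Unapproved Critical and Security updates that at least one client needs or failed to install.
$candidates = foreach ($class in 'Critical', 'Security') {
    Get-WsusUpdate -UpdateServer $wsus -Classification $class -Approval Unapproved -Status FailedOrNeeded
}

foreach ($u in $candidates) {
    $title = $u.Update.Title
    # An update whose licence agreement has not been accepted cannot be approved.
    if ($u.Update.RequiresLicenseAgreementAcceptance) {
        if ($DryRun) { Write-Host "[dry-run] would accept licence agreement for: $title" }
        else         { $u.Update.AcceptLicenseAgreement() }
    }
    if ($DryRun) {
        Write-Host ("[dry-run] would approve '{0}' for {1} (needed by {2} computers, failed on {3})" -f
            $title, $PilotGroup, $u.ComputersNeedingThisUpdate, $u.ComputersWithErrors)
    } else {
        $u | Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup
    }
}

# Per-computer summary for the pilot group: NotInstalled and Failed counts above zero
# are the computers the text says you should investigate.
Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups $PilotGroup | ForEach-Object {
    $summary = $_.GetUpdateInstallationSummary()
    [pscustomobject]@{
        Computer        = $_.FullDomainName
        LastReported    = $_.LastReportedStatusTime
        Installed       = $summary.InstalledCount
        PendingReboot   = $summary.InstalledPendingRebootCount
        NotInstalled    = $summary.NotInstalledCount
        Failed          = $summary.FailedCount
        Unknown         = $summary.UnknownCount
    }
} | Sort-Object Failed, NotInstalled -Descending | Format-Table -AutoSize
```

Run it first with `$DryRun = $true` to see what would be approved; the report at the end works either way and is the same data the WSUS console's computer status report shows.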
Note: There are several settings for earlier Windows versions. Please note, this section lists only those
that are relevant to Windows 10.
The first of these nodes is the Windows Update node. Open the Group Policy Management Editor on a
domain controller, and then navigate to Computer Configuration/Administrative Templates/Windows
Components/Windows Update. You can configure the following settings:
●● Configure Automatic Updates. This policy setting specifies whether the computer will receive
security updates and other important downloads through the Windows automatic updating service.
This setting lets you specify whether to enable automatic updates on your computer. If you enable
this service, you must select one of the four options in the Group Policy setting:
●● 2 - Notify for download and notify for install. When Windows finds updates that apply to your
computer, an icon displays in the status area, with a message that updates are ready for download.
Selecting the icon or the message provides the option to select the specific updates that you want
to download. Windows then downloads your selected updates in the background. When the
download completes, the icon displays in the status area again, with notification that the updates
are ready for installation. Selecting the icon or message provides the option to select which
updates to install.
●● 3 - Auto download and notify for install. Windows finds updates that apply to your computer,
and then downloads these updates in the background, without notifying or interrupting the user
during this process. When the download completes, the icon displays in the status area, with a
notification that the updates are ready for installation. Selecting the icon or message provides the
option to select which updates to install.
●● 4 - Auto download and schedule the install. Specify the schedule by using the options in the
Group Policy setting. If you do not specify a schedule, the default schedule for all installations will
be every day at 03:00. If any of the updates require a restart to complete the installation, the
Windows operating system will restart the computer automatically. If a user is signed in to the
computer when the Windows operating system is ready to restart, it will notify the user and give
the option to delay the restart.
●● 5 - Allow local admin to choose setting. With this option, the local administrators will be
allowed to use the Automatic Updates control panel to select a configuration option. For example,
administrators can choose their own scheduled installation time. Local administrators cannot
To use the Configure Automatic Updates setting, select Enabled, and then select one of the options
(2, 3, 4, or 5). If you select 4, you can set a recurring schedule. If you do not specify a schedule, all
installations will occur every day at 03:00. If you set the status to Enabled, Windows recognizes when
the computer is online, and then uses its Internet connection to search Windows Update for updates
that apply to your computer. If you set the status to Disabled, you must manually download and
install any updates that are available on Windows Update. If you set the status to Not Configured,
the use of Automatic Updates is not specified at the Group Policy level. However, an administrator can
still configure Automatic Updates through Control Panel.
●● Specify intranet Microsoft update service location. This setting specifies an intranet server to host
updates from Microsoft Update. You then can use this update service to update your network’s
computers automatically. This setting lets you specify a server on your network to function as an
internal update service. The Automatic Updates client will search this service for updates that apply to
the computers on your network. To use this setting, you must set two server name values, including
the:
●● Server from which the Automatic Updates client detects and downloads updates
●● Server to which updated workstations upload statistics
You can set both values to be the same server. If you set the status to Enabled, the Automatic Up-
dates client connects to the specified intranet location, instead of Windows Update, to search for and
download updates. Enabling this setting means that end users in your organization do not have to go
through a firewall to get updates, and it gives you the opportunity to test updates before deploying
them. If you set the status to Disabled or Not Configured, and if Automatic Updates is not disabled
by policy or user preference, the Automatic Updates client connects directly to the Windows Update
site on the Internet. Note: The preceding settings do not have an obvious effect on the user interface,
because in Windows 10, these options are not visible in the Advanced options pane of Windows
Update. They are visible in Windows 8.1. However, these settings do affect the way in which Windows
Update delivers updates.
●● Do not connect to any Windows Update Internet locations. This policy is applicable only when you
have configured the Specify intranet Microsoft update service location setting. When enabled, this
policy will prevent users from downloading updates that you have not authorized in the Windows
Server Update Services console. It may disrupt users’ connection to the Windows Store.
●● Do not include drivers with Windows Updates. When you enable this setting, targeted devices will
not install drivers with quality updates.
●● Specify deadline before auto-restart for update installation. By using this setting, you can config-
ure a deadline before which users have to restart their computer after installing updates. The default
deadline is 7 days, but you can configure a deadline between 2 and 14 days.
●● Turn off auto-restart for updates during active hours. With this setting, you can configure the
active hours and prevent users from changing them. The span of active hours can be up to 12 hours.
●● Windows Update for Business. In this node, you can configure one or both of the following policy
settings:
●● Select when Preview Builds and Feature Updates are received. This policy configures whether
the targeted Windows 10 devices will be in the Windows Insider build – Fast, Windows Insider
build – Slow, Release Windows Insider build, or Semi-annual Channel. You can further delay feature
updates up to 365 days. You also can prevent feature updates from being received for up to 35
days by selecting the Pause feature updates check box.
●● Select when Quality Updates are received. With this policy, you can configure deferral of quality
updates for up to 30 days. You also can prevent quality updates from being received for up to 35
days, by selecting the Pause quality updates check box.
In addition to the Windows Update node, you also can configure update settings in Computer Configu-
ration/Administrative Templates/Windows Components/Data Collection and Preview Builds. You
can configure the following settings:
●● Toggle user control over Insider builds. This policy setting determines whether users can access the
Insider build controls in the Update & security section in the Settings app. It also enables users to
choose whether to make their devices available for downloading and installing Windows preview
software. These controls are located under Windows Insider Program. If you enable or do not config-
ure this policy setting, users can download and install Windows preview software on their devices. If
you disable this policy setting, the users cannot install Windows Insider builds.
●● Allow Telemetry. This policy setting determines the amount of diagnostic and usage data reported to
Microsoft. A value of 0 indicates that operating system (OS) components will send no telemetry data
to Microsoft. Setting a value of 0 is applicable for enterprise and server devices only. Setting a value of
0 for other devices is equivalent to choosing a value of 1. The other values are:
●● A value of 1 sends only a limited amount of diagnostic and usage data. Note that setting values of
0 or 1 will degrade certain experiences on the device.
●● A value of 2 sends enhanced diagnostic and usage data.
●● A value of 3 sends the same data as a value of 2, plus additional diagnostics data, such as the
system state at the time of a system halt or crash, and the files and content that may have caused
the problem.
If you disable or do not configure this policy setting, users can configure the Telemetry level in
Settings.
●● Disable pre-release features or settings. This policy setting determines the level to which Microsoft
can experiment with the product to study user preferences or device behavior. A value of 1 permits
Microsoft to configure device settings only. A value of 2 allows Microsoft to conduct full experimenta-
tions. If you disable this policy setting, no experimentations will occur. If you do not configure this
policy setting, user can configure the Let Microsoft try features on this build option in Settings.
Finally, the Computer Configuration/Administrative Templates/Windows Components/Delivery
Optimization node contains the following settings:
●● Download Mode. Set this policy to configure the use of Windows Update Delivery Optimization in
downloads of Windows apps and updates. Available modes are: Bypass, Group, HTTP only, Internet,
LAN, and Simple.
●● Group ID. Set this policy to specify an arbitrary group ID to which the device belongs. Use this if you
need to:
●● Limit the number of devices participating in peering in a domain network with many users.
●● Create a single group for Local Network Peering for branches that are on different domains or are
not on the same network address translation (NAT).
Note: This is a best effort optimization. You should not rely on it for an authentication of identity. You
must use a globally unique identifier (GUID) as the group ID.
●● Max Upload Bandwidth. Set this policy to define a limit for the upload bandwidth that a device will
utilize for all concurrent upload activity via Delivery Optimization (set in kilobytes per second).
●● Max Cache Size. Set this policy to define the maximum cache size Delivery Optimization can utilize as
a percentage of the internal disk size.
●● Max Cache Age. Set this policy to define the maximum time that the Delivery Optimization cache
holds each file.
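The Group Policy settings in the Windows Update, Windows Update for Business and Delivery Optimization nodes above are all written to the machine's policy registry keys, which is the quickest place to confirm what a client actually received. The following script is an added example (not code from the MD-100 handbook or from Microsoft): it reads those values, decodes the numeric options into the names used above, and flags configurations that weaken the update path, such as an intranet update service reached over plain HTTP, a paused quality-update channel, or a Group ID that is not the GUID the policy requires. The registry value names are the documented ones behind these policies; the thresholds used for the warnings are this example's assumptions. Run it in an elevated Windows PowerShell session on a Windows 10 client.

```powershell
# Added example (not from the MD-100 handbook): audit the policy registry values
# behind the Windows Update and Delivery Optimization GPO settings.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"
$doPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-PolicyValue {
    # Returns $null when the key or value is absent, i.e. the policy is Not Configured.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Option numbers of "Configure Automatic Updates" and "Download Mode", as named above.
$auOptionNames = @{ 2 = 'Notify for download and notify for install'; 3 = 'Auto download and notify for install'
                    4 = 'Auto download and schedule the install';   5 = 'Allow local admin to choose setting' }
$doModeNames   = @{ 0 = 'HTTP only'; 1 = 'LAN'; 2 = 'Group'; 3 = 'Internet'; 99 = 'Simple'; 100 = 'Bypass' }

$findings = New-Object System.Collections.Generic.List[string]
$report   = [ordered]@{}

# --- Windows Update node ---------------------------------------------------
$noAutoUpdate = Get-PolicyValue $auPolicy 'NoAutoUpdate'
$auOptions    = Get-PolicyValue $auPolicy 'AUOptions'
if ($noAutoUpdate -eq 1)      { $auState = 'Disabled' }
elseif ($null -ne $auOptions) { $auState = "$auOptions - $($auOptionNames[[int]$auOptions])" }
else                          { $auState = 'Not Configured' }
$report['Configure Automatic Updates'] = $auState
if ($auOptions -eq 4) {
    $time = Get-PolicyValue $auPolicy 'ScheduledInstallTime'
    $report['Scheduled install time'] = if ($null -ne $time) { '{0:00}:00' -f $time } else { '03:00 (default)' }
}
if ($noAutoUpdate -eq 1) { $findings.Add('Automatic Updates are disabled by policy; updates must be installed manually.') }

$useWsus  = Get-PolicyValue $auPolicy 'UseWUServer'
$wuServer = Get-PolicyValue $wuPolicy 'WUServer'
$wuStatus = Get-PolicyValue $wuPolicy 'WUStatusServer'
$report['Intranet update service'] = if ($useWsus -eq 1) { "$wuServer (statistics: $wuStatus)" } else { 'Not Configured (Windows Update on the Internet)' }
if ($useWsus -eq 1) {
    if (-not $wuServer) { $findings.Add('UseWUServer is 1 but WUServer is empty; clients cannot locate updates.') }
    elseif ($wuServer -notmatch '^https://') { $findings.Add("Intranet update service $wuServer is not HTTPS; the update channel is not protected in transit.") }
}
$report['Do not connect to any Windows Update Internet locations'] = (Get-PolicyValue $wuPolicy 'DoNotConnectToWindowsUpdateInternetLocations') -eq 1
$report['Do not include drivers with Windows Updates'] = (Get-PolicyValue $wuPolicy 'ExcludeWUDriversInQualityUpdate') -eq 1

# --- Windows Update for Business deferrals ---------------------------------
$deferFeature = Get-PolicyValue $wuPolicy 'DeferFeatureUpdatesPeriodInDays'
$deferQuality = Get-PolicyValue $wuPolicy 'DeferQualityUpdatesPeriodInDays'
$report['Defer feature updates (days)'] = $deferFeature
$report['Defer quality updates (days)'] = $deferQuality
if ($deferQuality -gt 30)  { $findings.Add("Quality update deferral of $deferQuality days exceeds the 30-day maximum the policy supports.") }
if ($deferFeature -gt 365) { $findings.Add("Feature update deferral of $deferFeature days exceeds the 365-day maximum the policy supports.") }
if ((Get-PolicyValue $wuPolicy 'PauseQualityUpdates') -eq 1) { $findings.Add('Quality updates (which include security updates) are paused.') }

# --- Delivery Optimization node --------------------------------------------
$doMode = Get-PolicyValue $doPolicy 'DODownloadMode'
$report['Download Mode'] = if ($null -ne $doMode) { "$doMode - $($doModeNames[[int]$doMode])" } else { 'Not Configured' }
$groupId = Get-PolicyValue $doPolicy 'DOGroupId'
if ($groupId) {
    $report['Group ID'] = $groupId
    $guid = [guid]::Empty
    if (-not [guid]::TryParse($groupId, [ref]$guid)) { $findings.Add("DOGroupId '$groupId' is not a GUID as the policy requires.") }
}
$report['Max Upload Bandwidth (KB/s)'] = Get-PolicyValue $doPolicy 'DOMaxUploadBandwidth'
$report['Max Cache Size (% of disk)']  = Get-PolicyValue $doPolicy 'DOMaxCacheSize'
$report['Max Cache Age (seconds)']     = Get-PolicyValue $doPolicy 'DOMaxCacheAge'

[pscustomobject]$report | Format-List
if ($findings.Count) { Write-Warning ("Findings:`n - " + ($findings -join "`n - ")) }
else { Write-Host 'No findings.' }
```

A blank value in the report means the policy is Not Configured on this client, which is the same state the Settings app shows when no GPO has been applied; comparing the report from a machine in each deployment ring against the ring's intended deferral values is a quick way to verify that the right GPO reached it.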
Summary
In this lab you will learn how to manage Windows Update settings for a single device and how to manage
feature and quality updates for multiple devices using Windows Update for Business Group Policy
settings.
Scenario
You need to validate the Windows Update settings for SEA-WS3. You have also been asked to ensure that
the following Windows update settings are applied to the device:
Scenario
You have been delegated the task to create Group Policy Objects to configure Windows Update for
Business. Your first task is to determine how many deployment rings you will need and the associated
Windows update settings based upon business requirements. You then need to configure a Group Policy
object for each deployment ring. The Group Policy Objects will then be applied to organizational units by
the Active Directory administrators at a later time.
Module Review
Check Your Knowledge
1. Your organization needs to separate machines into different deployment timelines. You decide to use
the Ring update method. Which of the following are Windows service rings? (select four)
A. Preview
B. Line of Business
C. Mission Critical
D. Targeted
E. Broad
F. Critical
2. Your organization has a number of custom applications. You need additional time to test application
compatibility before deployment. Which Windows 10 servicing option provides you the ability to do
this?
A. Windows Insider
B. Monthly Channel
C. Semi-Annual Channel
D. Long-Term Servicing Channel
E. Annual Channel
3. You need to make new feature upgrades available to some of the desktop support team members
before they are released to users. Which Windows 10 Servicing option allows you to do this?
A. Sandbox Channel
B. Windows Insider
C. Monthly Channel
D. Semi-Annual Channel
E. Long-Term Servicing Channel
F. Annual Channel
4. Your organization requires that updates are controlled and deferred. You want to utilize the service
updates with Windows 10. Which servicing tool will allow you to perform centralized management
using Group Policy?
A. Windows Update
B. Windows Update for Business
C. Configuration Manager
D. Windows Server Update Service
E. None mentioned
5. Which of the following is not a node in Group Policy that contain Windows Update settings that are
relevant for Windows 10 devices?
A. Windows Update
B. Windows Update for Business
C. Configuration Manager
D. Windows Server Update Service
E. None mentioned
6. Which are the four phases in the update management process? (select four)
A. Evaluate
B. Plan
C. Assess
D. Identify
E. Support
F. Evaluate and plan
G. Deploy
7. The network for your company doesn't provide a bandwidth that can handle quick update delivery.
You decide to take advantage of a peer to peer delivery mechanism for updates. With this approach,
how long can you defer Quality Updates for?
A. up to 14 days
B. up to 30 days
C. up to 35 days
D. up to 180 days
Answers: 1) A,D,E,F 2) C 3) B 4) B 5) D 6) C,D,F,G 7) B
Module 5 Configuring Networking
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe IPv4.
●● Describe IPv4 subnets.
●● Explain the difference between public and private IPv4 addressing.
●● Implement automatic IPv4 address allocation.
●● Describe the tools available to configure network settings in Windows 10.
●● Describe the tools available to troubleshoot network connections.
●● Configure an IPv4 network connection.
●● Describe IPv6.
By default, you will see the Network Status page, which will indicate your current connection state. You’ll
also notice additional sub-menus on the left side, such as Wi-Fi, Airplane mode, Data usage, VPN,
Dial-up, Ethernet, and Proxy. These are the various methods available for connecting to a network – and
will vary depending on what type of connections the individual device will support.
From within Ethernet or Wi-Fi, you can:
●● Change adapter options. You can configure the network adapter settings. A list of network adapters
displays, and you can then configure the properties for each, including:
●● Internet Protocol Version 6 (TCP/IPv6). Enables you to manually configure the IPv6 settings for a given
adapter.
●● Internet Protocol Version 4 (TCP/IPv4). Enables you to manually configure the IPv4 settings for a given
adapter.
●● Change advanced sharing options. You can configure network discovery, file and print sharing, public
folder sharing, media streaming options, and the encryption level to use for file sharing connections.
●● Launch the Network and Sharing Center. You can use this tool to configure most network settings. You
will learn more about it below.
●● Enable and configure a homegroup. You can enable and configure homegroups, which are collections
of computers that you deploy on a home network and that share resources such as files and printers.
When your computer is part of a homegroup, you can share images, media files, documents, and
printer devices with others in your homegroup. Once you enable a homegroup, you can then define
which libraries you will share, such as Pictures, Documents, or Videos. You can enable a homegroup
only on network interfaces that are defined as part of a private network location profile. To provide for
basic security, you can enable a password on your homegroup.
●● Note: Although domain-joined computers cannot create homegroups, they can connect to existing
homegroups.
●● Configure Internet options. You can configure the options your web browsers use.
●● Configure Windows Firewall. You can launch the Windows Firewall tool and configure Windows
Firewall rules, notifications, and advanced settings.
From within Wi-Fi, you also can:
●● View available networks. You can use this setting to view available networks, but not explicitly hidden
wireless networks.
●● View hardware properties. You can use this setting to view properties of your Wi-Fi connection such as
its Service Set Identifier (SSID), protocol, and security type, in addition to the manufacturer and the
physical MAC address of your Wi-Fi adapter.
●● Manage known networks. You can use this setting to display the properties of the wireless networks
you have connected to and remove (or forget, as referenced in the graphical user interface (GUI)) their
settings.
●● Configure Hotspot 2.0 networks. You can use this setting to use Online Sign-Up to connect to Hotspot
2.0 networks.
IPv4 divides the address into four octets, as the following example shows:
11000000.10101000.00000001.11001000
To make the IP addresses more readable, binary representation of the address typically shows it in
decimal form, as the following example shows:
192.168.1.200
Defining Subnets
A subnet is a network segment. Single or multiple routers separate the subnet from the rest of the
network. When your Internet service provider (ISP) assigns a network to a Class A, B, or C address range,
you often must subdivide the range to match the network’s physical layout. Subdividing enables you to
break a large network into smaller, logical subnets.
When you subdivide a network into subnets, you must create a unique ID for each subnet, which you
derive from the main network ID. To create subnets, you must allocate some of the bits in the host ID to
the network ID. By doing so, you can create more networks.
octet for subnetting, this is classless addressing, or Classless Interdomain Routing (CIDR). You use more or
less of the octet. This type of subnetting uses a different notation, which the following example shows:
172.16.16.1/255.255.240.0
The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20
The /20 represents how many leftmost subnet bits are set to 1 in the mask. This notation style is called
CIDR. This subnet mask in binary notation would look like this:
11111111.11111111.11110000.00000000
The first 20 bits are set to 1 and indicate the subnet ID, and the last 12 zero placeholders represent how
many bits are used to identify the host.
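The relationship between the two notations above is easy to get wrong by hand, so here is an added example (not code from the MD-100 handbook) that works it out: given either 172.16.16.1/20 or 172.16.16.1/255.255.240.0, it derives the mask in dotted-decimal and binary form, the network ID, the broadcast address, the first and last host addresses, and the number of usable hosts. It goes one step beyond the text by also rejecting a dotted mask whose 1 bits are not contiguous, which is the usual cause of a subnet that "almost" works.

```powershell
# Added example (not from the MD-100 handbook): CIDR / subnet-mask calculator.
function Get-SubnetInfo {
    param([Parameter(Mandatory)][string]$Address)   # '172.16.16.1/20' or '172.16.16.1/255.255.240.0'

    $allOnes = [long][uint32]::MaxValue              # 0xFFFFFFFF as a positive 64-bit value

    function ConvertTo-IntAddress([string]$Dotted) {
        # Dotted decimal -> 32-bit integer, most significant octet first.
        $bytes = [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()
        if ($bytes.Length -ne 4) { throw "$Dotted is not an IPv4 address" }
        $n = [long]0
        foreach ($b in $bytes) { $n = ($n -shl 8) -bor $b }
        return $n
    }
    function ConvertTo-Dotted([long]$n) {
        (3..0 | ForEach-Object { ($n -shr (8 * $_)) -band 255 }) -join '.'
    }
    function ConvertTo-DottedBinary([long]$n) {
        [Convert]::ToString($n, 2).PadLeft(32, '0') -replace '(.{8})(?=.)', '$1.'
    }

    $ipPart, $maskPart = $Address -split '/', 2
    if (-not $maskPart) { throw "Expected address/prefix or address/mask, got '$Address'" }

    if ($maskPart -match '^\d{1,2}$') {
        # Prefix length: that many leftmost bits set to 1.
        $prefix = [int]$maskPart
        if ($prefix -gt 32) { throw "Prefix length $prefix is larger than 32" }
        $mask = ($allOnes -shl (32 - $prefix)) -band $allOnes
    } else {
        # Dotted mask: count the 1 bits, then check they form one contiguous run from the left.
        $mask   = ConvertTo-IntAddress $maskPart
        $prefix = ([Convert]::ToString($mask, 2) -replace '0', '').Length
        if ((($allOnes -shl (32 - $prefix)) -band $allOnes) -ne $mask) { throw "Mask $maskPart is not contiguous" }
    }

    $ip        = ConvertTo-IntAddress $ipPart
    $network   = $ip -band $mask                      # network ID: host bits cleared
    $broadcast = $network -bor ($mask -bxor $allOnes) # broadcast: host bits set
    $hostBits  = 32 - $prefix
    # /31 and /32 reserve no network/broadcast addresses (point-to-point links).
    $usable = if ($hostBits -le 1) { [math]::Pow(2, $hostBits) } else { [math]::Pow(2, $hostBits) - 2 }

    [pscustomobject]@{
        Address     = $ipPart
        Cidr        = "$ipPart/$prefix"
        SubnetMask  = ConvertTo-Dotted $mask
        MaskBinary  = ConvertTo-DottedBinary $mask
        NetworkId   = ConvertTo-Dotted $network
        Broadcast   = ConvertTo-Dotted $broadcast
        FirstHost   = if ($hostBits -gt 1) { ConvertTo-Dotted ($network + 1) } else { ConvertTo-Dotted $network }
        LastHost    = if ($hostBits -gt 1) { ConvertTo-Dotted ($broadcast - 1) } else { ConvertTo-Dotted $broadcast }
        UsableHosts = [long]$usable
    }
}

Get-SubnetInfo '172.16.16.1/20'             # same result as the next line
Get-SubnetInfo '172.16.16.1/255.255.240.0'
```

For the address in the text both calls return the mask 255.255.240.0 (11111111.11111111.11110000.00000000), network ID 172.16.16.0, broadcast 172.16.31.255 and 4094 usable hosts; a mask such as 255.255.224.128 is rejected because its 1 bits are not contiguous.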
Static configuration
You can configure static IPv4 configuration manually for each of your network’s computers. When you
perform IPv4 configuration, you must configure the:
●● IPv4 address
●● Subnet mask
●● Default gateway
●● Domain Name System (DNS) server
Static configuration requires that you visit each computer and input the IPv4 configuration. This method
of computer management is time-consuming if your network has more than 10 to 12 computers. Addi-
tionally, making a large number of manual configurations heightens the risk of mistakes.
DHCPv4
DHCPv4 enables you to assign IPv4 configurations automatically for a large number of computers
without having to assign each one individually. The DHCP service receives requests for IPv4 configuration
from computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 informa-
tion from scopes that you define for each of your network’s subnets. The DHCP service identifies the
subnet from which the request originated, and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process. However, keep in mind that if you use DHCP to assign
IPv4 information and the service is business-critical, you must:
●● Include resilience in your DHCP service design so that the failure of a single server does not prevent
the service from functioning.
●● Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole
network, and it can prevent communication.
Windows PowerShell
Although you can use the graphical tools previously described to perform all network configuration and
management tasks, sometimes it can be quicker to use command line tools and scripts. Windows has
always provided the command prompt for certain network management tools. However, Windows
PowerShell provides a number of network-specific cmdlets that you can use to configure, manage, and
troubleshoot Windows network connections.
The following table lists some of the network-related Windows PowerShell cmdlets and their purposes.
Cmdlet                        Purpose
Get-NetIPAddress              Retrieves information about the IP address configuration.
Get-NetIPv4Protocol           Retrieves information about the IPv4 protocol configuration (the cmdlet Get-NetIPv6Protocol returns the same information for the IPv6 protocol).
Get-NetIPInterface            Obtains a list of interfaces and their configurations. This does not include IPv4 configuration of the interface.
Set-NetIPAddress              Sets information about the IP address configuration.
Set-NetIPv4Protocol           Sets information about the IPv4 protocol configuration (the cmdlet Set-NetIPv6Protocol sets the same information for the IPv6 protocol).
Set-NetIPInterface            Modifies IP interface properties.
Get-NetRoute                  Obtains the list of routes in the local routing table.
Test-Connection               Runs connectivity tests similar to those of the Ping command. For example, Test-Connection lon-dc1.
Resolve-DnsName               Provides a similar function to the NSLookup tool.
Get-NetConnectionProfile      Obtains the type of network (public, private, or domain) to which a network adapter is connected.
Clear-DnsClientCache          Clears the client's resolver cache, similar to the IPConfig /flushdns command.
Get-DnsClient                 Retrieves configuration details specific to the different network interfaces on a specified computer.
Get-DnsClientCache            Retrieves the contents of the local DNS client cache, similar to the IPConfig /displaydns command.
Get-DnsClientGlobalSetting    Retrieves global DNS client settings, such as the suffix search list.
Get-DnsClientServerAddress    Retrieves one or more DNS server IP addresses associated with the interfaces on the computer.
Register-DnsClient            Registers all of the IP addresses on the computer onto the configured DNS server.
Set-DnsClient                 Sets the interface-specific DNS client configurations on the computer.
Set-DnsClientGlobalSetting    Configures global DNS client settings, such as the suffix search list.
Set-DnsClientServerAddress    Configures one or more DNS server IP addresses associated with the interfaces on the computer.
For example, to configure the IPv4 settings for a network connection by using Windows PowerShell, use
the following cmdlet:
Set-NetIPAddress -InterfaceAlias Wi-Fi -IPAddress 172.16.16.1
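The four items of a static configuration listed above (address, mask, gateway, DNS) map onto a handful of the cmdlets in the table. The following is an added example, not code from the MD-100 handbook: it assigns a complete static IPv4 configuration to one adapter, verifies it, and shows how to hand the adapter back to DHCP afterwards. One caveat worth knowing: `Set-NetIPAddress` only modifies an address that already exists on the interface, so a new static address is created with `New-NetIPAddress`. The adapter alias "Ethernet" and all addresses are constructed for the example; run it in an elevated Windows PowerShell session.

```powershell
# Added example (not from the MD-100 handbook): static IPv4 configuration with the
# NetTCPIP and DnsClient cmdlets, plus the reverse operation back to DHCP.
# Adapter alias and addresses below are constructed values.
$Alias   = 'Ethernet'
$Address = '172.16.16.3'
$Prefix  = 24                              # 255.255.255.0, as in the Netsh example
$Gateway = '172.16.16.1'
$Dns     = '172.16.16.10', '172.16.16.11'

function Set-StaticIPv4 {
    param([string]$Alias, [string]$Address, [int]$Prefix, [string]$Gateway, [string[]]$Dns)
    # Turn DHCP off first so the DHCP client does not overwrite the static values later.
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled
    # Remove any existing IPv4 address and default route so they cannot conflict with the new ones.
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $Alias -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    # New-NetIPAddress creates the address; Set-NetIPAddress would only modify an existing one.
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Address -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Dns
}

function Reset-ToDhcp {
    param([string]$Alias)
    # The static address and gateway must go before DHCP can take over the interface.
    Get-NetRoute -InterfaceAlias $Alias -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Enabled
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses
    ipconfig /renew | Out-Null             # request a new lease, as in the IPConfig table
}

Set-StaticIPv4 -Alias $Alias -Address $Address -Prefix $Prefix -Gateway $Gateway -Dns $Dns

# Verify: the adapter should now show the static address, gateway and DNS servers,
# and the gateway should answer a ping (unless a firewall drops ICMP).
Get-NetIPConfiguration -InterfaceAlias $Alias |
    Select-Object InterfaceAlias,
                  @{ n = 'IPv4Address'; e = { $_.IPv4Address.IPAddress } },
                  @{ n = 'Gateway';     e = { $_.IPv4DefaultGateway.NextHop } },
                  @{ n = 'DNS';         e = { $_.DNSServer.ServerAddresses -join ', ' } }
Test-NetConnection -ComputerName $Gateway | Select-Object ComputerName, PingSucceeded

# To undo: Reset-ToDhcp -Alias $Alias
```

`Get-NetIPConfiguration` is the cmdlet equivalent of `ipconfig /all` and is the fastest way to confirm that all four elements of the static configuration landed on the intended adapter; a mistyped gateway or mask is the most common reason a manually configured host can reach its own subnet but nothing beyond it.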
Netsh
You also can use the Netsh command-line tool to configure network settings. For example, to configure
IPv4 by using Netsh, you can use the following example:
Netsh interface ipv4 set address name="Local Area Connection"
source=static addr=172.16.16.3 mask=255.255.255.0 gateway=172.16.16.1
Note: Functionality in the Windows PowerShell network-related cmdlets has largely replaced Netsh.
Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an
error. IP conflicts are reflected in the system log and might prevent services from starting. When these
events occur, Windows records the event in an appropriate event log. You can use Event Viewer to read
the log. When you troubleshoot errors on Windows 10, you can view the events in the event logs to
determine the cause of the problem.
You can use Event Viewer to access the Application, Security, Setup, and System logs under the Windows
Logs node. When you select a log and then select an event, a preview pane under the event list contains
details of the specified event. To help diagnose network problems, look for errors or warnings related to
network services in the System log.
IPConfig
The IPConfig command displays the current TCP/IP network configuration. Additionally, you can use
IPConfig to refresh DHCP and DNS settings. For example, you might need to flush the DNS cache. The
following table provides a brief description of some of the IPConfig command switches.
Command                  Description
ipconfig /all            View detailed configuration information.
ipconfig /release        Release the leased configuration back to the DHCP server.
ipconfig /renew          Renew the leased configuration.
ipconfig /displaydns     View the DNS resolver cache entries.
ipconfig /flushdns       Purge the DNS resolver cache.
ipconfig /registerdns    Register/update the client's host name with the DNS server.
Ping
You use the Ping command to verify IP-level connectivity to another TCP/IP computer. This command
sends and receives Internet Control Message Protocol (ICMP) echo request messages, and displays the
receipt of corresponding echo reply messages. The Ping command is the primary TCP/IP command used
to troubleshoot connectivity.
Note: Firewalls might block the ICMP requests. As a result, you might receive false negatives when using
Ping as a troubleshooting tool.
Tracert
The Tracert tool determines the path taken to a destination computer by sending ICMP echo requests.
The path displayed is the list of router interfaces between a source and a destination. This tool also
determines which router has failed, and what the latency, or speed, is. These results might not be accu-
rate if the router is busy, because the router will assign the packets a low priority.
Pathping
The Pathping command traces a route through the network in a manner similar to the Tracert tool.
However, Pathping provides more detailed statistics on the individual steps, or hops, through the
network. The command can provide greater detail because it sends 100 packets for each router, which
enables it to establish trends.
NSLookup
The NSLookup tool displays information that you can use to diagnose the DNS infrastructure. You can
use the tool to confirm connection to the DNS server, in addition to the existence of the required records.
Windows PowerShell
You can use Windows PowerShell to configure network connection settings. In addition to this, you can
use Windows PowerShell cmdlets for troubleshooting network settings.
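The troubleshooting tools above are normally run one after another by hand: check the local configuration, ping the gateway, resolve a name, then look in the System log. The following function is an added example (not code from the MD-100 handbook) that strings the PowerShell equivalents of IPConfig, Ping, NSLookup and Event Viewer together into a single first-pass check. The target host name is a placeholder and the port number is an assumption; the IP-conflict query uses event ID 4199 from the Tcpip provider, which is the System log entry Windows writes when it detects an address conflict.

```powershell
# Added example (not from the MD-100 handbook): first-pass connectivity diagnosis.
function Test-BasicConnectivity {
    param(
        [string]$TargetName = 'lon-dc1.example.local',   # placeholder host name
        [int]$Port = 389                                  # assumed service port on the target (LDAP for a DC)
    )
    $results = [ordered]@{}
    $record  = $null

    # 1. Local configuration (IPConfig /all equivalent): find an adapter that is up and has a gateway.
    $cfg = Get-NetIPConfiguration |
        Where-Object { $_.IPv4DefaultGateway -and $_.NetAdapter.Status -eq 'Up' } |
        Select-Object -First 1
    if (-not $cfg) {
        $results['Adapter'] = 'No adapter with an IPv4 default gateway is up'
        return [pscustomobject]$results
    }
    $addr    = $cfg.IPv4Address.IPAddress | Select-Object -First 1
    $gateway = $cfg.IPv4DefaultGateway.NextHop
    $results['Adapter'] = $cfg.InterfaceAlias
    $results['IPv4']    = $addr
    $results['APIPA']   = ($addr -like '169.254.*')       # 169.254.x.x means no DHCP server answered
    $results['Gateway'] = $gateway

    # 2. Ping the gateway (Test-Connection = Ping). A firewall may drop ICMP, so failure is a hint, not proof.
    $results['GatewayReachable'] = [bool](Test-Connection -ComputerName $gateway -Count 2 -Quiet -ErrorAction SilentlyContinue)

    # 3. Name resolution (Resolve-DnsName = NSLookup) through the configured DNS servers.
    try {
        $record = Resolve-DnsName -Name $TargetName -Type A -ErrorAction Stop |
            Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        $results['Resolved'] = $record.IPAddress
    } catch {
        $results['Resolved'] = "failed: $($_.Exception.Message)"
    }

    # 4. TCP reachability of the target service, which does not depend on ICMP being allowed.
    if ($record) {
        $tnc = Test-NetConnection -ComputerName $record.IPAddress -Port $Port -WarningAction SilentlyContinue
        $results["TcpPort$Port"] = $tnc.TcpTestSucceeded
    }

    # 5. Event Viewer: address conflicts recorded by Tcpip in the System log over the last 24 hours.
    $conflicts = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Tcpip'; Id = 4199; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue
    $results['IPConflictsLast24h'] = @($conflicts).Count
    if ($conflicts) { $results['LastConflict'] = $conflicts[0].Message }

    [pscustomobject]$results
}

Test-BasicConnectivity -TargetName 'lon-dc1.example.local' | Format-List
```

Reading the result top to bottom follows the same layering as the tools: an APIPA address or no gateway points at DHCP or cabling, a gateway that does not answer points at the local segment, a failed resolution points at DNS, and a conflict event explains the intermittent failures that none of the other checks catch.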
Benefits of IPv6
The IPv6 protocol provides the following benefits:
●● Large address space. A 32-bit address space can have 4,294,967,296 possible addresses. IPv6 uses
128-bit address spaces, which can have 340,282,366,920,938,463,463,374,607,431,768,211,456 (or
3.4x10^38 or 340 undecillion) possible addresses.
●● Hierarchical addressing and routing infrastructure. The IPv6 address space is more efficient for routers,
which means that even though there are many more addresses, routers can process data much more
efficiently because of address optimization.
●● Stateless and stateful address configuration. IPv6 has autoconfiguration capability without DHCP, and
it can discover router information so that hosts can access the Internet. This is a stateless address
configuration. A stateful address configuration is when you use the DHCP version 6 (DHCPv6) proto-
col. Stateful configuration has two additional configuration levels: one in which DHCP provides all the
information, including the IP address and configuration settings, and another in which DHCP provides
just configuration settings.
●● Required support for Internet Protocol security (IPsec). The IPv6 standards require support for the Authentication Header (AH) and Encapsulating Security Payload (ESP) headers that IPsec defines. Although the standards do not mandate specific authentication methods or cryptographic algorithms, IPsec is defined from the start as the way to protect IPv6 packets.
Note: IPsec provides authentication and, optionally, encryption for communications between hosts.
●● Restored end-to-end communication. The global addressing model for IPv6 traffic means that
translation between different types of addresses is not necessary, such as the translation done by NAT
devices for IPv4 traffic. This simplifies communication because you do not need to use NAT devices
for peer-to-peer applications, such as video conferencing.
●● Prioritized delivery. IPv6 contains a field in the packet that lets network devices determine that the packet processing should occur at a rate that you specify. This enables traffic prioritization. For example, when you are streaming video traffic, it is critical that the packets arrive in a timely manner. You can set this field to ensure that network devices determine that the packet delivery is time-sensitive.
●● Support for single-subnet environments. IPv6 has much better support of automatic configuration
and operation on networks consisting of a single subnet. You can use this to create temporary, ad hoc
networks through which you can connect and share information.
●● Extensibility. The design of IPv6 enables you to extend it with less constraint than IPv4.
IPv6 in Windows 10
Windows 10 uses IPv6 by default. Windows 10 includes several features that support IPv6, as described
below.
An IPv4 address is 32 bits long (four octets). An IPv6 address is four times larger, at 128 bits, and is expressed in hexadecimal, as the following example shows:
2001:DB8::2F3B:2AA:FF:FE28:9C5A
This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve hosts, meaning they will rarely type IPv6 addresses manually. Because each hexadecimal digit maps to exactly four bits, a hexadecimal IPv6 address is also easier to convert to binary than a dotted-decimal IPv4 address. This makes it simpler to work with subnets and to calculate hosts and networks.
Interface identifiers
The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4 address. Each interface on an IPv6 network must have a unique interface identifier. Because the interface identifier is unique to each interface, IPv6 uses interface identifiers rather than MAC addresses to identify hosts uniquely.
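To make the address structure concrete, here is an added PowerShell example (not part of the course text) that expands the course's sample address, splits it into the 64-bit prefix and the 64-bit interface identifier described above, and shows the per-group binary form. The function name Split-IPv6Address is an assumption of this example.

```powershell
# Added example, not from the course: expand a compressed IPv6 address, split it
# into its 64-bit prefix and 64-bit interface identifier, and show the binary
# form that the text says hexadecimal makes easy to derive.
function Split-IPv6Address {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "'$Address' is not an IPv6 address"
    }

    # 16 bytes in network byte order; every pair of bytes is one 16-bit hex group.
    # Rebuilding the groups from the bytes restores the zeros that '::' compressed.
    $bytes  = $ip.GetAddressBytes()
    $groups = for ($i = 0; $i -lt 16; $i += 2) {
        '{0:x2}{1:x2}' -f $bytes[$i], $bytes[$i + 1]
    }

    # Each hex digit is exactly four bits, so binary is a digit-by-digit mapping.
    $binary = foreach ($g in $groups) {
        [Convert]::ToString([Convert]::ToInt32($g, 16), 2).PadLeft(16, '0')
    }

    [pscustomobject]@{
        Input               = $Address
        Expanded            = $groups -join ':'
        Prefix64            = $groups[0..3] -join ':'   # first 64 bits: subnet prefix
        InterfaceIdentifier = $groups[4..7] -join ':'   # last 64 bits: host part
        InterfaceIdBinary   = $binary[4..7] -join ' '
    }
}

# The course's sample address; '::' stands for a single all-zero group here,
# so Expanded becomes 2001:0db8:0000:2f3b:02aa:00ff:fe28:9c5a.
Split-IPv6Address '2001:DB8::2F3B:2AA:FF:FE28:9C5A' | Format-List
```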
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe name resolution.
●● Describe DNS.
●● Explain how to troubleshoot name resolution.
●● Configure and test name resolution settings in Windows 10.
Computer names
A host name is a user-friendly name that is associated with a host’s IP address and identifies it as a TCP/IP
host. A host name can be no more than 255 characters in length, and must contain only alphanumeric
characters, periods, and hyphens. A host name is an alias or a fully qualified domain name (FQDN).
Note: An alias is a single name associated with an IP address, and the host name combines an alias with
a domain name to create the FQDN.
The elements of the name include periods as separators. Applications use the structured FQDN on the
Internet. An example of an FQDN is payroll.contoso.com.
A NetBIOS name is a nonhierarchical name that some older apps use. A 16-character NetBIOS name identifies a NetBIOS resource on a network. A NetBIOS name represents a single computer or a group of computers. NetBIOS uses the first 15 characters for a specific computer’s name and the final sixteenth character to identify a resource or service on that computer. An example of a NetBIOS name is NYC-SVR2[20h].
Overview of DNS
DNS is a service that manages the resolution of host names to IP addresses. Microsoft provides a DNS
Server role on Windows Server 2012 R2 that you can use to resolve host names in your organization.
Typically, you will deploy multiple DNS servers in your organization to help improve both the performance and the reliability of name resolution.
Note: The Internet uses a single DNS namespace with multiple root servers. To participate in the Internet
DNS namespace, you must register a domain name with a DNS registrar. This ensures that no two
organizations attempt to use the same domain name.
Structure of DNS
The DNS namespace consists of a hierarchy of domains and subdomains. A DNS zone is a specific portion
of that namespace that resides on a DNS server in a zone file. DNS uses both forward and reverse lookup
zones to satisfy name resolution requests.
Best Practice: Be sure to clear the DNS resolver cache between resolution attempts.
Note: Alternately, you can use the Windows PowerShell cmdlet Clear-DnsClientCache.
2. Attempt to verify connectivity to a remote host by using its IP address. This helps you identify whether the issue is due to name resolution. You can use the Ping command or the Test-Connection Windows PowerShell cmdlet. If the Ping command succeeds with the IP address but fails by the host name, the problem is with name resolution.
Note: Remember that the remote host must allow inbound ICMP echo packets through its firewall for this test to be viable.
3. Attempt to verify connectivity to the remote host by its host name, by using the FQDN followed by a period (the trailing period marks the name as fully qualified, so no DNS suffix is appended). For example, type the following command at the command prompt:
Test-Connection LON-cl1.adatum.com.
6. Perform the test-by-host-name procedure again. Name resolution should now be successful.
7. Examine the DNS resolver cache to verify that the name resolved correctly. To examine the DNS
resolver cache, type the following command at a command prompt:
IPConfig /displaydns
Note: You also can use the Windows PowerShell cmdlet Get-DnsClientCache.
8. Remove the entry that you added to the Hosts file, and then clear the resolver cache once more. At the command prompt, type the following command, and then examine the contents of the filename.txt file to identify the failed stage in name resolution:
nslookup.exe -d2 LON-cl1.adatum.com. > filename.txt
SendRequest(), len 41
HEADER:
QUESTIONS:
------------
------------
HEADER:
QUESTIONS:
ANSWERS:
-> 10.0.16.172.in-addr.arpa
name = LON-dc1.adatum.com
------------
Server: LON-dc1.adatum.com
Address: 172.16.0.10
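The checks in the procedure above, collected into one PowerShell function as an added example (this is not course code). It assumes the lab name LON-cl1.adatum.com from the steps; the 172.16.0.10 address in the usage call is the LON-dc1 address from the nslookup output, used as a constructed stand-in for the remote host's known IP address. The function name Test-NameResolution is an assumption.

```powershell
# Added example, not from the course: run the name-resolution checks from the
# procedure in order and say which stage failed, using only built-in cmdlets.
function Test-NameResolution {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,     # name under test
        [Parameter(Mandatory)][string]$KnownAddress  # IP address known to belong to that host
    )

    # Best practice from the text: clear the resolver cache first so a stale
    # entry cannot mask what the DNS server actually answers.
    Clear-DnsClientCache

    # Step 2: prove raw IP connectivity before blaming DNS. -Quiet returns a
    # plain $true/$false. The remote host must allow inbound ICMP echo.
    $ipReachable = Test-Connection -ComputerName $KnownAddress -Count 2 -Quiet

    # Step 3: query by FQDN with a trailing period so no DNS suffix is appended.
    # -DnsOnly asks the DNS servers only, skipping LLMNR/NetBIOS fallback.
    $fqdn = if ($HostName.EndsWith('.')) { $HostName } else { "$HostName." }
    $dns  = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
    $resolvedTo = @($dns | Where-Object Type -eq 'A' | ForEach-Object IPAddress)
    $nameResolves = $resolvedTo.Count -gt 0

    $nameReachable = if ($nameResolves) {
        Test-Connection -ComputerName $HostName -Count 2 -Quiet
    } else { $false }

    # Step 7: the resolver cache now shows what the client learned.
    $cached = Get-DnsClientCache -Name $HostName -ErrorAction SilentlyContinue |
              Select-Object Entry, Data, TimeToLive

    # Classify in the same way the procedure does: IP works but the name does
    # not means a name-resolution problem rather than a network problem.
    $verdict = if (-not $ipReachable) { 'IP connectivity failure (check route and ICMP firewall rule)' }
               elseif (-not $nameResolves) { 'Name resolution failure (check DNS servers and records)' }
               elseif ($resolvedTo -notcontains $KnownAddress) { "Name resolves to a different address ($($resolvedTo -join ', ')); check the record" }
               elseif (-not $nameReachable) { 'Name resolves but the host does not answer by name' }
               else { 'OK' }

    [pscustomobject]@{
        HostName     = $HostName
        DnsServers   = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                        ForEach-Object ServerAddresses | Sort-Object -Unique) -join ', '
        IPReachable  = $ipReachable
        NameResolves = $nameResolves
        ResolvedTo   = $resolvedTo -join ', '
        CacheEntries = $cached
        Verdict      = $verdict
    }
}

# Constructed usage with the course's lab names; substitute your own host.
Test-NameResolution -HostName 'LON-cl1.adatum.com' -KnownAddress '172.16.0.10' | Format-List
```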
Implement Wireless Network Connectivity
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe wireless technologies.
●● Configure wireless settings in Windows 10.
●● Discuss the considerations for implementing wireless networks within organizations.
Specification  Description
802.11a   This is the first extension to the original 802.11 specification. It provides up to 54 megabits per second (Mbps) and operates in the 5 gigahertz (GHz) range. It is not compatible with 802.11b.
802.11b   This specification provides 11 Mbps and operates in the 2.4 GHz range.
802.11e   This specification defines Quality of Service and multimedia support.
802.11g   This specification is for transmission over short distances at speeds up to 54 Mbps. It is backward compatible with 802.11b, and operates in the 2.4 GHz range.
802.11n   This specification adds multiple-input and multiple-output, thereby providing increased data throughput at speeds up to 100 Mbps. It vastly improves speed over previous specifications, and it supports both 2.4 GHz and 5 GHz ranges.
802.11ac  This specification builds on 802.11n to attain data rates of 433 Mbps. 802.11ac operates only in the 5 GHz frequency range.
Wireless security
Wireless security has been the biggest consideration by organizations planning a wireless implementation. Because wireless traffic travels across open airwaves, it is susceptible to interception by attackers. Therefore, organizations utilize several security technologies to address these concerns. Most Wi-Fi devices support multiple security standards. The following table describes the current security methods available for wireless networks.
Wi-Fi Sense
Windows 10 supports a new feature called Wi-Fi Sense. This feature is not available on earlier versions of Windows. Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. These are typically open Wi-Fi hotspots you see when you're out and about. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10 or your phone with Windows 10 Mobile. You can change your Wi-Fi Sense settings any time by selecting Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings on your PC, and then changing one or both of these settings under Wi-Fi Sense.
Additional Reading: For more about Wi-Fi Sense, see: https://aka.ms/Whzu4q
Miracast
Windows 10 has built-in support for Wi-Fi Alliance Miracast devices. Miracast is a protocol that transmits audio and video between devices via Wi-Fi. It is peer-to-peer and uses Wi-Fi Direct for the connection. It is not necessary that both devices are connected to the Internet; they only need to share the same local wireless network. The shared information is sent by the device via Wi-Fi through a Wi-Fi Direct connection to a receiver connected to the display device. The receiver then decodes the video signal and passes it to the TV display (or other display device). Miracast supports WPA2-PSK encryption, which protects the shared audio and video in transit.
●● Optionally, use the PowerShell cmdlet Write-PrinterNfcTag to provision an NFC tag with information about a printer.
●● Windows 10 provides built-in NFC support, which OEMs and ISVs can use to produce NFC-enabled hardware. NFC offers mobile devices significant opportunities to access resources by using proximity alone. Other emerging technologies include Windows 10 support for the Windows Sensor and Location platform, and support for the Windows Biometric Framework (WBF). These frameworks enable developers to utilize support for sensors, which can be attached or embedded within modern Windows devices (phones, tablets, Internet of Things, PCs), and include capabilities such as:
●● Speed, motion, acceleration, gyrometer
●● GPS location, elevation, inclinometer, compass orientation
●● Humidity, temperature, light, atmospheric pressure
●● Biometric human proximity, human presence
Additional Reading: For more information on NFC printing, see: https://aka.ms/Oid2f9
Fix problems
You can solve many problems by installing the latest drivers for your PC and the latest firmware for your wireless display or Miracast adapter. To update firmware on your wireless display or adapter, go to the Support section of the manufacturer's website, search on your specific device, and follow their instructions to download and install that firmware. You can also check the Windows Store to see if there’s an app from the manufacturer of your wireless display or Miracast adapter that updates firmware.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe how to use VPNs to connect to a remote network.
●● Explain how DirectAccess can help remote users connect.
●● Discuss the considerations of enabling remote access for your users.
Overview of VPNs
A VPN provides a point-to-point connection between components of a private network, through a public
network such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a
connection to the listening virtual port of a VPN server. To emulate a point-to-point link, the data is
encapsulated, or wrapped, and prefixed with a header. This header provides routing information that
enables the data to traverse the public network to reach its endpoint.
To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on
the public network are indecipherable without encryption keys. Two types of VPN connections exist:
●● Remote access. Remote access VPN connections enable users who are working at home, at customer sites, or from public wireless access points to access a server that exists in your organization’s private network. They do so by using the infrastructure that a public network, such as the Internet, provides. From the user’s perspective, the VPN is a point-to-point connection between the computer (the VPN client) and your organization’s server. The exact infrastructure of the shared or public network is irrelevant, because it logically appears as if the data is sent over a dedicated private link.
●● Site-to-site. Site-to-site VPN connections, which also are known as router-to-router VPN connections, enable your organization to have routed connections between separate offices or with other organizations over a public network, while maintaining secure communications.
leakage and unauthorized use. It relies on Microsoft Intune, Microsoft System Center Configuration
Manager, or another third-party MDM solution to create and deploy policies that you use to specify
protected apps, and to apply desired protection levels to your data.
With the new VPNv2 configuration service provider, you can use an MDM solution to configure VPN profiles on managed devices. In the case of Microsoft Intune, you have access to pre-defined policy templates that include built-in support for VPN plug-ins.
Windows 10 version 1607 also includes a number of remote access usability improvements that you can
configure via VPN profiles, including:
●● Always On. This feature triggers automatic connections following a user sign-in or a network change.
●● App-triggered VPN. This feature triggers automatic connections following a launch of applications
that you specify, based on a Universal Windows Platform package family name or a file path.
Note: This functionality is available on both workgroup and domain-joined computers, unlike Windows 8.1, which limited it to workgroup computers only.
●● Traffic filters. With this feature, you can control the types of network traffic that will be able to reach your corporate network. You can accomplish this by defining either app-based or traffic-based rules. With app-based rules, you specify a list of allowed applications. Traffic-based rules are 5-tuple policies that take into account the source and destination IP addresses, the source and destination ports, and the network protocol.
●● LockDown VPN. This feature enforces a number of VPN device settings that affect its connectivity. For example, you can ensure that a user cannot modify the VPN profile or disconnect an active VPN connection. You also can implement forced tunneling and block outbound traffic if the VPN connection is not available.
Note: Your VPN connection will appear on the list of available networks when you tap the network icon
in the notification area.
Always On VPN
With traditional VPNs, the end user typically initiates the VPN connection by launching the VPN client
and authenticating. There are two common disadvantages with this:
●● Users have to be aware of what resources require VPN access and the additional steps the user must
perform every time they need to connect over VPN.
●● Traditional VPNs are an “all or nothing” solution. Once connected, all network traffic is tunneled over the VPN. This can lead to large amounts of bandwidth on the organization’s network being consumed when it isn’t necessary. The most notable example is remote users who frequently use publicly accessible websites and resources. They might need VPN access for one or two tasks, but inadvertently pass all internet traffic over the organization’s network instead of directly through the end user’s ISP.
Always On VPN provides a more seamless experience for end users. It supports remote access for domain-joined, nondomain-joined (workgroup), or Azure AD–joined devices, and personally owned devices. Administrators configure routing policies to determine when the client should direct traffic over the VPN. Policies can be based on user, hardware, or software criteria. For example, you could enable device authentication for remote device management, and then enable user authentication for connectivity to internal company sites and services. Because it’s controlled by policies, the user no longer has to be concerned with when to connect or disconnect from the VPN, whether they are remote or on the internal network.
Most organizations supporting VPN access typically have the technologies deployed that are needed for Always On VPN. Other than your Domain Controller and DNS servers, the Always On VPN deployment requires an NPS (RADIUS) server, a Certification Authority (CA) server, and a Remote Access (Routing/VPN) server. Once the infrastructure is set up, you must enroll clients and then securely connect them to your on-premises network.
The settings and XML file are typically created by the Administrator responsible for the VPN infrastructure. Once the XML file is created, it can be deployed to clients with either a device profile in Intune or as a package in Configuration Manager. It can also be deployed using PowerShell.
Remote Management
Lesson Introduction
Windows desktops and apps from the datacenter or from the Azure cloud can run on a variety of devices.
Employees install Microsoft Remote Desktop clients and run desktops and apps on their laptops, tablets
or phones and stay productive on the go. This lesson also discusses remote assistance features to help
users remotely.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Remote Desktop in Windows 10.
●● Enable and use Remote Assistance including Easy Connect.
●● Describe Azure Remote Desktop Services.
You can also add other Azure AD users to the Administrators group on a device and restrict remote
credentials to Administrators.
sitting in front of them. Remote Assistance is a bundled service with Windows 10. It enables a technician to take control of a computer to troubleshoot and perform maintenance tasks without having to physically travel to the problematic machine. This enables the technician to resolve problems without leaving their home or office. The end user must be there to authorize this, and the user can end the session at any time. This technology is generally used only to troubleshoot remote computers and is not used for telecommuting or accessing files or folders.
For security reasons, consider turning this feature off until it is needed.
Quick Assist
Microsoft Quick Assist is a Windows 10 app that enables two people to share a computer over a remote connection so that one person can help solve problems on the other person’s computer, just like Remote Assistance. In fact, the version of Windows 10 on a PC may determine whether Quick Assist or Remote Assistance is installed.
Select the Start button > Windows Accessories > Quick Assist, or select the search box on the taskbar and
type Quick Assist, and then select Quick Assist in the list of results.
Remote desktops
Remote Desktop Services (RDS), formerly Terminal Services, provide users with access to a full remote
desktop experience. In this scenario, users securely connect to a remote session via their local Remote
Desktop Connection (RDC) client. After they authenticate, users are presented with a full desktop just as if
they were signed in locally. The client machines send keystrokes and mouse movements to the server,
and screen images are delivered back to the client machines. Users have access to applications as if the
applications are running locally, even though they are running on a Remote Desktop Session Host (RD
Session Host) server. Each user establishes his or her own private session that does not affect any other
users who are connected to the same RD Session Host server.
To access any remote desktop, the user account (or domain global group) of the connecting user must be
added to the Remote Desktop Users group on the computer to which they are connecting. By default,
this group has no members, and therefore, users cannot make a remote desktop connection until their
account has been added to the local Remote Desktop Users group. However, this can be configured
during the initial RDS deployment.
Note: Standard users do not have the right to sign in to domain controllers either locally or remotely. Being added to the Remote Desktop Users group on a domain controller does not change this. A standard user still needs to be given the right to sign in to a domain controller and must be added to the Remote Desktop Users group to connect to a domain controller remotely.
Installing the RD Session Host role on a server automatically enables remote desktop connections to the local computer and adds users who have been granted access to the local Remote Desktop Users group. If you do not install the RD Session Host role, you can still enable remote desktop access to any Windows-based operating system by modifying the system properties to allow remote connections. Connecting this way is limited to Administrators by default, and only two concurrent connections are allowed. You can allow remote connections and select the users who can connect remotely by using the System Properties item in Control Panel.
Remote desktops are well‑suited for single‑task workers, such as point-of-sale terminals or data‑entry
workers. In such scenarios, it is important to provide a consistent desktop experience for all workers.
Remote desktops also perform well over limited bandwidth, making this a suitable solution for branch
offices where information technology (IT) support might be limited. Remote desktops are typically
employed with thin clients. Another common use for remote desktops is to enable users to access their
organizational desktop. For example, users can work from home by connecting to their workstations.
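An added PowerShell example (not course code) that reports the local state the Remote Assistance and remote desktop sections describe: whether Remote Desktop connections are allowed, whether Remote Assistance is allowed, and who is in the local Remote Desktop Users group, so that an administrator can confirm both features stay off until needed. The function names are assumptions of this example; the registry values used are the ones System Properties writes.

```powershell
# Added example, not from the course: audit the remote-access settings this
# section discusses. Run in an elevated PowerShell session.
function Get-RemoteAccessPosture {
    [CmdletBinding()]
    param()

    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $raKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

    # fDenyTSConnections = 1 means Remote Desktop is disabled (the System Properties default).
    $rdpDisabled = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections -eq 1

    # fAllowToGetHelp = 1 means Remote Assistance invitations are allowed.
    $raValue   = Get-ItemProperty -Path $raKey -Name fAllowToGetHelp -ErrorAction SilentlyContinue
    $raAllowed = $null -ne $raValue -and $raValue.fAllowToGetHelp -eq 1

    # The local Remote Desktop Users group is empty by default, as the text notes;
    # anyone listed here can connect once Remote Desktop is enabled.
    $rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
                  Select-Object -ExpandProperty Name)

    $finding = if ($raAllowed) {
        'Remote Assistance is enabled; disable it until a support session is needed'
    } elseif (-not $rdpDisabled -and $rdpUsers.Count -gt 0) {
        "Remote Desktop is enabled for Administrators plus: $($rdpUsers -join ', ')"
    } elseif (-not $rdpDisabled) {
        'Remote Desktop is enabled; only Administrators can connect'
    } else {
        'Remote Desktop and Remote Assistance are both disabled'
    }

    [pscustomobject]@{
        RemoteDesktopEnabled    = -not $rdpDisabled
        RemoteAssistanceEnabled = $raAllowed
        RemoteDesktopUsers      = $rdpUsers
        Finding                 = $finding
    }
}

# Equivalent to clearing "Allow Remote Assistance connections to this computer"
# in System Properties; re-enable it only when a session is actually required.
function Disable-RemoteAssistance {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance' `
                     -Name fAllowToGetHelp -Value 0 -Type DWord
}

Get-RemoteAccessPosture | Format-List
```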
In many cases, you will be able to work with remote computers in other domains. However, if the remote computer is not in a trusted domain, the remote computer might not be able to authenticate your credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, type:
winrm s winrm/config/client '@{TrustedHosts="RemoteComputer"}'
Here, RemoteComputer should be the name of the remote computer, such as:
winrm s winrm/config/client '@{TrustedHosts="CorpServer56"}'
When you are working with computers in workgroups or homegroups, you must either use HTTPS as the
transport or add the remote machine to the TrustedHosts configuration settings. If you cannot connect to
a remote host, verify that the service on the remote host is running and is accepting requests by running
the following command on the remote host:
winrm quickconfig
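The same TrustedHosts change and connectivity check, as an added PowerShell example (not course code) that uses the WSMan: drive instead of winrm.exe. It appends to the existing list rather than overwriting it, warns when the list is already a wildcard, and then verifies the remote WinRM service is answering. CorpServer56 is the course's placeholder name; the function names are assumptions of this example.

```powershell
# Added example, not from the course: manage the WinRM client's TrustedHosts
# list and test the remote listener. Run in an elevated PowerShell session.
function Add-TrustedWinRMHost {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    $path    = 'WSMan:\localhost\Client\TrustedHosts'
    $current = (Get-Item -Path $path).Value

    # TrustedHosts tells the client which hosts it may authenticate to without the
    # mutual authentication a trusted domain (Kerberos) or HTTPS would provide.
    # A '*' entry trusts every host, so flag it rather than silently keep it.
    if ($current -eq '*') {
        Write-Warning "TrustedHosts is '*'; prefer HTTPS transport or an explicit host list."
    }

    $entries = @($current -split ',' | ForEach-Object Trim | Where-Object { $_ })
    if ($entries -contains $ComputerName) {
        return "Already trusted: $ComputerName"
    }

    # -Concatenate appends to the existing list; without it the list is replaced.
    Set-Item -Path $path -Value $ComputerName -Concatenate -Force
    return "Added $ComputerName; TrustedHosts is now: $((Get-Item -Path $path).Value)"
}

# Confirms the remote WinRM service is running and accepting requests (the
# check the text describes with "winrm quickconfig" on the remote side).
# Test-WSMan returns the service identity on success and throws on failure.
function Test-WinRMEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [switch]$UseSSL   # use HTTPS transport when a listener with a certificate exists
    )
    try {
        $null = Test-WSMan -ComputerName $ComputerName -UseSSL:$UseSSL -ErrorAction Stop
        return $true
    } catch {
        Write-Verbose "WinRM check for $ComputerName failed: $($_.Exception.Message)"
        return $false
    }
}

Add-TrustedWinRMHost -ComputerName 'CorpServer56'
Test-WinRMEndpoint -ComputerName 'CorpServer56'
```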
Summary
In this lab, you will identify IPv4 settings and validate connectivity on a Windows 10 device. You will also
configure a Windows 10 device to automatically obtain IPv4 settings from a DHCP service.
Scenario
You need to identify the current static IPv4 settings on SEA-CL1. You also need to test connectivity from
SEA-CL1 to SEA-DC1.
Scenario
Your network administrative team has configured DNS and DHCP services located on SEA-DC1. You need
to reconfigure SEA-CL1 to obtain its IPv4 settings using the DHCP service. You will then test and verify the
connectivity between SEA-CL1 and SEA-DC1 using the newly obtained IPv4 address settings.
Summary
In this lab, you will verify and manage name resolution for a Windows 10 network client. You will also test
and troubleshoot name resolution by using command line tools, DNS, and a hosts file entry.
Scenario
You need to check and verify current DNS settings on SEA-CL1. You will also test out command line tools
used to view and clear the DNS client cache.
Scenario
A user reports that SEA-CL1 cannot connect to www.Contoso.com or intranet.Contoso.com. To address the issue, you decide to add www to the hosts file along with the SEA-SVR1.contoso.com IP address. You will also add an alias DNS record for intranet.Contoso.com that resolves to SEA-SVR1.contoso.com. Finally, you will verify name resolution and connectivity.
Summary
In this lab, you will learn how to perform remote Windows administration using Remote PowerShell, Remote Desktop, and Windows Admin Center.
Scenario
Your company is planning to open a new branch office. To manage the devices in the new branch office
you need to use Remote PowerShell and Remote Desktop. You need to test remote administration by
running remote PowerShell commands on SEA-SVR2 and you need to enable Remote Desktop on
SEA-CL1.
Scenario
You need to test remote administration capabilities of the Windows Admin Center. For this scenario, you
will install Windows Admin Center on SEA-CL1 and then perform remote administration tasks on SEA-SVR1.
Module Review
Discussion
What are some considerations for enabling Wi‑Fi access for your users?
available IPv4 addresses. What do you have to configure in addition to the IP address?
A. Subnet mask
B. Default gateway
C. Domain Name System (DNS) server
D. MAC address
E. Activation key
2. You are configuring static IPv4 configuration manually for each of your network’s computers. Your network is configured to use a simple Class B subnet mask of 255.255.0.0. Which of the following IP addresses is a valid address for your network?
A. 120.1.0.21
B. 150.0.10.100
C. 192.168.0.11
D. 169.254.245.2
3. Your organization recently upgraded to Windows 10 from Windows 8.1. You want to use a familiar,
wizard driven, tool to configure wired and wireless connections. Which tool should you use?
A. Network & Internet
B. Network and Sharing Center
C. Network Setup Wizard
D. Windows PowerShell
4. Your network administrator has asked you to verify that a Windows 10 computer in your Houston
office has network connectivity to a file server at the Chicago office. You need to provide detailed
statistics on the individual steps, or hops, through the network routers. Which command or tool
should you use?
A. The Pathping command
B. The Ping command
C. The Tracert tool
D. NSLookup
E. Microsoft Message Analyzer
5. Your organization has recently upgraded the network to support IPv6. You are part of a team that
supports the Windows 10 devices. Which of the following are IPv6 benefits? (select 4)
A. Large address space
B. Hierarchical addressing and routing infrastructure
C. Converts IPv4 addresses into IPv6 addresses automatically
D. IPv6 and IPv4 can run together (dual stack)
E. Supports DirectAccess for remote access clients
F. Uses 256-bit addresses
G. Provides URL filtering
6. Your organization is deploying Always On VPN. You need to deploy the necessary configuration to
clients. Which methods can you use to do this? (Select three)
A. Configuration Manager
B. Group Policy
C. Microsoft Intune
D. PowerShell
7. You are an IT Support Professional for your organization's business applications. A home-based user has requested support with an application. You ask the user to send you an invitation using Quick Assist. Which options will the user have? (select three)
A. Save this invitation as a file
B. Send invitation to phone
C. Use email to send an invitation
Managing Storage
Lesson Introduction
Although you can save files to the local hard disk in Windows 10, several additional storage options are
available. This lesson describes some of the different storage technologies, including different types of
server-based and cloud-based storage.
This lesson will also cover considerations for configuring storage for use in Windows 10. While the default
settings for a disk drive will be sufficient for most scenarios when installing Windows, there are additional
options available for advanced configurations, such as clients with multiple storage drives or specific
partition requirements.
You can use disk management tools to perform disk-related tasks, such as creating and formatting
partitions and volumes, assigning drive letters, and resizing disks.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the different ways to access storage.
●● Explain the difference between network-attached storage (NAS) and storage area networks (SANs).
●● Compare MBR and GUID partition table (GPT) disks.
●● Describe how to convert a basic disk to a dynamic disk.
●● Describe the tools available for managing disks.
●● Describe a simple volume.
●● Describe mirrored, spanned, and striped volumes.
●● Create volumes, resize, and manage volumes.
196 Module 6 Configuring Storage
Storage Options
Local hard disk
A locally attached hard disk is also known as direct-attached storage (DAS). Depending on the hard disk
type and the type of hard disk controller, you might get varying performance of the local hard disk. The
solid-state drives (SSDs), which use flash card technology, are the fastest hard disks, but they are more
expensive than older technologies. SSDs are also often smaller in capacity compared to the normal hard
disk drives.
All tablets use some kind of flash card technology. They use SSDs when they require more capacity for local storage. On rare occasions, you may need to acquire a driver for the hard disk before you can install Windows 10.
Advantages of using local hard disks include:
●● Availability. The local hard disk is always available, including in situations where there is no network
connectivity.
●● Performance. Only a single user uses the local hard disk. In addition, the bandwidth of your network
connection does not limit you.
Disadvantages of using local hard disks include:
●● Backup. You will not automatically have a backup of your data.
●● Physical failures. If your local hard disk fails, you will not be able to start your computer.
are limited to 2 TB of storage, whereas the new .vhdx format is suitable for virtual disks up to a supported
maximum size of 64 TB.
Server-based storage
Using Windows Server 2016 as a file server gives you central access to your files. Although the file server contains local storage, larger organizations will often acquire separate storage systems optimized for performance and security. You connect these separate storage systems, such as a NAS or a SAN, to the server; you will learn about both later in this module. Windows Server 2012 R2 adds functionality, such as Work Folders, offline files, and failover clustering, that makes it suitable as a file server for small, medium, and large enterprises.
Advantages of using server-based storage include:
●● Redundancy. Because most server-based storage protects data by using redundant disk systems, you
will not suffer data loss due to the failure of a single hard disk.
●● Backup. Automatic backup is in place for most server-based storage.
●● Performance. Server-based storage is often faster than local hard disks because it uses faster disks,
which you configure in a performance-optimized way.
Disadvantages of using server-based storage include:
●● Availability. You need a network connection to access server-based storage. If you are outside your
company’s network, you might not be able to access the storage remotely, unless you use some kind
of caching technique, such as offline files.
●● Performance. You can experience bottlenecks in both network connectivity and access to server-based
storage because many users are accessing the same storage simultaneously.
NAS
NAS is storage that is connected to a dedicated storage device. You can access it over the network. Unlike
DAS, NAS is not directly attached to a computer or server, and users access it over the network. NAS has
two distinct solutions: a low-end appliance (NAS only), and an enterprise-class NAS that integrates with
SAN.
Each NAS device has a dedicated operating system that controls access to the data on the device, which
reduces the overhead associated with sharing the storage device with other server services. An example
of NAS software is Windows Storage Server, a special edition of Windows Server 2012 R2.
NAS devices typically provide file-level access to the storage, which means that you can access the data
on the storage only as files. You must use protocols such as Common Internet File System (CIFS), Server
Message Block (SMB), or network file system (NFS) to access the files.
To enable NAS storage, you need a storage device. Frequently, these devices do not have any server
interfaces such as keyboards, mice, and monitors. To configure the device, you need to provide a network
configuration, and then access the device across the network. You can then create network shares on the
device by using the name of the NAS and the share created. The network’s users can then access these
shares.
SAN
SAN is a high‐speed network that connects computer systems or host servers to high-performance
storage subsystems. A SAN usually includes various components such as host bus adapters (HBAs),
special switches to help route traffic, and storage disk arrays with logical unit numbers (LUNs) for storage.
Managing Storage 199
A SAN enables multiple servers to access a pool of storage in which any server can potentially access any
storage unit. Because a SAN is a network, you can use a SAN to connect many different devices and hosts
and provide access to any connected device from anywhere.
SANs provide block-level access. This means that, rather than accessing the content on the disks as files
by using a file access protocol, SANs write blocks of data directly to the disks by using protocols such as
Fibre Channel over Ethernet or Internet Small Computer System Interface (iSCSI).
Today, most SAN solutions offer SAN and NAS together. The backend head units, disks, and technologies
are identical, and only the access method differs. Enterprises often provision block storage from the SAN
to the servers by using Fibre Channel over Ethernet or iSCSI. NAS services use the CIFS and NFS
protocols. If you want to use a SAN, Windows 10 supports the iSCSI protocol with the iSCSI initiator.
OneDrive
OneDrive offers the benefits of making files accessible by any device, while offering a seamless end user
experience in the desktop client. OneDrive is covered in more detail in the next topic.
Azure Storage
Microsoft Azure Storage is a cloud storage solution that developers and IT professionals use to build
applications. Azure Storage saves data in the cloud. You can access Azure Storage by using any type of
device and by using any type of application, from the smallest app to applications with terabytes of data.
Azure Storage can handle four types of storage:
●● Blob storage stores any type of text or binary data. This includes documents and media files.
●● Table storage stores structured datasets. Table storage is a NoSQL key-attribute data store.
●● Queue storage provides messaging for workflows. Communication between different components of
cloud services is also one of the uses of queue storage.
●● File storage uses the standard SMB protocol. Azure virtual machines and cloud services can share file
data with file storage. On-premises applications can also access file data in a share via file storage.
MBR disks
The MBR contains the partition table for a disk and a small amount of executable code called the master
boot code. Partitioning a disk creates the MBR automatically on the first sector of the hard disk. The MBR
contains a four-partition entry table that describes the size and location of a disk partition by using 32-bit
logical block addressing (LBA) fields. Most Windows 10 editions, such as the 32-bit and 64-bit versions
that run on motherboards with BIOS firmware, require an MBR-partitioned system disk and cannot boot
from a larger-capacity disk. Newer motherboards enabled with Unified Extensible Firmware Interface
(UEFI) can read both MBR and the newer GUID Partition Table (GPT) disks.
GPT disks
GPT disks contain an array of partition entries that describe the start and end LBA of each partition on a
disk. Each GPT partition has a unique GUID and partition-content type. Each LBA that the partition table
describes is 64 bits in length. The UEFI specifies the GPT format, but it is not exclusive to UEFI systems.
Both 32-bit and 64-bit Windows operating systems support GPT for data disks on BIOS systems. However,
they cannot boot from them. 64-bit Windows operating systems support GPT for boot disks on UEFI
systems.
●● You can implement GPT disks on Windows Server 2008 and newer versions, Windows 10, Windows
8.1, Windows 8, Windows 7, and Windows Vista. You cannot use the GPT partition style on removable
disks.
GPT architecture
A GPT-partitioned disk defines the following sectors:
●● Sector 0 contains a legacy protective MBR, which contains one primary partition that covers the entire
disk:
●● The protective MBR protects GPT disks from previously released MBR disk tools, such as the MS-DOS
fdisk or Windows NT Disk Administrator. These tools view a GPT disk as a single encompassing
(possibly unrecognized) partition by interpreting the protective MBR, rather than mistaking the disk
for one that does not have any partitions. This means that the tools will not view a GPT-initialized disk
as having no partitions, making it less vulnerable to incidental data loss.
●● Legacy software that is not aware of GPT interprets only the protective MBR when it accesses a GPT
disk.
●● Sector 1 contains a partition table header. The partition table header contains the unique disk GUID,
the number of partition entries (usually 128), and pointers to the partition table.
●● The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the
partition offset, length, type (also a GUID), attributes, and a 36-character name.
The following table describes the partitions that Windows 10 creates when you install it on a GPT disk.
Dynamic Disks
Dynamic disks provide features that basic disks do not. You can create volumes that span multiple disks
and fault-tolerant volumes. Dynamic disks can also use the MBR or GPT partition styles.
Dynamic disks use a database to track information about volumes on dynamic disks in the computer.
Each dynamic disk in a computer stores a replica of the dynamic disk database, which is useful if you
experience a corrupted dynamic disk database. Windows can repair the corrupted dynamic disk by using
the database on another dynamic disk. The partition style of the disk determines the location of the
database. On MBR partitions, Windows 10 stores the database in the last 1 MB of the disk. On GPT
partitions, the database is located in a 1-MB reserved and hidden partition.
You can perform the following operations only on dynamic disks:
●● Create and delete spanned, striped, and mirrored volumes.
●● Extend a simple volume to a noncontiguous space or spanned volume.
●● Remove a mirror from a mirrored volume.
●● Repair mirrored volumes.
●● Reactivate a missing or offline disk.
You should be aware of the following considerations regarding dynamic disks:
●● You cannot convert a basic disk to a dynamic disk unless there is at least 1 MB of unused space on the
disk because of the Logical Disk Manager database.
●● You cannot convert a dynamic disk to a basic disk without losing data. You need to delete all dynamic
volumes on the disk. Disk Management automatically converts the disk to basic when you delete the
last volume.
●● You cannot use Windows PowerShell to manage dynamic disks. The storage cmdlets will not
recognize dynamic disks.
Disk Management
By using the Disk Management snap-in to the Microsoft Management Console (MMC), administrators
can manage volumes quickly and confirm the health of each volume. Disk Management in Windows 10
provides the same features as previous versions, including:
●● Simpler partition creation. When you right-click a volume, you can choose whether to create a basic,
spanned, or striped partition directly from the menu.
●● Disk conversion options. When you try to extend a partition to a noncontiguous area on the same or
another disk, Disk Management prompts you to convert the disk to dynamic. You also can convert
basic disks to dynamic disks without incurring data loss. However, converting a dynamic disk to basic
is not possible without first deleting all of the volumes.
●● Extend and shrink partitions. You can extend and shrink partitions from Disk Management.
To open Disk Management, use this procedure:
1. Select Start and type disk. This will display the search window.
2. Continue typing diskmgmt.msc in the search box, and then select diskmgmt.msc in the results list.
DiskPart
By using DiskPart, you can manage fixed disks and volumes by using scripts or direct input from the
command line. At the command prompt, type DiskPart, and then enter commands at the DiskPart
command prompt. The following are common DiskPart actions:
●● To view a list of DiskPart commands, at the DiskPart command prompt, type commands.
●● To run DiskPart commands from a script that you have saved in a text file, type a command similar
to diskpart /s testscript.txt.
●● To create a log file of the DiskPart session, type DiskPart /s testscript.txt > logfile.txt.
The following table shows several DiskPart commands that you will use frequently.
Command                  Description
list disk                Displays a list of disks and related information, including the disk size, the amount of available free space on each disk, whether each disk is basic or dynamic, and whether each disk uses the MBR or GPT partition style. The disk marked with an asterisk (*) is the one against which subsequent commands will execute.
select disk disknumber   Selects the specified disk, where disknumber is the disk number, and gives it focus.
convert gpt              Converts a disk with the MBR partition style to a basic disk with the GPT partition style.
Windows PowerShell
Prior to Windows PowerShell 3.0, if you wanted to script disk management tasks, you had to make calls to
Windows Management Instrumentation (WMI) objects or include DiskPart in your scripts. Windows
PowerShell 3.0 and newer versions include commands for natively managing disks. The following table
details some Windows PowerShell commands.
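As an added example (not part of the course text), the following script uses those Storage module cmdlets to initialize a newly attached disk as GPT and create two NTFS data volumes on it, refusing to touch the boot or system disk or a disk that already has a partition table. The disk number, the 40 GB first-partition size and the volume labels are assumptions.

```powershell
# Added example (not from the course text): initialize a newly attached RAW disk as GPT
# and carve it into two NTFS data volumes with the Storage cmdlets that shipped with
# Windows PowerShell 3.0 and later. Run from an elevated PowerShell session.
# The disk number, the 40 GB size and the labels are assumptions for this example.
#Requires -RunAsAdministrator

function Initialize-DataDisk {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][string]$FirstLabel,
        [Parameter(Mandatory)][string]$SecondLabel,
        [uint64]$FirstSize = 40GB
    )

    $disk = Get-Disk -Number $DiskNumber

    # Guard rails: never touch the disk Windows booted from, and only initialize a disk
    # that carries no partition table yet (PartitionStyle RAW). Dynamic disks are not
    # visible to these cmdlets at all, as the lesson notes.
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber is the boot or system disk; refusing to initialize it."
    }
    if ($disk.PartitionStyle -ne 'RAW') {
        throw "Disk $DiskNumber already uses $($disk.PartitionStyle); refusing to reinitialize it."
    }

    $action = 'Initialize as GPT and create two NTFS volumes'
    if (-not $PSCmdlet.ShouldProcess("Disk $DiskNumber", $action)) { return }

    # A freshly attached disk is often offline and read-only until an administrator brings it up.
    if ($disk.IsOffline)  { Set-Disk -Number $DiskNumber -IsOffline $false }
    if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }

    # GPT: 64-bit LBAs and (usually) 128 partition entries, so no 2 TB ceiling.
    Initialize-Disk -Number $DiskNumber -PartitionStyle GPT

    # First volume gets a fixed size; the second takes whatever space remains.
    $p1 = New-Partition -DiskNumber $DiskNumber -Size $FirstSize -AssignDriveLetter
    $p2 = New-Partition -DiskNumber $DiskNumber -UseMaximumSize -AssignDriveLetter

    $v1 = Format-Volume -Partition $p1 -FileSystem NTFS -NewFileSystemLabel $FirstLabel -Confirm:$false
    $v2 = Format-Volume -Partition $p2 -FileSystem NTFS -NewFileSystemLabel $SecondLabel -Confirm:$false

    # Return the resulting volumes so the caller (or a change log) can verify the outcome.
    $v1, $v2 | Select-Object DriveLetter, FileSystemLabel, FileSystem, Size, SizeRemaining
}

# Inventory first: which disks are still RAW and therefore candidates?
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Select-Object Number, FriendlyName, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) } }, IsBoot, IsSystem

# Dry run with -WhatIf, then the real change (disk 1 is an assumed example number).
Initialize-DataDisk -DiskNumber 1 -FirstLabel 'Data1' -SecondLabel 'Data2' -WhatIf
# Initialize-DataDisk -DiskNumber 1 -FirstLabel 'Data1' -SecondLabel 'Data2'
```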
Simple Volumes
The most commonly used disk arrangement is a simple volume. This volume is a contiguous, unallocated
area of a physical hard disk that you format to create a file system. You then assign a drive letter to it or
mount it in an existing volume by using a volume mount point.
206 Module 6 Configuring Storage
Scenario: Business desktop computer with one disk
Description: Most business users require a basic disk and one basic volume for storage, but do not require a computer with volumes that span multiple disks or that provide fault tolerance. This is the best choice for those who require simplicity and ease of use.

Scenario: Business desktop computer with one disk and more than one volume
Description: If small business users want to upgrade their operating systems and reduce the impact on their business data, they must store the operating system in a separate location from business data. This scenario requires a basic disk with two or more simple volumes. Users can install an operating system on the first volume, creating a boot volume or system volume, and use the second volume to store data. When a new version of an operating system releases, users can reformat the boot or system volume, and then install the new operating system. The business data, located on the second volume, remains untouched.
A simple volume might provide better performance than striped data layout schemes. For example, when
serving multiple, lengthy, sequential streams, performance is best when a single disk services each
stream. Workloads composed of small, random requests do not always result in performance benefits
when you move them from a simple to a striped data layout.
The emergence of SSDs, which offer extremely fast data transfer rates, offers the Windows 10 user
another decision related to storing data. SSDs currently are more expensive and have smaller capacities
compared to traditional magnetic hard disk drives. This combination of performance, size, and cost is an
acceptable compromise when used in small form factor devices. However, a desktop PC might benefit
from a combination of an SSD for Windows system files and a large capacity hard disk drive for business
data.
It is possible to shrink a spanned volume. However, it is not possible to remove an area from a specific
disk. For example, if a spanned volume consists of three 100-MB partitions on each of three disks, you
cannot delete the third element.
If you install additional hard disks, it is possible to extend the spanned volume to include areas of
unallocated space on the new disks, as long as the total number of disks does not exceed the 32-disk
limit for spanned volumes.
When you shrink a volume, unmovable files (for example, a page file) do not relocate automatically. It is
not possible to decrease the allocated space beyond the point where the unmovable files are located. If
you need to shrink a partition further, transfer the unmovable file to another disk, shrink the volume, and
then transfer the unmovable file back to the disk. You can shrink simple and spanned volumes, but not
others. You can increase the size of a simple volume in the following ways:
●● Extend the simple volume on the same disk. The disk remains a basic disk if the free space is adjacent
to the volume you want to extend. If it is not contiguous space, then the disk will convert to a dynamic
disk.
●● Extend a simple volume to include unallocated space on other disks on the same computer. This
creates a spanned volume.
Maintaining Disks and Volumes 211
Lesson Objectives
After completing this lesson, you will be able to:
●● Explain the primary characteristics of the Storage functionality in Windows 10.
●● Describe how to use the Storage functionality.
●● Describe how files stored on disks might fragment.
●● Describe how to defragment volumes.
●● Explain folder compression.
●● Describe how to compress folders.
●● Describe what disk quotas are.
●● Describe how to configure disk quotas.
●● Music
●● Videos
●● Mail
●● OneDrive
●● Desktop
●● Maps
●● Other people
●● Temporary files
●● Other
Depending on the drive and category that you select, you will have different management options. If you
select one of the file type categories on drives other than This PC, you will see a list of directories
containing files from that category. For This PC, you have a choice to open File Explorer with that
particular file type’s folder within the user’s profile.
System and Reserved
This category gives you a list of disk space used by Windows system files, virtual memory, hibernation file,
and System Restore. You can select Manage System Restore to configure System Restore and decide how
much disk space System Restore can use.
Apps and Games
You can sort the application list by size, name, and install date. You can also search for an app by name,
and when you select the app, you have easy access to uninstall the app.
OneDrive
You will be able to select which folders synchronize to this device to save disk space. This is particularly
useful on devices with limited storage space, such as tablets.
Temporary Files
This category gives you a list of disk space used by temporary files, downloads, the recycle bin, and
previous versions of Windows. For each item, there is an option to delete the files.
Save Locations
Storage usage also allows you to choose the drive to save new files. You can choose between the drives
connected to your computer. If you are signed in with a Microsoft account, you can also choose
OneDrive.
Disk Optimization
By default, Windows 10 optimizes internal storage devices automatically. The method of optimization
depends on whether the drive is a hard disk drive or a solid-state drive.
As the volume fills with data and other files, contiguous areas of free space become harder to find. File
deletion also causes fragmentation of available free space. Additionally, when you extend and save a file,
such as editing a document or spreadsheet, there might not be contiguous free space following the
existing file blocks. This forces the I/O manager to save the remainder of the file in a noncontiguous area.
Over time, contiguous free space becomes more scarce, leading to fragmentation of newly stored
content. The incidence and extent of fragmentation varies depending on available disk capacity, disk
consumption, and usage patterns.
Although NTFS is more efficient at handling disk fragmentation than earlier file systems, this
fragmentation still presents a potential performance problem. Combined hardware and software advances
in the Windows operating system help to mitigate the impact of fragmentation and deliver better
responsiveness.
Optimizing a disk
When you optimize a disk, files are relocated optimally. This ability to relocate files is beneficial when you
are shrinking a volume, because it frees up space that you can later reclaim. Windows 10 defragments
drives automatically on a scheduled basis, running weekly in the background to rearrange data and
reunite fragmented files. You can check the status of a defragmentation or perform a manual
optimization at any time by launching the Optimize Drives tool.
To optimize a volume or drive manually, or to change the automatic optimization schedule, right-click a
volume in File Explorer, select Properties, select the Tools tab, and then select Optimize. You can perform
the following tasks:
●● Change settings, which allows you to:
●● Enable or disable the automated optimization.
●● Specify the automated optimization frequency.
●● Set a notification for three consecutive missed optimization runs.
●● Select which volumes you want to optimize.
●● Analyze the disk to determine whether it requires optimization.
Configuring compression
You set compression from the properties of a file or folder on the General tab. You select Advanced and
set or clear the compression attribute. You can also configure compression from the command line by
using the compact command.
●● When the file closes, the Windows operating system compresses it again.
●● NTFS-compressed file and folder names display in a different color, by default, to make them easier to
identify.
●● NTFS-compressed files and folders only remain compressed while an NTFS volume is storing them.
●● You cannot encrypt an NTFS-compressed file.
●● The compressed bytes of a file are not accessible to applications, which see only the uncompressed
data:
●● Applications that open a compressed file can perform tasks on it as if the file was not compressed.
●● If you copy compressed files to a file allocation table (FAT) or Resilient File System (ReFS) volume, the
copy of the file will not be compressed because those file systems do not support NTFS compression.
●● Compressing folders by using Compressed (zipped) Folder does not affect a computer’s overall
performance. Central processing unit (CPU) utilization increases only when you use Compressed
(zipped) Folder to compress a file. Compressed files take up less storage space, and you can transfer
them to other computers more quickly than uncompressed files. You can work with compressed files
and folders the same way you work with uncompressed files and folders.
Comparing zipped folder compression and NTFS folder compression
You should be aware of the differences between zipped folder compression and NTFS folder compression.
A zipped folder is a single file inside which Windows allows you to browse. Some applications can access
data directly from a zipped folder, while other applications require that you first unzip the folder
contents before the application can access the data.
In contrast, NTFS compression compresses individual files within a folder. Therefore, NTFS compression
does not affect data access as zipped folders do, because it occurs at the individual file system level and
not the folder level. Additionally, zipped folders are useful for combining multiple files into a single email
attachment, whereas NTFS compression is not.
File and folder compression that uses the Send To Compressed (zipped) Folder command is different
from NTFS file and folder compression:
●● For selected files or folders, the Send To Compressed (zipped) Folder command compresses the
selected content into a portable zip file. The original file or folder does not change, and a new,
compressed zip file is created.
●● NTFS compression does not create a second, compressed zip-type file. Instead, it actually reduces the
size of the selected file, folder, or volume by compressing its content.
Managing Storage Spaces 217
Lesson Objectives
After completing this lesson, you will be able to:
●● Explain what the Storage Spaces feature is.
●● Describe the features of Storage Spaces.
●● Discuss in which scenarios to use Storage Spaces.
●● Show how to configure Storage Spaces.
●● Creating a virtual disk with resiliency through parity requires a minimum of three physical disks.
●● Three-way mirroring requires at least five physical disks.
●● Disks must be blank and unformatted; no volume must exist on them.
●● Disks can be attached through a variety of bus interfaces, including SAS, SATA, small computer
system interface (SCSI), and USB.
●● Storage pool. A storage pool is a collection of one or more physical disks that you can use to create
virtual disks. You can add all nonformatted physical disks and disks that do not have an attachment to
another storage pool to a storage pool.
●● Storage space. This is similar to a physical disk from the perspective of users and programs. However,
storage spaces are more flexible because they include thin provisioning or just-in-time (JIT)
allocations, and they include resiliency to physical disk failures with built-in functionality such as mirroring.
●● Disk drive. You can access this volume from your Windows operating system, for example, by using a
drive letter.
Storage layout
Configure this feature to define the number of disks from the storage pool that you allocate to a virtual
disk. Valid options include:
●● Simple. A simple space has data striping but no redundancy. In data striping, logically sequential data
is segmented across all disks in such a way that provides access for these sequential segments to
different physical storage drives. Striping makes it possible to access multiple segments of data
concurrently. Do not host important data on a simple volume, because it provides no failover
capabilities when the disk that is storing the data fails. This is similar to the striped volumes discussed earlier.
●● Two-way and three-way mirrors. Mirror spaces maintain two or three copies of the data that they host
(two data copies for two-way mirrors and three data copies for three-way mirrors). Data duplication
happens with every write to ensure that all data copies are always current. Mirror spaces also stripe
the data across multiple physical drives. Mirror spaces provide the benefit of greater data throughput
and lower access latency. They also do not introduce a risk of corrupting at-rest data, and do not
require the extra journaling stage when writing data. Two-way mirrors are similar to the mirrored
volumes discussed earlier.
●● Parity. A parity space is similar to RAID 5. Storage Spaces stores data, along with parity information,
striped across multiple physical drives. Parity enables Storage Spaces to continue servicing read and
write requests even when a drive has failed. Parity always rotates across available disks to enable I/O
optimization. Storage Spaces require a minimum of three physical drives for parity spaces. Parity
spaces have increased resiliency through journaling. There is no equivalent to parity in volumes on
dynamic disks.
Provisioning schemes
You can provision a virtual disk by using two different schemes:
●● Thin provisioning space. Thin provisioning is a mechanism that enables you to allocate storage when
the storage space needs it. The storage pool organizes the storage capacity into provisioning slabs.
The allocation does not happen until the point when datasets grow to require the storage. As
opposed to the traditional fixed storage allocation method, in which you might allocate large pools of
storage capacity that remain unused, thin provisioning optimizes utilization of available storage.
Organizations also can save on operating costs, such as electricity and floor space, associated with
keeping the unused drives operating. The disadvantage of using thin provisioning is lower disk
performance because storage allocation occurs when the pool needs extra storage.
●● Fixed (or “thick”) provisioning space. With Storage Spaces, fixed provisioned spaces also employ the
flexible provisioning slabs. The difference between thin provisioning and a fixed provisioning space is
that the storage capacity allocation in the fixed provisioning space happens at the same time as
storage space creation.
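The storage layout and provisioning choices above map directly onto the Storage cmdlets. The following added PowerShell script (not from the course or its lab) creates a storage pool from every poolable disk and a thin-provisioned virtual disk on it, defaulting to the two-way mirror layout, and enforces the minimum physical disk counts the lesson lists before it touches anything. The pool, space and volume names and the 500 GB size are assumptions.

```powershell
# Added example (not from the course text): create a storage pool and a thin-provisioned
# resilient space on it with the Storage module cmdlets. Run from an elevated session.
# Pool, space and volume names and the 500 GB size are assumptions for this example.
#Requires -RunAsAdministrator

# Minimum physical disks per layout, as stated in the lesson.
$MinimumDisks = @{
    'Simple'  = 1   # striping only, no redundancy: do not host important data here
    'Mirror2' = 2   # two-way mirror: keeps serving I/O with one failed drive
    'Mirror3' = 5   # three-way mirror: keeps serving I/O with two failed drives
    'Parity'  = 3   # RAID 5-like, with journaling
}

function New-ResilientSpace {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [Parameter(Mandatory)][string]$SpaceName,
        [Parameter(Mandatory)][string]$Label,
        [ValidateSet('Simple', 'Mirror', 'Parity')][string]$Layout = 'Mirror',
        [ValidateSet(2, 3)][int]$DataCopies = 2,
        [ValidateSet('Thin', 'Fixed')][string]$Provisioning = 'Thin',
        [uint64]$Size = 500GB
    )

    # Only blank, unformatted disks that belong to no other pool are eligible (CanPool).
    $candidates = @(Get-PhysicalDisk -CanPool $true)
    $key = if ($Layout -eq 'Mirror') { "Mirror$DataCopies" } else { $Layout }
    $needed = $MinimumDisks[$key]
    if ($candidates.Count -lt $needed) {
        throw "$key needs at least $needed poolable disks; found $($candidates.Count)."
    }

    $summary = "pool from $($candidates.Count) disks, $key space, $Provisioning provisioning"
    if (-not $PSCmdlet.ShouldProcess($PoolName, "Create $summary")) { return }

    # The local subsystem is named 'Windows Storage on <host>' on current builds and
    # 'Storage Spaces on <host>' on older ones; read the name instead of guessing it.
    $subsystemName = (Get-StorageSubSystem | Select-Object -First 1).FriendlyName
    New-StoragePool -FriendlyName $PoolName -StorageSubSystemFriendlyName $subsystemName `
        -PhysicalDisks $candidates | Out-Null

    # Thin provisioning hands out slabs as data grows; Fixed allocates the whole size now.
    $vdParams = @{
        StoragePoolFriendlyName = $PoolName
        FriendlyName            = $SpaceName
        ResiliencySettingName   = $Layout
        ProvisioningType        = $Provisioning
        Size                    = $Size
    }
    if ($Layout -eq 'Mirror') { $vdParams.NumberOfDataCopies = $DataCopies }
    $vdisk = New-VirtualDisk @vdParams

    # The space appears as an ordinary disk: initialize, partition and format it as usual.
    $disk = $vdisk | Get-Disk
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    $part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
    Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null

    # Report what was built so the resiliency and provisioning can be verified.
    Get-VirtualDisk -FriendlyName $SpaceName |
        Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies,
                      ProvisioningType, HealthStatus, OperationalStatus
}

# Dry run first, then the real change: a two-way mirror, as in the lab scenario.
New-ResilientSpace -PoolName 'SalesPool' -SpaceName 'SalesSpace' -Label 'SalesData' -WhatIf
# New-ResilientSpace -PoolName 'SalesPool' -SpaceName 'SalesSpace' -Label 'SalesData'
```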
Reliable storage
Small businesses often do not have the funds for acquiring enterprise-grade storage solutions. Storage
Spaces can help these companies get fault-tolerant storage for an affordable price. Storage Spaces has
two resiliency types that provide fault tolerance. These will help to make the storage highly available in
case of disk failures. Two-way mirror and parity can function even when one drive fails. Three-way mirror
can function with two drive failures.
High-performance storage
Users whose workloads need high-performance storage, such as video editing, might also benefit from
Storage Spaces. When you create a storage space with parity resilience, the striping gives better read
and write performance to the storage. When you use SSDs as the physical drives, you should be able to
get the required disk I/O.
Summary
In this lab you will learn how to manage local disk storage using Disk Management and PowerShell.
Scenario
You need to add storage to SEA-WS2. Additional disks have been installed and you now have to create
two new partitions to store data.
Summary
In this lab you will configure a storage space that will combine multiple disk drives to one large single
disk.
Scenario
The sales department requires a new file share on SEA-WS2 that requires a mirror for resiliency. You have
added three new disk drives to SEA-WS2, and have decided to configure a storage space. You will remove
the partition from Disk 1 first and then use Disk 1, Disk 2, and Disk 3 to create a two-way mirror storage
pool inside a newly created storage space.
Module Review
Check Your Knowledge
1. Which of the following is not true when describing NAS devices?
A. NAS is storage that is connected to a dedicated storage device.
B. You can access it over the network.
C. NAS is directly attached to a computer or server.
D. Each NAS device has a dedicated operating system that controls access to the data on the device.
E. NAS devices typically provide file-level access to the storage.
F. All are true.
2. You are upgrading the local storage for a Windows 10 computer to a 6 TB disk. You have decided to
configure it as a GPT disk. Which of the following is a benefit of GPT disks? (select three)
A. 128 partitions per disk.
B. 18 exabytes of volume size.
Practice Labs and Module Review 221
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the features of the FAT file system.
●● Explain the features of the NTFS file system.
●● Describe the features of the ReFS file system.
●● Work with the file systems available in Windows 10.
number of files and folders that you can create on the volume. The following table lists the differences
between the three FAT versions.
The NTFS file system provides performance, reliability, and advanced features that are not available in any
version of FAT, including:
●● Reliability. The NTFS file system uses log-file and checkpoint information to restore the consistency of
the file system when the computer restarts. In the event of a bad-sector error, the NTFS file system
dynamically remaps the cluster that contains the bad sector, and it allocates a new cluster for the data.
The NTFS file system also marks the cluster as bad, and no longer uses it.
●● Security. You can set permissions on a file, folder, or the entire NTFS volume, which enables you to
control which users, groups, or computers can read, modify, or delete data. You also can enable
auditing to log activities on the NTFS volume.
●● Data confidentiality. The NTFS file system supports EFS to protect file content. If you have enabled
EFS, you can encrypt files and folders for use by single or multiple users. The benefits of encryption
are data confidentiality and integrity, which can protect data against malicious or accidental
modification.
●● Limit storage growth. The NTFS file system supports the use of disk quotas, which enable you to
specify the amount of disk space that is available to a user. When you enable disk quotas, you can
track and control disk-space usage. You can configure whether to allow users to exceed their limits
and configure Windows 10 to log an event when a user exceeds a specified warning level or quota
limit.
●● Provide additional space. The NTFS file system allows you to create extra disk space by compressing
files, folders, or whole drives. You also can extend an NTFS volume by mounting an additional volume
to an empty folder.
●● Support for large volumes. You can format a volume up to 256 TB by using the NTFS file system with a
64 KB cluster size. The NTFS file system supports larger files and a larger number of files per volume
compared with any FAT version. The NTFS file system also manages disk space efficiently by using
smaller cluster sizes. For example, a 30-GB NTFS volume uses 4-KB clusters. The same volume
formatted with FAT32 uses 16-KB clusters. Using smaller clusters reduces space wastage on hard disks.
●● Advanced features. The NTFS file system includes multiple advanced features, such as distributed link
tracing, sparse files, and multiple data streams.
226 Module 7 Configuring Data Access and Usage
Note: By using the Convert.exe utility, you can convert FAT or FAT32 to NTFS file system on data volumes
without downtime or data loss.
You cannot convert NTFS to FAT. You first must back up data, and then format the volume by using the
NTFS system and restore the data.
Additional Reading: For more information on ReFS, refer to: “Resilient File System Overview” at:
http://aka.ms/m3p37a
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the tools for managing files and folders.
●● Describe how to configure file and folder permissions.
●● Describe the concept of permission inheritance.
●● Implement conditions to limit file and folder access.
●● Secure files and folders by using file permissions.
●● Use the effective permissions feature.
●● Describe how copying and moving files and folders affect permissions.
File Explorer
File Explorer, called Windows Explorer in previous Windows versions, is a tool that you typically use to
manage files and folders. File Explorer provides a simple interface that is familiar to most Windows users.
You can use File Explorer to perform several functions, including:
●● Creating files and folders.
●● Accessing files and folders.
●● Managing properties of files and folders.
●● Searching for content in files and folders.
●● Previewing contents of files and folders.
By default, File Explorer is pinned to the Windows 10 taskbar. It includes the navigation and the details
pane, in addition to the address bar and ribbon, which makes it easier to use on touch devices.
Depending on your permissions, you can right-click or use the ribbon option in File Explorer to access the
properties of any file or folder. You also can manage file permissions, and create, open, and delete files.
The ribbon is case-sensitive, and it provides fast access to common options. For example, you can map a
network drive from the ribbon when you have This PC selected and you can create a new folder when
you have Local Disk (C:) selected. If you need to access the same folder often, you can pin it to Quick
access, and it will appear in the navigation pane.
If you need to manage file permissions in File Explorer, right-click the object, and then select Properties,
or select the object, and then select Properties on the Home tab of the ribbon. You can configure
permissions on the Security tab of the Properties dialog box.
Command prompt
If you prefer, you can use a command prompt to access files and folders. You can access a command
prompt by right-clicking Start or by typing cmd in the Search the web and Windows text box on the
taskbar. The following table lists some common commands for managing files and folders.
Command       Purpose
cd, chdir     Changes the current directory.
md, mkdir     Creates a directory.
del, erase    Deletes one or more files.
move          Moves one or more files.
dir           Displays a list of files and subdirectories in a directory.
icacls        Displays or modifies permissions by using access control lists (ACLs).
Additional Reading: For more information on the icacls tool, refer to: “icacls” at: http://aka.ms/e898bk
Windows PowerShell
You can access Windows PowerShell by typing PowerShell in the Search the web and Windows text
box on the taskbar. Windows PowerShell provides multiple cmdlets that you can use to manage files and
folders, such as Get-ChildItem, which displays a directory’s list of files and subdirectories, or Set-Location,
which changes the current directory. It also includes many aliases, which are the same as the familiar tools
in command prompt, such as dir and cd, and you can use them instead of the Windows PowerShell
cmdlets. Run the Get-Alias cmdlet to view the list of all aliases.
To manage file permissions, you can use the Get-ACL and Set-ACL cmdlets. For example, to see the
current ACL on the C:\Perflogs directory, with the output in list format, run the following command:
Get-ACL C:\Perflogs | Format-List
To modify a file or folder’s ACL, use the Set-ACL cmdlet. You also can use the Get-ACL cmdlet in conjunction
with the Set-ACL cmdlet. You can use the Get-ACL cmdlet to provide the input by getting the object
that represents the file or folder’s ACL, and then use the Set-ACL cmdlet to change the ACL of the target
file or folder to match the values that the Get-ACL cmdlet provides.
For example, to set the ACL on the C:\Folder2 folder to be the same as the permissions on C:\Folder1,
including inheritance settings, you would run the following command:
Get-ACL C:\Folder1 | Set-ACL C:\Folder2
Additional Reading: For more information on the Set-ACL cmdlet, refer to: “Set-Acl” at: http://aka.ms/xxgj91
overhead. If you assign permissions to a group, every group member has the assigned permission. You
can also assign permissions to individual users and computers. If you assign permissions to a group and
to individual group members, they are cumulative. This means that a user has the permissions that you
assign to him or her, in addition to those you assign to the group.
Permissions example
Consider the following example. Adam is a member of the Marketing group, which has Read permission
to the Pictures folder. If an administrator assigns Write permissions to Adam for the Pictures folder, Adam
will have Read permissions, because he is a member of the Marketing group, and Write permissions,
because the administrator assigned them directly to him.
Types of permissions
You can configure two types of permissions for files and folders on NTFS and ReFS volumes: basic and
advanced. The difference is that:
●● Basic permissions are the most commonly used permissions. You most often will work with basic
permissions and assign them to groups and users. Each basic permission is built from multiple special
permissions.
●● Advanced permissions provide a finer degree of control. However, advanced permissions are more
complex to document and manage than basic permissions.
ease the task of managing permissions, and they ensure the consistency of permissions among all of a
container’s objects.
Permission inheritance allows the permissions that you set on a folder to apply automatically to files that
users create in that folder and its subfolders. This means that you can set permissions for an entire folder
structure at a single point. If you have to modify permissions, you then have to perform the change at
that single point only.
For example, when you create a folder called Folder1, all subfolders and files created within Folder1
automatically inherit that folder’s permissions. Therefore, Folder1 has explicit permissions, while all
subfolders and files within it have inherited permissions.
Permissions on a file are a combination of inherited and explicit permissions. For example, if you assign
Group1 Read permissions on a folder and Write permissions on a file in the folder, members of Group1
can read and write in the file. If inherited and explicit permissions conflict, explicit permissions take
precedence.
Inheritance for all objects
If the Allow or Deny check boxes that are associated with each of the permissions appear shaded, a file
or folder has inherited permissions from one of its parent folders. There are two ways that you can make
changes to inherited permissions:
●● Make changes to a parent folder at which you set permissions explicitly. The file or folder will inherit
these modified permissions.
●● Choose not to inherit permissions from a parent object. You then can make changes to the permissions
or remove a user or group from the permissions list of the file or folder.
Note: You can make changes to inherited permissions also by selecting the opposite permission (Allow or
Deny) to override the inherited permission. You should be aware that this might cause a different result
than many users expect, because when you set both the Deny and the Allow permissions at the same
level, Deny has a higher precedence than Allow. Therefore, we recommend that you avoid using this
option.
You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her
file, even though he is a member of the Marketing group, which has Read permissions. She can exclude
Bob by explicitly denying him permission to read the file. Typically, you use explicit denial to exclude a
subset, such as Bob, from a larger group, such as Marketing, that has permission to perform an operation.
Please note that although explicit denials are possible, their use increases the complexity of the authorization
policy, which can create unexpected errors. For example, you might want to allow domain administrators
to perform an action, but deny domain users the ability to perform it. If you attempt to implement
this by explicitly denying domain users, you also deny any domain administrators who are domain users.
Though it is sometimes necessary, you should avoid the use of explicit denials.
In most cases, Deny overrides Allow unless a folder inherits conflicting settings from different parents. In
that case, the setting inherited from the parent closest to the object in the subtree takes precedence.
Note: Inherited Deny permissions do not prevent access to an object if the object has an explicit Allow
permission entry. Explicit permissions take precedence over inherited permissions, including inherited
Deny permissions.
Child objects only inherit permissions that they are capable of inheriting. When you set permissions on a
parent object, you can decide whether folders, subfolders, and files can inherit permissions. Perform the
following procedure to assign permissions that child objects can inherit:
1. In File Explorer, right-click the file or subfolder, select Properties, select the Security tab, and then
select Advanced.
2. In the Advanced Security Settings for file or folder dialog box, the Inherited From column lists
from where the permissions are inherited. The Applies To column lists the folders, subfolders, or files
to which the permissions are applied.
3. Double-click the user or group for which you want to adjust permissions.
4. In the Permissions Entry for name dialog box, select the Applies to drop-down list, and then select
one of the following options:
●● This folder only
●● This folder, subfolders, and files
●● This folder and subfolders
●● This folder and files
●● Subfolders and files only
●● Subfolders only
●● Files only
5. Select OK in the Permission Entry for name dialog box, select OK in the Advanced Security Settings
for name dialog box, and then select OK in the Properties dialog box.
If the Special permissions entry in the Permissions for User or Group box is shaded, it does not imply that
this permission is inherited. Rather, this means that a special permission is selected.
Note: If you add permissions for CREATOR OWNER at the folder level, those permissions will apply to the
user who created the file in the folder.
Preventing inheritance
After you set permissions on a parent folder, new files and subfolders that users create in the folder
inherit these permissions. You can block permission inheritance to restrict access to these files and
subfolders. For example, you can assign all Accounting users the Modify permission to the Accounting
folder. On the subfolder Invoices, you can block inherited permissions and grant only a few specific users
permissions to the folder.
Note: When you block permission inheritance, you have the option to convert inherited permissions into
explicit permissions, or you can remove all inherited permissions. If you want to restrict a particular group
or user, you can convert inherited permissions into explicit permissions to simplify configuration.
To prevent a child file or folder from inheriting permissions from a parent folder, select This folder only in
the Applies to drop-down list box when you configure permissions for the parent folder.
To prevent a folder or file from inheriting permissions from a parent folder, perform the following
procedure:
1. In File Explorer, right-click the file or subfolder, select Properties, select the Security tab, and then
select Advanced.
2. In the Advanced Security Settings for file or folder dialog box, select Disable inheritance.
3. In the Block Inheritance dialog box, select any of the following options:
●● Convert inherited permissions into explicit permissions on this object
●● Remove all inherited permissions from this object
●● Cancel
4. Select OK in the Advanced Security Settings for name dialog box, and then select OK in the
Properties dialog box.
Forcing permission inheritance
The Advanced Security Settings dialog box for folders includes a Replace all child object permission
entries with inheritable permission entries from this object check box. Selecting this check box replaces
the permissions on all child objects for which you can change permissions, including child objects that had
Block inheritance configured. This is useful if you need to change permissions on a large number of
subfolders and files, especially if you set the original permissions incorrectly.
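The Get-ACL/Set-ACL usage earlier in this lesson and the three inheritance procedures above (the Applies to choices, Disable inheritance, and Replace all child object permission entries) as one added PowerShell example. It is not course code; the folder paths and the CONTOSO\Invoicing group are assumptions.

```powershell
# Added example; it is not course code. Paths and the group name are assumptions.
using namespace System.Security.AccessControl

# The seven "Applies to" choices in the Permission Entry dialog, expressed as the
# InheritanceFlags / PropagationFlags pair that the .NET file-system ACL classes use.
$AppliesTo = @{
    'This folder only'                   = @([InheritanceFlags]::None,                            [PropagationFlags]::None)
    'This folder, subfolders, and files' = @([InheritanceFlags]'ContainerInherit, ObjectInherit', [PropagationFlags]::None)
    'This folder and subfolders'         = @([InheritanceFlags]::ContainerInherit,                [PropagationFlags]::None)
    'This folder and files'              = @([InheritanceFlags]::ObjectInherit,                   [PropagationFlags]::None)
    'Subfolders and files only'          = @([InheritanceFlags]'ContainerInherit, ObjectInherit', [PropagationFlags]::InheritOnly)
    'Subfolders only'                    = @([InheritanceFlags]::ContainerInherit,                [PropagationFlags]::InheritOnly)
    'Files only'                         = @([InheritanceFlags]::ObjectInherit,                   [PropagationFlags]::InheritOnly)
}

function Grant-FolderAccess {
    # Adds one explicit Allow entry with the chosen "Applies to" scope.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [FileSystemRights]$Rights = [FileSystemRights]::Modify,
        [ValidateSet('This folder only', 'This folder, subfolders, and files', 'This folder and subfolders',
                     'This folder and files', 'Subfolders and files only', 'Subfolders only', 'Files only')]
        [string]$Scope = 'This folder, subfolders, and files'
    )
    $flags = $AppliesTo[$Scope]
    $rule  = [FileSystemAccessRule]::new($Identity, $Rights, $flags[0], $flags[1], [AccessControlType]::Allow)
    # Get-Acl supplies the object, the rule is added to it, and Set-Acl writes it back.
    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Disable-FolderInheritance {
    # Equivalent of "Disable inheritance" in the dialog. -PreserveInherited keeps the inherited
    # entries as explicit ones ("Convert inherited permissions into explicit permissions");
    # without it they are dropped ("Remove all inherited permissions from this object").
    param([Parameter(Mandatory)][string]$Path, [switch]$PreserveInherited)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, [bool]$PreserveInherited)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Reset-ChildInheritance {
    # Equivalent of "Replace all child object permission entries with inheritable permission
    # entries from this object": every child is switched back to inheriting and its explicit
    # entries are removed, so only the parent's inheritable entries remain in effect.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName
        $acl.SetAccessRuleProtection($false, $false)
        foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($ace)
        }
        Set-Acl -LiteralPath $_.FullName -AclObject $acl
    }
}

# Example usage, modelled on the Accounting / Invoices scenario (assumed paths and group):
# Disable-FolderInheritance -Path 'C:\Data\Accounting\Invoices' -PreserveInherited
# Grant-FolderAccess -Path 'C:\Data\Accounting\Invoices' -Identity 'CONTOSO\Invoicing' -Scope 'Subfolders and files only'
# Reset-ChildInheritance -Path 'C:\Data\Accounting'
```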
Even if an administrator does not specify in AD DS which properties to use as claims, you can use conditions
to limit access to files or folders based on user or device-group membership. When viewing the
permissions for a file or folder, the Condition column in the Advanced Security Settings lists the applied
conditions. Please note that when you specify conditions:
●● You use a Group condition so that you can specify that the permission will apply to the user based on
the following group-membership rules:
●● Member of Any of the specified groups.
●● Member of Each of the specified groups.
●● Not Member of Any of the specified groups.
●● Not Member of Each of the specified groups.
●● You use a Device condition so that you can specify that the permission will apply if a user accesses the
file from a specified computer or computers. The following topic provides more detail about this
condition.
You can specify multiple conditions for the configured permission to apply. For example, you can create a
permission that would give members of the Financial group Full Control permissions if they also are
members of the Managers group and are accessing the folder from Computer1.
Effective Permissions
Each file or folder on the NTFS file system or ReFS has inherited or explicit permissions assigned, or both.
Windows 10 determines effective permissions by combining the user and group permissions and comparing
them to the permissions of the selected user.
You also can evaluate what the effective permissions will be if you add a user or a device to additional
groups, and configure whether to include user and device claims. For example, if you assign a user Read
permission and assign the Modify permission to a group of which the user is a member, the effective
permissions are a superset of the Read and Modify permissions. This superset is the Modify permission,
because Modify permission also includes Read permission.
You also can evaluate what type of permissions the user would have if you add the user to the IT and
Managers groups (without actually doing so) and whether the effective permissions should be different if
the user’s token includes a Country = US user claim.
Note: When you combine permissions, Windows 10 evaluates the Deny permissions before the Allow
permissions that are set at the same level. Therefore, the Deny permission takes precedence and overrides
the Allow permission set on the same level.
If you set Deny and Allow permissions at different levels (for example, if Deny is set at the folder and
Allow is set at its subfolder) Allow can take precedence and override Deny.
Note: The Effective Access feature always includes the Everyone group when calculating effective permissions,
as long as the selected user or group is not a member of the Anonymous Logon group.
The Effective Access feature only produces an approximation of the permissions that a user has. The
actual permissions a user has might be different, because permissions can be granted or denied based on
how a user signs in. The Effective Permissions feature cannot determine this information specific to the
sign-in, because the user might not sign in. Therefore, the effective permissions it displays reflect only
those permissions that a user or group specifies, not the permissions that the sign-in specifies. For
example, if a user connects to a computer through a file share, the sign-in for that user is marked as a
Network Logon. You then can grant or deny permissions to the well-known security identifier Network
that the connected user receives. This way, users have different permissions when they sign in locally than
when they sign in over a network.
You can view effective access permissions in the Advanced Security Settings dialog box for files or
folders stored on the NTFS or ReFS file system. You can access this dialog box from a folder’s Properties
dialog box by using the Advanced button on the Security tab, or directly from the Share menu on the
ribbon.
Note: Windows 10 supports claims, so you can include the user and device claims when evaluating
effective access. A claim is information about a user or device that a domain controller published, and
you can use it to evaluate if a user has access to data.
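An added PowerShell example (not course code) that applies the ordering rules of this topic to a DACL: it reads the entries in the order Windows stores them and lets the first entry that decides a right bit win, which is the same approximation the Effective Access tab makes. The SIDs are constructed so the two demonstration ACLs can be built in memory without real accounts.

```powershell
# Added example; it is not course code. The SIDs below are constructed, not real accounts.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Get-ApproximateEffectiveRights {
    param(
        [Parameter(Mandatory)][FileSystemSecurity]$Acl,   # from Get-Acl, or built in memory
        [Parameter(Mandatory)][string[]]$TokenSids        # SIDs of the user and every group in the token
    )
    $granted = 0
    $denied  = 0
    # The DACL is read in its stored order, which Windows keeps canonical: explicit entries
    # first (Deny before Allow), then inherited entries, nearest parent first. The first
    # entry that decides a given right bit wins, which is why an explicit Allow beats an
    # inherited Deny, and why Deny beats Allow when both are set at the same level.
    foreach ($ace in $Acl.GetAccessRules($true, $true, [SecurityIdentifier])) {
        if ($TokenSids -notcontains $ace.IdentityReference.Value) { continue }
        $mask = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq [AccessControlType]::Deny) {
            $denied  = $denied  -bor ($mask -band (-bnot $granted))
        } else {
            $granted = $granted -bor ($mask -band (-bnot $denied))
        }
    }
    # Like the Effective Access tab, this ignores owner rights, privileges, logon-type
    # SIDs such as NETWORK, and claims, so treat the result as an approximation.
    return [FileSystemRights]$granted
}

# Constructed SIDs standing in for Adam and the Marketing group from this module.
$AdamSid      = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$MarketingSid = 'S-1-5-21-1111111111-2222222222-3333333333-1107'

function New-DemoAcl([string]$Sddl) {
    # Builds a directory ACL in memory from SDDL so nothing on disk is touched.
    $acl = [DirectorySecurity]::new()
    $acl.SetSecurityDescriptorSddlForm($Sddl)
    return $acl
}

# Case 1: Marketing has an inherited Read entry (ID flag) and Adam an explicit Write entry.
# Adam's token carries both SIDs, so the two Allow entries are cumulative.
$case1 = New-DemoAcl "D:AI(A;OICI;FW;;;$AdamSid)(A;OICIID;FR;;;$MarketingSid)"
Get-ApproximateEffectiveRights -Acl $case1 -TokenSids $AdamSid, $MarketingSid

# Case 2: an inherited Deny Full Control on Marketing against an explicit Allow Read on Adam.
# The explicit entry is evaluated first, so Adam keeps Read and every other bit is denied.
$case2 = New-DemoAcl "D:AI(A;OICI;FR;;;$AdamSid)(D;OICIID;FA;;;$MarketingSid)"
Get-ApproximateEffectiveRights -Acl $case2 -TokenSids $AdamSid, $MarketingSid

# Against a real folder (the names must resolve on the computer; assumed values):
# $sids = 'CONTOSO\Adam', 'CONTOSO\Marketing' |
#     ForEach-Object { ([NTAccount]$_).Translate([SecurityIdentifier]).Value }
# Get-ApproximateEffectiveRights -Acl (Get-Acl -LiteralPath 'C:\Data\Pictures') -TokenSids $sids
```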
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe shared folders.
●● Describe methods for sharing folders.
●● Describe the effect of combining file permissions and share permissions.
slashes (\). For example, the UNC name for the Sales shared folder on the LON-CL1 computer in the
Adatum.com domain would be \\LON-CL1.Adatum.com\Sales.
You can share folders in several ways, including by using:
●● The Shared Folders snap-in.
●● File Explorer.
●● A command prompt.
●● Windows PowerShell cmdlets.
Using the Share with option (Network File and Folder Sharing)
The Share with option is a quick and easy way to share a folder. When you right-click a folder, and then
select Share with, you see a submenu that allows you to stop sharing the folder or share the folder with
specific people. When you share with specific people, you can select Everyone or use Find people to
share the folder with specific groups.
After selecting the users with whom you want to share a folder, you can set Read or Read/Write
permissions. You cannot remove a folder’s owner. You also might notice users or groups that have a
Permission Level value of Custom. This is because they have file-specific permissions.
Be aware that Network File and Folder Sharing will set share permissions and file permissions. The Share
permissions will be set as Everyone – Full Control, and the file permissions will be set based on what you
select. The share name will be the same as the folder name. You cannot share the same folder multiple
times by using Network File and Folder Sharing.
er. You also can configure the number of users that can access a shared folder simultaneously, specify
caching settings, and define share permissions, which can be Full Control, Change, or Read. When you
use Advanced Sharing, you are configuring only share-folder permissions. You must configure file
permissions separately. However, you must be careful when you do this to ensure you are setting the
permissions exactly as you require. For example, if a group does not have Read permissions to a folder, you
still can grant that group Full Control share permissions. However, when a group member tries to connect
to the share, an error returns, even if that user has sufficient share permissions. This is because the user
does not have file permissions, and therefore cannot access the share’s files.
Option                  Description
/Grant:user permission  Specifies Read, Change, or Full share permissions for the specified user.
/Users:number           Limits the number of users who can connect to the share.
/Remark:"text"          Adds a comment to the share.
/Cache:option           Specifies the caching options for the share.
sharename /Delete       Removes an existing share.
Command               Description
Get-SmbShare          Retrieves a list of the computer’s existing shares.
Set-SmbShare          Modifies an existing share.
Remove-SmbShare       Removes an existing share.
Get-SmbShareAccess    Retrieves a share’s permissions.
Grant-SmbShareAccess  Sets share permissions.
●● Which share permissions will be effective when users access the data through a share.
●● The offline settings for the share data.
You can configure these four properties in several ways, including by using Advanced Sharing, the Shared
Folders snap-in, the net use command, and the New-SmbShare or Set-SmbShare Windows PowerShell
cmdlets. However, if you want to modify more advanced share properties, such as by using access-based
enumeration or Server Message Block (SMB) encryption, you can do that only by using the Set-SmbShare
cmdlet.
You can configure the following basic properties for a share by using Advanced Sharing:
●● Share name. Each share must have a share name, and it must be unique for each Windows 10–based
computer. The share name can be any string that does not contain special characters, and it is part of
the UNC path, which Windows users use when connecting to a share. You can share the same folder
multiple times and with different properties, but each share name must be unique. If the share name
ends with a dollar sign ($), the share is hidden and not visible on the network. However, you can
connect to it if you know the share name and have appropriate permissions.
●● Number of simultaneous users. This limits the number of users that can have an open connection to
the share. The connection to the share is open when a user accesses the share for the first time, and it
closes automatically after a period of inactivity. The default value in Windows 10 is no more than 20
users. However, you can configure this to a lower number.
●● Caching/offline settings. You can control which of the share’s files and programs are available to
offline users, or those who do not have network connectivity. You can configure files to:
●● Cache on the client computer automatically when a user has network connectivity and opens them
for the first time.
●● Cache offline, only if the user manually configures this and has the necessary permissions.
When you configure shared folder permissions per shared folder, you can allow or deny only Read,
Change, and Full Control permissions, and these permissions apply to content in all folders and subfolders.
You have much more granularity when you configure file-system permissions. You can configure
permissions for each file, and you can allow or deny many more file-system permissions than share
permissions.
Note: If you enable the Guest user account on your computer, the Everyone group includes anyone.
Therefore, as a best practice, remove the Everyone group from any permission lists, and replace it with
the Authenticated Users group.
The following analogy can help you understand what happens when you combine file system and share
permissions:
●● If you want to access a shared folder’s files over a network, you must go through the shared folder.
●● If a share permission is set to Read, the most that you can do when connecting through a shared
folder is read the file, even if the individual file system permission is set to Full Control. All file system
permissions that are less restrictive than the share permissions filter out, so that only the most
restrictive permissions remain – in this case, the Read permission.
●● If you configure the share permission to Change, you are allowed to read or modify the share’s data.
If the file system permission is set to Full Control, the share permissions filter the effective permission
to Modify.
●● Alternatively, if the share permission is set to Full Control, but the user’s NTFS permissions for the
folder are set to Read, the effective permission is Read.
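An added PowerShell example (not course code) that sets both layers for a department share: inheritance is blocked and the file-system entries are granted explicitly, the share grants the group rather than Everyone, and the function returns both permission lists so the combination can be reviewed. The path, share name and group names are assumptions modelled on the lab scenario.

```powershell
# Added example; it is not course code. The path, share name and groups are assumptions
# modelled on the lab scenario (department shares under E:\Data).
using namespace System.Security.AccessControl

function New-DepartmentShare {
    param(
        [Parameter(Mandatory)][string]$Path,        # e.g. 'E:\Data\Marketing'
        [Parameter(Mandatory)][string]$ShareName,   # e.g. 'Marketing'
        [Parameter(Mandatory)][string]$Group        # e.g. 'CONTOSO\Marketing'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # File-system layer: block inheritance and drop the inherited entries (these usually
    # include BUILTIN\Users), then grant only what the department needs. The entries are
    # inheritable so new subfolders and files pick them up ("This folder, subfolders, and files").
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [InheritanceFlags]'ContainerInherit, ObjectInherit'
    $grants  = [ordered]@{
        'NT AUTHORITY\SYSTEM'    = [FileSystemRights]::FullControl
        'BUILTIN\Administrators' = [FileSystemRights]::FullControl
        $Group                   = [FileSystemRights]::Modify
    }
    foreach ($entry in $grants.GetEnumerator()) {
        $rule = [FileSystemAccessRule]::new($entry.Key, $entry.Value, $inherit,
                                            [PropagationFlags]::None, [AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Share layer: Everyone is deliberately granted nothing (it includes Guest when that
    # account is enabled). The share allows Full Control to the group only, and the
    # file-system entries above filter the effective result down to Modify, so the more
    # restrictive layer wins. Access-based enumeration hides items a user cannot open.
    New-SmbShare -Name $ShareName -Path $Path -FullAccess $Group `
                 -FolderEnumerationMode AccessBased | Out-Null

    # Return both layers side by side so the combination can be reviewed.
    [pscustomobject]@{
        Share = Get-SmbShareAccess -Name $ShareName |
                Select-Object AccountName, AccessControlType, AccessRight
        Ntfs  = (Get-Acl -LiteralPath $Path).Access |
                Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
    }
}

# Example usage (assumed names):
# New-DepartmentShare -Path 'E:\Data\Marketing' -ShareName 'Marketing' -Group 'CONTOSO\Marketing'
```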
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Windows Libraries.
●● Describe the capabilities of OneDrive.
●● Configure Windows 10 to synchronize files and settings using OneDrive.
●● Describe Work Folders and how they contrast to OneDrive.
●● Configure a client to use Work folders.
Windows Libraries
The libraries feature in Windows 10 provides a central place to manage files that are located in multiple
locations throughout your computer. Instead of browsing through many directories to find your files,
including them in a library provides faster access.
To view libraries in File Explorer, select View, select Navigation pane, and then select Show libraries.
Using Libraries
By default, certain libraries will already exist, depending on which version of Windows you are using and
which version you may have migrated from. These libraries may include:
●● Documents
●● Saved Pictures
●● Videos
●● Music
●● Camera Roll
●● Pictures
You can create or delete libraries by right-clicking on one. Adding a folder to a library does not physically
move the folder on the computer; it simply associates the folder with a certain library. To add a folder to a
library, right-click the folder, select Include in library, and then select a library.
Users may add network folder locations to libraries. However, they will only be accessible when the
computer can connect to that networked location. They cannot be accessed in offline scenarios.
Note: Homegroups, first introduced in Windows 7, are retired, and no longer available as of v1803.
features inherit with SharePoint, yet still provides a seamless experience in File Explorer that end users are
already accustomed to.
OneDrive and OneDrive for Business can co-exist on the same device. Users can manage and access their
personal files stored in their OneDrive account, as well as work with business files managed with
OneDrive for Business.
Accessing OneDrive
There are several different methods and operating systems that you can use to access OneDrive. You can
access it from any currently supported device, as well as through a web browser at http://www.OneDrive.com.
The OneDrive Sync client is already installed with Windows 10. OneDrive supports Windows 7 and higher,
and the latest sync client can be installed from the download page of the OneDrive website. The
OneDrive client is also available for Mac OS X 10.12 or later, and supported versions of Android and iOS
from their respective app stores. Both OneDrive and OneDrive for Business use the same client (OneDrive.exe).
Note: Older versions of Windows may have the previous OneDrive for Business client (groove.exe)
installed. Administrators should consult OneDrive documentation for transition guidance.
Additional reading: To learn more about OneDrive select here: http://aka.ms/lv5n2s
Enabling OneDrive
Before you can use OneDrive from the Windows 10 OneDrive tile, you must connect your domain or local
account with your Microsoft account. To begin the process, select the OneDrive item in the File Explorer
console tree. You then will receive a prompt to sign in with your Microsoft account or to create an
account if you do not have one.
If you want to configure your synchronization settings, you will need to connect OneDrive to your
Microsoft account by performing the following procedure:
1. From the taskbar, open File Explorer, and then select the OneDrive node.
2. In the Welcome to OneDrive Wizard, select Get started.
3. In the Sign in page, type your Microsoft account and password.
4. After you successfully sign in, in the Introducing your OneDrive folder page, you can apply the
default local folder location, which is C:\users\username\OneDrive. Alternatively, you can select
another location by selecting Change. However, if you accept the default location, simply select Next.
5. If you select Change, the Browse for folder window appears, where you can select a different
location from a file tree or create a new folder. After selecting the location, select OK, and then Next.
6. The Sync your OneDrive files to this PC page shows all your OneDrive folders, with a check box next
to each. You can leave the folder check boxes selected to sync them, or clear the folder check boxes to
skip syncing. The bottom of the window indicates how much free space you have remaining on the
local hard drive. After making your selections, select Next.
7. On the Fetch your files from anywhere page, select Done to sync your OneDrive contents to your
hard drive.
You can manage, share, and synchronize your OneDrive files and folders from the OneDrive node in File
Explorer. To do so, right-click any of the OneDrive folders in the node, and then select one of the
following options:
●● Share a OneDrive link. This option creates and saves a link in the Clipboard. To provide others with
instant access, you need to paste the link into an email, instant message, or document.
●● More OneDrive sharing options. This option opens the OneDrive webpage, which provides more
traditional OneDrive web-based sharing functionality.
●● View online. This option opens the OneDrive.com web-based version of the folder that you right-
click within File Explorer.
●● Always Keep On This Device (Checked). This will maintain a synchronization between OneDrive and
the device’s local storage, making files available for offline use. In Windows Explorer, the Status icon
will show a solid green checkmark.
●● Always Keep On This Device (Unchecked). This will essentially become a one-way sync. Existing and
new files on the local device will remain on the local device and synchronized with OneDrive. Their
status will show an open green checkmark. Files and folders added directly to OneDrive will show in
Windows Explorer and the status will indicate this with a cloud icon. This means they are available, but
are not stored locally. They will only be downloaded to the local device when opening (which will then
change the status to an open checkmark).
●● Free Up Space. Selecting this option will delete the file/folder from the local device, making them
available in the cloud for download on demand.
Work Folders
With Work Folders users can store and access work files on personal computers and devices, often
referred to as bring-your-own device (BYOD), in addition to corporate PCs. Users gain a convenient
location to store work files, and they can access them from anywhere. Organizations maintain control
over corporate data by storing the files on centrally managed file servers, and optionally specifying user
device policies such as encryption and lock-screen passwords.
Work Folders can be deployed with existing deployments of Folder Redirection, Offline Files, and home
folders. Work Folders stores user files in a folder on the server called a sync share. You can specify a folder
that already contains user data, which enables you to adopt Work Folders without migrating servers and
data or immediately phasing out your existing solution.
can have permissions to access multiple sync shares, they can access a single sync share only. By
default, you can access a sync share only by using the Work Folders feature, but an administrator also
can create an SMB share that uses the same folder as a sync share. If users can access sync share
content by using SMB access, they can view synced content from devices that do not use Work
Folders. A file server stores the sync share, so you can use features such as dynamic access control,
quotas, and file screening when managing the sync share’s content.
●● User devices. These are the devices from which you can access, modify, and sync content that Work
Folders are storing. You can access Work Folders from workgroup devices, devices that are workplace-joined,
or domain-member devices. Windows 10 and Windows 8.1 devices support Work
Folders by default, and you can add Work Folders support to Windows 7, Android, iPad, and iPhone
devices. Devices also must trust the SSL certificate that the Work Folders server is using. If you
configure devices to use Work Folders, Windows detects the changes to the local copies of data, and
then synchronizes them with the server. By default, devices check the Work Folders server every 10
minutes and sync changes with local copies of the Work Folders data.
Practical applications
Administrators can use Work Folders to provide users with access to their work files while keeping
centralized storage and control over the organization's data. Some specific applications for Work Folders
include:
●● Provide a single point of access to work files from a user's work and personal computers and devices
●● Access work files while offline, and then sync with the central file server when the PC or device next
has Internet or intranet connectivity
●● Deploy with existing deployments of Folder Redirection, Offline Files, and home folders
●● Use existing file server management technologies, such as file classification and folder quotas, to
manage user data
●● Specify security policies to instruct user's PCs and devices to encrypt Work Folders and use a lock
screen password
●● Use Failover Clustering with Work Folders to provide a high-availability solution
Comparing Solutions
The following table discusses how various Microsoft sync technologies are positioned and when to use
each.
Summary
In this lab you will learn how to create folders and manage local and share permissions.
Scenario
You need to create file shares for the Marketing and IT departments to enable users to store their shared
files. You have to ensure that only people from the specific departments have access to the files. You
decide to create both shares on SEA-CL1 in the E:\Data folder. The IT department requires that the share
and the local folder are accessible only to members of the IT group. You advise Bruce Keever and Briana
Hernandez to test the file shares and local access to the files.
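The following Windows PowerShell script is an added example, not part of the course lab steps. It creates the two department folders under E:\Data on SEA-CL1 and restricts both the NTFS and the share permissions to the matching department group. It assumes that the domain groups Contoso\Marketing and Contoso\IT exist and that the script runs in an elevated session on SEA-CL1.

```powershell
# Added example (not part of the course labs): create the Marketing and IT folders under E:\Data
# on SEA-CL1 and restrict both the NTFS and the share permissions to the matching department group.
# Assumes the domain groups Contoso\Marketing and Contoso\IT already exist and the script runs
# in an elevated PowerShell session on SEA-CL1.
$departments = @(
    @{ Share = 'Marketing'; Group = 'Contoso\Marketing' },
    @{ Share = 'IT';        Group = 'Contoso\IT' }
)

foreach ($dept in $departments) {
    $path = Join-Path -Path 'E:\Data' -ChildPath $dept.Share
    New-Item -Path $path -ItemType Directory -Force | Out-Null

    # NTFS: break inheritance from E:\Data and discard the inherited entries, so that a broad
    # "Users" or "Everyone" grant on the parent cannot leak into the department folder.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        # Department members get Modify (create, change, delete files) but not Full Control,
        # so they cannot change the permissions themselves.
        New-Object System.Security.AccessControl.FileSystemAccessRule($dept.Group, 'Modify', $inherit, $none, $allow),
        # Administrators and SYSTEM keep Full Control so the folder stays manageable and backups work.
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $none, $allow),
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $none, $allow)
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl

    # Share permissions: grant only the department group and administrators, instead of the
    # default "Everyone: Read". Effective access is the more restrictive of share and NTFS.
    New-SmbShare -Name $dept.Share -Path $path -ChangeAccess $dept.Group -FullAccess 'BUILTIN\Administrators' | Out-Null
}

# Check: show who can reach each share and each folder, so the test users can be expected to
# succeed only on their own department's share.
Get-SmbShareAccess -Name 'Marketing', 'IT' | Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize
foreach ($dept in $departments) {
    (Get-Acl -Path (Join-Path -Path 'E:\Data' -ChildPath $dept.Share)).Access |
        Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
}
```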
Summary
In this lab you will learn how to use conditions to dynamically control access to files based on specific
criteria.
Scenario
Members of the IT, Marketing, and Research departments all require access to file shares located on
SEA-CL1, but require different permissions for the data they use. You've been instructed to create a new
shared folder in E:\Data named Research. The Research shared folder should only be accessible by users
in the Research Department. The IT shared folder should only be accessible by employees located in the
United States who are members of the IT Department. The Active Directory administrator has already
configured Dynamic Access Control to allow you to assign Department and Country based Claim
Types to permissions on shared folders.
Summary
In this lab you will learn how to configure Work Folders as a method of synchronizing files to provide
access from multiple devices.
Practice Labs and Module Review 255
Scenario
Members of the Marketing group often use multiple devices for their work. To help manage file access,
you decide to implement Work Folders. This allows files to be stored in a central location and
synchronized to each device automatically. To implement this solution, you will first install and configure
the Work Folders server role on SEA-SVR1 and store the content in a shared folder named C:\syncshare1.
To enable Work Folders for all marketing users, you configure a Group Policy Object to point to
https://SEA-SVR1.Contoso.com. You have asked Bruce Keever to test the solution on a domain-joined device
named SEA-CL1 and a stand-alone device named SEA-WS3. Bruce will validate synchronization and
identify how synchronization conflicts are handled.
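The following Windows PowerShell script is an added example, not part of the course lab steps. It installs the Work Folders role on SEA-SVR1 and creates the syncshare1 sync share for the Marketing group, and it also applies the two device security policies mentioned in the practical applications list earlier (encrypt Work Folders and require a lock screen password). It assumes that the group Contoso\Marketing exists, that the script runs elevated on SEA-SVR1, and that a certificate for SEA-SVR1.Contoso.com is already bound to the Work Folders HTTPS endpoint.

```powershell
# Added example (not part of the course labs): install the Work Folders role on SEA-SVR1 and
# create the syncshare1 sync share for the Marketing group. The two Require* settings are the
# "security policies" from the practical applications list: devices must encrypt the Work Folders
# data and use a lock-screen password before they are allowed to sync.
# Assumes the group Contoso\Marketing exists, the script runs elevated on SEA-SVR1, and a
# certificate for SEA-SVR1.Contoso.com is already bound to the Work Folders HTTPS endpoint
# (client devices must trust that certificate, as the "User devices" section notes).
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools

$sharePath = 'C:\syncshare1'
New-Item -Path $sharePath -ItemType Directory -Force | Out-Null

$syncShare = @{
    Name                    = 'syncshare1'
    Path                    = $sharePath
    User                    = 'Contoso\Marketing'   # only these users get a folder and may sync
    RequireEncryption       = $true                 # client-side encryption of the Work Folders copy
    RequirePasswordAutoLock = $true                 # lock-screen password with auto-lock on the device
}
New-SyncShare @syncShare

# Check: confirm the share exists and that the device policies are actually in force.
Get-SyncShare -Name 'syncshare1' |
    Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock

# Optional: expose the same folder over SMB as well, as the sync share section describes, so the
# data is reachable from devices that do not run Work Folders. Work Folders sets NTFS permissions
# on each per-user subfolder, so the share permission alone does not let users see each other's data.
New-SmbShare -Name 'syncshare1' -Path $sharePath -ChangeAccess 'Contoso\Marketing' | Out-Null
```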
Summary
In this lab you will learn how to synchronize content between devices using OneDrive.
Scenario
Your organization would like to leverage OneDrive as a method for accessing user files from any device.
You test this solution by signing in with your Microsoft account and creating a file on SEA-WS2 and
verifying that the file automatically synchronizes to SEA-WS1.
Module Review
Check Your Knowledge
1. You are configuring the storage on a Windows 10 computer. You format a 32 GB volume with FAT32.
What is the maximum file size supported on this volume?
A. 32 GB
B. 4 GB
C. 8 GB
D. 16 GB
E. 16 exabytes
2. You are configuring a Windows 10 desktop computer. You added a new hard disk drive to the
computer. You need to configure the drive to support quotas. Which file system should you format the
new drive with?
A. FAT
B. FAT32
C. exFAT
D. NTFS
E. ReFS
3. As an IT support professional, you need to create a network share that can be used by the Executives.
The folder you are sharing is on a ReFS volume. Which of the following are features you can take
advantage of? (select two)
A. Auditing
B. Quota
C. Compression
D. EFS encryption
E. Security
F. Volume shrinking
4. Your organization has created a number of security groups. You need to assign permissions to one of
the security groups that will allow the group members to:
●● see folder content
●● read files
●● start programs
E. Device Manager
F. Windows Recovery
G. A Command prompt
H. Windows PowerShell
1) B 2) D 3) A,E 4) B 5) A,B,D,E 6) A,B,C,E 7) A 8) A,B,G,H
Module 8 Managing Apps in Windows 10
Lesson Objectives
After completing this lesson, you will be able to:
●● Differentiate between the types of apps in Windows 10.
●● Describe manual app installation.
●● Explain the methods for automating installation of desktop apps.
Desktop apps
Desktop apps are traditional apps, such as Microsoft Office. Most users and network administrators are
familiar with desktop apps (sometimes referred to as Win32 apps). An administrator can install desktop
apps on Windows 10 computers locally by using one of two methods:
●● Launching an .exe or .msi file from product media, from a network share, or from a download from
a website.
●● As a package distributed from an application management solution such as System Center
Configuration Manager, typically used to automate and manage installations in an organization.
App-V apps
Like UWP apps, application virtualization is designed to achieve similar goals, such as simplified
application installation and minimal impact on the OS. However, the architecture of an App-V app is
quite different. App-V is used to deliver Win32 apps virtually to clients, either automatically or on
demand. Unlike UWP or desktop apps, the application is never installed on the client OS.
The App-V client simulates an operating system environment, and specially prepared virtualized
applications run within that simulated environment. Virtualized applications do not interact directly with
the client operating system but instead interact with the App-V client. The App-V client functions as a
proxy through which the application uses operating system resources.
The end user experience is no different from that of a traditionally installed app, and because the
application uses the local client hardware, it performs no differently either.
App-V provides the following benefits over traditionally-deployed, locally-installed applications:
●● Run multiple versions of applications. You can use App-V to run different versions of applications
concurrently on the same client computer without conflicts.
●● Minimize application conflict. When you install applications as App-V applications, there are no
application conflicts, because each App-V application runs in its own isolated environment.
●● Simplify application removal. App-V applications are not installed locally, which means that you can
remove them completely and more easily.
●● Simplify application upgrades. The modular nature of virtualized applications means that you can
replace one version of an application with an updated version with less effort.
The App-V client is included in Windows Enterprise and Education editions; however, it must still be
enabled by using either Group Policy or the Enable-Appv PowerShell cmdlet. While most Win32
applications can be virtualized, this is not always practical: App-V apps run in an isolated environment by
design, and many apps depend on services provided by the OS or by other applications. While there are
methods and considerations for handling this, not all applications are suited to being virtualized.
RemoteApp apps
Windows Server RemoteApp apps display locally but run remotely. Instead of apps being installed on the
client, they are only installed on a server. A RemoteApp app uses the resources of the server where it is
installed, while using minimal client resources. From a user's perspective, a RemoteApp app appears and
functions as if it were installed on the local client. RemoteApp scenarios include:
●● Insufficient client hardware. Thin clients or devices that do not meet the minimum hardware
requirements for an application.
●● Incompatible OS. Devices that do not have the OS required for the app, such as a tablet, or devices
that run a different architecture, such as an x86 OS that needs to run an x64 app.
●● BYOD scenarios. Organizations want to allow access to corporate apps from personal devices, but do
not want the app installed on the device. Because it is a remote connection, it's not suitable for
scenarios where offline access to apps is required.
●● Remote applications. With the RemoteApp feature in Windows Server 2012 R2, you can avoid having
applications installed on desktop computers. An icon on the user’s desktop opens a Remote Desktop
Protocol (RDP) session to a server that hosts the application. The application is remote controlled in a
window. This simplifies updates, because you must update only a single central copy of the
application. This method works best with desktop apps that need to access data in a central location.
●● Inclusion in a Windows operating system image. Many organizations include common applications
in the base Windows operating system image that they deploy to desktop computers. With this
method, you can avoid having a specific deployment process for the desktop app. However, this
method also results in increased image maintenance over time as your organization releases updates
and new versions of the desktop app.
Note: You also can install desktop apps by using Control Panel. If a network administrator has made apps
available for network installation, you can open Control Panel, and then select Get Programs. A list of
apps that are available for network installation displays. Windows 10 makes these apps available by using
Group Policy Objects (GPOs) and software distribution points.
The installation process for a desktop app begins, and the app installs. By default, all users run as
standard users. Windows 10 prompts you to elevate to full administrator privileges through User Account
Control (UAC) to install the app.
Note: Apps that you install across a network can install automatically without your intervention,
depending on the app package’s configuration.
Administrators also can use Windows Installer to update and repair installed desktop apps.
them, enabling you to determine if any factors that you have not considered might block a successful
app deployment.
●● Wake on LAN (WOL). Instead of interrupting a user with an app installation that might require a
restart, which could disrupt his or her current productivity, WOL functionality allows you to schedule
app deployment to occur after normal business hours. Typically, users are done working during this
time, and compatible computers are in a low power state.
●● Software inventory, software metering, and Asset Intelligence. A software inventory provides you with
a list of which apps are installed on your organization’s computers. You can use software metering to
monitor how often particular apps are used. You can use the Asset Intelligence feature to check
software-licensing compliance. This helps you ensure that the number of apps deployed in your
organization equals the number of software licenses that you have available.
Office 365
Microsoft 365 is a subscription version of Office. Whether your business is small or large, there are
monthly or annual subscription plans to fit your organization's needs. Office 365 is also available for
home users, education, government, and non-profit organizations.
Microsoft 365 Apps includes productivity services that require an Internet connection, such as Teams web
conferencing, Exchange Online hosted email for business, SharePoint, and online storage with OneDrive.
Not all Microsoft 365 plans include all productivity services.
Most Microsoft 365 plans also include a version of the Office apps that you can install. The list of
applications includes Microsoft Word, Microsoft Excel, Microsoft PowerPoint, Microsoft OneNote, and
Microsoft Outlook, as well as Microsoft Access and Microsoft Publisher for PCs.
You can install Microsoft 365 on up to 5 personal computers (PCs) or Macs per user. You can also install
the Office Mobile apps for iOS and Android on up to five tablets and phones per user. When you have an
active Microsoft 365 subscription that enables you to install the desktop version of Office, you will receive
updates, which provide you with up-to-date versions of the applications.
Many plans that enable installed applications are limited to five installations on a PC or Mac, and five
tablets and five phones per user. Other plans only allow access to web-based Office apps.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the Universal Windows apps, Windows Store, and Windows Store for Business.
●● Explain how to manage and restrict access to Windows Store.
●● Explain how to resolve issues related to Universal Windows apps.
●● Explain how to configure assigned access to a Universal Windows app.
●● Describe the process of using AppLocker to control Universal Windows apps.
Note: To access the Microsoft Store, users must sign in by using a Microsoft account. Users can create
this account during the Windows 10 installation, or after installation. You also can access the Microsoft
Store by connecting your Microsoft account to your AD DS user account. The built-in administrator
account cannot access the Microsoft Store or run any Universal Windows apps by default.
Managing updates
IT administrators have limited control over updates for installed Universal Windows apps. You cannot
control which updates are available. By default, applications installed from the Microsoft Store update
automatically.
To restrict a user account to run a single Universal Windows app, perform the following procedure:
1. From the Start menu, select Settings.
2. Select Accounts, and then select Other people.
3. In the right pane, select Set up assigned access.
4. Select Choose an account, and then select the account that you want to restrict.
5. Select Choose an app, and then select the installed application to which you want to restrict the
account.
6. Sign out from the computer to make the changes effective.
When the user signs in to the computer, they will be able to access only the assigned application. You can
assign access only to users that have previously signed in to that computer and have the application
installed.
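The following Windows PowerShell script is an added example, not part of the course; it applies the same single-app restriction as the Settings procedure above, but from an elevated PowerShell session so that it can be scripted across many devices. It assumes a constructed local account named KioskUser that has already signed in once and has the Calculator app installed.

```powershell
# Added example (not part of the course): the same restriction as the Settings procedure above,
# done from an elevated PowerShell session. Set-AssignedAccess needs the app's Application User
# Model ID (AUMID), which is built from the package family name and the application ID in the
# package manifest. Assumes a local account named KioskUser (constructed) that has already signed
# in once, and that the Calculator app is installed for that user.
$userName = 'KioskUser'
$pkgName  = 'Microsoft.WindowsCalculator'

# The course notes that assigned access works only for users who have signed in before and
# have the app installed; check both before changing anything.
$pkg = Get-AppxPackage -User $userName -Name $pkgName
if (-not $pkg) { throw "Package $pkgName is not installed for $userName (has the user signed in yet?)" }

# Build the AUMID: <PackageFamilyName>!<Application Id from the manifest>
$appId = ($pkg | Get-AppxPackageManifest).Package.Applications.Application.Id
$aumid = "$($pkg.PackageFamilyName)!$appId"

Set-AssignedAccess -UserName $userName -AppUserModelId $aumid

# Check: the account now appears with the restricted AUMID. As with the Settings procedure,
# the change takes effect at the user's next sign-in.
Get-AssignedAccess

# To lift the restriction later, run: Clear-AssignedAccess
```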
Note: For large-scale deployment of sideloaded apps, an enterprise organization can use Microsoft
Intune to deploy Windows Store apps by using the Self-Service Portal. They could also use Microsoft
System Center Configuration Manager.
To prevent malware from deploying through the sideloading process, Windows 10 only allows installation
of apps that the developer has signed by using a trusted root certificate. If your organization creates a
line of business (LOB) app, it must be signed by using the organizational trusted root certificate.
Note: You can use a self-signed certificate to sideload an app, but this is not a best practice in a
production environment.
2. Locate the certificate that came with the app. Tap and hold the certificate, and then tap Install
Certificate.
3. On the Certificate Import Wizard page, tap Local Machine, and then tap Next.
4. On the Certificate Store page, tap Place all certificates in the following store, tap Browse, tap
Trusted Root Certification Authorities, tap OK, tap Next, and then tap Finish.
5. In the Certificate Import Wizard dialog box, confirm that the import was successful, and then tap
OK.
You now can install the app by performing the following procedure:
1. Open Windows PowerShell.
2. Run Add-AppxPackage PATH\APP.appx, replacing PATH with the full path to the app and APP.appx with
your app’s file name.
The app now should appear in Start.
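The following Windows PowerShell script is an added example, not part of the course. It scripts the certificate import and Add-AppxPackage steps above and puts a signature check in front of them, so that only a package signed by the publisher you expect is installed and only that publisher's certificate is added to Trusted Root. It assumes that sideloading is permitted on the device and uses constructed values for the package path, certificate path, and expected publisher name.

```powershell
# Added example (not part of the course): the certificate import and Add-AppxPackage steps above,
# scripted with a signature check in front, so that only a package signed by the publisher you
# expect ends up installed and only that publisher's certificate is added to Trusted Root.
# Assumes sideloading is permitted on the device, and uses constructed values for the package
# path, certificate path, and expected publisher name; replace them with your organization's.
$packagePath     = 'C:\LOB\ContosoApp.appx'                  # constructed path
$certPath        = 'C:\LOB\ContosoApp.cer'                   # constructed path
$expectedSubject = 'CN=Contoso LOB Apps, O=Contoso, C=US'    # constructed publisher name

# 1. Read the Authenticode signature on the package and make sure the signer is who you expect.
#    An .appx must be signed, and its signer subject must match the Publisher in its manifest.
$sig = Get-AuthenticodeSignature -FilePath $packagePath
if ($null -eq $sig.SignerCertificate) { throw "Package is not signed; refusing to sideload." }
if ($sig.SignerCertificate.Subject -ne $expectedSubject) {
    throw "Unexpected signer '$($sig.SignerCertificate.Subject)'; refusing to sideload."
}

# 2. Only the certificate shipped with the app goes into Local Machine\Trusted Root (the
#    Certificate Import Wizard steps above). It must be either the signing certificate itself
#    (self-signed case) or the CA that issued it; anything else would trust an unrelated root.
$shippedCert = Get-PfxCertificate -FilePath $certPath
if ($shippedCert.Thumbprint -ne $sig.SignerCertificate.Thumbprint -and
    $shippedCert.Subject    -ne $sig.SignerCertificate.Issuer) {
    throw "Certificate file is unrelated to the package signer; refusing to trust it."
}
Import-Certificate -FilePath $certPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. The chain should now validate. Status stays 'UnknownError' or 'NotTrusted' until the root is trusted.
$sig = Get-AuthenticodeSignature -FilePath $packagePath
if ($sig.Status -ne 'Valid') { throw "Signature status is '$($sig.Status)' after import; not installing." }

# 4. Install for the current user (the Add-AppxPackage step above) and confirm it registered.
Add-AppxPackage -Path $packagePath
Get-AppxPackage | Where-Object { $_.Publisher -eq $expectedSubject } |
    Format-Table Name, Version, Publisher, PackageFullName -AutoSize
```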
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Internet Explorer 11.
●● List and explain the Internet Explorer 11 privacy features.
●● List and explain the Internet Explorer 11 security features.
●● Explain how to manage add-ons in Internet Explorer 11.
●● Use the Compatibility View feature in Internet Explorer 11.
●● Configure and use Internet Explorer.
●● Describe the features of Microsoft Edge.
●● Configure and use Microsoft Edge.
●● Discuss the appropriate browser to use in your organization.
●● List the productivity features in Microsoft Edge.
tracking prevention and collections, Edge Chromium offers better website viewing compatibility and
supports the large ecosystem of plugins available to Chromium-based browsers.
Microsoft is distributing Chromium-based Edge to all Windows Update-connected devices running
Windows 10 version 1803 and newer. Devices that are managed by Windows Server Update Services
(WSUS) or Windows Update for Business (WUfB) are excluded from this automatic update, and those
organizations can manage the rollout of the newer Edge browser in their environment.
Internet Explorer 11
Internet Explorer 11 is the web browser that you can run on all supported versions of the Windows
operating system. Using Internet Explorer 11 makes the transition to Windows 10 easier, because there is
no change in the browsing or managing experience. Internet Explorer 11 still supports Microsoft
Silverlight, ActiveX, and other non-Microsoft extensions, and provides compatibility support for previous
versions of Internet Explorer. Internet Explorer 11 is the preferred browser when you need to support
legacy web applications, for example by using Internet Explorer Enterprise Mode.
Most companies will use both browser types: one for current websites, and one for legacy web
applications. The following table compares the two browsers in Windows 10.
Managing Extensions
When you use Microsoft Edge without any add-ons or modifications, most websites will display normally.
Beginning with Windows 10 Anniversary Update, Microsoft Edge can use only those extensions that are
installed from the Windows Store. However, because you install extensions from the Windows Store, you
must have a Microsoft account to install the extensions.
Extensions are web add-ons that you can use to customize your browser. Microsoft and other software
vendors have released extensions in various categories. Some of the categories of extensions include:
●● Translation
●● Password management
●● Ad blocking
●● Web clippers
●● Page analyzing
●● Web shop improvements
You can install extensions by performing the following steps:
1. Open Microsoft Edge.
2. Open the Settings and more menu (the ellipsis, ..., in the top-right corner), and then select Extensions.
3. In the Extensions dialog box, select Get extensions from Microsoft Store.
4. In the Edge Add-ons site, select the extension that you want to install.
Pinned tabs
In Microsoft Edge, you can pin tabs to the tab row. Pinned tabs take up less space because they only
display the site icon, and they reappear when you close and reopen Microsoft Edge.
Paste and go
If you copy a link to the clipboard, you can right-click in the Microsoft Edge address bar, and then select
Paste and go. This will make Microsoft Edge instantly go to the site. If the text that you have in the
clipboard is not a link, then the option that appears will be Paste and search. Microsoft Edge will then
use the default search engine to search for the clipboard text.
Web notifications
Notifications in the Action Center can come from sites that support notifications. Notifications make it
possible for you to respond more quickly. You can configure which sites display notifications. If you have
a site open in an InPrivate window, then notifications from that site will not display in the Action Center,
for security reasons.
Collections
New with Edge Chromium is Collections, which allow you to easily collect, organize and share content
that you find across the web. Collections provides a side panel that allows you to add pages or drag
objects into the panel. This provides an easy way to perform actions such as comparing items when
shopping or collecting information for planning a trip or event.
Synchronization of settings
By default, Microsoft Edge (HTML-based) favorites will synchronize to OneDrive, if you have a Microsoft
account. This will help in easier management of favorites, and in transferring favorites between devices
and computers. In organizations using Azure AD, customers can use Enterprise State Roaming to sync
Windows settings, which include browser settings.
With the new Microsoft Edge Chromium, the sync solution isn’t tied to the Windows sync ecosystem. This
enables Microsoft to offer Microsoft Edge across all the platforms, such as Windows 7, Windows 8.1, iOS,
Android and macOS. This also enables sync for non-primary accounts on Windows. The data supported by
sync includes:
●● Favorites
●● Passwords
●● Addresses and more (form-fill)
●● Collections
●● Settings
Internet Explorer 11
Windows 10 includes Internet Explorer to ensure that any legacy or LOB apps that your organization uses
can continue to function.
Internet Explorer includes a number of security and compatibility features that enable users to browse
with safety and confidence. This in turn helps maintain customer trust in the Internet and the apps based
on Internet technologies. Additionally, it helps protect your IT environment from the evolving threats that
the web presents.
Internet Explorer 11 specifically helps users maintain their privacy with features such as:
●● InPrivate Browsing
●● InPrivate Filtering
The SmartScreen Filter provides protection against social-engineering attacks by:
●● Identifying malicious websites that try to trick people into providing personal information or installing
malware.
●● Blocking malware downloads.
From an enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than
using the Delete Browsing History option to maintain privacy, because no logs are kept and no tracks are
made during browsing. InPrivate Browsing is a proactive feature that allows users to control what is
tracked in a browsing session. InPrivate Browsing is also useful when credentials are cached and you wish
to sign in with different credentials without clearing the cached credentials.
Note: Some users might attempt to use InPrivate Browsing to conceal their tracks when browsing
prohibited websites or websites that do not pertain to work. However, you can use Group Policy to
configure how your organization uses InPrivate Browsing, which gives you full manageability control on
users’ work devices.
●● Per-site ActiveX. When a user navigates to a website that contains an ActiveX control, Internet
Explorer 11 performs a number of checks, including a determination of where a control has permission to
run. If a control is installed, but does not have permission to run on a specific site, an information bar
appears that asks the user’s permission to run on the current website or on all websites.
Administrators can use Group Policy to preset Internet Explorer configurations with allowed ActiveX
controls and their related trusted domains.
use different security settings. For example, some zones enable Protected Mode or do not allow ActiveX
controls.
The security zones in Internet Explorer 11 include the following zones:
●● Internet. This zone is the default zone for all websites. It has medium-high security settings, which
enables users to perform most tasks. However, users might receive prompts to accept some riskier
behaviors such as downloading signed ActiveX controls and submitting unencrypted form data.
●● Local intranet. This zone is only for websites that have a single label name. It has medium-low
security settings that allow most websites to run without any end-user prompts, because it assumes
the sites are trustworthy. Additionally, this zone does not use Protected Mode.
●● Trusted sites. This zone has no websites, by default. You must add sites manually to the Trusted sites
zone. This zone has medium security settings, which enables users to run most web-based
applications. It does not use Protected Mode. Typically, you use this zone for web-based applications
that are hosted externally.
●● Restricted sites. This zone has no websites, by default. You must add sites manually to the Restricted
sites zone. This zone has high security settings, and is suitable for browsing websites that you are
concerned might contain malware.
Other Internet Explorer settings that you should consider regarding web-based applications include:
●● InPrivate Browsing. This setting helps protect data and privacy by preventing browsing history,
temporary Internet files, form data, cookies, usernames, and passwords from being stored or retained
locally by the browser. This leaves virtually no evidence of browsing or search history because the
browsing session does not store session data after the InPrivate window is closed. From the enterprise
and IT professional perspective, InPrivate Browsing is inherently more secure than using Delete
Browsing History to maintain privacy, because there are no logs kept or tracks made during browsing.
InPrivate Browsing is a proactive feature, because it enables you to control what is tracked in a
browsing session. However, some users might use InPrivate Browsing in an attempt to conceal their
tracks when browsing to prohibited or non-work websites. Nonetheless, you have full manageability
control, and you can use Group Policy to configure how InPrivate Browsing is used in your
organization.
●● Pop-up Blocker. The purpose of the Pop-up Blocker in Internet Explorer is to prevent unsolicited
advertisements from displaying. However, some web-based applications use these pop-ups, so you
might need to allow them for websites that are hosting a web-based application.
●● Advanced settings. Individual web-based applications might require unusual security settings that
you can adjust only in Advanced settings. For example, an externally-hosted website might require the
use of an older version of Secure Sockets Layer (SSL).
Add-ons
Most websites will display normally when you use Internet Explorer without any add-ons or modifications.
Internet Explorer 11, which Windows 10 includes by default, provides an experience that is free from
add-ons. Add-ons that enhance the browsing experience by providing multimedia content also are
referred to as:
●● ActiveX controls
●● Plug-ins
●● Browser extensions
●● Browser helper objects
●● Toolbars
●● Explorer bars
●● Search providers
●● Accelerators
●● Tracking Protection Lists
The following are examples of plug-in based technology:
●● Microsoft Silverlight
●● Apple QuickTime
●● Java applets
●● Adobe Flash Player
●● Skype Select to Call
Two popular multimedia extensions, HTML5 and Adobe Flash, are supported out of the box as a platform
feature of Internet Explorer. In previous Internet Explorer versions, some multimedia add-ons could cause
security concerns. Internet Explorer 11 addresses this with the Automatic Updates feature, which provides
updates to help remediate problems quickly when they are identified.
Sometimes an add-on, such as a pop-up advertisement, can annoy users or create problems that affect
browser performance. A user can disable an individual add-on or all add-ons within Internet Explorer 11
by using the Manage Add-ons dialog box. To do this, a user would perform the following steps:
1. Open Internet Explorer.
2. On the Tools menu, select Manage add-ons.
3. In the Manage Add-ons dialog box, in the Show list, select All add-ons.
4. Find the name of the add-on that you want to modify in the reading pane. To disable an add-on, tap
or select it, and then select Disable. To enable an add-on, tap or select it, and then select Enable.
Close the Manage Add-ons dialog box.
The Compatibility View feature in Internet Explorer 11 helps display a webpage as the web developer
intended. This view provides a straightforward way to fix display problems, such as out-of-place menus,
images, and text. The main benefits of the Compatibility View feature include:
●● Internet websites display in Internet Explorer 11 standards mode by default. You can use the
Compatibility View button to fix sites that render differently than expected.
●● Internet Explorer 11 remembers sites that have been set to Compatibility View so that a user only
needs to press the button once for a site. After that, the site always renders in Compatibility View
unless users remove it from the list.
●● Intranet websites display in Compatibility View by default. This means that internal websites that were
created for older Internet Explorer versions will work correctly.
●● You can use Group Policy to set a list of websites to render in Compatibility View.
●● Switching in and out of Compatibility View occurs without requiring that a user restart the browser.
The Compatibility View button displays only if it is not stated clearly how the website is to render. In
other cases, the button is hidden. These cases include viewing intranet sites or viewing sites with a tag or
an HTTP header that indicates Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, or Internet
Explorer 10 standards.
When you activate Compatibility View, the page refreshes, and a balloon tip in the taskbar notification
area indicates that the site is now running in Compatibility View.
Summary
In this lab you will learn how to install and update Microsoft Store apps and how to install Microsoft 365
Apps for enterprise from Microsoft 365.
Dependency Note: To complete this lab, you need to have a Microsoft account. You can use the Microsoft
account that you configured previously in the Module 3 lab, Synchronizing settings between devices. You
will also use the User2 Microsoft 365 user account, which was created in the Module 2 lab, Managing Azure
AD Authentication.
Scenario
You need to test the download and update functionality of the Microsoft Store. You will download
and install an app named Microsoft To Do: Lists, Tasks & Reminders. You also need to validate how
Microsoft Store apps are updated and uninstalled.
Scenario
You have been asked to configure the deployment of the Office 365 apps included in your subscription.
You will first assign an Office 365 E5 license to User2 and configure Office installation options. Finally
User2 will validate that Office 365 can be downloaded and installed from the Microsoft 365 portal.
Summary
In this lab you will learn how to configure Internet Explorer Enterprise Mode so that Microsoft Edge can
open legacy websites in compatibility mode.
Dependency Notice: This lab requires that a DNS CNAME entry for intranet.Contoso.com be added which
resolves to SEA-SVR1.Contoso.com, as instructed in the Module 5: Configuration and Testing Name
Resolution lab. If you did not complete the module 5 lab, complete Exercise 2: Task 2 from that lab before
continuing. Also note that Microsoft Edge .admx templates have already been installed to allow for the
creation of Microsoft Edge Chromium group policy settings.
Scenario
Contoso uses a web site located at intranet.contoso.com. This site currently only works properly using
older Internet Explorer versions. As you recently upgraded all devices to Windows 10 and Microsoft Edge
Chromium, you must ensure that this web site still opens and works with compatibility mode.
Module Review
Check Your Knowledge
1. You are an IT Support professional for a small start-up company. You need to install desktop apps on
Windows 10 computers locally. Which methods can you use? (select three)
A. Using a product DVD that contains a desktop app
B. Connecting to a network share
C. Downloading an app from a vendor’s website
D. Using Windows Store
E. Connecting to the Azure Content Delivery Network (CDN)
2. Which of the following statements is true regarding RemoteApp apps?
A. Windows Server RemoteApp apps require a separate user name and password.
B. Users can differentiate between a RemoteApp app and other apps that run on a computer.
C. You should consider deploying RemoteApp in situations where an app does not run on a client
computer.
D. All statements are true.
3. You need to plan and perform an automated desktop-app deployment. You want to determine the
best method for your organization. What is the potential drawback for using Group Policy? (select
three)
A. It can be difficult to determine whether a deployment is successful.
B. There is no prerequisite checking.
C. Group Policy is difficult to implement.
D. There is no installation schedule.
E. It takes too long to implement.
4. You are an IT Support Professional in an organization with over 10,000 computers. Your organization
has just recently implemented Configuration Manager to replace Group Policy for deploying software.
Which are some of the benefits that Configuration Manager provides? (select five)
A. Collections
B. Multiple deployment types
C. Publish
D. Wake on LAN
E. Software inventory
F. Reports
G. Lite-touch installation (LTI)
H. Scheduling
5. As an IT Support Professional, you have been tasked with supporting the HR department's computers
in your organization. All HR computers run Windows 10 with Internet Explorer 11. The HR department
requires the highest level of privacy. Which Privacy Features should the department use? (select three)
A. InPrivate Browsing
B. Tracking Protection
C. The Delete Browsing History dialog
D. Search Providers
E. Compatibility View Settings
6. The Compatibility View feature in Internet Explorer 11 helps display a webpage as the web developer
intended. The webpage will refresh after you activate the Compatibility View. After this, how do you
know that the site is running in Compatibility View?
A. By pressing the F4 key
B. Check IE Settings
C. No errors on the website
D. The balloon tip in the taskbar notification area
7. Internet Explorer Enterprise Mode features include: (Select two)
A. Users choose when to enable it
B. Emulates a specific version of Internet Explorer
C. Is configured using an XML file
D. Automatically enables when a site header specifies a specific version of Internet Explorer.
8. A,B,D 2) C 3) A,B,D 4) A,B,D,E,F 5) A,B,C 6) D 7) B,C
Module 9 Configuring Threat Protection
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe malware.
●● Understand the sources of malware.
●● Describe ways of mitigating malware.
●● Identify common network-related security threats.
●● Describe the methods by which you can mitigate these common security threats.
●● Describe tools for securing user identities.
●● Describe tools for securing data on Windows 10.
●● Describe tools for securing Windows 10 devices.
What Is Malware
Malicious software, or malware, is software that attackers design to harm computer systems. Malware can
do many things, from causing damage to the computer, to allowing unauthorized parties remote access
to the computer, to collecting and transmitting sensitive information to unauthorized third parties. There
are several types of malware, including:
●● Computer viruses. This type of malware replicates by inserting a copy of its executable code into
other applications, operating-system files, data files, or hardware components, such as the BIOS or
boot sector files.
●● Computer worms. Worms are a special form of malware that replicate without direct intervention.
Worms spread across networks and can infect other computers on a network, without requiring a user
to open an email attachment or file.
●● Trojan horses. This type of malware provides an attacker with remote access to the infected computer.
●● Ransomware. This type of malware encrypts user data, and you can recover your data only if you pay
a ransom to the malware authors.
●● Spyware. This type of malware tracks how a computer is used without the user’s consent.
Phishing Scams
Phishing
Phishing (pronounced “fishing”) is a type of online identity theft. It uses email, phone calls, texts, and
fraudulent websites that are designed to steal your personal data or information such as credit card
numbers, passwords, account data, or other information.
- Hover over links to uncover the URL. Always check a URL before you select the link—sometimes
bad links are embedded into an email as a way to trick the reader.
- Check for poor grammar and spelling errors. Companies rarely send out messages without proofreading
content, so multiple spelling and grammar mistakes can signal a scam message.
- Look for company contact information and brand accuracy. Most companies will have a brand
identity that is recognizable in their emails. Look for logos, brand colors and contact information in the
message.
attackers identify an open port, they can use other attack techniques to access the services that are
running on the computer.
●● Man-in-the-middle (MITM) attack. The network attacker uses a computer to impersonate a legitimate
host on the network with which your computers are communicating. The attacker intercepts all
of the communications that are intended for a destination host. The attacker might wish to view the
data in transit between the two hosts, but also can modify that data before forwarding the packets to
the destination host.
You can use any, or all, of the following defense mechanisms to help protect your network from malicious
attacks:
●● Internet Protocol security (IPsec), which authenticates IP-based communications between two hosts
and, where desirable, encrypts that network traffic.
●● Firewalls, which allow or block network traffic based on the type of traffic.
●● Perimeter networks, which are isolated areas on your network to and from which you can define
network traffic flow. When you need to make network services available on the Internet, it is not
advisable to connect hosting servers directly to the Internet. However, by placing these servers in a
perimeter network, you can make them available to Internet users without allowing those users access
to your corporate intranet.
●● VPNs and DirectAccess. It is important that users have the ability to connect to their organization’s
intranet from the Internet as securely as possible. The Internet is a public network, and data in transit
across the Internet is susceptible to eavesdropping or MITM attacks. However, by using virtual private
networks (VPNs) or DirectAccess, you can authenticate and encrypt connections between remote
users and your organization’s intranet. This can help to mitigate risk.
●● Server hardening. When you run only the services that you need, you can make servers inherently
more secure. To determine what services you require, you must establish a security baseline among
your servers. To determine precisely which Windows Server services you need to support the functionality
that you or your enterprise requires, you can use tools such as the Security Configuration Wizard
or the Microsoft Baseline Security Analyzer.
●● Intrusion detection. It is important to implement the preceding techniques to secure your network,
and it also is sensible to monitor your network regularly for signs of attack. You can use intrusion-detection
systems to do this by implementing them on perimeter devices, such as Internet-facing
routers.
●● Domain Name System Security Extensions (DNSSEC), which use digital signatures for validation, so
that DNS servers and resolvers can trust DNS responses. The DNS zone contains all signatures that are
generated in the new resource records. When a resolver issues a query for a name, the DNS server
returns the accompanying digital signature in the response. The resolver then validates the signature
by using a preconfigured trust anchor. Successful validation proves that no data modification or
tampering has occurred.
Microsoft Defender
Lesson Introduction
Malware might show up on your organization’s computers and devices, despite your efforts to prevent it.
Unwanted traffic often comes from Internet-based sources, but traffic from a local area network (LAN) or
wide area network (WAN) also can compromise your network.
Windows 10 includes components that can help you identify and remove malware from your environment’s
computers and protect Windows 10 computers from unauthorized access attempts through
blocking and filtering of unwanted incoming or outgoing network traffic.
Lesson Objectives
After completing this lesson, you will be able to:
●● Use Windows Defender to detect and quarantine malware.
●● Describe the purpose of a firewall.
●● Describe Windows Defender Firewall functionality.
●● Explain network-location profiles.
●● Explain the increased functionality of Windows Defender Firewall with Advanced Security.
You can use Microsoft Defender to run a Quick, Full, or Custom scan. If you suspect spyware has infected
a specific area of a computer, you can customize a scan by selecting specific drives and folders. You also
can configure the schedule that Microsoft Defender will use.
You can choose to have Microsoft Defender Antivirus exclude processes in your scan. This can make a
scan finish more quickly, but your computer will have less protection. When Microsoft Defender Antivirus
detects potential spyware activity, it stops the activity, and then it raises an alert.
Alert levels help you determine how to respond to spyware and unwanted software. You can configure
Microsoft Defender Antivirus behavior when a scan identifies unwanted software. You also receive an alert
if software attempts to change important Windows operating system settings.
To help prevent spyware and other unwanted software from running on a computer, turn on Microsoft
Defender Antivirus real-time protection.
Microsoft Defender includes automatic scanning options that provide regular scanning and on-demand
scanning for malware. The following table identifies scanning options.
and to maintain the Allowed list, and then a list of Quarantined items is available from the Settings page.
Select View to see all items. Review each item, and then individually Remove or Restore each. Alternatively,
if you want to remove all Quarantined items, select Remove All.
Note: Do not restore software with severe or high alert ratings because it can put your privacy and your
computer’s security at risk.
If you trust detected software, stop Microsoft Defender from alerting you to risks that the software might
pose by adding it to the Allowed list. If you decide to monitor the software later, remove it from the
Allowed list.
The next time Microsoft Defender alerts you about software that you want to include in the Allowed list,
you can perform the following steps. In the Alert dialog box, on the Action menu, select Allow, and then
select Apply actions. Review and remove software that you have allowed from the Excluded files and
locations list on the Settings page.
By using Microsoft Defender Offline, you can boot and run a scan from a trusted environment, rather
than running Microsoft Defender Antivirus from a fully booted Windows 10 environment. Microsoft
Defender Offline runs separate from the Windows kernel and can target malware that bypasses the
Windows shell, including malware that may infect or overwrite a computer’s master boot record (MBR).
Beginning with Windows 10 Anniversary Update, you can run Microsoft Defender Offline with a single
selection from the Microsoft Defender Antivirus client.
Microsoft Defender Antivirus includes 12 Windows PowerShell cmdlets that you can use to perform a
variety of tasks. The following table lists these cmdlets.
Cmdlet                   Function
Add-MpPreference         Modify Microsoft Defender Antivirus settings.
Get-MpComputerStatus     View status of antimalware software.
Get-MpPreference         View Microsoft Defender Antivirus scan and update preferences.
Get-MpThreat             View threat detection history.
Get-MpThreatCatalog      View list of known threats from the definitions catalog.
Get-MpThreatDetection    View active and previously detected malware threats.
Remove-MpPreference      Remove default actions or exclusions.
Remove-MpThreat          Remove an active threat.
Set-MpPreference         Configure Microsoft Defender Antivirus scan and update preferences.
Start-MpScan             Trigger a scan on the computer.
Start-MpWDOScan          Trigger a Microsoft Defender Offline scan.
Update-MpSignature       Update a computer’s antimalware definitions.
In addition to using Windows PowerShell to trigger a Microsoft Defender Antivirus scan, you also can use
the mpcmdrun.exe command from the cmd.exe environment to trigger a scan. For example, to trigger a
quick scan, run the following command:
mpcmdrun.exe -scan -scantype 1
To discover all command line options for this tool, use the following command:
mpcmdrun.exe /?
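As an added example that is not part of the course text, the following PowerShell script uses several of the cmdlets from the table above (and the quick-scan equivalent of the mpcmdrun.exe command) to check the Defender Antivirus posture of a computer, turn real-time protection back on if it is off, run a scan, and summarize the detection history with threat names and severities. The signature-age threshold and the custom scan folder are assumed values.

```powershell
# Added example (not from the course): Microsoft Defender Antivirus posture check and scan.
# Assumes Windows 10 with the Defender PowerShell module and an elevated session.
#Requires -RunAsAdministrator

$MaxSignatureAgeDays = 3                  # assumed threshold for stale definitions
$SuspectFolder       = 'C:\Users\Public'  # assumed folder for the custom scan

# Severity values reported in Get-MpThreat.SeverityID.
$SeverityName = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }

function Get-DefenderFindings {
    # Returns a list of posture problems; an empty list means nothing to fix.
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = @()

    if (-not $status.AMServiceEnabled)          { $findings += 'Antimalware service is not running.' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off.' }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Antivirus definitions are $($status.AntivirusSignatureAge) days old."
    }
    # Exclusions make scans finish faster but leave these items unscanned; review each one.
    foreach ($p in $pref.ExclusionPath)      { $findings += "Excluded path: $p" }
    foreach ($p in $pref.ExclusionProcess)   { $findings += "Excluded process: $p" }
    foreach ($e in $pref.ExclusionExtension) { $findings += "Excluded extension: $e" }
    return $findings
}

function Repair-DefenderPosture {
    # Turn real-time protection back on and fetch current definitions before scanning.
    Set-MpPreference -DisableRealtimeMonitoring $false
    Update-MpSignature
}

function Invoke-DefenderScan {
    param([switch] $Custom)
    if ($Custom) {
        # Custom scan of one folder, for the "spyware in a specific area" case.
        Start-MpScan -ScanType CustomScan -ScanPath $SuspectFolder
    } else {
        Start-MpScan -ScanType QuickScan   # same effect as: mpcmdrun.exe -scan -scantype 1
    }
}

function Get-DetectionSummary {
    # Join the detection history with the threat entries to show names and severities.
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }
    Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | ForEach-Object {
        $t = $threats[$_.ThreatID]
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            Threat     = if ($t) { $t.ThreatName } else { "ID $($_.ThreatID)" }
            Severity   = if ($t) { $SeverityName[[int]$t.SeverityID] } else { 'n/a' }
            Process    = $_.ProcessName
            Remediated = $_.ActionSuccess
            Resources  = ($_.Resources -join '; ')
        }
    }
}

# Typical run: report, fix what is fixable, scan, then review what was found.
$findings = Get-DefenderFindings
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
if ($findings -match 'Real-time|definitions') { Repair-DefenderPosture }
Invoke-DefenderScan
Get-DetectionSummary | Format-Table -AutoSize
```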
What Is a Firewall
Firewalls block or allow network traffic, based on the traffic’s properties. You can utilize hardware-based
firewalls or software firewalls that run on a device.
Depending on your firewall’s sophistication, you can configure it to block or allow traffic based on the:
●● Traffic source address.
●● Traffic destination address.
●● Traffic source port.
●● Traffic destination port.
●● Traffic protocol.
●● Packet contents.
For example, a sophisticated firewall analyzes network traffic and filters out harmful traffic, such as
attempts to cause a denial-of-service attack or an SQL injection attack.
Administrators often place firewalls at a network perimeter, between an organization’s screened subnet
and the Internet, and between the screened subnet and the internal network. Today, it also is common for
each host to have its own additional firewall.
Firewall exceptions
When you add a program to the list of allowed programs, or open a firewall port, you are allowing that
program to send information to or from your computer. Allowing a program to communicate through a
firewall is like making an opening in the firewall. Each time that you create another opening, the computer
becomes less secure.
Generally, it is safer to add a program to the list of allowed programs than to open a port for an app. If
you open a port without scoping the port to a specific app, the opening in the firewall stays open until
you close the port, regardless of whether a program is using it. If you add a program to the list of allowed
programs, you are allowing the app itself to create an opening in the firewall, but only when necessary.
The openings are available for communication only when required by an allowed program or computer.
To add, change, or remove allowed programs and ports, you should perform the following steps. Select
Allow an app or feature through Windows Defender Firewall in the left pane of the Windows Defender
Firewall page, and then select Change settings. For example, to view performance counters from a
remote computer, you must enable the Performance Logs and Alerts firewall exception on the remote
computer.
To help decrease security risks when you open communications:
●● Only allow a program or open a port when necessary.
●● Remove programs from the list of allowed programs, or close ports when you do not require them.
●● Never allow a program that you do not recognize to communicate through the firewall.
You can modify the firewall settings for each type of network location from the main Windows Defender
Firewall page. Select Turn Windows Defender Firewall on or off, select the network location, and then
make your selection. You also can modify the following options:
●● Block all incoming connections, including those in the list of allowed programs.
●● Notify me when Windows Defender Firewall blocks a new program.
The Public networks location blocks certain programs and services from running, which protects a
computer from unauthorized access. If you connect to a Public network, and Windows Defender Firewall
is on, some programs or services might ask you to allow them to communicate through the firewall so
that they can work properly.
Windows Defender Firewall with Advanced Security is an example of a network-aware app. You can create
a profile for each network location type, and each profile can contain different firewall policies. For
example, you can allow incoming traffic for a specific desktop management tool when a computer is on a
domain network, but block traffic when the computer connects to public or private networks.
Network awareness enables you to provide flexibility on an internal network without sacrificing security
when users travel. A public network profile must have stricter firewall policies to protect against unauthorized
access. A private network profile might have less restrictive firewall policies to allow file and print
sharing or peer-to-peer discovery.
Inbound rules
Inbound rules explicitly allow or block traffic that matches the rule’s criteria. For example, you can
configure a rule to allow traffic for Remote Desktop from the local network segment through the firewall,
but block traffic if the source is a different network segment.
When you first install the Windows operating system, Windows Defender Firewall blocks all unsolicited
inbound traffic. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule
that describes that traffic. For example, if you want to run a Web server, you must create a rule that allows
unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows
Defender Firewall with Advanced Security takes, which is whether to allow or block connections when an
inbound rule does not apply.
Outbound rules
Windows Defender Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly
allow or deny traffic originating from a computer that matches a rule’s criteria. For example, you can
configure a rule to explicitly block outbound traffic to a computer by IP address through the firewall, but
allow the same traffic for other computers.
two computers. Connection security rules specify how and when authentication occurs, but they do not
allow connections. To allow a connection, create an inbound or outbound rule. After a connection security
rule is in place, you can specify that inbound and outbound rules apply only to specific users or computers.
You can create the following connection security rule types:
●● Isolation rules. These isolate computers by restricting connections based on authentication criteria,
such as domain membership or health status. Isolation rules allow you to implement a server or
domain isolation strategy.
●● Authentication exemption rules. These designate connections that do not require authentication. You
can designate computers by specific IP address, an IP address range, a subnet, or a predefined group,
such as a gateway. You typically use this type of rule to grant access to infrastructure computers, such
as Active Directory domain controllers, certification authorities (CAs), or Dynamic Host Configuration
Protocol (DHCP) servers.
●● Server-to-server rules. These protect connections between specific computers. When you create this
type of rule, you must specify the network endpoints between which you want to protect communications.
You then designate requirements and the type of authentication that you want to use, such as
the Kerberos version 5 protocol. A scenario in which you might use this rule is if you want to authenticate
traffic between a database server and a business-layer computer.
●● Tunnel rules. These secure communications that travel between two computers by using tunnel mode
in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that you
route between two defined endpoints. For each endpoint, specify a single computer that receives and
consumes the sent network traffic, or specify a gateway computer that connects to a private network
onto which the received traffic is routed after extracting it from the tunnel.
●● Custom rules. Configure these as necessary. Custom rules authenticate connections between two
endpoints when you cannot set up authentication rules by using the other rule types.
Monitoring
Windows Defender Firewall uses the monitoring interface to display information about current firewall
rules, connection security rules, and security associations (SAs). The Monitoring page displays which
profiles are active (domain, private, or public), and the settings for the active profiles. The Windows
Defender Firewall with Advanced Security events are also available in Event Viewer. For example, the
ConnectionSecurity operational event log is a resource that you can use to view IPsec-related events. The
operational log is always on, and it contains events for connection security rules.
Windows PowerShell commands
You can use the following Windows PowerShell cmdlets to manage Windows Defender Firewall rules:
●● Get-NetFirewallRule. Use this cmdlet to display a list of available firewall rules.
●● Copy-NetFirewallRule. Use this cmdlet to copy an existing firewall rule.
●● Enable-NetFirewallRule. Use this cmdlet to enable an existing firewall rule.
●● Disable-NetFirewallRule. Use this cmdlet to disable an existing firewall rule.
●● New-NetFirewallRule. Use this cmdlet to create a new firewall rule.
●● Remove-NetFirewallRule. Use this cmdlet to delete a firewall rule.
●● Rename-NetFirewallRule. Use this cmdlet to rename a firewall rule.
●● Set-NetFirewallRule. Use this cmdlet to configure the properties of an existing firewall rule.
●● Show-NetFirewallRule. Use this cmdlet to view all firewall rules in the policy store.
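An added example, not from the course, that puts the firewall exception guidance and the inbound/outbound rule descriptions above into practice with the NetSecurity cmdlets: it creates a program-scoped allow rule and a subnet-scoped port rule instead of a blanket port opening, adds an explicit outbound block, confirms the default inbound action, and audits enabled inbound allow rules that accept traffic from any address on the Public profile. The program path and the blocked address are placeholders.

```powershell
# Added example (not from the course): scoped Windows Defender Firewall rules and an audit.
# Assumes an elevated session on Windows 10; names, paths and addresses are placeholders.
#Requires -RunAsAdministrator

$AgentPath   = 'C:\Program Files\Contoso\MgmtAgent\agent.exe'  # assumed management tool
$BlockedHost = '203.0.113.25'                                  # placeholder destination

function New-ScopedInboundRules {
    # A web server needs unsolicited inbound TCP 80, but limit it to the local subnet and the
    # Domain profile instead of opening the port for every network the device joins.
    New-NetFirewallRule -DisplayName 'Contoso Web (local subnet, domain)' `
        -Direction Inbound -Action Allow -Protocol TCP -LocalPort 80 `
        -RemoteAddress LocalSubnet -Profile Domain -Enabled True | Out-Null

    # Prefer allowing a program over opening a port: the opening exists only while this
    # executable is listening, and the rule does not apply on Public networks.
    New-NetFirewallRule -DisplayName 'Contoso Management Agent' `
        -Direction Inbound -Action Allow -Program $AgentPath `
        -Profile Domain, Private -Enabled True | Out-Null
}

function New-OutboundBlockRule {
    # Outbound traffic is allowed unless a rule blocks it; block one destination explicitly.
    New-NetFirewallRule -DisplayName "Block outbound to $BlockedHost" `
        -Direction Outbound -Action Block -RemoteAddress $BlockedHost `
        -Profile Any -Enabled True | Out-Null
}

function Set-DefaultInboundBlock {
    # Make sure unsolicited inbound traffic that matches no rule is blocked on every profile.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
}

function Get-BroadInboundAllowRules {
    # Audit: enabled inbound allow rules that apply on Public networks and accept any remote
    # address. These are the firewall "openings" to review and remove when no longer needed.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
        Where-Object { "$($_.Profile)" -match 'Public|Any' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            $prog = $_ | Get-NetFirewallApplicationFilter
            if ($addr.RemoteAddress -contains 'Any') {
                [pscustomobject]@{
                    Name      = $_.DisplayName
                    Profile   = "$($_.Profile)"
                    Protocol  = $port.Protocol
                    LocalPort = ($port.LocalPort -join ',')
                    Program   = $prog.Program
                }
            }
        }
}

New-ScopedInboundRules
New-OutboundBlockRule
Set-DefaultInboundBlock
Get-BroadInboundAllowRules | Format-Table -AutoSize
```

Rules created this way can be removed again with Remove-NetFirewallRule -DisplayName '<name>' once they are no longer required.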
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the purpose and functionality of IPsec.
●● Describe how to configure IPsec.
●● Describe connection security rules.
●● Explain authentication options.
●● Monitor connections.
What is IPsec
You can use IPsec to ensure confidentiality, integrity, and authentication in data transport across channels
that are not secure. Though its original purpose was to secure traffic across public networks, many
organizations have chosen to implement IPsec to address perceived weaknesses in their own private
networks that might be susceptible to exploitation.
If you implement IPsec properly, it provides a private channel for sending and exchanging potentially
sensitive or vulnerable data, whether it is email, FTP traffic, news feeds, partner and supply-chain data,
medical records, or any other type of TCP/IP-based data.
IPsec:
●● Offers mutual authentication both before and during communications.
●● Forces both parties to identify themselves during the communication process.
●● Enables confidentiality through IP traffic encryption and digital-packet authentication.
IPsec modes
IPsec has two modes:
●● Encapsulating security payload (ESP). This mode encrypts data using one of several available algorithms.
●● Authentication Header (AH). This mode signs traffic, but does not encrypt it.
specifies the tunnel endpoints’ source and destination addresses. ESP can make use of Data Encryption
Standard (DES), Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) encryption
algorithms in Windows Server 2012 R2 and Windows 10. As a best practice, you should avoid using
DES unless clients cannot support the stronger encryption that AES or 3DES offer.
Authentication Options
When you use the New Connection Security Rule Wizard to create a new rule, you can use the Requirements
page to specify how you want authentication to apply to inbound and outbound connections. If you
request authentication, communication still proceeds when authentication fails. If you require
authentication, the connection drops if authentication fails.
Default
Select the Default option to use the authentication method that you configured on the IPsec Settings tab
of the Windows Defender Firewall with Advanced Security Properties dialog box.
Computer certificate
The Computer certificate method requests or requires a valid computer certificate to authenticate, and
you must have certificates from a CA trusted by both computers. Use this method if the computers are
not part of the same AD DS domain.
Advanced
You can configure any available method, and you can specify methods for first authentication and second
authentication. First authentication methods include Computer (Kerberos V5), computer certificate, and a
Preshared key (not recommended). Second authentication methods include User (Kerberos V5), User
NTLM (Windows NT Challenge/Response protocol), user certificates, and computer certificates issued by
trusted CAs. Only computers that are running Windows Vista, Windows 7, Windows 8, Windows 10,
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2
support second authentication methods.
Monitoring Connections
Windows Defender Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming
and outgoing connections based on its configuration. Although you can perform a typical end-user
configuration for Windows Defender Firewall by using the Windows Defender Firewall control panel item,
you can perform advanced configuration in the Microsoft Management Console (MMC) snap-in named
Windows Defender Firewall with Advanced Security.
The inclusion of this snap-in not only provides an interface for configuring Windows Defender Firewall
locally, but also for configuring Windows Defender Firewall on remote computers and by using Group
Policy. You also can use Windows PowerShell to configure Windows Defender Firewall policies throughout
your environment. Windows Defender Firewall functions now integrate with settings for connection-security
protection, which reduces the possibility of conflict between the two protection mechanisms.
Monitoring SAs
The Security Associations folder lists all of the Main Mode and Quick Mode SAs with detailed information
about their settings and endpoints.
Main Mode
Main Mode statistics provide data about the total number of SAs created and invalid packet information.
Quick Mode
Quick Mode provides more-detailed information about connections. If you are having issues with an
IPsec connection, Quick Mode statistics can provide insight into the problem.
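As an added example that is not part of the course text, the following PowerShell builds the connection security rule types and authentication options discussed above (an isolation rule with Kerberos V5 computer and user authentication, an authentication exemption for the domain controllers, and a server-to-server rule using computer certificates for a host outside the domain) and then reads the Main Mode and Quick Mode SAs and the ConnectionSecurity operational log that the monitoring sections refer to. The addresses, rule names and the CA distinguished name are placeholders.

```powershell
# Added example (not from the course): connection security rules and SA monitoring.
# Assumes an elevated session on a Windows 10 domain member; all names and addresses are placeholders.
#Requires -RunAsAdministrator

$DomainControllers = '10.0.0.10', '10.0.0.11'                    # assumed DC addresses
$DatabaseServer    = '10.0.0.50'                                 # assumed server outside the domain
$RootCaDn          = 'CN=Contoso Root CA, DC=contoso, DC=com'    # placeholder CA name

function New-DomainIsolationRule {
    # First authentication: Computer (Kerberos V5). Second authentication: User (Kerberos V5).
    $auth1 = New-NetIPsecPhase1AuthSet -DisplayName 'Contoso computer Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)
    $auth2 = New-NetIPsecPhase2AuthSet -DisplayName 'Contoso user Kerberos' `
        -Proposal (New-NetIPsecAuthProposal -User -Kerberos)

    # Inbound: Require (the connection drops if authentication fails).
    # Outbound: Request (communication proceeds even if the peer cannot authenticate).
    New-NetIPsecRule -DisplayName 'Contoso domain isolation' `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $auth1.Name -Phase2AuthSet $auth2.Name `
        -Profile Domain -Enabled True
}

function New-DcExemptionRule {
    # Authentication exemption: domain controllers must be reachable before Kerberos can
    # succeed at all, so traffic to them is not subject to the isolation rule.
    New-NetIPsecRule -DisplayName 'Contoso DC exemption' `
        -RemoteAddress $DomainControllers `
        -InboundSecurity None -OutboundSecurity None `
        -Profile Domain -Enabled True
}

function New-ServerToServerCertRule {
    # Server-to-server rule for a host that is not in the AD DS domain: computer certificates
    # from a CA both computers trust, required in both directions.
    $certAuth = New-NetIPsecPhase1AuthSet -DisplayName 'Contoso computer certificate' `
        -Proposal (New-NetIPsecAuthProposal -Machine -Cert -Authority $RootCaDn -AuthorityType Root)
    New-NetIPsecRule -DisplayName 'Contoso DB server-to-server' `
        -RemoteAddress $DatabaseServer `
        -InboundSecurity Require -OutboundSecurity Require `
        -Phase1AuthSet $certAuth.Name -Profile Domain -Enabled True
}

function Get-IPsecMonitoringSnapshot {
    # The same data as the Monitoring node's Security Associations folder, plus recent events
    # from the always-on ConnectionSecurity operational log.
    [pscustomobject]@{
        MainModeSAs  = Get-NetIPsecMainModeSA |
            Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod, SecondAuthenticationMethod
        QuickModeSAs = Get-NetIPsecQuickModeSA |
            Select-Object LocalEndpoint, RemoteEndpoint
        RecentEvents = Get-WinEvent -MaxEvents 20 -ErrorAction SilentlyContinue `
            -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity' |
            Select-Object TimeCreated, Id, Message
    }
}

New-DcExemptionRule        | Out-Null
New-DomainIsolationRule    | Out-Null
New-ServerToServerCertRule | Out-Null
Get-IPsecMonitoringSnapshot
```

Connection security rules only authenticate; matching inbound or outbound firewall rules are still needed to allow the traffic itself.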
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the features and use of the Security Compliance Toolkit
●● Describe the benefits of drive encryption with Bitlocker
●● Describe the features of AppLocker
●● Describe methods of securing data in the enterprise
●● Describe the benefits and features of Windows Defender Advanced Threat Protection
Windows 10, which does not include over 1,800 Internet Explorer 11 settings. Of these 4,800 settings,
only some are security-related. Although Microsoft provides extensive guidance on different security
features, exploring each one can take a long time. You would have to determine the security impact of
each setting on your own. Then, you would still need to determine the appropriate value for each setting.
In modern organizations, the security threat landscape is constantly evolving, and IT pros and policy-makers
must keep up with security threats and make required changes to Windows security settings
to help mitigate these threats. To enable faster deployments and make managing Windows easier,
Microsoft provides customers with security baselines that are available in consumable formats, such as
Group Policy Objects backups.
Note: Security baselines are included in the Security Compliance Toolkit (SCT), which can be accessed
here: https://aka.ms/L0omxs
Overview of BitLocker
BitLocker provides additional protection for a computer’s operating system and any data that is stored on
that operating system or in other volumes. BitLocker helps ensure that data stored on a computer
remains encrypted, even if someone tampers with the computer while the operating system is not
running.
BitLocker provides a closely integrated solution in Windows 10 to help address the threats of data theft
or exposure from lost, stolen, or inappropriately decommissioned computers. Data on these types of
computers can become vulnerable to unauthorized access when a hacker either runs a software attack
tool against it or transfers the computer’s hard disk to a different computer.
BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections.
BitLocker also helps render data inaccessible when you decommission or recycle BitLocker-protected
computers.
BitLocker performs two functions that provide both offline data protection and system-integrity verification:
●● It encrypts all data that is stored on the Windows operating system volume (and configured data
volumes). This includes the Windows operating system, hibernation files and paging files, applications,
and data that applications use. BitLocker also provides an umbrella protection for non-Microsoft
applications, which benefits the applications automatically when they are installed on the encrypted
volume.
●● It is configured, by default, to use a Trusted Platform Module (TPM) chip to help ensure the integrity
of early startup components by ensuring that no modifications have been made to the trusted boot
path, such as BIOS, boot sector, and boot manager. Once the TPM has verified that there are no
changes, it releases the decryption key to the Windows OS Loader. If TPM does detect changes, it
locks any BitLocker-protected volumes, so they remain protected even if someone tampers with the
computer when the operating system is not running.
Note: The Windows 10 installation process partitions the computer’s hard disk to enable the use of
BitLocker.
Windows 10 now offers a newer encryption algorithm, XTS-AES, for BitLocker. Organizations concerned
with brute-force attacks on their devices, given physical access, may want to consider migrating their
BitLocker default encryption to XTS-AES. This option can be configured using Group Policy. Microsoft
recommends that customers enable this level of encryption on newly provisioned devices.
If an attacker can gain access to the startup process components, they can change the code in these
components and gain access to the computer even though the data on the disk is encrypted. Once the
attacker gains access to confidential information such as BitLocker keys or user passwords, they can
circumvent BitLocker and other Windows security protections.
BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional
security of prestartup system-integrity verification. To determine if a computer has a TPM version 1.2
chip, perform the following steps:
1. Open Control Panel, select System and Security, and then select BitLocker Drive Encryption.
2. In the lower left corner, select TPM Administration. The TPM Management on the Local Computer
console opens. If the computer does not have the TPM 1.2 chip, the “Compatible TPM cannot be
found” message displays.
Note: On computers that do not have TPM 1.2, you can still use BitLocker to encrypt the Windows
operating system volume. However, this implementation does not include a TPM, and requires the user
to insert a USB startup key to start the computer or resume from hibernation. It also does not provide the
prestartup system integrity verification that BitLocker provides when working with a TPM.
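As an added example that is not part of the course text, the following PowerShell performs the TPM check described in the steps above from the command line and reports the BitLocker state of every volume, flagging volumes that are unprotected, that use an algorithm other than XTS-AES, or whose operating system volume would need a USB startup key because no TPM is present. It reads configuration only and changes nothing.

```powershell
# Added example (not from the course): TPM and BitLocker status report for a Windows 10 computer.
# Assumes an elevated session; the Win32_Tpm class is only readable by administrators.
#Requires -RunAsAdministrator

function Get-TpmSummary {
    # Win32_Tpm exposes the specification version ("1.2, ..." or "2.0, ..."); Get-Tpm reports readiness.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm `
        -ErrorAction SilentlyContinue
    if (-not $wmi) {
        # Same situation as the "Compatible TPM cannot be found" message in the TPM console.
        return [pscustomobject]@{ Present = $false; SpecVersion = $null; Ready = $false }
    }
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present     = $tpm.TpmPresent
        SpecVersion = ($wmi.SpecVersion -split ',')[0].Trim()   # e.g. "1.2" or "2.0"
        Ready       = $tpm.TpmReady
    }
}

function Get-BitLockerReport {
    # XTS-AES is the algorithm the lesson recommends for newly provisioned devices.
    param([string[]] $PreferredMethods = @('XtsAes128', 'XtsAes256'))
    $tpm = Get-TpmSummary
    foreach ($vol in Get-BitLockerVolume) {
        $protectors = ($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" }) -join ','
        $issues = @()
        if ("$($vol.ProtectionStatus)" -ne 'On')        { $issues += 'protection off' }
        if ("$($vol.VolumeStatus)" -eq 'FullyDecrypted') { $issues += 'not encrypted' }
        elseif ("$($vol.EncryptionMethod)" -notin $PreferredMethods) {
            $issues += "method $($vol.EncryptionMethod) is not XTS-AES"
        }
        # Without a TPM there is no pre-startup integrity check and a USB startup key is required.
        if ("$($vol.VolumeType)" -eq 'OperatingSystem' -and -not $tpm.Present) {
            $issues += 'no TPM: startup key required'
        }
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Type       = "$($vol.VolumeType)"
            Status     = "$($vol.VolumeStatus)"
            Method     = "$($vol.EncryptionMethod)"
            Protectors = $protectors
            TpmVersion = $tpm.SpecVersion
            Issues     = ($issues -join '; ')
        }
    }
}

Get-BitLockerReport | Format-Table -AutoSize
```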
What is EFS?
EFS is a built-in file encryption tool for Windows-based systems. EFS is a component of the NTFS file
system, and it uses advanced, standard cryptographic algorithms to allow transparent file encryption and
decryption. Through the Windows Information Protection functionality of Windows 10, EFS functionality
is also simulated on volumes that use the FAT32 file system. Any individual or app that does not have
access to a certificate store that holds an appropriate cryptographic key cannot read encrypted data. You
can protect encrypted files even from those who gain physical possession of a computer on which files
are stored. Even people who have the authorization to access a computer and its file system cannot view
the encrypted data.
AppLocker benefits
You can use AppLocker to specify which software can run on user PCs and devices. AppLocker enables
users to run the applications, installation programs, and scripts that they require to be productive, while
still providing the security and compliance benefits of application standardization.
AppLocker can be useful for organizations that want to:
●● Limit the number and types of applications that can run. This can be done by preventing unlicensed
software or malware from running, and by restricting the ActiveX controls that are installed.
●● Reduce the total cost of ownership by ensuring that workstations are homogeneous across an
enterprise, and that users run only the software and applications that the enterprise approves.
●● Reduce the security risks and possibility of information leaks from running unauthorized software.
AppLocker rules
You can prevent many problems in your work environment by controlling which applications a user can
run. AppLocker enables you to do this by creating rules that specify exactly which applications a user can
run. AppLocker continues to function even when applications are updated.
Because you configure AppLocker with Group Policy, you need to understand Group Policy creation and
deployment. This makes AppLocker ideal for organizations that currently use Group Policy to manage
their Windows 10 computers or have per-user application installations.
To author AppLocker rules, you use a new AppLocker Microsoft Management Console (MMC) snap-in in
the Group Policy Management Editor window. AppLocker provides several rule-specific wizards. You can
use one wizard to create a single rule and another wizard to generate rules automatically, based on your
rule preferences and the folder that you select. AppLocker provides administrators with four wizards for
authoring rules:
●● Executable Rules Wizard
●● Windows Installer Rules Wizard
●● Script Rules Wizard
●● Packaged App Rules Wizard
At the end of each wizard, you can review the list of analyzed files. You then can modify the list to remove
any file before AppLocker creates rules for the remaining files.
The Event Viewer stores events for AppLocker on the local computer. You can review these events if you
want to check whether your AppLocker rules apply as designed. You can use the events in the following
table to troubleshoot AppLocker from the client.
can help to protect data at rest on the users' devices; however, you should also use built-in features in
the client device's platform to enhance this data protection.
Windows 10 includes many security features specifically targeted at large organizations. Among other
features, this version implements new user identity technologies to reduce dependence on user-chosen
passwords, improved credential storage to limit the impact of compromised PCs on other systems, and
improved software allow/block to secure locked-down devices such as point-of-service terminals against
malware. However, organizations must select the Enterprise edition of the OS; deploy prerequisite
hardware, software, and services; and invest time and money to deploy the improved protection successfully.
VPN Profiles
Windows 10 offers finer-grained control of virtual private network (VPN) software on the client through
VPN profiles. Windows 10 offers configuration of Microsoft and select third-party VPN profiles on client
computers using Group Policy, Intune, or third-party MDM. Centrally configuring VPN profiles can help
provide good defaults for network traffic from applications and devices that the organization would like
to protect.
With the November update, VPN profiles can be set to be always on when a user is logged on or triggered
by a specified Windows application. VPN traffic can also be configured for specific applications or
network traffic, or the administrator can specify that a device is locked down, meaning that all network
traffic should occur over a VPN.
Summary
In this exercise you will learn how to configure Microsoft Defender Antivirus and Windows Security
settings.
Scenario
You've been asked to configure and test Microsoft Defender Antivirus on SEA-CL1. You need to configure
protection settings to enable controlled folder access and to exclude E:\Labfiles\Tools from scanning.
You've decided to simulate a virus using a test file, sample.txt, located at C:\Files, to validate successful
threat detection.
Scenario
You need to verify that Microsoft Defender SmartScreen has been enabled and is configured on SEA-CL1.
You also need to verify that Exploit Protection settings are On by default.
Summary
In this exercise you will learn how to create and configure firewall rules to block and allow specific service
connections to a device. In this exercise you will learn how to create and configure connection security
rules to encrypt network traffic between Windows devices.
Scenario
Users that work on SEA-CL2 are not allowed to remote desktop into SEA-CL1. You need to verify that
remote desktop currently is allowed and then configure a firewall rule on SEA-CL1 that will block remote
desktop connections. You will leave the Remote desktop service enabled to allow for other device
connections to be configured at a later time.
Scenario
SEA-SVR1 also needs to be configured to allow remote desktop connections; however, SEA-CL1's firewall
configuration should not allow any user to use a remote desktop connection to SEA-SVR1 from SEA-CL1.
You will configure an outbound firewall rule on SEA-CL1 to prevent remote desktop connections to the
server.
Scenario
Your manager wants you to ensure that all network traffic between SEA-CL1 and SEA-CL2 is encrypted.
You need to configure a connection security rule with the setting “Require authentication for inbound
connections and request authentication for outbound connections” enabled on both devices.
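The three firewall scenarios above, written as an added PowerShell example rather than the lab's own steps: an inbound block for Remote Desktop on SEA-CL1, an outbound block scoped to SEA-SVR1, and the connection security rule with the "Require inbound, request outbound" setting on both clients. It uses the NetSecurity cmdlets built into Windows 10 and must run elevated; SEA-SVR1's address is a placeholder because the lab does not state it, and Remote Desktop's port (TCP and UDP 3389) is assumed from the standard service.

```powershell
# Added example (not part of the lab text). Builds the rules the three scenarios describe with the
# NetSecurity cmdlets built into Windows 10; run elevated on the computer each comment names.
# Remote Desktop listens on TCP and UDP 3389. SEA-SVR1's address is a placeholder the lab does not state.

$SeaSvr1Address = '<SEA-SVR1 IPv4 address>'   # placeholder: replace with the server's address

# Scenario 1, on SEA-CL1: block inbound Remote Desktop without disabling the service. A Block rule
# wins over the built-in "Remote Desktop" Allow rules for the same traffic, so other connections can
# be permitted later by removing or narrowing this rule rather than by touching the service.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Block inbound Remote Desktop ($proto)" -Direction Inbound `
        -Protocol $proto -LocalPort 3389 -Action Block -Profile Any | Out-Null
}

# Scenario 2, on SEA-CL1: SEA-SVR1 keeps accepting RDP from other hosts; only this client is kept
# from opening RDP sessions to it, so the rule is outbound and scoped to the server's address.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Block outbound Remote Desktop to SEA-SVR1 ($proto)" -Direction Outbound `
        -Protocol $proto -RemotePort 3389 -RemoteAddress $SeaSvr1Address -Action Block -Profile Any | Out-Null
}

# Scenario 3, on both SEA-CL1 and SEA-CL2: an isolation-style connection security rule with
# "Require authentication for inbound connections and request authentication for outbound connections".
# With the default authentication sets this uses computer (Kerberos) authentication, so both devices
# must be members of the same domain for the inbound requirement to be satisfiable.
New-NetIPsecRule -DisplayName 'Require inbound, request outbound' -InboundSecurity Require `
    -OutboundSecurity Request -Profile Any | Out-Null

# Verification: confirm the block rules are enabled and the IPsec rule carries the intended settings.
Get-NetFirewallRule -DisplayName 'Block*Remote Desktop*' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
Get-NetIPsecRule -DisplayName 'Require inbound, request outbound' |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity, Enabled -AutoSize
```

The "Require authentication" settings guarantee authenticated, integrity-protected traffic; whether the payload is also encrypted depends on the quick mode crypto set in force, so a rule that must encrypt should be paired with a set that requires ESP encryption (New-NetIPsecQuickModeCryptoSet).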
Summary
In this exercise you will learn how to encrypt a local disk drive using BitLocker.
Scenario
You have a Windows 10 computer that has sensitive data stored on the E drive. You decide to configure
and test BitLocker to see how it can be used to protect the data files that are stored on the local drive (E:).
Module Review
Check Your Knowledge
1. A hacker has captured network packets that workstations connected to your network send and
receive. You have concerns that your organization’s sensitive data has been compromised. What is this
kind of network-based security threat known as?
A. Man-in-the-middle attack
B. Port scanning
C. Denial of service attack
D. Eavesdropping
E. None mentioned
2. You have deployed several defense mechanisms to protect users from Phishing attacks. However,
some users are still falling prey to these attacks. Which of the following statements will not help
educate your users about Phishing?
A. Always check a URL before you select the link.
B. Multiple spelling and grammar mistakes can signal a scam.
C. Look for company contact information and brand accuracy.
D. Phishing scams are exclusively perpetrated in email.
E. All statements are accurate and will help users
3. You are configuring a 64-bit Windows 10 Enterprise computer. Your organization discourages the use
of weak passwords and storing passwords insecurely. Which of the following features can securely
store OS secrets and prevent hackers from accessing them even if the machine is already compromised?
A. Windows Hello
B. Microsoft Passport
C. Credential Guard
D. Encrypted File System (EFS)
E. None mentioned
4. You are an IT support professional for a power company. Ninety percent of the company's workforce
uses mobile devices. Which of the following Windows 10 data protection features is especially
valuable if one of their devices is stolen?
A. Windows Information Protection
B. Windows Device Health Attestation
C. BitLocker
D. VPN Profiles
E. None mentioned
5. You are configuring a Windows 10 computer's firewall. You need to keep the computer from being
visible to other computers. Which network location profile should you select?
A. Domain networks
B. Guest or public networks
C. Private networks
D. None mentioned
6. You are configuring a Windows 10 computer in your organization. You need to prevent computers
from connecting to this computer if they are not a member of the same domain. You decide to create
a connection security rule. Which of the following will you need to create?
A. Authentication exemption rules
B. Server-to-server rules
C. Isolation rules
D. Custom rules
7. Your organization has identified potential weaknesses in their private networks that might be susceptible
to exploitation. As an IT support professional for your organization, you are tasked with implementing
IPsec. Which of the following statements is true when referring to IPsec?
A. Offers self authentication before and during communications.
B. IPsec has two modes: Basic and Advanced
C. The Advanced mode encrypts data using one of several available algorithms.
D. Enables confidentiality through IP traffic encryption and digital-packet authentication.
8. BitLocker has entered a locked state on a user's computer in your domain environment. You need the
recovery password to unlock the encrypted data on the volume. What condition must be met in order
to locate the password? (select four)
A. You must be a domain administrator.
B. Computer must be quarantined from the network.
C. BitLocker must be configured to store recovery information in AD DS.
D. Computer must be joined to the domain.
E. BitLocker must be enabled on the computer that is locked.
F. You must be a BitLocker administrator.
Answers 1) D 2) D 3) C 4) C 5) B 6) C 7) D 8) A,C,D,E
Module 10 Supporting the Windows 10 Environment
Windows Architecture
Lesson Introduction
You can use Windows 10 on a range of devices, including tablets and other touch-enabled computers. To
optimize your users’ experience, you can choose between several editions of Windows 10.
This lesson provides you with information about the operating system’s architecture and supported
devices. It also describes the desktop support environment and troubleshooting terminology.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe Windows 10 devices.
●● Explain the Windows 10 operating system architecture.
●● Describe the desktop support environment.
●● Explain the key stages and terminology of a troubleshooting methodology.
Windows 10 Devices
In present-day enterprise environments, not all users want to work on a single desktop computer that has
a wired connection to the corporate network. Today, many users prefer wireless connectivity and remote
access to their work environments. When you use wireless connectivity, you can work on different devices
and from different locations.
Diagram showing images that represent Windows devices.
The type of device that the user wants to utilize to connect to a corporate network might vary depending
on the user’s requirements. Some users want the portability of a laptop computer, while others want to
use a touch-capable device, such as a tablet. Windows 10 is designed to operate across many device
types, and its use is not restricted to only desktop and laptop computing devices.
Form factors
Windows 10 supports several types of devices, including:
●● Desktop computers. This is the traditional computing platform that offers powerful performance but
limited mobility. To improve user productivity, you can combine desktop computers with touch
screens.
●● Laptop computers. Modern laptop computers can come with a touch screen, which allows users to
perform tasks much more quickly than they would by using a traditional mouse. You can convert
some laptop computers into tablets through screen rotation, although these types of device are not
as portable as standard tablets.
●● Convertible laptops. These devices are tablet computers that come with a docking station that has a
keyboard and additional ports, such as universal serial bus (USB) and video expansion ports. When
you separate a convertible laptop from its docking station, it provides all of the convenience of a
tablet. When on its docking station, this type of device enables users to work in a more traditional
fashion. Some docking stations also have an additional battery.
●● Tablets. Tablets come in a variety of sizes and with different specifications and features:
●● 12-inch tablets. These tablets are comparatively large, and you might find them more often on
convertible laptops with some kind of docking station. The Microsoft Surface Pro 6 is an 11.5 inch
tablet, and supports the attachment of optional keyboard covers.
●● 10-inch tablets. Comparable in size with the Apple iPad, these tablets often are stand-alone
devices, although they sometimes include a keyboard cover. These types of devices offer the best
portability.
●● 8-inch tablets. This type of device, which is similar to the Apple iPad Mini, provides optimum
portability. However, it might pose challenges for certain types of use. For example, using an 8-inch
tablet for a great deal of typing typically is not an easy task, and you can find better devices
for this purpose.
Note: These are broad device categories, and some devices do not fall into one category only.
Support Considerations
The type of support issues that you encounter could vary based on the type of device that the user is
using. Storage issues are more prevalent with tablet computers, since they have less storage space than a
laptop or desktop computer. Additionally, users might choose to use cloud-based storage with their
tablets. Using cloud-based storage introduces complexities, such as file synchronization and user
authentication to the storage platform. Desktop computer users are less likely to need to use cloud-based
storage as these devices tend to have larger internal drives and generally are always connected to
corporate networks.
Another consideration is that increasingly, users want to connect their own devices to corporate networks.
This practice increases an organization’s support concerns by introducing security issues and
device management issues. In addition, as devices become more mobile, the ability for IT departments to
manage those devices becomes a challenge.
Windows 10 Architecture
It is important to understand the differences between software applications, operating system services,
and hardware devices and their associated device drivers in the operating system kernel. The Windows 10
operating system architecture comprises the operating system kernel, system services, and applications.
System services
Operating system services are part of the operating system rather than components that you install after
the operating system deploys. Additionally, operating system services function with no user action. In
fact, they start before a user signs in to the computer.
Both operating system services and device drivers are software. However, the difference between them is
that device drivers interact directly with hardware devices or components. Generally, a system service
interacts with other software components in the operating system.
Note: From a management perspective, the difference between device drivers and services is more
obvious. You can use the Device Manager tool to manage device drivers, and you use the services
Microsoft Management Console (MMC) snap-in tool to manage system services.
System services include various executive services that provide distinct functions within the operating
system, including:
●● The I/O Manager manages I/O.
●● The virtual memory manager controls virtualization of memory within the operating system.
●● Other components within the executive control other aspects of the operating system.
●● The application programming interface (API) sets enable Windows 10 to support different types of
apps. The Windows RT APIs enable the operating system to run Windows Store apps, whereas Win32
and related API sets enable the operating system to run traditional desktop apps.
Understanding apps
At the upper level of the operating system, apps operate by interacting with the computer user, and at a
lower level by integrating with the operating system services. You install apps after you install the
operating system, and you must start apps manually to use them.
Microsoft engineered Windows 8.1 to support two different styles of apps. This involved modifying the
architecture of the Windows operating system to provide dual stacks of APIs as follows:
●● Traditional desktop apps, such as Office apps, use the Win32 APIs and Microsoft .NET Framework.
●● Windows Store apps use the Windows RT APIs.
The benefit of this dual stack approach is that the same operating system can support these two different
application platforms.
Windows 10 introduces the Universal Windows Platform (UWP), which is an evolution of the Windows
Runtime model that provides a common app platform across every device that is capable of running
Windows 10. Apps that are designed for the UWP can call both the Win32 APIs and Microsoft .NET
Framework, and can call the Windows RT APIs. This means developers can create a single app that can
run across all devices.
Workgroups
Workgroups, or peer-to-peer networks, are logical groupings of networked computers that share resources.
Workgroups are the easiest networks to set up and maintain, but they also are the least secure.
Each computer maintains its own local security database, which contains the valid user accounts for
signing in to that computer. The user accounts secure the data on each computer, and protect the
computer from unwanted access. However, the network is decentralized, which means that no single
computer provides centralized security of user accounts for all of the network’s computers.
Note: You typically would configure workgroups for home networks, small home offices, and small
businesses in which the computers are in close proximity to one another and often are connected by
using a hub, switch, or router. Larger corporations typically do not use workgroups, because they are not
as secure as other network options.
Domains
Domains are logical groupings of networked computers that share a common user database. In addition,
they manage security centrally on a single server, known as a domain controller, or on a group of servers
(domain controllers). A single domain must have one or more domain controllers. These computers
provide Active Directory Domain Services (AD DS), helping to secure access to resources, and providing a
single point of administration.
Domains are logical groupings, which you configure independent of the network’s actual physical
structure. Domains can span a building, city, state, country/region, or even the globe. You also can
configure them for a small office. You can connect a domain’s computers by DirectAccess, virtual private
network (VPN), Ethernet, broadband, satellite, or wireless connections.
Note: Larger companies and corporations typically configure domains because they are the most secure
network option. They also are extensible and offer centralized security and management. Smaller companies
generally do not use domains because they are more expensive, and require more attention than
workgroups.
Classification
When an end user first discovers and reports a computer problem, a series of classification processes
begins. During these processes, you gather information from the end user in an attempt to establish the
problem’s nature and scope. The initial discussion might reveal information that results in an immediate
resolution to the problem, but with more complex or serious problems, you must continue to troubleshoot
the issue to resolve it.
Problems that affect many end users are more serious in terms of their impact on organizational productivity,
and you must resolve them more quickly. Classification allows you time to determine the scope and
impact of problems so that you can prioritize them.
Even if you are immediately able to resolve a problem, you must log the problem by using your organization’s
methodology. Appropriate logging procedures ensure that you do not lose any incident reports.
Access to detailed incident reports allows organizations to monitor their IT systems more effectively and
make informed decisions about those systems.
Testing
When you have prioritized and logged a reported incident, the testing phase starts. During the testing
phase, you use a number of processes to determine the probable cause of a reported problem. You might
start by listing the possible causes. Typically, you might try to divide and isolate these possible causes.
In computer systems, dividing and isolating possible causes might mean making a distinction between:
●● Server and workstation-related issues
●● Hardware and software
●● Operating systems and applications
You can eliminate possible causes with this process, which in turn allows you to determine probable
causes.
When you reduce the list of possible causes to a manageable number, you can start a testing process.
The testing process helps you determine the probable cause of the problem as you work through your
list of potential causes.
One way to troubleshoot an issue is to reproduce the problem in a test environment. If you can reproduce
a problem easily, you likely can determine the probable cause. If a problem is more difficult to
reproduce, you must study your results, and perhaps modify your initial thoughts about the problem’s
probable cause.
Escalation
If you cannot determine a resolution during the initial testing phase, you must either consult additional
documentation or escalate the problem. If you suspect that the issue stems from a component, you can
escalate the problem to the component’s manufacturer. For other issues, you can escalate the issue
within your organization, if you have the requisite internal resources. Your organization should have an
established process for escalating reported incidents to your organization’s second-tier support staff. The
second-tier support staff then asks questions to classify the problem’s scope and assign it a priority level.
Reporting
When you resolve an incident, you must document the resolution. Recording any changes to your IT
system’s configuration is an important step. Problems often reoccur, and when you document them
properly, you can save time resolving subsequent occurrences of the same problem.
Support and Diagnostic Tools
Lesson Objectives
After completing this lesson, you will be able to:
●● Explain how to use the Task Manager tool.
●● Use Event Viewer to identify problems.
●● Explain how to use the Reliability Monitor.
●● Use the Diagnostics and Recovery Toolset.
●● Use the Steps Recorder to record details of a problem.
●● Use the Microsoft Management Console.
●● Understand the Windows Registry.
Task Manager
The Task Manager tool is one of the tools that end users and administrators use most for viewing system
performance and resource utilization on a device. Task Manager primarily is a performance-monitoring
tool, and not a reliability-monitoring tool.
Resource Monitor
You can access Resource Monitor from Task Manager or by running the perfmon /res command at a
command prompt. Similar to Task Manager, the primary goal of Resource Monitor is to monitor system
performance and utilization of CPU, disk, network, and memory resources. However, you also can use it
to help you to identify reliability problems, such as excessive use of system resources or unresponsive
apps.
Resource Monitor provides a snapshot of system performance, including a summary and a tab with
detailed information for each of the four key system components: processor, memory, disk, and network. If a
Windows 10 computer runs slowly, you can use Resource Monitor to view current activity in each of the
four component areas, and determine which is causing a performance bottleneck. However, Resource
Monitor can show only resource utilization for the local computer, not remote or virtual computers.
Event Viewer
Windows Event Viewer provides access to the Windows 10 event logs. Event logs provide information
regarding system events that occur within the Windows operating system. These events include information,
warning, and error messages about Windows components and installed applications.
Event Viewer provides categorized lists of essential Windows log events, including application, security,
setup, and system events, in addition to log groupings for individual installed applications and specific
Windows component categories. Individual events provide detailed information regarding the type of
event that occurred, when the event occurred, the source of the event, and technical detailed information
to assist in troubleshooting the event.
Additionally, Event Viewer enables you to consolidate logs from multiple computers onto a centralized
computer when you use subscriptions. Finally, you can configure Event Viewer to perform an action when
specific events occur. This could include sending an email message, launching an app, running a script, or
performing other maintenance actions to notify you or attempt to resolve a potential issue.
Event Viewer in Windows 10 includes the following features:
●● The ability to view multiple logs. You can filter for specific events across multiple logs, making it
quicker to investigate issues and troubleshoot problems that might appear in several logs.
●● Inclusion of customized views. You can use filtering to narrow searches to only those events in which
you are interested, and you then can save these filtered views.
●● The ability to configure tasks scheduled to run in response to events. You can automate responses to
events. To do this, Event Viewer is integrated with Task Scheduler.
●● The ability to create and manage event subscriptions. You can collect events from remote computers,
and then store them locally.
Note: To collect events from remote computers, you must create an inbound rule in Windows Firewall to
permit Windows Event Log Management.
Event Viewer tracks information from several different logs. These logs provide detailed information that
includes:
●● A description of the event.
●● An event ID number.
Windows logs
Event Viewer has many built-in logs, including those listed in the following table.
The Applications and Services logs also contain the Microsoft node. This node contains the Windows
subnode, which includes several nodes that contain granular log information.
Managing logs
If you want to clear a log manually, you must sign in as a local administrator. If you want to configure
event log settings centrally, you can do so by using Group Policy. To do this, open the Group Policy
Management Console for your selected Group Policy Object (GPO), and then navigate to Computer
Configuration\Policies\Administrative Templates\Windows Components\Event Log Service.
For each log, you can define:
●● The location of the log file.
●● The maximum size of the log file.
●● Automatic backup options.
●● Permissions on the logs.
●● Behavior that occurs when the log is full.
Custom views
Event logs contain vast amounts of data, which can make it challenging to narrow your search to only
those events that interest you. To accommodate this, you can customize views in Windows 10 so that you
can query and sort only the events that you want to analyze. You also can save, export, import, and share
these custom views.
Event Viewer allows you to filter for specific events across multiple logs, and display all events that could
relate to an issue that you are investigating. To specify a filter that spans multiple logs, you need to create
a custom view. You create custom views in the Action pane in Event Viewer. You can filter custom views
based on multiple criteria, including:
●● The time that the event was logged.
●● Event level to display, such as errors or warnings.
●● Logs from which to include events.
●● Specific event IDs to include or exclude.
●● User context of the event.
●● Computer on which the event occurred.
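The same criteria a custom view offers can be applied from a script, which also makes the view repeatable and usable against a remote computer. This is an added PowerShell example, not part of the course text: the function name is hypothetical, while Get-WinEvent's -FilterHashtable keys (LogName, Level, ID, StartTime, EndTime, UserID) and -ComputerName are built in; reading the Security log requires elevation.

```powershell
# Added example (not from the course text): a Get-WinEvent query that applies the criteria a custom
# view offers (time window, level, logs, event IDs to include or exclude, user context, computer).
# Function name is hypothetical; the -FilterHashtable keys and -ComputerName are built into Get-WinEvent.

function Get-CustomViewEvents {
    param(
        [string[]]$LogName      = @('Application', 'System'),   # logs from which to include events
        [int[]]   $Level        = @(1, 2, 3),                    # 1 Critical, 2 Error, 3 Warning
        [int[]]   $IncludeId,                                    # event IDs to include (all if empty)
        [int[]]   $ExcludeId,                                    # event IDs to drop after the query
        [datetime]$StartTime    = (Get-Date).AddDays(-1),        # time the event was logged: window start
        [datetime]$EndTime      = (Get-Date),                    # window end
        [string]  $UserSid,                                      # user context of the event, as a SID
        [string]  $ComputerName = $env:COMPUTERNAME              # computer on which the event occurred
    )
    # A -FilterHashtable is evaluated by the Event Log service, which is far faster than piping every
    # event through Where-Object; only the exclusion list has to be applied client-side.
    $filter = @{ LogName = $LogName; Level = $Level; StartTime = $StartTime; EndTime = $EndTime }
    if ($IncludeId) { $filter['ID']     = $IncludeId }
    if ($UserSid)   { $filter['UserID'] = $UserSid }

    # Get-WinEvent reports "No events were found" as an error; treat an empty result as empty, not fatal.
    $events = Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue
    if ($ExcludeId) { $events = $events | Where-Object { $_.Id -notin $ExcludeId } }

    $events | Select-Object TimeCreated, MachineName, LogName, ProviderName, Id, LevelDisplayName,
                            @{ Name = 'User'; Expression = { "$($_.UserId)" } }, Message
}

# Errors and warnings from the last day on the local computer, dropping one noisy event ID as an
# illustration (10016 is the DistributedCOM permission warning commonly excluded from such views).
Get-CustomViewEvents -ExcludeId 10016 | Format-Table TimeCreated, LogName, Id, LevelDisplayName, Message -AutoSize
```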
Subscriptions
Event Viewer enables you to view events on a single computer. However, troubleshooting an issue might
require you to examine a set of events that are stored in multiple logs on multiple computers. For this
purpose, Event Viewer enables you to collect copies of events from multiple remote computers, and then
store them locally. To specify which events to collect, create an event subscription. After a subscription is
active and events are being collected, you can view and manipulate these forwarded events as you would
any other locally stored events.
To use the event-collecting feature, you must configure the forwarding and the collecting computers. The
event-collecting functionality depends on the Windows Remote Management (WinRM) service and the
Windows Event Collector service (Wecsvc). Both of these services must be running on computers that are
participating in the forwarding and collecting process.
Enabling subscriptions
To enable subscriptions, perform the following steps:
1. On each source computer, to enable Windows Remote Management, type the following command
at an elevated command prompt, and then press Enter:
winrm quickconfig
2. On the collector computer, to enable the Windows Event Collector service, type the following
command at an elevated command prompt, and then press Enter:
wecutil qc
3. Add the computer account of the collector computer to the local Event Log Readers group on each of
the source computers.
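The three steps above wrapped in PowerShell, plus the subscription definition the collector still needs before any events flow. This is an added example rather than the course's own procedure: it uses winrm, wecutil and the LocalAccounts cmdlets built into Windows 10, the computer and domain names are placeholders, and the function and subscription names are hypothetical.

```powershell
# Added example (not from the course text). Wraps the three steps above in functions and adds the
# collector-initiated subscription the collector needs, using winrm, wecutil and the LocalAccounts
# module built into Windows 10. Names are placeholders; function and subscription names are hypothetical.

function Enable-EventSource {
    # Run elevated on EACH source computer (steps 1 and 3).
    param(
        [Parameter(Mandatory)][string]$CollectorComputer,   # e.g. 'SEA-CL1' (placeholder)
        [Parameter(Mandatory)][string]$Domain               # e.g. 'CONTOSO' (placeholder)
    )
    # Step 1: start WinRM, create the HTTP listener and open the firewall for it.
    winrm quickconfig -q
    # Step 3: a collector-initiated subscription reads the logs as the collector's computer account,
    # so DOMAIN\NAME$ must be in the local Event Log Readers group on every source.
    Add-LocalGroupMember -Group 'Event Log Readers' -Member "$Domain\$CollectorComputer`$" -ErrorAction SilentlyContinue
    Get-LocalGroupMember -Group 'Event Log Readers'
}

function Enable-EventCollector {
    # Run elevated on the collector computer (step 2, then create the subscription).
    param(
        [Parameter(Mandatory)][string[]]$SourceFqdn,        # e.g. 'SEA-CL2.contoso.com' (placeholder)
        [string]$SubscriptionId = 'LabForwarding'
    )
    # Step 2: configure and start the Windows Event Collector service (Wecsvc).
    wecutil qc /q

    $sources = ($SourceFqdn | ForEach-Object {
        "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`n"
    # Pull Critical, Error and Warning events from each source's System and Application logs into
    # the local ForwardedEvents log; the same XPath is what a custom view would use.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionId</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Forward warnings and errors from lab source computers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="System">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
        <Select Path="Application">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sources
  </EventSources>
</Subscription>
"@
    $path = Join-Path $env:TEMP "$SubscriptionId.xml"
    Set-Content -Path $path -Value $xml -Encoding UTF8
    wecutil cs $path                 # create the subscription from the XML
    wecutil gr $SubscriptionId       # runtime status: each source should report Active
}

# Usage (placeholders):
# Enable-EventSource    -CollectorComputer 'SEA-CL1' -Domain 'CONTOSO'   # on each source, e.g. SEA-CL2
# Enable-EventCollector -SourceFqdn 'SEA-CL2.contoso.com'                # on the collector, SEA-CL1
# Get-WinEvent -LogName ForwardedEvents -MaxEvents 10                     # confirm delivery
```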
Performance Monitor
The Performance Monitor is a Microsoft Management Console (MMC) snap-in that you can use to obtain
system performance information. You can use this tool to analyze the performance effect that applications
and services have on a computer, and you can use it to obtain an overview of system performance
or collect detailed information for troubleshooting. The Performance Monitor includes the following
features:
●● Monitoring Tools. The Monitoring Tools section contains the Performance Monitor, which provides a
visual display of built-in Windows performance counters, either in real time or as historical data. The
Performance Monitor includes the following features:
●● Multiple graph views
●● Custom views that you can export as data collector sets
The Performance Monitor uses performance counters to measure the system’s state or activity. The
operating system includes some performance counters and individual applications might include
additional performance counters. The Performance Monitor requests the current value of performance
counters at specified time intervals, by default every second. You can add performance counters to the
Performance Monitor by dragging and dropping the counters, or by creating a custom data collector
set. The Performance Monitor features multiple graph views that enable you to have a visual review of
performance log data. You can create custom views in the Performance Monitor that you then can
export as data collector sets for use with performance and logging features.
●● Data collector sets. The data collector set is a custom set of performance counters, event traces, and
system configuration data. After you create a combination of data collectors that describe useful
system information, you then can save them as a data collector set, and then run and view the results.
A data collector set organizes multiple data collection points into a single, portable component. You
can use a data collector set on its own, group it with other data collector sets and incorporate it into
logs, or view it in the Performance Monitor. You can configure a data collector set to generate alerts
when it reaches thresholds. You also can configure a data collector set to run at a scheduled time, for
a specific length of time, or until it reaches a predefined size. For example, you can run the data
collector set for 10 minutes every hour during working hours to create a performance baseline. You
also can set the data collector to restart when the collection reaches a set limit, so the Performance
Monitor creates a separate file for each interval. Scheduled data collector sets collect data regardless
of whether the Performance Monitor is started.
●● Reports. Use the Reports feature to view and generate reports from a set of counters that you create
by using data collector sets. The Performance Monitor creates a new report automatically every time a
data collector set runs.
Reliability Monitor
The Reliability Monitor reviews a computer’s reliability and problem history. You can use the Reliability
Monitor to produce several kinds of reports and charts that can help you identify the source of reliability
issues. You can access Reliability Monitor by selecting View reliability history in the Maintenance
section of the Security and Maintenance item in Control Panel (called Action Center in earlier Windows
versions).
Support and Diagnostic Tools 347
The following section explains the main features of the Reliability Monitor in more detail.
Note: To access Reliability Monitor, in the Search box, type Reliability, and then select View reliability
history.
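The same history that Reliability Monitor charts can be read from Windows PowerShell through the Win32_ReliabilityRecords and Win32_ReliabilityStabilityMetrics CIM classes. The following is an added example, not part of the course text; the seven-day window, the function name and the choice of event sources to show are decisions made for this illustration.

```powershell
# Added example, not part of the course text: reading the history that Reliability
# Monitor charts, through the Win32_ReliabilityRecords and
# Win32_ReliabilityStabilityMetrics CIM classes. The 7-day window, the function
# name and the sources shown are choices made for this illustration.

$since = (Get-Date).AddDays(-7)

function Get-RecentReliabilityEvents {
    param(
        [datetime]$Since,
        [string[]]$Sources = @('Application Error', 'Application Hang')
    )
    # Only the first line of the event text is kept, for a compact table.
    Get-CimInstance -ClassName Win32_ReliabilityRecords |
        Where-Object { $_.TimeGenerated -ge $Since -and $_.SourceName -in $Sources } |
        Sort-Object TimeGenerated -Descending |
        Select-Object TimeGenerated, SourceName, ProductName, EventIdentifier,
                      @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Application crashes (source "Application Error", event 1000) and hangs
# ("Application Hang", event 1002) over the last week.
Get-RecentReliabilityEvents -Since $since | Format-Table -AutoSize

# Which other sources (Windows Update, installers, ...) Reliability Monitor has
# grouped under the same days.
Get-CimInstance -ClassName Win32_ReliabilityRecords |
    Where-Object { $_.TimeGenerated -ge $since } |
    Group-Object SourceName | Sort-Object Count -Descending |
    Select-Object Count, Name

# The daily stability index (10 = most stable, 1 = least) is the line at the top
# of Reliability Monitor's chart; a drop marks the day to investigate.
Get-CimInstance -ClassName Win32_ReliabilityStabilityMetrics |
    Where-Object { $_.TimeGenerated -ge $since } |
    Sort-Object TimeGenerated |
    Select-Object TimeGenerated, SystemStabilityIndex |
    Format-Table -AutoSize
```

The data behind both classes is produced by the Reliability Analysis Component scheduled task (RacTask), so a freshly installed computer, or one on which that task has been disabled, returns nothing rather than an error.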
●● Hotfix uninstall. Use this tool to remove hotfixes or service packs from a computer.
●● Locksmith. Use this tool to set or reset the password for any local account.
●● Registry editor. Use this tool to edit the local registry.
●● SFC scan. Use this tool to launch the System File Repair Wizard, which enables you to repair system
files that are preventing the installed operating system from starting.
●● Solution Wizard. Use this tool to present a series of questions, and then based on your answer, the
tool recommends the best tool for the situation.
●● TCP/IP config. Use this tool to configure TCP/IP settings manually for a computer that you are trouble-
shooting.
Note: You can find out more about the Diagnostics and Recovery Toolset 10 and download it from the
TechNet website at: http://aka.ms/lilbki.
Steps Recorder
The Steps Recorder tool can be a useful diagnostic tool for visually recording the steps that lead to a
problem. You can load the Steps Recorder tool from Start in the Windows Accessories folder in All
apps. To record steps, in the Steps Recorder tool, select Start Record. Then, perform the necessary steps
to reproduce a particular problem. When you finish, select Stop Record. You then can save the recording.
Saving the recording creates an MHTML file (stored in a zipped format) that you can later analyze to see
the steps involved in a particular procedure. Because the recording contains a screenshot of the entire
screen at each step, review it for passwords, personal data, and other sensitive content before you save
or share it. Aside from troubleshooting, you also can use the recorded steps to demonstrate particular
procedures for your users.
Microsoft Management Console enables system administrators to create special tools to delegate specific
administrative tasks to users or groups. Microsoft provides standard tools with the operating system that
perform everyday administrative tasks that users need to accomplish. These are part of the All Users
profile of the computer and located in the Administrative Tools group on the Start menu. Saved as
MMC console (.msc) files, these custom tools can be sent by e-mail, shared in a network folder, or posted
on the Web. They can also be assigned to users, groups, or computers with system policy settings. A tool
can be scaled up and down, integrated seamlessly into the operating system, repackaged, and custom-
ized. Because an .msc file determines which snap-ins and extensions MMC loads, treat it as executable
content: accept console files only from sources you trust, and distribute them from a location that users
cannot modify.
Using MMC, system administrators can create unique consoles for workers who report to them or for
workgroup managers. They can assign a tool with a system policy, deliver the file by e-mail, or post the
file to a shared location on the network. When a workgroup manager opens the .msc file, the console
shows only those tools that the system administrator included. This restriction is a user-interface
convenience, not a security boundary: the rights the user actually has over the managed objects still
come from the user's own permissions, and any user can open a console in author mode by running
mmc /a.
Building your own tools with the standard user interface in MMC is a straightforward process. Start with
an existing console and modify or add components to fulfill your needs. Or create an entirely new
console. The following example shows how to create a new console and arrange its administrative
components into separate windows.
Creating Consoles
The most common way for administrators to use MMC is to simply start a predefined console file from
the Start menu. However, to get an idea of the flexibility of MMC, it is useful to create a console file from
scratch.
To open Microsoft Management Console in Windows 10, select Start, type MMC in the search box, and
then select the mmc Run command result.
Hives
The following list describes the top-level hives, or subtrees.
●● HKEY_CLASSES_ROOT. This hive contains file association information and defines which application
opens when a user double-clicks a particular file type on the file system. For example, it defines that
the application for .xlsx files is Microsoft Excel. This hive is populated from the computer-related and
user-related settings that are stored in HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_
USER\Software\Classes. You typically will not make edits to this hive.
●● HKEY_CURRENT_USER. This hive contains configuration information for the currently signed-in user.
Items such as the user’s Windows color scheme and font settings are stored in relevant values below
this hive. When referencing this hive while editing the registry, it is often abbreviated to HKCU. This
hive is a shortcut to a key stored in HKEY_USERS.
●● HKEY_LOCAL_MACHINE. This is probably the most important hive and the one to which you likely will
make the most edits. Sometimes abbreviated to HKLM, this hive stores all of the computer-related
configuration settings.
●● HKEY_USERS. This hive contains a collection of all of the configuration information for all users that
have signed in locally to the computer, including the currently signed-in user. In fact, one of the keys
beneath this hive is the key of the currently signed-in user, which is shown as the HKEY_CURRENT_USER
hive. It is important to know that you are likely to make direct edits to the user settings for the
currently signed-in user only.
●● HKEY_CURRENT_CONFIG. This hive contains information about the current hardware profile that the
local computer used during system startup. You typically do not make edits to this hive.
Note: Most likely, you will make direct changes only to the values stored within the hives HKEY_LOCAL_
MACHINE and HKEY_CURRENT_USER.
Note: The registry is a hierarchical database of values structured in hives, keys, and subkeys, but the
actual registry database is stored on the local file system as a set of hive files: the computer-wide hives
(SAM, SECURITY, SOFTWARE, SYSTEM, and DEFAULT) in the C:\Windows\System32\Config folder, and each
user's HKEY_CURRENT_USER data in the Ntuser.dat file in that user's profile folder. Windows holds these
files open while it is running, and there is no requirement for you to access them directly. Because the
SAM and SECURITY hives hold local account password hashes and cached secrets, their file and key
permissions restrict them to the SYSTEM account; protect any backup or offline copy of them accordingly.
Values
Values define the behavior of the operating system, and they are stored in keys and subkeys. There are
many types of values, depending upon the type of data that each stores. For example, you may wish to
store text values, numerical data, variables, and similar data. The following table lists the more common
types of registry values.
However, if you must make the change across hundreds of computers, you may decide to use Windows
PowerShell or Group Policy. The following sections describe ways in which you can make registry edits.
Note: As a best practice, back up the registry before making any edits to it. You can export the specific
key that you are editing, or you can use a tool, such as System Restore, to capture a restore point.
Incorrectly editing the registry could severely damage your system.
REG files
You also can use a structured text file with a .reg extension (a registry entries file) to merge values into
the registry. The file will look like the following example:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\atapi]
"Start"=dword:00000001
Note: This particular .reg file edits the Start value stored in the HKEY_LOCAL_MACHINE\SYSTEM\
ControlSet001\services\atapi path, and assigns it the DWORD value of 1. Be aware that ControlSet001
is not necessarily the control set that Windows is currently running: HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet is a link to whichever numbered control set is active (recorded in HKEY_LOCAL_
MACHINE\SYSTEM\Select), so service settings are normally edited through CurrentControlSet.
After you have created the .reg file, you can import it in one of the following ways:
●● Double-click the file and confirm that you want to continue.
●● Run a simple script that loads the file. The following command imports the settings stored in setting1.
reg without prompting the user to confirm (the /s switch suppresses the prompt, and the redirection
discards any output):
regedit /s C:\Registry\setting1.reg > nul
●● Open the Registry Editor, and use the import option to access the appropriate .reg file.
Windows PowerShell
Windows PowerShell includes a registry provider that represents the registry like a file system, displaying
keys and subkeys as subfolders of the registry hive, in the same way that folders and subfolders of drive
C are displayed. For example, to see the contents of the HKEY_LOCAL_MACHINE hive, open an elevated
Windows PowerShell prompt, type the following command, and then press Enter:
Get-ChildItem -Path hklm:\
Because dir (and gci) is an alias for the Get-ChildItem cmdlet, you also can type:
dir hklm:\
Note that cd is an alias for Set-Location, not for Get-ChildItem: typing cd hklm: moves your current
location into the hive, after which dir lists the keys beneath it.
In the preceding code sample, the string assigned value is written to a value named examplevaluename
under the registry path HKEY_CURRENT_USER\Software\Example.
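The registry provider and the .reg import described in the two sections above, combined into one script that also follows the earlier best-practice note by backing up the key first. This is an added example, not part of the course text. HKCU:\Software\Example, examplevaluename, the string assigned value and C:\Registry\setting1.reg are the names used by the course; the backup file location is an assumption.

```powershell
# Added example, not part of the course text: editing a registry value with the
# PowerShell registry provider, backing the key up first, and importing a .reg file
# silently. HKCU:\Software\Example, examplevaluename and C:\Registry\setting1.reg
# come from the course text; the backup location under %TEMP% is an assumption.

$keyPath = 'HKCU:\Software\Example'
$name    = 'examplevaluename'
$backup  = Join-Path $env:TEMP 'Example-backup.reg'

# 1. Back up the key before touching it (the course's best-practice note).
#    reg.exe wants the hive written as HKCU, not as the provider's HKCU: drive.
if (Test-Path $keyPath) {
    reg.exe export 'HKCU\Software\Example' $backup /y | Out-Null
}

# 2. Create the key if needed, then create or update the value.
#    New-ItemProperty fails if the value already exists, so update with Set-ItemProperty.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
$existing = Get-ItemProperty -Path $keyPath -Name $name -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-ItemProperty -Path $keyPath -Name $name -Value 'assigned value' -PropertyType String | Out-Null
} else {
    Set-ItemProperty -Path $keyPath -Name $name -Value 'assigned value'
}

# 3. Read it back. Get-ItemProperty returns an object whose members are the key's values.
(Get-ItemProperty -Path $keyPath -Name $name).$name

# 4. Import a .reg file without the confirmation prompt (the regedit /s case).
#    Wait for regedit to exit so that later commands see the merged values.
$regFile = 'C:\Registry\setting1.reg'
if (Test-Path $regFile) {
    $p = Start-Process -FilePath regedit.exe -ArgumentList '/s', "`"$regFile`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { Write-Warning "regedit exited with code $($p.ExitCode)" }
}
```

Two points matter when this runs as a deployment script rather than interactively: writes under HKLM: require an elevated session, and HKCU: is the hive of the account running the script, so a script that runs as SYSTEM writes to the SYSTEM account's profile, not to the signed-in user's.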
Additional Reading: For more information about working with registry keys, refer to: https://docs.
microsoft.com/en-us/windows/win32/sysinfo/registry
Group Policy Preferences
You can create, update, replace, and delete registry keys and values when you use Group Policy Prefer-
ence in the domain GPO. This approach is very effective if you need to manage registry updates on many
computers in an Active Directory environment.
Additional Tools
Microsoft also provides the following tools for improving performance:
Sysinternals
In addition to the built-in performance monitoring tools in Windows 10, you also can download and use
the Sysinternals suite of tools. Sysinternals offers a number of advanced system utilities. Several of these
tools are useful for monitoring performance, including:
●● Contig. This tool enables you to defragment your frequently used files quickly.
●● DiskMon. This tool enables the computer to capture all hard disk activity, and acts like a software disk
activity light in the system tray.
●● PageDefrag. This tool defragmented paging files and registry hives on earlier Windows versions. It has
been retired and does not run on Windows 10.
●● Process Explorer. This tool enables you to determine which files, registry keys, and other objects
processes have open, which DLLs they have loaded, and more. This tool also displays who owns each
process.
●● Process Monitor. This tool enables you to monitor file system, registry, process, thread, and dynam-
ic-link library (DLL) activity in real time.
●● Autoruns. Extensive scan of programs, drivers, scripts, and extensions that are configured to run
during bootup, login or when certain Windows applications launch.
Additional Reading: For more information, refer to: “Sysinternals Suite” at: http://aka.ms/frah6v
Note: Defragment utilities should not be used on solid-state drives (SSD).
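The Autoruns entry above is where a support engineer most often meets something other than a performance problem: an autostart entry whose image is unsigned or missing. The following added example, not part of the course text or of the Sysinternals suite, drives autorunsc.exe (the console version of Autoruns) and verifies each entry's image independently with Get-AuthenticodeSignature. It assumes autorunsc.exe lives in C:\Tools and that the CSV it writes has the Entry Location, Entry and Image Path columns; both paths are kept free of spaces so that the cmd.exe redirection needs no quoting.

```powershell
# Added example, not part of the course text: list autostart entries with
# autorunsc.exe and flag those whose image is unsigned, has a broken signature,
# or does not exist. Assumptions: autorunsc.exe is in C:\Tools (a path without
# spaces, so the cmd.exe redirection below needs no quoting) and its CSV output
# carries the "Entry Location", "Entry" and "Image Path" columns.

$autorunsc = 'C:\Tools\autorunsc.exe'
$csv       = 'C:\Tools\autoruns.csv'

# -a * : every entry category   -c : CSV output   -s : verify signatures
# -h : file hashes   -accepteula / -nobanner : non-interactive
# Redirect inside cmd.exe so that PowerShell does not re-encode the output.
cmd.exe /c "$autorunsc -accepteula -nobanner -a * -c -s -h > $csv"

# Autoruns console output may be UTF-16; pick the encoding from the byte-order mark.
$bytes = [System.IO.File]::ReadAllBytes($csv)
$enc   = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) { 'Unicode' } else { 'UTF8' }
$entries = Import-Csv -Path $csv -Encoding $enc

$suspicious = foreach ($e in $entries) {
    $image = $e.'Image Path'
    if (-not $image -or -not (Test-Path -LiteralPath $image)) {
        # A dangling entry is worth a look on its own: the file is gone or the path is wrong.
        [pscustomobject]@{ Entry = $e.Entry; Location = $e.'Entry Location'; Image = $image; Status = 'FileMissing' }
        continue
    }
    # Check the signature ourselves rather than trusting the report. Valid means the
    # chain builds to a trusted root; catalog-signed Windows binaries count as Valid.
    $sig = Get-AuthenticodeSignature -LiteralPath $image -ErrorAction SilentlyContinue
    $status = if ($null -eq $sig) { 'Unknown' } else { $sig.Status.ToString() }
    if ($status -ne 'Valid') {
        [pscustomobject]@{ Entry = $e.Entry; Location = $e.'Entry Location'; Image = $image; Status = $status }
    }
}

$suspicious | Sort-Object Status, Location | Format-Table -AutoSize
```

Run it on a known-good reference computer first and keep that CSV: a diff between the reference list and a problem computer's list is usually faster to read than the full report, and NotSigned entries from the organisation's own scripts will appear on both.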
Windows Admin Center is intended to complement tools like System Center Virtual Machine Manager
(SCVMM), Azure security and management, and the RSAT tools. While its primary function is managing
servers, Windows Admin Center provides desktop administrators a subset of the Server Manager
features for managing Windows 10 client PCs. That subset includes:
●● Displaying resources and resource utilization
●● Certificate Management
●● Managing Devices
●● Event Viewer
●● File Explorer
●● Firewall Management
●● Configuring Local Users and Groups
●● Registry Editing
●● Managing Scheduled tasks
●● Managing Windows Services
●● Managing Storage
●● Virtual Machines
●● Virtual Switches
When Windows Admin Center is installed on a server as a gateway, WAC defines two roles for access to
the gateway service: gateway users and gateway administrators. Gateway users can access and use the
service, but only gateway administrators can define who can access the gateway. Note that these permis-
sions only grant access to the WAC tool itself. The user must also have the appropriate permissions on
the target client or server to manage it.
With WAC, a user with full local administrator privileges will have full permissions to manage the target
client. However, WAC supports role-based access control, which grants users the specific permissions that
they need to perform their job without granting full administrative permissions. This is typically more
useful for servers than clients.
The following provides a list of the available roles:
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe key system components in Windows 10.
●● Describe performance monitoring tools in Windows 10.
●● Explain how to establish a performance baseline.
●● Explain how to optimize disk and memory performance in a Windows 10 computer.
●● The workstation role and its workload, to determine which hardware components are likely to restrict
performance.
●● The ability to increase workstation performance by adding power or reducing the number of applica-
tions that the user runs.
Note: Although not considered a core component, the graphics adapter and its driver also can have a
significant impact on the performance of graphics-intensive applications. If your users intend to run
applications that are graphically demanding, ensure that you select a device with a powerful graphics
subsystem, and that you install the latest vendor-specific driver rather than relying on a generic driver.
Processor
One important factor in determining your computer’s overall processor capacity is processor speed.
Processor speed is determined by the number of operations that the processor performs over a specific
time period. Computers with multiple processors or processors with multiple cores generally perform
processor-intensive tasks with greater efficiency, and as a result, are faster than single processor or
single-core processor computers.
Processor architecture is also important. 64-bit processors can access more memory and have a signifi-
cant positive effect on performance. This is true especially when applications that run on users’ worksta-
tions require a large amount of memory.
Disk
Hard disks store programs and data. Consequently, the throughput of a workstation’s disk affects its
speed, especially when the workstation performs disk-intensive tasks. Many hard disks have moving
parts, and it takes time to position the read/write heads over the appropriate disk sector to retrieve the
requested information.
Most Windows-based tablet devices use solid-state drives (SSDs), which have no moving parts. SSDs have
different read and write performance profiles. Determine the workload profile, and then attempt to match
the disk’s performance profile to optimize the device’s performance.
By selecting faster disks, and by using collections of disks to optimize access times (Storage Spaces or
redundant array of independent disks (RAID)), you can alleviate the potential for the disk subsystem to
create a performance bottleneck. Windows 10 moves information from the disk into memory before it
uses it. Therefore, if surplus memory exists, the Windows 10 operating system uses it as a file cache for
items recently written to, or read from, disk. Installing additional memory in a workstation often improves
the disk subsystem performance, because serving a request from the cache is faster than reading the data
from disk again.
Finally, consider the type of work for which users will use the device. Different work profiles use disks in
different ways. For example, some applications read from a disk more frequently than they write to the
disk (read-intensive), and therefore good read performance is important; other applications are more
write-intensive.
Memory
Programs and data load from disk into memory before the program manipulates the data. In worksta-
tions that run multiple programs, or where datasets are very large, installing more memory can improve
workstation performance.
Windows 10 uses a memory model that does not reject excessive memory requests. Instead, Windows 10
manages them by using a process known as paging. During paging, Windows 10 moves the data and
programs in memory that processes are not currently using, to the paging file on the hard disk. This frees
up physical memory to satisfy the excessive memory requests. However, because a hard disk is compara-
tively slow, it has a negative effect on workstation performance. By adding more memory, and by using a
64-bit processor architecture that supports larger memory, you can reduce the need for paging.
Network
You can easily underestimate how a network that performs poorly can affect workstation performance,
because it is not as easy to see or to measure as the other workstation components. However, the
network is a critical component for performance monitoring, because so many of the applications and
data that a workstation processes are stored on network servers. In addition, wireless networks share the
available bandwidth among all connected devices.
Understanding bottlenecks
A performance bottleneck occurs when a computer is unable to service the current requests for a specific
resource. The resource might be a key component, such as a disk, memory, processor, or network.
Alternatively, the shortage of a component within an application package also might cause a bottleneck.
By using performance-monitoring tools on a regular basis, and by comparing the results to historical
data, you can identify performance bottlenecks before they affect users. Once you identify a bottleneck,
you must decide how to remove it. Your options for removing a bottleneck include:
●● Running fewer applications.
●● Adding additional resources to the computer.
A computer suffering from a severe resource shortage might stop processing user requests. This situation
requires immediate attention. However, if a computer experiences a bottleneck but still operates within
acceptable limits, you might decide to defer any changes until you have an opportunity to take corrective
action. As you identify and resolve a performance problem that is
affecting one system component, another component might become affected. Therefore, performance
monitoring is an ongoing process.
Performance Monitoring
Task Manager
You can use the Performance tab in Task Manager to help to identify performance problems. The Perfor-
mance tab displays a summary of CPU and memory usage, and network statistics.
Generally, you might consider using Task Manager when a performance-related problem first becomes
apparent. For example, you might examine the running processes to determine if a particular program is
using excessive CPU resources. Remember that Task Manager shows a snapshot of current resource
consumption. You may need to examine historical data to get a better understanding of a computer’s
performance and response under load.
Resource Monitor
When the Resource Monitor first opens, the initial view is of the Overview tab. On the right side are four
graphs: CPU, Disk, Network, and Memory. You can examine these graphs, looking for excessive peaks in
CPU, Disk, Network, or Memory activity. In the main pane, you can examine details about each compo-
nent by expanding each component’s information list. It lists each process that is running on the comput-
er, and includes information about resource consumption for each process. For example, the number of
threads and the percentage of CPU capacity in use displays for each running process.
Having determined that a particular component is causing a bottleneck, you can use the appropriate
component tab to view more information. Remember that a snapshot of current activity, which Resource
Monitor provides, tells only a partial story. For instance, you might see a peak in activity, which is not
representative of average performance.
Performance Monitor
Performance Monitor features multiple graph views that give you a visual review of performance log data.
You can create custom views in Performance Monitor that you can export as data collector sets for use
with performance and logging features.
You can use data collector sets and the Performance Monitor tools to organize multiple data collection
points into a single component that you can use to review or log performance. The Performance Monitor
also includes default data collector set templates to help system administrators begin the process of
collecting performance data.
In the Performance Monitor, under the Data Collector Sets node, you can use the User Defined node to
create your own data collector sets. You can specify which objects and counters you want to include in
the set for monitoring. To help you select appropriate objects and counters, you can use the following
templates provided for monitoring:
●● System Diagnostics. This template selects objects and counters that report the status of hardware
resources, system response time, and processes on the local computer, along with system information
and configuration data. The report provides guidance on ways to optimize the computer’s responsive-
ness.
●● System Performance. This template generates reports that detail the status of local hardware resourc-
es, system response times, and processes.
●● WDAC Diagnostics. This template enables you to trace debug information for Windows Data Access
Components.
You also can configure a data collector set to run at a scheduled time, for a specific length of time, or
until it reaches a predefined size. For example, you can run the data collector set for 10 minutes every
hour during working hours to create a performance baseline. You also can set the data collector to restart
when set limits are reached, so that a separate file will be created for each interval.
Monitoring and Troubleshooting Performance 365
Note: It is not necessary for Performance Monitor to be running for data to be collected into a data
collector set.
You can add many different performance counters to the Performance Monitor. Some performance
counters are not often used. The following list shows the commonly used performance counters and the
threshold at which each suggests a problem. Treat the thresholds as starting points for comparison
against your own baseline rather than as absolute limits; several of them (notably the pool-size figures
and the /3GB switch) come from 32-bit Windows Server guidance and are less meaningful on a 64-bit
Windows 10 client.
●● LogicalDisk\% Free Space. Measures the percentage of free space on the selected logical disk drive.
Take note if this falls below 15 percent, because you risk running out of free space for the operating
system to store critical files. One solution is to add more disk space.
●● PhysicalDisk\% Idle Time. Measures the percentage of time the disk was idle during the sample
interval. If this counter falls below 20 percent, the disk system is saturated. You should consider
replacing the current disk system with a faster one.
●● PhysicalDisk\Avg. Disk Sec/Read. Measures the average time, in seconds, to read data from the disk.
If the number is larger than 25 milliseconds (ms), that is, 0.025 in the counter's units, the disk system is
experiencing latency when it is reading from the disk.
●● PhysicalDisk\Avg. Disk Sec/Write. Measures the average time, in seconds, it takes to write data to the
disk. If the number is larger than 25 ms, the disk system is experiencing latency when it is writing to
the disk.
●● PhysicalDisk\Avg. Disk Queue Length. Indicates how many I/O operations are waiting for the hard
drive to become available. If the value is larger than two times the number of spindles, the disk itself
might be the bottleneck. If this counter indicates a possible bottleneck, consider measuring the Avg.
Disk Read Queue Length and Avg. Disk Write Queue Length to try to determine whether read or write
operations are the cause.
●● Memory\Cache Bytes. Indicates the amount of memory that the file-system cache uses. There might
be a disk bottleneck if this value is greater than 300 megabytes (MB).
●● Memory\% Committed Bytes in Use. Measures the ratio of Committed Bytes to the Commit Limit, or
in other words, the amount of virtual memory in use. If the number is greater than 80 percent, it
indicates insufficient memory.
●● Memory\Available Mbytes. Measures the amount of physical memory, in megabytes, available to run
processes. If this value is less than 5 percent of the total physical random access memory (RAM), there
is insufficient memory, which can increase paging activity.
●● Memory\Free System Page Table Entries. Indicates the number of page table entries not currently in
use by the system. If the number is less than 5,000, there might be a memory leak.
●● Memory\Pool Non-Paged Bytes. Measures the size, in bytes, of the nonpaged pool. This is an area of
system memory for objects that cannot be written to a disk, but instead must remain in physical
memory for as long as they are allocated. If the value is greater than 175 MB (or 100 MB on 32-bit
Windows started with the /3GB switch), there is a possible memory leak.
●● Memory\Pool Paged Bytes. Measures the size, in bytes, of the paged pool. This is an area of system
memory for objects that can be written to disk when they are not being used. There might be a
memory leak if this value is greater than 250 MB (or 170 MB with the /3GB switch).
●● Memory\Pages per Second. Measures the rate at which pages are read from or written to the disk to
resolve hard page faults. If the value is greater than 1,000 as a result of excessive paging, there might
be a memory leak.
●● Processor\% Processor Time. Measures the percentage of elapsed time that the processor spends
executing a non-idle thread. If the percentage is greater than 85 percent, the processor is
overwhelmed, and the computer might require a faster processor.
●● Processor\% User Time. Measures the percentage of elapsed time that the processor spends in user
mode. If this value is high, the computer is busy with the application.
●● Processor\% Interrupt Time. Measures the time that the processor spends receiving and servicing
hardware interrupts during specific sample intervals. If the value is greater than 15 percent, this
counter indicates a possible hardware issue.
●● System\Processor Queue Length. Indicates the number of threads in the processor queue. The
computer does not have enough processor power if the value is more than two times the number of
CPUs for an extended period of time.
●● Network Interface\Bytes Total/Sec. Measures the rate at which bytes are sent and received over
each network adapter, including framing characters. The network is saturated if more than 70 percent
of the interface bandwidth is consumed.
●● Network Interface\Output Queue Length. Measures the length of the output packet queue, in
packets. There is network saturation if the value is more than 2.
●● Process\Handle Count. Measures the total number of handles that a process currently has open.
This counter indicates a possible handle leak if the number is greater than 10,000.
●● Process\Thread Count. Measures the number of threads currently active in a process. There might be
a thread leak if the difference between the minimum and maximum values observed for the process is
more than 500.
●● Process\Private Bytes. Indicates the amount of memory that this process has allocated that it cannot
share with other processes. There might be a memory leak if the value keeps growing, with a
difference of more than 250 between the minimum and maximum values observed.
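The counters above can be sampled from Windows PowerShell with Get-Counter, which makes the threshold test repeatable, and the ten-minutes-per-hour baseline described earlier can be created as a data collector set with logman. The following is an added example, not part of the course text: the function name, the sample count, the data collector set name Baseline, the output folder C:\PerfLogs\Baseline and the scheduled task are choices for this illustration; the thresholds are the ones the list states.

```powershell
# Added example, not part of the course text: sample a subset of the counters above,
# average them over a short window, and flag those past the stated thresholds; then
# create a data collector set for an hourly 10-minute baseline. The function name,
# sample counts, the set name "Baseline", C:\PerfLogs\Baseline and the scheduled
# task are choices for this illustration; thresholds are the ones in the course list.

function Test-PerfThresholds {
    param([int]$Samples = 5, [int]$IntervalSeconds = 1)

    # Relative thresholds need the machine's RAM and logical CPU count.
    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $totalMB  = [math]::Round($cs.TotalPhysicalMemory / 1MB)
    $cpuCount = $cs.NumberOfLogicalProcessors

    $counters = '\Processor(_Total)\% Processor Time',
                '\System\Processor Queue Length',
                '\Memory\Available MBytes',
                '\Memory\% Committed Bytes In Use',
                '\PhysicalDisk(_Total)\Avg. Disk sec/Read',
                '\PhysicalDisk(_Total)\Avg. Disk sec/Write',
                '\PhysicalDisk(_Total)\% Idle Time'

    $sets = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples

    # Average each counter over the window: one spike is not a bottleneck.
    # Sample paths come back as \\COMPUTER\object\counter in lower case; drop the host part.
    $sets.CounterSamples |
        Group-Object { ($_.Path -split '\\', 4)[3] } |
        ForEach-Object {
            $path = $_.Name
            $avg  = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            $over = switch -Wildcard ($path) {
                'processor(_total)\% processor time'       { $avg -gt 85 }
                'system\processor queue length'            { $avg -gt (2 * $cpuCount) }
                'memory\available mbytes'                  { $avg -lt (0.05 * $totalMB) }
                'memory\% committed bytes in use'          { $avg -gt 80 }
                'physicaldisk(_total)\avg. disk sec/read'  { $avg -gt 0.025 }   # 25 ms
                'physicaldisk(_total)\avg. disk sec/write' { $avg -gt 0.025 }
                'physicaldisk(_total)\% idle time'         { $avg -lt 20 }
                default                                    { $false }
            }
            [pscustomobject]@{ Counter = $path; Average = [math]::Round($avg, 3); OverThreshold = $over }
        }
}

Test-PerfThresholds | Format-Table -AutoSize

# Baseline: a user-defined data collector set that logs every second to a binary
# (.blg) file and stops after 10 minutes (-rf). Started hourly by Task Scheduler.
logman create counter Baseline -c '\Processor(_Total)\% Processor Time' '\Memory\Available MBytes' '\PhysicalDisk(_Total)\Avg. Disk Queue Length' -si 00:00:01 -f bin -o C:\PerfLogs\Baseline\Baseline -rf 00:10:00
schtasks /create /tn "Perf Baseline" /sc hourly /tr "logman start Baseline" /ru SYSTEM /f

# Later, open the .blg files in Performance Monitor, or inspect them here:
# Import-Counter -Path C:\PerfLogs\Baseline\*.blg | Select-Object -ExpandProperty CounterSamples
```

Counter names are localized, so the English paths above fail on a non-English Windows installation; Get-Counter -ListSet shows the names in use on the local computer. Because the data collector set runs under Task Scheduler, it keeps collecting whether or not Performance Monitor is open, which is exactly what the note above describes.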
the disk subsystem, you can make the paging process as efficient as possible. If you have a device
with an SSD as the primary disk and a normal hard disk as the secondary disk, moving the paging
file is not likely to improve performance.
●● Configure a fixed-size paging file. A paging file that can grow on the disk might encompass
fragmented areas of the disk volume. By configuring a fixed-size paging file, you can ensure that
the paging file does not encompass fragmented areas.
●● On non-SSD drives, ensure that the disk volume is not fragmented when you create the paging
file. If you want to create a fixed-size paging file on a computer that already has a paging file,
ensure that you do not create a paging file that encompasses fragmented areas of the disk.
Additionally, before you create a fixed-size paging file, you should configure the computer to use
no paging, and then defragment the volumes.
●● When you configure the paging file, ensure that its size is sufficient. The usual recommendation is
an initial paging file equal to the amount of installed memory and a maximum paging file size of
twice the initial value. Consequently, a fixed-size paging file should be between one and two times
the size of the physical memory.
●● Add physical memory to a computer that is paging excessively. If you investigate performance on
a computer with a memory bottleneck, you often find that disk performance is low as well. By
adding extra physical memory to the computer you can reduce the load on the disk subsystem
and thereby improve both memory and disk performance.
●● Implement faster disks. Disk speed is measured in revolutions per minute (rpm), and average seek
times are measured in milliseconds. Install disks running 7200 rpm or faster, and select disks with the
lowest seek time. On desktop computers, you also can install a disk controller that supports a faster
bus type. The first Serial ATA (SATA) standard supports transfer rates up to 150 megabytes per second
(MBps) whereas the latest SATA standard supports transfer rates up to almost 2000 MBps. Changing
your disk controller and disks that support the new disk controller could improve the disk subsystem
performance considerably.
●● Consider using SSDs. SSDs use flash memory technology and have no moving parts. They can
operate faster than traditional disks, but they are more expensive. Carefully research the specific
vendor and model of disk. Some disks provide higher write performance, and some provide higher
read performance. In systems that support multiple drives where SSD cost is a concern, consider a
smaller SSD drive to store the OS and a SATA drive for apps and data.
●● Defragment volumes that are used heavily. You can use either the built-in disk Optimize Drives tool
or another company’s tools, some of which support the defragmentation of files such as Hiberfil.sys
and Pagefile.sys. Windows 10 optimizes drives automatically once a week and will run the proper
optimization automatically (defragmenting SATA drives or running TRIM on SSDs).
●● Ensure that you enable write-caching. You can use Device Manager to examine the properties of
any installed disks, and to verify that write-caching is enabled.
●● Distribute the memory load across all available disks. If your computer has multiple physical disks,
consider distributing disk-intensive activities across these disks. For example, you can install the
Windows operating system and applications on one disk, the paging file on another disk, and your
data files on a third disk.
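The following script, added here as an example and not part of the course material, applies the fixed-size paging file recommendation from the list above: it turns off automatic paging-file management, then sets the initial and maximum sizes to the same value (installed RAM, or twice installed RAM) so the file cannot grow into fragmented areas of the volume. The function names and the -Multiplier parameter are this example's own; run it in an elevated Windows PowerShell session and restart afterwards for the change to take effect.

```powershell
# Added example (not from the MD-100 course). Run elevated on Windows 10.
# Sizes C:\pagefile.sys to a fixed value: installed RAM x 1 or x 2, as the lesson recommends.

function Get-PagingFileRecommendation {
    [CmdletBinding()]
    param([ValidateSet(1, 2)] [int] $Multiplier = 1)   # assumed parameter for this example

    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $ramMB = [int][math]::Ceiling($cs.TotalPhysicalMemory / 1MB)

    [pscustomobject]@{
        ComputerName         = $cs.Name
        InstalledMemoryMB    = $ramMB
        AutomaticallyManaged = $cs.AutomaticManagedPagefile
        RecommendedSizeMB    = $ramMB * $Multiplier
        CurrentSettings      = @(Get-CimInstance -ClassName Win32_PageFileSetting |
                                   Select-Object Name, InitialSize, MaximumSize)
    }
}

function Set-FixedPagingFile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $Path = 'C:\pagefile.sys',
        [ValidateSet(1, 2)] [int] $Multiplier = 1
    )

    $rec    = Get-PagingFileRecommendation -Multiplier $Multiplier
    $sizeMB = $rec.RecommendedSizeMB

    # Explicit sizes are ignored while Windows manages the paging file itself,
    # so automatic management has to be switched off first.
    if ($rec.AutomaticallyManaged) {
        if ($PSCmdlet.ShouldProcess($rec.ComputerName, 'Disable automatic paging file management')) {
            Get-CimInstance -ClassName Win32_ComputerSystem |
                Set-CimInstance -Property @{ AutomaticManagedPagefile = $false }
        }
    }

    # WQL treats backslash as an escape character, so double it in the filter.
    $filter = "Name='{0}'" -f $Path.Replace('\', '\\')
    $pf = Get-CimInstance -ClassName Win32_PageFileSetting -Filter $filter

    if ($PSCmdlet.ShouldProcess($Path, "Set fixed paging file of $sizeMB MB")) {
        if ($pf) {
            # InitialSize == MaximumSize is what makes the paging file fixed-size.
            $pf | Set-CimInstance -Property @{ InitialSize = $sizeMB; MaximumSize = $sizeMB }
        } else {
            New-CimInstance -ClassName Win32_PageFileSetting -Property @{
                Name = $Path; InitialSize = $sizeMB; MaximumSize = $sizeMB
            } | Out-Null
        }
    }

    # Report the stored setting; it is applied at the next restart.
    Get-CimInstance -ClassName Win32_PageFileSetting -Filter $filter |
        Select-Object Name, InitialSize, MaximumSize
}

# Preview the change first, then run without -WhatIf to apply it.
Set-FixedPagingFile -Multiplier 1 -WhatIf
```

On a non-SSD volume, follow the order the lesson gives: set the paging file to no paging, restart, run Optimize-Volume on the volume, and only then apply the fixed size so that the new file is created in a contiguous area.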
Configure Indexes
Indexing is a technology used by Windows search. As the name implies, it is an index, a local database.
Windows uses this index to keep track of files, folders, file types, data properties, and other details about
files so that you can search by those details to locate data more easily. Generally when you search for a
file, Windows accesses this index first. It is important to personalize the settings for indexing to meet your
needs. You want to make sure the service is indexing all of the areas of your computer that you use and it
does not index unnecessary areas.
Windows Search 4.0 and higher fully supports indexing encrypted files on local file systems, enabling
users to index and search the properties and contents of encrypted files. Users can manually configure
Windows Search to include encrypted files, or administrators can configure this with Group Policy.
Windows Search ensures that only users with the correct permissions can search the content of encrypted
files by honoring ACLs and by restricting access to users with decryption permissions for the files.
Additionally, Windows Search restricts access to encrypted files to local searches only; Windows Search
does not return encrypted files in search results when the query is initiated remotely.
Note: The indexing of encrypted files should not be enabled unless the search index itself is protected
with full volume encryption. While encrypting the index file with EFS is possible, it is not recommended.
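The check a defender would want for the note above, as an added example that is not part of the course: it reads the policy value that the Allow indexing of encrypted files Group Policy setting writes, locates the search index, and reports a finding when encrypted content is being indexed onto a volume that BitLocker does not protect. The registry paths and value names below are what the policy and the Windows Search service use on Windows 10, but treat them as assumptions to verify against your own build, and note that the default index location is assumed when the DataDirectory value is absent.

```powershell
# Added example (not from the MD-100 course). Audits whether encrypted files are indexed
# and whether the volume holding the search index is protected by BitLocker.

function Get-EncryptedIndexingRisk {
    # Assumed locations: written by the "Allow indexing of encrypted files" policy
    # and by the Windows Search service respectively.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search'
    $searchKey = 'HKLM:\SOFTWARE\Microsoft\Windows Search'

    # 1 = encrypted files are indexed; 0 or absent = not indexed (the default).
    $policy  = Get-ItemProperty -Path $policyKey -Name AllowIndexingEncryptedStoresOrItems `
                                -ErrorAction SilentlyContinue
    $allowed = [bool]($policy.AllowIndexingEncryptedStoresOrItems)

    # Index database location; falls back to the default under %ProgramData%.
    $dataDir = (Get-ItemProperty -Path $searchKey -Name DataDirectory `
                                 -ErrorAction SilentlyContinue).DataDirectory
    if (-not $dataDir) { $dataDir = Join-Path $env:ProgramData 'Microsoft\Search\Data' }
    $dataDir = [Environment]::ExpandEnvironmentVariables($dataDir)
    $volume  = Split-Path -Path $dataDir -Qualifier        # e.g. "C:"

    # BitLocker status of that volume (the BitLocker module is not present on every edition).
    $volumeEncrypted = $false
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $bl = Get-BitLockerVolume -MountPoint $volume -ErrorAction SilentlyContinue
        if ($bl) { $volumeEncrypted = ($bl.ProtectionStatus -eq 'On') }
    }

    if ($allowed -and -not $volumeEncrypted) {
        $finding = 'RISK: encrypted file content is indexed on a volume without full volume encryption'
    } elseif ($allowed) {
        $finding = 'OK: encrypted files are indexed and the index volume is BitLocker-protected'
    } else {
        $finding = 'OK: encrypted files are not indexed'
    }

    [pscustomobject]@{
        EncryptedFilesIndexed  = $allowed
        IndexDirectory         = $dataDir
        IndexVolume            = $volume
        IndexVolumeBitLockerOn = $volumeEncrypted
        Finding                = $finding
    }
}

Get-EncryptedIndexingRisk | Format-List
```

The script only reads configuration; remediation is either to clear the policy value or to enable BitLocker on the index volume, which is the condition the note sets.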
Practice Labs and Module Review
Summary
In this lab, you will learn how to manage Windows 10 event logs and configure Event log subscriptions.
Scenario
You need to perform maintenance tasks on the Event logs for SEA-CL1. You will first review the event log
entries for the Application, Security, and System logs. You will then configure the Maximum log size for
the Application and System event logs. Finally, you will configure the Security event log to Archive the log
when full and do not overwrite events.
Scenario
SEA-CL2 is a critical workstation that needs to be monitored and maintained on a regular basis. To
efficiently monitor SEA-CL2, you decide to collect its event log entries so that you can review them on
your workstation named SEA-CL1. To perform this task, you need to assign permissions on SEA-CL2. You
will then create a “Collector Initiated” event log subscription on your workstation that connects to
SEA-CL2 and collects the last 30 days of event log entries.
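The event log settings the two scenarios above describe, applied with wevtutil from an elevated Windows PowerShell session. This is an added example rather than the lab's own steps; the 32 MB maximum size is an illustrative value chosen here, and the NetBIOS domain name in the trailing comment is assumed.

```powershell
# Added example (not the lab's own steps). Run elevated on the computer whose logs you manage.

function Set-LabEventLogPolicy {
    param([int64] $MaxSizeBytes = 32MB)   # illustrative size for this example

    foreach ($log in 'Application', 'System') {
        # /ms sets the maximum log size in bytes.
        wevtutil set-log $log /ms:$MaxSizeBytes
    }

    # Event Viewer's "Archive the log when full, do not overwrite events" corresponds to
    # retention enabled (/rt:true) plus automatic backup of the full log (/ab:true).
    wevtutil set-log Security /rt:true /ab:true
}

function Get-LabEventLogPolicy {
    foreach ($log in 'Application', 'System', 'Security') {
        $cfg = wevtutil get-log $log   # one line per setting, e.g. "  maxSize: 20971520"
        [pscustomobject]@{
            Log        = $log
            MaxSize    = ($cfg | Select-String '^\s*maxSize:\s*(\d+)').Matches[0].Groups[1].Value
            Retention  = ($cfg | Select-String '^\s*retention:\s*(\w+)').Matches[0].Groups[1].Value
            AutoBackup = ($cfg | Select-String '^\s*autoBackup:\s*(\w+)').Matches[0].Groups[1].Value
        }
    }
}

Set-LabEventLogPolicy
Get-LabEventLogPolicy | Format-Table -AutoSize

# For the collector-initiated subscription in the second scenario, the source computer
# (SEA-CL2) must accept WinRM connections and must let the collector's computer account
# read its logs. Run these on SEA-CL2 (domain NetBIOS name assumed):
#   winrm quickconfig -q
#   Add-LocalGroupMember -Group 'Event Log Readers' -Member 'ADATUM\SEA-CL1$'
```

Archiving when full means the Security log grows by one archived .evtx file each time it fills, so plan disk space and an archive collection process on a workstation such as SEA-CL2 before enabling it.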
Summary
In this lab, you will learn how to use Task Manager and Reliability Monitor to review Windows 10 reliability
and performance. You will also learn how to configure and use Performance Monitor to identify
performance issues for a Windows 10 device.
Scenario
A user reports performance and speed issues with a client workstation named SEA-CL1. Your first step is to
review the Task Manager and Reliability Monitor on SEA-CL1 to identify any noticeable or consistent
issues that may be reported on the computer.
Scenario
You need to use Performance Monitor to identify performance bottlenecks on the Windows 10 workstation
named SEA-CL1. You have developed a script named MonitorScenario.vbs that will simulate and
provoke the bad performance on SEA-CL1. While the script runs you plan to monitor the values for
Network Interface Packets per second, PhysicalDisk % Disk Time, PhysicalDisk Avg. Disk Queue Length,
Processor % Processor Time and System Processor Queue Length.
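A scripted way to watch the five counters named in the scenario while MonitorScenario.vbs runs, added here as an example and not part of the lab. It samples the counters with Get-Counter, averages each one, and flags the usual bottleneck signs; the thresholds are rule-of-thumb values assumed for this example, not figures from the course, and Packets/sec is reported without a threshold because it only means something against a baseline for the specific NIC.

```powershell
# Added example (not the lab's own script). Samples the scenario's counters on the local
# computer and flags averages above assumed rule-of-thumb thresholds.

$counters = @(
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function Measure-Bottleneck {
    param([int] $Samples = 10, [int] $IntervalSeconds = 2)

    $logicalCpus = (Get-CimInstance -ClassName Win32_ComputerSystem).NumberOfLogicalProcessors
    $data = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples

    # Average every counter path (one per NIC instance for Packets/sec) across all samples.
    $data.CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            $path = $_.Name
            $avg  = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            $flag = switch -Wildcard ($path) {
                '*% processor time'       { $avg -gt 85 }                    # sustained CPU saturation
                '*processor queue length' { $avg -gt (2 * $logicalCpus) }    # more than ~2 waiting threads per CPU
                '*% disk time'            { $avg -gt 50 }                    # disk busy half the time
                '*avg. disk queue length' { $avg -gt 2 }                     # requests are queuing on the disk
                default                   { $false }                         # Packets/sec: compare with a baseline
            }
            [pscustomobject]@{
                Counter = $path
                Average = [math]::Round($avg, 2)
                Suspect = $flag
            }
        }
}

# Start MonitorScenario.vbs first, then run the measurement while it executes.
Measure-Bottleneck | Format-Table -AutoSize
```

Ten samples at two-second intervals is a 20-second window; lengthen it if the script's effect builds up slowly, and compare the flagged counters with each other, since a memory bottleneck typically shows up as high disk activity as well.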
Module Review
Check Your Knowledge
1. An end user reports a problem with an app. You access the Task Manager to gather information to
help you identify and resolve the problems. You determine that you need to disable some programs.
Which feature of Task Manager should you access to disable the programs?
A. Processes
B. Performance
C. Startup
D. Details
E. None mentioned
2. A user reports problems regarding application failures. The user has indicated that this is not the first
time they have experienced issues with this application. Which of the tools provided in Windows 10
can create a problem report that you can use to troubleshoot this?
A. Reliability History
B. Process Explorer
C. Task Manager
D. Event Viewer
E. Message Analyzer
F. None mentioned
3. You are troubleshooting a computer problem. You need access to essential information from applications,
security, setup, and the system. Which of the tools provided in Windows 10 lists and categorizes
this information?
A. Reliability History
B. Task Manager
C. Event Viewer
D. Message Analyzer
E. None mentioned
4. As an IT Support professional for your organization, you need to configure the settings for Windows
Logs. You create a new GPO for all the computers in your domain. Which of the following is something
you can define for each log? (select four)
A. Automatic backup options.
B. Behavior that occurs when the log is full.
C. The location of the log file.
D. The version of the log file.
E. The maximum size of the log file.
F. Which apps should be excluded.
5. A user is complaining of decreased computer system performance. Which are the main hardware
components that you should monitor in a Windows 10–based computer? (select four)
A. Processor
B. Battery
C. Disk
D. Cooling Fan
E. Memory
F. Video
G. Network
H. USB Devices
6. Which Windows 10 performance-monitoring tool provides a snapshot of system performance?
A. Resource Monitor
B. Task Manager
C. Performance Monitor
D. Data collector sets
7. You are an IT Support Professional for a law firm. One of the paralegals is having trouble finding files
on their Windows 10 computer. Which files are not included in the Windows Search Index by default?
(select three)
A. Password-protected Office files
B. Network shares
C. Encrypted files
D. E-mail
E. Documents folder
F. Settings folders
8. When troubleshooting hardware and drivers, which of the following registry hives is the one you will
likely edit the most?
A. HKEY_CURRENT_USER
B. HKEY_LOCAL_MACHINE
C. HKEY_USERS
D. HKEY_CLASSES_ROOT
E. HKEY_CURRENT_CONFIG
Answers: 1) C 2) A 3) C 4) A,B,C,E 5) A,C,E,G 6) A 7) A,B,C 8) B
Module 11 Troubleshooting Files and Apps
Lesson Objectives
After completing this lesson, you will be able to:
●● Explain the Windows 10 file recovery methods and tools.
●● Use File History to recover files.
●● Describe and use the Previous Versions feature.
●● Describe how to configure and use the Azure Backup tool.
●● Troubleshoot File Recovery Options.
●● Explain how and when to use the Reset this PC tool.
to create a schedule for system image creation. You can copy system images to hard disks, sets of
DVDs, or network locations. A system image contains a virtual hard disk (.vhdx file) for each volume of
the computer for which you create the image. You can mount the virtual disk in File Explorer, and
access and restore each file individually. If you want to restore the entire system image, you can use
the System Image Recovery option from Windows RE.
●● Wbadmin.exe tool. You can use this command line tool to create backups and restore backup content.
●● File Explorer or robocopy.exe features. You can use File Explorer or the robocopy.exe tool to copy files
manually to other media or a network location.
●● Microsoft Azure Backup feature. Windows 10 does not include Azure Backup. However, if you have a
Microsoft Azure subscription, you can create a Backup Vault, download and install the Azure Backup
Agent, and back up Windows 10 to Microsoft Azure.
Note: File History backs up protected folders into a folder hierarchy, and names the top folder after the
user principal name (UPN). It names the first level subfolder after the computer from which it is backing up
the stored data, and names the second level subfolders Configuration and Data. File History backs up the
data into subfolders of the Data folder. For example, the folder hierarchy for a user named Don in the
Adatum.com domain from the LON-CL1 computer will be in the Don@Adatum.com\LON-CL1\Data
folder.
Note: Previous versions of OneDrive files and folders are accessible through the OneDrive online portal. For
organizations with OneDrive for Business and SharePoint, verify versioning settings with the SharePoint
Administrator.
Azure Backup does not require additional infrastructure, but computers that you want to back up must
have Internet connectivity, and you must perform the following steps:
1. You first must create a Recovery Services vault in Microsoft Azure. A Recovery Services vault is a
location in which Windows can store backups, and which you create by using the Microsoft Azure
portal. The Recovery Services vault can store the backups of up to 50 computers. It does not have a
limitation on its storage size, but it does have a limitation of up to 366 backups from the same
computer. You can create up to 25 Recovery Services vaults per Microsoft Azure subscription.
2. After you create a Recovery Services vault, you need a way to connect it with a computer that will use
the backup vault for storing backups. You do this by using vault credentials, an XML file that
you can download from the Microsoft Azure portal. It is valid for two days after you download it.
Before the two-day expiration, you should download the Microsoft Azure Backup agent, install it, and
register it with the backup vault. Otherwise, you will need to download new vault credentials. Current
vault credentials always are available on the Microsoft Azure portal.
3. You manage Azure Backup by using the Microsoft Azure Backup program, which is a program that
installs during the Microsoft Azure Backup Agent installation. You must install the backup agent on
any computer on which you want to back up or recover data by using Microsoft Azure. You can
download it from the Microsoft Azure portal.
4. Before you can use the Microsoft Azure Backup program, you must register your computer. A wizard
will guide you through the registration process, in which you must provide vault credentials and
encryption settings. Encryption settings include a passphrase, which is a string of 16 to 36 characters
that the Azure Backup Agent generates randomly. You will use the passphrase to encrypt a backup
before you transfer it to Microsoft Azure. Never share a passphrase with anyone, and store it securely.
You cannot recover data from Azure Backup without the encryption passphrase.
5. After you register a computer with a backup vault, you can schedule and perform backups. Azure
Backup can include only files and folders that you store on NTFS volumes. Azure Backup can perform
backups three times per day maximum, and you can configure the retention policy, which specifies
how long Microsoft Azure retains daily, weekly, monthly, and yearly backups. A vault does not have a
storage size limitation, but it can store only 366 backups from the same computer.
You can recover files and folders from Azure Backup either from the same computer on which it performed
the backup or from a different computer. It is easier to perform a recovery from the same
computer, because you already have the Microsoft Azure Backup program installed and registered with
the backup vault. The recovery from the same computer also can access the same passphrase that you
used for encryption. If you want to recover files from a different computer, you must make sure that it has
the Microsoft Azure Backup program installed. During recovery, you also must provide vault credentials
for the vault in which you are storing the backup. In addition, you must specify which files and folders
you want to recover and the passphrase that you used for encrypting the backup on the computer on
which Azure created the backup.
The Backup and Restore (Windows 7) tool uses the Volume Shadow Copy Service when creating a
backup. It can store multiple versions of the backup on the same location. The first backup contains a
backup of all the selected data (full backup). When the tool performs the next backup, it backs up and
stores only the data that has changed since the previous backup. If only a small amount of data has
changed, then the next backup (incremental backup) will be smaller, and the tool will create it faster than
the first time. You can also use the Backup and Restore (Windows 7) tool to create a system image and
system repair disk. You can include a system image in the backup, but you can only create a system repair
disk manually.
After a backup, you can restore files or folders to their original locations or to different locations. If you
performed backups multiple times, you can select from which backup to restore data. You can also
manage the space that the backup is using. The Backup and Restore (Windows 7) tool creates a restore
point each time you run a backup. The Previous Versions tab in File Explorer lists those restore points
for the data that you included in the backup.
Note: The Backup and Restore (Windows 7) tool uses virtual hard disk (.vhdx) files to store backup data.
You can view the backup data by mounting the .vhdx file in File Explorer.
Note: You can only use the Backup and Restore (Windows 7) tool to back up data that is stored on NTFS
volumes.
Note: The Previous Versions tab displays the following text: “Previous versions come from File History or
from restore points.” However, this message does not refer to restore points that System Restore creates.
The message refers to the restore points that the Backup and Restore (Windows 7) tool creates.
The Previous Versions tab for all files is empty until either you run File History for the first time, or you
create the initial backup when you use the Backup and Restore (Windows 7) tool. Data from File History
populates the Previous Versions tab only for the files that File History protects. For example, you can
modify File1.txt in the Folder1 folder, but if File History does not protect Folder1, then the Previous
Versions tab remains empty. The Backup and Restore (Windows 7) tool works in a similar manner. It
enables you to use previous versions for any file that is on an NTFS volume and that the backup includes.
For example, if you use the Backup and Restore (Windows 7) tool to back up Folder1, only the data from
restore points for Folder1 and all of its contents will populate the Previous Versions tab.
If you configure File History and use the Backup and Restore (Windows 7) tool, data from both sources
will populate the Previous Versions tab. Thereafter, each time that File History runs, an additional file
version becomes available for any file that File History protects. When the Backup and Restore (Windows
7) tool creates a backup, it also adds an additional file version automatically. If File History or Backup and
Restore (Windows 7) created the backup, you can revert files and folders only to the versions that the
backup includes.
Note: The Previous Versions feature is available in Windows 10, regardless of the file system that you are
using. However, the Backup and Restore (Windows 7) tool can back up data only from NTFS volumes.
Therefore, if you want to use the Previous Versions feature for files on the FAT file system, File History
must protect those files.
Both the Backup and Restore (Windows 7) tool and Azure Backup can recover files and folders on the
same computer on which the backup was created, and on different computers. However, File History can
recover files and folders only on the computer on which the backup was created. If you have permissions,
you can access the File History backup folders and restore files manually from any computer, because the
backup that File History performs is file-based.
The following table lists a comparison of the available file recovery options.
Note: If you cannot access a file backup that is stored remotely, you should use standard network
troubleshooting. You should perform local storage troubleshooting if a file backup is stored locally and
the backup location is not accessible. For example, if the local disk is connected and it displays in Device
Manager and Disk Management, you should look for any disk-related entries in Event Viewer.
File History stores backups in a folder hierarchy. You can restore the backup by using Previous
Versions or File History only on the computer on which the backup was created. If you want to restore files
and folders from a backup on a different computer from the one on which you created it, you need to copy
and rename the files and folders manually.
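The manual copy-and-rename step described above can be scripted, because File History backups are file-based. The script below is an added example, not a procedure from the course: given the Data folder of a File History hierarchy (such as Don@Adatum.com\LON-CL1\Data from the earlier note), it picks the newest version of each file, strips the version suffix, and copies the file to the same relative path under a destination folder. It assumes File History's versioned file naming, "<name> (<yyyy_MM_dd HH_mm_ss> UTC)<ext>", which is stated here as an assumption; run it with -WhatIf first to see what it would restore.

```powershell
# Added example (not from the MD-100 course). Restores the newest version of every file
# under a File History Data folder to another location, renaming the versioned copies.

function Restore-FileHistoryLatest {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $DataRoot,     # e.g. \\SEA-SVR1\FileHistory\Don@Adatum.com\LON-CL1\Data
        [Parameter(Mandatory)] [string] $Destination
    )

    # Assumed File History naming: "Report (2019_05_10 13_22_48 UTC).docx"
    $pattern = '^(?<base>.*) \((?<stamp>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2}) UTC\)(?<ext>\.[^.]*)?$'
    $root    = (Resolve-Path -LiteralPath $DataRoot).ProviderPath.TrimEnd('\')
    $culture = [Globalization.CultureInfo]::InvariantCulture

    # Every versioned file, with its logical (unversioned) relative path and timestamp.
    $versions = Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        if ($_.Name -match $pattern) {
            $relDir = $_.DirectoryName.Substring($root.Length).TrimStart('\')
            $name   = $Matches.base + $Matches.ext
            [pscustomobject]@{
                Source   = $_.FullName
                Relative = if ($relDir) { Join-Path $relDir $name } else { $name }
                Stamp    = [datetime]::ParseExact($Matches.stamp, 'yyyy_MM_dd HH_mm_ss', $culture)
            }
        }
    }

    # Keep only the newest version of each logical file.
    $latest = $versions | Group-Object -Property Relative | ForEach-Object {
        $_.Group | Sort-Object -Property Stamp -Descending | Select-Object -First 1
    }

    foreach ($v in $latest) {
        $target = Join-Path $Destination $v.Relative
        if ($PSCmdlet.ShouldProcess($target, "Restore version from $($v.Stamp.ToString('u'))")) {
            New-Item -ItemType Directory -Path (Split-Path -Path $target) -Force | Out-Null
            Copy-Item -LiteralPath $v.Source -Destination $target -Force
        }
    }

    # Number of logical files restored (or that would be restored with -WhatIf).
    @($latest).Count
}

# Preview only; drop -WhatIf to copy.
# Restore-FileHistoryLatest -DataRoot '\\SEA-SVR1\FileHistory\Don@Adatum.com\LON-CL1\Data' `
#                           -Destination 'D:\Restored' -WhatIf
```

Because the restore is a plain file copy, the account running it needs read permission on the File History share, which is the permission condition the paragraph above already states.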
Application Troubleshooting
Lesson Introduction
Most large organizations automate application installations from a central location. However, desktop
support personnel are involved in application deployment during the initial development, and during
troubleshooting of failed installations. Therefore, you must know how to identify why a desktop app
installation fails, and how to resolve any issues that might prevent installation.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe desktop app deployment methods.
●● Discuss desktop app deployment issues.
●● Describe Microsoft 365.
●● Describe the difference between Microsoft 365 apps and desktop apps.
●● Resolve desktop app deployment issues.
●● Troubleshoot Windows Installer issues.
●● Describe how to use AppLocker to control apps.
●● Control desktop app installation with AppLocker policies.
During application installation, you might receive one of the following error messages:
●● “The Windows Installer Service could not be accessed.”
●● “Windows Installer Service could not be started.”
●● “Could not start the Windows Installer service on the Local Computer.”
One source of Windows Installer issues is applications that do not complete installing or uninstalling. In
some cases, restarting the computer might force the operation to proceed. However, you might need to
reinstall or repair the application before you can remove it. In a worst-case scenario, you might need to
remove an application manually, including its registry entries. To troubleshoot Windows Installer issues,
you can use any one of the following methods:
●● Verify that Windows Installer is functioning by running msiexec at a command prompt.
●● Verify that the Windows Installer service is configured to start manually, and that it starts without
errors.
●● Verify that Windows Installer has the latest updates. This currently is not relevant, as no newer version
exists.
●● Reregister Windows Installer by using the following commands:
- Msiexec /unregister
- Msiexec /register
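The verification steps in the list above, scripted as an added example (not the course's own code): the function checks that the Windows Installer service (msiserver) is set to start manually and starts without errors, records the engine version, and pulls the most recent MsiInstaller errors from the Application log; a second function performs the re-registration from the last bullet. Run it in an elevated Windows PowerShell session; the function names are this example's own.

```powershell
# Added example (not from the MD-100 course). Checks and optionally repairs the
# Windows Installer service configuration described in the bullets above.

function Test-WindowsInstaller {
    $svc       = Get-Service -Name msiserver
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='msiserver'").StartMode

    $report = [ordered]@{
        ServiceStatus = $svc.Status
        StartMode     = $startMode   # expected value: Manual
        EngineVersion = (Get-Item "$env:SystemRoot\System32\msiexec.exe").VersionInfo.ProductVersion
        StartResult   = 'already running'
    }

    # The service is expected to be configured for manual start.
    if ($startMode -ne 'Manual') {
        Set-Service -Name msiserver -StartupType Manual
        $report.StartMode = 'Manual (corrected)'
    }

    # Confirm the service starts without errors.
    if ($svc.Status -ne 'Running') {
        try {
            Start-Service -Name msiserver -ErrorAction Stop
            $report.StartResult = 'started'
        } catch {
            $report.StartResult = "failed: $($_.Exception.Message)"
        }
    }

    # Recent installer errors give the failing product and error code.
    $report.RecentErrors = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'MsiInstaller'; Level = 2
    } -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

    [pscustomobject]$report
}

function Reset-WindowsInstallerRegistration {
    # Re-registers the Windows Installer engine, as in the lesson's last bullet.
    Start-Process -FilePath msiexec.exe -ArgumentList '/unregister' -Wait
    Start-Process -FilePath msiexec.exe -ArgumentList '/register' -Wait
}

Test-WindowsInstaller | Format-List
```

Run Reset-WindowsInstallerRegistration only after Test-WindowsInstaller shows the service failing to start or installs failing with the errors quoted above, since re-registration is the last of the listed steps rather than the first.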
Apps troubleshooter
If you have problems with an application, or if the Windows Store app does not open, you can run the
Apps troubleshooter. This tool can identify and fix problems with Universal Windows apps and the
Windows Store app. It is only available in English, but you can use the tool on PCs that run any language.
Additional Reading: For more information, refer to: “Apps Troubleshooter Download” at: http://aka.ms/w0hpmh
●● The Standard User Analyzer. This tool identifies any issues that relate to running an application as a
standard user.
●● The Update Compatibility Evaluator (UCE). This tool identifies any issues that relate to implementing
new Windows operating system updates.
The majority of functionality that ACT provides is currently available in the Upgrade Analytics solution,
which is part of Microsoft Operations Management Suite (OMS). After you deploy the OMS agent to the
computers on which you want to analyze the applications and enable Windows telemetry, Upgrade
Analytics collects data that is necessary to detect any potential compatibility issues and provides
recommendations regarding their resolution. It also guides you through the process of applying recommended
fixes, provides a searchable inventory of computers and applications, and displays application usage data.
Additional Reading: For details regarding the deployment of the OMS agent, refer to: http://aka.ms/Cjchkp
Issue: Users are unable to access a website.
Resolution: Verify that there is proper network connectivity, and that a firewall or proxy is not blocking the website.

Issue: Users are prompted for credentials when accessing an internal website that is configured to use Windows authentication.
Resolution: Verify that users are accessing the website by using a single label name without a domain name. Also, verify that users are accessing the website from an internal, domain-joined computer.

Issue: Users are unable to use a web-based application because Internet Explorer security or Protected Mode is blocking required functionality.
Resolution: If the web-based application is from a trusted source, then add the website to Trusted sites. This disables Protected Mode, and allows many web-based applications to function properly.

Issue: A web-based application is not retaining settings properly between screens or between sessions.
Resolution: Ensure that privacy settings allow the web-based application to set cookies.

Issue: A web-based application is not opening new windows that are required for proper operation.
Resolution: Ensure that Pop-Up Blocker allows the necessary windows to open by adding the website to the list of allowed sites.

Issue: Internet Explorer runs slower than usual, and might be displaying unusual information on webpages.
Resolution: Disable any unauthorized add-ons that might be malware.

Issue: Users are unable to view embedded content in a website, such as audio or video.
Resolution: Install the necessary add-on that Internet Explorer requires to display the content.

Issue: Internet Explorer is experiencing unusual problems authenticating to a website or accessing website content.
Resolution: Clear the Internet Explorer browsing history, including temporary Internet files, cookies, and passwords.

Issue: Internet Explorer is not displaying updated website content that you know has been updated.
Resolution: Clear the temporary Internet files, and then press the F5 key to refresh the page, or press Ctrl+F5 to force a refresh of a single website in the cache.

Issue: An older website is not displaying properly in Internet Explorer 11.
Resolution: Enable Compatibility View for the website. This might also be required for some web-based applications.

Issue: When accessing a secure website with HTTPS, users receive the error “There is a problem with the website’s security certificate.”
Resolution: If the website is trusted, users can select Continue to this website (not recommended). This error occurs because the certificate that is installed on the server is not trusted. This might be as a result of expired certificates, users accessing websites by using the wrong Domain Name System (DNS) name, or by using self-signed certificates. You can import a self-signed certificate on the client computer to remove this error.

Issue: Malware is installed as an add-on and you cannot remove it.
Resolution: Reset Internet Explorer settings. This can resolve unexplained problems with Internet Explorer. However, this also causes the loss of all customizations (such as Favorites), and changes to other configuration settings. If malware continues to remain on the computer, Internet Explorer might be infected again.
Issue: Microsoft Edge loads pages slowly.
Resolution: Try to delete cached files and enable InPrivate Browsing to disable any trackers.

Issue: Some webpages display a “needs Internet Explorer” message.
Resolution: Webpages that use ActiveX, Silverlight, Java, and other similar technologies will more often show this message. You will need to open the webpage in Internet Explorer to display that webpage.

Issue: Users cannot find favorites or downloads.
Resolution: Internet Explorer favorites are not imported automatically to Microsoft Edge. When you open Favorites in Microsoft Edge, you can choose to import favorites from Internet Explorer.

Issue: Text in reading pane is too small.
Resolution: In Settings in Microsoft Edge, you can configure the font and size that you want to use for the reading pane.

Issue: Ads are not blocked in Microsoft Edge.
Resolution: Install the AdBlock or Adblock Plus extension from Windows Store.

Issue: Webpages cannot be saved with Microsoft Edge.
Resolution: Microsoft Edge does not have the same Save as feature as Internet Explorer 11. You can use the Web Note annotation tool to save the page to OneNote, or share the page in an email. Windows 10 also includes the Microsoft Print to PDF printer that you can use to save the webpage as a PDF file. In the reading view, you have the option of saving webpages and PDF files to your reading list.

Issue: Adobe Flash Player is not working.
Resolution: Microsoft Edge comes with Adobe Flash Player preinstalled. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, selecting the Select-to-Run button.
Practice Labs and Module Review
Summary
In this exercise you will learn how to configure File History and use it to restore previous versions of a file or
folder.
Scenario
You need to ensure that users can recover deleted files stored in the Documents library on their local
workstations. You decide to validate the File History feature using SEA-CL2. You will create a shared folder
on SEA-SVR1 named FileHistory that will be used as a central location to store file history data.
Scenario
An additional request has been made to protect specific files being added to SEA-CL2. A script has been
provided named CopyUserData.bat to be used to create the intended folders and copy the required data.
The Data folder needs to be added to the Documents library, and both the Data and Reports folders must
be protected by File History.
Module Review
Check Your Knowledge
1. You are responsible for ensuring that desktop apps are deployed to the Windows 10 computers in
your organization. You need to automate desktop app installation using Windows Installer packages.
You do not need detailed reporting. Which method would be best?
A. Group Policy
B. Microsoft System Center 2012 R2 Configuration Manager (Configuration Manager)
C. Microsoft Intune
D. Remote applications
E. Inclusion in a Windows operating system image
2. You want to identify any potential desktop app deployment issues. You need to inventory installed
applications and then evaluate whether those applications experience issues when running on
Windows 10. What should you do?
A. Configure each application to Run as administrator
B. Run CompatCheck.exe
C. Install the necessary dependencies for all apps
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the Windows 10 startup architecture.
●● Explain the repair and recovery options available in Windows 10.
●● Describe the available advanced startup recovery tools.
●● Explore the advanced startup environment.
●● Describe the System Restore process in Windows 10.
●● Access the Windows 10 System Restore tool to fix the startup environment.
●● Describe volume activation considerations.
●● Describe the role of the BCD store.
●● Describe BCD configuration settings.
●● The Windows OS Loader (Winload.exe). This file resides in the Windows\System32 folder on the
volume where Windows is installed.
●● The Windows Resume Loader (Winresume.exe). This file is also in the Windows\System32 folder.
Windows OS Loader
Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads
the operating system kernel (ntoskrnl.exe) and (BOOT_START) device drivers, which, combined with
BOOTMGR, makes it functionally equivalent to NTLDR. Winload.exe initializes memory, loads drivers that
should start, and then transfers control to the kernel.
The Windows 10 Secure Boot process requires firmware based on UEFI. The Secure Boot process utilizes
UEFI to prevent unknown or potentially unwanted operating-system boot loaders (such as firmware
rootkits) from launching between the system’s firmware start and the Windows 10 operating system start.
Secure Boot is mandatory for Windows 10, and it greatly increases the integrity of the startup process.
Note: Some desktop computer manufacturers might enable you to disable Windows 10 Secure Boot
through the UEFI. However, this might not be possible on UEFI-based tablet devices that run Windows
10.
this feature, you must create the system image in advance. Unlike the Reset this PC feature, System
Image Recovery does not differentiate between operating system and user data.
●● Command prompt. This is a powerful but nonautomated option. You can start the command prompt
from the recovery environment and then run other built-in commands or third party tools.
After you recover your operating system, you can restore access to your data by doing one of the
following:
●● Signing in to the recovered device, if you use Folder Redirection, Offline Files, or OneDrive for Business.
●● Restoring the user data by using Azure Backup or the Backup and Restore (Windows 7) tool.
Windows RE
If your Windows computer fails to start correctly, you can use a number of tools to help resolve the
problem. The following topic discusses these tools.
Windows RE is a recovery platform based on the Windows Preinstallation Environment (Windows PE).
Windows RE provides two main functions:
●● Diagnose and repair startup problems automatically.
●● Provide a centralized platform for additional advanced recovery tools.
Automatic failover
Windows 10 provides an on-disk version of Windows RE. A computer that runs Windows 10 can fail over
automatically to the on-disk Windows RE if it detects a startup failure.
During startup, Windows OS Loader sets a status flag that indicates when the startup process begins.
Winload.exe clears this flag before it displays the Windows sign-in screen. If startup fails, the loader does
not clear the flag. Consequently, the next time the computer starts, Windows OS Loader detects the flag,
assumes that a startup failure has occurred, and then launches Windows RE instead of Windows 10.
The advantage of automatic failover to Windows RE Startup Repair is that you might not need to check
the problematic computer when a startup problem occurs.
Note: The computer must start successfully for Windows OS Loader to remove the status flag.
If there is an interruption to the computer’s power during the startup sequence, Windows OS Loader
does not remove the flag, and instead initiates Startup Repair automatically.
Remember that this automatic failover requires the presence of both Windows Boot Manager and
Windows OS Loader. If either of these elements is missing or corrupt, automatic failover cannot function,
and you must initiate a manual diagnosis and repair of the computer’s startup environment.
Note: In older versions of Windows, you could use the Last Known Good Configuration startup option to
revert registry settings to the most recent version that worked correctly. The Last Known Good
Configuration startup option is not available in Windows 10.
Note: You do not need Windows 10 media to use the Reset this PC feature.
You can access the Reset this PC tool from the Settings app or from Windows RE. In either case, you can
select the option in the Reset this PC tool to preserve your files or to remove everything from the
computer. If you decide to remove everything, you can specify to remove only your files or to clean the
drive fully. When you clean your drive fully, it takes considerably longer. However, it is more secure, since
you cannot recover the deleted files easily. Regardless of your selection, the Reset this PC tool always
preserves the size and names of disk partitions, and it always removes apps and drivers that are not part
of the initial Windows 10 installation.
You can run the Reset this PC tool from the Settings app only as a local user. You do not need to provide
credentials if you run it from the Settings app and you select to preserve your files. The Reset this PC tool
will notify you about the apps that it will remove and that you will need to reinstall manually. If you run
Reset this PC from the Windows RE that is available on a local drive, you will need to select the local user
and provide the user’s credentials. However, you will not be notified about the apps that it will remove. In
either case, the Reset this PC tool will add a list of the removed apps to the local user’s desktop after it
completes the operation.
Although Reset this PC operation reinstalls Windows 10, it preserves computer settings such as computer
name, domain membership, and local users. The Reset this PC tool removes device drivers and apps that
were not part of the default Windows 10 installation, but preserves all user settings and files.
If you run the Reset this PC tool and select to remove everything, and if your computer has more than
one drive, you will be prompted to specify if you want to remove all files from all drives or remove all files
only from the drive where Windows 10 is installed. You also will have to specify whether the Reset this PC
operation should remove your files only, or clean the drive fully. If you select to clean your drive fully, the
Reset this PC operation will overwrite all of the disk space several times before installing Windows 10. You
should select this option if you do not want to recover your files, such as before you sell your Windows
10 computer or give it to a family member for personal use. If you select to remove everything, the Reset
this PC operation removes all apps, configuration, and data that the default Windows 10 installation does
not include.
The following table shows which configuration and settings are preserved when you select different Reset
this PC options.
●● You must reinstall any apps and reapply any updates that were made since the computer was first
installed with Windows 10.
●● You do not need a backup or Windows 10 media to perform Reset this PC with the Just remove my
files or Fully clean the drive options, which is different from the System Image Recovery option.
System Restore
As covered in the previous topic, System Restore is also available in the Advanced Options menu.
Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. The following sections describe the Startup Repair tool functions:
●● Replace or Repair Disk Metadata. Disk metadata consists of several components, including the boot
sector and the MBR. If these files are missing or corrupt, the startup process fails. If you suspect that
an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk
metadata. Automatic Repair then checks, and if necessary, repairs the disk metadata automatically.
Damage to the disk metadata often occurs because of unsuccessful attempts to install multiple
operating systems on a single computer. Another possible cause of metadata corruption is a virus.
●● Repair Boot Configuration Settings. Windows XP and earlier Windows operating system versions
stored the boot configuration information in Boot.ini, a simple text file. However, Windows 10 uses a
boot configuration data (BCD) store that is in the C:\Boot folder.
If the boot configuration data is damaged or deleted, the operating system fails to start. The Startup
Repair tool then checks, and if necessary, rebuilds the BCD by scanning for Windows installations on
the local hard disks, and then storing the necessary BCD.
●● Resolve Incompatible Driver Issues. Installing a new hardware device and its associated device driver
often causes Windows operating systems to start incorrectly.
The Automatic Repair tool performs device driver checks as part of its analysis of your computer. If
Automatic Repair detects a driver problem, it uses System Restore points to attempt a resolution by
rolling back the configuration to a known working state.
Troubleshooting Windows Startup 405
Note: Even if you do not create restore points manually in Windows 10, installing a new device driver
automatically causes Windows 10 to create a restore point prior to the installation.
The Startup Repair tool should be your primary startup recovery mechanism. It is the least invasive and
requires the least manual configuration following recovery.
Command Prompt
Windows 10 uses the Command Prompt window from the Windows RE tool set as its command-line
interface. The Command Prompt tool is more powerful than the Recovery Console command-line
interface from earlier Windows operating system versions. The Windows RE Command Prompt features
are similar to the Command Prompt window that is available when Windows 10 runs normally and
enables you to:
●● Resolve problems with a service or device driver. If a computer runs Windows 10 and experiences
problems with a device driver or a Windows service, use the Windows RE Command Prompt window
to attempt a resolution. For example, if a device driver fails to start, use a command prompt to install
a replacement driver or disable the existing driver from the registry. If the Netlogon service fails to
start, at the command prompt, type Net Start Netlogon. You also can use the SC tool (SC.exe)
command-line tool or the Windows PowerShell start-service and stop-service cmdlets to start and
stop services.
●● Recover missing files. The Windows RE Command Prompt tool enables you to copy missing files to
your computer’s hard disk from original source media, such as the Windows 10 product DVD or USB
flash drive.
●● Access and configure the BCD. Windows 10 uses a BCD store to retain information about the
operating systems that you install on the local computer. You can access this information by using the
command-line tool BCDEdit.exe at the command prompt. You also can reconfigure the store, if
necessary. For example, you can reconfigure the default operating system on a dual-boot computer
with the BCDEdit.exe /default id command.
●● Repair the boot sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that runs Windows 10 will fail to start successfully. You can launch the Bootrec.
exe program at the command prompt to resolve problems with the disk metadata.
●● Run diagnostic and troubleshooting tools. The Command Prompt tool provides access to many
programs that you can access from Windows 10 during normal operations. These programs include
several troubleshooting and diagnostics tools, such as the registry editor (Regedit.exe), a disk and
partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe,
Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can
use to determine which programs and services are running currently.
Note: Windows PE is not a complete operating system. Therefore, when you use the Command Prompt
tool in Windows RE, remember that not all programs that work in a Windows operating system will work
at the command prompt. Additionally, because there are no sign-in requirements for Windows PE and
Windows RE, Windows restricts the use of some programs for security reasons, including many that
administrators typically run.
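The BCDEdit.exe /default step above, done from PowerShell so the identifier is looked up rather than retyped. This is an added example, not course material; it assumes bcdedit.exe is on the path, an elevated session, and (in Windows RE) that you name the offline system's store with -Store, because the default store there is Windows RE's own.

```powershell
# Added example, not part of the course text: select an OS entry by its description and make it the
# default boot entry, with the boot-menu timeout set in the same step.
function Invoke-BcdEdit {
    param([string[]]$Arguments, [string]$Store)
    $argv = @()
    if ($Store) { $argv += '/store', $Store }    # e.g. C:\Boot\BCD or an EFI partition mounted in Windows RE
    $argv += $Arguments
    $out = & bcdedit.exe @argv 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit $($argv -join ' ') failed: $out" }
    return $out
}

function Get-BcdOsEntry {
    # Parses 'bcdedit /enum osloader' output into objects; each entry starts with an 'identifier' line.
    param([string]$Store)
    $entries = @()
    $current = $null
    foreach ($line in (Invoke-BcdEdit -Arguments @('/enum', 'osloader') -Store $Store)) {
        if ($line -match '^identifier\s+(\{[^}]+\})') {
            if ($current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ Identifier = $Matches[1]; Description = ''; Device = '' }
        } elseif ($current -and $line -match '^description\s+(.+)$') {
            $current.Description = $Matches[1].Trim()
        } elseif ($current -and $line -match '^device\s+(.+)$') {
            $current.Device = $Matches[1].Trim()
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

function Set-BcdDefaultOs {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Description,   # the entry's description, e.g. 'Windows 10'
        [int]$TimeoutSeconds = 30,
        [string]$Store
    )
    $found = @(Get-BcdOsEntry -Store $Store | Where-Object { $_.Description -eq $Description })
    if ($found.Count -ne 1) {
        throw "Expected exactly one OS entry described '$Description', found $($found.Count)."
    }
    $id = $found[0].Identifier
    if ($PSCmdlet.ShouldProcess('BCD store', "default=$id timeout=$TimeoutSeconds")) {
        Invoke-BcdEdit -Arguments @('/default', $id) -Store $Store | Out-Null
        Invoke-BcdEdit -Arguments @('/timeout', "$TimeoutSeconds") -Store $Store | Out-Null
    }
    return $id
}

# Dry run first; drop -WhatIf to apply.
Set-BcdDefaultOs -Description 'Windows 10' -TimeoutSeconds 10 -WhatIf
```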
affect your personal files, but it will not preserve any changes that you made to applications and settings
since the most recent update.
Test updates
To avoid issues with feature upgrades and servicing updates, you should perform extensive testing before
installing the updates on your Windows 10 devices. If you configure the majority of your devices for
Semi-Annual Channel, you have a period to test upgrades on computers configured for Semi-Annual
Channel (Targeted). The fastest way to test new upgrades is to sign up as a Windows Insider. As a
Windows Insider, you have access to new upgrades before devices configured for Semi-Annual Channel get
the upgrades. If you are using a management system such as WSUS to approve upgrades, you can defer
upgrades for an additional time to test the upgrades.
Uninstall updates
The simplest way to remove a problematic update is to uninstall it. To remove an update:
1. Open the Settings app, select Update & security, select Windows Update, select Update history,
and then select Uninstall updates.
2. Right-click the suspect update, and then select Uninstall.
Uninstall drivers
If you suspect a driver to be problematic, you can uninstall the driver. To uninstall an unwanted driver:
1. Open Device Manager.
2. Locate the device with the problem driver installed, right-click it, and then select Uninstall.
3. In the Uninstall dialog box, select the Delete the driver software for this device check box, if
available.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe operating system services.
●● Identify failed services by using Windows 10 tools.
●● Explain how to use tools and utilities to disable services.
●● Describe BitLocker.
●● Explain how BitLocker works with Trusted Platform Modules (TPMs).
●● Explain how to recover a BitLocker-encrypted drive.
Event Viewer
Event Viewer provides access to the Windows logs, and to applications and services logs.
The Windows logs files provide the following information:
●● Application log. The application log contains events that applications generate. For example, a
database program records a file error in the application log, and the program developer decides
which events to record.
●● Security log. The security log records security events, such as valid and invalid sign-in attempts, and
events related to resource use such as creating, opening, or deleting files. An administrator specifies
which events Windows 10 records in the security log by creating a domain-wide audit policy.
●● System log. The system log contains events that the system components in Windows 10 generate.
For example, if a driver or other system component fails to load during startup, Windows 10 records
this failure in the system log. Windows 10 predetermines the event types that the system components
log.
When you troubleshoot startup problems with services, pay special attention to error events that the
system log records. All users can access the application and system logs, but only members of the local
Administrators group can use the security log. If you encounter problems with service startup, examine
the system and application logs for related events.
Windows 10 logs the following three event types:
●● Information events
●● Warning events
●● Error events
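Querying the System log for service-startup errors, as the text above recommends, can be scripted rather than done by hand in Event Viewer. This is an added example, not course material; the event IDs are the standard Service Control Manager IDs for failed service starts, and the 24-hour look-back window is an assumption.

```powershell
# Added example, not part of the course text: pull Service Control Manager error events from the
# System log and summarise them per service, so the failing service is identified first.
function Get-ServiceStartupFailure {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        # 7000 failed to start, 7001 dependency failed, 7023 terminated with an error,
        # 7034 terminated unexpectedly
        Id           = 7000, 7001, 7023, 7034
        Level        = 2          # Event Viewer levels: 2 = Error, 3 = Warning, 4 = Information
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # The System log is readable by all users; only the Security log needs local Administrators.
    Get-WinEvent -FilterHashtable $filter -ComputerName $ComputerName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @(([xml]$_.ToXml()).Event.EventData.Data)   # param1 = service, param2 = detail
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                Service     = $data[0].'#text'
                Detail      = if ($data.Count -gt 1) { $data[1].'#text' } else { '' }
                Message     = ($_.Message -split "`r?`n")[0]
            }
        }
}

function Get-ServiceStartupFailureSummary {
    # Groups the failures by service name, noisiest first, with the last occurrence and the IDs seen.
    param([int]$Hours = 24)
    Get-ServiceStartupFailure -Hours $Hours |
        Group-Object Service |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Service';  e = { $_.Name } },
                      Count,
                      @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } },
                      @{ n = 'EventIds'; e = { ($_.Group.Id | Sort-Object -Unique) -join ',' } }
}

Get-ServiceStartupFailureSummary -Hours 72 | Format-Table -AutoSize
```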
Log files
In addition to the logs accessible from Event Viewer, Windows 10 records other events in other log files.
For example, you can use MSConfig.exe to configure Windows 10 to record a boot log file when it starts.
The boot log file, Ntbtlog.txt, is stored in the Windows folder. It contains a list of all drivers and some
services that start during the boot process. If a problem occurs with a service, activate boot logging, and
then examine the log.
Stop codes
If the Windows 10 operating system experiences a system failure, it might display a stop code on a blue
screen. The stop code might contain the name of the device driver or service that is causing the system
failure and might contain information to help you diagnose the reason for the failure. Windows 10
records information related to the system failure in a system log file (called a memory dump file),
which is located in Windows\System32. Examine the contents of this memory dump file to help
determine the reason for the system failure.
Action Center
Action Center is a consolidated tool that enables you to track and repair reported problems. You also can
configure Action Center to determine how your computer reports problems. Additionally, you can use
Action Center to examine problems that Windows reports.
Disabling Services
After you determine which service is causing the startup problem, you can disable it. Depending on the
circumstances, you can disable a service in one of several ways:
Safe mode
If the Windows 10 computer does not start normally, try to start the computer in safe mode. You can
access the Safe Mode option from the Advanced Boot Options menu, but you also can activate safe
mode from MSConfig.exe. In safe mode, a minimal set of services load during the startup process.
However, these services are sufficient to load the operating system. You then can troubleshoot the service
startup problem using standard Windows operating system tools such as Control Panel, Computer
Management, Registry Editor, the services MMC snap-in, and Event Viewer.
●● A recovery key in a format that the BitLocker Recovery Console can read directly.
●● Active Directory Users and Computers. You can use this tool to verify the user’s sign-in name and
whether the account is disabled. You also can use this tool to unlock the account and reset the
password, if necessary.
Note: You also can use Windows PowerShell to query a user’s account status and reset a user’s account
properties. For example, use the Get-ADUser cmdlet to retrieve user account properties; the
Unlock-ADAccount cmdlet to unlock a user account; and the Set-ADUser -Enabled $true cmdlet to enable a
user account. If you wish to use these cmdlets on a Windows 10 client computer, install Remote Server
Administration Tools (RSAT) on that computer to install the necessary Windows PowerShell cmdlets.
●● Event logs. You can use Event Viewer to view event logs that might give some indication of why a
sign-in error occurs. The Security logs on a computer or domain controller indicate if authentication
errors occur. The computer’s System log indicates if the computer account is not authenticating
correctly.
If a user is able to sign in, but cannot access network resources, the sign-in process might be using the
user’s cached credentials. If this happens, you should verify that the computer has network connectivity
and that the computer account is authenticating properly.
If your organization does not restrict user sign in to specific computers, the user can attempt to sign in to
a second computer, which identifies whether the authentication issue pertains to a specific computer. You
can use the results of this test to limit your troubleshooting scope. For example, if the issue is not
computer-specific, then it is not a local computer-configuration issue.
Practice Labs and Module Review 415
Summary
During this lab you will learn how to work with the Windows RE, manipulate the BCD from the Command
Prompt tool, and use Startup Settings to access advanced startup options.
Scenario
You need to test and validate the features that are available for recovering from boot failures on a
Windows 10 device. You will access Windows RE to identify the recovery options that are available. You
will also use command-line tools to manipulate the BCD and use Startup Settings to access the advanced
startup options.
Summary
During this lab you will learn how to recover a Windows 10 device using Reset This PC.
Scenario
You discover that SEA-CL2 is having intermittent issues. Repeated attempts have been made to correct
the issues, but have been unsuccessful. You've decided to try resetting the PC. You would like to still
retain the user files on the PC.
Module Review
Check Your Knowledge
1. A user reports a system failure with a computer. You need to return the computer to an earlier state
without re-installing the operating system or causing data loss. Which of the Windows RE recovery
tools can you use to achieve this?
A. Reset this PC
B. Advanced options
C. System Restore
D. System Image Recovery
E. Startup Repair
F. Command Prompt
G. None mentioned
2. You are configuring a dual-boot machine. You need to specify the default operating system. You also
need to change the amount of time a user has to select an operating system during startup. Which
tool can accomplish this with the least amount of administrative effort?
A. Startup and Recovery
B. System Configuration tool
C. BCDEdit.exe
D. BootRec.exe
E. None mentioned
3. In an effort to protect your organization's data, you enabled System Restore points on users' Windows
10 computers. System Restore points will be created automatically when which of the following
actions occur? (select three)
A. You install a new application or driver.
B. You change your password.
C. You install updates.
D. You remove programs.
E. You perform a backup.
4. You are about to run the Reset this PC tool on a Windows 10 computer. You want to keep the current
disk partitions. Which setting should you select?
A. Keep my files
B. Just remove my files
C. Fully clean the drive
D. Keep my files or Just remove my files
E. Any mentioned
5. You are troubleshooting a Windows 10 computer. You decide to use the Reset this PC tool. When
you select the option “Just remove my files or Fully clean the drive”, which of the following statements
is true?
A. This option removes all of your Windows Store apps, desktop apps, and the apps that the default
Windows 10 installation includes.
B. This option requires special permissions to use.
C. Any apps installed and updates that were made since the computer was first installed with
Windows 10 will still be available.
D. You do not need a backup or Windows 10 media with this option.
E. All statements are false.
6. In an effort to protect your organization's data, you enabled System Restore points on users' Windows
10 computers. System Restore points will be created automatically when which of the following
actions occur? (select three)
A. You install a new application or driver.
B. You change your password.
C. You install updates.
D. You perform a backup.
E. You remove programs.
7. You need to launch the Windows Recovery Environment. Which of the following methods could you
use? (select 3)
A. From the login screen, select Shutdown, then hold down the Shift key while selecting Restart.
B. In the Windows 10 Settings App under Update & Security, select Recovery and select Restart now
under Advanced Startup.
C. Boot using recovery media.
D. Reboot and press the F8 key before Windows starts to load.
Answers: 1) C 2) A 3) A,C,D 4) E 5) D 6) A,C,E 7) A,B,C
Module 13 Troubleshooting Hardware and
Drivers
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe the role and importance of device drivers.
●● Manage and troubleshoot device drivers.
●● Explain the difference between the staging and installation of device drivers.
●● Restrict installation of device drivers by using Group Policy.
418 Module 13 Troubleshooting Hardware and Drivers
and Printers tool displays it as a single device. However, Device Manager shows the same device as an
audio input and output device, an imaging device, and a sound, video, and game-controller device.
Windows PowerShell
Windows 10 includes several Windows PowerShell cmdlets for managing devices.
Cmdlet Description
Enable-PnpDevice Enables a PnP device.
Disable-PnpDevice Disables a PnP device.
Get-PnpDevice Displays information about PnP devices.
Get-PnpDeviceProperty Displays detailed properties for a PnP device.
Note: The Roll Back Driver button is available only if a previous version of the driver was updated. If the
current driver for the device is the only one ever installed on the computer, the Roll Back Driver button
is grayed out and unavailable.
Windows 10 will only back up drivers that are active and functional. It will not back up inactive or
malfunctioning drivers. Driver Roll Back is available for any device except printers (Print queues). Printers
cannot use Driver Roll Back, because you cannot manage printers through Device Manager. You have to
use Devices and Printers to configure printers.
Note: If a malfunctioning driver is preventing Windows 10 from starting normally, you can start the
computer in safe mode and then use the Roll Back Driver option.
To roll back a driver, use the following procedure:
1. Open Device Manager.
2. Right-click the device to roll back, and then select Properties.
3. In the Properties dialog box, select the Drivers tab, and then select Roll Back Driver.
4. In the Driver Package rollback dialog box, select Yes.
Note: Rolling back a driver can cause the loss of new functionality, and can reintroduce problems that the
newer version addressed.
Driver Roll Back only replaces the current device driver with the previous device driver. Therefore, it is a
nondestructive operation. Sometimes, when you install a device driver, the installation program also
modifies some other system settings. In such cases, Driver Roll Back might not resolve all the issues, and
you might have to consider System Restore, which reverts system settings, but preserves user data. As a
last resort, you can use the Reset PC option, System image recovery, or Backup and Restore (Windows 7).
System Restore
In rare cases, after you install a device or update a device driver, a computer might not start. This problem
might occur because:
●● The new device or driver causes conflicts with other drivers on the computer.
●● A hardware-specific issue occurs.
●● The installed driver is damaged.
Sometimes, performing a driver rollback is not sufficient to recover from a computer problem. If you are
unable to recover a computer by performing a driver rollback, consider using System Restore. You can
use System Restore when you want to retain all new data and changes to existing files, but still want to
perform a restoration of the system from when it was running well. Windows 10 lets you return a
computer to the way it was at a previous point without deleting any personal files. System Restore is
reversible, because it creates an undo restore point before the restore operation starts.
A digital signature uses a digital certificate to encrypt specific details about the device driver package.
The encrypted information in a digital signature includes a thumbprint for each file that the package
includes. A special cryptographic algorithm, or hashing algorithm, generates the thumbprint. The
algorithm generates a code that only the file’s contents can create, and changing a single bit in the file
causes the thumbprint to change. After the thumbprints are generated, the publisher combines them
into a catalog, and encrypts them. A digital signature does not modify the device driver. It only assures
that the device driver was not modified after it was signed.
Microsoft digitally signs all device drivers that are included in Windows 10. Windows 10
checks for a driver’s digital signature during installation, and prompts the user if a device driver is not
signed. Although you can install device drivers that are not signed on 32-bit editions of Windows 10, we
recommend that you use only signed drivers. You can use Group Policy to block the installation of device
drivers that are not signed by a trusted organization. 64-bit editions of Windows 10 require that all
drivers are signed digitally, and by default, you cannot use device drivers with 64-bit editions of Windows
10 if they are unsigned.
Note: You can configure 64-bit editions of Windows 10 to use unsigned device drivers, such as if you
want to test the driver before signing it, but we do not recommend this. To disable the enforcement of
driver signatures, you should restart the computer, and then select Disable driver signature enforcement
on the Startup Settings menu.
You can use Device Manager to verify if a device driver is signed digitally, but you need to do it for each
device driver separately. In Device Manager, you right-click a device, select Properties, and then on the
Driver tab, select the Driver Details button. You can verify if a device driver was signed and by whom in
the Driver File Details dialog box.
Note: If there are multiple driver packages available for the same device, Windows 10 ranks the driver
packages by evaluating criteria such as:
●● Is the driver signed?
●● Is the driver specific to the attached device or for a compatible set of devices?
●● What is the driver version?
Benefits of staging driver packages
Device drivers run as part of the operating system, so it is critical that you allow only known and
authorized device drivers to run. Staging device-driver packages on Windows 10 provides several benefits,
including:
●● Improved security. You can allow standard users to install approved device drivers without
compromising computer security or requiring help-desk assistance.
●● Reduced support costs. Users can install only devices that your organization has tested and is
prepared to support. Therefore, you can maintain computer security while you reduce help-desk
demands.
●● Better user experience. A staged driver package, in the driver store, works automatically when the user
plugs in the device. Alternatively, Windows 10 will discover driver packages that you place on a shared
network folder whenever the operating system detects a new hardware device. In both cases, the user
receives no prompts prior to installation.
Staging device drivers manually
You can use the following steps to use the Pnputil.exe command-line tool to add a device driver to the
Windows 10 driver store manually:
1. Obtain a digitally signed driver package.
2. Sign in as Administrator, and then open a command prompt.
3. At the command prompt, type pnputil.exe /add-driver package_name, and then press Enter.
4. The command runs, and Windows 10 verifies the driver’s integrity and digital signature, and then
copies the driver into the driver store.
Note: The Pnputil.exe tool only runs at a command prompt with elevated user rights. The tool cannot
invoke the User Account Control dialog box.
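Step 1 of the procedure above (obtain a digitally signed package) can be checked before Pnputil.exe is ever run. This is an added example, not course material: it reads the CatalogFile entry from the .inf, verifies the catalog's Authenticode signature with Get-AuthenticodeSignature, and only then calls pnputil.exe /add-driver. The signer pattern and the package path are assumptions to replace with your own vendors; Pnputil already rejects unsigned packages, so what this adds is an allow list of which signers you accept.

```powershell
# Added example, not part of the course text: verify a driver package's catalog signature and signer
# before staging it in the driver store with pnputil.exe.
function Test-DriverPackageSignature {
    param(
        [Parameter(Mandatory)][string]$InfPath,
        # Assumed default: WHQL-signed packages; add your vendors' certificate subjects here.
        [string[]]$AllowedSignerPattern = @('*Microsoft Windows Hardware Compatibility Publisher*')
    )
    $infFile = Get-Item -LiteralPath $InfPath
    # The [Version] section names the catalog: CatalogFile=, or CatalogFile.NTamd64= and similar.
    $catLine = Select-String -LiteralPath $infFile.FullName -Pattern '^\s*CatalogFile(\.\w+)?\s*=\s*([^\s;]+)' |
        Select-Object -First 1
    if (-not $catLine) { throw "No CatalogFile entry in $InfPath; the package cannot be verified." }
    $catPath = Join-Path $infFile.DirectoryName $catLine.Matches[0].Groups[2].Value
    if (-not (Test-Path -LiteralPath $catPath)) { throw "Catalog $catPath is missing from the package." }
    $sig = Get-AuthenticodeSignature -LiteralPath $catPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $allowed = [bool]($AllowedSignerPattern | Where-Object { $signer -like $_ })
    [pscustomobject]@{
        Inf     = $infFile.FullName
        Catalog = $catPath
        Status  = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer  = $signer
        Trusted = ($sig.Status -eq 'Valid') -and $allowed
    }
}

function Add-VerifiedDriverPackage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$InfPath,
        [string[]]$AllowedSignerPattern,
        [switch]$Install              # also install on matching devices (pnputil /add-driver ... /install)
    )
    $splat = @{ InfPath = $InfPath }
    if ($AllowedSignerPattern) { $splat.AllowedSignerPattern = $AllowedSignerPattern }
    $check = Test-DriverPackageSignature @splat
    if (-not $check.Trusted) {
        throw "Refusing to stage $InfPath (status $($check.Status), signer '$($check.Signer)')."
    }
    $pnpArgs = @('/add-driver', $check.Inf)
    if ($Install) { $pnpArgs += '/install' }
    if ($PSCmdlet.ShouldProcess($check.Inf, "pnputil $($pnpArgs -join ' ')")) {
        # Needs an elevated prompt: pnputil cannot raise the User Account Control dialog itself.
        & pnputil.exe @pnpArgs
        if ($LASTEXITCODE -ne 0) { throw "pnputil exited with code $LASTEXITCODE" }
    }
    return $check
}

# Package path is a placeholder; -WhatIf shows the pnputil command without running it.
Add-VerifiedDriverPackage -InfPath 'C:\Drivers\vendor\device.inf' -WhatIf
```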
Managing the driver store
You also can use the Pnputil.exe command-line tool to manage the driver store, including adding and
removing driver packages from the driver store, and listing non-Microsoft driver packages that already
are in the store.
You can use the Pnputil.exe command-line tool to perform the following tasks:
●● Add a driver package to the driver store.
●● Add a driver package to the driver store, and then install it in the same operation.
●● Delete a driver package from the driver store.
●● List all driver packages in the driver store.
The following table lists the Pnputil.exe command-line syntax.
Windows 10 includes several Group Policy settings that control installation of devices and device drivers.
This enables you to restrict installation of specific devices, but allow installation of all other devices. For
example, you can use these Group Policy settings to restrict certain types of USB devices and installation
of all devices that are not allowed explicitly, such as USB keys that are not company-approved. To access
the Group Policy settings for controlling driver installation, in Group Policy, select Computer
Configuration, Policies, select Administrative Templates, select System, and then select Driver Installation.
The following table details the Group Policy settings that you can configure.
Lesson Objectives
After completing this lesson, you will be able to:
●● Describe hardware-related problems.
●● Describe the considerations for using USB devices.
●● Describe considerations for using wireless devices.
●● Explain how you can use built-in diagnostic tools to gather hardware information.
●● Determine how to best approach hardware problems.
●● Apply the guidelines for troubleshooting hardware-related problems.
Hardware-Related Problems
Hardware problems occur when a failure occurs in a hardware device or the device driver that the
hardware device uses. When you troubleshoot hardware-related problems, you first must determine the
underlying cause of the hardware failure.
Note: Many tablet devices are equipped with solid-state drives (SSDs), which have no moving parts and
are less susceptible to physical failure. However, be aware that SSDs might become less reliable after a
significant number of write operations.
Additional strings in the list identify the device more generally. This allows Windows 10 to install a
different device revision driver if the correct one is not available.
●● Compatible identifiers. Windows 10 uses compatible identifiers to select a device driver only if the
driver store has no available drivers for any of the hardware identifiers that Windows 10 retrieves from
the device. These strings are optional, and Windows 10 lists them in decreasing order of suitability if
the hardware manufacturer provides them. Typically, the strings are generic and identify the hardware
device at the component level, such as a Small Computer System Interface (SCSI) hard disk drive. This
enables Windows 10 to select a generic SCSI driver for the disk drive, but may result in limited device
functionality and slower read/write performance.
Multifunction devices are physical devices that include more than one logical device. Manufacturers
assign a hardware identifier to each logical device so that each logical device can manage part of the
functionality of the physical device. For example, an all-in-one scanner/printer/fax might have different
device identification strings for each function. To control installation of multifunction devices, you
specifically must allow or deny all hardware identifiers for each multifunction device. If you do not do
this, you could cause unexpected results from some of the logical devices that have drivers installed for
the one physical device.
The following sample is the relevant portion of an .inf file for a keyboard device driver:
[MsMfg]
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
%HID\VID_045E&PID_005F&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_005F&MI_00
%HID\VID_045E&PID_0061&MI_00.DeviceDesc%=MicrosoftKBD_Dev_109,HID\VID_045E&PID_0061&MI_00
%HID\VID_045E&PID_0063&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_0063&MI_00
To interpret the preceding and subsequent configuration files, use the following key:
●● HID = Human Interface Device, such as keyboards and mice.
●● VID = Vendor ID
●● PID = Product ID
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}
Provider=Microsoft
LayoutFile=layout.inf
DriverVer=06/29/2010, 8.0.219.0
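Reading hardware identifiers out of a models section such as the [MsMfg] sample, and collecting every identifier Windows reports for a multifunction device so that the allow or deny list covers all of its logical devices, can both be scripted. This is an added example, not course material; the INF text is constructed from the keyboard sample above, the -NamePattern value is an assumption, and the live part uses the Get-PnpDevice and Get-PnpDeviceProperty cmdlets listed earlier in this module.

```powershell
# Added example, not part of the course text: parse INF hardware IDs and gather the complete ID set
# of a composite device for a Group Policy device-installation allow list.
$SampleModelsSection = @'
[MsMfg]
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
%HID\VID_045E&PID_005F&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_005F&MI_00
%HID\VID_045E&PID_0061&MI_00.DeviceDesc%=MicrosoftKBD_Dev_109,HID\VID_045E&PID_0061&MI_00
%HID\VID_045E&PID_0063&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_0063&MI_00
'@

function Get-InfHardwareId {
    # Each models line has the form  %description%=InstallSection,hardware-id[,compatible-id...]
    param([Parameter(Mandatory)][string]$InfText)
    $result = @()
    foreach ($line in ($InfText -split "`r?`n")) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('[')) { continue }
        if (-not ($t -match '^%[^%]+%\s*=\s*(?<section>[^,]+),(?<ids>.+)$')) { continue }
        $section = $Matches['section'].Trim()
        $ids = $Matches['ids'] -split ','
        for ($i = 0; $i -lt $ids.Count; $i++) {
            $id = $ids[$i].Trim()
            $obj = [pscustomobject]@{
                InstallSection = $section
                Kind           = if ($i -eq 0) { 'HardwareId' } else { 'CompatibleId' }
                Id             = $id
                Bus            = ''
                VendorId       = ''
                ProductId      = ''
                Interface      = ''   # MI_xx = interface number of one function of a composite device
            }
            if ($id -match '^(?<bus>[A-Za-z]+)\\VID_(?<vid>[0-9A-Fa-f]{4})&PID_(?<pid>[0-9A-Fa-f]{4})(?:&MI_(?<mi>[0-9A-Fa-f]{2}))?') {
                $obj.Bus = $Matches['bus']; $obj.VendorId = $Matches['vid']; $obj.ProductId = $Matches['pid']
                if ($Matches['mi']) { $obj.Interface = $Matches['mi'] }
            }
            $result += $obj
        }
    }
    return $result
}

function Get-DeviceAllowList {
    # Returns every hardware ID of the present devices whose name matches $NamePattern, plus the IDs of
    # their parent and sibling PnP nodes: a composite device exposes each function as its own node, and
    # an allow list that names only one of them leaves the other functions unexpectedly blocked.
    param([Parameter(Mandatory)][string]$NamePattern)
    $all = Get-PnpDevice -PresentOnly
    $parentOf = @{}
    foreach ($d in $all) {
        $p = Get-PnpDeviceProperty -InstanceId $d.InstanceId -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue
        $parentOf[$d.InstanceId] = if ($p) { $p.Data } else { $null }
    }
    $ids = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($dev in ($all | Where-Object { $_.FriendlyName -like $NamePattern })) {
        $parent = $parentOf[$dev.InstanceId]
        $family = @($dev) + @($all | Where-Object {
            $parent -and ($_.InstanceId -eq $parent -or $parentOf[$_.InstanceId] -eq $parent)
        })
        foreach ($member in $family) {
            foreach ($h in @($member.HardwareID)) { if ($h) { [void]$ids.Add($h) } }
        }
    }
    return @($ids) | Sort-Object
}

# The constructed sample yields four HID hardware IDs, vendor 045E, interface 00, in two install sections.
Get-InfHardwareId -InfText $SampleModelsSection |
    Format-Table Kind, Id, InstallSection, VendorId, ProductId, Interface -AutoSize
# Live query (name pattern is an assumption): Get-DeviceAllowList -NamePattern '*Keyboard*'
```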
Overview of Hardware Troubleshooting 431
2. Turn on the Wi-Fi and/or Bluetooth receiver by using the computer’s switches or keyboard shortcuts.
Note: On some computers, you cannot independently enable or disable Wi-Fi and Bluetooth.
3. Ensure that Flight mode is turned off, because it disables all radio receivers.
4. Use Device Manager to verify, and if necessary update, the drivers for the computer’s Wi-Fi and/or Bluetooth modules.
5. For Bluetooth devices, use the Bluetooth section in the Settings app to configure:
●● Discovery. Enable discovery to ensure that the computer is visible. Additionally, you might need to enable discovery (sometimes also known as visibility) on peripheral devices.
●● Connections. Enable the Allow Bluetooth devices to find this PC setting. Optionally, you can select the Alert me when a new Bluetooth device requests to connect setting.
●● Pairing. Some peripherals also require that you pair them with your computer. This process requires that the computer and the device exchange a passcode or key to establish the partnership. You might need to initiate pairing on the computer or on the peripheral.
Note: The device manufacturer often defines a device’s passcode. For example, a Bluetooth headset does not provide you with a mechanism for defining a passcode. However, 0000 or 0001 is often the default passcode. For more information, refer to the vendor documentation.
6. For Wi-Fi devices, follow standard wireless troubleshooting techniques:
●● Ensure that the devices are close enough for their signals to reach each other.
●● Configure the devices to use the same wireless protocol and security settings.
●● Investigate possible sources of interference.
Note: Some Bluetooth peripheral devices, such as wireless mouse devices and keyboards, often come with a small Bluetooth module that you insert into a USB port on your computer. This USB Bluetooth module allows you to use cordless devices without needing a built-in Bluetooth module.
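The radio, driver and pairing state that the steps above ask you to verify can be collected in one pass before changing any setting. The script below is an added example and is not part of the course; it assumes Windows 10 with the NetAdapter and PnpDevice modules and an elevated window. The Kernel-PnP event ID used for "device had a problem starting" (411) is taken from that log's event set and is an assumption to confirm against your own Event Viewer.

```powershell
# Added example (not from the course): snapshot Wi-Fi and Bluetooth state.
# Assumes Windows 10, NetAdapter and PnpDevice modules, elevated window.

# Radio adapters as Windows sees them. A 'Disabled' or 'Not Present' adapter
# points at the hardware switch, keyboard shortcut or Flight mode steps.
'--- Wi-Fi adapters ---'
Get-NetAdapter -Physical |
    Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' -or $_.InterfaceDescription -match 'Wi-?Fi|Wireless' } |
    Select-Object Name, InterfaceDescription, Status, DriverVersion, DriverDate |
    Format-Table -AutoSize

# Driver, connected network and signal strength for the WLAN interface
# (the same detail Device Manager and the Wi-Fi settings page show).
'--- WLAN interface detail ---'
netsh wlan show interfaces

# Bluetooth adapter and paired peripherals. Any Status other than 'OK' points
# at the driver step; a device with no friendly name usually never finished
# pairing.
'--- Bluetooth devices ---'
Get-PnpDevice -Class Bluetooth -PresentOnly |
    Select-Object FriendlyName, Status, InstanceId |
    Sort-Object Status, FriendlyName |
    Format-Table -AutoSize

# Kernel-PnP logs every device start and start failure. Event ID 411 is
# assumed here to be "device had a problem starting"; confirm against the log.
'--- Recent PnP start failures for radio devices (last 7 days) ---'
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Kernel-PnP/Configuration'
    Id        = 411
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'BTH|Bluetooth|WLAN|Wi-?Fi|802\.11' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Run it once before and once after each troubleshooting step; the two snapshots make it clear which step changed the adapter status or cleared the PnP start failures.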
The Event Viewer tool has many built-in logs, including the Application, Security, Setup, System, and
Forwarded Events logs. Event Viewer also includes Applications and Services logs, which store events from a
single application or a component. This category of logs includes four subtypes:
●● Admin. Admin logs are helpful for IT professionals who use the Event Viewer to troubleshoot problems.
These logs provide guidance about how to respond to issues, and primarily target end users,
administrators, and support personnel. The events found in admin logs indicate a problem that has a
well-defined solution that an administrator can implement.
●● Operational. Events in an operational log also are useful for IT professionals, but they often require
more interpretation. You can use operational events for analyzing and diagnosing a problem or
occurrence, and trigger tools or tasks based on the problem or occurrence.
●● Analytic and Debug. Analytic and debug logs are not as user-friendly as admin and operational logs.
Analytic logs store events that trace an issue, and they often log a high volume of events. Developers
use debug logs when debugging applications. Analytic and debug logs are not visible by default. If
you want to review them, you first must configure Event Viewer to display them.
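The four log subtypes above are exposed by Get-WinEvent as the LogType of each log, which makes it possible to see at a glance how many analytic and debug logs exist and whether they are enabled, and to switch one on only for the duration of a reproduction. The script below is an added example and is not part of the course; it assumes Windows 10, an elevated window, and the built-in wevtutil tool. The log name you enable is a parameter you choose from the listing, not a fixed assumption.

```powershell
# Added example (not from the course): Applications and Services logs by
# subtype, on-demand enabling of an analytic/debug log, and admin-level triage.
# Assumes Windows 10, elevated window, wevtutil present.

# LogType carries the same four subtypes the text lists: Administrative,
# Operational, Analytical and Debug. Analytical and Debug logs ship disabled,
# which is why Event Viewer hides them until you choose to show them.
function Get-ServiceLogSummary {
    Get-WinEvent -ListLog 'Microsoft-Windows-*' -ErrorAction SilentlyContinue |
        Group-Object LogType |
        ForEach-Object {
            [pscustomobject]@{
                LogType = $_.Name
                Logs    = $_.Count
                Enabled = @($_.Group | Where-Object { $_.IsEnabled }).Count
            }
        }
}

# Enable (or disable) one analytic/debug log around a reproduction. Pick the
# name from Get-WinEvent -ListLog output; it is a parameter, not assumed.
function Set-AnalyticLogState {
    param(
        [Parameter(Mandatory)] [string]$LogName,
        [switch]$Disable
    )
    $enabled = -not $Disable
    # wevtutil sl = set-log; /e = enabled; /q = suppress the confirmation prompt.
    wevtutil sl "$LogName" /e:$($enabled.ToString().ToLower()) /q:true
    Get-WinEvent -ListLog $LogName | Select-Object LogName, LogType, IsEnabled
}

# Admin-level triage: Critical (1), Error (2) and Warning (3) events from the
# System log over the last day, grouped by provider so the noisiest source
# stands out before you read individual messages.
function Get-RecentSystemErrors {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System'
        Level     = 1, 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Group-Object ProviderName |
        Sort-Object Count -Descending |
        Select-Object Count, Name -First 10
}

# Usage
Get-ServiceLogSummary  | Format-Table -AutoSize
Get-RecentSystemErrors | Format-Table -AutoSize
# Set-AnalyticLogState -LogName '<analytic log chosen from the listing>'
# ... reproduce the problem ...
# Set-AnalyticLogState -LogName '<the same log>' -Disable
```

Analytic logs can fill quickly, as the text notes, so disable the log again as soon as the reproduction is captured; leaving it on is the usual reason a trace log is found full of unrelated events later.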
Windows PowerShell
You can view detailed information about connected devices, as well as enable or disable connected
devices, by using Windows PowerShell. You can view information about all connected devices by running
the Get-PnpDevice cmdlet. You can view detailed information about a specific connected device, such as
a mouse, by typing the following command at a Windows PowerShell prompt, and then pressing Enter:
Get-PnpDevice -FriendlyName "HID-compliant mouse" | Format-List
Centralized inventory
You can use additional products or services, for example System Center 2012 R2 Configuration Manager
Service Pack 1 (SP1) or Microsoft Intune, to gather hardware information from devices in your company.
You can review this information, and then generate reports or perform various actions, as needed, based
on the device hardware.
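The same Get-PnpDevice cmdlet, together with Disable-PnpDevice and Enable-PnpDevice, is enough to build a small per-computer hardware inventory and to reset a misbehaving device without a restart, which is useful where no Configuration Manager or Intune collection is in place. The script below is an added example and is not part of the course; it assumes Windows 10 with the PnpDevice module and an elevated window, and the CSV output path is a constructed default.

```powershell
# Added example (not from the course): hardware inventory, problem devices and
# a device reset, all built on the PnpDevice module.
# Assumes Windows 10, PnpDevice module, elevated window.

function Get-HardwareInventory {
    Get-PnpDevice -PresentOnly | ForEach-Object {
        $id   = $_.InstanceId
        $prop = { param($k) (Get-PnpDeviceProperty -InstanceId $id -KeyName $k -ErrorAction SilentlyContinue).Data }
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Class        = $_.Class
            FriendlyName = $_.FriendlyName
            Status       = $_.Status                          # OK, Error, Degraded, Unknown
            ProblemCode  = & $prop 'DEVPKEY_Device_ProblemCode' # Device Manager code, 0 when healthy
            Driver       = & $prop 'DEVPKEY_Device_DriverVersion'
            DriverDate   = & $prop 'DEVPKEY_Device_DriverDate'
            InstanceId   = $id
        }
    }
}

# Devices that are not healthy, with their Device Manager problem code
# (for example 28 = drivers not installed, 43 = device reported a failure).
function Get-ProblemDevices {
    Get-HardwareInventory | Where-Object { $_.Status -ne 'OK' }
}

# Disable, then re-enable, one device to reset it without a reboot. The
# default friendly name is the mouse example from the text. -Confirm:$false
# suppresses the prompt, so reserve this function for scripted use.
function Reset-PnpDevice {
    param([string]$FriendlyName = 'HID-compliant mouse')
    $dev = Get-PnpDevice -PresentOnly -FriendlyName $FriendlyName | Select-Object -First 1
    if (-not $dev) { throw "No present device named '$FriendlyName'" }
    Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
    Enable-PnpDevice  -InstanceId $dev.InstanceId -Confirm:$false
    Get-PnpDevice -InstanceId $dev.InstanceId | Select-Object FriendlyName, Status
}

# Usage: one CSV per computer (constructed path) for central collection, and
# a quick view of anything that needs attention now.
Get-HardwareInventory |
    Export-Csv -Path "$env:TEMP\hwinventory-$env:COMPUTERNAME.csv" -NoTypeInformation
Get-ProblemDevices | Format-Table Class, FriendlyName, Status, ProblemCode -AutoSize
```

Collecting the CSVs from several computers and comparing the Driver and DriverDate columns for the same device class is a quick way to spot the one machine whose driver differs from the rest, which is often the one reporting problems.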
Lesson Objectives
After completing this lesson, you will be able to:
●● Apply device-replacement considerations.
●● Identify the most vulnerable hardware devices.
●● Apply the guidelines for replacing hardware.
●● Diagnose memory problems.
●● Diagnose and troubleshoot disk problems.
Replacing Devices
You should be aware that computers are only tools, which allow users to perform their jobs. If a computer
fails, the user likely will not be able to perform his or her job, and because of that, you should repair the
computer as soon as possible. If you determine that the estimated recovery time is longer than is
acceptable, it often is faster and more efficient to replace the computer. Many organizations have SLAs
and warranties with hardware vendors in place. Therefore, before you replace defective hardware,
consider any procedures that your SLAs mandate must occur before you can obtain replacement
hardware. By following them, you could fix your hardware problem more quickly, and reduce the impact
on your users’ productivity and your organization’s budget. You also should remember to check for basic
issues before attempting to replace hardware devices.
Troubleshooting Physical Failures 437
SLAs
An SLA can specify what to do when hardware fails, and how to log a failure incident with your
organization’s service desk. The SLA also can dictate the expected response and replacement time for device
replacement. Procedures also must be in place to ensure that sufficient spare hardware devices are
available. Some companies maintain a hardware list of the available spare devices.
Warranties
Most hardware vendors include a warranty with their products. The warranty generally lasts for an initial
period, such as 12 months, and covers the hardware against failure during that period. A basic warranty
often includes a next-business-day response for device replacement. For a fee, most hardware vendors
offer additional warranty services with shorter response and replacement times. A typical option may
specify a four-hour telephone response time, with an engineer scheduled to visit the site within eight
hours to provide an on-site fix. Ensure that SLAs cover warranty agreements or other contracts with the
manufacturer or hardware vendor.
Escalation procedures
Providing appropriate escalation procedures and resources can be as simple as providing a contact
telephone number for the hardware vendor. However, most procedures also should include providing a
customer account number for the vendor, a specific contact name, and any pertinent contract details.
This makes service-desk employees aware of agreed-upon response times.
Issues with data security
If you need to replace a hard disk due to a hardware problem, you might need to return the broken disk
to the manufacturer. If so, check your organization’s security requirements for removing sensitive or
confidential data from the hard disk before you return it.
Solid-state drives
Many devices, including tablets and some laptops, have SSDs. This technology differs from traditional
hard drives and offers benefits to users in terms of physical device size, speed, and, to some extent,
power consumption. Although there are no moving parts, SSDs can fail, often resulting in data loss. Every
time the operating system writes to an SSD, it uses memory cells to store the data. These cells can
wear out after extensive write operations, resulting in errors or even drive failure. Some drives offer
error-checking memory cells, which can help to mitigate data errors, and some users report more problems
with larger drives. However, it is important not to consider SSDs a fail-safe storage solution.
Power supplies
The power supply converts mains alternating current (AC) into the low-voltage direct current (DC) that a device can use. A
failing power supply can cause erratic behavior, including devices restarting randomly, memory errors, or
power being supplied to some devices and not others. Symptoms of power supply problems can include:
●● No indicator lights, disk action, or screen display.
●● On/Off indicator lights are visible, but there is no disk action or screen display.
●● The system produces a continuous beep.
Optical drives
Optical drives such as CD and DVD drives tend to have shorter lifetimes compared to other hardware
devices, and the MTBF is lower than that for a hard disk drive. Most hardware manufacturers provide a
one-year guarantee on optical drives and a three-year guarantee on hard drives.
The media quality in optical drives is a significant factor in the length of the optical drive’s life:
●● Higher-quality media can increase a device’s life.
●● Unclean media could reduce the device’s life.
Software settings also can affect optical drives. Using a high maximum write speed can result in a greater
number of irreparable and subsequently unusable disks, compared to using slower write speeds. Optical
drives can fail due to vibration because they require precise optical alignment in the device to work
properly. You can cause vibration by moving the computer while it is in use, or by operating the
computer in a location that is not stable. Excessive dust, another environmental factor, also can damage
optical drives.
Cooling fans
The most common cause of cooling fan failures is dust building up inside the computer and around the
fan area. This accumulation can lead to failures in the fan bearings, motor, or power supply. Cooling fan
failure can cause the system to fail because of overheating.
System memory
Memory problems can occur because of heat, power surges, or static electricity. You can use the Windows
Memory Diagnostics Tool to help identify and resolve memory issues.
Root-cause analysis
Before you replace failed hardware devices, you should try to determine the root cause of the failure so
that you can prevent the same issue from damaging the replacement device. The root cause could be
environmental, such as heat or moisture-related failures. For example, devices placed in direct sunlight,
with poor ventilation, or in a damp location where there might be condensation, could fail after a short
time. Alternatively, the root cause could be behavioral, such as users knocking or kicking the computer.
Static-electricity issues
Because of the risks that static electricity poses to devices, such as degradation of system memory, it is
important that you observe static-electricity guidelines, and that you train your IT staff accordingly.
Initiate compulsory maintenance procedures, and ensure that you use antistatic kits, which are
inexpensive and available from numerous hardware manufacturers. Hardware vendors operate professional
hardware-qualification programs that include detailed information about antistatic maintenance
precautions. Additionally, ensure that IT staff wear grounding straps when working with sensitive components.
Windows 10 compatibility
When you purchase a new computer, verify that it is Windows 10 compatible. All hardware components
in a Windows 10 compatible computer have been tested and verified as optimized to run the
Windows 10 operating system.
Note: To determine which devices are compatible with Windows 10, refer to the Windows Compatibility
Center at: http://aka.ms/m5karm
If the Windows Memory Diagnostics tool identifies a memory problem, Windows 10 avoids using the
affected part of the physical memory, so that the operating system can start successfully and avoid app
failures. In most cases, Windows 10 automatically detects possible problems with a computer’s memory
and displays a notification that asks whether to run the Windows Memory Diagnostics tool. You also can
start the Windows Memory Diagnostics tool from Windows 10, from the Windows Recovery Environment,
or from Windows 10 installation media. Windows 10 prevents direct access to computer memory, so the
Windows Memory Diagnostics tool can test the memory only if Windows 10 is not running. If you start
the tool from Windows, you can restart the computer and check for memory problems immediately, or
you can schedule the tool to run when the computer next restarts.
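Scheduling the memory test for the next restart, reading its result afterwards, and seeing the memory pages that Windows 10 then excludes from use can all be done from an elevated PowerShell window. The script below is an added example and is not part of the course; it assumes Windows 10 with bcdedit available. The {memdiag} and {badmemory} BCD objects are the built-in identifiers for the diagnostic entry and the bad-memory list; the "no errors" event ID (1201) from the MemoryDiagnostics-Results provider is an assumption to confirm against your own System log.

```powershell
# Added example (not from the course): schedule Windows Memory Diagnostics,
# read its result, and show the excluded-memory list.
# Assumes Windows 10, elevated window, bcdedit present.

# {memdiag} is the built-in BCD entry for the diagnostics tool. /bootsequence
# runs it once at the next start and then returns to the normal boot order,
# which is the "check for memory problems at the next restart" choice the
# tool's own dialog offers.
function Register-MemoryTest {
    bcdedit /bootsequence '{memdiag}'
}

# After the restart, the result is written to the System log under this
# provider. ID 1201 is assumed to be the "no errors" result; anything else
# from the same provider needs the message text read.
function Get-MemoryTestResult {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-MemoryDiagnostics-Results'
    } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 1201) { 'No errors detected' } else { 'Read message' } } },
            Message
}

# {badmemory} holds the page list that the boot loader keeps Windows 10 off
# when a test has found bad cells; an empty list means nothing is excluded.
function Get-ExcludedMemory {
    bcdedit /enum '{badmemory}'
}

# Usage (run Register-MemoryTest, restart, then the two readers):
# Register-MemoryTest
Get-MemoryTestResult | Format-List
Get-ExcludedMemory
```

If the excluded list is non-empty on a machine that otherwise seems healthy, treat the module as failing rather than fixed: the exclusion keeps the operating system starting, as the text explains, but the cells are still bad and the module should be replaced.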
the data on other disks in the group. If a computer fails and you need to move a dynamic disk to a
different Windows 10 computer, the target computer considers the moved dynamic disk to be foreign,
because it does not know anything about the moved disk’s database. When Disk Management displays
the status of a moved disk as Foreign, you must right-click the disk, and then select Import Foreign Disk.
This option renames and updates the database on the moved disk, and then adds the information about
the disk group to the registry. When you are moving multi-disk volumes, such as spanned, striped, or
mirrored volumes, you must simultaneously move all disks that are part of these volumes. If you move
only one or some of these disks, the volume is inaccessible until you move all remaining disks in that
volume.
Note: If you repair a disk that was part of a storage space and then move it to a different computer, Disk
Management will classify it as Foreign.
Note: Windows 10 includes support for SMART. If you use disk drives that support SMART, Windows 10
can monitor them proactively and warn you to perform a backup before an expected disk failure. You can
use the WMIC (Windows Management Instrumentation Command-line) command wmic diskdrive get status
at a command prompt to view the status that a disk reports to the operating system.
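The status that wmic diskdrive get status prints comes from the Win32_DiskDrive class, and the SMART failure prediction behind it is exposed separately by the storage drivers and the Storage module. The script below is an added example and is not part of the course; it assumes Windows 10 with an elevated window and the Storage module, and the mapping between the driver-level instance names and disk PNPDeviceIDs is an assumption that holds for typical disks but should be checked on unusual controllers. It gathers the same status as wmic, the SMART prediction flag, and the wear and error counters, and flags any disk that should be backed up before it fails.

```powershell
# Added example (not from the course): disk health from the same sources the
# operating system uses for its "back up before failure" warning.
# Assumes Windows 10, elevated window, Storage module.
function Get-DiskHealthReport {
    # Win32_DiskDrive.Status is exactly what "wmic diskdrive get status" prints
    # ("OK", or "Pred Fail" when SMART predicts failure).
    $drives = Get-CimInstance -ClassName Win32_DiskDrive

    # Driver-level SMART prediction flag, keyed by the disk's PNPDeviceID.
    # The trailing "_0" strip is an assumption about how InstanceName is formed.
    $predict = @{}
    Get-CimInstance -Namespace root\wmi -ClassName MSStorageDriver_FailurePredictStatus -ErrorAction SilentlyContinue |
        ForEach-Object { $predict[($_.InstanceName -replace '_0$', '')] = $_.PredictFailure }

    # Storage-module counters: SSD wear, temperature and error totals, keyed
    # by disk number (assumed to match Win32_DiskDrive.Index).
    $counters = @{}
    Get-PhysicalDisk | ForEach-Object {
        $counters[$_.DeviceId] = $_ | Get-StorageReliabilityCounter -ErrorAction SilentlyContinue
    }

    foreach ($d in $drives) {
        $r       = $counters[[string]$d.Index]
        $failing = ($d.Status -ne 'OK') -or [bool]$predict[$d.PNPDeviceID]
        [pscustomobject]@{
            Index          = $d.Index
            Model          = $d.Model
            Status         = $d.Status
            PredictFailure = [bool]$predict[$d.PNPDeviceID]
            WearPercent    = $r.Wear
            TemperatureC   = $r.Temperature
            ReadErrors     = $r.ReadErrorsTotal
            WriteErrors    = $r.WriteErrorsTotal
            PowerOnHours   = $r.PowerOnHours
            # The action the text recommends when SMART predicts a failure.
            Action         = if ($failing) { 'Back up now and replace' } else { '' }
        }
    }
}

# Usage
Get-DiskHealthReport | Format-Table -AutoSize
```

Rising ReadErrors or WriteErrors between two runs a few days apart is an earlier warning than the Status field, which only changes once the drive's own SMART thresholds are crossed.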
Practice Labs and Module Review 445
Summary
During this lab, you will learn how to recover a Windows 10 device by using a Restore Point.
Scenario
One of your colleagues reports that, after installing a hardware driver, his device is no longer responsive.
You have decided to see whether you can reproduce the same circumstances on SEA-CL1, but you need to
ensure that you can return to a previous working state.
Summary
In this lab, you will learn how to use the Windows Memory Diagnostics Tool to check for memory problems
on a Windows 10 device.
Scenario
SEA-CL1 is still exhibiting blue screen and performance symptoms. You decide to check for memory
problems by using the Windows Memory Diagnostics Tool.
Module Review
Check Your Knowledge
1. You are an IT Support professional for an architectural firm. You are connecting an optical device for a
CAD application to a Windows 10 workstation. Which of the following is not a way to obtain a valid
driver for a device?
A. Media that came with the device
B. Manufacturer's website
C. Windows 10
D. Windows Update
E. All mentioned are valid
2. While troubleshooting a Windows 10 computer, you start in Safe Mode. Which of the following
devices will be accessible? (select four)
A. Mouse
B. Floppy disk
C. Network Adapter
D. Hard disk
E. CD or DVD drive
F. Printer
3. You work in a highly secure environment. As an IT Support professional, you have been asked to
configure a group policy that will prevent anyone from using any external storage device on your
Windows 10 computers. Which Group Policy setting will accomplish this without restricting allowed
devices?
A. Prevent installation of removable devices
B. Prevent installation of devices using drivers that match these device setup classes
C. Allow administrators to override Device Installation Restrictions policies
D. Prevent installation of devices not described by other policy settings
4. New company policy restricts USB device installation. Restricting USB device installation can benefit
hardware support but it can also cause issues. Which of the following is not an issue created by
restricting USB device installation?
A. More complicated levels of data security
B. Misdiagnosed faults
C. Policy management
D. USB 2 and USB 3 support
E. None mentioned
5. A user installed a new hardware device and now is reporting problems. Based on best practices, which
of the following tools are used to perform initial hardware-related troubleshooting? (select two)
A. The System Information tool
B. The Reliability and Performance Monitor tools
C. The Event Viewer tool
D. The Windows Memory Diagnostics tool
E. The Device Manager tool
6. A user reports problems with a computer. After starting the troubleshooting process, you determine
that the estimated recovery time will be longer than is acceptable. Other than recovery time, which of
the following should be taken into account before replacing a computer or device?
A. SLAs
B. Warranties
C. Escalation procedures
D. Issues with data security
E. All mentioned
7. A user reports that something on their computer is preventing Windows from starting. On further
investigation you determine that apps are closing randomly and Stop errors are appearing on blue
screens. Which Windows 10 tool can you use to gather information and resolve these issues?
A. The Event Viewer tool
B. Windows PowerShell
C. The Device Manager tool
D. The System Information tool
E. The Reliability and Performance Monitor tools
F. The Windows Memory Diagnostics tool
8. A Windows 10 computer in the Human Resources department stores important data. You need to
create redundant storage for this data. The computer has two available disks. Which two types of
redundant storage can you create? (select two)
A. Mirrored volumes
B. Parity
C. Three-way mirrors
D. Two-way mirror
E. Disk Striping
Answers: 1) E 2) A,B,D,E 3) D 4) A 5) C,E 6) E 7) F 8) A,D