
MCT USE ONLY. STUDENT USE PROHIBITED


OFFICIAL MICROSOFT LEARNING PRODUCT

20697-1B
Installing and Configuring Windows 10
ii Configuring Windows 8.1

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
email addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.

© 2014 Microsoft Corporation. All rights reserved.


Microsoft and the trademarks listed at http://www.microsoft.com/en-us/legal/intellectualproperty/trademarks/en-us.aspx
are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20697-1B

Part Number: X20-83315

Released: 01/2016
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. "Authorized Learning Center" means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. "Authorized Training Session" means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. "Classroom Device" means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. "End User" means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of an MPN Member, or (iii) a Microsoft full-time employee.

e. "Licensed Content" means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. "Microsoft Certified Trainer" or "MCT" means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. "Microsoft Instructor-Led Courseware" means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. "Microsoft IT Academy Program Member" means an active member of the Microsoft IT Academy
Program.

i. "Microsoft Learning Competency Member" means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. "MOC" means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. "MPN Member" means an active Microsoft Partner Network program member in good standing.

l. "Personal Device" means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. "Private Training Session" means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. "Trainer" means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) an MCT.

o. "Trainer Content" means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft OneNote packs, classroom setup guide and
Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed, not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
"customize" refers only to changing the order of slides and content, and/or not using all the slides or
content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party code or content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code or content are included
for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplement the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earlier ("Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.


a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to:
o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French (rendered here in English).

DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is provided "as is". Any use of
this Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may have additional
rights under local consumer protection law, which this agreement cannot change. Where permitted by local
law, the implied warranties of merchantability, fitness for a particular purpose and non-infringement are
excluded.

LIMITATION ON AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and
its suppliers compensation for direct damages only, up to US$5.00. You cannot claim any compensation for
other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
o anything related to the Licensed Content, services or content (including code) on third party Internet
sites or in third party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the extent
permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of any
kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws of
your country. This agreement does not change the rights conferred on you by the laws of your country if
those laws do not permit it to do so.

Revised July 2013



Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Andrew Warren Content Developer/Technical Reviewer


Andrew Warren has more than 25 years of experience in the IT industry, many of which he has spent
teaching and writing. He has been involved as a subject matter expert for many of the Windows Server
2012 courses, and as the technical lead on many Windows 8 courses. He also has been involved in
developing TechNet sessions on Microsoft Exchange Server. Andrew is based in the United Kingdom,
where he runs his own IT training and education consultancy.

Slavko Kukrika Content Developer/Technical Reviewer


Slavko Kukrika has been a Microsoft Certified Trainer (MCT) for more than 15 years. He holds many
technical certifications, and he is honored to be a Microsoft Most Valuable Professional (MVP). Slavko
specializes in Windows operating systems, Active Directory Domain Services (AD DS), and virtualization.
He has worked with Windows 8 since it was first available publicly, and he helped several mid-size
customers migrate to Windows 8. Slavko regularly presents at technical conferences, and he is the author
of several Microsoft Official Courses. In his private life, Slavko is the proud father of two sons, and he tries
to extend each day to at least 25 hours.

Claus Jacob Wordenskjold Content Developer


Claus Jacob Wordenskjold is an independent consultant and trainer based in Denmark. He founded his
company, Chinchilla Data, in 1995, and he has more than 25 years of IT experience. Claus has been an MCT
since 2002, and he has delivered training throughout Europe. He specializes in Windows Client and
Windows Server courses, and also conducts training in Microsoft SharePoint. Claus holds certifications for
every Windows operating system since Windows 2000, and he provides consulting services on Windows
Server, AD DS, and Group Policy. Claus has been a speaker at Danish Microsoft events and has authored
several Windows-related courses.

Dave Franklyn Content Developer


David M. Franklyn, MCT, Microsoft Certified Solutions Expert (MCSE), Microsoft Certified IT Professional
(MCITP), Microsoft MVP, and Windows Expert-IT Pro, is a Senior IT Trainer and Consultant at Auburn
University in Montgomery, Alabama, and is the owner of DaveMCT, Inc. LLC. He is also Adjunct Faculty
with MyITStudy.com. Dave, who has been teaching at Auburn since 1998, is an Eastern USA Regional Lead
MCT, and has been a Microsoft MVP since 2011. Dave has worked with computers since 1976, having
started out in the mainframe world and moving early into the networking arena. Before joining Auburn
University, Dave spent 22 years in the US Air Force as an electronic communications and computer
systems specialist, before retiring in 1998. Dave is president of the Montgomery Windows IT Professional
Group, and is a guest speaker at many events involving Microsoft products.

Orin Thomas Content Developer

Orin Thomas is an MVP, an MCT, and has a string of Microsoft MCSE and MCITP certifications. He has
written more than 20 books for Microsoft Press, and he is a contributing editor for Windows IT Pro
magazine. Orin, who has worked in IT since the early 1990s, is a regular speaker at events such as TechEd
in Australia, and at events around the world on the topics of Windows Server, Windows Client, System
Center, and security. Orin founded and runs the Melbourne System Center Users Group.

Contents
Module 1: Overview of Windows 10
Module Overview 1-1
Lesson 1: Introducing Windows 10 1-2
Lesson 2: Navigating the Windows 10 User Interface 1-11
Lab: Navigating and Customizing the User Interface 1-16
Module Review and Takeaways 1-20

Module 2: Installing Windows 10
Module Overview 2-1
Lesson 1: Installing Windows 10 2-2
Lesson 2: Upgrading to Windows 10 2-16
Lab: Installing Windows 10 2-26
Module Review and Takeaways 2-30

Module 3: Configuring Your Device
Module Overview 3-1
Lesson 1: Overview of Tools You Can Use to Configure Windows 10 3-2
Lab A: Configuring Windows 10 3-16
Lesson 2: Common Configuration Options 3-21
Lesson 3: Managing User Accounts 3-28
Lesson 4: Using OneDrive 3-35
Lab B: Synchronizing Settings with OneDrive 3-40
Module Review and Takeaways 3-44

Module 4: Configuring Network Connectivity
Module Overview 4-1
Lesson 1: Configuring IP Network Connectivity 4-2
Lesson 2: Implementing Name Resolution 4-17
Lesson 3: Implementing Wireless Network Connectivity 4-25
Lesson 4: Overview of Remote Access 4-29
Lab: Configuring Network Connectivity 4-33
Module Review and Takeaways 4-38

Module 5: Managing Storage
Module Overview 5-1
Lesson 1: Overview of Storage Options 5-2
Lesson 2: Managing Disks, Partitions, and Volumes 5-7
Lesson 3: Maintaining Disks and Volumes 5-19
Lesson 4: Managing Storage Spaces 5-28
Lab: Managing Storage 5-33
Module Review and Takeaways 5-38

Module 6: Managing Files and Printers
Module Overview 6-1
Lesson 1: Overview of File Systems 6-3
Lesson 2: Configuring and Managing File Access 6-9
Lesson 3: Configuring and Managing Shared Folders 6-21
Lab A: Configuring and Managing Permissions and Shares 6-29
Lesson 4: Work Folders 6-36
Lab B: Configuring and Using Work Folders 6-41
Lesson 5: Managing Printers 6-44
Lab C: Installing and Managing a Printer 6-51
Module Review and Takeaways 6-54

Module 7: Managing Apps in Windows 10
Module Overview 7-1
Lesson 1: Overview of Providing Apps to Users 7-2
Lesson 2: The Windows Store 7-8
Lab A: Installing and Updating Apps from the Windows Store 7-13
Lesson 3: Web Browsers 7-17
Lab B: Configuring Windows 10 Web Browsers 7-29
Module Review and Takeaways 7-33

Module 8: Managing Data Security
Module Overview 8-1
Lesson 1: Overview of Data-Related Security Threats 8-2
Lesson 2: Securing Data with EFS 8-5
Lesson 3: Implementing and Managing BitLocker 8-12
Lab: Managing Data Security 8-26
Module Review and Takeaways 8-29



Module 9: Managing Device Security
Module Overview 9-1
Lesson 1: Using Security Settings to Mitigate Threats 9-2
Lesson 2: Configuring UAC 9-7
Lesson 3: Configuring Application Restrictions 9-16
Lab: Managing Device Security 9-24
Module Review and Takeaways 9-29

Module 10: Managing Network Security
Module Overview 10-1
Lesson 1: Overview of Network-Related Security Threats 10-2
Lesson 2: Windows Firewall 10-4
Lesson 3: Connection Security Rules 10-14
Lesson 4: Windows Defender 10-22
Lab: Managing Network Security 10-26
Module Review and Takeaways 10-32

Module 11: Troubleshooting and Recovery
Module Overview 11-1
Lesson 1: Managing Devices and Drivers 11-2
Lesson 2: Recovering Files 11-10
Lesson 3: Recovering Devices 11-18
Lab: Troubleshooting and Recovery 11-29
Module Review and Takeaways 11-37

Module 12: Maintaining Windows 10
Module Overview 12-1
Lesson 1: Updating Windows 12-2
Lesson 2: Monitoring Windows 10 12-12
Lesson 3: Optimizing Performance 12-19
Lab: Maintaining Windows 10 12-29
Module Review and Takeaways 12-35



Lab Answer Keys
Module 1 Lab: Navigating and Customizing the User Interface L1-1
Module 2 Lab: Installing Windows 10 L2-5
Module 3 Lab A: Configuring Windows 10 L3-9
Module 3 Lab B: Synchronizing Settings with OneDrive L3-15
Module 4 Lab: Configuring Network Connectivity L4-19
Module 5 Lab: Managing Storage L5-25
Module 6 Lab A: Configuring and Managing Permissions and Shares L6-29
Module 6 Lab B: Configuring and Using Work Folders L6-36
Module 6 Lab C: Installing and Managing a Printer L6-39
Module 7 Lab A: Installing and Updating Apps from the Windows Store L7-43
Module 7 Lab B: Configuring Windows 10 Web Browsers L7-46
Module 8 Lab: Managing Data Security L8-51
Module 9 Lab: Managing Device Security L9-55
Module 10 Lab: Managing Network Security L10-61
Module 11 Lab: Troubleshooting and Recovery L11-67
Module 12 Lab: Maintaining Windows 10 L12-77


About This Course

This section provides a brief description of the course, audience, suggested prerequisites, and course
objectives.

Course Description
This course provides students with the knowledge and skills required to install and configure Windows 10
desktops and devices in a corporate Windows Server domain environment. The skills that this course
details include learning how to install and customize Windows 10 operating systems and apps, and
configure local and remote network connectivity and storage. Students also will learn how to configure
security for data, devices, and networks, and maintain, update, and recover Windows 10.

Audience
This course is for information technology (IT) professionals who administer and support Windows 10
desktops, devices, users, and associated network and security resources. The networks with which these
professionals typically work are configured as Windows Server domain-based environments with
managed access to the Internet and cloud services. Students who seek certification in the 70-697
Windows 10 Configuring exam also will benefit from this course. Additionally, this course builds skills
for Enterprise Desktop/Device Support Technicians who provide Tier 2 support to users who are running
Windows 10 desktops and devices within a Windows domain environment in medium-sized and larger
organizations.

Student Prerequisites
This course requires that you meet the following prerequisites:

Knowledge of networking fundamentals, including TCP/IP, User Datagram Protocol (UDP), and
Domain Name System (DNS).

Knowledge of Active Directory Domain Services (AD DS) principles, and fundamentals of AD DS
management.

Understanding of certificate-based security.

Understanding of Windows Server 2008 or Windows Server 2012 fundamentals.

Understanding of Windows client operating system essentials, such as a working knowledge of
Windows Vista, Windows 7, or Windows 8.

Course Objectives
After completing this course, students will be able to:

Describe the important new features of Windows 10.

Install Windows 10.

Configure a device that is running Windows 10.

Configure network connectivity for a Windows 10 device.

Manage storage in Windows 10.

Manage folders and printers.

Manage apps.

Manage data security.

Manage device security.

Implement Windows 10 features to improve network security.

Monitor and update Windows 10 devices.

Restore files, roll back drivers, and recover Windows 10 devices.

Course Outline
The course outline is as follows:

Module 1, "Overview of Windows 10," describes the Windows 10 operating system. It describes the new
features in Windows 10, and the important changes since Windows 8.1. It describes the use, navigation,
and customization of the enhanced Windows 10 user interface. Additionally, module 1 describes the
Windows 10 features that make it beneficial for organizations of different sizes.

Module 2, "Installing Windows 10," introduces the different editions of Windows 10, and the differences
between them. It describes the requirements and available options for installing Windows 10 on a device,
and provides instructions for installing, or upgrading to, Windows 10. Additionally, module 2 provides
points that you should consider when deciding between an upgrade or migration to Windows 10, and
the supported upgrade paths from older versions of the Windows operating system.

Module 3, "Configuring Your Device," explains how to configure Windows 10 by using tools such as the
Settings app, Control Panel, Windows PowerShell, RSAT, and GPOs. It describes the different types of user
accounts, and the benefits of using a Microsoft account. Module 3 also describes Microsoft OneDrive and
its integration with Windows 10.

Module 4, "Configuring Network Connectivity," explains the use of tools to configure network settings,
including the Settings app, the Network and Sharing Center, and Windows PowerShell. It describes the
differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) settings,
and the benefits of IPv6. Additionally, it describes name resolution and provides an overview of the
DNS service. Lastly, module 4 describes how you can configure wireless connectivity in Windows 10,
and explains remote access methods that are available in Windows 10, such as virtual private networks
(VPNs), DirectAccess, and Remote Desktop.

Module 5, "Managing Storage," provides an overview of storage options, including hard disks, server-
based storage, and virtual hard disks. It describes network storage options, including network-attached
storage (NAS) and storage area networks (SANs), and cloud-based storage options, such as OneDrive and
Microsoft Azure Storage. Additionally, module 5 describes the management and maintenance of disks,
partitions, and volumes, and the configuration and use of the Storage Spaces feature.

Module 6, "Managing Files and Printers," provides an overview of the file systems that Windows 10
supports. It explains how to configure file permissions, the effect of file permissions, how explicit and
inherited permissions work, and how to include user and device claims in access permissions. This
module also explains how to share folders, the tools that you can use to share folders, and the effective
permissions when a user tries to access data in a shared folder that is protected by file permissions. The
last lesson in module 6 describes how to add and share a printer, and how to manage client-side and
server-side printing.

Module 7, "Managing Apps in Windows 10," describes how to install and configure desktop apps and
Windows Store apps in Windows 10. It explains how to install apps manually and automatically, and how
to use Microsoft System Center Configuration Manager and Microsoft Intune to deploy apps. Additionally,
it describes the Windows Store and the way in which you can manage access to it. Lastly, module 7
describes the Internet Explorer 11 and Edge browsers, and explains how to configure and manage both
browsers.

Module 8, "Managing Data Security," explains how the technologies available with Windows 10 work
together to protect against data-related security threats. It provides an overview of these threats, and
discusses possible mitigations and best practices for dealing with them. It describes defense-in-depth
and Encrypting File System (EFS), and how you can use those methods to counter security threats.
Additionally, module 8 describes how to configure, administer, and monitor BitLocker drive encryption.

Module 9, "Managing Device Security," explains how to mitigate security threats with the use of Security
Compliance Manager, the Enhanced Mitigation Experience Toolkit, and security settings in GPOs. It also
describes how to configure and utilize User Account Control (UAC).

Module 10, "Managing Network Security," describes common network-related security threats and
options to mitigate them. It also describes Windows Firewall, Internet Protocol security (IPsec) connection
security rules, and Windows Defender, and how you can configure these tools to manage network
security.

Module 11, "Troubleshooting and Recovery," describes device drivers and how you can use Device
Manager to view, configure, update, and roll back device drivers. It explains the Windows 10 file recovery
methods, including Backup and Restore, File History, and Previous Versions. Additionally, module 11
explains features such as System Restore, Startup Recovery, and System Image Recovery, and describes
how you can use restore points to roll back device configuration.

Module 12, "Maintaining Windows 10," describes Windows Update and Windows Update for Business,
and how you can configure Windows 10 settings to ensure updates occur. It describes how to use
Windows Server Update Services (WSUS), Configuration Manager, or Microsoft Intune to distribute
updates within organizations. Additionally, module 12 explains how to use the Action Center,
Event Viewer, and Performance Monitor in Windows 10.

Course Materials
The following materials are included with your kit:

Course Handbook: a succinct classroom learning guide that provides the critical technical
information in a crisp, tightly-focused format, which is essential for an effective in-class learning
experience.

o Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

o Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

o Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
and skills retention.

o Lab Answer Keys: provide step-by-step lab solution guidance.

Additional Reading: Course Companion Content on the
http://www.microsoft.com/learning/en/us/companion-moc.aspx site: searchable, easy-to-browse
digital content with integrated premium online resources that supplement the Course Handbook.

o Modules: include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.

o Resources: include well-categorized additional resources that give you immediate access to the most
current premium content on TechNet, MSDN, or Microsoft Press.

Additional Reading: Student Course files on the
http://www.microsoft.com/learning/en/us/companion-moc.aspx site: includes the
Allfiles.exe, a self-extracting executable file that contains all required files for the labs and
demonstrations.

Course evaluation: at the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

o To provide additional comments or feedback on the course, send an email to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send an
email to mcphelp@microsoft.com.

Virtual Machine Environment

This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration

In this course, you will use Microsoft Hyper-V to perform the labs.

Note: At the end of each lab, you must revert the virtual machines to a snapshot. You can
find the instructions for this procedure at the end of each lab.

The following table shows the role of each virtual machine that is used in this course:

Virtual machine       Role
20697-1B-LON-DC1      Domain controller in the Adatum.com domain.
20697-1B-LON-CL1      Windows 10 Enterprise client computer in the Adatum.com domain.
20697-1B-LON-CL2      Windows 10 Enterprise client computer in the Adatum.com domain.
20697-1B-LON-CL3      Windows 7 computer in the Adatum.com domain.
20697-1B-LON-CL4      Windows 10 Enterprise client computer in a workgroup.
20697-1B-LON-CL5      A virtual machine that does not have an operating system installed.
20697-1B-LON-SVR1     A member server that is running Windows Server 2012 R2.

Software Configuration
The following software is installed on each VM:

Windows Server 2012 R2

Windows 10 client (Windows 10 Enterprise)

Microsoft Office 2013

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor

Dual 120-gigabyte (GB) hard disks, 7200 RPM Serial ATA (SATA) or better*

8 GB of random access memory (RAM)

DVD drive

Network adapter

Super VGA (SVGA) 17-inch monitor

Microsoft mouse or compatible pointing device

Sound card with amplified speakers

* Striped

Additionally, the instructor's computer must be connected to a projection display device that supports
SVGA 1024x768 pixels, 16-bit colors.

Cloud Accounts Required for this Course

To complete the labs in this course, you will be creating a Microsoft account in Module 3. The Microsoft
account will use the format Your first name plus last initial-20697-1B@outlook.com. When creating the
account, you must provide a birth date and a phone number. You can provide any information for these
values when creating the account, as long as the information uses the correct format.

Note: We do not recommend using preexisting Microsoft accounts for completing the labs
in this course.

Module 1
Overview of Windows 10
Contents:
Module Overview 1-1
Lesson 1: Introducing Windows 10 1-2
Lesson 2: Navigating the Windows 10 User Interface 1-11
Lab: Navigating and Customizing the User Interface 1-16
Module Review and Takeaways 1-20

Module Overview
Windows 10 is the latest version of the client operating system offered by Microsoft. Windows 10 is designed
for touch devices, and it introduces new features and a new interface, which touch-device users will find
more applicable to their needs. Windows 10 builds on the core functionality of both Windows 7 and
Windows 8.1 to provide a stable client experience across a number of processor architectures and device
types. This module introduces the new Windows 10 features and the enhanced user interface.

Objectives
After completing this module, you will be able to:
Describe the important new features of Windows 10.

Navigate and customize the Windows 10 interface.



Lesson 1
Introducing Windows 10
Windows 10 operates across a wide range of devices, including desktop computers, laptops, tablets, and
other touch-enabled devices and phones. To optimize your users' experience, you can choose between
several Windows 10 editions, each of which has slightly different features. This lesson describes the new
features in Windows 10 and provides guidance with respect to navigating and customizing the user
interface.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Windows 10.

Explain the new features available in Windows 10.

Describe the changes to Windows 10 since Windows 8.1.

Explain the benefits of using Windows 10 for small and medium-sized organizations.

Determine whether your organization is ready for Windows 10.

Describe the features for users' own devices in Windows 10.

Determine whether your organization will enable users to connect their own devices to the corporate
network.

Overview of the Windows Client

Windows has been around for almost three decades, and the Windows operating system is widely
adopted within organizations around the world. The Windows operating system is a stable and trusted
platform that users install on server computers, desktop computers, laptops, and other computing
devices.

Periodically, Microsoft creates a new version of their client operating system that capitalizes on the
ongoing changes in computer hardware technology, and which acknowledges changes in the way users
wish to work with their computing devices. These architectural updates often incorporate user-interface
changes. In recent years, Microsoft sought to expand the range of devices that its client operating system
supports.

Windows 8 introduced a touch-centric interface that enabled users to utilize the operating system on
handheld devices, such as tablets, as well as more traditional computing platforms, such as desktop
computers and laptops. At the same time, modifications to the operating system's architecture enabled
support for non-Intel processor-based devices, including devices installed with ARM processors.

Note: ARM provides a lightweight form factor with excellent battery life specifically for
mobile devices. However, please note that Windows 10 does not support ARM.

Windows 8 also supported touch-enabled versions of Microsoft apps, including Microsoft Office.
Additionally, the operating system allowed users to install small, more task-focused apps from an
online store, similar to what users might do with their other computing devices, such as Android
phones and tablets, or the Apple iPhone.

Note: Later sections of this course provide more detail about these small, task-focused
apps, known as Windows Store apps. Windows 10 includes a new Windows Store, from which
users can download and install desktop and Windows Store apps.

Windows 10 is the latest version of Microsoft's client operating system. It offers many improvements
over Windows 7, and provides numerous important enhancements and functional improvements over
Windows 8.1. You can install and run it on a variety of hardware platforms, ranging from traditional
desktop and laptop computers to tablets, phones, and other devices, such as the Xbox.

Note: The Windows 10 hardware requirements, in terms of processor, memory, and disk
space, do not vary greatly from those of Windows 8.1. The next module provides more details
regarding these requirements.

The release of Windows 10 incorporates feedback that Microsoft received from Windows 8.1 users
regarding interacting with the user interface when users installed the operating system on desktop
computers. The operating system now senses its own environment. When it discovers a desktop
computer, Windows 10 runs in desktop mode. In this mode, apps are resizable, and a more familiar,
although enhanced, Start menu is available to navigate the operating system. When running on a tablet,
Windows 10 runs in the tablet mode with apps defaulting to a full-screen layout, and the Start menu
becomes a full-screen app. These subtle changes greatly increase the usability of the operating system.

What's New in Windows 10?

The differences that you notice in Windows 10 depend on the operating system from which you are
transitioning. If you were using Windows 7 previously, Windows 10 is radically different in both
functionality, and in look and feel. If you are using Windows 8.1 currently, you will notice more nuanced
changes in Windows 10.

This topic explores the features that are new or improved in Windows 10 since Windows 7. The
following section highlights some of the most important features and changes:
Start screen and Start menu improvements.
The Start screen represents a significant change in the way users find and interact with apps and
information in Windows 10. The Start screen is tile-based, and its configurable tiles can display live
information and provide an interactive hub experience for users. It has a touch-friendly layout, and is
significantly different from the Windows 7 Start button interface. However, for users with desktop
devices, it displays a more traditional Start menu. This, too, is tile-based and similarly configurable,
but more practical for non-touch devices.

Cloud integration. Windows 10 provides increased integration with cloud-based services and
information. Users signing in to a Windows 10 device can connect instantly to the information
and settings that are important to them. Windows 10 ensures a consistent user experience across
devices, regardless of a specific device's location.

Recovery tools and options:

o Reset this PC. By using the Reset this PC feature, you can return a device to its initial state, or
recover Windows 10 from corrupted operating system files and other errors. When you launch
Reset this PC, you can choose to:
    Keep my files. This option retains your personal files, but removes apps and settings, and
    reinstalls Windows.
    Remove everything. This option removes all personal data, apps, and settings from the
    device, and reinstalls Windows.

o Advanced start-up options. These recovery features enable you to recover Windows 10 from
common errors. Options include:
    Use a device. Enables you to recover Windows by using a universal serial bus (USB) drive,
    network connection, or recovery disk.
    Troubleshoot. Enables you to access Advanced options, including System Restore, System
    Image Recovery, Startup Repair, Command Prompt, and Unified Extensible Firmware
    Interface (UEFI) settings.

Note: A section at the end of this course provides more detail about these recovery
options.

Windows To Go. This feature enables you to supply a fully functioning copy of Windows 10 that users
can start and run from a USB storage device. When users boot from a Windows To Go-enabled USB
device, they get a complete Windows 10 experience, including all of their apps, files, and settings.

Client Hyper-V. Client Hyper-V on Windows 10 provides a flexible and high-performing client
virtualization environment. You can use this environment to use a single device to test applications
and IT scenarios in multiple operating system configurations. By using Client Hyper-V, IT departments
can provide a consolidated and efficient virtual environment through virtual-machine compatibility
with Windows Server 2012 R2.

Note: Client Hyper-V is available in the Windows 10 Pro, Windows 10 Enterprise, and
Windows 10 Education editions. Your computer hardware must support hardware virtualization
and Second Level Address Translation (SLAT). Furthermore, you must ensure that these features
are enabled in the device's BIOS or firmware settings.
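The following Windows PowerShell script is an added example, not part of the course text, that checks the Client Hyper-V prerequisites just described on the local device: the edition, hardware virtualization and SLAT support, whether virtualization is enabled in firmware, and whether the feature is already installed. It assumes Windows PowerShell 5.1 on Windows 10 and an elevated session (Get-WindowsOptionalFeature requires administrator rights); the function name Test-ClientHyperVReadiness is the example's own.

```powershell
# Added example (not course code): report Client Hyper-V readiness on this device.
# Run in an elevated Windows PowerShell 5.1 session on Windows 10.

function Test-ClientHyperVReadiness {
    # Get-ComputerInfo exposes the same hardware checks that the Hyper-V installer
    # and systeminfo.exe perform. Wildcards are accepted in -Property.
    $info = Get-ComputerInfo -Property 'HyperV*', 'WindowsProductName', 'OsArchitecture'

    # Client Hyper-V ships only in the Pro, Enterprise and Education editions.
    $edition = $info.WindowsProductName

    $result = [ordered]@{
        Edition                  = $edition
        EditionSupported         = [bool]($edition -match 'Pro|Enterprise|Education')
        Architecture             = $info.OsArchitecture
        HypervisorAlreadyRunning = [bool]$info.HyperVisorPresent
    }

    if ($info.HyperVisorPresent) {
        # Edge case: once a hypervisor is active (Hyper-V itself or another product),
        # Windows no longer reports the HyperVRequirement* values, because the
        # hardware checks cannot be performed from inside the root partition.
        $result.HardwareChecks = 'Not reported: a hypervisor is already running'
    }
    else {
        # These map directly to the BIOS/firmware and CPU requirements in the note above.
        $result.VirtualizationEnabledInFirmware = $info.HyperVRequirementVirtualizationFirmwareEnabled
        $result.SLAT                            = $info.HyperVRequirementSecondLevelAddressTranslation
        $result.VMMonitorModeExtensions         = $info.HyperVRequirementVMMonitorModeExtensions
        $result.DEPAvailable                    = $info.HyperVRequirementDataExecutionPreventionAvailable
    }

    # Installed state of the feature (Enabled / Disabled). Microsoft-Hyper-V-All
    # covers the platform, the management console and the Hyper-V PowerShell module.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All'
    $result.FeatureState = $feature.State

    [pscustomobject]$result
}

Test-ClientHyperVReadiness | Format-List
```

If every hardware value is True and the edition is supported, the feature can be turned on with Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All (a reboot follows). A False value for VirtualizationEnabledInFirmware with a capable processor is the "not enabled in BIOS" case the note warns about, and is fixed in firmware setup rather than in Windows.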

Support for multiple device types. Windows 10 runs on desktop and laptop computers, tablets and
similar devices, phones, the Xbox platform, and Microsoft HoloLens, thereby providing users with very
extensive access to the Windows 10 environment.

Bring Your Own Device support. Many users have their own personal computing devices, and they
might wish to connect these devices to their corporate networks so that they can access apps and
services, and work with data files. Bring Your Own Device (BYOD) is the ability to connect users'
personal devices to a corporate network. Windows 10 introduces a number of features that improve
the support of users who wish to bring their own devices.

Note: A later section in this lesson provides more information about Bring Your Own
Device support.

Mobility improvements. Windows 10 includes a number of features that improve support for mobile
devices, including:

o Mobile broadband. Windows 10 provides support for embedded wireless radio. This support
helps to improve power efficiency and reduce the size of some devices.

o Broadband tethering. You can turn your Windows 10 device into a Wi-Fi hotspot.

o Auto-triggered VPN. If an app requires access to your company's intranet, Windows 10 can
automatically trigger a virtual private network (VPN) connection.

Security enhancements. These include:

o Remote Business Data Removal. With Windows 10 and Windows Server 2012 R2, you can use
Remote Business Data Removal to classify and flag corporate files, and to differentiate between
these files and user files. With this classification, the remote wipe of a Windows 10 device will not
remove user-owned data when securing or removing corporate data on the device.
o Improved biometrics. Windows 10 provides a number of improvements in the area of biometrics,
including the use of Windows sign-in, remote access, and user account control (UAC).
Furthermore, you can configure biometric authentication to enable Windows Store access.
o Pervasive device encryption. On Microsoft Surface devices, device encryption is enabled by
default, and you can configure additional BitLocker Drive Encryption protection. You also can
enable additional management capability on the Windows 10 Pro and Enterprise editions.

o Malware resistance. Windows Defender now includes network-behavior monitoring that can help
to detect and prevent the execution of known and unknown malware.

o Device lockdown. The Assigned Access feature enables you to restrict the Windows Store app
experience on a device to a specific subset of apps, or even to a single app. This could be a line-
of-business (LOB) app in a kiosk scenario, or a set of educational apps for children in a school
setting.
o Virtual secure mode. This is a secure process-execution environment that Windows 10 introduces.
This execution environment helps protect system processes by running them in a separate,
virtualized container, known as a trustlet, rather than in the operating system itself. Because the
Windows operating system does not have access to these trustlets, processes and data within
them are safer.
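To see how the security enhancements listed above look on a real device, the following Windows PowerShell script is an added example (not part of the course text) that reports the state of device encryption (BitLocker), Windows Defender, and virtual secure mode on the local computer. It assumes an elevated Windows PowerShell 5.1 session on Windows 10; the BitLocker cmdlets exist only on the Pro, Enterprise and Education editions, so their absence is reported rather than treated as an error. The function name Get-DeviceSecurityPosture is the example's own; the cmdlets and the Win32_DeviceGuard WMI class are standard Windows components.

```powershell
# Added example (not course code): summarise device-security posture on this computer.
# Run in an elevated Windows PowerShell 5.1 session on Windows 10.

function Get-DeviceSecurityPosture {
    $report = [ordered]@{}

    # --- Device encryption (BitLocker) ------------------------------------------
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        # A volume can be fully encrypted while protection is suspended, so both
        # VolumeStatus and ProtectionStatus are shown; only ProtectionStatus 'On'
        # means the data is actually protected at rest.
        $report.BitLocker = Get-BitLockerVolume | ForEach-Object {
            [pscustomobject]@{
                Volume           = $_.MountPoint
                VolumeStatus     = $_.VolumeStatus
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($_.KeyProtector.KeyProtectorType -join ', ')
            }
        }
    }
    else {
        $report.BitLocker = 'BitLocker cmdlets are not available on this edition'
    }

    # --- Windows Defender --------------------------------------------------------
    # BehaviorMonitorEnabled is the behaviour-based detection referred to above;
    # a large SignatureAgeDays value means definitions are stale.
    $mp = Get-MpComputerStatus
    $report.Defender = [pscustomobject]@{
        AntivirusEnabled          = $mp.AntivirusEnabled
        RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
        BehaviorMonitorEnabled    = $mp.BehaviorMonitorEnabled
        SignatureAgeDays          = $mp.AntivirusSignatureAge
    }

    # --- Virtual secure mode (virtualization-based security) --------------------
    # Exposed through the Win32_DeviceGuard WMI class.
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not
    # running, 2 = running. SecurityServicesRunning: 1 = Credential Guard,
    # 2 = hypervisor-enforced code integrity (HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $vbsNames = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $svcNames = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
    $report.VirtualSecureMode = [pscustomobject]@{
        Status          = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesRunning = (@($dg.SecurityServicesRunning) | ForEach-Object { $svcNames[[int]$_] }) -join ', '
    }

    [pscustomobject]$report
}

# Example usage: print the three sections.
$posture = Get-DeviceSecurityPosture
$posture.BitLocker         | Format-Table -AutoSize
$posture.Defender          | Format-List
$posture.VirtualSecureMode | Format-List
```

On a Surface device with the default pervasive encryption described above, the operating system volume shows ProtectionStatus On with a Tpm protector; a volume that shows FullyEncrypted but ProtectionStatus Off has had protection suspended and should be investigated. Status NotEnabled for virtual secure mode is normal on hardware that lacks the virtualization support this feature requires.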

What's Changed Since Windows 8.1?

Windows 10 introduces many new and improved features over those available in Windows 8.1,
including:

Interface Improvements. There are numerous interface improvements, in terms of look, feel, and
functionality, including:

o Sign-in improvements. Windows 10 introduces Windows Hello, which supports a number of
biometric sign-in methods, including fingerprint scanning. Windows Hello also allows users to
utilize face recognition to sign in if their device has an approved camera.

Note: For face recognition to function, your device must have an infrared camera. This
enables Windows to verify your identity, and ensure that another person is not trying to sign in to
your account by using your photograph.

o Improved Start. Windows 95 introduced the Start button, which gave users access to a list of
installed programs and links to management tools. Windows 8 replaced the Start menu with a
full-screen Start screen of customizable tiles. Windows 10 provides a hybrid approach: users can
continue using the Start button and its menu, which is vastly improved, or use a full-screen Start,
with customizable tiles, on touch-enabled devices.

o Cortana. Cortana is a search and control assistant that you can control with voice commands,
and was available initially on Windows Phone devices. You can use Cortana to search for your
installed apps, documents, and Internet results. You access Cortana from a search box on the
taskbar or by activating search verbally.

o Continuum. This feature enables Windows to switch between desktop mode and tablet mode, based
on the type of device and its current state. Apps run full screen when Windows 10 is running on a
tablet, and in resizable windows when it is running on a nontouch device, such as a desktop
computer. If you have a convertible device, and you rotate or fold it to act as a tablet, Windows
enables tablet mode. When you return it to a laptop configuration, Windows switches to desktop
mode. You can override this behavior manually.

o Multiple desktops. You can enable multiple desktops even if your device does not have multiple
monitors. This allows you to separate apps and views into distinct desktops. This feature can be
useful when you want to share your desktop during a Skype for Business meeting, but want to
share certain apps only.

o Task switcher. There is a Task View icon in the taskbar that you can use to view the running apps,
and switch between them easily.

o Taskbar improvements. Aside from the Cortana search box and the Task View icon, other running
apps are highlighted with a subtle underline. This reduces the space that a running app occupies
on the taskbar.

o Snap Assist. In Windows 8.1, it was possible to drag apps to split the screen, so that each app
takes up half of the available screen space. In Windows 10, Snap Assist allows you to position
apps in the desktop's four corners, so that up to four apps can each occupy a quarter of the
available space. This is possible partly because all apps, whether they are desktop apps or
Windows Store apps, now run on the desktop when in desktop mode.

Action Center. Many phones and tablet devices provide quick access to commonly used operating-
system features. For example, swiping down the display on an Android phone accesses notifications
and options, such as Wi-Fi, mobile data, and brightness settings. Windows 10 now provides an
improved Action Center, which consolidates the information that was available previously in the
Windows 8.1 Action Center with configurable notifications. You can access the Action Center by
swiping from the right on the desktop or Start screen. This displays a notification list with, at the
bottom of the panel, tiles for actions such as accessing Settings, configuring brightness, enabling
Airplane mode, and other settings.
Universal Windows Platform (UWP) apps. In Windows 8.1, you install desktop apps from local or
network sources and Windows Store apps from the Store, and a Windows Store app and its Windows
Phone counterpart are separate, platform-specific versions. Windows 10 includes a new Windows Store
from which users can download and install both desktop and Windows Store apps. Many of these apps
are universal, which means you can install the same app on multiple hardware platforms, such as an
Intel tablet that is running Windows 10 Pro, the Xbox One, and Windows 10 phones.

Note: Microsoft Office apps, such as Microsoft Office Word and Office Excel, are available
as both desktop apps and Universal Windows apps that share the same code across devices, such
as a PC, a Windows Phone, and an Xbox One.

Microsoft Edge. Internet Explorer is still included in Windows 10, because it is necessary to support
some websites and internal corporate apps that require ActiveX controls. Microsoft also provides a
new browser, Microsoft Edge, which is lighter, faster, more efficient, and designed for touch-enabled
devices. Edge does not support ActiveX controls or other legacy Internet Explorer extension models,
which is one reason it is lighter and also reduces its attack surface. It also is available across
multiple platforms, including Windows Phone, so users will be familiar with the interface when they
switch between their devices.

Consolidated settings. One of the issues with earlier Windows versions is that you must access the
operating-system settings by using a variety of disparate tools and interfaces. However, with Windows
8.1, Microsoft consolidated many settings into a single place: the Settings app. In Windows 10, this
consolidation continues. Many of the settings that are accessible through Control Panel in Windows
8.1 now are accessible in Settings. This makes it easier to locate the appropriate settings and
configure your operating system.

Note: Control Panel is still available, and you can use it when you want to make
configuration changes.

Multiple update sources. Windows 10 supports multiple sources for obtaining updates. These sources
include the Microsoft Update servers, and configurable local sources such as file servers and other
Windows 10 devices that already have the updates you need.
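The peer devices mentioned above are served by the Delivery Optimization service, and which peers a device may use is a policy decision with a security dimension: left at a permissive setting, a device exchanges update content with arbitrary Internet peers. The following PowerShell is an added example, not from the course text. It reads and sets the download mode through the machine-wide registry value behind the "Download Mode" Group Policy setting, which assumes a Windows 10 build that ships that policy (the same choice is exposed in Settings, Update & security, Advanced options, Choose how updates are delivered) and an elevated session. The mode values are those Microsoft documents for the setting.

```powershell
# Added example (not from the course): control which sources Delivery
# Optimization may use for update content. Assumes an elevated session.
# DODownloadMode values (as documented for the "Download Mode" policy):
#   0   = HTTP only, no peering
#   1   = HTTP plus peers on the same LAN (behind the same NAT)
#   2   = HTTP plus peers in the same domain / AD site
#   3   = HTTP plus LAN and Internet peers
#   99  = simple mode: HTTP only, no Delivery Optimization cloud service
#   100 = bypass Delivery Optimization and use BITS instead
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-DODownloadMode {
    # Returns the policy value, or $null when no policy is configured
    # (the client then applies its edition default).
    $item = Get-ItemProperty -Path $PolicyKey -Name DODownloadMode -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DODownloadMode
}

function Set-DODownloadMode {
    param([Parameter(Mandatory)][ValidateSet(0, 1, 2, 3, 99, 100)][int]$Mode)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name DODownloadMode -PropertyType DWord -Value $Mode -Force | Out-Null
}

# Before: report the current policy state.
$before = Get-DODownloadMode
if ($null -eq $before) { 'DODownloadMode policy: not configured' } else { "DODownloadMode policy: $before" }

# Hardening choice: allow peering only within the LAN (mode 1). Devices still
# receive updates from Windows Update or WSUS, but never from Internet peers.
Set-DODownloadMode -Mode 1

# After: confirm the value that is now enforced.
"DODownloadMode policy now: $(Get-DODownloadMode)"
```

Setting the value directly is useful for testing on one device; in a domain, deploy the same setting through Group Policy so that it is applied consistently and cannot be changed locally. Peer content is still validated against hashes from Windows Update, so the concern with Internet peering is bandwidth and exposure of the device to unknown hosts rather than tampered updates.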

Benefits of Windows 10 for Small and Medium-Sized Organizations


In most organizations, the typical lifetime of a desktop or laptop computer is three to four years.
During that time, it is possible that the computer receives hardware upgrades, such as memory and
possibly replacement disks. However, the operating system deployed to many workstations remains
constant for the device's lifetime, except for updates, patches, and fixes.

The current generation of hardware devices often employs touch as one of the input mechanisms, and
sometimes it is the only input mechanism, as with many Windows-based tablets. Additionally, many
users have access to multiple devices, and it is common for a user to utilize a laptop, a tablet, and a
phone regularly, and often simultaneously. Furthermore, many of these devices might belong to the users
themselves, and they might desire to connect to their corporate network from these devices.

Despite the investment required, both in terms of software licenses and in increasing employees'
knowledge and skills with new hardware, there are compelling reasons for small and medium
organizations to update to Windows 10 from Windows 7, including:

Easier to use. Windows 10 is easier to use, which means fewer calls to your support desk. The features
that make Windows 10 easier to use include:
o Support for touch. Using a touch device is intuitive. For example, working with images and
navigating an operating system is easier when you are using touch rather than a mouse and
keyboard, especially if the user is not in a traditional office environment. Windows 10 supports
touch-enabled devices and optimizes itself for this environment, while continuing to support
more traditional input methods where required. An intuitive, user-friendly interface helps to
reduce calls for support.

o A consistent user interface and Universal Windows apps. If your users are using phones, tablets,
and computers, they can work more effectively and efficiently if you provide a consistent
interface and access to Windows Universal apps that they can use on any device.

o Performance improvements. Windows 10 starts up more quickly, and due to improvements in the
architecture, navigating the operating system is faster, as well.

Continuous updates. Microsoft plans to provide updates on a continuous basis. This means that rather
than periodic upgrades, such as from Windows 7 to Windows 10, there will be a constant process of
smaller updates. Therefore, you will not have to perform wipe-and-load upgrades when a new
Windows version arrives. This reduces support efforts and costs.
Improved device management. You can choose to manage your Windows 10 devices by using System
Center Configuration Manager, or Microsoft Intune. The method that you choose depends on your
needs, the number of devices you have, and the complexity of your environment. For example, with
Microsoft Intune, you can provide for cloud-based management of mobile devices, apps, and PCs.
You can provide your users with access to your corporate apps, data, and resources from virtually
anywhere and on almost any device.

Note: Course: 20697-2B. Deploying and Managing Windows 10 Using Enterprise Services
provides more details about System Center Configuration Manager and Microsoft Intune.

Distribution of apps by using the Windows Store. Microsoft will provide organizations with the
ability to acquire Windows Store apps, and then by using a web portal, make those apps available
to their users. Additionally, Microsoft will allow organizations to create an organizational private app
repository within Windows Store for Business. These changes will allow you to deploy and manage
apps within your organization more easily.

More secure. Several new and improved Windows 10 features make Windows 10 more secure than
Windows 7. Keeping users' devices safe and secure helps reduce support costs.
Free upgrade to Windows 10. Microsoft is providing a free upgrade to Windows 10 Pro for users of
Windows 7 Pro and Windows 8.1 Pro, and to Windows 10 Home for users of Windows 7 Home and
Windows 8.1 Home editions.

Note: This free upgrade is for a limited period only, currently one year from the release of
Windows 10. The upgrade is not available currently to users of Windows 7 Enterprise or Windows
8.1 Enterprise.

Discussion: Is Your Organization Ready for Windows 10?

Consider the following questions, and then be prepared to discuss your answers with the class as
directed by your instructor.

Question: Has your organization started deploying Windows 10, or are you considering it?

Question: What Windows client version does your organization deploy currently?

BYOD Features
Many of your organization's users likely have smartphones and tablets. In some circumstances, users
might wish to use their own devices to access corporate data because their device's form factor is
better suited to the environment in which that user is working. For example, a user who is moving
between meetings and requires a device for taking notes might wish to use a tablet rather than a
laptop. Unless your organization wishes to equip all its users with multiple devices, the solution
might be to allow users to connect their own equipment. Windows 10 supports the idea of Bring Your
Own Device (BYOD) to work, and includes several useful features that make it easier to integrate
users' personal devices into your network, including:

Device Registration. Provides a middle ground between a fully domain-joined device and an unmanaged
one: the device is registered with your Active Directory Domain Services (AD DS) domain without
joining it. The Device Registration feature allows your users to work on the devices that they choose
while continuing to access enterprise network resources. Because a registered device has an identity in
AD DS, you can control access to resources and apply a finer level of control over registered devices
than over unknown ones.

Work Folders. Work Folders enable a user to synchronize their data from their network user folder to
their device. When you implement Work Folders, locally created files also synchronize to the network
folder location. The client-computing device does not need to be domain-joined to access this shared
content.

Mobile Device Management. After users enroll their devices, they join them to the Microsoft Intune
management service and get access to the company portal. This provides them with a consistent user
experience while accessing their applications and data, which enables them to manage their own
devices. You have improved management over these devices, and can manage them as mobile
devices without having to deploy a full management client.

RemoteApp. This feature enables users to run apps remotely from their device through Remote
Desktop Services. This makes it appear as if the app is running locally on the users own device, when
in reality, it runs securely on the Remote Desktop Session Host server. Using RemoteApp apps allows
you to be sure that users with even the most esoteric devices can run all required apps.

Discussion: Will Your Organization Embrace the BYOD Philosophy?

Consider the following questions, and then be prepared to discuss your answers with the class as
directed by your instructor.

Question: Does your organization allow users to connect their own devices to the corporate
network?

Question: If you answered yes to the previous question, with what types of devices do users
connect most commonly?

Question: Do you think the Windows 10 features for management and integration of users' own
devices within the corporate workspace will make it easier for organizations to support BYOD?

Check Your Knowledge

Question
What are the benefits to small and medium-sized organizations of using Windows 10? (Choose all
that apply)

Select the correct answer.

Windows 10 is easy to use.

Windows 10 is provided with continuous updates.

Microsoft provides Windows 10 as a free upgrade for Windows 7 Enterprise users.

Microsoft provides Windows 10 as a free upgrade for Windows 7 Pro users.



Lesson 2
Navigating the Windows 10 User Interface
Windows 10 has an improved user interface that allows you to navigate the operating system by using
touch-enabled devices as well as devices that are equipped with a keyboard and mouse. This lesson
explores the user interface, and identifies the important interface elements. It also explains how to
perform common navigation tasks by using touch, as well as a keyboard and mouse.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the elements of the new Windows 10 user interface.

Determine how to perform actions within the interface with both touch, as well as mouse and
keyboard.

Navigate the Windows 10 interface.

Customize the Start screen.

The Windows 10 User Interface

If you are currently using Windows 7, then the changes in the user interface of Windows 10 are
significant. If you have used Windows 8.1, then the changes are not as significant and represent more
of an on-going interface evolution.

Using touch actions

The most significant change from Windows 7 is the support for touch. Before examining the user
interface in more detail, it is worth discussing the terminology for touch actions within the
operating system.

You are doubtless familiar with the concept of using a mouse to navigate the Windows operating system.
For example, you click an item to select it, double-click an item to open it, and right-click an item to
access a context menu. These actions remain the same for Windows 10 when you use a mouse to
navigate. However, when you use touch, you must use gestures to complete the same tasks. Therefore,
to select an item, you tap it. To open an item, use double-tap. To access an items context menu, use tap
and hold.

Changes to the user interface

This section describes the new interface and highlights the most significant changes, which include:

Sign in. You can sign in to Windows 10 by swiping up from the bottom of your tablet's display to
access the sign-in page.

Note: If you are using a device with a keyboard, you can press <Ctrl><Alt><Del> to access
the sign-in page.

Tap the Username box, and the virtual keyboard appears. Enter your username and password, and
then tap the right arrow. If you want to sign in with a different account, tap Other user in the lower
left of your display.

Note: Windows 10 also supports sign-in by using a personal identification number (PIN), as
well as biometric and multi-factor authentication options enabled by Windows Hello.

Start. The device type and orientation control the behavior of Start:

o Nontouch. If you sign in by using a device that does not support touch, Windows starts in
Desktop mode. This means that Start appears as a menu rather than as a full screen, and this
menu is accessible when you click Start in the lower left of the taskbar.

o Touch-enabled. If you sign in by using a device that is touch-enabled, or is a convertible device,
like a Microsoft Surface tablet, and which is placed as a tablet (that is, the keyboard is detached
or folded out of the way), Windows starts in Tablet mode. In this scenario, Windows presents
Start as a full-screen app.

Note: You can force Windows manually to switch between Desktop and Tablet modes by
using the Tablet mode tile in the Action Center to toggle between settings.

Start consists of a list, on the left side of the display, of your Most used apps and shortcuts for File
Explorer, Settings, Power, and All apps. The right-hand side of Start has tiles that you can use to
launch apps. You can configure which tiles display and how, and you can group the tiles into
meaningful collections.
Action Center. The Action Center consolidates notifications from the operating system with shortcut
tiles that enable you to perform common or frequently accessed tasks. To access the Action Center,
click the Notifications icon in the notification area in the Desktop mode, or swipe from the right in
the Tablet mode. Available tiles include:

o Tablet mode. Switches between Desktop and Tablet modes. In the Tablet mode, all apps run full
screen, and Start displays as a full-screen app. The Desktop mode runs apps in resizable windows,
with Start appearing as a menu.

o Rotation lock. Enables you to lock the display in either portrait or landscape modes.

o Connect. Searches for and allows you to connect to wireless display and audio devices in the local
area.
o Note. Opens a new note in Microsoft OneNote.

o All settings. Launches the Settings app, which provides access to options for the device's
configuration and settings.

o Battery saver. Toggles into battery saver mode. This reduces power consumption by reducing
display brightness and configuring other power-intensive operating-system components.

Note: You can configure Battery saver settings by using All settings, accessing System, and
then Battery saver.

o VPN. Enables you to configure and connect to a VPN.

o Bluetooth. Enables you to toggle the Bluetooth radio on or off.

o Brightness. Use this tile to step up or down the brightness range.


o Wi-Fi. Enables you to toggle the Wi-Fi radio on or off.

o Flight mode. Enables you to disable all radios so that your device can safely be used onboard an
aircraft.

o Quiet hours. Toggles into a setting that reduces the notifications that you receive.

o Location. Toggles the location setting. Many apps use location to customize behavior and to
provide geographically pertinent information to the user.

Note: The specific tiles that you see vary depending upon the type of device that you are
using. For example, a desktop computer does not display the Rotation lock tile.

Settings. You can access Settings from the All settings tile in the Action Center or by tapping Settings
in Start. You can configure almost all device settings within the Settings app.

Demonstration: Navigating the Windows 10 User Interface

In this demonstration, you will see how to navigate the Windows 10 interface.

Demonstration Steps
1. Sign in as ADATUM\April.
2. Open the Action Center.
3. Switch to Tablet mode.
4. Switch to Start.
5. View All apps.
6. Switch between running apps.
7. Add a new desktop.
8. Close all apps, and then sign out.

Customizing the User Interface

You can configure the desktop settings in Windows 10 just as you do in Windows 7, including adding
and removing your own shortcuts, and customizing your color scheme. However, you have the most
control over customization from the Start screen, from where you can:

Add tiles. When you add a tile, you are pinning an app to Start. To do this, tap All apps, which is
an icon that appears in Start beneath the Power icon on the left. A list of all installed apps
appears. Tap and hold (or right-click) the desired app, and then tap Pin to Start. The app appears
as a tile in Start in its own unnamed tile group.
Remove tiles. When you remove a tile, you are not uninstalling the app. Tap and hold the tile that you
wish to remove from Start, and then tap Unpin from Start.

Pin to the taskbar. You also can pin apps to the taskbar, in addition to (or rather than) pinning them
to Start. To do this, tap All apps. A list of all installed apps appears. Tap and hold (or right-click) the
desired app, and then tap Pin to taskbar. The app appears as an icon on the taskbar.

Note: The taskbar is visible only in desktop mode.

Resize tiles. To resize a tile, tap and hold the tile, tap Resize, and then tap the desired size. You can
resize most tiles as Small, Medium, Wide, and Large.
Live tiles. You can make many tiles, such as News and Weather, update automatically. Live tiles
display content relevant to the app, such as continuously updated news in the News tile or weather
information in the Weather tile. To enable live tiles, tap and hold the relevant tile, and then tap Turn
live tile on. To disable a live tile, tap and hold the tile, and then tap Turn live tile off.

Grouping tiles. You can group tiles into specific categories. Windows creates two default groups
during installation: Life at a glance, and Play and explore. You can rename groups by tapping the title
bar of the group and entering a new name. To create new groups, drag tiles to a new area on the
Start screen. Windows creates a new, unnamed group for the moved tile. You then can add tiles to
the group, and rename it as applicable.

Note: In Windows 10 Enterprise and Windows 10 Education, a network administrator can
use Group Policy Objects (GPOs) to configure and control the Start screen and other aspects of
the user interface.
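As an added example (not from the course text) of the Group Policy control that the note describes, the PowerShell below captures the Start layout from a reference device and writes the same registry values that the Start Layout policy sets, so that you can test a locked layout on one device before deploying it through a domain GPO. It assumes Windows 10 Enterprise or Education and a file share \\LON-DC1\Layouts (a hypothetical share on the lab domain controller) that every user can read.

```powershell
# Added example (not from the course): capture a reference Start layout and
# enforce it through the policy values behind the "Start Layout" GPO
# (User Configuration > Administrative Templates > Start Menu and Taskbar).
# Assumes Windows 10 Enterprise or Education, and a hypothetical share
# \\LON-DC1\Layouts that every user can read.

$LayoutFile = '\\LON-DC1\Layouts\StartLayout.xml'   # assumed location

# 1. On the reference device, sign in as the user whose Start you customised
#    (tile groups, sizes, pins) and export that layout to XML.
Export-StartLayout -Path $LayoutFile

# 2. Apply the layout to the current user the way the GPO does: a string value
#    pointing at the XML, plus LockedStartLayout=1 to prevent changes.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Explorer'
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
New-ItemProperty -Path $PolicyKey -Name StartLayoutFile -PropertyType ExpandString -Value $LayoutFile -Force | Out-Null
New-ItemProperty -Path $PolicyKey -Name LockedStartLayout -PropertyType DWord -Value 1 -Force | Out-Null

# 3. Check what is now enforced. The layout takes effect at the next sign-in;
#    while LockedStartLayout is 1, users cannot pin, unpin, resize, or regroup tiles.
Get-ItemProperty -Path $PolicyKey | Select-Object StartLayoutFile, LockedStartLayout

# To give new accounts the layout as a starting point instead of locking it,
# apply it to the default profile of an offline image or of the running system:
#   Import-StartLayout -LayoutPath $LayoutFile -MountPath 'C:\'
```

Writing the HKCU values directly is for testing on a single device. In production, deploy the setting through a domain GPO so that the user cannot simply delete the values, and keep the XML on a share that users can read but not modify: whoever can write that file decides what appears on every affected Start menu.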

Demonstration: Customizing the Windows 10 Start Menu

In this demonstration, you will see how to customize the Start screen.

Demonstration Steps
1. Sign in as ADATUM\April.
2. Pin a tile to Start.
3. Create a group to accommodate the new tile.
4. Remove a tile from Start.
5. Pin a tile to the taskbar.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement: When you sign in to Windows 10 on a touch device, Windows 10 runs in Tablet mode only.

Answer:

Lab: Navigating and Customizing the User Interface


Scenario
You are working on an upcoming project at A. Datum Corporation to deploy Windows 10 to all users.
Your users will receive their new Windows 10 devices soon, so you must familiarize yourself with the new
user interface. Additionally, you must learn how to customize the user interface so that it addresses the
specific needs of individual users.

Objectives
After completing this lab, you will be able to:

Navigate the Windows 10 user interface.


Configure and customize the Start menu.

Customize the desktop.

Lab Setup
Estimated Time: 30 minutes

Virtual machines: 20697-1B-LON-DC1 and 20697-1B-LON-CL1


User name: Adatum\Administrator and Adatum\April

Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:

o User name: Administrator


o Password: Pa$$w0rd

o Domain: Adatum

5. Repeat steps 2 and 3 for 20697-1B-LON-CL1.

Exercise 1: Navigating the Windows 10 User Interface


Scenario
The new Windows 10 devices have arrived, and you must familiarize yourself with the interface before
distributing them to your users.

The main tasks for this exercise are as follows:

1. View installed apps.


2. Switch between running apps.

Task 1: View installed apps


1. On LON-CL1, sign in as ADATUM\April with the password Pa$$w0rd.

2. From the taskbar, open Action Center.

Note: If the tiles at the bottom of Action Center do not display, close and then open
Action Center again.

3. Switch to Tablet mode.

4. View All apps.

5. Open Calculator.

6. Open Alarms & Clock.

7. Use Task View to switch between the apps.

Task 2: Switch between running apps


1. Open Task View.
2. From Action Center, switch into Desktop mode.

3. Position the two running apps, side by side, on the display.

Results: After completing this exercise, you will have navigated the Windows 10 user interface
successfully.

Exercise 2: Configuring Start


Scenario
It is important that your users know how to configure Start, so you decide to familiarize yourself with the
process of adding, removing, and resizing tiles, and creating and naming groups.

The main tasks for this exercise are as follows:


1. Add and remove tiles.

2. Group tiles.

3. Remove and resize tiles.

Task 1: Add and remove tiles


1. From Action Center, enable Tablet mode.

2. Open All apps.

3. Pin the following apps to Start:

o Word 2013

o PowerPoint 2013

o Excel 2013

o Calculator

Task 2: Group tiles


1. Rename the group that is created to hold these tiles Microsoft Office.

2. Drag the Microsoft Office group to the top of Start.

Task 3: Remove and resize tiles


1. Remove the Calculator tile from the Microsoft Office group.

2. In Start, in the Microsoft Office group, resize Excel 2013 to be Small.


3. In Start, in the Life at a glance group, resize Mail to be Large.

Results: After completing this exercise, you will have customized Windows 10 Start successfully.

Exercise 3: Configuring the Desktop


Scenario
Some of your users prefer to work in desktop mode. Therefore, you decide to investigate the
configuration options for it.

The main tasks for this exercise are as follows:

1. Customize the Taskbar.


2. Configure desktops.

3. Personalize the desktop and Start.

Task 1: Customize the Taskbar


Pin the Calendar app to the taskbar.

Task 2: Configure desktops


1. Use Task View to add a second desktop.

2. Switch to Desktop 2, and then launch Word 2013 from Start.


3. Close Desktop 2. Word 2013 now runs in Desktop 1.

Task 3: Personalize the desktop and Start


1. Close all running apps.

2. Add a new shortcut to the desktop for the This PC\Pictures folder.

3. Right-click the desktop, and then click Personalize.


4. Configure the following settings:

o Background: Select an image from the Choose your picture list.

o Color: Select a color from the Choose your accent color list.
o Lock screen:
Choose an app to show detailed status: Calendar
Choose apps to show quick status: Alarms & Clock

Note: If you do not see Alarms & Clock, choose another app from the list.

o Start:
Show most used apps: Off
Show recently added apps: Off
5. Sign out, and then sign back in as ADATUM\April to verify your settings.

6. Verify the color and background changes that you made do appear. Open Start to view the changes
that you configured.

Note: Due to a limitation in the virtual machine, this setting is not retained but should
display.

Results: After completing this exercise, you will have configured the Windows 10 desktop successfully.

Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.


4. Repeat steps 2 and 3 for 20697-1B-LON-DC1.

Module Review and Takeaways


Review Questions
Question: What are some of the more significant issues that an organization faces when it
allows users to bring their own devices to the workplace and connect to the corporate
network?

Question: What is the purpose of Client Hyper-V in Windows 10?



Module 2
Installing Windows 10
Contents:
Module Overview 2-1

Lesson 1: Installing Windows 10 2-2

Lesson 2: Upgrading to Windows 10 2-16


Lab: Installing Windows 10 2-26

Module Review and Takeaways 2-30

Module Overview
Windows 10 is the first client operating system from Microsoft that provides the same look and feel
across all device types. With Windows 10, Microsoft recommends performing an in-place upgrade over
a migration, unlike previous operating systems. This module introduces the different editions of
Windows 10, and provides instructions on installing and upgrading to Windows 10.

Objectives
After completing this module, you will be able to:

Choose how to install Windows 10.


Describe the process of upgrading to Windows 10.

Lesson 1
Installing Windows 10
You can use Windows 10 on a variety of computing devices, from traditional platforms to the latest tablet,
phone, and gaming platforms. This lesson introduces the different editions of Windows 10 and the
features of each. The lesson also describes why and when you might select a specific Windows edition.

Lesson Objectives
After completing this lesson, you will be able to:

Explain the differences between the different editions of Windows 10.


Select the most suitable Windows 10 device for your needs.

Describe the minimum recommended hardware requirements for installing Windows 10.

Describe the options available for installing and deploying Windows 10.
Describe the tools available in the Windows Assessment and Deployment Kit.

Describe the process of installing Windows 10.


Install Windows 10.
Describe the methods of activation for Windows 10.

Windows 10 Editions
Before you can install Windows 10, you must select the most suitable edition for your organization.
The different editions of Windows 10 address the needs of consumers ranging from individuals to
large enterprises. This topic describes the different features of each edition and the differences
between the 32-bit and 64-bit editions of Windows 10.

Note: Module 1 contains a more detailed description of some of the new features of
Windows 10.

Windows 10 Home
Windows 10 Home is the consumer-oriented desktop edition of Windows 10. It offers the familiar
Windows experience for PCs, tablets, and the new hybrid laptop/tablets. Windows 10 Home includes
several new features:

Cortana, the new personal digital assistant

Microsoft Edge, the new web browser


Continuum tablet mode for touch-capable devices

Windows Hello biometric sign-in



Virtual Desktops

Photos, Maps, Mail, Calendar, Music and Video, and other built-in universal Windows apps

New updates and features received automatically

Windows 10 Pro
Windows 10 Pro builds on the features of Windows 10 Home, with many extra features to meet the needs of small and medium-sized businesses. Windows 10 Pro is also suitable for advanced consumers who want features such as BitLocker and virtualization. Windows 10 Pro offers the new Windows Update for Business, which:

Reduces management costs.
Provides controls over update deployment.
Offers quicker access to security updates.
Provides access to the latest innovation from Microsoft on an ongoing basis.

Windows 10 Pro provides the following additional features:

Domain Join and Group Policy Management
BitLocker
Enterprise Mode Internet Explorer
Client Hyper-V
Microsoft Azure Active Directory Join
Windows Store for organizations
Enterprise Data Protection

Windows 10 Enterprise
Windows 10 Enterprise builds on the features of Windows 10 Pro, with additional features that meet the needs of large enterprises. Windows 10 Enterprise is available to Volume Licensing customers only. They can choose the pace at which they adopt new technology, including the option to use the new Windows Update for Business. Windows 10 Enterprise also gives customers access to the Long Term Servicing Branch as a special deployment option for their mission-critical devices and environments.

Windows 10 Enterprise offers two new features, Credential Guard and Device Guard, to protect against security threats. Credential Guard uses virtualization-based security to isolate derived domain credentials, such as NTLM hashes and Kerberos ticket-granting tickets, from the rest of the operating system, so that malware running with administrative rights cannot read them. Device Guard uses code integrity policies to allow only trusted applications and drivers to run. Windows 10 Enterprise also supports a broad range of options for operating system deployment and device and app management. Windows 10 Enterprise provides the following additional features:

DirectAccess
Windows To Go Creator
AppLocker
Windows BranchCache
Start screen control with Group Policy
Credential Guard
Device Guard

Windows 10 Enterprise LTSB
Windows 10 Enterprise Long Term Servicing Branch (LTSB) is a special edition of Windows 10 Enterprise that Microsoft will not update with any new features. Windows 10 Enterprise LTSB only receives security updates and other important updates. You can install Windows 10 Enterprise LTSB on devices that run in a known environment that does not change. The differences between Windows 10 Enterprise LTSB and the standard Windows 10 Enterprise are the following:

Does not receive feature upgrades
No Microsoft Edge browser
No Windows Store client
No Cortana
Many built-in universal Windows apps are missing

Windows 10 Education
Windows 10 Education offers the same features as Windows 10 Enterprise, except for Long Term Servicing
Branch. This edition of Windows 10 is suitable for school staff, administrators, teachers, and students.
Windows 10 Education is only available through academic Volume Licensing.

Windows 10 Mobile
Windows 10 Mobile is for smaller, mobile, touch-centric devices, such as smartphones and small tablets.
It offers the same new universal Windows apps that Windows 10 Home includes, in addition to a new
touch-optimized version of Microsoft Office. On new devices, Windows 10 Mobile can take advantage of
Continuum for phone, so you can use the phone like a PC when it is connected to a monitor with larger
screen resolution. Windows 10 Mobile runs universal apps only. You cannot run desktop applications.

Windows 10 Mobile Enterprise
Windows 10 Mobile Enterprise is for business customers on smartphones and small tablets. It is only available to Volume Licensing customers. Windows 10 Mobile Enterprise provides businesses with flexible ways of managing updates. In addition, Windows 10 Mobile Enterprise gives faster access to the latest security updates and provides access to the latest innovations from Microsoft on an ongoing basis.

Windows 10 IoT
There are also three editions for the Internet of Things (IoT):

Windows 10 IoT Core is suitable for small devices such as robots, toy cars, and sensors.
Windows 10 IoT Enterprise is suitable for devices such as ATMs and industrial robotics.
Windows 10 IoT Mobile is suitable for handheld terminals and automobiles.

These Windows 10 IoT editions will not be available when Windows 10 launches, but will be released later.

Note: Further details on the Windows 10 Mobile and IoT editions are outside the scope of this course. The mention here is for reference only. Unless otherwise noted, all references to Windows 10 in this course are to the 32-bit and 64-bit desktop editions.

Note: Some of the features require special hardware to work properly.

Compare Windows 10 Editions: http://aka.ms/k8iq7l

32-bit vs. 64-bit editions of Windows 10
All desktop editions of Windows 10 (Windows 10 Home, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) are available in both 32-bit and 64-bit versions. The features of the 64-bit versions are similar to those of the 32-bit versions, but the 64-bit versions offer several advantages, including:

Improved performance. A 64-bit processor running 64-bit code has wider and more numerous registers and can process more data in each operation, so you can scale applications to run faster or support more users. To benefit from this capacity, you must install a 64-bit edition of the operating system.

Enhanced memory. A 64-bit operating system can address memory above 4 gigabytes (GB). All 32-bit operating systems, including all 32-bit editions of Windows 10, are limited to 4 GB of addressable memory.

Improved security. The 64-bit editions enforce Kernel Patch Protection (PatchGuard), which blocks unauthorized modification of kernel code and data structures; require kernel-mode drivers to carry a valid digital signature; and always run 64-bit processes with hardware Data Execution Prevention (DEP) enabled. Kernel Patch Protection and mandatory driver signing are not available in the 32-bit editions.

Support for the Client Hyper-V feature. This feature is only available in the 64-bit versions of Windows 10, except Windows 10 Home. Client Hyper-V requires a 64-bit processor that supports second-level address translation (SLAT).

Note: The 64-bit editions of Windows 10 do not include the 16-bit Windows on Windows (WOW) subsystem, so 16-bit applications will not run natively on them. One solution is to run such applications inside a virtual machine with a 32-bit operating system, by using Client Hyper-V.

Choosing between 32-bit and 64-bit editions for installation
In most cases, a computer will run the edition of Windows 10 that corresponds to its processor architecture. A computer with a 32-bit processor will run the 32-bit edition of Windows 10, and a computer with a 64-bit processor will run the 64-bit edition of Windows 10. You can use the following list to determine which edition of Windows 10 you should install on a computer:

You can install 64-bit editions of Windows 10 only on computers with a 64-bit processor.
You can install 32-bit editions of Windows 10 on computers with a 32-bit or a 64-bit processor. When you install a 32-bit edition of Windows 10 on a 64-bit processor, the operating system does not take advantage of any 64-bit processor features or functionality, including the security features listed above.
32-bit kernel-mode drivers will not work in 64-bit editions of Windows 10. If you have hardware for which only 32-bit drivers are available, you must use a 32-bit edition of Windows 10, regardless of the computer's processor architecture.
You can install 32-bit editions of Windows 10 on 64-bit computers to support earlier versions of applications or for testing purposes.

Discussion: Selecting a Windows 10 Edition
Windows 10 runs on several different types of devices or form factors. However, not all editions of Windows 10 can run on all device types. This discussion will help you to decide which form factor and edition of Windows 10 to choose in different scenarios.

Form factors
Prior to Windows 8, Windows ran on three types of devices: traditional PCs, mobile phones, and Xbox. The release of Windows 8 saw new device types emerge, including tablets and other touch-enabled devices. With Windows 10, Microsoft introduces two new types of devices: Microsoft Surface Hub and Microsoft HoloLens. Here is a list of the different form factors and their typical use in a work environment:

Desktop PC. The desktop PC is the form factor of choice in businesses where the need for high performance is predominant, such as computer-aided design (CAD).
Laptop. Traditionally, travelling users were the primary users of laptops. However, laptop sales have recently surpassed desktop PC sales, perhaps due to increasing workforce mobility and improved laptop performance. When a user works on a laptop as an office computer, adding an external keyboard, mouse, and monitor can remedy the lack of workplace ergonomics.
Tablet. Tablets are popular for reading email, giving presentations, or as entertainment devices. The latest developments bring improved performance, but tablets still lack expansion possibilities.
Hybrid. The popularity of the tablet has led to the hybrid device, which converts from a normal laptop to a tablet. Hybrid devices are more popular than tablets among users whose work involves more typing. These devices also offer better performance than typical tablets.
Mobile phone or smartphone. It is best to use these devices for apps where the smaller screen size is not important. However, Windows 10 Continuum enables users to connect a phone to a large monitor and switch Windows 10 Mobile to the Windows 10 desktop experience.
Xbox. The Xbox is a device that is most popular for gaming and entertainment.
HoloLens. The HoloLens is one of the first holographic computers. It has many uses in education, design, and construction businesses.
Surface Hub. The Surface Hub is a large-format, touch-friendly monitor used in meetings.

Scenario 1
Contoso Pharmaceuticals is considering purchasing new computers to control and supervise its production lines. The production lines require special hardware with sensors in the computers that employees will use to perform the supervision. The production line software is sensitive to major changes in the operating system.

Which edition of Windows 10 would you recommend for purchase by Contoso Pharmaceuticals for supervision of its production lines?

Scenario 2
A hospital is doing satisfaction surveys among its patients. The administration wants to replace the laptops
currently used, as they are too heavy. The employees use a newly developed universal Windows app to do
the surveys. No typing is necessary, because all input is touch-based.

Which edition of Windows 10 is the most suitable for the hospital employees doing surveys?

Scenario 3
Contoso Pharmaceuticals is trying to secure its information technology (IT) infrastructure by limiting the apps that users can run. Some employees install unauthorized apps on their devices. Contoso wants to limit users to apps that are on the company's list of approved apps.

Which edition of Windows 10 would you recommend to Contoso Pharmaceuticals to use on its devices?

Requirements for Installing Windows 10
Windows 10 is capable of running on similar hardware as Windows 7. Many computers in enterprises today easily meet the minimum hardware requirements for Windows 10.

Hardware requirements
The following list gives the minimum hardware requirements for Windows 10. Windows 10 will install if some of these requirements are not met. However, user experience and operating system performance might be compromised if the computer does not meet or exceed the following specifications:

Processor: 1 gigahertz (GHz) or faster processor, or system on a chip (SoC)
RAM: 1 GB for 32-bit or 2 GB for 64-bit
Hard disk space: 16 GB for 32-bit or 20 GB for 64-bit
Graphics card: DirectX 9 or newer with a Windows Display Driver Model (WDDM) 1.0 driver
Display: 800x600 pixels

Windows 10 offers additional features if the correct hardware is present. The following are some of the hardware and software requirements for various additional features:

Windows Hello requires a specialized illuminated infrared camera for facial recognition or iris detection, or a fingerprint reader that supports the Windows Biometric Framework.
Two-factor authentication requires the use of a PIN, fingerprint reader, or illuminated infrared camera, or a phone with Wi-Fi or Bluetooth capabilities.
Depending on the resolution of the monitor, the number of simultaneously snapped applications might be limited.
Touch requires a tablet or a monitor that supports multi-touch for full functionality.
Users need a Microsoft account for some Windows 10 features.
Secure Boot requires firmware that supports the Unified Extensible Firmware Interface (UEFI) and has the Microsoft Windows certification authority in the UEFI signature database. Secure Boot uses UEFI to prevent the launch of unknown or potentially unwanted operating-system boot loaders between the system's firmware start and the Windows 10 operating system start: the firmware verifies the signature of each boot component before it runs it. Secure Boot is not mandatory for Windows 10, but it greatly increases the integrity of the boot process, and Device Guard requires it.
Some applications might require a graphics card that is compatible with DirectX 10 or newer versions for optimal performance.
BitLocker requires either a Trusted Platform Module (TPM) or a USB flash drive that holds the startup key (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education).
Client Hyper-V requires a 64-bit system with second-level address translation (SLAT) capabilities and an additional 2 GB of RAM (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education). SLAT reduces the overhead incurred during the virtual-to-physical address mapping that is performed for virtual machines.
Miracast requires a display adapter that supports WDDM 1.3, and a Wi-Fi adapter that supports Wi-Fi Direct.
Wi-Fi Direct Printing requires a Wi-Fi adapter that supports Wi-Fi Direct and a device that supports Wi-Fi Direct Printing.
InstantGo works only with computers designed for connected standby. InstantGo allows network connectivity in standby mode and allows for receiving updates, mail, and Skype calls with the screen turned off.
Device encryption requires a PC with InstantGo and TPM 2.0.
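The following script is an added example and is not part of the course materials. It checks a computer against the minimum requirements listed above and reports whether the hardware-dependent security features (UEFI Secure Boot, a TPM and its specification version, and a 64-bit SLAT-capable processor for Client Hyper-V) are available, so that you can see before deployment which edition and which features a given machine can support. It assumes an elevated Windows PowerShell session on Windows 8 or later (Confirm-SecureBootUEFI, Get-Tpm, and the SLAT property on Win32_Processor do not exist on Windows 7); the thresholds are the course's figures, and the free-space check measures the system drive, which is what an in-place upgrade needs.

```powershell
# Added example, not part of the course: Windows 10 readiness and security-feature check.
# Assumptions: elevated session; Windows 8 or later (for Confirm-SecureBootUEFI, Get-Tpm
# and the SLAT property of Win32_Processor). Thresholds are the course minimums.

function Test-Windows10Readiness {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    $cpu64   = ($cpu.DataWidth -eq 64)             # processor can run a 64-bit edition
    $os64    = ($os.OSArchitecture -like '64*')     # edition currently installed is 64-bit
    $ramGB   = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
    $freeGB  = [math]::Round($disk.FreeSpace / 1GB, 1)
    $minRam  = if ($os64) { 2 } else { 1 }          # 1 GB (32-bit) / 2 GB (64-bit)
    $minDisk = if ($os64) { 20 } else { 16 }        # 16 GB (32-bit) / 20 GB (64-bit)

    # UEFI and Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS firmware and
    # returns $false on UEFI firmware that has Secure Boot switched off.
    try   { $secureBoot = Confirm-SecureBootUEFI; $uefi = $true }
    catch { $secureBoot = $false; $uefi = $false }

    # TPM presence and spec version: BitLocker wants a TPM, device encryption wants 2.0.
    $tpmPresent = $false; $tpmVersion = 'none'
    try {
        $tpmPresent = (Get-Tpm -ErrorAction Stop).TpmPresent
        $tpmCim = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm `
                                  -ClassName Win32_Tpm -ErrorAction Stop
        if ($tpmCim) { $tpmVersion = ($tpmCim.SpecVersion -split ',')[0].Trim() }  # e.g. "2.0"
    } catch { }

    # Client Hyper-V: 64-bit CPU with SLAT, virtualization switched on in firmware, 2 GB extra RAM.
    $slat = [bool]$cpu.SecondLevelAddressTranslationExtensions
    $vtOn = [bool]$cpu.VirtualizationFirmwareEnabled

    [ordered]@{
        'Installed edition'                                  = "$($os.Caption) ($($os.OSArchitecture))"
        'Processor 1 GHz or faster'                          = ($cpu.MaxClockSpeed -ge 1000)
        'Processor is 64-bit capable'                        = $cpu64
        "RAM at least $minRam GB (have $ramGB GB)"           = ($ramGB -ge $minRam)
        "Free disk at least $minDisk GB (have $freeGB GB)"   = ($freeGB -ge $minDisk)
        'UEFI firmware'                                      = $uefi
        'Secure Boot enabled'                                = $secureBoot
        'TPM present'                                        = $tpmPresent
        'TPM specification version'                          = $tpmVersion
        'SLAT available (Client Hyper-V)'                    = $slat
        'Virtualization enabled in firmware'                 = $vtOn
        'Client Hyper-V possible'                            = ($cpu64 -and $slat -and $vtOn -and ($ramGB -ge $minRam + 2))
    }
}

Test-Windows10Readiness |
    ForEach-Object { $_.GetEnumerator() } |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Result = $_.Value } } |
    Format-Table -AutoSize
```

A machine that reports UEFI firmware with Secure Boot disabled can usually be fixed in firmware setup before deployment; a machine that reports no UEFI at all needs legacy (MBR) media and cannot use Secure Boot or Device Guard, which is worth knowing before you choose an edition for it.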

64-bit architecture
Windows 10 fully supports the 64-bit architecture. The 64-bit version of Windows 10 runs 32-bit user-mode applications through the WOW64 subsystem, which translates their calls to the 64-bit kernel. Considerations for 64-bit Windows 10 include:

Applications or components that depend on 16-bit executable programs or on 32-bit kernel-mode drivers will fail to start or function properly on a 64-bit edition of Windows 10, because WOW64 covers user-mode code only.
Installation of 32-bit kernel-mode drivers fails on a 64-bit system. If an installer adds such a driver manually by editing the registry, the system will not load it, and this can cause a system failure.
Installation of unsigned 64-bit drivers fails by default on a 64-bit system. If an installer manually adds such a driver by editing the registry, the system will not load it.
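Before moving a computer from a 32-bit edition to a 64-bit one, it pays to audit the drivers it already depends on, because a 32-bit kernel-mode driver cannot load on 64-bit Windows and an unsigned driver is refused by default. The script below is an added example, not course material: it reads the signature state that Windows recorded for each installed driver package from the Win32_PnPSignedDriver class (which reflects catalog signatures, so it does not produce the false "NotSigned" results that Get-AuthenticodeSignature gives for catalog-signed .sys files), flags unsigned drivers, and separates third-party packages (oemNN.inf) that must be obtained from the vendor in 64-bit form. It assumes an elevated session; the CSV path is an assumption.

```powershell
# Added example, not part of the course: driver signing and origin audit before a
# 64-bit migration. Assumes an elevated Windows PowerShell session.

function Get-DriverSigningReport {
    param([string]$CsvPath)   # optional export for the deployment planning team

    $drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -and $_.InfName }          # skip phantom entries

    $report = foreach ($d in $drivers) {
        [pscustomobject]@{
            Device     = $d.DeviceName
            Provider   = $d.DriverProviderName
            Version    = $d.DriverVersion
            Inf        = $d.InfName
            Signed     = [bool]$d.IsSigned      # recorded from the driver package's catalog
            Signer     = $d.Signer
            # Inbox driver INFs keep their original names; Windows renames third-party
            # packages to oemNN.inf when it stages them, so that pattern marks vendor drivers.
            ThirdParty = ($d.InfName -like 'oem*.inf')
        }
    }
    if ($CsvPath) { $report | Export-Csv -Path $CsvPath -NoTypeInformation }
    $report
}

$report = Get-DriverSigningReport -CsvPath "$env:TEMP\driver-signing.csv"

"Unsigned drivers (will not load on a 64-bit edition of Windows 10):"
$report | Where-Object { -not $_.Signed } |
    Format-Table Device, Provider, Inf -AutoSize

"Third-party drivers to obtain in 64-bit form from the vendor:"
$report | Where-Object { $_.ThirdParty } | Sort-Object Provider |
    Format-Table Provider, Device, Version, Signer -AutoSize
```

Any device that appears only in the first table, or whose vendor offers no 64-bit package, is a reason to keep that computer on a 32-bit edition, as the choice list above describes.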

Device drivers
Finding Windows 10 device drivers for all your legacy hardware might be difficult. Many hardware manufacturers have their drivers tested and certified at the Windows Hardware Quality Labs. However, you might not be able to find a built-in driver for a specific piece of hardware. The best way to find drivers for legacy hardware is to search the manufacturer's website.

Installation and Deployment Options for Windows 10
You can use a number of different methods to install Windows 10. However, regardless of the method, the image-based nature of the installation process and the desired result, a properly functioning Windows 10 device, remain consistent. Determining which method to use and how best to implement that method are important parts of the planning process for a Windows 10 installation.

In this topic, you will learn to analyze the reasons for using certain installation methods and how to implement those methods. You will also learn about the new provisioning method in Windows 10 that you can use to customize an existing Windows 10 installation with a provisioning package.

High-touch with retail media deployment
The high-touch with retail media deployment strategy is suitable for small organizations that do not have information technology (IT) staff, or have IT staff members without deployment experience. Such organizations typically have fewer than 100 client computers. This strategy is the simplest way to deploy Windows 10: insert the Windows 10 DVD and run the setup program. It is a manual installation that requires you to answer each prompt in the setup program.

Low-touch deployment
The low-touch deployment strategy is suitable for medium-sized organizations with 200 to 500 client computers. This strategy uses the Microsoft Deployment Toolkit (MDT) together with Windows Deployment Services. It is an easier deployment strategy, because MDT automates most of the installation and handles application, device driver, and update installation.

Zero-touch deployment
The zero-touch deployment strategy is suitable for large organizations that typically have more than 500 client computers. This deployment strategy uses MDT together with Microsoft System Center 2012 R2 Configuration Manager SP1 to deliver a more streamlined, fully automated deployment that does not require user interaction.

Note: If you want to know more about Windows 10 deployment, course 20697-2A: Deploying and Managing Windows 10 Using Enterprise Services covers how to deploy Windows 10 in more detail.

Provisioning packages
Beginning with Windows Vista, the standard Windows operating system deployment changed to an image-based deployment. This typically required the IT department to create a custom image, or at least an answer file for an unattended installation. Windows 10 introduces provisioning, which enables you to modify an existing Windows 10 installation. Provisioning eases the installation process and helps to reduce the cost of deploying Windows-based PCs and devices such as tablets and phones by removing the need to reimage new PCs before first use.

You use the Windows Imaging and Configuration Designer (ICD) from the Windows Assessment and Deployment Kit (Windows ADK) to create provisioning packages. A package contains settings that can:

Upgrade the Windows 10 edition
Configure settings, including computer name, local users, domain join, Start menu customization, and browser settings
Add or remove universal Windows apps
Deploy Windows Installer files and run scripts
Create virtual private network (VPN) and Wi-Fi profiles
Add files, such as data files and certificates

Modifying some settings, such as the edition of Windows 10 or the computer name, will require a restart. You can deploy provisioning packages by:

Email
Removable media
Network share

Because a package can join a domain, create local accounts, install certificates, and run scripts, Windows asks the user to confirm that a package comes from a trusted source before it applies it. Distribute packages only through channels you control, and verify the package's hash or signature on the target device before applying it.
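The script below is an added example, not part of the course: it builds a provisioning package from an ICD customization XML with the ICD command-line tool, records the package's SHA-256 hash so that the copy that arrives by email or removable media can be checked, and then applies it. The ICD path, the file names, and the log directory are assumptions. The Install-ProvisioningPackage and Get-ProvisioningPackage cmdlets (Provisioning module) are assumed to be present, which is the case on later Windows 10 releases but not on the first one; on a build without them, run the .ppkg file directly and answer the trust prompt.

```powershell
# Added example, not part of the course. Assumptions: ICD installed with the Windows ADK at
# the path below, an existing customization XML authored in ICD, and a Windows 10 build
# that ships the Provisioning PowerShell module on the target.

$icd  = "${env:ProgramFiles(x86)}\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe"
$xml  = 'C:\Provisioning\Contoso-Win10Pro.xml'    # customization answer file exported from ICD
$ppkg = 'C:\Provisioning\Contoso-Win10Pro.ppkg'

# --- Build on the technician computer --------------------------------------------------
& $icd /Build-ProvisioningPackage "/CustomizationXML:$xml" "/PackagePath:$ppkg" /Overwrite
if ($LASTEXITCODE -ne 0) { throw "ICD build failed with exit code $LASTEXITCODE" }

# A package can join domains, create local accounts and run scripts, so treat it like an
# installer: publish its hash next to it and verify the hash before applying the package.
$hash = (Get-FileHash -Path $ppkg -Algorithm SHA256).Hash
"$hash  $(Split-Path $ppkg -Leaf)" | Set-Content -Path "$ppkg.sha256"

# --- Apply on the target device ---------------------------------------------------------
function Install-VerifiedProvisioningPackage {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)][string]$HashFile,
        [string]$LogDir = 'C:\Provisioning\Logs'
    )
    $expected = (Get-Content -Path $HashFile -First 1).Split(' ')[0]
    $actual   = (Get-FileHash -Path $PackagePath -Algorithm SHA256).Hash
    if ($actual -ne $expected) {
        throw "Hash mismatch for $PackagePath (expected $expected, got $actual); not applying."
    }
    # -QuietInstall suppresses the "Is this package from a source you trust?" prompt, so use
    # it only after the hash check above. -ForceInstall re-applies a package already present.
    Install-ProvisioningPackage -PackagePath $PackagePath -ForceInstall -QuietInstall `
                                -LogsDirectoryPath $LogDir
    Get-ProvisioningPackage -AllInstalledPackages
}

Install-VerifiedProvisioningPackage -PackagePath $ppkg -HashFile "$ppkg.sha256"
# Settings such as an edition upgrade or a new computer name take effect after the restart
# the text above mentions; the log directory records what each package changed.
```

Keep the hash file on a path the package itself does not travel on (for example a share that only administrators can write to); a hash that travels with the package in the same email protects only against corruption, not against a substituted package.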

Windows ADK
Windows ADK for Windows 10 is a collection of tools that you can use to automate the deployment of Windows operating systems and mitigate application compatibility issues. It supersedes the Windows Automated Installation Kit (Windows AIK) that was used for Windows Vista and Windows 7.

ACT
The Microsoft Application Compatibility Toolkit (ACT) is a graphical tool that can evaluate and mitigate application compatibility issues before you deploy a new version of Windows. ACT requires access to a database. The database must be Microsoft SQL Server 2008 (or SQL Server 2008 Express Edition) or a newer version. You can install SQL Server or use an existing installation.

DISM
Deployment Image Servicing and Management (DISM) is a command-line tool that enables you to
capture, deploy, service, and manage Windows images. You can use it to apply updates, drivers, and
language packs to a Windows image, offline or online.

Windows SIM
Windows System Image Manager (Windows SIM) is a graphical tool that you can use to create
unattended installation answer files and distribution shares, or modify the files that a configuration
set contains.
Windows PE
Windows Preinstallation Environment (Windows PE) is a minimal 32-bit or 64-bit operating system with limited services, built on the Windows 10 kernel. Use Windows PE during Windows installation and deployment to boot the computer and start the setup program. Windows PE provides read and write access to Windows file systems, and supports a range of hardware drivers, including network connectivity, which makes it useful for troubleshooting and system recovery. You can run Windows PE from a CD/DVD, a USB flash drive, or the network by using the Preboot Execution Environment (PXE). The Windows ADK includes the tools to build and configure Windows PE.

Imaging and Configuration Designer
The Imaging and Configuration Designer is a graphical tool that is new in this version of the Windows ADK. It also includes a command-line tool for building provisioning packages and images.

You use Windows Imaging and Configuration Designer to:

View configurable settings and policies for a Windows 10 image or provisioning package.
Create Windows provisioning answer files.
Create variants to configure language and branding dynamically during deployment.
Build and deploy a Windows image.
Create provisioning packages.

USMT
User State Migration Tool (USMT) is a command-line tool that you can use to migrate user settings from a previous Windows operating system to Windows 10 or from one Windows 10-based computer to another.

VAMT
Volume Activation Management Tool (VAMT) is a graphical tool that you can use to automate and manage activation of Windows, Windows Server, and Microsoft Office. The VAMT PowerShell cmdlets require Windows PowerShell 3.0. VAMT requires a connection to SQL Server, version 2008 or newer (including Express Edition).

Other tools
Windows ADK also includes the following tools:

Windows Performance Toolkit. It consists of performance-monitoring tools that produce in-depth performance profiles of Windows operating systems and applications.
SQL Server 2012 Express. It is included for the tools that require a connection to a SQL Server.

The Process of Installing Windows 10
The process of deploying a Windows operating system is simpler today than it has been in the past. The person who performs the deployment has fewer decisions to make. However, those decisions are critical to the success of the deployment. A typical manual installation of Windows 10 involves performing the following procedure:

1. Connect to the installation source. Options for this include:
   o Insert a DVD containing the Windows 10 installation files, and boot from the DVD.
   o Connect a specially prepared USB drive that hosts the Windows 10 installation files.
   o Perform a PXE boot, and connect to a Windows Deployment Services server.
2. On the first page of the Windows Setup Wizard, select the following:
   o Language to install
   o Time and currency format
   o Keyboard or input method
3. On the second page of the Windows Setup Wizard, click Install now. You can also use this page to select Repair Your Computer. You use this option in the event that an installation has become corrupt and you are no longer able to boot into Windows 10.
4. On the License Terms page, review the terms of the operating system license. You must accept the license terms before you can proceed with the installation process.
5. On the Which Type Of Installation Do You Want page, you have the following options:
   o Upgrade. Select this option if you have an existing installation of Windows that you want to upgrade to Windows 10. You should launch upgrades from within the previous version of Windows rather than booting from the installation source.
   o Custom. Select this option if you want to perform a new installation.
6. On the Where do you want to install Windows page, choose an available disk on which to install Windows 10. You can also repartition and reformat disks from this page. If you want to do this from the command line, press Shift+F10 to open a command prompt. When you click Next, the installation process copies files and reboots the computer several times.
7. On the Set up for you, so you can get going fast page, click Use Express settings.
8. If the computer does not have Internet access, you might see a page telling you that something went wrong. Click Skip to continue the installation. The installation then skips to step 12 in this list, Create an account for this PC.
9. On the Who owns this PC? page, click This device belongs to my company, and then click Next. Depending on your choice in this step, the installation takes two different directions. If you indicate that this is a private computer, the setup program asks you to sign in with your Microsoft account, create a new one, or create a local account. If you indicate that this is a company computer, the setup program asks you to sign in with your work or school (Azure Active Directory) account, such as the account you use for Office 365, or create a local account. Depending on which edition of Windows 10 you install, you may or may not see this page.
10. On the Heads up page, click Continue.
11. On the Let's get you signed in page, click Skip this step.
12. On the Create an account for this PC page, type the username you want to use together with a password and a password hint, and then click Next.
13. This concludes the installation of Windows 10. You are signed in and the built-in universal apps are installed. It will take a few minutes before you see the desktop.
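Step 6 mentions repartitioning from the Shift+F10 command prompt. The following added example, which is not part of the course, creates the UEFI/GPT layout that Microsoft documents for UEFI systems (EFI system partition, Microsoft Reserved partition, Windows partition, and a recovery partition) so that the disk is ready for Secure Boot and BitLocker before you click Next in the wizard. It assumes the target is disk 0 (confirm with diskpart's list disk first), that the firmware is UEFI, and that PowerShell is available in the boot environment; if it is not, paste the diskpart lines from the here-string directly into diskpart at the command prompt. The clean command erases the selected disk.

```powershell
# Added example, not part of the course: UEFI/GPT partition layout via diskpart.
# Assumptions: disk 0 is the target, UEFI firmware, PowerShell available at the
# Setup command prompt (otherwise run the diskpart lines below directly in diskpart).
# WARNING: "clean" destroys everything on the selected disk.

$diskNumber = 0

$diskpartScript = @"
select disk $diskNumber
clean
convert gpt
rem 1. EFI system partition: holds the boot loader, must be FAT32 for the firmware
create partition efi size=100
format quick fs=fat32 label="System"
assign letter="S"
rem 2. Microsoft Reserved partition: no drive letter, no file system
create partition msr size=16
rem 3. Windows partition: all remaining space except what the recovery partition needs
create partition primary
shrink minimum=500
format quick fs=ntfs label="Windows"
assign letter="W"
rem 4. Recovery tools partition, typed and flagged so Windows treats it as required
create partition primary
format quick fs=ntfs label="Recovery"
assign letter="R"
set id="de94bba4-06d1-4d40-a16a-bfd50179d6ac"
gpt attributes=0x8000000000000001
list volume
"@

$scriptPath = Join-Path $env:TEMP 'uefi-layout.txt'
Set-Content -Path $scriptPath -Value $diskpartScript -Encoding ASCII
diskpart /s $scriptPath
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# Back in the wizard, click Refresh and select the partition labelled "Windows" (W:).
# Setup places the boot files on the EFI partition itself. When you deploy an image
# outside Setup, the equivalent steps are:
#   dism /Apply-Image /ImageFile:install.wim /Index:1 /ApplyDir:W:\
#   bcdboot W:\Windows /s S: /f UEFI
```

A disk prepared this way boots only on UEFI firmware; for a legacy BIOS computer the disk must stay MBR with a separate active system partition, and Secure Boot will not be available on it.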

Demonstration: Installing Windows 10
In this demonstration, you will see how to install Windows 10.

Demonstration Steps
Mount the Windows 10 DVD
In Hyper-V Manager, mount the Win10Ent_Eval.iso file for the 20697-1B-LON-CL5 virtual machine (VM). This file should be located at C:\Program Files\Microsoft Learning\20697-1\Drives\.

Start the 20697-1B-LON-CL5 VM
Start the 20697-1B-LON-CL5 VM.

Install Windows 10
1. On the first page of the Windows setup program, accept the default settings.
2. On the second page of the Windows Setup Wizard, click Install now.
3. On the License Terms page, accept the license terms.
4. On the Which Type Of Installation Do You Want page, choose a custom installation.
5. On the Where do you want to install Windows page, use the default drive. The installation begins and takes a few minutes to complete.
6. On the Get going fast page, use Express settings.
7. On the Create an account for this PC page, type the following:
   o Username: LocalAdmin
   o Password: Pa$$w0rd
   o Re-enter password: Pa$$w0rd
   o Password hint: Standard password
8. Finish the installation.

Revert virtual machines
When you finish the demonstration, revert the virtual machine to its initial state. To do this, complete the following step:

On the host computer, in Hyper-V Manager, revert 20697-1B-LON-CL5.

Activating Windows 10
All editions of Windows 10 require activation. Activation confirms the licensing status of a Windows product and verifies that the product key has not been used on more devices than its license allows. The activation process links the software's product key to a particular installation of that software on a device. If the device hardware changes considerably, you need to activate the software again. Activation assures software integrity and provides you with access to Microsoft support and a full range of updates. Activation is also necessary if you want to comply with licensing requirements. Depending on the license type, you may find that the license is locked to that particular hardware. In this case, you may not install Windows 10 on another computer with the same license.

Unlike Windows 7, Windows 10 does not have a 30-day activation grace period, so you should activate Windows 10 as soon as you install it. An installation that is not activated keeps running, but Windows displays an activation notice and prevents users from changing personalization settings until it is activated. In older versions of the Windows operating system, activation and validation with the Windows Genuine Advantage tool occurred separately. This caused confusion for users who thought the terms were interchangeable. In Windows 10, activation and validation occur at the same time. If you wish to evaluate Windows 10, Microsoft provides a separate evaluation edition that is available as an .iso image file to Microsoft Developer Network (MSDN) subscribers and Microsoft partners.

Activation methods
There are three main methods of activation:

Retail. Any Windows 10 product purchased at a retail store comes with one unique product key that you type in during product installation. Use the product key to complete activation after installing the operating system.
OEM. OEM system builders typically sell computer systems that include a customized, preactivated build of Windows 10. OEM activation ties the license to the computer's firmware, where the OEM product key is stored, so the license cannot be transferred to another computer.
Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software licensing programs that are tailored to the size and purchasing methods of your organization. Volume customers set up volume licensing agreements with Microsoft. These agreements include Windows upgrade benefits and other benefits related to value-added software and services. Microsoft Volume Licensing customers use Volume Activation Services to assist in activation tasks, which consist of the Active Directory-based activation, Key Management Service (KMS), and multiple activation key (MAK) models. KMS and Active Directory-based activation activate clients against a host in your own network and must be renewed periodically, whereas a MAK activates a client once against Microsoft and consumes one of a fixed number of activations.

You can view the Windows 10 activation status on the System properties page or by running the following command:

cscript C:\windows\system32\slmgr.vbs -dli
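The script below is an added example and not part of the course. It reads the same information that the slmgr.vbs command above prints, but from the SoftwareLicensingProduct CIM class, so that a script can branch on the result, and then shows the commands a volume-licensed client uses for KMS or MAK activation. The KMS host name kms01.contoso.com and the placeholder MAK are assumptions; the application ID GUID is the one slmgr.vbs itself uses to select the Windows product. It assumes an elevated session.

```powershell
# Added example, not part of the course: read the activation state of Windows and, if it
# is not activated, run the activation command appropriate for the licence channel.
# Assumptions: elevated session; kms01.contoso.com is a placeholder KMS host; the MAK
# shown is a placeholder and must never be hard-coded in a real script.

function Get-WindowsActivationState {
    $statusText = @{
        0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Out-of-box grace'; 3 = 'Out-of-tolerance grace'
        4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace'
    }
    # Windows exposes one SoftwareLicensingProduct per edition/channel it knows about; the
    # instance that has a partial product key is the licence actually installed.
    $lic = Get-CimInstance -ClassName SoftwareLicensingProduct -Filter `
        "ApplicationID='55c92734-d682-4d71-983e-d6ec3f16059f' AND PartialProductKey IS NOT NULL"
    if (-not $lic) { throw 'No Windows product key is installed.' }

    [pscustomobject]@{
        Edition        = $lic.Name
        Channel        = $lic.ProductKeyChannel     # Retail, OEM:DM, Volume:GVLK, Volume:MAK ...
        Status         = $statusText[[int]$lic.LicenseStatus]
        StatusCode     = [int]$lic.LicenseStatus
        PartialKey     = $lic.PartialProductKey
        GraceRemaining = [timespan]::FromMinutes($lic.GracePeriodRemaining)
        KmsHost        = $lic.DiscoveredKeyManagementServiceMachineName
    }
}

$state = Get-WindowsActivationState
$state | Format-List

if ($state.StatusCode -ne 1) {
    $slmgr = Join-Path $env:windir 'system32\slmgr.vbs'
    switch -Wildcard ($state.Channel) {
        'Volume:GVLK*' {
            # KMS client: the generic volume licence key is already installed. Normally the
            # client locates the host through the _VLMCS._tcp DNS SRV record; /skms pins it.
            # /ato requests activation, which is valid for 180 days and renewed every 7 days.
            cscript //nologo $slmgr /skms kms01.contoso.com:1688
            cscript //nologo $slmgr /ato
        }
        'Volume:MAK*' {
            # MAK: a one-time activation against Microsoft that consumes one activation.
            # Install the key with /ipk only when it is not already present, and prefer VAMT
            # or Active Directory-based activation so the key never lives on the client.
            #   cscript //nologo $slmgr /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
            cscript //nologo $slmgr /ato
        }
        default {
            # Retail and OEM keys normally activate automatically; /ato retries it.
            cscript //nologo $slmgr /ato
        }
    }
    Get-WindowsActivationState | Format-List Edition, Channel, Status, GraceRemaining
}
```

A StatusCode of 5 (Notification) on a Volume:GVLK client almost always means the KMS host could not be reached or has not yet met its activation threshold; checking the KmsHost field and the SRV record is faster than reinstalling keys.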



Check Your Knowledge
Question
Which Windows ADK tool do you use to create provisioning packages?

Select the correct answer.
Application Compatibility Toolkit
Windows PE
Deployment Image Servicing and Management
Imaging and Configuration Designer
Windows System Image Manager

Check Your Knowledge
Question
You want to secure your laptop by enabling BitLocker. Which editions of Windows 10 include BitLocker?

Select the correct answer.
Windows 10 Home
Windows 10 Pro
Windows 10 Enterprise
Windows 10 Education

Lesson 2
Upgrading to Windows 10
The decision to upgrade or migrate from a previous Windows version can be complicated. You must also decide how to perform the upgrade or migration. A large number of parameters can contribute to the upgrade decision. However, at the end of the process, the goal is always the same. You want your computer to run the newest operating system, while retaining the settings and data that existed in the Windows operating system prior to installing Windows 10.

This lesson examines the upgrade process, identifies different methods that you can use for upgrading and migrating your operating system, and introduces you to the tools and processes that you can use to perform an upgrade or migration.

Lesson Objectives
After completing this lesson, you will be able to:

Identify the supported upgrade paths to Windows 10.
Describe the difference between an upgrade and a migration.
Decide when to choose upgrade or migration.
Select the correct upgrade or migration option for your needs.
Describe the processes for upgrading to Windows 10.
Describe the processes for migrating to Windows 10.
Explain how to migrate user state.
Assess whether your device is ready for Windows 10.

Supported Upgrade Paths


Performing an in-place upgrade to Windows 10
can save time and enable you to retain user
settings and computer settings from a previous
Windows version. However, the Windows version
from which you are upgrading will dictate the
options that are available for the upgrade process.

Note: For the first year after the release of Windows 10, the upgrade will be free for all
Windows editions other than Windows 8/8.1 Enterprise and Windows 7 Enterprise.

Upgrade paths for Windows editions


You cannot upgrade previous Windows versions that do not have the same feature set as the edition of
Windows 10 that you are installing. The following table lists upgrade possibilities based on Windows
editions.

Previous Windows edition      Windows 10 Home   Windows 10 Pro   Windows 10 Enterprise

Windows 8/8.1                 X
Windows 8/8.1 Pro                               X
Windows 8/8.1 Enterprise                                         X
Windows RT
Windows 7 Starter             X
Windows 7 Home Basic          X
Windows 7 Home Premium        X
Windows 7 Professional                          X
Windows 7 Ultimate                              X
Windows 7 Enterprise                                             X

If your computer has the latest updates and service packs and you are running Windows 8.1 Pro,
Windows 7 Home Basic, Windows 7 Home Premium, or Windows 7 Professional, you will receive the
update to Windows 10 from Windows Update. If you do not have the latest updates, you can still
upgrade to Windows 10, but you will have to perform the upgrade from media, such as a DVD.

Previous Windows edition      Media (.iso file)   Windows Update

Windows 8.1 Update            X                   X
Windows 8.1 RTM               X
Windows 8                     X
Windows RT
Windows 7 SP1                 X                   X
Windows 7 RTM                 X

Deprecated features
When you upgrade to Windows 10, there may be some features in your old operating system that will no
longer be available. The following list details the deprecated features that are not a part of Windows 10:

If you are running Windows 8.1 Pro with Media Center, Windows 8 Pro with Media Center,
Windows 7 Home Premium, Windows 7 Professional, or Windows 7 Ultimate, Windows Media Center
will no longer be available.

You require separate software to play DVDs.



Windows 7 desktop gadgets will no longer be available when you install Windows 10.

Windows 10 Home users will have updates from Windows Update automatically available.

Solitaire, Minesweeper, and Hearts Games that come preinstalled on Windows 7 will no longer be
available when you upgrade to Windows 10. Microsoft has released universal apps called the
Microsoft Solitaire Collection and Microsoft Minesweeper.

If you have a USB floppy drive, you can download the latest driver from Windows Update or the
manufacturer's website.

If you have Windows Live Essentials installed, the installation of Windows 10 will replace the Microsoft
OneDrive application with the inbox version of OneDrive.

Upgrade vs. Migrate


When you decide to upgrade to Windows 10, you can use two different methods. You can do an in-place
upgrade if you want to keep all applications, settings, and files. This is the preferred method of
upgrading to Windows 10.

The other method is to migrate. You use this method primarily when the users receive a new computer
with Windows 10 and you want to preserve the users' files and settings.

In-place upgrade
The in-place upgrade is now the recommended
way to move from an existing Windows operating system to Windows 10. You perform an in-place
upgrade when you want to replace an existing Windows version with Windows 10, and you need to
retain all user applications, files, and settings. To perform an in-place upgrade to Windows 10, run the
Windows 10 installation program (setup.exe), and click Upgrade. You can run setup.exe from the product
DVD or from a shared folder on the network. During an in-place upgrade, the Windows 10 installation
program retains all user settings, data, hardware device settings, applications, and other configuration
information automatically.

Best Practice: Always back up all of your important data before performing an upgrade.

Migration
You perform a migration when you have a computer already running the Windows operating system,
and you need to move files and settings from your old operating system (source computer) to the
Windows 10-based computer (destination computer). Perform a migration by doing the following:

Back up the users' settings and data

Perform a clean installation

Reinstall the applications

Restore the users' settings and data



There are two migration scenarios: side-by-side, and wipe-and-load. In side-by-side migration, the source
computer and the destination computer are two different computers. In wipe-and-load migration, the
destination computer and the source computer are the same. To perform wipe-and-load migration, you
perform a clean installation of Windows 10 on a computer that already has an operating system, by
running the Windows 10 installation program, and then clicking Custom (advanced).

Note: Previously, migration was the recommended way to do upgrades, but now the
in-place upgrade is preferable.

Windows as a Service
Windows 10 will use a new method of delivering new features and functional changes. This method is
known as Windows as a Service. This is a major change from the past, when new Windows versions arrived
approximately every three years. This new way of delivering new functionality is comparable to when the
Windows 8.1 update came one year after the Windows 8 release.

With Windows 10, you can expect shorter release cycles, with bigger changes happening once a year.
Updates will no longer just be available on the second Tuesday of each month. Security and driver
updates will automatically download and install as soon as they become available for some Windows 10
editions. Other editions can defer some updates for a nonconfigurable period.

Note: The support for Windows 10 will continue for 10 years, until 2025.

Considerations for Choosing Between Upgrade and Migration


In the previous topic, you learned about the difference between an in-place upgrade and a migration.
Each upgrade project is different, with circumstances that might support one over the other.

Considering in-place upgrade
In any potential upgrade scenario, there may be certain circumstances that favor an in-place upgrade.
However, there are also disadvantages to this process. The following lists outline the advantages and
disadvantages of in-place upgrades.

Advantages:

Retains user settings, application settings, and files with no additional effort

Preserves installed applications, and typically does not require reinstallation of applications

Does not require additional storage space for migration files

Affects user productivity minimally, and preserves user settings and data just as in the source computer

Provides a simpler setup process

Rollback is available in case of a problem

Disadvantages:

Does not take advantage of the opportunity to start fresh with standardized reference configurations

Preserved applications may not work correctly after upgrading from an older Windows version

Remnant files or settings from in-place upgrade may contribute to performance and security issues

Does not allow for edition changes

Is only available on supported operating systems

Computer has to meet the minimum hardware requirements

Considering migration
As an alternative, you might consider using the migration process. The following lists outline the
advantages and disadvantages of migrations.

Advantages:

Offers a fresh start with the opportunity to clean up existing computers and create more stable and
secure desktop environments, a significant advantage when creating a managed environment

Allows for installation of any edition regardless of what edition was running previously on the computers

Provides the opportunity to reconfigure hardware-level settings, such as disk partitioning, before
installation

Viruses, spyware, and other malicious software do not migrate to the new installation of Windows

Disadvantages:

Requires the use of migration tools, such as USMT, to capture and restore user settings and data

Requires reinstallation of applications

Requires storage space for user settings and files to be migrated

May have an impact on user productivity because of the reconfiguration of applications and settings

Discussion: Common Upgrade and Migration Scenarios


Because in-place upgrades are the preferred
upgrade method, you should select the migration
scenario only when an in-place upgrade would
not work. You need to look for any deciding
factor that would cause you to choose one over
the other. Read the scenarios and choose
between:

In-place upgrade

Side-by-side migration

Wipe-and-load migration

Scenario 1
Contoso Pharmaceuticals owns 100 workstations on which Windows 7 was manually installed. They want
to upgrade these workstations to Windows 10, and switch to a more standardized and managed
deployment. What is the best upgrade method for Contoso?

Scenario 2
Litware, Inc. has only 25 computers of different models. They do not employ any IT staff. Their users are all
local administrators who are skilled in managing their own computers. All their computers run Windows 7
or Windows 8.1. They want to upgrade to Windows 10. What is the best upgrade method for Litware?

Scenario 3
A. Datum Corporation has 5000 client computers running Windows 8.1 in a managed environment. All
computers have the same set of applications installed. They want to upgrade to Windows 10. What is the
best upgrade method for A. Datum?

Scenario 4
Contoso Pharmaceuticals discovers that not all computers will have hardware drivers for Windows 10.
They will need to purchase 50 new computers. What is the best upgrade method for the 50 users who are
getting new computers?

Question: What is the best upgrade method for the 100 workstations running Windows 7 at
Contoso Pharmaceuticals?

Question: What is the best upgrade method for the 25 computers at Litware, Inc.?

Question: What is the best upgrade method for the 5,000 client computers at A. Datum?
Question: What is the best upgrade method for the 50 users who are getting new
computers at Contoso Pharmaceuticals?

The Process of Upgrading to Windows 10


An in-place upgrade replaces the operating
system on your computer while retaining all
programs, program settings, user-related settings,
and user data. Performing an in-place upgrade
from Windows 7 with Service Pack 1 (SP1) or
Windows 8.1 Update is the easiest way to upgrade
to Windows 10. The process for upgrading to
Windows 10 includes the following steps:
1. Evaluate

2. Back up

3. Upgrade
4. Verify

5. Update

Evaluate
Before starting the upgrade, you must evaluate whether your computer meets the requirements needed
to run Windows 10. If you are upgrading more than one computer, you should consider using the ACT
and the Microsoft Assessment and Planning Toolkit (MAP) to assess your organization's readiness.

You must determine whether any installed applications will have compatibility problems while running on
Windows 10. ACT, which is a part of the Windows ADK for Windows 10, provides several tools that can
assist with evaluating potential compatibility problems.

Back up
To prevent data loss during the upgrade process, back up any data and personal settings before starting
the upgrade. You can back up data to any appropriate media, such as tape, removable storage, writable
disc media, or a network shared folder.

Upgrade
After evaluating your computer requirements, and backing up your data and personal settings, you are
ready to perform the actual upgrade. To perform the upgrade, run the Windows 10 installation program
(setup.exe) from the product DVD, removable media, or a network share. If your computer supports an in-
place upgrade to Windows 10, you can select Upgrade during the installation process. The installation
program prevents you from selecting the upgrade option if an in-place upgrade is not possible. This
might occur for several reasons, such as your computer lacking sufficient disk space, or your current
Windows edition not supporting a direct upgrade to the Windows 10 edition that you want to install. In
this case, stop the upgrade process and resolve the indicated problem before attempting the upgrade
again.

Note: We recommend that you disable antivirus programs before attempting an upgrade.

Verify
When the upgrade completes, sign in to your computer, and verify that all of the applications and
hardware devices function correctly.

Update
Finally, determine whether there are any relevant updates to the Windows 10 operating system, and apply
them to your computer. It is important to keep the operating system up to date to protect against
security threats. You also can check for updates during the upgrade process. Dynamic Update is a feature
of Windows 10 Setup that downloads any critical fixes and drivers that the setup process requires. With
Windows as a Service, it is more important than ever to make sure your Windows-based computer is up
to date, because you may also receive new functionality via Windows Update.

The Process of Migrating to Windows 10


If you cannot, or prefer not to, perform an
in-place upgrade, you can perform a clean
installation of Windows 10, and then migrate
the user-related files and settings. The process
for migrating to Windows 10 includes the
following steps:

1. Back up

2. Install Windows 10
3. Update

4. Install applications

5. Restore

Back up
Before installing the new operating system, you must back up all user-related settings and program
settings with USMT. Additionally, you should consider backing up the user data. Although the
Windows 10 installation will not erase user data by default, it is a good practice to back up your
data to protect against accidental loss or damage during installation.

Note: Before the installation begins, you can choose to repartition or reformat the hard
disk. If you choose one of these actions, all user data will be deleted from the hard disk.

Note: When you do a clean installation of Windows 10 without reformatting the hard disk,
the existing Windows installation will be moved to a windows.old directory containing the
Windows, Program Files, and Users directories. All remaining directories and files stay in place.

Install Windows 10
Run the Windows 10 installation program (setup.exe) from the product DVD, removable media, or a
network share, and perform a clean installation by selecting Custom (advanced) during the installation
process. Then follow the on-screen instructions to complete the installation.

Update
If you chose not to check for updates during the installation process, it is important to do so after
verifying the installation. Keep your computer protected by ensuring that you have the most current
updates installed.

Install applications
Performing an upgrade by using a clean installation and migration process does not migrate the installed
applications. When you complete the Windows 10 installation, you must reinstall all applications.
Windows 10 may block the installation of any incompatible programs. To install any of these programs,
contact the software vendor for an updated version that is compatible with Windows 10.

Restore
After installing your applications, use USMT to migrate your application settings and user-related settings.

Note: In Windows 7 and Windows 8.1, you can also use Windows Easy Transfer to migrate
settings and data. Windows Easy Transfer is not available in Windows 10. Microsoft has partnered
with LapLink to provide PCmover Express, which is free to use for personal use.

Windows Easy Transfer is not available in Windows 10: http://aka.ms/nt1ycs

Migrating User State


Migration scenarios require toolsets that enable
you to capture the necessary information for
migration, and ensure that the information moves
successfully to the new Windows installation. In
this topic, you will learn about the tools that you
need to perform a migration to Windows 10
successfully. You must back up user-related
settings, application settings, and user data that
you will restore after the Windows 10 installation.

Identifying which components to migrate
When planning your migration, it is important to identify which components you need to migrate to the
new operating system platform. These components may include:

User accounts. Workstations may have settings related to both domain and local user accounts. You
must determine if you need to migrate local user accounts.

Application settings. You must determine and locate the application settings that you want to
migrate. You can acquire this information when you are testing the new applications for compatibility
with the new operating system.

Operating-system settings. Operating-system settings include appearance, mouse actions such as
click or double-click, keyboard settings, Internet settings, email-account settings, VPN connections,
accessibility settings, and fonts.

File types, files, folders, and settings. When you plan your migration, identify the file types, files,
folders, and settings to migrate. For example, you need to determine and locate the standard file
locations on each computer, such as the My Documents folder and company-specified locations.
You also must determine and locate the non-standard file locations.

You can use the following tools to perform migration:

Windows Easy Transfer. Use Windows Easy Transfer to perform a migration for a single computer or a
small number of computers. Windows Easy Transfer is not available in Windows 10. You can copy it
from a Windows 7-based computer. It is located in the C:\Windows\system32\migwiz directory.

USMT. Use USMT to perform a migration for a large number of computers and to automate the
process as much as possible. USMT is available as part of the Windows ADK. You will use USMT in
the lab.

USMT
USMT is a scriptable command-line tool that provides a highly customizable user-profile migration
experience for IT professionals. The components of USMT include:

ScanState.exe. The ScanState tool scans the source computer, collects the files and settings, and then
creates a store.

LoadState.exe. The LoadState tool migrates the files and settings, one at a time, from the store to a
temporary location on the destination computer.

Migration .xml files. The .xml files that the USMT uses for migrations are the MigApp.xml,
MigUser.xml, or MigDocs.xml, and any custom .xml files that you create.

The MigApp.xml file. Specify this file with both the ScanState and LoadState commands to migrate
application settings to computers that are running Windows 8.

The MigUser.xml file. Specify this file with both the ScanState and LoadState commands to migrate
user folders, files, and file types to computers that are running Windows 8.

The MigDocs.xml file. Use this file with both the ScanState and LoadState tools to migrate all user
folders and files.

Custom .xml files. You can customize the migration for your organization's needs by making custom
.xml files. For example, you can migrate an application or modify the default migration behavior with
the use of a custom .xml file.

Note: The course 20697-2A: Deploying and Managing Windows 10 Using Enterprise
Services includes more information about USMT and migrating user state.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

Migration is the preferred method of upgrading to Windows 10.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You need to migrate user state after an in-place upgrade.



Lab: Installing Windows 10


Scenario
You are involved with a project within A. Datum Corporation to deploy Windows 10 on the computers of
all users. You are performing a trial Windows 10 deployment by performing a test upgrade of a small
group of devices, starting with a single Windows 7-based computer. You will also test the feasibility of
migrating user settings for those users who will receive new hardware.

Objectives
After completing this lab, you will have:

Performed an in-place upgrade of Windows 7 to Windows 10.


Migrated user settings between two computers.

Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL2, 20697-1B-LON-CL3

User name: Adatum\Administrator


Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:

1. On the host computer, start Hyper-V Manager.


2. In Hyper-V Manager, click 20697-1B-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:


o User name: Administrator

o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 and 3 for 20697-1B-LON-CL2 and 20697-1B-LON-CL3.

Exercise 1: Upgrading Windows 7 to Windows 10


Scenario
You want to start your deployment of Windows 10 by upgrading your own Windows 7-based computer.

The main tasks for this exercise are as follows:


1. Verify that the computer meets the minimum requirements.

2. Perform an in-place upgrade from local media.


3. Verify that the upgrade was successful.

Task 1: Verify that the computer meets the minimum requirements


1. Sign in to 20697-1B-LON-CL3 with the username ADATUM\Administrator and the password
Pa$$w0rd.

2. Use System properties and Windows Explorer to check whether LON-CL3 matches the minimum
hardware requirements.
3. Write down the settings for:

o Processor: _____________________

o Installed memory (RAM):_____________


o Screen resolution:_________________

o Available disk space for drive C: ________________


o Do the above noted values match the minimum requirements? _______________

o Which setting does not match the minimum requirements? _____________

4. Shut down LON-CL3.
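Task 1 asks you to write down the processor, installed memory, screen resolution and free space on drive C, and to compare them with the minimum requirements. The following script is an added example, not part of the course or the lab, that collects those values with WMI and reports which ones fall short; the thresholds (1 GHz, 2 GB, 20 GB, 800x600, for a 64-bit installation) are assumptions for illustration, and the function name Get-UpgradeReadiness is the example's own.

```powershell
# Added example (not the course lab script): gathers the values that Task 1
# asks you to record and compares them with minimum requirements.
# Get-WmiObject is used instead of Get-CimInstance so the script also runs on
# the Windows 7 (Windows PowerShell 2.0) source computer.
$MinimumRequirements = @{
    ProcessorGHz = 1.0     # assumed minimum clock speed
    MemoryGB     = 2.0     # assumed minimum RAM for 64-bit (the lab raises LON-CL3 to 2048 MB)
    FreeDiskGB   = 20.0    # assumed minimum free space on the system drive
    ScreenWidth  = 800     # assumed minimum resolution
    ScreenHeight = 600
}

function Get-UpgradeReadiness {
    param(
        [hashtable]$Minimum = $MinimumRequirements,
        [string]$SystemDrive = $env:SystemDrive        # normally "C:"
    )

    $cpu   = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    $cs    = Get-WmiObject -Class Win32_ComputerSystem
    $disk  = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'"
    $video = Get-WmiObject -Class Win32_VideoController | Select-Object -First 1

    # Measured values in the same units as the thresholds. Physical memory is
    # reported slightly below the installed amount (firmware reservations), so
    # it is rounded to one decimal place before the comparison.
    $actual = @{
        ProcessorGHz = [math]::Round($cpu.MaxClockSpeed / 1000, 2)     # MaxClockSpeed is in MHz
        MemoryGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        FreeDiskGB   = [math]::Round($disk.FreeSpace / 1GB, 2)
        ScreenWidth  = [int]$video.CurrentHorizontalResolution
        ScreenHeight = [int]$video.CurrentVerticalResolution
    }

    # Every setting below its threshold blocks the in-place upgrade
    $failed = @()
    foreach ($name in $Minimum.Keys) {
        if ($actual[$name] -lt $Minimum[$name]) { $failed += $name }
    }

    New-Object PSObject -Property @{
        Processor        = $cpu.Name
        ProcessorGHz     = $actual.ProcessorGHz
        MemoryGB         = $actual.MemoryGB
        ScreenResolution = "$($actual.ScreenWidth)x$($actual.ScreenHeight)"
        FreeDiskGB       = $actual.FreeDiskGB
        MeetsMinimum     = ($failed.Count -eq 0)
        FailedSettings   = ($failed -join ', ')
    }
}

# Report the same items the task asks you to write down
Get-UpgradeReadiness | Format-List
```

On LON-CL3 as delivered, FailedSettings identifies the value that does not match, which Task 2 then corrects by raising the virtual machine's RAM.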

Task 2: Perform an in-place upgrade from local media


1. Change available RAM for 20697-1B-LON-CL3 to 2048 MB.
2. Start 20697-1B-LON-CL3, in the Actions pane, click Start, and then click Connect.

3. Mount the C:\Program Files\Microsoft Learning\20697-1\Drives\Win10ENT_Eval.iso in the
DVD drive.
4. Sign in as Adatum\Administrator with the password Pa$$w0rd.

5. Run the setup program from the DVD.

6. Do not download updates to the setup.


7. Accept the license terms in the setup wizard and choose to keep no previous settings.

Note: The setup program will now upgrade your Windows 7 installation to Windows 10.
This will take approximately 30 minutes.

8. Finish the setup program by selecting the default values, selecting the express settings, and clicking
the appropriate buttons.

9. On the Create an account for this PC page, provide the following, and then click Next:

o Username: LocalAdmin

o Password: Pa$$w0rd

o Hint: Standard password

10. After the setup finishes, you should be at the desktop of the new installation.

Task 3: Verify that the upgrade was successful


1. Run winver.

2. Make sure that the version number is 10.0 (Build 10240).

3. Revert 20697-1B-LON-CL3 to the previous checkpoint.

Results: After completing this exercise, you will have upgraded your Windows 7-based computer to
Windows 10.

Exercise 2: Migrating User Settings


Scenario
You can use the in-place upgrade for most of your computers, but you will replace some of the older
computers with more modern hardware that includes touch screens. You need to verify that you can
migrate users' settings from their old Windows 7-based computers to the new Windows 10-based
computer. You start by testing your own Windows 7-based computer.
The main tasks for this exercise are as follows:

1. Prepare the source computer.

2. Complete the migration.

3. Verify the migration.

Task 1: Prepare the source computer


1. Start and then sign in to LON-CL3 as Adatum\Administrator with the password Pa$$w0rd.

2. Create a new text file named Demofile on the desktop and put some random text in it.
3. Mount \\LON-DC1\USMT as the F drive.

4. Run the following command from the F drive:

Scanstate \\LON-DC1\MigrationStore\LON-CL3\ /i:migapp.xml /i:miguser.xml /o

This will take several minutes to complete.

Task 2: Complete the migration


1. Sign in to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd.
2. Notice that there is no Demofile.txt on the desktop and no Internet Explorer or Windows Media
Player icon in the taskbar.

3. Mount \\LON-DC1\USMT as the F drive.


4. Run the following command from the F drive:

Loadstate \\LON-DC1\MigrationStore\Lon-CL3\ /i:migapp.xml /i:miguser.xml /lac:Pa$$w0rd /lae

This will take several minutes to complete.
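The two lab commands above, together with the USMT components described in the previous topic (ScanState, LoadState, the MigApp.xml and MigUser.xml files, and a custom .xml file), can be driven from one script. The following is an added example and not the course's own lab script: it writes a constructed custom migration .xml, runs the same ScanState and LoadState commands as the lab with a log file, and encrypts the store with a key file. It assumes \\LON-DC1\USMT is mapped as F: on both computers (as in the lab); the file names MigCustom.xml and migstore.key and the function names are the example's own.

```powershell
# Added example (not the course lab script): wraps the lab's ScanState and
# LoadState commands, adds a custom migration .xml, logs, and encrypts the store.
$UsmtDir        = 'F:\'                                    # \\LON-DC1\USMT mapped as F:
$SourceComputer = 'LON-CL3'                                # the lab's source computer
$Store          = "\\LON-DC1\MigrationStore\$SourceComputer\"
$CustomXml      = Join-Path $UsmtDir 'MigCustom.xml'       # constructed file name
$KeyFile        = Join-Path $UsmtDir 'migstore.key'        # constructed file name; restrict who can read it

# Constructed custom migration .xml: migrates each user's Projects folder
# but leaves temporary files behind. It is passed with /i to both commands.
@'
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/migcustom">
  <component type="Documents" context="User">
    <displayName>Project files</displayName>
    <role role="Data">
      <rules>
        <include>
          <objectSet>
            <pattern type="File">%CSIDL_PROFILE%\Projects\* [*]</pattern>
          </objectSet>
        </include>
        <exclude>
          <objectSet>
            <pattern type="File">%CSIDL_PROFILE%\Projects\* [*.tmp]</pattern>
          </objectSet>
        </exclude>
      </rules>
    </role>
  </component>
</migration>
'@ | Set-Content -Path $CustomXml -Encoding UTF8

function New-StoreKeyFile {
    # Writes a random key used by ScanState /encrypt and LoadState /decrypt.
    # Run once on the source computer; the destination reads the same file from F:.
    param([string]$Path = $KeyFile)
    $alphabet = (48..57) + (65..90) + (97..122)            # 0-9, A-Z, a-z as character codes
    $key = -join (1..32 | ForEach-Object { [char](Get-Random -InputObject $alphabet) })
    [System.IO.File]::WriteAllText($Path, $key)            # no trailing newline in the key file
    return $Path
}

function Invoke-Usmt {
    # Runs ScanState.exe or LoadState.exe from the USMT share with the lab's
    # .xml files plus the custom one, and stops on a non-zero exit code.
    param(
        [ValidateSet('ScanState', 'LoadState')] [string]$Tool,
        [string[]]$ExtraArgs = @()
    )
    $exe = Join-Path $UsmtDir "$Tool.exe"
    $log = Join-Path $env:TEMP "$Tool.log"
    $toolArgs = @(
        $Store,
        "/i:$(Join-Path $UsmtDir 'MigApp.xml')",
        "/i:$(Join-Path $UsmtDir 'MigUser.xml')",
        "/i:$CustomXml",
        "/l:$log",                                        # log file for troubleshooting
        '/v:5'                                            # verbose logging
    ) + $ExtraArgs
    & $exe $toolArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Tool failed with exit code $LASTEXITCODE; review $log"
    }
    return $LASTEXITCODE
}

# On the source computer (LON-CL3): create the key, then capture. /o overwrites
# an existing store, as in the lab; /encrypt protects the store on the share.
# New-StoreKeyFile
# Invoke-Usmt -Tool ScanState -ExtraArgs @('/o', '/encrypt', "/keyfile:$KeyFile")

# On the destination computer (LON-CL2): restore. /lac and /lae create and
# enable migrated local accounts as in the lab; /decrypt reads the same key file.
# Invoke-Usmt -Tool LoadState -ExtraArgs @('/lac:Pa$$w0rd', '/lae', '/decrypt', "/keyfile:$KeyFile")
```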



Task 3: Verify the migration


Notice that the demofile.txt is now on the desktop and the Internet Explorer and Windows Media
Player icons are visible on the taskbar.

Results: After completing this exercise, you will have migrated your settings from your Windows 7-based
computer to a new Windows 10-based computer.

Prepare for the next module


When you are finished with the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat step 2 and 3 for 20697-1B-LON-CL2 and 20697-1B-LON-CL3.



Module Review and Takeaways


Review Questions
Question: Your organization wants to deploy Windows 10 and wants to be able to join the
computers to Microsoft Azure Active Directory. Which edition(s) of Windows 10 will you be
able to use?

Question: You have a few computers running Windows Vista. What is a supported method
of upgrading the computers to Windows 10?

Tools
Tool                                   Use to                              Where to find it

Windows ADK                            Assess and deploy Windows           Microsoft Download Center

Application Compatibility Toolkit      Check application compatibility     Windows ADK
                                       for Windows 10

Windows SIM                            Create and edit answer files        Windows ADK

USMT                                   Migrate user settings               Windows ADK

DISM                                   Service Windows image files         Windows ADK

Volume Activation Management Tool      Manage volume Windows activation    Windows ADK

Imaging and Configuration Designer     Manage images and provisioning      Windows ADK
                                       packages

Module 3
Configuring Your Device
Contents:
Module Overview 3-1

Lesson 1: Overview of Tools You Can Use to Configure Windows 10 3-2

Lab A: Configuring Windows 10 3-16


Lesson 2: Common Configuration Options 3-21

Lesson 3: Managing User Accounts 3-28


Lesson 4: Using OneDrive 3-35
Lab B: Synchronizing Settings with OneDrive 3-40

Module Review and Takeaways 3-44

Module Overview
After you install the Windows 10 operating system with its various apps and programs, you need to
configure the device for use. Windows 10 provides a number of tools that you can use to do this, some of
which are new and some that have been available in older Windows versions. Proper device configuration
is an important part of managing a Windows 10 system. In this module, you will learn about the tools that
you can use to configure Windows 10 devices. You also will learn about several common configuration
options, user accounts, and Microsoft OneDrive integration with Windows 10.

Objectives
After completing this module, you will be able to:
Describe the different tools that you can use to configure Windows 10.

Explain common configuration options.

Manage user accounts.


Use OneDrive with Windows 10.

Lesson 1
Overview of Tools You Can Use to Configure Windows 10
Windows 10 provides a variety of tools that you can use to configure a device. The new Settings app and
the Control Panel both provide you with extensive configurable settings that you can set. You often will
use the Control Panel, which has not changed significantly since Windows 8.1, in conjunction with the
Settings app. For example, many of the configurable items in the Settings app have direct links to specific
Control Panel items and functions. Additionally, Windows PowerShell is a powerful tool that you can use
to configure a Windows 10 device and create reusable scripts to make complex configuration changes
quickly. Finally, you can manage multiple devices centrally by using Active Directory Domain Services
(AD DS) Group Policy Objects (GPOs), and use GPOs to configure a wide range of settings.

Lesson Objectives
After completing this lesson, you will be able to:

Explain how to use the Windows 10 Settings app.


Explain how to use the Control Panel.

Describe Windows PowerShell.

Explain how to use Windows PowerShell.


Configure a device.

Explain how to use GPOs.

Explain how to apply GPOs.


Use GPOs to configure devices.

Using the Settings App


Windows 10 continues to use many of the same
computer controls that previous Windows
versions have included, such as the Control Panel.
However, in Windows 10, many of the Control
Panel functions are available in the Settings app.
The Settings app contains several settings that you
can use to configure your device. These settings
appear in nine different categories: System,
Devices, Network & Internet, Personalization,
Accounts, Time & Language, Ease of Access,
Privacy, and Update & Security. In Windows 8.1,
you used the Charms feature to access Settings.
Windows 10 does not include the Charms feature. However, you can use the Start menu or the taskbar
to access the Settings app and other features that were accessible through the Charms feature in
Windows 8.1.

Note: One of the key differences between Windows 8.1 and Windows 10 is that the latter
features the return of the Start menu. However, you can retain or reapply the Start screen
functionality if you want to.

Windows 10 Settings App


You can access the Settings app in any of the following ways:

Open the Action Center, and in the lower portion, click the All Settings tile.
Click the Start menu icon, and then click Settings on the menu.

Type Settings in the search box located on the taskbar, and then press the Enter key.

The Settings app page has nine separate icons that represent the main categories that you can configure.
When you click any of these icons, you will access a page with subcategories that appear in a console tree
on the left of the page. Depending on the subcategory that you select, more items and configurable
settings appear in the details pane.

Using Control Panel


The Control Panel lets you adjust your computer's settings. Much of the functionality in the new
Settings app also is present in the Control Panel.

The Control Panel has been part of every Windows version since Windows 2.0. However, in Windows 10,
there are significant changes in the Control Panel. The Settings app replaces many possible configurable
actions that were in the Control Panel previously, and it is the quickest way to make configuration
changes. However, the Control Panel allows you to make more advanced changes that may not be
available in the Settings app.

The Control Panel appears as a File Explorer folder. You also can open Control Panel by right-clicking
the Windows Start icon, and then clicking Control Panel, or by pressing the Windows logo key and X
simultaneously, and then clicking Control Panel. By default, items in the Control Panel appear in the
Category view. However, you also can display items in the Large or Small icon views.
In the Category view, two columns display the following items, in order from upper left to lower right:

System and Security

Network and Internet

Hardware and Sound

Programs

User Accounts

Appearance and Personalization

Clock, Language, and Region

Ease of Access

What Is Windows PowerShell?


Windows PowerShell is an integrated shell environment that enables scriptable, flexible, and
comprehensive management of Windows 10. Windows PowerShell has several characteristics that make it
ideal for local and remote management of one or more Windows 10 devices, including:

Windows operating-system integration. Microsoft introduced Windows PowerShell 1.0 as an installable
option for Windows Vista and as a feature for Windows Server 2008. Every Windows operating-system
version since Windows 7 and Windows Server 2008 R2 has included native support for Windows PowerShell.
Windows PowerShell 2.0 was part of Windows 7 and Windows Server 2008 R2. Windows PowerShell
3.0 is part of Windows 8 and Windows Server 2012. Windows PowerShell 4.0 is part of Windows 8.1
and Windows Server 2012 R2, and Windows PowerShell 5.0, the most recent version, is part of
Windows 10.

Remote management capability. You can use Windows PowerShell to manage remote computers,
provided remote management is enabled and the user who is performing the remote management
has the proper authorization.

Script-based execution. You can use Windows PowerShell scripts to build automation and complex
logic into management tasks.

Using the command-line interface


Commands provide Windows PowerShell's main functionality. There are different types of commands,
including cmdlets (pronounced command-lets), functions, and workflows. These commands are building
blocks, designed for piecing together and implementing complex and customized processes and
procedures. Windows PowerShell provides a command-line interface (CLI) that you can use to enter
cmdlets interactively.

Using the GUI


Windows PowerShell is not restricted to the command line. For example, the Active Directory
Administrative Center in Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2
is a graphical user interface (GUI) that uses Windows PowerShell to perform all of its tasks.

Using the CLI or GUI


The architecture of Windows PowerShell and the ability to use it directly as a CLI, or to use it through a
GUI that embeds the shell, increases the consistency and coverage of administrative capabilities. For
example, an administrator might rely completely on a GUI app to perform tasks. However, if the
administrator must perform some task or implement some process that the GUI does not explicitly
support, the administrator instead can use the shell directly. When you implement it correctly, this
architecture helps ensure that anything that you can do in the GUI, you can do in the CLI, with the CLI
further allowing you to customize processes and procedures.

Windows PowerShell ISE


The Windows PowerShell app is available in both 32-bit and 64-bit versions of Windows 10. The 32-bit
version displays as Windows PowerShell (x86) in the All apps area in the Start menu. The 64-bit version
displays as Windows PowerShell.

Note: The 32-bit version of Windows 10 does not contain the 64-bit version of Windows
PowerShell.

There is another Windows PowerShell app in the same app area called Windows PowerShell Integrated
Scripting Environment (ISE) that provides command-completion functionality, and enables you to see all
available commands and the parameters that you can use with those commands.
You also can use a scripting window within Windows PowerShell ISE to construct and save Windows
PowerShell scripts. The ability to view cmdlet parameters ensures that you are aware of the full
functionality of each cmdlet, and can create syntactically correct Windows PowerShell commands.

Windows PowerShell ISE provides color-coded cmdlets to assist with troubleshooting. Windows
PowerShell ISE also provides debugging tools that you can use to debug simple and complex
Windows PowerShell scripts. You can use the Windows PowerShell ISE to view available cmdlets
by module.

Using Windows PowerShell


You can use Windows PowerShell to run individual cmdlets that perform actions, or to run scripts that
use cmdlets. Using Windows PowerShell is much simpler than other scripting languages such as
VBScript.

Windows PowerShell uses Windows PowerShell drives to provide access to data stores. These
drives present data in a format similar to a file system. Some common Windows PowerShell
drives are:

The C drive is the local file system's C drive.

The Cert drive is the local certificate store.

The Env drive contains environment variables that are stored in memory.

The HKCU drive is the HKEY_CURRENT_USER portion of the registry.

The HKLM drive is the HKEY_LOCAL_MACHINE portion of the registry.

The Variable drive contains the variables that are stored in memory.
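The following is an added example, not code from the course, that walks through each of the drives listed above with read-only commands. The paths under Cert: and HKLM: are standard locations on a Windows 10 device; nothing here changes the system.

```powershell
# Added example: browsing the data stores that Windows PowerShell exposes as drives.
# Every command reads only; nothing on the device is modified.

# Drives that the current session exposes, with the provider behind each one
Get-PSDrive | Select-Object Name, Provider, Root | Format-Table -AutoSize

# C: is the ordinary file system drive
Get-ChildItem -Path C:\Windows -Filter *.exe | Select-Object -First 5 Name, Length

# Cert: exposes the certificate stores. Listing trusted root certificates that expire
# within a year is a quick audit check on a device.
Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt (Get-Date).AddYears(1) } |
    Select-Object Subject, Thumbprint, NotAfter

# Env: holds the process environment variables; PATH is split into its directories
(Get-Item -Path Env:\PATH).Value -split ';'

# HKLM: maps the HKEY_LOCAL_MACHINE hive; values are read with Get-ItemProperty
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
    Select-Object ProductName, CurrentBuild

# Keys under the Policies path show which Group Policy settings have been written locally
Get-ChildItem -Path 'HKLM:\SOFTWARE\Policies\Microsoft' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty PSChildName

# HKCU: maps the hive of the signed-in user in the same way
Get-ChildItem -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion' |
    Select-Object -First 5 -ExpandProperty PSChildName

# Variable: holds the session's variables, so $services appears here as 'services'
$services = Get-Service
Get-ChildItem -Path Variable:\services |
    Select-Object Name, @{ n = 'Count'; e = { $_.Value.Count } }
```

Because every drive is browsed with the same cmdlets (Get-ChildItem, Get-Item, Get-ItemProperty), learning the file system commands once gives you the registry, certificate store, and environment for free.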

Cmdlets
Cmdlets use a naming convention of a verb or action, followed by a noun or a subject. For example, to
retrieve a list of services, you would use the Get-Service cmdlet. This standardization makes it easier to
learn how to accomplish administrative tasks.
Some common cmdlet verbs are:

Get. Retrieves data.

Set. Establishes or modifies data.

New. Creates a new object.


Each cmdlet has options called parameters. Some parameters are required and some are optional. The
parameters vary for each cmdlet.

The following example shows how to start the Application Identity service by using the Name parameter.
The -Name parameter takes the service name (AppIDSvc), not the display name (Application Identity).

Start-Service -Name AppIDSvc

Note: The cmdlets that are available for use on a computer system vary depending on its
Windows PowerShell version and the snap-ins with cmdlets that are installed.

Compatibility with command-line tools


You can run batch files and executable files at a Windows PowerShell command prompt. For example, you
can run ipconfig.exe at a Windows PowerShell command prompt, and it behaves exactly as if you ran it
from a command prompt. This allows you to start using Windows PowerShell as your default command-
line environment for administration. Note that there are also equivalent cmdlets that return similar values
as older executables. For example, the cmdlet alternative to ipconfig.exe /all is Get-NetIPAddress,
which returns a somewhat similar data set.

In some cases, commands or options for commands contain reserved words or characters for
Windows PowerShell. In such a case, you can enclose the command in single quotation marks to
prevent Windows PowerShell from evaluating the reserved word or combination of words. You also
can use the grave accent (`) character to prevent the evaluation of a single character.
In rare cases, an executable file does not run correctly at a Windows PowerShell command prompt. You
should test batch files to ensure that they work properly at a Windows PowerShell command prompt.
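An added example, not code from the course, that shows the points made in this subsection: a native executable run from Windows PowerShell, the object-based cmdlet alternative, and the three ways to stop the shell from interpreting reserved characters (single quotes, the grave accent, and the stop-parsing token). The MpCmdRun.exe path is the one present on a default Windows 10 installation.

```powershell
# Added example: native command-line tools inside Windows PowerShell.

# A native executable runs exactly as it would from cmd.exe; its output is plain text
ipconfig.exe /all

# Text output can only be searched as text...
ipconfig.exe /all | Select-String -Pattern 'IPv4 Address'

# ...whereas the cmdlet returns objects whose properties you can filter and select.
# Get-NetIPAddress covers only the addresses themselves; Get-NetIPConfiguration -Detailed
# is closer to ipconfig /all because it also includes gateway and DNS servers.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength, PrefixOrigin

# A path with spaces: single quotes keep the string literal, and the call operator (&)
# runs whatever the quoted string names. Run with no arguments, MpCmdRun.exe prints its usage.
& 'C:\Program Files\Windows Defender\MpCmdRun.exe'

# The grave accent escapes one character inside double quotes, so $ADMIN$ prints literally
# while $env:COMPUTERNAME still expands
Write-Host "Share `$ADMIN`$ on $env:COMPUTERNAME"

# The stop-parsing token (--%) passes the rest of the line to the native program untouched,
# so cmd.exe sees %USERNAME% as its own variable instead of PowerShell trying to parse it
cmd.exe --% /c echo %USERNAME%

# Native programs report success through $LASTEXITCODE; test batch files this way
& "$env:SystemRoot\System32\whoami.exe" /groups | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "whoami.exe failed with exit code $LASTEXITCODE"
}
```

Checking $LASTEXITCODE after each native call is the habit that makes the "test batch files at a Windows PowerShell command prompt" advice above actionable: a batch file that silently fails still returns a non-zero code you can act on.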

Using Windows PowerShell for bulk operations


Windows PowerShell helps you manage multiple computers or perform bulk operations in the Windows
environment. You can leverage Windows PowerShell features, such as variables, scripts, and system
interoperability, to encapsulate tedious and time-consuming management tasks into scripts or cmdlets
that only take seconds to run.

Getting help with using Windows PowerShell


You can use a number of cmdlets to get help with using Windows PowerShell. One of the key cmdlets for
help is the Get-Help cmdlet. Get-Help followed by the name of the cmdlet will give you a brief but
detailed guide on that particular cmdlet, including the parameters that you can use.

For example, the Get-Help Set-Item command returns the following result:

NAME
    Set-Item

SYNOPSIS
    Changes the value of an item to the value specified in the command.

SYNTAX
    Set-Item [-Path] <String[]> [[-Value] <Object>] [-Credential <PSCredential>] [-Exclude <String[]>]
    [-Filter <String>] [-Force] [-Include <String[]>] [-PassThru] [-Confirm] [-WhatIf]
    [-UseTransaction [<SwitchParameter>]] [<CommonParameters>]

    Set-Item [[-Value] <Object>] [-Credential <PSCredential>] [-Exclude <String[]>] [-Filter <String>] [-Force]
    [-Include <String[]>] [-PassThru] -LiteralPath <String[]> [-Confirm] [-WhatIf]
    [-UseTransaction [<SwitchParameter>]] [<CommonParameters>]

DESCRIPTION
    The Set-Item cmdlet changes the value of an item, such as a variable or registry key, to the value
    specified in the command.

RELATED LINKS
    Online Version: http://go.microsoft.com/fwlink/p/?linkid=293910
    Clear-Item
    Copy-Item
    Get-Item
    Invoke-Item
    Move-Item
    New-Item
    Remove-Item
    Rename-Item
    about_Providers

REMARKS
    To see the examples, type: "get-help Set-Item -examples".
    For more information, type: "get-help Set-Item -detailed".
    For technical information, type: "get-help Set-Item -full".
    For online help, type: "get-help Set-Item -online"

Another useful cmdlet is Get-Command. This cmdlet shows a list of all cmdlets, aliases, functions,
workflows, filters, scripts, and applications installed on your version of Windows PowerShell.
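An added example, not from the course, that puts Get-Command and Get-Help to work on the questions a new user actually has: which cmdlets use a given verb, what is loaded right now, and which parameters of a cmdlet are required. The Get-RequiredParameter function is a helper written for this example; it reads the parameter-set metadata that every cmdlet exposes.

```powershell
# Added example: discovering commands and their required parameters.

# Every cmdlet that uses the Get verb
Get-Command -Verb Get -CommandType Cmdlet | Select-Object Name, Source | Sort-Object Name

# Everything loaded in this session, grouped by command type (cmdlet, function, alias, ...)
Get-Command -ListImported | Group-Object CommandType | Select-Object Name, Count

# All commands that work with services, from any module
Get-Command -Noun Service

# Help for one cmdlet, then only its examples. Run Update-Help once (elevated) to download
# the full text; until then Get-Help shows only the auto-generated syntax block.
Get-Help Get-Process
Get-Help Get-Process -Examples

# Required parameters are flagged as mandatory in each parameter set. This helper lists
# them so you know what you must supply before running a command.
function Get-RequiredParameter {
    param([Parameter(Mandatory)][string]$CommandName)

    $command = Get-Command -Name $CommandName
    foreach ($set in $command.ParameterSets) {
        $mandatory = $set.Parameters |
            Where-Object { $_.IsMandatory } |
            Select-Object -ExpandProperty Name
        [pscustomobject]@{
            Command      = $command.Name
            ParameterSet = $set.Name
            Required     = ($mandatory -join ', ')
        }
    }
}

Get-RequiredParameter -CommandName Start-Service   # Name, or InputObject, or DisplayName
Get-RequiredParameter -CommandName Set-Item        # Path, or LiteralPath

# Cmdlets that change state support -WhatIf, which previews the change without making it
Set-Item -Path Env:\LAB_STAGE -Value 'test' -WhatIf
```

The two Set-Item parameter sets in the Get-Help output above are exactly what Get-RequiredParameter reports: one set requires -Path, the other -LiteralPath, and everything else is optional.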

There are numerous websites that can help you learn Windows PowerShell. Microsoft TechNet has the
Microsoft Script Center, where you can search for Windows PowerShell scripts based on what you want
the script to do. Examples include deleting files older than X number of days, controlling Windows Update
on your computer, and a wide variety of other functions.

Microsoft Script Center


http://aka.ms/ipge1q

Demonstration: Configuring a Device


In this demonstration, you will see how to:

Explore and use the Settings app.


Explore and use the Control Panel.

Open and use Windows PowerShell.

Use Windows PowerShell ISE.


Open and review a script.

Modify and test a script.

Run a script from the Windows PowerShell command prompt.

Demonstration Steps
Explore and use the Settings app
1. On LON-CL1, open Settings, and go to System.
2. In the Display item, go to Advanced Display Settings, and then set the Resolution to 1280 X 800.

3. Return to the main Settings page.


4. Go to the Devices item.
5. Click Add a printer or scanner.

6. Scroll down, and then select the Devices and printers hyperlink.
7. Note that the Control Panel, Devices and Printer item appears. Click the Add a printer hyperlink.

Note: To make some configurations at the Settings level, you will need to use the Control
Panel.

8. In the Choose a device or printer to add to this PC window, select The printer that I want isn't
listed hyperlink.

9. Select Add a local printer or network printer with manual settings, and then accept the default
port. Click Next.

10. For the print driver, select HP and HP Photosmart 7520 series Class Driver, and then name the
printer HP Photosmart 7520.

11. On the Printers & Scanners page, in Settings, click the HP Photosmart 7520 icon. Notice that the
Remove device option appears.

Note: The controls for printers are limited on this page.

12. Spend some time going through other Settings items. When finished, close the Settings app.

Explore and use the Control Panel


Use the Start menu to open the Control Panel.

Note: Spend a few moments reviewing items in Control Panel. However, please note that
most of it has not changed.

Open and use Windows PowerShell


1. Use Search the web and Windows to open the 64-bit version of Windows PowerShell.

2. Run Get-Command. Examine the results that Windows PowerShell returns.

3. Add the -ListImported parameter to Get-Command. Review the results that Windows PowerShell
returns.

4. Run Get-Help New-Item. Note the Remarks section of the output, and how you would use the
-Online parameter to get the additional content.

5. Review the different outputs of ipconfig.exe /all and Get-NetIPAddress.

Using Windows PowerShell ISE


1. Open the Windows PowerShell ISE app as Administrator.

2. Use the cmdlet Get-ExecutionPolicy to confirm that the current execution policy is Unrestricted.

3. If it is Restricted, use the cmdlet Set-ExecutionPolicy Unrestricted to ensure that the execution
policy is now at Unrestricted.

Open and review a script


1. In Windows PowerShell ISE, open E:\Labfiles\Mod03\Services.ps1.
2. Read the script, and examine what the script is doing.

Note: Note the following:

Comments are green.


Variables are red.

Cmdlets are bright blue.


Text in quotation marks is dark red.

Modify and test a script


1. Select line 3 in the script, and then run the selection.

2. In the console pane, view the contents of the $services variable.

3. Run the script, and then read the output. Notice that it does not have multiple colors.

4. At the end of line 14, type -ForegroundColor $color.

5. Run the script, and then read the output. Notice that running services are green and services that are
not running are red.

6. On line 16, type Write-Host A total of $services.count services were evaluated.

7. Run the script.


8. In the Commands pane, build a Write-Host command with the following options:

o BackgroundColor: Gray

o ForegroundColor: Black
o Object: Script execution is complete

9. Copy the command, and then paste it on line 17 of the script.

10. Run the script.

11. Save the script.

Run a script from the Windows PowerShell command prompt


1. Open the Windows PowerShell command prompt.

2. At the command prompt, type Set-Location E:\Labfiles\Mod03, and then press Enter.
3. Type .\Services.ps1, and then press Enter.
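The lab file E:\Labfiles\Mod03\Services.ps1 is not reproduced on this page. The script below is an added, constructed stand-in (not the course's file) laid out so that the line numbers in the demonstration steps line up: line 3 fills $services, line 14 is the Write-Host that receives -ForegroundColor $color in step 4, and lines 16 and 17 are the two commands added in steps 6 and 9. It is shown in its final state, after all edits.

```powershell
# Services.ps1 - constructed stand-in for the lab file (not the course's own script)
# Line 3 fills $services; line 14 got -ForegroundColor $color in step 4; lines 16-17 came from steps 6 and 9
$services = Get-Service                                   # line 3: every service on this computer

foreach ($service in $services) {                        # one pass over the collection
    # Choose the output color from the service state
    if ($service.Status -eq 'Running') {
        $color = 'Green'
    }
    else {
        $color = 'Red'
    }
    # Line 14: without -ForegroundColor $color every line prints in the default color
    Write-Host "$($service.DisplayName) is $($service.Status)" -ForegroundColor $color
}
Write-Host "A total of $($services.Count) services were evaluated"                              # line 16
Write-Host -BackgroundColor Gray -ForegroundColor Black -Object 'Script execution is complete'  # line 17
```

Selecting line 3 alone and running the selection (step 1) populates $services in the console pane without running the loop, which is why step 2 can inspect it. Because Services.ps1 is created locally, the RemoteSigned execution policy is sufficient to run it; Unrestricted, which the ISE steps set, additionally allows unsigned scripts downloaded from the Internet to run after a prompt.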

Using GPOs
Group Policy is a system that you can use to apply configuration settings to Windows clients and
servers. You create GPOs that contain Group Policy settings, and domain-joined Windows 10-based
computers download and apply the settings in those GPOs.

GPOs
A GPO is an object that contains one or more
policy settings that apply configuration settings
for users, computers, or both. GPOs in AD DS are
stored in the SYSVOL share on domain controllers,
and you can manage them by using the Group
Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group
Policy Management Editor window. GPOs logically link to AD DS containers to apply settings to the
objects in those containers.

Note: GPOs can link to AD DS sites, domains, and organizational units (OUs). GPOs cannot
link to the default Computers or Users containers in AD DS.

Group Policy Settings


A Group Policy setting is the most specific component of Group Policy. It defines a specific configuration
change to apply to an object (a computer, a user, or both) within AD DS. Group Policy has thousands of
configurable settings. These settings can affect nearly every area of the computing environment. Not all
settings can be applied to all older versions of Windows Server and Windows operating systems. Each new
version introduces new settings and capabilities that only apply to that specific version. If a computer has
a Group Policy setting applied that it cannot process, it simply ignores it.

Most Group Policy settings have three states:

Not Configured. The GPO will not modify the existing configuration of the particular setting for the
user or computer.

Enabled. The GPO will apply the policy setting.

Disabled. The GPO will reverse the policy setting.

Note: By default, most Group Policy settings are set to Not Configured.

Note: Some settings are multivalued or have text string values. These typically provide
specific configuration details to applications or operating system components. For example, a
setting might provide the URL of the home page for Internet Explorer or for blocked applications.

The effect of the configuration change depends on the Group Policy setting. For example, if you enable
the Prohibit Access to Control Panel Group Policy setting, users will be unable to open Control Panel. If
you disable the Group Policy setting, you ensure that users can open Control Panel. Notice the double
negative in this Group Policy setting: you disable a policy setting that prevents an action, thereby allowing
the action.

Group Policy Settings Structure


There are two distinct types of Group Policy settings:

User settings. These settings modify the HKEY_CURRENT_USER hive of the registry.

Computer settings. These settings modify the HKEY_LOCAL_MACHINE hive of the registry.

User settings and computer settings each have three areas of configuration, as described in the following
table.

Section Description

Software settings Contains software settings that can deploy to either the user
or the computer. Software that deploys or publishes to a
user is specific to that user. Software that deploys to a
computer is available to all users of that computer.

Windows operating system settings Contains script settings and security settings for both user
and computer, and Internet Explorer maintenance for the
user configuration.

Administrative templates Contains hundreds of settings that modify the registry to


control various aspects of the user and computer
environment. Microsoft or other vendors might create new
administrative templates. You can add these new templates
to the GPMC. For example, Microsoft has Microsoft Office
2013 templates that are available for download that you can
add to the GPMC.

Group Policy Management Editor


The Group Policy Management Editor window displays the individual Group Policy settings that are
available in a GPO. These display in an organized hierarchy that begins with the division between
computer settings and user settings, and then expands to show the Computer Configuration node and
the User Configuration node. You configure all Group Policy settings and preferences in the Group Policy
Management Editor window.

Group Policy Preferences


In addition to the Group Policy sections shown in the preceding table, there is a Preferences node under
both the Computer Configuration and User Configuration nodes in the Group Policy Management Editor
window. Preferences provide even more capabilities with which to configure the environment. The key
difference between a GPO setting and Group Policy Preference is that the GPO setting is enforced, and
cannot be modified outside of the GPO. For example, you cannot change an item whose setting was
configured in a GPO by changing it in the Settings app or the Control Panel. A Group Policy Preference,
on the other hand, is not enforced. Users can change it if they have the necessary permissions and rights
on the computer.

How GPOs Apply


GPOs apply in a consistent order that allows you
to predict which settings are effective when there
are conflicting settings in GPOs that apply to a
user or computer. GPOs that apply later in the
process overwrite any conflicting policy settings
that applied earlier.

GPOs apply in the following order:


1. Local GPOs. Each computer that is running Windows Vista or newer potentially already has a
local GPO configured.
2. Site GPOs. Policies that link to sites process
next.

3. Domain GPOs. Policies that link to the domain process next. There often are multiple policies at the
domain level. These policies process in order of preference.
4. OU GPOs. Policies linked to OUs process next. These policies contain settings that are unique to the
objects in that OU. For example, Sales users might have special required settings. You can link a policy
to the Sales OU to deliver those settings.

5. Child OU policies. Any policies that link to child OUs process last.

AD DS objects in the containers receive the cumulative effect of all policies in their processing order. In
the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level
policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it
to the Information Technology (IT) OU to reverse that policy. Because the OU-level policy applies later in
the process, access to registry tools would be available to users in the IT OU.
If multiple policies apply at the same level, an administrator can assign a preference value to control the
order of processing. The default preference order is the order in which the policies were linked. You also
can disable the user or computer configuration of a particular GPO.

Local GPOs
A local GPO is the least influential object in an AD DS environment because its settings can be overwritten
by GPOs that are associated with sites, domains, and OUs. In a non-networked environment, or in a
networked environment that does not have a domain controller, local GPO settings are important because
other GPOs do not overwrite them. Stand-alone computers only use local GPOs to control the
environment.

Each Windows 10-based computer has one local GPO that contains default computer and user settings,
regardless of whether the computer is part of an AD DS environment. In addition to this default local
GPO, you can create custom local user GPOs.

Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer
Windows Server operating systems, have an added feature: multiple local GPOs. Since Windows 8 and
Windows Server 2012, you also can have different user settings for different local users, but this is only
available for the user configuration part of Group Policy. There is still only one set of computer
configuration settings, and it affects all users of the computer.

Computers that run Windows 7 and newer versions provide this ability with the following three layers of
local GPOs:

Local Group Policy (contains the computer configuration settings)


Administrators and Non-Administrators Local Group Policy

User-specific Local Group Policy

Domain GPOs
You can use Group Policy in an AD DS environment to provide centralized configuration management.
Domain GPOs are created and linked to objects within an AD DS infrastructure. The settings in the GPO
then affect the computers and users that are within those objects, depending on how you configure the
application of the GPO.

Options for Modifying Group Policy Processing


You can modify the default processing of GPOs by using:
Security filtering. You can use security filtering to specify users, computers, or groups that are able or
not able to process a GPO. For example, you could specify that members of the Technical Support
group have special security settings.

Enforcement. You can use enforcement to ensure that settings in a specific GPO apply regardless of
any lower-level GPOs that would normally override this GPO. For example, you could specify
standardized security settings at the domain level.
Block inheritance. You can use block inheritance to prevent a lower-level OU from inheriting settings
from a higher-level OU. For example, you could block settings applied at the domain level from
affecting users in the IT OU.

Note: When a link is enforced and a lower-level OU blocks inheritance, the settings in the
enforced GPO apply.

Demonstration: Using GPOs to Configure Devices


In this demonstration, you will see how to:

Explore the Group Policy Editor on the local Windows 10-based computer.

Configure and test a domain GPO that alters Windows 10 display settings.

Demonstration Steps
Explore the Group Policy Editor on the local Windows 10-based computer
1. On LON-CL1, open the Local Group Policy Editor (gpedit.msc).

2. Spend a few moments exploring the various console tree items and what appears in the details pane.

Configure and test a domain GPO that alters Windows 10 display settings
1. On LON-DC1, in Group Policy Management, create a new GPO named Win10 Display.

2. Edit Win10 Display.

3. In the Group Policy Management Editor, in the console tree under Computer Configuration, expand
Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then
select Security Options.

4. In the Interactive Logon: Message title for users attempting to log on text box, type Attention!

5. In the Interactive Logon: Message text for users attempting to log on text box, type This
computer belongs to the A. Datum Corporation.
6. Close the Group Policy Management Editor, and then link the Win10 Display GPO to
Adatum.com.

7. Close the Group Policy Management Console, and then return to LON-CL1.

8. Run gpupdate /force at a command prompt.


9. Sign out, and then press Ctrl+Alt+Delete in the Virtual Machine Connection window. You should see
Attention! This computer belongs to the A. Datum Corporation directly underneath the user
name. Click OK, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
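An added example, not from the course, that builds the demonstration's Win10 Display GPO with the GroupPolicy module (available on LON-DC1 or anywhere RSAT is installed) and then applies the three processing options described in "Options for Modifying Group Policy Processing": enforcement, block inheritance, and security filtering. The two Security Options set in the demonstration are stored as the LegalNoticeCaption and LegalNoticeText registry values under the Policies\System key, which is why Set-GPRegistryValue can set them. The GPO name and domain are the course's; the IT OU distinguished name and the 'IT Workstations' group are assumptions for this example.

```powershell
# Added example: the logon banner GPO, with enforcement, blocked inheritance and security filtering.
Import-Module GroupPolicy

$gpoName   = 'Win10 Display'
$domainDN  = 'DC=adatum,DC=com'
$itOu      = "OU=IT,$domainDN"          # assumed OU; adjust to the real one
$filterGrp = 'IT Workstations'          # assumed computer group used for security filtering
$policyKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 1. Create the GPO, or reuse it if it already exists
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Interactive logon banner for IT devices'
}

# 2. The two Security Options from the demonstration, as the registry values they map to
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'LegalNoticeCaption' `
    -Type String -Value 'Attention!' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'LegalNoticeText' `
    -Type String -Value 'This computer belongs to the A. Datum Corporation.' | Out-Null

# 3. Link at the domain level. -Enforced Yes means an OU that blocks inheritance still gets it,
#    and a conflicting OU-level GPO cannot override it even though OU GPOs process later.
$existing = (Get-GPInheritance -Target $domainDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) {
    New-GPLink -Name $gpoName -Target $domainDN -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 4. Block inheritance on the IT OU. Non-enforced domain GPOs stop applying there;
#    the enforced banner GPO still does, as the note in the text states.
Set-GPInheritance -Target $itOu -IsBlocked Yes | Out-Null

# 5. Security filtering: only members of one group apply the GPO. Authenticated Users keeps
#    Read (so computer accounts can still retrieve the GPO) but loses Apply; the group gets Apply.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $filterGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 6. Verify: the links the IT OU receives, in processing order, with their Enforced flag
Get-GPInheritance -Target $itOu |
    Select-Object -ExpandProperty InheritedGpoLinks |
    Select-Object Order, DisplayName, Enforced, Enabled

# On LON-CL1, refresh and read back the values the logon screen displays:
#   gpupdate /force
#   Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' |
#       Select-Object LegalNoticeCaption, LegalNoticeText
```

The verification step is the part worth keeping: Get-GPInheritance shows the effective link order for a container, so you can confirm which GPO wins a conflict before signing in to test, and the read-back on the client confirms that the enforced setting survived the blocked inheritance.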

Categorize Activity
Categorize each item below.

Items

1 Learn what the Get-Process cmdlet does.

2 Scripts are allowed to run, but must be signed by a trusted publisher.

3 Shows whether a service is running or stopped.

4 Find out all the cmdlets you can use with the Get verb.

5 Removes all restrictions on running scripts.

6 Shows status of all services.

7 Find examples of various cmdlets.

8 Locally created scripts can run.

9 Retrieve a list of services.

Category 1 Category 2 Category 3

Get-Help Set-ExecutionPolicy Get-Service



Categorize Activity
Categorize each item below.

Items

1 Set the main display for the computer

2 Query IP address

3 Enable a policy setting for all computers in an organizational unit (OU)

4 Check for updates

5 Test the secure channel to the domain

6 Map a drive letter for all users in the domain

7 Add a Microsoft account

8 Add parameters to filter a returned list

9 Add an interactive logon message

Category 1 Category 2 Category 3

Settings app Windows PowerShell GPO



Lab A: Configuring Windows 10


Scenario
Your organization's IT Manager, Ed Meadows, wants you to configure a Windows 10-based computer
that the IT department can use for development and testing. He wants you to ensure that the antivirus
program does not scan the Labfiles folder on drive E, because it contains some scripts that deliberately
trigger and test antivirus programs. Additionally, you will need to install the HP Photosmart 7520 printer
on this computer. You will need to install the duplex-printing functionality of this printer. You need to
ensure that the Windows PowerShell execution policy is set to unrestricted, and you will use Windows
PowerShell to turn on and off the duplex printing. You also must put a warning on the computer that
indicates that it is for A. Datum IT Development and Testing only, and ensure that you disable the
Encrypting File System (EFS) on this computer only.

Objectives
After completing this lab, you will have configured a Windows 10 device with the Settings app, Control
Panel, Windows PowerShell, and GPOs.

Lab Setup
Estimated Time: 45 minutes

Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1


User name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:

o User name: Administrator


o Password: Pa$$w0rd

o Domain: Adatum

5. Repeat steps 2 through 4 for 20697-1B-LON-CL1.

Exercise 1: Using the Settings App


Scenario
You need to use the Settings app to ensure that the antivirus program does not scan the Labfiles folder
on drive E, because it contains some scripts that deliberately trigger and test antivirus programs.
Additionally, you will need to install the HP Photosmart 7520 printer on this computer.

The main task for this exercise is as follows:

1. Use the Settings app to configure a device.



Task 1: Use the Settings app to configure a device


1. On LON-CL1, open Settings and go to Update & security.

2. Go to Windows Defender, and then add the E:\Labfiles folder to the Folder Exclusion list.

3. Return to the main Settings page.

4. Click the Devices item.

5. Click Add a printer or scanner. Notice that the printer is not found.

6. Scroll down, and then select the Devices & printers hyperlink.

7. Note that the Control Panel, Devices and Printer item appears. Some Settings-level configurations
still use the Control Panel.

8. Click Add a printer, and then click the The printer that I want isn't listed hyperlink.
9. Click the Add a local printer or network printer with manual settings, and then accept the
default port.

10. For the print driver, select HP and HP Photosmart 7520 series Class Driver, and then name the
printer HP Photosmart 7520.

11. Return to Settings, and on the Printers & scanners page, click the HP Photosmart 7520 icon. Note
that the Remove device option appears. Close the Settings app.

Results: After completing this exercise, you will have successfully used the Settings app to configure a
device.

Exercise 2: Using Control Panel


Scenario
After adding the printer in the Settings app, you need to use the Control Panel to finish configuring those
items that you cannot configure in the Settings app.
The main task for this exercise is as follows:

1. Use the Control Panel to configure a device.

Task 1: Use the Control Panel to configure a device


1. On LON-CL1, open the Control Panel.
2. In the Control Panel, navigate to the Devices and Printers item, and then open the HP Photosmart
7520 printer that you installed earlier.

3. Check the printing preferences to see if you can turn on the duplex printing. Note that Print on both
sides is not an option.

4. Open the HP Photosmart 7520 Properties, and then under the Device settings tab, install the
Automatic Duplexing Unit.

5. Check the printing preferences to see if you can now enable the duplex printing. Set the Print on
both sides preference to Flip on Long Edge. Close all open windows.

Results: After completing this exercise, you will have successfully used the Control Panel to configure a
device.

Exercise 3: Using Windows PowerShell


Scenario
Your supervisor, Mr. Meadows, wants you to use Windows PowerShell to test the scripting environment.

The main task for this exercise is as follows:


1. Use Windows PowerShell to configure a device.

Task 1: Use Windows PowerShell to configure a device


1. Run the Windows PowerShell desktop app as Administrator.

2. Check the Execution Policy. If set to Restricted, change to Unrestricted with the following cmdlet:

Set-ExecutionPolicy Unrestricted

3. Confirm that Execution Policy is now Unrestricted.


4. Open the Devices and Printers Control Panel item, and then confirm that the HP Photosmart 7520
printer has the Print on Both Sides preference turned on.

5. Use a Windows PowerShell cmdlet to query the printer properties, and then change the DuplexUnit
value to FALSE with the following syntax (the printer name is quoted because it contains spaces):

Get-PrinterProperty -PrinterName "HP Photosmart 7520"

Set-PrinterProperty -PrinterName "HP Photosmart 7520" -PropertyName "Config:DuplexUnit" -Value FALSE

Note: In Windows PowerShell, a dash symbol precedes each cmdlet's parameter name,
such as the -Value parameter above. Please note that when you copy and paste text from a file, word
wrap may separate the dash from the parameter name. Therefore, you should inspect all pasted
cmdlets and parameters to ensure they follow Windows PowerShell syntax requirements.

6. Close all open windows.


7. In Search the web and Windows, type PowerShell_ISE and then press Enter.

8. In Windows PowerShell ISE, open E:\Labfiles\Mod03\Services.ps1.

9. Read the script, and then note what the script is doing, using the color legend below.

Note: The Windows PowerShell ISE script pane uses the following color coding:

Comments are green.


Variables are red.

Cmdlets are bright blue.

Text in quotation marks is dark red.



10. Select line 3 in the script, and then run the selection.

11. In the console pane, view the contents of the $services variable.

12. Run the script, and then read the output. Notice that it does not have multiple colors.

13. At the end of line 14, type -ForegroundColor $color.

14. Run the script, and then read the output. Notice that running services are green and services that are
not running are red.
15. On line 16, type Write-Host "A total of $($services.Count) services were evaluated" (the $( ) subexpression is needed so that the Count property, not the whole $services collection, is expanded inside the string).

16. Run the script.

17. In the Commands pane, build a Write-Host cmdlet with the following options:
o BackgroundColor: Gray

o ForegroundColor: Black

o Object: Script execution is complete

18. Copy the command, and then paste it on line 17 of the script.

19. Run the script.

20. Save the script.

21. Open the Windows PowerShell command prompt.


22. At the command prompt, type Set-Location E:\Labfiles\Mod03, and then press Enter.

23. Type .\Services.ps1, and then press Enter. Close all open windows.
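The script that steps 8 through 20 build up, shown as a completed whole. This is an added reconstruction based only on what the steps describe, not the lab's own E:\Labfiles\Mod03\Services.ps1 (whose exact contents are not reproduced on this page); the use of Get-Service to fill $services and the DisplayName/Name/Status output format are assumptions.

```powershell
# Added example: a reconstruction of what the completed Services.ps1 does,
# based on the lab steps above. The real lab file is not reproduced here.

# Query every service on the local computer (the steps refer to the
# $services variable being set on line 3 of the lab script).
$services = Get-Service

foreach ($service in $services) {
    # Choose a console color from the service state: running services are
    # shown in green, services that are not running in red (step 14).
    if ($service.Status -eq 'Running') {
        $color = 'Green'
    }
    else {
        $color = 'Red'
    }

    # Without -ForegroundColor the output is a single color (step 12);
    # appending "-ForegroundColor $color" is what step 13 adds on line 14.
    Write-Host "$($service.DisplayName) ($($service.Name)): $($service.Status)" -ForegroundColor $color
}

# Step 15: report how many services were evaluated. The $( ) subexpression
# makes PowerShell evaluate .Count inside the double-quoted string; without
# it the string would contain the whole collection followed by ".Count".
Write-Host "A total of $($services.Count) services were evaluated"

# Step 17: the Write-Host command built in the Commands pane of the ISE,
# pasted on line 17 of the lab script.
Write-Host -BackgroundColor Gray -ForegroundColor Black -Object 'Script execution is complete'
```

Save it as Services.ps1 and run it with .\Services.ps1 from the folder that contains it, exactly as steps 22 and 23 do.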

Results: After completing this exercise, you will have successfully configured the device with Windows
PowerShell.

Exercise 4: Using GPOs


Scenario
You must put a sign-in disclaimer on the Windows 10-based computer in the developer area that
identifies it as a testing-only computer for A. Datum Corporation, and you need to ensure that you
disable the EFS service. You decide to use a GPO.

The main task for this exercise is as follows:

1. Use GPOs to configure devices.

Task 1: Use GPOs to configure devices


1. On LON-DC1, from Server Manager, open Group Policy Management, and then create a new GPO
named Win10 Display.

2. Edit Win10 Display, and in the Group Policy Management Editor, click Computer Configuration,
click Policies, click Windows Settings, click Security Settings, click Local Policies, and then click
Security Options.

3. In the Interactive Logon: Message title for users attempting to log on text box, type Attention!

4. In the Interactive Logon: Message text for users attempting to log on text box, type This
computer is used for A. Datum Corp Development and Testing Only! Do not use on production
network!

5. In Control Panel Settings, in Services, create a Computer Configuration Preference with the following
parameters:

o Startup: Disabled

o Service Name: EFS

o Service Action: Stop service

o Item-level Targeting on

o Targeting Computer name LON-CL1

6. Close the Group Policy Object Management Editor, and then link the Win10 Display GPO to
Adatum.com.
7. Close the Group Policy Management Console and all open windows, and then sign out.

8. Return to LON-CL1, run gpupdate /force at a command prompt, and then when it completes
successfully, run Shutdown /r /t 0.
9. After LON-CL1 restarts, press Ctrl+Alt+Delete in the Virtual Machine Connection window. You should
see the message Attention! This computer is used for A. Datum Corp Development and Testing
Only! Do not use on production network!
10. Click OK, and then sign in as Adatum\Administrator with the password Pa$$w0rd.

11. Open the Services Control Panel item, and then confirm that Encrypting File System (EFS) service is
now disabled.
12. Close all open windows, and then sign out.
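After step 9 you confirm the sign-in message visually and after step 11 you check the service in the Control Panel. The following added example, which is not part of the lab, reads the same results back on LON-CL1 with Windows PowerShell; it assumes the standard registry location and value names (LegalNoticeCaption and LegalNoticeText) that the Interactive logon message policies are written to, and uses the Win32_Service class to read the EFS startup type.

```powershell
# Added example: verify on LON-CL1 that the Win10 Display GPO took effect.
# Run this after "gpupdate /force" and the restart described in step 8.

# The Interactive logon message policies are stored under this key.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Expected values, exactly as typed into the GPO in steps 3 and 4.
$expectedTitle = 'Attention!'
$expectedText  = 'This computer is used for A. Datum Corp Development and Testing Only! Do not use on production network!'

# Read the policy values back. If the key or values are missing, the GPO
# has not applied yet (or the computer is not in the GPO's scope).
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$titleMatches = ($null -ne $policy) -and ($policy.LegalNoticeCaption -eq $expectedTitle)
$textMatches  = ($null -ne $policy) -and ($policy.LegalNoticeText -eq $expectedText)

# The Services preference item should leave EFS disabled and stopped.
# Win32_Service exposes the startup type as StartMode ('Disabled' here).
$efsWmi     = Get-CimInstance -ClassName Win32_Service -Filter "Name='EFS'"
$efsService = Get-Service -Name EFS -ErrorAction SilentlyContinue
$efsDisabled = ($null -ne $efsWmi) -and ($efsWmi.StartMode -eq 'Disabled')
$efsStopped  = ($null -ne $efsService) -and ($efsService.Status -eq 'Stopped')

# Summarize the checks; every property should be True when the GPO applied.
[PSCustomObject]@{
    ComputerName      = $env:COMPUTERNAME
    LogonTitleMatches = $titleMatches
    LogonTextMatches  = $textMatches
    EfsDisabled       = $efsDisabled
    EfsStopped        = $efsStopped
}
```

If any value is False, run gpresult /r in an elevated command prompt to confirm that the Win10 Display GPO is listed among the applied computer policies before troubleshooting the item-level targeting.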

Results: After completing this exercise, you will have successfully used GPOs to configure devices.

Prepare for the next lab


When you are finished with the lab, keep all virtual machines running for the next lab. Complete the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, click MSL-TMG1, and then in the Actions pane, click Start.

3. You do not need to sign in to this virtual machine.



Lesson 2
Common Configuration Options
Setting a device's display capabilities and screen effects is an important part of getting the most from
your computing environment. Many users find it important to have a crisp, sharp display that is capable of
vibrant colors and fast movement. However, such displays often result in high power consumption, which
is a disadvantage, especially for those using mobile devices on battery power. As a result, it is equally
important to be able to configure the power consumption options.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the various display settings in Windows 10.


Configure display options.

Describe how to manage mobile-device settings in Windows 10.

Describe power plans.


Configure power options.

Display Options
Most of the display settings in Windows 10 are
new, but some of the settings still use the same
configuration options available in older Windows
versions. For many people, changing the display
options starts with right-clicking the desktop, and
then clicking the Display settings menu item.
This procedure remains the same in Windows 10.
However, by doing so, you open the new Display
item in the System category of the Settings app.
Here, you can configure a wide variety of settings.
The Display item contains the following
configurable items:

Large Display icon. A large rectangle or multiple large rectangles at the top of the Display area
represent your displays. When you have more than one display, you can change the placement of
these display rectangles. For example, you can move one rectangle to the left and the other to the
right. However, if you extend these displays, the mouse cursor will not necessarily move from left to
right across the gap between displays as expected. To fix this issue, you can switch the two display
rectangles--or more if you have them--so that the mouse cursor moves between them as expected.

Identify. If you have more than one display, each display rectangle will have a number on it, starting
with the number 1. Even if you only have one display, you will see the rectangle with the number 1 on
it. If you click the Identify hyperlink under the rectangle, a large number will appear in a pop-up
window on your screen, corresponding to the displays you have. Therefore, if you have one display,
you will see a pop-up window with a large number 1 on your only display. If you have two displays,
one display will have a large number 1 in a pop-up window, while the other display will have a large
number 2 in a pop-up window.

Detect. When you click this hyperlink, it detects other displays that are connected, but which have
not come up in the Display settings. However, any connected displays should show automatically.

Change the size of text, apps, and other items. You can use this slider bar to edit the size from 100
percent, on the far left, to 125 percent on the far right.

Orientation. Not all Windows 10 devices will have this drop-down option. Virtual machines and
desktops normally do not, because this is primarily a mobility function. Tablets and certain laptops
will change automatically from landscape to portrait view based on how users hold them, due to a
gyroscopic sensor in the device. Not every device has such sensors, and the Display settings provide
the orientation drop-down to manage this manually.
Brightness level. You can move the toggle on this slider bar from left to right to set the brightness
level from 0 to 100 percent. A corresponding number appears right above the slider toggle as you
move it, to show the brightness percentage.

Multiple displays. This drop-down list box is unavailable if you only have one display. The choices
you can make include Duplicate these displays, Extend these displays, Show only on 1, Show only
on 2, and more if you have more than two connected displays.

Make this my main display. This check box is only available when you have two or more displays.
You must select one of the large rectangular Display icons to make the change. Otherwise, the main
display will be the monitor you are on, and because that is already the main display, it will be grayed
out. The display that you select will be the display on which you sign in and get the first items on the
desktop.
Apply. Some of the changes will not take place until you click Apply. When you do so, the changed
display appears with an overlay screen with a Keep these display settings? Reverting to previous
display in x seconds message. The overlay screen also includes two options: Keep changes and
Revert. If you click Keep changes, you will return to the Display Settings page with the new settings
applied. If you click Revert, or wait for the seconds to elapse, the display reverts to the way it
was before you clicked Apply, and the Display Settings page appears again.
Cancel. Removes any changes you may have made previously.
Advanced Display Settings. This hyperlink takes you to another page that is virtually identical to the
Display page but with the Resolution check box described below. The page also has an Apply
option and a Cancel option at the bottom.

Resolution. This drop-down box contains all the resolution sizes that are available to the graphics
device and monitor that make up your display(s). Sizes will vary, but the drop-down box normally has
several choices, including the recommended choice for a particular display and that setting, such as
1366X768 (Recommended).

Other Display Settings


At the bottom of the console tree of the Advanced Display Settings page there is an Advanced sizing of
text and other items hyperlink, which you can click to access the Display area in the Control Panel's
Appearance and Personalization area. The Display area has several more advanced display settings that
you can modify, which are either duplicates of the Windows 10 Settings app or are not available there.
Many of these settings take you back to the appropriate Settings app page for that functionality.

The Personalization category of the Settings app contains several configurable items that affect the
display, such as background, colors, and other functions such as Themes, Lock screen, and Start menu.

Demonstration: Configuring Display Options


In this demonstration, you will see how to configure the display options on a Windows 10-based
computer.

Demonstration Steps
1. On LON-CL1, open Settings, and then go to System.

2. In the Display item, in Change the size of text, apps, and other items, slide the slider toggle all the
way to the right, so that it zooms to 125%. Apply this, sign out, and then sign back in as
Adatum\Administrator.

Note: If a window opens that says "Attention! This computer belongs to the A. Datum
Corporation", click OK.

3. Return to the Display Settings page, go to Advanced Display Settings, and then set the
Resolution to 1366 X 768.
4. Return to the main Settings page.

5. Open the Personalization category, and then navigate through all of the various settings.

6. Close all open windows, and then sign out.

Options for Mobile Devices


Computers play an important part in people's
daily lives. The ability to carry out computing
tasks at any time and in any place has become
a necessity for many users. Mobile computers
are portable devices that you can use for work,
such as:

Laptops and notebook computers

Tablets
Windows 10 Mobile phone devices

When you select a mobile computer operating
system, ensure that the device can adapt to a
variety of scenarios. Windows 10 allows you to change configuration settings based on specific
requirements.

You can access and configure mobile computer settings by using the various Settings app category pages
of configuration settings. You can access various settings such as System, including Display, which the
previous topic detailed, and Power, which the next topic covers. The System setting also includes the
tablet mode settings, which allows you to use tablet devices with full touch capabilities and reverts the
Start menu to a Start screen similar to that in Windows 8.

The Action Center can help you manage many of the mobile-device settings with simple tiles referred
to as Quick Actions. To open the Action Center, click the Notifications balloon icon in the taskbar's
notification area. You can click the Quick Actions tiles, or touch them on a touch-capable device. The
Quick Actions tiles let you edit different settings quickly. These tiles are:

Tablet mode. Enables you to go into tablet mode with one click, and back to normal mode by clicking
or touching it again. When tablet mode is in effect, this tile is live.
Connect. Searches for wireless display and audio devices by using Bluetooth, wireless,
Miracast, or WiGig-capable components. In the computing industry, WiGig refers to the Wireless
Gigabit Alliance, Institute of Electrical and Electronics Engineers (IEEE) standard 802.11ah.

Note. Brings up Microsoft OneNote for Windows 10.

All Settings. Takes you to the Settings app.

VPN. Connects a VPN connection, if you have one.

Quiet hours. Turns off all Windows notifications during the time that you configure. This means that
a new email or a friend's Skype status will not trigger an audio alarm and a pop-up notification. The
benefit of this Quick Action is that you do not have to turn off all notifications manually, and when
you disable Quiet hours, you then see all your notifications.
Location. Turn on or off the location-based settings that many apps use.

Battery saver. Switches the Battery saver mode on and off, which lowers the screen brightness and
limits background tasks, and adjusts other settings to reduce your device's power consumption.
Airplane mode. Turns airplane mode on or off. Airplane mode turns off wireless, cellular, and
Bluetooth transmissions while keeping the device running for local tasks.
WiFi. Turns your wireless adapter on or off.

Bluetooth. Turns your Bluetooth adapter on or off.

Note: Not all Quick Actions tiles will be available on your device. Some of these tiles
require that your device has specific hardware or software installed.

Power Plans
Computing devices need electrical power,
regardless of whether they are stationary or
mobile. One of the main concerns with mobile
devices that use stored electrical power is that the
power in the battery is limited and depletes over
time. Another issue for many organizations is the
power consumption by all of the different devices
that they may own. Conserving power helps to
reduce business expenses and benefits the
environment.

Power Plans
You can create power plans in Windows 10 that govern power consumption and operations. By default,
there are three preconfigured power plans: Balanced, Power saver, and High performance. You can
adjust and save any of these power plans, or create your own power plan. The following table provides
details about each plan.

Power plan: Balanced
  Energy usage: Medium
  Screen brightness: Can turn off the display after a specified amount of time.
  System activity: Measures ongoing activity and, when in use, continues to provide full power to all system components.

Power plan: Power saver
  Energy usage: Least
  Screen brightness: By default, after five minutes of inactivity, the display will power off.
  System activity: Saves energy by reducing system performance whenever possible.

Power plan: High performance
  Energy usage: Highest
  Screen brightness: Sets the screen at its highest brightness.
  System activity: Keeps the system's disk drive, memory, and processor continuously supplied with power.

If the computer is a portable device, such as a tablet or laptop, you can use separate settings within each
plan for when the device is on battery or plugged in. Because you can adjust and save each plan, there is
also an option in the plan to restore default settings. You can use this option to return the plan to where
you started.
You can access the power plans by performing the following procedure:

1. Open the Settings app, click System Category, and then click Power & Sleep.

2. Click the Additional power settings hyperlink, or alternatively, type Power Plans in the Search the
web and Windows text box in the taskbar. This will open up the Control Panel Power Options page.

Note: By default, you will see only the Balanced and Power saver plans in the Preferred
plans section. If you click the down arrow by the Show additional plans section, the High
performance plan appears. The three plans are the Windows 10 default plans. However, any new
plans that you create will appear on this page as well.

Configuration options
There are different options available in the Settings app's System category section, on the Power & Sleep
page. The options that are available on your device depend on its hardware configuration. For example,
on a laptop or other mobile device, you will have the following configurable options, with a drop-down
list box for various minutes, hours, and never:

Screen
o On battery power, turn off after

o When plugged in, turn off after

Sleep
o On battery power, PC goes to sleep after

o When plugged in, PC goes to sleep after



The Additional power settings hyperlink appears below the settings discussed above, and you can click
it to access the Power Options configuration page in the Hardware and Sound section of the Control
Panel. The Power Options configuration page includes many options.

Note: Not all devices will have all of the settings that the following section lists. Several of
these settings apply to particular hardware that may not be present on all devices.

On the left side is a list of settings, including:

Require a password on wakeup. Use this setting to access the Define power buttons and turn on
password protection page. On this page, there is a Password protection on wakeup section that
allows you to ensure that when a computer resumes from a hibernated state, the screen is locked
until the user presents credentials. This setting is turned on, by default.

Choose what the power buttons do. Use this setting to access the Define power buttons and turn
on password protection page. Most devices have a power button, and additionally, many have a
sleep button. For mobile devices with both power and sleep buttons, both buttons include the On
battery and Plugged in columns with four choices: Do nothing, Hibernate, Sleep, and Shut down.
Some devices do not have a Sleep or Hibernate option. Certain devices also have a Shutdown
settings section on the Define Power buttons and turn on password protection page, which
includes check boxes for:

o Turn on fast startup. Allows the Windows operating system to save system information into a
file that it uses to start up when you reapply power.
o Sleep. Suspends power to the hard drive and display, but continues supplying power to the
processor and memory.

o Hibernate. Writes all activity in memory to a file and shuts down all power, but allows the file to
reanimate memory with the same values once you supply power.

o Lock. Locks the screen, and requires the user to reenter credentials before resuming operations.

Choose what closing the lid does. Use this setting to access the Define power buttons and turn
on password protection page, and drop-down list boxes for On Battery and Plugged in. You also
can select an option for Choose what closing the lid does, including Do nothing, Sleep,
Hibernate, and Shut down.
Create a power plan. When you click this setting, the Create a Power Plan Wizard appears, in which
you can select one of the three default power-plan options: Turn off the display, Put the computer
to sleep, and Adjust plan brightness. You can save one of these options to a custom name, and
then change the default plan settings on the wizard's Edit Plan Settings page. You select the Turn
off the display and Put the computer to sleep values from a drop-down menu that has options
from 1 minute to five hours, or never. You also can configure the Adjust plan brightness setting
from fully dim to the highest brightness setting by using its slider bar.

Choose when to turn off the display. Use this setting to access the Edit Plan Settings page, which
is identical to the one in the Create a Power Plan Wizard.

Change when the computer sleeps. This setting is identical to the Choose when to turn off the
display setting.

The Power Options screen also lists the default and custom power plans. When you click the Change plan
settings setting and access a particular power plan, the Change advanced power settings setting becomes
available. This setting opens the Power Options window, with a list of options that you can expand and
individually select. These options include settings for the battery, hard disk, graphics settings, multimedia
settings, and USB, which refers to universal serial bus.

Demonstration: Configuring Power Options


In this demonstration, you will see how to create and edit power plans.

Demonstration Steps
1. On LON-CL4, go to the Control Panel Power Options page.

2. Review all of the different plans and hyperlinks. Click the Show additional plans down arrow.
3. Create a new plan based on the High performance plan, and then name it Demo Plan. Adjust the
Turn off the display setting to Never, or if it is set to Never, set it to 5 hours.

4. Set the Turn off the Display setting to 4 hours. In the Change advanced power settings, Advanced
settings window, set the Wireless Adapter Settings to Medium power saving, and then save the
changes.

5. Close all windows, and then sign out.

Check Your Knowledge


Question

Which default power plan offers the greatest savings of electrical power?

Select the correct answer.

High Performance

Balanced

Power Saver

Economy

Lightning Speed

Check Your Knowledge


Question

There are a number of ways to make configuration changes to a Windows 10-based
computer. Which method allows you to make changes the most quickly?

Select the correct answer.

GPO

Settings app

Control Panel

Windows PowerShell

Preference

Lesson 3
Managing User Accounts
A user account is far more than just properties that relate to a user's security identity. It is the cornerstone
of identity and access in Windows.

In this lesson, you will learn about managing user accounts, which involves much more than just creating
and deleting them. User accounts have many attributes that you can use for a variety of purposes, such as
storing additional user contact information or application-specific information for Active Directory-aware
applications. Additionally, you can use a Microsoft account, which allows access to the Microsoft Store and
allows personal devices to share data and settings. You also will learn about Azure Active Directory (Azure
AD) accounts, and learn how to use an Azure AD account to authenticate on a Windows 10 device, even if you do
not add the device to Azure AD. Finally, you will learn when to use each type of user account.

Lesson Objectives
After completing this lesson, students will be able to:
Describe user accounts.

Describe how to use a Microsoft account.

Connect a Microsoft account.


Describe how to use an Azure AD account.

Explain when to use a Microsoft account.

What Is a User Account?


A user account is an object that contains all the
information that defines a user. The account can
be a local or a domain account. A user account
includes the user name and password and can
contain other organizational or infrastructure
information such as department, telephone
numbers, manager (which you use to browse
hierarchically through the organization), home
directory, and the location in which the user
profile is stored. Users can be members of groups.
Typically, groups have access to resources rather
than individuals. A user account also contains
many other settings that you can configure based on your organizational requirements. A user account
enables a user to sign in to computers and domains with an identity that the domain can authenticate.

With a user account, you can do the following:


Allow or deny users to sign in to a computer based on their user account identity.

Grant users access to processes and services for a specific security context.

Manage users' access to resources such as AD DS objects and their properties, shared folders, files,
directories, and printer queues.

To maximize security, you should avoid multiple users sharing one account. Instead, each user who signs in
to the network needs to have a unique user account and password.

When you create a user account, you must provide a user name. The preferred method to sign in to a
Windows 10-based computer that belongs to a business or organization is to use a domain account. For
a personally owned device, sign-in usually uses a Microsoft account, which the next topic covers. You can
still create a local user account, but the process is different in Windows 10. The following section details
those changes.

Creating a Local User Account


You can create a local user account for a family member only on a workgroup or standalone Windows 10
computer. To do so perform the following procedure:

1. Open the Settings app, and then click the Accounts category.
2. In the Accounts category, in the console tree, click the Family & other users node. If you are on an
AD DS joined Windows 10 computer, then the Family & other users node is named Other users instead.

Note: There are two main categories here: Your family or Other users. If you wish to
add a family member, click the Sign in with a Microsoft account hyperlink under the Family
category for that option. In the dialog box that appears, add their email address to create an
account, or create an email address in the Outlook.com domain by clicking The person I want
to add doesn't have an email address.

3. If you click The person I want to add doesn't have an email address, the Let's create an
account page opens, in which you can create an email account in Microsoft Outlook.

Note: If you are adding a child and creating an email address, you will be prompted to
enter the child's birthday. If you are using a Microsoft account while making the child's account,
and want to allow the child to go online to use Microsoft services, you will be charged 50 cents
(in U.S. dollars), as US law requires this for validation when creating a child account. The process of
creating an account for an adult family member is similar, but you do not have to pay for it.

Note: You cannot create an account on an AD DS joined computer if you are signed in
as the AD DS domain administrator. To accomplish the steps below on an AD DS joined
Windows 10 computer, you must sign out and then sign in by using credentials for an
account with local administrator permissions.

You can create a local user account without a Microsoft account on an AD DS joined or standalone Windows 10
computer by performing the following procedure:

1. Open the Settings app, and then click the Accounts category.

2. In the Accounts category, in the console tree, click the Family and other users node, if standalone
or workgroup, or, if AD DS joined, Other users.

3. Scroll down, and under Other users, click the plus sign for Add someone else to this PC. Another
window appears, asking for that person's email address or telephone number.

4. Enter the required information, or click the The person I want to add doesn't have an email
address hyperlink at the bottom of the window.

5. If you click the The person I want to add doesn't have an email address hyperlink, you have
the option to create an email account or continue without an account. To create an email account, on the
Let's create your account page, you can create an email address for the person in Outlook.com.

6. If you do not wish to create an email address, click the Add a user without a Microsoft account
hyperlink at the bottom of the page.

7. On the Create an account for this PC page, type the name, type the new password twice, and then
click Next to create the local account.

Using a Microsoft Account


A Microsoft account provides you with a unified
identity, which you can use for authenticating to
Microsoft and other cloud-based services. You can
use this account regardless of your location or the
organizations of which you are a member. Your
Microsoft account includes an email address and
a password that you use to sign in to different
services. You already have a Microsoft account if
you sign in to services such as OneDrive, Xbox
Live, Outlook.com, Hotmail, or Windows Phone.
This also applies to the legacy Windows Live ID
and Microsoft Passport sign-ins. Even if you
already have a Microsoft account, you can sign up for a new one.

Note: All Microsoft account credentials pass back to the Microsoft authentication server
through a Secure Sockets Layer (SSL) connection by using the HTTPS protocol.

Windows 10 is highly integrated with Microsoft account functionality. You can sign in to Windows 10
as a local or domain user, and you can sign in by using a Microsoft account if your computer has Internet
connectivity and the account is associated with a local or domain account. When you use a Microsoft
account, you can synchronize some Windows 10 settings between devices. You can control these settings
in the Accounts category in the Settings app. To access this category, click the Start icon, click Settings,
and then click the Accounts category icon. In Accounts, you can set your account picture and desktop
background, among other settings. If you do not have a Microsoft account, you can create one and an
Outlook.com email address at the same time. After you configure your Windows account the first time,
your settings will synchronize between every computer to which you sign in by using your Microsoft
account.

When you connect a Microsoft account with your local or domain account, you can access Microsoft
cloud services such as OneDrive, Mail, Calendar, People, and other personal apps. You can browse the
Windows Store even if you do not have a Microsoft account. However, if you want to download and
install an app from the Windows Store, you first must sign up for a Microsoft account.
To connect your Microsoft account with your domain account, go to the Settings app. On the Settings
page, click the Accounts category. In the console tree, click Your account. At the bottom of the details
pane, click the Add a work or school account hyperlink. A pop-up window appears with the message
Let's get you signed in, with text boxes for your work or school email address and password. Type your
email address and password, and then click Sign in.

Note: If your account is in a subdomain, change the email address to domain\username.


Small and medium-sized environments typically use a Microsoft account to provide users access to, and
integration with, public cloud services such as OneDrive. Enterprise environments typically implement
strict control and allow access only to company-owned resources. Typically, these environments use
integration with a Microsoft account less often.

Note: Your domain account or Group Policy settings might not allow you to connect a
Microsoft account or synchronize some settings.

You can disconnect your Microsoft account from your domain account at any time by going to the
Settings app, clicking Accounts, and then clicking Disconnect your Microsoft account.

Signing Up for a Microsoft Account


You also can use your Microsoft account to access Microsoft Intune, Microsoft Office 365, Windows Azure,
and other Microsoft cloud services. As noted above, you can create a Microsoft account in the Accounts
section of the Settings app. You also can create a new Microsoft account at Outlook.com, or you can use
an existing Microsoft account email address. To sign up for a Microsoft account at the Microsoft account
sign-up webpage, perform the following procedure:

1. Go to https://signup.live.com.

2. To use your own email address for your Microsoft account, enter it. If your email provider supports
Post Office Protocol version 3 (POP3), you can even manage your existing email account in Hotmail
or Outlook.com.

3. If you want to create a Hotmail or Outlook account, click the Get a new email address hyperlink,
and then fill in the new email name for your Microsoft account. A drop-down list lets you choose
between the Hotmail and Outlook.com domains. Press the Tab key to see whether the name you
entered is available. If it is not, try another email name, and repeat until the message account is
available appears.

4. Provide the rest of the information, and then read the Microsoft service agreement and the privacy
statement. If you agree to the terms, click I accept.
5. If you sign up by using an existing email address, you will need to verify it to prove that it is yours.

Demonstration: Connecting a Microsoft Account


In this demonstration, you will see how to connect an existing Microsoft account to a Windows device.

Demonstration Steps
1. In the Settings app, in the Accounts category, click the Other users node.

2. Click Add someone else to this PC, click the I don't have this person's sign-in information
hyperlink, and then create a Microsoft account with the following values:

o First name: Your first name + your last name's first letter (for example, KariT)

o Last name: 20697-1B

o Click the Get a new email address hyperlink, and in the New email text box, type Your first
name + last initial-20697-1B, and then press Tab.

Note: This should return a check mark with the statement Your first name + last initial-
20697-1B@outlook.com is available. If not, go back and add the second letter of your last
name to the email address (for example, KariTr). You may have to continue to add letters until
you create a name that is unique enough for the system to accept it.

Note: If you select another country/region instead of the United States, the birth text boxes
do not appear. This is expected behavior, and you do not need to enter a birth date in this scenario.

o Password: Pa$$w0rd

o Country/region: Select your country/region

o Birth month: January

o Birth day: 1

o Year: 1990

o Add security info, Phone number: 888-555-1212


3. Close all open windows, and then sign out.
4. Sign in to LON-CL1 with the password Pa$$w0rd, and then in the Start menu, click the Admin button at
the top, click Your first name + last initial-20697-1B@outlook.com, enter the password Pa$$w0rd,
and then press Enter.

5. Windows 10 then will create your profile.

6. At the Passwords are so yesterday page, click Skip this step.

7. Sign out of LON-CL1.

Using an Azure AD Account


During the initial Windows 10 setup, right after the installation process, a screen with the message
Who owns this PC? appears. You can choose from two options: Join a domain or Join Azure AD. If you
choose to join Azure AD, you sign in to your Azure AD account, and then follow the prompts to create a
personal identification number (PIN).

A text code sent to your mobile phone, or another verification option, such as email, will allow you to
verify your identity. Finally, you have to agree to accept the security policies enforced by your
organization.

However, in some cases, you may have joined a domain already; you might be using a device that your
organization owns, and are required to join the domain; or the device is already joined to the domain for
you. In these scenarios, Microsoft allows you to use AD DS and Azure AD together. When you connect the
two, users can automatically sign in to cloud-based services such as Office 365, Microsoft Intune, and the
Windows Store, even when signing in to their machines by using Active Directory accounts. This will mean
that users no longer need to remember additional account names or passwords.

Joining the Device to Azure AD


Scenarios in which you would join a device to Azure AD include a personal device in a Bring Your Own
Device (BYOD) setting, or a device such as a smartphone or a tablet that an organization issues to a user.
To join the device to Azure AD, perform the following procedure:

1. Open the Settings app, and in the System category, click the About section at the bottom of the
console tree.
2. Click Join Azure AD. You will use your Azure credentials to add the device.

3. Once you join Azure AD, you must restart your machine. After the restart, you or an administrator can
check your Azure AD to see if your device has joined the domain.
If you are already in a domain, you must first click the Disconnect from organization hyperlink in the
About item of the Settings app's System category, and then click the Join Azure AD hyperlink.
Disconnecting from the domain is not something the average user should do unless their administrator
directs them to do so.

Not Joining the Device to Azure AD


Traditional computing devices normally belong to a domain. As mentioned above, it is not necessary to
leave the domain to add the device to Azure AD. It is possible to link AD DS to Azure AD. This requires an
organization to subscribe to Azure and have Azure AD already set up to synchronize with the on-premises
AD DS. In this case, if the AD DS account is associated with a synchronized Azure AD account, Windows 10
can use Azure AD to authenticate the user for sign-in.

The user will enjoy the following benefits:

True SSO to cloud-based and on-premises resources from anywhere.

Roaming of settings across devices when users sign in with their corporate credentials.

Access to the organization's private catalog on the enterprise-ready Windows store.

Microsoft Passport, which reduces the risk of credential theft.

Note: Microsoft Passport is a new two-factor authentication method in Windows 10. It
includes biometrics, and replaces traditional password methods.

Discussion: When to Use a Microsoft Account


Join your instructor in a discussion about using a Microsoft account in Windows 10. The purpose is not to
determine a right or wrong answer, but for you to consider all the different aspects of a Microsoft
account. The discussion consists of the following questions:

When would you use a domain account?

Under what circumstances would you not be able to use a domain account on a Windows 10 device?

What is the benefit of using a Microsoft account?

The staff at a military base has a special computer that they use to encrypt orders. They want to install
Windows 10 on it. Due to security issues, the computer cannot connect to a network. What kind of
account should you use?

Contoso, Ltd. has a vigorous Office 365 and Azure cloud-service presence. They have tied in their on-
premises AD DS infrastructure with Azure AD. What might Contoso do to ensure that users do not
have to sign in to Windows 10 on one account, and then into Office 365 and Azure on another?
Question: When would you use a domain account?

Question: Under what circumstances would you not be able to use a domain account on a
Windows 10 device?

Question: What is the benefit of using a Microsoft account?


Question: The staff at a military base has a special computer that they use to encrypt orders.
They want to install Windows 10 on it. Due to security issues, it cannot be on a network.
What kind of account should you use?
Question: Contoso, Ltd. has a vigorous Office 365 and Azure cloud-service presence. They
have tied in their on-premises AD DS infrastructure with Azure AD. What might Contoso do
to ensure that users do not have to sign in to Windows 10 on one account, and then into
Office 365 and Azure on another?

Check Your Knowledge


Question

What type of account can become a Microsoft account?

Select the correct answer.

Xbox Live

Hotmail

Windows Live ID

Microsoft Passport

All of the above


Lesson 4
Using OneDrive
OneDrive, the free cloud storage service for every Microsoft account, integrates with Windows 10 to allow
you to access your files from any location by using a Windows device and an Internet connection. In this
lesson, you will see how OneDrive works, and how it integrates with Windows 10.

Lesson Objectives
After completing this lesson, students will be able to:

Describe OneDrive.
Explain how to enable OneDrive.

Synchronize settings with OneDrive.

What Is OneDrive?
OneDrive is the free cloud-based file service that is available to Microsoft account holders. The OneDrive
service is a consumer-oriented solution, which allows for 15 gigabytes (GB) of free cloud storage. You can
use OneDrive to save personal files in your private store or in your public store, so that you can share
files with anyone. OneDrive is designed for personal files and not as an enterprise solution. For corporate
organizations, Microsoft provides a different service named OneDrive for Business.

Note: You also can purchase more storage space by clicking the Buy more storage link in the
Storage space screen online in your OneDrive account.

Features
OneDrive offers many useful features, such as:

Integration with Windows 10 File Explorer. You can view OneDrive from File Explorer, and you can
save files directly to OneDrive from Office or any other app.

Microsoft Office Online. You can use Microsoft Office Online to view and edit documents that are
stored in OneDrive.

PDF and OpenDocument Format (ODF) support. You can view PDF and ODF documents that are
saved in OneDrive.
OneDrive: http://aka.ms/lv5n2s

Accessing OneDrive
There are several different methods and operating systems that you can use to access OneDrive. You can
access it from any currently supported Windows-based computer or Apple iOS device. You can use a web
browser to go directly to OneDrive at http://www.OneDrive.com, and you also can access OneDrive by
using File Explorer or by installing the OneDrive app to a Windows 10 computer.

OneDrive Privacy
The Microsoft Online Privacy Statement specifies the terms of use of the personal information that you
provide when you use OneDrive. Before you use Microsoft online services, you must read and understand
the privacy statement. The main points in the privacy statement include that Microsoft:

Collects personal information from you when you register, and may combine this information with
data that other companies and Microsoft services collect.

Tracks your interaction with Microsoft sites by using cookies and other technologies, to personalize
your online experience.

Does not share your personal information with third parties, but may provide this information to
companies that work on behalf of Microsoft.

Uses your personal information to provide services, such as personalized content and advertising, to
inform you about Microsoft products and services, and to invite you to complete surveys about
Microsoft services.

Terms of Service
The OneDrive terms of service specify how you and Microsoft can use the information you post on
OneDrive. Some of the main terms of service are:
Ownership of Content. You own content such as documents, videos, photos, and email that you
upload to the service's store. The same is true of content that you store on OneDrive, or transfer
through it. Microsoft does not claim ownership of your content, except for Microsoft material, such
as clip art, that Microsoft licenses to you, and that you may use in your content.
Access of Content. You can choose with whom you share your content. You can choose to not share
your content, to share your content publicly, or to choose other users with whom you want to share
your content. If you share your content with other users, they may use, reproduce, distribute, or
display your content for free.

Microsoft Use of Content. Microsoft may use, modify, adapt, save, reproduce, distribute, and display
your content to protect you, and to improve Microsoft services. In such cases, Microsoft protects your
privacy by taking necessary steps. Examples of such usage of your content include isolation of
information from content to prevent and protect you from spam and malware.
Removal of Content. Microsoft may ask you to remove content that is in violation of the anti-spam
policy, the Microsoft Code of Conduct, or your local law. Microsoft also may ask you to remove
content if it infringes on a third party's intellectual property. If you fail to comply, you might lose
access to your account, or Microsoft may cancel your account. In such cases, Microsoft may also
remove your content without asking you.

Enabling OneDrive
Before you can use OneDrive from the Windows 10 OneDrive tile, you must connect your domain or local
account with your Microsoft account. To begin the process, click the OneDrive item in the File Explorer
console tree. You then will receive a prompt to sign in with your Microsoft account or to create an
account if you do not have one.

If you want to configure your synchronization settings, you will need to connect OneDrive to your
Microsoft account by performing the following procedure:

1. From the taskbar, open File Explorer, and then click the OneDrive node.
2. In the Welcome to OneDrive Wizard, click Get started.

3. In the Sign in page, type your Microsoft account and password.

4. After you successfully sign in, in the Introducing your OneDrive folder page, you can apply the
default local folder location, which is C:\users\username\OneDrive. Alternatively, you can select
another location by clicking Change. However, if you accept the default location, simply click Next.

5. If you click Change, the Browse for folder window appears, where you can select a different location
from a file tree or create a new folder. After selecting the location, click OK, and then Next.
6. The Sync your OneDrive files to this PC page shows all your OneDrive folders, with a check box
next to each. You can leave the folder check boxes selected to sync them, or clear the folder check
boxes to skip syncing. The bottom of the window indicates how much free space you have remaining
on the local hard drive. After making your selections, click Next.

7. On the Fetch your files from anywhere page, click Done to sync your OneDrive contents to your
hard drive.
You can manage, share, and synchronize your OneDrive files and folders from the OneDrive node in File
Explorer. To do so, right-click any of the OneDrive folders in the node, and then click one of the following
options:

Share a OneDrive link. This option creates and saves a link in the Clipboard. To provide others with
instant access, you need to paste the link into an email, instant message, or document.

More OneDrive sharing options. This option opens the OneDrive webpage, which provides more
traditional OneDrive web-based sharing functionality.

View on OneDrive.com. This option opens the OneDrive.com web-based version of the folder that
you right-click within File Explorer.
Choose OneDrive folders to sync. This option opens the Sync your OneDrive files to this PC page
in the Getting started Wizard. Here, you can synchronize individual folders, or all folders.
Unlike the Windows 8 version of OneDrive, which synchronized with File Explorer, Windows 10 only allows
you to synchronize files in the root of OneDrive or an entire subfolder's contents.

Restricting Access to OneDrive


As an IT administrator, you might wish to prevent your users from accessing OneDrive from organizational
systems. You can accomplish this by using Group Policy. In the appropriate GPO, go to the Computer
Configuration\Policies\Administrative Templates\Windows Components\OneDrive node, and
enable the Prevent the usage of OneDrive for file storage policy setting. When this Group Policy
setting applies to the client system, if users try to start OneDrive, they will receive a notification that the
system administrator has blocked the use of OneDrive. If you need to block access to OneDrive for all
devices, including users' personal devices, you could create a URL block list on your organizational
firewall.
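As an added example, not part of the course material, the following PowerShell script lets an administrator verify on a client that the Group Policy setting above has actually taken effect, and apply the same setting locally on a machine that is outside the GPO's scope. It assumes the registry value that the OneDrive ADMX template writes for this setting, DisableFileSyncNGSC under HKLM\SOFTWARE\Policies\Microsoft\Windows\OneDrive; the function and variable names are the example's own.

```powershell
# Added example, not from the course: audit (and optionally enforce locally)
# the "Prevent the usage of OneDrive for file storage" policy setting.
# Assumption: the setting is backed by the DWORD value DisableFileSyncNGSC
# under the OneDrive policy key, as written by the OneDrive ADMX template.

$OneDrivePolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
$OneDrivePolicyName = 'DisableFileSyncNGSC'

function Get-OneDriveBlockState {
    # Report whether the policy value is present and set to 1 (blocked),
    # and whether a OneDrive sync client is still running for any user.
    $value = $null
    if (Test-Path -Path $OneDrivePolicyKey) {
        $item = Get-ItemProperty -Path $OneDrivePolicyKey -Name $OneDrivePolicyName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.$OneDrivePolicyName }
    }
    [PSCustomObject]@{
        PolicyValue     = $value
        Blocked         = ($value -eq 1)
        OneDriveRunning = [bool](Get-Process -Name 'OneDrive' -ErrorAction SilentlyContinue)
    }
}

function Set-OneDriveBlock {
    # Write the same value locally (requires an elevated session). Use this only
    # on machines outside the GPO's scope; domain-joined clients should receive
    # the setting through the GPO so that it stays centrally managed.
    param([Parameter(Mandatory)][bool]$Blocked)
    if (-not (Test-Path -Path $OneDrivePolicyKey)) {
        New-Item -Path $OneDrivePolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $OneDrivePolicyKey -Name $OneDrivePolicyName `
        -PropertyType DWord -Value ([int]$Blocked) -Force | Out-Null
    Get-OneDriveBlockState
}

# Usage: show the current state, then list the GPOs that applied to this
# computer so the setting can be traced back to the intended GPO.
Get-OneDriveBlockState | Format-List
gpresult /scope:computer /r
```

The policy only takes effect after the next Group Policy refresh, so on a freshly linked GPO run gpupdate /force before the audit. A value of 1 with OneDriveRunning still True usually means a client that started before the refresh; it is blocked at its next start. The registry check does not cover the firewall URL block list mentioned above, which applies to devices that never receive the GPO.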

Demonstration: Synchronizing Settings with OneDrive


In this demonstration, you will see how to configure synchronization of OneDrive between two
Windows 10-based computers.

Demonstration Steps
1. On LON-CL2, in the Start menu, click the Settings app, and in Accounts, select Other users, and
then click the Add someone else to this PC plus sign.
2. In the How will this person sign in? page, in the Email or phone text box, type Your first name +
last initial-20697-1B@outlook.com.

3. In the Start menu, select the Admin account, change it to Your first name + last initial-20697-
1B@outlook.com, and then enter your password. It may take a moment to build your profile.

4. If prompted to Set up a PIN, click Skip this step.

5. Open File Explorer, and then select the OneDrive node.

Note: It may take a few minutes before the OneDrive node appears for the first time.

6. In the OneDrive node, in the Documents folder, create a new text document named I was here.txt.
7. Open the document, type the line I was here on LON-CL2., and then save and close the file.

8. Return to LON-CL1. You should be signed in as Your first name + last initial-20697-
1B@outlook.com. Open File Explorer, and then select the OneDrive node.

9. Open the Documents folder under the OneDrive node. After a few moments (it can take up to five
minutes), the I was here.txt document should appear.

10. Add the following line to the document: Now I'm here on LON-CL1. Save and close the document.
Make note of the document's date and time.

11. Return to LON-CL2. In the Documents folder, under the OneDrive node, you should see that the
date and time of the I was here.txt document match the date and time that you noted on LON-CL1.
Open the document, and then confirm that both lines of text appear.

12. Close all open windows, and then sign out of all virtual machines.

When you finish the demonstration, revert the virtual machines to their initial state. To do this, perform
the following steps:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-CL1, 20697-1B-LON-CL2 and 20697-1B-LON-CL4.


5. Ensure that MSL-TMG1 continues to run for subsequent demonstrations.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can synchronize files individually in OneDrive subfolders.


Lab B: Synchronizing Settings with OneDrive


Scenario
Your users have a range of devices including some that run Windows 8. The users want to be able to
use the same Microsoft account to access all their devices. You must connect a Microsoft account to a
Windows 10 device.

You must enable and test the users' ability to synchronize their Windows 10 settings between their
devices. You have set up a test lab for this purpose.

Objectives
After completing this lab, you will have:

Connected a Microsoft account to a Windows 10 device.

Connected a Microsoft account to a second computer.

Synced their settings between those computers.

Lab Setup
Estimated Time: 40 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, MSL-TMG1, and 20697-1B-LON-CL2

User name: Adatum\Administrator
Password: Pa$$w0rd

LON-CL1
User name: LON-CL1\Admin
Password: Pa$$w0rd

LON-CL2
User name: LON-CL2\Admin
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:

1. On the host computer, start Hyper-V Manager.


2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials for 20697-1B-LON-CL1:


o User name: LON-CL1\Admin

o Password: Pa$$w0rd

5. Sign in by using the following credentials for 20697-1B-LON-CL2:

o User name: LON-CL2\Admin


o Password: Pa$$w0rd

If the MSL-TMG1 virtual machine is not running, then in Hyper-V Manager, click MSL-TMG1, and in
the Actions pane, click Start. You do not need to sign in on this virtual machine or 20697-1B-LON-DC1,
but ensure both are running at the Sign in screen before starting 20697-1B-LON-CL1 or
20697-1B-LON-CL2.

Exercise 1: Connecting a Microsoft Account


Scenario
You need to test how a Microsoft account works on Windows 10.

The main tasks for this exercise are as follows:

1. Connect your Microsoft account.

2. Perform verification.

3. Sign in to LON-CL2 with your Microsoft account.

4. Perform verification.

Task 1: Connect your Microsoft account


1. On LON-CL1, open the Settings app, and then in the Accounts category, click the Other users node.

2. Click Add someone else to this PC, click the I don't have this person's sign-in information
hyperlink, and then create a Microsoft account with the following values:

a. First name: Your first name + your last name's first letter (for example, KariT)
b. Last name: 20697-1B

c. Click the Get a new email address hyperlink, in the New email text box, type Your first name
+ last initial-20697-1B, and then press Tab.

Note: This should return a check mark with the statement Your first name + last initial-
20697-1B@outlook.com is available. If not, go back and add the second letter of your last
name to the email address (for example, KariTr). You may have to continue to add letters until
you reach a name that is unique enough for the system to accept it.

d. Password: Pa$$w0rd
e. Country/region: Select your country/region

f. Birth month: January

g. Birth day: 1
h. Year: 1990

i. Add security info, Phone number: 888-555-1212

3. If either the Passwords are so yesterday or Set up a PIN pages appear, click Skip this step.

4. Close all open windows, and then sign out.

Task 2: Perform verification


1. Sign in as Your first name + last initial-20697-1B@outlook.com, enter the password Pa$$w0rd. If
either the Passwords are so yesterday or Set up a PIN pages appear, click Skip this step.

2. On the Start menu, click the Mail tile.

3. On the Welcome page, click Get started.

4. On the Accounts page, click Ready to go.


5. In the Mail app, send yourself a test message.

6. If you encounter a message that states "Please sign in to your Outlook.com account", click sign in to
validate the account.

7. When the test message arrives, confirm it, close all open windows, and then sign out.

Task 3: Sign in to LON-CL2 with your Microsoft account


1. Switch to LON-CL2.

2. In the Start menu, click the Settings app, in Accounts, select Other users, and then click the Add
someone else to this PC plus sign.
3. In the How will this person sign in? page, in the Email or phone text box, type Your first name +
last initial-20697-1B@outlook.com.

4. In the Start menu, select the Admin account and change it to Your first name + last initial-20697-
1B@outlook.com, and then enter your password. It may take a moment to build your profile.

5. At the Set up a PIN page, click Skip this step.

6. In the Get your files here, there and everywhere page, click Next.
7. Close all open windows, and then sign out.

8. Sign in as Your first name + last initial-20697-1B@outlook.com.

Task 4: Perform verification


1. On LON-CL2, in the Start menu, click the Mail tile.
2. On the Welcome page, click Get started. Accept your account, and then click Ready to go.

3. Note that all your previous messages are there.

4. Open your test message, reply to it, and then send it back to yourself.
5. Close all open windows, and then sign out.

Results: After you complete this exercise, you will have successfully:

Connected your Microsoft account to a device.

Performed verification.

Signed in with your Microsoft account.

Exercise 2: Synchronizing Settings between Devices


Scenario
You need to further explore OneDrive in Windows 10, and how it can synchronize content across devices.
The main tasks for this exercise are as follows:

1. Enable sync on LON-CL2.

2. Sign in to LON-CL1 with your Microsoft account, and update the synchronized document.

Task 1: Enable sync on LON-CL2


1. On LON-CL2, sign in as Your first name + last initial-20697-1B@outlook.com, with the password
Pa$$w0rd.

2. Open File Explorer, and then click the OneDrive node.

Note: The OneDrive node in File Explorer may take several minutes to appear. Please wait
for it to appear before proceeding. If it takes longer than 15 minutes, sign out, and then sign
back in by using your Microsoft account.

3. In the OneDrive node, in the Documents folder, create a new text document named I was here.txt.

4. Open the document and type the line I was here on LON-CL2., and then save and close the file.

Task 2: Sign in to LON-CL1 with your Microsoft account, and update the
synchronized document
1. Return to LON-CL1, and sign in as Your first name + last initial-20697-1B@outlook.com, with the
password Pa$$w0rd, and then open the Documents folder under the OneDrive node. After a few
moments (it can take up to five minutes), the I was here.txt document should appear.

2. Add the following line to the document: Now I'm here on LON-CL1. Save and close the document,
and then make note of the document's date and time.

3. Return to LON-CL2. In the Documents folder, under the OneDrive node, you should see that the
date and time of the I was here.txt document match the date and time that you noted on LON-CL1.
Open the document, and then confirm that both lines of text appear.
4. Close all open windows, and then sign out of all virtual machines.

Results: After you complete this exercise, you will have successfully:

Enabled synchronization on both devices.


Signed in with your Microsoft account.

Prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.


4. Repeat steps 2 and 3 for 20697-1B-LON-CL1, 20697-1B-LON-CL2, and MSL-TMG1.

Module Review and Takeaways


Review Questions
Question: What happens to a Windows 10 tablet device when you remove the magnetically
attached keyboard?

Question: What is the difference between a child and adult family member Windows 10
account?

Tools

Tool: Settings app
Used to: Configure almost any Windows 10 setting.
Where to find it: In the Start menu. This tool is a part of the Windows 10 operating system.

Tool: Action Center
Used to: Quickly provide broad changes to the Windows 10 device, such as putting the device in Airplane
or Tablet mode or connecting to a Miracast capable device.
Where to find it: In the notification area on the taskbar, in the Notifications icon. This tool is a part of
the Windows 10 operating system.

Common Issues and Troubleshooting Tips


Common Issue Troubleshooting Tip

Cannot add or apply a Microsoft account.


Clicking Sign in with a Microsoft account
instead results in an error.

Cannot sync an offline file in OneDrive.


Module 4
Configuring Network Connectivity
Contents:
Module Overview 4-1
Lesson 1: Configuring IP Network Connectivity 4-2
Lesson 2: Implementing Name Resolution 4-17
Lesson 3: Implementing Wireless Network Connectivity 4-25
Lesson 4: Overview of Remote Access 4-29
Lab: Configuring Network Connectivity 4-33
Module Review and Takeaways 4-38

Module Overview
Configuring network connectivity is a common administrative task. In many organizations, it can account
for a significant percentage of overall administrative effort. Windows 10 includes several tools that enable
you to set up and troubleshoot both wired and wireless network connections more efficiently. To support
your organization's network infrastructure, it is important that you understand how to configure and
troubleshoot network connections.

Objectives
After completing this module, you will be able to:

Describe how to configure IP network connectivity.


Implement name resolution.

Implement wireless network connectivity.

Describe options for remote access in Windows 10.


Lesson 1
Configuring IP Network Connectivity
By default, Windows 10 implements both Internet Protocol version 4 (IPv4) and Internet Protocol
version 6 (IPv6). It is important that you understand the fundamentals of both IPv4 and IPv6, and
know how to configure them in Windows 10 within the context of your organization's network
infrastructure.

Lesson Objectives
After completing this lesson, you will be able to:

Describe IPv4.

Describe IPv4 subnets.

Explain the difference between public and private IPv4 addressing.


Implement automatic IPv4 address allocation.

Describe the tools available to configure network settings in Windows 10.

Describe the tools available to troubleshoot network connections.


Configure an IPv4 network connection.

Describe IPv6.

Explain IPv6 addressing.

Overview of IPv4 Settings


To configure network connectivity, you must be familiar with IPv4 addresses and how they work.
Communication between computers can happen only if they can identify each other on the network.
When you assign a unique IPv4 address to each networked computer, the IPv4 address identifies the
computer to the other computers on the network. That IPv4 address, combined with the subnet mask,
identifies the computer's location on the network, just as the combination of a number and a street
name identifies the location of a house.

Overview of connecting with another network host


In a typical situation, communication starts with a request to connect to another host by its computer
name. However, to communicate, the requesting host needs to know the media access control (MAC)
address of the receiving host's network interface. Conversely, the receiving host needs to know the
requesting host's MAC address. Once the requesting host discovers the MAC information, it caches
it locally. A MAC address is a hard-coded, unique identifier assigned to network interfaces by the
manufacturers of network adapters. Before the requesting host can find the receiving host's MAC
address, a number of steps occur.

The following is a high-level overview of these steps:

1. A host sends a request to connect to Server1. The name Server1 must be resolved to an IPv4 address.
You will learn about name resolution later in the module.

2. Once the sender knows the recipient's IPv4 address, it uses the subnet mask to determine whether the
IPv4 address is remote or on the local subnet.

3. If it is local, an Address Resolution Protocol (ARP) request is broadcast on the local subnet. If it is
remote, an ARP request is sent to the default gateway and then routed to the correct subnet.

4. The host that owns that IPv4 address will respond with its MAC address and a request for the sender's
MAC address.

5. Once the exchange of MAC addresses completes, IPv4 communication negotiation and the exchange
of IP data packets can occur.

Components of an IPv4 address

IPv4 uses 32-bit addresses. If you view an IPv4 address in its binary format, it has 32 binary digits, as the
following example shows:

11000000101010000000000111001000

IPv4 divides the address into four octets, as the following example shows:

11000000.10101000.00000001.11001000

To make IP addresses more readable, each octet of the binary address is typically shown in decimal form,
as the following example shows:

192.168.1.200

In conjunction with a subnet mask, the address identifies:

• The computer's unique identity, which is the host ID.

• The subnet on which the computer resides, which is the network ID.

This enables a networked computer to communicate with other networked computers in a routed
environment.

IPv4 address classes


The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes, and the number of
hosts in a network determines the required class of addresses. Class A through Class E are the names that
IANA has specified for IPv4 address classes.

Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses, whereas
you can use Class D for multicasting. Additionally, IANA reserves Class E for experimental use.

Defining Subnets
A subnet is a network segment. Single or multiple routers separate the subnet from the rest of the
network. When your Internet service provider (ISP) assigns a network to a Class A, B, or C address
range, you often must subdivide the range to match the network's physical layout. Subdividing
enables you to break a large network into smaller, logical subnets.

When you subdivide a network into subnets, you must create a unique ID for each subnet, which
you derive from the main network ID. To create subnets, you must allocate some of the bits in the
host ID to the network ID. By doing so, you can create more networks.

By using subnets, you can:

• Use a single Class A, B, or C network across multiple physical locations.

• Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.

• Overcome the limitations of current technologies, such as exceeding the maximum number of hosts
that each segment can have.

A subnet mask specifies which part of an IPv4 address is the network ID and which is the host ID. A subnet
mask has four octets, similar to an IPv4 address.

Simple IPv4 networks


In simple IPv4 networks, the subnet mask defines full octets as part of the network and host IDs. A 255
represents an octet that is part of the network ID, and a 0 represents an octet that is part of the host ID.
Class A, B, and C networks use default subnet masks. The following table lists the characteristics of each IP
address class.

Class   First octet   Default subnet mask   Number of networks   Number of hosts per network
A       1 to 127      255.0.0.0             126                  16,777,214
B       128 to 191    255.255.0.0           16,384               65,534
C       192 to 223    255.255.255.0         2,097,152            254

Complex IPv4 networks


In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might
subdivide one octet with some bits for the network ID and some for the host ID. When the boundary
between network ID and host ID does not fall on a full octet, this is classless addressing, or Classless
Interdomain Routing (CIDR): you use more or less than a whole octet for the network ID. This type of
subnetting uses a different notation, which the following example shows:

172.16.16.1/255.255.240.0

The following example shows the more common representation of classless IPv4 addressing:

172.16.16.1/20

The /20 represents how many leftmost subnet bits are set to 1 in the mask. This notation style is called
CIDR. This subnet mask in binary notation would look like this:

11111111.11111111.11110000.00000000

The first 20 bits are set to 1 and indicate the subnet ID, and the last 12 zero placeholders represent how
many bits are used to identify the host.

Configuring connectivity to other subnets


A default gateway is a device on a TCP/IP internetwork, usually a router, which forwards IP packets to
other subnets. A router connects groups of subnets to create an intranet. In an intranet, any given subnet
might have several routers that connect it to other local and remote subnets. You must configure one of
the routers as the default gateway for local hosts so that the local hosts can communicate with hosts on
remote networks.

When a host delivers an IPv4 packet, it performs an internal calculation by using the subnet mask to
determine whether the destination host is on the same network or on a remote network. If the destination
host is on the same network, the local host delivers the packet. If the destination host is on a different
network, the host transmits the packet to a router for delivery.

Note: The host determines the MAC address of the router for delivery, and the initiating
host addresses the router explicitly, at the media access layer.

When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults the
internal routing table to determine the appropriate router to ensure that the packet reaches the
destination subnet. If the routing table does not contain any routing information about the destination
subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway
contains the required routing information.

In most cases, you can use a Dynamic Host Configuration Protocol (DHCP) server to assign the default
gateway automatically to a DHCP client. This is more straightforward than manually assigning a default
gateway on each host.
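The following Windows PowerShell functions are an added example, not part of the course text. They perform the subnet-mask calculation described above for the text's 172.16.16.1/20 host: the /20 prefix is expanded to 255.255.240.0, each destination is ANDed with the mask, and a matching network ID means local delivery while a different one means the packet goes to the default gateway. The three destination addresses are constructed for the example.

```powershell
function ConvertTo-SubnetMask {
    # Turn a CIDR prefix length (the /20 in 172.16.16.1/20) into a dotted-decimal mask.
    param([ValidateRange(0, 32)][int]$PrefixLength)
    $octets = foreach ($i in 0..3) {
        # Number of mask bits that fall into this octet: 8, a partial count, or 0.
        $bitsInOctet = [Math]::Max(0, [Math]::Min(8, $PrefixLength - (8 * $i)))
        [int](256 - [Math]::Pow(2, 8 - $bitsInOctet))
    }
    return ($octets -join '.')
}

function Get-NetworkId {
    # AND each octet of the address with the mask; the surviving bits are the network ID.
    param([string]$IPAddress, [int]$PrefixLength)
    $ipBytes   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $maskBytes = (ConvertTo-SubnetMask -PrefixLength $PrefixLength).Split('.')
    $netBytes  = foreach ($i in 0..3) { ([int]$ipBytes[$i]) -band ([int]$maskBytes[$i]) }
    return ($netBytes -join '.')
}

function Test-LocalDestination {
    # Mirrors the sending host's decision: same network ID means deliver directly (ARP for the
    # destination's MAC); a different network ID means hand the packet to the default gateway.
    param([string]$SourceIP, [int]$PrefixLength, [string]$DestinationIP)
    $srcNet = Get-NetworkId -IPAddress $SourceIP -PrefixLength $PrefixLength
    $dstNet = Get-NetworkId -IPAddress $DestinationIP -PrefixLength $PrefixLength
    $delivery = if ($srcNet -eq $dstNet) { 'Local (ARP directly)' } else { 'Remote (via default gateway)' }
    [pscustomobject]@{
        Destination   = $DestinationIP
        SubnetMask    = ConvertTo-SubnetMask -PrefixLength $PrefixLength
        SourceNetwork = $srcNet
        DestNetwork   = $dstNet
        Delivery      = $delivery
    }
}

# Host 172.16.16.1 with the text's /20 mask (255.255.240.0); destination addresses are constructed.
# 172.16.31.200 shares network 172.16.16.0, while 172.16.32.5 and 172.16.15.9 fall outside it.
'172.16.31.200', '172.16.32.5', '172.16.15.9' |
    ForEach-Object { Test-LocalDestination -SourceIP '172.16.16.1' -PrefixLength 20 -DestinationIP $_ } |
    Format-Table -AutoSize
```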

Public and Private IP Addressing


Devices and hosts that connect directly to the
Internet require a public IPv4 address. However,
hosts and devices that do not connect directly to
the Internet do not require a public IPv4 address.

Public IPv4 addresses


Public IPv4 addresses, which IANA assigns, must
be unique. Usually, your ISP allocates to you one
or more public addresses from its address pool.
The number of addresses that your ISP allocates
to you depends upon how many devices and
hosts that you have to connect to the Internet.

Private IPv4 addresses


The pool of IPv4 addresses is becoming smaller, so IANA is reluctant to allocate superfluous IPv4
addresses. Technologies such as network address translation (NAT) enable administrators to use a
relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect
to remote hosts and services on the Internet.

IANA defines the following address ranges as private. Internet-based routers do not forward packets
originating from, or destined to, these ranges.

Class   Mask             Range
A       10.0.0.0/8       10.0.0.0 - 10.255.255.255
B       172.16.0.0/12    172.16.0.0 - 172.31.255.255
C       192.168.0.0/16   192.168.0.0 - 192.168.255.255

In today's network environments, it is most common for organizations to have one or more public,
routable IP addresses from an ISP assigned to the external interfaces of their firewall appliances.
Additionally, they use the designated private IP subnets internally.

Implementing Automatic IPv4 Addressing


It is important that you know how to assign static
IPv4 addresses manually and support devices that
use DHCP to assign IPv4 addresses dynamically.

Static configuration
You can configure static IPv4 configuration manually for each of your network's computers.
When you perform IPv4 configuration, you must configure the:

• IPv4 address

• Subnet mask

• Default gateway

• Domain Name System (DNS) server

Static configuration requires that you visit each computer and input the IPv4 configuration. This method
of computer management is time-consuming if your network has more than 10 to 12 computers.
Additionally, making a large number of manual configurations heightens the risk of mistakes.

DHCPv4
DHCPv4 enables you to assign IPv4 configurations automatically for a large number of computers without
having to assign each one individually. The DHCP service receives requests for IPv4 configuration from
computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 information
from scopes that you define for each of your network's subnets. The DHCP service identifies the subnet
from which the request originated, and assigns IP configuration from the relevant scope.

DHCP helps simplify the IP configuration process. However, keep in mind that if you use DHCP to assign
IPv4 information and the service is business-critical, you must:

• Include resilience in your DHCP service design so that the failure of a single server does not prevent
the service from functioning.

• Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole
network, and it can prevent communication.

IPv4 alternate configuration


If you use a laptop to connect to multiple networks, such as networks at work and at home, each
network might require a different IP configuration. Windows 10 supports the use of Automatic Private
IP Addressing (APIPA) and an alternate static IP address for this scenario.

When you configure Windows 10 devices to obtain IPv4 addresses from DHCP, use the Alternate
Configuration tab to control the behavior if a DHCP server is not available. By default, Windows 10
uses APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address
range. This enables you to use a DHCP server at work and the APIPA address range at home, without
reconfiguring IP settings. Additionally, this is useful for troubleshooting DHCP. If the computer has an
address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP
server.

Tools for Configuring Network Settings


You can configure network settings by using a
number of tools in Windows 10. The tool you
decide to use depends on your situation and
goals.

Network & Internet


To access the network settings, open Settings, and
then click Network & Internet. If you are using a
wired connection, tap Ethernet. If you are using a
wireless connection, tap WiFi.

Note: You can also access NETWORK & INTERNET by tapping the network icon in the notification area
and then tapping Network settings.

From within Ethernet or WiFi, you can:

• Change adapter options. You can configure the network adapter settings. A list of network adapters
displays, and you can then configure the properties for each, including:

o Internet Protocol Version 6 (TCP/IPv6). Enables you to manually configure the IPv6 settings for a
given adapter.

o Internet Protocol Version 4 (TCP/IPv4). Enables you to manually configure the IPv4 settings for a
given adapter.

• Change advanced sharing options. You can configure network discovery, file and print sharing, public
folder sharing, media streaming options, and the encryption level to use for file sharing connections.

• Launch the Network and Sharing Center. You can use this tool to configure most network settings.
You will learn more about it below.

• Enable and configure a homegroup. You can enable and configure homegroups, which are collections
of computers that you deploy on a home network and that share resources such as files and printers.
When your computer is part of a homegroup, you can share images, media files, documents, and
printer devices with others in your homegroup. Once you enable a homegroup, you can then define
which libraries you will share, such as Pictures, Documents, or Videos. You can enable a homegroup
only on network interfaces that are defined as part of a private network location profile. To provide
for basic security, you can enable a password on your homegroup.

Note: Although domain-joined computers cannot create homegroups, they can connect to
existing homegroups.

• Configure Internet options. You can configure the options your web browsers use.

• Configure Windows Firewall. You can launch the Windows Firewall tool and configure Windows
Firewall rules, notifications, and advanced settings.

Network and Sharing Center

This tool is largely the same as it is in Windows 8.1. It provides a clear view of the status for any wired or
wireless connection, and you can use it to create additional network connections by using a wizard-driven
interface. The Network and Sharing Center also provides links for accessing other network-related tools,
including:

• Change advanced sharing settings

• Internet Options

• Windows Firewall

• Network and Internet Troubleshooting Wizard

Network Setup Wizard

Windows 10 provides the Network Setup Wizard, a user-friendly interface that you can use to configure
network settings. Windows 10 recognizes any unconfigured network devices on the computer, and then
automates the process of adding and configuring them. The Network Setup Wizard also recognizes any
wireless networks in range of the computer, and then guides you through the process of configuring
them.

You can save network settings to a USB flash drive for use when configuring additional computers, which
makes that process quicker. You also can use the Network Setup Wizard to enable sharing across your
network for documents, photos, music, and other files.

Windows PowerShell
Although you can use the graphical tools previously described to perform all network configuration and
management tasks, sometimes it can be quicker to use command-line tools and scripts. Windows has
always provided the command prompt for certain network management tools. However, Windows
PowerShell provides a number of network-specific cmdlets that you can use to configure, manage, and
troubleshoot Windows network connections.

The following table lists some of the network-related Windows PowerShell cmdlets and their purposes.

Cmdlet                        Purpose
Get-NetIPAddress              Retrieves information about the IP address configuration.
Get-NetIPv4Protocol           Retrieves information about the IPv4 protocol configuration (the cmdlet
                              Get-NetIPv6Protocol returns the same information for the IPv6 protocol).
Get-NetIPInterface            Obtains a list of interfaces and their configurations. This does not include
                              the IPv4 configuration of the interface.
Set-NetIPAddress              Sets information about the IP address configuration.
Set-NetIPv4Protocol           Sets information about the IPv4 protocol configuration (the cmdlet
                              Set-NetIPv6Protocol sets the same information for the IPv6 protocol).
Set-NetIPInterface            Modifies IP interface properties.
Get-NetRoute                  Obtains the list of routes in the local routing table.
Test-Connection               Runs connectivity tests similar to those used by the Ping command. For
                              example, test-connection lon-dc1.
Resolve-DnsName               Provides a similar function to the NSLookup tool.
Get-NetConnectionProfile      Obtains the type of network (public, private, or domain) to which a
                              network adapter is connected.
Clear-DnsClientCache          Clears the client's resolver cache, similar to the IPConfig /flushdns
                              command.
Get-DnsClient                 Retrieves configuration details specific to the different network interfaces
                              on a specified computer.
Get-DnsClientCache            Retrieves the contents of the local DNS client cache, similar to the
                              IPConfig /displaydns command.
Get-DnsClientGlobalSetting    Retrieves global DNS client settings, such as the suffix search list.
Get-DnsClientServerAddress    Retrieves one or more DNS server IP addresses associated with the
                              interfaces on the computer.
Register-DnsClient            Registers all of the IP addresses on the computer onto the configured
                              DNS server.
Set-DnsClient                 Sets the interface-specific DNS client configurations on the computer.
Set-DnsClientGlobalSetting    Configures global DNS client settings, such as the suffix search list.
Set-DnsClientServerAddress    Configures one or more DNS server IP addresses associated with the
                              interfaces on the computer.

For example, to configure the IPv4 settings for a network connection by using Windows PowerShell, use
the following cmdlet:

Set-NetIPAddress -InterfaceAlias Wi-Fi -IPAddress 172.16.16.1
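The following function is an added example, not course code, that strings the cmdlets from the table above into a complete static IPv4 configuration and reads the result back. It reuses the text's 172.16.16.x addressing and /20 mask; the adapter alias Ethernet and the DNS server address 172.16.0.10 are assumptions. One caveat it encodes: Set-NetIPAddress changes an address that already exists, so a new address is added with New-NetIPAddress.

```powershell
function Set-StaticIPv4Configuration {
    # Run from an elevated Windows PowerShell session. Pass -WhatIf to preview without changing anything.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$InterfaceAlias = 'Ethernet',          # assumed adapter alias
        [string]$IPAddress      = '172.16.16.3',
        [int]$PrefixLength      = 20,                  # 255.255.240.0, as in the text's 172.16.16.1/20
        [string]$DefaultGateway = '172.16.16.1',
        [string[]]$DnsServers   = @('172.16.0.10')     # assumed DNS server address
    )
    if (-not $PSCmdlet.ShouldProcess($InterfaceAlias, "Set static IPv4 $IPAddress/$PrefixLength")) { return }

    # Static addressing requires DHCP to be off on the interface; otherwise a later lease overwrites it.
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled

    # Remove any DHCP- or APIPA-assigned IPv4 address and the existing default route first.
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    # New-NetIPAddress adds the address and default gateway; Set-NetIPAddress only modifies an existing one.
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress `
        -PrefixLength $PrefixLength -DefaultGateway $DefaultGateway | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers

    # Verify: address, prefix, gateway and DNS servers should all match what was requested.
    Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias
}

Set-StaticIPv4Configuration -WhatIf   # preview only; remove -WhatIf to apply the configuration
```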

Netsh
You can also use the Netsh command-line tool to configure network settings. For example, to configure
IPv4 by using Netsh, you can use the following command:

Netsh interface ipv4 set address name="Local Area Connection" source=static addr=172.16.16.3 mask=255.255.255.0 gateway=172.16.16.1

Note: Functionality in the Windows PowerShell network-related cmdlets has largely replaced Netsh.

Tools for Troubleshooting Network Connections

Windows 10 includes a number of tools that you can use to diagnose network problems, including:

• Event Viewer

• Windows Network Diagnostics

• IPConfig

• Ping

• Tracert

• NSLookup

• Pathping

• Windows PowerShell

• Microsoft Message Analyzer

Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an
error. IP conflicts are reflected in the system log and might prevent services from starting. When these
events occur, Windows records the event in an appropriate event log. You can use Event Viewer to read
the log. When you troubleshoot errors on Windows 10, you can view the events in the event logs to
determine the cause of the problem.

You can use Event Viewer to access the Application, Security, Setup, and System logs under the Windows
Logs node. When you select a log and then select an event, a preview pane under the event list contains
details of the specified event. To help diagnose network problems, look for errors or warnings related to
network services in the System log.

Windows Network Diagnostics


In the event of a Windows 10 networking problem, the Diagnose Connection Problems option helps
diagnose and repair the problem. Windows Network Diagnostics then presents a possible description
of the problem and a potential remedy. The solution may require manual intervention from the user.

IPConfig
The IPConfig command displays the current TCP/IP network configuration. Additionally, you can use
IPConfig to refresh DHCP and DNS settings. For example, you might need to flush the DNS cache. The
following table provides a brief description of some of the IPConfig command switches.

Command                Description
ipconfig /all          View detailed configuration information.
ipconfig /release      Release the leased configuration back to the DHCP server.
ipconfig /renew        Renew the leased configuration.
ipconfig /displaydns   View the DNS resolver cache entries.
ipconfig /flushdns     Purge the DNS resolver cache.
ipconfig /registerdns  Register/update the client's host name with the DNS server.

Ping
You use the Ping command to verify IP-level connectivity to another TCP/IP computer. This command
sends and receives Internet Control Message Protocol (ICMP) echo request messages, and displays the
receipt of corresponding echo reply messages. The Ping command is the primary TCP/IP command used
to troubleshoot connectivity.

Note: Firewalls might block the ICMP requests. As a result, you may receive false negatives
when using ping as a troubleshooting tool.

Tracert
The Tracert tool determines the path taken to a destination computer by sending ICMP echo requests.
The path displayed is the list of router interfaces between a source and a destination. This tool also
determines which router has failed, and what the latency, or speed, is. These results may not be accurate
if the router is busy, because the router will assign the packets a low priority.

Pathping
The Pathping command traces a route through the network in a manner similar to the Tracert tool.
However, Pathping provides more detailed statistics on the individual steps, or hops, through the
network. The command can provide greater detail because it sends 100 packets for each router, which
enables it to establish trends.

NSLookup
The NSLookup tool displays information that you can use to diagnose the DNS infrastructure. You can
use the tool to confirm connection to the DNS server, in addition to the existence of the required records.

Windows PowerShell
You can use Windows PowerShell to configure network connection settings. In addition to this, you can
use Windows PowerShell cmdlets for troubleshooting network settings.

Microsoft Message Analyzer


Microsoft Message Analyzer is a tool that captures network traffic and then displays and analyzes
information about that traffic. You can use Microsoft Message Analyzer to monitor live network traffic,
or import, aggregate, and analyze data from log and trace files. Microsoft Message Analyzer replaces
Network Monitor.

Demonstration: Configuring an IPv4 Connection

In this demonstration, you will see how to:

• View IPv4 configuration from a GUI.

• View IPv4 configuration from a command line.

• Test connectivity.

• Check Windows Firewall configuration.

• Reconfigure the IPv4 configuration.

Demonstration Steps
View IPv4 configuration from a GUI
1. Launch Network and Sharing Center.
2. View the TCP/IPv4 configuration.

View IPv4 configuration from a command line
1. Open Windows PowerShell, and run Get-NetIPAddress.
2. Run Get-NetIPv4Protocol.
3. Run netsh interface ipv4 show config. The current IPv4 configuration is displayed.
4. Run ipconfig /all.

Test connectivity
1. Run test-connection LON-DC1.
2. Run netstat -n. Observe the active connections to 172.16.0.10. Most connections to services are
transient. If no connections appear, create a connection.
3. Run netstat -n. Identify the services that LON-CL1 had connections to on LON-DC1.

Check Windows Firewall configuration
1. In Windows Firewall with Advanced Security, expand Monitoring, and then click Firewall. These are
the active firewall rules.
2. In Windows PowerShell, run netsh advfirewall firewall show rule name=all dir=in. Review the
results, which display all inbound rules.

Reconfigure the IPv4 configuration
1. By using Network and Sharing Center, modify the adapter's TCP/IPv4 configuration to enable
automatic IPv4 addressing.
2. Verify your configuration change from the command prompt by using Get-NetIPAddress.
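The following script is an added example, not the course's own demonstration script. It runs the command-line checks from the demonstration above as one triage pass and adds the APIPA test described under "IPv4 alternate configuration": an address in 169.254.0.0/16 on a DHCP-enabled interface means the client never reached a DHCP server. LON-DC1 and 172.16.0.10 are taken from the demonstration; the adapter alias Ethernet is an assumption.

```powershell
function Test-IPv4Connectivity {
    param(
        [string]$InterfaceAlias = 'Ethernet',      # assumed adapter alias
        [string]$TargetName     = 'LON-DC1',       # from the demonstration
        [string]$TargetAddress  = '172.16.0.10'    # from the demonstration
    )
    $result = [ordered]@{}

    # 1. Address check (Get-NetIPAddress / Get-NetIPInterface): APIPA on a DHCP interface means
    #    the DHCP server was unreachable, so look at DHCP before anything else.
    $addr = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object -First 1
    $result.IPv4Address   = $addr.IPAddress
    $result.ApipaAssigned = [bool]($addr.IPAddress -like '169.254.*')
    $result.DhcpEnabled   = (Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).Dhcp -eq 'Enabled'

    # 2. Default gateway (Get-NetRoute): without a 0.0.0.0/0 route only the local subnet is reachable.
    $gw = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Sort-Object RouteMetric | Select-Object -First 1
    $result.DefaultGateway   = $gw.NextHop
    $result.GatewayReachable = if ($gw) { Test-Connection -ComputerName $gw.NextHop -Count 1 -Quiet } else { $false }

    # 3. Name resolution and IP reachability are tested separately, so a DNS problem is not
    #    mistaken for a network problem. ICMP may be filtered by a firewall, so $false here is
    #    a hint, not proof, that the host is down.
    $result.NameResolves    = [bool](Resolve-DnsName -Name $TargetName -ErrorAction SilentlyContinue)
    $result.TargetReachable = Test-Connection -ComputerName $TargetAddress -Count 2 -Quiet

    # 4. Firewall: enabled inbound rules, the PowerShell counterpart of
    #    'netsh advfirewall firewall show rule name=all dir=in' from the demonstration.
    $result.EnabledInboundRules = @(Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue).Count

    [pscustomobject]$result
}

Test-IPv4Connectivity | Format-List
```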

Overview of IPv6 in Windows 10

Though most networks to which you connect Windows 10-based devices currently provide IPv4 support,
many also support IPv6. To connect computers that are running Windows 10 to IPv6-based networks, you
must understand the IPv6 addressing scheme and the differences between IPv4 and IPv6.

Benefits of IPv6
The IPv6 protocol provides the following benefits:

• Large address space. A 32-bit address space can have 2^32 or 4,294,967,296 possible addresses. IPv6
uses a 128-bit address space, which can have 2^128 or
340,282,366,920,938,463,463,374,607,431,768,211,456 (or 3.4x10^38 or 340 undecillion) possible
addresses.

• Hierarchical addressing and routing infrastructure. The IPv6 address space is more efficient for
routers, which means that even though there are many more addresses, routers can process data
much more efficiently because of address optimization.

• Stateless and stateful address configuration. IPv6 has autoconfiguration capability without DHCP,
and it can discover router information so that hosts can access the Internet. This is a stateless address
configuration. A stateful address configuration is when you use the DHCP version 6 (DHCPv6) protocol.
Stateful configuration has two additional configuration levels: one in which DHCP provides all the
information, including the IP address and configuration settings, and another in which DHCP provides
just configuration settings.

• Required support for Internet Protocol security (IPsec). The IPv6 standards require support for the
Authentication Header (AH) and encapsulating security payload (ESP) headers that IPsec defines.
Although IPsec does not define support for its specific authentication methods and cryptographic
algorithms, IPsec is defined from the start as the way to protect IPv6 packets.

Note: IPsec provides for authentication and, optionally, encryption for communications
between hosts.

• Restored end-to-end communication. The global addressing model for IPv6 traffic means that
translation between different types of addresses is not necessary, such as the translation done by
NAT devices for IPv4 traffic. This simplifies communication because you do not need to use NAT
devices for peer-to-peer applications, such as video conferencing.

• Prioritized delivery. IPv6 contains a field in the packet that lets network devices determine that
the packet processing should occur at a rate that you specify. This enables traffic prioritization. For
example, when you are streaming video traffic, it is critical that the packets arrive in a timely manner.
You can set this field to ensure that network devices determine that the packet delivery is time-
sensitive.

• Support for single-subnet environments. IPv6 has much better support of automatic configuration
and operation on networks consisting of a single subnet. You can use this to create temporary, ad
hoc networks through which you can connect and share information.

• Extensibility. The design of IPv6 enables you to extend it with less constraint than IPv4.

IPv6 in Windows 10
Windows 10 uses IPv6 by default. Windows 10 includes several features that support IPv6, as described
below.

Windows 10 dual stack

Windows 10 supports both IPv6 and IPv4 in a dual stack configuration. The dual IP stack helps reduce
maintenance costs by providing the following features:

• Shared transport and framing layer.

• Shared filtering for firewalls and IPsec.

• Consistent performance, security, and support for both IPv6 and IPv4.

When you connect to a new network that advertises IPv6 routability, Windows 10 tests IPv6 connectivity,
and it will only use IPv6 if IPv6 connectivity is actually functioning. Windows 10 also supports a
functionality called address sorting. This functionality helps the Windows 10 operating system determine
which protocol to use when applications that support both IPv4 and IPv6 addresses are configured for
both protocol stacks.

DirectAccess use of IPv6


DirectAccess enables remote users to access a corporate network anytime they have an Internet
connection, because it does not require a virtual private network (VPN). DirectAccess provides a flexible
corporate network infrastructure to help you remotely manage and update user PCs on and off a network.
DirectAccess makes the end-user experience of accessing corporate resources over an Internet connection
nearly indistinguishable from the experience of accessing these resources from a computer at work.
DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients.

Windows services can use IPv6


Windows 10 services such as file sharing and remote access use IPv6 features, such as IPsec. This includes
VPN Reconnect, which uses Internet Key Exchange version 2 (IKEv2), an authentication component of
IPv6.

The Windows 10 operating system supports remote troubleshooting capabilities such as Windows Remote
Assistance and Remote Desktop. Remote Desktop enables administrators to connect to multiple Windows
Server sessions for remote administration purposes. You can use IPv6 addresses to make remote desktop
connections. Windows Remote Assistance and Remote Desktop use the Remote Desktop Protocol to
enable users to access files on their office computers from other computers, such as their home
computers.

Overview of IPv6 Addressing


The most obvious, distinguishing feature of IPv6 is its use of much larger addresses. IPv4 addresses
are expressed in four groups of decimal numbers, such as 192.168.1.1. Each grouping of numbers
represents a binary octet. In binary, the preceding number is as follows:

11000000.10101000.00000001.00000001

(four octets = 32 bits)

The size of an address in IPv6 is four times larger than an IPv4 address. IPv6 addresses are
expressed in hexadecimal, as the following example shows:

2001:DB8::2F3B:2AA:FF:FE28:9C5A

This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve
hosts, meaning they will rarely type IPv6 addresses manually. The IPv6 address in hexadecimal also is
easier to convert to binary. This makes it simpler to work with subnets and calculate hosts and networks.

IPv6 address types


IPv6 address types are similar to IPv4 address types. The IPv6 address types are:

• Unicast. An IPv6 unicast address is equivalent to an IPv4 unicast address. You can use this address
type for one-to-one communication between hosts. Each IPv6 host has multiple unicast addresses.
There are three types of unicast addresses:

o Global unicast addresses. These are equivalent to public IPv4 addresses. They are globally
routable and reachable on the IPv6 portion of the Internet.

o Link-local addresses. Hosts use link-local addresses when communicating with neighboring hosts
on the same link. For example, on a single-link IPv6 network with no router, hosts communicate
by using link-local addresses. Link-local addresses are local-use unicast addresses with the
following properties:
 IPv6 link-local addresses are equivalent to IPv4 APIPA addresses.
 Link-local addresses always begin with FE80.

o Unique local unicast addresses. Unique local addresses provide an equivalent to the private IPv4
address space for organizations, without the overlap in address space when organizations
combine.

• Multicast. An IPv6 multicast is equivalent to an IPv4 multicast address. You use this address type for
one-to-many communication between computers that you define as using the same multicast
address.

• Anycast. An anycast address is an IPv6 unicast address that is assigned to multiple computers. When
IPv6 addresses communicate to an anycast address, only the closest host responds. You typically use
this address type for locating services or the nearest router.

In IPv4, you typically assign a single host with a single unicast address. However, in IPv6, you can assign
multiple unicast addresses to each host. To verify communication processes on a network, you must know
the purposes for which IPv6 uses each of these addresses.

Interface identifiers
The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4
address. Each interface on an IPv6 network must have a unique interface identifier. Because the interface
identifier is unique to each interface, IPv6 uses interface identifiers rather than MAC addresses to identify
hosts uniquely.
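As an added example (not part of the course material), the following Python script classifies addresses into the types listed above, extracts the 64-bit interface identifier, and shows how the older modified EUI-64 scheme built that identifier from a MAC address. The sample addresses are constructed; the ff:fe check is a quick audit of whether a host's addresses expose its MAC.

```python
import ipaddress

# Prefix ranges behind the address types described above (RFC 4291 and RFC 4193).
ADDRESS_TYPES = [
    ("link-local unicast", ipaddress.IPv6Network("fe80::/10")),   # always starts with FE80
    ("unique local unicast", ipaddress.IPv6Network("fc00::/7")),  # private-space equivalent
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("global unicast", ipaddress.IPv6Network("2000::/3")),        # public, Internet-routable
]


def classify(address):
    """Return the IPv6 address type for a textual address."""
    addr = ipaddress.IPv6Address(address)
    if addr == ipaddress.IPv6Address("::1"):
        return "loopback"
    for label, network in ADDRESS_TYPES:
        if addr in network:
            return label
    return "unspecified/reserved"


def interface_identifier(address):
    """Return the low 64 bits of the address (the interface identifier) as four hextets."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return ":".join(f"{(iid >> shift) & 0xFFFF:04x}" for shift in (48, 32, 16, 0))


def eui64_from_mac(mac):
    """Derive a modified EUI-64 interface identifier from a 48-bit MAC address:
    insert ff:fe between the two halves and flip the universal/local bit (0x02)
    of the first octet. This is the classic way an identifier was built from
    hardware, and it shows why the identifier, not the MAC, is what IPv6 uses."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address has exactly 6 octets")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


def embeds_mac(address):
    """True when the interface identifier carries the ff:fe marker of an EUI-64
    derived identifier, meaning the host's MAC address can be read back out of
    its IPv6 address. Windows 10 generates random interface identifiers by
    default, so a hit usually points at a non-Windows host or a changed setting."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    return ((iid >> 24) & 0xFFFF) == 0xFFFE


def describe(address):
    """One-call summary, handy when auditing an address inventory."""
    return {"type": classify(address),
            "interface_id": interface_identifier(address),
            "embeds_mac": embeds_mac(address)}


if __name__ == "__main__":
    # Constructed sample addresses; 2001:db8::/32 is the documentation prefix.
    for sample in ("fe80::215:5dff:fe01:203", "fd00:1::1", "ff02::1", "2001:db8::1"):
        print(sample, describe(sample))
    print("EUI-64 for 00-15-5D-01-02-03:", eui64_from_mac("00-15-5D-01-02-03"))
```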

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

Domain-joined computers cannot join homegroups.

Check Your Knowledge


Question

Which command would you use to obtain a new lease from a DHCP server?

Select the correct answer.

Ping

Tracert

Netsh

Ipconfig

NSLookup

Lesson 2
Implementing Name Resolution
Windows 10 devices communicate over a network by using names in place of IP addresses. Devices use
name resolution to find an IP address that corresponds to a name, such as a host name. This lesson
focuses on different types of computer names and the methods to resolve them.

Lesson Objectives
After completing this lesson, you will be able to:

Describe name resolution.


Describe DNS.

Explain how to troubleshoot name resolution.

Configure and test name resolution settings in Windows 10.

What Is Name Resolution?


Name resolution is the process of converting
computer names to IP addresses. Name resolution
is an essential part of computer networking
because it is easier for users to remember names
than abstract numbers, such as an IPv4 or IPv6
address. Windows 10 supports a number of
different methods for resolving computer names,
such as DNS, Windows Internet Name Service
(WINS), and local hosts or LMHOSTS resolution.

Computer names
A host name is a user-friendly name that is
associated with a host's IP address and identifies it
as a TCP/IP host. A host name can be no more than 255 characters in length, and must contain only
alphanumeric characters, periods, and hyphens. A host name is an alias or a fully qualified domain name
(FQDN).

Note: An alias is a single name associated with an IP address, and the host name combines
an alias with a domain name to create the FQDN.

The elements of the name include periods as separators. Applications use the structured FQDN on the
Internet.

An example of an FQDN is payroll.contoso.com.


A NetBIOS name is a nonhierarchical name that some older apps use. A 16-character NetBIOS name
identifies a NetBIOS resource on a network. A NetBIOS name represents a single computer or a group
of computers. NetBIOS uses the first 15 characters for a specific computer's name and the final sixteenth
character to identify a resource or service on that computer. An example of a NetBIOS name is
NYC-SVR2[20h].

Methods for resolving names


There are a number of ways in which apps resolve names to IP addresses. DNS is the Microsoft standard
for resolving host names to IP addresses. Apps also use DNS to do the following:

Locate domain controllers and global catalog servers. Apps use this functionality when you sign in to
Active Directory Domain Services (AD DS).

Resolve IP addresses to host names. Apps use this functionality when a log file contains only a host's
IP address.

Locate a mail server for email delivery. Apps use this functionality for the delivery of all Internet email.

When an app specifies a host name, TCP/IP uses the DNS resolver cache, DNS, and Link-Local Multicast
Name Resolution when it attempts to resolve the host name. The Hosts file is loaded into the DNS
resolver cache.

Note: If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution
methods when resolving single-label, unqualified host names.

Depending on the configuration, Windows 10 resolves host names by performing the following actions:

1. Checking whether the host name is the same as the local host name.

2. Searching the DNS resolver cache, which is populated from the local Hosts file.
3. Sending a DNS request to its configured DNS servers.

Note: Windows 10 can use Link-Local Multicast Name Resolution for networks that do not
have a DNS server.

Overview of DNS
DNS is a service that manages the resolution of
host names to IP addresses. Microsoft provides
a DNS Server role on Windows Server 2012 R2
that you can use to resolve host names in your
organization. Typically, you will deploy multiple
DNS servers in your organization to help improve
both the performance and the reliability of name
resolution.

Note: The Internet uses a single DNS namespace with multiple root servers. To participate in the
Internet DNS namespace, you must register a domain name with a DNS registrar. This ensures that no
two organizations attempt to use the same domain name.

Structure of DNS
The DNS namespace consists of a hierarchy of domains and subdomains. A DNS zone is a specific portion
of that namespace that resides on a DNS server in a zone file. DNS uses both forward and reverse lookup
zones to satisfy name resolution requests.

Forward lookup zones


Forward lookup zones are capable of hosting a number of different record types. The most common
record type in forward lookup zones is an A record, also known as a host record. This record is used
when resolving a host name to an IP address. Record types in forward lookup zones include:

A. A host record, the most common type of DNS record.

SRV. Service records are used to locate domain controllers and global catalog servers.

MX. Mail exchange records are used to locate the mail servers responsible for a domain.

CNAME. Canonical name records (CNAME records) resolve to another host name, also referred to as
an alias.

Reverse lookup zones


Reverse lookup zones contain PTR records. PTR records are used to resolve IP addresses to host names. An
organization typically has control over the reverse lookup zones for its internal network. However, some
PTR records for external IP addresses obtained from an ISP may be managed by the ISP.

How names are resolved with DNS


Resolving DNS names on the Internet involves an entire system of computers, not just a single server.
There are hundreds of servers on the Internet, called root servers, which manage the overall process of
DNS resolution. 13 FQDNs represent these servers. A list of these 13 FQDNs is preloaded on each DNS
server. When you register a domain name on the Internet, you are paying to become part of this system.
To understand how these servers work together to resolve a DNS name, see the following name resolution
process for the name www.microsoft.com:

1. A workstation queries the local DNS server for the IP address www.microsoft.com.

2. If the local DNS server does not have the information, it queries a root DNS server for the location of
the .com DNS servers.

3. The local DNS server queries a .com DNS server for the location of the microsoft.com DNS servers.
4. The local DNS server queries the microsoft.com DNS server for the IP address of www.microsoft.com.
5. The microsoft.com DNS server returns the IP address of www.microsoft.com to the local DNS server.

6. The local DNS server returns the result to the workstation.


Caching and forwarding can modify the name resolution process:

Caching. After a local DNS server resolves a DNS name, it caches the results for the period that the
Time to Live (TTL) value defines in the Start of Authority (SOA) record for the DNS zone. The default
TTL is one hour. Subsequent resolution requests for the DNS name receive the cached information.
Note that it is not the caching server that sets the TTL, but the authoritative DNS server that resolved
the name from its zone. When the TTL expires, the caching server must delete it. Subsequent requests
for the same name would require a new name resolution request to the authoritative server.

Forwarding. Instead of querying root servers, you can configure a DNS server to forward DNS
requests to another DNS server. For example, requests for all Internet names can be forwarded to a
DNS server at an ISP.
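The six-step walk, caching for the TTL, and forwarding, simulated in Python as an added example that is not part of the course. The delegation data and server addresses are constructed placeholders from the documentation ranges (the final record uses the one-hour default TTL mentioned above), and the clock is injectable so that TTL expiry can be shown without waiting.

```python
import time

# Constructed delegation data for the walk in the text (root -> .com -> microsoft.com).
# Server addresses and the final A record are placeholders, not real values.
ROOT_SERVERS = ["198.51.100.1"]
ZONES = {
    "198.51.100.1": {"com": {"NS": ["198.51.100.2"]}},             # root: where .com lives
    "198.51.100.2": {"microsoft.com": {"NS": ["198.51.100.3"]}},   # .com: where microsoft.com lives
    "198.51.100.3": {"www.microsoft.com": {"A": "203.0.113.10", "TTL": 3600}},  # authoritative
}


def ask(server, name):
    """One query to one server. Returns ('answer', ip, ttl) when the server is
    authoritative for the name, ('referral', servers) for the closest enclosing
    zone it knows about, or ('nxdomain',)."""
    zone = ZONES.get(server, {})
    if "A" in zone.get(name, {}):
        return "answer", zone[name]["A"], zone[name]["TTL"]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "NS" in zone.get(parent, {}):
            return "referral", zone[parent]["NS"]
    return ("nxdomain",)


class LocalDnsServer:
    """The 'local DNS server' of the six-step walk: answers from its cache while the
    TTL lasts, otherwise either walks the hierarchy from the root servers or, when a
    forwarder is configured, hands the whole query to that server instead."""

    def __init__(self, forwarder=None, clock=time.time):
        self.cache = {}          # name -> (ip, absolute expiry time)
        self.forwarder = forwarder
        self.clock = clock       # injectable so TTL expiry can be demonstrated
        self.steps = []          # trace of what the server did

    def lookup(self, name):
        """Return (ip, remaining ttl) or None when the name does not exist."""
        now = self.clock()
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            self.steps.append(f"cache hit for {name}")
            return cached[0], int(cached[1] - now)
        if self.forwarder is not None:
            self.steps.append(f"forwarding {name}")
            result = self.forwarder.lookup(name)
        else:
            result = self._walk(name)
        if result is not None:
            self.cache[name] = (result[0], now + result[1])   # honour the authoritative TTL
        return result

    def _walk(self, name):
        servers = list(ROOT_SERVERS)
        for _ in range(8):                                     # hop limit against referral loops
            reply = ask(servers[0], name)
            self.steps.append(f"asked {servers[0]} for {name}: {reply[0]}")
            if reply[0] == "answer":
                return reply[1], reply[2]
            if reply[0] != "referral":
                return None
            servers = list(reply[1])
        return None


if __name__ == "__main__":
    isp = LocalDnsServer()
    office = LocalDnsServer(forwarder=isp)
    print(office.lookup("www.microsoft.com"), office.steps, isp.steps)
    print(office.lookup("www.microsoft.com"), office.steps[-1])
```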

Troubleshooting Name Resolution


When you troubleshoot name resolution, you
must understand which name resolution methods
the computer is using, and in what order. As you
know, the operating system resolves host names
either by using a local text file named Hosts, or by
using DNS.

Note: Windows 10 appends the primary and connection-specific suffixes to all names that it is
resolving. If the name resolution is unsuccessful initially, Windows 10 applies parent suffixes of the
primary DNS suffix. For example, if the DNS resolver attempts to resolve the name LON-CL1, Windows 10
appends the .adatum.com suffix to attempt resolution. If that is unsuccessful, the operating system
appends .com to the name, and attempts to resolve it once again. You can configure this behavior from
the Advanced TCP/IP Settings page.
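The resolution order from the previous topic and the suffix appending in this note, modelled in Python as an added example that is not part of the course: parse_hosts reads a constructed Hosts file with the entries the lesson uses, candidate_names produces the names the resolver will try (a trailing period marks a fully qualified name; the min_labels stop for devolution is an assumption, since Windows makes that level configurable), and resolve walks the three steps. The DNS answers are a constructed dictionary, not real queries.

```python
import ipaddress

# Constructed Hosts file with the same entries the lesson adds (comments start with '#').
HOSTS_SAMPLE = """# constructed sample, not a real machine's file
127.0.0.1       localhost
172.16.0.10     intranet
172.16.0.51     LON-cl1.adatum.com
"""

# Constructed stand-in for the answers the configured DNS servers would return.
DNS_SAMPLE = {"lon-dc1.adatum.com": "172.16.0.10"}


def parse_hosts(hosts_text):
    """Build the name -> address table that the resolver cache is preloaded with.
    Format per line: address name [alias ...]; names are case-insensitive."""
    table = {}
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip rather than cache bad data
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), fields[0])
    return table


def candidate_names(name, primary_suffix, connection_suffixes=(), min_labels=1):
    """Names tried in order. A trailing period marks a fully qualified name that is
    used as-is; otherwise the primary suffix, connection-specific suffixes and then
    the parent suffixes of the primary suffix (devolution) are appended. min_labels
    is the assumed stop for devolution; 1 reproduces the .com step in the note."""
    if name.endswith("."):
        return [name.rstrip(".")]
    candidates = [name] if "." in name else []   # multi-label names are tried as given first
    suffixes = [primary_suffix, *connection_suffixes]
    labels = primary_suffix.split(".")
    for start in range(1, len(labels) - min_labels + 1):
        suffixes.append(".".join(labels[start:]))
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}"
        if fqdn not in candidates:
            candidates.append(fqdn)
    return candidates


def resolve(name, local_hostname, local_address, hosts_text, dns_records,
            primary_suffix, connection_suffixes=()):
    """Walk the three steps in the order Windows 10 uses: own host name, resolver
    cache (preloaded from Hosts), then one DNS query per candidate name.
    Returns (address, how); address is None when every step fails."""
    bare = name.rstrip(".").lower()
    if bare in (local_hostname.lower(), f"{local_hostname}.{primary_suffix}".lower()):
        return local_address, "local host name"
    cache = parse_hosts(hosts_text)
    candidates = candidate_names(name, primary_suffix, connection_suffixes)
    for candidate in [bare, *(c.lower() for c in candidates)]:
        if candidate in cache:
            return cache[candidate], f"resolver cache (Hosts) entry for {candidate}"
    for candidate in candidates:
        address = dns_records.get(candidate.lower())
        if address:
            return address, f"DNS answer for {candidate}"
    return None, "no answer for " + ", ".join(candidates)


if __name__ == "__main__":
    for target in ("LON-CL1", "intranet", "lon-dc1", "LON-cl1.adatum.com.", "nowhere"):
        print(target, resolve(target, "LON-CL1", "172.16.0.51", HOSTS_SAMPLE,
                              DNS_SAMPLE, "adatum.com"))
```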

The primary tools for troubleshooting host name resolution are IPConfig and NSLookup, and their
Windows PowerShell equivalents Get-NetIPAddress, Get-NetIPv4Protocol, and Resolve-dnsname.

Best Practice: Be sure to clear the DNS resolver cache between resolution attempts.

The process for troubleshooting name resolution


If you cannot connect to a remote host, and if you suspect a name resolution problem, you can
troubleshoot name resolution by using the following procedure:
1. Open an elevated command prompt, and then clear the DNS resolver cache by typing the following
command:

IPConfig /flushdns

Note: Alternately, you can use the Windows PowerShell cmdlet Clear-DnsClientCache.

2. Attempt to verify connectivity to a remote host by using its IP address. This helps you identify
whether the issue is due to name resolution. You can use the Ping command or the test-connection
Windows PowerShell cmdlet. If the Ping command succeeds with the IP address but fails by the host
name, the problem is with name resolution.

Note: Remember that the remote host must allow inbound ICMP echo packets through its
firewall for this test to be viable.

3. Attempt to verify connectivity to the remote host by its host name, by using the FQDN followed by a
period. For example, type the following command at the command prompt:

Test-connection LON-cl1.adatum.com.

Note: You can also use the ping command.

4. If the test is successful, the problem is likely unrelated to name resolution.

5. If the test is unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and then add
the appropriate entry to the end of the file. For example, add this line, and then save the file:

172.16.0.51 LON-cl1.adatum.com

6. Perform the test-by-host-name procedure again. Name resolution should now be successful.

7. Examine the DNS resolver cache to verify that the name resolved correctly. To examine the DNS
resolver cache, type the following command at a command prompt:

IPConfig /displaydns

Note: You can also use the Windows PowerShell cmdlet Get-DnsClientCache.

8. Remove the entry that you added to the Hosts file, and then clear the resolver cache once more.

At the command prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution:

NSLookup.exe -d2 LON-cl1.adatum.com. > filename.txt

The Windows PowerShell equivalent command is:

Resolve-dnsname lon-cl1.adatum.com. > filename.txt



Interpreting NSLookup output


You should understand how to interpret the NSLookup command output so that you can identify
whether the name resolution problem exists with the client computer's configuration, the name server,
or the configuration of records within the name server's zone database. In the first section of the following
output sample, the client resolver performs a reverse lookup to determine the DNS server host name.
You can view the query 10.0.16.172.in-addr.arpa, type = PTR, class = IN in the QUESTIONS section. The
returned result, name = LON-dc1.adatum.com, identifies the host name of the queried DNS server:

------------
SendRequest(), len 41
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
10.0.16.172.in-addr.arpa, type = PTR, class = IN
------------
------------
Got answer (73 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
10.0.16.172.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 10.0.16.172.in-addr.arpa
type = PTR, class = IN, dlen = 20
name = LON-dc1.adatum.com
ttl = 1200 (20 mins)
------------
Server: LON-dc1.adatum.com
Address: 172.16.0.10
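To make that triage mechanical, here is an added Python example (not from the course) that parses nslookup -d2 blocks like the sample above and names the failing stage from the troubleshooting procedure: no query sent (client configuration), query sent with no reply (name server), or a reply without the record (zone records). PAGE_SAMPLE is the sample from the text; NXDOMAIN_SAMPLE is a constructed failure case.

```python
import re

# The output sample from the text, kept verbatim (with the indentation nslookup prints).
PAGE_SAMPLE = """\
------------
SendRequest(), len 41
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        10.0.16.172.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (73 bytes):
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        10.0.16.172.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  10.0.16.172.in-addr.arpa
        type = PTR, class = IN, dlen = 20
        name = LON-dc1.adatum.com
        ttl = 1200 (20 mins)

------------
Server:  LON-dc1.adatum.com
Address:  172.16.0.10
"""

# Constructed failure case: the server replies, but the zone holds no such record.
NXDOMAIN_SAMPLE = """\
------------
SendRequest(), len 36
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
    QUESTIONS:
        lon-cl9.adatum.com, type = A, class = IN
------------
------------
Got answer (99 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        questions = 1,  answers = 0,  authority records = 1,  additional = 0
------------
"""


def parse_debug_output(text):
    """Split nslookup -d2 output into one dict per SendRequest()/Got answer block
    holding kind, rcode, the header counts and the records listed under ANSWERS."""
    blocks, block, section, record = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("----"):            # separator; trailing Server:/Address: lines are ignored
            block = None
        elif line.startswith(("SendRequest(", "Got answer")):
            block = {"kind": "request" if line[0] == "S" else "answer",
                     "rcode": None, "counts": {}, "answers": []}
            blocks.append(block)
            section, record = None, None
        elif block is None or not line:
            continue
        elif line.endswith(":") and line[:-1].isupper():   # HEADER:, QUESTIONS:, ANSWERS: ...
            section = line[:-1]
        elif section == "HEADER":
            if (m := re.search(r"rcode = (\w+)", line)):
                block["rcode"] = m.group(1)
            elif line.startswith("questions ="):
                block["counts"] = {k.strip(): int(v) for k, v in
                                   (pair.split("=") for pair in line.split(","))}
        elif section == "ANSWERS":
            if line.startswith("->"):
                record = {"owner": line[2:].strip()}
                block["answers"].append(record)
            elif record is not None:
                for pair in line.split(","):
                    key, _, value = pair.partition("=")
                    key = key.strip()
                    record[key] = int(value.split()[0]) if key == "ttl" else value.strip()
    return blocks


def triage(text):
    """Name the failing stage: client configuration (no query ever sent), the name
    server (query sent, no reply) or the zone records (reply without the record)."""
    blocks = parse_debug_output(text)
    answers = [b for b in blocks if b["kind"] == "answer"]
    if not any(b["kind"] == "request" for b in blocks):
        return "client configuration: the resolver never sent a query"
    if not answers:
        return "name server: query sent but no response received"
    last = answers[-1]
    if last["rcode"] != "NOERROR":
        return f"zone records: server replied rcode {last['rcode']}"
    if last["counts"].get("answers", 0) == 0:
        return "zone records: NOERROR but no answer records of the requested type"
    return "ok: " + ", ".join(f"{r['owner']} -> {r.get('name', r.get('internet address', '?'))}"
                              for r in last["answers"])
```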

Demonstration: Configuring and Testing Name Resolution


In this demonstration, you will see how to:
Verify the IPv4 configuration.

View and clear the name cache.

Test name resolution to LON-DC1.


Create a record in the Hosts file.

Test the new record.

Test name resolution.

Demonstration Steps

Verify the IPv4 configuration


On LON-CL1, using Network and Sharing Center, view the adapter's TCP/IPv4 configuration. Notice
that DHCP is enabled, and that the IP address of the DHCP server displays. Notice the DNS server
address.

View and clear the name cache


1. Open Windows PowerShell.

2. Run the following commands:


o ipconfig /displaydns

o Get-DnsClientCache

o ipconfig /flushdns
o Clear-DnsClientCache

o ipconfig /displaydns

Test name resolution to LON-DC1


At the Windows PowerShell command prompt, run the following commands:

o test-connection lon-dc1

o Get-DnsClientCache | fl

o ipconfig /displaydns

Create a record in the Hosts file


1. At the Windows PowerShell command prompt, run the following command: notepad
C:\windows\system32\drivers\etc\hosts.
2. Create a host record called 172.16.0.10 intranet, and then save the file.

Test the new record


1. At the Windows PowerShell command prompt, run test-connection intranet.
2. Run Get-DnsClientCache | fl.

3. View the intranet record in the cache.

Test name resolution


1. At the Windows PowerShell command prompt, run the following commands:

o nslookup LON-DC1
o Resolve-Dnsname LON-DC1 | fl

o nslookup -d1 LON-DC1 > file.txt

o notepad file.txt
2. Review the information, and then close Notepad.

Check Your Knowledge


Question

Which command(s) should you always use before starting to test name resolution?
Choose all that apply.

Select the correct answer.

Ipconfig /release

Ipconfig /flushdns

Clear-DnsClientCache

Purge-DnsClientCache

Lesson 3
Implementing Wireless Network Connectivity
An increasing number of devices use wireless connections as the primary method for accessing corporate
intranets and the Internet. Additionally, many users have come to expect a wireless infrastructure in a
corporate workplace. As a result, a good working knowledge of wireless connectivity is a requirement for
today's networking environment. This lesson discusses the various wireless standards and the
configuration and support of Windows 10 wireless clients.

Lesson Objectives
After completing this lesson, you will be able to:

Describe wireless technologies.


Configure wireless settings in Windows 10.

Discuss the considerations for implementing wireless networks within organizations.

Wireless Network Technologies


Wireless networking uses radio waves to connect
wireless devices to other network devices. Wireless
networks generally consist of wireless network
devices, access points (APs), and wireless bridges
that conform to 802.11x wireless standards.

Wireless network topologies


There are two types of wireless network
topologies:
Infrastructure. Infrastructure wireless networks
consist of wireless local area networks (LANs)
and cellular networks, and require the use of
a device, such as an AP, to allow communication between client wireless devices. You can manage
infrastructure wireless networks centrally.

Ad hoc. Ad hoc networks can connect wireless devices dynamically in a peer-to-peer configuration
without the use of any infrastructure devices.

802.11x wireless standards


The 802.11 standard has been evolving since 1997. There have been many improvements in transmission
speed and security of the 802.11 technology since then. A letter of the alphabet designates each new
standard, as the following table shows.

Specification Description

802.11a This is the first extension to the original 802.11 specification. It provides up to 54
megabits per second (Mbps) and operates in the 5 gigahertz (GHz) range. It is not
compatible with 802.11b.

802.11b This specification provides 11 Mbps and operates in the 2.4 GHz range.

802.11e This specification defines Quality of Service and multimedia support.

802.11g This specification is for transmission over short distances at speeds up to 54 Mbps. It is
backward-compatible with 802.11b, and operates in the 2.4 GHz range.

802.11n This specification adds multiple-input and multiple-output, thereby providing increased
data throughput at speeds up to 100 Mbps. It vastly improves speed over previous
specifications, and it supports both 2.4 GHz and 5 GHz ranges.

802.11ac This specification builds on 802.11n to attain data rates of 433 Mbps. 802.11ac operates
only in the 5 GHz frequency range.

Wireless security
Wireless security has been the biggest consideration by organizations planning a wireless implementation.
Because wireless traffic travels across open airwaves, it is susceptible to interception by attackers.
Therefore, organizations utilize several security technologies to address these concerns. Most Wi-Fi
devices support multiple security standards. The following table describes the current security methods
available for wireless networks.

Security method Description

Wired Equivalent Privacy (WEP) WEP is the oldest form of wireless security. Some devices support
different versions:
o WEP 64-bit key
o WEP 128-bit key
o WEP 256-bit key
The security issues surrounding WEP are well-documented, and you should avoid using WEP unless it
is the only alternative.

Wi-Fi Protected Access (WPA) Developed to replace WEP, WPA has two variations:
o WPA-Personal. WPA-Personal is for home and small business networks, and is easier to implement
than WPA-Enterprise. It involves providing a security password, and uses a technology called
Temporal Key Integrity Protocol. The password and the network Service Set Identifier (SSID)
generate constantly changing encryption keys for each wireless client.
o WPA-Enterprise. WPA-Enterprise is for corporate networks. It involves the use of a Remote
Authentication Dial-In User Service (RADIUS) server for authentication.

WPA2 This is an improved version of WPA that has become the Wi-Fi security standard. WPA2
employs Advanced Encryption Standard (AES), which employs larger encryption key sizes.

The security methods that a given wireless device supports depend on the vendor and the device's age.
All modern wireless devices should support WPA2.

Configuring Wi-Fi Settings


Windows 10 makes it very easy to connect to
and configure wireless network settings. Use the
following procedures to manage your wireless
network connections.

Connect to a wireless network


To connect to a wireless network:

1. Tap the network icon on the notification area to see a list of available wireless networks.
2. Tap the network of your choice.

3. Tap Connect.

4. When prompted, enter the security information required by the wireless hub to which you are
connecting your device, and then tap Next.

You are connected.

Configure wireless networks


To configure your wireless networks:

1. Open Network settings.


2. In NETWORK & INTERNET, on the WiFi page, tap Manage WiFi settings.

3. Choose options:

o Connect to suggested open hotspots.


o Connect to networks shared by my contacts.

o Select how you will share your networks with your contacts. Choose from:
Outlook.com
Skype
Facebook
4. At the bottom of the page, beneath Manage known networks, tap the network you wish
to manage.

5. Tap to Share or Forget the network.

Configure advanced wireless properties


From Network and Sharing Center, you can also configure advanced wireless properties:
In Network and Sharing Center, tap the name of your wireless network adapter on the right.

In the Wi-Fi Status dialog box, you can view the properties of your wireless connection.

Tap Wireless Properties to view additional information, including the security settings of the
connection.

Note: You can use Windows Server Group Policy Objects (GPOs) to configure wireless
profiles. This saves your users from having to configure their wireless connections manually.

Discussion: Considerations for Wireless Connectivity


Consider the following question, and be prepared
to discuss your answers with the class as directed
by your instructor.

Question: What are some considerations for enabling Wi-Fi access for your users?

Lesson 4
Overview of Remote Access
Windows 10 helps users improve their productivity, regardless of their location, or that of the data they
need. Windows 10 supports the use of either VPNs or DirectAccess to enable users to access their work
environments from anywhere they connect.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to use VPNs to connect to a remote network.


Explain how DirectAccess can help remote users connect.

Discuss the considerations of enabling remote access for your users.

Overview of VPNs
A VPN provides a point-to-point connection
between components of a private network,
through a public network such as the Internet.
Tunneling protocols enable a VPN client to
establish and maintain a connection to the
listening virtual port of a VPN server. To emulate
a point-to-point link, the data is encapsulated, or
wrapped, and prefixed with a header. This header
provides routing information that enables the
data to traverse the public network to reach its
endpoint.

To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted
on the public network are indecipherable without the encryption keys. Two types of VPN connections
exist:

Remote access. Remote access VPN connections enable users who are working at home, at customer
sites, or from public wireless access points to access a server that exists in your organization's private
network. They do so by using the infrastructure that a public network, such as the Internet, provides.
From the user's perspective, the VPN is a point-to-point connection between the computer (the VPN
client) and your organization's server. The exact infrastructure of the shared or public network is
irrelevant, because it logically appears as if the data is sent over a dedicated private link.

Site-to-site. Site-to-site VPN connections, which also are known as router-to-router VPN connections,
enable your organization to have routed connections between separate offices or with other
organizations over a public network, while maintaining secure communications.

Properties of VPN connections


VPN connections in Windows 10 can use:

Point-to-Point Tunneling Protocol (PPTP)


Layer Two Tunneling Protocol with IPsec (L2TP/IPsec)

Secure Socket Tunneling Protocol (SSTP)

Internet Key Exchange version 2 (IKEv2)



Note: An IKEv2 VPN provides resilience to the VPN client when the client either moves
from one wireless hotspot to another or switches from a wireless to a wired connection. This
ability is a requirement of VPN Reconnect.

All VPN connections, irrespective of tunneling protocol, share some common characteristics:

Encapsulation. With VPN technology, private data is encapsulated with a header that contains routing
information, which allows the data to traverse the transit network.
Authentication. Authentication ensures that the two communicating parties know with whom they
are communicating.

Data encryption. To ensure data confidentiality as the data traverses the shared or public transit
network, the sender encrypts the data and the receiver decrypts it. The encryption and decryption
processes depend on both the sender and the receiver using a common encryption key. Intercepted
packets sent along the VPN connection in the transit network will be unintelligible to anyone who
does not have the common encryption key.

Creating a VPN connection in Windows 10


To create a VPN connection in Windows 10, use the following procedure:
1. Tap the Network icon in the notification area, and then tap Network settings.

2. In NETWORK & INTERNET, tap the VPN tab.

3. Tap Add a VPN connection.


4. In the Add a VPN connection dialog box, in the VPN provider list, tap Windows (built-in).

5. In the Connection name box, enter a meaningful name, such as Office Network.

6. In the Server name or address box, type the FQDN of the server to which you want to connect. This
is usually the name of the VPN server.
7. In the VPN type list, select between Point to Point Tunneling Protocol (PPTP), Layer Two
Tunneling Protocol with IPsec (L2TP/IPsec), Secure Socket Tunneling Protocol (SSTP), and
IKEv2. This setting must match the setting and policies configured on your VPN server. If you are
unsure, tap Automatic.

8. In the Type of sign-in info list, select either User name and password, Smart card, or One-time
password. Again, this setting must match your VPN server policies.

9. In the User name (optional) box, type your user name, and then in the Password (optional) box,
type your password. Select the Remember my sign-in info check box, and then tap Save.
To manage your VPN connection, from within NETWORK & INTERNET, on the VPN tab, tap the VPN
connection, and then tap Advanced options. You can then reconfigure the VPN settings as needed.

Note: Your VPN connection will appear on the list of available networks when you tap the
network icon in the notification area.

Overview of DirectAccess
The DirectAccess feature in Windows 10 enables
seamless remote access to intranet resources
without first establishing a user-initiated VPN
connection. The DirectAccess feature also
ensures seamless connectivity to an application
infrastructure for internal users and remote users.

Unlike traditional VPNs that require user intervention to initiate a connection to an intranet,
DirectAccess enables any application that supports IPv6 on a client computer to have complete access
to intranet resources. DirectAccess also enables you to specify resources and client-side applications
that are restricted for remote access.

IPv6 in DirectAccess
DirectAccess uses IPv6 and IPsec when clients connect to internal resources. However, many organizations
do not have native IPv6 infrastructure. Therefore, DirectAccess uses transitioning tunneling technologies
and communication through IPv4-based Internet to connect IPv6 clients to IPv4 internal resources.
DirectAccess tunneling protocols include:

ISATAP. ISATAP enables DirectAccess clients to connect to the DirectAccess server over the IPv4
networks for intranet communication. By using ISATAP, an IPv4 network emulates a logical IPv6
subnet to other ISATAP hosts, where ISATAP hosts automatically tunnel to each other for IPv6
connectivity. ISATAP does not need changes on IPv4 routers because IPv6 packets are tunneled
within an IPv4 header. To use ISATAP, you have to configure DNS servers to answer ISATAP queries,
and enable IPv6 on network hosts.

6to4. 6to4 enables DirectAccess clients to connect to the DirectAccess server over IPv4-based
Internet. You can use 6to4 when clients have a public IP address. IPv6 packets are encapsulated in
an IPv4 header and sent over the 6to4 tunnel adapter to the DirectAccess server. You can use a GPO
to configure the 6to4 tunnel adapter for DirectAccess clients and the DirectAccess server.
Teredo. Teredo enables DirectAccess clients to connect to the DirectAccess server across the IPv4
Internet, when clients are located behind an IPv4 NAT device. Clients that have a private IPv4 address
use Teredo to encapsulate IPv6 packets in an IPv4 header and send them over IPv4-based Internet.
You can use a GPO to configure Teredo for DirectAccess clients and the DirectAccess server.
IP-HTTPS. IP-HTTPS enables DirectAccess clients to connect to the DirectAccess server over IPv4-
based Internet. Clients that are unable to connect to the DirectAccess server by using ISATAP, 6to4,
or Teredo use IP-HTTPS. You can use a GPO to configure IP-HTTPS for DirectAccess clients and the
DirectAccess server.
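As an added example (not part of the course or of DirectAccess itself), this Python function recognizes 6to4, Teredo and ISATAP addresses by their published layouts and recovers the IPv4 details they embed, which helps when reading DirectAccess client logs or firewall records. All sample addresses are constructed from documentation ranges.

```python
import ipaddress

SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")   # RFC 3056
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")      # RFC 4380
ISATAP_MARKER = 0x00005EFE                              # RFC 5214 interface id 0000:5efe:w.x.y.z


def _ipv4(value):
    return str(ipaddress.IPv4Address(value))


def decode_transition_address(address):
    """Identify the transition technology an IPv6 address belongs to and recover the
    IPv4 details embedded in it. Returns a dict whose 'technology' key is '6to4',
    'Teredo', 'ISATAP' or 'native'."""
    addr = ipaddress.IPv6Address(address)
    n = int(addr)
    if addr in SIXTOFOUR_PREFIX:
        # 2002:WWXX:YYZZ::/48 - the site's public IPv4 address sits in bits 16-47
        return {"technology": "6to4", "public_ipv4": _ipv4((n >> 80) & 0xFFFFFFFF)}
    if addr in TEREDO_PREFIX:
        # 2001:0000:<server IPv4>:<flags>:<port ^ 0xFFFF>:<client IPv4 ^ 0xFFFFFFFF>
        flags = (n >> 48) & 0xFFFF
        return {"technology": "Teredo",
                "server_ipv4": _ipv4((n >> 64) & 0xFFFFFFFF),
                "behind_cone_nat": bool(flags & 0x8000),
                "nat_mapped_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
                "public_ipv4": _ipv4((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)}
    iid = n & ((1 << 64) - 1)
    if ((iid >> 32) & 0xFDFFFFFF) == ISATAP_MARKER:
        # interface id ::0000:5efe:a.b.c.d (bit 0x0200 of the first hextet is set when
        # the embedded IPv4 address is public); the IPv4 address is the low 32 bits
        return {"technology": "ISATAP",
                "prefix": str(ipaddress.IPv6Network((n >> 64 << 64, 64))),
                "ipv4": _ipv4(iid & 0xFFFFFFFF)}
    return {"technology": "native"}


if __name__ == "__main__":
    # Constructed samples built from documentation address ranges.
    for sample in ("2002:c000:0201::1",
                   "2001:0:c633:6405:8000:63bf:34ff:8ef8",
                   "fe80::5efe:172.16.0.51",
                   "2001:db8::1"):
        print(sample, decode_transition_address(sample))
```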

Components of DirectAccess
To deploy and configure DirectAccess, your organization must support the following infrastructure
components:

DirectAccess server. The DirectAccess server can be any computer running Windows Server 2012 or
Windows Server 2012 R2 that you join to a domain, that accepts connections from DirectAccess
clients, and that establishes communication with intranet resources.

DirectAccess clients. A DirectAccess client can be any domain-joined computer that is running the
Enterprise edition of Windows 10, Windows 8.1, Windows 8, or Windows 7.

Network Location Server. A DirectAccess client uses the Network Location Server to determine its
location. If the client computer can securely connect to the Network Location Server by using HTTPS,
then the client computer assumes it is on the intranet, and the DirectAccess policies are not enforced.
If the client computer cannot contact the Network Location Server, the client assumes it is on the
Internet.

Internal resources. These are the server-based resources to which users want to connect.
An AD DS domain. You must deploy at least one AD DS domain running, at a minimum, Windows
Server 2003 domain functional level.

Group Policy. You need to use Group Policy for the centralized administration and deployment of
DirectAccess settings.

Public key infrastructure (PKI). This is optional for the internal network. It provides the security
infrastructure (in terms of certificates) for authentication in some configurations of DirectAccess.
DNS server. You use the DNS server to enable name resolution of the servers in the DirectAccess
topology.

Discussion: Considerations for Remote Access


Consider the following question, and be prepared
to discuss your answers with the class as directed
by your instructor.
Question: What are the considerations for
enabling remote access to your network?

Check Your Knowledge


Question

Which VPN tunneling protocol supports the VPN auto reconnect feature?

Select the correct answer.

PPTP

L2TP

SSTP

IKEv2

Lab: Configuring Network Connectivity


Scenario
Before delivering the first batch of Windows 10 devices to your users, you decide to test them on a secure
test network. You have installed a domain controller and deployed the DHCP and DNS Server roles within
the test environment. You must configure the IP network settings on your Windows 10 devices.

Objectives
After completing this lab, you will have:

Verified IPv4 settings.


Configured the IPv4 settings so that the device obtains an automatic IP configuration from a DHCP
server.

Verified the settings by testing name resolution.

Lab Setup
Estimated Time: 45 minutes

Virtual machines: 20697-1B-LON-DC1 and 20697-1B-LON-CL1


User name: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20697-1B-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:

o User name: Administrator


o Password: Pa$$w0rd

o Domain: Adatum

5. Repeat steps 2 through 4 for 20697-1B-LON-CL1.

Exercise 1: Verifying and Testing IPv4 Settings


Scenario
In this exercise, you will verify and test the initial network settings of a Windows 10 device.
The main tasks for this exercise are as follows:

1. Verify the IPv4 settings from Network and Sharing Center.

2. Verify the current IPv4 settings from the command line.


3. Test connectivity.

Task 1: Verify the IPv4 settings from Network and Sharing Center
1. Switch to LON-CL1.

2. Open Network and Sharing Center.

3. Open the Ethernet connection.

4. Click Details and record the following information:

o IPv4 Address

o IPv4 Subnet Mask

o IPv4 DNS Server

5. Click Properties, and then double-click Internet Protocol Version 4 (TCP/IPv4). You can configure
the IP address, subnet mask, default gateway, and DNS servers in this window.
6. Verify that the configuration matches what you just recorded.

7. Close all open windows without making modifications.

Task 2: Verify the current IPv4 settings from the command line
1. Open Windows PowerShell, and then run Get-NetIPAddress. The IPv4 address should match what
you recorded earlier.
2. Run netsh interface ipv4 show config. The current IPv4 configuration is displayed and should
match what you recorded earlier.

3. Run ipconfig /all. Again, the information should match what you recorded earlier.
4. Leave Windows PowerShell open.

Task 3: Test connectivity


1. In Windows PowerShell, run test-connection LON-DC1.
2. Run netstat -n. Observe the active connections to 172.16.0.10. Most connections to services are
transient. If no connections appear, create a connection. For example, map a network drive to
\\LON-DC1\NETLOGON.

3. Run netstat -n. Identify the services that LON-CL1 had connections to on LON-DC1.

Results: After completing this exercise, you will have successfully verified Internet Protocol version 4 (IPv4)
settings.

Exercise 2: Configuring Automatic IPv4 Settings


Scenario
It is necessary to assign IPv4 configurations for the Windows 10 devices by using DHCP. You will test this
in your computer lab.

The main tasks for this exercise are as follows:

1. Reconfigure the IPv4 settings.


2. Test connectivity.

3. View the impact on the DHCP server.



Task 1: Reconfigure the IPv4 settings


1. By using Network and Sharing Center, modify the adapter's TCP/IPv4 configuration to enable
automatic IPv4 addressing by selecting these two options:

o Obtain an IP address automatically


o Obtain DNS server address automatically

2. Verify your configuration change from the Windows PowerShell prompt by using ipconfig /all.

Task 2: Test connectivity


1. In Windows PowerShell, run test-connection LON-DC1.

2. Run netstat -n. Observe the active connections to 172.16.0.10. Most connections to services are
transient. If no connections appear, create a connection.

3. Run netstat -n. Identify the services that LON-CL1 had connections to on LON-DC1.

4. Close all open windows except Windows PowerShell.

Task 3: View the impact on the DHCP server


1. Switch to LON-DC1.

2. In Server Manager, open DHCP.


3. Expand lon-dc1.adatum.com, expand IPv4, expand Scope [172.16.0.0] Adatum, and then click
Address Leases.

4. In the details pane, you should see the address lease for your Windows 10 client.

Results: After completing this exercise, you will have successfully configured IPv4 settings to be assigned
automatically.
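The checks that Exercises 1 and 2 make by hand, collected into one function as an added example (this is not code from the course lab). It assumes the lab adapter is named Ethernet and that LON-DC1 at 172.16.0.10 is the DHCP and DNS server, as in the lab setup; Get-NetTCPConnection stands in for netstat -n.

```powershell
# Added example, not part of the course lab: verify the IPv4 configuration that Exercises 1
# and 2 ask you to record, check that it came from DHCP, and confirm reachability of LON-DC1.
function Test-LabIPv4Configuration {
    [CmdletBinding()]
    param(
        [string]$InterfaceAlias = 'Ethernet',        # lab adapter name (assumption)
        [string]$ExpectedDnsServer = '172.16.0.10',  # LON-DC1, the lab's DHCP and DNS server
        [string]$DomainController = 'LON-DC1'
    )

    # Same data as Get-NetIPAddress / ipconfig /all in Exercise 1; the lab adapter has one IPv4 address
    $ip = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
        Select-Object -First 1

    # The Dhcp property shows whether "Obtain an IP address automatically" is in effect (Exercise 2)
    $iface = Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $dns   = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses

    # 169.254.x.x means the client asked for a DHCP lease and received no answer (automatic private addressing)
    $isApipa = [bool]($ip.IPAddress -like '169.254.*')

    # Equivalent of test-connection LON-DC1
    $reachable = Test-Connection -ComputerName $DomainController -Count 2 -Quiet

    # Equivalent of netstat -n: which ports on LON-DC1 does this client currently talk to?
    $ports = Get-NetTCPConnection -RemoteAddress $ExpectedDnsServer -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty RemotePort -Unique | Sort-Object

    [pscustomobject]@{
        IPv4Address     = $ip.IPAddress
        PrefixLength    = $ip.PrefixLength
        AddressFromDhcp = ($iface.Dhcp -eq 'Enabled') -and ($ip.PrefixOrigin -eq 'Dhcp')
        IsApipa         = $isApipa
        DnsServers      = ($dns -join ', ')
        DnsServerOk     = ($dns -contains $ExpectedDnsServer)
        DcReachable     = $reachable
        DcRemotePorts   = ($ports -join ', ')
    }
}

Test-LabIPv4Configuration | Format-List
```

Run it once with the static configuration from Exercise 1 and again after Task 1 of Exercise 2; AddressFromDhcp should change from False to True while the address itself stays in the 172.16.0.0 scope.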

Exercise 3: Configuring and Testing Name Resolution


Scenario
Name resolution is a critical part of your network infrastructure. You must ensure that you have correctly
configured the Windows 10 devices for name resolution. Then you must test the name resolution process.

The main tasks for this exercise are as follows:

1. Verify current DNS settings on the client.

2. View and clear the DNS resolver cache.


3. Test name resolution.

4. Create and test a new record.

5. Troubleshoot name resolution.

Task 1: Verify current DNS settings on the client


1. On LON-CL1, by using Network and Sharing Center, view the adapter's TCP/IPv4 configuration.

2. Notice that DHCP is enabled, and that the IP address of the DHCP server displays. Notice the DNS
server address.

Task 2: View and clear the DNS resolver cache


1. Switch to Windows PowerShell.

2. Run the following commands:

o ipconfig /displaydns. This displays the current DNS resolver cache.

o Get-DnsClientCache. This displays the current DNS resolver cache.

o ipconfig /flushdns. This flushes the current DNS resolver cache.

o Clear-DnsClientCache. This flushes the current DNS resolver cache. It is not necessary to run this
in addition to the preceding command.

o ipconfig /displaydns. This verifies that you have no entries in the cache.

Task 3: Test name resolution


At the Windows PowerShell command prompt, run the following commands:
o test-connection lon-dc1

o Get-DnsClientCache | fl

o ipconfig /displaydns. This should display similar information to the preceding command.

Task 4: Create and test a new record


1. At the Windows PowerShell command prompt, run the following command: notepad
C:\windows\system32\drivers\etc\hosts

2. Create a host record 172.16.0.10 www, and then save the file.

3. At the Windows PowerShell command prompt, run test-connection www.


4. Run Get-DnsClientCache | fl.

5. View the www record in the cache.

Task 5: Troubleshoot name resolution


1. At the Windows PowerShell command prompt, run the following commands:
o nslookup LON-DC1

o Resolve-DnsName LON-DC1 | fl

o nslookup -d1 LON-DC1 > file.txt


o notepad file.txt

2. Review the information. Note that you must scroll to the section starting with "Got answer".

o What was the question that was asked of the DNS server?
o What was the response?

o How long will the record be cached?

o What is the FQDN for the primary name server?


3. Close Notepad and Windows PowerShell.

Results: After completing this exercise, you will have successfully verified your DNS settings and tested
name resolution.
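The hosts record created in Task 4 takes precedence over the DNS server's answer, which is exactly why an unexpected hosts entry is worth detecting. The following function audits the hosts file against the DNS server and reports each entry's cached TTL; it is an added example, not part of the course lab, and assumes LON-DC1 is the DNS server as in the lab.

```powershell
# Added example, not part of the course lab: compare every hosts-file entry with what the
# DNS server returns for the same name, so a local override (such as 172.16.0.10 www) stands out.
function Get-HostsFileOverride {
    [CmdletBinding()]
    param(
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string]$DnsServer = 'LON-DC1'   # lab DNS server (assumption)
    )

    # Parse "address name [alias ...]" lines; drop comments, blanks and non-IPv4 entries
    $entries = Get-Content -Path $HostsPath |
        ForEach-Object { ($_ -split '#')[0].Trim() } |
        Where-Object { $_ } |
        ForEach-Object {
            $fields = $_ -split '\s+'
            if ($fields.Count -lt 2 -or $fields[0] -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return }
            foreach ($name in $fields[1..($fields.Count - 1)]) {
                [pscustomobject]@{ Name = $name; HostsAddress = $fields[0] }
            }
        }

    foreach ($entry in $entries) {
        # Normal resolution consults the hosts file first (what test-connection www relied on in Task 4)
        $local = Resolve-DnsName -Name $entry.Name -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        # -NoHostsFile asks only the DNS server, bypassing the local override
        $remote = Resolve-DnsName -Name $entry.Name -Type A -NoHostsFile -Server $DnsServer -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        # Hosts records are preloaded into the resolver cache (Task 4, step 5); report the cached TTL
        $cached = Get-DnsClientCache -Name $entry.Name -ErrorAction SilentlyContinue | Select-Object -First 1

        [pscustomobject]@{
            Name          = $entry.Name
            HostsAddress  = $entry.HostsAddress
            ResolvedLocal = if ($local) { $local.IPAddress } else { '(none)' }
            DnsAnswer     = if ($remote) { $remote.IPAddress } else { '(no DNS record)' }
            Overrides     = (-not $remote) -or ($remote.IPAddress -ne $entry.HostsAddress)
            CacheTtl      = if ($cached) { $cached.TimeToLive } else { $null }
        }
    }
}

Get-HostsFileOverride | Format-Table -AutoSize
```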

Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-DC1.



Module Review and Takeaways


Review Questions
Question: You are troubleshooting a network-related problem. The IP address of the host
you are troubleshooting is 169.254.16.17. What is a possible cause of the problem?

Question: You are troubleshooting a network-related problem, and you suspect a name-
resolution issue. Before conducting tests, you want to purge the DNS resolver cache. How do
you do that?

Module 5
Managing Storage
Contents:
Module Overview 5-1

Lesson 1: Overview of Storage Options 5-2

Lesson 2: Managing Disks, Partitions, and Volumes 5-7


Lesson 3: Maintaining Disks and Volumes 5-19

Lesson 4: Managing Storage Spaces 5-28


Lab: Managing Storage 5-33
Module Review and Takeaways 5-38

Module Overview
The Windows 10 operating system simplifies common tasks for information technology (IT) professionals
who manage and deploy desktops and laptops, devices, or virtual environments. IT professionals can take
advantage of tools and capabilities similar to those that they use in Windows 7 and Windows 8.
Although most computers that run Windows 10 have a single physical disk configured as a single volume,
this might not always be the case. For example, there might be times when you want to run multiple
operating systems on a single computer, or you might want to have the paging file on a different volume.
Therefore, it is important that you understand how to create and manage simple, mirrored, spanned, and
striped volumes. Windows 10 provides the Storage Spaces feature, which enables you to simplify multiple
hard disk storage administration from within the operating system installed on a physical computer. In
addition to traditional storage, you can use Windows 10 to create and access virtual hard disks. Windows
10 also introduces the Storage Sense feature that provides an overview of what files are stored on your
computer and where to store different types of files by default. To help maintain and optimize file system
performance, you must be familiar with file system fragmentation and the tools that you can use to
defragment a volume. Additionally, a good understanding of disk quotas is helpful if you want to manage
available disk space for volumes on computers.

Objectives
After completing this module, you will be able to:

Explain the different storage options in Windows 10.


Manage disks, partitions, and volumes.

Maintain disks, partitions, and volumes.


Manage storage spaces.

Lesson 1
Overview of Storage Options
Although you can save files to the local hard disk in Windows 10, several additional storage options are
available. This lesson describes some of the different storage technologies, including different types of
server-based and cloud-based storage. You also can use the virtual hard disk feature in Windows 10 to
present a portion of a hard drive as an independent hard drive.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the different ways to access storage.

Explain the difference between network-attached storage (NAS) and storage area networks (SANs).

Describe how to use the cloud-based storage options available in Windows 10.

Local and Network Storage Options

Local hard disk


A locally attached hard disk is also known as direct-attached storage (DAS). Depending on the hard disk type and the type of hard disk controller, you might get varying performance from the local hard disk. Solid-state drives (SSDs), which use flash card technology, are the fastest hard disks, but they are more expensive than older technologies. SSDs also often have a smaller capacity than conventional hard disk drives. At the time of writing this content, the largest hard disk drive available is 8 terabytes (TB), while the largest SSD available is 2 TB. All tablets use some kind of flash card technology; they use SSDs when they require more capacity for local storage.

Depending on the hard disk controller installed in your computer, you might need to acquire a driver for
the hard disk before you can install Windows 10.

Advantages of using local hard disks include:

Availability. The local hard disk is always available, including in situations where there is no network
connectivity.

Performance. Only a single user uses the local hard disk. In addition, the bandwidth of your network
connection does not limit you.

Disadvantages of using local hard disks include:

Backup. You will not automatically have a backup of your data.

Physical failures. If your local hard disk fails, you will not be able to start your computer.

Virtual hard disk


Windows 10 fully supports virtual hard disks. The virtual hard disk (.vhd or .vhdx) file format specifies a
virtual hard disk encapsulated in a single file. It is capable of hosting native file systems and supporting
standard disk operations.

Virtual hard disks are an integral part of virtual machine environments such as Client Hyper-V. You can
use virtual hard disks for several purposes and in any scenario where you might use a physical hard disk.
If you plan to use a virtual hard disk in place of a physical disk, consider the following advantages and
disadvantages.

Advantages of using virtual hard disks include:

Portability. Virtual hard disk files might be easier to move between systems, particularly when you use
shared storage.

Backup. A .vhd file represents a single file for backup purposes.


Disadvantages of using virtual hard disks include:

Performance. In high I/O scenarios, the additional overhead of using a virtual hard disk can affect
performance.
Physical failures. A .vhd file does not protect against cluster failure on the underlying physical disks.

Supporting virtual disk formats


Windows 10 supports both the .vhd and .vhdx virtual disk formats. The .vhdx format has a metadata
structure that reduces data corruption and improves alignment on large sector disks. Virtual hard disks in
the .vhd format are limited to 2 TB of storage, whereas the newer .vhdx format is suitable for virtual disks
up to a supported maximum size of 64 TB.

Server-based storage
Using Windows Server 2012 R2 as a file server gives you central access to your files. Although the file
server contains local storage, larger organizations will often acquire separate storage systems optimized
for performance and security. You connect these separate storage systems, such as a NAS or a SAN, to
the server; you will learn about them later in this module. Windows Server 2012 R2 adds functionality,
such as Work Folders, offline files, and failover clustering, that makes it suitable as a file server for small,
medium, and large enterprises.

Advantages of using server-based storage include:

Redundancy. Because most server-based storage protects data by using redundant disk systems, you
will not suffer data loss due to the failure of a single hard disk.

Backup. Automatic backup is in place for most server-based storage.

Performance. Server-based storage is often faster than local hard disks because it uses faster disks,
which you configure in a performance-optimized way.

Disadvantages of using server-based storage include:

Availability. You need a network connection to access server-based storage. If you are outside your
company's network, you might not be able to access the storage remotely, unless you use some kind
of caching technique, such as offline files.

Performance. You can experience bottlenecks in both network connectivity and access to server-
based storage because many users are accessing the same storage simultaneously.

Network Storage Options


There are two types of external storage systems: NAS and SAN. You use NAS for both client-based and server-based computing, whereas you most often use SAN for server-based computing and then make it accessible to users. Although Windows 10 includes the iSCSI initiator that allows you to connect to SANs, you usually use SANs in server-based computing.

NAS
NAS is storage that resides in a dedicated storage device and that you access over the network. Unlike DAS, NAS is not directly attached to a computer or server; users reach it across the network. NAS has two distinct solutions: a low-end appliance (NAS only), and an enterprise-class NAS that integrates with SAN.

Each NAS device has a dedicated operating system that controls access to the data on the device, which
reduces the overhead associated with sharing the storage device with other server services. An example of
NAS software is Windows Storage Server, a special edition of Windows Server 2012 R2.
NAS devices typically provide file-level access to the storage, which means that you can access the data
on the storage only as files. You must use protocols such as Common Internet File System (CIFS), Server
Message Block (SMB), or network file system (NFS) to access the files.
To enable NAS storage, you need a storage device. Frequently, these devices do not have any server
interfaces such as keyboards, mice, and monitors. To configure the device, you need to provide a network
configuration, and then access the device across the network. You can then create network shares on the
device by using the name of the NAS and the share created. The network's users can then access these
shares.

SAN
SAN is a high-speed network that connects computer systems or host servers to high-performance
storage subsystems. A SAN usually includes various components such as host bus adapters (HBAs), special
switches to help route traffic, and storage disk arrays with logical unit numbers (LUNs) for storage.

A SAN enables multiple servers to access a pool of storage in which any server can potentially access any
storage unit. Because a SAN is a network, you can use a SAN to connect many different devices and hosts
and provide access to any connected device from anywhere.

SANs provide block-level access. This means that, rather than accessing the content on the disks as files by
using a file access protocol, SANs write blocks of data directly to the disks by using protocols such as Fibre
Channel over Ethernet or Internet Small Computer System Interface (iSCSI).

Today, most SAN solutions offer SAN and NAS together. The backend head units, disks, and technologies
are identical, and only the access method differs. Enterprises often provision block storage from the SAN
to the servers by using Fibre Channel over Ethernet or iSCSI. NAS services use the CIFS and NFS protocols.
If you want to use a SAN, Windows 10 supports the iSCSI protocol with the iSCSI initiator.

Cloud-Based Storage
Cloud storage simplifies access to your files as long as you have Internet access. When you sign in with your Microsoft account, you can access all the files on your Microsoft OneDrive. Microsoft also offers enterprise cloud storage with Microsoft Azure Storage. Cloud storage provides several benefits:

Easy access anywhere to data such as photos, music, and documents.

Automatic backup of important files.

Synchronizing favorites and other settings across devices.

Microsoft OneDrive
OneDrive is free online storage that your Microsoft account provides. It is like an extra hard drive that is
available from any of the devices you use. When you create your Microsoft account, you get 15 gigabytes
(GB) of storage with options to get more storage space. You no longer need to email files to yourself
or carry around a USB flash drive that you might easily misplace. Instead, you can access your files on
OneDrive irrespective of whether you are on your laptop working on a presentation, on your new tablet
viewing photos from your last family vacation, or on your phone reviewing your shopping list.
Getting started with OneDrive is easy. You can add files already on your PC to OneDrive by either copying
them over or moving them from your PC. When you save new files, you can choose to save them to
OneDrive so that you can access them from any device and share them with other people. From devices
with a built-in camera, you can automatically save copies of the photos in your camera roll to OneDrive,
so you will always have a backup.

You can access OneDrive natively from Windows 8 and Windows 10 or you can access it through a
browser at onedrive.com to access additional enabled features, such as sharing and accessing files on
your devices remotely.

Changes to OneDrive in Windows 10


Windows 8.1 introduced online-only or smart files in OneDrive. The file content stays in OneDrive, so
smart files take up little of your local disk space. When you open an online-only file, Windows downloads
the content automatically.

Windows 10 does not support smart files. Instead, the selective sync feature in Windows 10 allows you to
choose which files and folders you want available for offline access. This change is due to the increased
storage available in OneDrive. Because some customers have unlimited space on their OneDrive, the
placeholders and index that smart files require take up a significant amount of local storage, which might
not be available on devices with limited local storage, such as tablets.

Azure Storage
Microsoft Azure Storage is a cloud storage solution that developers and IT professionals use to build
applications. Azure Storage saves data in the cloud. You can access Azure Storage by using any type of
device and by using any type of application, from the smallest app to applications with terabytes of data.

Azure Storage can handle four types of storage:

Blob storage stores any type of text or binary data. This includes documents and media files.

Table storage stores structured datasets. Table storage is a NoSQL key-attribute data store.

Queue storage provides messaging for workflows. Communication between different components of
cloud services is also one of the uses of queue storage.
File storage uses the standard SMB protocol. Azure virtual machines and cloud services can share file
data with file storage. On-premises applications can also access file data in a share via file storage.

Check Your Knowledge


Question

What are the advantages of using virtual hard disks? (Select all that apply)

Select the correct answer.

Backup

Performance

Portability

Availability

Physical failures

Check Your Knowledge


Question

Which features do you get with Microsoft OneDrive in Windows 10? (Select all that
apply)

Select the correct answer.

15 GB free storage

Synchronization of selected folders

Automatic synchronization of all folders

Built-in universal app

Need to install app to get OneDrive integration



Lesson 2
Managing Disks, Partitions, and Volumes
Before you can use a disk in Windows 10, you must prepare it for use. You must first partition the disk by
using the master boot record (MBR) partitioning scheme or the globally unique identifier (GUID) partition
table-partitioning scheme. After partitioning the disk, you must create and format one or more volumes
before an operating system can use the disk.

You can use disk management tools to perform disk-related tasks, such as creating and formatting
partitions and volumes, assigning drive letters, and resizing disks.

Lesson Objectives
After completing this lesson, you will be able to:

Compare MBR and GUID partition table (GPT) disks.


Describe how to convert a basic disk to a dynamic disk.

Describe the tools available for managing disks.


Describe a simple volume.

Describe mirrored, spanned, and striped volumes.

Create volumes.
Manage volumes.
Resize a volume.

MBR and GPT

MBR disks
The MBR contains the partition table for a disk and a small amount of executable code called the master boot code. Partitioning a disk creates the MBR automatically on the first sector of the hard disk. The MBR contains a four-entry partition table that describes the size and location of each disk partition by using 32-bit logical block addressing (LBA) fields. Most Windows 10 editions, such as the 32-bit and 64-bit versions that run on motherboards with BIOS firmware, require an MBR-partitioned system disk, so they cannot boot from a larger-capacity disk that needs GPT partitioning. Newer motherboards enabled with Unified Extensible Firmware Interface (UEFI) can read both MBR and the newer GPT disks.

How MBR disks work


The MBR is stored at a consistent location on a physical disk, enabling a computer's BIOS to reference it.
During the startup process, a computer examines the MBR to determine which partition is active on the
installed disks. The active partition contains the operating system startup files.

Features of MBR disks


The MBR partition scheme has been in use for a long time. It supports both current and older
desktop operating systems, such as the MS-DOS and Microsoft Windows Server 4.0 operating
systems. Consequently, most operating systems today support the MBR partition scheme. However,
the MBR partition scheme imposes certain restrictions, including:

Four partitions on each disk. MBR-based disks are limited to four partitions. All of these can be
primary partitions, or one can be an extended partition with logical volumes inside. You can configure
the extended partition to contain multiple volumes.

A 2 TB-maximum partition size. A partition cannot be larger than 2 TB.

No redundancy provided. The MBR is a single point of failure. If it is corrupt or suffers damage, it can
render a computer incapable of starting.

MBR disks can be either basic or dynamic disk types. Dynamic disks support additional options that are
not available on a basic disk, including volumes that are able to span multiple disks and fault-tolerant
volumes.

GPT disks
GPT disks contain an array of partition entries that describe the start and end LBA of each partition on a
disk. Each GPT partition has a unique GUID and partition-content type. Each LBA that the partition table
describes is 64 bits in length. The UEFI specifies the GPT format, but it is not exclusive to UEFI systems.
Both 32-bit and 64-bit Windows operating systems support GPT for data disks on BIOS systems. However,
they cannot boot from them. 64-bit Windows operating systems support GPT for boot disks on UEFI
systems.

Features of GPT disks


GPT disks address the limitations of MBR disks and provide support for the following:

128 partitions per disk. This is a vast improvement over MBR-based disks.
18 exabytes of volume size. This is a theoretical maximum because hard-disk hardware that can
support such vast volume sizes is not yet available.

Redundancy. Cyclic redundancy check (CRC) duplicates and protects the GPT.
You can implement GPT disks on Windows Server 2008 and newer versions, Windows 10, Windows 8.1,
Windows 8, Windows 7, and Windows Vista. You cannot use the GPT partition style on removable disks.

GPT architecture
A GPT-partitioned disk defines the following sectors:
Sector 0 contains a legacy protective MBR, which contains one primary partition that covers the
entire disk:

o The protective MBR protects GPT disks from previously released MBR disk tools, such as the
MS-DOS fdisk or Windows NT Disk Administrator. These tools view a GPT disk as a single
encompassing (possibly unrecognized) partition by interpreting the protective MBR, rather than
mistaking the disk for one that does not have any partitions. This means that the tools will not
view a GPT-initialized disk as having no partitions, making it less vulnerable to incidental data
loss.

o Legacy software that is not aware of GPT interprets only the protective MBR when it accesses a
GPT disk.

Sector 1 contains a partition table header. The partition table header contains the unique disk GUID,
the number of partition entries (usually 128), and pointers to the partition table.

The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the
partition offset, length, type (also a GUID), attributes, and a 36-character name.

The following table describes the partitions that Windows 10 creates when you install it on a GPT disk.

Partition: A
Type: Extensible Firmware Interface (EFI) system partition
Size: 100 megabytes (MB)
Description: Contains the Windows Boot Manager, the files that an operating system requires to start, the platform tools that run before an operating system starts, and the files that the Windows Boot Manager must access before an operating system starts. The EFI system partition must be the first partition on the disk because it is impossible to span volumes when the EFI system partition is logically between what you are attempting to span.

Partition: B
Type: Microsoft Reserved partition (MSR partition)
Size: 128 MB
Description: Reserved for Windows components. The Disk Management tool hides this partition. It does not receive a drive letter. Usage example: When you convert a basic GPT disk to dynamic, the system decreases the size of the MSR partition and uses that space to create the Logical Disk Manager Metadata partition.

Partition: C
Type: Operating system
Size: Remaining disk
Description: This partition contains the operating system and is the size of the remaining disk.
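The sector layout described above (protective MBR in sector 0, partition table header in sector 1, entry array from sector 2, both protected by CRC32) can be checked in a few dozen lines. The following script is an added example, not course code: it builds a constructed GPT image in memory, validates it the way firmware would, and then shows that a single raw byte edit, of the kind a disk-editing tool would make, leaves the entry-array checksum invalid. The disk and partition GUIDs are constructed placeholders; the type GUID is the well-known Microsoft basic data partition type, and the backup copies at the end of the disk are omitted.

```powershell
# Added example, not part of the course: constructed GPT image, validated and then tampered with.
$script:CrcTable = [long[]]::new(256)          # standard CRC32 table (reflected polynomial 0xEDB88320)
for ($n = 0; $n -lt 256; $n++) {
    [long]$c = $n
    for ($k = 0; $k -lt 8; $k++) { $c = if ($c -band 1) { 0xEDB88320 -bxor ($c -shr 1) } else { $c -shr 1 } }
    $script:CrcTable[$n] = $c
}
function Get-Crc32 {
    param([byte[]]$Bytes)
    [long]$crc = 0xFFFFFFFF
    foreach ($b in $Bytes) { $crc = $script:CrcTable[($crc -bxor $b) -band 0xFF] -bxor ($crc -shr 8) }
    return $crc -bxor 0xFFFFFFFF
}
# Little-endian field helpers; every integer field in the MBR and GPT is little-endian
function Set-LE([byte[]]$Buf, [int]$Off, [long]$Val, [int]$Width) {
    for ($i = 0; $i -lt $Width; $i++) { $Buf[$Off + $i] = [byte](($Val -shr (8 * $i)) -band 0xFF) }
}
function Get-LE([byte[]]$Buf, [int]$Off, [int]$Width) {
    [long]$v = 0
    for ($i = $Width - 1; $i -ge 0; $i--) { $v = ($v -shl 8) -bor $Buf[$Off + $i] }
    return $v
}

function New-ConstructedGptImage {
    # Primary structures only (sectors 0-33) of a 2048-sector disk; the backup header and entry
    # array that a real disk keeps at its end are omitted. GUIDs are constructed except the type GUID.
    $img = [byte[]]::new(34 * 512)
    # Sector 0: protective MBR, one type 0xEE partition (entry 1 at offset 446) covering LBA 1..2047
    $img[450] = 0xEE; Set-LE $img 454 1 4; Set-LE $img 458 2047 4
    $img[510] = 0x55; $img[511] = 0xAA
    # Sector 2: partition entry 0 (type GUID, unique GUID, first/last LBA, attributes, 36-char UTF-16 name)
    $e = 2 * 512
    ([guid]'ebd0a0a2-b9e5-4433-87c0-68b6b72699c7').ToByteArray().CopyTo($img, $e)   # well-known basic data type
    ([guid]'11111111-2222-3333-4444-555555555555').ToByteArray().CopyTo($img, $e + 16)  # constructed partition GUID
    Set-LE $img ($e + 32) 34 8; Set-LE $img ($e + 40) 2013 8                          # first and last LBA
    [Text.Encoding]::Unicode.GetBytes('Basic data partition').CopyTo($img, $e + 56)
    # Sector 1: partition table header
    $h = 512
    [Text.Encoding]::ASCII.GetBytes('EFI PART').CopyTo($img, $h)                      # signature
    Set-LE $img ($h + 8) 0x00010000 4; Set-LE $img ($h + 12) 92 4                     # revision 1.0, header size
    Set-LE $img ($h + 24) 1 8; Set-LE $img ($h + 32) 2047 8                           # this header LBA, backup LBA
    Set-LE $img ($h + 40) 34 8; Set-LE $img ($h + 48) 2013 8                          # first and last usable LBA
    ([guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee').ToByteArray().CopyTo($img, $h + 56) # constructed disk GUID
    Set-LE $img ($h + 72) 2 8; Set-LE $img ($h + 80) 128 4; Set-LE $img ($h + 84) 128 4 # entries at LBA 2, 128 x 128 B
    Set-LE $img ($h + 88) (Get-Crc32 $img[$e..($e + 128 * 128 - 1)]) 4               # CRC32 of the entry array
    Set-LE $img ($h + 16) (Get-Crc32 $img[$h..($h + 91)]) 4                           # header CRC32, field zero while computing
    return ,$img
}

function Test-GptImage([byte[]]$Image) {
    $h = 512; $problems = @()
    if ($Image[450] -ne 0xEE -or $Image[510] -ne 0x55 -or $Image[511] -ne 0xAA) { $problems += 'no protective MBR' }
    if ([Text.Encoding]::ASCII.GetString($Image, $h, 8) -ne 'EFI PART') { $problems += 'bad header signature' }
    $hs = [int](Get-LE $Image ($h + 12) 4)
    $copy = [byte[]]$Image[$h..($h + $hs - 1)]
    0..3 | ForEach-Object { $copy[16 + $_] = 0 }                   # CRC is computed with its own field zeroed
    if ((Get-Crc32 $copy) -ne (Get-LE $Image ($h + 16) 4)) { $problems += 'header CRC32 mismatch' }
    $start = [int](Get-LE $Image ($h + 72) 8) * 512
    $count = [int](Get-LE $Image ($h + 80) 4); $size = [int](Get-LE $Image ($h + 84) 4)
    if ((Get-Crc32 $Image[$start..($start + $count * $size - 1)]) -ne (Get-LE $Image ($h + 88) 4)) {
        $problems += 'partition entry array CRC32 mismatch'
    }
    $parts = for ($i = 0; $i -lt $count; $i++) {                   # in-use entries have a non-zero type GUID
        $o = $start + $i * $size
        $type = [guid]::new([byte[]]$Image[$o..($o + 15)])
        if ($type -eq [guid]::Empty) { continue }
        [pscustomobject]@{
            Index = $i; TypeGuid = $type
            PartitionGuid = [guid]::new([byte[]]$Image[($o + 16)..($o + 31)])
            FirstLba = Get-LE $Image ($o + 32) 8; LastLba = Get-LE $Image ($o + 40) 8
            Name = [Text.Encoding]::Unicode.GetString($Image, $o + 56, 72).TrimEnd([char]0)
        }
    }
    [pscustomobject]@{
        Valid = ($problems.Count -eq 0); Problems = $problems
        DiskGuid = [guid]::new([byte[]]$Image[($h + 56)..($h + 71)]); Partitions = $parts
    }
}

$img = New-ConstructedGptImage
$before = Test-GptImage $img
$tampered = [byte[]]$img.Clone()
$tampered[2 * 512 + 56] = [byte][char]'X'   # one raw byte of the partition name changed, CRCs not recomputed
$after = Test-GptImage $tampered
'Untouched image valid: {0}; partition "{1}" at LBA {2}-{3}' -f $before.Valid, $before.Partitions.Name, $before.Partitions.FirstLba, $before.Partitions.LastLba
'Edited image valid: {0}; problems: {1}' -f $after.Valid, ($after.Problems -join '; ')
```

The untouched image validates and lists the single basic data partition; the edited image fails only the entry-array CRC, which is the check a raw disk editor leaves invalid and the reason the course directs you to DiskPart, Disk Management, or Windows PowerShell for GPT changes.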

Dynamic Disks
Dynamic disks provide features that basic disks do not. You can create volumes that span multiple disks and fault-tolerant volumes. Dynamic disks can use either the MBR or the GPT partition style.

Dynamic disks use a database to track information about the volumes on the dynamic disks in the computer. Each dynamic disk in a computer stores a replica of the dynamic disk database, which is useful if you experience a corrupted dynamic disk database: Windows can repair the corrupted dynamic disk by using the database on another dynamic disk. The partition style of the disk determines the location of the database. On MBR-partitioned disks, Windows 10 stores the database in the last 1 MB of the disk. On GPT-partitioned disks, the database is located in a 1-MB reserved and hidden partition.

You can perform the following operations only on dynamic disks:

Create and delete spanned, striped, and mirrored volumes.

Extend a simple volume to a noncontiguous space or spanned volume.

Remove a mirror from a mirrored volume.

Repair mirrored volumes.

Reactivate a missing or offline disk.

You should be aware of the following considerations regarding dynamic disks:

You cannot convert a basic disk to a dynamic disk unless there is at least 1 MB of unused space on
the disk because of the Logical Disk Manager database.
You cannot convert a dynamic disk to a basic disk without losing data. You need to delete all dynamic
volumes on the disk. Disk Management automatically converts the disk to basic when you delete the
last volume.

You cannot use Windows PowerShell to manage dynamic disks. The storage cmdlets will not
recognize dynamic disks.

Convert a basic disk to a dynamic disk


You use the Disk Management snap-in to convert a basic disk to a dynamic disk. Right-click the disk you
want to convert and click Convert to Dynamic Disk.

Note: In a multiboot scenario, if you are in one operating system, and you convert a basic
MBR disk that contains an alternate operating system to a dynamic MBR disk, you will not be
able to start in the alternate operating system.

Basic disks vs. dynamic disks


The following table describes the differences between using basic and dynamic disks.

Basic disks
Advantages: Compatible with most operating systems. Convert to dynamic disk without data loss.
Disadvantages: Only uses contiguous space on one disk. Limited number of partitions on MBR disks.

Dynamic disks
Advantages: Multidisk volumes. Fault-tolerant volumes. 1024 volumes on MBR disks.
Disadvantages: Only compatible with Windows. Does not convert to basic disk without data loss.

Disk Management Tools


You can use the following tools to manage Windows 10 disks and the volumes or partitions that they
contain:

Disk Management. A GUI for managing disks and volumes, both basic and dynamic, locally or on remote
computers. After you select the remote computer that you want to manage, you can perform the same
tasks that you typically perform when you use a local computer.

DiskPart. A scriptable command-line tool with functionality that is similar to Disk Management, which
also includes advanced features. You can create scripts to automate disk-related tasks, such as creating
volumes or converting disks to dynamic. This tool always runs locally.

Windows PowerShell 5.0. Windows PowerShell is a scripting language that accomplishes many tasks
in the Windows environment. Starting with Windows PowerShell 3.0, disk management commands
are available for use as stand-alone commands or as part of a script.

Note: Windows 10 does not support remote connections in workgroups. Both the local
computer and the remote computer must be in a domain for you to use Disk Management to
manage a disk remotely.

Note: Do not use disk-editing tools such as dskprobe.exe to make changes to GPT disks.
Any change that you make renders the checksums invalid, which might cause the disk to become
inaccessible. To make changes to GPT disks, use Windows PowerShell, DiskPart, or Disk
Management.

With either tool, you can initialize disks, create volumes, and format a volume file system. Additional
common tasks include moving disks between computers, changing disks between basic and dynamic
types, and changing the partition style of disks. You can perform most disk-related tasks without
restarting a system or interrupting users, and most configuration changes take effect immediately.

Disk Management
By using the Disk Management snap-in to the Microsoft Management Console (MMC), administrators
can manage volumes quickly and confirm the health of each volume. Disk Management in Windows 10
provides the same features as previous versions, including:

Simpler partition creation. When you right-click a volume, you can choose whether to create a basic,
spanned, or striped partition directly from the menu.

Disk conversion options. When you try to extend a partition to a noncontiguous area on the same or
another disk, Disk Management prompts you to convert the disk to dynamic. You also can convert
basic disks to dynamic disks without incurring data loss. However, converting a dynamic disk to basic
is not possible without first deleting all of the volumes.

Extend and shrink partitions. You can extend and shrink partitions from Disk Management.

To open Disk Management, use this procedure:

1. Click Start and type disk. This will display the search window.

2. Continue typing diskmgmt.msc in the search box, and then click diskmgmt.msc in the results list.

DiskPart
By using DiskPart, you can manage fixed disks and volumes by using scripts or direct input from the
command line. At the command prompt, type DiskPart, and then enter commands at the DiskPart
command prompt. The following are common DiskPart actions:

To view a list of DiskPart commands, at the DiskPart command prompt, type commands.

To create a DiskPart script in a text file and then run the script, type a command similar to diskpart /s
testscript.txt.

To create a log file of the DiskPart session, type DiskPart /s testscript.txt > logfile.txt.

The following table shows several DiskPart commands that you will use frequently.

Command: list disk
Description: Displays a list of disks and related information, including:
    Disk size
    The amount of available free space on the disks
    Whether the disks are basic or dynamic
    Whether the disks use the MBR or GPT partition style
  The disks marked with an asterisk (*) are the ones against which the commands will execute.

Command: select disk disknumber
Description: Selects the specified disk, where disknumber is the disk number, and gives it focus.

Command: convert gpt
Description: Converts a disk with the MBR partition style to a basic disk with the GPT partition style.
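The scripted DiskPart workflow described above, written out as an added example (not the course's own code) that uses the commands from the table. It assumes disk 2 is a data disk with no partitions (convert gpt refuses a disk that still has any) and that the current directory is writable.

```powershell
#Requires -RunAsAdministrator
# Added example: write a DiskPart script file, run it with a log, and check
# the exit code. Assumes disk 2 is an empty data disk.
$scriptPath = Join-Path $PWD 'testscript.txt'
$logPath    = Join-Path $PWD 'logfile.txt'

# Without "noerr", DiskPart stops at the first failing command and returns a
# non-zero exit code, so a failed "select disk" never lets "convert gpt" run.
@'
rem Constructed DiskPart script: show the disks, then convert disk 2 to GPT
list disk
select disk 2
detail disk
convert gpt
list disk
'@ | Set-Content -Path $scriptPath -Encoding ASCII

# Same invocation as "DiskPart /s testscript.txt > logfile.txt" above.
diskpart.exe /s $scriptPath > $logPath

if ($LASTEXITCODE -ne 0) {
    Write-Warning "DiskPart exited with code $LASTEXITCODE; see $logPath"
}

# The log is the record of what DiskPart did; keep it with the change ticket.
Get-Content -Path $logPath
```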

Windows PowerShell
Prior to Windows PowerShell 3.0, if you wanted to script disk management tasks, you had to make calls
to Windows Management Instrumentation (WMI) objects or include DiskPart in your scripts. Windows
PowerShell 3.0 and newer versions include commands for natively managing disks. The following table
details some Windows PowerShell commands.

Command: Get-Disk
Description: Returns information on all disks or disks that you specify with a filter.
Additional parameters: -FriendlyName returns information about disks that have the specified friendly
name. -Number returns information about a specific disk.

Command: Clear-Disk
Description: Cleans a disk by removing all partition information.
Additional parameters: -ZeroOutEntireDisk writes zeros to all sectors of a disk.

Command: Initialize-Disk
Description: Prepares a disk for use. By default, it creates a GPT partition.
Additional parameters: -PartitionStyle PartitionStyle specifies the type of the partition, either MBR or
GPT.

Command: Set-Disk
Description: Updates a physical disk with the specified attributes.
Additional parameters: -PartitionStyle PartitionStyle specifies the type of the partition, either MBR or
GPT. You can use this to convert a disk that was initialized previously.

Command: Get-Volume
Description: Returns information on all file system volumes, or those volumes that you specify with a
filter.
Additional parameters: -DriveLetter Char gets information about the specified drive letter.
-FileSystemLabel String returns information about NTFS or Resilient File System (ReFS) volumes that
have the specified label.

Simple Volumes
The most commonly used disk arrangement is
a simple volume. This volume is a contiguous,
unallocated area of a physical hard disk that you
format to create a file system. You then assign a
drive letter to it or mount it in an existing volume
by using a volume mount point.

Simple volume characteristics


A simple volume is a volume that encompasses available free space from a single basic or dynamic
hard disk drive. A simple volume can consist of a single region on a disk or multiple regions of the
same disk that link together. Simple volumes have the following characteristics:

Not fault-tolerant. Disk failure leads to volume failure.

Volume I/O performance is the same as disk I/O performance.

Simple volume scenarios


The following table contains example scenarios for disks and volumes.

Scenario: Business desktop computer with one disk
Description: Most business users require a basic disk and one basic volume for storage, but do not
require a computer with volumes that span multiple disks or that provide fault tolerance. This is the
best choice for those who require simplicity and ease of use.

Scenario: Business desktop computer with one disk and more than one volume
Description: If small business users want to upgrade their operating systems and reduce the impact on
their business data, they must store the operating system in a separate location from business data.
This scenario requires a basic disk with two or more simple volumes. Users can install an operating
system on the first volume, creating a boot volume or system volume, and use the second volume to
store data. When a new version of an operating system releases, users can reformat the boot or system
volume, and then install the new operating system. The business data, located on the second volume,
remains untouched.

A simple volume might provide better performance than striped data layout schemes. For example, when
serving multiple, lengthy, sequential streams, performance is best when a single disk services each stream.
Workloads composed of small, random requests do not always result in performance benefits when you
move them from a simple to a striped data layout.

The emergence of SSDs, which offer extremely fast data transfer rates, offers the Windows 10 user another
decision related to storing data. SSDs currently are more expensive and have smaller capacities compared
to traditional magnetic hard disk drives. This combination of performance, size, and cost is an acceptable
compromise when used in small form factor devices. However, a desktop PC might benefit from a
combination of an SSD for Windows system files and a large capacity hard disk drive for business data.

Mirrored, Spanned, and Striped Volumes


A mirrored volume presents two disks to the operating system as a single logical volume. A mirrored
volume always consists of exactly two disks. Each disk has an identical copy of the data that is on the
logical volume.

A spanned volume joins areas of unallocated space on at least two and at most 32 disks into a single
logical disk. Similar to a spanned volume, a striped volume also requires two or more disks. However,
striped volumes map stripes of data cyclically across the disks.

Basic disks support only primary partitions, extended partitions, and logical drives. To use mirrored,
spanned, or striped volumes, you must convert the disks to dynamic disks as described previously.
Dynamic disks use a database to track information about the disk's dynamic volumes and the
computer's other dynamic disks. Because each dynamic disk on a computer stores a replica of the
dynamic disk database, the Windows operating system can repair a corrupted database on one dynamic
disk by using the database on another dynamic disk.

Characteristics of mirrored volumes


A mirrored volume also is a RAID-1 (Redundant Array of Independent Disks) volume. A mirrored volume
combines equal-sized areas of unallocated space from two disks. You use a mirrored volume when you
wish to provide redundancy for your system partition. Both spanned volumes and striped volumes require
a Windows operating system to be running to recognize the volume; therefore, neither of those
solutions can provide protection against disk failures for a system partition.

When creating a mirrored volume, the disk for the shadow volume must be at least the same size as the
volume you want to mirror. Once you establish the mirror, you cannot resize the mirrored volume.
There are two main benefits of using mirrored volumes. Recovering from a disk failure is very quick as
there is no data to rebuild. Additionally, read operations have a slight performance boost because you
can read from both disks simultaneously.
There are two main disadvantages of using mirrored volumes. Write operations are slightly slower as every
write needs to occur on both disks. Mirrored volumes are the least efficient use of space compared with
other disk configurations.

Characteristics of spanned volumes


A spanned volume gives users the option to gather noncontiguous free space from two or more disks
into the same volume. A spanned volume does not provide any fault tolerance. Additionally, because the
areas that you combine are not necessarily equally distributed across the participating disks, there is no
performance benefit to implementing spanned volumes. I/O performance is comparable to simple
volumes.

You can create a spanned volume by extending a simple volume to an area of unallocated space on a
second disk, or you can designate multiple disks during the volume-creation process. The benefits of
using spanned volumes include uncomplicated capacity planning and straightforward performance
analysis.
If you create a new spanned volume, you must define the same properties as when you create a simple
volume in terms of size, file system, and drive letter. In addition, you must define how much space to
allocate to the spanned volume from each physical disk.

You can create spanned volumes on dynamic disks only. If you attempt to create a spanned volume on
basic disks, the Windows operating system prompts you to convert the disk to dynamic after you have
defined the volume's properties and confirmed the choices.

It is possible to shrink a spanned volume. However, it is not possible to remove an area from a specific
disk. For example, if a spanned volume consists of three 100-MB partitions on each of three disks, you
cannot delete the third element.
If you install additional hard disks, it is possible to extend the spanned volume to include areas of
unallocated space on the new disks, as long as the total number of disks does not exceed the 32-disk
limit for spanned volumes.

Characteristics of striped volumes


A striped volume is a RAID-0 volume. A striped volume combines equal-sized areas of unallocated space
from multiple disks.
You should create a striped volume when you want to improve the I/O performance of a computer.
Striped volumes provide for higher throughput by distributing I/O across all disks that are a part of the
volume. The more physical disks that you combine, preferably across several disk controllers, the faster
the potential throughput is. For most workloads, a striped data layout provides better performance than
simple or spanned volumes, as long as you select the stripe unit appropriately, based on workload and
storage hardware characteristics. The overall storage load balances across all physical drives.

Striped volumes also are well suited for isolating the paging file. By creating a volume where Pagefile.sys
is the only file on the entire volume, the paging file is less likely to become fragmented, which helps
improve performance. Redundancy is not required for the paging file normally. Striped volumes provide
a better solution than RAID-5 for paging file isolation. This is because the paging file activity is write-
intensive, and RAID-5 is better suited for read performance than write performance.
Because there is no allocated capacity for redundant data, striped volumes do not provide data-recovery
mechanisms such as those in RAID-1 and RAID-5. The failure of any disk results in data loss on a larger
scale than it would on a simple volume, because it disrupts the entire file system that spreads across
multiple physical disks. The more disks that you combine in RAID-0, the less reliable the volume becomes.

When you create a striped volume, you define the file system, drive letter, and other standard volume
properties. Additionally, you must define the disks from which to allocate free space. The allocated space
from each disk must be identical in size. It is possible to delete a striped volume, but it is not possible to
extend or to shrink the volume.

Note: RAID-5 is a striped set with parity volume. It combines the speed of striped volumes
with fault tolerance. It is not possible to create RAID-5 in Disk Management in Windows 10.

Demonstration: Creating Volumes


In this demonstration, you will see how to create volumes in Windows 10.

Demonstration Steps
Initialize disks
In Windows PowerShell, type the following command:

Get-Disk | Where partitionstyle -eq 'raw' | Initialize-Disk -PartitionStyle MBR

Create simple volume in Disk Management


1. Start Disk Management.
2. Create a new simple volume on Disk 1 with a size of 5GB. Assign the default drive letter to the
volume.

Create simple volume in Windows PowerShell


In Windows PowerShell, type the following commands:

Get-Disk -Number 2
New-Partition -Size 5350879232 -DiskNumber 2 | Format-Volume -Confirm:$false -FileSystem NTFS
-NewFileSystemLabel Simple2
Get-Partition -DiskNumber 2

(Note the partition number you just created, as you will use that in the next step)

Set-Partition -DiskNumber 2 -PartitionNumber <NumberFromBefore> -NewDriveLetter F
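The PowerShell steps above, together with the cmdlets from the earlier Windows PowerShell table, combined into one script with a guard that refuses to touch the disk Windows booted from. This is an added example, not the course's own demonstration code; it assumes disk 2 is a raw or empty data disk and that drive letter F is free.

```powershell
#Requires -RunAsAdministrator
# Added example: initialize a data disk, create one NTFS partition and assign a
# drive letter, refusing to act on boot/system disks. Assumes disk 2 and F:.
param(
    [int]$DiskNumber = 2,
    [char]$DriveLetter = 'F',
    [string]$Label = 'Simple2',
    [UInt64]$Size = 5GB
)

$disk = Get-Disk -Number $DiskNumber

# Never initialize, clear or partition the disk that holds the running OS.
if ($disk.IsBoot -or $disk.IsSystem) {
    throw "Disk $DiskNumber ($($disk.FriendlyName)) is the boot/system disk; refusing to modify it."
}

# Fail early if the letter is already taken instead of silently getting another.
if (Get-Volume -DriveLetter $DriveLetter -ErrorAction SilentlyContinue) {
    throw "Drive letter ${DriveLetter}: is already in use."
}

# A raw disk needs a partition style first: MBR as in the demonstration, GPT for
# disks larger than 2 TB, which MBR cannot address.
if ($disk.PartitionStyle -eq 'RAW') {
    $style = if ($disk.Size -gt 2TB) { 'GPT' } else { 'MBR' }
    Initialize-Disk -Number $DiskNumber -PartitionStyle $style
}

# Create the partition, then format it as NTFS with the requested label.
# -Confirm:$false suppresses the interactive prompt, as in the demonstration.
$partition = New-Partition -DiskNumber $DiskNumber -Size $Size -DriveLetter $DriveLetter
$partition | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null

# Confirm the result the same way the demonstration does.
Get-Partition -DiskNumber $DiskNumber
Get-Volume -DriveLetter $DriveLetter | Select-Object DriveLetter, FileSystemLabel, FileSystem, Size
```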

Create spanned volume


In Disk Management, create a new spanned volume on Disk 2 and Disk 3 using 2GB from each disk.
Assign the default drive letter to the volume.

Create striped volume


1. In Disk Management, create a new striped volume on Disk 2 and Disk 3 using 2GB from each disk.
Assign the default drive letter to the volume.

2. Leave the virtual machine running.


Managing Existing Volumes


Windows 10 allows you to resize a volume by using the Shrink Volume or Extend Volume options within
the provided disk tools. You can shrink existing volumes to allow space to create additional, unallocated
space to use for data or apps on a new volume. On the new volume, you can:

Install another operating system, and then perform a dual boot.

Save data separately from the operating system.

To perform a shrink operation, ensure that the disk is formatted with the NTFS file system or, if it is
unformatted, ensure that you are a member of the Backup Operators or Administrators group. When you
shrink a volume, contiguous free space relocates to the end of the volume. If you want to ensure that the
maximum amount of space is available, make sure you perform the following tasks before shrinking:

Defragment the disk. This rearranges the disk sectors so that unused space is at the end of the disk.
Ensure that the volume you are shrinking is not storing any page files.

When you shrink a volume, unmovable files (for example, a page file) do not relocate automatically. It is
not possible to decrease the allocated space beyond the point where the unmovable files are located. If
you need to shrink a partition further, transfer the unmovable file to another disk, shrink the volume, and
then transfer the unmovable file back to the disk. You can shrink simple and spanned volumes, but not
others. You can increase the size of a simple volume in the following ways:

Extend the simple volume on the same disk. The disk remains a basic disk if the free space is adjacent
to the volume you want to extend. If it is not contiguous space, then the disk will convert to a
dynamic disk.
Extend a simple volume to include unallocated space on other disks on the same computer. This
creates a spanned volume.

Demonstration: Resizing a Volume


In this demonstration, you will see how to both shrink and extend a volume.

Demonstration Steps
Shrink partition in Windows PowerShell
In Windows PowerShell, type the following command:

Resize-Partition -DiskNumber 1 -PartitionNumber 1 -Size 3GB

Extend partition in Disk Management


1. In Disk Management, extend the Simple (E:) volume to take up all of Disk 1.
2. Leave the virtual machine running.
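The shrink step above, extended into an added example (not the course's own code) that first asks the Storage module for the supported size range, so the script reports the limit imposed by unmovable files instead of failing part way. It assumes disk 1, partition 1 and a 3 GB target, as in the demonstration.

```powershell
#Requires -RunAsAdministrator
# Added example: shrink a partition only after checking the range Windows
# allows. Assumes disk 1, partition 1 and a 3 GB target, as in the demo.
param(
    [int]$DiskNumber = 1,
    [int]$PartitionNumber = 1,
    [UInt64]$TargetSize = 3GB
)

$partition = Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber
$volume = $partition | Get-Volume

# Shrinking is supported for NTFS volumes (and unformatted space) only.
if ($volume -and $volume.FileSystem -ne 'NTFS') {
    throw "Volume $($volume.DriveLetter): is $($volume.FileSystem); only NTFS volumes can be shrunk."
}

# SizeMin is bounded by unmovable files such as the page file; SizeMax by the
# unallocated space adjacent to the partition.
$range = Get-PartitionSupportedSize -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber

if ($TargetSize -lt $range.SizeMin) {
    "Cannot shrink below {0:N0} MB because of unmovable files; requested {1:N0} MB." -f
        ($range.SizeMin / 1MB), ($TargetSize / 1MB)
    return
}
if ($TargetSize -gt $range.SizeMax) {
    "Cannot grow beyond {0:N0} MB; no adjacent unallocated space." -f ($range.SizeMax / 1MB)
    return
}

# Same call as the demonstration, now known to be within the supported range.
Resize-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -Size $TargetSize

Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber |
    Select-Object PartitionNumber, DriveLetter, Size
```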

Check Your Knowledge


Question

What are the features of a GPT-initialized disk? (Select all that apply)

Select the correct answer.

Up to four partitions

Up to 128 partitions

Maximum size of 2 TB

Maximum size of 18 exabytes

Redundancy

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can shrink a volume to the size of the used storage space on the
volume.

Lesson 3
Maintaining Disks and Volumes
The Storage Sense feature in Windows 10 can give you an overview of what types of files the volumes are
storing. When you first create a volume, you typically create new files and folders in the volume's available
free space in contiguous blocks. This provides an optimized file system environment. As the volume
becomes full, the availability of contiguous blocks diminishes. This can lead to suboptimal performance.
This lesson explores file system fragmentation and the tools that you can use to reduce fragmentation.
You also will see how Windows 10 can compress files to take up less space on the hard disk. You will see
how you can configure disk quotas to monitor and control the use of disk space.

Lesson Objectives
After completing this lesson, you will be able to:

Explain what Storage Sense is.

Show how to use Storage Sense.

Describe how files stored on disks might fragment.


Show how to defragment volumes.

Explain folder compression.

Show how to compress folders.


Describe what disk quotas are.

Show how to configure disk quotas.

What Is Storage Sense?


Windows 10 comes with a feature called Storage Sense that debuted in Windows Phone 8. In previous
Windows versions, it was not easy to get an overview of what type of files took up space on the hard
disks. Windows 10 gives you that information in the Storage section of PC Settings. Storage gives you an
easy way to manage all your storage and the files that a particular drive is storing. It presents a
straightforward method to clean out the files you no longer need and an easy way to select the drive
where you want to store different categories of files.

Storage
In Storage, you get an overview of all the volumes currently attached to your PC. This includes hard disks,
USB drives, and other external storage, except OneDrive. The drive that contains the Windows installation
has the label This PC. You identify the other drives by label and drive letter. When you click a drive, you
will get a more detailed view of the categories of files that are taking the most space. The categories are
color-coded to make it easier to see how the space is divided. Storage Sense shows the size for the
following categories of files:

System and reserved

Apps and games

Documents

Pictures

Music

Videos

Mail

OneDrive

Desktop
Maps

Other users
Temporary files

Other

Depending on the drive and category that you click, you will have different management options. If
you click one of the file type categories on drives other than This PC, you will see a list of directories
containing files from that category. For This PC, you have a choice to open File Explorer with that
particular file type's folder within the user's profile.

System and reserved


This category gives you a list of disk space used by Windows system files, virtual memory, hibernation file,
and System Restore. You can click Manage System Restore to configure System Restore and decide how
much disk space System Restore can use.

Apps and games


You can sort the application list by size, name, and install date. You can also search for an app by name,
and when you click the app, you have easy access to uninstall the app.

OneDrive
You will be able to select which folders synchronize to this device to save disk space. This is particularly
useful on devices with limited storage space, such as tablets.

Temporary files
This category gives you a list of disk space used by temporary files, downloads, the recycle bin, and
previous versions of Windows. For each item, there is an option to delete the files.

Save locations
Storage Sense also allows you to choose the drive to save new files. You can choose between the drives
connected to your computer. If you are signed in with a Microsoft account, you can also choose OneDrive.

Demonstration: Using Storage Sense


In this demonstration, you will see how to use Storage Sense.

Demonstration Steps
1. Open Storage in Settings.

2. Uninstall the Money app.


3. Delete the temporary files.

4. Change the default drive where documents are saved to Simple (E:).

Disk Fragmentation
Fragmentation of a file system occurs over time as you save, change, and delete files. Initially, Windows
saves files in contiguous areas on a given volume. This is efficient for the physical disk, as the read/write
heads are able to access these contiguous blocks most quickly.

As the volume fills with data and other files, contiguous areas of free space become harder to find. File
deletion also causes fragmentation of available free space. Additionally, when you extend and save a file,
such as editing a document or spreadsheet, there might not be contiguous free space following the
existing file blocks. This forces the I/O manager to save the remainder of the file in a noncontiguous
area. Over time, contiguous free space becomes more scarce, leading to fragmentation of newly stored
content. The incidence and extent of fragmentation varies depending on available disk capacity, disk
consumption, and usage patterns.

Although NTFS is more efficient at handling disk fragmentation than earlier file systems, this
fragmentation still presents a potential performance problem. Combined hardware and software
advances in the Windows operating system help to mitigate the impact of fragmentation and deliver
better responsiveness.

Optimizing a disk
When you optimize a disk, files are relocated optimally. This ability to relocate files is beneficial when you
are shrinking a volume, because it frees up space that you can later reclaim. Windows 10 defragments
drives automatically on a scheduled basis, running weekly in the background to rearrange data and
reunite fragmented files. You can check the status of a defragmentation or perform a manual
optimization at any time by launching the Optimize Drives tool.

To optimize a volume or drive manually, or to change the automatic optimization schedule, right-click a
volume in File Explorer, click Properties, click the Tools tab, and then click Optimize. You can perform
the following tasks:

Change settings, which allows you to:


o Enable or disable the automated optimization.

o Specify the automated optimization frequency.

o Set a notification for three consecutive missed optimization runs.


o Select which volumes you want to optimize.

Analyze the disk to determine whether it requires optimization.


Launch a manual optimization.

You can also start the optimization process by launching Defragment and Optimize Your Drives from the
Administrative Tools section within the System and Security section in Control Panel.

To verify that a disk requires defragmentation, in the Optimize Drives tool, select the disk that you want to
defragment, and then click Analyze. After Windows finishes analyzing the disk, check the percentage of
fragmentation on the disk in the Current status column. If the number is high, you should defragment
the disk. The Optimize Drives tool might take several minutes to a few hours to finish defragmenting,
depending on the size and degree of fragmentation of the disk or USB device, such as an external hard
drive. You can use the computer during the defragmentation process, although disk access might be
slower and the defragmentation might take longer.
You can configure and run disk defragmentation from an elevated command prompt by using the defrag
command-line tool. Use Defrag /? at a command prompt for available options.
You can minimize file system fragmentation by using the following methods:

Partition a disk so that you isolate static files from those that users create and delete frequently, such
as some user-profile files and temporary Internet files.

Use the Disk Cleanup feature (cleanmgr.exe) to free disk space that is consumed by each user's
preferences for console files that the profile saves.

Use the Optimize Drives tool to help reduce the impact of disk fragmentation on disk volumes,
including USB drives. The Optimize Drives tool rearranges fragmented data so that disks and drives
can work more efficiently.

You should not defragment newer drives, such as SSDs. If an SSD or USB flash drive becomes fragmented,
you will gain only a small amount of performance benefit by optimizing the drive. This is because all files
are accessed at equally high speed, regardless of the location or level of fragmentation. Because of the
volume of read/write operations that the optimization process requires, you should not defragment SSDs.

Note: Defragmenting an SSD or a USB flash drive can decrease the life span of a drive
significantly.
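The analysis and optimization described above, as an added PowerShell example (not the course's own code) that honors the SSD caveat: it analyzes the volume, then defragments only when the underlying disk is rotational and issues a retrim for flash instead. It assumes drive C and that, for a directly attached disk, the DeviceId reported by Get-PhysicalDisk matches the disk number reported by Get-Disk.

```powershell
#Requires -RunAsAdministrator
# Added example: analyze a volume, then choose the optimization that suits
# the media type. Assumes drive C and that PhysicalDisk.DeviceId equals the
# disk number for a locally attached disk.
param([char]$DriveLetter = 'C')

$disk = Get-Partition -DriveLetter $DriveLetter | Get-Disk
$physical = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq "$($disk.Number)" }

# -Analyze only reads the volume and reports fragmentation; it moves nothing.
Optimize-Volume -DriveLetter $DriveLetter -Analyze -Verbose

switch ($physical.MediaType) {
    'HDD' {
        # Rotational media: the full defragmentation the Optimize Drives tool runs.
        Optimize-Volume -DriveLetter $DriveLetter -Defrag -Verbose
    }
    'SSD' {
        # Flash: do not move data around; tell the drive which blocks are free.
        Optimize-Volume -DriveLetter $DriveLetter -ReTrim -Verbose
    }
    default {
        "Media type '$($physical.MediaType)' for disk $($disk.Number) is not known; analysis only."
    }
}
```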

Demonstration: Performing Disk Maintenance


In this demonstration, you will see how to defragment drives.

Demonstration Steps
1. Open File Explorer.

2. Start the Optimize Drives tool from the Tools tab on Properties of the C drive.
3. Analyze and optimize the C drive.

4. Change the schedule to perform optimization monthly.

5. Choose not to get any notifications if optimization has not occurred.


6. Leave the virtual machine running.

File and Folder Compression


Windows 10 supports file compression on an individual-file basis on NTFS-formatted volumes only. The
file compression algorithm is a lossless compression algorithm, which means that compressing and
decompressing a file results in no data loss. This is different from other types of compression algorithms,
where compression and decompression always cause some data loss.

Configuring compression
You set compression from the properties of a file or folder on the General tab. You click Advanced and
set or clear the compression attribute. You can also configure compression from the command line by
using the compact command.

Features of NTFS folder compression


NTFS compression, which is available on volumes that use NTFS, has the following features and
limitations:

Compression is an attribute of a file or folder.

Volumes, folders, and files on an NTFS volume are either compressed or uncompressed.

New files created in a compressed folder are compressed by default.


The compression state of a folder does not necessarily reflect the compression state of the files within
that folder. For example, you can compress a folder without compressing its contents, and you can
compress some or all of the files in a compressed folder.
Applications work with NTFS-compressed files without decompressing them explicitly, because NTFS
decompresses and recompresses the files without user intervention:

o When you open a compressed file, the Windows operating system automatically decompresses it
for you.

o When the file closes, the Windows operating system compresses it again.
NTFS-compressed file and folder names display in a different color, by default, to make them easier
to identify.

NTFS-compressed files and folders only remain compressed while an NTFS volume is storing them.

You cannot encrypt an NTFS-compressed file.

The compressed bytes of a file are not accessible to applications, which see only the uncompressed
data:

o Applications that open a compressed file can perform tasks on it as if the file was not
compressed.

o If you copy compressed files to a file allocation table (FAT) or Resilient File System (ReFS) volume,
the copy of the file will not be compressed because those file systems do not support NTFS
compression.

Copying and moving compressed files and folders


When you move or copy compressed files and folders, the method and destination can change the
compression state. The following list explains what happens when you move and copy files:
When you copy a file or folder within an NTFS partition, the file or folder inherits the compression
state of the target folder. For example, if you copy a compressed file or folder to an uncompressed
folder, the file or folder is uncompressed automatically.
When you move a file or folder within an NTFS partition, the file or folder retains its original
compression state. For example, if you move a compressed file or folder to an uncompressed
folder, the file remains compressed.
When you move a file or folder between NTFS partitions, the file or folder inherits the target folder's
compression state. Because Windows 10 treats a move between partitions as a copy followed by a
delete operation, the files inherit the target folder's compression state.

When you copy a file to a folder that already contains a file of the same name, the copied file takes
on the compression attribute of the target file, regardless of the compression state of the folder.

Compressed files that you copy to a FAT partition are uncompressed because FAT volumes do not
support compression. However, when you copy or move files from a FAT partition to an NTFS
partition, they inherit the compression attribute of the folder into which you copy them.

When you copy a file, NTFS calculates disk space based on the uncompressed file's size. This is important
because files are uncompressed during the copy process, and the system must ensure there is enough
space. If you copy a compressed file to an NTFS partition that does not have enough space for the
uncompressed file, an error message notifies you that there is not enough disk space.
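As an added example (not code from the course), the following Windows PowerShell script reproduces the copy and move rules above on an NTFS volume and reads the Compressed attribute after each operation; it assumes %TEMP% is on an NTFS volume, and the folder and file names are constructed for the example.

```powershell
# Added example (not part of the course): observes the copy/move rules on a live
# NTFS volume. Assumes %TEMP% is on NTFS (C: by default); names are constructed.
function Test-NtfsCompressed {
    param([string]$Path)
    # The Compressed attribute is the per-file/per-folder NTFS compression state
    $attr = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attr -band [IO.FileAttributes]::Compressed) -ne 0)
}

$work         = Join-Path $env:TEMP ('ntfs-compress-' + [guid]::NewGuid().ToString('N'))
$compressed   = Join-Path $work 'compressed'
$uncompressed = Join-Path $work 'uncompressed'
New-Item -ItemType Directory -Path $compressed, $uncompressed | Out-Null

# compact.exe is the command-line equivalent of the Compress attribute in
# Properties; marking the folder makes every file created inside it compressed
compact.exe /c $compressed | Out-Null

$src = Join-Path $compressed 'sample.txt'
Set-Content -LiteralPath $src -Value ('A' * 200000)   # constructed, highly compressible
'{0,-40} compressed = {1}' -f 'new file inside compressed folder', (Test-NtfsCompressed $src)

# Copy within the volume: the copy inherits the target folder's state (uncompressed)
$copy = Join-Path $uncompressed 'copied.txt'
Copy-Item -LiteralPath $src -Destination $copy
'{0,-40} compressed = {1}' -f 'copy into uncompressed folder', (Test-NtfsCompressed $copy)

# Move within the volume: a rename, so the file keeps its original (compressed) state
$moved = Join-Path $uncompressed 'moved.txt'
Move-Item -LiteralPath $src -Destination $moved
'{0,-40} compressed = {1}' -f 'move into uncompressed folder', (Test-NtfsCompressed $moved)

# compact.exe /q reports the logical size next to the on-disk size, the figure
# that Properties shows as "Size on Disk"
compact.exe /q $moved

Remove-Item -LiteralPath $work -Recurse -Force
```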

Compressed (zipped) folder


In Windows 10, you can combine several files and folders into a single compressed folder by using the
Compressed (zipped) Folder feature. Use this feature to share a group of files and folders with others,
without sending individual files and folders.

Files and folders that you compress by using the Compressed (zipped) Folder feature can compress on
both FAT-formatted and NTFS-formatted volumes. A zipper icon identifies files and folders that you
compress by using this feature.
You can open files directly from these compressed folders, and you can run some of these programs
directly from compressed folders without uncompressing them. Files in compressed folders are
compatible with other file compression programs and files. You also can move compressed files and
folders to any drive or folder on your computer, the Internet, or your network.

Compressing folders by using Compressed (zipped) Folder does not affect a computer's overall
performance. Central processing unit (CPU) utilization increases only when you use Compressed (zipped)
Folder to compress a file. Compressed files take up less storage space, and you can transfer them to other
computers more quickly than uncompressed files. You can work with compressed files and folders the
same way you work with uncompressed files and folders.

Comparing zipped folder compression and NTFS folder compression


You should be aware of the differences between zipped folder compression and NTFS folder compression.
A zipped folder is a single file inside which Windows allows you to browse. Some applications can access
data directly from a zipped folder, while other applications require that you first unzip the folder contents
before the application can access the data.

In contrast, NTFS compression compresses individual files within a folder. Therefore, NTFS compression
does not affect data access as zipped folders do, because it occurs at the individual file system level and
not the folder level. Additionally, zipped folders are useful for combining multiple files into a single email
attachment, whereas NTFS compression is not.

File and folder compression that uses the Send To Compressed (zipped) Folder command is different
from NTFS file and folder compression:

For selected files or folders, the Send To Compressed (zipped) Folder command compresses the
selected content into a portable zip file. The original file or folder does not change, and a new,
compressed zip file is created.

NTFS compression does not create a second, compressed zip-type file. Instead, it actually reduces the
size of the selected file, folder, or volume by compressing its content.

Demonstration: Compressing Files and Folders


In this demonstration, you will see how to compress files in a folder.

Demonstration Steps
1. In File Explorer, open Properties for the C:\Users\Admin folder.

2. Note the Size on Disk in MB for the folder:___________


3. Compress the folder.

4. After the compression finishes, note the Size on Disk in MB:______________

5. Leave the virtual machine running for the next demonstration.



What Are Disk Quotas?


You can use disk quotas to limit each user's disk space usage. You configure disk quotas on a volume to
conserve disk space. Disk quotas enable you to track and restrict disk consumption proactively. You can
enable quotas on any NTFS-formatted volume.

When you configure disk quotas, you can configure a warning level, if you want to alert users before they
exceed their quota limit. You can configure disk quotas to log events when users exceed both the warning
and limit levels. You can use Event Viewer to configure scheduled tasks to start when these events are
logged.

You can use quotas to track disk space usage and determine who is using disk space, without restricting
disk consumption at the same time.

You configure disk quotas from the Quota tab on the properties dialog box of an NTFS-formatted
volume. You can also manage quotas by using the fsutil quota and fsutil behavior commands from
the command prompt.

After you create a quota, you can export it and import it to a different volume. In addition to establishing
quota settings on a single computer by using the methods outlined above, you can use Group Policy
settings to configure disk quotas. This enables administrators to configure multiple computers with the
same settings.
Over time, the amount of available disk space decreases, so make sure that you have a plan to increase
storage capacity.

Note: An alternative to disk quotas is using quotas in File Server Resource Manager (FSRM)
on Windows Server 2012 R2. Quotas in FSRM can track disk space usage per folder instead of per
volume.

Demonstration: Configuring Disk Quotas


In this demonstration, you will see how to configure disk quotas.

Demonstration Steps
Enable disk quotas
1. In File Explorer, open Quotas from the Properties of the E drive.

2. Configure quotas with the following attributes:


o Deny disk space to users exceeding quota limit: selected

o Limit disk space to: 200 MB

o Set warning level to: 100 MB


3. Sign out as Adatum\Administrator.

Create files
1. Sign in as the local user Admin with the password Pa$$w0rd.

2. Open a command prompt, and then type the following commands:

E:
MKDIR files
CD files
Fsutil file createnew file1.txt 104857600
Fsutil file createnew file2.txt 104857600

3. Sign out as Admin.

Check disk quotas usage


1. Sign in as Adatum\Administrator with the password Pa$$w0rd.

2. In File Explorer, open Quotas from the Properties of the E drive.

3. Open Quota Entries and notice the warning for LON-CL2\Admin for the disk space used.
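As an added example that is not part of the course, the same quota configuration done from an elevated Windows PowerShell prompt with the fsutil quota and fsutil behavior commands named earlier in the lesson; the volume, user, and values are the demonstration's own.

```powershell
# Added example (not part of the course): the demonstration's quota settings
# applied with fsutil instead of the Quota tab. Run elevated on LON-CL2.
$volume     = 'E:'
$warnBytes  = 100MB    # PowerShell expands 100MB to 104857600
$limitBytes = 200MB    # 209715200

# Enable tracking and then enforcement on the volume; enforcement is the
# "Deny disk space to users exceeding quota limit" check box
fsutil quota track   $volume
fsutil quota enforce $volume

# Per-user entry: fsutil quota modify <volume> <threshold> <limit> <user>
# (threshold is the warning level, limit is the hard limit)
fsutil quota modify $volume $warnBytes $limitBytes 'LON-CL2\Admin'

# How often NTFS re-scans and logs quota violations, in seconds (default 3600)
fsutil behavior query quotanotify
fsutil behavior set quotanotify 60

# After the user has created the two 100 MB files, the volume's entries show
# the space used against the threshold and limit for LON-CL2\Admin
fsutil quota query $volume

# The threshold and limit events that the Quota tab's logging options produce
# are recorded in the System event log; this lists them
fsutil quota violations
```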

Check Your Knowledge


Question

Which features in Windows 10 will work on both FAT-formatted and NTFS-formatted


volumes? (Select all that apply)

Select the correct answer.

Storage Sense

Defragmenting disks

Folder compression

ZIP compression

Disk quotas

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

By default, defragmentation runs on a monthly basis.



Lesson 4
Managing Storage Spaces
Managing multiple physical disks attached directly to a computer can often be a tedious task for
administrators. To overcome this problem, many organizations use SANs that essentially group physical
disks together. SANs require specialized configuration and sometimes specialized hardware, which makes
them expensive.

To overcome these issues, you can use the Storage Spaces feature. It pools disks together, and presents
them to the operating system as a single disk. This lesson explains how to configure and implement the
Storage Spaces feature.

Lesson Objectives
After completing this lesson, you will be able to:

Explain what the Storage Spaces feature is.

Describe the features of Storage Spaces.

Discuss in which scenarios to use Storage Spaces.


Show how to configure Storage Spaces.

What Is the Storage Spaces Feature?


Storage Spaces is a storage virtualization capability that is available in Windows Server 2012, in addition
to Windows 8 and newer versions. This feature is available for NTFS and ReFS volumes, providing
redundancy and pooled storage for numerous internal and external drives of differing sizes and
interfaces. You can use Storage Spaces to add physical disks of any type and size to a storage pool, and
then create highly available virtual disks from the storage pool. The primary advantage of Storage Spaces
is that you do not have to manage single disks, but can manage multiple disks as one unit.

To create a highly available virtual disk, you need the following:

Physical disk. Physical disks are disks such as Serial ATA (SATA) or Serially Attached SCSI (SAS) disks. If
you want to add physical disks to a storage pool, the disks need to satisfy the following requirements:

o Creating a storage pool requires one physical disk.

o Creating a resilient mirror virtual disk requires a minimum of two physical disks.
o Creating a virtual disk with resiliency through parity requires a minimum of three physical disks.

o Three-way mirroring requires at least five physical disks.

o Disks must be blank and unformatted; no volume must exist on them.


o Disks can be attached by using a variety of bus interfaces, including SAS, SATA, small computer
system interface (SCSI), and USB.

Storage pool. A storage pool is a collection of one or more physical disks that you can use to create
virtual disks. You can add to a storage pool any unformatted physical disk that is not already attached
to another storage pool.

Storage space. This is similar to a physical disk from the perspective of users and programs. However,
storage spaces are more flexible because they include thin provisioning or just-in-time (JIT)
allocations, and they include resiliency to physical disk failures with built-in functionality such as
mirroring.
Disk drive. You can access this volume from your Windows operating system, for example, by using a
drive letter.

Features of Storage Spaces


You can create storage spaces from storage pools. If your storage pool contains more than one disk, you
can also create redundant storage spaces. To configure Storage Spaces in the Control Panel or Windows
PowerShell, you need to consider the following features and their redundancy functionalities.

Storage layout
Configure this feature to define the number of disks from the storage pool that you allocate to a virtual
disk. Valid options include:
Simple. A simple space has data striping but no redundancy. In data striping, logically sequential data is
segmented so that consecutive segments are stored on different physical drives. Striping makes it
possible to access multiple segments of data concurrently. Do not host important data on a simple space,
because it provides no failover capability when the disk that is storing the data fails. This is similar to
the striped volumes discussed earlier.

Two-way and three-way mirrors. Mirror spaces maintain two or three copies of the data that they
host (two data copies for two-way mirrors and three data copies for three-way mirrors). Data
duplication happens with every write to ensure that all data copies are always current. Mirror spaces
also stripe the data across multiple physical drives. Mirror spaces provide the benefit of greater data
throughput and lower access latency. They also do not introduce a risk of corrupting at-rest data, and
do not require the extra journaling stage when writing data. Two-way mirrors are similar to the
mirrored volumes discussed earlier.

Parity. A parity space is similar to RAID 5. Storage Spaces stores data, along with parity information,
striped across multiple physical drives. Parity enables Storage Spaces to continue servicing read and
write requests even when a drive has failed. Parity always rotates across available disks to enable I/O
optimization. Storage Spaces require a minimum of three physical drives for parity spaces. Parity
spaces have increased resiliency through journaling. There is no equivalent to parity in volumes on
dynamic disks.

Provisioning schemes
You can provision a virtual disk by using two different schemes:

Thin provisioning space. Thin provisioning is a mechanism that enables you to allocate storage when
the storage space needs it. The storage pool organizes the storage capacity into provisioning slabs.
The allocation does not happen until the point when datasets grow to require the storage. As
opposed to the traditional fixed storage allocation method, in which you might allocate large pools
of storage capacity that remain unused, thin provisioning optimizes utilization of available storage.
Organizations also can save on operating costs, such as electricity and floor space, associated with
keeping the unused drives operating. The disadvantage of using thin provisioning is lower disk
performance because storage allocation occurs when the pool needs extra storage.

Fixed provisioning space. With Storage Spaces, fixed provisioned spaces also employ the flexible
provisioning slabs. The difference between thin provisioning and a fixed provisioning space is that the
storage capacity allocation in the fixed provisioning space happens at the same time as storage space
creation.

Question: What is the name for a storage space that is larger than the amount of disk space
available on the physical disks in the storage pool?

Scenarios for Storage Spaces


Storage Spaces can simplify your storage administration and allow for easy storage growth. In most
enterprises, servers will be the only computers using Storage Spaces. Small offices might use Storage
Spaces in Windows 10 to create high-capacity storage that is easy to administer.

Thin provisioning storage

The need for storage is always growing. Smaller companies without IT staff might find it difficult to add
new storage to their existing solutions. Storage Spaces can help with storage growth when you use thin
provisioning. Thin provisioning allows you to create a storage space that is bigger than what the disks
can currently store. You then add disks to the storage space when you need more storage, and the
storage space will automatically claim the space on the new disks.

Reliable storage
Small businesses often do not have the funds for acquiring enterprise-grade storage solutions. Storage
Spaces can help these companies get fault-tolerant storage for an affordable price. Storage Spaces has
two resiliency types that provide fault tolerance. These will help to make the storage highly available in
case of disk failures. Two-way mirror and parity can function even when one drive fails. Three-way mirror
can function with two drive failures.

High-performance storage
Users with workloads that need high-performance storage, such as video editing, might also benefit from
Storage Spaces. When you create a storage space with parity resiliency, the striping gives better read and
write performance. When you use SSDs as the physical drives, you should be able to get the required
disk I/O.

Demonstration: Configuring Storage Spaces


In this demonstration, you will see how to configure Storage Spaces.

Demonstration Steps
Clear disks in Windows PowerShell
1. In Windows PowerShell, type the following command:

Get-Disk | Clear-Disk -RemoveData

2. Verify that Disks 1, 2, and 3 are not initialized in Disk Management.

Create a storage space


1. In the Control Panel, open Storage Spaces.

2. Create a new storage pool with Disks 1, 2, and 3.


3. Choose Parity as the resiliency type.

4. In File Explorer, verify that the size of Storage Space (E:) is 17.3 GB.

Modify an existing storage space


1. Change the size of the storage space to 1 TB. Notice the information text stating that you can add
more drives when the capacity is low.
2. In File Explorer, verify that the size of Storage Space (E:) is now 0.99 TB.
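As an added example that is not part of the course, the demonstration's pool and parity space created with the Storage module cmdlets instead of Control Panel; it assumes Disks 1, 2, and 3 are blank and poolable, and the pool and space names are chosen here for the example.

```powershell
# Added example (not part of the course): the demonstration's storage space
# built with Storage module cmdlets. Assumes three blank, poolable disks.
$poolName  = 'Demo pool'       # chosen for this example
$spaceName = 'Storage space'   # the name the demonstration's drive shows

# Only unformatted disks that belong to no other pool can be pooled
$candidates = @(Get-PhysicalDisk -CanPool $true)
if ($candidates.Count -lt 3) {
    throw "Parity needs at least three physical disks; only $($candidates.Count) can be pooled."
}

New-StoragePool -FriendlyName $poolName `
                -StorageSubSystemFriendlyName 'Windows Storage*' `
                -PhysicalDisks $candidates | Out-Null

# Parity layout, thin-provisioned at 1 TB as in the "Modify" step: the space
# may be larger than the pool, and capacity is claimed only as data is written
$vdisk = New-VirtualDisk -StoragePoolFriendlyName $poolName `
                         -FriendlyName $spaceName `
                         -ResiliencySettingName Parity `
                         -ProvisioningType Thin `
                         -Size 1TB

# What Control Panel does behind the scenes: initialize, partition, format as E:
$vdisk | Get-Disk |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter E -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $spaceName -Confirm:$false | Out-Null

# Provisioned size versus the part actually backed by physical disks
Get-VirtualDisk -FriendlyName $spaceName |
    Select-Object FriendlyName, ResiliencySettingName, ProvisioningType,
                  @{n = 'SizeGB';            e = { [math]::Round($_.Size / 1GB, 2) } },
                  @{n = 'FootprintOnPoolGB'; e = { [math]::Round($_.FootprintOnPool / 1GB, 2) } }

Get-StoragePool -FriendlyName $poolName |
    Select-Object FriendlyName,
                  @{n = 'PoolSizeGB';  e = { [math]::Round($_.Size / 1GB, 2) } },
                  @{n = 'AllocatedGB'; e = { [math]::Round($_.AllocatedSize / 1GB, 2) } }

# When the pool runs low, add another blank disk; the thin space claims it automatically:
# Add-PhysicalDisk -StoragePoolFriendlyName $poolName -PhysicalDisks (Get-PhysicalDisk -CanPool $true)
```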

Revert virtual machines


When you finish the demonstration, revert the virtual machine to its initial state. To do this, complete the
following steps:
1. On the host computer, open Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Check Your Knowledge


Question

Which types of storage spaces can you create in Windows 10? (Select 4)

Select the correct answer.

Simple

Advanced

Two-way mirror

Three-way mirror

Parity

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You need three disks to create a three-way mirror storage space.



Lab: Managing Storage


Scenario
April Reagan in the IT department has purchased several storage devices and she wants you to make
them available for use in her Windows 10 device. You must compress a folder that contains several files,
and then verify that the storage allocation is smaller after compression. You must also enable disk quotas
to ensure that users do not use excessive disk space.

You have bought a number of hard disk drives and SSDs, and your task is to create a storage solution that
can fully utilize these new devices. You decide to implement a storage solution based on the Storage
Spaces feature.

Objectives
After completing this lab, you will be able to:

Enable a disk.
Create and configure a volume.

Compress a folder.
Enable disk quotas.

Implement a storage space.

Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL2

User names: Adatum\Administrator and Adatum\April


Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:


o User name: Administrator

o Password: Pa$$w0rd
o Domain: Adatum

5. Repeat steps 2, 3, and 4 for 20697-1B-LON-CL2.



Exercise 1: Adding a Disk


Scenario
You want to add one of the new disks to April's computer so she can use the hard disk to store files.

The main task for this exercise is as follows:

1. Use Disk Management to initialize a disk.

Task 1: Use Disk Management to initialize a disk


1. On LON-CL2, start the Disk Management snap-in.

2. Initialize Disk 1 only. You can see that Disk 1 now has a status of Online.

Results: After completing this exercise, you will have initialized one hard disk.

Exercise 2: Creating a Simple Volume


Scenario
You need to create a volume of the right size on the hard disk before April can store files on the hard disk.
The main tasks for this exercise are as follows:

1. Create a simple volume.


2. Extend the simple volume.

Task 1: Create a simple volume


In the Disk Management snap-in, create a simple volume on Disk 1 with the following attributes:

o Size: 5120 MB
o Drive letter: E

o Volume label: Data

Task 2: Extend the simple volume


1. In Windows PowerShell, type the following two commands:

$MaxSize = (Get-PartitionSupportedSize -DriveLetter e).sizeMax


Resize-Partition -DriveLetter e -Size $MaxSize

2. In Disk Management, verify that the E volume now occupies the entire Disk 1.

Results: After completing this exercise, you will have created a simple volume and then extended the
volume.

Exercise 3: Compressing a Folder


Scenario
April worries that some of a previous user's files might take up too much space.

The main tasks for this exercise are as follows:

1. Verify current folder size.

2. Configure compression on the folder.

3. Verify the storage consumed by the compressed folder.

Task 1: Verify current folder size


1. In File Explorer, navigate to the C:\Users\Admin folder.

2. Note the Size on Disk of the folder in MB:______________

Task 2: Configure compression on the folder


1. Compress the contents of the C:\Users\Admin folder.

2. In the Access Denied window, click Continue.


3. In the Error Applying Attributes window, click Ignore All.

Task 3: Verify the storage consumed by the compressed folder


After compression has finished, note the Size on Disk in MB for the folder:_________________. Notice
that the Admin folder is now blue because it is compressed.

Results: After completing this exercise, you will have compressed a folder with files.

Exercise 4: Enabling Disk Quotas


Scenario
You want to make sure that April is not using all the available space on her new drive. Configure disk
quotas to limit the total space that April can use.
The main tasks for this exercise are as follows:

1. Create disk quotas.

2. Create test files.


3. Verify the disk quota functionality.

Task 1: Create disk quotas


1. In File Explorer, open Quotas from the Properties of the E drive.

2. Configure quotas with the following attributes:

o Deny disk space to users exceeding quota limit: selected


o Limit disk space to: 500 MB

o Set warning level to: 250 MB

3. Sign out as Adatum\Administrator.



Task 2: Create test files


1. Sign in as the user Adatum\April with the password Pa$$w0rd.

2. In a command prompt, type the following five commands:

E:
MKDIR research
CD research
Fsutil file createnew file1.txt 209715200
Fsutil file createnew file2.txt 209715200

3. Sign out as April Reagan.

Task 3: Verify the disk quota functionality


1. Sign in as Adatum\Administrator with the password Pa$$w0rd.

2. In File Explorer, examine Quota Entries for Data (E:).


3. Notice the warning for April Reagan for the disk space used.

Results: After completing this exercise, you will have configured disk quotas.

Exercise 5: Creating a Storage Space


Scenario
April Reagan is worried that if her new hard disk fails, she will lose valuable data. She wants you to make a
redundant drive by using the existing disk and two other disks she has purchased.
The main tasks for this exercise are as follows:

1. Initialize the required disks.


2. Create a mirrored storage pool.
3. Verify that the volume is available in File Explorer.

Task 1: Initialize the required disks


In Windows PowerShell, type the following two commands:

Clear-Disk -Number 1 -RemoveData

Get-Disk | Where partitionstyle -eq 'raw' | Initialize-Disk -PartitionStyle MBR

Task 2: Create a mirrored storage pool


Create a new storage space with Disk 1, 2, and 3. Choose a resiliency type of Two-way mirror.

Task 3: Verify that the volume is available in File Explorer


1. Check the size of the new drive in File Explorer.

2. Notice that the capacity is approximately 12.1 GB.

Results: After completing this exercise, you will have created a two-way mirror storage space.

Prepare for the next module


When you are finished with the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat the steps for 20697-1B-LON-CL2.



Module Review and Takeaways


Review Question
Question: You are implementing 64-bit Windows 10 and need to partition the disk to
support 25 volumes, some of which will be larger than 2 terabytes (TB). Can you implement
this configuration by using a single hard disk?

Tools
The following table lists some of the tools that are available for managing hard disks.

Tool                      Used for                                         Where to find
Defrag.exe                Performing disk defragmentation tasks from       Command prompt
                          the command line
Compact.exe               Performing NTFS compression from the             Command prompt
                          command line
DiskPart                  Managing disks, volumes, and partitions from     Command prompt
                          the command line or from the Windows
                          Preinstallation Environment
Fsutil.exe                Performing tasks that relate to file             Command prompt
                          allocation table (FAT) and NTFS, such as
                          managing disk quotas from the command line
Disk Management           Managing disks and volumes, both basic and       Diskmgmt.msc
                          dynamic, locally or on remote computers
The Optimize Drives tool  Rearranging fragmented data so that disks and    In File Explorer, right-click a
                          drives can work more efficiently                 volume, click Properties, click
                                                                           the Tools tab, and then click
                                                                           Optimize
Storage Spaces            Creating and managing storage spaces             Control Panel
Storage Sense             Getting an overview of disk usage and            PC Settings
                          uninstalling applications

Common Issues and Troubleshooting Tips


Common Issue                                     Troubleshooting Tip
Configuring disk quotas on multiple volumes
Exceeding the quota allowance



Module 6
Managing Files and Printers
Contents:
Module Overview 6-1

Lesson 1: Overview of File Systems 6-3

Lesson 2: Configuring and Managing File Access 6-9


Lesson 3: Configuring and Managing Shared Folders 6-21

Lab A: Configuring and Managing Permissions and Shares 6-29


Lesson 4: Work Folders 6-36
Lab B: Configuring and Using Work Folders 6-41

Lesson 5: Managing Printers 6-44

Lab C: Installing and Managing a Printer 6-51


Module Review and Takeaways 6-54

Module Overview
The ability to control permissions to stored files is a critical aspect of data security. File permissions control
who can access files and what type of permissions a user has. You can configure basic permissions, such
as Read, Write, Modify, and Full Control, although each of those consists of additional advanced
permissions. You can configure these permissions for each file individually, for folders, for a single user,
or for a group of users. You should be aware of how permissions apply in different scenarios to ensure
that you do not inadvertently grant access to unauthorized users.

You can use the Work Folders feature in Windows 10, which allows users to access their data from
Windows 10 devices that are not joined to Active Directory Domain Services (AD DS) or connected to
your corporate network. Work Folders enable users to synchronize their data between all of their devices,
regardless of whether their device belongs to a domain.

Windows 10 enables you to manage locally attached printers, in addition to other print servers, by using
the Print Management feature. However, you must have network connectivity and permissions to use it.
Type 4 printer drivers no longer require a different printer driver for each printer model, and you can use
them with local and network printers in Windows 10.

Objectives
After completing this module, you will be able to:

Describe and create file systems that Windows 10 supports.


Configure file permissions.

Explain how permission inheritance works.

Implement conditions to limit access to files and folders.


Create and manage shares.

Create and use Work Folders.

Configure and manage printers.



Lesson 1
Overview of File Systems
Before you can store data on a volume, you must first format the volume. To format a volume, you must
select the file system that the volume should use. Windows 10 supports different file systems, including
file allocation table (FAT), FAT32, and extended file allocation table (exFAT); NTFS file system and Resilient
File System (ReFS); and Compact Disc File System (CDFS) and Universal Disk Format (UDF), which are used
on optical and read-only media.

In this lesson, you will learn about the differences and benefits of the file systems that Windows 10
supports.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the features of the FAT file system.

Explain the features of the NTFS file system.

Describe the features of the ReFS file system.


Work with the file systems available in Windows 10.

The FAT File System


FAT is the oldest file system that Windows 10 supports. It has a low overhead but many limitations when
compared with newer file systems. However, enterprises often use it because nearly every operating
system supports it. For example, you would use FAT on removable media, such as a USB key, when you
need to transfer data between Windows 10 and a non-Microsoft operating system, or on a local hard drive
if you have a PC with a dual-boot configuration.

Windows 10 supports three versions of FAT: FAT, FAT32, and exFAT. The main differences between the
three versions are the size of the largest supported volume, the default cluster size, and the maximum
number of files and folders that you can create on the volume. The following table lists the differences
between the three FAT versions.

                           FAT                FAT32       exFAT
Maximum volume size        4 gigabytes (GB)   32 GB       2^32-1 clusters
Maximum file size          4 GB               4 GB        16 exabytes
Maximum files per volume   65536              4177920     Nearly unlimited

Note: A cluster is the smallest unit of disk space that you can allocate to store a file. For
example, if a volume cluster is 4 kilobytes (KB) and you store a file with a size of 100 bytes on that
volume, it will use one cluster, which is 4 KB.

Note: The exFAT file system supports clusters from 512 bytes to 32 megabytes (MB).

For a detailed comparison between FAT and FAT32, refer to:

FAT16 vs. FAT32
http://aka.ms/i7wc50

For more information about exFAT limitations, refer to:

File System Functionality Comparison
http://aka.ms/q3z160

When you compare any version of FAT with the NTFS file system, which is the default file system in
Windows 10, you will find that many NTFS features are not available with FAT, such as:

Security. You cannot configure file permissions and limit user actions on a FAT volume. Any user
has unlimited permissions to data stored on a FAT volume, which includes reading, modifying, and
deleting. You cannot limit user permissions to data that the FAT file system stores.
Auditing. You cannot audit user actions on the FAT file system. For example, if a user deletes a file,
Event Viewer will not log that action.

Compression. The FAT file system does not support compression and each file uses its full original
size, rounded to the closest cluster size. You can use compression that is not file-system dependent
on the FAT file system, such as compressed (zipped) folders.

Encryption. Encrypting File System (EFS) is not supported, and you cannot use it on exFAT volumes.
You can use encryption that is not file-system dependent, such as a non-Microsoft Pretty Good Privacy
(PGP) solution.

Disk Quota. The FAT file system does not support quotas. This means that you cannot limit the disk
space that users can use on a FAT volume. Each user can store as much data as there is available
space on the FAT volume.

Note: Windows 10 adds support for encryption on FAT and FAT32 volumes.

Note: You select a file system and cluster size when you format a volume. However, you
cannot change the file system or cluster size that you are using on the volume. You can only
perform a backup, and then reformat the volume with different parameters. The only exception
is that you can convert FAT or FAT32 to NTFS file system.

Question: Why would you use the FAT file system in Windows 10?

Question: Can you format a 40 GB volume with the FAT32 file system?

The NTFS File System


The NTFS file system is the default file system in Windows 10. It provides performance, reliability, and
advanced features that are not available in any version of FAT, including:

Reliability. The NTFS file system uses log-file and checkpoint information to restore the consistency of
the file system when the computer restarts. In the event of a bad-sector error, the NTFS file system
dynamically remaps the cluster that contains the bad sector and allocates a new cluster for the data. It
also marks the cluster as bad and no longer uses it.

Security. You can set permissions on a file, folder, or the entire NTFS volume, which enables you to
control which users, groups, or computers can read, modify, or delete data. You also can enable
auditing to log activities on the NTFS volume.

Data confidentiality. The NTFS file system supports EFS to protect file content. If you have enabled
EFS, you can encrypt files and folders for use by a single user or by multiple users. EFS provides
confidentiality: a user who does not hold a decryption key cannot read the file content, even if that
user bypasses permissions by attaching the disk to another computer.

Limit storage growth. The NTFS file system supports disk quotas, which enable you to specify the
amount of disk space that is available to a user. When you enable disk quotas, you can track and
control disk-space usage. You can configure whether to allow users to exceed their limits, and
configure Windows 10 to log an event when a user exceeds a specified warning level or quota limit.

Provide additional space. The NTFS file system allows you to create extra disk space by compressing
files, folders, or whole drives. You also can extend an NTFS volume by mounting an additional volume
to an empty folder.

Support for large volumes. You can format a volume up to 256 TB by using the NTFS file system with
a 64-KB cluster size. The NTFS file system supports larger files and a larger number of files per volume
than any FAT version. It also manages disk space efficiently by using smaller cluster sizes. For example,
a 30-GB NTFS volume uses 4-KB clusters by default, whereas the same volume formatted with FAT32
uses 16-KB clusters. Smaller clusters reduce wasted space on hard disks.

Advanced features. The NTFS file system includes multiple advanced features, such as distributed link
tracking, sparse files, and multiple data streams.

Note: By using the Convert.exe utility, you can convert FAT or FAT32 to the NTFS file system on
data volumes without downtime or data loss.
You cannot convert NTFS to FAT. You first must back up the data, format the volume by using the
FAT file system, and then restore the data.

Question: What are the main benefits of the NTFS file system?

The ReFS File System


Windows Server 2012 introduced ReFS. It also is available in Windows 8.1, Windows Server 2012 R2, and
in all newer Microsoft operating systems. ReFS is built on the foundations of the NTFS file system (it
remains compatible with a subset of NTFS features) but uses a new on-disk structure that is designed to
provide the highest level of resiliency, integrity, and scalability, regardless of software or hardware
failures. ReFS includes only some NTFS features, such as permissions and auditing, and does not
support others, such as quotas, compression, and EFS encryption. ReFS is especially useful for data
volumes in multiterabyte (TB) file servers and for cluster-shared volumes in failover clusters.

ReFS includes the following benefits:

ReFS is designed to provide the highest level of protection for data from common errors that can
cause corruption, such as unexpected loss of power or disk failure. When you use ReFS with redundant
storage, which is the only supported configuration in Windows 10, ReFS can detect data corruption
and automatically correct it by using the second copy of the data.

ReFS periodically scans volumes. If it detects corruption, ReFS tries to correct the corruption
automatically. If it cannot repair the corruption automatically, ReFS localizes the salvaging process
to the corrupted area. This does not require any downtime for the volume.

ReFS supports extremely large volumes, even larger than the NTFS file system, without impacting
performance. ReFS volumes can hold multiple petabytes of data, and the theoretical size limit for a
ReFS volume is 2^78 bytes.

ReFS allows you to control file permissions and configure auditing as you would with the NTFS file
system. However, several other NTFS features, such as compression, disk quotas, EFS, and volume
shrinking, are not available on ReFS volumes.

Windows 10 provides limited support for ReFS. You can use it only with two-way or three-way mirror
storage spaces. You cannot format ReFS on nonmirrored storage spaces, such as simple or parity storage
spaces, or on an ordinary volume on a single disk.

For more information on ReFS, refer to:

Resilient File System Overview
http://aka.ms/m3p37a

Building the next generation file system for Windows: ReFS
http://aka.ms/al1zfa

Question: Can you use Disk Management or File Explorer to format a volume with ReFS in
Windows 10?

Demonstration: Work with File Systems in Windows 10


In this demonstration, you will see how to create a volume and format it with different file systems. You
will also see some of the differences between the various file systems and how to convert a FAT file system
to the NTFS file system. Finally, you will see how to create a two-way mirrored storage space and format it
with the ReFS file system.

Demonstration Steps
1. On LON-CL1, use Disk Management to show that when you create a 100 MB volume on Disk 2, you
can select between FAT, FAT32, and NTFS file systems. Additionally, note that you can mount a new
volume only to an empty folder on the NTFS volume.

2. Use Disk Management to show that if you are creating a 40,000 MB volume on Disk 2, you can
select only between exFAT and NTFS file systems. The Windows format tools create FAT32 volumes
only up to 32 GB (Windows can still read larger FAT32 volumes created elsewhere), so FAT32 is not
offered for a 40 GB volume.
3. Use Disk Management to create a 30,000 MB volume on Disk 2, formatted with FAT32 file system.
Note that the available options for file system are FAT32 and the NTFS file system only.
4. Use File Explorer to see that in volume F: properties, there is no Security and Quota tab, because
FAT does not support permissions and disk quotas.

5. At the command prompt, convert a file system on the F drive to the NTFS system by running the
following command: convert f: /fs:ntfs.
6. Use File Explorer to note that in the F volume properties, there now is a Security and Quota tab, as
the NTFS system supports permissions and disk quotas. Note also the Compress this drive to save
disk space check box, because the NTFS system supports compression.

7. Use Storage Spaces to create a new pool and two-way mirror resiliency type with the ReFS file
system. If you select Simple (no resiliency) or Parity resiliency type, ReFS file system is not available.
It is available only with two-way or three-way mirror resiliency types.
8. Use Disk Management to verify that Disk 3 and Disk 4 no longer appear, but that Disk 5 appears.
Disk 5 has a primary partition that is formatted with ReFS file system.
9. Use File Explorer to note that in the volume G properties, there is a Security tab, but there is no
Quota tab and no Compress this drive to save disk space check box. This is because ReFS does
not support disk quotas and compression.
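The demonstration discovers what each file system supports by looking for tabs in the Properties dialog box. As an added Windows PowerShell example, not part of the course, the following script asks the operating system directly for the capability flags of every drive-letter volume through the Win32 GetVolumeInformationW API, and warns about volumes on which permissions and auditing cannot be enforced. The flag names and values are those in winnt.h; the P/Invoke wrapper and the function name Get-VolumeCapability are this example's own.

```powershell
# Added example (not from the course): read each volume's file-system capability
# flags through the Win32 GetVolumeInformationW API instead of inferring them
# from the file-system name. Works on Windows 8.1/10 without extra modules.
Add-Type -Namespace Win32 -Name Volume -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool GetVolumeInformationW(
    string lpRootPathName,
    System.Text.StringBuilder lpVolumeNameBuffer, int nVolumeNameSize,
    out uint lpVolumeSerialNumber, out uint lpMaximumComponentLength,
    out uint lpFileSystemFlags,
    System.Text.StringBuilder lpFileSystemNameBuffer, int nFileSystemNameSize);
'@

# Capability bits from winnt.h. A volume that lacks FILE_PERSISTENT_ACLS
# cannot store permissions or audit entries at all.
$Capability = [ordered]@{
    PersistentAcls = 0x00000008   # FILE_PERSISTENT_ACLS: permissions and auditing
    Compression    = 0x00000010   # FILE_FILE_COMPRESSION
    Quotas         = 0x00000020   # FILE_VOLUME_QUOTAS
    SparseFiles    = 0x00000040   # FILE_SUPPORTS_SPARSE_FILES
    Encryption     = 0x00020000   # FILE_SUPPORTS_ENCRYPTION (EFS)
    NamedStreams   = 0x00040000   # FILE_NAMED_STREAMS (alternate data streams)
}

function Get-VolumeCapability {
    # $Root is a root path such as 'C:\' (the API requires the trailing backslash).
    param([Parameter(Mandatory)][string]$Root)

    $label  = New-Object System.Text.StringBuilder 261
    $fsName = New-Object System.Text.StringBuilder 261
    [uint32]$serial = 0; [uint32]$maxLen = 0; [uint32]$flags = 0

    $ok = [Win32.Volume]::GetVolumeInformationW($Root, $label, $label.Capacity,
            [ref]$serial, [ref]$maxLen, [ref]$flags, $fsName, $fsName.Capacity)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "GetVolumeInformationW failed for $Root (Win32 error $err)"
    }

    $result = [ordered]@{ Root = $Root; FileSystem = $fsName.ToString(); Label = $label.ToString() }
    foreach ($name in $Capability.Keys) {
        $result[$name] = [bool]($flags -band $Capability[$name])
    }
    [pscustomobject]$result
}

# Inventory every drive-letter volume. Get-PSDrive avoids a dependency on the
# Storage module; drives with no media (card readers) are reported and skipped.
$report = Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    ForEach-Object {
        try { Get-VolumeCapability -Root $_.Root } catch { Write-Warning $_ }
    }

$report | Format-Table Root, FileSystem, PersistentAcls, Quotas, Compression, Encryption -AutoSize

# Anything without persistent ACLs gives every user full access to every file.
foreach ($v in ($report | Where-Object { -not $_.PersistentAcls })) {
    $drive = $v.Root.TrimEnd('\')
    $fix = if ($v.FileSystem -in 'FAT', 'FAT32') { "convert $drive /fs:ntfs" }
           else { "back up and reformat $drive with NTFS" }
    Write-Warning "$($v.Root) is $($v.FileSystem): permissions and auditing cannot be enforced. Fix: $fix"
}
```

On the lab computer this shows NTFS volumes with every flag set, the FAT32 volume with none, and the ReFS volume with PersistentAcls set but Quotas, Compression, and Encryption clear, which matches what the Properties dialog box shows in steps 4, 6, and 9.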

Check Your Knowledge


Question

Which two of the following file systems can you use on the 100-GB simple volume
that you created on a single disk?

Select the correct answer.

FAT

FAT32

exFAT

NTFS

ReFS

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You cannot convert a partition with the exFAT file system to the NTFS file
system.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can format a 1-TB volume on a single physical disk in Windows 10 with
ReFS.

Lesson 2
Configuring and Managing File Access
You can control user access to files by configuring file and folder permissions. If the file system
supports permissions, as the NTFS file system and ReFS do, you can configure them at the volume
(root folder), folder, and file levels.

You can assign permissions explicitly, or objects can inherit them from higher levels. If you are unsure
what access a user or group ends up with after explicit and inherited entries are combined, you can use
the effective permissions feature to review it.

While permissions typically use group membership to control access, if Windows 10 is an AD DS member,
you also can use conditions to limit access. Conditions use claims, which are user-property values in
AD DS.

Lesson Objectives
After completing this lesson, you will be able to:
Describe the tools for managing files and folders.

Describe how to configure file and folder permissions.

Describe the concept of permission inheritance.


Implement conditions to limit file and folder access.

Secure files and folders by using file permissions.

Use the effective permissions feature.


Describe how copying and moving files and folders affect permissions.

Tools Used for Managing Files and Folders


When you restart or turn off a PC, the contents of memory are lost; only data written to storage
persists. You can store data as files, either on local or remote storage. You can manage files by using
several tools in Windows 10, such as File Explorer, the command prompt, and Windows PowerShell.

File Explorer
File Explorer, called Windows Explorer in previous
Windows versions, is a tool that you typically use
to manage files and folders. File Explorer provides
a simple interface that is familiar to most Windows
users. You can use File Explorer to perform several
functions, including:

Creating files and folders.

Accessing files and folders.


Managing properties of files and folders.

Searching for content in files and folders.

Previewing contents of files and folders.



By default, File Explorer is pinned to the Windows 10 taskbar. It includes the navigation and the details
pane, in addition to the address bar and ribbon, which makes it easier to use on touch devices. Depending
on your permissions, you can right-click or use the ribbon option in File Explorer to access the properties
of any file or folder. You also can manage file permissions, and create, open, and delete files. The ribbon is
context-sensitive, and it provides fast access to common options. For example, you can map a network drive
from the ribbon when you have This PC selected, and you can create a new folder when you have Local
Disk (C:) selected. If you need to access the same folder often, you can pin it to Quick access, and it will
appear in the navigation pane.

If you need to manage file permissions in File Explorer, right-click the object, and then select Properties,
or select the object, and then click Properties on the Home tab of the ribbon. You can configure
permissions on the Security tab of the Properties dialog box.

Command prompt
If you prefer, you can use a command prompt to access files and folders. You can access a command
prompt by right-clicking Start or by typing cmd in the Search the web and Windows text box on the
taskbar. The following table lists some common commands for managing files and folders.

Command         Purpose
cd, chdir       Changes the current directory (cd .. moves to the parent directory).
md, mkdir       Creates a directory.
del, erase      Deletes one or more files.
move            Moves one or more files.
dir             Displays a list of files and subdirectories in a directory.
icacls          Displays or modifies permissions by using access control lists (ACLs).

For additional information on the icacls tool, refer to the following URL:
icacls
http://aka.ms/e898bk

Windows PowerShell
You can access Windows PowerShell by typing PowerShell in the Search the web and Windows text
box on the taskbar. Windows PowerShell provides multiple cmdlets that you can use to manage files and
folders, such as Get-ChildItem, which displays a directory's list of files and subdirectories, or Set-Location,
which changes the current directory. It also includes many aliases, which are the same as the familiar
tools in the command prompt, such as dir and cd, and you can use them instead of the Windows
PowerShell cmdlets. Run the Get-Alias cmdlet to view the list of all aliases.

To manage file permissions, you can use the Get-ACL and Set-ACL cmdlets. For example, to see the
current ACL on the C:\PerfLogs directory, with the output in list format, run the following command:

Get-ACL C:\PerfLogs | Format-List



To modify a file or folder's ACL, use the Set-ACL cmdlet. You also can use the Get-ACL cmdlet in
conjunction with the Set-ACL cmdlet: Get-ACL provides the input by getting the object that represents
the file or folder's ACL, and Set-ACL then changes the ACL of the target file or folder to match it. For
example, to set the ACL on the C:\Folder2 folder to be the same as the permissions on C:\Folder1,
including inheritance settings, you would run the following command:

Get-ACL C:\Folder1 | Set-ACL C:\Folder2

Because the object that Get-ACL returns also carries the owner of C:\Folder1, Set-ACL applies that
owner to C:\Folder2 as well. Setting an owner other than yourself requires administrative privileges,
so run the command from an elevated Windows PowerShell prompt.

For more information on the Set-ACL cmdlet, refer to:

Set-Acl
http://aka.ms/xxgj91

Question: Which Windows 10 graphical tool is used most often to manage files and folders?

File and Folder Permissions


You can configure file and folder permissions only on NTFS and ReFS volumes. Permissions are rules
that determine what operations specific users can perform on a file or a folder. A file or folder's owner
can grant or deny permissions to it, as can anyone with the Full Control permission, which grants that
person the right to modify permissions for that file or folder. You assign permissions to files and folders
by granting or denying a specific permission level. Typically, you assign them to groups to minimize
administrative overhead. If you assign permissions to a group, every group member has the assigned
permission. You can also assign permissions to individual users and computers. If you assign permissions
to a group and to individual group members, they are cumulative. This means that a user has the
permissions that you assign to him or her, in addition to those you assign to the group.

Permissions example
Consider the following example. Adam is a member of the Marketing group, which has Read permission
to the Pictures folder. If an administrator assigns Write permissions to Adam for the Pictures folder, Adam
will have Read permissions, because he is a member of the Marketing group, and Write permissions,
because the administrator assigned them directly to him.

Types of permissions
You can configure two types of permissions for files and folders on NTFS and ReFS volumes: basic and
advanced. The difference is that:
Basic permissions are the most commonly used permissions. You most often will work with basic
permissions and assign them to groups and users. Each basic permission is a fixed combination of
advanced permissions.

Advanced permissions (also called special permissions) provide a finer degree of control. However,
advanced permissions are more complex to document and manage than basic permissions.

Basic file and folder permissions

The following table lists the basic file and folder permissions. You can choose whether to allow or deny
each.

Full control. Provides complete control of the file or folder, including the ability to change its
permissions and take ownership of it. It includes every advanced permission.

Modify. Allows you to read a file, run it, write changes to it, and delete it, but not to change its
permissions or take ownership. The advanced permissions that comprise Modify are Traverse
folder/execute file, List folder/read data, Read attributes, Read extended attributes, Create files/write
data, Create folders/append data, Write attributes, Write extended attributes, Delete, and Read
permissions.

Read & execute. Allows you to see folder content, read files, and start programs. This applies to an
object and any child objects by default. The advanced permissions that make up Read & execute are
Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, and Read
permissions.

Read. Allows you only to read a file, not to make any changes to it. This applies to an object and any
child objects by default. The advanced permissions that make up Read are List folder/read data, Read
attributes, Read extended attributes, and Read permissions.

Write. Allows you to change folder and file content. This applies to an object and any child objects by
default. The advanced permissions that make up Write are Create files/write data, Create folders/append
data, Write attributes, and Write extended attributes. Write does not include Delete.

Special permissions. Any combination of advanced permissions that does not match one of the basic
permissions exactly. The Security tab shows such an entry as Special permissions.

Note: Groups or users that have the Full Control permission on a folder can delete any
files in that folder, regardless of the permissions that protect the file, because Full Control on the
folder includes the Delete subfolders and files advanced permission.

To modify permissions, you must have the Change permissions advanced permission on the folder or
file, which the Full Control basic permission includes. The one exception is for file and folder owners.
The owner of a file or folder can modify its permissions even without any other permission on it.
Administrators can take ownership of files and folders to make modifications to permissions.
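To show how the basic permissions above are composed, here is an added Windows PowerShell example, not part of the course, that decomposes any permission mask into the advanced permissions that the Advanced Security Settings dialog box lists, and reports whether the Security tab would show it as a basic permission or as Special permissions. It takes the bit values from the .NET FileSystemRights enumeration, which Get-Acl also uses; the function name Resolve-FileSystemRights is this example's own.

```powershell
# Added example (not from the course): decompose a FileSystemRights mask into
# the advanced permissions the Advanced Security Settings dialog lists, and
# decide whether the Security tab would show it as a basic permission or as
# "Special permissions". Also useful for reading the masks that icacls prints.
using namespace System.Security.AccessControl

# Advanced (special) permissions, in dialog order. Traverse folder and Execute
# file share one bit, as do the other folder/file pairs.
$Advanced = [ordered]@{
    'Traverse folder / execute file' = [int][FileSystemRights]::ExecuteFile
    'List folder / read data'        = [int][FileSystemRights]::ReadData
    'Read attributes'                = [int][FileSystemRights]::ReadAttributes
    'Read extended attributes'       = [int][FileSystemRights]::ReadExtendedAttributes
    'Create files / write data'      = [int][FileSystemRights]::WriteData
    'Create folders / append data'   = [int][FileSystemRights]::AppendData
    'Write attributes'               = [int][FileSystemRights]::WriteAttributes
    'Write extended attributes'      = [int][FileSystemRights]::WriteExtendedAttributes
    'Delete subfolders and files'    = [int][FileSystemRights]::DeleteSubdirectoriesAndFiles
    'Delete'                         = [int][FileSystemRights]::Delete
    'Read permissions'               = [int][FileSystemRights]::ReadPermissions
    'Change permissions'             = [int][FileSystemRights]::ChangePermissions
    'Take ownership'                 = [int][FileSystemRights]::TakeOwnership
}

# Basic permissions as the Security tab names them. Synchronize is implied by
# every Allow entry, so it is ignored when matching.
$Basic = [ordered]@{
    'Full control'   = [int][FileSystemRights]::FullControl
    'Modify'         = [int][FileSystemRights]::Modify
    'Read & execute' = [int][FileSystemRights]::ReadAndExecute
    'Read'           = [int][FileSystemRights]::Read
    'Write'          = [int][FileSystemRights]::Write
}
$Synchronize = [int][FileSystemRights]::Synchronize

function Resolve-FileSystemRights {
    param([Parameter(Mandatory)][FileSystemRights]$Rights)

    $mask  = ([int]$Rights) -band -bnot $Synchronize
    $parts = @($Advanced.GetEnumerator() |
                 Where-Object { ($mask -band $_.Value) -eq $_.Value } |
                 ForEach-Object Key)

    # Exact match against a basic permission; anything else (including entries that
    # carry generic rights bits) is displayed as "Special permissions".
    $basicName = 'Special permissions'
    foreach ($b in $Basic.GetEnumerator()) {
        if (($b.Value -band -bnot $Synchronize) -eq $mask) { $basicName = $b.Key; break }
    }

    [pscustomobject]@{
        Mask     = '0x{0:X}' -f [int]$Rights
        Basic    = $basicName
        Advanced = $parts
    }
}

# The Modify row from the table, the Read + Write combination assigned to Adam
# in the text (shown as Special permissions), and Full control minus Change permissions.
Resolve-FileSystemRights -Rights Modify
Resolve-FileSystemRights -Rights ([FileSystemRights]::Read -bor [FileSystemRights]::Write)
Resolve-FileSystemRights -Rights ([FileSystemRights]::FullControl -bxor [FileSystemRights]::ChangePermissions)

# Applied to a real ACL: every entry on the Windows folder that the Security tab
# would list as "Special permissions".
(Get-Acl -Path $env:windir).Access |
    ForEach-Object { Resolve-FileSystemRights -Rights $_.FileSystemRights } |
    Where-Object Basic -eq 'Special permissions'
```

The Read + Write case is why the second question below has a non-obvious answer: the user can read and write, but because that combination is not one of the five basic permissions, the Security tab shows it as Special permissions.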

Question: If a user's permissions are shown as Special permissions, what file permissions
does the user have?

Question: If a user who has only Read permission is a member of a group that has Write
permission, what permissions does the user actually have?

Overview of Permission Inheritance


There are two ways that you can assign permissions to files and folders:

Explicit permissions. When you set permissions directly on a file or a folder, the permissions are
applied explicitly. You can assign permissions to the object directly by modifying the security settings
in the object's Properties dialog box.

Inherited permissions. Files and folders typically are arranged in a nested structure, where a folder
contains subfolders and files, and those subfolders contain files and folders. Permission inheritance
allows child objects to inherit the parent object's permission settings. This allows you to assign explicit
permissions to a parent folder and have inheritance pass those permission settings down to the parent
folder's subfolders and files. You can control inheritance behavior. Inherited permissions ease the task
of managing permissions, and they ensure the consistency of permissions among all of a container's
objects.

Permission inheritance allows the permissions that you set on a folder to apply automatically to files that
users create in that folder and its subfolders. This means that you can set permissions for an entire folder
structure at a single point. If you have to modify permissions, you then have to perform the change at
that single point only.

For example, when you create a folder called Folder1, all subfolders and files created within Folder1
automatically inherit that folder's permissions. Therefore, Folder1 has explicit permissions, while all
subfolders and files within it have inherited permissions.

Permissions on a file are a combination of inherited and explicit permissions. For example, if you assign
Group1 Read permission on a folder and Write permission on a file in the folder, members of Group1
can read and write the file. If inherited and explicit permissions conflict, explicit permissions take
precedence.

Inheritance for all objects


If the Allow or Deny check boxes that are associated with each of the permissions appear shaded, a file
or folder has inherited permissions from one of its parent folders. There are two ways that you can make
changes to inherited permissions:

Make changes to a parent folder at which you set permissions explicitly. The file or folder will inherit
these modified permissions.
Choose not to inherit permissions from a parent object. You then can make changes to the
permissions or remove a user or group from the permissions list of the file or folder.

Note: You can make changes to inherited permissions also by selecting the opposite
permission (Allow or Deny) to override the inherited permission. You should be aware that this
might cause a different result than many users expect, because when you set both the Deny and
the Allow permissions at the same level, Deny has a higher precedence than Allow. Therefore, we
recommend that you avoid using this option.

You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her
file, even though he is a member of the Marketing group, which has Read permissions. She can exclude
Bob by explicitly denying him permission to read the file. Typically, you use explicit denial to exclude a
subset, such as Bob, from a larger group, such as Marketing, that has permission to perform an operation.

Please note that although explicit denials are possible, their use increases the complexity of the
authorization policy, which can create unexpected errors. For example, you might want to allow domain
administrators to perform an action, but deny domain users the ability to perform it. If you attempt to
implement this by explicitly denying domain users, you also deny any domain administrators who are
domain users. Though it is sometimes necessary, you should avoid the use of explicit denials.

In most cases, Deny overrides Allow unless a folder inherits conflicting settings from different parents. In
that case, the setting inherited from the parent closest to the object in the subtree takes precedence.

Note: Inherited Deny permissions do not prevent access to an object if the object has an
explicit Allow permission entry. Explicit permissions take precedence over inherited permissions,
including inherited Deny permissions.

Child objects only inherit permissions that they are capable of inheriting. When you set permissions on a
parent object, you can decide whether folders, subfolders, and files can inherit permissions. Perform the
following procedure to assign permissions that child objects can inherit:

1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click
Advanced.
2. In the Advanced Security Settings for file or folder dialog box, the Inherited From column lists
from where the permissions are inherited. The Applies To column lists the folders, subfolders, or files
to which the permissions are applied.
3. Double-click the user or group for which you want to adjust permissions.

4. In the Permissions Entry for name dialog box, click the Applies to drop-down list, and then select
one of the following options:
o This folder only

o This folder, subfolders, and files

o This folder and subfolders

o This folder and files

o Subfolders and files only

o Subfolders only

o Files only

5. Click OK in the Permission Entry for name dialog box, click OK in the Advanced Security Settings
for name dialog box, and then click OK in the Properties dialog box.
If the Special permissions entry in Permissions for User or Group box is shaded, it does not imply
that this permission is inherited. Rather, this means that a special permission is selected.

Note: If you add permissions for CREATOR OWNER at the folder level, those permissions
will apply to the user who created the file in the folder.

Preventing inheritance
After you set permissions on a parent folder, new files and subfolders that users create in the folder inherit
these permissions. You can block permission inheritance to restrict access to these files and subfolders. For
example, you can assign all Accounting users the Modify permission to the Accounting folder. On the
subfolder Invoices, you can block inherited permissions and grant only a few specific users permissions
to the folder.

Note: When you block permission inheritance, you have the option to convert inherited
permissions into explicit permissions, or you can remove all inherited permissions. If you want to
restrict a particular group or user, you can convert inherited permissions into explicit permissions
to simplify configuration.

To prevent a child file or folder from inheriting permissions from a parent folder, select This folder
only in the Applies to drop-down list box when you configure permissions for the parent folder.

To prevent a folder or file from inheriting permissions from a parent folder, perform the following
procedure:

1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click
Advanced.

2. In the Advanced Security Settings for file or folder dialog box, click Disable inheritance.
3. In the Block Inheritance dialog box, select any of the following options:

o Convert inherited permissions into explicit permissions on this object

o Remove all inherited permissions from this object

o Cancel
4. Click OK in the Advanced Security Settings for name dialog box, and then click OK in the
Properties dialog box.

Forcing permission inheritance


The Advanced Security Settings dialog box for folders includes a Replace all child object permission
entries with inheritable permission entries from this object check box. Selecting this check box
replaces the permissions on all child objects for which you can change permissions, including child
objects on which inheritance was disabled. This is useful if you need to change permissions on a large
number of subfolders and files, especially if you set the original permissions incorrectly.
Question: If a file inherits permissions from a folder, can you modify the permissions on
that file?

Implementing Conditions to Limit File and Folder Access


Traditionally, you control permissions to files and folders by using group membership. However, if
your Windows 10-based computer is a domain member, you can extend this traditional access control by
using conditions to limit access. Windows 8 and Windows Server 2012 introduced this feature, which
allows you to use user or computer properties to limit access beyond group membership. For example,
if users have a defined department in AD DS, you can limit access to files or folders to users from a
specific department, regardless of their group membership. You also can limit access to users who are in
the department and in a specific group. You do this by extending the user's token, which every user
receives at sign-in, with claims. Claims are AD DS properties and their values, and an administrator
must configure which properties can be used as claims in AD DS.

Even if an administrator does not specify in AD DS which properties to use as claims, you can use
conditions to limit access to files or folders based on user or device-group membership. When viewing
the permissions for a file or folder, the Condition column in the Advanced Security Settings lists the
applied conditions. Please note that when you specify conditions:
You use a Group condition so that you can specify that the permission will apply to the user based on
the following group-membership rules:
o Member of Any of the specified groups.
o Member of Each of the specified groups.

o Not Member of Any of the specified groups.

o Not Member of Each of the specified groups.


You use a Device condition so that you can specify that the permission will apply if a user accesses
the file from a specified computer or computers. The following topic provides more detail about this
condition.
You can specify multiple conditions for the configured permission to apply. For example, you can create
a permission that would give members of the Financial group Full Control permissions if they also are
members of the Managers group and are accessing the folder from Computer1.

Question: What conditions should you include so that you limit access to files in the NTFS
file system or the ReFS file system?

Demonstration: Securing Files and Folders with File Permissions


In this demonstration, you will demonstrate how to configure file permissions. You also will demonstrate
the difference between basic and advanced file permissions, and the effects of permission inheritance.

Demonstration Steps
1. Use File Explorer to create a folder called C:\Data.

2. View security for C:\Data, and then explain why check boxes in the Permissions for Authenticated
Users section are dimmed.

3. Verify that you cannot remove permissions for Authenticated Users on the C:\Data folder.

4. Add default permissions to Managers on the C:\Data folder, and then explain why permissions for
Managers are not dimmed.

5. Remove Read & execute and List folder contents permissions for Managers on C:\Data.
6. View advanced permissions for Managers on C:\Data, and then explain that basic Read permission
contains multiple advanced permissions.

7. Create a file named File1.txt in C:\Data.

8. View the advanced security settings for File1.txt, and then note that permissions for Managers are
inherited from C:\Data\, and all other permissions are inherited from C:\.

9. Verify that you cannot remove permissions for Managers from File1.
10. Convert inherited permissions into explicit permissions on File1.txt, explain the options in the Block
Inheritance dialog box, and then verify that all permissions entries now are set explicitly at this level.

11. Remove permissions for Managers on File1.txt.
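The Get-ACL and Set-ACL cmdlets from the Windows PowerShell topic earlier in this lesson can reproduce the inheritance behavior described in the inheritance topic and exercised in the demonstration above. The following is an added Windows PowerShell example, not part of the course. It works on a throw-away folder under %TEMP% and assumes the built-in Users group so that it runs on any Windows 10 computer (substitute Managers in the lab); the Show-Ace helper is the example's own.

```powershell
# Added example (not from the course): reproduce the inheritance demonstration
# with Get-Acl / Set-Acl on a throw-away folder under $env:TEMP.
# Assumption: the group is 'Users' so the script runs on any Windows 10 PC; in
# the lab, replace it with 'Managers' as the demonstration does.
using namespace System.Security.AccessControl

$group = 'Users'
$root  = Join-Path $env:TEMP ('acl-demo-' + [guid]::NewGuid().ToString('N'))
$data  = New-Item -ItemType Directory -Path $root
$sub   = New-Item -ItemType Directory -Path (Join-Path $root 'Invoices')
$file  = New-Item -ItemType File -Path (Join-Path $sub.FullName 'File1.txt')

function Show-Ace([string]$Path) {
    # IsInherited = True is what the dimmed check boxes in the Security tab mean.
    Write-Host "`n== $Path"
    (Get-Acl -LiteralPath $Path).Access |
        Format-Table IdentityReference, AccessControlType, FileSystemRights,
                     IsInherited, InheritanceFlags, PropagationFlags -AutoSize
}

# 1. Explicit Allow Modify on the parent that applies to
#    'This folder, subfolders and files' (ContainerInherit + ObjectInherit).
$acl  = Get-Acl -LiteralPath $data.FullName
$rule = [FileSystemAccessRule]::new($group, [FileSystemRights]::Modify,
            [InheritanceFlags]'ContainerInherit, ObjectInherit',
            [PropagationFlags]::None, [AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $data.FullName -AclObject $acl
Show-Ace $file.FullName      # the entry appears on the file with IsInherited = True

# 2. Disable inheritance on the subfolder. ($true, $true) converts inherited
#    entries to explicit ones, the 'Convert inherited permissions into explicit
#    permissions' option; ($true, $false) would remove them instead.
$subAcl = Get-Acl -LiteralPath $sub.FullName
$subAcl.SetAccessRuleProtection($true, $true)
Set-Acl -LiteralPath $sub.FullName -AclObject $subAcl
Show-Ace $sub.FullName       # same entries, now IsInherited = False

# 3. Explicit Deny Write at the same level as the (now explicit) Allow Modify.
#    Windows orders the Deny first and evaluates it first, so members lose
#    write access while keeping read, execute and delete.
$subAcl = Get-Acl -LiteralPath $sub.FullName
$deny = [FileSystemAccessRule]::new($group, [FileSystemRights]::Write,
            [InheritanceFlags]'ContainerInherit, ObjectInherit',
            [PropagationFlags]::None, [AccessControlType]::Deny)
$subAcl.AddAccessRule($deny)
Set-Acl -LiteralPath $sub.FullName -AclObject $subAcl
Show-Ace $file.FullName      # the file now inherits both entries from Invoices

# 4. Re-enable inheritance on the subfolder and remove the Deny. The parent's
#    inheritable entries return; an explicit Deny would otherwise stay in place.
$subAcl = Get-Acl -LiteralPath $sub.FullName
$subAcl.SetAccessRuleProtection($false, $false)
$null = $subAcl.RemoveAccessRule($deny)
Set-Acl -LiteralPath $sub.FullName -AclObject $subAcl
Show-Ace $sub.FullName

Remove-Item -LiteralPath $root -Recurse -Force
```

Step 3 illustrates why the text advises against explicit Deny entries: the Deny on Invoices also reaches everyone in Users, including administrators, for as long as it exists. The cleanup still succeeds because Deny Write does not include the Delete advanced permission.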

Effective Permissions
Each file or folder on the NTFS file system or ReFS has inherited or explicit permissions assigned, or
both. Windows 10 determines effective permissions by combining the permission entries for the user
with the entries for every group of which the user is a member. You also can evaluate what the
effective permissions would be if you added a user or a device to additional groups, and configure
whether to include user and device claims. For example, if you assign a user Read permission and assign
the Modify permission to a group of which the user is a member, the effective permissions are the union
of Read and Modify. This union is the Modify permission, because Modify already includes Read. You
also can evaluate what type of permissions the user would have if you added the user to the IT and
Managers groups (without actually doing so), and whether the effective permissions would differ if the
user's token included a Country = US user claim.

Note: When you combine permissions, Windows 10 evaluates the Deny permissions before
the Allow permissions that are set at the same level. Therefore, a Deny permission takes precedence
over an Allow permission set at the same level.
If you set Deny and Allow permissions at different levels (for example, if Deny is set at the folder
and Allow is set explicitly on its subfolder), the explicit Allow on the subfolder takes precedence over
the Deny that the subfolder inherits.

Effective Access feature


The Effective Access feature determines the permissions a user or group has on an object by calculating
the permissions that are granted to the user or group. The calculation takes into account the group
membership permissions and any of the permissions inherited from the parent object. The calculation
determines all of the domain and local groups of which the user or group is a member.

Note: The Effective Access feature always includes the Everyone group when calculating
effective permissions, as long as the selected user or group is not a member of the Anonymous
Logon group.

The Effective Access feature only produces an approximation of the permissions that a user has. The
actual permissions can differ, because permissions can be granted or denied based on how a user signs
in. The Effective Access feature cannot take the sign-in type into account, because the user might not
be signed in at all when you run the calculation. Therefore, the result reflects only the entries for the
user and the user's groups, not the entries for the well-known security identifiers that a sign-in adds to
the user's token. For example, if a user connects to a computer through a file share, the sign-in for
that user is marked as a Network Logon, and you can grant or deny permissions to the well-known
security identifier NETWORK that the connected user receives. This way, users have different permissions
when they sign in locally than when they sign in over a network.

You can view effective access permissions in the Advanced Security Settings dialog box for files or
folders stored on the NTFS or ReFS file system. You can access this dialog box from a folder's Properties
dialog box by using the Advanced button on the Security tab, or directly from the Share menu on the
ribbon.

Note: Windows 10 supports claims, so you can include the user and device claims when
evaluating effective access. A claim is information about a user or device that a domain controller
published, and you can use it to evaluate if a user has access to data.

Question: How can you include the calculation of conditions that limit access to the Effective
Access feature?

Question: Can the Effective Access feature consider only the current group membership
when it is calculating effective permissions for a selected user or group?

Copying and Moving Files


When you copy or move a file or folder, the
permissions can change, depending on where
you move the file or folder. Therefore, when you
copy or move files or folders, it is important to
understand the impact on permissions.

Effects of copying files and folders


When you copy a file or folder from one folder
to another, or from one volume to another,
permissions for the files or folders might change.
Copying a file or folder creates new objects with
the same content as the original files or folders,
and it has the following effects on permissions:

When you copy a file or folder within a single volume, the copy of the folder or file inherits the
permissions of the destination folder.
When you copy a file or folder to a different volume, the copy of the folder or file inherits the
permissions of the destination folder.
When you copy a file or folder to a volume that does not support permissions (non-NTFS and non-
ReFS), such as a FAT file system, the copy of the folder or file loses its permissions. This is because the
target volume does not support permissions.

Note: When you copy a file or folder within a single volume or between volumes, you must
have the Read permission for the source folder and the Write permission for the destination
folder.

Effects of moving files and folders


When you move a file or folder, permissions might change, depending on the destination folder's
permissions. Moving a file or folder has the following effects on permissions:
If you move a file or folder within the same volume, only the pointer(s) are updated, and data is not
moved. Permissions that are inherited at the source location no longer apply and the file or folder
that you moved inherits the permissions from the new parent folder. If the file or folder has explicitly
assigned permissions, it retains those permissions, in addition to the newly inherited permissions.

Note: Most files do not have explicitly assigned permissions. Instead, they inherit
permissions from their parent folder. If you move files that have only inherited permissions,
they do not retain the inherited permissions during the move.

When you move a file or folder to a different volume, the folder or file inherits the destination folder's
permissions, but it does not retain the explicitly assigned or inherited permissions from the source
location. When you move a folder or file between volumes, Windows 10 copies the folder or file to
the new location and deletes the original file from the source location.

When you move a file or folder to a volume that does not support permissions (non-NTFS and non-
ReFS), the folder or file loses its permissions because the target volume does not support permissions.

Note: When you move a file or folder within a volume or between volumes, you must have
both the Write permission for the destination folder and the Modify permission for the source file
or folder. You require the Modify permission to move a folder or file, because Windows 10
deletes the folder or file from the source folder after it copies it to the destination folder.

The Copy command is not aware of the security settings on folders or files. However, commands that are
more robust have this awareness. For example:

Xcopy has the /o switch to include Ownership and ACL settings.

Robocopy has several switches that cause security information to be copied:


o /Copy:copyflag(s). The default setting is the equivalent of /Copy:DAT, where D=Data,
A=Attributes, and T=Timestamps. You can add the S flag, where S=Security, such as NTFS ACLs.

o /Sec is the equivalent of /Copy:DATS.
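As an added example (not from the course), the script below makes the copy and move behaviours described in this topic observable on one test file: a plain copy inherits only the destination's ACL, a move within the same volume keeps the file's explicitly assigned entry, and Robocopy with /COPY:DATS carries the source entries to the copy. C:\Data\IT, C:\Temp\PermDemo and the ADATUM\IT group are assumptions taken from the lab layout; run it in an elevated Windows PowerShell session.

```powershell
# Added example (not from the course): how copying and moving change NTFS ACEs, and how
# Robocopy /COPY:DATS carries the source ACL. Paths and the ADATUM\IT group are
# assumptions taken from the lab layout.
$ErrorActionPreference = 'Stop'
$source = 'C:\Data\IT'
$stage  = 'C:\Temp\PermDemo'
New-Item -ItemType Directory -Path $stage -Force | Out-Null

# Create a test file that carries one explicit ACE (Read for ADATUM\IT) on top of the
# entries it inherits from C:\Data\IT.
$file = Join-Path $source 'File1.txt'
Set-Content -Path $file -Value 'constructed test content'
$acl  = Get-Acl -Path $file
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('ADATUM\IT', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $file -AclObject $acl

# Lists the explicit (non-inherited) ACEs on a path as 'Identity:Type:Rights' strings.
# Inherited entries always describe the current parent, so only explicit ones tell us
# what survived the operation.
function Get-ExplicitAces {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object { '{0}:{1}:{2}' -f $_.IdentityReference, $_.AccessControlType, $_.FileSystemRights }
}

# 1. Copy-Item creates a new object: it inherits the destination folder's ACL and the
#    explicit ADATUM\IT entry is not carried over (expected count: 0).
Copy-Item -Path $file -Destination (Join-Path $stage 'copied.txt')
"Copy-Item  explicit ACEs: $(@(Get-ExplicitAces (Join-Path $stage 'copied.txt')).Count)"

# 2. Move-Item within one volume is a rename, so the explicit ADATUM\IT entry is retained.
#    Note: File Explorer re-applies the new parent's inheritance after a move; a raw
#    rename such as Move-Item leaves the DACL untouched, so previously inherited entries
#    can remain until inheritance is propagated again (for example by Set-Acl on the
#    new parent). Check the inherited entries too when you move from the command line.
Move-Item -Path $file -Destination (Join-Path $stage 'moved.txt')
"Move-Item  explicit ACEs: $(Get-ExplicitAces (Join-Path $stage 'moved.txt'))"

# 3. Robocopy /COPY:DATS (Data, Attributes, Timestamps, Security) copies the file back
#    into C:\Data\IT together with its explicit ACE. Robocopy exit codes below 8 mean
#    success (they report what was copied), 8 and above mean failures.
robocopy $stage $source 'moved.txt' /COPY:DATS | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }
"Robocopy   explicit ACEs: $(Get-ExplicitAces (Join-Path $source 'moved.txt'))"
```

The second case is the one to watch in practice: the course text describes what File Explorer does, and command-line moves within a volume do not re-evaluate inheritance on their own, which is why a moved file can keep showing entries from its old parent. Comparing the explicit entries before and after, as the helper does, is a quick way to confirm which tool preserved what.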

Question: You have FileA on the NTFS volume on Computer1. You grant the user John
explicit Full control permissions on FileA, and then you move FileA to the NTFS partition on
Computer2. Will John still have explicit permissions on FileA?

Check Your Knowledge


Question

On which two file systems can you assign permissions in Windows 10?

Select the correct answer.

FAT

FAT32

exFAT

NTFS

ReFS

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can modify inherited permissions on a file without disabling the inheritance.

Lesson 3
Configuring and Managing Shared Folders
Collaboration is an important part of an administrator's job. Your team might create documents that
only team members can share, or you might work with a remote team member who needs access to your
team's files. Because of collaboration requirements, you must understand how to manage shared folders
in a network environment.

Sharing folders enables users to connect to a shared folder over a network, and to access the folders
and files that it contains. Shared folders can contain applications, public data, or a user's personal data.
Managing shared folders helps you provide a central location for users to access common files, and it
simplifies the task of backing up data that those folders contain. This lesson examines various methods
of sharing folders, along with the effect this has on file and folder permissions when you create shared
folders on an NTFS-formatted partition.

Lesson Objectives
After completing this lesson, you will be able to:
Describe shared folders.

Describe methods for sharing folders.


Describe the effect of combining file permissions and share permissions.

What Are Shared Folders?


When you share a folder, you make its content
available on the network to multiple users. You
can limit who can access the shared folder and
what type of share permissions they have.
Additionally, you can limit the number of users
who can access the share at the same time and
specify if an offline copy of the files users open
will be created automatically on their computer.
Shared folders maintain a separate set of
permissions from the file-system permissions,
which means that you can set share permissions
even if you share a folder on the FAT file system.
The same share permissions apply to all shared content. This behavior is different from file system
permissions, where you can set permissions for each file individually. You can use these permissions to
provide an extra level of security for files and folders that you make available on your network. You can
share the same folder multiple times, by using a different share name and other share settings for each
creation.

Note: Sharing is limited to folders. You cannot share an individual file or group of files
within a folder that is not shared. Windows 10 allows you to right-click a file in a user's profile,
and then click Share with. However, this will share the Users folder, in which all user profiles are
stored.
After you share a folder, all users will see the share name over your network. However, only users
with Read permissions can view its content.

Windows 10 restricts sharing of folders to members of the Administrators group only. If you want to share
a folder, you will have to provide administrative credentials to User Account Control (UAC).

Note: File and printer sharing is disabled by default. When you share the first folder on
a Windows 10 device, Windows 10 turns on file and printer sharing automatically. This setting
remains turned on even if you remove all shared folders. You can configure it manually in
Advanced sharing settings in Control Panel.

Shared folders permissions


When you share a folder, you must configure the permissions that a user or group will have when they
connect to the folder through the share. This is called sharing permissions, and there are three options:
Read. Users can view content, but they cannot modify or delete it.

Change. Users can also modify, delete, and create content, but they cannot modify permissions.
Includes Read permission.
Full Control. Users can perform all actions, including modifying the permissions. Includes Change
permission.
Basic sharing permissions are simplified and can have one of two options:

Read. The look but do not modify option. Users can open, but not modify or delete a file.

Read/Write. The Full Control option. Users can open, modify, or delete a file, and modify permissions.

View shared folders


Windows 10 creates several shared folders by default. You can view all shared folders in the Computer
Management console, by clicking the Shared Folders node. You also can run net view \\localhost /all
command or the Get-SmbShare cmdlet.

Note: In older Windows versions, you could recognize shared folders in File Explorer,
because there was a different icon for folders that were shared than for folders that were not
shared. In File Explorer in Windows 10, the same icon is used regardless of whether a folder is
shared or not.

Connecting to a shared folder


Users most commonly connect to a shared folder over the network by using its Universal Naming
Convention (UNC) address. The UNC address contains the name of the computer that is hosting the folder
and the shared folder name, separated by a backward slash (\), and preceded by two backward slashes
(\\). For example, the UNC name for the Sales shared folder on the LON-CL1 computer in the
Adatum.com domain would be \\LON-CL1.Adatum.com\Sales.

Question: Can any user connect to any shared folder?



Methods Available to Share Folders


You can share folders in several ways, including by
using:

The Shared Folders snap-in.

File Explorer.

A command prompt.

Windows PowerShell cmdlets.

Sharing folders by using the Shared Folders snap-in

You can use the Shared Folders snap-in to manage a computer's file shares centrally. Use this
snap-in to create file shares, set permissions, and to view and manage open files and the users who can
connect to a computer's file shares. Additionally, you can view the properties for the shared folder, which
would allow you to perform actions such as specifying file permissions.
You can create a new share in the Shared Folders snap-in by running the Create a Shared Folder Wizard.
When you run the wizard, you need to specify the folder path that you want to share and the share name.
By default, offline files are not created from the share content, and all users have Read-only share
permissions. However, you can modify these settings in the wizard or after creating the share.

Sharing folders by using File Explorer


You can use File Explorer to share a folder by:
Using the Share with option from the shortcut menu or ribbon (also called Network File and Folder
Sharing on the Sharing tab).

Selecting Advanced Sharing from the Sharing tab.

Using the Share with option (Network File and Folder Sharing)
The Share with option is a quick and easy way to share a folder. When you right-click a folder, and then
select Share with, you see a submenu that allows you to stop sharing the folder or share the folder with
specific people. When you share with specific people, you can select Everyone or use Find people to
share the folder with specific groups. After selecting the users with whom you want to share a folder,
you can set Read or Read/Write permissions. You cannot remove a folder's owner. You also might notice
users or groups that have the Permission Level value Custom. This is because they have file-specific
permissions.

Be aware that Network File and Folder Sharing will set share permissions and file permissions. The Share
permissions will be set as Everyone Full Control, and the file permissions will be set based on what you
select. The share name will be the same as the folder name. You cannot share the same folder multiple
times by using Network File and Folder Sharing.

Using Advanced Sharing


Advanced Sharing provides several additional configuration options compared to Network File and Folder
Sharing. You can specify the share name, which is the same as the folder name, by default. However, you
can modify the name, choosing any name that is not used for a share name on the same computer. You
also can configure the number of users that can access a shared folder simultaneously, specify caching
settings, and define share permissions, which can be Full Control, Change, or Read. When you use
Advanced Sharing, you are configuring only share-folder permissions. You must configure file permissions
separately. However, you must be careful when you do this to ensure you are setting the permissions
exactly as you require. For example, if a group does not have Read permissions to a folder, you still can
grant that group Full Control share permissions. However, when a group member tries to connect to the
share, an error returns, even if that user has sufficient share permissions. This is because the user does not
have file permissions, and therefore cannot access the share's files.

Sharing folders by using the command line


You can share a folder by using the net share command, as the following example illustrates:

net share sharename=drive:path

This will create a simple share, which uses the share name that you specify, and which grants all users
Read permissions. You can specify additional parameters when creating a share, which the following
table lists.

Option                   Description

/Grant:user,permission   Allows you to specify Read, Change, or Full share permissions for
                         the specified user.

/Users:number            Allows you to limit the number of users who can connect to the
                         share.

/Remark:text             Allows you to add a comment to the share.

/Cache:option            Allows you to specify the caching options for the share.

sharename /Delete        Allows you to remove an existing share.

Sharing folders by using Windows PowerShell


Windows PowerShell includes several cmdlets that you can use to manage shares. The following example
illustrates the cmdlet for creating a share:

New-SmbShare -Name ShareName -Path C:\LocalFolder

The following table lists additional Windows PowerShell commands that you can use to manage shares.

Command                Description

Get-SmbShare           Retrieves a list of the computer's existing shares.

Set-SmbShare           Modifies an existing share.

Remove-SmbShare        Removes an existing share.

Get-SmbShareAccess     Retrieves a share's permissions.

Grant-SmbShareAccess   Sets share permissions.

Question: What is the main difference between sharing a folder by using Network File and
Folder Sharing and by using Advanced Sharing?

Shared Folder Properties


You can configure multiple shared folder
properties when you create a share or when
you modify shared folder properties. Share
properties control share behavior, including:

How users can view and connect to a share.

How many users can access a share simultaneously.

Which share permissions will be effective when users access the data through a share.

The offline settings for the share data.


You can configure these four properties in several ways, including by using Advanced Sharing, the Shared
Folders snap-in, the net share command, and the New-SmbShare or Set-SmbShare Windows PowerShell
cmdlets. However, if you want to modify more advanced share properties, such as access-based
enumeration or Server Message Block (SMB) encryption, you can do that only by using the Set-SmbShare
cmdlet.

You can configure the following basic properties for a share by using Advanced Sharing:

Share name. Each share must have a share name, and it must be unique for each Windows 10-based
computer. The share name can be any string that does not contain special characters, and it is part of
the UNC path, which Windows users use when connecting to a share. You can share the same folder
multiple times and with different properties, but each share name must be unique. If the share name
ends with a dollar sign ($), the share is hidden and not visible on the network. However, you can
connect to it if you know the share name and have appropriate permissions.

Number of simultaneous users. This limits the number of users that can have an open connection to
the share. The connection to the share is open when a user accesses the share for the first time, and it
closes automatically after a period of inactivity. The default value in Windows 10 is no more than 20
users. However, you can configure this to a lower number.

Caching/offline settings. You can control which of the share's files and programs are available to
offline users, or those who do not have network connectivity. You can configure files to:

o Cache on the client computer automatically when a user has network connectivity and opens
them for the first time.

o Cache offline, only if the user manually configures this and has the necessary permissions.
o Not cache at all.

Permissions. You can configure shared folder permissions, which Windows uses in conjunction with
file system permissions when a user tries to use a shared folder to access data over a network. Shared
folder permissions can allow Read, Change, or Full control permissions.
If you try to use a share name that is already in use on the computer, Windows 10 provides you with an
option to stop sharing an old folder and use the share name for sharing the current folder.
If you rename a folder that is shared currently, you do not receive a warning. However, the folder is no
longer shared.

Note: If you share a folder by using Network File and Folder Sharing, you can share a folder
only once, and you cannot configure its properties manually. The share name is set automatically
and is the same as the folder name. The share permissions, number of simultaneous users, and
caching properties retain the same value.

You can configure advanced share properties only by using Windows PowerShell. You cannot configure or
view them by using the GUI tool. Advanced share settings that you can configure in Windows 10 include
access-based enumeration and SMB encryption. For example, you can enable access-based enumeration
for the share name Folder1 by using the following cmdlet:

Set-SmbShare -Name Folder1 -FolderEnumerationMode AccessBased

Note: Access-based enumeration displays only the content for which a user has
permissions. If the user does not have Read permission to a file or folder, that file or folder does
not display when the user connects to the shared folder.

You can view all shared folder properties for the share name Folder1 by using the following cmdlet:

Get-SmbShare -Name Folder1 | Format-List -Property *

For more information on the Get-SmbShare cmdlet, refer to:

Get-SmbShare
http://aka.ms/dwc4lz

For more information on the Set-SmbShare cmdlet, refer to:


Set-SmbShare
http://aka.ms/unkrou
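An added example, not code from the course, that ties the cmdlets from the Windows PowerShell sharing topic together with the advanced properties described here: it creates the lab's Marketing share with explicit share permissions instead of the default Everyone Read entry, sets the user limit and caching mode, enables access-based enumeration and SMB encryption with Set-SmbShare, and reads the result back with Get-SmbShare and Get-SmbShareAccess. The share name, path and ADATUM\Marketing group are assumptions taken from the lab.

```powershell
# Added example (not from the course): create the lab's Marketing share with
# New-SmbShare, replacing the default Everyone/Read entry, then turn on the two
# advanced properties that the GUI does not expose. Share name, path and the
# ADATUM\Marketing group are assumptions taken from the lab.
$params = @{
    Name                = 'Marketing'
    Path                = 'C:\Data\Marketing'
    ChangeAccess        = 'ADATUM\Marketing'       # share-level Change for the department
    FullAccess          = 'BUILTIN\Administrators'
    ConcurrentUserLimit = 5                         # 0 means no limit; Windows 10 caps at 20
    CachingMode         = 'None'                    # no offline copies of share content
    Description         = 'Marketing department share'
}
# Giving any access parameter suppresses the default Everyone/Read share entry.
New-SmbShare @params | Out-Null

# Advanced properties: access-based enumeration hides entries the user has no Read
# permission for, and SMB encryption protects the session on the wire.
Set-SmbShare -Name 'Marketing' -FolderEnumerationMode AccessBased -EncryptData $true -Force

# Verify: the share ACL should hold only the two entries given above (no Everyone),
# and the advanced properties should read back as configured.
function Test-MarketingShare {
    $access = Get-SmbShareAccess -Name 'Marketing'
    $share  = Get-SmbShare -Name 'Marketing'
    [pscustomobject]@{
        HasEveryone     = [bool]($access | Where-Object AccountName -eq 'Everyone')
        MarketingRight  = ($access | Where-Object AccountName -eq 'ADATUM\Marketing').AccessRight
        AccessBasedEnum = $share.FolderEnumerationMode
        Encrypted       = $share.EncryptData
        UserLimit       = $share.ConcurrentUserLimit
    }
}
Test-MarketingShare
```

Because Advanced Sharing leaves file permissions alone, the share created here still relies on the NTFS permissions on C:\Data\Marketing to decide what Marketing members can actually do; the share entries only cap that access at Change. The Test-MarketingShare check is the part worth keeping in a build script: it catches a share that silently picked up the Everyone default.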

Question: What is the maximum number of users who can connect to a share
simultaneously on Windows 10?

Question: Can you configure Caching (Offline Settings) when you share a folder by using
Network File and Folder Sharing?

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

If users have the Change share permission, they can take ownership of the
files when they access the share over the network.

Discussion: Combining Shared Folder and NTFS File Permissions


When you create a shared folder on a volume
that is formatted with a file system that supports
security, both the shared folder permissions and
the file and folder permissions combine to control
permissions to file resources when a user connects
via a network. File and folder permissions apply
whether users access a resource locally or over a
network, but they filter against the shared folder
permissions.

When you grant shared folder permissions, the following rules apply:
Except when using the Share in Network File
and Folder Sharing, the Everyone group has the Read shared folder permission.

Users must have appropriate file system permissions for each file and subfolder in a shared folder to
access those resources, in addition to appropriate shared folder permissions.

When you combine file-system and shared-folder permissions, the resulting permission is the most
restrictive one of the effective permissions between the two types. Typically, this is the highest
common denominator of the file-system and shared-folder permissions.

When a user attempts to connect to content through a share, the share permissions on a folder apply
to that folder, all of its files and subfolders, and all files in those subfolders.

When you configure shared folder permissions per shared folder, you can allow or deny only Read,
Change, and Full Control permissions, and these permissions apply to content in all folders and
subfolders. You have much more granularity when you configure file-system permissions. You can
configure permissions for each file, and you can allow or deny many more file-system permissions than
share permissions.

Note: If you enable the Guest user account on your computer, the Everyone group includes
anyone. Therefore, as a best practice, remove the Everyone group from any permission lists, and
replace it with the Authenticated Users group.

The following analogy can help you understand what happens when you combine file system and share
permissions. If you want to access a shared folder's files over a network, you must go through the shared
folder. Therefore, you can think of the shared folder permissions as a filter that only allows users to
perform those actions that are acceptable to the share permissions. All file system permissions that are
less restrictive than the share permissions filter out, so that only the most restrictive permissions remain.

For example, if a share permission is set to Read, the most that you can do when connecting through a
shared folder is read the file, even if the individual file system permission is set to Full Control. If you
configure the share permission to Modify, you are allowed to read or modify the share's data. If the file
system permission is set to Full Control, the share permissions filter the effective permission to Modify.
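As an added example (not from the course), the function below applies the filter rule from this discussion to a live share: it reads the share ACL with Get-SmbShareAccess, lets a share-level Deny win over Allow, maps the share level (Read, Change, Full) to the NTFS rights it lets through, and intersects that with the NTFS rights you supply, for example the result shown on the Effective Access tab. The Marketing share and the ADATUM identities are assumptions taken from the lab.

```powershell
# Added example (not from the course): combine share permissions with NTFS rights.
# The share side comes from the live share ACL; the NTFS side is passed in by the
# caller (e.g. from the Effective Access tab). Share and group names are assumptions.
function Get-RemoteEffectiveRights {
    param(
        [Parameter(Mandatory)][string]$ShareName,
        # The user plus every group the user belongs to, as listed in the share ACL.
        [Parameter(Mandatory)][string[]]$Identities,
        # Effective NTFS rights the same identities hold on the target file or folder.
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$NtfsRights
    )
    # Each share permission level expressed as the NTFS rights it allows to pass through.
    $shareMask = @{
        Read   = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
        Change = [System.Security.AccessControl.FileSystemRights]::Modify
        Full   = [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    [int]$allowed = 0
    [int]$denied  = 0
    foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
        if ($Identities -notcontains $entry.AccountName) { continue }
        # AccessRight is Full, Change, Read or Custom; Custom maps to no rights here.
        $mask = [int]$shareMask[[string]$entry.AccessRight]
        if ($entry.AccessControlType -eq 'Deny') { $denied  = $denied  -bor $mask }
        else                                      { $allowed = $allowed -bor $mask }
    }
    # A Deny entry on the share removes those rights even if another entry allows them.
    $shareEffective = $allowed -band (-bnot $denied)
    # The share is a filter: only rights present on both sides survive.
    [System.Security.AccessControl.FileSystemRights]([int]$NtfsRights -band $shareEffective)
}

# Usage: Adam (Marketing) holds NTFS Modify on C:\Data\Marketing through Authenticated
# Users, and the Marketing share grants Change, so Modify passes through. Over a share
# that grants only Read, the same call would come back as ReadAndExecute.
Get-RemoteEffectiveRights -ShareName 'Marketing' -Identities 'ADATUM\Adam', 'ADATUM\Marketing' `
    -NtfsRights ([System.Security.AccessControl.FileSystemRights]::Modify)
```

The mapping from share levels to NTFS rights is the interesting design choice: share Read corresponds to Read & execute on the file system and share Change to Modify, which is why a user with NTFS Full Control still cannot change permissions through a Change share. Supplying the NTFS side explicitly keeps the function honest about what it does not know, namely the local group membership and sign-in type that the Effective Access tab takes into account.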

Demonstration: Sharing Folders


In this demonstration, you will see how to share a folder, configure share properties, and access a share.

Demonstration Steps
1. On LON-CL1, view security for the C:\Data folder. Use File Explorer to confirm that the Managers
group has permissions on the folder and that the folder is not shared.

2. Use Network File and Folder Sharing to share the C:\Data folder. Remove permissions for
Managers, and then add Read/Write permissions for the IT group.

3. Use File Explorer to note that the Managers group no longer has permissions on the folder but the
IT group does, and that the folder C:\Data is now shared.

4. Use Advanced Sharing to review the share name, limit the number of simultaneous users to five, and
review the share permissions that were set when using Network File and Folder Sharing.
5. Create an additional share for the C:\Data folder, called IT Data, and grant Everyone Full Control
permissions for the share.

6. Use File Explorer to view the Data and IT Data shares on LON-CL1 and File1.txt in the IT Data
share.
7. Use the Shared Folders console to view shares on LON-CL1.

8. Use the Get-SmbShare Windows PowerShell cmdlet to list shares on LON-CL1.


9. Sign out of LON-CL1.
Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can configure advanced permissions for the shared folder.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You cannot configure access-based enumeration for shares on a Windows 10-based computer.

Lab A: Configuring and Managing Permissions and Shares


Scenario
You have users in the Marketing, Research, and IT departments who share computers and require
permissions to shares on those computers. In this lab, you will create shared folders by using Network
File and Folder Sharing and Advanced Sharing, and then configure permissions such that users can access
only content on their departmental share. You also will test local and network permissions to the shared
folder, and then use the Effective Permissions tool to verify user permissions.

Your company is planning to implement dynamic access control, so you also will implement a pilot project
for the Research department, where you will utilize user claims to limit access to its share.

Objectives
After completing this lab, you will be able to:

Share a folder by using Network File and Folder Sharing and Advanced Sharing.
Understand the differences between using Network File and Folder Sharing and Advanced Sharing.

Configure conditions to limit file and folder access.


Use the Effective Access feature.

Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, 20697-1B-LON-CL2

User names: Adatum\Administrator, Adatum\Adam, Adatum\April, Adatum\Jesper and Adatum\Anil
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20697-1B-LON-CL1 and 20697-1B-LON-CL2. Do not sign in until directed
to do so.

Exercise 1: Creating, Managing, and Sharing a Folder


Scenario
In this exercise, you will create a folder structure for the Marketing and IT departments. After you review
the default permissions, you will share folders for both departments, and then test the differences in
permissions when using Network File and Folder Sharing and Advanced Sharing.

The main tasks for this exercise are as follows:


1. Create a folder structure.

2. Review default permissions.

3. Configure permissions for the IT and Marketing folders.


4. Review configured permissions.

5. Test local file permissions.


6. Test share permissions.

Task 1: Create a folder structure


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Use File Explorer to create the following folders: C:\Data, C:\Data\Marketing, and C:\Data\IT.

Task 2: Review default permissions


1. On LON-CL1, find out why you cannot remove permissions for Authenticated Users from the
C:\Data\IT folder.

2. Verify that all permissions entries for the C:\Data\IT folder are inherited from C:\. Also, verify that
Users (LON-CL1\Users) have Read & execute Access, while Authenticated Users have Modify
Access.

3. Verify that all permissions entries for the C:\Data\Marketing folder are inherited from C:\. Also,
verify that Users (LON-CL1\Users) have Read & execute Access, while Authenticated Users have
Modify Access.

Task 3: Configure permissions for the IT and Marketing folders


1. On LON-CL1, use File Sharing (Network File and Folder Sharing) to share the C:\Data\IT folder with
the IT group, and then provide them with Read/Write permissions.

2. Use Advanced Sharing to share the C:\Data\Marketing folder with the Marketing group only, and
then provide them with Change share permissions.

3. Use the net view \\lon-cl1 command to view shares on LON-CL1.

4. Use the Shared Folders tool in Computer Management to view shares on LON-CL1.

Task 4: Review configured permissions


1. On LON-CL1, view the advanced security settings for the C:\Data\IT folder. Verify that all permissions
entries are set explicitly at this level, and that only administrator and Administrators
[LON-CL1\Administrators, SYSTEM and IT (ADATUM\IT)] have access to the folder.

2. View the advanced sharing properties for the C:\Data\IT folder, and then verify that Everyone and
Administrators have Full Control permissions to the share.

Note: If you share a folder by using the File Sharing dialog box, you will modify the local
file permissions to match your configuration, while the Everyone and Administrators groups will
have the Full Control share permission.

3. View the advanced security settings for the C:\Data\Marketing folder. Verify that all of the
permissions entries are inherited from C:\. Also, verify that Users (LON-CL1\Users) have Read &
execute permission, while Authenticated Users have Modify permission.

Note: If you share a folder by using the Advanced Sharing feature, this does not modify
local file permissions. You only modify share permissions if you use the Advanced Sharing
feature.

4. Sign out of LON-CL1.

Task 5: Test local file permissions


1. Sign in to LON-CL1 as Adatum\Adam with the password Pa$$w0rd. Adam is a member of the
Marketing group, but is not a member of the IT group.
2. Create a text document named File10 in the C:\Data\Marketing folder.

Note: Adam has local file permissions to create a new file in the Marketing folder, because
permissions were configured by using the Advanced Sharing feature. This modified only the share
permissions, while the default local file permissions were not modified. By default, Authenticated
Users have the Modify permission.

3. Try to create a text document in the C:\Data\IT folder.

Note: You will get an error, because Adam does not have local file permissions to the IT
folder. Permissions were configured by File Sharing, and only members of IT group have local file
permissions to the folder.

4. Sign out of LON-CL1.

5. Sign in to LON-CL1 as Adatum\April with the password Pa$$w0rd. April is a member of the IT
group, but she is not a member of the Marketing group.

6. Create a text document named File20 in the C:\Data\Marketing folder.

Note: April has local file permissions to create a new file in the Marketing folder, because
permissions were configured by using the Advanced Sharing feature. This modified only the share
permissions, while the default local file permissions were not modified. By default, Authenticated
Users have the Modify permission.

7. Create a text document named File21 in the C:\Data\IT folder.

Note: April is able to create a file, because permissions were configured by File Sharing.
Members of the IT group have local file permissions to the IT folder.

Note: Be aware that Network File and Folder Sharing, which sometimes is referred to as
simple file sharing, modifies file permissions and shared folder permissions. However, Advanced
Sharing does not modify file permissions. It modifies only share permissions.

8. Sign out of LON-CL1.

Task 6: Test share permissions


1. Sign in to LON-CL2 as Adatum\Adam with the password Pa$$w0rd. Adam is a member of the
Marketing group, but he is not a member of the IT group.

2. Verify that you can see the IT and Marketing shares on LON-CL1.
3. Create a text document named File30 in the \\LON-CL1\Marketing share.

4. Try to connect to the \\LON-CL1\IT share.

Note: Adam is not a member of the IT group, so he does not have permissions to access
the IT share.

5. Sign out of LON-CL2.


6. Sign in to LON-CL2 as Adatum\April with the password Pa$$w0rd. April is a member of the
IT group, but she is not a member of the Marketing group.

7. Verify that you can see the IT and Marketing shares on LON-CL1.

8. Try to connect to the \\LON-CL1\Marketing share.

Note: April is not a member of the Marketing group, so she does not have permissions to
access the Marketing share.

9. Create a text document named File40 in the \\LON-CL1\IT share.

Note: Users can access only the shares that were shared for groups in which they are
members, regardless of whether they were shared by File Sharing or Advanced Sharing.

Results: After completing this exercise, you will have created a folder structure for the Marketing and
information technology (IT) departments, shared their folders, and tested local and share permissions.
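The same permission model as Exercise 1, reproduced with PowerShell instead of the File Sharing and Advanced Sharing dialogs, as an added example that is not part of the course. It assumes an elevated session on LON-CL1, that the ADATUM\IT and ADATUM\Marketing groups exist, and that C:\Data still carries the default ACL inherited from C:\.

```powershell
# Added example (not course material). Reproduces the Exercise 1 permission model in
# PowerShell and then lists the share ACL and the NTFS ACL side by side, so the
# difference between File Sharing and Advanced Sharing is visible without the GUI.
# Assumes: elevated session on LON-CL1; groups ADATUM\IT and ADATUM\Marketing exist.
$ErrorActionPreference = 'Stop'

# --- C:\Data\IT, the equivalent of the File Sharing dialog ---------------------
# File Sharing rewrites the NTFS ACL to the chosen principals and sets the share
# ACL to Everyone + Administrators Full Control, so NTFS decides who gets in.
New-Item -Path 'C:\Data\IT' -ItemType Directory -Force | Out-Null
icacls.exe 'C:\Data\IT' /inheritance:d | Out-Null    # copy inherited ACEs as explicit ones, then stop inheriting
icacls.exe 'C:\Data\IT' /remove:g 'BUILTIN\Users' | Out-Null
icacls.exe 'C:\Data\IT' /remove:g 'NT AUTHORITY\Authenticated Users' | Out-Null
icacls.exe 'C:\Data\IT' /grant 'ADATUM\IT:(OI)(CI)M' | Out-Null   # Modify, inherited by files and subfolders
New-SmbShare -Name 'IT' -Path 'C:\Data\IT' `
    -FullAccess 'Everyone', 'BUILTIN\Administrators' | Out-Null

# --- C:\Data\Marketing, the equivalent of Advanced Sharing ---------------------
# Advanced Sharing changes only the share ACL. NTFS stays inherited from C:\, where
# Users have Read & execute and Authenticated Users have Modify by default.
New-Item -Path 'C:\Data\Marketing' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'Marketing' -Path 'C:\Data\Marketing' `
    -ChangeAccess 'ADATUM\Marketing' | Out-Null

# --- Verification: show both ACLs for a share ---------------------------------
function Get-ShareVsNtfs {
    param([Parameter(Mandatory)][string]$ShareName)
    $share = Get-SmbShare -Name $ShareName
    $ntfs  = Get-Acl -Path $share.Path
    [pscustomobject]@{
        Share         = $ShareName
        Path          = $share.Path
        ShareAcl      = (Get-SmbShareAccess -Name $ShareName |
                         ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
        NtfsAcl       = ($ntfs.Access |
                         ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        NtfsInherited = [bool]($ntfs.Access | Where-Object IsInherited)
    }
}
'IT', 'Marketing' | ForEach-Object { Get-ShareVsNtfs -ShareName $_ } | Format-List

# Remote access is the intersection of the two ACLs: in Task 6, Adam (Marketing) passes
# the IT share ACL but is refused by NTFS, while April (IT) is refused at the Marketing
# share ACL before the NTFS permissions are consulted at all.
```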

Exercise 2: Using Conditions to Control Access and Effective Permissions


Scenario
Your company has been using group membership to control user access, but it is now considering
implementing dynamic access control. Therefore, your company's IT department has created user
claims for department and Country, and populated user attributes in AD DS.

In this exercise, you will implement a pilot project to protect data for the Research department by using
user claims. You also will demonstrate how you can limit access to IT data to only those users who live in
the U.S. You will test user access by using the Effective Permissions tool.
The main tasks for this exercise are as follows:

1. Configure conditions to control access.

2. Test conditions to control access.


3. View effective permissions.

Task 1: Configure conditions to control access


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Create a folder called C:\Data\Research.


3. Use Advanced Sharing to share the C:\Data\Research folder with Change permissions in the Allow
column for Everyone.

4. Disable security inheritance for the C:\Data\Research folder, and then convert inherited permissions
into explicit permissions.
5. Remove the Users (LON-CL1\Users) permissions on the C:\Data\Research folder.

6. Edit advanced security settings for the C:\Data\Research folder, and then add the condition User
department Equals Value research for Authenticated Users. You will need to type research
manually in the last box.

7. Edit the advanced security settings for the C:\Data\IT folder, and then add the condition User
Country Equals Value US for the IT (ADATUM\it) group. You will need to type US manually in the
last box.

Task 2: Test conditions to control access


1. On LON-CL2, where you are signed in as Adatum\April, use File Explorer to try to connect to the
\\LON-CL1\Research share.
2. View user claims by running the whoami /claims command.

Note: April has a department claim value of IT and she cannot connect to the Research
share.

3. Create a text document named File50 in the \\LON-CL1\IT share.

Note: April has permissions to create a new file in the IT share because she is a member of
the IT group and her Country claim has a value of US.

4. Sign out of LON-CL2.



5. Sign in to LON-CL2 as Adatum\Jesper with the password Pa$$w0rd. Jesper is a member of the
IT group.

6. Try to connect to the \\LON-CL1\IT share.


7. View user claims by running the whoami /claims command.

Note: Jesper has a Country claim with the value of GB, so he cannot connect to the
IT share, even though he is a member of the IT group.

8. Sign out of LON-CL2.

9. Sign in to LON-CL2 as Adatum\Anil with the password Pa$$w0rd.

10. View user claims by running the whoami /claims command.

11. Create a text document named File60 in the \\LON-CL1\Research share.

Note: Anil has permissions to create a new file in the Research share because his
department claim has a value of Research.

Task 3: View effective permissions


1. On LON-CL1, view the effective permissions to the C:\Data\Marketing folder for a user named Joel.

Note: Because Authenticated Users have the Modify permission on the Marketing folder, you
can see that Joel has the most permissions allowed.

2. View the effective permissions to the C:\Data\Research folder for the user named Ales, who is a
member of the Development group.

Note: Only users who have the department-claim value of Research can access the folder.
Therefore, Ales does not have the required permissions to access it.

3. View the effective access to the C:\Data\Research folder for the user named Ales when you include
a user claim of department = Research.

Note: You can see that if Ales had the user claim of department with the value of
Research, he would have the most permissions allowed.

4. View effective access to the C:\Data\Research folder for the user named Aziz, who is a member of
the Research group, when you include a user claim of department = Research.

Note: If Aziz had the user claim of department with the value of Research, he would have
the most permissions allowed.

5. Sign out of LON-CL1.

Results: After completing this exercise, you will have configured and tested conditions to control access.
You will have also viewed effective permissions.
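The two claim conditions from Exercise 2 applied as conditional ACEs in SDDL rather than through the Advanced Security Settings dialog, as an added example that is not part of the course. It assumes an elevated session on LON-CL1, that the department and Country claim types already exist in AD DS as the scenario states, and that Set-Acl accepts conditional (XA) ACEs, which Windows 8 and Windows Server 2012 or later do; the helper names are the example's own.

```powershell
# Added example (not course material). Applies the Exercise 2 conditions by writing
# conditional ACEs in SDDL, then reads them back from the folder's DACL.
# Assumes: elevated session on LON-CL1; 'department' and 'Country' claim types exist in
# AD DS; the OS accepts XA (conditional) ACEs through Set-Acl (Windows 8 / 2012 or later).
$ErrorActionPreference = 'Stop'

function Set-ClaimProtectedAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Account,    # trustee the condition applies to
        [Parameter(Mandatory)][string]$Condition   # DAC expression, e.g. @User.department == "research"
    )
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).
               Translate([System.Security.Principal.SecurityIdentifier]).Value
    # D:P       protected DACL: inheritance from C:\ is disabled (Task 1, step 4)
    # A / XA    allow ACE / allow ACE that applies only when the condition is true
    # OICI      inherit to subfolders and files; IO = inherit-only
    # FA        Full Control; 0x1301bf = Modify
    # BA/SY/CO  Administrators, SYSTEM, CREATOR OWNER (Users are left out, as in step 5)
    $sddl = 'D:P' +
            '(A;OICI;FA;;;BA)' +
            '(A;OICI;FA;;;SY)' +
            '(A;OICIIO;FA;;;CO)' +
            "(XA;OICI;0x1301bf;;;$sid;($Condition))"
    $acl = Get-Acl -Path $Path
    $acl.SetSecurityDescriptorSddlForm($sddl, 'Access')   # replace only the DACL section
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ConditionalAce {
    # Lists every XA ACE in the folder's DACL with its condition, parsed from the SDDL.
    # Well-known trustees come back as SDDL aliases (AU = Authenticated Users); domain
    # groups come back as S-1-5-21-... SIDs.
    param([Parameter(Mandatory)][string]$Path)
    $sddl    = (Get-Acl -Path $Path).Sddl
    $pattern = '\(XA;([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);\((.*?)\)\)'
    foreach ($m in [regex]::Matches($sddl, $pattern)) {
        [pscustomobject]@{
            Path      = $Path
            Trustee   = $m.Groups[5].Value
            Rights    = $m.Groups[2].Value
            Condition = $m.Groups[6].Value
        }
    }
}

# Research: Authenticated Users get Modify only when department == research (Task 1, step 6).
New-Item -Path 'C:\Data\Research' -ItemType Directory -Force | Out-Null
New-SmbShare -Name 'Research' -Path 'C:\Data\Research' -ChangeAccess 'Everyone' | Out-Null
Set-ClaimProtectedAcl -Path 'C:\Data\Research' -Account 'NT AUTHORITY\Authenticated Users' `
    -Condition '@User.department == "research"'

# IT: the IT group keeps Modify, but only for users whose Country claim is US (Task 1, step 7).
Set-ClaimProtectedAcl -Path 'C:\Data\IT' -Account 'ADATUM\IT' `
    -Condition '@User.Country == "US"'

'C:\Data\Research', 'C:\Data\IT' |
    ForEach-Object { Get-ConditionalAce -Path $_ } | Format-Table -AutoSize

# The claims a signed-in user actually carries travel in the Kerberos ticket; Task 2
# compares them with the conditions above by running this on the client.
whoami.exe /claims
```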

Lesson 4
Work Folders
Work Folders is a Windows 10 feature that enables users to sync their local copy of files with files on a
server, which must be running Windows Server 2012 R2 or a newer operating system. Users can use Work
Folders even if their Windows 10 device is not joined to the domain, and an administrator can configure a
policy for the local copy. For example, you can encrypt the local copy, and if a device is lost or an employee
has left the company, you can remotely wipe the local copy of the Work Folders data while leaving the
user's other data on the device intact.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the functionality of the Work Folders feature.

• Describe the Work Folders components.

• Explain how to configure Work Folders.

• Deploy and use Work Folders.

What Are Work Folders?


Organizations typically store files on file servers. This approach provides many advantages, such as central
access control and auditing, central backup, quotas, reporting, and availability from any domain-joined and
network-attached device. However, users also need to access and modify company data when they are not
connected to a company network, and from devices that are not domain members. You can use several
solutions for such scenarios, such as Folder Redirection, Offline Files, or synchronization with Microsoft
OneDrive or OneDrive for Business. Windows 10 offers an additional solution, the Work Folders feature.
This feature is useful when users utilize multiple devices to access company data and they need to
synchronize data between their devices, some of which are not domain-joined.

Work Folders allow home and office users to access their individual data, regardless of whether their
devices are connected to a company network or whether their devices are domain-joined. Work Folders
only store the individual files of users, and users can access only their own Work Folders. A traditional file
server stores Work Folders data, but devices also keep a local copy of the user's subfolders in a sync share.
This is known as a user work folder. Users can access a local copy of their Work Folders even without
network connectivity, and any modifications they make synchronize with their Work Folders on a file
server immediately or after their connectivity to the file server is restored. Users can access and use Work
Folders from various devices, irrespective of their domain membership. Windows 10 and Windows 8.1
support Work Folders natively, and you can add Work Folders support to Windows 7, Apple iPad, and
Apple iPhone devices.

If users use multiple devices that are configured with Work Folders, changes they make on one device
synchronize with their other devices automatically. A file server stores Work Folders content, so you can
use all the features that are available on a file server, such as dynamic access control, auditing, quotas,
file-classification infrastructure, and protecting content with Active Directory Rights Management Services
(AD RMS). You can define a policy for devices that access Work Folders. For example, you can create a
policy that requires encryption of a device's local copy of the Work Folders data. You also can use the
Remote Business Data Removal feature to prevent access or remotely wipe a device's local copy of Work
Folders data if the device is lost or stolen, or if the employee leaves the company.

For more information on Work Folders, refer to the following webpage on the Microsoft TechNet website:
Work Folders Overview
http://aka.ms/cdspcf

Question: Can you share your Work Folders content with your coworkers?

Components of Work Folders


If you want to use Work Folders, several components must be available in your environment:

• Work Folders server. You need a file server that is running Windows Server 2012 R2 or newer to host
Work Folders, because older versions of Windows Server do not support the Work Folders feature. The file
server must be joined to an AD DS domain, and it must have the Work Folders role service installed, which
is part of the File and Storage Services role. Installing the role service adds an additional access protocol
and extends Server Manager. You can use Server Manager to create and manage sync shares, which
contain users' Work Folders. You also can use Server Manager to view who can access sync shares, when
and from which devices users access them, and to perform other tasks, such as setting quotas and
managing volumes. Users access and synchronize their Work Folders by using the HTTPS-encapsulated
access protocol. Because synchronization uses HTTPS encryption, the file server must have a Secure
Sockets Layer (SSL) certificate installed, and the devices from which users access Work Folders must trust
that certificate.

• Sync share. A sync share is a unit of synchronization between the Work Folders server and client
devices. You can create multiple sync shares on a Work Folders server, and each sync share maps to a
physical folder on the file server. For each user who uses Work Folders, a personal subfolder is created
inside the sync share, and users can access and synchronize only the content of their own subfolders. You
can configure who can access a sync share, and then specify a device policy, such as requiring that the
local copy of Work Folders data on client devices be encrypted. Although users can have permissions to
access multiple sync shares, they are limited to a single sync share. By default, you can access a sync share
only by using the Work Folders feature, but an administrator also can create an SMB share that uses the
same folder as a sync share. If users can access sync share content by using SMB, you can view synced
content from devices that do not use Work Folders. The sync share is stored on a file server, so you can
use features such as dynamic access control, quotas, and file screening when managing the sync share's
content.

• User devices. These are the devices from which you can access, modify, and synchronize content
that is stored in Work Folders. You can access Work Folders from workgroup devices, devices that
are workplace-joined, or from domain member devices. Windows 10 and Windows 8.1 devices
support Work Folders by default, and you can add Work Folders support to Windows 7, iPad, and
iPhone devices. Devices also must trust the SSL certificate that the Work Folders server is using. If
you configure devices to use Work Folders, Windows detects the changes to the local copies of data,
and then synchronizes them with the server. By default, devices check the Work Folders server every
10 minutes and synchronize changes with local copies of the Work Folders data.

When you configure Work Folders on a device, you establish a Work Folders sync partnership between
the device and the file server. During initialization, the data directory, version database, and download
staging directory are created on the device. The version database keeps the local copy of the data in sync
with the data on the file server. On the server side, similar structures are created when a user first
synchronizes. You provision the server Work Folders only once per user, while the client side is provisioned
for each device on which the user uses Work Folders. When users modify their Work Folders content, the
following process takes place:
1. Users modify local Work Folders content, and the Work Folders server detects the changes on the
client in real time. The client then initiates a sync session with the Work Folders server, and uploads
the changes.

2. After the upload is complete, the Work Folders server applies the uploaded changes to the user's Work
Folders content. By default, the server is configured to perform all modifications to the user's data. If
the file changes on multiple user devices in the same synchronization cycle, the latest version of the file,
based on the time stamp, keeps the original file name. The Work Folders server preserves the other
copies of the file in the same directory, but the name of the device on which the conflict occurred is
appended to the file name, and a number is appended if there are multiple conflicts for the same
file. The Work Folders server keeps 100 conflict files. If more than 100 conflict files are generated,
Work Folders synchronization stops for the user until the user manually resolves the problem.

3. The second client device initiates synchronization. This occurs either because data was also modified
on the second client device, which then initiates synchronization of those modifications, or, if there are
no local changes, because the second device initiates synchronization based on the polling interval,
which is 10 minutes by default. The second client downloads changes from the Work Folders server and
applies them to the local copy of the data.

When you use Work Folders, you should be aware of following considerations:

• Work Folders synchronization is limited to one partnership per user, per device. If multiple users
use the same device, all users can have their own partnership with the sync folder on the same, or
different, Work Folders servers, but the same user cannot create a sync partnership with a second
sync share on the same or different Work Folders servers.

• Clients always initiate synchronization. A Work Folders server is passive and responds only to sync
requests.

• Clients synchronize only with the Work Folders server. If users are using multiple devices, and they are
all configured with Work Folders, devices do not synchronize changes between themselves. Devices
synchronize changes only with the server. After one device synchronizes changes with a server, other
devices are synchronized with the changes from the server.

• The system that applies the change, which can be either the user device or the Work Folders server, is
responsible for conflict resolution. Conflicts are resolved automatically by renaming the conflicting
files with older time stamps.

Question: Can users access multiple Work Folders?



Configuring Work Folders


A server administrator must create Work Folders on a Windows Server 2012 R2 or newer file server before
you can configure and use Work Folders on a Windows 10-based computer. To create Work Folders on
Windows Server 2012 R2, you must perform the following steps:

1. Install the Work Folders role service. Before you can configure a file server to host Work Folders, you
first must install the Work Folders role service. You can install it from Server Manager or by running the
following cmdlet:

Install-WindowsFeature FS-SyncShareService

2. Create a sync share for Work Folders. A sync share is the unit of synchronization that can be
synchronized with a user device. You can create a sync share by using Server Manager or by using
the New-SyncShare cmdlet. A sync share can be an existing SMB share, or you can point it to a new
folder. Multiple users can have access to the same sync share. Therefore, you must specify the naming
syntax for the user subfolders. Use either user_alias or user_alias@domain. The first syntax maintains
compatibility with existing user folders that use aliases for their names, while the second syntax
eliminates conflicts between identical user aliases in multiple domains in the same AD DS forest. By
default, users synchronize their whole Work Folders structure, but you can limit the synchronization
to specific subfolders. You also can configure who has permissions to access the sync folder and
device policy, in which you define requirements for devices that will be used for accessing sync shares.

After you configure Work Folders on a file server, you can deploy Work Folders to client devices. Based on
the client device type and whether it is domain-joined or not, you have different options for deploying
Work Folders:
• Manual. You can configure Work Folders by using the Manage Work Folders option in Control Panel.
You can add Work Folders either by entering an email address or the Work Folders URL. If you enter
an email address, the word workfolders is prepended to the email domain to create the URL. For
example, if you enter adam@adatum.com, the URL is https://workfolders.adatum.com. If this URL
does not resolve to the Work Folders server, then auto discovery fails and you must enter the Work
Folders URL.

• Opt-in. You can configure Work Folders settings by using domain-based Group Policy, Microsoft
Intune, or Microsoft System Center Configuration Manager. However, those settings are not
mandatory. Users can decide whether they want to use those settings and configure Work Folders on
the device or not.

• Mandatory. You can use the same three methods (domain-based Group Policy, Microsoft Intune,
or Configuration Manager) to deliver Work Folders settings to a device. However, these settings are
mandatory and users cannot modify them. Work Folders are configured transparently on devices
without user interaction.

Question: Can you use Group Policy to deploy Work Folders centrally to devices that are not
domain-joined?

Demonstration: Enabling Work Folders


In this demonstration, you will see how you can deploy Work Folders on a domain-joined Windows 10
device by using Group Policy and how to deploy Work Folders manually on a workgroup Windows 10
device.

Demonstration Steps
1. On LON-CL1, sign in as user adatum\adam with the password Pa$$w0rd.

2. Use File Explorer to create a new text document named On LON-CL1.txt in Work Folders.

3. On LON-CL4, sign in as user Admin with the password Pa$$w0rd.

4. On LON-CL4, use Work Folders to set up Work Folders with the following settings:

o Work Folders URL: https://lon-dc1.adatum.com

o Credentials: adatum\adam with Pa$$w0rd as the password

5. On LON-CL4, verify that the file On LON-CL1.txt is available in Work Folders.


6. Sign out of LON-CL1.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can use Work Folders only if a Windows 10 device is joined to AD DS.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

A user can have only a single Work Folders in Windows 10.



Lab B: Configuring and Using Work Folders


Scenario
A. Datum Corporation uses an AD DS environment. Many users access company data by using company-
owned computers, but an increasing number of users bring their own devices to work. They would like to
be able to access the same data from their devices. Your task is to implement the Work Folders feature,
which will enable users to synchronize their data between their devices.

Objectives
After completing this lab, you will be able to:

• Configure and deploy Work Folders.

• Use Work Folders to synchronize data between devices.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, 20697-1B-LON-CL4

User names: Adatum\Administrator, Adatum\Adam and Admin


Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The virtual machines should be
running from the previous lab, and you need to start only 20697-1B-LON-CL4. If you need to start a
virtual machine, you can start it by completing the following steps:

1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, click 20697-1B-LON-CL4, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

o User name: Admin


o Password: Pa$$w0rd

Exercise 1: Configuring Work Folders


Scenario
Users currently are using offline files to keep local copies of data in sync with data on a file server.
However, many users are using devices that are not domain members, and they complain that they
cannot use offline files. The IT department is considering implementing Work Folders, but it must confirm
that users with devices that are not domain members will be able to use it, and that Work Folders will be
configured automatically on devices that are domain members. You must implement a proof-of-concept
deployment of Work Folders. Based on the results, the IT department will decide if the Work Folders
feature meets the company's needs.

The main tasks for this exercise are as follows:

1. Install the Work Folders feature and create a sync share.

2. Bind an SSL certificate for Work Folders.

3. Configure Group Policy to deploy Work Folders.

4. Deploy Work Folders on a device that is not a domain member.

5. Use Work Folders to synchronize files.

Task 1: Install the Work Folders feature and create a sync share
1. On LON-DC1, install the FS-SyncShareService feature by using the Install-WindowsFeature cmdlet.

2. Use Server Manager to create a new sync share by using the following data:
o Local path: C:\MarketingSync

o Structure for user folders: User alias

o Grant sync access to groups: Marketing


o Device policies: Only the Encrypt Work Folders policy is selected

3. Use Server Manager to verify that MarketingSync is listed in the WORK FOLDERS section and that
user Adam Barr is listed in the USERS section.

Task 2: Bind an SSL certificate for Work Folders


On LON-DC1, use Internet Information Services (IIS) Manager to add an https site binding to the
Default Web Site. Use the LON-DC1.adatum.com certificate as the SSL certificate.

Task 3: Configure Group Policy to deploy Work Folders


1. On LON-DC1, use Group Policy Management to create and link a Group Policy Object named
Deploy Work Folders to the Marketing organizational unit (OU).
2. In the Deploy Work Folders Group Policy, under User Configuration\Policies\Administrative
Templates\Windows Components\Work Folders, enable the Specify Work Folder settings
setting, configure it with https://lon-dc1.adatum.com as Work Folders URL, and then select the
Force automatic setup check box.

3. On LON-CL1, sign in as adatum\adam with the password Pa$$w0rd.

4. Use File Explorer to create a New Text Document named On LON-CL1 in Work Folders.
5. Verify that the On LON-CL1 file is encrypted.

Task 4: Deploy Work Folders on a device that is not a domain member


1. Switch to LON-CL4, where you are signed in as user Admin.

2. On LON-CL4, open Control Panel and use Work Folders to set up Work Folders with the following
settings:
o Work Folders URL: https://lon-dc1.adatum.com

o Credentials: adatum\adam with the password Pa$$w0rd

3. Verify that the On LON-CL1.txt file is available in Work Folders on LON-CL4.

Task 5: Use Work Folders to synchronize files


1. On LON-CL4, use File Explorer to create a New Text Document named On LON-CL4.txt in
Work Folders.

2. On LON-CL1, verify that only the On LON-CL1.txt file displays in Work Folders.

Note: Work Folders synchronizes every 10 minutes automatically. You also have an option
to trigger synchronization manually.

3. Use File Explorer to sync Work Folders on LON-CL1.

4. Use File Explorer to verify that both files, On LON-CL1 and On LON-CL4, display in Work Folders.
5. Disable the Ethernet network connection by using Administrator and the password Pa$$w0rd as the
credentials.

6. Modify the On LON-CL1.txt file in Work Folders by adding the following content: Modified offline.

7. Create a New Text Document named Offline LON-CL1.txt in Work Folders.


8. On LON-CL4, modify the file On LON-CL1.txt in Work Folders by adding the following content:
Online modification.

9. On LON-CL1, enable the Ethernet network connection. Use Administrator and the password
Pa$$w0rd as the credentials.

10. On LON-CL1, verify that four files are displayed in Work Folders, including On LON-CL1.txt and
On LON-CL1-LON-CL1.txt. The file was modified at two locations, so a conflict occurred, and one
of the copies was renamed.

Note: The file On LON-CL1-LON-CL1.txt appears after a few seconds, when synchronization occurs.

11. Sign out of LON-CL1.

Results: After completing this exercise, you will have configured and used the Work Folders feature
successfully.
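The server-side part of this exercise (Tasks 1 to 3) and the steps listed under "Configuring Work Folders" in Lesson 4, carried out with PowerShell instead of Server Manager, IIS Manager, and the Group Policy Management console, as an added example that is not part of the course. It assumes an elevated session on LON-DC1, a certificate for lon-dc1.adatum.com already in the machine Personal store, the SyncShare, WebAdministration and GroupPolicy modules, and a hypothetical distinguished name for the Marketing OU.

```powershell
# Added example (not course material). Performs Lab B Exercise 1 Tasks 1 to 3 on the
# server: role service, sync share, HTTPS binding, and the Group Policy that pushes Work
# Folders to domain-joined clients. Assumes: elevated session on LON-DC1; a certificate
# for lon-dc1.adatum.com in Cert:\LocalMachine\My; the Marketing OU DN below is an
# assumption and must be checked against the lab forest.
$ErrorActionPreference = 'Stop'

# Task 1: role service and sync share (SyncShare module). -UserFolderName 'user' is the
# "User alias" structure; -RequireEncryption $true is the "Encrypt Work Folders" policy.
Install-WindowsFeature -Name FS-SyncShareService | Out-Null
New-Item -Path 'C:\MarketingSync' -ItemType Directory -Force | Out-Null
New-SyncShare -Name 'MarketingSync' -Path 'C:\MarketingSync' `
    -User 'ADATUM\Marketing' -UserFolderName 'user' -RequireEncryption $true | Out-Null

# Task 2: HTTPS binding on the Default Web Site (WebAdministration module). Work Folders
# clients sync over HTTPS, so the binding must carry a certificate the clients trust.
Import-Module WebAdministration
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object Subject -like '*lon-dc1.adatum.com*' | Select-Object -First 1
if (-not $cert) { throw 'No certificate for lon-dc1.adatum.com in Cert:\LocalMachine\My' }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
$cert | New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' | Out-Null

# Task 3: GPO carrying "Specify Work Folders settings" with "Force automatic setup".
# The policy's registry-backed values (from the Work Folders ADMX) are SyncUrl (string)
# and AutoProvision (DWORD, 1 = forced, transparent setup).
$gpoName     = 'Deploy Work Folders'
$marketingOu = 'OU=Marketing,DC=Adatum,DC=com'   # assumption; verify with Get-ADOrganizationalUnit
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$gpo | New-GPLink -Target $marketingOu -LinkEnabled Yes | Out-Null
$key = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'SyncUrl' -Type String `
    -Value 'https://lon-dc1.adatum.com' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AutoProvision' -Type DWord -Value 1 | Out-Null

# Verification: sync share settings now, and Adam's sync state once LON-CL1 has synced
# (Get-SyncUserStatus parameter names as in the SyncShare module; assumption).
Get-SyncShare | Select-Object Name, Path, User, UserFolderName, RequireEncryption | Format-List
Get-SyncUserStatus -User 'ADATUM\adam' -SyncShare 'MarketingSync' | Format-List
```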

Question: Can a user access the same Work Folders from domain devices and from
workgroup devices?

Lesson 5
Managing Printers
To be able to print over the network in Windows 10, you must understand the Windows 10 printing
components and how to manage them.

This lesson examines the printing components in a Windows 10 environment, including the relation
between printing devices, printers, ports, and drivers. You will see how to install, share, and manage a
printer, and you will review how to use the Print Management tool to administer multiple printers and
print servers.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe Windows 10 printer features.

• Describe printing components.

• Understand benefits of Type 4 printer drivers.

• Install and share a printer.

• Describe how to manage client-side printing.

• Describe how to manage print server properties.

Overview of Printing Components


When you install and share a printer in Windows 10, you must define the relationship between the printing
device, which is the physical printer, and the Windows 10-based computer. You do this by adding a printer
in Windows 10, and then specifying which driver will be used for communicating with the printing device
and processing print jobs, and which port will be used for connecting to the physical printing device.
Typically, locally attached Plug and Play printing devices install automatically. However, when you add a
wireless printing device or a network printing device in Devices and Printers by using the Add printers
button, Windows 10 must be able to communicate with the printing device or with the print server to which
the printing device is connected.

Printing device
A printing device is a physical device that is available locally, connected to the network, or connected
to the print server. You use it to produce the print job output, which is typically a printed document. By
default, Windows 10 supports many printing devices and includes drivers for communicating with those
devices. You can add support for additional devices if needed.

Printer port
Windows 10 can automatically detect printers when you connect them to your computer, and it installs
the printer driver without interaction if the driver is available in the driver store. However, a Windows
operating system might not detect printers that you connect by using older ports, such as serial or parallel
ports, or network printers. In these cases, you must configure a printer port manually.

Printer and printer driver


A printer is a Windows 10 representation of a physical printing device. It is associated with a printer driver,
which is used for communicating with a print device and rendering print jobs. Without a printer driver,
the printing device that connects to a computer will not work properly. A printer driver is responsible for
converting a print job into a page-description language (PDL) that the printer can use to print a job. The
most common PDLs are PostScript, Printer Control Language, and XML Paper Specification (XPS).

In most cases, printer drivers are included with the Windows 10 operating system. If you are missing
a driver for your printer, you can try to download it through Windows Update or from the printer
manufacturer's web page, or you can access it on the media that came with the printer.

Note: The Add Printer Wizard presents you with an exhaustive list of currently installed
printer types. However, if your printer is not on the list, you must obtain and install the necessary
driver.
You can preinstall printer drivers in the driver store, thereby making them available in the printer
list by using the pnputil.exe command-line tool.

Question: Can you add multiple printers in Windows 10, while they are all using the same
physical printing device?

What Are Type 4 Printer Drivers?


Windows traditionally uses separate Type 3 printer drivers for each printer device model. Printer
manufacturers created customized printer drivers for each specific device that they created, to ensure that
Windows could use all of the printer features. When printers are shared on the network, the administrator
must maintain drivers for each printing device in the environment, and the administrator must add separate
32-bit and 64-bit drivers for a single printer to support both types of clients.

Microsoft introduced Type 4 printer drivers in Windows 8 and Windows Server 2012. By following the
Type 4 printer driver model, printer manufacturers can create a single Print Class Driver that supports the
printing features and printing language that are common to a large number of printer models. Common
printing languages include PCL, PostScript, and XPS.

Type 4 printer drivers typically are delivered by using Windows Update or Windows Software Update
Services (WSUS). Unlike Type 3 drivers, Type 4 drivers do not download from a print server.

A Type 4 printer driver model provides the following benefits:

Sharing a printer does not require adding additional drivers that match the client architecture.

A single Type 4 driver can support multiple printer models.

Driver files are isolated on a per-driver basis, which prevents potential driver file-naming conflicts.

Driver packages are smaller and more streamlined than Type 3 drivers, and Type 4 drivers install faster
than Type 3 drivers.

The printer driver and the printer user interface can be deployed independently with Type 4 drivers.

You can read additional information about Type 4 printer drivers at the following URL:

Print and Document Services Architecture: http://aka.ms/vjupv8

Question: Do you need a specific Type 4 printer driver for each printer?

Demonstration: Adding and Sharing a Printer


In this demonstration, you will show how to add a printer, share it, and modify the printer's security, and
then explain some advanced properties that you can configure.

Demonstration Steps
1. On LON-CL1, add a local printer with the following manual settings:
o Printer driver: Microsoft PCL6 Class Driver

o Printer Name: Managers Printer

o Share Name: Managers Printer


2. Remove permissions on the Managers Printer for Everyone group, and then add print permissions for
the Marketing group.

3. Explain Priority and Available from the Advanced tab options.

Managing Client-Side Printing


Companies typically use print servers to provide centralized access to network printing devices. However,
Windows 10 also allows you to connect to a network printing device directly, without a print server.
Alternatively, you can connect a printer locally, such as via USB or over a wireless or Bluetooth connection.

You can manage client-side printing by using various tools, such as Devices and Printers, Print
Management, and the Windows PowerShell cmdlets from the PrintManagement module. Typical
operations include the following tasks:

Modifying printer properties, such as sharing, security, and advanced properties.

Selecting your default printer.

Viewing and managing your print queue.

Pausing or resuming a printer's operation.

Pausing, resuming, restarting, or canceling print jobs.

Reordering print jobs in your print queue.

Modifying printer properties


You can modify printer behavior by configuring printer properties, such as the following:

General printer properties.

Printer's physical location.

Printer-sharing functionality.

Ports that the printer uses.

Times during which the printer is available.

Number of print jobs that can spool at one time.

Names of groups that are allowed to use the printer.

Selecting a default printer


You can add many printers to a Windows 10-based computer, but only one of them can be the default
printer. The default printer is marked with a green check mark in Devices and Printers, and it is used by
default for printing documents. You can print a document from any of the other available printers, but
you must manually select the specific printer that you want to use.

View and manage the print queue


After you initiate a print job, you can view, pause, or cancel it through the print queue, which displays
what is printing or waiting to print. It also displays information such as the job status, who is printing
what, and how many unprinted pages remain. From the print queue, you can view and maintain the
print jobs for each printer.
You can access the print queue from Devices and Printers by right-clicking a printer, and then selecting
the See what's printing option, or by running the Get-PrintJob cmdlet, as the following example shows
for the Printer1 queue:

Get-PrintJob -PrinterName Printer1

You can view all printer-related cmdlets by running Get-Command -Module PrintManagement.
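The queue operations listed in this topic (view, pause, resume, cancel), done with the PrintManagement cmdlets instead of the queue window. This is an added example, not part of the course; Printer1 is the lesson's queue name, and the four-hour threshold for abandoned jobs is an assumption.

```powershell
# Added example (not part of the course): queue management with the PrintManagement
# cmdlets the lesson names. 'Printer1' is the lesson's queue; the 4-hour threshold for
# abandoned jobs is an assumption.
#Requires -Modules PrintManagement
Import-Module PrintManagement

function Show-PrintQueue {
    # Equivalent of the "See what's printing" window: status, owner and progress per job.
    param([Parameter(Mandatory)][string]$PrinterName)
    $printer = Get-Printer -Name $PrinterName
    "{0}: status {1}, {2} job(s) queued" -f $printer.Name, $printer.PrinterStatus, $printer.JobCount
    Get-PrintJob -PrinterName $PrinterName |
        Select-Object Id, DocumentName, UserName, JobStatus, PagesPrinted, TotalPages, SubmittedTime |
        Format-Table -AutoSize
}

function Suspend-UserPrintJobs {
    # Pause every queued job that one account submitted (for example a runaway batch
    # print) while other users' jobs keep flowing. Resume-PrintJob reverses it.
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [Parameter(Mandatory)][string]$UserName
    )
    Get-PrintJob -PrinterName $PrinterName |
        Where-Object { $_.UserName -eq $UserName -and $_.JobStatus -notmatch 'Paused' } |
        Suspend-PrintJob
}

function Remove-StalePrintJobs {
    # Cancel jobs that have waited longer than $MaxAge. A stuck job blocks everything
    # behind it and keeps the spooled document on disk until it is cancelled.
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [timespan]$MaxAge = (New-TimeSpan -Hours 4)
    )
    $cutoff = (Get-Date) - $MaxAge
    Get-PrintJob -PrinterName $PrinterName |
        Where-Object { $_.SubmittedTime -lt $cutoff } |
        ForEach-Object {
            Write-Warning ("Cancelling job {0} '{1}' from {2}, submitted {3}" -f `
                $_.Id, $_.DocumentName, $_.UserName, $_.SubmittedTime)
            Remove-PrintJob -InputObject $_
        }
}

Show-PrintQueue -PrinterName 'Printer1'
Remove-StalePrintJobs -PrinterName 'Printer1'
```

Run the functions against a remote queue by adding -ComputerName to the Get-Printer and Get-PrintJob calls; the cmdlets accept it.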

Pause or resume printer


If you pause a printer, it will still accept print jobs, but they will wait in the print queue and they will not
print. If you resume a printer, print jobs will be sent to the printing device. You can pause or resume a
printer from the printer queue window.

Pause, resume, restart, or cancel a print job


You can pause and resume a single print job or multiple jobs in the queue. To pause or resume an
individual print job, right-click the print job in print queue window, and then click Pause or Resume.
To pause all print jobs, click the Printer menu, and then click Pause Printing. To resume printing, click
Resume Printing.

If a print job is printing in the wrong color or the wrong size, you can start over. To restart a print job,
right-click the specific print job, and then click Restart.
If you start a print job by mistake, it is simple to cancel the print job, even if printing is underway. To
cancel an individual print job, right-click the print job that you want to remove, and then click Cancel.
To cancel all print jobs, click the Printer menu, and then click Cancel All Jobs. The item that is printing
currently might finish, but the remaining items will be cancelled.

Reorder the print queue


If you are printing multiple items, you can change the order in which they print. To reorder the jobs in the
print queue, right-click the print job to reorder, and then click Properties. Modify the print job priority by
using the Priority slider on the General tab of the print job properties page. Print jobs with higher
priority print first.

Question: Which Windows PowerShell cmdlet can you use to modify printer properties?
Question: Can you manage printers that are connected to a remote Windows 10-based
computer by using Devices and Printers?

Managing Print Server Properties


Windows 10 can act as a print server, or you can connect to Windows-based print servers through the
Print Management Console and manage them remotely. Windows 10 includes the Print Management
Console in the Administrative Tools, and you can open it from there or by typing Printmanagement.msc
in the Search the web and Windows field on the taskbar. The Print Management Console provides a
single interface through which you can administer multiple printers and print servers and perform
management tasks, such as:

Add and remove print servers.

Add and delete printers.


Add and manage drivers.

Manage print queues.

View and modify status of printers.


Create custom filters to view printers that match certain criteria.

Add and remove print servers


When you open the Print Management Console for the first time, it is connected only to the local Windows
10-based print server. If you have appropriate permissions, and you want to manage other Windows-
based print servers, you must first add them to the Print Management Console by right-clicking the Print
Servers node, and then selecting Add/Remove Print Servers.

Add and delete printers


You can add or delete printers locally or remotely on any print server that is added to the Print
Management Console. You add printers by using the Network Printer Installation Wizard, which is similar
to the Add Printer Wizard in Devices and Printers. The Network Printer Installation Wizard allows you to:

Search the network for printers.

Add a TCP/IP or Web Service Printer by IP address or host name.

Add a new printer by using an existing port.

Create a new port, and add a new printer.



Add and manage drivers


When you add a printer, Windows also installs a driver for the appropriate printing device. For example, if
you add a PostScript printing device on the 32-bit version of Windows 10, a 32-bit Windows 10 driver for
PostScript will be installed. However, when you share that printer, other users might connect to it and use
the printer. Therefore, you should provide drivers for the operating systems that they are using. For
example, if someone is using a 64-bit version of Windows 7, you might want to add a 64-bit driver to
your Windows 10-based print server. The Print Management Console allows you to add printer drivers by
running the Add Printer Driver Wizard. Be aware that with Type 4 printer drivers, users no longer need
multiple drivers for different printers, and printer drivers are not downloaded from the print server but
from Windows Update or from Windows Update for Business.

Managing print queues


You can view printers that are installed on a specific print server by clicking the Printers node under
that print server. You also can view all installed printers on all print servers that are added to the Print
Management Console by selecting the All Printers node. You can view the printer queue by right-clicking
the printer, and then selecting Open Printer Queue from the shortcut menu. From the print queue
window, you can pause, resume, restart, cancel, or reorder print jobs.

View and modify the status of printers


The All Printers node shows information about every printer that is connected to any print server that
you have added to the Print Management Console. There you can view the print queue status of the
printer, number of jobs in the queue, name and version of the printer driver, and the driver type.

Create custom filters to view printers that match certain criteria


The Print Management Console includes four custom filters by default: All Printers, All Drivers, Printers
Not Ready, and Printers With Jobs. You can add new custom printer or driver filters by defining one or
more conditions that printers must match to appear when you select the filter. For example, you could
create a custom filter to show printers that are at a specific location, regardless of the print server to
which they are connected, or to show printers that have more than five print jobs in a print queue.

Note: You can use the Devices and Printers tool to manage printers only on local
Windows 10-based computers. When you use the Print Management Console, you can manage
printers on local Windows 10-based computers, in addition to printers that are connected to
other Windows-based print servers.

Question: Do you need to turn on any Windows feature to be able to install and share
printers on Windows 10 and use the Print Management tool?

Question: Can you use the Print Management tool for managing printers only on
Windows 10-based and Windows 8.1-based computers?

Check Your Knowledge


Question

Which tool would you use to manage printers on multiple Windows 10-based
computers in the AD DS environment?

Select the correct answer.

Device Manager

Printers & Scanners

Print Management

Computer Management

Connected Devices

Verify the correctness of the statement by placing a mark in the column to the right.

Statement | Answer
You can add multiple printers in Windows 10 for a single printing device that is connected to your computer. |

Lab C: Installing and Managing a Printer


Scenario
Marketing users want to add and share their local printer. You need to demonstrate to them how to use
Devices and Printers and Print Management to add, share, and manage a printer. You also need to
demonstrate how to limit who can use a shared printer.

Objectives
After completing this lab, you will be able to:

Add and share a local printer.


Configure printer security.

Use Print Management to manage printers.

Manage print jobs.

Lab Setup
Estimated Time: 20 minutes

Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, 20697-1B-LON-CL2


User names: Adatum\Administrator and Adatum\April

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. If virtual machines are already running
from the previous lab, you do not need to start any virtual machines. Before you begin the lab, all virtual
machines that are used in this lab must be running. You can start them by completing the following steps:

1. On the host computer, start Hyper-V Manager.


2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Repeat steps 2 and 3 for 20697-1B-LON-CL1 and 20697-1B-LON-CL2. Do not sign in until directed
to do so.

Exercise 1: Managing and Using a Printer


Scenario
In this exercise, you will perform basic printer configuration. You will add a local printer by using Devices
and Printers. You then will configure printer security, and use the Print Management tool to add a printer
on a remote computer. You also will connect to a remote printer, and then manage a print job.

The main tasks for this exercise are as follows:


1. Add and share a local printer.

2. Configure printer security.

3. Use Print Management to manage a remote printer.


4. Connect to a remote printer.

5. Print a document, and manage a print job.

Task 1: Add and share a local printer


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Add a local printer with the following manual settings:

o Printer driver: Microsoft PCL6 Class Driver


o Printer Name: Managers Printer
o Share Name: Managers Printer

Task 2: Configure printer security


On LON-CL1, remove permissions on the Managers Printer for the Everyone group, and add print
permissions for the Managers group.
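The Demonstration earlier in the lesson and Tasks 1 and 2 of this lab, done with PrintManagement cmdlets instead of the wizard and the Security tab. This is an added example, not the course's own steps; it assumes the ADATUM domain and the Managers group from the lab, and uses LPT1: as the port the wizard would otherwise create.

```powershell
# Added example (not part of the course): add, share and restrict a local printer with
# the PrintManagement module. Assumptions: the ADATUM domain and Managers group from
# the lab; LPT1: stands in for the port the Add Printer wizard would create.
#Requires -RunAsAdministrator
#Requires -Modules PrintManagement

param(
    [string]$Name       = 'Managers Printer',
    [string]$Driver     = 'Microsoft PCL6 Class Driver',
    [string]$Port       = 'LPT1:',
    [string]$Domain     = 'ADATUM',
    [string]$PrintGroup = 'Managers'
)

# Task 1: add the local printer and share it under the same name.
if (-not (Get-Printer -Name $Name -ErrorAction SilentlyContinue)) {
    Add-Printer -Name $Name -DriverName $Driver -PortName $Port -Shared -ShareName $Name
}

# Task 2: a printer's security descriptor is exposed as an SDDL string. The default DACL
# grants Everyone (SID alias WD) the Print permission through two ACEs:
#   (A;;SWRC;;;WD)    SW = PRINTER_ACCESS_USE (0x8), RC = READ_CONTROL -> may print
#   (A;CIIO;RC;;;WD)  read permissions on the printer's documents (inherit-only)
$sddl = (Get-Printer -Name $Name -Full).PermissionSDDL

# Remove every ACE whose trustee is Everyone, whatever rights it carried. The other
# default ACEs (Administrators, CREATOR OWNER, ALL APPLICATION PACKAGES) stay, as they
# would when you remove Everyone on the Security tab.
$sddl = [regex]::Replace($sddl, '\([^()]*;WD\)', '')

# SDDL takes SIDs, not account names, so resolve the group first.
$account = New-Object System.Security.Principal.NTAccount($Domain, $PrintGroup)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Grant the group exactly the Print permission Everyone had (same two ACEs, new SID),
# not Manage this printer or Manage documents.
$sddl += "(A;;SWRC;;;$sid)(A;CIIO;RC;;;$sid)"
Set-Printer -Name $Name -PermissionSDDL $sddl

# Check the result rather than trusting the call: Everyone gone, the group present.
$result = (Get-Printer -Name $Name -Full).PermissionSDDL
if ($result -match ';WD\)') { throw "Everyone still has access to '$Name'" }
if ($result -notmatch [regex]::Escape($sid)) { throw "$Domain\$PrintGroup was not added" }
Get-Printer -Name $Name -Full | Select-Object Name, Shared, ShareName, PermissionSDDL
```

Opening the printer's Security tab afterwards shows the same change the script made, which is the check the lab's Task 4 relies on when April is prompted for credentials.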

Task 3: Use Print Management to manage a remote printer


1. On LON-CL1, use Print Management to add LON-CL2 and LON-DC1 as print servers.

2. Use Print Management to add a printer on LON-CL2 with the following settings:
o Printer driver: Microsoft PS Class Driver

o Printer Name: PostScript Printer

o Share Name: PostScript Printer

Task 4: Connect to a remote printer


1. Sign in to LON-CL2 as Adatum\April with the password Pa$$w0rd. April is a member of the IT group,
but she is not a member of the Managers group.

2. Verify that you can see the PostScript printer that you added remotely in the previous task.

3. Try to add the \\LON-CL1\Managers Printer printer by using the Select a shared printer by name
option.

Note: Because April is not a member of the Managers group, and she does not have
permissions to \\LON-CL1\Managers Printer, you are asked to enter credentials with the
appropriate permissions.

4. Add the \\LON-DC1\Printer1 network printer.

5. Verify that Printer1 on lon-dc1 is added and that it is the default printer.

Task 5: Print a document, and manage a print job


1. On LON-CL2, type your name in Notepad, and then print the document on the Printer1 on lon-dc1
printer.

2. On LON-CL1, use Print Management to verify that Printer1 is listed as the only printer with jobs
pending.
3. On LON-CL1, view the printing jobs on Printer1 on lon-dc1.

4. Review the properties of the Untitled Notepad printing job on Printer1 on lon-dc1.

5. Cancel the Untitled Notepad printing job on Printer1 on lon-dc1.


6. On LON-CL1, use Print Management to verify that no pending job appears in the printer pending
job list.

Results: After completing this exercise, you will have added a local and remote printer. You also will have
configured printer security, and used the Print Management feature to manage printers.

Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-CL1, 20697-1B-LON-CL2, and 20697-1B-LON-CL4.



Module Review and Takeaways


Best Practice: File Permissions
Supplement or modify the following best practices for your own work situations:

To simplify the assignment of permissions, you can grant the Everyone group Full Control share
permission to all shares, and then you can configure file permissions to control access. Restrict share
permissions to the minimum required to provide an extra layer of security in case file permissions are
configured incorrectly.

When you disable permission inheritance, you have options to convert inherited permissions into
explicit permissions, or you can remove all inherited permissions. If you only want to restrict a
particular group or user, then you should convert inherited permissions into explicit permissions to
simplify the configuration process.

Best Practice: Managing Shared Folders


Supplement or modify the following best practices for your own work situations:

Be aware that Network File and Folder Sharing (sometimes also referred to as Simple File Sharing)
modifies both file permissions and shared-folder permissions, whereas Advanced Sharing sets only share
permissions and does not modify file permissions.

If the guest user account is enabled on your computer, the Everyone group includes anyone. In
practice, remove the Everyone group from any permission lists, and replace it with the Authenticated
Users group.

Be aware that if you use a different firewall than the one that Windows 10 includes, it can interfere
with the network discovery and file sharing features.

Review Questions
Question: On which objects can you set file-level permissions?
Question: Robin recently created a spreadsheet and assigned it file permissions that
restricted file access only to her. Following the system reorganization, the file moved to a
folder on a different NTFS volume, and Robin discovered that other users were able to open
the spreadsheet. What is the probable cause of this situation?

Question: Can you access Work Folders content on a computer without network
connectivity?

Module 7
Managing Apps in Windows 10
Contents:
Module Overview 7-1

Lesson 1: Overview of Providing Apps to Users 7-2

Lesson 2: The Windows Store 7-8


Lab A: Installing and Updating Apps from the Windows Store 7-13

Lesson 3: Web Browsers 7-17


Lab B: Configuring Windows 10 Web Browsers 7-29
Module Review and Takeaways 7-33

Module Overview
Users require apps for every task that they perform on their computers, such as editing documents,
querying databases, and generating reports. As part of administering the Windows 10 operating system,
you need a strategy for deploying and managing the apps that your organization's users will run on their
new Windows 10 computers and devices. Based on your organization's specific needs, you can choose
from a variety of methods to deploy and manage apps, ranging from manual deployment methods to
management that you partially or fully automate.

Objectives
After completing this module, you will be able to:
Describe Windows 10 options for app deployment.

Install and manage Windows Store apps.

Configure Windows 10 web browsers.



Lesson 1
Overview of Providing Apps to Users
In your organization, you may face scenarios in which certain app-deployment methods are better for
your organization than other methods. In this lesson, you will learn about traditional app-deployment
methods, as well as methods that you can use to help to automate app deployment.

Lesson Objectives
After completing this lesson, you will be able to:

Differentiate between the types of apps in Windows 10.


Describe manual app installation.

Explain the methods for automating installation of desktop apps.

Types of Windows 10 Apps


Windows 10 includes two types of apps: desktop apps and Windows Store apps. Users install and manage
these two types of apps in different ways. Furthermore, network administrators can make Azure
RemoteApp apps available for users. The following sections outline the differences between these types
of apps.

Desktop apps
Desktop apps are traditional apps, such as Microsoft Office 2013. Most users and network administrators
are familiar with desktop apps. An administrator can install desktop apps on Windows 10 computers
locally by using one of three methods: with a product DVD that contains a desktop app, over the network,
or by downloading an app from a vendor's website. As an administrator, when you install Windows
desktop apps, you can:

Install by using the .exe or .msi installer files.


Automate installations.

Replace apps by using distributed app installation and execution methods in larger environments.

Windows Store apps


A Windows Store app is a special type of app that works on computers that are running Windows 8 and
newer operating systems. Windows Store apps do not run on Windows 7 or older Windows versions.
Generally, Windows Store apps are smaller, faster, and more task-focused than desktop apps. Windows
Store apps provide a small number of functions, or sometimes only one function, and:
Can run on Windows 10, Windows 8.1, Windows 8, Windows RT 8.1, and Windows RT.

Are available from the Windows Store or through sideloading.


Are distributed in the .appx file format, and must be digitally signed.

Are designed for touch. With Windows 8.1, you can run two Windows Store apps side by side, each
using half the screen. In Windows 10, you can run Windows Store apps in windows that you can resize
in the same way as desktop apps.

Are not installed by means of traditional app-deployment methods.

Universal Windows Platform apps


You can install Universal Windows Platform (UWP) apps on multiple hardware platforms, such as an Intel
tablet that is running Windows 10 Pro, an Xbox One, or a Windows Phone 10.

RemoteApp apps
Windows Server 2012 R2 RemoteApp apps display locally but run remotely. From a user's perspective, a
RemoteApp app appears to be the same as any other app that runs on a computer. Consider deploying
RemoteApp in situations where an app does not run on a client computer.

Some scenarios in which you can use RemoteApp to deploy an app include when users of:
Windows RT 8.1 computers need to access an app that only runs on the x64 version of Windows 10.
Computers that run the x86 version of Windows 10 need to access an application that is available
only in an x64 version.

Computers that have 4 gigabytes (GB) of random access memory (RAM) need to run an application
that requires 8 GB of RAM.

In each of the preceding scenarios, you can provide the app by using RemoteApp. The app displays
locally, but runs on a platform that has appropriate hardware resources to support the app.

Installing Desktop Apps Manually

To install a desktop app from local media, you insert a product DVD that contains a desktop app, and
then Windows 10 prompts you with the next steps. Typically, you choose to run Setup.exe.

Note: You also can install desktop apps by using Control Panel. If a network administrator
has made apps available for network installation, you can open Control Panel, and then click Get
Programs. A list of apps that are available for network installation displays. Windows 10 makes
these apps available by using Group Policy Objects (GPOs) and software distribution points.

The installation process for a desktop app begins, and the app installs. By default, all users run as standard
users. Windows 10 prompts you to elevate to full administrator privileges through User Account Control
(UAC) to install the app.

Note: Apps that you install across a network can install automatically without your
intervention, depending on the app package's configuration.

The Windows Installer service


Windows Installer is the Windows 10 desktop-app installation and configuration service, and it works with
app packages in the .msi file format. Vendors often already make apps available in the .msi format. You
also can use non-Microsoft app-packaging products to convert app installers from the .exe file format to
Windows Installer packages in the .msi format.

A Windows Installer package in the .msi format includes the information that is necessary to add, remove,
and repair an app. You can install an app installer in the .msi format locally, or you can deploy it through
an automatic app-deployment solution, such as Group Policy or System Center Configuration Manager.
Because of the way that Windows Installer packages manage changes to an operating system, apps that
you deploy from these packages are more likely to uninstall cleanly than those that you deploy by using
apps installers in executable files. This is important from an app-management perspective, because the
ability to remove an app cleanly, without leaving any trace of it on a device, is as important as installing it
correctly in the first place.
If an app is packaged as an .msi file, and is accessible from the target device, you can run Msiexec.exe
from an elevated command prompt to install a desktop app. For example, to install an app from a shared
folder, type the following command at a command prompt, and then press Enter:

Msiexec.exe /i \\lon-dc1\apps\app1.msi

Administrators also can use Windows Installer to update and repair installed desktop apps.
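An unattended Msiexec.exe run wrapped in PowerShell, as an added example that is not from the course: it checks the package's Authenticode signature before installing (an .msi executes custom actions with the elevated rights the text describes), keeps the verbose log that makes a failed deployment diagnosable, and interprets the exit code. The share path is the one from the text; the log folder is an assumption.

```powershell
# Added example (not from the course): unattended .msi installation with a signature
# check, a verbose log and exit-code handling. The log folder is an assumption.
#Requires -RunAsAdministrator

function Install-MsiPackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$LogDir = "$env:ProgramData\AppInstallLogs"   # assumed location
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Package not found: $Path" }

    # Custom actions inside an .msi run with the elevated rights UAC granted, so only
    # install packages whose signature is valid and chains to a trusted publisher.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to install '$Path': signature status is $($sig.Status)"
    }

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $log = Join-Path $LogDir ("{0}-{1}.log" -f [IO.Path]::GetFileNameWithoutExtension($Path), $stamp)

    # /i install, /qn no UI, /norestart suppress an automatic reboot, /l*v verbose log.
    $msiArgs = @('/i', "`"$Path`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

    # Windows Installer exit codes: 0 = success, 3010 = success, restart required.
    switch ($proc.ExitCode) {
        0       { Write-Output "Installed $Path (log: $log)" }
        3010    { Write-Output "Installed $Path; a restart is required (log: $log)" }
        default { throw "msiexec exited with $($proc.ExitCode); see $log" }
    }
    return $proc.ExitCode
}

Install-MsiPackage -Path '\\lon-dc1\apps\app1.msi'
```

Publisher: $sig.SignerCertificate.Subject identifies who signed the package, which is worth logging alongside the exit code when the same script is reused for several vendors.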

Installing Desktop Apps Automatically


A single, user-directed installation process works for scenarios in which a desktop app will be installed
only once or twice. However, for larger and more complex installations, you should plan and perform an
automated desktop-app deployment. Several options exist for automating desktop-app deployment to
Windows 10 computers.

Automating installation by using Group Policy
Group Policy software deployment enables you to deploy desktop apps in the Windows Installer .msi
file format to computers that belong to an Active Directory Domain Services (AD DS) environment. Group
Policy software deployment offers the most basic form of automated app deployment. To perform Group
Policy software deployment, you configure a GPO. Use Group Policy as a software-deployment method in
small organizations where the desktop apps that you want to deploy already are packaged in the
Windows Installer format.

Group Policy software deployment has the following requirements and properties:
The target computers must belong to an AD DS domain.

You must package the software in the Windows Installer .msi file format.

User and computer accounts can be the targets of an app deployment.


You can target a deployment at the domain level, the site level, or the organizational unit (OU) level.

Group Policy software deployment supports the following deployment types:

Assign. You can assign apps to users or computers. When you assign an app to a user, the app installs
when the user signs in. When you assign an app to a computer, the app installs when the computer
starts.
Publish. You can publish apps to users. Doing so makes an app available through the Programs and
Features item in Control Panel. You cannot publish apps to computers.

Group Policy software deployment has the following drawbacks:

It can be difficult to determine whether a deployment is successful. Group Policy software
deployment does not include reporting functionality. The only way to determine whether an app
has installed correctly is to check it manually.

There is no prerequisite checking. Group Policy software deployment does not enable you to perform
prerequisite checks directly. You can use Windows Management Instrumentation (WMI) queries to
perform these checks. However, this complex operation requires significant expertise and time.

There is no installation schedule. Deployment will occur the next time a Group Policy refresh occurs.
You cannot schedule Group Policy software deployment to occur at a specific date and time.

Automating installation by using MDT


Microsoft Deployment Toolkit (MDT) 2013 Update 1 is a solution accelerator that you can use to
automate the deployment of operating systems and apps to devices. You can use MDT to perform lite-
touch installation (LTI). LTI requires that you trigger an operating system deployment or app installation
on each computer, but it requires minimal intervention after the deployment begins. You can use MDT to
perform automated app and operating-system deployment without deploying Configuration Manager.
However, you can use MDT when you integrate it with Configuration Manager to perform zero-touch
installation (ZTI). ZTI enables app and operating-system deployment and migration without requiring any
intervention.
The LTI process requires only the tools that are available in MDT. You do not need to deploy
Configuration Manager in your environment to perform LTI. To perform LTI by using MDT, perform
the following steps:

1. Deploy MDT on a computer that will function as the management computer, create a deployment
share on this computer, and then import the image files that you will use.

2. Create a task sequence and a boot image for the computer that will function as the reference
computer.

3. Start the reference computer by using the medium that contains MDT. The task sequence files, task
sequence, and boot image transfer to the reference computer.

4. Use the Windows Deployment Wizard to deploy the operating system and required apps. After
deployment, capture the reference computer as an image.

5. Transfer the captured image to the management computer.

6. Create a new boot image and task sequence for deployment to the target computers.
7. Start the deployment target computers by using the medium that contains MDT. The task sequence
files, task sequence, and boot image transfer to the reference computer.

8. Run the Windows Deployment Wizard to deploy the prepared image.



Automating installation by using Configuration Manager


Configuration Manager provides a comprehensive platform for app deployment and management, and
it supports deploying apps in the .exe, .msi, .appv, and .appx file formats. Configuration Manager enables
administrators to target deployments to groups of users and computers, and to configure deployments
to occur at specific dates and times. Computers must have the Configuration Manager client installed to
receive software that Configuration Manager deploys. Using Configuration Manager provides you with a
number of benefits, including:

Collections. Configuration Manager enables you to create collections that consist of manually created
groups of users or computers, or collections based on the results of queries of user or computer
properties. You then can target app deployment to these collections. For example, you can create a
collection that includes only the computers that are located at a specific site with a certain deployed
app and a specific piece of installed hardware.

Multiple deployment types. Configuration Manager enables you to use multiple deployment
types. With this feature, you can configure a single app deployment but make it possible for
that deployment to occur in different ways, depending on the conditions that apply to the target
computer or user. For example, you can configure an app to install locally if a user is logged on
to his or her primary device, but to stream as an App-V app if the user is logged on to another device.

Note: App-V, which is part of the Microsoft Desktop Optimization Pack, is a Microsoft
solution that allows users to run virtualized applications on their computers without having to
install or configure them locally.

Deployment types also enable you to configure the deployment of the x86 version of an app if the
target computer has a 32-bit processor, or to configure the deployment of the x64 version if the
target computer has a 64-bit processor.

Reporting. This feature enables you to determine how successful an app deployment was after its
completion. Configuration Manager also enables you to simulate app deployments before
performing them, enabling you to determine if any factors that you have not considered might
block a successful app deployment.

Wake on LAN (WOL). Instead of interrupting a user with an app installation that might require a
restart, which could disrupt his or her current productivity, WOL functionality allows you to schedule
app deployment to occur after normal business hours. Typically, users are done working during this
time, and compatible computers are in a low power state.

Software inventory, software metering, and Asset Intelligence. A software inventory provides you with
a list of which apps are installed on your organization's computers. You can use software metering to
monitor how often particular apps are used. You can use the Asset Intelligence feature to check
software-licensing compliance. This helps you ensure that the number of apps deployed in your
organization equals the number of software licenses that you have available.

Automating installation by using Microsoft Intune


You can use Microsoft Intune to perform app deployments and manage computers that run Windows 10,
Windows 8.1, Windows 8, Windows RT 8.1, Mac OS X, Windows 7, Windows Vista, and Windows Phone,
iOS, and Android devices. However, you first must deploy the Microsoft Intune client on target computers
if you want to use Microsoft Intune.

Note: If users have local Administrator rights, they can perform this operation themselves
by downloading Microsoft Intune client software from their organization's Microsoft Intune site.
If users do not have Administrator rights, they can install a Microsoft Intune client by using
Windows Remote Assistance or by bringing their computers to a branch office location.

After the Microsoft Intune client is installed, you can:

Use Microsoft Intune to manage Windows computers, irrespective of whether they are members of an
AD DS domain.

Use Microsoft Intune to deploy apps to Microsoft Intune clients, in both the .exe and .msi file formats.

Note: You must upload apps to Microsoft Intune before you can deploy them.

Make software available as an optional installation or configure it as a required installation.

Use reporting features of Microsoft Intune. This provides reporting on the success and failure of
targeted app deployment, and it means that you can determine how many clients out of the target
group successfully installed the deployed app.

Remove apps that previously were deployed to client computers.

Integrate Microsoft Intune with Configuration Manager. You then can manage devices that are
hosted in both platforms from a single console.

Check Your Knowledge


Question

Which of the following statements about installing apps in Windows 10 is true?


(Choose all that apply)

Select the correct answer.

Desktop apps are installed with either .exe or .appx installer files.

Windows Store apps are installed with .appx files.

RemoteApp apps allow users of Windows RT computers to run apps that are
designed for 64-bit versions of Windows 10.

Desktop apps must be signed digitally.

Windows Store apps must be signed digitally.



Lesson 2
The Windows Store
Windows 10 supports Windows Store apps, which were introduced with Windows 8 and Windows RT.
Windows Store apps are small, light, and easily accessible. It is important that you know how to manage
user access to the Windows Store, which will enable you to control the installation and use of these apps.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Windows Store and Windows Store apps.


Describe sideloading apps.

Sideload Windows Store apps.

What Is the Windows Store?


The Windows Store provides a convenient, single
location for users to access and download apps.
Users can access the Windows Store from Start,
without navigating to Control Panel.

Note: Windows 10 users do not need to sign in with a Microsoft account to access and browse the
Windows Store. However, to download and install apps from the Windows Store, users must sign in to
Windows by using a Microsoft account. Users can create a Microsoft account during Windows 10
installation, or they can define it after installation.

Windows Store apps


In Windows 8.1, the Windows Store enables users to access and install Windows Store apps, which are
not the same as desktop apps, such as Microsoft Office 2013. In Windows 10, the Windows Store enables
users to deploy both Windows Store apps and desktop apps.

These apps can communicate with one another and with Windows 10 so that it is easier to search for and
share information, such as photographs. After an app installs, users can see tiles on Start. Some of those
tiles continuously update with live information from installed apps.

Finding Windows Store apps


The home page is the initial page that users see when accessing the Windows Store. When users connect
to the Windows Store, they can locate apps easily on the home page, searching through several
categories, including Games, Entertainment, Music & Videos, and others.
Users also can use Windows 10 Search to search the Windows Store for specific apps. For example, if users
are looking for video-editing apps, they can perform the following procedure: tap Search, type in a search
text string, and then tap Store. The Windows Store returns suitable apps from which the user can make a
selection.

Installing Windows Store apps


Installing Windows Store apps is a simple task for most users. They can install with a single tap on the
appropriate app from the Windows Store list. Apps install in the background, so users can continue
browsing the Windows Store. After an app installs, a tile for the app appears in Start.

Note: Windows 10 enables you to determine the installation location of apps. In Windows
8.1, Windows Store apps installed on the C drive. In Windows 10, you can move apps after you
install them. To do this, perform the following procedure: open Settings, and then select System.
Then tap Apps & features. A list of your apps should appear. Tap each app that you want to
move, and then tap Move. This feature is useful especially on smaller tablet and phone devices
that are running Windows 10, because free storage space can be limited on the system drive.
However, users can add storage by using micro secure digital (SD) cards.

Installing Windows Store apps on multiple devices


Many users have multiple devices, such as desktop and laptop computers. The Windows Store allows
multiple installations of a single Windows Store app so that users can run the app on all of their devices.

Note: You can synchronize Windows Store apps between your Windows 8.1 devices.
However, in Windows 10, you must manually install your apps on each device.

Updating Windows Store apps


Windows 10 checks the Windows Store for updates to installed apps on a daily basis. When an update for
an installed Windows Store app is available, by default, Windows automatically updates the app.

Note: Windows also displays a counter on the menu bar of the Windows Store app. This
counter displays how many apps you can update.

However, you can control this behavior and manually select which apps you wish to update.
To control app update behavior, perform the following procedure:

1. Open the Windows Store.

2. Next to the Search box at the top of the display, tap the account symbol, and then tap Settings.

3. Under App updates, turn off Update apps automatically.

To update apps manually, perform the following procedure:

1. Open the Windows Store.

2. Next to the Search box at the top of the display, tap the account symbol, and then tap
Downloads.

3. All apps with updates pending are displayed. You can tap Update all. Alternatively, you can select
which apps to update manually.

Note: You also can access a list of all your apps from the Settings menu. Tap My Library,
and a list of your apps is displayed. These apps may not be installed on your device currently, but
you may have installed them previously on one of the devices associated with your Microsoft
account.

What Is Sideloading?
If your organization has developed custom
Windows Store apps, you can use sideloading
to install these apps. When sideloading a
Windows Store app, you use an .appx installer
file. You can use Dism.exe or the Windows
PowerShell command-line interface to sideload
and manage Windows Store apps.

Note: For large-scale deployment of sideloaded apps, an enterprise organization could use
Microsoft System Center 2012 R2 Configuration Manager. They could also consider using Microsoft
Intune to deploy Windows Store apps by using the Self-Service Portal.

To prevent malware from deploying through the sideloading process, Windows 10 only allows installation
of apps that the developer has signed by using a trusted root certificate. If your organization creates a line
of business (LOB) app, it must be signed by using the organizational trusted root certificate.

Note: You can use a self-signed certificate to sideload an app, but this is not a best practice
in a production environment.

The process of sideloading apps


To sideload an app, you first must enable the Windows 10 sideloading feature by performing the
following procedure:

1. Opening Settings, and then tapping Update & security.

2. On the For developers tab, select Sideload apps.


3. In the Use developer features dialog box, tap Yes.

Note: In Windows 8.1, it is necessary to either edit the device's registry or use GPOs to
configure this behavior by enabling the Allow all trusted apps to install option in the App
Package Deployment node.

If the app is signed with a trusted certificate, proceed to installing the app. However, if the app is signed
by a certificate that your device does not trust, you must install the certificate into the computer's Trusted
Root Certification Authorities node. To do this, perform the following procedure:

1. Open File Explorer.

2. Locate the certificate that came with the app. Tap and hold the certificate, and then tap Install
Certificate.

3. On the Certificate Import Wizard page, tap Local Machine, and then tap Next.

4. On the Certificate Store page, tap Place all certificates in the following store, tap Browse, tap
Trusted Root Certification Authorities, tap OK, tap Next, and then tap Finish.

5. In the Certificate Import Wizard dialog box, confirm that the import was successful, and then
tap OK.

You now can install the app by performing the following procedure:

1. Open Windows PowerShell.

2. Run the add-appxpackage PATH\APP.appx cmdlet, replacing PATH with the full pathname to the
app, and then replacing APP.appx with your app's name.

The app now should appear in Start.
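The sideloading procedure above (enable the feature, trust the certificate, run add-appxpackage) is shown here as a single Windows PowerShell script with the checks a security-conscious administrator adds before trusting anything. This is an added example, not code from the course; it assumes the lab share paths used in this module, an elevated Windows PowerShell session on Windows 10, the package Name pattern TestAppTKL1* (hypothetical; match it to your package), and that the Settings > For developers switch and the Allow all trusted apps to install policy surface as the AllowAllTrustedApps registry value at the two locations named in the comments. The cmdlets used (Get-AuthenticodeSignature, Import-Certificate, Add-AppxPackage, Get-AppxPackage, Remove-AppxPackage) are standard Windows PowerShell cmdlets.

```powershell
# Added example, not part of the course: sideload a line-of-business .appx only
# after confirming it is signed by the certificate you were handed, then trust
# that certificate, install the package, and show how to remove it again.
# Assumptions: the paths point at the course's lab share; the two registry
# locations below are where the "For developers" setting and the "Allow all
# trusted apps to install" policy record AllowAllTrustedApps; run elevated.

param(
    [string]$PackagePath        = '\\lon-dc1\apps\App1.appx',
    [string]$CertPath           = '\\lon-dc1\apps\LeXProductsGrid81_1.1.0.2_AnyCPU.cer',
    [string]$PackageNamePattern = 'TestAppTKL1*'   # hypothetical; match your package's Name
)

function Test-SideloadingEnabled {
    # Either location carries AllowAllTrustedApps = 1 when sideloading is switched on.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock',  # Settings > For developers
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'                   # App Package Deployment GPO
    )
    foreach ($key in $keys) {
        $v = Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
        if ($v -and $v.AllowAllTrustedApps -eq 1) { return $true }
    }
    return $false
}

function Test-PackageSignedBy {
    param([string]$Package, [string]$Certificate)
    # Walk the package signer's chain and require the supplied .cer to appear in it,
    # so an unrelated root is never imported on the strength of a file name alone.
    # For the self-signed lab certificate the signer and the .cer are the same cert.
    $sig = Get-AuthenticodeSignature -FilePath $Package
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { return $false }
    $cer   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Certificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null  = $chain.Build($sig.SignerCertificate)   # $false until the root is trusted; elements still filled
    $thumbprints = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
    return ($thumbprints -contains $cer.Thumbprint)
}

if (-not (Test-SideloadingEnabled)) {
    throw 'Sideloading is not enabled (Settings > Update & security > For developers > Sideload apps).'
}
if (-not (Test-PackageSignedBy -Package $PackagePath -Certificate $CertPath)) {
    throw "$PackagePath is not signed by $CertPath; the certificate will not be trusted."
}

# Trust the certificate machine-wide, which is what the Certificate Import Wizard steps do.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# With the root trusted, the package signature should now verify as Valid.
$status = (Get-AuthenticodeSignature -FilePath $PackagePath).Status
if ($status -ne 'Valid') { throw "Signature status is $status after importing the certificate." }

# Install for the current user and confirm that the package registered.
Add-AppxPackage -Path $PackagePath
$installed = Get-AppxPackage -Name $PackageNamePattern
if (-not $installed) { throw 'The package did not register for this user.' }
$installed | Select-Object Name, Version, PackageFullName, SignatureKind

# Removal, the command-line counterpart of right-clicking the tile and choosing Uninstall:
# Get-AppxPackage -Name $PackageNamePattern | Remove-AppxPackage
```

The chain check is the part worth keeping even when the rest is done through the wizard: importing a root certificate into Trusted Root Certification Authorities makes every certificate it issues trusted for code signing and TLS on that machine, so the script refuses to import a .cer that does not actually sit in the package signer's chain. The SignatureKind column in the final output shows Developer for a sideloaded package, which is a quick way to spot sideloaded apps during an inventory.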

Demonstration: Sideloading Windows Store Apps


In this demonstration, you will see how to:

Enable sideloading.
Install a certificate.

Sideload an app.

Remove an installed Windows Store app.

Demonstration Steps
Enable sideloading
1. Sign in to LON-CL1 as Adatum\Chad with the password Pa$$w0rd.
2. Open Settings, and then navigate to Update & Security/For developers.

3. Enable Sideload apps.

4. Close all open windows.

Install the root certificate


1. Right-click the file \\lon-dc1\apps\LeXProductsGrid81_1.1.0.2_AnyCPU.cer.

2. Install the certificate into the Local Machine Trusted Root Certification Authorities certificate
store.

3. Confirm that the import was successful.

Install a Windows Store app


1. Sign in to LON-CL1 as Adatum\April with the password Pa$$w0rd.
2. On LON-CL1, at a Windows PowerShell command prompt, type add-appxpackage
\\lon-dc1\apps\App1.appx, and then press Enter.

3. On the Start screen, from All apps, click TestAppTKL1. Verify that the app runs.

Remove an installed Windows Store app


1. On the Start Screen, right-click the TestAppTKL1 tile, and then click Uninstall.

2. Close all open windows.


3. Sign out of LON-CL1.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

To install Windows Store apps by using sideloading, you must first configure
GPOs to enable the Windows 10 sideloading feature.

Lab A: Installing and Updating Apps from the Windows Store
Scenario
Users in the Research department use a modern app that was developed in-house. You want to make this
app available for all users, so you decide to sideload the app to test its deployment.

Your users require access to apps available in the Windows Store, so you decide to offer a trial of the
installation and update process for apps in the Store.

Objectives
After completing this lab, you will be able to:

Use sideloading to install a custom Windows Store app.


Sign in by using a Microsoft account.

Install and update apps from the Windows Store.

Lab Setup
Estimated Time: 40 minutes
Virtual machines: 20697-1B-LON-DC1 and 20697-1B-LON-CL1

User name: Adatum\Administrator


Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:

1. On the host computer, start Hyper-V Manager.


2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:


o User name: Administrator

o Password: Pa$$w0rd
o Domain: Adatum

5. Repeat steps 2 and 3 for 20697-1B-LON-CL1 and 20697-1B-MSL-TMG1.



Exercise 1: Sideloading an App


Scenario
The Research department has an app that it uses, and you must ensure that you can deploy it by using
sideloading. The app comes with a self-signed certificate that is only useful for test purposes.

After the trial, you will remove the app.


The main tasks for this exercise are as follows:

1. Enable sideloading.

2. Install the required certificate.


3. Install and test an app.

4. Remove an app.

Task 1: Enable sideloading


1. Sign in to LON-CL1 as Adatum\Chad with the password Pa$$w0rd.
2. Open Settings, and then navigate to Update & Security/For developers.

3. Enable Sideload apps.

4. Close all open windows.

Task 2: Install the required certificate


1. Open File Explorer, and then browse to \\LON-DC1\Apps.
2. Right-click the \\lon-dc1\apps\LeXProductsGrid81_1.1.0.2_AnyCPU.cer file.

3. Install the certificate into the Local Machine Trusted Root Certification Authorities certificate
store.
4. Confirm that the import was successful.

5. Sign out of LON-CL1.

Task 3: Install and test an app


1. Sign in to LON-CL1 as Adatum\April with the password Pa$$w0rd.
2. On LON-CL1, open an Administrative Windows PowerShell command prompt as
Adatum\Administrator with the password of Pa$$w0rd.

3. Type add-appxpackage \\lon-dc1\apps\App1.appx, and then press Enter.


4. On the Start screen, from All apps, click TestAppTKL1. Verify that the app runs.

Task 4: Remove an app


1. On the Start Screen, right-click the TestAppTKL1 tile, and then click Uninstall.

2. Close all open windows.


3. Sign out of LON-CL1.

Results: After completing this exercise, you will have successfully sideloaded an app.

Exercise 2: Signing In with a Microsoft Account


Scenario
In order to install and update Windows Store apps, you must sign in with a Microsoft account.

The main task for this exercise is as follows:

1. Associate your Microsoft account with a local account.

Task 1: Associate your Microsoft account with a local account


1. Sign in to LON-CL1 as .\Admin with the password Pa$$w0rd.

2. Open Settings, open Accounts, and then click Sign in with a Microsoft account instead.

3. Enter the credentials of a valid Microsoft account.

Note: In Module 3, you created a Microsoft account with the following properties:

Account name: Your first name plus last initial-20697-1Ba@outlook.com.


Password: Pa$$w0rd
You may use this or another Microsoft account throughout this procedure.

4. Enter the password of the local account, which is Pa$$w0rd.


5. Configure a sign-in personal identification number of 1212.

Results: After completing this exercise, you will have signed in successfully with a Microsoft account.

Exercise 3: Installing and Updating Windows Store Apps


Scenario
You are now ready to start testing the Windows Store. You decide to disable automatic app updates and
then manually install, update, and remove apps.

The main tasks for this exercise are as follows:

1. Configure app updates.

2. Install an app.

3. Update and remove apps.

Task 1: Configure app updates


1. Close Settings.

2. Open the Store app.

3. In Settings, disable the Update apps automatically setting.

Task 2: Install an app


1. Search for the Excel Mobile app, and then install it.

Task 3: Update and remove apps


1. In the Store app, click the head and shoulders symbol on the menu bar, and then click Downloads
and updates.

2. Update all apps.


3. Click Start, and then click All apps.

4. Uninstall the News app.

5. Sign out of LON-CL1.

Results: After completing this exercise, you will have installed and maintained Windows Store apps
successfully.

Prepare for the next lab


When you have finished the lab, leave the virtual machines running for the subsequent lab.

Lesson 3
Web Browsers
Microsoft provides two web browsers in Windows 10: the new Microsoft Edge browser, and Internet
Explorer 11. The Microsoft Edge browser provides a consistent browsing interface across devices,
including Windows Phones, tablets, and laptops. Internet Explorer provides backwards compatibility
with websites that require some features that Microsoft Edge does not support. This lesson explores the
features of both web browsers.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Internet Explorer 11.


List and explain the Internet Explorer 11 privacy features.

List and explain the Internet Explorer 11 security features.

Explain how to manage add-ons in Internet Explorer 11.


Use the Compatibility View feature in Internet Explorer 11.

Configure and use Internet Explorer.

Describe the features of Microsoft Edge.


Configure and use Microsoft Edge.

Discuss the appropriate browser to use in your organization.

Internet Explorer 11
Windows 10 includes Internet Explorer to
ensure that any legacy or LOB apps that your
organization uses can continue to function.
Internet Explorer includes a number of security
and compatibility features that enable users to
browse with safety and confidence. This in turn
helps maintain customer trust in the Internet and
the apps based on Internet technologies.
Additionally, it helps protect your IT environment
from the evolving threats that the web presents.

Internet Explorer 11 specifically helps users maintain their privacy with features such as:

InPrivate Browsing

InPrivate Filtering

The SmartScreen Filter provides protection against social-engineering attacks by:


Identifying malicious websites that try to trick people into providing personal information or installing
malware.
Blocking malware downloads.

Providing enhanced antimalware support.



Other security features of Internet Explorer 11 include:

ActiveX control management, which helps prevent a browser from becoming an attack agent. You can use
the following features for more detailed control over the installation of ActiveX controls:
o Per-site ActiveX features

o Per-user ActiveX features

The cross-site scripting filter, which protects websites from attacks.


Internet Explorer also includes the Compatibility View feature, which allows users to view websites and
web apps based on older web technologies.

Privacy Features in Internet Explorer 11


One of the biggest concerns for users and organizations is the issue of security and privacy with respect
to the Internet. Internet Explorer 11 helps users maintain their security and privacy. For enterprises that
want their users to be able to browse without collecting browsing history, Internet Explorer 11 has a
privacy mode called InPrivate Browsing. This allows users to surf the web without leaving a trail. As an
alternative to InPrivate Browsing, a user can use the Delete Browsing history option found in the
Internet options dialog box to delete their browsing history manually without losing site functionality.

The InPrivate Browsing feature


InPrivate Browsing helps protect data and privacy by preventing the browser from locally storing or
retaining browsing history, temporary Internet files, form data, cookies, user names, and passwords. This
leaves virtually no evidence of browsing or search history as the browsing session does not store session
data.
From an enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than
using the Delete Browsing history option to maintain privacy, because no logs are kept and no tracks are
made during browsing. InPrivate Browsing is a proactive feature that allows users to control what is
tracked in a browsing session.

Note: Some users might attempt to use InPrivate Browsing to conceal their tracks when
browsing prohibited websites or websites that do not pertain to work. However, you can use Group
Policy to configure how your organization uses InPrivate Browsing, which gives you full
manageability control over users' work devices.

The Tracking Protection feature


Most websites today contain content from several different sites. The combination of these sites, known as
a mashup, is an integration that users have come to expect, and can include an embedded map from a
mapping site, and greater integration of advertisements or multimedia elements. Organizations try to
offer more of these experiences because it draws potential customers to their site. This capability makes
the web more robust, but it also provides an opportunity for a hacker to create and exploit vulnerabilities.

Every piece of content that a browser requests from a website discloses information to that site,
sometimes even if a user blocks all cookies. Often, users are not fully aware that their web-browsing
activities are tracked by websites other than those they have consciously chosen to visit.

Tracking Protection monitors how frequently each piece of third-party content appears across all websites
that a user visits. You can configure the frequency level, or alert threshold, which by default is set to 10.
When a piece of third-party content reaches the frequency level, the Tracking Protection feature blocks
it. Tracking Protection does not discriminate between different types of third-party content. It blocks
content only when it appears more often than the predetermined frequency level.

Note: Tracking Protection Lists can help increase your browsing privacy. When you install
a Tracking Protection List, you will prevent the websites specified in the list from sending your
browsing history to other content providers. Microsoft maintains a website that contains Tracking
Protection Lists that you can install.

The Delete Browsing History dialog box


Cookies and cookie protection are one aspect of online privacy. Some organizations write scripts to clean
up cookies and browsing history at the end of a browsing session. This type of environment might be
necessary for sensitive data, for regulatory or compliance reasons, or for private data, such as in the
healthcare industry.
The Delete Browsing History dialog box in Internet Explorer 11 enables users and organizations to delete
browsing history selectively. For example, you can remove the history for all websites except those in a
user's Favorites list by using the Preserve Favorites feature. You can switch this feature on and off in the
Delete Browsing History dialog box.

You can configure Delete Browsing history options by using Group Policy. You also can configure which
sites the Preserve Favorites feature includes automatically in a user's Favorites list. This allows you to
create policies that help ensure security, without affecting users' daily interactions with their preferred and
favorite websites. The Delete browsing history on exit check box in Internet options allows you to delete
your browsing history automatically when Internet Explorer 11 closes.

Security Features in Internet Explorer 11


Internet Explorer includes a number of security
features, including:

The SmartScreen Filter. Businesses put a lot of effort into protecting computer assets and resources.
Phishing or social-engineering attacks often can evade those protections, which results in users
unwittingly revealing personal information. The majority of phishing scams target individuals in an
attempt to extort money or perform identity theft. The SmartScreen Filter helps protect against
phishing websites, other deceptive sites, and sites known to distribute malware.

The SmartScreen Filter consists of a range of defensive tools, including:

o Windows SmartScreen, which is a client feature. You can configure these settings from within
Control Panel.
o SmartScreen Filter, which is the spam-filtering solution that is built into Microsoft email solutions.

o The Internet Explorer 11 SmartScreen Filter.

The SmartScreen Filter component of Internet Explorer 11 relies on a web service that is backed by
a Microsoft-hosted URL reputation database. The SmartScreen Filter's reputation-based analysis
works with other signature-based antimalware technologies, such as Windows Defender, to provide
comprehensive protection against malware. When you enable the SmartScreen Filter, Internet
Explorer 11 performs a detailed examination of an entire URL string, and then compares it to a
database of sites known to distribute malware. The SmartScreen Filter then checks the website that
a user is visiting against a dynamic list of reported phishing and malware sites. If the SmartScreen
Filter determines that the website is unsafe, it blocks the site, and notifies the user.
Controls and management features to mitigate ActiveX. Improvements to controls and management
features allow you to increase security and trust by controlling how and where an ActiveX control
loads and which users can load them. ActiveX controls are relatively straightforward to create and
deploy, and they provide extra functionality beyond regular webpages. Organizations cannot control
the inclusion of ActiveX controls or how they are written. Therefore, organizations need a browser
that provides flexibility in dealing with ActiveX controls, so that they are usable, highly secure, and
pose as small a threat as possible. The improved ActiveX controls include:

o Per-user ActiveX. By default, Internet Explorer 11 employs ActiveX Opt-In, which disables most
controls on a user's computer. Per-user ActiveX makes it possible for standard users to install
ActiveX controls in their own user profile without requiring administrative permissions. This helps
organizations realize the full benefit of UAC, and allow standard users the ability to install ActiveX
controls that are necessary in their daily browsing.
In most situations, if a user installs a malicious ActiveX control, the overall system remains
unaffected because the control is installed under the user's account only. Therefore, because
installations are restricted to a user profile, you are lowering the cost and risk of a compromise
significantly.

When a webpage attempts to install a control, an information bar displays to the user, who then
can install the control system-wide or only for his or her user account. The options in the ActiveX
menu vary depending on a user's rights, which you manage by using Group Policy settings, and
whether the control allows per-user installation. You can disable this feature in Group Policy.

o Per-site ActiveX. When a user navigates to a website that contains an ActiveX control, Internet
Explorer 11 performs a number of checks, including a determination of where a control has
permission to run. If a control is installed, but does not have permission to run on a specific site,
an information bar appears that asks the user's permission to run on the current website or on all
websites. Administrators can use Group Policy to preset Internet Explorer configurations with
allowed ActiveX controls and their related trusted domains.

Cross-Site Scripting Filter. The Cross-Site Scripting Filter helps block cross-site scripting attacks, one of
the most common website vulnerabilities today.

Most sites include a combination of content from local site servers and content obtained from other
sites or partner organizations. Cross-site scripting attacks exploit vulnerabilities in web applications,
and attackers then can control the relationship between a user and a website or web application that
they trust. Malicious users who utilize cross-site scripting can enable attacks, including the following:
o Stealing cookies, including session cookies, which can lead to account hijacking.

o Monitoring keystrokes.

o Performing actions on the victim website on behalf of the victim user.


o Using cross-site scripting, which utilizes a victim's website to subvert a legitimate website.

Internet Explorer 11 includes a filter that helps protect against cross-site scripting attacks. The Cross-
Site Scripting Filter has visibility into all requests and responses that flow through a browser. When
the filter discovers suspected cross-site scripting in a request, it identifies and neutralizes the attack if
it replays in the server's response. The Cross-Site Scripting filter helps protect users from website
vulnerabilities. It does not ask difficult questions that users are unable to answer, nor does it harm
functionality on a website.
Data Execution Prevention (DEP). DEP is enabled by default to help prevent system attacks in which
malware exploits memory-related vulnerabilities to execute code. Internet Explorer 7 introduced the
DEP/NX option in Control Panel to provide memory protection that helps mitigate online attacks.
DEP, or no execute (NX), helps thwart attacks by preventing code that is marked as non-executable
from running in memory, such as a virus disguised as a picture or video. DEP/NX also makes it harder
for attackers to exploit certain types of memory-related vulnerabilities, such as buffer overruns.

DEP/NX protection applies to both Internet Explorer and its add-ons. No additional user interaction
is required to activate this protection. Unlike Internet Explorer 7, Internet Explorer 11 enables this
feature by default.

Enhanced Protected Mode. You can reduce the permissions that the browser has to modify system
settings or to write to a computer's hard disk by using Enhanced Protected Mode, which is turned on by
default in Internet Explorer 11.

Managing Add-Ons
Most websites will display normally when you use Internet Explorer without any add-ons or
modifications. Internet Explorer 11, which Windows 10 includes by default, provides an experience that is
free from add-ons. Add-ons that enhance the browsing experience by providing multimedia content also
are referred to as:

ActiveX controls

Plug-ins

Browser extensions

Browser helper objects

Toolbars

Explorer bars

Search providers

Accelerators

Tracking Protection Lists

The following are examples of plug-in based technology:

Microsoft Silverlight

Apple QuickTime

Java applets

Adobe Flash Player

Skype Click to Call

Two popular multimedia extensions--HTML5 and Adobe Flash--are supported out-of-box as a platform
feature on Internet Explorer. In previous Internet Explorer versions, some multimedia add-ons could cause
security concerns, which Internet Explorer 11 addresses with the Automatic Updates feature, which
provides updates to help remediate problems quickly when identified.

Sometimes an add-on, such as a pop-up advertisement, can annoy users or create problems that affect
browser performance. A user can disable an individual add-on or all add-ons within Internet Explorer 11
by using the Manage Add-ons dialog box. To do this, a user would perform the following steps:

1. Open Internet Explorer.

2. On the Tools menu, click Manage add-ons.

3. In the Manage Add-ons dialog box, in the Show list, click All add-ons.

4. Find the name of the add-on that you want to modify in the reading pane. To disable an add-on, tap
or click it, and then click Disable. To enable an add-on, tap or click it, and then click Enable.

5. Close the Manage Add-ons dialog box.

Compatibility View
None of the improvements in Internet Explorer 11 matter if websites look bad or work poorly. Internet
Explorer 11 includes features that comply with web standards and that allow websites to display better
and operate more predictably. Each new version of Internet Explorer must try to maintain compatibility
with existing websites. Internet Explorer 11 includes multiple layout engines, which provide web
developers with the ability to determine whether Internet Explorer 11 needs to support legacy behaviors
or strict standards, by allowing them to specify which layout engine to use on a page-by-page basis.

Internet Explorer 11 provides an automatic Compatibility View feature that invokes an older Internet
Explorer engine to display webpages whenever it detects a legacy website. This helps improve
compatibility with applications written for older Internet Explorer versions. If you do not see the
Compatibility View button appear in the Address bar, there is no need to turn on Compatibility View
because Internet Explorer 11 will have detected that the webpage has loaded correctly.

Note: By default, intranet sites and apps continue to run in Internet Explorer 11, which
supports the Compatibility View feature.

The Compatibility View feature in Internet Explorer 11 helps display a webpage as the web developer
intended. This view provides a straightforward way to fix display problems, such as out-of-place menus,
images, and text. The main benefits of the Compatibility View feature include:

Internet websites display in Internet Explorer 11 standards mode by default. You can use the
Compatibility View button to fix sites that render differently than expected.

Internet Explorer 11 remembers sites that have been set to Compatibility View so that a user only
needs to press the button once for a site. After that, the site always renders in Compatibility View
unless users remove it from the list.

Intranet websites display in Compatibility View by default. This means that internal websites that were
created for older Internet Explorer versions will work correctly.

You can use Group Policy to set a list of websites to render in Compatibility View.

Switching in and out of Compatibility View occurs without requiring that a user restart the browser.

The Compatibility View button displays only if it is not stated clearly how the website is to render. In
other cases, the button is hidden. These cases include viewing intranet sites or viewing sites with a
<META> tag or an HTTP header that indicates Internet Explorer 7, Internet Explorer 8, Internet Explorer 9,
or Internet Explorer 10 standards.

When you activate Compatibility View, the page refreshes, and a balloon tip in the taskbar notification
area indicates that the site is now running in Compatibility View.

Configuring Compatibility View

You can use the Compatibility View settings option in the Tools menu to customize Compatibility View
to meet enterprise requirements. For example, you can configure it so that all intranet sites display in
Compatibility View (the default), or you can configure it so that all websites are viewed in Compatibility
View.

Enterprise Mode
Enterprise Mode is a compatibility mode in Internet Explorer 11 that supports legacy apps that require
Internet Explorer 8 features, and it includes:

Improved web app and website compatibility. Enterprise Mode allows legacy web apps to run
unmodified on Internet Explorer 11.

Tool-based management for website lists. You can use the Enterprise Mode Site List Manager tool to
add website domains and domain paths, and to specify whether a site renders by using Enterprise
Mode.

Note: You can download the Enterprise Mode Site List Manager tool from the Internet
Explorer Download Center.

Centralized control. You can specify the websites or web apps that use Enterprise Mode by using an
XML file on a website or that is stored locally.

You can configure the domains and paths within those domains to receive different treatment, which
provides you with granular control.

Note: You can use GPOs to configure Internet Explorer to allow users to turn Enterprise
Mode on or off from the Tools menu.

Integrated browsing. When you enable and configure Enterprise Mode, users can browse the web
normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
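As an added example that is not part of the course, the following PowerShell script produces the Enterprise Mode site list XML with domain- and path-level rules, publishes it to a local path, and sets the registry values that the "Use the Enterprise Mode IE website list", "Let users turn on and use Enterprise Mode from the Tools menu" and "Use Policy List of Internet Explorer 7 sites" Group Policy settings write; it therefore covers both the Compatibility View policy list mentioned earlier and the Enterprise Mode list described here. The domains, paths and file location are constructed, and the v.1 "rules" schema is written by hand instead of with the Site List Manager tool.

```powershell
# Added example (not from the course). Writes an Enterprise Mode site list
# (v.1 schema), then configures Internet Explorer 11 through the registry
# values behind the corresponding Group Policy settings. Domains, paths and
# the output location are constructed for illustration. Run elevated: the
# policy keys live under HKLM.

function New-EnterpriseModeSiteList {
    param(
        [Parameter(Mandatory)][string]$Path,                 # absolute path for the XML
        [Parameter(Mandatory)][hashtable[]]$Rules            # @{ Domain='x'; ExcludePaths=@('/p') }
    )
    # <rules version="N"> is a list version; the browser re-downloads the list
    # only when N increases, so bump it on every change you publish.
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $writer = [System.Xml.XmlWriter]::Create($Path, $settings)
    try {
        $writer.WriteStartElement('rules')
        $writer.WriteAttributeString('version', '1')
        $writer.WriteStartElement('emie')             # sites rendered in Enterprise Mode
        foreach ($rule in $Rules) {
            $writer.WriteStartElement('domain')
            $writer.WriteAttributeString('exclude', 'false')
            $writer.WriteString($rule.Domain)
            foreach ($p in @($rule.ExcludePaths)) {
                if ($p) {
                    # A path with exclude="true" is carved back out of the domain
                    # rule, which is the per-path treatment the text refers to.
                    $writer.WriteStartElement('path')
                    $writer.WriteAttributeString('exclude', 'true')
                    $writer.WriteString($p)
                    $writer.WriteEndElement()
                }
            }
            $writer.WriteEndElement()                 # domain
        }
        $writer.WriteEndElement()                     # emie
        $writer.WriteEndElement()                     # rules
    }
    finally { $writer.Close() }
}

# Registry locations written by the Group Policy settings under
# Administrative Templates > Windows Components > Internet Explorer.
$iePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer'

function Set-EnterpriseModePolicy {
    param([Parameter(Mandatory)][string]$SiteListLocation, [switch]$AllowUserToggle)
    $key = Join-Path $iePolicy 'Main\EnterpriseMode'
    New-Item -Path $key -Force | Out-Null
    # "Use the Enterprise Mode IE website list": SiteList = local path or URL.
    New-ItemProperty -Path $key -Name 'SiteList' -Value $SiteListLocation -PropertyType String -Force | Out-Null
    if ($AllowUserToggle) {
        # "Let users turn on and use Enterprise Mode from the Tools menu": the
        # Enable value holds an optional reporting URL; empty means no reporting.
        New-ItemProperty -Path $key -Name 'Enable' -Value '' -PropertyType String -Force | Out-Null
    }
}

function Add-CompatibilityViewPolicySite {
    param([Parameter(Mandatory)][string[]]$Domain)
    # "Use Policy List of Internet Explorer 7 sites": one value per site whose
    # name and data are both the domain; these sites render in Compatibility View.
    $key = Join-Path $iePolicy 'BrowserEmulation\PolicyList'
    New-Item -Path $key -Force | Out-Null
    foreach ($d in $Domain) {
        New-ItemProperty -Path $key -Name $d -Value $d -PropertyType String -Force | Out-Null
    }
}

# Constructed usage.
$listPath = 'C:\EnterpriseMode\sitelist.xml'
New-Item -ItemType Directory -Path (Split-Path $listPath) -Force | Out-Null
New-EnterpriseModeSiteList -Path $listPath -Rules @(
    @{ Domain = 'intranet.example'; ExcludePaths = @('/modern') },   # all but /modern
    @{ Domain = 'legacyapp.example' }                                # whole domain
)
Set-EnterpriseModePolicy -SiteListLocation $listPath -AllowUserToggle
Add-CompatibilityViewPolicySite -Domain 'oldreports.example'
```

Users pick up the new values at the next policy refresh or browser restart; the list itself is read from the path in SiteList, so a web-hosted list only needs the URL changed in that value.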

Demonstration: Configuring and Using Internet Explorer 11

In this demonstration, you will see how to:

Configure Compatibility View.

Delete browsing history.

Configure InPrivate Browsing.

View the add-on management interface.

Manage downloading with the Download Manager.

Demonstration Steps
Configure Compatibility View
1. Sign in to LON-CL1 as ADATUM\April with the password Pa$$w0rd.

2. Open Internet Explorer.

3. Enable the Menu bar.

4. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.

5. Add the website to Compatibility View.

Delete browsing history

In Internet Explorer, delete the selected browsing history.

Configure InPrivate Browsing

1. Open InPrivate Browsing.

2. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.

3. Verify that the browsing history has not retained the website's address.

View the add-on management interface

1. Open the Add-on manager.

2. Review the current add-ons.

Download a file
1. Navigate to http://LON-DC1, and then click the Download Current Projects link.

2. View the current downloads.

3. Open the downloaded file.

4. Close Microsoft Office Excel and other open windows.

The Microsoft Edge Browser

The new Microsoft Edge browser is a cross-platform browser that is available on Windows Phone and
Windows 10. The interface is simpler and more intuitive to use, with options that users can configure with
touch turned on or off.

New or improved features

Microsoft Edge includes a number of features that make it easier to use on a touch device, including:

Reading mode, which allows you to view webpages in a simplified layout. You can configure the style
that optimizes the viewing layout.

The Hub, which is a central location in which Microsoft Edge consolidates several items, including
a user's:

o Favorites

o Reading list

o Browser history

o Downloads

Web notes, which you can enable for webpages that you visit. In tablet mode, you can use tools to
take notes, write, draw, and highlight webpage elements. You then can store these notes in OneDrive
or locally in your Favorites.

Options and Settings

Internet Explorer has an extensive range of settings that you can configure to control your browsing
experience. Microsoft Edge streamlines these settings, and you can configure options and settings by
using the More actions link. This opens a window on the right in which you can:

Open a New InPrivate window. This provides the same privacy benefits as InPrivate Browsing in
Internet Explorer 11.

Zoom. This allows you to zoom in or out.

Find on page. This is a box in which you can enter text to search for on the open webpage.

Print. This allows you to print your webpage.

Pin to Start. This allows you to pin frequently accessed webpages directly to your Start page.

Open with Internet Explorer. This opens the current webpage in Internet Explorer. Some websites use
ActiveX controls or other features that require Internet Explorer to render them.

Settings. This provides access to:

o Choose a theme. This allows you to choose between light and dark themes. Sometimes, the dark
display is better suited for ambient lighting conditions, such as when reading webpages in poor
light.

o Show the favorites bar. This allows you to expose a list of the sites on your favorites bar.

o Import favorites from another browser. This copies the favorites you have in another web
browser, such as Internet Explorer.

o Open with. This allows you to specify what you see when you open Microsoft Edge, such as a
specific webpage or multiple tabbed webpages.

o Open new tabs with. This determines what you see in a new tab. You can configure it to match the
preceding setting, or you can define another value.

o Clear browsing data. This allows you to delete browsing history. As with Internet Explorer, you
can define what you want to delete.

o Reading. This allows you to configure:

   Reading view style. Choose Light, Medium, or Dark.
   Reading view font size. Choose Small, Medium, Large, or Extra Large.

o Advanced settings. These include several options, with the defaults shown in parentheses:

   Show the home button (Off). If enabled, you can select the default webpage to display when
   the home button is tapped.
   Block pop-ups (On).
   Use Adobe Flash Player (On).
   Always use caret browsing (Off).
   Offer to save passwords (On).
   Manage my saved passwords.
   Save form entries (On).
   Send Do Not Track requests (Off).
   Have Cortana assist me in Microsoft Edge (Off).
   Search in the address bar with (Bing).
   Show search suggestions as I type (On).
   Cookies (Don't block cookies).
   Let sites save protected media licenses on my device (On).
   Use page prediction to speed up browsing, improve reading, and make my overall
   experience better (On).
   Help protect me from malicious sites and downloads with SmartScreen Filter (On).

Demonstration: Configuring and Using Microsoft Edge

In this demonstration, you will see how to:

Open a webpage.

Load a webpage that requires an ActiveX control.

Configure settings.

Download a file.

Make a web note.

Demonstration Steps
Open a webpage
1. On LON-CL1, open Microsoft Edge, and then navigate to http://lon-dc1.

Load a webpage that requires an ActiveX control

1. Open Current Projects. A new tab opens with columns displayed for Project and Project Lead.
No data displays.

2. Use the Open with Internet Explorer option. The same webpage displays, but with the data
extracted from the comma-separated value (CSV) file and displayed in the appropriate columns.

Configure settings
1. Open Settings.

2. Configure Reading view style to Dark.

3. Open advanced settings.

4. Verify Help protect me from malicious sites and downloads with SmartScreen Filter is enabled.

Download a file
1. In Microsoft Edge, on the A Datum Intranet tab, click Download Current Projects.

2. View the current downloads.

3. Open the downloaded file.

4. Close Microsoft Office Excel.

5. Switch to Microsoft Edge.

Make a web note

1. Switch to Tablet mode.

2. In Microsoft Edge, on the A Datum Intranet tab, on the menu bar, click Make a Web Note.

3. Draw a square.

4. Highlight two of the hyperlinks on the webpage.

5. Add a typed note.

6. Save the note to Favorites.

7. Open the saved web note.

8. Switch to Desktop mode.

9. Close Microsoft Edge.


Discussion: Which Browser to Use?

Consider the following question, and then be prepared to discuss your answers with the class, as directed
by your instructor.

Question: How well suited is Microsoft Edge to your environment?


Lab B: Configuring Windows 10 Web Browsers


Scenario
Users will need access to both Internet Explorer and Microsoft Edge. You decide to configure and test
both browsers against your company intranet on a local web server.

Objectives
After completing this lab, you will be able to:

1. Configure Microsoft Edge.

2. Use Microsoft Edge to browse a local Intranet website.

3. Configure Internet Explorer 11.

4. Use Internet Explorer 11 to browse a local Intranet website.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20697-1B-LON-DC1 and 20697-1B-LON-CL1

User name: Adatum\Administrator


Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:


o User name: Administrator

o Password: Pa$$w0rd
o Domain: Adatum

5. Repeat steps 2 and 3 for 20697-1B-LON-CL1.

Exercise 1: Configuring and Using Microsoft Edge

Scenario
You deploy Windows 10 to your test network and configure a copy of the company intranet site on a local
web server. You then implement a series of tests by using Microsoft Edge.
The main tasks for this exercise are as follows:

1. Open a webpage.

2. Configure settings.

3. Download a file.

4. Make a web note.

5. Load a webpage that requires an ActiveX control.


Task 1: Open a webpage


1. Sign in to LON-CL1 as ADATUM\April with the password Pa$$w0rd.

2. On LON-CL1, open Microsoft Edge, and then navigate to http://lon-dc1.

Task 2: Configure settings


1. Open Settings.

2. Configure the following settings:


o Enable Show the favorites bar

o Open with: Custom: http://lon-dc1

o Clear about:Start
3. Open View advanced settings, and then configure the following settings:

o Enable Show the home button


o Configure the home button to open the A Datum Intranet site
o Block third party cookies

4. Close Settings.

5. Close Microsoft Edge.


6. Open Microsoft Edge, and then verify that the default page opens correctly.

7. Open a new tab, and then verify that clicking the Home button displays the A. Datum Intranet site.

Task 3: Download a file


1. In Microsoft Edge, on the A Datum Intranet tab, click Download Current Projects.
2. View the current downloads.

3. Open the downloaded file.


4. Close Microsoft Office Excel.
5. Switch to Microsoft Edge.

6. Close the DOWNLOADS tab.

Task 4: Make a web note


1. Switch to Tablet mode.
2. In Microsoft Edge, on the A Datum Intranet tab, on the menu bar, click Make a Web Note.

3. Draw a shape.

4. Highlight two of the hyperlinks on the webpage.


5. Add a typed note.

6. Save the note to Favorites.


7. Open the saved web note.

8. Switch to Desktop mode.

9. Close Microsoft Edge.



Task 5: Load a webpage that requires an ActiveX control


1. Open Microsoft Edge.

2. Open Current Projects. A new tab opens with columns displayed for Project and Project Lead. No
data displays.
3. Use the Open with Internet Explorer option. The same webpage displays, but with the data
extracted from the CSV file and displayed in the appropriate columns.

4. Close Internet Explorer.

Results: After completing this exercise, you will have configured and used Microsoft Edge successfully in
Windows 10.

Exercise 2: Configuring and Using Internet Explorer


Scenario
You deploy Windows 10 to your test network and configure a copy of the company intranet site on a local
web server. You then implement a series of tests by using Internet Explorer.
The main tasks for this exercise are as follows:

1. Configure the Compatibility View feature.


2. Test privacy settings.
3. Disable an add-on.

Task 1: Configure the Compatibility View feature


1. Open Internet Explorer.
2. Enable the Menu bar.

3. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.

4. Add the website to Compatibility View.

Task 2: Test privacy settings


1. In Internet Explorer, delete the selected browsing history:
a. Clear the Preserve Favorites website data check box

b. Select Temporary Internet files and website files

c. Select Cookies and website data


d. Select History

2. Open InPrivate Browsing.


3. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.

4. Verify that the website address has not been retained in the browsing history.

Note: You can ignore Bing.com.



Task 3: Disable an add-on


1. Open the Add-on manager.

2. Disable the Tabular Data Control.

3. On the A Datum Intranet Home Page, open the link for Current Projects.

4. A new tab opens, but the data does not populate the table.

5. Close Internet Explorer.

Results: After completing this exercise, you will have configured and used Internet Explorer 11
successfully.

Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-DC1 and MSL-TMG1.



Module Review and Takeaways


Review Questions
Question: What does Internet Explorer 11 display when a browser detects that a website
does not adhere to HTML5 or CSS3 standards?

Question: You are installing apps from the Windows Store on a tablet that has a small
internal hard disk. However, you have added a micro SD card with 64 GB of space. How can
you utilize this storage for your apps?

Question: You want to know which apps you have previously installed or purchased on your
Windows devices, regardless of whether they are installed on your current device. How can
you access this information in Windows 10?

Module 8
Managing Data Security
Contents:
Module Overview 8-1
Lesson 1: Overview of Data-Related Security Threats 8-2
Lesson 2: Securing Data with EFS 8-5
Lesson 3: Implementing and Managing BitLocker 8-12
Lab: Managing Data Security 8-26
Module Review and Takeaways 8-29

Module Overview
Most organizations are concerned about unauthorized release of data. Although they might act in an
ethical manner, these organizations still are responsible for working with data that needs to remain
private and kept away from malicious users. This data includes credit-card accounts, customers' personal
information, and medical records. This module details how the technologies in Windows 10 work together
to protect against data-related security threats.

Objectives
After completing this module, you will be able to:
Describe data-related security threats.

Secure data with Encrypting File System (EFS).

Implement and manage BitLocker Drive Encryption.



Lesson 1
Overview of Data-Related Security Threats
The information technology (IT) media frequently reports on the theft and public release of sensitive
organizational data. Security breaches of this kind receive significant attention. However, many
organizations find that many of the data-security issues they experience involve their own users. Insiders
are not deliberately attacking resources to gain access to confidential data. Rather, insiders are able to
access confidential data because it does not have adequate protection. In this lesson, you will learn about
the defense in depth strategies for protecting data, common data-related security threats, and potential
mitigations for those threats.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the defense in depth strategy for protecting data.

List common data-related security threats.

Describe mitigations for common data-related security threats.

What Is Defense in Depth?

Defense in depth is a security concept in which you use several layers of security for protection. If an
attacker compromises one layer of defense, other layers continue to offer protection. The design of castles
is an analogy for the concept of defense in depth. Castles have outer walls, inner walls, and moats. A
networking example is the common practice of having an external firewall, a perimeter network, an
internal firewall, and then firewalls that you configure on each host computer.

However, when it comes to data security, no single solution can ensure that data remains secure. Instead,
organizations that want to protect their data must use a layered approach. If you want to protect data on
computers that are running Windows 10, this can involve implementing:

A full-volume encryption solution, such as BitLocker, to protect all data on the volume.

A file-encryption level solution, such as EFS.

File and folder permissions.

An application-level solution, such as the ability to configure password protection in products such as
Microsoft Word and Microsoft Excel.

It is important to remember that you should implement defense in depth in conjunction with other
protection methods. Furthermore, the methods that you use to protect data should be commensurate
with the data's value. The steps that you take to protect an Excel worksheet that contains a grocery list
should be different from the steps to protect an Excel worksheet that contains salary information.

Discussion: What Are the Common Data-Related Security Threats?

Consider the topic of data-related security threats and be prepared to discuss your thoughts with the
class. Describe common security threats to data, such as:

Users who access sensitive files to which they should not have access.

Competitors who gain access to your organization's sensitive files.

Data that a user publishes to the Internet, either inadvertently or intentionally.

Private information that a user utilizes inappropriately, either inadvertently or maliciously.

Discuss the possible ways in which data exposure can occur, such as:

Lost or stolen laptop computers and USB drives.

Malware infection of your corporate network or individual devices.

Accidental release of data.

Discuss scenarios that have been in the media recently, in which private data became public, either
maliciously or inadvertently.


Possible Mitigations for Common Data-Related Threats

The following table lists some possible mitigations for common data-related threats:

Threat: Unauthorized user accessing information on a file share
Possible mitigations:
o Apply permissions to files and folders
o Apply claims-based permissions to files and folders
o Utilize Active Directory Rights Management Services (AD RMS)

Threat: Unauthorized user accessing data from a lost or stolen USB drive
Possible mitigations:
o Utilize BitLocker To Go on the thumb drive
o Apply AD RMS or Microsoft Azure Rights Management Services protection to files
o Configure password protection for files if the application provides support for this functionality

Threat: Lost or stolen laptop that is storing confidential information
Possible mitigations:
o Enforce BitLocker data protection on laptops

Threat: User inadvertently emailing protected content to an unintended recipient
Possible mitigations:
o Apply AD RMS or Azure Rights Management Services protection to files
o Configure password protection for files if the application provides support for this functionality
o Apply policies for data-loss prevention by using Microsoft Exchange or Exchange Online

Check Your Knowledge


Question

Your coworker lost his USB drive, which contained confidential information about a
new project. Which security feature could have prevented unauthorized users from
accessing that data? (Choose all that apply)

Select the correct answer.

Applying file permissions

Utilizing BitLocker To Go

Applying claims permissions to files and folders

Applying BitLocker data protection on a laptop computer



Lesson 2
Securing Data with EFS
The EFS technology allows you to encrypt files to be used with Windows operating systems. However, IT
professionals who want to implement EFS should research it thoroughly before using it. For example, it is
not possible to encrypt files with the System attribute. You need to have a comprehensive understanding
of EFS to implement a secure and recoverable EFS policy. If you implement EFS without implementing
proper recovery operations or without understanding how the feature works, you can expose your data
unnecessarily or leave it in a state from which you cannot recover it. This lesson provides a brief overview
of EFS.

Lesson Objectives
After completing this lesson, you will be able to:

Describe EFS.

Describe how to encrypt and decrypt files and folders with EFS.

Describe how to recover EFS-encrypted files.


Describe enterprise solutions for managing EFS.

What Is EFS?
EFS is a built-in file encryption tool for Windows-based systems. EFS is a component of the NTFS file
system, and it uses advanced, standard cryptographic algorithms to allow transparent file encryption and
decryption. Through the Enterprise Data Protection functionality of Windows 10, EFS functionality is also
simulated on volumes that use the FAT32 file system. Any individual or app that does not have access to
a certificate store that holds an appropriate cryptographic key cannot read encrypted data. You can
protect encrypted files even from those who gain physical possession of a computer on which files are
stored. Even people who have the authorization to access a computer and its file system cannot view the
encrypted data.

Encryption is a powerful addition to any defensive plan. However, you must use additional defensive
strategies, because encryption is not the correct countermeasure for every threat. Furthermore, every
defensive weapon has the potential to harm your data, if you use it incorrectly.

Managing EFS certificates

EFS uses public key cryptography to apply file encryption. EFS obtains the keys from a user's EFS
certificate, which also might contain private key information. Therefore, you must manage these
certificates correctly.

Users can make encrypted files accessible to other users' EFS certificates. If you grant access to another
user's EFS certificate, that user may make those files available to yet another user's EFS certificate.

Note: You can issue EFS certificates only to individual users. You cannot issue EFS
certificates to groups.


Backing up certificates
Certification authorities (CAs) can archive and recover CA-issued EFS certificates. Users must back up their
self-generated EFS certificates and private keys manually. To do this, they can export the certificate and
private key to a Personal Exchange File (.pfx), which is password-protected during the export process. This
password is required to import the certificate into a user's certificate store.

If you need to distribute only your public key, you can export the client EFS certificate without the private
key to Canonical Encoding Rules (.cer) files. A user's private key is stored in the user's profile in the RSA
folder, which you can access by expanding AppData, expanding Roaming, expanding Microsoft, and
then expanding Crypto. However, please note that because there is only one instance of the key, it is
vulnerable to hard-disk failure or data corruption.

The Microsoft Management Console (MMC) snap-in, Certificates, exports certificates and private keys. The
Personal Certificates store contains the EFS certificates.
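The same backup done from PowerShell, as an added example that is not part of the course: it finds the EFS certificate in the Personal store by its enhanced key usage, exports the password-protected .pfx with the private key, and exports the public-key-only .cer. The output folder and the prompt for the password are constructed; the Export-PfxCertificate and Export-Certificate cmdlets are the ones in the PKI module that ships with Windows 8 and later.

```powershell
# Added example (not from the course): back up the current user's EFS
# certificate in both forms described above. The .pfx holds the private key
# and is what you need to decrypt files after a profile or disk failure; the
# .cer holds only the public key and is safe to give to other users so they can
# add you to an encrypted file's sharing list. Output folder is constructed.

function Get-EfsCertificate {
    # EFS certificates carry the "Encrypting File System" enhanced key usage,
    # OID 1.3.6.1.4.1.311.10.3.4, and live in the Personal (My) store.
    $efsOid = '1.3.6.1.4.1.311.10.3.4'
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsOid) } |
        Sort-Object NotAfter -Descending
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory)][string]$OutputFolder,
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    $cert = Get-EfsCertificate | Select-Object -First 1
    if (-not $cert) {
        throw 'No EFS certificate with a private key in Cert:\CurrentUser\My. Windows issues one the first time a file is encrypted.'
    }
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    $pfxPath = Join-Path $OutputFolder "efs-$($cert.Thumbprint).pfx"
    $cerPath = Join-Path $OutputFolder "efs-$($cert.Thumbprint).cer"

    # Certificate plus private key, protected by the password. This file can
    # decrypt your files, so store it away from the computer that holds the
    # only other copy of the key (the RSA folder in the profile).
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword | Out-Null

    # Public key only: cannot decrypt anything, so it is safe to distribute.
    Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

    [PSCustomObject]@{
        Thumbprint = $cert.Thumbprint
        Expires    = $cert.NotAfter
        Pfx        = $pfxPath
        Cer        = $cerPath
    }
}

# Constructed usage: prompt for the .pfx password so it never sits in a script.
$password = Read-Host -Prompt 'Password for the .pfx backup' -AsSecureString
Backup-EfsCertificate -OutputFolder 'D:\EfsBackup' -PfxPassword $password
```

The built-in cipher.exe offers the same private-key backup interactively with cipher /x, and cipher /r creates a recovery agent certificate and key pair for the policy discussed later in this lesson.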

Question: Why is it not possible to encrypt system files with EFS?

Common EFS Usage Scenarios

Utilizing EFS is a good way to secure data in several scenarios, including protecting files on shared
computers and from privileged users, and protecting files that you want to share with others.

Protecting files on shared computers

EFS allows users of shared computers to secure files so that other users of those computers cannot access
them. You can use EFS with NTFS permissions as part of a defense-in-depth strategy.

Protecting files from privileged users

EFS allows you to prevent privileged users from accessing certain files. Many data breaches are caused
by attackers getting access to a privileged account and using that privileged account to override file
and folder permissions. While the default Administrator account is also the data recovery agent for EFS-
protected files, you can change this so that there is no data recovery agent.

Sharing encrypted files with specific users


EFS users can share encrypted files with other users on file shares and in web folders. This allows you to
grant individual users permissions to access an encrypted file. After you encrypt a file, you can enable file
sharing through the user interface. You first must encrypt a file and then save it before adding more users.
You can add users from a local computer or from Active Directory Domain Services (AD DS) if the users
have a valid certificate for EFS.

Users who elect to share encrypted files must be aware of the following points:

Shared EFS files are not file shares. If authorized users need to access shared EFS files over a network,
you will need to provide them with a file share or web folder. Alternatively, users can use Remote
Desktop Services to establish remote sessions with computers that store encrypted files.

Any user who is authorized to decrypt a file can authorize other users to access the file. Granting
access is not limited to the file owner. Caution users to share files only with trusted accounts, because
those accounts can authorize other accounts. Removing the Write permission from a user or group of
users can prevent this problem, but it also prevents the user or group from modifying the file.

EFS sharing requires that the users who will have authorization to access the encrypted file have EFS
certificates. These certificates can be located in roaming profiles, in the user profiles on the computer
that is storing the file, or in AD DS.

If a user chooses to remotely access an encrypted file that is stored on a file share, and that user
authorizes other users to access the file, the authorization process and requirements are the same as
on the local computer. Additionally, EFS must impersonate the user to perform this operation, and all
the requirements for remote EFS operations on files stored on file shares apply.

If a user chooses to remotely access an encrypted file that is stored on a web folder, and that user
authorizes other users to access the file, the file transmits automatically to the local computer in
ciphertext. The authorization process takes place on the local computer, and it has the same
requirements as locally stored, encrypted files.

How EFS Works


The basic functionality of EFS is as follows:

When a user who possesses the necessary key opens a file, the file opens. If a user does not possess
the key, the user receives an access-denied message.

File encryption uses a symmetric key that EFS encrypts with a user's public key, which is stored in the
file header. Additionally, it stores a certificate with the user's public and private keys, or asymmetric
keys, in the user's profile. The user's private key must be available for decryption of the file.

If a private key incurs damage or is lost, the file cannot be decrypted. If a recovery agent exists,
the file is recoverable. If you implement key archival, you can recover the key and decrypt the file.
Otherwise, the file might be lost. This encryption system is referred to as public key infrastructure
(PKI).

You can archive a user's certificate that contains his or her public and private keys. For example, you
can export it to a USB flash drive, and then keep the USB flash drive in a safe place for recovery if the
keys incur damage or are lost.

A user's password protects the public and private keys. Any user who can obtain the user ID and
password can sign in as that user and decrypt that user's files. Therefore, an organization's security
practices should include a strong password policy and user education to protect EFS-encrypted files.

EFS-encrypted files do not remain encrypted when crossing the network, such as when you work
with the files on a shared folder. The file is decrypted, and it then traverses the network in an
unencrypted state. EFS encrypts it locally if you save it to a folder on the local drive that is configured
for encryption. EFS-encrypted files can remain encrypted while traversing a network if you save them
to a web folder by using the World Wide Web Distributed Authoring and Versioning (WebDAV)
protocol.

EFS supports industry-standard encryption algorithms, including Advanced Encryption Standard
(AES). AES uses a 256-bit symmetric encryption key and is the default EFS algorithm.

Additionally, be aware of the following features when implementing EFS on Windows 10:

Support for storing private keys on smart cards. Windows 10 includes full support for storing users'
private keys on smart cards. If a user signs in to Windows 10 with a smart card, EFS also can use the
smart card for file encryption. Administrators can store their domain's recovery keys on a smart card.
Recovering files is then as simple as signing in to the affected machine, either locally or by using
Remote Desktop, and using the recovery smart card to access the files.

The Encrypting File System Rekeying Wizard. The Encrypting File System Rekeying Wizard allows users
to choose an EFS certificate, then select and migrate the existing files that will use the newly chosen
EFS certificate. Administrators can use the wizard to migrate users in existing installations from
software certificates to smart cards. The wizard also is helpful in recovery situations, because it is
more efficient than decrypting and reencrypting files.

Group Policy settings for EFS. You can use Group Policy to control and configure EFS protection
policies centrally for an entire enterprise. For example, Windows 10 allows page file encryption
through the local security policy or Group Policy.

Per-user encryption of Offline Files. You can use EFS to encrypt offline copies of files from remote
servers. When you enable this option, each file in the offline cache is encrypted with a public key from
the user who cached the file. Thus, only that user has access to the file, and even local administrators
cannot read the file without access to the user's private keys.

Selective Wipe. A feature of Windows 10 in a corporate environment is Selective Wipe. If a device
is lost or stolen, an administrator can revoke the EFS key that was used to protect the files on the
device. Revoking a key prevents all access to data files that are stored on a user's device.

Note: When users encrypt files in remote shared folders, their keys are stored on the
file server.

Obtaining key pairs


Users need asymmetric key pairs to encrypt data, and they can obtain these keys:
From a CA. An internal or third-party CA can issue EFS certificates. This method provides central
management and backup of keys.

By generating them. If a CA is unavailable, Windows 10 will generate a key pair. These keys have a
lifespan of 100 years. This method is more difficult than using a CA because there is no centralized
management, and users become responsible for managing their own keys. Additionally, it is more
difficult to manage for recovery. However, it is still a popular method because it requires no setup.

Question: How would you protect files in transit across your organizational network?

How EFS Recovery Works


You can configure the recovery of EFS-encrypted
data by using two methods: the data recovery
agent and the Key Recovery Agent.

Data recovery agent


The data recovery agent is an account that you
can configure by using Group Policy. It has access
to all EFS-encrypted files. The data recovery agent
account is able to recover EFS-encrypted files if
the original owner loses access to his or her EFS
private key or if the people with the appropriate
keys to decrypt the file are not available. The
default Administrator account in a domain is
configured as the default data recovery agent. This presents a security risk, as anyone who has access to
the default Administrator account can access the contents of any EFS-encrypted file.
When you implement EFS in your organization, you should change the default configuration for the data
recovery agent, and configure a special account that has been issued an appropriate EFS data recovery
certificate. Once you configure the certificate, you can export this certificate's private key to a USB key,
and then secure it in a safe. This allows you to restrict data-recovery operations to authorized conditions
only, because only a user with access to the private key of the EFS data recovery certificate can perform
EFS data recovery.

Key recovery agent


In organizations that are using CA-issued EFS certificates, you can use a key recovery agent for EFS
recovery. Unlike the data recovery agent, which grants the holder of the data recovery agent private key
access to all applicable EFS-encrypted files, the Key Recovery Agent allows an authorized person to extract
the EFS keys for a specific user from the certificate server's database. When you need to perform data
recovery, the authorized person can recover the EFS-encrypted data only for that specific user. By limiting
the data that can be recovered in a single operation, instead of allowing one operator to recover all EFS
data, you can minimize the chances of an unauthorized person accessing confidential data.
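The preparation that "Obtaining key pairs" and the two recovery agent topics above describe can be checked and carried out from the command line. The following PowerShell is an added example and is not part of the course: it lists the current user's EFS certificates, backs up the certificate and private key, and generates a data recovery agent certificate with cipher.exe. C:\EFSBackup is a placeholder path, and cipher.exe prompts interactively for the password that protects each exported .pfx file.

```powershell
# Added example, not part of the course. C:\EFSBackup is a placeholder; move the
# .pfx files it receives to removable media and lock them away, as the text advises.

$backupDir = 'C:\EFSBackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# EFS certificates carry the "Encrypting File System" enhanced key usage; recovery
# agent certificates carry "File Recovery", which is the same OID with a .1 suffix.
$efsEku = '1.3.6.1.4.1.311.10.3.4'
$draEku = '1.3.6.1.4.1.311.10.3.4.1'

function Get-EfsCertificate {
    # Returns the EFS certificates in the current user's Personal store. A certificate
    # that Windows generated itself (no CA available) shows a NotAfter date about 100 years out.
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $efsEku } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter, HasPrivateKey
}

Get-EfsCertificate | Format-Table -AutoSize

# 1. Back up the current user's EFS certificate and private key (prompts for a password).
#    Without the private key, a lost profile leaves the files unrecoverable unless a DRA exists.
cipher.exe /x:"$backupDir\user-efs-backup"

# 2. Generate a data recovery agent key pair: EFS-DRA.cer (public key, the part you import
#    under Public Key Policies\Encrypting File System in Group Policy) and EFS-DRA.pfx
#    (private key, the part that must stay offline in the safe).
cipher.exe /r:"$backupDir\EFS-DRA"

# 3. Verify that the generated public certificate carries the File Recovery usage before
#    publishing it through Group Policy.
function Test-DraCertificate ([string]$CerPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    return [bool]($cert.EnhancedKeyUsageList.ObjectId -contains $draEku)
}
if (-not (Test-DraCertificate "$backupDir\EFS-DRA.cer")) {
    throw 'EFS-DRA.cer does not carry the File Recovery enhanced key usage'
}

# 4. Inventory: list every encrypted file on local drives without modifying any of them.
cipher.exe /u /n
```

The inventory in step 4 is the list to work through with the Rekeying Wizard (or cipher.exe /rekey) after the DRA or the user's certificate changes, because existing files only pick up a new recovery agent when they are touched.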

Demonstration: Using EFS to Secure Data


In this demonstration, you will see how to configure a folder to encrypt files placed in it so that they are
only accessible to a user named Don. You will verify that this is the case by attempting to access the file as
a user named Adam.

Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Don, and then create the folder C:\SecretDon.
2. Edit the advanced properties of the SecretDon folder, and then enable the Encrypt contents to
secure data option.

3. Sign in to LON-CL1 as ADATUM\Adam, and then verify that the user is unable to access the contents
of the file c:\SecretDon\Secrets.txt.
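The demonstration steps, plus the per-user sharing described under "Sharing encrypted files with specific users", can also be scripted. The following PowerShell is an added example and is not part of the course: it assumes it runs on LON-CL1 as Adatum\Don, that Secrets.txt still has to be created, and that Adam's EFS public certificate has already been exported to C:\Certs\Adam.cer (a placeholder path).

```powershell
# Added example, not part of the course. Assumptions: runs on LON-CL1 as Adatum\Don;
# C:\Certs\Adam.cer is a placeholder for Adam's exported EFS public certificate (no
# private key); Secrets.txt is created here with constructed content.

$folder   = 'C:\SecretDon'
$file     = Join-Path -Path $folder -ChildPath 'Secrets.txt'
$adamCert = 'C:\Certs\Adam.cer'

# Step 1: create the folder.
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Step 2: the "Encrypt contents to secure data" check box is the folder's encryption
# attribute; cipher.exe /e sets it so that files added afterwards are encrypted.
cipher.exe /e $folder | Out-Null

# Create the file Adam will later be denied access to. Its symmetric file encryption
# key is wrapped with Don's EFS public key and kept in the file header.
Set-Content -Path $file -Value 'constructed sample content'

# Confirm the attribute really propagated to the new file.
function Test-EfsEncrypted ([string]$Path) {
    $attrs = (Get-Item -Path $Path).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}
if (-not (Test-EfsEncrypted -Path $file)) { throw "$file was not encrypted" }

# cipher /c lists the certificate thumbprints that can decrypt the file, including any
# data recovery agent published through Group Policy.
cipher.exe /c $file

# Optional: share the file with Adam by adding his EFS certificate. Only a user who can
# already decrypt the file can do this, and Adam could in turn add further users,
# which is the point the sharing topic makes about trusted accounts.
if (Test-Path -Path $adamCert) {
    cipher.exe /adduser /certfile:$adamCert $file
    cipher.exe /c $file
}
```

Step 3 remains a separate sign-in as ADATUM\Adam: reading the file then fails with an access-denied error unless his certificate was added in the optional block above.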

Enterprise Solutions for Managing EFS


Organizations that use EFS extensively should
deploy an enterprise CA. The benefits of using
an enterprise CA include:

Improved EFS functionality. You can configure the template used to create EFS certificates, which
strengthens the encryption algorithm.

Certificates stored in AD DS. Certificates are stored with a user's account in AD DS and are accessible
when the user signs in to different computers in the domain.

Certificates are recoverable. Should a person leave the organization, you can recover that user's EFS
certificates from a properly configured CA.

Automatic certificate deployment. You can configure Group Policy and a certificate template to
deploy EFS certificates automatically to users by using certificate auto-enrollment. This means that
the first time that a user encrypts a file, certificates are present and do not have to be generated.
This also simplifies encrypting files for other users, because AD DS stores the public keys, which are
necessary to encrypt files, for other users.

Ability to issue, manage, secure, and revoke the certificate for the data recovery agent. Using a
CA simplifies the process of managing a data recovery agent that is separate from the default
administrator account.

Ability to restrict the process of data recovery by using Key Recovery Agents. Key Recovery Agents
allow recovery of private keys used to encrypt EFS-protected files on a per-user basis from a CA
database. Instead of a user being able to recover all EFS-protected files, configuring a Key Recovery
Agent will allow per-user recovery of EFS-protected content. Limiting the scope of recovery reduces
the chance that an unauthorized user can access protected content, such as a privileged user who is
asked to recover a peer's encrypted files, but instead attempts to examine their boss's encrypted files.

Categorize Activity
Categorize each item below.

Items

1 Allows direct recovery of all encrypted data

2 Authorized person can recover the EFS-encrypted data for all users
in the organization

3 Authorized person can recover the EFS-encrypted data only for that
specific user

4 Allows the recovery of EFS private keys from the CA database

Category 1: Data recovery agent

Category 2: Key recovery agent



Lesson 3
Implementing and Managing BitLocker
BitLocker is another defensive strategy that complements EFS. BitLocker protects against data theft or
exposure on computers that are lost or stolen, and it offers more secure data deletion when you
decommission computers. Data on a lost or stolen computer is vulnerable to unauthorized access, either
by a malicious user running a software-attack tool against it or by transferring the computer's hard disk
to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers
by combining two major data-protection procedures. It encrypts the entire Windows operating-system
volume on a hard disk, and it encrypts multiple fixed volumes.

Lesson Objectives
After completing this lesson, you will be able to:

Describe BitLocker and BitLocker To Go.

Describe BitLocker requirements.

Describe BitLocker modes.


Describe the Group Policy settings for BitLocker.

Describe how to configure BitLocker.

Describe how to recover BitLocker-encrypted drives.


Describe the Microsoft BitLocker Administration and Monitoring tool.

What Is BitLocker?
BitLocker provides protection for an operating
system and the data that an operating system
volume stores in addition to other volumes on the
computer. It helps ensure that data stored on a
computer remains encrypted, even if someone
tampers with the computer when the operating
system is not running. BitLocker provides a closely
integrated solution in Windows 10 to address the
threats of data theft or exposure from lost, stolen,
or inappropriately decommissioned computers.

Data on a lost or stolen computer can become vulnerable to unauthorized access when a malicious user
runs a software-attack tool against it or transfers the computer's hard disk to a different computer.
BitLocker helps mitigate unauthorized data access by enhancing file and system protections.
Additionally, BitLocker helps render data inaccessible when you decommission or recycle BitLocker-
protected computers.

BitLocker performs two functions that provide offline data protection and system-integrity verification:

It encrypts all data that is stored on a Windows operating system volume and configured data
volumes. This includes the Windows operating system, hibernation and paging files, applications,
and application data. BitLocker also provides umbrella protection for non-Microsoft applications,
which benefits applications automatically when you install them on an encrypted volume.

It is configured, by default, to use a Trusted Platform Module (TPM) to help ensure the integrity of the
startup components that an operating system uses in the early stages of the startup process. BitLocker
locks any BitLocker-protected volumes, so they remain protected even if someone tampers with the
computer when the operating system is not running. A later section of this module describes how you
can enable BitLocker on devices without a TPM chip.

System integrity verification


BitLocker uses a TPM to verify the integrity of the startup process by:

Providing a method to check that early boot-file integrity has been maintained, and to help
ensure that there has been no adverse modification of those files, such as with boot-sector viruses
or rootkits.
Enhancing protection to mitigate offline software-based attacks. Any alternative software that might
start the system does not have access to the decryption keys for a Windows operating system volume.

Locking the system when it detects tampering. If BitLocker determines that tampering has occurred
with any monitored files, the system does not start. This alerts a user to tampering because the system
fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery
process.

In conjunction with a TPM, BitLocker verifies the integrity of early startup components, which helps
prevent additional offline attacks, such as attempts to insert malicious code into those components. This
functionality is important because the components in the earliest part of the startup process must remain
unencrypted so that the computer can start.

Because those components are unencrypted, an attacker could change their code and then gain access
to a computer even though the disk data is encrypted. If the attacker then obtains confidential
information, such as the BitLocker keys or user passwords, the attacker can circumvent BitLocker and
other Windows security protections.

Comparing BitLocker and EFS


The following table compares BitLocker and EFS-encryption functionality.

BitLocker functionality: Encrypts volumes (the entire operating-system volume, including Windows system
files, and the hibernation file).
EFS functionality: Encrypts files.

BitLocker functionality: Does not require user certificates.
EFS functionality: Requires user certificates.

BitLocker functionality: Protects the operating system from modification.
EFS functionality: Does not protect the operating system from modification.

Device encryption
Device encryption is a built-in Windows 10 feature. By default, device encryption protects the operating
system drive and any fixed data drives on the system by using Advanced Encryption Standard (AES) 128-
bit encryption, which uses the same technology as BitLocker. You can use device encryption with a
Microsoft account or a domain account.

Device encryption is enabled automatically on all Windows 10 versions on new devices, so that the device
is always protected. Supported devices that you upgrade to Windows 10 with a clean installation also
have device encryption automatically enabled.

BitLocker To Go
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer
asset. As more people use removable storage devices, they can lose data without losing a computer.
BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker
support to removable storage devices, such as USB flash drives. You can manage BitLocker To Go by using
Group Policy, from Windows PowerShell, and by using the BitLocker Drive Encryption Control Panel app.

In Windows 10, users can encrypt their removable media by opening File Explorer, right-clicking the drive,
and clicking Turn On BitLocker. Users then can choose a method with which to unlock the drive,
including using a:
Password. This is a combination of letters, symbols, and numbers that a user will enter to unlock a
drive.

Smart card. In most cases, an organization issues a smart card, and a user enters a smart card PIN to
unlock a drive.

After choosing an unlock method, users must print or save their recovery key. You can store this 48-digit
key in AD DS, so that you can use it if other unlocking methods fail, such as when users forget their
passwords. Finally, users must confirm their unlocking selections to begin encryption. When you insert a
BitLocker-protected drive into your computer, the Windows operating system will detect the encrypted
drive and prompt you to unlock it.
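The File Explorer steps above have a scripted equivalent in the BitLocker PowerShell module, which is useful when a help desk prepares drives in bulk. The following PowerShell is an added example and is not part of the course: it assumes an elevated session on a domain-joined Windows 10 computer, that the removable drive is mounted as E: (a placeholder), and that the removable-drive recovery policy permits backup to AD DS.

```powershell
# Added example, not part of the course. E: is a placeholder for the removable drive.

$drive = 'E:'

# Unlock method: a password. Read it as a SecureString so it never lands in a transcript.
$password = Read-Host -Prompt "Password to unlock $drive" -AsSecureString

# Turn on BitLocker To Go. Used-space-only encryption is appropriate for a freshly
# formatted stick; a drive that previously held data should be encrypted in full.
Enable-BitLocker -MountPoint $drive -PasswordProtector -Password $password `
    -EncryptionMethod Aes256 -UsedSpaceOnly | Out-Null

# Add the 48-digit recovery password as a second protector. This is the value the wizard
# asks users to print or save; here it goes to AD DS instead of a piece of paper.
$volume = Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector
$recovery = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $drive -KeyProtectorId $recovery.KeyProtectorId

function Get-RemovableDriveProtection ([string]$MountPoint) {
    # The summary worth checking before the drive is handed out: protection must be on
    # and both protector types must be present.
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        VolumeType       = $v.VolumeType
        EncryptionMethod = $v.EncryptionMethod
        Percent          = $v.EncryptionPercentage
        ProtectionStatus = $v.ProtectionStatus
        Protectors       = ($v.KeyProtector.KeyProtectorType -join ', ')
    }
}

Get-RemovableDriveProtection -MountPoint $drive
```

When the drive is later inserted into another Windows 10 computer, the password protector is what the unlock prompt uses; the recovery password in AD DS is the fallback the text describes for forgotten passwords.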

BitLocker Requirements
In Windows 10, Windows 8.1, and Windows 7,
BitLocker automatically prepares drives for use.
As a result, there is no need to create separate
partitions before turning on BitLocker. This is an
improvement over BitLocker in Windows Vista,
which required that users manually partition their
hard drive.
Windows 10 automatically creates the system
partition on a hard drive. In a default installation,
a computer will have a separate system partition
and an operating-system drive. The system
partition is smaller in Windows 10, Windows 8.1,
and Windows 7 than in Windows Vista, requiring only 100 megabytes (MB) of space.

You can use BitLocker to encrypt operating-system drives, fixed data drives, and removable data drives
in Windows 10. When you use BitLocker with data drives, you can format the drive with the extended
file allocation table (exFAT), FAT, FAT32, or NTFS file system, but the drive must have at least 64 MB of
available disk space. When you use BitLocker with operating-system drives, you must format the drive
with the NTFS file system.

BitLocker stores its own encryption and decryption key in a hardware device that is separate from the
hard disk. Therefore, you must have one of the following:
A computer with TPM 1.2 or newer.

A removable USB memory device, such as a USB flash drive.



On computers that do not have TPM 1.2, you still can use BitLocker to encrypt the Windows operating
system volume. However, this implementation requires the user to insert a USB startup key to start the
computer or resume from hibernation, and it does not provide the prestartup system-integrity verification
that BitLocker provides when working with a TPM.

Additionally, BitLocker offers the option to lock the normal startup process until a user supplies a PIN or
inserts a removable USB device that contains a startup key. These additional security measures provide
multifactor authentication and assurance that a computer will not start or resume from hibernation until
a user enters the correct PIN or startup key.

Hardware requirements
To turn on BitLocker, a computer must:

Have the hard drive space necessary for Windows 10 to create two disk partitions, one for the
operating system volume and one for the system volume:
o Operating system volume. This partition includes the drive on which you install Windows.
BitLocker encrypts this drive.

o System volume. A second partition is created as needed when you enable BitLocker in Windows
10. This partition must remain unencrypted so that you can start the computer. This partition
must be at least 100 MB, and you must set it as the active partition.

Have a BIOS or Unified Extensible Firmware Interface (UEFI) environment that is compatible with TPM
or supports USB devices during computer startup. The BIOS must be:
o Compliant with Trusted Computing Group (TCG).

o Set to start first from the hard disk, not the USB or CD drives.

o Able to read from a USB flash drive during startup.

Determining if a computer has a TPM 1.2 or newer chip


BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional
security of prestartup system-integrity verification. Perform the following procedure to determine if a
computer has a TPM 1.2 or newer chip:

1. Open Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. In the lower left corner, click TPM Administration. The TPM Management on Local Computer
console opens. If the computer does not have a TPM 1.2 chip, the Compatible TPM cannot be
found message appears.
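The same check can be scripted, which is the practical approach before a fleet-wide deployment. The following PowerShell is an added example and is not part of the course: it assumes an elevated session on Windows 10, reads the Win32_Tpm class (whose SpecVersion string begins with the TPM family, "1.2" or "2.0"), and also covers the firmware and system-partition requirements listed above.

```powershell
# Added example, not part of the course. Run elevated. Win32_Tpm lives in the
# root\cimv2\Security\MicrosoftTpm namespace and is absent when Windows sees no TPM.

function Get-BitLockerTpmStatus {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        # The condition the TPM Management console reports as "Compatible TPM cannot be found".
        return [pscustomobject]@{
            TpmPresent  = $false
            SpecVersion = $null
            TpmReady    = $false
            Mode        = 'No TPM: requires the Group Policy exception and a USB startup key; no pre-startup integrity verification'
        }
    }
    # SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3"; the first field is the family.
    $family = [version](($tpm.SpecVersion -split ',')[0].Trim())
    $state  = Get-Tpm   # TrustedPlatformModule module: TpmPresent, TpmReady, TpmEnabled, TpmActivated
    if ($family -ge [version]'1.2') {
        $mode = 'TPM 1.2 or newer: pre-startup system-integrity verification available'
    } else {
        $mode = 'TPM older than 1.2: not supported by BitLocker'
    }
    [pscustomobject]@{
        TpmPresent  = $state.TpmPresent
        SpecVersion = $family
        TpmReady    = $state.TpmReady
        Mode        = $mode
    }
}

function Get-FirmwareMode {
    # Confirm-SecureBootUEFI only works on UEFI firmware; on legacy BIOS it throws.
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
        if ($secureBoot) { return 'UEFI, Secure Boot on' }
        return 'UEFI, Secure Boot off'
    } catch {
        return 'Legacy BIOS (Confirm-SecureBootUEFI not supported)'
    }
}

function Get-SystemPartitionSizeMB {
    # The unencrypted system partition must exist and be at least 100 MB.
    $sys = Get-Partition | Where-Object { $_.IsSystem } | Select-Object -First 1
    if ($sys) { return [math]::Round($sys.Size / 1MB) }
    return 0
}

Get-BitLockerTpmStatus | Format-List
"Firmware: $(Get-FirmwareMode)"
"System partition: $(Get-SystemPartitionSizeMB) MB"
```

A computer that reports no TPM is not blocked from BitLocker, but the result is the USB startup key mode described next, and the policy change under "Using Group Policy Settings to Configure BitLocker" is required first.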

BitLocker Modes
BitLocker can run on two types of computers:

Those with TPM 1.2 and newer.

Those without TPM 1.2, but which have a removable USB memory device.

This topic provides an in-depth examination of these two BitLocker modes.

Computers with TPM 1.2


The most secure implementation of BitLocker takes advantage of the enhanced security capabilities of
TPM 1.2 or newer. TPM is a hardware component that manufacturers install in many newer computers.
It works with BitLocker to help protect user data and to ensure that offline tampering does not impact a
computer that is running Windows 10.

BitLocker supports TPM 1.2, but it does not support older TPMs. Version 1.2 TPMs provide increased
standardization, security enhancement, and improved functionality compared with previous versions.
On computers that have TPM 1.2, BitLocker uses the enhanced TPM security capabilities to help ensure
that your data is accessible only if the computer's startup components appear unaltered and the
encrypted disk is located in the original computer.

If you enable BitLocker on a Windows 10-based computer that has TPM 1.2 or newer, you can add the
following additional authentication factors to the TPM protection:

Configure BitLocker to lock the normal startup process until a user supplies a PIN or inserts a USB
device, such as a flash drive, that contains a BitLocker startup key.

Require both a PIN and a USB device.


In a scenario that uses a TPM with an advanced-startup option, you can add a second factor of
authentication to the standard TPM protection: you can require that the user enters a PIN or provides
a startup key on a USB flash drive. To use a USB flash drive with a TPM, the computer must have a BIOS
that can read USB flash drives in the preoperating system environment (at startup). You can check your
BIOS by running a hardware test near the end of the BitLocker setup wizard.

These additional security measures provide multifactor authentication and help ensure that a computer
will not start or resume from hibernation until a user presents the correct authentication method.
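Adding a second factor to the TPM protection, as described above, is done at enable time. The following PowerShell is an added example and is not part of the course: it assumes an elevated session on a domain-joined Windows 10 computer with TPM 1.2 or newer, that the "Require additional authentication at startup" policy allows a startup PIN, and that F:\ (a placeholder) is the USB drive for the alternative startup-key factor.

```powershell
# Added example, not part of the course. Assumes TPM 1.2 or newer, a policy that
# permits a PIN with the TPM, and a domain-joined computer for the AD DS backup.

$os = 'C:'

# Second factor: a startup PIN entered before Windows loads, read as a SecureString.
$pin = Read-Host -Prompt 'Startup PIN' -AsSecureString

# TPM + PIN protector with XTS-AES 256 (Windows 10 version 1511 and later). Without
# -SkipHardwareTest the cmdlet schedules the same hardware test the wizard runs near its
# end: one restart that confirms the TPM and PIN prompt work before encryption begins.
Enable-BitLocker -MountPoint $os -TpmAndPinProtector -Pin $pin `
    -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null

# Always add a recovery password as well. A TPM lockout or a firmware update that changes
# the measured values leaves the recovery password as the only way in.
$volume = Add-BitLockerKeyProtector -MountPoint $os -RecoveryPasswordProtector
$recovery = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -First 1
Backup-BitLockerKeyProtector -MountPoint $os -KeyProtectorId $recovery.KeyProtectorId

# Alternative second factor from the text: TPM + startup key on a USB flash drive.
# Use in place of the TPM + PIN line above; F:\ is a placeholder for the USB drive.
# Enable-BitLocker -MountPoint $os -TpmAndStartupKeyProtector -StartupKeyPath 'F:\' `
#     -EncryptionMethod XtsAes256 -UsedSpaceOnly

function Test-OsDriveProtectors ([string]$MountPoint) {
    # True only when both the multifactor protector and the recovery protector exist.
    $types = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
    return ($types -contains 'TpmPin' -and $types -contains 'RecoveryPassword')
}

Test-OsDriveProtectors -MountPoint $os
```

The order matters for operations: add and back up the recovery protector before the computer leaves the technician's hands, because once the PIN is forgotten there is no other route to the data.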

How TPM works


On computers equipped with a TPM, each time a computer starts, each of the early startup components,
such as the BIOS, the boot sector, and the boot manager code, examines the code that is about to run,
calculates a hash value, and stores the value in the TPM. Once that value is stored in the TPM, it cannot
be replaced until the user restarts the system, and TPM records a combination of these values.
You can use these recorded values to protect data by using the TPM to create a key that links to these
values. When you create this type of key, the TPM encrypts it. Only that specific TPM can decrypt it. Each
time the computer starts, the TPM compares the values that are generated during the current startup with
the values that existed when the key was created. It decrypts the key only if those values match. This
process is called sealing and unsealing the key.

As part of its verification process for system integrity, BitLocker examines and seals keys to the
measurements of the following:

The core root of trust for measurement.

The BIOS and any platform extensions.

Optional read-only memory (ROM) code.

Master boot-record code.

The NTFS boot sector.

The Windows Boot Manager.

If any of these items change unexpectedly, BitLocker locks the drive to prevent access or decryption.
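To make the measure, seal and unseal sequence concrete, the following PowerShell is an added example and is not part of the course, nor is it the TPM's real implementation: a "PCR" here is a SHA-256 hash chain that can only be extended, never rewritten, and "sealing" wraps a volume master key (VMK) under a key derived from the final PCR value, with an HMAC tag so that a mismatch is detected rather than producing garbage. The toy omits the TPM's own storage root key, which is what makes a real sealed blob usable by that TPM only. All boot components and the VMK are constructed values.

```powershell
# Added example, not part of the course, and not the TPM's real algorithm: a toy model
# of measure-extend-seal-unseal using SHA-256, HMAC-SHA256 and AES from .NET.

function Get-Sha256 ([byte[]]$Bytes) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return $sha.ComputeHash($Bytes) } finally { $sha.Dispose() }
}

function Get-Hmac ([byte[]]$Key, [byte[]]$Data) {
    $h = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Key)
    try { return $h.ComputeHash($Data) } finally { $h.Dispose() }
}

# Extend: PCR_new = SHA256(PCR_old || SHA256(component)). The register starts at 32 zero
# bytes on every boot and only ever moves forward, so order and content both matter.
function Measure-BootChain ([string[]]$Components) {
    [byte[]]$pcr = New-Object byte[] 32
    foreach ($component in $Components) {
        $digest = Get-Sha256 -Bytes ([System.Text.Encoding]::UTF8.GetBytes($component))
        $pcr = Get-Sha256 -Bytes ($pcr + $digest)
    }
    return $pcr
}

# Seal: derive wrapping and MAC keys from the PCR, AES-encrypt the VMK, tag the result.
function Protect-Vmk ([byte[]]$Vmk, [byte[]]$Pcr) {
    $wrapKey = Get-Hmac -Key $Pcr -Data ([System.Text.Encoding]::ASCII.GetBytes('wrap'))
    $macKey  = Get-Hmac -Key $Pcr -Data ([System.Text.Encoding]::ASCII.GetBytes('mac'))
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $wrapKey
        $aes.GenerateIV()
        $blob = $aes.CreateEncryptor().TransformFinalBlock($Vmk, 0, $Vmk.Length)
        $tag  = Get-Hmac -Key $macKey -Data ($aes.IV + $blob)
        return [pscustomobject]@{ IV = $aes.IV; Blob = $blob; Tag = $tag }
    } finally { $aes.Dispose() }
}

# Unseal: succeeds only if the PCR presented now equals the PCR at sealing time.
function Unprotect-Vmk ($Sealed, [byte[]]$Pcr) {
    $wrapKey = Get-Hmac -Key $Pcr -Data ([System.Text.Encoding]::ASCII.GetBytes('wrap'))
    $macKey  = Get-Hmac -Key $Pcr -Data ([System.Text.Encoding]::ASCII.GetBytes('mac'))
    $expected = Get-Hmac -Key $macKey -Data ($Sealed.IV + $Sealed.Blob)
    if ([Convert]::ToBase64String($expected) -ne [Convert]::ToBase64String($Sealed.Tag)) {
        return $null   # measurements differ: the drive stays locked and recovery is the only way in
    }
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key = $wrapKey
        $aes.IV  = $Sealed.IV
        return $aes.CreateDecryptor().TransformFinalBlock($Sealed.Blob, 0, $Sealed.Blob.Length)
    } finally { $aes.Dispose() }
}

# Constructed boot chain, in the order the text lists the measured components.
$goodBoot = 'CRTM v1', 'BIOS 2.3 + extensions', 'option ROM', 'MBR code', 'NTFS boot sector', 'bootmgr'
$vmk      = [byte[]](1..32)   # constructed stand-in for the real 256-bit VMK

$sealed = Protect-Vmk -Vmk $vmk -Pcr (Measure-BootChain -Components $goodBoot)

# Same components in the same order: the VMK is released and the volume can be unlocked.
$released = Unprotect-Vmk -Sealed $sealed -Pcr (Measure-BootChain -Components $goodBoot)
"Clean boot releases the VMK: $($null -ne $released)"

# One component changed (here the MBR code): every later PCR value differs, so unsealing fails.
$tampered = $goodBoot.Clone()
$tampered[3] = 'MBR code (patched)'
$locked = Unprotect-Vmk -Sealed $sealed -Pcr (Measure-BootChain -Components $tampered)
"Tampered boot releases the VMK: $($null -ne $locked)"
```

The model also explains the operational side of the text: a legitimate firmware or boot manager update changes the measurements just as tampering does, which is why the recovery password must be escrowed before such updates and why BitLocker is suspended for them in managed environments.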

Computers without TPM 1.2 or newer


By default, BitLocker looks for and uses a TPM. You can use Group Policy to allow BitLocker to work
without a TPM and store keys on an external USB flash drive. However, BitLocker will not be able to verify
early startup components.

You can enable BitLocker on a computer without TPM 1.2 as long as the BIOS has the ability to read from
a USB flash drive in the boot environment. This is because BitLocker will not unlock a protected volume
until BitLocker's own volume master key is released by the computer's TPM or by a USB flash drive that
contains the computer's BitLocker startup key. However, computers without TPMs will not be able to use
the system-integrity verification that BitLocker provides.
If a startup key is located on a USB flash drive, your computer must have a BIOS that can read USB flash
drives in the preoperating system environment (at startup). You can check your BIOS by running the
hardware test that is near the end of the BitLocker setup wizard.

To help determine whether a computer can read from a USB device during the boot process, use the
BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm
that the computer can read from USB devices properly at the appropriate time and that the computer
meets other BitLocker requirements.

To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker
user interface. When you enable the advanced options, the non-TPM settings appear in the BitLocker
setup wizard.
Question: What is a disadvantage of running BitLocker on a computer that does not have
TPM 1.2?

Using Group Policy Settings to Configure BitLocker


BitLocker in Windows 10 includes several new Group Policy settings that permit simplified feature
management. For example, you can:

Require all removable drives to be BitLocker-protected before users can save data to them.

Require or disallow specific methods for unlocking BitLocker-protected drives.

Configure methods to recover data from BitLocker-protected drives if a user's unlock credentials are
unavailable.

Require or prevent different types of recovery password storage or make them optional.

Prevent BitLocker from activating if it is not possible to back up the keys to AD DS.

You also can use Group Policy to configure a domain-wide data recovery agent that will permit an
administrator to unlock any drive encrypted with BitLocker. Before you can use a data recovery agent,
you must add it from the Public Key Policies item in the Group Policy Management Console (GPMC) or
the Local Group Policy Editor MMC snap-in.

To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the
drives that you use with BitLocker. These policy settings are:

Choose how BitLocker-protected operating system drives can be recovered

Choose how BitLocker-protected removable data drives can be recovered

Choose how BitLocker-protected fixed data drives can be recovered

When you enable the policy setting, select the Enable data recovery agent check box. There is a policy
setting for each type of drive, so you can configure individual recovery policies for each type of drive on
which you enable BitLocker.

You also must enable and configure the Provide the unique identifiers for your organization policy
setting to associate a unique identifier with a new drive that BitLocker is protecting. BitLocker manages
and updates data recovery agents only when an identification field is present on a drive and is identical
to the value that is configured on the computer.

You can use these policy settings to enforce a standard BitLocker deployment in your organization.
Group Policy settings that affect BitLocker are located in Computer Configuration\Administrative
Templates\Windows Components\BitLocker Drive Encryption. Globally applied BitLocker Group Policy
settings are located in this folder. Subfolders for fixed data drives, operating system drives, and removable
drives support the configuration of policy settings specific to those drives.

Note: If you want to use BitLocker to protect an operating-system drive on a computer that
does not have a TPM, you must enable the Require additional authentication at startup policy
setting, and then within that setting, click Allow BitLocker without a compatible TPM.
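A deployment standard is only useful if the computers actually received it, so it is worth auditing the applied policy rather than the GPO. The following PowerShell is an added example and is not part of the course: it reads the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE to which the policy settings named in this topic are written (the value names are the registry equivalents of those settings as I know them; confirm them against the Group Policy settings reference for your build) and reports the combinations that matter: BitLocker allowed without a TPM, data recovery agents enabled without an identification field, and AD DS backup required but not enabled.

```powershell
# Added example, not part of the course. Value names under HKLM\SOFTWARE\Policies\Microsoft\FVE
# are the registry equivalents of the policy settings named in this topic, as I know them.

function Get-BitLockerPolicyReport {
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path -Path $path)) {
        return [pscustomobject]@{
            PolicyApplied = $false
            Findings      = @('No BitLocker policy has been applied to this computer')
        }
    }
    $p = Get-ItemProperty -Path $path
    $findings = New-Object System.Collections.Generic.List[string]

    # "Require additional authentication at startup" -> UseAdvancedStartup; its
    # "Allow BitLocker without a compatible TPM" check box -> EnableBDEWithNoTPM.
    if ($p.UseAdvancedStartup -eq 1 -and $p.EnableBDEWithNoTPM -eq 1) {
        $findings.Add('Operating system drives may be protected without a TPM; those computers get no pre-startup integrity verification')
    }

    # "Choose how BitLocker-protected <type> drives can be recovered" -> OS*, FDV* and RDV*
    # values; the "Enable data recovery agent" check box -> <type>ManageDRA.
    foreach ($prefix in 'OS', 'FDV', 'RDV') {
        $recovery = $p."${prefix}Recovery"
        $dra      = $p."${prefix}ManageDRA"
        $adBackup = $p."${prefix}ActiveDirectoryBackup"
        $adReq    = $p."${prefix}RequireActiveDirectoryBackup"
        if ($recovery -eq 1 -and $dra -eq 1 -and $p.IdentificationField -ne 1) {
            # The text: BitLocker manages DRAs only when an identification field is present and matches.
            $findings.Add("$prefix drives: data recovery agent enabled, but 'Provide the unique identifiers for your organization' is not, so the DRA will not be applied to new drives")
        }
        if ($recovery -eq 1 -and $adReq -eq 1 -and $adBackup -ne 1) {
            $findings.Add("$prefix drives: BitLocker is blocked until recovery information reaches AD DS, but AD DS backup itself is not enabled")
        }
    }

    [pscustomobject]@{
        PolicyApplied             = $true
        AllowWithoutTpm           = ($p.EnableBDEWithNoTPM -eq 1)
        IdentificationField       = $p.IdentificationFieldString
        DenyWriteToUnprotectedFDV = ($p.FDVDenyWriteAccess -eq 1)
        Findings                  = $findings.ToArray()
    }
}

Get-BitLockerPolicyReport | Format-List
```

Run it after gpupdate on a representative computer from each OU; a missing FVE key means no BitLocker policy reached the computer at all, which is a different problem from a misconfigured one.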

Summary of Group Policy settings


The BitLocker Drive Encryption folder on an operating system typically contains the following subfolders:
Fixed Data Drives, Operating System Drives, and Removable Data Drives.

The following table summarizes some of the key policy settings that affect Windows 10 client computers.
Each setting includes the following options: Not configured, Enabled, and Disabled. The default setting
for each setting is Not configured.

Setting name: Choose default folder for recovery password
Location: BitLocker Drive Encryption folder
Description: Specifies a default location to which the user can save recovery keys. This can be a local or network location. The user also can choose other locations.

Setting name: Choose drive encryption method and cipher strength
Location: BitLocker Drive Encryption folder
Description: Allows you to configure the algorithm and cipher strength that BitLocker uses to encrypt files. If you enable this setting, you will be able to choose an encryption algorithm and key cipher strength. If you do not configure this setting, or you disable it, BitLocker will use the default encryption method of AES 128-bit with a diffuser or the encryption method that the setup script specifies.

Setting name: Provide the unique identifiers for your organization
Location: BitLocker Drive Encryption folder
Description: Allows you to associate unique organizational identifiers to a new drive that you enable with BitLocker. BitLocker will manage and update data recovery agents only when the identification field on the drive matches the value that you configure in the identification field. This also applies to removable drives that you configure by using BitLocker To Go.

Setting name: Prevent memory overwrite on restart
Location: BitLocker Drive Encryption folder
Description: Controls computer restart performance if there is a risk of exposing BitLocker secrets. BitLocker secrets include key material that you use to encrypt data. If you enable this setting, the operating system will not overwrite memory when the computer restarts. This can improve restart performance, but it does increase the risk of exposing BitLocker secrets. If you disable or do not configure this setting, BitLocker removes secrets from memory when the computer restarts.

Setting name: Deny write access to fixed drives not protected by BitLocker
Location: Fixed Data Drives folder
Description: Controls whether BitLocker protection is required if users are going to write data to fixed data drives on a computer. If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is BitLocker-protected, or if you disable or do not configure this setting, all fixed data drives will be mounted with read/write permission.

Setting name: Allow access to BitLocker-protected data drives from earlier versions of Windows
Location: Fixed Data Drives folder
Description: Configures whether fixed data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, or Windows XP with Service Pack 3 (SP3) or Service Pack 2 (SP2) operating systems.

Setting name: Choose how BitLocker-protected fixed drives can be recovered
Location: Fixed Data Drives folder
Description: Allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.

Setting name: Require additional authentication at startup
Location: Operating System Drives folder
Description: Allows you to configure whether you can enable BitLocker on computers without a TPM, and whether you can use multifactor authentication on computers with a TPM.

Setting name: Choose how BitLocker-protected operating system drives can be recovered
Location: Operating System Drives folder
Description: Allows you to control recovery of BitLocker-protected operating system drives if the required startup-key information is not available.

Setting name: Configure TPM platform validation profile
Location: Operating System Drives folder
Description: Configures which of the TPM platform measurements stored in the Platform Configuration Register indices are used to seal BitLocker keys.

Setting name: Control use of BitLocker on removable drives
Location: Removable Data Drives folder
Description: Controls the use of BitLocker on removable data drives.

Setting name: Configure use of smart cards on removable data drives
Location: Removable Data Drives folder
Description: Allows you to specify whether smart cards can authenticate user access to BitLocker-protected removable drives on a computer.

Setting name: Deny write access to removable drives not protected by BitLocker
Location: Removable Data Drives folder
Description: Configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

Setting name: Allow access to BitLocker-protected removable drives from earlier versions of Windows
Location: Removable Data Drives folder
Description: Configures whether removable data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and Windows XP with SP3 or SP2 operating systems.

Setting name: Configure use of passwords for removable data drives
Location: Removable Data Drives folder
Description: Specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to enforce use of a password, you can enforce complexity requirements and configure a minimum password length.

Setting name: Choose how BitLocker-protected removable drives can be recovered
Location: Removable Data Drives folder
Description: Allows you to control the recovery of BitLocker-protected removable data drives if the required startup key information is not available.

Group Policy settings and TPM


Group Policy settings that control TPM behavior are in Computer Configuration\Administrative
Templates\System\Trusted Platform Module Services. The following table summarizes these settings.

Setting name: Turn on TPM backup to Active Directory Domain Services
Default: Disabled
Description: Controls whether the password information of the TPM owner is backed up in AD DS. If you enable this setting, it also can control whether backup is required or optional.

Setting name: Configure the list of blocked TPM commands
Default: None
Description: Allows you to disable or enable specific TPM functions. However, please note that the next two settings can restrict which commands are available. Group Policy based lists override local lists. You can configure local lists in the TPM Management Console.

Setting name: Ignore the default list of blocked TPM commands
Default: Disabled
Description: By default, BitLocker blocks certain TPM commands. To enable these commands, you must enable this policy setting.

Setting name: Ignore the local list of blocked TPM commands
Default: Disabled
Description: By default, a local administrator can block commands in the TPM Management Console. You can use this setting to prevent that behavior.

Question: How can you use Microsoft BitLocker Administration and Monitoring 2.5 SP1 to
reduce the time that the help desk spends recovering a BitLocker unlock key for a remote
user?

Demonstration: Configuring and Using BitLocker


In this demonstration, you will configure BitLocker-related group policies, enable BitLocker on a volume,
and unlock a BitLocker-encrypted volume.

Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open the Local Group Policy Editor.


3. Enable the Require additional authentication at startup policy setting located at Computer
Configuration\Administrative Templates\Windows Components\BitLocker Drive
Encryption\Operating System Drives.

4. Close the Local Group Policy Editor.

5. Refresh the Group Policy settings on the local computer by running gpupdate /force.
6. On LON-CL1, open the Manage BitLocker control panel item, and then turn on BitLocker for
Allfiles (E:):

o Select the Use a password option.

o Use the password Pa$$w0rd.


o Save the recovery key to the Local Disk (C:) drive.

7. After the encryption process is complete, restart LON-CL1.


8. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
9. Open File Explorer, and then explore Drive E, which is encrypted.

10. Open the BitLocker control panel item, and then unlock volume E:.

11. Enter password Pa$$w0rd to unlock the drive, and then verify access to the drive.
12. Close all open windows.

Recovering BitLocker-Encrypted Drives


When a BitLocker-enabled computer starts, BitLocker checks the operating system for conditions that might indicate a security risk. If BitLocker detects potential security risks, it does not unlock the system drive but enters recovery mode. When a computer enters recovery mode, the user must enter the correct recovery password to continue. The recovery password is tied to a particular TPM or computer, not to individual users, and it typically does not change.

Save the recovery information on a USB flash drive or in AD DS by using one of these formats:

A 48-digit number divided into eight groups. During recovery, use the function keys to type this password into the BitLocker recovery console.

A recovery key in a format that the BitLocker recovery console can read directly.

Locating a BitLocker recovery password


A BitLocker recovery password is a 48-digit password that unlocks a system in recovery mode. The
recovery password is unique to a particular BitLocker encryption, and you can store it in AD DS.

You will require the recovery password if you need to move the encrypted drive to another computer or
make changes to the system startup information. This password is so important that you should make
additional copies of the password and store it in safe places to ensure access to your data.
You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a
locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to
recover encrypted data from any other BitLocker encryption session.

A computer's password ID is a 32-character password that is unique to a computer name. You can find the
password ID under a computer's property settings, which you can use to locate passwords that are stored
in AD DS. To locate a password, the following conditions must be true:

You are a domain administrator or have delegated permissions.

The client's BitLocker recovery information is configured to be stored in AD DS.

The client's computer has been joined to the domain.

BitLocker is enabled on the client's computer.

Prior to searching for and providing a recovery password to a user, confirm that the person is the account owner and is authorized to access data on the computer in question.

Search for the password in Active Directory Users and Computers by using one of the following:

A drive label

Password ID
To search by drive label, perform the following procedure. Locate the computer, right-click the drive label,
click Properties, and then click the BitLocker Recovery tab to view associated passwords.

To search by password ID, perform the following procedure. Right-click the domain container, and then
click Find BitLocker Recovery Password. In the Find BitLocker Recovery Password dialog box, enter
the first eight characters of the password ID in the Password ID field, and then click Search.

Examine the returned recovery password to ensure that it matches the password ID that the user provides.
Performing this step helps verify that you have obtained the unique recovery password.
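The password-ID search described above, done from Windows PowerShell instead of the Active Directory Users and Computers dialog box. This is an added example, not part of the course material; it assumes the ActiveDirectory module, that recovery objects (msFVE-RecoveryInformation) are stored beneath the computer object with a common name of the form "<timestamp>{<password ID>}", and that the help-desk caller and the ID prefix 1B2C3D4E are constructed.

```powershell
# Added example (not from the course). Run as a user who has been delegated read access to
# msFVE-RecoveryInformation objects, for example on LON-DC1 as Adatum\Administrator.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$PasswordIdPrefix,  # the first eight characters the user reads out
        [string]$ComputerName                             # optional: limit the search to one computer object
    )
    if ($PasswordIdPrefix.Length -ne 8) {
        throw 'Ask the user for exactly the first eight characters of the password ID.'
    }
    # Assumption: the recovery object's CN ends with {<password ID>}, so a prefix match on CN
    # is the same search the "Find BitLocker Recovery Password" dialog box performs.
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$PasswordIdPrefix*))"
    $searchBase = if ($ComputerName) { (Get-ADComputer -Identity $ComputerName).DistinguishedName }
                  else { (Get-ADDomain).DistinguishedName }

    Get-ADObject -LDAPFilter $filter -SearchBase $searchBase `
                 -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
        ForEach-Object {
            # The parent of the recovery object is the computer the key belongs to.
            $parentDn = ($_.DistinguishedName -split ',', 2)[1]
            [pscustomobject]@{
                Computer         = (Get-ADObject -Identity $parentDn).Name
                # msFVE-RecoveryGuid is stored as bytes; show it as the GUID the user sees as the password ID.
                PasswordId       = [guid]::new([byte[]]$_.'msFVE-RecoveryGuid').ToString().ToUpper()
                Created          = $_.whenCreated
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
            }
        }
}

# Constructed help-desk call: the verified owner of LON-CL1 reads out the prefix 1B2C3D4E.
$results = Find-BitLockerRecoveryPassword -PasswordIdPrefix '1B2C3D4E' -ComputerName 'LON-CL1'
if (-not $results) {
    Write-Warning 'No recovery information matches; check the prefix and confirm the client backed up its key to AD DS.'
}
elseif (@($results).Count -gt 1) {
    Write-Warning 'More than one match; read the full password ID back to the user before using any of them.'
}
# Compare the full PasswordId with the one on the user's recovery screen before giving out RecoveryPassword.
$results | Format-List
```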

Support for the data recovery agent


Windows 10 BitLocker provides support for the data recovery agent for all protected volumes. This allows
you to recover data from any BitLocker and BitLocker To Go device when the data is inaccessible. This
technology helps you recover organizational data on a portable drive by using the key that you created.

Support for the data recovery agent allows you to dictate that all BitLocker-protected volumes, such as
operating-system, fixed, and new portable volumes, are encrypted with an appropriate data recovery
agent. The data recovery agent is a new key protector that is written to each data volume so that
authorized IT administrators always have access to BitLocker-protected volumes.

Back up your Windows 10 BitLocker recovery key to a Microsoft account


For devices that are not domain-joined, Windows 10 allows you to back up BitLocker recovery keys to a
Microsoft account; the key is then stored in your Microsoft OneDrive (formerly known as SkyDrive) account.
During BitLocker configuration on a fixed or removable drive, and just before encryption begins, you are
prompted to specify how you want to back up your recovery key. You can:

Save it to your Microsoft account.


Save it to a USB flash drive.

Save it to a file.

Print it.
To obtain your saved BitLocker recovery key, open an Internet browser, go to
https://onedrive.live.com/recoverykey, and then sign in with your Microsoft account.
You will find recovery keys for all of your BitLocker-protected drives.

Question: What is the difference between the recovery password and the password ID?

Microsoft BitLocker Administration and Monitoring

Microsoft BitLocker Administration and Monitoring 2.5 SP1
BitLocker and BitLocker To Go offer enhanced protection against data theft or data exposure from computers that might have been lost or stolen. We recommend that medium and large organizations that deploy BitLocker use the Microsoft BitLocker Administration and Monitoring 2.5 SP1 tool to provide management capabilities for BitLocker and BitLocker To Go.

Administrators can use Microsoft BitLocker Administration and Monitoring to simplify the following BitLocker management tasks:

Deploying BitLocker and recovering encryption keys.

Conducting centralized compliance monitoring and reporting.


Provisioning encrypted drives.

Supporting encrypted drives.

Microsoft BitLocker Administration and Monitoring 2.5 SP1 allows administrators to enforce
organizational BitLocker-encryption policies across an enterprise. It also allows administrators to
monitor policy compliance of client computers, providing centralized reporting on the encryption
status of devices that are in use on a network.

Note: Microsoft BitLocker Administration and Monitoring 2.5 SP1 is available only as part
of the Microsoft Desktop Optimization Pack, which offers Microsoft Software Assurance
customers a suite of premium utilities that are useful for administrators to manage desktop
computers and devices within an organization.

Additionally, Microsoft BitLocker Administration and Monitoring lets you access recovery key information,
which is helpful when users forget their PINs or passwords, or when their BIOS or UEFI firmware or boot
records change. If you adopt an enterprise BitLocker management solution, you can increase BitLocker's
level of effectiveness significantly, and reduce your administrative overhead and total cost of ownership.

Microsoft BitLocker Administration and Monitoring provides:

Integration with Configuration Manager.

Hardware compatibility integration with Configuration Manager.

Upgrade to the Microsoft BitLocker Administration and Monitoring 2.5 SP1 client from the Microsoft
BitLocker Administration and Monitoring 1.0 and 2.0 clients.
Upgrade to the Microsoft BitLocker Administration and Monitoring 2.5 from previous versions of the
Microsoft BitLocker Administration and Monitoring Server.

Support by Microsoft BitLocker Administration and Monitoring 2.5 SP1 for BitLocker's enterprise
scenarios on Windows 10.

A Self-Service Portal so that end users can recover their recovery keys.

Automatic resumption of BitLocker protection from a suspended state after restart.


Fixed data drives that you can configure to unlock automatically without a password.

For more information on Microsoft BitLocker Administration and Monitoring 2.5, refer to:

Microsoft BitLocker Administration and Monitoring 2.5


http://aka.ms/n3mqgm

Categorize Activity
Categorize each item below.

Items

1 Encrypts the entire operating-system volume, including Windows system files and the hibernation file

2 Does not protect the operating system from modification

3 Encrypts files

4 Protects the operating system from modification

5 Does not require user certificates

6 Requires user certificates

Category 1 Category 2

BitLocker EFS

Lab: Managing Data Security


Scenario
Don and Adam work different days at the same office. They share a desk and a computer. Don works on
sensitive information to which Adam should not have access. Therefore, you have instructed Don to create
a folder, and you will encrypt the contents so that only he can access its contents.

Your manager also wants to ensure that volumes containing critical data are locked. Unfortunately, several
of the computers in your office lack TPM chips. You wish to explore the functionality of using BitLocker
without a TPM chip.

Objectives
After completing this lab, you will be able to:

Configure EFS protection for folders.


Protect a volume with BitLocker.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20697-1B-LON-DC1 and 20697-1B-LON-CL1

User names: Adatum\Administrator, Adatum\Adam, Adatum\Don

Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Repeat steps 2 and 3 for 20697-1B-LON-CL1.

Exercise 1: Using EFS


Scenario
In this exercise, you will create a folder and configure it to encrypt files placed inside it. You then will
create a file, and verify that it is encrypted so that other users are unable to access its contents.

The main tasks for this exercise are as follows:

1. Create a data folder.


2. Encrypt the folder.

3. Test access to the folder.

Task 1: Create a data folder


Sign in to LON-CL1 as Adatum\Don, and then create the folder C:\SecretDon.

Task 2: Encrypt the folder


1. Edit the advanced properties of the SecretDon folder, and then enable the Encrypt contents to
secure data option.

2. In the SecretDon folder, create a new text document named Secrets. Open the file and enter This is
a secret file.
3. Save the file and then close Notepad.

4. Sign out from LON-CL1.

Task 3: Test access to the folder


1. Sign in to LON-CL1 as ADATUM\Adam, and then verify that the user is unable to access the contents
of the file C:\SecretDon\Secrets.txt.

2. Sign out from LON-CL1.

Results: After completing this exercise, you will have created a folder that automatically encrypts files
placed inside it to the Don account. You also will have verified this by using the Adam account.

Exercise 2: Using BitLocker


Scenario
You have decided to implement BitLocker to protect the users' data files.
The main tasks for this exercise are as follows:

1. Configure GPO settings.

2. Enable BitLocker.
3. Verify BitLocker.

Task 1: Configure GPO settings


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open the Local Group Policy Editor.


3. Enable the Require additional authentication at startup policy setting located at Computer
Configuration\Administrative Templates\Windows Components\BitLocker Drive
Encryption\Operating System Drives.

4. Close the Local Group Policy Editor.

5. Refresh the Group Policy settings on the local computer by running gpupdate /force.

6. Restart LON-CL1.

7. After the computer restarts, sign in as Adatum\Administrator with the password Pa$$w0rd.

Task 2: Enable BitLocker


1. On LON-CL1, open the Manage BitLocker control panel item, and then turn on BitLocker for
Allfiles (E:):

o Select the Use a password option.


o Use the password Pa$$w0rd.

o Save the recovery key to C:\Bitlocker.

2. After the encryption process is complete, restart LON-CL1.

Task 3: Verify BitLocker


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open File Explorer, and then explore Drive E, which is encrypted.

3. Open the BitLocker control panel item, and then unlock volume E:.

4. Enter the password Pa$$w0rd to unlock the drive, and then verify access to the drive.
5. Close all open windows.

Results: After completing this exercise, you will have encrypted the hard drive.
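The same exercise carried out with the BitLocker cmdlets, covering Task 1's policy check, Task 2's password protector and saved recovery key, and Task 3's unlock; it also serves the earlier demonstration and the Group Policy table, which use the same settings. This is an added example, not part of the course material; it assumes volume E: and the folder C:\Bitlocker from the lab, and that the policy "Require additional authentication at startup" stores its choices as the registry values UseAdvancedStartup and EnableBDEWithNoTPM under the FVE policy key.

```powershell
# Added example (not from the course). Run in an elevated Windows PowerShell session on LON-CL1
# after Task 1 (policy applied and the computer restarted).
$MountPoint = 'E:'
$KeyFolder  = 'C:\Bitlocker'

# Task 1 check. The policy governs operating system drives only; the data drive E: can be encrypted
# without it, so this only confirms that gpupdate produced what the lab expects.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if ($fve -and $fve.UseAdvancedStartup -eq 1 -and $fve.EnableBDEWithNoTPM -eq 1) {
    'Policy applied: BitLocker is allowed without a compatible TPM.'
} else {
    Write-Warning 'Policy not applied yet; run gpupdate /force and check again.'
}

# Task 2, "Use a password": turn on BitLocker with a password protector. Used-space-only encryption
# keeps the lab short; omit the switch on a drive that previously held data you want covered.
$password = Read-Host -Prompt "Password for $MountPoint" -AsSecureString
Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $password -UsedSpaceOnly | Out-Null

# Task 2, "Save the recovery key": add a recovery password protector and write it to a file in the
# same layout the wizard uses (identifier = password ID, then the 48-digit recovery password).
$vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$id  = $rp.KeyProtectorId.Trim('{}')
New-Item -ItemType Directory -Path $KeyFolder -Force | Out-Null
@(
    'BitLocker Drive Encryption recovery key'
    "Identifier: $id"
    "Recovery Key: $($rp.RecoveryPassword)"
) | Set-Content -Path (Join-Path $KeyFolder "BitLocker Recovery Key $id.txt")

# Wait for encryption to finish before restarting, as step 2 of Task 2 requires.
do {
    $status = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Progress -Activity "Encrypting $MountPoint" -PercentComplete $status.EncryptionPercentage
    Start-Sleep -Seconds 5
} while ($status.VolumeStatus -eq 'EncryptionInProgress')

# Expected after the loop: VolumeStatus FullyEncrypted, ProtectionStatus On, two protectors.
$status | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
    @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }

# Task 3: after the restart E: is locked; unlock it with the same password, then verify access.
# Unlock-BitLocker -MountPoint $MountPoint -Password $password
```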

Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20697-1B-LON-CL1.

Module Review and Takeaways


Review Question
Question: What are some limitations of EFS?

Module 9
Managing Device Security
Contents:
Module Overview 9-1

Lesson 1: Using Security Settings to Mitigate Threats 9-2

Lesson 2: Configuring UAC 9-7


Lesson 3: Configuring Application Restrictions 9-16

Lab: Managing Device Security 9-24


Module Review and Takeaways 9-29

Module Overview
This module has three lessons. The first lesson describes three different tools that you can use to mitigate
security threats: security settings in Group Policy Objects (GPOs), the Security Compliance Manager, and
the Enhanced Mitigation Experience Toolkit. In the second lesson, you will learn how to configure User
Account Control (UAC). In the third lesson, you learn about AppLocker policies.

Objectives
After completing this module, students will be able to:
Use security settings to mitigate threats.

Configure UAC.

Configure application restrictions.



Lesson 1
Using Security Settings to Mitigate Threats
You can use appropriately configured Group Policy settings and tools, such as the Security Compliance
Manager and the Enhanced Mitigation Experience Toolkit, to mitigate many threats against computers
that are running Windows 10 in your organization. A defense-in-depth approach is appropriate when
attempting to mitigate even a single threat. Administrators should assume that no single tool will be able
to mitigate most threats, and should instead use a suite of tools with overlapping functionality to help
mitigate threats.

Lesson Objectives
After completing this lesson, you will be able to:

Describe security settings available in GPOs.


Configure security settings by using GPOs.

Describe the features and use of the Security Compliance Manager.


Explain the functionality of the Enhanced Mitigation Experience Toolkit.

Describe Credential Guard and Device Guard.

Security Settings Available in GPO


You can use Group Policy to access and configure
security options. You can configure settings for
Security Options by accessing the Computer
Configuration\Policies\Windows Settings\Security
Settings\Local Policies\Security Options location
from the Group Policy Management Console
(GPMC). Common computer security settings that
you can configure in Security Options include the
following:

Administrator and Guest account names

Password and account lockout policies

Access to CD/DVD drives

Digital data signatures

Driver installation behavior

Logon prompts

UAC

AppLocker policies

The following are examples of commonly used Security Options:

Account lockout policies. Locks out a user account after a user enters a specific number of incorrect
passwords in succession.
Prompt user to change password before expiration. Determines how many days in advance of a user-
password expiration the operating system will provide a warning.

Interactive logon: Do not display last user name. Determines whether the name of the last user to sign
in to a computer displays in the Windows logon window.

Accounts: Rename administrator account. Determines whether a different account name is associated
with the security identifier (SID) for the administrator account.
Devices: Restrict CD-ROM access to locally logged-on user only. Determines whether a CD-ROM is
accessible simultaneously to both local and remote users.

Demonstration: Using GPOs to Configure Security Settings


In this demonstration, you will see how to configure password and account-lockout policies.

Demonstration Steps
1. Sign in to LON-DC1 as Adatum\Administrator, and then open the Group Policy Management
Console.
2. Edit the Default Domain policy, and then navigate to the Computer Configuration\Policies
\Windows Settings\Security Settings\Account Policies\Password Policy node.

3. Configure the Minimum Password Length policy to require at least 12 characters.

4. Select the Account Lockout Policy node.


5. Configure the Account Lockout Duration Policy, and then set the value to 20 minutes.

6. Configure the Account Lockout Threshold policy to lock out accounts after 2 invalid logon
attempts.

7. Close the Group Policy Management Editor and the Group Policy Management Console.

8. Use the Active Directory Users and Computers Console to edit the properties of the Don Funk user
account, located in the IT OU, so that the user is required to change his password during his next
sign-in attempt.

9. On LON-DC1, open a Windows PowerShell prompt, and trigger a Group Policy update by typing
the following command, and then pressing Enter:

Gpupdate /force

10. Sign in to LON-CL1 as Adatum\Don. When prompted, attempt to change the password to
Pa$$w0rd12.

11. Review the informational message that appears, and then change the password to Pa$$w0rd1234.
12. When signed in, open a command prompt, and force a Group Policy update by typing the following
command at the command prompt, and then pressing Enter:

Gpupdate /force

13. Sign out from LON-CL1.


14. Attempt to sign in to LON-CL1 as Adatum\Don by using the incorrect password, Banana, three
times.

15. Verify that the account is locked.
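The demonstration's password and lockout settings, the forced password change for Don Funk, and the final lockout check, done with the ActiveDirectory cmdlets. This is an added example, not part of the course material; it assumes the ActiveDirectory module on LON-DC1 and uses the demonstration's own values (12 characters, 20 minutes, 2 attempts) and the user name Don.

```powershell
# Added example (not from the course). Run on LON-DC1 as Adatum\Administrator.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# Steps 3, 5 and 6 as the equivalent domain attributes. The Default Domain Policy GPO remains the
# authority for these values, so set them in the GPO as well (as the demonstration does) or the next
# policy refresh on the PDC emulator writes the GPO values back.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 12 `
    -LockoutThreshold 2 `
    -LockoutDuration (New-TimeSpan -Minutes 20) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 20)   # may not exceed LockoutDuration

function Test-AccountPolicy {
    # Returns $true when the effective domain policy matches what the demonstration configures;
    # otherwise prints the current values so the gap is visible.
    $p  = Get-ADDefaultDomainPasswordPolicy -Identity $domain
    $ok = $p.MinPasswordLength -eq 12 -and
          $p.LockoutThreshold -eq 2 -and
          $p.LockoutDuration -eq (New-TimeSpan -Minutes 20)
    if (-not $ok) {
        $p | Format-List MinPasswordLength, ComplexityEnabled, LockoutThreshold, LockoutDuration | Out-Host
    }
    return $ok
}
Test-AccountPolicy

# Step 8: require Don Funk to change his password at next sign-in.
Set-ADUser -Identity 'Don' -ChangePasswordAtLogon $true

# Step 15: after the three failed sign-ins in step 14, list locked-out accounts and when each lock
# expires on its own. Unlock-ADAccount clears it earlier once the help desk has verified the user.
Search-ADAccount -LockedOut |
    Select-Object SamAccountName, AccountLockoutTime,
        @{ n = 'UnlocksAt'; e = { $_.AccountLockoutTime.AddMinutes(20) } }
# Unlock-ADAccount -Identity 'Don'
```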



Security Compliance Manager


The Solution Accelerators team, a group within
Microsoft, works on providing free tools to help
organizations leverage all of the capabilities of
the enterprise software that they use. As Microsoft
updates each version of an underlying
technology, such as the Windows operating
system or Internet Explorer, the Solution
Accelerators team also updates the Solution
Accelerators tool.

The Security Compliance Manager tool, which Microsoft released in 2010, allows an enterprise administrator to configure and manage computers quickly by using Group Policy and Microsoft System Center 2012 R2 Configuration Manager. Security Compliance Manager has evolved over several years, and it continues to benefit from industry experts' feedback and extensive field use. This free tool comes with ready-to-deploy policies and desired configuration-management configuration packs, which you can use with Configuration Manager. Administrators can modify any of the supplied policies to generate a custom policy that is available for export. You then can incorporate the custom policy into your preferred deployment tool, such as Configuration Manager or the Microsoft Deployment Toolkit (MDT).

Administrators can use Security Compliance Manager to plan, deploy, operate, and manage security baselines quickly, which are essential for securing Windows client operating systems, Microsoft Office, and other Microsoft applications. Throughout the tool's lifespan, by default, Security Compliance Manager automatically checks for new updates to the available baselines each time you start the tool. Some of the key features of the Security Compliance Manager include:

Baselines that have Microsoft security guide recommendations and industry best practices as their
basis. You can compare your configuration against industry best practices for the latest Windows
client and Microsoft applications.

Centralized features for security baseline management so that you can manage your organization's
security and compliance process efficiently.
Gold master support that allows you to import your existing Group Policy settings for reuse and
deployment.

Standalone machine configuration that allows you to deploy your configurations to computers that
are not domain-joined.

Updated security guides that provide security expertise and best practices.

The Enhanced Mitigation Experience Toolkit


The Enhanced Mitigation Experience Toolkit is a tool that you can download from the Microsoft website. This tool allows you to prevent malicious users from exploiting software vulnerabilities, by using security-mitigation technologies that function as special protections and obstacles to exploit authors.

The Enhanced Mitigation Experience Toolkit also includes the SSL/TLS certificate-pinning feature, Certificate Trust. This feature blocks man-in-the-middle attacks that leverage public key infrastructure (PKI).

After you install the Enhanced Mitigation Experience Toolkit, you configure protection on a
per-application basis. When configuring protection for an application, you enable specific mitigations
that protect the application from exploits that use specific techniques. A drawback of the Enhanced
Mitigation Experience Toolkit is that it can cause compatibility issues with some applications. This is
because the tool might enable mitigations that stop the application from functioning correctly. You
can restore application functionality by disabling specific mitigations. Prior to implementing a set of
mitigations to protect applications, you should perform extensive testing to ensure that Enhanced
Mitigation Experience Toolkit mitigations do not adversely affect application functionality.

The Enhanced Mitigation Experience Toolkit includes the following mitigations:

Attack Surface Reduction (ASR) Mitigation

Export Address Table Filtering (EAF+) Security Mitigation


Data Execution Prevention (DEP) Security Mitigation

Structured Exception Handler Overwrite Protection (SEHOP) Security Mitigation


NullPage Security Mitigation

Heapspray Allocation Security Mitigation

Export Address Table Filtering (EAF) Security Mitigation


Mandatory Address Space Layout Randomization (ASLR) Security Mitigation

Bottom Up ASLR Security Mitigation

Load Library Check Return Oriented Programming (ROP) Security Mitigation

Memory Protection Check Return Oriented Programming (ROP) Security Mitigation

Caller Checks Return Oriented Programming (ROP) Security Mitigation

Simulate Execution Flow Return Oriented Programming (ROP) Security Mitigation

Stack Pivot Return Oriented Programming (ROP) Security Mitigation



Device Guard and Credential Guard


Windows 10 includes two new features: Device
Guard and Credential Guard.

Device Guard
Device Guard locks down a device so that it
only runs applications that are signed digitally.
Device Guard uses virtualization-based security
to isolate the service that verifies the digital
signatures of apps. Device Guard differs from
other protection technologies in that it only
allows verified applications. Other protection
technologies block applications that meet specific
signatures or exhibit specific behaviors. The
Device Guard feature works with universal apps and classic Windows applications. Device Guard requires
hardware that supports Unified Extensible Firmware Interface (UEFI) version 2.3.1 or newer, virtualization
extensions enabled, and Second Level Address Translation (SLAT).

Credential Guard
Credential Guard is a virtualization-based technology that stores credentials, such as NTLM hashes and
Kerberos tickets, in a protected virtualized container. Credential Guard provides a defense against pass
the hash and other credential theft attacks. Credential Guard requires hardware that supports UEFI 2.3.1
or newer, virtualization extensions enabled, and SLAT.

Check Your Knowledge


Question

Which of the following options best describes the gold master support feature of
Security Compliance Manager?

Select the correct answer.

You can use it to compare your configuration against industry best practices.

You can use it to deploy your configurations to computers that are not domain-
joined.

You can use it to manage the security and compliance process efficiently.

You can use it to import your existing GPO settings for reuse and deployment.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

After implementing a set of Enhanced Mitigation Experience Toolkit mitigations to protect applications, you should perform extensive testing to ensure that those mitigations do not affect application functionality adversely.

Lesson 2
Configuring UAC
Many users sign in to their computers with a user account that has more rights than are necessary to run
their applications and access their data files. Using an administrative user account for day-to-day user
tasks poses significant security risks. In older versions of the Windows operating system, administrators
were encouraged to use an ordinary user account for most tasks, and to use the Run As feature to perform
tasks that required additional rights.

Windows 10 provides UAC to simplify and help secure the process of elevating your account rights.
However, unless you know how UAC works, and how it can affect your users, you might have problems
when you attempt to carry out typical end-user support tasks. This lesson introduces how UAC works
and how you can use UAC-related desktop features.

Lesson Objectives
After completing this lesson, you will be able to:
Describe UAC.

Explain how UAC works.

Explain how to configure UAC notification settings.


Configure UAC with GPOs.

What Is UAC?
UAC is a security feature that provides a way for
users to elevate their status from a standard user
account to an administrator account, without
having to sign out or switch user profiles. UAC is
a collection of features rather than just a prompt.
These features, which include File and Registry
Redirection, Installer Detection, the UAC prompt,
the ActiveX Installer Service, and more, allow
Windows users to operate with user accounts that
are not members of the Administrators group.
These accounts, typically referred to as standard
users, are broadly described as operating with
least privilege. The most important fact is that when users sign in with standard user accounts, the
experience typically is much more secure and reliable.

In Windows 10, the number of operating system applications and tasks that require elevation is fewer
when compared to older operating systems. This allows standard users to do more while experiencing
fewer elevation prompts, and this improves interaction with UAC while upholding high security standards.

When you need to make changes to your computer that require administrator-level permissions, UAC
notifies you as follows:
If you are an administrator, click Yes to continue.

If you are not an administrator, someone with an administrator account on the computer will have to
enter his or her password for you to continue.

If you are a standard user, providing administrative credentials gives you administrator rights to complete
the task. When you complete the task, permissions will revert to those that a standard user has. This
ensures that even if you are using an administrator account, no one can make changes to your computer
without your knowledge. This helps prevent malicious users from installing malware and spyware on, or
making changes to, your computer.

How UAC Works


There are two general types of user groups in
Windows 10: standard users and administrative
users. UAC simplifies users' ability to operate as
standard users and perform all necessary daily
tasks. Administrative users also benefit from UAC,
because administrative permissions are available
only after UAC requests permission from the user
for that instance.

Standard users
In previous versions of the Windows operating
system, many users were configured to use
administrative permissions rather than standard
user permissions. This was because previous Windows versions required that users have administrator
permissions to perform basic system tasks, such as adding a printer or configuring a time zone. In
Windows 10, many of these tasks no longer require administrative permissions.

When users have administrative permissions on their computers, they can install additional software.
Despite organizational policies against installing unauthorized software, many users still do it, which can
make their systems less stable and drive up support costs.
When you enable UAC, and a user needs to perform a task that requires administrative permissions, UAC
prompts the user for administrative credentials. In an enterprise environment, the help desk can give a
user temporary credentials that have local administrative permissions to complete a task.

The default UAC setting allows a standard user to perform the following tasks without receiving a UAC
prompt:
Install updates from Windows Update.

Install drivers from Windows Update or those that are included with the operating system.

View Windows settings. However, a standard user is prompted for elevated permissions when
changing Windows settings.

Pair Bluetooth devices with the computer.

Reset the network adapter and perform other network-diagnostic and repair tasks.

Administrative users
Administrative users automatically have:

Read/write/enact permissions for all resources.

All Windows permissions.


While it might seem obvious that not every user should be able to read, alter, and delete any Windows
resource, many enterprise IT departments that ran older versions of Windows operating systems had no
other option but to assign all of their users to the local Administrators group.

One of the benefits of UAC is that it allows users with administrative permissions to operate as standard
users most of the time. When users with administrative permissions perform a task that requires
administrative permissions, UAC prompts the user for permission to complete the task. When the
user grants permission, the task is performed by using full administrative rights, and then the account
reverts to a lower level of permission.

UAC Elevation Prompts

Many applications require users to be administrators, by default, because they check Administrators
group membership before running an application.

The following list details some of the tasks that a standard user can perform:

Establish a local area network (LAN) connection.

Establish and configure a wireless connection.

Modify display settings.

Defragment the hard drive. Users cannot do this directly, but a service does it on their behalf.

Play CD/DVD media (configurable with Group Policy).

Burn CD/DVD media (configurable with Group Policy).

Change the desktop background for the current user.

Open Date and Time in Control Panel, and change the time zone.

Use Remote Desktop to connect to another computer.

Change a user's own account password.

Configure battery power options.

Configure accessibility options.

Restore a user's backup files.

Set up computer synchronization with a mobile device, including a smartphone, laptop, or personal
digital assistant (PDA).

Connect and configure a Bluetooth device.

The following list details some of the tasks that require elevation to an administrator account:

Install and uninstall applications.

Install a driver for a device, such as a digital camera driver.

Install Windows updates.

Configure Parental Controls.

Install an ActiveX control.

Open Windows Firewall in Control Panel.

Change a user's account type.

Modify UAC settings in the Security Policy Editor snap-in (Secpol.msc) to the Microsoft Management
Console (MMC).

Configure Remote Desktop access.

Add or remove a user account.

Copy or move files into the Program Files or Windows directory.

Schedule Automated Tasks.

Restore system backup files.

Configure Automatic Updates.

Browse to another user's directory.

When you enable UAC, members of the local Administrators group run with the same access token as
standard users. A process can use an administrator's full access token only when a member of the local
Administrators group gives approval.

This process is the basis of the Admin Approval Mode principle. Users elevate only to perform tasks that
require an administrator access token. When a standard user attempts to perform an administrative task,
UAC prompts the user to enter valid credentials for an administrator account. This is the default
prompt behavior for standard users.

The elevation prompt displays contextual information about the executable that is requesting elevation.
The context is different, depending on whether the application is signed by Authenticode technology. The
elevation prompt has two variations that the following table describes: the consent prompt and the
credential prompt.

Consent prompt: Displayed to administrators in Admin Approval Mode when they attempt to perform an
administrative task. It requests approval from the user to continue.

Credential prompt: Displayed to standard users when they attempt to perform an administrative task.

Elevation entry points do not remember that elevation has occurred, such as when you return from a
shielded location or task. As a result, the user must re-elevate to enter the task again.

The Windows 10 operating system reduces the number of UAC elevation prompts for a standard user who
performs everyday tasks. However, there are times when it is appropriate for an elevation prompt to be
returned. For example, viewing firewall settings does not require elevation. However, changing the
settings does require elevation because the changes have a system-wide impact.

Types of elevation prompts


When a permission or password is necessary to complete a task, UAC will notify you with one of three
different types of dialog boxes. The following table describes the different types of dialog boxes that users
will see, and provides guidance on how to respond to them.

A setting or feature that is part of Windows needs your permission to start: This item has a valid
digital signature that verifies that Microsoft is the publisher of this item. If this type of dialog box
displays, it usually is safe to continue. If you are unsure, check the name of the program or function
to decide if it is something that you want to run.

A program that is not part of Windows needs your permission to start: This program has a valid digital
signature, which helps to ensure that the program actually is what it claims to be, and it verifies the
identity of the program's publisher. If this type of dialog box displays, make sure the program is the
one that you want to run and that you trust the publisher.

A program with an unknown publisher needs your permission to start: This program does not have a valid
digital signature from its publisher. This does not necessarily indicate danger, because many older,
legitimate apps lack signatures. However, use extra caution, and only allow a program to run if you
obtained it from a trusted source, such as the product CD or a publisher's website. If you are unsure,
search the Internet for the program's name to determine if it is a known program or malware.

Most of the time, you should sign in to your computer with a standard user account. You can browse the
Internet, send email, and use a word processor, all without an administrator account. When you want to
perform an administrative task, such as installing a new program or changing a setting that will affect
other users, you do not have to switch to an administrator account. The Windows operating system will
prompt you for permission or an administrator password before performing the task. We also recommend
that you create standard user accounts for all of the people that use your computer.

Configuring UAC Notification Settings


In Windows 10, you can configure UAC to notify
you when changes are made to your computer. To
do this, go to the Control Panel, click System and
Security, and then under Action Center, click
Change User Account Control settings. Use the
slider to determine how Windows will prompt
you. The default is Notify me only when apps
try to make changes to my computer.

The following table identifies the four settings that enable customization of the elevation-prompt
experience.

Never notify me: UAC is off.

Notify me only when apps try to make changes to my computer (do not dim my desktop): When a program
makes a change, a prompt appears, and the desktop dims to provide a visual cue that an installation is
being attempted. Otherwise, the user is not prompted.

Notify me only when apps try to make changes to my computer (default): When a program makes a change, a
prompt appears, but the desktop does not dim. Otherwise, the user is not prompted.

Always notify me: The user always is prompted when changes are made to the computer.

You can configure varying user experiences by using different Group Policy settings. The configuration
choices that you make for your environment affect the prompts and dialog boxes that standard users,
administrators, or both can view.
For example, you might require administrative permissions to change the UAC setting to Always notify
me or Always notify me and wait for my response. When you apply this configuration, a yellow
notification appears at the bottom of the User Account Control Settings page, indicating the
requirement.

Demonstration: Configuring UAC


In this demonstration, you will see how to:

View the current UAC settings.

Configure the UAC settings.

Test the UAC settings.

Reconfigure the UAC settings.

Test the UAC settings.



Demonstration Steps

View the current UAC settings

1. Sign in to LON-CL1 as administrator.

2. Open the Local Group Policy Editor.

3. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies
\Security Options.

Configure the UAC settings

Create a UAC Group Policy setting that prevents access elevation. Modify the User Account Control:
Behavior of the elevation prompt for standard users setting to Automatically deny elevation
requests.

Test the UAC settings

1. Sign in as Holly, a standard user.

2. Attempt to open the Local Group Policy Editor snap-in, which is an administrative task.

Reconfigure the UAC settings

1. Sign in as administrator.

2. Open the Local Group Policy Editor.

3. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies
\Security Options.

4. Modify the User Account Control: Behavior of the elevation prompt for standard users setting
to Prompt for credentials.

Test the UAC settings

1. Sign in as Holly, a standard user.

2. Attempt to open an administrative command prompt, which is an administrative task.

3. Enter administrative credentials as prompted.

4. Revert 20697-1B-LON-DC1 and 20697-1B-LON-CL1.
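As an added example (PowerShell, not part of the course material), the script below reads the registry values behind the security option that the demonstration changes ("Behavior of the elevation prompt for standard users") and its counterpart for administrators, and reports whether the current process holds a full administrator token, a filtered Admin Approval Mode token, or a standard user token. The registry path, value names and value meanings are the documented UAC policy settings; the function names are my own.

```powershell
# Added example; not course code. Inspects the UAC policy values that the
# "User Account Control: ..." security options store, and classifies the token
# of the current process. Run it non-elevated and elevated to see the difference.
$UacPolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Behavior of the elevation prompt for standard users" (ConsentPromptBehaviorUser)
$StandardUserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}
# "Behavior of the elevation prompt for administrators in Admin Approval Mode"
# (ConsentPromptBehaviorAdmin)
$AdminPrompt = @{
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries'
}

function Get-UacPolicy {
    # Returns the UAC prompt configuration of this computer as one object.
    $p = Get-ItemProperty -Path $UacPolicyKey
    $userValue  = $p.ConsentPromptBehaviorUser
    $adminValue = $p.ConsentPromptBehaviorAdmin

    # A missing value means the policy is "Not Defined"; the OS default then applies.
    $userText = 'Not defined (OS default: Prompt for credentials)'
    if ($null -ne $userValue)  { $userText = $StandardUserPrompt[[int]$userValue] }
    $adminText = 'Not defined (OS default: Prompt for consent for non-Windows binaries)'
    if ($null -ne $adminValue) { $adminText = $AdminPrompt[[int]$adminValue] }

    [pscustomobject]@{
        UacEnabled            = [bool]$p.EnableLUA
        PromptOnSecureDesktop = [bool]$p.PromptOnSecureDesktop
        StandardUserPrompt    = $userText
        AdminPrompt           = $adminText
    }
}

function Get-TokenElevationState {
    # Distinguishes the three token states that UAC produces for a signed-in user.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # BUILTIN\Administrators. In a filtered (Admin Approval Mode) token this SID is
    # still listed in Groups but marked deny-only, so IsInRole() returns $false.
    $adminsSid  = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $isMember   = [bool]($identity.Groups | Where-Object { $_ -eq $adminsSid })
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($isElevated)   { 'Full administrator token (elevated)' }
    elseif ($isMember) { 'Filtered token: member of Administrators running as a standard user (Admin Approval Mode)' }
    else               { 'Standard user token' }
}

Get-UacPolicy
Get-TokenElevationState
```

Running Get-UacPolicy after each step of the demonstration shows StandardUserPrompt switch between "Automatically deny elevation requests" and "Prompt for credentials" once gpupdate has refreshed the policy.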

Categorize Activity
Categorize each item below.

Items

1 Change the desktop background for the current user

2 Install a driver for a device, such as a digital camera driver

3 Install updates from Windows Update

4 Configure accessibility options

5 Configure Automatic Updates

6 Install drivers from Windows Update or those that are included with the operating system

7 Use Remote Desktop to connect to another computer



8 Configure Remote Desktop access

9 View Windows settings

10 Establish and configure a wireless connection

11 Open Windows Firewall in Control Panel

12 Pair Bluetooth devices with the computer

13 Configure battery power options

14 Schedule Automated Tasks

15 Reset the network adapter

16 Restore a users backup files

17 Restore system backup files

18 Perform network repair tasks

Category 1: Tasks a Standard User Can Perform

Category 2: Tasks That Require Elevation to an Administrator Account

Category 3: Tasks that the default UAC setting allows a standard user to perform without receiving a
UAC prompt

Check Your Knowledge


Question

Which of the following is the default setting for the UAC elevation prompt?

Select the correct answer.

Never notify me

Notify me only when apps try to make changes to my computer (do not dim my desktop)

Notify me only when apps try to make changes to my computer (default)

Always notify me

Lesson 3
Configuring Application Restrictions
The reliability and security of enterprise devices significantly increases with the ability to control which
applications a user, or set of users, can run. Overall, an application lockdown policy can lower the total
cost of computer ownership in an enterprise. AppLocker controls application execution and simplifies the
process of authoring an enterprise application lockdown policy. It also reduces administrative overhead,
and helps administrators control how users access and use files, such as .exe and .appx files, scripts,
Windows Installer files (.msi, .mst, and .msp files), and .dll files.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to use AppLocker to control application usage.


Explain how AppLocker rules work to enforce your chosen application-usage policy.

Configure AppLocker rules.


Enforce AppLocker rules.

What Is AppLocker?
Today's organizations face a number of challenges in controlling which applications run on client
computers, including:

The packaged and custom applications that users can access.

Which users are allowed to install new software.

Which versions of applications are allowed to run, and for which users.

Users who run unauthorized software can experience a higher incidence of malware infections and
generate more help desk calls. However, it can be difficult for you to ensure that user computers run
only approved, licensed software.

Windows Vista addressed this issue by supporting software restriction policies, which administrators used
to define the list of applications that users were allowed to run. AppLocker builds on this security layer,
providing you with the ability to control how users run all types of applications, such as executable files,
Windows Store .appx apps, scripts, Windows Installer files (.msi, .mst, and .msp), and .dll files.

Benefits of AppLocker
You can use AppLocker to specify exactly what you will allow users to run on their PCs and devices. This
allows users to run the applications, installation programs, and scripts that they require to be productive,
while still providing the security, operational, and compliance benefits of application standardization.

AppLocker can be useful for organizations that want to:

Limit the number and types of files that they allow users to run, by preventing unlicensed software
or malware from running, and by restricting the ActiveX controls that are installed.
Reduce the total cost of ownership by ensuring that workstations are homogeneous across an
enterprise and that users only run software and applications that an enterprise approves.

Reduce the possibility of information leaks from unauthorized software.

AppLocker Rules
You can prevent many problems in your work
environment by controlling which applications
users can run. AppLocker lets you do this by
creating rules that specify exactly what
applications users can run, and you also can
configure AppLocker to continue to function
even when applications are updated.
AppLocker is an additional Group Policy
mechanism, so IT professionals and system
administrators need to be comfortable with
Group Policy creation and deployment. This
makes AppLocker ideal for organizations that
currently use Group Policy to manage their Windows 10 computers or have per-user application
installations.
A new AppLocker MMC snap-in in the Group Policy Management Console (GPMC) offers an improvement
to the process of creating AppLocker rules. AppLocker provides several rule-specific wizards. You can use
one wizard to create a single rule and another wizard to generate rules automatically, based on your rule
preferences and the folder that you select. The four wizards that AppLocker offers administrators to
author rules are:

Executable Rules
Windows Installer Rules

Script Rules
Packaged app Rules.

At the end of the wizards, you can review a list of analyzed files. You then can modify the list to remove
any file before rules are created for the remaining files. You also can receive useful statistics about how
often a file has been blocked, or test the AppLocker policy for a specific computer.

Accessing AppLocker
To access AppLocker, perform the following steps:

1. Run Gpedit.msc from the Run dialog box.


2. Browse to Computer Configuration, click Windows Settings, click Security Settings, and then click
Application Control Policies.

3. Expand the Application Control Policies node, and then click AppLocker.

In AppLocker, you can configure Executable, Windows Installer, and Script rules. For example, you can
right-click the Executable Rules node, and then click Create New Rule. You then can create a rule that
allows or denies access to an executable file based on criteria such as the file path or publisher. AppLocker
also will let you apply both default and automatically generated rules.

Creating default AppLocker rules


Many organizations implement standard user policies, which allow users to sign in to their computers
only as standard users. An increasing number of independent software vendors are creating per-user
applications that you can install without administrative rights. Instead, these applications install and run
in the user profile folder. As a result, standard users can install many applications and circumvent an
application lockdown policy.

With AppLocker, you can prevent users from installing and running per-user applications by creating a set
of default AppLocker rules. Default rules also ensure that the key operating-system files are allowed to run
for all users.

Note: Before you manually create new rules or automatically generate rules for a specific
folder, you must create default AppLocker rules.

Specifically, default rules allow the following:

All users can run files in the default Program Files directory.

All users can run all files that are signed by the Windows operating system.

Members of the built-in Administrators group can run all files.


Perform the following procedure to create default AppLocker rules:
1. To open the Local Security Policy MMC snap-in, run secpol.msc.

2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create Default Rules.
By creating these rules, you also have automatically prevented all non-administrator users from being
able to run programs that are installed in their user profile directory. You can recreate the rules at any
time.

Note: Without default rules, critical system files might not run. Once you have created one
or more rules in a rule collection, only applications that those rules affect can run. If you have not
created default rules, and you are prevented from performing administrative tasks, restart the
computer in safe mode, add the default rules, delete any Deny rules that are preventing access,
and then refresh the computer policy.

Automatically generating AppLocker rules


Once you create default rules, you can create custom application rules. To facilitate creating sets or
collections of rules, AppLocker includes a new Automatically Generate Rules Wizard that is accessible from
the Local Security Policy console. This wizard simplifies the task of creating rules from a user-specified
folder. By running this wizard on reference computers and specifying a folder that contains the executable
files for applications for which you want to create rules, you can quickly create AppLocker policies
automatically.

When you create a rule manually, you can choose whether it is an Allow or Deny rule. Allow rules enable
applications to run, whereas Deny rules prevent applications from running. The Automatically Generate
Rules Wizard only creates Allow rules.

You can create exceptions for executable files. For example, you can create a rule that allows all Windows
processes to run except Regedit.exe, and then use audit-only mode to identify files that will not be
allowed to run if the policy is in effect. You can create rules automatically by running the wizard and
specifying a folder that contains the executable files for applications for which to create rules.

Note: Do not select a folder that contains one or more user profiles. It might not be secure
to create rules to allow executable files in user profiles.

Before you create the rules at the end of the wizards, review the analyzed files and view information
about the rules that you are creating. After you create the rules, edit them to make them more or
less specific. For example, if you selected the Program Files directory as the source for automatically
generating the rules, and you created the default rules, there is an extra rule in the Executable Rules
collection.

Automatically generating rules


To generate rules automatically from a reference folder:
1. Ensure that the Local Security Policy MMC is open.

2. In the console tree under Application Control Policies\AppLocker, right-click Executable Rules,
and then click Automatically Generate Rules.
3. On the Folder and Permissions page, click Browse.
4. In the Browse For Folder dialog box, select the folder that contains the executable files that you
want to create the rules for, and then click OK.

5. Type a name to identify the rules, and then click Next. To help sort the rules in the MMC list view, the
name that you provide is used as a prefix for the name of each rule that you create.

6. On the Rule Preferences page, click Next without changing any of the default values. The Rule
generation progress dialog box is displayed while the files are processed.
7. On the Review Rules page, click Create. The wizard closes, and the rules are added to the Executable
Rules details pane.

After automatically generating rules based on your preferences, you can edit the rules to make them
more detailed.

Creating rules allowing only signed applications to run


With the advent of new experimental identification technologies in web browsers and operating systems,
more independent software vendors are using digital signatures to sign their applications. These
signatures simplify an organization's ability to identify applications as genuine and to create a better
and more trustworthy user experience.

Creating rules based on the digital signature of an application helps make it possible to build rules that
survive application updates. For example, an organization can create a rule to allow all versions greater
than 9.0 of a program to run if it is signed by the software publisher. This allows IT professionals to deploy
an application update safely without having to build another rule.

Note: Before performing the following procedure, ensure that you have created
default rules.

Perform the following procedure to allow only signed applications to run:

1. To open the Local Security Policy MMC snap-in, in the Run dialog box, type secpol.msc, and then
press Enter.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.

3. Right-click Executable Rules, and then click Create New Rule.

4. On the Before You Begin page, click Next.


5. On the Permissions page, click Next to accept the default settings.

6. On the Conditions page, click Next.

7. On the Publisher page, note that the default setting is to allow any signed file to run, and then
click Next.

8. On the Exceptions page, click Next.

9. On the Name and Description page, accept the default name or enter a custom name and
description, and then click Create.

By using this rule, and ensuring that all applications are signed within your organization, you can be sure
that users only run applications from known publishers.

Note: This rule prevents unsigned applications from running. Before implementing this
rule, ensure that all of the files that you want to run in your organization are signed digitally. If
any applications are not signed, consider implementing an internal signing process to sign
unsigned applications with an internal signing key.

Deleting unnecessary rules


If you created default rules and then selected the Program Files folder as the source to generate rules
automatically, there are one or more extraneous rules in the Executable Rules collection. When you create
the default rules, a path rule is added to allow any executable file in the entire Program Files folder to run.
This rule is added to ensure that users are not by default prevented from running applications. Because
this rule conflicts with rules that were generated automatically, delete this rule to ensure that the policy is
more specific. The name of the default rule is (Default Rule) Microsoft Windows Program Files Rule.

Perform the following procedure to delete a rule:

1. Ensure that the Local Security Policy MMC is open.

2. In the console tree under Application Control Policies\AppLocker, click Executable Rules.

3. In the details pane, right-click (Default Rule) Microsoft Windows Program Files Rule, and then
click Delete.

4. In the AppLocker dialog box, click Yes.

To determine if any applications are excluded from the rule set, enable the Audit only enforcement
mode.

Starting the Application Identity service


Before you can enforce AppLocker policies, you must start the Application Identity service. You need to be
a member of the local Administrators group, or equivalent, to start the service by using the following
procedure:

1. Click Start, type Services, and then click View local services.

2. In the Services console, double-click Application Identity.

3. In the Application Identity Properties dialog box, in the Startup type list, click Automatic, click
Start, and then click OK.

Note: If an AppLocker rule is not working, check to see that the Application Identity service
has started. This service is required to be running for AppLocker to work.

Demonstration: Configuring AppLocker Rules


In this demonstration, you will see how to:
Create a custom AppLocker rule.

Automatically generate the script rules.

Demonstration Steps
Create a custom AppLocker rule
1. Sign in as administrator.

2. Open the Local Group Policy Editor.


3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Application Control Policies, and then double-click AppLocker.

4. Create a new executable rule:


o Permissions: Deny

o Group: Marketing

o Program: C:\Windows\Regedit.exe

Automatically generate the script rules


1. Click the Script Rules node.

2. Select Automatically generate rules.



Demonstration: Enforcing AppLocker Rules


In this demonstration, you will see how to:

Enforce AppLocker rules.


Confirm executable rule enforcement.

Test executable rule enforcement.

After you create new AppLocker rules, you must configure enforcement for the rule collections and
refresh the computer's policy. Enforcement is configured in the Local Security Policy console in the
Configure Rule Enforcement area. The following table outlines the three enforcement options for each
rule type.

Enforce rules with Group Policy inheritance: Default setting. If linked GPOs contain a different
setting, that setting is used. If any rules are present in the corresponding rule collection, they
are enforced.

Enforce rules: Rules are enforced.

Audit only: Rules are audited, but not enforced.

To view information about applications that AppLocker rules affect, use Event Viewer. Each event in the
AppLocker operational log contains detailed information, such as the following:

Which file was affected and the path of that file

Whether the file was allowed or blocked

The rule type: Path, File Hash, or Publisher

The rule name

The security identifier for the user that is targeted in the rule

Review the entries in the log to determine if any applications were not included in the rules. The following
table identifies three events to use in determining which applications are affected.

Event ID: 8002
Level: Informational
Event text: Access to <file_name> is allowed by an administrator.
Description: Specifies that the file is allowed by an AppLocker rule.

Event ID: 8003
Level: Warning
Event text: Access to <file_name> is monitored by an administrator.
Description: Applied only when in the Audit only enforcement mode. Specifies that the file will be blocked
if the Enforce rules enforcement mode is enabled.

Event ID: 8004
Level: Error
Event text: Access to <file_name> is restricted by an administrator.
Description: Applied only when the Enforce rules enforcement mode is either directly or indirectly set
through Group Policy inheritance. The file cannot run.
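A way to turn the log review described above into a repeatable report, as an added PowerShell example that is not part of the course: it parses AppLocker events and groups them by file and decision, so that after an Audit only period you can see which applications would be blocked before you switch a collection to Enforce rules. It assumes that the event XML carries its fields under UserData/RuleAndFileData, as Windows 10 AppLocker events do; the two sample events are constructed.

```powershell
# Added example (not course material): summarize AppLocker "EXE and DLL" events 8002/8003/8004.
# Assumption: AppLocker event XML places its fields under UserData/RuleAndFileData
# (PolicyName, RuleName, TargetUser, FilePath), as it does on Windows 10.
function Get-AppLockerEventSummary {
    param(
        # Event XML documents: [xml]$event.ToXml() from Get-WinEvent, or constructed for testing.
        [Parameter(Mandatory)] [xml[]] $EventXml
    )

    # Meaning of the three event IDs listed in the table above.
    $decision = @{
        8002 = 'Allowed'
        8003 = 'Audited (would be blocked under Enforce rules)'
        8004 = 'Blocked'
    }

    foreach ($x in $EventXml) {
        $id   = [int]$x.Event.System.EventID
        $data = $x.Event.UserData.RuleAndFileData
        $dec  = if ($decision.ContainsKey($id)) { $decision[$id] } else { 'Other' }
        [pscustomobject]@{
            Time     = $x.Event.System.TimeCreated.SystemTime
            EventId  = $id
            Decision = $dec
            FilePath = $data.FilePath
            UserSid  = $data.TargetUser   # the SID the rule was evaluated for
            Rule     = $data.RuleName     # "-" when no rule matched (implicit deny)
            Policy   = $data.PolicyName   # rule collection, for example EXE
        }
    }
}

# Constructed sample events (not captured from a real system) so the function runs offline.
# Event 8003: an audit-only hit; the file would be blocked once enforcement is turned on.
$audited = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8003</EventID>
    <TimeCreated SystemTime="2015-06-01T10:15:00.000000000Z" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
  </System>
  <UserData>
    <RuleAndFileData>
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>-</RuleName>
      <TargetUser>S-1-5-21-1-2-3-1105</TargetUser>
      <FilePath>%PROGRAMFILES%\WINDOWS MEDIA PLAYER\WMPLAYER.EXE</FilePath>
    </RuleAndFileData>
  </UserData>
</Event>
'@

# Event 8004: the Regedit.exe deny rule from the demonstration, enforced.
$blocked = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker" />
    <EventID>8004</EventID>
    <TimeCreated SystemTime="2015-06-01T10:16:30.000000000Z" />
    <Channel>Microsoft-Windows-AppLocker/EXE and DLL</Channel>
  </System>
  <UserData>
    <RuleAndFileData>
      <PolicyName>EXE</PolicyName>
      <RuleId>{00000000-0000-0000-0000-000000000000}</RuleId>
      <RuleName>Deny Marketing Regedit</RuleName>
      <TargetUser>S-1-5-21-1-2-3-1106</TargetUser>
      <FilePath>%SYSTEM32%\REGEDIT.EXE</FilePath>
    </RuleAndFileData>
  </UserData>
</Event>
'@

# Which files are affected, and how often: the list to compare against the rules you intended.
Get-AppLockerEventSummary -EventXml $audited, $blocked |
    Group-Object FilePath, Decision |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Against the live log on the client (run elevated), for example after the lab's Audit only period:
# $live = Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 1000 |
#     Where-Object { $_.Id -in 8003, 8004 } | ForEach-Object { [xml]$_.ToXml() }
# Get-AppLockerEventSummary -EventXml $live | Group-Object FilePath, Decision | Sort-Object Count -Descending
```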

Demonstration
This demonstration will show the different enforcement options and how to configure the enforcement
for the rule that was created in the previous demonstration. The demonstration then will verify the
enforcement with gpupdate.

Demonstration Steps

Enforce AppLocker rules


1. Switch to the Local Group Policy Editor.

2. View the properties of the AppLocker node.

3. Configure Enforcement:

o Executable rules: Enforce rules

o Script rules: Audit only

Confirm the executable rule enforcement


1. Refresh the Group Policy settings by typing gpupdate /force.
2. Open Computer Management, and then select Event Viewer.

3. Review the System log for Event ID 1502, which indicates that the Group Policy settings were
refreshed.
4. Start the Application Identity service, which is required for AppLocker enforcement.

Test the executable rule enforcement


1. Sign out, and then sign in as Adatum\Adam.
2. Attempt to run Regedit.exe at the command prompt. You are unsuccessful, as the signed-in user is
not a member of the Marketing group.

3. Sign in as Adatum\Administrator.
4. Open Event Viewer, and in Application and Services Logs\Microsoft\Windows\ AppLocker,
select the EXE and DLL log.
5. Review the entries. Locate Event ID 8004. It indicates that an attempt was made to run Regedit.exe,
which was not allowed to run.

6. Close all open windows, and then sign out.

Question: What are some of the drawbacks of enforcing a more rigorous account lockout
policy?

Lab: Managing Device Security


Scenario
You are concerned about the security of your organization's user-account passwords. Therefore, you want
to implement a stricter set of password policies, which require longer passwords and account lockouts
if users incorrectly enter their password more than twice in succession.

You also are interested in configuring UAC so that when the UAC dialog box prompts a standard user, he
or she can enter the credentials of an administrator account to gain elevated privileges. You also want to
restrict the execution of certain applications.

Objectives
After completing this lab, you will have:

Configured account password and lockout policies.


Configured UAC policies.

Configured and tested AppLocker rules.

Lab Setup
Estimated Time: 50 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1

User names: Adatum\Administrator, Adatum\Dan, Adatum\Don


Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Repeat steps 2 and 3 for 20697-1B-LON-CL1.

Exercise 1: Creating Security Policies


Scenario
In this exercise, you will configure password policies and account lockout policies that are stricter than the
default policies.

The main tasks for this exercise are as follows:


1. Configure password and account options.

2. Refresh GPOs.

Task 1: Configure password and account options


1. Sign in to LON-DC1 as Adatum\Administrator, and then open the Group Policy Management
Console.

2. Edit the Default Domain policy, and then navigate to the Computer Configuration\Policies
\Windows Settings\Security Settings\Account Policies\Password Policy node.

3. Configure the Minimum password length policy to require at least 12 characters.



4. Select the Account Lockout Policy node.

5. Configure the Account lockout duration policy, and then set the value to 20 minutes.

6. Configure the Account lockout threshold policy to lock out accounts after 2 invalid logon attempts.

7. Close the Group Policy Management Editor and the Group Policy Management Console.

8. Use the Active Directory Users and Computers Console to edit the properties of the Don Funk user
account, located in the IT OU, so that the user is required to change his password during his next
sign-in attempt.

Task 2: Refresh GPOs


On LON-DC1, open a Windows PowerShell prompt, and then trigger a Group Policy update by typing
the following command and pressing Enter:

Gpupdate /force

Results: After completing this exercise, you will have configured password policies to require a
12-character password and an account lockout policy that will lock out a user account if a user enters
more than two incorrect passwords in succession.

Exercise 2: Testing Security Policies


Scenario
In this exercise, you will verify that the policies that you configured in previous exercises have been
applied correctly.

The main tasks for this exercise are as follows:

1. Change your password.


2. Attempt repeated sign-ins.

Task 1: Change your password


1. Sign in to LON-CL1 as Adatum\Don. When prompted, attempt to change the password to
Pa$$w0rd12.

2. Review the informational message, and then change the password to Pa$$w0rd1234.

3. After you sign in, open a command prompt, and then force a Group Policy update by typing the
following command, and then pressing Enter:

Gpupdate /force

4. Sign out from LON-CL1.



Task 2: Attempt repeated sign-ins


1. Attempt to sign in to LON-CL1 as Adatum\Don by using the incorrect password, Banana, three
times.

2. Verify that the account is locked out.

Results: After completing this exercise, you will have verified that the policies, with respect to password
length and account lockout, were applied correctly.

Exercise 3: Configuring UAC Prompts


Scenario
You decide to reconfigure the UAC notification behavior and prompts.
The main tasks for this exercise are as follows:

1. Modify UAC prompts.

2. Test the UAC prompts as a standard user.


3. Test the UAC prompts as an administrator.

Task 1: Modify UAC prompts


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open the Local Group Policy Editor, and then navigate to Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security Options.

3. Modify the User Account Control: Behavior of the elevation prompt for standard users setting
to Prompt for credentials on the secure desktop.

4. Enable the User Account Control: Only elevate executables that are signed and validated policy
setting.

5. Enable the User Account Control: Behavior of the elevation prompt for administrators in
Admin Approval Mode policy setting, and then select the Prompt for consent on the secure
desktop option.

Task 2: Test the UAC prompts as a standard user


1. Sign in to LON-CL1 as Adatum\Dan with the password Pa$$w0rd.

2. Open an administrative command prompt. UAC prompts you for credentials on the secure desktop.
Provide the necessary credentials, and after the administrative command prompt opens, close it, and
then sign out.

Task 3: Test the UAC prompts as an administrator


Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd, and then open Action
Center to verify that the notification settings for UAC are configured for Always notify.

Results: After completing this exercise, you will have reconfigured UAC notification behavior and
prompts.
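A check that the three UAC policy settings from Task 1 have actually applied, as an added PowerShell example that is not part of the lab: it reads the registry values those Group Policy settings write under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and compares them with the values the exercise expects. The two hashtables are constructed so the check can be tried offline; the Windows 10 default values are included for contrast.

```powershell
# Added example (not course material): verify the UAC settings configured in Exercise 3, Task 1.
# The value names are the documented registry backing of the corresponding policy settings.
function Test-UacLabConfiguration {
    param(
        # Value name -> DWORD, so the check runs against constructed input or the live registry.
        [Parameter(Mandatory)] [hashtable] $Values
    )

    # Expected values for the settings the task configures (plus UAC itself being enabled).
    $expected = @(
        @{ Name = 'ConsentPromptBehaviorUser';   Value = 1
           Setting = 'Elevation prompt for standard users: Prompt for credentials on the secure desktop' }
        @{ Name = 'ValidateAdminCodeSignatures'; Value = 1
           Setting = 'Only elevate executables that are signed and validated: Enabled' }
        @{ Name = 'ConsentPromptBehaviorAdmin';  Value = 2
           Setting = 'Elevation prompt for administrators in Admin Approval Mode: Prompt for consent on the secure desktop' }
        @{ Name = 'EnableLUA';                   Value = 1
           Setting = 'Run all administrators in Admin Approval Mode: Enabled (UAC on)' }
    )

    foreach ($e in $expected) {
        $actual = $Values[$e.Name]
        [pscustomobject]@{
            Setting   = $e.Setting
            ValueName = $e.Name
            Expected  = $e.Value
            Actual    = $actual
            Compliant = ($actual -eq $e.Value)
        }
    }
}

# Read the live policy key on LON-CL1. Values appear here once the Group Policy setting applies.
function Get-UacRegistryValues {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key
    $values = @{}
    foreach ($name in 'ConsentPromptBehaviorUser', 'ValidateAdminCodeSignatures',
                      'ConsentPromptBehaviorAdmin', 'EnableLUA') {
        if ($null -ne $props.$name) { $values[$name] = [int]$props.$name }
    }
    return $values
}

# Constructed input: the registry after Task 1, and the Windows 10 defaults for comparison.
$afterTask1 = @{ ConsentPromptBehaviorUser = 1; ValidateAdminCodeSignatures = 1
                 ConsentPromptBehaviorAdmin = 2; EnableLUA = 1 }
$defaults   = @{ ConsentPromptBehaviorUser = 3; ValidateAdminCodeSignatures = 0
                 ConsentPromptBehaviorAdmin = 5; EnableLUA = 1 }

# The default configuration fails three of the four checks; the post-task one passes all of them.
Test-UacLabConfiguration -Values $defaults   | Format-Table Setting, Expected, Actual, Compliant -AutoSize
Test-UacLabConfiguration -Values $afterTask1 | Format-Table Setting, Expected, Actual, Compliant -AutoSize

# On the client itself, after gpupdate /force:
# Test-UacLabConfiguration -Values (Get-UacRegistryValues) | Format-Table -AutoSize
```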

Exercise 4: Configuring and Testing AppLocker


Scenario
In this exercise, you will create and test executable and default AppLocker rules.

The main tasks for this exercise are as follows:

1. Create a new executable rule.

2. Enforce AppLocker rules.

3. Confirm executable rule enforcement.

4. Test rule enforcement.

Task 1: Create a new executable rule


1. Switch to LON-CL1.

2. Open the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Application Control Policies, and then double-click AppLocker.

3. Create a new executable rule with the following properties:


o Permissions: Deny

o Group: IT

o Program: C:\Program Files\Windows Media Player\wmplayer.exe


4. Create the default rules.

Task 2: Enforce AppLocker rules


1. In the Local Group Policy Editor, open the AppLocker Properties, and then configure the Executable
rules for Enforce rules.
2. Close the Local Group Policy Editor, and then open an elevated command prompt. Run the
gpupdate /force command.

3. Sign out of LON-CL1.

Task 3: Confirm executable rule enforcement


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open Event Viewer, and then expand Windows Logs.


3. View the System log in Event Viewer. Check for Event ID 1502.

4. Start the Application Identity service.

5. Sign out of LON-CL1.



Task 4: Test rule enforcement


1. Sign in to LON-CL1 as Adatum\Holly with password Pa$$w0rd.

2. Attempt to open Windows Media Player.

3. Sign out, and then sign in as Adatum\Administrator with the password Pa$$w0rd.

4. Open Event Viewer.

5. Locate the Application and Services\Microsoft\Windows\AppLocker\EXE and DLL log. Locate


Event ID 8004. This shows that Holly attempted to run a prohibited application.
6. Close all open windows, and then sign out.

Results: After completing this exercise, you will have created and tested executable and default
AppLocker rules.

Prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20697-1B-LON-DC1.

Module Review and Takeaways


Review Question
Question: When you implement UAC, what happens to standard users and administrative
users when they perform a task that requires administrative permissions?

Module 10
Managing Network Security

Contents:
Module Overview 10-1
Lesson 1: Overview of Network-Related Security Threats 10-2
Lesson 2: Windows Firewall 10-4
Lesson 3: Connection Security Rules 10-14
Lesson 4: Windows Defender 10-22
Lab: Managing Network Security 10-26
Module Review and Takeaways 10-32

Module Overview
Protecting data from malicious attacks is one of an administrator's foremost concerns. Windows 10
includes Windows Firewall, which you can use to prevent unauthorized network traffic from entering or
leaving a computer. It provides the basic protection that you expect from Windows Firewall, and also
allows you to configure connection security rules to protect network traffic from interception and
modification. Windows 10 also includes the Windows Defender feature, which helps protect computers
from malware.

Objectives
After completing this module, you will be able to:
Describe network-related security threats.

Manage Windows Firewall.

Configure connection security rules.

Manage Windows Defender.



Lesson 1
Overview of Network-Related Security Threats
A computer that is running Windows 10 is more likely to face threats that originate from the network than
from any other location. This is because attacks from the network can target a large number of computers
and malicious users perform them remotely, whereas other forms of attacks require physical access to the
computer. In this lesson, you will learn about common network-related security threats and the steps that
you can take to mitigate them.

Lesson Objectives
After completing this lesson, you will be able to:

Identify common network-related security threats.


Understand the methods by which you can mitigate these common security threats.

Discussion: Common Network-Related Security Threats


There are many network-security threats, which you can group into different categories. Common
network-based security threats include:

Eavesdropping. An eavesdropping attack, also known as network sniffing, occurs when a hacker captures
network packets that workstations connected to your network send and receive. Eavesdropping attacks can
compromise your organization's sensitive data, such as passwords, which can lead to other, more damaging
attacks.

Denial of service (DoS) attack. This type of attack limits the function of a network app, or renders an app
or network resource unavailable. Hackers can initiate a DoS attack in several ways, and often are aware of
vulnerabilities in the target app that they can exploit to render it unavailable. Hackers typically perform
DoS attacks by overloading a service that replies to network requests, such as Domain Name System (DNS),
with a large number of fake requests in an attempt to overload and shut down a service or the server that
hosts the service. A distributed denial of service (DDoS) attack is a version of a DoS attack in which the
requests come from many hosts at once.

Port scanning. Apps that run on a computer using the TCP/IP protocol use Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) ports to identify themselves. One way that attackers
exploit a network is to query hosts for open ports on which they listen for client requests. Once
attackers identify an open port, they can use other attack techniques to access the services that are
running on the computer.

Man-in-the-middle (MITM) attack. The network attacker uses a computer to impersonate a legitimate
host on the network with which your computers are communicating. The attacker intercepts all of the
communications that are intended for a destination host. The attacker might wish to view the data in
transit between the two hosts, but also can modify that data before forwarding the packets to the
destination host.

Mitigations for Network-Related Security Threats


Attackers will try to access your network by using a variety of tools and techniques. Once they find a way
into your network, they can exploit that success and take their attack further. For this reason, it is
important to implement a comprehensive approach to network security, so that you can ensure that one
loophole or omission does not result in further weaknesses upon which malicious users can capitalize.

You can use any, or all, of the following defense mechanisms to help protect your network from malicious
attacks:

Internet Protocol security (IPsec), which authenticates IP-based communications between two hosts
and, where desirable, encrypts that network traffic.
Firewalls, which allow or block network traffic based on the type of traffic.

Perimeter networks, which are isolated areas on your network to and from which you can define
network traffic flow. When you need to make network services available on the Internet, it is not
advisable to connect hosting servers directly to the Internet. However, by placing these servers in a
perimeter network, you can make them available to Internet users without allowing those users access
to your corporate intranet.

VPNs and DirectAccess. It is important that users have the ability to connect to their organization's
intranet from the Internet as securely as possible. The Internet is a public network, and data in transit
across the Internet is susceptible to eavesdropping or MITM attacks. However, by using virtual private
networks (VPNs) or DirectAccess, you can authenticate and encrypt connections between remote
users and your organization's intranet. This can help to mitigate risk.
Server hardening. When you run only the services that you need, you can make servers inherently
more secure. To determine what services you require, you must establish a security baseline among
your servers. To determine precisely which Windows Server services you need to support the
functionality that you or your enterprise requires, you can use tools such as the Security Configuration
Wizard or the Microsoft Baseline Security Analyzer.

Intrusion detection. It is important to implement the preceding techniques to secure your network,
and it also is sensible to monitor your network regularly for signs of attack. You can use intrusion-
detection systems to do this by implementing them on perimeter devices, such as Internet-facing
routers.

Domain Name System Security Extensions (DNSSEC), which use digital signatures for validation, so
that DNS servers and resolvers can trust DNS responses. The DNS zone contains all signatures that are
generated in the new resource records. When a resolver issues a query for a name, the DNS server
returns the accompanying digital signature in the response. The resolver then validates the signature
by using a preconfigured trust anchor. Successful validation proves that no data modification or
tampering has occurred.

Lesson 2
Windows Firewall
Windows Firewall provides built-in functionality that you can use to protect Windows 10 computers
from unauthorized access attempts or other unwanted incoming or outgoing network traffic. Unwanted
traffic often comes from Internet-based sources, but traffic from a local area network (LAN) or wide area
network (WAN) also can compromise your network. You can use Windows Firewall to filter incoming and
outgoing traffic based on the traffic's characteristics and the type of network to which a Windows 10
computer is connected.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the purpose of a firewall.


Describe Windows Firewall functionality.

Explain network-location profiles.


Explain the increased functionality of Windows Firewall with Advanced Security.

List well-known network ports.

What Is a Firewall?
Firewalls block or allow network traffic, based on the traffic's properties. You can utilize hardware-based
firewalls or software firewalls that run on a device.

Depending on your firewall's sophistication, you can configure it to block or allow traffic based on the:

Traffic source address.


Traffic destination address.

Traffic source port.

Traffic destination port.

Traffic protocol.

Packet contents.

For example, a sophisticated firewall analyzes network traffic and filters out harmful traffic, such as
attempts to cause a denial-of-service attack or an SQL injection attack.

Administrators often place firewalls at a network perimeter, between an organization's screened subnet
and the Internet, and between the screened subnet and the internal network. Today, it also is common for
each host to have its own additional firewall.

What Is Windows Firewall?


Windows 10 centralizes basic firewall information in Control Panel, in the Network and Sharing Center and
System and Security items. In System and Security, you can configure basic Windows Firewall settings and
access the Action Center to view notifications for firewall alerts. In the Network and Sharing Center, you
can configure all types of network connections, such as changing the network location profile.

Firewall exceptions
When you add a program to the list of allowed
programs, or open a firewall port, you are
allowing that program to send information to or from your computer. Allowing a program to
communicate through a firewall is like making an opening in the firewall. Each time that you create
another opening, the computer becomes less secure.

Generally, it is safer to add a program to the list of allowed programs than to open a port for an app. If
you open a port without scoping the port to a specific app, the opening in the firewall stays open until
you close the port, regardless of whether a program is using it. If you add a program to the list of allowed
programs, you are allowing the app itself to create an opening in the firewall, but only when necessary.
The openings are available for communication only when required by an allowed program or computer.
To add, change, or remove allowed programs and ports, you should perform the following steps. Click
Allow an app or feature through Windows Firewall in the left pane of the Windows Firewall page,
and then click Change settings. For example, to view performance counters from a remote computer,
you must enable the Performance Logs and Alerts firewall exception on the remote computer.

To help decrease security risks when you open communications:

Only allow a program or open a port when necessary.

Remove programs from the list of allowed programs, or close ports when you do not require them.

Never allow a program that you do not recognize to communicate through the firewall.

Multiple active firewall profiles


Windows 10 includes multiple active firewall policies. These firewall policies enable computers to obtain
and apply a domain firewall profile, regardless of the networks that are active on the computers.
Information technology (IT) professionals can maintain a single set of rules for remote clients and those
that physically connect to an organizations network. To configure or modify profile settings for a network
location, click Change advanced sharing settings in the left pane of the Network and Sharing Center.

Windows Firewall notifications


You also can display firewall notifications in the taskbar by performing the following steps. Click Change
notification settings in the left pane of the Windows Firewall page, and then for each network location,
select or clear the Notify me when Windows Firewall blocks a new app check box.

Network Location Profiles


The first time that you connect a computer to a network, you must select whether you trust the network,
which sets appropriate firewall and security settings automatically. When you connect to networks in
different locations, you can ensure that your computer is set to an appropriate security level at all times
by choosing a network location.

Windows 10 uses network location awareness to uniquely identify the networks to which a computer is
connected. Network location awareness collects information from networks, including IP addresses and
media access control (MAC) address data from important network components, like routers and gateways,
to identify a specific network.
There are three types of network location:

Domain networks. These typically are workplace networks that attach to a domain. Use this option for
any network that allows communication with a domain controller. Network discovery is on by default,
and you cannot create or join a HomeGroup.

Private networks. These are networks at home or work where you know and trust the people and
devices on the network. When you select Home or work (private) networks, this turns on network
discovery. Computers on a home network can belong to a HomeGroup.

Guest or public networks. These are networks in public places. This location keeps the computer from
being visible to other computers. When you select the Public place network location, HomeGroup is
not available, and Windows 10 turns off network discovery.

You can modify the firewall settings for each type of network location from the main Windows Firewall
page. Click Turn Windows Firewall on or off, select the network location, and then make your selection.
You also can modify the following options:

Block all incoming connections, including those in the list of allowed programs.
Notify me when Windows Firewall blocks a new program.

The Public networks location blocks certain programs and services from running, which protects a
computer from unauthorized access. If you connect to a Public network, and Windows Firewall is on, some
programs or services might ask you to allow them to communicate through the firewall so that they can
work properly.

Windows Firewall with Advanced Security


Although you still can perform typical end-user configuration through Windows Firewall in Control Panel,
you can perform advanced configuration in the Windows Firewall with Advanced Security snap-in. You can
access this snap-in through Control Panel from the Windows Firewall page by clicking Advanced settings
in the left pane. The snap-in provides an interface for configuring Windows Firewall locally, on remote
computers, and by using Group Policy.

Windows Firewall with Advanced Security is an example of a network-aware app. You can create a profile
for each network location type, and each profile can contain different firewall policies. For example, you
can allow incoming traffic for a specific desktop management tool when a computer is on a domain
network, but block traffic when the computer connects to public or private networks.
Network awareness enables you to provide flexibility on an internal network without sacrificing security
when users travel. A public network profile must have stricter firewall policies to protect against
unauthorized access. A private network profile might have less restrictive firewall policies to allow file
and print sharing or peer-to-peer discovery.

Windows Firewall with Advanced Security properties


You can use the Windows Firewall with Advanced Security Properties dialog box to configure basic
firewall properties for the domain, private, and public network profiles. A firewall profile is a way of
grouping settings, including firewall rules and connection security rules. Use the IPsec Settings tab on the
Windows Firewall with Advanced Security Properties dialog box to configure the default values for IPsec
configuration options.

Note: To access the global profile settings in Windows Firewall with Advanced Security
Properties, perform one of the following procedures:

In the navigation pane, right-click Windows Firewall with Advanced Security, and then click
Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the
Overview section, click Windows Firewall Properties.

In the navigation pane, select Windows Firewall with Advanced Security, and then in the Actions
pane, click Properties.

The options that you can configure for each of the three network profiles are:

Firewall state. Turn on or off for each profile.

Inbound connections. Configure to block connections that do not match any active firewall rules,
block all connections regardless of inbound rule specifications, or allow inbound connections that
do not match an active firewall rule.
Outbound connections. Configure to allow connections that do not match any active firewall rules, or
block outbound connections that do not match an active firewall rule.

Settings. Configure display notifications, unicast responses, local firewall rules, and local connection
security rules.

Logging. Configure the following logging options:


o Name. Use a different name for each network profiles log file.

o Size limit (KB). The default size is 4,096. Adjust this if necessary when troubleshooting.

o No logging occurs until you set one or both of the following two options to Yes:
Log dropped packets
Log successful connections

Windows Firewall with Advanced Security rules


Rules are a collection of criteria that define what traffic you will allow, block, or secure with a firewall. You
can configure the following types of rules:

Inbound
Outbound

Connection security rules

Inbound rules
Inbound rules explicitly allow or block traffic that matches the rule's criteria. For example, you can
configure a rule to allow traffic for Remote Desktop from the local network segment through the firewall,
but block traffic if the source is a different network segment.
When you first install the Windows operating system, Windows Firewall blocks all unsolicited inbound
traffic. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule that
describes that traffic. For example, if you want to run a Web server, you must create a rule that allows
unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows
Firewall with Advanced Security takes, which is whether to allow or block connections when an inbound
rule does not apply.

Outbound rules
Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or
deny traffic originating from a computer that matches a rule's criteria. For example, you can configure a
rule to explicitly block outbound traffic to a computer by IP address through the firewall, but allow the
same traffic for other computers.

Inbound and outbound rule types


There are four different types of inbound and outbound rules:

Program rules. These control connections for a program. Use this type of firewall rule to allow a
connection based on the program that is trying to connect. These rules are useful when you are not
sure of the port or other required settings, because you only specify the path to the program's
executable (.exe) file.

Port rules. These control connections for a TCP or UDP port. Use this type of firewall rule to allow a
connection based on the TCP or UDP port number over which the computer is trying to connect. You
specify the protocol and the individual or multiple local ports to which the rule applies.
Predefined rules. These control connections for a Windows-based experience. Use this type of firewall
rule to allow a connection by selecting one of the programs or experiences from the list. Network-
aware programs that you install typically add their own entries to this list, so that you can enable and
disable them as a group.

Custom rules. Configure these as necessary. Use this type of firewall rule to allow a connection based
on criteria that other types of firewall rules do not cover.

Consider the scenario in which you want to create and manage tasks on a remote computer by using the
Task Scheduler user interface. Before connecting to the remote computer, you must enable the Remote
Scheduled Tasks Management firewall exception on the remote computer. You can do this by using the
predefined rule type on an inbound rule.
Alternatively, you might want to block all web traffic on the default TCP Web server port 80. In this
scenario, you create an outbound port rule that blocks the specified port. The next topic discusses well-
known ports, such as port 80.
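The same rule types expressed in Windows PowerShell, as an added example that is not part of the course text. It creates one rule of each type discussed above with the NetSecurity module cmdlets; the two scenarios (Remote Scheduled Tasks Management and blocking outbound port 80) are the ones in the text, while the rule names, the program path, the monitoring subnet and the profile choices are assumptions for illustration. Run it in an elevated Windows PowerShell session.

```powershell
# Added example (not course code). Run elevated. Names, paths and addresses are assumed.

# Predefined rule: enable the built-in "Remote Scheduled Tasks Management" group rather
# than authoring the RPC/port details by hand, so Microsoft's own definitions are kept.
Enable-NetFirewallRule -DisplayGroup 'Remote Scheduled Tasks Management'

# Port rule: block outbound TCP 80. Scoped to the Public profile so that intranet web
# applications reachable on Domain networks keep working.
New-NetFirewallRule -DisplayName 'Block outbound HTTP (public networks)' `
    -Direction Outbound -Protocol TCP -RemotePort 80 `
    -Profile Public -Action Block

# Program rule: allow inbound connections only for one executable (assumed path). The
# firewall opens whatever port this program listens on, so the rule is narrowed further
# with a remote address scope.
New-NetFirewallRule -DisplayName 'Allow inbound for ContosoAgent' `
    -Direction Inbound -Program 'C:\Program Files\Contoso\Agent\agent.exe' `
    -RemoteAddress LocalSubnet -Profile Domain -Action Allow

# Custom rule: criteria the other types cannot express together, here a specific
# protocol, local port and remote address range (assumed monitoring subnet).
New-NetFirewallRule -DisplayName 'Allow SNMP polls from monitoring subnet' `
    -Direction Inbound -Protocol UDP -LocalPort 161 `
    -RemoteAddress 10.0.50.0/24 -Profile Domain -Action Allow

# Verify what was created: direction, action, enabled state and profile.
Get-NetFirewallRule -DisplayName 'Block outbound HTTP*', 'Allow inbound for ContosoAgent', 'Allow SNMP*' |
    Format-Table DisplayName, Direction, Action, Enabled, Profile -AutoSize
```

Rules created this way land in the local (PersistentStore) policy; Group Policy rules that target the same computer merge with them, which is why the later verification examples read the ActiveStore.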

Connection security rules


Firewall rules and connection security rules are complementary, and both contribute to a defense-in-
depth strategy to protect a computer. Connection security rules secure traffic as it crosses a network by
using IPsec. Use connection security rules to require authentication or encryption of connections between
two computers. Connection security rules specify how and when authentication occurs, but they do not
allow connections. To allow a connection, create an inbound or outbound rule. After a connection security
rule is in place, you can specify that inbound and outbound rules apply only to specific users or
computers.

You can create the following connection security rule types:


Isolation rules. These isolate computers by restricting connections based on authentication criteria,
such as domain membership or health status. Isolation rules allow you to implement a server or
domain isolation strategy.
Authentication exemption rules. These designate connections that do not require authentication. You
can designate computers by specific IP address, an IP address range, a subnet, or a predefined group,
such as a gateway.
You typically use this type of rule to grant access to infrastructure computers, such as Active Directory
domain controllers, certification authorities (CAs), or Dynamic Host Configuration Protocol (DHCP)
servers.
Server-to-server rules. These protect connections between specific computers. When you create
this type of rule, you must specify the network endpoints between which you want to protect
communications. You then designate requirements and the type of authentication that you want
to use, such as the Kerberos version 5 protocol. A scenario in which you might use this rule is if you
want to authenticate traffic between a database server and a business-layer computer.

Tunnel rules. These secure communications that travel between two computers by using tunnel mode
in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that you
route between two defined endpoints.

For each endpoint, specify a single computer that receives and consumes the sent network traffic, or
specify a gateway computer that connects to a private network onto which the received traffic is
routed after extracting it from the tunnel.

Custom rules. Configure these as necessary. Custom rules authenticate connections between two
endpoints when you cannot set up authentication rules by using the other rule types.

Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules,
connection security rules, and security associations (SAs). The Monitoring page displays which profiles
are active (domain, private, or public), and the settings for the active profiles.

Windows Firewall with Advanced Security events are also available in Event Viewer, under Applications
and Services Logs, Microsoft, Windows, Windows Firewall With Advanced Security. For example, the
ConnectionSecurity operational log is a resource that you can use to view IPsec-related events. The
operational log is always on, and it contains events for connection security rules. Dropped and allowed
packets, by contrast, are recorded only if you turn on logging in the properties of a profile; they are then
written to the text file %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, not to Event Viewer.
Windows PowerShell commands
You can use the following Windows PowerShell cmdlets to manage Windows Firewall rules:

Get-NetFirewallRule. Use this cmdlet to display a list of available firewall rules.


Copy-NetFirewallRule. Use this cmdlet to copy an existing firewall rule.

Enable-NetFirewallRule. Use this cmdlet to enable an existing firewall rule.

Disable-NetFirewallRule. Use this cmdlet to disable an existing firewall rule.


New-NetFirewallRule. Use this cmdlet to create a new firewall rule.

Remove-NetFirewallRule. Use this cmdlet to delete a firewall rule.

Rename-NetFirewallRule. Use this cmdlet to rename a firewall rule.


Set-NetFirewallRule. Use this cmdlet to configure the properties of an existing firewall rule.

Show-NetFirewallRule. Use this cmdlet to view all firewall rules in the policy store.
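The cmdlets above are most useful when combined, because a rule's ports, program and address scope live in separate filter objects. The following added example (not part of the course text) audits the active policy for enabled inbound Allow rules and flags those that allow any program on any port from any remote address. It is read-only and uses only the NetSecurity cmdlets; the function name is an assumption.

```powershell
# Added example (not course code). Read-only audit of the effective inbound allow rules.

function Get-InboundAllowRuleReport {
    [CmdletBinding()]
    param(
        # ActiveStore is the merged result of local policy and Group Policy.
        [string]$PolicyStore = 'ActiveStore'
    )

    $rules = Get-NetFirewallRule -PolicyStore $PolicyStore `
                 -Direction Inbound -Action Allow -Enabled True

    foreach ($rule in $rules) {
        # Each rule's criteria are separate objects associated with the rule.
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        $addr = $rule | Get-NetFirewallAddressFilter

        [pscustomobject]@{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            Program       = $app.Program
            RemoteAddress = ($addr.RemoteAddress -join ',')
            # No program, any local port and any remote address: effectively a hole
            # in the firewall, so flag it for review.
            WideOpen      = ($app.Program -eq 'Any' -and
                             $port.LocalPort -eq 'Any' -and
                             $addr.RemoteAddress -eq 'Any')
        }
    }
}

# Typical use: list only the wide-open rules.
Get-InboundAllowRuleReport | Where-Object WideOpen |
    Format-Table Name, Profile, Protocol, Program -AutoSize

# Acting on a finding (assumed rule name): disable rather than delete, so the change
# is reversible with Enable-NetFirewallRule.
# Disable-NetFirewallRule -DisplayName 'Some legacy rule'
```

Running the report against both the ActiveStore and the PersistentStore shows whether a surprising rule came from Group Policy or was added locally.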

Well-Known Ports
Before you configure either inbound or outbound
firewall rules, you must understand how apps
communicate on a TCP/IP network. At a high
level, when an app wants to establish
communications with an app on a remote host,
it creates a connection to a defined TCP or UDP
socket.

The combination of the following three parts defines a socket:
The transport protocol that the app uses,
either TCP or UDP.

The Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses of the source and
destination hosts.

The TCP or UDP port number that the apps are using. TCP or UDP communications use ports to name
the ends of logical connections that transfer data.

Well-known ports
The Internet Assigned Numbers Authority (IANA) assigns the well-known ports. On UNIX-like systems,
typically only system processes or programs that privileged users execute can bind to these ports; Windows
does not enforce that restriction, so a listener on a low port is not by itself evidence of a privileged
service. Ports receive a number between 0 and 65,535:

Well-known ports are those from 0 through 1,023.

Registered ports are those from 1,024 through 49,151.

Dynamic and private ports are those from 49,152 through 65,535.

To view the current TCP/IP network connections and listening ports, use the netstat -ano command (the
-o column shows the owning process ID) or the Get-NetTCPConnection Windows PowerShell cmdlet.
Get-NetTCPConnection reports TCP only; use Get-NetUDPEndpoint to list UDP listeners.

IANA assigns well-known ports to specific apps so that client apps can locate them on remote systems.
Where possible, IANA assigns the same port number to a service for both TCP and UDP. To view a list
of well-known ports and the associated services that Windows 10 recognizes, open the
C:\Windows\System32\drivers\etc\services file. The following table identifies some well-known ports.

Port   Protocol   Application
21     TCP        File Transfer Protocol (FTP)
23     TCP        Telnet; provides access to a command-line interface on a remote host
25     TCP        Simple Mail Transfer Protocol (SMTP); email servers and clients use it to send email
53     UDP        DNS
53     TCP        DNS
80     TCP        Hypertext Transfer Protocol (HTTP); used by Web servers
110    TCP        Post Office Protocol version 3 (POP3); used by email clients for email retrieval
143    TCP        Internet Message Access Protocol (IMAP); used by email clients for email retrieval
161    UDP        Simple Network Management Protocol (SNMP)
389    TCP        Lightweight Directory Access Protocol (LDAP)
443    TCP        Hypertext Transfer Protocol Secure (HTTPS); used by secured Web servers
3389   TCP        Remote Desktop Protocol (RDP); a proprietary protocol that provides a user with a
                  graphical interface to another computer

Typically, it is not necessary to configure applications to use specific ports. However, you must be aware of
the ports that applications use to ensure that the required ports are open through your firewall when you
use a port rule.
Remember that when you add a TCP or UDP port to the rules list, the port is open whenever Windows
Firewall with Advanced Security is running, regardless of whether a program or system service is listening
for incoming traffic on the port. Therefore, if you need to allow unsolicited incoming traffic, create a
program rule instead of a port rule. When you use a program rule, the port opens and closes dynamically
as the program requires. You also do not need to be aware of the port number that the application uses.
If you change the application port number, the firewall automatically continues communication on the
new port. The trade-off is that a program rule allows every port on which that program listens, so
combine it with a remote address scope (the Scope tab) wherever the legitimate clients are known.
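To see which ports are actually in use before writing rules, the following added example (not part of the course text) lists every TCP listener and UDP endpoint on the local computer, resolves the owning process, and looks each port up in the services file described above so that an unfamiliar listener stands out. It is read-only; the function name is an assumption, and process paths for system processes are visible only from an elevated session.

```powershell
# Added example (not course code). Read-only inventory of local listeners.

function Get-ListeningPortReport {
    # Parse the services file into a "port/protocol" -> name lookup. Entries look like:
    #   http   80/tcp   www www-http   #World Wide Web
    $servicesFile = Join-Path $env:SystemRoot 'System32\drivers\etc\services'
    $wellKnown = @{}
    foreach ($line in Get-Content $servicesFile) {
        if ($line -match '^\s*(\S+)\s+(\d+)/(tcp|udp)') {
            $wellKnown["$($Matches[2])/$($Matches[3])"] = $Matches[1]
        }
    }

    # Get-NetTCPConnection covers TCP only; UDP endpoints come from Get-NetUDPEndpoint.
    $endpoints = @(Get-NetTCPConnection -State Listen | ForEach-Object {
            [pscustomobject]@{ Protocol = 'tcp'; Address = $_.LocalAddress
                               Port = $_.LocalPort; ProcessId = $_.OwningProcess }
        }) + @(Get-NetUDPEndpoint | ForEach-Object {
            [pscustomobject]@{ Protocol = 'udp'; Address = $_.LocalAddress
                               Port = $_.LocalPort; ProcessId = $_.OwningProcess }
        })

    foreach ($e in $endpoints) {
        $proc = Get-Process -Id $e.ProcessId -ErrorAction SilentlyContinue
        # Classify by the IANA ranges listed above.
        $range = if ($e.Port -lt 1024) { 'well-known' }
                 elseif ($e.Port -lt 49152) { 'registered' }
                 else { 'dynamic' }
        [pscustomobject]@{
            Protocol  = $e.Protocol.ToUpper()
            Address   = $e.Address
            Port      = $e.Port
            Service   = $wellKnown["$($e.Port)/$($e.Protocol)"]   # null if not in the file
            Range     = $range
            ProcessId = $e.ProcessId
            Process   = $proc.ProcessName
            Path      = $proc.Path     # empty for protected processes unless elevated
        }
    }
}

Get-ListeningPortReport | Sort-Object Protocol, Port |
    Format-Table Protocol, Address, Port, Service, Range, ProcessId, Process -AutoSize
```

A listener that is not bound to 0.0.0.0 or :: is reachable only on that address, and a listener with no matching inbound Allow rule is unreachable from the network regardless of what this report shows; cross-check against the firewall rule report when deciding what to do about an unexpected entry.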

Demonstration: Configuring Inbound and Outbound Firewall Rules


In this demonstration, you will see how to configure inbound and outbound firewall rules for Windows
Firewall.

Demonstration Steps

Test Remote Desktop connectivity


1. Sign in to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd.

2. In the search box on the taskbar, type mstsc, and then click mstsc. This opens a Remote Desktop
Connection.
3. Connect to LON-CL1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.

4. After verifying the connection, sign out of LON-CL1.

Configure an inbound rule


1. Switch to LON-CL1.
2. Sign in to LON-CL1 as Adatum\Administrator.

3. Open Control Panel, and then open Windows Firewall.


4. Create the following inbound rule:
o Rule Type: Predefined

o Rule Name: Remote Desktop


o Predefined Rules:
Remote Desktop Shadow (TCP-in)
Remote Desktop User Mode (TCP-In)
Remote Desktop User Mode (UDP-In)
o Action: Block the connection

Test the inbound rule


1. Switch to LON-CL2, and in the search box on the taskbar, type mstsc and then click mstsc. This
opens a Remote Desktop Connection.

2. Connect to LON-CL1.

3. Verify that the connection attempt fails.

Test outbound Remote Desktop connectivity


1. Switch to LON-CL1.

2. In the search box on the taskbar, type mstsc, and then click mstsc. This will open Remote Desktop
Connection.

3. Connect to LON-DC1, and then sign in as Adatum\Administrator.

4. After verifying the connection, sign out of LON-DC1.



Configure an outbound rule


1. On LON-CL1, restore the Windows Firewall with Advanced Security window.

2. Create a new program rule with the following property:


o Block connections from the C:\Windows\System32\mstsc.exe program

3. Name the rule Block Outbound RDP to LON-DC1.

4. Open the properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.
5. Modify the scope so that the rule applies only to the remote IP address 172.16.0.10.

Test outbound Remote Desktop connectivity


1. In the search box on the taskbar, type mstsc, and then click mstsc. This opens a Remote Desktop
Connection.

2. Attempt to connect to LON-DC1, which should fail immediately.

3. Close all open windows.
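The demonstration performed with Windows PowerShell on LON-CL1, as an added example that is not part of the course text. It blocks the predefined Remote Desktop rules inbound, adds the scoped outbound program rule for mstsc.exe, verifies the scope, tests the inbound block from LON-CL2 and then restores the starting state. The lab names and the address 172.16.0.10 are the ones used above; the remote test assumes that Windows PowerShell remoting (WinRM) is enabled on LON-CL2, which the demonstration does not state. Run elevated.

```powershell
# Added example (not course code). Run elevated on LON-CL1. Assumes WinRM to LON-CL2.

# Baseline: RDP to LON-DC1 should work before any rule changes.
Test-NetConnection -ComputerName LON-DC1 -Port 3389 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# Inbound: block the predefined Remote Desktop group. Remember the current state so
# that cleanup can restore it exactly (the rules may have been disabled beforehand).
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound
$original = $rdpRules | Select-Object Name, Enabled, Action
$rdpRules | Set-NetFirewallRule -Action Block -Enabled True

# Test the inbound block from LON-CL2: the TCP connect to 3389 should now fail.
Invoke-Command -ComputerName LON-CL2 -ScriptBlock {
    (Test-NetConnection -ComputerName LON-CL1 -Port 3389).TcpTestSucceeded   # expect False
}

# Outbound: a program rule for mstsc.exe, scoped with -RemoteAddress so that only
# RDP to LON-DC1 is blocked and RDP to other hosts keeps working.
New-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1' `
    -Direction Outbound -Program "$env:SystemRoot\System32\mstsc.exe" `
    -RemoteAddress 172.16.0.10 -Action Block

# Verify the scope: the address filter is stored separately from the rule.
Get-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Note: Test-NetConnection is not mstsc.exe, so it is unaffected by a program rule.
# The outbound block is only observable from mstsc itself, as in the demonstration.

# Cleanup: remove the outbound rule and put the Remote Desktop rules back as found.
Remove-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1'
foreach ($r in $original) {
    Set-NetFirewallRule -Name $r.Name -Enabled $r.Enabled -Action $r.Action
}
```

The inbound test works because the block applies to the port regardless of the client; the outbound test does not, which is the practical consequence of the difference between port rules and program rules discussed in the previous topic.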

Check Your Knowledge


Question

You need to open a firewall port to allow Lightweight Directory Access Protocol
(LDAP) traffic. Which port would you open to accomplish this task?

Select the correct answer.

143

389

443

161

Lesson 3
Connection Security Rules
By default, Windows 10 does not authenticate or encrypt network-layer connections made from one
computer to another. However, by configuring and using connection security rules, you can verify the
identity of each computer that is communicating. You also can encrypt the connection between those
computers and ensure that nothing has tampered with the transmission between them.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the purpose and functionality of IPsec.

Understand how to configure IPsec.

Describe connection security rules.


Explain authentication options.

Monitor connections.

What Is IPsec?
You can use IPsec to ensure confidentiality,
integrity, and authentication in data transport
across channels that are not secure. Though its
original purpose was to secure traffic across public
networks, many organizations have chosen to
implement IPsec to address perceived weaknesses
in their own private networks that might be
susceptible to exploitation.
If you implement IPsec properly, it provides a
private channel for sending and exchanging
potentially sensitive or vulnerable data, whether
it is email, FTP traffic, news feeds, partner and
supply-chain data, medical records, or any other type of TCP/IP-based data.

IPsec:

Offers mutual authentication both before and during communications.

Forces both parties to identify themselves during the communication process.

Enables confidentiality through IP traffic encryption and digital-packet authentication.

IPsec protocols
IPsec has two protocols. Each can run in transport mode, which protects the payload of an existing
packet, or in tunnel mode, which encapsulates the whole packet:

Encapsulating Security Payload (ESP). This protocol encrypts the data by using one of several available
algorithms and, when configured with an integrity algorithm, also authenticates it.

Authentication Header (AH). This protocol signs the whole packet, including the IP header, but does not
encrypt it. Because the IP header is covered, AH cannot pass through network address translation (NAT);
ESP can.

Providing IP traffic integrity by rejecting modified packets


ESP and AH verify the integrity of the IP traffic that they protect. If a packet has been modified, the
integrity check value (a keyed hash, not a public-key signature) will not match, and IPsec will discard the
packet. ESP in tunnel mode encrypts the original source and destination addresses as part of the payload;
it adds a new IP header to the packet that carries the tunnel endpoints' own source and destination
addresses. For ESP, Windows Server 2012 R2 and Windows 10 support Data Encryption Standard (DES),
Triple DES (3DES), and Advanced Encryption Standard (AES) in CBC mode (128, 192, or 256 bits) and in GCM
mode. Do not use DES, whose 56-bit key can be recovered by brute force; treat 3DES as legacy; and prefer
AES. AES-GCM provides encryption and integrity in a single algorithm.

Providing protection from replay attacks


ESP and AH carry a sequence number in every packet, and the receiver keeps a sliding window of the
sequence numbers that it has already accepted. A packet that an attacker captured and replays later arrives
with a number that is duplicated or outside the window, so the receiver discards it. This ensures that an
attacker cannot reuse or replay captured data to establish a session or gain information, and it protects
against attempts to intercept a message and use it to access resources, possibly months later.

Connection security rules


You can protect a network with two types of isolation:
Server isolation. You isolate a server by configuring it to require IPsec authentication before it accepts
communications from other computers. For example, you might configure a database server to accept
connections only from a web application server.

Domain isolation. You isolate a domain by using Active Directory domain membership to ensure that
computers that are domain members accept only authenticated and secured communications from
other domain-member computers. The isolated network consists only of that domain's member
computers, and domain isolation uses an IPsec policy to protect traffic between domain members,
including all client and server computers.

What Are Connection Security Rules?


A connection security rule forces authentication
between two peer computers before they can
establish a connection and transmit secure
information. Windows Firewall with Advanced
Security uses IPsec to enforce the following
configurable rules:

Isolation. An isolation rule isolates computers


by restricting connections based on
credentials, such as domain membership
or health status. Isolation rules allow you to
implement an isolation strategy for servers
or domains.
Authentication exemption. You can use an authentication exemption to designate connections that
do not require authentication. You can designate computers by a specific IP address, an IP address
range, a subnet, or a predefined group, such as a gateway.
Server-to-server. A server-to-server rule protects connections between specific computers. This type
of rule usually protects connections between servers. When you create the rule, you specify the
network endpoints between which communications are protected. You then designate requirements
and the authentication that you want to use.

Tunnel. A tunnel rule allows you to protect connections between gateway computers, and typically,
you use it when you are connecting across the Internet between two security gateways.

Custom. There might be situations in which you cannot configure the authentication rules that you
need by using the rules available in the New Connection Security Rule Wizard. However, you can use
a custom rule to authenticate connections between two endpoints.

You can configure connection security rules by using Group Policy, Windows Firewall with Advanced
Security, or Windows PowerShell.

The relation between firewall rules and connection security rules


Firewall rules allow traffic through a firewall, but do not secure that traffic. To secure traffic with IPsec, you
create connection security rules. However, creating a connection security rule does not by itself allow
the traffic through the firewall; you must also create a firewall rule if the firewall's default behavior does
not allow the traffic. Connection security rules do not apply to programs and services. They apply only
between the computers that are the two endpoints.

Authentication Options
When you use the New Connection Security Rule
Wizard to create a new rule, you can use the
Requirements page to specify how you want
authentication to apply to inbound and outbound
connections. If you request authentication, communication still proceeds when authentication fails; the
traffic is simply left unprotected. If you require authentication, the connection is dropped if
authentication fails.

The Request authentication for inbound and outbound connections option
Use the Request authentication for inbound and outbound connections option to specify that all
inbound and outbound traffic attempts to authenticate, but that the connection is still allowed if
authentication fails. If authentication succeeds, the traffic is protected. You typically use this option in
low-security environments, or in an environment where computers must be able to connect but cannot
perform the types of authentication that are available with Windows Firewall with Advanced Security.
Because a peer can simply decline to authenticate, this option enforces nothing; it is most useful as a
transition step while you confirm that authentication succeeds before switching to a Require option.

The Require authentication for inbound connections and Request authentication for
outbound connections option
Use the Require authentication for inbound connections and request authentication for outbound
connections option if you want to ensure that all inbound traffic is either authenticated or blocked, while
outbound traffic is still allowed if authentication fails. If authentication succeeds for outbound traffic, the
firewall protects that traffic. This is the usual choice for most IT environments in which the computers that
need to connect can perform the authentication types that are available with Windows Firewall with
Advanced Security.

The Require authentication for inbound and outbound connections option


Use the Require authentication for inbound and outbound connections option if you want to require
that all inbound and outbound traffic either is authenticated or else blocked. You typically use this option
in higher-security IT environments where you must protect and control traffic flow, and in which the
computers that must be able to connect can perform the authentication types that are available with
Windows Firewall with Advanced Security.

The New Connection Security Rule Wizard has a page on which you can configure the authentication
method and the authentication credentials that you want clients to use. If the rule exists already, you can
use the Authentication tab in the Properties dialog box of the rule that you wish to edit.

Default
Select the Default option to use the authentication method that you configured on the IPsec Settings tab
of the Windows Firewall with Advanced Security Properties dialog box.

Computer and user (Kerberos V5)


The Computer and user (Kerberos V5) method uses both computer and user authentication, which means
that you can request or require both the user and the computer to authenticate before communications
continue. You can use the Kerberos V5 authentication protocol only if both computers are domain
members.

Computer (Kerberos V5)


The Computer (Kerberos V5) method requests or requires the computer to authenticate by using the
Kerberos V5 authentication protocol. You can use the Kerberos V5 authentication protocol only if both
computers are domain members.

User (Kerberos V5)


The User (Kerberos V5) method requests or requires the user to authenticate by using the Kerberos V5
authentication protocol. You can use the Kerberos V5 authentication protocol only if the user is a domain
user.

Computer certificate
The Computer certificate method requests or requires a valid computer certificate for authentication;
each computer must hold a certificate issued by a CA that the other computer trusts. Use this method if
the computers are not part of the same AD DS domain.

Advanced
You can configure any available method, and you can specify methods for first authentication and second
authentication. First authentication methods include Computer (Kerberos V5), computer certificate, and a
preshared key (not recommended, because the key is stored in clear text in the policy and is shared by
every peer that uses the rule). Second authentication methods include User (Kerberos V5), User NTLM
(Windows NT Challenge/Response protocol), user certificates, and computer certificates issued by trusted
CAs. Only computers that are running Windows Vista, Windows 7, Windows 8, Windows 10, Windows
Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 support second
authentication methods.
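The authentication choices above map onto the NetSecurity cmdlets as follows, in an added example that is not part of the course text. It builds a first-authentication set that accepts either Computer (Kerberos V5) or a computer certificate, a second-authentication set for User (Kerberos V5), and an isolation rule with the Require inbound / Request outbound option, plus an authentication exemption for the domain controller. The display names, the CA distinguished name and the domain controller address are assumptions; run it elevated on a domain-joined computer.

```powershell
# Added example (not course code). Run elevated on a domain member. Names and the CA
# subject are assumed; 172.16.0.10 is the lab domain controller address from this module.

# First authentication (computer identity). Kerberos V5 works only between domain
# members; a certificate from a trusted CA covers peers outside the domain. Listing both
# proposals lets either succeed. No preshared key: it would sit in clear text in the policy.
$kerbComputer = New-NetIPsecAuthProposal -Machine -Kerberos
$certComputer = New-NetIPsecAuthProposal -Machine -Cert `
                    -Authority 'CN=Contoso Issuing CA, DC=contoso, DC=com' -AuthorityType Root
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer: Kerberos or Contoso certificate' `
              -Proposal $kerbComputer, $certComputer

# Second authentication (user identity) via Kerberos V5; requires a domain user.
$kerbUser = New-NetIPsecAuthProposal -User -Kerberos
$phase2   = New-NetIPsecPhase2AuthSet -DisplayName 'User: Kerberos' -Proposal $kerbUser

# Isolation rule. InboundSecurity Require drops unauthenticated inbound connections;
# OutboundSecurity Request keeps outbound traffic working to peers that cannot
# authenticate. This is the wizard's middle option described above.
New-NetIPsecRule -DisplayName 'Authenticate all inbound connections' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Domain

# Authentication exemption: Kerberos cannot succeed until the domain controller is
# reachable, so traffic to it is exempted (None in both directions).
New-NetIPsecRule -DisplayName 'Exempt domain controller' `
    -InboundSecurity None -OutboundSecurity None `
    -RemoteAddress 172.16.0.10 -Profile Domain

# Confirm what the active policy now contains.
Show-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, Phase2AuthSet
```

Deploy the Require inbound option only after every peer that must reach the computer has been confirmed to authenticate under a Request rule; anything that cannot (printers, appliances, non-domain hosts without certificates) needs an exemption like the one for the domain controller, or it is silently cut off.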

Monitoring Connections
Windows Firewall with Advanced Security is
a stateful, host-based firewall that blocks
incoming and outgoing connections based
on its configuration. Although you can perform
a typical end-user configuration for Windows
Firewall by using the Windows Firewall control
panel item, you can perform advanced
configuration in the Microsoft Management
Console (MMC) snap-in named Windows Firewall
with Advanced Security.

The inclusion of this snap-in not only provides an


interface for configuring Windows Firewall locally,
but also for configuring Windows Firewall on remote computers and by using Group Policy. You also can
use Windows PowerShell to configure Windows Firewall policies throughout your environment. Windows
Firewall functions now integrate with settings for connection-security protection, which reduces the
possibility of conflict between the two protection mechanisms.

Monitoring options for Windows Firewall with Advanced Security


You can use the Windows Firewall with Advanced Security console to monitor security policies that you
create in the Connection Security Rules node. However, you cannot view the policies that you create by
using the IP Security Policy Management snap-in. These security options are for use with Windows Vista,
Windows 7, Windows 8, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows
Server 2012, and Windows Server 2012 R2.

Monitoring connection security rules


The Connection Security Rules node lists all of the enabled connection security rules with detailed
information about their settings. Connection security rules define which authentication, key exchange,
data integrity, or encryption you can use to form an SA. The SA defines the security that protects the
communication from the sender to the recipient.

Implementing Connection Security Monitor


You can implement the Connection Security Monitor as an MMC snap-in. It includes enhancements that
you can use to view details about an active connection security policy that the domain applies or that you
apply locally. Additionally, you can view Quick Mode and Main Mode statistics, filters, negotiation policies,
and security associations. You also can use Connection Security Monitor to search for specific Main Mode
or Quick Mode filters. To troubleshoot complex designs for connection-security policies, you can use
Connection Security Monitor to search for all matches for filters of a specific traffic type.

Changing default settings


You can change the Connection Security Monitor default settings, such as automatic refresh and DNS
name resolution. For example, you can specify the time that elapses between IPsec data refreshes.

Additionally, you can enable DNS name resolution for the IP addresses that you are monitoring. Consider
the following when you enable it: name resolution works only in the specific filter view for Quick Mode
and in the SAs view for Quick Mode and Main Mode monitoring; it can affect a server's performance if
several items in the view require name resolution; and it requires a proper pointer (PTR) resource record
in DNS for each address.

Obtaining information about the active policy


You can get basic information about the current IP security policy in the Active Policy node of the IP
Security Monitoring snap-in to the MMC. During troubleshooting, this is useful to identify which policy
IPsec is applying to the server. Details such as the policy location and the time of its last modification
provide key details when you are determining the current in-place policy.

To view the connection security rules in the active policy store, you can use the following Windows
PowerShell command:

Show-NetIPsecRule -PolicyStore ActiveStore

Main Mode SA and Quick Mode SA


The Main Mode SA is the initial SA that Windows 10 establishes between two computers. It authenticates
the peers and negotiates a set of cryptographic protection suites between both hosts. This initial SA allows
the Quick Mode key exchange to occur in a protected environment. The Main Mode SA is also called the
Internet Security Association and Key Management Protocol (ISAKMP) SA or the Phase 1 SA. Main Mode
establishes the secure environment in which further keys are exchanged, as the IPsec policy requires.

A Quick Mode SA depends on the successful establishment of a Main Mode SA. An IPsec or Phase 2 SA is
another name for a Quick Mode SA. This process establishes keys based on the information that the policy
specifies. Quick Mode SAs establish protected transmission channels for the actual application IP data that
the policy specifies.

Monitoring SAs
The Security Associations folder lists all of the Main Mode and Quick Mode SAs with detailed information
about their settings and endpoints.

Main Mode
Main Mode statistics provide data about the total number of SAs created and invalid packet information.

Quick Mode
Quick Mode provides more-detailed information about connections. If you are having issues with an IPsec
connection, Quick Mode statistics can provide insight into the problem.

Demonstration: Creating and Configuring Connection Security Rules


In this demonstration, you will see how to configure and monitor connection security rules.

Demonstration Steps
1. Switch to LON-CL2.

2. Ping LON-CL1.
3. Open Control Panel, open Windows Firewall, and then open the Advanced settings.

4. Examine the Security Associations monitoring. No information should be present.


5. Switch to LON-CL1, and then open a Windows PowerShell command prompt in Administrator mode.

6. To examine the Main Mode Security Associations, at the command prompt, type the following
command, and then press Enter:

Get-NetIPsecMainModeSA

7. To examine the Quick Mode Security Associations, at the command prompt, type the following
command, and then press Enter:

Get-NetIPsecQuickModeSA

8. Running each command should present no result.

9. On LON-CL1, open Control Panel, open Windows Firewall, and then open Windows Firewall with
Advanced Security.

10. On LON-CL1, create a connection security rule with the following settings (a connection security
rule authenticates traffic; it does not by itself allow it):

o Rule: Isolation

o Requirements: Require authentication for inbound connections and request authentication


for outbound connections
o Authentication: Computer and user (Kerberos V5)

o Name: Authenticate all inbound connections

11. On LON-CL2, open Control Panel, open Windows Firewall, and then open Windows Firewall with
Advanced Security.
12. On LON-CL2, create the matching connection security rule with the following settings:

o Rule: Isolation
o Requirements: Require authentication for inbound connections and request authentication
for outbound connections

o Authentication: Computer and user (Kerberos V5)


o Name: Authenticate all inbound connections
13. On LON-CL2, ping LON-CL1.

14. Open Control Panel, open Windows Firewall, and then open the Advanced settings.

15. Examine the Security Associations monitoring.


16. Switch to LON-CL1.

17. To examine the Main Mode Security Associations, at the Windows PowerShell prompt, type the
following command, and then press Enter:

Get-NetIPsecMainModeSA

18. Review the result.

19. To examine the Quick Mode Security Associations, at the command prompt, type the following
command, and then press Enter:

Get-NetIPsecQuickModeSA

20. Review the result.
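Steps 13 through 20 of the demonstration, and the Monitoring topic's pointer to the ConnectionSecurity log, as an added example that is not part of the course text. Run on LON-CL1 once the isolation rules exist on both clients: the function generates traffic to a peer, then reports the Main Mode and Quick Mode SAs for that peer and, if none were established, pulls the newest ConnectionSecurity events to show why negotiation failed. The function name is an assumption; the SA property names are those the cmdlets expose. Run elevated.

```powershell
# Added example (not course code). Run elevated on LON-CL1 after the rules are in place.

function Test-IPsecPeer {
    param([Parameter(Mandatory)][string]$Peer)

    # Resolve the peer so the SA lists can be filtered by address.
    $ip = (Resolve-DnsName -Name $Peer -Type A -ErrorAction Stop |
           Where-Object { $_.IPAddress })[0].IPAddress

    # Any traffic that matches the isolation rule triggers negotiation; ICMP suffices.
    $reachable = Test-Connection -ComputerName $ip -Count 2 -Quiet

    # Main Mode SA: one per peer pair, carrying the authenticated identities and the
    # protection suite. Quick Mode SAs: the per-flow SAs that carry application data.
    $mainMode  = @(Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $ip })
    $quickMode = @(Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $ip })

    [pscustomobject]@{
        Peer         = $Peer
        PeerAddress  = $ip
        Reachable    = $reachable
        MainModeSAs  = $mainMode.Count
        QuickModeSAs = $quickMode.Count
        # Reachable but with no SAs means the traffic flowed unprotected (a Request
        # rule) or no rule matched; unreachable with no SAs means Require dropped it.
        Protected    = ($mainMode.Count -gt 0 -and $quickMode.Count -gt 0)
        MainMode     = $mainMode
    }
}

$result = Test-IPsecPeer -Peer 'LON-CL2'
$result | Select-Object Peer, PeerAddress, Reachable, MainModeSAs, QuickModeSAs, Protected

if ($result.Protected) {
    # Which identities and algorithms were actually negotiated.
    $result.MainMode |
        Select-Object LocalFirstId, RemoteFirstId, FirstAuthenticationMethod,
                      SecondAuthenticationMethod, CipherAlgorithm, HashAlgorithm, KeyModule |
        Format-List
} else {
    # Negotiation failures are recorded in the ConnectionSecurity operational log.
    Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity' `
                 -MaxEvents 20 |
        Select-Object TimeCreated, Id, Message | Format-List
}
```

Before the rules exist (steps 4 through 8 of the demonstration) the function reports Reachable True with zero SAs, which is the unprotected baseline; after both rules are in place the expected result is Reachable True with at least one SA of each kind and Kerberos identities in the FirstId fields.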



Check Your Knowledge


Question

Which of the following authentication options allows you to use a preshared key
when configuring a connection security rule?

Select the correct answer.

Computer and User (Kerberos V5)

Computer (Kerberos V5)

User (Kerberos V5)

Computer Certificate

Advanced

Lesson 4
Windows Defender
Malware might show up on your organizations computers and devices, despite your efforts to prevent it.
When this occurs, you must investigate it immediately and take appropriate action. Windows 10 includes
components that can help you identify and remove malware from your environments computers.

Lesson Objectives
After completing this lesson, you will be able to:

Describe malware.
Understand the sources of malware.

Describe ways of mitigating malware.

Use Windows Defender to detect and quarantine malware.

What Is Malware?
Malicious software, or malware, is software
that attackers design to harm computer systems.
Malware can do many things, from causing
damage to the computer, to allowing
unauthorized parties remote access to the
computer, to collecting and transmitting sensitive
information to unauthorized third parties. There
are several types of malware, including:

Computer viruses. This type of malware replicates by inserting a copy of its executable code into other
applications, operating-system files, data files, or low-level components, such as the BIOS firmware or
the boot sector.

Computer worms. Worms are a special form of malware that replicate without direct intervention.
Worms spread across networks and can infect other computers on a network, without requiring a user
to open an email attachment or file.

Trojan horses. This type of malware masquerades as legitimate software; a common payload provides an
attacker with remote access to the infected computer.

Ransomware. This type of malware encrypts user data, and the malware authors offer recovery only if
you pay a ransom. Paying does not guarantee that the data is returned; current, offline backups do.

Spyware. This type of malware tracks how a computer is used without the user's consent.

Discussion: What Are Sources of Malware?


Lead a discussion about the sources of malware, such as:

The methods through which devices become infected with malware, including through websites, email,
pirated software, video, and music files.

It is likely that students have experience with malware, either professionally or personally, so consider
discussing:

Ways in which malware has infected students' personal devices.

Ways in which malware has infected students' work devices.

Discussion: What Are Possible Mitigations for Malware Threats?


There are many ways that you can help protect against malware infection on your devices, including
that you:

Ensure that you apply all software and operating system updates to your devices.

Ensure that you install anti-malware software on your devices.

Ensure that anti-malware definitions are current.

Avoid risky behavior, such as consuming pirated software or media.

Avoid opening suspicious email attachments, even if they are from senders that you trust.

Point out to students that malware can infect the devices of even the most diligent people. For example,
users with good malware-avoidance habits might visit a reputable website that has been compromised
and that exploits an undisclosed vulnerability in popular software, one that the vendor has not fixed
because it is unaware that the vulnerability exists. These users' devices could become infected.
Additionally, point out that no anti-malware solution has a perfect detection rate. It is possible to take all
necessary precautions and still have your devices infected. Taking precautions only reduces the probability
that a person's device will be compromised by malware. It does not eliminate that possibility.

How Windows Defender Can Help

Windows Defender helps protect your computer from spyware, viruses, and other malware. Windows Defender is also Hyper-V-aware, which means that it detects when Windows 10 is running as a virtual machine. Windows Defender uses definitions to determine whether software it detects is unwanted, and it alerts you to potential risks. To help keep definitions up to date, Windows Defender automatically installs new definitions as they are released.

You can use Windows Defender to run a Quick, Full, or Custom scan. If you suspect that spyware has infected a specific area of a computer, you can customize a scan by selecting specific drives and folders. You also can configure the schedule that Windows Defender uses.

You can configure Windows Defender to exclude files, locations, and processes from a scan. Exclusions can make a scan finish more quickly, but every exclusion is a place where malware can hide, so keep the list short and review it periodically. When Windows Defender detects potential spyware activity, it stops the activity, and then it raises an alert.

Alert levels help you determine how to respond to spyware and unwanted software. You can configure how Windows Defender behaves when a scan identifies unwanted software. You also receive an alert if software attempts to change important Windows operating system settings.

To help prevent spyware and other unwanted software from running on a computer, turn on Windows Defender real-time protection.

Windows Defender includes automatic scanning options that provide regular scanning and on-demand scanning for malware. The following table identifies the scanning options.

Scan option   Description

Quick         Checks the areas that malware, including viruses, spyware, and unwanted software, is most likely to infect.

Full          Checks all files on your hard disk and all running programs.

Custom        Enables users to scan specific drives and folders.

As a best practice, schedule a daily Quick scan. If at any time you suspect that spyware has infected a computer, run a Full scan. While a scan runs, its progress displays on the Windows Defender Home page. When Windows Defender detects a potentially harmful file, it moves the file to a quarantine area, where the file cannot run and other processes cannot access it. Once the scan is complete, you can review what was quarantined: on the Settings page, select Quarantined items, and then click View to see the list. Review each item, and then individually Remove or Restore it. Alternatively, if you want to remove all quarantined items, click Remove All. The Allowed items list, which you maintain from the same page, holds detected software that you have chosen to let run.

Note: Do not restore software with severe or high alert ratings, because it can put your privacy and your computer's security at risk.

If you trust detected software, you can stop Windows Defender from alerting you to the risks that the software might pose by adding it to the Allowed list. If you decide to monitor the software again later, remove it from the Allowed list.

The next time Windows Defender alerts you about software that you want to include in the Allowed list, in the Alert dialog box, on the Action menu, click Allow, and then click Apply actions. You can review and remove software that you have allowed from the Excluded files and locations list on the Settings page. Treat the Allowed list with the same care as scan exclusions: an attacker who can add an entry to it has effectively whitelisted their own malware.

Demonstration: Using Windows Defender

In this demonstration, you will show students how to configure and use Windows Defender.

Demonstration Steps
1. On LON-CL1, open Control Panel, and then open Windows Defender.

2. On the Home page, perform a Quick scan, and then review the results.

3. Close Windows Defender.

4. Open File Explorer, and then browse to E:\Labfiles\Mod10.

5. In the Mod10 folder, open sample.txt in Notepad. The sample.txt file contains a text string that is designed to test malware detection.

6. In the sample.txt file, delete both instances of <remove>, including the brackets and any extra lines or blank spaces.

7. Save and close the file. Windows Defender immediately detects a potential threat.

8. Windows Defender then removes sample.txt from the Mod10 folder.

9. Open Control Panel, and then open Windows Defender.

10. On the History tab, click View Details, and then review the results.

11. Remove any quarantined files.

12. Close Windows Defender.



Lab: Managing Network Security

Scenario
Remote Desktop is enabled on all client systems through a Group Policy Object (GPO). However, as part of your infrastructure security plan, you must configure certain desktop systems, such as the Human Resources department systems, for limited exposure to remote connections. Before implementing firewall rules in a GPO, you want to validate your plan by manually configuring the rules on local systems. You decide to control this through local firewall rules that block traffic on the client systems, using LON-CL1 as a test computer.

A. Datum Corporation uses many outside consultants. The enterprise's management is concerned that consultants who are on the company network might be able to connect to unauthorized computers.

You are planning to use Windows Defender to check for malware every day. You also want to ensure that Windows Defender quarantines any files that it considers a severe risk to your systems' security.

Objectives
After completing this lab, you will be able to:
• Create and test an inbound firewall rule.

• Create and test an outbound firewall rule.

• Create and test a connection security rule.

• Configure Windows Defender.

Lab Setup
Estimated Time: 55 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, 20697-1B-LON-CL2

User name: Adatum\Administrator

Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must complete the following steps:

1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd

5. Repeat steps 2 through 3 for 20697-1B-LON-CL1 and 20697-1B-LON-CL2.



Exercise 1: Creating and Testing Inbound Rules


Scenario
You want to ensure that Windows Firewall blocks certain services. Therefore, you will configure and test a
firewall rule.

The main tasks for this exercise are as follows:


1. Test existing functionality.

2. Create an inbound rule.

3. Test the rule.

Task 1: Test existing functionality


1. Sign in to LON-CL2 as Adatum\Administrator.

2. Open the Search box, and then run mstsc to start a Remote Desktop Connection.

3. Connect to LON-CL1, and then sign in as Adatum\Administrator.

4. After verifying the connection, sign out of LON-CL1.

Task 2: Create an inbound rule


1. Sign in to LON-CL1 as Adatum\Administrator.

2. Open Control Panel, and then open Windows Firewall.


3. Create the following Inbound Rule:

o Rule Type: Predefined

o Rule Name: Remote Desktop

o Predefined Rules:
  Remote Desktop - Shadow (TCP-In)
  Remote Desktop - User Mode (TCP-In)
  Remote Desktop - User Mode (UDP-In)

o Action: Block the connection

4. Minimize the Windows Firewall with Advanced Security window.

Task 3: Test the rule


1. Switch to LON-CL2, and then start Remote Desktop Connection.
2. Connect to LON-CL1.

3. Verify that the connection attempt fails.

Results: After completing this exercise, you will have created and verified inbound firewall rules.

Exercise 2: Creating and Testing Outbound Rules


Scenario
You want to create a firewall rule that blocks specific types of outbound network traffic.

The main tasks for this exercise are as follows:

1. Test existing functionality.

2. Create an outbound rule.

3. Test the rule.

Task 1: Test existing functionality


1. Switch to LON-CL1.

2. Open the Start menu, and then run mstsc to start Remote Desktop Connection.
3. Connect to LON-DC1, and then sign in as Adatum\Administrator.

4. After verifying the connection, sign out of LON-DC1.

Task 2: Create an outbound rule


1. On LON-CL1, restore the Windows Firewall with Advanced Security window.
2. Create a new outbound rule with the following properties:

o Rule Type: Program


o Program: C:\Windows\System32\mstsc.exe
o Action: Block the connection

o Profile: Domain, Private, and Public


o Name: Block Outbound RDP to LON-DC1
3. Open the Properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.

4. Modify the scope so that the rule only applies to the remote IP address 172.16.0.10.

Task 3: Test the rule


1. Start the Remote Desktop Connection app.
2. Attempt to connect to LON-DC1, which should fail immediately.

3. Close all open windows.

Results: After completing this exercise, you will have created and tested outbound firewall rules.
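The inbound and outbound rules that Exercises 1 and 2 build in the Windows Firewall with Advanced Security console can also be created, inspected and removed from PowerShell, which is how you would carry them into a build script or compare them with the GPO version once the manual test passes. The following is an added example, not part of the course lab. It assumes the lab's addressing (LON-DC1 at 172.16.0.10, as Exercise 2 states), an elevated PowerShell prompt on LON-CL1, and that the inbound test is run from LON-CL2. The inbound block is expressed as explicit port rules rather than by copying the predefined group; the effect on RDP is the same.

```powershell
# Added example (not from the course lab). Run in an elevated PowerShell
# prompt on LON-CL1. Assumes LON-DC1 is 172.16.0.10, as in Exercise 2.
Import-Module NetSecurity

# --- Exercise 1: block inbound Remote Desktop ------------------------------
# RDP listens on TCP and UDP 3389. A Block rule always takes precedence over
# an Allow rule in Windows Firewall, so the GPO-delivered "Remote Desktop"
# allow rules can stay in place; these rules simply win against them.
New-NetFirewallRule -DisplayName 'Block Remote Desktop (TCP-In)' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Block -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'Block Remote Desktop (UDP-In)' `
    -Direction Inbound -Protocol UDP -LocalPort 3389 -Action Block -Profile Any | Out-Null

# --- Exercise 2: block outbound RDP from mstsc.exe to LON-DC1 ---------------
New-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1' `
    -Direction Outbound -Program 'C:\Windows\System32\mstsc.exe' `
    -RemoteAddress 172.16.0.10 -Action Block -Profile Domain,Private,Public | Out-Null

# --- Verify what was actually written, not just that the cmdlet returned ----
function Show-RuleDetail {
    param([Parameter(Mandatory)][string]$DisplayName)
    $rule = Get-NetFirewallRule -DisplayName $DisplayName
    [pscustomobject]@{
        Name      = $rule.DisplayName
        Enabled   = $rule.Enabled
        Direction = $rule.Direction
        Action    = $rule.Action
        Profile   = $rule.Profile
        Program   = ($rule | Get-NetFirewallApplicationFilter).Program
        Remote    = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        LocalPort = ($rule | Get-NetFirewallPortFilter).LocalPort
    }
}
'Block Remote Desktop (TCP-In)', 'Block Remote Desktop (UDP-In)', 'Block Outbound RDP to LON-DC1' |
    ForEach-Object { Show-RuleDetail -DisplayName $_ } | Format-Table -AutoSize

# Test from LON-CL2 (Exercise 1, Task 3): a blocked port reports
# TcpTestSucceeded = False, and mstsc fails before the sign-in screen.
#   Test-NetConnection -ComputerName LON-CL1 -Port 3389

# Test on LON-CL1 (Exercise 2, Task 3): mstsc.exe cannot reach the DC, but
# the rule is keyed on the program path, so the port itself is still open
# outbound. This probe is not mstsc.exe and therefore still succeeds:
#   Test-NetConnection -ComputerName LON-DC1 -Port 3389

# Clean up once the GPO version replaces the local test rules.
#   Get-NetFirewallRule -DisplayName 'Block Remote Desktop (*-In)', 'Block Outbound RDP to LON-DC1' |
#       Remove-NetFirewallRule
```

Note the difference between the two tests: the inbound block is by port, so nothing reaches the RDP listener, while the outbound block is by program, so any other RDP client (or a renamed copy of mstsc.exe) is not covered. If the goal in the scenario is to stop consultants' machines from reaching the DC over RDP, a port-and-address rule, or better the connection security rules of Exercise 3, is the control to rely on.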

Exercise 3: Creating and Testing Connection Security Rules


Scenario
You need to create connection security rules to ensure proper protection for network traffic. You also
need to verify that these rules are functioning correctly.

The main tasks for this exercise are as follows:


1. Verify that communications are not secure.

2. Create the Connection Security Rule.

3. Verify the rule, and monitor the connection.

Task 1: Verify that communications are not secure


1. Sign in to LON-CL2 as Adatum\Administrator.

2. Ping LON-CL1.

3. Open Control Panel, open Windows Firewall, and then open the Advanced settings.

4. Examine the Security Associations monitoring. No information should be present.

5. Switch to LON-CL1. To examine the Main Mode Security Associations, at the Windows PowerShell command prompt, type the following cmdlet, and then press Enter:

Get-NetIPsecMainModeSA

6. To examine the Quick Mode Security Associations, at the Windows PowerShell command prompt, type the following cmdlet, and then press Enter:

Get-NetIPsecQuickModeSA

7. Running each command should return no results, because no connection security rule exists yet.

Task 2: Create the Connection Security Rule


1. On LON-CL1, open Control Panel, open Windows Firewall, and then open Windows Firewall with Advanced Security.

2. Create a connection security rule on LON-CL1 with the following settings:

o Rule: Isolation

o Requirements: Require authentication for inbound connections and request authentication for outbound connections

o Authentication: Computer and user (Kerberos V5)

o Name: Authenticate all inbound connections

3. On LON-CL2, open Control Panel, open Windows Firewall, and then open Windows Firewall with Advanced Security.

4. Create a connection security rule on LON-CL2 with the same settings:

o Rule: Isolation

o Requirements: Require authentication for inbound connections and request authentication for outbound connections

o Authentication: Computer and user (Kerberos V5)

o Name: Authenticate all inbound connections



Task 3: Verify the rule, and monitor the connection


1. On LON-CL2, ping LON-CL1.

2. Open Control Panel, open Windows Firewall, and then open the Advanced settings.

3. Examine the Security Associations monitoring.

4. Switch to LON-CL1.

5. To examine the Main Mode Security Associations, at the Windows PowerShell command prompt, type
the following cmdlet, and then press Enter:

Get-NetIPsecMainModeSA

6. Review the results.

7. To examine the Quick Mode Security Associations, at the command prompt, type the following
cmdlet, and then press Enter:

Get-NetIPsecQuickModeSA

8. Review the results.

Results: After completing this exercise, you will have created and tested connection security rules.
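The isolation rule from Exercise 3 is built here with the NetSecurity cmdlets, together with the verification that Task 3 performs by hand. This is an added example, not the lab's own steps. It assumes an elevated PowerShell prompt, that the script is run on LON-CL1 and then on LON-CL2 (both ends need the policy, exactly as the lab creates it on both machines), and that both machines are members of the Adatum domain so that Kerberos tickets can be obtained.

```powershell
# Added example (not the lab's own steps). Run in an elevated PowerShell
# prompt on LON-CL1, and then again on LON-CL2: because LON-CL1 *requires*
# authentication for inbound traffic, LON-CL2 must carry a matching policy
# or its pings simply go unanswered.
Import-Module NetSecurity

# The wizard's "Computer and user (Kerberos V5)" is two authentication sets:
# phase 1 (main mode) proves the computer account; phase 2 (quick mode)
# additionally proves the signed-in user. Both need domain membership and a
# reachable domain controller, because the tickets come from Kerberos.
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Computer Kerberos V5' -Proposal $machineKerb
$userKerb = New-NetIPsecAuthProposal -User -Kerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'User Kerberos V5' -Proposal $userKerb

# The isolation rule itself. Require on inbound: a peer that cannot
# authenticate (a consultant's non-domain laptop, in the lab scenario) is
# dropped. Request on outbound: this host still talks in the clear to peers
# that have no IPsec policy, so it can keep reaching LON-DC1.
New-NetIPsecRule -DisplayName 'Authenticate all inbound connections' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name

# Task 3 verification: drive some traffic, then count the security
# associations that the lab reads with Get-NetIPsecMainModeSA/QuickModeSA.
# Before the rule exists on both ends, both counts are 0 (Task 1).
function Get-IPsecSummary {
    param([Parameter(Mandatory)][string]$Peer)
    $reachable = Test-NetConnection -ComputerName $Peer -InformationLevel Quiet
    [pscustomobject]@{
        Peer         = $Peer
        Reachable    = $reachable
        MainModeSAs  = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue).Count
        QuickModeSAs = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue).Count
    }
}
Get-IPsecSummary -Peer 'LON-CL2'

# The detail the lab asks you to review: who the peer is and how it proved
# its identity (main mode), and which flows are protected (quick mode).
Get-NetIPsecMainModeSA  | Format-List LocalEndpoint, RemoteEndpoint, *Auth*, *Id
Get-NetIPsecQuickModeSA | Format-List LocalEndpoint, RemoteEndpoint, *Port, *Protocol*
```

Two things to watch when this leaves the lab. First, the rule is symmetric only because it is applied on both clients: a machine that has the rule but whose peer does not will still reach that peer (outbound is only Request), while the peer cannot initiate anything to it. In this lab that includes LON-DC1, which has no policy: clients can reach the DC, but anything the DC initiates toward a client is dropped. Second, a Require-inbound policy with Kerberos authentication is only as available as the domain controller; plan the exemptions for DCs and other infrastructure before deploying it through a GPO.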

Exercise 4: Configuring Windows Defender


Scenario
You need to ensure that Windows Defender is identifying and quarantining malware correctly. Therefore,
you will test the product against a file that it should quarantine.
The main tasks for this exercise are as follows:

1. Perform a quick scan.


2. Introduce suspicious software.
3. View the quarantined file.

Task 1: Perform a quick scan


1. On LON-CL1, open Control Panel, and then open Windows Defender.

2. On the Home page, perform a Quick scan, and then review the results.
3. Close Windows Defender.

Task 2: Introduce suspicious software

1. Open File Explorer, and then browse to E:\Labfiles\Mod10.

2. In the Mod10 folder, open sample.txt in Notepad. The sample.txt file contains a text string that is designed to test malware detection.

3. In the sample.txt file, delete both instances of <remove>, including the brackets and any extra lines or blank spaces.

4. Save and close the file. Windows Defender immediately detects a potential threat.

5. Windows Defender then removes sample.txt from the Mod10 folder.



Task 3: View the quarantined file


1. Open Control Panel, and then open Windows Defender.

2. On the History tab, click View Details, and then review the results.

3. Remove any quarantined files.

4. Close Windows Defender.

Results: After completing this exercise, you will have configured and tested Windows Defender.
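The Windows Defender tasks from the lesson (definition updates, a scheduled daily Quick scan, exclusions, the three scan types, reviewing quarantine) and from Exercise 4 (quick scan, then inspecting and clearing what was quarantined) can all be done with the Defender PowerShell module that ships with Windows 10, which is what you would use to check a fleet rather than one Control Panel window. The following is an added example and not the course's demonstration or lab steps; it assumes an elevated prompt on LON-CL1 and the lab path E:\Labfiles\Mod10.

```powershell
# Added example (not the course's demonstration or lab steps). Run in an
# elevated PowerShell prompt on LON-CL1. The Defender module ships with
# Windows 10; the only assumed path is the lab's E:\Labfiles\Mod10.
Import-Module Defender

function Get-DefenderPosture {
    # The state the mitigation discussion asks you to maintain: engine on,
    # real-time protection on, definitions fresh, a recent quick scan.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        SignatureUpdated   = $s.AntivirusSignatureLastUpdated
        QuickScanAgeDays   = $s.QuickScanAge
        FullScanAgeDays    = $s.FullScanAge
    }
}
Get-DefenderPosture

# Lesson best practice: current definitions and a daily Quick scan.
Update-MpSignature
Set-MpPreference -ScanScheduleDay Everyday -ScanScheduleQuickScanTime 02:00:00

# Exclusions are what the lesson warns about: every entry is a place a scan
# will not look. Audit them and remove any you cannot explain
# (Add-MpPreference / Remove-MpPreference change the lists).
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension

# The three scan types from the lesson's table.
Start-MpScan -ScanType QuickScan                                  # Exercise 4, Task 1
# Start-MpScan -ScanType FullScan
# Start-MpScan -ScanType CustomScan -ScanPath 'E:\Labfiles\Mod10'

# Exercise 4, Task 3: what was detected, by which process, and what
# happened to it (the History tab's "View Details").
function Get-RecentDetection {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        Sort-Object InitialDetectionTime -Descending |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, DomainUser,
                      @{ n = 'Resources'; e = { $_.Resources -join '; ' } }
}
Get-RecentDetection
Get-MpThreat | Select-Object ThreatName, SeverityID, IsActive, RollupStatus

# Quarantine contents, and the lab's "Remove any quarantined files".
# MpCmdRun.exe is Defender's command-line tool; -Restore -ListAll only lists.
& "$env:ProgramFiles\Windows Defender\MpCmdRun.exe" -Restore -ListAll
Remove-MpThreat   # remediates every threat that Defender still flags as active
```

Get-DefenderPosture is the check worth running on every machine, because the two ways a diligent user still gets infected (stale definitions, real-time protection switched off) both show up there before a scan ever runs. The detection functions are also what you would wire into a scheduled task or a remote session to collect history centrally, instead of opening the History tab on each computer.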

Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.


4. Repeat steps 2 and 3 for 20697-1B-LON-CL1 and 20697-1B-LON-CL2.

Module Review and Takeaways


Review Question
Question: Why is it important to have a firewall on the host and a firewall on the perimeter
network?

Module 11
Troubleshooting and Recovery
Contents:
Module Overview 11-1
Lesson 1: Managing Devices and Drivers 11-2
Lesson 2: Recovering Files 11-10
Lesson 3: Recovering Devices 11-18
Lab: Troubleshooting and Recovery 11-29
Module Review and Takeaways 11-37

Module Overview
Users often do not think about troubleshooting and recovery until they are dealing with a computer failure or an outage caused by a natural disaster. By then, it might be too late to recover data or devices. Therefore, it is important that you familiarize yourself with the recovery and restore tools in Windows 10, and learn how to use them. Some of these tools, such as the Previous Versions feature, are very user-friendly and show several improvements in Windows 10. Other tools, such as the Backup and Restore (Windows 7) tool and the advanced startup tools in the recovery environment, require administrator credentials and more experience. In this module, you will learn about file and device recovery features in Windows 10. You will also test these features in the hands-on lab at the end of the module.

Objectives
After completing this module, you will be able to:
Describe and manage device drivers.

Configure file recovery and revert to previous versions of files.

Describe and use device recovery features in Windows 10.



Lesson 1
Managing Devices and Drivers
Windows 10 uses device drivers to control and communicate with a variety of hardware devices. A device driver is a program that communicates with a hardware device on one side and with the operating system on the other. Device drivers are a critical part of the operating system: the operating system cannot use a device if its driver is unavailable.

Device drivers execute in the operating system kernel and have access to all system resources, so a buggy or malicious driver can compromise the entire system. Thorough testing of device drivers is therefore very important. A digital signature from a trusted authority proves who published a driver and that it has not been altered since it was signed; it is the basis on which Windows decides whether to load the driver, although it is not a guarantee that the driver is free of defects. The 64-bit versions of Windows 10 enforce this requirement and do not load drivers that a trusted authority has not digitally signed (unless an administrator deliberately disables signature enforcement from the advanced startup options, which should be treated as a troubleshooting measure only). The 32-bit versions of Windows 10 warn users about unsigned drivers, but permit their use.
In this lesson, you will learn about device drivers and how you can install them in Windows 10. You will
also learn more about tools for managing device drivers, particularly Device Manager, and how to use
them. Because device drivers are critical for operating system stability, you will also learn how to revert to
previous versions of device drivers by using Driver Roll Back, if a newer version of the device driver causes
problems.

Lesson Objectives
After completing this lesson, you will be able to:
• Explain the use and importance of device drivers.

• Explain how to manage device drivers by using Device Manager.

• Explain how to use the Driver Roll Back feature.

• Manage device drivers.

What Is a Device Driver?

The Windows operating system has two layers:
• The kernel mode, which is privileged and has full access to everything on the system.

• The user mode, in which user apps and administrative tools run.

The kernel mode includes the hardware abstraction layer (HAL), which abstracts the operating system from the physical hardware. HAL enables the same operating system to use and interact with different hardware and devices. HAL uses common interfaces to communicate with device drivers, which are small, device-specific software packages that control and communicate with devices. Device drivers are specific to the family of Windows operating systems. Without device drivers, you cannot use the hardware devices that you connect to a computer. Windows 10 includes device drivers for tens of thousands of devices. If Windows 10 does not include the device driver for the device that you want to use, additional device drivers are available online through Windows Update. You can also obtain required device drivers from the manufacturer's website, or from the media that came with the device.

32-bit and 64-bit drivers


Windows 10 is available in 32-bit and 64-bit versions. Drivers developed for the 32-bit versions do not
work with the 64-bit versions, and vice versa. To avoid problems, ensure that you obtain the appropriate
device drivers for your version of Windows 10.

Driver packages
A driver package is the set of files that make up a driver. A driver package includes:

• The .inf file.

• Any files that the .inf file references (typically the driver binary, a .sys file).

• The catalog (.cat) file that contains the digital signature of the device driver.

Note: The device drivers that Windows 10 includes have a Microsoft digital signature, which indicates that the driver has met a certain level of testing and has not been altered since it was digitally signed. The 32-bit versions of Windows 10 check for a driver's digital signature during driver installation and prompt the user if the driver is unsigned. The 64-bit versions of Windows 10 require that all drivers have a digital signature, and do not allow you to install unsigned device drivers.

Driver store
The driver store is the Windows 10 driver package repository. Because the driver store is a trusted
location, when you connect compatible hardware, Windows 10 installs the driver for the appropriate
device automatically from the driver store. Standard users can install any device driver from the driver
store. Therefore, users can attach and use new devices without help from the IT helpdesk, if their driver
package is in the driver store. Information technology (IT) administrators can preload the driver store
with the necessary driver packages for commonly used devices. The driver store is located at
%SystemRoot%\System32\DriverStore.

Installing a device driver

Installing a device driver is a two-stage process. First, you install (stage) the driver package into the driver store. You can do this even if you have not attached the device to the computer. You must use administrator credentials to install the driver package into the driver store. The second stage is attaching the device to the computer: Windows 10 detects the device and installs the driver from the driver store. A standard user can perform the second stage, because it does not require administrative permissions.

Depending on how the device driver is packaged, you can install it in different ways. If the device driver has its own installation program (for example, setup.exe), you run the installation program, which installs the driver package into the driver store. If you attach a device to the computer and its driver package is not in the driver store, Windows 10 searches for a matching driver package in several locations: the folders listed in the DevicePath registry entry (which you can customize) and the Windows Update site. If Windows 10 finds a driver package, it first installs the package into the driver store, and then installs the driver from the driver store to the system. You can also stage a driver package manually by using the pnputil.exe command.

Note: If multiple driver packages are available for the same device, Windows 10 uses ranking to decide which driver to use. The ranking process evaluates criteria such as:

• Is the driver signed or not?

• Is the driver specific to the attached device, or written for a compatible set of devices?

• What is the driver version?

Note: You can view the list of installed device drivers by using the driverquery.exe tool.

Question: Can you use a 32-bit device driver with the 64-bit versions of Windows 10?

Question: Can you use an unsigned device driver with a 32-bit version of Windows 10?

Question: What is the difference between a driver and a driver package?
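The two-stage installation and the signing rules described above can be exercised from the command line: check the package's catalog signature, stage the package with pnputil.exe, and then inventory what the driver store and the running system contain, including any driver that is not signed. The following is an added example, not part of the course; it assumes an elevated PowerShell prompt and uses the folder E:\Labfiles\Mod11\dc3dh that the module's demonstration stages (substitute your own package folder). The functions are hypothetical helpers written for this example; pnputil.exe, driverquery.exe and Get-WindowsDriver are the real tools.

```powershell
# Added example (not from the course). Run in an elevated PowerShell prompt.
# Assumed path: the package the module demonstration stages lives in
# E:\Labfiles\Mod11\dc3dh; substitute your own package folder.
$package = 'E:\Labfiles\Mod11\dc3dh'

function Test-DriverPackageSignature {
    # Check the catalog signature *before* staging: the .cat file carries
    # the signature for every file the .inf references. 64-bit Windows 10
    # refuses an unsigned or tampered package anyway, but 32-bit Windows 10
    # only prompts, so make the check explicit.
    param([Parameter(Mandatory)][string]$PackagePath)
    Get-ChildItem -Path $PackagePath -Filter *.cat | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Catalog = $_.Name
            Status  = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer  = $sig.SignerCertificate.Subject
        }
    }
}
Test-DriverPackageSignature -PackagePath $package

# Stage 1 of installation: copy the package into the driver store
# (%SystemRoot%\System32\DriverStore). Needs administrator rights; the
# device does not have to be attached yet. Stage 2 happens on its own when
# the device is plugged in, and a standard user can do that.
pnputil.exe -a "$package\*.inf"

# Third-party packages now in the store (published as oemNN.inf).
pnputil.exe -e

# The same inventory with structured output, from the DISM module.
Get-WindowsDriver -Online |
    Select-Object Driver, OriginalFileName, ProviderName, ClassName, Version, Date |
    Sort-Object Date -Descending

function Get-UnsignedInstalledDriver {
    # driverquery.exe is the tool the lesson names for listing installed
    # drivers; /si adds the signing column. Anything FALSE here deserves a
    # look: on 64-bit Windows 10 it should not be possible unless signature
    # enforcement was switched off.
    driverquery.exe /si /fo csv | ConvertFrom-Csv |
        Where-Object { $_.IsSigned -ne 'TRUE' } |
        Select-Object DeviceName, InfName, IsSigned, Manufacturer
}
Get-UnsignedInstalledDriver
```

Get-UnsignedInstalledDriver is the part worth keeping: an empty result on a 64-bit machine is the expected state, and a non-empty one means either that enforcement is off or that a test-signed driver was loaded, both of which are findings in their own right.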

Using Device Manager

In most cases, Windows 10 detects devices and installs device drivers automatically. Windows 10 has several tools that you can use if you need to list installed devices, change device settings, or troubleshoot devices that do not work correctly. Device Manager is the most widely used tool for this purpose. It provides a list of all detected devices and the resources they use, and you can use it for troubleshooting. If you need to modify basic device settings, you can use the Devices section in the Settings app. You can also use the Devices and Printers item in Control Panel, in which you can view and manage devices that are connected to your computer. To perform basic device management from a script, you can use the Windows PowerShell cmdlets in the PnpDevice module.

Device Manager
You can use Device Manager to install and update device drivers, disable or enable devices, use Driver Roll Back, change the resources that devices use, such as interrupt requests (IRQs), and troubleshoot device problems. You can also view currently connected devices and the resources they use, by device type or by connection. The Device Manager view updates dynamically when the status of a connected device changes, or you can refresh it manually by clicking the option to scan for hardware changes.

You can open Device Manager in one of the following ways:

• Right-click the Start button, and then click Device Manager.

• Type Device Manager or devmgmt.msc in the Search the web and Windows box.

• Click the Device Manager node in Computer Management.

You can perform the following tasks in Device Manager:

• View a list of connected devices. View all the currently installed devices by their type, by their connection to the computer, or by the resources they use. Device Manager recreates this device list after every system restart or dynamic change.

• View detailed properties for the connected devices. This is the data that the system obtains from the connected device, such as the device's Hardware IDs, Model, and Friendly name.

• Uninstall a device. Uninstall the device driver and remove the driver software from the computer.

• Enable or disable devices. If you want a device to remain attached to a computer without enabling it, you can disable the device instead of uninstalling it. Disabling a device is different from uninstalling it, because you disable only the driver, and the hardware configuration remains unchanged. You can recognize disabled devices by the downward-pointing arrow next to the device icon in Device Manager.

• Troubleshoot devices. Determine whether the hardware on a computer is working properly. If a device is not operating correctly, or if the device driver for a device is unavailable, the device icon has an exclamation point (!) in a yellow triangle next to it.

• Update device drivers. If you have an updated driver for a device, you can use Device Manager to install it.

• Roll back drivers. If you experience system problems after updating a driver, you can roll back to the previous driver. This reinstalls the last device driver that was functioning before the current device driver was installed.

Device Manager shows each connected device by using an icon. The status of a device shows whether the device has a driver installed and whether the Windows operating system can communicate with the device. For example, if a device is missing its device driver, the device icon appears below the Other devices node and has an exclamation point (!) in a yellow triangle next to it. The device icon also has an exclamation point in a yellow triangle next to it if it has some other issue, such as the device driver not starting. If you disable the device, its icon displays a downward-pointing arrow next to it. You can also view the status of a device by right-clicking it and then clicking Properties.

By default, Device Manager does not show hidden devices. The most common types of hidden devices are
devices that do not support Plug and Play (PnP), storage volumes, and internal network adapters. To view
hidden devices in Device Manager, click View, and then click Show hidden devices.

Note: You can use Device Manager only to manage devices on the local computer. The remote access to the PnP remote procedure call (RPC) interface that Windows 8 included is not available in Windows 10. As a result, you cannot use Device Manager to connect to a remote Windows 10-based computer. If you try to use Device Manager to connect to a remote computer, you get an error message saying that access is denied. (The PnpDevice cmdlets, by contrast, can be run against a remote computer through a CIM session or PowerShell remoting.)

Devices and Printers


After you connect an external device, it appears in Devices and Printers. You can also use this tool to add
a printer manually, if it is not detected automatically, which might happen if it is shared over the network,
for example. Devices and Printers also displays multifunction devices, and lets you manage them as one
device, instead of individual printer, scanner, and fax devices. For example, when you connect a web
camera to your computer, Devices and Printers displays it as a single device, whereas Device Manager
shows the same device as an Audio input and output device, an Imaging device, and a Sound, video and
game controller device.

Devices in the Settings app


You can perform very basic device management by using the Devices section in the Settings app in
Windows 10. The interface is optimized for touch, and includes links to Device Manager and to Devices
and Printers for advanced management. You can add printers, faxes, and other devices here, and also
specify if users can download drivers over metered connections, configure spelling, AutoPlay, mouse, and
touchpad settings.

Windows PowerShell
Windows 10 includes several Windows PowerShell cmdlets for managing devices.

Cmdlet Description

Enable-PnpDevice Enables a PnP device.

Disable-PnpDevice Disables a PnP device.

Get-PnpDevice Displays information about PnP devices.

Get-PnpDeviceProperty Displays detailed properties for a PnP device.

Question: Can you use Device Manager to manage devices on a remote Windows 10-based computer?

Question: How does Devices and Printers display a multifunction device that you connect to a Windows 10-based computer differently than Device Manager?
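The PnpDevice cmdlets in the table above cover the troubleshooting tasks that the Device Manager list describes: finding devices with a problem status, reading the hardware IDs and driver details that determine which package was ranked for a device, and disabling a device without uninstalling it. The following is an added example, not part of the course, and the two functions are hypothetical helpers written for it; it assumes an elevated PowerShell prompt on a Windows 10 computer with a PS/2 keyboard (the device the module's demonstration later updates).

```powershell
# Added example (not from the course). Run in an elevated PowerShell prompt.
Import-Module PnpDevice

function Get-ProblemDevice {
    # The devices Device Manager would flag with the yellow "!" icon:
    # anything present whose status is not OK (missing driver, driver
    # failed to start, resource conflict, ...).
    Get-PnpDevice -PresentOnly | Where-Object { $_.Status -ne 'OK' } |
        Select-Object Status, Class, FriendlyName, InstanceId
}

function Get-DeviceDriverInfo {
    # The Hardware IDs are what the ranking process matches against the
    # .inf files in the driver store; the driver keys show which package
    # actually won and who provided it.
    param([Parameter(Mandatory)][string]$InstanceId)
    $keys = 'DEVPKEY_Device_HardwareIds',
            'DEVPKEY_Device_DriverVersion',
            'DEVPKEY_Device_DriverProvider',
            'DEVPKEY_Device_DriverInfPath'
    Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $keys |
        Select-Object KeyName, Data
}

# 1. Anything with an error state on this computer
Get-ProblemDevice

# 2. Driver details for the keyboard the demonstration updates and rolls back
$kbd = Get-PnpDevice -Class Keyboard -PresentOnly | Select-Object -First 1
$kbd | Select-Object Status, FriendlyName, InstanceId
Get-DeviceDriverInfo -InstanceId $kbd.InstanceId

# 3. Disable instead of uninstall: the hardware configuration stays, only
#    the driver is stopped, and Enable-PnpDevice reverses it. Shown here
#    against the keyboard only as an illustration; do not run it on your
#    only input device.
#    Disable-PnpDevice -InstanceId $kbd.InstanceId -Confirm:$false
#    Enable-PnpDevice  -InstanceId $kbd.InstanceId -Confirm:$false
```

The useful pairing is Get-ProblemDevice followed by Get-DeviceDriverInfo on each result: the first tells you which devices Device Manager would flag, the second tells you whether the problem is a missing match (no driver keys), a wrong match (an unexpected provider or .inf), or a version you recently updated and may want to roll back.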

Driver Roll Back

Driver Roll Back is a system-recovery feature that is available on the Driver tab of a device's property page in Device Manager. Driver Roll Back reinstalls the last device driver that was functioning and overwrites the current device driver. This enables users to recover from system problems caused by the installation or update of a particular driver. Driver Roll Back is nondestructive: it replaces only the device driver, and leaves system settings and user data intact. It supports only a single level of rollback: after a rollback, the Roll Back Driver button is unavailable again until the driver is next updated.

Note: The Roll Back Driver button is available only if the driver for the device has been updated at least once, so that a previous version exists to return to. If the current driver for the device is the only one that has ever been installed on the computer, the Roll Back Driver button is grayed out and unavailable.

Windows 10 backs up only drivers that were active and functional; it does not back up inactive or malfunctioning drivers. Driver Roll Back is available for any device except printers (print queues). Printers cannot use Driver Roll Back, because you cannot manage printers through Device Manager; you use Devices and Printers to configure printers.

Note: If a malfunctioning driver is preventing Windows 10 from starting normally, you can start the computer in safe mode and then use the Roll Back Driver option.

Note: If a malfunctioning driver is preventing Windows 10 from starting normally, you can
start the computer in safe mode and then use the Roll Back Driver option.

To roll back a driver, use the following procedure:

1. Open Device Manager.

2. Right-click the device to roll back, and then click Properties.

3. In the Properties dialog box, click the Driver tab, and then click Roll Back Driver.

4. In the Driver Package rollback dialog box, click Yes.

Note: Rolling back a driver can cause the loss of new functionality, and can reintroduce problems (including security fixes) that the newer version addressed.

Driver Roll Back replaces only the current device driver with the previous device driver, so it is a nondestructive operation. Sometimes, when you install a device driver, the installation program also modifies other system settings. In such cases, Driver Roll Back might not resolve all the issues, and you might have to consider System Restore, which reverts system settings but preserves user data. As a last resort, you can use the Reset this PC option, System image recovery, or Backup and Restore (Windows 7).

System Restore
In rare cases, after you install a device or update a device driver, a computer might not start. This problem might occur because:

• The new device or driver conflicts with other drivers on the computer.

• A hardware-specific issue occurs.

• The installed driver is damaged.

Sometimes, performing a driver rollback is not sufficient to recover from a computer problem. If you are unable to recover a computer by performing a driver rollback, consider using System Restore. Use System Restore when you want to retain all new data and changes to existing files, but still want to restore the system to a point when it was running well. Windows 10 lets you return a computer to the way it was at a previous point in time without deleting any personal files. System Restore is reversible, because it creates an undo restore point before the restore operation starts.

Note: You can learn more about System Restore later in this module.

Question: Why is the Roll Back Driver option unavailable for some devices?

Question: Can you roll back device drivers for printers in Device Manager?

Demonstration: Managing Device Drivers


In this demonstration, you will see how to:

Update a device driver.

Roll back a device driver.

Install a driver into the driver store.



Demonstration Steps
1. In LON-CL1, use Device Manager to show the properties of the Standard PS/2 Keyboard. Look at the
Driver tab and note that the Roll Back Driver button is not available.

2. Update the driver for Standard PS/2 Keyboard with the driver for PC/AT Enhanced PS/2 Keyboard
(101/102 Key).

3. Note that the dialog box is now titled PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties,
and that the Roll Back Driver button is available.

4. Roll back the driver for PC/AT Enhanced PS/2 Keyboard (101/102 Key), and do not restart the
computer.
5. Note that the dialog box is now titled Standard PS/2 Keyboard Properties, and the Roll Back
Driver option is not available, because driver rollback can go back by only one version.

6. In File Explorer, sort the contents of the C:\Windows\System32\DriverStore\FileRepository folder
by date modified, and note that the folder at the top of the list was created most recently.

7. Use the command prompt to run the following command:

pnputil -a E:\Labfiles\Mod11\dc3dh\*.inf

8. In File Explorer, note that the top folder was created when you installed the driver package. View the
contents of the folder, and note that it contains driver package files.
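As an added example for steps 6 through 8 (this is not part of the course text), the following Windows PowerShell script stages the same lab package, but first checks who signed the package's catalog file, and afterwards shows exactly which FileRepository folder the staging created. It assumes the lab path E:\Labfiles\Mod11\dc3dh and an elevated session on LON-CL1.

```powershell
# Added example (not part of the course text). Run from an elevated Windows
# PowerShell session on LON-CL1. The package path is the lab path from step 7;
# the signature check and the FileRepository diff are additions that show who
# signed the driver and what pnputil actually changed in the driver store.
$PackageDir = 'E:\Labfiles\Mod11\dc3dh'
$Repository = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'

# 1. A driver package is signed through its catalog (.cat) file. 64-bit Windows 10
#    rejects an unsigned package anyway, but checking here reports the signer
#    before the kernel is ever asked to load the driver.
$catalogs = @(Get-ChildItem -Path $PackageDir -Filter *.cat -File)
if ($catalogs.Count -eq 0) { throw "No catalog file in $PackageDir; package is unsigned" }
foreach ($cat in $catalogs) {
    $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
    if ($sig.Status -ne 'Valid') {
        throw "$($cat.Name): signature status is '$($sig.Status)'"
    }
    '{0}: signed by {1}' -f $cat.Name, $sig.SignerCertificate.Subject
}

# 2. Snapshot the driver store folder names, stage the package, then diff.
$before = @(Get-ChildItem -Path $Repository -Directory | ForEach-Object Name)

# Same command as step 7 (legacy syntax); 'pnputil /add-driver <inf>' is the
# equivalent on Windows 10 version 1607 and later.
pnputil -a (Join-Path $PackageDir '*.inf')
if ($LASTEXITCODE -ne 0) { throw "pnputil returned exit code $LASTEXITCODE" }

$after = @(Get-ChildItem -Path $Repository -Directory | ForEach-Object Name)
$added = Compare-Object -ReferenceObject $before -DifferenceObject $after |
         Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject

# 3. Each new folder is one staged package; its contents are the driver package
#    files that step 8 has you inspect in File Explorer.
foreach ($name in $added) {
    $dir = Join-Path $Repository $name
    '{0}  (created {1:yyyy-MM-dd HH:mm:ss})' -f $name, (Get-Item $dir).CreationTime
    Get-ChildItem -Path $dir -File | Select-Object Name, Length | Format-Table -AutoSize
}

# 4. The driver store inventory lists the same package as an oemNN.inf entry.
Get-WindowsDriver -Online |
    Sort-Object Date -Descending |
    Select-Object -First 3 Driver, OriginalFileName, ProviderName, ClassName, Date |
    Format-Table -AutoSize
```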

Check Your Knowledge


Question

From which tool or tools can you perform a driver rollback operation for printers?

Select the correct answer.

Device Manager

Devices and Printers

Devices in Windows 10 Settings

All of the above

None of the above



Check Your Knowledge


Question

Which command or Windows PowerShell cmdlet can you use to install a driver
package in the driver store of a Windows 10-based computer running in normal
mode?

Select the correct answer.

Msconfig.exe

Driverquery.exe

Pnputil.exe

Add-WindowsDriver

Get-SystemDriver

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can disable the DVD-ROM drive on a remote Windows 10-based
computer by using Device Manager.

Lesson 2
Recovering Files
Although you might implement a file-recovery strategy for user data that is stored on network file servers
or network-accessible storage devices, you should remember that users often save their work to local
storage. Consequently, it is important that you provide some method of local file recovery so that you
can recover these data files if users delete them accidentally or they become corrupted.

In this lesson, you will learn about file backup and recovery tools in Windows 10. If you are a long-time
Windows user, you will recognize some of these tools, such as Backup and Restore (Windows 7) or the
Previous Versions feature. Previous Versions enables users to view and recover files that they modified or
deleted by mistake. As the name suggests, the Backup and Restore (Windows 7) tool provides backup and
recovery in Windows 7, but you can also use it in Windows 10. File History is a user data protection
mechanism, which periodically copies user data to a local or network drive, and enables users to recover
files if needed.

Lesson Objectives
After completing this lesson, you will be able to:

Explain the file recovery methods and tools in Windows 10.

Describe and configure File History.

Use File History to recover files.

Configure and use the Backup and Restore (Windows 7) tool in Windows 10.

Describe and use the Previous Versions feature.

File Recovery Methods in Windows 10


A computer contains different types of data that it
stores in different locations. Computer data types
include operating system configuration files, app
settings, user-related settings, and user data files.
The latter can include documents, images,
spreadsheets, and other types of files. Although
computers are very reliable and most operating
systems are robust and recoverable, problems do
occur. Sometimes these problems can result in
data loss.
To prevent data loss, it is best to store user data
on file servers, where it is highly available and
centrally backed up. Windows features such as Folder Redirection and mapped drives provide users with
transparent and seamless access to storage on file servers. However, users sometimes store data locally.
Therefore, you must be able to recover local data in case of hardware failure or other scenarios such as:

A user accidentally modifies or deletes a file or an entire folder.

Malware or a virus infects a computer and modifies or encrypts user files.

A user modifies a file several times but later decides that all the changes were unnecessary, and
requires the original file.


A natural disaster such as a fire, flood, or tornado damages the computer.

A user's data does not synchronize with the file server for a month, and during this period, someone
steals the user's laptop.

A computer stores data files and settings in several locations, and you need to ensure that you protect all
of them. Windows 10 includes several tools that can help you protect data and make backup copies of
local files. Some of these tools and features are:

Folder Redirection and Offline Files. In a domain environment, Folder Redirection redirects local
folders from the user profile to the file server. Offline Files makes a local copy of redirected files and
makes them available even when there is no network connectivity to the file server.

Work Folders. You can use Work Folders regardless of domain membership. Work Folders synchronize
user data files between the file server and user devices.

File History. After you enable File History, it automatically creates a backup of modified user files on
the local drive, removable drive, or network location. File History backs up the folders in user profiles
and libraries, and you can add additional folders to protect. By default, File History copies the
modified files in protected folders every hour, and Windows 10 keeps them indefinitely, as long as
there is enough storage space.

Backup and Restore (Windows 7). Although the name of the tool includes Windows 7, it is a part of
Windows 10. You can use this tool to create backups of individual folders, volumes, users' libraries,
and the entire computer on an additional disk, removable disk (preferably), or network location. In
the event of failure, you can use this tool to restore affected files and data.

Synchronization of user data with Microsoft OneDrive or OneDrive for Business. If your user account
is connected with a Microsoft account, or your company is using OneDrive for Business, you can
synchronize data files with the cloud and between the devices you are using.

System Image. Although it is not designed as a backup and restore solution, a system image contains
the exact copy of all the data that was on your computer when you created the system image. There
is no option to create a schedule for system image creation. You can copy system images to hard
disks, sets of DVDs, or network locations. A system image contains a virtual hard disk (.vhdx file) for
each volume of the computer for which you created the image. You can mount the virtual disk in File
Explorer, and access and restore each file individually. If you want to restore the entire system image,
you can use the System Image Recovery option from Windows Recovery Environment (Windows RE).

Wbadmin.exe. This is a command-line tool that you can use to create backups and restore backup
content.

File Explorer or robocopy.exe. You can use File Explorer or the robocopy.exe command to copy files
to other media or network locations manually.

Microsoft Azure Backup. Windows 10 does not include Azure Backup. However, if you have a
Microsoft Azure subscription, you can create a Backup Vault, download and install Azure Backup
Agent, and back up Windows 10 to Microsoft Azure.

Question: Does Windows 10 include a backup tool?

Question: What is the simplest way to recover a locally stored document that a user
accidentally deleted in Windows 10?

File History
With File History, Windows 10 can save copies
of your files automatically to a removable local
drive or to a shared folder on a network. After
you enable File History, it periodically saves a copy
of your modified files to a designated location.
Windows 10 saves modified files every hour and
keeps file versions indefinitely by default.
However, you can configure the interval at which
saves occur and how long Windows 10 will keep
saved files.

By default, File History saves files from the following folders: Contacts, Desktop, Documents,
Downloads, Favorites, Links, Music, OneDrive, Pictures, Saved Games, Searches, and Videos. Additionally,
File History saves files from the following libraries: Documents, Music, Pictures, and Videos.

You can protect additional folders by using File History in two ways:

Using the Backup option in the Update & security section in the Settings app. To access this option, in
the Settings app, click Update & security. Click Backup, and then in the Back up using File History
section, click More options.

Note: You cannot add additional folders in the File History item in the Control Panel.

Adding folders to the libraries that File History is protecting. By doing so, File History will also protect
folders that you add to one of the protected libraries. You can do this by configuring File Explorer to
show Libraries, and then modifying library properties to include additional folders.

You can modify File History settings by using the File History item in the Control Panel. You can also
modify these settings by going to the Settings app, clicking Update & security, clicking Backup, and
then in the Back up using File History section, clicking More options. You can manually start the backup
by using the File History item in the Control Panel. Alternatively, you can configure how often to perform
backups, configure how long to keep backups, specify the drive that will keep the File History backups,
and exclude folders and libraries from File History.

You can use File Explorer to revert to previous versions of files that File History is protecting. You can use
it to restore files by right-clicking the file or folder, and clicking the Previous Versions tab. You can also
navigate to the folder that contains a modified or deleted file, and then on the Home ribbon, click
History to open File History and view the recoverable files. Alternatively, you can use the Restore your
files with File History option directly, allowing you to compare modified files and restore deleted or
modified files.

Note: File History backs up protected folders into a folder hierarchy. The top folder is named
after the user principal name (UPN), the first-level subfolder after the computer from which File
History is protecting data, and the second-level subfolders are named Configuration and Data.
File History backs up the data itself into subfolders of the Data folder. For example, the folder
hierarchy for a user named Don in the Adatum.com domain from the LON-CL1 computer will be in
the following folder: Don@Adatum.com\LON-CL1\Data.
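As an added example (not from the course), the following Windows PowerShell script walks the hierarchy described in the note and reports how many saved versions of each protected file the backup location holds, which is useful for auditing retention because Windows keeps versions indefinitely by default. It assumes the \\LON-DC1\Backup2 location used in the demonstration, the Don@Adatum.com user on LON-CL1, and the UTC timestamp suffix that File History appends to every saved copy.

```powershell
# Added example (not part of the course text). Location, UPN and computer name
# are the values from the note and the demonstration; change them for your store.
$BackupRoot = '\\LON-DC1\Backup2'
$Upn        = 'Don@Adatum.com'
$Computer   = 'LON-CL1'

# UPN\Computer\Data is the hierarchy described in the note; Configuration holds
# the File History catalog, Data mirrors the protected folders.
$dataRoot = Join-Path $BackupRoot "$Upn\$Computer\Data"
if (-not (Test-Path -Path $dataRoot)) { throw "No File History data at $dataRoot" }

# File History stores each saved copy under its original name plus a timestamp,
# e.g. 'Report (2016_01_15 09_30_00 UTC).txt' (naming assumed, not in the course).
$stamp = '^(?<base>.+) \((?<ts>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2}) UTC\)(?<ext>\.[^.]*)?$'

$versions = Get-ChildItem -Path $dataRoot -File -Recurse | ForEach-Object {
    if ($_.Name -match $stamp) {
        [pscustomobject]@{
            Original = Join-Path $_.DirectoryName ($Matches.base + $Matches.ext)
            SavedUtc = [datetime]::ParseExact($Matches.ts, 'yyyy_MM_dd HH_mm_ss',
                           [Globalization.CultureInfo]::InvariantCulture,
                           [Globalization.DateTimeStyles]::AssumeUniversal)
            Copy     = $_.FullName
            Length   = $_.Length
        }
    }
}

# One row per protected file: number of versions, newest copy, and space used.
$versions | Group-Object Original | ForEach-Object {
    [pscustomobject]@{
        File     = $_.Name
        Versions = $_.Count
        Newest   = ($_.Group | Measure-Object SavedUtc -Maximum).Maximum
        Bytes    = ($_.Group | Measure-Object Length -Sum).Sum
    }
} | Sort-Object Newest -Descending | Format-Table -AutoSize
```

Files that never matched the timestamp pattern are skipped, so a row count that is lower than expected points at folders File History is not protecting rather than at missing data.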

Question: Is File History turned on by default?

Question: Can you protect additional folders by using File History?

Demonstration: Using File History to Recover Files


In this demonstration, you will see how to:

Configure File History.

Add an additional folder to File History.

Use File History to recover a deleted file.

Demonstration Steps
1. In LON-CL1, in the Documents folder, create a text document named Report.txt that contains the
text This is a report.

2. Use File History to add \\LON-DC1\Backup2 as an available drive, and then turn on File History.

3. Note the Advanced Settings of File History.


4. Delete the Report.txt file in the Documents folder.

5. Use the History option in File Explorer to recover the file.

6. Use the Report.txt File History window to browse to Home File.


7. Note that File History is not protecting the Data folder.

8. Use the File History settings app to add the C:\Data folder to the folders that File History is
backing up.

9. Run File History.

10. Use File Explorer and the Previous Versions tab of the Report.txt file to confirm that there is
one previous version. This previous version was created when you ran File History.

11. Use File Explorer and the History option to confirm that File History is now protecting the
Data folder.

Backup and Restore (Windows 7)


Windows 10 includes the Backup and Restore
(Windows 7) tool. As the name suggests, this tool
was first available in Windows 7 and is also
available in Windows 10. You can use the Backup
and Restore (Windows 7) tool to create backups of
folders, users' libraries, and volumes, and also to
create a system image and restore backups. You
can create backups on a local disk, as long as it is
different from the disk on which Windows 10 is
installed. You can also create backups on an
external disk or on a network location. You can
determine which data to include in the backup,
and specify if the system image should be part of the backup. You can also let Windows choose what to
back up. You can specify how often and when to perform backups. By default, backups occur every
Sunday at 19:00.

Note: If you let Windows choose the data to back up, it will include only user libraries and
the system image in the backups, and will exclude volumes.

Note: You can manage the Backup and Restore (Windows 7) tool by using Control Panel,
but it gives you limited options to configure your backup schedule. If you want more granularity,
or if you want to create backups automatically multiple times per day, you should edit triggers
for the AutomaticBackup job in Task Scheduler.
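An added example (not course material) of what the note describes, done with Windows PowerShell instead of the Task Scheduler console: read the AutomaticBackup triggers and add three daily runs so backups happen several times a day. The task path \Microsoft\Windows\WindowsBackup\ is assumed; the course only names the job.

```powershell
# Added example (not part of the course text). Run from an elevated session.
# The task path is assumed; the course text only names the AutomaticBackup job.
$taskPath = '\Microsoft\Windows\WindowsBackup\'
$taskName = 'AutomaticBackup'

function Show-BackupTriggers {
    # Triggers are CIM instances; the class name tells daily from weekly.
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
    $task.Triggers | Select-Object @{n = 'Type'; e = { $_.CimClass.CimClassName }},
        StartBoundary, DaysOfWeek, Enabled
}

'Current schedule (the default is weekly, Sunday 19:00):'
Show-BackupTriggers | Format-Table -AutoSize

# Control Panel offers one time of day; Task Scheduler accepts any number of
# triggers. Add three daily runs alongside whatever is already configured.
$extra = '06:00', '12:00', '18:00' | ForEach-Object { New-ScheduledTaskTrigger -Daily -At $_ }

# Set-ScheduledTask replaces the whole trigger collection, so pass the existing
# triggers too; passing only $extra would silently drop the weekly run.
$existing = @((Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName).Triggers)
Set-ScheduledTask -TaskPath $taskPath -TaskName $taskName -Trigger ($existing + $extra) | Out-Null

'Schedule after the change:'
Show-BackupTriggers | Format-Table -AutoSize
```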

The Backup and Restore (Windows 7) tool uses the Volume Shadow Copy Service when creating a backup.
It can store multiple versions of the backup on the same location. The first backup contains a backup of all
the selected data (full backup). When the tool performs the next backup, it backs up and stores only the
data that has changed since the previous backup. If only a small amount of data has changed, then the
next backup (incremental backup) will be smaller, and the tool will create it faster than the first time. You
can also use the Backup and Restore (Windows 7) tool to create a system image and system repair disk.
You can include system image in the backup, but you can only create a system repair disk manually.
After a backup, you can restore files or folders to their original locations or to different locations. If you
performed backups multiple times, you can select from which backup to restore data. You can also
manage the space that the backup is using. The Backup and Restore (Windows 7) tool creates a restore
point each time you run a backup. The Previous Versions tab in File Explorer lists those restore points for
the data that you included in the backup.

Note: The Backup and Restore (Windows 7) tool uses virtual hard disk (.vhdx) files to store
backup data. You can view the backup data by mounting the .vhdx file in File Explorer.

Note: You can only use the Backup and Restore (Windows 7) tool to back up data that is
stored on New Technology File System (NTFS) volumes. You cannot use it to back up data that is
on file allocation table (FAT), FAT32, exFAT, or Resilient File System (ReFS) volumes.

Question: Can you use the Backup and Restore (Windows 7) tool to back up a single file
automatically in a folder with multiple documents?

Question: How can you modify the default backup schedule for the Backup and Restore
(Windows 7) tool, which performs a backup every Sunday at 7 PM, by default?

Previous Versions
Similar to the Backup and Restore (Windows 7)
tool, the Previous Versions tab in File Explorer
is a feature that Windows 10 reintroduced. This
feature enables users to view, restore, or revert
previous versions of files, folders, or volumes. Data
from File History or restore points populates the
Previous Versions tab. Therefore, you must
configure either File History or restore points to
be able to use the Previous Versions feature.

Note: The Previous Versions tab displays a message stating Previous versions come from File
History and from restore points. However, this message does not refer to restore points that
System Restore creates. On the contrary, the Previous Versions feature does not use the restore
points that System Restore creates. The message refers to the restore points that the Backup and
Restore (Windows 7) tool creates.

Until File History runs for the first time or until you create the initial backup by using the Backup and
Restore (Windows 7) tool, the Previous Versions tab for all files is empty. Data from File History
populates the Previous Versions tab only for files that File History protects. For example, you can modify
File1.txt in the Folder1 folder, but if File History is not protecting Folder1, then the Previous Versions tab
will remain empty. The Backup and Restore (Windows 7) tool works in a similar manner. It enables you to
use previous versions for any file that is on an NTFS volume and is included in the backup. For example, if
you use the Backup and Restore (Windows 7) tool to back up Folder1, only data from restore points for
Folder1 and all of its contents will populate the Previous Versions tab.

If you configure File History and use the Backup and Restore (Windows 7) tool, then data from both
sources will populate the Previous Versions tab. Each time File History runs, an additional file version
becomes available for any file that File History is protecting. When the Backup and Restore (Windows 7)
tool creates a backup, it also automatically adds an additional file version. If File History or Backup and
Restore (Windows 7) created the backup, you can revert files and folders only to the versions that are in
the backup.

Note: The Previous Versions feature is available regardless of the file system. However, the
Backup and Restore (Windows 7) tool can only back up data from NTFS volumes. If you want to use
Previous Versions for files on the FAT file system, File History must be protecting those files.

Question: What must you configure if you want the Previous Versions tab in File Explorer
to list previous versions of files?

Question: When will the Previous Versions tab include the previous versions of a file that
the Backup and Restore (Windows 7) tool is backing up?

Demonstration: Using Previous Versions to Recover Files


In this demonstration, you will see how to:

Use Backup and Restore (Windows 7) to create a restore point.

Configure data for which you create a restore point.

Revert a file to a previous version.

Demonstration Steps
1. In LON-CL1, use File Explorer to confirm that the Sales.txt file in the C:\Data folder has only one
previous version. Note that it was created when File History ran in the previous demonstration.

2. Add the text Before restore point to the Sales.txt file.

3. Note that the Sales.txt file still has only one previous version.
4. Use Backup and Restore (Windows 7) to create a backup with the following settings:
o Where to save backup: \\lon-dc1\Backup2

o What to back up: C:\Data.

o Clear the Include a system image of drives: System Reserved, (C:) check box.

o Confirm that C:\Misc is not selected.

5. Wait until backup is created. Note that the Sales.txt file now has two previous versions. Note that the
second previous version was added when the backup was created.
6. Delete the C:\Data\Sales.txt file.

7. Use the Previous Versions tab of the C:\Data folder to restore the Sales.txt file.

8. Note that the file has been restored to the original location.
9. Note that the C:\Misc\Temp.txt file does not have any previous versions. Note that this is because
the backup did not include C:\Misc.

Check Your Knowledge


Question

Which location can File History use to store backup data?

Select the correct answer.

C:\

D:\Backup

\\172.16.10.256\Share1

E:\

https://azure.microsoft.com/backup

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can use the Backup and Restore (Windows 7) tool to back up data that
an ReFS volume is storing.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can use the Previous Versions feature only with files that NTFS volumes
are storing.

Lesson 3
Recovering Devices
When device failure happens, you need to recover the device. Windows 10 includes several device
recovery features, which can help you to recover the device, while leaving user data on the device intact.
You can also completely remove all the data from the device and leave it only with the default installation
of Windows 10 or with the content of system image, which you prepared in advance.

Lesson Objectives
After completing this lesson, you will be able to:

Describe device recovery features in Windows 10.

Configure System Protection and use restore points.

Use advanced startup options.


Use device recovery tools in Windows RE.

Overview of Device Recovery Procedures


In the past, it was a common practice to create
backups of all the data on a device, including the
operating system files, apps, and user data. This
was because, in the event of a system failure, you
would need all this data to recover the device.
However, today things are different:

Devices are connected.

Apps, if installed locally, are available at all times from the company store or Windows store.

User data is no longer only stored locally.

Local storage provides faster access and the ability to use the data in the absence of network
connectivity. When connectivity is restored, the local copy of the data is synchronized and stored
on company file servers or in the cloud.

Today, you can recover, reinstall, or upgrade the operating system without affecting apps or user data.
Some situations might require complete replacement of local storage; for example, if the local solid-state
drive (SSD) disk is broken. In such cases, you only have to recover the operating system. You can reinstall
your apps from the stores. You can access your user data at any time from your other devices, and
synchronize it back on the device you recover.

Windows 10 is a device-oriented operating system that includes several features that you can use for
device recovery:

Driver Roll Back. A nonintrusive feature that only reverts a device driver to the previous version that
the same device used. This feature is only useful in situations where driver updates cause problems,
but it is very effective.

System Protection and System Restore. When turned on, System Protection automatically creates
snapshots, called restore points, before important changes to your device happen. Such changes
could include installation of an app or application of updates. You can also create restore points
manually. Restore points enable you to revert the operating system on your device to a previous
restore point, while leaving user data intact. You can use System Restore from a functioning Windows
10 device, but you can also run System Restore from the recovery environment, as long as the device
storage is accessible.

Startup Recovery. This feature detects and automatically corrects Windows 10 startup issues. It is
invoked automatically if the system fails to start up normally three times in a row. You can also invoke
it manually from the recovery environment. This feature is nonintrusive and leaves all device data
intact, but it can repair startup problems only.

Reset this PC. This feature enables you to either keep your files and reinstall the operating system, or
remove everything from the device and then reinstall the operating system. Windows 10 provides
considerable improvements to Reset this PC, which combines the functionality of the Refresh your PC
and Reset your PC features that were available in Windows 8 and Windows 8.1. You can run the Reset
this PC feature from the recovery environment.

System Image Recovery. This feature completely replaces any data on the device, including the
operating system, settings, and user data, with the information in a system image. To be able to use
this feature, you must create the system image in advance. Unlike the Reset this PC feature, System
Image Recovery does not differentiate between operating system and user data.

Command prompt. This is a powerful but nonautomated option. You can start the command prompt
from the recovery environment and then run other built-in commands or third-party tools.

After you recover your operating system, you can restore access to your data by doing one of the
following:

Signing in to the recovered device, if you use Folder Redirection, Offline Files, or OneDrive for
Business.

Restoring the user data by using Azure Backup or the Backup and Restore (Windows 7) tool, as
explained in the previous lesson.

Question: Can you run the Reset this PC feature from a computer running Windows 10 in
the normal mode?

Question: Why would you use Startup Repair instead of System Image Recovery if the Boot
Configuration Data (BCD) store is corrupted on a Windows 10-based computer?

System Protection and Restore Points

If you use the System Restore feature in Windows 10, it will automatically create a snapshot of the
system settings before a major system change, such as installation of a program or update.
System Restore will then store the snapshot in a restore point. Restore points represent the
computer's configuration at a point in time, and do not include users' personal data. System
Restore is enabled by default when you install Windows 10 on a physical device, but it is disabled
when you install Windows 10 on a virtual hard disk or on a virtual machine. Windows 10 can
create restore points automatically before the following changes occur:

Installation of an app, if the app uses an installer that is System Restore-compliant.

Installation of Windows updates.

You can create restore points in Windows 10 in three ways:

Manually, whenever you choose to create them.

Based on a schedule. Windows 10 includes scheduled tasks, which can trigger restore point creation.

Automatically, if you choose to use System Restore to restore to a previous restore point. In this
instance, System Restore creates a new restore point before it restores the system to a previous state.
This provides you with a recovery option should the restore operation fail or result in problems.

You can enable System Protection for each drive individually and configure disk space that the restore
points can use. System Protection maintains that space itself. System Protection compresses restore points
when storing them on a hard disk, and if System Protection is running out of space, it will automatically
delete the oldest restore points.

If you want to restore your computer to the state it was in before a certain event, you can access
System Restore from Windows 10 by opening System Protection, or from the Windows RE environment.
This means that you can restore your computer to an earlier restore point even if you cannot start
Windows 10. If you want to restore your computer to an earlier restore point from Windows RE, you
need to select a user and provide the user's password before you can use System Restore. Before restoring
the computer to an earlier state, you can scan the restore point for the affected programs and drivers;
applying the restore point can delete some programs and drivers, and restore others. If you changed the
password recently, you should create a password reset disk before using System Restore. You cannot
interrupt System Restore once it starts, and the computer restarts during the System Restore process.

Note: Windows 10 includes a System Restore scheduled task named SR, which you can
configure to create restore points automatically at scheduled intervals. By default, SR does not
have any triggers defined.

Note: You can turn on System Protection only on NTFS volumes.
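As an added example (not from the course), the following Windows PowerShell script covers the whole of this topic in code: it turns on System Protection for the system drive and caps its space, creates a manual restore point, lists the existing ones, and gives the SR task the trigger it ships without. It assumes an elevated Windows PowerShell 5.1 session and the task path \Microsoft\Windows\SystemRestore\, and it surfaces one caveat the text does not mention: Windows 8 and later create at most one restore point per 24 hours unless the creation-frequency limit is lowered.

```powershell
# Added example (not part of the course text). Run from an elevated Windows
# PowerShell 5.1 session; the *-ComputerRestore cmdlets are not in PowerShell Core.
# The SR task path is assumed; the course only names the task.
$drive = "$env:SystemDrive\"    # System Protection is configured per NTFS volume

# 1. Turn on System Protection for the system drive and cap the space that
#    restore points may use (the demonstration uses 5-10 GB).
Enable-ComputerRestore -Drive $drive
vssadmin resize shadowstorage "/For=$env:SystemDrive" "/On=$env:SystemDrive" /MaxSize=10GB | Out-Null

# 2. Windows 8 and later create at most one restore point per 24 hours unless
#    SystemRestorePointCreationFrequency (minutes) is lowered; at the default a
#    second Checkpoint-Computer on the same day is skipped without an error,
#    which is why a demo can appear to do nothing. Lower it on test machines only.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$freq  = (Get-ItemProperty -Path $srKey).SystemRestorePointCreationFrequency
'Restore point creation frequency limit: {0} minutes' -f $(if ($null -eq $freq) { 1440 } else { $freq })

# 3. Create a restore point manually, as in demonstration step 2.
Checkpoint-Computer -Description 'Initial settings' -RestorePointType 'MODIFY_SETTINGS'

# 4. List restore points. Restore-Computer -RestorePoint <SequenceNumber> reverts
#    to one of them and restarts the computer; the undo point is created first.
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) }} |
    Format-Table -AutoSize

# 5. Give the SR task a daily trigger so restore points are also created on a
#    schedule; by default the task has no triggers at all.
$taskPath = '\Microsoft\Windows\SystemRestore\'
Set-ScheduledTask -TaskPath $taskPath -TaskName 'SR' -Trigger (New-ScheduledTaskTrigger -Daily -At '03:00') | Out-Null
(Get-ScheduledTask -TaskPath $taskPath -TaskName 'SR').Triggers | Select-Object StartBoundary, Enabled
```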



Perform driver roll backs


If you install a device driver that results in an unstable computer or one that fails to operate entirely, you
could first remove the driver by using the Driver Roll Back feature, either from the running instance of
Windows 10, or from safe mode. If this does not remove the device driver and its management utility
completely, you might use System Restore to restore the computer to the state it was in before you
installed the device driver. Older versions of Windows operating systems had a System Restore feature,
but they required the computer to start successfully. With Windows 10, you can use System Restore from
Windows RE to perform driver rollbacks by accessing the restore points, even when the computer does
not start successfully.

Protect against accidental deletion of programs


System Restore also provides protection against accidental deletion of programs. System Restore creates
restore points when you add or remove programs, and it keeps copies of app programs (file names with
an .exe or .dll extension). If you accidentally delete an .exe file, you can use System Restore to recover it by
selecting a recent restore point prior to your deletion of the program.

Consider the following example. You have a Windows 10 device and at time T1, you install Microsoft
Office. At time T2, you install an app that you downloaded from the web. At time T3, you decide to create
a restore point manually, because the system seems to be responding more slowly. At time T4, you decide
that the app that you downloaded from the web might be causing reduced responsiveness. You use
System Restore to revert your system to T2, to the system state before the installation of the app.
Microsoft Office, in addition to all your personal data and documents, remains intact.

Question: How can you configure Windows 10 to create restore points automatically?

Question: Can you enable System Protection on an ReFS volume?

Demonstration: Using a Restore Point to Roll Back Device Configuration


In this demonstration, you will see how to:

Turn on System Protection.

Create a restore point manually and automatically.

Revert to a previous restore point.

Demonstration Steps
1. On LON-CL1, use System Properties to turn on System protection and specify a maximum disk
space usage between 5 and 10 gigabytes (GB).
2. Create a restore point named Initial settings.

3. Create a new text document on the desktop and name it My document.

4. Use Device Manager to update the driver for Microsoft Hyper-V Virtual Keyboard with a driver for
Microsoft Wireless Keyboard 700 v2.0 (106/109).

Note: Be aware that you must clear the Show compatible hardware check box to be able
to select Microsoft Wireless Keyboard 700 v2.0 (106/109).

5. In Device Manager, verify that Microsoft Wireless Keyboard 700 v2.0 (106/109) appears with an
exclamation point (!).

6. Use System Restore to restore the Initial settings restore point.



7. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

8. Verify that My document.txt is still on desktop.

9. Use Device Manager to verify that Microsoft Hyper-V Virtual Keyboard is present. Microsoft
Wireless Keyboard 700 v2.0 (106/109) was removed, as you added it after creating the restore point.

10. Use System Restore to verify that an additional restore point with the description Restore
Operation and the type Undo was created.
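The demonstration steps above, as an added Windows PowerShell example that is not part of the course material: it turns on System Protection for the system drive, caps the disk space that restore points may use, creates the Initial settings restore point, and lists the restore points that exist, which is what steps 1, 2 and 10 do through System Properties and the System Restore wizard. It assumes an elevated Windows PowerShell 5.1 session (the *-ComputerRestore and Checkpoint-Computer cmdlets are not available in PowerShell 7) and that C: is the drive being protected.

```powershell
# Added example (not course or Windows code). Assumes an elevated Windows
# PowerShell 5.1 session and C: as the protected drive.
#Requires -RunAsAdministrator

# 1. Turn on System Protection for the system drive (System Properties >
#    System Protection > Configure > Turn on system protection).
Enable-ComputerRestore -Drive 'C:\'

# 2. Cap the space restore points may use. Restore points are stored as VSS
#    shadow copies, so the limit is set on the volume's shadow storage; the
#    demonstration asks for a value between 5 and 10 GB.
vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=10GB

# 3. Create a restore point manually. The description is what the System
#    Restore wizard shows later ("Initial settings" in the demonstration).
Checkpoint-Computer -Description 'Initial settings' -RestorePointType 'MODIFY_SETTINGS'

# 4. List the restore points that exist, newest first. After step 6 of the
#    demonstration this list also contains the "Restore Operation" point of
#    type Undo that Windows creates before it rolls back.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber -Descending |
    Select-Object SequenceNumber, Description, RestorePointType,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize

# 5. Report the outcome of the most recent restore operation (run this after
#    you sign back in following a rollback).
Get-ComputerRestorePoint -LastStatus

# To roll back to a specific point from PowerShell instead of the wizard
# (the computer restarts): Restore-Computer -RestorePoint <SequenceNumber>
```

Windows 8 and later create at most one restore point per 24 hours; if a point already exists within that window, Checkpoint-Computer reports a warning rather than creating a second one. The interval is the SystemRestorePointCreationFrequency value (minutes) under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore, which is not covered by the course text.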

Advanced Startup Options


Windows 10 provides advanced startup settings that you can use to start the operating system in an
advanced troubleshooting mode. To reach the advanced startup settings, you must start the computer into
the advanced startup options in one of the following ways:

Changing the advanced startup options in Windows 10.

Pressing the Shift key while selecting the Restart option.

Restarting the computer by running the shutdown.exe /r /o command.

If you perform any of the above steps, the computer starts in Windows RE. From Windows RE, you need to
select Troubleshooting, select Advanced options, and then select Startup Settings.

Note: In Windows 10, you cannot access advanced startup settings by pressing F8 during
the startup process, as you were able to do in older versions of Windows operating systems.

When the computer restarts, it presents the following options:

Enable debugging. By selecting the debugging mode, you can start Windows 10 in a special
troubleshooting mode. In this mode, you can monitor the behavior of device drivers and determine
whether a specific device driver is causing Windows 10 to stop unexpectedly.

Enable boot logging. When you use this mode, the Windows 10 start process creates and writes to a
file named Ntbtlog.txt. This file records the device drivers that Windows 10 installs and loads during
startup.

Enable low-resolution video. In this mode, you can start Windows 10 in a special low-resolution
mode. This mode can be necessary when you attempt to resolve incorrectly applied graphics
resolution settings.

Enable Safe Mode. In safe mode, Windows 10 can start with a minimal set of drivers, services, and
apps. You can use safe mode to disable services and apps that might be causing the Windows
operating system to stop. Computers often start in safe mode when they are unable to start normally.
Safe mode does not load network drivers, so network connectivity is not possible in safe mode.

Enable Safe Mode with Networking. Safe mode with networking is similar to safe mode, except that it
allows network connectivity.

Enable Safe Mode with Command Prompt. This version of safe mode starts with a command prompt
window rather than the Windows interface. In this mode, you can disable apps and services from the
command line if you are unable to perform this operation by using safe mode.

Disable driver signature enforcement. In this mode, you can load device drivers that do not have a
digital signature. This might be necessary when testing device drivers with a 64-bit version of
Windows 10.

Disable early launch anti-malware protection. In this mode, you can start Windows 10 without the
early launch anti-malware functionality running. This functionality might stop Windows 10 from
starting in certain circumstances, but you should disable it only after trying other options.

Disable automatic restart after failure. Use this option to stop Windows 10 from automatically
restarting after a failure occurs.

Launch recovery environment. Use this option to start Windows RE. You can use the recovery
environment to trigger the Reset this PC function.

Note: In older versions of Windows, you could use the Last Known Good Configuration
startup option to revert registry settings to the most recent version that worked correctly. The
Last Known Good Configuration startup option is not available in Windows 10.

Question: Can you access startup settings options by pressing F8 during computer startup?

Question: How can you access the Last Known Good Configuration startup option in
Windows 10?
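The boot-logging and safe-mode options above, as an added Windows PowerShell example that is not part of the course material or of Windows: it sets the Enable boot logging option from the running system with BCDEdit.exe, reads the resulting Ntbtlog.txt to list the drivers that did not load, and reports from a script whether the current session is a safe-mode session and how many services are running (the two things the safe mode demonstration and lab later in this module check by hand). It assumes an elevated Windows PowerShell session, English-language wording in the boot log, and the constructed sample log embedded below, which the script uses only when no real log exists yet.

```powershell
# Added example (not course or Windows code). Assumes an elevated session and
# English-locale text in ntbtlog.txt; the sample log at the bottom is constructed.

function Enable-BootLogging {
    # Same effect as "Enable boot logging" under Startup Settings, but the
    # setting persists in the BCD for every boot until Disable-BootLogging runs.
    bcdedit /set '{current}' bootlog yes
}

function Disable-BootLogging {
    bcdedit /set '{current}' bootlog no
}

function Get-BootMode {
    # Returns "Normal boot", "Fail-safe boot" (safe mode) or
    # "Fail-safe with network boot" (safe mode with networking).
    (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
}

function Get-RunningServiceCount {
    # The demonstration compares this figure between normal mode and safe mode.
    @(Get-Service | Where-Object { $_.Status -eq 'Running' }).Count
}

function Get-BootLogSummary {
    # ntbtlog.txt is appended to on every logged boot, so only the section after
    # the last "Microsoft (R) Windows (R)" header (the most recent boot) is read.
    param([string[]]$Lines = (Get-Content -Path "$env:SystemRoot\ntbtlog.txt"))

    $start = 0
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -like 'Microsoft (R) Windows*') { $start = $i }
    }
    $loaded = 0; $notLoaded = @()
    foreach ($line in $Lines[$start..($Lines.Count - 1)]) {
        if     ($line -match '^Did not load driver\s+(.+)$') { $notLoaded += $Matches[1].Trim() }
        elseif ($line -match '^Loaded driver\s+(.+)$')       { $loaded++ }
    }
    [pscustomobject]@{
        Loaded    = $loaded
        NotLoaded = @($notLoaded | Sort-Object -Unique)
    }
}

# Constructed sample in the shape of a real boot log; two boots are included so
# that only the second one is summarised.
$sampleLog = @(
    'Microsoft (R) Windows (R) Version 10.0 (Build 10240)',
    ' 8 21 2015 09:12:33.500',
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Did not load driver \SystemRoot\System32\drivers\oldvendor.sys',
    'Microsoft (R) Windows (R) Version 10.0 (Build 10240)',
    ' 8 22 2015 07:01:10.250',
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Loaded driver \SystemRoot\System32\drivers\kbdhid.sys',
    'Did not load driver \SystemRoot\System32\drivers\examplekbd.sys',
    'Did not load driver \SystemRoot\System32\drivers\examplekbd.sys'
)

$logPath = "$env:SystemRoot\ntbtlog.txt"
$summary = if (Test-Path $logPath) { Get-BootLogSummary } else { Get-BootLogSummary -Lines $sampleLog }

"Boot mode          : $(Get-BootMode)"
"Running services   : $(Get-RunningServiceCount)"
"Drivers loaded     : $($summary.Loaded)"
"Drivers not loaded : $($summary.NotLoaded -join ', ')"
```

With the constructed log the summary reports two loaded drivers and one driver that did not load (examplekbd.sys, listed once although it appears twice). Because the BCD setting persists, run Disable-BootLogging once the problem driver has been identified; bcdedit /enum '{current}' shows the current value as bootlog Yes or No.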

Tools Available in Windows RE


Windows RE provides access to tools that you can use to recover your computer's startup environment.

Reset this PC
Selecting this option will reinstall the Windows 10 operating system, but you can decide whether to keep
your files or remove everything. If you select to keep your files, during Windows 10 reinstallation,
Reset this PC will remove all settings and all the apps that did not come with the operating system, but
it will keep your personal files. Reset this PC will also preserve system settings, such as computer name
and domain membership. After the reset process, when you sign in, you will have a list of removed apps
on the desktop.

If you select to remove everything, you can choose to remove your files only or to fully clean the PC. Fully
cleaning the PC can take much longer, but it is more secure, because it fully wipes the disk and overwrites
all the content before it reinstalls Windows 10. Reset this PC will set all system settings to initial values.
You do not need Windows 10 installation media or recovery media if you want to use the Reset this PC
option, but you need to provide administrative credentials. This option will restart the computer multiple
times during the reset process.

Note: Reset this PC consolidates two options, Refresh your PC and Reset your PC, which
were available in Windows 8 and Windows 8.1.

System Restore
Windows 10 provides System Restore capabilities that you can access from the System Tools folder. If you
have a system failure or another significant problem with your computer, you can use System Restore to
return your computer to an earlier state. The primary benefit of System Restore is that it restores your
system to a workable state without reinstalling the operating system or causing data loss. Additionally, if
a computer does not start successfully, you can use System Restore by starting Windows RE from
Windows 10 media. You need to provide administrative credentials if you want to use System Restore
from Windows RE.

System Image Recovery


System Image Recovery replaces your computer's current operating system with a complete computer
image that you created while Windows 10 was running. You can use this tool only if you already have
a system image of your computer. You can create a system image from the Backup and Restore (Windows
7) item in Control Panel, which you can also access from the Settings app. You can store the system image
on a hard disk, on one or multiple DVDs, or on a network location. You should use System Image
Recovery only if other recovery methods are unsuccessful, because it is very intrusive and it overwrites
all the data on a computer.

Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. Before you can use Startup Repair, you must provide administrative
credentials. Startup Repair detects the most common startup issues and automatically corrects them.
It performs the following functions:
Replaces or repairs disk metadata. Disk metadata consists of several components, including the boot
sector and the master boot record (MBR). If these files are missing or corrupted, the startup process
fails. If you suspect that an issue has caused the damage or deletion of these files, use Startup Repair
to check for problems with the disk metadata. Startup Repair automatically checks and, if necessary,
repairs the disk metadata. Damage to disk metadata often occurs because of unsuccessful attempts to
install multiple operating systems on a single computer. Another possible cause of metadata
corruption is a virus infection.

Repairs boot configuration settings. Windows 10 stores its boot configuration data (BCD) in the Boot
folder on the active partition. If the BCD is damaged or deleted, the operating system fails to start.
The Startup Repair tool checks and, if necessary, rebuilds the BCD by scanning for Windows
installations on the local hard disks, and then storing the necessary BCD entries.

Resolves incompatible driver issues. Installing a new hardware device and its associated device driver
can cause the Windows operating system to start incorrectly. The Startup Repair tool performs device
driver checks as part of its analysis of your computer. If Startup Repair detects a driver problem, it
uses System Restore points to attempt a resolution by rolling back the configuration to a known
working state.

Command Prompt
Windows 10 uses the Command Prompt tool from the Windows RE tool set as its command-line interface.
The Command Prompt tool features are similar to the command prompt that is available when
Windows 10 is running normally. The Command Prompt tool performs the following functions:

Resolves problems with a service or device driver. If a computer that is running Windows 10
experiences problems with a device driver or Windows service, use the Command Prompt tool to
attempt a resolution. For example, if a device driver fails to start, use the Command Prompt tool to
install a replacement driver or disable the existing driver from the registry.

Recovers missing files. The Command Prompt tool enables you to copy missing files to your
computer's hard disk from the original source media, such as the Windows 10 installation media.

Accesses and configures the BCD. Windows 10 uses a BCD store to retain information about the operating
systems that you install on the computer. You can access this information by using the BCDEdit.exe
tool at the command prompt. You also can reconfigure the store if necessary. For example, you can
reconfigure the default operating system on a dual-boot computer with the BCDEdit.exe /default id
command.

Repairs the boot sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that is running Windows 10 will fail to start successfully. You can launch the
BootRec.exe command at the command prompt to resolve problems with the disk metadata.

Runs diagnostic and troubleshooting tools. The Command Prompt tool provides access to many
programs that you can also access from Windows 10 during normal operations. These programs
include several troubleshooting and diagnostics tools, such as the Registry Editor (regedit.exe), a disk
and partition management tool (diskpart.exe), and several networking configuration tools (net.exe,
ipconfig.exe, and netcfg.exe). Another option is to load Task Manager (taskmgr.exe), which you can
use to determine which programs and services are running currently.

Note: Windows RE is built on Windows Preinstallation Environment (Windows PE). Windows PE is
not a complete operating system. Therefore, when you use the Command Prompt tool in Windows RE,
remember that not all programs that work in the Windows operating system will work at the
command prompt. Additionally, because there are no sign-in requirements for Windows PE and
Windows RE, Windows 10 restricts the use of some programs for security reasons, including many
programs that administrators typically run.
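The BCD handling described under Command Prompt, as an added Windows PowerShell example that is not part of the course material or of Windows: it parses the text that BCDEdit.exe prints, reads the default entry that BCDEdit.exe /default changes, and flags boot-loader settings that switch off the protections listed under Startup Settings (driver signature enforcement, early launch anti-malware, and a persistent safe-mode setting). Those settings are legitimate for a single troubleshooting boot, but if they persist on a production computer a technician should find out who set them and why. It assumes an elevated session, English-language bcdedit output, and the constructed sample store embedded below, whose second entry uses a placeholder GUID.

```powershell
# Added example (not course or Windows code). Assumes English-language output
# from bcdedit /enum; the sample store at the bottom is constructed and its
# second GUID is a placeholder.
#Requires -RunAsAdministrator

function ConvertFrom-BcdEnum {
    # Turns `bcdedit /enum` output into one object per store entry. Property
    # lines look like "identifier              {current}"; continuation lines
    # (for example extra displayorder GUIDs) start with whitespace.
    param([string[]]$Lines = (bcdedit /enum))

    $entries = @(); $current = $null; $lastKey = $null
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line -match '^-+$') { continue }
        if ($line -match '^([A-Za-z][\w:]*)\s{2,}(.+)$') {
            $lastKey = $Matches[1]
            if ($current) { $current[$lastKey] = $Matches[2].Trim() }
        }
        elseif ($line -match '^\s+(\S.*)$') {
            if ($current -and $lastKey) { $current[$lastKey] += ' ' + $Matches[1].Trim() }
        }
        else {
            # A line without a value column is a section heading such as
            # "Windows Boot Manager" or "Windows Boot Loader".
            if ($current) { $entries += [pscustomobject]$current }
            $current = [ordered]@{ Type = $line.Trim() }
        }
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

function Test-BcdSettings {
    # Flags boot-loader settings that disable protections normally in force.
    param([object[]]$Entries = (ConvertFrom-BcdEnum))

    $findings = @()
    foreach ($e in $Entries) {
        if ($e.Type -notlike 'Windows Boot Loader*') { continue }
        $id = $e.identifier
        if ($e.testsigning -eq 'Yes')        { $findings += "$id - testsigning: test-signed drivers are accepted" }
        if ($e.nointegritychecks -eq 'Yes')  { $findings += "$id - nointegritychecks: driver signature enforcement is disabled" }
        if ($e.disableelamdrivers -eq 'Yes') { $findings += "$id - disableelamdrivers: early launch anti-malware is skipped" }
        if ($e.safeboot)                     { $findings += "$id - safeboot=$($e.safeboot): this entry always starts in safe mode" }
    }
    return $findings
}

# Constructed sample of `bcdedit /enum` output with two weakened settings.
$sampleStore = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {00000000-0000-0000-0000-000000000000}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
testsigning             Yes
nointegritychecks       Yes
'@ -split "`r?`n"

# Use ConvertFrom-BcdEnum without -Lines to audit the computer you are on.
$entries = ConvertFrom-BcdEnum -Lines $sampleStore
$manager = $entries | Where-Object Type -eq 'Windows Boot Manager'
"Default entry : $($manager.default)"      # the value that bcdedit /default <id> changes
"Display order : $($manager.displayorder)"
$findings = Test-BcdSettings -Entries $entries
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'No weakened boot settings found.' }
```

With the sample store the script reports {current} as the default entry and two findings (testsigning and nointegritychecks). The script only reads the store; rebuilding a damaged one is still done from the Windows RE Command Prompt with BootRec.exe, which is the repair the course text describes.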

Go back to previous build


If you have serious problems after a recent update of the Windows 10 build, you can use this option
to return to the previous Windows 10 build. As with other Windows RE tools, you need to provide
administrative credentials if you want to use this option. If you revert to the previous Windows 10 build,
it will not affect your personal files, but it will not preserve any changes that you made to apps and
settings since the most recent update.

Question: Can you use System Image Recovery without any previous preparation?
Question: What are the options for the Reset this PC tool?

Demonstration: Using Advanced Start-up Options


In this demonstration, you will see how to:

Start a computer in the recovery environment.


Use tools that are available in the recovery environment.

Use safe mode as one of the startup options.

Demonstration Steps
1. In LON-CL1, view local services and note that more than 75 services are running.

2. Restart LON-CL1 into advanced startup options.


3. Verify where you can select the Reset this PC option (but do not select Reset this PC option).

4. Restart LON-CL1 into safe mode.

5. Sign in as Adatum\Administrator with the password Pa$$w0rd. Note that the words Safe Mode
appear in all four corners of the desktop.

6. Note that Device Manager cannot show device status when it is running in safe mode. Note that you
can still update or uninstall drivers while running in safe mode.
7. Try to use the Search the web and Windows box. Confirm that you cannot search because the
computer is running in safe mode.

8. Use Computer Management to verify that less than 30 services are running in safe mode.
9. On 20697-1B-LON-CL1, mount the Windows 10 installation DVD from C:\Program Files\Microsoft
Learning\20697-1\Drives\Win10Ent_Eval.iso, and then start the virtual machine. If virtual
machines are extracted to a different drive than C:, use that drive letter instead of C:.

10. Initialize setup from the DVD, and then click Repair your computer.
11. Click Troubleshoot from the available options, and then click Advanced options.

12. Note that only the Startup Settings option is not available when you start the recovery
environment from DVD media.

13. Note that you can run and use System Restore, even if you started the computer from the
Windows 10 installation media.

Discussion: Recovering Devices


Devices can fail, or become lost or stolen. In such cases, you should plan a strategy to replace the device
and recover your data. You should ensure that you are protecting user data, which in most cases means
that you are storing it somewhere other than on the device. When you need to recover the device, you
should first attempt a nondestructive and fast recovery method, if it is suitable for the situation. For
example, if your device cannot start, you should first run the Startup Repair option from the recovery
environment before considering the use of Reset this PC or System Image Recovery. The latter options
could also resolve the issue, but could cause some data loss and would take considerably longer. The
order in which you should use device recovery methods depends on the specific situation, but as a rule of
thumb, you should consider them in the following order:

1. Startup Repair. If the hardware is functional, but the device does not start, you should consider the
Startup Repair option from the recovery environment. This option is quite fast, and will automatically
detect and fix most common startup issues, while leaving all the user data intact. The device can restart
several times during the process.

2. Driver Roll Back. If an updated device driver causes an issue, Driver Roll Back is the best option. You
can access this option from Device Manager, whether you are in normal mode in Windows 10 or in
safe mode. This option leaves the data intact. It can only fix issues related to device drivers.

3. Safe Mode. This advanced startup mode starts Windows 10 by starting only basic services and using
basic device drivers. You can use it to replace missing or damaged system files manually or to
perform diagnostics and configuration changes that are not possible when Windows 10 is running
in normal mode. You can also use System Restore and Driver Roll Back from safe mode. You can also
use safe mode by selecting Safe Mode with Networking or Safe Mode with Command Prompt.

4. System Restore. If System Protection is enabled and it has created restore points, you can use System
Restore to revert system settings to an earlier restore point. You can use System Restore from
Windows 10 running in the normal mode, from safe mode, or from the recovery environment. This
operation is nondestructive, because it leaves user data intact.

5. Command Prompt. This advanced startup option is not automated and it is suitable for experienced
users. You can use it to perform diagnostics, which is not possible when the system is running. For
example, you can use the command prompt to scan for rootkits, replace damaged system files,
change the state of the services, and run third-party apps. This option is generally not destructive,
but it could be, depending on your actions.

6. Reset this PC. If you select this option from the recovery environment, keep in mind that it will
remove apps that are not part of Windows 10, and reinstall the operating system. This option is faster
than it used to be, but it still takes some time. Based on the options that you select, Reset this PC
might also remove user data on the device during the reset process.

7. System Image Recovery. You can perform system image recovery only if you already have the system
image. This recovery process takes time and replaces all the data on the device with the system image
content. Files that you created or modified since you created the system image will not be available in
the system image.

Question: Can you start System Recovery only from Windows 10 running in the normal
mode?

Question: When would you use System Image Recovery?



Check Your Knowledge


Question

Which of the following tools cannot preserve user data that is stored on the C drive?

Select the correct answer.

Reset this PC

System Image Recovery

Startup Repair

Diskpart.exe

Go back to the previous build

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

System Image Recovery is the easiest and fastest tool for repairing startup
problems in Windows 10.

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

You can use System Restore even if your Windows 10-based computer has
startup problems.

Lab: Troubleshooting and Recovery


Scenario
You are a help desk technician at A. Datum Corporation. End users have been complaining that
sometimes they cannot use new devices that they connect to their Windows 10-based computers,
because Windows 10 does not include the required device drivers. These users do not have administrative
permissions to install these drivers. Your coworkers need you to demonstrate the process of adding driver
packages to the driver store in advance, even if the device that will be using the driver is not connected.
You will also demonstrate other device management tasks, such as updating and rolling back drivers.

Users also complain that they cannot access previous versions of the documents that they modified or
deleted by mistake. You want to show technicians how they can configure the Previous Versions feature in
Windows 10. You also want to show end users how they can use the Previous Versions feature to access
previous versions of the documents.
Lastly, you need to demonstrate to technicians how they can use the advanced startup options to
diagnose and troubleshoot a Windows 10 device.

Objectives
After completing this lab, you will have:

Managed device drivers.


Used File History to recover files.

Used Previous Versions to recover files.

Recovered a device with a restore point.


Used the advanced startup options to recover a device.

Lab Setup
Estimated Time: 70 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, 20697-1B-LON-CL2

User names: Adatum\Administrator

Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, all virtual
machines that you will use in this lab must be running. You can start the virtual machines by completing
the following steps:

1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

o User name: Adatum\Administrator

o Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20697-1B-LON-CL1 and 20697-1B-LON-CL2.

Exercise 1: Managing Device Drivers


Scenario
In this exercise, you will test the process of adding a driver package to the driver store for a device that
is not currently connected. You will verify that you successfully added the driver package, in addition to
learning how you can update an existing driver by using Device Manager. If the updated driver causes
issues, you will also see how you can roll back the driver to the previous version that the same device was
using.

The main tasks for this exercise are as follows:


1. Install a driver package into the driver store.

2. Configure a picture password as a sign-in option.

3. Update a driver in Device Manager.


4. Roll back a driver.

Task 1: Install a driver package into the driver store


1. In LON-CL1, use File Explorer to sort the content of the C:\Windows\System32\DriverStore
\FileRepository folder by date modified, and confirm that the folder at the top of the list is the one
that was created most recently.
2. Use the Command Prompt to view the content of the E:\Labfiles\Mod11\dc3dh folder, which
contains the driver package.
3. Use the pnputil.exe command with a parameter to add the driver package to the driver store.

4. Use File Explorer to confirm that the top subfolder in FileRepository was created when you
installed the driver package.
5. Review the content of the top subfolder in FileRepository, and confirm that it contains the same files
as the driver package that you added to the driver store.

Task 2: Configure a picture password as a sign-in option


In LON-CL1, create a picture password for Adatum\Administrator. Use the file Tiger.jpg as a picture
password. Remember which three gestures you are using, as you will repeat them later to sign in!

Task 3: Update a driver in Device Manager


1. In LON-CL1, use Device Manager to view the properties of Standard PS/2 Keyboard. Confirm that
the Roll Back Driver button is not available for the device.

2. Update the driver for Standard PS/2 Keyboard with the driver for Microsoft USB Internet Keyboard,
and then restart the computer.

Note: To be able to select Microsoft USB Internet Keyboard, you must clear the Show
compatible hardware check box.

Task 4: Roll back a driver


1. Sign in to LON-CL1 as Adatum\Administrator by repeating the three gestures that you defined for
the picture password in Task 2.

2. Try to open Notepad and type your name to verify if the keyboard is still working.

3. Disable Microsoft Hyper-V Virtual Keyboard.

4. Read the device status for Microsoft USB Internet Keyboard.



5. Try to type your name again in Notepad, to confirm that the keyboard is no longer working in
LON-CL1.

6. Verify that the Roll Back Driver option is available for Microsoft USB Internet Keyboard, and then
perform Driver Roll Back for that device.
7. Confirm that the Roll Back Driver option is no longer available for Standard PS/2 Keyboard, as driver
rollback can go back by only one version.

8. Type your name in Notepad to confirm that the keyboard is working again.

9. Enable Microsoft Hyper-V Virtual Keyboard.

Results: After completing this exercise, you will have added a driver package to the driver store, and used
Device Manager to update and roll back the driver.
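Task 1 of this exercise, as an added Windows PowerShell example that is not part of the lab or of its answer key: it checks the driver package's catalog signature before staging anything, stages the package with pnputil.exe, identifies the FileRepository subfolder that the staging created, compares that subfolder's files with the package (steps 4 and 5 of the task), and lists the third-party packages now in the store. It assumes an elevated session, the lab's E:\Labfiles\Mod11\dc3dh path, and that the package contains a signed .cat catalog file; nothing else about the package's contents is taken from the lab.

```powershell
# Added example (not lab or Windows code). Assumes an elevated session, the
# lab's package folder, and a signed .cat catalog inside it.
#Requires -RunAsAdministrator

$package = 'E:\Labfiles\Mod11\dc3dh'

# 1. Refuse to stage a package whose catalog signature does not verify. 64-bit
#    Windows 10 rejects unsigned packages anyway, but checking first records
#    who signed the package and gives a clear error instead of a pnputil failure.
$catalog = Get-ChildItem -Path $package -Filter '*.cat' | Select-Object -First 1
if (-not $catalog) { throw "No catalog (.cat) file found in $package" }
$sig = Get-AuthenticodeSignature -FilePath $catalog.FullName
if ($sig.Status -ne 'Valid') { throw "Catalog $($catalog.Name) signature status: $($sig.Status)" }
"Catalog signed by: $($sig.SignerCertificate.Subject)"

# 2. Snapshot FileRepository so the subfolder created by staging can be identified.
$repo   = "$env:SystemRoot\System32\DriverStore\FileRepository"
$before = Get-ChildItem -Path $repo -Directory | Select-Object -ExpandProperty Name

# 3. Stage the package. /add-driver only copies it into the store; /install
#    would also bind it to a matching device that is already present. Builds
#    that predate the /add-driver syntax accept "pnputil -a <inf>" instead.
pnputil /add-driver "$package\*.inf"

# 4. Find the new FileRepository subfolder and confirm it holds the package files.
$after = Get-ChildItem -Path $repo -Directory | Select-Object -ExpandProperty Name
$new   = Compare-Object -ReferenceObject $before -DifferenceObject $after |
         Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject
foreach ($folder in $new) {
    $pkgFiles  = Get-ChildItem -Path $package -File | Select-Object -ExpandProperty Name | Sort-Object
    $repoFiles = Get-ChildItem -Path (Join-Path $repo $folder) -File | Select-Object -ExpandProperty Name | Sort-Object
    $missing   = Compare-Object -ReferenceObject $pkgFiles -DifferenceObject $repoFiles |
                 Where-Object SideIndicator -eq '<=' | ForEach-Object InputObject
    "Staged folder: $folder; package files missing from the store: $(if ($missing) { $missing -join ', ' } else { 'none' })"
}

# 5. Third-party packages in the store. The Driver column (oemNN.inf) is the
#    published name that pnputil /delete-driver needs to remove a package again.
Get-WindowsDriver -Online |
    Select-Object Driver, OriginalFileName, ProviderName, ClassName, Date |
    Format-Table -AutoSize
```

Staging a package does not change any device; the driver is only used when Device Manager (Task 3) or Plug and Play selects it, and Driver Roll Back (Task 4) then returns the device to the previously bound driver while the package stays in the store.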

Exercise 2: Using File History to Recover Files


Scenario
In this exercise, you will explore how File History works. First, you will configure it to store backups of the
protected folders periodically to the network location, and verify which folders are protected by default.
You will then make sure that you can recover deleted files and protect additional file folders by using File
History in two different ways.

The main tasks for this exercise are as follows:


1. Create a shared folder for File History.

2. Configure and use File History.

3. Protect additional folders with File History.

Task 1: Create a shared folder for File History


On LON-DC1, create a folder named FileHistory. Grant domain users full control permissions to the
folder, and then share the folder with full control permissions for everyone.

Task 2: Configure and use File History


1. In LON-CL1, in the Documents folder, create a text document named Report.txt that contains the
text This is a report.
2. Use File History to add \\LON-DC1\FileHistory as an available drive, and then turn on File History.

3. Review the Advanced Settings of File History.

4. In the Documents folder, delete the file named Report.txt.


5. Use the History option in File Explorer to review the content of the deleted file and to recover the
Report.txt file.

6. Use the Report.txt File History window to navigate to Home - File History. Review the folders and
libraries that File History is protecting, and then confirm that File History is not protecting the Data
folder or the Reports folder.

Task 3: Protect additional folders with File History


1. In LON-CL1, run the E:\Labfiles\Mod11\Mod11.bat script.

2. Verify that there are no previous versions available on the Previous Versions tab of the
C:\Data\Sales.txt file.
3. Add the C:\Data folder to the Documents library. As File History protects the Documents library,
it will also protect the Data folder.

4. Verify that there are no previous versions available on the Previous Versions tab of the
C:\Reports\Report.txt file.

5. Use the File History settings app to add the C:\Reports folder to the folders that File History
backs up.
6. Run File History.

7. Verify that now there is one previous version of the C:\Reports\Report.txt file listed on the Previous
Versions tab.
8. Verify that now there is one previous version of the C:\Data folder listed on the Previous Versions
tab and that you can restore the previous version either to the original location or to a custom
location.

9. Open the previous version of the C:\Data folder in File History and use it to verify that File History is
now protecting the Data and Reports folders.

10. Navigate to C:\ - File History and view all files and libraries that File History is protecting.

Results: After completing this exercise, you will have configured and used File History. You should have
also added additional folders for File History to protect.

Exercise 3: Using Previous Versions to Recover Files


Scenario
The Backup and Restore (Windows 7) tool creates a restore point for all the data that the backup includes.
In this exercise, you will perform initial backup and then confirm that the data that was part of the backup
is also accessible through the Previous Versions feature.

The main tasks for this exercise are as follows:

1. Configure and run Backup and Restore (Windows 7).

2. Use previous versions added by restore points.

Task 1: Configure and run Backup and Restore (Windows 7)


1. In LON-CL1, verify that the Previous Versions tab lists one previous version of the C:\Data\Sales.txt
file.
2. Type the text Before restore point in a new line in the Sales.txt file.

3. Verify that the Sales.txt file still has only one previous version.

4. Use Backup and Restore (Windows 7) to create backup with the following settings:
o Where to save backup: \\lon-dc1\Backup2

o What to back up: C:\Data



o Clear the Include a system image of drives: System Reserved, (C:) check box

o Verify that the C:\Misc folder is not selected.

Task 2: Use previous versions added by restore points


1. In LON-CL1, verify that the Sales.txt file now has two previous versions. The second previous version
was added when the backup was created.

2. Delete the C:\Data\Sales.txt file.

3. Use the Previous Versions tab of the C:\Data folder to restore the Sales.txt file.

4. Verify that the Sales.txt file has been restored to the original location.

5. Verify that the C:\Misc\Temp.txt file does not have any previous versions available, as the backup
did not include the C:\Misc folder.

Results: After completing this exercise, you will have configured and performed initial backup by using
the Backup and Restore (Windows 7) tool. You should also have recovered deleted files by using the
previous versions of those files from restore points.

Exercise 4: Recovering a Device with a Restore Point


Scenario
In this exercise, you will turn on System Protection, create restore points, perform several configuration
changes, and then apply a previous restore point. You will verify which configuration changes reverted
and which did not revert when you applied the restore point.
The main tasks for this exercise are as follows:

1. Configure System Restore.

2. Use System Restore.

Task 1: Configure System Restore


1. In LON-CL1, use System Properties to turn on System protection and specify maximum disk space
usage between 5 GB and 10 GB.

2. Create a restore point, and name it Initial settings.

3. Install XML Notepad from the E:\Labfiles\Mod11 folder, and then verify that the XML Notepad 2007
shortcut appears on the desktop.

4. Create a new text document on the desktop and name it My document.

5. Use Device Manager to update the driver for Standard PS/2 Keyboard with a driver for PC/AT
Enhanced PS/2 Keyboard (101/102-Key), and do not restart the computer.

6. In Device Manager, verify that PC/AT Enhanced PS/2 Keyboard (101/102-Key) appears.

Task 2: Use System Restore


1. In LON-CL1, use System Restore to scan for programs that would be affected if you restored the
Initial settings restore point.

2. Use System Restore to restore the Initial settings restore point.

3. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.



4. Verify that My document.txt is still on desktop and that the XML Notepad 2007 shortcut is no
longer present on the desktop.

5. Use Device Manager to verify that Standard PS/2 Keyboard is present. PC/AT Enhanced PS/2
Keyboard (101/102-Key) was removed, as you added it after creating the restore point.
6. Use System Restore to verify that an additional restore point with the description Restore
Operation and the type Undo was created.

Results: After completing this exercise, you will have used System Restore to revert the computer to an
earlier restore point, and explored the effects of applying the restore point.

Exercise 5: Using the Advanced Start-up Options to Recover a Device


Scenario
In this exercise, you will explore safe mode and how it is different from the standard Windows 10
environment. You will also perform a Reset this PC operation and test other advanced startup options.
The main tasks for this exercise are as follows:

1. Use the Reset this PC option.


2. Explore safe mode.
3. Use advanced startup options.

4. Verify the effects of Reset this PC.

Task 1: Use the Reset this PC option


1. In LON-CL2, create a new text document on the desktop and name it Report.
2. Verify that the computer did not obtain an IP address from the Dynamic Host Configuration Protocol
(DHCP) server and that it is using the IP address 172.16.0.41.

3. Verify that the computer name is LON-CL2 and that it is a member of the Adatum.com domain.
4. Use the Reset this PC option and select the option to keep your files. Use Pa$$w0rd as the password
of the Admin account.

5. While the Reset this PC process is happening in LON-CL2, continue with the next task. You will review
the results of the reset process at the end of this lab.

Task 2: Explore safe mode


1. In LON-CL1, view how many local services are running.

2. Restart LON-CL1 into safe mode.


3. Sign in as Adatum\Administrator and use Pa$$w0rd as the password. Verify that the words Safe
Mode appear in all four corners of the desktop.

4. Use Device Manager to verify that it cannot show device status when it is running in safe mode.
Verify that you can still use the Update Driver and Uninstall options while running in safe mode. You
can also use Roll Back Driver, if a previous version of the driver exists.

5. Verify that you cannot search by typing something in the Search the web and Windows box.
6. Use Computer Management to verify how many services are running in safe mode.

7. On 20697-1B-LON-CL1, mount the Windows 10 installation DVD from C:\Program Files\Microsoft
Learning\20697-1\Drives\Win10Ent_Eval.iso. If virtual machines are extracted to a different drive
than C:, use that drive letter instead of C:.

Task 3: Use advanced startup options


1. In LON-CL1, restart the virtual machine, initialize setup from the DVD, and then click Repair your
computer.

2. Click Troubleshoot from the available options, and then click Advanced options.
3. Use System Restore to verify that restore points that were created can be restored when you start
the computer from DVD. Verify which programs would be affected if you restored the Restore
Operation restore point. Do not restore any restore point, and then return to the Advanced options
screen.

4. Use the Command Prompt option to run the following commands to view the startup environment:

o Bcdedit
o Diskpart

5. In Diskpart, type the following commands to view information about disks and volumes installed on
LON-CL1:
o List disk

o List volume

6. Close Diskpart, and then close the Command Prompt window.


7. Perform Startup Repair.
8. Restart the computer as you normally would.
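The safe mode and startup-environment checks in Tasks 2 and 3 can also be done without msconfig or the DVD, from an elevated Windows PowerShell prompt. This is an added example, not part of the lab; the commands are standard, and only the use of LON-CL1 is assumed. The safeboot value is the step people forget: it is persistent, so it must be removed afterwards or every restart lands in safe mode.

```powershell
# Added example (not course material): safe mode and startup environment from PowerShell on LON-CL1.

# Task 2, step 1: count running services before the reboot, to compare with the count inside safe mode.
function Get-RunningServiceCount { (Get-Service | Where-Object Status -eq 'Running').Count }
"Running services (normal boot): $(Get-RunningServiceCount)"

# Task 2, step 2: make the next boot a safe-mode boot. Quote {current}: PowerShell would otherwise parse the
# braces as a script block. Use 'network' instead of 'minimal' for Safe Mode with Networking.
bcdedit /set '{current}' safeboot minimal
Restart-Computer -Force

# --- after signing in to safe mode ---
# Detect safe mode in a script: BootupState is "Fail-safe boot" (or "Fail-safe with network boot")
# instead of "Normal boot".
(Get-CimInstance Win32_ComputerSystem).BootupState
# The SafeBoot\Option key exists only during a safe boot; OptionValue 1 = minimal, 2 = network.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Option' -ErrorAction SilentlyContinue

"Running services (safe mode): $(Get-RunningServiceCount)"

# Caveat: remove the safeboot value, or the machine keeps booting into safe mode.
bcdedit /deletevalue '{current}' safeboot

# Task 3, steps 4 and 5: the boot entry and the disk/volume layout that bcdedit and diskpart show from WinRE.
bcdedit /enum '{current}'
Get-Disk   | Format-Table Number, FriendlyName, PartitionStyle, Size, OperationalStatus -AutoSize
Get-Volume | Format-Table DriveLetter, FileSystemLabel, FileSystem, Size, SizeRemaining -AutoSize
```

Because bcdedit /set {current} safeboot needs only local administrator rights, it is worth alerting on in production: it is the same mechanism some malware uses to restart a machine into a mode where security services are not running.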

Task 4: Verify the effects of Reset this PC

Note: You can perform this task only after Reset this PC on LON-CL2 has finished. If the
Reset operation on LON-CL2 is not yet complete, the instructor may start with the lecture. You
can perform this task and the next before the lab in Module 12.

1. In LON-CL2, sign in as Adatum\Administrator with the password Pa$$w0rd.

2. Confirm that initial sign-in takes some time, as Windows 10 is setting up your apps.
3. Verify that the Report document that you created earlier is still on the desktop.

4. Verify that after the Reset this PC operation, the computer obtained its IP address from the DHCP
server and that it is no longer using the IP address 172.16.0.41.

5. Verify that the computer name remains LON-CL2 and that the computer is a member of the
Adatum.com domain.

Results: After completing this exercise, you will have used the Reset this PC option, safe mode, and
advanced startup options.

Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-CL1, and 20697-1B-LON-CL2.



Module Review and Takeaways


Review Questions
Question: The help desk recently installed a new device driver on a computer. A stop code is
generated, and you see a blue screen during computer startup. What recovery mechanism
would you try first?

Question: Which Windows 10 features can help end users restore previous versions of their
files?

Question: Can a nonadministrative user use System Restore from the recovery environment?

Module 12
Maintaining Windows 10
Contents:
Module Overview 12-1

Lesson 1: Updating Windows 12-2

Lesson 2: Monitoring Windows 10 12-12


Lesson 3: Optimizing Performance 12-19

Lab: Maintaining Windows 10 12-29


Module Review and Takeaways 12-35

Module Overview
It is important to take a proactive approach to maintaining your organization's computing devices.
This approach involves keeping Windows 10 updated to help ensure the operating system's reliability.
Additionally, by monitoring your Windows devices, you can identify problems that have occurred and
respond quickly. Finally, by using performance-monitoring tools, you can optimize the performance of
your Windows 10 devices.

Objectives
After completing this module, you will be able to:
Explain how to keep Windows 10 up to date.

Monitor Windows 10.

Optimize performance of Windows 10.



Lesson 1
Updating Windows
To keep computers that are running Windows 10 stable and protected, you must update them regularly
with the latest security updates and fixes. Windows Update enables you to download and install important
and recommended updates automatically, instead of visiting the Windows Update website. To utilize
Windows Update effectively, you must be aware of the configuration options that it provides, and you
must be able to guide users on how to configure these options.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Windows 10 servicing options.


Describe the available methods for applying updates to Windows 10.

Explain the Windows Update configuration options.

Explain the Group Policy Object (GPO) settings available for configuring Windows Update.
Configure Windows Update.

Describe how to use Windows Server Update Services (WSUS) to provide updates to Windows 10.

Explain Windows Update for Business.

Windows 10 Servicing Options


In addition to security updates and fixes, Microsoft delivers feature updates to Windows 10. This approach
is similar to the way that devices running operating systems such as Android and iOS receive updates.

Large organizations must balance their desire to deliver the latest operating-system features to their
users with the need to provide stable devices. Therefore, Microsoft has a number of servicing options that
allow organizations to determine the speed with which they deliver new features to Windows 10 devices. The
three servicing options are:
Current branch. This servicing option makes feature updates available immediately after Microsoft
publishes them, and it is available across all main Windows 10 editions.

Current branch for business. This servicing option makes feature updates available approximately four
months after Microsoft publishes them, which gives IT staff at organizations the time to test and
evaluate feature updates before applying them to devices. This servicing option is not available for
the Home edition of Windows 10.

Long-term servicing branch. This servicing option enables long-term deployment of selected
Windows 10 releases with minimal feature updating. This option is for low-change environments,
and it is available only on the Enterprise Long Term Servicing Branch edition of Windows 10.

Note: Microsoft delivers servicing updates when they become available, across all servicing
options, just as it does today for other Windows versions.

Windows 10 servicing options for updates and upgrades: http://aka.ms/h4g0gh

Methods for Applying Updates to Windows 10


It is important to keep Windows 10 and applications up to date, and you should consider several factors
when determining an update strategy, including that:

Updates may include:

o Security fixes to protect against recent malware and other security threats.

o Functional changes that enable compatibility with devices and peripherals.

o Corrections in software behavior that help to eliminate functionality problems with either Windows 10
or with the applications installed on the computer.

Consistency is important. You can simplify the troubleshooting process by ensuring that all computers
are using the same software version and contain the same updates and fixes.

You can use a number of different methods and technologies to apply updates to Windows 10.

Windows Update
Windows Update is a service that provides software updates that keep your computer up to date and
protected. In the Settings app, in Update & security, on the Windows Update tab, you can view the
updates that are available for your Windows 10 device. Under Advanced options, you can configure
how Windows Update downloads and installs updates for your computer.

Generally, you should configure computers that are running Windows 10 to download and install updates
automatically, to ensure that the computer has the most up-to-date and protected configuration possible.
Windows Update can also deliver non-Microsoft software components, such as device drivers.

Note: By default, Windows 10 will download and install updates automatically.

You also can apply updates to Windows by using:

System Center 2012 R2 Configuration Manager. Microsoft System Center 2012 R2 Configuration
Manager performs many configuration management-based tasks in an enterprise, including update
management. You can use Configuration Manager to incorporate WSUS into your configuration
management environment, and to provide greater control over update scheduling, deployment,
and reporting. You can also use Configuration Manager to deploy non-Microsoft updates.

Microsoft Intune. Microsoft Intune is a management tool that provides central update management.
With Microsoft Intune, you can send out updates for Windows operating systems, and also non-
Microsoft updates for non-Microsoft apps. With Microsoft Intune, you can perform the following
tasks:

o Approve and deploy updates after you test them, and not immediately after Microsoft releases
them.
o Approve different updates for different computer groups.

o Approve updates manually or automatically, based on several criteria.

o Uninstall updates.
o Deploy both Microsoft updates and non-Microsoft updates in the same way.

Microsoft Intune also provides reports about which updates clients require, which updates are
pending, and which updates are installed already.
Microsoft updates are available through Microsoft Intune automatically, as soon as Microsoft releases
them to Windows Update. However, with non-Microsoft updates, you must obtain and upload the
updates to Microsoft Intune cloud storage before you can approve and deploy them to client
computers.

Windows Update Settings in Windows 10


To configure Windows Update settings on a local computer, open Settings. Tap Update & security, and then
tap Windows Update. From the Windows Update tab, you can configure and control Windows Update.

Tap Advanced options. You can now configure the following options:

Choose how updates are installed. Select between:

o Automatic (recommended). With this option, Windows 10 downloads and applies updates, and your computer
restarts automatically, when necessary, when it is not in use.

o Notify to schedule restart. This option enables you to determine a scheduled time for a
necessary restart following the automatic application of updates.

Give me updates for other Microsoft products when I update Windows. If you have Microsoft
Office or other Microsoft products installed, selecting this option enables Windows Update to keep
those products up to date simultaneously.

Defer upgrades. Some Windows 10 editions allow you to defer upgrades to your computer. When
you defer upgrades, Windows 10 does not download or install new Windows 10 features for several
months.

Note: Deferring upgrades does not affect security updates, but it does prevent you from
getting the latest Windows features as soon as they are available.

View your update history. You can use this option to see the updates that were applied, and those that
failed to apply. You can also tap Uninstall updates. This option opens the Installed Updates node
of Programs and Features in Control Panel. You can then choose to remove any undesirable updates.

Choose how updates are delivered. Windows Update enables you to obtain updates from more
than one place. By default, the Updates from more than one place option is enabled. This setting
means that Windows obtains updates from Microsoft, but also from computers on the local network
and on the Internet. The advantage of this scenario is that Windows can obtain updates more quickly.
Once one device has updates installed, other devices can obtain the same updates without needing
to download from Microsoft. You can configure the additional sources as either:

o PCs on my local network


o PCs on my local network, and PCs on the Internet

Alternatively, you can disable the Updates from more than one place setting. Then Windows
Update will only update from the Microsoft update servers.
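The update history and the list of updates Windows Update would offer right now can also be read programmatically, which is how you collect them from many devices rather than opening Settings on each. This is an added example, not course material: it uses the Windows Update Agent COM API (Microsoft.Update.Session) and only members of the documented IUpdateSearcher, IUpdateHistoryEntry and IUpdate interfaces.

```powershell
# Added example (not course material): "View your update history" and pending updates through the
# Windows Update Agent COM API.

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# OperationResultCode and UpdateOperation enumerations from the WUA API.
$resultName = @{ 0 = 'NotStarted'; 1 = 'InProgress'; 2 = 'Succeeded'; 3 = 'SucceededWithErrors'; 4 = 'Failed'; 5 = 'Aborted' }
$opName     = @{ 1 = 'Installation'; 2 = 'Uninstallation' }

function Get-UpdateHistoryTable {
    $total = $searcher.GetTotalHistoryCount()
    if ($total -eq 0) { return }
    $searcher.QueryHistory(0, $total) |
        Where-Object { $_.Title } |                      # entries without metadata are not useful
        ForEach-Object {
            [pscustomobject]@{
                Date      = $_.Date
                Operation = $opName[[int]$_.Operation]
                Result    = $resultName[[int]$_.ResultCode]
                HResult   = '0x{0:X8}' -f $_.HResult     # the error code Settings shows for a failed update
                Title     = $_.Title
            }
        }
}

$history = Get-UpdateHistoryTable
$failed  = @($history | Where-Object { $_.Result -in 'Failed', 'Aborted' })
'{0} history entries, {1} failed or aborted' -f @($history).Count, $failed.Count
$failed | Sort-Object Date -Descending | Format-Table Date, Operation, Result, HResult, Title -AutoSize

# Updates the configured source (Microsoft or an intranet server) would offer now. This performs a real scan,
# so it needs connectivity and can take a minute.
$pending = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'").Updates
"Pending software updates: $($pending.Count)"
foreach ($u in $pending) {
    # MsrcSeverity is set on security updates (Critical, Important, Moderate, Low); other updates leave it empty.
    $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { '-' }
    '{0,-10} {1}' -f $sev, $u.Title
}
```

A device that reports a long run of Failed entries with the same HResult, or a non-empty pending list weeks after release, is the one to look at first; the history alone does not tell you why the install failed, but it tells you which machines never reached the patched state.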

Available GPOs for Configuring Windows Update


To configure each individual computer with specific Windows Update settings would be very time-consuming.
Fortunately, you can create a GPO to configure the necessary settings, and then use Active Directory Domain
Services (AD DS) to apply those settings to the appropriate collection of computers. Three nodes in Group
Policy contain Windows Update settings that are relevant for Windows 10 devices.

Note: There are several settings for earlier Windows versions. This section lists only those that are
relevant to Windows 10.

The first of these nodes is the Windows Update node. Open the Group Policy Management Console on a
domain controller, and then navigate to Computer Configuration/Administrative Templates
/Windows Components/Windows Update. You can configure the following settings:
Configure Automatic Updates

This policy setting specifies whether the computer will receive security updates and other important
downloads through the Windows automatic updating service.

This setting lets you specify whether to enable automatic updates on your computer. If you enable
this setting, you must select one of the four options in the Group Policy setting:

o 2 = Notify for download and notify for install

When Windows finds updates that apply to your computer, an icon displays in the status area,
with a message that updates are ready for download.

Clicking the icon or the message provides the option to select the specific updates that you want
to download. Windows then downloads your selected updates in the background.

When the download completes, the icon displays in the status area again, with notification that
the updates are ready for installation. Clicking the icon or message provides the option to select
which updates to install.

o 3 = Auto download and notify for install


Windows finds updates that apply to your computer, and then downloads these updates in the
background, without notifying or interrupting the user during this process.

When the download completes, the icon displays in the status area, with a notification that the
updates are ready for installation. Clicking the icon or message provides the option to select
which updates to install.

o 4 = Auto download and schedule the install


Specify the schedule by using the options in the Group Policy setting. If you do not specify a
schedule, the default schedule for all installations will be every day at 03:00.

If any of the updates require a restart to complete the installation, the Windows operating system
will restart the computer automatically. If a user is signed in to the computer when the Windows
operating system is ready to restart, it will notify the user and give the option to delay the restart.

o 5 = Allow local admin to choose setting


With this option, the local administrators will be allowed to use the Automatic Updates control
panel to select a configuration option. For example, administrators can choose their own
scheduled installation time. Local administrators cannot disable Automatic Updates
configuration.

To use the Configure Automatic Updates setting, click Enabled, and then select one of the options (2,
3, 4, or 5). If you select 4, you can set a recurring schedule. If you do not specify a schedule, all
installations will occur every day at 03:00.

If you set the status to Enabled, Windows recognizes when the computer is online, and then uses its
Internet connection to search Windows Update for updates that apply to your computer.
If you set the status to Disabled, you must manually download and install any updates that are
available on Windows Update.

If you set the status to Not Configured, the use of Automatic Updates is not specified at the Group
Policy level. However, an administrator can still configure Automatic Updates through Control Panel.

Specify intranet Microsoft update service location

This setting specifies an intranet server to host updates from Microsoft Update. You can then use this
update service to update your network's computers automatically.

This setting lets you specify a server on your network to function as an internal update service. The
Automatic Updates client will search this service for updates that apply to the computers on your
network.

To use this setting, you must set two server name values, including the:
o Server from which the Automatic Updates client detects and downloads updates

o Server to which updated workstations upload statistics

You can set both values to be the same server.

If you set the status to Enabled, the Automatic Updates client connects to the specified intranet
location, instead of Windows Update, to search for and download updates. Enabling this setting
means that end users in your organization do not have to go through a firewall to get updates, and
it gives you the opportunity to test updates before deploying them.

If you set the status to Disabled or Not Configured, and if Automatic Updates is not disabled by
policy or user preference, the Automatic Updates client connects directly to the Windows Update site
on the Internet.

Note: The preceding settings do not have an obvious effect on the user interface, because
in Windows 10, these options are not visible in the ADVANCED OPTIONS pane of Windows
Update. They are visible in Windows 8.1. However, these settings do affect the way in which
Windows Update delivers updates.

Defer Upgrade

If you enable this policy setting, in Windows 10 Pro and Windows 10 Enterprise editions, you can
defer upgrades until the next upgrade period (at least a few months).

If you do not enable this policy, you will receive upgrades as they become available, and Windows
Update will then install them as part of your update policies.
In addition to the Windows Update node, you also can configure update settings in Computer
Configuration/Administrative Templates/Windows Components/Data Collection and Preview
Builds. You can configure the following settings:

Toggle user control over Insider builds

This policy setting determines whether users can access the Insider build controls in the Advanced
Options for Windows Update. These controls are located under Get Insider builds, and enable users to
make their devices available for downloading and installing Windows preview software.

If you enable or do not configure this policy setting, users can download and install Windows preview
software on their devices.

If you disable this policy setting, the Get Insider builds item will be unavailable.

Allow Telemetry

This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A
value of 0 indicates that operating system (OS) components will send no telemetry data to Microsoft.
Setting a value of 0 is applicable for enterprise and server devices only. Setting a value of 0 for other
devices is equivalent to choosing a value of 1. A value of 1 sends only a limited amount of diagnostic
and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device. A
value of 2 sends enhanced diagnostic and usage data. A value of 3 sends the same data as a value of
2, plus additional diagnostics data, such as the system state at the time of a system halt or crash, and
the files and content that may have caused the problem.

If you disable or do not configure this policy setting, users can configure the Telemetry level in
Settings.

Disable pre-release features or settings

This policy setting determines the level to which Microsoft can experiment with the product to study
user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only.
A value of 2 allows Microsoft to conduct full experimentations.

If you disable this policy setting, no experimentations will occur.

If you do not configure this policy setting, users can configure the Let Microsoft try features on this
build option in Settings.

Finally, the Computer Configuration/Administrative Templates/Windows Components/Delivery Optimization
node contains the following settings:

Download Mode
Set this policy to configure the use of Windows Update Delivery Optimization in downloads of
Windows apps and updates.

Available modes are: 0=disable, 1=peers on same NAT only, 2=Local Network/Private Peering (PCs in
the same domain by default), and 3=Internet Peering.

Group ID

Set this policy to specify an arbitrary group ID to which the device belongs. Use this if you need to:

o Limit the number of devices participating in peering in a domain network with many users.

o Create a single group for Local Network Peering for branches that are on different domains or
are not on the same network address translation (NAT).

Note: This is a best effort optimization. You should not rely on it for an authentication of
identity. You must use a globally unique identifier (GUID) as the group ID.

Max Upload Bandwidth

Set this policy to define a limit for the upload bandwidth that a device will utilize for all concurrent
upload activity via Delivery Optimization (set in kilobytes per second).

Max Cache Size

Set this policy to define the maximum cache size Delivery Optimization can utilize as a percentage of
the internal disk size.
Max Cache Age

Set this policy to define the maximum time that the Delivery Optimization cache holds each file.

Demonstration: Configuring Windows Update


In this demonstration, you will see how to:

Configure Windows Update manually.

Configure Windows Update by using GPOs.

Demonstration Steps
Configure Windows Update manually
1. On LON-CL1, open Settings.

2. In Update & security, on the Windows Update tab, in Advanced options, configure the following
options:

o Automatic (recommended)

o Give me updates for other Microsoft products when I update Windows: Off
o Defer upgrades: Off

3. Notice the Get started option beneath Get Insider builds.



Configure Windows Update by using GPOs


1. Open Local Group Policy Editor.

2. Configure the following options:


o Computer Configuration/Administrative Templates/Windows Components/Data Collection and
Preview Builds/Toggle user control over Insider builds: Disabled

o Computer Configuration/Administrative Templates/Windows Components/Windows
Update/Defer Upgrade: Enabled

o Computer Configuration/Administrative Templates/Windows Components/Windows
Update/Always automatically restart at the scheduled time: Enabled

3. Refresh the Group Policy settings by using gpupdate /force, and then sign out.
3. Refresh the Group Policy settings by using gpupdate /force, and then sign out.

4. Sign in as Adatum\Administrator with the password Pa$$w0rd.

5. Notice the Some settings are managed by your organization banner.


6. Notice that the option to Get started with Insider builds is unavailable.
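The Some settings are managed by your organization banner tells you that a policy is in force, but not which one. The settings described in the previous topic, and the three the demonstration configures, can all be read back from the registry values the ADMX templates write under HKLM\SOFTWARE\Policies, which is what you want in an audit script. This is an added example, not course material: the value names are those in the Windows 10 ADMX templates of this release (later builds add more), and the two warnings at the end are the editor's own checks, not something the course states.

```powershell
# Added example (not course material): audit the Windows Update, Data Collection and Preview Builds, and
# Delivery Optimization policies from the registry values the corresponding Group Policy settings write.

$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au = "$wu\AU"
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$pb = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
$do = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-PolicyValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { '<not configured>' } else { $item.$Name }
}
# Label numeric options the way the Group Policy editor does.
function Decode([hashtable]$Map, $Value) {
    if ($Value -is [int] -and $Map.ContainsKey($Value)) { "$Value = $($Map[$Value])" } else { $Value }
}

$auOptions = @{ 2 = 'Notify for download and notify for install'; 3 = 'Auto download and notify for install'
                4 = 'Auto download and schedule the install';     5 = 'Allow local admin to choose setting' }
$telemetry = @{ 0 = 'Security (Enterprise and Server only)'; 1 = 'Basic'; 2 = 'Enhanced'; 3 = 'Full' }
$doModes   = @{ 0 = 'Disabled (HTTP only, no peering)'; 1 = 'Peers behind the same NAT only'
                2 = 'Local network / private peering';   3 = 'Internet peering' }

$report = [ordered]@{
    'Configure Automatic Updates (AUOptions)'     = Decode $auOptions (Get-PolicyValue $au 'AUOptions')
    'Automatic Updates disabled (NoAutoUpdate=1)' = Get-PolicyValue $au 'NoAutoUpdate'
    'Scheduled install day (0 = every day)'       = Get-PolicyValue $au 'ScheduledInstallDay'
    'Scheduled install hour'                      = Get-PolicyValue $au 'ScheduledInstallTime'
    'Always restart at scheduled time'            = Get-PolicyValue $au 'AlwaysAutoRebootAtScheduledTime'
    'Intranet update server (WUServer)'           = Get-PolicyValue $wu 'WUServer'
    'Intranet statistics server (WUStatusServer)' = Get-PolicyValue $wu 'WUStatusServer'
    'Use intranet server (UseWUServer)'           = Get-PolicyValue $au 'UseWUServer'
    'Defer Upgrade'                               = Get-PolicyValue $wu 'DeferUpgrade'
    'Allow Telemetry'                             = Decode $telemetry (Get-PolicyValue $dc 'AllowTelemetry')
    'Insider builds (AllowBuildPreview, 0 = off)' = Get-PolicyValue $pb 'AllowBuildPreview'
    'DO Download Mode'                            = Decode $doModes (Get-PolicyValue $do 'DODownloadMode')
    'DO Group ID'                                 = Get-PolicyValue $do 'DOGroupId'
    'DO Max Upload Bandwidth (KB/s)'              = Get-PolicyValue $do 'DOMaxUploadBandwidth'
    'DO Max Cache Size (% of disk)'               = Get-PolicyValue $do 'DOMaxCacheSize'
    'DO Max Cache Age (seconds)'                  = Get-PolicyValue $do 'DOMaxCacheAge'
}
$report.GetEnumerator() | Format-Table Name, Value -AutoSize

# Editor's checks: the intranet server setting is only as trustworthy as the transport it uses.
$wuServer = Get-PolicyValue $wu 'WUServer'
if ($wuServer -is [string] -and $wuServer -match '^http://') {
    Write-Warning "WUServer '$wuServer' is plain HTTP; publish WSUS over HTTPS so update metadata cannot be altered in transit."
}
if ((Get-PolicyValue $au 'UseWUServer') -eq 1 -and -not ($wuServer -match '^https?://')) {
    Write-Warning 'UseWUServer=1 but WUServer is missing or malformed: clients have no update source.'
}
```

After the demonstration's gpupdate /force, the AllowBuildPreview, DeferUpgrade and AlwaysAutoRebootAtScheduledTime rows should read 0, 1 and 1 respectively; everything still showing <not configured> is left to the local Settings app.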

Using a WSUS Server to Deploy Updates


Organizations and home users use different methods to process updates. Within an organization, downloading
updates and applying them to each individual computer is repetitive and inefficient. Consequently, Microsoft
provides a number of ways for organizations to make the update process more manageable. One of these is the
Windows Server Update Services (WSUS) role. The WSUS role provides a central management point for updates to
your computers running the Windows operating system. By using WSUS, you can create a more efficient update
environment in your organization, and stay better informed about the overall update status of the computers
on your network.

WSUS is a server role included in the Windows Server 2012 operating system that downloads and
distributes updates to Windows clients and servers. WSUS can obtain updates that are applicable to the
Windows operating system and common Microsoft programs, such as the Microsoft Office suite and
Microsoft SQL Server.

In the simplest configuration, a small organization can have a single WSUS server that downloads updates
from the Microsoft Update website. The WSUS server then distributes the updates to computers that you
have configured to obtain automatic updates from the WSUS server. You must approve the updates
before clients can download them.

Larger organizations can create a hierarchy of WSUS servers. In this scenario, a single centralized WSUS
server obtains updates from Microsoft Update, and other WSUS servers obtain updates from the
centralized WSUS server.

You can organize computers into groups to simplify the approval of updates. For example, you can
configure a pilot group to be the first set of computers that you use for testing updates.

WSUS can generate reports to help monitor update installation. These reports can identify which
computers have not applied recently approved updates. Based on these reports, you can investigate
why this is happening.

The WSUS update management process


The update management process allows you to manage and maintain WSUS and the updates that it
retrieves. This process is a continuous cycle during which you can reassess and adjust the WSUS
deployment to meet changing needs. The four phases in the update management process are:

Assess. The goal of the assess phase is to set up a production environment that supports update
management for routine and emergency scenarios. The assess phase is an ongoing process that you
use to determine the most efficient topology for scaling the WSUS components. As your organization
changes, you might identify a need to add more WSUS servers in different locations.

Identify. During the identify phase, you identify new updates that are available, and determine
whether they are relevant to your organization. You have the option to configure WSUS to retrieve
all updates automatically, or to retrieve only specific types of updates. WSUS also identifies which
updates are relevant to registered computers.
Evaluate and plan. After you identify the relevant updates, you need to evaluate whether they work
properly in your environment. There is always the possibility that the specific combination of software
in your environment might have problems with an update.
To evaluate updates, you should have a test environment in which you can apply updates to verify
proper functionality. During this time, you might identify dependencies that an update requires to
function properly, and you can plan any changes that you need to make. You can achieve this if you
use one or more computer groups for testing purposes. For example, you may have a computer
group with client computers that run all of the operating systems and applications that are updated
by using WSUS. You can use another computer group for servers that run the different applications
and operating systems that are updated by WSUS. Before you deploy updates to the entire
organization, you can push updates to these computer groups, and then test them. Only after
making sure they work as expected should you move on to the deploy phase.

Deploy. After you have thoroughly tested an update and determined any dependencies, you can
approve it for deployment in the production network. Ideally, you should approve the update for a
pilot group of computers before approving the update for the entire organization. You also can
configure WSUS to use automatic updates.
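The identify, evaluate and deploy phases above map directly onto the UpdateServices PowerShell module that ships with the WSUS role on Windows Server 2012 and later. This is an added example, not course material: the server name, port and the Pilot and All Workstations computer group names are assumptions for illustration, and it is meant to run on the WSUS server or a machine with the WSUS console installed.

```powershell
# Added example (not course material): one pass of the WSUS update management cycle with the
# UpdateServices module. Server name, port and group names are assumed values for this illustration.

Import-Module UpdateServices
# -UseSsl connects to the administration API over HTTPS (8531 is the default SSL port).
$wsus = Get-WsusServer -Name 'LON-SVR1.adatum.com' -PortNumber 8531 -UseSsl

# Identify: security updates that have been synchronised, are needed or failing somewhere, and are unapproved.
$candidates = @(Get-WsusUpdate -UpdateServer $wsus -Classification Security -Approval Unapproved -Status FailedOrNeeded)
"{0} unapproved security updates are needed by at least one client" -f $candidates.Count

# Evaluate and plan: approve them for the pilot group only; production groups are untouched.
$candidates | Approve-WsusUpdate -Action Install -TargetGroupName 'Pilot'

# Deploy gate: only widen the approval when no pilot computer still needs or failed an update.
$pilotPending = @(Get-WsusComputer -UpdateServer $wsus -ComputerTargetGroups 'Pilot' -ComputerUpdateStatus FailedOrNeeded)
if ($pilotPending.Count -eq 0) {
    $candidates | Approve-WsusUpdate -Action Install -TargetGroupName 'All Workstations'
} else {
    Write-Warning ('{0} pilot computers still report failed or needed updates; not approving for production.' -f $pilotPending.Count)
    $pilotPending | Format-Table FullDomainName, IPAddress, LastReportedStatusTime -AutoSize
}

# Housekeeping: decline unapproved updates that a newer update already supersedes, so clients stop
# evaluating them and the catalogue stays small.
Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval Unapproved |
    Where-Object { $_.UpdatesSupersedingThisUpdate -ne 'None' } |
    Deny-WsusUpdate
```

Running this on a schedule gives you the assess phase for free: the warning count over time shows whether the pilot group is large enough to catch problems before production approval.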

Windows Update for Business


As an alternative to using WSUS, organizations implementing Windows 10 can use what is broadly referred to
as Windows Update for Business. Windows Update for Business is not an update platform, nor a Windows
feature, but a solution that seeks to deliver updates and fixes in a different way from WSUS, and has the
following features:

Servicing options. Microsoft provides a number of update servicing options, discussed at the beginning of
this lesson. Some servicing options deliver feature updates more quickly than others, and organizations can
choose the appropriate servicing options for their update strategy, depending on the Windows 10 edition
they deploy.

Maintenance windows. You can define appropriate maintenance windows for your organization. This
allows you to define times when Windows 10 should, or should not, deliver updates.

Integration with other update tools. Windows Update for Business can coexist with other update
technologies, such as Configuration Manager or Microsoft Intune.

Note: Windows Update for Business requires Windows 10 Pro or Windows 10 Enterprise.

Windows 10 also supports a peer-to-peer delivery mechanism for updates, in which clients that receive a
particular update can serve as a source for other clients in the local network. Delivering updates this way
can be beneficial in branch offices where network bandwidth may not be as high as is desirable for quick
update delivery.

Check Your Knowledge


Question

Aside from using WSUS to apply updates, what other technologies could you use to
help keep your Windows 10 devices up to date? (Choose all that apply)

Select the correct answer.

Microsoft Intune

Microsoft System Center 2012 R2 Configuration Manager

Windows Update for Business

Verify the correctness of the following statement (true or false):

You can use Windows Update for Business to update all editions of Windows 10.

Lesson 2
Monitoring Windows 10
Windows 10 includes a number of tools that you can use to monitor your Windows 10 devices proactively.
Understanding how to use these tools will help you track notifications, events, and reliability issues on
your computers.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to use Task Manager.

Explain Event Viewer.

Describe how to create event subscriptions.

Monitor Windows 10.

View reliability history.

Task Manager
In Windows 10, Task Manager provides information that can help you identify and resolve problems with
apps. Task Manager includes the following tabs:

Processes. The Processes tab displays a list of running programs, subdivided into apps and internal
Windows processes. For each running process, this tab displays a summary of processor and memory usage.

Performance. The Performance tab displays a summary of central processing unit (CPU) and memory usage,
and network statistics.

App history. The App history tab displays statistics and resource consumption by apps. This is useful
for identifying a specific app that is consuming excessive resources.
Startup. The Startup tab displays items that run at startup. You can choose to disable any listed
programs.

Users. The Users tab displays resource consumption on a per-user basis. You also can expand the
user view to see more detailed information about the specific processes that a user is running.
Details. The Details tab lists all the running processes on a server, providing statistics about CPU,
memory, and other resource consumption. You can use this tab to manage running processes. For
example, you can stop a process, stop a process and all related processes, or change the priority
values of processes. By changing the priority of a process, you determine the degree to which the
process can consume CPU resources. By increasing the priority, you allow the process to request more
CPU resources.

Services. The Services tab provides a list of running Windows services with related information,
including whether a service is running and the process identifier (PID) value of a running service. You
can start and stop services by using the list on the Services tab.

You also might consider using Task Manager when a performance-related problem first becomes
apparent. For example, you might examine running processes to determine if a particular program
is using excessive CPU resources. Remember that Task Manager only shows current local resource
consumption. You also might need to examine historical data to get a better understanding of a server
or computer's performance and response under load.

Event Viewer
Windows Event Viewer provides access to the Windows 10 event logs. Event logs provide information
regarding events that occur within Windows. These events include information, warning, and error messages
about Windows components and installed applications.

Event Viewer provides categorized lists of essential Windows log events, including application, security,
setup, and system events, in addition to log groupings for individual installed applications and specific
Windows component categories. Individual events provide detailed information regarding the type of event
that occurred, when the event occurred, the source of the event, and technical detailed information to
assist in troubleshooting the event.
Additionally, Event Viewer enables you to consolidate logs from multiple computers onto a centralized
computer by using subscriptions. Finally, you can configure Event Viewer to perform an action when
specific events occur. This may include sending an email message, launching an app, running a script, or
performing other maintenance actions to notify you or attempt to resolve a potential issue.
Event Viewer in Windows 10 includes the following features:

The ability to view multiple logs. You can filter for specific events across multiple logs, making it
simple to investigate issues and troubleshoot problems that might appear in several logs.
The inclusion of customized views. You can use filtering to narrow searches to only those events in
which you are interested, and you can save these filtered views.

The ability to configure tasks scheduled to run in response to events. You can automate responses to
events. Event Viewer is integrated with Task Scheduler.

The ability to create and manage event subscriptions. You can collect events from remote computers,
and then store them locally.

Note: To collect events from remote computers, you must create an inbound rule in
Windows Firewall to permit Windows Event Log Management.

Event Viewer tracks information in several different logs. These logs provide detailed information that
includes:
A description of the event

An event ID number

The component or subsystem that generated the event


Information, Warning, or Error status

The time of the occurrence

The user's name which is associated with an event

The computer on which the event occurred

A link to Microsoft TechNet for more information about the event

Windows Logs
Event Viewer has many built-in logs, including those in the following table.

Built-in log      Description and use
Application       This log contains errors, warnings, and informational events that pertain to the
                  operation of applications.
Security          This log reports the results of auditing, if you enable it. Audit events are described
                  as successful or failed, depending on the event. For instance, the log would report
                  success or failure regarding whether a user was able to access a file.
Setup             This log contains events related to application setup.
System            General events are logged by Windows components and services, and are classified as
                  error, warning, or information. Windows predetermines the events that system
                  components log.
Forwarded events  This log stores events collected from remote computers. To collect events from
                  remote computers, you must create an event subscription.

By default, Windows log files are 20,480 kilobytes (KB) in size, and events are overwritten as needed.

Note: The Setup log is 1,028 KB in size.

Application and Services logs

Applications and Services logs store events from a single app or component rather than events that might
have system-wide impact. This category of logs includes a number of subtypes:

Hardware Events

Internet Explorer

Key Management Service

Microsoft Office Alerts

TuneUp

Microsoft Azure

Windows PowerShell

The Applications and Services logs also contain a node called Microsoft. This contains a subnode called
Windows, which includes many nodes that contain very granular log information.

Managing logs
If you want to clear a log manually, you must sign in as a local administrator. If you want to configure
event log settings centrally, you can do so by using Group Policy. Open the Group Policy Management
Console for your selected GPO, and then navigate to Computer Configuration\Policies\Administrative
Templates\Windows Components\Event Log Service.

For each log, you can define:

The location of the log file.

The maximum size of the log file.

Automatic backup options.

Permissions on the logs.

Behavior that occurs when the log is full.

Custom views
Event logs contain vast amounts of data, so it can be a challenge to narrow your search to only those
events that interest you. In Windows 10, custom views enable you to query and sort only the events that
you want to analyze. You also can save, export, import, and share these custom views.
Event Viewer allows you to filter for specific events across multiple logs, and display all events that may
relate to an issue that you are investigating. To specify a filter that spans multiple logs, you need to create
a custom view.

Create custom views in the Action pane in Event Viewer. You can filter custom views based on multiple
criteria, including:

The time that the event was logged.

Event level to display, such as errors or warnings.

Logs from which to include events.

Specific event IDs to include or exclude.

User context of the event.

Computer on which the event occurred.
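The criteria above are exactly what an Event Viewer custom view stores as an XPath query on its XML tab. The following PowerShell function is an added example, not course material: it builds that query for the Critical, Error and Warning levels in the System and Application logs (the same selection as the custom view in the demonstration), runs it with Get-WinEvent, and summarizes the matches by provider and event ID; the 30-day window and any excluded event IDs are placeholder values.

```powershell
# Added example, not part of the course. Builds the XML that an Event Viewer
# custom view saves (the text on the view's XML tab) and runs it through
# Get-WinEvent, so the same filter can be scripted or run against a remote
# computer. Assumptions: the log names, the 30-day window and any excluded
# event IDs are illustrative values, not values specified by the course.

function Get-CustomViewEvents {
    [CmdletBinding()]
    param(
        [string[]]$LogName = @('System', 'Application'),   # logs to include
        [int[]]$Level = @(1, 2, 3),       # 1 = Critical, 2 = Error, 3 = Warning
        [int]$Days = 30,                  # the "Logged" time range
        [int[]]$ExcludeEventId = @(),     # IDs to leave out (placeholder use)
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Event Viewer expresses the time range as milliseconds before "now".
    $ms = [int64]$Days * 24 * 60 * 60 * 1000
    $levelExpr = ($Level | ForEach-Object { "Level=$_" }) -join ' or '
    $select = "*[System[($levelExpr) and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]"

    # One <Select> per log; excluded IDs become <Suppress> elements, which is
    # how Event Viewer records an excluded ID in a saved custom view.
    $lines = foreach ($log in $LogName) {
        "    <Select Path=`"$log`">$select</Select>"
        foreach ($id in $ExcludeEventId) {
            "    <Suppress Path=`"$log`">*[System[(EventID=$id)]]</Suppress>"
        }
    }
    $filterXml = @"
<QueryList>
  <Query Id="0" Path="$($LogName[0])">
$($lines -join "`n")
  </Query>
</QueryList>
"@

    try {
        Get-WinEvent -FilterXml $filterXml -ComputerName $ComputerName -ErrorAction Stop
    }
    catch {
        # Get-WinEvent reports an empty result as an error; return nothing instead.
        if ($_.Exception.Message -like '*No events were found*') { return }
        throw
    }
}

# Triage helper: which providers and event IDs dominate the view?
function Get-CustomViewSummary {
    param([int]$Days = 30, [int]$Top = 10)
    Get-CustomViewEvents -Days $Days |
        Group-Object ProviderName, Id |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property Count,
            @{ Name = 'Provider'; Expression = { $_.Group[0].ProviderName } },
            @{ Name = 'EventId';  Expression = { $_.Group[0].Id } },
            @{ Name = 'Level';    Expression = { $_.Group[0].LevelDisplayName } },
            @{ Name = 'Latest';   Expression = { ($_.Group | Sort-Object TimeCreated)[-1].TimeCreated } }
}

Get-CustomViewSummary | Format-Table -AutoSize
```

Running the summary on a computer whose custom view shows one provider and ID repeating tells you where to look first; the same XML can be pasted into the custom view dialog's XML tab to get the identical view in Event Viewer.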

Configuring Event Subscriptions

Event Viewer enables you to view events on a single computer. However, troubleshooting an issue might
require you to examine a set of events that are stored in multiple logs on multiple computers. For this
purpose, Event Viewer enables you to collect copies of events from multiple remote computers, and then
store them locally. To specify which events to collect, create an event subscription. After a subscription
is active and events are being collected, you can view and manipulate these forwarded events as you would
any other locally stored events.

To use the event-collecting feature, you must configure the forwarding and the collecting computers. The
event-collecting functionality depends on the Windows Remote Management (WinRM) service and the
Windows Event Collector service (Wecsvc). Both of these services must be running on computers that are
participating in the forwarding and collecting process.

Enabling subscriptions
To enable subscriptions, perform the following steps:

1. On each source computer, to enable Windows Remote Management, type the following command at
an elevated command prompt, and then press Enter:

winrm quickconfig

2. On the collector computer, to enable the Windows Event Collector service, type the following
command at an elevated command prompt, and then press Enter:

wecutil qc

3. Add the computer account of the collector computer to the local Event Log Readers group on each
of the source computers.
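The following PowerShell function is an added example, not part of the course: it checks the outcome of the three steps above, and of the firewall note in the Event Viewer topic, on a source or collector computer so that a subscription's prerequisites can be verified before the subscription is created. It assumes the collector is the lab computer LON-CL1 and that the inbound rules for remote event log collection are in the Windows Firewall rule group named Remote Event Log Management.

```powershell
# Added example, not part of the course. Verifies the prerequisites from the
# steps above on a source or collector computer; run from an elevated
# PowerShell prompt on Windows 10. Assumptions: the collector is LON-CL1
# (the lab name) and the inbound event log rules belong to the firewall rule
# group "Remote Event Log Management".

function Test-EventForwardingPrereqs {
    param(
        [Parameter(Mandatory)][ValidateSet('Source', 'Collector')]
        [string]$Role,
        [string]$CollectorName = 'LON-CL1'   # assumption: lab collector name
    )
    $checks = [ordered]@{}

    # Both roles depend on the WinRM service; "winrm quickconfig" starts it
    # and creates an HTTP listener, which is what the two checks below expect.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $checks['WinRM service running'] = [bool]($winrm -and $winrm.Status -eq 'Running')
    $listeners = Get-ChildItem -Path WSMan:\localhost\Listener -ErrorAction SilentlyContinue
    $checks['WinRM listener present'] = [bool]$listeners

    if ($Role -eq 'Collector') {
        # "wecutil qc" sets the Windows Event Collector service (Wecsvc) to
        # start automatically and starts it.
        $wec = Get-Service -Name Wecsvc -ErrorAction SilentlyContinue
        $checks['Wecsvc running'] = [bool]($wec -and $wec.Status -eq 'Running')
        $checks['Wecsvc start type automatic'] = ($wec.StartType -eq 'Automatic')
    }
    else {
        # Step 3: the collector's computer account (DOMAIN\NAME$) must be a
        # member of the local Event Log Readers group on every source.
        $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
        $checks['Collector in Event Log Readers'] =
            [bool]($members | Where-Object { $_.Name -like "*\$CollectorName`$" })

        # The note in the Event Viewer topic: an inbound rule must allow
        # remote event log management on the source.
        $rules = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' `
                     -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
        $checks['Event log firewall rules enabled'] = [bool]$rules
    }

    $result = [pscustomobject]$checks
    $result | Add-Member -NotePropertyName AllPassed `
                         -NotePropertyValue (-not ($checks.Values -contains $false)) -PassThru
}

# On a source computer such as LON-DC1:
Test-EventForwardingPrereqs -Role Source | Format-List
```

A false value in any row points at the step that still has to be done on that computer; on the collector, run the same function with -Role Collector.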

Demonstration: Monitoring Windows with Event Viewer

In this demonstration, you will see how to:

Explore custom views.

Create a custom view.

Configure the source computer.

Configure the collector computer.

Create and view the subscribed log.

Demonstration Steps
Explore custom views
1. On LON-CL1, open Event Viewer.

2. View the Administrative Events log in Custom Views.

Create a custom view

1. Create a new custom view with the following properties:

o Select the Critical, Warning, and Error options.

o Select the System and Application logs from Windows Logs.

o Call the custom view Adatum Custom View.

2. In Event Viewer, in the right pane, view the events that are visible within your custom view.

Configure the source computer

1. On LON-DC1, run the winrm quickconfig command at an elevated command prompt.

2. In Active Directory Users and Computers, add the collector computer, LON-CL1, as a member of the
local Administrators group.

Configure the collector computer

On LON-CL1, at an elevated command prompt, run the wecutil qc command.

Create and view the subscribed log

1. In Event Viewer, in the navigation pane, under Subscriptions, create a new subscription with the
following properties:

o Name: LON-DC1 Events

o Collector Initiated: LON-DC1

o Events: Critical, Warning, Information, Verbose, and Error

o Logged: Last 30 days

2. In Event Viewer, in the navigation pane, expand Windows Logs.

3. Click Forwarded Events.

4. Examine any listed events.

5. Close all apps and open windows.

Reliability History

Reliability Monitor reviews a computer's reliability and problem history. You can use the Reliability
Monitor to obtain several kinds of reports and charts to help you identify the source of reliability
issues. You can access the Reliability Monitor by clicking View reliability history in the Maintenance
section of the Action Center. The following section explains the main features of the Reliability Monitor
in more detail.

Note: To access Reliability Monitor, in the Search box, type Reliability, and then click view reliability
history.

System Stability Chart


A System Stability Chart summarizes system stability for the past year in daily increments. This chart
indicates any information, error, or warning messages, and it simplifies the task of identifying issues and
the date on which they occurred.

Installation and failure reports

The System Stability Report also provides information about each event in the chart. These reports include
the following events:

Software Installs
Software Uninstalls

Application Failures

Hardware Failures

Windows Failures

Miscellaneous Failures

Records key events in a timeline

Reliability Monitor tracks key events about the system configuration, such as the installation of new apps,
operating system patches, and drivers. It also helps you identify the reasons for reliability issues by
tracking the following events:

Memory problems

Hard-disk problems

Driver problems

Application failures

Operating-system failures

Reliability Monitor is a useful tool that provides a timeline of system changes and then reports on a
system's reliability. You can use this timeline to determine whether a particular system change correlates
with the start of system instability.

Problem Reports and Solutions

The Problem Reports and Solutions tool in Reliability Monitor helps you track problem reports and any
solution information that other tools have provided. This tool only stores information. Windows Error
Reporting handles all Internet communication related to problem reports and solutions. The Problem
Reports and Solutions tool provides a list of the attempts made to diagnose a computer's problems.

If an error occurs while an app is running, Windows Error Reporting prompts the user to choose if he or
she wants to send error information to Microsoft over the Internet. If information is available that can help
a user resolve a problem, Windows displays a message to the user with a link to information about how to
resolve the issue.
You can use the Problem Reports and Solutions tool to track resolution information and to recheck and
find new solutions. You can start the Problem Reports and Solutions tool from Reliability Monitor. The
following options are available in the tool:
Save reliability history

View all problem reports

Check for solutions to all problems

Clear the solution and problem history
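The correlation described above, between a change in the timeline and the start of instability, can also be made from PowerShell using the CIM classes that Reliability Monitor reads. The following function is an added example, not course material: it lists the days on which the stability index fell by at least one point and the installs and failures recorded on those days; the 30-day window and the one-point threshold are assumed values.

```powershell
# Added example, not part of the course. Reads the data behind the System
# Stability Chart (Win32_ReliabilityStabilityMetrics: hourly stability index
# on a 1-10 scale) and the event records behind the installation and failure
# reports (Win32_ReliabilityRecords), then reports the days on which the
# index dropped together with what was recorded that day.
# Assumptions: 30-day window and a one-point drop are illustrative values.

function Get-ReliabilityDrops {
    param(
        [int]$Days = 30,          # how far back to look
        [double]$MinDrop = 1.0    # drop in the index worth reporting
    )
    $since = (Get-Date).AddDays(-$Days)

    $metrics = Get-CimInstance -ClassName Win32_ReliabilityStabilityMetrics |
        Where-Object { $_.TimeGenerated -ge $since }
    $records = Get-CimInstance -ClassName Win32_ReliabilityRecords |
        Where-Object { $_.TimeGenerated -ge $since }

    # Collapse the hourly samples to one value per day (the day's last sample),
    # which is the daily increment the chart displays.
    $daily = $metrics |
        Group-Object { $_.TimeGenerated.ToString('yyyy-MM-dd') } |
        ForEach-Object {
            $last = $_.Group | Sort-Object TimeGenerated | Select-Object -Last 1
            [pscustomobject]@{
                Date  = $last.TimeGenerated.Date
                Index = [math]::Round($last.SystemStabilityIndex, 2)
            }
        } | Sort-Object Date

    $prev = $null
    foreach ($day in $daily) {
        if ($prev -and (($prev.Index - $day.Index) -ge $MinDrop)) {
            # Installs, uninstalls and failures recorded on the day of the drop.
            $events = $records |
                Where-Object { $_.TimeGenerated.Date -eq $day.Date } |
                ForEach-Object { "$($_.SourceName) $($_.EventIdentifier): $($_.ProductName)" } |
                Select-Object -Unique
            [pscustomobject]@{
                Date        = $day.Date.ToShortDateString()
                IndexBefore = $prev.Index
                IndexAfter  = $day.Index
                Events      = $events -join '; '
            }
        }
        $prev = $day
    }
}

Get-ReliabilityDrops | Format-Table -Wrap
```

A day whose Events column lists a driver or software install immediately before the index falls is the kind of correlation the text describes; an empty Events column with a drop means the failures were recorded on a different day than the change that caused them.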

Verify the correctness of the statement by placing a mark in the column to the right.

Statement Answer

To establish event subscriptions, at the collector computer, you must run the
winrm quickconfig command to configure firewall rules.

Lesson 3
Optimizing Performance
By using the performance-monitoring tools in Windows 10, you can verify that your Windows 10 devices
are optimized. By understanding how Windows uses computer resources, such as memory and processor,
and by learning how to monitor these resources, you can ensure that your users' computers are running
smoothly and efficiently.

Lesson Objectives
After completing this lesson, you will be able to:

Describe factors that affect the performance of Windows 10 devices.

Explain how to use Windows 10 tools to monitor performance.

Use Performance Monitor to view system performance.

Performance Considerations

Decreased computer system performance is a common source of user complaints. Performance is a measure
of how quickly a computer completes application and system tasks. Performance problems can occur when
available resources are lacking. Computers respond slowly for several reasons, including disorganized
files, unnecessary software that consumes resources, too many startup apps, or perhaps even malware or a
virus. Factors that can influence computer system performance include:

Access speed of the physical hard disks.

Memory available for all running processes.

Fastest speed of the processor.

Maximum throughput of the network interfaces.

Resources that the individual applications consume.

Faulty or poor configuration of components, which leads to the unnecessary consumption of
resources.

Out-of-date or inappropriate drivers for system components and peripherals, including the graphics
subsystem.

How Windows uses key system components

The four main hardware components that you should monitor in a Windows 10-based computer are:

Processor

Disk

Memory

Network

Note: Although not considered a core component, the graphics adapter and its driver can
have a significant impact on the performance of graphics-intensive apps. If your users intend to
run apps that are graphically demanding, ensure that you select a device with a powerful
graphics subsystem, and that you install the latest vendor-specific driver, rather than relying
on a generic driver.

By understanding how the operating system utilizes these four key hardware components and how
they interact, you can optimize computer workstation performance. When monitoring workstation
performance, you should consider:

The measurement of all key components in the user's workstation.

The workstation role and its workload, to determine which hardware components are likely to restrict
performance.

The ability to increase workstation performance by adding power or reducing the number of
applications that the user is running.

Processor

One important factor in determining your computer's overall processor capacity is processor speed. The
number of operations that the processor performs over a specific period determines its speed. Computers
with multiple processors or processors with multiple cores generally perform processor-intensive tasks
with greater efficiency, and as a result, are faster than single-processor or single-core processor
computers.

Processor architecture is also important. 64-bit processors can access more memory and have a significant
positive effect on performance. This is true especially when applications running on your users'
workstations require a large amount of memory.

Disk

Hard disks store apps and data. Consequently, the throughput of a workstation's disk affects its speed,
especially when the workstation is performing disk-intensive tasks. Many hard disks have moving parts,
and it takes time to position the read/write heads over the appropriate disk sector to retrieve the
requested information.

Note: Most Windows 10 tablet devices use solid-state drives (SSDs), which have no moving
parts.

By selecting faster disks and by using collections of disks to optimize access times, such as Redundant
Array of Independent Disks (RAID), you can alleviate the risk of the disk subsystem creating a performance
bottleneck.

Windows 10 moves information on the disk into memory before it uses it. Therefore, if a surplus of
memory exists, the Windows 10 operating system creates a file cache for items recently written to or read
from disks. Installing additional memory in a workstation often improves the disk subsystem performance,
because accessing the cache is faster than moving the information into memory.
It is important to consider the type of work for which the user will use the device. Different work profiles
use disks in different ways. For example, some applications read from a disk more frequently than they
write to the disk (read-intensive), and therefore good read performance is important, whereas other
applications are more write-intensive.

Note: SSDs have different read and write performance profiles. Determine the workload
profile, and then attempt to match the disk's performance profile to optimize the device's
performance.

Memory
Apps and data load from disk into memory before the app manipulates the data. In devices that run
multiple apps, or where datasets are very large, you can improve device performance by installing more
memory.

Windows 10 uses a memory model that does not reject excessive memory requests. Instead, Windows 10
manages them by using a process known as paging. During paging, Windows 10 moves the data and
apps in memory that processes are not currently using to the paging file on the hard disk. This frees up
physical memory to satisfy the excessive memory requests. However, because a hard disk is comparatively
slow, it has a negative effect on device performance. By adding more memory, and by using a 64-bit
processor architecture that supports larger memory, you can reduce the need for paging.

Network
It is important not to underestimate the effects that a poorly performing network may have on
workstation performance. Network performance problems may be harder to detect or measure than
problems with other workstation components. However, the network is a critical component for
performance monitoring, because network devices store so many of the apps and data being processed.

Understanding bottlenecks
A performance bottleneck occurs when a computer is unable to service the current requests for a specific
resource. The resource might be a key component, such as a disk, memory, processor, or network.
Alternatively, the shortage of a component within an application package may cause a bottleneck.
By using performance-monitoring tools on a regular basis, and by comparing the results to your baseline
and to historical data, you can identify performance bottlenecks before they impact users.

Once you identify a bottleneck, you must decide how to remove it. Your options for removing a
bottleneck include:

Running fewer applications.

Adding additional resources to the computer.

A computer suffering from a severe resource shortage may stop processing user requests. This situation
requires immediate attention. However, if your computer experiences a bottleneck but still operates
within acceptable limits, you might decide to defer any changes until you resolve the situation, or until
you have an opportunity to take corrective action.

Note: As you identify and resolve a performance problem that is affecting one system
component, another component may experience issues. Therefore, performance monitoring is an
ongoing process.

Performance Monitoring

By calculating performance baselines for your client computer environment, you can interpret real-time
monitoring information more accurately. A baseline for a Windows 10 device's performance indicates what
your performance-monitoring statistics look like during normal use. You can establish a baseline by
monitoring performance statistics over a specific period. When an issue or symptom occurs in real time,
you can compare your baseline statistics to your real-time statistics, and then identify anomalies.

You can set up a baseline with the Windows 10 performance-monitoring tools to help you with the
following tasks:

Evaluating your computer's workload.

Monitoring system resources.

Noticing changes and trends in resource use.

Testing configuration changes.

Diagnosing problems.

By collecting performance data, you can establish a baseline to use as a standard for comparison. Create a
baseline when you first configure the computer, at regular intervals of typical usage, and when you make
any changes to the computer's hardware or software configuration. If you have appropriate baselines, you
can determine the resources that are affecting your computer's performance. Windows 10 provides a
number of performance-monitoring tools that you can use to help identify performance-related issues.

Task Manager

You can use the Performance tab in Task Manager to help to identify performance problems. The
Performance tab displays a summary of CPU and memory usage, and network statistics.
Generally, you might consider using Task Manager when a performance-related problem first becomes
apparent. For example, you might examine the running processes to determine if a particular program is
using excessive CPU resources. Remember that Task Manager shows a snapshot of current resource
consumption. You may need to examine historical data to get a better understanding of a server
computer's performance and response under load.

Resource Monitor

Resource Monitor provides a snapshot of system performance. Because the four key system components
are processor, memory, disk, and network, Resource Monitor provides a summary of these four
components and a detailed tab for each. If a user's computer is running slowly, you can use Resource
Monitor to view current activity in each of the four component areas. You can then determine which of
the key components might be causing a performance bottleneck.

When the Resource Monitor first opens, the initial view is of the Overview tab. On the right side are
four graphs: CPU, Disk, Network, and Memory. You can examine these graphs, looking for excessive
peaks in CPU, Disk, Network, or Memory activity. In the main pane, you can examine details about each
component by expanding each component's information list. It lists each process that is running on the
computer, and includes information about resource consumption for each process. For example, the
number of threads and the percentage of CPU capacity in use are displayed for each running process.

Having determined that a particular component is causing a bottleneck, you can use the appropriate
component tab to view more information. Remember that a snapshot of current activity, which Resource
Monitor provides, tells only a partial story. For instance, you might see a peak in activity, which is not
representative of average performance.

Performance Monitor
Performance Monitor is a Microsoft Management Console (MMC) snap-in that you can use to obtain
system performance information. You can use this tool to analyze the performance effect that applications
and services have on your computer. You can also use it to obtain an overview of system performance or
collect detailed information for troubleshooting.

Performance Monitor includes the following features:

Monitoring Tools

Data Collector Sets

Reports

Monitoring tools
Monitoring Tools contains Performance Monitor, which provides a visual display of built-in Windows
performance counters, either in real time or as historical data. Performance Monitor includes the following
features:

Multiple graph views

Custom views that you can export as data collector sets

Performance Monitor uses performance counters to measure the system's state or activity; both the
operating system and individual applications may expose performance counters. Performance Monitor
requests the current value of performance counters at specified time intervals. You can add performance
counters to Performance Monitor by dragging and dropping the counters, or by creating a custom data
collector set.

Performance Monitor features multiple graph views that give you a visual review of performance log data.
You can create custom views in Performance Monitor that you can export as data collector sets for use
with performance and logging features.

Data collector sets

The data collector set is a custom set of performance counters, event traces, and system configuration
data.
After you create a combination of data collectors that describe useful system information, you can save
them as a data collector set, and then run and view the results.

A data collector set organizes multiple data collection points into a single, portable component. You can
use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or
view it in Performance Monitor. You can configure a data collector set to generate alerts when it reaches
thresholds.

You also can configure a data collector set to run at a scheduled time, for a specific length of time, or until
it reaches a predefined size. For example, you can run the data collector set for 10 minutes every hour
during working hours to create a performance baseline. You also can set the data collector to restart when
set limits are reached, so that a separate file will be created for each interval.

You can use data collector sets and Performance Monitor tools to organize multiple data collection points
into a single component that you can use to review or log performance. Performance Monitor also
includes default data collector set templates to help system administrators begin the process of collecting
performance data specific to a server role or monitoring scenario.

In Performance Monitor, beneath the Data Collector Sets node, you can use the User Defined node to
create your own data collector sets. You can specify which specific objects and counters you want to
include in the set for monitoring. To help you select appropriate objects and counters, you can access
templates to use for monitoring, including:

System Diagnostics. Selects objects and counters that report the status of hardware resources,
system response time, and processes on the local computer, along with system information and
configuration data. The report provides guidance on ways to optimize the computer's responsiveness.
System Performance. Generates reports that detail the status of local hardware resources, system
response times, and processes.

WDAC Diagnostics. Enables you to trace debug information for Windows Data Access Components.

Note: It is not necessary for Performance Monitor to be running for data to be collected
into a data collector set.

Reports
Use the Reports feature to view and generate reports from a set of counters that you create by using data
collector sets.

Demonstration: Monitoring Performance

In this demonstration, you will see how to:

Open Performance Monitor.

Add new values to the chart.

Create a data collector set.

Examine a report.

Performance impacts can occur because of the number of counters being sampled and the frequency
with which sampling occurs. Therefore, it is important to test the number of counters and the frequency
of data collection. This helps you determine the right balance between your environment's needs and the
provision of useful performance information. For the initial performance baseline, however, you should
use the highest number of counters possible and the highest frequency available. The following table
shows the commonly used performance counters.
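The thresholds in the table that follows can be checked from PowerShell, and the same function run at intervals gives the baseline samples the previous topic describes. The following function is an added example, not course material: it samples each of the table's counters with Get-Counter, averages a few samples, and flags any that cross the stated threshold; it assumes C: is the system volume, uses the _Total instance for disk and processor, and counts one spindle per disk for the queue-length rule.

```powershell
# Added example, not part of the course. Samples the counters from the table
# with Get-Counter and reports which ones cross the thresholds the table gives.
# Assumptions: C: is the system volume, the _Total instance stands in for
# per-disk and per-processor values, one spindle per disk for the queue
# length rule, and a handful of samples rather than a full baseline.

function Get-CounterThresholdReport {
    param(
        [int]$SampleInterval = 2,   # seconds between samples
        [int]$MaxSamples = 5,       # samples to average
        [int]$Spindles = 1          # assumption: disks behind the volume
    )

    # Available MBytes is judged against 5 percent of installed RAM.
    $ramMB = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1MB

    # Counter path, whether a high or a low value is the problem, and the
    # threshold from the table (times in seconds, sizes in bytes).
    $rules = @(
        [pscustomobject]@{ Path = '\LogicalDisk(C:)\% Free Space';               Bad = 'Low';  Limit = 15 }
        [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\% Idle Time';            Bad = 'Low';  Limit = 20 }
        [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Read';     Bad = 'High'; Limit = 0.025 }
        [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Write';    Bad = 'High'; Limit = 0.025 }
        [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Bad = 'High'; Limit = 2 * $Spindles }
        [pscustomobject]@{ Path = '\Memory\Cache Bytes';                          Bad = 'High'; Limit = 300MB }
        [pscustomobject]@{ Path = '\Memory\% Committed Bytes In Use';             Bad = 'High'; Limit = 80 }
        [pscustomobject]@{ Path = '\Memory\Available MBytes';                     Bad = 'Low';  Limit = 0.05 * $ramMB }
        [pscustomobject]@{ Path = '\Memory\Free System Page Table Entries';       Bad = 'Low';  Limit = 5000 }
        [pscustomobject]@{ Path = '\Memory\Pool Nonpaged Bytes';                  Bad = 'High'; Limit = 175MB }
        [pscustomobject]@{ Path = '\Memory\Pool Paged Bytes';                     Bad = 'High'; Limit = 250MB }
        [pscustomobject]@{ Path = '\Memory\Pages/sec';                            Bad = 'High'; Limit = 1000 }
        [pscustomobject]@{ Path = '\Processor(_Total)\% Processor Time';          Bad = 'High'; Limit = 85 }
    )

    # One call samples every path MaxSamples times; a counter that does not
    # exist on this computer is skipped instead of aborting the run.
    $sets = Get-Counter -Counter ($rules | ForEach-Object Path) `
                -SampleInterval $SampleInterval -MaxSamples $MaxSamples -ErrorAction SilentlyContinue
    $samples = $sets | ForEach-Object CounterSamples

    foreach ($rule in $rules) {
        # Sample paths come back as \\COMPUTER\object(instance)\counter, in lower case.
        $values = $samples | Where-Object { $_.Path -like "*$($rule.Path)" } |
            ForEach-Object CookedValue
        if (-not $values) { continue }

        $avg = ($values | Measure-Object -Average).Average
        $exceeded = if ($rule.Bad -eq 'High') { $avg -gt $rule.Limit } else { $avg -lt $rule.Limit }
        $limitText = if ($rule.Bad -eq 'High') { "> $($rule.Limit)" } else { "< $([math]::Round($rule.Limit, 1))" }
        [pscustomobject]@{
            Counter   = $rule.Path
            Average   = [math]::Round($avg, 3)
            Threshold = $limitText
            Exceeded  = $exceeded
        }
    }
}

Get-CounterThresholdReport | Format-Table -AutoSize
```

A single run only shows a snapshot, as the text says of Task Manager and Resource Monitor; exporting the output at the baseline intervals described earlier gives the historical data to compare a later run against.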

Counter: LogicalDisk\% Free Space
Usage: This counter measures the percentage of free space on the selected logical disk drive. Take note if this falls below 15 percent, because you risk running out of free space for the operating system to use to store critical files. One solution is to add more disk space.

Counter: PhysicalDisk\% Idle Time
Usage: This counter measures the percentage of time the disk was idle during the sample interval. If this counter falls below 20 percent, the disk system is saturated. You should consider replacing the current disk system with a faster one.

Counter: PhysicalDisk\Avg. Disk Sec/Read
Usage: This counter measures the average time, in seconds, it takes to read data from the disk. If the number is larger than 25 milliseconds (ms), the disk system is experiencing latency when it is reading from the disk.

Counter: PhysicalDisk\Avg. Disk Sec/Write
Usage: This counter measures the average time, in seconds, it takes to write data to the disk. If the number is larger than 25 ms, the disk system experiences latency when it is writing to the disk.

Counter: PhysicalDisk\Avg. Disk Queue Length
Usage: This counter indicates how many I/O operations are waiting for the hard drive to become available. If the value is larger than two times the number of spindles, the disk itself may be the bottleneck.
Note: If this counter indicates a possible bottleneck, consider measuring the Avg. Disk Read Queue Length and Avg. Disk Write Queue Length to determine whether read or write operations are the cause.

Counter: Memory\Cache Bytes
Usage: This counter indicates the amount of memory that the file system cache is using. There may be a disk bottleneck if this value is greater than 300 megabytes (MB).

Counter: Memory\% Committed Bytes in Use
Usage: This counter measures the ratio of Committed Bytes to the Commit Limit, or in other words, the amount of virtual memory in use. If the value is greater than 80 percent, it indicates insufficient memory.

Counter: Memory\Available Mbytes
Usage: This counter measures the amount of physical memory, in megabytes, available for running processes. If this value is less than 5 percent of the total physical random access memory (RAM), there is insufficient memory, which can increase paging activity.

Counter: Memory\Free System Page Table Entries
Usage: This counter indicates the number of page table entries not currently in use by the system. If the number is less than 5,000, there may be a memory leak.

Counter: Memory\Pool Non-Paged Bytes
Usage: This counter measures the size, in bytes, of the nonpaged pool. This is an area of system memory for objects that cannot be written to disk but instead must remain in physical memory as long as they are allocated. If the value is greater than 175 MB, or 100 MB with a /3 gigabyte (GB) switch, there is a possible memory leak.

Counter: Memory\Pool Paged Bytes
Usage: This counter measures the size, in bytes, of the paged pool. This is an area of system memory for objects that can be written to disk when they are not in use. There may be a memory leak if this value is greater than 250 MB (or 170 MB with the /3 GB switch).

Counter: Memory\Pages per Second
Usage: This counter measures the rate at which pages are read from, or written to, the disk to resolve hard page faults. If the value is greater than 1,000 as a result of excessive paging, there may be a memory leak.

Counter: Processor\% Processor Time
Usage: This counter measures the percentage of elapsed time that the processor spends executing a nonidle thread. If the percentage is greater than 85 percent, the processor is overwhelmed, and the server may require a faster processor.

Counter: Processor\% User Time
Usage: This counter measures the percentage of elapsed time that the processor spends in user mode. If this value is high, the server is busy with the application.

Counter: Processor\% Interrupt Time
Usage: This counter measures the time that the processor spends receiving and servicing hardware interruptions during specific sample intervals. If the value is greater than 15 percent, this counter indicates a possible hardware issue.

Counter: System\Processor Queue Length
Usage: This counter indicates the number of threads in the processor queue. The server does not have enough processor power if the value is more than two times the number of CPUs for an extended period.

Counter: Network Interface\Bytes Total/Sec
Usage: This counter measures the rate at which bytes are sent and received over each network adapter, including framing characters. The network is saturated if you discover that more than 70 percent of the interface is consumed.

Counter: Network Interface\Output Queue Length
Usage: This counter measures the length of the output packet queue, in packets. There is network saturation if the value is more than 2.

Counter: Process\Handle Count
Usage: This counter measures the total number of handles that a process currently has open. This counter indicates a possible handle leak if the number is greater than 10,000.

Counter: Process\Thread Count
Usage: This counter measures the number of threads currently active in a process. There may be a thread leak if this value is more than 500 between the minimum and maximum number of threads.

Counter: Process\Private Bytes
Usage: This counter indicates the amount of memory that this process has allocated that it cannot share with other processes. If the value is greater than 250 between the minimum and maximum number of threads, there may be a memory leak.
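The thresholds in the table above can be checked without opening Performance Monitor. The following script is an added example and is not part of the courseware: it samples the fixed-threshold counters from the table with Get-Counter, computes the machine-relative limits (two times the CPU count, 5 percent of RAM) from the local hardware, and reports which counters cross their limit. It assumes an elevated PowerShell session on Windows 10, that the system drive is C:, and that the _Total instance is acceptable where the table names no instance; the function name Test-CounterThresholds and the five-sample window are the example's own choices.

```powershell
# Added example, not part of the courseware. Evaluates the counter thresholds from the
# table above against live samples taken on the local machine.

# Fixed-threshold rules from the table: counter path, comparison, limit, reason text.
# Instance names (C:, _Total) are assumptions; adjust for the disk or CPU you care about.
$rules = @(
    @{ Path = '\LogicalDisk(C:)\% Free Space';           Op = 'lt'; Limit = 15;    Why = 'free space below 15 percent' },
    @{ Path = '\PhysicalDisk(_Total)\% Idle Time';        Op = 'lt'; Limit = 20;    Why = 'disk idle time below 20 percent (saturated)' },
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Read';  Op = 'gt'; Limit = 0.025; Why = 'read latency above 25 ms' },
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Write'; Op = 'gt'; Limit = 0.025; Why = 'write latency above 25 ms' },
    @{ Path = '\Memory\% Committed Bytes In Use';         Op = 'gt'; Limit = 80;    Why = 'committed bytes above 80 percent of the commit limit' },
    @{ Path = '\Memory\Pages/sec';                        Op = 'gt'; Limit = 1000;  Why = 'hard page faults above 1,000 per second' },
    @{ Path = '\Processor(_Total)\% Processor Time';      Op = 'gt'; Limit = 85;    Why = 'processor time above 85 percent' },
    @{ Path = '\Processor(_Total)\% Interrupt Time';      Op = 'gt'; Limit = 15;    Why = 'interrupt time above 15 percent (possible hardware issue)' }
)

# Rules whose limit depends on the machine itself (CPU count, total RAM) are computed here.
$cs       = Get-CimInstance Win32_ComputerSystem
$cpuCount = $cs.NumberOfLogicalProcessors
$totalMB  = [math]::Round($cs.TotalPhysicalMemory / 1MB)
$rules += @{ Path = '\System\Processor Queue Length'; Op = 'gt'; Limit = 2 * $cpuCount;    Why = "processor queue longer than 2 x $cpuCount CPUs" }
$rules += @{ Path = '\Memory\Available MBytes';       Op = 'lt'; Limit = 0.05 * $totalMB; Why = "available memory below 5 percent of $totalMB MB" }

function Test-CounterThresholds {
    param([int]$Samples = 5, [int]$IntervalSeconds = 2)

    # One Get-Counter call collects every path; each returned sample set holds one value per path.
    $paths = $rules | ForEach-Object { $_.Path }
    $data  = Get-Counter -Counter $paths -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction SilentlyContinue

    foreach ($rule in $rules) {
        # Get-Counter prefixes paths with \\COMPUTERNAME, so match on the trailing part.
        $values = $data.CounterSamples |
            Where-Object { $_.Path -like "*$($rule.Path)" } |
            Select-Object -ExpandProperty CookedValue
        if (-not $values) { continue }   # counter not present on this machine; skip it

        # Average over the window so a single spike does not trigger a warning.
        $avg   = ($values | Measure-Object -Average).Average
        $fired = if ($rule.Op -eq 'lt') { $avg -lt $rule.Limit } else { $avg -gt $rule.Limit }

        [pscustomobject]@{
            Counter = $rule.Path
            Average = [math]::Round($avg, 3)
            Limit   = [math]::Round($rule.Limit, 3)
            Status  = if ($fired) { "WARN: $($rule.Why)" } else { 'ok' }
        }
    }
}

Test-CounterThresholds | Format-Table -AutoSize
```

Counters that are per-process in the table (Handle Count, Thread Count, Private Bytes) are left out because they need a process instance; add a rule such as '\Process(notepad)\Handle Count' for the process under investigation. Because the averaging window is short, treat a WARN as a prompt to collect a proper data collector set, not as a diagnosis by itself.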

Demonstration Steps

Open Performance Monitor

1. Open the Performance tool.

2. Select the Performance Monitor node. Notice that only % Processor Time is displayed by default.

Add new values to the chart

Add the PhysicalDisk\% Idle Time counter to the chart:
o In the Instances of selected object box, select 0 C:.
o Assign the color green to % Idle Time.

Create a data collector set

1. Create a user-defined Data Collector Set:
o Name: CPU and Disk Activity
o Template type: Basic (We recommend that you use a template.)
o Use the default storage location for the data.
o Select Open properties for this data collector set.

2. In the CPU and Disk Activity Properties dialog box, on the General tab, you can configure general
information about the data collector set and the credentials that the data collector set uses when it is
running.

3. Click the Directory tab. This tab lets you define information about how to store collected data.

4. Click the Security tab. This tab lets you configure which users can change this data collector set.

5. Click the Schedule tab. This tab lets you define when the data collector set is active and collecting
data.

6. Click the Stop Condition tab. This tab lets you define when to stop data collection, based on time or
collected data.

7. Click the Task tab. This tab lets you run a scheduled task when the data collector set stops. You can
use this to process the collected data.

8. Click Cancel. Notice that there are three kinds of logs in the right pane:
o Performance Counter collects data that you can view in Performance Monitor.
o Configuration records changes to registry keys.
o Kernel Trace collects detailed information about system events and activities.

9. In the right pane, double-click Performance Counter. Notice that all Processor counters are
collected, by default.

10. Add the PhysicalDisk object.

11. Start the CPU and Disk Activity data collector set.

Examine a Report

1. Wait a few moments for the data collector set to stop automatically.

2. Right-click CPU and Disk Activity, and then click Latest Report.

3. Review the report, which shows the data that the data collector set collects.

4. Close Performance Monitor.



Check Your Knowledge

Question

When monitoring Windows 10-based computers to optimize their performance, which key system
components should you monitor? (Choose all that apply)

Select the correct answer.

Processor

System

Disk

Memory

Network

Lab: Maintaining Windows 10

Scenario
It is important to ensure that your users' Windows 10 devices are up to date with security and operating
system updates and fixes. You want to be able to configure the Windows Update settings for multiple
computers from a central point. You decide to configure Windows Update settings by using GPOs.

It is important to ensure that the Windows 10 devices are operating correctly and that you can quickly
discover any problems. You can accomplish this by using a proactive approach to supporting your users.

Objectives
After completing this lab, you will have:

Examined the default Windows Update settings.

Configured GPOs to manage Windows Update settings.

Used Event Viewer.

Monitored performance.

Lab Setup
Estimated Time: 60 minutes
Virtual machine(s): 20697-1B-LON-DC1 and 20697-1B-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum

5. Repeat steps 2 through 4 for 20697-1B-LON-CL1.



Exercise 1: Configuring Updates for a Single Device

Scenario
It is important to keep your users' Windows 10 devices up to date. In your test lab, you configure your
computers' Windows Update settings manually.

The main tasks for this exercise are as follows:

1. Configure update settings for a single device.

2. Review applied updates.

Task 1: Configure update settings for a single device

1. On LON-CL1, open Settings.

2. In Update & security, on the Windows Update tab, in Advanced options, configure the following
options:
o Automatic (recommended)
o Give me updates for other Microsoft products when I update Windows: On
o Defer upgrades: On

3. Notice that the Get started option beneath Get Insider builds is available.

4. Click Choose how updates are delivered.

5. Configure the following options:
o Enable When this is turned on, your PC may also send parts of previously downloaded
Windows updates and apps to PCs on your local network, or PCs on the Internet,
depending on what's selected below.
o Enable PCs on my local network, and PCs on the Internet.

6. Click Back.

Task 2: Review applied updates

1. On the ADVANCED OPTIONS page, click View your update history.

2. Review the updates listed, and then click Uninstall updates.

3. Review the updates listed in Installed Updates. Close Installed Updates.

4. On the VIEW YOUR UPDATE HISTORY page, click Back.

5. On the ADVANCED OPTIONS page, click Back.

Results: After completing this exercise, you will have successfully configured Windows Update settings.

Exercise 2: Configuring Updates with GPOs

Scenario
There are many Windows 10-based computers in your organization. Manually configuring Windows
Update on a per-computer basis is not feasible. You decide to implement GPOs to configure Windows
Update settings.

The main tasks for this exercise are as follows:

1. Configure update settings by using GPOs.

2. Verify that the devices' update settings are managed centrally.

Task 1: Configure update settings by using GPOs

1. Open the Local Group Policy Editor.

2. Configure the following options:
o Computer Configuration/Administrative Templates/Windows Components/Data Collection and
Preview Builds/Toggle user control over Insider builds: Disabled
o Computer Configuration/Administrative Templates/Windows Components/Windows
Update/Defer Upgrade: Enabled
o Computer Configuration/Administrative Templates/Windows Components/Windows Update/Do
not connect to any Windows Update Internet locations: Enabled

3. Close the Local Group Policy Editor.

Task 2: Verify that the devices' update settings are managed centrally

1. Refresh the Group Policy settings by using gpupdate /force.

2. Switch to UPDATE & SECURITY, and then click Advanced options. Notice the Some settings are
managed by your organization banner.

3. Notice that the option to Get started with Insider builds is unavailable.

4. Close all open apps and windows.

Results: After completing this exercise, you will have successfully configured Group Policy Objects (GPOs)
to configure Windows Update settings.
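The banner in Task 2 is the visual confirmation; the registry is where the policy actually lands. The following script is an added example and is not part of the courseware: it reads the policy-backed values for the three settings from Task 1 under HKLM\SOFTWARE\Policies and reports whether each matches the state the task configures. The registry value names (AllowBuildPreview, DeferUpgrade, DoNotConnectToWindowsUpdateInternetLocations) are the ones these ADMX policies are known to write on the Windows 10 build the course covers and are stated here as an assumption; verify them against the ADMX of your build if a result shows "(not set)" after gpupdate. The function name Test-WindowsUpdatePolicy is the example's own.

```powershell
# Added example, not part of the courseware. Checks that the three Local Group Policy
# settings from Task 1 are present in the policy registry hive after gpupdate /force.
# Registry value names are assumed from the ADMX definitions; verify for your build.

$policyChecks = @(
    @{ Policy   = 'Toggle user control over Insider builds: Disabled'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
       Name     = 'AllowBuildPreview'
       Expected = 0 },
    @{ Policy   = 'Defer Upgrade: Enabled'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name     = 'DeferUpgrade'
       Expected = 1 },
    @{ Policy   = 'Do not connect to any Windows Update Internet locations: Enabled'
       Key      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name     = 'DoNotConnectToWindowsUpdateInternetLocations'
       Expected = 1 }
)

function Test-WindowsUpdatePolicy {
    foreach ($check in $policyChecks) {
        # A missing key or value name means the policy is Not Configured: Get-ItemProperty
        # then returns nothing, which we report as "(not set)" rather than as an error.
        $item   = Get-ItemProperty -Path $check.Key -Name $check.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($check.Name) } else { $null }

        [pscustomobject]@{
            Policy  = $check.Policy
            Value   = "$($check.Key)\$($check.Name)"
            Actual  = if ($null -eq $actual) { '(not set)' } else { $actual }
            Managed = ($actual -eq $check.Expected)
        }
    }
}

# Managed = True for all three rows means the settings are enforced by policy, which is
# exactly what the "Some settings are managed by your organization" banner reflects.
Test-WindowsUpdatePolicy | Format-Table -AutoSize
```

Settings a user changes in the Settings app are stored elsewhere; only values under the Policies hive are enforced, so this check distinguishes "the box happens to be ticked" from "the box is locked by policy". The same function works unchanged on a domain-joined client after a domain GPO applies, because domain and local policy write to the same hive.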

Exercise 3: Monitoring Events

Scenario
To help minimize support calls, you decide to enable event subscriptions within your network.

The main tasks for this exercise are as follows:

1. Configure Event Viewer to collect data from multiple devices.

2. View and filter events.

Task 1: Configure Event Viewer to collect data from multiple devices

1. On LON-DC1, run the winrm quickconfig command at an elevated command prompt.

Note: This is just a check, as the remote management feature is probably enabled.

2. In Active Directory Users and Computers, add the collector computer, LON-CL1, as a member of the
local Event Log Readers group.

3. On LON-CL1, from an elevated command prompt, run the wecutil qc command.

Task 2: View and filter events

1. On LON-CL1, in Event Viewer, in the navigation pane, under Subscriptions, create a new subscription
with the following properties:
o Name: LON-DC1 Events
o Collector Initiated: LON-DC1
o Events: Critical, Warning, Information, Verbose, and Error
o Logged: Last 30 days
o Event logs: Windows logs

2. In Event Viewer, in the navigation pane, expand Windows Logs.

3. Click Forwarded Events.

4. Create a custom view called LON-DC1 errors to show only errors and critical events.

5. Close all apps and open windows.

Results: After completing this exercise, you will have successfully configured monitoring by using Event
Viewer.
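Once the subscription exists, the parts most likely to fail silently are the source's WinRM listener and the Event Log Readers membership from Task 1, and neither shows up in the Forwarded Events view until events actually arrive. The following script is an added example and is not part of the courseware: run on the collector (LON-CL1) in an elevated prompt, it prints the subscription definition and per-source runtime status with wecutil, then reproduces the "LON-DC1 errors" custom view from Task 2 as a Get-WinEvent query over the ForwardedEvents log so the same filter can be run unattended. The function name Get-ForwardedErrors, the 30-day window and the use of ForwardedEvents as the destination log (the default for a new subscription) are the example's assumptions.

```powershell
# Added example, not part of the courseware. Verifies the "LON-DC1 Events" subscription from
# Task 2 on the collector and queries the forwarded log the way the custom view does.

$subscriptionName = 'LON-DC1 Events'

# gs (get-subscription) prints the stored definition; gr (get-subscriptionruntimestatus)
# prints the state of each source, which is where an unreachable source or a source that is
# missing the Event Log Readers membership shows up as an error rather than as silence.
wecutil gs $subscriptionName
wecutil gr $subscriptionName

function Get-ForwardedErrors {
    param(
        [string[]]$SourceComputer = @('LON-DC1'),   # assumed source names
        [int]$Days = 30                             # "Logged: Last 30 days" from the subscription
    )

    # Level 1 = Critical, 2 = Error: the two levels the "LON-DC1 errors" custom view keeps.
    $filter = @{
        LogName   = 'ForwardedEvents'
        Level     = 1, 2
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent writes an error when the log has no matching events; that is a normal result
    # on a healthy source, so it is suppressed and the function simply returns nothing.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $SourceComputer -contains ($_.MachineName -split '\.')[0] } |
        Select-Object TimeCreated, MachineName, LogName, Id, LevelDisplayName, ProviderName,
                      @{ Name = 'Message'; Expression = { ($_.Message -split "`n")[0] } }
}

Get-ForwardedErrors | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

MachineName on a forwarded record is the source's name, which is what makes the filter work when several sources feed the same collector; the split on '.' lets a fully qualified name match the short name used in the subscription. If wecutil gr reports the source as inactive while the query returns nothing, start with the Event Log Readers membership and the WinRM listener on the source before looking at the subscription itself.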

Exercise 4: Monitoring Reliability and Performance

Scenario
Users have been complaining about poor performance when they initiate a particular app. You decide to
investigate by using Performance Monitor.

The main tasks for this exercise are as follows:

1. Use Performance Monitor to gather a baseline.

2. Load the suspect app.

3. Use Performance Monitor to identify possible bottlenecks.

Task 1: Use Performance Monitor to gather a baseline

1. On LON-CL1, open Performance Monitor.

2. Create a user-defined Data Collector Set with the following properties:
o Name: Adatum Baseline
o Create manually (Advanced)
o Performance counter
o Sample interval: 1 second
o Counters to include:
Memory > Pages/sec
Network Interface > Packets/sec
Physical Disk > % Disk Time
Physical Disk > Avg. Disk Queue Length
Processor > % Processor Time
System > Processor Queue Length

3. Start the data collector set, and then start the following programs:
o Microsoft Word 2013
o Microsoft Excel 2013
o Microsoft PowerPoint 2013

4. Close all Microsoft Office 2013 apps.

5. In Performance Monitor, stop the Adatum Baseline data collector set.

6. In Performance Monitor, locate Reports > User Defined > Adatum Baseline, and then click the
report that has a name beginning with LON-CL1.

7. Record the following values:
o Memory Pages per second
o Network Interface Packets per second
o Physical Disk % Disk Time
o Physical Disk Avg. Disk Queue Length
o Processor % Processor Time
o System Processor Queue Length
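The same data collector set can be built, run and read back from the command line, which makes the baseline repeatable and lets the baseline run and the later "suspect app" run be summarized by the same code. The following script is an added example and is not part of the courseware: it uses logman to create a counter data collector set with the six counters and the 1-second interval from step 2, runs it for a fixed window, and then uses Import-Counter to compute the average and maximum of each counter from the resulting .blg log, which are the values step 7 asks you to record. The same commands, with a different counter list, build the "CPU and Disk Activity" set from the earlier demonstration. It assumes an elevated prompt on LON-CL1, the output directory C:\PerfLogs\AdatumBaseline, the _Total and (*) instances for disk, processor and network adapter, and a set name with a "CLI" suffix so the set created in the Performance Monitor UI is left untouched; the function name Get-BaselineSummary is the example's own.

```powershell
# Added example, not part of the courseware. Builds the Task 1 baseline data collector set
# with logman and summarizes the collected .blg with Import-Counter.

$setName = 'Adatum Baseline CLI'             # distinct from the UI-created set of Task 1
$logDir  = 'C:\PerfLogs\AdatumBaseline'      # assumed output location
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

# The six counters from step 2. Instances are assumed; the task names none.
$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

# logman create counter: -c counter paths, -si sample interval ([[hh:]mm:]ss), -f binary log,
# -o output file stem (logman may add a version suffix, so the file is located by wildcard below).
logman create counter $setName -c $counters -si 00:00:01 -f bin -o "$logDir\Baseline"
logman start $setName

# Collection window: start Word, Excel and PowerPoint (step 3) while this runs, or run the
# Task 2 script during a second run to capture the loaded state with identical settings.
Start-Sleep -Seconds 60
logman stop $setName

function Get-BaselineSummary {
    param([string]$LogPath)
    # Import-Counter returns the same sample objects Get-Counter does, so one summary routine
    # serves both the baseline log and the later "suspect app" log.
    $samples = (Import-Counter -Path $LogPath).CounterSamples
    $samples | Group-Object Path | ForEach-Object {
        $stats = $_.Group.CookedValue | Measure-Object -Average -Maximum
        [pscustomobject]@{
            Counter = $_.Name
            Average = [math]::Round($stats.Average, 2)
            Maximum = [math]::Round($stats.Maximum, 2)
        }
    }
}

# Summarize the most recent log produced by this set.
$latest = Get-ChildItem -Path "$logDir\*.blg" | Sort-Object LastWriteTime | Select-Object -Last 1
Get-BaselineSummary -LogPath $latest.FullName | Format-Table -AutoSize
```

Record the Average column for the baseline, repeat the run while the Task 2 script is generating load, and the counter whose average or maximum moves furthest from the baseline is the candidate bottleneck for Task 3. Remove the set afterwards with logman delete "Adatum Baseline CLI" if it should not persist on the client.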

Task 2: Load the suspect app

1. On LON-CL1, if necessary, sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd

2. Run the E:\Labfiles\Mod11\Scenario.vbs script.

3. The script starts to generate the load.

Task 3: Use Performance Monitor to identify possible bottlenecks

1. Attempt to determine the cause of the problem by using your knowledge of performance
troubleshooting:

a. Restart the Adatum Baseline data collector set.

b. Load perfmon /res to view which resources are under load. In Resource Monitor, which
components are under strain?

c. When the batch file is complete, stop the Adatum Baseline data collector set.

d. In Performance Monitor, locate Reports > User Defined > Adatum Baseline, and then click the
report that has a name beginning with LON-CL1.

e. Record the following values:
Memory Pages per second
Network Interface Packets per second
Physical Disk % Disk Time
Physical Disk Avg. Disk Queue Length
Processor % Processor Time
System Processor Queue Length

2. In your opinion, which components is the script affecting the most?

3. Be prepared to discuss your investigations with the class as directed by your instructor.

Results: After completing this exercise, you will have successfully determined the cause of a performance
bottleneck.

Module Review and Takeaways

Review Questions
Question: What is the benefit of configuring Windows Update by using Group Policy rather
than by using Settings?

Question: What significant counters should you monitor in Performance Monitor?

Question: If you have problems with your computer's performance, how can you create a
data collector set to analyze a performance problem?

Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.

Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.

Module 1: Overview of Windows 10

Lab: Navigating and Customizing the User Interface

Exercise 1: Navigating the Windows 10 User Interface

Task 1: View installed apps

1. Switch to LON-CL1, and then click the Lock screen.

2. Click Other user.

3. In the User name box, type April.

4. In the Password box, type Pa$$w0rd, and then press Enter.

5. On the taskbar, click Action Center.

Note: If the tiles at the bottom of Action Center do not display, close and then open
Action Center again.

6. Click Tablet mode.

7. Click Start to close Action Center.

8. Above the Start button, click the All apps button.

9. In the All apps list, click Calculator.

10. Click Start.

11. Click All apps, and then click Alarms & Clock.

12. On the taskbar, click Task View.

13. Click Calculator.

Task 2: Switch between running apps

1. On the taskbar, click Task View. Both running apps should display.

2. Click Action Center.

3. Click Tablet mode. You now are in the Desktop mode.

4. In Calculator, click Restore Down.

5. In Alarms & Clock, click Restore Down.

6. Drag Alarms & Clock to the right side of the display, and then release it.

7. On the taskbar, click Task View, and then click Calculator. Both apps should display, side by side.

Results: After completing this exercise, you will have navigated the Windows 10 user interface
successfully.

Exercise 2: Configuring Start

Task 1: Add and remove tiles

1. On the taskbar, click Action Center.

2. Click Tablet mode.

3. Click Start to close Action Center.

4. Click Start, click All apps.

5. Click Microsoft Office 2013, right-click Word 2013, and then click Pin to Start.

6. Right-click PowerPoint 2013, and then click Pin to Start.

7. Right-click Excel 2013, and then click Pin to Start.

8. Right-click Calculator, and then click Pin to Start.

9. Click the Start screen to close All apps.

Task 2: Group tiles

1. Click the space immediately above the four tiles.

2. A text box appears. Type Microsoft Office, and then press Enter.

3. Click and hold the Microsoft Office group, and then drag it to the top of the display above the
default groups. Release it.

Task 3: Remove and resize tiles

1. In Start, in the Microsoft Office group, right-click Calculator, and then click Unpin from Start.

2. In Start, in the Microsoft Office group, right-click Excel 2013, point to Resize, and then click Small.

3. In Start, in the Life at a glance group, right-click Mail, point to Resize, and then click Large.

Results: After completing this exercise, you will have customized Windows 10 Start successfully.

Exercise 3: Configuring the Desktop

Task 1: Customize the Taskbar

1. On the taskbar, click Action Center.

2. Click Tablet mode.

3. Close Action Center.

4. Click Start, click All apps.

5. Right-click Calendar, and then click Pin to taskbar.

Task 2: Configure desktops

1. On the taskbar, click Task View.

2. On the right of the display, click New desktop.

3. Click Desktop 2.

4. Click Start, and then click Word 2013.


5. On the taskbar, click Task View. Both desktops should display side by side. Move the mouse pointer
over each desktop.

6. Close Desktop 2. Word 2013 now runs in Desktop 1.

Task 3: Personalize the desktop and Start

1. Close all running apps.

2. Right-click the desktop, point to New, and then click Shortcut.

3. In the Create Shortcut Wizard, click Browse.

4. In the Browse for Files or Folders dialog box, expand This PC, click Pictures, and then click OK.

5. In the Create Shortcut Wizard, click Next, and then click Finish.

6. Right-click the desktop, and then click Personalize.

7. In Settings, in PERSONALIZATION, beneath Choose your picture, select the middle image, and then
click the Colors tab.

8. In Choose a color, beneath the Choose your accent color, click the top left square, and then click the
Lock screen tab.

9. Beneath Choose an app to show detailed status, click the plus symbol.

10. Click Calendar.

11. Under Choose apps to show quick status, click the plus symbol.

12. Click Alarms & Clock, and then click the Start tab.

Note: If you do not see Alarms & Clock, choose another app from the list.

13. On the Start tab, disable both Show most used apps and Show recently added apps.

14. Right-click Start, point to Shut down or sign out, and then click Sign out.

15. On the Sign in screen, in the Password box, type Pa$$w0rd, and then press Enter.

16. Verify that the background is correct. Verify that the color scheme is what you configured.

Note: Due to a limitation in the virtual machine, this setting is not retained but should
display.

17. Click Start. Verify that Most used does not appear.

Results: After completing this exercise, you will have configured the Windows 10 desktop successfully.

Prepare for the next module

When you have finished the lab, revert the virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-DC1.

Module 2: Installing Windows 10

Lab: Installing Windows 10

Exercise 1: Upgrading Windows 7 to Windows 10

Task 1: Verify that the computer meets the minimum requirements

1. In Hyper-V Manager, click 20697-1B-LON-CL3, and then in the Actions pane, click Connect.

2. In the 20697-1B-LON-CL3 On Host computer - Virtual Machine Connection window, click Action, and
then press Ctrl+Alt+Delete.

3. Sign in as Adatum\Administrator with the password Pa$$w0rd.

4. If a Microsoft Windows dialog box opens, click Restart Later.

5. If a Windows Activation dialog box opens, click Ask me later. Click OK.

6. On the taskbar, click Start. Right-click Computer, and then click Properties.

7. Write down the settings for:
o Processor speed: _____________________
o Installed memory (RAM):_____________

8. Close the System window.

9. Right-click the desktop, and then click Screen Resolution.

10. Write down the screen resolution:_________________

11. On the taskbar, click the Windows Explorer icon.

12. Click Computer.

13. Write down the available disk space for drive C: ________________

14. Do the noted values match the minimum requirements? ________________

15. Which setting does not match the minimum requirements? _________________

16. Click Start, and then click Shut down.

Task 2: Perform an in-place upgrade from local media

1. In Hyper-V Manager, click 20697-1B-LON-CL3, and in the Actions pane, click Settings.

2. In the Settings for 20697-1B-LON-CL3 on Host computer window, click Memory, and then in Startup
RAM, type 2048. Click OK.

3. In Hyper-V Manager, click 20697-1B-LON-CL3, in the Actions pane, click Start, and then click
Connect.

4. In the 20697-1B-LON-CL3 on Host computer Virtual Machine Connection window, click Media in the
menu, hover over DVD Drive, and then click Insert disk.

5. In the Open window, browse to C:\Program Files\Microsoft Learning\20697-1\Drives. Click
Win10ENT_Eval.iso, and then click Open.

6. In the 20697-1B-LON-CL3 on Host computer Virtual Machine Connection window, click Action, and
then click CTRL-ALT-DEL.

7. Sign in as Adatum\Administrator with the password Pa$$w0rd.

8. If a Microsoft Windows dialog box opens, click Restart Later.

9. If a Windows Activation dialog box opens, click Ask me later. Click OK.

10. On the taskbar, click the Windows Explorer icon.

11. In Windows Explorer, click the DVD drive.

12. In the contents pane, double-click the setup.exe file.

13. On the Get important updates page, click Not right now, and then click Next.

14. On the License terms page, click Accept.

15. On the Choose what to keep page, click Nothing. Click Next, and then click Yes.

16. Click Install. The setup program will now upgrade your Windows 7 installation to Windows 10. This
will take approximately 30 minutes.

17. On the Hi there page, click Next.

18. On the Get going fast page, click Use Express settings.

19. On the Create an account for this PC page, provide the following, and then click Next:
o Username: LocalAdmin
o Password: Pa$$w0rd
o Hint: Standard password

20. After the setup finishes, you should be at the desktop of the new installation.

Task 3: Verify that the upgrade was successful

1. Click Start and type winver. Press Enter.

2. Make sure that the version number is 10.0 (Build 10240).

3. On the host computer, switch to Hyper-V Manager.

4. In the Virtual Machines list, right-click 20697-1B-LON-CL3, and then click Revert.

5. In the Revert Virtual Machine dialog box, click Revert.

Results: After completing this exercise, you will have upgraded your Windows 7-based computer to
Windows 10.

Exercise 2: Migrating User Settings

Task 1: Prepare the source computer

1. Start and then sign in to LON-CL3 as Adatum\Administrator with the password Pa$$w0rd.

2. Right-click the desktop, hover over the New menu item, and then click Text Document. Type
Demofile and press Enter.

3. Double-click Demofile.txt and type some random text. Press Alt+F4, and then click the Save button.

4. Click Start, type cmd, and then press Enter.

5. At the command prompt, type the following command, and then press Enter:

Net Use F: \\LON-DC1\USMT

6. At the command prompt, type F:, and then press Enter.

7. At the command prompt, type the following, and then press Enter:

Scanstate \\LON-DC1\MigrationStore\LON-CL3\ /i:migapp.xml /i:miguser.xml /o

This will take several minutes to complete.

Task 2: Complete the migration

1. Switch to the 20697-1B-LON-CL2 on Host computer Virtual Machine Connection window.

2. Sign in to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd.

3. Notice that there is no Demofile.txt on the desktop and no Internet Explorer or Windows Media
Player icon in the taskbar.

4. Click Start, type cmd, and then press Enter.

5. At the command prompt, type the following command, and then press Enter:

Net Use F: \\LON-DC1\USMT

6. At the command prompt, type F:, and then press Enter.

7. At the command prompt, type the following, and then press Enter:

Loadstate \\LON-DC1\MigrationStore\Lon-CL3\ /i:migapp.xml /i:miguser.xml /lac:Pa$$w0rd /lae

This will take several minutes to complete.

8. Type exit to close the command prompt.

Task 3: Verify the migration

Notice that the demofile.txt is now on the desktop and the Internet Explorer and Windows Media
Player icons are visible on the taskbar.

Results: After completing this exercise, you will have migrated your settings from your Windows 7-based
computer to a new Windows 10-based computer.

Prepare for the next module

When you are finished with the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-CL2 and 20697-1B-LON-CL3.

Module 3: Configuring Your Device

Lab A: Configuring Windows 10

Exercise 1: Using the Settings App

Task 1: Use the Settings app to configure a device

1. On LON-CL1, click the Start menu (the Windows icon). In the lower part of the Start menu, click the
Settings item.

2. Maximize the Settings page.

3. On the Settings page, click the Update & security item.

4. Click the Windows Defender item in the console tree, and then in the details pane, click the Add an
exclusion hyperlink.

5. Click the Exclude a folder plus sign, and in the Select Folder window, navigate to E:\Labfiles, and
then click Exclude this folder.

6. At the upper left of the screen, note the back arrow by Settings. Click the back arrow twice. This will
return you to the main Settings page.

7. On the Settings page, click the Devices item.

8. Click the Add a printer or scanner plus sign.

Note: The Settings app scans for printers or scanners, but finds none.

9. Scroll down and select the Devices & printers hyperlink.

10. Note that the Control Panel, Devices and Printers appears. Note that some Settings-level
configurations still use the Control Panel.

11. Click Add a printer.

12. Click The printer that I want isn't listed, select Add a local printer or network printer with
manual settings, and then click Next.

13. On the Choose a printer port page, click Next.

14. On the Install the printer driver page, under the Manufacturer column, select HP, and in the
Printers column, scroll down and choose HP Photosmart 7520 series Class Driver, and then click
Next.

15. On the Type a printer name page, delete the part of the text that says series Class Driver, leaving
only the HP Photosmart 7520 text, and then click Next.

16. On the Printer Sharing page, click Next.

17. On the You've successfully added HP Photosmart 7520 page, click Finish.

18. Close the Control Panel, Devices and Printers.

19. This will return to the Printers & scanners page of the Settings app. Click the HP Photosmart 7520
icon. Note the Remove device option that appears. Without selecting it, close the Settings app.

Results: After completing this exercise, you will have successfully used the Settings app to configure a
device.

Exercise 2: Using Control Panel

Task 1: Use the Control Panel to configure a device

1. On LON-CL1, right-click the Start menu icon, and then click Control Panel.

2. In the Control Panel, in the Hardware and Sound category, click the View devices and printers
hyperlink.

3. You should see the printer named HP Photosmart 7520. Double-click it.

4. In the HP Photosmart 7520 window, click the Printer menu, and then select Printing Preferences.

5. In the HP Photosmart 7520 Printing Preferences window, note that Print on Both Sides is not found.
Click Cancel, and then close the HP Photosmart 7520 window.

6. Right-click HP Photosmart 7520, and then click Printer Properties. In the HP Photosmart 7520
Properties sheet, select the Device Settings tab.

7. Note the installable options. To the right of Automatic Duplexing Unit:, click Not installed, change
the drop-down selection to Installed, and then click OK.

8. Double-click the HP Photosmart 7520 item.

9. In the HP Photosmart 7520 window, click the Printer menu, and then select Printer Preferences.

10. In the HP Photosmart 7520 Printing Preferences window, in the Print on both sides: drop-down list,
select Flip on Long Edge, and then click OK.

11. Close the HP Photosmart 7520 Control Panel window.

12. Close Devices and Printers.

Results: After completing this exercise, you will have successfully used the Control Panel to configure a
device.

Exercise 3: Using Windows PowerShell


Task 1: Use Windows PowerShell to configure a device
1. In the taskbar, in the Search the web and Windows text box, type PowerShell, right-click the
PowerShell app, and then select Run as administrator.

2. At the Windows PowerShell command prompt, type Get-ExecutionPolicy, and then press Enter.
Confirm that the current execution policy is Unrestricted. If the execution policy is Unrestricted, skip
steps 3 and 4, and proceed to step 5.

3. If set to Restricted, then in the Windows PowerShell command prompt, type Set-ExecutionPolicy
Unrestricted, and then press Enter.
4. Select Yes to All [A] by typing an A, and then press Enter. Leave the Windows PowerShell command
prompt open.

5. Click the Start Menu icon, and then in the Start menu, select Settings.
6. On the Settings page, click Devices.
7. Ensure that Printers & Scanners is selected in the console tree, and then scroll down in the details
pane, and click the Devices and Printers hyperlink.

8. In the Devices and Printers Control Panel item, double-click the HP Photosmart 7520 icon.
9. In the HP Photosmart 7520 window, click the Printer menu, and then select Printing Preferences.

10. In the HP Photosmart 7520 Printing Preferences window, note that the Print on Both Sides drop-
down box is available, and then click Cancel.
11. Return to the Windows PowerShell command prompt.

12. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-PrinterProperty -PrinterName "HP Photosmart 7520"

Note: The property named Config:DuplexUnit is set to TRUE.

13. At the Windows PowerShell command prompt, type the following, and then press Enter:

Set-PrinterProperty -PrinterName "HP Photosmart 7520" -PropertyName "Config:DuplexUnit" -Value FALSE

Note: You must use all caps for the TRUE or FALSE values.

Note: In Windows PowerShell, each cmdlet parameter name is immediately preceded by a dash,
such as the -Value parameter used above. However, word wrap may separate the dash from the
parameter name when you copy and paste from a file. Inspect all pasted cmdlets and parameters
to ensure that they follow Windows PowerShell syntax requirements.

14. At the Windows PowerShell command prompt, type the following, and then press Enter:

Get-PrinterProperty -PrinterName "HP Photosmart 7520"

Note: The property named Config:DuplexUnit is now FALSE.

15. In the HP Photosmart 7520 window, click the Printer menu, and then select Printing Preferences.

Note: In the HP Photosmart 7520 Printing Preferences window, note that the Print on
Both Sides drop-down list box is gone.

16. Click Cancel, and then close all open windows.


17. In Search the web and Windows, type PowerShell_ISE, and then press the Enter key.

18. In Windows PowerShell ISE, open E:\Labfiles\Mod03\Services.ps1, and then read the script.

Note: Observe the syntax colouring in the script pane:

o Comments are green.

o Variables are red.

o Cmdlets are bright blue.

o Text in quotation marks is dark red.

19. Select line 3 in the script, and then run the selection.

20. In the console pane, view the contents of the $services variable.

21. Run the script, and then read the output. Notice that it does not have multiple colors.
22. At the end of line 14, type -ForegroundColor $color.
23. Run the script by clicking the green arrow on the ribbon, and then read the output. Click OK in the
Windows PowerShell ISE window if prompted to save the script.

Note: Running services are green and services that are not running are red.

24. On line 16, type Write-Host "A total of $($services.Count) services were evaluated."

25. Run the script. Click OK in the Windows PowerShell ISE window if prompted to save the script.

26. In the Commands pane, build a Write-Host cmdlet with the following options:

o BackgroundColor: Gray

o ForegroundColor: Black

o Object: Script execution is complete

27. Copy the command, and then paste it on line 17 of the script.

28. Run the script. Click OK in the Windows PowerShell ISE window if prompted to save the script.

29. Save the script by pressing Ctrl+S on the keyboard.



30. Open the Windows PowerShell command prompt.

31. At the command prompt, type Set-Location E:\Labfiles\Mod03, and then press Enter.

32. Type .\Services.ps1, and then press Enter. Close all open windows.
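The printer-property steps above (12 to 14) written as one script. This is an added example, not code from the lab files: the printer name and the Config:DuplexUnit property are the ones the lab uses, while the function names Get-DuplexUnitState and Set-DuplexUnitState are my own. It reads the property back after Set-PrinterProperty, which the lab does by hand in step 14, and restores the duplexer at the end so that Printing Preferences shows the Print on both sides option again.

```powershell
# Added example, not from the lab files: read, change and verify a printer's
# installable-option property with the PrintManagement cmdlets. Run from an
# elevated Windows PowerShell prompt. Function names are assumed (mine).

function Get-DuplexUnitState {
    param([Parameter(Mandatory)][string]$PrinterName)

    # Get-PrinterProperty returns one object per property; ask for the duplex
    # option directly instead of filtering the whole list.
    $prop = Get-PrinterProperty -PrinterName $PrinterName -PropertyName 'Config:DuplexUnit'
    return [string]$prop.Value
}

function Set-DuplexUnitState {
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [Parameter(Mandatory)][bool]$Installed
    )

    # The lab's note applies here too: the value must be the upper-case TRUE or FALSE.
    $value = if ($Installed) { 'TRUE' } else { 'FALSE' }
    Set-PrinterProperty -PrinterName $PrinterName -PropertyName 'Config:DuplexUnit' -Value $value

    # Read the property back rather than assuming the call took effect.
    $actual = Get-DuplexUnitState -PrinterName $PrinterName
    if ($actual -ne $value) {
        throw "Config:DuplexUnit on '$PrinterName' is '$actual', expected '$value'"
    }
    return $actual
}

$printer = 'HP Photosmart 7520'

# Get-Printer throws if the printer is not installed; better to fail here than later.
Get-Printer -Name $printer | Out-Null

'Before: Config:DuplexUnit = {0}' -f (Get-DuplexUnitState -PrinterName $printer)

# Step 13 of the lab: mark the duplexer as not installed ...
Set-DuplexUnitState -PrinterName $printer -Installed $false | Out-Null

# ... and put it back, so the Print on both sides option reappears.
Set-DuplexUnitState -PrinterName $printer -Installed $true | Out-Null

'After:  Config:DuplexUnit = {0}' -f (Get-DuplexUnitState -PrinterName $printer)
```

The explicit read-back matters because Set-PrinterProperty reports nothing on success; a typo in the property name or a driver that ignores the value would otherwise go unnoticed until someone looks at Printing Preferences.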

Results: After completing this exercise, you will have successfully configured the device with Windows
PowerShell.
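A script in the shape that steps 18 to 32 describe, given here as an added example: it is my reconstruction of what the exercise builds (services listed in a colour that depends on their state, a total, and a completion banner), not the lab's E:\Labfiles\Mod03\Services.ps1, and its line numbers do not match the ones the steps refer to.

```powershell
# Added example: a reconstruction of the kind of script Exercise 3 steps 18-32
# build. Not the lab's Services.ps1; line numbers differ from the lab's.

# The lab's line 3 fills $services; here it is every service on the local machine.
$services = Get-Service

foreach ($service in $services) {
    # Running services print in green, anything else (Stopped, Paused, ...) in red.
    if ($service.Status -eq 'Running') {
        $color = 'Green'
    } else {
        $color = 'Red'
    }

    # Fixed-width name column so the status lines up.
    $line = '{0,-45} {1}' -f $service.DisplayName, $service.Status

    # Step 22: the -ForegroundColor parameter takes the colour chosen above.
    Write-Host $line -ForegroundColor $color
}

# Step 24: $services.Count has to sit in $( ) to be expanded inside the string.
Write-Host "A total of $($services.Count) services were evaluated."

# Steps 26-27: the command the Commands pane builds.
Write-Host -BackgroundColor Gray -ForegroundColor Black -Object 'Script execution is complete'
```

Run it as the lab does, with Set-Location E:\Labfiles\Mod03 followed by .\Services.ps1, or from any folder by giving the path. The lab sets the execution policy to Unrestricted so that an unsigned file runs; on a managed device you would keep RemoteSigned or AllSigned and sign the script instead, and Get-ExecutionPolicy -List shows which scope is supplying the effective policy.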

Exercise 4: Using GPOs


Task 1: Use GPOs to configure devices
1. On LON-DC1, in Server Manager, in the Tools drop-down list, select Group Policy Management.

2. Maximize the Group Policy window, from the console tree, expand Forest: Adatum.com, expand
Domains, and then expand Adatum.com. Select the Group Policy Objects node.

3. Right-click the Group Policy Objects node, and then click New.

4. In the New GPO pop-up, in the Name: text box, type Win10 Display, and then click OK.
5. In the details pane, right-click Win10 Display, and then select Edit.

6. This brings up the Group Policy Management Editor. Maximize the console.

7. In the console tree under Computer Configuration, expand Policies, expand Windows Settings,
expand Security Settings, expand Local Policies, and then select Security Options. In the details
pane, scroll down, select Interactive Logon: Message title for users attempting to log on, and
then double-click it.
8. In the Interactive Logon: Message title for users attempting to log on pop-up window, enable the
option, and in the text box, type Attention!, and then click OK.

9. In the details pane, scroll down, select Interactive Logon: Message text for users attempting to
log on, and then double-click it.

Note: It is right above the item from step 7.

10. In the Interactive Logon: Message text for users attempting to log on pop-up window, select the
check box of Define this policy setting in the template, in the text box, type This computer is
used for A. Datum Corp Development and Testing Only! Do not use on production network!,
and then click OK.

11. In the console tree under Computer Configuration, expand Preferences, expand Control Panel
Settings, and then select Services.

12. Right-click the empty space in the details pane, click New, and then click Service.

13. In the New Service Properties window, select the following by using the drop-down arrow:

o Startup: Disabled

o Service Name: EFS

o Service Action: Stop service

14. Click the Common tab.



15. Select the Item-level targeting check box, and then click Targeting.

16. In the New Item drop-down list, select Computer Name.

17. In the Computer Name text box, type LON-CL1, click OK, and then click OK again.

18. Close the Group Policy Management Editor.

19. In the Group Policy Management Console, select the Adatum.com item in the console tree, right-
click it, and then select Link an Existing GPO.
20. In the Select GPO window, select the Win10 Display item, and then click OK.

21. Close the Group Policy Management Console. Close all open windows, and then sign out.

22. Return to LON-CL1, and in the taskbar, in the Search the web and Windows text box, type cmd,
and then press Enter.

23. At the command prompt, type gpupdate /force, and then press Enter. After the update reports
success, type Shutdown /r /t 0.

24. LON-CL1 will restart.


25. Press Ctrl+Alt+Delete in the Virtual Machine Connection window. You should see the message titled
Attention! with the text This computer is used for A. Datum Corp Development and Testing Only! Do not
use on production network! Click OK, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
26. In the taskbar, in the Search the web and Windows text box, type Services, and then in the list
above, select View Local Service Control Panel.

27. In the Services details pane, scroll down until you see the Encrypting File System (EFS) service.
Confirm that it is disabled. Close all open windows, and then sign out.

Results: After completing this exercise, you will have successfully used GPOs to configure devices.
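The same GPO built from the GroupPolicy module on LON-DC1, plus a check to run on LON-CL1 after gpupdate, as an added example that is not part of the lab. Set-GPRegistryValue writes LegalNoticeCaption and LegalNoticeText as registry-based policy rather than through the Security Options branch the lab edits, so the setting appears in a different place in the editor, but the client receives the same two registry values and shows the same banner. The Services preference item that disables EFS has no cmdlet, so that stays a GUI step and is only verified here. The GPO name, banner text, domain and service name come from the lab; the function names are mine.

```powershell
# Added example, not lab code. Part 1 runs on LON-DC1 (needs the GroupPolicy
# module from RSAT / the Group Policy Management feature); part 2 runs on the
# client after 'gpupdate /force' and a restart. Function names are assumed.

Import-Module GroupPolicy

function New-LogonBannerGpo {
    param(
        [string]$Name   = 'Win10 Display',
        [string]$Domain = 'Adatum.com',
        [string]$Title  = 'Attention!',
        [string]$Text   = 'This computer is used for A. Datum Corp Development and Testing Only! Do not use on production network!'
    )

    # Reuse an existing GPO of that name; New-GPO fails on a duplicate.
    $gpo = Get-GPO -Name $Name -Domain $Domain -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Domain $Domain }

    # "Interactive logon: Message title/text for users attempting to log on" are
    # stored as LegalNoticeCaption / LegalNoticeText under Policies\System.
    $key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-GPRegistryValue -Name $Name -Domain $Domain -Key $key `
        -ValueName 'LegalNoticeCaption' -Type String -Value $Title | Out-Null
    Set-GPRegistryValue -Name $Name -Domain $Domain -Key $key `
        -ValueName 'LegalNoticeText' -Type String -Value $Text | Out-Null

    # Link at the domain root (steps 19-20). New-GPLink fails if the link exists.
    $target = 'DC=' + (($Domain -split '\.') -join ',DC=')
    $links  = (Get-GPInheritance -Target $target -Domain $Domain).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $Name })) {
        New-GPLink -Name $Name -Domain $Domain -Target $target -LinkEnabled Yes | Out-Null
    }
    return Get-GPO -Name $Name -Domain $Domain
}

# Part 2: on LON-CL1, confirm both the banner values and the service state.
function Test-LogonBannerApplied {
    param(
        [string]$ExpectedTitle = 'Attention!',
        [string]$ServiceName   = 'EFS'
    )

    $key     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $values  = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $svc     = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $startup = if ($svc) { $svc.StartType.ToString() } else { 'service not found' }

    [pscustomobject]@{
        BannerTitle      = $values.LegalNoticeCaption
        BannerText       = $values.LegalNoticeText
        BannerApplied    = ($values.LegalNoticeCaption -eq $ExpectedTitle)
        ServiceStartType = $startup
        ServiceDisabled  = [bool]($svc -and $svc.StartType -eq 'Disabled')
    }
}

# On LON-DC1:
#   New-LogonBannerGpo | Select-Object DisplayName, Id, GpoStatus
# On LON-CL1, after gpupdate /force and a restart:
#   Test-LogonBannerApplied
```

The check on the client reads the values where the policy engine writes them rather than relying on the banner being visible at the next sign-in, so it can be run remotely or from a scheduled task; gpresult /r on the client shows whether Win10 Display was among the applied GPOs if the values are missing.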

Prepare for the next lab


When you are finished with the lab, keep all virtual machines running for the next lab. Complete the
following steps:

1. On the host computer, start Hyper-V Manager.

2. In Hyper-V Manager, click MSL-TMG1, and then in the Actions pane, click Start.
3. You do not need to sign in to this virtual machine.

Lab B: Synchronizing Settings with OneDrive
Exercise 1: Connecting a Microsoft Account
Task 1: Connect your Microsoft account
1. On LON-CL1, in the Start menu, click Settings.

2. Click Accounts, in the console tree, select Other users, and then click the Add someone else to this
PC plus sign.

3. In the How will this person sign in? window, click the I don't have this person's sign-in information
hyperlink.

4. In the Let's create your account window, create a Microsoft account with the following values, and
then click Next:

o First name: Your first name + your last name's first letter (for example, KariT)
o Last name: 20697-1B

o Click the Get a new email address hyperlink, in the New email text box, type Your first name
+ last initial-20697-1B, and then press Tab.

Note: This should return a check mark with the statement Your first name + last initial-
20697-1B@outlook.com is available. If not, go back and add the second letter of your last name
to the email address (for example, KariTr). You may have to continue to add letters until you
reach a name that is unique enough for the system to accept it.

o Password: Pa$$w0rd

o Country/region: Select your country/region


o Birth month: January

o Birth day: 1

o Year: 1990, click Next.


o In the Add security info, Phone number text box, type 888-555-1212, or use a number of your
choice.

Note: Because the telephone number will not be called or texted through this account, any
number will do as long as the pattern fits your country/region's telephone system.

5. In the See what's most relevant to you window, click Next.

6. It will take a few minutes to create your profile.

7. If either the Passwords are so yesterday or Set up a PIN pages appear, click Skip this step.
8. Close all open windows, and then sign out.

Task 2: Perform verification


1. On LON-CL1, sign in as Your first name + last initial-20697-1B@outlook.com, enter the password
Pa$$w0rd. If either the Passwords are so yesterday or Set up a PIN pages appear, click Skip this
step.
2. In the Get your files here, there and everywhere page, click Next.

3. Click the Windows icon, and then in the Start menu, click the Mail tile.

4. On the Welcome page, click Get started.

5. On the Accounts page, click Ready to go.

6. Send a test message to yourself, as follows:

o Click the New mail plus sign, in the To: line, type Your first name + last initial-20697-
1B@outlook.com.

o In the Subject line, type First test.

o In the body, type This is my first test email.


o In the upper right, click Send.

7. If you encounter a message that states "Please sign in to your Outlook.com account", click sign in to
validate the account.
8. In the upper right, click the Refresh icon, which features two arrows in a circle. You should see your
test message. Close all open windows, and then sign out.

Task 3: Sign in to LON-CL2 with your Microsoft account


1. Switch to LON-CL2.
2. In the Start menu, select the Settings app.

3. Click Accounts, in the console tree, select Other users, and then click the Add someone else to this
PC plus sign.
4. In the How will this person sign in? page, in the Email or phone text box, type Your first name +
last initial-20697-1B@outlook.com, and click Next.

5. In the Good to go page, click Finish.

6. Close the Settings app, and in the Start menu, click the Admin button, and then click Your first
name + last initial-20697-1B@outlook.com.

7. In the Password text box, type Pa$$w0rd, and press the Enter key.

8. It will take a few minutes to build the profile.

9. At the Set up a PIN page, click Skip this step and then click Next.

10. In the Get your files here, there and everywhere page, click Next.

11. Close all open windows, and then sign out.


12. Sign in as Your first name + last initial-20697-1B@outlook.com, with the password Pa$$w0rd.

Task 4: Perform verification


1. On LON-CL2, click the Windows icon, and then in the Start menu, click the Mail tile.

2. On the Welcome page, click Get started.

3. In the Accounts page, note that Your first name + last initial-20697-1B@outlook.com is selected,
and then click Ready to go.

4. You should see all your messages from the previous task on LON-CL1.

5. Open your test message, reply by adding some text, and then click Send.
6. Close all open windows, and then sign out.

Results: After you complete this exercise, you will have successfully:

o Connected your Microsoft account to a device.

o Performed verification.

o Signed in with your Microsoft account.

Exercise 2: Synchronizing Settings between Devices


Task 1: Enable sync on LON-CL2
1. On LON-CL2, sign in as Your first name + last initial-20697-1B@outlook.com with the password
Pa$$w0rd.
2. From the taskbar, click the File Explorer icon, and then click the OneDrive node.

Note: The OneDrive node in File Explorer may take several minutes to appear. Please wait
for it to appear before proceeding. If it takes longer than 15 minutes, sign out, and then sign
back in by using your Microsoft account.

3. In the console tree, under OneDrive, select the Documents folder, and in the details pane, right-click
the empty space, point to New, click Text Document, in the name text box, type I was here.txt,
and then press Enter.

4. Double-click the I was here.txt document and when Notepad opens, type I was here on LON-CL2.
Press Ctrl+S, and then close Notepad.

Task 2: Sign in to LON-CL1 with your Microsoft account, and update the
synchronized document
1. Return to LON-CL1 and then sign in as Your first name + last initial-20697-1B@outlook.com, with
a password of Pa$$w0rd. From the taskbar, click the File Explorer icon, and then select the
OneDrive node.
2. Open the Documents folder in the OneDrive node. After a few minutes, the I was here.txt
document should appear (it can take up to five minutes).

3. When the I was here.txt document appears, double-click it.


4. In the Notepad window, directly under the I was here on LON-CL2 line, type Now I'm here on
LON-CL1, and then press Enter.

5. Press Ctrl+S, and then close Notepad. Make note of the date and time of the I was here.txt file.

6. Return to LON-CL2, and if File Explorer is not still open, on the taskbar, click the File Explorer icon,
and then select the OneDrive node. Select the Documents folder in the OneDrive node.
7. Make note of the date and time of the I was here.txt document. When it changes to the date and
time you noted on LON-CL1, double-click the file (it takes up to five minutes to change).

Note: You should now see two lines in Notepad, as follows:

I was here on LON-CL2.

Now I'm here on LON-CL1.

8. Close all open windows, and then sign out of all virtual machines.

Results: After you complete this exercise, you will have successfully:

o Enabled synchronization on both devices.

o Signed in with your Microsoft account.

Prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.


4. Repeat steps 2 and 3 for 20697-1B-LON-CL1, 20697-1B-LON-CL2, and MSL-TMG1.

Module 4: Configuring Network Connectivity


Lab: Configuring Network Connectivity
Exercise 1: Verifying and Testing IPv4 Settings
Task 1: Verify the IPv4 settings from Network and Sharing Center
1. Switch to LON-CL1.

2. Click the Network icon in the notification area, and then click Network settings.

3. Click Network and Sharing Center.

4. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.

5. In the Ethernet Status dialog box, click Details. This window displays the same configuration
information for this adapter as the ipconfig command does.
6. Record the following information:
o IPv4 Address

o IPv4 Subnet Mask


o IPv4 DNS Server

7. In the Network Connection Details window, click Close.

8. In the Ethernet Status dialog box, click Properties. You can configure protocols in this window.

9. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. You can configure the IP
address, subnet mask, default gateway, and Domain Name System (DNS) servers in this window.

10. Close all open windows without modifying any settings.

Task 2: Verify the current IPv4 settings from the command line
1. Right-click Start, and then click Command Prompt (Admin).
2. Type PowerShell, and then press Enter.

3. At the Windows PowerShell command prompt, type Get-NetIPAddress, and then press Enter. The
IPv4 address should match what you recorded earlier.
4. At the command prompt, type netsh interface ipv4 show config, and then press Enter. The current
IPv4 configuration is displayed and should match what you recorded earlier.

5. At the Windows PowerShell command prompt, type ipconfig /all, and then press Enter. Again, the
information should match what you recorded earlier.

6. Leave Windows PowerShell open.



Task 3: Test connectivity


1. At the Windows PowerShell command prompt, type test-connection LON-DC1, and then press
Enter.

2. At the command prompt, type netstat -n, and then press Enter. Observe and describe the active
connections to 172.16.0.10. Most connections to services are transient.
3. If no connections appear, create a connection. To create a connection, click Start, in the Search box,
type \\LON-DC1, and then press Enter.

4. In File Explorer, double-click NETLOGON.

5. At the command prompt, type netstat -n, and then press Enter. Identify the services that LON-CL1
had connections to on LON-DC1.

Results: After completing this exercise, you will have successfully verified Internet Protocol version 4 (IPv4)
settings.
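The "identify the services" part of step 5 done with Get-NetTCPConnection instead of netstat -n, as an added example that is not the lab's own code: each connection to 172.16.0.10 is labelled with the service that normally listens on that port and tied back to the process that owns it. The port table is a constructed list of well-known domain-controller ports; the function name is mine.

```powershell
# Added example, not lab code: the object-returning equivalent of 'netstat -n',
# restricted to one remote host and annotated. Function name is assumed (mine).

function Get-ConnectionsToHost {
    param([Parameter(Mandatory)][string]$RemoteAddress)

    # Constructed lookup: ports a domain member normally uses on a domain controller.
    $portNames = @{
        53   = 'DNS'
        88   = 'Kerberos'
        135  = 'RPC endpoint mapper'
        389  = 'LDAP'
        445  = 'SMB (file shares such as NETLOGON)'
        464  = 'Kerberos password change'
        636  = 'LDAP over TLS'
        3268 = 'Global Catalog'
    }

    # Get-NetTCPConnection throws when nothing matches the filter, so treat
    # "no connections" as an empty result instead of an error.
    $conns = @(Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue)

    foreach ($c in $conns) {
        $name = $portNames[[int]$c.RemotePort]
        if (-not $name) { $name = 'dynamic RPC port (not well known)' }

        # OwningProcess lets you tie the socket back to a process, which netstat -n
        # does not show without -o and a second lookup.
        $proc     = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '?' }

        [pscustomobject]@{
            LocalPort  = $c.LocalPort
            RemotePort = $c.RemotePort
            Service    = $name
            State      = $c.State
            Process    = $procName
        }
    }
}

Get-ConnectionsToHost -RemoteAddress '172.16.0.10' |
    Sort-Object RemotePort |
    Format-Table -AutoSize
```

If the table is empty, open \\LON-DC1\NETLOGON as step 3 says and run the command again; the SMB connection on port 445 then appears, owned by the System process, and usually disappears again a short while after the window is closed, which is the transience the step refers to.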

Exercise 2: Configuring Automatic IPv4 Settings


Task 1: Reconfigure the IPv4 settings
1. Click the Network icon in the notification area, and then click Network settings.

2. Click Network and Sharing Center.


3. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.

4. In the Ethernet Status dialog box, click Properties. In this window, you can configure protocols.

5. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.


6. In the Properties dialog box, click Obtain an IP address automatically.

7. Click Obtain DNS server address automatically.

8. Click OK to save the changes.


9. In the Ethernet Properties dialog box, click Close.

10. In the Ethernet Status dialog box, click Details. Notice that Dynamic Host Configuration Protocol
(DHCP) is enabled, and that the IP address of the DHCP server displays.
11. Switch to the Windows PowerShell command prompt, type ipconfig /all, and then press Enter. Verify
that the IPv4 address is obtained from DHCP.

Task 2: Test connectivity


1. At the Windows PowerShell command prompt, type test-connection LON-DC1, and then press
Enter.
2. At the command prompt, type netstat -n, and then press Enter. Observe and describe the active
connections to 172.16.0.10. Most connections to services are transient.

3. If no connections appear, create a connection. To create a connection, click Start, in the Search box,
type \\LON-DC1, and then press Enter.

4. In File Explorer, double-click NETLOGON.



5. At the command prompt, type netstat -n, and then press Enter. Identify the services that LON-CL1
had connections to on LON-DC1.

6. Close all open windows except Windows PowerShell.

Task 3: View the impact on the DHCP server


1. Switch to LON-DC1.

2. In Server Manager, click Tools, and then click DHCP.

3. Expand lon-dc1.adatum.com, expand IPv4, expand Scope [172.16.0.0] Adatum, and then click
Address Leases.

4. In the details pane, you should see the address lease for your Windows 10 client.

Results: After completing this exercise, you will have successfully configured IPv4 settings to be assigned
automatically.
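Task 1 of this exercise from PowerShell, as an added example that is not part of the lab: the static settings are recorded first, as Exercise 1 step 6 does by hand, so that they can be put back afterwards. The adapter alias Ethernet is the lab's; the function names are mine. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example, not lab code: switch the Ethernet adapter to DHCP for IPv4 and
# DNS, after saving the static configuration so it can be restored. Function
# names are assumed (mine). Requires an elevated prompt.

function Save-IPv4Config {
    param([string]$InterfaceAlias = 'Ethernet')

    $ip  = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
           Select-Object -First 1
    $gw  = Get-NetRoute -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 `
               -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
           Select-Object -First 1
    $dns = Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4

    [pscustomobject]@{
        InterfaceAlias = $InterfaceAlias
        IPAddress      = $ip.IPAddress
        PrefixLength   = $ip.PrefixLength
        Gateway        = $gw.NextHop
        DnsServers     = @($dns.ServerAddresses)
        Dhcp           = (Get-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).Dhcp
    }
}

function Enable-IPv4Dhcp {
    param([string]$InterfaceAlias = 'Ethernet')

    # Remove the manual address and default route first; otherwise the static
    # address stays on the adapter next to the DHCP lease.
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
        Where-Object PrefixOrigin -eq 'Manual' |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 `
        -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    # "Obtain an IP address automatically" / "Obtain DNS server address automatically".
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Enabled
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses

    # Ask for a lease now rather than waiting for the DHCP client timer.
    ipconfig /renew "$InterfaceAlias" | Out-Null
    Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias
}

function Restore-IPv4Config {
    param([Parameter(Mandatory)]$Saved)

    Set-NetIPInterface -InterfaceAlias $Saved.InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled
    $params = @{
        InterfaceAlias = $Saved.InterfaceAlias
        IPAddress      = $Saved.IPAddress
        PrefixLength   = $Saved.PrefixLength
    }
    # A host without a default gateway is valid; only pass one if there was one.
    if ($Saved.Gateway) { $params.DefaultGateway = $Saved.Gateway }
    New-NetIPAddress @params | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $Saved.InterfaceAlias -ServerAddresses $Saved.DnsServers
    Get-NetIPConfiguration -InterfaceAlias $Saved.InterfaceAlias
}

$before = Save-IPv4Config
$before
Enable-IPv4Dhcp
# When the static configuration is wanted back:  Restore-IPv4Config -Saved $before
```

Get-NetIPConfiguration at the end of Enable-IPv4Dhcp is the command-line counterpart of step 10: the IPv4Address entry it prints comes with a PrefixOrigin of Dhcp, and ipconfig /all shows the DHCP server that granted the lease, which is the address you then look up in Task 3 on LON-DC1.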

Exercise 3: Configuring and Testing Name Resolution


Task 1: Verify current DNS settings on the client
1. Switch to LON-CL1.
2. Click the Network icon in the notification area, and then click Network settings.

3. Click Network and Sharing Center.


4. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.
5. In the Ethernet Status dialog box, click Details.

6. Notice that DHCP is enabled, and that the IP address of the DHCP server displays. Notice the DNS
server address.
7. In the Network Connection Details dialog box, click Close.

8. In the Ethernet Status dialog box, click Close.

Task 2: View and clear the DNS resolver cache


1. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter. This
displays the current DNS resolver cache.

2. At the Windows PowerShell command prompt, type Get-DnsClientCache, and then press Enter. This
displays the current DNS resolver cache.

3. At the Windows PowerShell command prompt, type ipconfig /flushdns, and then press Enter. This
flushes the current DNS resolver cache.

4. At the Windows PowerShell command prompt, type Clear-DnsClientCache, and then press Enter.
This flushes the current DNS resolver cache. It is not necessary to run this in addition to the preceding
command.

5. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter. This
verifies that you have no entries in the cache.

Task 3: Test name resolution


1. At the Windows PowerShell command prompt, type test-connection lon-dc1, and then press Enter.

2. At the Windows PowerShell command prompt, type Get-DnsClientCache | fl, and then press Enter.

3. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter. This
should display similar information to the preceding command.

Task 4: Create and test a new record


1. At the Windows PowerShell command prompt, type notepad C:\windows\system32\drivers\etc\hosts,
and then press Enter.

2. Scroll to the end of the file, type 172.16.0.10 www, and then press Enter.
3. Click File, and then click Save.

4. Close Notepad.
5. At the Windows PowerShell command prompt, type test-connection www, and then press Enter.

6. At the Windows PowerShell command prompt, type Get-DnsClientCache | fl, and then press Enter.

7. View the www record in the cache.

Task 5: Troubleshoot name resolution


1. At the Windows PowerShell command prompt, type nslookup LON-DC1, and then press Enter.
2. At the Windows PowerShell command prompt, type Resolve-DnsName LON-DC1 | fl, and then press
Enter.

3. At the Windows PowerShell command prompt, type nslookup -d1 LON-DC1 > file.txt, and then
press Enter.

4. At the command prompt, type notepad file.txt, and then press Enter.
5. Review the information. Note that you must scroll to the section starting Got answer.

6. What was the question that was asked of the DNS server?

QUESTIONS: lon-dc1.Adatum.com, type = A, class = IN


7. What was the response?

ANSWERS: lon-dc1.Adatum.com
internet address = 172.16.0.10
ttl = 3600 (1 hour)
8. How long will the record be cached?

1 hour

9. What is the fully qualified domain name (FQDN) for the primary name server?
lon-dc1.Adatum.com

10. Close Notepad.


11. Close Windows PowerShell.

Results: After completing this exercise, you will have successfully verified your DNS settings and tested
name resolution.
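The resolver-cache and hosts-file work of Tasks 2 to 5 done from PowerShell, as an added example that is not the lab's own code. The hosts entry is appended only if it is not already present, and a matching function removes it again; the name www and the address 172.16.0.10 are the lab's, and the function names are mine. Run it elevated, because the hosts file is writable only by administrators.

```powershell
# Added example, not lab code: flush and inspect the DNS client cache, add and
# remove a hosts-file record, and show the same question/answer/TTL that the
# nslookup -d1 output in Task 5 contains. Function names are assumed (mine).

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Get-HostsEntryPattern {
    param([string]$IPAddress, [string]$HostName)
    # An uncommented line: the address, whitespace, then the name as a whole word.
    '^\s*' + [regex]::Escape($IPAddress) + '\s+' + [regex]::Escape($HostName) + '(\s|$)'
}

function Add-HostsEntry {
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$HostName)

    $pattern = Get-HostsEntryPattern -IPAddress $IPAddress -HostName $HostName
    $lines   = @(Get-Content -Path $HostsPath)
    if (-not ($lines | Where-Object { $_ -match $pattern })) {
        # Rewrite the whole file so the new record lands on its own line even if
        # the file did not end with a newline.
        Set-Content -Path $HostsPath -Value ($lines + "$IPAddress`t$HostName") -Encoding Ascii
    }
    # The DNS Client service reloads the hosts file on change; clearing the cache
    # just makes sure no stale answer for the name survives.
    Clear-DnsClientCache
}

function Remove-HostsEntry {
    param([Parameter(Mandatory)][string]$IPAddress, [Parameter(Mandatory)][string]$HostName)

    $pattern = Get-HostsEntryPattern -IPAddress $IPAddress -HostName $HostName
    $kept    = @(Get-Content -Path $HostsPath | Where-Object { $_ -notmatch $pattern })
    Set-Content -Path $HostsPath -Value $kept -Encoding Ascii
    Clear-DnsClientCache
}

function Show-Resolution {
    param([Parameter(Mandatory)][string]$Name)

    # The same question nslookup asks: "<name>, type = A, class = IN".
    $answer = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
              Where-Object { $_.Type -eq 'A' }

    # After the query the record sits in the client cache with its remaining TTL.
    $cached = Get-DnsClientCache -ErrorAction SilentlyContinue |
              Where-Object { $_.Entry -like "$Name*" }

    [pscustomobject]@{
        Question  = "$Name, type = A, class = IN"
        Answer    = ($answer.IPAddress -join ', ')
        AnswerTTL = ($answer.TTL -join ', ')
        Cached    = ($cached.Entry -join ', ')
        CachedTTL = ($cached.TimeToLive -join ', ')
    }
}

Clear-DnsClientCache                       # Task 2
Show-Resolution -Name 'lon-dc1'            # Task 3 / Task 5: answer from LON-DC1, TTL 3600
Add-HostsEntry -IPAddress '172.16.0.10' -HostName 'www'
Show-Resolution -Name 'www'                # Task 4: answered from the hosts file
# Remove-HostsEntry -IPAddress '172.16.0.10' -HostName 'www'
```

Matching on both address and name before appending is what keeps a repeated run from leaving duplicate records behind, and the Remove-HostsEntry counterpart is the clean-up step the lab leaves to the VM revert. Because hosts entries are preloaded into the resolver cache, an unexpected record for a well-known name in Get-DnsClientCache output is also a quick way to notice a tampered hosts file.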

Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-DC1.



Module 5: Managing Storage


Lab: Managing Storage
Exercise 1: Adding a Disk
Task 1: Use Disk Management to initialize a disk
1. On LON-CL2, click Start and type diskmgmt.msc. Click diskmgmt.msc in the list.

2. In the Initialize Disk window, clear the Disk 2 and Disk 3 check boxes, and then click OK. You can see
that Disk 1 now has a status of Online.

Results: After completing this exercise, you will have initialized one hard disk.

Exercise 2: Creating a Simple Volume


Task 1: Create a simple volume
1. Right-click the right side of Disk 1, and then click New Simple Volume.
2. In the New Simple Volume Wizard window, click Next.

3. On the Specify Volume Size page, type 5120, and then click Next.
4. On the Assign Drive Letter or Path page, make sure that drive E is selected, and then click Next.
5. On the Format partition page, in the Volume Label text box, type Data, and then click Next.

6. On the Completing the New Simple Volume Wizard page, click Finish.

Task 2: Extend the simple volume


1. Click Start, and then type Powershell. Press Enter.
2. In Windows PowerShell, type the following two commands:

$MaxSize = (Get-PartitionSupportedSize -DriveLetter E).SizeMax

Resize-Partition -DriveLetter E -Size $MaxSize

3. Switch to the Disk Management window, and then verify that the E volume now occupies the entire
Disk 1.

If the change is not visible, press F5 to refresh the view in Disk Management.

Results: After completing this exercise, you will have created a simple volume and then extended the
volume.

Exercise 3: Compressing a Folder


Task 1: Verify current folder size
1. Click the File Explorer icon on the taskbar, and if necessary, click Cancel.

2. Navigate to the C:\Users folder. Right-click the Admin folder, and then click Properties.
3. On the General tab, note the Size on Disk in megabytes (MB):___________

Task 2: Configure compression on the folder


1. On the General tab, click Advanced.

2. Click Compress contents to save disk space, and then click OK.
3. Click Apply, and then in the Confirm Attribute Changes window, click OK.

4. In the Access Denied window, click Continue.

5. In the Error Applying Attributes window, click Ignore All.

Task 3: Verify the storage consumed by the compressed folder


After the compression finishes, on the General tab, note the Size on Disk in MB:______________, and
then click OK. Notice that the Admin folder is now blue because it is compressed.

Results: After completing this exercise, you will have compressed a folder with files.

Exercise 4: Enabling Disk Quotas


Task 1: Create disk quotas
1. In the File Explorer window, right-click Data (E:), and then click Properties.
2. Click the Quota tab, and then select the Enable quota management check box.

3. In the Properties window, select the Deny disk space to users exceeding quota limit check box.
4. Click Limit disk space to, in the Limit disk space to text box, type 500, and then in the Set warning
level to text box, type 250.

5. Select MB as the unit for both values.

6. In the Properties window, click OK.


7. In the Disk Quota window, click OK.

8. Click Start, click Administrator, and then click Sign out.



Task 2: Create test files


1. Sign in as the user Adatum\April with the password Pa$$w0rd.

2. Wait for April to sign in. This might take some time.

3. Click Start, and then type cmd. Press Enter.

4. Type the following five commands:

E:
MKDIR research
CD research
Fsutil file createnew file1.txt 209715200
Fsutil file createnew file2.txt 209715200

5. Click Start, click April Reagan, and then click Sign out.

Task 3: Verify the disk quota functionality


1. Sign in as the Adatum\Administrator with the password Pa$$w0rd.
2. Click the File Explorer icon on the taskbar.

3. In the File Explorer window, right-click Data (E:), and then click Properties.
4. Click the Quota tab, and then click Quota Entries.
5. Notice the warning for April Reagan for the disk space used. You might need to expand some
columns to read the full name and Logon Name.

6. Close the Quota Entries for Data (E:) window.


7. Click OK to close the Data (E:) Properties window.

Results: After completing this exercise, you will have configured disk quotas.

Exercise 5: Creating a Storage Space


Task 1: Initialize the required disks
1. Click Start, and then type PowerShell. Press Enter.

2. Type the following two commands:

Clear-Disk -Number 1 -RemoveData

(Press Y and then press Enter to confirm that you want to delete all partitions from disk 1.)

Get-Disk | Where partitionstyle -eq 'raw' | Initialize-Disk -PartitionStyle MBR

Task 2: Create a mirrored storage pool


1. Click Start, and then type Storage spaces. Press Enter.

2. Click Create a new pool and storage space.


3. Notice that Disk 1, Disk 2, and Disk 3 are selected. Click Create pool.

4. Notice that a resilience type of Two-way mirror is selected. Click Create storage space.

Task 3: Verify that the volume is available in File Explorer


1. Open File Explorer.

2. Right-click Storage Space (E:), and then click Properties.

3. Notice that the capacity is approximately 12.1 gigabytes (GB).

Results: After completing this exercise, you will have created a two-way mirror storage space.
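Exercise 5 from PowerShell, as an added example that is not lab code: the pool, the two-way mirror and the NTFS volume that the Storage Spaces Control Panel item creates in Task 2, followed by a health check you can re-run later. Get-PhysicalDisk -CanPool $true returns only disks without partitions, which is why Task 1 clears disk 1 first. The pool and space names and the function names are mine.

```powershell
# Added example, not lab code: create a storage pool, a two-way mirror space and
# an NTFS volume on it, then report the pool's health. Names are assumed (mine).
# Run from an elevated prompt on a machine with at least two unpartitioned disks.

function New-MirroredStorageSpace {
    param(
        [string]$PoolName    = 'Lab pool',
        [string]$SpaceName   = 'Storage space',
        [char]  $DriveLetter = 'E'
    )

    # Only disks with no partitions are poolable (the lab's Clear-Disk step).
    $disks = @(Get-PhysicalDisk -CanPool $true)
    if ($disks.Count -lt 2) {
        throw "A two-way mirror needs at least 2 poolable disks; found $($disks.Count)."
    }

    $subsystem = Get-StorageSubSystem |
                 Where-Object FriendlyName -like '*Windows Storage*' |
                 Select-Object -First 1
    $pool = New-StoragePool -FriendlyName $PoolName `
                -StorageSubSystemFriendlyName $subsystem.FriendlyName -PhysicalDisks $disks

    # Two-way mirror: every block is written to two different physical disks, so
    # the space survives the loss of one disk.
    $vdisk = New-VirtualDisk -StoragePoolFriendlyName $pool.FriendlyName -FriendlyName $SpaceName `
                 -ResiliencySettingName Mirror -NumberOfDataCopies 2 `
                 -ProvisioningType Fixed -UseMaximumSize

    # The virtual disk shows up as a new raw disk; initialise, partition and format it.
    $disk = $vdisk | Get-Disk
    if ($disk.IsOffline) { Set-Disk -Number $disk.Number -IsOffline $false }
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    $part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter
    Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel $SpaceName -Confirm:$false | Out-Null

    Get-Volume -DriveLetter $DriveLetter
}

function Get-StorageSpaceHealth {
    param([string]$PoolName = 'Lab pool')

    $pool   = Get-StoragePool -FriendlyName $PoolName
    $vdisks = $pool | Get-VirtualDisk
    $pdisks = $pool | Get-PhysicalDisk

    [pscustomobject]@{
        Pool          = "$($pool.FriendlyName): $($pool.HealthStatus)"
        VirtualDisks  = ($vdisks | ForEach-Object {
                            "$($_.FriendlyName): $($_.HealthStatus) ($($_.ResiliencySettingName), $($_.NumberOfDataCopies) copies)"
                        }) -join '; '
        PhysicalDisks = ($pdisks | ForEach-Object {
                            "$($_.FriendlyName): $($_.HealthStatus)"
                        }) -join '; '
    }
}

New-MirroredStorageSpace
Get-StorageSpaceHealth
```

The Size that Get-Volume reports is what Task 3 checks in File Explorer; with a fixed-provisioned mirror it is roughly half of the raw capacity of the pooled disks, since every byte is stored twice. Get-StorageSpaceHealth is the part worth keeping: a mirror that reports Degraded or a physical disk that reports Unhealthy is still readable, but has lost the redundancy the exercise set up.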

Prepare for the next module


When you are finished with the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat the steps for 20697-1B-LON-CL2.



Module 6: Managing Files and Printers


Lab A: Configuring and Managing
Permissions and Shares
Exercise 1: Creating, Managing, and Sharing a Folder
Task 1: Create a folder structure
1. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd.

2. On the taskbar, click File Explorer.

3. In File Explorer, in the navigation pane, expand This PC, and then click Local Disk (C:). In the details
pane, right-click the empty space, select New, select Folder, and then type Data for the new folder's
name.

4. In File Explorer, in the navigation pane, expand Local Disk (C:), and then click Data. In the details
pane, right-click the empty space, select New, select Folder, and then type Marketing for the new
folder's name.

5. In File Explorer, in the details pane, right-click the empty space, select New, select Folder, and then
type IT for the new folder's name.

Task 2: Review default permissions


1. On LON-CL1, in File Explorer, in the navigation pane, double-click Data below Local Disk (C:),
right-click IT, and then select Properties.
2. In the IT Properties window, click the Security tab, and then click Edit.

3. In the Permissions for IT dialog box, verify that Authenticated Users is selected in the Group or
user names section, and then click Remove. Read the text in the Windows Security dialog box that
appears, which explains why you cannot remove an authenticated user. Click OK, and then click
Cancel.

4. In the IT Properties window, on the Security tab, click Advanced.


5. In the Advanced Security Settings for IT dialog box, verify that all permissions entries are inherited
from C:\. Also, verify that Users (LON-CL1\Users) have Read & execute Access, while
Authenticated Users have Modify Access. Click OK twice.
6. In File Explorer, in the navigation pane, right-click Marketing, and then select Properties.

7. In the Marketing Properties window, click the Security tab, and then click Advanced.

8. In the Advanced Security Settings for Marketing dialog box, verify that all permissions entries are
inherited from C:\. Also, verify that Users (LON-CL1\Users) have Read & execute Access, while
Authenticated Users have Modify Access. Click OK twice.

Task 3: Configure permissions for the IT and Marketing folders


1. On LON-CL1, in File Explorer, in the navigation pane, right-click the IT folder, select Share with, and
then select Specific people.

2. In the File Sharing dialog box, verify that Administrator is selected, click Read/Write in the
Permission Level column, and then select Remove.

3. In the Type a name and then click Add, or click the arrow to find someone text box, enter IT, and
then click Add.

4. Verify that IT is added and selected. Click Read in the Permission Level column, select Read/Write,
click Share, and then click Done.

5. In File Explorer, in the navigation pane, right-click Marketing, and then select Properties.
6. In the Marketing Properties dialog box, select the Sharing tab. In the Network File and Folder
Sharing section, verify that Marketing is not shared, and then in the Advanced Sharing section,
click Advanced Sharing.

7. In the Advanced Sharing dialog box, select the Share this folder check box. Verify that the share
name is Marketing (the same as the folder name), and that Limit the number of simultaneous
users to is set to 20. Click Permissions.

8. In the Permissions for Marketing dialog box, click Remove. Click Add, in the Enter the object
names to select (examples) box, type Marketing, and then click OK. In the Permissions for
Marketing section, select the Change check box in the Allow column, and then click OK twice.
9. In the Marketing Properties dialog box, in the Network File and Folder Sharing section, verify that
Marketing is now shared as \\LON-CL1\Marketing, and then click Close.

10. Right-click the Start icon, and then select Command Prompt.
11. At the command prompt, view shares created on LON-CL1 by typing net view \\lon-cl1, and then
pressing Enter. Close the command prompt.

12. Right-click the Start icon, and then select Computer Management.
13. In Computer Management, in the navigation pane, expand Shared Folders, and then click Shares. In
the details pane, verify that you see IT and Marketing shares, and the default Windows 10 shares.
Close Computer Management.

Task 4: Review configured permissions


1. On LON-CL1, in File Explorer, in the navigation pane, right-click IT, and then select Properties.
2. In the IT Properties window, click the Security tab, and then click Advanced.

3. In the Advanced Security Settings for IT dialog box, verify that all the permissions entries are set
explicitly at this level, because their permission inheritance is set to None.
4. Verify that only Administrator, Administrators (LON-CL1\Administrators), SYSTEM, and IT
(ADATUM\IT) have access to the IT folder. These settings match the permissions that you
configured in the File Sharing dialog box.
5. In the Advanced Security Settings for IT dialog box, click OK. In the IT Properties dialog box,
select the Sharing tab, in the Network File and Folder Sharing section, verify that IT now is shared
as \\Lon-cl1\it, and then click Advanced Sharing.

6. In the Advanced Sharing dialog box, click Permissions. In the Permissions for IT dialog box, verify
that the Everyone and Administrators groups have Full Control permissions to the share, click OK
twice, and then click Close.

Note: If you share a folder by using the File Sharing dialog box, you will modify the local
file permissions to match your configuration, while the Everyone and Administrators groups will
have the Full Control share permission.

7. In File Explorer, in the navigation pane, right-click Marketing, and then select Properties.
8. In the Marketing Properties window, click the Security tab, and then click Advanced.

9. In the Advanced Security Settings for Marketing dialog box, verify that all of the permissions
entries are inherited from C:\. Also verify that Users (LON-CL1\Users) have Read & execute Access,
while Authenticated Users have Modify Access, which are the same file permissions as before you
shared the Marketing folder. Click OK twice.

Note: If you share a folder by using the Advanced Sharing feature, this does not modify
local file permissions. You only modify share permissions if you use Advanced Sharing.

10. Right-click the Start icon, select Shut down or sign out, and then select Sign out.

Task 5: Test local file permissions


1. On LON-CL1, sign in as Adatum\Adam with the password Pa$$w0rd. Adam is a member of the
Marketing group, but is not a member of the IT group.

2. On the taskbar, click File Explorer. In File Explorer, in the navigation pane, expand This PC, expand
Local Disk (C:), expand Data, and then select Marketing.

3. In the details pane, right-click the empty space, select New, select Text Document, and then enter
File10 as the name of the file.

Note: Adam has local file permissions to create a new file in the Marketing folder, because
permissions were configured by using the Advanced Sharing feature. This modified only the share
permissions, while the default local file permissions were not modified. By default, Authenticated
Users have the Modify permission.

4. In File Explorer, in the navigation pane, select IT, and then click Cancel.

Note: You will get an error, because Adam does not have local file permissions to the IT
folder. Permissions were configured by File Sharing, and only members of the IT group have local
file permissions to the folder.

5. Right-click the Start icon, select Shut down or sign out, and then select Sign out.

6. On LON-CL1, sign in as Adatum\April with the password Pa$$w0rd. April is a member of the IT
group, but she is not a member of the Marketing group.

7. On the taskbar, click File Explorer. In File Explorer, in the navigation pane, expand This PC, expand
Local Disk (C:), expand Data, and then select Marketing.

8. In the details pane, verify that you can see File10 that was created by Adam. Right-click the empty
space, select New, select Text Document, and then type File20 as the name of the file.

Note: April has local file permissions to create a new file in the Marketing folder because
you configured permissions by using the Advanced Sharing feature. This modified only the share
permissions, while the default local file permissions were not modified. By default, Authenticated
Users have the Modify permission.

9. In File Explorer, in the navigation pane, select IT. In the details pane, right-click the empty space,
select New, select Text Document, and then enter File21 as the name of the file.

Note: April is able to create a file, because you configured permissions by using File
Sharing. Members of the IT group have local file permissions to the IT folder.

Note: Be aware that Network File and Folder Sharing modifies file permissions and share
permissions. However, the Advanced Sharing feature does not modify file permissions, and only
sets share permissions.

10. Right-click the Start icon, select Shut down or sign out, and then select Sign out.

Task 6: Test share permissions


1. On LON-CL2, sign in as Adatum\Adam with the password Pa$$w0rd. Adam is a member of the
Marketing group, but he is not a member of the IT group.

2. On the taskbar, click File Explorer. In File Explorer, click the arrow in the Address bar, type
\\LON-CL1, and then press Enter.

3. Verify that you can see the IT and Marketing shares in the details pane. Double-click Marketing.
Verify that you can see the files that Adam and April created locally.

4. In the details pane, right-click the empty space, select New, select Text Document, and then enter
File30 as the name of the file. Adam has permissions to create a new file in the Marketing share
because he is a member of the Marketing group.
5. In File Explorer, click LON-CL1 in the address bar. In the details pane, double-click IT. Read the text in
the Network Error dialog box, and then click Close.

Note: Adam is not a member of the IT group, so he does not have permissions to the IT
share.

6. Right-click the Start icon, select Shut down or sign out, and then select Sign out.

7. Sign in as Adatum\April with the password Pa$$w0rd. April is a member of the IT group, but she is
not a member of the Marketing group.
8. On the taskbar, click File Explorer. In File Explorer, click the arrow in the Address bar, type
\\LON-CL1, and then press Enter.

9. Verify that you can see the IT and Marketing shares in the details pane. Double-click Marketing.

10. Read the text in the Network Error dialog box. April is not a member of the Marketing group, so she
does not have permissions to the Marketing share. Click Close.

11. In the details pane, double-click IT. Right-click the empty space in the details pane, select New, select
Text Document, and then enter File40 as the name of the file. April has permissions to create a new
file in the IT share because she is a member of the IT group.

Note: Users can connect only to shares that were shared for groups in which they are
members, regardless of whether they were shared by File Sharing or Advanced Sharing.

Results: After completing this exercise, you will have created a folder structure for the Marketing and
information technology (IT) departments, shared their folders, and tested local and share permissions.
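The two sharing paths that this exercise contrasts (the File Sharing dialog box, which rewrites the NTFS permissions as well as the share permissions, and Advanced Sharing, which touches only the share permissions) can be reproduced and compared from Windows PowerShell. The following script is an added example, not part of the 20697-1B course material; it assumes the lab names (ADATUM\IT, ADATUM\Marketing, C:\Data on LON-CL1), an elevated session on the file server, and the in-box SmbShare module. The File Sharing path is approximated by setting the explicit NTFS entries the lab verifies in Task 4 and opening the share to Everyone, because that is the combination the dialog box produces.

```powershell
# Added example (not from the 20697-1B lab): build Data\IT and Data\Marketing, share
# each the way Exercise 1 does, and report share ACL beside NTFS ACL for both.
# Assumes lab names (ADATUM\IT, ADATUM\Marketing) and an elevated session on LON-CL1.
$root    = 'C:\Data'
$folders = @{ IT = 'ADATUM\IT'; Marketing = 'ADATUM\Marketing' }
foreach ($name in $folders.Keys) {
    New-Item -Path (Join-Path $root $name) -ItemType Directory -Force | Out-Null
}

# Path 1 (what the File Sharing dialog box does): explicit NTFS permissions limited to
# the IT group plus the built-in principals, and a share that is wide open at the
# share level (Everyone: Full Control). NTFS is what actually restricts access.
$itPath = Join-Path $root 'IT'
$acl    = Get-Acl -Path $itPath
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, drop inherited ACEs
$rights  = [System.Security.AccessControl.FileSystemRights]
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$entries = @(
    @{ Id = 'ADATUM\Administrator';   Right = $rights::FullControl },
    @{ Id = 'BUILTIN\Administrators'; Right = $rights::FullControl },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Right = $rights::FullControl },
    @{ Id = $folders.IT;              Right = $rights::Modify }
)
foreach ($entry in $entries) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Right, $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $itPath -AclObject $acl
New-SmbShare -Name 'IT' -Path $itPath -FullAccess 'Everyone', 'BUILTIN\Administrators' | Out-Null

# Path 2 (what Advanced Sharing does): only the share ACL is written. NTFS stays
# inherited from C:\, so Authenticated Users keep Modify locally and any domain user
# can write to the folder when signed in interactively; only SMB access is limited
# to the Marketing group. Giving -ChangeAccess replaces the default Everyone/Read entry.
$mktPath = Join-Path $root 'Marketing'
New-SmbShare -Name 'Marketing' -Path $mktPath -ChangeAccess $folders.Marketing | Out-Null

# Report: remote effective access is the more restrictive of the two ACLs; local
# (console) access is governed by the NTFS ACL alone.
foreach ($name in $folders.Keys) {
    "== $name =="
    '  share ACL:'
    Get-SmbShareAccess -Name $name | ForEach-Object {
        '    {0,-28} {1,-6} {2}' -f $_.AccountName, $_.AccessControlType, $_.AccessRight
    }
    '  NTFS ACL:'
    (Get-Acl -Path (Join-Path $root $name)).Access | ForEach-Object {
        '    {0,-28} {1,-6} {2} (inherited: {3})' -f $_.IdentityReference,
            $_.AccessControlType, $_.FileSystemRights, $_.IsInherited
    }
}
```

Run the report section alone on an existing server to audit shares: a share whose NTFS ACL still shows Authenticated Users with Modify and IsInherited = True was created the Advanced Sharing way, and its local permissions are whatever the parent volume grants.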

Exercise 2: Using Conditions to Control Access and Effective Permissions


Task 1: Configure conditions to control access
1. On LON-CL1, sign in as Adatum\Administrator with the password Pa$$w0rd.

2. On the taskbar, click File Explorer.


3. In File Explorer, in the navigation pane, expand Local Disk (C:), and then click Data. In the details
pane, right-click the empty space, select New, select Folder, and type Research as the new folder
name.

4. Right-click Research, select Properties, select the Sharing tab, and then click Advanced Sharing.

5. In the Advanced Sharing dialog box, select the Share this folder check box, and then click
Permissions.
6. In the Permissions for Research dialog box, in the Permissions for Everyone section, select the
Change check box in the Allow column, and then click OK twice.

7. In the Research Properties dialog box, select the Security tab, click Advanced, and then verify that
all permissions entries are inherited from C:\.

8. In the Advanced Security Settings for Research dialog box, select Users (LON-CL1\Users), and
then click Remove. Read the text in the Windows Security dialog box that appears, click OK, and
then click Disable inheritance.

9. In the Block Inheritance dialog box, click Convert inherited permissions into explicit permissions
on this object, and then verify that all permissions entries are set explicitly at this level because their
permission inheritance is set to None.

10. In the Advanced Security Settings for Research dialog box, select Users (LON-CL1\Users), and
then click Remove. The Users entry is removed from the permission entries because it is now set
explicitly at this level.

11. Verify that Authenticated Users is selected, and then click Edit.

12. In the Permission Entry for Research dialog box, click Add a condition, and compose the following
expression: User department Equals Value research. You will need to type research manually in the
last box. Click OK twice, and then click Close.
13. In File Explorer, in the navigation pane, expand Data, right-click IT, select Properties, select the
Security tab, and then click Advanced.

14. In the Advanced Security Settings for IT dialog box, select IT (ADATUM\it), and then click Edit.

15. In the Permission Entry for IT dialog box, click Add a condition, and compose the following
expression: User Country Equals Value US. You will need to type US manually in the last field. Click
OK three times.

Task 2: Test conditions to control access


1. On LON-CL2, where you are signed in as Adatum\April, in File Explorer, in the address bar, click
LON-CL1. In the details pane, double-click Research. Read the text in the Network Error dialog box,
and then click Close.

2. Right-click the Start icon, and then select Command Prompt.

3. At the command prompt, view user claims by typing whoami /claims, and then press Enter. Review
the output, and then close the command prompt.

Note: April has a department claim value of IT and she cannot connect to the Research
share.

4. In File Explorer, in the address bar, click LON-CL1. In the details pane, double-click IT.

5. In the details pane, right-click the empty space, select New, select Text Document, and then enter
File50 as the name of the file.

Note: April has permissions to create a new file in the IT share because she is a member of
the IT group and her Country claim has a value of US.

6. Right-click the Start icon, select Shut down or sign out, and then select Sign out.

7. Sign in as Adatum\Jesper with the password Pa$$w0rd. Jesper is a member of the IT group.

8. On the taskbar, click File Explorer. In File Explorer, click the arrow in the Address bar, type
\\LON-CL1, and then press Enter.

9. In the details pane, double-click IT. Jesper is a member of the IT group, but he cannot connect to
the IT share. Click Close.
10. Right-click the Start icon, and then select Command Prompt.

11. At the command prompt, view user claims by typing whoami /claims, and then press Enter. Review
the output, and then close the command prompt.

Note: Jesper has a Country claim with the value of GB, so he cannot connect to the IT
share, even though he is a member of the IT group.

12. Right-click the Start icon, select Shut down or sign out, and then select Sign out.

13. Sign in as Adatum\Anil with the password Pa$$w0rd.

14. Right-click the Start icon, and then select Command Prompt.
15. At the command prompt, view user claims by typing whoami /claims, and then pressing Enter.
Review the output, and then close the command prompt.

Note: Anil is in the Research department, and his department claim has the value of
Research.

16. On the taskbar, click File Explorer. In File Explorer, click the arrow in the Address bar, type
\\LON-CL1, and then press Enter.

17. In the details pane, double-click Research, and then verify that Anil can view the contents of the
Research folder.

18. In the details pane, right-click the empty space, select New, select Text Document, and then enter
File60 as the name of the file.

Note: Anil has permissions to create a new file in the Research share because his
department claim has a value of Research.

Task 3: View effective permissions


1. On LON-CL1, in File Explorer, in the navigation pane, right-click Marketing, select Properties, select
the Security tab, click Advanced, and then select the Effective Access tab.

2. In the Advanced Security Settings for Marketing dialog box, click Select a user, in the Enter the
object name to select (examples) box, enter Joel, click OK, and then click View effective access.
View the effective permissions, and then click OK twice.

Note: Because Authenticated Users have the Modify permission to the Marketing folder, you can
see that Joel has the most permissions allowed.

3. In File Explorer, in the navigation pane, right-click Research, select Properties, select the Security
tab, click Advanced, and then select the Effective Access tab.

4. In the Advanced Security Settings for Research dialog box, click Select a user, in the Enter the
object name to select (examples) text box, enter Ales, click OK, and then click View effective
access. Ales is a member of the Development group.

Note: Because only users whose department claim has the value Research have permissions to
the folder, you can see that Ales has no permissions allowed.

5. In the Advanced Security Settings for Research dialog box, click Include a user claim, select
department in the drop-down list, enter Research in the Enter value here text box, and then click
View effective access.

Note: You can see that if Ales had the department user claim with the value of Research,
he would have the most permissions allowed.

6. In the Advanced Security Settings for Research dialog box, click Select a user, in the Enter the
object name to select (examples) box, enter Aziz, click OK, and then click View effective access.
Review the effective permissions, and then click OK twice.

Note: If Aziz had the user claim of department with the value of Research, he would have
the most permissions allowed.

7. Sign out of LON-CL1.

Results: After completing this exercise, you will have configured and tested conditions to control access.
You will have also viewed effective permissions.
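The conditions added in Task 1 are stored on the folder as conditional ACEs, which appear in the security descriptor's SDDL string as entries of type XA (conditional allow) or XD (conditional deny) with the condition as a trailing field. The script below is an added example, not part of the course; it lists a folder's ACEs from its SDDL and flags the conditional ones, and it applies the check a defender wants after Tasks 1 and 3: a plain, unconditional allow for a broad principal beside a conditional one means the condition is not actually enforcing anything. The embedded SDDL is a constructed sample so the script runs offline; the claim-type identifier inside a real condition is environment specific, and the one in the sample is a placeholder. Save it as a .ps1 file and pass -Path to read a real folder such as C:\Data\Research instead.

```powershell
# Added example (not from the 20697-1B lab): list ACEs from a folder's SDDL and flag
# the conditional (claim-based) entries that Exercise 2 creates.
param([string]$Path)

function Split-SddlAces {
    # Returns the top-level "(...)" ACE strings of the DACL, honouring nested
    # parentheses, which a plain regex cannot do once a condition such as
    # (@USER.x == "y") is present inside an ACE.
    param([string]$Sddl)
    $dacl = $Sddl.Substring($Sddl.IndexOf('D:'))
    $sacl = $dacl.IndexOf('S:')
    if ($sacl -gt 0) { $dacl = $dacl.Substring(0, $sacl) }   # ignore any SACL part
    $aces = @(); $depth = 0; $start = -1
    for ($i = 0; $i -lt $dacl.Length; $i++) {
        $c = [string]$dacl[$i]
        switch ($c) {
            '(' { if ($depth -eq 0) { $start = $i }; $depth++ }
            ')' { $depth--; if ($depth -eq 0) { $aces += $dacl.Substring($start + 1, $i - $start - 1) } }
        }
    }
    return $aces
}

function Read-Ace {
    # Splits one ACE into its fields. Conditional ACEs (XA/XD) carry the condition
    # as a seventh field, so splitting at most seven ways keeps it intact.
    param([string]$Ace)
    $f = $Ace.Split(';', 7)
    $condition = if ($f.Count -gt 6) { $f[6] } else { $null }
    [pscustomobject]@{
        Type        = $f[0]
        Flags       = $f[1]
        Rights      = $f[2]
        Trustee     = $f[5]
        Conditional = $f[0] -in 'XA', 'XD'
        Condition   = $condition
    }
}

if ($Path) {
    $sddl = (Get-Acl -Path $Path).Sddl
} else {
    # Constructed sample: inheritance disabled (PAI), explicit ACEs, and an
    # Authenticated Users (AU) entry with Modify (0x1301bf) limited by a department
    # condition, as on the Research folder. The claim-type id is a PLACEHOLDER.
    $sddl = 'O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)' +
            '(XA;OICI;0x1301bf;;;AU;(@USER.ad://ext/department:PLACEHOLDER == "research"))'
}

$entries = @(Split-SddlAces -Sddl $sddl | ForEach-Object { Read-Ace -Ace $_ })
$entries | Format-Table Type, Trustee, Rights, Conditional, Condition -AutoSize

# Defender's check: an unconditional allow (type A) for Authenticated Users (AU),
# Everyone (WD) or Users (BU) would grant access regardless of any claim condition.
$broad = 'AU', 'WD', 'BU'
$unconditional = $entries | Where-Object { $_.Type -eq 'A' -and $_.Trustee -in $broad }
if ($unconditional) {
    "WARNING: unconditional allow for $($unconditional.Trustee -join ', ') bypasses the claim condition."
} else {
    'OK: broad principals are granted access only through conditional ACEs.'
}
```

On the sample input the table shows two unconditional entries for SY and BA and one conditional entry for AU, and the check reports OK; adding an entry such as (A;OICI;0x1301bf;;;AU) to the sample reproduces the misconfiguration the warning is for.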

Lab B: Configuring and Using Work Folders


Exercise 1: Configuring Work Folders
Task 1: Install the Work Folders feature and create a sync share
1. On LON-DC1, on the taskbar, click the Windows PowerShell icon, type the following cmdlet, and
then press Enter:

Install-WindowsFeature FS-SyncShareService

Note: After the feature installs, you will receive a warning message because Windows
automatic updating is not enabled. You can ignore the warning.

2. Minimize the Windows PowerShell window, and then click the Server Manager icon on the taskbar.

3. In Server Manager, in the navigation pane, click File and Storage Services, click Work Folders, click
TASKS in the WORK FOLDERS section, and then click New Sync Share.

4. In the New Sync Share Wizard, on the Before you begin page, click Next.
5. On the Select the server and path page, in the Enter a local path field, type C:\MarketingSync,
click Next, and then click OK.

Note: If LON-DC1 is not listed in the Servers section, click Cancel. In Server Manager, click
Refresh, and then repeat this task from step 3.

6. On the Specify the structure for user folders page, verify that User alias is selected, and then click
Next.

7. On the Enter the sync share name page, click Next to accept the default sync share name.

8. On the Grant sync access to groups page, click Add, and in the Enter the object name to select
(examples) field, type Marketing, click OK, and then click Next.
9. On the Specify device policies page, verify the two available options. Clear the Automatically lock
screen, and require a password check box, select the Encrypt Work Folders check box, and then
click Next.
10. On the Confirm selections page, click Create.

11. On the View Results page, click Close.


12. In Server Manager, verify that MarketingSync is listed in the WORK FOLDERS section and that user
Adam Barr is listed in the USERS section.

Task 2: Bind an SSL certificate for Work Folders


1. On LON-DC1, in Server Manager, click the Tools menu, and then select Internet Information
Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, in the navigation pane, expand LON-DC1
(ADATUM\Administrator).

3. Expand Sites, right-click Default Web Site, and then select Edit Bindings.

4. In Site Bindings, click Add.


5. In Add Site Binding, select https as Type. In the SSL certificate box, select LON-DC1.adatum.com,
click OK, and then click Close.

6. Close Internet Information Services (IIS) Manager.

Task 3: Configure Group Policy to deploy Work Folders


1. On LON-DC1, in Server Manager, click the Tools menu, and then select Group Policy Management.

2. In the Group Policy Management Console, in the navigation pane, expand Forest: Adatum.com,
expand Domains, expand Adatum.com, and then select Marketing.
3. Right-click Marketing, and then select Create a GPO in this domain, and Link it here. In the Name
field, type Deploy Work Folders, and then click OK.

4. Right-click Deploy Work Folders, and then select Edit.

5. In the Group Policy Management Editor, under User Configuration, in the navigation pane, expand
Policies, Administrative Templates, Windows Components, and then click the Work Folders
node.
6. In the details pane, right-click Specify Work Folder settings, and then select Edit.

7. In the Specify Work Folders settings dialog box, select Enabled. In the Work Folders URL field,
type https://lon-dc1.adatum.com, select the Force automatic setup check box, click OK, and then
close the Group Policy Management Editor.
8. On LON-CL1, sign in as adatum\adam with the password Pa$$w0rd.

9. On the taskbar, click the File Explorer icon.


10. In File Explorer, in the navigation pane, click Work Folders. Right-click in the details pane, select
New, select Text Document, and then type On LON-CL1 as the file name.

11. Right-click the On LON-CL1 file, and then select Properties. Click Advanced, and then verify that the
Encrypt contents to secure data check box is selected. Click Cancel, and then click OK.

Task 4: Deploy Work Folders on a device that is not a domain member


1. Switch to LON-CL4, where you are signed in as user Admin.

2. On LON-CL4, on the taskbar, right-click the Start icon, and then click Control Panel.
3. In Control Panel, in the Search Control Panel field, type work, and then click Work Folders.

4. On the Manage Work Folders page, click Set up Work Folders, and then on the Enter your work
email address page, click Enter a Work Folders URL instead.
5. On the Enter a Work Folders URL page, in the Work Folders URL box, type
https://lon-dc1.adatum.com, and then click Next.

6. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password
field, type Pa$$w0rd, and then click OK.

7. On the Introducing Work Folders page, review the local Work Folders location, and then click Next.

8. On the Security policies page, select the I accept these policies on my PC check box, and then
click Set up Work Folders.

9. On the Work Folders has started syncing with this PC page, click Close.

10. On the Work Folders page, verify that the On LON-CL1.txt file displays.

Task 5: Use Work Folders to synchronize files


1. On LON-CL4, in Work Folders, right-click in the details pane, select New, select Text Document, and
type On LON-CL4 as the file name.

2. On LON-CL1, in Work Folders, verify that only the On LON-CL1 file displays.

Note: Work Folders synchronizes every 10 minutes automatically. You also have an option
to trigger synchronization manually.

3. In File Explorer, in the navigation pane, right-click Work Folders, and then click Sync Now. Verify
that both files, On LON-CL1.txt and On LON-CL4.txt, display in the details pane.
4. On the taskbar, right-click the Start button, and then select Control Panel.

5. In Control Panel, in the Search Control Panel field, type network, and then click View network
connections under Network and Sharing Center. Right-click Ethernet, and then select Disable. In
the User Account Control dialog box, type Administrator as User name, Pa$$w0rd as Password,
and then click Yes.
6. On LON-CL1, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.
7. In Notepad, type Modified offline, close Notepad, and then click Save.

8. In Work Folders, right-click in the details pane, select New, select Text Document, and then name
the file Offline LON-CL1.
9. On LON-CL4, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.

10. In Notepad, type Online modification, close Notepad, and then click Save.
11. On LON-CL1, in Network Connections, right-click Ethernet, and then select Enable. In the User
Account Control dialog box, type Administrator as User name, Pa$$w0rd as Password, and then
click Yes.
12. Switch to Work Folders. Verify that four files display in the details pane, including On LON-CL1 and
On LON-CL1-LON-CL1. The file was modified at two locations, so a conflict occurred, and one of the
copies was renamed.

Note: The On LON-CL1-LON-CL1 file will appear after a few seconds, when synchronization occurs.

13. Sign out of LON-CL1.

Results: After completing this exercise, you will have configured and used the Work Folders feature
successfully.
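Tasks 1 and 2 of this exercise (installing the role service, creating the sync share with its device policies, and binding the server certificate for HTTPS) can be scripted on LON-DC1. The script below is an added example and not part of the course; it assumes the lab names (MarketingSync, C:\MarketingSync, ADATUM\Marketing, a certificate for LON-DC1.adatum.com already in the Local Machine personal store), an elevated session on LON-DC1, and the cmdlets of the SyncShare, WebAdministration and PKI modules. The Group Policy steps of Task 3 are not covered here. Beyond what the wizard shows, it verifies the two settings that matter most for data at rest and in transit: that the share really requires encryption on devices, and that the bound certificate validates for SSL server use and is not close to expiry.

```powershell
# Added example (not from the 20697-1B lab): server-side Work Folders setup on LON-DC1.
# Assumes lab names and an elevated session; cmdlets from SyncShare/WebAdministration/PKI.
Install-WindowsFeature -Name FS-SyncShareService | Out-Null

# Same policies the wizard set in Task 1: encryption required, auto-lock not required,
# one folder per user alias under C:\MarketingSync.
New-SyncShare -Name 'MarketingSync' `
              -Path 'C:\MarketingSync' `
              -User 'ADATUM\Marketing' `
              -UserFolderName '%username%' `
              -RequireEncryption $true `
              -RequirePasswordAutoLock $false | Out-Null

# Task 2: bind the existing server certificate to HTTPS on the Default Web Site.
# Work Folders clients only talk HTTPS, so without this binding Task 3 fails.
Import-Module WebAdministration
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like 'CN=LON-DC1.adatum.com*' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate for LON-DC1.adatum.com in Cert:\LocalMachine\My.' }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 | Out-Null
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
}

# Verification: what the wizard's result page shows, plus the checks a defender wants.
$share = Get-SyncShare -Name 'MarketingSync'
$share | Format-List Name, Path, User, UserFolderName, RequireEncryption, RequirePasswordAutoLock
if (-not $share.RequireEncryption) {
    Write-Warning 'MarketingSync does not require encryption of Work Folders on devices.'
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Bound certificate expires on $($cert.NotAfter)."
}
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName 'LON-DC1.adatum.com' -ErrorAction SilentlyContinue)) {
    Write-Warning 'Bound certificate does not validate for SSL server use with that DNS name.'
}
```

The encryption check mirrors what Task 3 step 11 verifies on the client (the Encrypt contents to secure data attribute on files under Work Folders): the server policy is what causes the client to apply it.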

Lab C: Installing and Managing a Printer


Exercise 1: Managing and Using a Printer
Task 1: Add and share a local printer
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. On the taskbar, in the Search the web and Windows field, enter printer, and then click Devices and
Printers.

3. In Devices and Printers, click Add a printer.

4. In the Add a device dialog box, click The printer that I want isn't listed.

5. On the Find a printer by other options page, select the Add a local printer or network printer
with manual settings option, and then click Next.
6. On the Choose a printer port page, verify that Use an existing port is selected, and then click Next.

7. On the Install the printer driver page, in the Manufacturer list, select Microsoft. In the Printers
list, select Microsoft PCL6 Class Driver, and then click Next.

8. On the Type a printer name page, in the Printer name field, type Managers Printer, and then click
Next.

9. On the Printer Sharing page, click Next, and then click Finish.

Task 2: Configure printer security


1. On LON-CL1, in Devices and Printers, right-click Managers Printer, select Printer properties, and
then select the Security tab.

2. In the Managers Printer Properties dialog box, verify that Everyone is selected, and then click
Remove. Click Add, in the Enter the object names to select (examples) box, enter Managers, and
then click OK. In the Permissions for Managers section, verify that Print check box is selected in the
Allow column, and then click OK.

Task 3: Use Print Management to manage a remote printer


1. On LON-CL1, in the Search the web and Windows field, enter administrative, and then click
Administrative Tools.

2. In the Administrative Tools window, double-click Print Management. Close the Administrative Tools
window.

3. In Print Management, in the navigation pane, expand Print Servers, and then verify that LON-CL1 is
the only print server listed. Right-click Print Servers, and then select Add/Remove Servers.

4. In the Add/Remove Servers dialog box, in the Add Servers field, enter LON-DC1, and then click
Add to List. Type LON-CL2 in the Add Servers field, click Add to List, and then click OK. Verify that
the navigation pane lists three print servers.

5. Right-click LON-CL2, and then select Add Printer.

6. On the Printer Installation page, select Add a new printer using an existing port, and then
click Next.

7. On the Printer Driver page, verify that the Install a new driver option is selected, and then
click Next.

8. On the Printer Installation page, in the Manufacturer list, select Microsoft. In the Printers list,
select Microsoft PS Class Driver, and then click Next.

9. On the Printer Name and Sharing Settings page, in the Printer Name box, enter PostScript
Printer, then in the Share Name box, enter PostScript Printer, click Next twice, and then click
Finish.

Task 4: Connect to a remote printer


1. Sign in to LON-CL2 as Adatum\April with the password Pa$$w0rd. April is a member of the IT
group, but she is not a member of the Managers group.

2. On the taskbar, in the Search the web and Windows field, enter printer, and then click Devices and
Printers.
3. In Devices and Printers, verify that you can see PostScript Printer, which you added remotely in the
previous task. Click Add a printer.

4. In the Add a device dialog box, click The printer that I want isn't listed.

5. On the Find a printer by other options page, select Select a shared printer by name, type
\\LON-CL1\Managers Printer in the box, and then click Next.
6. In the Connect to lon-cl1 dialog box, click Cancel. In the box, type \\LON-DC1\Printer1, click Next
twice, and then click Finish.

Note: Because April is not a member of the Managers group, and she does not have
permissions to \\LON-CL1\Managers Printer, you were asked to enter credentials that have the
appropriate permissions.

7. In Devices and Printers, verify that Printer1 on lon-dc1 is added and that it has a green check mark,
which indicates that it is the default printer.

Task 5: Print a document, and manage a print job


1. On LON-CL2, on the taskbar, in the Search the web and Windows field, enter notepad, and then
press Enter.
2. In Notepad, type your name, click the File menu, and then select Print.

3. In the Print dialog box, verify that Printer1 on lon-dc1 is selected, and then click Print.
4. On LON-CL1, in Print Management, in the navigation pane, click Printers With Jobs. In the details
pane, verify that Printer1 is listed and that it has one job in the queue.

5. On LON-CL2, on the notification bar, right-click the printer icon, and then select
Printer1 on lon-dc1.

6. In the Printer1 on lon-dc1 window, verify that you can see a single document called Untitled
Notepad. Right-click Untitled Notepad, review its properties, and then click OK.

7. Right-click Untitled-Notepad, select Cancel, and then click Yes. You now have canceled Adam's
print job.

8. On LON-CL1, in Print Management, verify that there are no longer any printers listed under the
Printers With Jobs node.

Task 6: Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-CL1, 20697-1B-LON-CL2, and 20697-1B-LON-CL4.

Results: After completing this exercise, you will have added a local and remote printer. You also will have
configured printer security, and used the Print Management feature to manage printers.
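Tasks 1, 2 and 5 of this lab have PowerShell equivalents in the PrintManagement module. The script below is an added example and not part of the course; it assumes the lab names (Managers Printer, the Microsoft PCL6 Class Driver, ADATUM\Managers, port LPT1:) and an elevated session on LON-CL1. Printer permissions are stored as an SDDL string, so rather than hand-writing one the script takes the printer's default ACL and replaces every Everyone trustee (SDDL alias WD) with the SID of the Managers group, which turns the default "Everyone: Print" entries into "Managers: Print", exactly the change made in Task 2. It then checks the result before listing and cancelling queued jobs as in Task 5.

```powershell
# Added example (not from the 20697-1B lab): add, share, restrict and manage the
# Managers Printer on LON-CL1. Assumes lab names and an elevated session.
$printer = 'Managers Printer'
$driver  = 'Microsoft PCL6 Class Driver'

# Task 1: the class driver is in-box, so it only has to be added from the driver store.
Add-PrinterDriver -Name $driver
Add-Printer -Name $printer -DriverName $driver -PortName 'LPT1:' -Shared -ShareName $printer

# Task 2: resolve the group SID, then rewrite the printer's SDDL so that every
# ";;;WD)" (Everyone) trustee becomes the Managers group. The rights in each entry
# (e.g. SWRC = Print) stay as they were.
$account     = New-Object System.Security.Principal.NTAccount('ADATUM', 'Managers')
$managersSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
$current     = (Get-Printer -Name $printer -Full).PermissionSDDL
$restricted  = $current -replace ';;;WD\)', ";;;$managersSid)"
Set-Printer -Name $printer -PermissionSDDL $restricted

# Verify: Everyone must be gone and Managers must be present in the stored ACL.
$check = (Get-Printer -Name $printer -Full).PermissionSDDL
if ($check -match ';;;WD\)') { throw 'Everyone still has access to the printer.' }
if ($check -notmatch [regex]::Escape($managersSid)) { throw 'Managers group is missing from the printer ACL.' }
"Printer ACL: $check"

# Task 5: inspect the queue, then cancel the Notepad job the way the GUI step does.
Get-PrintJob -PrinterName $printer |
    Format-Table Id, DocumentName, UserName, JobStatus, PagesPrinted, Size -AutoSize
Get-PrintJob -PrinterName $printer |
    Where-Object { $_.DocumentName -like 'Untitled*' } |
    ForEach-Object {
        Remove-PrintJob -InputObject $_
        "Cancelled job $($_.Id) ($($_.DocumentName)) submitted by $($_.UserName)"
    }
```

Get-Printer without -Full does not return PermissionSDDL, which is why both reads use it. The same replace pattern can be pointed at a different principal, but keep the Administrators and CREATOR OWNER entries intact, since they are what let an operator manage the queue and let users cancel their own jobs.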

Module 7: Managing Apps in Windows 10


Lab A: Installing and Updating Apps from
the Windows Store
Exercise 1: Sideloading an App
Task 1: Enable sideloading
1. Sign in to LON-CL1 as Adatum\Chad with the password Pa$$w0rd.

2. In the notification area, click Notifications, and then click All settings.

3. Click Update & security.

4. On the For developers tab, select Sideload apps.


5. In the Use developer features dialog box, click Yes.

6. Close Settings.

Task 2: Install the required certificate


1. On LON-CL1, click File Explorer on the taskbar.
2. Navigate to \\lon-dc1\apps.

3. Right-click LeXProductsGrid81_1.1.0.2_AnyCPU.cer, and then click Install Certificate.


4. On the Certificate Import Wizard page, click Local Machine, and then click Next.
5. On the User Account Control page, click Yes.

6. On the Certificate Store page, click Place all certificates in the following store, click Browse, click
Trusted Root Certification Authorities, click OK, click Next, and then click Finish.
7. In the Certificate Import Wizard dialog box, confirm that the import was successful, and then
click OK.

8. Sign out of LON-CL1.

Task 3: Install and test an app


1. Sign in to LON-CL1 as Adatum\April with the password Pa$$w0rd.

2. Right-click Start, and then click Command Prompt (Admin).

3. At the User Account Control prompt, in the User name box, type Administrator.
4. In the Password box, type Pa$$w0rd, and then click Yes.

5. At the command prompt, type PowerShell, and then press Enter.

6. To install the package, at the Windows PowerShell command prompt, type
add-appxpackage \\lon-dc1\apps\app1.appx, and then press Enter.

7. Click Start, and then click All apps.

8. Scroll down, and then click TestAppTKL1.


9. Close the app.

Task 4: Remove an app


1. Click Start, click All apps, right-click TestAppTKL1 tile, and then click Uninstall.

2. In the This app and its related info will be uninstalled dialog box, click Uninstall.

3. Close all open windows.

4. Sign out of LON-CL1.

Results: After completing this exercise, you will have successfully sideloaded an app.
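The same sideloading procedure (Tasks 1 to 4) in Windows PowerShell, as an added example that is not part of the course lab. It enables sideloading through the policy value the Settings toggle writes, inspects the developer certificate before placing it in the machine Trusted Root store, checks that app1.appx is really signed by that certificate, and then installs and verifies the package. Paths and names are the lab's; the checks are additions, and the package name match `*TestAppTKL1*` assumes the package name contains the app name shown in All apps.

```powershell
# Added example, not course lab code. Run from an elevated PowerShell on LON-CL1.
$CertPath    = '\\lon-dc1\apps\LeXProductsGrid81_1.1.0.2_AnyCPU.cer'
$PackagePath = '\\lon-dc1\apps\app1.appx'
$AppName     = 'TestAppTKL1'   # assumed to be part of the package name

# Task 1 equivalent: allow trusted (sideloaded) apps. This is the policy value
# the "Sideload apps" option in Settings sets.
$appxPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
New-Item -Path $appxPolicy -Force | Out-Null
Set-ItemProperty -Path $appxPolicy -Name AllowAllTrustedApps -Value 1 -Type DWord

# Task 2, but look before trusting: anything in LocalMachine\Root is trusted for
# every purpose by every user of this computer, so confirm it is the expected
# self-signed developer certificate and note its thumbprint.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
"Subject:    {0}`nIssuer:     {1}`nThumbprint: {2}`nExpires:    {3}" -f
    $cert.Subject, $cert.Issuer, $cert.Thumbprint, $cert.NotAfter

# Tie the package to the certificate: if someone replaced app1.appx on the
# share, the signer thumbprint will not match and we stop here.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($null -eq $sig.SignerCertificate -or $sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "app1.appx is not signed by the certificate in $CertPath"
}

# Now import into the machine Trusted Root store (what the wizard did in Task 2).
Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Task 3: install for the current user and verify the package is registered.
Add-AppxPackage -Path $PackagePath
$pkg = Get-AppxPackage -Name "*$AppName*"
if (-not $pkg) { throw "$AppName was not installed" }
"Installed {0} {1} from {2}" -f $pkg.Name, $pkg.Version, $pkg.InstallLocation

# Task 4 equivalent (uninstall for the current user):
# Get-AppxPackage -Name "*$AppName*" | Remove-AppxPackage
```

The signature check runs before the import on purpose: at that point the chain is still untrusted, so `Get-AuthenticodeSignature` reports the status as not valid, but `SignerCertificate` is already populated and is all the comparison needs.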

Exercise 2: Signing In with a Microsoft Account


Task 1: Associate your Microsoft account with a local account
1. Sign in to LON-CL1 as .\Admin with the password Pa$$w0rd.

2. In the notification area, click Notifications, and then click All settings.
3. In Settings, click Accounts, and then click Sign in with a Microsoft account instead.

4. On the Make it yours page, in the Email or phone box, type your Microsoft account email address,
and then in the Password box, type the associated password.

Note: In Module 3, you created a Microsoft account with the following properties:

o Account name: Your first name plus last initial-20697-1Ba@outlook.com.


o Password: Pa$$w0rd
You may use this or another Microsoft account throughout this procedure.

5. Click Sign in.

6. On the Enter your old password one last time page, in the Old password box, type Pa$$w0rd,
and then click Next.
7. On the Set up a PIN page, click Set a PIN.

8. In the Set up a PIN dialog box, in the New PIN and Confirm PIN boxes, type 1212, and then
click OK.

Results: After completing this exercise, you will have signed in successfully with a Microsoft account.

Exercise 3: Installing and Updating Windows Store Apps


Task 1: Configure app updates
1. Close Settings.

2. Click Start, and then click Store.


3. In the Store app, click the head and shoulders symbol on the menu bar, and then click Settings.

4. In Settings, under App updates, click Update apps automatically to disable the setting.

5. Click Back.

Task 2: Install an app


1. In the Windows Store app, click the Search box, type Excel Mobile, and then press Enter.

2. In the Apps list, click Excel Mobile.


3. Click Free.

Note: If prompted by the Your account is missing some key info dialog box, complete
the information regarding Birthdate and Country/Region and click Next.

Task 3: Update and remove apps


1. In the Store app, click the head and shoulders symbol on the menu bar, and then click Downloads
and updates.

2. Notice that there are several apps waiting to be updated.

3. Click Update all.


4. Click Start, and then click All apps.

5. Right-click News, and then click Uninstall.

6. In the This app and its related info will be uninstalled dialog box, click Uninstall.
7. Sign out of LON-CL1.

Results: After completing this exercise, you will have installed and maintained Windows Store apps
successfully.

Prepare for the next lab


When you have finished the lab, leave the virtual machines running for the subsequent lab.

Lab B: Configuring Windows 10 Web


Browsers
Exercise 1: Configuring and Using Microsoft Edge
Task 1: Open a webpage
1. Switch to LON-CL1.

2. Sign in to LON-CL1 as ADATUM\April with the password Pa$$w0rd.


3. On the taskbar, click Microsoft Edge.

4. In the Where to next box, type http://lon-dc1, and then press Enter.

Task 2: Configure settings


1. In Microsoft Edge, click More actions, and then click Settings.
2. Enable Show the favorites bar.

3. Under Open with, click A specific page or pages, and then in the list that appears, click Custom.
4. In the Enter a web address box, type http://lon-dc1, and then click the + symbol to the right.
5. Click X next to about:Start.

6. Click View advanced settings.


7. Enable Show the home button.
8. In the text box, type http://lon-dc1, and then click Save.

9. In the Cookies list, click Block only third party cookies.


10. Click << Advanced settings.
11. Click outside the SETTINGS pane to close SETTINGS.

12. Close and then reopen Microsoft Edge.


13. Verify that the A Datum Intranet page displays by default.

14. Open a new tab, and then click Home. Verify that the A. Datum Intranet site displays.

Task 3: Download a file


1. In Microsoft Edge, on the A Datum Intranet tab, click Download Current Projects.

2. In the banner, click View downloads.


3. In DOWNLOADS, click projects.csv.

4. The file opens in Microsoft Office Excel.

Note: If prompted by Office, click Next three times, and then click All Done!

5. Close Excel.

6. Switch to Microsoft Edge.

7. Click on the A Datum Intranet Home Page to close DOWNLOADS.



Task 4: Make a web note


1. In the notification area, click Notifications, and then click Tablet mode.

2. In Microsoft Edge, on the A Datum Intranet tab, on the menu bar, click Make a Web Note.

3. On the webpage, draw a shape.

4. Click the Highlighter tool.

5. Highlight two of the hyperlinks on the webpage.

6. Click Add a typed note, and then click the cursor somewhere on the webpage.

7. Type This is my note, and then on the menu, click Save Web Note.

8. Click Favorites, and then click Add.

9. Click Exit.

10. In Microsoft Edge, click Hub, and then click Favorites.

11. Click the Web Notes A Datum Intranet link. Your web note opens.

12. In system tray, click Notifications, and then click Tablet mode.

13. Close Microsoft Edge.

Task 5: Load a webpage that requires an ActiveX control


1. Open Microsoft Edge.

2. In Microsoft Edge, on the A Datum Intranet Home Page, click Current Projects. A new tab opens
with columns displayed for Project and Project Lead. No data displays.

3. Click the More actions button (...).

4. Click Open with Internet Explorer. The same webpage displays, but with the data extracted from
the CSV file and displayed in the appropriate columns.
5. Close Internet Explorer.

Results: After completing this exercise, you will have configured and used Microsoft Edge successfully in
Windows 10.

Exercise 2: Configuring and Using Internet Explorer


Task 1: Configure the Compatibility View feature
1. Click File Manager.
2. Browse to C:\Program Files\Internet Explorer\.

3. Right-click iexplore, and then click Pin to taskbar.

4. Close File Explorer.


5. On the taskbar, click Internet Explorer.

6. In the Address bar, type http://LON-DC1, and then press Enter.


7. Right-click the home symbol, and then click Menu bar.

8. On the menu bar, click Tools, and then click Compatibility View settings.

9. In the Compatibility View Settings dialog box, click Add to add the LON-DC1 website to
Compatibility View, and then click Close.

Task 2: Test privacy settings


1. In Internet Explorer, click the down arrow next to the Address bar to confirm that the address that
you typed is stored.

2. In Internet Explorer, on the Tools menu, click Internet options.


3. Click the General tab. Under Browsing history, click Delete.

4. In the Delete Browsing History dialog box, clear the Preserve Favorites website data check box,
select the Temporary Internet files and website files, Cookies and website data, and History
check boxes, and then click Delete.

5. Click OK to close the Internet Options dialog box.

6. Confirm that there are no addresses stored in the Address bar by clicking the down arrow next to the
Address bar.

Note: You can ignore Bing.com

7. On the Tools menu, click InPrivate Browsing.

8. In the Address bar, type http://LON-DC1, and then press Enter.

9. Confirm that the address you entered is not stored by clicking the down arrow next to the Address
bar.

Note: You can ignore Bing.com

10. Close the InPrivate Browsing window.

Task 3: Disable an add-on


1. On the Tools menu, click Manage add-ons.

2. In the Show list, click All add-ons.


3. In the Name list, right-click Tabular Data Control, and then click Disable.

4. Click Close.

5. Click Current Projects.


6. A new tab opens, but the data does not populate the table.

7. Close Internet Explorer.

Results: After completing this exercise, you will have configured and used Internet Explorer 11
successfully.

Prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-DC1, and MSL-TMG1.



Module 8: Managing Data Security


Lab: Managing Data Security
Exercise 1: Using EFS
Task 1: Create a data folder
1. Sign in to LON-CL1 as Adatum\Don with the password Pa$$w0rd.

2. On the taskbar, click the File Explorer icon, click This PC, and then double-click Local Disk (C:).

3. On the title bar, click the New Folder icon. Name the new folder SecretDon.

Task 2: Encrypt the folder


1. Right-click the SecretDon folder, and then click Properties.
2. Click Advanced.

3. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box.

4. Click OK twice.
5. Verify that the SecretDon folder appears in green.

6. Open the SecretDon folder.

7. In the blank area, right-click and click New, and then click Text Document.
8. Name the new file Secrets, and then double-click the file to open it.

9. Enter the following text:

This is a secret file.

10. Close the file, and then when prompted, click Save.

11. Sign out from LON-CL1.

Task 3: Test access to the folder


1. Sign in to LON-CL1 as ADATUM\Adam with the password Pa$$w0rd.
2. On the taskbar, click the File Explorer icon.

3. Click This PC, and then double-click Local Disk (C:).

4. Open the SecretDon folder.


5. Double-click Secrets.

6. Verify that Access is denied, and then click OK.

7. Sign out from LON-CL1.

Results: After completing this exercise, you will have created a folder that automatically encrypts files
placed inside it to the Don account. You also will have verified this by using the Adam account.
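The EFS exercise (Tasks 1 to 3) scripted with cipher.exe, as an added example that is not part of the course lab. It creates and encrypts the folder, checks that a file created inside inherits the encryption attribute, and lists which certificates can decrypt it. The folder and file names are the lab's; the `Test-EfsEncrypted` function and the recovery-agent check are additions.

```powershell
# Added example, not course lab code. Run as Adatum\Don on LON-CL1.
$Folder = 'C:\SecretDon'
$File   = Join-Path $Folder 'Secrets.txt'

# Task 1 and 2: create the folder and set its encryption attribute. This is the
# same flag as Properties > Advanced > "Encrypt contents to secure data".
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
cipher.exe /e $Folder | Out-Null

# A file created inside the folder inherits the attribute and is encrypted
# with the creating user's EFS certificate (Don's, here).
Set-Content -Path $File -Value 'This is a secret file.'

function Test-EfsEncrypted {
    # Returns $true when the Encrypted file attribute is set on $Path.
    param([string]$Path)
    $attr = (Get-Item -Path $Path -Force).Attributes
    return (($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

if (-not (Test-EfsEncrypted -Path $File)) { throw "$File is not EFS-encrypted" }
"Encrypted: $File"

# cipher /c lists the users whose certificates can decrypt the file and, if
# one is deployed by policy, the Data Recovery Agent (DRA). With no DRA, losing
# Don's key (or rebuilding his profile) means losing the data, so check this
# before relying on EFS for anything that matters.
cipher.exe /c $File

# Task 3 equivalent, run as Adatum\Adam: NTFS permissions allow the read, but
# EFS has no key for Adam, so the call fails with "Access is denied".
#   Get-Content -Path 'C:\SecretDon\Secrets.txt'
```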

Exercise 2: Using BitLocker


Task 1: Configure GPO settings
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. In the search box on the taskbar, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative
Templates, expand Windows Components, and then expand BitLocker Drive Encryption.

4. Click Operating System Drives, and then double-click Require additional authentication at
startup.

5. In the Require additional authentication at startup dialog box, click Enabled, and then click OK.
6. Close the Local Group Policy Editor.

7. Right-click Start, and then click Command Prompt.

8. At the command prompt, type gpupdate /force, and then press Enter.
9. Close all open windows.

10. Restart LON-CL1.

11. After the computer restarts, sign in as Adatum\Administrator with the password Pa$$w0rd.

Task 2: Enable BitLocker


1. On LON-CL1, in the search box on the taskbar, type bitlocker.
2. Click Manage BitLocker.

3. Click Allfiles (E:), and then click Turn on BitLocker.


4. In the BitLocker Drive Encryption (E:) dialog box, click Use a password to unlock the drive.
5. On the Choose how you want to unlock this drive page, in the Enter your password and Reenter
your password boxes, type Pa$$w0rd, and then click Next.

6. On the How do you want to back up your recovery key? page, click Save to a file.
7. In the Save BitLocker recovery key as dialog box, click Local Disk (C:).

8. On the File Explorer toolbar, click New folder, type BitLocker, and then press Enter.

9. In the Save BitLocker recovery key as dialog box, click Open, click Save, click Yes, and then click
Next.

10. On the BitLocker Drive Encryption (E:) page, click Start encrypting, and then click Close.

11. Restart LON-CL1.

Task 3: Verify BitLocker


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. On the taskbar, click File Explorer.

3. In the navigation pane, click This PC.


4. Right-click Local Disk (E:), click Open, verify that the drive is listed as not accessible and that access is
denied, and then click OK.

5. In the search box on the taskbar, type bitlocker.

6. Click Manage BitLocker.



7. Click E: BitLocker on (Locked), and then click Unlock Drive.

8. Enter the password Pa$$w0rd, press Enter to unlock the drive, and then verify access to the drive
contents.
9. Close all open windows.

Results: After completing this exercise, you will have encrypted the hard drive.
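The BitLocker exercise (Tasks 1 to 3) with the BitLocker PowerShell module, as an added example that is not part of the course lab. It writes the policy value behind "Require additional authentication at startup", enables BitLocker on E: with a password protector, adds a recovery password and saves it to C:\BitLocker as the wizard does, and then locks and unlocks the volume instead of restarting. Drive letter, key folder and policy name are the lab's; the `Get-BitLockerSummary` function is an addition.

```powershell
# Added example, not course lab code. Run from an elevated PowerShell on LON-CL1.
$Drive     = 'E:'
$KeyFolder = 'C:\BitLocker'

# Task 1 equivalent: "Require additional authentication at startup" is the
# UseAdvancedStartup value under the FVE policy key (applies to OS drives).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord

# Task 2: password protector. Read-Host -AsSecureString keeps the password out
# of the script and any transcript; type the lab's Pa$$w0rd at the prompt.
$pw = Read-Host -Prompt "Password to unlock $Drive" -AsSecureString
Enable-BitLocker -MountPoint $Drive -PasswordProtector -Password $pw -EncryptionMethod Aes256 | Out-Null

# Recovery password protector, written to a file as in steps 6 to 9. A key file
# on the same computer only helps while C: is still readable; in production,
# escrow it to AD DS (Backup-BitLockerKeyProtector) or a key vault instead.
Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null
New-Item -ItemType Directory -Path $KeyFolder -Force | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $Drive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword'
"Identifier: {0}`r`nRecovery Key: {1}" -f $rp.KeyProtectorId, $rp.RecoveryPassword |
    Set-Content -Path (Join-Path $KeyFolder "BitLocker Recovery Key $($rp.KeyProtectorId.Trim('{}')).txt")

function Get-BitLockerSummary {
    # One-row status for a volume: encryption progress, protection and lock state.
    param([string]$MountPoint)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        Drive      = $v.MountPoint
        Status     = $v.VolumeStatus          # FullyEncrypted or EncryptionInProgress
        Percent    = $v.EncryptionPercentage
        Protection = $v.ProtectionStatus      # On only once encryption has finished
        Lock       = $v.LockStatus
        Protectors = ($v.KeyProtector.KeyProtectorType -join ', ')
    }
}
Get-BitLockerSummary -MountPoint $Drive

# Task 3 equivalent without a restart: lock the volume, confirm it is
# inaccessible, then unlock it with the password.
Lock-BitLocker -MountPoint $Drive -ForceDismount | Out-Null
if ((Get-BitLockerVolume -MountPoint $Drive).LockStatus -ne 'Locked') { throw "$Drive did not lock" }
Unlock-BitLocker -MountPoint $Drive -Password $pw | Out-Null
if (Test-Path -Path "$Drive\") { "Unlocked $Drive; contents are accessible again" }
```

Run the lock and unlock part only after `Get-BitLockerSummary` reports `FullyEncrypted`; the `Protection` column stays `Off` until encryption completes, which is the state in which a "Locked" drive can still be read with the recovery password alone.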

Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.


4. Repeat steps 2 and 3 for 20697-1B-LON-CL1.

Module 9: Managing Device Security


Lab: Managing Device Security
Exercise 1: Creating Security Policies
Task 1: Configure password and account options
1. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

2. On the Tools menu of the Server Manager Console, click Group Policy Management.

3. In the Group Policy Management Console, expand Forest:Adatum.com\Domains\Adatum.com,
and then click the Group Policy Objects node.

4. In the Group Policy Objects in Adatum.com window, right-click the Default Domain Policy policy,
and then click Edit.
5. In the Group Policy Management Editor, expand the Computer Configuration\Policies
\Windows Settings\Security Settings\Account Policies node, and then click Password Policy.

6. In the list of policies, double-click the Minimum password length policy.

7. On the Minimum password length Properties page, set the Password must be at least value to
12 characters, and then click OK.

8. In the console tree, click the Account Lockout Policy node.


9. Double-click the Account lockout duration policy.
10. In the Account Lockout Duration Properties dialog box, click Define This Policy Setting, and then
set the Account Is Locked Out For value to 20 minutes. Click OK.

11. In the Suggested Value Changes dialog box, click OK.


12. Double-click the Account lockout threshold policy.

13. In the Account Lockout Threshold dialog box, set the Account Will Lock Out After settings to 2
invalid logon attempts, and then click OK.
14. Close the Group Policy Management Editor.

15. Close the Group Policy Management Console.

16. On the Tools menu of the Server Manager Console, click Active Directory Users and Computers.

17. Expand the Adatum.com node, and then click the IT OU.

18. Right-click the Don Funk user account, and then click Properties.

19. In the Don Funk Properties dialog box, click the Account tab.

20. In the list of Account Options, deselect the Password never expires option, and then select the
User must change password at next logon option. Click OK.

Task 2: Refresh GPOs


1. On LON-DC1, click the Windows PowerShell icon on the taskbar.

2. In the Administrator: Windows PowerShell window, type the following command, and then press
Enter:

Gpupdate /force

Results: After completing this exercise, you will have configured password policies to require a
12-character password and an account lockout policy that will lock out a user account if a user enters
more than two incorrect passwords in succession.

Exercise 2: Testing Security Policies


Task 1: Change your password
1. Sign in to LON-CL1 as Adatum\Don with the password Pa$$w0rd.
2. When the message displays that indicates that the user's password must be changed before signing
in, click OK.

3. In the New Password box and the Confirm Password box, type Pa$$w0rd12, and then press Enter.
4. When the message displays that indicates that the new password does not meet the length,
complexity, or history requirements of the domain, click OK. Type the old password Pa$$w0rd.

5. In the New Password box and the Confirm Password box, type Pa$$w0rd1234, and then press
Enter.

6. When a message displays that indicates that the password has been changed, click OK.

7. After signing in, right-click Start, and then click Command Prompt.
8. At the command prompt, type the following command, and then press Enter:

Gpupdate /force

9. Click Start, click Don Funk, and then click Sign Out.

Task 2: Attempt repeated sign-ins


1. Attempt to sign in to LON-CL1 as Adatum\Don with the incorrect password, Banana.
2. When a message displays that indicates that the password is incorrect, click OK.

3. Attempt again to sign in to LON-CL1 as Adatum\Don with the incorrect password, Banana.

4. When a message displays that indicates that the password is incorrect, click OK.
5. Attempt again to sign in to LON-CL1 as Adatum\Don with the incorrect password, Banana.

6. When the message displays that indicates that the referenced account is locked, and you may not
sign in, click OK.

Results: After completing this exercise, you will have verified that the policies, with respect to password
length and account lockout, were applied correctly.
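Exercises 1 and 2 together in Windows PowerShell, as an added example that is not part of the course lab. On LON-DC1 it sets the same Default Domain Policy values and the Don Funk account options with the ActiveDirectory module, verifies the effective policy, and then shows how the lockout from Exercise 2 is detected: the domain controller logs Security event ID 4740 ("A user account was locked out") carrying the account and the calling computer. Domain, account and values are the lab's; the `Test-PasswordPolicy` and `Get-RecentLockouts` functions are additions.

```powershell
# Added example, not course lab code. Run from an elevated PowerShell on LON-DC1.
Import-Module ActiveDirectory
$Domain = 'Adatum.com'

# Exercise 1, steps 5 to 13: password length and lockout on the default domain
# policy. The observation window cannot exceed the lockout duration, so it is
# set to the same 20 minutes the "Suggested Value Changes" dialog proposes.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 12 `
    -LockoutThreshold 2 `
    -LockoutDuration (New-TimeSpan -Minutes 20) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 20)

# Steps 18 to 20: Don's password now expires and must be changed at next logon.
Set-ADUser -Identity Don -PasswordNeverExpires $false -ChangePasswordAtLogon $true

function Test-PasswordPolicy {
    # $true only when the effective domain policy matches what the lab expects.
    param([string]$Domain)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    return ($p.MinPasswordLength -ge 12 -and
            $p.LockoutThreshold -gt 0 -and $p.LockoutThreshold -le 2 -and
            $p.LockoutDuration -ge (New-TimeSpan -Minutes 20))
}
if (-not (Test-PasswordPolicy -Domain $Domain)) { throw 'Domain password policy does not match the lab values' }

function Get-RecentLockouts {
    # Security event 4740 is written on the DC that processed the lockout.
    # Properties[0] is TargetUserName; Properties[1] (TargetDomainName) holds the
    # caller computer name, which is what tells you where the bad attempts came from.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $_.Properties[0].Value
                CallerComputer = $_.Properties[1].Value
            }
        }
}

# After the three failed sign-ins from Exercise 2, expect one row for Don
# with CallerComputer LON-CL1.
Get-RecentLockouts -Hours 1 | Format-Table -AutoSize

# Which accounts are locked right now, and how to release Don after the test.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate
# Unlock-ADAccount -Identity Don
```

A lockout threshold of 2 is a lab value; in production it makes accidental self-lockouts and deliberate denial-of-service lockouts easy, which is why the 4740 source computer is worth monitoring rather than only the count.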

Exercise 3: Configuring UAC Prompts


Task 1: Modify UAC prompts
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. In the Search the web and Windows box on the taskbar, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Local Policies, and then click Security Options.

4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for
standard users.

5. In the User Account Control: Behavior of the elevation prompt for standard users dialog box,
click Prompt for credentials on the secure desktop, and then click OK.
6. In the results pane, double-click User Account Control: Only elevate executables that are signed
and validated.

7. In the User Account Control: Only elevate executables that are signed and validated dialog box,
click Enabled, and then click OK.

8. In the results pane, double-click User Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode.
9. In the User Account Control: Behavior of the elevation prompt for administrators in Admin
Approval Mode dialog box, click Prompt for consent on the secure desktop, and then click OK.

10. Close the Local Group Policy Editor, and then sign out.

Task 2: Test the UAC prompts as a standard user


1. Sign in to LON-CL1 as Adatum\Dan with the password Pa$$w0rd.

2. Open the Administrative menu by pressing the Windows logo key+X, and then click Command
Prompt (Admin). The Windows operating system displays the User Account Control prompt.

3. In the User name box, type Administrator, and in the Password box, type Pa$$w0rd, and then
click Yes.

4. Close the command prompt.

5. Sign out.

Task 3: Test the UAC prompts as an administrator


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Open the Administrative menu by pressing the Windows logo key+X, and then click Control Panel.
3. In Control Panel, click System and Security.

4. In System and Security, click Change User Account Control settings.

5. Verify that the slider is configured for Always notify.

Results: After completing this exercise, you will have reconfigured UAC notification behavior and
prompts.
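The three UAC policies set in Task 1, read back from the registry values they control, as an added example that is not part of the course lab. Local Security Policy writes these under the Policies\System key; the mapping of numeric values to the policy choices (2 = "Prompt for consent on the secure desktop", 1 = "Prompt for credentials on the secure desktop", ValidateAdminCodeSignatures 1 = enabled) is Microsoft's documented one. The `Get-UacAudit` function and the expected-value table are additions; it is the check you would run across a fleet to find clients whose UAC configuration has drifted.

```powershell
# Added example, not course lab code. Run on LON-CL1 after Task 1 and gpupdate.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value, lab target, and the policy name as shown in Security Options.
$Expected = @(
    @{ Name = 'EnableLUA';                   Expect = 1; Policy = 'Run all administrators in Admin Approval Mode' }
    @{ Name = 'PromptOnSecureDesktop';       Expect = 1; Policy = 'Switch to the secure desktop when prompting for elevation' }
    @{ Name = 'ConsentPromptBehaviorAdmin';  Expect = 2; Policy = 'Behavior of the elevation prompt for administrators' }
    @{ Name = 'ConsentPromptBehaviorUser';   Expect = 1; Policy = 'Behavior of the elevation prompt for standard users' }
    @{ Name = 'ValidateAdminCodeSignatures'; Expect = 1; Policy = 'Only elevate executables that are signed and validated' }
)

function Get-UacAudit {
    # One row per setting with the actual value and whether it matches the target.
    $props = Get-ItemProperty -Path $UacKey
    foreach ($e in $Expected) {
        $actual = $props.($e.Name)
        [pscustomobject]@{
            Setting  = $e.Name
            Policy   = $e.Policy
            Actual   = $actual
            Expected = $e.Expect
            Ok       = ($actual -eq $e.Expect)
        }
    }
}

$audit = Get-UacAudit
$audit | Format-Table Setting, Actual, Expected, Ok, Policy -AutoSize

if ($audit.Ok -contains $false) {
    Write-Warning 'UAC is configured more loosely than the lab target; review the rows with Ok = False.'
}
# EnableLUA = 0 switches UAC off entirely (after a restart). A change to 0 on a
# managed client is worth an alert on its own, since silencing prompts is a
# common step for software that wants to elevate without the user noticing.
```

The slider the lab checks in Task 3 ("Always notify") is the UI rendering of `ConsentPromptBehaviorAdmin = 2` together with `PromptOnSecureDesktop = 1`, so this audit reports the same state the Control Panel shows.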

Exercise 4: Configuring and Testing AppLocker


Task 1: Create a new executable rule
1. Switch to LON-CL1.

2. Right-click the Start tip, and then click Run.


3. In the Run dialog box, type gpedit.msc, and then press Enter.

4. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Application Control Policies, and then double-click AppLocker.

5. Right-click Executable Rules, and then click Create New Rule.

6. In the Create Executable Rules Wizard, click Next.

7. On the Permissions page, click Deny, and then click Select.


8. In the Select User or Group dialog box, in the Enter the object name to select (examples) box,
type IT, click Check Names, click OK, and then click Next.
9. On the Conditions page, click Path, and then click Next.

10. Click Browse Files, in the File name box, type C:\Program Files\Windows Media Player
\wmplayer.exe, and then click Open.
11. Click Next twice, and then click Create.
12. Click Yes when prompted to create default rules.

Task 2: Enforce AppLocker rules


1. In the Local Group Policy Editor, right-click AppLocker, and then click Properties.
2. On the Enforcement tab, under Executable rules, select the Configured check box, click Enforce
rules, and then click OK.

3. Close the Local Group Policy Editor.


4. Select Run from the Administrative menu by pressing the Windows logo key+X.
5. Type PowerShell in the Run dialog box and press Enter.

6. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter. Wait for
the policy to update.

7. Sign out of LON-CL1.

Task 3: Confirm executable rule enforcement


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

2. Select Computer Management from the Administrative menu by pressing the Windows logo
key+X. Expand Event Viewer, expand Windows Logs, and then click System.

3. In the results pane, locate and click the latest event with Event ID 1502.

4. Review event-message details under the General tab.


5. Expand Services and Applications, and then click Services.

6. Right-click the Application Identity service, and then click Start.


7. Sign out of LON-CL1.

Task 4: Test rule enforcement


1. Sign in to LON-CL1 as Adatum\Holly with the password Pa$$w0rd.

2. Type Media Player in the Search the web and Windows box, and then click Windows Media Player.

3. Review the error message and then click OK.

4. Sign out, and then sign in as Adatum\Administrator with the password Pa$$w0rd.

5. Select Event Viewer from the Administrative menu by pressing the Windows logo key+X.

6. In Event Viewer, expand Application and Services Logs, expand Microsoft, expand Windows,
expand AppLocker, and then click EXE and DLL.

7. Review the entries in the results pane. Locate Event ID 8004. This shows that Holly attempted to run
a prohibited application.

8. Close Event Viewer.


9. Sign out.

Results: After completing this exercise, you will have created and tested executable and default
AppLocker rules.

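Exercise 4 (Tasks 1 to 4) with the AppLocker PowerShell module, as an added example that is not part of the course lab. The policy is written as AppLocker XML: the lab's deny path rule for the IT group on wmplayer.exe plus the three default allow rules the wizard offers to create, because an enforced collection with no allow rule blocks every executable. The policy is then tested offline for Holly before it is applied, the Application Identity service is started, and the 8004 block events are read. Paths, group and user names are the lab's; the rule names, the output path and the assumption that Holly is a member of IT are additions.

```powershell
# Added example, not course lab code. Run from an elevated PowerShell on LON-CL1.
Import-Module AppLocker

function Get-AccountSid {
    param([string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}
$ItSid  = Get-AccountSid -Account 'ADATUM\IT'
$Wmp    = 'C:\Program Files\Windows Media Player\wmplayer.exe'
$Policy = 'C:\Labfiles\AppLocker-Exe.xml'   # assumed output path

# Deny rules take precedence over allow rules, so the default allows below do
# not undo the deny for IT. S-1-1-0 is Everyone, S-1-5-32-544 is Administrators.
@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny IT: Windows Media Player" Description="Lab 9, Exercise 4"
                  UserOrGroupSid="$ItSid" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Windows Media Player\wmplayer.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Program Files folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files located in the Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="(Default Rule) All files" Description=""
                  UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@ | Set-Content -Path $Policy -Encoding UTF8

# Dry run before enforcing: what would the policy decide for Holly (IT member)
# and for the built-in Administrator? Expect Denied and Allowed respectively.
foreach ($user in 'ADATUM\Holly', 'ADATUM\Administrator') {
    Test-AppLockerPolicy -XmlPolicy $Policy -Path $Wmp -User $user |
        Select-Object @{n='User';e={$user}}, FilePath, PolicyDecision, MatchingRule
}

# Task 2 and 3: apply to the local GPO and start the Application Identity
# service. AppLocker rules are not evaluated at all while AppIDSvc is stopped.
Set-AppLockerPolicy -XmlPolicy $Policy
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc
gpupdate.exe /force | Out-Null

# Task 4: event 8004 = execution blocked by an enforced rule (8003 is the
# audit-only "would have been blocked" event). UserId is the SID of the user
# who tried to run the file.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object Id -eq 8004 |
    Select-Object TimeCreated, Id, UserId, Message |
    Format-List
```

`Test-AppLockerPolicy` is the step the GUI wizard has no equivalent for: it evaluates the XML against a path and an account without touching the running policy, so a rule that would accidentally block `explorer.exe` or `gpupdate.exe` is caught before enforcement locks you out.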

Prepare for the next module


When you have finished the lab, revert all virtual machines back to their initial state:

1. On the host computer, start Hyper-V Manager.


2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-DC1.



Module 10: Managing Network Security


Lab: Managing Network Security
Exercise 1: Creating and Testing Inbound Rules
Task 1: Test existing functionality
1. Sign in to LON-CL2 as Adatum\Administrator with the password Pa$$w0rd.

2. Right-click Start, click Run, type mstsc.exe, and then press Enter.

3. In the Computer box, type LON-CL1, and then press Enter.

4. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

5. Open the Start menu on LON-CL1, click Administrator, and then click Sign out.

Task 2: Create an inbound rule


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Right-click Start, and then click Control Panel.

3. Click System and Security, and then click Windows Firewall.

4. In the left pane, click Advanced settings, right-click Inbound Rules, and then click New Rule.
5. In the New Inbound Rule Wizard window, select Predefined, click the drop-down list, click Remote
Desktop, and then click Next.

6. On the Predefined Rules page, select all available rules, and then click Next.

7. On the Action page, select Block the connection, and then click Finish.
8. Minimize the Windows Firewall with Advanced Security window.

Task 3: Test the rule


1. Switch to LON-CL2.
2. Right-click Start, click Run, type mstsc.exe, and then press Enter.

3. In the Computer box, type LON-CL1, and then press Enter.

4. In the Remote Desktop Connection window, click OK.

5. Verify that the connection attempt fails.

Results: After completing this exercise, you will have created and verified inbound firewall rules.

Exercise 2: Creating and Testing Outbound Rules


Task 1: Test existing functionality
1. Switch to LON-CL1.

2. Right-click Start, click Run, type mstsc.exe, and then press Enter.
3. In the Computer box, type LON-DC1, and then press Enter.

4. Sign in to LON-DC1 as Adatum\Administrator with the password Pa$$w0rd.

5. Open the Start screen on LON-DC1, click Administrator, and then click Sign out.

Task 2: Create an outbound rule


1. On LON-CL1, on the taskbar, click the Windows Firewall with Advanced Security window, and then
click Outbound Rules.

2. In the Actions pane, click New Rule.


3. On the Rule Type page, verify that you are creating a Program rule, and then click Next.

4. On the Program page, browse and select C:\Windows\System32\mstsc.exe, click Open, and then
click Next.
5. On the Action page, verify that the action is Block the Connection, and then click Next.

6. On the Profile page, verify that all profiles are selected, and then click Next.

7. On the Name page, type Block Outbound RDP to LON-DC1 in the Name box, and then click
Finish.

8. In the Windows Firewall with Advanced Security window, click the Block Outbound RDP to LON-
DC1 rule, and then in the Actions pane, click Properties.
9. Click the Scope tab, and then under the Remote IP address heading, select the These IP addresses
option.

10. Under the Remote IP address heading, click Add, in the This IP address or subnet box, type
172.16.0.10, and then click OK.

11. In the Block Outbound RDP to LON-DC1 Properties dialog box, click OK.

Task 3: Test the rule


1. Right-click Start, click Run, type mstsc.exe, and then press Enter.
2. In the Computer box, type LON-DC1, and then press Enter.

3. In the Remote Desktop Connection dialog box, click OK.

4. Close all open windows.

Results: After completing this exercise, you will have created and tested outbound firewall rules.
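Exercises 1 and 2 with the NetSecurity module, as an added example that is not part of the course lab. It blocks the predefined Remote Desktop inbound rules on LON-CL1, creates the outbound program rule for mstsc.exe scoped to 172.16.0.10, and adds two checks the GUI steps do not give you: a port probe to run from LON-CL2 and a summary of every RDP-related rule with its effective program and address scope. The rule name and IP address are the lab's; the `Test-RdpReachable` and `Get-RdpRuleSummary` functions are additions.

```powershell
# Added example, not course lab code. Run from an elevated PowerShell on LON-CL1.

# Exercise 1, Task 2: the predefined Remote Desktop rules, switched to Block.
# This is what choosing Predefined > Remote Desktop > Block the connection does.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -Enabled True -Action Block

# Exercise 2, Task 2: program rule that blocks mstsc.exe only towards LON-DC1.
New-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1' `
    -Direction Outbound -Action Block -Profile Any `
    -Program 'C:\Windows\System32\mstsc.exe' `
    -RemoteAddress 172.16.0.10 | Out-Null

function Test-RdpReachable {
    # $true when TCP/3389 on $Target completes a handshake. Run it from LON-CL2
    # for Exercise 1, Task 3: it returns $false once the inbound block applies.
    param([string]$Target)
    (Test-NetConnection -ComputerName $Target -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded
}

function Get-RdpRuleSummary {
    # Every rule touching RDP, joined with its program and address filters, so
    # you can confirm a Block rule is enabled and scoped the way you intended.
    Get-NetFirewallRule |
        Where-Object { $_.DisplayGroup -eq 'Remote Desktop' -or $_.DisplayName -like '*RDP*' } |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Direction = $_.Direction
                Action    = $_.Action
                Enabled   = $_.Enabled
                Profile   = $_.Profile
                Program   = $app.Program
                RemoteIP  = ($addr.RemoteAddress -join ', ')
            }
        }
}
Get-RdpRuleSummary | Format-Table -AutoSize

# From LON-CL2, after the inbound rules are blocked:
#   Test-RdpReachable -Target LON-CL1
```

The outbound rule is a program rule, so it does not affect `Test-NetConnection` or any other client; only mstsc.exe is blocked, and only to 172.16.0.10. That is why the lab tests Exercise 2 with mstsc.exe itself, and why the summary shows the `Program` column next to the address scope.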

Exercise 3: Creating and Testing Connection Security Rules


Task 1: Verify that communications are not secure
1. Sign in to LON-CL2 as Adatum\Administrator.

2. In the search box on the taskbar, type PowerShell, and then click PowerShell.
3. In the Administrator: Windows PowerShell window, type ping LON-CL1, and then press Enter.

4. Verify that the ping generated four Reply from 172.16.0.40: bytes=32 time=xms TTL=128 messages.
Note that the times the message lists may vary from the example.

5. Right-click Start, click Control Panel, click System and Security, and then click Windows Firewall.

6. In the left pane, click Advanced settings.

7. In the left pane, expand Monitoring, and then expand Security Associations.
8. Click Main Mode, and then examine the information in the center pane. No information should be
present.
9. Click Quick Mode, and then examine the information in the center pane. No information should be
present.

10. Switch to LON-CL1.


11. In the search box on the taskbar, type PowerShell, and then click PowerShell.
12. To examine the Main Mode Security Associations (SAs), at the Windows PowerShell prompt, type the
following cmdlet, and then press Enter:

Get-NetIPsecMainModeSA

13. To examine the Quick Mode SAs, at the Windows PowerShell prompt, type the following cmdlet, and
then press Enter:

Get-NetIPsecQuickModeSA

14. Running each command should produce no result.

Task 2: Create the Connection Security Rule


1. On LON-CL1, right-click Start, and then click Control Panel.
2. Click System and Security, and then click Windows Firewall.

3. In the left pane, click Advanced settings, and then click Connection Security Rules.

4. In the Actions pane, click New Rule.


5. On the Rule Type page, verify that Isolation is selected, and then click Next.

6. On the Requirements page, select Require authentication for inbound connections and request
authentication for outbound connections, and then click Next.
7. On the Authentication Method page, select Computer and user (Kerberos V5), and then click
Next.

8. On the Profile page, click Next.

9. On the Name page, in the Name text box, type Authenticate all inbound connections, and then
click Finish.

10. Close the Windows Firewall with Advanced Security window.



11. Switch to LON-CL2.

12. On LON-CL2, right-click Start, and then click Control Panel.

13. Click System and Security, and then click Windows Firewall.

14. In the left pane, click Advanced settings, and then click Connection Security Rules.

15. In the Actions pane, click New Rule.

16. On the Rule Type page, verify that Isolation is selected, and then click Next.

17. On the Requirements page, select Require authentication for inbound connections and request
authentication for outbound connections, and then click Next.

18. On the Authentication Method page, select Computer and user (Kerberos V5), and then click
Next.

19. On the Profile page, click Next.

20. On the Name page, in the Name text box, type Authenticate all inbound connections, and then
click Finish.

21. Close the Windows Firewall with Advanced Security window.

Task 3: Verify the rule, and monitor the connection


1. On LON-CL2, in the Administrator: Windows PowerShell window, type ping LON-CL1, and then press
Enter.
2. Verify that the ping generated four Reply from 172.16.0.40: bytes=32 time=xms TTL=128 messages.
Note that the times the message lists may vary from the example.

3. Right-click Start, click Control Panel, click System and Security, and then click Windows Firewall.
4. In the left pane, click Advanced settings.

5. In the left pane, expand Monitoring, and then expand Security Associations.
6. Click Main Mode, and then examine the information in the center pane.

7. Click Quick Mode, and then examine the information in the center pane.

8. Close all open windows.


9. Switch to LON-CL1.

10. To examine the Main Mode Security Associations (SAs), at the Windows PowerShell command
prompt, type the following cmdlet, and then press Enter:

Get-NetIPsecMainModeSA

11. Review the results.


12. To examine the Quick Mode SAs, at the command prompt, type the following cmdlet, and then press
Enter:

Get-NetIPsecQuickModeSA

13. Review the results.
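The same isolation rule and the checks from Task 3, scripted with the NetSecurity module. This is an added example, not part of the course lab; it assumes the lab hosts LON-CL1 (172.16.0.40) and LON-CL2 are domain-joined, that it runs as Administrator on each client, and the function name Test-LabIPsecPeer is my own.

```powershell
# Added example (not from the course lab): the isolation rule the lab builds in
# the Windows Firewall with Advanced Security console, created with the
# NetSecurity cmdlets, followed by the main mode / quick mode SA checks.
# Assumes the lab's domain-joined hosts LON-CL1 and LON-CL2; run as Administrator
# on both clients, then call Test-LabIPsecPeer from either side.

$ruleName = 'Authenticate all inbound connections'

# Phase 1 (main mode) authenticates the computer account with Kerberos V5 and
# phase 2 (extended mode) authenticates the user account, which is what the
# GUI choice "Computer and user (Kerberos V5)" configures.
$machineAuth = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Lab computer Kerberos V5' -Proposal $machineAuth
$userAuth = New-NetIPsecAuthProposal -User -Kerberos
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'Lab user Kerberos V5' -Proposal $userAuth

# Isolation rule: require authentication inbound, request it outbound, all profiles.
# Idempotent so the script can be re-run on a host that already has the rule.
if (-not (Get-NetIPsecRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetIPsecRule -DisplayName $ruleName `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
        -Profile Any | Out-Null
}

function Test-LabIPsecPeer {
    param([Parameter(Mandatory)][string]$PeerName)

    # Resolve the peer so SAs can be matched on the remote endpoint address.
    $resolved = [System.Net.Dns]::GetHostAddresses($PeerName) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
    $peerIp = $resolved.IPAddressToString

    # Generate traffic so IKE negotiation takes place (the lab uses ping).
    $null = Test-Connection -ComputerName $PeerName -Count 4 -ErrorAction SilentlyContinue

    # A main mode SA means IKE completed and the computer was authenticated;
    # a quick mode SA means traffic to that peer is actually IPsec-protected.
    $mm = @(Get-NetIPsecMainModeSA  | Where-Object { $_.RemoteEndpoint -eq $peerIp })
    $qm = @(Get-NetIPsecQuickModeSA | Where-Object { $_.RemoteEndpoint -eq $peerIp })

    [pscustomobject]@{
        Peer         = $PeerName
        PeerAddress  = $peerIp
        MainModeSAs  = $mm.Count
        QuickModeSAs = $qm.Count
        Protected    = ($mm.Count -gt 0 -and $qm.Count -gt 0)
    }
}

Test-LabIPsecPeer -PeerName 'LON-CL1' | Format-List
```

If Protected is false although the ping succeeded, the rule on one side is still set to request rather than require, so unauthenticated traffic is being allowed.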

Results: After completing this exercise, you will have created and tested connection security rules.

Exercise 4: Configuring Windows Defender


Task 1: Perform a quick scan
1. On LON-CL1, right-click Start, and then click Control Panel.

2. Click View by, select Large Icons, and then click Windows Defender.
3. On the Windows Defender Home tab, ensure that the Quick scan option is selected.

4. Click Scan now, and then review the results.

5. Close Windows Defender.

Task 2: Introduce suspicious software


1. Open File Explorer, and then browse to E:\Labfiles\Mod10.

2. In the Mod10 folder, open sample.txt in Notepad. The sample.txt file contains a text string to test
malware detection.
3. In the sample.txt file, delete both instances of <remove>, including the brackets and any extra lines
or blank spaces.

4. Save and close the file. Immediately, Windows Defender detects a potential threat.
5. Windows Defender then removes sample.txt from the Malware folder.

Task 3: View the quarantined file


1. Right-click Start, and then click Control Panel.
2. Click Windows Defender.

3. In Windows Defender, click the History tab.

4. Click View details, and then review the results.


5. Select the check box for Virus:DOS/EICAR_Test_File, and then click Remove.

6. Close all open windows.
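The Defender module equivalent of this exercise: run a quick scan, list any detection of the EICAR test file and remove the quarantined item. This is an added example, not course code; it assumes Windows Defender is the active engine, that sample.txt from Task 2 has already been written, and the function name Get-LabTestDetections is my own.

```powershell
# Added example (not from the course lab): scripted version of Exercise 4 using
# the Defender PowerShell module. Assumes Windows Defender is active on LON-CL1
# and that the EICAR test string has already been written to
# E:\Labfiles\Mod10\sample.txt as described in Task 2. Run as Administrator.

Import-Module Defender

# Real-time protection is what catches the file "immediately" in Task 2; if it
# is off, the file is only found by an on-demand scan.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is disabled; detection will only happen during a scan.'
}

# Task 1: quick scan (blocks until the scan completes).
Start-MpScan -ScanType QuickScan

function Get-LabTestDetections {
    # ThreatName matches the entry shown on the History tab in Task 3
    # (Virus:DOS/EICAR_Test_File).
    $testThreats = Get-MpThreat | Where-Object { $_.ThreatName -like 'Virus:DOS/EICAR*' }

    foreach ($threat in $testThreats) {
        # Get-MpThreatDetection holds the affected paths (Resources) and the
        # action Defender took; ThreatID joins it to the Get-MpThreat record.
        $detections = Get-MpThreatDetection | Where-Object { $_.ThreatID -eq $threat.ThreatID }
        foreach ($d in $detections) {
            [pscustomobject]@{
                ThreatName    = $threat.ThreatName
                ThreatID      = $threat.ThreatID
                Resources     = ($d.Resources -join '; ')
                DetectedAt    = $d.InitialDetectionTime
                ActionSuccess = $d.ActionSuccess
            }
        }
    }
}

$found = @(Get-LabTestDetections)
$found | Format-Table -AutoSize

if ($found.Count -eq 0) {
    Write-Warning 'No EICAR detection recorded; check that sample.txt was edited and saved.'
}

# Task 3, step 5: remove the quarantined test items by ThreatID.
$found | Select-Object -ExpandProperty ThreatID -Unique | ForEach-Object {
    Remove-MpThreat -ThreatID $_
}
```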

Results: After completing this exercise, you will have configured and tested Windows Defender.

Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machines dialog box, click Revert.


4. Repeat steps 2 and 3 for 20697-1B-LON-CL1 and 20697-1B-LON-CL2.

Module 11: Troubleshooting and Recovery


Lab: Troubleshooting and Recovery
Exercise 1: Managing Device Drivers
Task 1: Install a driver package into the driver store
1. In LON-CL1, on the taskbar, click File Explorer.

2. In File Explorer, in the navigation pane, expand This PC, expand Local Disk (C:), expand Windows,
expand System32, expand DriverStore, and then click FileRepository.
3. In the details pane, click the Date modified column, and then verify that the highest folder was
created most recently.

4. Right-click the Start icon, and then click Command Prompt (Admin).
5. At the command prompt, type the following commands, and press Enter after each command:

cd e:\Labfiles\mod11\dc3dh
e:
dir

Review the list of files that the driver package includes.


6. Add a device package to the driver store by typing the following command, and then pressing Enter:

pnputil a dc3dh.inf

7. In File Explorer, in the Address bar, click FileRepository to refresh the view. In the details pane,
confirm that the top folder was created when you installed the driver package and that its name
starts with dc3dh, the name of the .inf file.

8. In the details pane, double-click the top folder and confirm that it contains the same driver package
files that you listed in step 5.

9. Close File Explorer and the command prompt.

Task 2: Configure a picture password as a sign-in option


1. In LON-CL1, click the Start icon, and then click Settings.

2. In the Settings dialog box, click Accounts, click Sign-in options, and then in the Picture password
section, click Add. In the Windows Security dialog box, enter Pa$$w0rd as the password, and then
click OK.

3. In the Welcome to picture password window, click Choose picture, select Tiger.jpg, click Open, and
then click Use this picture.

4. Follow the on-screen instructions, and then draw three gestures on the picture. Remember which
gestures you are using, as you will repeat them later to sign in!
5. Repeat the pattern to confirm, click Finish, and then close the Settings window.

Task 3: Update a driver in Device Manager


1. In LON-CL1, on the taskbar, right-click the Start icon, and then select Device Manager.

2. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click
Properties.
3. In the Standard PS/2 Keyboard Properties dialog box, select the Driver tab, and then confirm that
the Roll Back Driver button is not available. Click Update Driver.

4. In the Update Driver Software - Standard PS/2 Keyboard dialog box, click Browse my computer
for driver software.

5. On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.
6. On the Select the device driver you want to install for this hardware page, clear the Show
compatible hardware check box. In the Manufacturer section, select Microsoft, in the Model
section, select Microsoft USB Internet Keyboard, click Next, in the Update Driver Warning box,
click Yes, and then click Close twice.

7. In the System Settings Change dialog box, click Yes, and then wait until the computer restarts.

Task 4: Roll back a driver


1. Sign in to LON-CL1 as Adatum\Administrator by repeating the three gestures that you defined for
the picture password in Task 2.
2. On the taskbar, in the Search the web and Windows box, type notepad, and then press Enter.

Note: If the keyboard is not working, you should skip steps 2, 3 and 7.

3. In Notepad, type your name to confirm that the keyboard is still working.
4. Right-click the Start icon, and then click Device Manager.

5. In Device Manager, right-click Microsoft Hyper-V Virtual Keyboard, click Disable, and then
click Yes.

6. Right-click Microsoft USB Internet Keyboard, click Properties, and then read the device status.
7. In Notepad, try to type your name again. As neither keyboard is operational, you cannot use a
keyboard in LON-CL1.

8. In the Microsoft USB Internet Keyboard Properties dialog box, select the Driver tab. Confirm that
Roll Back Driver is available, click Roll Back Driver, and then click Yes.

9. Confirm that the Roll Back Driver option is no longer available, as driver rollback can go back by
only one version, and then click Close.

10. In Notepad, type your name to confirm that the keyboard is working again, and then close Notepad
without saving changes.

11. In Device Manager, right-click Microsoft Hyper-V Virtual Keyboard, click Enable, and then close
Device Manager.

Results: After completing this exercise, you will have added a driver package to the driver store, and used
Device Manager to update and roll back the driver.

Exercise 2: Using File History to Recover Files


Task 1: Create a shared folder for File History
1. On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Local Disk (C:).

2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder.
Type FileHistory as the folder name, and then press Enter.

3. Right-click the FileHistory folder, and then click Properties.

4. In the FileHistory Properties dialog box, on the Security tab, click Edit. Click Add, in the Enter the
object names to select box, type Domain, and then click OK.

5. Click Domain Users, and then click OK.


6. In the Permissions for Domain Users section, in the Allow column, select the Full control check
box, and then click OK.

7. On the Sharing tab, click Advanced Sharing.

8. Select the Share this folder check box, and then click Permissions. In the Permissions for Everyone
section, in the Allow column, click Full Control, and then click OK twice.

9. In the FileHistory Properties dialog box, click Close.

Task 2: Configure and use File History


1. In LON-CL1, on the taskbar, click File Explorer.
2. In File Explorer, in the navigation pane, expand This PC, and then click Documents. In the details
pane, right-click an empty space, point to New, click Text Document, and then enter Report as the
name of the file.

3. Double-click Report.txt, and in Notepad, type This is a report. Close the Notepad file, and then click
Save to save the changes.
4. On the taskbar, in the Search the web and Windows box, type file, and then click File History.
5. In the File History dialog box, in the navigation pane, click Select drive.

6. In the Select Drive dialog box, click Add network location.

7. In the Folder box, type \\LON-DC1\FileHistory, click Select Folder, and then click OK.
8. In the File History dialog box, in the details pane, click Turn on.

9. In the navigation pane, click Advanced settings, review the default values for how often to save
copies of files and how long to keep them, and then click Cancel.
10. In File Explorer, in the navigation pane, click Documents, right-click Report.txt, and then click
Delete.

11. In File Explorer, click the Home tab, and then click History.

12. In the Documents File History window, right-click Report.txt, and click Preview. Confirm that you
can see the text This is a report, and then click the green round button with the arrow to restore the
file to the original location.

13. File Explorer opens. In the navigation pane, click Documents and verify that Report.txt has been
recovered to the original location. Double-click Report.txt, confirm that it contains the text that you
typed, close Notepad, and then close File Explorer.

14. In the Report.txt File History window, on the left of the address box, click the upward-pointing
arrow twice.

15. Review the folders and libraries that File History is protecting, and confirm that the Data folder and
Reports folder are not among them. Close the Home File History window.

Task 3: Protect additional folders with File History


1. In LON-CL1, in File Explorer, in the navigation pane, expand Allfiles (E:), expand Labfiles, click
Mod11, and then in the details pane, double-click Mod11.bat.

2. In File Explorer, in the navigation pane, expand Local Disk (C:), and then click Data. In the details
pane, right-click Sales.txt, click Properties, click the Previous Versions tab, confirm that there are
no previous versions available, and then click OK.
3. In the navigation pane, right-click Data, select Include in library, and then select Documents. As File
History protects the Documents library, where you added the folder, File History is now also
protecting the Data folder.

4. In File Explorer, in the navigation pane, click Reports. In the details pane, right-click Report.txt, click
Properties, click the Previous Versions tab, confirm that there are no previous versions available,
and then click OK.

5. On the taskbar, in the Search the web and Windows box, enter file, and then click File History
settings.

6. In the Settings dialog box, in the Back up using File History section, click More options.
7. In the BACKUP OPTIONS window, in the Back up these folders section, click Add a folder, in the
Folder box, type C:\Reports, click Choose this folder, and then close the BACKUP OPTIONS
window.

8. In the File History dialog box, in the File History is on section, click Run now.
9. In File Explorer, in the details pane, right-click Report.txt, click Properties, click the Previous
Versions tab, verify that there is now one previous version, and then click OK.
10. In the navigation pane, right-click Data, click Properties, click the Previous Versions tab, and then
select Data in the Folder versions section.

11. Click the arrow near the Restore button, and then verify that you can restore the previous version
either to the original location or to a custom location.

12. In the Data Properties dialog box, click the arrow near the Open button, and then select Open in
File History.

13. In the Data File History window, on the left of the address box, click the upward-pointing arrow
once. Notice that File History is protecting the Data and Reports folders, in addition to the Users
folder, which is protected by default.

14. In the C:\ - File History window, click the upward-pointing arrow again to view all folders and libraries
that File History is protecting.

15. Close the Home File History window, in the Data Properties dialog box, click OK, and then close
the File History window.

Results: After completing this exercise, you will have configured and used File History. You should have
also added additional folders for File History to protect.

Exercise 3: Using Previous Versions to Recover Files


Task 1: Configure and run Backup and Restore (Windows 7)
1. In LON-CL1, in File Explorer, in the navigation pane, select the Data folder. In the details pane, right-
click Sales.txt, click Properties, click the Previous Versions tab, confirm that there is one previous
version, and then click OK.

2. Double-click Sales.txt, in Notepad, type Before restore point in a new line, close Notepad, and then
click Save to save the changes.

3. Right-click Sales.txt, click Properties, click the Previous Versions tab, verify that there is still only
one previous version, and then click OK.
4. On the taskbar, in the Search the web and Windows box, enter backup, and then click Backup and
Restore (Windows 7).

5. In the Backup and Restore (Windows 7) window, click Set up backup.


6. In the Set up backup window, click Save on a network. In the Network location box, type
\\lon-dc1\Backup2, in the Username box, type Adatum\Administrator, in the Password box, type
Pa$$w0rd, click OK, and then click Next.
7. On the What do you want to back up? page, click Let me choose, click Next, clear the Include a
system image of drives: System Reserved, (C:) check box, expand Local Disk (C:), click Data, verify
that the Misc folder is not selected, and then click Next.

8. On the Review your backup settings page, click Save settings and run backup, and wait until
backup finishes.

Task 2: Use previous versions added by restore points


1. In LON-CL1, in File Explorer, right-click Sales.txt, click Properties, click the Previous Versions tab,
verify that there are now two previous versions, as the second version was added when backup was
created, and then click OK.

2. Right-click Sales.txt, and then click Delete.

3. In the details pane, right-click an empty space, click Properties, click the Previous Versions tab, click
the top folder, called Data, click Restore, and then click OK.

4. In File Explorer, in the details pane, double-click Data, and then confirm that the Sales.txt file was
restored.
5. In File Explorer, in the navigation pane, expand Local Disk (C:), and then click Misc.

6. In the details pane, right-click Temp.txt, click Properties, click the Previous Versions tab, confirm
that no previous version is available because the backup did not include the C:\Misc folder, in which
the Temp.txt file is located, and then click OK.

7. Close File Explorer, and then close the Backup and Restore (Windows 7) window.

Results: After completing this exercise, you will have configured and performed initial backup by using
the Backup and Restore (Windows 7) tool. You should also have recovered deleted files by using the
previous versions of those files from restore points.

Exercise 4: Recovering a Device with a Restore Point


Task 1: Configure System Restore
1. In LON-CL1, in File Explorer, in the navigation pane, right-click This PC, and then click Properties.

2. In the System window, in the navigation pane, click System protection.


3. In the System Properties dialog box, in the Protection Settings section, click Local Disk (C:)
(System), click Configure, click Turn on system protection, move the Max Usage slider between
5 GB and 10 GB, and then click OK.

4. In the System Properties dialog box, click Create.

5. In the System Protection dialog box, type Initial settings, click Create, and then click Close.
6. In the System Properties dialog box, click OK.

7. In File Explorer, navigate to the E:\Labfiles\Mod11 folder, and then double-click XmlNotepad.msi.

8. In the XML Notepad 2007 Setup Wizard, click Next, select I accept the terms in the License
Agreement, click Next twice, click Install, and then click Finish.
9. Close Internet Explorer, and click Close all tabs.

10. Verify that an XML Notepad 2007 shortcut is on the desktop.


11. Right-click the desktop, point to New, click Text Document, type My document as its name, and
then press Enter.

12. Right-click the Start icon, and then click Device Manager.
13. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update
Driver Software.

14. In the Update Driver Software - Standard PS/2 Keyboard dialog box, click Browse my computer
for driver software. Click Let me pick from a list of device drivers on my computer, click PC/AT
Enhanced PS/2 Keyboard (101/102-Key), click Next, click Close, and then click No.

15. In Device Manager, verify that PC/AT Enhanced PS/2 Keyboard (101/102-Key) is visible.

Task 2: Use System Restore


1. In LON-CL1, in File Explorer, in the navigation pane, right-click This PC, and then select Properties.
2. In the System window, in the navigation pane, click System protection.

3. In the System Properties dialog box, click System Restore.

4. In the System Restore dialog box, click Next.


5. Select the Initial settings restore point, and then click Scan for affected programs. Verify that XML
Notepad 2007 is visible, as you installed it after creating the restore point. Click Close.

6. In the System Restore dialog box, click Next, click Finish, and then click Yes. Wait until LON-CL1 has
restarted.

7. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd. You will need to click
Sign-in options first and then click the key icon, which represents Password.
8. In the System Restore dialog box, click Close. Verify that My document.txt is still on the desktop,
and that the XML Notepad 2007 shortcut is no longer present on the desktop.

9. Right-click the Start icon, and then click Device Manager.



10. In Device Manager, expand Keyboards, and then verify that Standard PS/2 Keyboard is present.
PC/AT Enhanced PS/2 Keyboard (101/102-Key) was removed, because you added it after creating the
restore point.

11. On the taskbar, click File Explorer.


12. In File Explorer, in the navigation pane, right-click This PC, and then click Properties.

13. In the System window, in the navigation pane, click System protection.

14. In the System Properties dialog box, click System Restore.


15. In the System Restore dialog box, select Choose a different restore point, and then click Next.

16. In the System Restore dialog box, verify that the additional restore point with the description
Restore Operation and the type Undo was created. Click Cancel, click OK, and then close the
System window.

Results: After completing this exercise, you will have used System Restore to revert the computer to an
earlier restore point, and explored the effects of applying the restore point.

Exercise 5: Using the Advanced Start-up Options to Recover a Device


Task 1: Use the Reset this PC option
1. In LON-CL2, right-click the desktop, point to New, click Text Document, type Report as its name,
and then press Enter.

2. Right-click the Start icon, select Network Connections, double-click Ethernet, click Details, and
then verify that the connection is not Dynamic Host Configuration Protocol-enabled (DHCP-enabled)
and that it has the IPv4 address 172.16.0.41. Click Close twice.

3. Right-click the Start icon, select System, and then verify that the computer name is LON-CL2 and
that it is in the Adatum.com domain.
4. On the taskbar, in the Search the web and Windows box, type advanced, and then click Change
advanced startup options.

5. On the UPDATE & SECURITY page, in the Advanced startup section, click Restart now, and wait a
few seconds.

6. On the Choose an option page, click Troubleshoot.


7. On the Troubleshoot page, click Reset this PC.

8. On the Reset this PC page, click Keep my files, and wait while the computer restarts.

9. On the Reset this PC page, click Admin. In the Enter the password for this account box, enter
Pa$$w0rd, click Continue, and then click Reset.

10. While the Reset this PC process is happening in LON-CL2, continue with the next task. You will review
the results of the reset process at the end of this lab.

Task 2: Explore safe mode


1. In LON-CL1, on the taskbar, in the Search the web and Windows box, type service, and then click
View local services.

2. In the Services window, click the Status column to sort the services, scroll down, verify that many
services (more than 75 services) are running, and then close Services.
3. On the taskbar, in the Search the web and Windows box, type advanced, and then click Change
advanced startup options.

4. On the UPDATE & SECURITY page, in the Advanced startup section, click Restart now, and wait a
few seconds.

5. On the Choose an option page, click Troubleshoot.


6. On the Troubleshoot page, click Advanced options.

7. On the Advanced options page, click Startup Settings, click Restart, and then press 4 to select
Enable Safe Mode.
8. When the computer starts, sign in as Adatum\Administrator and use Pa$$w0rd as the password.

9. Verify that the words Safe Mode appear in all four corners of the desktop. Right-click the Start icon,
and then click Device Manager.
10. In Device Manager, right-click Generic PnP Monitor, click Properties, and then verify that the status
of the device is not available when the computer is running in safe mode.

11. Click the Driver tab and verify that you can still use the Update or Uninstall drivers options while
the computer is running in safe mode. Click OK.
12. On the taskbar, try to enter something in the Search the web and Windows box. You cannot search,
because the computer is running in safe mode.

13. Right-click the Start icon, and then click Computer Management.
14. In Computer Management, in the navigation pane, expand Services and Applications, and then click
Services. In the details pane, click the Status column to sort the services, scroll down, and verify that
only a few services (fewer than 25 services) are running when the computer is in safe mode.
15. On your host computer, in the 20697-1B-LON-CL1 on localhost Virtual Machine Connection
dialog box, on the Media menu, point to DVD Drive, and then click Insert Disk.

16. In the Open dialog box, in the File name box, type C:\Program Files\Microsoft Learning\20697-1
\Drives\Win10Ent_Eval.iso, and then click Open. If virtual machines are extracted to a different
drive than C:, use that drive letter instead of C:.

Task 3: Use advanced startup options


1. In LON-CL1, right-click the Start icon, select Shut down or sign out, and then select Restart.
2. When you see the Press any key to boot from CD or DVD message, press the spacebar, and then
wait while Windows Setup loads.

3. When prompted, in the Windows Setup dialog box, click Next.


4. On the next Windows Setup page, click Repair your computer.

5. On the Choose an option page, select Troubleshoot, and then click Advanced options.

6. On the Advanced options page, click System Restore.


7. On the System Restore page, click Windows 10.

8. In the System Restore dialog box, click Next. Select the Restore Operation restore point, and then
click Scan for affected programs. Verify that the list includes XML Notepad 2007 as a program that
might be restored. Click Close, and then click Cancel.

Note: You can use System Restore from the Windows Recovery Environment
(Windows RE).

9. On the Choose an option page, click Troubleshoot, and then click Advanced options.

10. On the Advanced options page, click Command Prompt.

11. At the command prompt, type bcdedit, and then press Enter.

12. Review the output and verify that Windows 10 appears as the default Windows Boot Loader
operating system.

13. At the command prompt, type diskpart, and then press Enter.

14. At the command prompt, type list disk, and then press Enter.

15. At the command prompt, type list volume, and then press Enter.
16. At the command prompt, type exit twice, and then press Enter.

17. On the Choose an option page, click Troubleshoot, and then click Advanced options.
18. On the Advanced options page, click Startup Repair.

19. On the Startup Repair page, click Windows 10. Startup Repair starts diagnosing your PC.

20. After a few seconds, the Startup Repair couldn't repair your PC page appears. This is because there
is nothing wrong with your computer. Click Advanced options, and then click Continue.

Task 4: Verify the effects of Reset this PC

Note: You can perform this task only after Reset this PC on LON-CL2 has finished. If the
Reset operation on LON-CL2 is not yet complete, the instructor may start with the lecture. You
can perform this task and the next before the lab in Module 12.

1. In LON-CL2, sign in as Adatum\Administrator with the password Pa$$w0rd.

2. Confirm that initial sign-in takes some time, as Windows 10 is setting up your apps.

3. Verify that the Report document that you created earlier is still on the desktop.

4. Right-click the Start icon, select Network Connections, double-click Ethernet, click Details, and
then verify that the connection is DHCP-enabled after the Reset this PC operation, and that the
computer no longer has the 172.16.0.41 IPv4 address. Click Close twice.

5. Right-click the Start icon, click System, and then verify that the computer name and domain
membership remain the same. The computer name is still LON-CL2 and the computer is a member
of the Adatum.com domain.

Results: After completing this exercise, you will have used the Reset this PC option, safe mode, and
advanced startup options.

Prepare for the next module


When you have finished the lab, revert all virtual machines to their initial state:

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20697-1B-LON-CL1, and 20697-1B-LON-CL2.



Module 12: Maintaining Windows 10


Lab: Maintaining Windows 10
Exercise 1: Configuring Updates for a Single Device
Task 1: Configure update settings for a single device
1. Switch to LON-CL1.

2. Click Start, and then click Settings.

3. In SETTINGS, click Update & security.

4. On the Windows Update tab, click Advanced options.

5. On the ADVANCED OPTIONS page, beneath Choose how updates are installed, in the list, click
Automatic (recommended).
6. Select the Give me updates for other Microsoft products when I update Windows and Defer
upgrades check boxes.

7. Notice that the Get started option beneath Get Insider builds is available.

8. Click Choose how updates are delivered.


9. On the CHOOSE HOW UPDATES ARE DELIVERED page, enable the When this is turned on, your
PC may also send parts of previously downloaded Windows updates and apps to PCs on your
local network, or PCs on the Internet, depending on what's selected below option.
10. Select PCs on my local network, and PCs on the Internet, and then click Back.

Task 2: Review applied updates


1. On the ADVANCED OPTIONS page, click View your update history.
2. Review the updates listed, and then click Uninstall updates.

3. Review the updates listed in Installed Updates. Close Installed Updates.

4. On the VIEW YOUR UPDATE HISTORY page, click Back.

5. On the ADVANCED OPTIONS page, click Back.

Results: After completing this exercise, you will have successfully configured Windows Update settings.

Exercise 2: Configuring Updates with GPOs


Task 1: Configure update settings by using GPOs
1. In the Search the web and Windows box, type gpedit.msc, and then click gpedit.msc in the list of
returned items.

2. In Local Group Policy Editor, navigate to Computer Configuration/Administrative Templates
/Windows Components/Data Collection and Preview Builds.

3. In the right pane, double-click Toggle user control over Insider builds.

4. In the Toggle user control over Insider builds dialog box, click Disabled, and then click OK.

5. In Local Group Policy Editor, navigate to Computer Configuration/Administrative Templates
/Windows Components/Windows Update.

6. In the right pane, double-click Defer Upgrade.


7. In the Defer Upgrade dialog box, click Enabled, and then click OK.

8. In the right pane, double-click Do not connect to any Windows Update Internet locations.

9. In the Do not connect to any Windows Update Internet locations dialog box, click Enabled, and
then click OK.
10. Close Local Group Policy Editor.

Task 2: Verify that the device's update settings are managed centrally
1. Right-click Start, and then click Command Prompt (Admin).

2. In the command prompt, type gpupdate /force, and then press Enter.
3. Switch to UPDATE & SECURITY.

4. On the Windows Update tab, click Advanced options. Notice the Some settings are managed by
your organization banner.
5. Notice that the option to Get started with Insider builds is unavailable.

6. Close all open apps and windows.
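A registry-level check that the three policies from Task 1 actually applied after gpupdate, which is what the Some settings are managed by your organization banner reflects. This is an added example, not course code; the policy value names are the ones I know from the Windows Update and Data Collection ADMX templates (confirm them against the ADMX files in your environment), and the function name Test-LabUpdatePolicy is my own.

```powershell
# Added example (not from the course lab): verifies on LON-CL1 that the policies
# set in Exercise 2 reached HKLM\SOFTWARE\Policies after gpupdate /force.
# Value names are from the Windows Update / Data Collection ADMX templates as I
# know them; confirm against your ADMX files before relying on this check.

$checks = @(
    @{ Policy   = 'Toggle user control over Insider builds (Disabled)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PreviewBuilds'
       Name     = 'AllowBuildPreview'
       Expected = 0 },
    @{ Policy   = 'Defer Upgrade (Enabled)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name     = 'DeferUpgrade'
       Expected = 1 },
    @{ Policy   = 'Do not connect to any Windows Update Internet locations (Enabled)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
       Name     = 'DoNotConnectToWindowsUpdateInternetLocations'
       Expected = 1 }
)

function Test-LabUpdatePolicy {
    foreach ($c in $checks) {
        # A missing value under the Policies hive means the GPO never applied
        # (or the setting is Not Configured), not that the feature is off.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Policy   = $c.Policy
            Value    = $c.Name
            Expected = $c.Expected
            Actual   = $actual
            Applied  = ($actual -eq $c.Expected)
        }
    }
}

$results = @(Test-LabUpdatePolicy)
$results | Format-Table -AutoSize

# "Do not connect to any Windows Update Internet locations" is meant for devices
# that receive updates from WSUS. The lab configures no WSUS server, so once the
# policy applies the device has no update source at all; flag that state.
$blocked = ($results | Where-Object { $_.Value -eq 'DoNotConnectToWindowsUpdateInternetLocations' }).Applied
$wsus = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
    -Name WUServer -ErrorAction SilentlyContinue
if ($blocked -and -not $wsus) {
    Write-Warning 'Internet update locations are blocked and no WUServer policy is set; this device will not receive updates.'
}
```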

Results: After completing this exercise, you will have successfully configured Group Policy Objects (GPOs)
to configure Windows Update settings.

Exercise 3: Monitoring Events


Task 1: Configure Event Viewer to collect data from multiple devices
1. Switch to LON-DC1.

2. Right-click Start, and then click Windows PowerShell (Admin).


3. At the command prompt, type the following command, and then press Enter:

winrm quickconfig

Note: This command only confirms the configuration; remote management is probably already enabled on LON-DC1.

4. In Server Manager, click Tools, and then click Active Directory Users and Computers.

5. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click Builtin.

6. In the results pane, double-click Event Log Readers.

7. In the Event Log Readers Properties dialog box, click the Members tab.

8. Click Add, and then in the Select Users, Contacts, Computers, Service Accounts, or Groups dialog
box, click Object Types.

9. In the Object Types dialog box, select the Computers check box, and then click OK.

10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select (examples) box, type LON-CL1, and then click OK.

11. In the Event Log Readers Properties dialog box, click OK.
12. Switch to LON-CL1.

13. Right-click Start, and then click Command Prompt (Admin).

14. At the command prompt, type the following command, and then press Enter:

Wecutil qc

15. When prompted, type Y, and then press Enter.

Task 2: View and filter events


1. On LON-CL1, click Start, click All apps, expand Windows Administrative Tools, and then click
Event Viewer.
2. In Event Viewer, in the navigation pane, click Subscriptions.

3. Right-click Subscriptions, and then click Create Subscription.

4. In the Subscription Properties dialog box, in the Subscription name box, type LON-DC1 Events.
5. Click Collector Initiated, and then click Select Computers.

6. In the Computers dialog box, click Add Domain Computers.

7. In the Select Computer dialog box, in the Enter the object name to select (examples) box, type
LON-DC1, and then click OK.
8. In the Computers dialog box, click OK.

9. In the Subscription Properties LON-DC1 Events dialog box, click Select Events.

10. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check
boxes.

11. In the Logged list, click Last 30 days.


12. In the Event logs list, select the Windows Logs check box, click elsewhere in the Query Filter dialog box to close the list, and then click OK.
13. In the Subscription Properties LON-DC1 Events dialog box, click OK.

14. In Event Viewer, in the navigation pane, expand Windows Logs.

15. Click Forwarded Events.


16. Right-click Forwarded Events, and then click Create Custom View.

17. In the Create Custom View dialog box, select the Critical and Error check boxes, and then click OK.
18. In the Save Filter to Custom View dialog box, in the Name box, type LON-DC1 errors, and then
click OK.

19. Examine any listed events.

20. Close all apps and open windows.

Results: After completing this exercise, you will have successfully configured monitoring by using Event
Viewer.
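The following script is an added example and is not part of the 20697-1B lab files. It creates the same subscription as Task 2 from the command line on the collector (LON-CL1) by writing the subscription XML and passing it to wecutil, and then runs the same query that the "LON-DC1 errors" custom view applies. It assumes Task 1 has been completed, that LON-DC1 is reachable as LON-DC1.adatum.com, and that "Windows Logs" means the Application, Security, Setup and System channels of the source. The 30-day window and the channel list mirror the lab's Query Filter choices.

```powershell
# Added example, not from the course lab files. Run in an elevated PowerShell window on
# the collector, LON-CL1. Assumption: the source is reachable as LON-DC1.adatum.com.

# timediff() in event XPath filters works in milliseconds; this is the lab's "Last 30 days".
$thirtyDays = 30 * 24 * 60 * 60 * 1000
$xpath = "*[System[TimeCreated[timediff(@SystemTime) <= $thirtyDays]]]"

# One <Select> per channel that the lab's "Windows Logs" choice covers. No level filter,
# because the lab selects every level from Critical to Verbose.
$selectXml = ('Application', 'Security', 'Setup', 'System') |
    ForEach-Object { "        <Select Path=`"$_`">$xpath</Select>" }
$selectXml = $selectXml -join "`n"

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>LON-DC1 Events</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Windows Logs from LON-DC1, last 30 days</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
$selectXml
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>true</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>LON-DC1.adatum.com</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@

# Steps 2-13 of the lab: create the subscription from the XML, then check its runtime
# status. The source should show as Active; anything else usually means WinRM or the
# Event Log Readers membership from Task 1 is not in place.
$path = Join-Path -Path $env:TEMP -ChildPath 'LON-DC1-Events.xml'
Set-Content -Path $path -Value $subscription -Encoding UTF8
wecutil cs $path
wecutil gr 'LON-DC1 Events'

# Steps 14-19 of the lab: the "LON-DC1 errors" custom view is just an XPath filter for
# Critical (Level 1) and Error (Level 2) events in the ForwardedEvents log.
# -ErrorAction keeps Get-WinEvent quiet when no forwarded events match yet.
Get-WinEvent -LogName ForwardedEvents -FilterXPath '*[System[(Level=1 or Level=2)]]' -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, LevelDisplayName, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap
```

Forwarding the domain controller's Security log copies its audit records into the ForwardedEvents log on LON-CL1, where anyone who administers that workstation can read them; in production the collector is a dedicated, hardened server for that reason, and the subscription query is narrowed to the event IDs you actually need rather than every event of every level.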
L12-80 Maintaining Windows 10

Exercise 4: Monitoring Reliability and Performance


Task 1: Use Performance Monitor to gather a baseline
1. On LON-CL1, click Start, click All apps, click Windows Administrative Tools, and then click
Performance Monitor.

2. In Performance Monitor, in the navigation pane, expand Data Collector Sets.

3. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.

4. In the Create new Data Collector Set Wizard, on the How would you like to create this new data
collector set? page, in the Name text box, type Adatum Baseline.

5. Click Create manually (Advanced), and then click Next.


6. On the What type of data do you want to include? page, select the Performance counter check
box, and then click Next.

7. On the Which performance counters would you like to log? page, in the Sample interval field,
type 1, and then click Add.

8. In the Available counters list, expand Memory, click Pages/sec, and then click Add.

9. In the Available counters list, expand Network Interface, click Packets/sec, and then click Add.
10. In the Available counters list, expand PhysicalDisk, click % Disk Time, and then click Add.

11. Under PhysicalDisk, click Avg. Disk Queue Length, and then click Add.

12. In the Available counters list, expand Processor, click % Processor Time, and then click Add.
13. In the Available counters list, expand System, click Processor Queue Length, click Add, and then
click OK.

14. On the Which performance counters would you like to log? page, click Next.
15. On the Where would you like the data to be saved? page, click Next.

16. On the Create the data collector set page, click Finish.

17. In Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.

18. Click Start, click All Apps, click Microsoft Office 2013, and then click Word 2013.
19. Click Start, click All Apps, click Microsoft Office 2013, and then click Excel 2013.

20. Click Start, click All Apps, click Microsoft Office 2013, and then click PowerPoint 2013.

21. Close all open Microsoft Office 2013 apps, and then switch to Performance Monitor.

22. In the navigation pane, right-click Adatum Baseline, and then click Stop.

23. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Adatum Baseline, and then click the report that has a name beginning with LON-CL1.

24. View the chart. On the menu bar, click the drop-down arrow, and then click Report.

25. Record the following values:

o Memory Pages per second

o Network Interface Packets per second

o PhysicalDisk % Disk Time

o PhysicalDisk Avg. Disk Queue Length

o Processor % Processor Time

o System Processor Queue Length

Task 2: Load the suspect app


1. On LON-CL1, if necessary, sign in by using the following credentials:

o User name: Adatum\Administrator


o Password: Pa$$w0rd

2. Run the E:\Labfiles\Mod11\Scenario.vbs script.

3. The script starts to generate the load.

Task 3: Use Performance Monitor to identify possible bottlenecks


1. Switch to Performance Monitor.
2. Under Data Collector Sets, click User Defined.

3. Right-click Adatum Baseline, and then click Start.


4. In the Search the web and Windows box, type perfmon /res, and then press Enter.
5. In Resource Monitor, which components are under strain?

Answers will vary depending upon the usage scenario and host configuration, although central
processing unit (CPU) and network are likely to be used heavily.
6. After a few minutes, in the Windows Script Host prompt, click OK.

7. Close the instance of C:\Windows\System32\cmd.exe that the script launched.

8. Switch to Performance Monitor.


9. In the navigation pane, right-click Adatum Baseline, and then click Stop.

10. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Adatum Baseline, and then click the second report that has a name beginning with LON-CL1.

11. View the chart.

12. On the menu bar, click the drop-down arrow, and then click Report.

13. Record the component details:

o Memory Pages per second

o Network Interface Packets per second

o PhysicalDisk % Disk Time

o PhysicalDisk Avg. Disk Queue Length

o Processor % Processor Time

o System Processor Queue Length

14. In your opinion, which components is the script affecting the most?

The script is affecting the CPU and network, but it is also affecting all counters.

15. Close all open windows and apps.

Results: After completing this exercise, you will have successfully determined the cause of a performance
bottleneck.
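The following script is an added example and is not part of the 20697-1B lab files. It repeats Exercise 4 with Get-Counter instead of the Performance Monitor GUI: it samples the same six counters to build a baseline, captures them again while the lab's load script runs, and reports which counters moved most, which is the comparison Task 3 asks you to make by eye. It assumes you run it in an elevated PowerShell window on LON-CL1; the sample count, the 1-second interval and the "twice the baseline" threshold are choices made for this example, not values from the lab.

```powershell
# Added example, not from the course lab files. Assumptions: run on LON-CL1 as an
# administrator; the thresholds and sample counts are illustrative.

# The six counters the lab's Adatum Baseline data collector set logs.
$counterPaths = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function Get-CounterAverages {
    param([int]$Samples = 30, [int]$IntervalSeconds = 1)
    # One Get-Counter call returns $Samples sample sets; average each counter path.
    $sets = Get-Counter -Counter $counterPaths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $values = @{}
    foreach ($set in $sets) {
        foreach ($sample in $set.CounterSamples) {
            # Key on the returned path, because wildcard instances (one per NIC) expand.
            if (-not $values.ContainsKey($sample.Path)) { $values[$sample.Path] = @() }
            $values[$sample.Path] += $sample.CookedValue
        }
    }
    $averages = @{}
    foreach ($key in $values.Keys) {
        $averages[$key] = ($values[$key] | Measure-Object -Average).Average
    }
    return $averages
}

# Task 1: baseline during normal use (the lab opens the Office apps in this window).
$baseline = Get-CounterAverages
$baseline | Export-Clixml -Path (Join-Path $env:TEMP 'AdatumBaseline.xml')   # keep for later runs

# Task 2: start the lab's load generator, then sample again while it runs.
Start-Process -FilePath 'wscript.exe' -ArgumentList 'E:\Labfiles\Mod11\Scenario.vbs'
$underLoad = Get-CounterAverages

# Task 3: a counter whose average under load is at least twice its baseline is the
# candidate bottleneck. A zero baseline (idle disk or network) is reported separately
# rather than dividing by zero.
$threshold = 2.0
$report = foreach ($key in $baseline.Keys) {
    $base = [double]$baseline[$key]
    $load = [double]$underLoad[$key]
    $ratio = if ($base -gt 0) { $load / $base } else { $null }
    [pscustomobject]@{
        Counter    = $key
        Baseline   = [math]::Round($base, 2)
        UnderLoad  = [math]::Round($load, 2)
        Ratio      = if ($null -ne $ratio) { [math]::Round($ratio, 2) } else { 'n/a' }
        Bottleneck = ($null -ne $ratio -and $ratio -ge $threshold) -or ($null -eq $ratio -and $load -gt 1)
    }
}
$report | Sort-Object Bottleneck -Descending | Format-Table -AutoSize
```

To keep a persistent data collector set like the one the wizard builds, create it with logman create counter "Adatum Baseline" -c <counter paths> -si 00:00:01 -o <output path>, control it with logman start and logman stop, and read the resulting .blg file back into the same sample objects with Import-Counter. Whichever tool you use, a baseline is only as representative as the period it was captured in; a few seconds in a lab is enough to see the load script's effect, but a production baseline is collected over a normal working period before anything is judged abnormal.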
