Learn Windows 10 - MD-100 Full Course (ITCT)

Captions
Welcome to this video training course, MD-100 Windows 10. Recently Microsoft overhauled their Windows 10 certifications, replacing many of the technology-focused exams with job-role-focused exams; MD-100 and its companion MD-101 are some of the first through the gate. This course is intended to provide you with the skills and knowledge necessary to prepare for and take the Microsoft MD-100 Windows 10 exam. It consists of a series of lessons that guide you through the important exam objectives. Each lesson is a combination of discussion sessions and hands-on demonstrations. I'm Andrew Warren and I'll be your instructor throughout those sessions and demonstrations. I'm a long-time Microsoft Certified Trainer and I've taught thousands of students in hundreds of classes over the years. For the last decade I've been working with Microsoft on their official curriculum courseware, and I've just completed some updates to the Windows 10 curriculum, including working on the MD-101 course. Prior to that I designed and wrote 20741, Networking with Windows Server 2016.
I also helped on the companion courses in the Windows Server 2016 portfolio, including 20743, Upgrading Your Skills to MCSA Windows Server 2016. I've written several Exam Ref books for Microsoft Press, including Installing and Configuring Windows 10, Configuring Windows Devices, Managing Modern Desktops, Networking with Windows Server 2016, and Identity with Windows Server 2016.

This course consists of 10 lessons, each broken down into sub-lessons of between 5 and 15 minutes' duration, although one or two lessons are a little longer. The lessons have been grouped together in such a way as to easily map to the exam objective domains. Lesson one consists of five lessons and covers Windows 10 deployment. Lesson two consists of six lessons and covers post-installation configuration. Lessons one and two cover the content required for the Deploy Windows exam OD and account for fifteen to twenty percent of the exam. Lesson three consists of two lessons and describes how to manage accounts and devices. Lesson four consists of two lessons and deals with data access and protection. Lesson five consists of five lessons and is all about device configuration using policies. Lesson six consists of three lessons and covers Windows security. Lessons three through six cover the Manage Devices and Data exam OD, accounting for around 35 to 40 percent of the exam. Lesson seven consists of seven lessons and describes Windows networking. Lesson eight consists of three lessons and is about remote connectivity. Lessons seven and eight cover the Configure Connectivity exam OD and account for around fifteen to twenty percent of the exam. Lesson nine consists of five lessons and looks at both system and data recovery. Lesson 10 consists of three lessons and describes monitoring and management of Windows 10.
These last two lessons deal with the content for the Maintain Windows exam OD and represent about 25 to 30 percent of the exam mark. By the end of the course you should have learned enough to support your organization's Windows 10 deployment and to take the MD-100 Windows 10 exam. I hope you get as much out of attending the course as I did writing and recording it.

This is lesson one, Deploy Windows 10. In this lesson we discuss installation, deployment and upgrades. In this lesson you'll learn how to plan your Windows installation, plan Windows upgrades, perform a Windows installation, install Windows on a VHD and USB, and manage Windows activation. The hands-on demonstrations in this lesson include using the Microsoft Assessment and Planning Toolkit to help determine Windows 10 readiness, using the application compatibility tools, migrating user state, performing a clean installation, and creating a bootable USB Windows 10 installation.

When you're planning to install Windows 10, perhaps the first thing you need to do is to make sure that your computer is capable of running the operating system. That shouldn't be too challenging: Windows 10 requirements are not particularly hard to meet; they're very similar to those for Windows 7.
Given that Windows 10 has been around with us for almost four years now, the specifications haven't really changed much over that time. So let's have a look at these hardware requirements. The processor needs to be at least one gigahertz. Memory: either one gigabyte for 32-bit versions of Windows 10 or 2 gigabytes for 64-bit versions; realistically it's going to be hard to find computers with as little memory as that. Hard disk space: 32-bit versions consume a little less, at 16 gigabytes; 64-bit versions require a little bit more, at 20 gigabytes, but again a hard disk with only that amount of free space is going to be difficult to locate. Other than that, the graphics adapter needs to be DirectX 9 compatible and the display resolution 800x600. Now in reality these are very low specifications for hardware, a very low bar for you to meet. When I was planning to install Windows 10 on a computer, it would have been four years ago now, so 2015, when Windows 10 was just out, I looked at using an Intel i5 processor and 8 gig of memory, and I think I had a 256 gigabyte hard drive, an SSD. In fact SSDs are ideal for Windows 10; it enables you to start the operating system very quickly. So that's a fairly standard specification. When I've spoken to my students I'm teaching in class, that's a typical specification for most organizations, so an i5, 8 gig and a 256 gig SSD, that's fairly standard.

Now in addition to the basic hardware, you might want to check that your peripheral devices are also compatible with Windows 10. So I'm thinking of printers, scanners, digital pens, anything like that, or even a mouse or keyboard that's external will require a driver, and you'll want to make sure that it's compatible. If it comes from a major vendor and it's relatively recent there'll probably be no issue at all, but you'll want to check. If you're buying new hardware, so you've bought a new PC, then any peripherals that come attached are obviously going to be working with Windows 10, so you don't need to do anything, but if you've got
older peripherals, you might want to check the hardware vendor's website for drivers. If you don't find specific drivers for Windows 10, it's possible (I mean, I've done this) to use versions of drivers from earlier versions of Windows. So I've installed the Windows 8 drivers before for a graphics adapter under Windows 10 and it worked perfectly.

If you've got a lot of computers to verify, then you might want to use something like the Microsoft Assessment and Planning Toolkit to perform that analysis. So that will allow you to connect out to remote machines, perform an analysis and produce a report. You can use the Microsoft Assessment and Planning Toolkit to determine the upgrade feasibility to Windows 10 on any devices that it can scan. You can determine whether the organization is ready to migrate to Microsoft Azure or Office 365 / Microsoft 365, and you can determine whether or not you can move your workloads from physical computers to Hyper-V, in other words on virtual machines.

Let's take a look at how to use the Microsoft Assessment and Planning Toolkit to determine Windows 10 readiness. OK, so I'll open up the Microsoft Assessment and Planning Toolkit. I want to run this as administrator, so I'll confirm the User Account Control prompt. After a moment MAP initializes, and what you're seeing here is a previous assessment. I'm going to create a new assessment, so there's an existing database here; I'll create a new inventory database, I'll call it Test, and click OK. And as you can see on the left-hand side here in the navigation bar there are a number of assessment types that you can run: assess for cloud readiness, assess desktop computers, assess servers, assess desktop virtualization workloads and server virtualization workloads, and so on. What we're doing here is assessing the readiness for Windows 10, so I'll select the Desktop option, and already you can see there's an option for assessing Windows 10 readiness, and I can collect the inventory data by clicking the link here. You can see a
list of different computer types. I'm going to examine Windows computers. I can connect to these Windows computers using a number of different techniques: via Active Directory, or using certain Windows networking protocols, or by scanning an IP address range. I'm going to scan an IP address range because that's more suitable for my test environment here. I'll enter the address range and then click through. Now, when I'm connecting to each of the computers that I discover I need to supply credentials to do that, so I'll specify an account for Admin and enter the password, and also a secondary account for other computers, and either one of those will be used. So when I'm ready I can click Next, and this is just summarizing that it's going to connect as Admin and then as Andrew to each of the computers that it detects, to see if it can connect with WMI to scan the computer. A summary of what I'm asking it to do is shown there, and if I click Finish it will start the collection. I'll expand and show you the detail. It's now running the assessment against the discovered machines. It's completed that; close. And we can see here on the summary screen that there are two computers that are ready for Windows 10. There are in fact only three devices on this test network, and for one of the machines there is insufficient data to make an assessment, and that's because it's not running Windows 10, or rather it's not running any version of Windows. It tells us a bit more down here about the Internet Explorer versions that have been discovered and the number of clients. Let's examine the Windows 10 readiness details. You can see a bit more of an assessment here of that discovery, but there's also a link up here to generate a Windows 10 readiness report, which we can view in Excel. We'll do that now, and it takes us to the folder where the assessment report has been stored, and I can just open that up by double-clicking. So here we have an overall assessment: meets minimum system requirements, there are two that
meet the requirements, there are none that are not ready for Windows 10, and there is one for which there is insufficient data. We can take a look at the Assessment Values tab and that will tell us what it was looking for: so it was looking for a CPU of one gigahertz or higher, an amount of memory, an amount of free disk space, and so on. On the Client Assessment tab we can have a look at the specific computers that were discovered. CL1, that's actually this local computer, meets the minimum system requirements and it doesn't require any kind of hardware upgrade, and if we scroll across here we can see its IP address, the subnet mask, and that it's currently running Windows 10 Enterprise, so obviously it is ready for Windows 10. And beneath it we can see the other computer that was discovered, which is running Windows 10 Pro, and we can find out details about that particular machine. On the Device Summary page you can have a look at the particular features of a particular device, so we've got some power settings here, got some information about the network adapter, and so it's quite detailed information. And on the final tab we've got Discovered Applications information. It tells us about the software that it's been able to discover: Skype for Business Online, for example, the Windows PowerShell module, Skype 7.4, Conexant HD Audio. It's done a very thorough job, and then you can skim through this report and determine whether or not your organization is ready to make the move to Windows 10.
Now, in this simple test network there are only a couple of machines, so it's not giving us a real feel of the power of the application. Let's switch back to the assessment tool and I'll open up a database that was previously created. You can see there are a large number of machines here: 234 are ready for Windows 10, some of which will be ready immediately, some of which require upgrades. If we click on the Desktop tab here and then go to Windows 10 Readiness, again you can see a bit more detail about the tests that were performed, but possibly the most useful thing is to go to Generate Windows 10 Readiness Report and view it in Excel. So here we have the report: 72 machines are ready now, 234 will be ready after a hardware upgrade. Let's take a look at the client assessment to make that determination. So this one, for example, this particular computer is not ready for Windows 10 because it has insufficient memory; OK, again insufficient memory; this one here, free disk space is less than 20 gig. And once again we can go on to Device Summary to find out a bit more about what's out there in terms of hardware and devices, and we can take a look at any discovered applications. It may be, for example, that we know that there are issues with some of these applications, and that might make a difference to how we proceed with the upgrade plan. OK, so in the demonstration we saw how we could use MAP to help determine Windows 10 readiness.

Now, if you're upgrading to Windows 10, the chances are you're going to have some applications installed on your computer or computers. They may have been designed for Windows 7 or indeed for earlier versions of Windows. If you experience problems with those applications you might want to check for application updates. Updates generally are free; you can probably download those from the vendor's website. If you can't find a free update, you might want to consider upgrading to a more recent version of the application; that may well come with a cost attached. If you can
neither update nor upgrade, you might want to configure or create a compatibility fix using one of the application compatibility tools that Microsoft provide in the Windows Assessment and Deployment Toolkit. If that's not an option or you'd prefer to do it differently, you can build a virtual machine to host the application. So for instance you might have an application designed for Windows XP, and you decide to create a Windows XP virtual machine and run the application within the context of that virtual machine. So the application's happy, it's running on Windows XP, but you can run that virtual machine on a Windows 10 computer using the Client Hyper-V feature.

To use the application compatibility tools there's a procedure you must follow. First of all, build a representative Windows 10 computer, so one that contains all of, well, the operating system clearly, but also any fixes and updates that need to be applied, and then any customizations that you want to make for your organization. Install all of the required applications. Run the applications to determine any problems; I mean, you could for example allow Windows 10 to be deployed to a representative set of your users within an organization and have them perform these tests and then get feedback. Then install the application compatibility tools on your target test workstation. Open the Compatibility Administrator tool. Create a custom database; the database is used to hold information about the issues that are determined with the application and how fixes can be applied to resolve those issues. Then create a new application fix for the application. You'll run the application within the context of that environment and perform a series of standard tasks within the application, whatever it is that your users normally do with the application. Then save the application compatibility fix file, and then apply that fix file to the application on all computers within your organization. Now, you can obviously wander around and
manually do that, or you can use a method to apply that to multiple workstations. If you're using imaging, of course, you can apply that fix to your image, your source image, and then that can be applied to all new computers within the organization thereafter.

So let's have a look at how we can use the application compatibility tools to assess and to perform a fix on an application that experiences problems. We're ready to perform upgrades on various computers around our organization, but we've discovered that there are some potential problems with some of the applications. We have a test application on this virtual machine that will simulate some of the sorts of problems that you might experience, and then we'll take a look at how we can create a workaround, a patch if you like, a shim, for that particular application. The application is called Stock Viewer, and you can see straight away that it wants us to be an administrator, so click OK to that message, and then within the application I can run some of the options. So for example I can say show me Options and it comes up with an error message; I can say show me a star and it tells me that the application needs to be running under Windows XP, not Windows 10; and I can click on Trends here, and again we get a not very helpful message here to show that there are problems. So this application isn't going to work properly under Windows 10.
Now, we have a number of different options, and we could create a virtual machine running Windows XP and install the application within that environment, but we can also try and patch the application. Let's take a look at how we could do that. So let me close the application, and then I'm going to open up one of the compatibility tools, part of the Windows ADK. So down here I've got Windows Kits and I've got the Compatibility Administrator tool, which I'm going to open now. There are two versions, 32-bit and 64-bit, depending on the application that you're using; this is a 32-bit app. I'm going to create a new database for this fix. The name of the application to be fixed is Stock Viewer; I don't know the vendor. I need to locate the executable for the program; there it is. Now, we already know that it needs to run under Windows XP, so we can select run in compatibility mode for Windows XP; that was one of the messages that we saw. We also saw that it required that we ran as administrator, so let's scroll down into these other compatibility modes. They're alphabetical, so that helps: Run As Admin. There may be some additional things that you discover; there's a lot of compatibility parameters here. We don't need any of these right now, and then we'll say we're finished. So what I now need to do is to save this. I'm going to call this Stock Viewer Fix, and for my convenience I'm going to put it on my desktop. All fixes are stored as SDB files, and although I can simply apply it using an executable locally, I can also distribute these fixes using something like Group Policy, or creating a script, or using some other mechanism for applying the patch to a large number of computers. I can close down the Compatibility Administrator now, and there's our fix file. To apply that to the application I need to open a command prompt (PowerShell will do, actually) in admin mode, and then I need to run the sdbinst program against that particular file. So that's stored under the Users folder; I'm signed in as Andrew,
and it's on my desktop, and I called it Stock Viewer Fix.sdb. And as I said, clearly running this on every single computer, if you have thousands of computers with the application installed, is a bit too time consuming, so you use some mechanism to distribute the fix. It's applied that fix, so now if I run the Stock Viewer application it doesn't prompt me about being an administrator; it just confirms elevation to admin. And now I can say Trends, and that now functions; I can choose Tools, show me a star, and although that's not exactly thrilling it does in fact function. So it appears as if the fix has solved the issue with this application. Consider using a shim when you have no other alternative. It's possible your vendor may have produced an update to the application; if it's an internal application, it's possible that some of your team can develop the application to function within Windows 10; or you could consider running it in a VM as we discussed earlier. But you can also create these fixes and distribute them if you have no other option. OK, so in that demonstration we saw how to create and apply an application fix.

There are a number of editions that you can choose from with Windows 10: Windows 10 Home, Windows 10 Pro, Windows 10 Enterprise (and for most people it will be one of these three editions that are used), Windows 10 Enterprise Long-Term Servicing Channel, or LTSC, which is a specialist version that doesn't receive updates in quite the same way as the other editions, Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. And for all of those there are both 32-bit and 64-bit versions. Generally speaking, most organizations will choose Windows 10 Enterprise or Enterprise LTSC, or Windows 10 Education if they're an educational establishment; most home users will typically choose Windows 10 Home or Windows 10 Pro. There is a variation in the features for each of these editions, and you can find out more about that at the Microsoft website. I don't want to go through all of the specific
features for all of the available editions, but consider Windows 10 Home as the most fundamental version, and then consider that Windows 10 Pro will extend that to include certain what you might consider to be business-level features: so for example the ability to join an Active Directory domain or be Azure Active Directory joined; BitLocker Drive Encryption is added; Enterprise Mode for Internet Explorer; Client Hyper-V; Storage Spaces; Remote Server Administration Tools. There are a range of things that you normally wouldn't need on a home computer that are added to Windows 10 Pro. Windows 10 Enterprise extends that feature set to include DirectAccess, Always On VPN, the Windows To Go Creator tool, AppLocker, BranchCache, UE-V, application virtualization, and a collection of security features including Windows Defender Credential Guard, Device Guard and Advanced Threat Protection.

There are certain specific features that require additional hardware or software as well. Client Hyper-V: if you want to run virtual machines you're going to need additional memory, faster disks, so ideally an SSD, and probably a higher level of processor. I run Hyper-V on my laptop machines, including the Surface Go, and that's quite a low-spec processor; admittedly it's not brilliant in terms of performance, but it's ideal for demonstrations. Cortana: you'll need a microphone. Continuum is a feature that allows you to switch between your various devices, different form factors and so on. Miracast allows you to connect your Windows device wirelessly to a monitor or projector, so you'll need compatible hardware for that. Windows 10 of course is a touch-centric operating system, so if you want to take advantage of that you'll need a touch screen. It's interesting: I often ask my students in class how many of them are considering touch for their standard users, and it's not particularly popular, which is surprising to me, because once you have a touch laptop or a convertible device like a Surface Pro or Surface Go it's very
difficult to go back to not having a touch device, so it's certainly worth considering if the price differential is not too significant. OneDrive is a storage mechanism, or a storage platform, in the cloud. There are two versions: OneDrive for personal use and OneDrive for Business, which is part of a Microsoft 365 subscription, so you'll need a subscription or a Microsoft account to be able to take advantage of that facility, and obviously also you'll need an internet connection. Synchronizing your settings, or Sync Your Settings, is something you can turn on in the Settings app. It enables you to synchronize your settings between your devices, so that would be your color scheme, layout, your Internet Explorer and Microsoft Edge favorites, password settings, that sort of thing. You can synchronize those to OneDrive and then synchronize them down to your other devices also running Windows 10, or you can synchronize to OneDrive for Business through your Microsoft 365 account settings; that needs to be turned on within your Microsoft 365 organization (it's actually an Azure AD setting).

There are also some security features. First of these is BitLocker. For BitLocker to work you'll need to have a compatible TPM, ideally, a Trusted Platform Module. You can check whether you have a TPM in your computer by, I'll just show you this actually on my computer here, opening up the TPM console, which you can see here, and it will tell you that you've got a TPM and the version number; this, mine, is version two, and you can do things like prepare it or clear it or whatever. You can also have a look in the new security application, Windows Security, and then from within Windows Security, if you click on Device Security, you can check the Security Processor details, and again it's telling me a bit about, effectively, my TPM. The TPM is used by BitLocker to provide for encryption. It allows us to identify the device, so that if you attempted to move a hard drive from one computer to another, or you significantly change the
hardware, then BitLocker can recognize that, and the TPM makes that an easier process. If your computer doesn't have a TPM chip, well, that's a bit more challenging, but certainly it's supported. Device Health Attestation: this also requires a TPM chip; whereas BitLocker requires 1.2 or later, Device Health Attestation requires 2.0 or later. Now my computer, the one I just showed you, is quite old, it's about four years old now, and it has a TPM 2 chip, so any reasonably modern, reasonably mid-range or higher computer is likely to have the required TPM chip. Secure Boot: when you enable Secure Boot, you can only start your operating system using a signed digital certificate stored in UEFI, so you require a compatible UEFI, that's version 2.3.1. Two-factor or multi-factor authentication: now, what is that? Multi-factor authentication is the ability to provide for authentication by using multiple means, multiple factors: something that you know, like a username and password; something that you have, like a device, your phone for example, or the device that you're signing in at, or possibly a digital certificate on a smart card or virtual smart card; and something that you are, so we could use biometrics to identify you with fingerprint, facial recognition and so on. Virtual Secure Mode requires Hyper-V and is also only available in Windows 10 Enterprise; it's a feature that moves some of the sensitive elements of the operating system into trustlets that run in Hyper-V. Virtual smart cards provide for multi-factor authentication; they're one of the factors, storing a digital certificate or similar, but rather than requiring a physical smart card you can use a virtual smart card. It requires a TPM version 1.2 or later.

When you come to perform the installation of Windows 10, assuming you've got existing hardware, then you're probably looking to do an upgrade. The alternative to this is to perform a clean installation. Organizations take a different view on this. If you've got a large number of
machines to deploy, it might be beneficial to do a wipe and load, so get rid of what's on there already and introduce the new operating system from scratch, effectively a clean installation. Some organizations, however, take a different view and prefer to perform in-place upgrades, so that means overwriting the existing operating system with the new operating system. Until relatively recently it was always a preferable solution to go down the clean install route, but Microsoft are encouraging us to look at in-place upgrades more favorably now, and in fact it's the basis of how feature updates are managed. We'll talk a bit more about feature updates and managing Windows Update later on in the course.

So when you're upgrading to Windows 10 you can choose between three available methods: an in-place upgrade, so that's the same hardware and you're replacing the existing operating system with a new operating system; or you can perform a side-by-side migration, so you have an old computer with an old operating system and a new computer that already has Windows 10 installed, and you're simply migrating the content, in terms of user settings and data, from one machine to the other; or a wipe and load migration, where you zap the original operating system and completely replace it on the same hardware. The advantage of in-place upgrades, I suppose, is that you've got all of your settings retained; it's a relatively straightforward process, but there are some restrictions. Side-by-side migration: you still have your original machine, it's sitting right there, so you can continue to use it or you can roll back to it at any time, but it's a slightly more torturous process in terms of moving the content from one machine to another. Wipe and load is perhaps the easiest, but it's not strictly speaking an upgrade; it's where you're wiping the existing operating system cleanly off the system and then performing a new installation, or typically a deployment. There are certain valid upgrade paths that are supported;
these are indicated on the slide here. So for example from Windows 8 and 8.1 you can upgrade to Windows 10 Home; you can also upgrade from Windows 8 and 8.1 Pro to Windows 10 Pro, and from Windows 8 and 8.1 Enterprise to Windows 10 Enterprise; that makes sense. You can go from various editions of Windows 7: so from Starter, Home Basic and Home Premium to Windows 10 Home, and then from Windows 7 Professional and Ultimate to Windows 10 Pro, and from Windows 7 Enterprise to Windows 10 Enterprise. If you want to deviate from these supported paths there's nothing stopping you necessarily from doing that, but you'd be looking at doing something like a side-by-side or a wipe and load; doing an in-place upgrade would be problematic in these scenarios.

If you are performing in-place upgrades, it does provide a simple process which is ideal for small groups of computers. It provides for rollback, depending on the specifics, but typically, for example, if you are deploying Windows 10 feature updates you have 10 days to roll back to the previous feature update. So if you've just deployed Windows 10 1903, which at this point in time is the latest edition, you can roll back to Windows 10 1809, or whichever version you're using, 1803, for a period of 10 days, after which that rollback is no longer available. It retains all of your user application settings and all of your user data files, and it maintains them in the same location, so that's a very straightforward thing: users don't have to start searching for things and you don't have to perform any kind of migration or backup procedure. Any applications that were installed before should still be installed afterwards. It avoids the need to provide for external storage during the migration; typically in a migration you migrate to a central store such as a shared folder. But it doesn't allow for edition changes: so if you're going from, I don't know, Windows 7 Enterprise and you want to go to Windows 10 Professional, that would not be supported in place. It's
only available on specific supported operating systems, as indicated in the chart on the previous slide, and it doesn't provide the opportunity to start with a clean, standardized configuration, which is sometimes quite a desirable thing. To perform an in-place upgrade, first of all verify the user's computer meets the hardware requirements; we discussed that already in the last lesson, but essentially anything that can run Windows 7 is almost certainly capable of running Windows 10. Verify all your applications work; we looked at the Application Compatibility Toolkit earlier. Back up your users' files; now, strictly speaking that's not necessary, but it's probably a safe thing to do. Run the setup program for Windows 10; it identifies that it's running on an existing version of Windows, and it will give you the option, if it's supported, to choose Upgrade, which you will do.

If you're performing a migration, you can create a clean installation; you can reconfigure the existing disks, so you haven't got to retain the current disk partitioning, although bear in mind it is certainly possible to use command-line tools and Disk Management to reconfigure disks, to grow and shrink and add additional disks, so that's maybe not such a big deal. You can upgrade to any Windows 10 edition, but it is a more complex process than performing in-place upgrades. You do need external storage space during the migration to store the content, by which I mean the user's data and the user's settings. To perform a side-by-side migration, again verify all the applications are going to work; perform the clean installation of Windows 10, bearing in mind that if you're buying new computers they will already have Windows 10 of the appropriate edition, so you may not need to perform this second step; install all your users' applications; back up user data and settings on the old computer to the central store; and then restore the user's data files and settings on the new computer from the central store. When you're migrating the user state,
remember that it consists of user settings, the user registry (the registry is that database in Windows that contains all of the computer and user settings), application data, which customizes the way applications behave, and user data, so that would typically be any files that the user has stored on their local hard drive that are part of their libraries. You can use a tool like the User State Migration Tool, or USMT, to migrate those settings in either the wipe-and-load or side-by-side migration scenarios. The USMT tool is part of the Windows Assessment and Deployment Toolkit.

When you're using USMT you perform a number of sequential steps. First of all, you capture settings and data using the ScanState command, and then you restore settings and data with the LoadState command. You can configure this behavior to some extent with the following configuration files: MigApp.xml, which defines which applications you'll migrate; MigDocs.xml, which defines the data files that you'll migrate; and MigUser.xml, which determines which particular users on a single computer you'll migrate. You can edit those XML files to get the desired effect. You can also use custom XML files to perform additional customizations. When you use USMT, the following settings aren't migrated: local printers, hardware settings, device drivers, passwords, customized icons, shared folder permissions, and files and settings if different languages are installed.

So let's take a look at how to use USMT to migrate user state. I'm on the client computer CL1. Let's just verify that: if I right-click This PC in File Explorer and choose Properties, you can see CL1, and it's a member of the pearson.com domain. So the first thing I'm going to do is map a network drive. I'm going to map drive U to the server, it's called DC1, and to a location where I've stored the User State Migration Tools. So that I've got something to migrate, I'm also going to create a desktop shortcut for a text file. If I double-click that, I'll enter some content and save the file. So the next thing to do is open a command prompt; I'll run this as administrator. I'm going to change to drive letter U, which was the drive I mapped to the USMT program files, so just verify they're there. They are. And then I'm going to run the ScanState program and specify DC1 as the target server, MigStore is the target share, CL1 is a subfolder, and I'm going to use the XML configuration files mentioned here to migrate the appropriate data and settings. This is just an example command. The migration process will start, and that'll take a few minutes depending on the quantity of data and settings to migrate. So you can see that it's discovered two user accounts and a computer account, and it's migrated the user account, or the two user accounts, over now, and it's just working on migrating the computer settings. Okay, so that migration is complete. Let's just take a look on the server computer, and if I open up File Explorer and navigate to the store, you can see that there's a CL1 folder here and a subfolder called USMT, and that's the migrated content file there. The next step is to migrate the content to the new computer.

Okay, to complete the process we need to switch to the second client. This is another computer running Windows. I've signed in again as the administrator from the Pearson domain. The first thing I'm going to do is map a network drive as I did before; I'll use the same drive letter, U, and those are the User State Migration Tools themselves. I now need to open up a command prompt again; I'll run that as administrator. So one of the things you'll notice is there's no desktop shortcut for that file. So in the command prompt I'll change to drive letter U and I'll just verify the program files are there. They are. And I will run the LoadState command. This time I'm specifying the same folder location, so the same server, the same shared folder and the same subfolder, and specifying the configuration files and then the required security information to open up the migration store, and the migration process begins. It's discovering the users, and then it will discover the computer and then start to migrate those elements across to this computer. There's not much data to migrate for each of these user accounts, so it shouldn't take too long, and you can see already that the file that we created, the shortcut, has appeared on the desktop. And now the slightly longer process of migrating the computer settings. So there we go, that process is now complete. So in the demonstration we saw how to migrate user state using the USMT tools ScanState and LoadState.

So you have three installation strategies that you can choose from. High-touch retail media deployment essentially means walking around the building with a product DVD with Windows 10 on it, inserting that DVD into each of the machines in turn and performing an interactive installation; high touch because it requires that you answer questions during the installation process. A low-touch deployment means, to some extent, automating the answer process, so when you launch the deployment using one of several different tools, the number of questions asked of, or presented to, the user, the installer, is reduced, and that can be done with answer files or with particular services or a combination of those things. Or zero-touch deployments, which require System Center Configuration Manager and the Microsoft Deployment Toolkit and a collection of answer files and sequences, which are used to deploy Windows 10 with an entirely automated process that requires no input from an installer. The option you go for will largely depend on the number of computers that you have to deploy, the level of sophistication of your infrastructure and the level of skill of your IT team. Clearly it requires more skill to configure zero-touch deployments than to perform high-touch retail deployments, so you have to make a judgment about where, for your organization, the appropriate level of automation exists. Some of
the tools that you can use to perform the automation are local; some are built into the cloud, which we'll examine later in the course.

So Windows 10 uses an image-based installation and deployment model. That means we have generic images that contain the operating system, which we can apply to any piece of hardware, and which are then customized during the installation process itself. You can use a number of different tools to work with these images: the Deployment Image Servicing and Management tool, or DISM, which is a command-line tool, or the Windows Configuration Designer. Now, I have the Windows Configuration Designer running, so let me just have a look at that for you. This tool is part of the Windows Assessment and Deployment Toolkit, as is DISM, and you can see here this is Windows-driven as opposed to a command-line tool, and you can use this to provision devices. So it's not, strictly speaking, used to deploy a new computer; it's used to customize a deployment. So consider a scenario where perhaps you've bought some new computers from a vendor, Hewlett Packard, Dell, whoever, and they come pre-installed with Windows 10 but they need customizing in terms of what we call the out-of-box experience, or OOBE, and you can use Windows Configuration Designer to pick up at that point and to complete the configuration of the device. So, for instance, if I choose the option to provision desktop devices, let's name this project Test, and it will take a moment to open that, and there you can see a Windows-driven process, step by step, in a wizard here, to set up the device in terms of its computer name, product key, network settings, whether or not you want to enroll it into Active Directory or Azure, configuration of local account details, applications that you want to deploy to the device, certificates that you want to deploy to the device, and so on. And then you can take that provisioning package and apply it to computers using a variety of techniques. We'll come back and look at the Windows Configuration Designer properly later in the course.

Then you can create your installation media and deploy the images by using a DVD installation. So, having customized the image, you can export it to a writable DVD and then walk around and use that as the basis of your deployment; again, slightly time consuming. You can use a USB memory stick; that's probably more practical these days, as many devices do not even have an optical drive. So it's essentially the same process: you write out to a USB device, and then you take that USB device and you boot from it and the installation proceeds. You can customize either DVD installations or USB installations with answer files; I'll talk about those in a moment.

The Windows Deployment Service can be used. Let's take a quick look at that. It's a server-based service; as you can see here, it's running on a Windows Server box, and it's used to automate the deployment of images. I've got a deployment server configured here in the contoso domain, and I've added some installation images to it. You can see here I've got an image for Windows 10 Enterprise for 64-bit, and I can customize boot images, which are used to start into the installation process, and then I can configure what we call multicast transmissions. I've not done that yet, but you can configure that as the basis for deploying to groups of computers. So the advantage of this is that you place your images on a service and you connect to the service from across the network, typically on a computer that has no operating system already installed.

Image-based installation, of course: so you can wander around with images and use those to apply directly to your computers. Typically that will use an additional component, so rather than Windows Deployment Services you might use something like System Center Configuration Manager or a third-party imaging technology. When you're using image-based installation, you start with a standard image like install.wim that comes on the product DVD. You then customize that to your requirements by applying it to a target workstation and then customizing that in terms of installing applications and any security updates and feature updates that you need to apply, and when it's completely configured to suit your environment you capture its state, store it on a deployment server somewhere or other, and then deploy that out to new workstations as they arrive, effectively on the basis of a wipe-and-load. You can use Windows Deployment Services to assist with that, or SCCM, or, as I said, a third-party tool. But that's what we call image-based installation: so, strictly speaking, a deployment technology that works with custom images. A lot of organizations with a fairly large number of computers will use that mechanism to deploy Windows 10.

You can also place all of the installation files into a shared network folder and connect across the network and install that way by running the setup program. That is marginally better than wandering around and installing from the DVD, but not a lot better, because there's not much in terms of automation that's provided. Again, you can create an answer file that will help with the automation, but we're not using a deployment service, so it's a little bit more interactive.

And we've also got the ability to use Windows System Image Manager. I've got that running; let's have a quick look at that. So this is, again, part of the Windows Assessment and Deployment Toolkit. It's a mechanism for creating answer files in those situations where you're performing a deployment that requires some degree of interaction; you can automate that interaction to some extent. So, I'm not going to do a proper demonstration or anything, but you can see here I've got an image loaded, Windows 10 Enterprise, and these components down here that are listed, which are part of the setup process. So, for instance, if I expand out this node here, I've got the ability to configure display settings, the disk configuration, the paging file and so on. Those are the sorts of things that you normally configure during the interactive setup, and if I select to create a partition during installation to support Windows, once I've configured the settings over here in the Create Partition property window, up in the top right here, I can then add those settings to the answer file, and once they're in the answer file here, okay, then I can save the answer file away and associate that answer file with an image. So, for instance, I could place the standard Windows 10 Enterprise image on a memory stick and I could create an answer file that customized the installation, and as long as I created an answer file and called it autounattend.xml and placed it in the root of my memory stick, then it would automatically be detected during setup. So the process of installing from a memory stick would change somewhat: instead of having to boot from the memory stick and answer questions, I would boot from the memory stick and it would automatically pick up the answers to any questions that are normally asked during the installation process.

Another way, or another consideration rather, when you're about to perform an installation of Windows 10 is to check that your devices are ready to support Windows 10. We looked at some tools in an earlier lesson, the Microsoft Assessment and Planning Toolkit for instance, that would allow us to make that determination, but there are also cloud-based services such as Upgrade Readiness which allow you to gather data from your organization's computers. You can check the computer for settings and the appropriate state for Windows 10, you can check your applications, and you can also check for driver issues. You can use that data that's been gathered up into a cloud service, which is part of Azure, to make a determination about whether or not your organization is ready for Windows 10. Okay, in this demonstration we'll take a look at performing a clean installation of Windows 10.
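The ScanState and LoadState commands from the USMT demonstration earlier in this lesson, wrapped in a PowerShell script, as an added example that is not part of the course or of USMT itself. It assumes the USMT binaries from the Windows ADK are reachable on a mapped drive U: and that \\DC1\MigStore is a writable share, mirroring the lab names used in the demonstration; the log paths and the key file location are assumptions. Run it from an elevated PowerShell session on the source computer and then on the destination computer.

```powershell
# Added example (not from the course): drives scanstate.exe / loadstate.exe with the
# three standard USMT configuration files named in the lesson. Lab names (U:, DC1,
# MigStore, CL1) follow the demonstration; everything else is an assumption.

$UsmtPath  = 'U:\'                  # mapped to the USMT program files (assumption)
$StoreRoot = '\\DC1\MigStore'       # central migration store share (from the demo)

# MigApp.xml, MigDocs.xml and MigUser.xml ship with USMT and sit next to the binaries.
$ConfigXml = @('MigApp.xml', 'MigDocs.xml', 'MigUser.xml') |
    ForEach-Object { Join-Path $UsmtPath $_ }

function Invoke-UsmtScanState {
    param(
        [Parameter(Mandatory)][string]$StorePath,  # e.g. \\DC1\MigStore\CL1
        [Parameter(Mandatory)][string[]]$Xml,
        [string]$KeyFile,                           # optional: encrypt the store with this key file
        [string]$LogPath = 'C:\Logs\scanstate.log'  # assumed log location
    )
    New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null
    # /o overwrites an existing store, /c continues past non-fatal errors,
    # /v:13 gives verbose logging; each /i: adds one migration XML file.
    $cmdArgs = @($StorePath, '/o', '/c', '/v:13', "/l:$LogPath") +
               ($Xml | ForEach-Object { "/i:$_" })
    if ($KeyFile) { $cmdArgs += @('/encrypt', "/keyfile:$KeyFile") }
    & (Join-Path $UsmtPath 'scanstate.exe') @cmdArgs
    if ($LASTEXITCODE -ne 0) { throw "ScanState failed with exit code $LASTEXITCODE; see $LogPath" }
}

function Invoke-UsmtLoadState {
    param(
        [Parameter(Mandatory)][string]$StorePath,  # same subfolder the ScanState run wrote to
        [Parameter(Mandatory)][string[]]$Xml,
        [string]$KeyFile,                           # must match the key used by ScanState
        [string]$LogPath = 'C:\Logs\loadstate.log'
    )
    New-Item -ItemType Directory -Force -Path (Split-Path $LogPath) | Out-Null
    # /lac creates local accounts found in the store that do not exist here,
    # /lae enables them; domain accounts are simply mapped to the domain.
    $cmdArgs = @($StorePath, '/c', '/v:13', "/l:$LogPath", '/lac', '/lae') +
               ($Xml | ForEach-Object { "/i:$_" })
    if ($KeyFile) { $cmdArgs += @('/decrypt', "/keyfile:$KeyFile") }
    & (Join-Path $UsmtPath 'loadstate.exe') @cmdArgs
    if ($LASTEXITCODE -ne 0) { throw "LoadState failed with exit code $LASTEXITCODE; see $LogPath" }
}

# On the old computer (CL1 in the demonstration): capture into its own subfolder.
# Invoke-UsmtScanState -StorePath "$StoreRoot\$env:COMPUTERNAME" -Xml $ConfigXml -KeyFile 'C:\Secure\usmt.key'

# On the new computer: restore from the subfolder the old computer wrote.
# Invoke-UsmtLoadState -StorePath "$StoreRoot\CL1" -Xml $ConfigXml -KeyFile 'C:\Secure\usmt.key'
```

The key file corresponds to the "required security information" the demonstration supplies when LoadState opens the store: a store written with /encrypt can only be read back with the matching key, which matters because the share holds users' registry hives and documents. Remember the exclusions the lesson lists (local printers, drivers, passwords, shared-folder permissions): none of them will be in the store, so they need to be handled separately on the new computer.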
So when you start setup you're prompted to choose a language, a time and currency format and any keyboard layout that you want. I'm just going to accept the defaults here and then choose Install. I accept the license terms, and then I'm going to choose Custom installation. You can see I have a single hard disk here; if I click Next, it will set up the appropriate partitions and format them appropriately for me. So now files are copied, and then we progress through a process of installing features and updates before being prompted through a short wizard to complete the installation process. After a while, your computer will restart and then setup will continue. So when you're prompted, you can configure the appropriate region and keyboard layout; if you want, you can add additional keyboard layouts. Enter a default local account, add a password, confirm the password and a hint. If you want to enable Cortana, you can do so. Accept the privacy settings, or not, and then your desktop environment is built. And there we go, the desktop is built. Okay, so in that demonstration we saw how to perform a clean installation interactively.

Multi-booting Windows. With multi-boot you can configure your computer to start from several different operating systems. Now, this is probably less widely used, or less widely implemented, now than perhaps it was in the past. As IT pro support people, it's quite likely you'll want to support several different operating systems, or possibly just several different versions of Windows, maybe even Windows 10 and Windows Server on the same computer. In the past, the only way of doing that was to configure multi-boot, so that your computer could choose between multiple operating systems during the startup sequence. With the advent of virtualization and Client Hyper-V on Windows 10, there's no real reason why you can't simply create a virtual machine and support your other operating system in that way. But bearing in mind that the nature of virtualization is such that it shields the hardware from direct access from the guest operating system, it may not always be the appropriate method to use. There have been occasions when I've needed to create physical access to hardware for my Windows Server installations that normally run within virtual machines, and so in those circumstances I've needed to create multi-boot. Essentially, then, multi-boot Windows is just the Windows 10 operating system presenting you with a choice of operating systems during the startup sequence. There are a number of reasons to consider multi-boot; they include testing application compatibility, testing a new operating system and supporting multiple users. Normally what you see during multi-boot is what you see on the screen here: a menu that pops up in the early sequence of the startup of Windows 10 that offers you choices. In this case you can see "Choose an operating system", and the default is Windows 10, but you also have the option for Windows 8.1 in this particular circumstance.

To set up multi-boot, you need to create a separate hard disk partition for the new operating system. Start your computer with the installation media inserted; typically that's a DVD or USB memory stick with the necessary image files. Launch the operating system installation program, and then specify the installation target as the newly created partition. If you specify the existing partition with the existing operating system, you're going to be experiencing some problems.

Now, there is an alternative: you can also use virtual hard disks, or VHDs, to create the same scenario. So instead of installing the operating system onto the same hard disk, albeit into a different partition, you can instead use the following procedure. Create a virtual machine for your secondary operating system; in my case that was Windows Server on a Windows 10 computer, so I installed the Client Hyper-V feature, created a virtual machine and installed the operating system into that virtual machine. Then I mounted the virtual hard disk in the host file system. It doesn't matter particularly how you do that, but it's not a complicated thing; you can do it from Disk Management, for example. Once it's mounted, it has a drive letter associated with it, so it looks very much like the C partition but will have a different drive letter and, obviously, a different operating system. You can now modify the Windows 10 boot configuration data, or BCD store, to identify the new operating system, so that it knows what operating systems are available, and it will present that as a choice in an operating system menu very much like you can see on the screen here. And then, finally, you dismount the VHD, but don't remove the virtual hard disk from the host. The advantage of doing things in this way is that you don't need to install onto a separate partition; you don't need to re-partition your hard disks. The other significant advantage is that when you've finished dual-booting, it's much easier to clear up: you simply remove the virtual hard disk completely by deleting it and then modify the boot configuration data again to identify the fact that you've got a single operating system. It's not as messy, and therefore it's less intrusive, and it would certainly be my preferred method for configuring multi-boot where I had to have multiple operating systems installed on the hardware.

Native boot VHD enables you to start your computer to Windows 10 from a virtual hard disk. I've sort of just described that process; it's slightly different. It doesn't require that you use Hyper-V to create the virtual hard disk in the first place, but it does only support the Windows 10 Enterprise and Windows 10 Education editions. To complete the process: create the virtual hard disk; attach the hard disk to your computer, but don't initialize the hard disk yet; start up your computer from the Windows 10 installation media; launch an elevated command prompt and attach the virtual hard disk; then install Windows 10 to the newly attached disk. So, in essence, then, you create an empty virtual hard disk, attach it to the computer and point the installation routine to it. What I described in the previous scenario was to use Client Hyper-V to create a virtual machine, completely configure it, and then mount the completed virtual hard disk, with its operating system, into the file system and modify the boot store to point at it. There are a number of features that are unavailable in native boot, including hibernation, but sleep mode is supported. I don't consider that to be a particular disadvantage; I seldom use hibernation now. When I close the lid on my laptop it goes to sleep; when I open it, it starts up again, and I almost never need to shut down my laptop on that basis. You cannot upgrade the version of Windows 10 installed on the virtual hard disk. BitLocker is unavailable for whole-drive encryption; that's just in the nature of the way the computer starts up. That's because when you use BitLocker for the system drive you also require an unencrypted drive that contains the boot configuration database for startup; if you're booting from a VHD you don't have that capability. And you can't start up Windows 10 from a VHD that's located on a remote share or a USB flash drive. There are other means of enabling Windows 10 on a flash drive, that's called Windows To Go, but using native boot on a VHD is not supported in that way.

To install on bootable USB, you can use the Media Creation Tool, which you can download from the Microsoft website. To create bootable USB, use the following process: download and run the Media Creation Tool; select Create installation media for another PC; select the required language, edition and architecture (that tends to default to what seems appropriate on the local computer, but you can change it); and then specify which USB flash drive you want to use and select the appropriate flash drive. The MCT will download the version of Windows 10 that you selected and copy it to the removable drive, so that you can use that to start up Windows 10.
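The boot configuration data step from the VHD multi-boot procedure above, as an added example that is not part of the course: it copies the current Windows boot entry, points the copy at a VHD file with bcdedit, lists the VHD-backed entries so you can verify the result, and removes the entry again when you have finished dual-booting. It assumes a VHDX at C:\VHD\Win10.vhdx that already contains a Windows installation (a hypothetical path on a local volume, since the lesson notes that VHDs on a remote share or USB drive cannot be booted). Run it from an elevated PowerShell session.

```powershell
# Added example (not from the course): manage a native-boot VHD entry in the BCD store.
# Assumes the VHD already holds a Windows installation and lives on a local volume.

function Add-VhdBootEntry {
    param(
        [Parameter(Mandatory)][string]$VhdPath,          # e.g. C:\VHD\Win10.vhdx (assumed path)
        [string]$Description = 'Windows 10 (VHD)'        # text shown in the boot menu
    )
    if (-not (Test-Path -LiteralPath $VhdPath)) { throw "VHD not found: $VhdPath" }

    # BCD syntax is vhd=[C:]\path: the bracketed drive letter is the host volume that
    # holds the VHD file, the remainder is the path of the file on that volume.
    $drive   = Split-Path -Qualifier $VhdPath            # "C:"
    $relPath = $VhdPath.Substring($drive.Length)         # "\VHD\Win10.vhdx"
    $bcdPath = "vhd=[$drive]$relPath"

    # Copy the running OS entry so the new one inherits sensible loader defaults,
    # then parse the GUID of the new entry out of bcdedit's confirmation message.
    $copyOut = bcdedit /copy '{current}' /d $Description
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $copyOut" }
    $guid = [regex]::Match(($copyOut -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
    if (-not $guid) { throw "Could not parse the new entry GUID from: $copyOut" }

    bcdedit /set $guid device   $bcdPath | Out-Null
    bcdedit /set $guid osdevice $bcdPath | Out-Null
    bcdedit /set $guid detecthal on      | Out-Null     # let the VHD OS detect the host's HAL
    return $guid
}

function Get-VhdBootEntries {
    # Lists Windows Boot Loader entries whose device is a VHD, for checking the change.
    (bcdedit /enum osloader) -join "`n" -split '(?:\r?\n){2,}' |
        Where-Object { $_ -match 'vhd=' } |
        ForEach-Object {
            [pscustomobject]@{
                Identifier  = [regex]::Match($_, 'identifier\s+(\S+)').Groups[1].Value
                Description = [regex]::Match($_, 'description\s+(.+)').Groups[1].Value.Trim()
                Device      = [regex]::Match($_, 'device\s+(.+)').Groups[1].Value.Trim()
            }
        }
}

function Remove-VhdBootEntry {
    # Clean-up step from the lesson: delete the entry (and drop it from the display
    # order with /cleanup); the VHD file itself can then be deleted separately.
    param([Parameter(Mandatory)][string]$Guid)
    bcdedit /delete $Guid /cleanup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /delete failed for $Guid" }
}

# Usage:
# $id = Add-VhdBootEntry -VhdPath 'C:\VHD\Win10.vhdx' -Description 'Windows 10 (VHD)'
# Get-VhdBootEntries          # confirm the new entry shows device vhd=[C:]\VHD\Win10.vhdx
# Remove-VhdBootEntry -Guid $id   # when you have finished dual-booting
```

Because the new entry is a copy of {current}, it reuses the host's boot files and firmware mode, so the operating system inside the VHD has to have been installed for the same firmware type (UEFI or BIOS) as the host; a Hyper-V Generation 2 VM produces a UEFI/GPT install, a Generation 1 VM a BIOS/MBR one. Keeping the GUID that Add-VhdBootEntry returns is what makes the tidy-up the lesson praises a one-liner later.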
In the demonstration we'll see how to create a bootable USB version of Windows 10. Okay, so the first thing to do is to download the Media Creation Tool. You can go to the microsoft.com website, locate the "Create Windows 10 installation media" link, and then select Download tool now. Save the tool; it will obviously download into your Downloads folder by default. I'm going to confirm with User Account Control that I want to proceed. I'm going to accept the terms of the license agreement. So, using the Media Creation Tool, you can upgrade the computer you're sitting at, or you can create installation media, which is what I'm going to do. I can choose the language, the edition and the architecture, and then I can create a USB flash drive or burn to an ISO. It can see that I have an appropriately configured USB flash drive, so I've selected that. It's now downloading the appropriate version of Windows, the one that I selected earlier. After verification, it goes on to create the Windows 10 media, and so there we are: the USB flash drive is ready, it's on drive E, and I click Finish to close the wizard. And then if I take a look through Windows Explorer and have a look at drive E, there we have it: that's the bootable setup for the version of Windows that we downloaded, Windows 10 Enterprise 64-bit. All that would remain now is for you to take that media to the computer you want to install, insert the USB stick and start the computer from the USB stick. That might require that you reconfigure the computer's BIOS or UEFI settings so that it can boot from USB, but most modern computers will do that as soon as they recognize that there's a bootable device. In the demonstration you saw how to create a bootable USB Windows 10 installation.

Activation is an important part of configuring and managing most Microsoft products, and also of remaining within the terms of the Microsoft software licensing terms agreement. Sometimes activation is a manual process and sometimes it can be automated, depending on your infrastructure and your particular licensing requirements. There are a number of activation methods. You must use a product key when you purchase the retail version of Windows 10 (a product key is a long number that's normally on the bottom of a computer or on an associated disk, and you must enter that to perform the activation) or if your organization has a Microsoft volume licensing agreement. If you purchased a new device with Windows 10 installed, you don't need to enter a product key; nor when you upgraded from a supported device running a legitimate copy of Windows 7 or Windows 8.1, when you purchase Windows 10 from the Microsoft Store, or when you purchase the Windows 10 Pro upgrade from the Microsoft Store.

For large organizations you might want to use a volume activation method, and there are a number of these. The first is the Key Management Service, or KMS. You can use this Windows Server role service to activate Windows 10 in your organizational network. Your client computers connect to the KMS server to activate and therefore don't need to connect to Microsoft for activation. You don't need to dedicate a particular computer to perform this role; it can be an additional role on a computer that's performing other tasks, but there may be certain benefits for large organizations in using a dedicated server. KMS is designed for organizations with 25 computers, either physical or virtual, that are persistently connected to a network. KMS requires a minimum threshold of 25 before activation requests are processed, so for small organizations it's not the ideal choice. As an alternative, you can use Active Directory-based activation. Any device running Windows 10 that is connected to your organization's domain network and is using a generic volume licensing key can use Active Directory-based activation. Every so often the client must renew the license from the licensing service, so to remain valid the client must remain part of your organization's domain. You don't need to dedicate a particular server to perform this role, in the same way as you don't with KMS. Note that you can't use Active Directory-based activation for devices running Windows 10 that aren't members of your domain. Multiple Activation Key uses special volume licensing keys that can activate a specific number of devices running Windows 10. You can distribute these multiple activation keys as part of your organization's Windows 10 operating system image. The method's ideal for isolated client computers, which benefit from a one-time activation using the hosted activation services provided by Microsoft. The Volume Activation Management Tool, which is also part of the Windows Assessment and Deployment Toolkit, is available for managing activation. You can use it to verify the KMS host key, to discover computers and products, to monitor the status of activation on those devices, to manage product keys, and to manage and view activation data.

When a device running Windows 10 is not activated, the user is presented with a watermark in the lower right corner of the screen requesting activation. There are certain restrictions whilst you're in a non-activated state, so you can't personalize the device, such as changing wallpaper or colour schemes, but there's no grace period for how long you can use Windows 10 without activation. Typical reasons for problems with activation occur after significant hardware changes, so, for example, if you change the motherboard, then Windows 10 might fall out of activation. If you're experiencing problems with activation, you can use the activation troubleshooter. This is available for all users on the Activation tab within the Settings app. If the device hasn't been activated, running the troubleshooter can locate a digital license that's linked to the Microsoft account used on the computer and then prompt you to try activation again.

This is Lesson 2, Perform Post-Installation Configuration. In this lesson we discuss how to configure Windows 10 following installation or upgrade. During the
lesson you'll learn how to configure sign-in options customize the user interface configure microsoft edge configure internet explorer configure mobility settings and configure power options the hands-on demonstrations in this lesson include configuring windows authentication options configuring the user interface and notifications configuring microsoft edge and internet explorer enterprise mode configuring internet explorer and configuring power options battery settings and power plans multi-factor authentication is supported by windows 10. multi-factor authentication requires two or more authentication methods these are something that you are something that you have and something that you know so for example something that you know might be a username and a password something that you have might be a physical device so for instance it might be possible for you to receive a text message to confirm you are who you claim to be when you sign in on a new device something that you are is a biometric fingerprint facial recognition retina scan a number of these exist these are becoming more commonly available even in fairly entry-level devices now windows 10 also supports digital certificates think of a digital certificate as being something like a passport a passport that proves who you are but more than that a passport is issued by an authority an authority that people trust so digital certificates are part of a public key infrastructure or pki which consists of certificate authorities which are issuing authorities they issue and manage certificates in the same way as the passport office might issue and manage passports as a proof of id and windows 10 also supports biometric authentication you can enable biometrics with group policy settings open up the policy editor and navigate to administrative tools windows components and biometrics and as you can see on the right here you can configure allow the use of biometrics allow users to log on using biometrics allow domain 
users to log on using biometrics and then specify timeout for fast user switching events additionally there is a facial features node for configuring those respective settings windows hello enables your users to sign in using biometric authentication windows hello for business extends that to use multi-factor authentication to sign into windows 10. users can use a pin that's a personal identification number or biometric sign-in system to sign into a windows 10 computer this enables users to authenticate to applications to enterprise content and online authentication providers such as for example office 365 or microsoft 365 note that when windows 10 first shipped it included two separate authentication technologies microsoft passport and windows hello these two are now combined as windows hello to provide for multi-factor authentication the benefits of winners hello strong passwords are difficult to remember consequently users will write them down or in other ways compromise them if you allow your users to use simple passwords then they can be relatively easily guessed passwords are also vulnerable to replay attacks this means it's possible for malicious software to capture a password and then to reuse that password passwords are also vulnerable to phishing attacks typically that might be in the form of an email requesting information from a user which may include a requirement to enter a password to avoid these vulnerabilities it's necessary to implement windows hello this helps provide protection against credential theft it also supports hybrid and cloud only deployments and provides for a faster sign-in i have a surface go device and surface go uses facial recognition as soon as i boot the device which takes eight or nine seconds if i'm within visual range which is actually not that close it recognizes me even if i'm wearing my admittedly rimless glasses and then immediately signs me in it doesn't require for me to swipe up or down or enter a pin or to remember a 
password and type it in it just recognizes who i am so let's have a look at some of the authentication options in windows 10. to access the sign-in options go to settings select the accounts node and then select the sign in options tab depending on the configuration of your computer that's the physical configuration will determine precisely the options that you have available you can see for example on my current laptop windows hello facial recognition is not available that's because it doesn't have an appropriate camera and nora is windows hello fingerprint however i can sign into windows using a pin i can select that option and then i can change my existing pin or remove a pin if i want to stop using pin signing i sometimes could ask why is a pin safer to use than a password a complex password or even a simple password after all a four digit number can't be that difficult to guess well four digits gives you a fair number of combinations in fact so it's quite difficult to guess and the pin number is relatively easy for a user to remember but quite hard for a malicious person to guess couple that with the fact that the pin is only useful on this device so if i sign in on another computer i may have the same pin or i may have a different pin or i may not use a pin at all so the pin requires not only knowledge of the pin but also the specific device where it was used that helps to make it more secure i can use a physical security key if i want to by creating that that requires a usb memory stick and i insert that during the sign-in process to determine or to verify who i am again that's a multi-factor option because it's requiring me to have something and then there's the traditional password as a way of signing in and then a slightly more unusual picture password so you can display a picture on the screen during the sign in and then you can use your finger on a touch screen to map a pattern that you've recorded that only you know that will help you sign in much like 
we do on mobile phones. So in the demonstration you were able to see the various authentication options available on a Windows 10 computer.

If you're new to Windows 10 there's quite a lot that's different in the user interface and the way in which it's configured compared with Windows 7, but broadly speaking the same sort of options exist. Let's step through some of those now. Perhaps the most obvious difference is customizing Start. The Start menu behaves in a little bit of a different way under Windows 10. You can customize it to show more tiles on Start; to show an app list in the Start menu, that's a list of all of the apps, alphabetically sorted; to show any recently added apps (any apps that you add are always indicated as being new, with the word "new", until you've run them at least once, but you can also list them at the top of the Start menu in the app list); if you use apps a lot they can be listed at the top under Show most used apps; you can also show suggestions occasionally in Start; and you can run Start full screen, which is more usual when you're using a touch device. So, for example, I've got a fairly small Windows device, a Surface Go, which is, I think, about a 10-inch display, something like that, so relatively small, smaller than the Surface Pro and certainly smaller than my 13-inch HP laptop, so when I run it in full screen that's probably a more user-friendly interface for a touch-only device. And Show recently opened items in Jump Lists: this is quite useful, actually, because it means if you've got icons pinned to the taskbar (that's the bar across the bottom of the screen), if you right-click something like your Word shortcut it will show you all the documents that you've recently opened and you can select amongst those. You can also pin some of the more frequently used applications to the list. You can also specify which folders will appear on Start, so that might be your libraries such as Pictures and Videos and Documents, and you can pick which of those you want
to have up here. If your computer is configurable as a tablet device, and many are these days, then this option is useful: configure tablet mode. I have two computers. I've got an HP laptop which has a screen that folds all the way around, 360 degrees; when I flip it around it disables the physical keyboard and reorientates the display so that it's running in tablet mode, and that happens automatically because of the options I've configured. Likewise, my Surface Go has a detachable keyboard; when I detach the keyboard it changes into tablet mode, and when I reattach it it flicks back out of tablet mode. You can see the options here on the display. You can choose, when I sign in, to use tablet mode, use desktop mode, or use the appropriate mode for the hardware at that moment. You can also configure when this device automatically switches tablet mode on or off: you can choose Don't ask me and don't switch, Always ask me before switching, or Don't ask me and always switch. So I can choose that behavior for my HP laptop if I want to, so that as I rotate it around the axis and the keyboard goes beyond 180 degrees, what's it going to do? Is it going to ask me before switching into tablet mode, or just go ahead and do it? And that's configurable.

When you're in tablet mode you can also configure the following options. You can hide application icons on the taskbar in tablet mode so that you've got a bit more space. The thing about switching from desktop mode to tablet mode is that the assumption is that you're going to start using your fingers on the screen, and fingers tend to be a little less small than a mouse pointer, and so touching things on the screen on the taskbar, which is easy with the mouse, is less easy with your fingertip because it's bigger. So you can hide those icons to give you a bit more working room. You can automatically hide the taskbar completely in tablet mode; I prefer not to do that, but it's configurable. You might find that you can navigate
completely by swiping from the left and the right, or by tapping; some devices come with a specific Windows button and you can just press that and it will bring up the Start screen for you.

Once you've decided on or configured tablet mode for those devices which are convertible, you can also configure tiles. I'll show you this in more detail in a demonstration in a minute, but essentially you can configure how your tiles on the right-hand side look, so you can make them big, make them small, make them wider; you can enable active content on them so they animate; you can group them together, and so on. So all of those behaviors are available.

The Action Center is on the right-hand side of the display; you can see that here. It deals with notifications in the top half, and then the bottom has a number of tiles that you can use to configure, again, access to configuration options, those that you want to frequently access. You can configure the Action Center through the Notifications & actions tab on the System node of the Settings app: so open up Settings, go to System and then choose Notifications & actions, and you can configure what appears here in the notification area and how notifications are handled. You can manage notifications to quite a degree of accuracy; you can even get notifications from specific applications as well.

The taskbar appears at the bottom of the screen, and you can control its behavior: automatically hide it in desktop mode or not, automatically hide it in tablet mode or not, use small taskbar buttons or not, and use Peek, which means when you hover your mouse pointer over an icon it will produce a sort of small snapshot of what would happen were you to click that icon; so if you're running Word then it will show you a mini version of the document that you've got open. I'll show you that in a second. Another useful feature here is when you right-click Start: there are various options that appear, and you can choose to replace the Command Prompt with Windows PowerShell. Bear in
mind that Windows PowerShell allows you to run all Command Prompt programs, whereas the Command Prompt does not allow you to run any Windows PowerShell commands, so it's not a bad idea, probably, to replace Command Prompt with Windows PowerShell; and there are a variety of other options which I'll go through in the demo.

Cortana is your digital assistant, and you can enable and configure behavior for that, assuming you have speakers and a microphone, which I'd imagine is pretty much the case for every PC. Accessibility options exist to make the operating system more accessible to users, including display settings, cursor and pointer settings, the Magnifier, color filters, high contrast settings for the display, and Narrator. When you install Windows 10 you're expected to choose a language and a keyboard layout, and you can also optionally choose several keyboard layouts during installation, but you can then configure additional language packs afterwards: open Settings, select the Time & Language option and then click Region & language, and then under Languages select Add a language and then select the language that you want to use.

I'm going to show you a short demonstration now on configuring the user interface and configuring notifications. So, in no particular order: if I want to configure taskbar settings I can right-click the taskbar and choose Taskbar settings from the context menu, and it will take me to the appropriate location within Settings; you can see that here. Then I can configure Automatically hide the taskbar in desktop mode; if I select that now you'll see it disappear (it's gone, or not, as the case may be) and it reappears. I can use small or large buttons; you can see the difference there. And I can choose Peek, so let's see what that does. Let's open up something: if I open up File Explorer here and then minimize it, if I'm in Peek, or if I've got Peek enabled, and I hover over that, you can see it shows me a sneak preview of what's running. I can replace Command Prompt with
PowerShell, so to have a look at that, if I right-click Start here you can see that PowerShell appears; if I deselect that option and right-click, you can see the Command Prompt is there instead. So you can configure the taskbar there.

To configure notifications I can go into Settings, and then on System I can choose Notifications & actions, and you can see here Get notifications from apps and other senders. I've got Focus assist to help me here: if I'm doing a presentation or something, I don't want to receive notifications from applications like Messenger or something, and I can turn that off through Focus assist, so it recognizes that I'm in a presentation and it will only show me emergency notifications or those that I want to allow through. I can specify whether or not notifications will appear on the lock screen, and so on. At the moment I've got notifications only from these senders; I've only got this particular one configured, but if I have multiple applications in, I can configure that behavior for each application. I can edit Quick actions here; Quick actions are those tiles that appear down on the right-hand side in the notification area, or in the Action Center, and I can move these around, or unpin them, or replace them with others if I want to. I can also choose to collapse, and if I collapse I'll only see the top row, so I want to make sure that that top row has the most useful features to me. This is the Focus assist option that I mentioned earlier on: I can configure Alarms only or Priority only, and then specify what the priority list is, and I can also specify the times when this will automatically be enabled, so I might not want to receive notifications between 11 pm and 7 am; that seems pretty sensible to me.

Also under System we have Tablet mode, which I mentioned in the presentation. You can choose the option for when you sign in, Use the appropriate mode for my hardware, and that seems a very sensible setting, so that whether or not you've got your keyboard
detached, it doesn't require you to do anything; it senses that straight away, so as soon as you sign in it knows whether it needs to be in tablet mode or not. And also this option here: Don't ask me and don't switch, or Don't ask me and always switch. For me, I'd set that probably to Don't ask me and always switch, because if I rotate my computer around the axis I want it to turn off the keyboard and I want it to flick into tablet mode. When it's in tablet mode I can control these additional behaviors as well. Okay.

And the next thing we can have a look at is configuring the Start menu itself. If we click on Start you can immediately start to reconfigure it. So if I want to rename some of these groups here, I just click in that area and I type in a new name. If I want to create a new grouping I can simply drag an icon to an area of free space and then give it a new group name. To resize an app, if I right-click it I can choose Resize here: Small, Medium, Wide or Large. Let's see what Large looks like; there. Small. And then I can obviously group those together if I want to. If I want to uninstall an app, well now, that gets interesting; it depends on the type of the app. If it's a Store app I can right-click it and then choose Uninstall, depending: now, if it's a built-in app you can't uninstall it, but if it's an added-on app then you can uninstall it from here. If you right-click a desktop app and choose the Uninstall option, it takes you to Control Panel to remove the application. So it's relatively easy to customize the look and feel of this if you want to. Other options for things like this include Turn Live Tile on or off, so if you've got a weather app or a news app it will update itself with interesting content. So you can see over on the left-hand side here we've got a news app which has got a picture going on there, so that would update; we've also got a weather app showing us what the weather is like in Washington, and we can reconfigure that behavior, so we could say we want to turn
off Live Tile, in which case it just shows a standard icon as opposed to the current weather. So in the demonstration you saw some of the basics of how to configure the user interface and how to configure notifications and taskbar settings, and tablet mode.

Microsoft Edge is the new browser in Windows 10. Windows 10 still ships with Internet Explorer, and you can choose either of those, or indeed a third-party browser if you prefer. The advantage of Microsoft Edge is that it's a Store app and therefore uses fewer resources than, say, Internet Explorer. For the most part you shouldn't experience any problems using Edge to navigate to some of your favorite websites. Edge includes a number of new features, including Reading mode and the Hub, which consolidates favorites, reading list, books, history, downloads and extensions. You can also make web notes by writing or drawing on a web page. Occasionally you might find websites that don't render correctly in Microsoft Edge, in which case you can use Internet Explorer, but when you're not sure whether to use Internet Explorer or Microsoft Edge you might have to switch between the two or configure Internet Explorer's Compatibility View. Microsoft provide a tool called Enterprise Mode which allows you to configure, for particular websites, a particular browser. To enable Enterprise Mode, download and install the Enterprise Mode Site List Manager tool for Windows 10.
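As an added example, not part of the course and not the tool's own output, here is what a site list of the kind the Enterprise Mode Site List Manager saves looks like, built and sanity-checked with Windows PowerShell so that it can be reviewed before a policy points clients at it. The two site entries and the share path are constructed values; the site-list, site, compat-mode and open-in elements follow the v2 site-list schema the tool writes; the two registry paths are assumed to be where the Configure the Enterprise Mode Site List policy stores its value for Edge and for Internet Explorer 11, and should be verified on your own build.

```powershell
# Added example (not from the course): build an Enterprise Mode site list (v2 schema),
# re-read it to confirm it parses, and report which site list policy is currently set.
# Site URLs and the share path below are constructed values; registry paths are assumptions.

$sites = @(
    @{ Url = 'www.microsoft.com'; OpenIn = 'IE11';   CompatMode = 'Default' }  # constructed
    @{ Url = 'contoso.com';       OpenIn = 'MSEdge'; CompatMode = 'Default' }  # constructed
)

# Build the document with System.Xml so the output is well-formed and values are escaped.
$doc  = New-Object System.Xml.XmlDocument
$decl = $doc.CreateXmlDeclaration('1.0', 'UTF-8', $null)
$null = $doc.AppendChild($decl)
$root = $doc.CreateElement('site-list')
$root.SetAttribute('version', '1')          # raise this whenever you publish a changed list
$null = $doc.AppendChild($root)

foreach ($s in $sites) {
    $site = $doc.CreateElement('site')
    $site.SetAttribute('url', $s.Url)
    $compat = $doc.CreateElement('compat-mode'); $compat.InnerText = $s.CompatMode
    $openIn = $doc.CreateElement('open-in');     $openIn.InnerText = $s.OpenIn
    $null = $site.AppendChild($compat)
    $null = $site.AppendChild($openIn)
    $null = $root.AppendChild($site)
}

# Save to a UNC share that every client can read (assumed path; adjust to your environment).
$sharePath = '\\FILESERVER\EMIE$\sitelist.xml'
$doc.Save($sharePath)

# Re-read the saved file and list what it contains before rolling it out.
[xml]$check = Get-Content -Path $sharePath -Raw
$check.'site-list'.site | ForEach-Object {
    '{0,-25} open-in={1,-7} compat-mode={2}' -f $_.url, $_.'open-in', $_.'compat-mode'
}

# Report what the Configure the Enterprise Mode Site List policy currently points at.
# Both registry paths are assumptions (Edge legacy and IE11); verify them on your build.
foreach ($key in 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode',
                 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode') {
    $v = Get-ItemProperty -Path $key -Name SiteList -ErrorAction SilentlyContinue
    if ($v) { "$key -> $($v.SiteList)" } else { "$key -> (policy not set)" }
}
```

The re-read step matters more than it looks: clients silently ignore a site list that does not parse, so a malformed file means every site falls back to the default browser with no warning. Keeping the list on a read-only share and bumping the version attribute on each change also gives you an audit trail of which sites were steered to Internet Explorer and when.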
Search for that, and then download and install it. Open the Enterprise Mode Site List Manager tool and add the URLs of the websites that need Internet Explorer; choose Open in Internet Explorer 11 for each of these sites, and then save the file to a network share. Next, open Group Policy Management on a domain controller, or locally using the Local Group Policy Editor, and then navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge (or, if you're in a domain controller's Group Policy, then Computer Configuration > Policies > Administrative Templates > Windows Components > Microsoft Edge). Open the Configure the Enterprise Mode Site List policy and then enter the location of the XML file that you just saved. In the demonstration I'll show you how you can configure Microsoft Edge; I'll then show you how you can configure Enterprise Mode.

Okay, I'm on my Windows 10 computer and I'll open up Microsoft Edge. To configure Microsoft Edge settings, click the ellipsis button here and then choose Settings. You can then choose a theme; at the moment it's defaulting to Light, but you can choose Dark. Then specify what the open or landing page will be: it can be a specific page or pages (which I've configured here), or you can choose a New tab page, or Previous pages. When you open a new tab by clicking the plus symbol on the right-hand side of an existing tab, you can specify that it will open with a blank page, or with top sites, or with top sites and suggested content. If you're new to Microsoft Edge you can use the Import or export option here to transfer your favorites from another browser. If I scroll down here you can see settings including download location, and under the Account heading here you've got the option to configure a specific account; typically that will be a Microsoft account or a Microsoft 365 account. Once you've specified the account, which you can configure through the Settings app, then you have the option to sync your settings. Synchronize settings
enables you to have the same favorites, reading list, top sites, passwords and so forth across all of your devices that are also configured with Microsoft Edge. That's the reason I use Edge, in fact, because I've got a number of devices that are running other operating systems: I've got an iPad, I've got a Microsoft Surface Go, I've also got an iPhone and an Android phone, and they are all configured to use Microsoft Edge, and it's handy for me to be able to have the same favorites list and the same passwords for websites configured. For settings to sync properly through Edge you have to first of all sync your Windows settings, so you click this link here and it will take you to the appropriate location to configure the Windows synchronization settings.

On the Privacy & security tab here you can configure browsing data and clear any previous history that you want; you can configure cookie behavior, and then behavior such as Show search and site suggestions as I type and Show search history, and whether or not you wish to block pop-ups, and whether or not you want to enable Windows Defender SmartScreen, which helps protect against malicious sites. You can choose the option here on the Passwords & autofill tab to specify that you want to save passwords, and then you can manage those passwords with this link here, and then you can autofill. That's a really nice feature of Edge, actually: if you go to a form it will automatically fill in addressing information, for example, so it will remember, as a complete suggestion, your address and telephone number and name as soon as it encounters those fields, so it can save you quite a lot of time. Down here on the Advanced tab you've got options for configuring Adobe Flash, media autoplay, permissions for certain websites where necessary, proxy settings and Cortana settings. Over here you can see a summary of those settings. If I click here on Favorites I can see a list of my favorites; none have been imported at the moment. My reading list, books, history and
downloads, none of which have been configured because this is a virtual machine for demonstration purposes. If I want, I can choose this option here for annotating a web page, and as you can see I've got some controls here for making notes on the web page, which are stored locally. Okay, so that's configuring Microsoft Edge.

Let's take a look at Enterprise Mode now. This is the Enterprise Mode Site List Manager tool, and how to configure a particular browser to be used for a particular website. Choose File, and then I can choose Import or Export if I've got an existing file, or click Add here and then specify the URL, www.microsoft.com, and then specify for this particular website that I want to use Internet Explorer in a particular mode or the default mode, and then specify that the default mode is IE11 or MS Edge accordingly; so IE11 in this case, and then say Save. It's going to validate the URL for me; I'll add it anyway, it might be a function of the fact that I'm running this in a VM. So there's the first of the websites, and then I might add in another for contoso.com and then specify that that must run in Microsoft Edge, for example. So the next thing I need to do is save that away, Save As, an XML file; it needs to be in a central location, a UNC shared folder. I'm saving this on my local workstation and calling it sitelist.xml. I'm going to copy that to the paste buffer because I'm going to need that again in a second. So that's now saved away. The next thing to do is to open Group Policy. Now, I'm using the Local Group Policy Editor here and I've already navigated to the appropriate location mentioned earlier on, but just to reiterate, that's Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge, and then select the Configure the Enterprise Mode Site List value. Double-click that, select Enabled, and then paste in the location of the XML file that you created earlier. Now, I'm only configuring this locally, but obviously if you configure this on a domain
controller using Group Policies in a domain, then all users will have access to the same settings, assuming that they're configured to use that particular Group Policy. All I need to do now is click OK and that setting's enabled. So in that demonstration you saw how to configure some of the settings in Microsoft Edge and how to configure Enterprise Mode.

From the Tools menu you can access Manage add-ons; you can also manage Compatibility View settings; and then finally you can configure Internet Options. Within Internet Options you have a tabbed dialog box: General, Security, Privacy, Content, Connections, Programs and Advanced settings are all accessible. In this demonstration we'll take a look at how to configure Internet Explorer.

So let's take a look at configuring Internet Explorer. Unlike Microsoft Edge it's not pinned to the taskbar, so I'm going to need to locate it. It's actually in a folder at the bottom of the apps list, but I'll type at least part of its name and then I'll right-click Internet Explorer and choose Pin to taskbar. I've configured it to open on a blank page, but you can configure that, as you'll see in a moment. So to configure the options, click on the cog here, Tools, and choose Internet options. You can also configure add-ons and Compatibility View settings. If a website that you visit doesn't work properly in Internet Explorer 11, choose Compatibility View settings and you can configure it to run as if it's in an earlier version of Internet Explorer; that can sometimes get around a problem with a particular website expecting a particular version. Under Internet options you've got the tabbed dialog box here. The home page is configured to be about:blank, but I can use the default, or I can use a new tab, or I can use whatever is the current page that I'm looking at. When I open up Internet Explorer it can start with a home page, which is what I've configured it to do, or start with tabs from whatever was the last browsing session. I can change how
websites are displayed in tabs, and I can manage my browsing history here; I can also change the basic appearance. On the Security tab you have a number of predefined zones. Each one of these zones (Internet, Local intranet, Trusted sites and Restricted sites) has a different level of security pre-configured; you simply need to add sites to the appropriate zones to have those security settings enforced. So, for example, if you visit a site that you find is very untrustworthy, you can select Restricted sites, click the Sites button and then type in the URL and click Add; if you're actually on the site at the moment then it will pre-fill this field with the site that you're looking at. If a site is trustworthy, click on the Trusted sites option, click Sites, and again it predisposes itself to use the existing site, the site that you're looking at; you can type in any URL here. Note that for Trusted sites the default is to require server verification, in other words an https prefix. You can clear that if you want to, but you need to be careful about adding non-SSL sites to this list, because you can't genuinely verify that the site is who it claims to be. You can adjust the security settings for each of the zones, but you need to be careful doing that; you need to know what you're doing. So, for example, on Internet I can choose Medium-high security, or I can drag it up to very high, and that will make a change, or I can configure the custom level and go through each of these options.

On the Privacy tab you can configure cookie behavior, on the Sites button here, based on each individual site that you visit. You can also configure privacy settings on an advanced basis by configuring first-party and third-party cookies here. Pop-up Blocker is enabled by default, but you can configure the settings on a per-site basis and you can configure default blocking levels based on pre-configured settings. On the Content tab you can configure SSL and certificate settings. Certificates are a very important way of
identifying servers and websites as being who they say they are. At the core of that is your computer's ability to understand where a certificate came from, and that's what you configure on the Publishers button here, so you can specify which certificates, and from which publishers, you're prepared to trust. Windows 10 supports a wide variety of certificate types from a number of different certificate publishers, but you may need to configure these slightly differently for your organizational needs.

On the Connections tab you probably won't need to configure anything; it's highly unlikely, but if there's a peculiarity about the way a particular computer connects to the internet, perhaps it goes through a proxy, or there are particular local area network settings that you need to account for, then you might need to visit this page. Given the likelihood of that, I'm not going to spend long looking at it. On the Programs tab you can specify what happens when you open Internet Explorer. You can specify managing add-ons; add-ons are functional components that do specific things within web pages, so for example you've got an option here for Lync Click to Call, so if you see a contact link and you click it, it will open up Lync, what we now call Skype for Business. There are various accelerators available, and search providers, so you can turn those on or off as you need, and then you can specify an editor for HTML editing, and you can specify which particular programs you want to use for things like browsing or email or whatever; in actual fact that just takes us to a link in Control Panel for setting your default programs. And then file associations: so if a particular file is located on a web page, what will Internet Explorer do, what program will it open, based on that file extension? And the Advanced tab, finally, allows you to configure fine detail about the way your browsing experience works; it's not something you'll probably spend a lot of time looking at unless there's a specific
need, a specific requirement for a particular user. In the demonstration you saw how to configure Internet Explorer.

The ability to work with files when you're not connected to the corporate network is important, so when you enable Offline Files, specified network files are cached locally for offline access when you're not connected to the corporate network. A Windows 10 computer accesses the local cache in the following situations: when the Always Offline mode has been enabled; when cost-aware synchronization is configured and enabled; when the server is unavailable due to a network outage or malfunction; when the network connection is slower than a threshold that you've configured; and when the user manually switches to offline mode. To enable the Always Offline mode, you can use Group Policy to enable the Configure slow-link mode policy and set the latency to one millisecond. To enable background file synchronization of Offline Files for a group of users while using metered connections, such as a data plan on a mobile phone, use Group Policy to enable the Enable file synchronization on costed networks policy. These appear under Administrative Templates > Network > Offline Files. You can use Sync Center to sync everything, or you can select particular elements that you want to synchronize and then specify the schedule that you'll use for synchronization. The two options are At a scheduled time or When an event occurs; depending on your choice, you can opt for more scheduling options, such as sync only when the computer has been idle for a period of time, or sync only if the computer is not running on battery.

Windows To Go is the ability to create a full installation of Windows 10 Enterprise on a USB flash drive, so you don't have to take your laptop to work; you merely need to take a USB flash drive and insert it into a compatible USB port, turn on the computer, and it will boot from the flash drive and you're running your version of Windows 10.
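Before continuing with Windows To Go, here is an added example, not from the course, for the Offline Files behaviour described above: a read-only Windows PowerShell check that shows whether Offline Files is enabled, whether the client is currently working from the local cache (which is what the slow-link, outage and manual-offline cases all come down to), and what connection state its cached items report. Win32_OfflineFilesCache and Win32_OfflineFilesItem are the Offline Files WMI classes; the registry key in Get-OfflineFilesPolicy is an assumption about where the Offline Files administrative template values are stored and should be verified on your build, and the server name is a constructed example.

```powershell
# Added example (not from the course): read-only report on the Offline Files state.
# Win32_OfflineFilesCache / Win32_OfflineFilesItem are the Offline Files WMI classes.
# The policy registry key below is an assumption; the server name is a constructed value.

function Get-OfflineFilesState {
    $cache = Get-CimInstance -ClassName Win32_OfflineFilesCache -ErrorAction Stop
    [pscustomobject]@{
        Enabled  = $cache.Enabled    # feature switched on (takes effect after a restart)
        Offline  = $cache.Active     # True while this computer is working offline
        Location = $cache.Location   # folder holding the local cache
    }
}

function Get-OfflineFilesPolicy {
    # Assumed location of the computer-side Offline Files policy values; verify on your build.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetCache'
    if (-not (Test-Path -Path $key)) { return 'No Offline Files policy values found.' }
    Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
}

function Get-CachedShareState {
    param([string]$ServerPrefix = '\\FILESERVER')   # constructed example server name
    # Enumerating every cached item can take a while on a large cache, so keep only the
    # entries for the server of interest and surface their connection state and reason.
    Get-CimInstance -ClassName Win32_OfflineFilesItem |
        Where-Object { $_.ItemPath -like "$ServerPrefix\*" } |
        Select-Object -Property ItemPath,
            @{ Name = 'ConnectState';  Expression = { $_.ConnectionInfo.ConnectState } },
            @{ Name = 'OfflineReason'; Expression = { $_.ConnectionInfo.OfflineReason } }
}

# Run all three when the script is executed directly.
Get-OfflineFilesState
Get-OfflineFilesPolicy
Get-CachedShareState
```

The useful reading is the combination: if Offline is True while the file server is reachable, the client has dropped into the cache because of the slow-link threshold or because the user switched to offline mode, and the OfflineReason column for that server's items tells you which. That distinction is what you want before assuming a network fault, since a client working from cache will keep changes local until the next synchronization.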
So effectively you've got Windows to plug and go. It's only available for users of Enterprise edition, and it doesn't support Windows Recovery Environment; we'll talk much more about the Recovery Environment later in the course, but it's the primary tool for performing recovery of computers that don't start or experience problems with devices or services. You can use Group Policy settings to configure Windows To Go behavior, as you can see here under the Portable Operating System node; this is located under Computer Configuration > Administrative Templates > Windows Components > Portable Operating System. To configure Windows To Go you need to create a workspace: mount the Windows 10 installation file or image, insert a certified Windows To Go USB drive, USB 3.0 at least (so that's going to be a fast USB device with sufficient storage space), and then launch the Create a Windows To Go workspace wizard. Click through the wizard and specify the following: select the USB drive, select the Windows 10 image, choose whether or not to password-protect and encrypt the drive with BitLocker and a password, and choose whether to boot to the new Windows To Go workspace.

Now, finally, users of mobile devices might be interested in the Mobility Center, which consolidates all of the suitable settings; those settings are of most use to users of laptop devices. So you've got the option, for example, to configure your display brightness, control volume, manage your power settings and power options, configure landscape or vertical orientation, determine whether you're connected to external displays or not, configure synchronization behavior and enable presentation mode. Remember, when you turn on presentation mode that can have an impact on things like notifications.

These days power is one of the most important characteristics of a device. The ability to last a whole day without having to gain access to a power outlet is pretty important; it's certainly one of the things I considered when I was looking at my laptop
and my tablet devices. If I can manage a whole day without having to lug around the power charger I'm very happy. So within Windows 10 there are some power options that are configurable through the Settings app; you can see these here on the screen. You've got Power & sleep options, and you've also got Battery options. Power & sleep allows you to configure what will happen to the screen: on battery power it will turn off, as you can see here, in five minutes, or when plugged in it will turn off after 10 minutes. You can also configure the system behavior as well. On the Battery node in the Settings app you can also configure what happens when you get to a low level of power; in this case it's configured to be 20%, and then you might get some particular behaviors that result from that, based on the fact that you've got low battery life, so it will start to dim the display or disable certain features.

If those basic configuration options through Settings are not sufficient, Windows 10 also, within Control Panel, gives you access to power plans. Which ones are available will depend on the manufacturer of your hardware, but generally speaking you'll have a Power saver, a Balanced and a High performance power plan. The Power saver option uses the least power, which seems logical given its name; the screen will turn off after five minutes of inactivity, and system activity is designed to reduce performance where possible to save power. The Balanced plan balances power consumption, so it's a medium consumption; you can configure the plan to power off after a period that you've decided is appropriate, and it determines computer activity and continues to use full power to all system components in use, where that's possible. High performance uses the highest amount of power; it sets the screen to 100% brightness and keeps the computer's components supplied fully with power. Let's have a look at these options now; I'm going to show you how to configure power options, battery settings and power plans. Okay, so if I open
up Settings and then choose System and then click Power & sleep, I can specify what will happen with the screen when it's on battery power and what happens when it's plugged in; I might set that to Never, for example. On the Battery tab I can configure it to turn battery saver on automatically if power drops below 20%, or some other value, and then lower the screen brightness while in battery saver mode. There are also some additional options here for changing battery settings for playing video, and some battery saving tips. Now, if I've got more requirements for controlling power, if I go back to Power & sleep and then click on Additional power settings, it takes me to Control Panel. The options that you have here depend largely on the type of device and the vendor of the device. As you can see here, it's using the Balanced plan by default. I can create my own power plan and then configure options accordingly: so Create a power plan, and we can choose that it will be based on High performance, and then I can configure what will happen with the display when it's on battery and plugged in; so we set that to Never and set that to 15 minutes, whatever, then click Create, and then Change plan settings and choose Change advanced power settings, and then you can configure hard disk shutdown based on on-battery or plugged-in, wireless adapter settings (that can make a significant difference, but you want to be careful; I've discovered sometimes you experience problems when you disable the wireless adapter to save power and then you maybe restore from sleep; sometimes that can be a problem), you can configure sleep behavior, USB settings, and you can control what happens with power buttons and the lid. Now, this is not a laptop; I'm running a virtual machine here. It knows it's on battery, but it doesn't have the notion of a lid to shut as such, so it's not presenting this with all of the options here, but depending on the type of device that you have you'll have more or fewer options here, and then a variety
of other settings to do with how the battery is handled when we're getting on to low and critical levels. What you don't want to have happen is to run out of battery in the middle of doing something, so you want a level of notification so that you know that you're approaching those lower levels. Perhaps a simple warning at about 10 percent and maybe a dimming of the display is enough. When you've made any changes, you click Save changes and you've then updated the power plan. If there are any plan options that are not available, you can choose the option Change settings that are currently unavailable. Under Power Options, on the left-hand side, you can also choose when to turn off the display, and again, if you're on a laptop, you'll typically have options listed here for what happens when you press the power button and what happens when you close the lid. So, for example, on my laptop that would put the device to sleep.

So in the demonstration we saw how to configure power options, battery settings, and power plans.

This is Lesson 3, Manage Accounts and Devices. In this lesson we discuss user accounts in Active Directory and in Azure AD, and we'll look at how to join devices to AD DS and Azure AD. In this lesson you'll learn how to implement accounts and manage devices in directories. The hands-on demonstrations in this lesson include managing local accounts, managing domain accounts, configuring account policies, adding a computer to a workgroup, adding a computer to a domain, sharing resources in a domain, configuring Azure AD join, viewing the Azure AD portal, and reviewing the Microsoft device management portal.

In Windows 10 you'll encounter a variety of different types of account: local accounts, which exist on local machines; AD DS domain accounts, which reside on domain controllers in your on-premises Active Directory environment; Microsoft accounts, which are consumer accounts; and Azure Active Directory accounts, which are Microsoft 365 business accounts. Local accounts exist only on a local
computer. You can manage them by using Computer Management, the Settings app, or Windows PowerShell. Here you can see a list of user accounts in the Users node under Local Users and Groups in the Computer Management snap-in. If you select a user account, you can manage its general properties, which include a full name and description and various password and account options, group memberships, and basic profile information.

You can also use the Settings app, as shown here. Open Settings, select the Accounts node, and then on the Your info page you can view the currently signed-in user. You can also use the link here, Sign in with a Microsoft account instead, to link your local account to a Microsoft consumer account. On the Email & accounts tab shown here you can add additional accounts. These can be accounts used for specific applications such as email or calendar, but you can also add a work or school account, which is a way in which you can associate a computer with a Microsoft 365 tenant. Under Sign-in options you can configure the way in which you sign in; we discussed this in an earlier lesson. Then under Access work or school you have the ability to add or remove provisioning packages, to set up an account for taking tests, and to enroll in device management. You can also link your device to Azure AD. Finally, on the Family & other users page you can create additional accounts. So, for example, at home you might have a laptop that's used by one of your children; you might add an additional account on this page for your own access to the device, for example for management purposes. You'll also notice a link down here for setting up a kiosk. That's a device which is limited to running one application; you can use Assigned Access as a way of setting up the kiosk device. We'll look at that later.

In addition to user accounts, of course, you can manage group accounts. Again, you'll do this with Computer Management or Windows PowerShell. In the screenshot here, you can see
that the Groups node has been selected underneath Local Users and Groups, and there is a list of the already built-in groups. To add a group, simply right-click the Groups node and then use the wizard to create a new group. You can then add members to the group. Groups are useful for management purposes because they allow you to assign rights and privileges to the group and thereby to the membership of the group.

Built into Windows there are a number of special identity groups. Strictly speaking these aren't groups in the truest sense: they don't have a membership list that you maintain, but they are collections of users. So, for example, if anybody can connect to your device, they are deemed to be a member of the Everyone group. If someone accesses your device from across the network, they're deemed to be a member of the Network group. If they access the device interactively by signing in locally on your device, then they're deemed to be a member of the Interactive group, and so on. The idea behind this is that you are able to assign privileges based on these categorizations of user access. Authenticated Users is another good one. Authenticated Users and Everyone are often used interchangeably, but Everyone means anyone and Authenticated Users means only those with user accounts on the device, so there's a slight difference. Effectively, if you disable the guest accounts on your computer, Authenticated Users and Everyone are the same. If you have guest accounts, and therefore anonymous logon is possible, then Everyone means anyone. The Creator Owner group is quite an interesting special identity group. It's used in print permissions (it's used in other locations as well), but for example with a printer, when you assign permissions on a printer, the Creator Owner group has the ability to manage documents. What that really means is that anybody who creates a print job can manage their own print job, because they're a member of the Creator Owner group for that job.

Now, for the most part you're not going to
manage very many accounts on local devices. You'll tend instead to set your focus on your on-premises domain environment. Domain accounts exist on a domain controller, or more accurately, I suppose, within the Active Directory database, which resides on domain controllers. So if you add a new account, it will exist on all of the domain controllers in a particular domain. Strictly speaking that's not true either: it will exist on all domain controllers in the forest to some extent, because of the way in which Active Directory replication and the global catalog service work. We'll discuss that later on in the course. These accounts can be accessed from computers in the AD DS forest, so potentially, if you add a user account in a domain in your forest, it can be granted access to resources elsewhere in the forest. You can manage these domain accounts by using a variety of tools: Active Directory Users and Computers is the one that I tend to use, Active Directory Administrative Center, and of course Windows PowerShell with the Active Directory module.

You can see here the properties of a user account. Rather than the three tabs we have for local accounts, you can see there's far more information that you can define about a user in a domain environment, so there are many properties, or attributes, for objects like users. On the Account page, for example, you can see the user logon name here with the suffix of the domain name, and then the user logon name for signing in using the domain name followed by the user ID, and then links for restricting logon hours and the devices with which the user can interact, and then account options such as account expiration and password settings. On the Profile tab you can configure a profile path to create a roaming profile for your user. That can be quite useful if you want a user to sign in at any workstation and have their settings move with them. The logon script option is not usually used now; we tend to assign logon scripts through Group Policy.
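The same domain account work done from Windows PowerShell with the Active Directory module, as an added example that is not code from the course: it creates a contoso.com user in the IT OU with the Account and Profile tab settings described above, then audits the OU for accounts whose flags bypass the password policy. It assumes RSAT (the ActiveDirectory module), rights to create users in the IT OU, an existing Sales group, and a file server named FS01 for home folders (the server name is an assumption).

```powershell
# Added example, not code from the course. Assumes the ActiveDirectory module,
# rights in OU=IT,DC=contoso,DC=com, an existing Sales group, and a file
# server FS01 (assumed name) that hosts \\FS01\Home.
Import-Module ActiveDirectory

function New-ContosoUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]       $GivenName,
        [Parameter(Mandatory)] [string]       $SamAccountName,
        [Parameter(Mandatory)] [securestring] $InitialPassword,
        [string]   $Domain        = 'contoso.com',
        [string]   $OuPath        = 'OU=IT,DC=contoso,DC=com',
        [string]   $HomeServer    = 'FS01',     # assumed file server name
        [string]   $Workstations  = '',         # Account tab, "Log On To" (comma-separated)
        [int]      $ExpiresInDays = 0,          # 0 = no account expiration
        [string[]] $Groups        = @('Sales')  # Member Of tab
    )

    # Account tab: the user logon name is the UPN (fred@contoso.com); the
    # CONTOSO\fred form comes from SamAccountName. The initial password must
    # be changed at first logon so nobody but the user ever holds a live one.
    New-ADUser -Name $GivenName `
               -GivenName $GivenName `
               -SamAccountName $SamAccountName `
               -UserPrincipalName "$SamAccountName@$Domain" `
               -Path $OuPath `
               -AccountPassword $InitialPassword `
               -ChangePasswordAtLogon $true `
               -Enabled $true `
               -HomeDrive 'H:' `
               -HomeDirectory "\\$HomeServer\Home\$SamAccountName"   # Profile tab, home folder

    # Account tab, "Log On To": limit the computers this account can sign in to.
    if ($Workstations) {
        Set-ADUser -Identity $SamAccountName -LogonWorkstations $Workstations
    }

    # Account expiration, useful for contractors and other temporary staff.
    if ($ExpiresInDays -gt 0) {
        Set-ADAccountExpiration -Identity $SamAccountName -DateTime (Get-Date).AddDays($ExpiresInDays)
    }

    foreach ($g in $Groups) {
        Add-ADGroupMember -Identity $g -Members $SamAccountName
    }

    # Read the object back so the caller can verify what was actually written.
    Get-ADUser -Identity $SamAccountName `
               -Properties UserPrincipalName, HomeDirectory, HomeDrive,
                           LogonWorkstations, AccountExpirationDate, MemberOf |
        Select-Object SamAccountName, UserPrincipalName, Enabled, HomeDrive,
                      HomeDirectory, LogonWorkstations, AccountExpirationDate,
                      @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
}

# Hygiene check: accounts in the OU whose flags sidestep the domain password
# policy ("password never expires" or "password not required").
function Get-WeakPasswordFlagUsers {
    param([string] $SearchBase = 'OU=IT,DC=contoso,DC=com')

    Get-ADUser -SearchBase $SearchBase `
               -Filter 'PasswordNeverExpires -eq $true -or PasswordNotRequired -eq $true' `
               -Properties PasswordNeverExpires, PasswordNotRequired, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordNeverExpires, PasswordNotRequired, PasswordLastSet
}

# Usage: prompt for the initial password instead of embedding it in the script.
$initial = Read-Host -Prompt 'Initial password for fred' -AsSecureString
New-ContosoUser -GivenName 'Fred' -SamAccountName 'fred' -InitialPassword $initial `
                -Workstations 'Contoso565' -ExpiresInDays 90
Get-WeakPasswordFlagUsers
```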
Whenever I set up user accounts in a domain environment, I tend to use the home folder option shown here: select the Connect button, select the drive letter from the drop-down list, and then point it to a shared folder so that each user has a unique personal home folder on a server somewhere.

Account policies allow you to configure security settings. There are two nodes locally and three nodes on a domain. You can see them listed here underneath Windows Settings, Security Settings, Account Policies. We've got the Password Policy on the right, which allows you to configure complexity, maximum password age, minimum password age, password length, and so forth. Those options default to what you can see here: 42 days maximum password age and then fairly unrestrictive thereafter. The Account Lockout Policy is used to define what happens when a user enters a bad password x number of times in y period of time. Does it lock out? How many tries do they get? Does the account, when it's locked out, have to be unlocked, or will it unlock itself automatically after a period of time? You can configure those settings. In a domain environment you will also have a Kerberos node, which allows you to configure Kerberos tickets. Kerberos is the authentication protocol used in Active Directory to sign users in. When a user signs in they get a Kerberos ticket, also referred to as a ticket-granting ticket, and it's the lifetime of that ticket you can define.

Under Local Policies you've got the ability to configure auditing. Auditing options allow you to audit logon events, account management changes, access of the directory service (that's Active Directory), object access, changing of policy, privilege use, a whole range of options. You can set up auditing for successful executions of those events or failed attempts at those events, depending on what you want. The information is recorded into the event log, and you use Event Viewer to view those events. Under User Rights Assignment
you can configure capabilities, for want of a better term. Some of these are fairly fundamental: the ability to log on locally, for example, is the sort of thing that you'd allow for pretty much everybody, but adding workstations to a domain may be something you want to be a bit more restrictive about. So some of these rights are what you might consider user rights and some of them are more administrative. Security Options allow you, again, to define certain characteristics of an account. You might find, for instance, the ability to restrict floppy drive access (I don't suppose anybody has a floppy drive anymore), or CD-ROM access, or to prevent users from installing printer drivers. So these capabilities that might prove useful in certain situations can be locked down if you want. The User Account Control settings, which are the way in which Windows elevates your privileges when you sign in and want to perform a certain type of task that requires administrative capabilities, are also configured in this list at the bottom.

So let's take a look at some of these things. I want to show you how to manage local accounts, how to manage domain accounts, and how to configure account policies. Here we are on a Windows 10 computer. This is the latest version of Windows 10 at the time of the course creation; this is 1903. The first way in which you can manage accounts is to bring up Computer Management. I right-click Start and then choose Computer Management, then expand the Local Users and Groups node, and you can see a Users node beneath that and a Groups node. To manage accounts here, it's simply a question of right-clicking Users and choosing New User, then entering the details: Jim, Jim, entering a password (the password doesn't display, for fairly obvious reasons), then selecting some of the password options and clicking Create. That's very straightforward. If I want to configure additional properties (I wasn't prompted to create very many), I right-click the account, choose Properties, and then I can
configure group memberships on the Member Of tab, and I can configure the profile options so that the user, Jim in this case, can have a logon script or a profile path or whatever. I can right-click an account and choose Set Password, and I can also choose All Tasks and Set Password as well. In terms of managing groups, it's again a case of clicking the Groups node, right-clicking it, and choosing New Group. We'll create a group called Sales, and then we can either click Create or we can additionally add members at this point. I'll click Create for now, and then I can right-click the Sales group and add it to another group, or click Properties and then, under the Members heading here, click Add and select the objects I want to add. Now, this computer is a member of a domain, so it's actually defaulting to the location of contoso.com, so it's going to look for users there. I can specify that the location is the local computer if I want to. OK, so I can specify my own computer there and look for users here. So, for instance, I can type in Jim, check the name, and click OK, and I've added Jim to the Sales group. So that's local account management using Computer Management.

I can also use the Settings app. Within the Settings app, click Accounts, and then I've got my own information on the Your info tab, and as I said in the slide presentation, you can associate that local account with a Microsoft account if you want. On the Email & accounts page I can add a work or school account; that allows me to join this device to Azure AD, and that's something I'll look at shortly. Sign-in options is something we looked at earlier; you can configure the security sign-in settings for the device. On Access work or school I can again associate my computer with, well, it's already associated with the domain, as you can see here: it's joined to an on-premises Active Directory domain, but I can also add it to Azure AD, either as well or instead. To do that I'd click Connect here and then follow a wizard which would
guide me through the process; we'll look at that shortly. On the Other users tab I can add someone else to the PC, and I can select a Microsoft account, as you can see, or indeed add a new local account. We won't complete that process for now; we'll look at it later.

OK, so let's have a look at how we can manage accounts on a domain. This is a domain controller. I wouldn't normally recommend that you sign in interactively on a domain controller and manage anything; it's usually far better to do that remotely, but this is a demonstration environment, so I've got a limited number of virtual machines. This is the Active Directory Administrative Center. I don't use this very much, I tend to use Active Directory Users and Computers, but this has some significant benefits. Let's take a look. If we expand the domain node here, contoso, and then find an appropriate container, for example IT, we can then click the New link and specify to create a user in IT. Give them the first name of Frederick, or Fred will do, actually, and we'll sign them in using fred as a user ID, so that's contoso\fred or fred@contoso.com. We can configure some password options over here if we want to, and then I set the initial password (again, it doesn't display). When I'm happy with that, I can populate it with lots more information. Remember, Active Directory accounts provide you with the capability of defining many more attributes, but I'll keep it simple for now. When I'm happy with that I can click OK, and then I can bring up the Reset password option, or Add to group, or look at the Properties of the account, and then I can reconfigure the settings as you can see here.

But what's interesting is the way that Active Directory Administrative Center works: it uses Windows PowerShell. If you look at the bottom of the screen here, there's a heading called Windows PowerShell History. If I expand that you can see the commands that were used to create this account. It used the New-ADUser cmdlet, followed by the Set-ADAccountPassword cmdlet, followed by the Enable-ADAccount cmdlet, and so on. So if I was starting out and trying to get familiar with using Windows PowerShell as a way of managing accounts, by using the Active Directory Administrative Center I could start to see how things work. I've even got options here to copy particular elements of this, so I can select something and copy it into the paste buffer, and then I can use additional tools to develop scripts for the purposes of managing accounts. So that's one of the really great things about the Administrative Center.

You can also use Active Directory Users and Computers, which is a bit of a misnomer because, yes, you can manage users and computers, but you can also manage groups as well. If I click on IT (I don't need to refresh the display), it should show the user that I just added, Fred. Creating a new user here is similar to how Computer Management worked earlier on: right-click the container, point to New, and select User, then type in the details (these are not very inventive names, so I apologize for that) and click Next, set some basic password properties, Next, and Finish. Then I can do things like Add to a group, Enable or Disable account, Send mail, and look at the Properties of an account. You can see there are many more properties that we can configure, because it's in Active Directory and Active Directory supports many more attributes for users.

To configure account policies, you actually use Group Policy. Back in Server Manager on the domain controller here, I can choose from the Tools menu either Local Security Policy, or I can bring up Group Policy Management and then select the Default Domain Policy; the effect is the same. I'm going to use Local Security Policy here. Let's maximize that, and if I expand Local Policies we can see the options we discussed earlier. Under Account Policies we've got the
Password Policy here, and you can see that we have a password history, we have maximum and minimum password ages and a minimum password length, and password complexity rules are enabled, so this is much more stringent than on a local computer. Under Account Lockout Policy we've got no configuration just at the moment, and then under Kerberos Policy we've got the ability to determine how ticket-granting tickets work and what the lifetime of those is, if we needed to change those. There's no particular reason why you ever would, but you can in a sort of heightened security environment. And as mentioned earlier on in the presentation, we can configure auditing, user rights assignments, and security options. I mentioned that at the bottom of Security Options there are the User Account Control settings, which we'll look at later.

Now, when you make changes to the security policy, particularly, or specifically actually, the account policies, these three nodes here, that has an effect on every object in the domain. So there's no way here, at least, of being able to set a different password expiration rate or complexity rules for different accounts, nor can you do that through Group Policy. The way that you do that is through Active Directory Administrative Center. So if you have a requirement to set a different account policy for certain users, typically maybe your administrative users or whatever, then you do that in the following way. Open up the Active Directory Administrative Center (or do it through PowerShell, whichever), and then under contoso select the System container, then select the Password Settings Container, and then create a new Password Settings object. You can see here (I won't go through the whole process) that you can configure password length and complexity and so on, just the same as you could through the local policy, but the difference here is that you've got the Directly Applies To heading, and you can add users and groups to which the policy will apply. That allows you to create a very specific
password settings object linked to specific accounts. So in a scenario where you want to have a much more rigorous password policy, you can apply that through a PSO using the Active Directory Administrative Center. So in the demonstration you saw how to manage local accounts and domain accounts, and how to configure account policies.

Microsoft accounts: these are online identities that you can use to sign in to Microsoft services online, or to authenticate yourself with Microsoft services that are online. It's generally considered to be a consumer account; that means a home user, perhaps. You don't normally use these for organizations. You probably have a Microsoft account; I'm sure you do if you've got Windows 10 and you want to access the Store or download apps from the Store, as you'll need a Microsoft account to authenticate yourself. It's usually associated with an outlook.com or hotmail.com suffix. It's very straightforward to obtain one: just search for Microsoft account or create Microsoft account and then follow the links. So, as I said, it allows you to access personal services that are associated with Windows 10. OneDrive is built into Windows 10; you can only access it by signing in to the OneDrive service using a Microsoft account. You also have access to Word, Excel, and PowerPoint online, and outlook.com. You can use it to access Intune, Microsoft 365, and Azure, but generally speaking that would be a Microsoft 365 account, or more accurately an Azure AD account. And as I mentioned, it allows you to download and install apps from the Microsoft Store. If you've got many devices, or several devices, that run Windows 10, you can synchronize between those devices using your Microsoft account. In fact, I use an iPhone and I've got Windows 10, obviously, on my laptop, and I synchronize my Edge favorites and passwords between those devices, so I use my Microsoft account to synchronize Microsoft Edge settings between non-Windows devices.

To associate the Microsoft account, you can do that in a number of different
ways. You can associate it with a local account through the Settings app, or with a domain account. To link to a domain account, sign in using the domain account and then open the Settings app. On the Your info tab in the Accounts page, click Sign in with a Microsoft account and then connect the account to the local account. You'll need to enter your credentials; you'll almost certainly receive a text message on your registered phone to verify, and then you can connect the account to the domain account. That means when you sign in, you're signing in to the domain, but you're also signing in with your Microsoft account to cloud services, but that's a consumer account. You can synchronize your settings once you've signed in with your Microsoft account: on the Accounts option within the Settings app, click the Sync your settings tab as shown here in the dialog, and then you can turn it on or off and be specific about what you want to synchronize between your devices.

A workgroup is a logical grouping of Windows-based computers. It can include both Windows 10 and Windows Server devices. A device can belong to only one workgroup, and a device cannot belong to a workgroup and also to an Active Directory domain. Workgroups exist on a single network segment, so they're for small collections of computers in a small geographic area. You can share data with other devices in a workgroup in a similar way to the way that HomeGroups work. To add a computer to a workgroup, bring up the System properties of your Windows device and then click Change settings on the right-hand side, as shown here beneath the Computer name, domain, and workgroup settings heading. You can then select, beneath Member of, either Domain or Workgroup.

Authorization within a workgroup works on the following basis. Bear in mind that because it's a workgroup, all user and group accounts are local, so if you're accessing a resource across the network on another computer, you will need to hold an account on that remote
computer. So the first time you try to access a resource you'll be prompted for a username and a password. To simplify things, you'll create matching account details on all of your workgroup devices, so if there's an account called andrew on one computer with a password of xyz, then you'll configure that same account on all computers in the workgroup. The Local Security Authority will check the local Security Accounts Manager database to see whether the account that was entered is valid. If it is valid, you're granted access. If you attempt to access another resource on the same computer, you don't need to sign in again; the credentials stay active until such time as you disconnect from that computer. But if you attempt to access another resource on another computer, you'll need to provide the credentials again, although if you've got a matching account you can, to some extent, simplify that process.

By creating Active Directory Domain Services domains in an Active Directory Domain Services forest, you simplify this process because you can create all your accounts in a single location, that's to say on all your domain controllers, and once you've signed in to the domain you can use the same account to access resources anywhere. So it's a logical grouping of Windows-based computers. An AD DS domain can be described as a logical administrative boundary, and that's because a domain contains a group called Domain Admins which can perform management on any object within the domain but cannot necessarily be granted access to other domains. You can further consolidate or group users and computers within a domain by creating organizational units; these are logical containers that might describe geographical regions or departmental boundaries. Domains are combined to create Active Directory trees, which in turn combine to create forests. Now, it's true to say that although you can have many domains in many trees in potentially several forests, most organizations tend to have a single Active Directory forest
consisting of a single domain in a single tree, but nevertheless it is certainly possible to create more complex structures. Domains can consist of Windows 10 and earlier versions of Windows, and Windows Server devices. A device can only belong to a single Active Directory domain, a device cannot belong to both a workgroup and a domain, and domains can span multiple network segments. It's much easier to share resources because you have all of your user accounts in a single location and they can be granted access anywhere in the domain, actually potentially anywhere in the forest if you have multiple domains.

To add a computer to a domain, use the same procedure that you did to add a computer to a workgroup. This time, however, under the Member of heading you enter the name of the domain. Now, it's important that, whatever the domain name is, the local computer can resolve that name to determine the domain controllers that exist within that domain. That requires that it can connect to Domain Name System servers, or DNS servers, within the domain environment to perform name resolution. You'll then be prompted for the user account details of a user with sufficient privilege to join a computer to a domain. That tends to be restricted to, if not administrators, certainly a level of user that has suitable experience for performing these types of management tasks, so you might have an installer role or something on your network. You'll get a notification that it was successful, and then you'll need to restart the computer. After you've restarted the computer, the change is in effect.

So let's have a look at how to add a computer to a workgroup, how to add a computer to a domain, and how you can share resources within a domain. This computer is in fact already part of a domain. What I normally do is open up This PC and look at its properties by right-clicking This PC in File Explorer and selecting Properties, and then under Computer name, domain, and workgroup
settings I select Change settings and then click the Change button. You can see here the name of the computer, Contoso565, and that it's a member of the contoso.com domain. To make it a member of a workgroup, I simply click Workgroup and then type the name of the workgroup. The workgroup doesn't necessarily need to exist already, and it can be called something as bland as WORKGROUP if you like. Then click OK. It tells me that I need to sign in with sufficient privilege to disjoin; I'm going to click OK to that. I'm actually signed in as a local admin anyway, so that should be sufficient. It's now thinking about that, connecting to the domain controller, so I enter the details for a domain account to disjoin the computer from the domain in this instance. It confirms that change, and then I'll need to do a restart, which I will do in a moment.

Over on the domain controller I've opened up Active Directory Users and Computers, and you can see under the Computers node that we've got a computer called Contoso565. The down arrow indicates that it's disjoined. I can actually delete that object if I want to, or I can leave it if I intend to rejoin the computer to the domain at a later stage. For now I'm just going to delete it. That object's now disappeared. Back on my workstation, I can verify that I'm part of the workgroup by opening File Explorer, right-clicking This PC, selecting Properties, and then under the workgroup settings clicking Change settings, and you can see that I'm part of a workgroup. To add the computer back to the domain, or to add it to a domain for the first time, under this heading I select Domain and then type in the name of the domain, contoso.com. Remember, I need to be able to resolve that to domain controller IP addresses. Click OK. I must specify credentials that have the necessary privilege to perform the domain join, not necessarily admin, but that's what I'm using in this case. It welcomes me to the domain, and then I'm going to need to restart that computer, which I will do, and
then flick to the DC here, do a refresh, and you can see that the computer has been re-established there: Contoso565 now exists within the domain database, so that link has been created. So it's as simple as that to add a computer back to the domain.

OK, so having rejoined the computer to the domain, I can sign in to the domain by typing the domain name and then the user account that I want to use. I'm going to use an administrator account here. So there's my desktop, and then to share resources within a domain: I'm on a workstation machine here, so open up something like File Explorer and select a folder. Let's create a new folder for data purposes, Data, and then I'm going to share that by using Give access to, Specific people, and then I can specify user accounts in here which are part of the domain. Or I can right-click and choose Properties, select the Sharing tab, choose Advanced Sharing, select Share this folder, and then specify Permissions. Click Add here, and you can see that it defaults to contoso, and I can look for users and groups in contoso. So if I check to see if there's a Sales group, there is; click OK here, and I can set a level of access. So anybody who belongs to the domain's Sales group will have access to this shared folder. It's very straightforward to share once you've set up your domain: you can use the users and security groups within the domain to grant access to resources on computers that are part of the domain. So in that demonstration you saw how to add a computer to a workgroup, how to add a computer to a domain, and how to share resources within a domain.

Azure AD, or Azure Active Directory, is a cloud-based service that's used to authenticate users to access cloud resources, typically things like Office 365, also sometimes referred to as Microsoft 365, although strictly speaking they're not the same. Office 365 is Office 365; Microsoft 365 is Office 365 plus Microsoft device management plus Azure AD Premium. I
may use the terms interchangeably, so apologies. Azure AD stores its user and group information in the cloud, in a database in the cloud rather than in an on-premises database. Both are transparent to you, but it's a different process. You can integrate Azure AD with your on-premises Active Directory environment through synchronization, and that's important where you have a mix of resources, some of which are on premises and some of which are in the cloud. So perhaps you have, I don't know, SharePoint Server running locally but you've got Exchange Online running in the cloud as part of your Microsoft or Office 365 subscription, and you want your users to gain access to both of those with a single account, so you can synchronize one to the other. There are a variety of ways in which you can set up that synchronization, but that's somewhat out of scope for this course.

Some scenarios when you should use Azure AD are: you want access control for applications; you want to integrate with on-premises AD DS; you want to provide single sign-on for cloud-based applications (that's probably the most important of these, really: you want your users to have a simple sign-in experience for resources wherever they are); most applications and resources that you use are in the cloud; you want to separate temporary accounts from regular standard accounts; or you want to provide users with the ability to join their own device to the corporate environment. That's becoming increasingly popular, the ability for users to use their own devices, to some extent. I often ask students in class about this, and most of them allow their users to use their phone devices to access their email accounts, not everybody but most certainly, and if you think about that, that's a device that has corporate data on it and you want to have some degree of control over that. So by joining the device to Azure AD, you then have an ability to manage that device, to perhaps secure it, because it contains corporate data.
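Once a device has been joined, a practitioner wants to confirm which directory it actually belongs to before relying on that for management. The following is an added example, not code from the course: it parses the output of the built-in `dsregcmd /status` tool into a single join classification (Azure AD joined, hybrid, domain joined only, Azure AD registered, or workgroup), using a constructed sample so it can be read offline; run it without the sample to query the real machine.

```powershell
# Added example, not code from the course. Classifies a Windows 10 device's
# directory membership from dsregcmd /status (a built-in Windows tool).
function Get-DeviceJoinState {
    param(
        # Defaults to live output; pass captured lines to analyse another machine.
        [string[]] $StatusLines = (& dsregcmd.exe /status)
    )

    # dsregcmd prints "   Key : VALUE" rows under boxed section headers.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $aad = $state['AzureAdJoined']   -eq 'YES'   # device identity in Azure AD
    $dom = $state['DomainJoined']    -eq 'YES'   # member of an AD DS domain
    $wpj = $state['WorkplaceJoined'] -eq 'YES'   # current user registered the device

    $kind = if ($aad -and $dom)     { 'Hybrid Azure AD joined (AD DS + Azure AD)' }
            elseif ($aad)           { 'Azure AD joined (organization-owned)' }
            elseif ($dom -and $wpj) { 'Domain joined; user also Azure AD registered' }
            elseif ($dom)           { 'Domain joined only (AD DS)' }
            elseif ($wpj)           { 'Azure AD registered (personal device)' }
            else                    { 'Workgroup / not joined to any directory' }

    [pscustomobject]@{
        JoinType        = $kind
        AzureAdJoined   = $aad
        DomainJoined    = $dom
        WorkplaceJoined = $wpj
        DomainName      = $state['DomainName']
        TenantName      = $state['TenantName']
    }
}

# Constructed sample in dsregcmd's layout, trimmed to the rows the parser reads.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusLines $sample   # analyse the constructed sample
Get-DeviceJoinState                        # analyse this machine
```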
There are some significant differences between AD DS and Azure AD, and it's important you understand those. Devices joined to an AD DS domain must run a supported operating system, so it's going to be Windows of some sort. Devices in AD DS are mostly managed using Group Policy Objects, or GPOs, or Microsoft System Center applications. Devices capable of joining an AD DS domain usually access on-premises applications and services, so SharePoint Server and Exchange Server. In Azure AD the scope of devices that are capable of joining is much wider, so as well as Windows devices you can also add iOS devices, macOS, Android; there's a range of different things that your users can use to gain access to cloud-based resources. When you join a device to Azure AD you make it fully capable of accessing those cloud resources and you provide for single sign-on. You can't manage devices by using Group Policy any longer, but you can use Microsoft Intune or Microsoft Device Management to manage and provision or configure these devices. It is also possible to migrate some of your Group Policy settings over to Intune and perform management in a similar way to the way that you might with Group Policy, or more accurately perhaps with similar settings; the process is quite different.

Benefits of Azure AD joining include single sign-on; Enterprise State Roaming, which means the ability for you to synchronize your settings across your cloud-based devices; access to the Microsoft Store for Business, that's a customizable storefront that you can use to make available particular applications rather than allowing users to browse the consumer store and download any kind of app that they want to, so you can exert more control, and assuming you have the appropriate subscription you can then customize your storefront; Windows Hello is supported, so that's sign-in using multi-factor, including biometrics; restriction of access; seamless access to on-premises resources. But when you're making the decision to Azure
AD join, you can also use Azure AD registered. Registration is typically used for users' own devices; joining is used for organization-owned devices. Azure AD registered devices have an identity in Azure AD, and you can associate those with conditional access policies, which determine whether or not a device can connect and how it connects. Azure AD joined devices are similar to Azure AD registered devices, but you can also manage them, so you have much more control. Typical device management tasks might include updating devices with software patches, deleting devices from the organization perhaps because they've become lost or whatever; you can view information about a device; you can view BitLocker information, which is whole-drive encryption for a device.

So let's take a look at some of these tasks now. I'm going to show you how you can configure Azure AD join, I'm going to show you how you can navigate the Azure AD portal, and I'm also going to show you some of the properties of the Microsoft Device Management portal. So this is the Azure AD portal. It's actually the Azure portal, but I've selected the Azure Active Directory node, and you can see a list of properties down here: we've got Users and Groups and Devices and Licenses, and the Azure AD Connect feature here, which allows us to synchronize between an on-premises and a cloud directory service. We can configure company branding, this is Contoso here, but you can configure what that looks like when users sign in, and a variety of other things that we can configure. I'm going to go to Devices and then under Device settings I'm going to select the option Users may join devices to Azure AD, and I can either specify that's going to be Selected users, typically by group name, or All. I'm going to choose All and save that, so now anybody can join their device to Azure AD. So if I go back now to Contoso here, I'll just show a few things that you can look at in the Azure AD portal. There's a list of users, and you can see that these are all Azure
AD users. If you've synchronized, it would show that they were sourced from Active Directory, or AD DS. I can add a new user here, click New user, and then use this blade, that's what these pop-outs are called, to configure the user account and then to add it to groups and configure properties. I won't do that right now; I'm just going to give you an overview of the environment. I can have a look at Roles and administrators here, so I can configure specific security roles to perform certain tasks. Some of these are already defined, but I can create my own: Billing administrator, Cloud device administrator and so on, so I can be very specific about who can manage what within my enterprise. And on the Devices node I can have a look at all devices; I have none at the moment, none are registered or joined. We already looked at Device settings, and I can also configure Enterprise State Roaming, which allows users to synchronize their settings across the environment. So I just enable that, All, here, and if they sign in on one device and make changes to settings, those will synchronize to their other devices.

Let's also have a look at the Intune portal, or the Microsoft Device Management portal. So now, the first thing I want to draw attention to is, if I select Users in the navigation pane you should see the same user accounts. That's not surprising; they're lifted from Azure AD and presented here in a list of all users, so they're the same user accounts that we looked at, and I can manage them here just as easily as I can manage them through Azure AD. Likewise for groups. But there are lots of other interesting things that I can do. If I want to allow users to enroll their devices into device management, I can configure that behavior for different types of device, so different operating systems, and with Windows enrollment I can also enable automatic enrollment if I want to. Down here on Devices I can have a look at the devices that are listed. I've got one listed here that's somewhat out of date; I think that's been
removed. In fact, it obviously hasn't realized it yet, so I'll click Refresh in a second. I can also have a look at Azure AD devices, and then I can perform and monitor device actions here. Also, for managing things like software updates, I can create update rings for devices; that allows me to determine how Windows 10 updates are distributed to my registered and joined devices. I can also configure applications here, the Client apps node, and I can create new apps and assign those to groups, groups of users or groups of devices, as you can see here, so that makes those apps automatically available on those devices. There are a lot of things that you can do with the Intune portal, the Microsoft 365 Device Management portal as it's now called.

So, on my Windows 10 device, open up the Settings app, go to Accounts, go to Access work or school, click Connect. Now type in the address; this is my Azure AD account. So now I need to enter the password and then sign in. You'll notice it's identified the Contoso organization and there's the Contoso branding appearing. OK, that's that done, and if we switch to the portal we can see that there's a device here. That tells us we haven't evaluated it for compliance or anything, but it's been joined, and then we can have a look at any information down here if we want to. But nevertheless that's now been added, and there we've got Contoso 565; it's an Azure AD device, it's Azure AD registered rather than joined at the moment, it's not compliant, but we can look at that later. So in the demonstration I showed you how to enable and then later to configure Azure AD join, then we looked at the Azure AD portal and had a quick review of the Microsoft Device Management or Intune portal.

This is lesson four, configure data access and protection. In this lesson we discuss managing shared folders, file system security and shared folder security. In the lesson you'll learn how to manage shared resources and manage file system permissions. The hands-on demonstrations in this lesson include creating
a shared folder, assigning permissions on a shared folder, managing shared folders, enabling public folder sharing, securing a folder and verifying effective access on the folder.

A shared folder is one that you have made available to other users on your network. Generally shared folders are stored on file servers or network storage devices. Shared folder permissions control access to the content of your shared folder. You can share folders in a number of ways: you can use the Computer Management snap-in, you can share from the command prompt, you can use a number of Windows PowerShell cmdlets, and you can share from File Explorer. As you can see here, in Computer Management under the Shared Folders node there is a Shares node; right-click that and select New Share, and then a wizard is raised that allows you to create the shared folder. From the command prompt, use the net share command. You can see here in the example net share is followed by the name of the shared folder and then an equals sign pointing to the physical location of the folder, and then using the /grant switch you can specify that the group Sales, in this case, has Change permissions. There are a number of additional net share options. /grant, and then the user name or group name and then the permission, allows you to specify permissions for the shared folder: Read, Change or Full. The /users switch specifies the number of users that can concurrently connect to the shared folder; this can also be specified in the user interface. You can use the /remark switch to specify a description of the shared folder. /cache enables you to specify offline file caching options for the shared folder so that users can work offline when disconnected from the share. And then if you want to remove a share you can use net share, the name of the share, and the /delete switch to remove the share. If you're taking the MD-100 exam you should have at least a passing understanding of how to use Windows PowerShell for share management.
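The share-management commands the lesson has just listed, worked through end to end in PowerShell as an added example (this is not the course's own code or slide material). It creates the folder, shares it with the permissions the demonstration later in this lesson arrives at (Sales: Change, no Everyone entry, offline caching off), then secures the folder behind the share with the NTFS permissions that the file system security part of this lesson describes, since the two permission sets always apply together, and finishes with the checks a practitioner runs afterwards. The folder C:\Data\Marketing, the share name Marketing and the local group Sales are assumptions; the group is created if it does not exist. Run it in an elevated PowerShell session on Windows 10.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the course. Assumed names: folder C:\Data\Marketing,
# share "Marketing", local group "Sales" (created below if missing).
$Path      = 'C:\Data\Marketing'
$ShareName = 'Marketing'
$Group     = 'Sales'

if (-not (Test-Path -LiteralPath $Path)) {
    New-Item -ItemType Directory -Path $Path | Out-Null
}
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'Example group for the share demo' | Out-Null
}

# --- 1. Share permissions -------------------------------------------------
# New-SmbShare with no access parameters gives "Everyone: Read". Naming an
# access parameter replaces that default, so only Sales is listed, with Change.
# Revoke-SmbShareAccess is a belt-and-braces check that Everyone really is
# gone. -CachingMode None is the "no files or programs available offline"
# choice from the Caching dialog; 20 is the Windows 10 connection limit.
if (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue) {
    Remove-SmbShare -Name $ShareName -Force
}
New-SmbShare -Name $ShareName -Path $Path -ChangeAccess $Group `
    -CachingMode None -ConcurrentUserLimit 20 -Description 'Marketing data' | Out-Null
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force `
    -ErrorAction SilentlyContinue | Out-Null

# --- 2. NTFS permissions on the folder behind the share -------------------
# Stop inheriting from C:\Data but keep the inherited entries as explicit ones
# (the "Convert inherited permissions into explicit permissions" choice), then
# drop the broad built-in entries and add Sales with Modify applied to this
# folder, subfolders and files, i.e. (OI)(CI) in icacls terms. Modify rather
# than Full Control: no Change Permissions, no Take Ownership.
$acl = Get-Acl -LiteralPath $Path
$acl.SetAccessRuleProtection($true, $true)   # isProtected, preserveInheritance (copy as explicit)
Set-Acl -LiteralPath $Path -AclObject $acl

$acl = Get-Acl -LiteralPath $Path
$broad = @($acl.Access | Where-Object {
    $_.IdentityReference.Value -in 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users' })
foreach ($rule in $broad) { $acl.RemoveAccessRuleAll($rule) }

$salesRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Group,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($salesRule)
Set-Acl -LiteralPath $Path -AclObject $acl

# --- 3. Checks ------------------------------------------------------------
# The share ACL, the NTFS ACL with its IsInherited column showing which
# entries are now explicit, and the same ACL as icacls prints it.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -LiteralPath $Path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited, InheritanceFlags -AutoSize
icacls.exe "$Path"

# Who is connected and what they hold open: the same view Computer Management
# gives under Shared Folders > Sessions and Open Files.
Get-SmbSession  | Format-Table ClientComputerName, ClientUserName, NumOpens -AutoSize
Get-SmbOpenFile | Format-Table ClientUserName, Path, ShareRelativePath -AutoSize
```

The NTFS step re-reads the ACL after protecting it so that the entries being removed are the explicit copies, not the original inherited ones (RemoveAccessRuleAll has no effect on inherited entries). If you prefer the lesson's other model, share at Everyone Full Control and rely on NTFS alone, replace -ChangeAccess $Group with -FullAccess 'Everyone' and leave step 2 unchanged.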
It's relatively straightforward to create a share: New-SmbShare, that's the verb-noun pair for Windows PowerShell, followed by the -Name parameter with Marketing as the name given here, and then the -Path parameter and then the path to the folder, in this case E:\Data\Marketing. Some of the other cmdlets are Get-SmbShare to list the existing shares on a computer; Get-SmbShareAccess to list the access control list of the share, that's the permissions list of the share; New-SmbShare to create new shares, which we've already seen; Set-SmbShare to modify the properties of an existing share; Remove-SmbShare to delete a shared folder; and Grant-SmbShareAccess to set the permissions on an existing share.

Also available for sharing is the Share tab in File Explorer. Navigate to the appropriate folder and then from the menu select the Share tab, and then you can use the access controls here to determine the level of access that individual users or groups will have. You can also right-click a folder and choose Give access to and then Specific people. The advantage of using the Share tab or Give access to is that not only does it create the shared folder and set permissions on the shared folder, but it also configures the underlying file system permissions at the same time. Advanced Sharing gives you more control but does not allow you to configure the file system permissions at the same time. Right-click a folder and choose its Properties, and then select the Sharing tab as shown here, and then click Share and specify the shared folder name as indicated, the maximum number of concurrent connections, and then permissions and caching options for offline access. And for the level of access that users have, shared folder permissions are relatively straightforward. There are three to choose from: Full Control, which gives complete access; Change, which is most access; and Read, which is obviously the ability to open files and to list the contents of a folder. If you're
looking at a program area, you can execute the programs that are stored within that shared folder. The default share permissions are for the system group Everyone: Read.

You can also use public folder sharing. You can share Public Documents, Public Downloads, Public Music, Public Pictures, Public Videos, and these are all stored in C:\Users\Public. It's a very convenient way of setting up a simple shared folder network, but it doesn't provide you with the level of security control that you probably need in a domain environment. To enable public folder sharing you need to go to the Network and Sharing Center and choose Advanced sharing settings, as shown in the dialog here. You can then turn on or off public folder sharing as you see fit, and you can enable password protected sharing.

In the demonstration I'll show you how you can create a shared folder, assign permissions on that folder, manage existing shared folders and enable public folder sharing. OK, so I'm going to show you how to share a folder. I'm going to use a command prompt first of all, and then I'll show you how to do things in File Explorer. First of all let's navigate to the folder itself. There's a folder called Data in drive C; it's not currently shared. Let's open up a command prompt. Now if I type net share, it will show me that there are three default shares: the root of drive C, IPC$, which is an inter-process communication share that's for remote management, and ADMIN$, which points to the C:\Windows shared folder. Notice that they all end in a dollar sign. That's interesting, actually; it's worth mentioning that any shared folder you create that you put a dollar sign in the name of is hidden from the browse list. So if I browse this computer from across the network I won't see these three shared folders; I have to name them explicitly, so to connect to them I'd have to know that there is a share called C$. To share a folder, type net share, then the name of it, Data, and that it is C:\Data, and then I can specify
permissions if I want to. I'll keep it simple for now and just go with the default values, and if I type net share again you can now see there's a Data folder shared. If I go back to File Explorer and choose Properties and click on the Sharing tab, you can see that it's shared, so we're easily able to do that from the command prompt. For now I'm just going to disable that share: I'm going to choose Advanced Sharing and clear the box for Share this folder and click OK, and now that folder is no longer shared, and if I were to type net share again you see that it's no longer there. Let's just minimize that for now.

To share using the Share tab, if I click on a folder now and click Share and then choose a particular individual, for example Dave or Sally, or Specific people, I can then share the folder. This is quite a simple way, or basic way, of creating a share. I'm going to say Sales, as there's a group called Sales on this computer, and I can set the permissions as being Read or Read/Write. You'll notice that's not the same terms that I used in the slide deck a moment ago; that's because when you choose this basic file sharing mechanism it uses simpler terms, Read and Read/Write. One of the very interesting things it does when you share a folder in this way is it also configures the NTFS file server, sorry, file system permissions to match. I'm not going to share it that way; I'm going to click Cancel for now.

So normally how I'd share a folder, certainly on a file server, is to right-click it and then choose Properties and then click the Sharing tab and then choose Advanced Sharing. This gives me a lot more control. First of all I select the box for Share this folder. Notice how the share name defaults to the folder name. Now that's great, but obviously you may well have folders that have similar names or the same name, and you may soon exhaust the possibility of going down that route; you can't have two folders with the same share name, so you might want to specify something else there. I can limit the number of
simultaneous users; it defaults to 20 on a Windows 10 computer. And then I can click Permissions and specify the level of access that people have to this shared folder. Bear in mind we also have to configure the underlying file and folder permissions on NTFS, but we'll deal with that in a later session; for now these are the only permissions that the users will experience. As you see, it defaults to the Everyone group, Read permissions. You can choose Full Control, Change or Read. Deny permissions that you set will override any Allow permissions. So I'm going to set Change permissions, but I don't really want to use the group Everyone, that's not very secure, so instead I'm going to click Add and type in Sales, and I'm going to configure Sales to have Change permissions, and I'm going to remove that Change permission for Everyone. So anyone can connect to this shared folder and can see the contents and open the files at the moment, but only Sales can modify the contents, in other words create files and folders and modify their contents. If I want to make this folder available offline I can click Caching and specify one of these several options: only the files and programs that users specify are available offline, so a user connected to this shared folder would need to right-click a file or a folder in the share and say make that particular file or folder available offline; or no files or programs are available offline; or all of them are available automatically. That can have quite an impact on performance if you are dealing with a large amount of content in a shared folder. I'll click Cancel to that for now. OK, so I'm happy with that, I click OK, the folder is now shared, and I click Close.

Once you've shared some folders you may want to manage them. Now although you can manage them from within File Explorer, right-click, Properties, Sharing and go from Advanced Sharing, you can also use Computer Management: right-click Start, choose Computer Management, and if I click on the Shared Folders node and
then click on Shares, you can see the shared folders, the three default folders and also the one that I've just created, and then I can stop sharing or I can look at the properties from here. And again I can configure offline settings, limit the maximum number of people that can connect (although it says Maximum allowed here, that's still 20 on a Windows 10 computer); on the Share Permissions dialog I can specify permissions for Everyone and in this case for Sales, where I can add and remove users; and then I can also look at the underlying file system security from that node. I'm going to talk about file system security shortly. My recommendation to you would probably be, if you are relying on NTFS file permissions to secure resources, then probably the sensible thing to do is to leave the share permissions at Everyone Full Control. That might sound like it's a time to ring the alarm bells, but if you think about it, and we'll discuss this shortly, that makes your life a lot easier as an administrator and allows you to rely on one set of permissions only; it provides for administrative clarity. I can also create new shares from within Computer Management, as you can see here.

Now not everyone's going to be as concerned with the detail of setting up shared folders. They might instead be more interested in just enabling access between a small collection of computers, maybe in a workgroup environment. Now Windows 10 also supports a homegroup, something we'll be talking about later, but within a workgroup you can also enable public folder sharing. You configure public folder sharing by opening up the Network and Sharing Center, click on Change advanced sharing settings, and you can see here that we've got network discovery enabled; that's because we're connected to a private network at the moment, and we have file and printer sharing turned on. We don't have any homegroups set up, but we have the ability to allow Windows to manage homegroup connections; we can turn that on or
off as we want. If you scroll down and click on All Networks, you can specify an encryption level for accessing public sharing, and you can turn on password protected sharing or turn it off. So if you enable public folder sharing within a workgroup, by default users are prompted for passwords when they try to connect between folders on different machines. There's nothing for me to reconfigure here. I can turn on sharing so anyone with network access can read and write files in the Public folders, or turn it off, so I'll turn it on now, Save changes, and now the Public folder content of my computer, which is under Users\Public, is accessible from other computers in the workgroup. I mean, that's a bit of a security concern, but in a workgroup environment, two or three machines, it's a convenient way, I guess, of sharing content and other resources.

One other thing that's worth looking at: if I switch back to Computer Management, you can also see under the Shared Folders node you've got a Sessions and an Open Files node. This shows you who's connected to your computer, and you can see here that a user called Andrew is connected from a computer called cl1.person.com, OK, that's this computer actually, and has been connected for a period of time. They're not signed in as a guest; they've got a legitimate user account on this machine. If Andrew was to open a file you'd see that listed under Open Files. So let's see that now. If I flip back to File Explorer, I've mapped a network drive and there's a folder in Marketing that contains a file. I'm going to open that file with, let's see, WordPad. Now I don't have permissions to save that because I'm not in the appropriate group, but I've opened the file to read it. If I flip back to Computer Management now, you can see that I've got a connection to the Data folder and the Marketing folder. I don't have any file locks because I've only got read access. So it's a very useful way of seeing who's connected to your computer and what they're doing. I can also close
files down if I want to. In the demonstration you saw how to create a shared folder, assign permissions on that shared folder, manage the shared folder and enable public folder sharing.

Assigning file and folder permissions allows you to control access to those file resources. Before you share any folder you should probably secure it using the file and folder permissions. Both NTFS and ReFS volumes can be configured with file and folder permissions. NTFS is the more typical file system you'll encounter in Windows 10. ReFS is usually encountered on servers, but it's still supported on Windows 10 in certain circumstances; it's typically for very large volumes. You can configure file and folder permissions in a number of ways. Typically you'll use File Explorer, but you can also use the command prompt and of course Windows PowerShell cmdlets. To use File Explorer, navigate to the appropriate folder, right-click the folder and choose its Properties, and then, as shown in the dialog here, select the Security tab. On the Security tab you can view, and then if you want modify, the permissions for particular users and groups. It's a good school of thought, actually, to always try to use groups to assign permissions; then if users move between job roles you merely need to add or remove them from groups rather than revisit the permissions that you've assigned to their user accounts. You can see in the dialog here that some permissions have been assigned but they seem to be inaccessible; they're greyed out, they're faded. Those are permissions that have been inherited. It's a good technique to group like folders together so that you can rely on the notion of inheritance, because by default subfolders always have the same permissions as parent folders. From the command prompt you can use the icacls command, and you specify the name of the folder in quotes here, and then use the /grant switch with the name of the group, in this case Accounts, and then a colon and then the level
of permissions that you want to specify. The problem with using icacls, assuming you can pronounce it, is that it can be very easy to inadvertently overwrite permissions rather than to modify permissions that you've already created. So if you wanted to make a change, for instance, I mean if you're very confident with the syntax that's fine, but on more than one occasion I've overwritten when I meant to add additional permissions. It's less easy to do that wrong when you're using the user interface, so I feel that setting file permissions from the command prompt is something that you only do in relatively rare circumstances, but it's important to know how to do it. Some of the options you can use with the icacls command are: /grant, which grants permissions and replaces any existing explicit permissions, that tends to be the thing that I always do wrong; /deny, where you can deny specific permissions. Now it's worth mentioning at this point that permissions that have been denied override permissions that have been allowed, so if you grant a permission, that's an Allow permission, as opposed to a Deny permission, the Deny permission takes precedence. You can use the /reset command to replace any specified ACLs with default inherited ACLs, or access control lists, that's the permissions list. Using F allows you to specify full access, M for modify access, and this is a general point really: always be sparing about assigning full access on folders or files. Full access gives the full range of all 13 individual permissions, and in most circumstances that's not necessary. If a user has that level of access they theoretically can grant themselves exclusive access to the file or folder, because they can take ownership of the folder if they don't have sufficient permissions, and if they do have the Change Permissions permission they can change permissions as well. So those two extra permissions, the Take Ownership and the Change Permissions permissions, should be
granted sparingly. Modify is usually sufficient for a data area. I would use full access for users' personal storage areas and Modify for departmental folders. RX is read and execute; that's the typical level of access for application areas or for templates and things like that. Read-only access, that's OK if you want to look at the contents of things but not necessarily be able to run them, so more typical for data areas rather than program areas. Write-only access, it's a curious permission, that one; again, not likely you'll use that. The three that you tend to use are Full Control, Modify and Read & Execute, but you may find specific circumstances where the write-only access is appropriate. (OI) in brackets is object inherit, and (NP) in brackets is do not propagate inherit.

These are the available file and folder permissions. Obviously the permissions vary slightly if you're applying them to an individual file, because with a file there's no inheritance, but a folder can contain files and of course can contain subfolders, which in turn can contain files and folders. Full Control allows reading, writing, changing and deletion of both files and subfolders, and allows modification of permissions on folders; slightly differently, applied to a file, it allows reading, writing, changing and deletion of the file and allows modification of permissions on files. Modify allows reading, writing, changing and deletion of files and subfolders but does not allow changing permissions, and that's the key thing; that's why Modify is the more appropriate permission, generally speaking, to apply to data areas. Slightly different on a file: it allows reading, writing, changing and deletion of the file but does not allow changes to permissions, so again you'd have no concept of inheritance. Read & Execute allows the content of the folder to be accessed and executed, and when applied to a file allows the specific file to be accessed and executed, or run is what we mean by executed. List Folder Contents doesn't mean anything when applied to a
file, because obviously it's not a folder, but it allows you to view the contents of a folder when applied to a folder. That can be useful when you're navigating through a folder structure to get to somewhere where you have a higher level of access. Read allows the content to be read, similar to when applied to a file, but it doesn't allow you to execute the file. And Write allows the addition of files and subfolders, and when applied to a file allows a user to modify but not to delete a file. That sounds a curious combination of permissions, but there are circumstances where that is necessary for particular applications. But once again, generally you're going to be using Full Control, Modify and Read & Execute, and generally you will apply those to folders and use inheritance to apply them to subfolders.

The advanced permissions are effectively all of the individual permissions, so we've got Traverse Folder/Execute File, List Folder/Read Data and so on; you can see them all here. We don't normally use what are known as advanced permissions; we tend to apply the standard combinations of Full Control, Modify and Read & Execute. Read & Execute is a combination of about four or five permissions: it's the List Folder/Read Data, Read Attributes, Read Extended Attributes permissions and Traverse Folder/Execute File, whereas Modify is everything except Change Permissions and Take Ownership, and Full Control is all of them. Advanced Security Settings allow you to view the current permissions. You can see here in the screenshot we have Allow permissions that have been assigned for a number of users or principals; the level of access is Full Control and Modify and Read & Execute, depending on which group we're talking about, and you can see also that the permissions on this folder, which is E:\Data\Accounts, have been inherited from the root directory of E. You'll also notice the Auditing and Effective Access tabs. If you've enabled auditing through the account policy, then you can click the
Auditing tab here and you can configure auditing on this particular object, but you must have enabled object level auditing already. The Effective Access tab is useful for determining who has permissions. Sometimes that can be quite obscure: if you've got lots of permissions that have been assigned directly to a user and others to a group of which the user is a member, some of which are Allow, some of which are Deny, it can sometimes be quite difficult to work out what's going on, so the Effective Access tab allows you to view the effective access for a specified principal. You'll also notice down the bottom here we've got a Disable inheritance button; that allows me to remove the inheritance. At the moment all permissions are being inherited. If I remove inheritance then I can configure things to have a blank or empty access control list and start afresh, or I can say copy the permissions that I'm currently inheriting but make them explicit permissions from this point forward. I've also got the option to replace all child object permissions with the inheritable permissions from this object, so if for example I had removed inheritable permissions further down the tree, I could replace those explicit permissions with fresh inherited permissions. So there are a number of controls that you have from the top level, but if you group things in a sensible manner you're probably going to be able to rely on inheritance to configure permissions correctly.

So as we can see here, in inheritance, I select to disable inheritance and I'm prompted for Convert into explicit permissions or Remove. Note, by the way, that explicit permissions override implicit or inherited permissions. I mentioned earlier that Deny permissions override Allow permissions, so now that raises an interesting question: what happens when you've got Allow and Deny and the notion of inherited and explicit, or implicit versus explicit? I'll come back to that in a second. When you copy files and folders they inherit the permissions of
the target folder. When you move files and folders in the same volume, the same drive, they retain their explicit permissions. When you move files and folders to a new volume they inherit the permissions of the target folder. When you're trying to determine what's going on, the Effective Access tab, as I already mentioned, allows you, as you can see here, to select a user, in this case Sally, and then determine her effective access. As you can see here she has what looks like Modify permissions, because she doesn't have Full Control but she seems to have most of the others; I'd have to scroll down to get a complete list. That can be very useful in certain circumstances when you're not sure exactly what permissions people have.

In the demonstration I'm going to show you how to secure a folder and then verify effective access on the folder. So open up File Explorer and go to This PC and navigate to a folder called Data. Let's have a look at the permissions on Data first of all, to see where we're starting from. If I click on Properties and click the Security tab you can see that Authenticated Users, SYSTEM, Administrators and Users have been assigned a level of access. You can also see what that access is, but note it's light grey; that's telling me that the permissions that have been assigned to this folder have actually been inherited, so there are no explicit permissions on the C:\Data folder, they are all inherited permissions. To change the permissions I click either Advanced or Edit, depending on what I'm trying to do. So click Edit here and add a new user, let's say Dave, I think there's a user called Dave, there is, click OK. Dave now has Read & Execute, List and so on down here. I'm going to grant him Full Control and click OK, and you can now see in the security list there's Dave and he has these permissions, which are not grey anymore; they're listed as bold check marks because he has explicit permissions on the folder, whereas these people have inherited or implicit permissions. So that's easier; that's
how you change permissions very straightforward so i'll click ok to that let's go to the subfolder marketing and look at its permissions and we can see something interesting here dave has got inherited permissions on that subfolder this is the cornerstone of setting up file and folder security if you group your folders together in a sensible logical manner then it's very easy to configure file system security you do it from the top down and rely on inheritance but suppose dave doesn't or shouldn't have permissions on the marketing folder well in this instance then you could change things you could click edit here select dave and you can remove his permissions now as you can see it's telling me i can't do that hang on because i'm actually inheriting permissions so there's nothing actually to turn off so what i'm going to need to do is something slightly different i'm going to click on advanced and i'm going to have to disable inheritance on this folder i'm going to convert inherited permissions into explicit permissions i'm just going to show you what that looks like by clicking ok and you can now see that all the permissions that were previously inherited and were indicated as being such by having a gray checkbox are now specific permissions or explicit permissions on this folder and now i can choose edit and i can select dave and choose remove so that's the difference i hope you've seen that between implicit inherited permissions and explicit assigned permissions okay so now i'm going to say set some permissions on the sales folder i'm going to start by changing the data permissions let's go to data first of all right click choose properties select security i'm going to remove david from there authenticated users click ok and now click ok to that and something interesting suppose i've got a large folder structure in place beneath i've got two subfolders as it happens but suppose i had hundreds of subfolders what if i wanted to change the topic level permission and 
have that percolate down through the organization well i could do that too and click on advanced here and i can say replace all child object permission entries with inheritable permissions from the object so in other words i'm removing explicit permissions that are assigned further down the tree with implicit permissions from this point forward and if we were to take a look at the subfolder marketing for example we should now see only inherited permissions so you've got the option to from a child go to properties security and you can then choose to disable inheritance and from a parent you can go to the advanced button here and say replace all child object permissions once you've reconfigured so that's a very convenient way of managing the issue of inheritance so now let's set things up properly at the moment on the data folder authenticated users have modified permissions that's maybe a bit high so i'm going to change things a little bit go to advanced and disable inheritance and convert everything to specific permissions and then i should be able to remove authenticated users permissions i don't want them to have full control i want them to have the ability to read execute only so i'm going to remove modify i'm going to remove right and i'm just going to leave them with read execute list folder contents and read so they should be able to navigate through the data folder i'm going to leave the system administrators in as they are users already only have the appropriate permissions so if i sign in as a user and navigate through data i can't do anything with the data next i'm going to grant permissions on marketing for marketing users and the easiest way to do that is to use a group that's if i spell it correctly that's better marketing and i'm going to grant the marketing group modify permissions remember avoid using full control unless it's absolutely necessary and on the sales group i'm going to similarly change that and i'm going to grant the sales users modify 
permissions and everything else is inherited so i'm happy with that now i could sign in as a user that's a member of sales and a member of marketing but instead i'm just going to check who those people are let's open up computer management and click on local users and groups if i click on groups i've got sales and marketing who belongs to marketing sally and under sales i've got dave so let's look at the marketing properties security and i'm going to choose something i think there i'm going to click advanced and choose effective access i'm going to select a user called sally and then view effective access for sally so you can see that sally has permissions traverse folder execute files and so on doesn't have the ability to delete subfolders or change permissions or take ownership so she has modified permissions and i guess that's through the membership of her group let's now select a different user and you can see that dave because he doesn't belong to the marketing group and therefore hasn't got special permissions on the marketing folder has the ability to basically read so you can read attributes extended attributes read files list folder and read data and traverse folder and execute file so in other words read type permissions so that's looking exactly how i want things to be so in the demonstration you saw how to secure a folder and verify the effective access on the folder now earlier i posed a question what would happen if you had allow permissions and deny permissions and implicit versus explicit so let's just summarize that it's helpful for the exam actually if you've got allow permissions and deny permissions on the same object then the deny permissions take precedence so even if you've been allowed full control if you've been denied read control you'll have a quite complicated scenario but you'll have fewer permissions than full control because the ones you've been denied will be overriding those that you've been allowed if you've got explicit 
permissions versus implicit or inherited permissions the explicit permissions win so if you've got a subfolder where you have a higher level of access that you've been specifically assigned through explicit permissions then those will trump any that you have at a higher level that have been inherited but the question gets a bit more complicated when you're talking about deny and allow and inherited versus explicit effectively explicit permissions will always trump so explicit allow will beat inherited deny whereas usually deny always wins so that's the exception and that's definitely worth bearing in mind for the exam one final point to configure is how shared folder and ntfs permissions combine so you can see here we have a permissions for managers set for everyone to be full control on the shared folder and yet on the file system we have managers are having modified permissions they don't have full control so which level of access do they have well microsoft say that the least permissions apply so in this case the lease permissions the fewest businesses if you like are modify so even though a person signing in who belongs to the managers group also belongs to the everyone group and although they have full control permissions through the shared folder when they arrive at the file system they'll only ever get modified permissions and because that's the least permissions that's the level of access that they will have if someone else signs in with them who don't belong to the managers group then a different assignment takes place so the lease permissions apply i would tend therefore to do what i've done here which is to assign the everyone group full control of every shared folder that i create so long as the underlying folder is on the ntfs or rafs file system and has been secured properly because that means that the determining factor is the permissions on the folder not on the shared folder the shared folder merely then is a portal to the file system and you might 
wonder why we have two levels of permissions in the first place and that's historic that's because originally there was no mechanism to secure the file system the fat file system file allocation table system had no permissions and that was the file system that was used so it's historic some administrators would recommend mirroring the settings so they match and you can do that if you share things through the grant access to mechanism that i mentioned in the last lesson that synchronizes the permissions and that's a perfectly acceptable approach but to my mind it's unnecessary if the determining factor is the lowest level of permissions then simply set the permissions on the shared folder to be everyone full control and then the determining factor is the permissions that you have on the folder itself this is lesson five configuring devices by using local policies in this lesson we discussed the registry implementing local policies configuring group policy objects filtering gpos and troubleshooting gpos during the lesson you'll learn how to configure the registry implement local policy configure gpos filter gpos and troubleshoot the application of gpos the hands-on demonstrations in this lesson include viewing the registry hives and their contents editing the registry exporting entries from the registry editing the local policy creating a gpo configuring common gpo settings applying gpo settings filtering gpos blocking inheritance enabling enforcement troubleshooting the application of gpos from the client and testing the application of gpos from the server the registry is a configuration database it's stored physically in two component parts a single file nt user.dat is stored in the user's profile folder and a collection of files stored in the c colon backslash windows system32 config folder contains the computer element prior to the registry windows configuration was handled by simple text files which provides for little resilience and almost no security 
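Returning to the file and share permissions demonstration earlier: the following PowerShell is an added example, not code from the course, that scripts what was done in the GUI on C:\Data (disable inheritance and convert to explicit, cut Authenticated Users down to Read & Execute, grant the department groups Modify, share with Everyone Full Control so NTFS decides). It assumes Windows 10 with PowerShell 5.1, local groups named Marketing and Sales as in the demo, and an elevated prompt.

```powershell
# Added example (not from the course): scripts the C:\Data demonstration with the
# .NET FileSystemSecurity classes and the built-in SmbShare module.
# Assumes local groups "Marketing" and "Sales" exist and the prompt is elevated.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$Root = 'C:\Data'
$null = New-Item -ItemType Directory -Force -Path "$Root\Marketing", "$Root\Sales"

# Builds an ACE that applies to "this folder, subfolders and files".
function New-FolderAce {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Type)
}

# Step 1: Advanced > Disable inheritance > "Convert inherited permissions into
# explicit permissions". First $true stops inheriting from C:\, second $true
# keeps copies of the inherited ACEs as explicit entries.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Root -AclObject $acl

# Step 2: Authenticated Users inherited Modify from C:\. Remove every ACE for
# that principal and grant Read & Execute only (navigate, but change nothing).
$acl = Get-Acl -Path $Root
$authUsers = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'
$acl.PurgeAccessRules($authUsers)
$acl.AddAccessRule((New-FolderAce $authUsers.Value 'ReadAndExecute'))
Set-Acl -Path $Root -AclObject $acl

# Step 3: each department group gets Modify on its own subfolder. Modify, not
# Full Control: members cannot change permissions or take ownership.
foreach ($dept in 'Marketing', 'Sales') {
    $folder = Join-Path $Root $dept
    $acl = Get-Acl -Path $folder
    $acl.AddAccessRule((New-FolderAce "$env:COMPUTERNAME\$dept" 'Modify'))
    Set-Acl -Path $folder -AclObject $acl
}

# Step 4: share permission Everyone = Full Control. Because the least
# permissive of share and NTFS wins, the NTFS ACL above is the deciding factor.
if (-not (Get-SmbShare -Name 'Data' -ErrorAction SilentlyContinue)) {
    $null = New-SmbShare -Name 'Data' -Path $Root -FullAccess 'Everyone'
}

# Step 5: report each ACE. IsInherited=True is what the GUI shows greyed out;
# False is an explicit (bold) entry.
function Get-AceReport {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        foreach ($ace in (Get-Acl -Path $p).Access) {
            [pscustomobject]@{
                Path        = $p
                Identity    = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Type        = $ace.AccessControlType
                IsInherited = $ace.IsInherited
            }
        }
    }
}

Get-AceReport -Path $Root, "$Root\Marketing", "$Root\Sales" | Format-Table -AutoSize
```

The Advanced-dialog option "Replace all child object permission entries" has a command-line counterpart, icacls C:\Data\* /reset /T /C, which discards explicit ACEs on the children so they inherit from C:\Data again.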
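As an added example (not from the course) of the two-part storage just described, this PowerShell reads the hivelist key, where Windows records the file behind each loaded hive, splits the result into the machine hives under System32\config and the per-user NTUSER.DAT files, and, looking slightly ahead to the HKEY_USERS mapping, confirms which entry belongs to the signed-in user. It assumes Windows 10 with PowerShell 5.1 and needs no elevation.

```powershell
# Added example (not from the course): shows which file on disk backs each loaded
# registry hive. Read-only; runs as a standard user.
Set-StrictMode -Version Latest

function Get-LoadedHiveFiles {
    # Each value name is a hive in kernel naming (\REGISTRY\MACHINE\..., \REGISTRY\USER\...);
    # each value is its backing file, or empty for a hive built in memory at boot.
    $item = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\hivelist'
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSProvider etc. are PowerShell metadata
        [pscustomobject]@{ Hive = $prop.Name; File = [string]$prop.Value }
    }
}

function Get-HiveLocations {
    $hives = @(Get-LoadedHiveFiles)
    [pscustomobject]@{
        # Computer element: SYSTEM, SOFTWARE, SAM, SECURITY, DEFAULT under C:\Windows\System32\config
        Machine  = @($hives | Where-Object { $_.File -like '*\System32\config\*' })
        # User element: NTUSER.DAT in each profile, plus the per-user UsrClass.dat class hive
        User     = @($hives | Where-Object { $_.File -like '*\ntuser.dat' -or $_.File -like '*\UsrClass.dat' })
        # HARDWARE is rebuilt at every boot and has no file behind it
        Volatile = @($hives | Where-Object { $_.File -eq '' })
    }
}

# Maps the signed-in user's SID to the HKEY_USERS subkey and the NTUSER.DAT that
# HKEY_CURRENT_USER is a shortcut to.
function Get-CurrentUserHive {
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $entry = Get-LoadedHiveFiles | Where-Object { $_.Hive -eq "\REGISTRY\USER\$sid" }
    $profileFile = Join-Path $env:USERPROFILE 'NTUSER.DAT'
    [pscustomobject]@{
        Sid               = $sid
        HkuKeyExists      = Test-Path -Path "Registry::HKEY_USERS\$sid"
        HiveFile          = if ($entry) { $entry.File } else { $null }
        ProfileFile       = $profileFile
        ProfileFileExists = [System.IO.File]::Exists($profileFile)   # hidden file, so not File.Exists-blind
    }
}

Get-LoadedHiveFiles | Format-Table -AutoSize
Get-HiveLocations   | Format-List
Get-CurrentUserHive | Format-List
```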
Internally, the registry consists of five hives: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG. Within the structure of the registry are values of a number of different types. REG_SZ values are strings; these may be bits of text or numbers, but they're treated as strings. REG_MULTI_SZ values are multiple strings, usually values separated by a space or a comma. REG_EXPAND_SZ values contain variables. You can see some examples of each of those here on the right-hand side: there's a REG_SZ which is not set at the moment, here's another which is a description, there's a REG_MULTI_SZ here which contains several entries, as you can see, RpcSs and ProfSvc, and then there's a REG_EXPAND_SZ down here which contains a variable, in this case %SystemRoot%\System32, the variable SystemRoot being the location of the operating system, C:\Windows. In addition to these strings we've also got binary values, REG_BINARY, and REG_DWORD, which are double words, or 16 bits of information. The most common that you'll use when you're editing the registry are strings, REG_SZ, and REG_DWORD. It's important when you're editing the registry to create values where necessary and make sure that you create them of the right type.

In this demonstration I'll show you how you can view the registry hives, and I'll talk a bit about their contents and what they do. I'll show you how you can edit the registry directly and how you can export and import entries from the registry. To access the Registry Editor, click Start and then type regedit.exe; press Enter to select the Registry Editor from the list of returned applications. You can see here, underneath the local computer, the top-level hives, or HKEYs: HKEY_CLASSES_ROOT, HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE, HKEY_USERS and HKEY_CURRENT_CONFIG. So let's have a look at what each of these do.

HKEY_CLASSES_ROOT contains file association information, amongst other things. You can see here, for example, the list of file extensions that you might typically find in Windows. There's .bmp for bitmap, and it tells us it's associated with an application called Paint.Picture, so if you find a .bmp file and double-click it, it will open up MS Paint. You can change those file associations by reconfiguring which application opens which type of data file, and that will have a consequent effect here in the registry for the next time that you try to access that type of data file. Now HKEY_CLASSES_ROOT is actually a shortcut to HKEY_LOCAL_MACHINE\SOFTWARE\Classes; you see the same information is stored here. It's not to say it's a duplicate; it's not a duplicate, it's a shortcut. So, to simplify things, when we consider the bits of the registry, the various hives of the registry, we can discount HKEY_CLASSES_ROOT as being a separate hive, because in reality it's merely a shortcut to a folder within the hive HKEY_LOCAL_MACHINE.

When a user signs in, their settings are stored in HKEY_CURRENT_USER. If they're signing in for the first ever time, their settings will be retrieved from the default user profile. When they sign out, the HKEY_CURRENT_USER portion of the registry is updated with any changes they've made to applications and to their user interface. HKEY_CURRENT_USER points to a data file called NTUSER.DAT in the user profile folder on the local hard drive. You see a list of the sorts of settings that might appear underneath the top-level hive. It's worth noting that HKEY_CURRENT_USER is a shortcut to HKEY_USERS and then one of these accounts here; each one of these represents a security ID. I'm signed in as an administrator, so I suspect that it's this one, but the point is we can discount HKEY_CURRENT_USER as being a separate entity, as a separate hive, because it's merely a shortcut to the list of users that have signed in on this computer in the past.

HKEY_CURRENT_CONFIG contains software and system elements that define the characteristics of the computer at a moment in time. Typically this is used when a computer such as a laptop is plugged into a docking station that may change the hardware characteristics of the device, so typically it might involve recognizing a new graphics adapter or a new connected monitor or an external keyboard or mouse or other peripherals. That information is retrieved and stored in HKEY_CURRENT_CONFIG, so it's a representation of the current configuration. That leads on to a couple of things. First of all, it's not something that we configure, because it's a representation of the perception of what's out there: the operating system is aware of the peripherals to which it's connected, so there's no point really in editing that, because it's a map of the current hardware. It's also a shortcut: it's a shortcut to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current, and that's the same information there. So once again we can discount worrying about HKEY_CURRENT_CONFIG.

So although there are five hives, we've actually managed to simplify things down into two of any significance. We've got HKEY_CURRENT_USER as being the currently signed-in user, although that's a shortcut to HKEY_USERS; whichever, we can't edit any of these other user accounts unless we're signed in with those user accounts, so it's HKEY_CURRENT_USER that becomes important here. And HKEY_LOCAL_MACHINE, which contains the shortcuts for HKEY_CLASSES_ROOT and HKEY_CURRENT_CONFIG. So HKEY_CURRENT_USER is used to build the user environment when a user signs in, and is updated when a user signs out so that those settings are retained, whereas HKEY_LOCAL_MACHINE contains the computer's configuration.

Let's look at that in some more detail now. If I expand out HKEY_LOCAL_MACHINE you can see a number of folders. BCD is the boot configuration data; that's the boot store, effectively, so when you add operating systems, if you configure multi-boot, that sort of thing, then those configuration changes to the startup environment are stored in the boot configuration data, which is reflected here in the registry. I wouldn't recommend that you edit BCD through the registry; it's far more appropriate to use some of the command-line tools or the automatic recovery tool for recovering the boot environment rather than using the registry to make those changes. Beneath that we've got HARDWARE, and again this is a map of the hardware. The operating system is able to detect changes in hardware and attached peripherals, so when you plug in a new peripheral it recognizes it, configures it and so on. There was a time once when you had to manually configure pieces of hardware with interrupt requests and DMA settings and so on. That's long gone; computers are sufficiently capable now that they can recognize and reconfigure devices to accommodate new peripherals. But HARDWARE presents us with a map of what's installed in the computer at a moment in time, and therefore there's no point in editing it even if we could, so we can disregard it. SAM and SECURITY provide for the Security Account Manager database and the local security policy. We don't edit either of those through the registry; we would instead go to Computer Management and set up new user accounts, or we would configure our account policy through the local security policy. That only really leaves us with these two nodes here: SOFTWARE and SYSTEM. SOFTWARE, as the name suggests, consists of a list of folders for each of the sorts of installed software that we have, so there are some components from Microsoft, from Intel and from Hewlett Packard. All of these will vary depending on the type of hardware and software that you've got installed. This is a Hewlett Packard laptop that we're looking at, so there'll be some Hewlett Packard and HP entries in here for various bits of software that that vendor has provided.

Beneath that is perhaps the more significant element: the SYSTEM element. SYSTEM consists of a large number of folders. We don't really have time to go through them all, but we can focus on a couple of quite significant points. First of all is this thing here called CurrentControlSet, and immediately above it is ControlSet001. Each control set, and there are usually two, occasionally more but usually two, contains the configuration, the low-level configuration, by which I mean things like device drivers and perhaps some of the services that are used to initialize the operating system. It's a bit of an oversimplification, but effectively the components that are required to start the operating system reside in the control set. Why are there several? Well, the feeling was, if you made a change to a device driver that resulted in the operating system having a blue screen or being unable to start in some other way, you would need a means for performing recovery, and at the time there was no easy way of doing that. So Microsoft built into the system this automatic rollback feature. Every time you make a change to the low-level configuration, it updates the current control set. The current control set is the one that's being used; it's the live one. When you restart the computer following such a change, if you experience a problem like a blue screen, you restart a second time, press F8 during the boot sequence and select Last Known Good. Last Known Good then takes the previous control set, in this case ControlSet001, and changes it to make it the current control set, therefore removing the changes that were made in that low-level device driver update. Now Windows 10 doesn't support Last Known Good, and it doesn't support pressing F8 during the boot sequence any longer, so those, in terms of recovery options, are no longer available, but for some reason they still reside here within the registry. So for our purposes we'll only ever look at CurrentControlSet, for a number of reasons: first of all because there are lots better ways of recovering Windows when it won't start than using Last Known Good, which I always felt was somewhat hit and miss, but also because there's no point making a change in the registry to the previous control set, because it's not going to be used for anything. So we only have a look at the current control set, and the rest of this, for the time being, we can ignore.

So beneath CurrentControlSet there are a number of folders, as you can see here: Control, Enum, Hardware Profiles, Policy, Services and Software. For most of the time it's the Services and Control bits that we're interested in. Remember, Hardware Profiles was a shortcut to the element that I mentioned earlier on, HKEY_CURRENT_CONFIG. But what lives under Control? Let's have a look. Well, this is what we call services, so when you stop and start a service, net start <service>, net stop <service>, or you go into the Services snap-in, services.msc, these are the things that you might typically stop and start. So they're not, strictly speaking, software; they sort of sit in that middle area between hardware and applications. Services, on the other hand, contains device drivers. I was always rather curious that the Services element should contain device drivers, but they're software components, low-level software components. Let's take a look at one, for example. Here's one called atapi, and on the right-hand side we have a number of values, which I'll go through in a moment to describe how these things work. So each one of these nodes represents some sort of device driver or very low-level software component. In this case atapi is the disk controller driver that's used to start the operating system from a hard drive. The ImagePath value tells me what the name of the driver is, atapi.sys for instance. It tells me it's grouped together with others of a similar nature, in a group called SCSI miniport, and it has a Start value of zero. That means it's a very low-level driver; it's one of the first to load when the operating system starts.

So let's find one that's a little bit further up. Let's imagine a scenario where you have a computer to which you have connected an optical drive, like a CD drive for listening to music CDs, if that's still a thing. If we have a look at cdrom here, we can see on the right-hand side that it has a Start value of one. It's slightly higher, so that means it's not going to start at the very lowest level like the atapi driver; it will start slightly after that. And that's a way in which Microsoft have engineered the registry and its associated devices and services, so that you have this hierarchy, and there are interdependencies as well. You'll notice, for example, that we've got a value called Group here, SCSI CDROM Class, and if I choose the CD file system driver up here, a little bit higher up, you can see that it has DependOnGroup set to SCSI CDROM Class. So the cdfs driver, and that's the driver, by the way, that allows us to look at CD or DVD file systems, will only load if the drivers that are associated with the SCSI CDROM Class group are already in memory, and if they're not it will demand-load them; it will auto-load them. So that's a way in which these drivers interrelate. So those are the lowest-level components in the operating system. We'll talk more about that when we look at troubleshooting the startup process later in the course.

So when you come to make an edit to the registry, obviously you can open up the Registry Editor like this and, if you know what you're doing, navigate to the appropriate location. So HKEY_CURRENT_USER, for instance: go to Control Panel, perhaps choose Desktop, and then look for some sort of setting. If you scroll down here, for example, we've got wallpaper settings, so at the moment it's configured to use a wallpaper. Let's double-click on that: you can see it's looking for a bitmap called img_0401.jpg located in a theme folder somewhere or other. So now obviously I can change that by typing in a new value. It's a somewhat curious way of configuring the wallpaper; it would actually be easier to configure the wallpaper and then you'd see this reflected in here the next time that I signed in, but nevertheless that's essentially how it works.

If you need to create a new entry, suppose you've experienced a problem and you've done a search on the internet to try to locate a solution, and it says create an entry. You'll need to specify where by navigating to the appropriate location, in this case HKEY_CURRENT_USER\Control Panel\Desktop, and then it might be that you need to create a new entry, in which case you need to choose the appropriate type of value: String, Binary, DWORD and so on. You choose the appropriate value type and then you type in the value that you want. So in this instance we've got a value called patent upgrade of type String, and it's set to true. If you wanted to turn whatever that did off, you could double-click it and set it to false, for instance. Sometimes true and false, by the way, are represented by ones and zeros; it does largely depend, which is why you really do need to know what you're doing.

If you have made some successful changes to the registry and want to import those onto another computer, you can right-click a particular node and export it. Let's put it on the desktop, and we can call it test.reg, and save it away. If I open the file you can see here that it has this important header line, and then in square brackets it's got the path to the appropriate entry, so it's got the hive and the subfolders that are listed here, and then it has a list of all of the values, with their names in quotation marks, then an equals sign, and then what type of value it is and the current value that's been assigned to that entry. OK, so this one is probably a string, because it doesn't say otherwise, and it's assigned the value of zero. Clearly I could easily edit these if I wanted to and then import them back again, and to import them you simply double-click them. Now there are other ways of making changes to the registry; I'll talk about those when we look at Group Policy in the next couple of lessons.

In the demonstration you saw how to view the registry hives and we learned about their contents. You saw how you could edit the registry and how you
could both export and import entries from the registry.

Although you can easily edit the registry, well, relatively easily anyway, to achieve configuration objectives, it's probably a lot easier to use tools like the Local Policy Editor. This is useful in a standalone environment, that's to say a computer that's part of a workgroup. If you're configuring computers that are part of a domain environment, an AD DS domain, it's far easier to use the Group Policy Editor on a domain controller and have the changes that you want to make apply to as many computers as is relevant. The Local Policy Editor, though, allows you to exert local control only. We're going to take a look at how to edit the local policy now in a short demonstration.

You can open the Local Group Policy Editor by running gpedit.msc on a local computer. The structure that you can see here, the Computer Configuration node and the User Configuration node, and these folders, Software Settings, Windows Settings and Administrative Templates, is broadly mirrored by the same settings that you'll see in the next lesson when we look at Group Policies on a domain. Not all of these folders have any function in the Local Group Policy Editor, but many do, and they behave in a similar way. The purpose of the Local Group Policy Editor, then, is to avoid having to edit the registry to make configuration changes on a workgroup machine. If we expand out Windows Settings, for example, you can see that we've got the ability to configure security settings: there's the account policy and local policy that we looked at earlier in the course. There are also settings for configuring the Windows Defender Firewall service, so you can configure inbound and outbound rules. We haven't really talked about that yet, but it's perhaps far easier to implement configuration changes by using a policy than it is to manually configure the firewall on each individual computer. I mean, it's far easier if they're all part of the same Active Directory domain and you can use Group Policies to configure them, but if you've configured Group Policies it's certainly possible to export those policies and then import them into the Local Group Policy Editor on standalone machines so that they have the same settings, albeit a slightly more manual process.

Under Administrative Templates you've got a lot of individual items that allow you to configure the computer. So there are, for example, components that deal with services under Windows Components. If I scroll down you can see Windows Update, for example, is covered here, and I can configure how Windows Update works on a particular computer. You'll observe here, for instance, there's a value that's been enabled: the Configure Automatic Updates value has been set. There are also values here for Windows Update for Business. Work Folders is a service that allows you to synchronize content between non-work devices, you know, bring your own device, and work devices, and there's only one value that you need to configure here: double-click that, click Enabled and turn on the particular service.

As well as the Computer Configuration there are also User Configuration elements, and they tend to differ. When you're configuring a user it's a different thing than when you're configuring a computer, so the settings are different. There are a few exceptions where the same value can be configured at the same point in a user node as on a computer, but those are relatively infrequent. So we've got some Windows Components here, and we've got some Windows Update settings and Work Folders settings, and you can see that they're slightly different from what we looked at just a moment ago, but some of them are the same: the Specify Work Folders setting, for example.

Now, a quick word about administrative templates. I'll cover this in the next lesson anyway, but administrative templates are text files, or at least they are configured from text files, XML files, so if you get a new version of Windows 10 you'll need to get the appropriate administrative template files for that version of Windows 10 when you want to make configuration changes, and that's more typically done on a domain controller to make an effective change for all of the computers within the particular domain. So if, for example, you've deployed a feature update so that you're now running Windows 10 1903, to optimize the configuration through Group Policy you'll need to obtain the latest administrative templates and import those. I don't really want to say very much else about configuring things with the Local Group Policy Editor, but it's the way in which you can more easily configure settings rather than using the Registry Editor. So it's the same sort of user interface as you see in Group Policy Management at the domain level, but it applies to an individual computer. In the demonstration you saw how you could edit the local policy with the Local Policy Editor.

Group Policy provides a means to create rules that enable you to manage users, computers and other objects stored in Active Directory Domain Services. We already looked at local policies in the last lesson, but local policies only allow you to administer a specific individual machine. Group Policies apply configuration settings that your organization wants to enforce. These settings are pushed out to targeted groups of user accounts or computer accounts. On the target computers it's client-side extensions that are used to apply the Group Policies; we'll look at those later. Standard users can't modify a managed setting, so you'll typically find, if you've configured something through Group Policy, that the corresponding entry in the user interface is inaccessible, grayed out or otherwise disabled. GPOs are collections of settings. These GPOs are applied to container objects such as sites, domains and OUs. In a typical situation, individual computers are added to Active Directory domains to represent their place in the world, a physical world. They may also be part of Active Directory site objects, which represent the locality where the device is stored, so it might be representative of a head office in London or a branch office in Windsor or whatever. In addition, you may choose to group your computers together for management purposes into organizational units, or OUs. You can apply policies onto individual computers, as we discussed in the last lesson; that's a local policy. You can also configure Group Policies onto containers: sites, domains and OUs.

Now, Group Policy is a collection of individual settings. If you configure a Group Policy with the same settings at different levels, then there's a possibility that those settings will conflict with one another, so it's important to understand how they apply and which takes precedence. The first set of policies to apply are the computer policies, and that's because we haven't connected to the domain when we first start up the computer: we examine the local database to see any Group Policies, or local Group Policies, that have been applied. The local Group Policies then apply. If you've configured Group Policy Objects on sites, and the computer is configured to a particular site to which a Group Policy is linked, then that Group Policy will also now apply. Computers that are part of an Active Directory forest environment are configured to belong to a particular domain. Domains have at least one policy, called the Default Domain Policy. There's also one called the Default Domain Controllers Policy, but that doesn't normally, well, that never applies to standard computers; it only applies to domain controllers. But there'll be at least one policy that will apply, and probably far more that apply. Next, finally, if you've moved the computer from the default Computers container and placed it into an organizational unit based on its geography or its department, then that policy will apply. Effectively, the way this works is, with the exception of the local policy, the most specific setting applies. So for instance, if we configure the wallpaper setting for a computer on the local policy and also on the site policy and also on the domain policy and also on the OU of which the computer was a member, then the policy setting for the wallpaper would take precedence at the OU level, because that's the policy setting that's the most specific. Now I know that you're probably thinking, well, hang on, the computer policy must surely be the most specific. That's true, but in reality local policies are configured on standalone machines, so this is rather an exception, and it makes sense really that a domain policy should override a local administrative policy. So that's an exception. So look at it this way instead: the processing order is local, site, domain and then OU. If there are multiple OUs nested within each other, then it will move down the hierarchy in turn. So the setting that applies last applies longest and has the highest precedence, so settings at the OU level are more specific and apply last, and therefore take precedence over those at the domain level. That's the default behavior, but you can control that.

Now, what can you do with a Group Policy? Well, typical settings include the ability to redirect folders. Folder redirection is the ability to point users' libraries, that's their Documents, Videos, Pictures, that kind of thing, from the local drive, which is typically C:\Users\<user id>\Documents, \Pictures, \Videos and so on, to a server location using a Universal Naming Convention, or UNC, name. The advantage of that, then, is that the user data is stored on a server, which means that they can access their content from any workstation; they don't have to be signed in on their own particular machine. Another side advantage of that is that of course you probably are performing backups of servers and not workstations, and therefore users' libraries will also be backed up. You can use Group Policies to deploy software: you can assign software to computers, or you can assign or publish software to user accounts in a
medium size network small to medium-sized network using group policy to deploy software is not an unreasonable thing to want to do but in a large network you probably want a bit more control you don't have a great deal of control over software deployment using group policies so it's not widely used in enterprise level networks you can use it to run a script there are two types of scripts startup scripts and shutdown scripts and also log on scripts and log off scripts so those will obviously run when the computer starts up and shuts down or when a user signs in and signs out that's a much better way of running a script than perhaps associating it with a user profile you can use it to deploy security templates in an earlier chapter of the course we looked at some of the security settings you can use group policies to import and export security settings from one part of your network to another and then apply those to a large collection of computers by using group policy and pointing the group policy or linking the group policy to the appropriate container group policy preferences are a curious thing you don't have group policy preferences on local computers only in the domain environment and a group policy preference unlike a group policy setting is the ability to specify an initial value for something or other it might be used for something like a drive mapping or a logon script or some other value that may be transitory in nature so when you use group policy preferences you create initial customizations for your workstations or for your users workstations users are perfectly able to bypass those or undo those settings so if you map a drive with a group party preference there's nothing stopping the user from unmapping that drive whereas if you configure a similar setting using group policy settings users can't override those settings because the user interface in that area is disabled and they lack the privilege necessary to make that change now to my mind i prefer 
using Group Policy settings, because I like to mandate the setup on a workstation. I don't want that degree of flexibility for users, where they can do certain things so that their workstation becomes slightly different from everybody else's. I mean, I'm okay with customizations like user interface stuff, but anything to do with configuration I'm a bit concerned about; I much prefer to lock things down. Nevertheless, you may have a reason to use preferences and initial values, so we'll take a look at those in the demonstration in a moment.

There are a number of Group Policy management tools that you can use. There's the Group Policy Management Console, which is used to manage the linking and filtering and so forth; it's also used for testing purposes. The Group Policy Management Editor, as the name suggests, is used for editing the values within a particular GPO. And there are a number of Windows PowerShell cmdlets that you can use both to modify GPOs and to change the way in which they link.

Let's have a look at a demonstration now. I want to show you how to create a Group Policy Object, how to configure some of the common settings, and how to apply that GPO to your domain environment. So, on my domain controller... let me pause here. I wouldn't recommend that you sit interactively at a domain controller to perform this particular task; I would far rather that you sat at a workstation, installed the Remote Server Administration Tools, and used those same tools that I'm about to show you from a workstation. Nevertheless, the tools remain the same. So I'm going to choose the Tools menu here and select Group Policy Management. It always loads behind the current window; I don't know why that is, but anyway, there it is. You can see the list of domains; there's only one, called contoso.com. Beneath that is a policy called the Default Domain Policy. If I expand the Domain Controllers OU, you can see that it also has a policy called
the Default Domain Controllers Policy. Those two exist by default. The Default Domain Controllers Policy contains more restrictive settings, because a domain controller is an important machine. When you promote a server to become a domain controller, it's automatically moved into the Domain Controllers OU, and that then means that it's affected by the more secure policy configured through the Default Domain Controllers Policy.

There's an IT policy that I've created here, so that's a non-default one, linked to an organizational unit called IT, which represents a department. If I look at Marketing, there's also one under Marketing, and there's also one under Sales. If you want to look at all of your policies, you can click on the Group Policy Objects node and you can see them here. If you want to edit a GPO you right-click it and choose Edit, and it opens the Group Policy Management Editor; we'll have a look at that in just a moment. Here we've got something called WMI filters, Windows Management Instrumentation filters, and those are used to control the default behavior of the way that policies apply. You'll remember that policies apply first of all to the local computer, then to site objects, which we can see down here (I've only got the default site, so there's nothing listed here at all), then to the domain object, and then to OUs and OUs within OUs. But you can use WMI filters to change that: you can change whether or not a policy applies based on the characteristics of a machine. I'll show you that in a second.

So let's have a look at editing a policy. I'm going to expand IT here, right-click the IT Group Policy Object and choose Edit, and it opens the Group Policy Management Editor, which looks quite similar to the Local Group Policy Editor we looked at in an earlier lesson. If I expand Policies, you can see the Software
Settings, Windows Settings and Administrative Templates nodes that we talked about, but also there's a Preferences node. Preferences, as we just touched on, are initial settings that you can configure. Under User Configuration we've also got policies that configure Software Settings, Windows Settings and Administrative Templates, and again also Preferences, although the preferences there are somewhat different.

You'll remember in the previous lesson I talked about administrative templates being XML files. Well, they are, but they have an .admx extension or an .adml extension: the .admx is the XML configuration file and the .adml file is a language file. Essentially, then, you can import new versions of these templates, the .admx files, whenever you get a new version of Windows 10. So you might search for "Windows 10 1903 admx files", download the corresponding files and then import the templates. Why bother? Well, as Microsoft introduces new versions of Windows 10, it introduces new features, and new features mean that you've got new configuration options. Ideally you'd be able to configure those options through your Group Policy.

So what can we do with a GPO? Let's look at some of the basic things. Under Software Settings we've got the ability to deploy software by creating packages: point to a new package and you can assign applications to computers. Assigning means that they're automatically available; the user doesn't need to do anything, they simply sit at a workstation and the application will always be there. Down in the User node you've got a Software Settings subfolder here too, and you can also use that to deploy software. You can deploy a new package and the package can be assigned to a user account; what that means is it doesn't matter which computer a user sits at, the software that's configured for their account goes with them. You can also publish applications to users, which means that they're available in Control
Panel for them to choose to install. Now, as I said earlier, there's not a great deal of control over software deployment in Group Policy: you can't specify when, you can't create multicast groups, there are all sorts of things that aren't available. So it's okay for small packages or for the occasional ad hoc deployment, but it's really not suitable for large-scale application deployments.

Now, we already looked at the way that Group Policy works. Essentially, if you create a GPO and link it to a container, it applies to everything in that container, whether that's a computer or a user. But you can control that default behavior. For instance, it's possible to block inheritance. If you block inheritance on a container like an organizational unit, it stops the settings from above that point in the hierarchy from applying below that point. So block inheritance is configured on containers; I'll show you that in a second. Administrators who have configured policies at a high level and want those policies always to apply can enforce them. Enforcement ensures that a policy at a high level applies all the way down the structure, even if a lower-level administrator has enabled block inheritance.

Security filtering controls the default application of policies. Essentially, a policy will apply to any object stored in a container to which the policy is linked, but you can change that by changing the security settings on the policy. For a policy to apply, a user or a computer has to have the Apply Group Policy permission. If that object doesn't have the Apply Group Policy permission, then even though it's in the appropriate container, the policy is not going to apply. That's called security filtering. And Windows Management Instrumentation filtering, which I touched on in the last lesson, allows you to control which computers (usually computers, but not always) will be affected by a policy. The default
again is that the policy will apply to any computer that's in a container to which the policy is linked, but you can control that with WMI filtering.

Finally, the link order can be used to control policies. If you've got multiple policies linked to the same container, there must be an order of precedence. You'll remember we looked at the fact that policy applies locally, then the site, then the domain, then the OU and then sub-OUs. But what if you've got two, three, four or even more policies linked to the same container? Which one takes precedence then? In the demonstration I'll show you how you can filter GPOs, how you can block inheritance and how you can enable enforcement.

Okay, so I'm in Group Policy Management on my domain controller, and at the moment there's only one policy configured for the domain. So I'm going to create a new policy and link it to the domain, and I'm going to call this Folder Redirection, if I can spell it, and click OK. Now there are two policies linked to the same container. What happens if two of the settings within each of those policies conflict with one another? Well, if I select the container object, in this case the domain, and then select the Linked Group Policy Objects tab on the right here, you can see a link order. At the moment the Default Domain Policy takes precedence, because it has the lower link order number, or, to put it another way, it appears higher on the list. So for a policy on a container to take precedence over another policy on that same container, you must ensure that the policy with the highest precedence has the lowest link order number, or appears further up the list. To change it so that the Folder Redirection policy has the higher precedence, so that its settings would be enforced and override those of the Default Domain Policy, I'd need to change the order using these little up and down arrows.

Down here on IT, I can see that I've got a policy configured called IT, but I've also
got two policies above it configured on the domain, called Default Domain Policy and Folder Redirection. If I don't want the IT OU to be affected by those policy settings, I can right-click the organizational unit and select Block Inheritance. That will prevent the settings from the Default Domain Policy and the Folder Redirection policy from applying to users and computers that are stored within the IT organizational unit. So block inheritance is applied at the container level. However, as a domain administrator I might not be particularly happy about that, so I might want to configure the Default Domain Policy to override that, and I can do that by enforcing the policy. Enforcement is configured on a per-policy basis. So we're now in the situation where, on the IT OU, two policies apply: there's the IT policy that's been linked to the container, and the Default Domain Policy, which is being enforced. Folder Redirection is being blocked through block inheritance.

The other two ways in which you can control the default behavior are to use either security filtering or WMI filtering. Let's have a look at WMI filtering first. Currently I don't have any WMI filters, so I'll create a new WMI filter; let's call this one "Windows 10 Computers". I can use a WMI query to specify the characteristics of, in this case, a computer. So I'm going to click Add here, bring up a query that I've got stored, paste that into the query and click OK, and that should hopefully represent a selection of all of the computers that are running Windows 10.
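The following is an added example, not code from the course: the same link-order, block-inheritance and enforcement changes that the demonstration makes in the GPMC, performed with the GroupPolicy PowerShell module that ships with RSAT, followed by a local test of the kind of WMI query the "Windows 10 Computers" filter would use. It assumes the contoso.com domain, an OU named IT, and GPOs named Folder Redirection and Default Domain Policy, as in the demonstration; the query text itself is an assumption, since the course does not show the stored query it pastes in.

```powershell
# Added example (not the course's own code). Requires RSAT's GroupPolicy module and
# an account that can edit GPO links in contoso.com (names assumed from the demo).
Import-Module GroupPolicy

$domainDN = 'DC=contoso,DC=com'
$itOU     = "OU=IT,$domainDN"

# 1. Create the Folder Redirection GPO and link it to the domain. A new link is
#    appended, so it starts below the Default Domain Policy in link order.
New-GPO -Name 'Folder Redirection' | New-GPLink -Target $domainDN | Out-Null

# 2. Link order: the lowest number wins on conflict. Move Folder Redirection to
#    position 1 so its settings override the Default Domain Policy's.
Set-GPLink -Name 'Folder Redirection' -Target $domainDN -Order 1

# 3. Block inheritance on the IT OU (a container-level setting) ...
Set-GPInheritance -Target $itOU -IsBlocked Yes

# 4. ... and enforce the Default Domain Policy on its domain link (a per-link
#    setting), which applies through the block.
Set-GPLink -Name 'Default Domain Policy' -Target $domainDN -Enforced Yes

# 5. Verify what the IT OU now receives: with the block in place, only enforced
#    links from above should appear among the inherited links.
$inh = Get-GPInheritance -Target $itOU
"Inheritance blocked on IT OU: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | Format-Table DisplayName, Enforced, Order

# 6. A WMI filter query for Windows 10 client installations (ASSUMED text; the
#    course does not show its query). ProductType 1 = workstation, so servers
#    with a 10.x kernel are excluded.
$wmiQuery = 'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "10.%" AND ProductType = "1"'

# Test the query against the local machine before putting it in a filter:
# an empty result here means this computer would be excluded from the GPO.
$osMatch = Get-CimInstance -Namespace root/cimv2 -Query $wmiQuery
"This computer matches the Windows 10 filter: $([bool]$osMatch)"
```

Running the query locally with Get-CimInstance is the quickest way to see why a filtered policy unexpectedly applies or fails to apply to a given machine. One caveat for later systems: Windows 11 also reports a 10.0 version in Win32_OperatingSystem, so a Version LIKE "10.%" filter matches both, and separating them needs a BuildNumber condition.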
So now, if I only want a policy to apply to Windows 10 computers, let's create a new policy; I don't know, let's call it Windows 10 Security Settings. I'm not going to actually define any settings in it, but anyway, there we go. I can then click on Windows 10 Security Settings, go to WMI Filtering and say: filter on the basis that you are a Windows 10 computer. So it will now only apply to computers that meet the criteria of the WMI filter.

The final way you can control things is through security filtering. With security filtering, you will notice that at the moment Authenticated Users will have the policy applied. Now, we don't actually use this window to configure security filtering; rather curiously, we use the Delegation tab. That's important for the exam: if you're taking the exam, you'll need to remember the process that's involved. So we go to the Delegation tab and you can see that Authenticated Users has a level of access here. We select that, choose Advanced in the bottom right-hand corner, select Authenticated Users, and if I scroll down you'll see that they have the ability to read the policy, but they also have the Apply Group Policy permission. That means that anybody who belongs to Authenticated Users, which is one of the special groups, and basically means everybody, will have the policy applied.

Let's suppose that we want the policy to apply to everybody except Lee. Now, what I'd recommend is that you create a group called, I don't know, IT Policy Exceptions or whatever, because it's always better to assign permissions to groups in case people change their job roles. But I'm going to short-circuit that slightly to make it a little bit faster: I'm going to add a permission for the user Lee, check that the user exists, and click OK. Then if I choose Advanced down here and select Lee in the list, you can see that Lee has the Allow Read permission, but I'm also going to grant
Lee the Deny Apply Group Policy permission. Because he's got the deny permission, it will block the policy from applying to him. It wouldn't be sufficient simply not to set the Apply Group Policy permission for him, because of course Lee will sign in and will be a member of the Authenticated Users group, and therefore the policy would apply because of that group membership. But by explicitly denying the Apply Group Policy permission, it will not apply to Lee. So I'll click Yes to that. The Scope tab hasn't changed here; it still says the policy applies to Authenticated Users, so you have to remember that you've security-filtered it not to apply, and the only real way you can tell that is by going to the Delegation tab. One of those curious things.

Now, it's quite common... well, I don't know about common, but it's certainly not unusual to use that sort of security filtering to stop a policy from applying to a person or to a computer that it would ordinarily apply to. It is quite unusual to do it the other way, which is to say that you create a GPO and you only want it to apply to Lee. So let's have a look at that. You might right-click and create a new GPO, and we'll call it Lee's Policy. Now, the notion of creating a policy that only applies to an individual user seems somewhat contrary, really; the whole notion of Group Policy is that it should apply to lots of users, but just for the sake of argument. We haven't configured any settings in it at all, but if we click on Lee's Policy you can see that automatically it applies to Authenticated Users, so that's everybody, not just Lee. If you wanted it to apply only to Lee, you go to Delegation, click Advanced, then Add, select Lee, select Lee from the list here, scroll down and select that Lee has the Apply Group Policy permission, and click OK. Then go to Authenticated Users and remove the Apply Group Policy permission. It's not necessary to deny it, and in fact denying it would
be a bad thing, because denying it would also affect Lee, because Lee is a member of Authenticated Users. So we just simply remove the entry. Now if you go back to the Scope tab you can see the effect of that immediately: only Lee has the policy. There aren't very many circumstances in which that's something you do, but I have seen it when you configure DirectAccess, which is a remote access technology; it's used to determine which particular computers are DirectAccess servers. A GPO is used to configure those servers, but only explicitly named servers appear in the security filtering list. In the demonstration you saw how to filter GPOs, how to block inheritance and how to enable enforcement.

So, common issues with the application of Group Policy Objects. Incorrect security filtering: we looked in the last lesson at how you can use security filtering to control the default behavior, but if you add a user to a group that doesn't have the Apply Group Policy permission, or that explicitly has the Apply Group Policy permission denied, then that would create a problem. An incorrect WMI filter: perhaps a policy that normally applies suddenly doesn't, because you meet, or don't meet, the characteristics of a WMI filter, perhaps one that requires a certain amount of free disk space which you no longer have, and that creates an issue. Incorrect linking: a policy has been created but hasn't been linked correctly to a container object, or it's in the wrong order, so you've got the link order set incorrectly and another policy takes precedence. It may be that the way in which you've configured your organizational units is incorrect, so you've nested them inappropriately and policies are not applying as you would expect. And inheritance, which is related to the previous bullet really: if you're relying on inheritance and you've got block inheritance configured, or you've got enforcement configured to override block inheritance, then those two might create
unexpected results. When you're trying to troubleshoot Group Policy, one tool that you have is the gpupdate tool, which is typically run from the command prompt as shown here: gpupdate /force forces it to reapply the computer and user policy. Bear in mind that by default the Group Policy client-side extensions (those are the services that apply Group Policy on the client machines when they start up and when a user signs in) check to see whether changes have been made and only pull down changed GPOs; otherwise they process the locally cached copy of the policy. If you want to troubleshoot, then by using /force you force it to reapply all the policies even if they haven't changed. The gpresult tool, here being used with the gpresult /r switch, tells you which particular policies are applying. So if you think that you ought to be affected by the IT policy and the Folder Redirection policy and the Default Domain Policy and so on, you can check that on the client computer by running gpresult /r. You can also run rsop.exe from the command prompt, which opens the window that you can see here, the Resultant Set of Policy. It shows you all of the various policies that have been configured on this computer, and in the right-hand detail pane not only the individual policy settings but which particular GPO was used to configure those settings; in other words, which is the winning policy.

If you have access to the server or the server administration tools, you can use Group Policy Management to perform two things. You can use the Group Policy Modeling Wizard, shown here, where you can specify a what-if scenario: what if I were signing in as a user that belonged to the Marketing OU in the adatum.com domain, what if I had a computer that was stored in the Computers container, what if I were using a particular domain controller to service the logon? It will run that scenario for you. Now, it doesn't process the Group Policy; it doesn't actually
process the policies. It performs an estimate and produces a report that gives you an indication as to which policy settings are coming from where. But you can also use the Group Policy Results Wizard. I already showed you gpresult on the command line, but you can also use it from the server, and it performs an actual assessment: it connects to the remote machine, launches the client-side extensions, forces those to run and pull down the policies, and then produces the report.

Let's have a look at some of those tools now. We're going to have a look at troubleshooting the application of Group Policy from the client and also from the server. So I've signed in on my Windows 10 computer as Lee, who is a member of the IT department. I'll open up a command prompt, or in actual fact this PowerShell prompt, which is sufficient, and I'm going to run gpresult /r and see what the policies are on my computer. You can see here that it only reports the user settings when I'm signed in as a standard user. It shows me that the applied Group Policy Objects are: IT. Okay, so that's fine, and that's probably because we've got policies being blocked. I can also use the rsop tool. The Resultant Set of Policy can't generate computer information because I'm signed in as a standard user, but it can generate the user information and report that back. So for the User Configuration I can have a look at Software Settings, if any, and Windows Settings, if any, and it will tell me where these particular settings came from. I don't have much configured in that line. If I want to have a look at the computer policies, then I'm going to need to open an elevated prompt, which means I need to sign in as an administrator, or at least confirm elevation with administrator credentials. Now when I run rsop it will generate the settings for the computer as well as for the user, but of course the user that's being tested here is Administrator and not Lee. Then we can have a look at the Computer Configuration and
determine where it's getting the particular settings from. So if I go to Event Log settings, for example, or let's have a look at Password Policy, you can see here that the winning policy is configuring the value of 24 passwords remembered, and it's the Default Domain Policy that's being applied here. So that's a way of determining which particular policies are applying.

I can also use the gpresult tool with the /h switch. If I then specify the name of a file, possibly in a different location, it generates a report in an HTML file. If I navigate to the root of drive C I can see the file here. I'll open that with Internet Explorer as opposed to Microsoft Edge, because it uses an ActiveX control. Show All, and you can see a report view here showing me where the policies were obtained from, what the current settings are, how long it took to apply the Group Policy, and there's a log file link here that I can follow. So again, a useful troubleshooting tool; I quite like using gpresult /h.

So from the client end of things you've got a number of tools: rsop, gpresult /r to see which policies apply, and gpresult /h to generate a report. But what can you do from the server? On the domain controller you've got the Group Policy Modeling tool, which I can launch here, and I can produce a simulation. I'm going to simulate the fact that I'm signing in using the domain controller called DC1. I'm going to select a particular user account; let's choose Lee. I can imagine that the computer is a specific computer, or I can imagine that the computer is stored in the IT location, so let's do that: let's imagine that Lee's computer is stored in the IT organizational unit (it's not, but let's imagine) and click Next. There are a number of other settings that I can configure here that I don't really want to go through. I can configure additional group memberships to test; I'm going to go with the groups that Lee actually belongs to. I can apply WMI filters if I want to;
we'll go with the default values, and then say Next, and it will produce a report. It's just adding that page to Internet Explorer. If I click on the Details page, it looks very similar to the report that we just looked at on the client using the gpresult /h command. It shows us what would happen. So you can see here there is a Restricted Groups setting for the group called Administrators, and that has been configured using a GPO called IT, as opposed to the Default Domain Policy, which seems to be the one that's doing most things. Scroll down and have a look at some of the user settings at the bottom here, and the WMI filters and so on. So there's a great deal of information there, but that was a what-if.

If we want to actually test Group Policy application, we can use the Group Policy Results tool here. So if I right-click and choose Group Policy Results Wizard, it's going to behave a little bit differently. I have to specify a computer; I think there's a computer called contoso565. There is, so that's the computer. It has to be online and it has to be configured for remote management, which I believe it is. Then I select from those users that have signed in successfully on this computer in the past, so there's Adele and there's Lee and Admin, and I can then choose, say, Lee, and then process Group Policy according to the fact that I'm signing in as Lee on the computer called contoso565.
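Before the wizard runs, here is the same troubleshooting sequence as an added example (not the course's own code): the client-side gpupdate and gpresult checks, the server-side equivalent of the Group Policy Results Wizard, and a direct read of the Delegation data so that a security filter is not missed because the Scope tab still shows Authenticated Users. It assumes the contoso.com domain, a user named lee, a computer named contoso565 and GPOs named Windows 10 Security Settings and Lee's Policy, all taken from the demonstration; the helper function Get-GpoApplyScope is my own name.

```powershell
# Added example, not the course's own code. Names (contoso.com, lee, contoso565,
# the GPO names) are assumed from the demonstration.
Import-Module GroupPolicy

# --- On the client, as the user whose policy you are checking ---
# Reapply all computer and user policy, changed or not (not just changed GPOs).
gpupdate /force
# List the GPOs that actually applied to this user; the computer section needs
# an elevated prompt, exactly as in the demonstration.
gpresult /r
# The same data as an HTML report; /f overwrites an earlier file of that name.
gpresult /h "$env:TEMP\gpreport.html" /f

# --- From an RSAT workstation or the DC: real RSoP against a live machine ---
# Like the Group Policy Results Wizard, this triggers the client-side extensions
# on the remote computer, so it must be online and reachable for remote management.
Get-GPResultantSetOfPolicy -ReportType Html -Path "$env:TEMP\lee-on-contoso565.html" `
    -User 'CONTOSO\lee' -Computer 'contoso565'

# --- Security filtering lives on the Delegation tab; read it directly ---
function Get-GpoApplyScope {
    # Hypothetical helper name. Returns every trustee holding Apply Group Policy.
    param([string]$GpoName)
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object Trustee, TrusteeType, Permission
}
Get-GpoApplyScope -GpoName 'Windows 10 Security Settings'
# An explicit Deny (as set for Lee in the demonstration) cannot be set with
# Set-GPPermission, whose permission levels are allow-only; that case stays on
# the Delegation tab, which is why it is easy to overlook when troubleshooting.

# "Only Lee" filtering as done in the demonstration: grant Lee apply, then cut
# Authenticated Users back to Read only. Read must remain: since MS16-072 the
# computer account reads user GPOs, and without Read the policy fails to process.
Set-GPPermission -Name "Lee's Policy" -TargetName 'lee' -TargetType User -PermissionLevel GpoApply
Set-GPPermission -Name "Lee's Policy" -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace
Get-GpoApplyScope -GpoName "Lee's Policy"   # expected: only lee
```

Comparing the trustees returned by Get-GpoApplyScope with the group memberships in gpresult /r output is a quick way to confirm the first of the common issues listed above, a user landing in a group that lacks the Apply Group Policy permission.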
It now goes off and does that. It connects to the remote machine, instructs the client-side extensions to process Group Policy, and then produces a report for me. I can then click on the Details tab as before and click Show All, and seemingly that's the same information that we saw before. But the significant difference is that it actually processed the policies: it tells you when it was started, how long it took, which settings had been configured where, and which were the winning GPOs. So although it's seemingly the same information, it's quite different, because it's actually executing the policies on the remote computer. So here's that shortcut that we set up a long time ago, earlier on in this lesson, to create a shortcut called Test on the desktop, and it's telling us where that's come from. Using this information you can make a determination about whether policies have been configured correctly. At the moment we've got a relatively simple scenario here: we've got, what, one, two, three, four, five policies applying to IT directly and indirectly, we've got a block inheritance and we've got an enforcement. Okay, so relatively straightforward, but as your Active Directory environment grows and as you make changes, it becomes more and more difficult to anticipate or determine where settings have come from, and that's where these tools become particularly useful. So in that demonstration you saw how to troubleshoot the application of GPOs from the client, and also how to test the application of GPOs from the server.

This is Lesson 6, Manage Windows Security. In this lesson we discuss User Account Control, Windows Defender Firewall and file encryption. You'll learn how to configure User Account Control, configure Windows Defender Firewall and implement encryption. The hands-on demonstrations in this lesson include configuring UAC, testing UAC, configuring Windows Defender Firewall, allowing an app through the firewall, creating an authentication rule,
testing the rule, enabling BitLocker To Go, and implementing EFS.

When you sign in using an administrative account, User Account Control limits the account's access to that of a standard user. UAC only elevates the account's privileges to administrative level when required, and only after prompting the user for permission to do so. Standard users can perform the following tasks without elevation: change their passwords, configure accessibility options, configure power options, install updates with Windows Update, and view Windows 10 settings. They can install device drivers included in the operating system or delivered with Windows Update; they can pair Bluetooth devices, establish network connections, reset network adapters, and perform network diagnostics and repair. Tasks that require elevation include installing or removing apps, installing a device driver not included in Windows or Windows Update, modifying User Account Control settings, opening Windows Defender Firewall in Control Panel, adding or removing user accounts, restoring system backups, or configuring Windows Update settings.

When a user performs a task that requires elevation, User Account Control prompts the user for elevation in one of two ways: either it prompts for consent, which means you answer a yes/no question, or it prompts for credentials, in which case you'll need to enter administrative credentials and a password. You can configure User Account Control options through Control Panel. You can choose between: Never notify me, in which case essentially User Account Control is turned off; Notify me only when apps try to make changes to my computer but don't dim the desktop (the desktop being dimmed is an indication that you're on the secure desktop, which effectively stops all other processing until you've acknowledged the User Account Control prompt); Notify me only when apps try to make changes to my computer, the implication here being that you are switched to the secure desktop; and finally, Always notify me. In the demonstration I'll show
you how you can configure User Account Control and test it.

So first I'm going to open Control Panel, and I can search for User Account Control. You can see the default value is configured to Notify me only when apps try to make changes to my computer, the default, but notice it also says Don't notify me when I make changes to Windows settings. So effectively that's a less intrusive way of managing User Account Control. In early versions of User Account Control, back with Windows Vista, UAC was deemed to be quite intrusive. With this setting, if you're making changes to Windows settings using Microsoft programs, you know, standard administrative tools, it's not always going to prompt you, whereas if you try to do anything with a third-party tool, or you download an additional program that tries to make a high-level change, it will automatically stop and prompt. I can slide this slider bar down here, ultimately turning off User Account Control, or make it far more intrusive by sliding the slider bar to the top. To confirm the change I'm going to need to click OK, and the little shield symbol there indicates that to perform that task I'm going to need to elevate my privileges.

Okay, now let's have a look at the security settings. Scroll down here and find, under Administrative Tools, Local Security Policy. Now, bear in mind I'm configuring just this particular computer, so if I wanted to exert control over User Account Control settings across the domain I'd use Group Policy settings and then configure the security node, and it would be the same settings. If I expand the settings here, under Local Policies, Security Options, fortunately it's sorted alphabetically for me, I have the values down at the bottom here for controlling User Account Control. I'm not going to go through all of these, but I'll go through some of the more important ones. User Account Control: Admin Approval Mode for the Built-in Administrator account. If I enable
or disable that has quite a significant effect if i choose disabled effectively it's turning off user account control for the built-in administrator if i enable the value then the built-in administrator account is always prompted bear in mind that the built-in administrator account is often the only account on the standalone machine it's the account that is created during installation of the operating system this one here a behavior of the elevation prompt for administrators in admin approval mode that's configured when you connect your computer to a network you potentially expose it to security risks to help to mitigate those risks you can implement windows defender firewall windows defender firewall is a host based firewall it allows or blocks inbound and outbound traffic based on network rules wellness defender firewall also provides a means of authenticating network traffic and providing encryption for data in transit you can see windows defender firewall here is accessible through the new windows security app listed here we have the domain network private network and public network interfaces you'll remember perhaps that anytime you connect to a network it's categorized as being either private or public if you're connected to a domain network and your computer is a member of that domain your private network is automatically configured as a domain network these network location profiles are used to determine the firewall settings that's to say you can have different settings based on which network you're connected to or rather which type of network you're connected to as you can see here the currently active network is a public network the firewall is enabled on all interfaces but it may be that it's more restrictive on the public interface in addition to using the windows security app to view the windows defender firewall settings you can also use control panel you can see here private networks and guest or public networks are listed and we are currently 
connected to a public network. On the left-hand side of the display you can see links for Allow an app or feature through Windows Defender Firewall, Change notification settings, Turn Windows Defender Firewall on or off, Restore defaults and Advanced settings. There are also links for Network and Sharing Center and Security and Maintenance. To allow an app through the firewall, open up the Allowed apps node in Windows Defender Firewall and then, for the appropriate network location profile, select the particular service you want to allow. So, for instance, in the dialog here you can see that the Remote Service Management app or feature has been selected to be allowed for the public network interface. You can also use the netsh command: netsh firewall add allowedprogram, and then specify the name of the program and its path, and then the switch ENABLE.

I'm going to show you a demonstration now on how to configure Windows Defender Firewall and how to allow an app through the firewall. So on my Windows 10 computer I'm going to run the Windows Security app, and then I'm going to select Firewall & network protection and then choose the option to Allow an app through firewall. That switches to Control Panel. Now my computer is connected to a domain network at the moment, and so that's the most important network location profile. If the particular feature that I want to use is not listed, then I can choose Allow another app, and browse and locate the application, and the application will indicate the network traffic that it wants to use, and then that will be allowed through the firewall. But I can also do things by going to Windows Defender Firewall here and choosing Advanced settings, and you can see that we are in the Windows Defender Firewall with Advanced Security application now, and I can define the behavior of inbound rules and outbound rules, which obviously control the flow of inbound traffic and outbound traffic, and later we'll talk about connection security rules. To set up an inbound rule, right-click the Inbound Rules node and choose New Rule. This launches a wizard. You can then select from a rule defined by a program that you can browse and select, or one that's based on predefined traffic, so a particular network service that Microsoft provides like Network Discovery, Netlogon or whatever, or a custom rule where you can go through the wizard to select the characteristics of the network traffic that you're interested in, or, if you happen to know it off the top of your head, you can specify the rule for a TCP or UDP port. All network traffic over a TCP network uses specific ports, so for example if you want to open up a web page that uses HTTP, which runs over TCP port 80, for example. I'm going to choose a custom rule here. It prompts me, is this a program? It's not, so I'm going to click past, but it is a protocol I want to specify. I can select the protocol from a drop-down list. Now what I want to enable is the ability to send a ping to a remote server and have that server respond, so I'm going to enable ICMP version 4, which is the type of network traffic that's used by ping. If I want, I can be specific about the IP addresses that will be used in this communication. Now since I'm configuring the local firewall, in fact the rule will only apply to this particular computer, but clearly if I apply Windows Defender Firewall with Advanced Security inbound or outbound rules using Group Policy, then there's the potential for the rule to apply to many computers, and in that situation you might want to then be more specific by specifying IP addresses here. I'm going to allow the connection. I'll talk about these other options later, but clearly Block stops the traffic. And I'm going to apply that change to any network interface: domain, private and public. I'm going to call it Ping Allowed and then finish the rule. Over here on my server I need to configure the same settings. I'll do that quite quickly. I'm going to go into Tools here and select Windows Firewall with Advanced Security, New Inbound Rule. It's going to be custom as before, it's not a program, it's a protocol of type ICMP version 4. Again the IP address will be the local computer because I'm applying that specifically here. I'm going to allow the connection on all network interfaces. I'm going to call it ICMP Allowed, or, I think I called it Ping Allowed before, so let's be consistent: Ping Allowed. That's now configured on both ends, so both computers will allow for the propagation of ICMP version 4 traffic. So I'm going to flick to my Windows 10 computer here, and I'm going to open up a command prompt and I'm going to try a ping. So I've got to remember the name of the server, which I think is DC1, and press Enter. So that's successful. The next thing is to see what happens if I change the rule at the other end to block traffic. Let's do that now. So I'm going to open up the rule that I configured on my server machine here, choose Properties, and I'm going to block the connection. You see that changes to a sort of a no-entry sign. Back on my workstation now, if I repeat the ping command it fails, which is what you'd expect to see. So in the demonstration we saw how to configure Windows Defender Firewall and allow an app, or in this case a protocol, through the firewall.

We've already had a quick look at Windows Defender Firewall with Advanced Security and I've shown you how you can configure inbound and outbound rules, but you can also configure something called connection security rules. As we saw, inbound rules define program characteristics, particular TCP or UDP ports; you can select from amongst predefined rules or you can define, as we did, a custom rule. Likewise with outbound rules you can do the same. But connection security rules are different. A connection security rule provides for isolation of a number of devices. You can configure a connection security rule that provides for authentication exemption situations. You can define server-to-server rules, so communications between two particular nodes will have a certain connection security rule applied. You can also define tunnel rules, such as when you're communicating between two sites across the internet, for example. And then you can bring all of that together and create a custom rule based on the characteristics of the network traffic that you perceive for a particular situation.

In this demonstration I'm going to show you how you can create an authentication rule and then how you can test that authentication rule. So here we are on my client machine, and you'll remember that the ping didn't work because we had blocked the traffic on the server. Let's flip back to that server now, and I'm going to create a connection security rule. You can see here the different types of rule: Isolation, Authentication exemption, Server-to-server, Tunnel and Custom. So I'm going to choose a server-to-server rule because I'm going to create a rule between the client and the server. Again, because I'm configuring this individually with the Windows Firewall with Advanced Security tool at each end, I already know the IP addresses concerned of the two computers that I'm configuring, but if you were configuring advanced security rules using Group Policy you might want to be more specific about which IP addresses were affected by the rule. I'm now going to choose my level of authentication. I can choose that authentication is requested for both inbound and outbound connections, so that means if the two communicating parties are capable of authenticating then they'll do so. But remember what authentication is before we go any further: authentication is the process of proving who you are. That's the most important aspect of security; if you don't know who you're talking to then nothing else really matters, so it's a critical factor. I can require authentication for inbound connections and request it for outbound connections, or require it for both inbound and outbound. I'm going to choose the middle path here because that's the most appropriate in most
situations. Now I have to choose the method of authentication. Some methods are stronger than others. It's worth noting that these two computers, because they're part of the same domain, can already authenticate each other using the Kerberos protocol. When you sign into a domain as a computer you get a ticket-granting ticket, a Kerberos ticket if you like, that is used to identify you to computers with which you want to establish a session. So theoretically, because both these computers are part of the same Active Directory forest, we could use Kerberos. We can also use computer certificates, which is probably the most rigorous way of doing things. If we want to use a certificate then both communicating parties must use the same certificate authority; in other words, a certificate must be issued by an authority that's trusted by both parties. For our purposes I'm just going to use Advanced. I'll show you here that with Advanced you can choose several different methods of authentication, so you can use one and a second one depending on what your needs are. I'm just going to choose one method of authentication. I'm going to click Add here. Now, as I said, we can use Kerberos authentication, but I'm going to use a preshared key just to show that it's different than Kerberos, and also it comes without the hassle of having to set up a certificate in this case. So I'm going to use a password at both ends. It's not exactly what you'd call secure, I understand that, but it's fine for demonstration purposes. So I click OK there, and then I determine which network location profiles this connection security rule will apply to. I'll select all, and I'm going to call this Secure Ping. Okay, so we can see that rule is set up here. The next thing I need to do on the inbound rule is change the behavior of the filtering rule here for the traffic, and change it from Block the connection to Allow the connection if it is secure, so that changes that no-entry sign to a padlock sign. So for this to work I need to configure both ends, so I flip back to my Windows 10 client here. Let's minimize that command prompt. I now need to create a connection security rule with the same characteristics, so I'm going to create a new rule. It's a server-to-server rule as it was before, no IP addresses are relevant here, I'm going to require authentication for inbound and request it for outbound, I'm going to use an advanced security method of preshared key (hopefully that's the same), and then I'm going to apply that to all network location profiles. I'm going to call it Secure Ping; call it anything, but that's what I'm going to call it. So that computer is now configured with the rule that will be used when it's required, so it only now remains for me to test this rule. Okay, so still on Windows 10, I'm going to switch back to my command prompt and do a ping to DC1 again. This is successful this time, so that's great. Let's go and have a look at what's going on on DC1. So that's the connection security rule that we set up, but under the Monitoring node, if we go down to Security Associations, we can actually see that the rule is in use. Here we can see that a remote computer and a local computer, or the other way around actually, so 172.16.0.100, that's the Windows 10 device, is communicating to 172.16.0.10, that's the local domain controller, using the preshared key authentication mechanism, and it's using encryption AES-CBC 128. So we can see that the rule is in use. That means that for that particular type of network traffic, encryption is taking place between the two nodes. So in the demonstration you saw how to create an authentication rule and how to test a rule.

In addition to the user interface you could also use Windows PowerShell cmdlets to manage the firewall: Get-NetFirewallRule, Enable-NetFirewallRule, Disable-NetFirewallRule, New-NetFirewallRule and Set-NetFirewallRule. You can also use the new Windows Security app. You can access the app from Windows 10 by typing it, and you can see here that's a whole collection of security settings. I'm on the Firewall & network protection page here, or tab, and you can see that the firewall is active on the domain network interface, and I've got the options or links here to configure advanced settings and jump off into Control Panel, and to allow an app through the firewall, and various other settings. We will later on be looking at Virus & threat protection, Account protection, App & browser control, Device security, Device performance & health and Family options.

BitLocker. BitLocker Drive Encryption lets you encrypt the entire hard disk or all your disk volumes. It protects both 32-bit and 64-bit computers running Windows 10. It ensures that data is accessible only if the boot components of the computer haven't been compromised and if the disk is still installed in the original computer. It offers you the option of requiring users to enter a password to unlock the drive when they want to use it. It also provides the option of requiring multi-factor authentication. You can manage BitLocker through Group Policy. When you're considering BitLocker, think about the following: the requirements for hardware and software. Typically that might include a Trusted Platform Module; it needs to be a TPM of at least version 1.2. There may be certain BIOS configuration settings or firmware requirements, there may be a minimum drive size requirement, and so on. To tell if your computer has a TPM you can run the tpm.msc management console. You can also open up the Windows Security app and then take a look at Device security; it will tell you if you have a TPM. If you don't have a TPM you can still use BitLocker, but you need to take additional steps. We'll discuss those later on. Only administrators can manage fixed data drives, but standard users can manage removable data drives; that's configurable through Group Policy as well. How to automate BitLocker deployment in an enterprise: you can use the manage-bde.exe command-line tool to help, and you can also use certain Group Policy settings to simplify the process. When you consider using BitLocker you must also consider what happens if your computer starts up in recovery mode. In a class recently a student told me that the introduction of Android devices, which were being plugged into USB ports for charging, were recognized as mass storage devices, and that changed the boot environment sufficiently that when the computer was started it thought it was a different computer, and therefore BitLocker went into recovery mode. It's not a big deal if recovery mode comes up on an occasional basis; the user merely needs to, well, either rectify the situation or, in this case, enter a 48-bit recovery number. But you might want to consider how you can manage those numbers; they're not easy to remember. So with any sort of encryption system you have to look at recovery options, if they exist, and plan accordingly. One way to manage your recovery keys is to store them in the Microsoft account, or a Microsoft business account online such as a Microsoft 365 Azure AD account, or you can synchronize them into Active Directory, and there are other options that you also might have.

BitLocker offers a number of different authentication methods for protecting encrypted data. These consist of a combination of a Trusted Platform Module, a startup PIN and startup keys. TPM plus startup PIN plus startup key is the most secure combination because it's using three different methods: your computer must have a TPM, you must have a PIN number that you enter, and you also need a startup key. TPM plus startup key: in this instance the encryption key is stored on the TPM chip but the user needs to insert something like a memory stick or USB drive that contains the startup key. TPM plus startup PIN: the encryption key is stored on the TPM chip but the user needs a PIN to unlock the device; that's probably a little bit more convenient than having to insert additional storage devices. Startup key only: the user needs to insert a flash drive with a startup
key. You don't need a TPM chip; the BIOS must support access to the USB flash drive before the operating system loads, but that's pretty typical for most modern computers. TPM only is the easiest thing: the user mainly needs to turn the computer on, and as long as nothing's changed in the boot environment, everything's good.

Removable drives are perhaps the most significant risk for causing data leakage. It's extremely easy to leave a memory stick lying around on public transport, or drop it as you get out of your car, something like that. I mean, a lot of these are attached to key fobs or just slip in your pocket or whatever; very simple to lose. It's less easy to lose a laptop. Obviously it can happen, laptops can be stolen, but that's less, I suppose, of a risk. So in terms of order of magnitude, removable drives provide a great convenience but provide a significant risk, so the ability to use BitLocker to secure removable devices is important. When you do so it's called BitLocker To Go, and it provides for whole-drive encryption of the file system, whatever the file system is, so you can still use the FAT file system or you can use NTFS, it makes no difference. When you set it up you can encrypt either used disk space only or encrypt the entire drive, depending on the situation. Hopefully you've planned ahead and you're encrypting an empty drive in the first place. BitLocker To Go is available for Windows 10 Pro, Enterprise and Education editions. If you need to recover a BitLocker drive you're probably going to need to enter your 48-bit key. BitLocker can save that as a text file up in somewhere like your Microsoft account in OneDrive, or you can save it to Active Directory, or you can print it out, but whatever mechanism that you use, you're going to have to enter that key. Open a web browser, navigate to OneDrive (assuming you've stored it in your Microsoft account) and select the recovery key folder; sign in with your Microsoft account and access your recovery key.

You can manage BitLocker with the manage-bde command. There are several switches or parameters that you can use, including -status, which provides information about all drives on the computer irrespective of whether they're protected with BitLocker; -on, which will enable BitLocker on the specified drive; -off, which conversely would disable BitLocker on the specified drive; -pause and -resume, which will temporarily pause or resume encryption or decryption; -lock and -unlock, used with a drive letter to lock and unlock access to a BitLocker-protected drive; -autounlock, which enables the auto-unlock feature: when you insert a BitLocker-encrypted USB memory stick into a computer on which you've configured auto-unlock for that particular device, it will automatically unlock without you having to enter a password; -forcerecovery, which forces a BitLocker-protected drive into recovery mode on a restart; and finally -changekey, which modifies the startup key for an operating system drive.

In the demonstration I'll show you how to enable BitLocker To Go. Okay, so I have a USB drive inserted in my computer here. You can actually see I've got several removable storage devices; in addition to the USB key here I've also got an SDHC card, which you can see with the padlock symbol is currently unlocked and accessible, and there's an assigned drive letter of O. The first thing to do, probably, is to check whether I've got a TPM on this computer, and I do that by opening up the TPM snap-in: open up Management Console and add the TPM snap-in to it. You can see here that it's telling me that there is a TPM and it's ready for use, although this TPM firmware needs to be updated because there's a security issue with it, so that's something I would want to resolve. So to enable BitLocker To Go, right-click the appropriate drive and choose Turn on BitLocker. I'm going to use a password to unlock the drive, and now I can choose where I want to back up my recovery key, so I can choose to save to a cloud domain account, save to a file or print it. I will save to a cloud domain account and then click Next. Now I can specify how much I want to encrypt. This is a blank drive so it's not really going to make any difference in this instance, but if you had a drive that contained a lot of information already then you can encrypt used disk space only, which is faster and best for new PCs and drives, or encrypt the entire drive, which is slower but best for PCs and drives already in use, so I would go for probably this option. I can use a compatible mode for drives that are going to be moved between this device and other devices that also support BitLocker, or a new encryption mode which is going to provide for a higher level of encryption, a higher standard of encryption, but may create compatibility issues if I'm moving the device between this version of Windows and an earlier version of Windows. So for now I'm going to choose compatibility mode. It's important, I think, for removable drives that compatibility is a key factor; otherwise, why remove it? When I'm ready I'm going to click Start encrypting. That won't take terribly long because it's empty. You'll notice now it says it's done, and you'll also see that there's a padlock symbol and that the drive is open at the moment because we've entered the password. If I remove the drive and reinsert it I'll be prompted to unlock the drive. I can also manage BitLocker for this particular device; let's take a look at those options. So it switches to the BitLocker Drive Encryption node in Control Panel and it's highlighted the various drives. I've got my USB (E:) and my Data (O:); BitLocker is on on both of those removable devices, and BitLocker is not currently enabled on my fixed disk. You can see here I can back up the recovery key, change the password, remove the password, add a smart card if I have one, and turn on auto-unlock. That's a very useful feature; I use that a lot. For the most part my removable devices stay inserted in my laptop, I don't tend to move them very often to other devices, but I like the idea that if I do take them out and drop them somewhere, my data is protected, so that's why I enable BitLocker. But I want the convenience, whenever I insert the device, for it to auto-unlock, so I don't get prompted for the password repeatedly, so that's quite handy. In the demonstration you saw how to enable BitLocker To Go.

You can use Group Policy to manage certain BitLocker settings. Navigate to Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption and then Removable Data Drives, and here you can configure the following values: Deny write access to removable drives not protected by BitLocker, Control use of BitLocker on removable drives and Enforce drive encryption type on removable data drives. You can also configure settings under Computer Configuration, Administrative Templates, System, Device Installation, Device Installation Restrictions, and you can Prevent installation of removable devices and Allow installation of devices that match any of these device IDs. These settings allow you to control the way that portable storage is used within your organization. The problem with portable storage, whilst it's very convenient, is that it does pose a risk in terms of data loss or data leakage, version control management and even the introduction of malware, inadvertently, through the insertion of drives that have been elsewhere. The Microsoft BitLocker Administration and Monitoring tool performs the following management tasks: it allows you to manage the deployment and recovery of encryption keys; it centralizes compliance monitoring and reporting of individual computers throughout the enterprise; it automates the provisioning of encrypting volumes on client computers across your enterprise; and it reduces the workload.

This is lesson 7, Configure Networking. In this lesson we discuss configuring both IPv4 and IPv6, name resolution, mobile networking, Wi-Fi and VPNs. We'll also look at troubleshooting network settings. In this lesson you'll learn how to configure IPv4 settings, configure IPv6 settings, configure name
resolution, configure Wi-Fi settings, configure VPNs, troubleshoot networking and configure mobile networking. The hands-on demonstrations in this lesson include configuring IPv4 with the graphical user interface, configuring IPv4 with Windows PowerShell, enabling automatic IPv4 configuration, configuring IPv6 with the graphical user interface, configuring IPv6 with Windows PowerShell, configuring DNS settings, managing Wi-Fi networks, configuring a VPN connection, testing the VPN connection, verifying IP configuration, testing IP connectivity and testing name resolution.

To configure an IPv4 host you require an IPv4 address, a subnet mask, a default gateway to enable routing, and, for name resolution purposes, you require one or more preferred DNS server addresses. When you're assigning IP addresses you can configure either private or public IP addresses. All IPv4 devices that connect directly to the internet must have a public IPv4 address; IANA assigns these addresses to internet service providers. Network address translation is used to enable conversion from private IPv4 addresses to public IPv4 addresses. You'll often find NAT devices in home hubs that connect to the internet and support wireless connections from your home network devices, and elsewhere, when you are looking at connecting a corporate network to the internet through routers, some network address translation functionality will convert those addresses that reside on the private network with those that reside in the perimeter network, and then those that face the internet directly. Class A addresses are provided for: those that span the range 10.0.0.0 to 10.255.255.255 are Class A private IPv4 addresses. Class B are provided for in the 172.16.0.0 network, that's to say hosts with an IP address of 172.16.0.0 through to 172.31.255.255. And finally, for smaller networks, Class C provision is handled through 192.168.0.0; specifically, hosts with an IP address of 192.168.0.1 through to 192.168.255.255 are considered to be Class C private IPv4 addresses.

Subnetting is a process of using a portion of the network address to identify the network and using the remainder of the address to define the host. In simple networks, an address like 192.168.17.1, which is a private Class C network address, might typically use the subnet mask of 255.255.255.0. That defines the subnet as being 192.168.17.0. In this situation whole octets, or groups of eight bits, have been used to describe the network portion of the address, and the host portion of the address is therefore relatively simple: to say that other hosts in the network 192.168.17 will have a host address of 192.168.17.2 through to 192.168.17.254, because 255 is the broadcast for that network address. When you're subnetting using default IPv4 classes: Class A addresses start with the first octet in decimal in the range 1 to 127; they use the default subnet mask of 255.0.0.0, which provides for 126 different Class A networks each containing 16,777,214 hosts. Class B networks, on the other hand, start with the leading octet in the range 128 to 191, and they use a default mask of 255.255.0.0, or 16 bits, and that provides for 16,384 networks each containing 65,534 hosts. Class C networks start 192 to 223; the default mask uses 24 bits, to render up 255.255.255.0, and that provides for 2,097,152 networks each containing 254 hosts. For complex networks, using whole octets is not normally useful. So if we take the same IP address as before, 192.168.17.1, but change the mask this time so that we're using only four bits of the third octet, that changes the subnet mask to 240 instead of 255 and gives us 12 bits to play with for the host. This means that the network ID is 192.168.16.0. Now that's not so obvious, because the host has an IP address of 17.1 in those last two octets and yet the network ID is 16.0, so you might expect to see the third octet be 16. But in fact, because we've got those additional four bits to play with, the network ID, although it's 192.168.16.0, can yield up host addresses from 192.168.16.1 through to 192.168.31.254. By doing this we've given ourselves more hosts per network but fewer corresponding networks. You can set the point of this slider bar wherever you want to give yourself extra hosts or extra networks, so by incrementing the number of bits in the mask you reduce the number of hosts by about a half and you double the number of networks; by going the other direction you double the number of hosts, just about, and halve the number of networks, and then you can set that mask where it's most appropriate for your organization.

There are a number of tools for configuring IPv4. You can use Network & Internet from the Settings app, or the Network and Sharing Center that's accessible through Control Panel, but there is also a link for Network and Sharing from Network & Internet. You can use the Network Setup Wizard, which you'll find under Network and Sharing Center. You can use Windows PowerShell cmdlets such as New-NetIPAddress, and then, as you can see here, we're specifying the interface alias of Wi-Fi and an IP address of 172.16.16.1.
You can use netsh, the network shell. So for example here: netsh interface ipv4 set address name="Wi-Fi" source=static addr=172.16.16.1 mask=255.255.240.0 gateway=172.16.31.254, that is, the interface name in quotes, then source=static, then the address with addr as the parameter (the same address as before, 172.16.16.1), then the mask of 255.255.240.0, and then a gateway address, in this case 172.16.31.254. netsh is quite an old command, but it's the kind of thing that might be on the test. I'm not expecting you necessarily to remember the syntax of all these commands, but a passing familiarity with configuring from the command line is probably quite important.

Let's have a look now at configuring IPv4 using the graphical user interface, by using Windows PowerShell, and by enabling automatic IPv4 configuration. Okay, so there are a number of different ways that you can configure IPv4 on a Windows 10 host. One possibility is to open up Network and Sharing Center, click Change adapter settings, right-click the adapter you want to reconfigure and then click Properties; here you can see the IPv4 protocol, and you click Properties and reconfigure it. Alternatively, from within Network and Sharing Center you can also click on, in this case, the Ethernet link, which represents a network connection; you can click Details to view the configuration of that particular interface, and you can choose Properties to reconfigure the network connection, and there you are, you can see the Internet Protocol Version 4 protocol again.

In the graphical user interface you can configure a number of things regarding IPv4. Let's click on Properties. Here you can specify an IP address, or rather you must specify an IP address, a subnet mask and a default gateway. The default gateway is used for routing, so you can actually manage without it if you only want to communicate within the local subnet, but I'll enter an IP address there for the local gateway. And then there are some options you can configure on the
Advanced property page. This is a summary of the IP settings, but you can add additional IP addresses, so you can configure multiple IP addresses on the same network interface if you need to. Down here we specify a preferred DNS server for name resolution purposes; if you want, you can configure several DNS servers, so an alternate if the primary is not available. Again, on the Advanced property sheet there's a DNS tab that allows you to configure some additional characteristics. This is the first DNS server here, but you can add multiples and then set a preference order. You'll also notice down here that the option to append the primary and connection-specific DNS suffixes is set. I'll talk more about that when we look at DNS later in this lesson, but essentially you can configure several suffixes for a connection if you want to append them in a specific order; a suffix is something like pearson.com or education.pearson.com. We've also got the options down here to register the connection's address in DNS and to use the connection's DNS suffix in DNS registration, so a number of options that pertain to advanced DNS settings.

The WINS tab is not really used anymore. For those organizations that are not using DNS, or that have legacy NetBIOS-based applications, the Windows Internet Name Service, or WINS, can be used to perform name resolution. These days most organizations and most applications rely on DNS, so this is something you're not going to see very often. When you've configured the settings for IPv4 you can click OK and then Close; you can see the network adapter is identifying the local network, since we've changed some settings.

You can also configure IP settings using the command prompt and Windows PowerShell. Let's take a look at the command prompt. So there's an elevated command prompt. I can use the ipconfig command by itself, and it will display the basic IPv4 configuration; as you can see here we've got the IP address, the subnet mask and the default gateway. It's also showing us the
link-local IPv6 address. If I want some more information I can use ipconfig /all. That allows me to see that this is a manually configured IP address, because the DHCP Enabled value is set to No, and it provides me with information about the DNS server address as well. I can also use the netsh command from the command prompt to reconfigure network settings. Here I'm saying netsh interface ipv4 set address name=Ethernet (that's the interface name) source=static (as opposed to dhcp), and then the IP address, the subnet mask and the gateway. If I type ipconfig again we should see that the address has changed from 172.16.0.101 to 172.16.16.2, and there we are. So you can use the netsh command to interact with and reconfigure the network settings on your network interfaces from the command prompt.

You can also use Windows PowerShell. So for example, similar to the ipconfig command, we can use the Get-NetIPAddress cmdlet and it will show us some basic information about the network. You can see here this IP address, 172.16.16.2, the one we just configured with netsh, is applied to an interface which has an index number of 3; that's just a unique way of identifying each of the network interfaces. It also has an interface alias of Ethernet, so that's its network interface name. It's an IPv4 address of type unicast, and the prefix length, in other words the subnet mask, is 16 bits, or 255.255.0.0. That's quite a lot of information there, very similar to the output of ipconfig. We can also use the Get-NetIPv4Protocol cmdlet to find out a bit more about IPv4 specifically, so you can see some information about the route cache limit here, ICMP redirects, IGMP level, IGMP version and so on; a bit of additional information about IPv4.

If you want to reconfigure the IP address by using Windows PowerShell you can do that too, by using the New-NetIPAddress cmdlet. So here I'm saying New-NetIPAddress, the interface index is 3 (I could also use the interface name), the address family is IPv4,
the IP address is going to be 172.16.0.205, and a prefix length of 16 bits. You can see that's come back and reported it's made that change. If I type Get-NetIPAddress you should see that that change has been reflected up here. I can also see it with ipconfig, and although ipconfig is a command-line tool, command-line tools can be run within the Windows PowerShell window. So you can see we've got multiple IP addresses: the primary one is 172.16.0.205, and we've also got 172.16.16.2, so it added that address rather than replaced it. We can also use Remove-NetIPAddress to get rid of the old IP address if we want a single IP address assigned.

Finally we can take a look at configuring the IP address automatically. If I open up Network and Sharing Center again and then click on Change adapter settings, right-click the Ethernet adapter and choose its Properties, and then click Properties for Internet Protocol Version 4, I can choose the Obtain an IP address automatically option and also Obtain DNS server address automatically, and then click OK and then Close. You can see immediately that it's recognized it's connected to the domain network pearson.com. If I click on the Ethernet link here in Network and Sharing Center and then click Details, you can see it has an IP address of 172.16.0.100. Now we didn't assign that; that was assigned by DHCP. We can see that the IP address of the DHCP server is given here, 172.16.0.10. You can see similar information if you open up a command prompt. I don't need to run this particular command elevated, but it's a force of habit. If I type ipconfig you can see the IP address is 172.16.0.100.
If I use the /all switch we can see that DHCP Enabled is Yes, and it tells us something here: the lease obtained and the lease expires. With DHCP you obtain the use of an address for a period of time, or more accurately the use of an IP configuration for a period of time, known as the lease period. Now this period defaults to eight days, but that's configurable on the server. So as you can see here we obtained it on Wednesday March 14th and it's going to expire on Thursday March the 22nd. Now obviously what we wouldn't want to have happen is for the address to expire and for us to cease communicating on the network, so the client will automatically attempt renewal during the lease period. Typically that takes place when the computer starts up each day, and also at half time-to-live, in other words halfway through the lease duration. Generally speaking it will simply renew the same address again from the same server, but on rare occasions that may not be possible, and we can talk a bit about that when we look at troubleshooting in a lesson later on in this particular chapter. So in that demonstration you saw how to configure IPv4 using the graphical user interface and by using Windows PowerShell, and how to enable automatic IPv4 configuration.

IPv4 has a 32-bit address space; IPv6 has a 128-bit address space. That's not just four times bigger, that's doubled 96 times. So with IPv4 the maximum number of hosts that you can configure would be about 4.3 billion, or 2^32; with IPv6 you've got 3.4 times 10^37, that's 3.4 with 37 zeros, so it's a huge, huge number. So one of the benefits of using IPv6 is the increased address space. Because of the nature of IPv6, where component parts of the address are used to identify different parts of the organization (there's a bit that identifies where you are in the world, there's a bit that identifies where you are in an organization, and then there's the bit that identifies the particular host), it provides for improved routing. IPv4 was designed at the
time when routing wasn't really that widespread, and the notion of being able to route packets through a complex environment like the internet wasn't really being considered too well. With IPv6 we know where we're at: we know that we have a huge number of devices connected, and a large and ever-increasing number of organizations throughout the world connected to the internet, so the ability to efficiently manage the routing is important. So IPv6 uses a more efficient system for managing routing through addressing. It also supports simpler configuration: although you can use DHCP to automatically manage an IPv4 address, and you can do the same with IPv6, you don't necessarily need to. You can use what's called stateless autoconfiguration, where a computer will obtain its own IPv6 configuration based on listening to router announcements, so you don't have to do anything in terms of managing DHCP and the scope of addresses or anything of that nature. It better handles additional components to support security features, and it's better at dealing with quality of service and real-time data delivery.

But it does have a slightly different IP address format. The IPv4 address format was relatively straightforward to work with: it's a decimal notation consisting of four numbers, fairly straightforward, fairly easy to understand. IPv6, because it deals with a much larger address space, has to accommodate the much longer address, 128 bits instead of 32, using a different system: it uses hexadecimal. Now I've not written out all of the address here; this is the binary representation of the first three chunks of the eight chunks that would make up a 128-bit address. You can see that in binary it would be impossible to manage, but that's converted into hexadecimal. If you're not familiar with hexadecimal, it's a system of notation that allows you to express 0 through 15, so 16 different values, using the numbers 0 through 9 and then the letters a through f. So 2002 is the hexadecimal equivalent of the binary number 0010 0000 0000 0010. In other words, each group of four bits is converted to the corresponding hexadecimal digit; that's because four bits is the maximum number of bits needed to express 16 values, and hexadecimal is a system based on 16.

A full address can be quite long. As you can see here, it consists of eight parts, each consisting of 16 bits, grouped individually in four collections of four bits: so 2 is one section of four bits, 0 is another section of four bits, and so on throughout. But trying to even memorize this number is quite challenging. It's fairly straightforward to remember a number like 192.168.1.1, but to remember the equivalent when it's 128 bits is quite difficult. So zero compression is used. In zero compression all leading zeros are removed. We can see that db5 is not the complete group, because we know it should consist of four digits, and therefore we know that the leading zero has been removed. We can't remove zeros from the middle of a grouping, because we wouldn't know where they had come from, but we can remove the leading zero; hence 2002 cannot be truncated in the same way as 0db5 can be truncated to db5. Here we've got 0000, and that can be represented as a double colon. Over here we've also got a 0000, but that cannot be represented as a double colon, because we wouldn't then know exactly how many groupings were where; so instead we have :0: to represent that truncation. That address has become quite a bit shorter, but it's still not exactly user friendly. That's the leading zero missing there, that's a group of zeros, that's a single zero dropped from the beginning of that grouping, and that's the truncation of the second set of zeros.

IPv6 addresses are of one of the following scopes and types. Unicast addresses can be either global unicast addresses, which are used on the internet; unique local addresses, which are
used on the intranet and are equivalent to private IPv4 addresses; or link-local addresses. All devices initialize with a link-local address that's used to discover, listen to, and configure yourself from routers, so every interface on an IPv6 host will have a link-local address associated with it. That's a bit like an automatic private IP address in IPv4, what we call an APIPA address. There are also additional special addresses. Multicast addresses are used to communicate with groups of hosts; you can do that with IPv4 as well, where any IP address that starts 224 to 239 is a multicast address, and we can do that also with IPv6. Multicasting is used to communicate to groups of computers, for example for software distribution purposes or for conferencing. And anycast is like a broadcast in IPv4, so it's for all hosts on a particular subnet.

As with IPv4 you can use a number of bits to identify the network and then the subnetwork, and then the host is the remaining bits. It's a bit more formalized in IPv6: a prefix is used to identify the subnet. The number of bits in the prefix uses a similar notation to what we find in IPv4. So for example in classless inter-domain routing (CIDR) you might specify an IPv4 address as something like 172.16.0.0/16; the /16 indicates the first 16 bits of the address are the network address. And so it is with IPv6: we use a prefix, which will typically be much longer than 16 bits, to identify which bits are the network bits and which bits are the host bits, as indicated here in the example 2002:db5::/48, which says the first 48 bits represent the network and subnetwork. You can identify the type of a unicast address by its prefix: global unicast addresses have the prefix 2000::/3, unique local addresses have an address prefix of fd00::/8, while link-local addresses have a prefix of fe80::/64.
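The zero-compression rules (strip leading zeros in each group, collapse the single longest run of all-zero groups to "::", leave any other zero run as ":0:") and the prefix-based classification of unicast addresses are worth seeing as code. This is an added example, not part of the course; it implements the compression by hand so the rules are visible, cross-checks against Python's standard ipaddress module, and uses the three prefixes the session cites (2000::/3, fd00::/8, fe80::/64). The addresses in the demo are constructed.

```python
import ipaddress
import re


def compress_ipv6(address: str) -> str:
    """Zero-compress a fully written 8-group IPv6 address.
    Rule 1: leading zeros inside a group can go ('0db5' -> 'db5', '0000' -> '0').
    Rule 2: the single longest run of all-zero groups (two or more) becomes '::';
    any shorter run stays as ':0:' so the group count remains unambiguous."""
    groups = address.lower().split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError("expected an uncompressed 8-group IPv6 address")
    groups = [g.lstrip("0") or "0" for g in groups]          # rule 1

    best_start, best_len, run_start = -1, 0, None
    for i, g in enumerate(groups + ["end"]):                   # sentinel closes a final run
        if g == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:                        # first longest run wins
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:
        return ":".join(groups)                                 # nothing worth a '::'
    left = ":".join(groups[:best_start])                        # rule 2
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def expand_ipv6(address: str) -> str:
    """Undo compression with the standard library, for cross-checking."""
    return ipaddress.IPv6Address(address).exploded


# Unicast scopes by prefix, as the session lists them (assumption: these are the
# course's figures; the formal registry ranges differ slightly for ULA and link-local).
UNICAST_PREFIXES = [
    ("global unicast", ipaddress.IPv6Network("2000::/3")),
    ("unique local", ipaddress.IPv6Network("fd00::/8")),
    ("link-local", ipaddress.IPv6Network("fe80::/64")),
]


def unicast_scope(address: str) -> str:
    """Name the unicast scope an address falls in, or 'other' (e.g. multicast ff00::/8)."""
    addr = ipaddress.IPv6Address(address)
    for name, prefix in UNICAST_PREFIXES:
        if addr in prefix:
            return name
    return "other"


if __name__ == "__main__":
    # constructed example with one long zero run and one shorter one
    full = "2002:0db5:0000:0000:0000:a1b2:0000:0001"
    short = compress_ipv6(full)
    print(full, "->", short)                     # 2002:db5::a1b2:0:1
    print("stdlib agrees:", short == str(ipaddress.IPv6Address(full)))
    print("expanded back:", expand_ipv6(short))
    for a in ("2002:db5::1", "fd12:3456::1", "fe80::1", "ff02::1"):
        print(a, "is", unicast_scope(a))
```

The hand-written compressor and ipaddress agree on every address, including the all-zero address (which becomes "::") and addresses with two zero runs of different length, where only the longer run is collapsed.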
To configure an IPv6 host you must assign each particular device a unique configuration. You can assign the configuration manually, but that's quite unusual with IPv6 because it's quite a complicated address. As we've already mentioned, it's not that hard to remember 192.168.1.1 and type it in, and then remember that the next device must be sequentially higher, 192.168.1.2, but that can be much more difficult when you're working with very large hexadecimal numbers. Most hosts are assigned multiple addresses: they all automatically have a link-local address, that's the one that starts fe80, and then a unicast address which is either global, and can be routed onto the internet, or unique local, which is the equivalent of a private IPv4 address. Generally speaking hosts are configured using stateless autoconfiguration, which means that they don't require a database, such as a DHCP database on Windows Server, to record the fact that they have a particular configuration. They listen to router announcements and then send out a challenge onto the local network to say "this is the address I want to use"; any computer that objects to that will challenge it. Stateful autoconfiguration is where a computer will use a database to be assigned a specific configuration, so that would typically be a DHCPv6 host.

Stateless addressing relies on router advertisements. The process during stateless addressing goes like this. First, a unique link-local address is used; this is used to discover routers on the network. The prefixes determined and configured on any discovered routers are then applied locally. Next, if configured, a DHCP server is used to obtain other configuration information, but that's only if the managed address configuration or other stateful configuration flags are set. Those are set by router advertisements, so if the routers instruct the device not to use DHCP it won't be used; if instructed, it will apply DHCP settings. Now those
DHCP settings could be the entire IPv6 configuration, or it could be just additional options, where the address and prefix are set using the router but additional configuration options are set from DHCP, so it can be a hybrid type of configuration. You can see that graphically here. In step one the host, having configured itself with a link-local address, listens for router advertisements and applies any prefixes, then determines whether or not it needs to check for a DHCP server. If a DHCP server is online and an IPv6 scope exists, elements of the configuration, or the entire configuration, depending on the setting of those flags, are pulled down and the IPv6 host configures itself.

To configure an IPv6 address you need to enter an IPv6 address, a subnet prefix, a gateway address and one or more DNS server addresses. The same tools can be used to configure IPv6 as can be used for IPv4: Network & Internet in the Settings app, Network and Sharing Center, the Network Setup Wizard (which is accessible from Network and Sharing Center), Windows PowerShell cmdlets, and netsh. Let's take a look now at configuring IPv6 using the graphical user interface and also by using Windows PowerShell.

Configuring IPv6 is really not all that different on Windows 10 from configuring IPv4; you use the same tools, with pretty much the same syntax if they're from the command line. Let's start out by looking at this graphically through Network and Sharing Center. As before, we open up the adapter settings, right-click the adapter we want to configure, choose its Properties, and then this time click on Internet Protocol Version 6 and view its properties. At the moment it's obtaining an IPv6 address automatically. Now although we have a DHCP server on this network, it's not allocating IPv6 addresses, there are no IPv6 address scopes set up, so it's going to use the equivalent of an APIPA-type address: a locally routable address, something that will only work on the local subnet. To assign a manual address, I click
Use the following IPv6 address, and then in the IPv6 address field I type an appropriate IPv6 address and specify the subnet prefix length; as you will remember from the session, the length of IPv6 addresses is considerably greater than under IPv4. And then if I want to configure a DNS server I can do that here. So click OK and Close again, and then if I open up a command prompt (again I'll open an elevated prompt, that's not necessary) and type ipconfig, we can see that there is an IPv6 address listed, that's the one we just created. The link-local address is the one that was allocated automatically, through an automated local process that doesn't require a DHCP server.

We can also configure IPv6 through Windows PowerShell. Open up a PowerShell window and we'll use the same command, New-NetIPAddress, as we used for IPv4, but this time we're specifying the address family as IPv6 and we're entering an appropriate IPv6 address and a prefix length. It's reconfigured that for us; you can see that it's added the address which ends in 1234, and as before we can use the ipconfig command to view the configuration. As you see, as with IPv4, the New-NetIPAddress command adds the IP address; we can use Remove-NetIPAddress to get rid of it. We can also use the Get-NetIPAddress cmdlet to view information in a similar way to ipconfig, and we can also use the Get-NetIPv6Protocol cmdlet to find out a bit more about what's happening with IPv6. So the process of configuring IPv6 is very similar to the process for configuring IPv4: you can use the same tools, you can use the same interface.

As with IPv4 you can also obtain an IP configuration automatically, by configuring IPv6 here to obtain an IPv6 address automatically and to obtain a DNS server address automatically. Clearly that requires that there's a DHCPv6 scope set up somewhere for it to obtain its address from, although it's rather more complex than that, as we'll discuss in a later session: routers can also allocate
addresses. In the demonstration you saw how to configure IPv6 using the graphical user interface and also how to configure IPv6 using Windows PowerShell.

Windows 10 computers have two names. Host names are up to 255 characters, for example scribbler.pearson.com: scribbler is the name and pearson.com is the DNS suffix. The fully qualified domain name is made of a combination of the host name and the suffix. By default the DNS suffix is also the AD DS domain name of which the computer is a member, if that's relevant. NetBIOS names are 16-character names; they're based on a truncated version, if necessary, of the prefix, in this case scribbler. The 16th character of a name, in this case indicated by the square brackets and the hex value 20 written in between, indicates a particular service that's running over the NetBIOS interface. NetBIOS is not something you probably need to worry too much about; it's an older format of name, and it's not widely used now. It's actually still enabled in Windows 10, and something you could theoretically turn off through the network properties page. So focus, I think, on the fully qualified domain name, scribbler.pearson.com in this instance.

When a computer wants to connect to another computer it does so with the name, but the name must be resolved into an IP address. The first thing that happens is the local computer verifies whether or not the name that you've requested is the local host name. Assuming that it's not, it will check the contents of the hosts file. hosts is a simple text file that lives in the C:\Windows\System32\drivers\etc folder; it's a list of IP addresses and fully qualified domain names, or FQDNs. Any entries that reside within the hosts file also automatically reside in the DNS resolver cache. The DNS resolver cache is used to store entries that have been recently resolved, so if I successfully resolve a name into an IP address, then that name and IP address combination is stored in cache for a period of time, what's
known as the TTL, or time to live. Assuming the entry is not the local host name, is not in the hosts file, and has not recently been resolved and therefore does not live in the resolver cache, we will then query a DNS server. Now this is somewhat of a simplification, because there are other steps depending on whether or not you're using NetBIOS and whether or not you're using LLMNR, which is the Link-Local Multicast Name Resolution protocol, but for the most part this is the process.

To configure DNS settings for either IPv4 or IPv6, use the following procedure: open Network and Sharing Center, select Change adapter settings, right-click the appropriate network adapter and then select Properties, double-click either Internet Protocol Version 4 or Internet Protocol Version 6 as appropriate, and then click Use the following DNS server addresses. Finally, enter the IPv4 or IPv6 address for a DNS server that's accessible to the client. You can also configure DNS settings using the netsh command, as shown here: netsh interface ip set dns name="<interface name>" static <DNS server address>, that is, the name of the network interface, then static, and then the IP address of the DNS server. Windows PowerShell can also be used: the Set-DnsClientServerAddress command shown here allows you to configure the server address by specifying it in brackets.

There are a number of advanced DNS client settings that you can also configure. You can append primary and connection-specific DNS suffixes. The primary suffix, if a computer belongs to a domain, is the domain name, so if you join a computer to the Active Directory domain called pearson.com, the primary suffix will be pearson.com. If you've got multiple network cards, perhaps one that connects to your domain network and one that connects to, I don't know, the internet possibly, then you could specify a different connection suffix for that particular connection, and you could then choose to append the primary and connection-specific DNS suffixes when you perform searches. So if you type www in the web browser, it
will connect using www.pearson.com, that's the primary suffix, but it will also try maybe your secondary suffix for any other specific network adapters that you have installed. It will also append the parent suffixes of the primary DNS suffix. So again, if you type in www as a web server you want to connect to, that's not the complete name, but don't panic: it will then append the suffix of pearson.com to see if that works; if that doesn't work it will append com, as being the parent of the parent; and then it will append dot, as being the root, which is the parent of the parent of the parent. So in that way, hopefully, it will be able to fully form the name and perform the resolution for you. You can also specify which particular order you want your DNS suffixes to be applied in. When you start a computer you can specify the DNS suffix for a particular connection, and then you can specify whether or not you want to register that particular connection suffix in DNS. By default Windows 10 will use dynamic registration with a DNS server (the DNS server is the server that provides for name resolution, Domain Name System), so it will connect to its preferred DNS server and dynamically register the fact that it has a particular name, one or several different suffixes, and an IP address. All of that will happen automatically, or not, depending on the settings that you configure here.

In the demonstration I'm going to show you how you can configure DNS settings. Okay, perhaps the best place to start when talking about DNS is on the server. So this is a Windows Server 2016 server computer. It's installed, as you can see in Server Manager here, with Active Directory, so it's a domain controller; it is also using DHCP, and it's providing DNS as well as File and Storage Services. So to configure DNS let's take a look in Tools and select DNS Manager. The server name is listed up here, that's the local server, and then we have things broken down into forward and reverse lookup zones and conditional forwarders.
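The resolution order just described (local host name, then the hosts file, then the resolver cache with its TTL, then a query to the DNS server) and the suffix search list (primary suffix, connection-specific suffixes, then the parents of the primary suffix up to the root) can be modelled end to end. This is an added example, not course code; the hosts file content and the "zone" dictionary standing in for the DNS server's answers are constructed, and the host names and addresses in them (dc.pearson.com, www.pearson.com, 172.16.0.x) follow the lab naming used in the session. The clock is injectable so cache expiry can be exercised without waiting.

```python
import time

# Constructed hosts file content, in the format of C:\Windows\System32\drivers\etc\hosts.
HOSTS_FILE = """\
# comment lines and blank lines are ignored
172.16.0.10    dc.pearson.com
172.16.0.20    files.pearson.com   files
"""

# Constructed stand-in for the answers the preferred DNS server would return.
DNS_ZONE = {
    "dc.pearson.com.": "172.16.0.10",
    "www.pearson.com.": "172.16.0.80",
    "www.education.pearson.com.": "172.16.0.81",
}


def parse_hosts(text: str) -> dict:
    """Map every name in a hosts file to its address (names stored with a trailing dot)."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower().rstrip(".") + "."] = ip
    return entries


def candidate_fqdns(name: str, primary_suffix: str, connection_suffixes=(), devolve=True) -> list:
    """Fully qualified names to try, in the order the session describes.
    A name typed with a trailing dot is already complete and is tried as-is."""
    name = name.lower()
    if name.endswith("."):
        return [name]
    suffixes = [primary_suffix.lower(), *(s.lower() for s in connection_suffixes)]
    if devolve:
        labels = primary_suffix.lower().split(".")
        suffixes += [".".join(labels[i:]) for i in range(1, len(labels))]  # e.g. 'com'
        suffixes.append("")                                                # the root
    ordered = []
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}." if suffix else f"{name}."
        if fqdn not in ordered:
            ordered.append(fqdn)
    return ordered


class DnsClient:
    """Simulates the client-side lookup order: local host name, hosts file,
    resolver cache (honouring TTL), then a query to the DNS server."""

    def __init__(self, hostname, local_ip, hosts_text, zone, primary_suffix,
                 connection_suffixes=(), ttl=3600, clock=time.monotonic):
        self.local_fqdn = f"{hostname}.{primary_suffix}.".lower()
        self.local_ip = local_ip
        self.hosts = parse_hosts(hosts_text)
        self.zone = zone                    # stand-in for the preferred DNS server
        self.primary_suffix = primary_suffix
        self.connection_suffixes = tuple(connection_suffixes)
        self.ttl = ttl                      # seconds a positive answer stays cached
        self.clock = clock
        self.cache = {}                     # fqdn -> (address, expiry time)

    def resolve(self, name):
        """Return (address, source) for the first candidate that resolves, else None."""
        now = self.clock()
        for fqdn in candidate_fqdns(name, self.primary_suffix, self.connection_suffixes):
            if fqdn == self.local_fqdn:
                return self.local_ip, "local host name"
            if fqdn in self.hosts:
                return self.hosts[fqdn], "hosts file"
            cached = self.cache.get(fqdn)
            if cached and cached[1] > now:
                return cached[0], "resolver cache"
            address = self.zone.get(fqdn)   # the actual query would go on the wire here
            if address is not None:
                self.cache[fqdn] = (address, now + self.ttl)
                return address, "dns server"
        return None


if __name__ == "__main__":
    client = DnsClient("cl1", "172.16.0.222", HOSTS_FILE, DNS_ZONE,
                       "pearson.com", ["education.pearson.com"])
    print(candidate_fqdns("www", "pearson.com", ["education.pearson.com"]))
    for query in ("cl1", "dc", "www", "www", "nosuchhost"):
        print(query, "->", client.resolve(query))
```

Querying "www" twice shows the second answer coming from the resolver cache, which is what ipconfig /displaydns would show after the first successful lookup; the search list for "www" comes out as www.pearson.com., www.education.pearson.com., www.com. and www., matching the append order the session walks through.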
It's probably outside the scope of the course to get into conditional forwarding, but let's just say that it's a means for referring queries, from client computers or other servers, down a particular path. Forward lookup zones are the thing you probably need to concern yourself with most. You can see one here called pearson.com; that happens to match the domain name that we're using in Active Directory, which is fairly logical, and then beneath that we have some Active Directory-specific elements, _sites, _tcp, _udp, all with an underscore prefix. We don't need to worry too much about that either, but we do have some information in the pearson.com zone. Zone is the term we use to describe an element of the DNS namespace stored on the server somewhere. A forward lookup zone is one which takes a name and converts it into an IP address, so unsurprisingly within this zone we can see a server called dc; it's got a type of Host (A), so it's a host record, and a data element of 172.16.0.10. In other words, if I were to query for the host dc.pearson.com I would get returned the address 172.16.0.10.
There are some other records here which I don't want you to concern yourself with too much, that's getting a bit advanced, but for every host out on the network you should see a corresponding record listed. Back here on Windows 10, on the client computer, we can configure the client-side DNS settings. You can do that through Change adapter settings: bring up the properties of the network adapter, and in this instance open up the IPv4 protocol. We saw some of these pages earlier on. We can specify one or more DNS server addresses here, so we can use a particular manually assigned address, 172.16.0.222 for example, specify a subnet mask, a default gateway for communications outside the local subnet, and then one or more servers that we want to use for name resolution. As I mentioned in the last demonstration, you can use the Advanced page to configure some advanced DNS properties. Here we see the DNS server addresses to use; if you've got several we can list them and we can shuffle the order. Now for most situations two is sufficient.

You'll remember I mentioned in a previous demonstration the primary and connection-specific suffixes; let's deal with that. When a computer belongs to a domain its primary suffix is the domain name. So for example, if this computer called CL were added to the pearson.com domain, then it would have a suffix of pearson.com as its primary suffix. You can apply additional suffixes if you wish; so for example the computer might be sited in education.pearson.com, which is not a separate Active Directory domain but is a DNS zone, so you could configure a situation where its primary suffix differed from one of its other DNS suffixes. It's quite an advanced concept, I suppose, but this is where you would specify in which order those would apply. Now this is relevant when a client wants to perform a query, because it needs to know which zone it sits in. If you, or your application, query for a server called www and you don't provide any additional information, how do we know
where that server is? Well, we assume it's in the primary suffix, so we append the primary and then the connection-specific suffixes. So the primary suffix would be pearson.com; if you say "take me to the server www" and don't say where it is, it will assume it's www.pearson.com. If that doesn't yield up a valid result then it will append the additional suffixes listed here. It will also try the parent suffixes in order, so for example the parent suffix of pearson.com is com, and the parent suffix of com is dot, so we'll go up the DNS hierarchy to try to resolve www. I won't configure anything here, but that's how it works. It's also important when you troubleshoot to use the complete fully qualified domain name, so if you want to test name resolution don't test www, test www.pearson.com. with the trailing dot, to give it its full and complete FQDN.

The DNS suffix for a connection can be different from its primary suffix, so it's perfectly possible for you to have several network adapters, and you might choose that one network adapter is connected to the education.pearson.com DNS zone, in which case you'd configure that suffix accordingly here; otherwise you might just use the primary suffix. The primary suffix is not configured here; the primary suffix is configured in the computer's properties, and I'll show you that in a moment. You will always want to register this connection's address in DNS, and you may also want to use this connection's DNS suffix in DNS registration; that's possibly less likely, but it is possible, and this is where you enable it. So if I wanted to enable education.pearson.com as a suffix, I could be sure that it would be registered on the DNS server for me. I'll leave that blank for now, it's only going to confuse matters, so I'm just going to click OK to that, and then I'm going to open up a command prompt just to verify the settings. I'll use an elevated prompt; some of the commands require that, some don't. ipconfig /all displays full information about the IP configuration, including the DNS
servers down the bottom here. If I type ipconfig /displaydns we can see whether or not there is anything in the resolver cache. The resolver cache is generated when a query has been successfully resolved, so if we were to perform that query for www.pearson.com, and a successful result was returned, we would cache that for a period of time, typically an hour, but that's configurable on the DNS server, and that will be displayed here.

So let's perform a quick test. If I send a series of ICMP packets by using ping to the domain controller, we get a reply, 172.16.0.10, and it tells us a bit of information. Now bear in mind, by the way, if you attempt to use ping and it's unsuccessful, that doesn't necessarily mean that the server you've tried to ping is not online; quite often a server administrator has disabled, through a firewall, the use of the ICMP echo packets that are used by ping for testing purposes. Anyway, if we now use ipconfig /displaydns you can see we now have a record, dc.pearson.com. The time to live is 53574; it's a period of time that's configurable on the server, if you remember, and this is the answer that we received.

If you want to test DNS you can use a program called nslookup from the command prompt. Then you enter the query that you want to test and it will attempt to resolve that. We've got a bit of a timeout there, but not to worry; that's because I didn't form the name correctly, it should have ended in the full stop. And then we've got a result here. There are some command switches you can use with nslookup, notably -d1 and -d2, which provide us with some additional debugging information, but again we'll look at that in a troubleshooting session later.

So I mentioned the primary DNS suffix; let's just take a look at where that's configured. I'll just open up the properties of This PC. Now this computer is in a workgroup at the moment; as you can see it's called CL1 and it's in a workgroup, so it doesn't have a fully qualified domain name yet. Let's go to
Advanced system settings and click the Computer Name tab, and if I click Change and then More, you can see here that the primary DNS suffix of this computer can be configured. You'll notice there is a checkbox, Change primary DNS suffix when domain membership changes, so by default if I add this computer to the pearson.com domain it will update the primary suffix to be pearson.com. So the two tend to be the same, but as this computer is a workgroup computer, not part of the domain at the moment, those are potentially separate, so we could have an entirely different primary suffix from a domain membership. I'm not going to reconfigure that now; I will do that when we look at adding computers to domains. In the demonstration you saw how to configure DNS settings.

You can configure your Wi-Fi networks in one of three modes: ad hoc, which means without any infrastructure components, so one computer can connect directly to another over Wi-Fi; Wi-Fi Direct, which is, I suppose, a more enhanced version of ad hoc, where once again you don't necessarily have any infrastructure components; and an infrastructure network, where you connect to a wireless access point, as do other devices, and you connect to one another through the wireless access point.

When connecting to a Wi-Fi network there are a number of Wi-Fi standards. 802.11a provides up to 54 megabits per second and uses the 5 gigahertz range. 802.11b provides 11 megabits per second and uses 2.4 gigahertz. 802.11e provides for quality of service and supports multimedia. 802.11g is used over short distances at speeds of up to 54 megabits, is compatible with 802.11b and uses the 2.4 gigahertz range. 802.11n uses speeds of up to 100 megabits per second and uses either 2.4 gigahertz or 5 gigahertz. 802.11ac achieves speeds of up to 433 megabits per second in the 5 gigahertz range.

If you've connected to Wi-Fi networks, these are referred to as known networks. To manage your existing Wi-Fi networks you can open the Settings app and click Network & Internet, and on the
Wi-Fi tab you can configure the following options: show available networks, hardware properties, manage known networks, and use a random hardware address. That's an interesting option, actually; by using this it obscures your device. A hardware address is often the unique characteristic of your computer, and if you use the same hardware address every time you connect to a Wi-Fi network, to some extent I suppose you could be tracked. So if you use a random hardware address every time you connect to a Wi-Fi network, it makes it harder for someone to determine where your device has been. And you can configure support for Hotspot 2.0 networks.

Here you can see a screenshot of the Wi-Fi Status dialog box. To configure advanced Wi-Fi settings, open Network and Sharing Center and then, under View your active networks, click the wireless network you want to configure, and then in the Wi-Fi Status dialog box shown here click Wireless Properties.

Wi-Fi Direct is a feature supported by Windows 10 that enables you to connect your Windows-based device to other devices and peripherals without necessarily needing a wireless access point. To set it up you first have to verify you have a compatible adapter: from the command line type ipconfig /all and verify that one of the network adapters has a description value of Microsoft Wi-Fi Direct Virtual Adapter. To enable Wi-Fi Direct use the following procedure: open an elevated command prompt, run netsh wlan set hostednetwork mode=allow ssid="Wi-Fi Direct" key=<a passphrase>, then run netsh wlan start hostednetwork. To stop using Wi-Fi Direct run the following command: netsh wlan stop hostednetwork.

In the demonstration I'm going to go through how to manage Wi-Fi networks. OK, to enable Wi-Fi Direct, start by opening up a command prompt and then use the netsh command: wlan set hostednetwork mode=allow, then the SSID, Wi-Fi Direct, and then the passphrase, which is easy enough to remember here. And then the next command is to use netsh wlan
start hostednetwork, and then we can check to see if, on another computer, we can connect to this host using Wi-Fi Direct. OK, so here we are: click on the Wi-Fi symbol and there we can see the other network, Wi-Fi Direct, and then to connect I would click Connect and enter the passcode. Back on the other computer, to shut down the Wi-Fi Direct network, use the netsh wlan stop hostednetwork command.

You can also manage the additional, or known, Wi-Fi networks by opening up Network & Internet settings and then clicking the Wi-Fi tab, and then you can use Manage known networks. Here you can take a look at the networks you've connected to before, and you can view their properties or choose to forget them. You can also use the netsh command to view your Wi-Fi profiles: a list of all of the available profiles, all the profiles to which you've connected. If you want some information about a specific profile you can specify its name, and you can see here it's a wireless LAN, connect manually, the SSID name, the network type, the authentication mechanisms used and so on. In the demonstration I showed you how you could manage Wi-Fi networks.

You can use a virtual private network to connect to your workplace over the internet. A VPN provides for a secure connection through a public network by using authentication and encryption protocols. When you're connected to your workplace network you're considered to be a part of that workplace. A VPN uses authentication to identify the two communicating hosts at opposite ends of a tunnel; that's your computer and the VPN server at the remote end. There are a variety of different authentication protocols in use, some of which are fairly lax, some of which are extremely rigorous, and you choose the appropriate level of security for your organization's needs. Encryption is used to ensure privacy of the data whilst it's in transit across what is a public network. Encryption is also used to provide for assurance that the data has not been tampered with whilst it's in transit, because
a tunnel is used to connect to the workplace network. In other words, a tunnel is used to connect from one IP network to another IP network over a public network; the data is encapsulated in a tunneling technology, or tunneling protocol, and there are a number of those that you can choose to use. The Point-to-Point Tunneling Protocol, or PPTP, is probably the oldest. It's widely understood and it's probably not the optimum in terms of security, but it's a good foundation, and if you're setting up VPNs and you're experiencing problems with some of the other tunneling protocols, using PPTP for testing purposes might offer the possibility to more easily resolve the problem that you're having. The Layer 2 Tunneling Protocol with Internet Protocol Security, or L2TP/IPsec, is a more complex protocol and is more secure. It can sometimes be a bit challenging to set up because of the use of certificates for authentication purposes, but it provides for a reliable and secure tunneling experience. SSTP, or the Secure Socket Tunneling Protocol, has the advantage of being based on the same technology, the same protocol, TLS, as is used for accessing a secure website, HTTPS. Consequently it uses the same TCP ports through the firewall, so one of the major advantages of configuring an SSTP-based VPN is that you don't need to reconfigure your firewall to support it, whereas both PPTP and L2TP/IPsec require additional changes. Internet Key Exchange version 2, or IKEv2, is the most recent tunneling protocol that Microsoft supports in Windows 10, and it comes with additional features like persistent connections and the ability to auto-reconnect if a connection is lost, say when using your cell phone, for example.

Authentication is at the heart of creating your tunnel. You have to identify yourself to the remote end and the remote end has to identify itself to you, or rather to your machine. There are a number of authentication options available; whichever option you choose must match at both ends. PAP uses plain
text: a username and password are exchanged in clear text across the network. Now, given the network is a public network, that's highly undesirable. The Challenge Handshake Authentication Protocol, or CHAP, is an enhancement whereby usernames and passwords are not directly exchanged, but rather a challenge and a corresponding response are used to determine whether or not the remote end knows what your password is, without you necessarily having to declare it. It's considered to be more secure than PAP, but it's been around for a significant amount of time and is generally not considered to be sufficiently secure. Microsoft version 2 of CHAP, or MS-CHAPv2, is the minimum level of authentication that you should select to support a VPN connection. You can also use the Extensible Authentication Protocol, or EAP, which provides for the most rigorous selection of options for authentication that's possible with your VPN.

Typically VPNs are used for remote access purposes, so you can see here a VPN client establishes a connection over the internet, which is represented by the globe, to a VPN server which sits in the corporate network and facilitates an inbound connection to resources on the internet; that's known as a remote access VPN.

The configuration for a VPN is stored in a profile. When you use VPN profiles in Windows 10 you can take advantage of a number of advanced features. You can enable Always On; this is advantageous because it means the user doesn't need to remember to initiate a VPN. It might be obvious to you or me as IT support professionals that when you're sitting at home on your laptop you're no longer connected to the corporate network, and therefore you need to do something to facilitate that connection, but that's not necessarily obvious to a user. Sure, they know they're at home, but they don't necessarily understand the difference. So by having an Always On VPN profile it means that they don't need to think about that; as soon as they attempt to connect to a
resource, the VPN is already present. If a user runs a particular application, it can be configured to use, or to take advantage of, a feature known as app-triggered VPN, which will automatically establish a connection as soon as you run an application. So if a particular app requires a VPN connection, it will trigger. That's particularly advantageous in today's connected world: if you're sitting in a coffee shop and you run an application that's quite secure, quite sensitive, and wants to access data in the corporate network, you probably want to make sure you initialize a VPN to provide for authentication and privacy over what is an open network. Traffic filters allow you to control what sort of traffic can be used over the VPN. So when you're connected to a local network pretty much any traffic can flow between you and servers and other users on the network; there's not normally any filter. But with VPNs you can enable traffic filters to specify, by type of application, or by TCP or UDP port, or other characteristics of the protocol, like ICMP or whatever it might be, that that traffic is or is not allowed. A LockDown VPN profile is used to enforce the use of a VPN interface, so in this scenario the device is secured to only allow network traffic over the VPN, which is automatically always on and can never be disconnected. If the VPN is unable to connect, then there'll be no network traffic allowed.

In the demonstration I'll show you how to create a VPN connection and then how to test the connection. Before you can set up a VPN connection from your Windows 10 computer, you must have something to connect to. Assuming you're using Windows Server, in this case Windows Server 2016, you'll need to install the Remote Access server role and optionally the Network Policy and Access Services role. Let's take a look at what each of those does. From Server Manager I'm going to select Tools and then choose Routing and Remote Access. The Remote Access role supports both routing
and DirectAccess and remote access. In this instance I haven't installed DirectAccess; I've just got the VPN functionality. In the Routing and Remote Access console, if I expand this out, you can see via the properties of the Routing and Remote Access local server that we have enabled IPv4 routing and IPv4 remote access. Security is not configured here; it's been configured to use a Network Policy and Access Server, so we'll take a look at that in a minute. The IPv4 settings are to allocate IP addresses from a static pool of addresses on the server here, rather than to use DHCP elsewhere, so when a VPN client connects in it will be allocated an address from this pool on the remote access server.

To gain access using a VPN or other remote access method, you must also be authenticated using a Network Policy Server, which is part of the Network Policy and Access Services role. We can see here that there are some network policies. Network policies define the characteristics and constraints of a remote access attempt. We have a policy here called Connections to Microsoft Routing and Remote Access server, which is enabled and is configured to grant access. Now the conditions of this are anybody trying to connect from a Microsoft type of device, so the conditions are fairly wide; pretty much anything can connect. I've enabled this; normally this is configured for deny access, so in other words by default no one can connect remotely to this server. You can create additional policies that are processed in turn based on conditions being met or not met. You can also see down the bottom here some information that pertains to the settings of this policy, so if a remote access attempt meets the conditions of a policy, a network policy, then it must also meet the settings. In this instance we're specifying the types of protocol and also the authentication methods that are being supported, so when we set up our VPN on the client side we must make sure we adhere to these particular settings, otherwise we'll be denied access. So on
the client computer we need to set up a VPN connection. We can do that by clicking Settings, Network & Internet, clicking the VPN tab and then clicking Add a VPN connection. In the Add a VPN connection window we must specify a VPN provider; at the moment the only provider is the built-in Windows one, so I'll select that, but you may be using something from Cisco or some other vendor. Here we need to give the connection a name, so let's call it Pearson VPN, and then we need to specify the server name or IP address; that's the remote access server. Now typically this will be on the other side of the internet somewhere, and we must therefore specify a public address that we'll use to connect to it. That must match the remote access server's remote interface address, the internet interface. This is actually a private IPv4 address; I'm setting this up in a test environment, but clearly you would require the public IP address or fully qualified domain name of the remote access server. Windows 10 supports a variety of VPN types; by default it uses the automatic determination method, so it will try each VPN type in order and verify eventually which one of them works on the remote access server. If you know what it is you want to use, you can choose between PPTP, L2TP with certificate, L2TP with pre-shared key, SSTP or IKEv2.
I'm going to go for PPTP; that's generally easier to set up. How will I sign in? I'll default to a username and password, but we can use certificates or smart cards depending on what's been configured on the server and what's available on the client. We'll use a username and password. I can enter the username and password here if I want to save them as part of the remote access profile; I'm going to specify that I'll be prompted, and it will remember my information. So we can see here that it's set up our VPN connection. We can view some advanced information about that, or we can revisit the configuration: if I click on it here I've got the option to connect or to look at Advanced options, and you can revisit the information that you entered. Here's the name and the IP address of the remote server and so on, and then any proxy settings that you might need to configure. You can also click Change adapter options, and that takes you to Control Panel and opens up the Network Connections option, and you can see here there's an iconic representation of the VPN, configured for WAN Miniport (PPTP). If you want to reconfigure the VPN you can also do it from here, so we can verify the server's hostname or IP address, some options, remember my credentials. On the Security page you can specify, curiously, the type of the VPN here. You can also specify data encryption; it's currently set to Optional, connect even if there's no encryption. Again, this characteristic, or this property, must match up to the same property on the server side. And then what authentication protocols will be used, so I'm going to choose Allow these protocols and then specify MS-CHAP v2.
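The same client-side connection can be built from Windows PowerShell with the VpnClient module, which is useful when you want to script the profile for many devices or simply check that what you configured in Settings really matches the server's network policy. This is an added example, not part of the course demonstration; the connection name Pearson VPN and the tunnel, authentication and encryption values mirror the lab settings above, and vpn.pearson.com is a placeholder for the public FQDN or IP address of the remote access server.

```powershell
# Added example (not from the course): create, verify, connect and disconnect
# the "Pearson VPN" connection from PowerShell. Run in an elevated prompt.
# vpn.pearson.com is a placeholder for your remote access server's public name.
$vpnName   = 'Pearson VPN'
$vpnServer = 'vpn.pearson.com'

# Create the connection in the current user's phonebook. These three settings
# (tunnel type, authentication method, encryption level) are exactly the ones
# the NPS network policy checks; a mismatch is rejected by the server.
Add-VpnConnection -Name $vpnName `
                  -ServerAddress $vpnServer `
                  -TunnelType Pptp `
                  -AuthenticationMethod MSChapv2 `
                  -EncryptionLevel Optional `
                  -RememberCredential `
                  -Force

# Read the profile back and show only the properties that must match the server.
Get-VpnConnection -Name $vpnName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, RememberCredential

# Dial the connection (prompts for credentials the first time) and confirm state.
rasdial $vpnName
(Get-VpnConnection -Name $vpnName).ConnectionStatus   # expected: Connected

# Tear the test connection down again.
rasdial $vpnName /DISCONNECT
```

The values Pptp and Optional reproduce the lab because that is what the demonstration's server policy allows; for a production profile you would switch -TunnelType to Sstp or Ikev2 and -EncryptionLevel to Required, and change the matching settings in the network policy at the same time, since the two sides have to agree before the connection is granted.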
As long as MS-CHAP v2 is one of the supported authentication protocols on the server I should be in good shape. I can launch the connection from here, or I can switch back over to here and then click Connect. I must enter a username and password, then click OK, and you can see I'm connected. On the server, if we switch back to the server here, we can see what's going on: if we go to Tools and Remote Access Management, click on Operational Status, it's looking as if it's working properly; click on Remote Client Status and we can see that a user, warren aj in the domain pearson, has connected. They've been given an allocated address of 100 50, they've been up for about a minute, using the PPTP protocol. Get some more details here if I want to; the authentication method is MS-CHAP v2. I can use this option over on the right here to disconnect all the VPN clients. You can also use the Routing and Remote Access console: we expand out the local server and take a look at Ports. Scroll down the list of ports, there are a lot of them; you should see one that's active somewhere. There we go, buried away there, there's a WAN Miniport (PPTP) active, and if we click on the Remote Access Clients tab here you can also see the same client we looked at in the other console. I can disconnect it or view the status from here as well. So back on the client, all that remains is for me to disconnect the VPN and close down the network connections. In the demonstration I showed you how to create a VPN connection and how to test that VPN connection.

It's worth noting you can use the Windows Configuration Designer to create VPN profiles, as you can see here in this screenshot. Windows Configuration Designer is part of the Windows Assessment and Deployment Kit, which we looked at in Lesson 1. You can also connect to device management, or Microsoft Intune, and configure a profile which will allow you to distribute VPN settings, as shown in the screenshot here.

When you experience a network problem, use the
following procedure to help resolve the issue. Determine the scope of the problem; you could do that by asking basic questions: who else is affected, when did the problem start, what might have changed since it was last working? Determine the IP configuration, so connect to the remote computer and run ipconfig /all, or if you can't connect, ask the user to perform that task for you; I mean, if you've got a network problem, the device may not be accessible. Determine the network's hardware configuration, so verify the network interface card is successfully installed. These days that's less likely to be an issue because most of these are embedded chips, and quite often we're using Wi-Fi devices which are part of the motherboard, for want of a better term, and are not therefore easily separable from the other components within a computer; but if you're using wired components then make sure those wires are connected correctly, that nobody's tripped over a wire or disconnected a wire inadvertently. And then test communications. Your approach might vary: you can start from the top by trying to establish a connection from that client computer to a server somewhere or other, or you can start at the bottom and verify basic IP communication and then work your way up. So whichever way round you do it, you verify basic communications; that might require pinging a remote computer. You'll want to check the routing and firewall configuration of your network, so that's the physical routers and firewalls if those are deployed, and also host firewall configurations. You want to verify that name resolution is working successfully; that involves checking that the client computer can resolve names correctly, but also that if a name server is being used, such as DNS, it's online and is working successfully. And then finally you want to test connectivity to specific applications on the server somewhere or other; you'll want to make sure that the service that runs a server process is running and is listening on an
appropriate port.

There are a number of troubleshooting tools that you can use to help. These include Event Viewer; this collects information about system activity in event logs, so it's always worth starting there. One is Network Diagnostics, which presents possible descriptions of issues and might suggest a potential solution; it's wizard driven. ipconfig is probably a good starting point, really; it displays the current TCP/IP configuration for your device. ping: you can use this to send a packet using ICMP to a remote system, and then if it responds you know that you've got some basic connectivity. Bear in mind that lots of hosts and many firewalls block the packets that ping uses, and so you might get false negatives. tracert allows you to verify the path that packets are using to get to a designated computer; that's useful for determining which particular routers are being routed through. nslookup is the primary tool for troubleshooting name resolution; you can use that to perform a basic or complex query and then review the results. pathping is a sort of super ping; it combines the functionality of ping and tracert. And then of course Windows PowerShell, not strictly speaking a troubleshooting tool, but a command-line tool which comes with a host of network connectivity cmdlets that you can use to configure and troubleshoot your network.

If you're experiencing what you think might be a name resolution problem, then use the following procedure to troubleshoot name resolution. First of all, clear the DNS resolver cache. That's important because if you've recently resolved the name and it's in cache, then any test you now perform will be resolving from cache, which means it's not communicating with the name server or using any other mechanism to try to resolve the name; so all you're doing is saying display the name that I already have. Attempt to verify basic connectivity using an IP address. If you can connect using an IP address to a service but you can't connect using the name, then that
suggests it might be a name resolution issue, but if you can't even connect using the IP address then that might suggest a more basic problem. Bear in mind, however, that often when you connect to a service it's associated with a digital certificate which contains the subject name, and that's normally the server name that you're using to connect to. If you connect using an IP address you might get certificate errors. Now those may be obvious or they may not be obvious, so you might just simply fail to connect without any kind of indication as to why that might be. So although it's great to try to do this basic connectivity check, it may not always yield up the expected results. Attempt to verify connectivity to a host name. You can think about adding the hostname to the hosts file if you want to, to see if that resolves the problem, and that would then suggest that it's a name resolution problem in the name server rather than some other issue. Finally, display the resolver cache and see if you've been able to resolve the name. If you have, then it will reside in the resolver cache; if not, purge the cache and loop through these tests again, trying some slightly different approaches until you're successful. The other issue might be the name server itself, so if you're able to resolve the name by putting it into the hosts file, so that you're telling the computer what the name is, and that then allows you to connect, you know it's not a connectivity issue with the service; it is then a name server issue, so go to the name server and perform a test on the name server.

In the demonstration I'm going to show you how you can verify your IP configuration, perform basic tests with IP to determine connectivity, and then test name resolution. So troubleshooting networks is often about just understanding what the configuration of a particular device is supposed to be. You can generally achieve that through the command prompt by using ipconfig. On its own it tells us quite a bit: we've got the IP
address here, subnet mask, default gateway and then some IPv6-related information down the bottom here. If we need a bit more information we can use ipconfig /all, and it tells us that we're using a DHCP server and what its IP address is, and information about the lease and so on. If you are experiencing a DHCP problem then try renewing the address; you can do that by using ipconfig /renew. I usually drop the address first, ipconfig /release, then verify that the address has been dropped with ipconfig; it's not there anymore. Clear the screen there and then do an ipconfig /renew. It will now hopefully obtain an IP configuration from, in this case, the router rather than the DHCP server. There we go, so if we check we should have new Lease Obtained and Lease Expires information here. So that's one thing that you can do.

The next thing, possibly, is to test communications to a remote host, so you might try pinging your host. Pinging the local loopback, ping 127.0.0.1, verifies that the protocol stack is functioning correctly, so you should get a response; effectively you're pinging yourself. Then you might try pinging a particular server or interface. We're getting a reply, so communications are looking good. And then you might try to ping something that was in a different subnet somewhere, and then if you experienced a problem you might determine that it was a routing issue that you needed to look at. Remember ping is not that reliable; you sometimes get false negatives, that's to say it's possible that a computer that you're trying to communicate with has blocked ICMP version 4 packets. We can also use Windows PowerShell to perform some of those commands: use the Get-NetIPAddress cmdlet and you get similar information to what you see with ipconfig; instead of ping you can use Test-Connection, and so on. So if you don't think you've got a basic IP configuration issue then you might start to look at something like name resolution. Let's talk a bit about troubleshooting name resolution. The first thing
to check with name resolution is to verify that the DNS client settings are configured correctly. Click on Properties here; we can see this is set to obtain the information dynamically, so we can check that either using ipconfig, or back in Network and Sharing we can click on Ethernet and then click Details, and it will show us here that a DHCP server is configured and what the name server is. So that's looking as if it's configured correctly. The thing about troubleshooting name resolution is that sometimes the problem can be at the name server end, so you can perform a series of fairly reliable tests either at the command prompt or using Windows PowerShell. The first thing to do is to attempt to communicate by using a name. If you can ping a particular host by its IP address then you know that it's online and it's accepting ICMP packets; if, when you try to ping it by name, it doesn't work, that suggests that there's a name resolution issue. If you do an ipconfig /displaydns you can see the entries that are in the name resolution cache; because this computer is online there's quite a lot that are configured here. If you want to perform name resolution tests you must clear the cache by using the ipconfig /flushdns command, and then you can verify that there's nothing in the cache, and then you can attempt to test a name again by, you know, pinging it or establishing a connection to it. So if I opened up a web browser and attempted to communicate with the Microsoft web server, for example, then I would expect to see that information in the cache. Similarly, if you're using Windows PowerShell you can use the Get-DnsClientCache cmdlet to view the cache; there is nothing in there at the moment. And we can also use the Clear-DnsClientCache cmdlet to remove everything from the cache, so those are the equivalents of ipconfig /displaydns and ipconfig /flushdns. If you want to test a particular name in PowerShell you can use the Resolve-DnsName cmdlet and then enter a name, and it comes back and
it tells you how it resolved that. You can see some information here about how it went around the process of resolving that, and it's giving us the results here: it's giving us an IPv4 address and an IPv6 address and so on. So we know that name resolution appears to be working to that server. We can do the equivalent from the command prompt by using the nslookup command, and we get an answer. You can also use nslookup with the -d1 and -d2 switches, and you can also output the details of your query to a text file for later analysis. If after doing these tests you're still getting some problems with name resolution, then it may well be worth escalating to the server team to take a look at the DNS server configuration. In the demonstration I showed you how to verify IP configuration, to test IP connectivity and how to test name resolution.

Some devices with Windows 10 installed can support connectivity using cellular networks. This is useful for users who cannot always connect to Wi-Fi networks but still need access to corporate services and resources. To enable and configure cellular remote access in Windows 10 you must obtain a cellular data plan from a telecom provider. Some devices, such as the Surface, support LTE and faster data connections. Your telecom provider will give you a cellular data plan; you can visit the website specified here to find out more. Typically your provider must provide a SIM card; however, some hardware vendors, including Microsoft, support embedded SIM, or eSIM. An eSIM enables cellular data access without a physical SIM card. To configure Windows 10 for mobile connectivity to the internet, select the network symbol on the taskbar, search for Get connected beneath the name of your mobile operator, and select Connect with a data plan; the Mobile Plans app opens, then either enter your mobile number and select Find my mobile operator, or select a telecom provider, go to their site, sign in and then choose a plan. If your Windows 10 device has a connection to the internet you can set it
up as a mobile hotspot as shown here to do so access the network and internet settings page and then select mobile hotspot tab as shown in the dialog box to enable a mobile hotspot after you've selected the settings app and selected the mobile hotspot tab in the share my internet connection from list choose the appropriate network connection select edit and enter a network name and a network password which is used for your users to connect through you to the internet select share my internet connection with other devices this is lesson 8 configure remote connectivity in this lesson we discuss how to perform remote management to enable remote desktop and how to use windows powershell remoting during the lesson you'll learn how to configure remote management configure remote desktop access and enabling windows powershell voting the hands-on demonstrations in this lesson include enabling remote desktop configuring remote desktop establishing a remote desktop session enabling windows powershell remoting and using windows powershell commandlets to remotely manage a computer it's always a good idea to perform management remotely if you're looking at the server or you want to perform a management task on the server far better to perform it from a remote console than to go to the server and interact directly if you're remote you can't spill coffee over it trip over the power cable or perhaps more realistically you can't cause a program to run that perhaps results in a server a bend and a blue screen by performing tasks remotely for servers you make the environment more secure more robust if you're looking at managing remote workstations then you might have your users distributed over a wide area and that then becomes impractical to visit each workstation to perform management tasks upon those particular devices windows 10 provides you with a number of tools that you can use for remote management first you have remote assistance this is based on the remote desktop protocol 
so it uses TCP port 3389, so it's relatively straightforward to configure through a firewall if that's necessary. With Remote Assistance, not only can you look at a remote workstation when you want to perform management on it, but you can take remote control, if the user allows, and then you can interact directly. You can also send messages to and from the remote console. Quick Assist is a new feature in Windows 10. It provides similar capabilities to Remote Assistance but is arguably far easier to initialize. Let's have a look at both of those very quickly.

If I type "remote assistance" in the Start search box here, you can see that it provides me with options to invite someone to connect to your PC and help you, or to allow Remote Assistance invitations to be sent from this computer. So at the moment I need to turn that facility on; if I choose Invite someone to connect to your PC and help you, I can then follow through a wizard to set up Windows Remote Assistance. Quick Assist works slightly differently; it's a Store app. Let's run that, and you can see here I can either give assistance by assisting another person, or I can receive assistance, so I need to use a code. As you can see here: allow someone you trust to assist you by taking control of your computer; please enter the six-digit security code that was provided to you. So that code allows us to establish the session between the two computers. This is a very convenient way of providing remote support.

Now both of those, Remote Assistance and Quick Assist, are probably considered to be tools that you would use to manage a workstation where a user is sitting at the other end with a problem that you want to help them with. However, we've also got Remote Desktop. Remote Desktop is a technology originally devised to allow you to take remote control of a computer. The typical scenario was that you're working at home, you've got your own personal laptop, and you connect to your organizational desktop device, and effectively you have complete control of it as if you were sitting at your workplace. But Remote Desktop is also used to manage remote servers. The difference between Remote Desktop and, say, Remote Assistance: they're both based on the same protocol, that's RDP, port 3389, but with Remote Assistance you have the capability to interact with the user and take remote control of their machine whilst they watch, whereas with Remote Desktop you take remote control; there is no communication, there's no messaging, and when you take remote control you sign the other user out. It's perfectly acceptable, but it's not an ideal interactive tool for showing a user how to solve a particular problem.

Windows PowerShell is all-pervasive in Windows 10 now. With Windows PowerShell you can also do Windows PowerShell remoting, so any Windows PowerShell cmdlet or script that you can run locally you can also run remotely and achieve the same objectives. Given that all administrative tasks can be performed with Windows PowerShell these days, it's unlikely you'll find a situation where Windows PowerShell remoting could not solve your particular configuration problem. The advantage of using Windows PowerShell, of course, is that you don't have to interact directly with the remote computer; you really only need to launch the script or run the cmdlet against that remote system.

And finally, most management tools: any time you open up something like Computer Management, Disk Management, Device Manager, whatever it might be, all of those run within the context of Microsoft Management Console, and all of those are configurable to connect to a remote computer. Generally that's no more difficult than opening up the appropriate console, right-clicking the top node in the tree, and saying Connect to another computer. It's worth bearing in mind, though, that with Microsoft Management Console, when you connect to a remote computer in that way, you use a number of different means for connecting; remote procedure calls and named pipes are the two that I can think of. They use a variety of different TCP ports to connect, and so if you're using a management console in that way remotely across the network, especially if you're transiting multiple firewalls between you and a server device, that might prove to be problematic in some ways. Then Remote Desktop is easier, because you have complete control of the remote machine and you only need a single port to be opened for management purposes, port 3389.

So here's an example. I've got Computer Management running here. To connect to a remote computer I right-click and say Connect to another computer, and then browse and select the other computer, and then in this particular instance I can perform all of the tasks listed here. However, I must just check the firewall configuration to support that. So let's open up the Windows Security app, expand this here, go to Firewall & network protection, and I'm going to jump to Allow an app through the firewall. If I scroll down, you can see that for a variety of different remote technologies... here we go. If I want to perform event log management remotely, I'm going to need to enable that through the firewall. If I want to look at the event log or monitor events, I need to enable the remote event monitor ports; scheduled task management, service management, remote shutdown, volume management, and so on. So each one of those would need to be configured, whereas when you use something like Remote Desktop it's a single port that you need to enable, as you can see here. We'll talk about that in the next lesson. When you're looking at using Windows PowerShell remoting, it uses the Windows Remote Management interface, which you can select down here; again, a single configuration. So it's a lot easier to perform management in that way.

Let's have a look at some of the scenarios that you might find yourself facing. A user needs help and advice: you must help the user perform a specific task in an application. The appropriate tool, of the ones we've seen, is probably Remote
Assistance, or possibly Quick Assist. You must perform a single remote management task on a single computer without user interaction: I'd recommend using Remote Desktop or Microsoft Management Console. By the way, when I say MMC, if I'm thinking of servers I'm probably referring to something like installing the Remote Server Administration Tools, or RSAT. These are a collection of tools that you can download for certain versions of Windows 10, or on the current version of Windows 10 you can simply enable them through Control Panel, and then you can perform remote management of domain-type tasks such as adding users and managing groups and computers and so forth. You need to perform the same task on multiple remote computers: I'd suggest using Windows PowerShell, because it has the ability to run on a one-to-many basis; you can name multiple computers to perform the same task in your script. You need to perform a repetitive task on multiple computers and expect to repeat the same task in the future: again, Windows PowerShell is the appropriate tool. You want to view the configuration of a remote computer but are not yet sure of the problem: Remote Desktop allows you to do that. You need to perform the same management task using the same management tool on any computer: the appropriate management console, in which you can then, as I showed you briefly, right-click and select a remote computer.

As I showed you in the brief demonstration, you'll need to reconfigure Windows Defender Firewall to support the management interfaces that you want to use, and that's why it's probably a lot easier to use something like Remote Assistance, Remote Desktop, or Windows PowerShell remoting, because they use a single port, whereas using a management console requires the configuration of multiple changes. These are the available remote management features listed in the firewall list that we just glanced at. I won't read them out, but I'll just pick a few. Obviously we've got Remote Assistance and Remote Desktop at the top, and then the various remote management features that I indicated in the demo. You may also want to be managing virtual machines, and Windows Firewall remote management. WMI is used for things... well, we looked at that earlier in the course. We talked about Group Policy: if you want to test Group Policy, for example, it will use the WMI interface to run the gpresult assessment against a remote computer, so you must enable WMI through the firewall to support that. And then Windows Remote Management, which is what we use for things like Windows PowerShell.

So although I showed you the interface for managing the firewall, you can also enable Remote Assistance and Remote Desktop in a single step from the System Properties dialog box by selecting the Remote tab. So right-click This PC, choose Properties, and then select the Remote tab, as shown here. To enable Remote Assistance, simply select the Allow Remote Assistance connections to this computer check box, and then click Advanced to set some properties about the duration of invitations and so on. For Remote Desktop, which is shown at the bottom of the dialog, you can enable the Allow remote connections to this computer setting, and then you can select users. When that's enabled, by default the local administrator has access, but you can configure additional settings; we'll look at that much more closely in the next lesson. Remote Assistance, as you can see if you choose the Advanced button, shows you the option to allow the computer to be controlled remotely, and sets the maximum amount of time invitations can remain open, six hours. To use a management console to connect to remote computers, as I showed you, for the most part once the firewall is configured all you need to do is right-click the top node in the particular management console and select Connect to another computer.

So let's have a closer look at Remote Desktop now. As I showed you earlier, you can choose to configure the remote properties by looking at System Properties: right-click This PC, choose Properties, click the Remote tab, and then Allow remote connections to this computer. You can then specify which users you want to allow Remote Desktop access. It defaults to, in this case it says Andrew on the screenshot, but that's just the local administrator account, the default account on this particular PC created when Windows 10 was installed; normally that would be members of the Administrators group. You'll notice there's also an option for Allow connections only from computers running Remote Desktop with Network Level Authentication. That's for computers that are running Windows Vista or later, and that's an option that you should generally always accept. Once you've got it configured, you'll want to establish a Remote Desktop connection using the Remote Desktop Connection program. You can run that by running mstsc.exe, and then, as you can see in the display here, you can configure on the General tab the computer name and user name and the option to save your credentials to connect to the remote computer. On the Display tab you can configure the resolution of the display at the remote end and various other properties. Local Resources allows you to configure how things like the paste buffer are handled, and whether, when you print to a printer, that's going to print to a printer at the remote end or to one of your printers at the local end. Experience allows you to define the characteristics of the connection based on whether you have a high-speed or a low-speed connection, so that you can optimize your connectivity. And then Advanced allows you to configure a range of security-related settings if you're using additional services on a server to handle Remote Desktop connectivity.

If you want to configure those behaviors using Group Policy Objects, you can navigate to the Computer Configuration, Policies, Administrative Templates, Windows Components, Remote Desktop Services node, and then you can configure the Remote Desktop Connection
Client, Do not allow passwords to be saved value; the Remote Desktop Connection Client, Prompt for credentials on the client computer value; and the Remote Desktop Session Host, Connections, Allow users to connect remotely by using Remote Desktop Services value. Additionally, under Remote Desktop Session Host you can configure Device and Resource Redirection, and under the Security node set the Client connection encryption level. You can also manage Session Time Limits under the Remote Desktop Session Host node.

In the demonstration I'm going to show you how to use Remote Desktop by enabling it, configuring it, and then establishing a Remote Desktop session. To enable Remote Desktop, I'm going to open up the properties of This PC and click Remote settings, and then, as you see here, I can choose an option for Remote Desktop: Don't allow remote connections to this computer, which is the default, or Allow remote connections, with Allow connections only from computers running Remote Desktop with Network Level Authentication; that's from Windows Vista onwards, I think. And then I can specify particularly which users have that capability. Andrew, which is me, who I'm signed in as on this local computer, already has access, and then I can click Add and specify user accounts from the local security authority. I can also, if this computer is a member of a domain, add user accounts from the domain; the best way to do this is through group membership. So that's fine, I've now allowed remote connections. It's also a good idea to check the Windows Firewall configuration as well, and then again Allow an app or feature through the firewall. If I scroll down to R, I've got Remote Desktop enabled; you'll see that it's enabled on Private and Public. I might want to change that.

Having enabled Remote Desktop, I then need to open up the Remote Desktop program and configure it. You can find that in Windows Accessories, Remote Desktop Connection, or you can just click Start and type mstsc and you'll see it in the Start menu under Remote Desktop Connection. Open that, and I'm going to show more detail, and then I enter the computer name that I want to connect to, or its IP address, and then the user name to connect to that remote computer, and allow me to save credentials if I want to do that. That may be enough to connect, but I may also want to configure the display properties, so I can choose to use the full screen or I can specify some other resolution. As you'll appreciate, I'm in a demonstration environment here, so my screen size is actually limited to 1280x720; that's not a particularly large expanse of screen space, so I'm going to choose 800 by 600 to connect. I can choose the color depth, and obviously the higher the quality, the more data is shifted across the link and the potentially slower things run, but realistically Remote Desktop doesn't impose a great load on a remote connection. How do I want local resources to work? So, configure remote audio settings: when something happens that generates a sound at the remote end, do I want to hear it here, do I want to hear it there, or do I not want to hear it at all? If I'm recording audio, do I want to record it from this computer or not at all? Keyboard options: you can see that when you run certain keyboard combinations they will do something, so Alt+Tab and Ctrl+Alt+Del and so forth; what will happen when I use those keyboard functions, will they control the remote session or the local computer? Down here I've got local devices and resources: when I want to access printers, choose the devices and resources that you want to use in your remote session. I want to use the remote printers, I want to use the remote clipboard, and there are some more options that you can configure here in terms of disk drives and so on. If I've got a fairly low-speed connection, then I might want to configure that here, and that dials everything down in terms of the features, and what you see in the way that Windows displays animations and visual styles and so forth is reduced in quality so that we use up less bandwidth. These days that's not a tremendous concern with even high-speed home broadband links.

On the Advanced page you can configure server authentication. When you connect to a server (that just means the remote end), if there is an issue with security, so for example the certificate that's used by the server, the remote end, to identify itself has a date problem or a name problem or something, then do you want to know about that? So you can say yes, warn me about it; or you can say I don't want to know about it, just don't connect and come up with an error message; or connect, and I don't even care. So it depends, I suppose, on what you're connecting to. If you're connecting to an internal server that you're managing, then it probably doesn't matter; if you're connecting to an external type of resource, then it possibly does matter, because you need to know if you're connecting to the server that you think you're connecting to. So when I'm happy, I can click on the General tab here and then click Connect. If all of these settings work for me, I can then save this as an RDP file for later use, and I can then add that to my Start menu as a shortcut if I want. So to actually connect, just click Connect, and I need to specify a password; that's because it's the same account on several different machines but with a different password. And then click OK.

So we've asked it to warn us, and it's telling us here: the remote computer could not be authenticated due to problems with its certificate; it may be unsafe to proceed. The name in the certificate of the remote computer is Scribbler2; the certificate is not from a trusted certifying authority. That's fine, it's a self-certified certificate at the remote end, but it's actually my other laptop that I'm connecting to, so that's perfectly acceptable. If I was a bit concerned about it, I could view this certificate, and you can see that it's not particularly exciting there, but it would tell us more if it was issued from an external authority. So I'm going to say I want to connect anyway, and there we can now see a Remote Desktop connection to the other machine, and it's fully functional. I can do everything that I want, and one of the advantages of Remote Desktop is that it allows me to perform management on any device without needing to install the Remote Server Administration Tools locally. So if I want to manage a server, I establish a Remote Desktop connection to it and then use the built-in server tools on the server. Generally it's a maxim that says never go to a server and perform management interactively with it when you can perform the same management task remotely, so Remote Desktop seems to be a bit of a go-to protocol for me when I want to perform management. When I'm happy with the session, though, and I'm finished doing what I need to do, I can close it down, and then the next time I open up mstsc you can see that it's retained all of the information that I configured previously, and I can save that, or Save As and give it a name, Scribbler2, and save it to the desktop, and then there it is. So next time I want to establish a connection to Scribbler2 I can simply double-click the shortcut. In the demonstration you saw how to enable Remote Desktop, how to configure Remote Desktop, and how to establish and manage a Remote Desktop session.

One of the most useful and powerful ways of performing remote management is to use Windows PowerShell remoting. Obviously it's not terribly interactive; you can't use it to demonstrate to a user how to perform a particular task in MS Word. But where it's particularly useful is that if you've got a lot of repetitive tasks, things that you keep finding yourself doing, then once you've developed the script to do it, you can very easily perform that management task without really thinking too much about it. You can also use Windows PowerShell remoting to connect to multiple systems at the same time,
so once you've learned how to perform management on a specific individual computer using a particular PowerShell command or script, you can apply that to multiple devices. Before you can use Windows PowerShell remoting you need to enable it, or at least you need to enable the firewall connectivity and the listening ports for the Windows Remote Management service. Now you can do that in a number of different ways. On Windows Server it's already enabled, so you don't need to do anything, but if you want to remotely manage your Windows 10 devices you need to perform these tasks. You need to run either winrm quickconfig, as shown in the screenshot here, and then accept the prompts to make changes; that will start the Windows Remote Management service, that's the service that listens for Windows Remote Management requests, which are the types of requests that Windows PowerShell uses, and it also enables any firewall exceptions. Alternatively you can use the Enable-PSRemoting -Force cmdlet, which does exactly the same thing. It's an either/or. If a network connection is assigned to Public, then that command will fail and you must then manually configure Windows Firewall exceptions.

That's an important point, actually. Any network that you attach to in Windows 10 is defined as being either private or public. If the private network is a domain network, then it will sense that, if you're joined to a domain, and it will identify it as a domain network. So when you look at the Windows Firewall and you're configuring exceptions, you'll see three options for any particular exception: Domain, Private, and Public. So the point here is, if you're connected to a public network you probably don't want to enable the remote management listening service, and you probably don't want people being able to connect to your machine and perform management tasks, because you're on a public network; you don't know who they are. If this is an oversight, you simply change the nature of the network from Public to Private and then everything works perfectly, but otherwise it's a good way of protecting you.

To use Windows PowerShell remoting, one way is to establish a remote connection from the PowerShell command line and use the Invoke-Command cmdlet. So you can see here in the sample, Invoke-Command precedes the -ComputerName parameter, and I'm using the computer name adatum1. If there were multiple computers you can separate them by commas, so for example -ComputerName adatum1, adatum2, adatum3, and that demonstrates the one-to-many nature of Windows PowerShell remoting. Then you use the -ScriptBlock parameter, and then in squiggly brackets (I don't know what they're properly called) you have the command that you want to run on the remote computer or computers; in this case it's doing a Get-EventLog and requesting the contents of the System log.

To establish a persistent connection to the remote computer you can use the New-PSSession cmdlet. So in this case I'm creating a variable called $r and I'm assigning to that variable the result of the New-PSSession cmdlet, so specifically $r = New-PSSession -ComputerName and then a list of computers; in this case there's one called adatum1. If you had multiple computers you wanted to establish a session with, you could separate them by commas, or indeed read them in from a file if that was what you wanted to do. Then you use the Enter-PSSession cmdlet, as shown here, so Enter-PSSession $r will establish a connection to the computer or computers that you defined in $r. You then end up with a prompt that looks something like this, indicating that you are remotely connected, and any command that you now run is running remotely.

Let's have a look at the demonstration now. I'm going to show you how you can enable Windows PowerShell remoting and how you can use Windows PowerShell cmdlets to remotely manage a computer. So this is my Windows 10 client computer. The first thing I need to do is to enable remoting. There are a number of different ways of doing that, but both of them are from the command prompt, or rather from the Windows PowerShell window. One way is to use the Enable-PSRemoting cmdlet with the -Force switch, and now you can see that it's performed that configuration change; it's also updated the firewall. Another way to do it is to use the winrm quickconfig command; that's not a PowerShell command, that's a command-line tool that will have the same effect. So on this computer, CL1, I've enabled PS remoting, so now I need to switch to the other computer to perform management on this one remotely.

OK, so switching to the server, I'm just going to open up a PowerShell window. So now essentially I can run any Windows PowerShell cmdlet against the remote machine and see the result here on my local computer. One way of doing it, let's use the Invoke-Command cmdlet: Invoke-Command, and then the remote computer name, in this case CL1, and then what it is I want to run in squiggly brackets. So I want it to retrieve information from the event log on CL1 and report it back to me here. OK, so that is information coming from CL1; it's being run at CL1 and the result is returned to me here. I can also enter an interactive remote session by using the New-PSSession cmdlet, so I'm going to assign that to a variable: $r = New-PSSession -ComputerName CL1. That will establish a connection with the remote computer and assign the result to $r. Now if I Enter-PSSession $r, you see that my command prompt now changes to CL1, so that indicates to me that I've got my PowerShell connection remotely to that particular computer. So now, for example, if I run the command Get-NetIPConfiguration, that will return the result for CL1 to this computer. It's also possible to create a new session that connects to several computers, assuming that they're all enabled for PS remoting, so you'd modify the command to say something like $r = New-PSSession -ComputerName and then several computers separated by commas: CL1, CL2, CL3. Then when you enter the session, or when you execute a script against it, those commands will run on all of those computers and return the results from all of them, so you can make configuration changes. All I'm doing here, as you can see, is retrieving some very basic information from the remote computer, but you can do anything remotely in this way, so it's very powerful. So in the demonstration you saw how to enable Windows PowerShell remoting and how to use Windows PowerShell cmdlets to remotely manage a computer.

This is Lesson 9, Configure System and Data Recovery. In this lesson we discuss how to recover a non-functioning computer and how to recover previous versions of files. In this lesson you learn how to troubleshoot Windows 10 startup, perform file recovery, and configure system recovery. The hands-on demonstrations in this lesson include performing a backup, performing a restore, enabling File History, recovering files with File History, enabling System Restore, creating a restore point, applying a restore point, accessing advanced startup options, using tools in the Windows Recovery Environment, and performing Reset this PC.

When you turn on a Windows device there are a number of components involved in the startup process. The four main ones are the following. Windows Secure Boot: all computers are potentially vulnerable to malicious software like viruses; this is especially true during the early startup phases. To help with this, Windows implements Secure Boot. If your computer has a Unified Extensible Firmware Interface, or UEFI, you can enable Secure Boot in the UEFI settings. This requires an appropriate certificate be installed to ensure that we are booting from appropriate startup files. The Windows Boot Manager is a program called bootmgr. This resides in the
root directory of the active disk partition typically a windows 10 computer will have a single hard drive that's almost always the case the single hard drive will be formatted and separated into three partitions one of those partitions will be the recovery partition we'll talk about that later in the lesson another will be the operating system partition i would refer to that as the system partition but often microsoft referred to that as the boot partition the one that contains the system drive slash windows system32 the remaining partition is the one which is marked as primary and active it contains a boot sector and it's the one that the operating system starts from i would normally refer to that as the boot partition but curiously microsoft refer to that as the system partition that's maybe something you'll need to remember for the exam so that particular partition contains the windows boot manager it's not assigned a drive letter that partition although i suppose it could be boot manager resides within that partition and also within that partition is the boot configuration data or bcd that's the boot store that identifies information about the operating systems installed in earlier operating systems or early versions of windows the function of boot manager and the boot configuration database was handled by nt loader and boot.ini if you're familiar with those earlier versions so the boot configuration data identifies where operating systems are located on the attached hard drives having read the bcd control is passed to wind load windlow.exe is located in the windows system32 folder now we know where that is because we were able to extract that information from the bcd during the boot manager phase so wind load is responsible for initializing the operating system and passing control to the low level components initially including the kernel of the operating system that's a file called ntos krnl.exe sometimes the windows os loader is not used instead we use 
winresum.exe and that's if a computer is restoring itself from hibernation mode that's the function of the windows resume loader it would expect to find a hiberfill.cis file on the local computer which would contain the configuration of the computer when it went into hibernation mode and that's used to restore the computer to its earlier state this graphic might help us understand the startup process a little better when you first turn on your computer the power on self test will run that will check for attached devices what we're looking for here is a boot device so again we're looking for a hard drive typically but don't forget that windows can boot from a memory stick or you might be booting into a non-windows operating system or you might be booting into windows recovery all of those are possible so assuming that we're starting windows we're going to need to examine the boot configuration database which is stored on the boot partition which microsoft often refer to as the system partition that's the drive without a drive letter which is relatively small and contains the boot manager and the bcd so we're going to examine the bcd for entries that point to operating systems if there are multiple operating systems installed on your computer a multi-boot in other words there will be multiple entries in the bcd and you will be presented with a menu that you can select between usually however for most computers multi-boot's not an option so the next thing that happens is control is passed to wind load which is responsible for loading up the kernel of the operating system the kernel loads but doesn't initialize straight away it examines the registry and looks for device drivers that have a start value of zero and a start value of one those are the lowest level components we discussed those earlier in the course so things like disk controllers and optical drives the usb infrastructure not necessarily usb peripherals but the bus itself those kinds of fairly low level 
components are initialized. Then the kernel initializes; it then passes control to something called the Session Manager. The Session Manager does a number of things, including things like checking the integrity of attached disks, creating and configuring the necessary paging files, and then, importantly, starting up the subsystems. Windows supports the capability to run operating systems, or to give the impression of running an operating system, within a subsystem. The Windows subsystem is one we're familiar with; it's a graphical interface that runs Windows programs. But you can also run a Linux subsystem as well, and that will allow you to install a deployment of Linux from the Microsoft Store and then to run Linux applications. Our focus should probably still be on the Windows element. So the next thing you'll see is that the graphical user interface initializes, the mouse pointer comes up, and then you'll see the sign-in splash screen. The exact look and feel of that is configurable based on Group Policy settings and security settings.

Now it used to be the case that the startup of the operating system was comparatively slow; you know, 20 to 30 seconds was not unusual, and so I'd be able to tell you "when you see this on the screen, this is what's going on". But frankly, my Surface Go, which is not a particularly powerful machine, boots in about eight seconds and it signs me in almost immediately thereafter once it catches sight of me. So the ability to identify where you're at in the boot sequence is slightly problematic. If the operating system fails to start, or fails to start correctly, there are a number of recovery tools you can use: the Windows Recovery Environment, or Windows RE.
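The Boot Manager and Windows Boot Loader entries described above live in the BCD store and can be listed with bcdedit /enum. The following PowerShell script is an added example, not part of the course: it parses that output into objects and checks that the two entries point at the loader files the lesson names (bootmgfw.efi on the EFI system partition, winload under \Windows\system32) and that none of the options that weaken driver signing or early-launch anti-malware checks (testsigning, nointegritychecks, disableelamdrivers) are set. It assumes an elevated prompt and the English headings bcdedit prints; the sample output embedded in it is constructed.

```powershell
# Added example, not part of the course. Parses "bcdedit /enum" and checks the
# Windows Boot Manager / Windows Boot Loader entries against the boot path the
# lesson describes. Run from an elevated PowerShell prompt (bcdedit needs admin rights).

# Constructed sample of bcdedit /enum output from a UEFI machine, so the parser can be
# tried offline; the testsigning line is deliberately present to produce a finding.
$SampleEnum = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
default                 {current}
displayorder            {current}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
osdevice                partition=C:
systemroot              \Windows
testsigning             Yes
'@ -split "`r?`n"

function Get-BcdEntry {
    # Turns bcdedit /enum text into one object per entry. Headings are locale-specific;
    # this assumes the English "Windows Boot Manager" / "Windows Boot Loader".
    param([string[]]$Lines = (bcdedit /enum))

    $entries = @()
    $current = $null
    $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*$') {                          # a blank line closes an entry
            if ($current) { $entries += [pscustomobject]$current; $current = $null }
            continue
        }
        if ($line -match '^-+$') { continue }                # the underline beneath a heading
        if ($line -match '^\s+(\S.*)$' -and $current -and $lastKey) {
            $current[$lastKey] += ', ' + $matches[1].Trim()  # continuation of a multi-value key
            continue
        }
        if ($line -match '^(\S+)\s{2,}(.+)$' -and $current) {
            $lastKey = $matches[1]                           # "key      value" line
            $current[$lastKey] = $matches[2].Trim()
            continue
        }
        $current = [ordered]@{ Heading = $line.Trim() }      # anything else starts a new entry
        $lastKey = $null
    }
    if ($current) { $entries += [pscustomobject]$current }
    return $entries
}

function Test-BcdEntries {
    # Returns a list of findings; an empty list means the entries match the expected boot path.
    param([object[]]$Entries = (Get-BcdEntry))

    $findings = @()
    foreach ($e in $Entries) {
        $id = $e.identifier
        if ($e.Heading -eq 'Windows Boot Manager') {
            # UEFI: \EFI\Microsoft\Boot\bootmgfw.efi on the EFI system partition; BIOS: \bootmgr
            if ($e.path -notmatch '^\\(EFI\\Microsoft\\Boot\\bootmgfw\.efi|bootmgr)$') {
                $findings += "$($id): unexpected boot manager path '$($e.path)'"
            }
        }
        elseif ($e.Heading -eq 'Windows Boot Loader') {
            # winload.efi (UEFI) or winload.exe (BIOS) under \Windows\system32
            if ($e.path -notmatch '^\\Windows\\system32\\winload\.(efi|exe)$') {
                $findings += "$($id): unexpected OS loader path '$($e.path)'"
            }
            # The loader partition and the Windows partition are normally the same volume
            if ($e.osdevice -and ($e.device -ne $e.osdevice)) {
                $findings += "$($id): device '$($e.device)' differs from osdevice '$($e.osdevice)'"
            }
            # Options that switch off driver signature or early-launch anti-malware checks
            foreach ($opt in 'testsigning', 'nointegritychecks', 'disableelamdrivers') {
                if ($e.$opt -eq 'Yes') { $findings += "$($id): $opt is enabled" }
            }
        }
    }
    return $findings
}

# Offline run against the constructed sample: one finding, "{current}: testsigning is enabled"
Test-BcdEntries -Entries (Get-BcdEntry -Lines $SampleEnum)

# Live run against this machine's BCD store
$live = Test-BcdEntries
if ($live) { $live | ForEach-Object { Write-Warning $_ } }
else { 'BCD entries match the expected boot path.' }
```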
There is a third partition, which I mentioned, that you'll typically have on a Windows device, which will potentially be used automatically if Windows experiences a failover problem or startup problem; so it will fail over into the Windows Recovery Environment. Alternatively, you can manually start from that, either if your computer starts successfully but with problems, or you can select it during the boot sequence. Some computers come with a fourth partition; one of my laptops did, for example. It was vendor-specific, a Hewlett-Packard recovery partition that had some specific Hewlett-Packard tools. But generally you'll always have the boot partition, the system partition and the recovery partition.

You can also access the advanced startup settings. It used to be possible to press F8 during the startup sequence. Now, although you can still press F8 (there's nothing stopping you from doing that), it doesn't do anything. If you want to access these advanced startup settings, you need to boot into the recovery environment and then select the advanced startup settings. I'll show you how you can do that in a second. You've also got the System Configuration tool; this is a program called msconfig.exe, and you can use that to configure startup behavior. For example, you can set the computer to always start in safe mode, with or without networking, or with or without command prompt and so on, and then it will stay in that mode every time you restart until you say different and tell it to go back to the normal mode of operation. The boot store you can manipulate with a program called bcdedit.exe. You can find out more by following the link on the page here, but it contains low-level startup components, it identifies where Windows is installed if you have multiple operating systems installed, it controls multi-boot configurations, and it can be managed from the command line by using either bcdedit or bootrec. To examine the boot store you can use the bcdedit command with the /enum switch. If you look at the
graphic here, you can see there are two entries. Windows Boot Manager, which identifies where the Boot Manager program is: it's a program called bootmgr, or bootmgfw.efi, and it's located in the EFI system partition in a folder called Microsoft\Boot. There's also a Windows Boot Loader, which identifies partition C as the location to start up from and a subfolder called \Windows\system32; we'll be looking for a program called winload.efi. That image file is used to initialize winload, the program that then, if you remember, passes control to the operating system's kernel. So these are low-level entries. In Windows XP and earlier this content didn't exist; it resided in a simple text file called boot.ini, and the syntax was quite different.

You can manage device drivers from the Device Manager interface. Device drivers seem to be the most common reason for a computer to not start correctly. If you've updated a device driver, especially if it's a low-level component, you might experience problems. The easiest thing to do in that circumstance is to start up in safe mode, where a minimal set of drivers is used. So that would require you to start up in one of those advanced startup modes, or into Windows Recovery, and then to open up Device Manager and to select the device that you suspect is the problem, right-click it, choose its properties, and then click the Driver tab and select the Roll Back Driver option. Another possibility is to remove the device completely by right-clicking it and saying to delete the device, and then restart Windows or scan for hardware changes. That may be sufficient: it will detect the device and it will install the default driver. Driver rollback is probably the first port of call if you're experiencing problems with a device or a driver; it's the least intrusive, most specifically targeted fix that you can attempt. If that doesn't work, as I said, you can uninstall the device. Failing that, you can install a new driver, so perhaps there's a more recent
driver that might resolve the problem that you're having. If you happen to have System Restore enabled, you can perform a system restore. Now that will be successful in terms of rolling back a driver to a working point, but bear in mind it will roll back the complete system configuration to a point in time.

One of the first tools you can use is Backup and Restore (Windows 7), so called because it hasn't really changed since Windows 7. You see a screenshot of it here. You're able to configure a location for your backups and configure a schedule for your backups, and the restore process is quite intuitive. You can also use Backup and Restore (Windows 7) to create system images and system repair disks. You can configure what's backed up, but by default it's the libraries for the particular user. However, you can also check the box to include a system image of drives, including the C drive and, in this case, the EFI system partition. I'm going to show you a demonstration now on performing a backup and performing a restore. To use backup, open Control Panel and choose Backup and Restore (Windows 7).
It hasn't been established yet, so we can choose to set up backup. I can choose to save on a network; that will do. I will connect as myself, click OK, and then I can let Windows choose what to back up, and it will locate where I've stored data, or I can be very specific about what I want to back up. Let's go through that process. It backs up data for newly created users and backs up my libraries: camera roll, documents and so on. So long as I've saved my data into these libraries, which would be the default behavior, then it will pick those up for the purposes of backup. I know that actually I've also stored some data files in the Data folder, so I'm going to select that. I can ask it to include a system image of system drives; that would allow me to perform a complete computer recovery. It can be quite time consuming to do that, so I'm going to deselect that option, but it's something I mention later. I can now configure a schedule. At the moment it's going to run a backup every Sunday at 7 PM. I can change that to run the backup on a scheduled basis: weekly, what day, what time. But I'm just going to save settings and run a backup right now.

So we see that the backup is in progress at the moment. OK, so that's mostly completed; there we go. So now I can have a look: backup size is one gig. I can manage the space: data file backup is a gig, system image is zero, other files are 11 gig, free space and so on. So I can then view the backups; here we go, one gigabyte. I can delete that if I want to, to free up some space. Now let's take a look at restoring. I can restore all users' files, that's for every user on the computer, or I can select another backup to restore files from, or I can restore the files for the currently signed-in user and browse for particular files in the backup. So you see here, this is the backup that I performed to the Backups share on DC; it's a backup of drive C performed earlier this morning, and I can choose the Users and Data folder. Let's go into the Data folder, and I can choose to restore that particular
file, and then choose Next. I can restore it to the original location, or I can restore it to another location. I'm going to browse and say that I want to put it onto the desktop, and then choose Restore. So there you can see how to restore an individual file. I can select another backup to restore files from, if another exists, and I can browse in a network location to find another backup. So you can see Backup and Restore (Windows 7) is a very easy system to use. You can configure a schedule, and you can specify that Windows just picks up the data libraries, or you can be more specific and target particular folders. You can also create a system image using Backup and Restore, which you can use to recover the entire computer should the need arise. Now you'll notice that I backed up to a network location; that's because this is a virtual machine. With a physical computer you can of course back up to removable devices like memory sticks or external hard disks. Clearly you don't want to back up to the same disk you're backing up; that doesn't provide a great deal of protection. In that demonstration you saw how to perform a backup and how to perform a restore.

Perhaps one of the most useful tools at your disposal is the File History tool, or Previous Versions as it's sometimes referred to. I like it because you can explain to your users how they can use it as a means to perform recovery, so they don't necessarily need to come to you on the help desk as a first port of call. Instead, if you've given them enough education, they can recover individual files or versions of files themselves. What's protected? Well, by default: Contacts, Desktop, Documents, Downloads, Favorites, Links, Music, OneDrive, Pictures, Saved Games, Searches, Videos, and the following libraries: Documents, Music, Pictures and Videos. This is all configurable, however. To recover files you simply right-click the appropriate file, or the folder if you've deleted the file, and click the Previous Versions tab, and from there you should be able to see the previous
versions. In the demonstration I'll show you how to enable File History and then how to recover files by using File History. So to enable File History, click Start, type "file history" and then choose Backup settings. You can see a link here to configure Backup and Restore (Windows 7), but you've also got the option to back up using File History. You can turn that on, or you can click More options. I can specify how frequently it will perform the backup and how long it will retain the backups. I can also specify additional folders; by default it picks up the library files, so I can click Add a folder, because I know that I've got a folder on the C drive that contains some data files, so I want to include that also. And then I can specify any exclusions that I want, and I can configure some advanced settings. Let's take a look. Advanced settings switches this over to Control Panel, and you can see that it's already got a configuration here: it's using the Backups shared folder on DC. I can now turn on File History. You can see that it's now making a copy of the files, and now we're good to go.

So recovering files is different from Backup and Restore; it's file-centric. So in other words, you go to the file that you need to recover, such as this one under the Data folder, right-click it and choose Properties, and then click on the Previous Versions tab, and it shows you the various versions that it has. It has one at 5 4 here and one at 5 45, and you can choose from several days ago, or weeks, months, or years ago in fact, and you can choose which one you want. If you're not sure, you can click Open to open the file, or open it in File History, and you can see here that this document has "Configuring Windows Server 2012 Network Infrastructure" as its title. For this one, click on it and you can click Open in File History, and it shows me slightly different information, and based on that I can make a decision about whether this was the one I wanted to recover. So I can now click Restore to original location, and I can then replace
the file in the destination, or compare the information, and then I can store both if I want to. I'm just going to say replace the file, and that's now recovered the file to the correct version. So File History is very easy for a user to use. It works for a deleted file, but it works slightly differently: if a file's been deleted, then you have to take a look at the parent folder. So if we delete this file, it's deleted completely; that's now gone. Now obviously I can recover it from the Recycle Bin, but we're testing File History here, so let's assume that's not an option. So now to recover, I've got nothing to right-click, so instead I click on the parent folder, choose Properties and select its Previous Versions, and here's a previous version that I can see, and I can now open that in File History, and it shows me, ah, there's my file. So although it's not present and I can't select it as an individual file because I've deleted it, I can select the parent folder. I'd want to be careful about recovering all these other files, clearly, because I wouldn't want, in the process of recovering this individual file, to overwrite those older ones. So it's a very straightforward tool to use for recovery purposes. In the demonstration you saw how to enable File History and how to perform file recovery using File History.

OneDrive is a cloud-based service designed for storing files, and it enables you to synchronize data and optionally device settings. It provides each user with five gigabytes of free space. It requires that you use a Microsoft account. It requires that an app be installed on your device, although Windows 10 provides a built-in capability. It creates a local folder in Windows 10, that's C:\Users\<your username>\OneDrive; by placing content into that folder locally, it will synchronize to the cloud and thereby onto your other devices. Apps are available for iOS and for Android. It provides Microsoft Office Online; those are versions of Word, Excel and PowerPoint that you can run
in the cloud through a web browser. OneDrive provides a web portal. By using the web portal you can manage your OneDrive files, access previous versions of files, access the OneDrive Recycle Bin (if you've deleted a file you can recover it from there), buy more storage if you require more than the default five gigabytes, enable and configure sharing (I do this a lot, actually: I place content up in OneDrive and then share that particular folder, with a password or an expiration date, and I specify whether users can read only or whether they can modify the contents; it's a great way of saving myself from having to email comparatively large files), and finally create Microsoft Excel surveys. You can manage OneDrive with the desktop app. You can choose things like configuring account settings; you can specify auto-save options; there's a variety of options that you can configure. I suggest that if you're planning on taking the exam you take a close look at the Microsoft OneDrive desktop app.

Up in the web page, or in the web portal, these are the folders that you can modify. Obviously yours will vary, but you've got the option to create new folders, and you can select folders here; you can recover them, you can share them. Shared ones are indicated with a little pair of head-and-shoulders symbols, as you see down here, that show that that folder is being shared. The Recycle Bin, as you can see here, shows those files that you've recently deleted and whether they're recoverable. The recoverability period varies; it depends on how much free space you have, and the minimum period is between three and ninety days.

Depending on the nature of the problem that you're facing, you have a number of recovery options. These include driver rollback. That's probably your first port of call if you've been working with device drivers and therefore you suspect that that's the thing that's changed since the computer was last working. It's not very intrusive; you're only going back to a point in time for one
specific component rather than the entire computer, and so it's something you should always consider trying first. If you don't have a driver rollback option, it's because you haven't updated the driver. You can enable System Restore through System Protection. System Restore creates periodic snapshots of the computer's configuration, either automatic or manual or both. It's quite efficient in terms of the disk space that it uses to do this. One of the major advantages of System Restore is that you don't need clarity about what's causing a problem; you really need to think "well, something's changed since, you know, day X; I'm going to roll back to day X, and hopefully everything will now continue to work". The problem with System Restore is just that: you roll everything back in terms of configuration. The data is unaffected, but the system configuration rolls back entirely, and that means you may need to roll forward certain elements, especially if, for example, you've received a number of updates or patches or security fixes; then you'll need to reapply those.

Startup recovery. Windows 10 is actually pretty reliable at starting up; it requires something very significant to have happened. Given that in the past the most significant sorts of things that might happen were the introduction of low-level viruses, and that's controlled through Secure Boot now, generally speaking startup problems are quite rare. I don't experience them terribly often; in fact the only one I have experienced recently was because I had a problem with Secure Boot. I think I turned it on without having properly configured things, so I managed to resolve that fairly straightforwardly. It's also the fact that Windows 10 is fairly self-recovering with startup problems, so it will scan the startup environment and attempt to fix it. Even if it can't do that completely automatically, you can go into the Windows Recovery Environment and select the startup recovery option and have it check the startup environment for you, and
then ultimately, if you have to, you can use the Command Prompt tool and use tools like bcdedit to examine and fix up the startup environment. Reset this PC is probably a last port of call. It's not really a recovery tool; it's more useful for making a device available for someone else within your organization. Now in the past, and maybe even now, I suppose, in certain organizations, you may be using disk imaging, and if you want to make a PC available to somebody who's a new start and you've got an existing PC, you might just zap the machine and create or apply a new disk image that contains the operating system and applications that are required. But not all companies are using those sorts of features, and so Reset this PC allows you to put the computer back into its out-of-box experience mode, so as if you were purchasing a new computer: you'd open the box, you turn it on, and that's where you are. System Image Recovery is a less useful tool in my opinion. It's OK if you're a home user and you're relying on yourself to provide for recovery options, and therefore you can use the Backup and Restore (Windows 7) tool to perform a system image backup and then you can store that away. Whenever you want, you can update it, and then if you need to you can go back to that system image recovery by starting up into the recovery tools and choosing that recovery option. I have to say that in a company, or a sort of business or other organizational environment, I can't see that being particularly useful. Typically you'll have all sorts of tools that you use to provision a computer up to a point that you require it to fit into the context of a particular department; you may even use disk imaging, as we discussed earlier on the slide, in which case those tools are far more useful, far quicker to use, and probably far more robust than System Image Recovery. But nevertheless it's a tool; it's there if you need it. Image recovery is obviously the thing that I've been alluding to throughout the slide:
using built-in tools or third-party tools, System Center Configuration Manager for example, you can use that to apply an image to a computer to perform a recovery that way. Driver rollback is fairly straightforward to perform. As you can see here, I'm looking at the Intel Dual Band Wireless adapter and I'm on the Driver tab for this particular network card, and you can see the option for Roll Back Driver. If the Roll Back Driver option is not visible, it's because you haven't updated the driver recently. You'll also notice that the driver version is displayed together with its date. It's very easy to go to a vendor; in this case, well, let's see who this is: Microsoft is the provider of this particular driver, but it's an Intel device, so go to the Intel website and take a look at the version of the drivers that they're making available now for this particular device. So you might search for "Intel Dual Band Wireless-AC 7265" and then look at the version number. So if you've got a problem you might want to wind it forward to a new driver, then wind it back to an earlier driver; it depends on the nature of the problem and it depends when you suspect the problem started.

System Restore, as I mentioned already, allows you to restore the entire configuration. System restore points are created automatically when you install an app or when Windows installs updates, but you can also manually create your own restore points. You can configure a schedule to create your restore points as well. Whenever you perform a system restore to restore to a previous restore point, Windows automatically creates a restore point of where you are right now as well, so if you effectively want to undo the restore of the restore point, you can do so. To enable System Restore, open up This PC, select Properties, and then on the System Protection tab you can click Configure to enable System Restore. You can then specify that you want to turn on system protection, and then you can define how much disk space you want to allocate to the
restore points, bearing in mind that the more space you allow, the more space you're consuming, but also the more restore points will be stored on the system. It's quite efficient about the way that it stores the information in the restore points; it uses a block-level differencing system rather than copying swathes of information and using up all your disk space. Unless you've got a good reason to not have System Restore turned on, I would enable it. To create the restore point you just click the option to create a restore point and give it a meaningful name. You can use Windows PowerShell to manage your restore points; as you can see here we've got Enable-ComputerRestore, Disable-ComputerRestore, Checkpoint-Computer to create a restore point, and then Get-ComputerRestorePoint. Or you can use the graphical user interface to use a particular restore point. One of the useful options is the ability to scan for affected programs; that will identify any programs that might be affected by the fact that you're performing a restore, and that therefore you might need to reinstall after the system restore, assuming that it's successful. If you can start up your computer, albeit with errors, you can boot into safe mode and access System Restore through the running operating system. But if you can't do that, you can also access System Restore from the advanced startup options; so if you're experiencing a problem, you start up into the Windows Recovery Environment and access System Restore that way.

I'm going to show a demonstration now of how to enable System Restore, how to create a restore point, and how to apply that restore point. So I'm going to open up File Explorer on my Windows 10 computer, right-click and choose Properties on This PC, and then select System Protection. You can see here under Protection Settings that the local C drive is off. So the first thing I'm going to do is click Configure and then turn on system protection, and then set an amount of space; I'm going to set it to 20, and then click OK, and then to
create a restore point I'm going to click Create, and then say "initial restore point" and click Create. It'll take a moment to do that, and then click Close. Now, assuming that my computer is starting successfully but with errors, let's say that I'm booted into safe mode: I might typically want to access the restore point by again opening up File Explorer, right-clicking This PC, choosing Properties, selecting System Protection, and I can select System Restore on that page. Click through the wizard, and you can see that there's my restore point, and if I were to select that, it would identify, if I click Scan for affected programs, any programs that would be affected. So that assumes that the operating system will boot successfully. What happens if the operating system doesn't start up successfully? Well, either it will fail into the Windows Recovery Environment, or alternatively you can boot into the Windows Recovery Environment from the product DVD, or you might have an ISO burnt onto a memory stick for the same purpose, or if you can get into Settings you can do it that way: you can go to Update & Security, and then on the Recovery tab you can select Restart now to put it into the recovery environment. So I'm just going to do that.

So this is the Windows Recovery Environment. You can see the option to Continue, to just boot into Windows 10 normally, or to Turn off your PC, or to use some sort of recovery tool if you want, so you can insert that now and then boot from that. I'm going to choose Troubleshoot, and then Reset this PC, which I don't want to do at the moment; I'm going to choose Advanced options, and then I've got the option to choose one of these, and this is System Restore down here. If I choose System Restore (I'm using a virtual machine here, so you'll see a couple of Hyper-V things flash up), I need to sign in with the password for the local admin account, and then I can click through here, and there's my initial restore point which I can then select. I'm not going to perform the task because it can be quite
time consuming, and in fact of course I've not actually changed anything. So I'm going to click Cancel here, and it goes back to the Windows Recovery Environment, and I can then continue normally. So in the demonstration you saw how to enable System Restore, how to create a restore point, and how variously to apply a restore point.

If your computer fails to start properly, you can manually select Windows Recovery; alternatively, it may automatically start into Windows Recovery in certain circumstances. Windows Recovery provides a number of tools, including Reset this PC. Reset this PC allows you to put your computer back into its configuration state when it was first taken out of the box, the OOBE, or out-of-box experience. There are also some advanced startup options for recovery purposes. System Restore, which is useful if you can't start Windows at all: you can still access your system restore points through Windows Recovery mode. If you happen to have a complete system image backup, you can use the System Image Recovery tool to apply that. Startup Repair is useful where you experience some startup problems and you want Windows to examine the startup environment and automatically fix problems that it encounters; generally speaking, Windows is pretty recoverable in this area anyway, and if it identifies a problem it would normally be able to fix it. Command Prompt is, as the name suggests, a command prompt. It's not Windows PowerShell, so you can't run PowerShell cmdlets, but you can run many command-line tools. Curiously, you can also run some graphical tools; so in the same way as if you run the Command Prompt in Windows you can use it to launch graphical programs (you type notepad, it loads Notepad, and so on), you can do the same here. There are some restrictions: you can't run things that require some kind of verification about who you are, so there are some things that just don't work from the Command Prompt, but there are many graphical programs that you can use, so most notably
Registry Editor. If you want to access your UEFI firmware settings, you can follow the link to do that here. If you want to start up in what we used to call the advanced startup modes, that's safe mode, safe mode with networking, with boot logging and so forth, you can do that by selecting the Startup Settings option here. You used to be able to press F8 during the boot sequence, but that's no longer available. If you've recently had some operating system updates, you may be able to uninstall those updates by following the Uninstall Updates link. I should just say that the version of Windows 10 that you have will determine precisely what you see under Advanced options. These are the options that are available for Windows 10 1903, which is the version that's available at the time of writing; however, you might be using 1803, in which case certain options will not be visible.

To access Windows Recovery, you can access it from the Recovery tab in the Update & Security node of the Settings app. You can choose the option to Restart now under Advanced startup, or you can choose the option to perform recovery through Reset this PC. You can also boot into Windows Recovery yourself and then choose the option here, Troubleshoot. Once you've selected Troubleshoot, you can choose Reset this PC or Advanced options, and it would be Advanced options that you would normally select. From Advanced options, the options that you see will vary based on the version of Windows 10 that you're using. So here we've got Startup Repair, Startup Settings, Command Prompt, Uninstall Updates, UEFI Firmware Settings and System Restore. You can also use See more recovery options if you can't see all of the options visible, and that's what I've selected here, and you can now also see System Image Recovery. The advanced startup options accessible through Startup Settings are: Enable debugging; Enable boot logging (boot logging can be useful because it will create a text file in the system folder which
you can then examine to see if you can identify the cause of a startup problem; generally speaking, the last file that's referenced in the boot log is the one that's causing a problem, so it'll probably be a device driver); Enable low-resolution video (video drivers can cause all sorts of problems because of the complexity of the driver and of the hardware that's being driven, so if you're experiencing problems like that, by enabling low-resolution video mode you're using a generic video driver and you can bypass that problem); Safe Mode, which turns off all unnecessary devices and services; Safe Mode with Networking and Safe Mode with Command Prompt, which provide additional capabilities or reduced capabilities depending on what you're trying to do (if you can get into safe mode you can normally then access things like System Restore and driver rollback, so it's always worth trying); Disable driver signature enforcement (Windows 10 requires that all device drivers are digitally signed; you can turn that feature off, though I'm not quite sure why you'd want to do that, but you can); Disable early launch anti-malware protection (but again, I can't see a reason why you'd want to do that unless you suspected it was a problem and you wanted to test for that); Disable automatic restart after failure, which is useful if you get a blue screen and you want to see what the problem is, as there's quite a lot of information on that blue screen that you can examine and it might help you pinpoint the nature of a failure; and then Launch recovery environment, which means going back into the recovery tools that we talked about earlier. To access those advanced startup options, from the Troubleshoot menu, which is Advanced options, choose Startup Settings and then you can select Restart, and then choose the tool that you want.

I'm going to show you a demonstration now about how to access the advanced startup options, how to access each of the tools in the Windows Recovery Environment, and how to at least
launch Reset This PC. So, on my Windows 10 computer I'm going to Settings, choosing Update & Security, and choosing Recovery, and I'm going to Restart Now into recovery mode. So here we are; I can now choose Troubleshoot and then choose Advanced Options. If I'm suspicious of the startup environment I can ask it to perform a Startup Repair, or I can jump into Command Prompt. I have to sign in to the command prompt, as a security setting, and so here I am, in a command prompt. As I said, you can do things like net start, which is a command-line tool that allows you to see what services have started, and obviously you can stop and start those with net start and net stop. I can also use the sc.exe tool. I can use bcdedit; if I type bcdedit /enum, that shows me the boot environment, so it enumerates the boot entries. I can use the diskpart tool to manage disk partitioning, so quite low-level components that you can work with: I can list the disks and then select a disk, then list partitions (oops, it's list partition, singular, there we go), and then select a partition, and so on. So you get the idea: I can create, manage and reconfigure partitions. And also, just to show you, you can in fact run some graphical tools, so that's Registry Editor, but not all: msconfig is a graphical tool as well, but that's not allowed to load. When I'm finished doing whatever it is I want to do in the command prompt, I type exit. From here I choose Troubleshoot again, Advanced Options again, and I can then go on to do things like System Restore, which we looked at earlier, or I can have a look at any additional recovery options. I'm going to choose Startup Settings, and I'm choosing Restart here, and I'm going to select one of those advanced startup options. You can use the F keys (function keys) or the ordinary number keys to select the mode that you want, so I'm going to choose to start up in safe mode; if I choose 4 it'll boot into safe mode for me. So I need to sign in, and here we can see that it's in safe mode because it says Safe
Mode in the extremities of the screen. You can't see it everywhere displayed here because, as I said, it's a virtual machine running in a window here. I would then possibly be able to access driver rollback or System Restore. Let's have a look whether I could do System Restore here and go to advanced system settings... yeah, I don't even have that enabled at the moment; I've got quite a restricted environment. I can probably access Device Manager, though, and roll back a driver if I want to. So that's safe mode, and when I'm done with that, restart the computer. So that's my computer restarting now, signing in as Admin, that's the local administrator account.

So I'm going to show you how to do a Reset This PC, or at least launch the process. Once again I can do that, as you know, through Settings or through Windows Recovery, whichever; I'm going to go to Windows Recovery. So let's push the computer into recovery mode: scroll down and select Update & Security, select Recovery. And just to reiterate, remember I've got a working PC here, so I'm forcing it into recovery mode; if your computer doesn't start properly it will fail over into recovery mode, or you can boot off that partition. So I'm going to start up in advanced startup mode, I'm going to choose Troubleshoot, and this time choosing Reset This PC. You can choose to Remove Everything or Keep My Files. Keep My Files will remove the apps and settings but keep your personal data, so that's for when it's your intention to keep using this PC, but you've got some pretty serious problems and you want to try and go back to the standard version of Windows 10 that came when you opened the box, if that's possible (and it's not always possible to go as far back as that). Or you want to Remove Everything. So I'm going to choose Remove Everything, and now I can choose Just Remove My Files or Fully Clean the Drive, in which case several hours might pass whilst it scans through and makes everything that was on my drive unrecoverable. I mean, these days, with
home banking and stored passwords for websites and so on, it's important, if you're going to give the PC to somebody else, that you make sure all your earlier data is definitely not recoverable. So I can choose whichever option I want, and then it starts the process. Finally I've got the confirmation prompt here: are you sure you want to do this reset? I'm going to click Cancel at this point and go back to the slide deck.

In the demonstration you saw how to access advanced startup options, how to use the Windows Recovery Environment tools, and how to launch Reset This PC.

This is Lesson 10, Manage and Monitor Windows. In this lesson we discuss monitoring options, how to manage performance, and how to configure Windows updates. During the lesson you'll learn how to monitor Windows, manage performance and manage updates. The hands-on demonstrations in this lesson include using Event Viewer logs, configuring event subscriptions, using Task Manager, using Resource Monitor, using Reliability Monitor, creating a baseline, gathering and interpreting performance data, and configuring update rings in Intune.

The most common, and possibly most overlooked, tool is Event Viewer. It contains a number of logs: the Application, Security, Setup and System logs, together with Forwarded Events from other computers, and the Applications and Services Logs node. All of this provides a wealth of information that you can look at to help determine problems that you are experiencing on the network. The Application log contains errors, warnings and informational events that pertain to the operation of applications, so fairly high-level components. The Security log contains the audit trail if you enable auditing; audit events are described as either successful or failed, depending on what it was that was trying to be performed. The Setup log contains events related to application setup. The System log is a general event log, and then Forwarded Events are those that you can collect from remote computers. To do that, you'll need to create a
subscription. To create an event subscription, use the following procedure. First of all, on each source computer run winrm quickconfig at an elevated command prompt; the source computer is the one from which you want to collect events. On the collector computer, typically your own computer, run wecutil qc at an elevated command prompt. Then add the computer account of the collector computer (that's your computer) to the local Administrators group on each of the source computers. And then all you need to do is to configure a filter for the Forwarded Events node in Event Viewer.

Built into Windows are a number of quite useful tools. Task Manager is a sort of go-to, really. It allows you to view information about currently running processes, about the performance of the computer, about application history, and about the startup environment; that would typically be applications that are starting up and sitting in the system tray during the early initialization of the operating system. You can have a look at signed-in users, you can examine details of running processes, and you can examine running services. On the Performance tab, as you can see here, you get a snapshot of what's going on with the CPU, memory, attached disks and the network interface. Bear in mind it's only a snapshot, so it's of limited use when you're trying to determine a significant performance problem; we'll look at performance problems in the next lesson. You can see here the App History: this is all the apps that I've been running recently and the amount of CPU time, network resource and so forth that's been consumed by each of those apps. These are the apps that load into the system tray: Microsoft OneDrive and Windows Defender. Neither of those is a problem; you can see that the impact of each of these is, well, in this case OneDrive not measured, but for Windows Defender it's low. If you have any that have a high impact on startup you might decide not to turn those on. Users shows the currently signed-in user, Andrew, and the processes
running for that particular user account, and the percentage of each of these resources. Details shows you a list of processes that are running, including the process ID, and then you can use that to terminate the program. And then Services is all of the stopped and started services that are configured on your particular device.

Resource Monitor gives us a bit more information about what's going on on the performance side of things. It has four tabs in addition to the Overview tab. CPU shows you the processor and what processes are running, and if there are any that are experiencing problems. Memory shows you how memory is being allocated in your computer; these are screenshots from my eight-gigabyte machine. The physical disk here is showing you what's going on in terms of disk access, and then network activity. Does it give us more information than Task Manager's Performance tab? Probably not, but maybe it's more accessible; it certainly seems a little bit more detailed. But again, I think I prefer to use the Performance Monitor tool, which we'll discuss in the next lesson.

Reliability Monitor allows you to determine the reliability of a computer over a period of time. It extracts events from the event log and displays them in a graphical format. You can see here that the highlighted day had an application failure. It can also measure Windows failures, miscellaneous failures, warnings and informational events, and then if you select a particular day you can have a look at the events for that day in the bottom half of the dialog. It gives you an index of rough reliability, from one to ten; it seems that this computer is very reliable, except for that one particular day.

I'm going to show you a demonstration now where I'm going to create an event subscription and then use Task Manager, Resource Monitor and Reliability Monitor to view some basic characteristics of a computer. OK, to access Event Viewer, right-click Start and choose Event Viewer. You can see you've got the option to create Custom Views;
there's one already here by default, called Administrative Events, but you can create your own. Then under Windows Logs you've got the standard logs, Application, Security and System, but you've also got Setup as well. Take a look at a standard log like the System log: you can see that there are a number of informational events telling us that things have started or stopped as expected. If we scroll through we might be able to find some errors, so here we've got an error, and it's telling us it's the Service Control Manager, and it'll be something that hasn't started correctly within a given time or whatever; we can investigate the detail at the bottom half of the display here. There are some warnings here: disk 4 has the same disk identifier as one or more disks connected to the system, so you know, that's an issue perhaps, and then something to do with an application pop-up. With any of these logs you can create a filter by right-clicking and choosing Filter Current Log, and then you can specify that you're only really interested in Critical, Warning type events or Errors rather than Informational, and then you can specify specific sources, so you're interested in something to do with ACPI power management or whatever, so you can be quite specific, quite granular, about what you're viewing. And then you can look for particular user or computer type events, and then click OK. So I've filtered that down to just the sort of major problems I need to have a look at. So whenever you experience a problem in Windows 10, it's always worth checking the appropriate logs in Event Viewer; Windows is very good at logging problems and it should be your first port of call if you're experiencing an issue.

If you want to gather statistics from several other computers you can create a subscription. You do that by clicking Subscriptions here, and then you need to start up the Windows Event Collector service; you can do that from the command prompt, as I explained in the slide session. I click Yes to this, and then again
at the remote computer you'd have to do the same thing. Thereafter you can create a subscription, and you then specify the name and a description, and you designate the computer as being either Collector Initiated (this computer contacts the selected source computers and provides the subscription) or Source Computer Initiated (source computers in the selected groups must be configured through policy or local configuration to contact this computer and receive the subscription). So you define what it is that the computer is doing in this relationship. When you've done that, you will find forwarded events appear here: for any computers that you're monitoring remotely through a subscription, the events will appear in the Forwarded Events log. I won't show you that right now; I think that's enough detail.

For more detailed information about a specific Windows service, if you expand Applications and Services Logs you can often find more information. So let's expand Microsoft, Windows, and then you can scroll down here; you can see a list of services. We've got some information about BitLocker, and you can have a look in the Operational log or the Management log, depending on what information you're looking for. Likewise, if you're troubleshooting BranchCache, click on the Operational log and you can see events that pertain to issues with BranchCache. So you can be very, very specific about tracking issues through Event Viewer.

So let's have a look at Task Manager. You can access that by right-clicking the taskbar and choosing Task Manager. It shows you a fairly limited view; if I click More Details, it shows me a lot more about what's going on. You can see all of the background services running, and there's a sort of hidden apps. If I load up a program like, well, let's just pick out Calculator there, and then let's choose a desktop app like Excel, minimize those, let's minimize that out of the way, you can see those listed here. It's indicated Microsoft Excel as being a 32-bit app; this is a
64-bit version of Windows 10. I can expand that and have a look at some more detail. If I want to find out what resources I'm using in more detail, I can right-click and say Go to Details; it will open up the Details tab and it will highlight the running application, the one that I selected, and it will show me information about the process ID, its status, the connected user, and CPU and memory resources. I can also customize the columns that are showing here by right-clicking and choosing Select Columns, and then if I wanted to know more, for example CPU Time, Peak Working Set (memory), Page Faults and so on, I can view that information here. Let's go back to the Processes tab. On Processes I can see the basic information about CPU, memory, disk and network in percentages. I can also change the order of the way things are listed here, so I can highlight those that are using the most memory by clicking that column, so you can see now that it shows me the anti-malware service is using the most memory at the moment. And again I can right-click and, if I want, I can end a task, or open the file location, or view the properties.

If you click the Performance tab you can also get an overview of what's happening right now in the system in terms of performance. I wouldn't recommend this as being the ideal way to performance-troubleshoot a computer, because it's a snapshot, but it can sometimes be helpful; you can get an indication about what's going on with the CPU or what's going on with the memory. Now, this virtual machine we're running for demonstration purposes only has a couple of gig available, so it's going to be quite busy, so it's unsurprising that it should be using 64 percent. If this were a real computer with 8 or 16 gig and it was indicating 64 percent, that would be an alarm bell; it would indicate to me that there was quite a lot going on. App History shows you the resource usage since a measured period for a particular user account, the current user; obviously that's not going to show a lot of
information here, because I've just started this VM for this demo. Startup allows you to control, as we've seen already in the course, the behavior of applications that are initialized at startup, whether or not that has a high impact on the system, and whether or not we stop the process from running. On the Users tab you can see the currently signed-in users; expand that and you can see what processes they're running. We've already looked at the Details tab: far more information about running processes, and if you're really experiencing problems with an application you can right-click and you can End Process Tree; that's not only this particular executable but all sub-processes spawned by that process. You need to be pretty sure you know what you're doing before you do that. And then on the Services tab we can see the services on the local computer, and we can examine those that are running, and we can see what process ID they have, and that can help us troubleshoot things if we understand which process IDs are being used. You can see that two are saying PID 560, and PID 560 down here, so those are clearly related services.

So we've seen on the Performance tab that we can view some basic information about performance, but perhaps Resource Monitor is a more useful place to go. We can access that from within Task Manager, and it gives us perhaps a more detailed analysis of what's going on in the four key resources of the computer: that's the processor, the disk, the network and the memory. Those are generally considered to be the four key system resources. We've got a graphical output on the far right over here of what's going on, and then we can click on the CPU page and find out more detail about particular processes. On the Memory page you can see what's going on with the physical memory, then disk utilization and network activity. Be careful with analyzing the network because of the way that the information is reported: it can tell us the number of kilobits on
the network I/O, and that's handy to know. It can tell us a bit about TCP connections and listening ports; that's good for troubleshooting purposes. Network utilization, though, is often an indicator, and you can see that on an Ethernet network it doesn't have to be particularly high, certainly doesn't need to be near 100 percent, for that to start to be a problem. Just in the nature of a contention network like Ethernet, even at sort of 20 or 30 percent that's a potential problem that you need to watch out for. So although you can see this information, knowing how to interpret it is more of an art form.

Now, the next tool you can use is the Reliability History, or Reliability Monitor. To access that, click Start and then type part of the name of the program, and then click View Reliability History; you'll find it in Control Panel. Now, I'm not going to show it to you on this virtual machine, because if I open it you can see there's not much to see: the VM hasn't been running very long, so it hasn't collected much in the way of statistics. So instead I'm going to flick to the reliability history on my actual computer. You can see here under Control Panel we've got the Reliability Monitor, and looking over the last few days since the beginning of the month, we can see that there's a warning event highlighted back at the beginning of the month, and there are a couple of errors dotted around throughout; those would be the days to take a look at. Let's have a look at this day here. You can see on the right-hand side that it's indicating application failures, Windows failures, miscellaneous failures, warnings, information. There's a little red mark in the application failure area, so let's take a look at what it was, and it tells me here at the bottom that it was Internet Explorer stopped responding and was closed, for whatever reason. I can view the technical information if I want to, and it's telling me that there was an application hang, something to do with what looks like Acrobat Reader, so
something to do with a PDF file; probably it tried to access a PDF file online and there was a problem with it, and Internet Explorer became unresponsive. It's very useful to know, because this information's gathered over a period of time: I can even go back weeks if I want to, and then have a look at what's going on back as far as February. So let's have a look at this warning here, which is, again, another Acrobat Reader issue, so clearly that's been giving me some problems; maybe there's an update available for Acrobat that I need to install. Let's look here: a definition update for Windows Defender. A couple of things going on here: we've got an application failure of Windows Explorer, and then some sort of hardware error, let's have a look at that, so a Live Kernel Event, parameter 3003. Looking at that, it's not exactly obvious to me what I need to do about it, so I'd probably resort to searching the internet to try to find out a bit more information about these numbers, and maybe that would help. I can also learn how to report problems and check for solutions automatically if I'm unsure how to proceed. So, a very, very useful tool.

In the demonstration you saw how to use Event Viewer logs, how to configure event subscriptions, and how to use Task Manager, Resource Monitor and Reliability Monitor.

When you're looking at the performance of a computer there are four key resources: memory, processor, disk and network. So when you're specifying a machine for somebody you tend to think in terms of processor spec, memory and disk performance; so I've got an i5 with eight gig of memory and a 256 gig SSD. The network card's a Wi-Fi card, so the speed of the network is determined by the characteristics of the Wi-Fi network and the routing capabilities beyond that point, so that's not particularly significant. So memory, disk and processor: when you're thinking about Windows 10, probably the critical factor is memory, and to a lesser extent perhaps disk. We deal in typicals, really. It may be that some of
your users require a higher specification of processor because of what they do, or particularly a lot more memory based on what they do, or a high-end graphics engine because of the sort of work that they undertake, but for most office workers something like an i5, 8 gig, 256 gig SSD configuration is pretty typical at this point.

The Performance Monitor tool, which I prefer over Resource Monitor and Task Manager's Performance tab, provides both real-time and historic data collection capabilities. So although I can take a snapshot of what's going on, as you can see in the graphic here, that's less meaningful to me, perhaps, than using a data collector set to gather information over a period of time. When you are using a data collector set you need to collect common counters. Counters are the name we give to the properties of objects; objects are things like Memory, Paging File and PhysicalDisk, and the counters are the specific elements of, say, memory or physical disk that we're interested in. You can collect lots of statistics about lots of objects, but you're probably collecting more than you need. There are some fundamentals, a bit like, you know, you pop to the doctor's surgery or whatever and they will want to take your pulse and your blood pressure as two key indicators of overall system health, and so it is with a computer: there are certain specific counters that are of interest. In Memory we've got % Committed Bytes In Use, and my personal favorite is Memory Pages/sec. When Windows doesn't have enough memory to perform a particular task it pages; that's to say, it moves memory pages out to the physical disk, freeing up memory pages to perform whatever it is you've asked it to do. Because the disk is slower than memory by quite a considerable amount, that slows down the system. If you are doing a large amount of paging you will have a large number of pages per second, and a high value for Pages/sec indicates you don't have enough memory. You can also examine the paging
file itself. If you examine the % Usage property of the Paging File object and then look at the actual paging file, which is a file called pagefile.sys, you can determine precisely how much memory you could add to the system. So let's say you've got a 10 gigabyte paging file and the % Usage is 50; that tends to indicate that you would benefit by adding five gigabytes of memory, because 50 percent of 10 gig is five. I mean, I realize you can't add five gig, and you may not in fact actually be able to add any; many boxes these days, laptops especially, are so small that they come with a predetermined amount of memory and that's what you have, and that's why that initial determination about what is an appropriate amount of memory is so critical. But you could look at rotating machines around or replacing a particular machine. But whatever: Pages/sec and % Usage of the paging file are the two common counters I would look at for memory.

On the processor, the % Processor Time value and the System Processor Queue Length are the two critical values. Processor Time is how busy, as a percentage of time, the processor is, so if it's 50 percent that's saying 50 percent of the time it's busy, so 50 percent of the time it's not doing anything. If you've got a Processor Time value that's quite high, 85 or 90 percent, then you're not quite sure whether that's using the processor to its fullest advantage or whether you're knocking on a limit. That's where the System Processor Queue Length comes in, because that tells us how many things are waiting to be processed. The longer that queue, the worse things are, so you want a relatively short queue length, and Processor Time no greater than 85 percent would probably be a fair indication. PhysicalDisk % Disk Time is similar to Processor Time: it's a measurement of how busy the disk is over time. Combine that with knowledge of the Avg. Disk Queue Length at a moment in time; again, that's the number of items waiting to be processed to get onto the disk
or be retrieved from the disk, and the longer that queue, the more of a problem you have with the disk processing subsystem. And finally, the Network Interface Output Queue Length gives us an indication about what's happening with the network interface. It's somewhat problematic measuring performance of the network, because to some extent there's so much going on beyond the end of your wire that the problem with the network may not be a problem with your network interface card; it may be being exacerbated by other things on the network.

When to take action? Well, if your Memory % Committed Bytes In Use exceeds 80, consider adding memory or reducing the workload of the computer. If your Memory Pages/sec increases over time, it suggests you need to add memory or reduce the workload on the computer. With the Paging File % Usage, you can figure out how much memory to add using that value. If the PhysicalDisk Avg. Disk Queue Length exceeds twice the number of physical disks there could be a disk bottleneck; most computers have one physical disk, so if you've got a disk queue length greater than two, that suggests a problem. If the PhysicalDisk % Disk Time exceeds 85, as well as the average queue length being greater than two, you probably do have a problem with the disk, so consider finding a faster disk, or reducing the workload, or swapping the computer to a user that's not making such excessive demands. Also bear in mind that if you don't have enough memory, because of the way that Windows works, that will impose an additional load on the computer as it swaps out to the disk, so the reason you might be experiencing additional disk load is because you don't have enough memory; the two tie in quite closely. Also bear in mind that if you've got more memory than you need, Windows caches effectively, which means that even though the disks are comparatively slow they don't seem to bottleneck so much. For the processor, if your Processor Time is greater than 85 and your System
Processor Queue Length is more than twice the number of processors, the processors are overloaded. If your Network Interface Output Queue Length exceeds two, the network is bottlenecked, but that doesn't necessarily mean it's your computer; it means something between you and the resources you're trying to connect to is causing a problem.

Data collector sets give you the ability to add those particular counters, specify a sample interval, and then collect the data over a period of time. You can use user-defined templates, which are Basic, System Diagnostics, System Performance or WDAC Diagnostics, or you can create manual data collector sets. There are also system diagnostic data collector sets built into the system, so Performance Monitor's not only about performance, it's also about system monitoring as well. Once you create a data collector set, it will automatically, once you've stopped collecting data, create a corresponding report that can be viewed graphically, as here, although I'd have to say that's pretty meaningless because it's such a jumble of colored lines. More useful, to my mind, is selecting a text report, and you can then take your time to look at the information in the report.

A baseline is the principle of establishing a measured set of responses for a specific workload, and then comparing what you see subsequently over time with your initial baseline. Perhaps, a bit like using my health analogy earlier on, if your normal pulse is, I don't know, 60 to 70 or whatever at rest, and then one day it's 90 to 100, then you could reasonably say that there was a problem; perhaps you've been drinking too much coffee or something. So the point is that a baseline allows us to make some kind of comparison. We make baselines all the time: you turn your computer on in the morning, it usually takes eight seconds, you don't think about that; one day you turn it on, you go make a cup of coffee, you come back and it still hasn't started; then you know that's a problem. You're mentally comparing that
to the baseline. So the baseline is very useful for comparative purposes: it helps you determine a workload to monitor resources, identify changes in resource use, and test a reconfiguration. If you're experiencing problems, by comparing to the baseline you might be able to identify that it's a processor or a network related problem, and that helps you diagnose the nature of the problem. In the demonstration I'll show you how to create a baseline and gather and interpret performance data.

OK, so having a look at Performance Monitor, you can see there are a number of tools. The Performance Monitor tool itself defaults to showing you a live graph, or a live chart, of % Processor Time. It's not particularly useful, that, but you can customize it using the control tools up top here. Data Collector Sets allow you to gather statistics over a period of time, and then Reports allow you to view and analyze the data collector sets. Let's take a look at using Performance Monitor. So we'll get rid of this counter and we will start a new one. Now, it's worth bearing in mind that if you use Performance Monitor to gather live data you're just getting a snapshot of the computer system; that's not particularly useful for analysis purposes. You'll scroll through and you'll select the appropriate object; the typical objects will be things like, let's go to Memory, and then beneath the given object you have the ability to select particular counters. So when you're looking at live data it makes sense to be fairly specific, because otherwise it's quite confusing looking at all that's going on. So choose a particular counter value, Pages/sec, click Add to put it over onto the chart, and then click OK. You can now see Pages/sec as indicated here, and you can then add additional information to the chart, but as I said that's of fairly limited use. It's more useful, really, to use a data collector set. Data collector sets will measure performance, or any other statistics that you want, over a particular period of time. For
a baseline you need to determine what's an appropriate period: no point measuring the activity when people aren't on the network, likewise when they're very busy signing in or signing out, so look for a representative period, maybe 10 a.m. till noon and 2 p.m. until 4 p.m., something like that, whatever works in your organization. You can create a user-defined data collector set either from a template or manually. I'm going to create a manual one, and then I can go for a counter alert, in this case a performance counter alert, or Create Data Logs based on performance counters; in this case I'm going to go for performance counters. An alert would be a situation where you are monitoring the system to see if, for example, the usage of the processor exceeded 85 percent for more than 10 seconds, and then it would do something based on that, so it would tell you. If a user is experiencing intermittent problems, you could use that technique to be alerted that that problem looks about ready to manifest itself. So I'm just going to go for the Create Data Logs option and choose Performance Counters. Then I need to specify what the performance counters are, and also a sample interval. The shorter you make the interval, so if I set it to one second for example, the more data you'll collect but the more load you impose on the system purely through the collection process. It makes sense, actually, to use one computer to monitor another, so that allows you to gather more statistics without actually generating an excessive load on the computer that you're monitoring and thereby invalidating the data that you're collecting. I'm actually going to monitor my own computer, so I accept that that's not a valid way of performing performance monitoring, and I'm also going to set the sample interval to a very low value, a very short value, simply because I want to collect a lot of data in a short amount of time, because it's a demonstration. But typically you might want to gather every 15 seconds, and you'd
certainly want to gather remotely i'm now going to specify which particular counters i want so i need to select the appropriate objects let's start at the top here and scroll down and there may be something specific you're looking for something to do with branch cache or browser behavior or whatever or it may be more generic so for performance purposes the four key areas are the processor and now you can either collect all the available data about the processor or you can be specific and except look for the percent processor time value and down here if there are several processes you can select it for a particular processor or for all processors so i'm going to select it for all processes and i add that over here processor time is a measurement of how busy the processor is against time the other significant counter for processor is actually not part of the processor object itself it's part of the system object there we are and if i find a processor queue length then that will give me an indication of how many tasks are waiting to be processed by the processor the next thing to look at would be physical disk if i scroll up here find that there we go physical disk as opposed to logical disk so we want to know what's actually happening on disks and this computer has a lot of disks so i'll just select them all rather than focus on a specific but once you've got an idea where your problem might lie and you suspect it's disk related you can then drill down look at specific disks so there are two counters we want to have a look at the average disk queue length again that's how many items are waiting to be serviced by the i o manager so obviously the longer the queue the more load there appears to be on the disk subsystem and then percent disk usage yes there we go so that's the percent disk time value and again i'll collect that for all so those two things together the percent disc time and the average disk q length tell me how busy the disk subsystem is and the processor 
time and the system processor queue length tell me how busy the processors are the other thing i need to know is about memory so if i scroll down and find the memory object number of different ways of looking at this one possible way is to look at the number of pages per second the more pages per second that there are the more the computer is using the paging file it uses the paging file while it doesn't have enough physical memory so an indication of excessive paging gives us a good indication of the fact that the computer's memory might be an issue so pages per second worth counting you can also then take a look at the available bytes and the committed bytes and so on here gives us an indication maybe more accurate of what's happening available megabytes that can be misleading because the available megabytes will increase if you page so for me the significant count is probably memory pages per second now most things take place on a network so the other thing you need to consider is the network itself so have a look at the network interface and you can see what the bandwidth is bear in mind that the bandwidth figure of 20 on a contention network like ethernet may still indicate a problem seemingly you have 80 capacity but that's just not how ethernet works so that may be an issue it's worth knowing that it's not picking up the network for some reason now that's better so we'll say show me that or i can have a look at the output queue length that's the number of things waiting to get onto the network that might be useful and then when i'm happy with that i can click ok once you've got your data collector set set up with all of the properties you want to gather click next specify where you want to save the data it defaults to the currently signed in user and then we can open the properties for the data collector set after saving it so we can just view them and we can start the data collector set now if you want to start gathering statistics i just want to have a 
look at them to make sure that i've set everything up as i wanted so click finish and as you can see it opens it up here it tells me what it's going to do i don't have a schedule here so this is going to be manually configured but i could create a schedule where it will start and stop the data collector set i can also set a stop condition that says once it's been running for a period of time or once it reaches certain limits then it will stop i can also configure a task to run once the data collector set stops so it might be that it launches a script that tells me that that data collector has stopped or that sends me the data that was collected whatever it is so i'm ready now to start the collection if i click on the baseline data collector set you can see that there's some data data collectors zero one that doesn't contain anything yet if i right click and say start it will start gathering statistics for me so you gather that for a measured and appropriate period of time and then you've got your baseline periodically thereafter you need to collect the same information and you compare what you saw before with what you're seeing now and that might indicate that there's a problem so you look at the report and you see that memory usage has changed or you see that disk usage has changed or the queue length is higher on the system object and you think okay so maybe i need to add some processor capacity to this computer or offload some of its workload so let's do some work see if we can generate some information open up a worksheet here let's open up some other applications don't have a camera so that's probably a silly app to to load up let's open up help and let's open up music and let's open up onenote and so it's doing some work and maybe that's a representative number of tasks so let's go back to performance monitor now and let's stop the collection now i can take a look at what's going on with that by looking in reports or i can take a look in the performance 
monitor tool under reports you can see user-defined baseline and you can actually see the collector that's been generated so in other words it's automatic here as soon as i create a data collector set it creates a corresponding report once data has been collected and i can now click on that report and you can see some activity going on over here it's a bit confusing you can see a lot of stuff up and down in the graph so sometimes it's easier to take a look at a report itself and we can see that the pages per second were 524. that's quite a lot of paging so i would suggest that maybe if we added physical memory to this computer and ran the same tests again you'd see that being reduced the network interface is not reporting anything because we weren't doing anything on the network so hence the output queue length is zero and the current bandwidth was you know fully available disk time is quite low and the queue length is quite low so it wasn't really doing anything on the disk that was very taxing processor 25 capacity that's again nothing to worry about and the queue length is quite short as well so this indicates that this computer is working within its capabilities there's nothing to worry about particularly so i would now run the exact same tests again over a typical period of time and then you know perhaps monthly once a month or a couple of days once a month and then i could compare against what was collected here so you can view this information a number of different ways over a period of time and you can even look at it in a line graph which you saw already or a histogram bar that may be useful for certain of these counters and then you can export this information to a spreadsheet and you can then produce that as part of a report for your management team so performance monitor is a very useful tool the actual performance monitor node itself allows you to gather live statistics that's of limited practical use data collector sets allow you to gather information 
over a period of time and reports allow you to view that information in a variety of different forms in the demonstration you saw how to create a baseline and how to gather and interpret performance data windows 10 receives security updates as and when they're required feature updates are released twice a year usually in the spring and in the autumn these feature updates are numbered by year and then by month of release so for example 1903 the current release at the time of writing was released in the beginning of 2019 you could reasonably expect the next feature update to be around in 1909 towards the end of the year these feature updates as the name suggests introduce new features and you could consider them to be in effect new versions of windows 10. you may not wish to deploy feature updates straight away and therefore you have a degree of control about how that would work in your organization quality updates are released as they're needed generally speaking these are on a second tuesday monthly basis so the second tuesday of each month you would expect to receive a quality update quality updates don't introduce new features but they fix or repair or enhance existing features you can use the settings app to configure an individual's computer's update settings you can use group policy to configure multiple computers update settings that of course assumes that these are computers which are members of an active directory forest you can also use intune or microsoft device management to configure multiple computers update settings in azure ad there are a number of servicing options semi-annual targeted this makes feature updates available immediately so if you subscribe to the semi-annual channel targeted if microsoft produced an update say in the spring of 2018 you would expect to start receiving that on your computers fairly quickly after 1803 this is available for all main editions of windows semi-annual channel on the other hand feature updates are available 
from about four months after the initial release so typically if you were subscribing to the semi-annual channel your computers would receive updates for say 1803 around about the summer to the early autumn this is available for all editions of windows 10 except windows 10 home the long term servicing channel is different it's a specific version of windows 10 enterprise that does not receive feature updates so it remains static in terms of feature updates it's only available in specific windows enterprise versions you can also use the windows insider program for testing purposes with the windows insider program you receive updates before they're released to the general public that might give you time to check whether something might generate an issue with an application or a piece of hardware that you're using you can apply updates manually as part of a maintenance process automatically by using windows update by using system center configuration manager or by using microsoft intune you can see from the screenshot the options that are available for configuring windows update settings a user can check for updates pause updates for a period of time change the active hours now that's significant in as much as active hours we try to avoid restarts following the application of updates you can view update history and you can configure additional advanced options i should mention that this is a screenshot from windows 10 1903 the screenshot from windows 10 1809 would look significantly different there are some additional options here if you want to change your active hours you can select that option then specify automatic which is based on device activity or you can specify a particular value range in this case it would default to 8 am to 5pm if you've installed updates you can view those updates and uninstall them from this option here and under advanced you've got the option to receive updates for other microsoft products when you choose to update windows you can turn 
off updating over metered connections you can also specify that you need to receive a notification when your pc requires a restart to finish up updating if we scroll down you can also pause updates for a period of time and then you can choose deferment values a feature update includes new capabilities and can be deferred for up to a year and quality updates can also be deferred for up to 30 days now if you think about that if you're on the semiannual channel targeted you're receiving updates fairly quickly after they're released if you're on the semi-annual channel then you'll be getting updates about four to six months after they're released if you also defer them by another 365 days effectively after an update is released a feature update you'll be deferring it for almost up to 18 months delivery optimization allows you to store a cache of updates on your computers on the local network when a computer receives an update it will store that locally and make that available to other computers that have configured the option allow downloads from other pcs and selected the option for pcs on my local network it would then obtain the updates without having to pull those down from windows update you can control further the bandwidth settings and the amount of space that's to be allocated to that purpose you can use a number of group policy settings to control updates under windows components if you select the data collection and preview builds option there are some values that you can configure on the right hand side that determine how you'll receive preview builds further down you've got the delivery optimization node which will allow you to configure the way in which you will handle accessing updates from other pcs on your local network and then finally under the winner's update node you've got a number of values for example configure automatic updates and you can control how exactly you're prompted do you automatically download and install do you automatically download 
and notify for install or you simply notified a range of different options you'll also notice a windows update for business node that allows you to control how preview and feature updates are received and how quality updates are received so you can configure your deferment values and you can select the appropriate channel for your devices bear in mind you don't configure someone to use the long term servicing channel that's something that's configured on the device based on the version of the operating system but you can if you're using windows 10 enterprise windows 10 professional switch between the semi-annual channel and semi-annual channel targeted or any of the preview rings so remember you use the deferment values to determine exactly how long you want to wait before you get the updates you want to make that long enough that you can do your testing if you think about it you can use multiple group policy objects linked to different containers for the purposes of managing updates in rings so you might create an organizational unit and put into that computers that contain or are part of your general population and then others that are used for testing purposes in a different ou and you could apply different group policy settings by assigning a different group policy to each of those containers an alternative is to use security filtering so you could create security groups that contained individual collections of computers and then you could set group policy settings here for windows update for business that had particular values that you wanted for deferment and for channel and then you could use security filtering to determine whether or not a policy applied you could create a collection of rings called for example test early standard and slow you can call them whatever you like and then you could set to each of those an appropriate channel so windows insider so you can get the releases very early semi-annual channel targets so you get them as they arrive 
semi-annual channel so you get them within a couple of months and then semi-annual channel with a slip different deferment value and then by using the feature deferral and quality deferral values you can control precisely when each of these rings will receive their updates so in group policy terms then you might create different group policies you might have a group policy called windows update test windows update early windows update standard and so on and then use a security group called test computers early computer standard computers and the new security filtering which we discussed earlier in the course to target the group policy settings appropriately you can also use microsoft intune or microsoft device management to configure windows 10 update rings as shown here let's have a look at how that might work and we'll show you a short demonstration on configuring update rings in intune so here i am in intune i'm going to select software updates windows 10 update rings you can see there's early and standard already configured here but let's just go through the process of configuring one i click create and that's called list test and this is for early adopters i'm going to configure the settings so i'm going to set the channel you can see semi-annual channel targeted windows insider fast slow release windows inside i'm going to choose windows insider fast am i going to also receive microsoft updates at the same time yes or no windows driver updates yes or no and then i can set the deferment values for quality and feature updates i can also specify maintenance times you can see it's auto install at maintenance time but i can set that of another value notify download auto install and restart at maintenance time whatever i want to do in terms of how that update will apply and then a variety of other settings i'm not going to go through all of those when i'm happy with that i click ok and then click create and then if i click on assignments it's necessary and in tune 
to assign something like a software update ring to a collection of groups it can be to all devices all users all users and all devices or selected i'm going to choose selected and then i can select a group the groups can be groups of users who have certain devices or groups of devices and it can be specific devices based on a name or it can be a dynamic group based on some sort of search criteria it's entirely up to me but but however i do it i choose the appropriate group save the settings and then i should find if i look here i've got an early standard and test and you can see the various values and i've got the early adopters are using semi-annual channel targeted standard using semi-annual channel and then an additional deferment of 90 and 15 for the respective feature and quality updates so in the demonstration you saw how to configure update rings using microsoft intune that brings us to the end of the course we cover the exam objectives for the md100 windows 10 exam to recap lesson one covered windows 10 deployment and lesson two covered post installation configuration lessons one and two covered the content required for the deploy windows exam od and account for 15 to 20 of the exam lesson three described how to manage accounts and devices lesson four dealt with data access and protection lesson five was all about device configuration using policies and lesson six covered windows security these lessons covered the managed devices and data exam od accounting for around 35 to 40 percent of the exam lesson 7 described windows networking while lesson 8 was about remote connectivity lessons 7 and 8 cover the configure connectivity exam od and account for 15 to 20 percent of the exam lesson 9 looked at both system and data recovery lesson 10 described monitoring and management of windows 10. 
these last two lessons dealt with the content for the maintain windows exam od and represent around 25 to 30 percent of the exam mark what to do now well i'd recommend you put into practice what you've learned during the course and work with windows 10. build yourself a test lab based around virtual machines and work through some of the demonstrations you'll need a domain controller and two windows 10 virtual machines one of which is in a work group the other of which is part of an adds domain that environment should enable you to perform the tasks you've seen during the course it only remains for me to thank you for your participation in this course and to wish you the best of luck either in the exam or in your application of this knowledge at your workplace if you want to discuss anything about the course or you want to talk to me about windows 10 issues please feel free to contact me at linkedin
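The baseline workflow from the Performance Monitor demonstration (collect the processor, disk, memory and network counters from another computer at a 15-second interval, keep the result, and compare later collections against it) as an added PowerShell example; this is not code from the course, and it uses Get-Counter rather than a saved data collector set. The computer name, file path and tolerance are placeholders, and it assumes the account running it can read remote performance data.

```powershell
# Added example, not from the course: gather the counters chosen in the
# demonstration from a remote computer, save a baseline, and flag later drift.
# Assumptions: computer names, paths and thresholds below are placeholders.

# The same counters the demonstration picks (_Total = all processors / all disks)
$KeyCounters = @(
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Memory\Pages/sec',
    '\Memory\Available MBytes',
    '\Network Interface(*)\Output Queue Length'
)

function Get-CounterAverages {
    # Sample every $IntervalSeconds for $Samples rounds and average each counter.
    # 15 seconds for two hours (480 samples) matches the lesson's advice of a
    # representative window such as 10 a.m. to noon, gathered remotely.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$IntervalSeconds = 15,
        [int]$Samples = 480
    )
    $sets = Get-Counter -ComputerName $ComputerName -Counter $KeyCounters `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $values = @{}
    foreach ($sample in $sets.CounterSamples) {
        # Strip the leading \\computername so baselines compare across hosts
        $path = ($sample.Path -replace '^\\\\[^\\]+', '').ToLowerInvariant()
        if (-not $values.ContainsKey($path)) { $values[$path] = @() }
        $values[$path] += [double]$sample.CookedValue
    }
    $averages = @{}
    foreach ($key in $values.Keys) {
        $averages[$key] = [math]::Round(($values[$key] | Measure-Object -Average).Average, 2)
    }
    return $averages
}

function Save-Baseline {
    param([Parameter(Mandatory)][hashtable]$Averages, [Parameter(Mandatory)][string]$Path)
    $Averages | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Compare-WithBaseline {
    # Flag counters whose current average moved more than $TolerancePercent from
    # the baseline; rising Pages/sec and queue lengths are the signals the lesson
    # says to look for when deciding whether memory, disk or processor is short.
    param([Parameter(Mandatory)][string]$BaselinePath,
          [Parameter(Mandatory)][hashtable]$Current,
          [double]$TolerancePercent = 50)
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($prop in $baseline.PSObject.Properties) {
        if (-not $Current.ContainsKey($prop.Name)) { continue }
        $before = [double]$prop.Value
        $now    = [double]$Current[$prop.Name]
        if ($before -eq 0) {
            # A counter that was idle in the baseline (e.g. output queue length 0)
            $change = if ($now -eq 0) { 0 } else { [double]::PositiveInfinity }
        } else {
            $change = [math]::Round((($now - $before) / $before) * 100, 1)
        }
        [pscustomobject]@{
            Counter   = $prop.Name
            Baseline  = $before
            Current   = $now
            ChangePct = $change
            Flag      = [math]::Abs($change) -gt $TolerancePercent
        }
    }
}

# Usage (placeholder names): baseline once, repeat monthly, review the flagged rows.
# $base = Get-CounterAverages -ComputerName 'LON-CL1'
# Save-Baseline -Averages $base -Path 'C:\PerfLogs\LON-CL1-baseline.json'
# $now = Get-CounterAverages -ComputerName 'LON-CL1'
# Compare-WithBaseline -BaselinePath 'C:\PerfLogs\LON-CL1-baseline.json' -Current $now |
#     Where-Object Flag | Format-Table -AutoSize
```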
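The update rings discussed above (Test, Early, Standard and Slow, each with a channel and feature/quality deferral) expressed as the Windows Update for Business policy values that Group Policy or Intune write, as an added PowerShell example that is not code from the course. The ring table is an assumption modelled on the lesson (Standard uses the 90/15 deferment seen in the Intune demonstration); the registry path and value names are the documented WUfB policy locations, and the script validates the 365-day and 30-day deferral limits the lesson gives before writing anything.

```powershell
# Added example, not from the course: model update rings as WUfB policy values,
# validate them against the deferral limits, apply locally (lab use) and audit.
# The ring definitions are assumptions; the registry path and value names are
# the documented Windows Update for Business policy locations.

$WufbPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# BranchReadinessLevel values the policy uses for each servicing channel
$Channel = @{
    WindowsInsiderFast        = 2
    WindowsInsiderSlow        = 4
    WindowsInsiderRelease     = 8
    SemiAnnualChannelTargeted = 16
    SemiAnnualChannel         = 32
}

# Proposed rings (assumed values, modelled on the lesson's Test/Early/Standard/Slow)
$Rings = @(
    [pscustomobject]@{ Name='Test';     Channel='WindowsInsiderFast';        FeatureDeferDays=0;   QualityDeferDays=0  }
    [pscustomobject]@{ Name='Early';    Channel='SemiAnnualChannelTargeted'; FeatureDeferDays=0;   QualityDeferDays=0  }
    [pscustomobject]@{ Name='Standard'; Channel='SemiAnnualChannel';         FeatureDeferDays=90;  QualityDeferDays=15 }
    [pscustomobject]@{ Name='Slow';     Channel='SemiAnnualChannel';         FeatureDeferDays=365; QualityDeferDays=30 }
)

function Test-RingDefinition {
    # True when the ring names a known channel and stays inside the limits the
    # lesson gives: feature deferral up to 365 days, quality deferral up to 30.
    param([Parameter(Mandatory)]$Ring)
    return ($Channel.ContainsKey($Ring.Channel) -and
            $Ring.FeatureDeferDays -ge 0 -and $Ring.FeatureDeferDays -le 365 -and
            $Ring.QualityDeferDays -ge 0 -and $Ring.QualityDeferDays -le 30)
}

function ConvertTo-WufbPolicy {
    # Translate a ring into the registry values the WUfB Group Policy writes.
    param([Parameter(Mandatory)]$Ring)
    if (-not (Test-RingDefinition $Ring)) {
        throw "Ring '$($Ring.Name)' is outside the permitted channel or deferral limits"
    }
    return @{
        BranchReadinessLevel            = $Channel[$Ring.Channel]
        DeferFeatureUpdates             = 1
        DeferFeatureUpdatesPeriodInDays = $Ring.FeatureDeferDays
        DeferQualityUpdates             = 1
        DeferQualityUpdatesPeriodInDays = $Ring.QualityDeferDays
    }
}

function Set-WufbPolicy {
    # Apply the values locally (lab only; in production let GPO or Intune write them).
    param([Parameter(Mandatory)]$Ring)
    $values = ConvertTo-WufbPolicy $Ring
    if (-not (Test-Path $WufbPolicyPath)) { New-Item -Path $WufbPolicyPath -Force | Out-Null }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $WufbPolicyPath -Name $name -Value $values[$name] `
                         -PropertyType DWord -Force | Out-Null
    }
}

function Get-WufbPolicy {
    # Audit: read what the computer actually has, to confirm the intended ring applied.
    $p = Get-ItemProperty -Path $WufbPolicyPath -ErrorAction SilentlyContinue
    $name = ($Channel.GetEnumerator() | Where-Object Value -eq $p.BranchReadinessLevel).Name
    [pscustomobject]@{
        Channel          = if ($name) { $name } else { 'NotConfigured' }
        FeatureDeferDays = $p.DeferFeatureUpdatesPeriodInDays
        QualityDeferDays = $p.DeferQualityUpdatesPeriodInDays
    }
}

# Usage: $Rings | ForEach-Object { "$($_.Name): valid=$(Test-RingDefinition $_)" }
#        Set-WufbPolicy ($Rings | Where-Object Name -eq 'Standard'); Get-WufbPolicy
```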
Info
Channel: IT Cloud Training
Views: 1,665
Rating: 5 out of 5
Id: mWNv9qhKGsQ
Length: 492min 27sec (29547 seconds)
Published: Thu Nov 11 2021