1B ENU TrainerHandbook PDF
20697-1B
Installing and Configuring Windows 10
MCT USE ONLY. STUDENT USE PROHIBITED
ii Configuring Windows 8.1
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
email addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
Released: 01/2016
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE
These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.
a. Authorized Learning Center means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.
b. Authorized Training Session means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.
c. Classroom Device means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.
d. End User means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.
e. Licensed Content means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.
f. Microsoft Certified Trainer or MCT means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.
g. Microsoft Instructor-Led Courseware means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.
h. Microsoft IT Academy Program Member means an active member of the Microsoft IT Academy
Program.
i. Microsoft Learning Competency Member means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.
j. MOC means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.
k. MPN Member means an active Microsoft Partner Network program member in good standing.
l. Personal Device means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.
m. Private Training Session means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.
n. Trainer means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.
o. Trainer Content means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft OneNote packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.
2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.
2.1 Below are five separate sets of use rights. Only one set of rights applies to you.
2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.
2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.
2.4 Third Party Notices. The Licensed Content may include third party code that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code are included
for your information only.
2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.
a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (Pre-release term).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
modify or create a derivative work of any Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
work around any technical limitations in the Licensed Content, or
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.
5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.
6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.
7. SUPPORT SERVICES. Because the Licensed Content is "as is," we may not provide support services for it.
8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.
9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.
10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.
12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.
13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.
14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.
Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Note: Since this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is provided "as is." Any use of
this Licensed Content is at your sole risk. Microsoft gives no other express warranty. You may have
additional rights under local consumer protection law, which this agreement cannot change. Where
permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.
LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change the rights the laws of your country give you if those
laws do not permit it to do so.
Acknowledgments
Microsoft Learning would like to acknowledge and thank the following for their contribution towards
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Contents
Module 1: Overview of Windows 10
Module Overview 1-1
Lab A: Installing and Updating Apps from the Windows Store 7-13
Module 7 Lab A: Installing and Updating Apps from the Windows Store L7-43
Module 7 Lab B: Configuring Windows 10 Web Browsers L7-46
Course Description
This course provides students with the knowledge and skills required to install and configure Windows 10
desktops and devices in a corporate Windows Server domain environment. The skills that this course
details include learning how to install and customize Windows 10 operating systems and apps, and
configure local and remote network connectivity and storage. Students also will learn how to configure
security for data, devices, and networks, and maintain, update, and recover Windows 10.
Audience
This course is for information technology (IT) professionals who administer and support Windows 10
desktops, devices, users, and associated network and security resources. The networks with which these
professionals typically work are configured as Windows Server domain-based environments with
managed access to the Internet and cloud services. Students who seek certification in the 70-697
Windows 10 Configuring exam also will benefit from this course. Additionally, this course builds skills
for Enterprise Desktop/Device Support Technicians who provide Tier 2 support to users who are running
Windows 10 desktops and devices within a Windows domain environment in medium-sized and larger
organizations.
Student Prerequisites
This course requires that you meet the following prerequisites:
Knowledge of networking fundamentals, including TCP/IP, User Datagram Protocol (UDP), and
Domain Name System (DNS).
Knowledge of Active Directory Domain Services (AD DS) principles, and fundamentals of AD DS
management.
Understanding of certificate-based security.
Course Objectives
After completing this course, students will be able to:
Manage apps.
Course Outline
The course outline is as follows:
Module 1, "Overview of Windows 10," describes the Windows 10 operating system. It describes the new
features in Windows 10, and the important changes since Windows 8.1. It describes the use, navigation,
and customization of the enhanced Windows 10 user interface. Additionally, module 1 describes the
Windows 10 features that make it beneficial for organizations of different sizes.
Module 2, "Installing Windows 10," introduces the different editions of Windows 10, and the differences
between them. It describes the requirements and available options for installing Windows 10 on a device,
and provides instructions for installing, or upgrading to, Windows 10. Additionally, module 2 provides
points that you should consider when deciding between an upgrade or migration to Windows 10, and
the supported upgrade paths from older versions of the Windows operating system.
Module 3, "Configuring Your Device," explains how to configure Windows 10 by using tools such as the
Settings app, Control Panel, Windows PowerShell, RSAT, and GPOs. It describes the different types of user
accounts, and the benefits of using a Microsoft account. Module 3 also describes Microsoft OneDrive and
its integration with Windows 10.
Module 4, "Configuring Network Connectivity," explains the use of tools to configure network settings,
including the Settings app, the Network and Sharing Center, and Windows PowerShell. It describes the
differences between Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) settings,
and the benefits of IPv6. Additionally, it describes name resolution and provides an overview of the
DNS service. Lastly, module 4 describes how you can configure wireless connectivity in Windows 10,
and explains remote access methods that are available in Windows 10, such as virtual private networks
(VPNs), DirectAccess, and Remote Desktop.
Module 5, "Managing Storage," provides an overview of storage options, including hard disks, server-
based storage, and virtual hard disks. It describes network storage options, including network-attached
storage (NAS) and storage area networks (SANs), and cloud-based storage options, such as OneDrive and
Microsoft Azure Storage. Additionally, module 5 describes the management and maintenance of disks,
partitions, and volumes, and the configuration and use of the Storage Spaces feature.
Module 6, "Managing Files and Printers," provides an overview of the file systems that Windows 10
supports. It explains how to configure file permissions, the effect of file permissions, how explicit and
inherited permissions work, and how to include user and device claims in access permissions. This
module also explains how to share folders, the tools that you can use to share folders, and the effective
permissions when a user tries to access data in a shared folder that is protected by file permissions. The
last lesson in module 6 describes how to add and share a printer, and how to manage client and server-
side printing.
Module 7, "Managing Apps in Windows 10," describes how to install and configure desktop apps and
Windows Store apps in Windows 10. It explains how to install apps manually and automatically, and how
to use Microsoft System Center Configuration Manager and Microsoft Intune to deploy apps. Additionally,
it describes the Windows Store and the way in which you can manage access to it. Lastly, module 7
describes the Internet Explorer 11 and Edge browsers, and explains how to configure and manage both
browsers.
Module 8, "Managing Data Security," explains how the technologies available with Windows 10 work
together to protect against data-related security threats. It provides an overview of these threats, and
discusses possible mitigations and best practices for dealing with them. It describes defense-in-depth
and Encrypting File System (EFS), and how you can use those methods to counter security threats.
Additionally, module 8 describes how to configure, administer, and monitor BitLocker drive encryption.
Module 9, "Managing Device Security," explains how to mitigate security threats with the use of Security
Compliance Manager, the Enhanced Mitigation Experience Toolkit, and security settings in GPOs. It also
describes how to configure and utilize User Account Control (UAC).
Module 10, "Managing Network Security," describes common network-related security threats and
options to mitigate them. It also describes Windows Firewall, Internet Protocol security (IPsec) connection
security rules, and Windows Defender, and how you can configure these tools to manage network
security.
Module 11, "Troubleshooting and Recovery," describes device drivers and how you can use Device
Manager to view, configure, update, and roll back device drivers. It explains the Windows 10 file recovery
methods, including Backup and Restore, File History, and Previous Versions. Additionally, module 11
explains features such as System Restore, Startup Recovery, and System Image Recovery, and describes
how you can use restore points to roll back device configuration.
Module 12, "Maintaining Windows 10," describes Windows Update and Windows Update for Business,
and how you can configure Windows 10 settings to ensure updates occur. It describes how to use
Windows Server Update Services (WSUS), Configuration Manager, or Microsoft Intune to distribute
updates within organizations. Additionally, module 12 explains how to use the Action Center,
Event Viewer, and Performance Monitor in Windows 10.
Course Materials
The following materials are included with your kit:
Course Handbook: a succinct classroom learning guide that provides the critical technical
information in a crisp, tightly-focused format, which is essential for an effective in-class learning
experience.
o Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
o Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
o Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
and skills retention.
o Lab Answer Keys: provide step-by-step lab solution guidance.
Modules: include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and answers
and Module Reviews and Takeaways sections, which contain the review questions and answers, best
practices, common issues and troubleshooting tips with answers, and real-world issues and scenarios
with answers.
Resources: include well-categorized additional resources that give you immediate access to the most
current premium content on TechNet, MSDN, or Microsoft Press.
Course evaluation: at the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
Note: At the end of each lab, you must revert the virtual machines to a snapshot. You can
find the instructions for this procedure at the end of each lab.
The following table shows the role of each virtual machine that is used in this course:
Software Configuration
The following software is installed on each VM:
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
DVD drive
Network adapter
* Striped
Additionally, the instructor's computer must be connected to a projection display device that supports
SVGA 1024×768 pixels, 16-bit color.
Note: We do not recommend using preexisting Microsoft accounts for completing the labs
in this course.
Module 1
Overview of Windows 10
Contents:
Module Overview 1-1
Module Overview
Windows 10 is the latest version of client operating system offered by Microsoft. Windows 10 is designed
for touch devices, and it introduces new features and a new interface, which touch-device users will find
more applicable for their needs. Windows 10 builds on the core functionality of both Windows 7 and
Windows 8.1 to provide a stable client experience across a number of processor architectures and device
types. This module introduces the new Windows 10 features and the enhanced user interface.
Objectives
After completing this module, you will be able to:
Describe the important new features of Windows 10.
Lesson 1
Introducing Windows 10
Windows 10 operates across a wide range of devices, including desktop computers, laptops, tablets, and
other touch-enabled devices and phones. To optimize your users' experience, you can choose between
several Windows 10 editions, each of which has slightly different features. This lesson describes the new
features in Windows 10 and provides guidance with respect to navigating and customizing the user
interface.
Lesson Objectives
After completing this lesson, you will be able to:
Explain the benefits of using Windows 10 for small and medium-sized organizations.
Determine whether your organization is ready for Windows 10.
Determine whether your organization will enable users to connect their own devices to the corporate
network.
Windows 8 introduced a touch-centric interface that enabled users to utilize the operating system on
handheld devices, such as tablets, as well as more traditional computing platforms, such as desktop
computers and laptops. At the same time, modifications to the operating system's architecture enabled
support for non-Intel, processor-based devices, including devices installed with ARM processors.
Note: ARM provides a lightweight form factor with excellent battery life specifically for
mobile devices. However, please note that Windows 10 does not support ARM.
Windows 8 also supported touch-enabled versions of Microsoft apps, including Microsoft Office.
Additionally, the operating system allowed users to install small, more task-focused apps from an
online store, similar to what users might do with their other computing devices, such as Android
phones and tablets, or the Apple iPhone.
Note: Later sections of this course provide more detail about these small, task-focused
apps, known as Windows Store apps. Windows 10 includes a new Windows Store, from which
users can download and install desktop and Windows Store apps.
Windows 10 is the latest version of Microsoft's client operating system. It offers many improvements
over Windows 7, and provides numerous important enhancements and functional improvements over
Windows 8.1. You can install and run it on a variety of hardware platforms, ranging from traditional
desktop and laptop computers to tablets, phones, and other devices, such as the Xbox.
Note: The Windows 10 hardware requirements, in terms of processor, memory, and disk
space, do not vary greatly from those of Windows 8.1. The next module provides more details
regarding these requirements.
The release of Windows 10 incorporates feedback that Microsoft received from Windows 8.1 users
regarding interacting with the user interface when users installed the operating system on desktop
computers. The operating system now senses its own environment. When it discovers a desktop
computer, Windows 10 runs in desktop mode. In this mode, apps are resizable, and a more familiar,
although enhanced, Start menu is available to navigate the operating system. When running on a tablet,
Windows 10 runs in the tablet mode with apps defaulting to a full-screen layout, and the Start menu
becomes a full-screen app. These subtle changes greatly increase the usability of the operating system.
Cloud integration. Windows 10 provides increased integration with cloud-based services and
information. Users signing in to a Windows 10 device can connect instantly to the information
and settings that are important to them. Windows 10 ensures a consistent user experience across
devices, regardless of a specific device's location.
o Reset this PC. By using the Reset this PC feature, you can return a device to its initial state, or
recover Windows 10 from corrupted operating system files and other errors. When you launch
Reset this PC, you can choose to:
Keep my files. This option retains your personal files, but removes apps and settings, and
reinstalls Windows.
Remove everything. This option removes all personal data, apps, and settings from the
device, and reinstalls Windows.
o Advanced start-up options. These recovery features enable you to recover Windows 10 from
common errors. Options include:
Use a device. Enables you to recover Windows by using a universal serial bus (USB) drive,
network connection, or recovery disk.
Troubleshoot. Enables you to access Advanced options, including System Restore, System
Image Recovery, Startup Repair, Command Prompt, and Unified Extensible Firmware
Interface (UEFI) settings.
Note: A section at the end of this course provides more detail about these recovery
options.
Windows To Go. This feature enables you to supply a fully functioning copy of Windows 10 that users
can start and run from a USB storage device. When users boot from a Windows To Go-enabled USB
device, they get a complete Windows 10 experience, including all of their apps, files, and settings.
Client Hyper-V. Client Hyper-V on Windows 10 provides a flexible and high-performing client
virtualization environment. You can use this environment to use a single device to test applications
and IT scenarios in multiple operating system configurations. By using Client Hyper-V, IT departments
can provide a consolidated and efficient virtual environment through virtual-machine compatibility
with Windows Server 2012 R2.
Note: Client Hyper-V is available in the Windows 10 Pro, Windows 10 Enterprise, and
Windows 10 Education editions. Your computer hardware must support hardware virtualization
and Second Level Address Translation (SLAT). Furthermore, you must ensure that these features
are enabled in the device's BIOS or UEFI firmware settings.
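The note above lists the prerequisites but not how to check them. The following PowerShell is an added example, not part of the course, that reads the same four "Hyper-V Requirements" that systeminfo prints, and enables the feature only when they are met. It assumes Windows 10 Pro, Enterprise or Education with PowerShell 5.1 or later (for Get-ComputerInfo) in an elevated session.

```powershell
# Added example (not course code): check Client Hyper-V prerequisites and,
# if they are met, enable the feature. Assumes PowerShell 5.1 or later
# (Get-ComputerInfo) and an elevated session.

$info = Get-ComputerInfo -Property 'HyperV*', 'WindowsProductName'

# The four requirement properties mirror what "systeminfo" prints under
# "Hyper-V Requirements". All must be $true on a machine that is not
# already running a hypervisor.
$checks = [ordered]@{
    'VM Monitor Mode Extensions'          = $info.HyperVRequirementVMMonitorModeExtensions
    'Virtualization enabled in firmware'  = $info.HyperVRequirementVirtualizationFirmwareEnabled
    'Second Level Address Translation'    = $info.HyperVRequirementSecondLevelAddressTranslation
    'Data Execution Prevention available' = $info.HyperVRequirementDataExecutionPreventionAvailable
}

if ($info.HyperVisorPresent) {
    # When a hypervisor is already running (Hyper-V, or virtual secure mode on
    # Enterprise), the requirement properties are $null: the firmware checks
    # were already satisfied at boot.
    Write-Host 'A hypervisor is already present; the firmware checks do not apply.'
}
else {
    $checks.GetEnumerator() | ForEach-Object {
        '{0,-38} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING - enable in BIOS/UEFI' })
    }
    if ($checks.Values -contains $false) {
        throw 'Hardware virtualization or SLAT is not enabled; fix the firmware settings first.'
    }
}

# Home edition ships without the optional feature, so the lookup returns nothing.
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -ErrorAction SilentlyContinue
if (-not $feature) {
    throw "Client Hyper-V is not available on $($info.WindowsProductName)."
}
if ($feature.State -ne 'Enabled') {
    # -NoRestart lets you review the result first; the hypervisor is only added
    # to the boot path, and the feature only becomes usable, after a reboot.
    Enable-WindowsOptionalFeature -Online -FeatureName 'Microsoft-Hyper-V-All' -All -NoRestart
    Write-Host 'Client Hyper-V enabled; restart to load the hypervisor.'
}
```

If any check reports MISSING, the fix is in firmware (Intel VT-x/AMD-V and SLAT, often labelled EPT or RVI), not in Windows; rerun the script after changing the setting.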
Support for multiple device types. Windows 10 runs on desktop and laptop computers, tablets and
similar devices, phones, the Xbox platform, and Microsoft HoloLens, thereby providing users with very
extensive access to the Windows 10 environment.
Bring Your Own Device support. Many users have their own personal computing devices, and they
might wish to connect these devices to their corporate networks so that they can access apps and
services, and work with data files. Bring Your Own Device (BYOD) is the ability to connect users'
personal devices to a corporate network. Windows 10 introduces a number of features that improve
the support of users who wish to bring their own devices.
MCT USE ONLY. STUDENT USE PROHIBITED
Installing and Configuring Windows 10 1-5
Note: A later section in this lesson provides more information about Bring Your Own
Device support.
Mobility improvements. Windows 10 includes a number of features that improve support for mobile
devices, including:
o Mobile broadband. Windows 10 provides support for embedded wireless radio. This support
helps to improve power efficiency and reduce the size of some devices.
o Broadband tethering. You can turn your Windows 10 device into a Wi-Fi hotspot.
o Auto-triggered VPN. If an app requires access to your company's intranet, Windows 10 can
automatically trigger a virtual private network (VPN) connection.
o Remote Business Data Removal. With Windows 10 and Windows Server 2012 R2, you can use
Remote Business Data Removal to classify and flag corporate files, and to differentiate between
these files and user files. With this classification, the remote wipe of a Windows 10 device will not
remove user-owned data when securing or removing corporate data on the device.
o Improved biometrics. Windows 10 extends biometric authentication to Windows sign-in, remote
access, and User Account Control (UAC) elevation prompts. Furthermore, you can configure
biometric authentication for Windows Store access.
o Pervasive device encryption. On Microsoft Surface devices, device encryption is enabled by
default, and you can configure additional BitLocker Drive Encryption protection. You also can
enable additional management capability on the Windows 10 Pro and Enterprise editions.
o Malware resistance. Windows Defender now includes network-behavior monitoring that can help
to detect and prevent the execution of known and unknown malware.
o Device lockdown. The Assigned Access feature enables you to restrict the Windows Store app
experience on a device to a specific subset of apps, or even to a single app. This could be a line-
of-business (LOB) app in a kiosk scenario, or a set of educational apps for children in a school
setting.
o Virtual secure mode. This is a hypervisor-isolated execution environment that Windows 10 introduces.
It helps protect sensitive system processes by running them in a separate, virtualized container
that is isolated from the normal Windows kernel; the processes that run there are known as
trustlets. Because the Windows operating system itself has no access to the trustlets, the
processes and data within them remain protected even from code that has compromised the
normal kernel.
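The device lockdown item above names the Assigned Access feature without showing how a kiosk is actually configured. The following PowerShell is an added example, not course code. It assumes Windows 10 Pro, Enterprise or Education, an elevated session, PowerShell 5.1 or later for the LocalAccounts cmdlets, and a constructed local user named Kiosk; the built-in Calculator stands in for the line-of-business app.

```powershell
# Added example (not course code): lock a dedicated local account down to a
# single Windows Store app with Assigned Access. The user name "Kiosk" and the
# choice of Calculator are assumptions for the example.

$user = 'Kiosk'

# 1. A dedicated standard (non-administrator) local account, so the lockdown
#    cannot be undone from inside the kiosk session.
if (-not (Get-LocalUser -Name $user -ErrorAction SilentlyContinue)) {
    $pwd = Read-Host -AsSecureString "Password for local user $user"
    New-LocalUser -Name $user -Password $pwd -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
}

# 2. Assigned Access identifies the app by its Application User Model ID
#    (package family name + "!" + the Application Id from the manifest),
#    e.g. Microsoft.WindowsCalculator_8wekyb3d8bbwe!App for Calculator.
$pkg   = Get-AppxPackage -Name 'Microsoft.WindowsCalculator'
$app   = (Get-AppxPackageManifest -Package $pkg).Package.Applications.Application | Select-Object -First 1
$aumid = '{0}!{1}' -f $pkg.PackageFamilyName, $app.Id

# 3. Apply the lockdown. The kiosk user must already have the app installed
#    (sign in as that user once so provisioned apps are registered), otherwise
#    the session shows a blank screen. Set-AssignedAccess replaces any existing
#    assignment; Clear-AssignedAccess removes it.
Set-AssignedAccess -UserName $user -AppUserModelId $aumid

# 4. Verify: UserName, UserSID, AppUserModelId and AppName of the assignment.
Get-AssignedAccess
```

Assigned Access restricts only the assigned account; maintenance still happens from a separate administrator account, and pressing Ctrl+Alt+Del at the kiosk returns to the sign-in screen rather than exposing the desktop.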
Note: For face recognition to function, your device must have an infrared camera. This
enables Windows to verify your identity, and ensure that another person is not trying to sign into
your account by using your photograph.
o Improved Start. Windows 95 introduced the Start button, which gave users access to a list of
installed programs and links to management tools. Windows 8 replaced the Start button with a
single screen that has customizable tiles. Windows 10 provides a hybrid approach: users can
continue using the Start button, which is vastly improved, or use a Start screen, with customizable
tiles, on touch-enabled devices.
o Cortana. Cortana is a search and control assistant that you can control with voice commands,
and was available initially on Windows Phone devices. You can use Cortana to search for your
installed apps, documents, and Internet results. You access Cortana from a search box on the
taskbar or by activating search verbally.
o Continuum. This feature enables Windows to switch between desktop mode and tablet mode,
based on what the operating system detects during startup. This allows apps to run in full-screen
when Windows 10 is running on a tablet and when the Windows operating system is running on
a nontouch device, such as a desktop computer. If you have a convertible device, and you rotate
it to act as a tablet, Windows enables the tablet mode. When you rotate the device to act as a
laptop, Windows switches to the desktop mode. However, you can override this behavior
manually.
o Multiple desktops. You can enable multiple desktops even if your device does not have multiple
monitors. This allows you to separate apps and views into distinct desktops. This feature can be
useful when you want to share your desktop during a Skype for Business meeting, but want to
share certain apps only.
o Task switcher. There is a Task View icon in the taskbar that you can use to view the running apps,
and switch between them easily.
o Taskbar improvements. Aside from the Cortana search box and the Task View icon, other running
apps are highlighted with a subtle underline. This reduces the space that a running app occupies
on the taskbar.
o Snap Assist. In Windows 8.1, it was possible to drag apps to split the screen, so that each app
takes up half of the available screen space. In Windows 10, Snap Assist allows you to position
apps to the desktop's four corners, enabling four apps to each occupy a quarter of the available space.
This is partly because all apps, whether they are desktop apps or Windows Store apps, now run
on the desktop when in desktop mode.
Action Center. Many phones and tablet devices provide quick access to commonly used operating-
system features. For example, swiping down the display on an Android phone accesses notifications
and options, such as Wi-Fi, mobile data, and brightness settings. Windows 10 now provides an
improved Action Center, which consolidates information that was available previously in the Windows
8.1 Action Center with configurable notifications. You can access the Action Center by swiping from
the right on the desktop or Start screen. This displays a notification list with tiles, at the ribbon's
bottom, for actions such as accessing Settings, configuring brightness, enabling Airplane mode, and
other settings.
Universal Windows Platform (UWP) apps. In Windows 8.1, you can install desktop apps from the
desktop by using local or network sources. Windows 10 includes a new Windows Store from which
users can download and install both desktop and Windows Store apps. Specific versions of apps run
on Windows Phone and Windows 8.1. Many of these apps are universal, which means you can install
them on multiple hardware platforms, such as an Intel tablet that is running Windows 10 Pro, the
Xbox One, and Windows 10 Mobile.
Note: Microsoft Office apps, such as Microsoft Office Word and Office Excel, are available
as both desktop apps and Universal Windows apps that share the same code across devices, such
as a PC, a Windows Phone, and an Xbox One.
Microsoft Edge. Internet Explorer is still included in Windows 10, because it is necessary to
support some websites and internal corporate apps that require ActiveX controls. Alongside it,
Microsoft provides a new browser. The Microsoft Edge browser is lighter, faster, more efficient, and
designed for touch-enabled devices. It also is available across multiple platforms, including Windows
Phone, so users will be familiar with the interface when they switch between their devices.
Consolidated settings. One of the issues with earlier Windows versions is that you must access the
operating-system settings by using a variety of disparate tools and interfaces. However, with Windows
8.1, Microsoft consolidated many settings into a single place: the Settings app. In Windows 10, this
consolidation continues. Many of the settings that are accessible through Control Panel in Windows
8.1 now are accessible in Settings. This makes it easier to locate the appropriate settings and
configure your operating system.
Note: Control Panel is still available, and you can use it when you want to make
configuration changes.
Multiple update sources. Windows 10 supports multiple sources for obtaining updates. These sources
include the Microsoft Update servers and configurable local sources, such as file servers and other
Windows 10 devices on the network that already have the updates you need.
Despite the investment required, both in terms of software licenses and in increasing employees'
knowledge of and skills with new hardware, there are compelling reasons for small and medium
organizations to update to Windows 10 from Windows 7, including:
Easier to use. Windows 10 is easier to use, which means fewer calls to your support desk. The features
that make Windows 10 easier to use include:
o Support for touch. Using a touch device is intuitive. For example, working with images and
navigating an operating system is easier when you are using touch rather than a mouse and
keyboard, especially if the user is not in a traditional office environment. Windows 10 supports
touch-enabled devices and optimizes itself for this environment, while continuing to support
more traditional input methods where required. An intuitive, user-friendly interface helps to
reduce calls for support.
o A consistent user interface and Universal Windows apps. If your users are using phones, tablets,
and computers, they can work more effectively and efficiently if you provide a consistent
interface and access to Windows Universal apps that they can use on any device.
o Performance improvements. Windows 10 starts up more quickly, and due to improvements in the
architecture, navigating the operating system is faster, as well.
Continuous updates. Microsoft plans to provide updates on a continuous basis. This means that rather
than periodic upgrades, such as from Windows 7 to Windows 10, there will be a constant process of
smaller updates. Therefore, you will not have to perform wipe-and-load upgrades when a new
Windows version arrives. This reduces support efforts and costs.
Improved device management. You can choose to manage your Windows 10 devices by using System
Center Configuration Manager, or Microsoft Intune. The method that you choose depends on your
needs, the number of devices you have, and the complexity of your environment. For example, with
Microsoft Intune, you can provide for cloud-based management of mobile devices, apps, and PCs.
You can provide your users with access to your corporate apps, data, and resources from virtually
anywhere and on almost any device.
Note: Course: 20697-2B. Deploying and Managing Windows 10 Using Enterprise Services
provides more details about System Center Configuration Manager and Microsoft Intune.
Distribution of apps by using the Windows Store. Microsoft will provide organizations with the
ability to acquire Windows Store apps, and then by using a web portal, make those apps available
to their users. Additionally, Microsoft will allow organizations to create an organizational private app
repository within Windows Store for Business. These changes will allow you to deploy and manage
apps within your organization more easily.
More secure. Several new and improved security features make Windows 10 more secure than Windows 7.
Keeping users' devices safe and secure helps reduce support costs.
Free upgrade to Windows 10. Microsoft is providing a free upgrade to Windows 10 Pro for users of
Windows 7 Pro and Windows 8.1 Pro, and to Windows 10 Home for users of Windows 7 Home and
Windows 8.1 Home editions.
Note: This free upgrade is for a limited period only, currently one year from the release of
Windows 10. The upgrade is not available currently to users of Windows 7 Enterprise or Windows
8.1 Enterprise.
BYOD Features
Many of your organization's users likely have smartphones and tablets. In some circumstances, users
might wish to use their own devices to access corporate data because their device's form factor is
better suited to the environment in which that user is working. For example, a user who is moving
between meetings and requires a device for taking notes might wish to use a tablet rather than a
laptop. Unless your organization wishes to equip all its users with multiple devices, the solution
might be to allow users to connect their own equipment. Windows 10 supports the idea of
Bring Your Own Device (BYOD) to work, and includes several useful features that make it easier to
integrate users' personal devices into your network, including:
Device Registration. Enables a device to be registered with your Active Directory Domain Services
(AD DS) domain without fully joining it, and to be unregistered again without the disruption of a
domain removal. The Device Registration feature allows your users to work on the devices that they
choose, while continuing to access enterprise network resources. You can control access to resources
and exert a finer level of control over devices that are registered through Device Registration.
Work Folders. Work Folders enable a user to synchronize their data from their network user folder to
their device. When you implement Work Folders, locally created files also synchronize to the network
folder location. The client-computing device does not need to be domain-joined to access this shared
content.
Mobile Device Management. After users enroll their devices, they join them to the Microsoft Intune
management service and get access to the company portal. This provides them with a consistent user
experience while accessing their applications and data, which enables them to manage their own
devices. You have improved management over these devices, and can manage them as mobile
devices without having to deploy a full management client.
RemoteApp. This feature enables users to run apps remotely from their device through Remote
Desktop Services. This makes it appear as if the app is running locally on the users own device, when
in reality, it runs securely on the Remote Desktop Session Host server. Using RemoteApp apps allows
you to be sure that users with even the most esoteric devices can run all required apps.
What are the benefits to small and medium-sized organizations of using Windows
10? (Choose all that apply)
Lesson 2
Navigating the Windows 10 User Interface
Windows 10 has an improved user interface that allows you to navigate the operating system by using
touch-enabled devices as well as devices that are equipped with a keyboard and mouse. This lesson
explores the user interface, and identifies the important interface elements. It also explains how to
perform common navigation tasks by using touch, as well as a keyboard and mouse.
Lesson Objectives
After completing this lesson, you will be able to:
Determine how to perform actions within the interface with both touch, as well as mouse and
keyboard.
You are doubtless familiar with the concept of using a mouse to navigate the Windows operating system.
For example, you click an item to select it, double-click an item to open it, and right-click an item to
access a context menu. These actions remain the same for Windows 10 when you use a mouse to
navigate. However, when you use touch, you must use gestures to complete the same tasks. Therefore,
to select an item, you tap it. To open an item, use double-tap. To access an items context menu, use tap
and hold.
Sign in. You can sign in to Windows 10 by swiping up from the bottom of your tablets display to
access the sign-in page.
Note: If you are using a device with a keyboard, you can press <Ctrl><Alt><Del> to access
the sign-in page.
Tap the Username box, and the virtual keyboard appears. Enter your username and password, and
then tap the right arrow. If you want to sign in with a different account, tap Other user in the lower
left of your display.
Note: Windows 10 also supports sign-in by using a personal identification number (PIN), as
well as biometric and multi-factor authentication options enabled by Windows Hello.
Start. The device type and orientation controls the behavior of Start:
o Nontouch. If you sign in by using a device that does not support touch, Windows starts in
Desktop mode. This means that Start appears as a menu rather than as a full-screen Start screen,
and this menu is accessible when you click Start in the lower left of the taskbar.
Note: You can force Windows manually to switch between Desktop and Tablet modes by
using the Tablet mode tile in the Action Center to toggle between settings.
Start consists of a list, on the left side of the display, of your Most used apps and shortcuts for File
Explorer, Settings, Power, and All apps. The right-hand side of Start has tiles that you can use to
launch apps. You can configure which tiles display and how, and you can group the tiles into
meaningful collections.
Action Center. The Action Center consolidates notifications from the operating system with shortcut
tiles that enable you to perform common or frequently accessed tasks. To access the Action Center,
click the Notifications icon in the notification area in the Desktop mode, or swipe from the right in
the Tablet mode. Available tiles include:
o Tablet mode. Switches between Desktop and Tablet modes. In the Tablet mode, all apps run full
screen, and Start displays as a full-screen app. The Desktop mode runs apps in resizable windows,
with Start appearing as a menu.
o Rotation lock. Enables you to lock the display in either portrait or landscape modes.
o Connect. Searches for and allows you to connect to wireless display and audio devices in the local
area.
o Note. Opens a new note in Microsoft OneNote.
o All settings. Launches the Settings app, which provides access to options for the device's
configuration and settings.
o Battery saver. Toggles into battery saver mode. This reduces power consumption by reducing
display brightness and configuring other power-intensive operating-system components.
Note: You can configure Battery saver settings by using All settings, accessing System, and
then Battery saver.
o Flight mode. Enables you to disable all radios so that your device can safely be used onboard an
aircraft.
o Quiet hours. Toggles into a setting that reduces the notifications that you receive.
o Location. Toggles the location setting. Many apps use location to customize behavior and to
provide geographically pertinent information to the user.
Note: The specific tiles that you see vary depending upon the type of device that you are
using. For example, a desktop computer does not display the Rotation lock tile.
Settings. You can access Settings from the All settings tile in the Action Center or by tapping Settings
in Start. You can configure almost all device settings within the Settings app.
Demonstration Steps
1. Sign in as ADATUM\April.
2. Open the Action Center.
4. Switch to Start.
5. View All apps.
Pin to the taskbar. You also can pin apps to the taskbar, in addition to (or rather than) pinning them
to Start. To do this, tap All apps. A list of all installed apps appears. Tap and hold (or right-click) the
desired app, and then tap Pin to taskbar. The app appears as an icon on the taskbar.
Resize tiles. To resize a tile, tap and hold the tile, tap Resize, and then tap the desired size. You can
resize most tiles as Small, Medium, Wide, and Large.
Live tiles. You can make many tiles, such as News and Weather, update automatically. Live tiles
display content relevant to the app, such as continuously updated news in the News tile or weather
information in the Weather tile. To enable live tiles, tap and hold the relevant tile, and then tap Turn
live tile on. To disable a live tile, tap and hold the tile, and then tap Turn live tile off.
Grouping tiles. You can group tiles into specific categories. Windows creates two default groups
during installation: Life at a glance, and Play and explore. You can rename groups by tapping the title
bar of the group and entering a new name. To create new groups, drag tiles to a new area on the
Start screen. Windows creates a new, unnamed group for the moved tile. You then can add tiles to
the group, and rename it as applicable.
Demonstration Steps
1. Sign in as ADATUM\April.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o Domain: Adatum
Note: If the tiles at the bottom of Action Center do not display, close and then open
Action Center again.
5. Open Calculator.
Results: After completing this exercise, you will have navigated the Windows 10 user interface
successfully.
2. Group tiles.
o Word 2013
o PowerPoint 2013
o Excel 2013
o Calculator
Results: After completing this exercise, you will have customized Windows 10 Start successfully.
2. Add a new shortcut to the desktop for the This PC\Pictures folder.
o Color: Select a color from the Choose your accent color list.
o Lock screen:
Choose an app to show detailed status: Calendar
Choose apps to show quick status: Alarms & Clock
Note: If you do not see Alarms & Clock, choose another app from the list.
o Start:
Show most used apps: Off
Show recently added apps: Off
5. Sign out, and then sign back in as ADATUM\April to verify your settings.
6. Verify the color and background changes that you made do appear. Open Start to view the changes
that you configured.
Note: Due to a limitation in the virtual machine, this setting is not retained but should
display.
Results: After completing this exercise, you will have configured the Windows 10 desktop successfully.
2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.
Module 2
Installing Windows 10
Contents:
Module Overview 2-1
Module Overview
Windows 10 is the first client operating system from Microsoft that provides the same look and feel
across all device types. With Windows 10, Microsoft recommends performing an in-place upgrade over
a migration, unlike previous operating systems. This module introduces the different editions of
Windows 10, and provides instructions on installing and upgrading to Windows 10.
Objectives
After completing this module, you will be able to:
Lesson 1
Installing Windows 10
You can use Windows 10 on a variety of computing devices, from traditional platforms to the latest tablet,
phone, and gaming platforms. This lesson introduces the different editions of Windows 10 and the
features of each. The lesson also describes why and when you might select a specific Windows edition.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the minimum recommended hardware requirements for installing Windows 10.
Describe the options available for installing and deploying Windows 10.
Describe the tools available in the Windows Assessment and Deployment Kit.
Windows 10 Editions
Before you can install Windows 10, you
must select the most suitable edition for
your organization. The different editions of
Windows 10 address the needs of consumers
ranging from individuals to large enterprises.
This topic describes the different features of each
edition and the differences between the 32-bit
and 64-bit editions of Windows 10.
Windows 10 Home
Windows 10 Home is the consumer-oriented desktop edition of Windows 10. It offers the familiar
Windows experience for PCs, tablets, and the new hybrid laptop/tablets. Windows 10 Home includes
several new features:
Virtual Desktops
Photos, Maps, Mail, Calendar, Music and Video, and other built-in universal Windows apps
Windows 10 Pro
Windows 10 Pro builds on the features of Windows 10 Home, with many extra features to meet the needs
of small and medium-sized businesses. Windows 10 Pro is also suitable for advanced consumers who are
looking for features such as BitLocker and virtualization. Windows 10 Pro also offers the new Windows
Update for Business. Additional Windows 10 Pro features include:
BitLocker
Enterprise Mode Internet Explorer
Client Hyper-V
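BitLocker appears in the Pro feature list above and under "Pervasive device encryption" in Module 1, but neither passage shows a configuration. The following PowerShell is an added example, not course code. It assumes Windows 10 Pro or Enterprise, an elevated session, a TPM, and a domain-joined device whose Group Policy permits backing up recovery information to AD DS.

```powershell
# Added example (not course code): verify the TPM, enable BitLocker on the OS
# drive with a TPM protector, add a recovery password, and escrow it in AD DS.
# Assumes an elevated session on a domain-joined Windows 10 Pro/Enterprise device.

$mount = 'C:'

# 1. A TPM that is present and ready is what lets BitLocker unlock the OS drive
#    at boot without a password. Without it you would need a startup key or PIN.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'No usable TPM; enable or clear it in firmware before using a TPM protector.'
}

$vol = Get-BitLockerVolume -MountPoint $mount
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "$mount is already protected ($($vol.EncryptionMethod), $($vol.VolumeStatus))."
}
else {
    # XtsAes256 is the strongest method Windows 10 (1511 and later) offers.
    # -UsedSpaceOnly makes a fresh install encrypt quickly; -SkipHardwareTest
    # avoids the extra reboot that validates the TPM and boot path.
    Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest

    # 2. Always add a recovery password: a firmware update or a boot-order change
    #    can invalidate the TPM's PCR measurements and lock the drive.
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
}

# 3. Escrow every recovery password in AD DS rather than leaving it only with
#    the user. (Unmanaged devices using device encryption store it in the
#    user's Microsoft account instead.)
$vol = Get-BitLockerVolume -MountPoint $mount
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $kp.KeyProtectorId
}

# 4. Report what is protecting the drive. A TPM-only volume with no recovery
#    password is a data-loss risk, not a security win.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
```

Run it again after the reboot: VolumeStatus moves from EncryptionInProgress to FullyEncrypted, and Protectors should list both Tpm and RecoveryPassword.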
Windows 10 Enterprise
Windows 10 Enterprise builds on the features of Windows 10 Pro, with additional features that meet the
needs of large enterprises. Windows 10 Enterprise is available to Volume Licensing customers only. They
can choose the pace at which they adopt new technology, including the option to use the new Windows
Update for Business. Windows 10 Enterprise also gives customers access to the Long Term Servicing
Branch as a special deployment option for their mission-critical devices and environments.
Windows 10 Enterprise offers new features, Credential Guard and Device Guard, to protect against
security threats. Windows 10 Enterprise also supports a broad range of options for operating system
deployment and device and app management. Windows 10 Enterprise provides the following additional
features:
DirectAccess
Windows To Go Creator
AppLocker
Windows BranchCache
Credential Guard
Device Guard
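Credential Guard and Device Guard, listed above, both run inside the virtual secure mode described in Module 1. The following PowerShell is an added example, not course code; it reports whether virtual secure mode and those two services are running, and shows the registry values that turn them on when Group Policy is not used. It assumes Windows 10 Enterprise in an elevated session, and uses the documented codes of the Win32_DeviceGuard class and the DeviceGuard and Lsa registry keys.

```powershell
# Added example (not course code): report the state of virtual secure mode (VBS),
# Credential Guard and Device Guard code integrity, and enable VBS plus
# Credential Guard through the registry. Assumes an elevated session on
# Windows 10 Enterprise.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Win32_DeviceGuard encodes state as small integers; decode them for the report.
# Services: 1 = Credential Guard, 2 = hypervisor-enforced code integrity (Device Guard).
$serviceNames = @{ 1 = 'CredentialGuard'; 2 = 'HypervisorEnforcedCodeIntegrity' }
$vbsStatus    = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

function ConvertTo-ServiceNames([int[]] $codes) {
    if (-not $codes) { return '(none)' }
    ($codes | ForEach-Object { if ($serviceNames[$_]) { $serviceNames[$_] } else { "Unknown($_)" } }) -join ', '
}

[pscustomobject]@{
    VBSStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured  = ConvertTo-ServiceNames $dg.SecurityServicesConfigured
    ServicesRunning     = ConvertTo-ServiceNames $dg.SecurityServicesRunning
    # Platform properties: 1 = base VBS, 2 = Secure Boot, 3 = DMA protection
    RequiredProperties  = ($dg.RequiredSecurityProperties -join ',')
    AvailableProperties = ($dg.AvailableSecurityProperties -join ',')
} | Format-List

# Without Group Policy, enabling VBS and Credential Guard means writing the same
# values the "Turn On Virtualization Based Security" policy sets. A restart is
# required, and on a machine without UEFI and Secure Boot the hypervisor will
# not start (VBSStatus stays "Enabled, not running").
$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # 1 = require Secure Boot; 3 = require Secure Boot and DMA protection
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock (cannot be turned off
    # remotely), 2 = on without lock, 0 = off
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value 1 -Type DWord
    Write-Host 'VBS and Credential Guard configured; restart and re-run to confirm ServicesRunning.'
}
```

The report is the part worth keeping: ServicesConfigured tells you what policy asked for, and ServicesRunning tells you what the hardware actually delivered after the reboot; a gap between the two usually means Secure Boot or the IOMMU is disabled in firmware.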
Windows 10 Education
Windows 10 Education offers the same features as Windows 10 Enterprise, except for Long Term Servicing
Branch. This edition of Windows 10 is suitable for school staff, administrators, teachers, and students.
Windows 10 Education is only available through academic Volume Licensing.
Windows 10 Mobile
Windows 10 Mobile is for smaller, mobile, touch-centric devices, such as smartphones and small tablets.
It offers the same new universal Windows apps that Windows 10 Home includes, in addition to a new
touch-optimized version of Microsoft Office. On new devices, Windows 10 Mobile can take advantage of
Continuum for phone, so you can use the phone like a PC when it is connected to a monitor with larger
screen resolution. Windows 10 Mobile runs universal apps only. You cannot run desktop applications.
Windows 10 IoT
There are also editions for the Internet of Things (IoT), including:
Windows 10 IoT Core is suitable for small devices such as robots, toy cars, and sensors.
Windows 10 IoT Enterprise is suitable for devices such as ATMs and industrial robotics.
Note: Further details on Windows Mobile and IoT editions are outside the scope of
this course. The mention here is for reference only. Unless otherwise noted, all references to
Windows 10 in this course are for the 32-bit and 64-bit editions.
Improved performance. 64-bit processors can process more data for each clock cycle, enabling
you to scale your applications to run faster or support more users. However, to benefit from this
improved processor capacity, you must install a 64-bit edition of the operating system.
Enhanced memory. A 64-bit operating system can make more efficient use of random access memory
(RAM). It can address memory above 4 gigabytes (GB). This is different from all 32-bit operating
systems, including all 32-bit editions of Windows 10, which are limited to 4 GB of addressable
memory.
Improved security. The architecture of 64-bit processors enables a more secure operating system
environment through Kernel Patch Protection, mandatory kernel-mode driver signing, and Data
Execution Prevention (DEP).
Support for the Client Hyper-V feature. This feature is only available in the 64-bit versions of Windows
10, except Windows 10 Home. Client Hyper-V requires 64-bit processor architecture that supports
second-level address translation.
Note: It is worth noting that the 64-bit editions of Windows 10 do not include the 16-bit
Windows on Windows (WOW) subsystem. If your organization requires 16-bit applications, they will
not run natively on 64-bit Windows 10. One solution is to run the application within a 32-bit
virtual machine by using Client Hyper-V.
32-bit drivers will not work in 64-bit editions of Windows 10. If you have hardware for which
only 32-bit drivers are available, you must use a 32-bit edition of Windows 10, regardless of the
computer's processor architecture.
You can install 32-bit editions of Windows 10 on 64-bit architecture computers to support earlier
versions of applications or for testing purposes.
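The "Improved security" item above names three 64-bit protections without saying how to confirm they are in force, and a machine booted with test signing or integrity checks disabled loses the driver-signing guarantee silently. The following PowerShell is an added example, not course code; it assumes an elevated session (for bcdedit) and English bcdedit output.

```powershell
# Added example (not course code): confirm the 64-bit protections the text lists
# on a running Windows 10 system. Assumes an elevated session and that bcdedit
# prints its English labels.

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# DEP policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut.
# On x64 the kernel and every 64-bit process are protected regardless of policy;
# the policy only governs 32-bit processes.
$depPolicy = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

# Driver signing: bcdedit reveals whether the policy has been weakened. Either
# "testsigning Yes" or "nointegritychecks Yes" lets unsigned kernel code load,
# which defeats the mandatory signing that the 64-bit kernel otherwise enforces.
$bcd = bcdedit.exe /enum '{current}'

# Drivers that are loaded but carry no valid signature are the practical symptom.
$unsigned = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
              Where-Object { $_.DeviceName -and -not $_.IsSigned })

[pscustomobject]@{
    Is64BitOS          = [Environment]::Is64BitOperatingSystem   # KPP and mandatory signing are x64-only
    DepAvailable       = $os.DataExecutionPrevention_Available
    DepPolicy          = $depPolicy[[int]$os.DataExecutionPrevention_SupportPolicy]
    TestSigningOn      = [bool]($bcd -match '^\s*testsigning\s+Yes')
    IntegrityChecksOff = [bool]($bcd -match '^\s*nointegritychecks\s+Yes')
    UnsignedDrivers    = $unsigned.Count
    UnsignedDriverList = ($unsigned.DeviceName -join '; ')
} | Format-List
```

On a healthy 64-bit system expect TestSigningOn and IntegrityChecksOff to be False and UnsignedDrivers to be 0; anything else is worth investigating before trusting the kernel's integrity guarantees. Kernel Patch Protection has no query interface; it is simply always active on the 64-bit kernel.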
Form factors
Prior to Windows 8, Microsoft had three types of
devices: traditional PCs, mobile phones, and Xbox.
The release of Windows 8 saw new device types
emerge, including tablets and other touch-
enabled devices. With Windows 10, Microsoft
introduces two new types of devices: Microsoft Surface Hub and Microsoft HoloLens. Here is a list of the
different form factors and their typical use in a work environment:
Desktop PC. The desktop PC is the form factor of choice in businesses where the need for high
performance is predominant, such as computer-aided design (CAD).
Laptop. Traditionally, travelling users were the primary users of laptops. However, recently laptop
sales have surpassed desktop PC sales, perhaps due to increasing workforce mobility and superior
laptop performance. When a consumer uses a laptop as an office computer, the addition of an
external keyboard, mouse, and monitor can remedy the lack of workplace ergonomics.
Tablet. Tablets are popular for reading emails, doing presentations, or as entertainment devices. The
latest developments bring improved performance, but still lack in expansion possibilities.
Hybrid. The popularity of the tablet has led to the innovation of a hybrid device that converts from a
normal laptop to a tablet. Hybrid devices are more popular than tablets among users whose work
involves more typing. These devices also offer better performance than typical tablets.
Mobile phone or smartphone. It is best to use these devices for apps, where the smaller screen size is
not important. However, Windows 10 Continuum enables users to connect to a large monitor and
switch the Windows 10 Mobile edition to the Windows 10 desktop experience.
Xbox. The Xbox is a device that is most popular for gaming and entertainment.
HoloLens. The HoloLens is one of the first holographic computers. It has many uses in education,
design, and construction businesses.
Surface Hub. The Surface Hub is a large-format, touch-friendly monitor used in meetings.
Scenario 1
Contoso Pharmaceuticals considers purchasing new computers to control and supervise its production
lines. The production lines require special hardware with sensors in the computers that employees will use
to perform the supervision. The production line software is sensitive to major changes in the operating
system.
Which edition of Windows 10 would you recommend for purchase by Contoso Pharmaceuticals for
supervision of its production lines?
Scenario 2
A hospital is doing satisfaction surveys among its patients. The administration wants to replace the laptops
currently used, as they are too heavy. The employees use a newly developed universal Windows app to do
the surveys. No typing is necessary, because all input is touch-based.
Which edition of Windows 10 is the most suitable for the hospital employees doing surveys?
Scenario 3
Contoso Pharmaceuticals is trying to secure their information technology (IT) infrastructure by limiting the
apps that users can run. Some employees install unauthorized apps on their devices. Contoso wants to
limit users to apps that are on the company's list of approved apps.
Which edition of Windows 10 would you recommend to Contoso Pharmaceuticals to use on its devices?
Question: Which edition of Windows 10 would you recommend for purchase by Contoso
Pharmaceuticals for supervision of its production lines?
Question: Which edition of Windows 10 is the most suitable for the hospital employees
doing surveys?
Hardware requirements
The following section lists the minimum
recommended hardware requirements for
Windows 10. Windows 10 will install if some of
these requirements are not met. However, user
experience and operating system performance
might be compromised if the computer does not
meet or exceed the following specifications:
Graphics card: DirectX 9 or newer with Windows Display Driver Model (WDDM) 1.0 driver
Display: 800x600 pixels
Windows 10 offers additional features if the correct hardware is present. The following are some of the
hardware and software requirements for various additional features:
Windows Hello requires a specialized illuminated infrared camera for facial recognition or iris
detection, or a fingerprint reader that supports the Windows Biometric Framework.
Two-factor authentication requires the use of a PIN, fingerprint reader, or illuminated infrared
camera, or a phone with Wi-Fi or Bluetooth capabilities.
Depending on the resolution of the monitor, the number of simultaneously snapped applications
might be limited.
Touch requires a tablet or a monitor that supports multi-touch for full functionality.
Users need a Microsoft account for some Windows 10 features.
Secure boot requires firmware that supports Unified Extensible Firmware Interface (UEFI) and has the
Microsoft Windows Certification Authority in the UEFI signature database. The secure boot process
takes advantage of UEFI to prevent the launching of unknown or potentially unwanted operating-system
boot loaders between the system's firmware start and the Windows 10 operating system start.
While the secure boot process is not mandatory for Windows 10, it greatly increases the integrity of
the boot process.
Some applications might require a graphics card that is compatible with DirectX 10 or newer versions
for optimal performance.
BitLocker requires either Trusted Platform Module (TPM) or a USB flash drive (Windows 10 Pro,
Windows 10 Enterprise, and Windows 10 Education).
Client Hyper-V requires a 64-bit system with second level address translation capabilities and an
additional 2 GB of RAM (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education).
Second level address translation reduces the overhead incurred during the virtual-to-physical address
mapping process performed for virtual machines.
Miracast requires a display adapter that supports WDDM, and a Wi-Fi adapter that supports Wi-Fi
Direct.
Wi-Fi Direct Printing requires a Wi-Fi adapter that supports Wi-Fi Direct and a device that supports
Wi-Fi Direct Printing.
InstantGo works only with computers designed for connected standby. InstantGo allows network
connectivity in standby mode and allows for receiving updates, mail, and Skype calls with the screen
turned off.
Device encryption requires a PC with InstantGo and TPM 2.0.
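The feature prerequisites above can be checked from the device itself. The following script is an added example, not part of the course material: it queries the operating system architecture, installed RAM, second level address translation (SLAT), Secure Boot state, TPM presence and specification version, and display resolution, and reports each against the stated requirement. The 2 GB base RAM figure for 64-bit Windows 10 is an assumption made here to derive the 4 GB Client Hyper-V total; run the script from an elevated Windows PowerShell session because Confirm-SecureBootUEFI and the TPM class require administrator rights.

```powershell
# Added example (not from the course): check this device against the Windows 10
# feature prerequisites listed in the text. Run as administrator.

function Get-FeaturePrerequisiteReport {
    $checks = [ordered]@{}

    # 64-bit OS and RAM: Client Hyper-V needs a 64-bit system and 2 GB beyond the
    # base requirement (2 GB base for 64-bit Windows 10 assumed here, so 4 GB total)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $checks['64-bit operating system'] = $os.OSArchitecture -like '64*'
    $ramGB = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)   # WMI reports KB; KB / 1MB = GB
    $checks["At least 4 GB RAM for Client Hyper-V (found $ramGB GB)"] = $ramGB -ge 4

    # Second level address translation and firmware virtualization for Client Hyper-V
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $checks['CPU supports SLAT'] = [bool]$cpu.SecondLevelAddressTranslationExtensions
    $checks['Virtualization enabled in firmware'] = [bool]$cpu.VirtualizationFirmwareEnabled

    # Secure Boot: the cmdlet throws on legacy BIOS firmware, which means no UEFI at all
    try   { $checks['Secure Boot enabled (UEFI)'] = Confirm-SecureBootUEFI }
    catch { $checks['Secure Boot enabled (UEFI)'] = $false }

    # TPM for BitLocker; device encryption additionally requires TPM 2.0
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $checks['TPM present and enabled'] = ($null -ne $tpm) -and [bool]$tpm.IsEnabled_InitialValue
    $specVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $checks["TPM 2.0 for device encryption (found $specVersion)"] = $specVersion -eq '2.0'

    # Display: 800x600 minimum
    $gpu = Get-CimInstance -ClassName Win32_VideoController | Select-Object -First 1
    $res = "$($gpu.CurrentHorizontalResolution)x$($gpu.CurrentVerticalResolution)"
    $checks["Display at least 800x600 (found $res)"] =
        ($gpu.CurrentHorizontalResolution -ge 800) -and ($gpu.CurrentVerticalResolution -ge 600)

    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Met = [bool]$entry.Value }
    }
}

Get-FeaturePrerequisiteReport | Format-Table -AutoSize
```

A device that reports Secure Boot as not enabled still installs Windows 10, as the text notes, but it loses the boot-loader integrity protection; the TPM and Secure Boot rows are the ones to treat as blocking when BitLocker or device encryption is part of the deployment plan.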
64-bit architecture
Windows 10 fully supports the 64-bit architecture. The 64-bit version of Windows 10 can run all 32-bit
applications with the help of the WOW64 emulator. Considerations for the 64-bit Windows 10 include:
Applications or components that use 16-bit executable programs or 32-bit kernel drivers will fail to
start or function properly on a 64-bit edition of Windows 10.
Installation of 32-bit kernel drivers will fail on the 64-bit system. If an installer adds a driver manually
by editing the registry, the system will not load this driver, and this can cause a system failure.
Installation of 64-bit unsigned drivers will fail by default on the 64-bit system. If an installer manually
adds a driver by editing the registry, the system will not load the driver.
Device drivers
Finding device drivers for Windows 10 for all your legacy hardware might be difficult. Many companies
producing hardware have their drivers tested and certified at the Windows Hardware Quality Labs.
However, you might not be able to find a built-in driver for a specific piece of hardware. The best way to
find drivers for legacy hardware is to search the manufacturer's website.
Low-touch deployment
The low-touch deployment strategy is suitable for medium-sized organizations with 200 to 500 client
computers. This strategy uses Microsoft Deployment Toolkit (MDT) together with Windows Deployment
Services. It is an easier deployment strategy, because MDT automates most of the installation and handles
application, device driver, and update installation.
Zero-touch deployment
The zero-touch deployment strategy is suitable for large organizations that typically have more than 500
client computers. This deployment strategy uses MDT together with Microsoft System Center 2012 R2
Configuration Manager SP1 to deliver a more streamlined, fully automated deployment that does not
require user interaction.
Note: If you want to know more about Windows 10 deployment, course 20697-2A:
Deploying and Managing Windows 10 Using Enterprise Services covers how to deploy
Windows 10 in more detail.
Provisioning packages
Beginning with Windows Vista, the standard Windows operating system deployment changed to an
image-based deployment. This typically required the IT department to create a custom image or at least
an answer file to do an unattended installation. Windows 10 introduces provisioning, which enables you
to modify your existing Windows 10 installation. Provisioning eases the process of installation, and helps
to reduce the cost of deploying Windows-based PCs and devices such as tablets and phones by removing
the need to reimage new PCs before first use.
You use the Windows Imaging and Configuration Designer (ICD) from the Windows Assessment and
Deployment Kit (Windows ADK) to create provisioning packages. The packages contain rules that can:
Removable media
Network share
Windows ADK
Windows ADK for Windows 10 is a collection
of tools that you can use to automate the
deployment of Windows operating systems
and mitigate application compatibility issues.
Previously, Windows ADK was called Business
Desktop Deployment (for Windows Vista) and
Windows Automated Installation Kit (for
Windows 7).
ACT
The Microsoft Application Compatibility Toolkit
(ACT) is a graphical tool that can evaluate and
mitigate application compatibility issues before
deploying a new version of Windows. ACT requires access to a database. The database must be Microsoft
SQL Server 2008 (or SQL Server 2008 Express Edition) or a newer version. You can install SQL Server or use
an existing installation.
DISM
Deployment Image Servicing and Management (DISM) is a command-line tool that enables you to
capture, deploy, service, and manage Windows images. You can use it to apply updates, drivers, and
language packs to a Windows image, offline or online.
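Offline servicing is the DISM use case most often automated in deployment. The following script is an added example, not part of the course material or of the Windows ADK: it mounts an image with the DISM PowerShell module, adds signed driver packages and an update package, lists what was injected, and commits the change. All paths and the update file name are assumptions.

```powershell
# Added example (not from the course): offline servicing of a Windows 10 image
# with the DISM PowerShell module (Mount-WindowsImage, Add-WindowsDriver,
# Add-WindowsPackage, Get-WindowsDriver, Dismount-WindowsImage).

$ImageFile = 'D:\Images\install.wim'          # assumed: image to service
$MountDir  = 'C:\Mount'                        # assumed: empty directory to mount into
$DriverDir = 'D:\Drivers\Win10-x64'            # assumed: folder tree of .inf driver packages
$UpdateMsu = 'D:\Updates\update-placeholder.msu'   # assumed: update package (placeholder name)

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $ImageFile -Index 1 -Path $MountDir

try {
    # Only signed drivers are injected. -ForceUnsigned is deliberately not used:
    # 64-bit Windows 10 refuses to load unsigned kernel drivers by default, so an
    # unsigned driver injected here would fail at boot time rather than at build time.
    Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse

    # Apply an update package (.msu or .cab) to the offline image
    Add-WindowsPackage -Path $MountDir -PackagePath $UpdateMsu

    # Review the third-party drivers now staged in the image before committing
    Get-WindowsDriver -Path $MountDir |
        Where-Object { -not $_.Inbox } |
        Select-Object Driver, ProviderName, ClassName, Version, Date |
        Format-Table -AutoSize

    Dismount-WindowsImage -Path $MountDir -Save
}
catch {
    # Leave the source image untouched if anything failed
    Write-Error $_
    Dismount-WindowsImage -Path $MountDir -Discard
}
```

The same cmdlets accept -Online instead of -Path to service the running installation, which is the online case the text mentions.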
Windows SIM
Windows System Image Manager (Windows SIM) is a graphical tool that you can use to create
unattended installation answer files and distribution shares, or modify the files that a configuration
set contains.
Windows PE
Windows Preinstallation Environment (Windows PE) is a minimal 32-bit or 64-bit operating system
with limited services, built on the Windows 10 kernel. Use Windows PE during Windows installation
and deployment to boot the computer and start the setup program. Windows PE provides read and
write access to Windows file systems, and supports a range of hardware drivers, including network
connectivity, which makes it useful for troubleshooting and system recovery. You can run Windows PE
from the CD/DVD, USB flash drive, or a network, by using the Preboot Execution Environment (PXE).
The Windows ADK includes the tools to build and configure Windows PE.
USMT
User State Migration Tool (USMT) is a command-line tool that you can use to migrate user settings from
a previous Windows operating system to Windows 10 or from one Windows 10-based computer to
another.
VAMT
Volume Activation Management Tool (VAMT) is a graphical tool that you can use to automate and
manage activation of Windows, Windows Server, and Microsoft Office.
The VAMT PowerShell cmdlets require Windows PowerShell 3.0. VAMT requires a connection to SQL
Server, version 2008 or newer (including Express Edition).
Other tools
Windows ADK also includes the following tools:
Windows Performance Toolkit. It consists of performance-monitoring tools that produce in-depth
performance profiles of Windows operating systems and applications.
SQL Server 2012 Express. It is included here for the tools that require a connection to a SQL Server.
o Connect a specially prepared USB drive that hosts the Windows 10 installation files.
o Perform a PXE boot, and connect to a Windows Deployment Services server.
2. On the first page of the Windows Setup Wizard, select the following:
o Language to install
o Time and currency format
3. On the second page of the Windows Setup Wizard, click Install now. You also can use this page to
select Repair Your Computer. You use this option in the event that an installation has become
corrupt, and you are no longer able to boot into Windows 10.
4. On the License Terms page, review the terms of the operating system license. You must choose to
accept the license terms before you can proceed with the installation process.
5. On the Which Type Of Installation Do You Want page, you have the following options:
o Upgrade. Select this option if you have an existing installation of Windows that you want to
upgrade to Windows 10. You should launch upgrades from within the previous version of
Windows rather than booting from the installation source.
7. On the Set up for you, so you can get going fast page, click Use Express settings.
8. If the computer does not have Internet access, you might see a page telling you something went
wrong. Click Skip to continue the installation. The installation will then skip to number 12 in this list,
Create an account for this PC.
9. On the Who owns this PC? page, click This device belongs to my company, and then click Next.
Depending on your choice in this step, the installation will take two different directions. If you
indicate that this is a private computer, the setup program asks you to sign in with your Microsoft
account or create a new one or a local account. If you indicate that this is a company computer, the
setup program asks you to sign in with your Office 365 account or create a local account. Depending
on which edition of Windows 10 you install, you may or may not see this page.
11. On the Let's get you signed in page, click Skip this step.
12. On the Create an account for this PC page, type the username you want to use together with a
password and a password hint, and then click Next.
13. This concludes the installation of Windows 10. You have signed in and you have installed the built-in
universal apps. It will take a few minutes before you see the desktop.
Demonstration Steps
Mount the Windows 10 DVD
In Hyper-V Manager, mount the Win10Ent_Eval.iso file for the 20697-1B-LON-CL5 virtual machine
(VM). This file should be located at C:\Program Files\Microsoft Learning\20697-1\Drives\.
Install Windows 10
1. On the first page of the Windows setup program, accept the default settings.
2. On the second page of the Windows Setup Wizard, click Install now.
3. On the License Terms page, accept the license terms.
4. On the Which Type Of Installation Do You Want page, choose a custom installation.
5. On the Where do you want to install Windows page, use the default drive. The installation begins and
will take a few minutes to complete.
o Username: LocalAdmin
o Password: Pa$$w0rd
Activating Windows 10
All editions of Windows 10 require activation.
Activation confirms the licensing status of a
Windows product and ensures that the product
key has not been compromised. The activation
process links the software's product key to a
particular installation of that software on a device.
If the device hardware changes considerably, you
need to activate the software again. Activation
assures software integrity and provides you with
access to Microsoft support and a full range of
updates. Activation is also necessary if you want to
comply with licensing requirements. Depending
on the license type, you may find that the license is locked to that particular hardware. In this case, you
may not install Windows 10 on another computer with the same license.
Unlike Windows 7, Windows 10 does not have a grace period. You must activate Windows 10 immediately
upon installation. Failure to activate a Windows operating system will prevent users from completing
customization. In older versions of the Windows operating system, activation and validation with the
Windows Genuine Advantage tool occurred separately. This caused confusion for users who thought the
terms were interchangeable. In Windows 10, activation and validation occur at the same time. If you wish
to evaluate Windows 10, Microsoft provides a separate evaluation edition that is available as an .iso image
file to Microsoft Developer Network (MSDN) subscribers and Microsoft partners.
Activation methods
There are three main methods for activation:
Retail. Any Windows 10 product purchased at a retail store comes with one unique product key that
you type in during product installation. Use the product key to complete activation after installing the
operating system.
OEM. OEM system builders typically sell computer systems that include a customized build of
Windows 10. You can perform OEM activation by associating the operating system to the computer
system.
Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software
licensing programs that are tailored to the size and purchasing methods of your organization.
Volume customers set up volume licensing agreements with Microsoft. These agreements include
Windows upgrade benefits and other benefits related to value-added software and services. Microsoft
Volume Licensing customers use Volume Activation Services to assist in activation tasks, which consist
of Active Directory-based activation, Key Management Service (KMS), and multiple activation key
(MAK) models.
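Which of the three activation methods a computer is using, and whether activation actually succeeded, can be read from the Software Licensing WMI provider. The following function is an added example, not part of the course material: it selects the installed Windows edition (the licensing entry that carries a partial product key), maps the numeric license status to its documented meaning, and shows the key channel together with the KMS host or Active Directory activation object when a volume method is in use. The ApplicationID GUID is the fixed identifier of the Windows product family in that provider.

```powershell
# Added example (not from the course): read Windows activation status and the
# activation channel through the SoftwareLicensingProduct WMI class.

function Get-WindowsActivationState {
    # Fixed identifier of the Windows product family in the licensing provider
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

    # Documented LicenseStatus values of the Software Licensing provider
    $statusNames = @{
        0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Initial grace period'; 3 = 'Additional grace period'
        4 = 'Non-genuine grace period'; 5 = 'Notification'; 6 = 'Extended grace period'
    }

    # Several Windows entries exist (one per channel); only the installed edition has a partial key
    $product = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.ApplicationID -eq $windowsAppId -and $_.PartialProductKey } |
        Select-Object -First 1

    if (-not $product) { throw 'No Windows product key is installed on this computer.' }

    [pscustomobject]@{
        Edition       = $product.Name
        Description   = $product.Description                 # e.g. ends in RETAIL, OEM, VOLUME_KMSCLIENT, VOLUME_MAK
        KeyChannel    = $product.ProductKeyChannel           # Retail, OEM:DM, Volume:GVLK, Volume:MAK
        PartialKey    = $product.PartialProductKey
        LicenseStatus = $statusNames[[int]$product.LicenseStatus]
        KmsHost       = $product.DiscoveredKeyManagementServiceMachineName   # set only for KMS clients
        AdActivation  = $product.ADActivationObjectName                      # set only for AD-based activation
    }
}

Get-WindowsActivationState | Format-List
```

A LicenseStatus other than Licensed on a KMS client, combined with an empty KmsHost, usually points at the client being unable to reach a KMS host rather than at a key problem, which is the first thing to check before reissuing keys.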
You can view the Windows 10 activation status on the System properties page or by running the
following command:
Windows PE
You want to secure your laptop by enabling BitLocker. Which editions of Windows 10
include BitLocker?
Windows 10 Home
Windows 10 Pro
Windows 10 Enterprise
Windows 10 Education
Lesson 2
Upgrading to Windows 10
The decision to upgrade or migrate from a previous Windows version can be complicated. You must also
decide how to perform the upgrade or migration. A large number of parameters can contribute to the
upgrade decision. However, at the end of the process, the goal is always the same. You want to have your
computer running the newest operating system, while retaining settings or data that existed in the
Windows operating system prior to installing Windows 10.
This lesson examines the upgrade process, identifies different methods that you can use for upgrading
and migrating your operating system, and introduces you to the tools and processes that you can use to
perform an upgrade or migration.
Lesson Objectives
After completing this lesson, you will be able to:
Windows 8/8.1 X
Windows RT
Windows 7 Starter X
Windows 7 Home Premium X
Windows 7 Professional X
Windows 7 Ultimate X
Windows 7 Enterprise X
If your computer has the latest updates and service packs and you are running Windows 8.1 Pro,
Windows 7 Home Basic, Windows 7 Home Premium, or Windows 7 Professional, you will receive the
update to Windows 10 from Windows Update. If you do not have the latest updates, you can still
upgrade to Windows 10, but you will have to perform the upgrade from media, such as a DVD.
Windows 8 X
Windows RT
Windows 7 SP1 X X
Windows 7 RTM X
Deprecated features
When you upgrade to Windows 10, there may be some features in your old operating system that will no
longer be available. The following list details the deprecated features that are not a part of Windows 10:
If you are running Windows 8.1 Pro with Media Center, Windows 8 Pro with Media Center,
Windows 7 Home Premium, Windows 7 Professional, or Windows 7 Ultimate, Windows Media Center
will no longer be available.
Windows 7 desktop gadgets will no longer be available when you install Windows 10.
Windows 10 Home users will have updates from Windows Update automatically available.
Solitaire, Minesweeper, and Hearts Games that come preinstalled on Windows 7 will no longer be
available when you upgrade to Windows 10. Microsoft has released universal apps called the
Microsoft Solitaire Collection and Microsoft Minesweeper.
If you have a USB floppy drive, you can download the latest driver from Windows Update or the
manufacturer's website.
If you have Windows Live Essentials installed, the installation of Windows 10 will replace the Microsoft
OneDrive application with the inbox version of OneDrive.
In-place upgrade
The in-place upgrade is now the recommended
way to move from an existing Windows operating system to Windows 10. You perform an in-place
upgrade when you want to replace an existing Windows version with Windows 10, and you need to
retain all user applications, files, and settings. To perform an in-place upgrade to Windows 10, run the
Windows 10 installation program (setup.exe), and click Upgrade. You can run setup.exe from the product
DVD or from a shared folder on the network. During an in-place upgrade, the Windows 10 installation
program retains all user settings, data, hardware device settings, applications, and other configuration
information automatically.
Best Practice: Always back up all of your important data before performing an upgrade.
Migration
You perform a migration when you have a computer already running the Windows operating system,
and you need to move files and settings from your old operating system (source computer) to the
Windows 10-based computer (destination computer). Perform a migration by doing the following:
There are two migration scenarios: side-by-side, and wipe-and-load. In side-by-side migration, the source
computer and the destination computer are two different computers. In wipe-and-load migration, the
destination computer and the source computer are the same. To perform wipe-and-load migration, you
perform a clean installation of Windows 10 on a computer that already has an operating system, by
running the Windows 10 installation program, and then clicking Custom (advanced).
Note: Previously, migration was the recommended way to do upgrades, but now the
in-place upgrade is preferable.
Windows as a Service
Windows 10 will use a new method of delivering new features and functional changes. This method is
known as Windows as a Service. This is a major change from the past, when new Windows versions arrived
approximately every three years. This new way of delivering new functionality is comparable to when the
Windows 8.1 update came one year after the Windows 8 release.
With Windows 10, you can expect shorter release cycles, with bigger changes happening once a year.
Updates will no longer just be available on the second Tuesday of each month. Security and driver
updates will automatically download and install as soon as they become available for some Windows 10
editions. Other editions can defer some updates for a nonconfigurable period.
Note: The support for Windows 10 will continue for 10 years, until 2025.
Advantages
- Retains user settings, application settings, and files with no additional effort
- Preserves installed applications, and typically does not require reinstallation of applications
- Does not require additional storage space for migration files
- Affects user productivity minimally, and preserves user settings and data just as in the source computer
- Rollback is available in case of a problem
Disadvantages
- Does not take advantage of the opportunity to start fresh with standardized reference configurations
- Preserved applications may not work correctly after upgrading from an older Windows version
- Remnant files or settings from in-place upgrade may contribute to performance and security issues
- Does not allow for edition changes
- Computer has to meet the minimum hardware requirements
Considering migration
As an alternative, you might consider using the migration process. The following table outlines the
advantages and disadvantages of migrations.
Advantages
- Offers a fresh start with the opportunity to clean up existing computers and create more stable and
secure desktop environments, a significant advantage when creating a managed environment
- Provides the opportunity to reconfigure hardware-level settings, such as disk partitioning, before
installation
- Viruses, spyware, and other malicious software do not migrate to the new installation of Windows
Disadvantages
- Requires the use of migration tools, such as USMT, to capture and restore user settings and data
- Requires storage space for user settings and files to be migrated
- May have an impact on user productivity because of the reconfiguration of applications and settings
In-place upgrade
Side-by-side migration
Wipe-and-load migration
Scenario 1
Contoso Pharmaceuticals owns 100 workstations on which Windows 7 was manually installed. They want
to upgrade these workstations to Windows 10, and switch to a more standardized and managed
deployment. What is the best upgrade method for Contoso?
Scenario 2
Litware, Inc. has only 25 computers of different models. They do not employ any IT staff. Their users are all
local administrators who are skilled in managing their own computers. All their computers run Windows 7
or Windows 8.1. They want to upgrade to Windows 10. What is the best upgrade method for Litware?
Scenario 3
A. Datum Corporation has 5000 client computers running Windows 8.1 in a managed environment. All
computers have the same set of applications installed. They want to upgrade to Windows 10. What is the
best upgrade method for A. Datum?
Scenario 4
Contoso Pharmaceuticals discovers that not all computers will have hardware drivers for Windows 10.
They will need to purchase 50 new computers. What is the best upgrade method for the 50 users who are
getting new computers?
Question: What is the best upgrade method for the 100 workstations running Windows 7 at
Contoso Pharmaceuticals?
Question: What is the best upgrade method for the 25 computers at Litware, Inc.?
Question: What is the best upgrade method for the 5,000 client computers at A. Datum?
Question: What is the best upgrade method for the 50 users who are getting new
computers at Contoso Pharmaceuticals?
2. Back up
3. Upgrade
4. Verify
5. Update
Evaluate
Before starting the upgrade, you must evaluate whether your computer meets the requirements needed
to run Windows 10. If you are upgrading more than one computer, you should consider using the ACT
and Microsoft Assessment and Planning Toolkit (MAP) to assess your organization's readiness.
You must determine whether any installed applications will have compatibility problems while running on
Windows 10. ACT, which is a part of the Windows ADK for Windows 10, provides several tools that can
assist with evaluating potential compatibility problems.
Back up
To prevent data loss during the upgrade process, back up any data and personal settings before starting
the upgrade. You can back up data to any appropriate media, such as tape, removable storage, writable
disc media, or a network shared folder.
Upgrade
After evaluating your computer requirements, and backing up your data and personal settings, you are
ready to perform the actual upgrade. To perform the upgrade, run the Windows 10 installation program
(setup.exe) from the product DVD, removable media, or a network share. If your computer supports an in-
place upgrade to Windows 10, you can select Upgrade during the installation process. The installation
program prevents you from selecting the upgrade option if an in-place upgrade is not possible. This
might occur for several reasons, such as your computer lacking sufficient disk space, or your current
Windows edition not supporting a direct upgrade to the Windows 10 edition that you want to install. In
this case, stop the upgrade process and resolve the indicated problem before attempting the upgrade
again.
Note: We recommend that you disable antivirus programs before attempting an upgrade.
Verify
When the upgrade completes, sign in to your computer, and verify that all of the applications and
hardware devices function correctly.
Update
Finally, determine whether there are any relevant updates to the Windows 10 operating system, and apply
them to your computer. It is important to keep the operating system up to date to protect against
security threats. You also can check for updates during the upgrade process. Dynamic Update is a feature
of Windows 10 Setup that downloads any critical fixes and drivers that the setup process requires. With
Windows as a Service, it is more important than ever to make sure your Windows-based computer is up
to date, because you may also receive new functionality via Windows Update.
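The Evaluate, Upgrade and Verify steps of this procedure can be driven unattended with the same setup.exe the text describes. The script below is an added example, not part of the course material: it first runs Windows Setup in its compatibility scan-only mode, which changes nothing on disk, maps the result code to the documented meaning, and only then starts the in-place upgrade with Dynamic Update enabled; after the reboot, a verify function lists devices that Plug and Play reports as failed. The media path and log folder are assumptions; back up data before calling Start-InPlaceUpgrade, as the Back up step requires.

```powershell
# Added example (not from the course): Evaluate, Upgrade and Verify with setup.exe.

$SetupExe = 'D:\setup.exe'      # assumed: mounted Windows 10 installation media
$LogDir   = 'C:\UpgradeLogs'    # assumed: where /CopyLogs should place the setup logs

# Documented result codes of setup.exe /Compat ScanOnly
$scanResults = @{
    'C1900210' = 'No compatibility issues found'
    'C1900208' = 'Compatibility issues found (hard block)'
    'C1900204' = 'Upgrade (migration choice) not available for this edition'
    'C1900200' = 'Computer does not meet the minimum requirements'
    'C190020E' = 'Insufficient free disk space'
    'C1900107' = 'Reboot required to clean up a previous installation attempt'
}

function Test-UpgradeCompatibility {
    # Evaluate: scan only, quiet, no reboot; nothing is changed on the disk
    $p = Start-Process -FilePath $SetupExe -Wait -PassThru -ArgumentList @(
        '/Auto Upgrade', '/Quiet', '/NoReboot', '/Compat ScanOnly', "/CopyLogs $LogDir")
    # ExitCode is a signed Int32; widen to a positive value and render as 8 hex digits
    $hex = '{0:X8}' -f ($p.ExitCode -band 0xFFFFFFFF)
    $meaning = if ($scanResults.ContainsKey($hex)) { $scanResults[$hex] } else { "Unknown result; inspect $LogDir" }
    [pscustomobject]@{ ResultCode = "0x$hex"; Meaning = $meaning; CanUpgrade = ($hex -eq 'C1900210') }
}

function Start-InPlaceUpgrade {
    # Upgrade: keeps applications, files and settings; Dynamic Update fetches the
    # critical setup fixes and drivers the text mentions. Runs without user interaction.
    Start-Process -FilePath $SetupExe -Wait -PassThru -ArgumentList @(
        '/Auto Upgrade', '/Quiet', '/DynamicUpdate Enable', '/MigrateDrivers All', "/CopyLogs $LogDir")
}

function Test-PostUpgradeDevices {
    # Verify (after the reboot): any device left in an error state needs a Windows 10 driver
    Get-PnpDevice -Status Error | Select-Object FriendlyName, Class, InstanceId, Status
}

$scan = Test-UpgradeCompatibility
$scan | Format-List
if ($scan.CanUpgrade) {
    Start-InPlaceUpgrade
} else {
    Write-Warning 'Resolve the reported problem, then run the compatibility scan again.'
}
```

Running the scan separately from the upgrade is the practical form of the rule in the text that a blocked upgrade should be stopped and the indicated problem resolved first; the exit code tells you which problem it was without going through the interactive wizard.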
1. Back up
2. Install Windows 10
3. Update
4. Install applications
5. Restore
Back up
Before installing the new operating system, you must back up all user-related settings and program
settings with USMT. Additionally, you should consider backing up the user data. Although the
Windows 10 installation will not erase user data by default, it is a good practice to back up your
data to protect against accidental loss or damage during installation.
Note: Before the installation begins, you can choose to repartition or reformat the hard
disk. If you choose one of these actions, all user data will be deleted from the hard disk.
Note: When you do a clean installation of Windows 10 without reformatting the hard disk,
the existing Windows installation will be moved to a windows.old directory containing the
Windows, Program Files, and Users directories. All remaining directories and files stay in place.
Install Windows 10
Run the Windows 10 installation program (setup.exe) from the product DVD, removable media, or a
network share, and perform a clean installation by selecting Custom (advanced) during the installation
process. Then follow the on-screen instructions to complete the installation.
Update
If you chose not to check for updates during the installation process, it is important to do so after
verifying the installation. Keep your computer protected by ensuring that you have the most current
updates installed.
Install applications
Performing an upgrade by using a clean installation and migration process does not migrate the installed
applications. When you complete the Windows 10 installation, you must reinstall all applications.
Windows 10 may block the installation of any incompatible programs. To install any of these programs,
contact the software vendor for an updated version that is compatible with Windows 10.
Restore
After installing your applications, use USMT to migrate your application settings and user-related settings.
Note: In Windows 7 and Windows 8.1, you can also use Windows Easy Transfer to migrate
settings and data. Windows Easy Transfer is not available in Windows 10. Microsoft has partnered
with LapLink to provide PCmover Express, which is free to use for personal use.
File types, files, folders, and settings. When you plan your migration, identify the file types, files,
folders, and settings to migrate. For example, you need to determine and locate the standard file
locations on each computer, such as the My Documents folder and company-specified locations.
You also must determine and locate the non-standard file locations.
You can use the following tools to perform migration:
Windows Easy Transfer. Use Windows Easy Transfer to perform a migration for a single computer or a
small number of computers. Windows Easy Transfer is not available in Windows 10. You can copy it
from a Windows 7-based computer. It is located in the C:\Windows\system32\migwiz directory.
USMT. Use USMT to perform a migration for a large number of computers and to automate the
process as much as possible. USMT is available as part of the Windows ADK. You will use USMT in
the lab.
USMT
USMT is a scriptable command-line tool that provides a highly customizable user-profile migration
experience for IT professionals. The components of USMT include:
ScanState.exe. The ScanState tool scans the source computer, collects the files and settings, and then
creates a store.
LoadState.exe. The LoadState tool migrates the files and settings, one at a time, from the store to a
temporary location on the destination computer.
Migration .xml files. The .xml files that the USMT uses for migrations are the MigApp.xml,
MigUser.xml, or MigDocs.xml, and any custom .xml files that you create.
The MigApp.xml file. Specify this file with both the ScanState and LoadState commands to migrate
application settings to computers that are running Windows 8.
The MigUser.xml file. Specify this file with both the ScanState and LoadState commands to migrate
user folders, files, and file types to computers that are running Windows 8.
The MigDocs.xml file. Use this file with both the ScanState and LoadState tools to migrate all user
folders and files.
Custom .xml files. You can customize the migration for your organization's needs by making custom
.xml files. For example, you can migrate an application or modify the default migration behavior with
the use of a custom .xml file.
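The Back up and Restore steps of the clean-installation procedure, and the ScanState, LoadState and migration .xml components just described, fit together as follows. This script is an added example, not part of the course material or of USMT: it writes a small custom .xml that adds a company-specified folder to the default rules, captures the store with ScanState on the source computer, and restores it with LoadState on the destination. The USMT folder is the default ADK location and is an assumption, the share \\LON-DC1\USMT and the Adatum domain are those used in the lab, and D:\Projects and the key value are placeholders.

```powershell
# Added example (not from the course): USMT capture and restore with MigApp.xml,
# MigDocs.xml and a custom .xml, using an encrypted store.

$UsmtDir    = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64'  # assumed ADK path
$SourceName = 'LON-CL3'                             # lab VM whose state is captured
$Store      = "\\LON-DC1\USMT\$SourceName"          # one store folder per source computer
$CustomXml  = "$env:TEMP\CustomData.xml"
$StoreKey   = 'PLACEHOLDER-strong-passphrase'       # placeholder; /keyfile:<path> is the alternative to an inline key
$Log        = $env:TEMP

# Custom rule: migrate a company-specified location outside the standard profile folders
@'
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/customdata">
  <component type="Documents" context="System">
    <displayName>Company project files</displayName>
    <role role="Data">
      <rules>
        <include>
          <objectSet>
            <pattern type="File">D:\Projects\* [*]</pattern>
          </objectSet>
        </include>
      </rules>
    </role>
  </component>
</migration>
'@ | Set-Content -Path $CustomXml -Encoding UTF8

function Invoke-ScanState {
    # Run on the source computer. /ue:*\* then /ui:ADATUM\* captures only Adatum domain
    # profiles; /o overwrites an earlier store; /c continues past non-fatal errors;
    # /encrypt protects the store at rest because it holds user files and application settings.
    & "$UsmtDir\ScanState.exe" $Store /o /c `
        /i:"$UsmtDir\MigApp.xml" /i:"$UsmtDir\MigDocs.xml" /i:$CustomXml `
        '/ue:*\*' '/ui:ADATUM\*' `
        /encrypt /key:$StoreKey `
        /v:13 /l:"$Log\scanstate.log" /progress:"$Log\scanstate_progress.log"
    if ($LASTEXITCODE -ne 0) { throw "ScanState failed with code $LASTEXITCODE; see $Log\scanstate.log" }
}

function Invoke-LoadState {
    # Run on the destination computer after Windows 10 and the applications are installed.
    # /decrypt with the same key unlocks the store; /lac and /lae create and enable local
    # accounts found in the store that do not yet exist on the destination.
    & "$UsmtDir\LoadState.exe" $Store /c `
        /i:"$UsmtDir\MigApp.xml" /i:"$UsmtDir\MigDocs.xml" /i:$CustomXml `
        /decrypt /key:$StoreKey /lac /lae `
        /v:13 /l:"$Log\loadstate.log" /progress:"$Log\loadstate_progress.log"
    if ($LASTEXITCODE -ne 0) { throw "LoadState failed with code $LASTEXITCODE; see $Log\loadstate.log" }
}
```

Call Invoke-ScanState on the source computer before the clean installation and Invoke-LoadState on the destination after the applications are back in place, which is the order the Back up and Restore steps prescribe; the same .xml files must be passed to both commands, as the text notes for MigApp.xml and MigDocs.xml, and the share that holds the store should be restricted to the migration account since it contains complete user profiles.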
Note: The course 20697-2A: Deploying and Managing Windows 10 Using Enterprise
Services includes more information about USMT and migrating user state.
Objectives
After completing this lab, you will have:
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL2, 20697-1B-LON-CL3
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 and 3 for 20697-1B-LON-CL2 and 20697-1B-LON-CL3.
2. Use System properties and Windows Explorer to check whether LON-CL3 matches the minimum
hardware requirements.
3. Write down the settings for:
o Processor: _____________________
Note: The setup program will now upgrade your Windows 7 installation to Windows 10.
This will take approximately 30 minutes.
8. Finish the setup program by selecting the default values, selecting the express settings, and clicking
the appropriate buttons.
9. On the Create an account for this PC page, provide the following, and then click Next:
o Username: LocalAdmin
o Password: Pa$$w0rd
10. After the setup finishes, you should be at the desktop of the new installation.
Results: After completing this exercise, you will have upgraded your Windows 7-based computer to
Windows 10.
2. Create a new text file named Demofile on the desktop and put some random text in it.
3. Mount \\LON-DC1\USMT as the F drive.
Results: After completing this exercise, you will have migrated your settings from your Windows 7-based
computer to a new Windows 10-based computer.
Question: You have a few computers running Windows Vista. What is a supported method
of upgrading the computers to Windows 10?
Tools
Tool Use to Where to find it
Module 3
Configuring Your Device
Contents:
Module Overview 3-1
Module Overview
After you install the Windows 10 operating system with its various apps and programs, you need to
configure the device for use. Windows 10 provides a number of tools that you can use to do this, some of
which are new and some that have been available in older Windows versions. Proper device configuration
is an important part of managing a Windows 10 system. In this module, you will learn about the tools that
you can use to configure Windows 10 devices. You also will learn about several common configuration
options, user accounts, and Microsoft OneDrive integration with Windows 10.
Objectives
After completing this module, you will be able to:
Describe the different tools that you can use to configure Windows 10.
Lesson 1
Overview of Tools You Can Use to Configure Windows 10
Windows 10 provides a variety of tools that you can use to configure a device. The new Settings app and
the Control Panel both provide you with extensive configurable settings that you can set. You often will
use the Control Panel, which has not changed significantly since Windows 8.1, in conjunction with the
Settings app. For example, many of the configurable items in the Settings app have direct links to specific
Control Panel items and functions. Additionally, Windows PowerShell is a powerful tool that you can use
to configure a Windows 10 device and create reusable scripts to make complex configuration changes
quickly. Finally, you can manage multiple devices centrally by using Active Directory Domain Services
(AD DS) Group Policy Objects (GPOs), and use GPOs to configure a wide range of settings.
Lesson Objectives
After completing this lesson, you will be able to:
Note: One of the key differences between Windows 8.1 and Windows 10 is that the latter
features the return of the Start menu. However, you can retain or reapply the Start screen
functionality if you want to.
Open the Action Center, and in the lower portion, click the All Settings tile.
Click the Start menu icon, and then click Settings on the menu.
Type Settings in the search box located on the taskbar, and then press the Enter key.
The Settings app page has nine separate icons that represent the main categories that you can configure.
When you click any of these icons, you will access a page with subcategories that appear in a console tree
on the left of the page. Depending on the subcategory that you select, more items and configurable
settings appear in the details pane.
Programs
User Accounts
Ease of Access
Note: The 32-bit version of Windows 10 does not contain the 64-bit version of Windows
PowerShell.
There is another Windows PowerShell app in the same app area called Windows PowerShell Integrated
Scripting Environment (ISE) that provides command-completion functionality, and enables you to see all
available commands and the parameters that you can use with those commands.
You also can use a scripting window within Windows PowerShell ISE to construct and save Windows
PowerShell scripts. The ability to view cmdlet parameters ensures that you are aware of the full
functionality of each cmdlet, and can create syntactically correct Windows PowerShell commands.
Windows PowerShell ISE provides color-coded cmdlets to assist with troubleshooting. Windows
PowerShell Integrated Scripting Environment also provides debugging tools that you can use to debug
simple and complex Windows PowerShell scripts. You can use the Windows PowerShell ISE to view
available cmdlets by module.
Cmdlets
Cmdlets use a naming convention of a verb or action, followed by a noun or a subject. For example, to
retrieve a list of services, you would use the Get-Service cmdlet. This standardization makes it easier to
learn how to accomplish administrative tasks.
Some common cmdlet verbs are:
The following example shows how to start the Application Identity service by using the Name parameter.
Note: The cmdlets that are available for use on a computer system vary depending on its
Windows PowerShell version and the snap-ins with cmdlets that are installed.
In some cases, commands or options for commands contain reserved words or characters for
Windows PowerShell. In such a case, you can enclose the command in single quotation marks to
prevent Windows PowerShell from evaluating the reserved word or combination of words. You also
can use the grave accent (`) character to prevent the evaluation of a single character.
In rare cases, an executable file does not run correctly at a Windows PowerShell command prompt. You
should test batch files to ensure that they work properly at a Windows PowerShell command prompt.
NAME
Set-Item
SYNOPSIS
Changes the value of an item to the value specified in the command.
SYNTAX
Set-Item [-Path] <String[]> [[-Value] <Object>] [-Credential <PSCredential>] [-Exclude <String[]>]
[-Filter <String>] [-Force] [-Include <String[]>] [-PassThru] [-Confirm] [-WhatIf]
[-UseTransaction [<SwitchParameter>]] [<CommonParameters>]

Set-Item [[-Value] <Object>] [-Credential <PSCredential>] [-Exclude <String[]>] [-Filter <String>] [-Force]
[-Include <String[]>] [-PassThru] -LiteralPath <String[]> [-Confirm] [-WhatIf]
[-UseTransaction [<SwitchParameter>]] [<CommonParameters>]
DESCRIPTION
The Set-Item cmdlet changes the value of an item, such as a variable or registry key, to the value specified in the
command.
RELATED LINKS
Online Version: http://go.microsoft.com/fwlink/p/?linkid=293910
Clear-Item
Copy-Item
Get-Item
Invoke-Item
Move-Item
New-Item
Remove-Item
Rename-Item
about_Providers
REMARKS
To see the examples, type: "get-help Set-Item -examples".
For more information, type: "get-help Set-Item -detailed".
For technical information, type: "get-help Set-Item -full".
For online help, type: "get-help Set-Item -online"
Another useful cmdlet is Get-Command. This cmdlet shows a list of all cmdlets, aliases, functions,
workflows, filters, scripts, and applications installed on your version of Windows PowerShell.
There are numerous websites that can help you learn Windows PowerShell. Microsoft TechNet has the
Microsoft Script Center, where you can search for Windows PowerShell scripts based on what you want
the script to do. Examples include deleting files older than X number of days, controlling Windows Update
on your computer, and a wide variety of other functions.
Demonstration Steps
Explore and use the Settings app
1. On LON-CL1, open Settings, and go to System.
2. In the Display item, go to Advanced Display Settings, and then set the Resolution to 1280 X 800.
6. Scroll down, and then select the Devices and printers hyperlink.
7. Note that the Control Panel, Devices and Printer item appears. Click the Add a printer hyperlink.
Note: To make some configurations at the Settings level, you will need to use the Control
Panel.
8. In the Choose a device or printer to add to this PC window, select The printer that I want isn't
listed hyperlink.
9. Select Add a local printer or network printer with manual settings, and then accept the default
port. Click Next.
10. For the print driver, select HP and HP Photosmart 7520 series Class Driver, and then name the
printer HP Photosmart 7520.
11. On the Printers & Scanners page, in Settings, click the HP Photosmart 7520 icon. Notice that the
Remove device option appears.
12. Spend some time going through other Settings items. When finished, close the Settings app.
Note: Spend a few moments reviewing items in Control Panel. However, please note that
most of it has not changed.
2. Run the Get-Command cmdlet. Examine the results that Windows PowerShell returns.
3. Add the parameter ListImported to Get-Command. Review the results that Windows PowerShell
returns.
4. Review the cmdlet Get-Help New-Item. Note the Remarks section of the reply, and how you would
want to use the Online parameter to get the additional content.
2. Use the cmdlet Get-ExecutionPolicy to confirm that the current execution policy is Unrestricted.
3. If it is Restricted, use the cmdlet Set-ExecutionPolicy Unrestricted to ensure that the execution
policy is now at Unrestricted.
3. Run the script, and then read the output. Notice that it does not have multiple colors.
5. Run the script, and then read the output. Notice that running services are green and services that are
not running are red.
o BackgroundColor: Gray
o ForegroundColor: Black
o Object: Script execution is complete
2. At the command prompt, type Set-Location E:\Labfiles\Mod03, and then press Enter.
3. Type .\Services.ps1, and then press Enter.
Using GPOs
Group Policy is a system that you can use to apply
configuration settings to Windows clients and
servers. You create GPOs that contain Group
Policy settings, and domain-joined Windows 10
based computers download and apply the settings
in GPOs.
GPOs
A GPO is an object that contains one or more
policy settings that apply configuration settings
for users, computers, or both. GPOs in AD DS are
stored in the SYSVOL share on domain controllers,
and you can manage them by using the Group
Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group
Policy Management Editor window. GPOs logically link to AD DS containers to apply settings to the
objects in those containers.
Note: GPOs can link to AD DS sites, domains, and organizational units (OUs). GPOs cannot
link to the default Computers or Users containers in AD DS.
Not Configured. The GPO will not modify the existing configuration of the particular setting for the
user or computer.
Note: By default, most Group Policy settings are set to Not Configured.
Note: Some settings are multivalued or have text string values. These typically provide
specific configuration details to applications or operating system components. For example, a
setting might provide the URL of the home page for Internet Explorer or for blocked applications.
The effect of the configuration change depends on the Group Policy setting. For example, if you enable
the Prohibit Access to Control Panel Group Policy setting, users will be unable to open Control Panel. If
you disable the Group Policy setting, you ensure that users can open Control Panel. Notice the double
negative in this Group Policy setting: you disable a policy setting that prevents an action, thereby allowing
the action.
User settings. These settings modify the HKEY_CURRENT_USER hive of the registry.
Computer settings. These settings modify the HKEY_LOCAL_MACHINE hive of the registry.
User settings and computer settings each have three areas of configuration, as described in the following
table.
Section Description
Software settings Contains software settings that can deploy to either the user
or the computer. Software that deploys or publishes to a
user is specific to that user. Software that deploys to a
computer is available to all users of that computer.
Windows operating system settings Contains script settings and security settings for both user
and computer, and Internet Explorer maintenance for the
user configuration.
3. Domain GPOs. Policies that link to the domain process next. There often are multiple policies at the
domain level. These policies process in order of preference.
4. OU GPOs. Policies linked to OUs process next. These policies contain settings that are unique to the
objects in that OU. For example, Sales users might have special required settings. You can link a policy
to the Sales OU to deliver those settings.
5. Child OU policies. Any policies that link to child OUs process last.
AD DS objects in the containers receive the cumulative effect of all policies in their processing order. In
the case of a conflict between settings, the last policy applied takes effect. For example, a domain-level
policy might restrict access to registry editing tools, but you could configure an OU-level policy and link it
to the Information Technology (IT) OU to reverse that policy. Because the OU-level policy applies later in
the process, access to registry tools would be available to users in the IT OU.
If multiple policies apply at the same level, an administrator can assign a preference value to control the
order of processing. The default preference order is the order in which the policies were linked. You also
can disable the user or computer configuration of a particular GPO.
Local GPOs
A local GPO is the least influential object in an AD DS environment because its settings can be overwritten
by GPOs that are associated with sites, domains, and OUs. In a non-networked environment, or in a
networked environment that does not have a domain controller, local GPO settings are important because
other GPOs do not overwrite them. Stand-alone computers only use local GPOs to control the
environment.
Each Windows 10-based computer has one local GPO that contains default computer and user settings,
regardless of whether the computer is part of an AD DS environment. In addition to this default local
GPO, you can create custom local user GPOs.
Windows Vista and newer Windows client operating systems, and Windows Server 2008 and newer
Windows Server operating systems, have an added feature: multiple local GPOs. Since Windows 8 and
Windows Server 2012, you also can have different user settings for different local users, but this is only
available for the user configuration in Group Policy. There is only one set of computer
configuration settings, and it affects all users of the computer.
Computers that run Windows 7 and newer versions provide this ability with the following three layers of
local GPOs:
Domain GPOs
You can use Group Policy in an AD DS environment to provide centralized configuration management.
Domain GPOs are created and linked to objects within an AD DS infrastructure. The settings in the GPO
then affect the computers and users that are within those objects, depending on how you configure the
application of the GPO.
Enforcement. You can use enforcement to ensure that settings in a specific GPO apply regardless of
any lower-level GPOs that would normally override this GPO. For example, you could specify
standardized security settings at the domain level.
Block inheritance. You can use block inheritance to prevent a lower-level OU from inheriting settings
from a higher-level OU. For example, you could block settings applied at the domain level from
affecting users in the IT OU.
Note: When a link is enforced and a lower-level OU blocks inheritance, the settings in the
enforced GPO apply.
Explore the Group Policy Editor on the local Windows 10-based computer.
Configure and test a domain GPO that alters Windows 10 display settings.
Demonstration Steps
Explore the Group Policy Editor on the local Windows 10-based computer
1. On LON-CL1, open the Local Group Policy Editor (gpedit.msc).
2. Spend a few moments exploring the various console tree items and what appears in the details pane.
Configure and test a domain GPO that alters Windows 10 display settings
1. On LON-DC1, in Group Policy Management, create a new GPO named Win10 Display.
3. In the Group Policy Management Editor, in the console tree under Computer Configuration, expand
Policies, expand Windows Settings, expand Security Settings, expand Local Policies, and then
select Security Options.
4. In the Interactive Logon: Message title for users attempting to log on text box, type Attention!
5. In the Interactive Logon: Message text for users attempting to log on text box, type This
computer belongs to the A. Datum Corporation.
6. Close the Group Policy Object Management Editor, and then link the Win10 Display GPO to
Adatum.com.
7. Close the Group Policy Management Console, and then return to LON-CL1.
Categorize Activity
Categorize each item below.
Items
4 Find out all the cmdlets you can use with the Get verb.
Categorize Activity
Categorize each item below.
Items
2 Query IP address
Objectives
After completing this lab, you will have configured a Windows 10 device with the Settings app, Control
Panel, Windows PowerShell, and GPOs.
Lab Setup
Estimated Time: 45 minutes
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o Domain: Adatum
2. Go to Windows Defender, and then add the E:\Labfiles folder to the Folder Exclusion list.
5. Click Add a printer or scanner. Notice that the printer is not found.
6. Scroll down, and then select the Devices & printers hyperlink.
7. Note that the Control Panel, Devices and Printer item appears. Some Settings-level configurations
still use the Control Panel.
8. Click Add a printer, and then click the The printer that I want isn't listed hyperlink.
9. Click the Add a local printer or network printer with manual settings, and then accept the
default port.
10. For the print driver, select HP and HP Photosmart 7520 series Class Driver, and then name the
printer HP Photosmart 7520.
11. Return to Settings, and on the Printers & scanners page, click the HP Photosmart 7520 icon. Note
that the Remove device option appears. Close the Settings app.
Results: After completing this exercise, you will have successfully used the Settings app to configure a
device.
3. Check the printing preferences to see if you can turn on the duplex printing. Note that Print on both
sides is not an option.
4. Open the HP Photosmart 7520 Properties, and then under the Device settings tab, install the
Automatic Duplexing Unit.
5. Check the printing preferences to see if you can now enable the duplex printing. Set the Print on
both sides preference to Flip on Long Edge. Close all open windows.
Results: After completing this exercise, you will have successfully used the Control Panel to configure a
device.
2. Check the Execution Policy. If set to Restricted, change to Unrestricted with the following cmdlet:
Set-ExecutionPolicy Unrestricted
5. Use a Windows PowerShell cmdlet to query the printer preferences, and then change the DuplexUnit
value to FALSE with the following syntax:
Note: In Windows PowerShell, a dash symbol precedes each cmdlet's parameter name,
such as the Value parameter above. Please note, when you copy and paste text from a file, word
wrap may separate the dash from the parameter. Therefore, you should inspect all pasted
cmdlets and parameters to ensure they follow Windows PowerShell syntax requirements.
9. Read the script, and then note what the script is doing, according to the legend below.
10. Select line 3 in the script, and then run the selection.
11. In the console pane, view the contents of the $services variable.
12. Run the script, and then read the output. Notice that it does not have multiple colors.
14. Run the script, and then read the output. Notice that running services are green and services that are
not running are red.
15. On line 16, type Write-Host A total of $services.count services were evaluated.
17. In the Commands pane, build a Write-Host cmdlet with the following options:
o BackgroundColor: Gray
o ForegroundColor: Black
18. Copy the command, and then paste it on line 17 of the script.
23. Type .\Services.ps1, and then press Enter. Close all open windows.
Results: After completing this exercise, you will have successfully configured the device with Windows
PowerShell.
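The following script is an added example, not the course's Services.ps1 file, and it illustrates both the verb-noun cmdlet convention from Lesson 1 (including starting a service by name) and the colored service report built in the exercise above. The service name AppIDSvc for Application Identity is an assumption; the lab's line numbers refer to the course file, not to this script.

```powershell
# Added example: list services, color the output by state, and summarize.
# Collect every service object once; $services is the variable name the lab uses.
$services = Get-Service

foreach ($service in $services) {
    # Status is a ServiceControllerStatus value; compare it against 'Running'.
    $line = "{0,-45} {1}" -f $service.DisplayName, $service.Status
    if ($service.Status -eq 'Running') {
        Write-Host $line -ForegroundColor Green
    }
    else {
        Write-Host $line -ForegroundColor Red
    }
}

# Inside a double-quoted string, "$services.count" expands only $services;
# wrap the property access in $( ) so the count, not the whole array, is printed.
Write-Host "A total of $($services.Count) services were evaluated."

# Services configured to start automatically but not running are worth a second
# look when you review a device's configuration (StartType needs PowerShell 5.0+).
$stoppedAuto = $services |
    Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' }
$stoppedAuto | Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

# Start a service by name, as in the Application Identity example in Lesson 1.
# AppIDSvc is the assumed service name; starting it requires an elevated prompt,
# so preview the action first with -WhatIf and then run it without that switch.
Start-Service -Name AppIDSvc -WhatIf

# The closing message built from the Commands pane in the lab.
Write-Host -BackgroundColor Gray -ForegroundColor Black -Object 'Script execution is complete'
```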
2. Edit Win10 Display, and in the Group Policy Management Editor, click Computer Configuration,
click Policies, click Windows Settings, click Security Settings, click Local Policies, and then click
Security Options.
3. In the Interactive Logon: Message title for users attempting to log on text box, type Attention!
4. In the Interactive Logon: Message text for users attempting to log on text box, type This
computer is used for A. Datum Corp Development and Testing Only! Do not use on production
network!
5. In Control Panel Settings, in Services, create a Computer Configuration Preference with the following
parameters:
o Startup: Disabled
o Item-level Targeting on
6. Close the Group Policy Object Management Editor, and then link the Win10 Display GPO to
Adatum.com.
7. Close the Group Policy Management Console and all open windows, and then sign out.
8. Return to LON-CL1, run gpupdate /force at a command prompt, and then when it completes
successfully, run Shutdown /r /t 0.
9. After LON-CL1 restarts, press Ctrl+Alt+Delete in the Virtual Machine Connection window. You should
see the message Attention! This computer is used for A. Datum Corp Development and Testing
Only! Do not use on production network!
10. Click OK, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
11. Open the Services Control Panel item, and then confirm that Encrypting File System (EFS) service is
now disabled.
12. Close all open windows, and then sign out.
Results: After completing this exercise, you will have successfully used GPOs to configure devices.
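As an added example (not the lab's own steps), the following script does with the GroupPolicy module what the exercise above does in the GPMC, and also shows the GPO inheritance, enforcement and block-inheritance behavior described earlier in this lesson. It writes the two logon-message values as registry policy rather than through the Security Options editor; the registry values it sets are the ones those security options control. The IT OU distinguished name is an assumption, and the script is meant to run on LON-DC1 or on a computer with RSAT installed.

```powershell
# Added example: create and link the Win10 Display GPO with the GroupPolicy module.
Import-Module GroupPolicy

$gpoName  = 'Win10 Display'
$domainDn = 'DC=Adatum,DC=com'
$itOuDn   = 'OU=IT,DC=Adatum,DC=com'   # assumed OU; adjust to your directory

# Create the GPO only if it does not already exist, so the script can be re-run.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Logon banner for A. Datum devices'
}

# Computer Configuration settings land under HKEY_LOCAL_MACHINE. The two
# "Interactive logon: Message ..." security options control these two values.
$systemKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $systemKey -ValueName 'legalnoticecaption' `
    -Type String -Value 'Attention!' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $systemKey -ValueName 'legalnoticetext' `
    -Type String -Value ('This computer is used for A. Datum Corp Development and ' +
                         'Testing Only! Do not use on production network!') | Out-Null

# A User Configuration setting, by contrast, lands under HKEY_CURRENT_USER.
# "Prohibit access to Control Panel and PC settings" is the NoControlPanel value.
$explorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
Set-GPRegistryValue -Name $gpoName -Key $explorerKey -ValueName 'NoControlPanel' `
    -Type DWord -Value 1 | Out-Null

# Link the GPO at the domain level (step 6 of the lab), skipping if already linked.
$domainLinks = (Get-GPInheritance -Target $domainDn).GpoLinks
if (-not ($domainLinks | Where-Object DisplayName -eq $gpoName)) {
    New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# Enforce the link: an OU that blocks inheritance still receives the banner.
Set-GPLink -Name $gpoName -Target $domainDn -Enforced Yes | Out-Null

# Block inheritance on the IT OU. Domain GPOs no longer flow down to it,
# except the enforced one, which is the precedence rule the lesson describes.
Set-GPInheritance -Target $itOuDn -IsBlocked Yes | Out-Null

# Review the effective links on the OU: name, whether enforced, and processing order.
(Get-GPInheritance -Target $itOuDn).InheritedGpoLinks |
    Select-Object DisplayName, Enforced, Order | Format-Table -AutoSize

# Trigger the client refresh remotely instead of running gpupdate /force on LON-CL1.
Invoke-GPUpdate -Computer 'LON-CL1' -Force -RandomDelayInMinutes 0
```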
2. In Hyper-V Manager, click MSL-TMG1, and then in the Actions pane, click Start.
Lesson 2
Common Configuration Options
Setting a device's display capabilities and screen effects is an important part of getting the most from
your computing environment. Many users find it important to have a crisp, sharp display that is capable of
vibrant colors and fast movement. However, such displays often result in high power consumption, which
is a disadvantage, especially for those using mobile devices on battery power. As a result, it is equally
important to be able to configure the power consumption options.
Lesson Objectives
After completing this lesson, you will be able to:
Display Options
Most of the display settings in Windows 10 are
new, but some of the settings still use the same
configuration options available in older Windows
versions. For many people, changing the display
options starts with right-clicking the desktop, and
then clicking the Display settings menu item.
This procedure remains the same in Windows 10.
However, by doing so, you open the new Display
item in the System category of the Settings app.
Here, you can configure a wide variety of settings.
The Display item contains the following
configurable items:
Large Display icon. A large rectangle or multiple large rectangles at the top of the Display area
represent your displays. When you have more than one display, you can change the placement of
these display rectangles. For example, you can move one rectangle to the left and the other to the
right. However, if you extend these displays, the mouse cursor will not necessarily move from left to
right across the gap between displays as expected. To fix this issue, you can switch the two display
rectangles--or more if you have them--so that the mouse's cursor moves between them.
Identify. If you have more than one display, each display rectangle will have a number on it, starting
with the number 1. Even if you only have one display, you will see the rectangle with the number 1 on
it. If you click the Identify hyperlink under the rectangle, a large number will appear in a pop-up
window on your screen, corresponding to the displays you have. Therefore, if you have one display,
you will see a pop-up window with a large number 1 on your only display. If you have two displays,
one display will have a large number 1 in a pop-up window, while the other display will have a large
number 2 in a pop-up window.
Detect. When you click this hyperlink, it detects other displays that are connected, but which have
not come up in the Display settings. However, any connected displays should show automatically.
Change the size of text, apps, and other items. You can use this slider bar to edit the size from 100
percent, on the far left, to 125 percent on the far right.
Orientation. Not all Windows 10 devices will have this drop-down option. Virtual machines and
desktops normally do not, because this is primarily a mobility function. Tablets and certain laptops
will change automatically from landscape to portrait view based on how users hold them, due to a
gyroscopic sensor in the device. Not every device has such sensors, and the Display settings provide
the orientation drop-down to manage this manually.
Brightness level. You can move the toggle on this slider bar from left to right to set the brightness
level from 0 to 100 percent. A corresponding number appears right above the slider toggle as you
move it, to show the brightness percentage.
Multiple displays. This drop-down list box is unavailable if you only have one display. The choices
you can make include Duplicate these displays, Extend these displays, Show only on 1, Show only
on 2, and more if you have more than two connected displays.
Make this my main display. This check box is only available when you have two or more displays.
You must select one of the large rectangular Display icons to make the change. Otherwise, the main
display will be the monitor you are on, and because that is already the main display, it will be grayed
out. The display that you select will be the display on which you sign in and get the first items on the
desktop.
Apply. Some of the changes will not take place until you click Apply. When you do so, the changed
display appears with an overlay screen with a Keep these display settings? Reverting to previous
display in x seconds message. The overlay screen also includes two options: Keep changes and
Revert. If you click Keep changes, you will return to the Display Settings page with the new settings
applied. If you click Revert, or wait for the seconds to elapse, the display reverts to the way it
was before you clicked Apply. The Display Settings page appears again.
Cancel. Removes any changes you may have made previously.
Advanced Display Settings. This hyperlink takes you to another page that is virtually identical to the
Display page but with the Resolution check box described below. The page also has an Apply
option and a Cancel option at the bottom.
Resolution. This drop-down box contains all the resolution sizes that are available to the graphics
device and monitor that make up your display(s). Sizes will vary, but the drop-down box normally has
several choices, including the recommended choice for a particular display and that setting, such as
1366X768 (Recommended).
The Personalization category of the Settings app contains several configurable items that affect the
display, such as background, colors, and other functions such as Themes, Lock screen, and Start menu.
Demonstration Steps
1. On LON-CL1, open Settings, and then go to System.
2. In the Display item, in Change the size of text, apps, and other items, slide the slider toggle all the
way to the right, so that it zooms to 125%. Apply this, sign out, and then sign back in as
Adatum\Administrator.
Note: If a window opens that says "Attention! This computer belongs to the A. Datum
Corporation", click OK.
3. Return to the Display Settings page, go to Advanced Display Settings, and then set the
Resolution to 1366 X 768.
4. Return to the main Settings page.
5. Open the Personalization category, and then navigate through all of the various settings.
Tablets
Windows 10 Mobile phone devices
You can access and configure mobile computer settings by using the various Settings app category pages
of configuration settings. You can access various settings such as System, including Display, which the
previous topic detailed, and Power, which the next topic covers. The System setting also includes the
tablet mode settings, which allow you to use tablet devices with full touch capabilities and revert the
Start menu to a Start screen similar to that in Windows 8.
The Action Center can help you manage many of the mobile-device settings with simple tiles referred
to as Quick Actions. To open the Action Center, click the Notifications balloon icon in the taskbar's
notification area. You can click the Quick Actions tiles, or touch them on a touch-capable device. The
Quick Actions tiles let you edit different settings quickly. These tiles are:
Tablet mode. Enables you to go into tablet mode with one click, and back to normal mode by clicking
or touching it again. When tablet mode is in effect, this tile is live.
Connect. Searches for wireless display and audio devices by using Bluetooth, wireless,
Miracast, or WiGig-capable components. In the computing industry, WiGig refers to the Wireless
Gigabit Alliance, Institute of Electrical and Electronics Engineers (IEEE) standard 802.11ah.
Quiet hours. Turns off all Windows notifications during the time that you configure. This means that
a new email or a friend's Skype status will not trigger an audio alarm and a pop-up notification. The
benefit of this Quick Action is that you do not have to turn off all notifications manually, and when
you disable Quiet hours, you then see all your notifications.
Location. Turn on or off the location-based settings that many apps use.
Battery saver. Switches the Battery saver mode on and off, which lowers the screen brightness,
limits background tasks, and adjusts other settings to reduce your device's power consumption.
Airplane mode. Turns airplane mode on or off. Airplane mode turns off wireless, cellular, and
Bluetooth transmissions while keeping the device running for local tasks.
WiFi. Turns your wireless adapter on or off.
Note: Not all Quick Actions tiles will be available on your device. Some of these tiles
require that your device has specific hardware or software installed.
Power Plans
Computing devices need electrical power,
regardless of whether they are stationary or
mobile. One of the main concerns with mobile
devices that use stored electrical power is that the
power in the battery is limited and depletes over
time. Another issue for many organizations is the
power consumption by all of the different devices
that they may own. Conserving power helps to
reduce business expenses and benefits the
environment.
Power Plans
You can create power plans in Windows 10 that govern power consumption and operations. By default,
there are three preconfigured power plans: Balanced, Power saver, and High performance. You can
adjust and save any of these power plans, or create your own power plan. The following table provides
details about each plan.
High performance (Highest). Sets the screen at its highest brightness, and keeps the system's disk drive,
memory, and processor continuously supplied with power.
If the computer is a portable device, such as a tablet or laptop, you can use separate settings within each
plan for when the device is on battery or plugged in. Because you can adjust and save each plan, there is
also an option in the plan to restore default settings. You can use this option to return the plan to where
you started.
You can access the power plans by performing the following procedure:
1. Open the Settings app, click System Category, and then click Power & Sleep.
2. Click the Additional power settings hyperlink, or alternatively, type Power Plans in the Search the
web and Windows text box in the taskbar. This will open up the Control Panel Power Options page.
Note: By default, you will see only the Balanced and Power saver plans in the Preferred
plans section. If you click the down arrow by the Show additional plans section, the High
performance plan appears. The three plans are the Windows 10 default plans. However, any new
plans that you create will appear on this page as well.
Configuration options
There are different options available in the Settings app's System category, on the Power & Sleep
page. The options that are available on your device depend on its hardware configuration. For example,
on a laptop or other mobile device, you will have the following configurable options, each with a
drop-down list box that offers various minute and hour values, or Never:
Screen
o On battery power, turn off after
Sleep
o On battery power, PC goes to sleep after
The Additional power settings hyperlink appears below the settings discussed above, and you can click
it to access the Power Options configuration page in the Hardware and Sound section of the Control
Panel. The Power Options configuration page includes many options.
Note: Not all devices will have all of the settings that the following section lists. Several of
these settings apply to particular hardware that may not be present on all devices.
Require a password on wakeup. Use this setting to access the Define power buttons and turn on
password protection page. On this page, there is a Password protection on wakeup section that
allows you to ensure that when a computer resumes from a hibernated state, the screen is locked
until the user presents credentials. This setting is turned on, by default.
Choose what the power buttons do. Use this setting to access the Define power buttons and turn
on password protection page. Most devices have a power button, and additionally, many have a
sleep button. For mobile devices with both power and sleep buttons, both buttons include the On
battery and Plugged in columns with four choices: Do nothing, Hibernate, Sleep, and Shut down.
Some devices do not have a Sleep or Hibernate option. Certain devices also have a Shutdown
settings section on the Define Power buttons and turn on password protection page, which
includes check boxes for:
o Turn on fast startup. Allows the Windows operating system to save system information into a
file that it uses to start up when you reapply power.
o Sleep. Suspends power to the hard drive and display, but continues supplying power to the
processor and memory.
o Hibernate. Writes all activity in memory to a file and shuts down all power, but allows the file to
reanimate memory with the same values once you supply power.
o Lock. Locks the screen, and requires the user to reenter credentials before resuming operations.
Choose what closing the lid does. Use this setting to access the Define power buttons and turn
on password protection page, and drop-down list boxes for On Battery and Plugged in. You also
can select an option for Choose what closing the lid does, including Do nothing, Sleep,
Hibernate, and Shut down.
Create a power plan. When you click this setting, the Create a Power Plan Wizard appears, in which
you can select one of the three default power-plan options: Turn off the display, Put the computer
to sleep, and Adjust plan brightness. You can save one of these options under a custom name, and
then change the default plan settings on the wizard's Edit Plan Settings page. You select the Turn
off the display and Put the computer to sleep values from a drop-down menu that has options
from 1 minute to five hours, or never. You also can configure the Adjust plan brightness setting
from fully dim to the highest brightness setting by using its slider bar.
Choose when to turn off the display. Use this setting to access the Edit Plan Settings page, which
is identical to the one in the Create a Power Plan Wizard.
Change when the computer sleeps. This setting is identical to the Choose when to turn off the
display setting.
The Power Options screen also lists the default and custom power plans. When you click the Change plan
settings setting and access a particular power plan, the Change advanced power settings setting becomes
available. This setting opens the Power Options window, with a list of options that you can expand and
individually select. These options include settings for the battery, hard disk, graphics settings, multimedia
settings, and USB, which refers to universal serial bus.
Demonstration Steps
1. On LON-CL4, go to the Control Panel Power Options page.
2. Review all of the different plans and hyperlinks. Click the Show additional plans down arrow.
3. Create a new plan based on the High performance plan, and then name it Demo Plan. Adjust the
Turn off the display setting to Never, or if it is set to Never, set it to 5 hours.
4. Set the Turn off the Display setting to 4 hours. In the Change advanced power settings, Advanced
settings window, set the Wireless Adapter Settings to Medium power saving, and then save the
changes.
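The demonstration above can also be performed from an elevated Windows PowerShell prompt with powercfg.exe. The following is an added example and not part of the course: it duplicates the High performance plan (powercfg alias SCHEME_MIN), names it Demo Plan, sets the display timeout to 4 hours, and, because a custom plan should still lock the console on resume, keeps Require a password on wakeup (alias CONSOLELOCK) enabled for both plugged-in and battery use. The wireless adapter setting has no powercfg alias and is left to the GUI.

```powershell
# Added example: create and harden a custom power plan with powercfg.exe.
# Run from an elevated Windows PowerShell prompt on Windows 10.
# Aliases used: SCHEME_MIN = High performance, SUB_NONE = top-level settings,
# CONSOLELOCK = "Require a password on wakeup". List them with: powercfg /aliases
#Requires -RunAsAdministrator

$planName = 'Demo Plan'   # name used in the demonstration steps

# 1. Duplicate the High performance plan. powercfg prints a line such as
#    "Power Scheme GUID: <guid>  (High performance)"; extract the GUID from it.
$output = (powercfg /duplicatescheme SCHEME_MIN) -join ' '
if ($output -notmatch '([0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12})') {
    throw "Could not parse the new scheme GUID from: $output"
}
$guid = $Matches[1]

# 2. Give the copy its name and make it the active plan.
powercfg /changename $guid "$planName"
powercfg /setactive $guid

# 3. Turn off the display after 4 hours (240 minutes) when plugged in.
#    /change applies to the currently active plan, which is now Demo Plan.
powercfg /change monitor-timeout-ac 240

# 4. Security check: keep "Require a password on wakeup" enabled on the new
#    plan for both AC (plugged in) and DC (on battery). Index 1 = Yes, 0 = No.
powercfg /setacvalueindex $guid SUB_NONE CONSOLELOCK 1
powercfg /setdcvalueindex $guid SUB_NONE CONSOLELOCK 1

# 5. Verify: the active plan is marked with an asterisk, and the query shows the
#    current AC and DC setting index for CONSOLELOCK in hexadecimal.
powercfg /list
powercfg /query $guid SUB_NONE CONSOLELOCK
```

To remove the plan again after the demonstration, switch back to another plan with powercfg /setactive and then run powercfg /delete with the GUID stored in $guid.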
Which default power plan offers the greatest savings of electrical power?
High Performance
Balanced
Power Saver
Economy
Lightning Speed
GPO
Settings app
Control Panel
Windows PowerShell
Preference
Lesson 3
Managing User Accounts
A user account is far more than just properties that relate to a user's security identity. It is the cornerstone
of identity and access in Windows.
In this lesson, you will learn about managing user accounts, which involves much more than just creating
and deleting them. User accounts have many attributes that you can use for a variety of purposes, such as
storing additional user contact information or application-specific information for Active Directory-aware
applications. Additionally, you can use a Microsoft account, which allows access to the Microsoft Store and
allows personal devices to share data and settings. You also will learn about Azure Active Directory (Azure
AD) accounts, and learn how to use an Azure AD account to authenticate on a Windows 10 device, even if you do
not add the device to Azure AD. Finally, you will learn when to use each type of user account.
Lesson Objectives
After completing this lesson, students will be able to:
Describe user accounts.
Grant users access to processes and services for a specific security context.
Manage users' access to resources such as AD DS objects and their properties, shared folders, files,
directories, and printer queues.
To maximize security, you should avoid having multiple users share one account. Instead, each user who signs in
to the network needs to have a unique user account and password.
When you create a user account, you must provide a user name. The preferred method to sign in to a
Windows 10-based computer that belongs to a business or organization is to use a domain account. For
a personally owned device, sign-in usually uses a Microsoft account, which the next topic covers. You can
still create a local user account, but the process is different in Windows 10. The following section details
those changes.
1. Open the Settings app, and then click the Accounts category.
2. In the Accounts category, in the console tree, click the Family & other users node. If you are on an
AD DS joined Windows 10 computer, then the Family & other users node is named Other users instead.
Note: There are two main categories here: Your family or Other users. If you wish to
add a family member, click the Sign in with a Microsoft account hyperlink under the Family
category for that option. In the dialog box that appears, add their email address to create an
account, or create an email address in the Outlook.com domain by clicking The person I want
to add doesn't have an email address.
3. If you click The person I want to add doesn't have an email address, the Let's create an
account page opens, in which you can create an email account in Microsoft Outlook.
Note: If you are adding a child and creating an email address, you will be prompted to
enter the child's birthday. If you are using a Microsoft account while making the child's account,
and want to allow the child to go online to use Microsoft services, you will be charged .50 cents
(in U.S. dollars), as US law requires this for validation of creating a child account. The process of
creating an account for an adult family member is similar, but you do not have to pay for it.
Note: You cannot create an account on an AD DS joined computer if you are signed in
as the AD DS domain administrator. To accomplish the steps below on an AD DS joined
Windows 10 computer, you must sign out and then sign in by using credentials for an
account with local administrator permissions.
You can create a local user account on an AD DS joined or standalone Windows 10 computer without a
Microsoft account by performing the following procedure:
1. Open the Settings app, and then click the Accounts category.
2. In the Accounts category, in the console tree, click the Family and other users node, if standalone
or workgroup, or, if AD DS joined, Other users.
3. Scroll down, and under Other users, click the plus sign for Add someone else to this PC. Another
window appears, asking for that person's email address or telephone number.
4. Enter the required information, or click the The person I want to add doesn't have an email
address hyperlink at the bottom of the window.
5. If you click the The person I want to add doesn't have an email address hyperlink, you have the
option to create an email account or to continue without an account. To create an email account, on the
Let's create your account page, you can create an email address for the person in Outlook.com.
6. If you do not wish to create an email address, click the Add a user without a Microsoft account
hyperlink at the bottom of the page.
7. On the Create an account for this PC page, type the name, type the new password twice, and then
click Next to create the local account.
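The same local account can be created from Windows PowerShell with the LocalAccounts cmdlets (Windows 10 version 1607 and later). The following is an added example, not code from the course: it reads the password as a SecureString so that it never sits in the script or the command history, adds the account to the standard Users group rather than to Administrators, and then lists the local accounts so that shared or stale accounts are easy to spot. The user name and full name are placeholders.

```powershell
# Added example: create a local (non-Microsoft) account with least privilege,
# then report on all local accounts. Requires an elevated prompt and the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 1607 and later).
#Requires -RunAsAdministrator

function New-StandardLocalUser {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [string] $FullName = $Name
    )
    # One account per person: refuse to reuse an existing name.
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        throw "Local account '$Name' already exists; create a separate account instead of sharing it."
    }
    # Prompt for the password instead of embedding it in the script.
    $password = Read-Host -Prompt "Password for $Name" -AsSecureString

    $user = New-LocalUser -Name $Name -FullName $FullName -Password $password
    # Standard user only; adding to Administrators must be a separate, explicit decision.
    Add-LocalGroupMember -Group 'Users' -Member $user
    return $user
}

function Get-LocalAccountReport {
    # One row per local account: enabled state, last logon and password age
    # are the fields to review for shared, stale or unexpectedly enabled accounts.
    Get-LocalUser |
        Select-Object Name, Enabled, LastLogon, PasswordLastSet, PasswordRequired |
        Sort-Object LastLogon -Descending
}

New-StandardLocalUser -Name 'labuser01' -FullName 'Lab User 01'   # placeholder names
Get-LocalAccountReport | Format-Table -AutoSize
```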
Note: All Microsoft account credentials pass back to the Microsoft authentication server
through a Secure Sockets Layer (SSL) connection by using the HTTPS protocol.
Windows 10 is highly integrated with Microsoft account functionality. You can sign in to Windows 10
as a local or domain user, and you can sign in by using a Microsoft account if your computer has Internet
connectivity and the account is associated with a local or domain account. When you use a Microsoft
account, you can synchronize some Windows 10 settings between devices. You can control these settings
in the Accounts category in the Settings app. To access this category, click the Start icon, click Settings,
and then click the Accounts category icon. In Accounts, you can set your account picture and desktop
background, among other settings. If you do not have a Microsoft account, you can create one and an
Outlook.com email address at the same time. After you configure your Windows account the first time,
your settings will synchronize between every computer to which you sign in by using your Microsoft
account.
When you connect a Microsoft account with your local or domain account, you can access Microsoft
cloud services such as OneDrive, Mail, Calendar, People, and other personal apps. You can browse the
Windows Store even if you do not have a Microsoft account. However, if you want to download and
install an app from the Windows Store, you first must sign up for a Microsoft account.
To connect your Microsoft account with your domain account, go to the Settings app. On the Settings
page, click the Accounts category. In the console tree, click Your account. At the bottom of the details
pane, click the Add a work or school account hyperlink. A pop-up window appears with the message
Let's get you signed in, with text boxes for your work or school email address and password. Type your
email address and password, and then click Sign in.
Small and medium-sized environments typically use a Microsoft account to provide users access to, and
integration with, public cloud services such as OneDrive. Enterprise environments typically implement
strict control and allow access only to company-owned resources. Typically, these environments use
integration with a Microsoft account less often.
Note: Your domain account or Group Policy settings might not allow you to connect a
Microsoft account or synchronize some settings.
You can disconnect your Microsoft account from your domain account at any time by going to the
Settings app, clicking Accounts, and then clicking Disconnect your Microsoft account.
1. Go to https://signup.live.com.
2. To use your own email address for your Microsoft account, enter it. If your email provider supports
Post Office Protocol version 3 (POP3), you can even manage your existing email account in Hotmail
or Outlook.com.
3. If you want to create a Hotmail or Outlook account, click the Get a new email address hyperlink,
and then fill out the new email name line for your Microsoft account. There is a drop-down list to
choose the Hotmail or Outlook.com domains. Press the Tab key on the keyboard to see if the name
you entered is available. If not, try another email name. Repeat until the message that the account
name is available appears.
4. Provide the rest of the information, and then read the Microsoft service agreement and the privacy
statement. If you agree to the terms, click I accept.
5. If you sign up by using an existing email address, you will need to verify it to prove that it is yours.
Demonstration Steps
1. In the Settings app, in the Accounts category, click the Other users node.
2. Click Add someone else to this PC, click the I don't have this person's sign-in information
hyperlink, and then create a Microsoft account with the following values:
o First name: Your first name + last name's first letter (for example, KariT)
Note: This should return a check mark with the statement Your first name + last initial-
[email protected] is available. If not, go back and add the second letter of your last
name to the email address (for example, KariTr). You may have to continue to add letters until
you create a name that is unique enough for the system to accept it.
Note: If you select another country/region instead of the United States, the birth text boxes
do not appear. This is expected behavior, and you do not need to enter a birth date in this scenario.
o Password: Pa$$w0rd
o Country/region: Select your country/region
o Birth day: 1
o Year: 1990
However, in some cases, you may have joined a domain already; you might be using a device that your
organization owns, and are required to join the domain; or the device is already joined to the domain for
you. In these scenarios, Microsoft allows you to use AD DS and Azure AD together. When you connect the
two, users can automatically sign in to cloud-based services such as Office 365, Microsoft Intune, and the
Windows Store, even when signing in to their machines by using Active Directory accounts. This will mean
that users no longer need to remember additional account names or passwords.
1. Open the Settings app, and in the System category, click the About section at the bottom of the
console tree.
2. Click Join Azure AD. You will use your Azure credentials to add the device.
3. Once you join Azure AD, you must restart your machine. After the restart, you or an administrator can
check your Azure AD to see if your device has joined the domain.
If you are already in a domain, you must use the Disconnect from organization hyperlink that is in
the Settings app's About item in the System category, and then click the Join Azure AD hyperlink.
Disconnecting from the domain is not something the average user should do unless their administrator
directs them to do so.
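Step 3 above says to check whether the device has joined; on the device itself you can read the join state with dsregcmd.exe, which is built into Windows 10. The following added example (not from the course) parses the "Key : Value" lines that dsregcmd /status prints into an object so that the state can be tested in a script rather than read by eye.

```powershell
# Added example: read the device's AD DS and Azure AD join state from
# "dsregcmd /status" and expose it as an object. No elevation is required.

function Get-DeviceJoinState {
    $lines = dsregcmd /status
    $state = @{}
    foreach ($line in $lines) {
        # dsregcmd prints lines such as "AzureAdJoined : YES" and "DomainJoined : NO".
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined']  -eq 'YES')
        DomainName    = $state['DomainName']
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
    }
}

$join = Get-DeviceJoinState
$join | Format-List

# Summarize the combination described in the text: AD DS and Azure AD together,
# Azure AD only, AD DS only, or neither.
if ($join.AzureAdJoined -and $join.DomainJoined) { 'Joined to AD DS and Azure AD' }
elseif ($join.AzureAdJoined)                     { 'Joined to Azure AD only' }
elseif ($join.DomainJoined)                      { 'Joined to an AD DS domain only' }
else                                             { 'Not joined to any domain' }
```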
The staff at a military base has a special computer that they use to encrypt orders. They want to install
Windows 10 on it. Due to security issues, the computer cannot connect to a network. What kind of
account should you use?
Contoso, Ltd. has a vigorous Office 365 and Azure cloud-service presence. They have tied in their on-
premises AD DS infrastructure with Azure AD. What might Contoso do to ensure that users do not
have to sign in to Windows 10 on one account, and then into Office 365 and Azure on another?
Question: When would you use a domain account?
Question: Under what circumstances would you not be able to use a domain account on a
Windows 10 device?
Xbox Live
Hotmail
Windows Live ID
Microsoft Passport
Lesson 4
Using OneDrive
OneDrive, the free cloud storage service for every Microsoft account, integrates with Windows 10 to allow
you to access your files from any location by using a Windows device and an Internet connection. In this
lesson, you will see how OneDrive works, and how it integrates with Windows 10.
Lesson Objectives
After completing this lesson, students will be able to:
Describe OneDrive.
Explain how to enable OneDrive.
What Is OneDrive?
OneDrive is the free cloud-based file service that
is available to Microsoft account holders. The
OneDrive service is a consumer-oriented solution,
which allows for 15 gigabytes (GB) of free cloud
storage. You can use OneDrive to save personal
files in your private store or in your public store,
so that you can share files with anyone. OneDrive
is designed for personal files and not as an
enterprise solution. For corporate organizations,
Microsoft provides a different service named
OneDrive for Business.
Features
OneDrive offers many useful features, such as:
Integration with Windows 10 File Explorer. You can view OneDrive from File Explorer, and you can
save files directly to OneDrive from Office or any other app.
Microsoft Office Online. You can use Microsoft Office Online to view and edit documents that are
stored in OneDrive.
PDF and OpenDocument Format (ODF) support. You can view PDF and ODF documents that are
saved in OneDrive.
OneDrive
http://aka.ms/lv5n2s
Accessing OneDrive
There are several different methods and operating systems that you can use to access OneDrive. You can
access it from any currently supported Windows-based computer or Apple iOS device. You can use a web
browser to go directly to OneDrive at http://www.OneDrive.com, and you also can access OneDrive by
using File Explorer or by installing the OneDrive app to a Windows 10 computer.
OneDrive Privacy
The Microsoft Online Privacy Statement specifies the terms of use of the personal information that you
provide when you use OneDrive. Before you use Microsoft online services, you must read and understand
the privacy statement. The main points in the privacy statement include that Microsoft:
Collects personal information from you when you register, and may combine this information with
data that other companies and Microsoft services collect.
Tracks your interaction with Microsoft sites by using cookies and other technologies, to personalize
your online experience.
Does not share your personal information with third parties, but may provide this information to
companies that work on behalf of Microsoft.
Uses your personal information to provide services, such as personalized content and advertising, to
inform you about Microsoft products and services, and to invite you to complete surveys about
Microsoft services.
Terms of Service
The OneDrive terms of service specify how you and Microsoft can use the information you post on
OneDrive. Some of the main terms of service are:
Ownership of Content. You own content such as documents, videos, photos, and email that you
upload to the services store. The same is true of content that you store on OneDrive, or transfer
through it. Microsoft does not claim ownership of your content, except for Microsoft material, such
as clip art, that Microsoft licenses to you, and that you may use in your content.
Access of Content. You can choose with whom you share your content. You can choose to not share
your content, to share your content publicly, or to choose other users with whom you want to share
your content. If you share your content with other users, they may use, reproduce, distribute, or
display your content for free.
Microsoft Use of Content. Microsoft may use, modify, adapt, save, reproduce, distribute, and display
your content to protect you, and to improve Microsoft services. In such cases, Microsoft protects your
privacy by taking necessary steps. Examples of such usage of your content include isolation of
information from content to prevent and protect you from spam and malware.
Removal of Content. Microsoft may ask you to remove content that is in violation of the anti-spam
policy, the Microsoft Code of Conduct, or your local law. Microsoft also may ask you to remove
content if it infringes on a third party's intellectual property. If you fail to comply, you might lose
access to your account, or Microsoft may cancel your account. In such cases, Microsoft may also
remove your content without asking you.
Enabling OneDrive
Before you can use OneDrive from the
Windows 10 OneDrive tile, you must connect
your domain or local account with your Microsoft
account. To begin the process, click the OneDrive
item in the File Explorer console tree. You then
will receive a prompt to sign in with your
Microsoft account or to create an account if
you do not have one.
1. From the taskbar, open File Explorer, and then click the OneDrive node.
2. In the Welcome to OneDrive Wizard, click Get started.
4. After you successfully sign in, in the Introducing your OneDrive folder page, you can apply the
default local folder location, which is C:\users\username\OneDrive. Alternatively, you can select
another location by clicking Change. However, if you accept the default location, simply click Next.
5. If you click Change, the Browse for folder window appears, where you can select a different location
from a file tree or create a new folder. After selecting the location, click OK, and then Next.
6. The Sync your OneDrive files to this PC page shows all your OneDrive folders, with a check box
next to each. You can leave the folder check boxes selected to sync them, or clear the folder check
boxes to skip syncing. The bottom of the window indicates how much free space you have remaining
on the local hard drive. After making your selections, click Next.
7. On the Fetch your files from anywhere page, click Done to sync your OneDrive contents to your
hard drive.
You can manage, share, and synchronize your OneDrive files and folders from the OneDrive node in File
Explorer. To do so, right-click any of the OneDrive folders in the node, and then click one of the following
options:
Share a OneDrive link. This option creates and saves a link in the Clipboard. To provide others with
instant access, you need to paste the link into an email, instant message, or document.
More OneDrive sharing options. This option opens the OneDrive webpage, which provides more
traditional OneDrive web-based sharing functionality.
View on OneDrive.com. This option opens the OneDrive.com web-based version of the folder that
you right-click within File Explorer.
Choose OneDrive folders to sync. This option opens the Sync your OneDrive files to this PC page
in the Getting started Wizard. Here, you can synchronize individual folders, or all folders.
Unlike the Windows 8 version of OneDrive, which synchronized with File Explorer, Windows 10 only allows
you to synchronize files in the root of OneDrive or an entire subfolder's contents.
Demonstration Steps
1. On LON-CL2, in the Start menu, click the Settings app, and in Accounts, select Other users, and
then click the Add someone else to this PC plus sign.
2. In the How will this person sign in? page, in the Email or phone text box, type Your first name +
last [email protected].
3. In the Start menu, select the Admin account, change it to Your first name + last initial-20697-
[email protected], and then enter your password. It may take a moment to build your profile.
Note: It may take a few minutes before the OneDrive node appears for the first time.
6. In the OneDrive node, in the Documents folder, create a new text document named I was here.txt.
7. Open the document, type the line I was here on LON-CL2., and then save and close the file.
8. Return to LON-CL1. You should be signed in as Your first name + last initial-20697-
[email protected]. Open File Explorer, and then select the OneDrive node.
9. Open the Documents folder under the OneDrive node. After a few moments (it can take up to five
minutes), the I was here.txt document should appear.
10. Add the following line to the document: Now I'm here on LON-CL1. Save and close the document.
Make note of the document's date and time.
11. Return to LON-CL2. In the Documents folder, under the OneDrive node, you should see that the
date and time match the date and time that were on the I was here.txt document previously
created on LON-CL1. Open the document, and then confirm that both lines of text appear.
12. Close all open windows, and then sign out of all virtual machines.
When you finish the demonstration, revert the virtual machines to their initial state. To do this, perform
the following steps:
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You must enable and test the users' ability to synchronize their Windows 10 settings between their
devices. You have set up a test lab for this purpose.
Objectives
After completing this lab, you will have:
Lab Setup
Estimated Time: 40 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, MSL-TMG1, and 20697-1B-LON-CL2
Password: Pa$$w0rd
LON-CL1
Password: Pa$$w0rd
LON-CL2
User name: LON-CL2\Admin
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
If the MSL-TMG1 virtual machine is not running, then in Hyper-V Manager, click MSL-TMG1, and in
the Actions pane, click Start. You do not need to sign in on this virtual machine or 20697-1B-LON-DC1,
but ensure both are running at the Sign in screen before starting 20697-1B-LON-CL1 or
20697-1B-LON-CL2.
2. Perform verification.
4. Perform verification.
2. Click Add someone else to this PC, click the I don't have this person's sign-in information
hyperlink, and then create a Microsoft account with the following values:
a. First name: Your first name + last name's first letter (for example, KariT)
b. Last name: 20697-1B
c. Click the Get a new email address hyperlink, in the New email text box, type Your first name
+ last initial-20697-1B, and then press Tab.
Note: This should return a check mark with the statement Your first name + last initial-
[email protected] is available. If not, go back and add the second letter of your last
name to the email address (for example, KariTr). You may have to continue to add letters until
you reach a name that is unique enough for the system to accept it.
d. Password: Pa$$w0rd
e. Country/region: Select your country/region
g. Birth day: 1
h. Year: 1990
3. If either the Passwords are so yesterday or Set up a PIN pages appear, click Skip this step.
6. If you encounter a message that states "Please sign in to your Outlook.com account", click sign in to
validate the account.
7. When the test message arrives, confirm it, close all open windows, and then sign out.
2. In the Start menu, click the Settings app, in Accounts, select Other users, and then click the Add
someone else to this PC plus sign.
3. In the How will this person sign in? page, in the Email or phone text box, type Your first name +
last [email protected].
4. In the Start menu, select the Admin account and change it to Your first name + last initial-20697-
[email protected], and then enter your password. It may take a moment to build your profile.
6. In the Get your files here, there and everywhere page, click Next.
7. Close all open windows, and then sign out.
4. Open your test message, reply to it, and then send it back to yourself.
5. Close all open windows, and then sign out.
Results: After you complete this exercise, you will have successfully:
Connected your Microsoft account to a device.
Performed verification.
Signed in with your Microsoft account.
2. Sign in to LON-CL1 with your Microsoft account, and update the synchronized document.
Note: The OneDrive node in File Explorer may take several minutes to appear. Please wait
for it to appear before proceeding. If it takes longer than 15 minutes, sign out, and then sign
back in by using your Microsoft account.
3. In the OneDrive node, in the Documents folder, create a new text document named I was here.txt.
4. Open the document and type the line I was here on LON-CL2., and then save and close the file.
Task 2: Sign in to LON-CL1 with your Microsoft account, and update the
synchronized document
1. Return to LON-CL1, and sign in as Your first name + last [email protected], with the
password Pa$$w0rd, and then open the Documents folder under the OneDrive node. After a few
moments (it can take up to five minutes), the I was here.txt document should appear.
2. Add the following line to the document: Now I'm here on LON-CL1. Save and close the document,
and then make note of the document's date and time.
3. Return to LON-CL2. In the Documents folder, under the OneDrive node, you should see that the
date and time match the date and time that were on the I was here.txt document previously
created on LON-CL1. Open the document, and then confirm that both lines of text appear.
4. Close all open windows, and then sign out of all virtual machines.
Results: After you complete this exercise, you will have successfully:
Question: What is the difference between a child and adult family member Windows 10
account?
Tools
Tool: Settings app
Used to: Configure almost any Windows 10 setting.
Where to find it: In the Start menu. This tool is a part of the Windows 10 operating system.

Tool: Action Center
Used to: Quickly provide broad changes to the Windows 10 device, such as putting the device in Airplane or
Tablet mode or connecting to a Miracast-capable device.
Where to find it: In the notification area on the taskbar, in the Notifications icon. This tool is a part of the
Windows 10 operating system.
Module 4
Configuring Network Connectivity
Module Overview
Configuring network connectivity is a common administrative task. In many organizations, it can account
for a significant percentage of overall administrative effort. Windows 10 includes several tools that enable
you to set up and troubleshoot both wired and wireless network connections more efficiently. To support
your organization's network infrastructure, it is important that you understand how to configure and
troubleshoot network connections.
Objectives
After completing this module, you will be able to:
Lesson 1
Configuring IP Network Connectivity
By default, Windows 10 implements both Internet Protocol version 4 (IPv4) and Internet Protocol
version 6 (IPv6). It is important that you understand the fundamentals of both IPv4 and IPv6, and
know how to configure them in Windows 10 within the context of your organization's network
infrastructure.
Lesson Objectives
After completing this lesson, you will be able to:
Describe IPv4.
Describe IPv6.
1. A host sends a request to connect to Server1. The name Server1 must first be resolved to an IPv4
address. You will learn about name resolution later in the module.
2. Once the sender knows the recipient's IPv4 address, it uses its subnet mask to determine whether that
address is on the local subnet or on a remote subnet.
3. If the address is local, the sender broadcasts an Address Resolution Protocol (ARP) request on the
local subnet, asking for the MAC address that belongs to the destination IPv4 address. If the address is
remote, the sender instead sends an ARP request for the MAC address of its default gateway, because
the packet must be handed to the router first. ARP requests are never forwarded beyond the local subnet.
4. The host that owns the requested IPv4 address (or the gateway) replies with its MAC address. The ARP
request already carried the sender's MAC address, so the responder records it without a further request.
5. Once both sides have each other's MAC addresses, IPv4 packets can be exchanged.
Note: ARP has no authentication. Any host on the subnet can answer an ARP request, so the
MAC-to-IP mapping a host learns is unverified (ARP spoofing). You can inspect the learned mappings
with arp -a or the Get-NetNeighbor cmdlet.
An IPv4 address is a 32-bit binary number, as the following example shows:
11000000101010000000000111001000
IPv4 divides the address into four octets, as the following example shows:
11000000.10101000.00000001.11001000
To make IPv4 addresses readable, each octet is normally written as a decimal number, with the octets
separated by periods (dotted decimal notation), as the following example shows:
192.168.1.200
The subnet on which the computer resides, which is the network ID.
This enables a networked computer to communicate with other networked computers in a routed
environment.
Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses, whereas
you can use Class D for multicasting. Additionally, IANA reserves Class E for experimental use.
Defining Subnets
A subnet is a network segment. One or more routers separate the subnet from the rest of the network.
When your Internet service provider (ISP) assigns a network in a Class A, B, or C address range, you
often must subdivide the range to match the network's physical layout. Subdividing enables you to
break a large network into smaller, logical subnets.
Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
Overcome the limitations of current technologies, such as exceeding the maximum number of hosts
that each segment can have.
A subnet mask specifies which part of an IPv4 address is the network ID and which is the host ID. A subnet
mask has four octets, similar to an IPv4 address.
172.16.16.1/255.255.240.0
The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20
The /20 is the number of leftmost bits in the mask that are set to 1. This notation is called Classless
Inter-Domain Routing (CIDR) notation. The same subnet mask in binary notation looks like this:
11111111.11111111.11110000.00000000
The first 20 bits are set to 1 and identify the subnet (the network ID); the remaining 12 bits are 0 and
identify the host within that subnet.
When a host delivers an IPv4 packet, it performs an internal calculation by using the subnet mask to
determine whether the destination host is on the same network or on a remote network. If the destination
host is on the same network, the local host delivers the packet. If the destination host is on a different
network, the host transmits the packet to a router for delivery.
Note: The host determines the MAC address of the router for delivery, and the initiating
host addresses the router explicitly, at the media access layer.
When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults the
internal routing table to determine the appropriate router to ensure that the packet reaches the
destination subnet. If the routing table does not contain any routing information about the destination
subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway
contains the required routing information.
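The following Windows PowerShell script is an added example, not part of the course text. It performs the subnet-mask calculation described above by hand (network ID, broadcast address, and the local-versus-remote decision) so that each step is visible. It uses the course's 172.16.16.1/20 address together with constructed destination addresses, and it does not touch the computer's real network configuration.

```powershell
# Added example, not part of the course text: the subnet-mask calculation a host
# performs before sending a packet, written out in PowerShell so each step is
# visible. Addresses are the course's 172.16.16.1/20 plus constructed
# destinations; nothing here changes the machine's configuration.

$AllOnes = [long][uint32]::MaxValue   # 0xFFFFFFFF as a 64-bit value, avoiding sign problems

function ConvertTo-IPv4Int {
    # Dotted-decimal string -> 32-bit value held in a [long]; throws on a bad address.
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Count -ne 4) { throw "$Address is not an IPv4 address" }
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function ConvertFrom-IPv4Int {
    param([Parameter(Mandatory)][long]$Value)
    return (3..0 | ForEach-Object { ($Value -shr ($_ * 8)) -band 0xFF }) -join '.'
}

function Get-MaskFromPrefix {
    # /20 -> 11111111.11111111.11110000.00000000
    param([Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength)
    return ($AllOnes -shl (32 - $PrefixLength)) -band $AllOnes
}

function Get-SubnetInfo {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength
    )
    $ip   = ConvertTo-IPv4Int $Address
    $mask = Get-MaskFromPrefix $PrefixLength
    $net  = $ip -band $mask                      # network ID: host bits cleared
    $bc   = $net -bor ($mask -bxor $AllOnes)     # broadcast: host bits set
    [pscustomobject]@{
        Address     = "$Address/$PrefixLength"
        SubnetMask  = ConvertFrom-IPv4Int $mask
        NetworkId   = ConvertFrom-IPv4Int $net
        Broadcast   = ConvertFrom-IPv4Int $bc
        UsableHosts = [math]::Max(0, [long][math]::Pow(2, 32 - $PrefixLength) - 2)  # valid for /30 and shorter
    }
}

function Test-SameSubnet {
    # The decision the text describes: same network ID -> deliver directly (ARP for
    # the host); different network ID -> hand the packet to the default gateway.
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength,
        [Parameter(Mandatory)][string]$Destination
    )
    $mask = Get-MaskFromPrefix $PrefixLength
    return ((ConvertTo-IPv4Int $Source) -band $mask) -eq ((ConvertTo-IPv4Int $Destination) -band $mask)
}

Get-SubnetInfo -Address '172.16.16.1' -PrefixLength 20 | Format-List

foreach ($dst in '172.16.31.254', '172.16.32.1', '172.16.0.10') {
    $local = Test-SameSubnet -Source '172.16.16.1' -PrefixLength 20 -Destination $dst
    '{0,-14} {1}' -f $dst, $(if ($local) { 'local: ARP for the host itself' } else { 'remote: ARP for the default gateway' })
}
```

The arithmetic is done in 64-bit values so that the all-ones mask never becomes a negative 32-bit integer; the same functions work for any prefix length from /0 to /32.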
In most cases, you can use a Dynamic Host Configuration Protocol (DHCP) server to assign the default
gateway automatically to a DHCP client. This is more straightforward than manually assigning a default
gateway on each host.
IANA defines the following address ranges as private. Internet-based routers do not forward packets
originating from, or destined to, these ranges.
Class | Private range (CIDR) | Addresses
A | 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255
B | 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255
C | 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255
In todays network environments, it is most common for organizations to have one or more public,
routable IP addresses from an ISP assigned to the external interfaces of their firewall appliances.
Additionally, they use the designated private IP subnets internally.
Static configuration
You can configure IPv4 settings manually on each of your network's computers. When you perform a
static IPv4 configuration, you must configure the:
IPv4 address
Subnet mask
Default gateway
Static configuration requires that you visit each computer and input the IPv4 configuration. This method
of computer management is time-consuming if your network has more than 10 to 12 computers.
Additionally, making a large number of manual configurations heightens the risk of mistakes.
DHCPv4
DHCPv4 enables you to assign IPv4 configurations automatically for a large number of computers without
having to assign each one individually. The DHCP service receives requests for IPv4 configuration from
computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4 information
from scopes that you define for each of your networks subnets. The DHCP service identifies the subnet
from which the request originated, and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process. However, keep in mind that if you use DHCP to assign
IPv4 information and the service is business-critical, you must:
Include resilience in your DHCP service design so that the failure of a single server does not prevent
the service from functioning.
Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole
network, and it can prevent communication.
When you configure Windows 10 devices to obtain IPv4 addresses from DHCP, use the Alternate
Configuration tab to control what happens if no DHCP server responds. By default, Windows 10 uses
Automatic Private IP Addressing (APIPA) to assign itself an address from the 169.254.0.0/16 range
(169.254.0.0 to 169.254.255.255), with no default gateway. Alternatively, you can specify a user-configured
static address on that tab, which lets a device use a DHCP server at work and a fixed address at home
without reconfiguring its IP settings. APIPA is also useful when troubleshooting DHCP: if a computer has
an address from the 169.254.0.0/16 range, it could not communicate with a DHCP server.
Change adapter options. You can configure the network adapter settings. A list of network adapters
displays, and you can then configure the properties for each, including:
o Internet Protocol Version 6 (TCP/IPv6). Enables you to manually configure the IPv6 settings for a
given adapter.
o Internet Protocol Version 4 (TCP/IPv4). Enables you to manually configure the IPv4 settings for a
given adapter.
Change advanced sharing options. You can configure network discovery, file and print sharing, public
folder sharing, media streaming options, and the encryption level to use for file sharing connections.
Launch the Network and Sharing Center. You can use this tool to configure most network settings.
You will learn more about it below.
Enable and configure a homegroup. You can enable and configure homegroups, which are collections
of computers that you deploy on a home network and that share resources such as files and printers.
When your computer is part of a homegroup, you can share images, media files, documents, and
printer devices with others in your homegroup. Once you enable a homegroup, you can then define
which libraries you will share, such as Pictures, Documents, or Videos. You can enable a homegroup
only on network interfaces that are defined as part of a private network location profile. To provide
for basic security, you can enable a password on your homegroup.
Note: Although domain-joined computers cannot create homegroups, they can connect to
existing homegroups.
Configure Internet options. You can configure the options your web browsers use.
Configure Windows Firewall. You can launch the Windows Firewall tool and configure Windows
Firewall rules, notifications, and advanced settings.
Internet Options
Windows Firewall
Network and Internet Troubleshooting Wizard
Windows PowerShell
Although you can use the graphical tools previously described to perform all network configuration and
management tasks, sometimes it can be quicker to use command-line tools and scripts. Windows has
always provided the command prompt for certain network management tools. However, Windows
PowerShell provides a number of network-specific cmdlets that you can use to configure, manage, and
troubleshoot Windows network connections.
The following table lists some of the network-related Windows PowerShell cmdlets and their purposes.
Cmdlet Purpose
For example, to configure the IPv4 settings for a network connection by using Windows PowerShell, use
the following cmdlet:
Netsh
You can also use the Netsh command-line tool to configure network settings. For example, to configure
IPv4 by using Netsh, you can use the following example:
Netsh interface ipv4 set address name="Local Area Connection" source=static addr=172.16.16.3
mask=255.255.255.0 gateway=172.16.16.1
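The following script is an added example, not part of the course text. It shows the Windows PowerShell equivalent of the Netsh command above (a static IPv4 address, mask, gateway, and DNS servers on one adapter), the reverse operation back to DHCP, and the APIPA check described under DHCPv4. It assumes an adapter named Ethernet and reuses the course's lab addresses; change both for your computer. The functions that change the adapter are only shown in comments, because running them reconfigures the network connection.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the course text: PowerShell equivalent of the netsh
# command above, the reverse operation back to DHCP, and an APIPA check.
# Assumes an adapter named 'Ethernet' and the course's lab addresses.

function Set-StaticIPv4 {
    param(
        [string]$Alias = 'Ethernet',
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][ValidateRange(1, 30)][int]$PrefixLength,  # 24 is 255.255.255.0
        [Parameter(Mandatory)][string]$Gateway,
        [string[]]$DnsServers
    )
    # New-NetIPAddress refuses to run if the adapter already holds a static
    # address or a default route, so turn off DHCP and clear both first.
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Disabled
    Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false

    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $IPAddress -PrefixLength $PrefixLength `
        -DefaultGateway $Gateway | Out-Null
    if ($DnsServers) {
        # A static address receives no DNS servers from DHCP, so set them explicitly.
        Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $DnsServers
    }
}

function Set-DhcpIPv4 {
    param([string]$Alias = 'Ethernet')
    Get-NetRoute -InterfaceAlias $Alias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily IPv4 -Dhcp Enabled
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses   # back to DHCP-supplied DNS
}

function Test-Apipa {
    # True when the adapter fell back to a 169.254.0.0/16 address, which means
    # no DHCP server answered (or an existing lease could not be renewed).
    param([string]$Alias = 'Ethernet')
    $addrs = Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 -ErrorAction SilentlyContinue
    return [bool]($addrs | Where-Object { $_.IPAddress -like '169.254.*' })
}

# Read-only checks run immediately; the two configuration calls are left as
# comments because they change the adapter.
if (Test-Apipa) { 'APIPA address present: the DHCP server was not reachable.' }
Get-NetIPConfiguration -InterfaceAlias 'Ethernet'
# Set-StaticIPv4 -IPAddress 172.16.16.3 -PrefixLength 24 -Gateway 172.16.16.1 -DnsServers 172.16.0.10
# Set-DhcpIPv4
```

Get-NetIPConfiguration at the end shows the resulting address, gateway, and DNS servers in one view, which is the PowerShell counterpart of netsh interface ipv4 show config.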
IPConfig
Ping
Tracert
NSLookup
Pathping
Windows PowerShell
Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an
error. IP conflicts are reflected in the system log and might prevent services from starting. When these
events occur, Windows records the event in an appropriate event log. You can use Event Viewer to read
the log. When you troubleshoot errors on Windows 10, you can view the events in the event logs to
determine the cause of the problem.
You can use Event Viewer to access the Application, Security, Setup, and System logs under the Windows
Logs node. When you select a log and then select an event, a preview pane under the event list contains
details of the specified event. To help diagnose network problems, look for errors or warnings related to
network services in the System log.
IPConfig
The IPConfig command displays the current TCP/IP network configuration. Additionally, you can use
IPConfig to refresh DHCP and DNS settings. For example, you might need to flush the DNS cache. The
following table provides a brief description of some of the IPConfig command switches.
Command Description
ipconfig /release Release the leased configuration back to the DHCP server.
ipconfig /registerdns Register/update the clients host name with the DNS server.
Ping
You use the Ping command to verify IP-level connectivity to another TCP/IP computer. This command
sends and receives Internet Control Message Protocol (ICMP) echo request messages, and displays the
receipt of corresponding echo reply messages. The Ping command is the primary TCP/IP command used
to troubleshoot connectivity.
Note: Firewalls might block the ICMP requests. As a result, you may receive false negatives
when using ping as a troubleshooting tool.
Tracert
The Tracert tool determines the path taken to a destination computer by sending ICMP echo requests with
increasing Time to Live (TTL) values. Each router that decrements the TTL to zero returns an ICMP Time
Exceeded message, which identifies that hop. The path displayed is the list of router interfaces between the
source and the destination, together with the round-trip time to each hop, so Tracert shows at which hop
packets stop being answered and where latency increases. These results may not be accurate if a router is
busy, because routers give the generation of ICMP replies a low priority and may answer late or not at all.
Pathping
The Pathping command traces a route through the network in a manner similar to the Tracert tool.
However, Pathping provides more detailed statistics on the individual steps, or hops, through the
network. The command can provide greater detail because it sends 100 packets for each router, which
enables it to establish trends.
NSLookup
The NSLookup tool displays information that you can use to diagnose the DNS infrastructure. You can
use the tool to confirm connection to the DNS server, in addition to the existence of the required records.
Windows PowerShell
You can use Windows PowerShell to configure network connection settings. In addition to this, you can
use Windows PowerShell cmdlets for troubleshooting network settings.
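The following script is an added example, not part of the course text. It strings the tools above together into one layered connectivity check, in the order a practitioner works: local address, default gateway, remote host, name resolution, and the System log. Because ICMP may be filtered (the false negative the Ping note warns about), the remote-host test falls back to a TCP port probe with Test-NetConnection. It assumes the course's LON-DC1 at 172.16.0.10 listening on TCP port 389 (LDAP); change the parameters for your network.

```powershell
# Added example, not part of the course text: a layered connectivity check.
# Assumes LON-DC1 at 172.16.0.10 with TCP 389 open; adjust for your network.

function New-CheckResult {
    param([Parameter(Mandatory)][string]$Layer, [bool]$Passed)
    [pscustomobject]@{ Layer = $Layer; Passed = $Passed }
}

function Test-HostReachable {
    # ICMP echo first; if that fails, a TCP connect to a port the host is known
    # to serve, because a host that drops echo requests can still be up.
    param([Parameter(Mandatory)][string]$Target, [Parameter(Mandatory)][int]$Port)
    if (Test-Connection -ComputerName $Target -Count 1 -Quiet -ErrorAction SilentlyContinue) { return $true }
    return [bool](Test-NetConnection -ComputerName $Target -Port $Port -InformationLevel Quiet -WarningAction SilentlyContinue)
}

function Get-IPConflictEvent {
    # Windows records a detected duplicate address as Tcpip event 4199 in the System log.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Tcpip'; Id = 4199 } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Invoke-ConnectivityCheck {
    param([string]$Target = 'LON-DC1', [string]$TargetIP = '172.16.0.10', [int]$Port = 389)
    # First adapter that has a default gateway; the others are usually virtual or idle.
    $cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
    $ip  = if ($cfg) { $cfg.IPv4Address.IPAddress | Select-Object -First 1 }
    $gw  = if ($cfg) { $cfg.IPv4DefaultGateway.NextHop | Select-Object -First 1 }

    New-CheckResult 'Adapter has an IPv4 address and a default gateway' ($null -ne $ip -and $null -ne $gw)
    New-CheckResult 'Address is not APIPA (169.254.0.0/16)' ($null -ne $ip -and $ip -notlike '169.254.*')
    New-CheckResult "Default gateway $gw answers ICMP" ($null -ne $gw -and (Test-Connection -ComputerName $gw -Count 1 -Quiet -ErrorAction SilentlyContinue))
    New-CheckResult "$TargetIP reachable by IP (ICMP, else TCP $Port)" (Test-HostReachable -Target $TargetIP -Port $Port)
    New-CheckResult "$Target resolves in DNS" ($null -ne (Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue))
    New-CheckResult 'No recent IP address conflict events in the System log' ($null -eq (Get-IPConflictEvent))
}

Invoke-ConnectivityCheck | Format-Table -AutoSize
```

Read the table from the top: the first failing layer is where to start, because every later check depends on it. A host that fails the ICMP test but passes the TCP test is up and filtering echo requests, not down.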
Test connectivity.
Demonstration Steps
View IPv4 configuration from a GUI
1. Launch Network and Sharing Center.
2. View the TCP/IPv4 configuration.
3. Run netsh interface ipv4 show config. The current IPv4 configuration is displayed.
Test connectivity
1. Run test-connection LON-DC1.
2. Run netstat -n. Observe the active connections to 172.16.0.10. Most connections to services are
transient. If no connections appear, create a connection.
3. Run netstat -n. Identify the services that LON-CL1 had connections to on LON-DC1.
2. In Windows PowerShell, run netsh advfirewall firewall show rule name=all dir=in. Review the
results, which display all inbound rules.
2. Verify your configuration change from the command prompt by using Get-NetIPAddress.
Benefits of IPv6
The IPv6 protocol provides the following benefits:
Large address space. IPv4's 32-bit address space allows 2^32, or 4,294,967,296, possible addresses.
IPv6 uses 128-bit addresses, which allow 2^128, or
340,282,366,920,938,463,463,374,607,431,768,211,456 (about 3.4x10^38, or 340 undecillion), possible
addresses.
Hierarchical addressing and routing infrastructure. The IPv6 address space is more efficient for
routers, which means that even though there are many more addresses, routers can process data
much more efficiently because of address optimization.
Stateless and stateful address configuration. IPv6 hosts can autoconfigure addresses without DHCP,
discovering prefixes and routers from Router Advertisements so that they can reach the Internet. This is
stateless address autoconfiguration. Stateful address configuration uses the DHCP version 6 (DHCPv6)
protocol. DHCPv6 itself has two modes: stateful, in which the server provides the IP address together
with the other configuration settings, and stateless, in which hosts autoconfigure their addresses and
DHCPv6 provides only the other settings, such as DNS server addresses.
Required support for Internet Protocol security (IPsec). The original IPv6 node requirements mandated
support for the Authentication Header (AH) and Encapsulating Security Payload (ESP) headers that IPsec
defines (later revisions of those requirements relaxed this to a recommendation). Although the IPv6
standards do not mandate specific authentication methods or cryptographic algorithms, IPsec was defined
from the start as the way to protect IPv6 packets.
Note: IPsec provides authentication and integrity for communications between hosts and, with ESP,
optionally encryption. Support for IPsec does not mean it is in use: an IPv6 packet is no better protected
than an IPv4 packet unless an IPsec policy is configured on both ends of the connection.
Restored end-to-end communication. The global addressing model for IPv6 traffic means that
translation between different types of addresses is not necessary, such as the translation done by
NAT devices for IPv4 traffic. This simplifies communication because you do not need to use NAT
devices for peer-to-peer applications, such as video conferencing.
Prioritized delivery. The IPv6 header contains a Traffic Class field and a Flow Label field that let
network devices identify packets that should be processed at a particular priority or as part of a single
flow. This enables traffic prioritization. For example, when you are streaming video, it is critical that
the packets arrive in a timely manner; you can mark that traffic so that network devices treat its delivery
as time-sensitive.
Support for single-subnet environments. IPv6 has much better support of automatic configuration
and operation on networks consisting of a single subnet. You can use this to create temporary, ad
hoc networks through which you can connect and share information.
Extensibility. The design of IPv6 enables you to extend it with less constraint than IPv4.
IPv6 in Windows 10
Windows 10 uses IPv6 by default. Windows 10 includes several features that support IPv6, as described
below.
Consistent performance, security, and support for both IPv6 and IPv4.
When you connect to a new network that advertises IPv6 routability, Windows 10 tests IPv6 connectivity,
and it will only use IPv6 if IPv6 connectivity is actually functioning. Windows 10 also supports a
functionality called address sorting. This functionality helps the Windows 10 operating system determine
which protocol to use when applications that support both IPv4 and IPv6 addresses are configured for
both protocol stacks.
The Windows 10 operating system supports remote troubleshooting features such as Windows Remote
Assistance and Remote Desktop, both of which use the Remote Desktop Protocol (RDP) and accept IPv6
addresses. Remote Desktop enables administrators to connect to Windows Server sessions for remote
administration purposes, and enables users to reach their office computers, including the files on them,
from other computers, such as their home computers.
11000000.10101000.00000001.00000001
2001:DB8::2F3B:2AA:FF:FE28:9C5A
This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve
hosts, meaning they will rarely type IPv6 addresses manually. The IPv6 address in hexadecimal also is
easier to convert to binary. This makes it simpler to work with subnets and calculate hosts and networks.
Unicast. An IPv6 unicast address is equivalent to an IPv4 unicast address. You can use this address
type for one-to-one communication between hosts. Each IPv6 host has multiple unicast addresses.
There are three types of unicast addresses:
o Global unicast addresses. These are equivalent to public IPv4 addresses. They are globally
routable and reachable on the IPv6 portion of the Internet.
o Link-local addresses. Hosts use link-local addresses when communicating with neighboring hosts
on the same link. For example, on a single-link IPv6 network with no router, hosts communicate
by using link-local addresses. Link-local addresses are local-use unicast addresses with the
following properties:
IPv6 link-local addresses are equivalent to IPv4 APIPA addresses, and every IPv6 interface always has
one, even when it also has a global address.
Link-local addresses are in the FE80::/10 prefix; in practice they always begin with FE80.
o Unique local unicast addresses. Unique local addresses (the FC00::/7 prefix; in practice FD00::/8
with a randomly generated 40-bit global ID) provide an equivalent to the private IPv4 address space
for organizations, without the overlap in address space when organizations combine.
Multicast. An IPv6 multicast is equivalent to an IPv4 multicast address. You use this address type for
one-to-many communication between computers that you define as using the same multicast
address.
Anycast. An anycast address is an IPv6 unicast address that is assigned to multiple computers. When
IPv6 addresses communicate to an anycast address, only the closest host responds. You typically use
this address type for locating services or the nearest router.
In IPv4, you typically assign a single host with a single unicast address. However, in IPv6, you can assign
multiple unicast addresses to each host. To verify communication processes on a network, you must know
the purposes for which IPv6 uses each of these addresses.
Interface identifiers
The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4
address. Each interface on a link must have a unique interface identifier. The identifier can be derived
from the interface's MAC address (the EUI-64 format, which inserts FF-FE into the middle of the 48-bit
MAC address) or generated randomly. Windows 10 generates random identifiers by default, so the MAC
address is not exposed in the IPv6 address and a device cannot be tracked across networks by its
identifier. You can view or change this behavior with netsh interface ipv6 show global and
netsh interface ipv6 set global randomizeidentifiers=enabled (or disabled).
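The following script is an added example, not part of the course text. It classifies IPv6 addresses by the prefixes named in this topic (FF00::/8 multicast, FE80::/10 link-local, FC00::/7 unique local, 2000::/3 global unicast) and tests whether the 64-bit interface identifier has the EUI-64 shape, which embeds the MAC address with FF-FE in the middle. The sample addresses are constructed, except for the course's 2001:DB8::2F3B:2AA:FF:FE28:9C5A, which is included because its identifier has the EUI-64 shape; the claim that Windows 10 randomizes identifiers by default is an assumption to verify with netsh interface ipv6 show global on your build.

```powershell
# Added example, not part of the course text: classify IPv6 addresses and
# inspect their interface identifiers. Sample addresses are constructed.

function Get-IPv6Bytes {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Count -ne 16) { throw "$Address is not an IPv6 address" }
    return $b
}

function Get-IPv6Scope {
    param([Parameter(Mandatory)][string]$Address)
    $b = Get-IPv6Bytes $Address
    if ($b[0] -eq 0xFF)                                  { return 'Multicast' }      # FF00::/8
    if ($b[0] -eq 0xFE -and ($b[1] -band 0xC0) -eq 0x80) { return 'LinkLocal' }      # FE80::/10
    if (($b[0] -band 0xFE) -eq 0xFC)                     { return 'UniqueLocal' }    # FC00::/7
    if (($b[0] -band 0xE0) -eq 0x20)                     { return 'GlobalUnicast' }  # 2000::/3
    if ($Address -eq '::1')                              { return 'Loopback' }
    return 'Other'
}

function Get-InterfaceIdentifier {
    # The last 64 bits, shown as eight hex bytes.
    param([Parameter(Mandatory)][string]$Address)
    $b = Get-IPv6Bytes $Address
    return (($b[8..15] | ForEach-Object { $_.ToString('x2') }) -join ':')
}

function Test-Eui64Identifier {
    # EUI-64 identifiers carry FF FE at bytes 11 and 12 with the MAC address
    # around them; randomized identifiers (assumed to be the Windows 10 default)
    # do not, which keeps the hardware address out of the IPv6 address.
    param([Parameter(Mandatory)][string]$Address)
    $b = Get-IPv6Bytes $Address
    return ($b[11] -eq 0xFF -and $b[12] -eq 0xFE)
}

$sample = @(
    '2001:db8::2f3b:2aa:ff:fe28:9c5a'   # course example, EUI-64 style identifier
    'fe80::1c3a:9f5e:22b1:8a0c'         # constructed link-local, random identifier
    'fd12:3456:789a::1'                 # constructed unique local address
    'ff02::1'                           # all-nodes multicast
)
$sample | ForEach-Object {
    [pscustomobject]@{
        Address    = $_
        Scope      = Get-IPv6Scope $_
        Identifier = Get-InterfaceIdentifier $_
        Eui64      = Test-Eui64Identifier $_
    }
} | Format-Table -AutoSize

# Live equivalent on the local computer:
# Get-NetIPAddress -AddressFamily IPv6 | ForEach-Object { Get-IPv6Scope $_.IPAddress }
```

If an address on your computer reports Eui64 as True, its identifier is derived from the MAC address, which is the behavior the randomizeidentifiers setting is meant to prevent.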
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Which command would you use to obtain a new lease from a DHCP server?
Ping
Tracert
Netsh
Ipconfig
NSLookup
Lesson 2
Implementing Name Resolution
Windows 10 devices communicate over a network by using names in place of IP addresses. Devices use
name resolution to find an IP address that corresponds to a name, such as a host name. This lesson
focuses on different types of computer names and the methods to resolve them.
Lesson Objectives
After completing this lesson, you will be able to:
Computer names
A host name is a user-friendly name that is associated with a host's IP address and identifies it as a TCP/IP
host. A host name can be no more than 255 characters in length, and must contain only alphanumeric
characters, periods, and hyphens. A host name is either an alias (a single-label name) or a fully qualified
domain name (FQDN).
Note: An alias is a single name associated with an IP address; combining an alias with a domain
name produces the FQDN.
The elements of the name are separated by periods. Applications use the structured FQDN on the
Internet.
Locate domain controllers and global catalog servers. Apps use this functionality when you sign in to
Active Directory Domain Services (AD DS).
Resolve IP addresses to host names. Apps use this functionality when a log file contains only a hosts
IP address.
Locate a mail server for email delivery. Apps use this functionality for the delivery of all Internet email.
When an app specifies a host name, TCP/IP uses the DNS resolver cache, DNS, and Link-Local Multicast
Name Resolution when it attempts to resolve the host name. The Hosts file is loaded into the DNS
resolver cache.
Note: If NetBIOS over TCP/IP is enabled, TCP/IP also uses NetBIOS name resolution
methods when resolving single-label, unqualified host names.
Depending on the configuration, Windows 10 resolves host names by performing the following actions:
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache which is populated from the local Hosts file.
3. Sending a DNS request to its configured DNS servers.
Note: Windows 10 can use Link-Local Multicast Name Resolution (LLMNR) for networks that do not
have a DNS server. Because LLMNR and NetBIOS name queries are sent to the local subnet without any
authentication, any host on that subnet can answer them and impersonate the requested name. On managed
networks where DNS is available, disable both: LLMNR through the Group Policy setting Turn off multicast
name resolution (Computer Configuration, Administrative Templates, Network, DNS Client), and NetBIOS
over TCP/IP on the WINS tab of the adapter's advanced TCP/IPv4 settings.
Overview of DNS
DNS is a service that manages the resolution of host names to IP addresses. Microsoft provides a DNS
Server role on Windows Server 2012 R2 that you can use to resolve host names in your organization.
Typically, you will deploy multiple DNS servers in your organization to help improve both the
performance and the reliability of name resolution.
Structure of DNS
The DNS namespace consists of a hierarchy of domains and subdomains. A DNS zone is a specific portion
of that namespace that resides on a DNS server in a zone file. DNS uses both forward and reverse lookup
zones to satisfy name resolution requests.
SRV. Service records are used to locate domain controllers and global catalog servers.
MX. Mail exchange records are used to locate the mail servers responsible for a domain.
CNAME. Canonical name records (CNAME records) resolve to another host name, also referred to as
an alias.
1. A workstation queries the local DNS server for the IP address www.microsoft.com.
2. If the local DNS server does not have the information, it queries a root DNS server for the location of
the .com DNS servers.
3. The local DNS server queries a .com DNS server for the location of the microsoft.com DNS servers.
4. The local DNS server queries the microsoft.com DNS server for the IP address of www.microsoft.com.
5. The microsoft.com DNS server returns the IP address of www.microsoft.com to the local DNS server.
Caching. After a local DNS server resolves a DNS name, it caches the result for the period that the
record's Time to Live (TTL) value specifies. Records without an explicit TTL inherit the zone's default
TTL, and the minimum TTL in the zone's Start of Authority (SOA) record also governs how long a
negative (name-not-found) answer is cached. The default TTL on a Windows DNS Server zone is one hour.
Subsequent resolution requests for the DNS name receive the cached information. Note that it is not the
caching server that sets the TTL, but the authoritative DNS server that resolved the name from its zone.
When the TTL expires, the caching server must discard the entry, and subsequent requests for the same
name require a new resolution request to the authoritative server.
Forwarding. Instead of querying root servers, you can configure a DNS server to forward DNS
requests to another DNS server. For example, requests for all Internet names can be forwarded to a
DNS server at an ISP.
The primary tools for troubleshooting host name resolution are IPConfig and NSLookup, and their
Windows PowerShell equivalents Get-NetIPAddress, Get-NetIPv4Protocol, and Resolve-DnsName.
Best Practice: Be sure to clear the DNS resolver cache between resolution attempts; otherwise a
cached (and possibly stale) answer masks what the DNS server actually returns:
IPConfig /flushdns
Note: Alternately, you can use the Windows PowerShell cmdlet Clear-DnsClientCache.
2. Attempt to verify connectivity to a remote host by using its IP address. This helps you identify
whether the issue is due to name resolution. You can use the Ping command or the test-connection
Windows PowerShell cmdlet. If the Ping command succeeds with the IP address but fails by the host
name, the problem is with name resolution.
Note: Remember that the remote host must allow inbound ICMP echo packets through its
firewall for this test to be viable.
3. Attempt to verify connectivity to the remote host by its host name, by using the FQDN followed by a
period. For example, type the following command at the command prompt:
Test-connection LON-cl1.adatum.com.
5. If the test is unsuccessful, edit the C:\Windows\System32\drivers\etc\hosts text file from an
elevated editor (the file is writable only by administrators), and then add the appropriate entry at the
end of the file. For example, add this line, and then save the file:
172.16.0.51 LON-cl1.adatum.com
6. Perform the test-by-host-name procedure again. Name resolution should now be successful.
7. Examine the DNS resolver cache to verify that the name resolved correctly. To examine the DNS
resolver cache, type the following command at a command prompt:
IPConfig /displaydns
Note: You can also use the Windows PowerShell cmdlet Get-DnsClientCache.
8. Remove the entry that you added to the Hosts file, and then clear the resolver cache once more.
At the command prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution:
------------
SendRequest(), len 41
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
10.0.16.172.in-addr.arpa, type = PTR, class = IN
------------
------------
Got answer (73 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
10.0.16.172.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 10.0.16.172.in-addr.arpa
type = PTR, class = IN, dlen = 20
name = LON-dc1.adatum.com
ttl = 1200 (20 mins)
------------
Server: LON-dc1.adatum.com
Address: 172.16.0.10
Demonstration Steps
o Get-DnsClientCache
o ipconfig /flushdns
o Clear-DnsClientCache
o ipconfig /displaydns
o test-connection lon-dc1
o Get-DnsClientCache | fl
o ipconfig /displaydns
o nslookup LON-DC1
o Resolve-Dnsname LON-DC1 | fl
o notepad file.txt
2. Review the information, and then close Notepad.
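The following script is an added example, not part of the course text. It shows why step 8 of the procedure above matters: a hosts file entry is loaded into the resolver cache and silently wins over DNS, which is the effect step 5 relies on and also a common malware redirection trick. The functions compare what the hosts file, the resolver cache, and a DNS-only query each say about a name, flag a mismatch, and list who can write the hosts file. It assumes the course's lab names; the sample hosts text is constructed so that the parser can be exercised offline.

```powershell
# Added example, not part of the course text: compare hosts file, resolver
# cache, and DNS-only answers for a name, and audit hosts-file permissions.
# Lab names are the course's; the sample hosts text is constructed.

$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"

function ConvertFrom-HostsFile {
    # Parse hosts-file lines into name/address pairs, ignoring comments and blanks.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }        # an address with no names: skip it
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Name = $name.ToLower(); Address = $parts[0] }
        }
    }
}

function Compare-NameResolution {
    param(
        [Parameter(Mandatory)][string]$Name,
        [object[]]$HostsEntries = (ConvertFrom-HostsFile (Get-Content $HostsPath))
    )
    $key       = $Name.ToLower()
    $fromHosts = @($HostsEntries | Where-Object { $_.Name -eq $key } | ForEach-Object Address)
    $fromCache = @(Get-DnsClientCache -Entry $Name -Type A -ErrorAction SilentlyContinue | ForEach-Object Data)
    # -DnsOnly bypasses the hosts file and the cache and asks the configured servers.
    $fromDns   = @(Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction SilentlyContinue | ForEach-Object IPAddress)
    [pscustomobject]@{
        Name       = $Name
        HostsFile  = $fromHosts -join ','
        Cache      = $fromCache -join ','
        DnsOnly    = $fromDns   -join ','
        Overridden = ($fromHosts.Count -gt 0) -and (($fromHosts -join ',') -ne ($fromDns -join ','))
    }
}

function Get-HostsFileWriters {
    # Any identity here other than SYSTEM, Administrators, and TrustedInstaller
    # can redirect names for every user of the computer.
    (Get-Acl $HostsPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        Select-Object IdentityReference, FileSystemRights
}

$sampleHosts = @'
# constructed sample in the format of C:\Windows\System32\drivers\etc\hosts
127.0.0.1       localhost
172.16.0.51     LON-cl1.adatum.com          # the entry added in step 5
172.16.0.99     update.adatum.com           # would silently redirect an update host
'@ -split "`r?`n"

$entries = ConvertFrom-HostsFile -Lines $sampleHosts
Compare-NameResolution -Name 'LON-cl1.adatum.com' -HostsEntries $entries | Format-List
Compare-NameResolution -Name 'update.adatum.com'  -HostsEntries $entries | Format-List
# Live checks against the real hosts file:
# Compare-NameResolution -Name 'LON-dc1.adatum.com'; Get-HostsFileWriters
```

A row with Overridden set to True means the name the client uses does not come from DNS at all; on a lab machine that is the entry you added in step 5, on a production machine it is something to investigate.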
Which command(s) should you always use before starting to test name resolution?
Choose all that apply.
Ipconfig /release
Ipconfig /flushdns
Clear-DnsClientCache
Purge-DnsClientCache
Lesson 3
Implementing Wireless Network Connectivity
An increasing number of devices use wireless connections as the primary method for accessing corporate
intranets and the Internet. Additionally, many users have come to expect a wireless infrastructure in a
corporate workplace. As a result, a good working knowledge of wireless connectivity is a requirement for
today's networking environment. This lesson discusses the various wireless standards and the
configuration and support of Windows 10 wireless clients.
Lesson Objectives
After completing this lesson, you will be able to:
Ad hoc. Ad hoc networks can connect wireless devices dynamically in a peer-to-peer configuration
without the use of any infrastructure devices.
Specification | Description
802.11a | The first extension to the original 802.11 specification. It provides up to 54 megabits per second (Mbps) and operates in the 5 gigahertz (GHz) band. It is not compatible with 802.11b.
802.11b | Provides up to 11 Mbps and operates in the 2.4 GHz band.
802.11g | Transmission over short distances at speeds of up to 54 Mbps. It is backward-compatible with 802.11b and operates in the 2.4 GHz band.
802.11n | Adds multiple-input, multiple-output (MIMO) antennas, raising the maximum data rate to 600 Mbps (100 Mbps or more in typical deployments). It vastly improves speed over previous specifications and supports both the 2.4 GHz and 5 GHz bands.
802.11ac | Builds on 802.11n to reach 433 Mbps per spatial stream, and over 1 gigabit per second with multiple streams. 802.11ac operates only in the 5 GHz band.
Wireless security
Wireless security has been the biggest consideration by organizations planning a wireless implementation.
Because wireless traffic travels across open airwaves, it is susceptible to interception by attackers.
Therefore, organizations utilize several security technologies to address these concerns. Most Wi-Fi
devices support multiple security standards. The following table describes the current security methods
available for wireless networks.
Wired Equivalent Privacy (WEP). WEP is the oldest form of wireless security. Some devices support different versions:
WEP 64-bit key
WEP 128-bit key
WEP 256-bit key
The security issues surrounding WEP are well documented, and you should avoid using WEP unless it is the only alternative.
Wi-Fi Protected Access (WPA). Developed to replace WEP, WPA has two variations:
WPA-Personal. WPA-Personal is for home and small business networks, and is easier to implement than WPA-Enterprise. It involves providing a security password, and uses a technology called Temporal Key Integrity Protocol (TKIP). The password and the network Service Set Identifier (SSID) generate constantly changing encryption keys for each wireless client.
WPA-Enterprise. WPA-Enterprise is for corporate networks. It involves the use of a Remote Authentication Dial-In User Service (RADIUS) server for authentication.
WPA2. This is an improved version of WPA that has become the Wi-Fi security standard. WPA2 employs Advanced Encryption Standard (AES), which uses larger encryption keys.
The security methods that a given wireless device supports depend on the vendor and the device's age.
All modern wireless devices should support WPA2.
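The following Windows PowerShell script is an added example, not part of the course material: it rates each saved Wi-Fi profile against the security methods in the table above by parsing the output of netsh wlan show profile. It assumes English-locale netsh output (the Authentication and Cipher labels are localized), and the sample profile text at the end is constructed, not captured from a real device.

```powershell
# Added example (not part of the course): assess saved Wi-Fi profiles against the
# WEP / WPA / WPA2 methods described in this lesson.
# Assumption: English-locale "netsh wlan show profile" output.

function Get-WlanProfileSecurity {
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        [string[]]$ProfileText      # optional pre-captured netsh output (used by the sample below)
    )
    if (-not $ProfileText) {
        # Note: no "key=clear" here; the audit never needs the pre-shared key.
        $ProfileText = netsh wlan show profile name="$ProfileName"
    }
    $auth = 'Unknown'; $cipher = 'Unknown'
    foreach ($line in $ProfileText) {
        # Take the first occurrence of each label (printed under "Security settings").
        if ($auth -eq 'Unknown' -and $line -match '^\s*Authentication\s*:\s*(.+)$') { $auth = $Matches[1].Trim() }
        elseif ($cipher -eq 'Unknown' -and $line -match '^\s*Cipher\s*:\s*(.+)$')  { $cipher = $Matches[1].Trim() }
    }
    # netsh reports a WEP network as authentication "Open" with cipher "WEP", so test the cipher first.
    $assessment = switch -Regex ("$auth/$cipher") {
        '/WEP$'          { 'WEP: documented weaknesses; change the network security method'; break }
        '^Open/'         { 'Open: no encryption; traffic is readable by anyone in range'; break }
        '^WPA-'          { 'WPA (TKIP): legacy; move the access point to WPA2'; break }
        '^WPA2-.*/TKIP$' { 'WPA2 with TKIP: legacy cipher; prefer AES (CCMP)'; break }
        '^WPA2-'         { 'WPA2 (AES): current standard'; break }
        default          { "Unrecognized combination '$auth/$cipher'"; break }
    }
    [pscustomobject]@{
        Profile        = $ProfileName
        Authentication = $auth
        Cipher         = $cipher
        Assessment     = $assessment
    }
}

function Get-WlanSecurityReport {
    # Enumerate every saved profile on this device and assess each one.
    netsh wlan show profiles |
        Where-Object { $_ -match 'User Profile\s*:\s*(.+)$' } |
        ForEach-Object { Get-WlanProfileSecurity -ProfileName (($_ -split ':\s*', 2)[1].Trim()) }
}

# Constructed sample output (not captured from a real device) so the parser can be tried offline.
$sampleWep = @(
    'Profile LegacyLab on interface Wi-Fi:',
    'Security settings',
    '-----------------',
    '    Authentication         : Open',
    '    Cipher                 : WEP',
    '    Security key           : Present'
)
Get-WlanProfileSecurity -ProfileName 'LegacyLab' -ProfileText $sampleWep | Format-List
# On a Windows 10 device with a WLAN adapter:
# Get-WlanSecurityReport | Format-Table -AutoSize
```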
3. Tap Connect.
4. When prompted, enter the security information required by the wireless hub to which you are
connecting your device, and then tap Next.
3. Choose options:
o Select how you will share your networks with your contacts. Choose from:
Outlook.com
Skype
Facebook
4. At the bottom of the page, beneath Manage known networks, tap the network you wish
to manage.
In the Wi-Fi Status dialog box, you can view the properties of your wireless connection.
Tap Wireless Properties to view additional information, including the security settings of the
connection.
Note: You can use Windows Server Group Policy Objects (GPOs) to configure wireless
profiles. This saves your users from having to configure their wireless connections manually.
Lesson 4
Overview of Remote Access
Windows 10 helps users improve their productivity, regardless of their location, or that of the data they
need. Windows 10 supports the use of either VPNs or DirectAccess to enable users to access their work
environments from anywhere they connect.
Lesson Objectives
After completing this lesson, you will be able to:
Overview of VPNs
A VPN provides a point-to-point connection between components of a private network, through a public network such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a connection to the listening virtual port of a VPN server. To emulate a point-to-point link, the data is encapsulated, or wrapped, and prefixed with a header. This header provides routing information that enables the data to traverse the public network to reach its endpoint.
From the user's perspective, the VPN is a point-to-point connection between the computer (the VPN
client) and your organization's server. The exact infrastructure of the shared or public network is
irrelevant, because it logically appears as if the data is sent over a dedicated private link.
Site-to-site. Site-to-site VPN connections, which also are known as router-to-router VPN connections,
enable your organization to have routed connections between separate offices or with other
organizations over a public network, while maintaining secure communications.
Note: An IKEv2 VPN provides resilience to the VPN client when the client either moves
from one wireless hotspot to another or switches from a wireless to a wired connection. This
ability is a requirement of VPN Reconnect.
All VPN connections, irrespective of tunneling protocol, share some common characteristics:
Encapsulation. With VPN technology, private data is encapsulated with a header that contains routing
information, which allows the data to traverse the transit network.
Authentication. Authentication ensures that the two communicating parties know with whom they
are communicating.
Data encryption. To ensure data confidentiality as the data traverses the shared or public transit
network, the sender encrypts the data and the receiver decrypts it. The encryption and decryption
processes depend on both the sender and the receiver using a common encryption key. Intercepted
packets sent along the VPN connection in the transit network will be unintelligible to anyone who
does not have the common encryption key.
5. In the Connection name box, enter a meaningful name, such as Office Network.
6. In the Server name or address box, type the FQDN of the server to which you want to connect. This
is usually the name of the VPN server.
7. In the VPN type list, select between Point-to-Point Tunneling Protocol (PPTP), Layer Two
Tunneling Protocol with IPsec (L2TP/IPsec), Secure Socket Tunneling Protocol (SSTP), and
IKEv2. This setting must match the setting and policies configured on your VPN server. If you are
unsure, tap Automatic.
8. In the Type of sign-in info list, select either User name and password, Smart card, or One-time
password. Again, this setting must match your VPN server policies.
9. In the User name (optional) box, type your user name, and then in the Password (optional) box,
type your password. Select the Remember my sign-in info check box, and then tap Save.
To manage your VPN connection, from within NETWORK & INTERNET, on the VPN tab, tap the VPN
connection, and then tap Advanced options. You can then reconfigure the VPN settings as needed.
Note: Your VPN connection will appear on the list of available networks when you tap the
network icon in the notification area.
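As an added example that is not part of the course, the following Windows PowerShell script creates the connection from steps 5 through 9 with Add-VpnConnection instead of the Settings app, and then audits the saved connections for the tunnel types listed in step 7. The server FQDN is a placeholder, and the behaviour of -AuthenticationMethod Eap without an EAP XML profile (falling back to the built-in EAP-MSCHAPv2 user name and password method) is an assumption.

```powershell
# Added example (not part of the course): PowerShell equivalent of steps 5-9, plus an audit.
$vpnName   = 'Office Network'          # connection name from step 5
$vpnServer = 'vpn.example.com'         # placeholder: replace with your VPN server's FQDN

function New-OfficeVpnConnection {
    [CmdletBinding()]
    param([string]$Name = $vpnName, [string]$Server = $vpnServer)
    if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Connection '$Name' already exists; nothing to do"
        return
    }
    # IKEv2 is the tunnel type that supports VPN Reconnect (see the note earlier in this lesson).
    # EncryptionLevel Required makes the client refuse a session the server will not encrypt.
    # Assumption: Eap without -EapConfigXmlStream uses the built-in EAP-MSCHAPv2 method,
    # which corresponds to "User name and password" in step 8.
    Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
        -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential -PassThru
}

function Get-VpnTunnelAudit {
    # One row per saved connection of the current user; PPTP and Automatic get a remediation note.
    foreach ($c in (Get-VpnConnection -ErrorAction SilentlyContinue)) {
        $note = switch ($c.TunnelType) {
            'Pptp'      { 'PPTP is a legacy protocol; move server and client to IKEv2 or SSTP'; break }
            'Automatic' { 'Automatic may negotiate PPTP; pin the tunnel type the server enforces'; break }
            default     { 'OK'; break }
        }
        [pscustomobject]@{
            Name       = $c.Name
            Server     = $c.ServerAddress
            TunnelType = $c.TunnelType
            Encryption = $c.EncryptionLevel
            Note       = $note
        }
    }
}

New-OfficeVpnConnection -Verbose
Get-VpnTunnelAudit | Format-Table -AutoSize
```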
Overview of DirectAccess
The DirectAccess feature in Windows 10 enables
seamless remote access to intranet resources
without first establishing a user-initiated VPN
connection. The DirectAccess feature also
ensures seamless connectivity to an application
infrastructure for internal users and remote users.
IPv6 in DirectAccess
DirectAccess uses IPv6 and IPsec when clients connect to internal resources. However, many organizations
do not have a native IPv6 infrastructure. Therefore, DirectAccess uses IPv6 transition (tunneling) technologies
and communication over the IPv4-based Internet to connect IPv6 clients to IPv4 internal resources.
DirectAccess tunneling protocols include:
ISATAP. ISATAP enables DirectAccess clients to connect to the DirectAccess server over the IPv4
networks for intranet communication. By using ISATAP, an IPv4 network emulates a logical IPv6
subnet to other ISATAP hosts, where ISATAP hosts automatically tunnel to each other for IPv6
connectivity. ISATAP does not need changes on IPv4 routers because IPv6 packets are tunneled
within an IPv4 header. To use ISATAP, you have to configure DNS servers to answer ISATAP queries,
and enable IPv6 on network hosts.
6to4. 6to4 enables DirectAccess clients to connect to the DirectAccess server over IPv4-based
Internet. You can use 6to4 when clients have a public IP address. IPv6 packets are encapsulated in
an IPv4 header and sent over the 6to4 tunnel adapter to the DirectAccess server. You can use a GPO
to configure the 6to4 tunnel adapter for DirectAccess clients and the DirectAccess server.
Teredo. Teredo enables DirectAccess clients to connect to the DirectAccess server across the IPv4
Internet, when clients are located behind an IPv4 NAT device. Clients that have a private IPv4 address
use Teredo to encapsulate IPv6 packets in an IPv4 header and send them over IPv4-based Internet.
You can use a GPO to configure Teredo for DirectAccess clients and the DirectAccess server.
IP-HTTPS. IP-HTTPS enables DirectAccess clients to connect to the DirectAccess server over IPv4-
based Internet. Clients that are unable to connect to the DirectAccess server by using ISATAP, 6to4,
or Teredo use IP-HTTPS. You can use a GPO to configure IP-HTTPS for DirectAccess clients and the
DirectAccess server.
Components of DirectAccess
To deploy and configure DirectAccess, your organization must support the following infrastructure
components:
DirectAccess server. The DirectAccess server can be any computer running Windows Server 2012 or
Windows Server 2012 R2 that you join to a domain, that accepts connections from DirectAccess
clients, and that establishes communication with intranet resources.
DirectAccess clients. A DirectAccess client can be any domain-joined computer that is running the
Enterprise edition of Windows 10, Windows 8.1, Windows 8, or Windows 7.
Network Location Server. A DirectAccess client uses the Network Location Server to determine its
location. If the client computer can securely connect to the Network Location Server by using HTTPS,
then the client computer assumes it is on the intranet, and the DirectAccess policies are not enforced.
If the client computer cannot contact the Network Location Server, the client assumes it is on the
Internet.
Internal resources. These are the server-based resources to which users want to connect.
An AD DS domain. You must deploy at least one AD DS domain running, at a minimum, Windows
Server 2003 domain functional level.
Group Policy. You need to use Group Policy for the centralized administration and deployment of
DirectAccess settings.
Public key infrastructure (PKI). This is optional for the internal network. It provides the security
infrastructure (in terms of certificates) for authentication in some configurations of DirectAccess.
DNS server. You use the DNS server to enable name resolution of the servers in the DirectAccess
topology.
Which VPN tunneling protocol supports the VPN auto reconnect feature?
PPTP
L2TP
SSTP
IKEv2
Objectives
After completing this lab, you will have:
Lab Setup
Estimated Time: 45 minutes
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o Domain: Adatum
Task 1: Verify the IPv4 settings from Network and Sharing Center
1. Switch to LON-CL1.
o IPv4 Address
5. Click Properties, and then double-click Internet Protocol Version 4 (TCP/IPv4). You can configure
the IP address, subnet mask, default gateway, and DNS servers in this window.
6. Verify that the configuration matches what you just recorded.
Task 2: Verify the current IPv4 settings from the command line
1. Open Windows PowerShell, and then run Get-NetIPAddress. The IPv4 address should match what
you recorded earlier.
2. Run netsh interface ipv4 show config. The current IPv4 configuration is displayed and should
match what you recorded earlier.
3. Run ipconfig /all. Again, the information should match what you recorded earlier.
4. Leave Windows PowerShell open.
3. Run netstat -n. Identify the services that LON-CL1 had connections to on LON-DC1.
Results: After completing this exercise, you will have successfully verified Internet Protocol version 4 (IPv4)
settings.
2. Verify your configuration change from the Windows PowerShell prompt by using Ipconfig /all.
2. Run netstat -n. Observe the active connections to 172.16.0.10. Most connections to services are
transient. If no connections appear, create a connection.
3. Run netstat -n. Identify the services that LON-CL1 had connections to on LON-DC1.
4. In the details pane, you should see the address lease for your Windows 10 client.
Results: After completing this exercise, you will have successfully configured IPv4 settings to be assigned
automatically.
2. Notice that DHCP is enabled, and that the IP address of the DHCP server displays. Notice the DNS
server address.
o Clear-DnsClientCache. This flushes the current DNS resolver cache. It is not necessary to run this
in addition to the preceding command.
o ipconfig /displaydns. This verifies that you have no entries in the cache.
o Get-DnsClientCache | fl
o ipconfig /displaydns. This should display similar information to the preceding command.
2. Create a host record 172.16.0.10 www, and then save the file.
2. Review the information. Note that you must scroll to the section starting Got answer.
o What was the question that was asked of the DNS server?
o What was the response?
Results: After completing this exercise, you will have successfully verified your DNS settings and tested
name resolution.
2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.
Question: You are troubleshooting a network-related problem, and you suspect a name-
resolution issue. Before conducting tests, you want to purge the DNS resolver cache. How do
you do that?
Module 5
Managing Storage
Contents:
Module Overview 5-1
Module Overview
The Windows 10 operating system simplifies common tasks for information technology (IT) professionals
who manage and deploy desktops and laptops, devices, or virtual environments. IT professionals can take
advantage of tools and capabilities similar to those that they use in Windows 7 and Windows 8.
Although most computers that run Windows 10 have a single physical disk configured as a single volume,
this might not always be the case. For example, there might be times when you want to run multiple
operating systems on a single computer, or you might want to have the paging file on a different volume.
Therefore, it is important that you understand how to create and manage simple, mirrored, spanned, and
striped volumes. Windows 10 provides the Storage Spaces feature, which enables you to simplify multiple
hard disk storage administration from within the operating system installed on a physical computer. In
addition to traditional storage, you can use Windows 10 to create and access virtual hard disks. Windows
10 also introduces the Storage Sense feature that provides an overview of what files are stored on your
computer and where to store different types of files by default. To help maintain and optimize file system
performance, you must be familiar with file system fragmentation and the tools that you can use to
defragment a volume. Additionally, a good understanding of disk quotas is helpful if you want to manage
available disk space for volumes on computers.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of Storage Options
Although you can save files to the local hard disk in Windows 10, several additional storage options are
available. This lesson describes some of the different storage technologies, including different types of
server-based and cloud-based storage. You also can use the virtual hard disk feature in Windows 10 to
present a portion of a hard drive as an independent hard drive.
Lesson Objectives
After completing this lesson, you will be able to:
Explain the difference between network-attached storage (NAS) and storage area networks (SANs).
Describe how to use the cloud-based storage options available in Windows 10.
Depending on the hard disk controller installed in your computer, you might need to acquire a driver for
the hard disk before you can install Windows 10.
Availability. The local hard disk is always available, including in situations where there is no network
connectivity.
Performance. Only a single user uses the local hard disk. In addition, the bandwidth of your network
connection does not limit you.
Physical failures. If your local hard disk fails, you will not be able to start your computer.
Virtual hard disks are an integral part of virtual machine environments such as Client Hyper-V. You can
use virtual hard disks for several purposes and in any scenario where you might use a physical hard disk.
If you plan to use a virtual hard disk in place of a physical disk, consider the following advantages and
disadvantages.
Portability. Virtual hard disk files might be easier to move between systems, particularly when you use
shared storage.
Performance. In high I/O scenarios, the additional overhead of using a virtual hard disk can affect
performance.
Physical failures. A .vhd file does not protect against cluster failure on the underlying physical disks.
Server-based storage
Using Windows Server 2012 R2 as a file server gives you central access to your files. Although the file
server contains local storage, larger organizations will often acquire separate storage systems optimized
for performance and security. You connect these separate storage systems, such as a NAS or a SAN, to
the server; you will learn about them later in this module. Windows Server 2012 R2 adds functionality,
such as Work Folders, offline files, and failover clustering, that makes it suitable as a file server for
small, medium, and large enterprises.
Redundancy. Because most server-based storage protects data by using redundant disk systems, you
will not suffer data loss due to the failure of a single hard disk.
Performance. Server-based storage is often faster than local hard disks because it uses faster disks,
which you configure in a performance-optimized way.
Availability. You need a network connection to access server-based storage. If you are outside your
company's network, you might not be able to access the storage remotely, unless you use some kind
of caching technique, such as offline files.
Performance. You can experience bottlenecks in both network connectivity and access to server-
based storage because many users are accessing the same storage simultaneously.
NAS
NAS is storage attached to a dedicated storage device that you access over the network. Unlike DAS, NAS is not directly attached to a computer or server. NAS has two distinct solutions: a low-end appliance (NAS only), and an enterprise-class NAS that integrates with a SAN.
Each NAS device has a dedicated operating system that controls access to the data on the device, which
reduces the overhead associated with sharing the storage device with other server services. An example of
NAS software is Windows Storage Server, a special edition of Windows Server 2012 R2.
NAS devices typically provide file-level access to the storage, which means that you can access the data
on the storage only as files. You must use protocols such as Common Internet File System (CIFS), Server
Message Block (SMB), or network file system (NFS) to access the files.
To enable NAS storage, you need a storage device. Frequently, these devices do not have any server
interfaces such as keyboards, mice, and monitors. To configure the device, you need to provide a network
configuration, and then access the device across the network. You can then create network shares on the
device, which are addressed by the name of the NAS and the share created. The network's users can then
access these shares.
SAN
A SAN is a high-speed network that connects computer systems or host servers to high-performance
storage subsystems. A SAN usually includes various components such as host bus adapters (HBAs), special
switches to help route traffic, and storage disk arrays with logical unit numbers (LUNs) for storage.
A SAN enables multiple servers to access a pool of storage in which any server can potentially access any
storage unit. Because a SAN is a network, you can use a SAN to connect many different devices and hosts
and provide access to any connected device from anywhere.
SANs provide block-level access. This means that, rather than accessing the content on the disks as files by
using a file access protocol, SANs write blocks of data directly to the disks by using protocols such as Fibre
Channel over Ethernet or Internet Small Computer System Interface (iSCSI).
Today, most SAN solutions offer SAN and NAS together. The backend head units, disks, and technologies
are identical, and only the access method differs. Enterprises often provision block storage from the SAN
to the servers by using Fibre Channel over Ethernet or iSCSI. NAS services use the CIFS and NFS protocols.
If you want to use a SAN, Windows 10 supports the iSCSI protocol with the iSCSI initiator.
Cloud-Based Storage
Cloud storage simplifies access to your files as long as you have Internet access. When you sign in with your Microsoft account, you can access all the files on your Microsoft OneDrive. Microsoft also offers enterprise cloud storage with Microsoft Azure Storage. Cloud storage provides several benefits:
Microsoft OneDrive
OneDrive is free online storage that your Microsoft account provides. It is like an extra hard drive that is
available from any of the devices you use. When you create your Microsoft account, you get 15 gigabytes
(GB) of storage with options to get more storage space. You no longer need to email files to yourself
or carry around a USB flash drive that you might easily misplace. Instead, you can access your files on
OneDrive irrespective of whether you are on your laptop working on a presentation, on your new tablet
viewing photos from your last family vacation, or on your phone reviewing your shopping list.
Getting started with OneDrive is easy. You can add files already on your PC to OneDrive by either copying
them over or moving them from your PC. When you save new files, you can choose to save them to
OneDrive so that you can access them from any device and share them with other people. From devices
with a built-in camera, you can automatically save copies of the photos in your camera roll to OneDrive,
so you will always have a backup.
You can access OneDrive natively from Windows 8 and Windows 10 or you can access it through a
browser at onedrive.com to access additional enabled features, such as sharing and accessing files on
your devices remotely.
Windows 10 does not support smart files. Instead, the selective sync feature in Windows 10 allows you to
choose which files and folders you want available for offline access. This change is due to the increased
storage available in OneDrive. Because some customers have unlimited space on their OneDrive, smart
files would take up a significant amount of local storage for placeholders and the index, which might not
be available on devices with limited local storage, such as tablets.
Azure Storage
Microsoft Azure Storage is a cloud storage solution that developers and IT professionals use to build
applications. Azure Storage saves data in the cloud. You can access Azure Storage by using any type of
device and by using any type of application, from the smallest app to applications with terabytes of data.
Blob storage stores any type of text or binary data. This includes documents and media files.
Table storage stores structured datasets. Table storage is a NoSQL key-attribute data store.
Queue storage provides messaging for workflows. Communication between different components of
cloud services is also one of the uses of queue storage.
File storage uses the standard SMB protocol. Azure virtual machines and cloud services can share file
data with file storage. On-premises applications can also access file data in a share via file storage.
What are the advantages of using virtual hard disks? (Select all that apply)
Backup
Performance
Portability
Availability
Physical failures
Which features do you get with Microsoft OneDrive in Windows 10? (Select all that
apply)
15 GB free storage
Lesson 2
Managing Disks, Partitions, and Volumes
Before you can use a disk in Windows 10, you must prepare it for use. You must first partition the disk by
using either the master boot record (MBR) partitioning scheme or the globally unique identifier (GUID)
partition table (GPT) partitioning scheme. After partitioning the disk, you must create and format one or
more volumes before an operating system can use the disk.
You can use disk management tools to perform disk-related tasks, such as creating and formatting
partitions and volumes, assigning drive letters, and resizing disks.
Lesson Objectives
After completing this lesson, you will be able to:
Create volumes.
Manage volumes.
Resize a volume.
MBR disks
The MBR contains the partition table for a disk and a small amount of executable code called the master boot code. Partitioning a disk creates the MBR automatically on the first sector of the hard disk. The MBR contains a four-partition entry table that describes the size and location of a disk partition by using 32-bit logical block addressing (LBA) fields. Most Windows 10 editions, such as the 32-bit and 64-bit versions that run on motherboards with BIOS firmware, require an MBR-partitioned system disk and are not bootable with a larger capacity disk. Newer motherboards enabled with Unified Extensible Firmware Interface (UEFI) can read both MBR and the newer GPT disks.
Four partitions on each disk. MBR-based disks are limited to four partitions. All of these can be
primary partitions, or one can be an extended partition with logical volumes inside. You can configure
the extended partition to contain multiple volumes.
No redundancy provided. The MBR is a single point of failure. If it is corrupt or suffers damage, it can
render a computer incapable of starting.
MBR disks can be either basic or dynamic disk types. Dynamic disks support additional options that are
not available on a basic disk, including volumes that are able to span multiple disks and fault-tolerant
volumes.
GPT disks
GPT disks contain an array of partition entries that describe the start and end LBA of each partition on a
disk. Each GPT partition has a unique GUID and partition-content type. Each LBA that the partition table
describes is 64 bits in length. The UEFI specifies the GPT format, but it is not exclusive to UEFI systems.
Both 32-bit and 64-bit Windows operating systems support GPT for data disks on BIOS systems. However,
they cannot boot from them. 64-bit Windows operating systems support GPT for boot disks on UEFI
systems.
128 partitions per disk. This is a vast improvement over MBR-based disks.
18 exabytes of volume size. This is a theoretical maximum because hard-disk hardware that can
support such vast volume sizes is not yet available.
Redundancy. Cyclic redundancy check (CRC) duplicates and protects the GPT.
You can implement GPT disks on Windows Server 2008 and newer versions, Windows 10, Windows 8.1,
Windows 8, Windows 7, and Windows Vista. You cannot use the GPT partition style on removable disks.
GPT architecture
A GPT-partitioned disk defines the following sectors:
Sector 0 contains a legacy protective MBR, which contains one primary partition that covers the
entire disk:
o The protective MBR protects GPT disks from previously released MBR disk tools, such as the
MS-DOS fdisk or Windows NT Disk Administrator. These tools view a GPT disk as a single
encompassing (possibly unrecognized) partition by interpreting the protective MBR, rather than
mistaking the disk for one that does not have any partitions. This means that the tools will not
view a GPT-initialized disk as having no partitions, making it less vulnerable to incidental data
loss.
o Legacy software that is not aware of GPT interprets only the protective MBR when it accesses a
GPT disk.
Sector 1 contains a partition table header. The partition table header contains the unique disk GUID,
the number of partition entries (usually 128), and pointers to the partition table.
The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the
partition offset, length, type (also a GUID), attributes, and a 36-character name.
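The following Windows PowerShell script is an added example, not part of the course: it parses the partition table header fields described above (signature, revision, disk GUID, number and size of partition entries) and recomputes the header CRC32 that protects the GPT, showing how a single edited byte is detected. The header bytes, the disk size and the disk GUID are constructed for illustration and are not read from a real disk.

```powershell
# Added example (not part of the course): parse a GPT header (LBA 1) and verify its CRC32.
# All header bytes below are constructed; nothing is read from a physical disk.

function Get-Crc32 {
    # Standard reflected CRC-32 (polynomial 0xEDB88320), the variant the UEFI specification uses.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $table = New-Object 'uint32[]' 256
    for ($i = 0; $i -lt 256; $i++) {
        [uint32]$c = $i
        for ($k = 0; $k -lt 8; $k++) {
            if ($c -band 1) { $c = 0xEDB88320 -bxor ($c -shr 1) } else { $c = $c -shr 1 }
        }
        $table[$i] = $c
    }
    [uint32]$crc = 0xFFFFFFFF
    foreach ($b in $Bytes) {
        $crc = $table[($crc -bxor $b) -band 0xFF] -bxor ($crc -shr 8)
    }
    return [uint32]($crc -bxor 0xFFFFFFFF)
}

function New-SampleGptHeader {
    # Constructed header for a 1 GiB disk with 512-byte sectors (2,097,152 LBAs); one full sector.
    $h = New-Object byte[] 512
    [Text.Encoding]::ASCII.GetBytes('EFI PART').CopyTo($h, 0)     # signature
    [BitConverter]::GetBytes([uint32]0x00010000).CopyTo($h, 8)    # revision 1.0
    [BitConverter]::GetBytes([uint32]92).CopyTo($h, 12)           # header size
    # bytes 16-19: header CRC32, written last
    [BitConverter]::GetBytes([uint64]1).CopyTo($h, 24)            # LBA of this header
    [BitConverter]::GetBytes([uint64]2097151).CopyTo($h, 32)      # backup header on the last LBA
    [BitConverter]::GetBytes([uint64]34).CopyTo($h, 40)           # first usable LBA
    [BitConverter]::GetBytes([uint64]2097118).CopyTo($h, 48)      # last usable LBA
    # GPT stores GUIDs in the same mixed-endian byte order Windows uses, so ToByteArray() fits.
    ([guid]'11111111-2222-3333-4444-555555555555').ToByteArray().CopyTo($h, 56)  # constructed disk GUID
    [BitConverter]::GetBytes([uint64]2).CopyTo($h, 72)            # partition entries start at LBA 2
    [BitConverter]::GetBytes([uint32]128).CopyTo($h, 80)          # number of partition entries
    [BitConverter]::GetBytes([uint32]128).CopyTo($h, 84)          # bytes per partition entry
    # bytes 88-91: CRC32 of the partition entry array (left zero; this sample has no array)
    $crc = Get-Crc32 ([byte[]]$h[0..91])                          # computed while the CRC field is zero
    [BitConverter]::GetBytes([uint32]$crc).CopyTo($h, 16)
    return ,$h
}

function Read-GptHeader {
    param([Parameter(Mandatory)][byte[]]$Sector)
    $sig = [Text.Encoding]::ASCII.GetString($Sector, 0, 8)
    if ($sig -ne 'EFI PART') { throw "Not a GPT header: signature is '$sig'" }
    $size = [int][BitConverter]::ToUInt32($Sector, 12)
    if ($size -lt 92 -or $size -gt $Sector.Length) { throw "Implausible header size $size" }
    # The stored CRC covers the first $size bytes with the CRC field itself set to zero.
    $copy = [byte[]]$Sector[0..($size - 1)]
    for ($i = 16; $i -lt 20; $i++) { $copy[$i] = 0 }
    $stored   = [BitConverter]::ToUInt32($Sector, 16)
    $computed = Get-Crc32 $copy
    [pscustomobject]@{
        Revision            = '{0}.{1}' -f [BitConverter]::ToUInt16($Sector, 10), [BitConverter]::ToUInt16($Sector, 8)
        HeaderSize          = $size
        CurrentLba          = [BitConverter]::ToUInt64($Sector, 24)
        BackupLba           = [BitConverter]::ToUInt64($Sector, 32)
        FirstUsableLba      = [BitConverter]::ToUInt64($Sector, 40)
        LastUsableLba       = [BitConverter]::ToUInt64($Sector, 48)
        DiskGuid            = [guid]::new([byte[]]$Sector[56..71])
        PartitionEntryLba   = [BitConverter]::ToUInt64($Sector, 72)
        PartitionEntryCount = [BitConverter]::ToUInt32($Sector, 80)
        PartitionEntrySize  = [BitConverter]::ToUInt32($Sector, 84)
        HeaderCrcValid      = ($stored -eq $computed)
    }
}

$header = New-SampleGptHeader
Read-GptHeader $header | Format-List

# Editing one byte (entry count 128 -> 64) without recomputing the CRC is detected,
# which is why the note in this lesson warns against raw disk-editing tools on GPT disks.
$tampered = [byte[]]$header.Clone()
$tampered[80] = 64
"Tampered header CRC valid: $((Read-GptHeader $tampered).HeaderCrcValid)"
```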
The following table describes the partitions that Windows 10 creates when you install it on a GPT disk.
Dynamic Disks
Dynamic disks provide features that basic disks do not. You can create volumes that span multiple disks and fault-tolerant volumes. Dynamic disks can also use the MBR or GPT partition styles.
You cannot convert a basic disk to a dynamic disk unless there is at least 1 MB of unused space on
the disk, because the Logical Disk Manager database requires that space.
You cannot convert a dynamic disk to a basic disk without losing data. You need to delete all dynamic
volumes on the disk. Disk Management automatically converts the disk to basic when you delete the
last volume.
You cannot use Windows PowerShell to manage dynamic disks. The storage cmdlets will not
recognize dynamic disks.
Note: In a multiboot scenario, if you are in one operating system, and you convert a basic
MBR disk that contains an alternate operating system to a dynamic MBR disk, you will not be
able to start in the alternate operating system.
Basic disks. Advantages: compatible with most operating systems; can be converted to a dynamic disk without data loss. Disadvantages: only uses contiguous space on one disk; limited number of partitions on MBR disks.
Note: Windows 10 does not support remote connections in workgroups. Both the local
computer and the remote computer must be in a domain for you to use Disk Management to
manage a disk remotely.
Note: Do not use disk-editing tools such as dskprobe.exe to make changes to GPT disks.
Any change that you make renders the checksums invalid, which might cause the disk to become
inaccessible. To make changes to GPT disks, use Windows PowerShell, DiskPart, or Disk
Management.
With either tool, you can initialize disks, create volumes, and format a volume file system. Additional
common tasks include moving disks between computers, changing disks between basic and dynamic
types, and changing the partition style of disks. You can perform most disk-related tasks without
restarting a system or interrupting users, and most configuration changes take effect immediately.
Disk Management
By using the Disk Management snap-in to the Microsoft Management Console (MMC), administrators
can manage volumes quickly and confirm the health of each volume. Disk Management in Windows 10
provides the same features as previous versions, including:
Simpler partition creation. When you right-click a volume, you can choose whether to create a basic,
spanned, or striped partition directly from the menu.
Disk conversion options. When you try to extend a partition to a noncontiguous area on the same or
another disk, Disk Management prompts you to convert the disk to dynamic. You also can convert
basic disks to dynamic disks without incurring data loss. However, converting a dynamic disk to basic
is not possible without first deleting all of the volumes.
Extend and shrink partitions. You can extend and shrink partitions from Disk Management.
1. Click Start and type disk. This will display the search window.
2. Continue typing diskmgmt.msc in the search box, and then click diskmgmt.msc in the results list.
DiskPart
By using DiskPart, you can manage fixed disks and volumes by using scripts or direct input from the
command line. At the command prompt, type DiskPart, and then enter commands at the DiskPart
command prompt. The following are common DiskPart actions:
To view a list of DiskPart commands, at the DiskPart command prompt, type commands.
To run a DiskPart script that you saved in a text file, at the command prompt, type a command similar to
diskpart /s testscript.txt.
To create a log file of the DiskPart session, type DiskPart /s testscript.txt > logfile.txt.
The following table shows several DiskPart commands that you will use frequently.
Command Description
select disk disknumber. Selects the specified disk, where disknumber is the disk number, and gives it focus.
convert gpt. Converts a disk with the MBR partition style to a basic disk with the GPT partition style.
Windows PowerShell
Prior to Windows PowerShell 3.0, if you wanted to script disk management tasks, you had to make calls
to Windows Management Instrumentation (WMI) objects or include DiskPart in your scripts. Windows
PowerShell 3.0 and newer versions include the Storage module, whose cmdlets manage disks natively. The following table
details some of those cmdlets.
Cmdlet | Description | Notable parameter
Clear-Disk | Removes all partition and volume information from a disk. This is destructive: you must add -RemoveData (and -RemoveOEM for OEM partitions) before it will clear a disk that contains data. | -ZeroOutEntireDisk writes zeros to every sector of the disk instead of only clearing the partition tables.
Initialize-Disk | Prepares a RAW disk for use by writing a partition table. By default, it initializes the disk with the GPT partition style. | -PartitionStyle specifies the partition style, either MBR or GPT.
Set-Disk | Updates a disk with the specified attributes, for example bringing it online or clearing its read-only flag. | -PartitionStyle specifies the partition style, MBR or GPT. You can use it to change the partition style of a disk that was initialized previously, provided the disk contains no partitions.
Get-Volume | Returns information on all file system volumes, or on those volumes that match a filter. | -DriveLetter returns the volume with the specified drive letter. -FileSystemLabel returns the volume or volumes that carry the specified label.
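The script below is an added example, not part of the course text, that strings the cmdlets from the table together to take a newly attached disk from RAW to a formatted NTFS volume. It assumes that disk number 2 is the new disk and that drive letter F is free; both are assumptions for the example. Because Clear-Disk and Initialize-Disk are destructive, the script refuses to touch the disk that holds the system or boot volume and requires the disk to be RAW before it will initialize it, so an administrator cannot wipe a data disk by mistyping a disk number.

```powershell
# Added example: initialize a new disk safely with the Storage module cmdlets.
# Assumptions (not from the course text): disk number 2 is the new disk and
# drive letter F is unused. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [int]$DiskNumber = 2,
    [char]$DriveLetter = 'F',
    [string]$Label = 'Data'
)

$disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

# Guard 1: never clear or re-initialize the disk Windows booted from.
if ($disk.IsSystem -or $disk.IsBoot) {
    throw "Disk $DiskNumber holds the system or boot volume; refusing to modify it."
}

# Guard 2: only initialize disks that are still RAW (no partition table).
# A disk that already has MBR or GPT may hold data; Clear-Disk -RemoveData would
# destroy it, so that must be a deliberate, separate decision.
if ($disk.PartitionStyle -ne 'RAW') {
    throw ("Disk $DiskNumber already has partition style $($disk.PartitionStyle). " +
           "Run 'Clear-Disk -Number $DiskNumber -RemoveData' only if you are sure it is expendable.")
}

# New disks often arrive offline and read-only; make the disk usable first.
if ($disk.IsOffline)  { Set-Disk -Number $DiskNumber -IsOffline $false }
if ($disk.IsReadOnly) { Set-Disk -Number $DiskNumber -IsReadOnly $false }

# GPT is the default partition style and the one to use for disks larger than 2 TB.
Initialize-Disk -Number $DiskNumber -PartitionStyle GPT

# One partition using all available space, formatted NTFS with the chosen label.
New-Partition -DiskNumber $DiskNumber -UseMaximumSize -DriveLetter $DriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null

# Verify with Get-Volume and Get-Disk rather than trusting that the pipeline succeeded.
$check = Get-Volume -DriveLetter $DriveLetter
if ($check.FileSystem -ne 'NTFS' -or (Get-Disk -Number $DiskNumber).PartitionStyle -ne 'GPT') {
    throw "Verification failed: expected an NTFS volume on a GPT disk."
}
"{0}: {1} ({2}) {3:N1} GB free of {4:N1} GB" -f $check.DriveLetter, $check.FileSystemLabel,
    $check.FileSystem, ($check.SizeRemaining / 1GB), ($check.Size / 1GB)
```

The two guards are the point: IsSystem and IsBoot are the properties Get-Disk exposes for the disk Windows is running from, and a RAW check is the cheapest way to confirm that nothing has ever been written to the disk you are about to partition.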
Simple Volumes
The most commonly used disk arrangement is a simple volume. A simple volume is a contiguous, unallocated area of a single physical hard disk that you format to create a file system. You then assign a drive letter to it or mount it in an existing volume by using a volume mount point.
Scenario | Description
Business desktop computer with one disk | Most business users require a basic disk and one basic volume for storage, but do not require a computer with volumes that span multiple disks or that provide fault tolerance. This is the best choice for those who require simplicity and ease of use.
Business desktop computer with one disk and more than one volume | If small business users want to upgrade their operating systems and reduce the impact on their business data, they must store the operating system in a separate location from business data. This scenario requires a basic disk with two or more simple volumes. Users can install an operating system on the first volume, creating a boot volume or system volume, and use the second volume to store data. When a new version of an operating system releases, users can reformat the boot or system volume, and then install the new operating system. The business data, located on the second volume, remains untouched.
A simple volume might provide better performance than striped data layout schemes. For example, when
serving multiple, lengthy, sequential streams, performance is best when a single disk services each stream.
Workloads composed of small, random requests do not always result in performance benefits when you
move them from a simple to a striped data layout.
The emergence of SSDs, which offer extremely fast data transfer rates, offers the Windows 10 user another
decision related to storing data. SSDs currently are more expensive and have smaller capacities compared
to traditional magnetic hard disk drives. This combination of performance, size, and cost is an acceptable
compromise when used in small form factor devices. However, a desktop PC might benefit from a
combination of an SSD for Windows system files and a large capacity hard disk drive for business data.
When creating a mirrored volume, the second disk must have at least as much unallocated space as the
volume you want to mirror. Once you establish the mirror, you cannot resize the mirrored volume.
There are two main benefits of using mirrored volumes. Recovering from a disk failure is very quick as
there is no data to rebuild. Additionally, read operations have a slight performance boost because you
can read from both disks simultaneously.
There are two main disadvantages of using mirrored volumes. Write operations are slightly slower as every
write needs to occur on both disks. Mirrored volumes are the least efficient use of space compared with
other disk configurations.
You can create a spanned volume by extending a simple volume to an area of unallocated space on a
second disk, or you can designate multiple disks during the volume-creation process. The benefits of
using spanned volumes include uncomplicated capacity planning and straightforward performance
analysis.
If you create a new spanned volume, you must define the same properties as when you create a simple
volume in terms of size, file system, and drive letter. In addition, you must define how much space to
allocate to the spanned volume from each physical disk.
You can create spanned volumes on dynamic disks only. If you attempt to create a spanned volume on
basic disks, the Windows operating system prompts you to convert the disks to dynamic after you have
defined the volume's properties and confirmed the choices.
It is possible to shrink a spanned volume. However, it is not possible to remove an area from a specific
disk. For example, if a spanned volume consists of three 100-MB partitions on each of three disks, you
cannot delete the third element.
If you install additional hard disks, it is possible to extend the spanned volume to include areas of
unallocated space on the new disks, as long as the total number of disks does not exceed the 32-disk
limit for spanned volumes.
Striped volumes also are well suited for isolating the paging file. By creating a volume where Pagefile.sys
is the only file on the entire volume, the paging file is less likely to become fragmented, which helps
improve performance. Redundancy is not required for the paging file normally. Striped volumes provide
a better solution than RAID-5 for paging file isolation. This is because the paging file activity is write-
intensive, and RAID-5 is better suited for read performance than write performance.
Because there is no allocated capacity for redundant data, striped volumes do not provide data-recovery
mechanisms such as those in RAID-1 and RAID-5. The failure of any disk results in data loss on a larger
scale than it would on a simple volume, because it disrupts the entire file system that spreads across
multiple physical disks. The more disks that you combine in RAID-0, the less reliable the volume becomes.
When you create a striped volume, you define the file system, drive letter, and other standard volume
properties. Additionally, you must define the disks from which to allocate free space. The allocated space
from each disk must be identical in size. It is possible to delete a striped volume, but it is not possible to
extend or to shrink the volume.
Note: RAID-5 is a striped set with parity volume. It combines the speed of striped volumes
with fault tolerance. It is not possible to create RAID-5 in Disk Management in Windows 10.
Demonstration Steps
Initialize disks
In Windows PowerShell, type the following commands:
Get-Disk -Number 2
New-Partition -DiskNumber 2 -Size 5350879232 | Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2
Get-Partition -DiskNumber 2
(Note the partition number you just created, as you will use it in the next step.)
To shrink a volume, the volume must be formatted with the NTFS file system or be unformatted (RAW), and you
must be a member of the Backup Operators or Administrators group. When you shrink a volume, the space that
it gives up is taken from the end of the volume, so free space must be contiguous there. If you want to ensure that the
maximum amount of space is available, make sure you perform the following tasks before shrinking:
Defragment the volume. This consolidates file data toward the start of the volume so that unused space is at the end.
Ensure that the volume you are shrinking is not storing any page files.
When you shrink a volume, unmovable files (for example, a page file) do not relocate automatically. It is
not possible to decrease the allocated space beyond the point where the unmovable files are located. If
you need to shrink a partition further, transfer the unmovable file to another disk, shrink the volume, and
then transfer the unmovable file back to the disk. You can shrink simple and spanned volumes, but not
others. You can increase the size of a simple volume in the following ways:
Extend the simple volume on the same disk. The disk remains a basic disk if the free space is adjacent
to the volume you want to extend. If it is not contiguous space, then the disk will convert to a
dynamic disk.
Extend a simple volume to include unallocated space on other disks on the same computer. This
creates a spanned volume.
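The following added example, which is not part of the course text, performs the shrink from Windows PowerShell and shows why "shrink to the used space" is not generally possible: Get-PartitionSupportedSize reports the smallest size NTFS will accept, which is set by the last unmovable cluster rather than by how much data the volume holds. It assumes E: is an NTFS simple volume and that you want to give back 2 GB; both are assumptions for the example.

```powershell
# Added example: shrink a volume only after asking NTFS what it will allow.
# Assumptions (not from the course text): E: is an NTFS simple volume and the goal
# is to release 2 GB. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator
param(
    [char]$DriveLetter = 'E',
    [long]$ShrinkBy = 2GB
)

$part = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop

# Only NTFS (or unformatted) volumes can be shrunk; refuse anything else up front.
$vol = Get-Volume -DriveLetter $DriveLetter
if ($vol.FileSystem -and $vol.FileSystem -ne 'NTFS') {
    throw "${DriveLetter}: is $($vol.FileSystem); only NTFS or unformatted volumes can be shrunk."
}

# A page file on the volume is unmovable and caps how far the shrink can go.
$pageFiles = Get-CimInstance Win32_PageFileUsage | Where-Object { $_.Name -like "${DriveLetter}:*" }
if ($pageFiles) { Write-Warning "A page file is on ${DriveLetter}:; the shrink may be limited by it." }

# SizeMin is the smallest size the file system allows. It is governed by the position
# of the last unmovable cluster, not by used space, which is why a volume usually
# cannot be shrunk all the way down to the size of the data it holds.
$limits  = Get-PartitionSupportedSize -DriveLetter $DriveLetter
$target  = $part.Size - $ShrinkBy
$minSize = $limits.SizeMin

"Current size: {0:N2} GB  Minimum allowed: {1:N2} GB  Requested: {2:N2} GB" -f
    ($part.Size / 1GB), ($minSize / 1GB), ($target / 1GB)

if ($target -lt $minSize) {
    $msg = "Cannot shrink by {0:N2} GB; unmovable files allow at most {1:N2} GB. Defragment, move the page file, or shrink less." -f ($ShrinkBy / 1GB), (($part.Size - $minSize) / 1GB)
    throw $msg
}

# Resize-Partition takes the new total size, not the amount to remove.
Resize-Partition -DriveLetter $DriveLetter -Size $target
"New size: {0:N2} GB" -f ((Get-Partition -DriveLetter $DriveLetter).Size / 1GB)
```

If the check fails, run Optimize-Volume on the volume or move the page file as the lesson describes, then query Get-PartitionSupportedSize again; SizeMin will have dropped if the unmovable files were the cause.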
Demonstration Steps
Shrink partition in Windows PowerShell
In Windows PowerShell, type the following command:
What are the features of a GPT-initialized disk? (Select all that apply)
Up to four partitions
Up to 128 partitions
Maximum size of 2 TB
Redundancy
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You can shrink a volume to the size of the used storage space on the
volume.
Lesson 3
Maintaining Disks and Volumes
The Storage Sense feature in Windows 10 can give you an overview of what types of files the volumes are
storing. When you first create a volume, you typically create new files and folders in the volume's available
free space in contiguous blocks. This provides an optimized file system environment. As the volume
becomes full, the availability of contiguous blocks diminishes, which can lead to suboptimal performance.
This lesson explores file system fragmentation and the tools that you can use to reduce fragmentation.
You also will see how Windows 10 can compress files to take up less space on the hard disk. You will see
how you can configure disk quotas to monitor and control the use of disk space.
Lesson Objectives
After completing this lesson, you will be able to:
Storage
In Storage, you get an overview of all the volumes currently attached to your PC. This includes hard disks,
USB drives, and other external storage, except OneDrive. The drive that contains the Windows installation
has the label This PC. You identify the other drives by label and drive letter. When you click a drive, you
will get a more detailed view of the categories of files that are taking the most space. The categories are
color-coded to make it easier to see how the space is divided. Storage Sense shows the size for the
following categories of files:
Documents
Pictures
Music
Videos
OneDrive
Desktop
Maps
Other users
Temporary files
Other
Depending on the drive and category that you click, you will have different management options. If
you click one of the file type categories on a drive other than This PC, you will see a list of directories
containing files from that category. For This PC, you have the option to open File Explorer at that
particular file type's folder within the user's profile.
OneDrive
You will be able to select which folders synchronize to this device to save disk space. This is particularly
useful on devices with limited storage space, such as tablets.
Temporary files
This category gives you a list of disk space used by temporary files, downloads, the recycle bin, and
previous versions of Windows. For each item, there is an option to delete the files.
Save locations
Storage Sense also allows you to choose the drive to save new files. You can choose between the drives
connected to your computer. If you are signed in with a Microsoft account, you can also choose OneDrive.
Demonstration Steps
1. Open Storage in Settings.
4. Change the default drive where documents are saved to Simple (E:).
Disk Fragmentation
Fragmentation of a file system occurs over time
as you save, change, and delete files. Initially,
Windows saves files in contiguous areas on a
given volume. This is efficient for the physical
disk, as the read/write heads are able to access
these contiguous blocks most quickly.
Although NTFS is more efficient at handling disk fragmentation than earlier file systems, this
fragmentation still presents a potential performance problem. Combined hardware and software
advances in the Windows operating system help to mitigate the impact of fragmentation and deliver
better responsiveness.
Optimizing a disk
When you optimize a disk, files are relocated optimally. This ability to relocate files is beneficial when you
are shrinking a volume, because it frees up space that you can later reclaim. Windows 10 defragments
drives automatically on a scheduled basis, running weekly in the background to rearrange data and
reunite fragmented files. You can check the status of a defragmentation or perform a manual
optimization at any time by launching the Optimize Drives tool.
To optimize a volume or drive manually, or to change the automatic optimization schedule, right-click a
volume in File Explorer, click Properties, click the Tools tab, and then click Optimize. You can perform
the following tasks:
You can also start the optimization process by launching Defragment and Optimize Your Drives from the
Administrative Tools section within the System and Security section in Control Panel.
To verify that a disk requires defragmentation, in the Optimize Drives tool, select the disk that you want to
defragment, and then click Analyze. After Windows finishes analyzing the disk, check the percentage of
fragmentation on the disk in the Current status column. If the number is high, you should defragment
the disk. The Optimize Drives tool might take several minutes to a few hours to finish defragmenting,
depending on the size and degree of fragmentation of the disk or USB device, such as an external hard
drive. You can use the computer during the defragmentation process, although disk access might be
slower and the defragmentation might take longer.
You can configure and run disk defragmentation from an elevated command prompt by using the defrag
command-line tool. Use Defrag /? at a command prompt for available options.
You can minimize file system fragmentation by using the following methods:
Partition a disk so that you isolate static files from those that users create and delete frequently, such
as some user-profile files and temporary Internet files.
Use the Disk Cleanup feature (cleanmgr.exe) to free the disk space that temporary files, downloaded program
files, the Recycle Bin, and other unneeded files consume.
Use the Optimize Drives tool to help reduce the impact of disk fragmentation on disk volumes,
including USB drives. The Optimize Drives tool rearranges fragmented data so that disks and drives
can work more efficiently.
You should not defragment newer drives, such as SSDs. If an SSD or USB flash drive becomes fragmented,
you will gain only a small amount of performance benefit by consolidating its files. This is because flash storage
accesses every location at the same high speed, regardless of the location or level of fragmentation, while the
volume of read/write operations that defragmentation requires consumes the drive's limited write endurance. For
SSDs, the Optimize Drives tool instead sends TRIM commands for the free space (a retrim) so that the drive can
erase blocks that the file system no longer uses.
Note: Defragmenting an SSD or a USB flash drive can decrease the life span of a drive
significantly.
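This added example, not part of the course text, shows the media-aware version of the defrag command line: it looks up the media type of the physical disk behind each fixed volume and then runs Optimize-Volume with -Defrag for spinning disks and -ReTrim for SSDs, skipping anything it cannot classify instead of guessing. Matching a volume to its physical disk by UniqueId is a choice made for this example; a volume on a Storage Spaces virtual disk has no matching physical disk and is therefore reported as Unknown and skipped.

```powershell
# Added example: pick the right Optimize-Volume operation for each volume's media.
# No names here come from the course text. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-VolumeMedia {
    # One object per fixed volume with a drive letter: the letter, file system, and
    # the MediaType (HDD or SSD) of the physical disk behind it. A volume on a
    # Storage Spaces virtual disk matches no physical disk and comes back 'Unknown'.
    $physical = Get-PhysicalDisk
    Get-Volume | Where-Object { $_.DriveLetter -and $_.DriveType -eq 'Fixed' } | ForEach-Object {
        $disk = Get-Partition -DriveLetter $_.DriveLetter -ErrorAction SilentlyContinue | Get-Disk
        $pd   = $physical | Where-Object { $disk -and $_.UniqueId -eq $disk.UniqueId }
        [pscustomobject]@{
            DriveLetter = $_.DriveLetter
            FileSystem  = $_.FileSystem
            MediaType   = if ($pd) { $pd.MediaType } else { 'Unknown' }
        }
    }
}

foreach ($v in Get-VolumeMedia) {
    switch ($v.MediaType) {
        'HDD' {
            # Spinning disk: -Analyze writes nothing and, with -Verbose, prints the
            # fragmentation report; -Defrag then consolidates the files.
            Optimize-Volume -DriveLetter $v.DriveLetter -Analyze -Verbose
            Optimize-Volume -DriveLetter $v.DriveLetter -Defrag -Verbose
        }
        'SSD' {
            # Flash: never consolidate. -ReTrim re-sends TRIM for all free space so
            # the drive can erase unused blocks, which is what the weekly task does.
            Optimize-Volume -DriveLetter $v.DriveLetter -ReTrim -Verbose
        }
        default {
            Write-Warning "$($v.DriveLetter): media type '$($v.MediaType)'; skipping rather than guessing."
        }
    }
}
```

The same decision is available from the classic tool as defrag C: /A for analysis, defrag C: /D for a full defragmentation, and defrag C: /L for a retrim; the cmdlet form is simply easier to wrap in the media check above.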
Demonstration Steps
1. Open File Explorer.
2. Start the Optimize Drives tool from the Tools tab on Properties of the C drive.
3. Analyze and optimize the C drive.
Configuring compression
You set compression from the properties of a file
or folder on the General tab. You click Advanced
and set or clear the compression attribute. You
can also configure compression from the command line by using the compact command.
Volumes, folders, and files on an NTFS volume are either compressed or uncompressed.
o When you open a compressed file, the Windows operating system automatically decompresses it
for you.
o When the file closes, the Windows operating system compresses it again.
NTFS-compressed file and folder names display in a different color, by default, to make them easier
to identify.
NTFS-compressed files and folders only remain compressed while an NTFS volume is storing them.
The compressed bytes of a file are not accessible to applications, which see only the uncompressed
data:
o Applications that open a compressed file can perform tasks on it as if the file was not
compressed.
o If you copy compressed files to a file allocation table (FAT) or Resilient File System (ReFS) volume,
the copy of the file will not be compressed because those file systems do not support NTFS
compression.
When you copy a file to a folder that already contains a file of the same name, the copied file takes
on the compression attribute of the target file, regardless of the compression state of the folder.
Compressed files that you copy to a FAT partition are uncompressed because FAT volumes do not
support compression. However, when you copy or move files from a FAT partition to an NTFS
partition, they inherit the compression attribute of the folder into which you copy them.
When you copy a file, NTFS calculates the disk space that the copy requires based on the uncompressed file's size. This is important
because files are decompressed during the copy process, and the system must ensure that there is enough
space. If you copy a compressed file to an NTFS partition that does not have enough space for the
uncompressed file, an error message notifies you that there is not enough disk space.
Files and folders that you compress by using the Compressed (zipped) Folder feature can compress on
both FAT-formatted and NTFS-formatted volumes. A zipper icon identifies files and folders that you
compress by using this feature.
You can open files directly from these compressed folders, and you can run some of these programs
directly from compressed folders without uncompressing them. Files in compressed folders are
compatible with other file compression programs and files. You also can move compressed files and
folders to any drive or folder on your computer, the Internet, or your network.
Compressing folders by using Compressed (zipped) Folder does not affect a computer's overall
performance. Central processing unit (CPU) utilization increases only while you use Compressed (zipped)
Folder to compress or extract a file. Compressed files take up less storage space, and you can transfer them to other
computers more quickly than uncompressed files. You can work with compressed files and folders the
same way you work with uncompressed files and folders.
In contrast, NTFS compression works on individual files at the file system level rather than on a container.
Applications read and write an NTFS-compressed file as if it were uncompressed, so, unlike a zipped folder, NTFS
compression does not change how you access the data. A zipped folder, however, is useful for combining multiple
files into a single email attachment, which NTFS compression cannot do.
File and folder compression that uses the Send To Compressed (zipped) Folder command is different
from NTFS file and folder compression:
For selected files or folders, the Send To Compressed (zipped) Folder command compresses the
selected content into a portable zip file. The original file or folder does not change, and a new,
compressed zip file is created.
NTFS compression does not create a second, compressed zip-type file. Instead, it actually reduces the
size of the selected file, folder, or volume by compressing its content.
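The following added example, which is not part of the course text, puts the two mechanisms side by side. It writes a constructed, highly compressible sample file under the system drive's temp folder (the system drive is always NTFS, so no drive letter is assumed), compresses the folder with the compact command, and reads back the size on disk through the same GetCompressedFileSize call that File Explorer uses for "Size on disk", which is the only way to see the effect, because the Length that Get-Item reports is always the uncompressed size. It then zips the same file with Compress-Archive to show that a zipped folder is a second, separate file and the original is left untouched. The folder and file names are made up for the example.

```powershell
# Added example: NTFS compression versus a zipped folder.
# Uses $env:TEMP (on the NTFS system drive); the folder and file names are made up.
$folder = Join-Path $env:TEMP 'CompressDemo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Constructed sample data: repeated text compresses extremely well.
$text   = 'The quick brown fox jumps over the lazy dog. ' * 500000
$sample = Join-Path $folder 'report.txt'
[IO.File]::WriteAllText($sample, $text)

# GetCompressedFileSize returns the bytes a file actually occupies on disk.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint GetCompressedFileSize(string lpFileName, out uint lpFileSizeHigh);
'@
function Get-SizeOnDisk([string]$Path) {
    $high = [uint32]0
    $low  = [Win32.Native]::GetCompressedFileSize($Path, [ref]$high)
    ([long]$high -shl 32) -bor [long]$low
}

$before = Get-SizeOnDisk $sample

# NTFS compression: set the attribute on the folder; /S applies it to the existing
# contents as well, /I continues past errors, /Q keeps the output short.
& compact.exe /C /S:"$folder" /I /Q | Out-Null

$attr = (Get-Item $sample).Attributes
if (-not ($attr -band [IO.FileAttributes]::Compressed)) {
    throw 'Compressed attribute not set; the folder is not on an NTFS volume.'
}
$after = Get-SizeOnDisk $sample
"NTFS: Length {0:N0} bytes; on disk before {1:N0}, after {2:N0}" -f (Get-Item $sample).Length, $before, $after

# The application view is unchanged: reading the file returns the original text.
if ((Get-Content $sample -Raw).Length -ne $text.Length) { throw 'Transparent decompression failed.' }

# Zipped folder: a separate archive is produced and the original file is untouched.
$zip = Join-Path $folder 'report.zip'
Compress-Archive -Path $sample -DestinationPath $zip -Force
"ZIP: archive {0:N0} bytes; original still {1:N0} bytes and still readable in place" -f (Get-Item $zip).Length, (Get-Item $sample).Length
```

Because the Length property never changes, a script that checks free space before a copy must size the destination by Length, exactly as the lesson says NTFS itself does; only Get-SizeOnDisk above (or compact.exe's report) shows what compression actually saved.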
Demonstration Steps
1. In File Explorer, open Properties for the C:\Users\Admin folder.
You configure disk quotas from the Quota tab on the properties dialog box of an NTFS-formatted
volume. You can also manage quotas by using the fsutil quota and fsutil behavior commands from
the command prompt.
After you create a quota, you can export it and import it to a different volume. In addition to establishing
quota settings on a single computer by using the methods outlined above, you can use Group Policy
settings to configure disk quotas. This enables administrators to configure multiple computers with the
same settings.
Over time, the amount of available disk space decreases, so make sure that you have a plan to increase
storage capacity.
Note: An alternative to disk quotas is using quotas in File Server Resource Manager (FSRM)
on Windows Server 2012 R2. Quotas in FSRM can track disk space usage per folder instead of per
volume.
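As an added example that is not part of the course text, the script below configures a quota from the command line with the fsutil quota and fsutil behavior subcommands named above and then proves that it is enforced. It assumes E: is an NTFS volume and that the user is the local Admin account the lab uses; the 150 MB threshold and 200 MB limit are made up for the example. The final check allocates 100 MB files with fsutil file createnew, as the lab does, and expects the third allocation to be refused; for that to count against the intended entry, the files must be created while signed in as that user, because a quota is charged to the file owner.

```powershell
# Added example: enforce a per-user NTFS quota with fsutil and verify it bites.
# Assumptions (not from the course text): E: is NTFS; the user is the local Admin
# account; the threshold and limit values are invented. Run elevated.
#Requires -RunAsAdministrator
param(
    [string]$Volume = 'E:',
    [string]$User   = "$env:COMPUTERNAME\Admin",
    [long]$Warn     = 150MB,
    [long]$Limit    = 200MB
)

function Invoke-Fsutil {
    # Runs fsutil and turns a non-zero exit code into a terminating error, so a
    # failed step (wrong volume, non-NTFS file system) cannot be silently skipped.
    param([string[]]$Arguments)
    $out = & fsutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "fsutil $($Arguments -join ' ') failed: $out" }
    $out
}

# 1. Turn quotas on in enforce mode: 'track' only records usage, 'enforce' denies writes over the limit.
Invoke-Fsutil 'quota','enforce',$Volume | Out-Null

# 2. Explicit entry for one user: warning threshold and hard limit, both in bytes.
#    Users without an entry get the volume's default quota instead.
Invoke-Fsutil 'quota','modify',$Volume,$Warn,$Limit,$User | Out-Null

# 3. Quota events go to the System event log; quotanotify is the minimum interval
#    (seconds) between repeated threshold/limit events for the same user.
Invoke-Fsutil 'behavior','set','quotanotify','3600' | Out-Null

# 4. Show the volume's quota state and every per-user entry.
Invoke-Fsutil 'quota','query',$Volume

# 5. Constructed check: allocate 100 MB files until the limit is hit. With a 200 MB
#    limit the third file must be refused. Run this part signed in as $User.
$dir = Join-Path "$Volume\" 'quotatest'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$created = 0
for ($i = 1; $i -le 3; $i++) {
    & fsutil.exe file createnew (Join-Path $dir "file$i.bin") 100MB 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) { $created++ }
    else { "file$i.bin refused: quota limit reached after $created files"; break }
}

# 6. List the threshold and limit events the enforcement produced.
Invoke-Fsutil 'quota','violations'
```

Two practical caveats: members of the Administrators group are charged like any other owner, so an elevated session that creates files on behalf of a user does not test that user's quota; and a quota limits disk space, not file count, so sparse or compressed files are charged for the space they actually allocate.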
Demonstration Steps
Enable disk quotas
1. In File Explorer, open Quotas from the Properties of the E drive.
Create files
1. Sign in as the local user Admin with the password Pa$$w0rd.
E:
MKDIR files
CD files
Fsutil file createnew file1.txt 104857600
Fsutil file createnew file2.txt 104857600
3. Open Quota Entries and notice the warning for LON-CL2\Admin for the disk space used.
Storage Sense
Defragmenting disks
Folder compression
ZIP compression
Disk quotas
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Lesson 4
Managing Storage Spaces
Managing multiple physical disks attached directly to a computer can often be a tedious task for
administrators. To overcome this problem, many organizations use SANs that essentially group physical
disks together. SANs require specialized configuration and sometimes specialized hardware, which makes
them expensive.
To overcome these issues, you can use the Storage Spaces feature. It pools disks together, and presents
them to the operating system as a single disk. This lesson explains how to configure and implement the
Storage Spaces feature.
Lesson Objectives
After completing this lesson, you will be able to:
Physical disk. Physical disks are disks such as Serial ATA (SATA) or Serial Attached SCSI (SAS) disks. If
you want to add physical disks to a storage pool, the disks need to satisfy the following requirements:
o Creating a resilient mirror virtual disk requires a minimum of two physical disks.
o Creating a virtual disk with resiliency through parity requires a minimum of three physical disks.
Storage pool. A storage pool is a collection of one or more physical disks that you can use to create
virtual disks. You can add all nonformatted physical disks and disks that do not have an attachment to
another storage pool to a storage pool.
Storage space. This is similar to a physical disk from the perspective of users and programs. However,
storage spaces are more flexible because they include thin provisioning or just-in-time (JIT)
allocations, and they include resiliency to physical disk failures with built-in functionality such as
mirroring.
Disk drive. You can access this volume from your Windows operating system, for example, by using a
drive letter.
Storage layout
Configure this feature to define the number of
disks from the storage pool that you allocate to
a virtual disk. Valid options include:
Simple. A simple space has data striping but no redundancy. In data striping, logically sequential
data is segmented across all disks in such a way that provides access for these sequential segments
to different physical storage drives. Striping makes it possible to access multiple segments of data
concurrently. Do not host important data on a simple volume, because it provides no failover
capabilities when the disk that is storing the data fails. This is similar to the striped volumes discussed
earlier.
Two-way and three-way mirrors. Mirror spaces maintain two or three copies of the data that they
host (two data copies for two-way mirrors and three data copies for three-way mirrors). Data
duplication happens with every write to ensure that all data copies are always current. Mirror spaces
also stripe the data across multiple physical drives. Mirror spaces provide the benefit of greater data
throughput and lower access latency. They also do not introduce a risk of corrupting at-rest data, and
do not require the extra journaling stage when writing data. Two-way mirrors are similar to the
mirrored volumes discussed earlier.
Parity. A parity space is similar to RAID 5. Storage Spaces stores data, along with parity information,
striped across multiple physical drives. Parity enables Storage Spaces to continue servicing read and
write requests even when a drive has failed. Parity always rotates across available disks to enable I/O
optimization. Storage Spaces require a minimum of three physical drives for parity spaces. Parity
spaces have increased resiliency through journaling. There is no equivalent to parity in volumes on
dynamic disks.
Provisioning schemes
You can provision a virtual disk by using two different schemes:
Thin provisioning space. Thin provisioning is a mechanism that enables you to allocate storage when
the storage space needs it. The storage pool organizes the storage capacity into provisioning slabs.
The allocation does not happen until the point when datasets grow to require the storage. As
opposed to the traditional fixed storage allocation method, in which you might allocate large pools
of storage capacity that remain unused, thin provisioning optimizes utilization of available storage.
Organizations also can save on operating costs, such as electricity and floor space, associated with
keeping the unused drives operating. The disadvantage of using thin provisioning is lower disk
performance because storage allocation occurs when the pool needs extra storage.
Fixed provisioning space. With Storage Spaces, fixed provisioned spaces also employ the flexible
provisioning slabs. The difference between thin provisioning and a fixed provisioning space is that the
storage capacity allocation in the fixed provisioning space happens at the same time as storage space
creation.
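The following added example, which is not part of the course text, builds a storage space from Windows PowerShell using the terms defined above: it gathers the poolable physical disks, refuses a resiliency setting that the disk count cannot support (two disks for a two-way mirror, three for a three-way mirror or parity, as the lesson states), creates the pool and a thin- or fixed-provisioned virtual disk, and then initializes, partitions and formats it like any other disk. The pool and space names, the 20 GB size and the drive letter S are assumptions for the example.

```powershell
# Added example: create a storage space with the resiliency the hardware can support.
# Pool/space names, size and drive letter are assumptions, not from the course text.
# Run from an elevated PowerShell session on a machine with spare RAW disks.
#Requires -RunAsAdministrator
param(
    [string]$PoolName  = 'DemoPool',
    [string]$SpaceName = 'DataSpace',
    [ValidateSet('Simple','Mirror','Parity')][string]$Layout = 'Mirror',
    [int]$DataCopies = 2,                         # 2 = two-way mirror, 3 = three-way mirror
    [ValidateSet('Thin','Fixed')][string]$Provisioning = 'Thin',
    [long]$Size = 20GB,
    [char]$DriveLetter = 'S'
)

# Disks that are unformatted and not already in a pool are the only candidates.
$candidates = @(Get-PhysicalDisk -CanPool $true)
if (-not $candidates) { throw 'No poolable disks found (disks must be RAW and not in another pool).' }

# Minimum physical disks per layout; refuse a space that cannot actually be resilient.
$needed = switch ($Layout) {
    'Simple' { 1 }
    'Mirror' { [Math]::Max(2, $DataCopies) }
    'Parity' { 3 }
}
if ($candidates.Count -lt $needed) {
    throw "$Layout with $DataCopies data copies needs $needed disks; only $($candidates.Count) are poolable."
}

# The pool is created on the local Windows Storage subsystem.
$subsystem = Get-StorageSubSystem -FriendlyName '*Windows Storage*'
New-StoragePool -FriendlyName $PoolName -StorageSubSystemUniqueId $subsystem.UniqueId `
                -PhysicalDisks $candidates | Out-Null

# The virtual disk (the storage space). NumberOfDataCopies only applies to mirrors.
$vdParams = @{
    StoragePoolFriendlyName = $PoolName
    FriendlyName            = $SpaceName
    ResiliencySettingName   = $Layout
    ProvisioningType        = $Provisioning
    Size                    = $Size
}
if ($Layout -eq 'Mirror') { $vdParams.NumberOfDataCopies = $DataCopies }
$vd = New-VirtualDisk @vdParams

# To Windows the space is just another disk: initialize, partition and format it.
$disk = $vd | Get-Disk
Initialize-Disk -Number $disk.Number -PartitionStyle GPT
New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel $SpaceName -Confirm:$false | Out-Null

# A thin space reports its logical size; the pool shows what is actually allocated.
$pool = Get-StoragePool -FriendlyName $PoolName
[pscustomobject]@{
    Space        = $SpaceName
    Layout       = if ($Layout -eq 'Mirror') { "$Layout x$DataCopies" } else { $Layout }
    Provisioning = $Provisioning
    LogicalGB    = [math]::Round($vd.Size / 1GB, 1)
    AllocatedGB  = [math]::Round($pool.AllocatedSize / 1GB, 1)
    PoolGB       = [math]::Round($pool.Size / 1GB, 1)
    HealthStatus = (Get-VirtualDisk -FriendlyName $SpaceName).HealthStatus
}
```

With Thin provisioning the LogicalGB value can exceed PoolGB; that is the over-committed situation the question below asks about, and AllocatedGB is the number to watch, because writes start failing when the pool, not the space, runs out of capacity.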
Question: What is the name for a storage space that is larger than the amount of disk space
available on the physical disks portion of the storage pool?
Reliable storage
Small businesses often do not have the funds for acquiring enterprise-grade storage solutions. Storage
Spaces can help these companies get fault-tolerant storage for an affordable price. Storage Spaces has
two resiliency types that provide fault tolerance. These will help to make the storage highly available in
case of disk failures. Two-way mirror and parity can function even when one drive fails. Three-way mirror
can function with two drive failures.
High-performance storage
Users who have computing needs with high-performance storage, such as video editing, might also
benefit from Storage Spaces. Because simple, mirror, and parity spaces all stripe data across the physical drives in the pool,
reads are served by several drives at once; simple and mirror spaces also write quickly, whereas a parity space pays a write
penalty for computing and journaling parity. When you use SSDs as the physical drives, you
should be able to get the required disk I/O.
Demonstration Steps
Clear disks in Windows PowerShell
1. In Windows PowerShell, type the following command:
4. In File Explorer, verify that the size of Storage Space (E:) is 17.3 GB.
2. In the Virtual Machines list, right-click 20697-1B-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Which types of storage spaces can you create in Windows 10? (Select 4)
Simple
Advanced
Two-way mirror
Three-way mirror
Parity
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You have bought a number of hard disk drives and SSDs, and your task is to create a storage solution that
can fully utilize these new devices. You decide to implement a storage solution based on the Storage
Spaces feature.
Objectives
After completing this lab, you will be able to:
Enable a disk.
Create and configure a volume.
Compress a folder.
Enable disk quotas.
Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL2
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
2. Initialize Disk 1 only. You can see that Disk 1 now has a status of Online.
Results: After completing this exercise, you will have initialized one hard disk.
o Size: 5120 MB
o Drive letter: E
2. In Disk Management, verify that the E volume now occupies the entire Disk 1.
Results: After completing this exercise, you will have created a simple volume and then extended the
volume.
Results: After completing this exercise, you will have compressed a folder with files.
E:
MKDIR research
CD research
Fsutil file createnew file1.txt 209715200
Fsutil file createnew file2.txt 209715200
Results: After completing this exercise, you will have configured disk quotas.
Results: After completing this exercise, you will have created a two-way mirror storage space.
2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.
Tools
The following table lists some of the tools that are available for managing hard disks.
Tool | Use for | Where to find it
The Optimize Drives tool | Rearranging fragmented data so that disks and drives can work more efficiently | In File Explorer, right-click a volume, click Properties, click the Tools tab, and then click Optimize
Module 6
Managing Files and Printers
Contents:
Module Overview 6-1
Module Overview
The ability to control permissions to stored files is a critical aspect of data security. File permissions control
who can access files and what type of permissions a user has. You can configure basic permissions, such
as Read, Write, Modify, and Full Control, although each of those is comprised of additional advanced
permissions. You can configure these permissions for each file individually, for folders, for a single user,
or for a group of users. You should be aware of how permissions apply in different scenarios to ensure
that you do not grant access inadvertently to unauthorized users.
You can use the Work Folders feature in Windows 10, which allows users to access their data from
Windows 10 devices that are not joined to Active Directory Domain Services (AD DS) or connected to
your corporate network. Work Folders enable users to synchronize their data between all of their devices,
regardless of whether their device belongs to a domain.
Windows 10 enables you to manage locally attached printers, in addition to other print servers, by using
the Print Management feature. However, you must have network connectivity and permissions to use it.
Type 4 printer drivers no longer require a different printer driver for each printer model, and you can use
them with local and network printers in Windows 10.
Objectives
After completing this module, you will be able to:
Lesson 1
Overview of File Systems
Before you can store data on a volume, you must first format the volume. To format a volume, you must
select the file system that the volume should use. Windows 10 supports different file systems, including
file allocation table (FAT), FAT32, and extended file allocation table (exFAT); NTFS file system and Resilient
File System (ReFS); and Compact Disc File System (CDFS) and Universal Disk Format (UDF), which are used
on optical and read-only media.
In this lesson, you will learn about the differences and benefits of the file systems that Windows 10
supports.
Lesson Objectives
After completing this lesson, you will be able to:
Note: A cluster is the smallest unit of disk space that you can allocate to store a file. For
example, if a volume cluster is 4 kilobytes (KB) and you store a file with a size of 100 bytes on that
volume, it will use one cluster, which is 4 KB.
Note: The exFAT file system supports clusters from 512 bytes to 32 megabytes (MB).
When you compare any version of FAT with the NTFS file system, which is the default file system in
Windows 10, you will find that many NTFS features are not available with FAT, such as:
Security. You cannot configure file permissions and limit user actions on a FAT volume. Any user
has unlimited permissions to data stored on a FAT volume, which includes reading, modifying, and
deleting. You cannot limit user permissions to data that the FAT file system stores.
Auditing. You cannot audit user actions on the FAT file system. For example, if a user deletes a file,
Event Viewer will not log that action.
Compression. The FAT file system does not support compression and each file uses its full original
size, rounded to the closest cluster size. You can use compression that is not file-system dependent
on the FAT file system, such as compressed (zipped) folders.
Encryption. Encrypting File System (EFS) is not supported, and you cannot use it on exFAT volumes.
You can use encryption that is not file-system dependent, such as a non-Microsoft Pretty Good Privacy
(PGP) solution.
Disk Quota. The FAT file system does not support quotas. This means that you cannot limit the disk
space that users can use on a FAT volume. Each user can store as much data as there is available
space on the FAT volume.
Note: Windows 10 adds support for encryption on FAT and FAT32 volumes.
Note: You select a file system and cluster size when you format a volume. However, you
cannot change the file system or cluster size that you are using on the volume. You can only
perform a backup, and then reformat the volume with different parameters. The only exception
is that you can convert FAT or FAT32 to NTFS file system.
Question: Why would you use the FAT file system in Windows 10?
Question: Can you format a 40 GB volume with the FAT32 file system?
Advanced features. The NTFS file system includes multiple advanced features, such as distributed link
tracking, sparse files, and multiple data streams.
Note: By using the Convert.exe utility, you can convert FAT or FAT32 to NTFS file system on
data volumes without downtime or data loss.
You cannot convert NTFS to FAT. You first must back up data, and then format the volume by
using the NTFS system and restore the data.
Question: What are the main benefits of the NTFS file system?
ReFS periodically scans volumes. If it detects corruption, ReFS tries to correct the corruption
automatically. If it cannot repair the corruption automatically, ReFS localizes the salvaging process
to the corruption area. This does not require any downtime for the volume.
ReFS supports extremely large volumes, even larger than the NTFS file system, without impacting
performance. ReFS volumes can have multiple petabytes of data, and the theoretical size limit for a ReFS
volume is 2^78 bytes.
ReFS allows you to control file permissions and configure auditing as you would with the NTFS file
system. However, several other NTFS features, such as compression, disk quotas, EFS, and volume shrinking,
are not available on ReFS volumes.
Windows 10 provides limited support for ReFS. You can use it only with two-way or three-way mirror storage
spaces. You cannot format ReFS for nonmirrored storage spaces, such as simple or parity storage spaces.
Question: Can you use Disk Management or File Explorer to format a volume with ReFS in
Windows 10?
Demonstration Steps
1. On LON-CL1, use Disk Management to show that when you create a 100 MB volume on Disk 2, you
can select between FAT, FAT32, and NTFS file systems. Additionally, note that you can mount a new
volume only to an empty folder on the NTFS volume.
2. Use Disk Management to show that if you are creating a 40,000 MB volume on Disk 2, you can
select only between exFAT and NTFS file systems. FAT32 supports volume sizes up to 32 GB.
Therefore, it is not available for a 40 GB volume.
3. Use Disk Management to create a 30,000 MB volume on Disk 2, formatted with FAT32 file system.
Note that the available options for file system are FAT32 and the NTFS file system only.
4. Use File Explorer to see that in volume F: properties, there is no Security and Quota tab, because
FAT does not support permissions and disk quotas.
5. At the command prompt, convert a file system on the F drive to the NTFS system by running the
following command: convert f: /fs:ntfs.
6. Use File Explorer to note that in the F volume properties, there now is a Security and Quota tab, as
the NTFS system supports permissions and disk quotas. Note also the Compress this drive to save
disk space check box, because the NTFS system supports compression.
7. Use Storage Spaces to create a new pool and two-way mirror resiliency type with the ReFS file
system. If you select Simple (no resiliency) or Parity resiliency type, ReFS file system is not available.
It is available only with two-way or three-way mirror resiliency types.
8. Use Disk Management to verify that Disk 3 and Disk 4 no longer appear, but that Disk 5 appears.
Disk 5 has a primary partition that is formatted with ReFS file system.
9. Use File Explorer to note that in the volume G properties, there is a Security tab, but there is no
Quota tab and no Compress this drive to save disk space check box. This is because ReFS does
not support disk quotas and compression.
Which two of the following file systems can you use on the 100-GB simple volume
that you created on a single disk?
FAT
FAT32
exFAT
NTFS
ReFS
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You cannot convert a partition with the exFAT file system to the NTFS file
system.
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You can format a 1-TB volume on a single physical disk in Windows 10 with
ReFS.
Lesson 2
Configuring and Managing File Access
You can control user access to files by configuring file and folder permissions. If file permissions are
supported by the file system, such as the NTFS file system or ReFS, you can configure permissions at
the volume (root folder), folder, and file levels.
You also can assign permissions explicitly or you can inherit them from the higher levels. If you are unsure
whether you can inherit permissions, you can use the effective permissions feature to review what type of
permissions a user or group has to a file.
While permissions typically use group membership to control access, if Windows 10 is an AD DS member,
you also can use conditions to limit access. Conditions use claims, which are user-property values in
AD DS.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the tools for managing files and folders.
File Explorer
File Explorer, called Windows Explorer in previous Windows versions, is a tool that you typically use
to manage files and folders. File Explorer provides a simple interface that is familiar to most Windows
users. You can use File Explorer to perform several functions, including:
By default, File Explorer is pinned to the Windows 10 taskbar. It includes the navigation and the details
pane, in addition to the address bar and ribbon, which makes it easier to use on touch devices. Depending
on your permissions, you can right-click or use the ribbon option in File Explorer to access the properties
of any file or folder. You also can manage file permissions, and create, open, and delete files. The ribbon is
context-sensitive, and it provides fast access to common options. For example, you can map a network drive
from the ribbon when you have This PC selected, and you can create a new folder when you have Local
Disk (C:) selected. If you need to access the same folder often, you can pin it to Quick access, and it will
appear in the navigation pane.
If you need to manage file permissions in File Explorer, right-click the object, and then select Properties,
or select the object, and then click Properties on the Home tab of the ribbon. You can configure
permissions on the Security tab of the Properties dialog box.
Command prompt
If you prefer, you can use a command prompt to access files and folders. You can access a command
prompt by right-clicking Start or by typing cmd in the Search the web and Windows text box on the
taskbar. The following table lists some common commands for managing files and folders.
Command Purpose
For additional information on the icacls tool, refer to the following URL:
icacls
http://aka.ms/e898bk
Windows PowerShell
You can access Windows PowerShell by typing PowerShell in the Search the web and Windows text
box on the taskbar. Windows PowerShell provides multiple cmdlets that you can use to manage files and
folders, such as Get-ChildItem, which displays a directory's list of files and subdirectories, or
Set-Location, which changes the parent directory. It also includes many aliases, which are the same as the
familiar tools in command prompt, such as dir and cd, and you can use them instead of the Windows
PowerShell cmdlets. Run the Get-Alias cmdlet to view the list of all aliases.
To manage file permissions, you can use the Get-ACL and Set-ACL cmdlets. For example, to see the
current ACL on the C:\Perflogs directory, with the output in list format, run the following command:
To modify a file or folder's ACL, use the Set-ACL cmdlet. You also can use the Get-ACL cmdlet in
conjunction with the Set-ACL cmdlet. You can use the Get-ACL cmdlet to provide the input by getting
the object that represents the file or folder's ACL, and then use the Set-ACL cmdlet to change the ACL
of the target file or folder to match the values that the Get-ACL cmdlet provides. For example, to set the
ACL on the C:\Folder2 folder to be the same as the permissions on CL\Folder1, including inheritance
settings, you would run the following command:
Set-Acl
http://aka.ms/xxgj91
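The two operations this passage describes, as an added example that is not the course's own command listing. It assumes C:\Folder1 and C:\Folder2 exist on an NTFS volume and that you run it from an elevated Windows PowerShell prompt, because Set-Acl also applies the owner from the source descriptor.

```powershell
# Added example (not from the course text). Assumes C:\Folder1 carries the
# desired permissions and C:\Folder2 is the folder whose ACL should match it.

# 1. Show the current ACL on C:\PerfLogs in list format (owner, group, SDDL, access string).
Get-Acl -Path 'C:\PerfLogs' | Format-List

# The same ACL broken out one access control entry (ACE) per row, which is
# what you want when reviewing who is granted what and whether it is inherited.
(Get-Acl -Path 'C:\PerfLogs').Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# 2. Copy the ACL, including the inheritance settings, from Folder1 to Folder2.
#    Get-Acl supplies the security-descriptor object; Set-Acl writes it to the target.
Get-Acl -Path 'C:\Folder1' | Set-Acl -Path 'C:\Folder2'

# 3. Verify the result by comparing the ACE lists of both folders.
#    Compare-Object prints nothing when the two sets of entries are identical.
$fields = 'IdentityReference', 'FileSystemRights', 'AccessControlType',
          'InheritanceFlags', 'PropagationFlags'
$source = (Get-Acl -Path 'C:\Folder1').Access | Select-Object $fields
$target = (Get-Acl -Path 'C:\Folder2').Access | Select-Object $fields
Compare-Object -ReferenceObject $source -DifferenceObject $target -Property $fields
```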
Question: Which Windows 10 graphical tool is used most often to manage files and folders?
Permissions example
Consider the following example. Adam is a member of the Marketing group, which has Read permission
to the Pictures folder. If an administrator assigns Write permissions to Adam for the Pictures folder, Adam
will have Read permissions, because he is a member of the Marketing group, and Write permissions,
because the administrator assigned them directly to him.
Types of permissions
You can configure two types of permissions for files and folders on NTFS and ReFS volumes: basic and
advanced. The difference is that:
Basic permissions are the most commonly used permissions. You most often will work with basic
permissions and assign them to groups and users. Each basic permission is built from multiple special
permissions.
Advanced permissions provide a finer degree of control. However, advanced permissions are more
complex to document and manage than basic permissions.
Full control. Provides complete control of the file or folder and control of permissions.
Modify. Allows you to read a file, write changes to it, and modify permissions. The advanced permissions
that comprise the Modify permission are Traverse folder/execute file, List folder/read data, Read
attributes, Read extended attributes, Create files/write data, Create folders/append data, Write attributes,
Write extended attributes, Delete, and Read permissions.
Read & execute. Allows you to see folder content, read files, and start programs. This applies to an object
and any child objects by default. The advanced permissions that make up the Read & execute permission
are Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, and
Read permissions.
Read. Allows you only the ability to read a file, not make any changes to it. This applies to an object and
any child objects by default. The advanced permissions that make up the Read permission are List
folder/read data, Read attributes, Read extended attributes, and Read permissions.
Write. Allows you to change folder and file content. This applies to an object and any child objects by
default. The advanced permissions that make up the Write permission are Create files/write data, Create
folders/append data, Write attributes, and Write extended attributes.
Note: Groups or users that have the Full Control permission on a folder can delete any
files in that folder, regardless of the permissions that protect the file.
To modify permissions, you must have the Full Control permission for a folder or file. The one exception is
for file and folder owners. The owner of a file or folder can modify permissions, even if they do not have
any current permission. Administrators can take ownership of files and folders to make modifications to
permissions.
Question: If a user's permissions are shown as Special permissions, what file permissions
does the user have?
Question: If a user with Read permissions only is a member of a group that has Write
permissions, what type of permissions does the user actually have?
For example, when you create a folder called Folder1, all subfolders and files created within Folder1
automatically inherit that folder's permissions. Therefore, Folder1 has explicit permissions, while all
subfolders and files within it have inherited permissions.
Permissions on a file are a combination of inherited and explicit permissions. For example, if you assign
Group1 Read permissions on a folder and Write permissions on a file in the folder, members of Group1
can read and write in the file. If inherited and explicit permissions conflict, explicit permissions take
precedence.
Make changes to a parent folder at which you set permissions explicitly. The file or folder will inherit
these modified permissions.
Choose not to inherit permissions from a parent object. You then can make changes to the
permissions or remove a user or group from the permissions list of the file or folder.
Note: You can make changes to inherited permissions also by selecting the opposite
permission (Allow or Deny) to override the inherited permission. You should be aware that this
might cause a different result than many users expect, because when you set both the Deny and
the Allow permissions at the same level, Deny has a higher precedence than Allow. Therefore, we
recommend that you avoid using this option.
You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her
file, even though he is a member of the Marketing group, which has Read permissions. She can exclude
Bob by explicitly denying him permission to read the file. Typically, you use explicit denial to exclude a
subset, such as Bob, from a larger group, such as Marketing, that has permission to perform an operation.
Please note that although explicit denials are possible, their use increases the complexity of the
authorization policy, which can create unexpected errors. For example, you might want to allow domain
administrators to perform an action, but deny domain users the ability to perform it. If you attempt to
implement this by explicitly denying domain users, you also deny any domain administrators who are
domain users. Though it is sometimes necessary, you should avoid the use of explicit denials.
In most cases, Deny overrides Allow unless a folder inherits conflicting settings from different parents. In
that case, the setting inherited from the parent closest to the object in the subtree takes precedence.
Note: Inherited Deny permissions do not prevent access to an object if the object has an
explicit Allow permission entry. Explicit permissions take precedence over inherited permissions,
including inherited Deny permissions.
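An added audit script, not part of the course text, that reports the two situations the preceding paragraphs warn about: an explicit Deny on a broad group (which also denies the administrators who belong to it) and an inherited Deny that an explicit Allow at the same level overrides. The folder paths and the group names are assumptions for a lab machine.

```powershell
# Added example (not from the course text). Lists the ACEs on a path and flags
# Deny entries that commonly produce results administrators do not expect.

function Get-AceReport {
    param([Parameter(Mandatory)][string]$Path)

    # Each entry in .Access is a FileSystemAccessRule, explicit or inherited.
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType            # Allow or Deny
            Rights    = $ace.FileSystemRights
            Scope     = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
            AppliesTo = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

function Find-DenyPitfalls {
    param([Parameter(Mandatory)][string]$Path)

    $aces     = (Get-Acl -Path $Path).Access
    $findings = @()

    # Groups whose membership usually includes administrators as well.
    $broadGroups = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

    foreach ($deny in ($aces | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        $id = $deny.IdentityReference.Value

        # Pitfall 1: denying a broad group also denies every member of it,
        # including domain administrators who are domain users.
        if ($broadGroups -contains $id -or $id -like '*\Domain Users') {
            $findings += "Deny for broad group '$id' on $Path " +
                         "($($deny.FileSystemRights)); administrators in that group are denied too."
        }

        # Pitfall 2: an inherited Deny does not block access when the same identity
        # has an explicit Allow at this level, because explicit wins over inherited.
        if ($deny.IsInherited) {
            $override = $aces | Where-Object {
                -not $_.IsInherited -and
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $id
            }
            if ($override) {
                $findings += "Inherited Deny for '$id' on $Path is overridden by an explicit Allow at this level."
            }
        }
    }
    $findings
}

# Usage on a lab folder (assumed to exist):
Get-AceReport -Path 'C:\Data' | Format-Table -AutoSize
Find-DenyPitfalls -Path 'C:\Data\Invoices'
```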
Child objects only inherit permissions that they are capable of inheriting. When you set permissions on a
parent object, you can decide whether folders, subfolders, and files can inherit permissions. Perform the
following procedure to assign permissions that child objects can inherit:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click
Advanced.
2. In the Advanced Security Settings for file or folder dialog box, the Inherited From column lists
from where the permissions are inherited. The Applies To column lists the folders, subfolders, or files
to which the permissions are applied.
3. Double-click the user or group for which you want to adjust permissions.
4. In the Permissions Entry for name dialog box, click the Applies to drop-down list, and then select
one of the following options:
o This folder only
o Files only
5. Click OK in the Permission Entry for name dialog box, click OK in the Advanced Security Settings
for name dialog box, and then click OK in the Properties dialog box.
If the Special permissions entry in Permissions for User or Group box is shaded, it does not imply
that this permission is inherited. Rather, this means that a special permission is selected.
Note: If you add permissions for CREATOR OWNER at the folder level, those permissions
will apply to the user who created the file in the folder.
Preventing inheritance
After you set permissions on a parent folder, new files and subfolders that users create in the folder inherit
these permissions. You can block permission inheritance to restrict access to these files and subfolders. For
example, you can assign all Accounting users the Modify permission to the Accounting folder. On the
subfolder Invoices, you can block inherited permissions and grant only a few specific users permissions
to the folder.
Note: When you block permission inheritance, you have the option to convert inherited
permissions into explicit permissions, or you can remove all inherited permissions. If you want to
restrict a particular group or user, you can convert inherited permissions into explicit permissions
to simplify configuration.
To prevent a child file or folder from inheriting permissions from a parent folder, select This folder
only in the Applies to drop-down list box when you configure permissions for the parent folder.
To prevent a folder or file from inheriting permissions from a parent folder, perform the following
procedure:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click
Advanced.
2. In the Advanced Security Settings for file or folder dialog box, click Disable inheritance.
3. In the Block Inheritance dialog box, select any of the following options:
o Cancel
4. Click OK in the Advanced Security Settings for name dialog box, and then click OK in the
Properties dialog box.
Even if an administrator does not specify in AD DS which properties to use as claims, you can use
conditions to limit access to files or folders based on user or device-group membership. When viewing
the permissions for a file or folder, the Condition column in the Advanced Security Settings lists the
applied conditions. Please note that when you specify conditions:
You use a Group condition so that you can specify that the permission will apply to the user based on
the following group-membership rules:
o Member of Any of the specified groups.
o Member of Each of the specified groups.
Question: What conditions should you include so that you limit access to files in the NTFS
file system or the ReFS file system?
Demonstration Steps
1. Use File Explorer to create a folder called C:\Data.
2. View security for C:\Data, and then explain why check boxes in the Permissions for Authenticated
Users section are dimmed.
3. Verify that you cannot remove permissions for Authenticated Users on the C:\Data folder.
4. Add default permissions to Managers on the C:\Data folder, and then explain why permissions for
Managers are not dimmed.
5. Remove Read & execute and List folder contents permissions for Managers on C:\Data.
6. View advanced permissions for Managers on C:\Data, and then explain that basic Read permission
contains multiple advanced permissions.
8. View the advanced security settings for File1.txt, and then note that permissions for Managers are
inherited from C:\Data\, and all other permissions are inherited from C:\.
9. Verify that you cannot remove permissions for Managers from File1.
10. Convert inherited permissions into explicit permissions on File1.txt, explain the options in the Block
Inheritance dialog box, and then verify that all permissions entries now are set explicitly at this level.
Effective Permissions
Each file or folder on the NTFS file system or ReFS has inherited or explicit permissions assigned, or both.
Windows 10 determines effective permissions by combining the user and group permissions and comparing
them to the permissions of the selected user. You also can evaluate what the effective permissions will be if
you add a user or a device to additional groups, and configure whether to include user and device claims.
For example, if you assign a user Read permission and assign the Modify permission to a group of which the
user is a member, the effective permissions are a superset of the Read and Modify permissions. This superset
is the Modify permission, because the Modify permission also includes the Read permission. You also can
evaluate what type of permissions the user would have if you add the user to the IT and Managers groups
(without actually doing so) and whether the effective permissions would be different if the user's token
includes a Country = US user claim.
Note: When you combine permissions, Windows 10 evaluates the Deny permissions before
the Allow permissions that are set at the same level. Therefore, the Deny permission takes
precedence and overrides the Allow permission set on the same level.
If you set Deny and Allow permissions at different levels (for example, if Deny is set at the folder
and Allow is set at its subfolder) Allow can take precedence and override Deny.
Note: The Effective Access feature always includes the Everyone group when calculating
effective permissions, as long as the selected user or group is not a member of the Anonymous
Logon group.
The Effective Access feature only produces an approximation of the permissions that a user has. The actual
permissions a user has might be different, because permissions can be granted or denied based on how a
user signs in. The Effective Permissions feature cannot determine this information specific to the sign-in,
because the user might not sign in. Therefore, the effective permissions it displays reflect only those
permissions that a user or group specifies, not the permissions that the sign-in specifies. For example, if a
user connects to a computer through a file share, the sign-in for that user is marked as a Network Logon.
You then can grant or deny permissions to the well-known security identifier Network that the connected
user receives. This way, users have different permissions when they sign in locally than when they sign in
over a network.
You can view effective access permissions in the Advanced Security Settings dialog box for files or
folders stored on the NTFS or ReFS file system. You can access this dialog box from a folder's Properties
dialog box by using the Advanced button on the Security tab, or directly from the Share menu on the
ribbon.
Note: Windows 10 supports claims, so you can include the user and device claims when
evaluating effective access. A claim is information about a user or device that a domain controller
published, and you can use it to evaluate if a user has access to data.
Question: How can you include the calculation of conditions that limit access to the Effective
Access feature?
Question: Can the Effective Access feature consider only the current group membership
when it is calculating effective permissions for a selected user or group?
When you copy a file or folder within a single volume, the copy of the folder or file inherits the
permissions of the destination folder.
When you copy a file or folder to a different volume, the copy of the folder or file inherits the
permissions of the destination folder.
When you copy a file or folder to a volume that does not support permissions (non-NTFS and non-
ReFS), such as a FAT file system, the copy of the folder or file loses its permissions. This is because the
target volume does not support permissions.
Note: When you copy a file or folder within a single volume or between volumes, you must
have the Read permission for the source folder and the Write permission for the destination
folder.
Note: Most files do not have explicitly assigned permissions. Instead, they inherit
permissions from their parent folder. If you move files that have only inherited permissions,
they do not retain the inherited permissions during the move.
When you move a file or folder to a different volume, the folder or file inherits the destination folder's
permissions, but it does not retain the explicitly assigned or inherited permissions from the source
location. When you move a folder or file between volumes, Windows 10 copies the folder or file to
the new location and deletes the original file from the source location.
When you move a file or folder to a volume that does not support permissions (non-NTFS and non-
ReFS), the folder or file loses its permissions because the target volume does not support permissions.
Note: When you move a file or folder within a volume or between volumes, you must have
both the Write permission for the destination folder and the Modify permission for the source file
or folder. You require the Modify permission to move a folder or file, because Windows 10
deletes the folder or file from the source folder after it copies it to the destination folder.
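A lab script, added here and not part of the course text, that makes the copy and move rules above observable: it creates a small folder tree, puts one explicit ACE on a file, then copies and moves the file within the same volume and lists which explicit permissions survive. The C:\AclLab path and the use of the BUILTIN\Guests group as the grantee are assumptions; run it from an elevated prompt on an NTFS volume.

```powershell
# Added example (not from the course text). Demonstrates what happens to an
# explicitly assigned permission on copy versus move within one NTFS volume.
$Lab     = 'C:\AclLab'          # assumed lab root, created below
$Grantee = 'BUILTIN\Guests'     # any existing principal; used only as a marker ACE

New-Item -ItemType Directory -Path "$Lab\Source", "$Lab\Dest" -Force | Out-Null
New-Item -ItemType File -Path "$Lab\Source\FileA.txt" -Force | Out-Null

# Add one explicit Allow ACE (Full Control for the grantee) to FileA.txt.
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new($Grantee, 'FullControl', 'Allow')
$acl  = Get-Acl -Path "$Lab\Source\FileA.txt"
$acl.AddAccessRule($rule)
Set-Acl -Path "$Lab\Source\FileA.txt" -AclObject $acl

# Returns only the ACEs that were set directly on the object, not the inherited ones.
function Get-ExplicitAces {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Path'; e = { $Path } },
                      IdentityReference, FileSystemRights, AccessControlType
}

# Copy: a new file is created, so it only inherits the destination folder's permissions.
Copy-Item -Path "$Lab\Source\FileA.txt" -Destination "$Lab\Dest\FileA-copy.txt"

# Move within the volume: the same file is relinked, so its explicit ACE stays with it.
# (A move to a different volume behaves like the copy above, because it is a copy plus delete.)
Move-Item -Path "$Lab\Source\FileA.txt" -Destination "$Lab\Dest\FileA-moved.txt"

Get-ExplicitAces -Path "$Lab\Dest\FileA-copy.txt"    # expect no rows: no explicit ACE survived the copy
Get-ExplicitAces -Path "$Lab\Dest\FileA-moved.txt"   # expect the Full Control ACE for $Grantee

# Clean up the lab tree when finished:
# Remove-Item -Path $Lab -Recurse -Force
```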
The Copy command is not aware of the security settings on folders or files. However, commands that are
more robust have this awareness. For example:
Question: You have FileA on the NTFS volume on Computer1. You grant the user John
explicit Full control permissions on FileA, and then you move FileA to the NTFS partition on
Computer2. Will John still have explicit permissions on FileA?
On which two file systems can you assign permissions in Windows 10?
FAT
FAT32
exFAT
NTFS
ReFS
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Lesson 3
Configuring and Managing Shared Folders
Collaboration is an important part of an administrator's job. Your team might create documents that
only team members can share, or you might work with a remote team member who needs access to your
team's files. Because of collaboration requirements, you must understand how to manage shared folders
in a network environment.
Sharing folders enables users to connect to a shared folder over a network, and to access the folders
and files that it contains. Shared folders can contain applications, public data, or a user's personal data.
Managing shared folders helps you provide a central location for users to access common files, and it
simplifies the task of backing up data that those folders contain. This lesson examines various methods
of sharing folders, along with the effect this has on file and folder permissions when you create shared
folders on an NTFS-formatted partition.
Lesson Objectives
After completing this lesson, you will be able to:
Describe shared folders.
Note: Sharing is limited to folders. You cannot share an individual file or group of files
within a folder that is not shared. Windows 10 allows you to right-click a file in a user's profile,
and then click Share with. However, this will share the Users folder, in which all user profiles are
stored.
After you share a folder, all users will see the share name over your network. However, only users
with Read permissions can view its content.
Windows 10 restricts sharing of folders to members of the Administrators group only. If you want to share
a folder, you will have to provide administrative credentials to User Account Control (UAC).
Note: File and printer sharing is disabled by default. When you share the first folder on
a Windows 10 device, Windows 10 turns on file and printer sharing automatically. This setting
remains turned on even if you remove all shared folders. You can configure it manually in
Advanced sharing settings in Control Panel.
Change. Users can also modify, delete, and create content, but they cannot modify permissions.
Includes Read permission.
Full Control. Users can perform all actions, including modifying the permissions. Includes Change
permission.
Basic sharing permissions are simplified and can have one of two options:
Read. The look but do not modify option. Users can open, but not modify or delete a file.
Read/Write. The Full Control option. Users can open, modify, or delete a file, and modify permissions.
Note: In older Windows versions, you could recognize shared folders in File Explorer,
because there was a different icon for folders that were shared than for folders that were not
shared. In File Explorer in Windows 10, the same icon is used regardless of whether a folder is
shared or not.
File Explorer.
A command prompt.
Using the Share with option (Network File and Folder Sharing)
The Share with option is a quick and easy way to share a folder. When you right-click a folder, and then
select Share with, you see a submenu that allows you to stop sharing the folder or share the folder with
specific people. When you share with specific people, you can select Everyone or use Find people to
share the folder with specific groups. After selecting the users with whom you want to share with a folder,
you can set Read or Read/Write permissions. You cannot remove a folder's owner. You also might notice
users or groups that have the Permission Level value Custom. This is because they have file-specific file
permissions.
Be aware that Network File and Folder Sharing will set share permissions and file permissions. The Share
permissions will be set as Everyone Full Control, and the file permissions will be set based on what you
select. The share name will be the same as the folder name. You cannot share the same folder multiple
times by using Network File and Folder Sharing.
grant that group Full Control share permissions. However, when a group member tries to connect to the
share, an error returns, even if that user has sufficient share permissions. This is because the user does not
have file permissions, and therefore cannot access the shares files.
This will create a simple share, which uses the share name that you specify, and which grants all users
Read permissions. You can specify additional parameters when creating a share, which the following
table lists.
Option Description
/Grant:user,permission Allows you to specify Read, Change, or Full share permissions for
the specified user.
/Users:number Allows you to limit the number of users who can connect to the
share.
/Cache:option Allows you to specify the caching options for the share.
The following table lists additional Windows PowerShell commands that you can use to manage shares.
Command Description
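An added example, not from the course text, that shares one folder with net share using the options from the table above and then shares it again as a hidden share with the SMB cmdlets; it also sets the matching NTFS permission, because share permissions alone do not grant access to the share's files. The C:\Data folder, the share names and the Managers group are assumptions for the lab.

```powershell
# Added example (not from the course text). Requires an elevated prompt and a
# local or domain group named Managers.

# net share: Managers get Change share permission, at most 10 simultaneous
# connections, and manual offline caching. --% stops PowerShell from
# re-parsing the comma and the quoted remark.
net share --% Data=C:\Data /Grant:Managers,CHANGE /Users:10 /Cache:Manual /Remark:"Team data"

# The same folder shared a second time under a hidden name (trailing $) by using
# the SMB cmdlets. Single quotes keep PowerShell from treating $ as a variable.
New-SmbShare -Name 'Data$' -Path 'C:\Data' -ChangeAccess 'Managers' `
             -ConcurrentUserLimit 10 -CachingMode Manual -Description 'Team data (hidden)'

# Share permissions are only half of the check. Grant Managers Modify on the folder
# (inherited by subfolders and files) so that share Change plus NTFS Modify
# results in Change access over the network.
$acl  = Get-Acl -Path 'C:\Data'
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            'Managers', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path 'C:\Data' -AclObject $acl

# Verify both halves: share-level ACL for both share names, then the NTFS ACE.
Get-SmbShareAccess -Name 'Data', 'Data$' | Format-Table Name, AccountName, AccessRight -AutoSize
(Get-Acl -Path 'C:\Data').Access |
    Where-Object { $_.IdentityReference.Value -like '*\Managers' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Remove both shares when finished (the folder and its NTFS permissions remain):
# Remove-SmbShare -Name 'Data', 'Data$' -Force
```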
Question: What is the main difference between sharing a folder by using Network File and
Folder Sharing and by using Advanced Sharing?
You can configure the following basic properties for a share by using Advanced Sharing:
Share name. Each share must have a share name, and it must be unique on each Windows 10-based
computer. The share name can be any string that does not contain special characters, and it is part of
the UNC path (\\computer\sharename) that Windows users use when connecting to a share. You can share
the same folder multiple times with different properties, but each share name must be unique. If the
share name ends with a dollar sign ($), the share is hidden from browse lists on the network. However,
anyone who knows the share name and has appropriate permissions can still connect to it, so a hidden
share is not a security control.
Number of simultaneous users. This limits the number of users who can have an open connection to
the share. The connection is opened when a user accesses the share for the first time, and it closes
automatically after a period of inactivity. The default value in Windows 10 is the maximum, 20 users.
You can configure a lower number, but not a higher one.
Caching/offline settings. You can control which of the share's files and programs are available to
offline users, that is, users who do not have network connectivity. You can configure files to:
o Cache on the client computer automatically when a user has network connectivity and opens
them for the first time.
o Cache offline only if the user manually makes them available offline and has the necessary permissions.
o Not cache at all.
Permissions. You can configure shared folder permissions, which Windows evaluates together with
file system permissions when a user accesses data through a shared folder over the network. Shared
folder permissions can allow or deny Read, Change, or Full Control.
If you try to use a share name that is already in use on the computer, Windows 10 gives you the
option to stop sharing the old folder and use the share name for the current folder.
If you rename a folder that is currently shared, you do not receive a warning. However, the folder is no
longer shared.
Note: If you share a folder by using Network File and Folder Sharing, you can share the folder
only once, and you cannot configure its share properties manually. The share name is set automatically
and is the same as the folder name. The share permissions, number of simultaneous users, and
caching properties keep their default values.
You can configure advanced share properties only by using Windows PowerShell. You cannot configure or
view them by using the GUI tools. Advanced share settings that you can configure in Windows 10 include
access-based enumeration and SMB encryption. For example, you can enable access-based enumeration
for the share named Folder1 by using the following cmdlet:
Note: Access-based enumeration displays only the content for which a user has
permissions. If the user does not have Read permission to a file or folder, that file or folder is
not listed when the user connects to the shared folder. It hides names only; it is not a substitute
for correct permissions.
You can view all shared folder properties for the share named Folder1 by using the following cmdlet:
Get-SmbShare -Name Folder1 | Format-List *
http://aka.ms/dwc4lz
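The following is an added example, not part of the course text, that shows the net share options from the table earlier in this topic and the SmbShare cmdlets for the advanced properties (access-based enumeration, SMB encryption) that the GUI does not expose. The folder C:\Folder1, the share name Folder1, and the group ADATUM\IT are assumptions; run it in an elevated Windows PowerShell session on Windows 10.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course). Assumed: C:\Folder1, share Folder1, group ADATUM\IT.
$path  = 'C:\Folder1'
$share = 'Folder1'
New-Item -Path $path -ItemType Directory -Force | Out-Null

# 1. net.exe form, using the /GRANT, /USERS and /CACHE options from the table.
#    /GRANT replaces the default "Everyone Read" share ACL with an explicit entry.
net share "$share=$path" "/GRANT:ADATUM\IT,CHANGE" /USERS:5 /CACHE:Manual
net share $share            # prints the share's permissions, user limit and caching
net share $share /DELETE

# 2. The same share with the SmbShare module, plus the settings the GUI cannot set.
#    Nothing here touches NTFS permissions; the file-system ACL still has to grant access.
$params = @{
    Name                  = $share
    Path                  = $path
    ChangeAccess          = 'ADATUM\IT'
    FullAccess            = 'BUILTIN\Administrators'
    ConcurrentUserLimit   = 5
    CachingMode           = 'Manual'
    EncryptData           = $true          # require SMB 3.x encryption for this share
    FolderEnumerationMode = 'AccessBased'  # access-based enumeration
}
New-SmbShare @params | Out-Null

# Later changes use Set-SmbShare; share ACL changes use Grant-/Revoke-SmbShareAccess.
Set-SmbShare -Name $share -FolderEnumerationMode AccessBased -EncryptData $true -Force

function Get-ShareExposure {
    # Reviews every user-created share on this computer and flags the two settings that
    # most often need attention: an Everyone allow entry and unencrypted transport.
    Get-SmbShare -Special $false | ForEach-Object {
        $s   = $_
        $acl = Get-SmbShareAccess -Name $s.Name
        [pscustomobject]@{
            Name            = $s.Name
            Path            = $s.Path
            EveryoneAllowed = [bool]($acl | Where-Object {
                                  $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' })
            Encrypted       = $s.EncryptData
            AccessBasedEnum = $s.FolderEnumerationMode -eq 'AccessBased'
            UserLimit       = $s.ConcurrentUserLimit
        }
    }
}
Get-ShareExposure | Format-Table -AutoSize

# Remove an Everyone entry where one slipped in (Network File and Folder Sharing adds one).
Get-ShareExposure | Where-Object EveryoneAllowed | ForEach-Object {
    Revoke-SmbShareAccess -Name $_.Name -AccountName 'Everyone' -Force
}
```

Revoking Everyone from the share ACL only tightens the share side; users still need an NTFS entry on the folder, which is why the ChangeAccess entry for the group is paired with matching file permissions in practice.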
Question: What is the maximum number of users who can connect to a share
simultaneously on Windows 10?
Question: Can you configure Caching (Offline Settings) when you share a folder by using
Network File and Folder Sharing?
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
If users have the Change share permission, they can take ownership of the
files when they access the share over the network.
Users must have appropriate file system permissions for each file and subfolder in a shared folder to
access those resources, in addition to appropriate shared folder permissions.
When you combine file-system and shared-folder permissions, the resulting effective permission is the
more restrictive of the two. Think of it as the intersection of the two sets of rights, not the union.
When a user connects to content through a share, the share permissions apply to the shared folder, to
all of its files and subfolders, and to all files in those subfolders.
When you configure shared folder permissions, you can allow or deny only Read, Change, and Full
Control, and these permissions apply to content in all folders and subfolders. You have much more
granularity when you configure file-system permissions. You can configure permissions for each file, and
you can allow or deny many more file-system permissions than share permissions.
Note: If you enable the Guest user account on your computer, the Everyone group includes
the Guest account, so anyone who can reach the computer is effectively a member. Therefore, as a
best practice, remove the Everyone group from permission lists and replace it with the
Authenticated Users group.
The following analogy can help you understand what happens when you combine file system and share
permissions. If you want to access a shared folder's files over a network, you must go through the shared
folder. Therefore, you can think of the shared folder permissions as a filter that lets through only those
actions that the share permissions allow. Any file system permission that is broader than the share
permissions is filtered out, so that only the more restrictive permissions remain.
For example, if the share permission is set to Read, the most that you can do when connecting through
the shared folder is read files, even if the file system permission is set to Full Control. If you set the
share permission to Change, you are allowed to read or modify the share's data. If the file system
permission is set to Full Control, the share permission filters the effective permission down to Modify;
you cannot take ownership or change permissions over the network.
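To make the intersection concrete, here is an added example (not from the course) that computes the effective network access from a share right and a set of NTFS rights, and a helper that reads both from a live share for one account. The share name Data and the account ADATUM\IT are assumptions; the helper deliberately looks only at direct Allow entries and ignores group membership and Deny entries, so it is a first check, not a replacement for the Effective Access tab.

```powershell
# Added example (not from the course). Run on Windows 10 with the SmbShare module.
using namespace System.Security.AccessControl

# The share right acts as a filter mask over the NTFS rights.
$ShareMask = @{
    Read   = [FileSystemRights]::ReadAndExecute
    Change = [FileSystemRights]::Modify
    Full   = [FileSystemRights]::FullControl
}

function Get-EffectiveAccess {
    param(
        [Parameter(Mandatory)][ValidateSet('Read', 'Change', 'Full')][string]$ShareRight,
        [Parameter(Mandatory)][FileSystemRights]$NtfsRights
    )
    # Effective rights over the network are the bits present in both masks.
    [FileSystemRights]([int]$NtfsRights -band [int]$ShareMask[$ShareRight])
}

# The cases from the text: Read share + Full Control NTFS, Change share + Full Control NTFS.
Get-EffectiveAccess -ShareRight Read   -NtfsRights FullControl
Get-EffectiveAccess -ShareRight Change -NtfsRights FullControl
# Change never passes ownership or permission changes through, whatever NTFS says.
$viaChange = Get-EffectiveAccess -ShareRight Change -NtfsRights FullControl
[bool]([int]$viaChange -band [int][FileSystemRights]::TakeOwnership)

function Get-EffectiveShareAccess {
    # Reads the Allow entries for one account on a share and on its folder, then intersects.
    # Assumed: direct entries only; group membership and Deny entries are not resolved here.
    param(
        [Parameter(Mandatory)][string]$ShareName,
        [Parameter(Mandatory)][string]$Account      # e.g. 'ADATUM\IT' (assumed)
    )
    $share      = Get-SmbShare -Name $ShareName
    $shareRight = Get-SmbShareAccess -Name $ShareName |
        Where-Object { $_.AccountName -eq $Account -and $_.AccessControlType -eq 'Allow' } |
        Select-Object -First 1 -ExpandProperty AccessRight
    if (-not $shareRight) { return "$Account has no Allow entry on share $ShareName" }

    $ntfs = [int]0
    (Get-Acl -Path $share.Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $ntfs = $ntfs -bor [int]$_.FileSystemRights }
    if ($ntfs -eq 0) { return "$Account has no Allow entry on $($share.Path); the share alone grants nothing" }

    Get-EffectiveAccess -ShareRight "$shareRight" -NtfsRights ([FileSystemRights]$ntfs)
}
Get-EffectiveShareAccess -ShareName 'Data' -Account 'ADATUM\IT'
```

The first two calls return ReadAndExecute and Modify respectively, and the TakeOwnership test is false, which is the reason the statement "Change share permission lets users take ownership over the network" is false.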
Demonstration Steps
1. On LON-CL1, view security for the C:\Data folder. Use File Explorer to confirm that the Managers
group has permissions on the folder and that the folder is not shared.
2. Use Network File and Folder Sharing to share the C:\Data folder. Remove permissions for
Managers, and then add Read/Write permissions for the IT group.
3. Use File Explorer to note that the Managers group no longer has permissions on the folder but the
IT group does, and that the folder C:\Data is now shared.
4. Use Advanced Sharing to review the share name, limit the number of simultaneous users to five, and
review the share permissions that were set when using Network File and Folder Sharing.
5. Create an additional share for the C:\Data folder, called IT Data, and grant Everyone Full Control
permissions for the share.
6. Use File Explorer to view the Data and IT Data shares on LON-CL1 and File1.txt in the IT Data
share.
7. Use the Shared Folders console to view shares on LON-CL1.
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Your company is planning to implement dynamic access control, so you also will implement a pilot project
for the Research department, where you will utilize user claims to limit access to its share.
Objectives
After completing this lab, you will be able to:
Share a folder by using Network File and Folder Sharing and Advanced Sharing.
Understand the differences between using Network File and Folder Sharing and Advanced Sharing.
Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, 20697-1B-LON-CL2
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20697-1B-LON-CL1 and 20697-1B-LON-CL2. Do not sign in until directed
to do so.
2. Use File Explorer to create the following folders: C:\Data, C:\Data\Marketing, and C:\Data\IT.
2. Verify that all permissions entries for the C:\Data\IT folder are inherited from C:\. Also, verify that
Users (LON-CL1\Users) have Read & execute Access, while Authenticated Users have Modify
Access.
3. Verify that all permissions entries for the C:\Data\Marketing folder are inherited from C:\. Also,
verify that Users (LON-CL1\Users) have Read & execute Access, while Authenticated Users have
Modify Access.
2. Use Advanced Sharing to share the C:\Data\Marketing folder with the Marketing group only, and
then provide them with Change share permissions.
4. Use the Shared Folders tool in Computer Management to view shares on LON-CL1.
2. View the advanced sharing properties for the C:\Data\IT folder, and then verify that Everyone and
Administrators have Full Control permissions to the share.
Note: If you share a folder by using the File Sharing dialog box, you modify the local
file permissions to match your configuration, while the Everyone and Administrators groups
receive the Full Control share permission.
3. View the advanced security settings for the C:\Data\Marketing folder. Verify that all of the
permissions entries are inherited from C:\. Also, verify that Users (LON-CL1\Users) have Read &
execute permission, while Authenticated Users have Modify permission.
Note: If you share a folder by using the Advanced Sharing feature, the local file
permissions are not modified. Advanced Sharing changes only the share permissions.
Note: Adam has local file permissions to create a new file in the Marketing folder because
the Marketing share was configured by using the Advanced Sharing feature, which modified only the
share permissions and left the default local file permissions in place. By default, Authenticated
Users have the Modify permission.
Note: You will get an error, because Adam does not have local file permissions to the IT
folder. Permissions were configured by File Sharing, and only members of the IT group have local file
permissions to the folder.
5. Sign in to LON-CL1 as Adatum\April with the password Pa$$w0rd. April is a member of the IT
group, but she is not a member of the Marketing group.
Note: April has local file permissions to create a new file in the Marketing folder because
the Marketing share was configured by using the Advanced Sharing feature, which modified only the
share permissions and left the default local file permissions in place. By default, Authenticated
Users have the Modify permission.
Note: April is able to create a file, because permissions were configured by File Sharing.
Members of the IT group have local file permissions to the IT folder.
Note: Be aware that Network File and Folder Sharing, which sometimes is referred to as
simple file sharing, modifies file permissions and shared folder permissions. However, Advanced
Sharing does not modify file permissions. It modifies only share permissions.
2. Verify that you can see the IT and Marketing shares on LON-CL1.
3. Create a text document named File30 in the \\LON-CL1\Marketing share.
Note: Adam is not a member of the IT group, so he does not have permissions to access
the IT share.
7. Verify that you can see the IT and Marketing shares on LON-CL1.
Note: April is not a member of the Marketing group, so she does not have permissions to
access the Marketing share.
Note: Users can access only the shares that were shared for groups in which they are
members, regardless of whether they were shared by File Sharing or Advanced Sharing.
Results: After completing this exercise, you will have created a folder structure for the Marketing and
information technology (IT) departments, shared their folders, and tested local and share permissions.
In this exercise, you will implement a pilot project to protect data for the Research department by using
user claims. You also will demonstrate how you can limit access to IT data to only those users who live in
the U.S. You will test user access by using the Effective Permissions tool.
The main tasks for this exercise are as follows:
4. Disable security inheritance for the C:\Data\Research folder, and then convert inherited permissions
into explicit permissions.
5. Remove the Users (LON-CL1\Users) permissions on the C:\Data\Research folder.
6. Edit advanced security settings for the C:\Data\Research folder, and then add the condition User
department Equals Value research for Authenticated Users. You will need to type research
manually in the last box.
7. Edit the advanced security settings for the C:\Data\IT folder, and then add the condition User
Country Equals Value US for the IT (ADATUM\it) group. You will need to type US manually in the
last box.
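Steps 4 and 5 above scripted, plus a check for steps 6 and 7: an added example (not from the course) that protects C:\Data\Research from inheritance, removes the local Users entries, and then reports whether a conditional (claims-based) entry is present. Writing the claim condition itself is left to the Advanced Security Settings dialog, because the entry must reference the claim type's ID from AD DS; the script only reads it back from the SDDL string, which is the one place the condition is visible to PowerShell. The path C:\Data\Research and the LON-CL1 naming are assumptions from the lab.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course). Assumed path: C:\Data\Research on LON-CL1.
$folder = 'C:\Data\Research'

# Step 4: stop inheriting from C:\ but keep the inherited entries as explicit ones.
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $true)   # isProtected = $true, preserveInheritance = $true
Set-Acl -Path $folder -AclObject $acl

# Step 5: remove every entry for the local Users group (shown as LON-CL1\Users in the GUI).
$acl = Get-Acl -Path $folder
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }
Set-Acl -Path $folder -AclObject $acl

function Get-ConditionalAce {
    # Returns the conditional entries (SDDL type XA, "access allowed callback") on a folder.
    # Get-Acl's Access collection does not surface these, so the SDDL string is parsed.
    # Fields: (type;flags;rights;object_guid;inherit_guid;sid;(condition))
    param([Parameter(Mandatory)][string]$Path)
    $sddl = (Get-Acl -Path $Path).Sddl
    foreach ($m in [regex]::Matches($sddl, '\(XA;[^;]*;[^;]*;[^;]*;[^;]*;([^;]*);\((.*?)\)\)')) {
        [pscustomobject]@{
            Path      = $Path
            Trustee   = $m.Groups[1].Value   # SID or SDDL alias, e.g. AU = Authenticated Users
            Condition = $m.Groups[2].Value   # e.g. @USER.<claim id> == "research"
        }
    }
}

# After step 6 (GUI), expect one XA entry for AU whose condition names the department claim.
Get-ConditionalAce -Path $folder
# After step 7, the IT group's SID with the Country claim should appear here.
Get-ConditionalAce -Path 'C:\Data\IT'

# Sanity check: no plain Allow entry for Users remains on Research (expect 0).
((Get-Acl -Path $folder).Access |
    Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Users' } |
    Measure-Object).Count
```

Run the inheritance and removal steps before adding the conditions, as the lab does. Once a conditional entry is in place, treat Set-Acl as read-only tooling for that folder: the .NET access-rule classes carry the callback entry as an opaque custom ACE, and a round trip through them is not a reliable way to edit it.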
Note: April has a department claim value of IT and she cannot connect to the Research
share.
Note: April has permissions to create a new file in the IT share because she is a member of
the IT group and her Country claim has a value of US.
5. Sign in to LON-CL2 as Adatum\Jesper with the password Pa$$w0rd. Jesper is a member of the
IT group.
Note: Jesper has a Country claim with the value of GB, so he cannot connect to the
IT share, even though he is a member of the IT group.
Note: Anil has permissions to create a new file in the Research share because his
department claim has a value of Research.
Note: Because Authenticated Users have the Modify permission on the Marketing folder, you
can see that Joel has the most permissions allowed.
2. View the effective permissions to the C:\Data\Research folder for the user named Ales, who is a
member of Development group.
Note: Only users who have the department-claim value of Research can access the folder.
Therefore, Ales does not have the required permissions to access it.
3. View the effective access to the C:\Data\Research folder for the user named Ales when you include
a user claim of department = Research.
Note: You can see that if Ales had the user claim of department with the value of
Research, he would have the most permissions allowed.
4. View effective access to the C:\Data\Research folder for the user named Aziz, who is a member of
the Research group, when you include user claim of department = Research.
Note: If Aziz had the user claim of department with the value of Research, he would have
the most permissions allowed.
Results: After completing this exercise, you will have configured and tested conditions to control access.
You will have also viewed effective permissions.
Lesson 4
Work Folders
Work Folders is a Windows 10 feature that enables users to sync their local copy of files with files on a
server, which must be running Windows Server 2012 R2 or a newer operating system. Users can use Work
Folders even if their Windows 10 device is not joined to the domain, and an administrator can configure a
policy for the local copy. For example, you can require that the local copy is encrypted, and if a device is
lost or an employee has left the company, you can wipe the local copy of the Work Folders data remotely
while leaving the user's other data on the device intact.
Lesson Objectives
After completing this lesson, you will be able to:
Work Folders allow home and office users to access their individual data regardless of whether their
devices are connected to a company network or domain-joined. Work Folders store only the individual files
of users, and users can access only their own Work Folders. A traditional file server stores the Work
Folders data, but each device also keeps a local copy of the user's subfolder of the sync share. This is
known as a user work folder. Users can access the local copy of their Work Folders even without network
connectivity, and any modifications they make synchronize with their Work Folders on the file server
immediately, or after connectivity to the file server is restored. Users can access and use Work Folders
from various devices, irrespective of domain membership. Windows 10 and Windows 8.1 support Work
Folders natively, and you can add Work Folders support to Windows 7, Apple iPad, and Apple iPhone
devices.
If users use multiple devices that are configured with Work Folders, changes they make on one device
synchronize to their other devices automatically through the server. A file server stores the Work Folders
content, so you can use all the features that are available on a file server, such as Dynamic Access
Control, auditing, quotas, File Classification Infrastructure, and protecting content with Active Directory
Rights Management Services (AD RMS). You can define a policy for devices that access Work Folders. For
example, you can create a policy that requires encryption of a device's local copy of the Work Folders
data. You also can use the Remote Business Data Removal feature to prevent access to, or remotely wipe,
a device's local copy of Work Folders data if the device is lost or stolen, or if the employee leaves the
company.
For more information on Work Folders, refer to the following webpage on the Microsoft TechNet website:
Work Folders Overview
http://aka.ms/cdspcf
Question: Can you share your Work Folders content with your coworkers?
User devices. These are the devices from which you can access, modify, and synchronize content
that is stored in Work Folders. You can access Work Folders from workgroup devices, devices that
are workplace-joined, or domain member devices. Windows 10 and Windows 8.1 devices support
Work Folders by default, and you can add Work Folders support to Windows 7, iPad, and iPhone
devices. Devices also must trust the SSL certificate that the Work Folders server uses for its HTTPS
endpoint; an untrusted or mismatched certificate makes setup and sync fail. If you configure devices to
use Work Folders, Windows detects changes to the local copies of data and then synchronizes them with
the server. By default, devices check the Work Folders server every 10 minutes and synchronize changes
with the local copies of the Work Folders data.
When you configure Work Folders on a device, you establish a Work Folders sync partnership between
the device and the file server. During initialization, the data directory, version database, and download-
staging directory are created on the device. The version database keeps track of which local files are in
sync with the file server's copy. On the server side, similar structures are created when a user first
synchronizes. You provision the server-side Work Folders only once per user, while the client side is
provisioned for each device on which the user uses Work Folders. When users modify their Work Folders
content, the following process takes place:
1. Users modify local Work Folders content, and the Work Folders client detects the changes in real
time. The client then initiates a sync session with the Work Folders server and uploads the changes.
2. After the upload is complete, the Work Folders server applies the uploaded changes to the user's
Work Folders content on the server. If the same file changes on multiple user devices in the same
synchronization cycle, the version with the latest time stamp keeps the original file name. The Work
Folders server preserves the other copies of the file in the same directory, but the name of the device
on which the conflict occurred is appended to the file name, and a number is appended if there are
multiple conflicts for the same file. The Work Folders server keeps up to 100 conflict files. If more
than 100 conflict files are generated, Work Folders synchronization stops for the user until the user
manually resolves the problem.
3. A second client device initiates synchronization, either because data was modified on that device as
well, or because the polling interval (10 minutes by default) has elapsed with no local changes. The
second client downloads the changes from the Work Folders server and applies them to its local copy
of the data.
When you use Work Folders, you should be aware of following considerations:
Work Folders synchronization is limited to one partnership per user, per device. If multiple users
use the same device, all users can have their own partnership with the sync folder on the same, or
different, Work Folders servers, but the same user cannot create a sync partnership with a second
sync share on the same or different Work Folders servers.
Clients always initiate synchronization. A Work Folders server is passive and responds only to sync
requests.
Clients synchronize only with the Work Folders server. If users are using multiple devices, and they are
all configured with Work Folders, devices do not synchronize changes between themselves. Devices
synchronize changes only with the server. After one device synchronizes changes with a server, other
devices are synchronized with the changes from the server.
The system that applies the change, which can be either the user device or the Work Folders server, is
responsible for conflict resolution. Conflicts are resolved automatically by renaming the conflicting
files with older time stamps.
Install-WindowsFeature FS-SyncShareService
2. Create a sync share for Work Folders. A sync share is the unit of synchronization that can be
synchronized with a user device. You can create a sync share by using Server Manager or by using
the New-SyncShare cmdlet. A sync share can be an existing SMB share, or you can point it to a new
folder. Multiple users can have access to the same sync share. Therefore, you must specify the naming
syntax for the user subfolders. Use either user_alias or user_alias@domain. The first syntax maintains
compatibility with existing user folders that use aliases for their names, while the second syntax
eliminates conflicts between identical user aliases in multiple domains in the same AD DS forest. By
default, users synchronize their whole Work Folders structure, but you can limit the synchronization
to specific subfolders. You also can configure who has permissions to access the sync folder and
device policy, in which you define requirements for devices that will be used for accessing sync shares.
After you configure Work Folders on a file server, you can deploy Work Folders to client devices. Based on
the client device type and whether or not it is domain-joined, you have different options for deploying
Work Folders:
Manual. You can configure Work Folders by using the Manage Work Folders option in Control Panel.
You can add Work Folders either by entering an email address or the Work Folders URL. If you enter
an email address, the email domain is prefixed with workfolders. to create the URL. For example, if you
enter an address in the adatum.com domain, the URL is https://workfolders.adatum.com. If this URL
does not resolve to the Work Folders server, auto-discovery fails and you must enter the Work
Folders URL.
Opt-in. You can configure Work Folders settings by using domain-based Group Policy, Microsoft
Intune, or Microsoft System Center Configuration Manager. However, those settings are not
mandatory. Users can decide whether to use those settings and configure Work Folders on the device.
Mandatory. You can use the same three methods (domain-based Group Policy, Microsoft Intune,
or Configuration Manager) to deliver Work Folders settings to a device. However, these settings are
mandatory, and users cannot modify them. Work Folders are configured transparently on devices
without user interaction.
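An added example, not from the course, covering the server-side setup and the auto-discovery rule used by manual client setup. The server name LON-DC1, the domain adatum.com, the group ADATUM\Marketing, the user ADATUM\Adam, and the path C:\MarketingSync are assumptions; run the first part on the file server (Windows Server 2012 R2 or later) and the second part on a Windows 10 client.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course). Assumed: adatum.com, LON-DC1, ADATUM\Marketing, C:\MarketingSync.

# ---- File server: install the role service and create the sync share ----
Install-WindowsFeature -Name FS-SyncShareService

$syncShare = @{
    Name                    = 'MarketingSync'
    Path                    = 'C:\MarketingSync'
    User                    = 'ADATUM\Marketing'
    UserFolderName          = '%username%@%domain%'   # avoids clashes between identical aliases in two domains
    RequireEncryption       = $true                   # device policy: local copy is encrypted
    RequirePasswordAutoLock = $true                   # device policy: lock screen and password required
}
New-SyncShare @syncShare
Get-SyncShare -Name MarketingSync |
    Format-List Name, Path, User, UserFolderName, RequireEncryption, RequirePasswordAutoLock

# Per-user sync state once a device has synced at least once (user assumed).
Get-SyncUserStatus -User 'ADATUM\Adam' -SyncShare 'MarketingSync'

# ---- Client: what the "enter an email address" path does, and whether it will work ----
function Get-WorkFoldersDiscoveryUrl {
    # Work Folders prefixes the email domain with "workfolders." and uses HTTPS.
    param([Parameter(Mandatory)][string]$EmailAddress)
    $parts = $EmailAddress -split '@', 2
    if ($parts.Count -ne 2 -or -not $parts[1]) { throw "Not an email address: $EmailAddress" }
    [uri]"https://workfolders.$($parts[1])"
}

function Test-WorkFoldersEndpoint {
    # Auto-discovery fails if the name does not resolve, nothing listens on 443,
    # or the server certificate is not trusted by this device.
    param([Parameter(Mandatory)][uri]$Url)
    $dns  = Resolve-DnsName -Name $Url.Host -ErrorAction SilentlyContinue
    $tcp  = Test-NetConnection -ComputerName $Url.Host -Port 443 -WarningAction SilentlyContinue
    $cert = $null
    if ($tcp.TcpTestSucceeded) {
        $client = New-Object System.Net.Sockets.TcpClient($Url.Host, 443)
        $ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try     { $ssl.AuthenticateAsClient($Url.Host); $cert = $ssl.RemoteCertificate }
        catch   { $cert = $null }   # handshake failed: untrusted chain or name mismatch
        finally { $ssl.Dispose(); $client.Dispose() }
    }
    [pscustomobject]@{
        Url         = $Url.AbsoluteUri
        Resolves    = [bool]$dns
        Port443Open = $tcp.TcpTestSucceeded
        CertTrusted = [bool]$cert
        CertSubject = $cert.Subject
    }
}

$url = Get-WorkFoldersDiscoveryUrl -EmailAddress '[email protected]'   # assumed address
Test-WorkFoldersEndpoint -Url $url
# If Resolves is $false, enter the server's own URL (https://lon-dc1.adatum.com here) in Control Panel.
```

The TLS handshake in Test-WorkFoldersEndpoint uses the default certificate validation, so a CertTrusted value of $false reproduces exactly the failure a user sees when the server certificate is not trusted by the device.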
Question: Can you use Group Policy to deploy Work Folders centrally to devices that are not
domain-joined?
Demonstration Steps
1. On LON-CL1, sign in as user adatum\adam with the password Pa$$w0rd.
2. Use File Explorer to create a new text document named On LON-CL1.txt in Work Folders.
4. On LON-CL4, use Work Folders to set up Work Folders with the following settings:
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You can use Work Folders only if a Windows 10 device is joined to AD DS.
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, 20697-1B-LON-CL4
2. In Hyper-V Manager, click 20697-1B-LON-CL4, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
Task 1: Install the Work Folders feature and create a sync share
1. On LON-DC1, install the FS-SyncShareService feature by using the Install-WindowsFeature cmdlet.
2. Use Server Manager to create New Sync Share, by using the following data:
o Local path: C:\MarketingSync
3. Use Server Manager to verify that MarketingSync is listed in the WORK FOLDERS section and that
user Adam Barr is listed in the USERS section.
4. Use File Explorer to create a New Text Document named On LON-CL1 in Work Folders.
5. Verify that the On LON-CL1 file is encrypted.
2. On LON-CL4, open Control Panel and use Work Folders to set up Work Folders with the following
settings:
o Work Folders URL: https://lon-dc1.adatum.com
2. On LON-CL1, verify that only the On LON-CL1.txt file displays in Work Folders.
Note: Work Folders synchronizes every 10 minutes automatically. You also have an option
to trigger synchronization manually.
4. Use File Explorer to verify that both files, On LON-CL1 and On LON-CL4, display in Work Folders.
5. Disable the Ethernet network connection by using Administrator and the password Pa$$w0rd as the
credentials.
6. Modify the On LON-CL1.txt file in Work Folders by adding the following content: Modified offline.
9. On LON-CL1, enable the Ethernet network connection. Use Administrator and the password
Pa$$w0rd as the credentials.
10. On LON-CL1, verify that four files are displayed in Work Folders, including On LON-CL1.txt and
On LON-CL1-LON-CL1.txt. The file was modified at two locations, so a conflict occurred, and one
of the copies was renamed.
Note: The file On LON-CL1-LON-CL1 appears after a few seconds, when the next sync happens.
Results: After completing this exercise, you will have configured and used the Work Folders feature
successfully.
Question: Can a user access the same Work Folders from domain devices and from
workgroup devices?
Lesson 5
Managing Printers
To be able to print over the network in Windows 10, you must understand the Windows 10 printing
components and how to manage them.
This lesson examines the printing components in a Windows 10 environment, including the relation
between printing devices, printers, ports, and drivers. You will see how to install, share, and manage a
printer, and you will review how to use the Print Management tool to administer multiple printers and
print servers.
Lesson Objectives
After completing this lesson, you will be able to:
Printing device
A printing device is a physical device that is available locally, connected to the network, or connected
to the print server. You use it to produce the print job output, which is typically a printed document. By
default, Windows 10 supports many printing devices and includes drivers for communicating with those
devices. You can add support for additional devices if needed.
Printer port
Windows 10 can automatically detect printers when you connect them to your computer, and it installs
the printer driver without interaction if the driver is available in the driver store. However, a Windows
operating system might not detect printers that you connect by using older ports, such as serial or parallel
ports, or network printers. In these cases, you must configure a printer port manually.
In most cases, printer drivers are included with the Windows 10 operating system. If you are missing
a driver for your printer, you can try to download it through Windows Update or from the printer
manufacturer's web page, or you can access it on the media that came with the printer.
Note: The Add Printer Wizard presents you with an exhaustive list of currently installed
printer types. However, if your printer is not on the list, you must obtain and install the necessary
driver.
You can preinstall printer drivers in the driver store, thereby making them available in the printer
list by using the pnputil.exe command-line tool.
Question: Can you add multiple printers in Windows 10, while they are all using the same
physical printing device?
Type 4 printer drivers typically are delivered by using Windows Update or Windows Server Update
Services (WSUS). Unlike Type 3 drivers, Type 4 drivers are not downloaded from a print server.
Sharing a printer does not require adding additional drivers that match the client architecture
A single Type 4 driver can support multiple printer models
Driver files are isolated on a per-driver basis, which prevents potential driver file-naming conflicts
Driver packages are smaller and more streamlined than Type 3 drivers, and Type 4 drivers install faster
than Type 3 drivers
Printer driver and the printer user interface can be deployed independently with Type 4 drivers
You can read additional information about Type 4 printer drivers at the following URL:
Question: Do you need a specific Type 4 printer driver for each printer?
Demonstration Steps
1. On LON-CL1, add a local printer with the following manual settings:
o Printer driver: Microsoft PCL6 Class Driver
Printer-sharing functionality.
You can view all printer-related cmdlets by running Get-Command -Module PrintManagement.
If a print job is printing in the wrong color or the wrong size, you can start over. To restart a print job,
right-click the specific print job, and then click Restart.
If you start a print job by mistake, it is simple to cancel the print job, even if printing is underway. To
cancel an individual print job, right-click the print job that you want to remove, and then click Cancel.
To cancel all print jobs, click the Printer menu, and then click Cancel All Jobs. The item that is printing
currently might finish, but the remaining items will be cancelled.
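An added example, not part of the course, that performs the demonstration's printer setup with the PrintManagement cmdlets and then runs the job-queue actions described above from PowerShell. The port address 10.10.0.50, the printer name Managers Printer, the pnputil path, and the job IDs are assumptions; the Microsoft PCL6 Class Driver is an in-box Windows 10 driver. Run in an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the course). Assumed: a network printer at 10.10.0.50 named 'Managers Printer'.
Import-Module PrintManagement

$port    = 'IP_10.10.0.50'
$printer = 'Managers Printer'

# Port, in-box driver, then the printer object: the same order the Add Printer wizard uses.
Add-PrinterPort   -Name $port -PrinterHostAddress '10.10.0.50'
Add-PrinterDriver -Name 'Microsoft PCL6 Class Driver'
Add-Printer       -Name $printer -DriverName 'Microsoft PCL6 Class Driver' -PortName $port

# A vendor driver that is not in the driver store is staged with pnputil first, then added by name:
# pnputil.exe /add-driver 'C:\Drivers\model\printer.inf'      (assumed path)

# Share it. Who can print to or manage it is decided by the printer's permission SDDL.
Set-Printer -Name $printer -Shared $true -ShareName 'Managers Printer'
(Get-Printer -Name $printer -Full).PermissionSDDL

function Get-SharedPrinterReport {
    # One row per shared printer: driver type (4 = Type 4 class driver) and ACL, for review.
    Get-Printer -Full | Where-Object Shared | ForEach-Object {
        $drv = Get-PrinterDriver -Name $_.DriverName | Select-Object -First 1
        [pscustomobject]@{
            Name        = $_.Name
            ShareName   = $_.ShareName
            Driver      = $_.DriverName
            DriverType  = $drv.MajorVersion
            Permissions = $_.PermissionSDDL
        }
    }
}
Get-SharedPrinterReport | Format-Table -AutoSize

# Queue management, matching the Restart / Cancel / Cancel All Jobs actions in the GUI.
Get-PrintJob -PrinterName $printer |
    Select-Object Id, JobStatus, UserName, DocumentName, PagesPrinted, SubmittedTime
Restart-PrintJob -PrinterName $printer -ID 3         # assumed job ID: print it again from page 1
Remove-PrintJob  -PrinterName $printer -ID 4         # assumed job ID: cancel one job
Get-PrintJob -PrinterName $printer | Remove-PrintJob # cancel all jobs in the queue

# Inventory of the module, as the text suggests:
Get-Command -Module PrintManagement | Sort-Object Noun, Verb | Format-Wide Name -Column 3
```

The PermissionSDDL value is the same ACL that the Security tab shows; reviewing it on every shared printer is the quickest way to find a printer that Everyone can manage rather than merely print to.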
Question: Which Windows PowerShell cmdlet can you use to modify printer properties?
Question: Can you manage printers that are connected to a remote Windows 10-based
computer by using Devices and Printers?
Note: You can use the Devices and Printers tool to manage printers only on local
Windows 10-based computers. When you use the Print Management console, you can manage
printers on local Windows 10-based computers, in addition to printers that are connected to
other Windows-based print servers.
Question: Do you need to turn on any Windows feature to be able to install and share
printers on Windows 10 and use the Print Management tool?
Question: Can you use the Print Management tool for managing printers only on
Windows 10-based and Windows 8.1-based computers?
Which tool would you use to manage printers on multiple Windows 10-based
computers in the AD DS environment?
Device Manager
Print Management
Computer Management
Connected Devices
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You can add multiple printers in Windows 10 for a single printing device
that is connected to your computer.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. If virtual machines are already running
from the previous lab, you do not need to start any virtual machines. Before you begin the lab, all virtual
machines that are used in this lab must be running. You can start them by completing the following steps:
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20697-1B-LON-CL1 and 20697-1B-LON-CL2. Do not sign in until directed
to do so.
2. Use Print Management to add a printer on LON-CL2 with the following settings:
o Printer driver: Microsoft PS Class Driver
2. Verify that you can see the PostScript printer that you added remotely in the previous task.
3. Try to add the \\LON-CL1\Managers Printer printer by using the Select a shared printer by name
option.
Note: Because April is not a member of the Managers group, and she does not have
permissions to \\LON-CL1\Managers Printer, you were asked to enter credentials with the
appropriate permissions.
5. Verify that Printer1 on lon-dc1 is added and that it is the default printer.
2. On LON-CL1, use Print Management to verify that Printer1 is listed as the only printer with jobs
pending.
3. On LON-CL1, view the printing jobs on Printer1 on lon-dc1.
4. Review the properties of the Untitled Notepad printing job on Printer1 on lon-dc1.
Results: After completing this exercise, you will have added a local and remote printer. You also will have
configured printer security, and used the Print Management feature to manage printers.
To simplify the assignment of permissions, you can grant the Everyone group Full Control share
permission to all shares, and then you can configure file permissions to control access. Restrict share
permissions to the minimum required to provide an extra layer of security in case file permissions are
configured incorrectly.
When you disable permission inheritance, you have options to convert inherited permissions into
explicit permissions, or you can remove all inherited permissions. If you only want to restrict a
particular group or user, then you should convert inherited permissions into explicit permissions to
simplify the configuration process.
Be aware that Network File and Folder Sharing (sometimes also referred to as Simple File Sharing)
modifies both file permissions and shared folder permissions, whereas Advanced Sharing does not modify
file permissions and only sets share permissions.
If the guest user account is enabled on your computer, the Everyone group includes anyone. In
practice, remove the Everyone group from any permission lists, and replace it with the Authenticated
Users group.
Be aware that if you use a different firewall than the one that Windows 10 includes, it can interfere
with the network discovery and file sharing features.
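The share and NTFS guidance in the preceding points, as an added Windows PowerShell example that is not part of the course: a single broad share permission (Authenticated Users rather than Everyone), inheritance disabled with the inherited entries converted to explicit ones, any Everyone entry removed, and access then controlled with NTFS permissions. The folder path, share name and group names are assumed values.

```powershell
# Added example: create a share whose access is governed by NTFS permissions.
# Path, share name and group names are assumed for illustration.
$path      = 'C:\Shares\Projects'
$shareName = 'Projects'
$readers   = 'Adatum\Domain Users'    # assumed group with read access
$editors   = 'Adatum\Managers'        # assumed group with modify access

New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share permission: one broad entry; the real access control lives in NTFS.
# Authenticated Users is used instead of Everyone so that an enabled Guest
# account cannot reach the share at all.
if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $path -FullAccess 'Authenticated Users'
}

# NTFS: stop inheriting, but keep the inherited entries as explicit copies
# (SetAccessRuleProtection($true, $true)) so nothing is dropped by accident.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)

# Remove any explicit Everyone entry that was copied down from the parent.
$acl.Access |
    Where-Object { $_.IdentityReference.Value -eq 'Everyone' } |
    ForEach-Object { $null = $acl.RemoveAccessRule($_) }

# Grant the least privilege each group needs, inherited by files and subfolders.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $readers, 'ReadAndExecute', $inherit, $prop, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $editors, 'Modify', $inherit, $prop, 'Allow')))
Set-Acl -Path $path -AclObject $acl

# Verify the result: share ACL, then the explicit NTFS entries.
Get-SmbShareAccess -Name $shareName
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType
```

Because the share permission is broad and the NTFS permissions are explicit, a mistake in one layer is still caught by the other; the verification step at the end is worth keeping in any script that changes ACLs, so that the resulting entries are reviewed rather than assumed.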
Review Questions
Question: On which objects can you set file-level permissions?
Question: Robin recently created a spreadsheet and assigned it file permissions that
restricted file access only to her. Following the system reorganization, the file moved to a
folder on a different NTFS volume, and Robin discovered that other users were able to open
the spreadsheet. What is the probable cause of this situation?
Question: Can you access Work Folders content on a computer without network
connectivity?
Module 7
Managing Apps in Windows 10
Contents:
Module Overview 7-1
Module Overview
Users require apps for every task that they perform on their computers, such as editing documents,
querying databases, and generating reports. As part of administering the Windows 10 operating system,
you need a strategy for deploying and managing the apps that your organization's users will run on their
new Windows 10 computers and devices. Based on your organization's specific needs, you can choose
from a variety of methods to deploy and manage apps, ranging from manual deployment methods to
management that you partially or fully automate.
Objectives
After completing this module, you will be able to:
Describe Windows 10 options for app deployment.
Lesson 1
Overview of Providing Apps to Users
In your organization, you may face scenarios in which certain app-deployment methods are better for
your organization than other methods. In this lesson, you will learn about traditional app-deployment
methods, as well as methods that you can use to help to automate app deployment.
Lesson Objectives
After completing this lesson, you will be able to:
Desktop apps
Desktop apps are traditional apps, such as
Microsoft Office 2013. Most users and network
administrators are familiar with desktop apps.
An administrator can install desktop apps on
Windows 10 computers locally by using one of three methods: with a product DVD that contains a
desktop app, over the network, or by downloading an app from a vendor's website. As an administrator,
when you install Windows desktop apps, you can:
Replace apps by using distributed app installation and execution methods in larger environments.
Are designed for touch. With Windows 8.1, you can run two Windows Store apps side by side, each
using half the screen. In Windows 10, you can run Windows Store apps in windows that you can resize
in the same way as desktop apps.
RemoteApp apps
Windows Server 2012 R2 RemoteApp apps display locally but run remotely. From a user's perspective, a
RemoteApp app appears to be the same as any other app that runs on a computer. Consider deploying
RemoteApp in situations where an app does not run on a client computer.
Some scenarios in which you can use RemoteApp to deploy an app include when users of:
Windows RT 8.1 computers need to access an app that only runs on the x64 version of Windows 10.
Computers that run the x86 version of Windows 10 need to access an application that is available
only in an x64 version.
Computers that have 4 gigabytes (GB) of random access memory (RAM) need to run an application
that requires 8 GB of RAM.
In each of the preceding scenarios, you can provide the app by using RemoteApp. The app displays
locally, but runs on a platform that has appropriate hardware resources to support the app.
The installation process for a desktop app begins, and the app installs. By default, all users run as standard
users. Windows 10 prompts you to elevate to full administrator privileges through User Account Control
(UAC) to install the app.
Note: Apps that you install across a network can install automatically without your
intervention, depending on the app package's configuration.
A Windows Installer package in the .msi format includes the information that is necessary to add, remove,
and repair an app. You can install an app installer in the .msi format locally, or you can deploy it through
an automatic app-deployment solution, such as Group Policy or System Center Configuration Manager.
Because of the way that Windows Installer packages manage changes to an operating system, apps that
you deploy from these packages are more likely to uninstall cleanly than those that you deploy by using
apps installers in executable files. This is important from an app-management perspective, because the
ability to remove an app cleanly, without leaving any trace of it on a device, is as important as installing it
correctly in the first place.
If an app is packaged as an .msi file, and is accessible from the target device, you can run Msiexec.exe
from an elevated command prompt to install a desktop app. For example, to install an app from a shared
folder, type the following command at a command prompt, and then press Enter:
Msiexec.exe /i \\lon-dc1\apps\app1.msi
Administrators also can use Windows Installer to update and repair installed desktop apps.
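The Msiexec.exe command above, wrapped in a Windows PowerShell script as an added example that is not part of the course. It checks the package's Authenticode signature before running the installer elevated, installs unattended with a verbose log, and interprets the exit code; the repair and uninstall forms mentioned above are shown at the end. The share path is the one from the text; the log path, the expected publisher subject and the product code are placeholders.

```powershell
# Added example: verify, install, and interpret the result of an .msi install.
# The publisher subject and product code are placeholders, not real values.
$msi = '\\lon-dc1\apps\app1.msi'
$log = Join-Path $env:TEMP 'app1-install.log'
$expectedPublisher = 'CN=Contoso Software, O=Contoso, C=US'   # placeholder subject

# Supply-chain check: an installer that runs elevated should carry a valid
# signature from the signer you expect, not merely come from a reachable share.
$sig = Get-AuthenticodeSignature -FilePath $msi
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status is $($sig.Status) ($($sig.StatusMessage))"
}
if ($sig.SignerCertificate.Subject -ne $expectedPublisher) {
    throw "Refusing to install: unexpected signer $($sig.SignerCertificate.Subject)"
}

# /i install, /qn no user interface, /norestart suppress automatic reboot,
# /l*v verbose log. -Wait -PassThru lets us read the exit code.
$proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
    -ArgumentList @('/i', "`"$msi`"", '/qn', '/norestart', '/l*v', "`"$log`"")

switch ($proc.ExitCode) {
    0       { 'Installed.' }
    3010    { 'Installed; a restart is required to finish.' }      # ERROR_SUCCESS_REBOOT_REQUIRED
    1603    { throw "Fatal error during installation; see $log" }  # ERROR_INSTALL_FAILURE
    default { throw "msiexec returned $($proc.ExitCode); see $log" }
}

# Repair (/f, here /fa to reinstall all files) and uninstall (/x) follow the
# same pattern and can reference the registered product code instead of the file:
# Start-Process msiexec.exe -Wait -ArgumentList '/fa', '{PRODUCT-CODE-GUID}', '/qn'
# Start-Process msiexec.exe -Wait -ArgumentList '/x',  '{PRODUCT-CODE-GUID}', '/qn'
```

The verbose log is the first place to look when an unattended install returns anything other than 0 or 3010; keeping the log path in the error message saves the next person a search.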
Group Policy software deployment has the following requirements and properties:
The target computers must belong to an AD DS domain.
You must package the software in the Windows Installer .msi file format.
Assign. You can assign apps to users or computers. When you assign an app to a user, the app installs
when the user signs in. When you assign an app to a computer, the app installs when the computer
starts.
Publish. You can publish apps to users. Doing so makes an app available through the Programs and
Features item in Control Panel. You cannot publish apps to computers.
1. Deploy MDT on a computer that will function as the management computer, create a deployment
share on this computer, and then import the image files that you will use.
2. Create a task sequence and a boot image for the computer that will function as the reference
computer.
3. Start the reference computer by using the medium that contains MDT. The task sequence files, task
sequence, and boot image transfer to the reference computer.
4. Use the Windows Deployment Wizard to deploy the operating system and required apps. After
deployment, capture the reference computer as an image.
6. Create a new boot image and task sequence for deployment to the target computers.
7. Start the deployment target computers by using the medium that contains MDT. The task sequence
files, task sequence, and boot image transfer to the reference computer.
Collections. Configuration Manager enables you to create collections that consist of manually created
groups of users or computers, or collections based on the results of queries of user or computer
properties. You then can target app deployment to these collections. For example, you can create a
collection that includes only the computers that are located at a specific site with a certain deployed
app and a specific piece of installed hardware.
Multiple deployment types. Configuration Manager enables you to use multiple deployment
types. With this feature, you can configure a single app deployment but make it possible for
that deployment to occur in different ways, depending on the conditions that apply to the target
computer or user. For example, you can configure an app to install locally if a user is logged on
to his or her primary device, but to stream as an App-V app if the user is logged on to another device.
Note: App-V, which is part of the Microsoft Desktop Optimization Pack, is a Microsoft
solution that allows users to run virtualized applications on their computers without having to
install or configure them locally.
Deployment types also enable you to configure the deployment of the x86 version of an app if the
target computer has a 32-bit processor, or to configure the deployment of the x64 version if the
target computer has a 64-bit processor.
Reporting. This feature enables you to determine how successful an app deployment was after its
completion. Configuration Manager also enables you to simulate app deployments before
performing them, enabling you to determine if any factors that you have not considered might
block a successful app deployment.
Wake on LAN (WOL). Instead of interrupting a user with an app installation that might require a
restart, which could disrupt his or her current productivity, WOL functionality allows you to schedule
app deployment to occur after normal business hours. Typically, users are done working during this
time, and compatible computers are in a low-power state.
Software inventory, software metering, and Asset Intelligence. A software inventory provides you with
a list of which apps are installed on your organization's computers. You can use software metering to
monitor how often particular apps are used. You can use the Asset Intelligence feature to check
software-licensing compliance. This helps you ensure that the number of apps deployed in your
organization equals the number of software licenses that you have available.
Note: If users have local Administrator rights, they can perform this operation themselves
by downloading Microsoft Intune client software from their organization's Microsoft Intune site.
If users do not have Administrator rights, they can install a Microsoft Intune client by using
Windows Remote Assistance or by bringing their computers to a branch office location.
Use Microsoft Intune to manage Windows computers, irrespective of whether they are members of an
AD DS domain.
Use Microsoft Intune to deploy apps to Microsoft Intune clients, in both the .exe and .msi file formats.
Note: You must upload apps to Microsoft Intune before you can deploy them.
Use reporting features of Microsoft Intune. This provides reporting on the success and failure of
targeted app deployment, and it means that you can determine how many clients out of the target
group successfully installed the deployed app.
Remove apps that previously were deployed to client computers.
Integrate Microsoft Intune with Configuration Manager. You then can manage devices that are
hosted in both platforms from a single console.
Desktop apps are installed with either .exe or .appx installer files.
RemoteApp apps allow users of Windows RT computers to run apps that are
designed for 64-bit versions of Windows 10.
Lesson 2
The Windows Store
Windows 10 supports Windows Store apps, which were introduced with Windows 8 and Windows RT.
Windows Store apps are small, light, and easily accessible. It is important that you know how to manage
user access to the Windows Store, which will enable you to control the installation and use of these apps.
Lesson Objectives
After completing this lesson, you will be able to:
These apps can communicate with one another and with Windows 10 so that it is easier to search for and
share information, such as photographs. After an app installs, users can see tiles on Start. Some of those
tiles continuously update with live information from installed apps.
Note: Windows 10 enables you to determine the installation location of apps. In Windows
8.1, Windows Store apps installed on the C drive. In Windows 10, you can move apps after you
install them. To do this, perform the following procedure: open Settings, and then select System.
Then tap Apps & features. A list of your apps should appear. Tap each app that you want to
move, and then tap Move. This feature is useful especially on smaller tablet and phone devices
that are running Windows 10, because free storage space can be limited on the system drive.
However, users can add storage by using micro secure digital (SD) cards.
Note: You can synchronize Windows Store apps between your Windows 8.1 devices.
However, in Windows 10, you must manually install your apps on each device.
Note: Windows also displays a counter on the menu bar of the Windows Store app. This
counter displays how many apps you can update.
However, you can control this behavior and manually select which apps you wish to update.
To control app update behavior, perform the following procedure:
2. Next to the Search box at the top of the display, tap the account symbol, and then tap Settings.
2. Next to the Search box at the top of the display, tap the account symbol, and then tap
Downloads.
3. All apps with updates pending are displayed. You can tap Update all. Alternatively, you can select
which apps to update manually.
Note: You also can access a list of all your apps from the Settings menu. Tap My Library,
and a list of your apps is displayed. These apps may not be installed on your device currently, but
you may have installed them previously on one of the devices associated with your Microsoft
account.
What Is Sideloading?
If your organization has developed custom
Windows Store apps, you can use sideloading
to install these apps. When sideloading a
Windows Store app, you use an .appx installer
file. You can use Dism.exe or the Windows
PowerShell command-line interface to sideload
and manage Windows Store apps.
To prevent malware from deploying through the sideloading process, Windows 10 only allows installation
of apps that the developer has signed by using a trusted root certificate. If your organization creates a line
of business (LOB) app, it must be signed by using the organizational trusted root certificate.
Note: You can use a self-signed certificate to sideload an app, but this is not a best practice
in a production environment.
Note: In Windows 8.1, it is necessary to either edit the device's registry or use GPOs to
configure this behavior by enabling the Allow all trusted apps to install option in the App
Package Deployment node.
If the app is signed with a trusted certificate, proceed to installing the app. However, if the app is signed
by a certificate that your device does not trust, you must install the certificate into the computer's Trusted
Root Certification Authorities node. To do this, perform the following procedure:
2. Locate the certificate that came with the app. Tap and hold the certificate, and then tap Install
Certificate.
3. On the Certificate Import Wizard page, tap Local Machine, and then tap Next.
4. On the Certificate Store page, tap Place all certificates in the following store, tap Browse, tap
Trusted Root Certification Authorities, tap OK, tap Next, and then tap Finish.
5. In the Certificate Import Wizard dialog box, confirm that the import was successful, and then
tap OK.
You now can install the app by performing the following procedure:
2. Run Add-AppxPackage PATH\APP.appx, replacing PATH with the full path to the app and
APP.appx with your app's file name.
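The whole sideloading procedure (enable sideloading, trust the publisher certificate, install the package) as a single Windows PowerShell script. This is an added example, not code from the course: the package and certificate paths and the expected thumbprint are assumed values, and the AppModelUnlock registry value it sets is the registry equivalent of the Allow all trusted apps to install setting mentioned in the note above.

```powershell
# Added example: enable sideloading, trust the LOB publisher certificate only
# after pinning its thumbprint, then install the package with Add-AppxPackage.
# Paths and the thumbprint are assumed placeholder values.
$appx = 'C:\LOB\TestApp.appx'                    # assumed package path
$cer  = 'C:\LOB\TestApp.cer'                     # assumed publisher certificate
$expectedThumbprint = 'PLACEHOLDER-THUMBPRINT'   # obtained out of band from the developer

# 1. Enable sideloading. In a domain, the Group Policy setting in the
#    App Package Deployment node takes precedence over this local value.
$unlock = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
New-Item -Path $unlock -Force | Out-Null
Set-ItemProperty -Path $unlock -Name AllowAllTrustedApps -Value 1 -Type DWord

# 2. Check the package signature. If the chain does not end in a root the
#    device trusts, the status is not Valid and the certificate must be imported.
$sig = Get-AuthenticodeSignature -FilePath $appx
if ($sig.Status -ne 'Valid') {
    $pub = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cer)
    # Pin what you import: a root in the Local Machine store is trusted for
    # every signature check on the device, not just this app.
    if ($pub.Thumbprint -ne $expectedThumbprint) {
        throw "Certificate thumbprint $($pub.Thumbprint) does not match the expected value"
    }
    Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    $sig = Get-AuthenticodeSignature -FilePath $appx
}
if ($sig.Status -ne 'Valid') {
    throw "Package signature is still not valid: $($sig.StatusMessage)"
}

# 3. Install for the current user and confirm the package is registered.
Add-AppxPackage -Path $appx
Get-AppxPackage -Name 'TestApp*' |
    Select-Object Name, Version, Publisher, SignatureKind, IsDevelopmentMode

# To remove the app later:
# Get-AppxPackage -Name 'TestApp*' | Remove-AppxPackage
```

Steps 1 and 2 need an elevated session because they write to HKLM and the Local Machine certificate store; step 3 runs as the user who will use the app. The thumbprint check is what keeps the import from silently trusting whatever certificate happens to ship alongside the package.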
Enable sideloading.
Install a certificate.
Sideload an app.
Demonstration Steps
Enable sideloading
1. Sign in to LON-CL1 as Adatum\Chad with the password Pa$$w0rd.
2. Open Settings, and then navigate to Update & Security/For developers.
2. Install the certificate into the Local Machine Trusted Root Certification Authorities certificate
store.
3. On the Start screen, from All apps, click TestAppTKL1. Verify that the app runs.
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
To install Windows Store apps by using sideloading, you must first configure
GPOs to enable the Windows 10 sideloading feature.
Your users require access to apps available in the Windows Store, so you decide to offer a trial of the
installation and update process for apps in the Store.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 40 minutes
Virtual machines: 20697-1B-LON-DC1 and 20697-1B-LON-CL1
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
1. Enable sideloading.
4. Remove an app.
3. Install the certificate into the Local Machine Trusted Root Certification Authorities certificate
store.
4. Confirm that the import was successful.
Results: After completing this exercise, you will have successfully sideloaded an app.
2. Open Settings, open Accounts, and then click Sign in with a Microsoft account instead.
Note: In Module 3, you created a Microsoft account with the following properties:
Results: After completing this exercise, you will have signed in successfully with a Microsoft account.
2. Install an app.
Results: After completing this exercise, you will have installed and maintained Windows Store apps
successfully.
Lesson 3
Web Browsers
Microsoft provides two web browsers in Windows 10: the new Microsoft Edge browser, and Internet
Explorer 11. The Microsoft Edge browser provides a consistent browsing interface across devices,
including Windows Phones, tablets, and laptops. Internet Explorer provides backwards compatibility
with websites that require some features that Microsoft Edge does not support. This lesson explores the
features of both web browsers.
Lesson Objectives
After completing this lesson, you will be able to:
Internet Explorer 11
Windows 10 includes Internet Explorer to
ensure that any legacy or LOB apps that your
organization uses can continue to function.
Internet Explorer includes a number of security
and compatibility features that enable users to
browse with safety and confidence. This in turn
helps maintain customer trust in the Internet and
the apps based on Internet technologies.
Additionally, it helps protect your IT environment
from the evolving threats that the web presents.
InPrivate Browsing
InPrivate Filtering
ActiveX controls, which help prevent a browser from becoming an attack agent. You can use the
following features for more detailed control over the installation of ActiveX controls:
o Per-site ActiveX features
Note: Some users might attempt to use InPrivate Browsing to conceal their tracks when
browsing prohibited websites or websites that do not pertain to work. However, you can use Group Policy
to configure how your organization uses InPrivate Browsing, to provide you with full
manageability control on users' work devices.
Every piece of content that a browser requests from a website discloses information to that site,
sometimes even if a user blocks all cookies. Often, users are not fully aware that their web-browsing
activities are tracked by websites other than those they have consciously chosen to visit.
Tracking Protection monitors the frequency of all third-party content as it appears across all websites
that a user visits. You can configure a frequency level (alert threshold), which by default is set to 10. The
Tracking Protection feature blocks third-party content that appears with high incidence once it reaches the
frequency level. Tracking Protection does not discriminate between different types of third-party content.
It blocks content only when it appears more often than the predetermined frequency level.
Note: Tracking Protection Lists can help increase your browsing privacy. When you install
a Tracking Protection List, you will prevent the websites specified in the list from sending your
browsing history to other content providers. Microsoft maintains a website that contains Tracking
Protection Lists that you can install.
You can configure Delete Browsing history options by using Group Policy. You also can configure which
sites the Preserve Favorites feature includes automatically in a user's Favorites list. This allows you to
create policies that help ensure security, without affecting users' daily interactions with their preferred and
favorite websites. The Delete browsing history on exit check box in Internet options allows you to delete
your browsing history automatically when Internet Explorer 11 closes.
o Windows SmartScreen, which is a client feature. You can configure these settings from within
Control Panel.
o SmartScreen Filter, which is the spam-filtering solution that is built into Microsoft email solutions.
The SmartScreen Filter component of Internet Explorer 11 relies on a web service that is backed by
a Microsoft-hosted URL reputation database. The SmartScreen Filter's reputation-based analysis
works with other signature-based antimalware technologies, such as Windows Defender, to provide
comprehensive protection against malware. When you enable the SmartScreen Filter, Internet
Explorer 11 performs a detailed examination of an entire URL string, and then compares it to a
database of sites known to distribute malware. The SmartScreen Filter then checks the website that
a user is visiting against a dynamic list of reported phishing and malware sites. If the SmartScreen
Filter determines that the website is unsafe, it blocks the site, and notifies the user.
Controls and management features to mitigate ActiveX. Improvement to controls and management
features allow you to increase security and trust by controlling how and where an ActiveX control
loads and which users can load them. ActiveX controls are relatively straightforward to create and
deploy, and they provide extra functionality beyond regular webpages. Organizations cannot control
the inclusion of ActiveX controls or how they are written. Therefore, organizations need a browser
that provides flexibility in dealing with ActiveX controls, so that they are usable, highly secure, and
pose as small a threat as possible. The improved ActiveX controls include:
o Per-user ActiveX. By default, Internet Explorer 11 employs ActiveX Opt-In, which disables most
controls on a user's computer. Per-user ActiveX makes it possible for standard users to install
ActiveX controls in their own user profile without requiring administrative permissions. This helps
organizations realize the full benefit of UAC, and allow standard users the ability to install ActiveX
controls that are necessary in their daily browsing.
In most situations, if a user installs a malicious ActiveX control, the overall system remains
unaffected because the control is installed under the user's account only. Therefore, because
installations are restricted to a user profile, you are lowering the cost and risk of a compromise
significantly.
When a webpage attempts to install a control, an information bar displays to the user, who then
can install the control system-wide or only for his or her user account. The options in the ActiveX
menu vary depending on a user's rights, which you manage by using Group Policy settings, and
whether the control allows per-user installation. You can disable this feature in Group Policy.
o Per-site ActiveX. When a user navigates to a website that contains an ActiveX control, Internet
Explorer 11 performs a number of checks, including a determination of where a control has
permission to run. If a control is installed, but does not have permission to run on a specific site,
an information bar appears that asks the user's permission to run on the current website or on all
websites. Administrators can use Group Policy to preset Internet Explorer configurations with
allowed ActiveX controls and their related trusted domains.
Cross-Site Scripting Filter. The Cross-Site Scripting Filter helps block cross-site scripting attacks, one of
the most common website vulnerabilities today.
Most sites include a combination of content from local site servers and content obtained from other
sites or partner organizations. Cross-site scripting attacks exploit vulnerabilities in web applications,
and attackers then can control the relationship between a user and a website or web application that
they trust. Malicious users who utilize cross-site scripting can enable attacks, including the following:
o Stealing cookies, including session cookies, which can lead to account hijacking.
o Monitoring keystrokes.
Internet Explorer 11 includes a filter that helps protect against cross-site scripting attacks. The Cross-
Site Scripting Filter has visibility into all requests and responses that flow through a browser. When
the filter discovers suspected cross-site scripting in a request, it identifies and neutralizes the attack if
it replays in the server's response. The Cross-Site Scripting Filter helps protect users from website
vulnerabilities. It does not ask difficult questions that users are unable to answer, nor does it harm
functionality on a website.
Data Execution Prevention (DEP). DEP is enabled by default to help prevent system attacks in which
malware exploits memory-related vulnerabilities to execute code. Internet Explorer 7 introduced the
DEP/NX option in Control Panel to provide memory protection that helps mitigate online attacks.
DEP, or no-execute (NX), helps thwart attacks by preventing code that is marked as non-executable
from running in memory, such as a virus disguised as a picture or video. DEP/NX also makes it harder
for attackers to exploit certain types of memory-related vulnerabilities, such as buffer overruns.
DEP/NX protection applies to both Internet Explorer and its add-ons. No additional user interaction
is required to activate this protection. Unlike Internet Explorer 7, Internet Explorer 11 enables this
feature by default.
Enhanced Protected Mode. You can reduce the amount of permissions that a browser has to modify
system settings or to write to a computer's hard disk by using Enhanced Protected Mode, which is
turned on by default in Internet Explorer 11.
Managing Add-Ons
Most websites will display normally when you
use Internet Explorer without any add-ons or
modifications. Internet Explorer 11, which
Windows 10 includes by default, provides an
experience that is free from add-ons. Add-ons
that enhance the browsing experience by
providing multimedia content also are referred
to as:
ActiveX controls
Plug-ins
Browser extensions
Toolbars
Explorer bars
Search providers
Accelerators
Microsoft Silverlight
Apple QuickTime
Java applets
Two popular multimedia extensions, HTML5 and Adobe Flash, are supported out of the box as a platform
feature of Internet Explorer. In previous Internet Explorer versions, some multimedia add-ons could cause
security concerns, which Internet Explorer 11 addresses with the Automatic Updates feature, which
provides updates to help remediate problems quickly when they are identified.
Sometimes an add-on, such as a pop-up advertisement, can annoy users or create problems that affect
browser performance. A user can disable an individual add-on or all add-ons within Internet Explorer 11
by using the Manage Add-ons dialog box. To do this, a user would perform the following steps:
4. Find the name of the add-on that you want to modify in the reading pane. To disable an add-on, tap
or click it, and then click Disable. To enable an add-on, tap or click it, and then click Enable.
5. Close the Manage Add-ons dialog box.
Compatibility View
None of the improvements in Internet Explorer 11
matter if websites look bad or work poorly.
Internet Explorer 11 includes features that comply
with web standards and that allow websites to
display better and operate more predictably.
Each new version of Internet Explorer must try
to maintain compatibility with existing websites.
Internet Explorer 11 includes multiple layout
engines, which provides web developers with the
ability to determine whether Internet Explorer 11
needs to support legacy behaviors or strict
standards, by allowing them to specify which
layout engine to use on a page-by-page basis.
Internet Explorer 11 provides an automatic Compatibility View feature that invokes an older Internet
Explorer engine to display webpages whenever it detects a legacy website. This helps improve
compatibility with applications written for older Internet Explorer versions. If you do not see the
Compatibility View button appear in the Address bar, there is no need to turn on Compatibility View
because Internet Explorer 11 will have detected that the webpage has loaded correctly.
Note: By default, intranet sites and apps continue to run in Internet Explorer 11, which
supports the Compatibility View feature.
The Compatibility View feature in Internet Explorer 11 helps display a webpage as the web developer
intended. This view provides a straightforward way to fix display problems, such as out-of-place menus,
images, and text. The main benefits of the Compatibility View feature include:
Internet websites display in Internet Explorer 11 standards mode by default. You can use the
Compatibility View button to fix sites that render differently than expected.
Internet Explorer 11 remembers sites that have been set to Compatibility View so that a user only
needs to press the button once for a site. After that, the site always renders in Compatibility View
unless users remove it from the list.
Intranet websites display in Compatibility View by default. This means that internal websites that were
created for older Internet Explorer versions will work correctly.
You can use Group Policy to set a list of websites to render in Compatibility View.
Switching in and out of Compatibility View occurs without requiring that a user restart the browser.
The Compatibility View button displays only if it is not stated clearly how the website is to render. In
other cases, the button is hidden. These cases include viewing intranet sites or viewing sites with a
<META> tag or an HTTP header that indicates Internet Explorer 7, Internet Explorer 8, Internet Explorer 9,
or Internet Explorer 10 standards.
When you activate Compatibility View, the page refreshes, and a balloon tip in the taskbar notification
area indicates that the site is now running in Compatibility View.
Enterprise Mode
Enterprise Mode is a compatibility mode in Internet Explorer 11 that supports legacy apps that require
Internet Explorer 8 features, and it includes:
Improved web app and website compatibility. Enterprise Mode allows legacy web apps to run
unmodified on Internet Explorer 11.
Tool-based management for website lists. You can use the Enterprise Mode Site List Manager tool to
add website domains and domain paths, and to specify whether a site renders by using Enterprise
Mode.
Note: You can download the Enterprise Mode Site List Manager tool from the Internet
Explorer Download Center.
Centralized control. You can specify the websites or web apps that use Enterprise Mode by using an
XML file on a website or that is stored locally.
You can configure the domains and paths within those domains to receive different treatment, which
provides you with granular control.
Note: You can use GPOs to configure Internet Explorer to allow users to turn Enterprise
Mode on or off from the Tools menu.
Integrated browsing. When you enable and configure Enterprise Mode, users can browse the web
normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
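The following Windows PowerShell example is added here and is not part of the course or of the Enterprise Mode Site List Manager tool. It writes a version 1 Enterprise Mode site list in which one domain is treated differently from a path within it, checks that the file is well-formed XML, and sets the registry values that the corresponding Group Policy settings write; the domain names, paths and file location are constructed for the example.

```powershell
# Added example (not from the course): build an Enterprise Mode site list and point
# Internet Explorer 11 at it. Domain names, paths and the file path are constructed.
$SiteListPath = 'C:\EnterpriseMode\sitelist.xml'
New-Item -ItemType Directory -Path (Split-Path $SiteListPath) -Force | Out-Null

# <emie> entries render in Enterprise Mode (Internet Explorer 8 emulation). A <path>
# with exclude="true" opts that path back out of Enterprise Mode, so a domain and
# the paths within it receive different treatment. <docMode> entries instead force
# a specific document mode for a site.
$siteList = @'
<rules version="1">
  <emie>
    <domain exclude="false">intranet.adatum.example</domain>
    <domain exclude="false">erp.adatum.example
      <path exclude="true">/modern</path>
    </domain>
  </emie>
  <docMode>
    <domain docMode="9">reports.adatum.example</domain>
  </docMode>
</rules>
'@
Set-Content -Path $SiteListPath -Value $siteList -Encoding UTF8

# Validate before deploying: a malformed list is silently ignored by the browser.
[xml]$parsed = Get-Content -Path $SiteListPath -Raw
$domains = $parsed.SelectNodes('//emie/domain')
"{0} domain(s) will render in Enterprise Mode:" -f $domains.Count
$domains | ForEach-Object { '  ' + $_.FirstChild.Value.Trim() }

# The Group Policy setting "Use the Enterprise Mode IE website list" writes SiteList
# (a local path or URL) under this key; "Let users turn on and use Enterprise Mode
# from the Tools menu" writes Enable. Setting them directly has the same effect on a
# single computer; in a domain, use a GPO instead.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'
New-Item -Path $pol -Force | Out-Null
Set-ItemProperty -Path $pol -Name SiteList -Value $SiteListPath
Set-ItemProperty -Path $pol -Name Enable -Value ''   # empty string: users may toggle the mode
```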
Demonstration Steps
Configure Compatibility View
1. Sign in to LON-CL1 as ADATUM\April with the password Pa$$w0rd.
2. Open Internet Explorer.
3. Verify that the browsing history has not retained the website's address.
Download a file
1. Navigate to http://LON-DC1, and then click the Download Current Projects link.
o Reading list
o Browser history
o Downloads
Web notes, which you can enable for webpages that you visit. In tablet mode, you can use tools to
take notes, write, draw, and highlight webpage elements. You then can store these notes in OneDrive
or locally in your Favorites.
Open a New InPrivate window. This provides the same privacy benefits of InPrivate browsing in
Internet Explorer 11.
Zoom. This allows you to zoom in or out.
Find on page. This is a box in which you can enter text to search for on the open webpage.
Open with Internet Explorer. This opens the current webpage in Internet Explorer. Some websites use
ActiveX controls or other features that require Internet Explorer to render them.
o Choose a theme. This allows you to choose between light and dark themes. Sometimes, the dark
display is better suited for ambient lighting conditions, such as when reading webpages in poor
light.
o Show the favorites bar. This allows you to expose a list of the sites on your favorites bar.
o Import favorites from another browser. This copies the favorites you have in another web
browser, such as Internet Explorer.
o Open with. This allows you to specify what you see when you open Microsoft Edge, such as a
specific webpage or multiple tabbed webpages.
o Open new tabs with. This determines what you see. You can configure it to match the preceding
setting, or you can define another value.
o Clear browsing data. This allows you to delete browsing history. As with Internet Explorer, you
can define what you want to delete.
Open a webpage.
Load a webpage that requires an ActiveX control.
Configure settings.
Download a file.
Make a web note.
Demonstration Steps
Open a webpage
1. On LON-CL1, open Microsoft Edge, and then navigate to http://lon-dc1.
2. Use the Open with Internet Explorer option. The same webpage displays, but with the data
extracted from the comma-separated value (CSV) file and displayed in the appropriate columns.
Configure settings
1. Open Settings.
2. Configure Reading view style to Dark.
4. Verify Help protect me from malicious sites and downloads with SmartScreen Filter is enabled.
Download a file
1. In Microsoft Edge, on the A Datum Intranet tab, click Download Current Projects.
2. In Microsoft Edge, on the A Datum Intranet tab, on the menu bar, click Make a Web Note.
3. Draw a square.
4. Highlight two of the hyperlinks on the webpage.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20697-1B-LON-DC1 and 20697-1B-LON-CL1
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
1. Open a webpage.
2. Configure settings.
3. Download a file.
o Clear about:Start
3. Open View advanced settings, and then configure the following settings:
4. Close Settings.
7. Open a new tab, and then verify that clicking the Home button displays the A. Datum Intranet site.
3. Draw a shape.
2. Open Current Projects. A new tab opens with columns displayed for Project and Project Lead. No
data displays.
3. Use the Open with Internet Explorer option. The same webpage displays, but with the data
extracted from the CSV file and displayed in the appropriate columns.
Results: After completing this exercise, you will have configured and used Microsoft Edge successfully in
Windows 10.
4. Verify that the website address has not been retained in the browsing history.
3. On the A Datum Intranet Home Page, open the link for Current Projects.
4. A new tab opens, but the data does not populate the table.
Results: After completing this exercise, you will have configured and used Internet Explorer 11
successfully.
Question: You are installing apps from the Windows Store on a tablet that has a small
internal hard disk. However, you have added a micro SD card with 64 GB of space. How can
you utilize this storage for your apps?
Question: You want to know which apps you have previously installed or purchased on your
Windows devices, regardless of whether they are installed on your current device. How can
you access this information in Windows 10?
Module 8
Managing Data Security
Contents:
Module Overview 8-1
Module Overview
Most organizations are concerned about the unauthorized release of data. Although they might act in an
ethical manner, these organizations still are responsible for working with data that needs to remain
private and kept away from malicious users. This data includes credit-card accounts, customers' personal
information, and medical records. This module details how the technologies in Windows 10 work together
to protect against data-related security threats.
Objectives
After completing this module, you will be able to:
Describe data-related security threats.
Lesson 1
Overview of Data-Related Security Threats
The information technology (IT) media frequently reports on the theft and public release of sensitive
organizational data. Security breaches of this kind receive significant attention. However, many
organizations find that a large share of the data-security issues they experience involve their own users.
These insiders are not deliberately attacking resources to gain access to confidential data. Rather, they
are able to access confidential data because it does not have adequate protection. In this lesson, you will
learn about defense-in-depth strategies for protecting data, common data-related security threats, and
potential mitigations for those threats.
Lesson Objectives
After completing this lesson, you will be able to:
A full-volume encryption solution, such as BitLocker, to protect all data on the volume.
A file-encryption level solution, such as EFS.
It is important to remember that you should implement defense in depth in conjunction with other
protection methods. Furthermore, the methods that you use to protect data should be commensurate
with the data's value. The steps that you take to protect an Excel worksheet that contains a grocery list
should be different from the steps to protect an Excel worksheet that contains salary information.
Discuss the possible ways in which data exposure can occur, such as:
Lost or stolen laptop computers and USB drives.
Discuss scenarios that have been in the media recently, in which private data became public, either
maliciously or inadvertently.
Threat: Lost or stolen laptop that is storing confidential information
Mitigation:
o Enforce BitLocker data protection on laptops

Threat: User inadvertently emailing protected content to an unintended recipient
Mitigations:
o Apply AD RMS or Azure Rights Management Services protection to files
o Configure password protection for files if the application provides support for this functionality
o Apply policies for data-loss prevention by using Microsoft Exchange or Exchange Online
Your coworker lost his USB drive, which contained confidential information about a
new project. Which security feature could have prevented unauthorized users from
accessing that data? (Choose all that apply)
Utilizing BitLocker To Go
Lesson 2
Securing Data with EFS
EFS allows you to encrypt files on Windows operating systems. However, IT professionals who want to
implement EFS should research it thoroughly before using it. For example, it is not possible to encrypt
files that have the System attribute. You need a comprehensive understanding of EFS to implement a
secure and recoverable EFS policy. If you implement EFS without implementing proper recovery operations
or without understanding how the feature works, you can expose your data unnecessarily or leave it in a
state from which you cannot recover it. This lesson provides a brief overview of EFS.
Lesson Objectives
After completing this lesson, you will be able to:
Describe EFS.
Describe how to encrypt and decrypt files and folders with EFS.
What Is EFS?
EFS is a built-in file encryption tool for Windows-based systems. EFS is a component of the NTFS file
system, and it uses advanced, standard cryptographic algorithms to allow transparent file encryption and
decryption. Through the Enterprise Data Protection functionality of Windows 10, EFS functionality is also
simulated on volumes that use the FAT32 file system. Any individual or app that does not have access to a
certificate store that holds an appropriate cryptographic key cannot read encrypted data. You can protect
encrypted files even from those who gain physical possession of a computer on which files are stored. Even
people who have the authorization to access a computer and its file system cannot view the encrypted data.
Encryption is a powerful addition to any defensive plan. However, you must use additional defensive
strategies, because encryption is not the correct countermeasure for every threat. Furthermore, every
defensive weapon has the potential to harm your data, if you use it incorrectly.
Users can make encrypted files accessible to other users' EFS certificates. If you grant access to another
user's EFS certificate, that user may make those files available to yet another user's EFS certificate.
Note: You can issue EFS certificates only to individual users. You cannot issue EFS
certificates to groups.
Backing up certificates
Certification authorities (CAs) can archive and recover CA-issued EFS certificates. Users must back up their
self-generated EFS certificates and private keys manually. To do this, they can export the certificate and
private key to a Personal Exchange File (.pfx), which is password-protected during the export process. This
password is required to import the certificate into a user's certificate store.
If you need to distribute only your public key, you can export the client EFS certificate without the private
key to Canonical Encoding Rules (.cer) files. A user's private key is stored in the user's profile in the RSA
folder, which you can access by expanding AppData, expanding Roaming, expanding Microsoft, and
then expanding Crypto. However, please note that because there is only one instance of the key, it is
vulnerable to hard-disk failure or data corruption.
The Microsoft Management Console (MMC) snap-in, Certificates, exports certificates and private keys. The
Personal Certificates store contains the EFS certificates.
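The following Windows PowerShell example is added here and is not part of the course. It carries out the operations this lesson describes from the command line: it marks a folder for EFS encryption (as in the SecretDon demonstration later in the lesson), lists the certificates that can decrypt a file, and backs up the user's self-generated EFS certificate to a password-protected .pfx and a public-key-only .cer file. The folder and backup paths are constructed for the example; it assumes an NTFS volume and runs as the user who owns the files.

```powershell
# Added example (not from the course): encrypt a folder with EFS, show who can decrypt
# a file, and back up the user's EFS certificate and private key.
# C:\SecretDon and the backup folder are constructed values for this example.
$Folder = 'C:\SecretDon'
$Backup = Join-Path $env:USERPROFILE 'Documents\efs-backup'
New-Item -ItemType Directory -Path $Folder, $Backup -Force | Out-Null

# 1. Mark the folder as encrypted so that new files placed in it are encrypted
#    automatically. cipher.exe is the built-in EFS tool: /e encrypts, /s recurses.
cipher.exe /e /s:$Folder | Out-Null
Set-Content -Path (Join-Path $Folder 'Secrets.txt') -Value 'constructed sample content'

# The Encrypted attribute confirms that EFS protects each file
Get-ChildItem -Path $Folder |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
    Select-Object Name, Attributes

# 2. Show the users and recovery agents whose certificates can decrypt the file.
cipher.exe /c (Join-Path $Folder 'Secrets.txt')

# 3. Find the EFS certificate in the user's Personal store. EFS certificates carry the
#    Encrypting File System enhanced key usage, OID 1.3.6.1.4.1.311.10.3.4.
$efsCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $efsCert) { throw 'No EFS certificate found; encrypting a file generates one.' }

# 4. Back up certificate AND private key to a .pfx. The password entered here is the one
#    required when the certificate is later imported for recovery.
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx file' -AsSecureString
Export-PfxCertificate -Cert $efsCert -FilePath (Join-Path $Backup "efs-$env:USERNAME.pfx") `
    -Password $pfxPassword | Out-Null

# 5. Export the public key only (.cer) so that other users can add you to their files.
Export-Certificate -Cert $efsCert -FilePath (Join-Path $Backup "efs-$env:USERNAME.cer") | Out-Null

# 6. Record which certificate was backed up; a self-generated key has a very long lifetime,
#    so the backup rarely needs repeating unless the user is rekeyed.
$efsCert | Select-Object Subject, Thumbprint, NotBefore, NotAfter
```

Keep the .pfx file off the computer that holds the encrypted data, for example on removable media in a safe place, because a single copy of the key on the local disk is lost together with the disk.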
Users who elect to share encrypted files must be aware of the following points:
Shared EFS files are not file shares. If authorized users need to access shared EFS files over a network,
you will need to provide them with a file share or web folder. Alternatively, users can use Remote
Desktop Services to establish remote sessions with computers that store encrypted files.
Any user who is authorized to decrypt a file can authorize other users to access the file. Granting
access is not limited to the file owner. Caution users to share files only with trusted accounts, because
those accounts can authorize other accounts. Removing the Write permission from a user or group of
users can prevent this problem, but it also prevents the user or group from modifying the file. EFS
sharing requires that the users who will have authorization to access the encrypted file have EFS
certificates. These certificates can be located in roaming profiles, in the user profiles on the computer
that is storing the file, or in AD DS.
If a user chooses to remotely access an encrypted file that is stored on a file share, and that user
authorizes other users to access the file, the authorization process and requirements are the same as
on the local computer. Additionally, EFS must impersonate the user to perform this operation, and all
the requirements for remote EFS operations on files stored on file shares apply.
If a user chooses to remotely access an encrypted file that is stored on a web folder, and that user
authorizes other users to access the file, the file transmits automatically to the local computer in
ciphertext. The authorization process takes place on the local computer, and it has the same
requirements as locally stored, encrypted files.
If a private key incurs damage or is lost, the file cannot be decrypted. If a recovery agent exists,
the file is recoverable. If you implement key archival, you can recover the key and decrypt the file.
Otherwise, the file might be lost. This encryption system is referred to as public key infrastructure
(PKI).
You can archive a user's certificate that contains his or her public and private keys. For example, you
can export it to a USB flash drive, and then keep the USB flash drive in a safe place for recovery if the
keys incur damage or are lost.
A user's password protects the public and private keys. Any user who can obtain the user ID and
password can sign in as that user and decrypt that user's files. Therefore, an organization's security
practices should include a strong password policy and user education to protect EFS-encrypted files.
EFS-encrypted files do not remain encrypted when crossing the network, such as when you work
with the files on a shared folder. The file is decrypted, and it then traverses the network in an
unencrypted state. EFS encrypts it locally if you save it to a folder on the local drive that is configured
for encryption. EFS-encrypted files can remain encrypted while traversing a network if you save them
to a web folder by using the World Wide Web Distributed Authoring and Versioning (WebDAV)
protocol.
Additionally, be aware of the following features when implementing EFS on Windows 10:
Support for storing private keys on smart cards. Windows 10 includes full support for storing users'
private keys on smart cards. If a user signs in to Windows 10 with a smart card, EFS also can use the
smart card for file encryption. Administrators can store their domain's recovery keys on a smart card.
Recovering files is then as simple as signing in to the affected machine, either locally or by using
Remote Desktop, and using the recovery smart card to access the files.
The Encrypting File System Rekeying Wizard. The Encrypting File System Rekeying Wizard allows users
to choose an EFS certificate, then select and migrate the existing files that will use the newly chosen
EFS certificate. Administrators can use the wizard to migrate users in existing installations from
software certificates to smart cards. The wizard also is helpful in recovery situations, because it is
more efficient than decrypting and reencrypting files.
Group Policy settings for EFS. You can use Group Policy to control and configure EFS protection
policies centrally for an entire enterprise. For example, Windows 10 allows page file encryption
through the local security policy or Group Policy.
Per-user encryption of Offline Files. You can use EFS to encrypt offline copies of files from remote
servers. When you enable this option, each file in the offline cache is encrypted with a public key from
the user who cached the file. Thus, only that user has access to the file, and even local administrators
cannot read the file without access to the user's private keys.
Selective Wipe. A feature of Windows 10 in a corporate environment is Selective Wipe. If a device
is lost or stolen, an administrator can revoke the EFS key that was used to protect the files on the
device. Revoking a key prevents all access to data files that are stored on a user's device.
Note: When users encrypt files in remote shared folders, their keys are stored on the
file server.
By generating them. If a CA is unavailable, Windows 10 will generate a key pair. These keys have a
lifespan of 100 years. This method is more difficult than using a CA because there is no centralized
management, and users become responsible for managing their own keys. Additionally, it is more
difficult to manage for recovery. However, it is still a popular method because it requires no setup.
Question: How would you protect files in transit across your organizational network?
Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Don, and then create the folder C:\SecretDon.
2. Edit the advanced properties of the SecretDon folder, and then enable the Encrypt contents to
secure data option.
3. Sign in to LON-CL1 as ADATUM\Adam, and then verify that the user is unable to access the contents
of the file c:\SecretDon\Secrets.txt.
Automatic certificate deployment. You can configure Group Policy and a certificate template to
deploy EFS certificates automatically to users by using certificate auto-enrollment. This means that
the first time that a user encrypts a file, certificates are present and do not have to be generated.
This also simplifies encrypting files for other users, because AD DS stores the public keys, which are
necessary to encrypt files, for other users.
Ability to issue, manage, secure, and revoke the certificate for the data recovery agent. Using a
CA simplifies the process of managing a data recovery agent that is separate from the default
administrator account.
Ability to restrict the process of data recovery by using Key Recovery Agents. Key Recovery Agents
allow recovery of private keys used to encrypt EFS-protected files on a per-user basis from a CA
database. Instead of a user being able to recover all EFS-protected files, configuring a Key Recovery
Agent will allow per-user recovery of EFS-protected content. Limiting the scope of recovery reduces
the chance that an unauthorized user can access protected content, such as a privileged user who is
asked to recover a peer's encrypted files, but instead attempts to examine their boss's encrypted files.
Categorize Activity
Categorize each item below.
Items
2 Authorized person can recover the EFS-encrypted data for all users
in the organization
3 Authorized person can recover the EFS-encrypted data only for that
specific user
Category 1 Category 2
Lesson 3
Implementing and Managing BitLocker
BitLocker is another defensive strategy that complements EFS. BitLocker protects against data theft or
exposure on computers that are lost or stolen, and it offers more secure data deletion when you
decommission computers. Data on a lost or stolen computer is vulnerable to unauthorized access, either
by a malicious user running a software-attack tool against it or by transferring the computer's hard disk
to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers
by combining two major data-protection procedures. It encrypts the entire Windows operating-system
volume on a hard disk, and it encrypts multiple fixed volumes.
Lesson Objectives
After completing this lesson, you will be able to:
What Is BitLocker?
BitLocker provides protection for an operating system and the data that an operating system volume
stores, in addition to other volumes on the computer. It helps ensure that data stored on a computer
remains encrypted, even if someone tampers with the computer when the operating system is not running.
BitLocker provides a closely integrated solution in Windows 10 to address the threats of data theft or
exposure from lost, stolen, or inappropriately decommissioned computers.
BitLocker performs two functions that provide offline data protection and system-integrity verification:
It encrypts all data that is stored on a Windows operating system volume and configured data
volumes. This includes the Windows operating system, hibernation and paging files, applications,
and application data. BitLocker also provides umbrella protection for non-Microsoft applications,
which benefits applications automatically when you install them on an encrypted volume.
It is configured, by default, to use a Trusted Platform Module (TPM) to help ensure the integrity of the
startup components that an operating system uses in the early stages of the startup process. BitLocker
locks any BitLocker-protected volumes, so they remain protected even if someone tampers with the
computer when the operating system is not running. A later section of this module describes how you
can enable BitLocker on devices without a TPM chip.
Providing a method to check that early boot-file integrity has been maintained, and to help
ensure that there has been no adverse modification of those files, such as by boot-sector viruses
or rootkits.
Enhancing protection to mitigate offline software-based attacks. Any alternative software that might
start the system does not have access to the decryption keys for a Windows operating system volume.
Locking the system when it detects tampering. If BitLocker determines that tampering has occurred
with any monitored files, the system does not start. This alerts a user to tampering because the system
fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery
process.
In conjunction with a TPM, BitLocker verifies the integrity of early startup components, which helps
prevent additional offline attacks, such as attempts to insert malicious code into those components. This
functionality is important because the components in the earliest part of the startup process must remain
unencrypted so that the computer can start.
Because those early startup components are unencrypted, an attacker could otherwise change their code
and then gain access to a computer even though the disk data is encrypted. Then, if the attacker gains
access to confidential information, such as the BitLocker keys or user passwords, the attacker can
circumvent BitLocker and other Windows security protections.
Protects the operating system from modification. Does not protect the operating
system from modification.
Device encryption
Device encryption is a built-in Windows 10 feature. By default, device encryption protects the operating
system drive and any fixed data drives on the system by using Advanced Encryption Standard (AES) 128-bit
encryption, which uses the same technology as BitLocker. You can use device encryption with a Microsoft
account or a domain account.
Device encryption is enabled automatically on all Windows 10 versions on new devices, so that the device
is always protected. Supported devices that you upgrade to Windows 10 with a clean installation also
have device encryption automatically enabled.
BitLocker To Go
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer
asset. As more people use removable storage devices, they can lose data without losing a computer.
BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker
support to removable storage devices, such as USB flash drives. You can manage BitLocker To Go by using
Group Policy, from Windows PowerShell, and by using the BitLocker Drive Encryption Control Panel app.
In Windows 10, users can encrypt their removable media by opening File Explorer, right-clicking the drive,
and clicking Turn On BitLocker. Users then can choose a method with which to unlock the drive,
including using a:
Password. This is a combination of letters, symbols, and numbers that a user will enter to unlock a
drive.
Smart card. In most cases, an organization issues a smart card, and a user enters a smart card PIN to
unlock a drive.
After choosing an unlock method, users must print or save their recovery key. You can store this 48-digit
key in AD DS, so that you can use it if other unlocking methods fail, such as when users forget their
passwords. Finally, users must confirm their unlocking selections to begin encryption. When you insert a
BitLocker-protected drive into your computer, the Windows operating system will detect the encrypted
drive and prompt you to unlock it.
BitLocker Requirements
In Windows 10, Windows 8.1, and Windows 7, BitLocker automatically prepares drives for use. As a result,
there is no need to create separate partitions before turning on BitLocker. This is an improvement over
BitLocker in Windows Vista, which required that users manually partition their hard drive.
Windows 10 automatically creates the system partition on a hard drive. In a default installation, a
computer will have a separate system partition and an operating-system drive. The system partition is
smaller in Windows 10, Windows 8.1, and Windows 7 than in Windows Vista, requiring only 100 megabytes
(MB) of space.
You can use BitLocker to encrypt operating-system drives, fixed data drives, and removable data drives
in Windows 10. When you use BitLocker with data drives, you can format the drive with the extended
file allocation table (exFAT), FAT, FAT32, or NTFS file system, but the drive must have at least 64 MB of
available disk space. When you use BitLocker with operating-system drives, you must format the drive
with the NTFS file system.
BitLocker stores its own encryption and decryption key in a hardware device that is separate from the
hard disk. Therefore, you must have one of the following:
A computer with TPM 1.2 or newer.
On computers that do not have TPM 1.2, you still can use BitLocker to encrypt the Windows operating
system volume. However, this implementation requires the user to insert a USB startup key to start the
computer or resume from hibernation, and it does not provide the prestartup system-integrity verification
that BitLocker provides when working with a TPM.
Additionally, BitLocker offers the option to lock the normal startup process until a user supplies a PIN or
inserts a removable USB device that contains a startup key. These additional security measures provide
multifactor authentication and assurance that a computer will not start or resume from hibernation until
a user enters the correct PIN or startup key.
Hardware requirements
To turn on BitLocker, a computer must:
Have the hard drive space necessary for Windows 10 to create two disk partitions: one for the
operating system volume and one for the system volume:
o Operating system volume. This partition includes the drive on which you install Windows.
BitLocker encrypts this drive.
o System volume. A second partition is created as needed when you enable BitLocker in Windows
10. This partition must remain unencrypted so that you can start the computer. This partition
must be at least 100 MB, and you must set it as the active partition.
Have a BIOS or Unified Extensible Firmware Interface (UEFI) environment that is compatible with TPM
or supports USB devices during computer startup. The BIOS must be:
o Compliant with Trusted Computing Group (TCG).
o Set to start first from the hard disk, not the USB or CD drives.
1. Open Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. In the lower left corner, click TPM Administration. The TPM Management on Local Computer
console opens. If the computer does not have a TPM 1.2 chip, the Compatible TPM cannot be
found message appears.
BitLocker Modes
BitLocker can run on two types of computers:
BitLocker supports TPM 1.2, but it does not support older TPMs. Version 1.2 TPMs provide increased
standardization, security enhancement, and improved functionality compared with previous versions.
On computers that have TPM 1.2, BitLocker uses the enhanced TPM security capabilities to help ensure
that your data is accessible only if the computer's startup components appear unaltered and the
encrypted disk is located in the original computer.
If you enable BitLocker on a Windows 10-based computer that has TPM 1.2 or newer, you can add the
following additional authentication factors to the TPM protection:
Configure BitLocker to lock the normal startup process until a user supplies a PIN or inserts a USB
device, such as a flash drive, that contains a BitLocker startup key.
These additional security measures provide multifactor authentication and help ensure that a computer
will not start or resume from hibernation until a user presents the correct authentication method.
As part of its verification process for system integrity, BitLocker examines and seals keys to the
measurements of the following:
If any of these items change unexpectedly, BitLocker locks the drive to prevent access or decryption.
MCT USE ONLY. STUDENT USE PROHIBITED
Installing and Configuring Windows 10 8-17
You can enable BitLocker on a computer without TPM 1.2 as long as the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock a protected volume until BitLocker's own volume master key is released by the computer's TPM or by a USB flash drive that contains the computer's BitLocker startup key. However, computers without TPMs will not be able to use the system-integrity verification that BitLocker provides.
If a startup key is located on a USB flash drive, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). You can check your BIOS by running the hardware test that is near the end of the BitLocker setup wizard.
To help determine whether a computer can read from a USB device during the boot process, use the
BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm
that the computer can read from USB devices properly at the appropriate time and that the computer
meets other BitLocker requirements.
To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker
user interface. When you enable the advanced options, the non-TPM settings appear in the BitLocker
setup wizard.
Question: What is a disadvantage of running BitLocker on a computer that does not have
TPM 1.2?
- Prevent BitLocker from activating if it is not possible to back up the keys to AD DS.
You also can use Group Policy to configure a domain-wide data recovery agent that will permit an
administrator to unlock any drive encrypted with BitLocker. Before you can use a data recovery agent,
you must add it from the Public Key Policies item in the Group Policy Management Console (GPMC) or
the Local Group Policy Editor MMC snap-in.
To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the
drives that you use with BitLocker. These policy settings are:
When you enable the policy setting, select the Enable data recovery agent check box. There is a policy
setting for each type of drive, so you can configure individual recovery policies for each type of drive on
which you enable BitLocker.
You also must enable and configure the Provide the unique identifiers for your organization policy
setting to associate a unique identifier with a new drive that BitLocker is protecting. BitLocker manages
and updates data recovery agents only when an identification field is present on a drive and is identical
to the value that is configured on the computer.
You can use these policy settings to enforce a standard BitLocker deployment in your organization.
Group Policy settings that affect BitLocker are located in Computer Configuration\Administrative
Templates\Windows Components\BitLocker Drive Encryption. Globally applied BitLocker Group Policy
settings are located in this folder. Subfolders for fixed data drives, operating system drives, and removable
drives support the configuration of policy settings specific to those drives.
Note: If you want to use BitLocker to protect an operating-system drive on a computer that
does not have a TPM, you must enable the Require additional authentication at startup policy
setting, and then within that setting, click Allow BitLocker without a compatible TPM.
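The readiness check described in the two passages above (a TPM-less computer needs the Require additional authentication at startup policy with Allow BitLocker without a compatible TPM selected), written as an added PowerShell example that is not part of the course material. It assumes the registry value names UseAdvancedStartup and EnableBDEWithNoTPM under the FVE policy key are the ones that policy writes, and it uses the built-in BitLocker and TrustedPlatformModule cmdlets.

```powershell
# Added example (not course material): report whether BitLocker can be enabled on the
# operating-system drive of this Windows 10 computer, with or without a TPM, and, if it
# can, encrypt it with a password protector plus a recovery password backed up to AD DS.

function Get-BitLockerOsDriveReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    # TPM state (TrustedPlatformModule module). TpmPresent is $false on TPM-less hardware.
    $tpm       = Get-Tpm
    $tpmUsable = [bool]$tpm.TpmPresent -and [bool]$tpm.TpmReady

    # Assumed value names written by "Require additional authentication at startup".
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    $policyEnabled = [bool]$fve.UseAdvancedStartup   # setting is Enabled
    $allowNoTpm    = [bool]$fve.EnableBDEWithNoTPM   # "Allow BitLocker without a compatible TPM"

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    [pscustomobject]@{
        MountPoint       = $MountPoint
        TpmPresent       = [bool]$tpm.TpmPresent
        TpmReady         = [bool]$tpm.TpmReady
        PolicyEnabled    = $policyEnabled
        AllowWithoutTpm  = $allowNoTpm
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        # With a usable TPM the default configuration works; without one the policy is required.
        CanEnable        = $tpmUsable -or ($policyEnabled -and $allowNoTpm)
        # Boot-component measurement (system-integrity verification) exists only with a TPM.
        IntegrityCheck   = $tpmUsable
    }
}

function Enable-BitLockerWithRecoveryBackup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][securestring]$Password,
        [string]$MountPoint = $env:SystemDrive
    )
    # Password protector for a TPM-less operating-system drive (or as an extra factor).
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password `
        -EncryptionMethod XtsAes256 -UsedSpaceOnly | Out-Null

    # Add a numerical recovery password and escrow it to the computer object in AD DS.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $recovery.KeyProtectorId | Out-Null

    # The KeyProtectorId GUID is the password ID that the recovery screen shows the user.
    [pscustomobject]@{
        MountPoint = $MountPoint
        PasswordId = $recovery.KeyProtectorId
    }
}

$readiness = Get-BitLockerOsDriveReadiness
$readiness | Format-List

if (-not $readiness.CanEnable) {
    Write-Warning ('No usable TPM and "Allow BitLocker without a compatible TPM" is not enabled. ' +
                   'Enable that policy setting, run gpupdate /force, and run this check again.')
}
# After a successful check, encrypt with:
#   Enable-BitLockerWithRecoveryBackup -Password (Read-Host -AsSecureString 'Drive password')
```

Run from an elevated PowerShell prompt on the client; Backup-BitLockerKeyProtector succeeds only on a domain-joined computer that can reach a domain controller.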
The following table summarizes some of the key policy settings that affect Windows 10 client computers.
Each setting includes the following options: Not configured, Enabled, and Disabled. The default setting
for each setting is Not configured.
- Choose default folder for recovery password (BitLocker Drive Encryption folder). Specifies a default location to which the user can save recovery keys. This can be a local or network location. The user also can choose other locations.
- Choose drive encryption method and cipher strength (BitLocker Drive Encryption folder). Allows you to configure the algorithm and cipher strength that BitLocker uses to encrypt files. If you enable this setting, you will be able to choose an encryption algorithm and key cipher strength. If you do not configure this setting, or you disable it, BitLocker will use the default encryption method of AES 128-bit with a diffuser or the encryption method that the setup script specifies.
- Provide the unique identifiers for your organization (BitLocker Drive Encryption folder). Allows you to associate unique organizational identifiers to a new drive that you enable with BitLocker. BitLocker will manage and update data recovery agents only when the identification field on the drive matches the value that you configure in the identification field. This also applies to removable drives that you configure by using BitLocker To Go.
- Deny write access to fixed drives not protected by BitLocker (Fixed Data Drives folder). Controls whether BitLocker protection is required if users are going to write data to fixed data drives on a computer. If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is BitLocker-protected, or if you disable or do not configure this setting, all fixed data drives will be mounted with read/write permission.
- Allow access to BitLocker-protected data drives from earlier versions of Windows (Fixed Data Drives folder). Configures whether fixed data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, or Windows XP with Service Pack 3 (SP3) or Service Pack 2 (SP2) operating systems.
- Choose how BitLocker-protected fixed drives can be recovered (Fixed Data Drives folder). Allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.
- Require additional authentication at startup (Operating System Drives folder). Allows you to configure whether you can enable BitLocker on computers without a TPM, and whether you can use multifactor authentication on computers with a TPM.
- Configure TPM platform validation profile (Operating System Drives folder). Configures which TPM platform measurements that are stored in the Platform Configuration Register indices are used to seal BitLocker keys.
- Control use of BitLocker on removable drives (Removable Data Drives folder). Controls the use of BitLocker on removable data drives.
- Configure use of smart cards on removable data drives (Removable Data Drives folder). Allows you to specify whether smart cards can authenticate user access to BitLocker-protected removable drives on a computer.
- Deny write access to removable drives not protected by BitLocker (Removable Data Drives folder). Configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
- Allow access to BitLocker-protected removable drives from earlier versions of Windows (Removable Data Drives folder). Configures whether removable data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and Windows XP with SP3 or SP2 operating systems.
- Choose how BitLocker-protected removable drives can be recovered (Removable Data Drives folder). Allows you to control the recovery of BitLocker-protected removable data drives if the required startup key information is not available.
The following TPM settings list the default value of each setting in parentheses:
- Turn on TPM backup to Active Directory Domain Services (default: Disabled). Controls whether the password information of the TPM owner is backed up in AD DS. If you enable this setting, it also can control whether backup is required or optional.
- Configure the list of blocked TPM commands (default: None). Allows you to disable or enable specific TPM functions. However, please note that the next two settings can restrict which commands are available. Group Policy based lists override local lists. You can configure local lists in the TPM Management Console.
- Ignore the default list of blocked TPM commands (default: Disabled). By default, BitLocker blocks certain TPM commands. To enable these commands, you must enable this policy setting.
- Ignore the local list of blocked TPM commands (default: Disabled). By default, a local administrator can block commands in the TPM Management Console. You can use this setting to prevent that behavior.
Question: How can you use Microsoft BitLocker Administration and Monitoring 2.5 SP1 to
reduce the time that the help desk spends recovering a BitLocker unlock key for a remote
user?
Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
5. Refresh the Group Policy settings on the local computer by running gpupdate /force.
6. On LON-CL1, open the Manage BitLocker control panel item, and then turn on BitLocker for
Allfiles (E:):
10. Open the BitLocker control panel item, and then unlock volume E:.
11. Enter password Pa$$w0rd to unlock the drive, and then verify access to the drive.
12. Close all open windows.
- A recovery key in a format that the BitLocker recovery console can read directly.
You will require the recovery password if you need to move the encrypted drive to another computer or
make changes to the system startup information. This password is so important that you should make
additional copies of the password and store it in safe places to ensure access to your data.
You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a
locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to
recover encrypted data from any other BitLocker encryption session.
A computer's password ID is a 32-character password that is unique to a computer name. You can find the
password ID under a computer's property settings, which you can use to locate passwords that are stored
in AD DS. To locate a password, the following conditions must be true:
Search for the password in Active Directory Users and Computers by using one of the following:
- A drive label
- Password ID
To search by drive label, perform the following procedure. Locate the computer, right-click the drive label,
click Properties, and then click the BitLocker Recovery tab to view associated passwords.
To search by password ID, perform the following procedure. Right-click the domain container, and then
click Find BitLocker Recovery Password. In the Find BitLocker Recovery Password dialog box, enter
the first eight characters of the password ID in the Password ID field, and then click Search.
Examine the returned recovery password to ensure that it matches the password ID that the user provides.
Performing this step helps verify that you have obtained the unique recovery password.
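The password ID search and the matching step described above, as an added PowerShell example that is not part of the course material. It assumes the ActiveDirectory module (RSAT) is installed, that recovery information is stored as msFVE-RecoveryInformation child objects of the computer account, and that the object name contains the recovery GUID that the user reads as the password ID.

```powershell
# Added example (not course material): find a BitLocker recovery password in AD DS from
# the first eight characters of the password ID, and confirm that the full ID the user
# reads from the recovery screen matches before the password is handed over.

function Find-BitLockerRecoveryPassword {
    [CmdletBinding()]
    param(
        # First eight hexadecimal characters of the 32-character password ID.
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$PasswordIdPrefix,
        # Search the whole domain unless a narrower OU is given.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Object names look like "<timestamp>{<recovery GUID>}", so match on the GUID prefix.
    $ldapFilter = "(&(objectClass=msFVE-RecoveryInformation)(name=*{$PasswordIdPrefix*))"

    Get-ADObject -LDAPFilter $ldapFilter -SearchBase $SearchBase `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, whenCreated |
    ForEach-Object {
        # The recovery object is a child of the computer account it belongs to.
        $computerDn = ($_.DistinguishedName -split ',(?=CN=|OU=|DC=)', 2)[1]
        # msFVE-RecoveryGuid is stored as 16 raw bytes; convert it to the displayed GUID.
        $guid = [guid][byte[]]$_.'msFVE-RecoveryGuid'
        [pscustomobject]@{
            Computer         = (Get-ADObject -Identity $computerDn).Name
            PasswordId       = $guid.ToString('N').ToUpper()   # 32 characters, no hyphens
            RecoveryPassword = $_.'msFVE-RecoveryPassword'     # 48-digit numerical password
            Created          = $_.whenCreated
        }
    }
}

function Test-BitLockerPasswordIdMatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]$RecoveryRecord,
        # The full 32-character password ID as the user reads it (hyphens are tolerated).
        [Parameter(Mandatory)][string]$UserProvidedId
    )
    $normalized = ($UserProvidedId -replace '[^0-9A-Fa-f]', '').ToUpper()
    return ($normalized -eq $RecoveryRecord.PasswordId)
}

# Typical help-desk flow: the user reads the first eight characters, the technician
# searches, then checks the whole ID against the single record before disclosing it.
$prefix  = Read-Host 'First 8 characters of the password ID'
$records = @(Find-BitLockerRecoveryPassword -PasswordIdPrefix $prefix)

if ($records.Count -ne 1) {
    Write-Warning "Expected exactly one match, found $($records.Count); ask for more characters."
} else {
    $fullId = Read-Host 'Full password ID shown on the recovery screen'
    if (Test-BitLockerPasswordIdMatch -RecoveryRecord $records[0] -UserProvidedId $fullId) {
        $records[0] | Select-Object Computer, PasswordId, RecoveryPassword | Format-List
    } else {
        Write-Warning 'Password ID does not match the record found; do not disclose the password.'
    }
}
```

Reading msFVE-RecoveryPassword requires delegated read access to the recovery objects, which by default only Domain Admins have.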
Support for the data recovery agent allows you to dictate that all BitLocker-protected volumes, such as
operating-system, fixed, and new portable volumes, are encrypted with an appropriate data recovery
agent. The data recovery agent is a new key protector that is written to each data volume so that
authorized IT administrators always have access to BitLocker-protected volumes.
- Save it to a file.
- Print it.
To obtain your saved BitLocker recovery key, open an Internet browser, go to
https://onedrive.live.com/recoverykey, and then sign in with your Microsoft account.
You will find recovery keys for all of your BitLocker-protected drives.
Question: What is the difference between the recovery password and the password ID?
Microsoft BitLocker Administration and Monitoring 2.5 SP1 allows administrators to enforce
organizational BitLocker-encryption policies across an enterprise. It also allows administrators to
monitor policy compliance of client computers, providing centralized reporting on the encryption
status of devices that are in use on a network.
Note: Microsoft BitLocker Administration and Monitoring 2.5 SP1 is available only as part
of the Microsoft Desktop Optimization Pack, which offers Microsoft Software Assurance
customers a suite of premium utilities that are useful for administrators to manage desktop
computers and devices within an organization.
Additionally, Microsoft BitLocker Administration and Monitoring lets you access recovery key information, which is helpful when users forget their PINs or passwords, or when their BIOS or UEFI firmware or boot records change. If you adopt an enterprise BitLocker management solution, you can increase BitLocker's level of effectiveness significantly, and reduce your administrative overhead and total cost of ownership.
- Upgrade to the Microsoft BitLocker Administration and Monitoring 2.5 SP1 client from the Microsoft BitLocker Administration and Monitoring 1.0 and 2.0 clients.
- Upgrade to the Microsoft BitLocker Administration and Monitoring 2.5 from previous versions of the Microsoft BitLocker Administration and Monitoring Server.
- Support by Microsoft BitLocker Administration and Monitoring 2.5 SP1 for BitLocker's enterprise scenarios on Windows 10.
- A Self-Service Portal so that end users can recover their recovery keys.
For more information on Microsoft BitLocker Administration and Monitoring 2.5, refer to:
Categorize Activity
Categorize each item below.
Items
3. Encrypts files
Categories
Category 1: BitLocker
Category 2: EFS
Your manager also wants to ensure that volumes containing critical data are locked. Unfortunately, several
of the computers in your office lack TPM chips. You wish to explore the functionality of using BitLocker
without a TPM chip.
Objectives
After completing this lab, you will be able to:
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20697-1B-LON-DC1 and 20697-1B-LON-CL1
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
2. In the SecretDon folder, create a new text document named Secrets. Open the file and enter This is
a secret file.
3. Save the file and then close Notepad.
Results: After completing this exercise, you will have created a folder that automatically encrypts files
placed inside it to the Don account. You also will have verified this by using the Adam account.
2. Enable BitLocker.
3. Verify BitLocker.
5. Refresh the Group Policy settings on the local computer by running gpupdate /force.
6. Restart LON-CL1.
7. After the computer restarts, sign in as Adatum\Administrator with the password Pa$$w0rd.
3. Open the BitLocker control panel item, and then unlock volume E:.
4. Enter the password Pa$$w0rd to unlock the drive, and then verify access to the drive.
5. Close all open windows.
Results: After completing this exercise, you will have encrypted the hard drive.
2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 and 3 for 20697-1B-LON-CL1.
Module 9
Managing Device Security
Contents:
Module Overview 9-1
Module Overview
This module has three lessons. The first lesson describes three different tools that you can use to mitigate
security threats: security settings in Group Policy Objects (GPOs), the Security Compliance Manager, and
the Enhanced Mitigation Experience Toolkit. In the second lesson, you will learn how to configure User
Account Control (UAC). In the third lesson, you learn about AppLocker policies.
Objectives
After completing this module, students will be able to:
- Use security settings to mitigate threats.
- Configure UAC.
Lesson 1
Using Security Settings to Mitigate Threats
You can use appropriately configured Group Policy settings and tools, such as the Security Compliance Manager and the Enhanced Mitigation Experience Toolkit, to mitigate many threats against computers that are running Windows 10 in your organization. A defense-in-depth approach is appropriate when attempting to mitigate a threat. Administrators should assume that no single device will be able to mitigate most threats, and should instead use a suite of tools with overlapping functionality to help mitigate threats.
Lesson Objectives
After completing this lesson, you will be able to:
- Logon prompts
- UAC
- AppLocker policies
- Account lockout policies. Locks out a user account after a user enters a specific number of incorrect passwords in succession.
- Prompt user to change password before expiration. Determines how many days in advance of a user-password expiration the operating system will provide a warning.
- Interactive logon: Do not display last user name. Determines whether the name of the last user to sign in to a computer displays in the Windows logon window.
- Accounts: Rename administrator account. Determines whether a different account name is associated with the security identifier (SID) for the administrator account.
- Devices: Restrict CD-ROM access to locally logged-on user only. Determines whether a CD-ROM is accessible simultaneously to both local and remote users.
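A compliance check for the settings listed above, as an added PowerShell example that is not part of the course material. It assumes the registry locations named in the comments are the ones these policies write (DontDisplayLastUserName under the Policies\System key; AllocateCDRoms and PasswordExpiryWarning under Winlogon), and it parses the English output of net accounts for the lockout threshold.

```powershell
# Added example (not course material): audit a Windows 10 computer against the security
# settings discussed in this lesson and return one object suitable for reporting.

function Get-SecuritySettingsAudit {
    [CmdletBinding()]
    param()

    $policySystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $winlogon     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    $sys = Get-ItemProperty -Path $policySystem -ErrorAction SilentlyContinue
    $wl  = Get-ItemProperty -Path $winlogon     -ErrorAction SilentlyContinue

    # "Accounts: Rename administrator account": the built-in administrator keeps RID 500
    # whatever it is called, so identify it by SID rather than by name.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }

    # "Account lockout threshold": read from the effective policy that net accounts prints
    # (assumes English output; "Never" means lockout is not configured).
    $lockoutLine = [string]((net accounts) -match '^Lockout threshold' | Select-Object -First 1)
    $lockout = if ($lockoutLine -match ':\s+(\S+)') { $Matches[1] } else { 'unknown' }

    # "Prompt user to change password before expiration" is a day count (assumed value name).
    $expiryWarning = if ($null -ne $wl.PasswordExpiryWarning) { [int]$wl.PasswordExpiryWarning } else { $null }

    $result = [pscustomobject]@{
        DoNotDisplayLastUserName   = ($sys.DontDisplayLastUserName -eq 1)
        AdminAccountRenamed        = ($builtinAdmin.Name -ne 'Administrator')
        AdminAccountEnabled        = [bool]$builtinAdmin.Enabled
        RestrictCdRomToLocalUser   = ("$($wl.AllocateCDRoms)" -eq '1')   # stored as REG_SZ
        LockoutThreshold           = $lockout
        PasswordExpiryWarningDays  = $expiryWarning
        Findings                   = @()
    }

    # Flag the items a reviewer would want to see called out explicitly.
    if (-not $result.DoNotDisplayLastUserName) { $result.Findings += 'Last signed-in user name is shown at logon.' }
    if (-not $result.AdminAccountRenamed)      { $result.Findings += 'Built-in administrator account still named "Administrator".' }
    if ($result.LockoutThreshold -eq 'Never')  { $result.Findings += 'No account lockout threshold is configured.' }

    return $result
}

Get-SecuritySettingsAudit | Format-List
```

Run from an elevated prompt on the client; on a domain-joined computer the lockout threshold shown is the effective domain setting, such as the value of 2 configured in the demonstration above.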
Demonstration Steps
1. Sign in to LON-DC1 as Adatum\Administrator, and then open the Group Policy Management
Console.
2. Edit the Default Domain policy, and then navigate to the Computer Configuration\Policies
\Windows Settings\Security Settings\Account Policies\Password Policy node.
6. Configure the Account Lockout Threshold policy to lock out accounts after 2 invalid logon
attempts.
7. Close the Group Policy Management Editor and the Group Policy Management Console.
8. Use the Active Directory Users and Computers Console to edit the properties of the Don Funk user
account, located in the IT OU, so that the user is required to change his password during his next
sign-in attempt.
9. On LON-DC1, open a Windows PowerShell prompt, and trigger a Group Policy update by typing
the following command, and then pressing Enter:
Gpupdate /force
10. Sign in to LON-CL1 as Adatum\Don. When prompted, attempt to change the password to
Pa$$w0rd12.
11. Review the informational message that appears, and then change the password to Pa$$w0rd1234.
12. When signed in, open a command prompt, and force a Group Policy update by typing the following
command at the command prompt, and then pressing Enter:
Gpupdate /force
- Baselines that have Microsoft security guide recommendations and industry best practices as their basis. You can compare your configuration against industry best practices for the latest Windows client and Microsoft applications.
- Centralized features for security baseline management so that you can manage your organization's security and compliance process efficiently.
- Gold master support that allows you to import your existing Group Policy settings for reuse and deployment.
- Standalone machine configuration that allows you to deploy your configurations to computers that are not domain-joined.
- Updated security guides that provide security expertise and best practices.
After you install the Enhanced Mitigation Experience Toolkit, you configure protection on a
per-application basis. When configuring protection for an application, you enable specific mitigations
that protect the application from exploits that use specific techniques. A drawback of the Enhanced
Mitigation Experience Toolkit is that it can cause compatibility issues with some applications. This is
because the tool might enable mitigations that stop the application from functioning correctly. You
can restore application functionality by disabling specific mitigations. Prior to implementing a set of
mitigations to protect applications, you should perform extensive testing to ensure that Enhanced
Mitigation Experience Toolkit mitigations do not adversely affect application functionality.
Device Guard
Device Guard locks down a device so that it only runs applications that are signed digitally. Device Guard uses virtualization-based security to isolate the service that verifies the digital signatures of apps. Device Guard differs from other protection technologies in that it only allows verified applications. Other protection technologies block applications that meet specific signatures or exhibit specific behaviors. The Device Guard feature works with universal apps and classic Windows applications. Device Guard requires hardware that supports Unified Extensible Firmware Interface (UEFI) version 2.3.1 or newer, virtualization extensions enabled, and Second Level Address Translation (SLAT).
Credential Guard
Credential Guard is a virtualization-based technology that stores credentials, such as NTLM hashes and Kerberos tickets, in a protected virtualized container. Credential Guard provides a defense against pass-the-hash and other credential theft attacks. Credential Guard requires hardware that supports UEFI 2.3.1 or newer, virtualization extensions enabled, and SLAT.
Which of the following options best describes the gold master support feature of Security Compliance Manager?
- You can use it to compare your configuration against industry best practices.
- You can use it to deploy your configurations to computers that are not domain-joined.
- You can use it to manage the security and compliance process efficiently.
- You can use it to import your existing GPO settings for reuse and deployment.
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
Lesson 2
Configuring UAC
Many users sign in to their computers with a user account that has more rights than are necessary to run
their applications and access their data files. Using an administrative user account for day-to-day user
tasks poses significant security risks. In older versions of the Windows operating system, administrators
were encouraged to use an ordinary user account for most tasks, and to use the Run As account to enact
tasks that required additional rights.
Windows 10 provides UAC to simplify and help secure the process of elevating your account rights.
However, unless you know how UAC works, and how it can affect your users, you might have problems
when you attempt to carry out typical end-user support tasks. This lesson introduces how UAC works
and how you can use UAC-related desktop features.
Lesson Objectives
After completing this lesson, you will be able to:
Describe UAC.
What Is UAC?
UAC is a security feature that provides a way for users to elevate their status from a standard user account to an administrator account, without having to sign out or switch user profiles. UAC is a collection of features rather than just a prompt. These features, which include File and Registry Redirection, Installer Detection, the UAC prompt, the ActiveX Installer Service, and more, allow Windows users to operate with user accounts that are not members of the Administrators group. These accounts, typically referred to as standard users, are broadly described as operating with least privilege. The most important fact is that when users sign in with standard user accounts, the experience typically is much more secure and reliable.
In Windows 10, the number of operating system applications and tasks that require elevation is fewer
when compared to older operating systems. This allows standard users to do more while experiencing
fewer elevation prompts, and this improves interaction with UAC while upholding high security standards.
When you need to make changes to your computer that require administrator-level permissions, UAC
notifies you as follows:
- If you are an administrator, click Yes to continue.
- If you are not an administrator, someone with an administrator account on the computer will have to enter his or her password for you to continue.
If you are a standard user, providing administrative credentials gives you administrator rights to complete
the task. When you complete the task, permissions will revert to those that a standard user has. This
ensures that even if you are using an administrator account, no one can make changes to your computer
without your knowledge. This helps prevent malicious users from installing malware and spyware on, or
making changes to, your computer.
Standard users
In previous versions of the Windows operating system, many users were configured to use administrative permissions rather than standard user permissions. This was because previous Windows versions required that users have administrator permissions to perform basic system tasks, such as adding a printer or configuring a time zone. In Windows 10, many of these tasks no longer require administrative permissions.
When users have administrative permissions on their computers, they can install additional software.
Despite organizational policies against installing unauthorized software, many users still do it, which can
make their systems less stable and drive up support costs.
When you enable UAC, and a user needs to perform a task that requires administrative permissions, UAC
prompts the user for administrative credentials. In an enterprise environment, the help desk can give a
user temporary credentials that have local administrative permissions to complete a task.
The default UAC setting allows a standard user to perform the following tasks without receiving a UAC
prompt:
- Install updates from Windows Update.
- Install drivers from Windows Update or those that are included with the operating system.
- View Windows settings. However, a standard user is prompted for elevated permissions when changing Windows settings.
- Reset the network adapter and perform other network-diagnostic and repair tasks.
Administrative users
Administrative users automatically have:
One of the benefits of UAC is that it allows users with administrative permissions to operate as standard
users most of the time. When users with administrative permissions perform a task that requires
administrative permissions, UAC prompts the user for permission to complete the task. When the
user grants permission, the task is performed by using full administrative rights, and then the account
reverts to a lower level of permission.
- Open Date and Time in Control Panel, and change the time zone.
- Use Remote Desktop to connect to another computer.
- Change a user's own account password.
- Set up computer synchronization with a mobile device, including a smartphone, laptop, or personal digital assistant (PDA).
The following list details some of the tasks that require elevation to an administrator account:
- Install and uninstall applications.
- Install a driver for a device, such as a digital camera driver.
- Modify UAC settings in the Security Policy Editor snap-in (Secpol.msc) to the Microsoft Management Console (MMC).
- Configure Remote Desktop access.
When you enable UAC, members of the local Administrators group run with the same access token as standard users. A process can use an administrator's full access token only when a member of the local Administrators group gives approval.
This process is the basis of the Admin Approval Mode principle. Users elevate only to perform tasks that
require an administrator access token. When a standard user attempts to perform an administrative task,
UAC prompts the user to enter valid credentials for an administrator account. This is the default for
standard user-prompt behavior.
The elevation prompt displays contextual information about the executable that is requesting elevation.
The context is different, depending on whether the application is signed by Authenticode technology. The
elevation prompt has two variations that the following table describes: the consent prompt and the
credential prompt.
Elevation entry points do not remember that elevation has occurred, such as when you return from a
shielded location or task. As a result, the user must reelevate to enter the task again.
The Windows 10 operating system reduces the number of UAC elevation prompts for a standard user who
performs everyday tasks. However, there are times when it is appropriate for an elevation prompt to be
returned. For example, viewing firewall settings does not require elevation. However, changing the
settings does require elevation because the changes have a system-wide impact.
- A setting or feature that is part of Windows needs your permission to start. This item has a valid digital signature that verifies that Microsoft is the publisher of this item. If this type of dialog box displays, it usually is safe to continue. If you are unsure, check the name of the program or function to decide if it is something that you want to run.
- A program that is not part of Windows needs your permission to start. This program has a valid digital signature, which helps to ensure that the program actually is what it claims to be, and it verifies the identity of the program's publisher. If this type of dialog box displays, make sure the program is the one that you want to run and that you trust the publisher.
- A program with an unknown publisher needs your permission to start. This program does not have a valid digital signature from its publisher. This does not necessarily indicate danger, because many older, legitimate apps lack signatures. However, use extra caution, and only allow a program to run if you obtained it from a trusted source, such as the product CD or a publisher's website. If you are unsure, search the Internet for the program's name to determine if it is a known program or malware.
Most of the time, you should sign in to your computer with a standard user account. You can browse the
Internet, send email, and use a word processor, all without an administrator account. When you want to
perform an administrative task, such as installing a new program or changing a setting that will affect
other users, you do not have to switch to an administrator account. The Windows operating system will
prompt you for permission or an administrator password before performing the task. We also recommend
that you create standard user accounts for all of the people that use your computer.
Prompt settings and their descriptions:
- Notify me only when apps try to make changes to my computer (do not dim my desktop). When a program makes a change, a prompt appears, and the desktop dims to provide a visual cue that an installation is being attempted. Otherwise, the user is not prompted.
- Notify me only when apps try to make changes to my computer (default). When a program makes a change, a prompt appears, but the desktop does not dim. Otherwise, the user is not prompted.
You can configure varying user experiences by using different Group Policy settings. The configuration
choices that you make for your environment affect the prompts and dialog boxes that standard users,
administrators, or both can view.
For example, you might require administrative permissions to change the UAC setting to Always notify
me or Always notify me and wait for my response. When you configure this type of configuration, a
yellow notification appears at the bottom of the User Account Control Settings page, indicating the
requirement.
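The prompt settings and Group Policy-driven UAC behaviour described above, as an added PowerShell example that is not part of the course material. It assumes that the slider positions map to the EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop values under the Policies\System key as documented in the comments.

```powershell
# Added example (not course material): read the registry values behind the UAC settings
# page, name the slider position they correspond to, and flag configurations that weaken
# Admin Approval Mode. Value names and the mapping below are assumptions, not course text.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacConfiguration {
    [CmdletBinding()]
    param()

    $v = Get-ItemProperty -Path $uacKey

    # ConsentPromptBehaviorAdmin: 0 = elevate without prompting, 2 = prompt for consent on
    # the secure desktop, 5 = prompt for consent for non-Windows binaries (default).
    # PromptOnSecureDesktop: 1 = switch to the secure desktop (the "dimmed" desktop).
    $slider = switch ("$($v.ConsentPromptBehaviorAdmin)/$($v.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify me' }
        '5/1'   { 'Notify me only when apps try to make changes to my computer (default)' }
        '5/0'   { 'Notify me only when apps try to make changes to my computer (do not dim my desktop)' }
        '0/0'   { 'Never notify me' }
        default { 'Custom combination set by Group Policy' }
    }

    # ConsentPromptBehaviorUser: 0 = automatically deny elevation requests,
    # 1 = prompt for credentials on the secure desktop, 3 = prompt for credentials (default).
    $standardUser = switch ($v.ConsentPromptBehaviorUser) {
        0       { 'Automatically deny elevation requests' }
        1       { 'Prompt for credentials on the secure desktop' }
        3       { 'Prompt for credentials' }
        default { "Not set or unknown ($($v.ConsentPromptBehaviorUser))" }
    }

    $findings = @()
    if ($v.EnableLUA -ne 1) {
        $findings += 'UAC is disabled (EnableLUA is not 1); administrators run with a full token at all times.'
    }
    if ($v.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators elevate silently; no consent prompt is ever shown.'
    }
    if ($v.PromptOnSecureDesktop -ne 1) {
        $findings += 'Prompts are shown on the interactive desktop rather than the secure desktop.'
    }
    if ($v.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'Standard users cannot elevate at all; the help desk must sign in to perform admin tasks.'
    }

    [pscustomobject]@{
        UacEnabled           = ($v.EnableLUA -eq 1)
        SliderPosition       = $slider
        AdminPromptBehavior  = $v.ConsentPromptBehaviorAdmin
        StandardUserBehavior = $standardUser
        SecureDesktop        = ($v.PromptOnSecureDesktop -eq 1)
        Findings             = $findings
    }
}

Get-UacConfiguration | Format-List
```

When the values are delivered by Group Policy, the User Account Control Settings slider shows the yellow notification mentioned above and the local change is refused; compare this output before and after gpupdate /force to see the policy take effect.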
Demonstration Steps
View the current UAC settings
1. Sign in to LON-CL1 as administrator.
Categorize Activity
Categorize each item below.
Items
6 Install drivers from Windows Update or those that are included with the operating system
Categories: Tasks a Standard User Can Perform | Tasks That Require Elevation to an Administrator Account | Tasks that the default UAC setting allows a standard user to perform without receiving a UAC prompt
Which of the following is the default setting for the UAC elevation prompt?
Never notify me
Notify me only when apps try to make changes to my computer (do not dim my desktop)
Always notify me
Lesson 3
Configuring Application Restrictions
The reliability and security of enterprise devices significantly increases with the ability to control which
applications a user, or set of users, can run. Overall, an application lockdown policy can lower the total
cost of computer ownership in an enterprise. AppLocker controls application execution and simplifies the
process of authoring an enterprise application lockdown policy. It also reduces administrative overhead,
and helps administrators control how users access and use files, such as .exe and .appx files, scripts,
Windows Installer files (.msi, .mst, and .msp files), and .dll files.
Lesson Objectives
After completing this lesson, you will be able to:
What Is AppLocker?
Today's organizations face a number of challenges in controlling which applications run on client computers, including:
The packaged and custom applications that users can access.
Windows Vista addressed this issue by supporting software restriction policies, which administrators used
to define the list of applications that users were allowed to run. AppLocker builds on this security layer,
providing you with the ability to control how users run all types of applications, such as executable files,
Windows Store .appx apps, scripts, Windows Installer files (.msi, .mst, and .msp), and .dll files.
Benefits of AppLocker
You can use AppLocker to specify exactly what you will allow users to run on their PCs and devices. This
allows users to run the applications, installation programs, and scripts that they require to be productive,
while still providing the security, operational, and compliance benefits of application standardization.
Limit the number and types of files that they allow users to run, by preventing unlicensed software
or malware from running, and by restricting the ActiveX controls that are installed.
Reduce the total cost of ownership by ensuring that workstations are homogeneous across an
enterprise and that users only run software and applications that an enterprise approves.
AppLocker Rules
You can prevent many problems in your work environment by controlling which applications users can run. AppLocker lets you do this by creating rules that specify exactly what applications users can run, and you also can configure AppLocker to continue to function even when applications are updated.
AppLocker is an additional Group Policy mechanism, so IT professionals and system administrators need to be comfortable with Group Policy creation and deployment. This makes AppLocker ideal for organizations that currently use Group Policy to manage their Windows 10 computers or have per-user application installations.
A new AppLocker MMC snap-in in the Group Policy Management Console (GPMC) offers an improvement
to the process of creating AppLocker rules. AppLocker provides several rule-specific wizards. You can use
one wizard to create a single rule and another wizard to generate rules automatically, based on your rule
preferences and the folder that you select. The four wizards that AppLocker offers administrators to
author rules are:
Executable Rules
Windows Installer Rules
Script Rules
Packaged app Rules.
At the end of the wizards, you can review a list of analyzed files. You then can modify the list to remove
any file before rules are created for the remaining files. You also can receive useful statistics about how
often a file has been blocked, or test the AppLocker policy for a specific computer.
Accessing AppLocker
To access AppLocker, perform the following steps:
3. Expand the Application Control Policies node, and then click AppLocker.
In AppLocker, you can configure Executable, Windows Installer, and Script rules. For example, you can
right-click the Executable Rules node, and then click Create New Rule. You then can create a rule that
allows or denies access to an executable file based on criteria such as the file path or publisher. AppLocker
also will let you apply both default and automatically generated rules.
With AppLocker, you can prevent users from installing and running per-user applications by creating a set
of default AppLocker rules. Default rules also ensure that the key operating-system files are allowed to run
for all users.
Note: Before you manually create new rules or automatically generate rules for a specific
folder, you must create default AppLocker rules.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create Default Rules.
By creating these rules, you also have automatically prevented all non-administrator users from being
able to run programs that are installed in their user profile directory. You can recreate the rules at any
time.
Note: Without default rules, critical system files might not run. Once you have created one
or more rules in a rule collection, only applications that those rules affect can run. If you have not
created default rules, and you are prevented from performing administrative tasks, restart the
computer in safe mode, add the default rules, delete any Deny rules that are preventing access,
and then refresh the computer policy.
When you create a rule manually, you can choose whether it is an Allow or Deny rule. Allow rules enable
applications to run, whereas Deny rules prevent applications from running. The Automatically Generate
Rules Wizard only creates Allow rules.
You can create exceptions for executable files. For example, you can create a rule that allows all Windows
processes to run except Regedit.exe, and then use audit-only mode to identify files that will not be
allowed to run if the policy is in effect. You can create rules automatically by running the wizard and
specifying a folder that contains the executable files for applications for which to create rules.
Note: Do not select a folder that contains one or more user profiles. It might not be secure
to create rules to allow executable files in user profiles.
Before you create the rules at the end of the wizards, review the analyzed files and view information
about the rules that you are creating. After you create the rules, edit them to make them more or
less specific. For example, if you selected the Program Files directory as the source for automatically
generating the rules, and you created the default rules, there is an extra rule in the Executable Rules
collection.
2. In the console tree under Application Control Policies\AppLocker, right-click Executable Rules,
and then click Automatically Generate Rules.
3. On the Folder and Permissions page, click Browse.
4. In the Browse For Folder dialog box, select the folder that contains the executable files that you
want to create the rules for, and then click OK.
5. Type a name to identify the rules, and then click Next. To help sort the rules in the MMC list view, the
name that you provide is used as a prefix for the name of each rule that you create.
6. On the Rule Preferences page, click Next without changing any of the default values. The Rule
generation progress dialog box is displayed while the files are processed.
7. On the Review Rules page, click Create. The wizard closes, and the rules are added to the Executable
Rules details pane.
After automatically generating rules based on your preferences, you can edit the rules to make them
more detailed.
Creating rules based on the digital signature of an application helps make it possible to build rules that
survive application updates. For example, an organization can create a rule to allow all versions greater
than 9.0 of a program to run if it is signed by the software publisher. This allows IT professionals to deploy
an application update safely without having to build another rule.
Note: Before performing the following procedure, ensure that you have created
default rules.
1. To open the Local Security Policy MMC snap-in, in the Run dialog box, type secpol.msc, and then
press Enter.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
7. On the Publisher page, note that the default setting is to allow any signed file to run, and then
click Next.
9. On the Name and Description page, accept the default name or enter a custom name and
description, and then click Create.
By using this rule, and ensuring that all applications are signed within your organization, you can be sure
that users only run applications from known publishers.
Note: This rule prevents unsigned applications from running. Before implementing this
rule, ensure that all of the files that you want to run in your organization are signed digitally. If
any applications are not signed, consider implementing an internal signing process to sign
unsigned applications with an internal signing key.
2. In the console tree under Application Control Policies\AppLocker, click Executable Rules.
3. In the details pane, right-click (Default Rule) Microsoft Windows Program Files Rule, and then
click Delete.
To determine if any applications are excluded from the rule set, enable the Audit only enforcement
mode.
1. Click Start, type Services, and then click View local services.
3. In the Application Identity Properties dialog box, in the Startup type list, click Automatic, click
Start, and then click OK.
Note: If an AppLocker rule is not working, check to see that the Application Identity service
has started. This service is required to be running for AppLocker to work.
Demonstration Steps
Create a custom AppLocker rule
1. Sign in as administrator.
o Group: Marketing
o Program: C:\Windows\Regedit.exe
After you create new AppLocker rules, you must configure enforcement for the rule collections and
refresh the computer's policy. Enforcement is configured in the Local Security Policy console in the
Configure Rule Enforcement area. The following table outlines the three enforcement options for each
rule type.
Enforce rules with Group Policy inheritance | Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
To view information about applications that AppLocker rules affect, use Event Viewer. Each event in the
AppLocker operational log contains detailed information, such as the following:
Which file was affected and the path of that file
The security identifier for the user that is targeted in the rule
Review the entries in the log to determine if any applications were not included in the rules. The following
table identifies three events to use in determining which applications are affected.
Event ID | Level | Event message | Description
8003 | Warning | Access to <file_name> is monitored by an administrator. | Applied only when in the Audit only enforcement mode. Specifies that the file will be blocked if the Enforce rules enforcement mode is enabled.
8004 | Error | Access to <file_name> is restricted by an administrator. | Applied only when the Enforce rules enforcement mode is either directly or indirectly set through Group Policy inheritance. The file cannot run.
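The following Windows PowerShell script is an added example, not part of the course material. It checks that the Application Identity service is running (the prerequisite noted earlier) and then summarizes the 8003 and 8004 events from the AppLocker EXE and DLL operational log by file path and user. The field names PolicyName, TargetUser and FilePath are those carried in the UserData payload of AppLocker events; the seven-day window is an assumption you can change.

```powershell
# Added example: summarize AppLocker audit (8003) and block (8004) events for review.
$logName = 'Microsoft-Windows-AppLocker/EXE and DLL'

# AppLocker rules are evaluated only while the Application Identity service (AppIDSvc) runs.
function Test-AppIdServiceRunning {
    $svc = Get-Service -Name AppIDSvc -ErrorAction Stop
    return ($svc.Status -eq 'Running')
}

# Translate the SID stored in the event into an account name where possible.
function Resolve-Sid([string]$Sid) {
    try { ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $Sid }
}

# One object per 8003/8004 event: when, what outcome, which rule collection, who, which file.
function Get-AppLockerEventSummary {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # assumed review window
    $events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 8003, 8004; StartTime = $Since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            Time     = $e.TimeCreated
            Outcome  = if ($e.Id -eq 8003) { 'Would be blocked (Audit only)' } else { 'Blocked (Enforce rules)' }
            Policy   = $data.PolicyName          # EXE or DLL rule collection
            User     = Resolve-Sid $data.TargetUser
            FilePath = $data.FilePath
        }
    }
}

# Group by path so each file that the rules did not cover is reviewed once, with the users affected.
function Get-AppLockerReviewList {
    Get-AppLockerEventSummary | Group-Object FilePath | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'FilePath'; e = { $_.Name } },
                      @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } },
                      @{ n = 'Outcomes'; e = { ($_.Group.Outcome | Sort-Object -Unique) -join '; ' } }
}

if (-not (Test-AppIdServiceRunning)) {
    Write-Warning 'Application Identity (AppIDSvc) is not running; AppLocker rules are not being evaluated.'
}
Get-AppLockerReviewList | Format-Table -AutoSize
```

Run it while the policy is in Audit only mode to see which applications would be blocked before you switch to Enforce rules.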
Demonstration
This demonstration will show the different enforcement options and how to configure the enforcement
for the rule that was created in the previous demonstration. The demonstration then will verify the
enforcement with gpupdate.
Demonstration Steps
3. Configure Enforcement:
3. Review the System log for Event ID 1502, which indicates that the Group Policy settings were
refreshed.
4. Start the Application Identity service, which is required for AppLocker enforcement.
3. Sign in as Adatum\Administrator.
4. Open Event Viewer, and in Application and Services Logs\Microsoft\Windows\ AppLocker,
select the EXE and DLL log.
5. Review the entries. Locate Event ID 8004. It indicates that an attempt was made to run Regedit.exe,
which was not allowed to run.
Question: What are some of the drawbacks of enforcing a more rigorous account lockout
policy?
You also are interested in configuring UAC so that when the UAC dialog box prompts a standard user, he
or she can enter the credentials of an administrator account to gain elevated privileges. You also want to
restrict the execution of certain applications.
Objectives
After completing this lab, you will have:
Lab Setup
Estimated Time: 50 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
2. Refresh GPOs.
2. Edit the Default Domain policy, and then navigate to the Computer Configuration\Policies
\Windows Settings\Security Settings\Account Policies\Password Policy node.
5. Configure the Account lockout duration policy, and then set the value to 20 minutes.
6. Configure the Account lockout threshold policy to lock out accounts after 2 invalid logon attempts.
7. Close the Group Policy Management Editor and the Group Policy Management Console.
8. Use the Active Directory Users and Computers Console to edit the properties of the Don Funk user
account, located in the IT OU, so that the user is required to change his password during his next
sign-in attempt.
Gpupdate /force
Results: After completing this exercise, you will have configured password policies to require a
12-character password and an account lockout policy that will lock out a user account if a user enters
more than two incorrect passwords in succession.
2. Review the informational message, and then change the password to Pa$$w0rd1234.
3. After you sign in, open a command prompt, and then force a Group Policy update by typing the
following command, and then pressing Enter:
Gpupdate /force
Results: After completing this exercise, you will have verified that the policies, with respect to password
length and account lockout, were applied correctly.
2. Open the Local Group Policy Editor, and then navigate to Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security Options.
3. Modify the User Account Control: Behavior of the elevation prompt for standard users setting
to Prompt for credentials on the secure desktop.
4. Enable the User Account Control: Only elevate executables that are signed and validated policy
setting.
5. Enable the User Account Control: Behavior of the elevation prompt for administrators in
Admin Approval Mode policy setting, and then select the Prompt for consent on the secure
desktop option.
2. Open an administrative command prompt. UAC prompts you for credentials on the secure desktop.
Provide the necessary credentials, and after the administrative command prompt opens, close it, and
then sign out.
Results: After completing this exercise, you will have reconfigured UAC notification behavior and
prompts.
2. Open the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
o Group: IT
3. Sign out, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
Results: After completing this exercise, you will have created and tested executable and default
AppLocker rules.
2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20697-1B-LON-DC1.
Module 10
Managing Network Security
Contents:
Module Overview
Module Overview
Protecting data from malicious attacks is one of an administrator's foremost concerns. Windows 10
includes Windows Firewall, which you can use to prevent unauthorized network traffic from entering or
leaving a computer. It provides the basic protection that you expect from Windows Firewall, and also
allows you to configure connection security rules to protect network traffic from interception and
modification. Windows 10 also includes the Windows Defender feature, which helps protect computers
from malware.
Objectives
After completing this module, you will be able to:
Describe network-related security threats.
Lesson 1
Overview of Network-Related Security Threats
A computer that is running Windows 10 is more likely to face threats that originate from the network than
from any other location. This is because attacks from the network can target a large number of computers
and malicious users perform them remotely, whereas other forms of attacks require physical access to the
computer. In this lesson, you will learn about common network-related security threats and the steps that
you can take to mitigate them.
Lesson Objectives
After completing this lesson, you will be able to:
Port scanning. Apps that run on a computer using the TCP/IP protocol use Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) ports to identify themselves. One way that attackers
exploit a network is to query hosts for open ports on which they listen for client requests. Once
attackers identify an open port, they can use other attack techniques to access the services that are
running on the computer.
Man-in-the-middle (MITM) attack. The network attacker uses a computer to impersonate a legitimate
host on the network with which your computers are communicating. The attacker intercepts all of the
communications that are intended for a destination host. The attacker might wish to view the data in
transit between the two hosts, but also can modify that data before forwarding the packets to the
destination host.
Internet Protocol security (IPsec), which authenticates IP-based communications between two hosts
and, where desirable, encrypts that network traffic.
Firewalls, which allow or block network traffic based on the type of traffic.
Perimeter networks, which are isolated areas on your network to and from which you can define
network traffic flow. When you need to make network services available on the Internet, it is not
advisable to connect hosting servers directly to the Internet. However, by placing these servers in a
perimeter network, you can make them available to Internet users without allowing those users access
to your corporate intranet.
VPNs and DirectAccess. It is important that users have the ability to connect to their organization's
intranet from the Internet as securely as possible. The Internet is a public network, and data in transit
across the Internet is susceptible to eavesdropping or MITM attacks. However, by using virtual private
networks (VPNs) or DirectAccess, you can authenticate and encrypt connections between remote
users and your organization's intranet. This can help to mitigate risk.
Server hardening. When you run only the services that you need, you can make servers inherently
more secure. To determine what services you require, you must establish a security baseline among
your servers. To determine precisely which Windows Server services you need to support the
functionality that you or your enterprise requires, you can use tools such as the Security Configuration
Wizard or the Microsoft Baseline Security Analyzer.
Intrusion detection. It is important to implement the preceding techniques to secure your network,
and it also is sensible to monitor your network regularly for signs of attack. You can use intrusion-
detection systems to do this by implementing them on perimeter devices, such as Internet-facing
routers.
Domain Name System Security Extensions (DNSSEC), which use digital signatures for validation, so
that DNS servers and resolvers can trust DNS responses. The DNS zone contains all signatures that are
generated in the new resource records. When a resolver issues a query for a name, the DNS server
returns the accompanying digital signature in the response. The resolver then validates the signature
by using a preconfigured trust anchor. Successful validation proves that no data modification or
tampering has occurred.
Lesson 2
Windows Firewall
Windows Firewall provides built-in functionality that you can use to protect Windows 10 computers
from unauthorized access attempts or other unwanted incoming or outgoing network traffic. Unwanted
traffic often comes from Internet-based sources, but traffic from a local area network (LAN) or wide area
network (WAN) also can compromise your network. You can use Windows Firewall to filter incoming and
outgoing traffic based on the traffic's characteristics and the type of network to which a Windows 10
computer is connected.
Lesson Objectives
After completing this lesson, you will be able to:
What Is a Firewall?
Firewalls block or allow network traffic, based on the traffic's properties. You can utilize hardware-based firewalls or software firewalls that run on a device.
Traffic protocol.
Packet contents.
For example, a sophisticated firewall analyzes network traffic and filters out harmful traffic, such as
attempts to cause a denial-of-service attack or an SQL injection attack.
Administrators often place firewalls at a network perimeter, between an organization's screened subnet
and the Internet, and between the screened subnet and the internal network. Today, it also is common for
each host to have its own additional firewall.
Firewall exceptions
When you add a program to the list of allowed programs, or open a firewall port, you are allowing that program to send information to or from your computer. Allowing a program to communicate through a firewall is like making an opening in the firewall. Each time that you create another opening, the computer becomes less secure.
Generally, it is safer to add a program to the list of allowed programs than to open a port for an app. If
you open a port without scoping the port to a specific app, the opening in the firewall stays open until
you close the port, regardless of whether a program is using it. If you add a program to the list of allowed
programs, you are allowing the app itself to create an opening in the firewall, but only when necessary.
The openings are available for communication only when required by an allowed program or computer.
To add, change, or remove allowed programs and ports, you should perform the following steps. Click
Allow an app or feature through Windows Firewall in the left pane of the Windows Firewall page,
and then click Change settings. For example, to view performance counters from a remote computer,
you must enable the Performance Logs and Alerts firewall exception on the remote computer.
Remove programs from the list of allowed programs, or close ports when you do not require them.
Never allow a program that you do not recognize to communicate through the firewall.
Domain networks. These typically are workplace networks that attach to a domain. Use this option for
any network that allows communication with a domain controller. Network discovery is on by default,
and you cannot create or join a HomeGroup.
Private networks. These are networks at home or work where you know and trust the people and
devices on the network. When you select Home or work (private) networks, this turns on network
discovery. Computers on a home network can belong to a HomeGroup.
Guest or public networks. These are networks in public places. This location keeps the computer from
being visible to other computers. When you select the Public place network location, HomeGroup is
not available, and Windows 10 turns off network discovery.
You can modify the firewall settings for each type of network location from the main Windows Firewall
page. Click Turn Windows Firewall on or off, select the network location, and then make your selection.
You also can modify the following options:
Block all incoming connections, including those in the list of allowed programs.
Notify me when Windows Firewall blocks a new program.
The Public networks location blocks certain programs and services from running, which protects a
computer from unauthorized access. If you connect to a Public network, and Windows Firewall is on, some
programs or services might ask you to allow them to communicate through the firewall so that they can
work properly.
Note: To access the global profile settings in Windows Firewall with Advanced Security
Properties, perform one of the following procedures:
In the navigation pane, right-click Windows Firewall with Advanced Security, and then click
Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the
Overview section, click Windows Firewall Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the Actions
pane, click Properties.
The options that you can configure for each of the three network profiles are:
Inbound connections. Configure to block connections that do not match any active firewall rules,
block all connections regardless of inbound rule specifications, or allow inbound connections that
do not match an active firewall rule.
Outbound connections. Configure to allow connections that do not match any active firewall rules, or
block outbound connections that do not match an active firewall rule.
Settings. Configure display notifications, unicast responses, local firewall rules, and local connection
security rules.
o Size limit (KB). The default size is 4,096. Adjust this if necessary when troubleshooting.
o No logging occurs until you set one or both of following two options to Yes:
Log dropped packets
Log successful connections
Inbound
Outbound
Inbound rules
Inbound rules explicitly allow or block traffic that matches the rule's criteria. For example, you can
configure a rule to allow traffic for Remote Desktop from the local network segment through the firewall,
but block traffic if the source is a different network segment.
When you first install the Windows operating system, Windows Firewall blocks all unsolicited inbound
traffic. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule that
describes that traffic. For example, if you want to run a Web server, you must create a rule that allows
unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows
Firewall with Advanced Security takes, which is whether to allow or block connections when an inbound
rule does not apply.
Outbound rules
Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or
deny traffic originating from a computer that matches a rule's criteria. For example, you can configure a
rule to explicitly block outbound traffic to a computer by IP address through the firewall, but allow the
same traffic for other computers.
Program rules. These control connections for a program. Use this type of firewall rule to allow a
connection based on the program that is trying to connect. These rules are useful when you are not
sure of the port or other required settings, because you only specify the path to the program's
executable (.exe) file.
Port rules. These control connections for a TCP or UDP port. Use this type of firewall rule to allow a
connection based on the TCP or UDP port number over which the computer is trying to connect. You
specify the protocol and the individual or multiple local ports to which the rule applies.
Predefined rules. These control connections for a Windows-based experience. Use this type of firewall
rule to allow a connection by selecting one of the programs or experiences from the list. Network-
aware programs that you install typically add their own entries to this list, so that you can enable and
disable them as a group.
Custom rules. Configure these as necessary. Use this type of firewall rule to allow a connection based
on criteria that other types of firewall rules do not cover.
Consider the scenario in which you want to create and manage tasks on a remote computer by using the
Task Scheduler user interface. Before connecting to the remote computer, you must enable the Remote
Scheduled Tasks Management firewall exception on the remote computer. You can do this by using the
predefined rule type on an inbound rule.
Alternatively, you might want to block all web traffic on the default TCP Web server port 80. In this
scenario, you create an outbound port rule that blocks the specified port. The next topic discusses well-
known ports, such as port 80.
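The Windows PowerShell script below is an added example, not part of the course material. It implements the two scenarios just described (enabling the predefined Remote Scheduled Tasks Management rules and blocking outbound TCP port 80) and places an inbound port rule beside the program rule that the lesson recommends instead. The rule display names and the program path are constructed for the example; the functions support -WhatIf so the changes can be previewed from an elevated prompt.

```powershell
# Added example: the lesson's two scenarios as NetSecurity cmdlets, plus port rule vs. program rule.

# Scenario 1: allow remote Task Scheduler management by enabling the predefined rule group.
function Enable-RemoteScheduledTasksRules {
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess('Remote Scheduled Tasks Management', 'Enable predefined inbound rules')) {
        Enable-NetFirewallRule -DisplayGroup 'Remote Scheduled Tasks Management'
    }
}

# Scenario 2: block outbound web traffic on TCP 80 with an outbound port rule.
function New-BlockOutboundHttpRule {
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess('Block Outbound HTTP (example)', 'Create outbound port rule')) {
        New-NetFirewallRule -DisplayName 'Block Outbound HTTP (example)' -Direction Outbound `
            -Protocol TCP -RemotePort 80 -Action Block -Profile Any
    }
}

# Weaker form: an inbound port rule keeps TCP 8080 open whether or not any program listens on it.
function New-InboundPortRuleExample {
    [CmdletBinding(SupportsShouldProcess)] param()
    if ($PSCmdlet.ShouldProcess('Allow TCP 8080 (port rule, example)', 'Create inbound port rule')) {
        New-NetFirewallRule -DisplayName 'Allow TCP 8080 (port rule, example)' -Direction Inbound `
            -Protocol TCP -LocalPort 8080 -Action Allow -Profile Domain, Private
    }
}

# Preferred form: a program rule opens only the ports the named executable listens on, only while it runs.
function New-InboundProgramRuleExample {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ProgramPath = 'C:\Program Files\ExampleApp\ExampleApp.exe')   # constructed path
    if ($PSCmdlet.ShouldProcess($ProgramPath, 'Create inbound program rule')) {
        New-NetFirewallRule -DisplayName 'Allow ExampleApp (program rule, example)' -Direction Inbound `
            -Program $ProgramPath -Action Allow -Profile Domain, Private
    }
}

# Review the example rules: join each rule to its port filter and application filter so the
# difference between "open port" and "scoped to a program" is visible in one table.
function Get-ExampleRuleReview {
    Get-NetFirewallRule -DisplayName '*(example)' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Direction  = $_.Direction
            Action     = $_.Action
            Protocol   = $port.Protocol
            LocalPort  = $port.LocalPort
            RemotePort = $port.RemotePort
            Program    = $app.Program
        }
    }
}

Enable-RemoteScheduledTasksRules -WhatIf
New-BlockOutboundHttpRule        -WhatIf
New-InboundPortRuleExample       -WhatIf
New-InboundProgramRuleExample    -WhatIf
Get-ExampleRuleReview | Format-Table -AutoSize
```

Drop the -WhatIf switches to apply the rules; the review table then shows the port rule with a fixed LocalPort and the program rule with a Program path and no port restriction.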
Tunnel rules. These secure communications that travel between two computers by using tunnel mode
in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that you
route between two defined endpoints.
For each endpoint, specify a single computer that receives and consumes the sent network traffic, or
specify a gateway computer that connects to a private network onto which the received traffic is
routed after extracting it from the tunnel.
Custom rules. Configure these as necessary. Custom rules authenticate connections between two
endpoints when you cannot set up authentication rules by using the other rule types.
Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules,
connection security rules, and security associations (SAs). The Monitoring page displays which profiles
are active (domain, private, or public), and the settings for the active profiles.
Windows Firewall with Advanced Security events also are available in Event Viewer. For example, the
ConnectionSecurity operational event log is a resource that you can use to view IPsec-related events. The
operational log is always on, and it contains events for connection security rules.
Windows PowerShell commands
You can use the following Windows PowerShell cmdlets to manage Windows Firewall rules:
Show-NetFirewallRule. Use this cmdlet to view all firewall rules in the policy store.
Well-Known Ports
Before you configure either inbound or outbound firewall rules, you must understand how apps communicate on a TCP/IP network. At a high level, when an app wants to establish communications with an app on a remote host, it creates a connection to a defined TCP or UDP socket.
The Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) addresses of the source and
destination hosts.
The TCP or UDP port number that the apps are using. TCP or UDP communications use ports to name
the ends of logical connections that transfer data.
Well-known ports
The Internet Assigned Numbers Authority (IANA) assigns the well-known ports on most systems. Typically,
only system processes or programs that privileged users execute can use these ports. Ports receive a
number between 0 and 65,535:
Dynamic and private ports are those from 49,152 through 65,535.
To view the current TCP/IP network connections and listening ports, use the netstat -a command or the
Get-NetTCPConnection Windows PowerShell command-line interface cmdlet.
IANA assigns well-known ports to specific apps so that client apps can locate them on remote systems.
Therefore, to the extent that is possible, use the same port assignments with TCP and UDP. To view a list
of well-known ports and the associated services that Windows 10 recognizes, open the
C:\Windows\System32\drivers\etc\Services file. The following table identifies some well-known ports.
Port  Protocol  Service
25    TCP       Simple Mail Transfer Protocol (SMTP), which email servers and clients use to send email
53    UDP       DNS
53    TCP       DNS
110   TCP       Post Office Protocol version 3 (POP3), which email clients use for email retrieval
143   TCP       Internet Message Access Protocol (IMAP), used by email clients for email retrieval
443   TCP       Hypertext Transfer Protocol Secure (HTTPS) for secured web servers
Typically, it is not necessary to configure applications to use specific ports. However, you must be aware of
the ports that applications use to ensure that the required ports are open through your firewall when you
use a port rule.
Remember that when you add a TCP or UDP port to the rules list, the port is open whenever Windows
Firewall with Advanced Security is running, regardless of whether a program or system service is listening
for incoming traffic on the port. Therefore, if you need to allow unsolicited incoming traffic, create a
program rule instead of a port rule. When you use a program rule, the port opens and closes dynamically
as the program requires. You also do not need to be aware of the port number that the application uses.
If you change the application port number, the firewall automatically continues communication on the
new port.
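The distinction between a port rule and a program rule, plus a check for ports that a rule opens while nothing is listening on them, as an added Windows PowerShell example that is not part of the course material. The rule names, the port 8443 and the program path C:\Apps\Contoso\svc.exe are assumptions; the cmdlets are the standard NetSecurity and NetTCPIP ones.

```powershell
# Added example (not from the course): port rule vs program rule, a check for
# "open but unused" ports, and a lookup in the local services file.
# Rule names, the port and the program path are assumed.
#Requires -RunAsAdministrator

$Port    = 8443                          # assumed application port
$Program = 'C:\Apps\Contoso\svc.exe'     # assumed application path

# 1. A port rule: the port is open whenever the firewall runs, even when no
#    process listens on it. Scope it to the domain profile and local subnet.
New-NetFirewallRule -DisplayName 'Contoso Service (port rule)' `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -Profile Domain -RemoteAddress LocalSubnet -Action Allow | Out-Null

# 2. A program rule: the port opens only while this program listens, and the
#    rule keeps working if the application changes its port later.
New-NetFirewallRule -DisplayName 'Contoso Service (program rule)' `
    -Direction Inbound -Program $Program `
    -Profile Domain -Action Allow | Out-Null

# 3. Compare enabled inbound allow rules with the ports actually in LISTEN state
#    (netstat -a / Get-NetTCPConnection). Rules with Listening = False expose a
#    port that nothing is currently using.
$listening = Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique

Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP' -and $filter.LocalPort -ne 'Any') {
            # LocalPort may be one value, a range ('5000-5010') or an array.
            foreach ($p in @($filter.LocalPort)) {
                if ($p -notmatch '^\d+$') { continue }   # ranges skipped here
                [pscustomobject]@{
                    Rule      = $rule.DisplayName
                    Port      = [int]$p
                    Listening = ([int]$p -in $listening)
                }
            }
        }
    } | Sort-Object Listening, Port | Format-Table -AutoSize

# 4. Resolve a port to the service name recorded in the services file the
#    text refers to (format: "name  port/proto  [aliases]  # comment").
function Get-ServiceNameForPort {
    param([int]$Port, [ValidateSet('tcp','udp')][string]$Protocol = 'tcp')
    $services = Join-Path $env:SystemRoot 'System32\drivers\etc\services'
    Get-Content $services |
        Where-Object { $_ -and -not $_.TrimStart().StartsWith('#') } |
        ForEach-Object {
            $fields = ($_ -split '#')[0] -split '\s+' | Where-Object { $_ }
            if ($fields.Count -ge 2 -and $fields[1] -eq "$Port/$Protocol") { $fields[0] }
        }
}
Get-ServiceNameForPort -Port 389 -Protocol tcp     # ldap
Get-ServiceNameForPort -Port 443 -Protocol tcp     # https
```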
Demonstration Steps
2. In the search box on the taskbar, type mstsc, and then click mstsc. This opens a Remote Desktop
Connection.
3. Connect to LON-CL1, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Connect to LON-CL1.
2. In the search box on the taskbar, type mstsc, and then click mstsc. This will open Remote Desktop
Connection.
4. Open the properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.
5. Modify the scope so that the rule applies only to the remote IP address 172.16.0.10.
You need to open a firewall port to allow Lightweight Directory Access Protocol
(LDAP) traffic. Which port would you open to accomplish this task?
143
389
443
161
Lesson 3
Connection Security Rules
Windows 10 does not authenticate or encrypt connections made from one computer to another, by
default. However, by configuring and using connection security rules, you can verify the identity of each
computer that is communicating. You also can encrypt the connection between those computers, and
then ensure that no tampering has occurred with respect to the transmission between the two computers.
Lesson Objectives
After completing this lesson, you will be able to:
Monitor connections.
What Is IPsec?
You can use IPsec to ensure confidentiality,
integrity, and authentication in data transport
across channels that are not secure. Though its
original purpose was to secure traffic across public
networks, many organizations have chosen to
implement IPsec to address perceived weaknesses
in their own private networks that might be
susceptible to exploitation.
If you implement IPsec properly, it provides a
private channel for sending and exchanging
potentially sensitive or vulnerable data, whether
it is email, FTP traffic, news feeds, partner and
supply-chain data, medical records, or any other type of TCP/IP-based data.
IPsec:
IPsec modes
IPsec has two modes:
Encapsulating security payload (ESP). This mode encrypts data using one of several available
algorithms.
Authentication Header (AH). This mode signs traffic, but does not encrypt it.
Domain isolation. You can isolate a domain by using Active Directory domain membership to ensure
that computers that are domain members accept only authenticated and secured communications
from other domain-member computers. The isolated network consists only of that domain's member
computers, and domain isolation uses an IPsec policy to protect traffic between domain members,
including all client and server computers.
Tunnel. A tunnel rule allows you to protect connections between gateway computers, and typically,
you use it when you are connecting across the Internet between two security gateways.
Custom. There might be situations in which you cannot configure the authentication rules that you
need by using the rules available in the New Connection Security Rule Wizard. However, you can use
a custom rule to authenticate connections between two endpoints.
You can configure connection security rules by using Group Policy, Windows Firewall with Advanced
Security, or Windows PowerShell.
Authentication Options
When you use the New Connection Security Rule Wizard to create a new rule, you can use the
Requirements page to specify how you want authentication to apply to inbound and outbound
connections. If you request authentication, communication is still allowed when authentication fails. If
you require authentication, the connection is dropped when authentication fails.
The Require authentication for inbound connections and Request authentication for
outbound connections option
Use the Require authentication for inbound connections and request authentication for outbound
connections option if you want to ensure that all inbound traffic is either authenticated or blocked.
Outbound traffic is still allowed even when authentication fails; when authentication succeeds, the
outbound traffic is authenticated as well. You typically use this option in most IT environments in which
the computers that need to connect can perform the authentication types that are available with
Windows Firewall with Advanced Security.
The New Connection Security Rule Wizard has a page on which you can configure the authentication
method and the authentication credentials that you want clients to use. If the rule exists already, you can
use the Authentication tab in the Properties dialog box of the rule that you wish to edit.
Default
Select the Default option to use the authentication method that you configured on the IPsec Settings tab
of the Windows Firewall with Advanced Security Properties dialog box.
Computer certificate
The Computer certificate method requests or requires a valid computer certificate to authenticate, and
you must have certificates from a CA trusted by both computers. Use this method if the computers are
not part of the same AD DS domain.
Advanced
You can configure any available method, and you can specify methods for first authentication and second
authentication. First authentication methods include Computer (Kerberos V5), computer certificate, and a
Preshared key (not recommended). Second authentication methods include User (Kerberos V5), User
NTLM (Windows NT Challenge/Response protocol), user certificates, and computer certificates issued by
trusted CAs. Only computers that are running Windows Vista, Windows 7, Windows 8, Windows 10,
Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2
support second authentication methods.
Monitoring Connections
Windows Firewall with Advanced Security is
a stateful, host-based firewall that blocks
incoming and outgoing connections based
on its configuration. Although you can perform
a typical end-user configuration for Windows
Firewall by using the Windows Firewall control
panel item, you can perform advanced
configuration in the Microsoft Management
Console (MMC) snap-in named Windows Firewall
with Advanced Security.
Additionally, you can enable DNS name resolution for the IP addresses that you are monitoring. Note that
there are some issues to consider when enabling DNS. For example, it only works in a specific filter view
for Quick Mode and in SAs view for Quick Mode and Main Mode monitoring. There also is the possibility
that you can affect a server's performance if several items in the view require name resolution. Finally, the
DNS record name resolution requires a proper pointer (PTR) resource record in DNS.
To view the connection security rules in the active policy store, you can use the following Windows
PowerShell command:
A Quick Mode SA depends on the successful establishment of a Main Mode SA. An IPsec or Phase 2 SA is
another name for a Quick Mode SA. This process establishes keys based on the information that the policy
specifies. Quick Mode SAs establish protected transmission channels for the actual application IP data that
the policy specifies.
Monitoring SAs
The Security Associations folder lists all of the Main Mode and Quick Mode SAs with detailed information
about their settings and endpoints.
Main Mode
Main Mode statistics provide data about the total number of SAs created and invalid packet information.
Quick Mode
Quick Mode provides more-detailed information about connections. If you are having issues with an IPsec
connection, Quick Mode statistics can provide insight into the problem.
Demonstration Steps
1. Switch to LON-CL2.
2. Ping LON-CL1.
3. Open Control Panel, open Windows Firewall, and then open the Advanced settings.
6. To examine the Main Mode Security Associations, at the command prompt, type the following
command, and then press Enter:
Get-NetIPsecMainModeSA
7. To examine the Quick Mode Security Associations, at the command prompt, type the following
command, and then press Enter:
Get-NetIPsecQuickModeSA
9. On LON-CL1, open Control Panel, open Windows Firewall, and then open Windows Firewall with
Advanced Security.
10. Create a connection security rule that allows traffic on LON-CL1 with the following settings:
o Rule: Isolation
11. On LON-CL2, open Control Panel, open Windows Firewall, and then open Windows Firewall with
Advanced Security.
12. Create a connection security rule that allows traffic on LON-CL1 with the following settings:
o Rule: Isolation
o Requirements: Require authentication for inbound connections and request authentication
for outbound connections
14. Open Control Panel, open Windows Firewall, and then open the Advanced settings.
17. To examine the Main Mode Security Associations, at the Windows PowerShell prompt, type the
following command, and then press Enter:
Get-NetIPsecMainModeSA
19. To examine the Quick Mode Security Associations, at the command prompt, type the following
command, and then press Enter:
Get-NetIPsecQuickModeSA
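The isolation rule from the lesson (require inbound, request outbound) built with the Advanced authentication options, followed by the Main Mode and Quick Mode SA checks from the demonstration, as an added Windows PowerShell example that is not part of the course material. It assumes both computers are members of the same AD DS domain; the rule and authentication set names are assumptions.

```powershell
# Added example (not from the course): an isolation connection security rule
# created with the NetSecurity cmdlets instead of the wizard, then verified
# through the security associations. Display names are assumed.
#Requires -RunAsAdministrator

# First authentication: the computer account via Kerberos V5 (domain members).
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName 'Isolation-Computer-Kerberos' `
    -Proposal (New-NetIPsecAuthProposal -Machine -Kerberos)

# Second authentication: the user account via Kerberos V5 (an "Advanced" option).
$phase2 = New-NetIPsecPhase2AuthSet -DisplayName 'Isolation-User-Kerberos' `
    -Proposal (New-NetIPsecAuthProposal -User -Kerberos)

# Require inbound, request outbound: unauthenticated inbound traffic is dropped,
# while outbound traffic to peers that cannot authenticate still flows.
New-NetIPsecRule -DisplayName 'Domain Isolation' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Phase2AuthSet $phase2.Name `
    -Profile Domain | Out-Null

# Confirm the rule in the active policy store, i.e. what is enforced right now
# (Group Policy may also contribute rules to this store).
Get-NetIPsecRule -PolicyStore ActiveStore |
    Where-Object DisplayName -eq 'Domain Isolation' |
    Format-List DisplayName, InboundSecurity, OutboundSecurity, Enabled

# Generate some traffic to a peer (LON-CL1 is the demonstration's peer name),
# then inspect the SAs. Interpretation:
#   no Main Mode SA   -> peers never authenticated (Kerberos, clock skew, policy)
#   Main Mode SA only -> phase 1 succeeded, Quick Mode (phase 2) negotiation failed
#   both present      -> the protected channel is up
Test-NetConnection -ComputerName LON-CL1 | Out-Null
$main  = @(Get-NetIPsecMainModeSA)
$quick = @(Get-NetIPsecQuickModeSA)
"Main Mode SAs:  $($main.Count)"
"Quick Mode SAs: $($quick.Count)"
$main  | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize
$quick | Format-Table LocalEndpoint, RemoteEndpoint -AutoSize   # Format-List * for all fields
```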
Which of the following authentication options allows you to use a preshared key
when configuring a connection security rule?
Computer Certificate
Advanced
Lesson 4
Windows Defender
Malware might show up on your organization's computers and devices, despite your efforts to prevent it.
When this occurs, you must investigate it immediately and take appropriate action. Windows 10 includes
components that can help you identify and remove malware from your environment's computers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe malware.
Understand the sources of malware.
What Is Malware?
Malicious software, or malware, is software
that attackers design to harm computer systems.
Malware can do many things, from causing
damage to the computer, to allowing
unauthorized parties remote access to the
computer, to collecting and transmitting sensitive
information to unauthorized third parties. There
are several types of malware, including:
Computer worms. Worms are a special form of malware that replicate without direct intervention.
Worms spread across networks and can infect other computers on a network, without requiring a user
to open an email attachment or file.
Trojan horses. This type of malware provides an attacker with remote access to the infected computer.
Ransomware. This type of malware encrypts user data, and you can recover your data only if you pay
a ransom to the malware authors.
Spyware. This type of malware tracks how a computer is used without the user's consent.
Point out to students that malware can infect the devices of even the most diligent people. For example,
users with good malware-avoidance habits might visit a reputable website that has been compromised
and that leverages an undisclosed exploit in popular software. These users' devices could become
infected. An example could be that the software vendor has not fixed that software because they are
unaware that the exploit exists.
Additionally, point out that no anti-malware solution has a perfect detection rate. It is possible to take all
necessary precautions and still have your devices infected. Taking precautions only reduces the probability
that a person's device will be compromised by malware. It does not eliminate that possibility.
Alert levels help you determine how to respond to spyware and unwanted software. You can configure
Windows Defender behavior when a scan identifies unwanted software. You also receive an alert if
software attempts to change important Windows operating system settings.
To help prevent spyware and other unwanted software from running on a computer, turn on Windows
Defender real-time protection.
Windows Defender includes automatic scanning options that provide regular scanning and on-demand
scanning for malware. The following table identifies scanning options.
Scan type  Description
Quick      Checks the areas that malware, including viruses, spyware, and unwanted software, is most likely to infect.
Full       Checks all files on your hard disk and all running programs.
As a best practice, you should schedule a daily Quick scan. At any time, if you suspect that spyware has
infected a computer, run a Full scan. When you run a scan, the progress displays on the Windows
Defender Home page. When Windows Defender detects a potentially harmful file, it moves the file to a
quarantine area, and it does not allow it to run or allow other processes to access it. Once the scan is
complete, you can remove or restore quarantined items and maintain the Allowed list. A list of
quarantined items is available from the Settings page. Click View to see all items. Review each item, and
then individually Remove or Restore each. Alternatively, if you want to remove all quarantined items, click
Remove All.
Note: Do not restore software with severe or high alert ratings because it can put your
privacy and your computer's security at risk.
If you trust detected software, stop Windows Defender from alerting you to risks that the software might
pose by adding it to the Allowed list. If you decide to monitor the software later, remove it from the
Allowed list.
The next time Windows Defender alerts you about software that you want to include in the Allowed list,
you can perform the following steps. In the Alert dialog box, on the Action menu, click Allow, and then
click Apply actions. Review and remove software that you have allowed from the Excluded files and
locations list on the Settings page.
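The same Windows Defender configuration done from Windows PowerShell with the Defender module (real-time protection, the recommended daily Quick scan, an on-demand scan, and a severity-rated review of detections and exclusions), as an added example that is not part of the course material. The 02:00 scan time and the exclusion path C:\BuildOutput\Trusted are assumptions.

```powershell
# Added example (not from the course): Windows Defender managed with the
# Defender module cmdlets. Scan time and exclusion path are assumed.
#Requires -RunAsAdministrator

# 1. Real-time protection on, and a Quick scan every day at 02:00 local time
#    (ScanParameters 1 = Quick, 2 = Full).
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -ScanScheduleDay Everyday `
                 -ScanScheduleQuickScanTime 02:00:00 `
                 -ScanParameters 1

# 2. Confirm what is in effect on this computer.
Get-MpComputerStatus |
    Format-List RealTimeProtectionEnabled, AntivirusSignatureLastUpdated,
                QuickScanStartTime, QuickScanEndTime

# 3. On-demand scans: Quick as the routine, Full when an infection is suspected.
Start-MpScan -ScanType QuickScan
# Start-MpScan -ScanType FullScan

# 4. Review detections with their alert level. SeverityID values reported by
#    Defender: 1 Low, 2 Moderate, 4 High, 5 Severe. Items rated High or Severe
#    should stay quarantined rather than be restored.
$severityName = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }
Get-MpThreat | ForEach-Object {
    [pscustomobject]@{
        ThreatName = $_.ThreatName
        SeverityID = [int]$_.SeverityID
        Severity   = $severityName[[int]$_.SeverityID]
        Active     = $_.IsActive
        Resources  = ($_.Resources -join '; ')
    }
} | Sort-Object SeverityID -Descending | Format-Table -AutoSize

# Per-detection history: when it was found, by which process, and whether the
# remediation action succeeded (the History tab in the UI).
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ProcessName, Resources, ActionSuccess |
    Sort-Object InitialDetectionTime -Descending | Format-Table -AutoSize

# 5. Remove all active threats instead of restoring them.
Remove-MpThreat

# 6. The Allowed-list equivalent is an exclusion. Anything under an excluded
#    path is never scanned, so review this list regularly and keep it short.
Add-MpPreference -ExclusionPath 'C:\BuildOutput\Trusted'   # assumed path
(Get-MpPreference).ExclusionPath
```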
Demonstration Steps
1. On LON-CL1, open Control Panel, and then open Windows Defender.
2. On the Home page, perform a Quick scan, and then review the results.
6. In the sample.txt file, delete both instances of <remove>, including the brackets and any extra lines
or blank spaces.
7. Save and close the file. Immediately, Windows Defender detects a potential threat.
10. On the History tab, click View Details, and then review the results.
A. Datum Corporation uses many outside consultants. The enterprise's management has a concern that if
consultants were on the company network, they might be able to connect to unauthorized computers.
You are planning to use Windows Defender to check for malware every day. You also want to ensure that
Windows Defender will quarantine any files that it considers a severe risk to your system's security.
Objectives
After completing this lab, you will be able to:
Create and test an inbound firewall rule.
Lab Setup
Estimated Time: 55 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, 20697-1B-LON-CL2
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
2. Open the Search box, and then run mstsc to start a Remote Desktop Connection.
Results: After completing this exercise, you will have created and verified inbound firewall rules.
2. Open the Start menu, and then run mstsc to start Remote Desktop Connection.
3. Connect to LON-DC1, and then sign in as Adatum\Administrator.
4. Modify the scope so that the rule only applies to the remote IP address 172.16.0.10.
Results: After completing this exercise, you will have created and tested outbound firewall rules.
2. Ping LON-CL1.
3. Open Control Panel, open Windows Firewall, and then open the Advanced settings.
Get-NetIPsecMainModeSA
6. To examine the Quick Mode Security Associations, at the Windows PowerShell command prompt,
type the following cmdlet, and then press Enter:
Get-NetIPsecQuickModeSA
2. Create a connection security rule that allows traffic on LON-CL1 with the following settings:
o Rule: Isolation
o Requirements: Require authentication for inbound connections and request authentication
for outbound connections
3. On LON-CL2, open Control Panel, open Windows Firewall, and then open Windows Firewall with
Advanced Security.
4. Create a connection security rule that allows traffic on LON-CL1 with the following settings:
o Rule: Isolation
o Requirements: Require authentication for inbound connections and request authentication
for outbound connections
2. Open Control Panel, open Windows Firewall, and then open the Advanced settings.
4. Switch to LON-CL1.
5. To examine the Main Mode Security Associations, at the Windows PowerShell command prompt, type
the following cmdlet, and then press Enter:
Get-NetIPsecMainModeSA
7. To examine the Quick Mode Security Associations, at the command prompt, type the following
cmdlet, and then press Enter:
Get-NetIPsecQuickModeSA
Results: After completing this exercise, you will have created and tested connection security rules.
2. On the Home page, perform a Quick scan, and then review the results.
3. Close Windows Defender.
2. In the Mod10 folder, open sample.txt in Notepad. The sample.txt file contains a text string to test
malware detection.
3. In the sample.txt file, delete both instances of <remove>, including the brackets and any extra lines
or blank spaces.
4. Save and close the file. Immediately, Windows Defender detects a potential threat.
2. On the History tab, click View Details, and then review the results.
Results: After completing this exercise, you will have configured and tested Windows Defender.
Module 11
Troubleshooting and Recovery
Contents:
Module Overview 11-1
Module Overview
Users often do not think about troubleshooting and recovery unless they are dealing with computer
failure or outages due to natural disasters. By then, it might be too late to recover data or devices.
Therefore, it is important that you familiarize yourself with recovery and restore tools in Windows 10, and
learn how to use them. Some of these tools, such as the Previous Versions feature, are very user-friendly
and show several improvements in Windows 10. Other tools, such as Backup and Recovery (Windows 7)
tool and advanced startup tools from the recovery environment, require administrator credentials and
more experience. In this module, you will learn about file and device recovery features in Windows 10.
You will also test these features in the hands-on lab at the end of the module.
Objectives
After completing this module, you will be able to:
Describe and manage device drivers.
Lesson 1
Managing Devices and Drivers
Windows 10 uses device drivers to control and communicate with a variety of hardware devices. A device
driver is a program that communicates with a hardware device on one side and the operating system on
the other. Device drivers are a critical part of the operating system. The operating system cannot use a
device if its driver is unavailable.
Device drivers execute in the operating system kernel and have access to all system resources. Thorough
testing of device drivers is very important to ensure that they do not include malicious code. A digital
signature from a trusted authority is proof that you can safely use a device driver. The 64-bit versions of
Windows 10 enforce this requirement, and do not permit the use of drivers that a trusted authority has
not digitally signed. The 32-bit versions of Windows 10 warn users about unsigned drivers, but permit
their use.
In this lesson, you will learn about device drivers and how you can install them in Windows 10. You will
also learn more about tools for managing device drivers, particularly Device Manager, and how to use
them. Because device drivers are critical for operating system stability, you will also learn how to revert to
previous versions of device drivers by using Driver Roll Back, if a newer version of the device driver causes
problems.
Lesson Objectives
After completing this lesson, you will be able to:
Explain the use and importance of device drivers.
Driver packages
A driver package is a set of files that make up a driver. A driver package includes:
The catalog (.cat) file that contains the digital signature of the device driver.
Note: The device drivers that Windows 10 includes have a Microsoft digital signature that
indicates whether a particular driver or file is stable and reliable, has met a certain level of testing,
and has not been altered since it was digitally signed. The 32-bit versions of Windows 10 check
for a driver's digital signature during driver installation and prompt the user if the driver is
unsigned. The 64-bit versions of Windows 10 require that all drivers have a digital signature,
and do not allow you to install unsigned device drivers.
Driver store
The driver store is the Windows 10 driver package repository. Because the driver store is a trusted
location, when you connect compatible hardware, Windows 10 installs the driver for the appropriate
device automatically from the driver store. Standard users can install any device driver from the driver
store. Therefore, users can attach and use new devices without help from the IT helpdesk, if their driver
package is in the driver store. Information technology (IT) administrators can preload the driver store
with the necessary driver packages for commonly used devices. The driver store is located at
%SystemRoot%\System32\DriverStore.
Depending on the packaging of the device, you can install it in different ways. If the device driver has its
own installation program (for example, setup.exe), you run the installation program, which installs the
driver package in the driver store. If you attach a device to the computer and its device driver package is
not in the driver store, Windows 10 searches for a matching driver package in several locations. You can
customize these locations and include folders specified by the DevicePath registry entry and the Windows
Update site. If Windows 10 finds the driver package, Windows 10 first installs the driver package into the
driver store, and then installs it from the driver store to the system. You can also manually install the driver
package, by using the pnputil.exe command.
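Staging a driver package in the driver store and checking its signature first, then auditing the installed drivers and device status the way Device Manager would flag them, as an added Windows PowerShell example that is not part of the course material. The package path E:\Drivers\contoso-nic is an assumption; pnputil, Get-WindowsDriver, Win32_PnPSignedDriver and Get-PnpDevice are the standard Windows tools.

```powershell
# Added example (not from the course): stage a driver package, verify its
# catalog signature, list staged third-party packages, and audit for unsigned
# drivers and faulty devices. The package path is assumed.
#Requires -RunAsAdministrator

$PackagePath = 'E:\Drivers\contoso-nic\*.inf'   # assumed package location

# 1. Check the catalog signature before staging: the .cat file carries the
#    signature for every file the .inf lists, so a missing or invalid catalog
#    means an unsigned package (blocked on 64-bit, warned about on 32-bit).
foreach ($inf in Get-ChildItem $PackagePath) {
    $cat = Get-ChildItem -Path $inf.DirectoryName -Filter *.cat | Select-Object -First 1
    if ($cat) {
        $sig = Get-AuthenticodeSignature $cat.FullName
        '{0}: {1} ({2})' -f $cat.Name, $sig.Status, $sig.SignerCertificate.Subject
    } else {
        "$($inf.Name): no catalog file in the package (unsigned)"
    }
}

# 2. Stage the package in the driver store (same effect as pnputil -a).
pnputil /add-driver $PackagePath

# 3. Third-party packages now in the driver store (add -All to include
#    the inbox drivers that ship with Windows).
Get-WindowsDriver -Online |
    Select-Object Driver, OriginalFileName, ProviderName, ClassName, Version, Date |
    Format-Table -AutoSize

# 4. Audit: installed PnP drivers without a digital signature. On 64-bit
#    Windows 10 this list should be empty; on 32-bit it shows drivers that
#    were installed past the unsigned-driver warning.
Get-CimInstance Win32_PnPSignedDriver |
    Where-Object { -not $_.IsSigned -and $_.DriverProviderName } |
    Select-Object DeviceName, DriverProviderName, DriverVersion, InfName |
    Format-Table -AutoSize

# 5. Devices Device Manager would mark with the yellow exclamation point:
#    present devices whose status is not OK (driver missing, failed to start).
Get-PnpDevice -PresentOnly |
    Where-Object Status -ne 'OK' |
    Select-Object Status, Class, FriendlyName, InstanceId |
    Format-Table -AutoSize
```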
Note: If there are multiple driver packages available for the same device, Windows 10 uses
ranking to decide which driver to use. The ranking process includes evaluation of criteria such as:
Is the driver specific to the attached device or for a compatible set of devices?
Note: You can view the list of installed device drivers by using the driverquery.exe tool.
Question: Can you use a 32-bit device driver with the 64-bit versions of Windows 10?
Question: Can you use an unsigned device driver with a 32-bit version of Windows 10?
Device Manager
You can use Device Manager to install and update device drivers, disable or enable devices, use Driver
Roll Back, change resources that devices use, such as interrupt requests (IRQs), and troubleshoot device
problems. You can also view currently connected devices and the resources they use by device type or
by connection. Device Manager view is updated dynamically when the status of the connected devices
changes, or you can update it manually by clicking the option to scan for hardware changes.
Typing Device Manager or devmgmt.msc in the Search the web and Windows box.
View detailed properties for the connected devices. This is the data that the system obtains from the
connected device, such as device Hardware IDs, Model, and Friendly name.
Uninstall a device. Uninstall the device driver and remove the driver software from the computer.
Enable or disable devices. If you want a device to remain attached to a computer without enabling it,
you can disable the device instead of uninstalling it. Disabling a device is different from uninstalling it,
because you disable only the drivers, and the hardware configuration remains unchanged. You can
recognize disabled devices by the downward-pointing arrow next to the device icon in Device
Manager.
Update device drivers. If you have an updated driver for a device, you can use Device Manager to
update it in the driver store.
Roll back drivers. If you experience system problems after updating a driver, you can roll back to a
previous driver. By using this feature, you can reinstall the last device driver that was functioning
before the installation of the current device driver.
Device Manager shows each connected device by using an icon. The status of a device shows whether a
device has drivers installed and whether the Windows operating system is able to communicate with the
device. For example, if a device is missing the device driver, the device icon appears below the Other
devices node, and has an exclamation point (!) in a yellow triangle next to it. The device icon will also
have an exclamation point in a yellow triangle next to it, if it has some other issue, such as the device
driver not starting. If you disable the device, its icon displays a downward-pointing arrow next to it. You
can also view the status of a device by right-clicking it and then clicking Properties.
By default, Device Manager does not show hidden devices. The most common types of hidden devices are
devices that do not support Plug and Play (PnP), storage volumes, and internal network adapters. To view
hidden devices in Device Manager, click View, and then click Show hidden devices.
Note: You can only use Device Manager to manage devices on a local computer. The
remote access to the PnP remote procedure call (RPC) interface that Windows 8 included is not
available in Windows 10. As a result, you cannot use Device Manager to connect to a remote
Windows 10-based computer. If you try to use Device Manager to connect to a remote
computer, you will get an error message saying that access is denied.
Windows PowerShell
Windows 10 includes several Windows PowerShell cmdlets for managing devices.
Cmdlet Description
Question: Can you use Device Manager to manage devices on a remote Windows 10-based
computer?
Question: How does Devices and Printers display a multifunction device that you connect to
a Windows 10-based computer differently than Device Manager?
Note: The Roll Back Driver button is available only if a previous version of the driver was
updated. If the current driver for the device is the only one ever installed on the computer, the
Roll Back Driver button is grayed out and unavailable.
Windows 10 will only back up drivers that are active and functional. It will not back up inactive or
malfunctioning drivers. Driver Roll Back is available for any device except printers (Print queues). Printers
cannot use Driver Roll Back, because you cannot manage printers through Device Manager. You have to
use Devices and Printers to configure printers.
Note: If a malfunctioning driver is preventing Windows 10 from starting normally, you can
start the computer in safe mode and then use the Roll Back Driver option.
3. In the Properties dialog box, click the Drivers tab, and then click Roll Back Driver.
Note: Rolling back a driver can cause the loss of new functionality, and can reintroduce
problems that the newer version addressed.
Driver Roll Back only replaces the current device driver with the previous device driver. Therefore, it is a
nondestructive operation. Sometimes, when you install a device driver, the installation program also
modifies some other system settings. In such cases, Driver Roll Back might not resolve all the issues, and
you might have to consider System Restore, which reverts system settings, but preserves user data. As a
last resort, you can use the Reset PC option, System image recovery, or Backup and Restore (Windows 7).
System Restore
In rare cases, after you install a device or update a device driver, a computer might not start. This problem
might occur because:
The new device or driver causes conflicts with other drivers on the computer.
Sometimes, performing a driver rollback is not sufficient to recover from a computer problem. If you are
unable to recover a computer by performing a driver rollback, consider using System Restore. You can
use System Restore when you want to retain all new data and changes to existing files, but still want to
perform a restoration of the system from when it was running well. Windows 10 lets you return a
computer to the way it was at a previous point without deleting any personal files. System Restore is
reversible, because it creates an undo restore point before the restore operation starts.
Note: You can learn more about System Restore later in this module.
Question: Why is the Roll Back Driver option unavailable for some devices?
Question: Can you roll back device drivers for printers in Device Manager?
Demonstration Steps
1. In LON-CL1, use Device Manager to show the properties of the Standard PS/2 Keyboard. Look at the
Driver tab and note that the Roll Back Driver button is not available.
2. Update the driver for Standard PS/2 Keyboard with driver for PC/AT Enhanced PS/2 Keyboard
(101/102 Key).
3. Note that the dialog box is now titled PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties,
and that the Roll Back Driver button is available.
4. Roll back the driver for PC/AT Enhanced PS/2 Keyboard (101/102 Key), and do not restart the
computer.
5. Note that the dialog box is now titled Standard PS/2 Keyboard Properties, and the Roll Back
Driver option is not available, because driver rollback can go back by only one version.
pnputil -a E:\Labfiles\Mod11\dc3dh\*.inf
8. In File Explorer, note that the top folder was created when you installed the driver package. View the
contents of the folder, and note that it contains driver package files.
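The following PowerShell script is an added example, not part of the handbook or its lab files. It performs the driver-store work of the pnputil step above from the command line and records which driver a device is bound to, so that a Device Manager update or rollback can be verified afterwards. It assumes the lab package path E:\Labfiles\Mod11\dc3dh and the device name from the demonstration, and must run from an elevated PowerShell session.

```powershell
# Added example (not from the handbook): stage a driver package in the driver
# store and record which driver a device is bound to, so that an update or a
# rollback in Device Manager can be checked afterwards. Elevated session required.
# Assumed: the lab package path and the device name from the demonstration.
$PackagePath = 'E:\Labfiles\Mod11\dc3dh'
$DeviceName  = 'Standard PS/2 Keyboard'
$RecordFile  = Join-Path $env:TEMP 'driver-before.xml'

function Get-DeviceInstanceId {
    # The instance ID survives a driver change; the friendly name does not
    # (the demonstration shows it changing to "PC/AT Enhanced PS/2 Keyboard").
    param([string]$FriendlyName)
    (Get-PnpDevice -PresentOnly | Where-Object FriendlyName -eq $FriendlyName |
        Select-Object -First 1).InstanceId
}

function Get-BoundDriver {
    # Win32_PnPSignedDriver reports the driver actually bound to the device,
    # which is what the Driver tab in Device Manager displays.
    param([string]$InstanceId)
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object DeviceID -eq $InstanceId |
        Select-Object DeviceName, DriverVersion, DriverProviderName, InfName
}

function Add-DriverPackageToStore {
    # Stage every .inf in the folder without binding it to a device. The legacy
    # "-a" switch works on all Windows 10 builds; newer builds also accept /add-driver.
    param([string]$Path)
    foreach ($inf in Get-ChildItem -Path $Path -Filter *.inf -Recurse) {
        & pnputil.exe -a $inf.FullName | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "pnputil exit code $LASTEXITCODE for $($inf.FullName)"
        }
    }
}

function Get-StagedDrivers {
    # Third-party packages in the driver store (oemNN.inf entries): the same
    # list that "pnputil -e" prints, but as objects you can filter and export.
    Get-WindowsDriver -Online |
        Select-Object Driver, OriginalFileName, ClassName, ProviderName, Version, Date
}

function Save-DriverRecord {
    # Remember the current binding so a later session can compare against it.
    param([string]$InstanceId)
    Get-BoundDriver -InstanceId $InstanceId | Export-Clixml -Path $RecordFile
}

function Compare-DriverRecord {
    # Report whether the bound driver differs from the saved record.
    param([string]$InstanceId)
    $before = Import-Clixml -Path $RecordFile
    $after  = Get-BoundDriver -InstanceId $InstanceId
    [pscustomobject]@{
        Changed = ($before.DriverVersion -ne $after.DriverVersion) -or ($before.InfName -ne $after.InfName)
        Before  = "$($before.DriverVersion) ($($before.InfName))"
        After   = "$($after.DriverVersion) ($($after.InfName))"
    }
}

$id = Get-DeviceInstanceId -FriendlyName $DeviceName
Save-DriverRecord -InstanceId $id
Add-DriverPackageToStore -Path $PackagePath
Get-StagedDrivers | Format-Table -AutoSize
# After updating or rolling back the driver in Device Manager:
Compare-DriverRecord -InstanceId $id
```

Because Driver Roll Back can only step back one version, keeping the exported record lets you confirm that the device really returned to the driver it used before the update rather than to some other package in the store.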
From which tool or tools can you perform a driver rollback operation for printers?
Device Manager
Which command or Windows PowerShell cmdlet can you use to install a driver
package in the driver store of a Windows 10-based computer running in normal
mode?
Msconfig.exe
Driverquery.exe
Pnputil.exe
Add-WindowsDriver
Get-SystemDriver
Lesson 2
Recovering Files
Although you might implement a file-recovery strategy for user data that is stored on network file servers
or network-accessible storage devices, you should remember that users often save their work to local
storage. Consequently, it is important that you provide some method of local file recovery so that you
can recover these data files if users delete them accidentally or they become corrupted.
In this lesson, you will learn about file backup and recovery tools in Windows 10. If you are a long-time
Windows user, you will recognize some of these tools, such as Backup and Restore (Windows 7) or the
Previous Versions feature. Previous Versions enables users to view and recover files that they modified or
deleted by mistake. As the name suggests, the Backup and Restore (Windows 7) tool provides backup and
recovery in Windows 7, but you can also use it in Windows 10. File History is a user data protection
mechanism, which periodically copies user data to a local or network drive, and enables users to recover
files if needed.
Lesson Objectives
After completing this lesson, you will be able to:
Configure and use Backup and Restore (Windows 7) tool in Windows 10.
Describe and use the Previous Versions feature.
A user modifies a file several times but later decides that all the changes were unnecessary, and
requires the original file.
A user's data does not synchronize with the file server for a month, and during this period, someone
steals the user's laptop.
A computer stores data files and settings in several locations, and you need to ensure that you protect all
of them. Windows 10 includes several tools that can help you protect data and make backup copies of
local files. Some of these tools and features are:
Folder Redirection and Offline Files. In a domain environment, Folder Redirection redirects local
folders from the user profile to the file server. Offline Files makes a local copy of redirected files and
makes them available even when there is no network connectivity to the file server.
Work Folders. You can use Work Folders regardless of domain membership. Work Folders synchronize
user data files between the file server and user devices.
File History. After you enable File History, it automatically creates a backup of modified user files on
the local drive, removable drive, or network location. File History backs up the folders in user profiles
and libraries, and you can add additional folders to protect. By default, File History copies the
modified files in protected folders every hour, and Windows 10 keeps them indefinitely, as long as
there is enough storage space.
Backup and Restore (Windows 7). Although the name of the tool includes Windows 7, it is a part of
Windows 10. You can use this tool to create backups of individual folders, volumes, users' libraries,
and the entire computer on an additional disk, removable disk (preferably), or network location. In
the event of failure, you can use this tool to restore affected files and data.
Synchronization of user data with Microsoft OneDrive or OneDrive for Business. If your user account
is connected with a Microsoft account, or your company is using OneDrive for Business, you can
synchronize data files with the cloud and between the devices you are using.
System Image. Although it is not designed as a backup and restore solution, a system image contains
the exact copy of all the data that was on your computer when you created the system image. There
is no option to create a schedule for system image creation. You can copy system images to hard
disks, sets of DVDs, or network locations. A system image contains a virtual hard disk (.vhdx file) for
each volume of the computer for which you created the image. You can mount the virtual disk in File
Explorer, and access and restore each file individually. If you want to restore the entire system image,
you can use the System Image Recovery option from Windows Recovery Environment (Windows RE).
Wbadmin.exe. This is a command-line tool that you can use to create backups and restore backup
content.
File Explorer or robocopy.exe. You can use File Explorer or the robocopy.exe command to copy files
to other media or network locations manually.
Microsoft Azure Backup. Windows 10 does not include Azure Backup. However, if you have a
Microsoft Azure subscription, you can create a Backup Vault, download and install Azure Backup
Agent, and back up Windows 10 to Microsoft Azure.
Question: Does Windows 10 include a backup tool?
Question: What is the simplest way to recover a locally stored document that a user
accidentally deleted in Windows 10?
11-12 Troubleshooting and Recovery
File History
With File History, Windows 10 can save copies
of your files automatically to a removable local
drive or to a shared folder on a network. After
you enable File History, it periodically saves a copy
of your modified files to a designated location.
Windows 10 saves modified files every hour and
keeps file versions indefinitely by default.
However, you can configure the interval at which
saves occur and how long Windows 10 will keep
saved files.
Using the Backup option in the Update & security section in the Settings app. To access this option, in
the Settings app, click Update & security. Click Backup, and then in the Back up using File History
section, click More options.
Note: You cannot add additional folders in the File History item in the Control Panel.
Adding folders to the libraries that File History is protecting. By doing so, File History will also protect
folders that you add to one of the protected libraries. You can do this by configuring File Explorer to
show Libraries, and then modifying library properties to include additional folders.
You can modify File History settings by using the File History item in the Control Panel. You can also
modify these settings by going to the Settings app, clicking Update & security, clicking Backup, and
then in the Back up using File History section, clicking More options. You can manually start the backup
by using the File History item in the Control Panel. Alternatively, you can configure how often to perform
backups, configure how long to keep backups, specify the drive that will keep the File History backups,
and exclude folders and libraries from File History.
You can use File Explorer to revert to previous versions of files that File History is protecting. You can use
it to restore files by right-clicking the file or folder, and clicking the Previous Versions tab. You can also
navigate to the folder that contains a modified or deleted file, and then on the Home ribbon, click
History to open File History and view the recoverable files. Alternatively, you can use the Restore your
files with File History option directly, allowing you to compare modified files and restore deleted or
modified files.
Note: File History backs up protected folders into a folder hierarchy, in which the top folder
has as its name the user principal name (UPN), the first-level subfolder has as its name the name
of the computer from which it is protecting data, and the second-level subfolders are named
Configuration and Data. File History backs up the data itself into subfolders of the Data folder.
For example, the folder hierarchy for a user named Don in the Adatum.com domain from the
LON-CL1 computer will be in the following folder: [email protected]\LON-CL1\Data.
Demonstration Steps
1. In LON-CL1, in the Documents folder, create a text document named Report.txt that contains the
text This is a report.
2. Use File History to add \\LON-DC1\Backup2 as an available drive, and then turn on File History.
8. Use the File History settings app to add the C:\Data folder to the folders that File History is
backing up.
10. Use File Explorer and the Previous Versions tab of the Report.txt file to confirm that there is
one previous version. This previous version was created when you ran File History.
11. Use File Explorer and the History option to confirm that File History is now protecting the
Data folder.
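The following PowerShell script is an added example, not part of the handbook. It lists and restores the versions that File History keeps for a single file by walking the UPN\Computer\Data hierarchy described in the note above, which is the same data that populates the Previous Versions tab. It assumes the \\LON-DC1\Backup2 share and the user, computer and file names from the demonstration, that File History names saved versions "<name> (yyyy_MM_dd HH_mm_ss UTC).<ext>", and that it mirrors the source path (C:\Data\Sales.txt becomes Data\C\Data\Sales (...).txt) under the Data folder.

```powershell
# Added example (not from the handbook): list and restore versions that File
# History has saved for one file. Assumed: the share, user and computer from the
# demonstration, the version naming "<name> (yyyy_MM_dd HH_mm_ss UTC).<ext>",
# and the mirrored source path under the Data folder.
$BackupRoot   = '\\LON-DC1\Backup2'
$Upn          = '[email protected]'
$ComputerName = 'LON-CL1'

function Get-FileHistoryDataFolder {
    # Folder under which File History mirrors the parent of a protected file.
    param([string]$OriginalPath)
    $mirrored = (Split-Path -Parent $OriginalPath) -replace '^([A-Za-z]):\\', '$1\'
    Join-Path (Join-Path $BackupRoot "$Upn\$ComputerName\Data") $mirrored
}

function ConvertFrom-FileHistoryName {
    # Parse "Report (2015_10_02 13_19_29 UTC).txt" into the original name and a
    # UTC timestamp. Names that do not follow the convention are skipped.
    param([string[]]$Names)
    foreach ($n in $Names) {
        if ($n -match '^(?<base>.+) \((?<stamp>\d{4}_\d{2}_\d{2} \d{2}_\d{2}_\d{2}) UTC\)(?<ext>\.[^.]+)?$') {
            $parsed = [datetime]::ParseExact($Matches['stamp'], 'yyyy_MM_dd HH_mm_ss',
                                             [cultureinfo]::InvariantCulture)
            [pscustomobject]@{
                Original    = $Matches['base'] + $Matches['ext']
                SavedUtc    = [datetime]::SpecifyKind($parsed, [DateTimeKind]::Utc)
                VersionFile = $n
            }
        }
    }
}

function Get-FileHistoryVersions {
    # Every saved version of one protected file, oldest first, with full paths.
    param([string]$OriginalPath)
    $folder = Get-FileHistoryDataFolder -OriginalPath $OriginalPath
    $leaf   = Split-Path -Leaf $OriginalPath
    ConvertFrom-FileHistoryName -Names (Get-ChildItem -Path $folder -File).Name |
        Where-Object Original -eq $leaf |
        Sort-Object SavedUtc |
        ForEach-Object { $_.VersionFile = Join-Path $folder $_.VersionFile; $_ }
}

function Restore-FileHistoryVersion {
    # Copy a chosen version back under its original name, as the Previous
    # Versions tab does, leaving the File History copy untouched.
    param($Version, [string]$Destination)
    Copy-Item -LiteralPath $Version.VersionFile -Destination $Destination -Force
}

# Constructed sample names (not real backup content) to exercise the parser
# without access to the share.
$sample = @(
    'Report (2015_10_02 09_00_10 UTC).txt',
    'Report (2015_10_02 10_00_12 UTC).txt',
    'Sales (2015_10_02 10_00_12 UTC).txt',
    'notes.bak'
)
ConvertFrom-FileHistoryName -Names $sample | Format-Table -AutoSize

# Against the real share (requires read access to \\LON-DC1\Backup2):
# $versions = Get-FileHistoryVersions -OriginalPath 'C:\Data\Sales.txt'
# Restore-FileHistoryVersion -Version $versions[-1] -Destination 'C:\Data\Sales.txt'
```

The saved versions are ordinary files on the share, so the NTFS and share permissions on the user's UPN folder are what protect every historical copy of the user's documents; they deserve the same review as the permissions on the live data.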
Note: If you let Windows choose the data to back up, it will include only user libraries and
the system image in the backups, and will exclude volumes.
Note: You can manage the Backup and Restore (Windows 7) tool by using Control Panel,
but it gives you limited options to configure your backup schedule. If you want more granularity,
or if you want to create backups automatically multiple times per day, you should edit triggers
for the AutomaticBackup job in Task Scheduler.
The Backup and Restore (Windows 7) tool uses the Volume Shadow Copy Service when creating a backup.
It can store multiple versions of the backup on the same location. The first backup contains a backup of all
the selected data (full backup). When the tool performs the next backup, it backs up and stores only the
data that has changed since the previous backup. If only a small amount of data has changed, then the
next backup (incremental backup) will be smaller, and the tool will create it faster than the first time. You
can also use the Backup and Restore (Windows 7) tool to create a system image and system repair disk.
You can include a system image in the backup, but you can only create a system repair disk manually.
After a backup, you can restore files or folders to their original locations or to different locations. If you
performed backups multiple times, you can select from which backup to restore data. You can also
manage the space that the backup is using. The Backup and Restore (Windows 7) tool creates a restore
point each time you run a backup. The Previous Versions tab in File Explorer lists those restore points for
the data that you included in the backup.
Note: The Backup and Restore (Windows 7) tool uses virtual hard disk (.vhdx) files to store
backup data. You can view the backup data by mounting the .vhdx file in File Explorer.
Note: You can only use the Backup and Restore (Windows 7) tool to back up data that is
stored on New Technology File System (NTFS) volumes. You cannot use it to back up data that is
on file allocation table (FAT), FAT32, exFAT, or Resilient File System (ReFS) volumes.
Question: Can you use the Backup and Restore (Windows 7) tool to back up a single file
automatically in a folder with multiple documents?
Question: How can you modify the default backup schedule for the Backup and Restore
(Windows 7) tool, which performs a backup every Sunday at 7 PM, by default?
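The following PowerShell script is an added example, not part of the handbook. It answers the schedule question above from the command line: it reads and changes the AutomaticBackup task that the note earlier identifies as the place to edit triggers, runs a backup with wbadmin.exe (the command-line front end to the same backup engine), and parses the list of stored versions. It assumes the \\lon-dc1\Backup2 target and the C:\Data folder from the demonstrations and requires an elevated session; the sample wbadmin output at the end is constructed.

```powershell
# Added example (not from the handbook): manage the Backup and Restore
# (Windows 7) schedule through its scheduled task, run a backup with wbadmin,
# and parse the stored versions. Elevated session required. Assumed: the
# backup target and folder from the demonstrations.
$TaskPath = '\Microsoft\Windows\WindowsBackup\'
$TaskName = 'AutomaticBackup'
$Target   = '\\lon-dc1\Backup2'
$Include  = 'C:\Data'

function Get-BackupSchedule {
    # State, last/next run and a one-line trigger summary of the backup task.
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction Stop
    $info = Get-ScheduledTaskInfo -InputObject $task
    [pscustomobject]@{
        State       = $task.State
        LastRunTime = $info.LastRunTime
        LastResult  = $info.LastTaskResult
        NextRunTime = $info.NextRunTime
        Triggers    = ($task.Triggers | ForEach-Object {
                          '{0} from {1}' -f $_.CimClass.CimClassName, $_.StartBoundary
                      }) -join '; '
    }
}

function Set-BackupSchedule {
    # Replace the default weekly trigger (Sunday, 7 PM) with a daily trigger.
    # Control Panel cannot express more than one run per day; Task Scheduler can.
    param([string]$At = '19:00')
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    Set-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -Trigger $trigger | Out-Null
}

function Start-FolderBackup {
    # First run is a full backup; later runs store only data changed since the
    # previous one, as the text describes.
    & wbadmin.exe start backup "-backupTarget:$Target" "-include:$Include" -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin start backup failed with exit code $LASTEXITCODE" }
}

function ConvertFrom-WbadminVersions {
    # Turn the "key: value" blocks printed by "wbadmin get versions" into one
    # object per stored backup; a "Backup time:" line starts a new block.
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Backup time:\s*(.+)$') {
            if ($current) { [pscustomobject]$current }
            $current = [ordered]@{ BackupTime = $Matches[1].Trim() }
        } elseif ($current -and $line -match '^\s*Version identifier:\s*(.+)$') {
            $current['VersionId'] = $Matches[1].Trim()
        } elseif ($current -and $line -match '^\s*Can recover:\s*(.+)$') {
            $current['CanRecover'] = $Matches[1].Trim()
        }
    }
    if ($current) { [pscustomobject]$current }
}

function Get-BackupVersions {
    ConvertFrom-WbadminVersions -Lines (& wbadmin.exe get versions "-backupTarget:$Target")
}

# Constructed sample resembling wbadmin output, so the parser runs offline.
$sample = @(
    'Backup time: 10/2/2015 7:00 PM',
    'Backup target: Network Share labeled \\lon-dc1\Backup2',
    'Version identifier: 10/02/2015-19:00',
    'Can recover: File(s)',
    '',
    'Backup time: 10/3/2015 7:00 PM',
    'Backup target: Network Share labeled \\lon-dc1\Backup2',
    'Version identifier: 10/03/2015-19:00',
    'Can recover: File(s)'
)
ConvertFrom-WbadminVersions -Lines $sample | Format-Table -AutoSize

# On the lab computer: Get-BackupSchedule; Set-BackupSchedule -At '19:00'
# Start-FolderBackup; Get-BackupVersions
```

The version identifiers returned by the parser are the values that wbadmin and the Control Panel restore wizard use to pick which backup to restore from, which is how the "select from which backup to restore" step in the text is expressed on the command line.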
Previous Versions
Similar to the Backup and Restore (Windows 7)
tool, the Previous Versions tab in File Explorer
is a feature that Windows 10 reintroduced. This
feature enables users to view, restore, or revert
previous versions of files, folders, or volumes. Data
from File History or restore points populates the
Previous Versions tab. Therefore, you must
configure either File History or restore points to
be able to use the Previous Versions feature.
Until File History runs for the first time or until you create the initial backup by using the Backup and
Restore (Windows 7) tool, the Previous Versions tab for all files is empty. Data from File History
populates the Previous Versions tab only for files that File History protects. For example, you can modify
File1.txt in the Folder1 folder, but if File History is not protecting Folder1, then the Previous Versions tab
will remain empty. The Backup and Restore (Windows 7) tool works in a similar manner. It enables you to
use previous versions for any file that is on an NTFS volume and is included in the backup. For example, if
you use the Backup and Restore (Windows 7) tool to back up Folder1, only data from restore points for
Folder1 and all of its contents will populate the Previous Versions tab.
If you configure File History and use the Backup and Restore (Windows 7) tool, then data from both
sources will populate the Previous Versions tab. Each time File History runs, an additional file version
becomes available for any file that File History is protecting. When the Backup and Restore (Windows 7)
tool creates a backup, it also automatically adds an additional file version. If File History or Backup and
Restore (Windows 7) created the backup, you can revert files and folders only to the versions that are in
the backup.
Note: The Previous Versions feature is available, regardless of the file system. However, the
Backup and Restore (Windows 7) tool can only back up data from NTFS volumes. If you want to use
Previous Versions for files on the FAT file system, File History must be protecting those files.
Question: What must you configure if you want the Previous Versions tab in File Explorer
to list previous versions of files?
Question: When will the Previous Versions tab include the previous versions of a file that
the Backup and Restore (Windows 7) tool is backing up?
Demonstration Steps
1. In LON-CL1, use File Explorer to confirm that the Sales.txt file in C:\Data folder has only one
previous version. Note that it was created when File History ran in the previous demonstration.
2. Add the text Before restore point to the Sales.txt file.
3. Note that the Sales.txt file still has only one previous version.
4. Use Backup and Restore (Windows 7) to create a backup with the following settings:
o Where to save backup: \\lon-dc1\Backup2
5. Wait until backup is created. Note that the Sales.txt file now has two previous versions. Note that the
second previous version was added when the backup was created.
6. Delete the C:\Data\Sales.txt file.
7. Use the Previous Versions tab of the C:\Data folder to restore the Sales.txt file.
8. Note that the file has been restored to the original location.
9. Note that the C:\Misc\Temp.txt file does not have any previous versions. Note that this is because
the backup did not include C:\Misc.
C:\
D:\Backup
\\172.16.10.256\Share1
E:\
https://azure.microsoft.com/backup
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You can use the Backup and Restore (Windows 7) tool to back up data that
an ReFS volume is storing.
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You can use the Previous Versions feature only with files that NTFS volumes
are storing.
Lesson 3
Recovering Devices
When device failure happens, you need to recover the device. Windows 10 includes several device
recovery features, which can help you to recover the device, while leaving user data on the device intact.
You can also completely remove all the data from the device and leave it only with the default installation
of Windows 10 or with the content of system image, which you prepared in advance.
Lesson Objectives
After completing this lesson, you will be able to:
Windows 10 is a device-oriented operating system that includes several features that you can use for
device recovery:
Driver Roll Back. A nonintrusive feature that only reverts a device driver to the previous version that
the same device used. This feature is only useful in situations where driver updates cause problems,
but it is very effective.
System Protection and System Restore. When turned on, System Protection automatically creates
snapshots, called restore points, before important changes to your device happen. Such changes
could include installation of an app or application of updates. You can also create restore points
manually. Restore points enable you to revert the operating system on your device to a previous
restore point, while leaving user data intact. You can use System Restore from a functioning Windows
10 device, but you can also run System Restore from the recovery environment, as long as the device
storage is accessible.
Startup Recovery. This feature detects and automatically corrects Windows 10 startup issues. It is
invoked automatically if the system fails to start up normally three times in a row. You can also invoke
it manually from the recovery environment. This feature is nonintrusive and leaves all device data
intact, but it can repair startup problems only.
Reset this PC. This feature enables you to either keep your files and reinstall the operating system, or
remove everything from the device and then reinstall the operating system. Windows 10 provides
considerable improvements to Reset this PC, which combines the functionality of the Refresh your PC
and Reset your PC features that were available in Windows 8 and Windows 8.1. You can run the Reset
this PC feature from the recovery environment.
System Image Recovery. This feature completely replaces any data on the device, including the
operating system, settings, and user data, with the information in a system image. To be able to use
this feature, you must create the system image in advance. Unlike the Reset this PC feature, System
Image Recovery does not differentiate between operating system and user data.
Command prompt. This is a powerful but nonautomated option. You can start the command prompt
from the recovery environment and then run other built-in commands or third-party tools.
After you recover your operating system, you can restore access to your data by doing one of the
following:
Signing in to the recovered device, if you use Folder Redirection, Offline Files, or OneDrive for
Business.
Restoring the user data by using Azure Backup or the Backup and Restore (Windows 7) tool, as
explained in the previous lesson.
Question: Can you run the Reset this PC feature from a computer running Windows 10 in
the normal mode?
Question: Why would you use Startup Repair instead of System Image Recovery if the Boot
Configuration Data (BCD) store is corrupted on a Windows 10-based computer?
Installation of the app, if the app uses an installer that is System Restore-compliant.
Based on a schedule. Windows 10 includes scheduled tasks, which can trigger restore point creation.
Automatically, if you choose to use System Restore to restore to a previous restore point. In this
instance, System Restore creates a new restore point before it restores the system to a previous state.
This provides you with a recovery option should the restore operation fail or result in problems.
You can enable System Protection for each drive individually and configure disk space that the restore
points can use. System Protection maintains that space itself. System Protection compresses restore points
when storing them on a hard disk, and if System Protection is running out of space, it will automatically
delete the oldest restore points.
If you want to restore your computer to the state it was in before a certain event, you can access
System Restore from Windows 10 by opening System Protection, or from the Windows RE environment.
This means that you can restore your computer to an earlier restore point even if you cannot start
Windows 10. If you want to restore your computer to an earlier restore point from Windows RE, you
need to select a user and provide the user's password before you can use System Restore. Before restoring
the computer to an earlier state, you can scan the restore point for the affected programs and drivers;
applying the restore point can delete some programs and drivers, and restore others. If you changed the
password recently, you should create a password reset disk before using System Restore. You cannot
interrupt System Restore once it starts, and the computer restarts during the System Restore process.
Note: Windows 10 includes a System Restore scheduled task named SR, which you can
configure to create restore points automatically at scheduled intervals. By default, SR does not
have any triggers defined.
Consider the following example. You have a Windows 10 device and at time T1, you install Microsoft
Office. At time T2, you install an app that you downloaded from the web. At time T3, you decide to create
a restore point manually, because the system seems to be responding more slowly. At time T4, you decide
that the app that you downloaded from the web might be causing reduced responsiveness. You use
System Restore to revert your system to T2, to the system state before the installation of the app.
Microsoft Office, in addition to all your personal data and documents, remains intact.
Question: How can you configure Windows 10 to create restore points automatically?
Question: Can you enable System Protection on an ReFS volume?
Demonstration Steps
1. On LON-CL1, use System Properties to turn on System protection and specify a maximum disk
space usage between 5 and 10 gigabytes (GB).
2. Create a restore point named Initial settings.
4. Use Device Manager to update the driver for Microsoft Hyper-V Virtual Keyboard with a driver for
Microsoft Wireless Keyboard 700 v2.0 (106/109).
Note: Be aware that you must clear the Show compatible hardware check box to be able
to select Microsoft Wireless Keyboard 700 v2.0 (106/109).
5. In Device Manager, verify that Microsoft Wireless Keyboard 700 v2.0 (106/109) appears with an
exclamation point (!).
9. Use Device Manager to verify that Microsoft Hyper-V Virtual Keyboard is present. Microsoft
Wireless Keyboard 700 v2.0 (106/109) was removed, as you added it after creating the restore point.
10. Use System Restore to verify that an additional restore point with the description Restore
Operation and the type Undo was created.
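The following PowerShell script is an added example, not part of the handbook. It scripts the System Protection parts of the demonstration above (turn on protection, cap its disk usage, create the "Initial settings" restore point, list the restore points in order, including the Undo point that a restore operation writes) and gives the SR scheduled task from the earlier note a trigger. It assumes drive C: and the description from the steps, and must run from an elevated session.

```powershell
# Added example (not from the handbook): script the System Protection steps of
# the demonstration and show restore points as objects. Elevated session
# required. Assumed: drive C: and the "Initial settings" description.
$Drive = 'C:\'

function Enable-SystemProtection {
    # Turn on System Protection for the drive, then cap the shadow storage that
    # restore points may use (the Max Usage slider in System Properties).
    param([string]$DriveLetter, [string]$MaxSize = '10GB')
    Enable-ComputerRestore -Drive $DriveLetter
    $vol = $DriveLetter.TrimEnd('\')
    & vssadmin.exe resize shadowstorage /for=$vol /on=$vol /maxsize=$MaxSize | Out-Null
}

function New-ManualRestorePoint {
    # Windows 10 silently skips a new restore point if one was created within
    # the last 24 hours (SystemRestorePointCreationFrequency, in minutes,
    # default 1440). Setting it to 0 for a lab removes that throttle.
    param([string]$Description)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    Set-ItemProperty -Path $key -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
}

function Get-RestorePointTimeline {
    # Restore points oldest first, with the WMI datetime converted to DateTime.
    # After a restore, an additional point of type Undo appears here.
    Get-ComputerRestorePoint | ForEach-Object {
        [pscustomobject]@{
            Sequence    = $_.SequenceNumber
            Created     = $_.ConvertToDateTime($_.CreationTime)
            Description = $_.Description
            TypeCode    = $_.RestorePointType
        }
    } | Sort-Object Sequence
}

function Enable-ScheduledRestorePoints {
    # The SR task exists but has no trigger by default; give it a daily one so
    # restore points are created "based on a schedule" as the text describes.
    param([string]$At = '06:00')
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    Set-ScheduledTask -TaskPath '\Microsoft\Windows\SystemRestore\' -TaskName 'SR' -Trigger $trigger | Out-Null
}

Enable-SystemProtection -DriveLetter $Drive
New-ManualRestorePoint -Description 'Initial settings'
Enable-ScheduledRestorePoints
Get-RestorePointTimeline | Format-Table -AutoSize

# Reverting to the "Initial settings" point restarts the computer and cannot be
# interrupted, so it is left commented out:
# $seq = (Get-RestorePointTimeline | Where-Object Description -eq 'Initial settings').Sequence
# Restore-Computer -RestorePoint $seq
```

Listing the timeline before and after a restore is the scripted equivalent of step 10 in the demonstration: the Undo point is the newest entry, and its sequence number is what you would pass to Restore-Computer if the restore itself turned out to be the problem.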
If you perform any of the above steps, the computer starts in Windows RE. From Windows RE, you need to
select Troubleshooting, select Advanced options, and then select Startup Settings.
Note: In Windows 10, you cannot access advanced startup settings by pressing F8 during
the startup process, as you were able to do in older versions of Windows operating systems.
Enable debugging. By selecting the debugging mode, you can start Windows 10 in a special
troubleshooting mode. In this mode, you can monitor the behavior of device drivers and determine
whether a specific device driver is causing Windows 10 to stop unexpectedly.
Enable boot logging. When you use this mode, the Windows 10 start process creates and writes to a
file named Ntbtlog.txt. This file records the device drivers that Windows 10 installs and loads during
startup.
Enable low-resolution video. In this mode, you can start Windows 10 in a special low-resolution
mode. This mode can be necessary when you attempt to resolve incorrectly applied graphics
resolution settings.
Enable Safe Mode. In safe mode, Windows 10 can start with a minimal set of drivers, services, and
apps. You can use safe mode to disable services and apps that might be causing the Windows
operating system to stop. Computers often start in safe mode when they are unable to start normally.
Safe mode does not load network drivers, so network connectivity is not possible in safe mode.
Enable Safe Mode with Networking. Safe mode with networking is similar to safe mode, except that it
allows network connectivity.
Enable Safe Mode with Command Prompt. This version of safe mode starts with a command prompt
window rather than the Windows interface. In this mode, you can disable apps and services from the
command line if you are unable to perform this operation by using safe mode.
Disable driver signature enforcement. In this mode, you can load device drivers that do not have a
digital signature. This might be necessary when testing device drivers with a 64-bit version of
Windows 10.
Disable early launch anti-malware protection. In this mode, you can start Windows 10 without the
early launch anti-malware functionality running. This functionality might stop Windows 10 from
starting in certain circumstances, but you should disable it only after trying other options.
Disable automatic restart after failure. Use this option to stop Windows 10 from automatically
restarting after a failure occurs.
Launch recovery environment. Use this option to start Windows RE. You can use the recovery
environment to trigger the Reset this PC function.
Note: In older versions of Windows, you could use the Last Known Good Configuration
startup option to revert registry settings to the most recent version that worked correctly. The
Last Known Good Configuration startup option is not available in Windows 10.
Question: Can you access startup settings options by pressing F8 during computer startup?
Question: How can you access the Last Known Good Configuration startup option in
Windows 10?
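The following PowerShell script is an added example, not part of the handbook. It turns on the boot logging described under "Enable boot logging" without going through the Startup Settings menu, restarts into Windows RE the way Settings does, and summarises Ntbtlog.txt so that the drivers which never loaded stand out. It assumes the BOOTLOG_LOADED / BOOTLOG_NOT_LOADED line format and the per-start header line of that file; the sample log lines at the end are constructed, and contoso_kbd.sys is a placeholder name.

```powershell
# Added example (not from the handbook): enable boot logging from a running
# system and summarise %SystemRoot%\Ntbtlog.txt. Assumed: the BOOTLOG_LOADED /
# BOOTLOG_NOT_LOADED line format and the "Microsoft (R) Windows (R) Version"
# header that starts each logged boot.
function Enable-BootLogging {
    # Persist the setting in the BCD so every normal start writes the log; the
    # Startup Settings menu option applies to one start only.
    & bcdedit.exe /set '{current}' bootlog yes
}

function Restart-ToRecoveryEnvironment {
    # Same as Settings > Recovery > Restart now: boots into Windows RE, where
    # Troubleshoot > Advanced options > Startup Settings is found.
    & shutdown.exe /r /o /t 0
}

function Get-LastBootSession {
    # Ntbtlog.txt is appended to on every logged start, so only the lines after
    # the most recent header describe the current boot.
    param([string[]]$Lines)
    $start = 0
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -like 'Microsoft (R) Windows (R) Version*') { $start = $i }
    }
    $Lines[$start..($Lines.Count - 1)]
}

function Get-BootLogSummary {
    # Drivers that never loaded during the latest start. A driver that shows
    # NOT_LOADED and later LOADED in the same start was simply retried, which
    # is normal and is not reported.
    param([string[]]$Lines)
    $loaded = @{}; $failed = @{}
    foreach ($line in (Get-LastBootSession -Lines $Lines)) {
        if ($line -match '^BOOTLOG_(LOADED|NOT_LOADED)\s+(\S.*)$') {
            $drv = $Matches[2].Trim()
            if ($Matches[1] -eq 'LOADED') { $loaded[$drv] = $true } else { $failed[$drv] = $true }
        }
    }
    [pscustomobject]@{
        LoadedCount = $loaded.Count
        NeverLoaded = @($failed.Keys | Where-Object { -not $loaded.ContainsKey($_) } | Sort-Object)
    }
}

# Constructed sample covering two logged starts; contoso_kbd.sys is a placeholder.
$sample = @(
    'Microsoft (R) Windows (R) Version 10.0 (Build 10240)',
    ' 10  2 2015 08:15:32.345',
    'BOOTLOG_LOADED \SystemRoot\system32\ntoskrnl.exe',
    'BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\contoso_kbd.sys',
    'Microsoft (R) Windows (R) Version 10.0 (Build 10240)',
    ' 10  2 2015 09:40:01.120',
    'BOOTLOG_LOADED \SystemRoot\system32\ntoskrnl.exe',
    'BOOTLOG_LOADED \SystemRoot\System32\drivers\kbdclass.sys',
    'BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\kbdclass.sys',
    'BOOTLOG_NOT_LOADED \SystemRoot\System32\drivers\contoso_kbd.sys'
)
Get-BootLogSummary -Lines $sample
# On a real system, after Enable-BootLogging and a restart:
# Get-BootLogSummary -Lines (Get-Content (Join-Path $env:SystemRoot 'ntbtlog.txt'))
```

For the sample, the summary reports two loaded drivers and one driver that never loaded (the placeholder contoso_kbd.sys); kbdclass.sys is not listed because its NOT_LOADED entry is followed by a LOADED one in the same start.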
Reset this PC
Selecting this option will reinstall the Windows 10
operating system, but you can decide whether
to keep your files or remove everything. If you
select to keep your files, during Windows 10
reinstallation, Reset this PC will remove all settings
and all the apps that did not come with the
operating system, but it will keep your personal
files. Reset this PC will also preserve system
settings, such as computer name and domain membership. After the reset process, when you sign in, you
will have a list of removed apps on the desktop.
If you select to remove everything, you can choose to remove your files only or to fully clean the PC. Fully
cleaning the PC can take much longer, but it is more secure, because it fully wipes the disk and overwrites
all the content before it reinstalls Windows 10. Reset this PC will set all system settings to initial values.
You do not need Windows 10 installation media or recovery media if you want to use the Reset this PC
option, but you need to provide administrative credentials. This option will restart the computer multiple
times during the reset process.
Note: Reset this PC consolidates two options, Refresh your PC and Reset your PC, which
were available in Windows 8 and Windows 8.1.
System Restore
Windows 10 provides System Restore capabilities that you can access from the System Tools folder. If you
have a system failure or another significant problem with your computer, you can use System Restore to
return your computer to an earlier state. The primary benefit of System Restore is that it restores your
system to a workable state without reinstalling the operating system or causing data loss. Additionally, if
a computer does not start successfully, you can use System Restore by starting Windows RE from
Windows 10 media. You need to provide administrative credentials if you want to use System Restore
from Windows RE.
Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. Before you can use Startup Repair, you must provide administrative
credentials. Startup Repair detects the most common startup issues and automatically corrects them.
It performs the following functions:
Replaces or repairs disk metadata. Disk metadata consists of several components, including the boot
sector and the master boot record (MBR). If these files are missing or corrupted, the startup process
fails. If you suspect that an issue has caused the damage or deletion of these files, use Startup Repair
to check for problems with the disk metadata. Startup Repair automatically checks and, if necessary,
repairs the disk metadata. Damage to disk metadata often occurs because of unsuccessful attempts to
install multiple operating systems on a single computer. Another possible cause of metadata
corruption is a virus infection.
Repairs boot configuration settings. Windows 10 uses a configuration store that is stored in a Boot
folder on an active partition. If the boot configuration data is damaged or deleted, the operating
system fails to start. The Startup Repair tool checks and, if necessary, rebuilds BCD by scanning for
Windows installations on the local hard disks, and then storing the necessary BCD.
Resolves incompatible driver issues. Installing a new hardware device and its associated device driver
can cause the Windows operating system to start incorrectly. The Startup Repair tool performs device
driver checks as part of its analysis of your computer. If Startup Repair detects a driver problem, it
uses System Restore points to attempt a resolution by rolling back the configuration to a known
working state.
Command Prompt
Windows 10 uses the Command Prompt tool from the Windows RE tool set as its command-line interface.
The Command Prompt tool features are similar to the command prompt that is available when
Windows 10 is running normally. The Command Prompt tool performs the following functions:
Resolves problems with a service or device driver. If a computer that is running Windows 10
experiences problems with a device driver or Windows service, use the Command Prompt tool to
attempt a resolution. For example, if a device driver fails to start, use the Command Prompt tool to
install a replacement driver or disable the existing driver from the registry.
Recovers missing files. The Command Prompt tool enables you to copy missing files to your
computer's hard disk from the original source media, such as the Windows 10 installation media.
Accesses and configures BCD. Windows 10 uses a BCD store to retain information about the operating
systems that you install on the computer. You can access this information by using the BCDEdit.exe
tool at the command prompt. You also can reconfigure the store if necessary. For example, you can
reconfigure the default operating system on a dual-boot computer with the BCDEdit.exe /default id
command.
Repairs the boot sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that is running Windows 10 will fail to start successfully. You can launch the
BootRec.exe command at the command prompt to resolve problems with the disk metadata.
Runs diagnostic and troubleshooting tools. The Command Prompt tool provides access to many
programs that you can also access from Windows 10 during normal operations. These programs
include several troubleshooting and diagnostics tools, such as the Registry Editor (regedit.exe), a disk
and partition management tool (diskpart.exe), and several networking configuration tools (net.exe,
ipconfig.exe, and netcfg.exe). Another option is to load Task Manager (taskmgr.exe), which you can
use to determine which programs and services are running currently.
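The bcdedit and bootrec commands above are typed one at a time. As an added example that is not part of the course text or of any Microsoft tool, the following PowerShell wraps bcdedit.exe so that the BCD store can be read as objects and the default entry changed only after the identifier is checked against the loader entries that actually exist. It assumes powershell.exe is available in the recovery environment (Windows 10's winre.wim includes it; type powershell at the X:\Sources prompt) and that bcdedit without /store shows the installed system's store; the sample output at the end is constructed for illustration, not captured from a real machine.

```powershell
# Added example, not part of the course text: wraps bcdedit.exe so the BCD store
# can be read as objects and the default entry changed only after the identifier
# is checked against the loader entries that exist. Assumes powershell.exe is
# available in WinRE (Windows 10's winre.wim includes it: type "powershell" at the
# X:\Sources prompt) and that bcdedit without /store shows the installed system's
# store. The sample output at the end is constructed for illustration.

function ConvertFrom-BcdEdit {
    # Parse "bcdedit /enum" text. An entry starts with a title line such as
    # "Windows Boot Loader" (single spaces only), then a dashed line, then
    # "name<2+ spaces>value" rows; multi-value rows continue on indented lines.
    param([Parameter(Mandatory)][string[]]$Lines)
    $entries = @(); $entry = $null; $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^[A-Za-z]+( [A-Za-z]+)*$') {
            if ($entry) { $entries += [pscustomobject]$entry }
            $entry = [ordered]@{ Type = $line.Trim() }; $lastKey = $null
        }
        elseif ($entry -and $line -match '^(\S+)\s{2,}(\S.*)$') {
            $lastKey = $Matches[1]; $entry[$lastKey] = $Matches[2].Trim()
        }
        elseif ($lastKey -and $line -match '^\s+(\S.*)$') {
            $entry[$lastKey] += ' ' + $Matches[1].Trim()
        }
    }
    if ($entry) { $entries += [pscustomobject]$entry }
    return $entries
}

function Get-BcdEntry {
    # Live query. -Store points bcdedit at another BCD file, for example one on
    # a mounted disk, instead of the system store.
    param([string]$Store)
    $out = if ($Store) { bcdedit /store $Store /enum } else { bcdedit /enum }
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
    ConvertFrom-BcdEdit -Lines $out
}

function Set-BcdDefault {
    # The "bcdedit /default {id}" command from the text, refusing identifiers
    # that do not name an existing Windows Boot Loader entry.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identifier)
    $loaders = @(Get-BcdEntry | Where-Object Type -eq 'Windows Boot Loader')
    if ($Identifier -notin $loaders.identifier) {
        throw "No Windows Boot Loader entry has identifier $Identifier"
    }
    if ($PSCmdlet.ShouldProcess($Identifier, 'bcdedit /default')) {
        bcdedit /default $Identifier | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'bcdedit /default failed' }
    }
}

# Constructed sample (not captured from a real machine) to exercise the parser.
$sample = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {9f2b4b7e-0000-4000-8000-000000000001}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 10
osdevice                partition=C:
systemroot              \Windows

Windows Boot Loader
-------------------
identifier              {9f2b4b7e-0000-4000-8000-000000000001}
device                  partition=D:
path                    \Windows\system32\winload.exe
description             Windows 10 (second installation)
'@ -split "`r?`n"

$parsed = ConvertFrom-BcdEdit -Lines $sample
$parsed | Where-Object Type -eq 'Windows Boot Loader' |
    Format-Table identifier, description, device, path -AutoSize
# Before changing the default, check that every loader's path is winload.exe
# (BIOS) or winload.efi (UEFI) under \Windows and that device/osdevice point at
# the volume you expect; drive letters inside WinRE can differ from the letters
# the installed Windows uses.
# Live use:  Set-BcdDefault -Identifier '{9f2b4b7e-0000-4000-8000-000000000001}' -WhatIf
```

Run the live calls with -WhatIf first. The parser is deliberately strict about the two-space separator so that a description containing spaces (such as "Windows Boot Manager") is never mistaken for a new entry title.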
Question: Can you use System Image Recovery without any previous preparation?
Question: What are the options for the Reset this PC tool?
Demonstration Steps
1. In LON-CL1, view local services and note that more than 75 services are running.
5. Sign in as Adatum\Administrator with the password Pa$$w0rd. Note that the words Safe Mode
appear in all four corners of the desktop.
6. Note that Device Manager cannot show device status when it is running in safe mode. Note that you
can still update or uninstall drivers while running in safe mode.
7. Try to use the Search the web and Windows box. Confirm that you cannot search because the
computer is running in safe mode.
8. Use Computer Management to verify that fewer than 30 services are running in safe mode.
9. On 20697-1B-LON-CL1, mount the Windows 10 installation DVD from C:\Program Files\Microsoft
Learning\20697-1\Drives\Win10Ent_Eval.iso, and then start the virtual machine. If virtual
machines are extracted to a different drive than C:, use that drive letter instead of C:.
10. Initialize setup from the DVD, and then click Repair your computer.
11. Click Troubleshoot from the available options, and then click Advanced options.
12. Note that only the Startup Settings option is not available when you started the recovery
environment from DVD media.
13. Note that you can run and use System Restore, even if you started the computer from the
Windows 10 installation media.
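The service counts in the safe mode steps above (more than 75 running normally, fewer than 30 in safe mode) come from the SafeBoot allow list in the registry. The following PowerShell is an added example, not part of the course, that reports the boot mode and compares the running services with that list: under a normal start it shows which of the running services would not be started in safe mode, and under safe mode it confirms that only allow-listed services are running. It assumes the standard Windows 10 registry layout and an elevated session.

```powershell
# Added example, not part of the course: report the boot mode and compare the
# running services with the SafeBoot allow list. Assumes the standard Windows 10
# registry layout and an elevated PowerShell session.

function Get-SafeBootMode {
    # The kernel sets SAFEBOOT_OPTION to Minimal or Network during a safe mode
    # start; the variable is absent during a normal start.
    if ([string]::IsNullOrEmpty($env:SAFEBOOT_OPTION)) { return 'Normal' }
    return $env:SAFEBOOT_OPTION
}

function Get-SafeBootAllowedService {
    # Each subkey of SafeBoot\<Mode> names a service, a driver group or a device
    # class; the subkey's default value says which ("Service", "Driver Group",
    # or the class description).
    param([ValidateSet('Minimal', 'Network')][string]$Mode = 'Minimal')
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Mode"
    Get-ChildItem -Path $key | ForEach-Object {
        [pscustomobject]@{ Name = $_.PSChildName; Kind = $_.GetValue('') }
    }
}

function Compare-RunningServiceToSafeBoot {
    # One row per running service, flagged if it is not in the allow list.
    param([ValidateSet('Minimal', 'Network')][string]$Mode = 'Minimal')
    $allowed = @(Get-SafeBootAllowedService -Mode $Mode |
                 Where-Object Kind -eq 'Service' | ForEach-Object Name)
    Get-Service | Where-Object Status -eq 'Running' | ForEach-Object {
        [pscustomobject]@{
            Service     = $_.Name
            DisplayName = $_.DisplayName
            InSafeBoot  = $allowed -contains $_.Name
        }
    }
}

$mode     = Get-SafeBootMode
$listMode = if ($mode -eq 'Network') { 'Network' } else { 'Minimal' }
$report   = @(Compare-RunningServiceToSafeBoot -Mode $listMode)
$inList   = @($report | Where-Object InSafeBoot).Count
"Boot mode: $mode. Running services: $($report.Count), of which $inList are in the SafeBoot\$listMode list."
# Under a normal start this is the list of services safe mode would leave stopped.
$report | Where-Object { -not $_.InSafeBoot } | Sort-Object Service | Format-Table -AutoSize
```

A service that is running in safe mode but absent from the list deserves a look, since the Service Control Manager only starts services that the list names; the comparison is by service name, which PowerShell's -contains matches case-insensitively.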
data loss and would take considerably longer. The order in which you should use device recovery
methods depends on the specific situation, but as a rule of thumb, you should consider them in the
following order:
1. Startup Repair. If the hardware is functional, but the device does not start, you should consider the
Startup Repair option from the recovery environment. This option is quite fast, and will automatically
detect and fix most common startup issues, while leaving all the user data intact. The device can
restart several times during the process.
2. Driver Roll Back. If an updated device driver causes an issue, Driver Roll Back is the best option. You
can access this option from Device Manager, whether you are in normal mode in Windows 10 or in
safe mode. This option leaves the data intact. It can only fix issues related to device drivers.
3. Safe Mode. This advanced startup mode starts Windows 10 by starting only basic services and using
basic device drivers. You can use it to replace missing or damaged system files manually or to
perform diagnostics and configuration changes that are not possible when Windows 10 is running
in normal mode. You can also use System Restore and Driver Roll Back from safe mode. You can also
use safe mode by selecting Safe Mode with Networking or Safe Mode with Command Prompt.
4. System Restore. If System Protection is enabled and it has created restore points, you can use System
Restore to revert system settings to an earlier restore point. You can use System Restore from
Windows 10 running in the normal mode, from safe mode, or from the recovery environment. This
operation is nondestructive, because it leaves user data intact.
5. Command Prompt. This advanced startup option is not automated and it is suitable for experienced
users. You can use it to perform diagnostics and repairs that are not possible while the installed
system is running. For example, you can use the command prompt to scan the offline system for
rootkits, replace damaged system files, change the start type of services, and run third-party tools.
This option is generally not destructive, but it can be, depending on the commands that you run.
6. Reset this PC. If you select this option from the recovery environment, keep in mind that it will
remove apps that are not part of Windows 10, and reinstall the operating system. This option is faster
than it used to be, but it still takes some time. Based on the options that you select, Reset this PC
might also remove user data on the device during the reset process.
7. System Image Recovery. You can perform system image recovery only if you already have the system
image. This recovery process takes time and replaces all the data on the device with the system image
content. Files that you created or modified since you created the system image will not be available in
the system image.
Question: Can you start System Recovery only from Windows 10 running in the normal
mode?
Which of the following tools cannot preserve user data that is stored on the C drive?
Reset this PC
Startup Repair
Diskpart.exe
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
System Image Recovery is the easiest and fastest tool for repairing startup
problems in Windows 10.
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You can use System Restore even if your Windows 10-based computer has
startup problems.
Users also complain that they cannot access previous versions of the documents that they modified or
deleted by mistake. You want to show technicians how they can configure the Previous Versions feature in
Windows 10. You also want to show end users how they can use the Previous Versions feature to access
previous versions of the documents.
Lastly, you need to demonstrate to technicians how they can use the advanced startup options to
diagnose and troubleshoot a Windows 10 device.
Objectives
After completing this lab, you will have:
Lab Setup
Estimated Time: 70 minutes
Virtual machines: 20697-1B-LON-DC1, 20697-1B-LON-CL1, 20697-1B-LON-CL2
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, all virtual
machines that you will use in this lab must be running. You can start the virtual machines by completing
the following steps:
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20697-1B-LON-CL1 and 20697-1B-LON-CL2.
4. Use File Explorer to confirm that the top subfolder in FileRepository was created when you
installed the driver package.
5. Review the content of the top subfolder in FileRepository, and confirm that it contains the same files
as the driver package that you added to the driver store.
2. Update the driver for Standard PS/2 Keyboard with the driver for Microsoft USB Internet Keyboard,
and then restart the computer.
Note: To be able to select Microsoft USB Internet Keyboard, you must clear the Show
compatible hardware check box.
2. Try to open Notepad and type your name to verify if the keyboard is still working.
5. Try to type your name again in Notepad, to confirm that the keyboard is no longer working in
LON-CL1.
6. Verify that the Roll Back Driver option is available for Microsoft USB Internet Keyboard, and then
perform Driver Roll Back for that device.
7. Confirm that the Roll Back Driver option is no longer available for Standard PS/2 Keyboard, as driver
rollback can go back by only one version.
8. Type your name in Notepad to confirm that the keyboard is working again.
Results: After completing this exercise, you will have added a driver package to the driver store, and used
Device Manager to update and roll back the driver.
6. Use the Report.txt File History window to navigate to Home File History. Review the folders and
libraries that File History is protecting, and then confirm that File History is not protecting the Data
folder or the Reports folder.
2. Verify that there are no previous versions available on the Previous Versions tab of the
C:\Data\Sales.txt file.
3. Add the C:\Data folder to the Documents library. As File History protects the Documents library,
it will also protect the Data folder.
4. Verify that there are no previous versions available on the Previous Versions tab of the
C:\Reports\Report.txt file.
5. Use the File History settings app to add the C:\Reports folder to the folders that File History
backs up.
6. Run File History.
7. Verify that now there is one previous version of the C:\Reports\Report.txt file listed on the Previous
Versions tab.
8. Verify that now there is one previous version of the C:\Data folder listed on the Previous Versions
tab and that you can restore the previous version either to the original location or to a custom
location.
9. Open the previous version of the C:\Data folder in File History and use it to verify that File History is
now protecting the Data and Reports folders.
10. Navigate to C:\ - File History and view all files and libraries that File History is protecting.
Results: After completing this exercise, you will have configured and used File History. You should have
also added additional folders for File History to protect.
3. Verify that the Sales.txt file still has only one previous version.
4. Use Backup and Restore (Windows 7) to create a backup with the following settings:
o Where to save backup: \\lon-dc1\Backup2
o Clear the Include a system image of drives: System Reserved, (C:) check box
3. Use the Previous Versions tab of the C:\Data folder to restore the Sales.txt file.
4. Verify that the Sales.txt file has been restored to the original location.
5. Verify that the C:\Misc\Temp.txt file does not have any previous versions available, as the backup
did not include the C:\Misc folder.
Results: After completing this exercise, you will have configured and performed initial backup by using
the Backup and Restore (Windows 7) tool. You should also have recovered deleted files by using the
previous versions of those files from restore points.
3. Install XML Notepad from the E:\Labfiles\Mod11 folder, and then verify that the XML Notepad 2007
shortcut appears on the desktop.
5. Use Device Manager to update the driver for Standard PS/2 Keyboard with a driver for PC/AT
Enhanced PS/2 Keyboard (101/102-Key), and do not restart the computer.
4. Verify that My document.txt is still on the desktop and that the XML Notepad 2007 shortcut is no
longer present on the desktop.
5. Use Device Manager to verify that Standard PS/2 Keyboard is present. PC/AT Enhanced PS/2
Keyboard (101/102-Key) was removed, as you added it after creating the restore point.
6. Use System Restore to verify that an additional restore point with the description Restore
Operation and the type Undo was created.
Results: After completing this exercise, you will have used System Restore to revert the computer to an
earlier restore point, and explored the effects of applying the restore point.
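The exercise above creates a restore point, makes changes, reverts, and then looks for the Undo point. As an added example that is not part of the lab, the following PowerShell does the same workflow with the built-in System Restore cmdlets. It assumes Windows 10 with System Protection available for C: and an elevated session; the description text and sequence number are arbitrary.

```powershell
# Added example, not part of the lab: the restore-point workflow of the exercise
# above done from PowerShell with the built-in cmdlets. Assumes Windows 10,
# System Protection available for C:, and an elevated session.

function Enable-SystemProtection {
    # Same effect as turning on System Protection for the drive in the UI.
    param([string]$Drive = 'C:\')
    Enable-ComputerRestore -Drive $Drive
}

function New-PreChangeRestorePoint {
    # Take a checkpoint before a risky change such as the keyboard driver update.
    # Windows creates at most one restore point per 24 hours unless the
    # SystemRestorePointCreationFrequency policy is lowered, so report whether
    # a point actually appeared rather than assume it did.
    param([Parameter(Mandatory)][string]$Description)
    $before = @(Get-ComputerRestorePoint | ForEach-Object SequenceNumber)
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    $new = Get-ComputerRestorePoint | Where-Object { $before -notcontains $_.SequenceNumber }
    if (-not $new) { Write-Warning 'No new restore point was created (frequency limit?)' }
    return $new
}

$RestorePointTypeName = @{
    # Values documented for Win32_SystemRestore; other values (for example the
    # "Undo" point that a restore operation leaves behind) are shown as numbers.
    0 = 'APPLICATION_INSTALL'; 1 = 'APPLICATION_UNINSTALL'
    10 = 'DEVICE_DRIVER_INSTALL'; 12 = 'MODIFY_SETTINGS'; 13 = 'CANCELLED_OPERATION'
}

function Get-RestorePointReport {
    # Same columns as the System Restore wizard: number, time, description, type.
    Get-ComputerRestorePoint | ForEach-Object {
        $t = [int]$_.RestorePointType   # WMI returns UInt32; cast so the hashtable lookup matches
        [pscustomobject]@{
            SequenceNumber = $_.SequenceNumber
            Created        = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
            Description    = $_.Description
            Type           = if ($RestorePointTypeName.ContainsKey($t)) { $RestorePointTypeName[$t] } else { $t }
        }
    }
}

function Invoke-SystemRestore {
    # Roll back to a chosen point. Windows restarts to apply it, and the
    # rollback itself leaves an Undo point so that it can be reversed.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][int]$SequenceNumber)
    $point = Get-ComputerRestorePoint -RestorePoint $SequenceNumber -ErrorAction SilentlyContinue
    if (-not $point) { throw "No restore point with sequence number $SequenceNumber" }
    if ($PSCmdlet.ShouldProcess($point.Description, 'Restore-Computer')) {
        Restore-Computer -RestorePoint $SequenceNumber -Confirm:$false
    }
}

# Typical sequence for the exercise (the sequence number is whatever the report shows):
# Enable-SystemProtection
# New-PreChangeRestorePoint -Description 'Before keyboard driver update'
# Get-RestorePointReport | Format-Table -AutoSize
# Invoke-SystemRestore -SequenceNumber 5 -WhatIf
```

Checking that a new point really appeared is the step people skip: on a machine that already took a point today, Checkpoint-Computer returns without creating one, and a later rollback then lands on an older state than intended.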
3. Verify that the computer name is LON-CL2 and that it is a member of the Adatum.com domain.
4. Use the Reset this PC option and select the option to keep your files. Use Pa$$w0rd as the password
of the Admin account.
5. While the Reset this PC process is happening in LON-CL2, continue with the next task. You will review
the results of the reset process at the end of this lab.
4. Use Device Manager to verify that it cannot show device status when it is running in safe mode.
Verify that you can still use the Update or Uninstall drivers options while running in safe mode. You
can also perform Driver Roll Back, if a previous version of the driver exists.
5. Verify that you cannot search by typing something in the Search the web and Windows box.
6. Use Computer Management to verify how many services are running in safe mode.
2. Click Troubleshoot from the available options, and then click Advanced options.
3. Use System Restore to verify that restore points that were created can be restored when you start
the computer from DVD. Verify which programs you would affect if you restored the Restore
Operation restore point. Do not restore any restore point, and then return to the Advanced options
screen.
4. Use the Command Prompt option to run the following commands to view the startup environment:
o Bcdedit
o Diskpart
5. In Diskpart, type the following commands to view information about disks and volumes installed on
LON-CL1:
o List disk
o List volume
Note: You can perform this task only after Reset this PC on LON-CL2 has finished. If the
Reset operation on LON-CL2 is not yet complete, the instructor may start with the lecture. You
can perform this task and the next before the lab in Module 12.
2. Confirm that initial sign-in takes some time, as Windows 10 is setting up your apps.
3. Verify that the Report document that you created earlier is still on the desktop.
4. Verify that after the Reset this PC operation, the computer obtained its IP address from the DHCP
server and that it is no longer using the IP address 172.16.0.41.
5. Verify that the computer name remains LON-CL2 and that the computer is a member of the
Adatum.com domain.
Results: After completing this exercise, you will have used the Reset this PC option, safe mode, and
advanced startup options.
2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.
Question: Which Windows 10 features can help end users restore previous versions of their
files?
Question: Can a nonadministrative user use System Restore from the recovery environment?
Module 12
Maintaining Windows 10
Contents:
Module Overview 12-1
Module Overview
It is important to take a proactive approach to maintaining your organization's computing devices.
This approach involves keeping Windows 10 updated to help ensure the operating system's reliability.
Additionally, by monitoring your Windows devices, you can identify problems that have occurred and
respond quickly. Finally, by using performance-monitoring tools, you can optimize the performance of
your Windows 10 devices.
Objectives
After completing this module, you will be able to:
Explain how to keep Windows 10 up to date.
Lesson 1
Updating Windows
To keep computers that are running Windows 10 stable and protected, you must update them regularly
with the latest security updates and fixes. Windows Update enables you to download and install important
and recommended updates automatically, instead of visiting the Windows Update website. To utilize
Windows Update effectively, you must be aware of the configuration options that it provides, and you
must be able to guide users on how to configure these options.
Lesson Objectives
After completing this lesson, you will be able to:
Explain the Group Policy Object (GPO) settings available for configuring Windows Update.
Configure Windows Update.
Describe how to use Windows Server Update Services (WSUS) to provide updates to Windows 10.
Current branch for business. This servicing option makes feature updates available approximately four
months after Microsoft publishes them, which gives IT staff at organizations the time to test and
evaluate feature updates before applying them to devices. This servicing option is not available for
the Home edition of Windows 10.
Long-term servicing branch. This servicing option enables long-term deployment of selected
Windows 10 releases with minimal feature updating. This option is for low-change environments,
and it is available only on the Enterprise Long Term Servicing Branch edition of Windows 10.
Note: Microsoft delivers servicing updates when they become available, across all servicing
options, just as they are today for other Windows versions.
You can use a number of different methods and technologies to apply updates to Windows 10.
Windows Update
Windows Update is a service that provides software updates that keep your computer up to date and
protected. In the Settings app, in Update & security, on the Windows Update tab, you can view the
updates that are available for your Windows 10 device. Under Advanced options, you can configure
how Windows Update downloads and installs updates for your computer.
Generally, you should configure computers that are running Windows 10 to download and install updates
automatically to ensure that the computer has the most up-to-date and protected configuration possible.
Windows Update also can deliver non-Microsoft software components, such as device drivers.
System Center 2012 R2 Configuration Manager. Microsoft System Center 2012 R2 Configuration
Manager performs many configuration management-based tasks in an enterprise, including update
management. You can use Configuration Manager to incorporate WSUS into your configuration
management environment, and to provide greater control over update scheduling, deployment,
and reporting. You can also use Configuration Manager to deploy non-Microsoft updates.
Microsoft Intune. Microsoft Intune is a management tool that provides central update management.
With Microsoft Intune, you can send out updates for Windows operating systems, and also non-
Microsoft updates for non-Microsoft apps. With Microsoft Intune, you can perform the following
tasks:
o Approve and deploy updates after you test them, and not immediately after Microsoft releases
them.
o Approve different updates for different computer groups.
o Uninstall updates.
o Deploy both Microsoft updates and non-Microsoft updates in the same way.
Microsoft Intune also provides reports about which updates clients require, which updates are
pending, and which updates are installed already.
Microsoft updates are available through Microsoft Intune automatically, as soon as Microsoft releases
them to Windows Update. However, with non-Microsoft updates, you must obtain and upload the
updates to Microsoft Intune cloud storage before you can approve and deploy them to client
computers.
o Notify to schedule restart. This option enables you to determine a scheduled time for a
necessary restart following the automatic application of updates.
Give me updates for other Microsoft products when I update Windows. If you have Microsoft
Office or other Microsoft products installed, selecting this option enables Windows Update to keep
those products up to date simultaneously.
Defer upgrades. Some Windows 10 editions allow you to defer upgrades to your computer. When
you defer upgrades, Windows 10 does not download or install new Windows 10 features for several
months.
Note: Deferring upgrades does not affect security updates, but it does prevent you from
getting the latest Windows features as soon as they are available.
View your update history. You can use this option to see the updates that applied, and those that
failed to apply. You can also tap Uninstall updates. This option opens the Installed Updates node
of Programs and Features in Control Panel. You can then choose to remove any undesirable updates.
Choose how updates are delivered. Windows Update enables you to obtain updates from more
than one place. By default, the Updates from more than one place option is enabled. This setting
means that Windows obtains updates from Microsoft, but also from computers on the local network
and on the Internet. The advantage of this scenario is that Windows can obtain updates more quickly.
Once one device has updates installed, other devices can obtain the same updates without needing
to download them from Microsoft. Content received from a peer is checked against the file hashes
that Windows Update publishes before it is used, so peers contribute bandwidth, not trust. You can
configure the additional sources as either:
Alternatively, you can disable the Updates from more than one place setting. Then Windows
Update will only update from the Microsoft update servers.
The first of these nodes is the Windows Update node. Open the Group Policy Management Console on a
domain controller, and then navigate to Computer Configuration/Administrative Templates
/Windows Components/Windows Update. You can configure the following settings:
Configure Automatic Updates
This policy setting specifies whether the computer will receive security updates and other important
downloads through the Windows automatic updating service.
This setting lets you specify whether to enable automatic updates on your computer. If you enable
this setting, you must select one of the four options in the Group Policy setting:
2 = Notify for download and notify for install. When Windows finds updates that apply to your
computer, an icon displays in the status area, with a message that updates are ready for download.
Clicking the icon or the message provides the option to select the specific updates that you want
to download. Windows then downloads your selected updates in the background. When the
download completes, the icon displays in the status area again, with a notification that the
updates are ready for installation. Clicking the icon or message provides the option to select
which updates to install.
3 = Auto download and notify for install. Windows downloads the updates that apply to your
computer in the background. When the download completes, the icon displays in the status area,
with a notification that the updates are ready for installation. Clicking the icon or message
provides the option to select which updates to install.
4 = Auto download and schedule the install. Windows downloads the updates that apply to your
computer and installs them on the schedule that you specify in the setting. If any of the updates
require a restart to complete the installation, the Windows operating system will restart the
computer automatically. If a user is signed in to the computer when the Windows operating
system is ready to restart, it will notify the user and give the option to delay the restart.
5 = Allow local admin to choose setting. Local administrators can use the Windows Update settings
to select a configuration option of their choice.
To use the Configure Automatic Updates setting, click Enabled, and then select one of the options (2,
3, 4, or 5). If you select 4, you can set a recurring schedule. If you do not specify a schedule, all
installations will occur every day at 03:00.
If you set the status to Enabled, Windows recognizes when the computer is online, and then uses its
Internet connection to search Windows Update for updates that apply to your computer.
If you set the status to Disabled, you must manually download and install any updates that are
available on Windows Update.
If you set the status to Not Configured, the use of Automatic Updates is not specified at the Group
Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
Specify intranet Microsoft update service location
This setting specifies an intranet server to host updates from Microsoft Update. You can then use this
update service to update your network's computers automatically.
This setting lets you specify a server on your network to function as an internal update service. The
Automatic Updates client will search this service for updates that apply to the computers on your
network.
To use this setting, you must set two server name values:
o Server from which the Automatic Updates client detects and downloads updates
o Server to which updated computers upload statistics (usually the same server)
If you set the status to Enabled, the Automatic Updates client connects to the specified intranet
location, instead of Windows Update, to search for and download updates. Enabling this setting
means that end users in your organization do not have to go through a firewall to get updates, and
it gives you the opportunity to test updates before deploying them. Specify both values as https://
URLs. With an http:// URL, the client cannot verify that it is talking to your server, so anyone who can
intercept traffic on the path to it can pose as the update server.
If you set the status to Disabled or Not Configured, and if Automatic Updates is not disabled by
policy or user preference, the Automatic Updates client connects directly to the Windows Update site
on the Internet.
Note: The preceding settings do not have an obvious effect on the user interface, because
in Windows 10, these options are not visible in the ADVANCED OPTIONS pane of Windows
Update. They are visible in Windows 8.1. However, these settings do affect the way in which
Windows Update delivers updates.
Defer Upgrade
If you enable this policy setting, in Windows 10 Pro and Windows 10 Enterprise editions, you can
defer upgrades until the next upgrade period (at least a few months).
If you do not enable this policy, you will receive upgrades as they become available, and Windows
Update will then install them as part of your update policies.
In addition to the Windows Update node, you also can configure update settings in Computer
Configuration/Administrative Templates/Windows Components/Data Collection and Preview
Builds. You can configure the following settings:
Toggle user control over Insider builds
This policy setting determines whether users can access the Insider build controls in the Advanced
Options for Windows Update. These controls are located under Get Insider builds, and enable users to
make their devices available for downloading and installing Windows preview software.
If you enable or do not configure this policy setting, users can download and install Windows preview
software on their devices.
If you disable this policy setting, the Get Insider builds item will be unavailable.
Allow Telemetry
This policy setting determines the amount of diagnostic and usage data reported to Microsoft. A
value of 0 indicates that operating system (OS) components will send no telemetry data to Microsoft.
Setting a value of 0 is applicable for enterprise and server devices only. Setting a value of 0 for other
devices is equivalent to choosing a value of 1. A value of 1 sends only a limited amount of diagnostic
and usage data. Note that setting values of 0 or 1 will degrade certain experiences on the device. A
value of 2 sends enhanced diagnostic and usage data. A value of 3 sends the same data as a value of
2, plus additional diagnostics data, such as the system state at the time of a system halt or crash, and
the files and content that may have caused the problem.
If you disable or do not configure this policy setting, users can configure the Telemetry level in
Settings.
Allow Experimentation
This policy setting determines the level to which Microsoft can experiment with the product to study
user preferences or device behavior. A value of 1 permits Microsoft to configure device settings only.
A value of 2 allows Microsoft to conduct full experimentation.
If you do not configure this policy setting, users can configure the Let Microsoft try features on this
build option in Settings.
Download Mode
Set this policy to configure the use of Windows Update Delivery Optimization in downloads of
Windows apps and updates.
Available modes are: 0=disable, 1=peers on same NAT only, 2=Local Network/Private Peering (PCs in
the same domain by default), and 3= Internet Peering.
Group ID
Set this policy to specify an arbitrary group ID to which the device belongs. Use this if you need to:
o Limit the number of devices participating in peering in a domain network with many users.
o Create a single group for Local Network Peering for branches that are on different domains or
are not on the same network address translation (NAT).
Note: Group membership is a best-effort optimization, not an authentication of identity;
do not rely on it to isolate devices from one another. You must use a globally unique identifier
(GUID) as the group ID.
Max Upload Bandwidth
Set this policy to define a limit for the upload bandwidth that a device will utilize for all concurrent
upload activity via Delivery Optimization (set in kilobytes per second).
Max Cache Size
Set this policy to define the maximum cache size Delivery Optimization can utilize as a percentage of
the internal disk size.
Max Cache Age
Set this policy to define the maximum time that the Delivery Optimization cache holds each file.
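The Windows Update and Delivery Optimization policies above all land as values under HKLM\SOFTWARE\Policies\Microsoft\Windows. The following PowerShell is an added example, not part of the course, that reads those values so you can see the effective policy on a device, flags the combinations a practitioner would want to catch (a WSUS URL that is not HTTPS, Internet peering, a group ID that is not a GUID), and writes a baseline. The value names are the ones the policies themselves use; the checks and the baseline (scheduled install at 03:00, HTTPS WSUS, local-network peering) are my own choices, the WSUS host name is a placeholder, and Group Policy re-applies its own values on a domain-joined device.

```powershell
# Added example, not part of the course: reads the values that the Windows
# Update and Delivery Optimization policies above write under
# HKLM\SOFTWARE\Policies\Microsoft\Windows, flags risky combinations, and
# writes a baseline. Value names are the policies' own; the checks and the
# baseline are my choices, and Group Policy overwrites them on domain members.

$WU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AU = "$WU\AU"
$DO = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'

function Get-PolicyValue {
    # $null means "Not Configured" (the key or the value is absent).
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-UpdatePolicy {
    [pscustomobject]@{
        NoAutoUpdate         = Get-PolicyValue $AU 'NoAutoUpdate'          # 1 = policy Disabled
        AUOptions            = Get-PolicyValue $AU 'AUOptions'             # 2, 3, 4 or 5 as in the text
        ScheduledInstallDay  = Get-PolicyValue $AU 'ScheduledInstallDay'   # 0 = every day
        ScheduledInstallTime = Get-PolicyValue $AU 'ScheduledInstallTime'  # hour, 0..23
        UseWUServer          = Get-PolicyValue $AU 'UseWUServer'           # 1 = use WUServer
        WUServer             = Get-PolicyValue $WU 'WUServer'
        WUStatusServer       = Get-PolicyValue $WU 'WUStatusServer'
        DeferUpgrade         = Get-PolicyValue $WU 'DeferUpgrade'
        DODownloadMode       = Get-PolicyValue $DO 'DODownloadMode'        # 0..3 as in the text
        DOGroupId            = Get-PolicyValue $DO 'DOGroupId'
        DOMaxUploadBandwidth = Get-PolicyValue $DO 'DOMaxUploadBandwidth'  # KB/s
    }
}

function Test-UpdatePolicy {
    param([Parameter(Mandatory)]$Policy)
    $findings = @()
    if ($Policy.NoAutoUpdate -eq 1) {
        $findings += 'Automatic Updates is disabled by policy; updates must be installed by hand.'
    }
    if ($Policy.UseWUServer -eq 1) {
        if (-not $Policy.WUServer) {
            $findings += 'UseWUServer=1 but WUServer is empty: clients have no update source at all.'
        } elseif ($Policy.WUServer -notmatch '^https://') {
            $findings += "WSUS URL $($Policy.WUServer) is not HTTPS: clients cannot authenticate the server."
        }
    }
    if ($Policy.DODownloadMode -eq 3) {
        $findings += 'Delivery Optimization Internet peering (mode 3) is enabled.'
    }
    if ($Policy.DOGroupId) {
        $g = [guid]::Empty
        if (-not [guid]::TryParse([string]$Policy.DOGroupId, [ref]$g)) {
            $findings += "DOGroupId '$($Policy.DOGroupId)' is not a GUID, which the policy requires."
        }
    }
    return $findings
}

function Set-UpdatePolicyBaseline {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$WsusUrl,   # placeholder, e.g. https://wsus.adatum.com:8531
        [int]$InstallHour = 3,
        [guid]$DeliveryGroup = [guid]::NewGuid()
    )
    if ($WsusUrl -notmatch '^https://') { throw 'Use an HTTPS WSUS URL.' }
    if (-not $PSCmdlet.ShouldProcess('HKLM policy keys', 'write Windows Update baseline')) { return }
    foreach ($key in $WU, $AU, $DO) { New-Item -Path $key -Force | Out-Null }
    $values = @(
        @{ Path = $AU; Name = 'NoAutoUpdate';         Value = 0;                Type = 'DWord'  }
        @{ Path = $AU; Name = 'AUOptions';            Value = 4;                Type = 'DWord'  }
        @{ Path = $AU; Name = 'ScheduledInstallDay';  Value = 0;                Type = 'DWord'  }
        @{ Path = $AU; Name = 'ScheduledInstallTime'; Value = $InstallHour;     Type = 'DWord'  }
        @{ Path = $AU; Name = 'UseWUServer';          Value = 1;                Type = 'DWord'  }
        @{ Path = $WU; Name = 'WUServer';             Value = $WsusUrl;         Type = 'String' }
        @{ Path = $WU; Name = 'WUStatusServer';       Value = $WsusUrl;         Type = 'String' }
        @{ Path = $DO; Name = 'DODownloadMode';       Value = 2;                Type = 'DWord'  }
        @{ Path = $DO; Name = 'DOGroupId';            Value = "$DeliveryGroup"; Type = 'String' }
    )
    foreach ($v in $values) {
        New-ItemProperty -Path $v.Path -Name $v.Name -Value $v.Value -PropertyType $v.Type -Force | Out-Null
    }
}

$policy = Get-UpdatePolicy
$policy | Format-List
Test-UpdatePolicy -Policy $policy
# Set-UpdatePolicyBaseline -WsusUrl 'https://wsus.adatum.com:8531' -WhatIf
```

Get-UpdatePolicy is the check to run on a device whose Windows Update pane does not show these options (the Note in the text explains that the policies take effect even though the ADVANCED OPTIONS pane in Windows 10 does not display them).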
Demonstration Steps
Configure Windows Update manually
1. On LON-CL1, open Settings.
2. In Update & security, on the Windows Update tab, in Advanced options, configure the following
options:
o Automatic (recommended)
o Give me updates for other Microsoft products when I update Windows: Off
o Defer upgrades: Off
WSUS is a server role included in Windows Server 2012 and later versions that downloads and
distributes updates to Windows clients and servers. WSUS can obtain updates that are applicable to the
Windows operating system and common Microsoft programs, such as the Microsoft Office suite and
Microsoft SQL Server.
In the simplest configuration, a small organization can have a single WSUS server that downloads updates
from the Microsoft Update website. The WSUS server then distributes the updates to computers that you
have configured to obtain automatic updates from the WSUS server. You must approve the updates
before clients can download them.
Larger organizations can create a hierarchy of WSUS servers. In this scenario, a single centralized WSUS
server obtains updates from Microsoft Update, and other WSUS servers obtain updates from the
centralized WSUS server.
You can organize computers into groups to simplify the approval of updates. For example, you can
configure a pilot group to be the first set of computers that you use for testing updates.
WSUS can generate reports to help monitor update installation. These reports can identify which
computers have not applied recently approved updates. Based on these reports, you can investigate
why this is happening.
Assess. The goal of the assess phase is to set up a production environment that supports update
management for routine and emergency scenarios. The assess phase is an ongoing process that you
use to determine the most efficient topology for scaling the WSUS components. As your organization
changes, you might identify a need to add more WSUS servers in different locations.
Identify. During the identify phase, you identify new updates that are available, and determine
whether they are relevant to your organization. You have the option to configure WSUS to retrieve
all updates automatically, or to retrieve only specific types of updates. WSUS also identifies which
updates are relevant to registered computers.
Evaluate and plan. After you identify the relevant updates, you need to evaluate whether they work
properly in your environment. There is always the possibility that the specific combination of software
in your environment might have problems with an update.
To evaluate updates, you should have a test environment in which you can apply updates to verify
proper functionality. During this time, you might identify dependencies that an update requires to
function properly, and you can plan any changes that you need to make. You can achieve this if you
use one or more computer groups for testing purposes. For example, you may have a computer
group with client computers that run all of the operating systems and applications that are updated
by using WSUS. You can use another computer group for servers that run the different applications
and operating systems that are updated by WSUS. Before you deploy updates to the entire
organization, you can push updates to these computer groups, and then test them. Only after
making sure they work as expected should you move on to the deploy phase.
Deploy. After you have thoroughly tested an update and determined any dependencies, you can
approve it for deployment in the production network. Ideally, you should approve the update for a
pilot group of computers before approving the update for the entire organization. You also can
configure automatic approval rules in WSUS, although updates that they approve skip the evaluation step.
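The evaluate-then-deploy sequence above is usually clicked through in the WSUS console. As an added example that is not part of the course, the following PowerShell does it with the UpdateServices module that the WSUS role installs on Windows Server 2012 R2: approve needed security and critical updates for a pilot group only, report pilot machines that failed or still need updates, and promote to the whole organization only when the pilot is clean. It assumes it runs on the WSUS server as a member of the WSUS Administrators group and that a computer group named Pilot already exists (the name is an assumption; create it in the console first).

```powershell
# Added example, not part of the course: the "evaluate, then deploy" steps of
# the WSUS process above, using the UpdateServices module that the WSUS role
# installs on Windows Server 2012 R2. Run on the WSUS server as a WSUS
# Administrators member. The group name "Pilot" is an assumption.

Import-Module UpdateServices

function Approve-PilotUpdate {
    # Approve needed, not-yet-approved Critical and Security updates for the
    # pilot group only. Nothing reaches the rest of the estate until someone
    # promotes the approval after reviewing the pilot results.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$PilotGroup = 'Pilot',
        [ValidateSet('Critical', 'Security')][string[]]$Classification = @('Critical', 'Security')
    )
    $server = Get-WsusServer   # the local WSUS server
    foreach ($class in $Classification) {
        $updates = Get-WsusUpdate -UpdateServer $server -Classification $class `
                                  -Approval Unapproved -Status FailedOrNeeded
        foreach ($u in $updates) {
            if ($PSCmdlet.ShouldProcess($u.Update.Title, "Approve for group $PilotGroup")) {
                $u | Approve-WsusUpdate -Action Install -TargetGroupName $PilotGroup
            }
        }
    }
}

function Get-PilotStatus {
    # Pilot computers that failed an update or still need one: the report to
    # read before promoting. An empty result means the pilot is clean.
    param([string]$PilotGroup = 'Pilot')
    Get-WsusComputer -UpdateServer (Get-WsusServer) -ComputerTargetGroups $PilotGroup `
                     -ComputerUpdateStatus FailedOrNeeded |
        Select-Object FullDomainName, IPAddress, LastReportedStatusTime
}

function Publish-PilotApproval {
    # Promote already-approved updates to the whole organization (the built-in
    # "All Computers" group), refusing to do so while the pilot still has
    # failures or pending installs.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$TargetGroup = 'All Computers')
    if (@(Get-PilotStatus).Count -gt 0) {
        throw 'Pilot group still has failed or pending updates; fix those first.'
    }
    $updates = Get-WsusUpdate -UpdateServer (Get-WsusServer) -Approval Approved -Status FailedOrNeeded
    foreach ($u in $updates) {
        if ($PSCmdlet.ShouldProcess($u.Update.Title, "Approve for group $TargetGroup")) {
            $u | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup
        }
    }
}

# Approve-PilotUpdate -WhatIf
# Get-PilotStatus | Format-Table -AutoSize
# Publish-PilotApproval -WhatIf
```

The guard in Publish-PilotApproval is the point of the pilot phase: an approval for All Computers that goes out while pilot machines are still reporting failures turns a contained problem into an organization-wide one. Pilot machines report status on the client's detection schedule, so allow a detection cycle to pass before reading the report.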
Integration with other update tools. Windows Update for Business can coexist with other update
technologies, such as Configuration Manager or Microsoft Intune.
Note: Windows Update for Business requires Windows 10 Pro or Windows 10 Enterprise.
Windows 10 also supports a peer-to-peer delivery mechanism for updates, in which clients that receive a
particular update can serve as a source for other clients in the local network. Delivering updates this way
can be beneficial in branch offices where network bandwidth may not be as high as is desirable for quick
update delivery.
Aside from using WSUS to apply updates, what other technologies could you use to
help keep your Windows 10 devices up to date? (Choose all that apply)
Microsoft Intune
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
You can use Windows Update for Business to update all editions of Windows 10.
Lesson 2
Monitoring Windows 10
Windows 10 includes a number of tools that you can use to monitor your Windows 10 devices proactively.
Understanding how to use these tools will help you track notifications, events, and reliability issues on
your computers.
Lesson Objectives
After completing this lesson, you will be able to:
Task Manager
In Windows 10, Task Manager provides
information that can help you identify and
resolve problems with apps. Task Manager
includes the following tabs:
App history. The App history tab displays statistics and resource consumption by apps. This is useful
for identifying a specific app that is consuming excessive resources.
Startup. The Startup tab displays items that run at startup. You can choose to disable any listed
programs.
Users. The Users tab displays resource consumption on a per-user basis. You also can expand the
user view to see more detailed information about the specific processes that a user is running.
Details. The Details tab lists all the running processes on a server, providing statistics about CPU,
memory, and other resource consumption. You can use this tab to manage running processes. For
example, you can stop a process, stop a process and all related processes, or change the priority
values of processes. By changing the priority of a process, you determine the degree to which the
process can consume CPU resources. By increasing the priority, you allow the process to request more
CPU resources.
Services. The Services tab provides a list of running Windows services with related information,
including whether a service is running and the process identifier (PID) value of a running service. You
can start and stop services by using the list on the Services tab.
You also might consider using Task Manager when a performance-related problem first becomes
apparent. For example, you might examine running processes to determine if a particular program
is using excessive CPU resources. Remember that Task Manager only shows current local resource
consumption. You also might need to examine historical data to get a better understanding of a server
or computer's performance and response under load.
Event Viewer
Windows Event Viewer provides access to the
Windows 10 event logs. Event logs provide
information regarding events that occur within
Windows. These events include information,
warning, and error messages about Windows
components and installed applications.
The ability to view multiple logs. You can filter for specific events across multiple logs, making it
simple to investigate issues and troubleshoot problems that might appear in several logs.
The inclusion of customized views. You can use filtering to narrow searches to only those events in
which you are interested, and you can save these filtered views.
The ability to configure tasks scheduled to run in response to events. You can automate responses to
events. Event Viewer is integrated with Task Scheduler.
The ability to create and manage event subscriptions. You can collect events from remote computers,
and then store them locally.
Note: To collect events from remote computers, you must create an inbound rule in
Windows Firewall to permit Windows Event Log Management.
Event Viewer tracks information in several different logs. These logs provide detailed information that
includes:
A description of the event
An event ID number
Windows Logs
Event Viewer has many built-in logs, including those in the following table.
Application: This log contains errors, warnings, and informational events that pertain to the operation of applications.
Security: This log reports the results of auditing, if you enable it. Audit events are described as successful or failed, depending on the event. For instance, the log would report success or failure regarding whether a user was able to access a file.
Forwarded events: This log stores events collected from remote computers. To collect events from remote computers, you must create an event subscription.
By default, Windows log files are 20,480 kilobytes (KB) in size, and events are overwritten as needed.
Hardware Events
Internet Explorer
Key Management Service
TuneUp
Microsoft Azure
Windows PowerShell
The Applications and Services logs also contain a node called Microsoft. This contains a subnode called
Windows, which includes many nodes that contain very granular log information.
Managing logs
If you want to clear a log manually, you must sign in as a local administrator. If you want to configure
event log settings centrally, you can do so by using Group Policy. Open the Group Policy Management
Console for your selected GPO, and then navigate to Computer Configuration\Policies\Administrative
Templates\Windows Components\Event Log Service.
Custom views
Event logs contain vast amounts of data, so it can be a challenge to narrow your search to only those
events that interest you. In Windows 10, custom views enable you to query and sort only the events that
you want to analyze. You also can save, export, import, and share these custom views.
Event Viewer allows you to filter for specific events across multiple logs, and display all events that may
relate to an issue that you are investigating. To specify a filter that spans multiple logs, you need to create
a custom view.
Create custom views in the Action pane in Event Viewer. You can filter custom views based on multiple
criteria, including:
To use the event-collecting feature, you must configure the forwarding and the collecting computers. The
event-collecting functionality depends on the Windows Remote Management (WinRM) service and the
Windows Event Collector service (Wecsvc). Both of these services must be running on computers that are
participating in the forwarding and collecting process.
Enabling subscriptions
To enable subscriptions, perform the following steps:
1. On each source computer, to enable Windows Remote Management, type the following command at
an elevated command prompt, and then press Enter:
winrm quickconfig
2. On the collector computer, to enable the Windows Event Collector service, type the following
command at an elevated command prompt, and then press Enter:
wecutil qc
3. Add the computer account of the collector computer to the local Event Log Readers group on each
of the source computers.
Demonstration Steps
Explore custom views
1. On LON-CL1, open Event Viewer.
2. In Event Viewer, in the right pane, view the events that are visible within your custom view.
2. In Active Directory Users and Computers, add the collector computer, LON-CL1, as a member of the
local Administrators group.
Reliability History
Reliability Monitor reviews a computer's reliability
and problem history. You can use the Reliability
Monitor to obtain several kinds of reports and
charts to help you identify the source of reliability
issues. You can access the Reliability Monitor by
clicking View reliability history in the
Maintenance section of the Action Center.
The following section explains the main features
of the Reliability Monitor in more detail.
Software Installs
Software Uninstalls
Application Failures
Hardware Failures
Windows Failures
Miscellaneous Failures
Memory problems
Hard-disk problems
Driver problems
Application failures
Operating-system failures
Reliability Monitor is a useful tool that provides a timeline of system changes and then reports on a
system's reliability. You can use this timeline to determine whether a particular system change correlates
with the start of system instability.
If an error occurs while an app is running, Windows Error Reporting prompts the user to choose if he or
she wants to send error information to Microsoft over the Internet. If information is available that can help
a user resolve a problem, Windows displays a message to the user with a link to information about how to
resolve the issue.
You can use the Problem Reports and Solutions tool to track resolution information and to recheck and
find new solutions. You can start the Problem Reports and Solutions tool from Reliability Monitor. The
following options are available in the tool:
Save reliability history
Verify the correctness of the statement by placing a mark in the column to the right.
Statement Answer
To establish event subscriptions, at the collector computer, you must run the winrm quickconfig command to configure firewall rules.
Lesson 3
Optimizing Performance
By using the performance-monitoring tools in Windows 10, you can verify that your Windows 10 devices
are optimized. By understanding how Windows uses computer resources, such as memory and processor,
and by learning how to monitor these resources, you can ensure that your users' computers are running
smoothly and efficiently.
Lesson Objectives
After completing this lesson, you will be able to:
Performance Considerations
Decreased computer system performance is a
common source of user complaints. Performance
is a measure of how quickly a computer
completes application and system tasks.
Performance problems can occur when available
resources are lacking. Computers respond slowly
for several reasons, including disorganized files,
unnecessary software that consumes resources,
too many startup apps, or perhaps even malware
or a virus. Factors that can influence computer
system performance include:
Out-of-date or inappropriate drivers for system components and peripherals, including the graphics
subsystem.
Disk
Memory
Network
Note: Although not considered a core component, the graphics adapter and its driver can
have a significant impact on the performance of graphics-intensive apps. If your users intend to
run apps that are graphically demanding, ensure that you select a device with a powerful
graphics subsystem, and that you install the latest vendor-specific driver, rather than relying
on a generic driver.
By understanding how the operating system utilizes these four key hardware components and how
they interact, you can optimize computer workstation performance. When monitoring workstation
performance, you should consider:
The measurement of all key components in the user's workstation.
The workstation role and its workload, to determine which hardware components are likely to restrict
performance.
The ability to increase workstation performance by adding power or reducing the number of
applications that the user is running.
Processor
One important factor in determining your computer's overall processor capacity is processor speed. The
number of operations that the processor performs over a specific period determines its speed. Computers
with multiple processors or processors with multiple cores generally perform processor-intensive tasks
with greater efficiency, and as a result, are faster than single processor or single-core processor
computers.
Processor architecture is also important. 64-bit processors can access more memory and have a significant
positive effect on performance. This is true especially when applications running on your users'
workstations require a large amount of memory.
Disk
Hard disks store apps and data. Consequently, the throughput of a workstation's disk affects its speed,
especially when the workstation is performing disk-intensive tasks. Many hard disks have moving parts,
and it takes time to position the read/write heads over the appropriate disk sector to retrieve the
requested information.
Note: Most Windows 10 tablet devices use solid-state drives (SSDs), which have no moving
parts.
By selecting faster disks and by using collections of disks to optimize access times, such as Redundant
Array of Independent Disks (RAID), you can alleviate the risk of the disk subsystem creating a performance
bottleneck.
Windows 10 moves information on the disk into memory before it uses it. Therefore, if a surplus of
memory exists, the Windows 10 operating system creates a file cache for items recently written to or read
from disks. Installing additional memory in a workstation often improves the disk subsystem performance,
because accessing the cache is faster than moving the information into memory.
It is important to consider the type of work for which the user will use the device. Different work profiles
use disks in different ways. For example, some applications read from a disk more frequently than they
write to the disk (read-intensive), and therefore good read performance is important, whereas other
applications are more write-intensive.
Note: SSDs have different read and write performance profiles. Determine the workload
profile, and then attempt to match the disk's performance profile to optimize the device's
performance.
Memory
Apps and data load from disk into memory before the app manipulates the data. In devices that run
multiple apps, or where datasets are very large, you can improve device performance by installing more
memory.
Windows 10 uses a memory model that does not reject excessive memory requests. Instead, Windows 10
manages them by using a process known as paging. During paging, Windows 10 moves the data and
apps in memory that processes are not currently using to the paging file on the hard disk. This frees up
physical memory to satisfy the excessive memory requests. However, because a hard disk is comparatively
slow, it has a negative effect on device performance. By adding more memory, and by using a 64-bit
processor architecture that supports larger memory, you can reduce the need for paging.
Network
It is important not to underestimate the effects that a poorly performing network may have on
workstation performance. Network performance problems may be harder to detect or measure than
problems with other workstation components. However, the network is a critical component for
performance monitoring, because network devices store so many of the apps and data being processed.
Understanding bottlenecks
A performance bottleneck occurs when a computer is unable to service the current requests for a specific
resource. The resource might be a key component, such as a disk, memory, processor, or network.
Alternatively, the shortage of a component within an application package may cause a bottleneck.
By using performance-monitoring tools on a regular basis, and by comparing the results to your baseline
and to historical data, you can identify performance bottlenecks before they impact users.
Once you identify a bottleneck, you must decide how to remove it. Your options for removing a
bottleneck include:
A computer suffering from a severe resource shortage may stop processing user requests. This situation
requires immediate attention. However, if your computer experiences a bottleneck but still operates
within acceptable limits, you might decide to defer any changes until you resolve the situation, or until
you have an opportunity to take corrective action.
Note: As you identify and resolve a performance problem that is affecting one system
component, another component may experience issues. Therefore, performance monitoring is an
ongoing process.
Performance Monitoring
By calculating performance baselines for your
client computer environment, you can interpret
real-time monitoring information more accurately.
A baseline for a Windows 10 device's performance
indicates what your performance-monitoring
statistics look like during normal use. You can
establish a baseline by monitoring performance
statistics over a specific period. When an issue or
symptom occurs in real time, you can compare
your baseline statistics to your real-time statistics,
and then identify anomalies.
Diagnosing problems.
By collecting performance data, you can establish a baseline to use as a standard for comparison. Create a
baseline when you first configure the computer, at regular intervals of typical usage, and when you make
any changes to the computer's hardware or software configuration. If you have appropriate baselines, you
can determine the resources that are affecting your computer's performance. Windows 10 provides a
number of performance-monitoring tools that you can use to help identify performance-related issues.
Task Manager
You can use the Performance tab in Task Manager to help to identify performance problems. The
Performance tab displays a summary of CPU and memory usage, and network statistics.
Generally, you might consider using Task Manager when a performance-related problem first becomes
apparent. For example, you might examine the running processes to determine if a particular program is
using excessive CPU resources. Remember that Task Manager shows a snapshot of current resource
consumption. You may need to examine historical data to get a better understanding of a server
computer's performance and response under load.
Resource Monitor
Resource Monitor provides a snapshot of system performance. Because the four key system components
are processor, memory, disk, and network, Resource Monitor provides a summary of these four
components and a detailed tab for each. If a user's computer is running slowly, you can use Resource
Monitor to view current activity in each of the four component areas. You can then determine which of
the key components might be causing a performance bottleneck.
When the Resource Monitor first opens, the initial view is of the Overview tab. On the right side are
four graphs: CPU, Disk, Network, and Memory. You can examine these graphs, looking for excessive
peaks in CPU, Disk, Network, or Memory activity. In the main pane, you can examine details about each
component by expanding each component's information list. It lists each process that is running on the
computer, and includes information about resource consumption for each process. For example, the
number of threads and the percentage of CPU capacity in use displays for each running process.
Having determined that a particular component is causing a bottleneck, you can use the appropriate
component tab to view more information. Remember that a snapshot of current activity, which Resource
Monitor provides, tells only a partial story. For instance, you might see a peak in activity, which is not
representative of average performance.
Performance Monitor
Performance Monitor is a Microsoft Management Console (MMC) snap-in that you can use to obtain
system performance information. You can use this tool to analyze the performance effect that applications
and services have on your computer. You can also use it to obtain an overview of system performance or
collect detailed information for troubleshooting.
Monitoring Tools
Reports
Monitoring tools
Monitoring Tools contains Performance Monitor, which provides a visual display of built-in Windows
performance counters, either in real time or as historical data. Performance Monitor includes the following
features:
Performance Monitor features multiple graph views that give you a visual review of performance log data.
You can create custom views in Performance Monitor that you can export as data collector sets for use
with performance and logging features.
A data collector set organizes multiple data collection points into a single, portable component. You can
use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or
view it in Performance Monitor. You can configure a data collector set to generate alerts when it reaches
thresholds.
You also can configure a data collector set to run at a scheduled time, for a specific length of time, or until
it reaches a predefined size. For example, you can run the data collector set for 10 minutes every hour
during working hours to create a performance baseline. You also can set the data collector to restart when
set limits are reached, so that a separate file will be created for each interval.
You can use data collector sets and Performance Monitor tools to organize multiple data collection points
into a single component that you can use to review or log performance. Performance Monitor also
includes default data collector set templates to help system administrators begin the process of collecting
performance data specific to a server role or monitoring scenario.
In Performance Monitor, beneath the Data Collector Sets node, you can use the User Defined node to
create your own data collector sets. You can specify which specific objects and counters you want to
include in the set for monitoring. To help you select appropriate objects and counters, you can access
templates to use for monitoring, including:
System Diagnostics. Selects objects and counters that report the status of hardware resources,
system response time, and processes on the local computer, along with system information and
configuration data. The report provides guidance on ways to optimize the computer's responsiveness.
System Performance. Generates reports that detail the status of local hardware resources, system
response times, and processes.
WDAC Diagnostics. Enables you to trace debug information for Windows Data Access Components.
Note: It is not necessary for Performance Monitor to be running for data to be collected
into a data collector set.
Reports
Use the Reports feature to view and generate reports from a set of counters that you create by using data
collector sets.
Examine a report.
Performance impacts can occur because of the number of counters being sampled and the frequency
with which sampling occurs. Therefore, it is important to test the number of counters and the frequency
of data collection. This helps you determine the right balance between your environment's needs and the
provision of useful performance information. For the initial performance baseline, however, you should
use the highest number of counters possible and the highest frequency available. The following table
shows the commonly used performance counters.
LogicalDisk\% Free Space: This counter measures the percentage of free space on the selected logical disk drive. Take note if this falls below 15 percent, because you risk running out of free space for the operating system to use to store critical files. One solution is to add more disk space.
PhysicalDisk\% Idle Time: This counter measures the percentage of time the disk was idle during the sample interval. If this counter falls below 20 percent, the disk system is saturated. You should consider replacing the current disk system with a faster one.
PhysicalDisk\Avg. Disk Sec/Read: This counter measures the average time, in seconds, it takes to read data from the disk. If the number is larger than 25 milliseconds (ms), the disk system is experiencing latency when it is reading from the disk.
PhysicalDisk\Avg. Disk Sec/Write: This counter measures the average time, in seconds, it takes to write data to the disk. If the number is larger than 25 ms, the disk system experiences latency when it is writing to the disk.
PhysicalDisk\Avg. Disk Queue Length: This counter indicates how many I/O operations are waiting for the hard drive to become available. If the value is larger than two times the number of spindles, the disk itself may be the bottleneck.
Memory\Cache Bytes: This counter indicates the amount of memory that the file-system cache is using. There may be a disk bottleneck if this value is greater than 300 megabytes (MB).
Memory\% Committed Bytes in Use: This counter measures the ratio of Committed Bytes to the Commit Limit, or in other words, the amount of virtual memory in use. If the value is greater than 80 percent, it indicates insufficient memory.
Memory\Free System Page Table Entries: This counter indicates the number of page table entries not currently in use by the system. If the number is less than 5,000, there may be a memory leak.
Memory\Pool Non-Paged Bytes: This counter measures the size, in bytes, of the nonpaged pool. This is an area of system memory for objects that cannot be written to disk but instead must remain in physical memory as long as they are allocated. If the value is greater than 175 MB, or 100 MB with a /3 gigabyte (GB) switch, there is a possible memory leak.
Memory\Pool Paged Bytes: This counter measures the size, in bytes, of the paged pool. This is an area of system memory for objects that can be written to disk when they are not in use. There may be a memory leak if this value is greater than 250 MB (or 170 MB with the /3 GB switch).
Memory\Pages per Second: This counter measures the rate at which pages are read from, or written to, the disk to resolve hard page faults. If the value is greater than 1,000 as a result of excessive paging, there may be a memory leak.
Processor\% Processor Time: This counter measures the percentage of elapsed time that the processor spends executing a nonidle thread. If the percentage is greater than 85 percent, the processor is overwhelmed, and the server may require a faster processor.
Processor\% User Time: This counter measures the percentage of elapsed time that the processor spends in user mode. If this value is high, the server is busy with the application.
Processor\% Interrupt Time: This counter measures the time that the processor spends receiving and servicing hardware interruptions during specific sample intervals. If the value is greater than 15 percent, this counter indicates a possible hardware issue.
System\Processor Queue Length: This counter indicates the number of threads in the processor queue. The server does not have enough processor power if the value is more than two times the number of CPUs for an extended period.
Network Interface\Bytes Total/Sec: This counter measures the rate at which bytes are sent and received over each network adapter, including framing characters. The network is saturated if you discover that more than 70 percent of the interface is consumed.
Network Interface\Output Queue Length: This counter measures the length of the output packet queue, in packets. There is network saturation if the value is more than 2.
Process\Handle Count: This counter measures the total number of handles that a process currently has open. This counter indicates a possible handle leak if the number is greater than 10,000.
Process\Private Bytes: This counter indicates the amount of memory that this process has allocated that it cannot share with other processes. If the value is greater than 250 between the minimum and maximum number of threads, there may be a memory leak.
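The thresholds in the table, applied by script rather than by eye: the following PowerShell is an added example, not code from the course. The limits are transcribed from the table; the Get-Counter path spellings, the 2 x CPU rule for the processor queue, and the sample values are my assumptions.

```powershell
# Added example; not the course's own code. Limits are transcribed from the table
# above; counter paths, the 2 x CPU rule and the sample values are assumptions.

# One rule per table row that gives a fixed limit. Paths use (*) so any instance
# matches. Avg. Disk sec/Read and /Write report seconds, so the table's 25 ms
# becomes 0.025. The "two times the number of spindles" rule is left out because
# the script cannot know the spindle count. Note the real counter is spelled
# "Pool Nonpaged Bytes" (the table writes "Non-Paged").
$script:CounterThresholds = @(
    @{ Counter = '\LogicalDisk(*)\% Free Space';            Limit = 15;    Direction = 'Below'; Issue = 'Running out of free space' },
    @{ Counter = '\PhysicalDisk(*)\% Idle Time';            Limit = 20;    Direction = 'Below'; Issue = 'Disk system saturated' },
    @{ Counter = '\PhysicalDisk(*)\Avg. Disk sec/Read';     Limit = 0.025; Direction = 'Above'; Issue = 'Disk read latency' },
    @{ Counter = '\PhysicalDisk(*)\Avg. Disk sec/Write';    Limit = 0.025; Direction = 'Above'; Issue = 'Disk write latency' },
    @{ Counter = '\Memory\Cache Bytes';                     Limit = 300MB; Direction = 'Above'; Issue = 'Possible disk bottleneck' },
    @{ Counter = '\Memory\% Committed Bytes In Use';        Limit = 80;    Direction = 'Above'; Issue = 'Insufficient memory' },
    @{ Counter = '\Memory\Free System Page Table Entries';  Limit = 5000;  Direction = 'Below'; Issue = 'Possible memory leak' },
    @{ Counter = '\Memory\Pool Nonpaged Bytes';             Limit = 175MB; Direction = 'Above'; Issue = 'Possible memory leak' },
    @{ Counter = '\Memory\Pool Paged Bytes';                Limit = 250MB; Direction = 'Above'; Issue = 'Possible memory leak' },
    @{ Counter = '\Memory\Pages/sec';                       Limit = 1000;  Direction = 'Above'; Issue = 'Excessive paging' },
    @{ Counter = '\Processor(_Total)\% Processor Time';     Limit = 85;    Direction = 'Above'; Issue = 'Processor overwhelmed' },
    @{ Counter = '\Processor(_Total)\% Interrupt Time';     Limit = 15;    Direction = 'Above'; Issue = 'Possible hardware issue' },
    @{ Counter = '\System\Processor Queue Length';          Limit = 2 * [int]$env:NUMBER_OF_PROCESSORS; Direction = 'Above'; Issue = 'Not enough processor power' },
    @{ Counter = '\Network Interface(*)\Output Queue Length'; Limit = 2;   Direction = 'Above'; Issue = 'Network saturation' },
    @{ Counter = '\Process(*)\Handle Count';                Limit = 10000; Direction = 'Above'; Issue = 'Possible handle leak' }
)

function Test-CounterThresholds {
    param(
        # Hashtable of counter path -> numeric value. Instance names in the path
        # (C:, Ethernet, a process name) are matched by the (*) wildcard in the rule.
        [Parameter(Mandatory)][hashtable]$Values
    )
    foreach ($rule in $script:CounterThresholds) {
        foreach ($path in $Values.Keys) {
            if ($path -notlike $rule.Counter) { continue }
            $v = [double]$Values[$path]
            $breached = if ($rule.Direction -eq 'Above') { $v -gt $rule.Limit } else { $v -lt $rule.Limit }
            if ($breached) {
                [pscustomobject]@{
                    Counter   = $path
                    Value     = $v
                    Limit     = $rule.Limit
                    Direction = $rule.Direction
                    Issue     = $rule.Issue
                }
            }
        }
    }
}

function Get-LiveCounterValues {
    # Takes one sample of every rule's counter on this device. Each wildcard
    # instance becomes its own entry, so every disk, NIC and process is checked.
    $paths  = $script:CounterThresholds | ForEach-Object { $_.Counter }
    $sample = Get-Counter -Counter $paths -ErrorAction SilentlyContinue
    $values = @{}
    foreach ($s in $sample.CounterSamples) {
        # Get-Counter prefixes each path with \\COMPUTERNAME; strip it to match the rules.
        $values[($s.Path -replace '^\\\\[^\\]+', '')] = $s.CookedValue
    }
    return $values
}

# Constructed sample (not measured values) that trips a "Below" rule (free space)
# and three "Above" rules (read latency, paging, processor time) but nothing else.
$constructedSample = @{
    '\LogicalDisk(C:)\% Free Space'                    = 9.5
    '\PhysicalDisk(0 C:)\% Idle Time'                  = 64
    '\PhysicalDisk(0 C:)\Avg. Disk sec/Read'           = 0.041
    '\Memory\% Committed Bytes In Use'                 = 72
    '\Memory\Pages/sec'                                = 1450
    '\Processor(_Total)\% Processor Time'              = 91
    '\Network Interface(Ethernet)\Output Queue Length' = 0
}
Test-CounterThresholds -Values $constructedSample | Format-Table -AutoSize

# On a live Windows 10 device, replace the sample with a real snapshot:
# Test-CounterThresholds -Values (Get-LiveCounterValues) | Format-Table -AutoSize
```

Like Task Manager and Resource Monitor, a single Get-Counter call is a snapshot; run it against baseline data, or several samples, before concluding that a breach is real.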
Demonstration Steps
Open Performance Monitor
1. Open the Performance tool.
2. Select the Performance Monitor node. Notice that only % Processor Time is displayed by default.
3. Click the Directory tab. This tab lets you define information about how to store collected data.
4. Click the Security tab. This tab lets you configure which users can change this data collector set.
5. Click the Schedule tab. This tab lets you define when the data collector set is active and collecting
data.
6. Click the Stop Condition tab. This tab lets you define when to stop data collection, based on time or
collected data.
7. Click the Task tab. This tab lets you run a scheduled task when the data collector set stops. You can
use this to process the collected data.
8. Click Cancel. Notice that there are three kinds of logs in the right pane:
o Performance Counter collects data that you can view in Performance Monitor.
o Kernel Trace collects detailed information about system events and activities.
9. In the right pane, double-click Performance Counter. Notice that all Processor counters are
collected, by default.
Examine a Report
1. Wait a few moments for the data collector set to stop automatically.
2. Right-click CPU and Disk Activity, and then click Latest Report.
3. Review the report, which shows the data that the data collector set collects.
Processor
System
Disk
Memory
Network
It is important to ensure that the Windows 10 devices are operating correctly and that you can quickly
discover any problems. You can accomplish this by using a proactive approach to supporting your users.
Objectives
After completing this lab, you will have:
Lab Setup
Estimated Time: 60 minutes
Virtual machine(s): 20697-1B-LON-DC1 and 20697-1B-LON-CL1
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20697-1B-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
o Password: Pa$$w0rd
o Domain: Adatum
2. In Update & security, on the Windows Update tab, in Advanced options, configure the following
options:
o Automatic (recommended)
o Give me updates for other Microsoft products when I update Windows: On
o Defer upgrades: On
3. Notice that the Get started option beneath Get Insider builds is available.
o Enable When this is turned on, your PC may also send parts of previously downloaded
Windows updates and apps to PCs on your local network, or PCs on the Internet,
depending on what's selected below.
Results: After completing this exercise, you will have successfully configured Windows Update settings.
Task 2: Verify that the device's update settings are managed centrally
1. Refresh the Group Policy settings by using gpupdate /force.
2. Switch to UPDATE & SECURITY, and then click Advanced options. Notice the Some settings are
managed by your organization banner.
3. Notice that the option to Get started with Insider builds is unavailable.
4. Close all open apps and windows.
Results: After completing this exercise, you will have successfully configured Group Policy Objects (GPOs)
to configure Windows Update settings.
Note: This is just a check, as the remote management feature is probably enabled.
2. In Active Directory Users and Computers, add the collector computer, LON-CL1, as a member of the
local Event Log Readers group.
3. On LON-CL1, from an elevated command prompt, run the wecutil qc command.
4. Create a custom view called LON-DC1 errors to show only errors and critical events.
Results: After completing this exercise, you will have successfully configured monitoring by using Event
Viewer.
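The subscription set-up from the Enabling subscriptions topic in Lesson 2 and from this exercise, scripted as an added PowerShell example (not part of the course): Part 1 runs on each source computer, Part 2 on the collector. The names LON-DC1, LON-CL1, Adatum and the Event Log Readers group are from the course; the DNS suffix adatum.com, the subscription name AdatumErrors, and the subscription XML (written in the wecutil subscription format as I know it, not taken from the course) are my assumptions.

```powershell
# Added example; not the course's own code. Assumptions are marked in comments.

# ---- Part 1: run elevated on each SOURCE computer (LON-DC1 in the lab) ----
function Enable-EventSource {
    param(
        # Computer account of the collector; the trailing $ denotes a machine account.
        [string]$CollectorAccount = 'ADATUM\LON-CL1$'
    )
    # Step 1 of the topic: create the WinRM listener and firewall exception.
    # -q suppresses the interactive confirmation.
    winrm quickconfig -q | Out-Null

    # Step 3 of the topic: Event Log Readers is enough for the collector to read this
    # computer's logs; it does not need local Administrators membership.
    $members = net localgroup 'Event Log Readers'
    if ($members -notcontains $CollectorAccount) {
        net localgroup 'Event Log Readers' $CollectorAccount /add | Out-Null
    }

    # The topic says WinRM must be running on every participating computer; check it.
    $winrm = Get-Service -Name WinRM
    if ($winrm.Status -ne 'Running') {
        throw "WinRM is $($winrm.Status) on $env:COMPUTERNAME; it must be Running"
    }
    return $winrm.Status
}

# ---- Part 2: run elevated on the COLLECTOR computer (LON-CL1 in the lab) ----
function New-CollectorSubscription {
    param(
        [string]$Name       = 'AdatumErrors',                 # assumption: subscription name
        [string]$SourceFqdn = 'LON-DC1.adatum.com',           # assumption: DNS suffix
        [string]$XmlPath    = "$env:TEMP\AdatumErrors.xml"    # assumption: scratch file
    )
    # Step 2 of the topic: enable and start the Windows Event Collector service (Wecsvc).
    wecutil qc /q | Out-Null

    # Collector-initiated subscription: the collector pulls from the source with its
    # own computer account (CredentialsType Default), which is why Part 1 adds that
    # account to Event Log Readers. The query keeps only Critical (Level 1) and Error
    # (Level 2) events, the same filter as the "LON-DC1 errors" custom view.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2004/08/wec/subscriptions">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Critical and error events from $SourceFqdn</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
<QueryList>
  <Query Id="0">
    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>
    <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
  </Query>
</QueryList>
]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$SourceFqdn</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
    Set-Content -Path $XmlPath -Value $xml -Encoding UTF8
    wecutil cs $XmlPath
    # gr = get-subscriptionruntimestatus: the source should show as Active. An error
    # here usually means WinRM is unreachable or Part 1 was not completed on the source.
    wecutil gr $Name
}

# What the "LON-DC1 errors" custom view shows, queried from PowerShell: Critical and
# Error events that have landed in the local Forwarded Events log.
function Get-ForwardedErrors {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'ForwardedEvents'; Level = 1, 2 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, MachineName, Id, LevelDisplayName, ProviderName
}
```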
o Counters to include:
Memory > Pages/sec
Network Interface > Packets/sec
Physical Disk > % Disk Time
Physical Disk > Avg. Disk Queue Length
Processor > % Processor Time
System > Processor Queue Length
3. Start the data collector set, and then start the following programs:
o Password: Pa$$w0rd
b. Load perfmon /res to view which resources are under load. In Resource Monitor, which
components are under strain?
c. When the batch file is complete, stop the Adatum Baseline data collector set.
d. In Performance Monitor, locate Reports > User Defined > Adatum Baseline, and then click the
report that has a name beginning with LON-CL1.
e. Record the following values:
Memory Pages per second
Network Interface Packets per second
Physical Disk % Disk Time
Physical Disk Avg. Disk Queue Length
Processor % Processor Time
System Processor Queue Length
2. In your opinion, which components is the script affecting the most?
3. Be prepared to discuss your investigations with the class as directed by your instructor.
Results: After completing this exercise, you will have successfully determined the cause of a performance
bottleneck.
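The six counters of the Adatum Baseline collector set sampled with Get-Counter and judged against rule-of-thumb ceilings, as an added Windows PowerShell example that is not part of the course lab; the ceiling values are an assumption for illustration, not figures from the course.

```powershell
# Added example, not course code. Run on LON-CL1 while the lab's load-generating batch
# file is executing; it samples the same six counters as the Adatum Baseline collector set.

$counters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

# Rule-of-thumb ceilings (an assumption for illustration, not values from the course).
# A sustained average above the ceiling, not a single spike, is what points at a bottleneck.
$thresholds = @{
    '\Memory\Pages/sec'                            = 1000
    '\PhysicalDisk(_Total)\% Disk Time'            = 50
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 2
    '\Processor(_Total)\% Processor Time'          = 85
    '\System\Processor Queue Length'               = 2 * [int]$env:NUMBER_OF_PROCESSORS
}

function Get-BaselineSample {
    param([int]$Samples = 10, [int]$IntervalSeconds = 2)
    # One PerformanceCounterSampleSet per interval; flatten and average per counter path.
    $sets = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $sets.CounterSamples |
        Group-Object -Property Path |
        ForEach-Object {
            [pscustomobject]@{
                # Get-Counter prefixes each path with \\computername; strip it so the
                # name matches the keys above (hashtable lookups are case-insensitive).
                Counter = $_.Name -replace '^\\\\[^\\]+', ''
                Average = [math]::Round(($_.Group | Measure-Object -Property CookedValue -Average).Average, 2)
            }
        }
}

function Find-Bottleneck {
    param([int]$Samples = 10, [int]$IntervalSeconds = 2)
    foreach ($row in Get-BaselineSample -Samples $Samples -IntervalSeconds $IntervalSeconds) {
        $limit  = $thresholds[$row.Counter]          # $null for the per-instance network counters
        $status = if ($null -ne $limit -and $row.Average -gt $limit) { 'STRAIN' } else { 'ok' }
        [pscustomobject]@{ Counter = $row.Counter; Average = $row.Average; Ceiling = $limit; Status = $status }
    }
}

Find-Bottleneck | Sort-Object Status -Descending | Format-Table -AutoSize
```

Compare the STRAIN rows with what Resource Monitor (perfmon /res) shows in step b; the two views should point at the same component.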
Course Evaluation
Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.
Note: If the tiles at the bottom of Action Center do not display, close and then open
Action Center again.
11. Click All apps, and then click Alarms & Clock.
12. On the taskbar, click Task View.
6. Drag Alarms & Clock to the right side of the display, and then release it.
7. On the taskbar, click Task View, and then click Calculator. Both apps should display, side by side.
Results: After completing this exercise, you will have navigated the Windows 10 user interface
successfully.
5. Click Microsoft Office 2013, right-click Word 2013, and then click Pin to Start.
6. Right-click PowerPoint 2013, and then click Pin to Start.
3. Click and hold the Microsoft Office group, and then drag it to the top of the display above the
default groups. Release it.
3. In Start, in the Life at a glance group, right-click Mail, point to Resize, and then click Large.
Results: After completing this exercise, you will have customized Windows 10 Start successfully.
5. On the taskbar, click Task View. Both desktops should display side by side. Move the mouse pointer
over each desktop.
4. In the Browse for Files or Folders dialog box, expand This PC, click Pictures, and then click OK.
5. In the Create Shortcut Wizard, click Next, and then click Finish.
7. In Settings, in PERSONALIZATION, beneath Choose your picture, select the middle image, and then
click the Colors tab.
8. In Choose a color, beneath the Choose your accent color, click the top left square, and then click the
Lock screen tab.
9. Beneath Choose an app to show detailed status, click the plus symbol.
11. Under Choose apps to show quick status, click the plus symbol.
12. Click Alarms & Clock, and then click the Start tab.
Note: If you do not see Alarms & Clock, choose another app from the list.
13. On the Start tab, disable both Show most used apps and Show recently added apps.
14. Right-click Start, point to Shut down or sign out, and then click Sign out.
15. On the Sign in screen, in the Password box, type Pa$$w0rd, and then press Enter.
16. Verify that the background is correct. Verify that the color scheme is what you configured.
Note: Due to a limitation in the virtual machine, this setting is not retained but should
display.
17. Click Start. Verify that Most used does not appear.
Results: After completing this exercise, you will have configured the Windows 10 desktop successfully.
2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.
2. In the 20697-1B-LON-CL3 On Host computer - Virtual Machine Connection window, click Action, and
then press Ctrl+Alt+Delete.
3. Sign in as Adatum\Administrator with the password Pa$$w0rd.
5. If a Windows Activation dialog box opens, click Ask me later. Click OK.
6. On the taskbar, click Start. Right-click Computer, and then click Properties.
7. Write down the settings for:
13. Write down the available disk space for drive C: ________________
14. Do the noted values match the minimum requirements? ________________
15. Which setting does not match the minimum requirements? _________________
16. Click Start, and then click Shut down.
2. In the Settings for 20697-1B-LON-CL3 on Host computer window, click Memory, and then in Startup
RAM, type 2048. Click OK.
3. In Hyper-V Manager, click 20697-1B-LON-CL3, in the Actions pane, click Start, and then click
Connect.
4. In the 20697-1B-LON-CL3 on Host computer Virtual Machine Connection window, click Media in the
menu, hover over DVD Drive, and then click Insert disk.
9. If a Windows Activation dialog box opens, click Ask me later. Click OK.
13. On the Get important updates page, click Not right now, and then click Next.
15. On the Choose what to keep page, click Nothing. Click Next, and then click Yes.
16. Click Install. The setup program will now upgrade your Windows 7 installation to Windows 10. This
will take approximately 30 minutes.
17. On the Hi there page, click Next.
18. On the Get going fast page, click Use Express settings.
19. On the Create an account for this PC page, provide the following, and then click Next:
o Username: LocalAdmin
o Password: Pa$$w0rd
4. In the Virtual Machines list, right-click 20697-1B-LON-CL3, and then click Revert.
5. In the Revert Virtual Machine dialog box, click Revert.
Results: After completing this exercise, you will have upgraded your Windows 7-based computer to
Windows 10.
2. Right-click the desktop, hover over the New menu item, and then click Text Document. Type
Demofile and press Enter.
3. Double-click Demofile.txt and type some random text. Press Alt+F4, and then click the Save button.
5. At the command prompt, type the following command, and then press Enter:
7. At the command prompt, type the following, and then press Enter:
7. At the command prompt, type the following, and then press Enter:
Results: After completing this exercise, you will have migrated your settings from your Windows 7-based
computer to a new Windows 10-based computer.
2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.
4. Click the Windows Defender item in the console tree, and then in the details pane, click the Add an
exclusion hyperlink.
5. Click the Exclude a folder plus sign, and in the Select Folder window, navigate to E:\Labfiles, and
then click Exclude this folder.
6. At the upper left of the screen, note the back arrow by Settings. Click the back arrow twice. This will
return you to the main Settings page.
Note: The Settings app scans for printers or scanners, but finds none.
12. Click The printer that I want isn't listed, select Add a local printer or network printer with
manual settings, and then click Next.
14. On the Install the printer driver page, under the Manufacturer column, select HP, and in the
Printers column, scroll down and choose HP Photosmart 7520 series Class Driver, and then click
Next.
15. On the Type a printer name page, delete the part of the text that says series Class Driver, leaving
only the HP Photosmart 7520 text, and then click Next.
17. On the You've successfully added HP Photosmart 7520 page, click Finish.
19. This will return to the Printers & scanners page of the Settings app. Click the HP Photosmart 7520
icon. Note the Remove device option that appears. Without selecting it, close the Settings app.
Results: After completing this exercise, you will have successfully used the Settings app to configure a
device.
2. In the Control Panel, in the Hardware and Sound category, click the View devices and printers
hyperlink.
3. You should see the printer named HP Photosmart 7520. Double-click it.
4. In the HP Photosmart 7520 window, click the Printer menu, and then select Printing Preferences.
5. In the HP Photosmart 7520 Printing Preferences window, note that Print on Both Sides is not found.
Click Cancel, and then close the HP Photosmart 7520 window.
6. Right-click HP Photosmart 7520, and then click Printer Properties. In the HP Photosmart 7520
Properties sheet, select the Device Settings tab.
7. Note the installable options. To the right of Automatic Duplexing Unit:, click Not installed, change
the drop-down selection to Installed, and then click OK.
8. Double-click the HP Photosmart 7520 item.
9. In the HP Photosmart 7520 window, click the Printer menu, and then select Printing Preferences.
10. In the HP Photosmart 7520 Printing Preferences window, in the Print on both sides: drop-down list,
select Flip on Long Edge, and then click OK.
Results: After completing this exercise, you will have successfully used the Control Panel to configure a
device.
2. At the Windows PowerShell command prompt, type Get-ExecutionPolicy, and then press Enter.
Confirm that the current execution policy is Unrestricted. If the execution policy is Unrestricted, skip
steps 3 and 4, and proceed to step 5.
3. If set to Restricted, then in the Windows PowerShell command prompt, type Set-ExecutionPolicy
Unrestricted, and then press Enter.
4. Select Yes to All [A] by typing an A, and then press Enter. Leave the Windows PowerShell command
prompt open.
5. Click the Start Menu icon, and then in the Start menu, select Settings.
6. On the Settings page, click Devices.
7. Ensure that Printers & Scanners is selected in the console tree, and then scroll down in the details
pane, and click the Devices and Printers hyperlink.
8. In the Devices and Printers Control Panel item, double-click the HP Photosmart 7520 icon.
9. In the HP Photosmart 7520 window, click the Printer menu, and then select Printing Preferences.
10. In the HP Photosmart 7520 Printing Preferences window, note that the Print on Both Sides drop-
down box is available, and then click Cancel.
11. Return to the Windows PowerShell command prompt.
12. At the Windows PowerShell command prompt, type the following, and then press Enter:
13. At the Windows PowerShell command prompt, type the following, and then press Enter:
Note: You must use all caps for the TRUE or FALSE values.
Note: Note that in Windows PowerShell, each cmdlet parameter name is preceded
immediately by a dash symbol, such as the Value parameter, which you used above. However,
the word wrap feature may separate the dash from the parameter when you copy and paste from
a file. Therefore, you need to ensure that you inspect all pasted cmdlets and parameters to
ensure they follow Windows PowerShell syntax requirements.
14. At the Windows PowerShell command prompt, type the following, and then press Enter:
15. In the HP Photosmart 7520 window, click the Printer menu, and then select Printing Preferences.
Note: In the HP Photosmart 7520 Printing Preferences window, note that the Print on
Both Sides drop-down list box is gone.
18. In Windows PowerShell ISE, open E:\Labfiles\Mod03\Services.ps1, and then read the script.
19. Select line 3 in the script, and then run the selection.
20. In the console pane, view the contents of the $services variable.
21. Run the script, and then read the output. Notice that it does not have multiple colors.
22. At the end of line 14, type -ForegroundColor $color.
23. Run the script by clicking the green arrow on the ribbon, and then read the output. Click OK in the
Windows PowerShell ISE window if prompted to save the script.
Note: Running services are green and services that are not running are red.
24. On line 16, type Write-Host A total of $services.count services were evaluated.
25. Run the script. Click OK in the Windows PowerShell ISE window if prompted to save the script.
26. In the Commands pane, build a Write-Host cmdlet with the following options:
o BackgroundColor: Gray
o ForegroundColor: Black
27. Copy the command, and then paste it on line 17 of the script.
28. Run the script. Click OK in the Windows PowerShell ISE window if prompted to save the script.
31. At the command prompt, type Set-Location E:\Labfiles\Mod03, and then press Enter.
32. Type .\Services.ps1, and then press Enter. Close all open windows.
Results: After completing this exercise, you will have successfully configured the device with Windows
PowerShell.
2. Maximize the Group Policy window, from the console tree, expand Forest: Adatum.com, expand
Domains, and then expand Adatum.com. Select the Group Policy Objects node.
3. Right-click the Group Policy Objects node, and then click New.
4. In the New GPO pop-up, in the Name: text box, type Win10 Display and then click OK.
5. In the details pane, right-click Win10 Display, and then select Edit.
6. This brings up the Group Policy Management Editor. Maximize the console.
7. In the console tree under Computer Configuration, expand Policies, expand Windows Settings,
expand Security Settings, expand Local Policies, and then select Security Options. In the details
pane, scroll down, select Interactive Logon: Message title for users attempting to log on, and
then double-click it.
8. In the Interactive Logon: Message title for users attempting to log on pop-up window, enable the
option, and in the text box, type Attention!, and then click OK.
9. In the details pane, scroll down, select Interactive Logon: Message text for users attempting to
log on, and then double-click it.
10. In the Interactive Logon: Message text for users attempting to log on pop-up window, select the
check box of Define this policy setting in the template, in the text box, type This computer is
used for A. Datum Corp Development and Testing Only! Do not use on production network!,
and then click OK.
11. In the console tree under Computer Configuration, expand Preferences, expand Control Panel
Settings, and then select Services.
12. Right-click the empty space in the details pane, click New, and then click Service.
13. In the New Service Properties window, select the following by using the drop-down arrow:
o Startup: Disabled
15. Select the Item-level targeting check box, and then click Targeting.
17. In the Computer Name text box, type LON-CL1, click OK, and then click OK again.
19. In the Group Policy Management Console, select the Adatum.com item in the console tree, right-click it, and then select Link an Existing GPO.
20. In the Select GPO window, select the Win10 Display item, and then click OK.
21. Close the Group Policy Management Console. Close all open windows, and then sign out.
22. Return to LON-CL1, and in the taskbar, in the Search the web and Windows text box, type cmd,
and then press Enter.
23. At the command prompt, type gpupdate /force, and then press Enter. After the update reports
success, type Shutdown /r /t 0.
27. In the Services details pane, scroll down until you see the Encrypted File System (EFS) service.
Confirm that it is disabled. Close all open windows, and then sign out.
Results: After completing this exercise, you will have successfully used GPOs to configure devices.
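A Windows PowerShell way to create, link and verify the Win10 Display GPO, as an added example that is not part of the course lab; it assumes the GroupPolicy module (RSAT), writes the two registry values behind the Interactive logon settings (an alternative to the Security Options path the lab clicks through), and leaves the Services preference item as the GUI step above.

```powershell
# Added example, not course code. Run where the GroupPolicy module is available
# (LON-DC1 or an admin workstation with RSAT), signed in as a domain administrator.
Import-Module GroupPolicy

$gpoName = 'Win10 Display'
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Logon banner for Adatum test devices' }

# 'Interactive logon: Message title/text for users attempting to log on' arrive on the
# client as these two values. The lab sets them through Security Options; writing the
# registry policy directly is an alternative route to the same client-side result.
$sysKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$banner = 'This computer is used for A. Datum Corp Development and Testing Only! Do not use on production network!'
Set-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName 'LegalNoticeCaption' -Type String -Value 'Attention!' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName 'LegalNoticeText'    -Type String -Value $banner      | Out-Null

# Link at the domain, as the lab does (New-GPLink errors if the link already exists).
New-GPLink -Name $gpoName -Target 'DC=Adatum,DC=com' -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null

# Review what the GPO carries before clients pick it up.
Get-GPRegistryValue -Name $gpoName -Key $sysKey | Select-Object ValueName, Type, Value

# --- On LON-CL1, after 'gpupdate /force' and a restart: confirm the banner values arrived
#     and that the EFS service (service name EFS) was disabled by the preference item.
function Test-Win10DisplayPolicy {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        BannerTitle   = $p.LegalNoticeCaption
        BannerTextSet = -not [string]::IsNullOrEmpty($p.LegalNoticeText)
        EfsStartType  = (Get-Service -Name EFS).StartType
    }
}
Test-Win10DisplayPolicy
```

Because the preference item is targeted at LON-CL1 only, EfsStartType will read Disabled there and stay at its default on other clients that receive the same GPO.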
2. In Hyper-V Manager, click MSL-TMG1, and then in the Actions pane, click Start.
3. You do not need to sign in to this virtual machine.
2. Click Accounts, in the console tree, select Other users, and then click the Add someone else to this
PC plus sign.
3. In the How will this person sign in? window, click the I don't have this person's sign-in information
hyperlink.
4. In the Let's create your account window, create a Microsoft account with the following values, and
then click Next:
o First name: Your first name + last name's first letter (for example, KariT)
o Last name: 20697-1B
o Click the Get a new email address hyperlink, in the New email text box, type Your first name
+ last initial-20697-1B, and then press Tab.
Note: This should return a check mark with the statement Your first name + last initial-
[email protected] is available. If not, go back and add the second letter of your last name
to the email address (for example, KariTr). You may have to continue to add letters until you
reach a name that is unique enough for the system to accept it.
o Password: Pa$$w0rd
o Birth day: 1
Note: Because the telephone number will not be called or texted through this account, it
does not matter as long as the pattern fits your country/region's telephone system.
7. If either the Passwords are so yesterday or Set up a PIN pages appear, click Skip this step.
8. Close all open windows, and then sign out.
3. Click the Windows icon, and then in the Start menu, click the Mail tile.
o Click the New mail plus sign, in the To: line, type Your first name + last initial-20697-
[email protected].
7. If you encounter a message that states "Please sign in to your Outlook.com account", click sign in to
validate the account.
8. In the upper right, click the Refresh icon, which features two arrows in a circle. You should see your
test message. Close all open windows, and then sign out.
3. Click Accounts, in the console tree, select Other users, and then click the Add someone else to this
PC plus sign.
4. In the How will this person sign in? page, in the Email or phone text box, type Your first name +
last [email protected], and click Next.
6. Close the Settings app, and in the Start menu, click the Admin button, and then click Your first
name + last [email protected].
7. In the Password text box, type Pa$$w0rd, and press the Enter key.
9. At the Set up a PIN page, click Skip this step and then click Next.
10. In the Get your files here, there and everywhere page, click Next.
3. In the Accounts page, note that Your first name + last [email protected] is selected,
and then click Ready to go.
4. You should see all your messages from the previous task on LON-CL1.
5. Open your test message, reply by adding some text, and then click Send.
6. Close all open windows, and then sign out.
Results: After you complete this exercise, you will have successfully:
Connected your Microsoft account to a device.
Performed verification.
Note: The OneDrive node in File Explorer may take several minutes to appear. Please wait
for it to appear before proceeding. If it takes longer than 15 minutes, sign out, and then sign
back in by using your Microsoft account.
3. In the console tree, under OneDrive, select the Documents folder, and in the details pane, right-click
the empty space, point to New, click Text Document, in the name text box, type I was here.txt,
and then press Enter.
4. Double-click the I was here.txt document and when Notepad opens, type I was here on LON-CL2.
Press Ctrl+S, and then close Notepad.
Task 2: Sign in to LON-CL1 with your Microsoft account, and update the
synchronized document
1. Return to LON-CL1 and then sign in as Your first name + last [email protected], with
a password of Pa$$w0rd. From the taskbar, click the File Explorer icon, and then select the
OneDrive node.
2. Open the Documents folder in the OneDrive node. After a few minutes, the I was here.txt
document should appear (it can take up to five minutes).
5. Press Ctrl+S, and then close Notepad. Make note of the date and time of the I was here.txt file.
6. Return to LON-CL2, and if File Explorer is not still open, on the taskbar, click the File Explorer icon,
and then select the OneDrive node. Select the Documents folder in the OneDrive node.
7. Make note of the date and time of the I was here.txt document. When it changes to the date and
time you noted on LON-CL1, double-click the file (it takes up to five minutes to change).
8. Close all open windows, and then sign out of all virtual machines.
Results: After you complete this exercise, you will have successfully:
2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.
2. Click the Network icon in the notification area, and then click Network settings.
4. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.
5. In the Ethernet Status dialog box, click Details. This window displays the same configuration
information for this adapter as would the Ipconfig command.
6. Record the following information:
o IPv4 Address
8. In the Ethernet Status dialog box, click Properties. You can configure protocols in this window.
9. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. You can configure the IP
address, subnet mask, default gateway, and Domain Name System (DNS) servers in this window.
Task 2: Verify the current IPv4 settings from the command line
1. Right-click Start, and then click Command Prompt (Admin).
2. Type PowerShell, and then press Enter.
3. At the Windows PowerShell command prompt, type Get-NetIPAddress, and then press Enter. The
IPv4 address should match what you recorded earlier.
4. At the command prompt, type netsh interface ipv4 show config, and then press Enter. The current
IPv4 configuration is displayed and should match what you recorded earlier.
5. At the Windows PowerShell command prompt, type ipconfig /all, and then press Enter. Again, the
information should match what you recorded earlier.
2. At the command prompt, type netstat -n, and then press Enter. Observe and describe the active
connections to 172.16.0.10. Most connections to services are transient.
3. If no connections appear, create a connection. To create a connection, click Start, in the Search box,
type \\LON-DC1, and then press Enter.
5. At the command prompt, type netstat -n, and then press Enter. Identify the services that LON-CL1
had connections to on LON-DC1.
Results: After completing this exercise, you will have successfully verified Internet Protocol version 4 (IPv4)
settings.
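The netstat -n check from this exercise repeated with Get-NetTCPConnection and annotated with the service that normally sits behind each port on a domain controller, as an added Windows PowerShell example that is not part of the course lab; the port-to-service map and the LON-DC1 address 172.16.0.10 are assumptions taken from the lab environment.

```powershell
# Added example, not course code. Run on LON-CL1; the DC address is the lab's.
$dcAddress = '172.16.0.10'   # LON-DC1

# Ports a domain-joined client normally talks to on a DC (assumed for illustration;
# a real baseline should be derived from the DC's actual listening services).
$wellKnown = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
}

function Get-DcConnectionSummary {
    param([string]$RemoteAddress = $dcAddress)
    Get-NetTCPConnection -RemoteAddress $RemoteAddress -ErrorAction SilentlyContinue |
        Group-Object -Property RemotePort |
        ForEach-Object {
            $port = [int]$_.Name
            [pscustomobject]@{
                RemotePort = $port
                Service    = if ($wellKnown.ContainsKey($port)) { $wellKnown[$port] } else { 'unknown' }
                States     = ($_.Group.State | Sort-Object -Unique) -join ','
                Processes  = ($_.Group.OwningProcess | Sort-Object -Unique |
                              ForEach-Object { (Get-Process -Id $_ -ErrorAction SilentlyContinue).ProcessName }) -join ','
                Count      = $_.Count
            }
        } | Sort-Object RemotePort
}

# Connections to the DC are transient, so create one first if the list is empty. The lab
# opens \\LON-DC1 in Explorer; Test-Path makes the same SMB connection without a window.
if (-not (Get-NetTCPConnection -RemoteAddress $dcAddress -ErrorAction SilentlyContinue)) {
    Test-Path '\\LON-DC1\NETLOGON' | Out-Null
}
Get-DcConnectionSummary | Format-Table -AutoSize
```

A remote port that shows up as unknown, or an owning process that is not a Windows service, is the kind of entry worth comparing against a known-good baseline of the client.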
4. In the Ethernet Status dialog box, click Properties. In this window, you can configure protocols.
10. In the Ethernet Status dialog box, click Details. Notice that Dynamic Host Configuration Protocol
(DHCP) is enabled, and that the IP address of the DHCP server displays.
11. Switch to the Windows PowerShell command prompt, type ipconfig /all, and then press Enter. Verify
that the IPv4 address is obtained from DHCP.
3. If no connections appear, create a connection. To create a connection, click Start, in the Search box,
type \\LON-DC1, and then press Enter.
5. At the command prompt, type netstat -n, and then press Enter. Identify the services that LON-CL1
had connections to on LON-DC1.
3. Expand lon-dc1.adatum.com, expand IPv4, expand Scope [172.16.0.0] Adatum, and then click
Address Leases.
4. In the details pane, you should see the address lease for your Windows 10 client.
Results: After completing this exercise, you will have successfully configured IPv4 settings to be assigned
automatically.
6. Notice that DHCP is enabled, and that the IP address of the DHCP server displays. Notice the DNS
server address.
7. In the Network Connection Details dialog box, click Close.
2. At the Windows PowerShell command prompt, type Get-DnsClientCache, and then press Enter. This
displays the current DNS resolver cache.
3. At the Windows PowerShell command prompt, type ipconfig /flushdns, and then press Enter. This
flushes the current DNS resolver cache.
4. At the Windows PowerShell command prompt, type Clear-DnsClientCache, and then press Enter.
This flushes the current DNS resolver cache. It is not necessary to run this in addition to the preceding
command.
5. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter. This
verifies that you have no entries in the cache.
2. At the Windows PowerShell command prompt, type Get-DnsClientCache | fl, and then press Enter.
3. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter. This
should display similar information to the preceding command.
2. Scroll to the end of the file, type 172.16.0.10 www, and then press Enter.
3. Click File, and then click Save.
4. Close Notepad.
5. At the Windows PowerShell command prompt, type test-connection www, and then press Enter.
6. At the Windows PowerShell command prompt, type Get-DnsClientCache | fl, and then press Enter.
3. At the Windows PowerShell command prompt, type nslookup d1 LON-DC1 > file.txt, and then
press Enter.
4. At the command prompt, type notepad file.txt, and then press Enter.
5. Review the information. Note that you must scroll to the section starting Got answer.
6. What was the question that was asked of the DNS server?
ANSWERS: lon-dc1.Adatum.com
internet address = 172.16.0.10
ttl = 3600 (1 hour)
8. How long will the record be cached?
1 hour
9. What is the fully qualified domain name (FQDN) for the primary name server?
lon-dc1.Adatum.com
Results: After completing this exercise, you will have successfully verified your DNS settings and tested
name resolution.
2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.
2. In the Initialize Disk window, clear the Disk 2 and Disk 3 check boxes, and then click OK. You can see
that Disk 1 now has a status of Online.
Results: After completing this exercise, you will have initialized one hard disk.
3. On the Specify Volume Size page, type 5120, and then click Next.
4. On the Assign Drive Letter or Path page, make sure that drive E is selected, and then click Next.
5. On the Format partition page, in the Volume Label text box, type Data, and then click Next.
6. On the Completing the New Simple Volume Wizard page, click Finish.
3. Switch to the Disk Management window, and then verify that the E volume now occupies the entire
Disk 1.
If the change is not visible, press F5 to refresh the view in Disk Management.
Results: After completing this exercise, you will have created a simple volume and then extended the
volume.
2. Navigate to the C:\Users folder. Right-click the Admin folder, and then click Properties.
3. On the General tab, note the Size on Disk in megabytes (MB):___________
2. Click Compress contents to save disk space, and then click OK.
3. Click Apply, and then in the Confirm Attribute Changes window, click OK.
Results: After completing this exercise, you will have compressed a folder with files.
3. In the Properties window, select the Deny disk space to users exceeding quota limit check box.
4. Click Limit disk space to, in the Limit disk space to text box, type 500, and then in the Set warning
level to text box, type 250.
2. Wait for April to sign in. This might take some time.
E:
MKDIR research
CD research
Fsutil file createnew file1.txt 209715200
Fsutil file createnew file2.txt 209715200
5. Click Start, click April Reagan, and then click Sign out.
3. In the File Explorer window, right-click Data (E:), and then click Properties.
4. Click the Quota tab, and then click Quota Entries.
5. Notice the warning for April Reagan for the disk space used. You might need to expand some
columns to read the full name and Logon Name.
Results: After completing this exercise, you will have configured disk quotas.
(Press Y and then press Enter to confirm that you want to delete all partitions from disk 1.)
4. Notice that a resilience type of Two-way mirror is selected. Click Create storage space.
Results: After completing this exercise, you will have created a two-way mirror storage space.
3. In File Explorer, in the navigation pane, expand This PC, and then click Local Disk (C:). In the details
pane, right-click the empty space, select New, select Folder, and then type Data for the new folder's
name.
4. In File Explorer, in the navigation pane, expand Local Disk (C:), and then click Data. In the details
pane, right-click the empty space, select New, select Folder, and then type Marketing for the new
folder's name.
5. In File Explorer, in the details pane, right-click the empty space, select New, select Folder, and then
type IT for the new folder's name.
3. In the Permissions for IT dialog box, verify that Authenticated Users is selected in the Group or
user names section, and then click Remove. Read the text in the Windows Security dialog box that
appears, which explains why you cannot remove an authenticated user. Click OK, and then click
Cancel.
7. In the Marketing Properties window, click the Security tab, and then click Advanced.
8. In the Advanced Security Settings for Marketing dialog box, verify that all permissions entries are
inherited from C:\. Also, verify that Users (LON-CL1\Users) have Read & execute Access, while
Authenticated Users have Modify Access. Click OK twice.
2. In the File Sharing dialog box, verify that Administrator is selected, click Read/Write in the
Permission Level column, and then select Remove.
3. In the Type a name and then click Add, or click the arrow to find someone text box, enter IT, and
then click Add.
4. Verify that IT is added and selected. Click Read in the Permission Level column, select Read/Write,
click Share, and then click Done.
5. In File Explorer, in the navigation pane, right-click Marketing, and then select Properties.
6. In the Marketing Properties dialog box, select the Sharing tab. In the Network File and Folder
Sharing section, verify that Marketing is not shared, and then in the Advanced Sharing section,
click Advanced Sharing.
7. In the Advanced Sharing dialog box, select the Share this folder check box. Verify that the share
name is Marketing (the same as the folder name), and that Limit the number of simultaneous
users to is set to 20. Click Permissions.
8. In the Permissions for Marketing dialog box, click Remove. Click Add, in the Enter the object
names to select (examples) box, type Marketing, and then click OK. In the Permissions for
Marketing section, select the Change check box in the Allow column, and then click OK twice.
9. In the Marketing Properties dialog box, in the Network File and Folder Sharing section, verify that
Marketing is now shared as \\LON-CL1\Marketing, and then click Close.
10. Right-click the Start icon, and then select Command Prompt.
11. At the command prompt, view shares created on LON-CL1 by typing net view \\lon-cl1, and then
pressing Enter. Close the command prompt.
12. Right-click the Start icon, and then select Computer Management.
13. In Computer Management, in the navigation pane, expand Shared Folders, and then click Shares. In
the details pane, verify that you see IT and Marketing shares, and the default Windows 10 shares.
Close Computer Management.
3. In the Advanced Security Settings for IT dialog box, verify that all the permissions entries are set
explicitly at this level, because their permission inheritance is set to None.
4. Verify that only Administrator, Administrators (LON-CL1\Administrators), SYSTEM and the IT group
(ADATUM\IT) have access to the IT folder. These settings match the permissions that you configured in
the File Sharing dialog box.
5. In the Advanced Security Settings for IT dialog box, click OK. In the IT Properties dialog box,
select the Sharing tab, in the Network File and Folder Sharing section, verify that IT now is shared
as \\Lon-cl1\it, and then click Advanced Sharing.
6. In the Advanced Sharing dialog box, click Permissions. In the Permissions for IT dialog box, verify
that the Everyone and Administrators groups have Full Control permissions to the share, click OK
twice, and then click Close.
Note: If you share a folder by using the File Sharing dialog box, you will modify the local
file permissions to match your configuration, while the Everyone and Administrators groups will
have the Full Control share permission.
7. In File Explorer, in the navigation pane, right-click Marketing, and then select Properties.
8. In the Marketing Properties window, click the Security tab, and then click Advanced.
9. In the Advanced Security Settings for Marketing dialog box, verify that all of the permissions
entries are inherited from C:\. Also verify that Users (LON-CL1\Users) have Read & execute Access,
while Authenticated Users have Modify Access, which are the same file permissions as before you
shared the Marketing folder. Click OK twice.
Note: If you share a folder by using the Advanced Sharing feature, this does not modify
local file permissions. You only modify share permissions if you use Advanced Sharing.
10. Right-click the Start icon, select Shut down or sign out, and then select Sign out.
2. On the taskbar, click File Explorer. In File Explorer, in the navigation pane, expand This PC, expand
Local Disk (C:), expand Data, and then select Marketing.
3. In the details pane, right-click the empty space, select New, select Text Document, and then enter
File10 as the name of the file.
Note: Adam has local file permissions to create a new file in the Marketing folder, because
permissions were configured by using the Advanced Sharing feature. This modified only the share
permissions, while the default local file permissions were not modified. By default, Authenticated
Users have the Modify permission.
4. In File Explorer, in the navigation pane, select IT, and then click Cancel.
Note: You will get an error, because Adam does not have local file permissions to the IT
folder. Permissions were configured by File Sharing, and only members of the IT group have local
file permissions to the folder.
5. Right-click the Start icon, select Shut down or sign out, and then select Sign out.
6. On LON-CL1, sign in as Adatum\April with the password Pa$$w0rd. April is a member of the IT
group, and she is not a member of the Marketing group.
7. On the taskbar, click File Explorer. In File Explorer, in the navigation pane, expand This PC, expand
Local Disk (C:), expand Data, and then select Marketing.
8. In the details pane, verify that you can see File10 that was created by Adam. Right-click the empty
space, select New, select Text Document, and then type File20 as the name of the file.
Note: April has local file permissions to create a new file in the Marketing folder because
you configured permissions by using the Advanced Sharing feature. This modified only the share
permissions, while the default local file permissions were not modified. By default, Authenticated
Users have the Modify permission.
9. In File Explorer, in the navigation pane, select IT. In the details pane, right-click the empty space,
select New, select Text Document, and then enter File21 as the name of the file.
L6-32 Managing Files and Printers
Note: April is able to create a file, because you configured permissions by using File
Sharing. Members of the IT group have local file permissions to the IT folder.
Note: Be aware that Network File and Folder Sharing modifies file permissions and share
permissions. However, the Advanced Sharing feature does not modify file permissions, and only
sets share permissions.
10. Right-click the Start icon, select Shut down or sign out, and then select Sign out.
2. On the taskbar, click File Explorer. In File Explorer, click the arrow in the Address bar, type
\\LON-CL1, and then press Enter.
3. Verify that you can see the IT and Marketing shares in the details pane. Double-click Marketing.
Verify that you can see the files that Adam and April created locally.
4. In the details pane, right-click the empty space, select New, select Text Document, and then enter
File30 as the name of the file. Adam has permissions to create a new file in the Marketing share
because he is a member of the Marketing group.
5. In File Explorer, click LON-CL1 in the address bar. In the details pane, double-click IT. Read the text in
the Network Error dialog box, and then click Close.
Note: Adam is not a member of the IT group, so he does not have permissions to the IT
share.
6. Right-click the Start icon, select Shut down or sign out, and then select Sign out.
7. Sign in as Adatum\April with the password Pa$$w0rd. April is a member of the IT group, but she is
not a member of the Marketing group.
8. On the taskbar, click File Explorer. In File Explorer, click the arrow in the Address bar, type
\\LON-CL1, and then press Enter.
9. Verify that you can see the IT and Marketing shares in the details pane. Double-click Marketing.
10. Read the text in the Network Error dialog box. April is not a member of the Marketing group, so she
does not have permissions to the Marketing share. Click Close.
11. In the details pane, double-click IT. Right-click the empty space in the details pane, select New, select
Text Document, and then enter File40 as the name of the file. April has permissions to create a new
file in the IT share because she is a member of the IT group.
Note: Users can connect only to shares that were shared for groups in which they are
members, regardless of whether they were shared by File Sharing or Advanced Sharing.
Results: After completing this exercise, you will have created a folder structure for the Marketing and
information technology (IT) departments, shared their folders, and tested local and share permissions.
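The notes in this exercise make one point repeatedly: the File Sharing dialog rewrites the folder's NTFS permissions to match the people you pick and gives Everyone Full Control on the share, whereas Advanced Sharing changes only the share permissions and leaves NTFS alone. The following PowerShell function is an added example (not part of the lab answer key) that shows both permission sets side by side for each share, so the difference can be checked rather than remembered. It assumes the SmbShare module (Windows 8 / Windows Server 2012 and later) and local administrator rights; IT and Marketing are the lab's share names, and the function name is this example's own.

```powershell
# Added example (not from the lab): list each SMB share on this computer with its share
# permissions beside the NTFS permissions of the shared folder.
# Assumes the SmbShare module and local administrator rights.
function Get-ShareAndNtfsPermissions {
    [CmdletBinding()]
    param(
        # Share names to report on; by default every share that is not a built-in admin share (C$, IPC$, ...)
        [string[]]$Name
    )

    $shares = Get-SmbShare | Where-Object { -not $_.Special }
    if ($Name) { $shares = $shares | Where-Object { $Name -contains $_.Name } }

    foreach ($share in $shares) {
        # Share-level ACL: the only thing Advanced Sharing changes.
        $shareAcl = Get-SmbShareAccess -Name $share.Name
        $shareAccess = foreach ($ace in $shareAcl) {
            '{0}: {1} ({2})' -f $ace.AccountName, $ace.AccessRight, $ace.AccessControlType
        }

        # NTFS ACL on the folder: what the File Sharing dialog rewrites to match the people you pick.
        $acl = Get-Acl -Path $share.Path
        $ntfsAccess = foreach ($ace in $acl.Access) {
            $source = if ($ace.IsInherited) { 'inherited' } else { 'explicit' }
            '{0}: {1} ({2}, {3})' -f $ace.IdentityReference, $ace.FileSystemRights, $ace.AccessControlType, $source
        }

        [pscustomobject]@{
            Share               = $share.Name
            Path                = $share.Path
            SharePermissions    = $shareAccess
            NtfsPermissions     = $ntfsAccess
            # True when inheritance was disabled, as File Sharing does for the IT folder in this lab.
            InheritanceDisabled = $acl.AreAccessRulesProtected
            # True when Everyone has Full share access, so NTFS permissions alone decide who gets in.
            NtfsIsOnlyControl   = [bool]($shareAcl | Where-Object {
                $_.AccountName -eq 'Everyone' -and
                $_.AccessRight -eq 'Full' -and
                $_.AccessControlType -eq 'Allow' })
        }
    }
}

# Usage on LON-CL1 after the exercise:
# Get-ShareAndNtfsPermissions -Name IT, Marketing | Format-List
```

Run against the two lab shares, IT should report InheritanceDisabled as True with explicit NTFS entries for Administrators, SYSTEM and ADATUM\IT, while Marketing keeps the inherited entries from C:\ and carries its restriction only in SharePermissions. The NtfsIsOnlyControl flag is the useful one during a review: when it is True, anyone who can reach the share is governed by the folder's NTFS ACL and nothing else.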
4. Right-click Research, select Properties, select the Sharing tab, and then click Advanced Sharing.
5. In the Advanced Sharing dialog box, select the Share this folder check box, and then click
Permissions.
6. In the Permissions for Research dialog box, in the Permissions for Everyone section, select the
Change check box in the Allow column, and then click OK twice.
7. In the Research Properties dialog box, select the Security tab, click Advanced, and then verify that
all permissions entries are inherited from C:\.
8. In the Advanced Security Settings for Research dialog box, select Users (LON-CL1\Users), and
then click Remove. Read the text in the Windows Security dialog box that appears, click OK, and
then click Disable inheritance.
9. In the Block Inheritance dialog box, click Convert inherited permissions into explicit permissions
on this object, and then verify that all permissions entries are set explicitly at this level because their
permission inheritance is set to None.
10. In the Advanced Security Settings for Research dialog box, select Users (LON-CL1\Users), and
then click Remove. The Users entry is removed from the Permission entries list because it is now set
explicitly at this level rather than inherited.
11. Verify that Authenticated Users is selected, and then click Edit.
12. In the Permission Entry for Research dialog box, click Add a condition, and compose the following
expression: User department Equals Value research. You will need to type research manually in the
last box. Click OK twice, and then click Close.
13. In File Explorer, in the navigation pane, expand Data, right-click IT, select Properties, select the
Security tab, and then click Advanced.
14. In the Advanced Security Settings for IT dialog box, select IT (ADATUM\it), and then click Edit.
15. In the Permission Entry for IT dialog box, click Add a condition, and compose the following
expression: User Country Equals Value US. You will need to type US manually in the last field. Click
OK three times.
3. At the command prompt, view user claims by typing whoami /claims, and then press Enter. Review
the output, and then close the command prompt.
Note: April has a department claim value of IT, so she cannot connect to the Research
share.
4. In File Explorer, in the address bar, click LON-CL1. In the details pane, double-click IT.
5. In the details pane, right-click the empty space, select New, select Text Document, and then enter
File50 as the name of the file.
Note: April has permissions to create a new file in the IT share because she is a member of
the IT group and her Country claim has a value of US.
6. Right-click the Start icon, select Shut down or sign out, and then select Sign out.
7. Sign in as Adatum\Jesper with the password Pa$$w0rd. Jesper is a member of the IT group.
8. On the taskbar, click File Explorer. In File Explorer, click the arrow in the Address bar, type
\\LON-CL1, and then press Enter.
9. In the details pane, double-click IT. Jesper is a member of the IT group, but he cannot connect to
the IT share. Click Close.
10. Right-click the Start icon, and then select Command Prompt.
11. At the command prompt, view user claims by typing whoami /claims, and then press Enter. Review
the output, and then close the command prompt.
Note: Jesper has a Country claim with the value of GB, so he cannot connect to the IT
share, even though he is a member of the IT group.
12. Right-click the Start icon, select Shut down or sign out, and then select Sign out.
14. Right-click the Start icon, and then select Command Prompt.
15. At the command prompt, view user claims by typing whoami /claims, and then pressing Enter.
Review the output, and then close the command prompt.
Note: Anil is in the Research department, and his department claim has the value of
Research.
16. On the taskbar, click File Explorer. In File Explorer, click the arrow in the Address bar, type
\\LON-CL1, and then press Enter.
17. In the details pane, double-click Research, and then verify that Anil can view the contents of the
Research folder.
18. In the details pane, right-click the empty space, select New, select Text Document, and then enter
File60 as the name of the file.
Note: Anil has permissions to create a new file in the Research share because his
department claim has a value of Research.
2. In the Advanced Security Settings for Marketing dialog box, click Select a user, in the Enter the
object name to select (examples) box, enter Joel, click OK, and then click View effective access.
View the effective permissions, and then click OK twice.
Note: Because Authenticated Users have the Modify permission to the Marketing folder, you can
see that Joel has the most permissions allowed.
3. In File Explorer, in the navigation pane, right-click Research, select Properties, select the Security
tab, click Advanced, and then select the Effective Access tab.
4. In the Advanced Security Settings for Research dialog box, click Select a user, in the Enter the
object name to select (examples) text box, enter Ales, click OK, and then click View effective
access. Ales is a member of the Development group.
Note: Only users whose department claim has a value of Research have permissions to
the folder, so you can see that Ales has no permissions allowed.
5. In the Advanced Security Settings for Research dialog box, click Include a user claim, select
department in the drop-down list, enter Research in the Enter value here text box, and then click
View effective access.
Note: You can see that if Ales had the department user claim with the value of Research,
he would have the most permissions allowed.
6. In the Advanced Security Settings for Research dialog box, click Select a user, in the Enter the
object name to select (examples) box, enter Aziz, click OK, and then click View effective access.
Review the effective permissions, and then click OK twice.
Note: If Aziz had the user claim of department with the value of Research, he would have
the most permissions allowed.
Results: After completing this exercise, you will have configured and tested conditions to control access.
You will have also viewed effective permissions.
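The "Add a condition" steps in the previous exercise and the Effective Access checks above both rely on conditional access control entries, which Windows stores in the folder's security descriptor alongside the ordinary entries. As an added example (not from the lab), the PowerShell function below reads a folder's security descriptor in SDDL form and lists only the conditional entries with their condition text, which is a quick way to confirm what the Permission Entry dialog wrote. It assumes Windows PowerShell 5.1 or later and read access to the folder; conditional entries use the documented callback ACE types XA (allow) and XD (deny) with an expression such as (@USER.department == "research"). The SDDL string at the bottom is constructed for offline use and mirrors the lab's Research folder; the function name is this example's own.

```powershell
# Added example (not from the lab): list conditional (claims-based) ACEs on a folder by parsing
# its SDDL. Assumes PowerShell 5.1+ and read access to the folder.
function Get-ConditionalAce {
    [CmdletBinding(DefaultParameterSetName = 'Path')]
    param(
        [Parameter(ParameterSetName = 'Path', Mandatory, Position = 0)]
        [string]$Path,
        [Parameter(ParameterSetName = 'Sddl', Mandatory)]
        [string]$Sddl
    )

    if ($PSCmdlet.ParameterSetName -eq 'Path') {
        $Sddl = (Get-Acl -Path $Path).Sddl
    }

    # Well-known SDDL principal abbreviations seen in this lab; anything else is shown as-is.
    $principals = @{ AU = 'Authenticated Users'; BA = 'Administrators'; BU = 'Users'; SY = 'SYSTEM'; WD = 'Everyone' }

    # Conditional ACEs start with "(XA;" or "(XD;" and end with a parenthesised condition that may
    # itself contain parentheses, so walk the string and match parentheses by depth.
    $results = @()
    $i = 0
    while (($i = $Sddl.IndexOf('(X', $i)) -ge 0) {
        $depth = 0
        $j = $i
        do {
            switch ($Sddl[$j]) { '(' { $depth++ } ')' { $depth-- } }
            $j++
        } while ($depth -gt 0 -and $j -lt $Sddl.Length)

        $ace = $Sddl.Substring($i + 1, $j - $i - 2)   # strip the outer parentheses
        $fields = $ace -split ';', 7                  # type;flags;rights;objguid;inhguid;sid;condition
        if ($fields.Count -eq 7 -and $fields[0] -in 'XA', 'XD') {
            $sid = $fields[5]
            $results += [pscustomobject]@{
                Type      = if ($fields[0] -eq 'XA') { 'Allow' } else { 'Deny' }
                Rights    = $fields[2]
                Principal = if ($principals.ContainsKey($sid)) { $principals[$sid] } else { $sid }
                Condition = $fields[6]
            }
        }
        $i = $j
    }
    $results
}

# Constructed sample (not read from a real folder): Authenticated Users get Modify rights
# (0x1301bf) only when the user's department claim equals "research", like the lab's Research folder.
$sampleSddl = 'O:BAG:SYD:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)' +
              '(XA;OICI;0x1301bf;;;AU;(@USER.department == "research"))'
Get-ConditionalAce -Sddl $sampleSddl | Format-Table -AutoSize

# Live check on the lab folder once the condition has been added:
# Get-ConditionalAce -Path 'C:\Data\Research'
```

On the constructed sample the function returns one Allow entry for Authenticated Users with the condition (@USER.department == "research"). Pair the output with whoami /claims on the client, as the lab does, and you can see both halves of the decision: the claim the user actually carries and the claim the folder demands.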
Install-WindowsFeature FS-SyncShareService
Note: After the feature installs, you will receive a warning message because Windows
automatic updating is not enabled. You can ignore the warning.
2. Minimize the Windows PowerShell window, and then click the Server Manager icon on the taskbar.
3. In Server Manager, in the navigation pane, click File and Storage Services, click Work Folders, click
TASKS in the WORK FOLDERS section, and then click New Sync Share.
4. In the New Sync Share Wizard, on the Before you begin page, click Next.
5. On the Select the server and path page, in the Enter a local path field, type C:\MarketingSync,
click Next, and then click OK.
Note: If LON-DC1 is not listed in the Servers section, click Cancel. In Server Manager, click
Refresh, and then repeat this task from step 3.
6. On the Specify the structure for user folders page, verify that User alias is selected, and then click
Next.
7. On the Enter the sync share name page, click Next to accept the default sync share name.
8. On the Grant sync access to groups page, click Add, and in the Enter the object name to select
(examples) field, type Marketing, click OK, and then click Next.
9. On the Specify device policies page, verify the two available options. Clear the Automatically lock
screen, and require a password check box, select the Encrypt Work Folders check box, and then
click Next.
10. On the Confirm selections page, click Create.
3. Expand Sites, right-click Default Web Site, and then select Edit Bindings.
5. In Add Site Binding, select https as Type. In the SSL certificate box, select LON-DC1.adatum.com,
click OK, and then click Close.
2. In the Group Policy Management Console, in the navigation pane, expand Forest: Adatum.com,
expand Domains, expand Adatum.com, and then select Marketing.
3. Right-click Marketing, and then select Create a GPO in this domain, and Link it here. In the Name
field, type Deploy Work Folders, and then click OK.
5. In the Group Policy Management Editor, under User Configuration, in the navigation pane, expand
Policies, Administrative Templates, Windows Components, and then click the Work Folders
node.
6. In the details pane, right-click Specify Work Folder settings, and then select Edit.
7. In the Specify Work Folders settings dialog box, select Enabled. In the Work Folders URL field,
type https://lon-dc1.adatum.com, select the Force automatic setup check box, click OK, and then
close the Group Policy Management Editor.
8. On LON-CL1, sign in as adatum\adam with the password Pa$$w0rd.
11. Right-click the On LON-CL1 file, and then select Properties. Click Advanced, and then verify that the
Encrypt contents to secure data check box is selected. Click Cancel, and then click OK.
2. On LON-CL4, on the taskbar, right-click the Start icon, and then click Control Panel.
3. In Control Panel, in the Search Control Panel field, type work, and then click Work Folders.
4. On the Manage Work Folders page, click Set up Work Folders, and then on the Enter your work
email address page, click Enter a Work Folders URL instead.
5. On the Enter a Work Folders URL page, in the Work Folders URL box, type
https://lon-dc1.adatum.com, and then click Next.
6. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password
field, type Pa$$w0rd, and then click OK.
7. On the Introducing Work Folders page, review the local Work Folders location, and then click Next.
8. On the Security policies page, select the I accept these policies on my PC check box, and then
click Set up Work Folders.
9. On the Work Folders has started syncing with this PC page, click Close.
10. On the Work Folders page, verify that the On LON-CL1.txt file displays.
2. On LON-CL1, in Work Folders, verify that only the On LON-CL1 file displays.
Note: Work Folders synchronizes every 10 minutes automatically. You also have an option
to trigger synchronization manually.
3. In File Explorer, in the navigation pane, right-click Work Folders, and then click Sync Now. Verify
that both files, On LON-CL1.txt and On LON-CL4.txt, display in the details pane.
4. On the taskbar, right-click the Start button, and then select Control Panel.
5. In Control Panel, in the Search Control Panel field, type network, and then click View network
connections under Network and Sharing Center. Right-click Ethernet, and then select Disable. In
the User Account Control dialog box, type Administrator as User name, Pa$$w0rd as Password,
and then click Yes.
6. On LON-CL1, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.
7. In Notepad, type Modified offline, close Notepad, and then click Save.
8. In Work Folders, right-click in the details pane, select New, select Text Document, and then name
the file Offline LON-CL1.
9. On LON-CL4, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.
10. In Notepad, type Online modification, close Notepad, and then click Save.
11. On LON-CL1, in Network Connections, right-click Ethernet, and then select Enable. In the User
Account Control dialog box, type Administrator as User name, Pa$$w0rd as Password, and then
click Yes.
12. Switch to Work Folders. Verify that four files display in the details pane, including On LON-CL1 and
On LON-CL1-LON-CL1. The file was modified at two locations, so a conflict occurred, and one of the
copies was renamed.
Note: The file On LON-CL1-LON-CL1 will appear after a few seconds, when synchronization occurs.
Results: After completing this exercise, you will have configured and used the Work Folders feature
successfully.
2. On the taskbar, in the Search the web and Windows field, enter printer, and then click Devices and
Printers.
4. In the Add a device dialog box, click The printer that I want isn't listed.
5. On the Find a printer by other options page, select the Add a local printer or network printer
with manual settings option, and then click Next.
6. On the Choose a printer port page, verify that Use an existing port is selected, and then click Next.
7. On the Install the printer driver page, in the Manufacturer list, select Microsoft. In the Printers
list, select Microsoft PCL6 Class Driver, and then click Next.
8. On the Type a printer name page, in the Printer name field, type Managers Printer, and then click
Next.
9. On the Printer Sharing page, click Next, and then click Finish.
2. In the Managers Printer Properties dialog box, verify that Everyone is selected, and then click
Remove. Click Add, in the Enter the object names to select (examples) box, enter Managers, and
then click OK. In the Permissions for Managers section, verify that the Print check box is selected in the
Allow column, and then click OK.
2. In the Administrative Tools window, double-click Print Management. Close the Administrative Tools
window.
3. In Print Management, in the navigation pane, expand Print Servers, and then verify that LON-CL1 is
the only print server listed. Right-click Print Servers, and then select Add/Remove Servers.
4. In the Add/Remove Servers dialog box, in the Add Servers field, enter LON-DC1, and then click
Add to List. Type LON-CL2 in the Add Servers field, click Add to List, and then click OK. Verify that
the navigation pane lists three print servers.
6. On the Printer Installation page, select Add a new printer using an existing port, and then
click Next.
7. On the Printer Driver page, verify that the Install a new driver option is selected, and then
click Next.
8. On the Printer Installation page, in the Manufacturer list, select Microsoft. In the Printers list,
select Microsoft PS Class Driver, and then click Next.
9. On the Printer Name and Sharing Settings page, in the Printer Name box, enter PostScript
Printer, then in the Share Name box, enter PostScript Printer, click Next twice, and then click
Finish.
2. On the taskbar, in the Search the web and Windows field, enter printer, and then click Devices and
Printers.
3. In Devices and Printers, verify that you can see PostScript Printer, which you added remotely in the
previous task. Click Add a printer.
4. In the Add a device dialog box, click The printer that I want isn't listed.
5. On the Find a printer by other options page, select Select a shared printer by name, type
\\LON-CL1\Managers Printer in the box, and then click Next.
6. In the Connect to lon-cl1 dialog box, click Cancel. In the box, type \\LON-DC1\Printer1, click Next
twice, and then click Finish.
Note: Because April is not a member of the Managers group, she does not have
permissions to \\LON-CL1\Managers Printer, so you were asked to enter credentials that have the
appropriate permissions.
7. In Devices and Printers, verify that Printer1 on lon-dc1 is added and that it has a green check mark,
which indicates that it is the default printer.
3. In the Print dialog box, verify that Printer1 on lon-dc1 is selected, and then click Print.
4. On LON-CL1, in Print Management, in the navigation pane, click Printers With Jobs. In the details
pane, view that Printer1 is listed and that it has one job in the queue.
5. On LON-CL2, on the notification bar, right-click the printer icon, and then select
Printer1 on lon-dc1.
6. In the Printer1 on lon-dc1 window, verify that you can see a single document called Untitled -
Notepad. Right-click Untitled - Notepad, review its properties, and then click OK.
7. Right-click Untitled - Notepad, select Cancel, and then click Yes. You now have canceled Adam's
print job.
8. On LON-CL1, in Print Management, verify that there are no longer any printers listed under the
Printers With Jobs node.
2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.
Results: After completing this exercise, you will have added a local and remote printer. You also will have
configured printer security, and used the Print Management feature to manage printers.
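The printer tasks above do two things by hand that are worth scripting on more than one machine: replacing Everyone with a single group in the printer's Print permission, and inspecting or cancelling jobs on a remote print server. The PowerShell below is an added example (not from the lab) that does both with the PrintManagement module (Windows 8 / Windows Server 2012 and later). Printer security is stored as an SDDL string that can only hold SIDs, so the function resolves the group name first and then writes the default printer DACL with the two Everyone (WD) Print entries swapped for the group. Managers Printer, ADATUM\Managers, LON-DC1 and Printer1 are the lab's names; the function names are this example's own, and the SDDL layout is the documented default printer DACL.

```powershell
# Added example (not from the lab): restrict Print on a printer to one group, then list and
# cancel queued jobs on a print server. Assumes the PrintManagement module and admin rights
# on the print server.
function Set-PrinterPrintGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [Parameter(Mandatory)][string]$Group,            # e.g. 'ADATUM\Managers'
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # SDDL carries SIDs, not names, so resolve the group before building the descriptor.
    $account = New-Object System.Security.Principal.NTAccount($Group)
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Default printer DACL with the Everyone (WD) Print entries replaced by the group:
    #   SWRC on the printer = PRINTER_ACCESS_USE + READ_CONTROL ("Print" in the GUI)
    #   GX, container-inherit, inherit-only = the matching right on print jobs
    # Administrators (BA) keep Manage rights; job owner (OW) and creator (CO) keep their defaults.
    $sddl = 'O:BAG:DUD:' +
            '(A;OIIO;RPWPSDRCWDWO;;;OW)(A;OIIO;GA;;;CO)' +
            "(A;;SWRC;;;$sid)(A;CIIO;GX;;;$sid)" +
            '(A;;LCSWDTSDRCWDWO;;;BA)(A;OICIIO;GA;;;BA)'

    if ($PSCmdlet.ShouldProcess("$ComputerName\$PrinterName", "restrict Print to $Group")) {
        Set-Printer -Name $PrinterName -ComputerName $ComputerName -PermissionSDDL $sddl
    }
    Get-Printer -Name $PrinterName -ComputerName $ComputerName |
        Select-Object Name, Shared, ShareName, PermissionSDDL
}

function Get-QueuedPrintJobs {
    # Same view as the "Printers With Jobs" node in Print Management, for one printer.
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-PrintJob -PrinterName $PrinterName -ComputerName $ComputerName |
        Select-Object Id, DocumentName, UserName, JobStatus, SubmittedTime
}

function Remove-UserPrintJobs {
    # Cancel every queued job a given user submitted, as the lab does for Adam's job by hand.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$PrinterName,
        [Parameter(Mandatory)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Get-PrintJob -PrinterName $PrinterName -ComputerName $ComputerName |
        Where-Object { $_.UserName -eq $UserName } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("job $($_.Id) '$($_.DocumentName)'", 'cancel')) {
                $_ | Remove-PrintJob
            }
        }
}

# Usage on LON-CL1 (the lab's values):
# Set-PrinterPrintGroup -PrinterName 'Managers Printer' -Group 'ADATUM\Managers'
# Get-QueuedPrintJobs -PrinterName 'Printer1' -ComputerName 'LON-DC1'
# Remove-UserPrintJobs -PrinterName 'Printer1' -ComputerName 'LON-DC1' -UserName 'Adam' -WhatIf
```

Both mutating functions support -WhatIf, so the SDDL and the job selection can be reviewed before anything changes. After Set-PrinterPrintGroup, a user outside the group who connects to \\LON-CL1\Managers Printer gets the same credential prompt April sees in the lab.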
2. In the notification area, click Notifications, and then click All settings.
6. Close Settings.
6. On the Certificate Store page, click Place all certificates in the following store, click Browse, click
Trusted Root Certification Authorities, click OK, click Next, and then click Finish.
7. In the Certificate Import Wizard dialog box, confirm that the import was successful, and then
click OK.
3. At the User Account Control prompt, in the User name box, type Administrator.
4. In the Password box, type Pa$$w0rd, and then click Yes.
2. In the This app and its related info will be uninstalled dialog box, click Uninstall.
Results: After completing this exercise, you will have successfully sideloaded an app.
2. In the notification area, click Notifications, and then click All settings.
3. In Settings, click Accounts, and then click Sign in with a Microsoft account instead.
4. On the Make it yours page, in the Email or phone box, type your Microsoft account email address,
and then in the Password box, type the associated password.
Note: In Module 3, you created a Microsoft account with the following properties:
6. On the Enter your old password one last time page, in the Old password box, type Pa$$w0rd,
and then click Next.
7. On the Set up a PIN page, click Set a PIN.
8. In the Set up a PIN dialog box, in the New PIN and Confirm PIN boxes, type 1212, and then
click OK.
Results: After completing this exercise, you will have signed in successfully with a Microsoft account.
4. In Settings, under App updates, click Update apps automatically to disable the setting.
5. Click Back.
Note: If prompted by the Your account is missing some key info dialog box, complete
the information regarding Birthdate and Country/Region and click Next.
6. In the This app and its related info will be uninstalled dialog box, click Uninstall.
7. Sign out of LON-CL1.
Results: After completing this exercise, you will have installed and maintained Windows Store apps
successfully.
4. In the Where to next box, type http://lon-dc1, and then press Enter.
3. Under Open with, click A specific page or pages, and then in the list that appears, click Custom.
4. In the Enter a web address box, type http://lon-dc1, and then click the + symbol to the right.
5. Click X next to about:Start.
14. Open a new tab, and then click Home. Verify that the A. Datum Intranet site displays.
Note: If prompted by Office, click Next three times, and then click All Done!
5. Close Excel.
2. In Microsoft Edge, on the A Datum Intranet tab, on the menu bar, click Make a Web Note.
6. Click Add a typed note, and then click the cursor somewhere on the webpage.
7. Type This is my note, and then on the menu, click Save Web Note.
9. Click Exit.
11. Click the Web Notes A Datum Intranet link. Your web note opens.
12. In the system tray, click Notifications, and then click Tablet mode.
2. In Microsoft Edge, on the A Datum Intranet Home Page, click Current Projects. A new tab opens
with columns displayed for Project and Project Lead. No data displays.
4. Click Open with Internet Explorer. The same webpage displays, but with the data extracted from
the CSV file and displayed in the appropriate columns.
5. Close Internet Explorer.
Results: After completing this exercise, you will have configured and used Microsoft Edge successfully in
Windows 10.
8. On the menu bar, click Tools, and then click Compatibility View settings.
9. In the Compatibility View Settings dialog box, click Add to add the LON-DC1 website to
Compatibility View, and then click Close.
4. In the Delete Browsing History dialog box, clear the Preserve Favorites website data check box,
select the Temporary Internet files and website files, Cookies and website data, and History
check boxes, and then click Delete.
6. Confirm that there are no addresses stored in the Address bar by clicking the down arrow next to the
Address bar.
9. Confirm that the address you entered is not stored by clicking the down arrow next to the Address
bar.
4. Click Close.
Results: After completing this exercise, you will have configured and used Internet Explorer 11
successfully.
2. In the Virtual Machines list, right-click 20697-1B-LON-CL1, and then click Revert.
2. On the taskbar, click the File Explorer icon, click This PC, and then double-click Local Disk (C:).
3. On the title bar, click the New Folder icon. Name the new folder SecretDon.
3. In the Advanced Attributes dialog box, select the Encrypt contents to secure data check box.
4. Click OK twice.
5. Verify that the SecretDon folder appears in green.
7. In the blank area, right-click and click New, and then click Text Document.
8. Name the new file Secrets, and then double-click the file to open it.
10. Close the file, and then when prompted, click Save.
Results: After completing this exercise, you will have created a folder that automatically encrypts files
placed inside it to the Don account. You also will have verified this by using the Adam account.
L8-52 Managing Data Security
2. In the search box on the taskbar, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative
Templates, expand Windows Components, and then expand BitLocker Drive Encryption.
4. Click Operating System Drives, and then double-click Require additional authentication at
startup.
5. In the Require additional authentication at startup dialog box, click Enabled, and then click OK.
6. Close the Local Group Policy Editor.
8. At the command prompt, type gpupdate /force, and then press Enter.
9. Close all open windows.
11. After the computer restarts, sign in as Adatum\Administrator with the password Pa$$w0rd.
6. On the How do you want to back up your recovery key? page, click Save to a file.
7. In the Save BitLocker recovery key as dialog box, click Local Disk (C:).
8. On the File Explorer toolbar, click New folder, type BitLocker, and then press Enter.
9. In the Save BitLocker recovery key as dialog box, click Open, click Save, click Yes, and then click
Next.
10. On the BitLocker Drive Encryption (E:) page, click Start encrypting, and then click Close.
8. Enter the password Pa$$w0rd, press Enter to unlock the drive, and then verify access to the drive
contents.
9. Close all open windows.
Results: After completing this exercise, you will have encrypted the hard drive.
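The wizard steps above protect a data drive with a password, back up the recovery key to a file, and then verify that the password unlocks the drive. The PowerShell below is an added example (not from the lab) that performs the same sequence with the BitLocker module (Windows 8 / Windows Server 2012 and later) from an elevated session, so it can be repeated on several drives and the recovery key file is written deterministically. E: and C:\BitLocker are the lab's values; the function names are this example's own.

```powershell
# Added example (not from the lab): enable BitLocker on a data drive with a password protector,
# add a recovery password protector, save the recovery key to a file, and verify unlocking.
# Assumes the BitLocker module and an elevated PowerShell session.
function Enable-DataDriveBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = 'E:',
        [Parameter(Mandatory)][securestring]$Password,
        [string]$RecoveryKeyFolder = 'C:\BitLocker'
    )

    # First protector: the password the user will type to unlock the drive.
    # -UsedSpaceOnly matches the wizard's default for a drive that is new or nearly empty.
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null

    # Second protector: a 48-digit recovery password generated by BitLocker itself.
    $volume   = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $recovery = $volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'

    # Same content the wizard's "Save to a file" option writes: identifier plus the key.
    New-Item -ItemType Directory -Path $RecoveryKeyFolder -Force | Out-Null
    $id   = $recovery.KeyProtectorId.Trim('{}')
    $file = Join-Path $RecoveryKeyFolder "BitLocker Recovery Key $id.txt"
    @(
        'BitLocker Drive Encryption recovery key'
        "Identifier:   $($recovery.KeyProtectorId)"
        "Recovery Key: $($recovery.RecoveryPassword)"
    ) | Set-Content -Path $file

    [pscustomobject]@{
        MountPoint      = $MountPoint
        VolumeStatus    = (Get-BitLockerVolume -MountPoint $MountPoint).VolumeStatus
        Protectors      = ($volume.KeyProtector.KeyProtectorType -join ', ')
        RecoveryKeyFile = $file
    }
}

function Test-BitLockerPasswordUnlock {
    # Lock the drive and prove the password unlocks it again (the lab's final verification step).
    param(
        [string]$MountPoint = 'E:',
        [Parameter(Mandatory)][securestring]$Password
    )
    Lock-BitLocker -MountPoint $MountPoint -ForceDismount | Out-Null
    Unlock-BitLocker -MountPoint $MountPoint -Password $Password | Out-Null
    (Get-BitLockerVolume -MountPoint $MountPoint).LockStatus -eq 'Unlocked'
}

# Usage (prompting keeps the passphrase out of the command history):
# $pw = Read-Host -AsSecureString -Prompt 'BitLocker password'
# Enable-DataDriveBitLocker -MountPoint 'E:' -Password $pw
# Test-BitLockerPasswordUnlock -MountPoint 'E:' -Password $pw
```

Outside a lab, the recovery key file should not stay on the same computer as the drive it unlocks; escrowing the recovery password in Active Directory (the BitLocker Group Policy settings under "Store BitLocker recovery information in Active Directory Domain Services") or another managed store is the usual choice.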
2. On the Tools menu of the Server Manager Console, click Group Policy Management.
4. In the Group Policy Objects in Adatum.com window, right-click the Default Domain Policy policy,
and then click Edit.
5. In the Group Policy Management Editor, expand the Computer Configuration\Policies
\Windows Settings\Security Settings\Account Policies node, and then click Password Policy.
7. On the Minimum password length Properties page, set the Password must be at least value to
12 characters, and then click OK.
13. In the Account Lockout Threshold dialog box, set the Account Will Lock Out After settings to 2
invalid logon attempts, and then click OK.
14. Close the Group Policy Management Editor.
16. On the Tools menu of the Server Manager Console, click Active Directory Users and Computers.
17. Expand the Adatum.com node, and then click the IT OU.
18. Right-click the Don Funk user account, and then click Properties.
19. In the Don Funk Properties dialog box, click the Account tab.
20. In the list of Account Options, deselect the Password never expires option, and then select the
User must change password at next logon option. Click OK.
L9-56 Managing Device Security
2. In the Administrator: Windows PowerShell window, type the following command, and then press
Enter:
Gpupdate /force
Results: After completing this exercise, you will have configured password policies to require a
12-character password and an account lockout policy that will lock out a user account if a user enters
more than two incorrect passwords in succession.
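The Group Policy editor steps above set the Default Domain Policy's minimum password length and account lockout threshold, then clear "Password never expires" on Don Funk's account. The PowerShell below is an added example (not from the lab) that applies and verifies the same settings with the ActiveDirectory module, which is handier for auditing that the values actually took effect. It assumes the RSAT ActiveDirectory module on a domain controller or management host with rights to edit the domain policy; adatum.com and the Don account are the lab's, the lockout duration and observation window of 30 minutes are the editor's suggested defaults (an assumption, since the lab leaves them at whatever the editor proposed), and the function names are this example's own.

```powershell
# Added example (not from the lab): set and verify the domain password/lockout policy and
# the per-user "must change password" flag with the ActiveDirectory module.
# Assumes RSAT ActiveDirectory and rights to modify the Default Domain Policy.
function Set-LabPasswordPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Domain = 'adatum.com',
        [int]$MinPasswordLength = 12,
        [int]$LockoutThreshold = 2,
        # Assumed values: the editor suggests 30 minutes for both when a threshold is set.
        [timespan]$LockoutDuration = (New-TimeSpan -Minutes 30),
        [timespan]$LockoutObservationWindow = (New-TimeSpan -Minutes 30)
    )

    if ($PSCmdlet.ShouldProcess($Domain, 'set default domain password policy')) {
        # Writes the same Default Domain Policy values the GUI steps set.
        Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
            -MinPasswordLength $MinPasswordLength `
            -LockoutThreshold $LockoutThreshold `
            -LockoutDuration $LockoutDuration `
            -LockoutObservationWindow $LockoutObservationWindow
    }

    # Read back what the domain now enforces.
    Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
        Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                      LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

function Set-UserMustChangePassword {
    # Same as clearing "Password never expires" and ticking "User must change password at next logon".
    param([Parameter(Mandatory)][string]$Identity)
    Set-ADUser -Identity $Identity -PasswordNeverExpires $false -ChangePasswordAtLogon $true
    # pwdLastSet of 0 is how the directory records "must change at next logon".
    Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, PasswordExpired, pwdLastSet |
        Select-Object SamAccountName, PasswordNeverExpires, PasswordExpired, pwdLastSet
}

function Get-LockedOutUsers {
    # After the lockout test in the next exercise: which accounts are currently locked.
    Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
}

# Usage on LON-DC1:
# Set-LabPasswordPolicy -Domain 'adatum.com'
# Set-UserMustChangePassword -Identity 'Don'
# Get-LockedOutUsers
# Unlock-ADAccount -Identity 'Don'    # once the lockout has been verified
```

Clients still need gpupdate /force (or a policy refresh) before the new length is enforced at password change, which is why the lab runs it on LON-CL1 immediately afterwards; the lockout threshold, by contrast, is enforced by the domain controllers as soon as the policy is written.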
3. In the New Password box and the Confirm Password box, type Pa$$w0rd12, and then press Enter.
4. When the message displays that indicates that the new password does not meet the length,
complexity, or history requirements of the domain, click OK. Type the old password Pa$$w0rd.
5. In the New Password box and the Confirm Password box, type Pa$$w0rd1234, and then press
Enter.
6. When a message displays that indicates that the password has been changed, click OK.
7. After signing in, right-click Start, and then click Command Prompt.
8. At the command prompt, type the following command, and then press Enter:
Gpupdate /force
9. Click Start, click Don Funk, and then click Sign Out.
3. Attempt again to sign in to LON-CL1 as Adatum\Don with the incorrect password, Banana.
4. When a message displays that indicates that the password is incorrect, click OK.
5. Attempt again to sign in to LON-CL1 as Adatum\Don with the incorrect password, Banana.
6. When the message displays that indicates that the referenced account is locked, and you may not
sign in, click OK.
Results: After completing this exercise, you will have verified that the policies, with respect to password
length and account lockout, were applied correctly.
2. In the Search the web and Windows box on the taskbar, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Local Policies, and then click Security Options.
4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for
standard users.
5. In the User Account Control: Behavior of the elevation prompt for standard users dialog box,
click Prompt for credentials on the secure desktop, and then click OK.
6. In the results pane, double-click User Account Control: Only elevate executables that are signed
and validated.
7. In the User Account Control: Only elevate executables that are signed and validated dialog box,
click Enabled, and then click OK.
8. In the results pane, double-click User Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode.
9. In the User Account Control: Behavior of the elevation prompt for administrators in Admin
Approval Mode dialog box, click Prompt for consent on the secure desktop, and then click OK.
10. Close the Local Group Policy Editor, and then sign out.
2. Open the Administrative menu by pressing the Windows logo key+X, and then click Command
Prompt (Admin). The Windows operating system displays the User Account Control prompt.
3. In the User name box, type Administrator, and in the Password box, type Pa$$w0rd, and then
click Yes.
5. Sign out.
2. Open the Administrative menu by pressing the Windows logo key+X, and then click Control Panel.
3. In Control Panel, click System and Security.
Results: After completing this exercise, you will have reconfigured UAC notification behavior and
prompts.
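The three policy choices above are stored as registry values under the UAC policy key. The following audit script is an added example, not part of the lab or of Microsoft's course materials; it reads those values on LON-CL1 and reports whether each matches the configuration the exercise sets (the value encodings are the documented ones for these policies).

```powershell
# Added audit script (not part of the lab): verify the UAC policy values that the
# Local Group Policy Editor steps above set on LON-CL1.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry encodings of the policy choices made in the exercise. PromptOnSecureDesktop
# and EnableLUA are included because the secure-desktop prompts only take effect when both are 1.
$expectedUac = [ordered]@{
    ConsentPromptBehaviorUser   = 1   # Prompt for credentials on the secure desktop
    ValidateAdminCodeSignatures = 1   # Only elevate executables that are signed and validated
    ConsentPromptBehaviorAdmin  = 2   # Prompt for consent on the secure desktop
    PromptOnSecureDesktop       = 1   # Switch to the secure desktop when prompting for elevation
    EnableLUA                   = 1   # Admin Approval Mode (UAC) itself is on
}

function Test-UacConfiguration {
    [CmdletBinding()]
    param(
        [string]$Key = $uacKey,
        [System.Collections.IDictionary]$Expected = $expectedUac
    )
    $actual = Get-ItemProperty -Path $Key -ErrorAction Stop
    foreach ($name in $Expected.Keys) {
        $prop = $actual.PSObject.Properties[$name]
        # A missing value means the built-in default applies; for ConsentPromptBehaviorAdmin (5)
        # and ValidateAdminCodeSignatures (0) that default is weaker than the lab configuration.
        $value = if ($null -ne $prop) { [int]$prop.Value } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $value
            Compliant = ($value -eq $Expected[$name])
        }
    }
}

# Run in an elevated PowerShell window after the gpedit.msc changes; every row should show Compliant = True.
Test-UacConfiguration | Format-Table -AutoSize
```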
4. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
10. Click Browse Files, in the File name box, type C:\Program Files\Windows Media Player
\wmplayer.exe, and then click Open.
11. Click Next twice, and then click Create.
12. Click Yes when prompted to create default rules.
6. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter. Wait for
the policy to update.
2. Select Computer Management from the Administrative menu by pressing the Windows logo
key+X. Expand Event Viewer, expand Windows Logs, and then click System.
3. In the results pane, locate and click the latest event with Event ID 1502.
2. Type Media Player in the Search the web and Windows box, and then click Windows Media Player.
4. Sign out, and then sign in as Adatum\Administrator with the password Pa$$w0rd.
5. Select Event Viewer from the Administrative menu by pressing the Windows logo key+X.
6. In Event Viewer, expand Application and Services Logs, expand Microsoft, expand Windows,
expand AppLocker, and then click EXE and DLL.
7. Review the entries in the results pane. Locate Event ID 8004. This shows that Holly attempted to run
a prohibited application.
Results: After completing this exercise, you will have created and tested executable and default
AppLocker rules.
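Event ID 8004 in the AppLocker EXE and DLL log is the enforcement record that step 7 locates by hand. The script below is an added example, not part of the lab or of Microsoft's materials; it reads those events on the local computer and reports who attempted to run which file, so the block of Windows Media Player can be confirmed without clicking through Event Viewer. The event's RuleAndFileData fields used here are the ones AppLocker writes in its event XML.

```powershell
# Added example (not part of the lab): list AppLocker enforcement events from the
# EXE and DLL log and show the user, file and rule involved.
function Get-AppLockerBlockEvent {
    [CmdletBinding()]
    param(
        # 8004 = blocked (enforce mode); 8003 = would have been blocked (audit-only mode)
        [int[]]$EventId = 8004,
        [int]$MaxEvents = 100
    )
    $filter = @{
        LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id      = $EventId
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The typed event data (RuleAndFileData) is more reliable than parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.UserData.RuleAndFileData.ChildNodes) {
                $data[$node.LocalName] = $node.InnerText
            }
            # TargetUser is a SID; translate it to DOMAIN\user when the account can be resolved.
            $user = $data['TargetUser']
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($user)
                $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                EventId  = $_.Id
                User     = $user
                FilePath = $data['FilePath']    # AppLocker writes paths with variables such as %PROGRAMFILES%
                Policy   = $data['PolicyName']  # EXE or DLL
                Rule     = $data['RuleName']
            }
        }
}

# Blocked launches of Windows Media Player, the executable the lab rule prohibits for Holly.
Get-AppLockerBlockEvent | Where-Object FilePath -like '*\wmplayer.exe' | Format-Table -AutoSize
```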
2. Right-click Start, click Run, type mstsc.exe, and then press Enter.
5. Open the Start menu on LON-CL1, click Administrator, and then click Sign out.
4. In the left pane, click Advanced settings, right-click Inbound Rules, and then click New Rule.
5. In the New Inbound Rule Wizard window, select Predefined, click the drop-down list, click Remote
Desktop, and then click Next.
6. On the Predefined Rules page, select all available rules, and then click Next.
7. On the Action page, select Block the connection, and then click Finish.
8. Minimize the Windows Firewall with Advanced Security window.
Results: After completing this exercise, you will have created and verified inbound firewall rules.
2. Right-click Start, click Run, type mstsc.exe, and then press Enter.
3. In the Computer box, type LON-DC1, and then press Enter.
5. Open the Start screen on LON-DC1, click Administrator, and then click Sign out.
4. On the Program page, browse and select C:\Windows\System32\mstsc.exe, click Open, and then
click Next.
5. On the Action page, verify that the action is Block the Connection, and then click Next.
6. On the Profile page, verify that all profiles are selected, and then click Next.
7. On the Name page, type Block Outbound RDP to LON-DC1 in the Name box, and then click
Finish.
8. In the Windows Firewall with Advanced Security window, click the Block Outbound RDP to LON-
DC1 rule, and then in the Actions pane, click Properties.
9. Click the Scope tab, and then under the Remote IP address heading, select the These IP addresses
option.
10. Under the Remote IP address heading, click Add, in the This IP address or subnet box, type
172.16.0.10, and then click OK.
11. In the Block Outbound RDP to LON-DC1 Properties dialog box, click OK.
Results: After completing this exercise, you will have created and tested outbound firewall rules.
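The outbound rule that the wizard steps build can also be created and verified with the NetSecurity cmdlets. The script below is an added example, not part of the lab or of Microsoft's materials; it assumes 172.16.0.10 is LON-DC1's address, as the lab uses it, and that it runs in an elevated PowerShell window on LON-CL1.

```powershell
# Added example (not part of the lab): create and verify the "Block Outbound RDP to LON-DC1"
# rule with cmdlets instead of the New Outbound Rule Wizard.
$ruleName = 'Block Outbound RDP to LON-DC1'

function New-OutboundRdpBlockRule {
    param([string]$Name = $ruleName, [string]$RemoteAddress = '172.16.0.10')
    $params = @{
        DisplayName   = $Name
        Direction     = 'Outbound'
        Program       = 'C:\Windows\System32\mstsc.exe'
        RemoteAddress = $RemoteAddress   # Scope tab: These IP addresses
        Profile       = 'Any'            # Profile page: all profiles selected
        Action        = 'Block'
    }
    # Scoping the block to mstsc.exe and one remote address leaves the client's other
    # traffic to the domain controller (Kerberos, LDAP, SMB, DNS) untouched.
    New-NetFirewallRule @params
}

function Test-OutboundRdpBlockRule {
    param([string]$Name = $ruleName, [string]$RemoteAddress = '172.16.0.10')
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction Stop
    $addr = $rule | Get-NetFirewallAddressFilter
    $app  = $rule | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Name            = $rule.DisplayName
        Enabled         = $rule.Enabled
        Direction       = $rule.Direction
        Action          = $rule.Action
        Program         = $app.Program
        RemoteAddress   = $addr.RemoteAddress
        ScopedCorrectly = ($rule.Direction -eq 'Outbound' -and $rule.Action -eq 'Block' -and
                           $addr.RemoteAddress -eq $RemoteAddress -and
                           $app.Program -ieq 'C:\Windows\System32\mstsc.exe')
    }
}

New-OutboundRdpBlockRule | Out-Null
Test-OutboundRdpBlockRule | Format-List
```

Because the rule is program-scoped, a port probe from another process (for example Test-NetConnection to port 3389) still succeeds; only mstsc.exe connecting to 172.16.0.10 is blocked, which is what the lab's test with mstsc.exe exercises.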
2. In the search box on the taskbar, type PowerShell, and then click PowerShell.
3. In the Administrator: Windows PowerShell window, type ping LON-CL1, and then press Enter.
4. Verify that the ping generated four Reply from 172.16.0.40: bytes=32 time=xms TTL=128 messages.
Please note, the times that the message lists may vary from the example.
5. Right-click Start, click Control Panel, click System and Security, and then click Windows Firewall.
7. In the left pane, expand Monitoring, and then expand Security Associations.
8. Click Main Mode, and then examine the information in the center pane. No information should be
present.
9. Click Quick Mode, and then examine the information in the center pane. No information should be
present.
Get-NetIPsecMainModeSA
13. To examine the Quick Mode SAs, at the Windows PowerShell prompt, type the following cmdlet, and
then press Enter:
Get-NetIPsecQuickModeSA
3. In the left pane, click Advanced settings, and then click Connection Security Rules.
6. On the Requirements page, select Require authentication for inbound connections and request
authentication for outbound connections, and then click Next.
7. On the Authentication Method page, select Computer and user (Kerberos V5), and then click
Next.
9. On the Name page, in the Name text box, type Authenticate all inbound connections, and then
click Finish.
13. Click System and Security, and then click Windows Firewall.
14. In the left pane, click Advanced settings, and then click Connection Security Rules.
16. On the Rule Type page, verify that Isolation is selected, and then click Next.
17. On the Requirements page, select Require authentication for inbound connections and request
authentication for outbound connections, and then click Next.
18. On the Authentication Method page, select Computer and user (Kerberos V5), and then click
Next.
20. On the Name page, in the Name text box, type Authenticate all inbound connections, and then
click Finish.
3. Right-click Start, click Control Panel, click System and Security, and then click Windows Firewall.
4. In the left pane, click Advanced settings.
5. In the left pane, expand Monitoring, and then expand Security Associations.
6. Click Main Mode, and then examine the information in the center pane.
7. Click Quick Mode, and then examine the information in the center pane.
10. To examine the Main Mode Security Associations (SAs), at the Windows PowerShell command
prompt, type the following cmdlet, and then press Enter:
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
Results: After completing this exercise, you will have created and tested connection security rules.
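The isolation rule that the wizard builds (require inbound authentication, request outbound, Kerberos V5 for computer and user) can be created with the NetSecurity cmdlets and checked with the same SA cmdlets the lab uses. The script below is an added example, not part of the lab or of Microsoft's materials; it assumes the cmdlets' documented parameter names and that it runs, like the wizard steps, on both LON-CL1 and LON-DC1.

```powershell
# Added example (not part of the lab): the "Authenticate all inbound connections"
# isolation rule built with cmdlets, then a check of the resulting security associations.
function New-LabIsolationRule {
    param([string]$Name = 'Authenticate all inbound connections')
    # Phase 1 (main mode) authenticates the computer account; phase 2 additionally
    # authenticates the user. Both use Kerberos, so only domain members can negotiate.
    $computerAuth = New-NetIPsecAuthProposal -Machine -Kerberos
    $phase1 = New-NetIPsecPhase1AuthSet -DisplayName "$Name (computer Kerberos)" -Proposal $computerAuth
    $userAuth = New-NetIPsecAuthProposal -User -Kerberos
    $phase2 = New-NetIPsecPhase2AuthSet -DisplayName "$Name (user Kerberos)" -Proposal $userAuth

    $params = @{
        DisplayName      = $Name
        InboundSecurity  = 'Require'   # unauthenticated inbound connections are refused
        OutboundSecurity = 'Request'   # outbound falls back to clear text if the peer cannot authenticate
        Phase1AuthSet    = $phase1.Name
        Phase2AuthSet    = $phase2.Name
        Profile          = 'Any'
    }
    New-NetIPsecRule @params
}

function Get-LabIPsecSAs {
    param([string]$Peer = 'LON-DC1')
    # Generate traffic so main mode and quick mode negotiate, then count the resulting SAs;
    # this is what the Monitoring > Security Associations node shows in the GUI.
    $null = Test-Connection -ComputerName $Peer -Count 2 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Peer         = $Peer
        MainModeSAs  = @(Get-NetIPsecMainModeSA  -ErrorAction SilentlyContinue).Count
        QuickModeSAs = @(Get-NetIPsecQuickModeSA -ErrorAction SilentlyContinue).Count
    }
}

New-LabIsolationRule | Out-Null   # run on both computers, as the lab does
Get-LabIPsecSAs                   # zero SAs on both sides means the rule or Kerberos authentication is not in place
```

With the rule on only one side, the Require inbound setting on that side refuses unauthenticated inbound traffic from the peer, so the SA lists stay empty until the peer has a matching rule.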
2. Click View by, select Large Icons, and then click Windows Defender.
3. On the Windows Defender Home tab, ensure that the Quick scan option is selected.
2. In the Mod10 folder, open sample.txt in Notepad. The sample.txt file contains a text string to test
malware detection.
3. In the sample.txt file, delete both instances of <remove>, including the brackets and any extra lines
or blank spaces.
4. Save and close the file. Immediately, Windows Defender detects a potential threat.
5. Windows Defender then removes sample.txt from the Malware folder.
Results: After completing this exercise, you will have configured and tested Windows Defender.
2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.
2. In File Explorer, in the navigation pane, expand This PC, expand Local Disk (C:), expand Windows,
expand System32, expand DriverStore, and then click FileRepository.
3. In the details pane, click the Date modified column, and then verify that the highest folder was
created most recently.
4. Right-click the Start icon, and then click Command Prompt (Admin).
5. At the command prompt, type the following commands, and press Enter after each command:
cd e:\Labfiles\mod11\dc3dh
e:
dir
pnputil -a dc3dh.inf
7. In File Explorer, in the Address bar, click FileRepository to refresh the view. In the details pane,
confirm that the top folder was created when you installed the driver package and that its name
starts with dc3dh, as was the name of the .inf file.
8. In the details pane, double-click the top folder and confirm that it contains the same driver package
files that you listed in step 5.
2. In the Settings dialog box, click Accounts, click Sign-in options, and then in the Picture password
section, click Add. In the Windows Security dialog box, enter Pa$$w0rd as the password, and then
click OK.
3. In the Welcome to picture password window, click Choose picture, select Tiger.jpg, click Open, and
then click Use this picture.
4. Follow the on-screen instructions, and then draw three gestures on the picture. Remember which
gestures you are using, as you will repeat them later to sign in!
5. Repeat the pattern to confirm, click Finish, and then close the Settings window.
2. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click
Properties.
3. In the Standard PS/2 Keyboard Properties dialog box, select the Driver tab, and then confirm that
the Roll Back Driver button is not available. Click Update Driver.
4. In the Update Driver Software Standard PS/2 Keyboard dialog box, click Browse my computer
for driver software.
5. On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.
6. On the Select the device driver you want to install for this hardware page, clear the Show
compatible hardware check box. In the Manufacturer section, select Microsoft, in the Model
section, select Microsoft USB Internet Keyboard, click Next, in the Update Driver Warning box,
click Yes, and then click Close twice.
7. In the System Settings Change dialog box, click Yes, and then wait until the computer restarts.
Note: If the keyboard is not working, you should skip steps 2, 3 and 7.
3. In Notepad, type your name to confirm that the keyboard is still working.
4. Right-click the Start icon, and then click Device Manager.
5. In Device Manager, right-click Microsoft Hyper-V Virtual Keyboard, click Disable, and then
click Yes.
6. Right-click Microsoft USB Internet Keyboard, click Properties, and then read the device status.
7. In Notepad, try to type your name again. As neither keyboard is operational, you cannot use a
keyboard in LON-CL1.
8. In the Microsoft USB Internet Keyboard Properties dialog box, select the Driver tab. Confirm that
Roll Back Driver is available, click Roll Back Driver, and then click Yes.
9. Confirm that the Roll Back Driver option is no longer available, as driver rollback can go back by
only one version, and then click Close.
10. In Notepad, type your name to confirm that the keyboard is working again, and then close Notepad
without saving changes.
11. In Device Manager, right-click Microsoft Hyper-V Virtual Keyboard, click Enable, and then close
Device Manager.
Results: After completing this exercise, you will have added a driver package to the driver store, and used
Device Manager to update and roll back the driver.
2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder.
Type FileHistory as the folder name, and then press Enter.
4. In the FileHistory Properties dialog box, on the Security tab, click Edit. Click Add, in the Enter the
object names to select box, type Domain, and then click OK.
8. Select the Share this folder check box, and then click Permissions. In the Permissions for Everyone
section, in the Allow column, click Full Control, and then click OK twice.
3. Double-click Report.txt, and in Notepad, type This is a report. Close the Notepad file, and then click
Save to save the changes.
4. On the taskbar, in the Search the web and Windows box, type file, and then click File History.
5. In the File History dialog box, in the navigation pane, click Select drive.
7. In the Folder box, type \\LON-DC1\FileHistory, click Select Folder, and then click OK.
8. In the File History dialog box, in the details pane, click Turn on.
9. In the navigation pane, click Advanced settings, review the default values for how often to save
copies of files and how long to keep them, and then click Cancel.
10. In File Explorer, in the navigation pane, click Documents, right-click Report.txt, and then click
Delete.
11. In File Explorer, click the Home tab, and then click History.
12. In the Documents File History window, right-click Report.txt, and click Preview. Confirm that you
can see the text This is a report, and then click the green round button with the arrow to restore the
file to the original location.
13. File Explorer opens. In the navigation pane, click Documents and verify that Report.txt has been
recovered to the original location. Double-click Report.txt, confirm that it contains the text that you
typed, close Notepad, and then close File Explorer.
14. In the Report.txt File History window, on the left of the address box, click the upward-pointing
arrow twice.
15. Review the folders and libraries that File History is protecting, and confirm that the Data folder and
Reports folder are not among them. Close the Home File History window.
2. In File Explorer, in the navigation pane, expand Local Disk (C:), and then click Data. In the details
pane, right-click Sales.txt, click Properties, click the Previous Versions tab, confirm that there are
no previous versions available, and then click OK.
3. In the navigation pane, right-click Data, select Include in library, and then select Documents. As File
History protects the Documents library, where you added the folder, File History is now also
protecting the Data folder.
4. In File Explorer, in the navigation pane, click Reports. In the details pane, right-click Report.txt, click
Properties, click the Previous Versions tab, confirm that there are no previous versions available,
and then click OK.
5. On the taskbar, in the Search the web and Windows box, enter file, and then click File History
settings.
6. In the Settings dialog box, in the Back up using File History section, click More options.
7. In the BACKUP OPTIONS window, in the Back up these folders section, click Add a folder, in the
Folder box, type C:\Reports, click Choose this folder, and then close the BACKUP OPTIONS
window.
8. In the File History dialog box, in the File History is on section, click Run now.
9. In File Explorer, in the details pane, right-click Report.txt, click Properties, click the Previous
Versions tab, verify that there is now one previous version, and then click OK.
10. In the navigation pane, right-click Data, click Properties, click the Previous Versions tab, and then
select Data in the Folder versions section.
11. Click the arrow near the Restore button, and then verify that you can restore the previous version
either to the original location or to a custom location.
12. In the Data Properties dialog box, click the arrow near the Open button, and then select Open in
File History.
13. In the Data File History window, on the left of the address box, click the upward-pointing arrow
once. Notice that File History is protecting the Data and Reports folders, in addition to the Users
folder, which is protected by default.
14. In the C:\ - File History window, click the upward-pointing arrow again to view all folders and libraries
that File History is protecting.
15. Close the Home File History window, in the Data Properties dialog box, click OK, and then close
the File History window.
Results: After completing this exercise, you will have configured and used File History. You should have
also added additional folders for File History to protect.
2. Double-click Sales.txt, in Notepad, type Before restore point in a new line, close Notepad, and then
click Save to save the changes.
3. Right-click Sales.txt, click Properties, click the Previous Versions tab, verify that there is still only
one previous version, and then click OK.
4. On the taskbar, in the Search the web and Windows box, enter backup, and then click Backup and
Restore (Windows 7).
8. On the Review your backup settings page, click Save settings and run backup, and wait until
backup finishes.
3. In the details pane, right-click an empty space, click Properties, click the Previous Versions tab, click
the top folder, called Data, click Restore, and then click OK.
4. In File Explorer, in the details pane, double-click Data, and then point out that the Sales.txt file was
restored.
5. In File Explorer, in the navigation pane, expand Local Disk (C:), and then click Misc.
6. In the details pane, right-click Temp.txt, click Properties, click the Previous Versions tab, confirm
that no previous version is available because the backup did not include the C:\Misc folder, in which
the Temp.txt file is located, and then click OK.
7. Close File Explorer, and then close the Backup and Restore (Windows 7) window.
Results: After completing this exercise, you will have configured and performed initial backup by using
the Backup and Restore (Windows 7) tool. You should also have recovered deleted files by using the
previous versions of those files from restore points.
5. In the System Protection dialog box, type Initial settings, click Create, and then click Close.
6. In the System Properties dialog box, click OK.
7. In File Explorer, navigate to the E:\Labfiles\Mod11 folder, and then double-click XmlNotepad.msi.
8. In the XML Notepad 2007 Setup Wizard, click Next, select I accept the terms in the License
Agreement, click Next twice, click Install, and then click Finish.
9. Close Internet Explorer, and click Close all tabs.
12. Right-click the Start icon, and then click Device Manager.
13. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update
Driver Software.
14. In the Update Driver Software Standard PS/2 Keyboard dialog box, click Browse my computer
for driver software. Click Let me pick from a list of device drivers on my computer, click PC/AT
Enhanced PS/2 Keyboard (101/102-Key), click Next, click Close, and then click No.
15. In Device Manager, verify that PC/AT Enhanced PS/2 Keyboard (101/102-Key) is visible.
6. In the System Restore dialog box, click Next, click Finish, and then click Yes. Wait until LON-CL1 has
restarted.
7. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd. You will need to click
Sign-in options first and then click the key icon, which represents Password.
8. In the System Restore dialog box, click Close. Verify that My document.txt is still on the desktop,
and that the XML Notepad 2007 shortcut is no longer present on the desktop.
10. In Device Manager, expand Keyboards, and then verify that Standard PS/2 Keyboard is present.
PC/AT Enhanced PS/2 Keyboard (101/102-Key) was removed, because you added it after creating the
restore point.
13. In the System window, in the navigation pane, click System protection.
16. In the System Restore dialog box, verify that the additional restore point with the description
Restore Operation and the type Undo was created. Click Cancel, click OK, and then close the
System window.
Results: After completing this exercise, you will have used System Restore to revert the computer to an
earlier restore point, and explored the effects of applying the restore point.
2. Right-click the Start icon, select Network Connections, double-click Ethernet, click Details, and
then verify that the connection is not Dynamic Host Configuration Protocol-enabled (DHCP-enabled)
and that it has the IPv4 address 172.16.0.41. Click Close twice.
3. Right-click the Start icon, select System, and then verify that the computer name is LON-CL2 and
that it is in the Adatum.com domain.
4. On the taskbar, in the Search the web and Windows box, type advanced, and then click Change
advanced startup options.
5. On the UPDATE & SECURITY page, in the Advanced startup section, click Restart now, and wait a
few seconds.
8. On the Reset this PC page, click Keep my files, and wait while the computer restarts.
9. On the Reset this PC page, click Admin. In the Enter the password for this account box, enter
Pa$$w0rd, click Continue, and then click Reset.
10. While the Reset this PC process is happening in LON-CL2, continue with the next task. You will review
the results of the reset process at the end of this lab.
2. In the Services window, click the Status column to sort the services, scroll down, verify that many
services (more than 75 services) are running, and then close Services.
3. On the taskbar, in the Search the web and Windows box, type advanced, and then click Change
advanced startup options.
4. On the UPDATE & SECURITY page, in the Advanced startup section, click Restart now, and wait a
few seconds.
7. On the Advanced options page, click Startup Settings, click Restart, and then press 4 to select
Enable Safe Mode.
8. When the computer starts, sign in as Adatum\Administrator and use Pa$$w0rd as the password.
9. Verify that the words Safe Mode appear in all four corners of the desktop. Right-click the Start icon,
and then click Device Manager.
10. In Device Manager, right-click Generic PnP Monitor, click Properties, and then verify that the status
of the device is not available when the computer is running in safe mode.
11. Click the Driver tab and verify that you can still use the Update or Uninstall drivers options while
the computer is running in safe mode. Click OK.
12. On the taskbar, try to enter something in the Search the web and Windows box. You cannot search,
because the computer is running in safe mode.
13. Right-click the Start icon, and then click Computer Management.
14. In Computer Management, in the navigation pane, expand Services and Applications, and then click
Services. In the details pane, click the Status column to sort the services, scroll down, and verify that
only a few services (less than 25 services) are running when the computer is in safe mode.
15. On your host computer, in the 20697-1B-LON-CL1 on localhost Virtual Machine Connection
dialog box, on the Media menu, point to DVD Drive, and then click Insert Disk.
16. In the Open dialog box, in the File name box, type C:\Program Files\Microsoft Learning\20697-1
\Drives\Win10Ent_Eval.iso, and then click Open. If virtual machines are extracted to a different
drive than C:, use that drive letter instead of C:.
5. On the Choose an option page, select Troubleshoot, and then click Advanced options.
8. In the System Restore dialog box, click Next. Select the Restore Operation restore point, and then
click Scan for affected programs. Verify that the list includes XML Notepad 2007 as a program that
might be restored. Click Close, and then click Cancel.
Note: You can use System Restore from the Windows Recovery Environment
(Windows RE).
9. On the Choose an option page, click Troubleshoot, and then click Advanced options.
11. At the command prompt, type bcdedit, and then press Enter.
12. Review the output and verify that Windows 10 appears as the default Windows Boot Loader
operating system.
13. At the command prompt, type diskpart, and then press Enter.
14. At the command prompt, type list disk, and then press Enter.
15. At the command prompt, type list volume, and then press Enter.
16. At the command prompt, type exit twice, and then press Enter.
17. On the Choose an option page, click Troubleshoot, and then click Advanced options.
18. On the Advanced options page, click Startup Repair.
19. On the Startup Repair page, click Windows 10. Startup Repair starts diagnosing your PC.
20. After a few seconds, the Startup Repair couldn't repair your PC page appears. This is because there
is nothing wrong with your computer. Click Advanced options, and then click Continue.
Note: You can perform this task only after Reset this PC on LON-CL2 has finished. If the
Reset operation on LON-CL2 is not yet complete, the instructor may start with the lecture. You
can perform this task and the next before the lab in Module 12.
2. Confirm that initial sign-in takes some time, as Windows 10 is setting up your apps.
3. Verify that the Report document that you created earlier is still on the desktop.
4. Right-click the Start icon, select Network Connections, double-click Ethernet, click Details, and
then verify that the connection is DHCP-enabled after the Reset this PC operation, and that the
computer no longer has the 172.16.0.41 IPv4 address. Click Close twice.
5. Right-click the Start icon, click System, and then verify that the computer name and domain
membership remain the same. The computer name is still LON-CL2 and the computer is a member
of the Adatum.com domain.
Results: After completing this exercise, you will have used the Reset this PC option, safe mode, and
advanced startup options.
2. In the Virtual Machines list, right-click 20697-1B-LON-DC1, and then click Revert.
5. On the ADVANCED OPTIONS page, beneath Choose how updates are installed, in the list, click
Automatic (recommended).
6. Select the Give me updates for other Microsoft products when I update Windows and Defer
upgrades check boxes.
7. Notice that the Get started option beneath Get Insider builds is available.
Results: After completing this exercise, you will have successfully configured Windows Update settings.
3. In the right pane, double-click Toggle user control over Insider builds.
4. In the Toggle user control over Insider builds dialog box, click Disabled, and then click OK.
8. In the right pane, double-click Do not connect to any Windows Update Internet locations.
9. In the Do not connect to any Windows Update Internet locations dialog box, click Enabled, and
then click OK.
10. Close Local Group Policy Editor.
Task 2: Verify that the device's update settings are managed centrally
1. Right-click Start, and then click Command Prompt (Admin).
2. In the command prompt, type gpupdate /force, and then press Enter.
3. Switch to UPDATE & SECURITY.
4. On the Windows Update tab, click Advanced options. Notice the Some settings are managed by
your organization banner.
5. Notice that the option to Get started with Insider builds is unavailable.
Results: After completing this exercise, you will have successfully configured Group Policy Objects (GPOs)
to configure Windows Update settings.
winrm quickconfig
Note: This is just a check, as the remote management feature is probably enabled.
4. In Server Manager, click Tools, and then click Active Directory Users and Computers.
5. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click Builtin.
7. In the Event Log Readers Properties dialog box, click the Members tab.
8. Click Add, and then in the Select Users, Contacts, Computers, Service Accounts, or Groups dialog
box, click Object Types.
9. In the Object Types dialog box, select the Computers check box, and then click OK.
10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, in the Enter
the object names to select (examples) box, type LON-CL1, and then click OK.
11. In the Event Log Readers Properties dialog box, click OK.
12. Switch to LON-CL1.
14. At the command prompt, type the following command, and then press Enter:
Wecutil qc
4. In the Subscription Properties dialog box, in the Subscription name box, type LON-DC1 Events.
5. Click Collector Initiated, and then click Select Computers.
7. In the Select Computer dialog box, in the Enter the object name to select (examples) box, type
LON-DC1, and then click OK.
8. In the Computers dialog box, click OK.
9. In the Subscription Properties LON-DC1 Events dialog box, click Select Events.
10. In the Query Filter dialog box, select the Critical, Warning, Information, Verbose, and Error check
boxes.
17. In the Create Custom View dialog box, select the Critical and Error check boxes, and then click OK.
18. In the Save Filter to Custom View dialog box, in the Name box, type LON-DC1 errors, and then
click OK.
Results: After completing this exercise, you will have successfully configured monitoring by using Event
Viewer.
3. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.
4. In the Create new Data Collector Set Wizard, on the How would you like to create this new data
collector set? page, in the Name text box, type Adatum Baseline.
7. On the Which performance counters would you like to log? page, in the Sample interval field,
type 1, and then click Add.
8. In the Available counters list, expand Memory, click Pages/sec, and then click Add.
9. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.
10. In the Available counters list, expand Physical Disk, click % Disk Time, and then click Add.
11. Under Physical Disk, click Avg. Disk Queue Length, and then click Add.
12. In the Available counters list, expand Processor, click % Processor Time, and then click Add.
13. In the Available counters list, expand System, click Processor Queue Length, click Add, and then
click OK.
14. On the Which performance counters would you like to log? page, click Next.
15. On the Where would you like the data to be saved? page, click Next.
16. On the Create the data collector set page, click Finish.
17. In Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.
18. Click Start, click All Apps, click Microsoft Office 2013, and then click Word 2013.
19. Click Start, click All Apps, click Microsoft Office 2013, and then click Excel 2013.
20. Click Start, click All Apps, click Microsoft Office 2013, and then click PowerPoint 2013.
21. Close all open Microsoft Office 2013 apps, and then switch to Performance Monitor.
22. In the navigation pane, right-click Adatum Baseline, and then click Stop.
23. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Adatum Baseline, and then click the report that has a name beginning with LON-CL1.
24. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
Answers will vary depending upon the usage scenario and host configuration, although central
processing unit (CPU) and network are likely to be used heavily.
6. After a few minutes, in the Windows Script Host prompt, click OK.
10. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Adatum Baseline, and then click the second report that has a name beginning with LON-CL1.
12. On the menu bar, click the drop-down arrow, and then click Report.
14. In your opinion, which components is the script affecting the most?
The script is affecting the CPU and network, but it is also affecting all counters.
Results: After completing this exercise, you will have successfully determined the cause of a performance
bottleneck.
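The two Performance Monitor reports in this lab are compared by eye. The script below is an added example, not part of the lab or of Microsoft's materials; it samples the same six counters as the Adatum Baseline data collector set at the lab's 1-second interval, once while the system is idle and once under load, and reports how much each counter's average rose, which makes the CPU and network increase the answer above describes visible as numbers.

```powershell
# Added example (not part of the lab): sample the Adatum Baseline counters and
# compare an idle baseline against a sample taken while a workload runs.
$baselineCounters = @(
    '\Memory\Pages/sec'
    '\Network Interface(*)\Packets/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
)

function Get-CounterSummary {
    param([int]$Seconds = 30, [string[]]$Counters = $baselineCounters)
    # One sample per second, as the data collector set is configured in the lab.
    $sets = Get-Counter -Counter $Counters -SampleInterval 1 -MaxSamples $Seconds
    $sets.CounterSamples | Group-Object Path | ForEach-Object {
        $stats = $_.Group.CookedValue | Measure-Object -Average -Maximum
        [pscustomobject]@{
            Counter = $_.Name        # full counter path, including the instance name
            Average = [math]::Round($stats.Average, 2)
            Maximum = [math]::Round($stats.Maximum, 2)
        }
    }
}

function Compare-CounterSummary {
    param([object[]]$Baseline, [object[]]$Load)
    foreach ($b in $Baseline) {
        $l = $Load | Where-Object Counter -eq $b.Counter
        if ($null -eq $l) { continue }
        [pscustomobject]@{
            Counter     = $b.Counter
            BaselineAvg = $b.Average
            LoadAvg     = $l.Average
            # Ratio of the averages; null when the baseline average was zero.
            Ratio       = if ($b.Average -ne 0) { [math]::Round($l.Average / $b.Average, 1) } else { $null }
        }
    }
}

# Usage: take the baseline while LON-CL1 is idle, start the workload (the Office apps
# or the lab's script), then take the second sample and list the biggest increases first.
$baseline = Get-CounterSummary -Seconds 30
Read-Host 'Start the workload, then press Enter to sample under load'
$load = Get-CounterSummary -Seconds 30
Compare-CounterSummary -Baseline $baseline -Load $load | Sort-Object Ratio -Descending | Format-Table -AutoSize
```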