
70-698: Installing and Configuring Windows Devices Notes

Win10 HW Requirements

x86: 1 GHz CPU, 1 GB RAM, 16 GB disk
x64: 1 GHz CPU, 2 GB RAM, 20 GB disk
DirectX with WDDM 1.0 driver, 800×600 display

For Hyper-V you will need more spec or it will be slow
SSD disk performance is much faster

Deployment Tools

DISM – Deployment Image Servicing and Management Tool
This can perform pre-install and post-install tasks

MAP – Microsoft Assessment and Planning Toolkit

Assesses readiness for Win10, Office 365, Hyper-V and Azure

Azure hosted upgrade analytics is free but hosted as part of OMS (Operations Management Suite) subscription. This scans agents and uploads data to cloud to compare compatibility with millions of Win 10 machines. HW check to see if UEFI is supported. New hw could be bought to support this in your organisation. Drivers are also tested with this tool.

ACT – Application Compatibility Toolkit, create compatibility fixes (shims) for apps
You can also right click an app, go into properties, compatibility tab, and run as administrator or in Win 7 compatibility mode. Upgrade readiness in MAP just shows what is/is not compatible but ACT can provide fixes.

Update the app from vendor if available, check for win 10 compatible version
Before deploying win 10 check hw requirements, device drivers, app compatibility
An app that ran on Win7 is generally compatible with Win 10 as long as the user is admin. You can make a shim for credentials so an admin user is not required.

MDT – MS Deployment Toolkit 2013 Update 2
For some reason the latest release is 2013 and they will leave it named like this

WICD provides limited customisation to Win 10 clients

Types of Installation

in-place upgrade – newest method, works better for Win 10, good for a small number of PCs and can roll back; user settings and apps are retained. External storage not required for data and settings migration. Does not allow edition changes or starting with a clean standard configuration. You can use in-place upgrade with Windows Update for Win 7, 8 to 10. UI and OS language must match for a successful upgrade. Display, bluetooth and some other drivers are not migrated as these can cause issues.

You can roll back Windows if the windows.old folder exists in C:; the folder is now removed after 10 days as hardly anyone rolls back.

Setup.exe /auto (upgrade, clean or dataonly)
You can also run a compatibility scan only with setup (/compat scanonly)
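The scan-only run scripted, as an added example (not code from these notes): the media path and log folder are assumptions, and the exit-code table lists the result codes Microsoft documents for /Compat ScanOnly, which you should check against the current setup documentation.

```powershell
# Added example (not from the notes). Runs Windows Setup in compatibility
# scan-only mode and decodes the result before anyone commits to an upgrade.
# Assumptions: Win 10 media mounted as D:, log folder path is constructed.
function Test-UpgradeCompat {
    param(
        [string]$Setup  = 'D:\setup.exe',
        [string]$LogDir = 'C:\UpgradeLogs'
    )
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

    # /Auto Upgrade    = keep files and apps (the in-place path described above)
    # /Compat ScanOnly = assess only, change nothing, return a result code
    # /Quiet /NoReboot = no UI and no restart, so it can run from a script
    $proc = Start-Process -FilePath $Setup -Wait -PassThru -ArgumentList @(
        '/Auto', 'Upgrade', '/Compat', 'ScanOnly', '/Quiet', '/NoReboot',
        '/DynamicUpdate', 'Disable', '/CopyLogs', $LogDir
    )

    # Setup result codes for scan-only runs as published by Microsoft
    # (verify against the current setup documentation)
    $meaning = @{
        0xC1900210 = 'No compatibility issues found'
        0xC1900208 = 'Blocking app or driver compatibility issue found'
        0xC1900204 = 'Requested migration choice not available (edition, architecture or language mismatch)'
        0xC1900200 = 'Hardware does not meet Windows 10 requirements'
        0xC190020E = 'Not enough free disk space'
    }
    # view the signed int32 exit code as an unsigned value so it matches the table keys
    $code = [int64]($proc.ExitCode -band 0xFFFFFFFF)
    $desc = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { 'Unknown, read setupact.log in the log folder' }

    [pscustomobject]@{
        ExitCode = ('0x{0:X8}' -f $code)
        Meaning  = $desc
        Logs     = $LogDir
    }
}

Test-UpgradeCompat
```

Run it elevated from the old OS; a result other than "no compatibility issues" is the cue to fix apps and drivers (or pick wipe & load) before scheduling the upgrade.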

side-by-side migration – install Win 10 on another system then migrate stuff from the Win 8.1 system
wipe and load – uses MDT and SCCM
You can also use install media or WSUS

BitLocker does not need to be disabled for the upgrade, this is automatic, but it will be required with 3rd party encryption sw. These can be hooked into SCCM but not WSUS
Language packs can be reinstalled and they can be provided to setup
You would wipe & load to go from Win7 x86 to Win10 x64, there is no in-place upgrade for that
If going from x64 to x64 do an in-place upgrade if possible

Win 10 Creators Update 1703 includes tool to convert BIOS to UEFI in Wipe & load. In future will be available for in-place upgrade too. MBR to GPT tool part of converting to UEFI.

Provisioning – You can buy your own laptop connect USB and be connected to enterprise in 30 mins. Use Win Config Designer. Imaging option is now removed from WICD.exe

Win7Pro to Win10Pro – license key can be changed to enterprise later and reboot is not required.
Win8Pro to Win10Enterprise can also be done like this

USMT – User State Migration Tool for side by side migration, this is included in Windows ADK – Assessment and Deployment Kit – used for Win 10 Ent pilot to configure image for automated deployment

Windows easy transfer is a GUI tool for Win XP to 7 for side by side migration

Features in different versions of Win10

Win 10 Home – edge, cortana, continuum, hello, virtual desktops, universal Win apps
Win 10 Pro – domain join, azure ad join, bitlocker, ie enterprise, client hyper-v, Win store for business, enterprise data protection
Win 10 Enterprise – direct access, Win to go creator, applocker, branch cache, start screen GP, device guard, credential guard
Win 10 LTSB – gets security updates only not feature updates, no edge, cortana, universal apps, win store, photo viewer, uwp calculator. Used for ATM or warehouse machine which you can’t usually shutdown or run updates all the time (special systems) Certain hw such as surface, surfacebook does not support ltsb.
Win 10 Education – special academic license, similar features to enterprise
Mobile Edition
Mobile Enterprise
Windows 10 IoT

Win 10 Home – $119
Win 10 Pro – $199

Install 32bit only if hardware is old, can only see 4GB RAM
64 bit faster, stronger, new security features

Client Hyper-V
Prereqs: 64 bit OS (no RAM limit), Win Pro/Ent/Education
Processor with SLAT (Second Level Address Translation) for better performance i5, i7 and AMD

DEP – Data Execution Prevention
HW Assisted Virtualisation
4GB RAM, 8GB recommended to provide RAM to VMs
20GB+ Disk Storage
Can be used to run older Win on Win10. Also allows nested VMs. Needs to be enabled as a feature.
Enable in Win features, if greyed out CPU or bios don’t support virtualisation
store VMs in root of c to avoid sync with dropbox, onedrive etc
Gen 1 VM for older OSes, Gen 2 for newer OSes
Virtual network adapter
VHDX file 10GB
Standard and production checkpoints to go back (like snapshots)

PS: Get-VMCheckpoint, Restore-VMCheckpoint

Cortana – designed for mic use
Continuum – designed for hybrid device like surface tablet or surfacebook
Miracast – uses WIFI direct
Touchscreen and active stylus, surface pro, wacom etc
OneDrive ms account required and to sync settings

Security Features:
Bitlocker – Pro/Ent, TPM Trusted Platform Module is nice to have but not required
Device Health Attestation – does require TPM 2.0
Virtual Smart Card – Requires TPM 1.2 (tpmvscmgr.exe)
Secure Boot – works with UEFI Unified Extensible Firmware Interface v2.3.1 TPM not required
2 Factor Authentication – you need another device, mobile phone, illuminated infrared camera for hello, biometric for fingerprint scan, virtual smart card
Virtual Secure Mode – parts of the OS in Hyper-V secured area, enterprise only
TPM are physical hardware micro controllers

Installation Media
High Touch – In place upgrade where you interact with everything asked
Low Touch – suitable for large orgs, WDS, WDT
Zero Touch – use MDT and SCCM

setup.exe in root of ISO contains sources folder and file called install.wim

This file can be copied and edited using SIM – Windows System Image Manager – to customise using an answer file. You can view components and packages of the installation image, customise prompts during install and add drivers

Example: You can add internet explorer package to answer file and customise the settings in there. Answer file can then be validated, saved as Autounattend.xml put this in root of install media. Windows looks for this file. You can open the XML file to view configuration
The SIM help file is useful
Can be placed on network path, DVD, USB, image based start computer using Win PE to bring down customised image

WDS Windows Deployment Services – PXE and DHCP support, image is deployed using multicast – this is zero touch
DVD – lighter touch

Windows 10 Disk Management and Boot Options
Native Boot – in disk management you can see system reserved partition. This contains boot files to run Win10. Boot partition (c drive) contains the system files, recovery partition for recovery
Get-Volume PS Cmdlet can do the above

cmd: bcdedit /v – info about current boot device, boot manager and boot loader in cmd prompt. You can edit the info with this command

Multi Boot – You can choose win7 or win10 at startup. To do this in disk manager right click boot partition and shrink then tell win7 to install in that new partition

Data migration – USMT tool

Go to directory in cmd:
C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64

scanstate on source machine to grab settings
loadstate on new win10 machine
scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log

config.xml You can choose what gets migrated. The config.xml file gets generated with above. Open file and edit yes to no for things you do not want migrated

Settings are migrated but not apps, local printers, drivers, custom shortcuts, shared folder permissions, files and settings in different languages

Unsupported on USMT – Server OS’s, XP, home editions of Win 7,8 10. Different versions for different Win OS’s.

Use compatible version of scanstate with Win7. Use loadstate from newer version for Win10. Hard links can be used even if disk gets wiped. No upgrade path for XP or Vista.
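The scanstate/loadstate steps above wrapped in PowerShell, as an added example (not code from these notes), covering both cases the notes describe: same-machine wipe & load with a hard-link store, and side-by-side to a share with an encrypted store. The store paths, share, config.xml location and key file are all constructed.

```powershell
# Added example (not from the notes): USMT scripted for same-machine (hard link)
# and side-by-side (encrypted store on a share) migrations. Paths are constructed.
$Usmt = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64'

function New-UsmtConfig {
    # Step 1 (source machine): generate config.xml, then edit migrate="yes"
    # to "no" for the components you do not want carried over
    param([string]$Config = 'C:\usmt\config.xml')
    $dir = Split-Path $Config
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    & "$Usmt\scanstate.exe" "/genconfig:$Config" "/i:$Usmt\MigDocs.xml" "/i:$Usmt\MigApp.xml" '/v:13' "/l:$dir\genconfig.log"
    return $LASTEXITCODE
}

function New-UsmtKeyFile {
    # 256-bit random key for /encrypt; keep the file on an ACL-restricted path
    # and delete it once loadstate has run
    param([string]$KeyFile = 'C:\usmt\store.key')
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    [Convert]::ToBase64String($bytes) | Set-Content -Path $KeyFile -NoNewline
}

function Save-UserState {
    # Step 2 (source machine): capture to a store
    param(
        [Parameter(Mandatory)][string]$Store,
        [ValidateSet('HardLink', 'Encrypted')][string]$Mode = 'Encrypted',
        [string]$Config  = 'C:\usmt\config.xml',
        [string]$KeyFile = 'C:\usmt\store.key'
    )
    New-Item -ItemType Directory -Path $Store -Force | Out-Null
    $opts = @("/i:$Usmt\MigDocs.xml", "/i:$Usmt\MigApp.xml", "/config:$Config",
              '/o', '/c', '/v:13', "/l:$Store\scanstate.log")
    $opts += switch ($Mode) {
        'HardLink'  { '/hardlink', '/nocompress' }          # store stays on the disk being refreshed
        'Encrypted' { '/encrypt', "/keyfile:$KeyFile" }     # store crosses the network, so encrypt it
    }
    & "$Usmt\scanstate.exe" $Store @opts
    return $LASTEXITCODE
}

function Restore-UserState {
    # Step 3 (new Win 10 machine, or the same machine after reinstall)
    param(
        [Parameter(Mandatory)][string]$Store,
        [ValidateSet('HardLink', 'Encrypted')][string]$Mode = 'Encrypted',
        [string]$Config  = 'C:\usmt\config.xml',
        [string]$KeyFile = 'C:\usmt\store.key'
    )
    # /lac recreates missing local accounts but leaves them disabled (no /lae),
    # so nobody ends up with an enabled blank-password account by accident
    $opts = @("/i:$Usmt\MigDocs.xml", "/i:$Usmt\MigApp.xml", "/config:$Config",
              '/c', '/v:13', "/l:$Store\loadstate.log", '/lac')
    $opts += switch ($Mode) {
        'HardLink'  { '/hardlink', '/nocompress' }
        'Encrypted' { '/decrypt', "/keyfile:$KeyFile" }
    }
    & "$Usmt\loadstate.exe" $Store @opts
    return $LASTEXITCODE
}

# Same-machine refresh:  Save-UserState -Store C:\MigStore -Mode HardLink   (reinstall, then Restore-UserState -Store C:\MigStore -Mode HardLink)
# Side by side:          New-UsmtKeyFile; Save-UserState -Store \\fileserver\usmt$\PC01   (then on the new PC: Restore-UserState -Store \\fileserver\usmt$\PC01)
```

Run scanstate with the USMT version matching the source OS and loadstate with the Win 10 version, as the notes say; the hard-link mode must not be combined with /encrypt, which is why the two modes are kept separate.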


VHD native boot – good for native and dual boot configs. Select the Win partition in disk manager, select action menu, create virtual hard disk, specify size etc for the Win installation; the VHD is attached, then choose the VHD to install Win to. You can use shift+F10 during installation to get an admin prompt then run diskpart and type list disk to view disks, select vdisk file=<path to .vhd>, attach vdisk

Dual boot vdisk, right click and initialise with MBR, format the disk, then use DISM built into Win10 to apply win image to the VHD. Then use bcdboot utility from cmd to alter boot options of device adding in boot options to boot the VHD
VHD is another cool way to install Win10 other than using normal partitions
PS: New-VHD, Mount-VHD, Initialize-Disk, Get-Disk
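The dual-boot VHD build above scripted with the cmdlets just listed plus dism and bcdboot, as an added example (not code from these notes). VHD path, media drive and image index are constructed; it must run elevated and needs the Hyper-V PowerShell module for New-VHD/Mount-VHD.

```powershell
# Added example (not from the notes): native-boot VHD with an MBR layout,
# image applied with DISM, boot entry added with bcdboot. Paths constructed.
function New-NativeBootVhd {
    param(
        [string]$VhdPath   = 'C:\VHD\Win10.vhdx',       # constructed
        [string]$ImageFile = 'D:\sources\install.wim',  # media mounted as D:, assumption
        [int]   $Index     = 1,                         # list editions: dism /Get-WimInfo /WimFile:D:\sources\install.wim
        [uint64]$SizeBytes = 40GB
    )
    New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null

    # 1. create and attach the virtual disk
    New-VHD -Path $VhdPath -SizeBytes $SizeBytes -Dynamic | Out-Null
    $disk = Mount-VHD -Path $VhdPath -Passthru | Get-Disk

    # 2. MBR plus one active NTFS partition, as in the dual-boot steps above
    Initialize-Disk -Number $disk.Number -PartitionStyle MBR
    $part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -IsActive -AssignDriveLetter
    Format-Volume -Partition $part -FileSystem NTFS -NewFileSystemLabel 'Win10VHD' -Confirm:$false | Out-Null
    $letter = (Get-Partition -DiskNumber $disk.Number -PartitionNumber $part.PartitionNumber).DriveLetter
    $drive  = "${letter}:"

    # 3. apply the Windows image into the VHD
    & dism.exe /Apply-Image "/ImageFile:$ImageFile" "/Index:$Index" "/ApplyDir:$drive\"
    if ($LASTEXITCODE -ne 0) { throw "dism failed with exit code $LASTEXITCODE" }

    # 4. add a boot entry for the VHD; /d keeps the existing default entry,
    #    so the current Windows still boots unless the VHD is chosen at startup
    & bcdboot.exe "$drive\Windows" /d
    if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }

    Dismount-VHD -Path $VhdPath
    & bcdedit.exe /enum /v      # the new entry shows device/osdevice as vhd=[...]
}

New-NativeBootVhd
```

A dynamically expanding VHD must be able to grow to its full size on the host volume at boot time, so keep enough free space on the drive that holds it.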

Bootable USB – manual way or use MCT see below

Insert the USB you want to make into bootable Win 10 > cmd admin > diskpart > list disk > find your disk in the list then > select disk X > clean > create partition primary > select partition 1 > active > format fs=ntfs quick > assign (allocates drive letter) > exit. You can now copy the contents of the Win 10 iso/dvd by typing xcopy g:\*.* /s /e /f h: (change both letters to match source and destination)

MCT Media Creation Tool

Search online for media creation tool then download the tool button. Install and choose create installation media, USB flash
You can perform a clean install of Win10 from within the old Win OS, mount ISO file, right click setup.exe and run as administrator there is an option to ‘keep nothing’

Shutdown Is quite quick in Win10 compared to older versions of Win

Additional Win features you should know which are there by default and which ones you need to install.

Installed default in Win 10 Pro:
.Net Framework 4.6 advanced services, wcf services, tcp port sharing
Internet explorer 11
media features, media player
print to pdf
print and document services, internet printing client, Win fax and scan
remote differential compression api support
smb 1.0/cifs file sharing support (now disabled in Fall Update and Server 2016 RS3 for safety)
Win powershell 2.0
work folders client
xps services
xps viewer
install tftp feature, open cmd type tftp ? To test it is installed

Tool to add packages:
dism /online /Get-Features
shows enabled and disabled features on the command line

dism /online /Enable-Feature /FeatureName:TFTP /all

PS Command
get-windowsOptionalFeature -online (shows features)
enable-windowsOptionalFeature -online -FeatureName TFTP -All
disable-windowsOptionalFeature -online -FeatureName TFTP
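The feature cmdlets above applied as an audit, as an added example (not code from these notes): it checks the legacy optional features that matter for attack surface (SMB 1.0 mentioned in the list above, the PowerShell 2.0 engine, the TFTP client) and disables them on request. The feature names are the real DISM names; the -Fix switch is this script's own.

```powershell
# Added example (not from the notes): audit and disable risky optional features.
$RiskyFeatures = @(
    @{ Name = 'SMB1Protocol';                     Why = 'SMBv1: no encryption, weak signing, widely exploited; off by default from 1709' }
    @{ Name = 'MicrosoftWindowsPowerShellV2Root'; Why = 'PowerShell 2.0 engine: no script block logging or AMSI' }
    @{ Name = 'TFTP';                             Why = 'TFTP client: unauthenticated clear-text transfers' }
)

function Get-RiskyFeatureState {
    foreach ($f in $RiskyFeatures) {
        # same information as: dism /online /Get-Features
        $feat  = Get-WindowsOptionalFeature -Online -FeatureName $f.Name -ErrorAction SilentlyContinue
        $state = if ($feat) { [string]$feat.State } else { 'NotPresent' }
        [pscustomobject]@{ Feature = $f.Name; State = $state; Reason = $f.Why }
    }
}

function Disable-RiskyFeature {
    param([switch]$Fix)
    foreach ($f in Get-RiskyFeatureState | Where-Object State -eq 'Enabled') {
        Write-Warning "$($f.Feature) is enabled: $($f.Reason)"
        if ($Fix) {
            # same as: dism /online /Disable-Feature /FeatureName:<name> /NoRestart
            Disable-WindowsOptionalFeature -Online -FeatureName $f.Feature -NoRestart | Out-Null
        }
    }
}

Get-RiskyFeatureState | Format-Table -AutoSize
Disable-RiskyFeature           # report only
# Disable-RiskyFeature -Fix    # remediate, then restart the machine
```

SMB1Protocol has client and server sub-features; disabling the parent removes both. Removing the PowerShell 2.0 engine breaks nothing modern, but check for old scripts launched with -Version 2 first.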

To check the parent language settings: action center, all settings, time language, region and language
Default language here cannot be changed, need to reinstall win 10
It is easy to add a language however and set as default
You can switch the language keyboard in taskbar
To find specific chars that are not available you can choose the symbol option in word and set a keyboard shortcut if you do not want to install the whole language pack
Once this is done apps are now friendly to spellchecks after installing the language

Device Drivers

If icon has exclamation this is an unknown device, if it is down arrow then the device driver is disabled
If any problems for devices then those trees are auto expanded in device manager
When you plug in a device the drivers get installed automatically. These are stored in Windows\System32\DriverStore and dvstore
if device does not appear after connecting do scan for hw changes or go in devices/printers in CP and click add device
You can enable and disable driver updates by setting metered connections
you can remove drivers
you can remove Win updates under history
cmd util type: pnputil you can add and delete drivers

In a corp environment you might not want to auto update drivers as these are tested first. Go to devices and printers, right click your desktop and set: no do not auto update device drivers
you can rollback drivers to previous level – properties, driver tab, rollback driver, greyed out if driver not updated before

Win10 does not allow boot loader key sequence to improve the boot time
you can use msconfig instead, boot menu, and set start safe boot with minimal. This is for device driver issues
Win update can cause driver issues, Win update settings, update history you can uninstall Win updates

Trusted and signed drivers, use admin cmd type: sigverif
you can test drivers using admin cmd: verifier – to check drivers does not have any errors
select display info about drivers, add driver .sys file and it will run recommended checks

you can install drivers using pnputil
in PS use Get-PnpDevice, Get-PnpDeviceProperty, Enable-PnpDevice, Disable-PnpDevice
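The device manager, sigverif and pnputil checks from this section scripted together, as an added example (not code from these notes). It uses the real Pnp cmdlets, Get-WindowsDriver and the Win32_PnPSignedDriver CIM class; nothing in it is specific to a particular machine.

```powershell
# Added example (not from the notes): problem devices, driver details,
# unsigned third-party drivers and the driver store, from PowerShell.
function Get-ProblemDevice {
    # The exclamation / down-arrow icons: any present device whose Status is not OK
    Get-PnpDevice -PresentOnly | Where-Object { $_.Status -ne 'OK' } |
        Select-Object Status, Class, FriendlyName, InstanceId
}

function Get-DeviceDriverInfo {
    # Same facts as the driver tab: provider, version, inf and date for one device
    param([Parameter(Mandatory)][string]$InstanceId)
    $keys = 'DEVPKEY_Device_DriverProvider', 'DEVPKEY_Device_DriverVersion',
            'DEVPKEY_Device_DriverInfPath', 'DEVPKEY_Device_DriverDate'
    $out = [ordered]@{ InstanceId = $InstanceId }
    foreach ($p in Get-PnpDeviceProperty -InstanceId $InstanceId -KeyName $keys) {
        $out[($p.KeyName -replace '^DEVPKEY_Device_Driver', '')] = $p.Data
    }
    [pscustomobject]$out
}

function Get-UnsignedThirdPartyDriver {
    # What sigverif would flag: installed drivers whose package is not signed
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DriverProviderName -and $_.DriverProviderName -notmatch 'Microsoft' -and -not $_.IsSigned } |
        Select-Object DeviceName, DriverProviderName, DriverVersion, InfName, Signer
}

function Get-DriverStorePackage {
    # What pnputil /enum-drivers lists: third-party oemNN.inf packages in the store
    Get-WindowsDriver -Online | Select-Object Driver, OriginalFileName, ProviderName, ClassName, Version, Date
}

Get-ProblemDevice            | Format-Table -AutoSize
Get-UnsignedThirdPartyDriver | Format-Table -AutoSize

# Remediation once a package has been judged bad (oemNN.inf from Get-DriverStorePackage):
#   Disable-PnpDevice -InstanceId '<instance id>' -Confirm:$false
#   pnputil /delete-driver oemNN.inf /uninstall /force
```

An unsigned entry from a vendor is worth a look before it is trusted; an unsigned entry that claims to be from a vendor but has no matching package in the driver store is worth a closer one.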

Customise Start Menu and Tiles

All settings are in settings app, click start, show more tiles to have more tiles in start menu
you can click the titles in the tile display to change the names, you can drag to other tiles to group or make new row by moving to bottom and entering title to make new group
right click make small, large tiles and remove live tile function
in settings enable jumplists from start icon, this shows word recent docs and you can pin them there. If you want to clear the history disable feature in start settings app and re-enable
at bottom of settings click ‘what folders appear’ you can choose photos, downloads etc
start full screen is touch friendly start button which is full screen. This is default when ms recognises a tablet device
in action center you can click tablet mode button this will also show full start menu, you can edit settings in settings > system > tablet mode

group policy to save state of start menu tiles for the enterprise, type GP in search menu click edit group policy. You would normally do this on domain controller

user configuration > administrative templates > start menu and taskbar > start layout – you can use an xml file which is in a share on the network so users get the settings from there
to get the xml file in PS type: Export-StartLayout -Path mystart.xml

Desktop Settings and Cortana on Desktop

Virtual desktops button in taskbar > click and add new desktop you can drag Win to other desktops. You can use keyboard shortcuts to switch desktops
You can control action center icons in settings > system > notifications and actions

Accessibility options settings app > ease of access
narrator, magnifier, high contrast, closed captions, keyboard, mouse, other options (learn these for exam)
closed captions when watching movies and tv
sticky keys stays pressed on keyboard
toggle keys audio when click caps, num or scroll lock
filter keys – filter out repetition of key press
mouse pointer and size
Other options: animations, Win backgrounds, time for notifications, cursor thickness, visual notification for sounds

Cortana – click microphone icon to speak to cortana
search about pc to see version number
Cortana is configured post install of Win 10
In anniversary update 1607 it is harder to turn off cortana
in home edition use regedit to disable:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
DWORD (32-bit) AllowCortana = 0
In enterprise use gpedit > computer config > administrative templates, Win components > search > allow cortana, disable > signout and sign back in
You can also have cortana but without personalisation/customisation for more privacy

Edge Browser

Similar to chrome, stripped down and faster
less battery power and doesn’t support older tech
reading view button next to address bar
star button, favourites and reading list to read later
hub button next to star can view reading list
webnote button for onenote tools, good for touch screen, you can email the webnote
last button is more button, allow extensions, zoom, private browsing, pin page to start
open with internet explorer option so for legacy stuff like active x
edge is a safe browser
for enterprise you can enable edge enterprise mode

create xml file and save it in GP so users will run ie instead of edge when they go to that website
internet explorer can be used as default browser and pinned to taskbar if you want
ie smartscreen filter blocks known bad sites so good to enable
ie v11 there will not be any newer versions of ie. ms will still patch ie 11
ms wants developers to ditch older tech and use edge
file save as works in ie but not edge
internet options as usual don’t need to memorise, questions will be about edge
in enterprise gpedit will be used to edit the ie settings, users not allowed in private browsing for example.
Computer configuration > administrative templates > Win components > internet explorer > privacy
cmd admin > gpupdate (refresh GP without logging out)
the inprivate option in ie should now be gone once set in GP above

Power and battery saver settings
you can turn battery saver on automatically at 20% or use slider to adjust this
you can control battery usage by app
lower screen brightness while in saver mode
view apps battery usage
manage apps battery usage, always allowed in background, never allowed or managed by Win
additional power settings > opens in control panel > create custom power plan > always on > never turn off display
power saver > you can create more aggressive power save plan
you can pin power options to start by right clicking icon in control panel
in control panel you can click advanced power settings for much more granular settings, display > enable adaptive brightness. You can also restore defaults in here

WCD Windows Configuration Designer (previously Windows Imaging and Configuration Designer, ICD) – see further below for more on provisioning packages
new tool for Win10 provisioning is not the same as re-imaging
take image and modify for enterprise deployment
this is part of Win ADK there is a specific version for each Win version on the download page

view settings in image, create manage image file, build and flash image, build provisioning package
select new project, choose provisioning package for existing system, imaging to customise the image
you can use wim file and then import a provisioning package you already have
settings and customisation
you can add drivers, language packs, win updates, image time settings, display, runtime what will Win look like after installation then create production media > leave as wim, compact OS, audit boot mode to make sure it works properly, copy script, bootable USB or save to image.

SCCM and PS can push out provisioning

Windows Activation

volume activation for Win in the enterprise
retail pack and oem gives you a single key
for retail and oem, you go to settings > activation
MS would prefer you to use AD based activation
KMS, devices just contact kms server once for activation does not need to be on domain
Active directory based but devices need to check in to domain now and again
KMS can be installed as a service on a server that is web server or used for something else
Roles and features in server 2012 R2 – add role or feature in server manager
select server, volume activation services, remote server admin and volume activation tools also need to be installed
after install in server manager you will see VA Services, it will popup configuration is required
do your post deployment configuration, setup kms service, enter kms host key

MAK Key baked into image itself

Misc activation tips
Win software licensing management tool: cmd tool for licensing, type: slmgr /?
slmgr /xpr – status of licensing
slmgr /dli – general licensing info
slmgr /ipk <kms key> – install kms key
slmgr /ato – activate online
slui.exe 4 – activate by phone
After activating restart software protection service
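The slmgr tips above done through the CIM classes slmgr.vbs itself uses, as an added example (not code from these notes), so status can be collected from many machines without parsing slmgr's popup text. The product key is a placeholder; the Windows ApplicationID GUID is the well-known one slmgr filters on.

```powershell
# Added example (not from the notes): activation status (slmgr /xpr, /dli),
# key install + activate (slmgr /ipk, /ato) and the service restart.
$WindowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'   # Windows product family, as used by slmgr.vbs

function Get-ActivationState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $status = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOB grace'; 3 = 'OOT grace'
                 4 = 'Non-genuine grace'; 5 = 'Notification'; 6 = 'Extended grace' }
    Get-CimInstance -ComputerName $ComputerName -ClassName SoftwareLicensingProduct `
        -Filter "PartialProductKey IS NOT NULL AND ApplicationID='$WindowsAppId'" |
        ForEach-Object {
            [pscustomobject]@{
                Computer   = $ComputerName
                Edition    = $_.Name
                Channel    = $_.Description                  # e.g. VOLUME_KMSCLIENT, VOLUME_MAK, RETAIL
                Status     = $status[[int]$_.LicenseStatus]  # slmgr /xpr equivalent
                GraceDays  = [math]::Round($_.GracePeriodRemaining / 1440, 1)   # value is in minutes
                KmsHost    = $_.KeyManagementServiceMachine
                PartialKey = $_.PartialProductKey
            }
        }
}

function Set-ClientProductKey {
    # slmgr /ipk <key> ; slmgr /ato ; restart the Software Protection service
    param([Parameter(Mandatory)][string]$ProductKey)   # placeholder: the KMS client setup key (or MAK) for the edition
    $svc = Get-CimInstance -ClassName SoftwareLicensingService
    Invoke-CimMethod -InputObject $svc -MethodName InstallProductKey -Arguments @{ ProductKey = $ProductKey } | Out-Null
    Invoke-CimMethod -InputObject $svc -MethodName RefreshLicenseStatus | Out-Null
    Get-CimInstance -ClassName SoftwareLicensingProduct -Filter "PartialProductKey IS NOT NULL AND ApplicationID='$WindowsAppId'" |
        ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName Activate | Out-Null }
    Restart-Service -Name sppsvc
    Get-ActivationState
}

Get-ActivationState | Format-List
```

Channel tells you whether a machine is on KMS, MAK or retail, which is the first thing to check when a fleet report shows machines drifting into Notification state.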

you also have in win 10 VAMT Volume Activation Management Tool gui based this is part of ADK
connect to VAMT database running on server then you can manage it
you can play with a non activated copy of Win10 during install click the link I do not have a key. you will get activation messages and not be allowed to personalise in settings, there are some hacks to still change these
this could be useful for practice (slmgr /rearm)

4th license option is manual key
in CP > system view workgroup and join domain

Azure AD Join Settings app > Accounts > Access work or school, managed through MDM not GP
Device Registration: There is an object GUID for each device whether its on prem or cloud
Data from AzureAD about the device is written back to on-prem infrastructure – this allows conditional access
in server manager on Win server 2012 R2 when you open it takes inventory of system so wait until it loads by looking at items that have finished appearing in left column

Active Directory Install and Group Policy (AD and GP)

To install AD:
ad domain services and .net 4.5 features it needs
post config it says promote to dc, create forest then choose restore mode password
when you are a dc then you can see tools used to manage ad
reboot is required after installation
in start you will see ad tools
choose active directory administrative center tool
create test local ad, create ou remote staff then inside the ou create new group, user etc
then you can put GP’s on these items
this is good practice for GP
explore other ad tools that are available
you can use gpedit to modify local GP on a machine, important in non enterprise too

in win server 2016 > server manager > tools > ad admin center
create user John in remote staff ou group
you can create a gpo in the ou remote staff by right clicking on it
this gpo is then linked to the ou, right click it to edit the gpo and view all the thousands of gpo settings
there are computer settings and user settings

You can download RSAT Remote Server Admin Tools for Win10 to control gpo etc so you don’t need to login to the server directly

GP changes kick in straight away, sometimes manually need to push the settings using gpupdate, log user off and back on or restart

Learn Win10 GP

UAC User Account Control

create admin account for admin stuff only and use user account for general
least privilege concept – we want account with just right amount of access to do the task
if an admin task appears you can run it as the admin account using UAC, and the other way around. UAC works better in Win10.
standard users should not have access to firewall and installing apps
in CP > security and maintenance > change uac settings > slider
always notify, default is notify when apps make changes, notify when apps make changes do not dim desktop > never notify

In GP editor > computer configuration > Win settings > security settings > local policies > security options > user account control > control elevation prompt for users, prompt credentials, auto deny elevation request etc.
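The slider and the GP settings above both end up as registry values under Policies\System; reading them back is the quickest way to audit UAC on a machine. As an added example (not code from these notes), this decodes the slider position and the standard-user behaviour and flags the weak states. The value names are the real policy values; the slider-to-value mapping is the documented Win 10 one.

```powershell
# Added example (not from the notes): decode and enforce UAC settings.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    # slider position = ConsentPromptBehaviorAdmin / PromptOnSecureDesktop
    $slider = switch ("$($p.ConsentPromptBehaviorAdmin)/$($p.PromptOnSecureDesktop)") {
        '2/1'   { 'Always notify' }
        '5/1'   { 'Notify when apps make changes (default)' }
        '5/0'   { 'Notify when apps make changes, do not dim desktop' }
        '0/0'   { 'Never notify' }
        default { 'Custom (set by GP)' }
    }
    # standard users: 0 = auto deny, 1 = credentials on secure desktop, 3 = credentials
    $standardUser = switch ([int]$p.ConsentPromptBehaviorUser) {
        0       { 'Automatically deny elevation requests' }
        1       { 'Prompt for credentials on the secure desktop' }
        3       { 'Prompt for credentials' }
        default { 'Custom' }
    }
    $findings = @()
    if ($p.EnableLUA -ne 1) {
        $findings += 'EnableLUA=0: Admin Approval Mode off, UAC effectively disabled'
    }
    if ($p.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Admins elevate silently: code running as the user gets admin with no prompt'
    }
    if ($p.PromptOnSecureDesktop -ne 1) {
        $findings += 'Prompts not on the secure desktop: other software can draw over or drive them'
    }
    [pscustomobject]@{ Slider = $slider; StandardUser = $standardUser; Findings = $findings }
}

function Set-UacAlwaysNotify {
    # Top of the slider: consent on the secure desktop for every elevation,
    # and standard users cannot elevate at all (they use the admin account)
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorUser  -Value 0 -Type DWord
    Get-UacState
}

Get-UacState
```

A change to EnableLUA only takes effect after a restart; the other three apply to the next elevation prompt. In a domain, set the same values through the GP path above rather than directly, or the next policy refresh will overwrite them.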
Core services: networking, storage, user areas, apps, remote tools


ip settings, right click network icon open network sharing center
change network adapter, ipv4 and ipv6
ping localhost (ipv6 is default) ping localhost -4 shows ipv4
ipconfig in cmd

if it shows fe80 as ipv6 then it is a link local address and can communicate with other machines on the network

ipv4 address 169.254.x.x is the APIPA address (automatic private IP addressing); this allows local network communication with machines also getting this addressing

dhcp server setup with ipv4 and ipv6
private ip addresses (10.x private range), this is used with NAT
subnet mask identifies which part of ip is network and which is host
google dns servers, these can get you out to internet if you do not have dns server
ipv4 is 32bit, ipv6 128bit represented in hex
manual ipv6 2001:2323:34ef::1 (:: represents 0000)
gateway: manual ipv6 2001:2323:34ef::100
subnet prefix 64 (bit)
preferred dns 2001:2323:34ef::8888 google will also have ipv6 dns servers

default gateway is used to reach non-local subnets
in PS: Get-NetIPAddress, New-NetIPAddress, Remove-NetIPAddress, Set-NetIPAddress
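The address types from this section (APIPA, link-local, private, global) classified per adapter, then the manual IPv6 settings from the notes applied with the cmdlets just listed, as an added example (not code from these notes). The adapter alias 'Ethernet' is an assumption.

```powershell
# Added example (not from the notes): classify each adapter's addresses to
# spot a failed DHCP lease, then apply the manual IPv6 settings from the notes.
function Get-AddressHealth {
    Get-NetIPAddress | Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } | ForEach-Object {
        $kind = switch -Regex ($_.IPAddress) {
            '^169\.254\.'                                  { 'APIPA: DHCP lease failed, LAN-only reachability'; break }
            '^fe80:'                                       { 'IPv6 link-local: automatic, on-link only';        break }
            '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)' { 'IPv4 private (RFC 1918), behind NAT';             break }
            '^[23][0-9a-f]{3}:'                            { 'IPv6 global unicast';                              break }
            default                                        { 'IPv4 public or other' }
        }
        [pscustomobject]@{
            Adapter = $_.InterfaceAlias
            Address = "$($_.IPAddress)/$($_.PrefixLength)"
            Origin  = $_.PrefixOrigin          # Dhcp, Manual, RouterAdvertisement, WellKnown
            Kind    = $kind
        }
    }
}

function Set-ManualIPv6 {
    # Values from the notes: host ::1, gateway ::100, /64 prefix, DNS ::8888
    param([string]$Alias = 'Ethernet')   # adapter name, assumption
    New-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv6 -IPAddress '2001:2323:34ef::1' `
        -PrefixLength 64 -DefaultGateway '2001:2323:34ef::100' | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses '2001:2323:34ef::8888'
    Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv6 | Where-Object PrefixOrigin -eq 'Manual'
}

Get-AddressHealth | Format-Table -AutoSize
```

An adapter whose only IPv4 address is APIPA is the script's version of the "169." symptom above: the machine never heard from a DHCP server. New-NetIPAddress refuses to add a second default gateway, so remove the old route first when re-addressing an adapter that already has one.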

name resolution makes finding resources on the network simple, this is all about dns
advanced network settings you can add more dns servers, auto append, wins legacy method not really used but on by default
cmd type ipconfig /all shows dns settings set
nslookup to check if dns is working, name resolution for yahoo and its ipv4 and v6 addressing

hosts file: can contain name resolution entries. Malware will try to add entries in this file to redirect websites

add entry: 127.0.0.1 mycoolname
ping mycoolname will resolve to local loopback
join domain: go to system properties, click network id
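A hosts-file check that catches the redirect trick mentioned above, as an added example (not code from these notes): it parses the file, rates each entry, and lists who can write the file. The watch list of names is constructed; replace it with the sites you care about.

```powershell
# Added example (not from the notes): parse the hosts file and flag entries
# that send names somewhere other than loopback.
function Get-HostsEntry {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    foreach ($line in Get-Content -Path $Path) {
        $text = ($line -split '#', 2)[0].Trim()        # strip comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }           # address with no names
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Name = $name.ToLower() }
        }
    }
}

function Test-HostsFile {
    param(
        [string[]]$Watch = @('login.microsoftonline.com', 'update.microsoft.com', 'www.mybank.example'),  # constructed list
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    $loopback = @('127.0.0.1', '::1', '0.0.0.0')
    foreach ($e in Get-HostsEntry -Path $Path) {
        $severity = if ($e.Name -in $Watch) {
            'High: watched name overridden'
        }
        elseif ($e.Address -notin $loopback) {
            'Medium: name pinned to a non-loopback address'
        }
        else {
            'Info: loopback mapping (dev/test or ad-blocking)'
        }
        [pscustomobject]@{ Name = $e.Name; Address = $e.Address; Severity = $severity }
    }
    # Only Administrators, SYSTEM and TrustedInstaller should be able to modify the file
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|Modify|FullControl' } |
        ForEach-Object { [pscustomobject]@{ Name = '(acl)'; Address = $_.IdentityReference; Severity = 'Info: can write hosts file' } }
}

Test-HostsFile | Format-Table -AutoSize
```

The same file also drives ipconfig /displaydns and the "ping mycoolname" test above, so a surprise entry here explains a lot of name-resolution oddities before nslookup is needed.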
homegroup network for the home. Choose homegroup in CP
change network to private by making things discoverable
create homegroup, file, printer and devices, pics, vids, music, docs
password generated is entered on another computer in homegroup settings. If not found run homegroup troubleshooter
change what you are sharing and allow tvs and game consoles
in homegroup in file explorer you will see the other machine
you can leave the homegroup or stay connected but change what I am sharing
network profile is displayed in network and sharing center, in this case private network
if joined domain it will say domain network, in coffee shop guest or public network
Guest network used for less secure areas such as Coffee Shop
network location profile setting changes firewall, network discovery, file print sharing, homegroup option. Homegroup only available in private network

in settings app > network settings > ethernet or wifi > click the connection > make this pc discoverable on or off. This will toggle guest/private network
in CP you can change settings for these diff profiles
CP > network sharing settings > change advanced sharing settings > network discovery on/off, file and printer on/off, homegroup set Win manage or use accounts and passwords, media streaming, file sharing connections encryption, password protected sharing. The firewall has settings for private, guest and public networks separately

GP > computer config > Win settings > security settings > network list manager policies > you can control different networks here unidentified, identified networks. You can lockdown networks or specify names of them here. You can force a network to be private/public.

Windows Firewall

Access firewall in network & sharing center in bottom right of taskbar
It will expand the section based on which network you are using
the popup that appears when an app requires access when you allow access this changes firewall rules
change notification settings > you can block stuff here without notification so users do not even see popup
turn off firewall here, action center popup these can be silenced. If you use 3rd party firewall
to install av you sometimes need to disable fw
FW settings are in settings app and some in CP. Separate config for domain, private public networks.
we can preset the fw for users so they don’t get notifications
you can add \system32\ping as an allowed app for private and public

you can restore defaults if settings are incorrect
scripting can be done in admin cmd, type: netsh firewall add allowedprogram C:\Windows\System32\tracert.exe "Trace Route" ENABLE
message appears this command is deprecated use new command

netsh advfirewall ?

netsh firewall add allowedprogram C:\Windows\System32\tracert.exe "Trace Route" ENABLE custom standard (this adds to private as well as public)
netsh firewall add allowedprogram "C:\Program Files (x86)\MyApp\MyApp.exe" "MyApplication" ENABLE

in PS:
New-NetFirewallRule -DisplayName "TRACE" -Direction Inbound -Program "C:\Windows\System32\tracert.exe" -Action Allow
New-NetFirewallRule -DisplayName "Allow MyApp" -Direction Inbound -Program "C:\Program Files (x86)\MyApp\MyApp.exe" -RemoteAddress LocalSubnet -Action Allow
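The two rules above allow any remote address on every profile; as an added example (not code from these notes) this recreates them scoped to the local subnet on Domain/Private only, audits for other inbound allow rules that are that broad, and does the network-discovery and export steps from the advanced-settings notes. Program paths are the ones in the notes; the export path is constructed.

```powershell
# Added example (not from the notes): scoped program rules, an audit for
# broad inbound allows, and the discovery/export housekeeping.
function New-ScopedAllowRule {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$Program,
        [string[]]$RemoteAddress = 'LocalSubnet',
        [string[]]$Profiles      = @('Domain', 'Private')   # not Public unless it truly must be
    )
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $DisplayName     # idempotent: replace rather than duplicate
    }
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Action Allow -Program $Program `
        -RemoteAddress $RemoteAddress -Profile $Profiles -Enabled True
}

function Get-BroadInboundAllow {
    # Enabled inbound allow rules that apply on Public and accept any remote address
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { $_.Profile -match 'Public|Any' } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                [pscustomobject]@{
                    Rule    = $_.DisplayName
                    Profile = $_.Profile
                    Program = ($_ | Get-NetFirewallApplicationFilter).Program
                    Port    = ($_ | Get-NetFirewallPortFilter).LocalPort
                }
            }
        }
}

New-ScopedAllowRule -DisplayName 'TRACE'       -Program 'C:\Windows\System32\tracert.exe'
New-ScopedAllowRule -DisplayName 'Allow MyApp' -Program 'C:\Program Files (x86)\MyApp\MyApp.exe'

# Network Discovery (the group the netsh command in the notes disables) off on Public only
Get-NetFirewallRule -DisplayGroup 'Network Discovery' | Where-Object Profile -match 'Public' | Disable-NetFirewallRule

Get-BroadInboundAllow | Format-Table -AutoSize

# Export the policy so it can be imported on other machines (folder must exist)
New-Item -ItemType Directory -Path 'C:\Backup' -Force | Out-Null    # constructed path
netsh advfirewall export 'C:\Backup\firewall.wfw'
```

Get-BroadInboundAllow is the list to review before a laptop goes to the coffee shop: every rule on it is reachable from anyone on the same public network.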

Win firewall advanced settings interface
more granular controls, inbound and outbound rules
right click outbound rules and create new custom rule
you can ping yahoo get ip and setup a rule to block this for testing
you can script this using cmd: netsh advfirewall ? See netsh ? For more
Setup firewall then export to a file which can be imported

in PS:

get-netfirewallrule, enable-netfirewallrule, disable-netfirewallrule, new-netfirewallrule, set-netfirewallrule
network discovery in settings click the network name that is displayed, make this pc discoverable if switched off network will be public
netsh advfirewall firewall set rule group="Network Discovery" new enable=No – you can disable discovery with this command
for network discovery the following services need to be running: dns client, function discovery resource publication, ssdp (simple service discovery) discovery, upnp device host
most devices do not have ethernet now so it is assumed you will connect using wifi

ad-hoc – direct device to device connections, no ap
infrastructure uses an ap

wifi direct – no ap, something like wifi direct printers

802.11b – 11mb 2.4ghz

802.11a – 54mbps 5ghz

802.11g – 54mbps 2.4ghz but more efficient than a

802.11n – 100mbps 2.4/5ghz

802.11ac – 433mbps 5ghz – modern day standard

wep wired equivalent privacy – not secure

wpa wifi protected access

wpa2 today's standard, personal and enterprise; in ent you can use radius, extensible authentication protocol, 802.1x to make it even more secure

network status shows connection 5g or other

view network properties for wifi ap info

network sharing center -status, ssid, wireless properties, look for other networks, connect even if ssid is not broadcast, extra security

aes – advanced encryption standard

advanced security – FIPS, federal for very high security where it is required

network adapter settings, configure adapter, advanced can select prefer 5g settings

admin cmd > netsh wlan ? – add configure wifi, delete disconnect

wifi direct printer better performance than bluetooth

win10 supports this but net adapter needs to support this.

Check this in settings app > network and internet settings > view network properties > description should say ms direct virtual adapter

you can connect to the direct network as an ssid in networks

wifi sense will connect automatically to ms known wifi hotspots, can turn this off and enable show notification. Some of these networks may not be secure so this could be turned off

hotspot 2.0 can connect to roaming networks and seamlessly switch between wifi and cellular networks

paid wifi you connect then can pay for wifi, used on airplane for example

network troubleshooting

admin cmd: ping tests for dns and bidirectional connectivity

ipconfig /release /renew gets new dhcp details

tracert shows hops and can be used to troubleshoot

end users can use: network troubleshoot in network status page, network reset can be done will remove and reinstall network adapter and needs restart. This is more effective than just a reboot on its own

VPN – add vpn in network settings

vpn provider Win built in or another.

Vpn server/address

allow vpn, metered, roaming

in network adapter new wan miniport adapter will appear, properties will be populated, ppp advanced settings, type of vpn, auto or choose, data encryption, authentication and related settings. Ipv4 and v6, share to other users on network, you can be a vpn gateway

if thousands of users need access then you can use MS Intune. You can push vpn settings to the devices. Setup a vpn profile and push to devices

Intune is for small to medium business, sccm can be used for the largest of businesses

vpn always on, lockdown(only use vpn connection), apptriggered, traffic filters

IPsec – built into the IPv6 stack (the original IPv6 specifications mandated it). Windows Firewall with Advanced Security uses it for connection security rules

it sits on top of IP and provides confidentiality (encryption: DES, 3DES, AES), integrity (hashing, e.g. SHA, so data arrives in the same form it was sent) and authentication (credentials exchanged securely so each end is who it says it is)

in VPN settings you can adjust these IPsec settings; choosing IKEv2 as the VPN type uses IPsec, with IKE negotiating the keys

this gives a secure tunnel, and you can then run a further encrypted protocol inside it

in vpn advanced properties of the adapter, EAP – extensible authentication protocol, smartcard

there are a variety of options; you choose what applies to you. Note that export-control and local laws can restrict sending strongly encrypted data to another country or state

firewall rules, server to server between 2 computers

IPSec is going to be in win10 vpn settings and/or new connection security rules wizard of advanced firewall

you don't have to use IPsec, but support for it is built into every IPv6 stack
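Creating the IKEv2 profile with an explicit IPsec proposal instead of the negotiated defaults, as an added example that is not part of the course notes. The server name and the assumption that a machine certificate is installed are placeholders; run elevated.

```powershell
# Added example: IKEv2 VPN profile with machine-certificate auth and an explicit IPsec proposal.
# Assumptions: vpn.example.com is a placeholder; a client certificate with the Client Authentication EKU is present.
$name = 'Corp-IKEv2'

Add-VpnConnection -Name $name -ServerAddress 'vpn.example.com' `
    -TunnelType IKEv2 -AuthenticationMethod MachineCertificate `
    -EncryptionLevel Required -RememberCredential:$false -SplitTunneling:$false -Force

# Override the IKE/IPsec proposal: AES-256 with SHA-256 integrity, 2048-bit DH, and PFS so a
# compromised long-term key does not expose past sessions.
$ipsec = Set-VpnConnectionIPsecConfiguration -ConnectionName $name `
    -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 -PfsGroup PFS2048 -Force -PassThru

Get-VpnConnection -Name $name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling
$ipsec | Format-List

# Connect from the command line once the profile exists (rasdial uses the profile's stored settings)
rasdial $name
```

`-SplitTunneling:$false` keeps all traffic inside the tunnel; `-EncryptionLevel Required` refuses to fall back to an unencrypted PPP link. Use `-AllUserConnection` if the profile should exist for every user of the machine rather than the current one.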

DirectAccess for devices that need workplace connection all the time like an always on VPN

this is limited to Windows 10 Enterprise or Education editions

this is setup on a server using a GPO in domain

ipv6 and ipsec is used

if the client is on an IPv4-only network, DirectAccess tunnels the IPv6 traffic over IPv4 (6to4, Teredo or IP-HTTPS)

network location server (NLS): the client decides it is inside the corporate network when it can reach the NLS; when it can't, DirectAccess activates. This is the built-in intelligence

AD DS, DNS and GPO are required. A PKI (public key infrastructure) is optional, but large enterprises use it for certificate authentication against the domain

Disk Management

This can be scripted and managed with PowerShell

right click start > disk management

new disks that are not initialised

right click the disk 1 icon and initialise disk, partition style MBR or GPT. MBR is the older style, limited to 2 TB and four primary partitions; GPT recognises much larger disks, allows more partitions and is required for UEFI boot

right click unallocated space and choose the volume type: simple (one disk, no RAID); spanned (fills one disk then the next, no redundancy, just adds the space of several disks to one volume); striped (RAID 0, better performance, no redundancy); mirrored (RAID 1, redundancy, two disks); RAID-5 (greyed out unless you have at least 3 disks, parity data written for redundancy)

scripting with diskpart still works and can be task sequenced in SCCM

cmd admin: diskpart Enter

type help for commands list

run PS as admin:

get-disk (like list disk in diskpart)

get-help initialize-disk

initialize-disk -number 2 -partitionstyle GPT

new-partition -disknumber 2 -usemaximumsize -assigndriveletter

get-help format-volume

format-volume -driveletter f -filesystem ntfs

VHDs usually used with VMs but they can be used as small disks and are portable, or differencing disks. Difference disk VHD only captures changes that occur so VHD is read only and new difference disk has the changes. Preserves original disk

to make VHDs use hyper-v manager, diskpart, disk manager, PS

VHD supports up to 2 TB

VHDX supports up to 64tb but not supported with win7

You can create a VHD Set (.vhds, Windows 10 / Server 2016 only), the newer format for virtual disks shared between VMs

you can copy a physical disks content to VHD, or from a VHD

you need to attach (mount) the VHD first and then initialise it before you can create volumes on it

you can detach the VHD but it still exists on file system

you can compact size of disk, convert to new disk, expand size of disk

you can copy VHD to USB drive plugin another computer then in disk manager click action > rescan disks otherwise click attach VHD
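The attach-then-initialise sequence end to end with the Storage cmdlets, as an added example (not course code). It creates the file with diskpart so the Hyper-V module is not needed; the path is a placeholder and the prompt must be elevated.

```powershell
# Added example: create a dynamic VHDX, attach it, initialise/partition/format it, then detach it.
# Assumptions: elevated prompt, C:\Temp exists, no Hyper-V role installed (diskpart does the creation).
$vhd = 'C:\Temp\demo.vhdx'

# diskpart reads its script from stdin; "expandable" = dynamically expanding, 4 GB maximum
@"
create vdisk file="$vhd" maximum=4096 type=expandable
"@ | diskpart | Out-Null

# Attach first: the VHD has no disk number to initialise until it is mounted
Mount-DiskImage -ImagePath $vhd | Out-Null
$disk = Get-Disk -Number (Get-DiskImage -ImagePath $vhd).Number

if ($disk.PartitionStyle -eq 'RAW') {
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
}
$part = New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter
Format-Volume -DriveLetter $part.DriveLetter -FileSystem NTFS -NewFileSystemLabel 'DemoVHD' -Confirm:$false | Out-Null
"Mounted as $($part.DriveLetter):"

# Detach: the file stays on disk; copy it to another machine and Mount-DiskImage it there
Dismount-DiskImage -ImagePath $vhd | Out-Null
Get-Item $vhd | Select-Object FullName, @{n='SizeMB'; e={ [math]::Round($_.Length / 1MB) }}
```

The size check at the end shows why dynamic disks are popular for portability: a 4 GB maximum disk is only as large as the data written to it, but it will grow as files land on it.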

VHDs can get large

Storage Spaces

easy to virtualise storage from multiple storage types and sources

volumes – mirrored, spanned, striped

CP > storage spaces > create new pool

ReFS – Resilient File System, designed for resilient (mirror/parity) storage spaces. With integrity streams it can detect corruption and repair it automatically from the good copy, and it does not need chkdsk

but sometimes you would use ntfs as refs does not support some things such as data deduplication in servers

resiliency – simple (no resiliency); two-way mirror (at least 2 drives); three-way mirror (at least 5 drives); parity (RAID-5 style parity, at least 3 drives)

in storage pool you can add drive, optimise drive usage to spread existing data across all drives

you can use thin provisioning on new drives and enter a larger disk size

data is unaffected on the pool when adding disks

redundancy options occupies disk space

this is also a Win server technology and useful for servers

removable drives are disliked in the enterprise as data can be taken away or malware introduced

lock down USB drives: BitLocker To Go on the removable drive, unlocked with a password or smart card; back up the recovery key to the MS account, to a file, or print it

encrypt used space or entire disk

new encryption mode or compatibility mode

you can turn off bitlocker and decrypt the drive

gpo: comp config > admin templates > win components > bitlocker drive encryption > removable drives > deny write access to removable drives not protected with bitlocker (example of enterprise setting)

also setting in system > device installation > prevent install of removable devices, specify certain devices that will work and others that get blocked. Also prevent user access to USB port in the first place for higher security environments
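Encrypting a removable drive, escrowing the recovery password and applying the deny-write policy from PowerShell, as an added example (not course code). The drive letter and the key-escrow file path are placeholders; run elevated.

```powershell
# Added example: BitLocker To Go on a removable drive plus the registry form of the deny-write GPO.
# Assumptions: elevated prompt, removable drive mounted as E:, escrow path is a placeholder.
$drive = 'E:'
$pw = Read-Host -AsSecureString 'BitLocker password for the drive'

# Password protector with XTS-AES 256 ("new encryption mode"); use Aes256 instead if the drive
# must also open on Windows 7/8 ("compatible mode"). -UsedSpaceOnly encrypts only used space.
Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -UsedSpaceOnly `
    -PasswordProtector -Password $pw | Out-Null

# Second protector: the 48-digit recovery password, captured and written to an escrow file
$vol = Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector
$rp  = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
$escrow = "C:\Keys\$($env:COMPUTERNAME)-$($drive.TrimEnd(':'))-recovery.txt"   # assumption: protected admin folder
New-Item -ItemType Directory -Path (Split-Path $escrow) -Force | Out-Null
"Drive $drive on $env:COMPUTERNAME recovery password: $rp" | Out-File -FilePath $escrow

Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, EncryptionMethod, ProtectionStatus

# Registry equivalent of "Deny write access to removable drives not protected by BitLocker"
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name RDVDenyWriteAccess -Value 1 -Type DWord
Get-ItemProperty -Path $fve -Name RDVDenyWriteAccess
```

`ProtectionStatus` stays `Off` until encryption finishes and the protectors are active; check it before assuming the drive is safe to hand out. In a domain, `Backup-BitLockerKeyProtector` escrows the recovery password to AD instead of a file.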

troubleshoot storage, disk properties, low diskspace, disk cleanup, clean system files too

schedule this using task scheduler then it pops up

error checking on disk properties no reboot required for basic checking

under tools can see optimize drives and schedules this by default it recognises ssd disks and auto optimises and does not defrag

win will defrag mechanical disks

task manager disk option under performance, read/write

possible failures: logical failure, bad sectors. Fix with admin cmd: chkdsk /f /r; on the system drive this asks to schedule the check at the next reboot

mechanical failure: with spinning disks

firmware failure: still issue with ssd

MS Accounts and shares

you can add family members and control spending in Win store, their own custom settings and kids stay safe.

You can add another user to the pc ms account or use a non ms account, create new basic local accounts

Microsoft accounts (MSAs) are consumer identities: Hotmail/Outlook.com, Live, MSN, or another address such as Gmail registered as an MSA. They sync settings between devices

right click folder share with and it can be opened on other pc on the workgroup

printer properties share printer and the printer has icon to show its shared

in security tab you add user permission

this is all working well together because both devices are in a private network, workgroup and in advanced sharing settings file printer sharing was enabled and network discovery

sharing option in properties and advanced sharing

limit users, specific users, share name, specific permissions read or write etc

in computer management you can view shared folders > share names and view sessions, no of client connections, you can stop sharing here and create new shares and set permission

cmd admin: net share MyShareName=c:\marys_sharedstuff /GRANT:MaryS,READ

you can see in gui if successful

in PS: get-help new-smbshare (server message block)

new-smbshare -name MyShareName -path c:\marys_sharedstuff (the share name is required)

ms does not show share icon on the folder itself anymore

get-smbshare (good command to show current shares)

Share permissions are only over the network SMB, if you RDP to a server then NTFS permissions apply within explorer.

public folders off by default and not used much

you want to give access to anyone – advanced sharing settings in network sharing center

c:\users\public anything in these public will be easily available

onedrive free

onedrive for business like dropbox more business features

green tick shows backed up to cloud and has its own recycle bin which clears after 30 days

system tray app to control settings

right click share onedrive link – paste from clipboard and share link

file system permissions: the usual pattern is to go to the share permissions tab and give Everyone full access, then control access with NTFS permissions. Go to properties > security tab > advanced and disable inheritance first (removing the inherited entries). This clears the user list, so you can add MaryS and give her the specific permissions she needs on the folder

the restrictive permission comes from NTFS while the share permissions are wide open

this is granular control through NTFS permissions, and they take effect locally too, not just over the network

share permissions apply only over the network and combine with NTFS: the effective permission is the more restrictive of the two, which is why leaving the share open and restricting with NTFS works

so over the network the shared files can only be changed as the NTFS permissions allow

administrator can be set to have full control in advanced properties area

new option tab called effective access (in properties) select user

you need to be using an ntfs drive for these permissions
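The open-share / restrictive-NTFS pattern scripted end to end, as an added example that is not part of the course notes. The folder path and the local user MaryS are assumed to exist; run elevated.

```powershell
# Added example: share with Everyone Full Control, then restrict with an explicit NTFS ACL.
# Assumptions: elevated prompt, local user MaryS exists, folder path is a placeholder.
$path = 'C:\marys_sharedstuff'
$user = "$env:COMPUTERNAME\MaryS"
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share level: wide open. Access is decided by NTFS, not by the share.
New-SmbShare -Name MyShareName -Path $path -FullAccess Everyone | Out-Null

# NTFS step 1: break inheritance and drop the inherited entries ($true = protect, $false = do not copy)
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
Set-Acl -Path $path -AclObject $acl

# NTFS step 2: re-read the now-empty ACL and add only what is needed
$acl = Get-Acl -Path $path
$inherit = 'ContainerInherit, ObjectInherit'
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user, 'Modify', $inherit, 'None', 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow')))
Set-Acl -Path $path -AclObject $acl

# Verify both layers: share is open, NTFS is not; effective access is the more restrictive one
Get-SmbShareAccess -Name MyShareName | Select-Object AccountName, AccessRight, AccessControlType
(Get-Acl -Path $path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

Breaking inheritance with `$false` leaves the folder with no ACEs at all for a moment, which is why the administrators entry is added in the same run; forgetting it is the classic way to lock admins out of a share.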

troubleshoot data access

you could be restricted by GP on dc

GP editor > comp config > Win settings > security settings > local policies > user rights assignment (you can see what you are restricted for)

homegroup troubleshooter for homegroup issues

if you lose the BitLocker To Go recovery key it can be retrieved from your Microsoft account (OneDrive), provided you chose to back it up there

once encryption is removed you can delete those keys from the Microsoft account

desktop apps

msiexec /?

you can assign or publish apps to users in GP

assign installs when user logs in domain

publish allows install as an option in programs applet of CP

group policy in AD > computer config (or user config) > software settings > software installation

MDT more advanced

SCCM is complex and even more advanced needs extra licensing

bootup options

power options > choose power button > turn on fast startup enabled default

this is a function of hibernate, using c:\hiberfil.sys

this is referred as a hybrid startup mode as it relies a bit on hibernate

sometimes it is not enabled so

fast boot could be disabled under UEFI settings. In settings > choose update & security > recovery > restart with advanced setup > troubleshoot > advanced > edit UEFI > check if fast boot enabled

sometimes GP settings do not appear for user if fast boot is set so instead of shutdown get them to restart or force GP update

there is no GUI option to disable fast startup centrally; it can be done with a registry change and then deployed through GP

HKLM\SYSTEM\CurrentControlSet\Control\Power, DWORD HiberbootEnabled (1 = on, 0 = off)

to check if the machine supports fast startup run admin cmd: powercfg /a, which lists the available sleep states; if Hibernate is not available, fast startup cannot work

task manager startup tab and gives startup impact

some items (and malware) will not appear here; they live in the registry Run/RunOnce keys, the Startup folders, services and scheduled tasks (Sysinternals Autoruns shows all of these locations)
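Reading and changing the fast-startup value, then listing the startup locations that the Task Manager tab does not fully cover, as an added example (not course code). The HKLM write needs an elevated prompt; the "suspicious" heuristic is an assumption, not a rule.

```powershell
# Added example: fast startup via the registry, plus an autostart inventory beyond the Task Manager Startup tab.
# Assumptions: elevated prompt for the HKLM write; the path heuristic at the end is a rough triage aid.
$power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$cur = (Get-ItemProperty -Path $power -Name HiberbootEnabled -ErrorAction SilentlyContinue).HiberbootEnabled
"HiberbootEnabled = $cur (1 = fast startup on)"
# Disable fast startup so every shutdown is a full shutdown (GP and driver changes then apply on next boot)
Set-ItemProperty -Path $power -Name HiberbootEnabled -Value 0 -Type DWord

# Autostart entries: Run/RunOnce for machine and current user, plus both Startup folders
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$entries = @(foreach ($k in $runKeys) {
    if (Test-Path $k) {
        $props = Get-ItemProperty -Path $k
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            [pscustomobject]@{ Location = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }
})
$folders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
             "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup")
$entries += @(foreach ($f in $folders) {
    Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Location = $f; Name = $_.Name; Command = $_.FullName } }
})

# Flag commands launched from user-writable locations: a common persistence tell, not proof of malware
$entries | Select-Object Location, Name, Command,
    @{ n = 'Suspicious'; e = { $_.Command -match '\\(AppData|Temp|Users\\Public)\\' } } |
    Format-Table -AutoSize
```

Compare the list with the Startup tab: anything present here but absent there is exactly the kind of entry the notes warn about.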



Win Store

simple install and launch, UWP Universal Windows Platform

you can login with personal or business MS account

does not open in full screen if you are desktop

to uninstall store apps you right click uninstall in start menu

apps are auto updated, you can go to account settings in store and control app auto update

you can check for updates and run manually

These apps can be managed by O365, Azure, DISM, GP or Intune

Universal Win Apps, Mobile Apps and MSI’s can be delivered using Intune, GP and SCCM.

you can change save location in settings app > system > storage

Allow apps option: settings app > Apps > Apps & features > Installing apps option

you can turn off Win store in GP:

user config > admin templates > win components > store

you can also display private store for business only instead of public store

businesses can make own store apps and silently push those known as side loading

check if win10 supports it settings app > update & security > for developers > check sideload apps

win store for business volume purchase of apps and private apps, you can upload your own. Public or corporate store

Get-AppxPackage -Name *.Net*

Get-AppxPackage -Name *paint* | gm

Get-AppxPackage -Name *paint* | Select-Object -Property InstallLocation

PS can be used to sideload apps with Add-AppxPackage from an .appx or .appxbundle file (the Universal app package format).
ADK and MDT can also be used to install Apps
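Sideloading only a package signed by your own publisher certificate, with the policy switch that allows it, as an added example (not course code). The package path and certificate thumbprint are placeholders; the HKLM write needs an elevated prompt.

```powershell
# Added example: inventory UWP apps, allow sideloading, and install a package only if its signature checks out.
# Assumptions: elevated prompt; package path and publisher thumbprint are placeholders.
Get-AppxPackage -Name *paint* | Select-Object Name, Version, InstallLocation, SignatureKind

# Policy equivalent of Settings > For developers > Sideload apps (trusted, signed packages only)
$appx = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
New-Item -Path $appx -Force | Out-Null
Set-ItemProperty -Path $appx -Name AllowAllTrustedApps -Value 1 -Type DWord

function Install-TrustedAppx {
    param(
        [Parameter(Mandatory)][string]$PackagePath,
        [Parameter(Mandatory)][string]$ExpectedThumbprint   # thumbprint of the code-signing cert you issued
    )
    # Appx packages carry an Authenticode signature; refuse anything that is not valid and ours
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to sideload $PackagePath : signature status is $($sig.Status)"
    }
    if ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        throw "Refusing to sideload: signed by '$($sig.SignerCertificate.Subject)', not the expected publisher"
    }
    Add-AppxPackage -Path $PackagePath
    Get-AppxPackage | Where-Object { $_.PackageFullName -eq (Split-Path $PackagePath -LeafBase) }
}

Install-TrustedAppx -PackagePath 'C:\Packages\ContosoLOB_1.0.0.0_x64.appx' `
                    -ExpectedThumbprint 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'
```

Checking the thumbprint, not just `Status -eq 'Valid'`, is the point: any trusted CA could sign a package, but only your publisher certificate should be installing line-of-business apps.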

Provisioning packages

ICD tool part of ADK now known as Win Configuration Designer

well after deploying images you can make further customisation using ICD tool and provisioning

you would use it for: deploying apps, enrol devices in MDM (Mobile device management) such as Intune.

Distribute certificates for secure connection, config and deploy connectivity profiles like VPN, apply device policies

ICD tool > file new project > provisioning package > you can import package and add to it > choose policies, browser, allowcookies and block cookies > file save > export package, owner IT Admin > can encrypt and sign if required then build. Created .ppkg file

you can bake this into a win image, save to network share advise users to install, push with GP and other options.

You can right click and open then add it this way, silent install then test if it worked

there is no easy way to undo these settings, you will need a new package that undoes the setting

These packages can be deployed from USB Media, email, triggered from cloud or corporate, NFC or QR

WSIM Windows System Image Manager – creates answer files contains config infor can be used with MDT and placed on a WDS server.

PowerShell: the familiar cmd commands still work inside it


update-help: only limited help ships by default, because most users don't use PS and Microsoft didn't want to take up storage space

get-process, can use tab autocomplete and tab through all parameters after the cmdlet

get-process | select-object * | out-gridview (like excel)

MMC MS management console

can be customised

search file explorer for *.msc these can be added to mmc

setup snap-ins in add/remove and remote management

you can lockdown the mmc after you customise

file > options > name it and console mode, user mode-full access, tick do not save changes

save this as a file on your disk, right click console and pin to start

taskpad view:

new console add snap-in local users and groups, highlight in left and then:
action menu > taskpad view > vertical list of tasks, list size large view > all tree items are the same next then finish, a task wizard appears

here you can add menu items such as add user and add group to make it more convenient in mmc

you can add edit more tasks in actions > edit taskpad > tasks tab

you can also run batch scripts and jump to shortcuts in your mmc favourites

add snapin GP Editor once for admin users and once for standard users

Remote management

remote assistance and remote desktop

3rd party tools like teamviewer

firewall settings allow apps, remote assistance on by default on private networks, remote desktop disabled

CP > system > remote tab > remote assistance > allow computer to be controlled, 6hrs invitations and which OS’s

type in search remote assistance, invite someone to pc. Send invitation as file, email or easy connect

Easy Connect needs the Peer Name Resolution Protocol (PNRP) and IPv6 connectivity, so most people use email

save file then popups with password to give to helper

on other machine double click file and then enter password this will open the remote screen after acceptance. You can start chat box and control desktop

RDP is more commonly used: enable it under system > remote > allow remote connections, keep "Allow connections only from computers running Network Level Authentication" ticked, and select users (members of Administrators can always connect)

make sure the Windows Firewall "Remote Desktop" rule group has been enabled, and ideally scoped to the management subnet rather than any address
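Enabling Remote Desktop the hardened way from PowerShell (NLA required, a named user, firewall scoped to one subnet), as an added example that is not course code. The subnet and user name are placeholders; run elevated.

```powershell
# Added example: enable RDP with NLA, restrict who may connect, and scope the firewall rule.
# Assumptions: elevated prompt; 10.0.0.0/24 and user 'alice' are placeholders.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
# Require Network Level Authentication so the logon screen is never shown to unauthenticated peers
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

# Only this user (plus local Administrators, who always can) may connect
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member 'alice' -ErrorAction SilentlyContinue

# Turn on the built-in rule group, then narrow it to the management subnet and non-public profiles
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress '10.0.0.0/24' -Profile Domain, Private

# Verify the three settings that matter
[pscustomobject]@{
    RdpEnabled  = ((Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0)
    NlaRequired = ((Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1)
    Allowed     = (Get-LocalGroupMember -Group 'Remote Desktop Users').Name -join ','
    FirewallFrom = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
                    Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
}
```

The GUI tick box and the `UserAuthentication` value are the same setting; checking the registry after the fact catches the case where a later GPO or script quietly turned NLA off again.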

Win update options

milestone builds: anniversary update, new features and security updates

servicing updates/feature upgrades

second Tuesday of each month is Patch Tuesday. Win 10 updates are cumulative: one package brings a machine fully up to date instead of the whole history of updates

LTSB no feature updates, no edge browser new version every 3yrs. You can change from LTSB to CB/CBB its a SKU change. If you want to go from CB > LTSB then its wipe & load

settings app > update & security > date when last checked, check updates, update history and uninstall. Reset pc reinstalls Win to a baseline copy

displays info on updates: updates will dl and install automatically unless on metered connection

change active hours: when the pc should not be restarted

restart options: when it can be restarted such as lunchtime

advanced options: defer feature updates can also be set in GP. This is not required if you are using SCCM or WSUS.

how updates delivered: on or off can update from other pcs and ms

gpedit > comp config > admin templates > win components > win updates

services > Win update server and bits – background intelligent transfer service, these are required for updates

settings app > updates > Win insider program > sign in with ms account

CB – Current Branch: gets feature updates first (default for the home environment)

CBB Current branch for business – delay about 4-6 months the feature upgrades

When new version of windows released 10% of machines get new version (business testers) and 90% stay on CBB. You can set GP so CB machines progress to CBB. This should be around 12 months later. Each deployment tool can implement this idea differently. IT Staff should get insider programme & pre release OS
Windows usually updates every 6 months. When MS sees enough companies running it successfully then it becomes CBB. You decide with Win Update, GP or SCCM when devices move to CBB.

New feature in Win10 GP if upgrade goes wrong on initial machines then you can delay upgrade.

Fast Ring – 5 day deferral

Slow Ring – 10 day deferral

LTSB Long term servicing branch – no feature upgrades

Insider Preview – Most aggressive

In System Information you can view the Windows version and build number, or run winver from cmd

Drivers are auto updated. Can be set in GP or enable metered connection to prevent updates. Updates can be copied from other PCs on the LAN.

update history and roll back updates options

update Win store apps is separate

Win Update common cmd switches

You can search TechNet; also try setup.exe /? to list the switches

Manage updates in PS: Get-HotFix lists installed updates
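A quick update-health check (the two required services, recently installed updates, the deferral policy in effect, and the build), as an added example that is not course code. The "45 days" warning threshold is an assumption.

```powershell
# Added example: update health on one machine - services, recent hotfixes, WUfB policy and build.
# Assumptions: the 45-day staleness threshold is a rule of thumb; policy values are read, not written.
Get-Service -Name wuauserv, BITS | Select-Object Name, Status, StartType

# What Update history shows, newest first; warn if nothing has been installed for a while
$recent = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending
$recent | Select-Object -First 10 HotFixID, Description, InstalledOn
if ($recent) {
    $lastDays = (New-TimeSpan -Start $recent[0].InstalledOn -End (Get-Date)).Days
    if ($lastDays -gt 45) { Write-Warning "No update installed for $lastDays days; check WSUS/WU connectivity" }
}

# Windows Update for Business deferral settings written by GP (if any)
$wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
if (Test-Path $wu) {
    Get-ItemProperty -Path $wu |
        Select-Object BranchReadinessLevel, DeferFeatureUpdatesPeriodInDays, DeferQualityUpdatesPeriodInDays, WUServer
} else {
    'No WindowsUpdate policy key: client uses the defaults (Current Branch, no deferral)'
}

# Version and build, the same values winver shows
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
[pscustomobject]@{ Release = $cv.ReleaseId; Build = "$($cv.CurrentBuild).$($cv.UBR)"; Edition = $cv.EditionID }
```

`BranchReadinessLevel` 16 means CB and 32 means CBB; the two `Defer*` values are the day counts the notes describe, and `WUServer` being set means the machine is pointed at WSUS rather than Microsoft Update.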

Event Viewer

service called Win event log is what runs event viewer

Win logs: apps, security, setup, system, forwarded events from other devices

apps and service logs: hw events, ie, kms, powershell

other apps can tie into events

20mb size limit on logs, old stuff gets overwritten

the event logs are stored in c:\windows\system32\winevt\logs

filter log: error, critical, warning

create custom view choose event level, logs, keywords

save log to text file or clear it

you can set up auditing on an NTFS folder (security tab > advanced > auditing) and enable object access / file system auditing in the audit policy; access attempts then appear as events in the Security log

right click event viewer (local) connect to another computer

subscriptions: run service win event collector service. Create sub. Requires win remote management to be configured. Subscribe to events or only critical errors

you can select computers that will send events to your machine

search eventid on technet for more info on it and how to resolve
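Turning on file auditing end to end and pulling failed logons out of the Security log with `Get-WinEvent`, as an added example (not course code). The folder path is a placeholder; the Security log and auditpol need an elevated prompt.

```powershell
# Added example: enable file-system auditing on a folder and summarise Security-log events.
# Assumptions: elevated prompt; folder path is a placeholder; event IDs 4625/4663 are the standard ones.
# 1. Audit policy: without this a SACL on the folder generates nothing
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Logon" /failure:enable | Out-Null

# 2. SACL on the folder: record read, write and delete attempts by anyone, success and failure
$path = 'C:\marys_sharedstuff'
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData, WriteData, Delete', 'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')))
Set-Acl -Path $path -AclObject $acl

# Helper: pull the EventData fields out of an event into a hashtable
function ConvertTo-EventData($event) {
    $x = [xml]$event.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# 3. Failed logons (4625) in the last 24 h, grouped by account and source address
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{ Account = $d.TargetUserName; Source = $d.IpAddress; LogonType = $d.LogonType; SubStatus = $d.SubStatus }
    } |
    Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4. Object access (4663) on the audited folder: who touched what
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventData $_ } |
    Where-Object { $_.ObjectName -like "$path*" } |
    Select-Object @{n='User';e={$_.SubjectUserName}}, ObjectName, AccessMask -First 10
```

Grouping 4625 by account and source is the cheapest password-spray detector there is: one source against many accounts, or many sources against one account, stands out immediately. `SubStatus` 0xC000006A is a wrong password and 0xC0000064 a non-existent account, which tells you whether the attacker has a user list.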

Task manager

basic view by default click more details for advanced view

background process gets killed when you kill app

performance tab: resource monitor

app history cpu usage, network etc

startup tab: onedrive startup impact high you could be syncing a lot of the files at start

user tab: see multiple users logged on

details tab: more details and right click to create dump file

services tab: view and right click to start stop services

Resource Monitor

more detailed performance, cpu memory, disk network.

File > restore default can be done if the view gets changed

monitor menu > stop monitoring to pause it

Performance Monitor

For even more detail you will go to performance monitor

samples cpu % of proc time per second

add counter: paging file, memory

system diagnostics and system performance data collector sets. Preset important counters, health info for system

click system diagnostics then green play button. This runs for 60 seconds then click report at bottom under system diagnostics

right click user defined: create own data set

good for baselining and comparing system performance to different times when the computer is being used for different tasks

report displays detailed info and health checks, warnings

good for sw developers to check cpu usage of an app

user defined data collector set: you can add counters such as processor info, logical disk

run as yourself if admin or choose account. This will run indefinitely as no stop time defined. You can stop it with stop button

this will appear under reports > user defined

this tool is used for baselining performance. Can be very specific

Monitor and Manage Printers

settings app > devices > printers & scanners. Add and manage existing ones. Set default printer most recently used or turn this off. Metered connections on/off for device updates

click printer > open queue, manage, remove

CP > devices printers > right click printer default, print prefs, printer props

device manager > printer settings, driver sw, disable, uninstall

Start > administrative tools > print management > printers, drivers, not ready, jobs, print servers, deployed printers

right click > deploy with GP, pause, open print queue

PS: Add-printer, add-printerdriver, add-printerport

get-printconfiguration, get-printer, get-printerdriver, get-printerport, get-printerproperty

remove-printer, remove-printerdriver, remove-printjob, rename-printer

restart-printjob, resume-printjob

set-printconfiguration, set-printer, set-printerproperty

print spooler service – restart if printing gets stuck

Win search indexing

best match, looks in, apps, settings, web

you can choose buttons at top just look in apps, docs, web

can search in file explorer window too

Win search powers this using the index; anything outside the indexed locations falls back to a slow non-indexed crawl of the file system

services: Win search service is used

CP > indexing – takes place while pc is not being used as much

indexes: offline files, start menu, users excluding appdata

you can click modify > choose additional locations and choose show all and set for others users on the pc

you can index external hard drive if it had a lot of word docs

advanced options > index encrypted files, treat similar words differently if they have accent marks etc, rebuild index. Move index storage location (not required)

reboot first before rebuilding index

file types tab: exclude certain file types, choose to index properties only or file contents too

index troubleshooter: in settings app type fix search in the search bar

don’t index everything this could get too much overhead

Win Defender

right click taskbar > settings > always show icons

3 scan options: quick, full, custom

settings app > upd sec > win defender

real time protection, cloud protection, sample submission: on/off

exclusions and version info, enhanced notifications, win defender offline will run with restart

gpedit > comp config > admin temp > win comp > win defender > MAPS (ms active protection service) – this means are we going to use ms’s cloud based service?

Services involved: Windows Defender Antivirus Service (the scanning engine) and, on Enterprise with ATP onboarding, the Windows Defender Advanced Threat Protection Service

PS cmdlets (Defender module): Get-MpComputerStatus, Get-MpPreference / Set-MpPreference / Add-MpPreference, Update-MpSignature, Start-MpScan, Get-MpThreatDetection
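Checking Defender's state, enforcing the cloud and sample settings, managing exclusions and scanning from PowerShell, as an added example (not course code). The exclusion path is a placeholder; run elevated.

```powershell
# Added example: Windows Defender status, settings and scans via the Defender module.
# Assumptions: elevated prompt; C:\Build\cache is a placeholder for a known-noisy directory.
$s = Get-MpComputerStatus
$s | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureAge,
                   AntivirusSignatureLastUpdated, QuickScanAge, FullScanAge

if (-not $s.RealTimeProtectionEnabled) { Write-Warning 'Real-time protection is OFF' }
if ($s.AntivirusSignatureAge -gt 3)    { Update-MpSignature }   # definitions older than 3 days: refresh

# Cloud protection (MAPS) and sample submission; the GP equivalents live under Windows Defender > MAPS
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# Exclusions are blind spots: list them before adding, and keep the list short and reviewed
'Current exclusions:'; (Get-MpPreference).ExclusionPath
Add-MpPreference -ExclusionPath 'C:\Build\cache'

# Scans: quick, full, or custom against a path (the three options in the UI)
Start-MpScan -ScanType QuickScan
Start-MpScan -ScanType CustomScan -ScanPath 'C:\Users\Public'

# What has been detected on this machine and whether the action succeeded
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, Resources, ActionSuccess |
    Sort-Object InitialDetectionTime -Descending | Format-Table -AutoSize
```

`Get-MpComputerStatus` is the one to put in a health script: `RealTimeProtectionEnabled`, `AntivirusSignatureAge` and `QuickScanAge` together tell you whether the agent is actually protecting the machine rather than merely installed.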

Reliability monitor

CP > large icons > security & maintenance > expand maintenance with dropdown > reliability history

you can view errors check for solution or technical details of error

if you work on a machine then you can see the reliability of the system

displays info under informational events

you can save the reliability history report as xml

you can click view problem reports to see problems only

you can click check for solutions to all problems

troubleshoot performance issues – best practices

disk care and feeding – free space, remove temp files, disk optimisation, disk error check

I/O bottleneck – slow storage I/O, or bad memory

bad app – app could be causing issues, like gns3 can cause heavy resource use if not configured properly

malware makes machine run poorly

startup apps – can degrade performance

Win memory diagnostic tool (search for memory to launch)

this will check issues with ram

good metrics to look at in performance monitor to check bottlenecks

logical disk, physical disk, memory, processor, system, network

Recommended metrics to track:

LogicalDisk – % Free Space

PhysicalDisk – % Idle Time

PhysicalDisk – Avg. Disk Sec/Read

PhysicalDisk – Avg. Disk Sec/Write

PhysicalDisk – Avg. Disk Queue Length: should not be larger than 2 times the number of physical disks

Memory – % Committed Bytes in Use

Memory – Available MBytes: should stay greater than 5% of total RAM

Processor – % Processor Time

System – Processor Queue Length: should not be more than twice the number of CPUs for an extended period

Network Interface – Output Queue Length: should be less than 2 (search "Win 10 performance metrics" for the full list)
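Sampling the listed counters with `Get-Counter` and checking them against the thresholds above, as an added example that is not course code. The thresholds are the rule-of-thumb values from the notes, plus an assumed 15% free-space floor; the counter names are the English ones.

```powershell
# Added example: sample the recommended counters and flag values outside the thresholds in the notes.
# Assumptions: English counter names; 15 % free disk space is an added rule of thumb.
$cs        = Get-CimInstance Win32_ComputerSystem
$cpuCount  = $cs.NumberOfLogicalProcessors
$totalMB   = [math]::Round($cs.TotalPhysicalMemory / 1MB)
$diskCount = (Get-PhysicalDisk | Measure-Object).Count

$counters = @(
    '\LogicalDisk(_Total)\% Free Space',
    '\PhysicalDisk(_Total)\% Idle Time',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Write',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Memory\% Committed Bytes In Use',
    '\Memory\Available MBytes',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\Network Interface(*)\Output Queue Length'
)

# Five samples one second apart, averaged: a single sample is too noisy to act on
$samples = Get-Counter -Counter $counters -SampleInterval 1 -MaxSamples 5
$avg = $samples.CounterSamples | Group-Object Path | ForEach-Object {
    [pscustomobject]@{
        Counter = $_.Name
        Value   = [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 3)
    }
}

# Threshold rules keyed on the counter name; each takes the averaged value
$checks = @{
    'Avg. Disk Queue Length' = { param($v) $v -le 2 * $diskCount }
    'Available MBytes'       = { param($v) $v -ge 0.05 * $totalMB }
    'Processor Queue Length' = { param($v) $v -le 2 * $cpuCount }
    'Output Queue Length'    = { param($v) $v -lt 2 }
    '% Free Space'           = { param($v) $v -ge 15 }
}
foreach ($a in $avg) {
    $rule = $checks.Keys | Where-Object { $a.Counter -like "*$_*" } | Select-Object -First 1
    [pscustomobject]@{
        Counter         = $a.Counter
        Avg             = $a.Value
        WithinThreshold = if ($rule) { & $checks[$rule] $a.Value } else { 'n/a' }
    }
} | Format-Table -AutoSize
```

Run it once on a healthy machine and keep the output: that is the baseline the notes talk about, and the same script run later shows which counter moved.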

Recovery Options

you can remove recovery partition and create a recovery drive/disk

CP > recovery > USB drive at least 8gb > wizard can remove recovery partition on local disk at the end to free disk space. This USB will only work with same architecture 64 or 32 bit that it was created with

system restore is next option in recovery > turn on system protection in system properties

you can create restore point while the system is running well or use powershell

you can create manually or win will auto create restore point after sw install which the sw developer controls, when win update takes place, schedule tasks or restore point created when you actually run a restore point too

boot with recovery USB drive will give you advanced options and system restore can be done without requiring to boot into the failed Win OS

in recovery screen link: if your having problems with pc go to settings and try resetting it

this opens settings app > recovery > you can click advanced startup will restart pc and load screen same as recovery drive advanced screen

reset this pc option > keep my files or remove everything option

you can then load a provisioning package

Backup options

CP > backup and restore(win 7)

choose another internal disk or USB drive, checks size of data for system image

or you can click next and choose your own files/folders or Win can choose

win recovery environment can be added to system image and you can boot to it

turn on schedule for regular backups

cmd admin tool: wbadmin ?

Settings app > update security > backup > file history > auto or add drive

you can add folders or exclude

previous version of file right click file restore previous versions and choose which to restore

WRE – Win recovery environment can be included as part of a system image

Authorisation and Authentication

settings app > accounts > sign in options – require signin if you are away

win hello – face recognition or images of you

pin login

New feature dynamic lock: pair to bluetooth device and locks when you leave desk

picture password touchscreen device gestures on picture to signin (lower sec environment, someone can see smudges possibly)

privacy off/on – shows account details on signin screen email etc.

Microsoft Passport (two-factor authentication): requires an MS or Azure AD account; the enrolled device is one factor and the Hello gesture or PIN is the other, so the PIN only works on that device. Very secure

CP > credential manager: web and Win cached credentials, manage saved passwords

enterprise features: Windows 10 Enterprise (or Education), domain joined, UEFI firmware required

credential guard, device guard, device health attestation – all of these build on Secure Boot and virtualization-based security (VBS)

credential guard and device guard need virtualization extensions (Intel VT-x/AMD-V with SLAT) and UEFI; a TPM is strongly recommended because it protects the VBS keys, and device health attestation requires one

Credential Guard isolates the LSA secrets used for AD logon (NTLM hashes, Kerberos tickets) in a VBS-protected process, so malware running with admin rights on the OS cannot read them. This defends against pass-the-hash and pass-the-ticket attacks: it "virtualises credentials"

Device Guard – what apps users can run, apps can be forced to be digitally signed

Device Health Attestation – devices coming into ad domain meet certain guidelines. This is a network authentication access control type of technology

These are configured in GP
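Checking whether VBS, Credential Guard, HVCI, Secure Boot and the TPM are actually running rather than merely configured, as an added example (not course code). It assumes Windows 10 Enterprise/Education on UEFI and an elevated prompt.

```powershell
# Added example: report the running state of VBS, Credential Guard, HVCI, Secure Boot and the TPM.
# Assumptions: Windows 10 Enterprise/Education on UEFI hardware, elevated prompt.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

$serviceNames = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }          # SecurityServices* codes
$vbsStatus    = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }

$secureBoot = try { Confirm-SecureBootUEFI } catch { 'n/a (legacy BIOS)' }
$tpm        = try { Get-Tpm } catch { $null }

[pscustomobject]@{
    VBSStatus          = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured = ($dg.SecurityServicesConfigured | ForEach-Object { $serviceNames[[int]$_] }) -join ','
    ServicesRunning    = ($dg.SecurityServicesRunning    | ForEach-Object { $serviceNames[[int]$_] }) -join ','
    SecureBoot         = $secureBoot
    TpmPresent         = if ($tpm) { $tpm.TpmPresent } else { $false }
    TpmReady           = if ($tpm) { $tpm.TpmReady }   else { $false }
    # 1 = VBS base, 2 = Secure Boot, 3 = DMA protection, 4 = secure memory overwrite, 5 = NX, 6 = SMM mitigations
    AvailableHwProps   = ($dg.AvailableSecurityProperties -join ',')
} | Format-List

# Registry form of the Credential Guard GP setting: 0 = off, 1 = on with UEFI lock, 2 = on without lock
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
"LsaCfgFlags = $($lsa.LsaCfgFlags)"
```

"Configured" and "Running" are different columns for a reason: the GPO can set Credential Guard on a machine whose firmware lacks the prerequisites, and the only sign is that `ServicesRunning` stays empty.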


right click start > computer management > services

startup type, automatic, auto delayed, manual, disabled

start, stop, pause, resume

log on tab: which account the service runs as – Local System, Local Service, Network Service or a specific user account

recovery tab what to do on first, second or subsequent failure. Run actions on these failures

dependencies tab: what services this depends on and what is dependent on this service

cmd admin: net stop spooler

net start spooler

sc stop spooler

sc start spooler

sc query spooler (status)

PS: stop-service -name spooler

start-service -name spooler


msconfig – selective startup, choose to not load system services or startup items

to view services specific logs event viewer > Win logs > system > look for any messages reported as source: service control manager
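Managing a service from PowerShell and mining the Service Control Manager events for newly installed services and crashes, as an added example that is not course code. It uses the spooler only because the notes do; run elevated.

```powershell
# Added example: service control, dependencies, and Service Control Manager events worth watching.
# Assumptions: elevated prompt; the spooler is a stand-in for any service.
Get-Service -Name Spooler | Select-Object Name, Status, StartType
Stop-Service  -Name Spooler
Start-Service -Name Spooler

# What the Dependencies tab shows
Get-Service -Name Spooler | Select-Object -ExpandProperty ServicesDependedOn | Select-Object Name, Status
Get-Service -Name Spooler | Select-Object -ExpandProperty DependentServices  | Select-Object Name, Status

# SCM events from the System log: 7045 = a service was installed, 7034 = a service terminated unexpectedly
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                                 Id = 7045, 7034; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Service   = if ($_.Id -eq 7045) { $d.ServiceName } else { $d.param1 }
            ImagePath = $d.ImagePath
            Account   = $d.AccountName
        }
    } | Format-Table -AutoSize

# Running services whose binary lives outside Windows or Program Files: worth a second look
Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
    Select-Object Name, StartName, PathName
```

Event 7045 is the single most useful line in the System log for incident response: every service install, legitimate or not, writes one, with the image path and the account it runs as.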

Task Scheduler is an mmc

library dropdown > list of tasks

system restore tasks used when Win does a restore point

Win defender tasks running in background

you can change scheduled scan for defender to weekly at a late time

general tab: security credentials, select run with highest privileges

set new trigger: one time, daily, weekly, monthly, recur every 1 weeks on, delay task, repeat task, stop task if runs longer than, expire task, enabled tick box

actions the exe with appropriate switches

condiitons: idle, power on ac only, wait for computer, start only if certain network connection available

settings tab: run on demand, run asap, if task fails restart every, stop task if runs longer, if run task does not end force stop,

do not need to memorise these settings

history/tracking disabled by default as it would be a big job to track it all

you can right click and run the tasks on demand directly

you can create a new diskcleanup task in the diskcleanup folder under library

task weekly cleanup task, cleanmgr – checks free space and opens disk cleanup window each week

cmd admin: schtasks

PS: Get-scheduledtask

Other similar cmdlets New-JobTrigger Register-ScheduledJob
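Registering the weekly Disk Cleanup task from PowerShell with "run with highest privileges", and auditing existing tasks, as an added example (not course code). `cleanmgr /sagerun:1` assumes a profile saved earlier with `cleanmgr /sageset:1`; run elevated.

```powershell
# Added example: create the weekly cleanup task in the DiskCleanup folder and audit SYSTEM tasks.
# Assumptions: elevated prompt; cleanmgr /sagerun:1 needs a profile saved first with cleanmgr /sageset:1.
$action    = New-ScheduledTaskAction -Execute 'cleanmgr.exe' -Argument '/sagerun:1'
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Friday -At 22:00
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest     # "run with highest privileges"
$settings  = New-ScheduledTaskSettingsSet -StartWhenAvailable -ExecutionTimeLimit (New-TimeSpan -Hours 1)

Register-ScheduledTask -TaskName 'Weekly Disk Cleanup' -TaskPath '\Microsoft\Windows\DiskCleanup\' `
    -Action $action -Trigger $trigger -Principal $principal -Settings $settings -Force | Out-Null

# Run it on demand and read the result (LastTaskResult 0 = success)
Start-ScheduledTask -TaskName 'Weekly Disk Cleanup' -TaskPath '\Microsoft\Windows\DiskCleanup\'
Get-ScheduledTask -TaskName 'Weekly Disk Cleanup' | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime

# Audit: enabled tasks running as SYSTEM whose executable has a path outside Windows / Program Files
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.Principal.UserId -match 'SYSTEM' } |
    ForEach-Object {
        $t = $_
        foreach ($a in $t.Actions) {
            if ($a.Execute -and $a.Execute -match '\\' -and
                $a.Execute -notmatch '(%SystemRoot%|%windir%|[A-Za-z]:\\Windows|[A-Za-z]:\\Program Files)') {
                [pscustomobject]@{ Task = $t.TaskPath + $t.TaskName; Execute = $a.Execute; Arguments = $a.Arguments }
            }
        }
    } | Format-Table -AutoSize
```

Scheduled tasks are a favourite persistence mechanism precisely because history is off by default, as the notes say; the audit loop at the end is the cheap substitute for reviewing every task by hand.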

ADAC – Active Directory Administrative Center

At the bottom there is a PS history viewer to see the PS output of anything done in the GUI

search box > Feedback Hub: type ‘edge’ in search to see other user feedback or add your own. Smiley face in apps can also be used.

Win 10 IoT –
