Win10 HW Requirements
x86: 1GHz, 1GB, 16GB
x64: 1GHz, 2GB, 20GB
DirectX, WDDM1, 800×600
For Hyper-V you will need more spec or it will be slow
SSD disk performance is much faster
Deployment Tools
DISM – Deployment Image Servicing and Management Tool
This can perform pre-install and post-install tasks
MAP – Microsoft Assessment and Planning Toolkit
Assesses readiness for Win10, Office 365, Hyper-V and Azure
https://www.microsoft.com/en-us/download/details.aspx?id=7826
Azure hosted upgrade analytics is free but hosted as part of OMS (Operations Management Suite) subscription. This scans agents and uploads data to cloud to compare compatibility with millions of Win 10 machines. HW check to see if UEFI is supported. New hw could be bought to support this in your organisation. Drivers are also tested with this tool.
ACT – Application Compatibility Toolkit, create compatibility fixes (shims) for apps
You can right click an app and go into app properties and compatibility tab too, you can run as admin or Win 7. Upgrade readiness in MAP just shows what is/is not compatible but ACT can provide fixes.
Update the app from vendor if available, check for win 10 compatible version
Before deploying win 10 check hw requirements, device drivers, app compatibility
App compatibility: an app is compatible with Win 10 from Win7 as long as user is admin. You can make a shim for credentials, then an admin user is not required.
Old version: https://www.microsoft.com/en-us/download/details.aspx?id=7352
New version: https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit
MDT – MS Deployment Toolkit 2013 Update 2
For some reason the latest release is 2013 and they will leave it named like this
https://www.microsoft.com/en-us/download/details.aspx?id=50407
WICD provides limited customisation to Win 10 clients
Types of Installation
in-place upgrade – newest method works better for Win 10, good for small no of pcs and can roll back, user settings, apps retained. External storage not required for data and settings migration. Does not allow edition changes or to start with a clean standard configuration. You can use in-place update with win updates for win 7, 8 to 10. UI and OS language must match for successful upgrade. Display, bluetooth and some other drivers are not migrated as these can cause issues.
You can roll back Windows if the windows.old folder exists in C:. The folder is now removed after 10 days as no one is rolling back.
setup.exe /auto upgrade
You can also run compatibility scan only with setup https://blogs.technet.microsoft.com/mniehaus/2015/08/23/windows-10-pre-upgrade-validation-using-setup-exe/
side-by-side migration – install win 10 on another system then migrate stuff from win 8.1 system
wipe and load – uses MDT and SCCM
You can also use install media or WSUS
BitLocker does not need to be disabled for upgrade, this is automatic, but disabling will be required with 3rd party encryption sw. These can be hooked into SCCM but not WSUS
Language packs can be reinstalled and they can be provided to setup
You would wipe & load Win7 x86 to Win10 x64 there is no in-place upgrade for that
If going from x64 to x64 do in place upgrade if possible
Win 10 Creators Update 1703 includes tool to convert BIOS to UEFI in Wipe & load. In future will be available for in-place upgrade too. MBR to GPT tool part of converting to UEFI.
Provisioning – You can buy your own laptop connect USB and be connected to enterprise in 30 mins. Use Win Config Designer. Imaging option is now removed from WICD.exe
Win7Pro to Win10Pro – license key can be changed to enterprise later and reboot is not required.
Win8Pro to Win10Enterprise can also be done like this
USMT – User State Migration Tool for side by side migration. This is included in Windows ADK – Assessment and Deployment Kit – used for Win 10 Ent pilot to configure image for automated deployment
Windows easy transfer is a GUI tool for Win XP to 7 for side by side migration
Features in different versions of Win10
Win 10 Home – edge, cortana, continuum, hello, virtual desktops, universal Win apps
Win 10 Pro – domain join, azure ad join, bitlocker, ie enterprise, client hyper-v, Win store for business, enterprise data protection
Win 10 Enterprise – direct access, Win to go creator, applocker, branch cache, start screen GP, device guard, credential guard
Win 10 LTSB – gets security updates only not feature updates, no edge, cortana, universal apps, win store, photo viewer, uwp calculator. Used for ATM or warehouse machine which you can’t usually shutdown or run updates all the time (special systems) Certain hw such as surface, surfacebook does not support ltsb.
Win 10 Education – special academic license, similar features to enterprise
Mobile Edition
Mobile Enterprise
Windows 10 IoT
Win 10 Home – $119
Win 10 Pro – $199
Install 32bit only if hardware is old, can only see 4GB RAM
64 bit faster, stronger, new security features
Client Hyper-V
Prereqs: 64 bit OS (no RAM limit), Win Pro/Ent/Education
Processor with SLAT (Second Level Address Translation) for better performance i5, i7 and AMD https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx
DEP – Data Execution Prevention
HW Assisted Virtualisation
4GB RAM, 8GB recommended to provide RAM to VMs
20GB+ Disk Storage
Can be used to run older Win on Win10. Also allowed nested VMs. Needs to be enabled as feature.
Enable in Win features, if greyed out CPU or bios don’t support virtualisation
store VMs in root of c to avoid sync with dropbox, onedrive etc
Gen 1 VM older, Gen 2 for newer OS’s
Virtual network adapter
VHDX file 10GB
Standard and production checkpoints to go back (like snapshots)
PS: Get-VMCheckpoint, Restore-VMCheckpoint
Cortana – designed for mic use
Continuum – designed for hybrid device like surface tablet or surfacebook
Miracast – uses WIFI direct
Touchscreen and active stylus, surface pro, wacom etc
OneDrive ms account required and to sync settings
Security Features:
Bitlocker – Pro/Ent, TPM Trusted Platform Module is nice to have but not required
Device Health Attestation – does require TPM 2.0
Virtual Smart Card – Requires TPM 1.2 (tpmvscmgr.exe)
Secure Boot – works with UEFI Unified Extensible Firmware Interface v2.3.1 TPM not required
2 Factor Authentication – you need another device, mobile phone, illuminated infrared camera for hello, biometric for fingerprint scan, virtual smart card
Virtual Secure Mode – parts of the OS in Hyper-V secured area, enterprise only
TPM are physical hardware micro controllers
Installation Media
High Touch – In place upgrade where you interact with everything asked
Low Touch – suitable for large orgs, WDS, WDT
Zero Touch – use MDT and SCCM
The root of the ISO contains setup.exe and a sources folder with a file called install.wim
This file can be copied and edited using SIM – Windows System Image Manager (https://technet.microsoft.com/en-us/library/cc766347(v=ws.10).aspx) to customise using an answer file. You can view components and packages of the installation image, customise prompts during install and add drivers
Example: You can add internet explorer package to answer file and customise the settings in there. Answer file can then be validated, saved as Autounattend.xml put this in root of install media. Windows looks for this file. You can open the XML file to view configuration
The SIM help file is useful
Can be placed on network path, DVD, USB, image based start computer using Win PE to bring down customised image
WDS Windows Deployment Services – PXE and DHCP support image is deployed using multicast – this is zero touch
DVD – lighter touch
Windows 10 Disk Management and Boot Options
Native Boot – in disk management you can see system reserved partition. This contains boot files to run Win10. Boot partition (c drive) contains the system files, recovery partition for recovery
Get-Volume PS Cmdlet can do the above
diskmgmt.msc
cmd: bcdedit /v – info about current boot device, boot manager and boot loader in cmd prompt. You can edit the info with this command
Multi Boot – You can choose win7 or win10 at startup. To do this in disk manager right click boot partition and shrink then tell win7 to install in that new partition
Data migration – USMT tool
Go to directory in cmd:
c:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64
scanstate on source machine to grab settings
loadstate on new win10 machine
scanstate /genconfig:config.xml /i:migdocs.xml /i:migapp.xml /v:13 /l:scanstate.log
config.xml You can choose what gets migrated. The config.xml file gets generated with above. Open file and edit yes to no for things you do not want migrated
Settings are migrated but not apps, local printers, drivers, custom shortcuts, shared folder permissions, files and settings in different languages
See here for full process for USMT https://technet.microsoft.com/en-us/itpro/windows/deploy/usmt-technical-reference
Unsupported on USMT – Server OS’s, XP, home editions of Win 7, 8, 10. Different versions for different Win OS’s.
Use compatible version of scanstate with Win7. Use loadstate from newer version for Win10. Hard links can be used even if disk gets wiped. No upgrade path for XP or Vista.
VHD
Good for native and dual boot configs. Select win partition in disk manager, select action menu, create virtual hard disk, specify size etc for Win installation. VHD is attached, then choose the VHD to install Win to. You can use shift+f10 during installation to get admin prompt, then run diskpart and type list disk to view disks, then select vdisk file=<path to vhd file> and attach vdisk
Dual boot vdisk, right click and initialise with MBR, format the disk, then use DISM built into Win10 to apply win image to the VHD. Then use bcdboot utility from cmd to alter boot options of device adding in boot options to boot the VHD
VHD is another cool way to install Win10 other than using normal partitions
PS: New-VHD, Mount-VHD, Initialize-Disk, Get-Disk
Bootable USB – manual way or use MCT see below
Insert USB you want to make into bootable win 10 > Cmd admin > diskpart > insert usb > list disk > find your disk in the list then > select disk X > clean > create partition primary > select partition 1 > active > format fs=ntfs quick > assign (allocates drive letter) > exit. You can now copy contents of win 10 iso/dvd by typing xcopy g:*.* /s/e/f h: (change both letters to match source and destination)
MCT Media Creation Tool
Search online for media creation tool then download the tool button. Install and choose create installation media, USB flash
You can perform a clean install of Win10 from within the old Win OS, mount ISO file, right click setup.exe and run as administrator there is an option to ‘keep nothing’
Shutdown Is quite quick in Win10 compared to older versions of Win
Additional Win features you should know which are there by default and which ones you need to install.
Installed default in Win 10 Pro:
.Net Framework 4.6 advanced services, wcf services, tcp port sharing
Internet explorer 11
media features, media player
print to pdf
print and document services, internet printing client, Win fax and scan
remote differential compression api support
smb 1.0/cifs file sharing support (now disabled in Fall Update and Server 2016 RS3 for safety)
Win powershell 2.0
work folders client
xps services
xps viewer
install tftp feature, open cmd type tftp ? To test it is installed
Tool to add packages:
dism /online /Get-Features
shows enabled and disabled features on the command line
dism /online /Enable-Feature /FeatureName:TFTP /all
PS Command
get-windowsOptionalFeature -online (shows features)
enable-windowsOptionalFeature -online -FeatureName TFTP -All
disable-windowsOptionalFeature -online -FeatureName TFTP
More info: https://technet.microsoft.com/library/hh824822.aspx
To check the parent language settings: action center, all settings, time language, region and language
Default language here cannot be changed, need to reinstall win 10
It is easy to add a language however and set as default
You can switch the language keyboard in taskbar
To find specific chars that are not available you can choose the symbol option in word and set a keyboard shortcut if you do not want to install the whole language pack
Once this is done apps are now friendly to spellchecks after installing the language
Device Drivers
If icon has exclamation this is an unknown device, if it is down arrow then the device driver is disabled
If any problems for devices then those trees are auto expanded in device manager
When you plug in a device the drivers get installed automatically. These are stored in Windows\System32\DriverStore and dvstore
if device does not appear after connecting do scan for hw changes or go in devices/printers in CP and click add device
You can enable and disable driver updates by setting metered connections
you can remove drivers
you can remove Win updates under history
cmd util type: pnputil you can add and delete drivers
In a corp environment you might not want to auto update drivers as these are tested first. Go to devices and printers, right click your desktop and set: no do not auto update device drivers
you can rollback drivers to previous level – properties, driver tab, rollback driver, greyed out if driver not updated before
Win10 does not allow boot loader key sequence to improve the boot time
you can use msconfig instead, boot menu, and set start safe boot with minimal. This is for device driver issues
Win update can cause driver issues, Win update settings, update history you can uninstall Win updates
Trusted and signed drivers, use admin cmd type: sigverif
you can test drivers using admin cmd: verifier – to check drivers does not have any errors
select display info about drivers, add driver .sys file and it will run recommended checks
you can install drivers using pnputil
in PS use get-pnpdevice, get-pnpdeviceproperty, enable-pnpdevice, disable-pnpdevice
Customise Start Menu and Tiles
All settings are in settings app, click start, show more tiles to have more tiles in start menu
you can click the titles in the tile display to change the names, you can drag to other tiles to group or make new row by moving to bottom and entering title to make new group
right click make small, large tiles and remove live tile function
in settings enable jumplists from start icon, this shows word recent docs and you can pin them there. If you want to clear the history disable feature in start settings app and re-enable
at bottom of settings click ‘what folders appear’ you can choose photos, downloads etc
start full screen is touch friendly start button which is full screen. This is default when ms recognises a tablet device
in action center you can click tablet mode button this will also show full start menu, you can edit settings in settings > system > tablet mode
group policy to save state of start menu tiles for the enterprise, type GP in search menu click edit group policy. You would normally do this on domain controller
user configuration > administrative templates > start menu and taskbar > start layout – you can use an xml file which is in a share on the network so users get the settings from there
to get xml file in PS type: export-startlayout mystart.xml
Desktop Settings and Cortana on Desktop
Virtual desktops button in taskbar > click and add new desktop you can drag Win to other desktops. You can use keyboard shortcuts to switch desktops
You can control action center icons in settings > system > notifications and actions
Accessibility options settings app > ease of access
narrator, magnifier, high contrast, closed captions, keyboard, mouse, other options (learn these for exam)
closed captions when watching movies and tv
sticky keys stays pressed on keyboard
toggle keys audio when click caps, num or scroll lock
filter keys – filter out repetition of key press
mouse pointer and size
Other options: animations, Win backgrounds, time for notifications, cursor thickness, visual notification for sounds
Cortana – click microphone icon to speak to cortana
search about pc to see version number
Cortana is configured post install of Win 10
In anniversary update 1607 it is harder to turn off cortana
in home edition use regedit to disable:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search
DWORD (32-bit), AllowCortana 0
In enterprise use gpedit > computer config > administrative templates, Win components > search > allow cortana, disable > signout and sign back in
You can also have cortana but without personalisation/customisation for more privacy
Edge Browser
Similar to chrome, stripped down and faster
less battery power and doesn’t support older tech
reading view button next to address bar
star button, favourites and reading list to read later
hub button next to star can view reading list
webnote button for onenote tools, good for touch screen, you can email the webnote
last button is more button, allow extensions, zoom, private browsing, pin page to start
open with internet explorer option so for legacy stuff like active x
edge is a safe browser
for enterprise you can enable edge enterprise mode
https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility
https://docs.microsoft.com/en-us/microsoft-edge/deploy/enterprise-guidance-using-microsoft-edge-and-ie11
create xml file and save it in GP so users will run ie instead of edge when they go to that website
internet explorer can be used as default browser and pinned to taskbar if you want
ie smartscreen filter blocks known bad sites so good to enable
ie v11 there will not be any newer versions of ie. ms will still patch ie 11
ms wants developers to ditch older tech and use edge
file save as works in ie but not edge
internet options as usual don’t need to memorise, questions will be about edge
in enterprise gpedit will be used to edit the ie settings, users not allowed in private browsing for example.
Computer configuration > administrative templates > Win components > internet explorer > privacy
cmd admin > gpupdate (refresh GP without logging out)
the inprivate option in ie should now be gone once set in GP above
Power and battery saver settings
you can turn battery saver on automatically at 20% or use slider to adjust this
you can control battery usage by app
lower screen brightness while in saver mode
view apps battery usage
manage apps battery usage, always allowed in background, never allowed or managed by Win
additional power settings > opens in control panel > create custom power plan > always on > never turn off display
power saver > you can create more aggressive power save plan
you can pin power options to start by right clicking icon in control panel
in control panel you can click advanced power settings for much more granular settings, display > enable adaptive brightness. You can also restore defaults in here
WCD Windows Configuration Designer (previously Windows Imaging and Configuration Designer (ICD) tool) – see page 16 below for more on provisioning packages
new tool for Win10 provisioning is not the same as re-imaging
take image and modify for enterprise deployment
this is part of Win ADK there is a specific version for each Win version on the download page
https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit
view settings in image, create manage image file, build and flash image, build provisioning package
select new project, choose provisioning package for existing system, imaging to customise the image
you can use wim file and then import a provisioning package you already have
settings and customisation
you can add drivers, language packs, win updates, image time settings, display, runtime what will Win look like after installation then create production media > leave as wim, compact OS, audit boot mode to make sure it works properly, copy script, bootable USB or save to image.
SCCM and PS can push out provisioning
Windows Activation
volume activation for Win in the enterprise
retail pack and oem gives you a single key
for retail and oem, you go to settings > activation
MS would prefer you to use AD based activation
KMS, devices just contact kms server once for activation does not need to be on domain
Active directory based but devices need to check in to domain now and again
KMS can be installed as a service on a server that is web server or used for something else
Roles and features in server 2012 R2 – add role or feature in server manager
select server, volume activation services, remote server admin and volume activation tools also need to be installed
after install in server manager you will see VA Services, it will popup configuration is required
do your post deployment configuration, setup kms service, enter kms host key
MAK Key baked into image itself
Misc activation tips
Win software licensing management tool: cmd tool for licensing type: slmgr ?
slmgr /xpr – status of licensing
slmgr /dli – general licensing info
slmgr /ipk <kms key> – install kms key
slmgr /ato – activate online
slui.exe 4 – activate by phone
After activating restart software protection service
you also have in win 10 VAMT Volume Activation Management Tool gui based this is part of ADK
connect to VAMT database running on server then you can manage it
you can play with a non activated copy of Win10 during install click the link I do not have a key. you will get activation messages and not be allowed to personalise in settings, there are some hacks to still change these
this could be useful for practice (slmgr /rearm)
4th license option is manual key
in CP > system view workgroup and join domain
Azure AD Join Settings app > Accounts > Access work or school, managed through MDM not GP
Device Registration: There is an object GUID for each device whether it's on prem or cloud
For data from AzureAD about device write back to on prem infrastructure – This allowed conditional access
in server manager on Win server 2012 R2 when you open it takes inventory of system so wait until it loads by looking at items that have finished appearing in left column
Active Directory Install and Group Policy (AD and GP)
To install AD:
ad domain services and .net 4.5 features it needs
post config it says promote to dc, create forest then choose restore mode password
when you are a dc then you can see tools used to manage ad
reboot is required after installation
in start you will see ad tools
choose active directory administrative center tool
create test local ad, create ou remote staff then inside the ou create new group, user etc
then you can put GP’s on these items
this is good practice for GP
explore other ad tools that are available
you can use gpedit to modify local GP on a machine, important in non enterprise too
in win server 2016 > server manager > tools > ad admin center
create user John in remote staff ou group
you can create a gpo in the ou remote staff by right clicking on it
this gpo is then linked to the ou, right click it to edit the gpo and view all the thousands of gpo settings
there are computer settings and user settings
You can download RSAT Remote Server Admin Tools for Win10 to control gpo etc so you don’t need to login to the server directly
https://www.microsoft.com/en-us/download/details.aspx?id=45520
GP changes kick in straight away, sometimes manually need to push the settings using gpupdate, log user off and back on or restart
Learn Win10 GP
https://www.microsoft.com/en-us/download/details.aspx?id=48257
https://www.microsoft.com/en-us/download/details.aspx?id=25250
UAC User Account Control
create admin account for admin stuff only and use user account for general
least privilege concept – we want account with just right amount of access to do the task
if admin task appears you can run as the admin account using uac and do the other way around. UAC works better in Win10.
standard users should not have access to firewall and installing apps
in CP > security and maintenance > change uac settings > slider
always notify, default is notify when apps make changes, notify when apps make changes do not dim desktop > never notify
In GP editor > computer configuration > Win settings > security settings > local policies > security options > user account control > control elevation prompt for users, prompt credentials, auto deny elevation request etc.
Core services: networking, storage, user areas, apps, remote tools
Networking
ip settings, right click network icon open network sharing center
change network adapter, ipv4 and ipv6
ping localhost (ipv6 is default) ping localhost -4 shows ipv4
ipconfig in cmd
if it shows fe80 as ipv6 then it is a link local address and can communicate with other machines on the network
ipv4 address 169. this is the apipa address, auto private ip address assignment this will allow local network communication with machines also getting this addressing
dhcp server setup with ipv4 and ipv6
private ip addresses, 10.10.10.100, (10.x private range)
192.168.1.1 this is used with NAT
172.16.
subnet mask identifies which part of ip is network and which is host
google dns servers 8.8.8.8, 8.8.4.4 these can get you out to internet if you do not have dns server
ipv4 is 32bit, ipv6 128bit represented in hex
manual ipv6 2001:2323:34ef::1 (:: represents one or more consecutive groups of 0000)
gateway: manual ipv6 2001:2323:34ef::100
subnet prefix 64 (bit)
preferred dns 2001:2323:34ef::8888 google will also have ipv6 dns servers
https://developers.google.com/speed/public-dns/docs/using
default gateway is used to reach non-local subnets
in PS: get-netipaddress, new-netipaddress, remove-netipaddress, set-netipaddress
name resolution makes finding resources on the network simple, this is all about dns
advanced network settings you can add more dns servers, auto append, wins legacy method not really used but on by default
cmd type ipconfig /all shows dns settings set
nslookup www.yahoo.com to check if dns is working, name resolution for yahoo and its ipv4 and v6 addressing
hosts file: can contain name resolution entries. Malware will try to add entries in this file to redirect websites
Windows\system32\drivers\etc\hosts
add entry 127.0.0.1 mycoolname
ping mycoolname will resolve to local loopback
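A way to check a hosts file for the kind of entries described above, as an added PowerShell example (not part of the original notes). It classifies every active entry, since a default Windows hosts file contains only comments; the function name Get-HostsEntry and the sample lines are constructed for illustration.

```powershell
# Added example (not from the original notes): classify active hosts-file entries.
# Get-HostsEntry and the sample lines are constructed for illustration.
function Get-HostsEntry {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Line
    )
    $lineNo = 0
    foreach ($raw in $Line) {
        $lineNo++
        # Remove comments, then surrounding whitespace; skip blank lines
        $text = ($raw -replace '#.*$', '').Trim()
        if ($text -eq '') { continue }

        # Format is: <address> <name> [<alias> ...], separated by spaces or tabs
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }

        $ip = $null
        $isIp = [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if (-not $isIp) {
                $kind = 'Malformed'
            }
            elseif ([System.Net.IPAddress]::IsLoopback($ip) -or
                    $ip.Equals([System.Net.IPAddress]::Any) -or
                    $ip.Equals([System.Net.IPAddress]::IPv6Any)) {
                # Name pinned to this machine: normal for localhost,
                # for any other name it stops the real site being reached
                $kind = if ($name -eq 'localhost') { 'Expected' } else { 'LocalOverride' }
            }
            else {
                # Name forced to an address without DNS being consulted
                $kind = 'Redirect'
            }
            [pscustomobject]@{
                LineNumber = $lineNo
                Address    = $fields[0]
                Name       = $name
                Kind       = $kind
            }
        }
    }
}

# Constructed sample content (documentation addresses and example domains)
$sample = @(
    '# sample hosts file (constructed)',
    '#      127.0.0.1       localhost',
    '',
    '127.0.0.1       mycoolname',
    '203.0.113.10    www.example.com   # constructed redirect',
    '0.0.0.0         update.example.net'
)
Get-HostsEntry -Line $sample | Where-Object Kind -ne 'Expected' | Format-Table -AutoSize

# On a live machine:
# Get-HostsEntry -Line (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
```

Any row reported on a machine that should have a default hosts file is worth tracing back to the software or person that added it.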
join domain: go to system properties, click network id,
homegroup network for the home. Choose homegroup in CP
change network to private by making things discoverable
create homegroup, file, printer and devices, pics, vids, music, docs
password generated is entered on another computer in homegroup settings. If not found run homegroup troubleshooter
change what you are sharing and allow tvs and game consoles
in homegroup in file explorer you will see the other machine
you can leave the homegroup or stay connected but change what I am sharing
network profile is displayed in network and sharing center, in this case private network
if joined domain it will say domain network, in coffee shop guest or public network
Guest network used for less secure areas such as Coffee Shop
network location profile setting changes firewall, network discovery, file print sharing, homegroup option. Homegroup only available in private network
in settings app > network settings > ethernet or wifi > click the connection > make this pc discoverable on or off. This will toggle guest/private network
in CP you can change settings for these diff profiles
CP > network sharing settings > change advanced sharing settings > network discovery on/off, file and printer on/off, homegroup set Win manage or use accounts and passwords, media streaming, file sharing connections encryption, password protected sharing. The firewall has settings for private, guest and public networks separately
GP > computer config > Win settings > security settings > network list manager policies > you can control different networks here unidentified, identified networks. You can lockdown networks or specify names of them here. You can force a network to be private/public.
Windows Firewall
Access firewall in network & sharing center in bottom right of taskbar
It will expand the section based on which network you are using
the popup that appears when an app requires access when you allow access this changes firewall rules
change notification settings > you can block stuff here without notification so users do not even see popup
turn off firewall here, action center popup these can be silenced. If you use 3rd party firewall
to install av you sometimes need to disable fw
FW settings are in settings app and some in CP. Separate config for domain, private public networks.
we can preset the fw for users so they don’t get notifications
you can add \system32\ping as an allowed app for private and public
you can restore defaults if settings are incorrect
scripting can be done in admin cmd, type: netsh firewall add allowedprogram c:\Windows\system32\tracert.exe "Trace Route" ENABLE
message appears this command is deprecated use new command
netsh advfirewall ?
netsh firewall add allowedprogram c:\Windows\system32\tracert.exe "Trace Route" ENABLE custom 0.0.0.1-255.255.255.255 standard (this adds to private as well as public)
netsh firewall add allowedprogram "C:\Program Files (x86)\MyApp\MyApp.exe" "MyApplication" ENABLE
in PS:
New-NetFirewallRule -DisplayName "TRACE" -Direction Inbound -Program "C:\Windows\system32\tracert.exe" -Action Allow
New-NetFirewallRule -DisplayName "Allow MyApp" -Direction Inbound -Program "C:\Program Files (x86)\MyApp\MyApp.exe" -RemoteAddress LocalSubnet -Action Allow
Win firewall advanced settings interface
more granular controls, inbound and outbound rules
right click outbound rules and create new custom rule
you can ping yahoo get ip and setup a rule to block this for testing
you can script this using cmd: netsh advfirewall ? See netsh ? For more
Setup firewall then export to a file which can be imported
in PS:
get-netfirewallrule, enable-netfirewallrule, disable-netfirewallrule, new-netfirewallrule, set-netfirewallrule
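The two New-NetFirewallRule commands above differ in scope: the first accepts any remote address, the second only the local subnet. The following added PowerShell example (not part of the original notes) flags inbound allow rules that are both unscoped and active on the Public profile. Test-RuleScope, Get-InboundAllowRule and the sample objects are constructed for illustration, and the sample assumes the rules were created with the default profile and remote address (Any) where the command omits them.

```powershell
# Added example (not from the original notes): flag broad inbound allow rules.
# Test-RuleScope, Get-InboundAllowRule and the sample rules are constructed.

function Test-RuleScope {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Rule
    )
    process {
        # 'Any' lets every remote host connect; LocalSubnet or an address list is narrower
        $anyRemote = @($Rule.RemoteAddress) -contains 'Any'
        # Profile 'Any' or one that includes Public is live on untrusted networks
        $onPublic  = [string]$Rule.Profile -match 'Any|Public'
        # No program filter means whatever process listens gets the traffic
        $noProgram = (-not $Rule.Program) -or ($Rule.Program -eq 'Any')

        $findings = @()
        if ($anyRemote) { $findings += 'any remote address' }
        if ($onPublic)  { $findings += 'active on Public profile' }
        if ($noProgram) { $findings += 'not tied to a program' }

        [pscustomobject]@{
            DisplayName = $Rule.DisplayName
            Broad       = ($anyRemote -and $onPublic)
            Findings    = $findings -join '; '
        }
    }
}

function Get-InboundAllowRule {
    # Reads the live rule set; needs the NetSecurity cmdlets listed above
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Profile       = [string]$_.Profile
                Program       = ($_ | Get-NetFirewallApplicationFilter).Program
                RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            }
        }
}

# Constructed sample mirroring the two rules created above
$sample = @(
    [pscustomobject]@{
        DisplayName   = 'TRACE'
        Profile       = 'Any'
        Program       = 'C:\Windows\system32\tracert.exe'
        RemoteAddress = 'Any'
    }
    [pscustomobject]@{
        DisplayName   = 'Allow MyApp'
        Profile       = 'Any'
        Program       = 'C:\Program Files (x86)\MyApp\MyApp.exe'
        RemoteAddress = 'LocalSubnet'
    }
)
$sample | Test-RuleScope | Format-Table -AutoSize

# On a live machine (admin PowerShell):
# Get-InboundAllowRule | Test-RuleScope | Where-Object Broad
```

In the sample only TRACE is marked Broad; adding -RemoteAddress or -Profile to the rule, as the MyApp command does, is what clears the flag.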
network discovery in settings click the network name that is displayed, make this pc discoverable if switched off network will be public
netsh advfirewall firewall set rule group="Network Discovery" new enable=No – you can disable discovery with this command
for network discovery the following services need to be running: dns client, function discovery resource publication, ssdp (simple service discovery) discovery, upnp device host
most devices do not have ethernet now so it is assumed you will connect using wifi
ad-hoc – direct device to device connections, no ap
infrastructure uses an ap
wifi direct – no ap, something like wifi direct printers
802.11b – 11mb 2.4ghz
802.11a – 54mbps 5ghz
802.11g – 54mbps 2.4ghz but more efficient than a
802.11n – 100mbps 2.4/5ghz
802.11ac – 433mbps 5ghz – modern day standard
wep wired equivalent privacy – not secure
wpa wifi protected access
wpa2 today's standard, personal and enterprise, in ent you can use radius, extensible authentication protocol, 802.1x to make it even more secure
network status shows connection 5g or other
view network properties for wifi ap info
network sharing center -status, ssid, wireless properties, look for other networks, connect even if ssid is not broadcast, extra security
aes – advanced encryption standard
advanced security – FIPS, federal for very high security where it is required
network adapter settings, configure adapter, advanced can select prefer 5g settings
admin cmd > netsh wlan ? – add configure wifi, delete disconnect
wifi direct printer better performance than bluetooth
win10 supports this but net adapter needs to support this.
Check this in settings app > network and internet settings > view network properties > description should say ms direct virtual adapter
you can connect to the direct network as an ssid in networks
wifi sense will connect automatically to ms known wifi hotspots, can turn this off and enable show notification. Some of these networks may not be secure so this could be turned off
hotspot 2.0 can connect to roaming networks and seamlessly switch between wifi and cellular networks
paid wifi you connect then can pay for wifi, used on airplane for example
network troubleshooting
admin cmd: ping tests for dns and bidirectional connectivity
ipconfig /release then ipconfig /renew gets new dhcp details
tracert www.yahoo.com shows hops and can be used to troubleshoot
end users can use: network troubleshoot in network status page, network reset can be done will remove and reinstall network adapter and needs restart. This is more effective than just a reboot on its own
VPN – add vpn in network settings
vpn provider Win built in or another.
Vpn server/address
allow vpn, metered, roaming
in network adapter new wan miniport adapter will appear, properties will be populated, ppp advanced settings, type of vpn, auto or choose, data encryption, authentication and related settings. Ipv4 and v6, share to other users on network, you can be a vpn gateway
if thousands of users need access then you can use MS Intune. You can push vpn settings to the devices. Setup a vpn profile and push to devices
Intune is for small to medium business, sccm can be used for the largest of businesses
vpn always on, lockdown(only use vpn connection), apptriggered, traffic filters
IPSec – mandatory on v6 devices, it's built in. Win firewall and security takes advantage of this
it is built on top of tcp/ip and has confidentiality encryption des, 3des, aes, integrity make sure info reaches the same form at the other end, hashing algorithms, authenticity credentials in a secure fashion to make sure they are who they say they are
in vpn settings you can adjust these ipsec settings, type of vpn IKEv2 is an IPSec structure
this gives a secure tunnel then you can build an even more secure tunnel
in vpn advanced properties of the adapter, EAP – extensible authentication protocol, smartcard
there are a variety of options you choose what applies to you. You can violate laws if you encrypt info and send to another country or state
firewall rules, server to server between 2 computers
IPSec is going to be in win10 vpn settings and/or new connection security rules wizard of advanced firewall
you don’t have to use IPSec but it is built into all v6 devices
DirectAccess for devices that need workplace connection all the time like an always on VPN
this is limited to education or enterprise Win10
this is setup on a server using a GPO in domain
ipv6 and ipsec is used
if your home device does not have ipv6/ipsec you can tunnel the ipv6 settings using ipv4
network location server setup will determine when to use direct access, built in intelligence
ad ds, dns, gpo. Pki is optional public key infrastructure in large enterprises used for authentication against the domain
Disk Management
This can be scripted and managed with powershell
right click start > disk management
new disks that are not initialised
right click disk 1 icon and initialise disk, partition style MBR and GPT, MBR is old. GPT recognises much larger disks
right click unallocated and choose volume: simple no raid, spanned fill one then next one no raid redundancy you can add space to just 1 drive with multiple disks, striped disks raid 0 better performance but no redundancy, mirrored raid has redundancy raid 1, raid-5 volume greyed out you need at least 3 disks parity data written for redundancy
scripting with diskpart still works and can be task sequenced in SCCM
cmd admin: diskpart Enter
type help for commands list
https://technet.microsoft.com/en-us/library/cc766465(v=ws.10).aspx
run PS as admin:
get-disk (like list disk in diskpart)
get-help initialize-disk
initialize-disk -number 2 -partitionstyle GPT
new-partition -disknumber 2 -usemaximumsize -assigndriveletter
get-help format-volume
format-volume -driveletter f -filesystem ntfs
https://technet.microsoft.com/en-us/library/hh848705.aspx
VHDs usually used with VMs but they can be used as small disks and are portable, or differencing disks. Difference disk VHD only captures changes that occur so VHD is read only and new difference disk has the changes. Preserves original disk
to make VHDs use hyper-v manager, diskpart, disk manager, PS
VHD supports up to 2gb
VHDX supports up to 64tb but not supported with win7
You can create a VHD set – (win10 only) groups of VHDs back themselves up
you can copy a physical disks content to VHD, or from a VHD
you need to initialise VHD before mounting
you can detach the VHD but it still exists on file system
you can compact size of disk, convert to new disk, expand size of disk
you can copy VHD to USB drive plugin another computer then in disk manager click action > rescan disks otherwise click attach VHD
VHDs can get large
Storage Spaces
easy to virtualise storage from multiple storage types and sources
volumes – mirrored, spanned, striped
CP > storage spaces > create new pool
REFS – resilient file system good for redundancy types raid. It has auto heal, optimisation
but sometimes you would use ntfs as refs does not support some things such as data deduplication in servers
resiliency – simple(no resiliency), 2 way mirror – at least 2 drives, 3 way mirror – at least 5 drives, parity(raid5 parity at least 3 drives)
in storage pool you can add drive, optimise drive usage to spread existing data across all drives
you can use thin provisioning on new drives and enter a larger disk size
data is unaffected on the pool when adding disks
redundancy options occupies disk space
this is also a Win server technology and useful for servers
removable drives are disliked in the enterprise as data can be taken away or malware introduced
lock down USB drives, bitlocker on removable drive, password, smart card, backup recovery key to ms account or file or print the key
encrypt used space or entire disk
new encryption mode or compatibility mode
you can turn off bitlocker and decrypt the drive
gpo: comp config > admin templates > win components > bitlocker drive encryption > removable drives > deny write access to removable drives not protected with bitlocker (example of enterprise setting)
also setting in system > device installation > prevent install of removable devices, specify certain devices that will work and others that get blocked. Also prevent user access to USB port in the first place for higher security environments
troubleshoot storage, disk properties, low diskspace, disk cleanup, clean system files too
schedule this using task scheduler then it pops up
error checking on disk properties no reboot required for basic checking
under tools can see optimize drives and schedules this by default it recognises ssd disks and auto optimises and does not defrag
win will defrag mechanical disks
task manager disk option under performance, read/write
possible failures: logical failure, bad sectors requires reboot: cmd admin chkdsk /f /r this will ask to schedule after reboot
mechanical failure: with spinning disks
firmware failure: still issue with ssd
MS Accounts and shares
you can add family members and control spending in Win store, their own custom settings and kids stay safe.
You can add another user to the pc ms account or use a non ms account, create new basic local accounts
corporate MS Accounts (MSA’s) Hotmail, Live, MSN, Gmail. Sync settings between devices
right click folder share with and it can be opened on other pc on the workgroup
printer properties share printer and the printer has icon to show its shared
in security tab you add user permission
this is all working well together because both devices are in a private network, workgroup and in advanced sharing settings file printer sharing was enabled and network discovery
sharing option in properties and advanced sharing
limit users, specific users, share name, specific permissions read or write etc
in computer management you can view shared folders > share names and view sessions, no of client connections, you can stop sharing here and create new shares and set permission
cmd admin: net share MyShareName=c:\marys_sharedstuff /GRANT:MaryS,READ
you can see in gui if successful
in PS: get-help new-smbshare (server message block)
new-smbshare -name MyShareName -path c:\marys_sharedstuff
ms does not show share icon on the folder itself anymore
get-smbshare (good command to show current shares)
Share permissions are only over the network SMB, if you RDP to a server then NTFS permissions apply within explorer.
public folders off by default and not used much
you want to give access to anyone – advanced sharing settings in network sharing center
c:\users\public anything in these public will be easily available
onedrive free
onedrive for business like dropbox more business features
green tick shows backed up to cloud and has its own recycle bin which clears after 30 days
system tray app to control settings
right click share onedrive link – paste from clipboard and share link
file system permissions: so you go to share permissions tab and give everyone full access then you control this with ntfs permissions. Go to properties > security tab > modify everyone – remove inheritance first. This will clear the user list then you can add marys as the user and give her specific permissions on the folder
we are given the restrictive permission via ntfs but the share permissions are wide open
this is granular control of the ntfs permissions. These take effect locally too not just over network
share permission is used only over network, these get overridden with ntfs
so over the network the shared files can only be changed as set in the ntfs permissions
administrator can be set to have full control in advanced properties area
new option tab called effective access (in properties) select user
you need to be using an ntfs drive for these permissions
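Added example (not part of the original notes): the share and NTFS steps above as one PowerShell script, leaving the share permission at Everyone full access and restricting the folder through its NTFS ACL. It assumes a local account named MaryS exists and reuses the folder and share names from the net share command; the ReadAndExecute right for MaryS is this example's choice.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original notes.
# Assumptions: local account MaryS exists; names match the notes' net share line.
$path  = 'C:\marys_sharedstuff'
$share = 'MyShareName'
$user  = "$env:COMPUTERNAME\MaryS"

# Fail early if the account is missing, otherwise Set-Acl fails later on.
Get-LocalUser -Name 'MaryS' -ErrorAction Stop | Out-Null
New-Item -ItemType Directory -Path $path -Force | Out-Null

# 1. Share permission: Everyone / Full (only evaluated for SMB access).
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $path -FullAccess 'Everyone' | Out-Null
}

# 2. NTFS: remove inheritance, drop existing entries, add explicit ones.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, do not keep inherited ACEs
foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$entries = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = $user;                    Rights = 'ReadAndExecute' }
)
foreach ($e in $entries) {
    $rights = [System.Security.AccessControl.FileSystemRights]$e.Rights
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        [string]$e.Id, $rights, $inherit, $none, $allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# 3. Show both layers side by side: the share is open, NTFS is the real limit.
Get-SmbShareAccess -Name $share |
    Format-Table Name, AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The Administrators and SYSTEM entries are kept so the folder stays manageable after inheritance is removed.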
troubleshoot data access
you could be restricted by GP on dc
GP editor > comp config > Win settings > security settings > local policies > user rights assignment (you can see what you are restricted for)
homegroup troubleshooter for homegroup issues
if you lose bitlocker to go recovery key it is stored in onedrive
onedrive.live.com/recoverykey
if encryption is removed you can delete these keys in onedrive
desktop apps
msiexec /?
you can assign or publish apps to users in GP
assign installs when user logs in domain
publish allows install as an option in programs applet of CP
group policy in ad > computer config > software settings >
MDT more advanced
SCCM is complex and even more advanced needs extra licensing
bootup options
power options > choose power button > turn on fast startup enabled default
this is a function of hibernate using c:\hiberfil.sys
this is referred as a hybrid startup mode as it relies a bit on hibernate
sometimes it is not enabled so
fast boot could be disabled under UEFI settings. In settings > choose update & security > recovery > restart with advanced setup > troubleshoot > advanced > edit UEFI > check if fast boot enabled
sometimes GP settings do not appear for user if fast boot is set so instead of shutdown get them to restart or force GP update
no option to disable fast startup – it can be done as a reg hack then added in GP
hkey_local_machine\system\currentcontrolset\control\session manager\power – hiberbootenabled value
to check if machine supports fast boot run admin cmd: powercfg /a
task manager startup tab and gives startup impact
some items and malware will not appear here these will be in registry
hkey_current_user\software\microsoft\windows\currentversion\run
hkey_local_machine\software\microsoft\windows\currentversion\run
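Added example (not part of the original notes): a PowerShell audit of the Run keys above that resolves each autostart entry to its executable, checks the Authenticode signature and flags targets that live in user-writable folders. It also reads RunOnce and the WOW6432Node view, which the notes do not list; the function name and the folder heuristic are assumptions of this example.

```powershell
# Added example, not from the original notes.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    # Beyond the two keys in the notes: RunOnce and the 32-bit view on 64-bit Windows.
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Hypothetical helper: pull the executable path out of a Run value's command line.
function Get-ExePathFromCommand {
    param([string]$Command)
    $text = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    # Quoted path: "C:\Program Files\App\app.exe" /switch
    if ($text -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted path, possibly with spaces: stop at the first known extension.
    if ($text -match '^(.+?\.(exe|com|bat|cmd|vbs|js|ps1|scr))(\s|$)') { return $Matches[1] }
    return ($text -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        $exe = Get-ExePathFromCommand -Command $command

        # Entries without a full path (resolved via PATH) are reported as NotResolved.
        $signature = 'NotResolved'
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $signature = (Get-AuthenticodeSignature -LiteralPath $exe).Status.ToString()
        }

        [pscustomobject]@{
            Key          = $key
            Name         = $name
            Executable   = $exe
            Signature    = $signature
            # Heuristic only: folders a standard user can usually write to.
            UserWritable = [bool]($exe -match '\\(AppData|Temp|Downloads|Users\\Public|ProgramData)\\')
            Command      = $command
        }
    }
}

# Entries in user-writable folders first, then anything not validly signed.
$results |
    Sort-Object @{ Expression = 'UserWritable'; Descending = $true },
                @{ Expression = { $_.Signature -eq 'Valid' } } |
    Format-List Key, Name, Executable, Signature, UserWritable, Command
```

Run it once as the user and once elevated: the HKCU keys are per user, so each account has its own set of entries.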
Win Store
simple install and launch, UWP Universal Windows Platform
you can login with personal or business MS account
does not open in full screen if you are desktop
to uninstall store apps you right click uninstall in start menu
apps are auto updated, you can go to account settings in store and control app auto update
you can check for updates and run manually
These apps can be managed by O365, Azure, DISM, GP or Intune
Universal Win Apps, Mobile Apps and MSI’s can be delivered using Intune, GP and SCCM.
you can change save location in settings app > system > storage
Allow apps option: settings app > Apps > Apps & features > Installing apps option
you can turn off Win store in GP:
user config > admin templates > win components > store
you can also display private store for business only instead of public store
businesses can make own store apps and silently push those known as side loading
check if win10 supports it settings app > update & security > for developers > check sideload apps
https://technet.microsoft.com/en-us/itpro/windows/deploy/sideload-apps-in-windows-10
win store for business volume purchase of apps and private apps, you can upload your own. Public or corporate store
https://www.microsoft.com/en-us/business-store
appwiz.cpl
Get-AppxPackage -Name *.Net*
Get-AppxPackage -Name *paint* | gm
Get-AppxPackage -Name *paint* | Select -Property 'installlocation'
PS can be used to sideload apps using AppX file similar to Universal App File.
ADK and MDT can also be used to install Apps
Provisioning packages
ICD tool part of ADK now known as Win Configuration Designer
well after deploying images you can make further customisation using ICD tool and provisioning
you would use it for: deploying apps, enrol devices in MDM (Mobile device management) such as Intune.
Distribute certificates for secure connection, config and deploy connectivity profiles like VPN, apply device policies
ICD tool > file new project > provisioning package > you can import package and add to it > choose policies, browser, allowcookies and block cookies > file save > export package, owner IT Admin > can encrypt and sign if required then build. Created .ppkg file
you can bake this into a win image, save to network share advise users to install, push with GP and other options.
You can right click and open then add it this way, silent install then test if it worked
there is no easy way to undo these settings, you will need a new package that undoes the setting
These packages can be deployed from USB Media, email, triggered from cloud or corporate, NFC or QR
WSIM Windows System Image Manager – creates answer files containing config info, can be used with MDT and placed on a WDS server.
PowerShell, dos commands work
gpedit
update-help, limited help default as most users don’t use PS so they didn’t want to take up storage space
get-process, can use tab autocomplete and tab through all parameters after the cmdlet
get-process | select-object * | out-gridview (like excel)
MMC MS management console
can be customised
search file explorer for *.msc these can be added to mmc
setup snap-ins in add/remove and remote management
you can lockdown the mmc after you customise
file > options > name it and console mode, user mode-full access, tick do not save changes
save this as a file on your disk, right click console and pin to start
taskpad view:
new console add snap-in local users and groups, highlight in left and then:
action menu > taskpad view > vertical list of tasks, list size large view > all tree items are the same next then finish, a task wizard appears
here you can add menu items such as add user and add group to make it more convenient in mmc
you can add edit more tasks in actions > edit taskpad > tasks tab
you can also run batch scripts and jump to shortcuts in your mmc favourites
add snapin GP Editor once for admin users and once for standard users
Remote management
remote assistance and remote desktop
3rd party tools like teamviewer
firewall settings allow apps, remote assistance on by default on private networks, remote desktop disabled
CP > system > remote tab > remote assistance > allow computer to be controlled, 6hrs invitations and which OS’s
type in search remote assistance, invite someone to pc. Send invitation as file, email or easy connect
peer name resolution protocol needs setup for easy connect. Most people will use email
save file then popups with password to give to helper
on other machine double click file and then enter password this will open the remote screen after acceptance. You can start chat box and control desktop
RDP is more used so enable under system > remote > allow connections select users
need to make sure Win firewall has been updated appropriately
Win update options
milestone builds: anniversary update, new features and security updates
servicing updates/feature upgrades
second Tuesday of each month is Win update day. Now 1 update to fully update machine instead of whole history of updates
LTSB no feature updates, no edge browser, new version every 3yrs. You can change from LTSB to CB/CBB, it's a SKU change. If you want to go from CB > LTSB then it's wipe & load
settings app > update & security > date when last checked, check updates, update history and uninstall. Reset pc reinstalls Win to a baseline copy
displays info on updates: updates will dl and install automatically unless on metered connection
change active hours: when the pc should not be restarted
restart options: when it can be restarted such as lunchtime
advanced options: defer feature updates can also be set in GP. This is not required if you are using SCCM or WSUS.
how updates delivered: on or off can update from other pcs and ms
gpedit > comp config > admin templates > win components > win updates
services > Win update service and bits – background intelligent transfer service, these are required for updates
settings app > updates > Win insider program > sign in with ms account
CB Current branch – get feature updates first (default for home environment)
CBB Current branch for business – delay about 4-6 months the feature upgrades
When new version of windows released 10% of machines get new version (business testers) and 90% stay on CBB. You can set GP so CB machines progress to CBB. This should be around 12 months later. Each deployment tool can implement this idea differently. IT Staff should get insider programme & pre release OS
Windows usually updates every 6 months. When MS sees enough companies running it successfully then it becomes CBB. You decide with Win Update, GP or SCCM when devices move to CBB.
New feature in Win10 GP if upgrade goes wrong on initial machines then you can delay upgrade.
Fast Ring – 5 day deferral
Slow Ring – 10 day deferral
LTSB Long term servicing branch – no feature upgrades
Insider Preview – Most aggressive
In sys info view win version and build number or cmd winver
Drivers are auto updated. Can be set in GP or enable metered connection to prevent updates. Updates can be copied from other PCs on the LAN.
update history and roll back updates options
update Win store apps is separate
Win Update common cmd switches https://support.microsoft.com/en-us/help/262841/command-line-switches-for-windows-software-update-packages
You can search technet, also try setup.exe /?
Manage updates in PS: Get-Hotfix
Event Viewer
service called Win event log is what runs event viewer
Win logs: apps, security, setup, system, forwarded events from other devices
apps and service logs: hw events, ie, kms, powershell
other apps can tie into events
20mb size limit on logs, old stuff gets overwritten
the eventlogs are stored in c:\windows\system32\winevt\logs
filter log: error, critical, warning
create custom view choose event level, logs, keywords
save log to text file or clear it
you can setup ntfs permissions and have auditing so if someone accesses an event appears in security
right click event viewer (local) connect to another computer
subscriptions: run service win event collector service. Create sub. Requires win remote management to be configured. Subscribe to events or only critical errors
you can select computers that will send events to your machine
search eventid on technet for more info on it and how to resolve
Task manager
basic view by default click more details for advanced view
background process gets killed when you kill app
performance tab: resource monitor
app history cpu usage, network etc
startup tab: onedrive startup impact high you could be syncing a lot of the files at start
user tab: see multiple users logged on
details tab: more details and right click to create dump file
services tab: view and right click to start stop services
Resource Monitor
more detailed performance, cpu memory, disk network.
File > restore default can be done if the view gets changed
monitor menu > stop monitoring to pause it
Performance Monitor
For even more detail you will go to performance monitor
samples cpu % of proc time per second
add counter: paging file, memory
system diagnostics and system performance data collector sets. Preset important counters, health info for system
click system diagnostics then green play button. This runs for 60 seconds then click report at bottom under system diagnostics
right click user defined: create own data set
good for baselining and comparing system performance to different times when the computer is being used for different tasks
report displays detailed info and health checks, warnings
good for sw developers to check cpu usage of an app
user defined data collector set: you can add counters such as processor info, logical disk
run as yourself if admin or choose account. This will run indefinitely as no stop time defined. You can stop it with stop button
this will appear under reports > user defined
this tool is used for baselining performance. Can be very specific
Monitor and Manage Printers
settings app > devices > printers & scanners. Add and manage existing ones. Set default printer most recently used or turn this off. Metered connections on/off for device updates
click printer > open queue, manage, remove
CP > devices printers > right click printer default, print prefs, printer props
device manager > printer settings, driver sw, disable, uninstall
Start > administrative tools > print management > printers, drivers, not ready, jobs, print servers, deployed printers
right click > deploy with GP, pause, open print queue
PS: Add-printer, add-printerdriver, add-printerport
get-printconfiguration, get-printer, get-printerdriver, get-printerport, get-printerproperty
remove-printer, remove-printerdriver, remove-printjob, rename-printer
restart-printjob, resume-printjob
set-printconfiguration, set-printer, set-printerproperty
print spooler service – restart if printing gets stuck
Win search indexing
best match, looks in, apps, settings, web
you can choose buttons at top just look in apps, docs, web
can search in file explorer window too
Win search powers this using indexing and then grep which search outside what win has indexed
services: Win search service is used
CP > indexing – takes place while pc is not being used as much
indexes: offline files, start menu, users excluding appdata
you can click modify > choose additional locations and choose show all and set for others users on the pc
you can index external hard drive if it had a lot of word docs
advanced options > index encrypted files, treat similar words differently if they have accent marks etc, rebuild index. Move index storage location (not required)
reboot first before rebuilding index
file types tab: exclude certain file types, choose to index properties only or file contents too
index troubleshooter: in settings app type fix search in the search bar
don’t index everything this could get too much overhead
Win Defender
right click taskbar > settings > always show icons
3 scan options: quick, full, custom
settings app > upd sec > win defender
real time protection, cloud protection, sample submission: on/off
exclusions and version info, enhanced notifications, win defender offline will run with restart
gpedit > comp config > admin temp > win comp > win defender > MAPS (ms active protection service) – this means are we going to use ms’s cloud based service?
Services running are win defender advanced threat protection service and win defender service
PS Cmdlets: https://technet.microsoft.com/en-us/itpro/powershell/windows/defender/defender
Reliability monitor
CP > large icons > security & maintenance > expand maintenance with dropdown > reliability history
you can view errors check for solution or technical details of error
if you work on a machine then you can see the reliability of the system
displays info under informational events
you can save the reliability history report as xml
you can click view problem reports to see problems only
you can click check for solutions to all problems
troubleshoot performance issues – best practices
disk care and feeding – free space, remove temp files, disk optimisation, disk error check
internet bottleneck – io with storage, or bad memory
bad app – app could be causing issues, like gns3 can cause heavy resource use if not configured properly
malware makes machine run poorly
startup apps – can degrade performance
Win memory diagnostic tool (search for memory to launch)
this will check issues with ram
good metrics to look at in performance monitor to check bottlenecks
logical disk, physical disk, memory, processor, system, network
Recommended metrics to track:
LogicalDisk – % Free Space: >15%
PhysicalDisk – % Idle Time: >20%
PhysicalDisk – Avg. Disk Sec/Read: <25ms
PhysicalDisk – Avg. Disk Sec/Write: <25ms
PhysicalDisk – Avg. Disk Queue Length: should not be larger than 2 times the number of physical disks
Memory – % Committed Bytes in Use: <80%
Memory – Available Mbytes: greater than 5% of total RAM
Processor – % Processor Time: <85%
System – Processor Queue Length: should not be more than twice the number of CPUs for an extended period
Network interface – Output Queue Length: <2
ajsnetworking.com – search win 10 performance metrics
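Added example (not part of the original notes): a PowerShell check that samples the counters listed above with Get-Counter and compares the averages against the same thresholds. It assumes English counter names (they are localised on other language versions) and a 10 second sample window, which is this example's choice.

```powershell
# Added example, not from the original notes. Assumes English counter names.
$cpuCount  = [Environment]::ProcessorCount
$diskCount = @(Get-CimInstance -ClassName Win32_DiskDrive).Count
$ramMB     = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1MB

# Op: gt = healthy above the limit, lt = healthy below it, le = healthy up to it.
$checks = @(
    [pscustomobject]@{ Path = '\LogicalDisk(_Total)\% Free Space';            Op = 'gt'; Limit = 15 }
    [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\% Idle Time';            Op = 'gt'; Limit = 20 }
    [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Read';     Op = 'lt'; Limit = 0.025 }
    [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Write';    Op = 'lt'; Limit = 0.025 }
    [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Op = 'le'; Limit = 2 * $diskCount }
    [pscustomobject]@{ Path = '\Memory\% Committed Bytes In Use';             Op = 'lt'; Limit = 80 }
    [pscustomobject]@{ Path = '\Memory\Available MBytes';                     Op = 'gt'; Limit = 0.05 * $ramMB }
    [pscustomobject]@{ Path = '\Processor(_Total)\% Processor Time';          Op = 'lt'; Limit = 85 }
    [pscustomobject]@{ Path = '\System\Processor Queue Length';               Op = 'le'; Limit = 2 * $cpuCount }
    [pscustomobject]@{ Path = '\Network Interface(*)\Output Queue Length';    Op = 'lt'; Limit = 2 }
)

# One pass over all counters: 5 samples, 2 seconds apart.
$data    = Get-Counter -Counter $checks.Path -SampleInterval 2 -MaxSamples 5 -ErrorAction SilentlyContinue
$samples = $data.CounterSamples

$report = foreach ($c in $checks) {
    # Sample paths look like \\host\object(instance)\counter; strip the host and
    # let (*) in the check match any instance name.
    $pattern = '^' + [regex]::Escape($c.Path).Replace('\(\*\)', '\(.*\)') + '$'
    $hits = @($samples | Where-Object { ($_.Path -replace '^\\\\[^\\]+', '') -match $pattern })
    if ($hits.Count -eq 0) {
        [pscustomobject]@{ Counter = $c.Path; Value = 'n/a'; Rule = "$($c.Op) $($c.Limit)"; Healthy = $null }
        continue
    }

    # Average each instance over the window, then judge the worst instance.
    $averages = $hits | Group-Object -Property Path | ForEach-Object {
        ($_.Group | Measure-Object -Property CookedValue -Average).Average
    }
    $worst = if ($c.Op -eq 'gt') { ($averages | Measure-Object -Minimum).Minimum }
             else                { ($averages | Measure-Object -Maximum).Maximum }

    $healthy = switch ($c.Op) {
        'gt' { $worst -gt $c.Limit }
        'lt' { $worst -lt $c.Limit }
        'le' { $worst -le $c.Limit }
    }
    [pscustomobject]@{
        Counter = $c.Path
        Value   = [math]::Round($worst, 3)
        Rule    = "$($c.Op) $([math]::Round($c.Limit, 3))"
        Healthy = $healthy
    }
}
$report | Format-Table -AutoSize
```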
Recovery Options
you can remove recovery partition and create a recovery drive/disk
CP > recovery > USB drive at least 8gb > wizard can remove recovery partition on local disk at the end to free disk space. This USB will only work with same architecture 64 or 32 bit that it was created with
system restore is next option in recovery > turn on system protection in system properties
you can create restore point while the system is running well or use powershell
you can create manually or win will auto create restore point after sw install which the sw developer controls, when win update takes place, schedule tasks or restore point created when you actually run a restore point too
boot with recovery USB drive will give you advanced options and system restore can be done without requiring to boot into the failed Win OS
in recovery screen link: if you're having problems with pc go to settings and try resetting it
this opens settings app > recovery > you can click advanced startup will restart pc and load screen same as recovery drive advanced screen
reset this pc option > keep my files or remove everything option
you can then load a provisioning package
Backup options
CP > backup and restore(win 7)
choose another internal disk or USB drive, checks size of data for system image
or you can click next and choose your own files/folders or Win can choose
win recovery environment can be added to system image and you can boot to it
turn on schedule for regular backups
cmd admin tool: wbadmin /?
Settings app > update security > backup > file history > auto or add drive
you can add folders or exclude
previous version of file right click file restore previous versions and choose which to restore
WRE – Win recovery environment can be included as part of a system image
Authorisation and Authentication
settings app > accounts > sign in options – require signin if you are away
win hello – face recognition or images of you
pin login
New feature dynamic lock: pair to bluetooth device and locks when you leave desk
picture password touchscreen device gestures on picture to signin (lower sec environment, someone can see smudges possibly)
privacy off/on – shows account details on signin screen email etc.
ms dual authentication, passport feature requires ms account you can add hello and pin number, very secure
CP > credential manager: web and Win cached credentials, manage saved passwords
enterprise features for win 10 ent with ad only, UEFI also required
credential guard, device guard, health attestation – these will require secure boot functionality
credential and device guard will require a TPM module in the machine
Credential Guard helps secure login to ad – kerberos and hashing have some vulnerabilities and credential guard helps protect against them. Virtualises credentials
Device Guard – what apps users can run, apps can be forced to be digitally signed
Device Health Attestation – devices coming into ad domain meet certain guidelines. This is a network authentication access control type of technology
These are configured in GP
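Added example (not part of the original notes): a PowerShell check of the prerequisites listed above (secure boot, TPM) and of whether Credential Guard is actually running after the GP setting is applied. The function name is hypothetical; the cmdlets and the Win32_DeviceGuard class are built into Win10.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original notes.
function Get-VbsReadiness {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so catch that case.
    $secureBoot = try { [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
                  catch { 'Unsupported (legacy BIOS or no access)' }

    $tpm = Get-Tpm

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
              -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue

    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-protected code integrity' }

    $vbs     = 'Unknown (class not available)'
    $running = @()
    if ($dg) {
        # Cast to [int]: the CIM properties are UInt32 and would miss the int keys.
        $vbs = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        $running = @($dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } | ForEach-Object {
            if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "Service id $_" }
        })
    }

    [pscustomobject]@{
        SecureBoot             = $secureBoot
        TpmPresent             = $tpm.TpmPresent
        TpmReady               = $tpm.TpmReady
        VirtualizationSecurity = $vbs
        ServicesRunning        = if ($running.Count) { $running -join ', ' } else { 'None' }
        CredentialGuardRunning = $running -contains 'Credential Guard'
    }
}

Get-VbsReadiness | Format-List
```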
Services
right click start > computer management > services
startup type, automatic, auto delayed, manual, disabled
start, stop, pause, resume
logon local service account or set user to run on another computer
recovery tab what to do on first, second or subsequent failure. Run actions on these failures
dependencies tab: what services this depends on and what is dependent on this service
cmd admin: net stop spooler
net start spooler
sc stop spooler
sc start spooler
sc query spooler (status)
PS: stop-service -name spooler
start-service -name spooler
get-service
msconfig – selective startup, choose to not load system services or startup items
to view services specific logs event viewer > Win logs > system > look for any messages reported as source: service control manager
Task Scheduler is an mmc
library dropdown > list of tasks
system restore tasks used when Win does a restore point
Win defender tasks running in background
you can change scheduled scan for defender to weekly at a late time
general tab: security credentials, select run with highest privileges
set new trigger: one time, daily, weekly, monthly, recur every 1 weeks on, delay task, repeat task, stop task if runs longer than, expire task, enabled tick box
actions the exe with appropriate switches
conditions: idle, power on ac only, wait for computer, start only if certain network connection available
settings tab: run on demand, run asap, if task fails restart every, stop task if runs longer, if run task does not end force stop,
do not need to memorise these settings
history/tracking disabled by default as it would be a big job to track it all
you can right click and run the tasks on demand directly
you can create a new diskcleanup task in the diskcleanup folder under library
task weekly cleanup task, cleanmgr – checks free space and opens disk cleanup window each week
cmd admin: schtasks
PS: Get-scheduledtask
https://technet.microsoft.com/en-us/itpro/powershell/windows/scheduledtasks/scheduledtasks
Other similar cmdlets New-JobTrigger Register-ScheduledJob
ADAC – Active Directory Admin Center
At the bottom there is a PS history viewer to see the PS output of anything done in the GUI
search box > Feedback Hub: type ‘edge’ in search to see other user feedback or add your own. Smiley face in apps can also be used.
Win 10 IoT – https://developer.microsoft.com/en-us/windows/iot