Chapter 4

Maintain Windows

After you have deployed computers in your organization, you must maintain those computers. If users experience problems with their computers, you may be required to perform system recovery. If users have lost files, you may be called on to recover those missing files.

Computers typically do not remain in the same state throughout their use. In most organizations, computers are updated periodically. With the new Windows as a service model for feature updates, you must be aware of how and when Windows Updates are applied. You may also need to know how to manage updates and, in certain circumstances, troubleshoot the application of updates. Even in normal circumstances, it is necessary to monitor your users’ computers to help ensure the ongoing reliable use of those computers.

Finally, to save having to visit users’ computers to maintain and manage them, you should know how to remotely manage Windows 10 computers. This chapter covers those aspects of the MD-100 Windows 10 exam that relate to Windows 10 monitoring and maintenance.

Skills covered in this chapter:

Skill 4.1: Configure system and data recovery

In this skill, you review how to configure system and data recovery options for Windows 10. If you have experience with an earlier version of Windows, you may be familiar with many of the options because some are included in Windows 10. To prepare for the exam, we recommend that you work through all the wizards and tools to ensure that you’re comfortable with each process, paying particular attention to the newer features, tools, and options.

Perform file recovery

Windows 10 provides a number of tools that you or your users can use to recover files. These tools include:

  • Windows Backup and Restore (Windows 7)

  • WBAdmin

  • File History

  • Previous Versions

Use Windows Backup And Restore

Windows 10 includes the Backup And Restore (Windows 7) tool, which allows the creation of backups of your data. In addition to restoring files and folders, you can use this tool to create backups of files contained in folders, libraries, and whole disk volumes.

You cannot save your backups to the disk on which Windows 10 is installed, so you must provide another location, such as an external USB drive, network drive, or non-system local disk. To open the Backup And Restore (Windows 7) tool in the GUI, open the System And Security section of Control Panel or use the Backup And Restore (Windows 7) item listed in the Settings app.

To create a backup of your files and folders and a system image, follow these steps:

  1. Open the Settings app, and then select Update & Security.

  2. In the navigation pane, select Backup, and in the details pane, select Go to Backup and Restore (Windows 7).

  3. In the Backup and Restore (Windows 7) window, select Set up backup.

  4. On the Select where you want to save your backup page, choose the location and select Next.

  5. On the What do you want to back up? page, select Let Windows choose (recommended) and select Next.

  6. On the Review your backup settings page, select Change schedule.

  7. On the How often do you want to back up? page, leave the Run backup on a schedule (recommended) check box selected and, if necessary, modify the backup schedule.

  8. Select OK.

  9. On the Review your backup settings page, select Save settings and run backup.

The backup begins, and you review the progress as displayed in Figure 4-1. The first backup takes the longest time because it is a full backup. Subsequent backups are incremental and can take only a few minutes to complete.

A screenshot shows the Backup And Restore (Windows 7) window. A backup is in progress. The location is set to Storage Space (E:). The next backup is not scheduled. The last backup date is displayed. Contents is configured to Files In Libraries And Personal Folders For Selected Users. Schedule is Every Sunday At 7:00 PM.

FIGURE 4-1 Backup And Restore (Windows 7)

When the backup is complete, use the links on the Backup And Restore (Windows 7) page to see the size of the backup on disk, edit the schedule, and manage the disk space the Backup And Restore (Windows 7) tool uses.

When backing up your system, you can opt for the recommended settings, which create a backup of all files and folders in your user profile (including libraries) as well as a system image. The system image files are large, likely to be approximately 10 GB in size. You can specify the frequency and time when Windows 10 performs backups or retain the default backup schedule of Sunday at 7 PM every week.

If you require more specific scheduling, you can modify the triggers in the AutomaticBackup job in Task Scheduler after you have enabled scheduled backups. Available options to trigger a scheduled backup include:

  • On A Schedule

  • At Logon

  • At Startup

  • On Idle

  • On An Event

  • At Task Creation/Modification

  • On Connection/Disconnect To A User Session

  • On Workstation Lock/Unlock

If you want to choose specific libraries and folders for the backup manually, select Let Me Choose on the What Do You Want To Back Up? page when initially setting up the backup. Although you cannot select individual files for backup, you can clear the check box to include a system image of the drive.

The Backup And Restore (Windows 7) tool uses the Volume Shadow Copy Service (VSS) to create the backups. The initial backup creates a block-level backup of the files to the backup file and uses the virtual hard disk (VHD) file format. VSS greatly enhances the performance of the backup operation because subsequent backups copy only the data that has changed since the previous backup, which is typically a smaller amount of data, thus making the incremental backup much faster.

Each time you run a backup, the Backup And Restore (Windows 7) tool creates a new restore point, which the Previous Versions feature in File Explorer can use (and is covered later in this chapter).

Note Back up NTFS Only

The Backup And Restore (Windows 7) tool can only be used to back up data that is stored on file system volumes formatted as NTFS.

To restore libraries, folders, or files from a backup, you can use the Restore My Files link in the lower right of the Backup And Restore (Windows 7) screen. You can select which backup set to use and restore items to their original locations or to different locations. To restore data from a backup, use these steps:

  1. On the Backup and Restore (Windows 7) page, select Restore my files.

  2. The Restore files dialog box presents you with access to the latest backup. If you want to choose an alternative backup, select Choose a different date, select the correct backup, and select OK.

  3. Locate the files or folders you intend to restore by using one of these three options:

    • Search Type part of the name of the file you intend to restore. Select the file or select Select All to restore all the found files. Select OK. (The search speed is very fast.)

    • Browse for files Select the backup name with the correct date and timestamp and browse to the folder that contains the items you want. Select the items and select Add Files.

    • Browse for folders Select the backup name with the correct date and timestamp and browse to the folder that you want. Select the folder and select Add Folder.

      You can choose multiple files and folders and use any of the three options or combinations of the options to locate the items you want.

  4. Select Next.

  5. On the Where do you want to restore your files? page, choose to restore to the original location or browse and select a different location.

  6. If you restore an item to a location that contains the same item name, you are prompted to choose one of the following:

    • Copy and replace The item restored from the backup overwrites the item in the destination location.

    • Don’t copy Nothing changes, and no item is restored.

    • Copy, but keep both files The original item remains as is, and the file name of the restored item is modified to show it is a version of the same item.

    • Do this for all conflicts If you’re restoring multiple items, you can apply the same choice to each conflict.

  7. When the restoration is complete, the Your files have been restored page appears, and you can select the View restored files link.

  8. Select Finish.

Perform a backup and restore with WBAdmin

In addition to the Backup And Restore (Windows 7) tool, Windows 10 includes another backup tool, the Windows Backup tool, which you can use from a command line. This tool is also found in Windows Server and is useful if you need to automate or create a backup job on several computers.

Use the WBAdmin.exe command-line utility to create, configure, and restore backup jobs. In this section, you review some of the commonly used applications for WBAdmin.

Backing up using WBAdmin

The Windows 10 version of WBAdmin is a simplified version of the utility that is available with the Microsoft Server operating systems and offers some low-level features such as the generation of index listings of all files and folders within an image data file.

To perform a recovery using WBAdmin, you must be a member of the Backup Operators group or the Administrators group, or you must have been delegated the appropriate permissions. You must also run wbadmin from an elevated Command Prompt. A number of the subcommands are not supported in Windows 10, and you must boot to Windows Recovery Environment (RE) to perform a restore operation of data that was created using the wbadmin start backup subcommand.

Table 4-1 lists the command-line syntax of WBAdmin.

TABLE 4-1 WBAdmin command-line syntax



wbadmin get versions

Lists the details of backups available from the local computer or from a specified computer.

wbadmin enable backup

Configures and enables a regularly scheduled backup.

wbadmin start backup

Runs a one-time backup; if used with no parameters, it uses the settings from the daily backup schedule.

wbadmin get items

Lists the items included in a backup.

wbadmin start recovery

Runs a recovery of the volumes, applications, files, or folders specified. Supported only in a Windows Recovery Environment (RE).

Need More Review? WBAdmin Command-Line Reference

You can find additional detailed information about WBAdmin by typing wbadmin /? at the Command Prompt. The content provided in this section should be sufficient for your exam preparation, but you can find additional WBAdmin resources on the Windows IT Pro Center at

For example, if you connect a removable hard drive to your computer that uses the drive letter E, the following examples guide you through the process of performing a backup and restore using the WBAdmin command-line tool.

To back up the entire contents of the C drive to a backup drive located on E, follow these steps:

  1. Open an elevated Command Prompt.

  2. Run the following command:

    WBAdmin start backup -BackupTarget:E: -Include:C:
  3. Enter Y to begin the backup operation.

    The tool creates a shadow copy of the volume and then creates a block copy of the volume, as displayed in Figure 4-2. A simple log file relating to the operation is created, and this is stored in C:WindowsLogsWindowsBackup.

A screenshot shows the wbadmin command running in the Administrator: Command Prompt window. The following command was executed: wbadmin start backup -BackupTarget:E: -Include:C:.

FIGURE 4-2 WBAdmin command-line tool

The WBAdmin utility saves the image backup in a WindowsImageBackup folder on the target drive.

After you have created a backup, you can list backup images created on the system by running this command:

WBAdmin get versions -backupTarget:E:
Restoring data using WBAdmin

To recover from a backup that you have previously created with WBAdmin, start Windows RE, and then open the Windows RE Command Prompt. Enter WBAdmin get versions backuptarget:d: to provide the version information of the available backups. (You may have to change the drive letter to correspond to your system).

For example, to recover a backup of volume E from May 31, 2021, at 17:12, enter the following command at a Command Prompt:

WBAdmin start recovery -version:05/31/2021-17:12 -itemType:Volume -items:\?
Volume{a6f2e427-0000-0000-0000-501f00000000} -BackupTarget:D: -RecoveryTarget:E:

Note Drive Letters Might Vary

The wbadmin start recovery command is only supported in Windows RE and not in a normal Windows 10 administrative Command Prompt. Be careful because the drive letters of the mounted volumes can be different in Windows RE from those in Windows 10. You might need to replace the drive letters in your wbadmin start recovery options.

Configure File History

File History is a file recovery method that provides users with an easy and user-friendly method of retrieving files after they have been accidentally deleted or modified. Once enabled, File History will automatically create a backup of all user files that have been modified on an hourly schedule. As long as the backup destination location does not become full, File History can continue to store changes indefinitely.

To turn on File History, follow these steps:

  1. Open Settings, select Update & Security, and select Backup.

  2. Select the plus (+) icon labeled Add a drive. File History will search for drives.

  3. In the Select a drive dialog box, select the external hard drive that you want to use for File History.

  4. On the Back up using File History page, verify that the Automatically back up my files toggle is On.

Once enabled, File History will save copies of your files for the first time. This will happen as a background operation, and you can continue to work normally.

File History saves your files from your user profile and all the folders located in your libraries, including OneDrive, that are synced to your device if OneDrive is used. You can manually include or exclude folders on the Backup Options page. To manually include additional folders to be monitored by File History, perform the following steps:

  1. Open Settings, select Update & Security, and select Backup.

  2. Select the More options link.

  3. On the Backup options page, select Add a folder.

  4. Select the folder that you want to back up and select Choose this folder, as displayed in Figure 4-3.

    A screenshot shows the Select Folder dialog box with the Data folder selected. The Select Folder dialog box is shown in front of the Backup Options screen.

    FIGURE 4-3 File History Backup Options

  5. Ensure that the folder is listed in the list of folders under Back up these folders.

  6. Close the Backup Options page.

There are two other methods for adding a folder to the File History list of folders:

  • Add folders to one of the existing libraries already backed up by File History File History will protect these folders.

  • Use File Explorer Select the folder, select History in the Home ribbon, and then select the Include It In Future Backups link.

You can configure many of the File History settings multiple ways, and you need to be familiar with each of them:

  • File History in Control Panel

  • Backup in the Settings app

  • History item on the File Explorer ribbon

Within the advanced settings screen of File History, accessed from the See Advanced Settings link on the Backup Options page, you can configure the following:

  • Modify the frequency of the File History backup from every 10 minutes to daily.

  • Open File History event logs to view recent events or errors.

  • Define the length of time to keep saved versions of your files.

  • Manually clean up older versions of files and folders contained in the backup to recover space on the backup drive. You could also use the command-line tool FhManagew.exe to delete file versions based on their age stored on the File History target device.

Note File History Restore Points

Previous Versions is a feature that uses the File History restore points and allows you to select one of the file version histories; it is accessed within File Explorer. Previous Versions is covered later in this chapter.

File History file recovery

You can open File History file recovery, as displayed in Figure 4-4, in several ways:

  • History icon Open File Explorer and navigate to the folder that contains a modified or deleted file, and then select History on the Home ribbon. The File History page will open, and you can view the recoverable files.

  • Restore personal files Open File History in Control Panel and select the Restore Personal Files link on the left side.

  • Restore files from a current backup The Restore Files From A Current Backup link is at the bottom of the page in the following location: SettingsUpdate & SecurityBackupMore OptionsBackup Options.

A screenshot of the Restore Your Personal Files screen in File History, which shows the folder path at the top of the page along with the date and time. 3 of 3 represents the number of backups made by File History. Listed in the center pane are 3 files. At the bottom of the page is a large green button with a revert symbol. On either side of the button are arrows that will scroll through the 3 backups.

FIGURE 4-4 Restoring your personal files using File History

On the File History page, you can navigate through each restore point by using the left and right arrow buttons. Each restore point has a date and time to help you decide which version of the file or files to restore. You can select one or more files to revert and then select which version of the file by navigating through the backups that have been made by File History. If you right-click the file or folder, you can preview the file to view the contents. If you want to proceed to recover the file, select the green button on the File History screen. The file or files selected will be restored, and File Explorer will open with the restored files displayed.

File History support for encryption

Protecting files and folders using Encrypting File System (EFS) is supported on NTFS when using Windows 10 Pro and Windows 10 Enterprise versions. File History supports backing up files that are encrypted using the EFS as long as the drive selected for the backup is formatted as an NTFS volume. Without NTFS, data cannot be encrypted using EFS. Therefore, if the destination drive does not use NTFS, File History will not back up encrypted files.

If you use BitLocker Drive Encryption to protect your data on your PC and use File History to back up this data to a removable drive, the data will no longer be protected. You should consider enabling BitLocker To Go on the removable drive to protect the contents. The File History is designed to back up on a per-user basis and is performed using the local user account, which means only files and folders that you have access to will be backed up.

Note Turn Off File History

There is only one Group Policy Object (GPO) relating to File History, located at Computer ConfigurationAdministrative TemplatesWindows ComponentsFile HistoryTurn off File History. When enabled, File History cannot be turned on.

Restore previous versions of files and folders

Previous Versions, which has been reintroduced in Windows 10, is a file and folder feature that lets users view, revert, or recover files that have been modified or deleted by mistake. Previous Versions uses the File History feature or restore points created during backups in Backup And Restore (Windows 7). One of these features must be configured to use the Previous Versions feature.

After you have enabled File History or created a Backup And Restore (Windows 7) backup, browse in File Explorer to the location where the modified or deleted files are stored. If one of these methods has “protected” the file or folders being browsed, the Previous Versions tab shown in File Explorer will list the available restore points for your data. Until one of these tasks has been performed, the Previous Versions tab will be empty.

VSS is used by Previous Versions to monitor and preserve copies of modified files on an automatic schedule. Earlier in the chapter, you saw that the Backup And Restore (Windows 7) tool also creates a restore point each time you create a backup. After the initial File History restore point has been created, subsequent restore points may take only a few minutes to complete.

Note Previous Versions Restore Points

On the Previous Versions tab, a message is displayed stating that the previous versions come from File History and restore points. The Previous Versions feature uses the restore points that are created by the Backup And Restore (Windows 7) tool and not the restore points that System Restore creates.

If you configure File History and also use the Backup And Restore (Windows 7) tool, multiple restore points will be available on the Previous Versions tab. The Previous Versions feature is available on all file systems if File History is used. The Backup And Restore (Windows 7) tool can be used only to back up data using NTFS volumes.

To revert files to a previous version, use these steps:

  1. Ensure that File History is turned on.

  2. Create a folder on your computer—for example, C:Travel PlansYork—and then create or save a text file called Things to do in the folder.

  3. In File History, select Run Now.

  4. Open Things to do, modify the contents, save the file, and exit.

  5. In File History, select Run Now.

  6. Right-click Things to do and select Restore Previous Versions.

  7. On the Previous Versions tab, note that the Things to do.txt file has two previous versions listed, one of which is the original file. Modify the file again. There will not be another Previous Version listed until the next restore point is created by File History.

  8. To manually create a new restore point, return to File History and select Run Now. Select the Things to do.txt file and notice that it now has three file versions listed, as displayed in Figure 4-5.

    A screenshot of the Previous Versions tab on the properties page of a file called Things to do.txt. Listed in the middle of the page are two versions of the Things to do.txt file; the top one has a time modified of 6:09 AM and the second file has a timestamp of 6:04 AM. At the bottom of the dialog box are two options: Open and Restore.

    FIGURE 4-5 Restoring previous versions of files and folders in File Explorer

  9. Delete the Things to do.txt file.

  10. To recover the last version of the file that was saved by File History, right-click the C:Travel PlansYork folder and select Restore Previous Versions.

  11. On the Previous Versions tab, select the Travel Plans folder, select the drop-down Open menu, and select Open in File History.

  12. File History opens. Double-click the folder that contained the deleted file.

  13. Select the deleted file, and select the green restore button.

  14. Verify that the Things to do.txt file has been restored to the C:Travel PlansYork folder.

Recover files from OneDrive

OneDrive allows you to store your files online. You can sync files between your PC and OneDrive. You can access files from from just about any device that is connected to the internet. You can use the OneDrive Recycle Bin to recover files that you accidentally delete from your OneDrive account.

The OneDrive Recycle Bin can retain deleted items for between 3 and 30 days, if you are signing in using your Microsoft account. If you sign in with your Microsoft 365 account, deleted items are retained for up to 93 days. The actual retention period is dependent on the size of the Recycle Bin, which is set to 10 percent of the total storage limit by default. If the Recycle Bin is full, old items will be deleted to make room for new items as they are added to the Recycle Bin, and this may have an impact on the default retention period.

To recover deleted files from your, follow these steps:

  1. Browse to your, or right-click the cloud icon in the notification area and select View Online.

  2. On the left side of the page, select the Recycle Bin.

  3. If the Recycle Bin is not visible, select the three horizontal lines in the top-left corner of the screen and select Recycle Bin.

  4. Select the items that you want to recover.

  5. Select Restore on the menu.

OneDrive will restore the items and they will be removed from the Recycle Bin.

At present, you are not able to modify the retention settings or increase the size of the Recycle Bin for If you use the Recycle Bin often and you are concerned about whether your deleted files will be protected by the Recycle Bin, you could consider increasing the space provided to the Recycle Bin by upgrading to a paid OneDrive storage plan such as Microsoft 365 Personal. If space is limited, you could also review the items currently in the Recycle Bin and select items for permanent deletion to free up space, as displayed in Figure 4-6.

A screenshot of the Recycle Bin, with the Permanently Delete dialog box in focus. This dialog box is advising you that if you permanently delete the selected items you won't be able to restore them. A Delete and a Cancel button are available.

FIGURE 4-6 Permanently deleting items from the OneDrive Recycle Bin

When you delete files using the interface or from your OneDrive folders within File Explorer, the deleted files will be automatically synchronized to the Recycle Bin and the File Explorer Recycle Bin (or Trash if you are using OneDrive on a Mac). If you use the Restore All or Empty Recycle Bin option, you need to be aware that these tasks are irreversible.

The Search feature within is a powerful method of locating files stored in your OneDrive. Search results do not include items in the OneDrive Recycle Bin or the File Explorer Recycle Bin.

OneDrive document version history

For Office documents, such as Microsoft Word and Microsoft Excel files, maintains previous versions of these documents where available. To view the available versions stored in OneDrive, navigate to the Office file, right-click it, and choose Version History. OneDrive will open the file in a new browser tab. You can then see the list of available versions in the left pane, and you can review the contents of each file, as displayed in Figure 4-7.

A screenshot of Microsoft Edge with a Word document open. The left side displays the older versions of the document, of which there are four. In the right pane, a Word Online document is displayed; it represents the current version.

FIGURE 4-7 Microsoft Office previous versions available in OneDrive

The older versions are listed together with the date and time when the file was last saved. If you select an older version of the document from the list of older versions in the left pane, OneDrive will open the older file in the tab, and it will display the name of the modifier. You can choose to download or restore this older version from the link displayed in the left pane.

Recover Windows 10

Windows 10 is a reliable operating system. However, occasionally you will encounter problems with your users’ devices that require you to perform some sort of operating system recovery. The severity of the problem will determine your particular course of action, and because of this, Microsoft has provided a number of recovery tools in Windows 10.

Some of these are relatively benign and enable you to investigate and resolve the underlying problem with little effect on the operating system. Others are more intrusive and can result in resetting the operating system to an earlier point in time or even to its initial state. These recovery tools include:

  • Recovery Drive

  • System Restore

  • Windows RE

  • Reset This PC

  • Fresh Start

  • System Image Restore

  • System Repair Disk

Configure a recovery drive

Windows 10 computers have a recovery partition, which contains a full image of the system. If your computer does not start properly, you can use the recovery partition to start up.

You can also copy the contents of the recovery partition to a removable storage device so that if your recovery partition becomes inaccessible or corrupted, you will still be able to recover your system.

Disk drive space on many small form-factor devices and tablets might be smaller than available on a laptop or PC. This can limit the availability for an original equipment manufacturer (OEM) to include a recovery partition on devices shipped with Windows 10. If there is no recovery partition, you can still create a bootable Universal Serial Bus (USB) flash drive–based recovery drive; you can use this drive to boot into the Windows Recovery Environment (Windows RE). You will then need to access a system image that you have created or that is provided by the OEM.

To create a recovery drive, follow these steps:

  1. Search for Recovery Drive and select Create A Recovery Drive.

  2. Accept the User Account Control (UAC) prompt, providing the necessary credentials, if required.

  3. Select the Back up system files to the recovery drive option, and select Next. Windows 10 will prepare the recovery image.

  4. If you have not already connected a backup device to the system, on the Connect a USB flash drive page, connect a drive that has at least 16 GB capacity.

  5. On the Select the USB flash drive page, select the drive for the recovery drive, as displayed in Figure 4-8, and select Next.

    A screenshot shows the Select The USB Flash Drive page of the Recovery Drive Wizard. A drive has been selected labeled O: (DATA2). Below this are two buttons: Next and Cancel.

    FIGURE 4-8 Creating a recovery drive

  6. On the Create the recovery drive page, read the warning that the USB drive contents will be deleted, and select Create. The Creating the recovery drive page appears with a progress bar, which will indicate which phase of the process is being performed. The process can take up to 30 minutes, depending on the performance of the PC and the media. The tool performs the following actions:

    • Prepares the drive

    • Formats the drive

    • Copies Recovery Drive utilities

    • Backs up system files

  7. On the last page, select Finish.

When the recovery drive has been provisioned on the removable media, if your device has a recovery partition, you will see a link to delete the recovery partition from your PC. This relates to the Windows 10 device recovery partition and not the newly created recovery drive. If you want to free up the space on your device, you need to select this option. It is important to store the recovery drive in a safe place because you will not be able to recover your device if you have lost the recovery drive and you have deleted the recovery partition.

Note SDHC Memory Cards

Some devices support the use of Secure Digital High-Capacity (SDHC) memory cards. The Recovery Drive Wizard can use an SDHC card as an alternative to using a USB flash drive.

You should carefully label your Recovery Drive media after they have been created. Note that a 64-bit (x64) recovery drive can only be used to reinstall a device with 64-bit architecture. The Windows 10 Recovery Drive cannot be used to repair earlier versions of Windows.

Configure System Restore

You can use System Restore to restore a computer that has become unstable. System Restore offers a reliable method of recovering systems by restoring the operating system to a restore point created during a period of stability.

Once enabled, System Restore will automatically create restore points at the following opportunities:

  • Whenever apps are installed If the installer is System Restore compliant.

  • With updates Whenever Windows 10 installs Windows updates.

  • Based on a schedule Windows 10 includes scheduled tasks, which can trigger restore point creation.

  • Manually You can create a System Restore from the System Protection screen.

  • Automatically When you use System Restore to restore to a previous restore point, Windows 10 will create a new restore point before it restores the system using the selected restore point.

To turn on System Restore and manually create a system restore point, follow these steps:

  1. Open Control Panel and select System and Security.

  2. Select System. The Settings app opens. Scroll down and select the System protection link.

  3. The System Properties dialog box appears with the System Protection tab open.

  4. To turn on the System Restore feature, select the Local Disk (C:) (System) drive, and then select Configure.

  5. In the System Protection for Local Disk (C:) dialog box, select Turn on system protection.

  6. Under Disk Space Usage, move the slider for the Max Usage to allow room on the restore points to be saved (5 percent is a reasonable amount), as displayed in Figure 4-9.

    A screenshot of the System Protection For Local Disk (C:) dialog box. The administrator has enabled system protection and assigned 5% Max Usage.

    FIGURE 4-9 Configuring System Restore properties

  7. Select OK twice.

You can also use PowerShell to configure System Restore. Some of the available commands that you need to review are as follows:

  • Enable-ComputerRestore Enables the System Restore feature on the specified file system drive

  • Disable-ComputerRestore Disables the System Restore feature on the specified file system drive

  • Get-ComputerRestorePoint Gets the restore points on the local computer

  • Checkpoint-Computer Creates a system restore point

The following command enables System Restore on the C drive of the local computer:

PS C:> enable-computerrestore -drive "C:"

Note System Restore Requires NTFS and Uses Volume Shadow Copy Service

System Restore uses the Volume Shadow Copy Service (VSS) and is only available on drives that are formatted with NTFS.

If the amount of space allocated for the restore points is used up, System Restore automatically deletes the oldest restore points. If you require more restore points to be available, you must allocate a larger proportion of the hard disk to the feature.

After the system has created restore points, you are protected, and the system should be recoverable.

To recover your system, you can open the System Restore Wizard one of two ways:

  • System Protection If your system allows you to sign in to Windows, you can open System Restore from the Windows 10 GUI.

  • Windows Recovery Environment (Windows RE) If the system doesn’t allow you to sign in, you can start your computer with Windows RE and open the System Restore Wizard from the Advanced options.

Note Windows Re

Windows RE is built on Windows Preinstallation Environment (Windows PE), which is a cut-down version of Windows that offers only limited functionality.

Identifying affected apps and files

When you’re using System Restore to restore a computer to an earlier state, the wizard will allow you to scan the restore point and advise you which apps and files will be affected by performing the operation. To restore your computer’s configuration to an earlier state, use the following procedure:

  1. Open System Protection.

  2. Select System Restore.

  3. On the Restore System Files And Settings page, select Next.

  4. On the Restore your computer to the state it was in before the selected event page, choose the restore point that you want to be restored, as displayed in Figure 4-10.

    A screenshot of the System Restore Wizard. Four restore points are displayed, dating back around a month. The administrator has selected one of these.

    FIGURE 4-10 Applying a system restore point to your system

  5. Optionally, select Scan For Affected Programs, or select Next.

  6. On the Confirm Your Restore Point page, select Finish.

  7. On the warning screen, select Yes.

  8. System Restore will now prepare your computer and restart. The process can take some time to complete.

  9. When the process is complete, the system will restart, and you can sign in to Windows.

  10. You will be presented with a summary of the system restore status, and a confirmation that your documents have not been affected.

  11. Select Close.

Note System Restore in Windows Re

When using System Restore in Windows RE—as a protection against unauthorized access to the system—you need to select a user account and provide the user’s password before you can use the System Restore feature.

Modifying the task schedule

After you have enabled the System Restore feature, you can modify the default task schedule for when you want automatic restore points to occur by modifying the SR scheduled task as follows:

  1. Search for a Task and select the Task Scheduler item.

  2. In the Task Scheduler Microsoft Management Console (MMC), expand the node on the left to locate Task Scheduler LibraryMicrosoftWindowsSystemRestore.

  3. Double-click the SR task in the middle pane.

  4. In the SR Properties (Local Computer) dialog box, select the Triggers tab.

  5. On the Triggers tab, select New.

  6. In the New Trigger dialog box, configure the schedule that you require. For example, you can configure Windows to create a daily system restore point at noon.

  7. Ensure that the Enabled check box is selected and select OK.

  8. On the Triggers tab, select OK. In the Task Scheduler MMC, the trigger is now displayed and enabled.

  9. Close the Task Scheduler MMC.

Opening Windows RE

To open Windows RE and use safe mode or other advanced troubleshooting tools, you can attempt to start Windows 10 in advanced troubleshooting mode by using one of the following options:

  • Open Settings, and select Update & Security. Select the Recovery tab, and if available, select Restart Now under Advanced Startup.

  • Restart the device using the Recovery Drive.

  • Boot the device using Windows 10 installation media and select the Repair Your Computer option.

  • Press the Shift key and select the Restart option on the Start menu.

In addition to these methods, Windows will automatically start in Windows RE after detecting the following issues:

  • Two consecutive failed attempts to open Windows

  • Two consecutive unexpected shutdowns that occur within 2 minutes of boot completion

  • A Secure Boot error

  • A BitLocker error on touch-only devices

After Windows 10 boots to the advanced troubleshooting mode, you must select Troubleshoot; then on the Advanced Options screen, you can access some or all the following options, as displayed in Figure 4-11:

  • Startup Repair Fix problems that are preventing Windows from starting.

  • Startup Settings Change Windows startup behavior.

  • Command Prompt Used for advanced troubleshooting.

  • Uninstall Updates Remove quality or feature updates.

  • UEFI Firmware Settings Used to modify UEFI settings.

  • System Restore Use a system restore point to restore Windows.

  • System Image Recovery Recover Windows using a system image file.

A screenshot displays six tiles, one for each of the following advanced options: Startup Repair, Startup Settings, Command Prompt, Uninstall Updates, UEFI Firmware Settings, and System Restore.

FIGURE 4-11 Windows 10 advanced troubleshooting mode

Note Windows 10 Does not Support F8 at Startup

Unlike versions prior to Windows 10, you can’t access the advanced troubleshooting mode by pressing F8 during the startup process. However, you can reenable the F8 support by modifying the boot configuration data (BCD).

The advanced troubleshooting mode shown in Figure 4-11 allows you to select the Startup Settings, which restarts Windows in a special troubleshooting mode that might be familiar to users of other versions of the Windows operating system. Selecting the Startup Settings troubleshooting mode presents you with the following options:

  • Enable debugging Start Windows 10 in troubleshooting mode, monitoring the behavior of device drivers to help determine if a specific device driver is causing Windows 10 to behave unexpectedly.

  • Enable boot logging Windows 10 creates and writes to a file named Ntbtlog.txt to record the device drivers installed and loaded during startup.

  • Enable low-resolution video Start Windows 10 in a low-resolution graphics mode.

  • Enable Safe Mode Windows 10 starts with a minimal set of drivers, services, and applications to allow you to troubleshoot the system using the GUI. Safe mode does not include network connectivity.

  • Enable Safe Mode with Networking Safe mode with networking enables network connectivity.

  • Enable Safe Mode with Command Prompt Safe mode using a Command Prompt window rather than the Windows GUI.

  • Disable driver signature enforcement Allows you to load device drivers that do not have a digital signature.

  • Disable early launch anti-malware protection Start Windows 10 without the early launch antimalware functionality running. This mode is useful for identifying whether early launch antimalware is affecting a driver or app from being loaded.

  • Disable automatic restart after failure Stops Windows 10 from automatically restarting after a system failure occurs.

You can cancel and reboot your system normally by pressing Enter. To select an option that you require, you need to press the number key or function key F1–F9 that corresponds to the list of items as displayed in Figure 4-12.

A screenshot shows the list of options for Startup Settings.

FIGURE 4-12 Windows 10 Startup Settings

If you press F10, you are taken to another screen with the option to open the recovery environment. This option reboots the system and returns you to the Advanced Options screen, as shown previously in Figure 4-11.

Note Last Known Good Configuration

Windows 10 does not support the Last Known Good Configuration startup option that was present in Windows 7 and earlier versions of Windows.

Reset This PC

If other methods of recovering your system fail or your problems reoccur, you can revert your system to the state similar to how it was when you purchased it or when you first installed Windows 10. Typical issues that prevent the use of other tools mentioned in this chapter include a damaged hard drive or a malware attack that encrypts the drive.

Windows 8 first introduced the option to refresh or recycle your computer; Windows 10 has improved the performance and reliability of this feature. You will see the words recycle and reset used interchangeably by Microsoft to mean the same thing, although the Windows interface options typically use the term reset. The Reset This PC option consolidates the two options (Refresh Your PC and Reset Your PC) that were available in Windows 8 and Windows 8.1.

For enterprise users who suffer from an unstable or corrupted system, often the quickest remedy is to deploy a fresh system image from the deployment server to the device. Home users and small organizations can use a similar solution, but rather than use a deployment server on the network such as Windows Deployment Services (Windows DS), Windows 10 is able to re-image the device itself. Selecting the Reset This PC option effectively reinstalls the Windows 10 operating system and allows you to either keep your files or remove everything.

To start the recovery process, follow these steps:

  1. Open the Settings app.

  2. Select Update & Security.

  3. Select Recovery.

  4. On the Reset this PC page, select Get started.

    The screen will be dimmed, and you will be presented with the options displayed in Figure 4-13:

    • Keep my files Removes apps and settings but keeps your personal files

    • Remove everything Removes all your personal files, apps, and settings

  5. Select Keep my files.

  6. On the How would you like to reinstall Windows? page, you are prompted to choose between:

    • Cloud download Choose this option to download and reinstall Windows from a cloud source. You are likely to download a more up-to-date version of Windows 10.

    • Local reinstall Choose this option to reinstall Windows from a local source. You can accelerate the recovery process by chosing this option.

  7. On the Additional Settings page, you can review your choices. Select Change Settings, or if you’re happy, select Next. A summary screen displays and describes the actions that will be performed. You can select the View apps that will be removed link to review which apps will be removed during the reset procedure.

  8. Select Reset. The reset process begins.

A screenshot shows the Choose An Option dialog box for Reset This PC. It offers two options: the Keep My Files option removes apps and settings but keeps your personal files; the Remove Everything option removes all of your personal files, apps, and settings.

FIGURE 4-13 Reset This PC options

After the reset process has completed and you’ve signed in, you will have a list of removed apps on the desktop. This file, called Removed Apps, is discussed more in the next section.

Note Recycle the Device

If you want to recycle a device, you can use the Reset This PC option to make the device available for use by someone else. If you choose Remove Everything, the device reverts to the out-of-box experience (OOBE) state. You can then use a deployment process, such as Windows Autopilot, to configure the device for reuse in your organization—with minimal user intervention.

If you selected Remove Everything, then you can also choose to clean your drive. Cleaning the drive helps ensure that your content is not recoverable by the new owner of the device. This option is ideal if you are seeking to recycle your PC and want to make it difficult for someone to recover your removed files. When the system reset is complete, you are offered the OOBE. You must configure the device, install any apps, and modify any settings that you would like.

To clean your drive, follow these steps:

  1. Select Reset this PC, and select Remove everything.

  2. On the How would you like to reinstall Windows? page, choose either Cloud download or Local reinstall.

  3. On the Additional Settings page, select Change Settings.

  4. On the Choose settings page, displayed in Figure 4-14, select Clean data?. If you have multiple hard disks and you want to clean them all, also select Delete files from all drives?. Select Confirm.

    A screenshot shows the Choose Settings page. The administrator has selected the Clean Data? and Delete Files From All Drives? options.

    FIGURE 4-14 Choose settings options for Remove Everything operations

  5. Review your chosen options, and then select Next.

  6. Finally, when prompted, select Reset.

Perform a Fresh Start

Versions of Windows 10 1909 and earlier provided another way to reset the system called Fresh Start. Fresh Start performs three actions:

  • Reinstalls Windows 10 while retaining your data

  • Removes all installed apps and bloatware

  • Installs the latest security updates

Fresh Start has been consolidated in Reset This PC in Windows 10 2004 and newer.

Creating a system image backup

As mentioned earlier, included with Windows 10 is the Backup And Restore (Windows 7) tool, which you can use to back up and restore selected files and folders. You can also use this tool to create a system image of your computer.

To create a system image backup, follow these steps:

  1. In Settings, select Update & Security and then select the Backup tab.

  2. In the Details pane, select Go to Backup and Restore (Windows 7).

  3. In Backup and Restore (Windows 7), select Set up backup.

  4. On the Select where you want to save your backup page, choose the location and select Next.

  5. On the What do you want to back up? page, select Let me choose and then select Next.

  6. Select any folders that you want to back up, but make sure you select the Include a system image of drives check box, as displayed in Figure 4-15.

    A screenshot shows the What Do You Want To Back Up? page of the Set Up Backup Wizard. The administrator has selected the Include A System Image Of Drives check box.

    FIGURE 4-15 Performing a system image backup

  7. On the Review your backup settings page, select the Change schedule link.

  8. On the How often do you want to back up? page, leave the Run backup on a schedule (recommended) check box selected, and choose when you want the backup to be performed.

  9. Select OK.

  10. On the Review your backup settings page, select Save settings and run backup.

  11. The backup will begin.

Note Advanced Backup Scheduling

Backup And Restore (Windows 7) allows you to create a simple backup schedule. If you modify the Automatic Backup task in Task Scheduler, you can specify a more complex backup schedule—for example, to back up multiple times per day or to back up when your workstation is in the locked state.

Using System Image Recovery

When you use the System Image Recovery process in Windows RE, Windows 10 replaces your computer’s current operating system state with the system image that has been created by the Backup And Restore (Windows 7) tool.

You should only use System Image Recovery if other recovery methods are unsuccessful because it will overwrite data on your computer. During the restore process, you can’t choose individual items to restore. All the apps, system settings, and files are replaced. Any data files stored locally on your computer that you have created or modified since the system image was created will not be available after you use System Image Recovery unless you have saved them to another location, such as OneDrive.

To recover a device with a system image, follow these steps:

  1. Open Settings, and then select Update & Security.

  2. Select Recovery, and then, under Advanced Startup, select Restart Now.

  3. In Windows RE, on the Choose An Option page, select Troubleshoot.

  4. On the Troubleshoot page, select Advanced options.

  5. On the Advanced options page, select System image recovery. Allow the system to reboot, and Windows will prepare for System Image Recovery.

  6. On the System image recovery page, select your user account.

  7. Enter your password and select Continue.

  8. On the Re-image your computer page, verify the system image is correctly selected, as displayed in Figure 4-16, and select Next.

    A screenshot shows two options for selecting a system image backup. The first option is titled Use The Latest Available System Image (Recommended) and is not selected; the second option is Select A System Image.

    FIGURE 4-16 Using the System Image Recovery Wizard

  9. On the Choose additional restore options page, select Next and then select Finish to start the restoration process.

  10. In the Re-image your computer dialog box, read the warning, and then select Yes. The Re-image your computer process will now proceed.

  11. Once completed, Windows will need to restart. Click Restart now, or you can wait and allow Windows to automatically restart. When Windows restarts, you will be presented with the sign-in screen.

Creating a system repair disk

In addition to a system image, you can use the Backup And Restore (Windows 7) tool to create a system repair disk. You can use a system repair disk to recover Windows 10 in the event of a drive or other catastrophic failure.

A system image can be incorporated into any backup when using the Backup And Restore (Windows 7) tool. However, creating a system repair disk requires that you manually create a repair disk, as follows:

  1. Open Backup And Restore (Windows 7) in Control Panel.

  2. Insert a blank writable CD or DVD into your device.

  3. On the Backup And Restore (Windows 7) screen, select the Create a system repair disc link.

  4. In the Create a system repair disc dialog box, select Create disc, as displayed in Figure 4-17.

A screenshot of the Create A System Repair Disc dialog box, with Backup And Restore (Windows 7) in the background. In the dialog box, a green horizontal progress bar is displayed as the system repair disc is being created.

FIGURE 4-17 Creating a system repair disc

The system repair disc is useful if Windows 10 will not automatically boot in the advanced startup options. In this situation, insert the system repair disc and your computer will boot from the recovery media automatically. If it doesn’t, you might need to change the boot order.

Troubleshoot the startup process

Windows 10 has an efficient and reliable startup architecture. It is rare that you will need to get involved in resolving startup problems. However, when startup problems do occur, they can be difficult to resolve unless you understand the underlying process.

Components of the startup architecture

The startup architecture consists of four main components:

  • Windows Secure Boot All computers are potentially vulnerable to malicious software, such as computer viruses. This is especially true during the early startup phases when the operating system’s protective components may not yet be available. To mitigate this issue, Windows 10 implements Secure Boot. If your computer supports the Unified Extensible Firmware Interface (UEFI), you can enable Secure Boot in your computer’s UEFI settings. Once Secure Boot is enabled, when the computer starts and before control is transferred to the operating system, each piece of software is checked for a valid digital signature. Only software deemed safe is loaded, including all low-level operating system drivers and files.

  • Windows Boot Manager This consists of a single file, BOOTMGR, which resides in the root directory of the active disk partition. This partition is not assigned a drive letter. The Windows Boot Manager, BOOTMGR, reads the Boot Configuration Data (BCD) from the boot store. BOOTMGR replaces the NTLDR program from Windows XP and earlier. The BCD identifies the location and state of any operating systems installed on the local computer. The BCD is a database. Windows XP used a simple text file called Boot.ini.

  • Windows OS Loader Winload.exe is located in the WindowsSystem32 folder on the operating system partition, which is typically assigned the drive letter C. Winload.exe initializes memory and then transfers control to the Windows kernel; this is a file called Ntoskrnl.exe located in C:WindowsSystem32.

  • Windows Resume Loader Winresume.exe is also located in the WindowsSystem32 folder on the operating system partition. If the boot store identifies that there is a hibernation image (hiberfil.sys) on the local computer, then BOOTMGR has passed control to Winresume.exe rather than Winload.exe. Winresume.exe then returns the computer to its pre-hibernation state.

Note Partitioning

Your computer typically has three partitions on its installed hard disk. All of these will be primary partitions. The first partition will be marked as active and will contain the files necessary to perform the initial startup of the operating system; this partition, or drive, is often referred to as the System partition (although it contains the boot store and low-level boot files). The second partition automatically is assigned the drive letter C and contains the operating system; it is often referred to as the Boot partition. The third partition is the recovery partition containing Windows RE. You might also have a vendor-specific recovery partition.

Note Fast Startup

By default, Windows 10 is configured to use Fast Startup. When you shut down your computer, part of the operating system’s state is stored in Hiberfil.sys. However, this is not true hibernation; instead, it is a hybrid state. We recommend using Fast Startup because it enables your computer to start up far more quickly. You can configure Fast Startup in Power Options in Control Panel.

The Windows 10 startup process

When you start a computer installed with Windows 10, as displayed in Figure 4-18, the following process occurs:

  1. Power-on self-test When you power up your computer, the UEFI or, on older computers, the Basic Input/Output System (BIOS), performs a number of fundamental checks. This is referred to as the power-on self-test (POST).

    The critical check that the POST performs is to verify the presence and accessibility of a configured boot device, such as a hard disk. The hard disk must contain a valid master boot record (MBR). The MBR enables the computer to identify and access partition information on the attached disk. The computer accesses the primary active partition (which contains the Windows 10 boot sector) and loads BOOTMGR.

  2. Read the boot configuration data BOOTMGR accesses the BCD from the system partition. This enables BOOTMGR to determine the location of any installed operating systems and, where necessary, to display a startup menu on computers configured with multiple operating systems (referred to as dual-boot or multiboot systems). BOOTMGR also determines whether the computer has a hibernation file.

  3. Winload.exe or Winresume.exe If a Hiberfil.sys file exists, BOOTMGR passes control to Winresume.exe to restore the operating system from the pre-hibernation state. If no Hiberfil.sys file exists, BOOTMGR passes control to Winload.exe.

    Winload.exe initializes memory and scans the computer’s registry to locate device drivers configured with a Start value of 0. These include low-level hardware components, such as hard disk controllers and peripheral bus components. Winload.exe then scans the registry for device drivers assigned a Start value of 1.

    Finally, control is passed to the operating system Kernel, Ntoskrnl.exe, and all drivers in memory; the Kernel is then initialized.

  4. Load drivers After the kernel initializes, any remaining required drivers are loaded and initialized.

  5. Session Manager The kernel loads the Windows Session Manager (Smss.exe), which among other things, initializes the Windows subsystem (Csrss.exe). The display will now switch from character mode to graphical mode.

  6. Sign in After the Windows subsystem loads, the Winlogon service starts. This displays the sign-in page, and the local user can sign in to the computer.

    A graphic displaying the startup process in Windows 10. Stages shown are: 1: Post, 2: BCD, 3: WINLOAD, 4: KERNEL, 5: SESSION MANAGER, and 6: SIGN IN.

    FIGURE 4-18 The Windows 10 startup process

Available options for startup recovery

If your computer does not start properly, or at all, you can choose from a number of repair and recovery tools, depending on the particular situation:

  • Windows RE If your computer won’t start, then start from the product DVD and select Repair Your Computer In Setup. You can then access the full set of recovery tools in Windows RE, including System Restore, System Image Recovery, Startup Repair, Command Prompt, and Startup Settings. Generally, if the problem is related to low-level startup files, such as the boot sector, BOOTMGR, and the BCD, choosing the Startup Repair option is generally successful in fixing startup problems.

  • Advanced Startup Settings If the startup problem lies elsewhere than with the startup files, you should be able to successfully start your computer in Safe Mode. Start from the product DVD, and in Setup, select Repair Your Computer. From the Advanced options menu, select Startup Settings, and then choose Safe Mode. Advanced Startup Settings include:

    • Enable Debugging

    • Enable Boot Logging

    • Enable Low-Resolution Video

    • Enable Safe Mode

    • Enable Safe Mode With Networking

    • Enable Safe Mode With Command Prompt

    • Disable Driver Signature Enforcement

    • Disable Early Launch Antimalware Protection

    • Disable Automatic Restart After Failure

  • System Configuration tool If your computer starts but with errors, you can access Safe Mode by running the System Configuration tool (Msconfig.exe). On the Boot tab, shown in Figure 4-19, select the appropriate Safe Boot option. Note that the computer remains in Safe Mode until you return to System Configuration to revert to Normal startup on the General tab.

    A screenshot that displays the Boot tab on the System Configuration tool. Safe Boot has been selected.

    FIGURE 4-19 System Configuration tool

  • Automatic Failover If your computer experiences startup problems, assuming that your computer still has the (default) recovery partition, Windows will fail over to Windows RE from this recovery partition.

The boot store

The boot store contains information that enables the low-level startup components of Windows 10 to locate any installed operating systems on the attached hard disk(s). Generally, it is not necessary to make changes to the BCD. However, it is important that you know how to make changes in case you must troubleshoot the startup environment.

Typically, you make changes to the BCD by reconfiguring Windows. For example, you might use the System Configuration tool to force Safe Mode. You might decide to make changes to the Startup And Recovery settings to choose the default operating system (assuming several are installed). Both these changes are made in the user interface but are reflected in the BCD. However, you can also work directly with the BCD using a number of command-line tools. For example, Figure 4-20 shows the output from the bcdedit.exe /enum command; this command enumerates and displays all boot store entries.

A screenshot that displays the output from the bcdedit.exe /enum command. The returned output shows two entries: Windows Boot Manager and Windows Boot Loader.

FIGURE 4-20 Output from BCDEdit.exe

Modifying the boot store

There are a number of tools with which you can directly edit the BCD:

  • BCDEdit.exe You can use BCDEdit.exe from an elevated Command Prompt. It enables you to

    • Add BCD store entries

    • Modify BCD store entries

    • Delete entries

    • Export the BCD

    • Import into the BCD

    • List entries

    • Query entries

    • Make global changes

    • Change the default time-out

    Need More Review? Bcdedit Command-Line Options

    You can find more information about the syntax of the bcdedit.exe command on the Microsoft website at

  • Bootrec.exe You can use Bootrec.exe to manually rebuild the BCD based on a scan that the program performs. You must run Bootrec.exe in Windows RE in the Command Prompt tool. There are a number of parameters that you can use:

    • /FixMbr Resolves MBR corruption issues

    • /FixBoot Corrects boot sector corruptions

    • /ScanOS Scans the hard disk(s) for Windows installations and displays any not listed in the BCD

    • /RebuildBcd Scans the hard disk(s) for Windows installations and prompts you to add any discovered to the BCD

Managing devices and device drivers

For hardware to function properly, it requires special software designed for Windows 10 to communicate with it. This software is referred to as a device driver. When Windows 10 detects new hardware, the system automatically attempts to install one of the built-in drivers included as part of the operating system. These drivers are located in the Windows 10 Driver Store, or you can download them through Windows Update. A common reason for a computer to fail to start, or to start with errors, is because a device driver is faulty or corrupted.

Install devices

New and updated hardware device drivers are regularly submitted to Microsoft by the equipment vendor for testing and cataloging. If the Windows Update feature is enabled, Windows 10 automatically detects the presence of new device drivers, downloads them, and installs them.

New hardware is typically installed automatically when it’s added to Windows 10; the operating system detects and identifies the new hardware through the Plug and Play feature. Windows 10 supports new hardware connected through a variety of connection methods, including USB (1.0 through 3.1), Wi-Fi, and Bluetooth. In addition to backward compatibility for existing and earlier hardware, emerging technologies, such as near-field communication (NFC) and Miracast for wireless displays, also have built-in support in Windows 10.

Device Manager is intended for advanced users or for managing or troubleshooting a hardware device issue. Device Manager provides information about each device, such as the device type, device status, manufacturer, device-specific properties, and device driver information.

There are multiple ways to load the Device Manager, including:

  • Right-clicking the Start button and selecting Device Manager

  • Typing Device Manager into Search

  • Opening Control Panel, selecting Hardware And Sound, and then selecting Device Manager

The Device Manager default view (devices by type) is shown in Figure 4-21.

A screenshot shows Device Manager.

FIGURE 4-21 Device Manager showing the devices by type view

You can expand and explore each node in Device Manager and then select a device. All devices have properties, and you can view them by right-clicking the desired device and selecting Properties.

The Properties dialog box for a device is shown in Figure 4-22.

A screenshot shows the Microsoft AC Adapter Properties dialog box.

FIGURE 4-22 Device Properties

If you added a new peripheral and Windows 10 does not immediately recognize it, first check that the device is connected properly and that no cables are damaged. You should ensure that the external device is powered on and not in sleep or standby mode. You can also open Device Manager and start the Scan For Hardware Changes Wizard from the Action menu, which will locate previously undetected hardware and then configure it for you.

Update device drivers

Most computers that you’ll work with have different hardware components, such as motherboards, disk controllers, graphics cards, and network adapters. Fortunately, Windows 10 is designed to work with an extensive list of hardware devices, and it benefits from Plug and Play, which tries to detect new devices automatically and then installs the correct driver software. If Windows has a problem with a device, you must troubleshoot the cause. Troubleshooting can involve locating the correct or updated device drivers and installing them.

Windows 10 automatically attempts to install a device driver, and if one is not available locally, it attempts to locate one through Windows Update. For most systems, devices and their associated drivers remain constant and require no further administrative effort. In the following instances, you might need to update, disable, or reinstate a previous driver:

  • Windows 10 detects that a newer driver is available through Windows Update.

  • You want to install a newer device driver manually, typically obtained from the manufacturer’s website.

  • The device is not performing or functioning correctly with the current driver.

  • A new or beta version of a driver is causing stability issues.

To update a specific driver, select the device in Device Manager and select Update Driver Software from the context menu.

Windows 10 offers you two choices for updating the driver:

  • Search Automatically For Updated Driver Software

  • Browse My Computer For Driver Software

Typically, most users allow Windows to locate, download, and install an updated device driver automatically if one is available through Windows Update. This method is the default.

If you have the installation media that came with the hardware, you can use the browse feature to locate the correct driver. The Windows 10 Update Driver Software Wizard can automatically search through the subfolders in the media and locate all the relevant drivers for the device.

If you have already downloaded a specific device driver from the manufacturer—for example, a video driver from NVIDIA or AMD/ATI—you might need to run the driver installation wizard included in the download files, which contains additional software besides the device driver.

If Windows determines that the current driver is the most up-to-date or best driver available, you can confirm the version number of the driver by viewing the properties of the driver in Device Manager. If you have a more recent driver that you want to use, you must manually uninstall the current driver and then manually install the more recent driver.

Disable individual driver updates or Windows Updates

Sometimes it is important to remove a device driver completely from the system. It might be corrupted or incompatible with your system. If Windows determines that the driver is valid and up-to-date, it is impossible to use another device driver while the current driver is present. To uninstall an unwanted device driver, use the following steps:

  1. Open Device Manager.

  2. Locate the device with the problem driver, right-click it, and choose Uninstall device.

  3. In the Uninstall device dialog box, select Uninstall.

If the item relates to an unwanted Windows Update, use the following steps.

  1. Open Settings, select Update & Security, and on the Windows Update tab, select View update history.

  2. Select Uninstall updates. In Control Panel, on the Installed Updates page, locate and uninstall the unwanted update by selecting it from the list and then selecting Uninstall.

If you have difficulty uninstalling the driver, try restarting the computer and attempting the procedure again. Only as a last resort should you try to delete the software manually. You can use the PnPUtil.exe command-line tool and remove the INF files that are associated with the device:

PnPUtil.exe -a -d <path to the driver> <drivername>.inf

We discuss using the PnPUtil.exe command-line tool later in this chapter.

Note Driver Installation and Removal are Administrative Functions

You must use administrative privileges to install or uninstall a device or driver package by using Device Manager.

Because different hardware types have different functions and features, review the tabs in the properties screen. Not all devices have the same tabs, and some devices do not offer the ability to view or modify the device driver.

Turn on or off automatic device driver installation in Device Installation Settings

Sometimes installing an updated driver can cause your computer to lose functionality, and you may decide to uninstall the driver. Windows 10 automatically attempts to reinstall the driver, which is not desirable. In this situation, you might need to turn off the automatic device driver installation setting by following these steps:

  1. Open Control Panel, and under Hardware and sound, select Devices and printers.

  2. Under Devices, right-click the icon that represents your computer (it should have your computer name), and select Device installation settings, as displayed in Figure 4-23.

    A screenshot shows the context menu for a computer device.

    FIGURE 4-23 Disabling the automatic device driver software installation

  3. In the Device installation settings dialog box, choose No (your device might not work as expected). (Yes is the default setting.)

  4. Select Save changes.

Perform a driver rollback

Sometimes a driver problem can cause the system to become unstable. In Device Manager, you can roll back an updated driver to its previous version. If the system allows you to start normally, you can perform this task by following these steps:

  1. Open Device Manager.

  2. Right-click the device that you want to roll back and then select Properties.

  3. In the Properties dialog box, select the Drivers tab and then select Roll back driver.

  4. In the Driver package rollback dialog box, select Yes.

The Driver Package Rollback feature can only be used to revert to a previously updated driver. If you have not installed a later driver, the option in Device Manager will be unavailable.

Note No Driver Rollback for Printers

Although Printers and Print queues appear in Device Manager, you cannot use Driver Package Rollback for these devices.

If your system is unstable or won’t start up properly because of a faulty driver, such as a video driver, you may need to restart the computer in Safe Mode to access Device Manager and perform the driver rollback. Windows 10 automatically detects startup failures and should boot into the advanced startup menu. To access Safe Mode, use the following procedure:

  1. Open Settings, select Update & Security, and then select the Recovery tab.

  2. Under the Advanced startup heading, select Restart now.

  3. When your PC restarts, select Troubleshoot from the Choose an Option menu.

  4. Select Advanced options.

  5. Select Startup Settings and select Restart. You see the Startup Settings screen, as displayed in Figure 4-24.

    A screenshot shows the Startup Settings options.

    FIGURE 4-24 Startup Settings options

  6. Select Safe Mode by pressing the 4 key.

  7. Sign in to the system and roll back the driver as described earlier.

The rollback feature remembers only the last driver that was installed and doesn’t keep copies of multiple drivers for the same device.

Resolve driver issues

One of the most common issues with device drivers relates to users attempting to install a driver designed for an earlier operating system or a different architecture. In some cases, on previous versions of Windows, it might have been possible to install a Windows 7 driver on a Windows 8–based computer, but this is not a supported operation for Windows 10 and should be avoided in a production environment. As is the case with other software installations, you can’t use a 32-bit driver for a 64-bit resource. You can’t use a 64-bit driver to communicate with a 32-bit resource, either.

Note Device Manager Error Troubleshooting

Device Manager marks a device that is not operating normally with a yellow exclamation point. When troubleshooting a device, you can check the error that Device Manager reports. For a detailed list of errors that Device Manager reports, see the article at

Use driver verification tools

If you encounter issues with drivers that seem to relate to malware or missing drivers, you can use a command-line tool called sigverif.exe, which checks whether any drivers have been installed on the computer that have not been signed. The check can take several minutes to complete. To run this tool, perform the following steps:

  1. Open a Command Prompt.

  2. Enter sigverif.exe. The File Signature Verification tool appears.

  3. Review the Advanced options.

  4. Select Start and view the results, as displayed in Figure 4-25.

A screenshot shows the output for the Sigverif.exe tool. A file, ibtsiva.exe, has been identified as unsigned.

FIGURE 4-25 File Signature Verification tool output

The sigverif.exe tool is useful if you need to locate an unsigned driver. However, there is a more powerful driver verification tool, Driver Verifier, which is built into Windows 10.

With the enhanced kernel mode operation and reliance on signed drivers, Windows 10 should be less prone to frequent Stop errors. Although less likely, even signed drivers can cause problems, especially if you have an exotic combination of hardware inside your computer. If you do encounter instability, use the built-in Driver Verifier to discover whether a faulty driver is causing the problem.

The Driver Verifier Manager Wizard can help you troubleshoot, identify, and resolve common device driver problems, and you can then remove, reinstall, or roll back the offending driver with Device Manager.

To run the series of driver tests, follow these steps:

  1. Open an elevated Command Prompt.

  2. Enter verifier.exe. The Driver Verifier tool appears.

  3. Review the settings in the tool. Depending on which option you choose, you might need to restart your computer for the tool to recognize all loaded drivers.

  4. After you have selected drivers to be tested, restart the computer, restart the application, and then select Display information about the currently verified drivers.

Driver Verifier Manager tests each specified driver at startup and then enables you to perform a live test of each loaded driver by running a range of tests, as displayed in Figure 4-26. If it detects a problem, the tool can identify the driver, and then you can disable it.

A screenshot shows the Driver Verifier Manager dialog box. The selected option is Create Standard Settings.

FIGURE 4-26 Driver Verifier Manager tool

View device settings

Device drivers provide Windows 10 with the information required to populate the device details that you find in Device Manager. If only a few details are available to view, the device might have been installed using the built-in driver. You may be able to install a driver from the manufacturer’s website, which will give additional information through Device Manager.

The default Device Manager screen enables users to work directly in the Properties dialog box of a device and provides information about the device that the hardware and device driver provide. The following is a review of Device Manager features that you can use to explore the available information so that you can configure the driver settings.

In Device Manager, explore these four menu options:

  • File This menu enables you to exit the console and optionally delete the record of the console customizations you make to the console settings.

  • Action This menu enables you to access the action-specific tasks relating to the highlighted hardware, including Update Driver Software, Disable, Uninstall, Scan For Hardware Changes, Add Legacy Hardware, Properties, and Help.

  • View This menu enables you to change how the console view displays advanced information relating to the devices listed in Device Manager. Some hardware is also hidden from normal view, and this option can be set to show hidden devices. The Customize option enables you to show or hide items within the console. You can view devices by:

    • Device type or connection

    • Resources by type or connection

  • Help This menu offers access to help topics relating to Device Manager and the console.

There are several advanced views in Device Manager that standard users do not normally use. These include the connection type and hidden device views, as follows:

  • Show Hidden Devices In previous versions of Windows, printers and non–Plug and Play (PnP) devices could be marked by the device manufacturer as a NoDisplayClass type of device, which prevents it from automatically being displayed in the Device Manager. Devices that have been removed from the computer—but whose registry entries are still present—can also be found in the hidden devices list.

  • Devices By Type This is the default view, and it shows devices grouped by familiar device name, such as Network Adapters, Ports, and Disk Drives. Each node can be expanded by selecting the > symbol to the left of the node name.

  • Devices By Connection You can view devices based on the hardware connection, such as physical or virtual.

  • Resources By Type Use this option to view resources organized by how they connect to system resources, including Direct Memory Access (DMA), Input/Output (IO), Interrupt Request (IRQ), and Memory. Unless your BIOS allows you to declare that you are not using a Plug and Play–compliant operating system, you will not be able to modify these settings.

  • Resources By Connection This view is for advanced users only and is not particularly useful on a modern system. Viewing the device hardware resources by DMA, IO, IRQ, and Memory were useful for earlier versions of Windows prior to the introduction of Plug and Play, which allowed the operating system to manage automatically the resources required by devices.

Support for older hardware

Some of the advanced settings in Device Manager are seldom used but have been retained for backward compatibility with older devices that do not support Plug and Play. Modern hardware peripherals must support Plug and Play, which allows Windows 10 to assign hardware resources automatically to new devices. If you look on the Resources tab of a device’s Properties dialog box in Device Manager, you see that a check box is selected indicating that Windows 10 is using automatic settings, as displayed in Figure 4-27. The setting is unavailable and cannot be modified unless you disable the BIOS/UEFI setting, which declares that the operating system is Plug and Play–compliant.

A screenshot shows the Resources tab of the Qualcomm Atheros AR8161 PCI-E Gigabit Ethernet Controller (NDIS 6.0) Properties dialog box. The Use Automatic Settings option is selected and nonconfigurable.

FIGURE 4-27 Automatic resource allocation

The Plug and Play standard for connecting devices to Windows is nearly two decades old. Some hardware still exists that requires the administrator to install it manually. In Device Manager, the Add Hardware Wizard enables you to install hardware that does not support Plug and Play (PnP). To install such hardware, perform the following steps:

  1. Open Device Manager.

  2. On the Action tab, select Add legacy hardware.

  3. On the Welcome to the add hardware wizard page, select Next.

  4. Select one of these options:

    • Search for and install the hardware automatically (recommended)

    • Install the hardware that I manually select from a list

  5. Follow the wizard prompts to finish the configuration of the hardware and provide the driver when requested.

Note Non-PnP (Older) Devices are not Shown in Windows 10

Since Windows 8 and Windows Server 2012, non-PnP devices have not been represented in Device Manager as viewable nodes.

Driver signing

One of the reasons Windows 10 is more secure than earlier versions of Windows is that kernel mode drivers must now be submitted to and digitally signed by the Windows Hardware Developer Center Dashboard portal. Windows 10 will not load kernel mode drivers that the portal has not signed. To ensure backward compatibility, drivers that are properly signed by a valid cross-signing certificate will continue to pass signing checks on Windows 10.

Windows 10 also introduces the Universal Windows driver, which is designed to work on all OneCoreUAP-based editions of Windows, such as Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, and Windows 10 Internet of Things Core (IoT Core).

A Universal Windows driver has access to the trusted kernel and has a limited range of the interfaces that are available to a Windows driver. OEMs can supplement the driver functionality by including additional software, but this software will be external to the driver. Windows 10 security is more robust by locking down the kernel to signed drivers and encouraging developers to use the Universal Windows driver model.

If you have a specific need to install an unsigned driver—for example, if you are a developer and work with drivers, and you want to test the driver functionality without having to sign the driver digitally each time—you can invoke a special boot-time configuration setting that bypasses the security the Windows 10 driver enforcement model provides. To load an unsigned driver (not recommended), you can follow these steps:

  1. Sign out of Windows 10.

  2. On the sign-in screen, select the Power button, hold down the Shift key, and select Restart.

  3. On the Choose An Option screen, choose Troubleshoot.

  4. Choose Advanced Options.

  5. On the Advanced Options screen, select Startup Settings and select Restart.

    Advanced Boot Options appears.

  6. Choose Disable driver signature enforcement, as displayed in Figure 4-28.

    A screenshot shows the Startup Settings page.

    FIGURE 4-28 Disable Driver Signature Enforcement

  7. Install the unsigned driver and then restart the computer.

Manage driver packages

When device drivers are created by an OEM, they are deployed with the hardware in a driver package that includes all the files and information required for Windows 10 to communicate with the hardware. Let’s see how driver packages are managed and how to install, provision, and import driver packages on Windows 10 devices.

Use the Driver Store

You learned earlier that the driver package can include an information file (INF file), any files that the INF file references, and a CAT file that contains the digital signature for the device driver. Windows 10 uses the Driver Store to hold device drivers that have been installed or prestaged.

All Windows 10 kernel mode drivers must be digitally signed by the Windows Hardware Developer Center Dashboard portal. Windows 10 will prevent the loading of new kernel mode drivers that are not signed by the portal. This is an important change from previous versions of Windows and will make the operating system more secure. Previously, it was possible for a hacker to gain unauthorized access to a system by using a flaw in an unsigned device driver. Ensuring that all drivers are digitally signed removes the ability for a malicious hacker to add or modify device driver contents.

If you are creating a custom installation image, or if you build and deploy many computers, you can speed up the driver installation process by preloading the Windows 10 Driver Store with the specific drivers for the peripheral devices that your devices will be using. When Windows 10 finds the drivers it needs in the Driver Store (located in %SystemRoot%System32 DriverStore), it uses these local drivers and does not download them from Windows Update.

Preinstalling a driver is a two-stage process, and the first stage must be carried out with administrator credentials. You need to add the driver package to the Driver Store and then ensure that the hardware is attached; Windows 10 then automatically locates and installs the local driver.

There are a few ways to deploy drivers to the Driver Store, and the most appropriate method will depend on your physical network infrastructure, network connectivity, and level of administrative privileges on devices, among other things.

Note Avoid Deleting Files From the Driver Store

Take care not to delete driver packages manually from the Driver Store. Doing so can cause an inconsistency among the INF file, the Driver Store catalog, and the driver in the Driver Store. For more information, go to

Use PnPUtil.exe to manage driver packages

To prestage the installation of a specific hardware device, you can install a driver manually before connecting the device by using the PnPUtil.exe command-line tool. This tool can be useful when you are distributing a laptop to a remote user who you know has a local printer or scanner. Standard users cannot normally install device drivers, but if the driver package is already in the Driver Store, this is possible.

Run the PnPUtil.exe tool by using administrative privileges. You can use it to manage the Driver Store; you can add, delete, and list driver packages. You saw earlier that a driver package consists of all the information Windows 10 requires to install and trust the driver, including the following:

  • Driver files Dynamic link library (DLL) files with the .sys file extension.

  • Installation files Text files containing all the information needed to install a driver. These INF files include information, such as driver name and location, driver version information, and registry information. These files are copied to the %SystemRoot%Inf directory during installation. Every installed device must have an INF file.

  • Driver Catalog file Contains a cryptographic hash of each file in the driver package. These hashes are used to verify that the package was not altered after it was published (created). Digitally signing the catalog file proves the file has not been altered because only the digital signature owner can sign the file.

  • Additional files These are files such as a device installation application, device icon, device property pages, and additional files.

For enhanced security, Windows 10 uses a single kernel model across all editions of Windows 10, and Windows 10 encourages the use of a new universal driver model. This universal INF file is required when deploying device drivers to an offline system image, such as when building a Windows 10 Mobile system (which does not support Plug and Play).

The syntax for the PnPUtil.exe command-line tool is as follows:

PnPUtil.exe a <path to the driver> <drivername>.inf

The full list of parameters is shown in Table 4-2.

TABLE 4-2 PnPUtil.exe parameters




Adds a driver package to the Driver Store.


Removes a driver package from the Driver Store.


Lists the driver packages that are currently in the Driver Store.


Forces the deletion of the specified driver package from the Driver Store; cannot be used with the -i parameter.


Installs the driver package on matching devices that are connected to the system. Cannot be used with the -f parameter.


Displays help.

An example command to add the INF file specified by MyDevice.inf to the Driver Store (located at %SystemRoot%System32DriverStore) is:

PnPUtil.exe -a C:TempMyDevice.inf

In addition to the PnPUtil.exe tool, you can use the following Windows PowerShell cmdlets:

  • Get-PnpDevice Displays information about PnP devices

  • Get-PnpDeviceProperty Displays detailed properties for a PnP device

  • Enable-PnpDevice Enables a PnP device

  • Disable-PnpDevice Disables a PnP device

An example Windows PowerShell command to enable the device with an instance ID of 'USBVID_5986&;PID_0266&;MI_007&;1E5D3568&;0&;0000' is as follows:

PS C:> Enable-PnpDevice -InstanceId 'USBVID_5986&;PID_0266&;MI_007&;

For more information about, or for the syntax of, any of the Windows PowerShell cmdlets, you can use the Get-Help <cmdlet name> cmdlet, such as the following:

Get-Help <cmdlet name> -Examples
Download driver packages

Drivers are packaged together; each driver package consists of all the software components needed for your device to work with Windows.

Most drivers are obtained directly by using built-in tools such as Windows Update. However, if you are provisioning systems, you might want to deploy the PC with the required drivers already imported and configured.

Device drivers can be accessed to perform a malicious attack on your systems. Therefore, you should ensure that driver packages are sourced only from reputable locations, such as the manufacturer’s own website. You should avoid third-party driver repository websites because some sites repackage drivers and include spyware or freeware products in the installation files.

The built-in Windows 10 driver packages are often just the core drivers created by your device manufacturer and provided by Microsoft through the Windows Hardware Quality Labs (WHQL), which tests and digitally signs the drivers. Video drivers often include additional software support and hardware functionality. For example, drivers sourced directly from NVIDIA or AMD for their graphics cards include the NVIDIA Control Panel or the AMD Catalyst control panel, respectively.

If you are seeking the most up-to-date or even a beta version of a device driver, you must download it directly from your device manufacturer. In most cases, you will not need to upgrade your device driver after Windows 10 is installed. If everything is working properly, you probably won’t have to install extra hardware drivers.

If you are a gamer, it can be beneficial to ensure that your graphics card drivers are using the latest versions so that they support the latest PC games.

You should consider downloading new driver packages in the following scenarios:

  • If you play PC games Install the latest graphics drivers directly from your graphics card manufacturer because they are often required to play the latest games. Newer versions can also improve graphics performance.

  • When you need a hardware utility Install the latest version if the manufacturer- provided driver package includes a hardware utility, such as a network configuration tool or ink monitor for your printer.

  • To resolve a bug Bugs can be found in released drivers and will often be fixed in the most up-to-date version.

  • To install hardware manually If Windows Plug and Play does not automatically detect and install the hardware, you may have to download the driver package from the manufacturer and install the device driver.

Add packages using DISM

The Deployment Image Servicing and Management (DISM) tool is included as part of the Windows 10 operating system. This tool is useful for offline image servicing. DISM is a command-line tool that you can use to maintain images and apply them with Windows Updates. It is also used to add and remove Windows features, including language packs, and to manage device drivers.

If you have a custom Windows 10 image, you can use DISM to modify it, and the changes will be visible when you next deploy the image. This can be useful when you know that a driver has been updated since you built the deployment image. Using DISM to inject the new driver saves you from having to rebuild the whole image. Using DISM is similar to using a file compression tool, such as WinRAR, whereby you add or remove new files and then WinRAR reseals the WIM, VHD, or VHDX file so that it is ready for deployment.

When you use DISM to install a device driver to an offline image, the device driver is added to the Driver Store. When the image is booted, PnP runs, looks for drivers in the store, and associates them with the corresponding devices on the computer on which they’re being installed.

To add drivers to an offline image by using DISM, use these steps:

  1. Open an elevated Command Prompt.

  2. Establish the name or index number for the image that you are servicing by running:

    Dism /Get-ImageInfo /ImageFile:C:	estimagesinstall.wim
  3. Mount the offline Windows image by running the following:

    Dism /Mount-Image /ImageFile:C:	estimagesinstall.wim /Name:"Windows Offline
    Image" /MountDir:C:	estoffline
  4. You can now add the driver, located in the C:Drivers folder, to the image by running:

    Dism /Image:C:	estoffline /Add-Driver /Driver:C:driversNew_driver.inf
  5. If you have additional drivers in a folder, you can use the /Recurse option, which installs all the drivers from a folder and all its subfolders. To do this, run:

    Dism /Image:C:	estoffline /Add-Driver /Driver:c:drivers /Recurse
  6. You can review the drivers in the Windows image by running:

    Dism /Image:C:	estoffline /Get-Drivers

    In the list of drivers, notice that the added drivers have been renamed Oem*.inf. This ensures that all driver files in the Driver Store have unique names. For example, the New_Driver1.inf and New_Driver2.inf files are renamed Oem0.inf and Oem1.inf.

  7. To complete the operation, commit the changes and unmount the image by running:

    Dism /Unmount-Image /MountDir:C:	estoffline /Commit

    Need More Review? DISM

    For a detailed reference for the DISM command-line options, visit the Microsoft website at

Manage driver packages with DISM

During the life of a Windows 10 installation, the system downloads and installs multiple versions of device driver packages over time. For devices with small hard drive capacity, be aware of how to locate and delete outdated driver packages that the system retains.

You can use the built-in Disk Cleanup tool to remove device driver packages that have been kept after newer drivers are installed.

To clean up old device drivers by using the Disk Cleanup tool, perform these steps:

  1. Select Start , enter Disk Cleanup, and then select the Disk Cleanup app.

  2. In the Drive Selection dialog box, select (C:) and select OK.

  3. On the Disk Cleanup results screen, select Clean up system files.

  4. In the Drive selection dialog box, select (C:) and select OK.

  5. On the Disk Cleanup results screen, select Device driver packages and select OK.

  6. On the Are you sure you want to permanently delete these files? page, select Delete Files.

All driver packages that were installed during the Windows 10 setup process are stored in a directory called WinSxS, the side-by-side component store. This folder contains driver packages and operating system components so that you can add devices later without having to supply device drivers. If disk space is limited, you can purge the WinSxS directory contents; doing so can be helpful because it could occupy a significant amount of disk space.

To analyze the Windows Component Store for driver packages and other files that can be deleted, you can use the DISM tool by using the following steps:

  1. In an elevated Command Prompt, run the following:

    DISM /Online /Cleanup-Image /AnalyzeComponentStore

    The tool analyzes your system. Typical results are shown in Figure 4-29.

    A screenshot shows the output from the DISM /Online command.

    FIGURE 4-29 Analyzing the Component Store (WinSxS) with DISM

  2. When the analysis is complete, you can initiate a cleanup of the Windows Component Store by running the following command:

    DISM /Online /Cleanup-Image /StartComponentCleanup /ResetBase

Important Do not Delete the Winsxs Folder

Do not manually delete the WinSxS directory or its contents to reclaim the space because Windows creates many hard links from files in the WinSxS folder to locations in system folders.

Managing Services

Another possible cause of startup problems in Windows 10 is services; these are software components that function with the operating system and usually require no user intervention. Usually, services start before a user signs in to a Windows computer.

If your computer experiences problems when starting, you can use the following tools to help to identify whether the issue relates to operating system services:

  • Event Viewer If services have problems, then generally errors are written to the Windows log files. You use the Event Viewer tool to access these log files. Event Viewer is discussed in more detail later in this chapter.

  • Log files Outside of the built-in capabilities of the Windows logs, you can also enable additional logging within specific Windows components or within a particular app. For instance, you can enable more detailed logging of the startup process by selecting Boot Logging in the Advanced Startup Options menu.

  • Stop codes Windows 10 is very robust and system crashes are rare. However, when they occur, you can use the stop codes generated to help to identity the cause. These stop codes might suggest that a service is the root cause of a system crash.

  • Notifications Within the Action Center, you can view notifications from Windows about system events, including possible problems.

If your computer does not start as a result of an issue with services, you can attempt to resolve the problem in a number of ways. These include:

  • Safe Mode Start your computer in Safe Mode; doing so reduces the number of services running and might enable you to start your computer successfully. Once started, you can then investigate the possible causes using the tools just listed.

  • Windows RE Start your computer into Windows RE and then select the Command Prompt tool. Using commands such as Net.exe and Sc.exe enables you to manually control service behavior.

  • MSConfig.exe The System Configuration tool has a Services tab that you can use to control service startup. You can choose to disable specific services from this console. You can also focus only on those services that are not built in to Windows, as displayed in Figure 4-30.

A screenshot shows the Services tab of the System Configuration tool. The administrator has selected the Hide All Microsoft Services check box. Therefore, only non-Microsoft services are displayed.

FIGURE 4-30 Viewing the non-Microsoft services in System Configuration

Skill 4.2: Manage updates

Keeping computers safe and protected from external threats such as malware and malicious hackers is a big challenge. In earlier versions of Windows, you could decide whether the operating system was automatically updated with the latest features, security updates, and fixes through the Windows Update feature. Some users chose to disable automatic updates, and these computers are vulnerable to attack. With over a billion Windows devices worldwide, even if this number is a small percentage of the total, it might mean millions of devices are unprotected.

Windows 10 changes the game with regard to updates and security because it will continually and automatically benefit from new updates rolled out through Windows Update. To enhance the security protection delivered in Windows 10, the consumer can no longer turn off security updates. Enterprise users will have some leeway on the timing of updates and upgrades, and they can still choose to test updates and deliver them internally, using Windows Server Update Service (WSUS) or other management tools to keep their devices updated. For organizations that require deployment of a static installation of Windows 10 that will not have upgrades, Microsoft ships a special build of Windows 10, which is discussed later in this skill.

Plan for Windows Updates

In order to keep your Windows computers running efficiently and securely, it is important to install updates from Microsoft when they become available. In the past, these updates were designed primarily to fix identified problems or security vulnerabilities. However, with Windows 10, Microsoft has introduced a new update model: Windows as a service.

With Windows as a service, updates are designed not only to resolve perceived defects in software, but also to add new features to the operating system. Instead of releasing new versions of Windows every few years, Microsoft now provides continual updates that provide new features to Windows 10.

As an IT professional supporting Windows 10 users, it’s important that you know how to manage updates within your organization. A significant part of this goal is based on a good understanding of the new Windows as a service model.

Windows as a service

Windows as a service is more about Windows deployment than it is updating; in other words, the update mechanism is used to deliver, or deploy, new builds of Windows instead of relying on more traditional deployment methods.

As an organization, this means that instead of planning and performing operating system upgrades, such as from Windows 7 to Windows 10, you use Windows Update to continually introduce new Windows 10 features as the operating system evolves. This means that the update process becomes a continual process, based on small incremental updates rather than significant upgrades every few years.

Two types of update are delivered in this way:

  • Feature updates These add significant functionality to the Windows 10 operating system, and to date, these updates have been deployed twice a year, typically in spring and fall. Until recently, these updates have been identified by their year and month. But this has now changed. Updates are currently identified by the year and the half of the year when they are due for public release. For example, this book and its companion exam are based on Windows 10 20H2, which shipped in the second half of 2020. Other, earlier, feature updates include Windows 10 1909 and Windows 10 2004.

  • Quality updates These provide reliability and security updates and fixes. Microsoft deploys these updates monthly on the second Tuesday of the month. They are cumulative, meaning that even if you miss an update, by applying a subsequent update you receive all previous updates.


Business users of Windows 10 can determine when these updates apply. Broadly, you can configure deferral periods for both Feature and Quality updates. These deferrals define a number of days that you defer the application of released updates.

When an update is imminent, Microsoft makes it available to early adopters. When the update is finalized, the update is distributed to Windows devices around the world.

As part of the planning process for updates, you should consider participating in the early release scheme for updates for some of your users’ computers. This will enable you to test the effect of the updates on your organization’s Windows 10 computers. You can also use the deferrals to determine precisely when, after an update has been released, you will apply it to the majority of your computers.

The illustration in Figure 4-31 gives an example of how this might work. When an update is released to early adopters, you can begin the planning process for the deployment of that update. When it’s released, you can make it available to a small subset of your computers. Finally, you can distribute the update more widely.

An illustration of the Windows as a service model displaying the planning, pilot, and deployment phases of the update process.

FIGURE 4-31 Windows as a service feature updates over the past few years

You can continue to use a Windows 10 version for 18 months after it has been made widely available. You must then start the process over again. It’s quite likely that many organizations will choose to perform continual, rolling updates. Consequently, it’s possible that some of your users’ computers will be using one version of Windows 10 while other users are using earlier or later versions.

Select the appropriate servicing channel

In order to implement updates within your organization, you must decide on which computers will receive updates, and how quickly they will receive them after Microsoft releases them. Part of this decision is about selecting a servicing channel. You must also consider deferral periods for these updates.

Users of Windows 10 Home editions have no control over how their computers receive these updates. However, users in business and educational organizations who are using Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education editions can control their update experience using servicing channels.

  • Servicing channels Microsoft provides several servicing channels. These channels determine when updates are applied to a computer. These channels are as follows:

    • Windows Insider Program For early adopters. There are three channels available to insiders: Fast, Slow, and Release Preview. Those on the Fast channel receive early and frequent updates, those on Slow receive less frequent updates, and those on Release Preview receive what you may think of as being a pre-release beta of the finalized updates. Note that these channels are also referred to as Dev Channel, Beta Channel, and Release Preview Channel, respectively.

    • Semi-Annual Channel The default channel. Users receive updates fairly quickly after Microsoft releases them.

    • Long-Term Servicing Channel A specialized version of Windows 10 Enterprise that doesn’t receive feature updates. This is not a channel you configure, but rather a version of Windows 10 Enterprise that you license (Windows 10 Enterprise LTSC).

  • Deployment rings You can define deployment rings by using Group Policy Objects (GPOs) or Microsoft Intune. These deployment rings use a selected servicing channel and additional Windows settings to determine when updates apply. By configuring groups of computers with matching settings, you can control updates to that group.

Select the servicing channel

You cannot select a servicing channel directly through the user interface in Windows 10. Instead, you must use either GPO settings or Microsoft Intune to control this setting. However, you can subscribe to the Windows Insider Program through the user interface.

As mentioned, the Windows Insider Program enables Windows 10 users to gain insight into feature updates before they’re released. They can also provide feedback to Microsoft during their evaluation of those feature updates. To opt in to the Windows Insider Program channel, follow these steps:

  1. Open the Settings app.

  2. Select Update & Security and then select the Windows Insider Program tab.

  3. As displayed in Figure 4-32, on the Windows Insider Program tab and under the Windows Insider Program heading, select Get started.

A screenshot shows the Update & Security node of the Settings app. The Windows Insider Program tab is displayed.

FIGURE 4-32 Windows Insider Program

Using deployment rings

By selecting an appropriate servicing channel, and then configuring feature update and quality update deferral values, you can create deployment rings. You may decide that you require a test group of computers that get updates early. You may also decide to create a group of computers that receive updates reasonably quickly after release. After testing, you may then want to enable the bulk of your remaining computers to receive the updates. You could achieve this by using the deployment rings described in Table 4-3.

TABLE 4-3 Suggested deployment rings



Feature deferral

Quality deferral



Windows Insider Program

0 days

0 days

Enables you to evaluate and test prerelease updates before they are deployed to your other devices. During this phase, you can begin to identify any potential issues with the updates.


Semi-Annual Channel

0 days

0 days

Enables you to evaluate released updates on a small subset of your devices. This enables you to identify any possible problems before you deploy updates to the rest of your computers.


Semi-Annual Channel

60 days

30 days

For most of your users, the deferment values ensure that you have had adequate time to test updates and to identify possible problems.


Semi-Annual Channel

180 days

30 days

This ring might be used to ensure that updates are applied as long as possible after their release. Devices configured into this ring might be running critical apps or services.

To configure deployment rings for Active Directory Domain Services (AD DS) domain-joined devices, use GPO settings. These settings are discussed in the next section.

To configure deployment rings for non-domain-joined devices, use Microsoft Intune. You can configure the deployment rings using the Microsoft Endpoint Manager admin center, as displayed in Figure 4-33. Details about this process are beyond the scope for this book, since they are not covered in the MD-100 Windows 10 exam. Note that in the Microsoft Endpoint Manager admin center, deployment rings are referred to as update rings.

A screenshot shows the Microsoft Endpoint Manager admin center. The administrator is viewing the Windows 10 Update Rings node. Displayed on the right are four rings: Early, Slow, Standard, and Test.

FIGURE 4-33 Microsoft Intune update rings

Configure Windows Update options

After you have planned your deployment rings, you must configure the Windows Update settings. With the exception of the servicing channel and deferrals, you can do this on a per- computer basis by using the Settings app. However, most organizations will use GPOs to configure AD DS domain-joined computers and use Intune Windows 10 update rings to configure cloud-based Windows 10 devices.

Configuring settings on an individual computer

To configure the Windows Update settings on an individual computer, open the Settings app and select Update & Security. You can then configure the following settings.

Windows Update

Select the Windows Update tab, as displayed in Figure 4-34.

A screenshot shows the Windows Update page on the Settings app. Updates are pending. Also available is a Download link to start installing the updates.

FIGURE 4-34 Windows Update settings

You can then configure active hours, view update history, and configure the following advanced options (discussed earlier):

  • Pause updates for 7 days This setting enables you to temporarily stop the application of updates for a week. This is useful when troubleshooting updates.

  • Change Active Hours This setting allows the user to identify the period of time when they expect the device to be in use. Automatic restarts after an update will occur outside of the active hours. The default is 8 AM to 5 PM.

  • View Update History Provides access to the links to uninstall updates and to access recovery options. You can also see a list of recent updates, as displayed in Figure 4-35. To uninstall updates, select the link and select the update you want to remove.

    A screenshot shows the View Update History window. The following links are displayed: Uninstall Updates and Recovery Options. Also shown are a list of Quality Updates applied and their details.

    FIGURE 4-35 Viewing update history

  • Advanced options On the Advanced options page, shown in Figure 4-36, you can configure the following properties:

    • Receive updates for other Microsoft products when you update Windows Users can choose to include updates for other Microsoft products in addition to Windows, and use the users’ sign-in info to automatically sign back in to the device to complete the installation following an update.

    • Download updates over metered connections Enables users to ensure they receive updates, even when connected using cellular data.

    • Update notifications Allows Windows to display a notification when a restart is required following updates.

    • Pause updates Enables the user to turn off updating for a period of up to 35 days.

A screenshot shows the Advanced Options window. Under the Update Options heading, the following options are shown: Receive Updates For Other Microsoft Products When You Update Windows, Download Updates Over Metered Connections, Update Notifications, and Pause Updates.

FIGURE 4-36 Changing advanced Windows Update options

Delivery Optimization

In Windows 10, you have several options regarding how Windows updates and Microsoft Store apps are delivered to the computer. By default, Windows obtains updates from the Microsoft Update servers, computers on the local network, and on the internet. Windows Update Delivery Optimization allows the application of updates more quickly than previous versions of Windows. Once one PC on your local network has installed an update, other devices on the network can obtain the same updates without downloading directly from Microsoft.

This process is similar to popular peer-to-peer file sharing apps. Only partial file fragments of the update files are downloaded from any source, which speeds up the delivery and increases the security of the process. If you allow delivery optimization to take place, you then can choose from the following options how your PC will obtain updates and apps from other PCs:

  • PCs on my local network Windows will attempt to download from other PCs on your local network that have already downloaded the update or app.

  • PCs on my local network, and PCs on the internet Windows will attempt to download from the PCs on your local network, and Windows also looks for PCs on the internet that are configured to share parts of updates and apps.

If Delivery Optimization is enabled, your computer can also send parts of apps or updates that have been downloaded using Delivery Optimization to other PCs locally or on the internet. To enable Delivery Optimization, from Settings, in Update & Security, select the Delivery Optimization tab, as displayed in Figure 4-37.

A screenshot shows the Delivery Optimization tab in Windows Update. Under the Allow Downloads From Other PCs heading, the following options are displayed: PCs On My Local Network (Selected) and PCs On My Local Network, And PCs On The Internet (not selected).

FIGURE 4-37 Editing the Delivery Optimization settings for Windows Update

Note that there are additional delivery optimization settings that you can configure by using GPO settings. These settings are discussed in the next section.

Configuring settings using GPOs

Although you can configure all your computers running Windows 10 manually, it is far easier and quicker to use Group Policy to configure your domain-joined computers. You can configure the following Windows Update settings using GPOs:

  • Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows Update, as described in Table 4-4

  • Computer ConfigurationAdministrative TemplatesWindows ComponentsDelivery Optimization, as described in Table 4-5

  • Computer ConfigurationAdministrative TemplatesWindows ComponentsWindows UpdateWindows Update for Business, as displayed in Table 4-6

To set a GPO to configure Windows Update, complete these steps:

  1. On a domain controller, open Group Policy Management.

  2. Right-click a GPO and then select Edit.

  3. In the Group Policy Management Editor, shown in Figure 4-38, navigate to the appropriate node and edit the appropriate setting(s) as per the following tables.

    A screenshot shows the Group Policy Management Editor. The Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsWindows Update node is selected.

    FIGURE 4-38 Editing the Windows Update GPO settings

  4. Close the editor when you are finished. The GPOs will refresh to domain-joined computers.

TABLE 4-4 Windows 10 GPO settings in the Windows Update node

GPO Setting


Turn Off Auto-Restart For Updates During Active Hours

Allows you to specify the active hours during which the PC won’t restart.

Specify Active Hours Range For Auto-Restarts

Allows you to specify the maximum number of hours that active hours can be set. This time can be set between 8 and 18 hours.

Specify Deadline Before Auto-Restart For Update Installation

Allows you to enforce a restart 2–14 days after a restart is scheduled.

Configure Auto-Restart Reminder Notification For Updates

Allows you to specify when auto-restart reminders are displayed.

Turn Off Auto-Restart Notifications For Update Installations

Allows you to turn off all auto-restart notifications.

Configure Auto-Restart Required Notifications For Updates

Allows you to specify how the restart notifications are dismissed. By default, this is automatic after 25 seconds.

Configure Automatic Updates

Configure whether Windows Update can enable automatic updates on your computer.

If this setting is enabled, you must select one of the five options in the Group Policy setting (also note there is no option 6):

  • 2 = Notify for download and auto install

  • 3 = Auto download and notify for install

  • 4 = Auto download and schedule the install

  • 5 = Allow local admin to choose setting

  • 7 = Auto Download, Notify to Install, Notify to Restart

If you select option 4, you can also modify a recurring schedule; otherwise all installations will be attempted every day at 03:00.

Specify Intranet Microsoft Update Service Location

Configure whether Windows Update will use a server on your network to function as an internal update service.

Do Not Allow Update Deferral Policies To Cause Scans Against Windows Update

Allows you to prevent update deferral policies to cause scans against Windows Update.

Remove Access To Use All Windows Update Features

Enabling this policy removes user access to Windows Update scan, download, and install features.

Specify Engaged Restart Transition And Notification Schedule For Updates

Enabling this policy allows you to configure settings related to PC restart following a period of time when auto-restart settings have been configured.

Do Not Include Drivers With Windows Updates

If you enable this policy setting, Windows Update will not include drivers with Windows quality updates.

Configure Auto-Restart Warning Notifications Schedule For Updates

Controls when users receive notification reminders and warnings to restart their devices following an update installation.

Update Power Policy For Cart Restarts

For EDU devices that remain on charging carts overnight to receive updates to reboot during the scheduled install time frame.

Defer Windows UpdatesSelect When Feature Updates Are Received

Controls the type of feature updates to receive and when based on branch readiness level.

Defer Windows UpdatesSelect When Quality Updates Are Received

Controls the type of quality updates to receive and when to receive them based on branch readiness level.

The second table of GPO settings allows you to modify the Delivery Optimization settings in Windows 10 so that you can fine-tune and regulate the peer caching of updates.

TABLE 4-5 GPO settings in the Delivery Optimization node

GPO Settings


Absolute Max Cache Size (In GB)

Allows you to limit the maximum size in GB for the Delivery Optimization cache. The default size is 10 GB.

Enable Peer Caching While The Device Connects Via VPN

Can allow the device to participate in Peer Caching while connected via VPN to the domain network to download from or upload to other domain network devices, while either on the VPN or via the corporate network.

Download Mode

Configures the use of Windows Update Delivery Optimization for downloads of Windows apps and updates as follows:

  • 0=HTTP only: No peering

  • 1=LAN: HTTP blended with peering behind the same NAT

  • 2=Group: HTTP blended with peering across a private group

  • 3=Internet: HTTP blended with Internet Peering

  • 99=Simple: Download mode with no peering

  • 100=Bypass mode: Do not use Delivery Optimization and use BITS instead

Group ID

Used to create a group ID to which the device belongs. Used to limit or to group devices.

Max Cache Age (In Seconds)

Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. Default setting is 3 days.

Max Cache Size (Percentage)

Specifies the maximum cache size that Delivery Optimization uses as a percentage of available disk size. Default is 20%.

Maximum Download Bandwidth (In KB/s)

Specifies the maximum download bandwidth that the device can use across all concurrent download activities using Delivery Optimization.

Max Upload Bandwidth (In KB/s)

Defines the maximum upload bandwidth that a device will utilize for Delivery Optimization.

Minimum Background QoS (In KB/s)

Specifies the minimum download QoS (Quality of Service or Speed) for background downloads. Default is 500 KB/s.

Allow Uploads While The Device Is On Battery While Under Set Battery Level (Percentage)

Specify the value between 1 and 100 to allow the device to upload data to LAN and Group peers while on battery power. The device can download from peers while on battery regardless of this policy.

Minimum Disk Size Allowed To Use Peer Caching (In GB)

Specifies the required minimum disk size for the device to use Peer Caching. Default is 32 GB.

Minimum Peer Caching Content File Size (In MB)

Specifies the minimum content file size in MB enabled to use Peer Caching. Default value is 100 MB.

Minimum RAM Capacity (Inclusive) Required To Enable Use Of Peer Caching (In GB)

Specifies the minimum RAM size in GB required to use Peer Caching. Default value is 4 GB.

Modify Cache Drive

Specifies the drive Delivery Optimization will use for its cache.

Monthly Upload Data Cap (In GB)

Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to internet peers in each calendar month. Default value is 20 GB.

Maximum Download Bandwidth (Percentage)

Specifies the maximum download bandwidth that Delivery Optimization uses. The default value is 0.

Windows Update for Business settings in GPO enable you to control which deployment ring your users’ computers are configured for. By using these settings, you control which servicing channel your users’ devices use, and deferment values for both feature and quality updates.

TABLE 4-6 GPO settings in the Windows Update for Business node

GPO Settings


Select When Preview Builds And Feature Updates Are Received

This value enables you to select the servicing channel. You can choose between:

  • Preview Build – Fast

  • Preview Build – Slow

  • Release Preview

  • Semi-Annual Channel

You can then also select a deferment value.

Select When Quality Updates Are Received

If you enable this value, you can then define a deferment value (in days) for quality updates.

Disable Safeguards For Feature Updates

Enable this setting when Feature Updates should be deployed to devices without blocking on any safeguard holds.

Manage Preview Builds

You can control whether your users’ computers can be configured into the Insider Build servicing channel. Enable this value, and then choose whether the devices are enabled for preview builds, disabled for previews, or disabled after the next release becomes public.

Select The Target Feature Update Version

Enable this policy to specify a Feature Update version to be requested in subsequent scans.

Check for updates

It is not usually necessary to check for updates manually. However, you can easily do so by opening the Settings app. In Update & Security, on the Windows Update tab shown in Figure 4-39, select Check For Updates. Windows connects to Windows Update and retrieves a list of any pending updates. It’s currently not visible as updates are already displayed as available.

A screenshot shows the Windows Update tab in Update & Security in the Settings app. The administrator has selected Check for Updates. Windows is now displaying a list of available updates.

FIGURE 4-39 Checking for updates

Note Caution

If updates are available, they will automatically start to download and install, even if you have configured settings in GPO to only notify for download and install.

Validate and test updates

It is important that you know how Windows updates might affect your users’ devices. Consequently, you should take the time to validate and test updates before making them available across your organization.

We have already discussed how a servicing channel together with deferment values can be used to create the notion of deployment rings. Using deployment rings gives you an opportunity to obtain and test forthcoming updates before ongoing deployment.

In addition, you can consider using additional services to deploy Windows updates rather than relying solely on the Windows Update servers. Table 4-7 describes the additional options.

TABLE 4-7 Options for deployment of updates

GPO Settings



This is a Windows Server 2019 server role. WSUS downloads updates from the Windows Update server(s). You can then configure how these updates are propagated to your client computers. This gives you time to test and validate updates.

Windows Update For Business

Essentially, you can consider this to be similar to WSUS. However, it is maintained in the cloud by Microsoft and is available for devices running Windows 10 Pro, Windows 10 Education, or Windows 10 Enterprise. By configuring Intune deployment rings, or by configuring Windows Update for Business GPO values, you are using Windows Update for Business.

Endpoint Configuration Manager (formerly SCCM)

If you already have ECM for managing deployment, you can also use it to manage updates. ECM gives you great control and flexibility in managing updates.

Microsoft Intune

Intune is a cloud-based device and app management tool. It’s especially useful for managing non-domain-joined devices. With Intune, you can approve updates, deploy updates, and remove updates.

When testing updates, it’s important that you make sure that all devices, peripherals, and apps will work with the new updates. This is particularly relevant when considering the deployment of feature updates.

Troubleshoot updates

If a machine is not receiving updates and you have checked the Settings app and Group Policy settings to ensure that updates are not deferred or paused, you should verify that the two services in Windows relating to Windows Update are running.

The first is the Windows Update service, which checks which updates have been installed locally and what is available on the update servers. The Windows Update service also handles the download, installation, and reporting of the state of updates.

Background Intelligent Transfer Service (BITS) is a supplemental service that handles the transfer of update files in the most efficient manner. Both services need to be running for Windows Update to function correctly.

You can also use the Windows Update troubleshooter. This is located on the Additional Troubleshooters page, accessible on the Troubleshoot tab in Update & Security in the Settings app, as displayed in Figure 4-40.

A screenshot shows the Troubleshoot tab in Update & Security within the Settings app. The administrator has selected Windows Update, and the Run The Troubleshooter button is now visible.

FIGURE 4-40 Running the Windows Update troubleshooter

Click Run The Troubleshooter. Windows attempts to check the required services and attempts to connect to the Windows Update server. If Windows identifies problems, as displayed in Figure 4-41, it might make recommendations on how best to resolve the issue(s).

A screenshot shows the Windows Update Troubleshooting wizard. Problems have been detected with network settings, and the troubleshooter is prompting the user to apply this fix.

FIGURE 4-41 Recommended fixes for Windows Update problems

Roll back updates

With the rhythm of regular updates becoming the method of keeping devices secure and up-to-date, there might be instances when an update causes problems and you need to consider removing the update completely by rolling it back. You may have experience with driver rollbacks; the same concept is used for rolling back Windows updates.

Sometimes you need to remove a single Windows update. You can perform this task in a number of ways—through Control Panel, the Settings app, or the Command Prompt.

Uninstall a Windows update by using Control Panel

If you prefer to use Control Panel, you can see an Installed Updates list in Control Panel by following these steps:

  1. Click the Start button and enter Control Panel, and select Control Panel.

  2. Open Programs > Programs And Features.

  3. Select View Installed Updates.

  4. Select an update that you want to uninstall, as displayed in Figure 4-42.

    A screenshot shows the Uninstall An Update page in Control Panel. Nine updates are displayed, and the administrator has selected one for removal.

    FIGURE 4-42 Removing an update in Control Panel

  5. If Windows allows you to uninstall it, Uninstall appears on the toolbar.

  6. In the Uninstall An Update dialog box, select Yes to confirm.

  7. Accept the UAC if prompted. A restart might be needed to complete the removal of the update.

Uninstall a Windows update in Settings

The Settings app ultimately opens the same Installed Updates list in Control Panel. Perform these steps if you prefer to use the Settings app:

  1. Open the Settings app and select Update & Security.

  2. Select Windows Update and then select View update history. A list of your installed Windows Updates appears.

  3. Select Uninstall Updates at the top of the screen. The link opens the Control Panel > Programs > Programs and Features > View installed updates page.

  4. Select an update that you want to uninstall. If Windows allows you to uninstall it, Uninstall appears on the toolbar.

  5. In the Uninstall an update dialog box, select Yes to confirm.

  6. Accept the UAC if prompted. A restart might be needed to complete the removal of the update.

Uninstall a Windows update by using the Command Prompt

Sometimes you will want to remove the same update from multiple devices. After you have tested the command-line tool on your test device, you can use the Command Prompt or Windows PowerShell to script the command and distribute it to multiple devices by using Group Policy or Windows PowerShell.

You can use the Windows Management Instrumentation (WMI) command-line utility to generate a list of installed Windows Update packages on a Windows 10–based device, as displayed in Figure 4-43.

A screenshot shows the result from the wmic qfe list command.

FIGURE 4-43 Command Prompt running the wmic qfe list command

To generate the list of installed Windows Update packages on your device, open a Command Prompt (or Windows PowerShell) and run the following command:

wmic qfe list brief /format:table

When you have identified an update that you want to remove, you can use the Windows Update Stand-Alone Installer (Wusa.exe) command-line tool to uninstall updates by providing the package number (from the Microsoft Knowledge Base) of the update to be uninstalled. The syntax for the tool is as follows:

wusa.exe /uninstall /kb:<KB Number>

Replace <KB Number> in the command with the actual KB number of the update you want to uninstall. The WMIC and WUSA commands work in either the Command Prompt or Windows PowerShell.

Skill 4.3: Monitor and manage Windows

After your computers are installed with Windows 10, it will be necessary to monitor and manage them. Windows 10 provides many tools with which to monitor your computers, including the Event Viewer, and a number of performance-monitoring tools, including Resource Monitor and Performance Monitor.

In addition to monitoring your computers, you must be familiar with how to manage important elements of the operating system, including printers and printing, indexing, and services.

Configure and analyze event logs

A key built-in security tool in all Windows operating systems are event logs, which are accessed in the Windows Event Viewer and provide information regarding system events that occur. Event logs are generated as a background activity by the Event Log service and can include information, warning, and error messages about Windows components and installed applications and actions carried out on the system.

Understand event logs

You can start Event Viewer, as displayed in Figure 4-44, by entering eventvwr.msc.

A screenshot shows the System log in Event Viewer. A number of informational events are displayed in the central pane. The administrator has selected a Critical event for further analysis.

FIGURE 4-44 Event Viewer with System log selected

Upon opening, the console retrieves the events that have occurred on your computer and displays them. You can configure the Event Viewer to work with event logs from remote computers; you must enable remote management in your firewall.

There are two types of log files:

  • Windows logs Includes Application, Security, Setup, System, and Forwarded Events

  • Applications and services logs Includes other logs from applications and services to record application-specific or service-specific events

Because logs are created as part of the operating system, they can provide forensic-level metadata that can help you understand problems that are difficult to diagnose, using real-time analysis of the system.

The Windows logs are described in more detail in Table 4-8.

TABLE 4-8 Built-in Windows logs



Log File Location

Default Log Size


Events logged by installed applications.



20,480 KB


Records events logged by Windows during setup and installation.


1,028 KB


Contains auditable events such as logon, logoff, privileged use, and shutdown.


20,480 KB


Contains events logged by Windows 10. This is the main system log.


20,480 KB

Forwarded Events

Used when event forwarding is operational. This log records forwarded events from other computers.

%SystemRoot%System32Config ForwardedEvents.Evtx

20,480 KB

The default Windows 10 event log maximum file size is 20 MB. If your system reaches this maximum size, new events will overwrite old events.

Open Event Viewer and take some time to familiarize yourself by reviewing some logs. There are several levels of events, with descriptions as follows:

  • Information These logs provide information about changes related to a component or system process, usually a successful outcome.

  • Warning These events are not critical, although they could lead to more serious problems and should be investigated.

  • Error Events warn you that a problem has occurred.

  • Critical These events are the most severe and could lead to failure or loss of function. They are highly significant and indicate that a problem is occurring or has occurred.

  • Audit Success/Failure If you have enabled auditing, these log entries appear in the security log.

In Event Viewer, select each of the Windows logs and look at the types of events that have been generated. The Actions pane on the right side provides tools and wizards to help you work with logs, including saving a log, clearing/deleting entries in a log, opening a previously saved log, and attaching a task to an event.

Create a custom view

When you explore Event Viewer, you may find so many entries that it is hard to locate specific issues. You’ll want to remove entries, but you should not clear a log on a production machine without first saving the log. A better method of removing log entries, such as informational or warning log entries, is to create a custom view that shows only specific events. This acts like a saved filter that you can invoke.

To create a custom view in Event Viewer that displays only Critical events in the System log, follow these steps:

  1. Open Event Viewer.

  2. On the Action menu, select Create Custom View.

  3. On the Filter tab, select the Critical check box for Event Level.

  4. In By Log, use the down arrow and expand Windows Logs; select only the System check box and then select OK.

  5. Enter a name, such as System-Critical, for the log name, and select OK. The custom view immediately refreshes and displays log entries that match the criteria.

  6. Check that your custom view filter—in this case, named System-Critical—is located in the left pane under the Custom Views node.

  7. Close Event Viewer.

With all events, you can double-click the event log entry to reveal its Properties dialog box. The Event Properties dialog box provides you with additional detailed information together with a Copy button so that you can copy the event data to the Clipboard and then work with the data or seek help. Event descriptions have become easier to understand than in previous versions of Windows. The experience of reading event log entries will also help build your understanding.

Configure event subscriptions

You can configure Event Viewer to gather other computers’ event logs. Manually connecting to other computers on a regular basis can be cumbersome. You can automate the collection of event logs from other computers by creating event subscriptions.

All computers participating in a subscription must be configured to allow remote administration. This is achieved by enabling the Windows Remote Management service on the source computer. On the collector computer, start the Windows Event Collector service, which enables the computer to collect events from remote devices. To configure the computers to collect and send events, perform the following two short procedures.

View subscriptions

To enable the collector computer to view subscriptions:

  1. Open an elevated Command Prompt.

  2. Enter wecutil qc.

  3. Enter Y to start the Windows Event Collector service. The Windows Event Collector service announces that it was configured successfully.

  4. Close the Command Prompt window.

To enable remote collection of events on the source computer, follow these steps:

  1. Open an elevated Command Prompt.

  2. Enter winrm quickconfig.

  3. Enter Y; repeat when prompted. The WinRM firewall exception is now enabled.

  4. Close the Command Prompt window.

You can create two kinds of subscriptions: collector-initiated and source computer–initiated. Table 4-9 describes these subscriptions, along with some of the key terms related to event subscriptions.

TABLE 4-9 Event subscription terms




A group of events you configure based on specific criteria you create is called a subscription. Subscriptions enable you to receive events from other computers, called sources.


The event source computer is the computer that provides you with events on your network. The source computer can be a PC or a server.


The event collector computer is the computer on which you view the collected events. The collector computer can be a PC or a server.

Collector-initiated subscription

In a collector-initiated subscription, the subscription must contain a list of all the event sources that need to be added one at a time. This is used on small networks because each must be configured manually.

Source computer– initiated subscription

The source computer transmits local events to the collector computer. This is a push type of arrangement, often configured using Group Policy.

Create a subscription

To create a collector-initiated subscription, follow these steps:

  1. Open Event Viewer.

  2. Select the Subscriptions node.

  3. If the option to start the Windows Event Collection Service dialog box appears, select Yes.

  4. In the Action pane, select Create Subscription.

  5. Enter a name and a description for the subscription, as displayed in Figure 4-45.

    A screenshot shows properties of an event subscription called Collect Warning Event Messages From Kiosk PC.

    FIGURE 4-45 Creating an event subscription

  6. Under Subscription type and source computers, select Collector initiated and then select Select Computers.

  7. In the Computers dialog box, select Add Domain Computers, select the computer to be polled for subscriptions, and select OK.

  8. Under Events To Collect, select Select Events and define the event criteria—such as event levels, log type, and event source—that will be used to match and collect events. Select OK.

  9. Select OK to save and make the subscription active.

    The new subscription is listed in the main pane of the Subscriptions node.

If you want to view events on other computers on your network, you can do so without creating a subscription. This approach is useful for ad hoc monitoring, for example, to see whether a particular event has occurred.

Access event logs remotely

When you want to quickly view event logs on a remote computer, you don’t have to create a subscription. Instead, you can view the event logs directly. To view event logs on a remote system, follow these steps:

  1. Open Event Viewer.

  2. Right-click Event Viewer (Local) in the left pane and choose Connect to Another Computer.

  3. When the Select Computer dialog box opens, select Another Computer and enter the name, the domain name, or the IP address of the computer, or select Browse to search for the computer on your network.

  4. If you need to specify logon credentials, select the Connect as another User check box. Select Set User and enter the logon credentials for a local administrator or user on the remote device and then select OK.

Note View Events on Remote Computers

You must have administrator privileges to view events on a remote computer. You must also configure Windows Firewall on all participants to allow traffic on TCP port 80 for HTTP or on TCP port 443 for HTTPS.

Manage performance

Windows 10 offers a number of tools that you can use to view and manage performance. Some of these provide a snapshot view of system performance. Others provide a means to collect and analyze performance data over a period of time.

You can use the following tools to manage performance in Windows 10:

  • Task Manager

  • Resource Monitor

  • Performance Monitor

Monitor performance using Task Manager

If you have used an earlier version of Windows, you probably have used Task Manager. It is one of the most useful tools available in Windows for gaining an immediate insight into how a system is performing.

Access Task Manager

The Task Manager built into Windows 10 shows you which processes (tasks) are running on your system and, most important, shows the system resource usage that directly relates to performance. If a particular task or process is not responding or continues to run after you have closed the application, you can use Task Manager to view this behavior and force the offending process to end.

When troubleshooting, you may find that some users are comfortable using Task Manager to review the system status and end problematic tasks.

If you are moving to Windows 10 from Windows 7 or earlier, notice that Task Manager has been redesigned extensively and is now much more user-friendly, informative, colorful, and slightly less technical.

To open Task Manager, right-click the Start button and then select Task Manager. There are other ways to open Task Manager:

  • Pressing Ctrl+Shift+Esc

  • Right-clicking the taskbar, Cortana, or the Task View button and then selecting Task Manager

By default, Task Manager opens to show only the running applications, as you can see in Figure 4-46. While using this view, you can highlight any of the listed applications and select End Task to stop a running app.

A screenshot shows the running applications listed in Task Manager. These are Microsoft Edge, Microsoft Management Console, Microsoft Word, and Virtual Machine Connection.

FIGURE 4-46 Task Manager

If you select More Details, Task Manager reopens and displays seven tabs, which enable you to review specific areas of your computer activity. The tabs are described in Table 4-10.

TABLE 4-10 Task Manager tabs

Task Manager Tab



Shows all running apps and background processes


Shows real-time statistics for CPU, memory, disk, Ethernet, Bluetooth, and Wi-Fi usage

App History

Shows historical data for universal and modern apps usage for the previous month


Lists the apps that start when the computer boots


Lists all the users currently logged on to the computer locally and remotely


Shows detailed statistics on all running and suspended processes


Displays all running and stopped system services

Each tab offers you a different view of the system. Most users might be interested only in the simple view, whereas most IT professionals will only use the detailed version of Task Manager.

Using the Performance tab

The Performance tab provides a graphical, real-time, statistical view for CPU, Memory, Disk, and Ethernet. If you have multiple Ethernet devices, such as Wi-Fi, these are listed. Figure 4-47 shows the Performance tab with Disk 0 selected. In the lower pane, below the graphics, you see additional information, such as read/write speed, capacity, and average response time. If you are connected to Wi-Fi and select Ethernet, you see the adapter name, Service Set Identifier (SSID), Domain Name Service (DNS) name, connection type, IPv4 and IPv6 addresses, and signal strength.

A screenshot shows the Performance tab in Task Manager. The CPU node is selected. Other nodes are Memory, Disk 0, Disk 1, Disk 2, Ethernet, Ethernet, and GPU.

FIGURE 4-47 The Performance tab in Task Manager

At the bottom of the Performance tab is an Open Resource Monitor link to the management console.

Monitor performance using Resource Monitor

Resource Monitor displays more information and activity statistics relating to your system resources in real time. It is similar to Task Manager, but it also enables you to dive deeper into the actual processes and see how they affect the performance of your CPU, disk, network, and memory subcomponents.

Open Resource Monitor by using the link on the Performance tab of Task Manager or search for Resource using the Start button. The executable for Resource Monitor is Resmon.exe, which you can run from a Run dialog box or a Command Prompt.

When you open Resource Monitor, you see an overview of your system, with graphs for each area of the system subcomponent. Four further tabs are available: CPU, Disk, Network, and Memory. The statistics tracked on the Overview tab include the following:

  • % CPU Usage

  • CPU Maximum Frequency

  • Disk I/O Bytes Per Second

  • Disk % Highest Active Time

  • Network I/O Bytes Per Second

  • % Network Utilization

  • Memory Hard Faults Per Second

  • % Physical Memory Used

Review each tab; each subcomponent offers additional components, as displayed in Table 4-11.

TABLE 4-11 Resource Monitor components

System Component

Additional subcomponents




Associated Handles

Associated Modules



Physical Memory


Processes With Disk Activity

Disk Activity



Processes With Network Activity

Network Activity

TCP Connections

Listening Ports

In each data collector, you can sort the output by selecting the column title. If you select one or more processes in the topmost section, selecting the check box on the left side creates a filter for the items across all four tabs. The selected item is highlighted in orange so that you can see how the item compares to the overall output, as displayed in Figure 4-48.

A screenshot shows the CPU tab in Resource Monitor. The administrator has selected the vmmem.exe application. Highlighted in orange in the rightmost display is the CPU usage of that specific app.

FIGURE 4-48 Resource Monitor CPU view

Resource Monitor is useful for troubleshooting performance issues that relate to high resource usage and you need to establish which process is using a more than normal amount of resources such as memory.

For more advanced analysis, you can right-click any column and choose additional columns by choosing Select Columns. Each tab has associated columns; the CPU panel offers the following additional columns:

  • Average Cycle Average percentage of CPU cycle time for the process (over a 60-second interval).

  • Cycle Current percentage of CPU cycle time the process is using.

  • Elevated The elevation status of the process. (If this is Yes, it is an elevated process.)

  • Operating System Context The operating system context in which the process is running.

  • Platform The platform architecture that the process is running.

  • User Name The name of the user or service that is running the process.

If you want to freeze the screen so that you can analyze the display or capture an image, you can select Monitor and then select Stop Monitoring.

Monitor performance using Performance Monitor and Data Collector Sets

You can use the Performance Monitor Microsoft Management Console (MMC) snap-in to monitor and track your device for the default set of performance parameters or a custom set you select for display. These performance parameters are referred to as counters. Performance Monitor graphically displays statistics and offers real-time monitoring and recording capabilities. By default, the update interval for the capture is set to one second, but this is configurable.

You can use Performance Monitor to record performance information in a log file so that it can be played back and used as part of your overall benchmarking process on a system being tested, or when collecting information to help you troubleshoot an issue. You can also create alerts that notify you when a specific performance criterion, such as a threshold or limit, has been met or exceeded.

The easiest way to learn how to use Performance Monitor is to run one of the two built-in collector sets and review the results:

  • System Diagnostics Data Collector Set collects the status of local hardware resources and configuration data, together with data from the System Information tool.

  • System Performance Data Collector Set reports the status of local hardware resources, system response times, and processes.

Run the Performance Monitor data collector

To run the System Performance data collector and view the report, follow these steps:

  1. Select Start, enter Performance, and then select Performance Monitor in Control Panel.

  2. In the navigation pane, select Data Collector SetsSystem and select System Performance.

  3. On the toolbar, select the Run icon (green triangle). The collector runs for 60 seconds and then stops.

  4. After the collector has stopped, in the navigation pane, select Reports and expand System.

  5. Select the chevron arrow next to System Performance and then select the Report icon related to the collector you just ran. The latest report should be listed at the bottom. The System Performance Report appears in the results pane.

  6. Review the System Performance Report and then close Performance Monitor.

When you review the report, as displayed in Figure 4-49, you can see how extensive and detailed the monitoring is. The report is saved and can be printed and refreshed to provide an up-to-date report, which you can compare to other reports.

A screenshot shows the graphical output of a report gathered from a data collector set in Performance Monitor.

FIGURE 4-49 Viewing a report in Performance Monitor’s reporting node

The diagnostic or performance-monitoring data collector sets are useful when identifying the cause of performance deterioration, which might be a warning sign of potentially malfunction or failing hardware.

You can manually configure Performance Monitor to report on one or many parameters you select for display. You choose the counters that relate to the hardware and software installed on your system. If you add new hardware, such as a new network card, Performance Monitor updates the set of performance counters for the new resource.

Use Performance Monitor

To use Performance Monitor, you start with a blank canvas and add items that you want to monitor. There are three components that you can add as follows:

  • Performance objects These relate to any system component that enables monitoring, such as

    • Physical The memory, the processor, or the paging file

    • Logical component For example, a logical disk or print queue

    • Software For example, a process or a thread

  • Performance object instances These represent single occurrences of performance objects. You can choose individual instances, or you can track all instances of an object.

  • Performance counters These are the measurable properties of performance objects, such as the % Processor Time for the processor, as displayed in Figure 4-50.

A screenshot shows the administrator adding the % Processor Time counter to a Performance Monitor dataset. The Add Counters dialog box overlays the Performance Monitor window.

FIGURE 4-50 Adding objects and counters to Performance Monitor

After you have selected some counters, a moving graphical display shows the activity relating to the counters you selected. You can locate the color of the line from the key at the base of the graph and hide/show any counter by clearing the check box at the left of the counter.

A selection of the most common performance objects that you may want to monitor are summarized in Table 4-12.

TABLE 4-12 Commonly tracked performance objects

Performance Object



Monitors memory performance for system cache, physical memory, and virtual memory


Monitors IPv4 communications


Monitors the logical volumes on a computer

Network Interface

Monitors the network adapters on the computer


Monitors hard disk read/write activity and data transfers, hard faults, and soft faults

Print Queue

Monitors print jobs, spooling, and print queue activity


Monitors processor idle time, idle states, usage, deferred procedure calls, and interrupts

Because the monitoring is performed in real time, the effect of monitoring many counters can have an impact on the host system performance, which could distort the usefulness of the performance information. Therefore, you should test the number of counters and the frequency of data collection and witness the impact. To add new values to the Performance Monitor chart, follow these steps:

  1. Select Start, and enter perfmon. Performance Monitor opens.

  2. Select the Performance Monitor node in the left pane. The default counter for % Processor Time appears.

  3. On the toolbar, select the plus (+) symbol to add an additional counter.

  4. In the Available Counters area, expand PhysicalDisk, and select % Idle Time.

  5. In the Instances Of Selected Object box, select 0 C:, select Add, and select OK.

  6. Right-click % Idle Time and then select Properties.

  7. In the Color box, select blue, and then select OK. Leave Performance Monitor open.

To create a new data collector set based on a template, in Performance Monitor follow these steps:

  1. In the left pane, expand Data Collector Sets and then select User Defined.

  2. Right-click User Defined, select New, and then select Data Collector Set.

  3. On the Create new Data Collector Set page, enter Disk Activity in the Name box, and then select Next.

  4. In the Template Data Collector Set box, select Basic and select Next.

  5. Select Next to accept the default storage location.

  6. Select Open properties for this data cllector set and select Finish. The Disk Activity Properties dialog box appears; it has six tabs.

  7. Review the General, Directory, Security, Schedule, Stop Condition, and Task tabs and select OK.

  8. In the right pane, double-click Disk Activity. Three types of logs are displayed:

    • Performance Counter Collects data that is viewable in Performance Monitor

    • Configuration Records changes to registry keys

    • Kernel Trace Collects detailed information about system events and activities

  9. Double-click Performance Counter.

  10. Select the Processor Counter and select Remove.

  11. Select Add and then select PhysicalDisk in Available counters.

  12. Select Add and then select OK.

  13. In the navigation pane, right-click Disk Activity and then select Start.

  14. On the Disk Activity node, a small play icon appears for 60 seconds.

  15. When Data Collector Set has stopped recording, right-click Disk Activity and then select Latest Report.

  16. Review the report, which shows the data that the data collector set collected.

  17. Close Performance Monitor.

Monitor system resources

Every computer system has a performance threshold that, if pushed beyond this level, will cause the system to struggle to perform optimally. If you overload the system, it eventually slows down as it attempts to service each demand with the available resources. Most systems include a capable processor and sufficient amount of RAM for everyday or general needs. Memory is automatically reclaimed from apps that are closed. However, when apps or web browser tabs are left open, and more apps are then opened, the overall ability for the system to perform is degraded.

Understand baseline performance vs. real-time monitoring

You have learned that with tools such as Performance Monitor, Resource Monitor, and Task Manager you can monitor your system activity and understand how demands on processor, RAM, networking, and disks affect your computer system. Real-time monitoring information is useful for instant diagnosis. Also, creating a baseline for your computer’s performance can generate a system-specific report that can show what your performance statistics look like during normal or heavy use.

If you intend to deliver a device to a user who will use the device extensively for system-intensive tasks, such as video editing or computer-aided design, it might be useful to create a performance baseline for the device so that you can establish how the system performs normally and when under heavy load. This information will be useful to confirm that the device specification is suitable for the user. Also, it will be helpful if the user reports performance issues because you can run another performance baseline and compare the two baselines to evaluate whether the system environment has changed. For example, perhaps the user now regularly multitasks with new apps on the system that use additional memory.

In this scenario, when an issue or symptom occurs, you can compare your baseline statistics to your real-time statistics and identify differences between the two instances. When you can diagnose the issue, you can recommend a solution, such as to add memory.

The most appropriate tool to record a baseline in Windows 10 is Performance Monitor; it will help you review and report on the following areas in your system:

  • Evaluate your system workload

  • Monitor system resources

  • Notice changes and trends in resource use

  • Help diagnose problems

Create a performance baseline

To create a performance baseline that monitors key system components you can use to measure against a future performance baseline, follow these steps:

  1. Select Start, then enter perfmon. Performance Monitor opens.

  2. Select the Data Collector Sets node in the navigation pane.

  3. Select User Defined, right-click User Defined, select New, and then select Data Collector Set.

  4. In the Create new Data Collector Set Wizard, on the How would you like to create this new data collector set? page, in the Name box, enter Initial PC Baseline.

  5. Select Create manually (Advanced) and then select Next.

  6. On the What type of data do you want to include? page, select the Performance counter check box and then select Next.

  7. On the Which performance counters would you like to log? page, in the Sample interval box, enter 1 and then select Add.

  8. Include the following counters:

    • Memory > Pages/Sec

    • Network Interface > Packets/Sec

    • PhysicalDisk > % Disk Time

    • PhysicalDisk > Avg. Disk Queue Length

    • Processor > % Processor Time

    • System > Processor Queue Length

  9. Select OK and then select Finish.

  10. Right-click Initial PC Baseline and then select Start.

  11. Simulate load on the system by starting several programs, including Microsoft Edge, Word 2019, Microsoft Excel 2019, and Microsoft PowerPoint 2019.

  12. Close all Microsoft Office apps, close Microsoft Edge, and stop the Initial PC Baseline data collector set.

  13. To view the baseline report, in Performance Monitor, expand the ReportsUser Defined nodeInitial PC Baseline and select the report to open it.

  14. Print the report or view the report and record the values for the following counters:

    • Memory > Pages/sec

    • Network Interface > Packets/Sec

    • PhysicalDisk > % Disk Time

    • PhysicalDisk > Avg. Disk Queue Length

    • Processor > % Processor Time

    • System > Processor Queue Length

Troubleshoot performance issues

In normal operating conditions, the majority of users rarely experience performance issues with their devices after they have been configured with the necessary security, antimalware, productivity, and specialist software. Out of the box, Windows 10 is optimized for general user environments.

Over time, the device might gradually seem to become slower. If the user notices this decreased system performance, they might request help from the help desk.

You can avoid some performance degradation by performing regular maintenance, such as using the Disk Cleanup utility to remove temporary or unwanted files. Windows 10 does a good job at self-healing and maintaining the system and schedules many maintenance tasks to run automatically for you.

If poor performance occurs, investigate and troubleshoot the reason to establish whether there is a bottleneck—perhaps a memory-hungry app, multiple startup programs, or even malware. Another gradual but common occurrence is when a system runs out of disk space, especially because the majority of devices are now using solid-state drives (SSDs) that are typically smaller-capacity drives.

When looking at the factors that might influence your PC, consider some of the following:

  • Windows 10 architecture: x86 or x64

  • Processor speed, processor quantity, onboard cache memory, and cores

  • Physical hard disks input/output speed, buffer size, and defragmentation state

  • Memory: capacity, speed, and type

  • Graphics card: throughput, memory, onboard processing speed, quantity, and drivers

  • Network interface throughput, onboard processing capability, quantity, and drivers

  • Application number, type, available optimizations, and architecture

  • System, peripheral, and application drivers

Understand how system bottlenecks can occur, how to diagnose a system that is suffering from a performance bottleneck, and how to respond and recover from the problem. Some common performance bottlenecks that are useful to know about when troubleshooting are shown in Table 4-13.

TABLE 4-13 Performance bottlenecks

Performance Counter


LogicalDisk\% Free Space

If this is less than 15 percent, you risk running out of free space for Windows 10 to use to store critical files.

PhysicalDisk\% Idle Time

If this is less than 20 percent, the disk system is overloaded. Consider replacing with a faster disk.

PhysicalDiskAvg. Disk Sec/Read

If the number is larger than 25 milliseconds (ms), the disk system is experiencing read latency; suspect drive failure (or a very slow and/or old disk).

PhysicalDiskAvg. Disk Sec/Write

If the number is larger than 25 milliseconds (ms), the disk system is experiencing write latency; suspect drive failure (or a very slow and/or old disk).

PhysicalDiskAvg. Disk Queue Length

If the value is larger than two times the number of drive spindles, the disk might be the bottleneck.

Memory\% Committed Bytes in Use

If the value is greater than 80 percent, it indicates insufficient memory.

MemoryAvailable Mbytes

If this value is less than 5 percent of the total physical RAM, there is insufficient memory, which can increase paging activity.

Processor\% Processor Time

If the percentage is greater than 85 percent, the processor is overwhelmed, and the PC might require a faster processor.

SystemProcessor Queue Length

If the value is more than twice the number of CPUs for an extended period, you should consider a more powerful processor.

Network InterfaceOutput Queue Length

There is network saturation if the value is more than 2. Consider a faster or additional network interface.

Manage Windows 10 environment

In this section, you will learn how to manage printers, control and configure indexing, evaluate system stability, and configure and manage services.

Monitor and manage printers

Windows 10 provides additional options for you to manage your printing compared to previous versions of Windows. A new Print Management desktop app and the new Printers & Scanners options in the Settings app provide basic printer management such as Add, Remove, and Set As Default Printer.

You still have previous printer tools in the Devices And Printers section of Control Panel or from the link at the bottom of the Printers & Scanners options in the Settings app. The Devices And Printers Control Panel item is the same interface as in previous versions of Windows.

Manage printers by using Print Management

A new Print Management console is available for you to manage your device printers from a single management console. Print devices connected to your PC can be shared, and you can manage the properties of the device. The Print Management MMC, as displayed in Figure 4-51, is included in the Administrative Tools of Windows 10 Pro and Enterprise editions, and it lists all printers, drivers, and other print servers that you are connected to.

A screenshot shows the Print Management console in Windows 10. Eleven printers are listed.

FIGURE 4-51 Managing printers

You can also access the Print Management console by selecting Start and entering Printmanagement.msc.

The Print Management console offers you a single location to perform the following printer-related management tasks:

  • Add and delete print devices

  • View printers and print servers

  • Add and remove print servers

  • Add and manage print drivers

  • Deploy printers using Group Policy

  • Open and manage printer queues

  • View and modify status of printers

  • Use the filter feature to view printers based on filters

If you right-click a printer, you are presented with a list of action items that can be performed on the selected printer. These can include the following tasks:

  • Open Printer Queue

  • Pause Printing

  • List In Directory

  • Deploy With Group Policy

  • Set Printing Defaults

  • Manage Sharing

  • Print Test Page

  • Enable Branch Office Direct Printing

  • Properties

  • Delete

  • Rename

  • Help

Note Remote Printers

You can use the Print Management console to manage both local and remote printers. Devices And Printers in Control Panel can only manage locally connected printers.

Manage printers by using Windows PowerShell

You can use more than 20 Windows PowerShell cmdlets to manage printers. Some of the most common cmdlets are shown in Table 4-14.

TABLE 4-14 Windows PowerShell printer cmdlets




Adds a printer to the specified computer


Installs a printer driver on the specified computer


Installs a printer port on the specified computer


Gets the configuration information of a printer


Retrieves a list of printers installed on a computer


Retrieves the list of printer drivers installed on the specified computer


Retrieves a list of printer ports installed on the specified computer


Retrieves printer properties for the specified printer


Removes a printer from the specified computer


Deletes printer drivers from the specified computer


Removes a print job on the specified printer


Renames the specified printer


Restarts a print job on the specified printer


Resumes a suspended print job


Sets the configuration information for the specified printer


Updates the configuration of an existing printer


Modifies the printer properties for the specified printer

To list all the available cmdlets, run the following command in a Windows PowerShell window:

Get-Command -Module PrintManagement
Configure indexing options

To maintain the performance of Windows 10 search, the system automatically indexes data on your computer in the background. This data includes user-generated files, folders, and documents. Most users will never modify the default indexing settings, but you can add new areas to be indexed and exclude others. Common locations include your user profile areas and app data that you access frequently, such as Office apps.

If you store a lot of data in a storage space or a removable drive, you can add this location to Indexing Options to significantly speed up the performance of future searches in this location.

To view your existing indexing locations, select Start and enter Index and then select Indexing Options in Control Panel to open the Indexing Options dialog box shown in Figure 4-52.

A screenshot shows the Indexing Options dialog box.

FIGURE 4-52 Indexing Options

You can use the Modify button to add or remove locations. In the Indexed Locations dialog box, you see the summary of locations. If you select Show All Locations, Windows 10 displays all the hidden locations, and this enables you to fine-tune the indexing to specific subfolders, if necessary. To select the Downloads and Documents folders in your profile, select the arrow next to the Users folder and then locate and select Downloads and Documents in your user profile.

After you apply changes to indexing, the indexing process doesn’t happen immediately; rather, it runs as a background task whenever your machine is running but not being used. While the indexing process is incomplete, the message in the dialog box indicates that Indexing Speed Is Reduced Due To User Activity. When the process has finished, the message states Indexing Complete.

Be careful not to index everything on your disk. A large index can affect the search performance negatively.

In the Indexing Options dialog box, the Advanced button enables you to configure Index Settings and specify File Types to be excluded. You can include or exclude encrypted files, treat similar words as different words, delete and rebuild the index (useful if you suspect search is not working), and change the index location from the default C:ProgramDataMicrosoft.

On the File Types tab, you can exclude file types from the index and configure whether the index searches in the file contents or just in the file properties. You can also manually add new file types that have not been automatically included to index.

Evaluate system stability by using Reliability Monitor

Members of the desktop support team often report that it is difficult to ascertain the precise nature of calls that relate to poor performance or system instability. Reliability Monitor is an excellent tool for these situations because it enables you to review a computer’s reliability and problem history and offers both the help desk and you the ability to explore the detailed reports and recommendations that can help you identify and resolve reliability issues. Changes to the system such as software and driver installations are recorded, and changes in system stability are then linked to changes in the system configuration.

To open Reliability Monitor, select Start and enter reliability. Then, select View Reliability History in Control Panel, or enter perfmon /rel at a Command Prompt. The tool displays a summary of the reliability history for your system, as displayed in Figure 4-53.

A screenshot shows Reliability Monitor. The last couple of weeks' data is displayed. The selected day has a number of critical issues, including an application failure.

FIGURE 4-53 Reliability Monitor

The top half of the Reliability Monitor screen shows a line graph with a scale of 1 to 10 and a date timeline along the bottom axis. You can toggle the view from weeks to days. The graph rises and sinks over time, and at the low points are colored markers in red, blue, or yellow. Below the graph are the details that relate to system configuration changes, such as software and driver installations. When system changes result in a negative system stability, such as an app crashing or a service stopping, there might be a relationship between the two, and these relationships can be further explored. The graph gradually reaches the maximum level of 10 if the system does not experience negative system stability over a prolonged period.

Reliability Monitor is enabled by default in Windows 10. Reliability Monitor requires the Microsoft Reliability Analysis task, RacTask, to process system reliability data, which is a background process that collects reliability data. RacTask can be found in the Task Scheduler library under the MicrosoftWindowsRAC node.

The Reliability Monitor main features include:

  • System stability chart Provides a summary of annual system stability in daily/weekly increments. The chart indicates three levels of stability data: information, warning messages, and critical errors.

  • Records key events in a timeline Tracks events about the system configuration, such as the installation of new apps, operating system patches, and drivers.

  • Installation and failure reports Provides information about each event shown in the chart, including:

    • Software Installs/Software Uninstalls

    • App Failures

    • Hardware & Driver Failures

    • Windows Operating System Failures

    • Miscellaneous Failures

Because the tool offers a rolling view of reliability history, you can retain a copy of a point-in-time report. Select the Save Reliability History link to save complete details at periodic time points, such as annually. System builders and repair shops often use the report to demonstrate computer stability for future reference.

At the bottom of the Reliability Monitor screen are two additional links that list all computer problems and attempt to locate problem solutions from the internet. The Problem Reports And Solutions tool helps you track problems that are reported and checks for all available solution information to problems.

Configure and manage services

A service can best be described as a software component that interacts at one level with device drivers and, at another level, with app-level components. In a sense, services sit between apps and hardware devices and are considered a core part of the operating system, controlling user requests, through apps, to hardware resources.

These operating system services provide discrete functions in Windows 10 and require no user interaction. You can manage services in a number of ways, including from the Command Prompt, by using Windows PowerShell, and by using the management console.

Using the Services management console snap-in

The most straightforward way to manage services is to use the Services management console snap-in, as displayed in Figure 4-54.

A screenshot shows the Services management console. A list of services is displayed alphabetically.

FIGURE 4-54 Managing services

You can use this console to review and manage services in the operating system. For example, to manage the status of a service (assuming it is not running), right-click the service and then select Start. If you want to stop or restart a running service, right-click the running service and then select either Stop or Restart.

You can also manage the settings of a service by double-clicking the desired service. In the Properties dialog box for the named service, as displayed in Figure 4-55, you can then configure the properties shown in Table 4-15.

A screenshot shows the properties of the BranchCache service. The General tab is selected. Other tabs visible are Log On, Recovery, and Dependencies.

FIGURE 4-55 Managing a specific service

Table 4-15 Configurable options for a Windows 10 service


Options and explanation


  • Service name. You cannot change this value, but it is useful to know what name Windows assigns to the service so that you can reference it when using a command-line tool or Windows PowerShell.

  • Startup type: Disabled, Manual, Automatic, Automatic (Delayed Start). This option enables you to determine the startup behavior of the service.

  • Start parameters. You can add properties to configure the service behavior when it starts.

Log On

Log on as Local System Account or This Account. Some services run in the context of the Local System Account. Others must be configured to use a specific, named account (for example, when communicating across the network with another service). You can create special local user accounts for the purpose of running services. When you define a specific user account and change the user password, you must update the password information on the Log On tab for the services that use that account.


You can configure what happens when a service fails to start or crashes. Specifically, you can configure Windows 10 to attempt a restart of a service if it fails to start on the first attempt. On second attempts, you can choose another option, such as Restart The Computer. Available options for failures are Take No Action, Restart The Service, Run A Program, and Restart The Computer.

If you select Run A Program, you can configure additional options for the path and name of the program, plus any runtime switches you want to apply.


Some services depend on other services, or groups of services, to run. In this way, Windows 10 can start efficiently by making sure only the required services are in memory. You cannot make changes on this tab, but it is informative to know whether a service has dependencies, especially when a service is failing to start properly.

Using command-line tools

You can also use the command line to investigate and troubleshoot service startup. Table 4-16 describes some of the more common command-line tools you can use to work with services. To use these commands, open an elevated Command Prompt.

TABLE 4-16 Managing services from the command line



Net start

When used without arguments, lists the running services. When used with the name of a service, the service, if not running, is started. For example, net start workstation starts the Windows workstation service.

Net stop

Must be used with the name of a running service. For example, net stop workstation will stop the Windows workstation service.

Sc query

Displays a list of services.

Sc stop

Enables you to stop a named service. For example, to stop the spooler service, run:

Sc stop spooler

Sc start

Enables you to start a named service. For example, to start the spooler service, run:

Sc start spooler

You can also use Windows PowerShell to manage services. This is particularly useful because you can use Windows PowerShell to administer other computers remotely, including their services. In addition, you can script Windows PowerShell cmdlets, enabling you to store common administrative tasks for future use. Table 4-17 describes the cmdlets you can use to manage services in Windows 10. Open an elevated Windows PowerShell window to use these cmdlets.

TABLE 4-17 Managing services with Windows PowerShell




Lists available services. To get a list of running services, use the following cmdlet:

Get-Service | Where-Object {$_.status -eq "running"}


Enables you to stop the named service(s). For example:

Stop-service - name spooler


Enables you to start the named service(s). For example:

Start-service - name spooler


Enables you to stop and start the named service(s). For example:

Restart-service - name spooler


Enables you to reconfigure the startup and other properties of the named service. For example, to change the display name of the Workstation service, use the following cmdlet:

set-service -name lanmanworkstation -DisplayName "LanMan Workstation"

Use the System Configuration tool

If you are experiencing problems with starting your Windows 10 device and you suspect a service might be the cause of the problem, you can control which services start when you start your computer by using Safe Mode. This reduces the set of services that start to the minimum required to run Windows.

You can force your computer into Safe Mode during startup or use the System Configuration tool, Msconfig.exe. To access the System Configuration tool, run msconfig.exe. You can then configure your computer’s startup behavior. Configurable options are described in Table 4-18.

TABLE 4-18 System configuration options


Options and Explanation


  • Select Normal Startup to configure normal operations on your computer.

  • Choose Diagnostic Startup to load a minimal set of devices and services.

  • Choose Selective Startup to be more selective about what is initialized during startup.


  • You can enable Safe Mode by selecting Safe Boot. Then you can choose additional options: Minimal, Alternate Shell, and Network. You can also start without the GUI, enable a boot log, and configure startup to use a base video driver and configuration.

  • The Advanced Options button enables you to restrict Windows to using fewer logical processors and a reduced amount of memory. These options are useful for re-creating a computer configuration in which a specific problem was experienced.

  • If multiple operating systems are installed on your computer, they are listed on this tab, enabling you to select between the available operating systems.

  • You can choose to make your boot selections permanent, but you should exercise caution with this option in case the settings you have selected are inappropriate.


The Services tab displays the available operating system services and enables you to configure their startup behavior. For example, you can disable any services that you suspect might be causing issues with your computer. To disable a service, clear the check box next to its name.


The Startup tab enables you to access the Startup tab in Task Manager to control the startup behavior of apps.


The Tools tab provides a consolidated list of available system tools, including:

Change UAC Settings, System Properties, Computer Management, Device Manager, and the Registry Editor.

Configure local registry

All settings within Windows 10 are ultimately stored in the Windows Registry. This is a database that contains details of all Windows settings, installed software, device drivers, and much more. Without the registry, Windows would not work.

Every reference to working the registry always stipulates that you should take great care when working with or editing the registry. An incorrect registry change can prevent your system from booting and can result in you having to completely reinstall the operating system. You should always take care and create a system backup before editing the registry.

Understanding the registry structure

The registry is a database that is split into multiple separate files known as hives, together with associated log and other support files.

You can find the registry files in %systemroot%System32Config, though you will need to be an administrator to access this folder. Within this system folder, you should find several binary format “files” that the registry uses:

  • SAM (Security Accounts Manager used to store local passwords)





  • USERDIFF (used only for Windows upgrades)

In addition to the system files, the user-specific settings are stored within the user profile and are loaded into system memory when a user signs in. These registry files are located in the following locations:

  • %userprofile% tuser.dat

  • %userprofile%AppDataLocalMicrosoftWindowsUsrClass.dat

Other notable registry files include the Boot Configuration Data (BCD) store, which stores its own file on the boot drive. The local services are located in %SystemRoot% ServiceProfilesLocalService and network services are stored in %SystemRoot%ServiceProfilesNetworkService.

The vast majority of changes to the hive files are made automatically by Windows whenever you install an application or change a setting or configuration by using the Settings app or Control Panel.

The main hives, or subtrees, which store settings for Windows 10 are shown in Table 4-19.

TABLE 4-19 Registry hives




This hive relates to file association information relating to applications installed in the device. For example, it defines that the application for DOCX files is Microsoft Word. This hive contains application information derived from the settings that are stored in the HKEY_LOCAL_MACHINESoftwareClasses and HKEY_ CURRENT_USERSoftwareClasses hives.


This hive contains information for the signed-in user. Personalized settings such as background image, Windows color scheme, and font settings are stored in this hive.


This hive stores computer-related configuration settings.


This hive contains user-related configuration settings for all users who have signed in locally to the computer, including the currently signed-in user. The HKEY_CURRENT_USER hive is a subkey of HKEY_USERS. Edits to this hive will affect the user settings for the currently signed-in user.


This hive contains current hardware profile information for the local computer.

Should you need to make a manual change, create a new entry, or modify an existing registry entry, these changes will typically take place in the following two hives:



The primary tool for managing and editing the registry is the built-in registry editor.

Within the hives, settings containing values are stored in subtrees, keys, and subkeys. The hierarchical nature of the registry makes it easy to locate a registry value. An example of a key, subkeys, and value would be

ComputerHKEY_CURRENT_USERControl PanelMouse

This key holds many subkeys, which Windows uses to store settings for the mouse.

The mouse settings can be modified in the registry, as displayed in Figure 4-56, or by using the Mouse item in Control Panel. If you enable mouse pointer trails in Control Panel, the registry subkey for MouseTrails is modified to have a value of 7.

A screenshot displays the local registry. The administrator has selected the Group value in the ComputerHKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesatapi path.

FIGURE 4-56 Registry keys

Values are stored within each key and subkey that are used to configure the operating system. There are several value types that are used to store information such as numerical data, text, and variables like file paths. Often a value is empty or not defined, as displayed in the (Default) subkey in Figure 4-56. Table 4-20 lists common types of registry values.

TABLE 4-20 Registry value types

Value Type

Data Type




Raw binary data. Values are normally displayed in hexadecimal format. Hardware information is often stored in these values.



4-byte numbers (a 32-bit integer). Device-driver and service-related values are stored in these values.



A fixed-length text string. Most of the values listed in the HKEY_CURRENT_USERControl PanelMouse keys are REG_SZ values.


Expandable string

A variable length text string. Windows uses REG_EXPAND_SZ values to contain variables, such as file system paths.


Multiple strings

Multiple string values. These values are typically used when multiple values are required.

Understanding the Registry Editor

The built-in Registry Editor (Regedit.exe) allows you to view, search, and modify the registry’s contents. Some common tasks that administrators can perform using the Registry Editor tool are as follows:

  • Search the registry for a value, value name, subkey, or key

  • Create, delete, and modify keys, subkeys, and values

  • Import entries into the registry from an external (REG) file

  • Export entries from the registry into an external (REG) file

  • Back up the entire registry

  • Manage the HKEY_LOCAL_MACHINE and HKEY_USERS registry hives on a remote computer

You can also import registry keys and values directly into the registry by using a text file with the .reg extension.

All REG files will use the following syntax for Registry Editor to understand them:

Windows Registry Editor Version 5.00
[<Hive name><Key name><Subkey name>]
"Value name"=<Value type>:<Value data>

Because REG files are associated with the registry, executing a REG file will merge it with—or import it to—the local Windows Registry. The contents of the REG file will add, delete, or modify one or more keys or values in the registry. Depending on the changes contained within the REG file, you may need to restart your computer after the changes have been made.

You can also use the import option on the File menu in the Registry Editor to import the settings, or you can use the command line with a script similar to the following example:

regedit /s C:\Registry\regsetting.reg > nul
Using PowerShell to manage registry settings

The registry can be accessed directly using Windows PowerShell. The registry provider within PowerShell presents the registry like a file system, displaying the keys and subkeys as subfolders within a registry hive.

Windows PowerShell uses the abbreviated form of the hive nomenclature, where the HKEY_LOCAL_MACHINE hive becomes HKLM and HKEY_LOCAL_USER becomes HKLU.

To view the registry using Windows PowerShell, open an elevated Windows PowerShell Command Prompt and then enter the following, pressing Enter after each line:

Get-ChildItem -Path hklm:

You can also obtain a richer output by running this PowerShell command:

Get-Childitem -ErrorAction SilentlyContinue | Format-Table Name, SubKeyCount,
ValueCount -AutoSize

To create a new registry key, you can first use the Set-Location cmdlet to change to the appropriate registry subtree and key as shown here:

Set-Location "HKCU:Software"

Alternatively, you can use the full path to the registry key in the cmdlet as follows:

New-Item -Path HKCU:Software -Name "Demonstration" –Force

Use the following cmdlet to assign the new registry key a value of “demo”:

Set-Item -Path HKCU:SoftwareDemonstration -Value "demo"

To validate that the key value has been stored correctly, view the key in the registry, or enter:

Get-Item -Path HKCU:SoftwareDemonstration

Schedule tasks

You have already learned that you can use Task Scheduler, displayed in Figure 4-57, in Windows to manage backup operations as well as to control the schedule for the automatic creation of system restore points. Let’s examine Task Scheduler in more detail.

A screenshot displays the Windows 10 Task Scheduler.

FIGURE 4-57 The Windows 10 Task Scheduler

You can locate Task Scheduler by selecting Start, and then scrolling to Windows Adminstrative Tools. Then select Task Scheduler.

To review an existing scheduled task, use the following procedure:

  1. In Task Scheduler, in the navigation pane, expand Task Scheduler Library, expand Microsoft, and expand Windows. Most operating system tasks can be scheduled here.

  2. Navigate to the appropriate service. For example, to review the System Restore task schedule, navigate to SystemRestore.

  3. Double-click the SR task in the middle pane.

  4. In the SR Properties (Local Computer) dialog box, select the Triggers tab.

  5. On the Triggers tab, select New.

  6. In the New Trigger dialog box, configure the schedule that you require. For example, you can configure Windows to create a daily System Restore point at noon, as displayed in Figure 4-58.

    A screenshot displays the New Trigger dialog box.

    FIGURE 4-58 Configuring a trigger for a task

  7. Ensure that the Enabled check box is selected and select OK.

  8. On the Triggers tab, select OK. In the Task Scheduler MMC, the trigger is now displayed and enabled.

Skill 4.4: Configure remote connectivity

When you have a large number of computers to manage, or a workforce that uses their devices in a number of locations, you must know how to manage those computers by using remote management tools.

Manage Windows remotely by using Windows Remote Management

Windows 10 provides a number of tools that you can use to manage your organization’s computers remotely. These include Remote Assistance, Remote Desktop, Windows PowerShell remoting, and many management console snap-ins. Knowing which tools support a given situation helps you address your users’ needs more quickly.

Remote management tools in Windows 10

You can use a variety of tools to manage Windows 10 devices remotely. Table 4-21 shows the available remote management tools in Windows 10.

TABLE 4-21 Windows 10 remote management tools



Remote Assistance

A built-in tool that provides for interaction with the remote user. By using Remote Assistance, you can view or take remote control of the user’s computer and perform remote management. You can also use a text-based chat facility to interact with the user.

Quick Assist

A built-in Microsoft Store app that enables you to offer or receive assistance quickly. As with Remote Assistance, you can view or take remote control of the user’s computer and perform remote management. To initiate a session, participants exchange a six-digit security code.

Remote Desktop

A built-in tool that you can use to access a computer remotely over the Remote Desktop Protocol (RDP). In the past, users often accessed their computers from other locations by using Remote Desktop. Security concerns and the adoption of mobile devices have made this a less common use of this tool. However, you can also use Remote Desktop to manage a remote computer. It does not provide for user interaction and requires the computer’s user to sign out before you can access the computer remotely.

Windows PowerShell

Windows PowerShell is a powerful command-line management tool and scripting environment. You can use it to perform virtually any management function in Windows 10. You can also use Windows PowerShell to manage remote computers. This is known as Windows PowerShell remoting.

Microsoft Management Console

Microsoft Management Console (MMC) is an extensible interface for management applications in both Windows clients and Windows Server. To perform management by using MMC, a specific tool for the management task, known as a snap-in, is loaded into the console. For example, to perform management of disks and attached storage, you add the Disk Management snap-in to MMC. You can use MMC snap-ins to manage Windows 10 devices remotely by targeting the remote computer from the MMC interface.

Selecting the appropriate remote management tool

Given that a variety of tools are available, it is important to know which one to use in a given situation. When considering the appropriate tool, use the guidance in Table 4-22 to help you make your choice.

TABLE 4-22 Selecting the appropriate Windows 10 remote management tool



User requires help and guidance. For example, you must help the user perform a specific task in an application such as printing, using the appropriate settings.

Remote Assistance or Quick Assist

You must perform a single remote management task on a single computer and require no user interaction.

Remote Desktop or MMC

You must perform the same management task on several or many remote computers.

Windows PowerShell

You must perform a remote management task that you have performed many times in the past and expect to perform again in the future.

Windows PowerShell

You are unsure of the nature of a problem a user is experiencing on their computer and wish to investigate computer settings.

Remote Desktop

You want to be able to perform the same management task, using the same management tool on any computer.


As you can see from Table 4-22, you can sometimes use several methods to address a specific remote management scenario. It is therefore a question of choosing the most appropriate method. Generally, if you know you will be required to perform the same management task again, on the same or a different computer, it is worth considering Windows PowerShell remoting. If you need to provide user interaction, choose Remote Assistance or Quick Assist. After that, it’s probably a personal preference of whether you use an MMC snap-in remotely or Remote Desktop.

Enabling remote management settings

Depending on the remote management tool you have decided to use, it is almost certain that you must configure the target computer (the one you wish to manage) and possibly the local management computer (the one you are using) to enable the selected remote management tool. For example, it is common to have to enable the appropriate feature through Windows Defender Firewall to allow for management of a remote Windows 10–based device.

Configuring Windows Defender Firewall to enable remote management

To enable remote management through Windows Defender Firewall on a target computer, open Control Panel and complete the following procedure:

  1. Right-click the network symbol on the taskbar, and then select Open Network & Internet Settings.

  2. In Settings, select Windows Firewall.

  3. In the Windows Security app, select Allow an app through the firewall.

  4. In Allowed apps dialog box, select Change settings.

  5. In the Allowed apps and features list, scroll down and select the appropriate management feature.

    For example, as displayed in Figure 4-59, we selected Remote Assistance. This enables the selected management feature on the private network location profile. If you also wish to allow the remote management feature on public networks, select the Public check box.

    A screenshot displays the Allowed Apps dialog box. The administrator has selected the Remote Assistance check box for the private network interface.

    FIGURE 4-59 Allowing Remote Assistance through Windows Defender Firewall

  6. Select OK. The available remote management features are:

    • Remote Assistance

    • Remote Desktop

    • Remote Event Log Management

    • Remote Event Monitor

    • Remote Scheduled Tasks Management

    • Remote Service Management

    • Remote Shutdown

    • Remote Volume Management

    • Virtual Machine Monitoring

    • Windows Defender Firewall Remote Management

    • Windows Management Instrumentation (WMI)

    • Windows Remote Management

    • Windows Remote Management (Compatibility)

It is not always feasible, or especially desirable, to reconfigure these settings manually on each computer to enable the appropriate remote management feature. Instead, in an Active Directory Domain Services (AD DS) environment, you can use Group Policy Objects (GPOs) to configure the desired firewall settings.

Enabling remote management through System Properties

Both Remote Assistance and Remote Desktop can be enabled through the System Properties dialog box, as displayed in Figure 4-60. To access these settings, open the Settings app and follow these steps:

  1. Select System and then select About.

  2. In the details pane, under Related Settings, select Advanced System Settings.

  3. Select the Remote tab.

A screenshot displays the Remote tab in System Properties. Remote Assistance is enabled. Remote Desktop is not enabled.

FIGURE 4-60 Configuring Remote settings through System Properties

Enabling Remote Assistance

To enable Remote Assistance, on the Remote tab of the System Properties dialog box, select the Allow Remote Assistance Connections To This Computer check box. Then, optionally, select Advanced. As displayed in Figure 4-61, you can then configure the following additional settings.

  • Allow this computer to be controlled remotely This setting enables you to determine whether the person providing remote support can take remote control of the computer or only view the computer desktop. This setting is enabled by default when Remote Assistance is enabled.

  • Set the maximum amount of time invitations can remain open One way of initiating a Remote Assistance session is for the user to invite the support person to connect. This setting defines the validity period of the invitations. The default is 6 hours.

  • Create invitations that can only be used from computers running Windows Vista or later Windows Vista and later versions of Windows use a superior method of encrypting Remote Assistance network traffic. You should select this option if you are using Windows Vista and later on all support computers.

A screenshot displays the Remote Assistance Settings dialog box.

FIGURE 4-61 Configuring Remote Assistance advanced settings

Enabling Remote Desktop

To enable Remote Desktop, on the Remote tab of the System Properties dialog box, select the Allow Remote Connections To This Computer check box. Then, optionally, select Allow Connections Only From Computers Running Remote Desktop With Network Level Authentication (Recommended), shown in Figure 4-60. This setting improves the security of the Remote Desktop network traffic between the management computer and the target computer.

Click Select Users. As displayed in Figure 4-62, you can then add the users or groups that you want to have remote access to this computer by using Remote Desktop. You can also enable Remote Desktop by opening the Settings app, selecting System, and then selecting the Remote Desktop tab.

A screenshot displays the Remote Desktop Users dialog box. AndrewWarren already has access.

FIGURE 4-62 Configuring Remote Desktop users

Using Microsoft Management Console (MMC) to manage remote computers

With both Remote Desktop and Remote Assistance, you use RDP to connect to a remote computer. After you establish a connection, you can perform any management task interactively just as if you were sitting at the remote computer. This is not the case with either MMC or Windows PowerShell remoting.

With MMC, you must enable the desired remote management feature by modifying the Windows Defender Firewall configuration. Then you can use the appropriate management console snap-in and target the desired remote machine.

Using MMC snap-ins to manage remote computers is easy. Some management snap-ins enable you to specify additional computers to connect to from the console. As displayed in Figure 4-63, you can right-click the uppermost node in the navigation pane and then select Connect To Another Computer.

A screenshot displays the Computer Management console. The administrator is connecting to another computer.

FIGURE 4-63 Connecting to another computer with MMC

If the management snap-in you want to use does not enable you to connect to additional computers, you can create a new management console by running mmc.exe and adding the appropriate snap-in to the empty console. When prompted, specify Another Computer.

It is important to realize that the remote computer must recognize you. This means that you must authenticate your connection by using a username and password that have the necessary management rights on the target computer. This step is simple in an AD DS domain environment because you can use domain admin credentials. However, in workgroup environments, this step is trickier. Generally, you must be able to provide credentials of a member of the target computer’s local Administrators group.

In addition to authentication, the necessary Windows Defender Firewall feature must be enabled. After you have enabled the required remote management feature in Windows Defender Firewall and modified your MMC to connect to a remote computer using appropriate credentials, performing remote management is no different from performing local management.

Configure remote assistance tools including Remote Assistance and Quick Assist

As already mentioned, Remote Assistance is a built-in tool that provides for interaction with the remote user during a support session. You can view or take remote control of a remote user’s computer and perform remote management of it.

Quick Assist is similar. It’s a built-in Microsoft Store app that enables you to offer or receive assistance quickly. Using Quick Assist, you can view or take remote control of the user’s computer and perform remote management of it.

Configure Remote Assistance

After you have enabled Remote Assistance, you can configure and use this tool to help your users administer and manage their computers remotely. There are two fundamental ways of initiating a Remote Assistance session: one is for the user to request assistance, and the other is for the support person to offer it.

Requesting help using Remote Assistance

If a user is experiencing problems with their computer, they can request assistance from support personnel by using the Request Assistance feature of Remote Assistance. This is known as solicited remote assistance. To request assistance, the user must open Control Panel, select System And Security, and then select Launch Remote Assistance.

As displayed in Figure 4-64, you can then choose between:

  • Invite someone you trust to help you Choose this option if you require assistance.

  • Help someone who has invited you Choose this option if you can provide assistance.

A screenshot displays the Windows Remote Assistance dialog box. The administrator has selected the Invite Someone You Trust To Help You option.

FIGURE 4-64 Requesting Windows Remote Assistance

To request help, select Invite Someone You Trust To Help You. You can then choose from among three options:

  • Save This Invitation As A File Choose this option to create an RA Invitations file. These have a .msrcllncident file extension. You are prompted to save the request file. Store this file in a location that is accessible to the user from whom you are requesting help. Typically, this location will be a file server shared folder. After you have defined a save location, a dialog box appears with the password for the remote assistance session. Share this password with your helper. When your helper double-clicks the file you saved, they are asked for the password, and then the Remote Assistance session begins.

  • Use Email To Send An Invitation If you choose this option, your default email program is opened by Remote Assistance, and the invitation file is automatically attached to an email message. You must enter the email address of the person you want to invite. When you send the message, the same dialog box appears containing the session password. Again, share this password with your helper. When your helper double-clicks the attached file in the email you sent, they are asked for the password, and then the Remote Assistance session begins.

  • Use Easy Connect Easy Connect enables you to establish a Remote Assistance session without the need to use an invitation file. After you have established an Easy Connect session, you can save the name of the helper for future use, enabling you to receive remote assistance without the need to exchange a password.

Offering help with Remote Assistance

A user might not be in a position to request assistance. In these circumstances, an administrator can offer assistance. This is known as unsolicited remote assistance. To offer remote assistance, run Msra.exe and choose Help Someone Who Has Invited You. Then, on the Choose A Way To Connect To The Other Person’s Computer page, select Advanced Connection Option For Help Desk, as displayed in Figure 4-65.

A screenshot displays the Windows Remote Assistance dialog box. The administrator has selected the Help Someone Who Has Invited You option. Displayed are two options for connecting to a remote computer, together with a link, Advanced Connection Option For Help Desk.

FIGURE 4-65 Offering Remote Assistance

On the Who Do You Want To Help page, in the Type A Computer Name Or IP Address box, enter the relevant computer name or IP address of the computer that you want to send the offer of help to and then select Next.

The user on the target computer must accept your offer, and then the remote assistance session is initiated. This is often a useful way to start a remote assistance session, especially when you are attempting to support novice users.

Configuring Remote Assistance with GPOs

Although you can configure the necessary settings for Remote Assistance manually on each computer, in an AD DS domain environment it is easier to use GPOs to distribute the required settings. Table 4-23 shows the settings you can configure for Remote Assistance by using GPOs. To configure these settings, open Group Policy Management and locate the appropriate GPO. Open the GPO for editing and navigate to Computer Configuration > Policies > Administrative Templates > System > Remote Assistance.

TABLE 4-23 Configuring Remote Assistance with GPOs

Policy Setting


Allow Only Windows Vista Or Newer Connections

Enables Remote Assistance to generate invitations with more secure encryption. This setting does not affect Remote Assistance connections initiated by unsolicited offers or Remote Assistance.

Turn On Session Logging

Enables session logging. Logs are stored in the user’s Documents folder in the Remote Assistance folder.

Turn On Bandwidth Optimization

Provides performance improvements in low-bandwidth situations. Adjust from No Optimization through Full Optimization.

Customize warning messages

Enables you to customize warning messages.

Configure Solicited Remote Assistance

Enables solicited Remote Assistance on a computer. If you disable this setting, it prevents users from asking for Remote Assistance. You also can use this setting to configure invitation time limits and whether to allow remote control.

Configure Offer Remote Assistance

Enables unsolicited Remote Assistance on this computer.

Using Remote Assistance to manage a computer remotely

After you have configured the desired settings and established a Remote Assistance session, you can perform the following tasks:

  • Request Control Enables you to ask the remote user for permission to take remote control of their computer. The remote user must allow you to do this. Remember also that the ability to gain remote control is a configurable option.

  • Chat Enables you to open a chat window to communicate with the remote user. You can use chat to explain what you are doing, or the remote user can use it to discuss the details of their computer problem.

Configure Quick Assist

There are no special setup requirements for Quick Assist. However, users must be able to authenticate with one another, and to initiate a session, participants must exchange a six-digit security code.

To use Quick Assist, select Start and then enter Quick Assist. Select the Quick Assist link. As displayed in Figure 4-66, you can then select the link to assist another person or enter a code from your assistant, depending on your situation.

A screenshot displays the Quick Assist dialog box.

FIGURE 4-66 Opening Quick Assist

Offering help with Quick Assist

To create a Quick Assist session, after opening Quick Assist at both ends of the session, the IT support person selects the Assist Another Person button, as displayed in Figure 4-66. Then use the following procedure to create a session:

  1. A sign-in dialog box displays. Enter your Microsoft Account name and select Next.

  2. Enter your password, select Next, and then record the secutity code, as displayed in Figure 4-67.

    A screenshot displays the Quick Assist security code page.

    FIGURE 4-67 Reviewing the security code

  3. Share the code with the person you want to help. Choose between copying the code to the clipboard, using an email message, or providing instructions.

  4. At the remote end, the user being helped enters the provided code, and then selects Share Screen.

  5. You now choose between Take Full Control or View Screen. Then select Continue.

  6. The remote user now confirms the permissions you requested by selecting Allow.

  7. The session opens, as displayed in Figure 4-68.

A screenshot displays an active Quick Assist session.

FIGURE 4-68 An active remote session using Quick Assist

After you have opened a remote session, you can use the toolbar across the top of the display to perform the following actions:

  • Select Monitor Enables you to select a remote a screen to review or interact with.

  • Annotate Provides you with the ability to write.

  • Actual Size Enables you to resize the screen output to actual size.

  • Toggle Instruction Channel Turns on (or off) the chat window in which you can provide instructions to the remote user.

  • Restart Enables you to initiate a restart of the remote computer.

  • Task Manager Enables Task Manager at the remote computer.

  • Reconnect Reconnects your session.

  • Pause Pauses the session without ending it.

  • End Terminates the session.

The remote session will time out after a period of inactivity, or you can end it as needed once you have finished helping the remote user.

Configure Remote Desktop access

After Remote Desktop is enabled on a computer, you can use the Remote Desktop Connection program to connect to the computer. When connected, you can use the computer as if locally signed in and perform all management tasks that your user account has the rights to perform. This makes using Remote Desktop particularly useful.

Creating and editing Remote Desktop connections

To create a Remote Desktop connection, from Start, select All Apps, select Windows Accessories, and then select Remote Desktop Connection. As displayed in Figure 4-69, you must then specify the computer that you want to connect to. Use either a computer name or an IP address. You can configure additional connection properties by using the options discussed in Table 4-24.

A screenshot displays a Remote Desktop Session dialog box. The Computer is, and the administrator has entered the credentials ContosoAdministrator.

FIGURE 4-69 Creating a Remote Desktop connection

TABLE 4-24 Configurable Remote Desktop Connection options




  • Logon Settings:

    • Computer

    • User Name

    • Allow Me To Save Credentials

    • Connection Settings:

    • Save

    • Save As

    • Open


  • Display Configuration:

    • Small > Large

    • Use All My Monitors For The Remote Session

  • Colors:

    • Choose The Color Depth Of The Remote Session

    • Display The Connection Bar When I Use Full Screen

Local Resources

  • Remote Audio:

  • Remote Audio Playback:

    • Play On This Computer

    • Do Not Play

    • Play On Remote Computer

  • Remote Audio Recording:

    • Record From This Computer

    • Do Not Record

  • Keyboard, Apply Windows Key Combinations:

    • Only When Using The Full Screen

    • On This Computer

    • On The Remote Computer

  • Local Devices And Resources:

    • Printers

    • Clipboard

  • Smart Cards

  • Ports

  • Drives

  • Other Supported Plug And Play (Pnp) Devices


  • Performance:

    • Modem (56 kbps)

    • Low-Speed Broadband (256 Kbps–2 Mbps)

    • Satellite (2 Mbps–16 Mbps With High Latency)

    • High-Speed Broadband (2Mbps–10 Mbps)

    • WAN (10 Mpbs Or Higher)

    • Detect Connection Quality Automatically

    • Persistent Bitmap Caching

    • Reconnect If The Connection Is Dropped


  • Server Authentication, If Server Authentication Fails:

    • Connect And Don’t Warn Me

    • Warn Me

    • Do Not Connect

  • Connect From Anywhere:

  • Connection Settings:

    • Automatically Detect RD Gateway Server Settings

    • Use These RD Gateway Server Settings

    • Do Not Use An RD Gateway Server

  • Log-on Settings:

    • Username

    • Use My RD Gateway Credentials For The Remote Computer

When you have finished configuring the connection, on the General tab select Connect. You can also choose to save your configuration to an RDP file for subsequent use.

Customizing Remote Desktop settings from the command line

You can open the Remote Desktop Connection app by running Mstsc.exe from the command line or the Windows Run dialog box. The Mstsc.exe command also enables administrators to open the tool, with several parameters configured.

The default firewall port that Remote Desktop uses is 3389, and this firewall port must allow RDP traffic through for Remote Desktop to work. If an administrator changes the firewall port for RDP traffic, the revised port number must be specified in the command-line tool Mstsc.exe when opening the application.

The syntax for mstsc is

mstsc [<connection file>] [/v:<server[:port]>] [/admin] [/f[ullscreen]] [/w:<width>]
[/h:<height>] [/public] | [/span] [/multimon] [/edit "connection file"]
[/restrictedAdmin] [/remoteGuard] [/prompt] [/shadow:sessionID> [/control]
[/noConsentPrompt]] [/?]

The list of command-line parameters for Remote Desktop Connection are shown in Table 4-25.

TABLE 4-25 Command-line parameters for Remote Desktop Connection



<connection file>

Specifies the name of an RDP file for the connection.


Specifies the remote computer to which you want to connect.


This parameter is used to connect you to a session for the administration of a Remote Desktop Session Host server (the RD Session Host role service must be installed on the remote server).

/edit <"connection file">

Opens the specified RDP file for editing.


Starts Remote Desktop Connection in full-screen mode.


Specifies the width of the Remote Desktop window.


Specifies the height of the Remote Desktop window.


Runs the Remote Desktop in public mode, where passwords and bitmaps are not cached.


This enables the Remote Desktop width and height to be matched with the local virtual desktop, spanning across multiple monitors if necessary.


Configures the Remote Desktop session monitor layout to render it identical to the client configuration.


Connects to the remote PC or server in Restricted Administration mode, which prevents login credentials from being sent to the remote PC or server. Functionality and or compatibility may be impacted as the connection is made as local administrator.


Utilizes Remote Guard to protect the connection. No credentials are sent to the remote device; however, full access is provided.


Allows you to specify the SessionID to which you wish to connect.


Allows control of the remote session.


Allows the connection to continue without user consent.


Lists the available parameters.

Configuring Remote Desktop with GPOs

Just as with Remote Assistance, although you can configure Remote Desktop settings manually on each computer, in an AD DS domain environment it makes sense to configure these settings with GPOs. Table 4-26 describes the configurable GPO settings for Remote Desktop. To configure these settings, open Group Policy Management and locate the appropriate GPO. Open the GPO for editing and navigate to Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop Services.

TABLE 4-26 Configuring Remote Desktop with GPOs

Policy Setting


Remote Desktop Connection ClientDo Not Allow Passwords To Be Saved

Determines whether users can save passwords on this computer from Remote Desktop Services clients.

Remote Desktop Connection ClientPrompt For Credentials On Client Computer

If enabled, a user is prompted to provide credentials for a remote connection to a Remote Desktop server on their client computer rather than on the Remote Desktop server.

Remote Desktop Session HostConnectionsAllow Users To Connect Remotely By Using Remote Desktop Services

If enabled, users that belong to the Remote Desktop Users group on the target computer can connect remotely to the target computer, using Remote Desktop Services.

Remote Desktop Session HostDevice And Resource Redirection

You use these settings to specify whether to allow or prevent data redirection from local devices (such as audio and clipboard) to the remote client in a Remote Desktop Services session.

Remote Desktop Session HostSecuritySet Client Connection Encryption Level

If enabled, all communications between clients and Remote Desktop servers is encrypted, using the encryption method specified. By default, the encryption level is set to High.

Remote Desktop Session HostSession Time Limits

These policies control session time limits for disconnected, idle, and active sessions and whether to terminate sessions when specified limits are reached.

Troubleshooting Remote Desktop Connections

Remote Desktop is a powerful tool for administrators that enables them to manage PCs and servers within the enterprise. Some common problems encountered when trying to connect to a remote PC using Remote Desktop, and their resolution, are listed in Table 4-27.

TABLE 4-27 Troubleshooting Remote Desktop Connections


Possible resolution

The remote PC can’t be found.

  • Make sure you have the correct PC name.

  • Try using the IP address of the remote PC.

There’s a problem with the network.

  • Ensure that the router is turned on (home networks only).

  • Make sure that the Ethernet cable is plugged into your network adapter (wired networks only).

  • See that the wireless switch on the PC is turned on (devices using wireless networks only).

  • Make sure your network adapter is functional.

The Remote Desktop port might be blocked by a firewall.

  • Contact your system administrator to check that Remote Desktop is not blocked.

  • Allow the Remote Desktop application through Windows Firewall.

  • Make sure the port for Remote Desktop (usually 3389) is open.

Remote connections might not be set up on the remote PC.

  • In the System Properties dialog box, under Remote Desktop, select the Allow Remote Connections To This Computer button.

The remote PC might only enable PCs that have Network Level Authentication set up to connect.

  • Upgrade to Windows 7, Windows 8 or Windows 8.1, or Windows 10, which support Network Level Authentication.

The remote PC might be turned off.

  • You can’t connect to a PC that’s turned off, asleep, or hibernating.

  • Turn on the remote PC.

Manage Windows remotely by using PS remoting

Although using Windows PowerShell cmdlets can sometimes seem daunting, they do offer a convenient and quick way of configuring many machines more quickly than by using a graphical tool. In addition, through the use of scripting, you can use Windows PowerShell to complete frequently performed management tasks.

Using Windows PowerShell to manage remote computers is referred to as Windows PowerShell remoting, but before you can use Windows PowerShell remoting, you must know how to enable and configure it.

Windows PowerShell is ubiquitous across the Windows platform, appearing in both Windows 10 and Windows Server. Therefore, using Windows PowerShell to perform management tasks on both local and remote computers makes sense because you can transfer those skills to other management and administration situations.

Many cmdlets in Windows PowerShell can be used with a -ComputerName parameter, making the use of the command remotely no more complex than specifying the name of the computer you want to run the command against. For example, to determine the IP configuration of a computer, you can run the following command:

Get-NetIPConfiguration -computername LON-CL1

However, not all cmdlets accept the -ComputerName parameter, and for these, you must enable and configure Windows PowerShell remoting. The function of Windows PowerShell remoting is to enable you to connect to one or several remote computers and execute one or more cmdlets or scripts on those remote computers and return the results to your local computer.

Although Windows PowerShell remoting is enabled by default on Windows Server, you must manually enable it on Windows 10. To do this, complete one of the following procedures:

  • If necessary, start the Windows Remote Management service. You must also enable Windows Remote Management through the Windows Defender Firewall. As displayed in Figure 4-70, you can do this by running the winrm quickconfig command at an elevated Command Prompt. When prompted, press Y and Enter twice.

A screenshot displays a Windows PowerShell window. The administrator has executed the winrm quickconfig command.

FIGURE 4-70 Enabling Windows Remote Management

Note Winrm Quickconfig and the Public Network Location Profile

If one of your network connections is assigned the Public network location profile, this command fails, and you must manually configure the Windows Defender Firewall exceptions.

  • Alternatively, to enable Windows PowerShell remoting, you can run the enable- PSremoting -force cmdlet from an elevated Windows PowerShell window.

Using Windows PowerShell to manage remote computers

After you have enabled Windows PowerShell remoting, you can use Windows PowerShell cmdlets and scripts to manage the remote computer in virtually the same way that you manage local computers. However, you must first establish a connection with the remote computer.

After you have established a connection, you can run any cmdlets or scripts against the remote machine. When you connect to the remote computer and run a remote command against it, the command is transmitted across the network and run on the remote computer. The results are sent back to your local computer and displayed in your Windows PowerShell window.

One way to establish a remote connection and run a command is to use the invoke- command cmdlet. You can also use the invoke-command cmdlet to establish a temporary remote connection. For example, the following command retrieves the contents of the system event log from the remote computer LON-CL1:

Invoke-Command -ComputerName LON-CL1 -ScriptBlock {Get-EventLog -log system}

If you intend to run several cmdlets, or to run more complex scripts, it is useful to establish a persistent connection to the remote computer. Use the New-PSSession cmdlet to do this. For example:

$s = New-PSSession -ComputerName LON-CL1

You can now use the Enter-PSSession command to establish the persistent connection:

Enter-PSSession $s

You will now have a Windows PowerShell prompt that looks like this:

[LON-CL1]: PS C:>

Any commands that you run in this session run on the LON-CL1 computer. The session remains active until you close with the exit-PSSession command.

You can also use these commands to establish remote connections with multiple computers. For example, to connect simultaneously to computers called LON-CL1 and LON-CL2, use the following command:

$s = New-PSSession -ComputerName LON-CL1, LON-CL2

Next, run the remote Windows PowerShell cmdlets against the new session:

Invoke-Command -Session $s -ScriptBlock { Get-EventLog -log system }

You can run any Windows PowerShell command remotely in this way.

Manage Windows 10 remotely by using Windows Admin Center

Windows Admin Center is a web-based management console that you can use to manage remote computers and services, including services hosted in Microsoft Azure. Windows Admin Center has two core components that enable you to manage remote devices and services:

  • Gateway Enables you to manage servers through Windows PowerShell Remoting and WMI using WinRM.

  • Web server Enables management through standard HTTPS communications.


To use Windows Admin Center, you must first download it from the Microsoft Download website. After download, run the installation program. Then use the following procedure to complete setup:

  1. In the Windows Admin Center Setup Wizard, select Next.

  2. On the Install Windows Admin Center on Windows 10 page, select Next.

  3. On the Installing Windows Admin Center page, for Select a port for the Windows Admin Center site, enter a suitable TCP port. The default, as displayed in Figure 4-71, is 6516. This port is used to communicate with the Windows Admin Center.

    A screenshot displays the Installing Windows Admin Center page of the Configure Gateway Endpoint wizard. The default values are selected.

    FIGURE 4-71 Installing Windows Admin Center

  4. Select the Allow Windows Admin Center to modify this machine’s trusted hosts settings check box if you want to manage computers that are not part of your AD DS forest. See more information about authentication in the next section.

  5. Select Install. Accept the UAC prompt.

  6. When you see the prompt, select Finish.

After installation, when you run Windows Admin Center for the first time, you are prompted for a certificate. Select the Windows Admin Certificate, as displayed in Figure 4-72.

A screenshot displays the Windows Admin Center prompt to select a suitable certificate on first run.

FIGURE 4-72 Selecting the Windows Admin Center certificate


If you connect to remote computers, either with Windows Admin Center or with Windows PowerShell remoting, you must authenticate with the remote computer. If your two computers are part of the same AD DS forest, Kerberos authentication automatically occurs. However, if you are connecting to computers in a different forest, or to non-domain-joined computers, you must configure the TrustedHosts settings.

If, when you install Windows Admin Center, you accept the defaults, then the TrustedHosts are set to be automatically configured. However, if you want to manage these settings manually, you do so by using Windows PowerShell:

  1. Open an elevated Windows PowerShell prompt.

  2. Run the following command:

    Set-Item WSMan:localhostClientTrustedHosts -Value ''
  3. When prompted, enter Y to confirm the change.

  4. For each device you want to manage, run the preceding command, remembering to change the computer name specificied in the value parameter.

You can also use a wildcard to enable connectivity to any computer. Run the following command:

Set-Item WSMan:localhostClientTrustedHosts -Value '*'
Using Windows Admin Center

After you have set up Windows Admin Center, you can start managing computers. The first step is to add computers to the available connections. Use the following procedure:

  1. In the console, select Add.

  2. On the Add or create resources blade, select the type of resource. Choose between Servers, Windows PCs, Server Clusters, or Azure VMs. In this case, in the Windows PCs section, select Add.

  3. On the Connection tags blade, in the Computer name box, enter the name of the remote computer and select Add.

Windows Admin Center now updates to include the newly added computer. To connect to a computer, select it from the All Connections list, as displayed in Figure 4-73.

A screenshot of the Windows Admin Center displaying All Connections. Two computers are displayed.

FIGURE 4-73 Reviewing the All Connections list

You can then use the navigation pane to select a specific management component, as displayed in Figure 4-74.

A screenshot displays the Windows Admin Center. The Overview page is selected for a remote computer.

FIGURE 4-74 Connecting to a computer

You can manage many aspects of a remote Windows PC, including the following:

  • Restart or shut down the computer.

  • Edit the computer ID.

  • Add or remove apps and features.

  • Review installed certificates.

  • Review the event logs.

  • Navigate the file system, and manage shared resources.

  • Review and configure network and firewall settings.

  • Gather performance-related data.

  • Configure the registry.

  • Manage scheduled tasks.

  • Manage services and storage.

  • Manage virtual machines and switches.

Chapter summary

  • Windows 10 File History is the preferred backup option that performs automatic backups of files every hour to a nonlocal storage.

  • Previous Versions is a feature that allows you to recover deleted or modified versions of your files directly from File Explorer rather than via a backup or File History.

  • OneDrive offers you a Recycle Bin, which allows you to recover files you’ve deleted from OneDrive folders and syncs with the File Explorer Recycle bin.

  • OneDrive can provide a history of older versions of Office documents that are stored within OneDrive so that you can access, restore, and download previous versions of your files.

  • A Windows 10 recovery drive can be used to recover your system in the event of failure.

  • System Restore is useful for restoring the operating system to a previous point in time. For example, you can restore to a point prior to when your computer became unstable.

  • Windows RE enables you to access the advanced startup options to troubleshoot Windows 10 startup issues.

  • You can use Reset This PC to recycle a computer for use by another user or to revert the computer to its OOBE state if you experience serious problems with the computer.

  • Fresh Start in Windows Security enables you to keep your personal files and some Windows settings but remove all apps, including third-party apps that are preinstalled on your device.

  • Restore points are created when the Backup And Restore (Windows 7) tool creates a backup image. You can use a system image to recover Windows 10 if Windows 10 becomes unstable (for example, if your hard drive has failed and other recovery methods have failed).

  • Driver Rollback allows you to revert to a previous device driver after your system begins to suffer the effects of upgrading to a new device driver that is poorly performing.

  • Windows 10 Home users have Windows Updates automatically downloaded and installed on their devices. Windows 10 Pro, Education, and Enterprise customers can defer feature updates for up to 365 days, and they can defer quality updates for up to 30 days.

  • Windows 10 Pro, Education, and Enterprise customers can pause quality updates for up to 35 days.

  • Windows Update Delivery Optimization is a method of peer-to-peer sharing of Windows update files. This feature significantly reduces the time that a Windows 10 device is vulnerable from zero-day malware attacks. Peer caching can occur between other users on the local network or optionally across the internet.

  • Administrators can use Group Policy to centrally configure and manage Windows Update behavior, location of WSUS servers, and Windows Update Delivery Optimization settings.

  • If a driver update causes system stability issues, you can uninstall the update, and if necessary, you can disable the automatic application of the update.

  • Event logs automatically record system activity such as logons, application errors, and services stopping and starting.

  • If you enable remote management, you can pull event logs from remote computers by using event subscriptions.

  • Windows 10 includes several tools to view system performance, including Task Manager, Performance Monitor, and Resource Monitor.

  • In Performance Monitor, you can create benchmarking reports by creating your own user-defined collector sets and running them to generate a performance baseline.

  • Windows 10 introduces the option to manage your default printer by setting the default to the last printer you used, rather than the printer at your current location.

  • The built-in Search feature uses the background indexing service to index areas of your hard drive automatically, including files stored in your user profile.

  • Reliability Monitor provides a graphical history of your computer’s reliability and offers solutions to resolve issues.

  • You can choose from a number of management tools to perform remote management.

  • To configure and enable remote management settings, you must first modify the Windows Firewall configuration.

  • Remote Assistance can be used to view or take remote control of a remote user’s computer.

  • Both Remote Desktop and Remote Assistance can be configured manually or by using GPOs.

  • Windows PowerShell remoting enables you to perform remote management of any Windows 10–based computer with Windows PowerShell.

  • Management console snap-ins support both local and remote connections.

Thought experiment

In these thought experiments, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers to these thought experiments in the next section.

Scenario 1

You want to use the Backup And Restore (Windows 7) tool to create a backup of your files contained on your computer to a removable USB hard drive or SDHC memory card. You want to create a custom schedule. Answer the following questions relating to the Backup And Restore (Windows 7) tool:

1. What is the default backup schedule for the Backup And Restore (Windows 7) tool?

2. How would you modify the schedule so that you can be more specific? For example, say you want to back up the data every 30 minutes.

3. What triggers are available that could be used to begin the backup task?

4. You no longer want to use the Backup And Restore (Windows 7) tool for your Windows 10 Pro tablet. What built-in backup tool could you use instead? How could the data be safeguarded from theft?

Scenario 2

You have been asked to review the backup and restore options available within Windows 10 and Your manager is developing a backup strategy and wants to ensure that files are backed up and that users can easily access the backed-up files for at least six months. Backups will be stored offsite. Answer the following backup-related questions:

1. How would relying on the OneDrive Recycle Bin feature affect the backup strategy?

2. You want to examine how the Previous Versions feature found in File Explorer works, but you cannot see any Previous Versions listed. How do you enable Previous Versions?

3. Could the Previous Versions feature found in File Explorer offer backup and recovery of files as part of the backup strategy?

Scenario 3

Your company has recently upgraded half of its computers from Windows 7 to Windows 10 Pro. Staff members use Office and a web-based line-of-business application. The help desk manager has received several complaints from users who state a variety of problems following the upgrade, including that the following:

  • Their computers are slow.

  • Apps stop responding.

  • Websites are slow to load.

The remaining Windows 7–based computers do not exhibit the same issues. You need to offer the help desk some advice on how to diagnose these problems and recommend how to resolve them as soon as possible.

Answer the following questions from the help desk:

1. Why might the computers be slow after the upgrade?

2. Which tool could you recommend to assist the help desk support members verify which apps are freezing?

3. You suspect that the network card could be a performance bottleneck. How could this suspicion be tested?

4. How would a network card bottleneck present itself?

Scenario 4

You work as a desktop support technician. Your Windows 10 deployment for 5,000 devices is now complete, and you are now busy supporting your users. Answer the following questions about using advanced management tools and techniques for your organization:

1. You find that you are repeatedly performing the same management task on multiple computers. At the moment, you use several customized Microsoft Management Consoles to perform the required tasks. How could you achieve this more easily?

2. A number of users are experiencing problems with their computers. You determine that the issue relates to a service that occasionally stops and is then restarted. Where can you track information about this problem?

3. What command-line tools can you use for managing services?

Scenario 5

You work in support at Adatum Corporation. Many of your users work in small branch offices. Some work from home, using work laptops. It is important for you to be able to manage these users’ computers remotely. As a consultant for Adatum, answer the following questions about remote management in the Adatum organization:

1. One of your users phones the help desk, requiring assistance with an application. They need to know how to perform a grammar check with Microsoft Word 2019. They are not very experienced, and despite your best efforts and explanation of how the process works, they are still confused. What remote management tool might you consider using in this situation?

2. Another user calls the help desk. They’ve lost a file and need you to locate it. They’re due to leave the office for a conference this afternoon, and they tell you that’s the best time for you to resolve the issue. What remote management tool would you use?

3. You try to connect to this user’s computer later that afternoon, but despite knowing that the necessary Windows Firewall settings are configured, you cannot connect. Why?

4. You want to use Windows PowerShell remoting. You try to connect to a remote machine but are unsuccessful. What steps must you perform on the remote machine before Windows PowerShell remoting can work?

Thought experiment answers

This section provides the solutions for the tasks included in the thought experiment.

Scenario 1

1. The default backup schedule for the Backup And Restore (Windows 7) tool is every Sunday at 7 PM.

2. You need to edit the AutomaticBackup task in the WindowsBackup node found in Task Scheduler and configure the task to repeat every 30 minutes by editing the trigger.

3. The triggers available for the task to begin include the following: On A Schedule, At Log On, At Startup, On Idle, On An Event, At Task Creation/Modification, On Connection/ Disconnect To A User Session, and On Workstation Lock/Unlock.

3. You would suggest using File History. This feature allows the backup of files and folders to a removable drive—for example, a USB drive or SDHC memory card—that may be used with the device. Optionally, the external storage may be encrypted using BitLocker To Go or EFS.

Scenario 2

1. The OneDrive Recycle Bin is not a backup facility. It will only retain files that have been deleted for a maximum of 93 days. This is less than the 6 months required by the backup strategy.

2. You would need to turn on the schedule to create restore points using either File History or the Backup And Restore (Windows 7) tool. Once the Backup And Restore (Windows 7) tool creates a backup, or when File History runs, previous versions of files will be available on the Previous Versions tab.

3. Previous Versions could provide the longevity of access to the backed-up files if the backup storage location does not become full. To ensure that the Previous Versions complied with the backup strategy, you would need File History or the Backup And Restore (Windows 7) tool to save the image to a remote storage location, such as a network-attached drive.

Scenario 3

1. Answers might vary. Several potential areas need to be investigated. The original computers should have met the minimum specification for Windows 10 to upgrade from Windows 7. The computers might be quite old and contain components that are slow in comparison to modern hardware, such as older hard drives without cache, or slow RAM memory. The BIOS or motherboard firmware might be old and need updating. The hardware device drivers might not have been updated to the latest versions for Windows 10.

2. Recommend to the help desk that it suggest using Reliability Monitor to review the stability history of the computers that are reporting app freezing. The Reliability Monitor report should identify the failing app and how often it is failing; also, the report should identify potential solutions. You should also be able to see whether other failures are occurring that might relate or contribute to the app failure.

3. Answers might vary. You could review the network card driver version and see whether there are any known issues relating to the network card and Windows 10 on the manufacturer’s website. You could use Performance Monitor to review the performance for the Network Interface counter and monitor the Output Queue Length.

4. Network-related activities, such as web browsing and opening and saving resources across the network, would be slower than normal. If there is network saturation, the report should indicate that the queue length is more than 2, meaning that the network card cannot process network packets quickly enough.

Scenario 4

1. You could create Windows PowerShell scripts as required that contain the required management cmdlets. Because Windows PowerShell supports remoting, it is easy to run the script against remote computers at the same time. You must, however, ensure that the execution policy for each computer supports the running of PowerShell scripts and that Windows PowerShell remoting is enabled.

2. Use the System log in Event Viewer. You can group events based on source; in this instance, the source is Service Control Manager.

3. You can use Windows PowerShell to manage services. Also, the SC.exe and Net.exe command-line tools can be used.

Scenario 5

1. Using Remote Assistance would enable you to demonstrate how to perform the grammar check. You could take remote control of the user’s computer and show them the procedure.

2. Remote Desktop is the most suitable tool. Remote Assistance requires the interaction of the user to accept your connection request and, initially, to invite you to help. Remote Desktop requires no invitations and does not require the remote user to assist you in connecting.

3. The most likely reason you can’t connect is that Remote Desktop users must be granted access in addition to the Windows Firewall configuration changes being made.

4. You must start the Windows Remote Management service and reconfigure the Windows Firewall, and then Windows PowerShell remoting must be enabled. You can perform these steps by running either winrm quickconfig or by runningenable-PSremoting.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.