CHAPTER 2
Plan desktop and device deployment

When deploying Windows 10 devices, it is important to consider who will be using the devices, how the devices will be used, and in what ways you can configure those devices to ensure that you provide users with a functional, flexible, and secure Windows environment. This chapter deals with several aspects of configuring Windows 10 in preparation for deployment to devices serving a variety of roles in the enterprise.

Skills in this chapter:

Skill 2.1: Migrate and configure user data

Skill 2.2: Configure Hyper-V

Skill 2.3: Configure mobility options

Skill 2.4: Configure security for mobile devices

Skill 2.1: Migrate and configure user data

User data is an important consideration when supporting Windows computers, especially when planning to upgrade or migrate to a new version of Windows. This section covers important topics relating to user profiles, the primary location for user data in Windows 10. You will see the tools and considerations relating to migrating and configuring user data, which you need to be aware of for the exam.

Configure user profiles

User profiles hold the majority of user-configurable settings and data in Windows 10. Each user that signs in to a Windows 10 computer is associated with a file-level profile folder, stored by default in the C:Users folder. This is the default location for user profiles in Windows 10, for all users who sign in, including local and domain accounts. A user profile is automatically created and configured for each user that signs in to a Windows 10 computer.

There are three main profile types in Windows 10: local profiles, roaming profiles, and mandatory profiles.

Local profiles

Local profiles are stored in the C:Users\%USERNAME% directory on a Windows 10 computer. For example, a user with the username Adam would have his profile stored in the C:UsersAdam folder. A local profile is the default profile type in Windows 10, and the data for the profile is located in several files and folders within the C:Users\%USERNAME% folder, as shown in Figure 2-1. This figure also shows the hidden system files in the folder. These files will not be visible unless the Show Hidden Files option is selected in File Explorer.

The local profile is defined by a combination of the contents of the folders within a user profile (such as AppData, Documents, Local Settings, and Start Menu) and the NTUSER.DAT file. NTUSER.DAT contains registry settings that pertain to the user. When a user signs out, the HKEY_CURRENT_USER registry hive is saved to NTUSER.DAT, and then applied to the Windows 10 environment the next time the user signs in.

Roaming profiles

While a local profile is available only on the local computer that a user is signed in to, a roaming profile is also stored in a network location. To use roaming profiles, your environment needs to first satisfy specific requirements:

The Windows 10 computer must be a member of an Active Directory Domain Services (AD DS) domain.

The user signing in must have a user account object created in the domain.

The user account must have the Profile path attribute set to a network location to which the user has Read and Write permissions granted.

You can configure a roaming profile for a domain user account in Active Directory Users And Computers, from the Profile tab in the Administrator Properties dialog box, as shown in Figure 2-2.

When a user account is configured with roaming-profile settings, the local profile is copied to the specified network location when the user signs out. When the user signs in to a computer, the profile is copied from the network location to the local-profile folder.

Mandatory profiles

A mandatory profile is a special type of roaming profile. Mandatory profiles are copied to a network location, like roaming profiles. However, mandatory profiles are always read-only, which means a mandatory profile cannot be altered by the user. If a user makes changes to the Windows environment when using a mandatory profile, none of the changes are copied to the network location of the profile, so the user will not see those changes reflected in the Windows environment when they next sign in to a Windows computer.

Mandatory profiles are commonly used to provide enforced environment settings for users who perform a specific or specialized task and are set when he or she is signed in to a Windows computer. You can create a mandatory profile by renaming the NTUSER.DAT file in a roaming profile to Ntuser.man. Any time the user signs in after this change has been made, they’ll use the mandatory profile.

Configure folder location

Although you can use roaming profiles to store user-profile contents in a network location, the entire profile must be copied to and from the network location. You can also configure network locations for specific folders within a user profile. When using an alternate folder location that is stored on the network, all of the files in the folder are not stored locally, but in the network location, by default. Mobile users will have offline versions of the folders available as locally cached files, in case they are disconnected from the network. Changes to files within folders that are redirected to the network are synchronized with the local cache on a file-by-file basis, rather than the entire profile being copied, as happens with roaming profiles.

You can configure folder location in Windows 10, as shown in Figure 2-3, by performing the following steps:

1. Open File Explorer and expand This PC.

2. On any of the folders except Local Disk, right-click the folder and then click Properties. For example, right-click Documents and then click Properties.

3. In the Documents Properties dialog box, click the Location tab, and change the location by performing either of the following steps:

   Typing a new file location

   Clicking Move, browsing to the new location, and clicking Select Folder

   

   FIGURE 2-3 Configuring folder location

Migrate user profiles

When upgrading Windows, or moving a user to another computer, user profiles are often the first consideration in the migration process. Migrating user profiles can be a simple process when there’s a single user on a single computer, or it can be complicated, involving many users and computers in an enterprise environment.

Use the User State Migration Tool

The User State Migration Tool (USMT) is a collection of command-line tools that enable you to automate and customize the process of migrating user profiles. The USMT can copy user-profile information to a migration store location, from where it can be retrieved and copied to new computers.

You use the USMT to migrate user profiles between Windows computers. The USMT is part of the Windows 10 Assessment and Deployment Toolkit (Windows ADK).

The USMT contains three command line tools:

ScanState.exe Use this tool to scan and copy user-profile data to a migration store for the purpose of copying the profile to new computers.

LoadState.exe Use this tool to locate and copy user-profile data from a migration store to new Windows computers.

UsmtUtils.exe Use this tool to check a migration store for corruption, manage migration stores, and manage encryption during the migration process.

The USMT also includes the following three modifiable .xml files:

MigApp.xml This file includes instructions to migrate supplication settings.

MigDocs.xml This file is used to specify the files and folders that will be migrated by USMT.

MigUser.xml This file includes instructions to migrate user files based on name extensions.

The other file typically used by USMT, but not included with the default USMT files is Config.xml. You can generate Config.xml by using the /genconfig switch with ScanState.exe. Config.xml enables you to specify certain items that are not included in the migration processes of ScanState.exe and LoadState.exe.

USMT AND WINDOWS PE

The USMT command-line tools can be run as an online migration, within Windows, or from Windows Preinstallation Environment (Windows PE), as an offline migration. Windows PE provides a minimal version of Windows that can be used for several tasks on a Windows computer, including deployment and troubleshooting. You can use the Windows 10 installation media to run Windows PE, or you can create a standalone copy of Windows PE to run from bootable media, such as a DVD, removable hard drive, or USB flash drive.

MIGRATING USER PROFILES WITH USMT

When you’re prepared to perform the migration process with USMT, you need to perform the following high-level steps:

1. Install the Windows ADK on a technician computer.

2. Use ScanState.exe to generate Config.xml, if required.

3. Modify Config.xml, MigApp.xml, MigDocs.xml, and MigUser.xml to customize the migration environment, if necessary.

4. Copy the USMT files to a network share or removable drive.

5. Create a folder on a network share or removable drive that can be used as a migration store.

6. On the source computers, run ScanState.exe from the network share or removable drive to collect files and settings,

7. Install Windows 10 on the destination computers that will be part of the migration.

8. On the destination computers, run LoadState.exe from the network drive or removable drive to apply the files and settings in the migration store.

This process is commonly run as part of a Windows PowerShell or startup script to migrate profiles on multiple computers or across an enterprise.

Skill 2.2: Configure Hyper-V

In Windows 10, Hyper-V provides a virtualization platform that enables you to run virtual machines hosted on a Windows 10 computer. These virtual machines run on the same platform as Hyper-V in Windows Server products, which makes Windows 10 a capable environment for building and testing virtual machines destined for the production virtualization environment. This chapter will familiarize you with the primary functionality and components of Hyper-V.

Create and configure virtual machines

Prior to creating virtual machines, you must ensure that your Windows 10 computer supports Hyper-V and that the Hyper-V feature is installed. To support Hyper-V, your Windows 10 computer must meet the following minimum requirements:

Windows 10 Professional, Enterprise or Education 64-bit edition

A processor that supports Second Level Address Translation (SLAT)

4 GB of RAM

BIOS or UEFI-level hardware virtual support

Enabling the Hyper-V feature

To enable the Hyper-V feature, open Programs And Features in Control Panel and click Turn Windows Features On Or Off. In the Windows Features dialog box, expand Hyper-V and select all of the check boxes under the Hyper-V node, as shown in Figure 2-4.

Creating a virtual machine

Hyper-V Manager, shown in Figure 2-5, is the GUI tool that you use to perform Hyper-V configuration tasks.

To create a virtual machine, perform the following steps:

1. In Hyper-V Manager, on the Action menu, point to New, and then click Virtual Machine.

2. Click Next to start the creation process.

3. Specify the name and location of the new virtual machine. It’s best, for now, to keep the default location, so click Next.

4. Choose the Generation option that best suits your needs and click Next:

   Generation 1 supports the same virtual hardware that the previous version of Hyper-V did. You can use it on operating systems including Windows Server 2008 and Windows 7, among others.

   Generation 2 supports Secure Boot, SCSI boot, and PXE boot using a standard network adapter. Guest operating systems must run at least Windows Server 2012 or a 64-bit version of Windows 8 or later.

5. Enter the amount of startup memory required and choose whether to use dynamic memory for this machine. Click Next.

6. On the Configure Networking page, click Next. You’ll only see options here if you’ve previously created Network Switch settings.

7. Verify that the Create A Virtual Hard Disk option is selected and that the settings are correct. Click Next.

8. For our example here, leave Install An Operating System Later selected and click Next (you could opt to install an operating system now, though).

9. Click Finish (note the new virtual machine in the bottom pane of the Hyper-V Manager).

10. Leave the Hyper-V Manager open.

Configuring a virtual machine

There are several configuration tasks that you can perform on a virtual machine, including the following:

Change memory and processor settings. The virtual machine must be in a Stopped state to perform either of these on a Generation 1 virtual machine, but memory settings can be modified on a Generation 2 virtual machine while the virtual machine is running.

Attach or detach virtual hard disk (VHD) files.

Change network adapter settings.

Attach virtual DVD or floppy-disk media.

To configure a virtual machine, right-click the virtual machine in Hyper-V Manager, and then click Settings. In the GUI, all settings can be configured in the Settings for Windows dialog box, as shown in Figure 2-6.

Configuring virtual machines by using Windows PowerShell

Windows 10 contains a full set of Windows PowerShell cmdlets that you can use to configure your virtual machine. Windows PowerShell can help to ease administrative effort when performing repetitive configuration tasks or configuration tasks that need to be performed on multiple VMs.

WINDOWS POWERSHELL DIRECT

Windows PowerShell Direct is a new Hyper-V feature in Windows 10. Windows PowerShell Direct enables you to run PowerShell commands remotely on a Windows Hyper-V virtual machine without starting an active Hyper-V console session on the host computer.

The way Windows PowerShell Direct works is similar to Windows PowerShell remoting, except that with Windows PowerShell Direct, you can specify the name of a virtual machine being hosted on the computer rather than on a remote network computer. For example, both of the following commands enable you to run Windows PowerShell cmdlets on a virtual machine:

Click here to view code image

Enter-PSSession -VMName VMName

Invoke-Command -VMName VMName -ScriptBlock { commands }

Create and manage checkpoints

Checkpoints are used to save the state of a virtual machine. A checkpoint includes all of the contents on the hard disk, along with virtual machine configuration settings. If you need to return a virtual machine to a configuration that existed at a previous point in time, you can restore a checkpoint if one has been made. You create checkpoints manually, either through Hyper-V Manager or by using the Checkpoint-VM cmdlet for Windows PowerShell.

CREATE A CHECKPOINT

To create a checkpoint, perform the following steps:

1. In Hyper-V Manager, right-click the VM for which you want to create a checkpoint.

2. In the menu, click Checkpoint.

3. The new checkpoint will appear in the Checkpoints pane, as shown in Figure 2-7.

RESTORE A CHECKPOINT

To restore a checkpoint for a virtual machine, right-click the checkpoint that you want to restore, and then click Apply. After the checkpoint is applied, the virtual machine returns to the state it was in when the checkpoint was taken.

Create and configure virtual switches

Virtual switches enable you to control how your virtual machines are connected to each other, the host computer, and the rest of your network.

There are three types of virtual switches in Hyper-V:

External Allows the VM to connect to a physical NIC on the computer to communicate with the external network, in the same logical way that the host computer is connected to the network

Internal Allows the VM to communicate with the host computer and other virtual machines connected to the same switch

Private Enables the virtual machine to communicate only with other virtual machines connected to the same switch

To create a virtual switch, perform the following steps:

1. In the Hyper-V Manager, click Action, and then click Virtual Switch Manager, shown in Figure 2-8.

   

   FIGURE 2-8 The Virtual Switch Manager

2. In the Virtual Switch Manager For window, select the type of switch to create (you can select External here, if you’re performing these steps).

3. Click Create Virtual Switch.

4. From the drop-down list under What Do You Want To Connect This Virtual Switch To, select the external network to use, if applicable. For now, you need to select an Ethernet-based solution. You can also enable virtual local area network (VLAN) identification if the network switch is going to be used with a specific VLAN.

5. Click OK.

6. If prompted, click Yes to apply the changes.

After you have created the switch, you can test it. If you created an external switch, for example, you can test connectivity to the Internet easily. You can also open the Virtual Switch Manager from the Action pane displayed on the right in the Hyper-V Manager console and rename the new switch.

Create and configure virtual disks

Virtual machines need VHDs to function. VHDs are files that you can transport on a USB flash drive. These files are in the format of either VHD or VHDX. VHDs reside on the host computer and contain either an operating system or data that is used by the virtual machines. You can boot to a VHD if the host is running Windows 7 or later.

There are two main differences between the two types of VHD formats:

VHD can be as large as 2048 GB (about 2 TB). You use this format when you know you’ll be running the VHD on older operating systems, specifically anything before Windows Server 2012 and Windows 8.

VHDX can be much larger, up to 64 TB. It is not compatible with versions of Hyper-V or operating systems created before Windows Server 2012 or Windows 8. You use this format when you know you’ll be using the VHD on compatible machines. VHDX also provides the following benefits:

Protection against data corruption when there is a power failure (because updates are logged effectively)

Improved performance on large-sector disks

Larger block sizes for dynamic and differencing disks to enhance performance

Custom metadata that can be used to record information about the file, such as operating system version, among other things

The use of “trim” technology to reduce file size and to access and use free disk space (“trim” requires disks to be directly attached to the VM, and hardware must be compatible)

To create a VHD from the Hyper-V Manager, perform the following steps:

1. In the Action pane, click New, and then click Hard Disk.

2. Select the file type format to use (VHD or VHDX), the Size (Fixed, Dynamically Expanding, or Differencing), Name, and Location, and then opt how to configure the disk. If you want to apply the VM you created in this section, in the Name box you’ll need to type the name of the VM to use. When prompted, create a new blank VHD.

3. You can now attach the hard disk to a VM, export it, import it, inspect it, or perform other administrative tasks, as necessary.

Move virtual machine storage

The easiest way to move a VM is to shut it down, export it to the new disk, and then import it to the new location. You might need to export a VM from your production environment, open it somewhere else (perhaps on your desktop with Client Hyper-V), perform any required troubleshooting, and then export it back to the production environment.

To move a virtual machine, follow these steps:

1. In the Hyper-V Manager Wizard, right-click the VM to move and click Shut Down. Click Shut Down again to verify.

2. Wait until the state of the VM shows Off. Then right-click the VM and click Export.

3. Specify where to save the file or click Browse to choose a location. If you receive an Error message, save to a different location or create a subfolder.

4. Click Export.

5. If desired, open the folder that contains the exported VM and note the subfolders: Snapshots, Virtual Hard Disks, and Virtual Machines.

When you import the VM, you work through a similar wizard that prompts you to browse to the VM, select the VM, and provide other necessary details. Once you’ve specified these details, you are prompted to select an Import Type. The three options are described here:

Register The Virtual Machine In-Place (Use The Existing Unique ID For The VM) If you only need to start using the VM where it is currently stored and you don’t want to move it or copy it, choose this option.

Restore The Virtual Machine (Use The Existing Unique ID For The VM) If your VM files are stored on a file share, a removable drive, a network drive, and so on, and you want to move the files, choose this option.

Copy The Virtual Machine (Create A New Unique ID For The VM) If you have a folder of VM files that you want to import multiple times (perhaps you are using them as a template for new VMs), choose this option and copy the files.

To import a VM, perform the following steps:

1. Open Hyper-V on the target computer.

2. In the Actions pane, click Import Virtual Machine.

3. Click Next on the Import Virtual Machine Wizard.

4. Click Browse to locate the top-level folder associated with the export process, and then click Next.

5. Select the VM to import, and then click Next.

6. Read the options available to you and choose how to register the VM. (Here we restore the VM and use the existing unique ID.) Click Next.

7. Accept the default store folder for the VM files, and click Next. If you receive an error message, create a new folder inside the default store to hold the files.

8. Accept the default store folder for the VHDs, and click Next. If you receive an Error message, create a new folder inside the default store to hold the VHD.

9. Click Finish.

Skill 2.3: Configure mobility options

Many Windows 10 computers, such as laptops and tablets will not remain stationary in an office, but be used as mobile devices, moving from location to location. You need to understand the considerations for mobile devices pertaining to power and battery configuration, file synchronization, and network connectivity. This chapter will show you how to configure mobility options in Windows 10.

Configure offline file policies

Remote connectivity for mobile devices has become increasingly more common through virtual private network (VPN) and DirectAccess, in conjunction with Wi-Fi and mobile broadband network connectivity. In a remote connectivity situation, users can connect to network file servers when they are away from the office. However, there are instances when no connection can be made, and users still need access to their files. You can allow offline access for your Windows 10 users by configuring Offline Files and then creating policies to manage it.

When the Offline Files feature is enabled, specified network files are cached locally for offline access when the device isn’t connected to the corporate network. A Windows 10 computer will access the local cache in the following scenarios:

The Always Offline Mode has been enabled. This feature provides faster access to files and uses less bandwidth by letting the user always work offline, even when a connection is available.

Cost-Aware Synchronization is configured and enabled. This helps users avoid high data-usage costs from synchronization while using metered connections that have usage limits or while roaming on a different network.

The server is unavailable due to a network outage or server malfunction, or the network connection is slower than a threshold you’ve configured, and thus working offline could be more efficient for the user.

The user manually switches to Offline Mode (perhaps to optimize bandwidth usage on a metered connection) by clicking the Work Offline button in File Explorer.

Administrators create policies that define the use of Offline Files, either in a domain or on the local machine. Those policies can be located in the applicable Group Policy Editor. Two policies are discussed here enabling Always Offline Mode and enabling File Synchronization On Costed Networks, but you need to become familiar with all of the Group Policy options for working with Offline Files.

To enable the Always Offline Mode, use Group Policy to enable the Configure Slow-Link Mode policy setting and set the latency to one (millisecond). Doing so causes client computers running Windows 8 or later and Windows Server 2012 or later to automatically use the Always Offline Mode. Follow these steps:

1. Open Group Policy Management Console.

2. Right-click the Group Policy Object (GPO) you want to use and click Edit.

3. Navigate to Computer Configuration, Policies, Administrative Templates, Network, and Offline Files.

4. Right-click Configure Slow-Link Mode and click Edit.

5. Click Enabled.

6. In the Options box, click Show (you might have to scroll).

7. In the Value Name text box, specify the file share for which you want to enable Always Offline Mode or type *. to enable this for all file shares.

8. In the Value box, type Latency=1, and then click OK.

9. Click OK again.

To enable background file synchronization of Offline Files for a group of users while using metered connections, use Group Policy to enable the Enable File Synchronization On Costed Networks policy setting for the appropriate GPO by following this procedure:

1. Open Group Policy Management Console.

2. Right-click the GPO you want to use and click Edit.

3. Navigate to Computer Configuration, Policies, Administrative Templates, Network, Offline Files.

4. Right-click Enable File Synchronization On Costed Networks, and click Edit.

5. Click Enabled.

6. Click OK, and then click OK again.

Configure sync options

This Skill focuses on configuring sync options, not on creating sync partnerships. However, you need to know how to create a sync partnership anyway, so we briefly cover that here. With that done, you’ll review how to configure sync options in Sync Center, including scheduling when syncing should happen and under what circumstances.

Sync Center and configuring sync options

To practice with Sync Center and configure options you need to first create a sync partnership on a computer running Windows 10. To do this, navigate to a share on a different computer or file server, right-click that share, and click Always Available Offline. After that is done, on that same Windows 10 computer, open Sync Center. You can access Sync Center (shown in Figure 2-9) from Control Panel when viewing in the Large icons or Small icons view. Make a note of the options on the left side before continuing you can use these once after syncing is configured, to manage syncing. One option, Manage Offline Files, lets you view the Offline Files dialog box, where you can disable offline files, view offline files, check disk usage, encrypt your files, and more.

In Sync Center, once a sync partnership is available, you can opt to sync everything, or you can select the Offline Files folder, click Schedule (not shown), and follow the wizard to configure sync settings. There are two options:

At A Scheduled Time; for example, every Monday at 11 A.M. or every day at 2 A.M.

When An Event Occurs; for example, every time you log on to your computer

Depending on your choice, you can opt for more scheduling options, such as only syncing when the computer has been idle for a specific amount of time or if the computer is running on external power (and not on its battery).

Managing Power Settings

Windows 10 enables users to manage power settings in a number of different ways. These include using the Settings app, configuring power plans in Control Panel, using the powercfg.exe command-line tool, and using group policies.

Using the Settings app

To manage power by using the Settings app, use the following procedure:

1. Click Start, and then click System.

2. In System, click Power & Sleep, as shown in Figure 2-10.

   

   FIGURE 2-10 Configuring Power & sleep options

3. In the details pane, under the Screen heading, set a time interval to manage the On battery power, and turn off after setting. The default is five minutes.

4. Set a time interval to manage the When Plugged In Turn Off After setting. The default is 10 minutes.

You can also configure battery settings. In the System category of the Settings app, click the Battery tab, as shown in Figure 2-11, and then:

1. Select the Turn battery saver on automatically if my battery falls below check box, and then use the slider bar to set a percentage value. The default is enabled for 20%.

2. Select the Lower screen brightness while in battery saver check box.

If you want to know more about which apps are consuming battery, click the Battery Usage By App link.

Configure power plans

You can exert more granular control over your computer’s power settings by using the Power Options link in Control Panel. You can switch power plans and you can also configure these options:

Require a password on wakeup

Choose what the power buttons do

Choose what closing the lid does

Create a power plan

Choose when to turn off the display

Change when the computer sleeps

If you aren’t already familiar with these features, take some time now to explore them. Make sure to create your own personal power plan by using the Create A Power Plan option in the Tasks pane of the Power Options dialog box, because you might see something about that on the exam. You might also be asked to state how many minutes must pass for each of the three default plans (Balanced, High Performance, Power Saver) before the computer goes to sleep or turns off the display, when running on its battery, or when plugged in. Additionally, and you can explore this on your own, you’ll need to know how to monitor battery usage from the Notification area of the Taskbar and how to change common mobility settings such as the power plan type, display brightness, and so on.

Beyond these end-user tools for managing power, there are other power-related items on which you’ll be tested, including how to use the command-line tool Powercfg.exe to view and export power plans and configure power policies using Group Policy. Because these are less common and likely less familiar, these concepts will be covered here.

Using Powercfg.exe

Powercfg.exe is a command-line tool you can use to configure settings that aren’t available from Control Panel or Group Policy. One of the things you can do here is to export a power management plan to a file and then import it to another computer. To get a list of the available power plans using this command, type powercfg.exe list at a command prompt. If you haven’t yet created any custom plans, you’ll only see the three default plans that come with Windows 10, as shown in Figure 2-12. Choose the plan to export and note the GUID value. To export the policy, open an elevated command prompt, and run powercfg.exe export power.pow GUID (where this is the GUID value for the plan to export).

There are some other parameters you can use with Powercfg.exe. You must review these so that you are familiar with everything that’s offered. Here are a few you might want to try now, just to get a feel for the command:

changename

-delete

-setactive

deviceenablewake and devicedisablewake

Creating power policies

As with most Windows 10 components, you can use Group Policy to set policies related to the available power plans. Use the Group Policy Management Editor to navigate to Computer Configuration, Administrative Templates, System, Power Management. When you expand Power Management in the left pane you can see the additional containers: Button Settings, Hard Disk Settings, Notification Settings, Sleep Settings, and Video And Display Settings. In the right pane you can see two options: Specify A Custom Active Power Plan and Select An Active Power Plan. The available options from Windows 10, using the Local Group Policy Editor are shown in Figure 2-13. As with any other Group Policy, you double-click the policy to access the options to configure it.

When you click one of the five nodes under Power Management, more options appear. You can control every aspect of power management here. For instance, in the Sleep Settings node, you can configure, enable, and disable the following (and more):

Specify the system sleep timeout (plugged in)

Specify the system sleep timeout (on battery)

Require a password when the computer wakes (plugged in)

Require a password when the computer wakes (on battery)

Allow standby states (S1 S3) when sleeping (plugged in)

Allow standby states (S1 S3) when sleeping (on battery)

You need to explore all of the policies in every node before continuing.

Configure Windows To Go

Windows To Go enables users to run Windows 10 from a USB flash drive. Users can plug the Windows To Go flash drive in any computer that supports USB boot. It’s like having a PC in your pocket. However, it does have limitations and specific requirements:

The host PC must meet the Windows 7 Certification requirements, but it can run any operating system. Those requirements are available here: http://msdn.microsoft.com/en-us/library/windows/hardware/dn423132. They include, but are not limited to, USB boot compatibility, 1 gigahertz (GHz) or faster processor, 2 GB or more RAM, DirectX 9 graphics device with Windows Display Driver Model (WDDM) 1.2 or greater driver, and an available USB 2.0 port or greater.

Windows To Go is not intended to replace desktops, laptops, or mobile devices such as tablets. It is meant to support short-term, alternative workplace scenarios.

Windows To Go is only available for Enterprise customers who are part of the Microsoft Software Assurance program.

Internal disks are offline to ensure data isn’t accessed from the Windows To Go device. Likewise, if a Windows To Go drive is inserted into a running system, the Windows To Go drive will not be listed in File Explorer by default.

Trusted Platform Module (TPM) can’t be used because TPM is tied to a specific computer and Windows To Go drives are associated with multiple computers.

Hibernate is disabled by default in Windows To Go, although this can be changed in Group Policy settings.

Windows Recovery Environment isn’t available, and neither is refreshing or resetting. If there is a problem with Windows To Go, the drive needs to be reimaged.

In addition to the USB boot support in the BIOS, the Windows 10 image on the Windows To Go drive must be compatible with the processor architecture and firmware type (32-bit Windows To Go on 32-bit hosts, 64-bit Windows To Go on 64-bit hosts for Unified Extensible Firmware Interface [UEFI] BIOS, and 32-bit Windows To Go on 64-bit Legacy BIOS).

Consider the following Windows To Go features:

Store apps can roam between multiple PCs on a Windows To Go drive.

Windows To Go will detect all hardware on the host computer and install necessary drivers. When the Windows To Go workspace is used again on that same computer, it will recognize it’s already been used and load the correct set of drivers automatically.

Administrators can create Windows To Go drives using the same deployment tools they use to deploy Windows in an enterprise, namely DiskPart and the Deployment Image Servicing and Management (DISM) tool. When creating an image, make sure to include everything you’ll need, such as device drivers, sync tools, and remote connectivity options if used outside the company network.

Windows To Go is best configured on certified Windows To Go USB drives. The drives must be USB 3.0, although they can be used in USB 2.0 ports on a host computer.

There are also a few Group Policy settings for Windows To Go. You can find those settings in Computer Configuration, Administrative Templates, Windows Components, and Portable Operating System. You can enable or disable these to manage hibernation options and sleep states, and to set default startup options. To learn more about these settings, double-click an option to review and read the relevant information in the Help window. The Help information for Allow Hibernate (S4) When Starting From A Windows To Go Workspace offers this: specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. It goes on to explain that if enabled, the PC can hibernate; if disabled, the PC can’t hibernate.

On the host side, users can search for Windows To Go from the Start screen and click Change Windows To Go Startup Options. From there, they can enable the host to boot from a Windows To Go workspace. To boot to the Windows To Go workspace, insert the USB drive and do one of the following:

If the computer has already been configured to boot to the USB drive and a Windows To Go workspace, the user can simply reboot or turn on the computer.

If the computer is not USB-boot enabled, the user can reboot the computer, press the required key combination to access the boot menu (perhaps F12 or F2), and choose the USB Drive from the list.

If the computer is turned on and the operating system is available, the user can use the Advanced Startup options to reboot using a device. You’ll find that in the Settings app, under Update And Recovery, Recovery.

Creating a workspace by using the Windows To Go Workspace Wizard

To create a Windows To Go workspace on a USB drive, you need to work through the Create A Windows To Go Workspace Wizard. The basic steps are outlined next.

1. Mount the Windows 10 installation file or image on the Windows 10 Enterprise computer.

2. Insert the certified Windows To Go 3.0 USB drive into an available USB port and start the Create A Windows To Go Workspace Wizard.

3. Work through the wizard to do the following:

   Select the USB flash drive to use.

   Select the image to use.

   Opt whether to protect and encrypt the drive with BitLocker and a password, which is a good idea because USB drives are prone to being misplaced or stolen.

   Opt whether to boot to the new Windows To Go workspace now.

Creating a workspace by using Windows PowerShell

You can use Windows PowerShell to create a Windows To Go workspace. Although the wizard is easier to use, you’ll need to use Windows PowerShell if you want to automate or customize the process or if you want to create multiple workspaces simultaneously. The script required to perform these tasks is quite complex and includes preparing the flash drive with a system partition and a Windows partition and assigning drive letters. You’ll have to apply the image using the available Deployment Image Servicing and Management (DISM) tools. You can use the BCDboot command-line tool to install the applicable boot files for both UEFI and BIOS. There are quite a few steps involved, but in an enterprise it’s worth the effort.

Configure Wi-Fi Direct

Windows 10 computers can now directly connect to compatible devices one on one, using Wi-Fi Direct, without requiring an intermediary like a router or network access point. Users might use these types of connections to quickly transfer files to other workers using a computer-to-computer connection, or they might even transfer media or perform media streaming to other devices. You’ll need to use Netsh to pair the two devices, only one of which has to support Wi-Fi Direct. Once connected, the connected device will appear in the Settings apps in the same way other devices do when they are connected.

You’ll combine Netsh with wireless local area network (WLAN) and the desired parameters to connect with Wi-Fi Direct. Here are some of the available parameters you can use with Netsh WLAN at an elevated command prompt:

Connect This parameter connects to a wireless network. You’ll have to use connect name= to input the profile name and service set identifier (SSID)= to input the SSID.

Export hostednetworkprofile This parameter saves WLAN profiles to Extensible Markup Language (XML) files.

Refresh hostednetwork This parameter refreshes hosted network settings.

Set This parameter sets configuration information. You’ll have to add tags such as the SSID, name of the profile, and so on.

Show all This parameter displays information for all networks that are currently visible.

Start hostednetwork This parameter starts the hosted network.

Stop hostednetwork This parameter stops the hosted network.

Skill 2.4: Configure security for mobile devices

You can prevent data from being accessed when mobile devices (or hard drives) are lost or stolen. You can use the same technologies to protect against boot attacks, too, like rootkits. There are other ways to secure devices, though, by using Group Policy settings, preventing apps from obtaining a user’s location, encrypting data, using VPNs, and more. Here, you’ll review only about BitLocker and how to manage startup keys.

Configure BitLocker

BitLocker Drive Encryption lets you encrypt entire hard disks and disk volumes, which include the Windows operating system drive, user files, and system files. You can use BitLocker to protect 32-bit and 64-bit computers running Windows 10. On computers that have a trusted platform module (TPM) version 1.2 or 2.0, BitLocker can also ensure that data is accessible only if the boot components of the computer haven’t been compromised (altered) and if the disk is still installed in the original computer.

When using BitLocker, you have the option of requiring users to enter a password to unlock the drive when they want to use it. You also have the option of requiring multifactor authentication perhaps by adding a smart card or a USB drive with a startup key on it on computers with a compatible TPM. BitLocker can also be managed through Group Policy. For instance, you can require that BitLocker be enabled before the computer can be used to store data.

When configuring BitLocker, you must consider the following:

The requirements for hardware and software This includes TPM versions, BIOS configuration, firmware requirements, drive size, and so on.

How to tell if your computer has a TPM An administrator might opt to type TPM.msc and click Enter in a Run dialog box. An end user might opt to access Control Panel, All Items, open BitLocker Drive Encryption and see if he can turn on BitLocker. If a TPM isn’t found, you’ll have to set the required Group Policy to Require Additional Authentication At Startup, which is located in Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives. You need to enable this and then select the Allow BitLocker Without a Compatible TPM check box.

What credentials are required to configure BitLocker Only Administrators can manage fixed data drives, but Standard users can manage removable data drives (the latter can be disabled in Group Policy). Standard users can also change the PIN or password on operating system drives to which they have access via BitLocker.

How to automate BitLocker deployment in an enterprise One way is to use the command-line tool Manage-bde.exe. Manage-bde command-line tools you might use in your own work are detailed later in this section. There are other ways, including using Windows Management Instrumentation (WMI) and Windows PowerShell scripts.

The reasons why BitLocker might start in recovery mode Reasons include disabling the TPM, making changes to the TPM firmware, making changes to the master boot record, and so on.

How to manage recovery keys Recovery keys let you access a computer in the event that BitLocker doesn’t permit access. There are many ways to store these keys for fixed drives, including saving them to a folder or your Microsoft account online, printing them, and storing the keys on multiple USB drives.

Configuring BitLocker in Control Panel

Before you configure BitLocker, there are a few more things to know. The first time you enable BitLocker, you’ll be prompted to create a startup key. This is what’s used to encrypt and decrypt the drive. The startup key can be stored on a USB drive or the TPM chip. If you opt for USB, you’ll have to insert that USB drive every time you want to access the computer, and you’ll also have to enter the key. If a compatible TPM chip is used, the key retrieval is automatic. You can also opt for a PIN. This can be created only after BitLocker is enabled. If you lose the startup key, you’ll need to unlock the drive using a recovery key. This is a 48-digit number that can be stored in numerous ways, including on a USB drive.

There are five authentication methods for protecting encrypted data using BitLocker, consisting of various combinations of TPM, startup PIN, and startup keys; just a TPM; or just a startup key. Here is a brief summary of these options:

TPM + startup PIN + startup key This is the most secure, but it requires three authentication tasks. The encryption key is stored on the TPM chip, but an administrator needs to type a PIN and insert the startup key (available on a USB drive).

TPM + startup key The encryption key is stored on the TPM chip. In addition to this, the administrator needs to insert a USB flash drive that contains a startup key.

TPM + startup PIN The encryption key is stored on the TPM chip, and an administrator needs to enter a PIN.

Startup key only An administrator needs to insert a USB flash drive with the startup key on it. The computer doesn’t need to have a TPM chip. The BIOS needs to support access to the USB flash drive prior to the operating system loading.

TPM only The encryption key is stored on the TPM chip, and no administrator login is required. TPM requires that the boot environment has not been modified or compromised.

Additionally, the drive that contains the operating system must have two partitions, the system partition and the operating system partition, both of which need to be formatted with NTFS.

To configure BitLocker and encrypt the operating system drive on a Windows 10 computer, follow these steps:

1. Open Control Panel, change the view to Small Icons or Large Icons, and click BitLocker Drive Encryption.

2. Click Turn On BitLocker (if you receive an error that no TPM chip is available, enable the required Group Policy setting).

3. Choose how to unlock your drive at startup; Enter A Password Is Chosen in this example.

4. Enter the password, re-enter to confirm, and then click Next.

5. Opt to save the password; Save To Your Microsoft Account is selected in this example.

6. Click Next (in this instance, you can perform this step again to perform a secondary backup before moving on).

7. Choose to encrypt either the used disk space or the entire drive. Click Next.

8. Leave Run BitLocker System Check selected, and click Continue.

9. Click Restart Now. If prompted, perform any final tasks, such as removing CDs or DVDs from drive bays, and then click Restart Now again, if necessary.

10. On boot-up, type or provide the startup key.

11. Note the pop-up notification in the Desktop taskbar that encryption is in progress. It will take some time to complete.

Return to Control Panel and review the BitLocker window. Note that from there you can perform additional tasks, including backing up your recovery key, changing your password, removing the passwords, and turning off BitLocker. You can see which actions require administrator approval by the icon next to the options.

Configuring BitLocker by using the Manage-bde tool

You don’t have to use Control Panel to manage BitLocker Drive Encryption. You can work from a command line, using commands that can turn on or turn off BitLocker, specify unlock mechanisms, update recovery methods, and unlock BitLocker-protected data drives. Many of these commands are used in large enterprises and are not applicable to this Skill; however, there are several parameters you might use with the Manage-Bde command-line tool, including but not limited to the following:

status Use this parameter to provide information about the attached drives, including their BitLocker status, size, BitLocker version, key protector, lock status, and more.

on This parameter encrypts the drive and turns on BitLocker, used with a drive letter such as C that follows the on parameter.

off This parameter decrypts and then turns off BitLocker, used with a drive letter such as C that follows the off parameter.

pause and resume Use pause with a drive letter to pause encryption; use resume with a drive letter to resume encryption.

lock and unlock Use these parameters with a drive letter to lock and unlock the drive.

changepin This parameter changes the PIN for the BitLocker-protected drive.

recoverypassword Use this parameter to add a numerical password protector.

recoverykey This parameter adds an external key protector for recovery.

password Use this parameter to add a password key protector.

Configure startup key storage

This section covers how to configure startup key storage. However, to understand what a startup key is, you need to first understand what it isn’t. There are several key management terms to contend with:

TPM owner password You need to initialize the TPM before you can use it with BitLocker Drive Encryption. When you do, you create a TPM owner password that is associated only with the TPM. You supply the TPM owner password when you need to enable or disable the TPM or reset the TPM lockout.

Recovery password and recovery key The first time you set up BitLocker, you are prompted to configure how to access BitLocker-protected drives if access is denied. This involves creating a recovery key. You’ll need the recovery key if the TPM cannot validate the boot components, but most of the time, a failure to access a BitLocker drive occurs because the end user has forgotten the PIN or password.

Password A password can be used to protect fixed, removable, and operating system drives. It can also be used with operating system drives that do not have a TPM. The password can consist of 8 to 255 characters as specified by the Configure Use Of Passwords For Operating System Drives, Configure Use Of Passwords For Removable Data Drives, and Configure Use Of Passwords For Fixed Data Drives Group Policy settings.

PIN and enhanced PIN If you use a TPM, you can configure BitLocker with a PIN that the user needs to enter to gain access to the computer. The PIN can consist of 4 to 20 digits as specified by the Configure Minimum PIN Length For Startup Group Policy setting. Enhanced PINs use the full keyboard character set in addition to the numeric set to allow for more possible PIN combinations. You need to enable the Allow Enhanced PINs For Startup Group Policy setting before adding the PIN to the drive.

Startup key You use a startup key, which is stored on a USB flash drive, with or without a TPM. The USB flash drive must be inserted every time the computer starts. The USB flash drive needs to be formatted by using the NTFS, FAT, or FAT32 file system.

Now that you know what a startup key is, you can save your computer’s startup key on a USB flash drive. Right-click the BitLocker-protected drive to get started and then follow the prompts.

Thought experiments

In these thought experiments, demonstrate your skills and knowledge of the topics covered in this chapter. You can find the answers to these thought experiments in the next section.

Scenario 1

You are the network administrator of a 2012 Active Directory domain. All 20 client computers run Windows 10. One of your users purchased her own computer and brought it to work, and it too runs Windows 10 Enterprise. You approve the computer and join it to the domain. There are some issues, though.

1. After logging on to the domain, the user can’t access her personal data. What should you do?

2. You want the data the user would normally save to her Documents folder to instead be saved to a share on the network. What should you do?

3. The user wants her local user profile to follow her from computer to computer. What should you do?

Scenario 2

You need to create a VM using a Windows 10 computer as the host that you can move from computer to computer on a USB drive. You’ll be using the VM on a Windows Server 2012 computer in the production environment. The VM needs to support Secure Boot and PXE Boot. Answer the following questions:

1. When you create the VM, which Generation option should you choose?

2. Will you need a valid product ID for the operating system you will be installing on the VM?

3. You want the VM to be able to communicate with other VMs on the host computer, but not with any host computer directly. What type of virtual switch should you configure?

4. When you configure your VHD, what file format should you use?

5. To export the VM stored on the USB drive, which export option should you choose?

Scenario 3

You have users who need access to the files stored in the file servers of your company, no matter where they are. You have configured Offline Files to enable this. It’s working well except that when the users are on metered connections or are roaming with a cellular connection, the costs are high. You want to reduce or better yet, eliminate these costs. All users are running Windows 10.

1. What feature available with Offline Files would you enable in Group Policy to help users avoid high data-usage costs from synchronization while using metered connections that have usage limits or while roaming on another network?

2. What feature available with Offline Files would you enable in Group Policy to provide fast access to files while also limiting the bandwidth used by having the users work offline even if a connection is available?

3. You also want users to work offline when they aren’t on metered networks if the connection is very slow. You’ve configured a threshold for this in Group Policy. Does the user need to do anything when this threshold is met?

4. Can you configure Offline Files and these settings if your servers are running Windows Server 2008 R2?

Scenario 4

A client wants to enable BitLocker on her laptop and has called you to set it up. She wants to protect the data on the computer if the computer is stolen or if the hard drive is removed. You need to find out if a compatible TPM chip is available, and if not, configure the computer so that BitLocker can be used effectively.

1. What can you type in a Run box to find out if a compatible TPM is available on the computer?

2. If a TPM is not found, what policy do you need to change in Local Group Policy on the computer?

3. If a TPM is not found, what must be true regarding the BIOS or UEFI firmware?

4. If a TPM is found, what is the most secure authentication option to apply during startup?

Thought experiment answers

This section provides the solutions for the tasks included in the thought experiment.

Scenario 1

1. Use USMT to transfer the user’s local profile to her domain profile.

2. Configure folder location.

3. Configure a roaming user profile.

Scenario 2

1. Generation 2, because it supports the listed requirements and Generation 1 doesn’t.

2. Yes. All installations of an operating system, even those installed on virtual drives, require a product ID.

3. Private. You want the VM to be able to communicate with other VMs on the host computer, but not with any host computer directly. The other options, External and Internal, do not meet these criteria.

4. VHDX. Although you won’t likely need the feature that enables the disk to be up to 64 TB, you do use this format when you know you’ll be using the VHD on Windows Server 2012 and later or Windows 8 or later.

5. Restore The Virtual Machine (Use The Existing Unique ID For The VM). If your VM files are stored on a file share, a removable drive, a network drive, and so on, and you want to move it, choose this option.

Scenario 3

1. Cost-Aware Synchronization

2. Always Offline Mode

3. No, the computer will go offline when the threshold is met.

4. No. Always Offline and Cost-Aware Synchronization are only available for clients and servers running the latest operating systems.

Scenario 4

1. TPM.msc.

2. You’ll need to set the required Group Policy to Require Additional Authentication At Setup, which is located in Computer Configuration, Administrative Templates, Windows Components, BitLocker Drive Encryption, Operating System Drives. You need to enable this and then select the Allow BitLocker Without A Compatible TPM check box.

3. The BIOS or UEFI firmware must have the ability to read from a USB flash drive in the boot environment.

4. TPM + startup PIN + startup key.

Chapter summary

You can configure user profiles to support user environments in Windows with local profiles, roaming profiles, and mandatory profiles.

You can change the default location for several folders in the user profile to another location, including a network location.

You can use the USMT to migrate user profiles and user files for one or many Windows computers.

To use Hyper-V in Windows 10, the host computer must:

Have Windows 10 Professional, Enterprise or Education 64-bit installed.

Have a compatible Second Level Address Translation (SLAT) processor.

Have 4 GB of RAM and BIOS-level hardware virtualization support.

You create VMs in order to use a single computer to house multiple operating systems to test various hardware and software scenarios as well as to save money, resources, space, power consumption, and more.

Checkpoints let you take snapshots of the configuration of a VM. You can restore to a saved checkpoint at any time.

Virtual switches can be used to configure the network environment and to separate and secure multiple VMs.

Virtual disks let you port VMs and are saved as either VHD or VHDX file formats. VHDX is the newer format and is compatible only with Windows Server 2012 or later and Windows 8 or later.

The Offline Files feature enables users to work with their personal files even when they aren’t connected to the network. Administrators can control behavior through Group Policy settings.

Power plans help users to manage battery life on mobile devices. Administrators can manage power plans by using the Powercfg.exe tool and Group Policy.

Windows To Go enables users to run Windows 10 from a USB flash drive.

Wi-Fi Direct lets users share files without an intermediary network device.

BitLocker can be used to protect mobile devices and mobile drives from theft, loss, or attacks by hackers.

You need to carefully manage startup keys, recovery keys, and other items related to BitLocker Drive Encryption so that you access the drive if it is compromised or if the user forgets the PIN or password.

The command-line tool Manage-bde along with applicable parameters lets you manage BitLocker from a command line.