Deploying, Managing and Securing "the Last Windows:" Windows 10 for Win 7 Professionals
"I thought I knew Windows 10, but your
class showed me things that paid for this seminar in the first hour!"
A two-day course by Mark Minasi, author of 16 technical Windows support books, 21-year columnist for Windows IT Pro magazine, and award-winning presenter
Windows 10 arrived in July 2015, which is kinda exciting for IT pros – new tools for us! What is a bit less exciting, however, is Microsoft's current approach to documentation: a somewhat disjoint collection of blog posts. (No, we're not kidding, that really is the current approach.) So if you need to figure out what it offers, how it'll fit in your network and current hardware, and how to secure it, then buckle up and get ready for hundreds of hours of Googling…
… Or you can take our Windows 10 class. Our class is researched, written and delivered by Windows expert Mark Minasi. Mark's been under the hood of Windows 10 since its first betas, and has assembled everything he's learned into this fast-paced, entertaining one-day class that will quickly update your Windows technical support skills, help you decide if Win 10's right for your organization, and point you towards setting up your deployment plan. And just in case you skipped Windows 8 and 8.1, don’t fear – this course includes all of the 8.x changes that survived to Windows 10. (If, however, your folks are already up to speed on 8/8.1, please contact us for info on our one-day 8.1-to-10 class.)
Key Learning Points
· Understand Windows 10’s new “agile” upgrade system whereby Microsoft will deliver roughly two new versions of Windows 10 per year… and how to slow down the pace of those upgrades
· Grasp how UEFI/Secure Boot and Early Launch Anti-Malware (ELAM) add powerful new security to your systems, and how to install them
· Know how Windows 10’s revised Setup engine requires new disk layouts and expands your upgrade options
· Assist yourself in making the “upgrade from 7 or not?” call by enumerating Windows 10 changes that can extend the life of your existing hardware
· Master the basics of “Azure Active Directory” cloud-based domains and user accounts, the new identity structures that Office 365 users already have and that Windows 10 supports (somewhat)
· Discover how Windows 10’s OneGet application package manager can simplify installing new applications and managing existing ones
· See how the new “Modern” or “Universal” applications work in Windows 10 and how they offer your desktops more responsive multitasking and your systems longer battery life, and how to use the Windows Store for Business to control how your users acquire applications
· Identify how native 4K drive support and a revised CHKDSK can make your system storage faster and more resilient
· Meet dozens of PowerShell cmdlets that simplify both local and remote administration
· Uncover how Isolated User Mode and Virtual Secure Mode can protect your systems from “pass the hash” attacks
A brief overview of the course.
One of the most confusing parts about Windows 10 is that while it's "the last Windows" in name, in fact you may see up to three new versions of Windows 10 in any given calendar year. Furthermore, you must upgrade to at least one of those versions each year. This first section explains this new reality and how you can control your upgrades.
Windows 10 brings with it the usual quota of GUI changes, and you surely don't need us to explain the new Start Screen to you. But Windows 10 does bring a number of changes that can actually boost productivity for IT pros, as well as a couple of "internals" features that you might never have known about that you'll find very useful.
Back in the late 1900s, Intel had some great ideas on how to build better PCs, and some of those ideas have finally become commonplace. Among those ideas is a replacement for BIOSes called “UEFI firmware.” UEFI’s great, but with Windows 10, it becomes even better, as it enables a nice anti-malware upgrade called “Secure Boot” that goes an awful long way towards ruining the day of many a malware author. In this section, you’ll see what kind of hardware you need (you’ve actually probably already got it) and how to add Secure Boot to your security regimen. Perhaps most important, you’ll see how to avoid having BitLocker lock you out of your system after you’ve tweaked some small system setting.
A. It’s not a “BIOS,” it’s “firmware:” UEFI “BIOSes”
B. How Secure Boot works
C. Setting up a Secure Boot system
D. Alternate boots: booting from USB sticks and the like in a Secure Boot / UEFI world
E. How Secure Boot and BitLocker interact: avoiding a “BitLocker lockout” after system maintenance
Your organization might have had many reasons for skipping 8/8.1, but we’d lay odds that at least one big reason was the Start menu. Windows 10 certainly has a Start menu that is less alien than Windows 8’s, but it still needs configuring. You can raise that Start menu by just pressing the “Windows” key… and when you do, you’ll also pull up the “Search,” which as you probably now know sports a voice interface and a name, “Cortana.” You’ll want to deploy and tweak them both, and this section shows you how.
A. Get and capture a “standard Start menu”
B. Deployment options: immutable or just a suggestion
C. Start menu deployment limitations
D. The new Search: Cortana
E. Things to know: Cortana and privacy
F. Controlling Cortana with group policies
G. Finding Cortana’s settings
H. Cortana’s “Notebook”
I. Cortana and accounts: do you, um, have a Live account?
One of Windows 10’s quiet revolutions can be found in Setup.exe, which has some nice improvements. Perhaps the most interesting one is that in-place upgrades honestly do make sense now, and they’re a lot more flexible than they ever have been before. Learn about what’s new and neat in Setup in this section.
A. How in-place upgrades work: five steps
B. New Setup.exe syntax and examples
C. Default Windows 10 disk layout
D. Windows 10 insists on a recovery partition
Ever since Vista, every new version of Windows brings new and (usually) improved tools to deploy Windows. Windows 10 is no different, and offers us a somewhat different mindset in that in-place upgrade works very well now. There's also a bunch of new deployment-related concepts, which we'll cover in this section to warm you up for the WinPE 10 and WICD sections.
Back in 2001, Microsoft created the Windows Preinstallation Environment (WinPE), a cut-down, free version of Windows that simplifies troubleshooting big problems, but offered it solely to big customers. They opened it to the world in 2006, but it's always been a "nice to know" rather than a "need to know" Windows tool. With Windows 10, that changes, and so this brief section offers a quick tutorial on building WinPE and equipping it with PowerShell. You'll also learn what new features Windows 10's PE has.
Automating Windows rollouts is important and every organization wants automated deployment, but making it work is complicated. The Assessment and Deployment Kit (ADK, formerly known as the Windows Automated Installation Kit or WAIK) and its cousin Microsoft Deployment Toolkit (MDT) are terrific, powerful and free tools, but also complex ones that are sadly given a miss by many IT pros. To address that, Microsoft has created a third free automated deployment tool called the Windows Image and Configuration Designer (WICD). This tool, pronounced "wicked" (which is odd, as it contains no witches but does contain wizards), seeks to simplify deployment for regular old Windows as well as device-centric versions like Windows Phone 10. In this section, we'll explore WICD so you'll know whether or not to add it to your deployment toolkit!
Anyone who's ever done a mass deployment by grabbing users' current settings and files, saving them on a share and then flattening and rebuilding the users' computers with a new version of Windows knows the User State Migration Tool (USMT) and its two main components, Scanstate and Loadstate. (In case you've never used them, Scanstate packages up and saves your settings and files before the flatten-and-rebuild. After the flatten-and-rebuild, Loadstate recovers those files and settings and restores them to the users' systems.) USMT's great, but it only migrates the users' files and application settings, not the applications themselves. That changes with Windows 10's Scanstate, which saves not only the users' files and settings but their applications as well. Sound great? Well, it is, kind of… but there are big limitations to the new Scanstate, as you'll learn in this section.
If the machine you’re rolling out already has a copy of Windows 10 on it, you may be able to speed up your rollout with a “provisioning package,” a file you place on a USB stick, shove into the new computer, boot up the new computer and then press the Windows key five times, rapidly. In this short section, we’ll explain both the “Five Taps” and the current state of “Audit Mode.”
Deploying a new copy of an operating system gets easier and easier as time goes on, but then how do you get applications on it? For some rollouts, you can just pre-install the applications in a “golden image,” and if that’s working, then fine. But Windows 10 and PowerShell’s WMF 5.0 introduce OneGet, a set of commands that let you easily inventory existing applications on a PC or let you search “application galleries” and execute commands to quickly download and deploy applications. Even if you don’t understand PowerShell, you’ll quickly grasp the potential of OneGet and who knows, you may create an application gallery for your own organization.
A. Application packagers: NuGet, Chocolatey and more
B. Using OneGet to find and install packaged applications
C. Doing local application inventory with the OneGet cmdlets
Over the years, we’ve become used to Windows boot drives becoming larger and larger – after all, desktop storage is really cheap, right? Well… maybe not. That “cheap” storage is rotational, and a standard 2.5” form factor. But who wants that? Solid state 2.5” drives are great but smaller in capacity, and the flood of very useful, insanely cheap small laptops with skinny profiles, weight under two pounds, and a real keyboard are great… but they come with 128GB system drives. (And as those drives aren’t standard, they can’t be upgraded.) It is, then, a bit more of a priority to be able to do some housecleaning on the images we push out and the systems we deliver.
A. Deleting Windows.old without the GUI (it’s faster)
B. Understanding Windows “Side by Side,” why it’s a storage hog, and how to clean it out
C. Trimming System Restore
D. Do you need a pagefile? Windows 10’s pagefile changes the rules, and why Windows 10 runs better in two gigs than Windows 7 does
Speaking of new storage, like the eMMC solid state storage found in so many new inexpensive Windows 10 laptops, Windows 10 adds some new storage-related capabilities, not the least of which being that Microsoft finally fixed some really annoying CHKDSK behaviors. Find out more in this section.
A. Native 4K disk support
1. Why 4K sector disks?
2. 4K emulation and native
3. Win 10 native 4K support
B. New PowerShell storage cmdlets
C. Double-click that ISO: native ISO and VHD mounting
D. CHKDSK, rebooted: never fear the countdown again
As you almost certainly know, Microsoft has become heavily invested in the cloud. What you may not know is that their cloud strategies are paying off well enough that many think they'll be the top dog in the cloud business soon. That has led to the fact that more and more Microsoft services – even the free ones – are cloud-based and require you to have a Microsoft cloud identity. Once, a Hotmail account could serve that purpose, but more and more you'll need an Azure Active Directory account, even if you don't use it for anything else, and meanwhile, more and more organizations don't need any on-premises AD, so Azure AD does the job for them. This section quickly introduces just enough Azure AD to get you ready to understand an interesting new Windows 10 capability – "joining a cloud."
You already know how to join a Windows box to an AD domain. Here we'll see how and why you'd join to an Azure domain, doing a "cloud join."
If you've run a Windows 7 network, you've already got most of the tools you'll need to run a Windows 10 network, but Win 10 brings a few new management needs and solutions. We start covering that in this section with Windows 10's 42 (yes, it really is just 42) new group policy settings.
If you’ve ever used folder redirection or roaming profiles, you know that they can be great but have an annoying tendency to leave a lot of junk behind on the computers you’ve logged onto at some point in the past. Windows 10 offers an improvement in the form of the “primary computer.” Its value? You can log onto any machine that you like, but your folders or profile do not roam to that machine unless it’s in your “primary computer” list.
A. Understanding a “primary computer”
B. Gotchas: this doesn’t work in a network with Windows 7 entirely
C. Primary computer setup: modify Active Directory
D. Tracking PCs
One of the biggest changes wrought by Windows 8/8.1 – and one of the most-ignored and -reviled – was a completely new software platform named “Windows Runtime” or “WinRT.” That platform was originally intended to allow developers to create tablet-ish applications that relied almost solely on touch and large, clunky-looking interface elements. (That was where the “ignore” and “revile” part came from.) First called “Metro” apps and then “Modern” applications, the WinRT apps aimed to support a strongly secured “sandbox” as well as applications that ran as well on a standard Windows box as on the original “Surface RT” tablet and the Windows Phone platform. It was largely a flop. With Windows 10, however, Windows Runtime got a bit of a makeover and realignment to become the “Universal Windows Platform,” and UWP really pervades Windows 10, which is why this section is the first of several about “modern” and “universal” apps. Every Windows 10 admin needs to know the things in these sections because UWP in Windows 10 changes multitasking among all kinds of programs, because it actually does offer better security, and, well, it’s hard to manage a Windows 10 system without working with these applications. This first section explains WinRT / UWP and the applications that it supports.
A. Windows application program interface (API) overview: Win32 and .NET
B. Why a third API, WinRT?
C. The three types of WinRT apps
D. From WinRT to UWP: “Universal” apps
E. Your phone as a PC: Continuum
F. Modern/Universal app deployment: “the Store”
Even if you intend never to touch a Modern/Universal application, you’ll need to understand what they’ve done to your PC: they’ve made it multitask better and use a lot less power. As you’ll see in this section, you can put Windows 10 on a circa-Windows 7 system and usually get much better battery life from it, and smoother multitasking even of “non-modern” apps.
A. Juggling two kinds of apps: the new multitasking structure
B. New multitasking with the Desktop Activity Monitor (DAM)
C. App rules: the system’s watching!
D. Shooting the hogs: controlling background processes
E. Sleep, Modern style
F. I/O coalescing, low power epoch, resiliency and Network Quiet Mode: getting more bang for your battery
G. Tracking the savings with powercfg
Windows 8 brought the idea of the "Windows Store" and iPad-ish "modern applications," which has caught on slowly in most places, but the Store has morphed to include the more-widely-used "desktop" apps. Even better, Microsoft enables you to create your own tightly-defined version of the Store that lets your employees get apps that you want them to get. ("Curated" is the phrase Microsoft uses nowadays for such a store.) This was possible in Windows 8, but it suffered from blockers like "the employees need a credit card to get Store apps," or "you need System Center to set this up," but now just about anyone can create a curated Store, as you'll learn in this section.
Windows 8 and 8.1 met mixed reviews, but almost no one seems to know that many of their most undeniably cool features were in the realm of security. Windows 10 continues that tradition with the notions of Isolated User Mode and Virtual Secure Mode, two fancy-sounding terms for a set of four technologies ("trustlets" is the new phrase) that take important, high-security data and store it in what is essentially another dimension. Windows 10 can, with the right hardware, create a block of memory whose data can only be accessed by the four in-the-box trustlets, and it's essentially impossible to create a fifth. It's neat, but fairly complex to figure out how to set up… unless you attend this last section of our class.
Ever had a smartphone or a laptop start acting strangely, or perhaps needed to wipe it clean so you could give it away? As we all know, it’s pretty easy – just push the right buttons or click something in Settings, and your phone is either back in “no longer acting strangely” or “completely wiped clean” mode, and you can either start over with it, or give it away. Well, Windows 10 seeks to offer those things to your Windows laptops. In this section, you’ll learn how.
A. Introducing “pushbutton reset” or PBR
B. Simple reset versus complete reset
C. Activating it
XXIV. Windows to Go: Your Desktop on a Stick
Windows 10 Enterprise offers you the ability to install Windows not on a laptop, but instead onto a USB stick. You can then just boot any laptop from that USB stick and not only see your desktop and applications, you don’t see the local hard disks on the laptop… nice.
A. Windows to Go pros and cons
B. Hardware and software requirements (which are kind of stringent, be warned)
C. Creating the USB stick
D. Notes from the field on what it can and can’t do
The class works from PowerPoint presentations and hands-on exercises. Every attendee gets a printed copy of the PowerPoints. All of the demonstrations are explained clearly in the PowerPoint, so you can reproduce them after class!
We will soon offer this class as a public seminar at locations around the US – check www.minasi.com/pubsems.htm to find out when we’ll start public seminars. But you needn't wait for the public classes, as Mark can come to your organization to teach it on-site. On-site classes offer you the flexibility to lengthen or shorten the class, add hands-on labs, modify the course's focus and zero in on your group's specific needs. For more info, please contact our office at (757) 426-1431 between noon and five PM Eastern time or email firstname.lastname@example.org to discuss scheduling and fees.