Deploying, Managing and Securing "the Last Windows:" Working with Windows 10 

"I thought I knew Windows 10, but your class showed me things that paid for this seminar in the first hour!"
-attendee comment

 

A one-day course by Mark Minasi, author of 16 technical Windows support books, 20-year columnist for Windows IT Pro magazine, and award-winning presenter




Why Take This Course?

Windows 10 is out, which is kinda exciting for IT pros – new tools for us!  What is a bit less exciting, however, is Microsoft's current approach to documentation: a somewhat disjointed collection of blog posts.  (No, we're not kidding, that really is the current approach.) So if you need to figure out what it offers, how it'll fit in your network and current hardware, and how to secure it, then buckle up and get ready for hundreds of hours of Googling…

 

… Or you can take our Windows 10 class.  Our class is researched, written and delivered by Mark Minasi, a 30-year Windows veteran and writer of 16 bestselling Windows tech books.  Mark's been under the hood of Windows 10 since its first betas, and has assembled everything he's learned into this fast-paced, entertaining one-day class that will quickly update your Windows technical support skills, help you decide if Win 10's right for your organization, and point you towards setting up your deployment plan.

 

His course jumps right in with an explanation of what may be the strangest part of Windows 10, "Windows as a service."  While Windows 10 is nominally the last version of Windows, it will require you to upgrade to new "sub-versions" every year, or you will no longer be able to install security patches.  From there, the class briefly illuminates a few little-known productivity-enhancing features and useful "internals" changes to Win 10.  Next, you'll learn some important new deployment concepts and meet new tools to deploy Windows 10, whether to one machine or one hundred.  Then we'll move to Windows 10's not-terribly-surprising affinity for Microsoft's Azure cloud.  You'll see that we'll all need at least some kind of Azure identity in order to interact with any of Microsoft's online services.  You'll also see that Azure accounts solve one of Windows 8's most irritating flaws: the requirement that users log on with Hotmail/Live accounts to their own systems.  That leads to an explanation of what's changed management-wise in Windows 10 via group policies and a new and improved application distribution system driven by an all-new customizable "Store."  Finally, you'll understand and be able to deploy a few very innovative new security tools.  One, Credential Guard, seeks to crush "pass-the-hash" and similar secret-stealing attacks.  Another, Device Guard, is Microsoft's latest swing at locking out malware.  Finally, you'll meet the new "Windows Hello" biometric system that quite literally sees you coming, and its associated Passport, which intends to put passwords out of business.

 

This course is a "delta" or "what's new only" class in that it assumes that its attendees already have a working knowledge of Windows 7 and 8/8.1 support. (If your organization has skipped Windows 8/8.1, however, then we can just add our course material for our Windows 8/8.1 course, making this a two-day class that assumes only knowledge of Windows 7…. Just let us know.)  

Course Outline

  1. Introduction

A brief overview of the course.  (We mainly do it for the many folks who sign up for this class without ever reading this course outline, which is very flattering but also kind of scary.)

 

  1. Windows as a Service:  There's Only One Version, But You'll Be Upgrading a Lot Anyway

One of the most confusing parts about Windows 10 is that while it's "the last Windows" in name, in fact you may see three new versions of Windows 10 in a calendar year, and you must upgrade to at least one of them each year.  This first section explains this new reality and how you can control your upgrades.

    1. Windows 10 Editions: Home, Pro, Education, Enterprise
    2. Know your builds:  keeping track of how "upgraded" your Windows is
    3. "Isn't it free?"  Well, sometimes.  But probably not for you.  Or me.
    4. "Upgrades" versus "updates:" Patch Tuesday gets a lot more interesting, and why they're doing it
    5. Flights and rings: not everyone gets the new stuff at the same time
    6. How to slow down the upgrades with the Common Branch for Business and Windows Update for Business
    7. Engineering updates:  patches save bandwidth by going torrent-ish
    8. Where WSUS and SCCM fit in
    9. An infrequent-update program:  Long Term Servicing Branch delivers Windows "the old-fashioned way"
       
  1. Just a Little on the New UI:  Tips for IT Pros

Windows 10 brings with it the usual quota of GUI changes, and you surely don't need us to explain the new Start Screen to you.  But Windows 10 does bring a number of changes that can actually boost productivity for IT pros, as well as a couple of "internals" features that you might never have known about that you'll find very useful. 

    1. 10's odd new "bipolar" Control Panel
    2. Learn and use virtual desktops!
    3. New hotkeys
    4. The "snipping" tool gets better
    5. Command prompt improvements
    6. Memory compression: why 10 runs better in two gigs than Windows 7 did

  1. Windows 10 Deployment Concepts and Scenarios

Ever since Vista, every new version of Windows brings new and (usually) improved tools to deploy Windows.  Windows 10 is no different, and offers us a somewhat different mindset in that in-place upgrade works very well now.  There's also a bunch of new deployment-related concepts, which we'll cover in this section to warm you up for the WinPE 10 and WICD sections.

    1. Scenarios:  no need to wipe a vendor-installed OS, and in-place upgrades finally make sense
    2. How the new in-place upgrades work
    3. Automating it with new setup.exe options
    4. New default disk layout
    5. Assessment and Deployment Kit (ADK) changes
    6. "Capabilities:" like features, but better
    7. "Provisioning packages" simplify some upgrades
    8. Smaller Windows:  CompactOS replaces WIMBoot

 

 

  1. Windows PE 10: No Longer Optional, And Getting Better All the Time

Back in 2001, Microsoft created the Windows Preinstallation Environment (WinPE), a cut-down, free version of Windows that simplifies troubleshooting big problems, but offered it solely to big customers.  They opened it to the world in 2006, but it's always been a "nice to know" rather than a "need to know" Windows tool.  With Windows 10, that changes, and so this brief section offers a quick tutorial on building WinPE and equipping it with PowerShell.  You'll also learn what new features Windows 10's PE has.

    1. Building a WinPE-enabled USB stick with Win 10's newer, easier tools
    2. Adding features:  turning on PowerShell
    3. Setup and xFAT

 

  1. Windows Image and Configuration Designer (WICD)

Automating Windows rollouts is important and every organization wants automated deployment, but making it work is complicated.  The Assessment and Deployment Kit (ADK, formerly known as the Windows Automated Installation Kit or WAIK) and its cousin Microsoft Deployment Toolkit (MDT) are terrific, powerful and free tools, but also complex ones that are sadly given a miss by many IT pros.  To address that, Microsoft has created a third free automated deployment tool called the Windows Image and Configuration Designer (WICD).  This tool, pronounced "wicked" (which is odd, as it contains no witches but does contain wizards), seeks to simplify deployment for regular old Windows as well as device-centric versions like Windows Phone 10.  In this section, we'll explore WICD so you'll know whether or not to add it to your deployment toolkit!

    1. Installing and tweaking WICD to make it useful
    2. Setup for its command-line personality, "ICD.EXE"
    3. Creating a project… just a few clicks creates a bootable USB stick that does a hands-off install
    4. The pieces:  deployment assets, image time settings and runtime settings
    5. The options:  image creation versus provisioning package creation, and The Five Taps (hint:  they are not a 50's band)
    6. WICD provisioning packages revealed: customizations.xml and more
    7. WICD as a command-line tool:  strengths, weaknesses, and a huge bug
    8. Hacking WICD: making it forget old projects

 

  1. Easier App Migration:  the new Scanstate

Anyone who's ever done a mass deployment by grabbing users' current settings and files, saving them on a share and then flattening and rebuilding the users' computers with a new version of Windows knows the User State Migration Tool (USMT) and its two main components, Scanstate and Loadstate.  (In case you've never used them, Scanstate packages up and saves your settings and files before the flatten-and-rebuild.  After the flatten-and-rebuild, Loadstate recovers those files and settings and restores them to the users' systems.)  USMT's great, but it only migrates the users' files and application settings, not the applications themselves.  That changes with Windows 10's Scanstate, which saves not only the users' files and settings but their applications as well. Sound great?  Well, it is, kind of… but there are big limitations to the new Scanstate, as you'll learn in this section.

    1. Review: Scanstate background
    2. Details of new Scanstate capability with "/apps" to a provisioning package
    3. Step-by-step example
    4. Deploying saved apps: WICD is it!
    5. Provisioning package processes and Audit Mode in Windows 10

 

  1. Windows 10 Wants You in the Cloud:  Azure AD Basics

As you almost certainly know, Microsoft has become heavily invested in the cloud.  What you may not know is that their cloud strategies are paying off well enough that many think they'll be the top dog in the cloud business soon.  That has led to the fact that more and more Microsoft services – even the free ones – are cloud-based and require you to have a Microsoft cloud identity.  Once, a Hotmail account could serve that purpose, but more and more you'll need an Azure Active Directory account, even if you don't use it for anything else, and meanwhile, more and more organizations don't need any on-premises AD, so Azure AD does the job for them.  This section quickly introduces just enough Azure AD to get you ready to understand an interesting new Windows 10 capability – "joining a cloud." 

    1. Why on earth would I or my org use an Azure AD domain?
    2. Office 365 and Azure AD… you may have an Azure AD domain already!
    3. Azure AD terminology:  tenants, vanity domains, subscriptions
    4. Understanding Microsoft accounts versus organization accounts
    5. Creating your own Azure AD (it's free)
    6. Populating your AD with Azure AD Connect
    7. Creating admins, user accounts, and enabling cloud single sign-on
    8. PowerShell tools to simplify Azure AD
  1. Joining Win 10 Systems to a Cloud

You already know how to join a Windows box to an AD domain. Here we'll see how and why you'd join to an Azure domain, doing a "cloud join."

    1. Why join a Win 10 device to an Azure AD?
    2. Enabling cloud join
    3. Doing cloud join
    4. Results:  new security principals
    5. What cloud join doesn't do

  1. Managing Windows 10: New Group Policy Settings

If you've run a Windows 7 network, you've already got most of the tools you'll need to run a Windows 10 network, but Win 10 brings a few new management needs and solutions.  We start covering that in this section with Windows 10's 42 (yes, it really is just 42) new group policy settings.

    1. Security settings: PIN and Virtual Secure Mode
    2. "Windows Recording" settings
    3. UI features, feedback control
    4. Windows Update for Business settings
       
  1. Managing Windows 10:  Applications and The Store

Windows 8 brought the idea of the "Windows Store" and iPad-ish "modern applications," which has caught on slowly in most places, but the Store has morphed to include the more-widely-used "desktop" apps.  Even better, Microsoft enables you to create your own tightly-defined version of the Store that lets your employees get apps that you want them to get.  ("Curated" is the phrase Microsoft uses nowadays for such a store.)  This was possible in Windows 8, but it suffered from blockers like "the employees need a credit card to get Store apps," or "you need System Center to set this up," but now just about anyone can create a curated Store, as you'll learn in this section.

    1. Intro to the new Store
    2. Flexible payment methods and inventory control
    3. Sideloading is easier, free and universal
    4. Line of business apps can be added to the Store
    5. Preinstalling apps in images
    6. Controlling (and potentially blocking) the store:  the app and the service

 

  1. Securing Windows 10:  New Tools to Lock out the Bad Guys

Windows 8 and 8.1 met mixed reviews, but almost no one seems to know that many of their most undeniably cool features were in the realm of security. Windows 10 continues that tradition with the notions of Isolated User Mode and Virtual Secure Mode, two fancy-sounding terms for a set of four technologies ("trustlets" is the new phrase) that take important, high-security data and store it in what is essentially another dimension.  Windows 10 can, with the right hardware, create a block of memory whose data can only be accessed by the four in-the-box trustlets, and it's essentially impossible to create a fifth.  It's neat, but fairly complex to figure out how to set up… unless you attend this last section of our class.

    1. Isolated User Mode:  A new trust model
    2. Requirements:  the right OS, and the right hardware
    3. Beyond "user mode" versus "kernel mode"
    4. The new tools: "trustlets"
    5. Configuration:  BIOS settings, boot mode, group policy
    6. Credential Guard: the first trustlet, that eliminates pass-the-hash
    7. Validating Credential Guard
    8. Device Guard:  the second trustlet, that blocks running malware
    9. Device Guard limitations
    10. The last two trustlets:  virtual TPMs
    11. Windows Hello: biometrics, Win 10 style
    12. Windows Passport:  the end to passwords
    13. Why is a PIN acceptable on a laptop?
    14. Where this leads to
    15. Next steps
       

 

Course Materials and Course Format

The class works from PowerPoint presentations and hands-on exercises.  Every attendee gets a printed copy of the PowerPoints.  All of the demonstrations are explained clearly in the PowerPoint, so you can reproduce them after class!

Arranging a Course at Your Location

We offer this class as a public seminar at locations around the US; you can view the current schedule at www.minasi.com/pubsems.htm.  But you needn't wait: Mark can come to your organization to teach it on-site. On-site classes offer you the flexibility to lengthen or shorten the class, add hands-on labs, modify the course's focus and zero in on your group's specific needs.  For more info, please contact our office at (757) 426-1431 between noon and five PM Eastern time or email assistant@minasi.com to discuss scheduling and fees.