Deploying, Managing and Securing "the Last Windows:" Windows 10 for Win 7 Professionals 

"I thought I knew Windows 10, but your class showed me things that paid for this seminar in the first hour!"
-- attendee comment

 

A two-day course by Mark Minasi, author of 16 technical Windows support books, 21-year columnist for Windows IT Pro magazine, and award-winning presenter




Why Take This Course?

Windows 10 arrived in July 2015, which is kinda exciting for IT pros – new tools for us!  What is a bit less exciting, however, is Microsoft's current approach to documentation: a somewhat disjointed collection of blog posts.  (No, we're not kidding, that really is the current approach.) So if you need to figure out what it offers, how it'll fit in your network and current hardware, and how to secure it, then buckle up and get ready for hundreds of hours of Googling…

 

… Or you can take our Windows 10 class.  Our class is researched, written and delivered by Windows expert Mark Minasi.  Mark's been under the hood of Windows 10 since its first betas, and has assembled everything he's learned into this fast-paced, entertaining one-day class that will quickly update your Windows technical support skills, help you decide if Win 10's right for your organization, and point you towards setting up your deployment plan. And just in case you skipped Windows 8 and 8.1, don’t fear – this course includes all of the 8.x changes that survived to Windows 10.  (If, however, your folks are already up to speed on 8/8.1, please contact us for info on our one-day 8.1-to-10 class.)

 

Key Learning Points

· Understand Windows 10’s new “agile” upgrade system whereby Microsoft will deliver roughly two new versions of Windows 10 per year… and how to slow down the pace of those upgrades

· Grasp how UEFI/Secure Boot and Early Launch Anti-Malware (ELAM) add powerful new security to your systems, and how to install them

· Know how Windows 10’s revised Setup engine requires new disk layouts and expands your upgrade options

· Assist yourself in making the “upgrade from 7 or not?” call by enumerating Windows 10 changes that can extend the life of your existing hardware

· Master the basics of “Azure Active Directory” cloud-based domains and user accounts, the new identity structures that Office 365 users already have and that Windows 10 supports (somewhat)

· Discover how Windows 10’s OneGet application package manager can simplify installing new applications and managing existing ones

· See how the new “Modern” or “Universal” applications work in Windows 10 and how they offer your desktops more responsive multitasking and your systems longer battery life, and how to use the Windows Store for Business to control how your users acquire applications

· Identify how native 4K drive support and a revised CHKDSK can make your system storage faster and more resilient

· Meet dozens of PowerShell cmdlets that simplify both local and remote administration

· Uncover how User Isolation Mode and Virtual Secure Mode can protect your systems from “pass the hash” attacks

Course Outline

  1. Introduction

A brief overview of the course. 

 

  1. Windows as a Service: Patch Tuesday Will Never be the Same

One of the most confusing parts about Windows 10 is that while it's "the last Windows" in name, in fact you may see up to three new versions of Windows 10 in any given calendar year.  Furthermore, you must upgrade to at least one of those versions each year.  This first section explains this new reality and how you can control your upgrades.

    1. Windows 10 Editions: Home, Pro, Education, Enterprise
    2. Know your builds:  keeping track of how "upgraded" is your Windows
    3. "Isn't it free?"  Well, sometimes.  But probably not for you.  Or me.
    4. "Upgrades" versus "updates:" Patch Tuesday gets a lot more interesting, and why they're doing it
    5. Flights and rings: yes, we’re seeing a lot of new Windows versions, but lots of other people shake them down first
    6. Control the upgrade pace with the Common Branch for Business and Windows Update for Business
    7. Engineering updates:  patches save bandwidth by going torrent-ish
    8. Where WSUS and SCCM fit in
    9. An infrequent-update program:  Long Term Servicing Branch delivers Windows "the old-fashioned way"
       
  1. Just a Little on the New UI:  Tips for IT Pros

Windows 10 brings with it the usual quota of GUI changes, and you surely don't need us to explain the new Start Screen to you.  But Windows 10 does bring a number of changes that can actually boost productivity for IT pros, as well as a couple of "internals" features that you might never have known about that you'll find very useful. 

    1. 10's odd new "bipolar" Control Panel
    2. … But “God Mode” is still around
    3. Virtual desktops get downright useful
    4. New hotkeys
    5. The "snipping" tool gets better
    6. Command prompt improvements

  1. Shiny New Boots:  BIOS, UEFI and Secure Boot

Back in the late 1900s, Intel had some great ideas on how to build better PCs, and some of those ideas have finally become commonplace. Among those ideas is a replacement for BIOSes called “UEFI firmware.”  UEFI’s great, but with Windows 10, it becomes even better, as it enables a nice anti-malware upgrade called “Secure Boot” that goes an awfully long way towards ruining the day of many a malware author.  In this section, you’ll see what kind of hardware you need (you’ve actually probably already got it) and how to add Secure Boot to your security regimen.  Perhaps most important, you’ll see how to avoid having BitLocker lock you out of your system after you’ve tweaked some small system setting.

A.    It’s not a “BIOS,” it’s “firmware:” UEFI “BIOSes”

B.    How Secure Boot works

C.    Setting up a Secure Boot system

D.   Alternate boots:  booting from USB sticks and the like in a Secure Boot / UEFI world

E.    How Secure Boot and BitLocker interact: avoiding a “BitLocker lockout” after system maintenance

  1. Controlling Start and Search:  Configuring the Start Menu and Cortana

Your organization might have had many reasons for skipping 8/8.1, but we’d lay odds that at least one big reason was the Start menu.  Windows 10 certainly has a Start menu that is less alien than Windows 8’s, but it still needs configuring.  You can raise that Start menu by just pressing the “Windows” key… and when you do, you’ll also pull up the “Search,” which as you probably now know sports a voice interface and a name, “Cortana.”  You’ll want to deploy and tweak them both, and this section shows you how.

A.    Get and capture a “standard Start menu”

B.    Deployment options: immutable or just a suggestion

C.    Start menu deployment limitations

D.   The new Search:  Cortana

E.    Things to know:  Cortana and privacy

F.     Controlling Cortana with group policies

G.    Finding Cortana’s settings

H.   Cortana’s “Notebook”

I.      Cortana and accounts: do you, um, have a Live account?

  1. Windows 10 Setup:  In-Place Upgrades, Disk Layout and Setup Options

One of Windows 10’s quiet revolutions can be found in Setup.exe, which has some nice improvements.  Perhaps the most interesting one is that in-place upgrades honestly do make sense now, and they’re a lot more flexible than they ever have been before.  Learn about what’s new and neat in Setup in this section.

A.    How in-place upgrades work: five steps

B.    New Setup.exe syntax and examples

C.    Default Windows 10 disk layout

D.   Windows 10 insists on a recovery partition

  1. Windows 10 Deployment Concepts and Scenarios

Ever since Vista, every new version of Windows brings new and (usually) improved tools to deploy Windows.  Windows 10 is no different, and offers us a somewhat different mindset in that in-place upgrade works very well now.  There's also a bunch of new deployment-related concepts, which we'll cover in this section to warm you up for the WinPE 10 and WICD sections.

    1. Scenarios:  no need to wipe a vendor-installed OS, and in-place upgrades finally make sense
    2. How the new in-place upgrades work
    3. Automating it with new setup.exe options
    4. New default disk layout
    5. Automated Deployment Kit (ADK) changes
    6. "Capabilities:" like features, but better
    7. "Provisioning packages" simplify some upgrades
    8. Smaller Windows:  CompactOS replaces WIMBoot

 

 

  1. Windows PE 10: No Longer Optional, And Getting Better All the Time

Back in 2001, Microsoft created the Windows Preinstallation Environment (WinPE), a cut-down, free version of Windows that simplifies troubleshooting big problems, but offered it solely to big customers.  They opened it to the world in 2006, but it's always been a "nice to know" rather than a "need to know" Windows tool.  With Windows 10, that changes, and so this brief section offers a quick tutorial on building WinPE and equipping it with PowerShell.  You'll also learn what new features Windows 10's PE has.

    1. Building a WinPE-enabled USB stick with Win 10's newer, easier tools
    2. Adding features:  turning on PowerShell
    3. Setup and xFAT

 

  1. Windows Image and Configuration Designer (WICD)

Automating Windows rollouts is important and every organization wants automated deployment, but making it work is complicated.  The Assessment and Deployment Kit (ADK, formerly known as the Windows Automated Installation Kit or WAIK) and its cousin Microsoft Deployment Toolkit (MDT) are terrific, powerful and free tools, but also complex ones that are sadly given a miss by many IT pros.  To address that, Microsoft has created a third free automated deployment tool called the Windows Image and Configuration Designer (WICD).  This tool, pronounced "wicked" (which is odd, as it contains no witches but does contain wizards), seeks to simplify deployment for regular old Windows as well as device-centric versions like Windows Phone 10.  In this section, we'll explore WICD so you'll know whether or not to add it to your deployment toolkit!

    1. Installing and tweaking WICD to make it useful
    2. Setup for its command-line personality, "ICD.EXE"
    3. Creating a project… just a few clicks creates a bootable USB stick that does a hands-off install
    4. The pieces:  deployment assets, image time settings and runtime settings
    5. The options:  image creation versus provisioning package creation, and The Five Taps (hint:  they are not a 50's band)
    6. WICD provisioning packages revealed: customizations.xml and more
    7. WICD as a command-line tool:  strengths, weaknesses, and a huge bug
    8. Hacking WICD: making it forget old projects

 

  1. Easier App Migration:  the new Scanstate

Anyone who's ever done a mass deployment by grabbing users' current settings and files, saving them on a share and then flattening and rebuilding the users' computers with a new version of Windows knows the User State Migration Tool (USMT) and its two main components, Scanstate and Loadstate.  (In case you've never used them, Scanstate packages up and saves your settings and files before the flatten-and-rebuild.  After the flatten-and-rebuild, Loadstate recovers those files and settings and restores them to the users' systems.)  USMT's great, but it only migrates the users' files and application settings, not the applications themselves.  That changes with Windows 10's Scanstate, which saves not only the users' files and settings but their applications as well. Sound great?  Well, it is, kind of… but there are big limitations to the new Scanstate, as you'll learn in this section.

    1. Review: Scanstate background
    2. Details of new Scanstate capability with "/apps" to a provisioning package
    3. Step-by-step example
    4. Deploying saved apps: WICD is it!
    5. Provisioning package processes and Audit Mode in Windows 10

 

  1. The Five Taps: Quicker Windows Rollouts

If the machine you’re rolling out already has a copy of Windows 10 on it, you may be able to speed up your rollout with a “provisioning package,” a file you place on a USB stick, shove into the new computer, boot up the new computer and then press the Windows key five times, rapidly.  In this short section, we’ll explain both the “Five Taps” and the current state of “Audit Mode.”

  1. Easier Application Rollouts:  Windows 10’s Package Manager

Deploying a new copy of an operating system gets easier and easier as time goes on, but then how do you get applications on it?  For some rollouts, you can just pre-install the applications in a “golden image,” and if that’s working, then fine.  But Windows 10 and PowerShell’s WMF 5.0 introduce OneGet, a set of commands that let you easily inventory existing applications on a PC or let you search “application galleries” and execute commands to quickly download and deploy applications.  Even if you don’t understand PowerShell, you’ll quickly grasp the potential of OneGet and, who knows, you may create an application gallery for your own organization.

A.    Application packagers: NuGet, Chocolatey and more

B.    Using OneGet to find and install packaged applications

C.    Doing local application inventory with the OneGet cmdlets

  1. System Cleanup in Windows 10

Over the years, we’ve become used to Windows boot drives becoming larger and larger – after all, desktop storage is really cheap, right?  Well… maybe not.  That “cheap” storage is rotational, and a standard 2.5” form factor.  But who wants that?  Solid state 2.5” drives are great but smaller in capacity, and the flood of very useful, insanely cheap small laptops with skinny profiles, weight under two pounds and a real keyboard is great… but they come with 128GB system drives.  (And as those drives aren’t standard, they can’t be upgraded.)  It is, then, a bit more of a priority to be able to do some housecleaning on the images we push out and the systems we deliver.

A.    Deleting Windows.old without the GUI (it’s faster)

B.    Understanding Windows “Side by Side,” why it’s a storage hog, and how to clean it out

C.    Trimming System Restore

D.   Do you need a pagefile?  Windows 10’s pagefile changes the rules, and why Windows 10 runs better in two gigs than Windows 7 does

  1. Storage Upgrades in Windows 10

Speaking of new storage, like the eMMC solid state storage found in so many new inexpensive Windows 10 laptops, Windows 10 adds some new storage-related capabilities, not the least of which being that Microsoft finally fixed some really annoying CHKDSK behaviors.  Find out more in this section.

A.    Native 4K disk support

1.    Why 4K sector disks?

2.    4K emulation and native

3.    Win 10 native 4K support

B.    New PowerShell storage cmdlets

C.    Double-click that ISO:  native ISO and VHD mounting

D.   CHKDSK, rebooted: never fear the countdown again

  1. Windows 10 Wants You in the Cloud:  Azure AD Basics

As you almost certainly know, Microsoft has become heavily invested in the cloud.  What you may not know is that their cloud strategies are paying off well enough that many think they'll be the top dog in the cloud business soon.  That has led to the fact that more and more Microsoft services – even the free ones – are cloud-based and require you to have a Microsoft cloud identity.  Once, a Hotmail account could serve that purpose, but more and more you'll need an Azure Active Directory account, even if you don't use it for anything else, and meanwhile, more and more organizations don't need any on-premises AD, so Azure AD does the job for them.  This section quickly introduces just enough Azure AD to get you ready to understand an interesting new Windows 10 capability – "joining a cloud." 

    1. Why on earth would I or my org use an Azure AD domain?
    2. Office 365 and Azure AD… you may have an Azure AD domain already!
    3. Azure AD terminology:  tenants, vanity domains, subscriptions
    4. Understanding Microsoft accounts versus organization accounts
    5. Creating your own Azure AD (it's free)
    6. Populating your AD with Azure AD Connect
    7. Creating admins, user accounts, and enabling cloud single sign-on
    8. PowerShell tools to simplify Azure AD
  1. Joining Win 10 Systems to a Cloud

You already know how to join a Windows box to an AD domain. Here we'll see how and why you'd join to an Azure domain, doing a "cloud join."

    1. Why join a Win 10 device to an Azure AD?
    2. Enabling cloud join
    3. Doing cloud join
    4. Results:  new security principals
    5. What cloud join doesn't do

  1. Managing Windows 10: New Group Policy Settings

If you've run a Windows 7 network, you've already got most of the tools you'll need to run a Windows 10 network, but Win 10 brings a few new management needs and solutions.  We start covering that in this section with Windows 10's 42 (yes, it really is just 42) new group policy settings.

    1. Security settings: PIN and Virtual Secure Mode
    2. "Windows Recording" settings
    3. UI features, feedback control
    4. Windows Update for Business settings
       
  1. User-Device Affinity:  Preferred Computers

If you’ve ever used folder redirection or roaming profiles, you know that they can be great but have an annoying tendency to leave a lot of junk behind on the computers you’ve logged onto at some point in the past.  Windows 10 offers an improvement in the form of the “primary computer.”  Its value?  You can log onto any machine that you like, but your folders or profile do not roam to that machine unless it’s in your “primary computer” list.

A.    Understanding a “primary computer”

B.    Gotchas:  this doesn’t work in a network with Windows 7 entirely

C.    Primary computer setup:  modify Active Directory

D.   Tracking PCs

  1. Windows 10’s New Software Platform:  Modern and Universal Apps

One of the biggest changes wrought by Windows 8/8.1 – and one of the most-ignored and -reviled – was a completely new software platform named “Windows Runtime” or “WinRT.”  That platform was originally intended to allow developers to create tablet-ish applications that relied almost solely on touch and large, clunky-looking interface elements.  (That was where the “ignore” and “revile” part came from.)  First called “Metro” apps and then “Modern” applications, the WinRT apps aimed to support a strongly secured “sandbox” as well as applications that ran as well on a standard Windows box as on the original “Surface RT” tablet and the Windows Phone platform.  It was largely a flop.  With Windows 10, however, Windows Runtime got a bit of a makeover and re-alignment to become the “Universal Windows Platform,” and UWP really pervades Windows 10, which is why this section is the first of several about “modern” and “universal” apps.  Every Windows 10 admin needs to know the things in these sections because UWP in Windows 10 changes multitasking among all kinds of programs, because it actually does offer better security, and, well, it’s hard to manage a Windows 10 system without working with these applications.  This first section explains WinRT / UWP and the applications that it supports.

A.    Windows application program interface (API) overview:  Win32 and .NET

B.    Why a third API, WinRT?

C.    The three types of WinRT apps

D.   From WinRT to UWP:  “Universal” apps

E.    Your phone as a PC:  Continuum

F.     Modern/Universal app deployment: “the Store”

  1. UWP and the OS:  Multitasking and Power in Win 10

Even if you intend never to touch a Modern/Universal application, you’ll need to understand what they’ve done to your PC:  they’ve made it multitask better and use a lot less power.  As you’ll see in this section, you can put Windows 10 on a circa-Windows 7 system and usually get much better battery life from it, and smoother multitasking even of “non-modern” apps.

A.    Juggling two kinds of apps:  the new multitasking structure

B.    New multitasking with the Desktop Activity Monitor (DAM)

C.    App rules: the system’s watching!

D.   Shooting the hogs: controlling background processes

E.    Sleep, Modern style

F.     I/O coalescing, low power epoch, resiliency and Network Quiet Mode:  getting more bang for your battery

G.    Tracking the savings with powercfg

  1. Getting Modern/Universal Apps: “Windows Store for Business” and Sideloading

Windows 8 brought the idea of the "Windows Store" and iPad-ish "modern applications," which has caught on slowly in most places, but the Store has morphed to include the more-widely-used "desktop" apps.  Even better, Microsoft enables you to create your own tightly-defined version of the Store that lets your employees get apps that you want them to get.  ("Curated" is the phrase Microsoft uses nowadays for such a store.)  This was possible in Windows 8, but it suffered from blockers like "the employees need a credit card to get Store apps," or "you need System Center to set this up," but now just about anyone can create a curated Store, as you'll learn in this section.

    1. Intro to the new “Windows Store for Business”
    2. Flexible payment methods and inventory control
    3. Sideloading is easier, free and universal
    4. Line of business apps can be added to the Store
    5. Preinstalling apps in images
    6. Controlling (and potentially blocking) the store:  the app and the service
    7. The bad news: If you don’t have Intune…

 

  1. Securing Windows 10:  New Tools to Lock out the Bad Guys

Windows 8 and 8.1 met mixed reviews, but almost no one seems to know that many of their most undeniably cool features were in the realm of security. Windows 10 continues that tradition with the notions of Isolated User Mode and Virtual Secure Mode, two fancy-sounding terms for a set of four technologies ("trustlets" is the new phrase) that take important, high-security data and store it in what is essentially another dimension.  Windows 10 can, with the right hardware, create a block of memory whose data can only be accessed by the four in-the-box trustlets, and it's essentially impossible to create a fifth.  It's neat, but fairly complex to figure out how to set up… unless you attend this last section of our class.

    1. DMA attacks:  grabbing your hash
      1. How a DMA attack works
      2. Windows 10’s “basic” defense
    2. Early Launch Anti-Malware (ELAM)
      1. What it is:  a new kind of scanner
      2. How it works
      3. How to set it up
    3. User Isolation Mode:  A new trust model
      1. Requirements:  the right OS, and the right hardware
      2. Beyond "user mode" versus "kernel mode"
      3. The cool part:  Hyper-V and a new trust model
      4. The new tools: "trustlets"
    4. Configuration:  BIOS settings, boot mode, group policy
    5. Credential Guard: the first trustlet, that eliminates pass-the-hash
    6. Why trust the trustlets?
    7. Validating Credential Guard
    8. Device Guard:  the second trustlet, that blocks running malware
    9. Device Guard limitations
    10. The last two trustlets:  virtual TPMs
    11. Windows Hello: biometrics, Win 10 style
    12. Windows Passport:  the end to passwords
    13. Why is a PIN acceptable on a laptop?
    14. Where this leads to
    15. Next steps

 

  1. “Windows Goodbye:” Understanding Pushbutton Reset

Ever had a smartphone or a laptop start acting strangely, or perhaps needed to wipe it clean so you could give it away?  As we all know, it’s pretty easy – just push the right buttons or click something in Settings, and your phone is either back in “no longer acting strangely” or “completely wiped clean” mode, and you can either start over with it, or give it away.  Well, Windows 10 seeks to offer those things to your Windows laptops.  In this section, you’ll learn how.

A.    Introducing “pushbutton reset” or PBR

B.    Simple reset versus complete reset

C.    Activating it

    

  1. Windows to Go:  Your Desktop on a Stick

Windows 10 Enterprise offers you the ability to install Windows not on a laptop, but instead onto a USB stick.  You can then just boot any laptop from that USB stick and not only see your desktop and applications, you don’t see the local hard disks on the laptop… nice. 

A.    Windows to Go pros and cons

B.    Hardware and software requirements (which are kind of stringent, be warned)

C.    Creating the USB stick

D.   Notes from the field on what it can and can’t do

 

Course Materials and Course Format

The class works from PowerPoint presentations and hands-on exercises.  Every attendee gets a printed copy of the PowerPoints.  All of the demonstrations are explained clearly in the PowerPoint, so you can reproduce them after class!

Arranging a Course At Your Location

Unfortunately we no longer run public seminars, but Mark would love to come teach the class at your location. On-site classes offer you the flexibility to lengthen or shorten the class, modify the course's focus and zero in on your group's specific needs.  For more info, please email assistant@minasi.com to discuss scheduling and fees.