A
access. See also remote access
authentication and authorization 250–256
Dynamic Access Control 217
Effective Access tool 182
troubleshooting 184
access-based enumeration (ABE) 217–218
Access Control Entry (ACE) 215, 238
Access Control List (ACL) 215, 238, 240
account lockout policies 27–28
Accounts: Block Microsoft Accounts 4–5
Active Directory Certificate Services (AD CS) 19
Active Directory Domain Services (AD DS) 26, 39
synchronizing user accounts with 95–97
Active Directory Domain Services (AD DS) database 2
Active Directory Federation Services (AD FS) 30, 96
Add-AppxPackage cmdlet 12
Add-PhysicalDisk cmdlet 174
administrative users 253
Advanced Security Settings dialog box 245
alerts
Cloud App Security 125
notification rules 108
Allow permissions 244
Always Offline Mode 53, 54, 283–284
Android
Android devices
Remote Desktop on 274
APIPA. See Automatic Private IP Addressing
Application Compatibility Tools 319, 320–324
application settings 78
application virtualization 327–330
apps
compatibility modes for 323
desktop 9
choosing users for 16
from Company Store 17
using Microsoft Office 365 5–7
line-of-business (LOB) 10
AppX Windows PowerShell module 12–13
assigned groups 105
Attach Task To This Event option 250
auditing
account policies to protect 27–28
computer accounts 26
Credential Manager 28
digital certificates for 19
domains 26
exceptions, configuring 156–157
Kerberos 265
Kerberos v5 26
picture passwords 22
Secure Channel 27
user accounts 26
authorization
administrative users 253
personal devices 30
workgroups 25
Automatic Private IP Addressing (APIPA) 134
Azure Active Directory (AAD) 95
Azure Active Directory (AD) Connect tool 96–97
Azure Active Directory (Azure AD)
Azure Information Protection 120–123
activation of 121
configuration 120
labels 120
Azure portal
Intune policies configuration in 111–112
Azure Rights Management (Azure RMS) 120
B
Backup And Restore (Windows 7) tool 353–357, 361, 362
backups
of EFS-protected files 235–237
scheduling 354
battery settings 57
BitLocker 63–68, 117–118, 185, 188, 233
authentication methods 189
configuration 64–67, 190–191, 194–196
Microsoft BitLocker Administration and Monitoring 200–203
moving encrypted drive to another computer 193
recovery keys 65
startup key storage 67–68, 197–198
suspending 193
without TPM 65
BitLocker Network Unlock 198
BitLocker Recovery Password Viewer 200
BitLocker To Go
Bluetooth 223
bring your own device (BYOD) 74
Bring Your Own Device (BYOD) 294
broadband connectivity
broadband tethering
C
Certificate Authority (CA) 19
certificate compliance reports 107
certificates
digital 19
Remote Desktop Session Host 316
Challenge-Handshake Authentication Protocol (CHAP) 264, 266
Checkpoint-Computer cmdlet 341
checkpoints
creating 48
restoring 49
choose your own device (CYOD) 74
Cipher.exe 236
Clear-DnsClientCache cmdlet 140
click-to-run installation 8
client certificates 19
Cloud App Security (CAS) 123–127
accessing and exploring 124–125
alerts 125
General Dashboard 125
cloud settings 78
cloud storage 29
command-line tools
BitLocker configuration using 194–196
for connectivity issues 139
for sharing folders 216
comma separated value (CSV) files 96
Company Store
installing apps from 17
Compatibility Administrator 320, 321–324
computer accounts
authentication 26
computer groups
computer inventory reports 106
Computer Management Intune Policies 76–77
Computer Management MMC snap-in 215–216
configuration
authentication and authorization 250–256
authentication exceptions 156–157
Azure Information Protection 120
BitLocker 64–67, 190–191, 194–196
connection security rules 155–156
DAC 184
file and folder access 232–256
information protection 113–127
local accounts 29
location-aware printing 146–147
Microsoft account 29
Microsoft Intune subscriptions 102–103
Microsoft Office 365 6
Mobile Device Management 86–87
mobility options 52–63, 281–302
NTFS permissions 238
picture passwords 22
security
virtual smart cards 21
Wi-Fi Direct 63
Windows Hello 33
Windows Update 366–370, 373–377
Workplace Join 30
connection security rules 153, 155–156
connectivity issues 138–139, 153
Control Panel
BitLocker configuration in 65–66
Work Folders configuration in 80
Cost-Aware Synchronization 53
Credential Locker 28
credential roaming 237
D
data
user
data access. See access
data encryption
BitLocker 64–68, 118–119, 185, 188–202, 233
Encrypting File System 185–187, 233–237
File History support for 361
Data Encryption Standard (DES) 264
data loss prevention (DLP) policy 114–116
data recovery
Data Recovery Agent (DRA) 185–186, 233, 234, 235
data security 179–203. See information protection; See security
Dynamic Access Control 184–185
Encrypting File System 185–187
permissions management 179–185
data storage
cloud-based 29
Distributed File System 164–167
user data 6
default gateway 134
Deny permissions 244
Deny Write Access To Drives Not Protected By BitLocker 188
Deployment Image Servicing and Management (DISM) 294, 381
Deployment Image Servicing and Management (DISM) cmdlets 12–13
desktop apps
compatibility issues 319, 320–324
compatibility modes for 323
deployment using Microsoft Intune 331–333
User Experience Virtualization and 330–331
Desktop Connections fee 317
detected software reports 106
device capabilities settings 78
device drivers
signed 351
uninstalling 378
Device Enrollment Manager (DEM) 99–100
device history reports 107
device management 94–113. See also remote access
Microsoft 365 Business enrollment 97–99
Microsoft 365 Enterprise enrollment 99–100
Microsoft Intune subscriptions 102–103
Microsoft Service Connection Point role 103–104
troubleshooting Microsoft Intune 109
user account provisioning 95–97
user and computer groups 104–106
view and manage devices 100–102
device registration
Device Registration Service (DRS) 30
DFS. See Distributed File System
DFS Namespaces (DFSN or DFS-N) 165
DFS Namespace service (Dfssvc.exe) 166
DFS Replication (DFSR or DFS-R) 164–167
Dfsutil.exe 166
DHCP. See Dynamic Host Configuration Protocol
DHCP scope 134
differencing disks 49
digital certificates 19
DirectAccess 53
DirSync 96
Disable-ComputerRestore cmdlet 341
discretionary access control list (DACL) 238
Disk Cleanup 381
disk drives
keeping together 171
disk quotas 232
disk space 172
disk usage 172
Dism.exe 380
Distributed File System (DFS) 163, 164–167
DNS. See Domain Name Service
document version history 365
domain accounts 2
associating Microsoft account with 2–3
domain controllers 26
Domain Name Service (DNS) 135
domain networks 141
DRA. See Data Recovery Agent
Driver Roll Back feature 352–353
Driver Store 351
DVDs 187
Dynamic Access Control (DAC) 184–185, 217
dynamic groups 105
Dynamic Host Configuration Protocol (DHCP) 134
E
EAP-MS-CHAPv2 265
Echo Request messages 139
Effective Access tool 182
EFS. See Encrypting File System (EFS)
electronic point of sale (EPOS) 262
Electronic Software Distribution (ESD) 329
elevation prompts, UAC 253–256
Enable-ComputerRestore cmdlet 341
Encrypting File System (EFS) 185–187, 232, 233–237, 361
credential roaming 237
Windows Public Key Infrastructure and 234
encryption
BitLocker 64–68, 118–119, 185, 188–202, 233
Encrypting File System 185–187, 233–237
File History support for 361
Perfect Forward Secrecy 174
settings 78
Endpoint Protection 76–77, 108
enhanced PINs 197
environmental variables 39
Extensible Authentication Protocol (EAP) 265
Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) 264
F
FAT volume 243
federation
Azure AD Connect and 96
File Explorer
accessing OneDrive from 225
History 213
sharing indicator 218
File History
encryption support 361
restore points 360
turning off 361
file recovery
files
access
copying 243
deleting from library 212
fetching, using OneDrive 230–231
moving 243
Offline Files 53–54, 81, 282–285, 296–298
OneDrive 226
permissions. See permissions management
restoring previous versions of 361–363
synchronization 282–284, 296–298
File Server Resource Manager (FSRM) 232, 247
filtering 149
firewalls
rules 156
Windows Firewall Settings template 77
folder location
folders
copying 243
deleting from library 212
moving 243
OneDrive 226
Public 214
renamed 216
restoring previous versions of 361–363
sharing from command line 216
sharing using Windows PowerShell 216–217
folder structure 181
G
Get-AppxLastError cmdlet 12
Get-AppxLog cmdlet 12
Get-AppxPackage cmdlet 12
Get-AppxPackageManifest cmdlet 12
Get-ComputerRestorePoint cmdlet 341
Get-DnsClientCache cmdlet 141
Get-NetIPAddress cmdlet 140
Get-NetIPv4Protocol cmdlet 140
Get-SmbShare cmdlet 217
Get-StoragePool cmdlet 174
Get-VirtualDisk cmdlet 174
Global Catalog 26
/grant switch 241
graphical user interface (GUI) 283
Graphical User Interface (GUI) 173
Group Policy 74
accessing 4
disabling Microsoft Store access with 10
enabling sideloading using 11–12
for Windows to Go 61
Microsoft account configuration using 4–5
offline file policies 54
power policy configuration using 287, 289
removable media management using 187–188
Work Folders configuration using 81, 299–300
Group Policy Objects 184
Group Policy Objects (GPOs) 27
disk quota 246
for Microsoft Store functionality 384
groups
adding, to Microsoft Intune 14
assigned 105
dynamic 105
guest networks 141
H
Health Insurance Portability and Accountability Act (HIPAA) 114
Hibernate 61
HKEY_CURRENT_USER registry 38
HomeGroups
file and folder sharing 210
joining 209
troubleshooting 209
configuring virtual machines in 46–48
creating virtual machines in 45–46
enabling 44
installation 325
requirements 325
I
ICACLS.exe 241
authentication and authorization 18–33
information protection
data loss prevention (DLP) policy 114–116
Windows Information Protection (WIP) 117–119
inheritance
installation
apps
from Company Store 17
click-to-run 8
Microsoft Office 365 7
Internet Control Message Protocol (ICMP) 139
Internet Key Exchange, Version 2 (IKEv2) 264
Internet Service Providers (ISPs) 82
Intune. See Microsoft Intune
Intune App Protection 98
iOS
Remote Desktop on 275
IP addresses 133
conflicts 138
filtering 149
requirements for 134
Ipconfig 139
Ipconfig /all 139
IP settings
K
Kerberos 265
Kerberos Key Distribution Center (KDC) 26
Kerberos v5 authentication protocol 26
L
Last Known Good Configuration 347
Layer 2 Tunneling Protocol (L2TP) 264
libraries
adding locations 211
creating 211
deleting files from 212
license installation reports 106
license purchase reports 106
licenses
user 95
line-of-business (LOB) apps 10
Link Layer Topology Discovery (LLTD) protocol 214
LLTD Mapper (LLTDIO) 214
local accounts 2
associating Microsoft account with 2–3
configuration 29
local cache 53
local profiles 38
Local Security Policy 27
location-aware printing 146–147
LockDown VPN profile 268
Logical Unit Number (LUN) 168
Long Term Servicing Channel (LTSC) 372
M
Mac computers
Remote Desktop on 275
malware settings 78
Manage Storage Spaces console 171
mandatory profiles 40
MDM. See Mobile Device Management
Microsoft 365
about 73
Admin Center 95
information protection 113–127
licenses 103
mobile device support in 73–88
user licenses 95
Microsoft 365 Business
view and manage devices 100–101
Microsoft 365 Enterprise
view and manage devices 101–102
Microsoft account
associating with local or domain account 2–3
configuration 29
Microsoft BitLocker Administration and Monitoring (MBAM) 119, 200–203
Microsoft Desktop Optimization Pack (MDOP) 201, 327–328
Microsoft Intune
adding users and groups 14
Administrator Console 332
desktop app deployment with 331–333
Device Enrollment Manager 99–100
Mobile Device Management and 84–88
policies
configuring in Azure portal 111–112
remote computer management 112–113
software deployment using 88–94
subscriptions configuration 102–103
Microsoft Intune Agent Settings template 76–77
Microsoft Intune Center Settings template 77
Microsoft Intune Policy page 110
Microsoft Office 365
configuration 6
features 8
installation 7
updates 5
Microsoft Online Services 175–176
Microsoft Remote Desktop Assistant 274
Microsoft Service Connection Point role 103–104
Microsoft Services Agreement 175
Microsoft Store
about 9
disabling access to 10
Microsoft Store apps
Microsoft Store for Business 10
Microsoft Store for Education 10
migration
Miracast over Infrastructure 300
mobile device inventory reports 106
Mobile Device Management (MDM) 74, 84–88
annual certificate renewal 88
mobile devices 261–306. See also remote access
remote connectivity 53
Wi-Fi Direct 63
Mobile Device Security Policy template 78–79
mobile hotspots 83
Mobility and Multi-homing (MOBIKE) protocol 264
Modify permission 244
monitoring
MS-CHAP v2 266
Mstsc.exe 275
multifactor authentication 19, 33, 189
N
name resolution
namespaces
DFS 166
near field communication (NFC) 219, 223–224
Netsh 63
Net Share 216
Netstat tool 139
network adapters
Network And Sharing Center 138, 209, 214
network discovery 214
Network Discovery settings 214
networking
IP addresses 134
networks 23
connection status, viewing 138
domain 141
domains 26
guest 141
private 141
wireless
network security
New-StoragePool cmdlet 174
New Technology File System (NTFS) 179–184, 213, 362
New-VirtualDisk cmdlet 174
noncompliant apps reports 107
Non-Volatile Memory Express (NVMe) 245
notification rules 108
Nslookup tool 139
NTUSER.DAT 38
O
Office 365. See Microsoft Office 365
data loss prevention (DLP) policy 114–116
Office 365 Security & Compliance Center 114–116
offline file policies 53–54, 81, 282–285
OneDrive 29
deleting personal settings from 296
document version history 365
files and folders 226
limitations of 226
mapping drive to 227
OneDrive for Business and 229–232
pricing plans 225
Recycle Bin 177–178, 226, 363–365
synchronization 226
usage policy 226
using on other devices 232
OneDrive for Business 178, 229–232
operating system
Optimize-StoragePool cmdlet 174
out-of-box experience (OOBE) 229
P
page description language (PDL) 219
parity 168
parity volume mirroring 169
Password Authentication Protocol (PAP) 264, 266
passwords 19
Credential Manager for 28
picture 22
policies 27
recovery key 67
saving 28
weak 27
Patch Tuesday 366
Perfect Forward Secrecy (PFS) 174
permissions management 179–185
combining NTFS and Share 183–184
NTFS permissions 179–182, 213, 238
permissions inheritance 242–243
Share permissions 183–184, 213, 215
Personal certificate store 19
personal devices
configuring access for 30
personally identifiable information (PII) 114–115
picture passwords 22
Ping tool 139
PKI. See public key infrastructure
Point-to-Point Tunneling Protocol (PPTP) 263–264
port numbers 149
port rules 153
PowerShell. See Windows PowerShell
Power & Sleep Settings option 285–286
Premium OneDrive 225
printer drivers 219
printer ports 219
printers
key terms 219
near field communication 223–224
print server properties 222–223
Type 4 printer drivers 219–220
printing
location-aware printing 146–147
Print Management console 222
private networks 141
program rules 153
protocols 149
Public folders 214
public key infrastructure (PKI) 19
Q
R
radio frequency identification (RFID) 223
RD Session Host role service 308–310
Read permission 244
recovery
of EFS-protected files 235–237
Recovery Environment (RE) 338
recovery keys 65, 67, 189, 191, 197, 199
recovery passwords 67, 189, 197
Recycle Bin 177–178, 226, 363–365
redundancy 168
referral cache 165
RemoteApp And Desktop Connections 313–316, 317
RemoteApp apps 307–319, 326–327
advantages of 307
GPOs for signed packages 316–317
iOS and Android support 317–318
remote computers
Remote Desktop
on Android 274
on iOS and Mac 275
on Windows 10 274
Restricted Admin mode 277–279
troubleshooting 279
Zoom support 280
Remote Desktop Connection Manager (RDCMan) 281
Remote Desktop Protocol 261–281
Remote Desktop Services (RDS) 326–327
Remote Desktop Session Host 310, 316
Remote Desktop Web Access (RD Web Access) 318–319
Remote Differential Compression (RDC) 165
Remote Server Administration Tools (RSAT) 166, 200
removable storage 179, 196–197
Remove-AppxPackage cmdlet 12
Remove-PhysicalDisk cmdlet 174
Remove-StoragePool cmdlet 174
Repair-VirtualDisk cmdlet 174
reports
creating 107
Resilient File System (ReFS) 168, 172, 247
Restricted Admin mode
Resolve-DnsName cmdlet 140
Responder (RSPNDR) 214
restore points 353–357, 360, 362
Robocopy 164
Robust File Copy for Windows (Robocopy) 164
root certificates 19
S
SaaS. See software as a service
Sarbanes-Oxley Act 247
Schannel 27
scheduling
backups 354
synchronization 82
Secure Channel 27
Secure Desktop 256
Secure Digital High-Capacity (SDHC) memory cards 339
Secure Sockets Layer (SSL) protocol 264
Secure Socket Tunneling Protocol (SSTP) 264
security. See also authentication
authentication exceptions 156–157
connection security rules 155–156
connectivity and 153
Dynamic Access Control 184–185
Encrypting File System 185–187
information protection 113–127
permissions management 179–185
personal devices 30
TLS/SSL 27
Windows Defender Security Center 148–149
Security Account Manager (SAM) 2, 25
Security & Compliance Center 114–116
Security log 249
Security Support Provider (SSP) 27
Semi-Annual Channel 371
Server Message Block (SMB) 213
service set identifier (SSID) 145
Set-PhysicalDisk cmdlet 174
Set-StoragePool cmdlet 174
Settings app 3–4, 11, 29, 56–57
Network Setting 145
access-based enumeration 217–218
folder permissions 213–218, 241–242
Public folders 214
Share permissions 183–184, 213, 215
sideloading
single sign-on (SSO) 30
Slow-link Mode 285
smart cards
software
software as a service (SaaS) 6
Software Assurance (SA) 328
software deployment
software updates
automatic approval settings 92–93
deadlines for installations 93
Solid State Drive (SSD) 245
SSO. See single sign-on
Standard User Analyzer 320
StartComponentCleanup task 380
storage
cloud 29
cmdlets 174
Distributed File System 164–167
removable 179, 187–188, 196–197
Storage Area Network (SAN) 167, 245
storage pools 167–168, 169–171
Storage Spaces 163
Manage Storage Spaces console 171
redundancy types 168
size of 171
Sync Center 55, 81–82, 296–298
synchronization
system access control list (SACL) 239
System Center Configuration Manager 103–104, 198
System Center Configuration Manager (SCCM) 373
system image
System Properties dialog box 24
system recovery
system repair disks
System Restore
identifying affected apps and files 342–343
task schedule modification 343
within Windows RE 343
System Restore Wizard 342
system settings 78
T
templates
terms and conditions reports 106
tethering
third-party software
three-way mirroring 168
Time to Live (TTL) 165
TPM Lockout 198
Tpmvscmgr.exe 21
Tracert tool 139
Transport Layer Security (TLS)/Secure Sockets Layer (SSL) security 27
Triple DES (3DES) algorithm 264
troubleshooting
access 184
Encrypting File System 186–187
HomeGroups 209
permissions 184
Remote Desktop 279
Trusted Platform Module (TPM) 61, 64, 188, 191, 290
BitLocker and 119
Trusted Platform Module (TPM) chip 20
Trusted Root Certification Authorities store 19
two-way mirroring 168
Type 3 print drivers 219
Type 4 print drivers 219, 219–220
U
Undo feature 177
unified extensible firmware interface (UEFI) 344
Unified Extensible Firmware Interface (UEFI) 191
Universal Naming Convention (UNC) 166
Universal Naming Convention (UNC) address 217
update reports 106
updates
deferring 371
delivery optimization for 368–370, 376–377
for enterprise customers 371–373
pausing 367
release of 366
settings configuration 366–370
Update-StoragePool cmdlet 174
USB 2.0 ports 291
USB 3.0 ports 291
User Account Control (UAC) 233
administrative users 253
Secure Desktop 256
user accounts
authentication 26
manual creation of 95
synchronizing with AD DS 95–97
user credentials
saving 28
user data
user-effective permissions 181
User Experience Virtualization (UE-V) 330–331
user groups
user licenses 95
user names
saving 28
user profiles
local 38
mandatory 40
users
adding, to Microsoft Intune 14
administrative 253
remote, authentication of 265–266
User State Migration Tool (USMT) 41–43
out-of-box experience (OOBE) 348–349
V
variables
environmental 39
Verisign 19
virtual hard disks (VHDs) 50–51, 168
virtual hard drives (VHDs) 49
virtual machines (VMs) 43
creating and configuring 44–48
importing 52
virtual private networking (VPN) 262
creating connection 265, 266–268
security properties 267
virtual private networks (VPNs) 53
types of 49
Virtual Switch Manager 50
volume-level resiliency 168
Volume Shadow Copy Service (VSS) 341, 355, 362
W
Wake-on-LAN (WoL) 198
Wbadmin.exe 355
WBF. See Windows Biometric Framework
WiFi Alliance 302
Wi-Fi Direct 63
WiFi Direct
Windows 8 283
Windows 10
Advanced Troubleshooting Mode 344–346
authentication and authorization 250–256
GUI changes 283
integration of Microsoft Account with 2–5
mobile device support in 73–88
OneDrive synchronization 226
Remote Desktop app on 274
upgrades, deferring 371
Windows 10 Anniversary Update 117
Windows 10 Enterprise 99
Windows 10 Pro 97
Windows ADK 42
Windows Assessment and Deployment Toolkit (Windows ADK) 320
Windows Biometric Framework (WBF) 22, 224
Windows Credential Manager 237
Windows Defender Credential Guard 237
Windows Defender Remote Credential Guard 276–277
Windows Defender Security Center 148–149, 150
Windows Deployment Services (WDS) 164
Windows Deployment Services (Windows DS) 347
Windows Firewall
allowing app through 151
security settings 214
Windows Firewall Settings template 77
Windows Firewall With Advanced Security 152–154
Windows Health Attestation Service 117
Windows Hello 33
Windows Information Protection (WIP) 117–119
Windows Insider Program 372
Windows Intune 373
Windows Mobility Center 286–287
Windows PowerShell
managing Office 365 with 8
managing Storage Spaces using 173–174
modifying domain users with 40
System Restore configuration using 341
virtual machine configuration in 47–48
Windows to Go workspace creation with 62
Windows To Go workspace creation with 293–294
Windows PowerShell Direct 48
Windows Preinstallation Environment (Windows PE) 42–43
Windows Public Key Infrastructure (PKI) 234
Windows Recovery Environment 61
Windows Recovery Environment (Windows RE) 343
Windows Server 2012 283
Windows Server Update Services (WSUS) 373
Windows Software Update Services (WSUS) 220
Windows Store. See Microsoft Store
Windows To Go
certified drives 292
hardware considerations 291
limitations and requirements 60–61
roaming with 291
workspace creation 62–63, 292–294
Windows To Go Workspace Wizard 292–293
Windows Update
delivery optimization for 368–370, 376–377
for enterprise customers 371–373
settings configuration 366–370
Windows Vault 237
wireless networks
Work Offline button 53
Workplace Join 30
workspaces
Write-DfsrHealthReport cmdlet 165
Y
Your Info tab 2
Z
Zero-Day updates 366