Windows 10 for Enterprise Administrators电子书

Title Page

Copyright

Windows 10 for Enterprise Administrators

Credits

About the Authors

About the Reviewer

www.PacktPub.com

Why subscribe?

Customer Feedback

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the color images of this book

Errata

Piracy

Questions

Installation and Upgrading

Which branch to select?

Current Branch, also known as Semi-Annual Channel (Targeted)

Current Branch for Business, also known as Semi-Annual Channel

Support timeline before 1709

Support timeline since 1709

The Long-Term Servicing Branch

LTSB problem silicon support - potential risk with Zen, Cannonlake, and newer CPUs

Limitations of LTSB

Recommendations

New deployment methods

Why in-place upgrades?

Limitations and blocker of the in-place upgrade

Changing from BIOS/legacy mode to UEFI mode

Changing from Windows 32-bit/x86 to 64-bit/x64

Changing the base OS language

Changing primary disk partitioning

Using the Windows To Go or boot from VHD features

Image creation process (sysprep after upgrade not supported)

Certain third-party disk encryption products

Changing too many apps (bulk application swap)

Changing the environment

Traditional wipe and load

An alternative: provisioning

Improvements in deployment since Windows 10 1511

Windows 10 1607, also known as Anniversary Update

Windows 10 1703/1709, also known as Fall Creators Update

Tips and tricks for smooth in-place upgrade from 7, 8.1, or 10 to 10

Integrating cumulative updates into install sources

Updating graphics driver

Looking at Setupact.log and Setupapi.dev.log

Using Windows Upgrade Analytics aka Windows Upgrade Readiness

Selecting the deployment tools

Summary

Configuration and Customization

Introducing Windows as a service

Cortana

Security mitigation

Image customization

Imaging process

Customizing the image

Upgrade expectations

Internet Explorer 11 Enterprise Mode configuration

Windows 10 Start and taskbar layout

Audit mode

Tips

Virtual Desktop Infrastructure

Layering technologies

Security Compliance Manager

AppLocker

Microsoft Windows Store for Business, also known as Private Store

Microsoft telemetry

Windows Spotlight

Mandatory user profiles

Assigned Access, also known as kiosk mode

Bring Your Own Device scenarios

Windows libraries

User Experience Virtualization

Summary

User Account Administration

Windows account types

Account privileges

Local Admin Password Solution

Create policies to control local accounts

Password policy

Account lockout policy

Manage user sign in options

Mobile device management security settings

User Account Control

Windows Hello for Business

Manage options for Windows Hello for Business

Credential Guard

Privileged Access Workstation

Summary

Remote Administration Tools

Remote Server Administration Tools

Installing RSAT

RSAT usage

PowerShell

PowerShell setup

PowerShell usage

PowerShell in the Enterprise

Desired State Configuration

Windows Sysinternals tools suite

BgInfo

Configuring BGInfo

Deployment

Introducing PsTools

Installing PsTools

Using PsTools

Custom code repository

Summary

Device Management

Evolving business needs

Mobile device management

Changes to GPOs in Windows 10

Enterprise/Education - only GPOs

Known issues when upgrading the central policy store

Known issues with Group Policy Preferences/GPMC

Servicing and patching

Why cumulative updates?

Update delivery solutions

Windows Update

Windows Update for Business

Windows Server Update Services

SCCM and third-party solutions

Windows 10 servicing

Summary

Protecting Enterprise Data in BYOD Scenarios

Bring Your Own Device

What is BYOD?

Choose Your Own Device

Key considerations

Device choice

Ownership

Management responsibility

Comparing options

Protection options

Identity and access management

Connect to work or school

Microsoft Passport

Windows Hello

Credential Guard

Device Configuration

Application management

Provisioning packages

Windows Store for Business

Mobile Application Management

Information protection

BitLocker and device pin

Windows Information Protection

Document classification and encryption

Data loss prevention

Alternative options

Enable remote/virtual desktops - RDS/VDI

Enable virtual private networks

Publish applications via proxy

End user behavior analytics

OneDrive for Business

Work Folders

Work Folders compared to other sync technologies

Summary

Windows 10 Security

Today's security challenges

Windows Hello/Windows Hello for Business

Differences between Windows Hello and Windows Hello for Business

Virtualization-based security

Credential Guard

Device Guard

Windows Defender Application Guard for Microsoft Edge

Windows Defender Exploit Guard

Device Health Attestation

Windows Defender Security Center

New BitLocker options

Local Administrator Password Solution

AD preparation

Now to the installation

LAPS UI

Group Policy client-side extension

Group Policy configuration options

Summary

Windows Defender Advanced Threat Protection

Prerequisites

Windows Defender

Windows Defender Security Center

Windows Defender ATP

Plan - environment analysis

Deploy - service activation

Sign up and activate Windows Defender ATP

Portal configuration

Check service health

Check sensor status

Enable SIEM integration

Onboard endpoints

Configure sensor data

Additional configuration

Detect - using the ATP portal

Alerts queue

Machine list

Preferences setup

Endpoint management

Protect Post-breach response

Types of threats

Ransomware

Credential theft

Exploits

Backdoors

General malware

Potentially Unwanted Application

Take responsive actions

Taking responsive actions on a machine

Collecting an investigation package

Isolate a machine

Take responsive actions on a file or process

Request deep analysis

Stop and quarantine file

Block file

Pivot into Office 365

Summary

Advanced Configurations

Virtual desktops

VDI infrastructure best practices

VDI configuration considerations

The Windows ICD

Windows 10 Kiosk Mode

AutoPilot mode

The Set up School PCs application

Device lockdown

Custom Logon

Keyboard filter

Shell Launcher

Unbranded Boot

Unified Write Filter

Summary

RedStone 3 Changes

OneDrive – file on demand

Task Manager shows GPU usage graph

No SMB1

Ubuntu, openSUSE and SUSE LSE available as Linux subsystem

New features of Microsoft Edge

New Google Chrome to Microsoft Edge migration feature

Hyper-V improvements

Change of network profiles in GUI

Improved storage sense feature

Microsoft Fluent Design

My people app

Eye tracking

Controlled folder access

Summary