
OFFICIAL MICROSOFT LEARNING PRODUCT

20697-2C
Deploying and Managing Windows 10
Using Enterprise Services
Companion Content
ii Deploying and Managing Windows 10 Using Enterprise Services

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.

© 2018 Microsoft Corporation. All rights reserved.


Microsoft and the trademarks listed at
https://www.microsoft.com/en-us/legal/intellectualproperty/Trademarks/Usage/General.aspx are trademarks of
the Microsoft group of companies. All other trademarks are property of their respective owners.

Product Number: 20697-2C

Released: 03/2018
MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. “Authorized Learning Center” means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. “Authorized Training Session” means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. “Classroom Device” means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center’s training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. “End User” means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. “Licensed Content” means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. “Microsoft Certified Trainer” or “MCT” means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. “Microsoft Instructor-Led Courseware” means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. “Microsoft IT Academy Program Member” means an active member of the Microsoft IT Academy
Program.

i. “Microsoft Learning Competency Member” means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. “MOC” means the “Official Microsoft Learning Product” instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. “MPN Member” means an active Microsoft Partner Network program member in good standing.
l. “Personal Device” means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. “Private Training Session” means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. “Trainer” means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. “Trainer Content” means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers’ use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights applies to you.

a. If you are a Microsoft IT Academy Program Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:

i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.
c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:

For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer:

i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
“customize” refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party code or content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code or content are
included for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplement the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content’s subject
matter is based on a pre-release version of Microsoft technology (“Pre-release”), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest (“Pre-release term”).
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.
4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allow you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
• access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is “as is”, we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.

a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.
b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVE NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDE ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to:
• anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.

Note: Because this Licensed Content is distributed in Quebec, Canada, some of the clauses of this
agreement are provided below in French.

DISCLAIMER OF WARRANTY. The Licensed Content covered by a license is offered "as is". Any use of
this Licensed Content is at your own risk. Microsoft gives no other express warranty. You may have
additional rights under local consumer protection law, which this agreement cannot change. Where
permitted by local law, the implied warranties of merchantability, fitness for a particular purpose and
non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. You can recover from Microsoft and its
suppliers compensation for direct damages only, up to US$5.00. You cannot claim compensation for any
other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
• anything related to the Licensed Content, services or content (including code) on third-party
Internet sites or in third-party programs; and
• claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages of
any kind, the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change the rights that the laws of your country give you if those
laws do not permit it to do so.

Revised July 2013


Managing PCs and devices in an enterprise environment 1-1

Module 1
Managing PCs and devices in an enterprise environment
Contents:
Lesson 1: Managing Windows 10 in an enterprise 2

Lesson 2: Managing a mobile workforce 5


Lesson 3: Overview of Enterprise Mobility + Security 7

Lab Review Questions and Answers 9



Lesson 1
Managing Windows 10 in an enterprise
Contents:
Question and Answers 3
Resources 3
Demonstration: Exploring Windows 10 features 3

Question and Answers


Question: What are some of the features that make the Windows 10 Enterprise edition useful for large
organizations?

Answer: In general, the Windows 10 Enterprise edition provides features for better
manageability. Some of these features are:
• Manage Microsoft Store access
• Manage Cortana
• AppLocker
• DirectAccess
• Windows Defender Credential Guard
• Windows Defender Application Control
• Windows To Go
• BranchCache
• Microsoft Desktop Optimization Pack (MDOP)
  o Microsoft Application Virtualization (App-V)
  o Microsoft User Environment Virtualization (UE-V)

Question: Which cloud service can you use to manage mobile devices?
Answer: You can use Microsoft Intune to manage mobile devices. You can use it to deploy
policies and apps to mobile devices.

Resources

Overview of Windows 10

Additional Reading: For more information about the new features in Windows 10, refer to
“What's new in Windows 10” at http://aka.ms/sfakvk.

Demonstration: Exploring Windows 10 features


Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Administrator by using the password Pa55w.rd.
2. Right-click Start, and then review each of the options.
3. Open Settings from the Start menu, and review the settings in:
  o System
  o Devices
  o Network & Internet
4. In Accounts, review the following settings:
  o Sign-in options > Dynamic lock
  o Access work or school
5. Open Control Panel and review the available options.
6. In Control Panel, click Programs, and then browse to Programs and Features and review the list of
Windows features.
7. In the notifications area, open the settings for OneDrive, and then review the settings on each tab.
8. After completing the demonstration, revert 20697-2C-LON-DC1 and 20697-2C-LON-CL1.
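The demonstration above walks through the client settings in the GUI. As an added example, not part of the courseware, the following PowerShell script collects the state of the Windows 10 Enterprise manageability features listed in the first answer of this lesson (Credential Guard, Application Control, AppLocker, BranchCache, DirectAccess, Store and Cortana policy) from one elevated session on the client, so the inventory can be repeated on many machines instead of clicked through on each. It reads state only. Assumptions: the Win32_DeviceGuard class, the AppLocker, BranchCache and DirectAccess client modules are present (they are on Windows 10 Enterprise); the registry paths are the ones the Group Policy settings for Store and Cortana write; Get-DAClientExperienceConfiguration is assumed to raise an error on a client that has never received DirectAccess policy. The function and property names are my own.

```powershell
# Added example (not part of the courseware): read-only inventory of the
# Windows 10 Enterprise manageability features listed in this lesson.
# Run in an elevated PowerShell session on the client, for example LON-CL1.

function Get-PolicyValue {
    # Returns a Group Policy-backed registry value, or $null when the policy is not set.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-EnterpriseFeatureState {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Win32_DeviceGuard reports virtualization-based security (VBS),
    # Credential Guard and Windows Defender Application Control (WDAC) status.
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running
    #   SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    #   CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # AppLocker rules are only enforced while the Application Identity service
    # runs, so a policy with rules but a stopped AppIDSvc protects nothing.
    $appIdSvc  = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $appLocker = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $ruleCount = 0
    if ($appLocker) {
        $ruleCount = ($appLocker.RuleCollections |
                      ForEach-Object { $_.Count } |
                      Measure-Object -Sum).Sum
    }

    # BranchCache client state (BranchCache module).
    $bc = Get-BCStatus -ErrorAction SilentlyContinue
    $bcEnabled = if ($bc) { $bc.BranchCacheIsEnabled } else { $null }

    # DirectAccess client settings. Assumption: the cmdlet fails on a client
    # that has not received DirectAccess policy, so any error means "not configured".
    $daConfigured = $false
    try {
        $null = Get-DAClientExperienceConfiguration -ErrorAction Stop
        $daConfigured = $true
    } catch { }

    # Store and Cortana are controlled through Group Policy; these are the
    # registry values the corresponding policy settings write.
    $storeRemoved = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' 'RemoveWindowsStore'
    $cortana      = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search' 'AllowCortana'

    [pscustomobject]@{
        Edition                 = $os.Caption
        VbsStatus               = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardRunning  = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning             = [bool]($dg.SecurityServicesRunning -contains 2)
        WdacEnforcement         = $dg.CodeIntegrityPolicyEnforcementStatus
        AppLockerServiceRunning = [bool]($appIdSvc -and $appIdSvc.Status -eq 'Running')
        AppLockerRuleCount      = [int]$ruleCount
        BranchCacheEnabled      = $bcEnabled
        DirectAccessConfigured  = $daConfigured
        StoreRemovedByPolicy    = ($storeRemoved -eq 1)
        CortanaAllowedByPolicy  = $cortana   # $null = not configured, 0 = blocked, 1 = allowed
    }
}

Get-EnterpriseFeatureState | Format-List
```

The output is a single object rather than text, so the same function can feed a compliance report across a fleet (for example through Invoke-Command) and the pairing of AppLockerRuleCount with AppLockerServiceRunning makes the common misconfiguration of rules without the enforcing service visible at a glance.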

Lesson 2
Managing a mobile workforce
Contents:
Question and Answers 6

Question and Answers

Discussion: Challenges with managing mobile users and devices


Question: How many (or what percentage of) users in your organization use laptop computers, tablets, or
convertible devices?

Answer: Answers will vary depending on the student’s organization.


Question: What is the biggest challenge you have faced in managing laptops, tablets, or convertible
devices in your organization?

Answer: Answers will vary depending on the student’s organization.

Question: How often do remote users connect their computers to the organizational network?

Answer: Answers will vary depending on the student’s organization.

Question: Which technologies do you use to manage remote users?


Answer: Answers will vary depending on the student’s organization.

Question: Is there a policy in place at your organization that lists approved mobile devices?

Answer: Answers will vary depending on the student’s organization.

Question: What operating systems are mobile device users at your organization using?

Answer: Answers will vary depending on the student’s organization.

Question: Do you allow mobile device users at your organization to access sensitive internal
organizational data and applications?

Answer: Answers will vary depending on the student’s organization.

Question: What mobile device management technologies do you use to ensure that mobile devices are
free of malware and can be wiped remotely if the user loses the device or leaves the organization?

Answer: Answers will vary depending on the student’s organization.



Lesson 3
Overview of Enterprise Mobility + Security
Contents:
Question and Answers 8
Resources 8

Question and Answers

Discussion: How can an organization benefit from the Enterprise Mobility + Security suite?

Question: How can your organization use the additional functionality in Azure AD Premium to enhance
the experience of mobile users?

Answer: Answers will vary depending on the student’s organization.


Question: How can your organization use the functionality in Intune to enhance the experience for
mobile users?

Answer: Answers will vary depending on the student’s organization.

Question: How can your organization use the functionality in Azure Information Protection to improve
information protection?

Answer: Answers will vary depending on the student’s organization.

Question: Are any of the other features in Enterprise Mobility + Security useful for your organization?

Answer: Answers will vary depending on the student’s organization.

Resources

Practical Uses of Enterprise Mobility + Security

Additional Reading: For additional examples of how Enterprise Mobility + Security can be
used, refer to “Protecting and empowering your connected organization with Microsoft
Enterprise Mobility + Security” at https://aka.ms/U21qg3.

Lab Review Questions and Answers


Lab: Planning for Windows 10 and device management in an enterprise
Question and Answers
Question: Which technology should you use to ensure that documents users at Adatum create can be
opened only by other users at A. Datum, and not by anyone outside the organization?

Answer: Azure Information Protection enables organizations to control the dissemination of
information. You can use Azure Information Protection templates to stop anyone outside the
organization from opening a protected document.

Question: Which cloud services can the sales team use for file storage so that they can access the files
from anywhere?

Answer: They can use OneDrive for Business to store personal files, and Microsoft SharePoint
Online for shared files.

Question: Which technology can you use to allow users of iOS and Android-based tablets access to
applications that run only on computers running Windows operating systems?

Answer: You can use RemoteApp from the central office. This technology allows users of devices
with the iOS and Android operating systems to use applications that run on Windows operating
systems. You can do this by streaming the presentation of the application from servers hosted in
your data centers to devices with the RemoteApp client installed.

Question: Which cloud-based technology can you use to deploy applications to the sales team’s laptops
that are running Windows 10?

Answer: You can use Microsoft Intune to deploy applications to the laptops.
Question: Which cloud-based technology can you use to perform software and hardware inventory on
the sales team’s laptops that are running Windows 10?

Answer: You can use Intune to perform software and hardware inventory on the laptops.

Module 2
Traditional Windows 10 deployment in an enterprise
Contents:
Lesson 1: Overview of Windows 10 enterprise deployment 2

Lesson 2: Customizing enterprise deployments 6


Lesson 3: Maintaining a Windows 10 installation 13

Lesson 4: Volume license activation for Windows 10 17

Module Review and Takeaways 20


Lab Review Questions and Answers 21

Lesson 1
Overview of Windows 10 enterprise deployment
Contents:
Question and Answers 3
Resources 5

Question and Answers


Question: You can use MDT to perform ZTI deployment of Windows 10.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: You can perform a ZTI deployment only with Configuration Manager. With MDT, you
can perform an LTI deployment of Windows 10.

Question: You must perform an in-place upgrade if you want to use Windows 10 Enterprise instead of
Windows 10 Pro.

( ) True

( ) False

Answer:
( ) True
(√) False

Feedback: You can use a provisioning package to upgrade the Windows 10 edition. You can also
upgrade the Windows 10 edition by joining it to Microsoft Azure Active Directory (Azure AD) and
assigning the user who will use the computer a Windows 10 Enterprise license.

Managing desktops in an enterprise environment


Question: What is the main difference between a clean installation of Windows 10 and migration to
Windows 10?
Answer: With a clean installation, you finish with a fresh Windows 10 installation in which no
apps or user data are preserved. A migration to Windows 10 includes a clean installation as one
of its steps. You perform migration after a clean Windows 10 installation, and you reinstall the
apps and restore settings and data during migration.
Question: Which deployment option can you use if a device already has Windows 10 preinstalled?

Answer: You can use provisioning if a device already has Windows 10 preinstalled. You can use
other deployment options such as in-place upgrade, clean installation, and migration if the
device doesn’t have Windows 10 installed.

Overview of Windows 10
Question: Can you upgrade a 64-bit Windows 8.1 Pro computer to a 64-bit Windows 10 Pro computer if
you start the computer from Windows 10 DVD installation media?

Answer: No. You can upgrade to Windows 10 only by running Setup.exe from an existing
operating system. If you start a computer from DVD media, you can perform a clean installation
of Windows 10, but you can’t upgrade the existing operating system to Windows 10.

Question: Can you perform an in-place upgrade of a 64-bit computer that is running a 32-bit version of
Windows 8.1 Pro to a 64-bit version of Windows 10 Enterprise?

Answer: No, you can’t. You can perform an in-place upgrade from Windows 8.1 Pro to Windows
10 Enterprise, but you can’t perform an in-place upgrade between 32-bit and 64-bit operating
systems.

Managing Windows 10 in an enterprise environment


Question: What happens with user settings, data, and installed apps if you perform a clean installation of
Windows 10 on a computer that has Windows 7 installed?

Answer: If you perform a clean installation of Windows 10, the existing users, their settings, data,
and installed apps on the computer that is running Windows 7 aren’t migrated to Windows 10. If
you didn’t format the volume, this information will be preserved in the Windows.old folder, but
it won’t be used in the Windows 10 environment.

Question: What would be some of the reasons to perform a clean installation instead of using an in-place
upgrade to Windows 10 on a Windows 7 computer?

Answer: An in-place upgrade is the preferred way of installing Windows 10 on a computer with
an existing operating system. In some instances, however, you can’t use an in-place upgrade. For
example, if you want to install 64-bit Windows 10 on a computer that is running 32-bit Windows
7, if you want to switch languages between Windows 7 and Windows 10, or if you use a virtual
hard disk to start Windows 7.

Question: Your consulting company wants to upgrade its client computers that are running 32-bit
Windows 7 Service Pack 1 (SP1) to 64-bit Windows 10. The computers meet all hardware requirements for
64-bit Windows 10. What would you recommend?
Answer: While most of the scenario suggests an in-place upgrade, you can’t upgrade 32-bit
Windows 7 SP1 to 64-bit Windows 10. Therefore, in this scenario, you must perform a migration
to retain user settings, and you must reinstall the apps.
Question: What is the difference between side-by-side and wipe-and-load migration?
Answer: Side-by-side migration is used when you want to replace currently used computers, but
you want to keep current settings and data; you need two computers to perform side-by-side
migration. Wipe-and-load migration restores settings and data on the same computer, on which
the operating system is replaced with Windows 10 and apps are reinstalled; you need a single
computer to perform wipe-and-load migration.
Question: Can you run an app that was developed for Windows 7 on a Windows 10 computer?
Answer: Windows 7 apps are generally compatible with Windows 10, and it’s very likely that you
will be able to run them on a Windows 10 computer. You can use ACT or Windows Analytics to
verify if an app has any known issues with Windows 10.

Question: Can you use a device driver from a 32-bit version of Windows 8.1 with a 64-bit version of
Windows 10?

Answer: The 32-bit version of the Windows operating system can use 32-bit device drivers only,
and the 64-bit version of the Windows operating system can use 64-bit device drivers only. This
means that you can’t use any device driver from a 32-bit version of Windows 8.1 with a 64-bit
version of Windows 10.

Question: Can you provision a 64-bit Windows 8.1 computer?

Answer: No, you can’t provision a computer that is running the Windows 8.1 operating system.
You can use provisioning only on computers that already have Windows 10 installed.

Question: You bought a Windows 10 Pro tablet and want to use it as a Bring Your Own Device (BYOD)
device. How can you provision the device?
Answer: You can provision the device by running a provisioning package. You can also add a
provisioning package in the Settings app.

Question: You want to control a Windows 10 deployment by using a task sequence. Which two
deployment tools could you use?

Answer: You can control an operating system deployment by using a task sequence in MDT and
in Configuration Manager. You can also integrate MDT with Configuration Manager, which will
provide you additional task sequence templates in Configuration Manager.

Question: What must be available on the network if an organization wants to implement ZTI deployment
of Windows 10?

Answer: If an organization wants to implement ZTI deployment of the Windows 10 operating
system, which installs Windows 10 without any user interaction, the organization should use
Configuration Manager (Current Branch). The organization must also have Dynamic Host
Configuration Protocol (DHCP) and Windows DS on its network because operating system
deployment in Configuration Manager depends on those two infrastructure roles.

Resources

Deployment options for Windows 10 computers

Additional Reading: For more information on Windows 10 deployment scenarios, refer to
“Windows 10 deployment scenarios” at https://aka.ms/Ouipc2.

Considerations for an in-place upgrade

Additional Reading: For more information, refer to “Windows 10 upgrade paths” at
https://aka.ms/N3sw9x.

Methods for mitigating common app compatibility issues

Additional Reading: For more information about ACT, refer to “Application Compatibility
Toolkit (ACT) Technical Reference” at https://aka.ms/Wgqpo9.

Overview of Windows 10 provisioning

Additional Reading: For more information on provisioning Windows 10, refer to
“Provisioning packages for Windows 10” at https://aka.ms/Cpbc0w.

Lesson 2
Customizing enterprise deployments
Contents:
Question and Answers 7
Resources 9
Demonstration: Creating an answer file 10
Demonstration: Creating and using Windows PE 11
Demonstration: Generalizing a computer by using Sysprep 11

Question and Answers


Question: The DISM PowerShell module is included in the default Windows 10 installation.

( ) True
( ) False

Answer:

(√) True
( ) False

Feedback: The default Windows 10 installation includes Dism.exe and the DISM PowerShell
module. You can also get it from Windows ADK.

Question: All seven Windows setup passes occur when you run Setup.exe from Windows 10 installation
media.

( ) True

( ) False

Answer:
( ) True
(√) False

Feedback: When you install Windows 10 by running Setup.exe from Windows 10 installation
media, only the following four Windows setup passes occur: windowsPE, offlineServicing,
specialize, and oobeSystem.

Challenges for managing a mobile workforce


Question: Why is the size of a single Windows image file that contains images of Windows 10 Home,
Windows 10 Pro, and Windows 10 Enterprise considerably smaller than the combined size of three
Windows image files, where the first image file contains a Windows 10 Home image, the second image
file contains a Windows 10 Pro image, and the third image file contains a Windows 10 Enterprise image?

Answer: Windows image files use compression, but they also use single instancing, which means
that if multiple images in the same Windows image file contain the same file, then that file is
stored only once in the Windows image file. Windows 10 Home, Windows 10 Pro, and Windows
10 Enterprise share many files, which means that single instancing can save a considerable
amount of space if all three images are in the same Windows image file. If each image is in a
separate Windows image file, single instancing can’t be used, and the combined size of the
Windows image files will be significantly larger.

Question: What is the name of the default Windows 10 image file, and where can you locate it?
Answer: The default Windows 10 image file is named Install.wim. You can locate Install.wim in
the Sources folder on Windows 10 installation media.

Discussion: Challenges with managing mobile users and devices


Question: Can you use Windows ADK only for customizing Windows 10 installations?

Answer: No. Windows ADK tools are backward compatible, and you can also use them to
customize Windows 7, Windows 8, and Windows 8.1 installations. You can use the same tools to
customize Windows Server installations.

Question: Are Windows ADK tools included in Windows 10?



Answer: No. Windows ADK tools work with Windows 10, but they aren’t included in Windows 10.
You can access the tools by downloading Windows ADK from the Microsoft portal.

Question: Can you use a custom Windows 10 image to perform an in-place upgrade?
Answer: No, you can perform an in-place upgrade only by using the default Windows 10 image.
If you want to deploy a custom Windows 10 image, you must perform a clean installation, which
can be followed by migration.

Question: What would you use to control a Windows 10 installation on a reference computer by using
MDT or Configuration Manager?

Answer: If you plan to install Windows 10 on a reference computer by using MDT or
Configuration Manager, you typically would use a task sequence to control the installation.

Question: How many Windows setup configuration passes are available, and do all occur when you install
Windows 10 by running Setup.exe?

Answer: There are seven Windows setup configuration passes: windowsPE, offlineServicing,
generalize, specialize, auditSystem, auditUser, and oobeSystem. Only four of these setup passes,
windowsPE, offlineServicing, specialize, and oobeSystem, occur when you install Windows 10 by
running Setup.exe.
Question: Can you configure the same Windows 10 settings in multiple Windows setup configuration
passes?
Answer: You can configure Windows settings in specific and predefined setup configuration
passes. Some settings can be configured in multiple setup configuration passes, and you can use
the documentation or Windows SIM to find out the setup configuration passes in which specific
Windows settings can be configured.

Solutions for managing external clients


Question: What must you do before you can create an answer file for a Windows 10 installation?
Answer: If you want to create an answer file, you must have the catalog for the Windows image.
Because the catalog of the Windows 10 images isn’t included on Windows 10 installation media,
you first need to create the catalog file. Windows SIM can create the catalog, but only if the
Windows image file is on writable media. Therefore, you also need to copy Install.wim onto USB
media or a hard drive.

Question: How can you create and edit an answer file?


Answer: An answer file is an XML file, which means that you can create and edit it in any text
editor. However, you create and edit Windows answer files in Windows SIM, which shows the
components and packages that you can use in the answer files. Windows SIM also verifies the
syntax of the answer files.

Question: What are some of the tasks in which you can use Windows PE?

Answer: You can use Windows PE media to start a computer regardless of its state. You can use
Windows PE to troubleshoot a computer that won’t start, for example, because of corrupted Boot
Configuration Data (BCD), to access data on a hard disk and to inject a missing device driver. By
starting a computer from Windows PE, you can also capture an image of the installed and
generalized Windows 10 operating system, format the partition, and install a custom Windows 10
image.

Question: What do you need to create Windows PE media?

Answer: Windows ADK includes Windows PE. If you want to create Windows PE media, you must
first install Windows ADK on your computer. You can then run CopyPE.cmd to build the
Windows PE environment, perform Windows PE customization, and then create Windows PE
media by running the MakeWinPEMedia.cmd script.

Question: Why should you run Sysprep on a reference Windows 10 computer before capturing the
image?
Answer: Sysprep generalizes the Windows operating system by removing computer-specific
information such as the computer name and security identifier (SID). If you don’t generalize a
reference computer before capturing the image, all deployed computers would have the same
information. This will cause conflicts on the network.

Question: Do you need to install Windows ADK to use Sysprep?

Answer: No, the default Windows 10 installation includes Sysprep.exe. You can find it in the
C:\Windows\System32\sysprep folder.

Question: What must you do before you can capture an image of a Windows 10 computer?

Answer: You can’t capture an image of a running operating system. Before you can capture a
Windows 10 image, you must start the computer from an alternate operating system, such as
Windows PE. In most cases, you should also generalize Windows 10 by running Sysprep before
you capture the image.
Question: Why does the image you add to an existing .wim image file typically take less space than if you
capture the same image to a new .wim image file?
Answer: A Windows image file uses single instancing, which shares a single and compressed
copy of files that are common between the images that are in the same .wim image file. If you
add an additional image to a .wim image file and the image includes some of the same files that
are already in the existing .wim image file, the existing copy of the files is used. If you capture an
image to a new .wim image file, the .wim file doesn't include any image, which means that all
files from the image you are adding are compressed and added to the new .wim image file.

Resources

What is the Windows image file format?

Additional Reading: For a complete technical description of the .wim format, refer to
“Windows Imaging File Format (WIM)” at https://aka.ms/C5tlt7.

Overview of Windows setup configuration passes

Additional Reading: For more information, refer to “Windows Setup Configuration Passes”
at https://aka.ms/Tdn1l9.

Using an answer file to control an installation

Additional Reading: For a complete list of all the settings that you can use to automate
the configuration and the deployment of Windows 10, refer to “Unattended Windows Setup
Reference” at https://aka.ms/Xdj0ft.

What is Windows PE?

Additional Reading: For more information, refer to “Windows PE (WinPE)” at
https://aka.ms/Nusbjz.

What is Sysprep?

Additional Reading: For more information, refer to “Sysprep (System Preparation)
Overview” at https://aka.ms/Ao777c.

Demonstration: Creating an answer file


Demonstration Steps
1. On LON-CL1, open Windows System Image Manager, and then in the Answer File section, right-click
Create or open an answer file and then click New Answer File.
2. Under Windows Image, add the install_Windows 10 Enterprise Evaluation.clg file, which is in the
E:\Labfiles\mod02\Sources folder as a Windows image.

3. In the Components section of Windows SIM, add the following components, and then configure
their properties with following values:

• amd64_Microsoft-Windows-Setup_10.0.16299.15_neutral\DiskConfiguration\Disk

o Add Setting to Pass 1 WindowsPE


o DiskID: 0

o WillWipeDisk: true

• amd64_Microsoft-Windows-
Setup_10.0.16299.15_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition

o Add Setting to Pass 1 WindowsPE


o Extend: True

o Order: 1

o Type: Primary

• amd64_Microsoft-Windows-Setup_10.0.16299.15_neutral\ImageInstall\OSImage\InstallTo

o Add Setting to Pass 1 WindowsPE

o DiskID: 0

o PartitionID: 1

• amd64_Microsoft-Windows-Setup_10.0.16299.15_neutral\UserData

o Add Setting to Pass 1 WindowsPE

o AcceptEULA: true

o Organization: Adatum

4. Save the answer file on the desktop as Autounattend.xml. Open the answer file in Internet Explorer,
and then verify that the settings that you configured in Windows SIM are saved in the answer file.
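The Autounattend.xml that the Windows SIM steps above produce, written out by hand as an added example (not course material), followed by a parser that reads it back so the check in step 4 is done in code rather than by eye. Element names follow the unattend schema (AcceptEula, CreatePartitions); the output path and function name are assumptions.

```powershell
# Added example, not part of the course: the answer file the demonstration builds, plus a
# reader that lists every setting with the configuration pass it belongs to.

$unattendXml = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <DiskConfiguration>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>Primary</Type>
              <Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
        </Disk>
      </DiskConfiguration>
      <ImageInstall>
        <OSImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </OSImage>
      </ImageInstall>
      <UserData>
        <AcceptEula>true</AcceptEula>
        <Organization>Adatum</Organization>
      </UserData>
    </component>
  </settings>
</unattend>
'@

function Get-UnattendSetting {
    # Walks each settings pass and component and returns one row per leaf setting, so the
    # pass a setting was placed in is visible without opening Windows SIM. (hypothetical name)
    param([Parameter(Mandatory)][xml]$Document)

    $ns = New-Object System.Xml.XmlNamespaceManager($Document.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    foreach ($pass in $Document.SelectNodes('/u:unattend/u:settings', $ns)) {
        foreach ($component in $pass.SelectNodes('u:component', $ns)) {
            # Leaf elements (no child elements) carry the actual values.
            foreach ($leaf in $component.SelectNodes('.//*[not(*)]', $ns)) {
                $path = @()
                for ($node = $leaf; $node -ne $component; $node = $node.ParentNode) {
                    $path = ,$node.LocalName + $path
                }
                [pscustomobject]@{
                    Pass      = $pass.GetAttribute('pass')
                    Component = $component.GetAttribute('name')
                    Setting   = $path -join '\'
                    Value     = $leaf.InnerText
                }
            }
        }
    }
}

$outFile = Join-Path $env:USERPROFILE 'Desktop\Autounattend.xml'   # assumed location
$unattendXml | Set-Content -Path $outFile -Encoding UTF8

[xml]$doc = Get-Content -Path $outFile -Raw
$settings = Get-UnattendSetting -Document $doc
$settings | Format-Table -AutoSize

# The setting that matters most on unattended media: with WillWipeDisk in the windowsPE pass,
# disk 0 is erased on any computer that boots from this media, with no prompt left to stop it.
$diskId = ($settings | Where-Object Setting -eq 'DiskConfiguration\Disk\DiskID').Value
$wipe   = ($settings | Where-Object Setting -eq 'DiskConfiguration\Disk\WillWipeDisk').Value
if ($wipe -eq 'true') {
    Write-Warning "Disk $diskId is wiped without prompting by the windowsPE pass of this answer file."
}
```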

Demonstration: Creating and using Windows PE


Demonstration Steps
1. On LON-CL1, open the Deployment and Imaging Tools Environment.

2. Use CopyPE.cmd to copy the base amd64 Windows PE files to the C:\WinPE folder.

3. Use File Explorer to view the contents of the C:\WinPE and C:\WinPE\media\sources folders.

4. Use MakeWinPEMedia.cmd to create the Windows PE ISO media. Use the C:\WinPE folder and
name the file WindowsPE.iso.

5. Add Windows PE media to LON-CL3 by attaching the DVD image file at
D:\Program Files\Microsoft Learning\20697-2\Drives\WindowsPE.iso.
6. Start LON-CL3 from DVD media.

7. On LON-CL3, at the command prompt, run the dir d: command.
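Steps 1 to 4 above as one script, written as an added example rather than taken from the course, with the one customization the lesson mentions (injecting a device driver into boot.wim) done between CopyPE and MakeWinPEMedia. It assumes the Windows ADK with the WinPE add-on is installed in its default location and that C:\Drivers\Net holds an .inf driver package; the wrapper function name is hypothetical.

```powershell
# Added example, not the course's own script. Run from an elevated PowerShell prompt.
$adkTools  = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Deployment Tools'  # assumed
$workDir   = 'C:\WinPE'
$isoPath   = Join-Path $workDir 'WindowsPE.iso'
$driverDir = 'C:\Drivers\Net'       # assumed folder holding the .inf driver package to inject
$mountDir  = 'C:\WinPE_mount'

function Invoke-DeploymentTool {
    # copype.cmd and MakeWinPEMedia.cmd are batch files that need the Deployment and Imaging
    # Tools Environment, so run each one through a throwaway .cmd that first calls
    # DandISetEnv.bat. 'call' is required or the wrapper never returns from the batch file.
    param([Parameter(Mandatory)][string]$CommandLine)
    $wrapper = Join-Path $env:TEMP 'adk-tool.cmd'
    @(
        '@echo off'
        "call `"$adkTools\DandISetEnv.bat`""
        "call $CommandLine"
    ) | Set-Content -Path $wrapper -Encoding Ascii
    & $wrapper
    if ($LASTEXITCODE -ne 0) { throw "'$CommandLine' failed with exit code $LASTEXITCODE" }
}

# Step 2: copype refuses to run into an existing folder, so fail early rather than half-way.
if (Test-Path $workDir) { throw "$workDir already exists; remove it or choose another folder." }
Invoke-DeploymentTool "copype amd64 $workDir"

# Step 3 equivalent: what copype produced, including media\sources\boot.wim.
Get-ChildItem -Path (Join-Path $workDir 'media\sources')

# Customization: mount boot.wim offline, add the driver package, commit on dismount.
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
$bootWim = Join-Path $workDir 'media\sources\boot.wim'
Mount-WindowsImage -ImagePath $bootWim -Index 1 -Path $mountDir | Out-Null
$save = $false
try {
    Add-WindowsDriver -Path $mountDir -Driver $driverDir -Recurse | Out-Null
    Get-WindowsDriver -Path $mountDir | Select-Object Driver, ProviderName, ClassName, Version
    $save = $true
}
finally {
    # Commit only if the driver injection succeeded; otherwise discard and leave boot.wim clean.
    if ($save) { Dismount-WindowsImage -Path $mountDir -Save | Out-Null }
    else       { Dismount-WindowsImage -Path $mountDir -Discard | Out-Null }
}

# Step 4: build the ISO from the working folder (/f overwrites an existing ISO of that name).
Invoke-DeploymentTool "MakeWinPEMedia /ISO /f $workDir $isoPath"
Get-Item -Path $isoPath | Select-Object FullName, Length
```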

Demonstration: Generalizing a computer by using Sysprep


Demonstration Steps
1. On LON-CL3, use File Explorer to verify that the computer name is LON-CL3.
2. Create a document with your name, delete the document, and then verify that it moved to the
Recycle Bin.

3. Add a custom event to Event Viewer by running the following command:

Eventcreate /T error /ID 1000 /L application /D "My custom error"

4. Verify that the event you added is visible in the Application log in Event Viewer.

5. View and make note of the user’s SID by running the following command:

Whoami /user

6. Run Sysprep.exe, and then specify the options to generalize the installation and to shut down the
computer.

7. After LON-CL3 is turned off, create a checkpoint of LON-CL3, name it Generalized, and then turn on
LON-CL3.

Note: After LON-CL3 starts, notice that the startup takes longer than usual because the
computer is going through the first startup. LON-CL3 also restarts and then goes through the
out-of-box experience (OOBE) setup pass.

8. Accept the default options on OOBE pages.


9. Specify that the user named User will use this PC with the password Pa55w.rd.

10. Wait until the user signs in.

11. Verify that the LON-CL3 computer was renamed.


12. Verify that the Recycle Bin is empty.

13. Verify that the custom event that you added to Application log is no longer present and that all
events were added after the generalization.

14. Verify that the user has a different SID by running the following command:

Whoami /user

Note: The user has a different SID than before because the user SID contains the Computer
ID, which changed when you generalized the computer.
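An added example (not from the course) that records the identity facts the demonstration has you note by hand (steps 1 to 5), runs Sysprep with the same options as step 6, and after OOBE compares the rebuilt computer against the saved baseline (steps 11 to 14), including the machine SID the note above refers to. The baseline path and function names are assumptions.

```powershell
# Added example, not the course's own script. Run elevated; the file under C:\ survives
# generalization because Sysprep strips machine-specific state, not ordinary files.
$baselinePath = 'C:\SysprepBaseline.json'   # assumed location

function Get-MachineSid {
    # The machine SID is any local account's SID with its relative ID (RID) removed. The
    # built-in Administrator always has RID 500, so this works whoever is signed in.
    $adminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID.Value
    return $adminSid.Substring(0, $adminSid.LastIndexOf('-'))
}

function Get-CustomEventCount {
    # Counts the event written in step 3 by 'eventcreate /T error /ID 1000 /L application'.
    $filter = @{ LogName = 'Application'; ProviderName = 'EventCreate'; Id = 1000 }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    return @($events).Count
}

function Save-SysprepBaseline {
    # Step 5 equivalent: persist the values that generalization is expected to change.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MachineSid       = Get-MachineSid
        CustomEventCount = Get-CustomEventCount
        CapturedAt       = (Get-Date).ToString('o')
    } | ConvertTo-Json | Set-Content -Path $baselinePath
}

function Test-SysprepGeneralized {
    # Steps 11 to 14: returns $true only when every machine-specific value has changed.
    # A clone that still matches the baseline was never generalized and will collide on the
    # network exactly as the lesson warns.
    $before = Get-Content -Path $baselinePath -Raw | ConvertFrom-Json
    $result = [pscustomobject]@{
        NameChanged        = $before.ComputerName -ne $env:COMPUTERNAME
        MachineSidChanged  = $before.MachineSid -ne (Get-MachineSid)
        CustomEventCleared = ((Get-CustomEventCount) -eq 0) -and ($before.CustomEventCount -gt 0)
    }
    $result | Format-List
    return ($result.NameChanged -and $result.MachineSidChanged -and $result.CustomEventCleared)
}

# Before generalization: save the baseline, then generalize and shut down as in step 6.
Save-SysprepBaseline
& "$env:SystemRoot\System32\Sysprep\Sysprep.exe" /generalize /oobe /shutdown

# After OOBE and sign-in on the rebuilt computer, dot-source this file and run:
#   Test-SysprepGeneralized
```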

Lesson 3
Maintaining a Windows 10 installation
Contents:
Question and Answers 14
Resources 15
Demonstration: Working with images by using DISM 15
Demonstration: Using Windows Configuration Designer to create
provisioning packages 16

Question and Answers


Question: You must mount the Windows 10 image if you want to perform online servicing.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: You must mount the Windows 10 image if you want to perform offline servicing.
Online servicing is performed on a running Windows 10 computer.

Question: You can apply a provisioning package to a Windows 10 computer that doesn't have network
connectivity.

( ) True

( ) False

Answer:
(√) True
( ) False

Feedback: You can apply a provisioning package to any Windows 10 computer regardless of
whether it has network connectivity. If a computer doesn't have network connectivity, you can
use a USB flash drive to transfer a provisioning package to a computer.

Question: What types of images can you modify by using DISM?

Answer: You can use Dism.exe to modify offline and online Windows 10 images. You can also
use Dism.exe to modify other images, for example, a Windows PE image.

Question: What must you do before you can modify an offline Windows 10 image?

Answer: Before you can modify an offline Windows 10 image, you must mount the image to an
empty folder. You can mount an image by using the Dism.exe command or the Mount-
WindowsImage Windows PowerShell cmdlet.
Question: Does Windows 10 include Windows Configuration Designer?

Answer: No, Windows Configuration Designer is part of Windows ADK. You can install Windows
ADK on Windows 10 and on other Windows operating systems. You can use Windows
Configuration Designer only after you install Windows ADK.

Question: What is the difference between using the Provision desktop devices wizard or using
advanced provisioning in Windows Configuration Designer?

Answer: All three Windows Configuration Designer wizards, including the Provision desktop
devices wizard, enable you to configure only the most commonly used settings. Advanced
provisioning allows you to configure all available settings in the provisioning package. You can
always switch from the wizard to the advanced editor, but you can’t switch from the advanced
editor to the wizard.

Question: Can you configure Windows 10 image deployment options by using provisioning packages?
Answer: No, you can only configure runtime Windows 10 options by using a provisioning
package. In older versions of Windows Configuration Designer, it was possible to configure
Windows 10 image deployment options, but that functionality was removed from Windows
Configuration Designer.

Question: Can you use a provisioning package to add a Windows 10 computer account to a specific
organizational unit (OU) in AD DS?
Answer: Yes, you can add a Windows 10 computer account to a specific OU in AD DS by using a
provisioning package. However, you can only configure this option by using the advanced editor,
and not by using the Provision desktop devices wizard.

Resources

Modifying and maintaining Windows images

Additional Reading: For more information, refer to “Windows 10 DISM Command-Line
Options” at https://aka.ms/K1ejpz.

Overview of Windows Configuration Designer

Additional Reading: For more information, refer to “Provisioning packages for Windows
10” at https://aka.ms/Cpbc0w.

Using provisioning packages to configure Windows 10

Additional Reading: For a list of all settings that you can configure in a provisioning
package, refer to “Windows Configuration Designer provisioning settings (reference)” at
http://aka.ms/a5v1ak.

Demonstration: Working with images by using DISM


Demonstration Steps
1. On LON-CL1, use File Explorer to view the properties of the install.wim file in the sources folder on
the DVD drive.

2. Use Dism.exe with the Get-ImageInfo parameter to view the content of the install.wim file.

3. Use the New-WindowsImage cmdlet CapturePath parameter to capture the contents of the
C:\Windows\INF folder to a file named C:\image.wim, and then name the image First image.

4. Use File Explorer to view the properties of the C:\Windows\INF folder.

5. View the size of the C:\image.wim file, and then explain the benefits of the Windows image file
format compression.

6. Use the Add-WindowsImage cmdlet to add the contents of the C:\Windows\INF folder as a second
image to the C:\image.wim file, and then use Second Image as the image name.

7. View the size of the C:\image.wim file, and then explain the benefits of single instancing where
multiple images in the same Windows image file have the same files.
8. Create a folder named C:\mount, and then use Dism.exe with the Mount-Wim parameter to mount
the second image in the C:\image.wim file to the C:\mount folder.

9. Use File Explorer to view the properties of the C:\mount folder.



10. In the C:\mount folder, create a subfolder named Folder1. Delete the files named 1394.PNF,
acpi.PNF, and acpidev.PNF in the C:\mount folder.

11. Use Dism.exe with the Unmount-Wim and Commit parameters to unmount the image.
12. Use Dism.exe with the Get-WimInfo parameter to view and compare the properties of both images in
the C:\image.wim file.
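Steps 3 to 12 above as one session with the DISM PowerShell module that ships with Windows 10, added here as an example rather than taken from the course; the sizes that demonstrate compression and single instancing are captured into variables instead of read off File Explorer. Paths come from the demonstration; the script must run from an elevated prompt.

```powershell
# Added example, not the course's own script.
$imagePath = 'C:\image.wim'
$source    = Join-Path $env:SystemRoot 'INF'
$mountDir  = 'C:\mount'

$sourceBytes = (Get-ChildItem -Path $source -Recurse -File |
                Measure-Object -Property Length -Sum).Sum

# Step 3: capture C:\Windows\INF into a new image file (compressed on capture).
New-WindowsImage -ImagePath $imagePath -CapturePath $source -Name 'First image' | Out-Null
$afterFirst = (Get-Item -Path $imagePath).Length

# Step 6: add the same folder as a second image. Single instancing stores each file that both
# images share only once, so the .wim grows far less than the size of the folder.
Add-WindowsImage -ImagePath $imagePath -CapturePath $source -Name 'Second Image' | Out-Null
$afterSecond = (Get-Item -Path $imagePath).Length

# Steps 4, 5 and 7: the comparison the demonstration asks you to explain.
[pscustomobject]@{
    SourceFolderMB    = [math]::Round($sourceBytes / 1MB, 1)
    OneImageMB        = [math]::Round($afterFirst / 1MB, 1)
    TwoImagesMB       = [math]::Round($afterSecond / 1MB, 1)
    SecondImageAddsMB = [math]::Round(($afterSecond - $afterFirst) / 1MB, 1)
} | Format-List

# Steps 8 to 11: mount the second image, change it, and commit the change on dismount.
New-Item -ItemType Directory -Path $mountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $imagePath -Index 2 -Path $mountDir | Out-Null
$save = $false
try {
    New-Item -ItemType Directory -Path (Join-Path $mountDir 'Folder1') | Out-Null
    foreach ($name in '1394.PNF', 'acpi.PNF', 'acpidev.PNF') {
        Remove-Item -Path (Join-Path $mountDir $name) -ErrorAction Stop
    }
    $save = $true
}
finally {
    # -Save is the cmdlet form of Dism.exe /Unmount-Wim /Commit; if any edit failed, discard
    # instead so the image is never left half-modified or left mounted.
    if ($save) { Dismount-WindowsImage -Path $mountDir -Save | Out-Null }
    else       { Dismount-WindowsImage -Path $mountDir -Discard | Out-Null }
}

# Step 12: compare both images. Only index 2 shows the modification time of the edit above.
Get-WindowsImage -ImagePath $imagePath | ForEach-Object {
    Get-WindowsImage -ImagePath $imagePath -Index $_.ImageIndex |
        Select-Object ImageIndex, ImageName, ImageSize, CreatedTime, ModifiedTime
}
```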

Demonstration: Using Windows Configuration Designer to create provisioning packages

Demonstration Steps
1. On LON-CL4, verify that the computer name is LON-CL4 and that the computer is in a workgroup
named WORKGROUP.

2. Verify that LON-CL4 doesn't have a local user named LocalUser.


3. On LON-CL1, use Windows Configuration Designer to create a provisioning package that includes
the following settings:

a. Computer name: Marketing-%RAND:3%


b. Add to the domain: Adatum.com

c. Use the Adatum\Ada username and the password Pa55w.rd to add the computer to the
domain.

d. Add the local user named LocalUser with the password Pa55w.rd.

4. Export the provisioning package, and then save it to the virtual floppy disk as Marketing
Computers.ppkg.
5. Eject the Transfer.vfd virtual floppy disk from 20697-2C-LON-CL1 virtual machine.

6. Insert the Transfer.vfd virtual floppy disk, which is located on the host in the
Program Files\Microsoft Learning\20697-2\Drivers folder, on the 20697-2C-LON-CL4 virtual machine.

7. On LON-CL4, use File Explorer to install the Marketing Computers.ppkg provisioning package that is
on the virtual floppy disk.

8. Wait until LON-CL4 restarts, and then sign in to LON-CL4 as Admin with the password Pa55w.rd.
9. On LON-CL4, verify that the computer name is Marketing followed by three digits and that the
computer is in the Adatum.com domain.

10. Verify that LON-CL4 has a local account named LocalUser.
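
The before and after checks in steps 1, 2, 9 and 10, plus the package installation from step 7, as an added PowerShell example (not course code). It assumes the virtual floppy disk is mounted as drive A: on LON-CL4; Install-ProvisioningPackage is the cmdlet from the Provisioning module that ships with Windows 10.

```powershell
# Added example: verify the state a provisioning package is expected to produce, and apply it.
# Assumption: the virtual floppy disk is drive A: on LON-CL4.
$PackagePath = 'A:\Marketing Computers.ppkg'

function Get-ProvisioningState {
    # Computer name, domain membership, and the local account the package is expected to create.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{
        ComputerName  = $cs.Name
        PartOfDomain  = $cs.PartOfDomain
        DomainOrGroup = $cs.Domain     # 'WORKGROUP' before the package, 'Adatum.com' afterwards
        HasLocalUser  = [bool](Get-LocalUser -Name 'LocalUser' -ErrorAction SilentlyContinue)
    }
}

function Test-ProvisioningApplied {
    param([pscustomobject]$State)
    # The package sets the name to Marketing-%RAND:3%, so expect "Marketing" and three digits.
    ($State.ComputerName -match '^Marketing-?\d{3}$') -and
        $State.PartOfDomain -and
        ($State.DomainOrGroup -ieq 'Adatum.com') -and
        $State.HasLocalUser
}

$before = Get-ProvisioningState
if (Test-ProvisioningApplied -State $before) {
    Write-Warning 'Package already applied; nothing to do.'
}
else {
    # Same runtime provisioning that the File Explorer double-click starts; the computer
    # restarts when the package has been applied.
    Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall
}

# After the restart, sign in as Admin and run the check again:
# Test-ProvisioningApplied -State (Get-ProvisioningState)
```

One point worth noting from a security standpoint: the exported .ppkg carries the Adatum\Ada domain-join credentials and the LocalUser password from step 3, so handle the package file as you would a credential, and use a join account that holds only the right to add computers to the domain.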



Lesson 4
Volume license activation for Windows 10
Contents:
Question and Answers 18
Resources 18

Question and Answers


Question: Can you use Active Directory-based activation to activate Windows 10 computers that aren’t
domain members?

Answer: No. Active Directory-based activation can only activate domain member computers that
are running Windows 8, Windows Server 2012, or a newer operating system.
Question: What type of connection is established between a Windows 10 computer and a domain controller
when using Active Directory-based activation?

Answer: When a Windows 10 computer wants to activate, it establishes an LDAP connection to the
domain controller. This is the same type of connection that client computers use for other interactions
with domain controllers, so you don’t need to open any additional port on the firewall to allow
Active Directory-based activation.

Question: Can a Windows 10 computer be a KMS host?


Answer: Yes. Any computer that is running Windows 10 or an older version of the Windows
operating system can be a KMS host. However, this isn’t a best practice, because a Windows 10
computer isn’t always connected to the network, and it’s used by end users. We recommend that
a server running Windows Server 2016 or an older Windows Server operating system act as a
KMS host on a network.

Question: How can a Windows 10 computer locate the KMS host?


Answer: A Windows 10 computer can locate the KMS host by querying the DNS server. The KMS
host publishes its existence automatically by adding a service location (SRV) resource record to
DNS.

Question: What is the main benefit that VAMT provides for an environment without direct internet
connectivity?
Answer: One VAMT feature is MAK proxy activation, which enables you to use VAMT to activate
all the clients on a network at once, without requiring the clients to have internet connectivity.

Question: Where can you get VAMT? On which version of the Windows operating system can you install
VAMT?

Answer: VAMT is available in Windows ADK. You can install it on any supported version of the
Windows operating system.
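
The three facts in the answers above (KMS discovery through a DNS SRV record, the client's activation state, and the activation object that Active Directory-based activation keeps in AD DS) can each be checked from PowerShell. The following is an added example, not course material; it assumes the DNS zone and AD DS domain are both adatum.com, and the last function needs the ActiveDirectory module (a domain controller or RSAT).

```powershell
# Added example: verification checks for KMS and Active Directory-based activation.

function Get-KmsHostRecord {
    param([string]$DnsDomain = 'adatum.com')
    # A KMS host registers _vlmcs._tcp.<domain> (TCP 1688 by default); clients discover it here.
    # A host name in this record that you did not deploy is worth investigating.
    Resolve-DnsName -Name "_vlmcs._tcp.$DnsDomain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        Select-Object NameTarget, Port, Priority, Weight
}

function Get-WindowsActivationState {
    # The Windows product entry in the licensing WMI class: license state and the KMS host used.
    # KeyManagementServiceMachine is set when a host was configured by hand;
    # DiscoveredKeyManagementServiceMachineName when DNS discovery found it.
    $windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
    $names = @{ 0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'OOBGrace'; 3 = 'OOTGrace';
                4 = 'NonGenuineGrace'; 5 = 'Notification'; 6 = 'ExtendedGrace' }
    Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
        Select-Object Name,
            @{ n = 'LicenseStatus'; e = { $names[[int]$_.LicenseStatus] } },
            KeyManagementServiceMachine,
            DiscoveredKeyManagementServiceMachineName,
            KeyManagementServicePort
}

function Get-AdActivationObject {
    # Active Directory-based activation stores its activation object in the configuration
    # partition, so any domain controller in the forest can answer the LDAP activation request.
    $config = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Activation Objects,CN=Microsoft SPP,CN=Services,$config" `
        -Filter 'objectClass -eq "msSPP-ActivationObject"' -Properties displayName |
        Select-Object displayName, DistinguishedName
}

Get-KmsHostRecord
Get-WindowsActivationState
```

A client that shows LicenseStatus Licensed with an empty KeyManagementServiceMachine and a populated DiscoveredKeyManagementServiceMachineName was activated through the DNS-discovered host; a domain-joined Windows 8 or newer client that shows Licensed with neither field set was activated by Active Directory-based activation.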

Resources

Technologies for volume license activation

Additional Reading: For more information, refer to “Volume Activation for Windows 10”
at http://aka.ms/T5383c.

How Active Directory-based activation works

Additional Reading: For more information on configuring and using Active Directory-based
activation, refer to “Activate using Active Directory-based activation” at https://aka.ms/Tluunp.

Volume activation management

Additional Reading: For more information on VAMT, refer to “Volume Activation
Management Tool (VAMT) Technical Reference” at https://aka.ms/Qfvrld.

Module Review and Takeaways


Question: You can use KMS activation for activating Windows 10 computers in a workgroup.

( ) True
( ) False

Answer:

(√) True
( ) False

Feedback: KMS activation can activate any Windows computer, regardless of whether the
computer is in AD DS or in a workgroup. The only requirement is that the computer must be able
to locate the KMS host and connect to it.

Question: Any computer that is a domain member can activate by Active Directory-based activation.
( ) True
( ) False

Answer:
( ) True
(√) False

Feedback: Only Windows-based computers that are domain members can activate by using
Active Directory-based activation. However, to be able to activate, they must be running
Windows 8, Windows Server 2012, or a newer Windows operating system. If you still have
Windows 7 computers, they can’t activate by using Active Directory-based activation even if they
are domain members.

Lab Review Questions and Answers


Lab: Deploying Windows 10 by using Windows ADK tools
Question and Answers
Question: Why was the Windows image file only slightly bigger when you added the same image to the
file for the second time?

Answer: The Windows image file uses a single-instance store, which means that it can store
multiple copies of the same file very efficiently. The first copy of a file is compressed and stored
once; for every additional copy of the same file, only a pointer to the stored content, not the
content itself, is added to the Windows image file.
Question: When can you use an answer file for an unattended Windows 10 installation?

Answer: If the answer file includes all the settings that are necessary for the Windows 10
installation, you can use it for a completely unattended installation of Windows 10.

Module 3
Managing Windows 10 sign-in and identity
Contents:
Lesson 1: Overview of enterprise identity 2

Lesson 2: Overview of Azure AD Premium 4


Lesson 3: Extending identity to the cloud 7

Module Review and Takeaways 9

Lab Review Questions and Answers 10



Lesson 1
Overview of enterprise identity
Contents:
Question and Answers 3

Question and Answers


Question: When you sign in to a Windows 10 computer with a Microsoft account, you can access domain
resources in your organizational network in the same way as with a domain account.

( ) True

( ) False

Answer:

( ) True

(√) False

Feedback: A Microsoft account doesn’t allow you to access domain resources because it is for
authentication with online services such as Microsoft OneDrive or Microsoft Outlook online. To
access domain resources, you must sign in with a domain account, which you can link with a
Microsoft account.
Question: Windows Hello provides native support for biometric authentication.

( ) True

( ) False
Answer:

(√) True
( ) False
Feedback: Unlike previous technologies that used biometrics as a faster way to type passwords,
Windows Hello is a native biometric solution.

Lesson 2
Overview of Azure AD Premium
Contents:
Question and Answers 5
Demonstration: Viewing an Azure AD tenant 5
Demonstration: Managing Azure AD users and groups 5
Demonstration: Joining a Windows 10 computer to Azure AD 6

Question and Answers


Question: How can you manage all your computers that are joined to Azure AD?

Answer: Azure AD doesn’t provide management functionality for joined computers, but you can
configure autoenrollment for Intune. After computers enroll in Intune, you can manage them
through Intune.
Question: What are some of the tools you can use to manage cloud-based identities in Azure AD?

Answer: You can manage cloud-based identities in Azure AD by using the Azure portal, the
Office 365 portal, the AzureAD Windows PowerShell module, and the MSOnline Windows
PowerShell module.

Demonstration: Viewing an Azure AD tenant


Demonstration Steps
1. If necessary, create a new Microsoft account.

2. If necessary, create a new Azure trial subscription.


3. Open Microsoft Edge, and then browse to https://portal.azure.com.

4. On the Sign-in page, sign in with the Microsoft account that is associated with your Azure
subscription.
5. In the navigation pane, select Azure Active Directory, and then select Overview.

6. Read the name of the default directory above the Overview link. This name is based on the email
address that was used to create the tenant.
7. Select Custom domain names, and then read the existing name. Note the existing name because it
is necessary for the next demonstrations. The name of your domain is based on the email address
provided during creation in the format <initials><date>outlook.onmicrosoft.com.
8. Leave the Azure portal open for the next demonstration.

Demonstration: Managing Azure AD users and groups


Demonstration Steps
• If necessary, enable Azure AD Premium in your tenant.

Create a standard user


1. On LON-CL3, on the Azure portal, browse to Users and groups - All users.
2. Create a new user with the following information:

o Name: Deanna Sheppard

o Username: Deanna@yourtenant.onmicrosoft.com
o First name: Deanna

o Last name: Sheppard


o Department: IT

3. Note the password for later use.

Create a global administrator


1. On LON-CL3, on the Azure portal, create a new user with the following information:
o Name: GAdmin
o Username: GAdmin@yourtenant.onmicrosoft.com

o Directory role: Global administrator

2. Note the password for later use.

3. Close Microsoft Edge.

Create a group with static membership


1. On LON-CL3, on the Azure portal, browse to Azure Active Directory, and then browse to Users and
groups - All groups.

2. Create a new group with the following information:

o Name: StaticGroup

o Membership type: Assigned

o Members: Deanna Sheppard, GAdmin

Create a group with dynamic membership


1. On LON-CL3, on the Azure portal, browse to Azure Active Directory, and then browse to Users and
groups - All groups.

2. Create a new group with the following information:

o Name: DynamicGroup
o Membership type: Dynamic User

o Dynamic membership rule: department Equals IT

3. Verify that Deanna Sheppard is listed as a member of DynamicGroup.


4. Leave the Azure portal open for the next demonstration.

Note: If no DynamicGroup members are listed, wait a few minutes, and then refresh the
membership list. It can take several minutes for the membership to populate.
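
The same users and groups created with the AzureAD Windows PowerShell module that the question and answer for this lesson names, as an added example (not the course's portal steps). It assumes the module is installed (Install-Module AzureAD), that the account you connect with holds the Global administrator role, and that yourtenant is replaced by your tenant name.

```powershell
# Added example: the demonstration's user, role and group setup with the AzureAD module.
$Tenant = 'yourtenant.onmicrosoft.com'
Connect-AzureAD | Out-Null

function New-InitialPasswordProfile {
    # Random initial password (16 characters) that the user must change at first sign-in.
    $bytes = New-Object byte[] 9
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
    $profile.Password = [Convert]::ToBase64String($bytes) + 'Aa1!'
    $profile.ForceChangePasswordNextLogin = $true
    $profile
}

# Standard user Deanna Sheppard, department IT (the attribute the dynamic rule keys on).
$deannaProfile = New-InitialPasswordProfile
$deanna = New-AzureADUser -DisplayName 'Deanna Sheppard' -GivenName 'Deanna' -Surname 'Sheppard' `
    -UserPrincipalName "Deanna@$Tenant" -MailNickName 'Deanna' -Department 'IT' `
    -AccountEnabled $true -PasswordProfile $deannaProfile

# GAdmin, then the Global administrator directory role.
$gadminProfile = New-InitialPasswordProfile
$gadmin = New-AzureADUser -DisplayName 'GAdmin' -UserPrincipalName "GAdmin@$Tenant" `
    -MailNickName 'GAdmin' -AccountEnabled $true -PasswordProfile $gadminProfile
$role = Get-AzureADDirectoryRole | Where-Object DisplayName -eq 'Global Administrator'
if (-not $role) {
    # A directory role is activated from its template the first time a tenant uses it.
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object DisplayName -eq 'Global Administrator'
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $gadmin.ObjectId

# Static (assigned) security group containing both users.
$static = New-AzureADGroup -DisplayName 'StaticGroup' -MailEnabled $false `
    -SecurityEnabled $true -MailNickName 'StaticGroup'
foreach ($u in $deanna, $gadmin) {
    Add-AzureADGroupMember -ObjectId $static.ObjectId -RefObjectId $u.ObjectId
}

# Dynamic user group, rule "department Equals IT" (requires Azure AD Premium).
$dynamic = New-AzureADMSGroup -DisplayName 'DynamicGroup' -MailEnabled $false -SecurityEnabled $true `
    -MailNickname 'DynamicGroup' -GroupTypes 'DynamicMembership' `
    -MembershipRule '(user.department -eq "IT")' -MembershipRuleProcessingState 'On'

# Membership is evaluated in the background (see the Note above); poll until Deanna appears.
$deadline = (Get-Date).AddMinutes(10)
do {
    $members = Get-AzureADGroupMember -ObjectId $dynamic.Id | Select-Object -ExpandProperty ObjectId
    if ($members -contains $deanna.ObjectId) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

# "Note the password for later use" (steps 3 and 2 above): the initial passwords are in
# $deannaProfile.Password and $gadminProfile.Password until the users change them.
```

Global administrator is the most privileged role in the tenant, so a script like this is also a good place to keep count of how many accounts hold it; the same Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId call lists them.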

Demonstration: Joining a Windows 10 computer to Azure AD


Demonstration Steps
1. On LON-CL3, select Settings in the Start menu, and then select Accounts.

2. In Access work or school, connect by using the following settings:

o Join this device to Azure Active Directory

o Username: Deanna@yourtenant.onmicrosoft.com

3. Use Microsoft Edge to open https://portal.azure.com, and then sign in as
GAdmin@yourtenant.onmicrosoft.com.

4. In Azure Active Directory, browse to Devices, and then verify that Deanna Sheppard is the owner of
LON-CL3.

5. Restart LON-CL3, and then sign in as Deanna@yourtenant.onmicrosoft.com.

6. Set up a PIN if prompted to do so.

7. Verify your identity by text message if prompted to do so.
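
Step 4 verifies the join in the portal; the same state is visible on the device itself from the output of dsregcmd.exe /status, which ships with Windows 10. The following added example (not course code) parses that output into an object and checks the fields an Azure AD-joined device is expected to report. The sample text at the end is constructed to exercise the parser without a joined device and is not real output.

```powershell
# Added example: read the device join state that "dsregcmd /status" reports.
function ConvertFrom-DsregcmdStatus {
    param([string[]]$Lines = (& dsregcmd.exe /status))
    $result = @{}
    foreach ($line in $Lines) {
        # Data lines look like "            AzureAdJoined : YES";
        # section borders (+----) and titles (| Device State |) have no colon and are skipped.
        if ($line -match '^\s*([A-Za-z][\w\s-]*?)\s*:\s*(.*?)\s*$') {
            $result[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]$result
}

function Test-AzureAdJoined {
    param([pscustomobject]$Status, [string]$ExpectedTenant)
    # A device joined as in step 2 is AzureAdJoined YES and DomainJoined NO (not hybrid),
    # and TenantName identifies which directory it was joined to.
    $Status.AzureAdJoined -eq 'YES' -and
        $Status.DomainJoined -eq 'NO' -and
        $Status.TenantName -eq $ExpectedTenant
}

# Constructed sample in the shape of dsregcmd output (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : yourtenant
                  TenantId : 00000000-0000-0000-0000-000000000000
'@ -split "`r?`n"

$status = ConvertFrom-DsregcmdStatus -Lines $sample
Test-AzureAdJoined -Status $status -ExpectedTenant 'yourtenant'

# On LON-CL3 itself, omit -Lines to parse the live output:
# Test-AzureAdJoined -Status (ConvertFrom-DsregcmdStatus) -ExpectedTenant 'yourtenant'
```

Checking TenantName as well as AzureAdJoined is deliberate: a device that is joined, but to a tenant other than your own, is not under your management even though the join itself succeeded.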



Lesson 3
Extending identity to the cloud
Contents:
Question and Answers 8
Demonstration: Establishing directory synchronization 8

Question and Answers


Question: How does directory synchronization support SSO?

Answer: To provide SSO between AD DS and cloud-based applications, you need to have a
single unified identity. Directory synchronization replicates the identity from AD DS to Azure AD,
where it can be used for connectivity to cloud-based resources.
Question: To enable federated identities with Active Directory Federation Services (AD FS), should you
select express settings or custom settings when installing Azure AD Connect?

Answer: The express settings option in Azure AD Connect configures password synchronization
rather than federated identities. To configure federated identities, you need to select custom
settings.

Demonstration: Establishing directory synchronization


Demonstration Steps
Update UPNs for Azure AD
1. On LON-DC1, use Windows PowerShell Integrated Scripting Environment (ISE) to open
E:\Labfiles\Mod03\UpdateUPN.ps1.

2. On line three of the script, replace <yourtenant> with the name of your Azure AD tenant.

3. Save the script, and then run it.


4. Use Active Directory Administrative Center to verify that the user principal name (UPN) is updated for
Abbi Skinner in the IT OU.

Install Azure AD Connect


1. On LON-DC1, run E:\Labfiles\AzureADConnect.msi.

2. Install Azure AD Connect by using the following settings:


o Express settings

o Azure AD account: GAdmin@yourtenant.onmicrosoft.com

o AD DS account: Adatum\Administrator
o Continue without any verified domains

o Start the synchronization process when configuration completes
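
The UPN change that the "Update UPNs for Azure AD" steps describe (the course script UpdateUPN.ps1 is not reproduced here), written from scratch as an added example with the ActiveDirectory module. It assumes it runs on LON-DC1, that the IT OU is OU=IT,DC=Adatum,DC=com, and that yourtenant is replaced by your tenant name; the user name Abbi Skinner is the one step 4 verifies.

```powershell
# Added example: register a routable UPN suffix in the forest and apply it to users in one OU,
# so the on-premises UPN matches the Azure AD sign-in name after synchronization.
#Requires -Modules ActiveDirectory
param(
    [string]$CloudSuffix = 'yourtenant.onmicrosoft.com',   # replace with your tenant name
    [string]$SearchBase  = 'OU=IT,DC=Adatum,DC=com'         # assumed DN of the IT OU
)

# 1. The suffix has to be registered in the forest before it can be assigned to users.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $CloudSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $CloudSuffix }
}

# 2. Replace only the suffix; the part before @ stays, so existing sign-in names keep working.
$users = Get-ADUser -Filter 'UserPrincipalName -like "*"' -SearchBase $SearchBase -Properties UserPrincipalName
foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$CloudSuffix"
    if ($u.UserPrincipalName -ne $newUpn) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
        [pscustomobject]@{ User = $u.SamAccountName; OldUpn = $u.UserPrincipalName; NewUpn = $newUpn }
    }
}

# 3. The check from step 4, without opening Active Directory Administrative Center.
Get-ADUser -Filter 'Name -eq "Abbi Skinner"' -SearchBase $SearchBase -Properties UserPrincipalName |
    Select-Object Name, UserPrincipalName
```

The script only changes the suffix and only for accounts under the given OU, and it reports each change it makes, which is the record you want before Azure AD Connect starts synchronizing these identities.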



Module Review and Takeaways


Best Practices
• Use synchronized identities in the cloud, if possible, so you can create an SSO experience for your
users.
• Manage synchronization settings for Microsoft accounts by using Group Policy.
• Use the Azure AD Join feature in the Windows 10 operating system if you have several resources in
the cloud.
• Ensure that you have a management mechanism for computers that are joined to Azure AD.

Review Questions
Question: What service do you need to use if you want to access cloud services with your on-premises
accounts, but you still want to perform authentication locally?

Answer: You can perform authentication locally by using federated identities with AD FS or by
using pass-through authentication with Azure AD Connect. Pass-through authentication is
simpler to implement, but it works only with Microsoft cloud services. AD FS provides claims-based
authentication and can integrate with multiple cloud services and apps.
Question: Your organization has an Office 365 subscription that uses synchronized identities with
password synchronization. When users are out of the office and forget their passwords, they need to call
the help desk to reset them. However, they are unable to change their passwords until they return to the
office. How can you enable users to change their passwords in Office 365?

Answer: Office 365 includes Azure AD Free, which doesn’t support password writeback to AD DS.
You can enable password writeback if you purchase Azure AD Premium, which allows users to
change their passwords in Office 365, and the password will synchronize back to AD DS. You
could also enable self-service password resets to help avoid help desk calls.

Lab Review Questions and Answers


Lab: Extending on-premises AD DS to Azure AD
Question and Answers
Question: Why did you need to add the Microsoft Enterprise Mobility + Security trial subscription before
configuring the group with dynamic membership?

Answer: Dynamic group membership is only available in Azure AD Premium. Adding the
Enterprise Mobility + Security trial subscription to your tenant enabled Azure AD Premium.
Question: Why did you change the UPNs for the user accounts before enabling directory
synchronization?

Answer: When you implement directory synchronization, the UPN in AD DS and Azure AD
should be the same to allow users to use a single set of credentials when accessing on-premises
and cloud-based resources.

Module 4
Managing user profiles and UE-V
Contents:
Lesson 1: Managing user profiles and user state 2

Lesson 2: Configuring UE-V 8


Lesson 3: Managing user state migration 13

Module Review and Takeaways 16

Lab Review Questions and Answers 17



Lesson 1
Managing user profiles and user state
Contents:
Question and Answers 3
Resources 6
Demonstration: Configuring Folder Redirection 7

Question and Answers


Question: Which of the following elements does the user state include? Select all that apply.

( ) Selected font and font size in Notepad


( ) Write.exe

( ) HKEY_CURRENT_CONFIG registry hive

( ) Shortcuts on the desktop


( ) Restore points

Answer:

(√) Selected font and font size in Notepad


( ) Write.exe

( ) HKEY_CURRENT_CONFIG registry hive

(√) Shortcuts on the desktop


( ) Restore points

Feedback: Write.exe is an executable program that Windows stores in the C:\Windows folder.
The HKEY_CURRENT_CONFIG registry hive stores computer configuration and is in the
C:\Windows\System32\Config folder. Restore points are inside the C:\System Volume
Information folder. The other two options, selected font and font size in Notepad and shortcuts
on the desktop, are stored in the user profile.
Question: Which of the following features enables users to transparently access their files while
minimizing network traffic?
( ) Folder Redirection

( ) Roaming user profiles

( ) Primary computer

( ) UE-V
( ) Enterprise State Roaming

Answer:

(√) Folder Redirection

( ) Roaming user profiles

( ) Primary computer

( ) UE-V

( ) Enterprise State Roaming

Feedback: Only Folder Redirection enables users to transparently access their files while
minimizing network traffic. Roaming user profiles enable users to access their files but do cause
considerably more network traffic. Primary computer is just a setting, and it does not enable
users to access their files on its own. UE-V and Enterprise State Roaming sync only settings and
not data, which means that they do not enable users to access their files.

Question: Which two limitations can you apply to a computer that is not a user’s primary computer?

( ) The user cannot sign in

( ) User’s roaming profile is not available


( ) User’s redirected folders are not available

( ) The user can sign in only during a limited time

( ) The user cannot connect to the internet

Answer:

( ) The user cannot sign in

(√) User’s roaming profile is not available

(√) User’s redirected folders are not available

( ) The user can sign in only during a limited time

( ) The user cannot connect to the internet

Feedback: If a user signs in to a computer that is not on their primary computers list, you can
configure Group Policy to prevent using that user’s roaming user profile and redirected folders.
You can also configure all other limitations, but they cannot be based on the user’s primary
computer setting.

What is user state?


Question: Is user state contained in a single file?
Answer: No. A single file does not contain a user state. User state defines the user environment
and is composed of many files, which include user settings, user registry, app settings, and
application data.

Question: Does user state include installed applications?

Answer: No. User state includes user settings, Windows 10 operating-system settings, and user
data files. Installed applications are not part of user state, but they should be available on the
computer on which a user signs in.

How does a user profile maintain user state?


Question: How can you configure Windows 10 to use user profiles?

Answer: By default, the Windows 10 operating system uses user profiles without any additional
configuration. In fact, you cannot change this configuration so that Windows 10 doesn’t use user
profiles for storing user state.

Question: Where are local user profiles stored in Windows 10 and when are they created?

Answer: Local user profiles are stored as subfolders of the C:\Users folder. Windows creates the
subfolder the first time a user signs in, and gives it the same name as that user’s sign-in name.

User profile types


Question: Can an administrator change the user profile type on a Windows 10 computer?

Answer: If a user is not signed in, an administrator can locally select to use a cached local copy of
the roaming user profile instead of the user’s roaming profile on a particular Windows 10
computer. An administrator must make any other changes in Active Directory Domain Services
(AD DS), where an administrator can modify user properties, or on a file server, where an
administrator can rename NTUSER.DAT to NTUSER.MAN.

Question: Can you configure a domain user with a mandatory user profile only by modifying user
properties in AD DS?
Answer: No. You can configure a user with a roaming user profile by modifying user properties
in AD DS. However, to configure a user with a mandatory user profile instead of a roaming user
profile, you need to rename the NTUSER.DAT file to NTUSER.MAN.

Options for minimizing user profile size


Question: How can you enforce size limits on local user profiles in Windows 10?

Answer: You can enforce size limits on local user profiles only by configuring disk quotas on the
local Windows 10 volume on which user profiles are stored. If you use any other option, such as
redirecting folders or limiting profile sizes by using Group Policy, Windows does not enforce
limits and local user profiles can grow larger than configured.

Question: What is the most transparent way to reduce user profile size?

Answer: The most transparent way to reduce user profile size is to use Folder Redirection. Users
save their files to redirected folders in the same way. However, files are no longer stored in their
user profiles, but are instead saved in folders that are outside of their user profiles.

What is Folder Redirection?


Question: What is the main difference between roaming user profiles and redirected folders?

Answer: Roaming user profiles copy locally when users sign in, and modifications copy back to a
network location when they sign out. Redirected folders are on a network location all the time
and do not copy locally.

Question: Can you use Folder Redirection on a computer that is running Windows 10 and that is joined
to Azure Active Directory (AD)?

Answer: No. Folder Redirection is configured in domain Group Policy, and domain Group
Policy applies only to computers that are Active Directory Domain Services (AD DS) members. If a
computer that is running Windows 10 is joined to Azure AD, Group Policy settings do not apply
to it, and you cannot use Folder Redirection on that computer.

What are offline files?


Question: Do you need to enable the Offline Files feature manually to access the content of redirected
folders if your computer temporarily loses network connectivity?
Answer: The Offline Files feature enables you to access files that are stored on the network,
even when you temporarily do not have network connectivity. In Windows 10, Offline Files is
disabled by default, but it is automatically enabled if the user is configured with Folder
Redirection. Therefore, you do not need to manually enable Offline Files to be able to access
redirected folders without network connectivity.

Question: Which tool can you use to verify if Offline Files is enabled and if there were any conflicts when
offline files were synchronized? Where can you access this tool in Windows 10?

Answer: You can use Sync Center to verify if Offline Files is enabled and to view the results of
offline-file synchronization. You can access Sync Center in Control Panel on a Windows 10
computer.

Using primary computer settings


Question: Can you configure a user’s list of primary computers from a Windows 10 computer?
Answer: Windows stores the list of a user’s primary computers in Active Directory in the user
account’s msDS-PrimaryComputer attribute. By default, you cannot configure a user’s primary
computer list from a Windows 10 computer. Before you can do that, you must first install Remote
Server Administration Tools (RSAT) or the Windows PowerShell module for Active Directory on a
Windows 10 computer.

Question: Can you use the primary computer setting to control if roaming user profiles and redirected
folders are available on all user devices?
Answer: No. Primary computer settings apply only to user devices that are running Windows 8
or newer operating systems and are AD DS members. For example, if a user signs in to a
computer running Windows 7, primary computer settings will not apply to that device. Primary
computer settings also do not apply if users sign in to their Windows 10 devices that are joined
to Azure AD.
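
Managing the msDS-PrimaryComputer attribute named in the answer above from a Windows 10 computer with the Windows PowerShell module for Active Directory (RSAT), as an added example that is not course code. The user Ada and computer LON-CL1 are the course's lab names.

```powershell
# Added example: maintain a user's primary computer list in AD DS.
#Requires -Modules ActiveDirectory

function Add-PrimaryComputer {
    param([string]$User, [string]$Computer)
    # msDS-PrimaryComputer is multi-valued and holds computer distinguished names.
    $dn = (Get-ADComputer -Identity $Computer).DistinguishedName
    $current = (Get-ADUser -Identity $User -Properties 'msDS-PrimaryComputer').'msDS-PrimaryComputer'
    if ($current -notcontains $dn) {
        Set-ADUser -Identity $User -Add @{ 'msDS-PrimaryComputer' = $dn }
    }
}

function Remove-PrimaryComputer {
    param([string]$User, [string]$Computer)
    $dn = (Get-ADComputer -Identity $Computer).DistinguishedName
    Set-ADUser -Identity $User -Remove @{ 'msDS-PrimaryComputer' = $dn }
}

function Get-PrimaryComputer {
    param([string]$User)
    # Resolve the stored distinguished names back to computer names for display.
    (Get-ADUser -Identity $User -Properties 'msDS-PrimaryComputer').'msDS-PrimaryComputer' |
        ForEach-Object { (Get-ADComputer -Identity $_).Name }
}

Add-PrimaryComputer -User 'Ada' -Computer 'LON-CL1'
Get-PrimaryComputer -User 'Ada'
```

The attribute on its own changes nothing, which is the point the feedback on the primary computer question makes: the roaming profile and redirected folders are withheld on other computers only after the two Group Policy settings "Download roaming profiles on primary computers only" and "Redirect folders on primary computers only" are enabled for the computers concerned.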

Enterprise State Roaming


Question: Can you use Enterprise State Roaming to sync settings between Windows 10 computers that
are members of on-premises AD DS?

Answer: To be able to use Enterprise State Roaming, you must sign in to a computer by using an
Azure AD account. If on-premises AD DS is not synchronized with Azure AD, this is not possible.
In this scenario, you can’t use Enterprise State Roaming. However, if on-premises AD DS is
connected and synchronized to Azure AD, you can use Enterprise State Roaming to sync UWP
apps and Windows settings.
Question: Can you control which settings Enterprise State Roaming will sync?
Answer: Yes. You can control whether Enterprise State Roaming should sync and which settings
it should sync. You can make these selections in the Sync my settings page in the Windows 10
Settings app. When you sign in to Windows 10 by using Azure AD, all the settings are synced by
default, but you can turn off the syncing of individual settings or decide not to use Enterprise
State Roaming at all. You can also use Group Policy to control settings that will be synchronized
by Enterprise State Roaming.

Resources

User profile types

Additional Reading: For more information, refer to “Roaming user profiles of earlier
versions of Windows are incompatible with Windows 10, Windows Server Version 1709 and
Windows Server 2016” at https://aka.ms/Dqarj2.

What is Folder Redirection?

Additional Reading: For more information, refer to “Folder Redirection, Offline Files, and
Roaming User Profiles overview” at https://aka.ms/Lg6xc7.

Using primary computer settings

Additional Reading: To learn more about primary computers and Folder Redirection,
refer to “Deploy Primary Computers for Folder Redirection and Roaming User Profiles“ at
https://aka.ms/p64xyu.

Enterprise State Roaming

Additional Reading: For more information on Enterprise State Roaming, refer to
“Enterprise State Roaming overview” at https://aka.ms/Oqhrl0.

Additional Reading: For a detailed list of settings that Enterprise State Roaming syncs,
refer to “Windows 10 roaming settings reference” at https://aka.ms/T73hcb.

Demonstration: Configuring Folder Redirection


Demonstration Steps
1. On LON-DC1, on drive C, create a folder named Redirected. Grant Domain Users Read/Write
permissions to the folder, and then share it with Read/Write permissions for Domain Users.

2. Create a Group Policy Object (GPO) named Folder Redirection, and then link it to the Marketing
organizational unit (OU).
3. Configure the Folder Redirection Group Policy setting to redirect the Documents folder to
\\LON-DC1\Redirected.
4. Verify that the Redirected folder is empty.

5. Sign in to LON-CL1 as Adatum\Ada with the password Pa55w.rd.

6. In Notepad, create a file with your name, and then save it in the Documents folder.

7. Verify that the file is stored in the \\LON-DC1\Redirected\Ada\Documents folder and is not stored
inside Ada Russell’s local profile. Also verify that the Offline Files tab is present in the File Properties
dialog box.

8. Use Sync Center to view sync partnerships, sync results, and available settings for managing offline
files.

9. Disconnect 20697-2C-LON-CL1 from the virtual switch.


10. On LON-CL1, create a text file named File1 in the Documents folder, and then view its properties on
the Offline Files tab.

11. Open a file with your name from the Documents folder, type today’s date, and then save the
updated file.

12. Connect 20697-2C-LON-CL1 to the virtual switch named Private Network.

13. On LON-DC1, verify that the redirected folder is no longer empty. The Redirected folder contains
Ada Russell’s redirected Documents folder.

14. Sign in to LON-CL2 as Adatum\Ada with the password Pa55w.rd.

15. Use File Explorer to verify that both the files that you created on LON-CL1 are available in the
Documents folder.
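
Steps 1 and 2 of the demonstration done from PowerShell on LON-DC1, as an added example that is not course code. It goes one step beyond the demonstration's "Domain Users Read/Write" permission: the NTFS ACL it builds lets a user create a subfolder under the share but read only the one they own, which is what stops one user browsing another user's redirected Documents. It assumes the Marketing OU is OU=Marketing,DC=Adatum,DC=com; the SmbShare and GroupPolicy modules are the ones built into Windows Server.

```powershell
# Added example: redirection share with a per-user ACL, and the GPO that will carry the setting.
#Requires -RunAsAdministrator
$Path   = 'C:\Redirected'
$Share  = 'Redirected'
$Domain = 'Adatum'

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# NTFS: drop inherited rules, then grant Domain Users only what Folder Redirection needs on
# the root ("this folder only"), and give each subfolder's creator full control of it.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$rules = @(
    # identity,                  rights,                              inheritance,                      propagation,   type
    @('NT AUTHORITY\SYSTEM',     'FullControl',                       'ContainerInherit,ObjectInherit', 'None',        'Allow'),
    @('BUILTIN\Administrators',  'FullControl',                       'ContainerInherit,ObjectInherit', 'None',        'Allow'),
    @('CREATOR OWNER',           'FullControl',                       'ContainerInherit,ObjectInherit', 'InheritOnly', 'Allow'),
    @("$Domain\Domain Users",    'CreateDirectories,ListDirectory,ReadAttributes,ExecuteFile,Synchronize', 'None', 'None', 'Allow')
)
foreach ($r in $rules) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r))
}
Set-Acl -Path $Path -AclObject $acl

# Share: SMB permission stays broad; the NTFS ACL above is what limits each user to their own folder.
New-SmbShare -Name $Share -Path $Path -FullAccess "$Domain\Domain Users" -EncryptData $true | Out-Null

# Step 2: the GPO, linked to the Marketing OU (DN assumed).
$gpo = New-GPO -Name 'Folder Redirection' -Comment 'Redirects Documents to \\LON-DC1\Redirected'
New-GPLink -Name $gpo.DisplayName -Target 'OU=Marketing,DC=Adatum,DC=com' -LinkEnabled Yes | Out-Null
```

The redirection setting itself (step 3) has no cmdlet and is still configured in the Group Policy Management Editor under User Configuration, Policies, Windows Settings, Folder Redirection. With the ACL above, Windows creates \\LON-DC1\Redirected\Ada\Documents on Ada's first sign-in exactly as step 7 describes, with Ada as the owner.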

Lesson 2
Configuring UE-V
Contents:
Question and Answers 9
Resources 11
Demonstration: Working with UE-V 12

Question and Answers


Question: UE-V can sync settings of non-Microsoft apps as soon as you install the apps.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: UE-V can sync app settings only if it has a registered UE-V template for that app. By
default, UE-V does not include templates for non-Microsoft apps. Therefore, you must first create
and register a UE-V settings location template for a non-Microsoft application.

Question: UE-V is part of the Windows 10 Enterprise operating system.


( ) True

( ) False

Answer:
(√) True
( ) False

Feedback: Starting with Windows 10 Anniversary Update (version 1607), UE-V installs with the
Windows 10 Enterprise and Windows 10 Education operating systems. However, Windows 10
Home and Windows 10 Pro do not include or support UE-V.

Question: Which UE-V component specifies the location in which an app stores its settings?

( ) UE-V service
( ) Settings storage location

( ) Settings location template


( ) Settings template catalog
( ) Settings packages

Answer:
( ) UE-V service

( ) Settings storage location

(√) Settings location template

( ) Settings template catalog

( ) Settings packages

Feedback: All five answers represent different UE-V components. Of these components, settings
location template stores the locations in which an app stores its settings.

Overview of UE-V
Question: Can you sync user documents between computers by using UE-V?
Answer: No. UE-V can only sync settings, such as the settings of Word 2016. UE-V cannot sync
data files, which include user documents. If you want to make user documents roam to the
computer on which a user signs in, you should use Folder Redirection, roaming user profiles, or
Work Folders, or you should save documents on a shared network folder or on Microsoft
OneDrive.

Question: What is the difference between using roaming user profiles and UE-V?
Answer: With roaming user profiles, all user settings and data follow users to any computer on
which they sign in within an AD DS environment. You cannot control what is included in roaming
user profiles, and locally cached copies of roaming user profiles only sync during sign-in and
sign-out.

With UE-V, you can control which settings sync between specified AD DS computers.
Synchronization happens as soon as users close an application, but they do not need to sign out
for synchronization to occur. However, UE-V syncs settings only. It does not sync data.

UE-V components
Question: How often is the settings template catalog checked for changes?

Answer: Each UE-V client contains a scheduled task named Template Auto Update that checks
the settings template catalog for updates once daily at 3:30 AM and at system startup by default.

Question: Do you need to create custom settings template if you want to use UE-V to sync settings for
Office 2016 apps?

Answer: No. UE-V in Windows 10 includes Office 2016 settings templates, so you don’t need to
create custom settings template for UE-V to sync settings for Office 2016 apps. However, you
need to register Office 2016 settings location templates before UE-V synchronizes the settings of
Office 2016 apps.

Preparing the UE-V environment


Question: What must you do before you can use Group Policy to configure UE-V?
Answer: If you store Group Policy administrative templates in a central store that has been updated
with the administrative templates from Windows 10 Anniversary Update (version 1607) or newer, or if
you configure Group Policy settings from a Windows 10 computer, you do not need to take any other
steps. Otherwise, you must update the administrative templates, either in the central store or on the
local computer, before you can use Group Policy to configure UE-V.
Question: Is Group Policy the only way to configure UE-V with the settings storage location?

Answer: No. Group Policy is the preferred way, because you can configure multiple computers at
the same time. However, it is not the only way. You can also use the Set-UevConfiguration
Windows PowerShell cmdlet to achieve the same goal, but you must run it on each computer
where you want to configure the settings storage location.

Managing UE-V
Question: Can you use local Group Policy to configure UE-V?

Answer: You would normally not use local Group Policy to configure UE-V. Local Group Policy
applies only to a single computer, whereas domain Group Policy can apply to multiple or to all
domain computers. However, you could also use local Group Policy to configure UE-V.

Question: When will a UE-V setting that you configure in Group Policy be effective on a Windows 10
computer?
Answer: The UE-V setting is effective when Group Policy is applied on the UE-V client computer.
This can be at sign-in, after a background Group Policy refresh, or when you run gpupdate /force on
the client. The Group Policy Update option is also available in the Group Policy Management
Console (GPMC), and you can use this option to update Group Policy settings on multiple clients
at once.

Overview of UE-V templates


Question: Why does UE-V need settings location templates?

Answer: UE-V can sync app settings only if it knows where they are stored. Settings can be stored
in the registry or in a file. A UE-V settings location template specifies where an application stores
its settings. Without this template, the UE-V service would not be able to locate and sync
the settings. Therefore, you must have a settings location template for each application whose
settings you want to sync by using UE-V.
Question: How can you view the list of registered UE-V templates?

Answer: You can view the list of registered UE-V templates by running the Get-UevTemplates
cmdlet or by examining the content of the InboxTemplates subfolder in
C:\ProgramData\Microsoft\UEV. To use the local settings location templates, you must register
them manually.

What is the UE-V generator?


Question: Do you need to copy a custom UE-V settings location template to every computer on which
the app that you would like to sync is running?
Answer: No. You can copy custom UE-V templates to a shared network folder, and the UE-V
service can use them from there. UE-V registers new templates from the settings location
catalog daily.

Question: Can UE-V sync settings of an app for which it does not have a registered settings location
template?
Answer: No. UE-V can only sync settings of an app for which it has a registered settings location
template. If you want to sync apps for which UE-V does not have UE-V templates, you can create
them by using the UE-V Generator or you can download them from the TechNet Gallery.

Comparing UE-V with other sync options


Question: Which of the sync options require Azure AD?

Answer: You can implement roaming user profiles, Folder Redirection, and UE-V only in an AD DS
environment. Enterprise State Roaming is the only sync option that requires Azure AD.

Question: Which feature(s) enable you to sync settings of desktop applications and user certificates?

Answer: If you want to sync desktop application settings and user certificates, you can
implement roaming user profiles or UE-V. Folder Redirection and Enterprise State Roaming do
not sync certificates and desktop application settings.

Resources

Overview of UE-V templates

Additional Reading: For more information about syncing settings for Office apps, refer to
“Synchronizing Office with UE-V” at https://aka.ms/xoi8nq.
Additional Reading: To access UE-V settings location templates that are published in
TechNet Gallery, refer to “TechNet Gallery – resources for IT professionals” at
https://aka.ms/Ldum36.

Demonstration: Working with UE-V


Demonstration Steps
1. On LON-DC1, create a folder named UEVData. Grant Domain Users Read/Write permissions to the
folder, and then share it with Read/Write permissions for Domain Users.

2. Use Group Policy Management to link the Group Policy setting named Demo UE-V to the
Adatum.com domain.
3. On LON-CL1, verify the UE-V status by running the Get-UevStatus cmdlet.

4. Enable UE-V by running the Enable-Uev cmdlet.

5. Use the Get-UevTemplate cmdlet to verify that no settings location template is registered by default.
6. Use the Register-UevTemplate cmdlet to register all the XML templates in the
C:\ProgramData\Microsoft\UEV\InboxTemplates folder.

7. Use the Get-UevTemplate cmdlet to verify that many templates are now registered.

8. Restart LON-CL1.

9. Sign in to LON-CL2 as Adatum\Administrator with the password Pa55w.rd, and then run the
C:\Labfiles\Mod04\ConfigureUEV.ps1 script. This script enables UE-V, registers default templates,
and restarts the computer.

10. Sign in to LON-CL1 and LON-CL2 as Adatum\Administrator with the password Pa55w.rd.
11. On LON-CL1, in Notepad, set the font to Verdana size 48. Type your name, and then save the file in
the Documents folder.

12. On LON-CL2, verify that Notepad is using the Verdana size 48 font that you configured on LON-CL1.
Also verify that the Documents folder on LON-CL2 is empty.

Note: UE-V syncs settings only. It does not sync data.

13. Use the Restore-UevUserSetting cmdlet to restore initial configuration for Notepad.

14. Verify that Notepad is configured with the initial font, Consolas size 11, and not with the Verdana size
48 that was used earlier.
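The following Windows PowerShell script is an added example; it is not part of the course materials or of the UE-V product documentation. It walks through steps 3 to 7 and 13 of the demonstration with the UEV module cmdlets that Windows 10 (version 1607 and later) includes, and it also shows the Set-UevConfiguration alternative to Group Policy that the earlier question about the settings storage location mentions. It assumes that the \\LON-DC1\UEVData share from step 1 exists; the template catalog share \\LON-DC1\UEVTemplates and the template name ContosoApp.xml are placeholders.

```powershell
# Added example (not part of the course or the UE-V documentation): configure and verify UE-V on a
# Windows 10 client with the built-in UEV PowerShell module. Run in an elevated session on LON-CL1.
# Assumes the \\LON-DC1\UEVData share from the demonstration exists with Read/Write for Domain Users.
# The template catalog share and the custom template name below are placeholders.

$storage = '\\LON-DC1\UEVData\%username%'     # UE-V creates one subfolder per user on first sync
$catalog = '\\LON-DC1\UEVTemplates'           # placeholder: where custom templates would be published

# 1. Inspect the service state before changing anything (UevEnabled / UevRebootRequired).
Get-UevStatus

# 2. Enable UE-V; the change takes effect after a restart (step 8 of the demonstration).
if (-not (Get-UevStatus).UevEnabled) {
    Enable-Uev
}

# 3. Computer-wide configuration, equivalent to the Group Policy settings in the Demo UE-V GPO.
#    SyncProvider (the default) applies settings from the local cache; None reads them directly from
#    the storage path, which is what the Lab A review question asks for.
Set-UevConfiguration -Computer `
    -SettingsStoragePath $storage `
    -SettingsTemplateCatalogPath $catalog `
    -SyncMethod SyncProvider
Get-UevConfiguration -Computer

# 4. No settings location template is registered on a fresh client; register the inbox templates.
'Registered before: ' + @(Get-UevTemplate).Count
Get-ChildItem -Path 'C:\ProgramData\Microsoft\UEV\InboxTemplates' -Filter *.xml |
    ForEach-Object { Register-UevTemplate -Path $_.FullName }
'Registered after:  ' + @(Get-UevTemplate).Count

# 5. Validate a custom template against the schema before it goes into the catalog (placeholder path).
$custom = Join-Path $catalog 'ContosoApp.xml'
if (Test-Path -Path $custom) {
    Test-UevTemplate -Path $custom
}

# 6. Undo the Verdana/48 change from step 11 by restoring Notepad's initial settings (step 13).
$notepad = Get-UevTemplate | Where-Object { $_.TemplateName -like '*Notepad*' }
if ($notepad) {
    Restore-UevUserSetting -TemplateId $notepad.TemplateId
}
```

Run the script once before the restart in step 8 (steps 1 to 4) and the last part after the settings change in step 11; because registration is per computer, the same registration steps have to run on LON-CL2 as well, which is what the ConfigureUEV.ps1 script in step 9 does for you.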

Lesson 3
Managing user state migration
Contents:
Question and Answers 14
Resources 15

Question and Answers


Question: If you want to use USMT to migrate settings or data that does not migrate by default, you
should edit the XML configuration files.

( ) True

( ) False

Answer:

(√) True

( ) False

Feedback: You can specify additional settings that USMT should migrate in XML configuration
files.

Question: Where can you get USMT?

( ) In the Support folder on Windows 10 installation media

( ) In the Sources folder on Windows 10 installation media

( ) By default, in the default Windows 10 installation

( ) In Windows ADK
( ) In the Microsoft Deployment Toolkit

Answer:
( ) In the Support folder on Windows 10 installation media

( ) In the Sources folder on Windows 10 installation media

( ) By default, in the default Windows 10 installation


(√) In Windows ADK
( ) In the Microsoft Deployment Toolkit

Feedback: USMT is not available on Windows 10 installation media, the default Windows 10
installation does not include it, and it is not available in the Microsoft Deployment Toolkit. USMT is
available only as a component of the Windows ADK.

Overview of user state migration


Question: Does user state always migrate to Windows 10 automatically if you perform an in-place
upgrade from a supported operating system?

Answer: If you perform an in-place upgrade to Windows 10 from a supported operating system,
you are prompted to choose what to keep: personal files, applications and Windows settings,
personal files only, or nothing at all. Based on the selection, you can have the user state migrate
to Windows 10 automatically or not at all.
Question: What is the difference between the PC replace and PC refresh scenarios?

Answer: In the PC replace scenario, you have two different computers, and you need to migrate
user settings from one computer to the other. In the PC refresh scenario, you have a single
computer, and you want to migrate the user state from the old operating system to the new
operating system that you install on the same computer.

Determining what to migrate


Question: Your users are utilizing an application that stores data in files with an .xyz extension. Will that
data migrate automatically if you use USMT?

Answer: If that data is in a location from which all data is migrated by default, for example, in
user profiles, then data files with an .xyz extension will migrate automatically. If you store them
somewhere else, you need to customize the USMT settings to specify the locations that you want
to include in the migration or an .xyz file name extension that should be included in the
migration.
Question: Do you need to migrate settings and data that are stored in roaming user profiles or that are
redirected by using Folder Redirection?

Answer: No. You do not need to migrate those settings and data. You only need to identify and
migrate settings for locally stored data. Roaming user profiles and redirected folders are not
stored locally; they are stored on a file server.

Overview of the USMT toolset


Question: What is the easiest way to exclude some of the settings that are captured by default by
ScanState.exe from the migration?
Answer: The easiest way to exclude some of the settings that USMT migrates by default is to
create a custom XML file. For the settings that you want to exclude from the migration, specify
migrate="no".
Question: Do you need to install Windows ADK on the source computer from which you plan to migrate
user state?

Answer: ScanState.exe and the XML files that are used during the capture process are included in
the Windows ADK, and they must be available on the source computer. However, you do not need
to install the Windows ADK on the source computer. You can make USMT available on a shared
network folder, and you can access and run it from there on a source computer.
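As an added example that is not from the course, the following Windows PowerShell script shows the workflow that the two answers above describe: USMT run from a network share without installing the Windows ADK on the source computer, and a Config.xml in which one component is switched to migrate="no" before the capture. The share names \\LON-DC1\USMT and \\LON-DC1\MigStore and the component displayname Music are assumptions; the ScanState.exe and LoadState.exe switches are the tools' own.

```powershell
# Added example (not part of the course): capture and restore a user state with USMT, with the USMT
# folder shared from a server rather than installing the Windows ADK on the source computer.
# Assumptions: the USMT\amd64 folder from the Windows ADK has been copied to \\LON-DC1\USMT\amd64,
# the store share \\LON-DC1\MigStore exists, and 'Music' is only an example Config.xml displayname.

$usmt    = '\\LON-DC1\USMT\amd64'           # assumed share: ScanState.exe, LoadState.exe, MigApp.xml, MigDocs.xml
$store   = '\\LON-DC1\MigStore\LON-CL1'     # assumed migration store for this source computer
$config  = Join-Path $env:TEMP 'Config.xml'
$exclude = 'Music'                          # example displayname of a component to leave out

# 1. Generate Config.xml from the default migration XML files. Every component starts as migrate="yes".
& "$usmt\ScanState.exe" "/genconfig:$config" "/i:$usmt\MigApp.xml" "/i:$usmt\MigDocs.xml"

# 2. Set migrate="no" on the component(s) to exclude instead of editing the default XML files.
[xml]$cfg = Get-Content -Path $config
$nodes = $cfg.SelectNodes("//component[@displayname='$exclude']")
if ($nodes.Count -eq 0) { Write-Warning "No component named '$exclude' found in $config" }
foreach ($node in $nodes) { $node.SetAttribute('migrate', 'no') }
$cfg.Save($config)

# 3. Capture. /o overwrites an existing store, /c continues past non-fatal errors, /ue:*\* excludes
#    every account and /ui:Adatum\* adds the domain users back, /v:13 with /l writes a verbose log.
& "$usmt\ScanState.exe" $store "/i:$usmt\MigApp.xml" "/i:$usmt\MigDocs.xml" "/config:$config" `
    /o /c "/ue:*\*" "/ui:Adatum\*" /v:13 "/l:$env:TEMP\scanstate.log"

# 4. On the destination Windows 10 computer, restore from the same store with the same XML files.
#    /lac creates local accounts found in the store (disabled); /lae enables them.
& "$usmt\LoadState.exe" $store "/i:$usmt\MigApp.xml" "/i:$usmt\MigDocs.xml" "/config:$config" `
    /c /lac /lae /v:13 "/l:$env:TEMP\loadstate.log"
```

Use the same Config.xml and /i files for ScanState.exe and LoadState.exe; a component excluded only at capture time is simply absent from the store, but a mismatch between the two runs makes the logs harder to read. Review scanstate.log before you wipe the source computer.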

Resources

Determining what to migrate

Additional Reading: For a list of settings that USMT migrates, refer to “What does USMT
migrate?” at https://aka.ms/Evvzep.

Overview of the USMT toolset

Additional Reading: For more information, refer to “Getting Started with the User State
Migration Tool (USMT)” at https://aka.ms/Bnc8cr.

Module Review and Takeaways


Review Questions
Question: After you created a user account in AD DS, you noticed that the domain user does not have a
user profile yet. Why?

Answer: The domain user has never signed in, so their profile has not been created yet. A user
profile is created when a user signs in for the first time.

Question: Can you use UE-V to sync application settings for a user who you already have configured to
use Folder Redirection?

Answer: Yes. You can configure UE-V and Folder Redirection for the same user. We
recommend this method when you want settings and user data to roam between computers.
Question: Can you use UE-V to sync settings between two Azure AD-joined computers?

Answer: No. UE-V is an on-premises feature that can sync settings only between AD DS-joined
computers. If Windows 10 computers are joined to Azure AD, you can use Enterprise State
Roaming to sync settings between those computers.
Question: You have been asked to keep user settings for 50 users who are using local user profiles and
who will get new Windows 10 computers. What should you use to migrate user settings?
Answer: USMT is the best option in this scenario. Manually migrating user states for 50 users
would be too time-consuming. You can script USMT command-line tools to automate the
migration process.

Lab Review Questions and Answers


Lab A: Configuring user profiles and UE-V
Question and Answers
Question: What steps must you take to ensure that the settings that UE-V syncs are applied from the
settings storage location and not from the local cache?

Answer: UE-V applies settings from the local cache by default. If you want UE-V to apply
changes directly from the settings storage location and not from the local cache, you must
change the sync method to None. You can configure the sync method by using Group Policy or
by using the Set-UevConfiguration cmdlet.
Question: After you copy the settings location template to the settings location catalog, how long does it
take for UE-V clients to update with it?

Answer: Templates are automatically registered once per day. To register them manually, you
can run the Register-UevTemplate cmdlet.

Question: Which tool can you use to create a UE-V settings location template?

Answer: You can use the UE-V Generator to create a UE-V settings location template. The UE-V
Generator is not included in Windows 10, but it is available in the Windows ADK.

Lab B: Migrating a user state by using USMT

Question and Answers


Question: Why did you need to create and customize a Config.xml file?
Answer: A custom Config.xml file includes or excludes additional settings and files in a
migration. One of your manager’s requirements was that several default folders should not be
migrated, so you had to create and customize a Config.xml file.

Question: Why did you use XML files with the ScanState.exe command?
Answer: XML files configure which settings and data to capture and what data to include in a
capture. Without specifying the XML configuration files, only default data would be captured.

Module 5
Managing desktop and application settings by using Group
Policy
Contents:
Lesson 1: Managing GPOs 2
Lesson 2: Configuring enterprise desktops by using Group Policy Policies 7
Lesson 3: Overview of Group Policy preferences 12
Module Review and Takeaways 16
Lab Review Questions and Answers 17

Lesson 1
Managing GPOs
Contents:
Question and Answers 3
Demonstration: Managing GPOs 5

Question and Answers


Question: To which types of Active Directory objects can you link a GPO? Select all that apply.

( ) User
( ) Security group

( ) Organizational unit (OU)

( ) Domain
( ) Site

Answer:

( ) User
( ) Security group

(√) Organizational unit (OU)

(√) Domain
(√) Site

Feedback: You can link a GPO only to a site, domain, or OU. You can use security filtering to limit
the application of a GPO to group members only, and to prevent other users or computers that
might have an account in the same part of AD DS from applying the GPO. However, you can’t
link a GPO directly to users or security groups.
Question: You must install the GPMC on a Windows 10 computer to be able to view which GPO settings
were applied to a domain computer.

( ) True

( ) False
Answer:

( ) True
(√) False
Feedback: The GPMC is the most commonly used tool for managing GPOs. However, you can
use tools that are in the Windows 10 default installation, including the Resultant Set of Policy
snap-in and GPResult.exe, to see which GPOs and settings were applied to a domain computer.

Options for using GPOs to deploy configuration settings


Question: You have a GPO named GPO1 in which you have configured several User Configuration
settings and Computer Configuration settings. You link GPO1 to a part of Active Directory Domain
Services (AD DS) in which there are only groups. Members of those groups are all domain users and
computers. To whom will the settings in GPO1 apply?
Answer: The settings in GPO1 will not apply to anyone, because there are no user or computer
accounts in the part of AD DS to which GPO1 links. Group Policy can apply only to users or
computers, but those users or computers must have their account in a part of the domain to
which the GPO links.

Question: Can you configure the same settings in the User Configuration and Computer
Configuration parts of Group Policy?
Answer: You can configure most settings in either the User Configuration part or the
Computer Configuration part of Group Policy, but not in both. However, there are several
settings that you can configure in both parts. In such cases, the setting in Computer
Configuration has precedence over the setting in User Configuration.

Tools for managing Group Policy


Question: What are the requirements for using the Group Policy Management Console (GPMC) on a
Windows 10 computer?

Answer: Windows 10 does not include the GPMC. It is part of the Remote Server Administration
Tools (RSAT). Therefore, to use the GPMC on a Windows 10 computer, you must download and
install RSAT on that computer first.
Question: Which tool can you use to view the list of GPOs that will apply to a domain computer?

Answer: You can use the GPMC to view the list of GPOs that will apply to a domain computer.
You can also use the Resultant Set of Policy snap-in, which Windows 10 includes, or use the
Get-GPInheritance Windows PowerShell cmdlet to get the same result.

Processing GPOs
Question: When you join a Windows 10 computer to Active Directory Domain Services (AD DS), its local
Group Policy settings no longer apply.

( ) True

( ) False
Answer:

( ) True

(√) False
Feedback: When you join a Windows 10 computer to AD DS, its local Group Policy settings as
well as the domain GPOs will apply. Domain GPOs have a higher precedence than local Group
Policy settings. Therefore, if you configure the same setting in a local Group Policy setting and a
domain GPO, but with different values, then the value from the domain GPO will prevail and be
effective.
Question: What is the default processing order for domain GPOs?

Answer: Domain GPOs always process in a specific order. GPOs that link to the site have the
lowest priority, which means that they process first. GPOs that link to a domain are processed
next and GPOs that link to OUs process after them. GPOs that link to the OU that contains the
user’s or computer’s account have the highest priority, which means that they are processed last.

Modifying the GPO processing order


Question: Can a GPO that links to a domain override the settings from a GPO that is linked to an OU?

Answer: By default, the settings from a GPO that links to an OU will override the settings from a
GPO that is linked to a domain. However, if you enforce the link of the GPO that links to the
domain, its settings will override the settings of the GPO that links to the OU.

Question: What will happen if you enforce a GPO at the domain level, but block policy inheritance on the
OU?
Answer: By default, when you block policy inheritance, Group Policy ignores all settings from the
inherited GPOs. However, if an inherited GPO is enforced, the Block Inheritance setting will not
prevent its application. The settings from such a GPO will apply to users and computers in the OU
on which you block policy inheritance.

Group Policy filtering


Question: A GPO links to a container, which includes user accounts. All those users are members of a
group named Group1. You configure security filtering for the GPO and make sure that only Group1 is
listed in the Security Filtering section. Does the GPO apply to the users?

Answer: No. The GPO is always retrieved in a computer’s security context. Therefore, for GPO
settings to apply to users, the computer must have at least Read permissions to that GPO. For the
GPO to apply to users, you must also ensure that you include in the security filtering those
computers on which the users are signed in.
Question: Can you use WMI filtering to filter the application of individual GPO settings?

Answer: No. WMI filtering always applies to the entire GPO and all its settings. You cannot use
WMI filtering to filter the application of individual GPO settings. However, if a GPO includes
multiple settings and you would like to use WMI filtering for just some of those settings, you
can create a new GPO just for those settings. After that, you link the WMI filter to the new GPO.

Determining RSoP
Question: Can you generate a Resultant Set of Policy (RSoP) report in logging mode for a recently
created user who has not yet signed in to any computer?
Answer: No. You can create an RSoP report in logging mode only for users who have already
signed in. You can see logging only for the computers to which the users signed in. However, you
can generate RSoP in planning mode, regardless of whether the user has already signed in.
Question: What is the difference between Group Policy modeling and Group Policy results?

Answer: Group Policy results show the results of GPO processing. The computer that applied the
settings provides the Group Policy results, which you can view only for what has already happened.
For example, you can view Group Policy results for User1 on Computer1 only if User1 has already
signed in to Computer1.

The domain controller provides the Group Policy modeling information, which shows which GPOs
would apply if a certain user were to sign in to a certain computer, irrespective of whether that
user has actually signed in to the computer in the past.

Demonstration: Managing GPOs


Demonstration Steps
1. On LON-CL1, use Active Directory Users and Computers to point out that the Technicians OU is
in the IT OU and that user Beth Burke is in the Technicians OU.
2. Use the GPMC to create a GPO named Background1, and then link it to the IT OU.

3. Edit the Background1 GPO, and then configure the following settings at User
Configuration\Policies\Administrative Templates\Desktop\Desktop:

o Desktop Wallpaper: Enabled

o Wallpaper Name: \\LON-DC1\Labfiles\Mod05\img1.jpg

4. On LON-CL2, point out Beth’s desktop. Sign out and then sign in as Adatum\Beth with the password
Pa55w.rd.

5. Point out that Beth’s desktop is no longer black and that it displays an image instead. Explain that this
is the image that you specified in the Background1 GPO.
6. Use the GPMC to create a GPO named Background2, and then link it to the Technicians OU.

7. Edit the Background2 GPO, and then configure the following settings at User
Configuration\Policies\Administrative Templates\Desktop\Desktop:

o Desktop Wallpaper: Enabled

o Wallpaper Name: \\LON-DC1\Labfiles\Mod05\img8.jpg

8. On LON-CL2, sign out and then sign in as Adatum\Beth with the password Pa55w.rd.

9. Point out that Beth’s background has changed and now it displays the picture of a flower, as you set
in the Background2 GPO. Explain that the Background2 GPO has overwritten settings from the
Background1 GPO, because it is linked to the OU that contains Beth’s account.

10. Use the GPMC to point out that the Background2 GPO has a precedence value of 1 when applying
to the Technicians OU.
11. Enforce the Background1 GPO link to the IT OU.

12. Point out how GPMC shows that the Background1 link is enforced. Also point out that Default
Domain Policy, Background1, and Background2 GPOs apply to the Technicians OU and that the
Background1 GPO has a precedence of 1.

13. On LON-CL2, sign out and then sign in as Adatum\Beth with the password Pa55w.rd.
14. Point out that after a few seconds, Beth’s background changes to an image of a person running,
which is what was configured in the Background1 GPO.

15. On LON-CL1, use the GPMC to generate the Group Policy results report for Beth signing in to LON-CL2.
Point out that you can generate a Group Policy results report only for users who have already signed
in to LON-CL2.

16. Open the Group Policy results report for Beth signing in to LON-CL2 in advanced view. Go to the User
Configuration\Administrative Templates\Desktop\Desktop node, and then show the properties
of the Desktop Wallpaper setting.
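The following Windows PowerShell script is an added example, not part of the demonstration. It performs steps 2, 3, 6, 7, 10, 11, 12 and 15 with the GroupPolicy module from RSAT instead of the GPMC, and it shows how the precedence order reported for the Technicians OU changes when the Background1 link is enforced. It assumes that the IT and Technicians OUs exist at the distinguished names given in the script. The two registry values it writes, Wallpaper and WallpaperStyle under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, are the values that the Desktop Wallpaper administrative template policy configures.

```powershell
# Added example (not part of the course): the GPO demonstration scripted with the GroupPolicy module,
# which is part of RSAT. Run on LON-CL1 as a user who can create and link GPOs in Adatum.com.
# Assumes the IT and Technicians OUs exist at the distinguished names below.
Import-Module GroupPolicy

$itOU      = 'OU=IT,DC=Adatum,DC=com'
$techOU    = 'OU=Technicians,OU=IT,DC=Adatum,DC=com'
$policyKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function New-WallpaperGpo {
    param(
        [string]$Name,
        [string]$TargetOU,
        [string]$ImagePath
    )
    # Create the GPO and link it to the OU (steps 2 and 6).
    New-GPO -Name $Name | Out-Null
    New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    # "Desktop Wallpaper: Enabled" with an image path writes these two user-side registry values,
    # which is what the Group Policy Management Editor does in steps 3 and 7.
    Set-GPRegistryValue -Name $Name -Key $policyKey -ValueName 'Wallpaper' -Type String -Value $ImagePath | Out-Null
    Set-GPRegistryValue -Name $Name -Key $policyKey -ValueName 'WallpaperStyle' -Type String -Value '2' | Out-Null  # 2 = Stretch
}

function Show-Precedence {
    param([string]$TargetOU)
    # InheritedGpoLinks includes links from parent containers; Order 1 is the link that wins.
    (Get-GPInheritance -Target $TargetOU).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enforced, Target |
        Format-Table -AutoSize
}

New-WallpaperGpo -Name 'Background1' -TargetOU $itOU   -ImagePath '\\LON-DC1\Labfiles\Mod05\img1.jpg'
New-WallpaperGpo -Name 'Background2' -TargetOU $techOU -ImagePath '\\LON-DC1\Labfiles\Mod05\img8.jpg'

# Step 10: Background2 is linked closest to Beth's account, so it has precedence 1 and overrides Background1.
Show-Precedence -TargetOU $techOU

# Step 11: enforce the Background1 link at the IT OU. An enforced link is not overridden by links lower
# in the hierarchy and is not stopped by Block Inheritance, so Background1 moves to precedence 1 (step 12).
Set-GPLink -Name 'Background1' -Target $itOU -Enforced Yes | Out-Null
Show-Precedence -TargetOU $techOU

# Step 15: Group Policy results (logging mode) come from what LON-CL2 actually applied, so the report
# can be produced only for a user who has already signed in to that computer.
Get-GPResultantSetOfPolicy -User 'Adatum\Beth' -Computer 'LON-CL2' -ReportType Html -Path "$env:TEMP\Beth-LON-CL2.html"
```

Beth still has to sign out and back in (steps 4, 8 and 13) between the changes, because the wallpaper values live in User Configuration and are applied at sign-in or at the next background refresh.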

Lesson 2
Configuring enterprise desktops by using Group
Policy Policies
Contents:
Question and Answers 8
Resources 10
Demonstration: Configuring Group Policy settings 10

Question and Answers


Question: After you copy the PolicyDefinitions folder to the \SYSVOL shared folder on the domain
controller, local administrative templates will not be used when creating domain GPOs.

( ) True

( ) False

Answer:

(√) True

( ) False

Feedback: By copying the PolicyDefinitions folder to the \SYSVOL shared folder on the domain
controller, you created a central store. If a domain has a central store, Group Policy
management tools, such as the GPMC or the Group Policy Management Editor, do not use the local
copy of administrative templates.
Question: Do you configure a user’s password policy in the User Configuration or Computer
Configuration part of Group Policy?

Answer: You configure a user’s password policy in the Computer Configuration part of Group
Policy. You must configure password policy in a GPO that links to a domain. If you do not, then
the password policy settings will apply only to local users on the computers to which the GPO
applies.

Overview of administrative templates


Question: Where are administrative templates found on a Windows 10 computer?
Answer: Administrative templates are in the C:\Windows\PolicyDefinitions folder.

Question: When you downloaded an administrative template, you noticed that you got two files—one
file with an .admx extension and the other file with a .adml extension. What is the difference between
those two files?

Answer: The file with the .admx extension is language-agnostic and specifies changes that you
must perform on a computer to apply a setting. The file with the .adml extension is
language-specific, which means that you have different .adml files for different language versions
of Windows. This file specifies policy settings that will show in a graphical interface; for example,
setting name and setting description.

Managing administrative templates in the enterprise


Question: Your company is using a central store. You copy Microsoft Office 2016 administrative templates
to the C:\Windows\PolicyDefinitions folder on your Windows 10 computer. Will you be able to
configure Microsoft Office 2016 Group Policy settings on that computer?

Answer: If your company is using a central store, local administrative templates are not used when
configuring GPOs. Because you copied the Microsoft Office 2016 administrative templates to the
local store, the templates will not be used, and you will not be able to configure Microsoft Office
2016 Group Policy settings.

Question: If you delete the content of the PolicyDefinitions folder in the central store, but don’t delete the
PolicyDefinitions folder itself, you will be able to view all the settings in existing domain GPOs.

( ) True
( ) False

Answer:

( ) True

(√) False

Feedback: If the PolicyDefinitions folder exists in the central store, but is empty, you will not
see or be able to configure Group Policy settings under the Administrative Templates node in
the user and computer parts of Group Policy.

Windows 10-specific Group Policy settings


Question: It is possible to configure Windows 10-specific Group Policy settings from a Windows 8.1
computer.

( ) True

( ) False

Answer:
(√) True

( ) False

Feedback: If Windows 8.1 is using Windows 10 administrative templates, then you will be able to
view and configure Windows 10-specific Group Policy settings from that Windows 8.1 computer.
However, you should be aware that Windows 10-specific Group Policy settings will never apply to
a Windows 8.1 computer.
Question: How can you see which Group Policy settings are Windows 10-specific?

Answer: If you want to see which Group Policy settings are Windows 10-specific, you can view
the setting details. Each setting includes the Apply to section, or it includes the Requirements
section if you view it in extended view. You can also configure Group Policy Editor filtering
options to show only settings that have specific requirements; for example, settings that require
Windows 10.

Managing common desktop settings


Question: In which part of Group Policy can you configure most of the common desktop settings?
Answer: You can configure some settings, such as Display highly detailed status messages, in
the Computer Configuration part of Group Policy. However, you configure most of the common
desktop settings in the User Configuration part of Group Policy.

Question: You have a GPO named GPO1 that has several common desktop settings configured. Can you
apply just a few of the settings in GPO1, and not apply others?

Answer: No. The settings in a GPO either all apply or none apply. If you configure some of the
settings in GPO1 in another, higher-precedence GPO, the settings from that GPO will override
the settings in GPO1. It will appear as though some of the settings in GPO1 did not apply.

Managing common security settings


Question: If you configure a GPO with password settings to require that a password is at least 10
characters long, and then link that GPO to an OU named OU1, all users in that OU must have a password
that is at least 10 characters long.

( ) True

( ) False

Answer:

( ) True

(√) False

Feedback: You can only configure the password policy for domain users in a GPO that links to a
domain (or in a password settings object). If you configure password requirements in a GPO, and
then link that GPO to an organizational unit named OU1, those password requirements apply
only to local users on computers that have computer accounts in OU1.

Question: You can use the settings in Application Control Policies to control which applications can run
on domain-joined computers that are running 64-bit Windows 10 Pro.
( ) True

( ) False

Answer:

( ) True

(√) False

Feedback: The Application Control feature is available only in Windows 10 Enterprise, Windows
10 Education, and the Enterprise editions of older Windows versions. Windows 10 Pro does not
implement AppLocker, so it will ignore Application Control Policies settings.

Resources

Windows 10-specific Group Policy settings

Additional Reading: To download the Group Policy Settings Reference spreadsheet, refer
to “Group Policy Settings Reference for Windows and Windows Server” at http://aka.ms/vk84hh.

Managing common security settings

Additional Reading: To download the Microsoft Security Compliance Toolkit, refer to
“Microsoft Security Compliance Toolkit 1.0” at https://aka.ms/Xjd4zx.

Demonstration: Configuring Group Policy settings


Demonstration Steps
1. On LON-CL1, use the GPMC to point out that administrative templates are currently retrieved from
the local computer.

2. Copy the C:\Windows\PolicyDefinitions folder to the \\LON-DC1\sysvol\Adatum.com\Policies
folder, and then explain that by doing so, you created a central store.

3. Use the GPMC to point out that administrative templates are now retrieved from the central store.

4. Point out that the GPOs do not have the Microsoft Office 2016 (Machine) node in the
Administrative Templates part of computer policy, but they do have the Microsoft User
Experience Virtualization node under Windows Components.

5. Copy the contents of the D:\Labfiles\Mod05\admx folder to the
\\LON-DC1\sysvol\Adatum.com\Policies\PolicyDefinitions folder. Explain that by doing so, you added
Microsoft Office 2016 administrative templates to the central store.

6. Delete UserExperienceVirtualization.admx from the central store.

7. On LON-CL1, point out that the GPOs now have the Microsoft Office 2016 (Machine) node in the
Administrative Templates part of the computer policy, but they do not have the Microsoft User
Experience Virtualization node under Windows Components. Explain that this is because you
deleted the administrative template from the central store.

8. On LON-DC1, use the GPMC to point out that administrative templates are retrieved from the
central store.

9. Remove the central store by deleting the PolicyDefinitions folder in the SYSVOL shared folder on
LON-DC1.

10. On LON-CL1, use GPMC to point out that administrative templates are currently retrieved from the
local computer.

11. Point out that the GPOs no longer have the Microsoft Office 2016 (Machine) node in the
Administrative Templates part of computer policy, but they do have the Microsoft User
Experience Virtualization node under Windows Components. Explain that the updates that you
performed in the central store are not effective, because the GPMC uses the local copy of
administrative templates again.
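As an added example that is not part of the course companion content, the following PowerShell script performs steps 2 and 5 of this demonstration (create the central store in SYSVOL, then add further templates) and audits the result for ADMX files that lack a matching ADML file; it assumes the lab names LON-DC1 and Adatum.com, the D:\Labfiles\Mod05\admx source folder, and an en-US language subfolder.

```powershell
# Added example (not part of the course companion content): builds the
# Group Policy central store the demonstration creates by hand, then audits it.
# Names follow the demonstration (LON-DC1, Adatum.com, D:\Labfiles\Mod05\admx);
# the en-US language folder is an assumption.
param(
    [string]$Domain           = 'Adatum.com',
    [string]$DomainController = 'LON-DC1',
    [string]$LocalStore       = "$env:SystemRoot\PolicyDefinitions",
    [string]$ExtraAdmx        = 'D:\Labfiles\Mod05\admx',
    [string]$Language         = 'en-US'
)

$CentralStore = "\\$DomainController\SYSVOL\$Domain\Policies\PolicyDefinitions"

function New-CentralStore {
    # Step 2 of the demonstration: copying the local PolicyDefinitions folder
    # (ADMX files plus the language subfolders holding the ADML files) into
    # SYSVOL is all that is needed; GPMC switches to the central store as soon
    # as the folder exists.
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
}

function Add-AdmxToCentralStore {
    # Step 5: merge additional templates (for example Office 2016) into the store.
    # The source folder must carry its own language subfolder with the ADML files.
    param([string]$Source, [string]$Destination)
    Copy-Item -Path (Join-Path $Source '*') -Destination $Destination -Recurse -Force
}

function Test-CentralStore {
    # Reports, for each ADMX file, whether a matching ADML exists in the language
    # folder. A template without its ADML fails to load in the Group Policy
    # Management Editor, which is how a partial copy shows up in practice.
    param([string]$Store, [string]$Lang)
    $admlFolder = Join-Path $Store $Lang
    foreach ($file in (Get-ChildItem -Path $Store -Filter '*.admx' -File)) {
        $adml = Join-Path $admlFolder ($file.BaseName + '.adml')
        [pscustomobject]@{
            Template = $file.Name
            HasAdml  = Test-Path $adml
        }
    }
}

function Get-TemplateSource {
    # Mirrors what GPMC reports under Administrative Templates: the central
    # store is used whenever the PolicyDefinitions folder exists in SYSVOL,
    # otherwise the local computer's copy is used (steps 1, 3 and 10).
    param([string]$Store)
    if (Test-Path $Store) { 'Central store' } else { 'Local computer' }
}

New-CentralStore -Source $LocalStore -Destination $CentralStore
Add-AdmxToCentralStore -Source $ExtraAdmx -Destination $CentralStore
Get-TemplateSource -Store $CentralStore
# List only templates that are missing their ADML file (none is the expected result).
Test-CentralStore -Store $CentralStore -Lang $Language | Where-Object { -not $_.HasAdml }
```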

Lesson 3
Overview of Group Policy preferences
Contents:
Question and Answers 13
Demonstration: Configuring Group Policy preferences 14

Question and Answers

Comparing Group Policy preferences and policies


Question: After you apply Group Policy policies to a Windows 10 computer, the user cannot modify
settings that you configured in the preferences.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: Group Policy policies are enforced and users cannot change them after you applied
the GPO to a Windows computer. Group Policy preferences are not mandatory, and users can
change them after you apply the GPO.

Question: Group Policy preferences always apply to the same users and computers as the GPO in which
you configured preferences.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: Group Policy preferences are configured in Group Policy and can apply only to the
users and computers to which the GPO applies. However, you can configure item-level targeting
for preferences, which can limit to whom the preferences apply. The preferences can apply to a
smaller number of users and computers than the GPO in which you have configured preferences.

Common settings for Group Policy preferences


Question: Do Group Policy preferences in Computer Configuration and User Configuration have the
same settings?

Answer: Preferences in the computer and user part of Group Policy are similar, but there are also
some preferences that are specific to users or computers. For example, you can use the
Environment preference or Network Shares preference only for computers, whereas you can
use Internet Settings and Drive Maps preferences only for users.

Question: Do Group Policy preferences apply once or do they reapply each time GPOs refresh?

Answer: It depends. By default, Group Policy preferences reapply each time GPOs are refreshed.
However, for each preference, you can configure the Apply once and do not reapply option, in
which case that preference setting will apply only once.

Item-level targeting for Group Policy preferences


Question: You can use security filtering to limit to whom Group Policy preferences will apply.

( ) True
( ) False

Answer:

(√) True
( ) False

Feedback: You configure security filtering per GPO. You also configure preferences in GPOs,
which means that if you configure security filtering for a GPO, it also applies to the preferences in
that GPO. Security filtering limits the application of all preferences in the GPO; it cannot be
set on a per-preference basis, as item-level targeting can be.

Question: You can use GPO filtering only for filtering Group Policy policies and item-level targeting for
filtering Group Policy preferences.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: It is true that you can use item-level targeting only for filtering Group Policy
preferences. However, GPO filtering filters the entire GPO, which includes Group Policy policies
and Group Policy preferences.

Demonstration: Configuring Group Policy preferences


Demonstration Steps
1. On LON-CL1, use the GPMC to create a GPO named Preferences, and then link it to the
Technicians OU.

2. Configure the Preferences GPO with the following two shortcuts for preference settings in User
Configuration:

o The first shortcut has the following settings:
 Name: Shortcut1
 Location: Desktop
 Target path: C:\

o The second shortcut has the following settings:
 Name: Shortcut2
 Location: Desktop
 Target path: C:\
 Apply once and do not reapply

3. On LON-CL2, where you are signed in as Beth, point out that currently there is only the Recycle Bin icon
on the desktop.

4. Refresh the GPOs on LON-CL2, and then point out that Shortcut1 and Shortcut2 are added to the
desktop.

5. Delete both shortcuts. Because the configuration was performed by Group Policy preferences, the
user can change it.

6. On LON-CL2, refresh the GPOs, and then point out that this time, only Shortcut1 is added to the
desktop. Remind students that you configured Shortcut2 to apply only once and to not be reapplied.

7. On LON-CL1, use the GPMC to configure item-level targeting for the Shortcut1 shortcut preference
in the Preferences GPO. The Shortcut1 preference should apply only if the computer has the
C:\Folder1 folder.

8. Delete Shortcut1 on the desktop and then refresh the GPOs. Explain that Shortcut1 was not added,
because the computer doesn’t have the C:\Folder1 folder.

9. Create folder C:\Folder1, and then refresh the GPOs. Point out that Shortcut1 is now added, because
the computer met the item-level filtering requirement.
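As an added example, not from the course, the following PowerShell function audits the Shortcuts.xml file that Group Policy stores in SYSVOL for a GPO's shortcut preferences and reports, per shortcut, the apply-once flag and any item-level targeting filters. The sample XML is constructed to mirror the two shortcuts configured in this demonstration; the element and attribute names (FilterRunOnce, FilterFile) and the SYSVOL path are assumptions about the preferences XML format, not values from the page.

```powershell
# Added example (not part of the course companion content): audits the shortcut
# preferences a GPO stores in SYSVOL. "Apply once and do not reapply" is stored
# as a FilterRunOnce filter; every other filter element is item-level targeting.
# The XML below is CONSTRUCTED to reflect this demonstration's Preferences GPO;
# element/attribute names are an assumption about the GPP XML format.
$SampleShortcutsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Shortcuts clsid="{00000000-0000-0000-0000-000000000001}">
  <Shortcut clsid="{00000000-0000-0000-0000-000000000002}" name="Shortcut1" status="Shortcut1">
    <Properties action="U" targetType="FILESYSTEM" targetPath="C:\" shortcutPath="%DesktopDir%\Shortcut1"/>
    <Filters>
      <FilterFile bool="AND" not="0" path="C:\Folder1" type="EXISTS"/>
    </Filters>
  </Shortcut>
  <Shortcut clsid="{00000000-0000-0000-0000-000000000002}" name="Shortcut2" status="Shortcut2">
    <Properties action="U" targetType="FILESYSTEM" targetPath="C:\" shortcutPath="%DesktopDir%\Shortcut2"/>
    <Filters>
      <FilterRunOnce id="{00000000-0000-0000-0000-000000000003}"/>
    </Filters>
  </Shortcut>
</Shortcuts>
'@

function Get-ShortcutPreferenceAudit {
    param([xml]$Document)
    foreach ($shortcut in $Document.Shortcuts.Shortcut) {
        $filters = @()
        # An empty <Filters/> element is exposed as a string by the XML adapter,
        # so only descend into it when it is a real element with children.
        if ($shortcut.Filters -is [System.Xml.XmlElement]) {
            $filters = @($shortcut.Filters.ChildNodes | Where-Object { $_.NodeType -eq 'Element' })
        }
        $runOnce = [bool]($filters | Where-Object { $_.LocalName -eq 'FilterRunOnce' })
        # Render each targeting filter as Name(attr=value ...), dropping the
        # bool/not combinators so the condition itself is easy to read.
        $targeting = $filters | Where-Object { $_.LocalName -ne 'FilterRunOnce' } | ForEach-Object {
            $attrs = ($_.Attributes | Where-Object { $_.Name -notin 'bool', 'not' } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
            "$($_.LocalName)($attrs)"
        }
        $targetingText = if ($targeting) { $targeting -join '; ' } else { 'none' }
        [pscustomobject]@{
            Name       = $shortcut.name
            TargetPath = $shortcut.Properties.targetPath
            ApplyOnce  = $runOnce
            Targeting  = $targetingText
        }
    }
}

# Audit the constructed sample. For a real GPO, read the file from SYSVOL instead, e.g.
# [xml](Get-Content "\\LON-DC1\SYSVOL\Adatum.com\Policies\{GPO-GUID}\User\Preferences\Shortcuts\Shortcuts.xml")
# where {GPO-GUID} is a placeholder for the GPO's GUID.
Get-ShortcutPreferenceAudit -Document ([xml]$SampleShortcutsXml) | Format-Table -AutoSize
```

For the sample, Shortcut1 reports a FilterFile targeting entry (the C:\Folder1 requirement from step 7) and Shortcut2 reports ApplyOnce as True with no targeting, matching what students observe in steps 6 through 9.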

Module Review and Takeaways


Best Practices
Best Practices related to Group Policy Management:

• Include comments on GPO settings to document settings and make it easier to find configured
settings later.
• Use a central store for administrative templates.
• Use Group Policy preferences instead of logon scripts.

Review Questions
Question: What is the benefit of having a central store?

Answer: A central store is a single folder inside the SYSVOL shared folder on the domain
controller that stores administrative templates. After you configure the central store, the Group
Policy Management Editor recognizes it and loads all administrative templates from the central
store rather than from the local computer. This is beneficial if you edit GPOs from
several computers. By using a central store, you only need to update administrative templates in
one location.

Question: On which AD DS objects can you set block inheritance?
( ) User

( ) Computer
( ) Site
( ) Domain

( ) OU
Answer:

( ) User

( ) Computer
( ) Site

(√) Domain

(√) OU

Feedback: Block inheritance prevents the inheritance of GPOs that are linked to higher-level
containers. You can set block inheritance only on a domain or OU level.

Common Issues and Troubleshooting Tips


Common Issue: Group Policy settings are not applying to all users or computers in an OU where a GPO is
applied.
Troubleshooting Tip:
• Check security filtering on the GPO.
• Check WMI filters on the GPO.

Common Issue: Group Policy preferences are not being applied.
Troubleshooting Tip: Check the preference settings for item-level targeting.

Lab Review Questions and Answers


Lab: Configuring Group Policy policies and Group Policy preferences
Question and Answers
Question: In the lab, you used the GPMC on LON-CL1, which is running Windows 10. How was that
possible, considering you did not install RSAT during the lab?

Answer: Windows 10 does not include the GPMC, as you verified in the first exercise on LON-CL2.
The GPMC was preinstalled on LON-CL1 during the virtual environment’s preparation, so
you did not have to install it during the lab.

Question: In the lab, why did you only configure user settings in the GPOs?

Answer: In the lab, you linked GPOs to the IT and Technicians OUs. Both OUs contain only user
accounts, and not computer accounts. If you were to configure computer settings in those
policies, they would not apply to any computer.
Managing devices in Microsoft Office 365 6-1

Module 6
Managing devices in Microsoft Office 365
Contents:
Lesson 1: Overview of Office 365 2
Lesson 2: MDM for Office 365 5
Module Review and Takeaways 8
Lab Review Questions and Answers 9



Lesson 1
Overview of Office 365
Contents:
Question and Answers 3
Resources 3
Demonstration: Using Office 365 4
Demonstration: Configuring and using DLP 4

Question and Answers


Question: Which of the following does an Office 365 subscription include? (Choose all that apply).

( ) Azure AD
( ) Exchange Online
( ) SharePoint Online
( ) Word Online
( ) Skype

Answer:

(√) Azure AD
(√) Exchange Online
(√) SharePoint Online
(√) Word Online
( ) Skype

Feedback: The various Office 365 subscriptions include Skype for Business, but not the Skype
app.

Planning considerations for Office 365


Question: How will you use Office 365 in your organization?

Answer: Answers will vary because each organization has its own requirements for Office 365
deployment.

Question: What are your organization’s business requirements?

Answer: Answers will vary because each organization has its own requirements for Office 365
deployment.

Question: Which Office 365 subscription is the most suitable for your organization?

Answer: Answers will vary because each organization has its own scenario for Office 365
deployment.

Resources

What is Office 365?

Additional Reading: For more information, refer to “Office 365 Service Descriptions” at
http://aka.ms/jv0xa9.

Office 365 plans

Additional Reading: For more information, refer to “Switch to a different Office 365 for
business plan” at http://aka.ms/o1i758.

Demonstration: Using Office 365


Demonstration Steps
Access the Office 365 Admin portal
1. On LON-CL3, open the Office 365 Admin portal.

2. Add an Office 365 Enterprise E3 license to the user Abbi Skinner.

3. Make Abbi Skinner a Global administrator.

Use Word Online and OneDrive

1. Open Microsoft Edge, and then navigate to https://office.com.

2. Sign in with your onmicrosoft.com account.

3. Open Word Online.

4. Create and edit a new document.

5. Open OneDrive for Business, view the file in the Files list, and then share the file.

Demonstration: Configuring and using DLP


Demonstration Steps
Configure a DLP Policy
1. On LON-CL3, in Microsoft Edge, open the Office 365 Security & Compliance center.

2. Open the Data loss prevention page, and then click Policy.

3. Create a custom policy with the following settings:

o Name: Prevent external sharing of US PII
o Locations: All
o Sensitive information types: U.S. Social Security Numbers
o Overrides: Allowed with business justification

Test the DLP Policy

1. In Office 365, open OneDrive for Business.

2. Upload the EmployeeTravel.xlsx file from E:\allfiles\mod6\.

3. In OneDrive for Business, select the EmployeeTravel.xlsx file.

4. Select Share.

5. In the Enter a name or email address box, type mary@fabrikam.com.

6. View the policy tip and override the policy, providing the business justification Sharing employee
information with company travel agent.

7. Close the Policy Tip window, and then attempt to share the file again.

View DLP alerts

1. In Microsoft Edge, open the Security & Compliance center.

2. View the DLP policy matches and DLP false positives and overrides reports.
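As an added example, not part of the course content, the following PowerShell script creates the same DLP policy with the Security & Compliance PowerShell cmdlets from the Exchange Online PowerShell module and then lists the rule's override setting for review; it assumes the module is installed and that the sensitive information type is referenced by the display name "U.S. Social Security Number (SSN)".

```powershell
# Added example (not part of the course companion content): creates the DLP
# policy from this demonstration with Security & Compliance PowerShell rather
# than the portal, then shows the override setting so a reviewer can confirm
# that overrides require a business justification.
# Assumptions: the ExchangeOnlineManagement module is installed, and the
# sensitive information type display name is "U.S. Social Security Number (SSN)".
param(
    [string]$PolicyName    = 'Prevent external sharing of US PII',
    [string]$SensitiveType = 'U.S. Social Security Number (SSN)'
)

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # prompts for the Global administrator account used in the demo

function New-UsPiiDlpPolicy {
    param([string]$Name, [string]$InfoType)

    # Locations: All -> Exchange, SharePoint and OneDrive, each scoped to everything.
    $policy = New-DlpCompliancePolicy -Name $Name `
        -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
        -Mode Enable

    # One rule: when content containing the SSN type is shared outside the
    # organization, block access, show a policy tip to the owner and last
    # modifier, and allow an override only with a business justification
    # (the demonstration's "Allowed with business justification"). Choosing
    # WithoutJustification instead would let users bypass the block silently;
    # that is not what the demonstration configures.
    New-DlpComplianceRule -Name "$Name - rule" -Policy $Name `
        -ContentContainsSensitiveInformation @{ Name = $InfoType; minCount = 1 } `
        -AccessScope NotInOrganization `
        -BlockAccess $true `
        -NotifyUser Owner, LastModifier `
        -NotifyAllowOverride WithJustification | Out-Null

    return $policy
}

function Get-DlpOverrideSetting {
    # Review helper: which rules in the policy block access, for which sharing
    # scope, and how users may override.
    param([string]$Name)
    Get-DlpComplianceRule -Policy $Name |
        Select-Object Name, BlockAccess, AccessScope, NotifyAllowOverride
}

New-UsPiiDlpPolicy -Name $PolicyName -InfoType $SensitiveType | Out-Null
Get-DlpOverrideSetting -Name $PolicyName
```

The override and the justification text entered in step 6 of "Test the DLP Policy" then appear in the DLP false positives and overrides report viewed under "View DLP alerts".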

Lesson 2
MDM for Office 365
Contents:
Question and Answers 6
Resources 6
Demonstration: Establishing MDM in Office 365 6

Question and Answers


Question: You can use MDM in Office 365 to manage Android 3 devices.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: You can use MDM in Office 365 to manage devices that are running Android 4 and
later operating systems.

Resources

MDM capabilities for Office 365

Additional Reading: For more information, refer to “Capabilities of built-in Mobile Device
Management for Office 365” at http://aka.ms/k0piks.

Demonstration: Establishing MDM in Office 365


Demonstration Steps
Create a security group
1. In the Office 365 Admin portal, create a new group with the following properties:
o Type: Security group
o Group name: Windows Devices
o Members: Abbi Skinner

Create an MDM policy

1. From the Security & Compliance center, create a new security policy with the following settings:
o Name: Windows devices
o Description: A Datum policies for Windows devices.
o What requirements do you want to have on devices? options:
 Require a password: Yes
 Minimum password length: 4
 Block access and report violation
o What else do you want to configure? options:
 Block screen capture
 Block connection with removable storage
 Block Bluetooth connection

2. Choose to apply the policy immediately.

3. Add the Windows Devices group to the policy, and then deploy the policy.

Use a Windows 10 device to access Office 365


1. On LON-CL4, enroll in device management using the following information to complete the
enrollment:
o Email address: Abbi@your_domain.onmicrosoft.com
o Password: Pa55w.rd

2. Open the Mail app, and then add a new account:
o Choose an account: Exchange
o Email address: Abbi@your_domain.onmicrosoft.com
o Password: Pa55w.rd
o Add this account to Windows: Yes

Note: Wait for a few minutes to give the policy time to apply to your device.

3. When prompted with Make my PC more secure, select Enforce these policies.

View managed devices and a compliance report


• On LON-CL3, open the Device management page, and then view the list of managed devices.

Module Review and Takeaways


Question: Which underlying Microsoft cloud service provides user authentication for Office 365?

Answer: Azure AD provides authentication for Office 365.

Question: Which Office 365 Enterprise or Government subscription plans include Office 365 ProPlus?

Answer: The following plans include Office 365 ProPlus:

• Office 365 Enterprise E3
• Office 365 Enterprise E5
• Office 365 Government E3
• Office 365 Government E5



Lab Review Questions and Answers


Lab B: Managing devices in Office 365 (Part 2)
Question and Answers
Question: In the lab, you configured a policy to block access to removable storage. To which device types
does this apply?

Answer: Windows phone


Question: In the lab, you used groups to decide how to apply policies. If a user has multiple devices and
belongs to a group to which a policy is applied, to which devices does the policy apply?

Answer: If a user belongs to a group to which a mobile device management (MDM) policy
applies, the policy affects all of the user’s devices.
Managing devices by using Microsoft Intune 7-1

Module 7
Managing devices by using Microsoft Intune
Contents:
Lesson 1: Overview of Intune 2
Lesson 2: Managing devices by using Intune 5
Lesson 3: Basic Intune administration 7
Lesson 4: Working with Intune device profiles 9
Lesson 5: Conditional access with Intune 11
Lesson 6: Managing software updates 13
Module Review and Takeaways 15
Lab Review Questions and Answers 16



Lesson 1
Overview of Intune
Contents:
Question and Answers 3
Demonstration: Using portals for managing Intune 3

Question and Answers


Question: Which mobile device management option can manage VPN connections?

( ) Intune
( ) Mobile Device Management for Office 365

Answer:

(√) Intune
( ) Mobile Device Management for Office 365

Feedback: Only Intune can manage virtual private network (VPN) connections.

Question: What are the two options for implementing Intune?

Answer: Intune standalone and Intune hybrid with Microsoft System Center Configuration
Manager (SCCM).

Demonstration: Using portals for managing Intune


Demonstration Steps
Assign Microsoft Enterprise Mobility + Security licenses to users
1. On LON-CL3, open Microsoft Edge and navigate to https://portal.office.com/AdminPortal.

2. Sign in with the following account:
o Username: GAdmin@initialsMMDDYY.onmicrosoft.com
o Password: The password you created in Module 3

3. In the Office 365 Admin center, under Users, select Active Users.

4. Edit the following users, and then assign an Enterprise Mobility + Security E5 license to each
account:
o Abbi Skinner
o Ada Russell
o Aidan Norman

Access the Intune console in the Azure portal

1. In the Office 365 Admin center, expand Admin centers, and then select Intune.

2. Set the mobile device management authority to Intune MDM Authority.

3. In the Microsoft Intune console, select Users.

4. In eyebrow navigation, select Microsoft Intune.

5. In the details pane, select Classic portal.

Note: You should receive an “Unsupported browser or browser mode” error in Microsoft
Edge.

6. In Internet Explorer, open https://admin.manage.microsoft.com.

7. Sign in as GAdmin@initialsMMDDYY.onmicrosoft.com.

8. Under Groups, view Users.

Note: Because no devices are currently enrolled, no data appears.



Lesson 2
Managing devices by using Intune
Contents:
Question and Answers 6
Demonstration: Enrolling a Windows 10 device with Intune 6

Question and Answers


Question: When would you typically install the Intune client software on a device?

Answer: You must use the Intune client to manage Windows 7 computers. You can also deploy
the Intune client to use features such as managing updates for non-Microsoft software.

Demonstration: Enrolling a Windows 10 device with Intune


Demonstration Steps
1. On LON-CL3, go to Windows Settings.

2. In the Accounts settings, select Access work or school, and then connect by using the credentials
for Abbi@your_domain.onmicrosoft.com.

3. Confirm your enrollment by viewing your settings on the Access work or school page.

Lesson 3
Basic Intune administration
Contents:
Question and Answers 8

Question and Answers


Question: You can combine both users and devices in a single dynamic group.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: You cannot combine users and devices in a single dynamic group.

Lesson 4
Working with Intune device profiles
Contents:
Question and Answers 10
Demonstration: Using an Intune device profile 10

Question and Answers


Question: How are device profiles managed in the Intune classic portal?

Answer: In the Intune classic portal, device profiles are known as configuration policies.
Configuration policies are created and managed just like any other policy in the classic portal.

Demonstration: Using an Intune device profile


Demonstration Steps

Create an Azure AD group


1. In Azure AD, create the Adatum VPN Test security group.

2. Assign LON-CL3 to the group.

Create and deploy the VPN profile


1. On LON-CL3, in Microsoft Edge, in Azure, open the Intune console.
2. Open the Create Profile blade.

3. Create a device profile with the following settings:

o Name: Adatum VPN


o Description: Corporate VPN for Adatum

o Platform: Windows 10 or later

o Profile type: VPN


o Connection name: Adatum VPN

o Server:

 Description: Adatum VPN Server

 IP Address or FQDN: vpn.adatum.com

 Default server: True

o Connection type: F5 Edge client

o Authentication method: Username and password

o Custom XML:

<f5-vpn-conf><single-sign-on-credential /></f5-vpn-conf>

4. Deploy the profile to the Adatum VPN Test group.

Confirm that the profile was deployed


• On LON-CL3, open Network connections, and then confirm that the virtual private network (VPN)
connection was added.

Lesson 5
Conditional access with Intune
Contents:
Question and Answers 12
Demonstration: Creating a device compliance policy 12
Demonstration: Using conditional access 12

Question and Answers


Question: Is conditional access a feature of Intune?

Answer: Conditional access is a solution that is part of Microsoft Enterprise Mobility + Security
(EMS), and Intune is part of the solution. Intune adds mobile device compliance and mobile
application management (MAM) to the solution, but it does not provide a full conditional access
solution. At a minimum, you must also have Azure AD.

Demonstration: Creating a device compliance policy


Demonstration Steps
Create an Azure AD group
1. In Azure AD, create a security group named Device compliance test.

2. Add Bill Kruger to the group.

Create and deploy a device compliance policy


1. In the Intune console in the Azure portal, open the Device compliance blade.
2. Create a policy with the following settings:

o Name: Password compliance

o Platform: Windows 10 and later


o Require a password to unlock mobile devices: True

3. Assign the policy to the Device compliance test group.

Confirm device compliance


• On the Device compliance test blade, confirm the status of LON-CL3.

Demonstration: Using conditional access


Demonstration Steps
1. On LON-CL3, in the Azure AD console, open the Conditional access - Policies blade.

2. Create a policy with the following settings:
o Name: Exchange Online conditional access policy
o Assignments:
 Users and groups: Device compliance test
 Cloud apps: Office 365 Exchange Online
 Conditions:
  All locations
  All platforms
o Access controls:
 Grant: Block
 Sessions: not configured

Lesson 6
Managing software updates
Contents:
Question and Answers 14
Demonstration: Creating and assigning an update ring 14

Question and Answers


Question: What does Windows as a service mean?

Answer: Windows as a service means that instead of the traditional release cadence of major
updates, minor updates, and monthly patches, Windows 10 receives quality updates (bug fixes)
on a regular monthly cadence. Feature updates occur on a less-frequent but predictable
schedule.

Demonstration: Creating and assigning an update ring


Demonstration Steps
Create an Azure AD group for the update ring
1. In Azure AD, create a security group named Adatum update ring.

2. Assign LON-CL3 to the group.

Create and deploy the update ring


1. On LON-CL3, in the Intune console in Azure, open the Software updates blade.

2. Create a Windows 10 update ring with the following settings:
o Name: Windows 10 update ring
o Servicing branch: Semi-Annual Channel
o Microsoft product updates: Allow
o Windows drivers: Allow
o Quality update deferral period (days): 2
o Feature update deferral period (days): 10
o Delivery optimization download mode: HTTP blended with peering behind the same NAT

3. Assign the ring to the Adatum update ring group.



Module Review and Takeaways


Question: You have created a Windows 10 update ring, but updates are not being deployed. What might
be the problem?

Answer: One of the first things you should check is to make sure that the update ring has been
assigned to a group of computers. If not, the update ring will not do anything.

Question: What are the phases of the mobile device management lifecycle?

Answer:

• Enroll
• Configure
• Protect
• Retire

Question: The Intune console in the Azure portal requires Silverlight.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: The Intune classic portal requires Silverlight. The Azure portal does not require
Silverlight.

Question: In the Intune classic portal, how are device compliance policies created?

( ) Per platform.
( ) All platforms at once.
( ) Compliance policies are not supported in the classic portal.

Answer:

( ) Per platform.
(√) All platforms at once.
( ) Compliance policies are not supported in the classic portal.

Feedback: In the classic portal, device compliance policies are set for all platforms at the same
time. In the Intune console in the Azure portal, you can set a different device compliance policy
for each platform.

Lab Review Questions and Answers


Lab A: Implementing Intune
Question and Answers
Question: In the lab, you created a custom Intune role. Describe some scenarios where you might need to
do this.

Answer: Answers will vary, but the scenarios include:


• When a group of users and devices have a single person or team dedicated to managing
them.

• When you need to create combinations of permissions that the built-in roles do not handle,
such as those for a single person or small team dedicated to managing all the aspects of
mobile device management.

Lab B: Managing devices with Intune

Question and Answers


Question: In the lab, you chose to install updates from the Windows 10 update ring automatically outside
of the device’s active hours. When might you decide that an update should be installed and the device
restarted without user consent?
Answer: Generally, you will want to do this only for extremely critical security updates that
address a significant threat; otherwise, users might lose unsaved work.
Configuring and using Microsoft Store for Business 8-1

Module 8
Configuring and using Microsoft Store for Business
Contents:
Lesson 1: Using Microsoft Store for Business for app deployment 2

Lesson 2: Deploying Windows 10 by using Windows AutoPilot 6


Module Review and Takeaways 10

Lab Review Questions and Answers 11



Lesson 1
Using Microsoft Store for Business for app
deployment
Contents:
Question and Answers 3
Resources 5

Question and Answers


Question: On which device or devices can you install an app from Microsoft Store for Business? Select all
that apply.

( ) Windows 8.1 Enterprise PC
( ) Windows 10 Pro tablet
( ) Windows 10 Education PC
( ) Android 7 tablet
( ) Apple iPad Pro

Answer:

( ) Windows 8.1 Enterprise PC
(√) Windows 10 Pro tablet
(√) Windows 10 Education PC
( ) Android 7 tablet
( ) Apple iPad Pro

Feedback: You can install apps from Microsoft Store for Business only on Windows 10 devices.

Question: Users can install offline-licensed apps only if they have an Azure AD account.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: Users can install offline-licensed apps on a device even if the device doesn’t have
internet connectivity and the user doesn’t have an Azure AD account.

Question: An organization must pay a monthly fee for using Microsoft Store for Business.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: Microsoft Store for Business is a cloud service that is available for free. However, an
organization must be using Azure AD to use Microsoft Store for Business.

Features and benefits of Microsoft Store for Business


Question: What is the main difference between Microsoft Store and Microsoft Store for Business?

Answer: The main difference is that Microsoft Store is for general audiences, whereas Microsoft
Store for Business is for organizations. In Microsoft Store, users can find all types of apps,
including games, books, music, and TV shows. In Microsoft Store for Business, you find business-
related modern Windows 10 apps and LOB apps.

Question: Can you sign in to Microsoft Store for Business with a Microsoft account?

Answer: You can use a Microsoft account to purchase and install an app from the Microsoft
Store. However, you can’t use a Microsoft account to sign in to Microsoft Store for Business; you
must use a Microsoft Azure Active Directory (Azure AD) account to sign in to it.

Prerequisites for Microsoft Store for Business


Question: Can you install an app from Microsoft Store for Business on a device that is running Windows
8.1 Update?

Answer: No, you can’t install an app from Microsoft Store for Business on a device that is
running Windows 8.1 Update. Apps from Microsoft Store for Business can install only on
Windows 10 devices.

Question: Is an Azure AD account necessary if you want to browse Microsoft Store for Business and not
install any apps from it?

Answer: Yes, an Azure AD account is necessary even if you only want to browse Microsoft Store
for Business. Users must authenticate before they can access Microsoft Store for Business. This is
different than with the public Microsoft Store, where users can browse the store and install free
apps without signing in to the Microsoft Store; they must authenticate with a Microsoft account
only before they can purchase and install a purchased app.

How to implement Microsoft Store for Business


Question: In which app can you sign up for Microsoft Store for Business? Do users utilize the same app
for browsing it?
Answer: You can sign up for Microsoft Store for Business in a web browser such as Internet
Explorer 11 or Microsoft Edge. You can use a web browser to manage Microsoft Store for
Business, browse the available apps in a private store, and install apps from Microsoft Store for
Business. Company users would probably use the Microsoft Store app for browsing Microsoft
Store for Business and for installing apps from the store.
Question: Do you need to add company users to a role to be able to browse Microsoft Store for
Business?

Answer: No. After you set up Microsoft Store for Business, all company users who have Azure AD
accounts can access and browse it. If you want to delegate permissions to some users—for
example, to purchase apps and to add them to the private store—you must add them to a role.

What is the app licensing model?


Question: Should a user have an Azure AD account if you want to deploy an offline-licensed app to that
user?

Answer: Microsoft Store for Business requires that users have an Azure AD account if you want
to deploy online-licensed apps to those users, or if they want to connect to Microsoft Store for
Business. You can deploy an offline-licensed app to any user, regardless of whether they have an
Azure AD account.
Question: Can you include an online-licensed app from a private store in an image that you plan to
deploy on a new Windows 10 computer?
Answer: Online-licensed apps require that a user first connect and authenticate to Microsoft
Store for Business; only then can the user install the app. You can’t download and include
online-licensed apps in an image.

Deploying and managing Microsoft Store for Business apps


Question: In which ways can you distribute an online-licensed app from Microsoft Store for Business?

Answer: Users must authenticate in Microsoft Store for Business before they can install an
online-licensed app. For distributing online-licensed apps, you can use a private store, assign
apps to users, or use a mobile device management tool such as Intune or Configuration Manager.
Question: Can you assign an app from Microsoft Store for Business to a Windows 10 device?

Answer: No, you can assign apps from Microsoft Store for Business only to company users. You
can’t assign apps from Microsoft Store for Business to groups or devices.

Resources

Features and benefits of Microsoft Store for Business

Additional Reading: For an overview of Microsoft Store for Business, refer to “Microsoft
Store for Business and Microsoft Store for Education overview” at https://aka.ms/s6ik04.

Prerequisites for Microsoft Store for Business

Additional Reading: For more information, refer to “Prerequisites for Microsoft Store for
Business and Education” at https://aka.ms/p0db8f.

What is the app licensing model?

Additional Reading: For additional information about offline licensing in Microsoft Store
for Business, refer to “Extend your reach with offline licensing in Windows Store for Business” at
https://aka.ms/lhidy7.
Additional Reading: For more information about working with LOB apps in Microsoft
Store for Business, refer to “Working with line-of-business apps” at https://aka.ms/wwf42z.

Deploying and managing Microsoft Store for Business apps

Additional Reading: For additional information about distributing offline-licensed apps,
refer to “Distribute offline apps” at https://aka.ms/oaj2fm.

Lesson 2
Deploying Windows 10 by using Windows AutoPilot
Contents:
Question and Answers 7

Question and Answers


Question: An organization can use Windows AutoPilot even if it doesn’t have Microsoft Store for
Business.

( ) True

( ) False

Answer:

( ) True

(√) False

Feedback: Windows AutoPilot can deploy only to known devices. You can manage Windows
AutoPilot in Microsoft Store for Business or in Intune. However, you can upload device-specific
information only on Microsoft Store for Business. Because of this, a company can’t use Windows
AutoPilot if it doesn’t have Microsoft Store for Business.
Question: Windows AutoPilot deployment is faster than deployments that use Windows 10 installation
media.

( ) True

( ) False

Answer:
(√) True

( ) False

Feedback: If you deploy Windows 10 by using installation media, you perform image-based
installation. You use Windows AutoPilot when Windows 10 is already installed on a device.
Windows AutoPilot automates the OOBE setup phase without deploying a new image. This is
much faster than performing image-based deployment.

Question: You need the Windows Assessment and Deployment Kit (Windows ADK) to be able to use
Windows AutoPilot.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: Windows AutoPilot is a cloud service that automates the OOBE setup phase for
known Windows 10 devices. You don’t need Windows ADK or any other tool on the Windows 10
device. You only need to upload device-specific information to Microsoft Store for Business,
create and assign a Windows AutoPilot deployment profile, and start the device in the OOBE
setup.

Comparing traditional and modern Windows 10 deployment


Question: What is the prerequisite for a modern Windows 10 deployment?

Answer: To use modern Windows 10 deployment, the Windows 10 operating system must
already be installed on the device. Modern deployments transform an existing Windows 10
installation with little or no user interaction and without deploying a new image.

Question: Name three modern Windows 10 deployment options.

Answer: If your device already has a Windows 10 operating system, you can use modern
deployment options such as provisioning packages, Windows 10 subscription activation, or
Windows AutoPilot.

What is Windows AutoPilot?


Question: Can you use Windows AutoPilot to deploy any device?

Answer: No, you can use Windows AutoPilot to deploy only known devices that already have
Windows 10 operating systems. You must obtain and upload device-specific information, which
includes hardware ID, to the cloud before you can deploy a device by using Windows AutoPilot.
Question: Does the user who deploys a device by using Windows AutoPilot become a local Administrator
of the device?

Answer: It depends. By default, a user who completes the OOBE setup phase becomes a local
Administrator. Windows AutoPilot enables you to specify whether a user should become a local
Administrator.

Prerequisites for Windows AutoPilot


Question: Can you use Windows AutoPilot to deploy Windows 10 computers in a company that doesn’t
have Azure AD?
Answer: No. Windows AutoPilot requires companies to have Azure AD. You can’t set up
Microsoft Store for Business or Intune without Azure AD, and at least one of those cloud services
is necessary to use Windows AutoPilot.

Question: Can you deploy a custom Windows 10 image by using Windows AutoPilot?

Answer: No. Windows AutoPilot isn’t an image-based deployment, and you can’t use it to deploy
Windows 10 images. However, if your computer has a preinstalled Windows 10 image, you can
use Windows AutoPilot to automate and customize the OOBE setup phase on that computer.

How Windows AutoPilot works


Question: Do you always have to upload a device-specific comma-separated value (CSV) file to Microsoft
Store for Business if you want to deploy devices by using Windows AutoPilot?
Answer: No. If you purchase Windows 10 devices from Windows AutoPilot original equipment
manufacturer (OEM) partners, such as Lenovo, HP, or Toshiba, they can upload a device-specific
CSV file on your behalf. However, device-specific information must be present in Microsoft Store
for Business before you can deploy the devices by using Windows AutoPilot.

Question: After you upload device-specific information, what must you do in Microsoft Store for Business
if you want to deploy those devices by using Windows AutoPilot?

Answer: Before you can deploy the devices by using Windows AutoPilot, you must create and
apply a Windows AutoPilot deployment profile to the devices or device group. The Windows
AutoPilot deployment profile controls the Windows 10 OOBE setup phase.

Preparing Microsoft AutoPilot deployment


Question: How can you obtain device-specific information from a Windows 10 device if you want to
deploy it by using Windows AutoPilot?

Answer: If you purchased the device from a Windows AutoPilot OEM partner, you can obtain
device-specific information in CSV format from that partner. You can also obtain device-specific
information by running the Get-WindowsAutoPilotInfo.ps1 Windows PowerShell script.
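The following PowerShell is an added example for this section; it is not part of the course and it is not Microsoft's Get-WindowsAutoPilotInfo.ps1 script. It gathers the two values that script collects (the SMBIOS serial number and the hardware hash exposed through the MDM bridge WMI provider) and writes them in the CSV layout that Microsoft Store for Business accepts, then checks the file before you upload it. The output path and the empty Windows Product ID column are assumptions for this example.

```powershell
# Added example; not the course's code and not Microsoft's Get-WindowsAutoPilotInfo.ps1.
# Collects the same data the script reads and writes the CSV that Microsoft Store
# for Business expects. Run from an elevated PowerShell session on the device.
$OutputFile = 'C:\HWID\AutoPilotHWID.csv'   # assumption: any writable path works

# Serial number from the SMBIOS tables.
$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber

# The hardware hash comes from the MDM bridge WMI provider. The query returns
# nothing unless the caller is SYSTEM or an elevated administrator.
$devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
    -ClassName 'MDM_DevDetail_Ext01' `
    -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
    throw 'Could not read the hardware hash; run this elevated on a Windows 10 device.'
}
$hash = $devDetail.DeviceHardwareData

# Windows Product ID is optional; the portal accepts an empty column.
$productId = ''

# Column names must match exactly or the upload is rejected.
$header = 'Device Serial Number,Windows Product ID,Hardware Hash'
$row    = '{0},{1},{2}' -f $serial, $productId, $hash

New-Item -ItemType Directory -Path (Split-Path -Parent $OutputFile) -Force | Out-Null
Set-Content -Path $OutputFile -Value $header, $row -Encoding ASCII

# Check the file before uploading it: exactly one row, with a hash of plausible
# size (the base64 blob is several kilobytes).
$rows = @(Import-Csv -Path $OutputFile)
if ($rows.Count -ne 1 -or $rows[0].'Hardware Hash'.Length -lt 100) {
    throw "$OutputFile does not look like valid AutoPilot data; do not upload it."
}
Write-Output "Wrote AutoPilot registration data for serial '$serial' to $OutputFile"
```

Treat the resulting CSV as sensitive: the serial number and hardware hash are all that is needed to register the device into a tenant, so delete the file after you upload it. The supported way to produce the file remains the published script (Install-Script -Name Get-WindowsAutoPilotInfo from the PowerShell Gallery); this example only shows what that script reads.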

Question: Where can you create a Windows AutoPilot deployment profile?

Answer: You can create a Windows AutoPilot deployment profile in Microsoft Store for Business
and in Intune.

What is Windows Automatic Redeployment?


Question: Can any user initiate Windows Automatic Redeployment on a device?

Answer: No, normal users can’t initiate Windows Automatic Redeployment. A user must be a
member of the Administrators group to run Windows Automatic Redeployment.

Question: In which two ways can you configure Windows Automatic Redeployment, and how can you
trigger it?

Answer: You can configure Windows Automatic Redeployment by using a mobile device
management policy or by using a provisioning package. You can trigger Windows Automatic
Redeployment by pressing Ctrl+Windows logo key+R when you are at the Windows 10 lock
screen.

Module Review and Takeaways


Review Questions
Question: You want to add a purchasable app to Microsoft Store for Business. Will company users have to
pay when they want to install the app from the private store?

Answer: No. If you want to add a purchasable app to Microsoft Store for Business, you need to
buy and pay for the required number of copies of the app. Then, company users will be able to
install the app from Microsoft Store for Business without paying for it. You should be aware that
the number of company users who can install the app can’t exceed the number of app copies
that you purchased.

Question: You need to create a Microsoft Store for Business account for every company user who will
access the store.

( ) True

( ) False
Answer:

( ) True

(√) False

Feedback: Users utilize Azure AD accounts to access Microsoft Store for Business. You don’t need
to create additional accounts for them to access Microsoft Store for Business.

Question: Which role must a user have in Azure AD to be able to sign up for Microsoft Store for Business?
Answer: The user must be a global administrator in an Azure AD tenant to be able to sign up for
Microsoft Store for Business.

Question: Can you use Intune to configure and manage Windows AutoPilot?
Answer: You can create and apply a Windows AutoPilot deployment profile in Intune. However,
you can’t perform the initial step, which is uploading device-specific CSV files that you want to
deploy in Intune. You must upload a CSV file in Microsoft Store for Business and then sync the
uploaded device information with Intune.

Lab Review Questions and Answers


Lab: Deploying apps and Windows 10 by using Microsoft Store for
Business

Question and Answers


Question: Can you sign up for Microsoft Store for Business by using the Microsoft Store app?

Answer: Windows 10 includes the Microsoft Store app, and you can use it to access, browse, and
install available apps from the Microsoft Store and from Microsoft Store for Business. However,
you can’t sign up for Microsoft Store for Business in the Microsoft Store app. You must use a web
browser to sign up for Microsoft Store for Business.

Question: Do you need to add a user to the Basic purchaser role to be able to browse and install apps
from Microsoft Store for Business?
Answer: No. All company users can perform this action by default.

Question: Why were you unable to view any apps in the private store even though you had added several
apps there?
Answer: The private store updates periodically. It can take up to 36 hours before newly added
apps appear in a private store, regardless of whether you access the store by using the Microsoft
Store app or a web browser.
Question: Can you fully automate a deployment by using Windows AutoPilot?

Answer: No. Windows AutoPilot can automate most of the OOBE setup phase, but users will still
have to select their locales and keyboards, and sign in with their Azure AD credentials.

Module 9
Deploying apps and managing information access by using
Intune
Contents:
Lesson 1: App management by using Intune 2
Lesson 2: App deployment and management 4

Lesson 3: Working with WIP 7

Module Review and Takeaways 10


Lab Review Questions and Answers 11

Lesson 1
App management by using Intune
Contents:
Question and Answers 3
Resources 3
Demonstration: Synchronizing Intune with Microsoft Store for Business 3

Question and Answers


Question: You can deploy .exe files as LOB apps to Windows 10 devices using Intune.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: You can use Intune only to deploy files with the .appx, .appxbundle, and .msi file
extensions to Windows 10 devices. The file extension .exe is not supported.

Resources

Overview of app lifecycle management

Additional Reading: For a list of application management capabilities across all platforms,
refer to “What is Microsoft Intune app management?” at https://aka.ms/ft7s7r.

Overview of the Intune Company Portal

Additional Reading: For more detailed instructions on customizing the Company Portal,
including guidelines for logo size and length of text, refer to “How to configure the Microsoft
Intune Company Portal app” at https://aka.ms/O4fldc.

Demonstration: Synchronizing Intune with Microsoft Store for Business


Demonstration Steps
1. Sign in to LON-CL3, and then in Microsoft Edge sign in to Microsoft Store for Business as
GAdmin@initialsMMDDYY.onmicrosoft.com
2. In the Management tools settings, add Microsoft Intune as a management tool.

3. Open the Intune console in Azure, and then navigate to the Mobile apps workload.

4. Under Setup, select Microsoft Store for Business.


5. Select Enable.

6. Select the Language used for display of apps within the Azure portal.

7. Select Sync.
8. In the Mobile apps workload, view the list of available apps and confirm that the apps added in
Module 8 appear.

Lesson 2
App deployment and management
Contents:
Question and Answers 5
Resources 5
Demonstration: Deploying an app by using Intune 5

Question and Answers


Question: When would you want to perform a full wipe of a device instead of a selective wipe?

Answer: Answers will vary. One reason to perform a full wipe is if the device is lost or stolen and
you want to remove both personal data and corporate data. You might also want to perform a
full wipe of corporate-owned devices to remove personal information.

Resources

Managing app assignment

Additional Reading: For a complete list of potential app assignment conflicts and
resolutions, refer to the How conflicts between app intents are resolved topic in “How to
assign apps to groups with Microsoft Intune” at https://aka.ms/Gxw0ln.

Demonstration: Deploying an app by using Intune


Demonstration Steps
Create an app category in Intune
1. On LON-CL3, in Microsoft Edge, navigate to the Intune console in Azure.
2. Open the App categories blade in the Mobile apps workspace.

3. Add a category named IT Tools.

Add an app to Intune


1. In the Intune console in Azure, open the Mobile apps workspace.

2. Add an LOB app with the following settings:

o App package file: C:\Labfiles\Mod09\XmlNotepad.msi


o Description: XML text editor for the IT team

o Publisher: Microsoft

o Category: IT Tools
o Display this as a featured app in the Company Portal: No

o Information URL: http://adatum.sharepoint.com/IT/Tools

o Privacy URL: http://adatum.sharepoint.com/IT/Privacy


o Developer: Microsoft

o Owner: Adatum IT

Assign the app to a group


1. In the Mobile apps workspace, open the Apps blade.

2. Select the XML Notepad 2007 app, and then assign it to the Windows devices group as a Required
app.

Monitor and verify app installation


1. In the XML Notepad 2007 app blade, monitor Device install status.

2. Verify that LON-CL3 appears in the list.


3. When the status report indicates that the app has successfully installed, open the app on LON-CL3.

Lesson 3
Working with WIP
Contents:
Question and Answers 8
Resources 8
Demonstration: Configuring a WIP policy 8

Question and Answers


Question: What are the four WIP protection modes?

Answer:
Block

Allow overrides

Silent
Off

Question: Which WIP protection mode do you use for testing policies?

Answer: You will most likely use either the Allow overrides or Silent mode for testing new WIP
policies. The Allow overrides mode will let your users continue working while learning about the
policies. The Silent mode will make sure you are informed about instances when the policy is
violated, but users will not be notified.

Resources

Creating WIP policies

Additional Reading: For detailed information about how to add each type of app to the
Allowed apps list, refer to the “Add apps to your Allowed apps list” topic in “Create a Windows
Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune” at
https://aka.ms/kkf3k8.
Additional Reading: For more information, refer to “Create and verify an Encrypting File
System (EFS) Data Recovery Agent (DRA) certificate” at http://aka.ms/G7280o.
Additional Reading: For more information about Azure RMS, refer to “Microsoft Azure
Rights Management” at https://aka.ms/Rjhpql.

Demonstration: Configuring a WIP policy


Demonstration Steps
Create the WIP policy
1. On LON-CL3, in Microsoft Edge, switch to the Dashboard – Microsoft Azure tab.

2. Open the Mobile apps workspace.


3. Select App protection policies.

4. Add a policy with the following settings

o Name: Windows 10 WIP test policy


o Platform: Windows 10

o Enrollment state: With enrollment

Add protected apps, WIP-protection mode, and corporate identity


1. Select the following apps to protect:

o Microsoft Edge

o Notepad

2. Set the WIP-protection mode to Allow overrides.

3. Set the corporate identity to adatum.com.

Define corporate boundaries


1. Set a corporate network boundary definition by using the following values:

o Name: Domain name

o Boundary type: Network domains

o Value: Adatum.com

2. Set a second corporate network boundary definition by using these values:

o Name: IPV4 range

o Boundary type: IPv4 ranges

o Value: 172.16.0.1-172.16.0.190

Create and upload a DR certificate


1. In Windows PowerShell, use the following command to create a DRA certificate named
ADATUMDRA.cer. The command prompts for a password and also writes ADATUMDRA.pfx, which holds
the private key that can decrypt every file the policy protects; keep that file off the
workstation:

cipher /r:C:\Users\Ana\Documents\ADATUMDRA

2. Navigate to and upload the certificate to the WIP policy.


3. Set the Show the enterprise data protection icon overlay setting to Yes.
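The following PowerShell is an added example for the DRA step above; it is not part of the course. It runs the same cipher /r command, verifies that the resulting .cer really is a File Recovery certificate before it is uploaded to the WIP policy, and then restricts access to the .pfx that holds the private key. The paths and the account name are assumptions for this example.

```powershell
# Added example; not the course's code. Creates the WIP Data Recovery Agent (DRA)
# certificate, verifies it is a File Recovery certificate, and locks down the
# private key. Paths and the account name are assumptions for this example.
$KeyDir   = 'C:\Users\Ana\Documents'
$BaseName = 'ADATUMDRA'
$CerPath  = Join-Path $KeyDir "$BaseName.cer"
$PfxPath  = Join-Path $KeyDir "$BaseName.pfx"

# cipher /r writes BaseName.cer (public certificate, the file you upload to the
# WIP policy) and BaseName.pfx (the private key, protected by the password that
# cipher prompts for twice). Only the .pfx can decrypt a recovered file.
& cipher.exe "/r:$(Join-Path $KeyDir $BaseName)"
if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

# Verify the EKU before uploading: File Recovery is OID 1.3.6.1.4.1.311.10.3.4.1.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$eku  = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasRecoveryEku = @($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.4.1.311.10.3.4.1').Count -gt 0
if (-not $hasRecoveryEku) { throw "$CerPath does not carry the File Recovery EKU; do not upload it." }
'DRA certificate OK: subject={0} thumbprint={1} expires={2:d}' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

# The .pfx can decrypt every file the WIP policy will ever protect. Strip the
# inherited Documents ACL so only the creating user and local Administrators can
# read it, then move it to offline media or a key vault and delete this copy.
$owner = '{0}\{1}' -f $env:USERDOMAIN, $env:USERNAME
& icacls.exe $PfxPath /inheritance:r /grant:r "${owner}:F" 'BUILTIN\Administrators:F'
if ($LASTEXITCODE -ne 0) { throw "icacls.exe failed with exit code $LASTEXITCODE" }
Write-Output "Private key $PfxPath is readable only by $owner and Administrators. Move it offline now."
```

Upload only the .cer file to the policy. If the .pfx is lost, files protected under the policy cannot be recovered after a selective wipe, and if it leaks, anyone holding it can decrypt them, so store it the way you would store a root CA key.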

Deploy and test the WIP policy


1. In the Mobile apps – App protection policies list, select Windows 10 WIP test policy.
2. Assign the policy to the Windows devices group.

3. Open a new Microsoft Edge browser session.

4. Attempt to upload the file C:\Labfiles\Mod09\WIPTest.txt to the personal OneDrive associated
with the Microsoft account you created for this class.

Note: You should not be able to successfully upload the file to OneDrive.

Module Review and Takeaways


Best Practice
Managing Windows 10 devices as mobile devices in Intune provides the most flexibility and functionality.

Review Questions
Question: What are some of the capabilities that Intune has for managing Windows 10 devices?

Answer:
Answers should include the following:

• Add and assign apps to devices and users.

• Protect company data in apps with WIP.


• Selective wipe of data from apps.

• Monitor app assignments.

• Assign and track bulk-purchased apps.


• Mandatory install of apps on Intune-managed devices.

• Available install of apps from the Company Portal.

• Install shortcut to an app on the web.


• Install apps from a store.

• Update apps.

Question: Within Intune, where do you create WIP policies, and what other kinds of policies can you
create from the same interface?
Answer: You can create WIP policies from the App protection policies blade. Along with WIP
policies for Windows 10 devices, you can also create app protection policies for iOS and Android
devices from the same blade.

Common Issues and Troubleshooting Tips


Common Issue: An app wipe request status is showing as Pending for a very long time.
Troubleshooting Tip: Keep in mind that the user must open the app before the wipe will occur. If
they do not open the app, the wipe might never occur. It can also take up to 30 minutes for a wipe
request to arrive on the device.

Common Issue: An app deployed by using Intune does not appear to successfully tell the difference
between personal data and corporate data found within the network boundary.
Troubleshooting Tip: It is possible that the app is not enlightened, which means that it is not
WIP-aware. If an app is not WIP-aware, it might encrypt both personal and corporate data. Check
with the app developer to find out if the app is WIP-aware. Intune Recommended apps are
enlightened.

Lab Review Questions and Answers


Lab: Deploying apps and managing information access by using Intune
Question and Answers
Question: In the lab, you created a custom Office suite and assigned it to users. In your organization, can
you think of times you would create different Office suite installations for different users?

Answer: Answers will vary. Office 365 ProPlus contains several applications, such as Microsoft
Access and Microsoft Publisher, that are used mostly by a small group of users, so there is no
reason to install these applications on every computer. Also, Microsoft Project and Microsoft Visio
require separate licenses, so you might want to deploy those apps only to a limited number of
people.
Question: In the lab, you set the corporate identity to adatum.com. In this field, you can list multiple
domains. In which situations would you use multiple domains?

Answer: You would list multiple domains if your company owns several domains that are used to
send email. You might also list the domains of highly trusted partner companies with whom you
share sensitive data. Keep in mind that WIP treats every domain in this list as part of your
enterprise, so add a partner's domain only if you are willing for data sent to it to be handled the
same way as data sent to your own domain.

Module 10
Managing data access for Windows-based devices
Contents:
Lesson 1: Overview of data access solutions 2

Lesson 2: Implementing Work Folders 4


Lesson 3: Implementing cloud data access 6

Lesson 4: Publishing and using RemoteApp programs 8

Module Review and Takeaways 10


Lab Review Questions and Answers 11

Lesson 1
Overview of data access solutions
Contents:
Question and Answers 3

Question and Answers


Question: Your company uses an accounting app that is based on a client/server architecture, and
the client cannot be installed on the operating system that runs on a user’s device (for example,
a device that runs another vendor’s operating system). How can users still use the company
accounting app from their devices?

Answer: Because the accounting app cannot be installed locally on the users’ devices, the users
connect from their devices to a system where the app is installed and run it there. For example,
they could use Remote Desktop to connect to their company computer. Alternatively, if the company
has deployed a VDI environment, they could connect to their virtual desktop and use the accounting
app from there, or they could start the app as a RemoteApp program published from an RD Session
Host server. In each case the app and its data stay on the company system; only screen, keyboard,
and mouse traffic crosses to the device.

Lesson 2
Implementing Work Folders
Contents:
Question and Answers 5
Demonstration: Deploying and using Work Folders 5

Question and Answers


Question: You can share the content of your Work Folders with your coworkers.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: Currently, the Work Folders technology does not support content sharing. You cannot
share content stored in user’s Work Folders with other users.

Demonstration: Deploying and using Work Folders


Demonstration Steps
Configure Infrastructure for Work Folders
1. On LON-DC1, use Windows PowerShell to install the FS-SyncShareService feature by using the
Install-WindowsFeature cmdlet.
2. Use Server Manager to create a new sync share. Use the following data:

o Local path: C:\syncshare1


o Structure for user folders: User alias
o Grant sync access to groups: Managers

o Device policies: No policy is selected

3. Use Server Manager to verify that syncshare1 displays in the WORK FOLDERS section and that user
Adam Hobbs is listed in the USERS section.

4. On LON-DC1, use IIS Manager to add an https binding to the default website. Use LON-
DC1.adatum.com as the SSL certificate.

Configure Group Policy settings for Work Folders


1. On LON-DC1, use the Group Policy Management Console to create and link a Group Policy named
Deploy Work Folders to the Marketing OU.

2. For the Deploy Work Folders Group Policy, in the Group Policy Management Editor, browse to User
Configuration\Policies\Administrative Templates\Windows Components\Work Folders.

3. Enable the Specify Work Folders settings setting, configure it with https://lon-dc1.adatum.com as
Work Folders URL, and then select the Force automatic setup check box.

4. On LON-CL1, sign out, and then sign back in as adatum\adam by using the password Pa55w.rd.

5. Use File Explorer to create a new text document in Work Folders named On LON-CL1.

Verify that Work Folders is Synchronizing


1. On LON-CL2, sign out, and then sign back in as adatum\adam by using the password Pa55w.rd.

2. Open File Explorer and verify that On LON-CL1 is in Work Folders.
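The following PowerShell is an added example for the demonstration above; it is not part of the course. It performs the server-side and Group Policy steps as a script on LON-DC1. One deliberate difference from the demonstration is marked as an assumption: the sync share is created with device policies enabled, because a share without them places corporate data on every device the user signs in to with no encryption or lock-screen requirement. The registry location used for the policy is the one the Work Folders ADMX template writes to; the certificate lookup assumes a certificate for LON-DC1.adatum.com is already in the machine store.

```powershell
# Added example; not the course's code. The server-side and Group Policy steps
# of the demonstration as a script, run on LON-DC1 as a domain administrator.
# One deliberate difference, marked as an assumption: device policies are turned
# on, because an unprotected sync share places corporate data on every device
# the user signs in to.
Import-Module ServerManager, GroupPolicy

# 1. Role service; this also installs the SyncShare PowerShell module.
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools | Out-Null
Import-Module SyncShare, WebAdministration

# 2. Sync share. RequireEncryption encrypts the device's local copy with EFS keyed
#    to the enterprise ID; RequirePasswordAutoLock enforces a lock-screen
#    password policy on the device. Assumption: the demo selected no policy.
if (-not (Get-SyncShare -Name 'syncshare1' -ErrorAction SilentlyContinue)) {
    New-SyncShare -Name 'syncshare1' -Path 'C:\syncshare1' -User 'ADATUM\Managers' `
        -UserFolderFormat 'alias' -RequireEncryption -RequirePasswordAutoLock | Out-Null
}
Get-SyncShare -Name 'syncshare1' | Format-List Name, Path, User, RequireEncryption, RequirePasswordAutoLock

# 3. HTTPS binding. Work Folders clients only talk HTTPS, and the certificate
#    must match the URL in the policy and chain to a CA the clients trust.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=LON-DC1.adatum.com*' -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid certificate for LON-DC1.adatum.com in the machine store.' }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
(Get-WebBinding -Name 'Default Web Site' -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')

# 4. Group Policy: the "Specify Work Folders settings" policy with "Force
#    automatic setup", written to the registry location the Work Folders ADMX
#    template uses (assumption based on that template).
$gpoName = 'Deploy Work Folders'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
    New-GPLink -Name $gpoName -Target 'OU=Marketing,DC=adatum,DC=com' | Out-Null
}
$key = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'SyncUrl' -Type String -Value 'https://lon-dc1.adatum.com' | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'AutoProvision' -Type DWord -Value 1 | Out-Null
Write-Output 'Work Folders server and policy configured. Run gpupdate /force on LON-CL1 and sign in as adatum\adam.'
```

With the device policies enabled, a device that cannot meet them (for example, one whose user refuses the lock-screen password) is refused by the sync share rather than silently receiving an unencrypted copy of the data, which is the behaviour a practitioner wants outside a classroom lab.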



Lesson 3
Implementing cloud data access
Contents:
Question and Answers 7
Demonstration: Configuring OneDrive for Business 7

Question and Answers


Question: Administrators can manage the content stored in both OneDrive and OneDrive for Business,
provided the computer is joined to a domain.

( ) True

( ) False

Answer:

( ) True

(√) False

Feedback: Administrators cannot manage content in OneDrive. Because OneDrive is a
consumer-based service, it does not allow any delegated management.

Demonstration: Configuring OneDrive for Business


Demonstration Steps
Configure the OneDrive client
1. On LON-CL2, run odopen://sync?useremail=Adam@yourdomain.onmicrosoft.com and sign in as
adam by using Pa55w.rd as the password.

2. Accept the default settings as you configure the OneDrive client.

3. View the contents of the OneDrive folder in File Explorer.

Verify Synchronization
1. On LON-CL2, in File Explorer, create a new Word document named LocalDoc.
2. Open LocalDoc, add the text Local Content, and save the changes.

3. Use Microsoft Edge to open https://login.microsoftonline.com and sign in as
Adam@yourdomain.onmicrosoft.com by using a password of Pa55w.rd.
4. Browse to OneDrive and edit LocalDoc.docx in the browser.
5. Add a new line with the text Cloud Content.

6. In File Explorer, open LocalDoc and verify that Cloud Content has been added.

Share a file
1. On LON-CL2, in File Explorer, Share the file LocalDoc.docx with Abbi Skinner and allow her to edit
the file.

2. Use the Share dialog box for LocalDoc.docx to Manage Access and verify the permissions assigned
to Abbi Skinner.

Lesson 4
Publishing and using RemoteApp programs
Contents:
Question and Answers 9
Demonstration: Creating a session collection and publishing RemoteApp programs 9

Question and Answers


Question: Which methods can you use to access RemoteApp programs?

Answer: You can access RemoteApp programs by using RD Web Access or RemoteApp and
Desktop Connections. Older implementations of RemoteApp allowed you to distribute .rdp files
and .msi files to access RemoteApp programs, but those methods are no longer supported.

Demonstration: Creating a session collection and publishing RemoteApp programs
Demonstration Steps

Create a session collection


1. On LON-SVR1, use Server Manager to remove QuickSessionCollection.

2. Create a new session collection with the following configuration:

o Name: RemoteApp Collection

o RD Session Host Server: LON-SVR1.Adatum.com


o User Groups: ADATUM\Domain Users

o User Profile Disks: Not enabled

Publish RemoteApp programs


1. On LON-SVR1, use Server Manager to view RemoteApp Collection.

2. In RemoteApp Collection, publish the following RemoteApp programs:


o Calculator

o Paint

o WordPad

Review RDS certificates


1. On LON-SVR1, use Server Manager to edit the deployment properties in the COLLECTIONS area and
view the configuration of Certificates.

Connect to RD Web Access


1. On LON-CL1, use Microsoft Edge to open https://lon-svr1.adatum.com/rdweb.

2. When notified that the site is not secure, expand More information and select Go on to the
webpage (not recommended).
3. Sign in as Adatum\Adam with a password of Pa55w.rd.

4. Open Paint and select Don’t ask me again for remote connections from this publisher.

5. When you receive a prompt, sign in as Adatum\Adam by using a password of Pa55w.rd.
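The following PowerShell is an added example for the demonstration above; it is not part of the course. It performs the collection, publishing and certificate steps on LON-SVR1 with the RemoteDesktop module, and adds two settings a practitioner would not leave to defaults: published programs refuse client-supplied command-line arguments, and the same trusted certificate is assigned to every RDS role, which is what removes the "site is not secure" warning in the demonstration. The certificate path is an assumption.

```powershell
# Added example; not the course's code. The RDS part of the demonstration as a
# script, run on LON-SVR1, which is both connection broker and session host.
# The certificate path is an assumption.
Import-Module RemoteDesktop
$Broker     = 'LON-SVR1.Adatum.com'
$Collection = 'RemoteApp Collection'

# Replace the quick-start collection with one that publishes only what we choose.
$existing = Get-RDSessionCollection -ConnectionBroker $Broker -ErrorAction SilentlyContinue
if ($existing | Where-Object CollectionName -eq 'QuickSessionCollection') {
    Remove-RDSessionCollection -CollectionName 'QuickSessionCollection' -ConnectionBroker $Broker -Force
}
if (-not ($existing | Where-Object CollectionName -eq $Collection)) {
    New-RDSessionCollection -CollectionName $Collection -SessionHost $Broker -ConnectionBroker $Broker | Out-Null
}
# Only Domain Users may connect; user profile disks stay disabled, as in the demo.
Set-RDSessionCollectionConfiguration -CollectionName $Collection -UserGroup 'ADATUM\Domain Users' -ConnectionBroker $Broker

# Publish by full path, and refuse command-line arguments from the client so a
# crafted .rdp file cannot pass extra parameters to the published program.
$apps = @{
    'Calculator' = 'C:\Windows\System32\calc.exe'
    'Paint'      = 'C:\Windows\System32\mspaint.exe'
    'WordPad'    = 'C:\Program Files\Windows NT\Accessories\wordpad.exe'
}
foreach ($name in $apps.Keys) {
    New-RDRemoteApp -CollectionName $Collection -DisplayName $name -FilePath $apps[$name] `
        -CommandLineSetting DoNotAllow -ConnectionBroker $Broker | Out-Null
}
Get-RDRemoteApp -CollectionName $Collection -ConnectionBroker $Broker | Format-Table DisplayName, FilePath, CommandLineSetting

# One trusted certificate for every role in use. Without it RD Web Access warns
# the user (as in the demo) and RemoteApp and Desktop Connection cannot verify
# the signed feed, so the programs never appear on the Start menu.
$PfxPath     = 'C:\Certs\lon-svr1.adatum.com.pfx'   # assumption: issued by the ADATUM CA
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
foreach ($role in 'RDPublishing', 'RDWebAccess', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPassword -ConnectionBroker $Broker -Force
}
Get-RDCertificate -ConnectionBroker $Broker | Format-Table Role, Level, ExpiresOn
```

After the certificate is assigned, repeat the RD Web Access connection from LON-CL1: the browser should open https://lon-svr1.adatum.com/rdweb without the warning, and the Level column reported by Get-RDCertificate should read Trusted for each role.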



Module Review and Takeaways


Best Practices
• Consider using cloud-based storage solutions to reduce your storage and maintenance costs.
• Allow use of Work Folders to users who need on-premises data synchronization.
• Explain to your users that they should not store business data in the consumer OneDrive
service, which is outside administrative control, as opposed to OneDrive for Business.
• Use Web Application Proxy to publish Work Folders rather than exposing the file server directly
to the Internet.

Review Questions
Question: Can you access Work Folders content on a computer without network connectivity?

Answer: A computer that supports Work Folders creates a local copy of Work Folders content. If
network connectivity is not available, you still will be able to access and modify a local copy.
When network connectivity is restored, local changes will synchronize transparently with the
Work Folder content on the file server.
Question: How are Work Folders and OneDrive for Business different?

Answer: Both Work Folders and OneDrive for Business provide similar remote access for mobile
users. However, OneDrive for Business has the following benefits that are not available in Work
Folders:
• Does not require on-premises infrastructure.
• Automatic versioning.
• Recycle bin for recovering deleted items.
• High availability across data centers.
• Files On-Demand to control caching of files.
• File sharing.

Common Issues and Troubleshooting Tips


Common Issue: Work Folders sync cannot be configured on client computers.
Troubleshooting Tip:
• Verify that the certificate on the server side is valid and trusted.
• Verify whether the user is in the group that is allowed to use Work Folders.
• Verify that the Work Folders server is available.

Lab Review Questions and Answers


Lab A: Implementing and using Work Folders
Question and Answers
Question: Can a user access the same Work Folders from both domain devices and workgroup devices?

Answer: Yes. Users can access the same Work Folders from all devices, regardless of their domain
membership. The user account is the most important factor. If users access Work Folders by using
the same domain credentials from their devices, they will access the same content.
Question: Can you access Work Folders content from a device that does not support Work Folders?

Answer: No, you can connect to Work Folders only from devices that support Work Folders.
However, you can create an SMB share that points to the same folder on a Windows Server 2012
R2 file server. This would enable users to access the content from any device from which you can
connect to a shared folder.

Lab B: Managing Data Access by Using OneDrive

Question and Answers


Question: Can you share files in OneDrive for Business with people outside your organization?

Answer: Yes, you can share files with specific people outside your organization if they have an
Azure AD or Microsoft Account. You can also share files with all users. Both of these options are
allowed by default, but an administrator can restrict them.

Question: When you delete a file stored in OneDrive for business by using File Explorer, is it recoverable
from the OneDrive recycle bin?

Answer: Files deleted in OneDrive for Business are available for recovery in the recycle bin
whether they are deleted by using File Explorer or by using the OneDrive web interface.

Lab C: Publishing and using RemoteApp programs

Question and Answers


Question: Why is it important to use a trusted certificate for RemoteApp?

Answer: If you don’t use a trusted certificate, clients will be presented with warnings when they
use RD Web Access and RemoteApp programs. Also, without a trusted certificate, it is not
possible to integrate RemoteApp programs in the Start menu by using RemoteApp and Desktop
Connection.
Question: How does the user experience differ when SSO is enabled for RemoteApp programs?

Answer: When SSO is enabled for RemoteApp programs, users can click a RemoteApp program
in RD Web Access and have it start without any prompts. Without SSO, the users are prompted to
sign in again, which is an annoyance for the users.

Module 11
Configuring and managing Client Hyper-V
Contents:
Lesson 1: Installing and configuring Client Hyper-V 2

Lesson 2: Configuring virtual switches 7


Lesson 3: Creating and managing virtual hard disks 10

Lesson 4: Creating and managing VMs 14

Module Review and Takeaways 19


Lab Review Questions and Answers 20

Lesson 1
Installing and configuring Client Hyper-V
Contents:
Question and Answers 3
Resources 5
Demonstration: Installing Client Hyper-V 5

Question and Answers


Question: In which Windows 10 editions can you use Client Hyper-V? Select all that apply.

( ) Windows 10 Home
( ) Windows 10 Pro

( ) Windows 10 S

( ) Windows 10 Enterprise
( ) Windows 10 Education

Answer:

( ) Windows 10 Home
(√) Windows 10 Pro

( ) Windows 10 S

(√) Windows 10 Enterprise


(√) Windows 10 Education

Feedback: You can enable and use the Client Hyper-V feature in the Pro, Enterprise, and
Education editions of Windows 10. You cannot enable Client Hyper-V in Windows 10 Home or in
Windows 10 S.

Question: You can use Client Hyper-V for running Windows Server 2016 on a Windows 10 computer.
( ) True

( ) False

Answer:
(√) True
( ) False

Feedback: You can run an operating system, regardless of whether it is a server or client
operating system, in a Client Hyper-V VM.
Question: You can install Client Hyper-V by using the Windows PowerShell cmdlet Install-WindowsFeature.
( ) True

( ) False

Answer:

( ) True

(√) False

Feedback: The Install-WindowsFeature cmdlet is available only in Windows Server operating


systems. It is not available in Windows 10.

Overview of Client Hyper-V


Question: Can you run two VMs with the same name and TCP/IP network settings in the same Client
Hyper-V environment?

Answer: Yes. You can run multiple VMs with the same name and same TCP/IP settings in the
same Client Hyper-V environment without conflict. Each VM is isolated from others and from the
Windows 10 computer. Therefore, no conflict will exist if operating systems in VMs are
configured with the same settings.

Question: How can you use multiple operating systems on a Windows 10 computer simultaneously?
Answer: You can use multiple operating systems on a Windows 10 computer simultaneously by
installing the Client Hyper-V feature. With this feature, you can create multiple VMs, install a
different operating system in each VM, and then use them all at the same time.

How to Install Client Hyper-V


Question: Can members of the Hyper-V Administrators group install the Client Hyper-V feature on a
Windows 10 computer?

Answer: No, members of the Hyper-V Administrators group cannot install the Client Hyper-V
feature on a Windows 10 computer. They can manage Client Hyper-V, but you require
administrative permissions in Windows 10 to install any Windows 10 feature, including Client
Hyper-V.

Question: Which Windows PowerShell cmdlet can you use to install the Client Hyper-V feature in
Windows 10?
Answer: You use the Enable-WindowsOptionalFeature cmdlet to install Client Hyper-V in
Windows 10.

What is nested virtualization?


Question: Can you enable nested virtualization in Hyper-V Manager? If so, what are the prerequisites for
enabling nested virtualization?
Answer: No, you can enable nested virtualization only in Windows PowerShell by using the
Set-VMProcessor cmdlet.

Question: Can you modify the amount of memory that a VM with enabled nested virtualization can use
while that VM is running?

Answer: No. You can modify the amount of memory that a VM can use while a VM is running
only if nested virtualization is not enabled. As soon as you enable nested virtualization for a VM,
you will get an error if you try to change the amount of memory while the VM is running.

Client Hyper-V settings


Question: By default, how many VMs that are running on Windows 10 Enterprise can you move
simultaneously without any downtime?

Answer: Windows 10 does not support live migration, which means that you cannot move any
running VMs from or onto a Windows 10 computer.

Question: You want Adam to manage VMs that are running on Windows 10. However, you also want to
grant him minimal required permissions. In which group should you add him?
Answer: If you want to grant a user the ability to manage VMs on Windows 10 but you do not
want to give them any unnecessary permissions, you should add them to the Hyper-V
Administrators group.

Managing Client Hyper-V by using Windows PowerShell


Question: What must you do to administer Client Hyper-V by using Windows PowerShell?
Answer: You most likely installed the Hyper-V module for Windows PowerShell already when
you installed the Client Hyper-V role. In that case, you can start using Windows PowerShell for
administering Client Hyper-V. If you want to administer Client Hyper-V from a remote computer,
you must first enable the Hyper-V module for Windows PowerShell feature.

Question: Which cmdlet can you use to verify if nested virtualization is enabled for a VM named VM1?
And which cmdlet can you use to modify the settings of a Windows 10 Client Hyper-V host?
Answer: To verify that nested virtualization is enabled for VM1, you can run the
Get-VMProcessor VM1 | fl Windows PowerShell command, and then look at the value of the
ExposeVirtualizationExtensions property. If you want to modify a property of the Client
Hyper-V host, you can run the Set-VMHost cmdlet.

Resources
What is nested virtualization?

Additional Reading: To read more about nested virtualization, refer to: “Run Hyper-V in a
Virtual Machine with Nested Virtualization” at https://aka.ms/dx4dmq.

Demonstration: Installing Client Hyper-V


Demonstration Steps
1. On LON-CL1, run the Get-Command cmdlet with the -Module parameter and point out that no
cmdlets from the Hyper-V module are currently available.
2. Try to install the Hyper-V Windows feature with all components.

Note: You cannot install Hyper-V Platform feature because LON-CL1 does not meet the
prerequisites for installing Client Hyper-V.

3. On the physical host computer, enable nested virtualization for LON-CL1 by running the following
cmdlet:

Set-VMProcessor 20697-2C-LON-CL1 -ExposeVirtualizationExtensions $true

Note: You will get an error because LON-CL1 is running and you can enable nested
virtualization only if the VM is turned off.

4. Shut down LON-CL1.


5. Enable nested virtualization for LON-CL1 by running the Windows PowerShell Set-VMProcessor
cmdlet.
6. Configure LON-CL1 with 4096 megabytes (MB) of memory.

7. Start LON-CL1, and then sign in as Adatum\Administrator using Pa55w.rd as the password.

8. Install the Hyper-V Windows feature with all components, and then restart LON-CL1 when needed.
9. Sign in to LON-CL1 as Adatum\Administrator using Pa55w.rd as the password.

10. Use the Get-Command cmdlet with the -Module Hyper-V parameter, and point out that many
cmdlets from the Hyper-V module are now available.
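The demonstration above, together with the Enable-WindowsOptionalFeature and Get-VMProcessor answers in this lesson, as an added Windows PowerShell example that is not part of the course material. The VM name 20697-2C-LON-CL1 is the one the demonstration uses; the guest part runs inside LON-CL1 and the host part on the physical Hyper-V host.

```powershell
# Added example: prerequisite check, feature install and nested-virtualization
# enablement for Client Hyper-V, following the demonstration steps.

function Test-ClientHyperVPrerequisites {
    # Get-ComputerInfo exposes the same four "Hyper-V Requirements" that
    # systeminfo.exe prints. A hypervisor that is already present passes.
    $info = Get-ComputerInfo
    if ($info.HyperVisorPresent) { return $true }
    $checks = @{
        'VM Monitor Mode Extensions'         = $info.HyperVRequirementVMMonitorModeExtensions
        'Virtualization enabled in firmware' = $info.HyperVRequirementVirtualizationFirmwareEnabled
        'Second Level Address Translation'   = $info.HyperVRequirementSecondLevelAddressTranslation
        'Data Execution Prevention'          = $info.HyperVRequirementDataExecutionPreventionAvailable
    }
    $missing = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
    foreach ($m in $missing) { Write-Warning "Missing prerequisite: $($m.Key)" }
    return ($missing.Count -eq 0)
}

function Install-ClientHyperV {
    # Install-WindowsFeature exists only on Windows Server; Windows 10 uses the
    # DISM cmdlets. Microsoft-Hyper-V-All covers the platform, the management
    # tools and the Hyper-V module for Windows PowerShell.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
    if ($feature.State -eq 'Enabled') { return 'AlreadyEnabled' }
    if (-not (Test-ClientHyperVPrerequisites)) {
        throw 'This computer does not meet the Client Hyper-V prerequisites.'
    }
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All -NoRestart
    if ($result.RestartNeeded) { return 'RestartNeeded' }
    return 'Enabled'
}

function Enable-NestedVirtualization {
    # Run on the physical host. Nested virtualization needs configuration
    # version 8.0 or later and a VM that is turned off.
    param(
        [Parameter(Mandatory)][string]$VMName,
        [long]$MemoryBytes = 4GB
    )
    $vm = Get-VM -Name $VMName
    if ([version]$vm.Version -lt [version]'8.0') {
        throw "$VMName has configuration version $($vm.Version); run Update-VMVersion first."
    }
    if ($vm.State -ne 'Off') {
        # Set-VMProcessor is rejected while the VM runs (demonstration step 3).
        Stop-VM -Name $VMName
    }
    # Memory cannot be changed at run time once nested virtualization is on,
    # so size the VM now, with Dynamic Memory disabled.
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false -StartupBytes $MemoryBytes
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
    Start-VM -Name $VMName
    # Same check as 'Get-VMProcessor VM1 | fl' in the lesson's question.
    return (Get-VMProcessor -VMName $VMName).ExposeVirtualizationExtensions
}

function Get-HyperVCmdletCount {
    # Demonstration steps 1 and 10: zero before the feature is enabled, many after.
    return @(Get-Command -Module Hyper-V).Count
}

# Host side (physical computer), then guest side (inside LON-CL1) after a restart:
# Enable-NestedVirtualization -VMName '20697-2C-LON-CL1'
# Install-ClientHyperV; Get-HyperVCmdletCount
```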

Lesson 2
Configuring virtual switches
Contents:
Question and Answers 8
Demonstration: Configuring virtual switches 9

Question and Answers


Question: When you create an internal virtual switch, you will get an additional network connection in
Windows 10.

( ) True

( ) False

Answer:

(√) True

( ) False

Feedback: When you create an internal virtual switch, an additional network adapter is added to
Windows 10. This adapter is connected to the internal virtual switch, and it is configured to
obtain an IP address automatically.

Question: You can connect an external virtual switch only to an Ethernet network adapter.
( ) True

( ) False
Answer:
( ) True

(√) False

Feedback: You can connect external virtual switches to both an Ethernet network adapter and a
wireless network adapter.

Types of virtual switches


Question: You have a Windows 10 laptop with one Ethernet adapter and one wireless adapter. How
many external virtual switches can you create on the laptop after you enable the Client Hyper-V feature?
Answer: Each external virtual switch must be connected to a different Ethernet or wireless
adapter. Because you have a laptop with two such adapters, you can create two external virtual
switches.
Question: You have a Windows 10 laptop with one Ethernet adapter and one wireless adapter. How
many internal virtual switches can you create on the laptop after you enable the Client Hyper-V feature?

Answer: Internal virtual switches do not require any network adapter on a Windows 10 computer,
so you can create as many internal virtual switches as you want.

Advanced settings for virtual switches


Question: Where can you configure advanced virtual switch settings?
Answer: You can configure several advanced virtual switch settings in the Advanced Features
settings section for the VM network adapter. You can configure certain advanced settings by
using Windows PowerShell only.

Question: Should you enable DHCP guard protection on each VM that you want to protect from
obtaining TCP/IP configuration from the unauthorized DHCP server?

Answer: No. You should enable DHCP guard protection only on VMs in which the (potentially)
unauthorized DHCP server is installed. When you enable DHCP guard protection on a VM, DHCP
in the VM cannot provide TCP/IP settings to other systems on the network. DHCP guard
protection settings have no effect on whether the VM can obtain TCP/IP settings.

Demonstration: Configuring virtual switches


Demonstration Steps
1. On LON-CL1, use Hyper-V Manager to show students that one virtual switch named Default Switch
is available in Client Hyper-V by default.

2. Point out that two network connections are present on LON-CL1.


3. In Hyper-V Manager, create a private virtual switch, and name it Private Switch. Point out that you
cannot configure the virtual local area network (VLAN) ID for the private switch.

4. Point out that there are still two network connections on LON-CL1. Explain that no additional
connection is added in Windows 10 when you create the private virtual switch.

5. In Hyper-V Manager, create an internal virtual switch, and name it Internal Switch. Point out to the
students that you can configure VLAN ID for the internal switch.
6. Point out that there are three network connections on LON-CL1. Explain that an additional
connection is added when you create the internal virtual switch and that this connection can provide
connectivity between VMs and a physical Windows 10 computer.

7. In Hyper-V Manager, create an additional internal virtual switch and name it Internal Switch 2.
8. In Hyper-V Manager, create an external virtual switch, and name it External Switch. Point out that
one network adapter is listed in the External network drop-down list, and that you can configure the
VLAN ID for the external switch.
9. Point out that now there are five network connections on LON-CL1, and that one of them is named
vEthernet (External Switch).
10. Try to create an additional external switch and name it External Switch 2. Point out that this time an
error occurs because you can only have as many external virtual switches as there are network
adapters in Windows 10.
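The switch demonstration above and the DHCP guard question under Advanced settings for virtual switches, as an added Windows PowerShell example that is not part of the course material. Switch names are the demonstration's; DHCP1 is a constructed name for a VM that is supposed to run a DHCP server.

```powershell
# Added example: create the demonstration's switches with the Hyper-V module,
# hit the external-switch limit deliberately, and apply DHCP guard per VM adapter.

function New-DemoSwitches {
    # Private and internal switches bind no physical adapter, so any number can
    # exist. Only the internal ones add a 'vEthernet (...)' connection to Windows 10.
    $wanted = @(
        @{ Name = 'Private Switch';    Type = 'Private'  }
        @{ Name = 'Internal Switch';   Type = 'Internal' }
        @{ Name = 'Internal Switch 2'; Type = 'Internal' }
    )
    foreach ($sw in $wanted) {
        if (-not (Get-VMSwitch -Name $sw.Name -ErrorAction SilentlyContinue)) {
            New-VMSwitch -Name $sw.Name -SwitchType $sw.Type | Out-Null
        }
    }
    # Host-side connections created by the internal switches (demonstration step 6).
    Get-NetAdapter | Where-Object Name -like 'vEthernet*' | Select-Object Name, Status
}

function New-ExternalSwitchIfPossible {
    # Each external switch consumes one physical adapter (Ethernet or wireless);
    # this is the error the demonstration hits at step 10.
    param([Parameter(Mandatory)][string]$Name)
    $inUse = @(Get-VMSwitch -SwitchType External).NetAdapterInterfaceDescription
    $free = Get-NetAdapter -Physical |
        Where-Object { $_.Status -eq 'Up' -and $_.InterfaceDescription -notin $inUse } |
        Select-Object -First 1
    if (-not $free) {
        throw "No unbound physical adapter left; cannot create external switch '$Name'."
    }
    New-VMSwitch -Name $Name -NetAdapterName $free.Name -AllowManagementOS $true
}

function Set-DhcpGuardPolicy {
    # DHCP guard drops DHCP *server* replies sent by a VM; it never stops the VM
    # from obtaining its own lease. So the safe default is On for every VM
    # adapter and Off only for VMs that are supposed to serve DHCP.
    param([string[]]$AuthorizedDhcpServerVMs = @('DHCP1'))
    foreach ($nic in Get-VMNetworkAdapter -VMName *) {
        $guard = if ($nic.VMName -in $AuthorizedDhcpServerVMs) { 'Off' } else { 'On' }
        $nic | Set-VMNetworkAdapter -DhcpGuard $guard
    }
}

function Get-DhcpGuardReport {
    # Adapters that can still answer DHCP requests show DhcpGuard = Off.
    Get-VMNetworkAdapter -VMName * |
        Select-Object VMName, Name, SwitchName, DhcpGuard, RouterGuard
}

# New-DemoSwitches
# New-ExternalSwitchIfPossible -Name 'External Switch'
# New-ExternalSwitchIfPossible -Name 'External Switch 2'   # throws on a one-adapter host
# Set-DhcpGuardPolicy; Get-DhcpGuardReport
```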

Lesson 3
Creating and managing virtual hard disks
Contents:
Question and Answers 11
Demonstration: Creating a virtual hard disk 12

Question and Answers


Question: You can convert between the VHD, VHDX, and VHD Set virtual hard disk formats.

( ) True
( ) False

Answer:

( ) True
(√) False

Feedback: You cannot convert to or from the VHD Set format. You can specify it only when you
create a new virtual hard disk. You can convert only between the VHD and VHDX virtual hard
disk formats.

Question: If you want to increase the size of a VHD virtual hard disk from 1 TB to 3 TB, you first must
convert it to the VHDX format.

( ) True

( ) False
Answer:

(√) True

( ) False

Feedback: Disks with the .vhd extension are limited to 2,040 GB. If you want to create a larger
virtual hard disk, you must use the VHDX format.

Question: You have a virtual hard disk that contains several files. You need to access those files. Which of
the following must you run first? (Select all answers that apply.)

( ) Hyper-V Manager

( ) Diskpart.exe

( ) Format.exe
( ) Disk Management

( ) File Explorer

Answer:

( ) Hyper-V Manager

(√) Diskpart.exe

( ) Format.exe

(√) Disk Management

(√) File Explorer

Feedback: To access files in a virtual hard disk, you must first attach the virtual hard disk. You can
attach a virtual hard disk by running diskpart.exe, Disk Management, or File Explorer.

Overview of disk formats


Question: Can you convert a 2,000 GB virtual hard disk that is in VHDX format to VHD format?

Answer: Yes, you can convert a virtual hard disk from the VHDX to the VHD format, but only if it
is smaller than 2,040 GB in size.

Question: Can you convert a virtual hard disk in the VHD format that is attached to a running VM to the
VHDX format while the VM is running?

Answer: No. Virtual hard disk conversion is an offline operation. You can convert virtual hard
disks only when they are not in use—when they are not attached to a VM or the VM is not
running.

Overview of disk types


Question: Can Client Hyper-V allocate more storage space to a differencing virtual hard disk than to the
parent disk to which it links?

Answer: Yes. A differencing virtual hard disk always links to a parent disk, which can be fixed size,
dynamically expanding, or another differencing virtual hard disk. When you link a differencing
virtual hard disk to a dynamically expanding or a differencing virtual hard disk, Client Hyper-V
can allocate the differencing virtual hard disk more space than the parent disk to which it links.
Question: Can you create a differencing virtual hard disk in the VHDX format, which has a virtual hard
disk in the VHD format as its parent?
Answer: No. A differencing virtual hard disk and its parent must be in the same format, either
VHD or VHDX.

Inspecting and editing a virtual hard disk


Question: Can you compact the virtual hard disk of a running VM?

Answer: Yes, you can compact a virtual hard disk of a running VM, but only if it is in VHDX
format and if it is connected to a SCSI controller. If these requirements are not met, you cannot
compact the virtual hard disk of the running VM.

Question: Can you use Edit Disk to edit a virtual hard disk in the VHD Set format?

Answer: Yes, you can use Edit Disk to edit a virtual hard disk in the VHD Set format. In this case,
Compact and Expand are the available options.

Demonstration: Creating a virtual hard disk


Demonstration Steps
1. On LON-CL1, use Hyper-V Manager to create a new virtual hard disk with the following settings:

o Format: VHDX

o Type: Dynamically expanding

o Name: Dynamic.vhdx

o Location: C:\VMs

o Size: 100 GB

2. Use Hyper-V Manager to create a new virtual hard disk with the following settings:

o Format: VHD
o Type: Differencing

o Name: Differencing.vhd

o Location: C:\VMs

o Parent: E:\Labfiles\Mod11\Base18A-W10-1709.vhd

3. In Windows PowerShell, use the New-VHD cmdlet to create a new virtual hard disk with the
following settings:

o Path: C:\VMs\Fixed.vhdx
o Size: 1 GB

o Type: Fixed size

4. In File Explorer, browse to the C:\VMs folder, and then point out that Fixed.vhdx allocates 1
gigabyte (GB) disk space, while Dynamic.vhdx and Differencing.vhd are allocated much less disk
space.

5. Use the Resize-VHD cmdlet to increase Fixed.vhdx (Disk 1) to 2 GB and Dynamic.vhdx (Disk 2) to
150 GB. You can achieve this by running the following two commands:

Resize-VHD C:\VMs\Fixed.vhdx -SizeBytes 2GB

Resize-VHD C:\VMs\Dynamic.vhdx -SizeBytes 150GB

6. Use File Explorer to point out the sizes of the Fixed.vhdx and Dynamic.vhdx virtual hard disks.

Note: While you extended Fixed.vhdx to 2 GB, the size of the Dynamic.vhdx has not
increased, because no additional data was written to it; it is still only 4 MB, even though you can
write 150 GB to it.
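The demonstration above, with the VHD size limit, offline-conversion and attach-to-access rules from this lesson's questions folded in, as an added Windows PowerShell example that is not part of the course material. Paths are the demonstration's; the parent disk is the lab file named in step 2.

```powershell
# Added example: the virtual hard disk demonstration with New-VHD, Get-VHD and
# Resize-VHD, plus guards for the rules the lesson's questions describe.

$VmDir       = 'C:\VMs'
$ParentVhd   = 'E:\Labfiles\Mod11\Base18A-W10-1709.vhd'
$VhdMaxBytes = 2040GB    # largest size the VHD format supports

function New-DemoDisks {
    New-Item -ItemType Directory -Path $VmDir -Force | Out-Null
    New-VHD -Path "$VmDir\Dynamic.vhdx" -SizeBytes 100GB -Dynamic | Out-Null
    # A differencing disk must use the same format as its parent (VHD here).
    New-VHD -Path "$VmDir\Differencing.vhd" -ParentPath $ParentVhd -Differencing | Out-Null
    New-VHD -Path "$VmDir\Fixed.vhdx" -SizeBytes 1GB -Fixed | Out-Null
}

function Get-DiskUsageReport {
    # Size is the capacity a VM sees; FileSize is what is really allocated on the
    # host, which is why Dynamic.vhdx stays at a few MB after Resize-VHD (step 6).
    Get-ChildItem -Path $VmDir -Include *.vhd, *.vhdx -Recurse |
        ForEach-Object { Get-VHD -Path $_.FullName } |
        Select-Object @{n='File';e={Split-Path $_.Path -Leaf}}, VhdFormat, VhdType,
            @{n='SizeGB';e={[math]::Round($_.Size / 1GB, 2)}},
            @{n='FileSizeMB';e={[math]::Round($_.FileSize / 1MB, 2)}}, Attached
}

function Resize-VhdSafely {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][long]$SizeBytes)
    $vhd = Get-VHD -Path $Path
    if ($vhd.VhdFormat -eq 'VHD' -and $SizeBytes -gt $VhdMaxBytes) {
        throw "VHD format tops out at 2,040 GB; convert $Path to VHDX first."
    }
    if ($vhd.Attached -and $vhd.VhdFormat -ne 'VHDX') {
        throw 'Only a VHDX attached to a SCSI controller can be resized while in use.'
    }
    Resize-VHD -Path $Path -SizeBytes $SizeBytes
    return (Get-VHD -Path $Path).Size
}

function Convert-VhdSafely {
    # Convert-VHD picks the target format from the destination extension.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$DestinationPath)
    $vhd = Get-VHD -Path $Path
    if ($vhd.VhdFormat -eq 'VHDSet') { throw 'VHD Set disks cannot be converted.' }
    if ($vhd.Attached) { throw 'Conversion is offline only; detach the disk or stop the VM first.' }
    $target = [System.IO.Path]::GetExtension($DestinationPath).TrimStart('.')
    if ($target -eq 'vhd' -and $vhd.Size -gt $VhdMaxBytes) {
        throw "A $([math]::Round($vhd.Size / 1GB)) GB disk does not fit the VHD format."
    }
    Convert-VHD -Path $Path -DestinationPath $DestinationPath
    return (Get-VHD -Path $DestinationPath).VhdFormat
}

function Get-VhdVolumes {
    # Attaching the disk (read-only here) is what makes its files reachable; the
    # GUI alternatives are Disk Management or double-clicking it in File Explorer.
    param([Parameter(Mandatory)][string]$Path)
    try {
        Mount-VHD -Path $Path -ReadOnly -Passthru | Get-Disk | Get-Partition | Get-Volume |
            Select-Object DriveLetter, FileSystem, SizeRemaining, Size
    } finally {
        Dismount-VHD -Path $Path
    }
}

# New-DemoDisks
# Resize-VhdSafely -Path "$VmDir\Fixed.vhdx" -SizeBytes 2GB
# Resize-VhdSafely -Path "$VmDir\Dynamic.vhdx" -SizeBytes 150GB
# Get-DiskUsageReport
```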

Lesson 4
Creating and managing VMs
Contents:
Question and Answers 15
Resources 17
Demonstration: Creating and modifying a VM 18

Question and Answers


Question: Which of the following hardware components can you use in Generation 2 VMs?

( ) BIOS
( ) IDE controller

( ) Network adapter

( ) Trusted Platform Module


( ) COM 1

Answer:

( ) BIOS
( ) IDE controller

(√) Network adapter

(√) Trusted Platform Module


( ) COM 1

Feedback: You can use a network adapter and Trusted Platform Module in Generation 2 VMs.
BIOS, IDE Controller and COM 1 are available only in Generation 1 VMs.
Question: Which of the following modifications can you perform on a running VM in Client Hyper-V on
Windows 10?
( ) Rename the VM

( ) Move virtual hard disk from volume C to volume D

( ) Modify amount of memory that the VM can use


( ) Add a legacy network adapter
( ) Enable Integration Services

Answer:

(√) Rename the VM

(√) Move virtual hard disk from volume C to volume D

(√) Modify amount of memory that the VM can use

( ) Add a legacy network adapter

(√) Enable Integration Services

Feedback: While a VM is running on Windows 10, you can always rename the VM, move the
virtual hard disk between the volumes, and enable Integration Services. You can also modify the
amount of memory that the VM can use, but only if the VM configuration version is 6.2 or higher.
You can never add a legacy network adapter to a running VM, but you could add a network
adapter to a running Generation 2 VM.

Types of VMs
Question: Can you convert a Generation 1 VM that has Windows 10 installed to a Generation 2 VM?
Answer: No. You can select the generation of a VM only when you create the VM, and you
cannot change it later. If you already have a Generation 1 VM, you cannot convert it to a
Generation 2 VM, regardless of the operating system that is installed on that VM.

Question: Can you add a DVD drive to Generation 2 VM?

Answer: Yes. However, in a Generation 1 VM, the DVD drive is connected to an IDE controller by
default. Generation 2 VMs do not support IDE controllers, and therefore a DVD drive is not
available in Generation 2 VMs by default. If you need a DVD drive, you can add it to a SCSI
controller in the Generation 2 VM.

VM configuration version
Question: You imported a VM from a Windows 8.1 computer. Can you enable nested virtualization for
that VM?

Answer: Yes. However, the VM was created on an older version of Client Hyper-V, which means
that its configuration data uses the configuration version 5.0. You can only enable nested
virtualization for VMs whose configuration version is 8.0 or higher, which means that you cannot
enable nested virtualization for the imported VM until you upgrade its configuration version.
Question: Can you create a VM that has the configuration version 5.0 on Windows 10 Client Hyper-V?

Answer: Yes, although if you create a VM by using Hyper-V Manager, by default, the VM will
have the configuration version 8.2. If you create a VM by using the New-VM cmdlet, you can
specify the Version parameter (such as 5.0), which defines the configuration version for the VM. If
you don’t specify the Version parameter, the VM will use the highest available configuration
version, which is 8.2.

VM security
Question: Can you use vTPM in Generation 1 VMs? Can you use BitLocker to protect the C: partition in
Generation 1 VMs?

Answer: No, you can use vTPM only in Generation 2 VMs. But you can use BitLocker Drive
Encryption to protect the C: partition in Generation 1 VMs. To do that, you must configure the
BitLocker settings in Group Policy.

Question: Can you protect data in a VM that is running Linux by enabling BitLocker on a Windows 10
Client Hyper-V computer?
Answer: Yes, you can protect data in any VM, regardless of its operating system, by enabling
BitLocker on the Windows 10 Client Hyper-V computer. BitLocker helps protect VM data provided that
it is stored locally. If you export the VM and import it on a different physical computer, it
won’t be protected by BitLocker any longer.

Modifying VM settings
Question: Do you always need to turn off a VM before you can modify its settings?

Answer: It depends on the modification that you want to perform. For example, if you want to
rename a VM, connect it to a different virtual switch, or add a virtual hard disk to the SCSI
controller, you can complete these actions while the VM is running. However, if you want to add
a virtual hard disk to an IDE controller or increase the memory that is available to the VM, you
must first shut down the VM.
Question: Can you add a network adapter to a running VM or connect a network adapter to a virtual
switch while the VM is running?
Answer: You can add a network adapter to a running Generation 2 VM. However, if it is a
Generation 1 VM, you cannot add or remove a network adapter while the VM is running.

You can connect an existing VM network adapter to a virtual switch while the VM is running.

What are integration services?


Question: If you want to copy a file to a VM by using the Copy-VMFile cmdlet, do you need to install
Integration Services in a Windows 10 VM?

Answer: No. Windows 10 includes Integration Services, and you do not need to install it if
Windows 10 is running in the VM. However, you must enable the Guest integration service for
the VM because this service is not enabled by default and is required to copy a file to the VM by
using the Copy-VMFile cmdlet.

Managing checkpoints
Question: Which checkpoint requires more space: a standard checkpoint of a running VM or a
production checkpoint of a running VM?

Answer: The standard checkpoint of a running VM because it includes memory content, whereas
there is no memory content for a production checkpoint. When comparing the checkpoint size,
the standard checkpoint of a running VM will be larger than the production checkpoint of the
same VM. But when you apply a production checkpoint, the VM will go through startup process.
However, applying a standard checkpoint will return the VM to the same state as it was in when
you took the checkpoint.
Question: Can you modify the configuration of a VM checkpoint if you created that checkpoint when the
VM was turned off?

Answer: You can never modify a VM configuration in a checkpoint, regardless of whether the
VM was running or turned off when you created the checkpoint. Checkpoints contain a VM
configuration from the past, which you cannot modify.

How does storage migration work?


Question: Can you use storage migration to move virtual hard disks only?

Answer: No, you can use storage migration to move any VM data files. Virtual hard disks are
usually the largest VM data files, but you can also use storage migration to move checkpoints,
current configuration, and smart paging files.

Question: Do you need to be a local administrator to use the Move Wizard?

Answer: No, you do not need to be a local administrator. You only need to be a member of the
Hyper-V Administrators group to be able to use the Move Wizard.

Resources
VM configuration version

Additional Reading: To read more about VM configuration versions, refer to “Upgrade
virtual machine version in Hyper-V on Windows 10 or Windows Server 2016” at
https://aka.ms/j14tr5.

What are integration services?

Additional Reading: For more information about Hyper-V Integration Services, refer to
“Manage Hyper-V Integration Services” at https://aka.ms/h2a2tl.

Demonstration: Creating and modifying a VM


Demonstration Steps
1. On LON-CL1, use Hyper-V Manager to create a new VM with the following settings:

o Name: VM1

o Generation: Generation 1

o Startup memory: 1024 MB

o Use Dynamic Memory: Disabled

o Connection: External Switch

o Virtual hard disk: C:\VMs\Differencing.vhd

2. Start VM1, and point out that the VM1 checkpoint is created automatically.

3. While the VM1 is running, add the C:\VMs\Fixed.vhdx virtual hard disk to its SCSI controller, and
increase its memory to 1500 MB.

Note: Point out that you were able to add the virtual hard disk and modify the amount of
memory while VM1 was running.

4. Use Hyper-V Manager to create a new VM with the following settings:

o Name: VM2

o Generation: Generation 2
o Startup Memory: 512 MB
5. Enable Trusted Platform Module (TPM) for VM2 and point out that this option is available only for
Generation 2 VMs.
6. Start VM2 and point out that a checkpoint of VM2 is created automatically.
7. While VM2 is running, add a network adapter to VM2 and connect it to the Private Switch.

8. Turn off VM2 and point out that its automatically created checkpoint was deleted.

9. On LON-CL1, connect to VM1 and use a display configuration of 800 x 600 pixels.

10. On VM1, sign in as Admin and use Pa55w.rd as the password.

11. On VM1, use Disk Management to point out that VM1 has two disks.

12. Create a simple volume with the maximum size on Disk 1 and format it with NTFS.

13. Point out that the volume on Disk 1 has a size of 2 GB and that there is no unallocated space on the disk.

14. On LON-CL1, use the Resize-VHD cmdlet to increase Disk 1 to 3 GB. You can achieve this by running
the following cmdlet:

Resize-VHD C:\VMs\Fixed.vhdx -SizeBytes 3GB

15. On VM1, point out that 1 GB of unallocated space is added to Disk 1. Explain that you extended the
disk while it was in use.

16. Extend volume E: to the whole of Disk 1.
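The demonstration above, with the generation and configuration-version rules from this lesson's questions (runtime memory change needs version 6.2, nested virtualization needs 8.0, vTPM and hot-added network adapters need Generation 2, Guest Service Interface for Copy-VMFile) checked before each runtime change, as an added Windows PowerShell example that is not part of the course material. VM names, switch names and paths are the demonstration's.

```powershell
# Added example: VM1 and VM2 from the demonstration built with the Hyper-V
# module, plus a capability check derived from the VM's generation and version.

function Get-VMRuntimeCapability {
    param([Parameter(Mandatory)][string]$VMName)
    $vm  = Get-VM -Name $VMName
    $ver = [version]$vm.Version
    [pscustomobject]@{
        VMName               = $vm.Name
        Generation           = $vm.Generation
        ConfigurationVersion = $vm.Version
        HotAddNetworkAdapter = ($vm.Generation -eq 2)   # Gen 1 cannot add NICs while running
        LegacyNetworkAdapter = ($vm.Generation -eq 1)   # Gen 1 only, and never while running
        VirtualTPM           = ($vm.Generation -eq 2)
        HotResizeMemory      = ($ver -ge [version]'6.2')
        NestedVirtualization = ($ver -ge [version]'8.0')
    }
}

function New-DemoVMs {
    New-VM -Name VM1 -Generation 1 -MemoryStartupBytes 1024MB `
        -SwitchName 'External Switch' -VHDPath 'C:\VMs\Differencing.vhd' | Out-Null
    Set-VMMemory -VMName VM1 -DynamicMemoryEnabled $false
    # A SCSI controller is the target for the hot-added disk later; adding a
    # controller itself requires the VM to be off, so do it now.
    if (-not (Get-VMScsiController -VMName VM1)) { Add-VMScsiController -VMName VM1 }

    New-VM -Name VM2 -Generation 2 -MemoryStartupBytes 512MB -NoVHD | Out-Null
    if ((Get-VMRuntimeCapability -VMName VM2).VirtualTPM) {
        # vTPM needs a key protector first; a local one is enough on a
        # stand-alone Windows 10 host without a Host Guardian Service.
        Set-VMKeyProtector -VMName VM2 -NewLocalKeyProtector
        Enable-VMTPM -VMName VM2
    }
}

function Invoke-DemoRuntimeChanges {
    Start-VM -Name VM1, VM2
    # Step 3: a SCSI disk can be hot-added to either generation; memory only
    # if the configuration version allows it.
    Add-VMHardDiskDrive -VMName VM1 -ControllerType SCSI -Path 'C:\VMs\Fixed.vhdx'
    if ((Get-VMRuntimeCapability -VMName VM1).HotResizeMemory) {
        Set-VMMemory -VMName VM1 -StartupBytes 1500MB
    } else {
        Write-Warning 'VM1 configuration version is below 6.2; stop it before resizing memory.'
    }
    # Step 7: a network adapter can be hot-added only to a Generation 2 VM.
    if ((Get-VMRuntimeCapability -VMName VM2).HotAddNetworkAdapter) {
        Add-VMNetworkAdapter -VMName VM2 -SwitchName 'Private Switch' -Name 'Private NIC'
    } else {
        Write-Warning 'VM2 is Generation 1; stop it before adding a network adapter.'
    }
    # Copy-VMFile needs the Guest Service Interface, which is off by default.
    Enable-VMIntegrationService -VMName VM1 -Name 'Guest Service Interface'
}

# New-DemoVMs
# Invoke-DemoRuntimeChanges
# Get-VMRuntimeCapability -VMName VM1; Get-VMRuntimeCapability -VMName VM2
```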



Module Review and Takeaways


Question: Why would you deploy Client Hyper-V to a Windows client computer in a corporate
environment?

Answer: Users are then able to use Client Hyper-V to work with VMs based on Hyper-V for
troubleshooting and testing purposes. They also can use it as an isolated test environment or for
running multiple operating systems on the same computer.

Question: Why will you not be able to use VM checkpoints for backup and disaster recovery?

Answer: Checkpoints enable you to apply older point-in-time snapshots to a VM. However,
checkpoints depend on VM files, and if those files are not available, you cannot use checkpoints
even if checkpoint files are still available. Therefore, if the physical disk on which a VM stores files
fails, you will not be able to recover the VM by using checkpoint files.

Question: Can you create a standard checkpoint of a VM that is turned off?


Answer: Yes, you can create a standard checkpoint of the VM provided it is not in a paused state.
If you create a standard checkpoint of a VM that is in the off state, it will be smaller in size than
the standard checkpoint of a running VM because the checkpoint will not contain VM memory.

Question: When you open Windows PowerShell and run the New-VM cmdlet to create a new VM, you
get an error stating that New-VM is not recognized as the name of a cmdlet. What could be the most
probable reason for such an error?
Answer: New-VM is one of the cmdlets in the Hyper-V module for Windows PowerShell. The
most probable reason for the error is that the Hyper-V module is not available on the computer.
If you want to use the cmdlet, you should turn on the Hyper-V module for the Windows
PowerShell feature.

Lab Review Questions and Answers


Lab: Configuring and managing Client Hyper-V
Question and Answers
Question: In the lab, you created a private virtual switch to connect to the VM. Would a private virtual
switch be the logical choice if you were using the VM for testing Windows Updates? Why or why not?

Answer: A private virtual switch would limit VM connectivity to other VMs that are running on
the same Windows 10 Client Hyper-V host. This would not be a good choice for Windows Updates
because the computer will need Internet connectivity to download the updates. The external
virtual switch or Default Switch would be better suited for a VM that you are using to test
Windows Updates.
Question: Can you use Hyper-V Manager to shrink a virtual hard disk in VHDX format while it is in use?

Answer: No, you can shrink the VHDX virtual hard disk while it is in use only by using the
Resize-VHD cmdlet. To do that, the VHDX virtual disk must be connected to a SCSI controller.
