Create and manage images – Deploy and upgrade operating systems

Create and manage images

Before you can do anything else, you’ll need to create your images. The starting point is a reference image. The reference image is the standard operating system that you’ll deliver to your users. You’ll have to consider what you want to add to the image; for example, adding drivers, apps, or specific configurations.

Create a reference image

After you’ve determined what will be included in the image, you’ll need to create it. Use the following procedure:

  1. On a reference computer, install Windows 10.
  2. Apply any Windows updates.
  3. Add any drivers, apps, or other required software.
  4. Apply any app updates.
  5. Configure any installed apps or software as needed.
  6. Generalize the image.

Exam Tip

You use the Sysprep.exe program to generalize your image. It’s located in the C:\Windows\System32\Sysprep\ folder.

7. Capture the generalized image.

8. Store the captured image in a location accessible to MDT.

In addition to your operating system image, you’ll also need a boot image. Typically, you’ll use the boot image provided on the Windows 10 product DVD or ISO.

Need More Review? Create a Windows 10 Reference Image

To review further details about reference image creation, refer to the Microsoft website at https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.

Add the images to MDT

After you’ve created any required images, the next step is to add the images to MDT. Before you can add images, you’ll need to create a deployment share. Use the following procedure:

  1. Open the Deployment Workbench.
  2. Select the Deployment Shares folder.
  3. Right-click Deployment Shares and then select New Deployment Share.
  4. Complete the New Deployment Share Wizard by providing the following:
    • A local path on the MDT server for the share.
    • A share name, such as Deployment Share$.
    • A description.
    • Options that control the deployment experience when images are applied:
      • Ask if a computer backup should be performed.
      • Ask for a product key.
      • Ask to set the local Administrator password.
      • Ask if an image should be captured.
      • Ask if BitLocker should be enabled.

When you’ve created the deployment share, you can add your images to it.

To add an operating system image, use the following procedure:

  1. Expand your deployment share and select Operating Systems.
  2. Right-click Operating Systems and then select Import Operating System.
  3. Complete the Import Operating System Wizard, displayed in Figure 1-12, by entering the following information:

Figure 1-12 Choosing the operating system image type

    • Choose between Full set of source files, Custom image file, and Windows Deployment Services image.
    • The source location for your image.
    • A WDS server name, if you’re using a Windows Deployment Services image.
    • A destination directory name.

Deploy images

After you’ve completed the process of creating and configuring your task sequences, you’re ready to deploy your images. All you need to do is start the required computers, and they should start up using the MDT PE. Then use the following procedure to apply the image and deploy Windows 10. Note that steps might vary based on your specific configuration options:

  1. Turn on your target computer.
  2. The Microsoft Deployment Toolkit deployment wizard starts.
  3. As displayed in Figure 1-14, select Run the Deployment Wizard to install a new Operating System.

Figure 1-14 Deploying Windows 10 using an MDT task sequence

  4. Enter your User name, Password, and Domain and select OK.
  5. On the Task Sequence page, select the appropriate task sequence and select Next.
  6. On the Computer Details page, review the generated computer name, and then select either Join a domain or Join a workgroup. For the domain option, enter the Domain to join, Organizational Unit, and credentials to join (User Name, Password, and Domain). Select Next.
  7. Complete the Windows Deployment Wizard by entering the following information:
    • Choose whether to move user data and settings from a previous version of Windows.
    • Choose whether to restore user data.
    • Specify the Language Settings and Time Settings.
    • Select any apps you want to deploy.

8. When you’ve completed the required settings, select Begin. Your operating system and selected apps are deployed.

Need More Review? Deploy a Windows 10 Image Using MDT

To review further details about deploying images with MDT, refer to the Microsoft website at https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.

Monitor and troubleshoot deployment

If you experience problems with deployment by using MDT, review the configuration settings for your deployment share. If you’re confident that everything is properly configured, then you can consider reviewing MDT logs. Each MDT script automatically generates logs.

Depending on the type of deployment you’re performing, after deployment, the log files are moved to either:

  • %WINDIR%\SMSOSD
  • %WINDIR%\TEMP\SMSOSD

For LTI deployments, the logs are moved to:

  • %WINDIR%\TEMP\DeploymentLogs

Table 1-15 describes the available MDT logs.

TABLE 1-15 MDT logs

  • BDD.log  Copied to a network location at the end of the deployment. You must specify the SLShare property in the CustomSettings.ini file in order to create this log.
  • LiteTouch.log  Created during LTI deployments and stored in the %WINDIR%\TEMP\DeploymentLogs folder.
  • Scriptname*.log  Created by each MDT script. The log name is the same as the script name.
  • SMSTS.log  Created by the Task Sequencer. Describes all Task Sequencer transactions. Stored in %TEMP%, %WINDIR%\System32\ccm\logs, C:\_SMSTaskSequence, or C:\SMSTSLog depending on your specific deployment scenario.
  • Wizard.log  Created and updated by the deployment wizards.
  • WPEinit.log  Created during the Windows PE initialization process. This log is useful for troubleshooting errors encountered when starting Windows PE.
  • DeploymentWorkbench_id.log  Created in the %temp% folder when you specify the /debug switch when starting the Deployment Workbench.

Exam Tip

The MDT log file format is designed to be read by CMTrace.

When you investigate the logs, you’ll want to identify any errors. There are numerous error codes with specific meanings. For example, error codes 5201, 5203, and 5205 all mean that a connection to the deployment share could not be made, and deployment cannot proceed.
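As an added example (not from the book), the following PowerShell reads whatever MDT logs exist in the folders listed above, parses the CMTrace line format those logs use, and flags error entries, including the 5201/5203/5205 deployment share connection codes just mentioned. The server name and the two fallback log lines are constructed so the script can demonstrate itself on a machine with no MDT logs.

```powershell
# Added example (not from the book): scan MDT logs for errors.
# The folders are the post-deployment log locations the text lists.
$LogFolders = @("$env:WINDIR\SMSOSD", "$env:WINDIR\TEMP\SMSOSD", "$env:WINDIR\TEMP\DeploymentLogs")

# Codes the text explains as "could not connect to the deployment share".
$ShareErrorCodes = @(5201, 5203, 5205)

# One CMTrace entry per line; type 1 = info, 2 = warning, 3 = error.
$CMTracePattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]*)" date="(?<Date>[^"]*)" component="(?<Component>[^"]*)" context="[^"]*" type="(?<Type>\d)"'

function ConvertFrom-CMTraceLine {
    param([Parameter(Mandatory)][string]$Line)
    if (-not ($Line -match $CMTracePattern)) { return $null }
    $entry = [pscustomobject]@{
        Date = $Matches.Date; Time = $Matches.Time; Component = $Matches.Component
        Type = [int]$Matches.Type; Message = $Matches.Message; ErrorCode = $null
    }
    # Pick up a four-digit MDT error code if the message carries one (e.g. "rc = 5201").
    if ($entry.Message -match '\b(\d{4})\b') { $entry.ErrorCode = [int]$Matches[1] }
    return $entry
}

function Get-MdtLogFindings {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $e = ConvertFrom-CMTraceLine -Line $line
        if (-not $e) { continue }
        $shareProblem = $e.ErrorCode -in $ShareErrorCodes
        # Report every error-type entry, plus any entry carrying a share connection code.
        if ($e.Type -eq 3 -or $shareProblem) {
            $e | Add-Member -NotePropertyName ShareUnreachable -NotePropertyValue $shareProblem -PassThru
        }
    }
}

# Read every .log file that exists in the listed folders.
$Lines = $LogFolders | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem -Path $_ -Filter *.log -Recurse -ErrorAction SilentlyContinue } |
    ForEach-Object { Get-Content -Path $_.FullName -ErrorAction SilentlyContinue }

if (-not $Lines) {
    # Constructed sample entries (MDTSERVER is a placeholder) for machines without real MDT logs.
    $Lines = @(
        '<![LOG[Property DeployRoot is now = \\MDTSERVER\DeploymentShare$]LOG]!><time="09:01:02.000+000" date="01-15-2024" component="LiteTouch" context="" type="1" thread="1204" file="LiteTouch.wsf">',
        '<![LOG[Unable to connect to \\MDTSERVER\DeploymentShare$, rc = 5201]LOG]!><time="09:01:05.000+000" date="01-15-2024" component="LiteTouch" context="" type="3" thread="1204" file="LiteTouch.wsf">'
    )
}

Get-MdtLogFindings -Lines $Lines | Format-Table Date, Time, Component, ErrorCode, ShareUnreachable, Message -AutoSize
```

With the constructed sample, only the second line is reported, with ShareUnreachable set to True because its code is 5201.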

Need More Review? Error Codes and Their Descriptions

To review further details about error codes with MDT, refer to the Microsoft website at https://docs.microsoft.com/troubleshoot/mem/configmgr/troubleshooting-reference#table-1-error-codes-and-their-description.

Need More Review? Troubleshooting Reference for MDT

To review further details about troubleshooting MDT, refer to the Microsoft website at https://docs.microsoft.com/troubleshoot/mem/configmgr/troubleshooting-reference.

Windows 10 security features

Many of the advancements relating to security derive from new technology becoming widely available on desktop devices, laptops, and smartphones. Windows 10 supports a variety of modern technologies that can be used by administrators to protect users’ identities and resources, including:

  • Trusted Platform Module (TPM)
  • Unified Extensible Firmware Interface (UEFI)
  • Virtualization-based security
  • Windows Biometric Framework
  • Virtual smart cards
  • MFA

Some of the security features built into Windows 10 that you should have an awareness of include:

  • BitLocker A TPM Version 1.2 or higher works with BitLocker to store encryption keys. BitLocker helps protect against data theft and offline tampering by providing for whole-drive encryption. Requirements for BitLocker include:
    • A device installed with either Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education.
    • Optionally, a TPM. Using a TPM with BitLocker enables Windows to verify startup component integrity.

Note TPM Requirement

You don’t require a TPM in your computer to use BitLocker, but it does increase the security of the encryption keys. It’s also used to support other important security features in Windows 10.

  • Device Health Attestation (DHA) With the increase in use of users’ personally owned devices to access corporate resources, such as email, it is important to ensure that Windows 10 devices connecting to your organization meet the security and compliance requirements of your organization. Device Health Attestation uses Measured Boot data to help perform this verification. To implement DHA, your Windows 10 devices must have TPM Version 2.0 or higher.
  • Secure Boot When Secure Boot is enabled, you can only start the operating system by using an operating system loader that is signed using a digital certificate stored in the UEFI Secure Boot signature database. This helps prevent malicious code from loading during the Windows 10 start process.

Note Secure Boot

Secure Boot is enabled by default in Windows 10.

  • MFA This is a process that provides for user authentication based on using at least two factors, such as:
    • Something the user knows, such as a password
    • Something the user is, such as a biometric attribute (facial recognition, iris detection, or a fingerprint)
    • Something the user has, such as a device, like a cellphone, running the Microsoft Authenticator app
  • Windows Biometric Framework Provides support for biometric devices, such as a fingerprint reader, a smartphone, or an illuminated infrared camera using Windows Hello. Organizations can implement secure, passwordless sign-in for Azure AD and Microsoft accounts using a security key or Windows Hello when using standards-based FIDO2-compatible devices.
  • Virtual Secure Mode This feature moves some sensitive elements of the operating system to trustlets that run in a Hyper-V container that parts of the Windows 10 operating system cannot access. This helps make the operating system more secure. Currently, this is only available in Windows 10 Enterprise edition.
  • Virtual Smart Card This feature offers comparable security benefits in two-factor authentication to the protection provided by physical smart cards. Virtual smart cards require a compatible TPM (Version 1.2 or later).
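To check a device against the TPM, Secure Boot, and BitLocker prerequisites listed above before you deploy, the following added PowerShell (not from the book) reads the TPM specification version, the Secure Boot state, and the BitLocker status of the OS drive. It assumes an elevated session, because Confirm-SecureBootUEFI and the Win32_Tpm class require administrative rights, and the function and property names it defines (Get-SecurityReadiness, TpmOkForDha, and so on) are its own.

```powershell
# Added example (not from the book): check a Windows 10 device against the
# TPM, Secure Boot and BitLocker prerequisites described above. Run elevated.

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion is a string such as "2.0, 0, 1.38"; the first field is the TPM spec level.
    $tpm = Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }                       # no TPM, or TPM disabled in firmware
    return [version](($tpm.SpecVersion -split ',')[0].Trim())
}

function Test-SecureBootEnabled {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems and in non-elevated sessions.
    try { return [bool](Confirm-SecureBootUEFI) } catch { return $false }
}

function Get-SecurityReadiness {
    param([string]$OsDrive = $env:SystemDrive)
    $spec = Get-TpmSpecVersion
    # Get-BitLockerVolume is absent on editions without BitLocker (for example Windows 10 Home).
    $bde = try { Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop } catch { $null }
    [pscustomobject]@{
        TpmSpecVersion       = $spec
        TpmOkForBitLockerVsc = ($null -ne $spec -and $spec -ge [version]'1.2')   # BitLocker key storage, virtual smart cards
        TpmOkForDha          = ($null -ne $spec -and $spec -ge [version]'2.0')   # Device Health Attestation
        SecureBootEnabled    = Test-SecureBootEnabled
        BitLockerProtection  = $(if ($bde) { [string]$bde.ProtectionStatus } else { 'NotAvailable' })
        OsDriveEncrypted     = [bool]($bde -and $bde.VolumeStatus -eq 'FullyEncrypted')
    }
}

Get-SecurityReadiness | Format-List
```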

Self-Service Password Reset

If you have ever worked in an IT service desk support function, you know that password-related issues are in the top three of all help desk calls. By implementing self-service password reset, you provide your users with the ability to reset their passwords, with no administrator intervention, whenever they need to.

Self-service password reset includes the following functionality:

  • Password change Users know their password and want to change it to something new.
  • Password reset A user can’t sign in and wants to reset the password.
  • Account unlock A user can’t sign in because the account is locked out. If the user provides the password or passes the required approved authentication methods, the account is unlocked.

Once configured, a user can select the Can’t Access Your Account link on a cloud-based resource access page, or the user can visit the Password Reset Portal at https://aka.ms/sspr to reset the password.

Note Azure AD Self-Service Password Reset

You can review how Azure AD Self-Service Password Reset works in detail and how to implement a Password Reset Portal by viewing this Microsoft website: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-howitworks.

Understand MFA

Traditional computer authentication is based on users providing a name and password. This allows an authentication authority to validate the exchange and grant access. Although password-based authentication is acceptable in many circumstances, Windows 10 provides several additional, more secure methods for users to authenticate to their devices, including multifactor authentication (also referred to as two-factor authentication).

MFA is based on the principle that users who want to authenticate must have two (or more) things with which to identify themselves. Specifically, they must have knowledge of something, they must be in possession of something, or they must be something. For example, a user might know a password, possess a security token (in the form of a digital certificate), and be able to prove who they are with biometrics, such as fingerprints.

Configure Microsoft accounts

In addition to traditional local accounts and domain user accounts, Windows 10 supports several modern methods of signing in to a device. The sign-in methods employed by an organization provide a strong first-line defense against identity theft, and you need to understand how to configure and manage sign-in options within an environment. This section teaches you how to disable PIN or picture login, and you’ll learn how to configure Windows Hello for Business.

A Microsoft account provides you with an identity that you can use to securely sign in on multiple devices and access cloud services. Because the identity is the same on multiple devices, your personal settings can be synchronized between your Windows-based devices.

On a device for personal use, if Windows 10 detects an internet connection during the initial setup, you are prompted to specify your Microsoft account details. However, you can skip this step and create a local account instead. If the device is personally owned, but you want to use it for work or school, you can register your device on your work or school tenant after setup is complete.

Microsoft accounts are primarily for consumer use. Enterprise users can benefit by using their personal Microsoft accounts in the workplace, although there are no centralized methods provided by Microsoft to provision Microsoft accounts to users. After you connect your Microsoft account to Windows 10, you will have the following capabilities:

  • You can access and share photos, documents, and other files from sites such as OneDrive, Outlook.com, Facebook, and Flickr.
  • Integrated social media services providing contact information and status for your users’ friends and associates are automatically maintained from sites such as Outlook.com, Facebook, Twitter, and LinkedIn.
  • You can download and install Microsoft Store apps.
  • You benefit from app synchronization with Microsoft Store apps. After the user signs in, when an app is installed, any user-specific settings are automatically downloaded and applied.
  • You can sync your app settings between devices that are linked to your Microsoft account.
  • You can use single sign-in with credentials roaming across any devices running Windows 10, Windows 8.1, Windows 8, or Windows RT.

If Microsoft accounts are allowed in an enterprise environment, you should note that only the owner of the Microsoft account can change the password. A user can perform a password reset in the Microsoft account sign-in portal at https://account.microsoft.com.

You can sign up for a Microsoft account at https://signup.live.com. After you have created your Microsoft account, you can connect it to your device.