WEBVTT

1
00:00:00.080 --> 00:00:01.879
<v Speaker 1>Welcome to the deep dive. We're here to pull out

2
00:00:01.879 --> 00:00:05.320
<v Speaker 1>the really key insights from complex sources just so you

3
00:00:05.320 --> 00:00:08.000
<v Speaker 1>can get up to speed quickly. Today we're jumping straight

4
00:00:08.039 --> 00:00:12.119
<v Speaker 1>into well, a really crucial area, the modern desktop administrator.

5
00:00:12.519 --> 00:00:15.359
<v Speaker 1>Our goal mission for you is to give you a

6
00:00:15.359 --> 00:00:18.320
<v Speaker 1>focused look at the essential skills the concepts you need

7
00:00:18.399 --> 00:00:21.440
<v Speaker 1>for managing Windows ten. And that's across all sorts of environments,

8
00:00:21.839 --> 00:00:24.160
<v Speaker 1>from regular networks right through to the cloud. You'll get

9
00:00:24.160 --> 00:00:27.760
<v Speaker 1>a quick, actionable grasp of how Windows ten gets deployed,

10
00:00:28.039 --> 00:00:31.039
<v Speaker 1>how it's secured, managed, even recovered, and importantly how it

11
00:00:31.079 --> 00:00:34.520
<v Speaker 1>works with modern cloud services. Yeah, and our source for

12
00:00:34.560 --> 00:00:37.039
<v Speaker 1>this, it's a pretty hefty study guide for Microsoft's

13
00:00:37.079 --> 00:00:39.640
<v Speaker 1>MD-100 and MD-101 exams, packed

14
00:00:39.679 --> 00:00:42.880
<v Speaker 1>with practical stuff, real world insights. We've basically boiled it

15
00:00:42.920 --> 00:00:44.799
<v Speaker 1>down to the core nuggets for you.

16
00:00:44.920 --> 00:00:47.159
<v Speaker 2>It's such a critical topic. I mean, IT administration has

17
00:00:47.240 --> 00:00:49.719
<v Speaker 2>changed so much, hasn't it. It's really not just about

18
00:00:50.240 --> 00:00:53.880
<v Speaker 2>fixing one computer here and there anymore. This role fundamentally

19
00:00:53.920 --> 00:01:00.640
<v Speaker 2>it's about thinking strategically, deployment strategy, really robust security, proactive security,

20
00:01:00.679 --> 00:01:04.480
<v Speaker 2>and just super efficient management across, well, everything. And the

21
00:01:04.519 --> 00:01:07.040
<v Speaker 2>big challenge, the question organizations face now, is how

22
00:01:07.040 --> 00:01:10.200
<v Speaker 2>do you balance that user need for flexibility working from

23
00:01:10.239 --> 00:01:14.400
<v Speaker 2>anywhere with the absolute necessity of corporate control and you know,

24
00:01:14.519 --> 00:01:15.400
<v Speaker 2>keeping things secure.

25
00:01:15.519 --> 00:01:19.239
<v Speaker 1>Yeah, that tightrope walk freedom versus control. Every admin knows it.

26
00:01:19.719 --> 00:01:22.280
<v Speaker 1>So okay, let's start right at the beginning, getting Windows

27
00:01:22.400 --> 00:01:25.400
<v Speaker 1>ten onto a machine. We all kind of know about

28
00:01:25.480 --> 00:01:28.680
<v Speaker 1>clean installs, in place upgrades, but the real admin headache

29
00:01:28.719 --> 00:01:31.359
<v Speaker 1>isn't setting up one machine, it's doing it efficiently across

30
00:01:31.400 --> 00:01:36.200
<v Speaker 1>maybe hundreds, even thousands. That's where automation really steps in.

31
00:01:36.640 --> 00:01:39.120
<v Speaker 2>Exactly. And the source material points to some key tools for that.

32
00:01:39.439 --> 00:01:43.680
<v Speaker 2>You've got the Microsoft Deployment Toolkit MDT. It's more than

33
00:01:43.799 --> 00:01:47.680
<v Speaker 2>just installing Windows. It basically turns a complex, potentially error

34
00:01:47.680 --> 00:01:52.120
<v Speaker 2>prone manual job into a smooth, repeatable process like a

35
00:01:52.200 --> 00:01:55.799
<v Speaker 2>factory assembly line. And that's huge because it frees up

36
00:01:55.799 --> 00:01:58.599
<v Speaker 2>IT folks from those repetitive tasks to focus on

37
00:01:58.640 --> 00:02:03.000
<v Speaker 2>bigger picture stuff, strategic work. Yeah. Then there's Windows Deployment Services,

38
00:02:03.200 --> 00:02:05.640
<v Speaker 2>WDS, that works with a Windows server. Lets you do

39
00:02:05.680 --> 00:02:08.879
<v Speaker 2>network booting for deployment. You configure it with WDSUTIL,

40
00:02:09.039 --> 00:02:12.120
<v Speaker 2>but for real world imaging, getting those golden images ready.

41
00:02:12.400 --> 00:02:15.599
<v Speaker 2>Sysprep.exe, the System Preparation Tool, that's your go-to.

42
00:02:16.080 --> 00:02:19.000
<v Speaker 2>Its main job is to generalize a Windows image. It

43
00:02:19.080 --> 00:02:22.680
<v Speaker 2>strips out the unique stuff, crucially, the security identifier, the SID.

44
00:02:22.840 --> 00:02:25.400
<v Speaker 1>The SID, right, the computer's fingerprint, basically.

45
00:02:25.360 --> 00:02:27.319
<v Speaker 2>And if you cloned without Sysprep in the old days, you

46
00:02:27.319 --> 00:02:31.719
<v Speaker 2>got identical fingerprints, major network conflicts. Sysprep solves that by

47
00:02:31.719 --> 00:02:34.599
<v Speaker 2>resetting it. And use the Windows Assessment and Deployment Kit,

48
00:02:34.680 --> 00:02:37.800
<v Speaker 2>ADK, for tools to customize these images, like using Windows

49
00:02:37.800 --> 00:02:40.759
<v Speaker 2>SIM to create those unattended answer files for automated setup.

50
00:02:40.879 --> 00:02:44.120
<v Speaker 1>Okay, so that covers the traditional methods. What about the cloud approach?

51
00:02:43.800 --> 00:02:48.280
<v Speaker 2>Ah, yes, Windows Autopilot. That's a big shift. Cloud

52
00:02:48.319 --> 00:02:51.439
<v Speaker 2>based devices can be deployed pretty much straight from the vendor,

53
00:02:51.520 --> 00:02:54.919
<v Speaker 2>sometimes zero IT touch involved. You get a customizable out

54
00:02:54.960 --> 00:02:59.800
<v Speaker 2>of box experience. Devices automatically join groups. It streamlines everything.

55
00:02:59.840 --> 00:03:00.719
<v Speaker 2>Sounds efficient.

56
00:03:00.919 --> 00:03:01.800
<v Speaker 1>What's needed for that?

57
00:03:02.039 --> 00:03:05.719
<v Speaker 2>You need an Azure subscription, Azure Active Directory and Microsoft

58
00:03:05.759 --> 00:03:09.639
<v Speaker 2>Intune. And the key is capturing the device's unique

59
00:03:09.639 --> 00:03:13.879
<v Speaker 2>hardware ID, the hardware hash, beforehand for pre-registration. This

60
00:03:13.919 --> 00:03:17.879
<v Speaker 2>whole move, automated deployment, cloud integration, it shifts IT from

61
00:03:17.919 --> 00:03:21.599
<v Speaker 2>being reactive and manual to being strategic and scalable. It

62
00:03:21.639 --> 00:03:23.199
<v Speaker 2>aligns with how businesses operate.

63
00:03:23.280 --> 00:03:26.840
<v Speaker 1>Now that makes sense, moving from manual setup to strategic automation.

64
00:03:26.919 --> 00:03:30.000
<v Speaker 1>It's a huge leap. But okay, you've got the machines deployed.

65
00:03:30.039 --> 00:03:32.400
<v Speaker 1>What about the people using them? Users and groups? That's

66
00:03:32.439 --> 00:03:35.039
<v Speaker 1>the next layer, right. We know the difference generally between

67
00:03:35.080 --> 00:03:38.199
<v Speaker 1>local users on one machine and domain users managed centrally

68
00:03:38.199 --> 00:03:41.120
<v Speaker 1>in Active Directory or Azure AD. The real power of

69
00:03:41.159 --> 00:03:43.919
<v Speaker 1>domain users is that central control, that single place for

70
00:03:44.000 --> 00:03:46.360
<v Speaker 1>identity and access across the whole organization.

71
00:03:46.479 --> 00:03:48.560
<v Speaker 2>Absolutely, centralization is key.

72
00:03:48.479 --> 00:03:51.919
<v Speaker 1>And something that often surprises people is this SID concept, the

73
00:03:51.919 --> 00:03:55.039
<v Speaker 1>security identifier. You know, you rename a user account, maybe

74
00:03:55.039 --> 00:03:58.680
<v Speaker 1>Bob becomes Robert, but all his permissions, his access, it all

75
00:03:58.680 --> 00:03:59.719
<v Speaker 1>stays the same.

76
00:04:00.719 --> 00:04:04.120
<v Speaker 2>Because Windows doesn't actually track users by the name you see,

77
00:04:04.360 --> 00:04:08.360
<v Speaker 2>It uses that unique, unchanging SID behind the scenes. That's

78
00:04:08.400 --> 00:04:10.599
<v Speaker 2>the real identifier for access control. Right.

79
00:04:10.639 --> 00:04:13.400
<v Speaker 1>The name is just a label for us humans pretty much.

80
00:04:13.719 --> 00:04:16.519
<v Speaker 2>And when you need to manage permissions for lots of users,

81
00:04:16.800 --> 00:04:19.079
<v Speaker 2>groups are obviously essential. You have the built in ones

82
00:04:19.120 --> 00:04:23.240
<v Speaker 2>like administrators, users backup operators. But creating custom groups lets

83
00:04:23.240 --> 00:04:26.120
<v Speaker 2>you apply specific rights to collections of users all at once.

84
00:04:26.600 --> 00:04:27.360
<v Speaker 2>Much simpler.

85
00:04:27.439 --> 00:04:31.279
<v Speaker 1>Okay, so SIDs identify, groups simplify permissions. How do we

86
00:04:31.399 --> 00:04:34.560
<v Speaker 1>enforce standards and security across all these users and machines?

87
00:04:34.759 --> 00:04:38.399
<v Speaker 2>Policies, exactly. Policy is the heart of control. For domain

88
00:04:38.439 --> 00:04:42.600
<v Speaker 2>joined machines, it's Group Policy Objects, GPOs; for standalone ones,

89
00:04:42.759 --> 00:04:46.519
<v Speaker 2>Local Group Policy Objects, LGPOs. And the crucial thing to remember:

90
00:04:46.879 --> 00:04:49.920
<v Speaker 2>GPOs always win. If a setting is configured in both,

91
00:04:50.120 --> 00:04:54.519
<v Speaker 2>the domain GPO takes precedence. That ensures organizational standards are met.

92
00:04:54.680 --> 00:04:57.000
<v Speaker 1>And what kind of things do these policies control?

93
00:04:57.360 --> 00:05:02.079
<v Speaker 2>Key areas include account policies, password rules, complexity, how often

94
00:05:02.120 --> 00:05:03.879
<v Speaker 2>you have to change it, how many times you can

95
00:05:03.920 --> 00:05:06.680
<v Speaker 2>try logging in before getting locked out? You know, like

96
00:05:06.720 --> 00:05:09.839
<v Speaker 2>setting it so five bad attempts in two minutes locks

97
00:05:09.839 --> 00:05:13.079
<v Speaker 2>the account for half an hour. That directly stops basic

98
00:05:13.120 --> 00:05:14.759
<v Speaker 2>brute force attacks. Makes sense.

99
00:05:14.920 --> 00:05:16.000
<v Speaker 1>And local policies.

100
00:05:16.120 --> 00:05:19.120
<v Speaker 2>Local policies control what users can do after they're logged in.

101
00:05:19.519 --> 00:05:22.759
<v Speaker 2>Auditing settings, who gets specific rights like allow log on

102
00:05:22.839 --> 00:05:27.199
<v Speaker 2>locally or backup files and directories. It's about defining capabilities.

103
00:05:27.600 --> 00:05:30.519
<v Speaker 2>And then there's User Account Control UAC. That's the thing

104
00:05:30.519 --> 00:05:32.839
<v Speaker 2>that gives you all those prompts asking for permission for

105
00:05:32.920 --> 00:05:33.759
<v Speaker 2>admin tasks.

106
00:05:33.879 --> 00:05:36.600
<v Speaker 1>Oh yeah, even when you are an administrator.

107
00:05:36.160 --> 00:05:39.959
<v Speaker 2>Right, it's designed that way. UAC forces privilege elevation. It's

108
00:05:40.000 --> 00:05:43.040
<v Speaker 2>an architectural safety net to stop malware running silently with

109
00:05:43.079 --> 00:05:47.439
<v Speaker 2>admin rights without you explicitly okaying it. Standard users always

110
00:05:47.480 --> 00:05:50.839
<v Speaker 2>need admin credentials. Of course, the big picture here is

111
00:05:51.000 --> 00:05:56.920
<v Speaker 2>defense in depth. UAC GPOs, local policies. They're not separate things,

112
00:05:56.959 --> 00:05:59.879
<v Speaker 2>they're layers. If one gets bypassed, the next one makes

113
00:05:59.879 --> 00:06:03.319
<v Speaker 2>it harder for an attacker. It builds resilience, layers of control.

114
00:06:03.439 --> 00:06:03.800
<v Speaker 2>Got it.

115
00:06:03.920 --> 00:06:07.160
<v Speaker 1>Okay, so we've controlled the users and the basic system settings.

116
00:06:07.360 --> 00:06:12.480
<v Speaker 1>Let's talk actual defenses, security paramount stuff. Windows ten bundles

117
00:06:12.519 --> 00:06:14.839
<v Speaker 1>a lot of this into the Windows Defender Security Center, right,

118
00:06:14.879 --> 00:06:16.639
<v Speaker 1>that's the main dashboard.

119
00:06:16.079 --> 00:06:17.879
<v Speaker 2>That's the hub. Yeah, makes it easier to manage.

120
00:06:17.959 --> 00:06:21.480
<v Speaker 1>So starting with the basics, Windows Defender Firewall blocks connections,

121
00:06:21.480 --> 00:06:25.319
<v Speaker 1>we get that. But the advanced version, WFAS?

122
00:06:24.639 --> 00:06:27.560
<v Speaker 2>Right, Windows Defender Firewall with Advanced Security. That gives you

123
00:06:27.680 --> 00:06:31.680
<v Speaker 2>much finer control. Granular inbound and outbound rules really lets

124
00:06:31.720 --> 00:06:33.680
<v Speaker 2>you lock down network traffic precisely.

125
00:06:33.759 --> 00:06:37.040
<v Speaker 1>Now, there's something called authenticated exceptions in the firewall. What's

126
00:06:37.079 --> 00:06:39.399
<v Speaker 1>the deal there? Sounds convenient but maybe risky.

127
00:06:39.600 --> 00:06:43.199
<v Speaker 2>It is exactly that. It allows specific trusted computers, usually

128
00:06:43.279 --> 00:06:47.199
<v Speaker 2>domain joined and managed, to bypass certain IPsec rules. It

129
00:06:47.199 --> 00:06:49.639
<v Speaker 2>can simplify things in managed environments, but yeah, you have

130
00:06:49.680 --> 00:06:53.079
<v Speaker 2>to understand it inherently reduces the security boundary, so use

131
00:06:53.120 --> 00:06:57.040
<v Speaker 2>it sparingly only where trust is extremely high. Every convenience

132
00:06:57.040 --> 00:06:58.160
<v Speaker 2>has a security trade off.

133
00:06:58.240 --> 00:07:02.600
<v Speaker 1>Good point. Okay, on the firewall. What other Defender components

134
00:07:02.600 --> 00:07:03.319
<v Speaker 1>are key.

135
00:07:03.480 --> 00:07:06.759
<v Speaker 2>Well, there's Windows Defender Application Guard that's pretty neat. It

136
00:07:06.879 --> 00:07:10.120
<v Speaker 2>isolates untrusted websites or PDFs by opening them in a

137
00:07:10.199 --> 00:07:14.360
<v Speaker 2>separate virtualized container like a sandbox on steroids. So if

138
00:07:14.360 --> 00:07:17.040
<v Speaker 2>there's something malicious in there, it can't touch your actual system.

139
00:07:17.279 --> 00:07:19.800
<v Speaker 2>You can run it in standalone or enterprise mode.

140
00:07:19.959 --> 00:07:23.680
<v Speaker 1>Okay, sandboxing for web stuff. What about protecting credentials.

141
00:07:23.839 --> 00:07:27.519
<v Speaker 2>That's where Windows Defender Credential Guard comes in. Uses hardware virtualization,

142
00:07:27.600 --> 00:07:30.839
<v Speaker 2>leveraging the actual processor features to create a super isolated

143
00:07:30.879 --> 00:07:34.319
<v Speaker 2>secure zone. It protects things like NTLM password hashes,

144
00:07:34.680 --> 00:07:37.759
<v Speaker 2>making those pass the hash attacks where attackers steal credentials

145
00:07:37.800 --> 00:07:41.000
<v Speaker 2>to move laterally much much harder. It's not just software,

146
00:07:41.040 --> 00:07:43.040
<v Speaker 2>it uses hardware isolation.

147
00:07:42.959 --> 00:07:44.079
<v Speaker 1>Hardware based protection.

148
00:07:44.519 --> 00:07:48.360
<v Speaker 2>Nice. What else is in the toolkit? Windows Defender Exploit Guard.

149
00:07:49.079 --> 00:07:52.160
<v Speaker 2>This focuses on reducing the attack surface. It blocks

150
00:07:52.160 --> 00:07:56.480
<v Speaker 2>common techniques malware and ransomware use to exploit vulnerabilities in applications.

151
00:07:57.079 --> 00:07:59.759
<v Speaker 2>The analogy in the source is like putting plexiglass over

152
00:07:59.759 --> 00:08:02.519
<v Speaker 2>most of a hockey net. Leaving only a tiny slot

153
00:08:03.000 --> 00:08:05.240
<v Speaker 2>makes it way harder for attackers to score even if

154
00:08:05.279 --> 00:08:07.920
<v Speaker 2>there's a vulnerability. I like that analogy. And for really

155
00:08:07.959 --> 00:08:13.279
<v Speaker 2>strict control, there's Windows Defender Application Control, WDAC. This basically

156
00:08:13.360 --> 00:08:16.560
<v Speaker 2>says only applications you explicitly approve can run, nothing else,

157
00:08:16.920 --> 00:08:17.600
<v Speaker 2>very locked down.

158
00:08:17.759 --> 00:08:21.639
<v Speaker 1>That sounds restrictive but effective. What about data encryption?

159
00:08:22.040 --> 00:08:25.399
<v Speaker 2>BitLocker Drive Encryption, full disk encryption for your OS drive,

160
00:08:25.439 --> 00:08:29.000
<v Speaker 2>other internal drives, and BitLocker To Go for USB sticks

161
00:08:29.000 --> 00:08:32.679
<v Speaker 2>and removable drives. Ideally it uses a Trusted Platform Module

162
00:08:32.759 --> 00:08:36.039
<v Speaker 2>or TPM chip on the motherboard. That's a secure hardware

163
00:08:36.080 --> 00:08:38.919
<v Speaker 2>chip that stores the encryption keys, much safer than just

164
00:08:39.000 --> 00:08:41.679
<v Speaker 2>using a USB key. The trade-off: you get much

165
00:08:41.679 --> 00:08:44.360
<v Speaker 2>better security for data at rest, but there might be a

166
00:08:44.399 --> 00:08:48.440
<v Speaker 2>tiny performance hit because of the encryption/decryption process. Usually

167
00:08:48.480 --> 00:08:49.360
<v Speaker 2>negligible these days, though.

168
00:08:49.279 --> 00:08:52.360
<v Speaker 1>Okay, and authentication, stronger methods?

169
00:08:52.480 --> 00:08:55.279
<v Speaker 2>Yeah. Windows ten has better support for smart cards and

170
00:08:55.360 --> 00:08:59.600
<v Speaker 2>multi factor authentication MFA. It makes deploying them easier, especially

171
00:08:59.639 --> 00:09:03.840
<v Speaker 2>for domain logins, pushing towards stronger identity verification. All these

172
00:09:03.879 --> 00:09:10.320
<v Speaker 2>things together firewall, application guard, credential guard, exploit guard, WDAC, BitLocker, MFA,

173
00:09:11.080 --> 00:09:15.159
<v Speaker 2>they create this multi layered defense. It's moved way beyond

174
00:09:15.200 --> 00:09:19.080
<v Speaker 2>just having anti virus. It's about proactively reducing threats and

175
00:09:19.120 --> 00:09:20.120
<v Speaker 2>protecting identities.

176
00:09:20.240 --> 00:09:23.200
<v Speaker 1>It definitely sounds comprehensive a lot of layers, but you know,

177
00:09:23.679 --> 00:09:26.360
<v Speaker 1>a lockdown fortress isn't much use if it can't talk

178
00:09:26.399 --> 00:09:28.240
<v Speaker 1>to the outside world or the rest of the network.

179
00:09:28.559 --> 00:09:31.519
<v Speaker 1>So networking, how do these machines connect and communicate? We

180
00:09:31.559 --> 00:09:34.639
<v Speaker 1>know the basic models: workgroup, decentralized, peer to peer;

181
00:09:35.120 --> 00:09:38.919
<v Speaker 1>domain-based, using Active Directory, centralized control. But the modern

182
00:09:38.960 --> 00:09:42.399
<v Speaker 1>angle is also managing devices that join Azure AD directly, right,

183
00:09:42.480 --> 00:09:43.799
<v Speaker 1>cloud native identity.

184
00:09:43.600 --> 00:09:46.639
<v Speaker 2>Exactly. That Azure AD join model's becoming increasingly important for

185
00:09:46.679 --> 00:09:48.399
<v Speaker 2>cloud first strategies.

186
00:09:48.080 --> 00:09:51.879
<v Speaker 1>And underpinning all of this communication is, of course, TCP/IP.

187
00:09:52.399 --> 00:09:55.279
<v Speaker 1>We know IPv4, the dotted decimals. IPv6 is

188
00:09:55.320 --> 00:09:58.799
<v Speaker 1>the future, massive address space. But for an admin, it's

189
00:09:58.840 --> 00:10:02.480
<v Speaker 1>not just knowing the difference, it's managing that transition, right,

190
00:10:02.519 --> 00:10:06.039
<v Speaker 1>ensuring things work side by side, maybe using tunneling like Teredo.

191
00:10:05.639 --> 00:10:10.159
<v Speaker 2>Precisely. Dual stack implementations, understanding tunneling mechanisms like

192
00:10:10.200 --> 00:10:14.679
<v Speaker 2>Teredo for carrying IPv6 over UDP/IPv4 networks where

193
00:10:14.960 --> 00:10:18.639
<v Speaker 2>native IPv6 isn't available. That's key operational knowledge for

194
00:10:18.679 --> 00:10:22.559
<v Speaker 2>future proofing. And yeah, we know static versus dynamic DHCP addressing,

195
00:10:22.799 --> 00:10:26.000
<v Speaker 2>but don't forget APIPA, Automatic Private IP Addressing.

196
00:10:26.039 --> 00:10:28.240
<v Speaker 1>Ah, the 169.254

197
00:10:28.240 --> 00:10:29.000
<v Speaker 1>address, right.

198
00:10:29.080 --> 00:10:31.159
<v Speaker 2>If you see that, it's a big clue the machine

199
00:10:31.159 --> 00:10:34.480
<v Speaker 2>couldn't find a DHCP server. It's a troubleshooting pointer.

200
00:10:34.559 --> 00:10:37.279
<v Speaker 1>Okay, what about newer wireless stuff and remote management?

201
00:10:37.639 --> 00:10:40.320
<v Speaker 2>For wireless, you've got things like Wi-Fi Direct, device

202
00:10:40.360 --> 00:10:43.320
<v Speaker 2>to device connection, no access point needed, uses near field

203
00:10:43.360 --> 00:10:47.480
<v Speaker 2>proximity, NFP, often for pairing, and broadband tethering, letting you

204
00:10:47.559 --> 00:10:50.519
<v Speaker 2>share a mobile device's Internet connection. Very handy for remote

205
00:10:50.519 --> 00:10:50.919
<v Speaker 2>work.

206
00:10:50.919 --> 00:10:53.519
<v Speaker 1>And for actually managing machines remotely, several tools.

207
00:10:54.080 --> 00:10:57.159
<v Speaker 2>Remote assistance is the one where a user explicitly invites

208
00:10:57.200 --> 00:11:00.000
<v Speaker 2>an expert to view or control their screen to help them.

209
00:11:00.600 --> 00:11:03.759
<v Speaker 2>It has an easy connect feature to simplify setup. Remote

210
00:11:03.799 --> 00:11:07.639
<v Speaker 2>desktop though gives you full keyboard video mouse control without

211
00:11:07.639 --> 00:11:10.320
<v Speaker 2>the end user needing to be there or interact once

212
00:11:10.360 --> 00:11:13.720
<v Speaker 2>it's enabled. Great for server management or troubleshooting when no

213
00:11:13.720 --> 00:11:14.919
<v Speaker 2>one's physically at the machine.

214
00:11:14.960 --> 00:11:16.919
<v Speaker 1>And secure connections back to the office network?

215
00:11:16.600 --> 00:11:22.000
<v Speaker 2>VPNs, virtual private networks. The source highlights IKEv2

216
00:11:22.120 --> 00:11:24.960
<v Speaker 2>as a good protocol choice because of its VPN Reconnect feature.

217
00:11:25.360 --> 00:11:28.240
<v Speaker 2>It automatically tries to re-establish the connection if you

218
00:11:28.279 --> 00:11:31.360
<v Speaker 2>temporarily lose network, which is much smoother for users. And

219
00:11:31.399 --> 00:11:35.159
<v Speaker 2>for the command line folks, PowerShell remoting is incredibly powerful

220
00:11:35.159 --> 00:11:38.559
<v Speaker 2>for running scripts and commands on remote machines securely. The

221
00:11:38.639 --> 00:11:41.639
<v Speaker 2>real takeaway here is how adaptable Windows ten is. It's

222
00:11:41.639 --> 00:11:43.679
<v Speaker 2>built to work and be managed across all these different

223
00:11:43.679 --> 00:11:48.120
<v Speaker 2>network scenarios: on-prem domains, mobile, cloud connected. Admins have

224
00:11:48.159 --> 00:11:50.320
<v Speaker 2>tools for pretty much any situation.

225
00:11:50.039 --> 00:11:54.799
<v Speaker 1>That flexibility seems absolutely essential. Now, okay, shifting gears slightly,

226
00:11:55.279 --> 00:11:58.159
<v Speaker 1>let's talk about the data itself and the hardware, keeping

227
00:11:58.159 --> 00:12:02.120
<v Speaker 1>things healthy recovering when they're not. Starting with filesystems, we

228
00:12:02.200 --> 00:12:05.679
<v Speaker 1>generally use NTFS now, not older FAT thirty two. Why

229
00:12:05.759 --> 00:12:07.720
<v Speaker 1>is NTFS so much better for administration?

230
00:12:07.919 --> 00:12:10.919
<v Speaker 2>Well, NTFS has major advantages. Security is a big one.

231
00:12:10.960 --> 00:12:14.279
<v Speaker 2>You can set permissions on individual files and folders, not

232
00:12:14.399 --> 00:12:17.840
<v Speaker 2>just shares. FAT thirty two doesn't really have that. Plus

233
00:12:18.039 --> 00:12:23.399
<v Speaker 2>NTFS supports file compression, encryption using EFS, Encrypting File System, and

234
00:12:23.519 --> 00:12:26.240
<v Speaker 2>disk quotas to limit how much space users can consume.

235
00:12:26.559 --> 00:12:30.120
<v Speaker 2>These are all critical admin controls that FAT thirty two lacks.

236
00:12:29.840 --> 00:12:33.480
<v Speaker 1>Right, granular control. What about managing the disks themselves?

237
00:12:33.679 --> 00:12:36.159
<v Speaker 2>Use the Disk Management tool. You can have basic disks

238
00:12:36.240 --> 00:12:38.799
<v Speaker 2>or convert them to dynamic disks. Going dynamic lets you

239
00:12:38.840 --> 00:12:41.919
<v Speaker 2>do cool things like span volumes. Span volumes, yeah, where

240
00:12:41.919 --> 00:12:44.159
<v Speaker 2>you take space from multiple physical hard drives and make

241
00:12:44.200 --> 00:12:47.039
<v Speaker 2>them appear as one single larger drive letter or stripe

242
00:12:47.080 --> 00:12:50.399
<v Speaker 2>volumes where data is written across multiple drives simultaneously for

243
00:12:50.440 --> 00:12:51.159
<v Speaker 2>better performance.

244
00:12:51.399 --> 00:12:55.639
<v Speaker 1>Ah, striping sounds good but risky if one drive fails.

245
00:12:55.919 --> 00:12:59.960
<v Speaker 2>Exactly. Striping gives speed but increases risk. Spanning just pools space.

246
00:13:00.360 --> 00:13:03.320
<v Speaker 2>You need good backups either way, especially with striped volumes,

247
00:13:03.480 --> 00:13:06.960
<v Speaker 2>and you also deal with partition styles: older MBR, Master

248
00:13:07.000 --> 00:13:12.440
<v Speaker 2>Boot Record, versus modern GPT, GUID Partition Table. GPT is

249
00:13:12.480 --> 00:13:18.159
<v Speaker 2>standard now, supports larger disks, more partitions, better boot reliability.

250
00:13:17.519 --> 00:13:20.360
<v Speaker 1>And for cloud storage, there's OneDrive built in. And

251
00:13:20.559 --> 00:13:22.279
<v Speaker 1>hardware issues? Device Manager.

252
00:13:22.480 --> 00:13:27.120
<v Speaker 2>That's your central console for everything hardware: viewing devices, updating drivers,

253
00:13:27.279 --> 00:13:31.039
<v Speaker 2>rolling back drivers if an update causes problems, disabling devices,

254
00:13:31.200 --> 00:13:34.639
<v Speaker 2>uninstalling them. Also where you manage printers, both local and network.

255
00:13:34.679 --> 00:13:37.080
<v Speaker 1>Okay, so that's keeping things running. What about when they

256
00:13:37.519 --> 00:13:39.360
<v Speaker 1>stop running?

257
00:13:38.799 --> 00:13:42.440
<v Speaker 2>Recovery options are crucial. Windows has several layers. First, the

258
00:13:42.440 --> 00:13:45.919
<v Speaker 2>startup boot options. You've got Safe Mode, which loads Windows

259
00:13:45.960 --> 00:13:48.919
<v Speaker 2>with minimal drivers. Great for diagnosing boot problems caused by

260
00:13:48.919 --> 00:13:52.240
<v Speaker 2>a bad driver or software. Boot logging creates a detailed text

261
00:13:52.279 --> 00:13:55.519
<v Speaker 2>file listing every driver and service that loads, helping pinpoint

262
00:13:55.559 --> 00:13:59.440
<v Speaker 2>failures. And Startup Repair tries to automatically fix common boot problems.

263
00:13:59.480 --> 00:14:00.840
<v Speaker 1>What about rolling back changes?

264
00:14:01.120 --> 00:14:04.600
<v Speaker 2>That's System Restore. It uses restore points, snapshots of system

265
00:14:04.600 --> 00:14:07.480
<v Speaker 2>files and settings. You can revert back to an earlier

266
00:14:07.519 --> 00:14:10.200
<v Speaker 2>point if something goes wrong after installing software or a driver.

267
00:14:10.360 --> 00:14:12.720
<v Speaker 1>But it doesn't touch personal files, right?

268
00:14:12.720 --> 00:14:17.559
<v Speaker 2>Correct. System Restore leaves your documents, pictures, etc. alone. It also

269
00:14:17.639 --> 00:14:21.080
<v Speaker 2>doesn't uninstall programs installed after the restore point was created,

270
00:14:21.279 --> 00:14:24.799
<v Speaker 2>though they might not work correctly. For a full disaster recovery,

271
00:14:25.000 --> 00:14:28.159
<v Speaker 2>there's System Image Recovery. This uses a complete image,

272
00:14:28.200 --> 00:14:31.240
<v Speaker 2>a snapshot of your entire hard drive to restore everything.

273
00:14:31.600 --> 00:14:34.759
<v Speaker 2>And don't forget basic file recovery. There's the older Backup

274
00:14:34.759 --> 00:14:38.120
<v Speaker 2>and Restore Windows seven tool, but also OneDrive recovery,

275
00:14:38.159 --> 00:14:40.879
<v Speaker 2>which often has version history and recycle bin features for

276
00:14:40.919 --> 00:14:41.600
<v Speaker 2>cloud files.

277
00:14:41.720 --> 00:14:45.759
<v Speaker 1>Okay, lots of recovery tools. How about preventing problems through monitoring?

278
00:14:46.000 --> 00:14:50.159
<v Speaker 2>Proactive monitoring is key. Performance Monitor is the deep dive tool.

279
00:14:50.559 --> 00:14:55.279
<v Speaker 2>It tracks hundreds of stats: processor load, memory usage, disk activity,

280
00:14:55.519 --> 00:14:59.919
<v Speaker 2>network traffic, specific service performance. Uses performance objects and counters.

281
00:15:00.000 --> 00:15:00.840
<v Speaker 2>Sounds detailed.

282
00:15:01.000 --> 00:15:01.919
<v Speaker 1>What about a quick look?

283
00:15:02.080 --> 00:15:06.039
<v Speaker 2>That's Task Manager. Quick view of running apps, background processes,

284
00:15:06.080 --> 00:15:10.480
<v Speaker 2>CPU and memory usage, startup apps, services. Essential first stop

285
00:15:10.559 --> 00:15:14.159
<v Speaker 2>for "what's slowing my machine down?" For logging, there's the

286
00:15:14.200 --> 00:15:17.120
<v Speaker 2>Event Viewer. It's the central place for all system messages,

287
00:15:17.919 --> 00:15:22.480
<v Speaker 2>information, warnings, errors, logged by applications, services, the operating system,

288
00:15:22.600 --> 00:15:27.480
<v Speaker 2>security audits. Essential for troubleshooting after a crash or unexpected behavior.

289
00:15:26.960 --> 00:15:28.679
<v Speaker 1>And in the cloud era?

290
00:15:28.720 --> 00:15:33.080
<v Speaker 2>Azure Monitor. This is Microsoft's big cloud based monitoring solution.

291
00:15:33.559 --> 00:15:37.480
<v Speaker 2>It tracks performance, availability, usage for apps and infrastructure, whether

292
00:15:37.519 --> 00:15:40.639
<v Speaker 2>they're in Azure or on premises. Includes things like Application

293
00:15:40.679 --> 00:15:43.919
<v Speaker 2>Insights for web apps, monitoring for containers and VMs, and

294
00:15:44.039 --> 00:15:47.480
<v Speaker 2>Log Analytics. Log Analytics is powerful. Use queries like KQL

295
00:15:47.519 --> 00:15:50.320
<v Speaker 2>to sift through logs and find specific events, for example

296
00:15:50.440 --> 00:15:53.279
<v Speaker 2>finding all error events on laptop one. The main point

297
00:15:53.279 --> 00:15:56.159
<v Speaker 2>here is that combining proactive monitoring with these robust recovery

298
00:15:56.159 --> 00:15:59.200
<v Speaker 2>tools is absolutely vital for minimizing downtime and data loss.

299
00:15:59.559 --> 00:16:01.639
<v Speaker 2>It's all about business continuity.

300
00:16:01.240 --> 00:16:05.600
<v Speaker 1>Absolutely critical. Yeah, especially with remote workforces and cloud dependence growing.

301
00:16:05.960 --> 00:16:08.320
<v Speaker 1>Which brings us nicely to the final piece, the really

302
00:16:08.399 --> 00:16:12.600
<v Speaker 1>modern part of this role, cloud integration. Let's talk Microsoft

303
00:16:12.600 --> 00:16:13.440
<v Speaker 1>Intune, right?

304
00:16:13.840 --> 00:16:17.879
<v Speaker 2>Intune is Microsoft's cloud-native Mobile Device Management (MDM) and

305
00:16:17.960 --> 00:16:22.559
<v Speaker 2>Mobile Application Management (MAM) system. Operates entirely from the cloud. And

306
00:16:22.480 --> 00:16:24.440
<v Speaker 1>a big benefit I hear about is licensing.

307
00:16:24.679 --> 00:16:28.639
<v Speaker 2>Yeah, that's a key difference. Intune typically licenses users, not

308
00:16:28.759 --> 00:16:32.600
<v Speaker 2>devices by default. One user license often covers something like

309
00:16:32.639 --> 00:16:36.799
<v Speaker 2>fifteen devices. For organizations with users who have multiple devices,

310
00:16:36.879 --> 00:16:39.080
<v Speaker 2>though, it can be a significant cost saving compared to

311
00:16:39.080 --> 00:16:41.360
<v Speaker 2>traditional per-device licensing. Makes sense.

312
00:16:41.399 --> 00:16:43.080
<v Speaker 1>What can Intune do? A lot.

313
00:16:43.559 --> 00:16:46.960
<v Speaker 2>Device enrollment, setting up secure access to resources like Wi-Fi

314
00:16:46.960 --> 00:16:51.480
<v Speaker 2>or VPNs, deploying applications, enforcing security policies, tracking hardware, software

315
00:16:51.519 --> 00:16:55.120
<v Speaker 2>inventory, reporting, and crucially, remote wipe. If a device is

316
00:16:55.159 --> 00:16:58.120
<v Speaker 2>lost or stolen, or an employee leaves, you can wipe corporate

317
00:16:58.200 --> 00:17:02.840
<v Speaker 2>data remotely. Essential for protecting sensitive information. Plus, Intune connectors

318
00:17:02.879 --> 00:17:05.720
<v Speaker 2>let it integrate with on-prem tools like SCCM for

319
00:17:05.839 --> 00:17:07.240
<v Speaker 2>hybrid management scenarios.

320
00:17:07.440 --> 00:17:10.720
<v Speaker 1>Okay, so Intune manages devices and apps from the cloud,

321
00:17:11.160 --> 00:17:14.440
<v Speaker 1>and the identity piece is Azure Active Directory, Azure AD?

322
00:17:14.640 --> 00:17:17.640
<v Speaker 2>Exactly. Azure AD is the cloud directory. It holds the

323
00:17:17.759 --> 00:17:20.839
<v Speaker 2>user and group accounts for accessing cloud services like Microsoft

324
00:17:20.839 --> 00:17:24.400
<v Speaker 2>three sixty five, Azure itself, and thousands of other SaaS apps.

325
00:17:24.720 --> 00:17:27.319
<v Speaker 2>And to link your existing on-premises Active Directory with

326
00:17:27.359 --> 00:17:31.680
<v Speaker 2>Azure AD, you use Azure AD Connect. This tool synchronizes identities,

327
00:17:32.000 --> 00:17:34.640
<v Speaker 2>enabling things like single sign-on (SSO), so users have

328
00:17:34.680 --> 00:17:37.880
<v Speaker 2>one password for both environments. Foundational for hybrid

329
00:17:37.559 --> 00:17:41.000
<v Speaker 1>identity. Got it. So within Intune and Azure AD, what

330
00:17:41.039 --> 00:17:42.920
<v Speaker 1>are some key features admins use?

331
00:17:43.119 --> 00:17:46.799
<v Speaker 2>In Intune, you configure policies and profiles. Compliance

332
00:17:46.839 --> 00:17:48.920
<v Speaker 2>policies set the rules the device must meet to be

333
00:17:48.960 --> 00:17:52.799
<v Speaker 2>considered compliant and gain access, like needing a certain OS

334
00:17:52.960 --> 00:17:56.759
<v Speaker 2>version or having encryption enabled. These often work with Conditional

335
00:17:56.799 --> 00:18:01.480
<v Speaker 2>Access policies in Azure AD. Device configuration profiles push down settings:

336
00:18:01.519 --> 00:18:06.160
<v Speaker 2>configuring Wi-Fi, VPNs, email profiles, device restrictions, setting up

337
00:18:06.200 --> 00:18:09.400
<v Speaker 2>Windows Hello for Business for secure sign-in, or configuring

338
00:18:09.480 --> 00:18:13.039
<v Speaker 2>kiosk mode for specialized single-app devices. And for BYOD,

339
00:18:13.160 --> 00:18:16.920
<v Speaker 2>bring your own device, Mobile Application Management (MAM) policies are huge.

340
00:18:17.119 --> 00:18:19.759
<v Speaker 2>They let you protect corporate data within specific apps on

341
00:18:19.799 --> 00:18:22.720
<v Speaker 2>a personal device without needing to fully enroll and manage

342
00:18:22.759 --> 00:18:26.359
<v Speaker 2>the entire device. Think restricting copy-paste out of Outlook, or

343
00:18:26.359 --> 00:18:29.200
<v Speaker 2>requiring a PIN for Word. Flexibility with security.

344
00:18:29.359 --> 00:18:31.839
<v Speaker 1>Okay, that MAM part sounds really useful for BYOD. What

345
00:18:31.920 --> 00:18:33.799
<v Speaker 1>about Azure AD features?

346
00:18:33.680 --> 00:18:37.920
<v Speaker 2>Azure AD has tons. Self-service password reset (SSPR)

347
00:18:38.000 --> 00:18:40.480
<v Speaker 2>is a big one. Lets users reset their own forgotten

348
00:18:40.480 --> 00:18:45.880
<v Speaker 2>password securely, which drastically cuts down help desk calls. Identity Protection,

349
00:18:45.960 --> 00:18:47.920
<v Speaker 2>which is part of the Premium P2 license, is

350
00:18:47.960 --> 00:18:51.079
<v Speaker 2>really advanced. It uses machine learning and heuristics to detect

351
00:18:51.119 --> 00:18:54.039
<v Speaker 2>suspicious sign-ins or compromised accounts. You can then trigger

352
00:18:54.079 --> 00:18:57.359
<v Speaker 2>automated responses like forcing an MFA prompt or even blocking

353
00:18:57.400 --> 00:18:58.839
<v Speaker 2>access until an admin reviews it.

354
00:18:58.920 --> 00:19:00.920
<v Speaker 1>Proactive identity security. Yeah.

355
00:19:01.279 --> 00:19:04.359
<v Speaker 2>Then for syncing passwords from on-prem, you have Password

356
00:19:04.359 --> 00:19:08.240
<v Speaker 2>Hash Synchronization (PHS). It syncs a hash of the user's

357
00:19:08.240 --> 00:19:12.359
<v Speaker 2>password to Azure AD. It's reliable and enables cloud authentication

358
00:19:12.480 --> 00:19:16.079
<v Speaker 2>even if the on-prem domain controllers are unreachable. Alternatively,

359
00:19:16.160 --> 00:19:20.119
<v Speaker 2>Pass-through Authentication (PTA) validates the user's password directly against

360
00:19:20.119 --> 00:19:23.359
<v Speaker 2>your on-prem Active Directory in real time. No password

361
00:19:23.359 --> 00:19:25.839
<v Speaker 2>hash is stored in the cloud. It enforces on-prem

362
00:19:25.880 --> 00:19:30.640
<v Speaker 2>account policies like lockout or hours restrictions. And federation, usually

363
00:19:30.680 --> 00:19:34.319
<v Speaker 2>with AD FS, Active Directory Federation Services, is another option, often

364
00:19:34.400 --> 00:19:37.559
<v Speaker 2>used for more complex scenarios. It redirects authentication to your

365
00:19:37.559 --> 00:19:40.880
<v Speaker 2>on-prem federation server, which issues security tokens (claims) to

366
00:19:40.920 --> 00:19:45.680
<v Speaker 2>Azure AD. Useful for specific application requirements or complex SSO needs.

367
00:19:45.759 --> 00:19:48.319
<v Speaker 1>Lots of authentication options to fit different needs.

368
00:19:48.240 --> 00:19:52.839
<v Speaker 2>Definitely. And Intune also provides alerts (critical, warning, informational),

369
00:19:52.880 --> 00:19:56.279
<v Speaker 2>which you can configure notifications for so admins know immediately

370
00:19:56.279 --> 00:19:59.240
<v Speaker 2>if there's a compliance issue, a configuration failure, or some

371
00:19:59.319 --> 00:20:02.880
<v Speaker 2>other important event. The fascinating thing here really is the

372
00:20:02.960 --> 00:20:06.880
<v Speaker 2>level of flexibility and control the cloud offers. Managing

373
00:20:06.880 --> 00:20:10.759
<v Speaker 2>a diverse fleet of devices, users working from anywhere. It

374
00:20:10.839 --> 00:20:14.279
<v Speaker 2>shifts the whole paradigm from managing servers in a rack

375
00:20:14.799 --> 00:20:18.519
<v Speaker 2>to orchestrating services in a distributed, highly available cloud model.

376
00:20:19.279 --> 00:20:21.960
<v Speaker 1>What a journey from basic installs all the way to

377
00:20:22.079 --> 00:20:24.680
<v Speaker 1>cloud orchestration. So what does this all boil down to

378
00:20:24.759 --> 00:20:26.680
<v Speaker 1>for you, the listener? Well, you should

379
00:20:26.440 --> 00:20:29.240
<v Speaker 2>now have a really solid strategic overview of what it

380
00:20:29.279 --> 00:20:34.000
<v Speaker 2>takes to be a modern desktop administrator. Today we've covered deployment, security,

381
00:20:34.200 --> 00:20:37.880
<v Speaker 2>managing users, networking, keeping things healthy with recovery, and that

382
00:20:37.960 --> 00:20:41.359
<v Speaker 2>crucial cloud integration with Intune and Azure AD. You got

383
00:20:41.359 --> 00:20:44.599
<v Speaker 2>that shortcut, that distilled knowledge about the really critical Windows

384
00:20:44.599 --> 00:20:47.839
<v Speaker 2>ten administration topics and how they fit together. Absolutely, the

385
00:20:47.880 --> 00:20:52.000
<v Speaker 2>broad and evolving skill set. And looking forward, as technology

386
00:20:52.039 --> 00:20:55.079
<v Speaker 2>keeps changing so fast, you know, think about AI, more automation.

387
00:20:56.279 --> 00:20:59.279
<v Speaker 2>It does raise an important question: how is this role,

388
00:20:59.400 --> 00:21:03.640
<v Speaker 2>the desktop administrator, going to continue transforming? What new skills

389
00:21:03.720 --> 00:21:06.960
<v Speaker 2>might become even more valuable? Maybe less hands-on fixing,

390
00:21:06.960 --> 00:21:11.359
<v Speaker 2>more about strategic planning, data analysis, orchestrating automated systems?

391
00:21:11.440 --> 00:21:13.519
<v Speaker 1>That's a great question to ponder. What is next for

392
00:21:13.559 --> 00:21:16.359
<v Speaker 1>this role? Definitely food for thought. A huge thank you

393
00:21:16.400 --> 00:21:19.279
<v Speaker 1>for joining us on this deep dive. Keep exploring, keep learning.

394
00:21:19.359 --> 00:21:20.880
<v Speaker 1>We'll catch you next time on the Deep Dive.
