
Deploy images – Deploy and upgrade operating systems


After you’ve completed the process of creating and configuring your task sequences, you’re ready to deploy your images. Start the target computers from the MDT boot image (Windows PE); the Windows Deployment Wizard then runs on each of them. Use the following procedure to apply the image and deploy Windows 10. Note that the steps might vary based on your specific configuration options:

  1. Turn on your target computer.
  2. The Microsoft Deployment Toolkit deployment wizard starts.
  3. As displayed in Figure 1-14, select Run the Deployment Wizard to install a new Operating System.

Figure 1-14 Deploying Windows 10 using an MDT task sequence

  4. Enter your User name, Password, and Domain (the account used to connect to the deployment share) and select OK.
  5. On the Task Sequence page, select the appropriate task sequence and select Next.
  6. On the Computer Details page, review the generated computer name, and then select either Join a domain or Join a workgroup. For the domain option, enter the Domain to join, Organizational Unit, and credentials to join (User Name, Password, and Domain). Select Next.
  7. Complete the Windows Deployment Wizard by entering the following information:
    • Choose whether to move user data and settings from a previous version of Windows.
    • Choose whether to restore user data.
    • Specify the Language Settings and Time Settings.
    • Select any apps you want to deploy.
  8. When you’ve completed the required settings, select Begin. Your operating system and selected apps are deployed.
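Each page the wizard shows in the procedure above can be pre-answered from the deployment share, so technicians are not typing domain-join credentials at every client. The following Control\CustomSettings.ini is an added example, not a file from the book or from MDT itself; the server name MDT01, the domain contoso.com, the OU, the task sequence ID W10-ENT, the log share and the account names are placeholders to replace with your own values.

```ini
; Added example: Control\CustomSettings.ini on the deployment share.
; MDT01, contoso.com, W10-ENT, the OU, Logs$ and svc-mdt-join are hypothetical values.
[Settings]
Priority=Default

[Default]
; Welcome page
SkipBDDWelcome=YES

; Task Sequence page: pick the task sequence by its ID from the Deployment Workbench
SkipTaskSequence=YES
TaskSequenceID=W10-ENT

; Computer Details page: keep the name prompt, pre-answer the domain join
SkipComputerName=NO
SkipDomainMembership=YES
JoinDomain=contoso.com
MachineObjectOU=OU=Workstations,DC=contoso,DC=com
DomainAdmin=svc-mdt-join
DomainAdminDomain=CONTOSO
DomainAdminPassword=<join-account-password>

; User data, locale and time zone pages
SkipUserData=YES
UserDataLocation=NONE
SkipLocaleSelection=YES
UILanguage=en-US
UserLocale=en-US
KeyboardLocale=en-US
SkipTimeZone=YES
TimeZoneName=Pacific Standard Time

; Applications page: still shown, so the technician selects apps per machine
SkipApplications=NO

; Summary pages
SkipSummary=YES
SkipFinalSummary=YES

; Copy the logs (BDD.log and the per-script logs) to a share when the deployment ends
SLShare=\\MDT01\Logs$
```

Two points a security engineer checks before using a file like this. The DomainAdmin password here, and the UserPassword that Bootstrap.ini uses to connect to the share, are stored in clear text in the deployment share's Control folder and inside the boot image, and anything that can PXE-boot or mount the share can read them; so, despite the property name, the join account should be a dedicated account with only the right to create computer objects in the named OU, and the share account should have read-only access to the share. Second, SkipDomainMembership=YES means a wrong OU or an expired password no longer stops at a visible wizard page; the join failure surfaces only in the logs described in the next section.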

Need More Review? Deploy a Windows 10 Image Using MDT

To review further details about deploying images with MDT, refer to the Microsoft website at https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.

Monitor and troubleshoot deployment – Deploy and upgrade operating systems


If you experience problems with deployment by using MDT, review the configuration settings for your deployment share. If you’re confident that everything is properly configured, then you can consider reviewing MDT logs. Each MDT script automatically generates logs.

Depending on the type of deployment you’re performing, after deployment, the log files are moved to either:

  • %WINDIR%\SMSOSD
  • %WINDIR%\TEMP\SMSOSD

For LTI deployments, the logs are moved to:

  • %WINDIR%\TEMP\DeploymentLogs

Table 1-15 describes the available MDT logs.

TABLE 1-15 MDT logs

  • BDD.log: Copied to a network location at the end of the deployment. The copy is made only if you specify the SLShare property in the CustomSettings.ini file.
  • LiteTouch.log: Created during LTI deployments and stored in the %WINDIR%\TEMP\DeploymentLogs folder.
  • Scriptname*.log: Created by each MDT script. The log name is the same as the script name.
  • SMSTS.log: Created by the Task Sequencer and describes all Task Sequencer transactions. Stored in %TEMP%, %WINDIR%\System32\ccm\logs, C:\_SMSTaskSequence, or C:\SMSTSLog, depending on your specific deployment scenario.
  • Wizard.log: Created and updated by the deployment wizards.
  • WPEinit.log: Created during the Windows PE initialization process. Useful for troubleshooting errors encountered when starting Windows PE.
  • DeploymentWorkbench_id.log: Created in the %temp% folder when you start the Deployment Workbench with the /debug switch.

Exam Tip

The MDT log file format is designed to be read by CMTrace.

When you investigate the logs, you’ll want to identify any errors. There are numerous error codes with specific meanings. For example, error codes 5201, 5203, and 5205 all mean that a connection to the deployment share could not be made, and deployment cannot proceed.

Need More Review? Error Codes and Their Descriptions

To review further details about error codes with MDT, refer to the Microsoft website at https://docs.microsoft.com/troubleshoot/mem/configmgr/troubleshooting-reference#table-1-error-codes-and-their-description.

Need More Review? Troubleshooting Reference for MDT

To review further details about troubleshooting MDT, refer to the Microsoft website at https://docs.microsoft.com/troubleshoot/mem/configmgr/troubleshooting-reference.
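CMTrace is the convenient way to read these logs, but when you have to triage logs from many machines (for example, everything SLShare copied to a share) a script that understands the record format is faster. The following PowerShell is an added example, not code from the book or from MDT: it parses the CMTrace record format that every MDT log uses, keeps the error records, and annotates the codes quoted in this section. The sample records are constructed, not a real capture, and the assumption that MDT puts the numeric code in parentheses at the end of the failure message is mine; adjust the code regex to what your own BDD.log shows.

```powershell
# Added example (not from the book): triage MDT logs without opening CMTrace.
# Every MDT log record is in CMTrace format, one record per line:
#   <![LOG[message]LOG]!><time="HH:mm:ss.fff+000" date="MM-dd-yyyy" component="..." context="" type="N" thread="..." file="...">
# where type 1 = informational, 2 = warning, 3 = error.

# Meanings quoted from the section above; extend from the MDT troubleshooting reference.
$KnownMdtCodes = @{
    5201 = 'A connection to the deployment share could not be made. The deployment will not proceed.'
    5203 = 'A connection to the deployment share could not be made. The deployment will not proceed.'
    5205 = 'A connection to the deployment share could not be made. The deployment will not proceed.'
}

function ConvertFrom-CmTraceLine {
    # Parses one CMTrace record into an object; returns nothing for lines that are not records.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $pattern = '<!\[LOG\[(?<Message>.*?)\]LOG\]!><time="(?<Time>[^"]*)" date="(?<Date>[^"]*)" component="(?<Component>[^"]*)" context="[^"]*" type="(?<Type>\d)"'
        $m = [regex]::Match($Line, $pattern)
        if (-not $m.Success) { return }

        $severity = switch ($m.Groups['Type'].Value) {
            '1'     { 'Info' }
            '2'     { 'Warning' }
            '3'     { 'Error' }
            default { 'Unknown' }
        }

        # Assumption: the MDT error code appears in parentheses in the message, as in the
        # constructed sample below ("... will not proceed. (5201)"). Accepts "( 5201 )" too.
        $code = $null
        $codeMatch = [regex]::Match($m.Groups['Message'].Value, '\(\s*(?<Code>\d{4,5})\s*\)')
        if ($codeMatch.Success) { $code = [int]$codeMatch.Groups['Code'].Value }

        [pscustomobject]@{
            Date      = $m.Groups['Date'].Value
            Time      = $m.Groups['Time'].Value
            Component = $m.Groups['Component'].Value
            Severity  = $severity
            Code      = $code
            Message   = $m.Groups['Message'].Value
        }
    }
}

function Get-MdtLogErrors {
    # Returns only the error records of one log, each annotated with the meaning of its code.
    param([Parameter(Mandatory)][string]$Path)
    Get-Content -Path $Path |
        ConvertFrom-CmTraceLine |
        Where-Object { $_.Severity -eq 'Error' } |
        ForEach-Object {
            $meaning = if ($null -ne $_.Code -and $KnownMdtCodes.ContainsKey($_.Code)) {
                $KnownMdtCodes[$_.Code]
            } else {
                'Not in the local table; look the code up in the MDT troubleshooting reference.'
            }
            $_ | Add-Member -NotePropertyName Meaning -NotePropertyValue $meaning -PassThru
        }
}

# Constructed sample records (not a real capture) so the example runs offline.
$sample = @'
<![LOG[Property DeployRoot is now = \\MDT01\DeploymentShare$]LOG]!><time="09:01:12.000+000" date="03-14-2023" component="LiteTouch" context="" type="1" thread="" file="LiteTouch.wsf">
<![LOG[Validating connection to \\MDT01\DeploymentShare$]LOG]!><time="09:01:13.000+000" date="03-14-2023" component="LiteTouch" context="" type="1" thread="" file="LiteTouch.wsf">
<![LOG[A connection to the deployment share (\\MDT01\DeploymentShare$) could not be made. The deployment will not proceed. (5201)]LOG]!><time="09:01:20.000+000" date="03-14-2023" component="LiteTouch" context="" type="3" thread="" file="LiteTouch.wsf">
'@

$logPath = Join-Path -Path $env:TEMP -ChildPath 'BDD.sample.log'
Set-Content -Path $logPath -Value $sample
Get-MdtLogErrors -Path $logPath | Format-Table Time, Component, Code, Meaning -AutoSize
```

Point Get-MdtLogErrors at the SLShare folder (one subfolder per computer) to see in one table which machines failed and with which code; the three codes in the table all point at the same thing, name resolution or credentials for the deployment share, so they are the first thing to check before touching the task sequence.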

Authentication methods – Deploy and upgrade operating systems


Now that organizations are moving toward Azure AD and cloud-based identity authentication, administrators can offer enhancements to their users, which both simplify the authentication process and offer increased security.

Traditional passwords can be forgotten, lost, stolen, and even compromised by hackers, malware, and social engineering. One policy that is quickly being adopted is to require that a user present a second authentication factor in addition to a password when they sign on.

Azure AD includes features, such as Azure Multifactor Authentication (Azure MFA) and Azure AD Self-Service Password Reset (SSPR), which allow administrators to protect their organizations and users with secure authentication methods.

Additional verification is needed before authentication is completed and may be obtained through the methods shown in Table 1-16.

TABLE 1-16 Authentication methods

Authentication method: usage (Azure MFA, SSPR, or both)

  • Password: Azure MFA and SSPR
  • Security questions: SSPR only
  • Email address: SSPR only
  • Microsoft Authenticator app: Azure MFA and SSPR
  • OATH (Initiative for Open Authentication) time-based one-time password (TOTP) hardware token: Azure MFA and SSPR
  • SMS: Azure MFA and SSPR
  • Voice call: Azure MFA and SSPR
  • App passwords: Azure MFA only

Microsoft Authenticator app

The Microsoft Authenticator app provides a quick and simple way to add additional levels of security to your Azure AD account.

Once a user has installed the Microsoft Authenticator app on their smartphone or tablet, the user can add multiple work or school (Azure AD) accounts and personal Microsoft accounts. Each time the user accesses a secured resource, they must open the Microsoft Authenticator app and perform one of the following actions, depending on the service configuration:

  • Approve the request Users acknowledge the request by selecting Approve on their device.
  • Retrieve a verification code Users enter the verification code from the app into the resource access page and then authentication is approved.

Exam Tip

To configure whether users are prompted to enter a verification code, or must approve an authentication request, the administrator must enable Mobile app code and/or Mobile app notification.

Users can download and install the Microsoft Authenticator app from the application store for their smartphone platforms.

Explore Biometrics – Deploy and upgrade operating systems


A biometric identifier, such as a fingerprint, provides a more secure (and often more convenient) method for identifying and verifying a user, for both the user and the administrator. Windows 10 includes native support for biometrics through the Windows Biometric Framework (WBF), and when used as part of a multifactor authentication plan, biometrics are increasingly replacing passwords in modern workplaces.

Biometric information is captured from the individual as a biometric sample, which is then securely saved as a template and mapped to a specific user. To capture a person’s fingerprint, you use a fingerprint reader (you “enroll” the user when configuring this). You can also use a person’s face, iris, or even voice. The Windows Biometric service can be extended to include behavioral traits, such as the gait of a user while walking or the user’s typing rhythm.

Windows includes several Group Policy settings related to biometrics, as shown in Figure 1-16, that you can use to allow or block the use of biometrics from your devices. You can find Group Policy Objects here: Computer Configuration > Administrative Templates > Windows Components > Biometrics.

Figure 1-16 Biometrics Group Policy settings
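Group Policy delivers the Biometrics settings shown in Figure 1-16 as registry values under the Policies hive, which is where you verify that a policy actually landed on a device. The following PowerShell is an added example, not code from the book; the registry key and value names are my assumption about what Biometrics.admx writes, so confirm them against the ADMX file in your central store before using the audit at scale. The WbioSrvc service name and the Biometric PnP class are what the script checks for the framework itself.

```powershell
# Added example (not from the book): audit, and if needed set, the Biometrics policy on a
# Windows 10 device. The settings under Computer Configuration > Administrative Templates >
# Windows Components > Biometrics arrive as DWORD values: 1 = Enabled, 0 = Disabled,
# absent = Not configured.
# Assumption: the key and value names below are the ones Biometrics.admx writes; confirm
# them against the ADMX in your central store before relying on this audit.
$BiometricPolicies = @(
    @{ Setting = 'Allow the use of biometrics'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
       Value   = 'Enabled' }
    @{ Setting = 'Allow users to log on using biometrics'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
       Value   = 'Enabled' }
    @{ Setting = 'Allow domain users to log on using biometrics'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider'
       Value   = 'Domain Accounts' }
    @{ Setting = 'Configure enhanced anti-spoofing'
       Key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures'
       Value   = 'EnhancedAntiSpoofing' }
)

function Get-BiometricPolicyState {
    # One object per policy setting, read from the registry the way the Group Policy client writes it.
    foreach ($p in $BiometricPolicies) {
        $data = $null
        if (Test-Path -Path $p.Key) {
            $item = Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue
            if ($null -ne $item) { $data = $item.($p.Value) }
        }
        $state = if ($null -eq $data) { 'Not configured' } elseif ($data -eq 1) { 'Enabled' } else { 'Disabled' }
        [pscustomobject]@{ Setting = $p.Setting; State = $state; Data = $data; Key = $p.Key; Value = $p.Value }
    }
}

function Set-BiometricUsage {
    # Writes "Allow the use of biometrics" as local policy. Run elevated. A domain GPO that
    # configures the same setting overwrites this value at the next policy refresh.
    param([Parameter(Mandatory)][bool]$Allow)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Biometrics'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Allow) -Force | Out-Null
}

Get-BiometricPolicyState | Format-Table Setting, State, Data -AutoSize

# Is the Windows Biometric Service (the WBF host) running, and is a biometric device present?
Get-Service -Name WbioSrvc | Select-Object Name, Status, StartType
Get-PnpDevice -Class Biometric -ErrorAction SilentlyContinue | Select-Object FriendlyName, Status
```

Blocking biometrics with the first setting disables the whole framework, including Windows Hello fingerprint and face sign-in, so in an environment that relies on Hello for Business the setting to manage is usually the domain-user one rather than a blanket block; and because this is a local audit, a device reporting Not configured has no policy at all, which on a domain member means the GPO did not apply rather than that someone chose the default.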

Azure MFA

Azure MFA provides organizations with a highly scalable two-step verification solution, which can be used to safeguard access to data and applications and provide users with a simple sign-in process.

There are several methods you can use to enable Azure MFA:

  • Enabled by conditional access policy The conditional access policy requires two-step verification when the conditions you define are met. It requires Azure AD Premium P1 or P2 licensing.
  • Enabled by Azure AD Identity Protection This method uses an Azure AD Identity Protection risk policy to enforce two-step verification for sign-in to all cloud applications. It requires Azure AD Premium P2 licensing.
  • Enabled by changing user state This is the traditional per-user method for requiring two-step verification. An administrator can configure Azure MFA so that users must perform two-step verification every time they sign in; a per-user setting overrides conditional access policies.

After Azure MFA is enabled, users must register their preferred authentication methods using the registration portal at https://aka.ms/mfasetup, as shown in Figure 1-17.

Figure 1-17 Configuring additional settings for security verification
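Of the three methods above, the conditional access policy is the one that scales, and it can be created from PowerShell rather than the portal. The following is an added example using the Microsoft Graph PowerShell SDK, not code from the book or from Microsoft; it requires Azure AD Premium P1 or P2 as stated above. The break-glass group ID and the policy name are placeholders, and the policy is created in report-only state on purpose.

```powershell
# Added example (not from the book): enable Azure MFA through a Conditional Access policy
# with the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph). Needs Azure AD P1/P2.
# Assumption: the group object ID below is a placeholder for your emergency-access
# (break-glass) group; replace it before running.
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder

function New-RequireMfaPolicyBody {
    # Builds the request body for a policy that requires MFA for every user on every cloud app.
    param(
        [Parameter(Mandatory)][string]$ExcludeGroupId,
        [string]$DisplayName = 'CA001 Require MFA for all users'
    )
    @{
        displayName = $DisplayName
        # Report-only first: sign-in logs then show who would have been challenged or blocked.
        state       = 'enabledForReportingButNotEnforced'
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($ExcludeGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
}

Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

$body   = New-RequireMfaPolicyBody -ExcludeGroupId $BreakGlassGroupId
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body
$policy | Select-Object Id, DisplayName, State

# After reviewing the report-only results, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $policy.Id -BodyParameter @{ state = 'enabled' }
```

Excluding an emergency-access group is not optional: a policy that requires MFA for All users with no exclusion locks the administrators out as soon as an MFA outage or a lost phone hits the last admin account. Keep in mind the point from the list above as well: any user still Enabled or Enforced under the per-user state method is governed by that setting, not by this policy, so clear per-user MFA as you move users under conditional access.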

Configure Microsoft accounts – Deploy and upgrade operating systems


In addition to traditional local accounts and domain user accounts, Windows 10 supports several modern methods of signing in to a device. The sign-in methods employed by an organization provide a strong first-line defense against identity theft, and you need to understand how to configure and manage sign-in options within an environment. This section teaches you how to disable PIN or picture login, and you’ll learn how to configure Windows Hello for Business.

A Microsoft account provides you with an identity that you can use to securely sign in on multiple devices and access cloud services. Because the identity is the same on multiple devices, your personal settings can be synchronized between your Windows-based devices.

On a device for personal use, if Windows 10 detects an internet connection during the initial setup, you are prompted to specify your Microsoft account details. However, you can skip this step and create a local account instead. If the device is personally owned, but you want to use it for work or school, you can register your device on your work or school tenant after setup is complete.

Microsoft accounts are primarily for consumer use. Enterprise users can benefit by using their personal Microsoft accounts in the workplace, although there are no centralized methods provided by Microsoft to provision Microsoft accounts to users. After you connect your Microsoft account to Windows 10, you will have the following capabilities:

  • You can access and share photos, documents, and other files from sites such as OneDrive, Outlook.com, Facebook, and Flickr.
  • Integrated social media services automatically maintain contact information and status for your users’ friends and associates from sites such as Outlook.com, Facebook, Twitter, and LinkedIn.
  • You can download and install Microsoft Store apps.
  • You benefit from app synchronization with Microsoft Store apps. After the user signs in and an app is installed, any user-specific settings are automatically downloaded and applied.
  • You can sync your app settings between devices that are linked to your Microsoft account.
  • You can use single sign-in with credentials roaming across any devices running Windows 10, Windows 8.1, Windows 8, or Windows RT.

If Microsoft accounts are allowed in an enterprise environment, you should note that only the owner of the Microsoft account can change the password. A user can perform a password reset in the Microsoft account sign-in portal at https://account.microsoft.com.

You can sign up for a Microsoft account at https://signup.live.com. After you have created your Microsoft account, you can connect it to your device.