Whether you're installing a workstation or a server, the Windows operating system is designed to get you up and running as quickly as possible. Built-in drivers, ready-for-use applications, and a standardized Start Menu mean fewer devils in the details.
However, there are a few things I always make sure to check off when I set up a new Windows system in a business environment. Some of these steps involve making my life easier so I can work more efficiently, and others involve reducing some pet peeves over which Microsoft and I butt heads. A few of my recommendations involve personal preferences - which of course will vary depending on the administrator involved - but in those cases I outline my reasoning behind these preferences. Many will also apply to home computers, not just those used in a business environment.
Obviously tasks like setting up the initial account, joining the domain and getting online are a no-brainer so I'll skip past these and assume the hypothetical system in question has just booted up and been logged in. I'll also skip steps like manipulating the page file, defragmenting the operating system or installing a registry health check/cleaner since these are largely things of the past thanks to improvements in Windows.
Note: screenshots taken on a Windows Server 2012 R2 system, but the steps should be comparable for other recent versions of Windows.
1. Document the administrator password
It's a small step, but I can't stress the importance of this enough. I use different administrator passwords on different systems (after all, like dominoes falling, if one administrator password is compromised all systems become accessible). They're all stored in a shared password safe called KeePass which my fellow admins and I rely on. If I leave the company, they retain access to these passwords. Of course, they also then have to change all these passwords for security reasons, but that's a different tale.
There are ways to reset administrator passwords - my favorite is to use Hiren's Boot CD to do so (in fact, the large number of possible ways to do this should reinforce why you should physically secure systems to keep them from falling into the wrong hands) - but this can be complicated and time-consuming, and in some situations, if your boot volume is encrypted, you may be out of luck.
2. Reveal what is hidden
I go against Microsoft's grain in a couple of areas. By default, Windows hides certain files such as system files, subdirectories in user profile folders and other elements which would wreak havoc if accidentally deleted. Since the purpose of being a system administrator often involves working with these hidden files to resolve problems, it's essential to be able to find them (it's also frustrating to have to set them to be displayed when you're trying to solve an urgent problem).
Another element I personally find annoying is when Windows doesn't show file extensions for known file types, since this can lead to confusion; is this a PowerShell script, text file, batch file or something else? Yes, the "Type" column lists a description of the file, but I'd rather see the extension for myself.
You can turn off the options to hide these files or extensions via these steps:
Open Windows Explorer, click View, go to Options then click the View tab.
Select "Show hidden files, folders and drives."
Uncheck "Hide extensions for known file types" and "Hide protected operating system files (Recommended)."
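For build scripts, the same three settings can be checked and applied per user through the registry. This is an added example, not part of the original article; `Set-ExplorerVisibility` is a hypothetical function name, and the values it touches are the ones Explorer stores for the current user under `Explorer\Advanced`.

```powershell
# Added example: report on, and optionally apply, the Explorer settings from step 2.
# Set-ExplorerVisibility is a hypothetical helper name, not a built-in cmdlet.
function Set-ExplorerVisibility {
    [CmdletBinding()]
    param([switch]$Apply)   # without -Apply the function only reports

    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $desired = [ordered]@{
        Hidden          = 1   # 1 = show hidden files, folders and drives (2 = hide)
        HideFileExt     = 0   # 0 = show extensions for known file types
        ShowSuperHidden = 1   # 1 = show protected operating system files
    }

    foreach ($name in $desired.Keys) {
        # A missing value comes back as $null and is treated as non-compliant.
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $ok = ($current -eq $desired[$name])
        if (-not $ok -and $Apply) {
            Set-ItemProperty -Path $key -Name $name -Value $desired[$name] -Type DWord
        }
        [pscustomobject]@{
            Setting = $name
            Current = $current
            Desired = $desired[$name]
            Changed = (-not $ok -and $Apply.IsPresent)
        }
    }
}

Set-ExplorerVisibility            # report only
# Set-ExplorerVisibility -Apply   # write the values for the logged-on user
```

Explorer windows that are already open pick up the change after a refresh or the next logon.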
3. Tweak the taskbar/system tray settings
Microsoft is big on pinning things to the taskbar. This process groups multiple running programs together via large icons and can result in a taskbar which looks like this:
This is one of those personal preferences I mentioned in my introduction, but I find this too cluttered and difficult to navigate, especially when I have multiple remote desktop sessions going and want to be sure I'm on the right system (or else the wrong one might end up accidentally rebooted).
The notification area, which consists of icons in the lower right which can help you identify what's running, whether there are problems with the system, or other interesting operational elements, is also collapsed by default so not all icons are visible:
I can reveal all of the icons by hovering the mouse over that little black up arrow:
However, that's too manual for me. So to fix the above two issues, perform the following:
Right-click the taskbar and choose "Properties":
Check "Use small taskbar buttons" and then set the Taskbar buttons field to "Never combine."
Click the "Customize" button next to "Notification area":
Check off "Always show all icons and notifications on the taskbar."
Once you click OK you'll end up with a view similar to the following:
Everything is laid out and easily identifiable, facilitating system management.
4. Drivers and patches
My next task is to install the latest drivers and Windows Updates for this system. Microsoft does provide certain drivers via Windows Update, but I prefer to go straight to the source since those are likely the newest and most appropriate drivers.
This is easier these days than the wild goose chases of the past since vendors are helping out. Dell, for instance, has a great set of tools on their support website which can automatically detect which drivers your system needs then download and apply them for you. Other hardware manufacturers offer similar options.
Some systems are behind firewalls and not provided access to the internet, or may use a centralized patch management solution such as SCCM, so in this case I'll trigger a rollout of all patches to this new system and complete the necessary cycle of reboots so it's fully up-to-date.
5. Activate Windows
This is one of the best messages to come across on a Windows system:
Like a cat at dinnertime, Windows is very good about notifying you when it needs to be activated. In fact, you might say it can nag you quite a bit, especially as the 30-day deadline approaches.
Like a flu shot, I choose to get this out of the way as soon as possible if installing a stand-alone system not on a domain, just in case there are issues with activation I need time to resolve. To activate, go to Control Panel, System and click "Activate Windows Now." If the internet connection works this should happen automatically, but if there is a problem or the system has no internet access then activation by phone is necessary.
Microsoft offers a great service called "Key Management Service" (or KMS) which can handle automatic activation of systems in your domain. Basically, you set up the service on a centralized system and new systems activate Windows through this all on their own thanks to specific DNS records. The only catch is the system must connect to the server every 180 days to confirm its activation status, so if a machine leaves the domain or ends up as personal property Windows will eventually request activation again.
6. Installing Programs
The programs you install on a workstation or a server will vary depending on your needs and tastes. Obviously certain programs such as anti-malware, productivity tools, document readers and foundational elements like Java should be part of the process. For workstations I intend to utilize, Dropbox comes in handy since it contains all my installation programs so once I install this then they eventually appear on the hard drive ready to run. Reduce the number of programs you use on servers, however, to cut down on patch work and exploitable vulnerabilities (do you really need Microsoft Office running on a Windows server?)
However, here are some special free programs I've found indispensable across all the systems I use and manage:
- Clover: A version of Windows Explorer which allows the use of tabs.
- 4-Tray: Permits you to minimize running programs to the system tray and reduce clutter.
- Veracrypt: A program which secures your files using encrypted containers (a single file which can be mounted as a drive).
- Notepad++: The regular Notepad program on steroids. Excellent for reviewing and debugging script files, running macros, sorting items and much more.
- Ninite: Lets you automatically install dozens of programs such as Foxit Reader, Chrome, Firefox, the VLC media player, Java, .NET, Peazip, XNView, PDFCreator, KeePass and many others. Once you select these you can download a single .exe file which handles the entire installation process.
- PortableApps: Many applications can run in stand-alone fashion without having to be officially installed. PortableApps can provide access to hundreds of these apps (you can review their app list directly) by downloading them to your hard drive. It even provides its own app launcher:
7. Control startup items
This tip applies mainly to workstations but can have some merit with servers as well.
Many operating systems and programs set unnecessary elements to start up automatically, such as the Adobe Acrobat Update Service. Many of these can slow down the boot process and add delays, can interfere with other programs and cause issues, or just plain aren't necessary. You can view and control which items are set to start automatically.
For Windows 10, hit Ctrl-Alt-Del, select Task Manager and then review the Startup tab.
You can review items and stop them from starting up automatically by right-clicking them and choosing "Disable." The right-click menu also gives you the option to open the file location, search online about it or examine properties.
For Windows Server 2012, examine startup items by clicking Search and entering:
This just opens the AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup under the local profile, and in this case we can see there are no startup items configured.
You can do the same for Services, which are system-based programs. Run the command:
This will open the Services window:
As with startup items, you can right-click any given service and stop or start it as desired. You can also specify what the service should do the next time the system boots; to disable it, right-click it and choose Properties:
Choose "Automatic (Delayed Start)," "Automatic," "Manual" or "Disabled."
Make sure you know what you're doing here and that the service in question can be disabled if you decide to go this route. Disabling the wrong service might adversely impact your system.
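To review startup items and automatic services in one pass before disabling anything, the script below lists both and records whether each executable carries a valid Authenticode signature. It is an added example, not part of the original article; `Get-AutostartInventory` is a hypothetical function name, and the script only reads system state.

```powershell
# Added example: read-only inventory of the autostart locations from step 7.
# Get-AutostartInventory is a hypothetical helper name, not a built-in cmdlet.
function Get-AutostartInventory {
    $items = @()

    # Registry Run keys and Startup folders, as reported by WMI.
    $items += @(Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{
            Kind = 'StartupItem'; Name = $_.Name; Command = $_.Command
            Source = $_.Location; Account = $_.User
        }
    })

    # Services whose startup type is Automatic (includes Delayed Start).
    $items += @(Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
        [pscustomobject]@{
            Kind = 'Service'; Name = $_.Name; Command = $_.PathName
            Source = "State=$($_.State)"; Account = $_.StartName
        }
    })

    foreach ($item in $items) {
        # Extract the executable from the command line (quoted or unquoted form).
        $exe = $null
        if ($item.Command -match '^\s*"([^"]+)"') {
            $exe = $Matches[1]
        } elseif ($item.Command -match '^\s*(.+?\.exe)\b') {
            $exe = $Matches[1]
        }
        if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }

        # Check the signature only when the file can actually be found on disk.
        $sig = $null
        if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
        }
        $item | Add-Member -PassThru -NotePropertyMembers @{
            Executable = $exe
            Signature  = [string]$sig.Status          # empty when the file was not found
            Signer     = $sig.SignerCertificate.Subject
        }
    }
}

Get-AutostartInventory | Sort-Object Kind, Signature, Name |
    Format-Table Kind, Name, Signature, Account, Executable -AutoSize
```

Entries with an empty or non-`Valid` signature, or an executable outside the usual program directories, are the ones worth researching first; keeping the output from a fresh build also gives you a baseline to compare against later.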
8. Arrange data backups
Whether a workstation or server, the system will quite likely contain some sort of data which needs to be backed up. Arrange to do so either via the official company backup software or arrange synchronization of data elsewhere (such as between servers).
Cloud storage is also an option (if not the official backup product); Dropbox works fine for me in backing up all my data, but it's also important to be aware of security policies and regulations which may prohibit the transfer of data off-site or to a third party.
9. Create an image or take a snapshot
Just as data should be backed up, you might need to arrange for the backup of the applications or operating system. If you can create a system image this can save you the headache of a full reinstallation down the road since you can roll Windows back to this image if needed. Microsoft provides built-in mechanisms to do this, such as for Windows 10. It's also possible to use SCCM for operating system deployments or rely on third party products such as Quest's KACE System Imaging and Deployment.
If the system is a virtual machine, the process can be even easier. Just take a snapshot of it and you can revert to this snapshot later if trouble arises. Just be aware that in some environments snapshots can inadvertently cause issues. For instance, if using the vSphere console with a VMware virtual environment, you might find you can't expand a virtual volume because a snapshot exists of the system.
10. Document/set up alerts
This one often falls by the wayside after setting up a system. Document all necessary details including name, IP address, function, programs, support information and the like. Add asset tags (if applicable) and list the system in any financial-related documents or programs so it can be tracked and end of life (EOL) plans made for retirement.
If this is a server and it runs a critical function, make sure it is added to your monitoring and alerting environment (which of course should exist in any serious business) and that responsible staff are notified of any issues which may arise. Track resource consumption, service status, hardware components and any other elements which may impact operations if adversely affected.
Scott Matteson is a senior systems administrator and freelance technical writer who also performs consulting work for small organizations. He resides in the Greater Boston area with his wife and three children.