MDM & GP Tips Blog

Nov 2018

How to Buy a Laptop for the Normal Person.. in 2019

This is a yearly re-post / re-edit. It started in 2009 and has been updated yearly. This started out as a post to just my closest friends but has become one of my popular blog entries of all time. Here’s my fully updated guide to end-of-year 2018 into 2019.

Quick updates for 2018-2019:

  • Snapdragon "Always on / Always Connected" PCs
  • What is M.2 storage?
  • Jeremy's laptop update ... one year later... after 7 years with his old one.
  • The laptop I use around the office for regular people (Spoiler alert.. it's NOT a Dell).

If you’re an IT geek like me, you’re often asked “What kind of laptop should I buy?”

If you’re NOT an IT geek, you’re likely asking an IT geek friend “What kind of laptop should I buy?”

This is a guide for both of you.

If you’re in IT, this question might not directly affect you, since many IT organizations dole out laptops to the whole staff, including you. However, since you’re seen walking around with a laptop, or have that geeky-vibe about you, I’m guessing you’ve been asked more than once “What kind of laptop should I buy?”

You might be tempted to say “Buy a Macbook” – if only for the reason that you DON’T have a Macbook, and therefore would be unable to help the person in the future. (See this for the example of the problem: That being said, Macbooks are pretty awesome, and if you want to real work on a Macbook, you can do that. That’s just not the point of this article. This is about how to buy a Windows PC laptop. Macs are great, if you want to go there.

If you’re NOT in IT, your problems are substantial too. If you ask three geeks, you might get THREE answers.

With that in mind, here’s “Jeremy’s Guide to Buying a new PC-based Laptop in 2017-2018.” Again, there are a LOT of ways someone COULD do this task. This is what I send to people in my inner circle (friends, family, etc.) when I get the question.

Seriously. I just email them a link to this blog entry, and .. I’m done.

These suggestions should be “good enough” for the common man / woman / student for the foreseeable near term future. Any one person’s particular needs may vary, but you, the IT Pro, should be able to “print out and hand over” these suggestions and have them work for about 90+% of the people you come in contact with.

If you’re NOT an IT geek, you’re looking at the Internet and catalogs and think that desktop and laptops could be “infinitely configured.”

And you don’t have time for that. You want to get back to real work. So, here is a document you can send to anyone who has ever asked that question with some “straight dope answers.”

Yes: This document is long. But, you want to make a GOOD decision which will last you the next 2-4 years, right? So, just read it. Really READ it. Then go shopping.

Jeremy’s Guide to Buying a new PC-based Laptop in 2019

We’re going to answer some questions here like:

  • Laptop or Ultrabook ?
  • What "Chip" should I get in my laptop?
  • Laptop or iPad or Surface (Windows Tablet)?
  • Should I get a $200 Windows laptop?
  • What is / should I get a Microsoft Surface?
  • What’s the deal with Android Tablets and Google Chromebook Laptops?
  • iPad Pro? Will that work for me?
  • Where can I get good deals?
  • What kind of hardware (and warranty) should I get?
  • Should I get Windows 10 or hunt down a laptop with Windows 7?
  • Should I get 32-bit or 64-bit?

Part I: Laptop, Ultrabook or Netbook ?

To make sure we all understand the marketing vocabulary you’re likely to encounter as you go to buy a machine:

  • Laptops: You know what a laptop is.
  • Ultrabook: Just like a laptop, but thinner and lighter.

For most people, they want Laptops. They’re mid priced, mid weight and have a full sized keyboard.

If you pay a little more, you can get an Ultrabook, which is just like a laptop — except lighter.

I think there are a ton of great options out there where you don’t have buy a HEAVY laptop, or buy an EXPENSIVE Ultrabook.

Said another way, you can get a great laptop, which approaches the weight of an Ultrabook, at a “Laptop cost.”

Part II:  Non-Windows tablets (iPad, Android, Chromebooks)

Before we talk about ACTUAL laptops, let’s take a quick turn and chat about your “second” device.

In fact, you might be thinking “Maybe I don’t need a laptop at all, and instead, I’ll just get an iPad, iPad Pro, or Chromebook.” And, what’s the deal with “Microsoft Surface?”

In short, nothing beats a laptop for ACTUAL WORK.

The iPad can be FORCED into a device that can help kinda-sorta help you to do ACTUAL WORK. There’s the iPad, iPad Mini and “jumbo” iPad Pro which.. is just a REALLY BIG iPad and pen with some specialty apps to help you try to do ACTUAL WORK. 

But honestly, I’ve tried a lot of stuff, and NOTHING BEATS A LAPTOP for ACTUAL WORK.

For me, I tend to use my iPad Mini when on the airplane and on the road, watching movies and quick dash emails. 

The bonus of a laptop over an iPad is… its just better at creating and editing documents. Yes, you CAN create documents, deliver slideshows, or make a spreadsheet on an iPad. For me, when it comes to creating content, even simple emails… I need a keyboard. Yes, yes, you can get Bluetooth keyboards that sync with the iPad (and I have one), but still the content creation software and experience isn’t the same as a Netbook, laptop or desktop.

That being said, you might have a friend who "gets away with" having an iPad instead of a laptop. Indeed, Apple tried to suggest this was possible with this ad (link to video).. where a child in the future doesn't even understand te concept of a computer. Spoiler alert: Most people completely hate this ad.

So, here’s my verdict if you want a “Not Full Windows Machine”:

  • If I had “real work” to do, and had to only pick one travel machine for the next 5 years, then, sorry iPad, I’d have to go laptop.
  • If I’m sitting on a beach, bus or couch and want to read, game, surf or NetFlix.. I use my iPad.

How about Android Tablets? Are those good choices?

Possibly. So, I’m (personally) not a huge fan of the current Android world. But I actually believe it’s a very personal choice / taste.

But, I actually recognize I’m in the minority.

That is, apparently more portable devices run Android than anything else out there. But I don’t own one, so I can’t personally recommend it.

I will say that Android devices (Phones and tablets) seem to get a lot of viruses and crap that iPads simply do not. For that reason alone, I wouldn’t recommend them to most people.

If you’ve got a friend with one, ask to play around on it. But even if I loved it, I’m not sure I’d want it as my only content-creation machine.

What’s the deal with the “Google Chromebook Laptop”?

Whew. This is a tough one. So, non-IT folks… stick with me here.

Every year I get a lot of comments telling me that I don’t give Google Chromebooks enough “discussion.”

Fine. Okay.. Here’s the Wall Street Journal article entitled “You can ditch your PC now” which demonstrates for some people its possible to use a Chromebook for many (most) tasks.

Google has a “full size laptop thing” running an OS called the Chrome OS.

Here’s the deal: It has no hard drive, and ALMOST everything you do is in the cloud. Meaning, really, that when you save stuff you’re saving to a website which stores your stuff for later access.

  • Does it run Windows applications? No.
  • Does it run Mac applications? No.
  • Does it run iPad apps? No.
  • Does it run Android apps?  See below.
  • Might you want one anyway? Possibly.

A recent addition to the Android arsenal is the new idea where SOME Chromebooks can run Android apps. Here’s a list of currently supported devices. Of course I don’t maintain that list and who knows when it gets updated.

But that’s kind-of-sort of interesting for me, if there was some key application I wanted to use while in my submarine or the WiFi goes down.

Back to their core usage: Where are these Chromebook devices GREAT? In school (K-12) environments. They run Google apps and all the Google-y stuff you already use.

So teachers just give ‘em to students and if they break? O well. There’s nothing stored on them anyway. Since the Internet is always on (usually) in the school, it makes a lot of sense there.

For me, though, it’s not how I want to work. But some people can and do use a Google Chromebook is their “daily driver” for all things. And with the addition of Android apps you can take on-the-go with you, it’s a serious iPad contender and possible laptop replacement for some.

But not me personally. I have several friends who love them and give them to their parents as their “daily driver” for all things. In fact, I tried this.. I tried to suggest to an "older friend" to give a Chromebook a try, but she didn't love it. I'm not exactly sure why.. but maybe it was just too different from her usual (old) experience and went back to Windows.

Okay: Back to laptops and Netbooks.

Part III: Which laptop brand should I get?

Read this part first, before we get to the “Should I try really hard to get Windows 7 on my laptop” section. We’ll answer that in a minute.

Okay: Here’s the thing about all laptops. All of them: basically, they’re all the same.

Shocker, I know. But so are cars. They are all basically, almost exactly, 99% the same. Some of the “differences” might be:

  • Extra ports or USB 3.0 vs. USB 2.0.
  • USB “C” port(s). (None of my laptops have this, and I do just fine, thank you very much.)
  • One or two “video chips” (don’t get me started).
  • Keyboard twists / converts to make it a tablet.
  • Keyboard snaps off to make it a tablet.
  • Keyboard doesn’t exist at all (so it *IS* a tablet) and you ADD a keyboard.
  • Some are a little faster or a little slower.
  • Some are heavier. Others are lighter.
  • Some have 10-key keypads build in and some do not.
  • Some have BIG power supplies (which add to the overall weight of travel). Others have small wee ones.
  • Some are “bigger” and have a full sized keyboard. Others are smaller (Netbooks.)
  • Some laptops have touch screens, some do not.

But… again 99% of all laptops running Windows are EXACTLY the same “guts” and what they’re capable of.

Since they all do the same basic thing, for the MAJORITY of “Joe and Jane users” you almost CANNOT GO WRONG in buying a new laptop nowadays.

This is going to sound totally weird, but my primary suggestion to prospective buyers of laptops and desktops is: UNDERSTAND THE WARRANTY.

We’ll cover this in the next part of this talk.

Of course, you’re also looking for a good deal. So, here are my top five deals for anyone looking for a computer:

1. New Dell Inspiron laptops. They’re cheap, decent, fast, and have Dell’s warranty (again, more on this in a second.) Click here to see them. I wouldn’t recommend _all_ of them. Some of them have the “wrong” processor type. (again, more on this in a second.) And this year and until I'm dead, I’m recommending ONLY disks without moving parts (SSD) .. again, more on this in a bit.

2. Dell Factory Outlet  This is Dell’s “island of lost toys.” This usually mans “Jane Doe couldn’t afford her new laptop for her son Johnny Doe after all, so she sent it back after 9 days of light use.” It doesn’t really mean “It was dropped, so it’s now crap.”  Even if it did, Dell still puts an original warranty on everything they sell there, which is the most important part of owning a laptop. I’ve literally bought 4 Dell laptops using the Outlet store.

3. and NewEgg. They do sell new computers, but also “fell off the truck, if ya know what I mean”, off-lease (meaning, used) or are market closeouts in some way. But, holymoly.. lots and lots of awesome deals here. I promise you won’t find better deals than Tigerdirect. You will get the MOST bang for your buck, especially if you’re looking for something “higher end” at “lower cost.” But here’s the trick: Tigerdirect doesn’t warranty these. They’re always “factory direct warranties” whatever that means. And since they sell all brands, I don’t know what to tell you – even if you find a great deal. You’ll have to manually inspect the warranty yourself, call the company and see what their story is. Don’t expect Tigerdirect to help you when you have a problem. They sell it to you. They mail it to you. That’s the extent of your relationship.

4. Retail: Best Buy, hhGregg, Office Max, Office Depot, Staples: Even if they swore “up and down” that they had the most amazing warranty of all time, PLUS a killer deal  I still wouldn’t buy the computer and warranty from any of them. Plain and simple: There are KIDS working in these stores, and this is YOUR business / personal laptop. Sorry, but I can’t trust any of these outfits with my most precious business instrument. Not to mention that these kinds of stores turn over equipment types and makes and models so, so quickly. Will the kid behind the desk know what to do when you bring yours in from 1.5 years ago?

5. Other Internet sites:, Buy.Com, and others. Again almost always ONLY manufacturer’s warranty or some kind of 30-90 day only warranty. Again, not my cup of tea... as a RECOMMENDATION for most people. (More on this later.)

Part IV: Understanding the warranty (the most important part of your laptop.)

Let’s talk about Dell, specifically, for a second though. Why have I, historically, always owned a Dell laptop? (But, read all the way to the end about why I personally use Lenovo laptops. Trust me: This makes sense if you read all the way to the end.)

Simple. Dell's warranty is easy for my pea-brain to understand.

Here’s how it works:

  • The default warranty is 1 year if something “dies.” Examples are: Power supply, screen goes blank, USB port dies, whatever. You call up. They try to fix it over the phone.
  • If it needs a part you can replace (ie: battery, mouse, removable DVD drive) they ship it to you; you replace it yourself. You put the broken part in a pre-paid box back to them, and drop it in the mail. You are done.
  • If it needs a part you can’t replace (laptop screen, motherboard) the part is shipped “overnight” to a “regional center.” Then when the part arrives, the center calls you and you schedule a time to get your machine fixed.
  • For a little extra money when you buy your laptop, you can get 3 years on-site (ie: they come to you) coverage.
  • For a little “extra extra”, you can get “I spilled coffee directly in it”, “I dropped it hard on a marble floor” or “I dropped it in a lake” insurance, which will cover things like that. Really. At least that’s what they say.

Now.. with that said: I, with my pea-brain, can understand this warranty structure, and can embrace what it means.

To be clear: This warranty structure doesn’t mean “my problem will be fixed in 24 hours.” (Especially on a Thursday or Friday.)

It means: “We (Dell) spring to action right away… If you called us with your problem after 2.00 PM or so, then we’re going to miss Mr. DHL delivery dude for today. So, we’ll have to ship it tomorrow then it will (usually) get to the local repair depot the next business (shipping) day. And when it arrives, then you’ll get a call. Only after the part arrives at the local depot center, will we call you and schedule an appointment for up to 24 hours after that.”

That’s the deal.

So don’t expect your warranty coverage to mean “your problem will be fixed within 24 hours.” Expect them to get started on your problem right away and have it fixed 24 hours AFTER the part is in the hands of the depot.

So, because I ‘get’ the deal, I usually recommend Dell. It’s the “warranty-devil” I know, and I’m totally cool with that deal.

That said, I always recommend Dells to Joes and Janes when they ask me what laptop to get because:

  • 99% of the any laptop you get is exactly the same and
  • I can EXPLAIN the warranty to them and ..
  • They can decide if that’s what they want.

I cannot OVER-EMPHASIZE how important UNDERSTANDING your laptop’s warranty and restrictions are. This is literally, the #1 factor you should choose in buying a laptop.

Again: I’ve described Dell’s warranty service above. If you want to check out other manufacturer’s warranties, great. I’m just giving you my personal experience with Dell and warranties.

Part V: “How much laptop do I, a regular person, need?”

If you’re planning on: Surfing, Facebook, using Microsoft Office, Google Docs, Gmail, Hotmail, Office 365, NetFlix, Skype and other usual stuff you’ve got what I call “modest needs.”

If you’re running some high powered stuff like Quark, World Of Warcraft (or other high end games), Final Cut, Movie Maker, VMware Workstation, HyperV, Autocad, Camtasia Studio or Mathemetica, you might need more than what I’ve listed here.

Now, before we get into this, there’s a handful of.. holycow.. NEW $200 full Windows laptops out there. (Here’s an older Wall Street Journal Entry on them. And here’s a article from 2017 on sub-$200 laptops) And here's an article for 2018 from Best Laptops World for computers under $200. But … they FAIL the “sniff test.” Read the article, then also read my discussion on Chip Type.. right here.

So, here’s my answer for your “modest needs” person.

CPU Chip type and speed:

Here’s the dirty little secret the laptop manufactures don’t want you to know: This almost doesnt matter. Or said another way, you almost cannot go wrong. Here are my suggestions:

Regular Intel Chips: i3 / i5 / i7

Intel’s chip lines are the Intel Core i3, i5 and i7s. The i3 is usually the best bang for the buck but I wouldn’t turn down the higher model i5s or i7s. Again, i3 (any speed) will be perfectly fine for almost anyone. Get the i5s if you can afford it. The i7s are almost certainly overkill for almost everyone.

Intel Celerons (Avoid at all costs)

Avoid “Intel Celerons” at all costs. None are acceptable. Ever. This is why you don’t want to buy the $200 HP Stream 11 laptop .

See the above line: NEVER EVER buy a laptop with an Intel Celeron. EVER.  

ATOM Processor

I would also avoid anything with Intel ATOM. They’ll run all Windows apps. But slower. The PLUS side is that battery life is greater on these, but definitely slower than the Intel “i” series I mentioned above.

Snapdragon Laptops (new for 2018-2019)

New for 2018-2019, there's a new choice on the block ... in a chip called Snapdragon. If this word maybe sounds familiar to you, it's because many phones utilize Snapdragon processors. They are very low power, which means you get pretty insane battery life. Snapdragon laptops are closer to ATOM processors than they are to Intel i3/i5/i7s. This is because all the software you're running has to convert everything from "Intel speak to Snapdragon speak."

They are considered "Always on, always connected." So even if you close the lid, they don't really go to sleep... they jusst "sip" power and will just be ready to rock when you re-open the lid. (Like an iPad works.)

The good news is that, by all accounts, Snapdragon PCs are pretty nifty and if you use your PC like I use my iPad... for checking web stuff, surfing, skyping, etc etc. If you use a PC like this, then a Snapdragon PC is a pretty good choice. There is a tradeoff: you have to sacrifice a speed drop, but you get a really big advantage of outrageous near all-day battery life. Well, that's the idea anyway. This fair review of a Snapdragon PC is not too, too glowing. These Snapdragon PCs are getting faster... but I'm not sure I would want it to be my daily driver. So... I'm not recommending it for students, and "worker bees" or people who create content and work for a living... yet. Maybe 2019 - 2020 or 2021 will be the year.

Gamer Laptops

Avoid all “gamer” laptops. Avoid due to the high price tag and low battery life and large power supply to lug around. And I've used some of these gamer laptops, and they don't really feel faster than what I'm using now for work-like stuff. I'm sure they do awesome on games. But I don't play games.


The new modern standard is 8GB. You could get away with 4GB likely just fine. But if if you had an extra $40, get 8GB over 4GB.

Note that I am NOT recommending you get more than 8GB for most modest-needs users. If you happen to get MORE than 8GB of RAM, bully for you, but you likely will never really need or use it.

Hard drive:

There are fivekinds of hard drives now:

  • Spinning disks (the kind we’ve had for years)
  • SSD disks which have no moving parts at all and
  • eMMC drives (also have no moving parts at all)
  • Hybrids which are spinning disks with some extra SSD stuff slapped on.
  • M.2 disks which are like SSD disks, and look like little sticks of Wrigley's gum. These are generally faster than SSD disks, aren't needed for most mere mortals. Standard SSD disks are just fine.

Note that the older spinning disks are still found in 50% of all laptops. These are typically labeled SATA, but that's kind of a misnomer. SATA is the interface... so a SATA interface might connect wither a traditional spinning disk -or- an SSD disk. So, read the fine print and verify what you're getting when you see "SATA": are you getting a spinning disk (connected via SATA)? or are you getting an SSD disk (connected via SATA)?

I would avoid spinning disks in total now, and opt only for the SSD  or M.2s (which has no moving parts.) The catch however is that SSD and M.2 disks are more expensive than older spinning disks (for the same amount of space.) Manufacturers used to only have small SSDs for some reason; now they’re finally getting their acts together and you can go pretty big. Avoid eMMC drives, which are found in PCs as well; these kinds of drives are made for phones' storage, but sometimes PC makers will put them in PCs. Don't use eMMC drives if possible.

In short getting an SSD (or M.2)  vs. spinning disks is going to be the greatest one thing you can do to make your laptop (even your old, crappy 3 year old laptop) feel insanely fast. More on SSD disks a little later.

Video card / chip:

Unless you’re playing games, it doesn’t matter.


Even if you’re planning on watching NetFlix or Hulu, or playing Mindcraft, those kinds of apps really don’t care about your video chip / card much.

Even on my super old crappy 8 year old Netbook, I am able to see full screen videos (wirelessly!) without any issue with a good network connection.

Avoid laptops which tout “multiple” or “two” video chips. These give you extra headaches for almost NO VALUE to the mere mortal.

Screen Size / Resolution & Touch:

Look for something with WXGA or WXGA+ resolution. This can mean 1280×720 and up, which is decent on a laptop. 

In a total surprise, I find Microsoft Surface laptops to have "too much" resolution and too insane on my eyes. I'm over 40, and.. well, that means my eyes are just so-so. I would test-drive any laptop and make sure the resolution works for you. Of course this is adjustable in software / Windows.. but sometimes Windows looks lousy when not at the uppermost maximum resolution.

Some laptops don’t have touch screens. You might as well get a touch-enabled laptop, since things do appear to be getting “touch-ier.” That being said, as I write this year’s revised article, the two laptops I own; neither has a touch screen.

Wireless Network Card:

All laptops have built-in Wireless cards. You don’t have to get all worried if you don’t have the fastest wireless card.

Ideally, look for one that has “n” in the spec, like 802.11n to get the fastest. Note that 802.11n isn’t actually the fastest thing out there. It’s actually 802.11AC but I think only a handful of laptop manufacturers put 802.11AC chips built into their notebooks (Asus being one of them).

Part VI: Picking the OS. Windows 10, Windows 10 S and Windows 7 

So, let me start out by saying it’s really, really hard to get a new laptop WITHOUT Windows 10 on it.

There really isn’t any compelling reason to get Windows 7 anymore anyway. Windows 10 is the “last” version of Windows, but it will constantly upgraded and updated with new features every few months.

In short, you pretty much have to get it.. so just get it… UNLESS your business or school or something requires you to have Windows 7 and NOT Windows 10. Besides, Windows 7 support ends January of 2020.. so I would avoid Windows 7. It's hard to find now on new machines anyway, so, just go Windows 10 and be done with it. 

My advice for “normal people” would be to spring for a machine with Windows 10 Pro.

Why not “Windows 10 Home?” It’s Cheaper right?

Right. But it’s missing ONE KEY feature I think everyone should be using, which is BITLOCKER Full Disk Encryption. And that is not within Windows 10 Home, so, for me.. it’s a non-starter.

Note: My geeky friends will notice Windows 10 Enterprise isn’t on this list, because they are NOT sold with NEW machines are only available to IT departments.

This chart is excellent to see what you get in which edition (left most columns): 

Note also that some new laptops might come with Windows 7 or Windows 8 or 8.1 pre-loaded. It depends on the manufacturer if you get “Windows 10 Ugprade rights.” I would just skip all of this and get Windows 10 Pro.

Now: There’s another new kid on the block with Windows. Windows 10S. Windows 10S comes pre-loaded on some laptops and here’s the deal:

  • You can only install stuff from the Windows 10 Store.
  • You can only use Microsoft Edge as your browser
  • You cannot “download any application from the Internet” (like .MSI or EXE apps) and expect it to run. It won’t.
  • You can UPGRADE from Windows10S one time to Windows 10Pro if you purchase a upgrade license.
  • You CANNOT DOWNGRADE from Windows 10Pro backward to Windows 10S.

So, why does Windows 10S exist? Because in the same way there is goodness and utility when an iPad is “locked” to using the Apple apps store, and an Android Tablet has goodness and utility when “locked” to the Android Store… Windows 10S also has goodness and utility when “locked” to the Windows 10 Store.

So these Windows 10S machines are like “Windows’ versions of Chromebooks, but you can download apps.. lots of them from the Windows Store and do a lot of useful stuff.” But you can’t get yourself into too much trouble with viruses, malware, and evil stuff because.. these Windows 10S computers simply cannot run that stuff.

So Windows 10S might be a pretty good option.. for SOME PEOPLE, SOME TIMES. Microsoft is touting Windows 10S as an excellent choice for Schools and “Front Line Workers” like hotel clerks, storefronts, and so on.. because they don’t need to do too, too much and don’t want to get into too much trouble. If this sounds good to you, check it out and see if a Windows 10S machine might be right for you. If it stinks, just return it. Or... you can do a one-time upgrade of Windows 10S to Windows 10 Pro. Here’s a good article about using a Windows 10S as a daily driver. I recommend the read.

Part VII: 32 bit vs 64 bit.

Most new machines you will get are 64-bit capable. 64-bit capable means you get two major benefits.

Since most machines (laptops, not netbooks) you will buy nowadays are 64-bit capable, if you had an extra minute before clicking “buy now” I would check to ensure your new machine it’s 64-bit compatible and Windows 10 64-bit is pre-loaded.

Okay  — why would you care?

  • Benefit #1: With 64-bit you can tap into all 4GB+ of memory you purchase. If you were to use the older 32-bit OS you will only see 3.2GB of your 4GB purchase. Weird, but that’s how it works.
  • Benefit #2: By and large, the computer will be “faster” than the exact same machine running a 32-bit operating system. Even though we’re talking about identical systems, the 64-bit is faster all around because it processes (many / most) things in 64-bit “chunks” as opposed to 32-bit “chunks.” So it’s overall, faster.

So, in short, if you CAN get a 64-bit Windows 10 edition pre-loaded on your machine, I say “do it.”

In the old days, there were driver problems with 64-bit editions.

No more.

If the machine comes pre-loaded with Windows 10 and has 64-bit support, you’re likely quite golden with regards to drivers. You could, maybe possibly have some problems with some of the stuff ATTACHED to your machine, like Printers and Scanners. But Windows 7 and 8′s drivers support is excellent and those drivers should work in Windows 10. It’s a rare (mostly modern) device that won’t work with Windows 64-bit. Note: some won’t, and that’s a possible 64-bit risk.

For more information on 32 vs 64 bit support from Microsoft’s perspective, read this.

In short, for regular people, my advice is simple: Get Windows 10 Pro 64-bit edition pre-loaded on your laptop if you want guaranteed success.

Where do I go next:

Again, your best bet for Price / Performance is the Dell Factory Outlet: 

I found many, many, many under $600. Here’s an example available now as I write this:

  • Processor: Intel Core 7th Generation i5 Processor
  • Windows 10 Pro 64-bit
  • 256 GB Solid State Drive
  • 8GB DDR4 RAM 
  • 14 Inch HD (1366×768) LED-backlit Non-Touch Display
  • Intel HD Graphics
  • Dell Outlet Latitude 5480 Laptop

Total price: $587 (as of Nov 29, 2018)

Are these the best, lightest, fastest, crispest, nicest laptops you’re going to find? DEFINITELY NO. But for MOST PEOPLE these laptops (and the warranty I explained earlier) are PERFECT for mere mortals.

So, after this: everything else.. everything else.. is just bells and whistles when it comes to laptops. 

You could argue that touch is becoming more and more important. So, if you wanted touch, then… get one with touch.  :-) Again: I have two "daily driver" Windows PC laptops, neither has touch, and I don't miss it, not even a litle bit.

If you do want to go there, my only other big alternative might be a Microsoft Surface device. These are tablets that convert into laptops with snap-on keyboards (extra cost.) But the devices are amazingly built and very slick. You can go thru the myriad of options (again, this will be more expensive than other laptops, but you will almost certainly be happy with the experience.) Anyway, check them out here.

Part VII: Wait.. you said Solid-State (SSD) disks were the best, why don’t I see those (sometimes) when I try to buy a new laptop?

Here’s a fact: Your computer is ONLY as fast as its SLOWEST part.

Want to know what the slowest part is? The “spinning disk” hard drive. (Or “Hybrid” which is a spinning disk with SOME non-spinning stuff slapped on.)

Remember: Most computer manufacturers are cheap. They want to make something cheap and sell you something that works. When you get it they want you to be REASONABLY happy enough NOT to send it back. Its also in their best interest to say “500GB hard drive” or “750GB Hard drive”. Sounds HUUUUGE. So, ”spinning disks” do the job. They’re cheap and plentiful.

But, your spinning disk is holding you back.

SSD and M.2 disks are where the action is. Sometimes you cannot buy SSD disks with new systems (or if you do, you can only get the smaller ones.)

Why? See point #1 above: Spinning disks are good enough. So that’s what manufacturers sell. It won’t be like this forever. I suspect in the next year this will tip the other way to SSDs being normally available in bigger sizes.

So, here’s the (counter-intuitive) recommendation if you want to maximize your new laptop and make it feel AWESOME / ZIPPY for the next several years. Note: There is a litttttttle risk and costs involved here. But I think its worth it. Here goes:

  • Buy your machine with the SMALLEST spinning disk hard drive you can. Usually the smallest is 320GB for laptops made.
  • Buy your own SSD. Buy the biggest you can afford. I have tested several brands, and can only hands-down recommend ONE manufacturer: Samsung.

Samsung has three “flavors” of SSD disks. But, for YOU the mere mortal, there’s only one: The Samsung EVO.  Here on Amazon it’s $158.00 for the 120GB version.  A little more for 256 and so on, and you can select up to 1TB if you wanted (obviously for more money.)

In MOST cases (not all!) these drives come with a cable and software to MIGRATE the hard drive you HAVE onto the new platform. Always remember that in most cases, you need to be USING less space than you’re GOING to. (Be sure to read the details of your purchase CAREFULLY to ensure that your drive comes with a transfer cable if you want to do this yourself.)

Anyway.. here’s an example:

– Your new laptop comes with a 500GB spinning disk hard drive.

– Its using 20GB of space of that 500GB.

You can then upgrade to the 120GB SSD because you’re only using 20GB of that space.

Here’s another example:

-Your laptop comes with 500GB hard drive.

-You’re using 300GB of that space.

You cannot shove 300GB of stuff into that 120GB SSD disk.

Its usually pretty easy to then take out the OLD drive and throw in the NEW drive. If you’re UNCOMFORTABLE with all of this, you can pay someone at Best Buy or your local computer store to do all of this for you. Don’t pay more than $100 for the LABOR involved here.

What do you do with the original drive you took out? For $10 whole dollars on Amazon, you can put your ORIGINAL drive in a USB 3.0 case and reclaim that space as “spare” .. for pictures, videos, docs, whatever.

Part IX: What kind of laptop do you own, Jeremy? (Here comes a little geekier stuff.)

Some of you may wonder what kind of laptop I am running?

I finally in 2017, retired my laptop that I used since 2011 !! Up until this year, I used a Lenovo W520 with a four-core i7 processor and 1.5TB of SSD hard drive space (two SSD disks) and 32GB of RAM. It’s big and heavy and the power supply is .. just.. huge.

Now, for a little over a year, I have used a Lenovo T470P (P= Performance in case you care) with an i7-7820HQ 4-Core 2.9Ghz processor, 32GB RAM, and 2TB M.2 SSD space (which cost me as much as the laptop ITSELF!)


I do live demonstrations in front of thousands of people and my laptop has to FLY.

I have another machine which is a Lenovo X260 running Windows 10 64-bit with 16GB of RAM and 512GB SSD disk, and its totally fantastic to represent my “mere mortal machine”. This is the machine I carry around the house, or on a one or two day trip somewhere, where I am not presenting demos (but maybe demoing PowerPoints only). It has "near all day" battery life, but is pretty fast, and I can do 98% of what I would need to on my super fast "big boy" laptop.

I can hear you now: “But what about Dell? You reference Dell like 80 times in this article. Didn’t you basically tell me to buy a Dell?”

Yes, I did.

I recommend Dell for most people. But I personally like Lenovo’s “build quality” a lot better, and .. with my multiple Lenovo laptops I’ve owned over the years, I have literally NEVER needed the warranty. I’ve never had a pixel go bad, never had a USB port fry out, or a keyboard die. Not one. Not ever.

Remember: I’m an IT guy who does hard core demonstrations, so my needs are greater than some others. I need 32GB of RAM in my laptop, seriously fast hard drive and a lot lot more.

Again: my set up is NOT RECOMMENDED for regular people.

Let me be frank: the Lenovo buying experience is not great. The laptops take forever to get to me and the last time, my assistant called every day for 90 days to get confirmation of the activation of the warranty.

I wouldn’t want to put Jon and Jane Buyer thru either of those experiences. And I’m bordering on afraid to use the warranty service. Haven’t used it yet, I’ll cross my fingers. Heck, I don’t even know where to call if I had a problem. And that’s a problem.

For some of the people in my business, I have purcahsed them Lenovo T430s machines which I got as a refurbished deal on These are "off lease" / refubished machines. "Why would I do this to myself?" flying in the face of my own advice. Again: I'm not a regular person. I know what I'm doing. If one of these laptop dies, I'm confident I can rip the hard drive out and stick it another PC and be working the same day. And, I've had one of these machines fail.. the same day I got it. And then never again. So, again: Lenovo's appear to work like tanks, and I'm happy with my skillset to deal with "no warranty" or "sub-par" warranty on these systems to save some dollars, because I can recover if one of these T430s machines should die around the office.

Final Thoughts (and if you read nothing else…)

So, for regular people, I still recommended the Dell Outlet to get cheap, reliable, new computers and the Dell warranty for reliable, easy to understand warranty service.

Hope this guide helps you and your friends out.

– Signed, your friendly neighborhood Jeremy Moskowitz, Enterprise Mobility MVP

Nov 2018

Windows 1809 ADMX Files, Spreadsheet, and Security Baselines ... Out the door and final.

If you're using Windows 1809, the final 1809 ADMX, 1809 ADMX Spreadsheet and 1809 security baselines are out the door.

1809 ADMX:

1809 Spreadsheet:

1809 Baselines:  

As a reminder, here's my best practice video for ADMXs and how to update the central store:

That's it. ! Hope it helps you out!

Thanks to my friend Jeremy F for the reminder to send this to the gang... !



Nov 2018

What is the Policy CSP and why is it special to Intune?

So we said that CSPs are embedded interfaces in the Windows 10 OS that give MDMs the ability to read, set, modify and delete configuration settings.  This gives administrators the ability to command and deliver settings for enterprise devices.

There are many CSPs, but there is one particular one that is special.  That one is the Policy CSP. 

Like all CSPs, the MDM engine takes directives from it.  What makes it prominent is that it contains so many of the common items that admins are used to managing in Group Policy.  For instance, the Policy CSP contains settings for common components such as:

  • Browser
  • Defender
  • Device Guard
  • Power
  • Remote Desktop Services
  • Update

For instance, may you want to prevent users from terminating a task in the Task Manager.  Well, the Policy CSP contains a TaskManager Policy and the name of the settings is TaskManager/AllowEndTask.  The data type for this setting is integer and the supported values are as follows:

  • 0 - Disabled. EndTask functionality is blocked in TaskManager.
  • 1 - Enabled (default). Users can perform EndTask in TaskManager.

The TaskManager Policy is supported in the following Windows 10 Editions.

Chart taken from

The Policy configuration service provider contains sub-categories.

  • Policy/Config/AreaName – Handles the policy configuration request from the server.
  • Policy/Result/AreaName – Provides a read-only path to policies enforced on the device.

The Policy CSP have a scope to which its settings can be configured.  Some policies have settings that only apply to the device itself regardless of who is logged on to it.  Others apply to the user which means that settings can vary depending on which user logs on.  Each policy includes a path that defines its scope.  The possible scope paths are as follows:

User scope:

  • ./User/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
  • ./User/Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.

Device scope:

  • ./Device/Vendor/MSFT/Policy/Config/AreaName/PolicyName to configure the policy.
  • ./Device/Vendor/MSFT/Policy/Result/AreaName/PolicyName to get the result.

This is a quick introduction to the PolicyCSP. In other blog articles we'll examine more how to take advantage of it.


Nov 2018

What is a CSP and what is a Custom OMA-URI? (and how do I deploy one in Intune)?

CSP stands for Configuration Service Provider.  You might think Intune i somehow a CSP but that would be incorrect. 

Intune is an MDM service. 

A CSP is a component of the Windows 10 operating system; kind of like a Client Side Extension (CSE) is to Group Policy.

The CSP is what gives IT personnel the ability to apply device-specific settings to Windows devices.  In our case, that means using Intune to do it.  In doing so, IT can be assured that all company devices are compliant with the standards and policies set forth by the organization.  Keep in mind that you can deliver setting configurations to CSPs through other means than an MDM such as Windows Configuration Designer, which is used to create provisioning packages.  

So what are these CSP’s?  Well, you can go to Microsoft’s website and look them up at

Notice that not all operating system editions support each CSP because some settings are unique to select OS versions.  In addition, many CSP’s contain settings introduced in designated Windows versions.  This means that the settings are not supported in versions prior to that release.  

So let’s look at the inner workings of a CSP.  Let’s say you want to enable BitLocker for all the mobile devices used by your HR and Finance personnel.  Well, there is a CSP for that called BitLocker CSP.  If we look at the available settings for that CSP, they look like this:

Chart came from

CSP settings accept some sort of data type value to enable or disable the setting.  In this case, the data types are integers, either a 0 or a 1.  A value of 0 disables the settings while a value of 1 enables it.  The setting RequireDeviceEncryption for instance allows an administrator to require the use of BitLocker encryption on designated devices.

So let’s say our security minded administrator wants to deliver an integer data value of “1” to the BitLocker CSP contained within the HR and Finance devices.  That administrator just needs an interface to configure, assign and deliver them, and that is where Intune comes in.  Below, a Profile was created called “BitLocker Settings”  that now delivers the selected Windows Encryption settings.

How easy was that?  Ridiculously simple indeed. 

Keep in mind that not all CSP settings are "surfaced" as settings within Intune. 

So what happens when we want to configure settings on a CSP that doesn’t appear in Intune?  Well, there are two options.  The first would be to sit and wait around with our fingers crossed and hope that Microsoft Intune developers will add our desired settings soon.  The other way is to take matters into our own hands and make a Custom OMA-URL.  So how do we do this?

A key (and useful) example is how to make MDM vs. GP more deterministic.  Starting with 1803 however, a policy called “ControlPolicyConflict/MDMWinsOverGP was created to give you control over which one won.  So while the policy setting doesn’t appear by default, we can create a customized URI for it that will enforce the outcome we want. 

Intune provides an interface to create Custom OMA-URI policies within a profile.  We just have to provide some information which is outlined below. 

  • Name
  • Description
  • Data Type
  • Value

In the case of this CSP, the possible values are

  • 0 (default)
  • 1 - The MDM policy is used and the GP policy is blocked

In the case the creation process will look like this:

For more information concerning this particular CSP:

But the point is: Don't have a "knob" for the setting? Make a custom OMA-URA and you're off to the races.

Nov 2018

What is Azure AD connect, and how is it related to Intune?

If you are familiar with the concept of Windows Server Active Directory, then you already have a good idea of what Azure AD is.  It essentially is a cloud version of Active Directory which was introduced in Server 2000, which seems like forever ago.  In technical terms, it is Microsoft’s cloud-based identity and access management service.  The basic concept of the two AD’s is the same; users logon and authenticated to AD and then access resources.

So why the need for Azure AD?  Well, we live in a different world today than we did when Server 2000 was unveiled.  We live in a mobile age that is dominated by the Internet and traditional AD wasn’t designed for a world like that.  Azure AD on the other hand is designed to support web-based services that use Representational State Transfer API interfaces.  In simple terms, it was created for cloud based applications such as Office 365,, etc.  To do that, it had to be based on completely different protocols, specifically SAML and OAuth 2.0. 

There are a number of versions of Azure AD:

  • Azure Active Directory Free
  • Azure Active Directory Basic
  • Azure Active Directory Premium P1
  • Azure Active Directory Premium P2

The differences between these different versions is two fold.  As you move up from the free version, you get more features, which of course, you guessed it, costs more money.  Except for Azure Active Directory Free, which is complimentary if you have a paid subscription to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, the other versions require some sort of subscription free that goes up along with the number of feature packages.

There are several integral components of Azure AD.  They are:

  • Azure AD Directory – the equivalent to the domain of Windows Server AD, it is what contains the tenant’s users, groups, apps, devices, etc.
  • Azure AD Account – an identity created through Azure AD or another Microsoft cloud service such as Office 365.

The Azure AD account gives users access to their organization’s cloud service subscriptions.  On a Windows 10 device, it is referred to as a Work or School Account.  The screenshot below illustrates how one would manually join a Windows 10 device to Azure AD.

Azure AD is highly scalable.  Even the free version can contain 500,000 objects.  With so many users, accounts and applications, an organization undoubtedly needs one or more administrators to manage everything.  Below is the management screen of Azure AD. 

So how does Azure AD relate to Intune? 

Well, the two work hand-in-hand. 

In practivcal terms, you really cannot have Intune with Azure AD. 

In the same way that Windows Group Policy helped deliver and manage settings for Windows domain join machines, Intune is the mobile device management tool that integrates with Azure AD in order to manage settings as well.  It also protects your organization’s resources by controlling how users can access and share it and can lock down devices that may have been stolen or compromised. 


Nov 2018

Is Group Policy Slowing Me Down

Another article.. Not mine.. from Microsoft. Good one.

I do talk about this in super detail in my GPbook.. in the Troubleshooting chapter with more details; but this is an excellent first start.

I also talk about this topic in my talk from TechEd here:

And give you some tips and tricks for analyzing the data and making conclusions.

Hope this helps you out !

Nov 2018

What is Enterprise Mobility + Security E3 vs E5? (and which should you pick for Intune?)

There are a number of things that are complicated and hard to comprehend at first.  College algebra, quantum physics and Microsoft pricing when it comes to their cloud services.  For instance, here is a screenshot of just some of the available licensing for a school system that currently utilizes Microsoft cloud services.

At first glance, trying to wrap your head around all of the available licensing options can be as exhaustive as contemplating the size of the universe.  There are so many ways to slice and dice subscription licensing when it comes to Office 365, Intune, Azure, etc.  For the sake of this blog series, we are going to make it simple. 

You want the ability to do mobile device management, which means Intune.  You also want Azure AD.  That combination pairs your options down to one of two Enterprise Mobility Suite packages (EMS).  Before EMS, Microsoft only offered their products separately such as:

  • Azure Active Directory Premium
  • Microsoft Intune
  • Azure Information Protection
  • Microsoft Advanced Threat Analytics

Microsoft then offered EMS combos that bundled features together in a single option for simplicity’s sake.  As of today, there are two EMS bundle offerings which are outlined below:


Enterprise Mobility + Security E3

Enterprise Mobility + Security E5

Azure Active Directory






Azure Information Protection



Advanced Threat Analytics



Cloud App Security



So what is P1 and P2?  Well P2 includes more advanced features and capabilities.  For instance, the P1 bundle for Azure Active Directory gives you the ability to secure single sign-on to cloud and on premise apps.  It also offers multifactor authentication (MFA) conditional access and advanced security reporting.  P2 includes all of that plus offers Identity Protection and Privileged Identity Management (PIM) and advanced capability concerning identity protection.

E5 of course is more expensive.  So should you get E3 or E5?  Well, just like buying a car, this isn’t a decision that a business should make without a little time and consideration concerning what the needs of the organization actually are, as well as their budget.  Your decision also depends on what other Microsoft cloud services you subscribe to as well such as Office 365.  I told you it was complicated.  If you want to test drive all of the features that E5 has to offer, the good news is that you can sign up for an E5 trial.  That part I can truly say, is easy.

Nov 2018

What is Intune MDM Enrollment vs. Azure Workplace Join?

When you join a Windows machine in the traditional way to a network, you have the choice of joining a workgroup or a domain.  A workgroup has limited features.  It really just gives just each device the ability to share files with one another and that is about it.  A domain was a far better choice in most instances because it offers all of the management and security abilities you need in an enterprise.

I use that analogy to describe the difference between MDM Enrollment and Azure Workplace.   Azure Workplace join is not the same as Intune MDM. 

It is however a first step to enrolling in MDM because a device has to joined to Azure AD before it can be enrolled in Intune.  With Azure Workplace, you’re really just “half way there” (as the man to Bon Jovi would say, well, sing really.),

And there is really minimal of advantages to just being "half way" there. 

Azure Workplace is really just about allowing other people to bring their own devices (BYOD) to join your Azure AD and enjoy a few benefits such as:

  • single-sign-on (SSO) functionality to cloud services
  • access to the Windows store
  • ability to logon a device using an organizational work or school account

What you can’t do with Azure Workplace is:

  • Deploy applications or
  • Manage settings or
  • Lockdown a machine
  • Wipe it
  • Control it. 

All of that takes full MDM enrollment.  But if you are looking for a quick way for a dozen temp workers or contractors to join your Azure AD, it is ample to get the job done.

You can tell if your device is only Azure Workplace joined.  If you click “Manage your account on your Windows Profile page, the page will open in a web browser.  In the screenshot below, you can see where the computer is only “Workplace joined” and not MDM enrolled.

But you can see for yourself if you click on the flag, click Manage your account, and open the page in a Browser, like Edge. You’ll see in Figure 2.23 where the computer is merely “Workplace joined” and not MDM enrolled. 

Note the Windows flag like icon which is also an indicator of Workplace joined status.  If the machine were MDM enrolled, it would be replaced by a briefcase.  In the end, if you want the full Monty, you need to complete the two-part process and become MDM enrolled on top of merely registering with Azure.

Nov 2018

(Jeremy's been right for years)... Don't bother disabling unused GP "half".

I've never met this author, but I like the author's breakdown of the problem.

In summary... I get this question all the time.. "Jeremy... If I disable the UN-used half of the GPO, will it speed up GP processing?"

For 800 years, I've said "Don't bother." You only GAIN headaches because now the other half of the GPO might not process if you end up using it.

Now, a great article with excellent workmanship to prove the point: Don't bother.

Enjoy the read.