Modern computing is defined by our ability to communicate, share, and collaborate with one another by using devices of all shapes and sizes. These days, most of that activity happens over the world’s largest global network, the internet, using a variety of widely accepted hardware and software standards. The internet is also the driving force behind cloud-based services, which are transforming the way we work and play.
The same network standards that allow connections to the internet can also be used to create a local area network (LAN), which makes it possible to share files, printers, and other resources in a home or an office.
In the past, setting up a network connection could be a painful process, one that often required professional help. Today, network hardware is ubiquitous, and setting up a network connection in Microsoft Windows 11 requires little or no technical knowledge. That doesn’t mean the process is entirely pain-free; troubleshooting network problems can be frustrating, and understanding the basics of networking is tremendously helpful in isolating and fixing problems.
In this chapter, we cover the essentials of connecting a Windows 11 device to wired and wireless networks in a home or small office. We also discuss how to connect your Windows 11 computers to cloud apps and resources, such as Microsoft 365.
In addition, we explain how to share resources securely and how to check the status of your network connection to confirm that it’s working properly. When you want access to an entire computer rather than just its shared resources, a feature called Remote Desktop enables you to do exactly that, and a section of this chapter is devoted to explaining how.
In earlier versions of Windows, a feature that facilitated easy resource sharing over a home network was available. Known as HomeGroup, it first appeared in Windows 7, but it was removed from Windows 10 in 2018, and Windows 11 no longer supports this feature. That doesn’t mean the end of easy sharing, of course. Later in this chapter, we discuss alternatives to HomeGroup, including Nearby Sharing.
Before you can connect to the internet or a local area network, your Windows 11 device needs a network adapter, properly installed with working drivers.
Since the release of Windows 7, Microsoft’s hardware certification requirements have mandated that every desktop PC, laptop, all-in-one, and portable device include a certified Ethernet or Wi-Fi adapter. Some portable devices also include modems that connect to mobile broadband networks, and Bluetooth adapters support limited types of direct connections between PCs.
You’ll typically find wired Ethernet adapters in desktop PCs and all-in-ones, where a permanent wired network connection is appropriate. These adapters can be integrated into the motherboard or installed in an expansion slot and accept RJ45 plugs at either end of shielded network cables. (Most such devices also include a wireless network adapter.)
Most modern wired adapters support the Gigabit Ethernet standard, which allows data transfers at up to 1 gigabit (1,000 megabits) per second. In an office or a home that is wired for Ethernet, you can plug your network adapter into a wall jack, which in turn connects to a router, hub, or switch at a central location called a patch panel. In a home or an office without structured wiring, you need to plug directly into a network device.
In recent years, wireless networking technology has enjoyed an explosion in popularity. Wireless access points are a standard feature in most home routers and cable modems, and Wi-Fi connections are practically ubiquitous. You can connect to Wi-Fi, often for free, in hotels, trains, buses, ferries, airplanes, and even public parks in addition to the more traditional hotspot locations such as cafés and libraries.
All laptops and mobile devices designed for Windows 11 include a Wi-Fi adapter, which consists of a transceiver and an antenna capable of communicating with a wireless access point. Wireless adapters are also increasingly common in desktop and all-in-one computer designs, allowing them to be used in homes and offices where it is impractical to run network cables.
Ethernet and Wi-Fi are the dominant networking technologies in homes and offices. In lieu of the twisted-pair wiring typically used to connect endpoints on wired networks, you can use existing coaxial cable installations, such as those used by cable TV systems, with adapters at each endpoint that support MoCA technology (the acronym stands for Multimedia over Coax Alliance, the organization that defines the standard). Each adapter includes a connector for the coaxial cable and a separate RJ45 connector for an Ethernet cable. This configuration enables you to connect PCs using Ethernet adapters at Gigabit Ethernet and higher speeds.
Alternatives include phone-line networks, which plug into telephone jacks in older homes, and powerline technology, which communicates using adapters that plug into the same AC receptacles you use for power. The availability of inexpensive wireless network gear has relegated phone-line and power-line technologies to niche status; they’re most attractive in older homes and offices, where adding network cable is impractical and where wireless networks are unreliable because of distance, building materials, or interference. (A hybrid approach, useful in some environments, allows you to plug a Wi-Fi extender into an existing power line to increase signal strength in a remote location or to create a so-called mesh network.)
You don’t need to rely exclusively on one type of network. If your cable modem includes a router and a wireless access point, you can plug network cables into it and use its wireless signal for mobile devices or for computers located in areas where a network port isn’t available.
Windows 11 detects and configures network hardware automatically, installing drivers from its built-in collection. A wired internet connection should be detected automatically; you’re typically prompted to enter the access key for a wireless connection during the setup process.
Note
In this chapter, we assume you have an always-on broadband connection in your home or office or that you’re connecting to the internet through a public or private Wi-Fi connection with internet access.
As we noted earlier, most network connections in Windows 11 configure themselves automatically during setup, although you might be prompted to enter security information to connect to a wireless access point. Tools included with Windows 11 allow you to inspect the status of the current connection and either make changes or troubleshoot problems.
The most easily accessible network tool is the status icon that appears by default in the system tray area at the right side of the taskbar.
This icon indicates the current network type (wired or wireless) and the status of the network. Click that icon to display the Quick Settings menu, which presents options relevant to your type of network connection, in addition to other Windows settings.
Figure 11-1 shows the system tray icon and Quick Settings menu for a desktop computer with an active wired Ethernet connection and a Wi-Fi adapter that currently has no active connection. Both networks appear to be operating properly.
Figure 11-1 The network icon in the system tray indicates that the wired connection is the primary network. Click the arrow to the right of the Wi-Fi button on the Quick Settings menu to show available wireless networks.
In Windows 11 version 22H2, clicking or tapping Airplane Mode enables you to shut down all wireless communications, including Wi-Fi, Bluetooth, cellular, GPS, and near field communication (NFC). If you enable Bluetooth or Wi-Fi after turning on airplane mode, Windows remembers your choice and leaves that wireless connection enabled the next time you turn on airplane mode.
On any device with a Wi-Fi adapter, a button labeled Mobile Hotspot activates the system as a mobile hotspot. For information about using your device as a mobile hotspot, see “Mobile hotspots and other metered connections,” later in this chapter.
Note
A portable computer with no physical Ethernet adapter sometimes shows the icon for a wired connection rather than wireless. That can occur when you have a virtual network adapter set up for virtual machines. (For details about virtual network adapters and virtual switches, see Chapter 17, “Running Windows 11 in a virtual machine or in the cloud.”)
To view wireless networks, click the arrow to the right of the Wi-Fi button to display a list of available wireless networks that are advertising their SSID, along with their relative signal strengths. Figure 11-2 shows three networks, all protected.
Figure 11-2 Select any available network, click Connect, and provide the required security details. The padlock icon indicates that the connection is secured and requires a passcode. Use the Wi-Fi switch to turn the wireless adapter off or on.
To disable Wi-Fi, slide the switch at the top of the dialog to the Off position. You are then prompted to choose when to turn Wi-Fi back on. You can opt to do this manually, which is the default, or schedule this for one hour, four hours, or one day from now.
Note
The option to disable Wi-Fi temporarily comes in handy when you’re traveling and have access only to a weak wireless signal (which might drain your PC’s battery as it repeatedly tries to make a connection), or a paid Wi-Fi option that you’ve decided is too expensive. Setting a timer allows you to reconnect without having to remember to turn Wi-Fi back on manually.
At the bottom of the dialog, you can select the More Wi-Fi Settings link. This opens the Settings app, and navigates automatically to the Network & Internet > Wi-Fi page, as shown in Figure 11-3.
Figure 11-3 From Settings, you can configure additional Wi-Fi options.
The Wi-Fi switch at the top of this page allows you to disable or enable the wireless adapter. If you’re connected to a wireless network, the entry below that switch shows the current network name; click that entry to see detailed properties for the Wi-Fi connection. You can configure the following additional settings from this page:
Show Available Networks displays a list of nearby Wi-Fi networks that are available for connection.
Manage Known Networks allows you to examine networks to which you’ve connected this device before and review or modify the settings for those networks. You can also choose to forget a network or to manually add a connection to an unadvertised Wi-Fi network.
Hardware Properties enables you to review or reconfigure the IP Assignment and DNS Server Assignment settings. These default to automatic via Dynamic Host Configuration Protocol (DHCP).
Random Hardware Addresses provides a method to make your computer, and hence you, more difficult to track.
If you have no network connectivity, or no access to the internet, the network icon displays as a globe with a superimposed no entry sign.
As with so many other parts of Windows 11, the knobs and dials and switches that control networking have steadily migrated from Control Panel to the Settings app. In fact, there’s no longer any reason (except perhaps nostalgia) to use the old Control Panel Network And Internet page. You can find every network setting you need by going to Settings > Network & Internet, as shown in Figure 11-4. From here, you can access the following:
Figure 11-4 You can accomplish just about any network-related task from this starting point in Settings.
Wi-Fi and Ethernet settings
Virtual Private Network (VPN) and dial-up options
Mobile hotspot settings
Airplane mode
Proxy settings
Advanced network settings, including a list of individual network adapters, advanced sharing settings, and an option to perform network reset.
Note
For slightly faster access to network settings, right-click the network icon in the system tray and click Network And Internet Settings.
You can still use the Control Panel interface if you prefer. In Control Panel, select Network And Internet, and then select Network And Sharing.
You can review the available network connections in Settings by selecting Advanced Network Settings from the Network & Internet page, as shown in Figure 11-5. That action displays a list of available adapters along with the controls you need to reconfigure their settings.
Figure 11-5 The Advanced Network Settings page displays a list of available adapters. You can disable any adapter or reconfigure an adapter’s settings, including the TCP/IP settings.
Note
Network adapter names that begin with vEthernet are virtual adapters created when you set up a virtual switch with Hyper-V. Various diagnostic tools might display other virtual adapters used for specialized functions, such as Wi-Fi Direct connections. In general, we recommend that you avoid trying to manage these adapters manually.
Transmission Control Protocol/Internet Protocol (TCP/IP) is the default communications protocol of the internet and for modern local area networks; in Windows 11, it’s installed and configured automatically and cannot be removed. Most of the time, your TCP/IP connection should just work, without requiring any manual configuration. (We cover some troubleshooting techniques at the end of this chapter.)
Networks that use the TCP/IP protocol rely on IP addresses as they route packets of data from point to point. On a TCP/IP network, every computer has a unique IP address for each protocol (that is, TCP/IPv4 and TCP/IPv6) in use on each network adapter.
A computer’s TCP/IP configuration has the following elements:
An IP address, in a format that’s defined by the protocol:
An IPv4 address is a 32-bit number that is normally expressed as four 8-bit numbers, known as octets (each one represented in decimal format by a number from 0 through 255), separated by periods.
An IPv6 address is a 128-bit number and is usually shown as eight 16-bit numbers (each one represented in hexadecimal format) separated by colons.
For IPv4 addresses only, a subnet mask, which tells the network how to distinguish between IP addresses that are part of the same network and those that belong to other networks
A default gateway, which is a device that routes packets intended for addresses outside the local network.
One or more Domain Name System (DNS) servers, which are computers that translate domain names (such as www.microsoft.com) into IP addresses
Windows provides several methods for assigning IP addresses to networked computers:
DHCP: This is the default configuration for Windows 11, and in fact, most other devices. A DHCP server maintains a pool of IP addresses for use by network devices. When you connect to a network, the DHCP server assigns an IP configuration from this pool, including subnet masks and other configuration details. Almost all corporate networks use DHCP to avoid the hassle of managing fixed addresses for constantly changing resources; all versions of Windows Server include this capability. Most routers and residential gateways also incorporate DHCP servers that automatically configure computers connected to those devices.
Automatic Private IP Addressing (APIPA): When no DHCP server is available, Windows automatically assigns an IPv4 address in a specific private IP range. (For an explanation of how private IP addresses work, see the sidebar “Public and private IP addresses” later in the chapter.) If all computers on a subnet are using APIPA addresses, they can communicate with one another without requiring additional configuration. IPv6 uses a link-local IPv6 address to perform a similar function.
Static IP Addressing: By specifying an IPv4/IPv6 address along with its related details (subnet mask for an IPv4 address or an IPv6 prefix, for example), you can manually configure a Windows workstation so that its address is always the same. This method takes more time and can cause some configuration headaches, but it allows a high degree of control over network addresses.
Alternate IP Configuration: Use this feature to specify multiple IPv4 addresses for a single network connection (although only one address can be used at a time). This feature is most useful with portable computers that regularly connect to different networks. You can configure the connection to automatically acquire an IP address from an available DHCP server, and you can then assign a static backup address for use if the first configuration isn’t successful.
Note
IPv6 supports a feature called stateless autoconfiguration. An IPv6 device, such as a Windows 11 computer, “listens” to network packets on the local network interface and is able to determine the configuration details for the local subnet based on router announcements. The device then configures a valid IPv6 configuration based on the router configuration.
To see details of your current IP configuration, open Settings > Network & Internet, and then expand the relevant network adapter. As shown in Figure 11-6, you can review the current IPv4 and IPv6 settings and, where necessary, select Edit to change those settings.
Figure 11-6 You can review the network settings for both IPv4 and IPv6. Click the Edit buttons to change the IP Assignment and DNS Server Assignment settings.
Note
For most Windows 11 devices, you don’t need to configure IPv4 or IPv6 manually. Most devices obtain an IPv4 configuration via a DHCP server or a wireless access point with embedded DHCP functionality. For IPv6, most devices typically only have a link-local address, which begins with fe80; this is similar to an APIPA address in IPv4. Where an IPv6 router is present, the device determines additional IPv6 configuration data automatically.
It can be useful for some computers to have static IP addresses; for example, if you’ve set up your router to forward external packets to a specific computer running a server app, it can be convenient to have the internal address defined as static.
To set a static IP address in Windows 11, use the following procedure:
Open Settings and select Network & Internet.
Select the appropriate network adapter; for example, click Ethernet. On the Ethernet page, displayed in Figure 11-6, next to IP Assignment, click Edit.
In the Edit IP Settings dialog, click the dropdown and select Manual.
For IPv4, select the IPv4 radio button, and then enter some or all of the following details. (Note that you don’t have to fill in every setting. If you just want to specify a preferred DNS server, for example, fill in the Preferred DNS box and leave the rest blank; Windows uses DHCP for the remaining IP assignments.)
IP Address
Subnet Mask
Gateway
Preferred DNS
Alternate DNS
Click Save to apply the configuration changes. Figure 11-7 shows the dialog with all fields filled in.
Figure 11-7 When assigning static IP addresses, you must fill in all fields correctly or leave them blank.
Note
When an IPv4 subnet or IPv4 address is expressed in the format 172.16.16.1/20, it’s referred to as a classless inter-domain routing (CIDR) address, or sometimes as a variable length subnet mask (VLSM) address. This format, which is used in Microsoft Azure subnets and elsewhere, expresses the subnet mask as a prefix in a number of bits—in this example, 20. What it means is that 20 bits, in this case, are network or subnetwork bits, and the remaining 12 bits are host bits. That enables you to determine what subnet this host resides in (172.16.16.0/20, in this example).
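The CIDR arithmetic from the preceding note, worked through in PowerShell for 172.16.16.1/20, together with the "same network or not" decision that a subnet mask exists to answer. This is an added example, not code from the book; the function names (ConvertTo-IPv4Number, ConvertFrom-IPv4Number, Get-IPv4Subnet, Test-IPv4InSubnet) are hypothetical helpers defined here, and the two probe addresses at the end are constructed sample values.

```powershell
# Added example (not from the book); all function names are hypothetical.

function ConvertTo-IPv4Number {
    # Dotted-quad string -> 32-bit value, held in a [long] to avoid sign problems.
    param([Parameter(Mandatory)][string]$Address)
    $octets = $Address.Split('.')
    if ($octets.Count -ne 4) { throw "Expected four octets: $Address" }
    [long]$value = 0
    foreach ($o in $octets) {
        if ($o -notmatch '^\d{1,3}$' -or [int]$o -gt 255) {
            throw "Octet must be 0-255: '$o' in $Address"
        }
        $value = ($value * 256) + [int]$o
    }
    return $value
}

function ConvertFrom-IPv4Number {
    # 32-bit value -> dotted-quad string, most significant octet first.
    param([Parameter(Mandatory)][long]$Value)
    $octets = foreach ($shift in 24, 16, 8, 0) { ($Value -shr $shift) -band 0xFF }
    return ($octets -join '.')
}

function Get-IPv4Subnet {
    # 'address/prefix' -> mask, network address, last address, and address count.
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2 -or $parts[1] -notmatch '^\d{1,2}$' -or [int]($parts[1]) -gt 32) {
        throw "Expected address/prefix with a prefix of 0-32: $Cidr"
    }
    $prefix   = [int]($parts[1])
    $hostBits = 32 - $prefix                          # bits left for hosts
    [long]$allOnes = 4294967295                       # 32 one-bits
    [long]$mask    = ($allOnes -shl $hostBits) -band $allOnes
    [long]$ip      = ConvertTo-IPv4Number -Address $parts[0]
    [long]$network = $ip -band $mask                  # clear the host bits
    [long]$last    = $network -bor ($allOnes -bxor $mask)   # set the host bits
    [pscustomobject]@{
        Address      = $parts[0]
        PrefixLength = $prefix
        SubnetMask   = ConvertFrom-IPv4Number -Value $mask
        Network      = ConvertFrom-IPv4Number -Value $network
        LastAddress  = ConvertFrom-IPv4Number -Value $last
        AddressCount = ([long]1) -shl $hostBits       # [long] so /0 does not wrap
    }
}

function Test-IPv4InSubnet {
    # True when $Address has the same network bits as the subnet named by $Cidr.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][string]$Cidr
    )
    $subnet    = Get-IPv4Subnet -Cidr $Cidr
    $candidate = Get-IPv4Subnet -Cidr "$Address/$($subnet.PrefixLength)"
    return $candidate.Network -eq $subnet.Network
}

# The address from the note above.
Get-IPv4Subnet -Cidr '172.16.16.1/20' | Format-List

# Constructed probes: one address near the top of the /20, one just past it.
Test-IPv4InSubnet -Address '172.16.31.200' -Cidr '172.16.16.1/20'
Test-IPv4InSubnet -Address '172.16.32.1'   -Cidr '172.16.16.1/20'
```

An address that fails the test is not on the local subnet, so traffic to it is sent to the default gateway.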
Some devices with data connections on a cellular network allow you to turn the device into a mobile Wi-Fi hotspot—a feature sometimes referred to as tethering. This capability is invaluable when you need to get some work done on a portable PC, and an affordable, reliable, and secure Wi-Fi connection isn’t available. Most modern smartphones, including iPhones and Android devices, can act as a hotspot, although the cellular data provider must allow this capability.
When using a mobile hotspot with a plan that requires you to pay by the megabyte or gigabyte, you risk incurring potentially higher costs (especially if you’re roaming outside your home network) or hitting your data limit and having your connection throttled or stopped completely. To minimize that possibility, Windows 11 identifies mobile hotspots as metered connections and automatically limits certain types of background activity. By default, the list of restricted activities includes downloads from Windows Update, syncing with OneDrive, and always-on connections to an Exchange Server in Microsoft Outlook.
To ensure that Windows 11 treats a specific network as a metered connection, open Settings > Network & Internet > Wi-Fi > Manage Known Networks. Expand the desired Wi-Fi connection, and then turn the Metered Connection switch to On, as shown in Figure 11-8.
Figure 11-8 On pay-as-you-go networks, or on those with data caps, you can reduce the amount of data used by telling Windows 11 to treat the connection as metered.
You can set a cap on the amount of data Windows is allowed to send or receive over any currently available network by going to Settings > Network & Internet > Advanced Network Settings > Data Usage. As shown in Figure 11-9, select the appropriate network connection (if not already selected) and then click Enter Limit. You can also review the amount of data usage from the last 30 days for the selected connection. Limits can be monthly, one time, or set to unlimited. If monthly, you can set the day of the month to reset the counters. You can specify limits in MB or GB.
Figure 11-9 You can review data usage and also set limits for any available network connection.
Recent versions of Windows 11 have expanded the Mobile Hotspot feature to support sharing of any network connection on a Windows 11 PC. If you’ve paid for Wi-Fi on an airplane, for example, you can share that connection securely with up to eight other devices.
All the options you need are in Settings > Network & Internet > Mobile Hotspot. There are four settings to pay attention to here:
To begin sharing your network connection, flip the Mobile Hotspot switch to the On position.
Choose which connection you want to share. In the screenshot shown in Figure 11-10, Wi-Fi is the only option, but you can share any available connection: wired, Wi-Fi, or even mobile data.
Figure 11-10 Turn on the Mobile Hotspot switch to share your internet connection with other devices. If you have multiple networks available (Ethernet and Wi-Fi, for example), you can select which one to share.
Choose how to share your connection: over Wi-Fi or Bluetooth.
Click Edit to change the connection name, replace the default random password with one of your own choosing, and customize the type of connection.
With that setup complete, you can turn on your mobile hotspot from the Quick Settings menu or from Settings and use the shared connection with any device (including a mobile phone).
For a local network to work properly, your computer must be able to locate other resources, including other computers. Likewise, other resources need a way to locate your computer.
In Windows 11, this feature is known as network discovery. By default, network discovery is disabled. To enable it, open Settings > Network & Internet > Advanced Network Settings, and then select Advanced Sharing Settings. You can enable the Network Discovery option for private networks, public networks, or both.
When you enable network discovery, a number of Windows services start, if they’re not already running: DNS Client (dnscache); Function Discovery Resource Publication Services (fdrespub); Simple Service Discovery Protocol (ssdpsrv); and UPnP Device Host (upnphost). In addition, a Windows Defender Firewall exception for network discovery is created.
Network location is closely related to network discovery. On a public network, you generally want network discovery disabled, to reduce the risk that an unknown host on the same network will access shared resources. By contrast, setting a network location to private signals that you trust other resources on the local network and want them to be available. That’s especially important on mobile devices that can connect to different types of networks—a corporate domain, a wireless hotspot at a coffee shop, or a private home network.
Each type of network has its own security requirements. Windows uses network location profiles to categorize each network and then applies appropriate security settings. When you connect to a new network, Windows applies one of three security settings:
Public: This is the default setting for any new, untrusted network connection. Network discovery is turned off for public networks, and unsolicited incoming connections are blocked, making it more difficult for other people on the same access point to try to connect to your computer. This option is appropriate for networks in public places, such as wireless hotspots in coffee shops, hotels, airports, and libraries. It’s also the correct choice if your desktop or laptop PC is directly connected to a cable modem or other broadband connection without the protection of a router and hardware firewall.
Private: This option is appropriate when you’re connecting to a trusted network, such as your own network at home—if and only if that network is protected by a router (which may be incorporated in a cable modem or similar network access device) or comparable internet defense. When you make this choice, Windows enables network discovery for sharing with other users on the network.
Domain: This option is applied automatically when you sign in to Windows using a computer that’s joined to a Windows domain, such as your company network. In this scenario, network discovery is enabled, allowing you to see other computers and servers on the network by using accounts and permissions controlled by a network administrator.
If you have a mobile computer that connects to multiple networks, keep in mind that the Windows Defender Firewall maintains separate network security profiles for private (home or work), public, and domain-based networks. For more information about Windows Firewall, see “Blocking intruders with Windows Defender Firewall” in Chapter 12, “Windows security and privacy.”
The location profile of the current network is shown on the details page for a selected network connection, as shown in Figure 11-8 earlier in this chapter.
To change the profile of the current network from Public to Private, or vice versa, go to Settings > Network & Internet. Look to the network name at the top of the page for a link labeled Properties, which should include the current network location. Click that Properties link and then, under the Network Profile Type heading, select Private Network or Public Network (Recommended) as appropriate.
You can also use the PowerShell Get-NetConnectionProfile and Set-NetConnectionProfile cmdlets to review and modify the NetworkCategory values for your network connections. As displayed in Figure 11-11, the administrator has retrieved the properties for the current network profile on the local computer. These cmdlets are documented at https://learn.microsoft.com/powershell/module/netconnection.
Figure 11-11 The NetworkCategory value determines whether the network location profile is public or private.
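A read-only audit that ties together the network location profile, the matching Windows Defender Firewall profile, and the network discovery services listed earlier in this section. This is an added example, not a script from the book; it assumes an English display language (the firewall rule group is looked up by its display name, "Network Discovery"), and the variable names are illustrative.

```powershell
# Added example (not from the book). Read-only: the one line that changes
# a setting is commented out at the end.

# Service names as listed in this chapter for network discovery.
$discoveryServices = 'dnscache', 'fdrespub', 'ssdpsrv', 'upnphost'

$report = foreach ($conn in Get-NetConnectionProfile) {
    # NetworkCategory is Public, Private, or DomainAuthenticated; the firewall
    # profile for the last one is named Domain.
    $fwName = if ($conn.NetworkCategory -eq 'DomainAuthenticated') { 'Domain' }
              else { "$($conn.NetworkCategory)" }
    $fw = Get-NetFirewallProfile -Name $fwName

    # Enabled inbound Network Discovery rules that apply to this profile.
    # Assumption: English display group name.
    $discoveryRules = @(
        Get-NetFirewallRule -DisplayGroup 'Network Discovery' -ErrorAction SilentlyContinue |
            Where-Object {
                $_.Enabled -eq 'True' -and
                $_.Direction -eq 'Inbound' -and
                "$($_.Profile)" -match "Any|$fwName"
            }
    )

    [pscustomobject]@{
        Network               = $conn.Name
        Interface             = $conn.InterfaceAlias
        InterfaceIndex        = $conn.InterfaceIndex
        Category              = $conn.NetworkCategory
        FirewallEnabled       = $fw.Enabled
        DefaultInbound        = $fw.DefaultInboundAction
        DiscoveryRulesEnabled = $discoveryRules.Count
    }
}

# One row per connected network.
$report | Format-Table -AutoSize

# State of the services that network discovery starts.
Get-Service -Name $discoveryServices |
    Select-Object Name, Status, StartType |
    Format-Table -AutoSize

# Connections worth a second look: a Public network that still has inbound
# discovery rules enabled, or any network whose firewall profile is off.
$report | Where-Object {
    ($_.Category -eq 'Public' -and $_.DiscoveryRulesEnabled -gt 0) -or
    ($_.FirewallEnabled -ne 'True')
} | Format-Table -AutoSize

# To move a mislabeled network back to Public (requires an elevated session),
# substitute the InterfaceIndex value from the report:
# Set-NetConnectionProfile -InterfaceIndex <InterfaceIndex> -NetworkCategory Public
```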
In this section, we assume you have already configured a wireless access point (often included as a feature in cable modems, internet-facing routers, and other network access devices supplied by your broadband provider) and confirmed that it is working correctly, or that you are in a location with a public or private wireless access point managed by someone else. Whenever your computer’s wireless network adapter is installed and turned on, Windows scans for available wireless access points.
When you click the Network icon in the system tray and then click the arrow to the right of the Wi-Fi button, you’re likely to see lots of access points available for connection, most of them owned by your neighbors or nearby visitors. Assuming those networks are adequately secured with a network security key that you don’t know and can’t guess, you’d have no luck connecting to them.
When you select an available wireless connection (assuming it’s known), you have the option to select the Connect Automatically checkbox, as displayed in Figure 11-12. When you get within range of the network in the future, your computer automatically enters the saved password and connects to the network.
Figure 11-12 If you select Connect Automatically, your Wi-Fi connection will establish automatically the next time you’re in range of the network.
Note
Note that saved Wi-Fi network passwords are synced between devices when you sign in with a Microsoft account, so you might find that a brand-new device, one you’ve never used before, automatically connects to your home or office Wi-Fi without having to ask you.
Clicking the Connect button for a secure wireless access point reveals a box in which you’re expected to enter a network password, as in Figure 11-13. If what you enter matches what’s stored in the access point’s configuration, you’re in. Getting in is easy on a network you control, where you set the network security key. For a secured access point controlled by someone else—a doctor’s waiting room, a coffee shop, a friend’s office—you need to ask someone, typically the network owner, for the password.
Figure 11-13 Connecting to a secure network for the first time requires that you correctly enter a passphrase or security key.
To disconnect from a Wi-Fi access point, click or tap its entry in the Quick Settings menu and then tap Disconnect. Doing so automatically turns off the option to connect automatically to that network in the future.
Windows 11 saves credentials for every Wi-Fi access point you connect to, giving you the option to connect with a tap when you revisit. If that thought makes you uncomfortable, you can see and manage the full list of networks by opening Settings > Network & Internet > Wi-Fi and clicking Manage Known Networks.
That list can be startlingly long, especially if you’re a frequent traveler. To review the properties for a connection, select it from the list. If you want to abandon a network connection, click the Forget button to the right of the network name, as displayed in Figure 11-14.
Figure 11-14 Wireless networks you connect to are saved in this list. Tap Forget to delete the saved security key and remove the network from the list.
Every wireless network has a name, formally known as a service set identifier but typically referred to as an SSID. In an effort to enforce security through obscurity, some wireless networks are set up so that they don’t broadcast their SSID. Connecting to such a hidden network is a bit more challenging because its name doesn’t appear in the list of available networks on the network flyout Quick Settings Menu or in Network & Internet Settings. Making such a connection is possible, however, as long as you know the network name and its security settings.
Note
Configuring a router so that it doesn’t advertise its name has been incorrectly promoted by some as a security measure. Although it does make the network less accessible to casual snoops, lack of a broadcast SSID is no deterrent to a knowledgeable attacker. Furthermore, attackers can learn the SSID even when they’re not near your wireless access point, because it’s periodically broadcast from your computer, wherever it happens to be. We provide these steps to help you connect to a hidden network managed by someone else; we don’t recommend that you configure your home or office network in this fashion without a good reason.
To connect to a hidden network, open Settings > Network & Internet > Wi-Fi > Manage Known Networks and then click Add Network. As shown in Figure 11-15, you must enter the network name, select the security type, enter relevant security information, and then click Save.
Figure 11-15 Enter the required information to connect to an unadvertised network.
If you select certain security types, the Add A New Network dialog expands to list new options. Figure 11-16 shows the settings for an enterprise network that requires the user to authenticate with credentials rather than enter a simple password.
Figure 11-16 On enterprise networks, some security options require additional configuration.
On a conventional wired network, especially in a private home or office, physical security is reasonably easy to maintain: If someone plugs a computer into a network jack or a switch, you can trace the physical wire back to the intruder’s computer. On wireless networks, however, anyone who comes into range of your wireless access point can tap into your network and intercept signals from it.
If you run a small business, you might want to allow internet access to your customers by using an open internet connection. Some internet service providers create secure guest accounts on their customers’ cable modems (or similar access devices) that allow other customers of that service to connect using their network credentials. Many modern Wi-Fi routers include the option to create a secure guest network, separate from the one you use in your home or office. That option allows customers to securely access the internet without having access to local network resources.
Other than those scenarios, however, you probably want to secure your network so that the only people who can connect to it are those you specifically authorize. Doing that means configuring security settings on your wireless access point or router. When you connect to a network, known or unknown, the level of security is determined by the encryption standard chosen by the network owner and supported by network hardware on both sides of the connection.
Depending on the age of your hardware, you should have a choice of one or more of the following options, from least to most secure:
Wired Equivalent Privacy (WEP) WEP is a first-generation scheme that dates back before the turn of the century. It suffers from serious security flaws that make it inappropriate for use on any network that contains sensitive data. Most modern Wi-Fi equipment supports WEP for backward compatibility with older hardware, but we strongly advise against using it unless no other options are available. If you have an older device that supports only WEP (and it can’t be upgraded with a firmware update), consider retiring or replacing that device.
Wi-Fi Protected Access (WPA) WPA is an early version of the encryption scheme that has since been replaced by both WPA2 and WPA3. It was specifically designed to overcome weaknesses of WEP. On a small network that uses WPA, clients and access points use a shared network password (called a preshared key, or PSK) that consists of a 256-bit number or a passphrase that is from 8 to 63 bytes long. (A longer passphrase produces a stronger key.) With a sufficiently strong key based on a truly random sequence, the likelihood of a successful outside attack is slim. Most modern network hardware supports WPA only for backward compatibility.
Wi-Fi Protected Access 2 (WPA2) Based on the 802.11i standard, WPA2 provides strong protection for consumer-grade wireless networks. It uses 802.1x-based authentication and Advanced Encryption Standard (AES) encryption; combined, these technologies ensure that only authorized users can access the network and that any intercepted data cannot be deciphered. WPA2 comes in two flavors: WPA2-Personal and WPA2-Enterprise. WPA2-Personal uses a passphrase to create its encryption keys and is a good choice for the security of wireless networks in homes and small offices. WPA2-Enterprise requires a server to verify network users. All wireless products sold since early 2006 must support WPA2 to bear the Wi-Fi CERTIFIED label.
Wi-Fi Protected Access 3 (WPA3) Also based on the 802.11i standard, WPA3 extends the security of WPA2. Like WPA2, it uses 802.1x-based authentication and Advanced Encryption Standard (AES) encryption; it also implements a technology called Simultaneous Authentication of Equals (SAE) to improve security over WPA2. Similarly, WPA3 comes in two flavors: WPA3-Personal and WPA3-Enterprise. As with WPA2, WPA3-Enterprise requires a server for user verification. WPA3-Enterprise also provides a 192-bit mode for additional protection.
You might see other encryption options, including the 802.1x standard, which allows corporate networks to enforce access through user credentials such as Active Directory. Those configurations are typically designed for use on large enterprise networks and are beyond the scope of this book.
You must use the same encryption option on all wireless devices on your network—access points, routers, network adapters, print servers, cameras, and so on—so choose the best option that’s supported by all your devices.
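The saved-network list and the security types described above can also be reviewed from PowerShell. The following is an added example, not code from the book: it parses Wi-Fi profiles in the XML format written by netsh wlan export profile, maps each one onto the WEP/WPA/WPA2/WPA3 ladder, and flags hidden-SSID profiles. The three profiles and the names HomeNet, BackOffice, and OldCafe are constructed samples, and the function names are illustrative.

```powershell
# Added example: audit saved Wi-Fi profiles for weak security types and
# hidden-SSID settings. The profiles below are CONSTRUCTED samples.
$SampleProfiles = @(
@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>HomeNet</name>
  <SSIDConfig><SSID><name>HomeNet</name></SSID></SSIDConfig>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>WPA2PSK</authentication><encryption>AES</encryption>
  </authEncryption></security></MSM>
</WLANProfile>
'@,
@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>BackOffice</name>
  <SSIDConfig><SSID><name>BackOffice</name></SSID><nonBroadcast>true</nonBroadcast></SSIDConfig>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>WPA3SAE</authentication><encryption>AES</encryption>
  </authEncryption></security></MSM>
</WLANProfile>
'@,
@'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>OldCafe</name>
  <SSIDConfig><SSID><name>OldCafe</name></SSID></SSIDConfig>
  <connectionMode>auto</connectionMode>
  <MSM><security><authEncryption>
    <authentication>open</authentication><encryption>WEP</encryption>
  </authEncryption></security></MSM>
</WLANProfile>
'@
)

function Get-WlanProfileAudit {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($ProfileXml)
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')

    # Text of the first node matching an XPath, or '' when the element is absent.
    $get = {
        param($xpath)
        $node = $doc.SelectSingleNode($xpath, $ns)
        if ($null -ne $node) { $node.InnerText.Trim() } else { '' }
    }
    $auth   = & $get '/w:WLANProfile/w:MSM/w:security/w:authEncryption/w:authentication'
    $enc    = & $get '/w:WLANProfile/w:MSM/w:security/w:authEncryption/w:encryption'
    $hidden = (& $get '/w:WLANProfile/w:SSIDConfig/w:nonBroadcast') -eq 'true'
    $auto   = (& $get '/w:WLANProfile/w:connectionMode') -eq 'auto'

    # Map the profile's authentication value onto the least-to-most-secure ladder.
    $level = switch -Wildcard ($auth) {
        'WPA3*'  { 'WPA3'; break }
        'WPA2*'  { 'WPA2'; break }
        'WPA*'   { 'WPA';  break }
        'shared' { 'WEP';  break }
        'open'   { if ($enc -eq 'WEP') { 'WEP' } else { 'Open' }; break }
        default  { 'Unknown' }
    }

    $findings = @()
    if ($level -eq 'Open') { $findings += 'no encryption on this network' }
    if ($level -in 'WEP', 'WPA') {
        $findings += "$level is a legacy scheme; upgrade or retire the access point"
    }
    if ($hidden) {
        $findings += 'hidden SSID: this PC sends the name while searching for the network'
    }
    if ($auto -and ($level -in 'Open', 'WEP')) {
        $findings += 'connects automatically; consider Forget in Manage Known Networks'
    }

    [pscustomobject]@{
        Profile  = & $get '/w:WLANProfile/w:name'
        Security = "$level ($auth/$enc)"
        Hidden   = $hidden
        Auto     = $auto
        Findings = $findings -join '; '
    }
}

function Get-SampleWlanAudit {
    $SampleProfiles | ForEach-Object { Get-WlanProfileAudit -ProfileXml $_ }
}

Get-SampleWlanAudit | Format-List

# To audit this PC instead of the samples (saved keys stay encrypted in the
# export; delete the folder when finished):
#   $dir = Join-Path $env:TEMP 'wlan-audit'
#   New-Item -ItemType Directory -Force -Path $dir | Out-Null
#   netsh wlan export profile folder="$dir" | Out-Null
#   Get-ChildItem $dir -Filter *.xml |
#       ForEach-Object { Get-WlanProfileAudit -ProfileXml (Get-Content $_.FullName -Raw) }
```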
Sharing computer resources over a properly configured network gives you access to all the files you might need, wherever they’re stored. But sometimes even that’s not enough. You might need to run an app that’s installed only on another computer, or you might need to configure and manage another computer’s files and settings in ways that can be done only by sitting down in front of that computer. For those occasions, a Remote Desktop session is the perfect solution.
With Remote Desktop, applications run on the remote computer; your computer is effectively used as a terminal. You can use a low-powered computer or even a mobile device to connect to a remote computer directly. Remote Desktop connections are encrypted, so your information is secure.
Note
The computer that you want to control—the one at the remote location—is called the remote computer. The computer you want to use to control the remote computer is called the client computer. By default, Remote Desktop traffic is sent and received using Remote Desktop Protocol (RDP) over TCP port 3389.
In this section, we focus on the most common scenario: configuring a PC running Windows 11 Pro, Enterprise, or Education or any supported version of Windows Server to allow incoming Remote Desktop connections and using a second PC running any edition of Windows 11 as the remote client over a local network. (PCs running Windows Home edition can be used as a Remote Desktop client but do not allow hosting Remote Desktop sessions.)
Windows 11 includes a desktop app for remote access called Remote Desktop Connection. Although this program’s main feature set and its overall appearance have remained largely unchanged since its debut nearly 20 years ago, it’s still perfectly suitable for remote connections. If you’re sitting in front of a PC running any version of Windows, you can use this app to connect to a Windows 11 PC configured as a Remote Desktop server.
A slightly newer alternative, called Microsoft Remote Desktop, is available in the Microsoft Store. (To see its listing, go to https://bit.ly/ms-rdc-store.) This app works on any Windows 11 device, and it includes some capabilities not available in Remote Desktop Connection. In this section, we describe how to use both programs.
Even if you don’t have a PC available, you might still be able to configure your Windows 11 device as a Remote Desktop server and connect to it using a non-Windows device. Microsoft has Remote Desktop clients for mobile devices running iOS and Android as well as Apple-branded PCs running macOS. For download links and installation instructions, see https://aka.ms/rdapps.
For security reasons, incoming Remote Desktop sessions are not allowed without your explicit permission. To grant access on a computer running Windows 11 Pro, Enterprise, or Education, go to Settings > System > Remote Desktop and slide the Remote Desktop switch to the On position.
You must be signed in using an administrator account to make this change, and you must click Confirm in a separate step to verify the configuration change.
Enabling Remote Desktop starts a service that listens for incoming connections on port 3389. It also creates an exception in Windows Firewall that allows authenticated traffic on this port. (If you’re using third-party security software that includes a firewall, it should make this configuration change for you; if it doesn’t, you need to adjust that software’s settings so it allows incoming access to TCP port 3389.)
After Remote Desktop is enabled, you can configure additional settings. The first is Network Level Authentication (NLA) for Remote Desktop connections; this setting is enabled by default and is recommended. You would normally change it only if you intend to allow connections from older versions of Windows that don’t support NLA.
Next, you can define which user accounts are able to connect using Remote Desktop to your computer. To do this, click Remote Desktop Users on the Remote Desktop page, as shown in Figure 11-17.
Figure 11-17 You can disable the requirement for NLA and define which users can access your computer using Remote Desktop. The TCP port used, 3389, cannot be changed using Settings.
The current user account and any user account that’s a member of the local Administrators group can connect remotely to the computer. To allow access for other user accounts that are not members of the local Administrators group, click Remote Desktop Users and then select which users you want to authorize.
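The settings described above (the Remote Desktop switch, NLA, the listening port, the firewall exception, and the accounts allowed to connect) can be checked together from an elevated PowerShell prompt on the remote computer. This is an added example, not code from the book; it is read-only, the function name is illustrative, and it assumes the English firewall group name Remote Desktop.

```powershell
# Added example: read-only report of this PC's Remote Desktop exposure.
# Values set by Group Policy, if any, can override what is read here.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path $TsKey
    $rdp = Get-ItemProperty -Path $RdpKey

    $enabled = ($ts.fDenyTSConnections -eq 0)    # 0 = incoming sessions allowed
    $nla     = ($rdp.UserAuthentication -eq 1)   # 1 = NLA required
    $port    = [int]$rdp.PortNumber

    # Well-known SIDs avoid localized group names:
    # S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users.
    $admins  = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Name })
    $rdUsers = @(Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Name })

    # Enabled inbound rules in the firewall group that the Settings switch turns on.
    # Assumption: 'Remote Desktop' is the group's English display name.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { "$($_.Enabled)" -eq 'True' -and "$($_.Direction)" -eq 'Inbound' })
    $profiles = @($rules | ForEach-Object { $_.Profile.ToString() } | Sort-Object -Unique)

    # Is anything actually listening on the configured port?
    $listening = [bool](Get-NetTCPConnection -State Listen -LocalPort $port `
                        -ErrorAction SilentlyContinue)

    $findings = @()
    if ($enabled -and -not $nla) {
        $findings += 'NLA is off: sign-in screen is presented before authentication'
    }
    if ($enabled -and ($profiles -match 'Public|Any')) {
        $findings += 'firewall rule applies on Public networks'
    }
    if ($rdUsers.Count -gt 0) {
        $findings += "non-administrator accounts allowed: $($rdUsers -join ', ')"
    }
    if ($port -ne 3389) {
        $findings += "listener moved from the default port to $port"
    }
    if (-not $enabled -and $listening) {
        $findings += "Remote Desktop is off but port $port is listening"
    }

    [pscustomobject]@{
        RemoteDesktopEnabled = $enabled
        NlaRequired          = $nla
        Port                 = $port
        Listening            = $listening
        FirewallProfiles     = $profiles -join '; '
        Administrators       = $admins -join ', '
        RemoteDesktopUsers   = $rdUsers -join ', '
        Findings             = $findings -join '; '
    }
}

Get-RdpExposure | Format-List
```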
As we noted earlier, the Microsoft Remote Desktop app is not included with Windows; it is, however, available as a free download from the Microsoft Store. Remote Desktop offers a simplified user experience compared to the legacy Remote Desktop Connection client. Its visual approach shows all your remote connections on the home screen, allowing you to open one with a single click or tap. In addition, Microsoft Remote Desktop includes several performance enhancements that optimize your connection quality. It supports multiple instances, so you can operate two or more Remote Desktop sessions simultaneously, each in its own window. And, of course, as a Store app, it’s touch friendly.
Note that if you’re planning to connect to Azure Virtual Desktop devices or to devices that are Azure AD-joined, this app will not work. Instead, use the 64-bit Windows app available from https://bit.ly/AVC-remote-client.
The Microsoft Remote Desktop app window is downright Spartan until you’ve saved a desktop or two. Adding a desktop takes minimal effort: Click the Add (+) button and then click PCs. The Add A PC page appears, as shown in Figure 11-18.
Figure 11-18 In the PC Name box, you can specify the remote computer by name or IP address. Clicking Show More enables you to optimize your connection experience.
Enter the name or IP address of the PC to which you want to connect. All the other fields in the Add A PC pane are optional.
By default, the User Account field is set to Ask Me Every Time. In this configuration, you’re prompted for your username and password each time you connect to the desktop. If you know you’ll always want to use the same account, you can add its credentials here, and Remote Desktop will sign you in every time without prompting. Click the arrow at the right side to select a previously configured user account. If the account you want to use doesn’t appear in the list, click the plus sign above the User Account box and add the necessary details. Optionally, enter a connection Display Name and then click Save. The connection appears as a tile in the app window.
Before you save the settings, on the Add A PC pane, you can also click Show More. This displays the following additional settings:
Group If you have multiple saved connections, you can group them by adding a group name and then selecting a group for each connection.
Gateway To reach a remote PC through a gateway server on a corporate network, specify its name or IP address, along with the name of a user account with access permission.
Connect To Admin Session For connecting to a computer running Windows 11, this option has no effect, and you can safely ignore it. It enables administrative access on some older Windows Server configurations.
Swap Mouse Buttons This option is appropriate for left-handed individuals who have used Settings > Bluetooth & Devices > Mouse to set the primary mouse button as Right instead of Left. Enabling this setting swaps the functionality of the left and right mouse buttons while you work in the Remote Desktop session to match the local settings.
Display Settings These settings let you specify a screen resolution and display size for the remote PC. If you don’t specify a resolution here, Remote Desktop uses the resolution of the client computer, displayed full screen, by default. After selecting a custom resolution, you can also choose a custom scaling factor.
Update The Remote Session Resolution On Resize With this setting on, you can resize a Remote Desktop session in a window and have the display resolution adjust to your changes.
Local Resources The three settings under this heading allow you to share the client computer’s Clipboard contents and microphone with the remote computer and choose whether audio plays on the remote computer, on the client computer, or on neither.
After you save a connection in the Add A Desktop pane, an icon for that connection appears in Remote Desktop. Click the icon to open a connection to the remote computer. Along the way, you might encounter a couple of obstacles:
If you specified Ask Me Every Time in the User Account box, Remote Desktop asks for the username and password of an account authorized on the remote computer to make a connection. Select Remember Me, and you won’t need to enter this information in future sessions.
By default, Remote Desktop sessions you create on your local network use self-hosted digital certificates that aren’t recognized as trusted by the client computer. If you’re certain that you’re connecting to the right computer, select the Don’t Ask About This Certificate Again checkbox (so you won’t be bothered in future sessions) and click Connect.
After bounding past those hurdles, Remote Desktop attempts to open a connection. If the account you use for the remote connection is already signed in to the remote computer—or if no one is signed in to the remote computer—the remote computer’s desktop then appears on your computer.
If a different user account is signed in to the remote computer, Windows lets you know that you’ll be forcing that person to sign out and gives you a chance to cancel the connection. On the other end, the signed-in user sees a similar notification that offers a short time to reject the remote connection before it takes over. Note that only one user at a time can control the desktop of a computer running Windows. Whoever is currently signed in has the final say on whether someone else can sign in.
While you’re connected to the remote computer, the local display on that computer (if it’s turned on) does not show what you see on the client computer but instead shows the lock screen. A person who has physical access to the remote computer can’t see what you’re doing (other than the fact that you’re signed in remotely).
When you connect to a remote computer using the Microsoft Remote Desktop app without specifying a custom resolution, the remote computer takes over your entire screen using the resolution of the client computer. At the top of the screen, in the center, a tiny toolbar with two controls appears. Click the magnifying glass icon to zoom the remote display; click the ellipsis (three dots) icon to reveal two buttons in the upper-right corner, as shown in Figure 11-19.
Figure 11-19 Use these large buttons to disconnect from a session or expand it to full screen in the Store version of the Remote Desktop client.
Click Disconnect to end your remote session. The remote computer remains locked, ready for someone to sign in locally. Click Full Screen to toggle between full-screen and windowed views of the remote PC.
While the display is in full-screen mode, you can move the mouse pointer to the top edge of the screen to display the Remote Desktop title bar. It includes the usual window controls (minimize, resize, and close). Move the mouse pointer to the bottom edge of the screen to display the taskbar for your local computer. Clicking any icon on the local taskbar shifts the focus away from the remote session and back to your local computer. If you’re running the Remote Desktop app on a touchscreen-equipped PC, you can reveal either of these controls by swiping in from the top or bottom edge of the screen.
When you’re through with a Remote Desktop session, you can lock, sign out, or disconnect. If the remote computer is running Windows 11, these options are in the usual places where comparable options appear on your local computer: Lock and Sign Out appear when you click the user avatar on Start on the remote computer, and Disconnect appears when you click Power on Start. For remote machines running earlier Windows versions, these options appear in the lower-right corner of the remote session’s Start menu. (You must click the arrow to see all the options.)
Locking the computer keeps the remote session connected and all programs running, but it hides everything behind a sign-in screen that requests a password; this is comparable to pressing Windows key + L to lock your computer.
Signing out closes all your programs, exits your user session, and disconnects.
If you disconnect without signing out, your programs continue to run on the remote computer, but the connection is ended. The sign-in screen is visible on the remote computer, and it’s available for another user. If you sign in later—either locally or through a remote connection—you can pick up right where you left off. As an alternative to the Start commands, you can disconnect by clicking the Disconnect button, displaying the Remote Desktop title bar and clicking the Back button, or simply closing the Remote Desktop window.
At the top of the Microsoft Remote Desktop app window, to the right of the Add button, is a Settings button that exposes a pane filled with options to customize the app experience. Here, you can edit credentials for saved user accounts, for example; to remove a user account, choose a username from the list, click the pen icon above the name, and then click the faint Remove This Account link at the bottom of the Edit An Account pane.
Other settings on this list that are potentially useful include a Start Connections In Full Screen switch, which you should turn off if you prefer to run remote sessions in a window, as well as a Prevent The Screen From Timing Out switch that can reduce the annoyance of having to sign back in if you leave an open session to work on other tasks.
Remote Desktop Connection is a desktop app that should be familiar to longtime Windows users accustomed to remote administration tasks. To start it, in the search box, type remote and then click Remote Desktop Connection, or enter its command directly: Mstsc.exe. A dialog like the one shown in Figure 11-20 appears. In the Computer box, type the name of the remote computer or its IP address.
Figure 11-20 You can specify the remote computer by name or IP address.
Note
Both the Microsoft Remote Desktop app and Remote Desktop Connection support the use of Jump Lists. If you pin either icon to the taskbar and save credentials, you can right-click to choose saved PCs from the Jump List to go straight to a remote session.
After entering the PC name, you can click Connect and begin the process of connecting to the remote PC immediately.
When you make a default connection, the display from the remote computer fills your entire screen, using the resolution of the client computer. Along the top of the screen, in the center, a small title bar appears. This title bar lets you switch between your own desktop and the remote PC. The pushpin button locks the connection bar in place.
The Remote Desktop Connection client software offers a wide range of additional configuration options. We won’t go through every tab, but here are two options that you might find useful:
Saved credentials On the General tab, you can enter a username and then select the Allow Me To Save Credentials checkbox. After you save credentials (in encrypted form, of course), they’re entered automatically, allowing you to connect without extra steps.
Local Resources On the expanded connection dialog, click the Local Resources tab to select whether you want to access printers connected to the local computer, whether you want the Clipboard contents to be shared between the local and remote session, and how you want remote audio handled.
Much of the networking infrastructure of Windows 11 is a refinement of features that were developed decades ago, when the internet was still an interesting experiment. Today, the simplest way to share files, digital media, and other resources, even between computers in the same home or office, is through a cloud-based service like OneDrive. If you’re a Microsoft 365 Business or Enterprise subscriber, in addition to OneDrive for Business, you can use Teams and SharePoint to easily collaborate with colleagues, customers, and suppliers.
There are, however, still valid reasons for Windows PCs to connect and share resources across a local area network. These traditional networking tools and techniques are fully supported in Windows 11, and you can use them alongside OneDrive sharing or Microsoft 365 collaboration features if you want to.
The underlying system of share permissions and NTFS permissions for controlling access to objects remains in Windows 11, working much like it has in previous versions of Windows going all the way back to Windows NT in the early 1990s. That’s our starting point for this section.
Much like Windows 10, Windows 11 offers two ways to share file resources, whether you’re doing so locally or over the network:
Public folder sharing When you place files and folders in your Public folder or its subfolders, those files are available to anyone who has a user account on your computer. Each person who signs in has access to their own profile folders (Documents, Music, and so on), and everyone who signs in has access to the Public folder. (You need to dig a bit to find the Public folder, which—unlike other profiles—doesn’t appear under Desktop in the left pane of File Explorer. Navigate to C:\Users\Public. If you use the Public folder often, pin it to the Quick Access list in File Explorer.)
By default, all users with an account on your computer can sign in and create, view, modify, and delete files in the Public folders. The person who creates a file in a Public folder (or copies an item to a Public folder) is the file’s owner and has Full Control access. All others who sign in locally have Modify access.
Settings in Advanced Sharing Settings (accessible from Settings > Network & Internet > Advanced Network Settings, discussed in the next section) determine whether the contents of your Public folder are made available on your network and whether entering a username and password is required for access. If you turn on password-protected sharing, only network users who have a user account on your computer (or those who know the username and password for an account on your computer) can access files in the Public folder. Without password-protected sharing, everyone on your network has access to your Public folder files if you enable network sharing of the Public folder.
You can’t select which network users get access, nor can you specify different access levels for different users. Sharing via the Public folder is quick and easy—but it’s inflexible.
Advanced sharing By choosing to share folders or files outside the Public folder, you can specify precisely which user accounts are able to access your shared data, and you can specify the types of privileges those accounts enjoy. You can grant different access privileges to different users. For example, you might enable some users to modify shared files and create new ones, enable other users to read files without changing them, and lock out still other users altogether.
You don’t need to decide between sharing the Public folder and sharing specific folders because you can use both methods simultaneously. You might find that a mix of sharing styles works best for you; each has its benefits:
Sharing specific folders is best for files you want to share with some users but not with others—or if you want to grant different levels of access to different users.
Public folder sharing provides a convenient, logical way to designate a collection of documents, pictures, music, and other files that you want to share with everyone who uses your computer or your network. (Presumably, those other users are trusted family members or coworkers.)
If you plan to share folders and files with other users on your network, you must take a few preparatory steps. (If you plan to share only with others who use your computer by signing in locally, you can skip these steps. And if your computer is part of a domain, some of these steps—or their equivalent in the domain world—must be done by an administrator on the domain controller. We don’t cover those details in this book.)
Be sure that all computers use the same workgroup name. With modern versions of Windows, this step isn’t absolutely necessary, although it does improve network discovery performance.
Set your network’s location to Private. This setting makes it possible for other users to discover shared resources and provides appropriate security for a network in a home or an office. (Setting the location to Public tightens network security and breaks most local networking features.) For details, see “Setting the network location,” earlier in this chapter.
Confirm that network discovery is turned on. This should happen automatically when you set the network location to Private, but you can double-check the setting—and change it if necessary—in Advanced Sharing Settings. To open Advanced Sharing Settings, go to Settings > Network & Internet > Advanced Network Settings. Then click Advanced Sharing Settings to open the page shown in Figure 11-21.
Figure 11-21 After you review settings for the Private profile, click the arrow by Public Networks and All Networks to see additional options.
Select your sharing options. In Advanced Sharing Settings, make a selection for each of the following network options. The first option is under the Private profile; to view the remaining settings, expand All Networks.
File And Printer Sharing Turn on this option if you want to share specific files or folders, the Public folder, or printers; it must be turned on if you plan to share any files (other than media streaming) over your network.
The mere act of turning on file and printer sharing does not expose any of your computer’s files or printers to other network users; that occurs only after you make additional sharing settings.
Public Folder Sharing If you want to share items in your Public folder with all network users (or, if you enable password-protected sharing, all users who have a user account and password on your computer), turn on Public folder sharing. If you do so, network users will have read/write access to Public folders. With Public folder sharing turned off, anyone who signs in to your computer locally has access to Public folders, but network users do not.
File Sharing Connections Leave this option set to 128-bit encryption, which has been the standard for most of this century.
Password Protected Sharing When password-protected sharing is turned on, network users cannot access your shared folders (including Public folders, if shared) or printers unless they can provide the username and password of a user account on your computer. With this setting enabled, when another user attempts to access a shared resource, Windows sends the username and password that the person used to sign in to their own computer. If that matches the credentials for a local user account on your computer, the user gets immediate access to the shared resource (assuming permissions to use the resource have been granted to that user account). If either the username or the password does not match, Windows asks the user to provide credentials.
With password-protected sharing turned off, Windows does not require a username and password from network visitors. Instead, network access is provided by using the Guest account. It’s important to note that the Guest account in Windows 11 is disabled by default. This means that even if you turn off the requirement for password-protected sharing, a user still requires a valid user account to connect to your shared resources. You can, of course, enable the Guest account on your computer, but we strongly urge you to reconsider as this represents a significant security issue.
Configure user accounts. If you use password-protected sharing, each person who accesses a shared resource on your computer must have a user account on your computer. If you use a Microsoft account, make sure that the account is added to both computers; for a local account, the username and password must be identical on both machines. If you’ve configured accounts correctly, network users will be able to access shared resources without having to enter their credentials after they’ve signed in to their own computer.
Whether you plan to share files and folders with other people who share your computer or those who connect to your computer over the network (or both), the process for setting up shared resources is the same as long as the Sharing Wizard is enabled. We recommend you use the Sharing Wizard even if you normally disdain wizards. It’s quick, easy, and certain to make all the correct settings for network shares and NTFS permissions—a sometimes-daunting task if undertaken manually. After you configure shares with the wizard, you can always dive in and make changes manually if you need to. (Although it’s possible to use the Advanced Sharing options to configure network sharing independently of NTFS permissions, we don’t recommend that technique and do not cover it in this book.)
To be sure the Sharing Wizard is enabled, open File Explorer Options. (In File Explorer, click See More > Options.) In the dialog that appears, shown in Figure 11-22, click the View tab. Near the bottom of the Advanced Settings list, verify that Use Sharing Wizard (Recommended) is selected.
Figure 11-22 On the View tab of the Folder Options dialog, verify that the option to use the Sharing Wizard is enabled in Advanced Settings.
With the Sharing Wizard at the ready, follow these steps to share a folder or files:
In File Explorer, select the folders or files you want to share. (You can select multiple objects.)
Right-click the folder(s) and click Show More Options. Then choose Give Access To > Specific People. The Network Access dialog appears, as shown in Figure 11-23.
Figure 11-23 For each name in the list other than the owner, you can click the arrow to set the access level—or remove that account from the list.
Click in the text box and enter the name or Microsoft account for each user with whom you want to share. You can type a name in the box or click the arrow to display a list of available names; then click Add.
Repeat this step for each person you want to add. You can add any user accounts on your computer, and also groups. In Figure 11-23, the administrator has added the Authenticated Users group—which means any user that has an account on this computer can access the shared item.
For each user, select a permission level. Your choices are:
Read Users with this permission level can view shared files and run shared programs, but they cannot change or delete files. Selecting Read in the Sharing Wizard is equivalent to setting NTFS permissions to Read & Execute.
Read/Write Users assigned the Read/Write permission have the same privileges you do as owner: They can view, change, add, and delete files in a shared folder. Selecting Read/Write sets NTFS permissions to Full Control for this user.
Note
You might see other permission levels if you return to the Sharing Wizard after you set up sharing. Contribute indicates Modify permission. Custom indicates NTFS permissions other than Read & Execute, Modify, or Full Control. Mixed appears if you select multiple items and they have different sharing settings. Owner, of course, identifies the owner of the item.
Click Share. After a few moments, the wizard displays a page like the one shown in Figure 11-24.
In the final step of the wizard, you can do any of the following:
Send an email message to the people with whom you’re sharing. The message includes a link to the shared items.
Copy the network path to the Clipboard. This is handy if you want to send a link via another application, such as a messaging app. (To copy the link for a single item in a list, right-click the share name and choose Copy Link.)
Double-click a share name to open the shared item.
Open File Explorer with your computer selected in the Network folder, showing each network share on your computer.
When you’re finished with these tasks, click Done.
Creating a share requires privilege elevation, but after a folder has been shared, the share is available to network users no matter who is signed in to your computer—or even when nobody is signed in.
Figure 11-24 The Sharing Wizard displays the network path for each item you shared.
If you want to stop sharing a particular shared file or folder, select it in File Explorer. Right-click the folder, click Show More Options, select Give Access To and then click Remove Access. Doing so removes access control entries that are not inherited. In addition, the network share is removed; the folder is no longer visible in another user’s Network folder.
To change share permissions, right-click the folder, click Show More Options, select Give Access To and then select Specific People. In the File Sharing dialog, you can add users, change permissions, or remove users. (To stop sharing with a user, click the permission level by the user’s name and choose Remove.)
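To see what the Sharing Wizard actually configured, the following PowerShell script (an added example, not part of the original chapter) lists the share-level and NTFS entries behind each file share on the computer and flags broad groups that hold write-capable rights. It relies on the SmbShare cmdlets and Get-Acl built into Windows; the function name Get-ShareExposure, the list of "broad" principals, and the write mask are assumptions chosen for this example.

```powershell
# Added example: review the share and NTFS permissions behind each file share.
# Run in an elevated PowerShell session on the computer that hosts the shares.

# Principals treated as "broad" for this review (assumption; English-language names).
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'

# NTFS bits that permit changing content: WriteData (0x2), AppendData (0x4),
# and the generic rights GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

function Get-ShareExposure {
    # -Special $false leaves out administrative shares such as C$, ADMIN$ and IPC$.
    # The Test-Path filter drops entries that are not file-system paths (for example, printers).
    $shares = Get-SmbShare -Special $false |
        Where-Object { $_.Path -and (Test-Path -LiteralPath $_.Path) }

    foreach ($share in $shares) {
        # Layer 1: share permissions (Read, Change, Full or Custom).
        foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
            $allow   = "$($entry.AccessControlType)" -eq 'Allow'
            $canEdit = "$($entry.AccessRight)" -in 'Full', 'Change'
            [pscustomobject]@{
                Share     = $share.Name
                Layer     = 'Share'
                Principal = $entry.AccountName
                Type      = "$($entry.AccessControlType)"
                Rights    = "$($entry.AccessRight)"
                Flagged   = $allow -and $canEdit -and ($entry.AccountName -in $BroadPrincipals)
            }
        }

        # Layer 2: NTFS permissions on the shared folder or file itself.
        foreach ($ace in (Get-Acl -LiteralPath $share.Path).Access) {
            $who     = $ace.IdentityReference.Value
            $allow   = "$($ace.AccessControlType)" -eq 'Allow'
            $canEdit = ([int]$ace.FileSystemRights -band $WriteMask) -ne 0
            [pscustomobject]@{
                Share     = $share.Name
                Layer     = 'NTFS'
                Principal = $who
                Type      = "$($ace.AccessControlType)"
                Rights    = "$($ace.FileSystemRights)"
                Flagged   = $allow -and $canEdit -and ($who -in $BroadPrincipals)
            }
        }
    }
}

# Flagged rows first, then the full picture per share.
Get-ShareExposure |
    Sort-Object @{ Expression = 'Flagged'; Descending = $true }, Share, Layer |
    Format-Table -AutoSize
```

Over the network, effective access is the more restrictive of the share and NTFS layers, so a broad group matters most when it is flagged in both layers for the same share.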
Although Windows doesn’t have a wizard for sharing a printer over the network, the process is fairly simple. You configure all options for a printer—shared or not—by using the printer’s properties dialog, which you access from Settings > Bluetooth & Devices > Printers & Scanners.
To make a printer available to other network users, select a printer, and then click Printer Properties. On the Sharing tab, select Share This Printer and provide a share name, as shown in Figure 11-25.
Unlike for shared folders, which maintain separate share permissions and NTFS permissions, a single set of permissions controls access to printers, whether by local users or by network users. (Of course, only printers that have been shared are accessible to network users.)
Figure 11-25 The share name for a printer can include spaces.
When you set up a printer, initially all users in the Everyone group have Print permission for documents they create, which provides users access to the printer and the ability to manage their own documents in the print queue. By default, members of the Administrators group also have Manage Printers permission—which allows them to share a printer, change its properties, remove a printer, and change its permissions—and Manage Documents permission, which lets them pause, restart, move, and remove all queued documents. As an administrator, you can view or modify permissions on the Security tab of the printer properties dialog.
In addition to setting properties for individual printers by using their properties dialogs, you can set other properties by visiting the Print Server Properties dialog. To get there, open Settings > Bluetooth & Devices > Printers & Scanners. Then, under Related Settings, click Print Server Properties.
The first three tabs control the list of items you see in the properties dialog for a printer:
The Forms tab controls the list of forms you can assign to trays using the Device Settings tab in a printer’s properties dialog. You can create new form definitions and delete any you create, but you can’t delete any of the predefined forms.
On the Ports tab, you can configure the ports that appear on the Ports tab in a printer’s properties dialog.
The Drivers tab offers a list of all the installed printer drivers and provides a centralized location where you can add, remove, or update drivers.
On the Advanced tab, you can specify the location of spool files. (You might want to change to a folder on a different drive if, for example, you frequently run out of space on the current drive when you attempt to print large documents.) You can also set notification options on this tab.
The Network folder is your primary gateway to available network resources, just as This PC is the gateway to resources stored on your own system. The Network folder (shown in Figure 11-27) contains an icon for each computer that Windows discovers on your network; double-click a computer icon to see that computer’s shared resources, if any.
Figure 11-27 The Network folder shows all computers on your network, not just those in your workgroup.
To open a shared folder on another computer, double-click its icon in the Network folder. If you have the proper permissions, this action displays the folder’s contents in File Explorer. It’s not always that easy, however. If the user account with which you signed in doesn’t have permission to view a network computer or resource you select, a dialog asks you to provide the name of an account (and its password, of course) that has permission. Don’t be fooled by the Domain reference below the User Name and Password boxes; in a workgroup, that value refers to the local computer.
Perhaps the trickiest part of using shared folders is fully understanding what permissions have been applied to a folder and which credentials are in use by each network user. It’s important to recognize that all network access is controlled by the computer with the shared resources; regardless of what operating system runs on the computer attempting to connect to a network share, it must meet the security requirements of the computer where the shared resource is actually located.
Mapping a network folder makes it appear to applications as though the folder is part of your own computer. Windows assigns a drive letter to the mapped folder, making the folder appear like an additional hard drive. You can still access a mapped folder in the conventional manner by navigating to it through the Network folder. But mapping gives the folder an alias—the assigned drive letter—that provides an alternative means of access.
To map a network folder to a drive letter, follow these steps:
1. Open File Explorer, right-click Network, and then click Map Network Drive to open the dialog shown in Figure 11-28.
Figure 11-28 Mapping a network drive letter to a folder is a straightforward process. Enter the shared folder address in UNC format (\\server\share).
2. Select a drive letter from the Drive list. You can choose any letter that’s not already in use.
3. In the Folder box, type the path to the folder you want or, more easily, click Browse and navigate to the folder.
4. Select Reconnect At Sign-In if you want Windows to connect to this shared folder automatically at the start of each session.
5. If your regular sign-in account doesn’t have permission to connect to the resource, select Connect Using Different Credentials. (After you click Finish, Windows asks for the user name and password you want to use for this connection.)
6. Click Finish.
In File Explorer, the “drive” appears under This PC.
If you change your mind about mapping a network folder, right-click the folder’s icon in your This PC folder. Choose Disconnect on the resulting shortcut menu to sever the connection.
To use a printer that has been shared, open the Network folder in File Explorer and double-click the name of the server to which the printer is attached. If the shared printers on that server are not visible, return to the Network folder, click to select the server, and then, on the ribbon’s Network tab, click View Printers. Right-click the printer and choose Connect. Alternatively, from Settings > Bluetooth & Devices > Printers & Scanners, click Add Device. If the shared printer you want doesn’t appear, click Add Manually and use the Add Printer Wizard to add a network printer.
Organizations that once maintained on-premises servers are increasingly moving those resources to the cloud, giving the cloud provider responsibility for ensuring security and reliability without having to worry about hardware failures. Small businesses and even individuals can benefit from using cloud-hosted storage and Software as a Service (SaaS) subscriptions.
Microsoft offers two main cloud services that are of interest to businesses running Windows 11:
Microsoft 365 Enterprise or Business: These subscriptions can include Microsoft 365 cloud apps (such as Exchange Online, OneDrive for Business, Teams, and SharePoint Online), and mobile device management using Microsoft Intune. Some plans also include Microsoft 365 (formerly Microsoft Office) apps, including Excel, Word, and PowerPoint. The most advanced plans also include licensing for Windows 11 Enterprise or Education editions.
Microsoft Azure: Microsoft’s flagship cloud service supports a wide range of services that are mostly of use to enterprise customers and developers. Individual users and small businesses can create virtual devices in the Azure cloud to run server and desktop operating systems and to create special-purpose cloud folders that can be used for backup and as an alternative to OneDrive.
Both Microsoft 365 and Azure are pay-as-you-go subscription-based services, and are not part of Windows 11. To access these cloud services, a user must sign in using a cloud user account (in Windows 11, these are usually called Work or School accounts). These are stored in Azure AD, which is provided as part of your Microsoft 365 or Azure subscriptions. For details on setting up and using this type of account, see “Azure Active Directory account,” in Chapter 10, “Managing user accounts, passwords, and credentials.”
Network connectivity problems can be a source of great frustration. Fortunately, Windows 11 includes several tools that can help you identify and solve problems. Even better, Windows has built-in network diagnostic capabilities, so in many cases, if there is a problem with your network connection, Windows knows about it before you do, displays a message, and often solves the problem.
When a network-dependent activity (for example, browsing to a website) fails, Windows works to address the most common network-related issues, such as problems with file sharing, website access, newly installed network hardware, connecting to a wireless network, and using a third-party firewall.
If you encounter network problems that don’t trigger an automatic response from Windows, you should first try to detect and resolve the problem with one of the built-in troubleshooters. Open Settings > System > Troubleshoot and then click Other Troubleshooters. You can then review a list of common troubleshooting tools, including
Internet Connections
Incoming Connections
Network Adapter
Shared Folders
Each of the troubleshooting wizards performs several diagnostic tests, corrects some conditions, suggests actions you can take, and ultimately displays a report that explains the wizard’s findings. Sometimes, the problem is as simple as a loose connection.
If the diagnostic capabilities leave you at a dead end, restarting the affected network hardware often resolves the problem because the hardware is forced to rediscover the network. Here’s a good general troubleshooting procedure:
Isolate the problem. Does it affect all computers on your network, a subset of your network, or only one computer?
If it affects all computers, try restarting the internet device (that is, the fiber router, or cable/DSL modem). If the device doesn’t have a power switch, unplug it for a few moments and plug it back in.
If the problem affects a group of computers, try restarting the router to which those computers are connected.
If the problem affects only a single computer, try repairing the network connection for that computer. Open Settings > Network & Internet > Advanced Network Settings and then click More Network Adapter Options. Control Panel opens. In Network Connections, right-click the suspect network connection and choose Disable. Then right-click and choose Enable. This reinitializes the adapter and its configuration.
The following list includes some of the command-line utilities you can use to perform these troubleshooting procedures. To learn more about each utility, including its proper syntax, open a Command Prompt window and type the executable name followed by /?.
IP Configuration Utility (Ipconfig.exe): Enables you to check the current IP configuration for your installed network adapters.
Name Server Lookup (Nslookup.exe): Provides a great way to test name resolution.
Net services commands (Net.exe): Performs a broad range of network tasks. Type net with no parameters to see a full list of available command-line options.
Network Command Shell (Netsh.exe): Displays or modifies the network configuration of a local or remote computer that’s currently running. This command-line scripting utility has a huge number of options, which are fully detailed in Help.
TCP/IP Ping (Ping.exe): Verifies IP-level connectivity to another internet address (or hostname) by sending Internet Control Message Protocol (ICMP) packets and measuring the response time in milliseconds.
TCP/IP Traceroute (Tracert.exe): Determines the path to an internet address (or hostname) and lists the time required to reach each hop. It’s useful for troubleshooting connectivity problems on specific network segments.
As is the case with other command-line utilities, the Windows PowerShell environment includes cmdlets that offer much of the same functionality along with the scripting capability of PowerShell. You can get a list that includes many of the more commonly used network-related cmdlets by entering the following at a PowerShell prompt:
get-command -module nettcpip, netadapter
For more information about PowerShell, see “An introduction to PowerShell” in Chapter 16, “Windows Terminal, PowerShell, and other advanced management tools.” For details about the Net TCP/IP cmdlets, go to https://bit.ly/NetTCPIP. On that page, you’ll also find (using the navigation pane on the left) details about other network-related cmdlets, including those for Network Adapter, Network Connection, and Network Connectivity Status.
When you encounter problems with TCP/IP-based networks, such as an inability to connect with other computers on the same network or difficulty connecting to external websites, the problems might be TCP/IP related. You need at least a basic understanding of how this protocol works before you can figure out which tool to use to uncover the root of the problem.
Any time your network refuses to send and receive data properly, your first troubleshooting step should be to check for problems with the physical connection between the local computer and the rest of the network. Assuming your network connection uses the TCP/IP protocol, the first tool to reach for is the Ping utility. When you use the Ping command with no parameters, Windows sends four echo datagrams—small Internet Control Message Protocol (ICMP) packets—to the address you specify. If the machine at the other end of the connection replies, you know that the network connection between the two points is alive.
To use the Ping command, open a Command Prompt window (Cmd.exe) and type the command ping target_name (where target_name is an IP address or the name of another host machine). The return output looks something like this:
C:\>ping www.example.com
Pinging www.example.com [93.184.216.34] with 32 bytes of data:
Reply from 93.184.216.34: bytes=32 time=54ms TTL=51
Reply from 93.184.216.34: bytes=32 time=40ms TTL=51
Reply from 93.184.216.34: bytes=32 time=41ms TTL=51
Reply from 93.184.216.34: bytes=32 time=54ms TTL=51
Ping statistics for 93.184.216.34:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 40ms, Maximum = 54ms, Average = 47ms
If all the packets you send come back and the time values are roughly equal, your TCP/IP connection is fine, and you can focus your troubleshooting efforts elsewhere. If some packets time out, a “Request timed out” message appears, indicating your network connection is working, but one or more hops between your computer and the target machine are experiencing problems. In that case, repeat the Ping test using the -n switch to send a larger number of packets; ping -n 30 192.168.1.1, for example, sends 30 packets to the computer or router at 192.168.1.1.
Note
The -n switch is case-sensitive; don’t capitalize it.
A high rate of timeouts, also known as packet loss, usually means the problems are elsewhere on the network and not on the local machine. (To see the full assortment of switches available for the Ping command, type ping with no target specified.)
If every one of your packets returns with the message “Request timed out,” the problem might be the TCP/IP connection on your computer or a glitch with another computer on that network. To narrow down the problem, follow these steps, in order, stopping at any point where you encounter an error:
1. Ping your own machine by using any of the following commands:
ping ::1
ping 127.0.0.1
ping localhost
These are standard addresses. The first line is the IPv6 address for your own computer; the second line is the IPv4 address; the third line shows the standard host name. If your local network components are configured correctly, each of these three commands should allow the PC on which the command is run to talk to itself. If you receive an error, TCP/IP is not configured properly on your system. For fix-it details, see “Repairing your TCP/IP configuration” later in this chapter.
2. Ping your computer’s IP address.
3. Ping the IP address of another computer on your network.
4. Ping the IP address of your router or the default gateway on your network.
5. Ping the address of each DNS server on your network. (If you don’t know these addresses, see the next section for details on how to discover them.)
6. Ping a known host outside your network. Well-known, high-traffic websites are ideal for this step, assuming that they respond to ICMP packets.
7. Use the PathPing command to contact the same host you specified in step 6. This command combines the functionality of the Ping command with the Traceroute utility to identify intermediate destinations on the internet between your computer and the specified host or server.
If either of the two final steps in this process fails, your problem might be caused by DNS problems, as described later in this section. (For details, see “Resolving DNS issues.”) To eliminate this possibility, ping the numeric IP address of a computer outside your network instead. (Of course, if you’re having DNS problems, you might have a hard time finding an IP address to ping!) If you can reach a website by using its IP address but not by using its name, DNS problems are indicated.
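The ping sequence above can be scripted. The following PowerShell function is an added example, not part of the original chapter: it discovers the local address, default gateway, and DNS servers from the active adapter, pings each target in order, and stops at the first failure. The function name Test-PingLadder and its parameters are assumptions made for this example, and the Resolve-DnsName check on an external failure is a variation on the chapter's advice to ping a numeric address.

```powershell
# Added example: the ping sequence from the steps above, stopping at the first failure.
# Test-PingLadder and its parameters are names chosen for this example.
function Test-PingLadder {
    param(
        [string]$Neighbor,                          # step 3: another computer on your network (optional)
        [string]$ExternalHost = 'www.example.com'   # step 6: a known host outside your network
    )

    # Step 1: the three standard addresses for the local computer.
    $ladder = @(
        [pscustomobject]@{ Step = 1; What = 'Loopback (IPv6)';      Target = '::1' }
        [pscustomobject]@{ Step = 1; What = 'Loopback (IPv4)';      Target = '127.0.0.1' }
        [pscustomobject]@{ Step = 1; What = 'Loopback (host name)'; Target = 'localhost' }
    )

    # Steps 2-5 come from the first connected adapter that has an IPv4 default gateway.
    $cfg = Get-NetIPConfiguration |
        Where-Object { $_.IPv4DefaultGateway -and $_.NetAdapter.Status -eq 'Up' } |
        Select-Object -First 1
    if ($cfg) {
        $own     = ($cfg.IPv4Address | Select-Object -First 1).IPAddress
        $gateway = ($cfg.IPv4DefaultGateway | Select-Object -First 1).NextHop
        $dns     = (Get-DnsClientServerAddress -InterfaceIndex $cfg.InterfaceIndex -AddressFamily IPv4).ServerAddresses

        $ladder += [pscustomobject]@{ Step = 2; What = 'This computer'; Target = $own }
        if ($Neighbor) {
            $ladder += [pscustomobject]@{ Step = 3; What = 'Another computer'; Target = $Neighbor }
        }
        $ladder += [pscustomobject]@{ Step = 4; What = 'Default gateway'; Target = $gateway }
        foreach ($server in $dns) {
            $ladder += [pscustomobject]@{ Step = 5; What = 'DNS server'; Target = $server }
        }
    }
    else {
        Write-Warning 'No connected adapter with an IPv4 default gateway; steps 2-5 are skipped.'
    }
    $ladder += [pscustomobject]@{ Step = 6; What = 'External host'; Target = $ExternalHost }

    foreach ($rung in $ladder) {
        $ok = Test-Connection -ComputerName $rung.Target -Count 4 -Quiet
        $rung | Add-Member -NotePropertyName Reachable -NotePropertyValue $ok -PassThru
        if ($ok) { continue }

        if ($rung.Step -eq 1) {
            Write-Warning 'The computer cannot reach itself: TCP/IP is not configured properly.'
        }
        elseif ($rung.Step -eq 6) {
            # Separate "name does not resolve" from "host does not answer".
            $resolved = Resolve-DnsName -Name $ExternalHost -Type A -ErrorAction SilentlyContinue
            if ($resolved) { Write-Warning "$ExternalHost resolves but does not answer; it may ignore ICMP." }
            else           { Write-Warning "$ExternalHost does not resolve: DNS problems are indicated." }
        }
        break   # stop at the first failure, as the procedure directs
    }
    # Step 7 (PathPing) takes several minutes; run "pathping <host>" by hand once step 6 passes.
}

Test-PingLadder | Format-Table -AutoSize
```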
If you suspect that there’s a problem on the internet between your computer and a distant host or server, use the Traceroute utility (Tracert.exe) to pinpoint the problem. Like the Ping command, this utility works from a command line. You specify the target (a host name or IP address) by using the syntax tracert target_name, and the utility sends out a series of packets, measuring the time it takes to reach each hop along the route. Timeouts or unusually slow performance indicate a connectivity problem. If the response time from your network to the first hop is much higher than the other hops, you might have a problem with the connection to your internet service provider; in that case, a call to your ISP’s support line is in order. Problems further along in the traceroute might indicate congestion or hardware problems in distant parts of the internet that are out of your ISP’s hands. These symptoms might disappear when you check another URL that follows a different path through the internet.
If your testing produces inconsistent results, rule out the possibility that a firewall program or NAT device (such as a router or residential gateway) is to blame. If you’re using Windows Defender Firewall or a third-party firewall program, disable it temporarily. Try bypassing your router and connecting directly to a broadband connection such as a cable modem. (Use this configuration only for testing and only very briefly, because it exposes your computer to various attacks.)
If the Ping test works with the firewall or NAT device out of the picture, you can rule out network problems and conclude that the firewall software or router is misconfigured. After you complete your testing, be sure to enable the firewall and router again.
You can also get useful details of your IP configuration by using the IP Configuration utility, Ipconfig.exe, in a Command Prompt window. Used without parameters, typing ipconfig at a command prompt displays the DNS suffix; IPv6 address, IPv4 address, or both; subnet mask; and default gateway for each network connection. To see exhaustive details about every available network connection, type ipconfig /all.
The actual IPv4 address you see might help you solve connection problems:
If the address is in the format 169.254.x.y, your computer is using Automatic Private IP Addressing (APIPA). This means your computer’s DHCP client was unable to reach a DHCP server to be assigned an IP address. Check the connection to your network.
If the address is in one of the blocks of IP addresses reserved for use on private networks (for details, see the sidebar “Public and private IP addresses” earlier in this chapter), make sure that a router or residential gateway is routing your internet requests to a properly configured public IP address.
If the address of your computer appears as 0.0.0.0, the network is either disconnected or the static IP address for the connection duplicates an address that already exists on the network.
Make sure you’re using the correct subnet mask for computers on your local network. Compare IP settings on the machine that’s having problems with those on other computers on the network. The default gateway and subnet mask should be identical for all network computers. The first one, two, or three sets of numbers in the IP address for each machine should also be identical, depending on the subnet mask. A subnet mask of 255.255.255.0 means the first three IP address numbers of computers on your network must be identical—192.168.0.83 and 192.168.0.223, for instance, can communicate on a network using this subnet mask, but 192.168.1.101 will not be recognized as belonging to the network. The gateway machine must also be a member of the same subnet. (If you use a router, switch, or residential gateway for internet access, the local address on that device must be part of the same subnet as the machines on your network.)
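The address checks above can also be done in PowerShell. The following script is an added example, not part of the original chapter: it classifies an IPv4 address (APIPA, private, 0.0.0.0), tests whether two addresses fall in the same subnet for a given mask, and then applies both checks to each adapter and its default gateway. All function names are assumptions made for this example, and the private ranges tested are the standard reserved blocks 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x.

```powershell
# Added example: interpret IPv4 settings the way the checklist above does.
# All function names are chosen for this example.

function Get-IPv4AddressKind {
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b.Length -ne 4)                    { throw "Not an IPv4 address: $Address" }
    if (($b -join '.') -eq '0.0.0.0')       { return 'Unassigned (disconnected or duplicate static address)' }
    if ($b[0] -eq 169 -and $b[1] -eq 254)   { return 'APIPA (no DHCP server reached)' }
    if ($b[0] -eq 127)                      { return 'Loopback' }
    if ($b[0] -eq 10 -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)) { return 'Private (needs a router or gateway to reach the internet)' }
    return 'Not private (public or special-purpose)'
}

function ConvertTo-SubnetMask {
    # Turns a prefix length into a dotted mask, one octet at a time.
    param([ValidateRange(0, 32)][int]$PrefixLength)
    $octets = foreach ($i in 0..3) {
        $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
        [int](256 - [Math]::Pow(2, 8 - $bits))
    }
    $octets -join '.'
}

function Test-SameSubnet {
    # Two IPv4 addresses share a subnet when every masked octet matches.
    param([string]$AddressA, [string]$AddressB, [string]$SubnetMask)
    $a = [System.Net.IPAddress]::Parse($AddressA).GetAddressBytes()
    $b = [System.Net.IPAddress]::Parse($AddressB).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    foreach ($i in 0..3) {
        if (($a[$i] -band $m[$i]) -ne ($b[$i] -band $m[$i])) { return $false }
    }
    return $true
}

# The chapter's sample addresses with mask 255.255.255.0.
Test-SameSubnet -AddressA '192.168.0.83' -AddressB '192.168.0.223' -SubnetMask '255.255.255.0'
Test-SameSubnet -AddressA '192.168.0.83' -AddressB '192.168.1.101' -SubnetMask '255.255.255.0'

# The same checks against this computer's live configuration.
$configs = Get-NetIPConfiguration | Where-Object { $_.IPv4Address }
$report = foreach ($cfg in $configs) {
    $ip   = $cfg.IPv4Address | Select-Object -First 1
    $mask = ConvertTo-SubnetMask -PrefixLength $ip.PrefixLength
    $gw   = ($cfg.IPv4DefaultGateway | Select-Object -First 1).NextHop
    $gwOk = $null
    if ($gw) { $gwOk = Test-SameSubnet -AddressA $ip.IPAddress -AddressB $gw -SubnetMask $mask }
    [pscustomobject]@{
        Interface       = $cfg.InterfaceAlias
        Address         = $ip.IPAddress
        Kind            = Get-IPv4AddressKind -Address $ip.IPAddress
        SubnetMask      = $mask
        Gateway         = $gw
        GatewayOnSubnet = $gwOk
    }
}
$report | Format-Table -AutoSize
```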
Note
Are you baffled by subnets and other related technical terms? For an excellent overview of these sometimes confusing topics, read “Understanding TCP/IP addressing and subnetting basics” (https://bit.ly/ipv4-overview), which offers information about IPv4. For comparable details about IPv6, see the “Internet Protocol version 6 (IPv6) overview” at https://bit.ly/ipv6-overview.
If you suspect a problem with your TCP/IP configuration, try either of the following repair options:
Use the automated repair option: Right-click the connection icon in Network Connections in Control Panel and click Diagnose.
Release and renew your IP address: Use the ipconfig /release command to let go of the DHCP-assigned IPv4 address. Then use ipconfig /renew to obtain a new IP address from the DHCP server. To renew an IPv6 address, use ipconfig /release6 and ipconfig /renew6.
The Domain Name System (DNS) is a crucial part of the internet. DNS servers translate host names (www.microsoft.com, for instance) into numeric IP addresses so that packets can be routed properly over the internet. If you can use the Ping command to reach a numeric address outside your network but are unable to browse websites by name, the problem is almost certainly related to your DNS configuration.
Here are some questions to ask when you suspect DNS problems:
Do your TCP/IP settings point to the right DNS servers? Inspect the details of your IP configuration, and compare the DNS servers listed there with those recommended by your internet service provider. (You might need to call your ISP to get these details.)
Is your ISP experiencing DNS problems? A misconfigured DNS server (or one that’s offline) can wreak havoc with your attempts to use the internet. Try pinging each DNS server to see whether it’s available. If your ISP has multiple DNS servers and you encounter problems accessing one server, remove that server from your TCP/IP configuration temporarily and use another one instead.
Temporary DNS problems can also be caused by the DNS cache, which Windows maintains for performance reasons. If you suddenly have trouble reaching a specific site on the internet and you’re convinced there’s nothing wrong with the site, type this command to clear the DNS cache: ipconfig /flushdns.
A more thorough solution is offered by ipconfig /registerdns, which renews all DHCP leases (as described in the previous section) and reregisters all DNS names.