
70-687_Certification Study Guide


DESCRIPTION

Microsoft Study Guide for the 70-687 Exam


Certification: Exam 70-687: Configuring Windows 8 – Part 1: Install and Upgrade to Windows 8 (14%)

Posted by John Bryntze. Published in Certification, Microsoft, Windows 8.

Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post it here. First out is Install and Upgrade to Windows 8, which is 14% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 1 we will look into these 3 objectives:
- Evaluate hardware readiness and compatibility
- Install Windows 8
- Migrate and configure user data

If you write the exam before 31st May 2013 be sure to register for a second shot (which means that if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx).

Evaluate hardware readiness and compatibility

System hardware requirements
- Processor: 1 gigahertz (GHz) or faster
- RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
- Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)
- Graphics card: Microsoft DirectX 9 graphics device with WDDM driver

determine whether 32 bit or 64 bit is appropriate

The only real reasons to run the 32-bit version of Windows 8 are if you run older hardware with a CPU that only supports the 32-bit architecture, or if a critical piece of software or a driver exists only in 32-bit, such as a VPN client or an older scanner (but in that case upgrading the software would be a better idea). A 32-bit OS cannot run any 64-bit software.

There are many more reasons to run the 64-bit version: the Windows 8 feature Hyper-V (version 3) exists only in the 64-bit version, and a 64-bit OS can address more than 4 GB of memory and make it usable to the system if it is present.

Most 32-bit software can be installed on a 64-bit OS, all except software that goes deep into the system, such as a VPN client. If your hardware is not too old and all your applications can run on a 64-bit OS, then 64-bit Windows 8 is the most appropriate choice.

determine screen resolution

The only reason I can see why the Windows 8 exam has a section on screen resolution is the new Metro user interface: Metro style applications require a minimum screen resolution of 1024×768, and 1366×768 for the snap feature (running a Metro application side by side with another Metro app or the desktop). Windows 8 won't give you the option to set a resolution lower than 1024×768 unless you go into the advanced settings.

If you go into the advanced settings, change to an unsupported screen resolution and start a Metro application, you get this error message: "The screen resolution is too low for this app to run"

choose between an upgrade or a clean installation

Personally I always prefer a clean installation, but for the exam you need to know that you can only upgrade a 32-bit OS to Windows 8 32-bit, and likewise a 64-bit upgrade only works from a previous 64-bit OS to Windows 8 64-bit.

Any previous Windows 7 edition (home/premium/professional/ultimate/enterprise) can be upgraded to Windows 8 and retain:
- Applications
- Windows settings
- Personal files

Windows Vista with Service Pack 1 or higher can be upgraded to Windows 8 and retain:
- Windows settings
- Personal files

Windows Vista with no service pack and Windows XP with Service Pack 3 can be upgraded to Windows 8 but only retain:
- Personal files

So remember that only Windows 7 can do a true in-place upgrade that keeps applications (there are a few applications that won't run in Windows 8) as well as all Windows settings and personal files; the others will install Windows 8 but only keep either Windows settings or personal files or both.

determine which SKU to install

Windows 8 will exist in 4 different SKUs (Stock-Keeping Units):
1. Windows 8
2. Windows 8 Pro
3. Windows 8 Enterprise
4. Windows 8 RT

- Windows 8: the most basic version (cannot join a domain). Only Windows 7 Starter, Home Basic and Home Premium can be upgraded to this version.
- Windows 8 Pro: includes all standard Windows 8 features. All Windows 7 editions (except Enterprise) can be upgraded to this version.
- Windows 8 Enterprise: includes all standard Windows 8 features plus Windows To Go, DirectAccess, BranchCache, RemoteFX and Metro style application development. This edition can only be acquired by Software Assurance customers.
- Windows 8 RT: you cannot really choose this edition, since it comes pre-installed on devices with ARM processors and therefore cannot run any previous Windows programs.

Basically, Windows 8 RT can only be installed on ARM processors, Windows 8 is for home use, Windows 8 Pro is for businesses that don't have Software Assurance, and Windows 8 Enterprise is for those with Software Assurance agreements.

Install Windows 8

install as Windows to Go

Windows To Go is an Enterprise feature which makes it possible to boot Windows 8 from a USB 2/3 stick. The first boot takes longer due to driver installs, but every boot after that goes faster.

One way (not the way the exam will ask about) to install Windows To Go onto a USB stick/disk is to open an elevated CMD prompt, get ImageX.exe (from the Windows ADK, http://www.microsoft.com/en-us/download/details.aspx?id=29929) and the ISO of Windows 8, and extract the install.wim file.

When you have all that and have formatted the USB disk with NTFS, run this command in the elevated CMD prompt (make sure imagex.exe is in your path; in the example below the USB drive letter is E:):

    imagex.exe /apply install.wim 1 E:\

Once ImageX has finished applying the WIM file, make the drive bootable by running this command:

    bcdboot.exe E:\windows /s E: /f ALL

Now you have a USB drive that can boot on any hardware, even on a Mac (depending on which ISO media you used, you could be limited to only 32-bit hardware).

Another way to install Windows To Go, and the more official way (read: what will be asked on the exam), is to launch the Windows To Go Creator Wizard on a Windows 8 Enterprise edition machine.

Exam tip: Know that Windows To Go can only be created from Windows 8 Enterprise edition and that for the license you need Microsoft Software Assurance; then you can even run this on a home computer.

To create one of these, start the Windows To Go wizard from a Windows 8 Enterprise machine.

Windows To Go supports both USB 2.0 and 3.0, but USB 3.0 is of course recommended for better performance.

Insert an external/removable USB disk and it shows up. As seen below, all removable disks must be Windows To Go certified to be accepted, but all external fixed disks are supported.

Notice that the wizard lets you know that the device is USB 2.0 and that USB 3.0 is recommended, but it won't stop you from using it. When a supported device is inserted the Next button activates; choose the disk you want to put Windows To Go on and press the Next button to continue.

Now you need the source files (basically an install image from Windows 8 Enterprise, install.wim), either on an inserted DVD or in a mounted install ISO. If the wizard has not already found it, click Add search location and browse to it. Once it is found, click the Next button to continue.

You can enable a BitLocker password, which must be typed in before the OS loads (take care with the keyboard layout: it will be US-EN when booted on a standard boot.wim). Once everything is configured, press the Next button to continue.

Here you get a summary and are also warned that the USB drive will be reformatted and any data on it will be lost. Press Create to start the creation of the Windows To Go USB drive.

This process will take a while; it depends on the disk itself, but about 10 minutes.

When finished you can choose boot options (Do you want to automatically boot from it when you restart your PC?):
- Yes: it will modify the boot configuration to automatically boot from this USB disk
- No: you will have to manually choose to boot from it, for example on a Dell press F12 and choose USB device

If you chose Yes and want to test it directly, press Save and restart; otherwise (and if you chose No) press Save and close.

migrate from Windows XP or Windows Vista

Migrating from Windows XP with Service Pack 3 to Windows 8 only works to the 32-bit version of Windows 8 (because XP with SP3 only exists in 32-bit). Setup renames the previous Windows folder to windows.old, installs a new Windows 8 and then migrates over personal files (no programs or Windows settings are kept).

Migrating from Windows Vista with no service pack migrates the same as above for Windows XP; you can migrate to the Windows 8 64-bit OS if the previous Vista was 64-bit.

Migrating from Windows Vista with Service Pack 1 or later migrates Windows settings and personal files but not programs.

upgrade from Windows 7 to Windows 8 or from one edition of Windows 8 to another edition of Windows 8

When you upgrade from Windows 7 to Windows 8 in-place on the same machine, the Windows 8 Setup program scans your PC to determine whether it can run Windows 8 and which apps and devices are compatible, and provides a report that you can save or print.

If you are currently running Windows 7 Starter, Home Basic or Home Premium you can upgrade to either Windows 8 or Windows 8 Pro; if you are using Windows 7 Professional or Ultimate you can only upgrade to Windows 8 Pro. Windows 7 Enterprise cannot be upgraded and needs a fresh install (normally not an issue, since enterprises normally have enterprise tools to reinstall).

As for upgrading from one edition of Windows 8 to another edition, my guess is that this only means upgrading from Windows 8 to Windows 8 Pro, since you cannot upgrade to Windows 8 RT, and Windows 8 Enterprise you can only get through Software Assurance; I doubt you can downgrade from Windows 8 Pro to Windows 8.

Anyway, to upgrade to a different edition launch "Get more features with a new edition of Windows".

Here either buy a new product key (for Windows 8 Pro) or, if you already have one, enter it to upgrade; all files, settings and programs stay the same. (The screenshot below shows the Release Preview version; not sure if that can be upgraded, but either way that won't be an exam question.)

install VHD

Boot from Virtualized Hard Drive (VHD) is a feature in Windows 8 Pro and Windows 8 Enterprise (not in Windows 8 and Windows 8 RT).

First we need to create the VHD with either diskpart or Disk Management; 50 GB is a good starting size.

Once it is created, initialize the disk and be sure to choose MBR (GPT doesn't work at the moment, but maybe in the future).

Then create a new simple volume formatted with NTFS.

Once ready we apply our Windows 8 WIM to the VHD with ImageX, like this:

    imagex /apply [path to wim]\install.wim 1 [drive letter for VHD]

When the VHD file contains our Windows 8 WIM we just need to make it bootable with BOOTSECT.EXE, using the command below:

    bootsect /nt60 [drive letter of VHD] /mbr

The last step is to Mark Partition as Active in Disk Management.

Now we have a Windows 8 bootable VHD (to actually use it you need to change the boot sector to use it).

Migrate and configure user data

migrate user profiles

There are many ways to migrate a user profile from one machine to Windows 8; for the exam I assume these 2 ways will be tested:
1. Windows Easy Transfer (MigWiz.exe) (home/SOHO tool)
2. USMT, User State Migration Tool (enterprise tool)

Windows Easy Transfer

Works well for home users and one-time user profile migration. When you run through the wizard (MigWiz.exe) you get 3 options: An Easy Transfer Cable, A Network (gives a code that needs to be used as authentication) or An external hard disk or USB flash drive.

If you choose An external hard disk or USB flash drive and your old PC is running Windows XP or Windows Vista, you need to install Windows Easy Transfer.

For more detailed information on how to run this, follow this link: http://www.addictivetips.com/windows-tips/transfer-files-settings-from-windows-7-to-windows-8/

USMT, User State Migration Tool

Works well in the enterprise, can be heavily customized and can be run scripted/automated.

USMT version 5 (compatible with Windows 8) is included in the Windows ADK (which replaces WAIK) and can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=30652

USMT 5 works as before, with scanstate.exe to capture files and settings and loadstate.exe to apply the files and settings captured by scanstate.exe, and it still uses XML files to define what should be captured. USMT 5 still works with Windows XP and later.

For more detailed information about USMT version 5 follow this link: http://blogs.technet.com/b/askds/archive/2012/04/13/new-usmt-5-0-features-for-windows-8-consumer-preview.aspx

configure folder redirection

Folder Redirection is a good way to make the user profile virtual and accessible from multiple devices (roaming profiles are another). It is nothing new for Windows 8 and Windows Server 2012, but some extra features have been added.

Since this exam is a Windows 8 exam and not a Server 2012 exam, I will only list the new Local Group Policy objects for Folder Redirection.

Do not automatically make specific redirection folders available offline

As the name implies, if you enable this policy you need to check each folder that you don't want to be automatically available offline; the user can still manually select files and set them as available offline (it just won't be done automatically).

Enable optimized move of content in Offline File cache on Folder Redirection server path change

If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location.

Redirect folders on primary computers only

A new feature which requires an Active Directory schema update for Windows Server 2012 that adds a new attribute to set a user's primary computer, so that you can exclude folder redirection on, for example, training/test and conference machines.

configure profiles

Not sure what this exam objective is asking for; I will update this when I find out. It could be something linked to the new account type. With a Microsoft account you have more freedom to use it on any machine than with a local or domain account, and your profile is also saved in the cloud.

Certification: Exam 70-687: Configuring Windows 8 – Part 2: Configure Hardware and Applications (16%)

Posted by John Bryntze. Published in Certification, Microsoft, Windows 8.

Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post it here. Part two is Configure Hardware and Applications, which is 16% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 2 we will look into these 6 objectives:
- Configure devices and device drivers
- Install and configure desktop applications
- Install and configure Windows Store applications
- Control access to local hardware and applications
- Configure Internet Explorer
- Configure Hyper-V

If you write the exam before 31st May 2013 be sure to register for a second shot (which means that if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx).

Configure devices and device drivers

install, update, disable, and roll back drivers

Not related to this exam, but as of today there are few native Microsoft Windows 8 drivers; Windows 7 drivers most often work just fine.

Note: Nearly nothing has changed in driver management, so if you used this in XP/Vista/7 you can skip this part.

All x64 device drivers must have a digital signature; boot-critical drivers must have an embedded signature.

To install a driver you can do as always: download the correct driver and run the setup file.

Drivers get updated regularly and Microsoft keeps some drivers on Windows Update, which you can access from Device Manager via Update Driver. Alternatively, download the driver from the manufacturer (often a later driver) and either install it or click Update Driver in Device Manager (see image above).

To disable a device you can either right-click the device itself in Device Manager or press Disable under the Driver tab (see the image above).

If you update a driver and the device starts malfunctioning you have the option to Roll Back Driver; the system has kept the previous driver and puts it back (if this option is greyed out there never was a previous driver).

resolve driver issues

It is not unlikely that if you manually install Windows 8 on hardware from before 2012 (and even from 2012), when you first look in Device Manager some devices are missing drivers; those are shown with a yellow triangle icon with a yellow ! in it. To resolve this driver issue just download the correct driver and install it.

If a device icon shows a downward arrow in a circle, the device has been disabled. To resolve this driver issue just right-click the device and choose Enable, and make sure that it doesn't go to another state such as missing driver.

configure driver settings

In Device Manager you can right-click a device and choose Properties. Some device drivers have settings, for example whether a network device should run when the machine is low on battery, or the wireless mode (a/b/g) of a WiFi adapter.

Install and configure desktop applications

set compatibility mode

Right-click any exe file and choose Properties; there you see a tab called Compatibility.

Here you can specify that the exe file should run as under a previous Windows version; notice that Windows NT 4 isn't on the list. This can be useful if you run an older program that could run on Windows 8 but is hard-coded to check for a specific Windows version and only run on that. You can also reduce the color mode and screen resolution, and run as administrator (if you experience UAC issues).

install and repair applications by using Windows Installer

Windows Installer = MsiExec

Using the Windows Installer requires that the install files include an MSI file. Some software comes only as an exe file that extracts an MSI file to a temp folder and runs it; all Apple software (QuickTime, iTunes, etc.) works that way. Then there are programs that come natively in MSI format, such as 7-Zip and Adobe Flash Player, and programs that don't come as MSI at all but with their own installer, such as Firefox and VLC; those you need to package yourself to get them in MSI format if needed (if you deploy software with GPO you need it in MSI format).

If you run an exe install file or an MSI directly from explorer.exe you get to answer some questions in a wizard. From the command line you can answer these questions in advance and run the install silently with msiexec. A typical example:

    msiexec /i c:\jbkb\jbkb-1.0.0.msi /qn /norestart

/i = install, /qn = quiet with no user interface, /norestart = no restart even if the program demands one.

To repair, you can go to Programs and Features, right-click the program you want to repair and choose Change.

Then choose Repair and follow the instructions.

You can also repair with MsiExec, as in the example below:

    msiexec /fo c:\jbkb\jbkb-1.0.0.msi

/f = repair, /o = repair only if a file is missing or an older file is installed.

configure default program settings

On the command line you can use dism.exe to export settings from a machine to XML, modify the XML file and import it on the machine that needs these program settings. In the GUI go to Control Panel\Programs\Default Programs\Set Default Programs to modify the default program settings.

modify file associations

On the command line you can use Assoc or Dism to view and modify file associations. In the GUI you can go to Control Panel\Programs\Default Programs\Set Associations and modify the file associations you want.

manage App-V applications

Unfortunately there is no native App-V client in Windows 8, but App-V 5.0 (currently in Beta) and later is supported in Windows 8. Installing App-V 4.6 with SP is unsupported but works; watch out, though, since Windows 8 isn't on the valid list in the OSD file.

Install and configure Windows Store applications

install, reinstall, and update Metro applications

To install a Metro (now Modern UI Style) application simply go to the Store app and start typing the name of the app that you want.

Then simply click the Install button to start downloading and installing the application.

To reinstall an application that you uninstalled or had on another machine, go into the Store, right-click and choose Your apps, and you will be able to reinstall the applications.

If an update becomes available for an app you will see this in the Store; simply click App updates and choose to update all, or select the ones you want to update.

restrict Windows Store content

Each Windows Store app has an age rating, depending on whether it contains violence, sex, weapons or other content inappropriate for children (or adults). You can then restrict the Windows Store content (well, what you can see) by using Family Safety (Parental Control). It doesn't show up by default on a domain-joined Windows 8 machine, but you can make it visible by enabling the Make Family Safety control panel visible on a Domain GPO.

Restriction is set per user account (it only works for standard users/non-admins but is set by an admin). Under Control Panel\All Control Panel Items\Family Safety\User Settings\Game and Windows Store Restrictions, check the "[Username] can only use games and Windows Store apps I allow" radio button, then click Set game and Windows Store ratings.

Here you can decide how games (apps) with no rating should be handled and, more importantly, restrict content based on age rating:
1. Early Childhood, for 3+ ratings
2. Everyone, for 6+ ratings
3. Everyone 10+, for 10+ ratings
4. Teen, for 13+ ratings
5. Mature, for 17+ ratings
6. Adults Only, for 18+ ratings

add internal content (side loading)

Sideloading means installing an app without going through the Windows Store; this could be LOB apps. These don't have to be certified or installed through the Windows Store, but they must be signed with a certificate trusted by the machine that will install the app.

Note: Not 100% sure, but the TechNet documentation specifically mentions Windows 8 Enterprise (and Server 2012), so it is possible this is only supported on Enterprise edition (but the GPO doesn't mention it).

If your machine is not joined to the domain you must activate a sideloading key before you can run the app. If your machine is joined to a domain, just enable the GPO Allow all trusted apps to install before you add a sideloaded app and run it.

If the above is not fulfilled the app tiles will show an X in the bottom right corner.

To install sideloaded apps you can use 2 tools, dism.exe and PowerShell.

PowerShell command:

    Add-AppxPackage C:\JBKB.appx -DependencyPath C:\JBKBccc.appx

Dism.exe command:

    DISM /Online /Add-ProvisionedAppxPackage /PackagePath:C:\JBKB.appx /SkipLicense

disable Windows Store

To disable the Windows Store just enable the [User | Computer] Configuration -> Administrative Templates -> Windows Components -> Store -> Turn off the Store application GPO.

Notice that Windows RT can use Local Machine Policies, but take care because the Group Policy Client service, gpsvc, is disabled by default on Windows RT.

Control access to local hardware and applications

configure AppLocker

New in AppLocker for Windows 8 is that you can restrict packaged apps and packaged app installers (.appx). Otherwise it works pretty much the same as in Windows 7, and it works only in Enterprise edition (you can create AppLocker rules in other editions but not use them).

To configure AppLocker you either use the preferred Global Group Policy or, as in this post, the Local Computer Policy; navigate to Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker.

If you, for example, want to restrict normal users (local administrators are excluded by the default rules) from running a specific app (*.appx), you can either manually create a rule for each approved or not approved app, or you can scan a template computer that has all apps already installed and set only those to allowed. I will go through both examples; this also works for Executable Rules (.exe, .com), Windows Installer Rules (.msi, .msp, .mst) and Script rules (.ps1).

Manually Create an AppLocker Rule

Start by right-clicking Packaged app Rules and choosing Create New Rule...

A wizard starts at Before You Begin, which explains what the wizard will do; just click Next > to continue.

At Permission you decide the action, Allow or Deny; if two rules exist for the same application the Deny rule wins. Here you also decide which group it applies to; the default is Everyone. In this example we set Allow for Everyone and then press the Next > button.

At Publisher you either browse to/select an app that is already installed or an app reference. In this example we press the Select button, check the Microsoft SkyDrive app, then slide up to Package Name and change Package Version from the version number to * (any version), which means that even if we update SkyDrive it will still be allowed to run. To continue press the Next > button.

At Exceptions you can specify exceptions to the rule; in this example we have no exceptions and continue by pressing Next >.

At Name you name the rule (the image shows the default name given) and you can also add a description, such as why this rule was created and the goal of it. Press Create to finish the rule.

Automatically Generate AppLocker Rules

Start by right-clicking Packaged app Rules and choosing Automatically Generate Rules...

A wizard starts, and on the first page you have to choose who these rules will apply to; the default is the Everyone group, but you can browse to any group. You also have to choose whether it should generate rules for the apps that are already installed on the machine you are running the wizard from, or from a folder where you have put all the apps. In this example we leave the default Everyone group, leave the radio button on Generate rules for all packaged apps installed on this computer, and set a suitable name for these rules. Press the Next > button to continue.

At Rule Preference you have only one choice, which is enabled by default: Reduce the number of rules created by grouping similar applications. Press the Next > button to continue.

The wizard will now crawl through all installed packaged apps on the machine.

At Review Rules you get an overview of how many rules were created for the packaged apps; if you left the default in the step before, the number of rules is lower. If you are happy with the rules press the Create button.

Now you see the extra rules that were created, all starting with the name specified at the start of the wizard.

Active AppLocker rules

If enforcement is not configured, the rules are enforced by default, unless a Group Policy defines it, in which case that value overrides it. To configure enforcement on a local machine, right-click AppLocker and choose Properties. Choose for each section; if you don't want to enforce the rules you created you can choose Audit Only, and you will only see what would have been blocked, but AppLocker won't block anything.
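The automatic rule generation and the Audit Only setting described above can also be scripted with the cmdlets of the AppLocker PowerShell module. This is an added example, not part of the original post; the rule name prefix, the output file path and the decision to merge into the local policy are assumptions.

```powershell
# Added example: script the "Automatically Generate Rules" wizard for packaged
# apps and apply the result in Audit Only mode. Run from an elevated prompt on
# the reference (template) machine. Path and prefix below are assumed values.
Import-Module AppLocker

$policyFile = Join-Path $env:TEMP 'PackagedAppBaseline.xml'   # assumed path
$rulePrefix = 'Baseline'                                      # assumed prefix

# 1. Collect publisher/package information for every installed packaged app.
$fileInfo = Get-AppxPackage -AllUsers | Get-AppLockerFileInformation

# 2. Generate publisher rules for the Everyone group. -Optimize groups similar
#    applications, like the wizard's "Reduce the number of rules" option.
$xmlText = $fileInfo |
    New-AppLockerPolicy -RuleType Publisher -User Everyone `
                        -RuleNamePrefix $rulePrefix -Optimize -Xml

# 3. Switch each generated rule collection to Audit Only, so that nothing is
#    blocked while the rules are being evaluated.
$xml = [xml]$xmlText
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$xml.Save($policyFile)

# 4. Merge the rules into the local computer policy and show the enforcement
#    mode that each rule collection ends up with.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
([xml](Get-AppLockerPolicy -Local -Xml)).AppLockerPolicy.RuleCollection |
    Select-Object Type, EnforcementMode

# 5. AppLocker only evaluates rules while the Application Identity service runs.
Start-Service -Name AppIDSvc

# 6. After users have worked for a while, list packaged apps that would have
#    been blocked under enforcement (event ID 8021 = audited).
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/Packaged app-Execution' `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8021 } |
    Select-Object TimeCreated, Message
```

Reviewing the 8021 events before switching a collection from Audit Only to enforced shows which apps still lack an allow rule.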

configure access through Group Policy or local security policy

It is unclear what this objective is aiming at, but I guess it is Software Restriction Policies. This is nothing new in Windows 8 and existed before, so most likely there will not be too many questions on this topic on the exam.

There are 3 different security levels (the default is Unrestricted):
1. Disallowed: Software will not run, regardless of the access rights of the user.
2. Basic User: Allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.
3. Unrestricted: Software access rights are determined by the access rights of the user.

To create a Software Restriction Policy rule go to: Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies

Right-click Additional Rules and choose one of the 4 rule types:
1. Certificate Rule
2. Hash Rule
3. Network Zone Rule
4. Path Rule

- Certificate Rule: using this can reduce performance; you browse to a certificate and choose a security level.
- Hash Rule: more secure than a Path Rule, since if a file is modified by malware or the like it will get another hash and will not be allowed to run.
- Network Zone Rule: follows the same zones as Internet Explorer, and you can restrict installation per zone.
- Path Rule: easy to implement but less secure. If a file exists in a certain path it can, depending on the security level, be allowed to run, but if malware replaces a file in that path it will also be allowed to run (as opposed to hash rules).
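The difference between a Hash Rule and a Path Rule can be seen in a small model of the two checks. This is an added example, not part of the original post and not the Software Restriction Policies engine itself; the file name, the file contents and the use of SHA-256 as the digest are assumptions made for the demonstration.

```powershell
# Added example: a simplified model of path-rule and hash-rule matching.
# All file names and contents are constructed; SHA-256 is an assumed digest.

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    # Uses .NET directly so it also runs on PowerShell 3.0 (Windows 8),
    # where Get-FileHash is not available.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        [System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', ''
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

function Test-PathRule {
    param([string]$File, [string]$AllowedPath)
    # A path rule looks only at where the file is, not at what it contains.
    [System.IO.Path]::GetFullPath($File) -ieq [System.IO.Path]::GetFullPath($AllowedPath)
}

function Test-HashRule {
    param([string]$File, [string]$AllowedHash)
    # A hash rule looks only at the content, wherever the file is stored.
    (Get-Sha256Hex -Path $File) -ieq $AllowedHash
}

# Constructed "approved" program in a scratch directory.
$dir  = Join-Path $env:TEMP ('srp-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$tool = Join-Path $dir 'approved-tool.exe'
[System.IO.File]::WriteAllText($tool, 'constructed original content')

# The administrator records both kinds of rule for the approved file.
$allowedPath = $tool
$allowedHash = Get-Sha256Hex -Path $tool

$results = @()
$results += [pscustomobject]@{
    FileState = 'original'
    PathRule  = Test-PathRule -File $tool -AllowedPath $allowedPath
    HashRule  = Test-HashRule -File $tool -AllowedHash $allowedHash
}

# The file is replaced in place: same path, different content.
[System.IO.File]::WriteAllText($tool, 'constructed modified content')

$results += [pscustomobject]@{
    FileState = 'replaced in the same path'
    PathRule  = Test-PathRule -File $tool -AllowedPath $allowedPath
    HashRule  = Test-HashRule -File $tool -AllowedHash $allowedHash
}

$results | Format-Table -AutoSize
Remove-Item -Recurse -Force $dir
```

The same property that makes the hash rule stricter also means that a hash rule has to be recreated whenever the approved program is legitimately updated.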

[Image: Path Rule not allowing Windows Media Player to run]

manage installation of removable devices

Note: I haven't found anything especially new in Windows 8 for this, but there are some GPOs that can help manage installation of removable devices; most of those already existed in Windows Vista.

At Local Computer Policy: Computer Configuration -> Administrative Settings -> System -> Device Installation -> Device Installation Restrictions

If you want to prevent installation of removable devices (and prevent existing ones from updating their driver), enable Prevent installation of removable devices.

If you only want to prevent (or allow) certain removable devices, you must find out the device ID and use Allow installation of devices that match any of these device IDs or, alternatively, Prevent installation of devices that match any of these device IDs. To find out these device IDs you can plug in the device, go to Device Manager, open its properties and read the Hardware IDs; the image below is a Western Digital external USB disk, for example: GenDisk, USBSTOR\GenDisk and so on.

Configure Internet Explorer

In Windows 8 you are offered 2 different versions of Internet Explorer 10: one in Modern UI Style mode, called just Internet Explorer (no ActiveX support), which is full screen, and one in desktop mode, called Internet Explorer for the desktop, which works like previous versions of Internet Explorer with ActiveX support.

configure compatibility view

Some sites on the Internet check the user-agent string to see what version of browser is requesting their content. For example, if the site http://john.bryntze.net knows that its content won't display well in Internet Explorer 6, the site can check the user-agent string and notify users with Internet Explorer 6 that the site won't look good and recommend an upgrade or the like. With Internet Explorer 10 the user-agent string has of course changed, and more than normally, because 10.0 now has an extra digit compared with the earlier MSIE 6.0, 7.0, 8.0, 9.0; some sites might just compare the first digit and then by mistake think version 10.0 is version 1.

Below is the user-agent string for Internet Explorer 10 on Windows 8:

    Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)

So even if a web page would display perfectly in Internet Explorer 10, access might get blocked because the page cannot handle the new user-agent string. One way around this is to enable compatibility view for this site, which makes the browser present itself as Internet Explorer 7 with this user-agent string (note that it still shows it is Windows 8 (= 6.2)):

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/6.0)
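The first-digit mistake described above, next to a check that reads the whole major version, is shown in the following added example (not part of the original post). The two Internet Explorer 10 strings are the ones quoted above; the Internet Explorer 9 string is added for comparison, and the function names are hypothetical.

```powershell
# Added example: flawed versus correct parsing of the MSIE version token.
$userAgents = @(
    'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)',  # IE 10, from the post
    'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/6.0)',   # compatibility view, from the post
    'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)'    # added for comparison
)

function Get-MsieMajorFlawed {
    param([string]$UserAgent)
    # Flawed: captures a single digit after "MSIE ", so "10.0" is read as 1.
    if ($UserAgent -match 'MSIE (\d)') { return [int]$Matches[1] }
    return $null
}

function Get-MsieMajor {
    param([string]$UserAgent)
    # Correct: captures every digit up to the dot, so "10.0" is read as 10.
    if ($UserAgent -match 'MSIE (\d+)\.') { return [int]$Matches[1] }
    return $null
}

function Get-TridentMajor {
    param([string]$UserAgent)
    # The Trident token stays the same in compatibility view, so it shows
    # which rendering engine is really behind the reported MSIE version.
    if ($UserAgent -match 'Trident/(\d+)\.') { return [int]$Matches[1] }
    return $null
}

$userAgents | ForEach-Object {
    $msie    = Get-MsieMajor -UserAgent $_
    $trident = Get-TridentMajor -UserAgent $_
    [pscustomobject]@{
        FlawedMajor  = Get-MsieMajorFlawed -UserAgent $_
        MsieMajor    = $msie
        TridentMajor = $trident
        # IE 10 in compatibility view: reports MSIE 7 but runs Trident 6.
        CompatView   = ($msie -eq 7 -and $trident -ge 6)
        UserAgent    = $_
    }
} | Format-Table -AutoSize
```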

To configure Compatibility View Settings you usecommand bar(if not visiblepressALTkey) and goTools -> Compatibility View SettingsHere you can add URLs that should be in compatibility view mode (IE7 mode). Also decide if all websites should be viewed in compatibility view or if all Intranet URLs should default be in this mode (to support Intranet applications developed against older browsers). You can also download an updated list Microsoft provides about sites that views best in compatibility view.

All the above settings can of course be set by Group Policies: User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Compatibility View

Notice: Nothing here is new in Internet Explorer 10; all of the above has worked since Internet Explorer 8. The only small novelty is that Microsoft now keeps a compatibility view list of sites that need Flash for Internet Explorer 10 in Advanced UI Style mode (the version without ActiveX, which still has a slim Flash Player that lacks some features and drains less battery).

configure security settings

Internet Explorer 10 includes a lot of security settings, most of which already existed in Internet Explorer 9. Here are the most common ones with a short description:

InPrivate Browsing - Activated by CTRL + SHIFT + P; the browser does not save any browser history, cookies or temp files during the session. Toolbars and extensions are disabled by default.

Tracking Protection - Some providers, such as Google, that provide maps, advertisements and other tools can share this information to give a better experience but also less integrity. You can either have it blocked automatically or set allow or block per site.

ActiveX Filtering - If enabled, you see a round blue circle with a line going through it. By clicking on it you can make an exception so that the website may use ActiveX controls; otherwise ActiveX is disabled by default when ActiveX Filtering is enabled.

SmartScreen Filter - On by default. It checks the URL against a Microsoft database to see whether it is flagged as dangerous and, if so, advises you not to visit the site. You can also check a site manually, and you can report a site to Microsoft that you think is a phishing site or similar.

manage add-ons

Not much is new in Internet Explorer 10; it works more or less as in earlier versions. These settings can be set with Group Policies but also manually:

Toolbars and Extensions: Disable or enable specific ActiveX controls; some have extra options to configure, but there is no standard.
Search Providers: Add search providers; the default is Bing, but you can add Google, Yahoo and others.
Accelerators: Choose accelerators for Email/Map/Translators.
Tracking Protection: Covered earlier in this blog post; I can add that you can use your own list but also get a list online.

configure websockets

WebSockets are new in Internet Explorer 10 but have existed in earlier versions of alternative web browsers. WebSockets (ws:// or wss://) is a web standard that speeds things up where traditional HTML slows down.

I had problems finding how to configure WebSockets: there is no GUI in Internet Options, but there is one Group Policy setting, Turn off the WebSocket Object, which can disable WebSockets, which are enabled by default (which blocks data access cross domain).

configure Download Manager

Download managers have existed for a long time in alternative browsers such as Firefox, and Download Manager isn't a new feature in Internet Explorer 10, but it hasn't been there in older versions.

To reach Download Manager you either press CTRL + J or go to Options -> View downloads.

So far pretty basic. This exam sub-objective includes managing Download Manager; when you are in it you can press the Options link and choose the download location and whether to be prompted when a download finishes, and that's it! My guess is that this objective is about managing Download Manager with Group Policies, and there are a few (not that many, really), all listed below:

Windows Components -> Internet Explorer -> Delete Browsing History -> Prevent Deleting Download History - As the name implies, users cannot delete their own download history.
Windows Components -> Internet Explorer -> Prevent users from bypassing SmartScreen Filter's application reputation warnings about files that are not commonly downloaded from the Internet - Again as the name implies, if SmartScreen warns about a downloaded file, users cannot go around it.

Configure Hyper-V

Hyper-V 3.0 on Windows 8 is the first Hyper-V that runs on a client OS, and it also supports sleep mode.

Exam tip: Remember that Hyper-V can only run on a 64-bit OS, so be careful with questions mentioning that you want to run Hyper-V on a 32-bit Windows 8; it won't be possible.

create and configure virtual machines

Creating a virtual machine is pretty straightforward in the GUI:

1. Right-click on the Hyper-V server and go to New -> Virtual Machine, and a wizard starts.

2. At section Before You Begin, just read through and then press the Next > button to continue.

3. At section Specify Name and Location you do exactly that: you specify the name of the virtual machine and also its location. The default location is C:\ProgramData\Microsoft\Windows\Hyper-V\ but I recommend creating your own root folder and checking the box Store the virtual machine in a different location. Once done, press the Next > button to continue.

4. At section Assign Memory you specify how much memory (in megabytes) the guest OS will use; this of course depends on how much the OS and the applications on it require. Once decided, press the Next > button to continue.

5. At section Configure Networking you can choose the network you want, if one has been created, and add more after the wizard has finished; basically there are 3 different types: private, intranet and external. Choose your connection and then press Next > to continue.

6. At section Connect Virtual Hard Disk you have the choice to create a new virtual hard disk (and set its size in gigabytes), to add an existing one (the requirement is that it is in VHD or VHDX format), or to add a virtual hard disk later. Once chosen, press the Next > button to continue.

7. At section Installation Options you can install the OS now or later. If you do it now you can either access the media from the Hyper-V host's physical CD/DVD drive, browse to an ISO file, or install from a virtual floppy disk (VFD format).

8. At section Summary, verify that all looks good and finish; the virtual machine gets created.

Once the wizard has finished you can modify the virtual machine, for example add a Legacy Adapter (needed for PXE booting, for example), adjust memory, add more disks and so on.

Under the section Management you have some settings:

Name - You can edit the name or add notes to it.
Integrated Services - Installed by default on newer Hyper-V aware OSes but might need to be installed on older Windows OSes.
  Operating System shutdown - The Hyper-V host can do a clean shutdown of the guest OS.
  Time Synchronization - The guest OS syncs its time against the host OS (you can of course still have a different time zone that adjusts the time).
  Data Exchange - Provides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.
  Heartbeat - The heartbeat service allows the host OS to detect when a virtual machine has locked up, crashed or otherwise ceased to function. The host OS sends heartbeat messages to the guest operating system at regular intervals. It is then the job of the Hyper-V Heartbeat Service installed on the guest operating system to send a response to each of these heartbeat messages.
  Backup (volume snapshot) - A VSS requester is installed that allows VSS writers in the guest operating system to participate in the backup of the VM.
Snapshot File Location - By default the same location as the virtual machines followed by the name of the virtual machine, for example: C:\Hyper-V Virtual Machines\JBKB-VM01
Smart Paging File Location - Same default as Snapshot File Location. Smart Paging is a memory management technique that provides a reliable restart experience for virtual machines configured with less minimum memory than startup memory.
Automatic Start Actions - When the host OS starts there are 3 automatic start actions for the guest OS:
  Nothing
  Automatically start if it was running when the service stopped (default)
  Always start this virtual machine automatically

create and manage snapshots

To take a snapshot, simply select the virtual guest you want to take a snapshot of and click on the Snapshot link.

If you right-click on the snapshot you can delete it, or take a new snapshot of the current state and then apply the snapshot.

The snapshot location was explained above; it can be changed as long as no snapshot has been taken. Once there is a snapshot you cannot change the location anymore (it is greyed out).

Snapshot files have the file extension .avhdx

create and configure virtual switches

Virtual switches / Hyper-V VLAN: you can create 3 different types of virtual switches depending on the needs of your virtual machines, and one single machine can use multiple virtual NICs that are members of different virtual switches.

1. External - This virtual switch binds to the physical network adapter and creates a new adapter that you can see in Control Panel\Network and Internet\Network Connections, so if a virtual machine needs contact outside the host machine this one is a must.
2. Internal - This virtual switch can be used to connect all virtual machines and the host machine but cannot go outside that.
3. Private - This virtual switch can only be used by the virtual host.

The 3 different switch types have some smaller configuration options.

External network - You have to choose in a drop-down box which physical NIC to bind it to. New in Hyper-V 3 is that you can bind to a WiFi NIC (in Hyper-V 2 there was a dirty, unsupported workaround to make it work). You can also choose a virtual VLAN ID.
Internal network - You can choose a virtual VLAN ID.
Private network - No configuration, you just choose a name.

create and configure virtual disks

From within the Hyper-V console you can create virtual disks. Hyper-V 3 supports 2 different disk formats:

VHD - supports virtual hard disks up to 2,040 GB in size
VHDX - supports virtual hard disks up to 64 TB (this format is not supported in Hyper-V version 1 and 2)

There are 3 different disk types:

1. Fixed size - Creates a VHD or VHDX file that takes up the full disk size even if it is empty or not used. This can be useful when an application checks for disk space before it allows installation.
2. Dynamically expanding - Uses less space than fixed size and expands dynamically when disk space is needed.
3. Differencing - You can have a static disk and add a differencing disk where all changes are written. This is, for example, very good in a lab/training environment where you can restore to default by just deleting the differencing disk.

You can configure the disk size (remember the limits of VHD and VHDX) and either copy content from a physical disk or virtual disk to the newly created virtual disk or keep it blank.
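The wizard steps, Management settings, snapshots, virtual switches and virtual disks described in the Hyper-V sections above can also be scripted with the Hyper-V PowerShell module. This is an added example, not part of the original post; the switch names, the NIC name, the disk sizes and the ISO path are assumptions, while the VM name and root folder reuse the example path shown above.

```powershell
# Added example (not from the original post). Run elevated on 64-bit Windows 8
# with the Hyper-V feature and its PowerShell module enabled.
$vmName  = 'JBKB-VM01'                     # example VM name used on this page
$root    = 'C:\Hyper-V Virtual Machines'   # own root folder, as recommended above
$nicName = 'Ethernet'                      # assumption: name of the physical NIC
$isoPath = 'C:\ISO\install.iso'            # placeholder path to installation media

# Virtual switches: External binds to a physical NIC, Internal and Private do not.
New-VMSwitch -Name 'JBKB-External' -NetAdapterName $nicName -AllowManagementOS $true
New-VMSwitch -Name 'JBKB-Internal' -SwitchType Internal
New-VMSwitch -Name 'JBKB-Private'  -SwitchType Private

# Virtual disks: a dynamically expanding VHDX for the OS and a fixed-size VHD
# for data (VHD is limited to 2,040 GB, VHDX to 64 TB).
$vhdDir = Join-Path $root "$vmName\Virtual Hard Disks"
New-Item -ItemType Directory -Path $vhdDir -Force | Out-Null
$osDisk   = Join-Path $vhdDir 'os.vhdx'
$dataDisk = Join-Path $vhdDir 'data.vhd'
New-VHD -Path $osDisk   -SizeBytes 60GB -Dynamic
New-VHD -Path $dataDisk -SizeBytes 20GB -Fixed

# Wizard steps 3 to 7: name and location, memory, network, disk, install media.
New-VM -Name $vmName -Path $root -MemoryStartupBytes 2GB `
       -VHDPath $osDisk -SwitchName 'JBKB-External'
Add-VMHardDiskDrive -VMName $vmName -Path $dataDisk
Set-VMDvdDrive      -VMName $vmName -Path $isoPath

# After the wizard: legacy adapter for PXE boot and the Management settings.
Add-VMNetworkAdapter -VMName $vmName -Name 'PXE' -IsLegacy $true `
                     -SwitchName 'JBKB-External'
Set-VM -Name $vmName -AutomaticStartAction StartIfRunning `
       -SnapshotFileLocation (Join-Path $root $vmName) `
       -SmartPagingFilePath  (Join-Path $root $vmName)

# Snapshots: take one, list them, apply it again, then delete it.
Checkpoint-VM      -Name   $vmName -SnapshotName 'Clean install'
Get-VMSnapshot     -VMName $vmName
Restore-VMSnapshot -VMName $vmName -Name 'Clean install' -Confirm:$false
Remove-VMSnapshot  -VMName $vmName -Name 'Clean install'
```

Set the snapshot location before taking the first snapshot, since it cannot be changed afterwards.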

Certification: Exam 70-687: Configuring Windows 8 - Part 3: Configure Network Connectivity (15%)

Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post it here. Part three is Configure Network Connectivity, which is 15% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 3 we will look into these 4 objectives:

Configure IP settings
Configure networking settings
Configure and maintain network security
Configure remote management

Configure IP settings

configure name resolution

No big changes from Windows 7: you can either get your name resolution servers (DNS and/or WINS) from DHCP or configure them manually in Network and Sharing Center. You can also configure DNS from the command line:

netsh interface ip set dns "Local Area Connection" static 10.46.0.10

connect to a network

Connect to a network is the exact name of a Windows 8 native app that shows up if you type it in search, as the image below shows. You can also connect in non-Modern UI mode as before. On the right side of your screen you get a list of all possible connections, such as WiFi connections, VPN connections if any are configured, and even DirectAccess if configured.

configure network locations

I assume network locations means the Network Profiles that have existed since Windows Vista. There are 3 different profiles that you can associate with different network adapters/networks (these network profiles are also used by Windows Firewall):

Private - Useful at home/SOHO
Guest or Public - Useful when connecting to an airport WiFi spot or other public places
Domain - For domain networks

For each of these Network Profiles you can decide whether network sharing and printer sharing should be turned on or off. In Group Policy, under Network List Policy Manager, you can predefine which Network Location an SSID gets and whether the user has the right to change it.

resolve connectivity issues

To resolve a connectivity issue you must first find where the issue is. Some basic steps:

1. Find out whether only one machine or several machines have connectivity issues; if it is multiple computers, it is likely not an issue on the local machine.
2. If only one machine on the network has the issue, check that it has an IP address with ipconfig (/all); if not, check the media and try other outlets, or verify that the machine is within WiFi range.
3. If the machine has a correct IP address, check that it can ping its gateway; if it can, it is most likely a name resolution issue. Check that DNS answers with nslookup, or simply ping (or pathping) john.bryntze.net and see whether it resolves to an IP address.

It is very rare, but if you use static IP addresses check for IP address conflicts, or if you use DHCP check that two scopes are not overlapping.

You can also right-click on a connection and choose Troubleshoot problems, and a wizard will suggest some actions.
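Steps 2 and 3 above as one script that stops at the first failing layer for each adapter. This is an added example, not part of the original post; the function name is hypothetical, and the 169.254.x.x check (the automatic private address Windows assigns when no DHCP server answers) goes slightly beyond what the steps above mention.

```powershell
# Added example (not from the original post). Needs Windows 8 / PowerShell 3.0
# or later for Get-NetIPConfiguration and Resolve-DnsName.
function Test-ConnectivityPath {
    param([string]$TestName = 'john.bryntze.net')   # name used in step 3 above

    foreach ($cfg in Get-NetIPConfiguration) {
        $name = $cfg.InterfaceAlias

        # Step 2: does the adapter have link and a usable IPv4 address?
        $ipv4 = @($cfg.IPv4Address | Where-Object { $_ } |
                  ForEach-Object { $_.IPAddress })
        if ($cfg.NetAdapter.Status -ne 'Up' -or $ipv4.Count -eq 0) {
            "${name}: no link or no IPv4 address - check media, outlet or WiFi range"
            continue
        }
        if ($ipv4 | Where-Object { $_ -like '169.254.*' }) {
            "${name}: self-assigned address $($ipv4 -join ', ') - no DHCP answer"
            continue
        }

        # Step 3, first half: can we reach the default gateway?
        $gw = @($cfg.IPv4DefaultGateway | Where-Object { $_ } |
                ForEach-Object { $_.NextHop })
        if ($gw.Count -eq 0) {
            "${name}: address $($ipv4 -join ', ') but no default gateway configured"
            continue
        }
        # Note: some gateways drop ICMP, so a failed ping is a hint, not proof.
        if (-not (Test-Connection -ComputerName $gw[0] -Count 2 -Quiet)) {
            "${name}: gateway $($gw[0]) does not answer ping"
            continue
        }

        # Step 3, second half: gateway answers, so test name resolution.
        try {
            $ips = Resolve-DnsName -Name $TestName -Type A -ErrorAction Stop |
                   Where-Object { $_.IPAddress } |
                   ForEach-Object { $_.IPAddress }
            "${name}: OK - $TestName resolves to $($ips -join ', ')"
        }
        catch {
            "${name}: gateway reachable but $TestName does not resolve - check DNS"
        }
    }
}

Test-ConnectivityPath
```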

IPv6

Notice: Extra section added due to rumors that Microsoft is starting to push for IPv6 on exams.

Since Windows Vista IPv6 is enabled by default. Think about a few things:

IPv6 addresses are 128-bit hexadecimal numbers; that means that instead of 32 bits as before there are 128 bits (1 or 0), written in hexadecimal.
Identify a multicast IPv6 address by the fact that it always starts with FF0.
Identify a link local unicast IPv6 address by the fact that it always starts with FE80.
In IPv4 the loopback address is for some strange reason 127.0.0.1 (taking up a full A-net), but in IPv6 the loopback address is more logical: 0000:0000:0000:0000:0000:0000:0000:0001. Know that you can reduce all the 0000 groups, so this address can be written ::0001 or even sometimes just ::1
If you are used to the 255.255.0.0 subnet mask, that is not applicable in IPv6. IPv6 still uses subnets, but the subnet is included in the address. Of the 128 bits, the first 48 bits are the network prefix, the 16 bits after that are the subnet ID, used to create subnets, and the last 64 bits are the device ID.
IPv6 also uses DNS, but host records that were A in IPv4 are AAAA in IPv6.
Windows 8 supports a lot of tunnel technologies that can transport IPv6 packets over IPv4 networks, such as Teredo and ISATAP.

A few Windows 8 functions only work with IPv6, such as DirectAccess and HomeGroup.

Configure networking settings

connect to a wireless network

If the wireless network is broadcasting its SSID, you just click on it and connect (this might require some extra steps if a key needs to be entered, for example WEP).

If the wireless network isn't broadcasting its SSID you need to connect to it manually by using Set Up a Connection or Network and selecting Manually connect to a wireless network, then specifying Network name, Security type, Encryption type and Security key (needed for example for WEP).

manage preferred wireless networks

Managing preferred wireless networks is a feature that was introduced in Windows XP Service Pack 2 and existed until now! No, it still exists in Windows 8, but you cannot really configure it; it is automatically managed by Windows 8 itself. Here is a statement:

"To make sure we connect to the right network when multiple networks are available, Windows maintains an ordered list of your preferred networks based on your explicit connect and disconnect actions, as well as the network type. For example, if you manually disconnect from a network, Windows will no longer automatically connect to that network. If, while connected to one network, you decide to connect to a different network, Windows will move the new network higher in your preferred networks list. Windows automatically learns your preferences in order to manage this list for you"

Not related to this exam, but you can see the history of SSIDs you have connected to in XML files in this folder, per interface: C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{Interface ID}

configure network adapters

Not much has changed in Windows 8 from the previous version. Most configuration on a network adapter is about checking protocols. The protocol that requires configuration is TCP/IP, where you set how to acquire an IP address, mask, default gateway, DNS/WINS, domain suffix and so on. On the Sharing tab you can enable Internet Connection Sharing, which can share a connection with other computers/devices (mostly for home usage/SOHO).

Pressing the Configure button gives you more configuration options, such as drivers and, for WiFi, signal strength, 802.11x mode, and Power Management (whether the adapter should shut down to save battery).

configure location-aware printing

Location-aware printing is not a new feature; it already existed in Windows 7. It makes your default printer follow you, so you can have one default printer at work and another at home without switching manually.

Just click on an installed printer in Control Panel and select Manage default printers.

Be sure Change my default printer when I change Networks is selected, and then manage per network which printer you want to be the default.

Location-Aware Printing is dependent upon the Network List Service and the Network Location Awareness service. If either one of these services is stopped or malfunctioning, Windows will not be able to detect network changes and may not switch default printers as expected.

Configure and maintain network security

configure Windows Firewall

Windows Firewall hasn't changed a lot either; it now refers to everything as App and not Program.

If you don't see your app in the list you can add it by clicking Allow another App and then browsing to the executable file. You can also choose which Network Profile/Type to allow this for (Domain/Public/Private).

In Allowed apps you can decide which programs get access and under which Network Profile by simply checking the check boxes.

The default setting is to not allow incoming connections to any program that is not in the Allowed apps list.

configure Windows Firewall with Advanced Security

Windows Firewall has existed since Windows XP Service Pack 2. At that time you could only block inbound traffic; since Windows Vista you can block outgoing traffic as well.

In Windows Firewall with Advanced Security you can specify rules for both inbound and outbound traffic based on Program, Protocol and Ports, and Scope.

Program - You can select one of the following:

All Programs - If you need a rule that applies to all programs and then limit it on Protocol and Ports instead.
This program path - Example: c:\program files\jbkb\jbkb-test.exe
Services - Drop-down list to decide whether it applies to all programs and services, only services, or a specific service or service short name.

Protocol and Ports - The most common protocols are TCP and UDP, but you can also specify others such as ICMP (Ping, for example) or GRE (for some VPNs), or use Custom and type in any protocol that exists. If you choose TCP or UDP you also need to specify the port number, local and remote. An example rule could be to block Local Port/All Ports to Remote Port/Port 25 to stop malware from trying to send spam directly. You can also specify all protocols/ports and restrict on Programs instead.

Scope - There are two sections to fill in:

Which local IP addresses does this rule apply to - The default is Any IP address, but you can change it and specify an IP address range by clicking These IP addresses.
Which remote IP addresses does this rule apply to - The default is Any IP address, but you can change it and specify an IP address range by clicking These IP addresses.

Action - If all of the above conditions are met, you decide which action is taken, one of these 3:

1. Block the connection - default option
2. Allow the connection
3. Allow the connection if it is secure - If the connection uses IPSec (explained in the section below) it is allowed.

Profile - Here you choose whether this rule applies to the Domain and/or Private and/or Public Network Profile.

Name - Enter the Name of the rule and an optional Description.

configure connection security rules (IPSec)

Connection Security Rules are created within Windows Firewall with Advanced Security; just right-click and choose New Rule and you can create a new connection security rule.

With a Connection Security Rule you can specify which networks/clients need IPSec security, based on Endpoints, Requirements, Authentication Methods, Protocol and Ports, and Network Profile.

Endpoints - Create a secure (IPSec) connection between computers in Endpoint 1 and Endpoint 2. There are two settings to configure:

1. Which computers are in Endpoint 1? Any IP address (default) or These IP addresses
2. Which computers are in Endpoint 2? Any IP address (default) or These IP addresses

Requirements - When do you want authentication to occur? There are 4 different choices:

1. Request authentication for inbound and outbound connections - Notice that when it says request, it will just check whether authentication is possible; if not, the connection still continues, as opposed to Require, which is enforced.
2. Require authentication for inbound connections and request authentication for outbound connections - Inbound connections must (= require) authenticate, and outbound connections authenticate if possible (= request).
3. Require authentication for inbound and outbound connections - Inbound and outbound connections must authenticate or else they fail.
4. Do not authenticate - All connections will work without authentication.

Authentication Methods - Choose between 4 different options:

Default - The authentication specified in the IPsec settings.
Computer and user (Kerberos V5) - Restrict connections to only domain-joined users and computers.
Computer (Kerberos V5) - Restrict connections to only domain-joined computers.
Advanced - Here you can specify NTLMv2, certificate, shared secret and other authentication methods.

Protocol and Ports - The most common protocols are TCP and UDP, but you can also specify others such as ICMP (Ping, for example) or GRE (for some VPNs), or use Custom and type in any protocol that exists. If you choose TCP or UDP you also need to specify the port number, local and remote.

Network Profile - Here you choose whether this rule applies to the Domain and/or Private and/or Public Network Profile.

Name - Enter the Name of the rule and an optional Description.

configure authenticated exceptions

If some machines cannot authenticate but still need to communicate, you can add them to an Authentication Exceptions list. This is still configured within Windows Firewall with Advanced Security: create a new Connection Security Rule and choose Exempt Computers as Rule Type.

Exempt computers - You can select which machine(s) should not be secured with IPsec; you can add an IP address, subnet, IP range or a predefined set of computers such as DNS servers, default gateway, DHCP servers and more.

Network Profile - Here you choose whether this rule applies to the Domain and/or Private and/or Public Network Profile.

Name - Enter the Name of the rule and an optional Description.

To read more: http://technet.microsoft.com/en-us/library/cc947812%28v=ws.10%29.aspx

configure network discovery

Network Discovery is a feature that has existed since Windows Vista. It is enabled by default in Windows 8, and you can disable/enable it per Network Location (Domain/Private/Public). When this feature is on, the machine is visible on the network.

To modify it, go to Network and Sharing Center -> Change advanced sharing settings. There you can set per Network Profile whether network discovery is turned on or off, with an extra option, Turn on automatic setup of network connected devices, if it is set to on.
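The outbound port 25 block, a program-scoped inbound rule, the require-inbound/request-outbound connection security rule and an authentication exemption described in the Windows Firewall sections above, written with the NetSecurity cmdlets that ship with Windows 8. This is an added example, not part of the original post; the rule names, TCP port 8080 and the 10.46.0.0/24 subnet are constructed for illustration, while the program path and 10.46.0.10 are the sample values used earlier on this page.

```powershell
# Added example (not from the original post). Run in an elevated session.

# Outbound rule: block remote TCP port 25 for all programs and all profiles,
# so malware on the client cannot send spam directly.
New-NetFirewallRule -DisplayName 'JBKB - Block outbound SMTP' `
    -Direction Outbound -Action Block -Protocol TCP -RemotePort 25 `
    -Profile Any -Description 'Clients must not talk SMTP directly'

# Inbound rule that uses the Program, Protocol and Ports, Scope and Profile
# pages of the wizard: one program, one port, one remote subnet, Domain only.
New-NetFirewallRule -DisplayName 'JBKB - Allow test app inbound' `
    -Direction Inbound -Action Allow `
    -Program 'C:\Program Files\jbkb\jbkb-test.exe' `
    -Protocol TCP -LocalPort 8080 -RemoteAddress 10.46.0.0/24 -Profile Domain

# Connection security rule: Computer (Kerberos V5) authentication,
# required for inbound and requested for outbound connections.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'JBKB - Computer Kerberos V5' `
                                      -Proposal $proposal
New-NetIPsecRule -DisplayName 'JBKB - Require in, request out' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Domain

# Authentication exemption: no IPsec towards a host that cannot authenticate
# (here the DNS server address used earlier on this page).
New-NetIPsecRule -DisplayName 'JBKB - Exempt DNS server' `
    -InboundSecurity None -OutboundSecurity None `
    -RemoteAddress 10.46.0.10 -Profile Domain

# Review what was created.
Get-NetFirewallRule -DisplayName 'JBKB*' |
    Format-Table DisplayName, Direction, Action, Profile
Get-NetIPsecRule -DisplayName 'JBKB*' |
    Format-Table DisplayName, InboundSecurity, OutboundSecurity
```

Test a Require rule on a single lab machine first, since a client that cannot authenticate loses inbound connectivity as soon as the rule applies.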

manage wireless security

There are some changes to wireless in general in Windows 8. Support has been added for these Wi-Fi authentication types:

WISPr (Wireless Internet Services Provider roaming)
EAP-SIM/AKA/AKA Prime (SIM-based authentication), easier and quicker when connecting to Wi-Fi hotspots
EAP-TTLS

WISPr is enabled by default in Windows 8, but you can disable it in Group Policies by disabling Enable Hotspot Authentication.

Configure remote management

This is a client OS exam. For me, remote management would be to install the RSAT tools (http://www.microsoft.com/en-us/download/details.aspx?id=28972), but again that is for remotely managing server services and I don't think that is what this exam is after. I hesitate whether Remote Management would be WinRM, which you enable by running WinRM QuickConfig, but I am now thinking it could be Remote Assistance/Remote Desktop it is after?

choose the appropriate remote management tools

If you want to help a user remotely and see the same thing the user is seeing, Remote Assistance is the tool (msra.exe).

If you just need to work on the machine (the logged-in user gets disconnected, not logged out as in Windows XP) you can use Remote Desktop (mstsc.exe).

configure remote management settings

There are several settings (which do not depend on each other):

Run WinRM Quickconfig to enable remote management.
Make sure the Remote Registry service is running.
If Remote Assistance is needed, enable Allow Remote Assistance connection to this computer in Group Policy.
If Remote Desktop sessions are needed, enable them in Group Policy and specify which users have the right to connect (local administrators are added by default); also decide whether connections require NLA (supported from Vista clients and later).

modify settings remotely by using MMCs or Windows PowerShell

To modify settings using MMC you can start Computer Management and then go to Actions -> Connect to another computer.

For some of these settings the Remote Registry service must be enabled, and you of course need permissions on the remote client.

To modify remote settings with PowerShell you can either specify the remote machine directly, if the PowerShell command itself accepts a remote machine as input, or run an interactive PowerShell session with this command (JBKB-Client01 is the remote machine in this example):

Enter-PSSession JBKB-Client01

Certification: Exam 70-687: Configuring Windows 8 - Part 4: Configure Access to Resources (14%)

Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post it here. Part four is Configure Access to Resources, which is 14% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 4 we will look into these 4 objectives:

Configure shared resources
Configure file and folder access
Configure local security settings
Configure authentication and authorization

Configure shared resources

configure shared folder permissions

The default share permission is Everyone: Read, but I recommend the old-school approach of setting Everyone: Full Control on the share level and setting permissions on the NTFS level; it is easier to manage that way.

You can configure shared folder permissions in explorer.exe in two ways:

Share - When using this you cannot decide the share name; it will have the same name as the folder itself. You are set as owner, and you can add users and give them Read or Read/Write permission.
Advanced sharing - Here you can decide the share name, set more granular permissions and decide cache options.

configure HomeGroup settings

HomeGroup came in Windows 7 and is a third option alongside Domain/WorkGroup. HomeGroup is, as the name implies, most useful at home, and the security boundary is made up of a password (shared secret).

Requirements for HomeGroup to work:

IPv6 must be enabled (it is enabled by default).
The following services must be running on all machines in the HomeGroup:
  DNS Client
  Function Discovery Provider Host
  Function Discovery Resource Publication
  Peer Networking Grouping
  HomeGroup Provider
  HomeGroup Listener
  SSDP Discovery
  UPnP Device Host

A Windows 8 machine that is already a member of a domain cannot host a HomeGroup but can join one (and still be a member of the domain); it cannot share its own libraries but can access others'.

To join a HomeGroup hosted, for example, on a Windows 7 machine named EMMA-LAPTOP, do the following:

1. In Control Panel click HomeGroup. If a HomeGroup exists (and the machine hosting it is started) you will see it (even if IPv6 is not enabled). To join this HomeGroup, click the Join Now button.

2. A wizard starts, explaining what you will be able to do (if you are joined to a domain you cannot share your own files, just access others'). Click Next to continue.

3. You need to know the shared secret. The machines joined to the HomeGroup can get it by clicking View or print the homegroup password in Control Panel -> HomeGroup (you only see this option if you are already joined to the homegroup). When you know the shared secret, or homegroup password as it is called, type it in and press Next to continue.

4. If you entered the correct homegroup password you get confirmation that you have joined the homegroup (if it was wrong, go back and retype it correctly). If IPv6 is not enabled you will get a warning and need to enable it before you can continue.

When your machine is a member of a HomeGroup the Control Panel item is displayed differently, and you can now do the following:

View or print the homegroup password - If another machine needs to join this homegroup you can click here, see the password in clear text and share it.
Change the password - If you decide to change the HomeGroup password, you must change it on all other members of the HomeGroup.
Leave the homegroup - You have to confirm it and get a chance to cancel the action.
Change advanced sharing settings - There is a section there about HomeGroup. By default it is managed by Windows and the password, but you can also make it more WorkGroup-like and use Windows user accounts; that requires that all members of the HomeGroup have the same username and password.
Start the HomeGroup troubleshooter - Wizard-based tool that suggests some actions and tools to fix any issues (it also checks IPv6 and the services mentioned above).

So in the example with the Windows 7 machine's HomeGroup that we joined, we can now see in explorer.exe the libraries chosen to be visible in this HomeGroup (by default Documents isn't shared, but it is just a check box away from being shared).

configure file libraries

File libraries were new in Windows 7. The basic idea behind them was that a lot of people like to create a folder such as c:\my-important-data, which would then be located outside the c:\users folder for indexing and the like. File libraries overcome this, since such folders can be linked into a library and be indexed from the root c:\users while the content still lives outside of it.

All libraries are saved here by default: %appdata%\Microsoft\Windows\Libraries

If you, for example, would like to give everyone in your sales department a specific library called JBKB-Sales and a folder C:\JBKB-Sales, you would do the following:

1. Create a new library.

2. Copy it from %appdata%\Microsoft\Windows\Libraries to c:\JBKB-Sales

3. Enable the Group Policy Location where all default Library definition files for users/machines reside and set Default libraries definition location to: C:\JBKB-Sales

4. Now everyone who logs into this machine and applies the GPO will get the library created in step 1.

Windows 8 gives you 5 default libraries:

Documents
Pictures
Music
Videos
Podcasts

You can right-click on each of them, open Properties and add more folders, for example more music folders than the default ones (you cannot change the icon of the default libraries, but if you create your own library you can choose its icon). You can set one Set save location and one Set public save location, and you can set both to the same folder (by default the public one is on Public).

configure shared printers

On a printer's properties, go to the Sharing tab and you can share the printer with other machines. This of course requires that the machine is online for the others to be able to use it.

You also have a check box to decide whether print jobs should render on client computers. By default, if you install a printer on Windows 8 it will only install Windows 8 drivers; if the sharing clients are running another OS such as Windows XP you can add those drivers by clicking Additional drivers.

set up and configure SkyDrive

Setting up SkyDrive is pretty straightforward. Start it:

Once it has finished preparing, it will ask you to log in; if you have no existing account, create a new one.

Now a new folder is created in the profile, %userprofile%\SkyDrive, with subfolders that sync to the SkyDrive cloud.

To configure SkyDrive, go to the SkyDrive system tray icon and choose Settings.

Here you can configure settings such as auto start of SkyDrive, making this machine available to other devices with the same SkyDrive account, and letting Office sync the files to SkyDrive so others can work on the file at the same time.

If you want to remove the SkyDrive connection you can click the Unlink SkyDrive button.

SkyDrive gives 7GB for free.

configure Near Field Communication (NFC)

Very interesting feature; unfortunately I found nothing to configure in Windows 8 concerning this, which could be because my test devices don't support it. What is known is that Windows 8 has built-in APIs that support NFC, which is an RFID technique for communicating with other devices supporting NFC. The difference between NFC and, for example, Bluetooth is that Bluetooth devices need electricity/battery/power, whereas NFC could be a piece of paper (with something RFID-like in it).

Notice: nothing useful in this section, will update when finding anything; for now just know that Windows 8 has NFC APIs and supports it.

Configure file and folder access

encrypt files and folders by using EFS

Know that EFS is only included in the Windows 8 Pro and Windows 8 Enterprise editions.

Know that BitLocker encrypts a whole disk and EFS can be used to encrypt separate files or folders. EFS has existed since Windows 2000.

To encrypt a folder and/or files:
1. Right-click and choose Properties.
2. Click the Advanced button.
3. Check the box "Encrypt contents to secure data" and then press the OK button.
4. Press the Apply button.
5. Decide if you want to encrypt only this folder or all subfolders and files within this folder, and then press the OK button.

EFS is only supported on the NTFS file system; when an encrypted file is copied, it is decrypted during transfer and encrypted again on the destination (if NTFS).

All users on the Windows 8 machine will see the folder, but everyone except the user who encrypted it won't be able to open the files and read the content. You can back up the certificate that encrypts your files by running the Manage File Encryption Certificates wizard, so that if your user is lost or the like you can still decrypt the files.

configure NTFS permissions

Notice: No changes in Windows 8; if you know NTFS, don't lose time reading the below.

The difference from Share permissions is that NTFS permissions always apply (Share permissions apply only when you access the folder/file from the network, not locally). By default, NTFS permissions set on a parent folder are inherited by child folders and files; you can block inheritance on a child folder and then choose whether you want to copy the parent's permissions or start from a clean ACL.

Nothing has changed from before: a deny permission always wins over allow, and it is often a basic design error if you think you need to set deny access.

Permissions (most common):
- Full Control: includes everything, even taking ownership of files.
- Modify: includes the permissions Write, Read, and Read & execute.
- Write: take care, if you can only write but not read/list, you cannot see what you save.
- Read: if you have only read and no write permission, you can open files but not modify them.

If a user John belongs to the group Marketing, and on a file the NTFS ACL/ACE specifies that John has Read and the Marketing group has Modify, the user John has the effective permission Modify; permissions are cumulative.

If a user Emma belongs to the group Sales, and on a file the NTFS ACL/ACE specifies that Emma has Read and Write and the Sales group has deny Write, the user Emma has the effective permission Read (the Deny wins).

configure disk quotas

Disk quotas are set at disk level (not folder/file level): open the disk's Properties and go to the Quota tab.

By default quota management is disabled. You enable it by checking "Enable quota management" and then specify options, such as whether reaching the quota should only produce a warning/log entry or have an actual consequence, by checking "Deny disk space to users exceeding quota limit".

Set one limit and one warning level; of course the warning must be lower than the limit. It is funny to see that a client OS offers EB (exabyte); Windows 8 seems to be an OS built for the future.

Disk quota is limited in that it can only be set per disk, with one level for all users; running Windows Server 2012 you can set different limits per user.

configure object access auditing

First make sure "Audit object access" is enabled for success, failure or both by going to: Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

Once that is enabled, nothing will be logged until you specify which objects (files/folders) should be audited; if you audit everything, it will be too much to read and not useful.

Right-click the folder you want to audit and choose Properties -> select the Security tab -> click the Advanced button -> click the Auditing tab -> press the Add button.

Fill in who should be audited, and for which actions (All/Success/Fail).
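The same two-step setup (policy first, then an audit entry on one folder) can be scripted and checked from an elevated PowerShell prompt. This is an added example, not part of the original post; the folder C:\JBKB-Sales (reused from the library example), the audited principal Everyone and the English subcategory name "File System" are assumptions to adjust.

```powershell
# Added example: object access auditing for a single folder (run elevated).
# Assumptions: folder path, audited principal and English auditpol names.
$folder = 'C:\JBKB-Sales'

# Step 1: enable the policy. "File System" is the file/folder subcategory of
# "Audit object access"; enabling only it keeps the Security log readable.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Step 2: add an audit entry (SACL) for the actions worth reviewing,
# inherited by subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propag  = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
               'Everyone', $rights, $inherit, $propag, $flags

$acl = Get-Acl -Path $folder -Audit      # -Audit is required to load the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Check: list the audit entries now present on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Step 3: read the results from the Security log.
# Event ID 4663 = "An attempt was made to access an object".
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        if ($data['ObjectName'] -like "$folder*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $data['SubjectUserName']
                Object     = $data['ObjectName']
                Process    = $data['ProcessName']
                AccessMask = $data['AccessMask']
            }
        }
    } | Format-Table -AutoSize
```

No 4663 events appear until someone actually performs one of the audited actions inside the folder after both steps are in place.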

Audit entries are written to the Event Viewer Security log.

Configure local security settings

configure local security policy

You configure local security policies at Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies

A few new and updated local policies exist in Windows 8.

Accounts: Block Microsoft accounts

The default is undefined, but it can be set to one of the following:
- This policy is disabled
- Users can't add Microsoft accounts
- Users can't add or log on with Microsoft accounts

Interactive logon: Do not require CTRL + ALT + DEL

Not a totally new policy, but only for Windows 8 is it recommended to set it to enabled; for Windows 7 and earlier it is recommended to disable it.

configure User Account Control (UAC) behavior

Configuring UAC behavior is also done with local security policies.

Here are the 10 different settings, the important ones for the exam in bold:

1. User Account Control: Admin Approval Mode for the built-in Administrator account. This is disabled by default, which means that the default Administrator account bypasses UAC; if enabled, it is treated like all other administrator accounts.
2. User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This is disabled by default; if enabled, applications such as Remote Assistance can run without being blocked by the Secure Desktop.
3. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. This is set to "Prompt for consent for non-Windows binaries" by default.
4. User Account Control: Behavior of the elevation prompt for standard users. This is set to "Prompt for credentials on the secure desktop" by default (more about this setting further below in this KB).
5. User Account Control: Detect application installations and prompt for elevation. This is enabled by default on the Windows 8 edition and disabled by default on the Pro and Enterprise editions, because in an enterprise you might deploy applications with SMS/SCCM/GPO and want them to install silently.
6. User Account Control: Only elevate executables that are signed and validated. This is disabled by default; even if this is good for security, it is not practical since not all executables are signed.
7. User Account Control: Only elevate UIAccess applications that are installed in secure locations. This is enabled by default; it only elevates UIAccess applications installed in %SystemDrive%\Program Files (including subfolders), %SystemDrive%\Program Files (x86) (including subfolders, for 64-bit editions) and %SystemDrive%\windows\system32.
8. User Account Control: Run all administrators in Admin Approval Mode. This is enabled by default, and if it is disabled the whole of UAC is disabled! Know this for the exam, as they will try to trick you on this one.
9. User Account Control: Switch to the secure desktop when prompting for elevation. This is enabled by default; all elevation requests go to the Secure Desktop, which dims the screen until you answer.
10. User Account Control: Virtualize file and registry write failures to per-user locations. This is enabled by default; if a non-elevated program tries to write to the HKLM registry hive or, for example, c:\program files, c:\windows\system32 etc. and fails, this setting makes it write to the user profile instead so the program works. A good example is http://triplea.sourceforge.net/, a game that wants saved games to be stored in a subfolder of the game installation, which by default is in c:\program files; instead they get saved under %UserProfile%\AppData\Local\VirtualStore.

configure Secure Boot

Secure Boot is new in Windows 8 and requires that you use UEFI rather than a traditional BIOS. Know that UEFI Secure Boot cannot be disabled in the Windows 8 RT edition.

Know for the exam that if a Windows 8 OS has been installed with a traditional BIOS there is no way to convert over to UEFI and Secure Boot; you must reinstall Windows 8.

A UEFI OS install is done differently from a normal OS install. In BIOS Setup, set Boot -> CSM to disabled, then reboot and press F7 for the BIOS Boot Selector Menu; in this menu choose Built in EFI Shell. At the shell, navigate to EFI\Boot and press Enter, then type BOOTX64.EFI and press Enter; the boot will then look normal and show "Press any key to boot from the CD".

To enable Secure Boot: reboot and press F2 to enter BIOS setup, navigate to Security -> Secure Boot, set the Secure Boot Mode to Custom, select Custom Key Management, select Install Factory Defaults to load the keys, set the Secure Boot Mode back to Standard, then exit and reboot to the OS.

configure SmartScreen filter

SmartScreen filter is enabled by default, but you can configure it either manually or by GPO, and per Internet Explorer security zone; you can, for example, disable SmartScreen filtering in the Trusted and Intranet zones and keep it enabled in the Internet zone.

You can manually configure one of the following (or use the policy "Configure Windows SmartScreen"):
- Get administrator approval before running an unrecognized app from the Internet (recommended); this is the default
- Warn before running an unrecognized app, but don't require administrator approval
- Don't do anything (turn off Windows SmartScreen)

Configure authentication and authorization

configure rights

User rights are configured at Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Here you can configure who has the right to change the system time (all users in Windows 8 have the right to change the time zone but not the system time), Take ownership of files and folders, Allow log on locally and a lot of other rights.

manage credentials

Credential Manager has existed in different forms since Windows XP, but in Windows 8 it has been updated a little.

You find it at Control Panel -> Credential Manager

It is divided into 2 parts:
- Web Credentials: for websites that use credentials but are not system prompted
- Windows Credentials: has 3 subsections
  - Windows Credentials
  - Certificate-Based Credentials
  - Generic Credentials

What's new is that you can back up (and restore) Windows Credentials; if you back up, you have to browse to a save location and the file will be saved with the .crd extension.

Exam Tip: Be careful if a question asks about backup/restore of credentials; know that it only works for Windows Credentials and not Web Credentials.

manage certificates

Certificates are managed with certmgr.msc

If you add Certificates from MMC you get to choose which store to use:
- My User Account: same as above, manage user certificates
- Service account: gives a UAC prompt, to manage service certificates
- Computer account: gives a UAC prompt, to manage computer certificates

configure smart cards

Windows 8 continues to support smart cards. Most laptops have smart card readers built in, but desktop computers need an external smart card reader. New in Windows 8 is that you can have a virtual smart card, which doesn't require a physical device but does require that your machine has a TPM-supported BIOS.

An example of a command to enable virtual smart cards is:

TpmVscMgr create /name MyVSC /pin default /adminkey random /generate

There are 2 Windows services related to smart cards:
- Smart Card: set to start-up type Automatic (trigger start) and needed for smart cards to work; if disabled, no use of smart cards is possible.
- Smart Card Removal Policy: set to start-up type Manual and used so that if someone removes the smart card the user session is locked; practical for security if users use the same smart card to leave the building for lunch.

configure biometrics

Biometrics in Windows 8 is built on the Windows Biometric Framework and relies on the Windows Biometric Service, which is set to start-up type Manual by default.

This can be used so that, instead of touch scrolling (where your finger hides what you click on) or using a mouse, you can control the machine with your eyes, for example (this requires 3rd-party software that uses the Biometric Framework).

By default you are allowed to log on with biometrics, for example with your thumb, but if you don't want this possibility you can disable it with the GPO named "Allow the use of biometrics".

configure picture password

New in Windows 8 is that you can log on with gestures; it of course works best with a touch screen, but you can also do it with the mouse. If a domain user uses this, the domain password will be cached in the system vault.

Type "Create or change picture password" and start it; you come to PC settings -> Users, and there click the button Create a picture password.

Here you need to browse for an image on which you will do the gesture (twice); you can then use that to log on to the machine instead of a password (you can still use the password if you fail with the gesture).

There is also a policy named "Turn off picture password sign-in" that can be enabled if this isn't needed.

configure PIN

Sign-in with a PIN code (4-digit code) is not possible for a domain user; it is not even visible in PC Settings -> Users (if the machine is not domain joined you see it). To enable it even for domain-joined computers/users you can enable the policy "Turn on PIN sign-in" and it becomes visible.

When you create a PIN code for a domain user you must first enter your password, then enter a 4-digit PIN code twice.

This is obviously a good sign-in method for touch screens, and after entering the last digit you don't have to press Enter or anything; it signs in automatically.

set up and configure Windows Live ID (Microsoft account)

Notice: Windows Live ID has been replaced with Microsoft Account; if you see a question on the exam mentioning Windows Live ID, read it as Microsoft Account.

To set up a Microsoft account you can go to PC Settings -> Users and click + Add a user

Now a wizard starts. You can use an e-mail address you already have if it can sign in to Microsoft services (a common mistake is to think it can only be a Hotmail/MSN/Live account; even Gmail and all others can be used if enabled for Microsoft services). If no e-mail address exists, you can create one in this wizard by going to "Sign up for a new email address", or create one on this or another machine.

It is with this account that you buy apps from the Windows Store and sync your settings to the cloud, so they follow you regardless of which machine you log on to.

When you have an e-mail address, type it in and press Next.

It will connect to the Internet, configure the account and then finish. You get one configuration option: if it is a child's account or another account you want to use Family Safety on, check this box. Then click Finish.

To modify a Microsoft account you can go to Manage User Accounts, select the Microsoft account and press the Properties button.

On the General tab you fill in user name, full name and description. On the Group Membership tab you can modify the permission: Standard user, Administrator or Other (can be backup operator, log viewer etc.; rarely used for a Microsoft account).

Certification: Exam 70-687: Configuring Windows 8 Part 5: Configure Remote Access and Mobility (14%)

Posted by John Bryntze
Published in Certification, Microsoft, Windows 8

Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post here; part five is Configure Remote Access and Mobility, which is 14% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 5 we will look into these 3 objectives:
- Configure remote connections
- Configure mobility options
- Configure security for mobile devices

If you write the exam before 31st May 2013 be sure to register for a second shot (which means if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx)

Configure remote connections

configure remote authentication

For other computers to connect to the Remote Desktop service in Windows 8, you can configure it to require Network Level Authentication, which is more secure: it completes user authentication before a remote desktop connection is established and the logon screen appears (this helps against DoS attacks).

The only downside is that not all non-Windows clients (or older Windows versions such as Windows XP SP2) support NLA, and those then cannot connect.

To enable Network Level Authentication you just have to check the box "Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)" or enable the GPO Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> Require user authentication for remote connections by using Network Level Authentication

configure Remote Desktop settings

There are settings for those who connect to the Windows 8 machine, and settings for when you use Windows 8 to connect to Remote Desktop services.

If Remote Desktop is set to "Allow remote connections to this computer", local administrators will always be able to remote into this machine with RDP (if it is accessible over the network/Internet and the firewall port is open), but you can also specify regular users in the Remote Desktop Users group (it is also a right).

Remote Desktop Connection (MSTSC) can be configured per connection or saved to an RDP file (a clear-text file you can modify afterwards in Notepad if you want):
- General: enter the remote host, specify username and password (or wait until after you are connected); you can also save the settings to an RDP file or open an existing one.
- Display: screen size/resolution, set to full screen by default; you can also set the color depth.
- Local Resources: how much of your local resources you want to bring to the session; you can add printers, clipboard, smart cards and drives, and configure audio and keyboard settings.
- Programs: any path to a script or program, which will be executed once logged on.
- Experience: if your connection is fast you can choose a better experience (fast rendering, wallpaper background, font smoothing and so on), and on a slower connection a worse experience to gain performance.
- Advanced: Remote Desktop Gateway settings and how to behave if server authentication fails (set to warn by default).
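To verify the Network Level Authentication setting and the Remote Desktop Users membership described in the two sections above, the check below reads the values those dialogs and the GPO write. It is an added example, not part of the original post; the registry value names are the standard Terminal Services ones, and the group is resolved from its well-known SID so the script also works on non-English systems.

```powershell
# Added example: report whether Remote Desktop is enabled, whether NLA is
# required, and who besides local administrators may connect.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $prop = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $prop) { $prop.$Name }
}

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = Join-Path $ts 'WinStations\RDP-Tcp'
$gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

$denyConnections = Get-RegValue $ts  'fDenyTSConnections'   # 0 = remote connections allowed
$nlaLocal        = Get-RegValue $rdp 'UserAuthentication'   # 1 = NLA check box ticked
$nlaPolicy       = Get-RegValue $gpo 'UserAuthentication'   # present only if the GPO is configured

# A configured GPO overrides the local check box.
if ($null -ne $nlaPolicy) { $nlaEffective = $nlaPolicy; $nlaSource = 'Group Policy' }
else                      { $nlaEffective = $nlaLocal;  $nlaSource = 'local setting' }

# Resolve the (localized) "Remote Desktop Users" group from SID S-1-5-32-555.
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-555'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
$members   = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

[pscustomobject]@{
    RemoteDesktopEnabled = ($denyConnections -eq 0)
    NlaRequired          = ($nlaEffective -eq 1)
    NlaSetBy             = $nlaSource
    RemoteDesktopUsers   = @($members) -join ', '
} | Format-List

if ($denyConnections -eq 0 -and $nlaEffective -ne 1) {
    Write-Warning 'Remote Desktop is enabled without Network Level Authentication.'
}
```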

establish VPN connections and authentication

Notice: So much still works as in Windows 7 that most of the text below is taken directly from http://www.mcmcse.com/microsoft/guides/70-680/remote_connections.shtml, which I recommend everyone to read.

Windows 8 supports 4 types of VPN:

- Point-to-Point Tunneling Protocol (PPTP): Based on PPP, the Point-to-Point Tunneling Protocol (PPTP) provides for the secure transfer of data from a remote client to a private server by creating a multi-protocol Virtual Private Network (VPN) which encapsulates PPP packets into IP datagrams. PPTP is considered to have weak encryption and authentication; therefore, IPsec is typically preferred.
- Layer 2 Tunneling Protocol (L2TP) / IP security (IPsec): L2TP is the next-generation tunneling protocol partially based on PPTP. To provide encryption, L2TP acts as a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet). It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec. IPsec ensures confidentiality, integrity, and authenticity of data communications across a public network. IPsec is made of two different protocols: AH and ESP. AH (Authentication Header) is responsible for authenticity and integrity, while ESP (Encapsulating Security Payload) encrypts the payload.
- Secure Socket Tunneling Protocol (SSTP): Introduced in Windows Vista. A tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.
- Internet Key Exchange (IKEv2): Introduced in Windows 7. IKEv2 is a tunneling protocol that uses the IPsec Tunnel Mode protocol over UDP port 500. An IKEv2 VPN is useful when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection. The use of IKEv2 and IPsec provides strong authentication and encryption methods.

Authentication

Protocol and description:

PAP: This protocol uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation. PAP is the least secure authentication protocol. It does not protect against replay attacks, remote client impersonation, or remote server impersonation. PAP is not enabled by default for Windows 8 and is not supported by remote access servers running Windows Server 2008.

CHAP: CHAP uses a 3-way handshake in which the authentication agent sends the client program a key to be used to encrypt the user name and password. CHAP uses the Message Digest 5 (MD5) hashing scheme to encrypt the response. CHAP is an improvement over PAP, in that the password is not sent over the PPP link. CHAP requires a plaintext version of the password to validate the challenge response. CHAP does not protect against remote server impersonation. Although remote access servers running Windows Server 2008 do not support this protocol, it is enabled by default for Windows 8 VPN connections for legacy VPN connections.

MS-CHAP v2: Supports two-way mutual authentication. The remote access client receives verification that the remote access server that it is dialing in to has access to the user's password. MS-CHAP v2 provides stronger security than CHAP.

EAP-MS-CHAPv2: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types. EAP offers the strongest security by providing the most flexibility in authentication variations. This protocol requires the installation of a computer certificate on the VPN server.

Just like the VPN protocols, by default, Windows first tries to use the most secure authentication protocol that is enabled, and then falls back to less secure protocols if the more secure ones are unavailable.
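Because Windows falls back to weaker protocols when stronger ones are unavailable, it is worth checking which weak options each VPN connection still has enabled. The check below is an added example, not part of the original post; it uses the VpnClient module cmdlet Get-VpnConnection, and the two sample connections are constructed so the function can be tried on a machine with no VPN defined.

```powershell
# Added example: flag VPN connections that can negotiate the weak tunnel or
# authentication protocols described above.

function Test-VpnConnectionStrength {
    param([Parameter(Mandatory = $true)] $Connection)

    $findings = @()
    $weakAuth = 'Pap', 'Chap'

    # PAP uses plaintext passwords; CHAP needs a plaintext copy of the password.
    $weak = @($Connection.AuthenticationMethod | Where-Object { $weakAuth -contains "$_" })
    if ($weak.Count -gt 0) {
        $findings += "weak authentication enabled: $($weak -join ', ')"
    }

    switch ("$($Connection.TunnelType)") {
        'Pptp'      { $findings += 'PPTP tunnel (weak encryption and authentication)' }
        'Automatic' { $findings += 'tunnel type Automatic (may fall back to a weaker protocol)' }
    }

    if ('NoEncryption', 'Optional' -contains "$($Connection.EncryptionLevel)") {
        $findings += "encryption level $($Connection.EncryptionLevel)"
    }

    $result = 'OK'
    if ($findings.Count -gt 0) { $result = $findings -join '; ' }

    [pscustomobject]@{
        Name     = $Connection.Name
        Tunnel   = "$($Connection.TunnelType)"
        Auth     = @($Connection.AuthenticationMethod) -join ', '
        Findings = $result
    }
}

# Constructed sample connections (same property names as Get-VpnConnection output).
$sample = @(
    [pscustomobject]@{ Name = 'Legacy PPTP (constructed)'; TunnelType = 'Pptp'
                       AuthenticationMethod = @('Chap', 'MsChapv2'); EncryptionLevel = 'Optional' },
    [pscustomobject]@{ Name = 'IKEv2 EAP (constructed)'; TunnelType = 'Ikev2'
                       AuthenticationMethod = @('Eap'); EncryptionLevel = 'Required' }
)

# Real connections: per-user and all-user phone books, if the cmdlet is available.
$real = @()
if (Get-Command Get-VpnConnection -ErrorAction SilentlyContinue) {
    $real += @(Get-VpnConnection -ErrorAction SilentlyContinue)
    $real += @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
}

$sample + $real | ForEach-Object { Test-VpnConnectionStrength $_ } | Format-Table -AutoSize -Wrap

# Remediation for a flagged connection (replace <name> with the connection name):
# Set-VpnConnection -Name '<name>' -AuthenticationMethod MSChapv2 -EncryptionLevel Required
```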

enable VPN reconnect

VPN Reconnect was a feature that came in Windows 7. VPN Reconnect uses IKEv2 and, as the name implies, automatically re-establishes a VPN connection when the Internet connection is temporarily lost. This could be useful for wireless mobile broadband, for example when traveling on a train that passes through areas with no coverage, where the connection will cut out.

The only configuration on the client side is to set Network outage time (default 30 minutes, maximum 8 hours), which decides how long the connection can be down before it stops trying to reconnect.

manage broadband connections

A wizard creates a broadband connection; it basically just asks for a connection name and saves the username and password from the ISP. You can also make the connection usable by all users of the machine.

If you modify an existing broadband connection you get more options, such as modifying authentication protocols, IPv4/IPv6 settings, Internet Connection Sharing, hang-up settings, PPP settings and Service Name.

Configure mobility options

configure offline file policies

Offline Files is not enabled by default, but is easily enabled by pressing the Enable offline files button.

There are 2 new Offline Files policies in Windows 8:

1. Remove "Work offline" command: removes the option in Explorer.exe to make files (folders) available offline.

2. Enable file synchronization on costed networks: disabled by default, so offline files are not synchronized in the background on connections that are roaming and close to their data limit.

configure power policies

By default there are 3 power plans:
1. Balanced (recommended): the default
2. Power Saver: uses the least battery power
3. High Performance: uses the most battery power

You can create your own with Group Policy Preferences, but if you only have access to the local machine, as this exam expects, you can create your own power plan based on one of the 3 existing ones and then switch by clicking the battery system tray icon.

Something new in Windows 8 power settings is the GUI for adding Hibernate to the Power button. By default hibernation is supported (if drivers support it) but not visible; the menu looks as below, with Sleep, Shut down and Restart.

To add hibernation to the Power menu go to Control Panel -> Power Options -> System Settings and click Change settings that are currently unavailable

Now everything that was greyed out before is changeable, such as checking the box Hibernation (Show in Power Menu). You can also control whether you want the Lock function in the picture menu.

If you checked Hibernate above your power button menu will look like below:

configure Windows to Go

Windows To Go is one of the coolest new features and therefore sadly only available in the Windows 8 Enterprise edition; it can be seen as a full version of Windows 8 running (even booting) from a mass storage device such as a USB flash drive or an external hard drive.

Exam tip: Know that Windows To Go only can be create