
Certification: Exam 70-687: Configuring Windows 8 Part 1: Install and Upgrade to Windows 8 (14%)

Posted by John Bryntze. Published in Certification, Microsoft, Windows 8.

Exam 70-687: Configuring Windows 8 is scheduled for 17th September, and instead of waiting for study material I will create my own and post it here. First out is Install and Upgrade to Windows 8, which is 14% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 1 we will look into these 3 objectives:

- Evaluate hardware readiness and compatibility
- Install Windows 8
- Migrate and configure user data

If you take the exam before 31st May 2013, be sure to register for a Second Shot, which means that if you fail you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx

Evaluate hardware readiness and compatibility


System hardware requirements

- Processor: 1 gigahertz (GHz) or faster
- RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
- Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)
- Graphics card: Microsoft DirectX 9 graphics device with WDDM driver

determine whether 32 bit or 64 bit is appropriate


The only real reasons to run the 32-bit version of Windows 8 are older hardware with a CPU that only supports the 32-bit architecture, or a critical piece of software or a driver that only exists in 32-bit, such as a VPN client or an older scanner driver (though in that case upgrading the software would be the better idea). A 32-bit OS cannot run any 64-bit software. There are many more reasons to run the 64-bit version: the Windows 8 Hyper-V feature (version 3) only exists in the 64-bit version, and 64-bit Windows can address more than 4 GB of memory and make it usable to the system if it is present. Most 32-bit software can be installed on a 64-bit OS, all except software that goes deep into the system, such as VPN clients. If you are running hardware that is not too old and all your applications can run on a 64-bit OS, then 64-bit Windows 8 is the most appropriate choice.

determine screen resolution


The only reason I can see why the Windows 8 exam has a section on screen resolution is the new Metro user interface: Metro-style applications require a minimum screen resolution of 1024×768, and 1366×768 for the snap feature (running a Metro application side by side with another Metro app or the desktop). Windows 8 won't give you the option of a lower resolution than 1024×768 unless you go into the advanced settings.

If you go into the advanced settings, change to a non-supported screen resolution and start a Metro application, you get this error message: The screen resolution is too low for this app to run

choose between an upgrade or a clean installation


Personally I always prefer a clean installation, but for the exam you need to know that you can only upgrade a 32-bit OS to Windows 8 32-bit, and likewise 64-bit only works from a previous 64-bit OS to Windows 8 64-bit. Any previous Windows 7 edition (Home/Premium/Professional/Ultimate/Enterprise) can be upgraded to Windows 8 and retain:

- Applications
- Windows settings
- Personal files

Windows Vista with Service Pack 1 or higher can be upgraded to Windows 8 and retain:

- Windows settings
- Personal files

Windows Vista with no service pack and Windows XP with Service Pack 3 can be upgraded to Windows 8 but only retain:

- Personal files

So remember that only Windows 7 can do a true in-place upgrade that keeps applications (a few applications won't run in Windows 8) together with all Windows settings and personal files; the others will install Windows 8 but only keep Windows settings, personal files or both.

determine which SKU to install


Windows 8 will exist in 4 different SKUs (Stock-keeping Units):

1. Windows 8
2. Windows 8 Pro
3. Windows 8 Enterprise
4. Windows 8 RT

Windows 8 is the most basic version (it cannot join a domain); only the Windows 7 editions Starter, Home Basic and Home Premium can be upgraded to this version.

Windows 8 Pro includes all standard Windows 8 features; all Windows 7 editions (except Enterprise) can be upgraded to this version.

Windows 8 Enterprise includes all standard Windows 8 features plus Windows To Go, DirectAccess, BranchCache, RemoteFX and Metro-style application development. This edition can only be acquired by Software Assurance customers.

Windows 8 RT is not an edition you can really choose, since it comes pre-installed on ARM processors and can therefore not run any previous Windows programs.

Basically: Windows 8 RT can only be installed on ARM processors, Windows 8 is for home use, Windows 8 Pro is for businesses that don't have Software Assurance, and Windows 8 Enterprise is for those with Software Assurance agreements.

Install Windows 8

install as Windows to Go
Windows To Go is an Enterprise feature which makes it possible to boot Windows 8 from a USB 2/3 stick; the first boot takes longer due to driver installation, but every boot after that is faster. One way (not the way the exam will ask about) to install Windows To Go onto a USB stick/disk is to open an elevated CMD prompt, get ImageX.exe (from the Windows ADK: http://www.microsoft.com/en-us/download/details.aspx?id=29929 ) and the Windows 8 ISO, and extract the install.wim file. When you have all that and have formatted the USB disk as NTFS, run this command in the elevated CMD prompt (make sure imagex.exe is in your path; in the example below the USB drive letter is E:):

imagex.exe /apply install.wim 1 E:\

Once imagex has finished applying the wim file, make the drive bootable by running this command:

bcdboot.exe E:\windows /s E: /f ALL

Now you have a USB drive that can boot on any hardware, even on a Mac (depending on which ISO media you used you could be limited to 32-bit hardware only).

Another way to install Windows To Go, and the more official way (read: what will be asked on the exam), is to launch the Windows To Go Creator Wizard on a Windows 8 Enterprise edition machine. Exam tip: know that Windows To Go can only be created from Windows 8 Enterprise edition and that for the license you need Microsoft Software Assurance; you can then even run it on a home computer. To create one, start the Windows To Go wizard from a Windows 8 Enterprise machine.

Windows To Go supports both USB 2.0 and 3.0, but USB 3.0 is of course recommended for better performance. Insert an external/removable USB disk and it shows up; as seen below, all removable disks must be Windows To Go certified to be accepted, but all external fixed disks are supported.

Notice that the wizard lets you know that the device is USB 2.0 and that USB 3.0 is recommended, but it won't stop you from using it. When a supported device is inserted the Next button activates; choose the disk you want to put Windows To Go on and press Next to continue.

Now you need the source files (basically an install image from Windows 8 Enterprise, install.wim), either a DVD inserted or the install ISO mounted; if it is not already detected by the wizard, click Add search location and browse to it. Once found, click Next to continue.

You can enable a BitLocker password, which must be typed in before the OS loads (take care with the keyboard layout, it will be US-EN when booted on a standard boot.wim). Once everything is configured, press Next to continue.

Here you get a summary and are also warned that the USB drive will be reformatted and any data on it will be lost. Press Create to start the creation of the Windows To Go USB drive.

This process will take a while, depending on the disk itself, but roughly 10 minutes.

When finished you can choose the boot option (Do you want to automatically boot from it when you restart your PC?):

- Yes: it will modify the boot configuration to automatically boot from this USB disk.
- No: you will have to manually choose to boot from it, for example on a Dell press F12 and choose the USB device.

If you chose Yes and want to test it directly, press Save and restart; otherwise (and if you chose No) press Save and close.

migrate from Windows XP or Windows Vista


Migrating from Windows XP with Service Pack 3 to Windows 8 works only to the 32-bit version of Windows 8 (because XP with SP3 only exists in 32-bit). Setup renames the previous Windows folder to windows.old, installs a new Windows 8 and then migrates the personal files (no programs or Windows settings are kept). Migrating from Windows Vista with no service pack works the same as for Windows XP above; you can migrate to Windows 8 64-bit if the previous Vista was 64-bit. Migrating from Windows Vista with Service Pack 1 or later migrates Windows settings and personal files, but not programs.

upgrade from Windows 7 to Windows 8 or from one edition of Windows 8 to another edition of Windows 8

When you upgrade from Windows 7 to Windows 8 in-place on the same machine, the Windows 8 Setup program scans your PC to determine whether it can run Windows 8 and which apps and devices are compatible, and provides a report that you can save or print. If you are currently running Windows 7 Starter, Home Basic or Home Premium you can upgrade to either Windows 8 or Windows 8 Pro; if you are using Windows 7 Professional or Ultimate you can only upgrade to Windows 8 Pro. Windows 7 Enterprise cannot be upgraded and needs a fresh install (normally not an issue, since enterprises normally have enterprise tools to reinstall).

Upgrading from one edition of Windows 8 to another: it is my guess that this only means upgrading from Windows 8 to Windows 8 Pro, since you cannot upgrade to Windows 8 RT, Windows 8 Enterprise can only be obtained through Software Assurance, and I doubt you can downgrade from Windows 8 Pro to Windows 8. Anyway, to upgrade to a different edition, launch Get more features with a new edition of Windows.

Here you either buy a new product key (for Windows 8 Pro) or, if you already have one, enter it to upgrade; all files, settings and programs stay the same. (The screenshot below shows the Release Preview version; not sure if that can be upgraded, but either way that won't be an exam question.)

install VHD
Boot from Virtualized Hard Drive (VHD) is a feature of Windows 8 Pro and Windows 8 Enterprise (not of Windows 8 and Windows 8 RT). First we need to create the VHD, with either diskpart or Disk Management; 50 GB is a good starting size.

Once created, initialize the disk and be sure to choose MBR (GPT doesn't work at the moment, but maybe in the future).

Then create a new simple volume formatted as NTFS.

Once ready we apply our Windows 8 WIM to the VHD with ImageX:

imagex /apply [path to wim]\install.wim 1 [drive letter for VHD]

When the VHD file contains our Windows 8 WIM we just need to make it bootable with BOOTSECT.EXE using the command below:

bootsect /nt60 [Drive letter of VHD] /mbr

The last step is to Mark Partition as Active in Disk Management.

Now you have a bootable Windows 8 VHD (to actually use it you need to change the boot configuration to use it).
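As an added example that is not part of the original post, the PowerShell script below automates the VHD procedure above (diskpart, imagex, bootsect, mark active) and then registers the VHD in the boot configuration with bcdedit so the boot menu can actually start it; the imagex step is the same one used for Windows To Go. The VHD path, size, drive letter and WIM location are assumptions, and it must run from an elevated prompt with imagex.exe from the Windows ADK on the PATH.

```powershell
# Added example (not from the original post): automate the VHD procedure above.
# Run from an elevated PowerShell prompt with imagex.exe (Windows ADK) on the PATH.
# Every path, size and drive letter below is an assumption for this demo.
$VhdPath   = 'C:\VHD\Win8.vhd'         # the VHD must live on C: for the BCD entry below
$VhdSizeMB = 51200                      # 50 GB, the starting size suggested in the post
$WimPath   = 'D:\sources\install.wim'   # mounted Windows 8 Pro/Enterprise ISO or DVD
$ImageIdx  = 1                          # image index inside install.wim
$VhdLetter = 'V'                        # drive letter diskpart assigns to the attached VHD

function Invoke-DiskPart([string]$Script) {
    # diskpart takes its commands from a script file passed with /s
    $tmp = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value $Script -Encoding ASCII
    $out = & diskpart.exe /s $tmp
    Remove-Item $tmp -Force
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed:`n$($out -join "`n")" }
    $out
}

function Invoke-Tool([string]$Exe, [string[]]$ArgList) {
    # Run a command-line tool and stop on a non-zero exit code instead of carrying on
    $out = & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ArgList -join ' ') failed with exit code $LASTEXITCODE" }
    $out
}

if (Test-Path $VhdPath) { throw "$VhdPath already exists; refusing to overwrite it" }
New-Item -ItemType Directory -Force -Path (Split-Path $VhdPath) | Out-Null

# 1. Create the VHD, initialize it as MBR (GPT is not supported for this, see above),
#    create one NTFS partition, mark it active and give it a drive letter.
Invoke-DiskPart @"
create vdisk file="$VhdPath" maximum=$VhdSizeMB type=expandable
select vdisk file="$VhdPath"
attach vdisk
convert mbr
create partition primary
format fs=ntfs quick label="Win8VHD"
active
assign letter=$VhdLetter
exit
"@ | Out-Null

# 2. Apply the WIM to the attached VHD; this is the same imagex step as for Windows To Go.
Invoke-Tool 'imagex.exe' @('/apply', $WimPath, "$ImageIdx", "${VhdLetter}:\") | Out-Null

# 3. Write the NT 6.x boot sector to the VHD volume (the bootsect step from the post).
Invoke-Tool 'bootsect.exe' @('/nt60', "${VhdLetter}:", '/mbr') | Out-Null

# 4. Register the VHD in the host's BCD so the boot menu can actually start it:
#    copy the current entry, then point device and osdevice at the VHD file.
$copy = Invoke-Tool 'bcdedit.exe' @('/copy', '{current}', '/d', 'Windows 8 (VHD)')
$guid = [regex]::Match(($copy -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "could not find the new entry id in bcdedit output: $copy" }
$vhdRef = 'vhd=[C:]' + $VhdPath.Substring(2)    # e.g. vhd=[C:]\VHD\Win8.vhd
Invoke-Tool 'bcdedit.exe' @('/set', $guid, 'device',    $vhdRef) | Out-Null
Invoke-Tool 'bcdedit.exe' @('/set', $guid, 'osdevice',  $vhdRef) | Out-Null
Invoke-Tool 'bcdedit.exe' @('/set', $guid, 'detecthal', 'on')    | Out-Null

# 5. Detach the VHD; it must not stay mounted when the machine boots from it.
Invoke-DiskPart @"
select vdisk file="$VhdPath"
detach vdisk
exit
"@ | Out-Null
Write-Host "Boot entry $guid now starts Windows 8 from $VhdPath"
```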

Migrate and configure user data


migrate user profiles
To migrate a user profile from one machine to Windows 8 there are many ways; for the exam I assume these 2 will be tested:

1. Windows Easy Transfer (MigWiz.exe) (home/SOHO tool)
2. USMT, User State Migration Tool (enterprise tool)

Windows Easy Transfer works well for home users and one-time user profile migrations. When you run through the wizard (MigWiz.exe) you have 3 options: An Easy Transfer Cable, A Network (this gives you a code that is used for authentication) or An external hard disk or USB flash drive.

If you choose An external hard disk or USB flash drive and your old PC is running Windows XP or Windows Vista, you need to install Windows Easy Transfer there.

For more detailed information on how to run this, follow this link: http://www.addictivetips.com/windows-tips/transfer-files-settings-from-windows-7to-windows-8/

USMT, the User State Migration Tool, works well in the enterprise, can be heavily customized and can be run scripted/automated. USMT version 5 (compatible with Windows 8) is included in the Windows ADK (which replaces WAIK) and can be downloaded here: http://www.microsoft.com/enus/download/details.aspx?id=30652 USMT 5 works as before, with scanstate.exe to capture files and settings and loadstate.exe to apply the files and settings captured by scanstate.exe, and it still uses XML files to define what should be captured. USMT 5 still works with Windows XP and later. For more detailed information about USMT version 5, follow this link: http://blogs.technet.com/b/askds/archive/2012/04/13/new-usmt-5-0-features-forwindows-8-consumer-preview.aspx
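As an added example that is not part of the original post, here is a scripted USMT 5 migration in PowerShell: scanstate captures one user's profile plus a custom folder (defined in a small migration XML) into an encrypted store, and loadstate restores it on the new Windows 8 machine. The USMT install path, share, user name and key file location are assumptions.

```powershell
# Added example (not from the original post): scripted USMT 5 capture and restore.
# Run the Capture phase on the old PC and the Restore phase on the new Windows 8 PC;
# everything below the dashed line (paths, share, user) is an assumption for this demo.
param([ValidateSet('Capture', 'Restore')][string]$Phase = 'Capture')

$UsmtDir   = 'C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\amd64'
$Store     = '\\fileserver\migration\PC-OLD'   # per-machine store folder (hypothetical)
$User      = 'CONTOSO\jbryntze'                # the only profile we want to move (hypothetical)
$KeyFile   = 'C:\usmt\store.key'               # keep it off the share; ACL it to admins only
$LogDir    = 'C:\usmt\logs'
$CustomXml = 'C:\usmt\jbkbdocs.xml'

# Custom migration XML in the same format as the built-in MigDocs.xml / MigApp.xml:
# include the user's JBKB folder, but leave its cache subfolder out of the store.
$MigrationXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/jbkbdocs">
  <component type="Documents" context="User">
    <displayName>JBKB project files</displayName>
    <role role="Data">
      <rules>
        <include>
          <objectSet>
            <pattern type="File">%CSIDL_PERSONAL%\JBKB\* [*]</pattern>
          </objectSet>
        </include>
        <exclude>
          <objectSet>
            <pattern type="File">%CSIDL_PERSONAL%\JBKB\cache\* [*]</pattern>
          </objectSet>
        </exclude>
      </rules>
    </role>
  </component>
</migration>
'@

function New-UsmtKeyFile([string]$Path) {
    # /keyfile points USMT at a text file holding the key string; use 32 random bytes.
    $bytes = New-Object byte[] 32
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    New-Item -ItemType Directory -Force -Path (Split-Path $Path) | Out-Null
    Set-Content -Path $Path -Value ([Convert]::ToBase64String($bytes)) -Encoding ASCII
}

function Invoke-Usmt([string]$Tool, [string[]]$ArgList) {
    # Run from the USMT folder so the built-in XML files resolve; 0 means success.
    Push-Location $UsmtDir
    try {
        $out = & ".\$Tool" @ArgList
        if ($LASTEXITCODE -ne 0) {
            throw "$Tool returned $LASTEXITCODE, see the log in $LogDir`n$($out -join "`n")"
        }
    } finally { Pop-Location }
}

New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
Set-Content -Path $CustomXml -Value $MigrationXml -Encoding UTF8

if ($Phase -eq 'Capture') {
    New-UsmtKeyFile $KeyFile
    Invoke-Usmt 'scanstate.exe' @(
        $Store,
        '/i:MigApp.xml', '/i:MigDocs.xml', "/i:$CustomXml",  # built-in rules plus ours
        '/o',                                                 # overwrite an existing store
        '/ue:*\*', "/ui:$User",                               # exclude everyone, then include one user
        '/encrypt', "/keyfile:$KeyFile",                      # store is unreadable without the key
        '/c', '/v:5', "/l:$LogDir\scanstate.log"
    )
} else {
    # The key file must have been copied to this machine over a trusted channel.
    if (-not (Test-Path $KeyFile)) { throw "key file $KeyFile missing; cannot decrypt the store" }
    Invoke-Usmt 'loadstate.exe' @(
        $Store,
        '/i:MigApp.xml', '/i:MigDocs.xml', "/i:$CustomXml",
        '/ue:*\*', "/ui:$User",
        '/decrypt', "/keyfile:$KeyFile",
        '/c', '/v:5', "/l:$LogDir\loadstate.log"
    )
}
```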

configure folder redirection


Folder Redirection is a good way to make the user profile virtual and accessible from multiple devices (roaming profiles are another), and it is nothing new in Windows 8 and Windows Server 2012, but some extra features have been added. Since this is a Windows 8 exam and not a Server 2012 exam I will only list the new Local Group Policy settings for Folder Redirection.

Do not automatically make specific redirection folders available offline: as the name implies, if you enable this policy you need to check each folder that you don't want to be automatically available offline; the user can still manually select files and set them as available offline (it just won't be done automatically).

Enable optimized move of content in Offline File cache on Folder Redirection server path change: if you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, the cached content is renamed in the local cache instead of being copied to the new location.

Redirect folders on primary computers only: a new feature which requires an Active Directory schema update on Windows Server 2012 that adds a new attribute to set a user's primary computer, so that you can exclude Folder Redirection on, for example, training/test and conference machines.

configure profiles
Not sure what this exam objective is asking for; I will update this when I find out. It could be something linked to the new account type: with a Microsoft account you have more freedom to use it on any machine than with a local or domain account, and your profile is also saved in the cloud.

Certification: Exam 70-687: Configuring Windows 8 Part 2: Configure Hardware and Applications (16%)

Posted by John Bryntze. Published in Certification, Microsoft, Windows 8.

Exam 70-687: Configuring Windows 8 is scheduled for 17th September, and instead of waiting for study material I will create my own and post it here. Part two is Configure Hardware and Applications, which is 16% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 2 we will look into these 6 objectives:

- Configure devices and device drivers
- Install and configure desktop applications
- Install and configure Windows Store applications
- Control access to local hardware and applications
- Configure Internet Explorer
- Configure Hyper-V

If you take the exam before 31st May 2013, be sure to register for a Second Shot, which means that if you fail you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx

Configure devices and device drivers


install, update, disable, and roll back drivers
Not related to this exam, but there are few native Microsoft Windows 8 drivers at today's date; Windows 7 drivers most often work just fine. Note: nearly nothing has changed in driver management, so if you have used this in XP/Vista/7 you can skip this part. All x64 device drivers must have a digital signature, and boot-critical drivers must have an embedded signature. To install a driver you do as always: download the correct driver and run the setup file.

Drivers get updated regularly. Microsoft keeps some drivers on Windows Update, which you can access from Device Manager via Update Driver, or you can download the driver from the manufacturer (often a more recent driver) and either install it or click Update Driver in Device Manager (see image above). To disable a device you can either right-click the device itself in Device Manager or press Disable on the Driver tab (see the image above). If you update a driver and the device starts malfunctioning you have the option to Roll Back Driver: the system has kept the previous driver and puts it back (if this option is greyed out there never was a previous driver).

resolve driver issues


It is not unlikely that if you install Windows 8 manually on hardware from before 2012 (and even from 2012), at first start you will see some devices in Device Manager that are missing drivers; those are shown with a yellow triangle icon with a yellow ! in it. To resolve this driver issue just download the correct driver and install it.

If a device icon shows an arrow pointing down in a circle, the device has been disabled. To resolve this, right-click the device and choose Enable, and make sure that it doesn't go into another state such as missing driver.

configure driver settings


In Device Manager you can right-click a device and choose Properties; some device drivers have settings, such as whether a network adapter should run when the machine is low on battery, or the wireless mode (a/b/g) of a WiFi adapter.

Install and configure desktop applications


set compatibility mode
Right-click any exe file and choose Properties; there you see a tab called Compatibility.

Here you can specify to run the exe file as under previous Windows versions; notice that Windows NT 4 isn't on the list. This can be useful if you run an older program that could run on Windows 8 but is hard-coded to check for a specific Windows version and only run on that. You can also reduce the color mode and screen resolution, and run as administrator (if you experience UAC issues).

install and repair applications by using Windows Installer


Windows Installer = MsiExec. To use the Windows Installer the install files must include an MSI file. Some software comes only as an exe file but then extracts an msi file to a temp folder and runs it; all Apple software (QuickTime, iTunes etc.) works that way. Then you have programs that come natively in MSI format, such as 7-Zip and Adobe Flash Player, and you also have programs that don't come as msi at all but use their own installer, such as Firefox and VLC; for those you need to package them yourself to get them into MSI format if needed (if you deploy software with GPO you need them in msi format).

So if you run an exe install file or an msi directly in explorer.exe you get to answer some questions in a wizard. On the command line you can answer these questions up front and run the install silently with msiexec; below is a typical example:

msiexec /i c:\jbkb\jbkb-1.0.0.msi /qn /norestart

/i = install, /qn = quiet and no user interface, /norestart = no restart even if the program demands one.

To repair you can go to Programs and Features, right-click the program you want to repair and choose Change.

Then choose Repair and follow the instructions.

You can also repair with MsiExec as in the example below:

msiexec /fo c:\jbkb\jbkb-1.0.0.msi

/f = repair, /o = repair only if a file is missing or an older file is installed.
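As an added example that is not part of the original post, the PowerShell function below wraps the two msiexec commands above: it verifies the package's Authenticode signature before touching it, always writes a verbose log, and translates the exit code so a scripted deployment can tell "done" from "done, reboot pending" from "failed". The package path is the one from the post; the expected publisher name is hypothetical.

```powershell
# Added example (not from the original post): a wrapper around the msiexec install
# and repair commands above with signature check, verbose logging and exit-code
# handling. The package path comes from the post; the publisher name is hypothetical.
function Invoke-MsiAction {
    param(
        [Parameter(Mandatory)][ValidateSet('Install', 'Repair')][string]$Action,
        [Parameter(Mandatory)][string]$MsiPath,
        [string]$ExpectedPublisher,                 # substring of the signer's Subject, optional
        [string]$LogDir = $env:TEMP
    )
    if (-not (Test-Path $MsiPath)) { throw "MSI not found: $MsiPath" }

    # MSI files carry Authenticode signatures; refuse unsigned or tampered packages.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed for $MsiPath : $($sig.Status)"
    }
    if ($ExpectedPublisher -and $sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    $log = Join-Path $LogDir ('{0}.{1}.log' -f (Split-Path $MsiPath -Leaf), $Action)
    # /i = install, /fo = repair missing or older files; both silent and without a
    # restart, plus /l*v so a failed run can be diagnosed without re-running it.
    $opt = if ($Action -eq 'Install') { '/i' } else { '/fo' }
    $argList = @($opt, "`"$MsiPath`"", '/qn', '/norestart', '/l*v', "`"$log`"")

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
    $meaning = switch ($proc.ExitCode) {
        0       { 'success' }
        1641    { 'success, installer initiated a restart' }
        3010    { 'success, a restart is required' }
        1603    { 'fatal error during installation, see log' }
        1619    { 'package could not be opened' }
        1625    { 'installation forbidden by system policy' }
        default { "error $($proc.ExitCode), see log" }
    }
    [pscustomobject]@{
        Action   = $Action
        MsiPath  = $MsiPath
        ExitCode = $proc.ExitCode
        Result   = $meaning
        Log      = $log
    }
}

# Same package as in the post's examples; 'JBKB' as publisher is an assumption.
Invoke-MsiAction -Action Install -MsiPath 'c:\jbkb\jbkb-1.0.0.msi' -ExpectedPublisher 'JBKB'
Invoke-MsiAction -Action Repair  -MsiPath 'c:\jbkb\jbkb-1.0.0.msi' -ExpectedPublisher 'JBKB'
```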

configure default program settings


On the command line you can use dism.exe to export the default program settings from a machine to XML, modify the XML file and import it on the machine that needs these program settings. In the GUI, go to Control Panel\Programs\Default Programs\Set Default Programs to modify the default program settings.

modify file associations


On the command line you can use Assoc or Dism to view and modify file associations. In the GUI you can go to Control Panel\Programs\Default Programs\Set Associations and modify the file associations you want.

manage App-V applications


Unfortunately there is no native App-V client in Windows 8, but App-V 5.0 (currently in Beta) and later is supported on Windows 8. Unsupported, but it works, is installing App-V 4.6 with SP; watch out though, since Windows 8 isn't on the valid list in the OSD file.

Install and configure Windows Store applications


install, reinstall, and update Metro applications
To install a Metro (now Modern UI Style) application, simply go to the Store app and start typing the name of the app you want.

Then simply click the Install button to start downloading and installing the application.

To reinstall an application you uninstalled or had on another machine, go into the Store, right-click and choose Your apps, and you will be able to reinstall the applications.

If an update becomes available for an app you will see this in the Store; simply click App updates and choose to update all or select the ones you want to update.

restrict Windows Store content


Each Windows Store app has an age rating, indicating whether it contains violence/sex/weapons and other content inappropriate for children (or adults).

You can then restrict the Windows Store content (well, what you can see) by using Family Safety (Parental Control). It doesn't show up by default on a domain-joined Windows 8 machine, but you can make it visible by enabling Make Family Safety control panel visible in a domain GPO.

The restriction is set per user account (it only works for standard users/non-admins, but is set by an admin): under Control Panel\All Control Panel Items\Family Safety\User Settings\Game and Windows Store Restrictions check the [Username] can only use games and Windows Store apps I allow radio button, then click Set game and Windows Store ratings.

Here you can decide how it should handle games (apps) with no rating and, more importantly, restrict content based on age rating:

1. Early Childhood for 3+ ratings
2. Everyone for 6+ ratings
3. Everyone 10+ for 10+ ratings
4. Teen for 13+ ratings
5. Mature for 17+ ratings
6. Adults Only for 18+ ratings

add internal content (side loading)


Sideloading means installing an app without going through the Windows Store; this could be LOB apps. These don't have to be certified or installed through the Windows Store, but they must be signed with a certificate trusted by the machine that will install the app.

Note: not 100% sure, but the TechNet documentation specifically mentions Windows 8 Enterprise (and Server 2012), so it is possible this is only supported on Enterprise edition (the GPO doesn't mention it, though).

If your machine is not joined to a domain you must activate a sideloading key before you can run the app. If your machine is joined to a domain, just enable the GPO Allow all trusted apps to install before you add a sideloaded app and run it.

If the above is not fulfilled, the app tiles will show an X in the bottom right corner. To install sideloaded apps you can use 2 tools, dism.exe and PowerShell.

PowerShell command:

Add-AppxPackage C:\JBKB.appx -DependencyPath C:\JBKBccc.appx

Dism.exe command:

DISM /Online /Add-ProvisionedAppxPackage /PackagePath:C:\JBKB.appx /SkipLicense
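As an added example that is not part of the original post, the PowerShell script below performs the checks a defender wants before running the Add-AppxPackage command above: that the sideloading policy is actually enabled, that each package (including the dependency) carries a valid signature chaining to a trusted root, and that the manifest's Publisher matches the signing certificate subject, which Windows requires for .appx packages. The package paths are those from the post; the registry value the GPO writes is an assumption based on the policy's ADMX mapping.

```powershell
# Added example (not from the original post): pre-flight checks before sideloading.
# Paths come from the post; the policy registry value is an assumption (ADMX mapping).
Add-Type -AssemblyName System.IO.Compression.FileSystem   # .NET 4.5 ships with Windows 8

$Package = 'C:\JBKB.appx'
$Deps    = @('C:\JBKBccc.appx')

function Test-SideloadPolicy {
    # "Allow all trusted apps to install" GPO -> AllowAllTrustedApps = 1 (assumption).
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $item = Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    return [bool]($item -and $item.AllowAllTrustedApps -eq 1)
}

function Get-AppxManifestIdentity([string]$Path) {
    # An .appx is a ZIP container; read the Identity element out of AppxManifest.xml.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if (-not $entry) { throw "$Path has no AppxManifest.xml" }
        $reader = New-Object System.IO.StreamReader($entry.Open())
        try { [xml]$manifest = $reader.ReadToEnd() } finally { $reader.Dispose() }
        $manifest.Package.Identity          # Name, Publisher and Version attributes
    } finally { $zip.Dispose() }
}

function Test-AppxPackage([string]$Path) {
    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $id      = Get-AppxManifestIdentity $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path              = $Path
        Name              = $id.Name
        Version           = $id.Version
        ManifestPublisher = $id.Publisher
        SignerSubject     = $subject
        SignatureStatus   = $sig.Status      # Valid = signed and chains to a trusted root
        # The deployment engine rejects a package whose Publisher differs from the cert subject
        PublisherMatch    = ($subject -eq $id.Publisher)
    }
}

if (-not (Test-SideloadPolicy)) {
    throw 'Allow all trusted apps to install is not enabled; the app tile would show an X'
}
$results = foreach ($p in @($Package) + $Deps) { Test-AppxPackage $p }
$results | Format-Table Name, Version, SignatureStatus, PublisherMatch -AutoSize
$bad = $results | Where-Object { $_.SignatureStatus -ne 'Valid' -or -not $_.PublisherMatch }
if ($bad) { throw "Refusing to sideload: $($bad.Path -join ', ')" }

# Everything checked out: the command from the post, with its dependency.
Add-AppxPackage -Path $Package -DependencyPath $Deps
```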

disable Windows Store


To disable the Windows Store, just enable the GPO [User | Computer] Configuration -> Administrative Templates -> Windows Components -> Store -> Turn off the Store application.

Notice that Windows RT can use Local Machine Policies, but take care, because the Group Policy Client service, gpsvc, is disabled by default on Windows RT.

Control access to local hardware and applications


configure AppLocker
New in AppLocker for Windows 8 is that you can restrict Packaged apps and Packaged app installers (.appx). Otherwise it works pretty much the same as in Windows 7 and only works in Enterprise edition (you can create AppLocker rules in other editions but not enforce them). To configure AppLocker you either use the preferred global Group Policy or, as in this post, Local Computer Policy; navigate to Computer Configuration -> Windows Settings -> Security Settings -> Application Control Policies -> AppLocker.

If you for example want to restrict normal users (local administrators are excluded by the default rules) from running a specific app (*.appx), you can either manually create a rule for each approved or not approved app, or you can scan a template computer that already has all apps installed and set only those to allowed. I will go through both examples, and this also works for Executable Rules (.exe, .com), Windows Installer Rules (.msi, .msp, .mst) and Script Rules (.ps1).

Manually Create a AppLocker Rule


Start by right-clicking Packaged app Rules and choosing Create New Rule...

A wizard starts at Before You Begin, which explains what the wizard will do; just click Next > to continue. At Permissions you decide the action, Allow or Deny; if two rules exist for the same application the Deny rule wins. Here you also decide which group it applies to; the default is Everyone. In this example we set Allow for Everyone and then press Next >.

At Publisher you either browse/select an app already installed or an app reference. In this example we press Select, check the Microsoft SkyDrive app and then slide up to Package Name, and change Package Version from the version number to * (any version), which means that even if we update SkyDrive it will still be allowed to run. To continue press Next >.

At Exceptions you can specify exceptions to the rule; in this example we have no exception and continue by pressing Next >. At Name you name the rule (the image shows the default name given) and you can also add a description, such as why this rule was created and its goal. Press Create to finish the rule.

Automatically Generate AppLocker Rules


Start by right-clicking Packaged app Rules and choosing Automatically Generate Rules...

A wizard starts, and on the first page you have to choose who these rules will apply to; the default is the Everyone group, but you can browse for any group. You also have to choose whether it should generate rules for the apps already installed on the machine you are running the wizard from, or from a folder where you have put all the apps. In this example we leave the default Everyone group and the radio button on Generate rules for all packaged apps installed on this computer, and set a suitable name for these rules.

Press Next > to continue.

At Rule Preferences you have only one choice, which is enabled by default: Reduce the number of rules created by grouping similar applications. Press Next > to continue. The wizard will now crawl through all installed packaged apps on the machine. At Review Rules you get an overview of how many rules were created for the packaged apps; if you left the default in the previous step the number of rules is lower. If you are happy with the rules, press Create.

Now you see the extra rules created, all starting with the name specified at the start of the wizard.

Active AppLocker rules


If enforcement is not configured, it is enabled by default, unless a Group Policy is defined, in which case that value overrides it. To configure enforcement on a local machine, right-click AppLocker and choose Properties.

Choose for each section; if you don't want to enforce the rules you created you can choose Audit Only, and you will only see what would have been blocked, but AppLocker won't block anything.
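As an added example that is not part of the original post, the PowerShell script below is the scripted equivalent of the wizard steps above: it generates Publisher rules for every packaged app installed on the computer, applies them to the local policy in Audit Only mode, and then reads the AppLocker event log to show what would have been blocked, which is the check to do before switching to Enforce rules. It assumes Windows 8 Enterprise, an elevated prompt, and the output path shown.

```powershell
# Added example (not from the original post): scripted AppLocker packaged-app rules
# in Audit Only mode plus a look at the audit events. Output path is an assumption.
Import-Module AppLocker
$PolicyXml = 'C:\AppLocker\packaged-apps-audit.xml'

# AppLocker only evaluates rules while the Application Identity service is running.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
if ($svc.StartMode -ne 'Auto') { Set-Service -Name AppIDSvc -StartupType Automatic }
if ($svc.State -ne 'Running') { Start-Service -Name AppIDSvc }

# 1. File information for all installed packaged apps (what the "Automatically
#    Generate Rules" wizard crawls), turned into grouped Publisher rules for Everyone.
$info = Get-AppxPackage | Get-AppLockerFileInformation
[xml]$policy = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Optimize -Xml

# 2. Set every rule collection in the generated policy to Audit Only: AppLocker logs
#    what it would have blocked but blocks nothing, as described in the post.
foreach ($rc in $policy.SelectNodes('//RuleCollection')) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
New-Item -ItemType Directory -Force -Path (Split-Path $PolicyXml) | Out-Null
$policy.Save($PolicyXml)

# 3. Merge into the local policy; -Merge keeps rules that already exist instead of
#    replacing the whole local AppLocker configuration.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge

function Get-AppLockerAuditHits([int]$Hours = 24) {
    # Packaged app-Execution log: 8020 = allowed, 8021 = would have been blocked
    # (audit mode), 8022 = blocked. We want the last two.
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/Packaged app-Execution'
        Id        = 8021, 8022
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $_.UserId
                EventId = $_.Id
                Message = $_.Message
            }
        }
}

# Keep a copy of the effective policy (local + domain) next to the XML we applied,
# then list any audit hits so far; review these before changing the mode to Enforce.
Get-AppLockerPolicy -Effective -Xml | Out-File (Join-Path (Split-Path $PolicyXml) 'effective.xml')
Get-AppLockerAuditHits | Format-Table -AutoSize
```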

configure access through Group Policy or local security policy


Unclear what objective this is aiming at, but my guess is Software Restriction Policies.

This is nothing new in Windows 8 and existed before, so most likely there will not be too many questions on this topic on the exam. There are 3 different security levels (the default is Unrestricted):

1. Disallowed: software will not run, regardless of the access rights of the user.
2. Basic User: allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.
3. Unrestricted: software access rights are determined by the access rights of the user.

To create a Software Restriction Policy rule go to: Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies. Right-click Additional Rules and choose one of the 4 rule types:

1. Certificate Rule
2. Hash Rule
3. Network Zone Rule
4. Path Rule

Certificate Rule: can reduce performance; you browse to a certificate and choose the security level.
Hash Rule: more secure than a Path Rule, since if a file is modified by malware or the like it gets another hash and is not allowed to run.
Network Zone Rule: follows the same zones as Internet Explorer, and you can restrict installation per zone.
Path Rule: easy to implement but less secure; if a file exists in a certain path it can, depending on the security level, be allowed to run, but if malware replaces a file in that path it will still be allowed to run (the opposite of hash rules).

Path Rule not allowing Windows Media Player to run

manage installation of removable devices


Note: I haven't found anything specifically new in Windows 8 for this, but there are some GPO settings that can help manage installation of removable devices; most of those existed already in Windows Vista. At Local Computer Policy: Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions

If you want to prevent installation of removable devices (and existing ones from updating their driver), enable Prevent installation of removable devices. If you only want to prevent (or allow) certain removable devices you must find out the device ID and use Allow installation of devices that match any of these device IDs or, alternatively, Prevent installation of devices that match any of these device IDs. To find out these device IDs you can plug in the device, go to Device Manager, open Properties and read the Hardware ID; the image below is a Western Digital external USB disk, for example: GenDisk, USBSTOR\GenDisk and so on.
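As an added example that is not part of the original post, the PowerShell script below lists the hardware IDs of the USB storage devices currently attached (the same IDs Device Manager shows) and writes the Prevent installation of devices that match any of these device IDs policy locally, then reads it back for auditing. The registry location is the one the policy's ADMX maps to (an assumption); the hardware ID used is the USBSTOR\GenDisk example from the post.

```powershell
# Added example (not from the original post): enumerate USB storage hardware IDs and
# configure the device-ID deny list locally. Registry location is an assumption (ADMX).
function Get-UsbStorageHardwareId {
    # Win32_PnPEntity exposes the same HardwareID list Device Manager shows.
    Get-WmiObject -Class Win32_PnPEntity | Where-Object { $_.DeviceID -like 'USBSTOR\*' } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                DeviceID    = $_.DeviceID
                HardwareIDs = @($_.HardwareID)   # most specific first, e.g. USBSTOR\Disk..., then USBSTOR\GenDisk
            }
        }
}

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Set-DeviceInstallDenyList {
    param(
        [Parameter(Mandatory)][string[]]$HardwareIds,
        [switch]$Retroactive     # also remove drivers of matching devices already installed
    )
    $listKey = Join-Path $RestrictionsKey 'DenyDeviceIDs'
    New-Item -Path $listKey -Force | Out-Null
    # DenyDeviceIDs=1 switches the list on; Retroactive applies it to existing devices.
    Set-ItemProperty -Path $RestrictionsKey -Name DenyDeviceIDs -Value 1 -Type DWord
    Set-ItemProperty -Path $RestrictionsKey -Name DenyDeviceIDsRetroactive -Value ([int][bool]$Retroactive) -Type DWord
    # Clear old entries, then store the IDs as values named 1, 2, 3 ... as gpedit does.
    Get-Item $listKey | Select-Object -ExpandProperty Property |
        ForEach-Object { Remove-ItemProperty -Path $listKey -Name $_ }
    $i = 1
    foreach ($id in $HardwareIds) {
        Set-ItemProperty -Path $listKey -Name "$i" -Value $id -Type String
        $i++
    }
}

function Get-DeviceInstallDenyList {
    # Read back what is configured, for auditing a machine.
    $listKey = Join-Path $RestrictionsKey 'DenyDeviceIDs'
    if (-not (Test-Path $listKey)) { return @() }
    $item = Get-Item $listKey
    $item.Property | Sort-Object { [int]$_ } | ForEach-Object { $item.GetValue($_) }
}

# Show what is plugged in right now so you can pick an exact ID instead of a broad one.
Get-UsbStorageHardwareId | Format-List

# Deny the generic USB disk ID from the post. This matches every USB mass-storage
# disk, so prefer a specific USBSTOR\Disk... ID when you only want to stop one model.
Set-DeviceInstallDenyList -HardwareIds @('USBSTOR\GenDisk')
Get-DeviceInstallDenyList
```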

Configure Internet Explorer


In Windows 8 you are offered 2 different versions of Internet Explorer 10: one in Modern UI Style mode, called just Internet Explorer (no ActiveX support), which is full screen, and one in desktop mode, called Internet Explorer for the desktop, which works like previous Internet Explorer versions with ActiveX support.

configure compatibility view


Some sites on the Internet check the user-agent string to see what browser version is requesting their content; for example, if the site http://john.bryntze.net knows that its content won't display well in Internet Explorer 6, it can check the user-agent string and notify Internet Explorer 6 users that the site won't look good and recommend an upgrade or similar. With Internet Explorer 10 the user-agent string has of course changed, and more than usual, because 10.0 now has an extra digit compared to the earlier MSIE 6.0, 7.0, 8.0, 9.0, so some sites might just compare the first digit and then by mistake take version 10.0 for version 1. Below is the user-agent string for Internet Explorer 10 on Windows 8:

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)


So even if a web page would display perfectly in Internet Explorer 10, it might get blocked because the page cannot handle the new user-agent string and therefore blocks access. One way around this is to enable Compatibility View for the site, which tricks it into seeing an Internet Explorer 7 browser with this user-agent string (note that it still shows Windows 8 (=6.2)):

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/6.0)

To configure Compatibility View Settings you use the command bar (if not visible press the ALT key) and go to Tools > Compatibility View Settings. Here you can add URLs that should be in Compatibility View mode (IE7 mode). You also decide whether all websites should be viewed in Compatibility View, or whether all intranet URLs should default to this mode (to support intranet applications developed against older browsers). You can also download an updated list that Microsoft provides of sites that display best in Compatibility View.

All the above settings can of course be set by Group Policy: User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Compatibility View

Notice: nothing is new in Internet Explorer 10; all the above has worked and been possible since Internet Explorer 8. The only small novelty is that Microsoft now keeps a Compatibility View list of sites that need Flash for Internet Explorer 10 in Modern UI Style mode (the version without ActiveX, but which still has a slim Flash Player with fewer features that drains less battery).

configure security settings


Internet Explorer 10 includes a lot of security settings, most of which already existed in Internet Explorer 9. Here are the most common ones with a short description.

InPrivate Browsing: activated with CTRL + SHIFT + P; the browser does not keep browsing history, cookies or temporary files from this session once the window is closed. Toolbars and extensions are disabled by default in an InPrivate window.

Tracking Protection: third-party content embedded on many sites, such as maps, advertising and analytics from a provider like Google, lets that provider correlate your visits across sites, which may give a better experience but less privacy. You can either let Internet Explorer block such content automatically (a Tracking Protection List) or allow or block it per site.

ActiveX Filtering: when enabled, sites that try to load ActiveX controls show a blue circle with a line through it in the address bar; clicking it lets you make an exception so that website may run ActiveX controls. Otherwise ActiveX is blocked by default while ActiveX Filtering is on.

SmartScreen Filter: on by default. It checks the URL you visit against a Microsoft reputation service and, if the site is flagged as dangerous, advises you not to visit it. It also checks downloaded files (application reputation). You can check a site manually, and you can report a site to Microsoft that you think is a phishing site or similar.

manage add-ons
Not much is new in Internet Explorer 10; this works more or less as in earlier versions. These settings can be set with Group Policy but also manually:

Toolbars and Extensions: disable or enable specific ActiveX controls, toolbars and browser helper objects; some have extra options to configure, but there is no standard.
Search Providers: add search providers; the default is Bing but you can add Google, Yahoo and others.
Accelerators: choose accelerators for e-mail, maps, translation and so on.
Tracking Protection: covered earlier in this post; in addition you can use your own list or download a list online.

configure websockets
WebSockets are new in Internet Explorer 10 but have existed in earlier versions of alternative web browsers. ws:// (and wss:// over TLS) is a web standard for a persistent two-way connection where traditional HTTP request/response is slow. I had problems finding how to configure WebSockets; there is no GUI in Internet Options, but there is one Group Policy setting, Turn off the WebSocket Object, which disables WebSockets (enabled by default) and with them a script's ability to open WebSocket connections, including cross-domain ones.

configure Download Manager


Download managers have existed for a long time in alternative browsers such as Firefox. The Download Manager is not a new feature in Internet Explorer 10 either (it arrived in Internet Explorer 9), but it was not in older versions. To reach the Download Manager press CTRL + J or go to Tools > View downloads.

So far pretty basic. This exam sub-objective says manage Download Manager, and once you are in it you can click the Options link and choose the download location and whether to be notified when a download finishes, and that is it! My guess is that this objective is about managing the Download Manager with Group Policy, and there are a few settings (not that many really), all listed below:

Windows Components -> Internet Explorer -> Delete Browsing History -> Prevent Deleting Download History: as the name implies, users cannot delete their own download history.
Windows Components -> Internet Explorer -> Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet: again as the name implies, if SmartScreen warns about a downloaded file, users cannot override the warning and run it anyway.

Configure Hyper-V
Hyper-V 3.0 on Windows 8 (Client Hyper-V) is the first Hyper-V that runs on a client OS, and the host also supports sleep and hibernate. It requires the 64-bit edition of Windows 8 Pro or Enterprise and a CPU with Second Level Address Translation (SLAT). Exam tip: remember that Hyper-V can only run on a 64-bit OS, so be careful with questions about running Hyper-V on a 32-bit Windows 8; it is not possible.

create and configure virtual machines


Creating a virtual machine in the GUI is pretty straightforward:

1. Right-click the Hyper-V server and go to New -> Virtual Machine; a wizard starts.
2. At Before You Begin just read through and press Next > to continue.
3. At Specify Name and Location you do exactly that: specify the name of the virtual machine and its location. The default location is C:\ProgramData\Microsoft\Windows\Hyper-V\ but I recommend creating your own root folder and checking the box Store the virtual machine in a different location. Press Next > to continue.
4. At Assign Memory you specify how much memory (in megabytes) the guest OS will use; this of course depends on what the OS and its applications require. Press Next > to continue.
5. At Configure Networking you can choose a virtual switch, if one has been created (you can add more after the wizard has finished). There are basically three kinds: private, internal and external. Choose your connection and press Next > to continue.
6. At Connect Virtual Hard Disk you can create a new virtual hard disk (and give its size in gigabytes), attach an existing one (it must be in VHD or VHDX format) or attach a virtual hard disk later. Press Next > to continue.
7. At Installation Options you can install the OS now or later. If now, you can use the Hyper-V host's physical CD/DVD drive, browse to an ISO file, or install from a virtual floppy disk (VFD format).
8. At Summary verify that all looks good and click Finish; the virtual machine gets created.

Once the wizard has finished you can modify the virtual machine, for example add a Legacy Network Adapter (needed for PXE booting), adjust memory, add more disks and so on. Under the Management section you have these settings:

Name: edit the name or add notes.
Integration Services: installed by default on newer Hyper-V aware guest OSes but may need to be installed on older Windows versions. The services are:
o Operating system shutdown: the Hyper-V host can do a clean shutdown of the guest OS.
o Time synchronization: the guest OS syncs its time with the host OS (the guest can still have a different time zone, which adjusts the displayed time).
o Data exchange: a mechanism to exchange data (key/value pairs) between the virtual machine and the operating system running on the physical computer.
o Heartbeat: lets the host OS detect when a virtual machine has locked up, crashed or otherwise stopped functioning. The host sends heartbeat messages to the guest at regular intervals and the Hyper-V Heartbeat Service in the guest answers each one.
o Backup (volume snapshot): a VSS requester is installed so that VSS writers in the guest operating system can participate in a backup of the VM.
Snapshot File Location: by default the same location as the virtual machine plus the name of the virtual machine, for example C:\Hyper-V Virtual Machines\JBKB-VM01.
Smart Paging File Location: same default as Snapshot File Location. Smart Paging is a memory management technique that gives a reliable restart for virtual machines configured with a minimum memory lower than their startup memory.
Automatic Start Action: when the host OS starts you have three choices for the guest OS:
o Nothing
o Automatically start if it was running when the service stopped (default)
o Always start this virtual machine automatically

create and manage snapshots


To take a snapshot simply select the virtual machine and click the Snapshot link.

Right-clicking a snapshot lets you delete it, or apply it (revert the VM to that state; you are offered to take a new snapshot of the current state first so it is not lost).

The snapshot location was explained above; it can be changed as long as no snapshot has been taken, but once there is a snapshot the setting is greyed out. Snapshot files are differencing disks with the extension .avhd (VHD parent) or .avhdx (VHDX parent).

create and configure virtual switches


Virtual switches: you can create three types of virtual switch depending on what your virtual machines need, and a single machine can have multiple virtual NICs connected to different virtual switches.
1. External: binds to a physical network adapter and creates a new adapter that you can see in Control Panel\Network and Internet\Network Connections; if a virtual machine needs to reach anything outside the host machine this type is a must.
2. Internal: connects all virtual machines and the host machine with each other, but nothing outside the host.
3. Private: connects the virtual machines with each other only; the host itself is not on this network.

The three switch types have some small configuration differences. For an external switch you choose in a drop-down which physical NIC to bind to (new in Hyper-V 3 is that you can bind to a Wi-Fi NIC; in Hyper-V 2 there was only an unsupported workaround to make that work) and optionally a VLAN ID for the management OS. For an internal switch you can set a VLAN ID. A private switch has no configuration apart from its name.

create and configure virtual disks


From within the Hyper-V console you can create virtual disks. Hyper-V 3 supports two disk formats:

VHD: virtual hard disks up to 2,040 GB in size.
VHDX: virtual hard disks up to 64 TB (this format is not supported in Hyper-V version 1 and 2).

You have three disk types:
1. Fixed size: creates a VHD or VHDX file that takes up the full disk size even if it is empty or unused; useful when an application checks for free disk space before it allows installation.
2. Dynamically expanding: uses less space than fixed size and grows as the disk is filled.
3. Differencing: you keep a static parent disk and add a differencing disk to which all changes are written. This is very good in a lab or training environment, where you can restore to the default by just deleting the differencing disk.

You can configure the disk size (remember the VHD and VHDX limits) and even copy the content of a physical disk or another virtual disk into the newly created virtual disk, or keep it blank.
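As an added example that is not part of the original post, the wizard steps, switch, disk and snapshot sections above can be done in one go with the Hyper-V PowerShell module that ships with Client Hyper-V. The folder names, VM name, base image and ISO path are assumptions; the base VHDX is assumed to already exist.

```powershell
# Added example, not from the original post. Run elevated on a Windows 8 Pro/Enterprise
# x64 host with Client Hyper-V. All paths and names below are assumptions.
Import-Module Hyper-V

$root   = 'C:\Hyper-V Virtual Machines'       # our own root instead of ProgramData
$vmName = 'JBKB-VM01'
$parent = "$root\Base-Win8.vhdx"              # assumed: an existing sysprepped base disk
$child  = "$root\$vmName\$vmName-diff.vhdx"
$iso    = 'C:\ISO\Windows8.iso'               # assumed install media

# 1. Private switch: VMs talk to each other only; the host is not connected.
if (-not (Get-VMSwitch -Name 'Lab-Private' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Lab-Private' -SwitchType Private | Out-Null
}

# 2. Differencing disk on top of the base image; delete this file to reset the VM.
New-VHD -Path $child -ParentPath $parent -Differencing | Out-Null

# 3. The VM itself (1 GB startup memory, stored under $root\JBKB-VM01).
New-VM -Name $vmName -Path $root -MemoryStartupBytes 1GB `
       -VHDPath $child -SwitchName 'Lab-Private' | Out-Null

# Dynamic memory with a minimum below startup: this is the case Smart Paging exists for.
Set-VMMemory -VMName $vmName -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes 2GB

# Management section: snapshot and smart paging next to the VM, no automatic start.
Set-VM -Name $vmName -SnapshotFileLocation "$root\$vmName" `
       -SmartPagingFilePath "$root\$vmName" -AutomaticStartAction Nothing

# A legacy adapter is what PXE boot needs; attach the ISO for a normal install.
Add-VMNetworkAdapter -VMName $vmName -IsLegacy $true -SwitchName 'Lab-Private'
Set-VMDvdDrive -VMName $vmName -Path $iso

# 4. Snapshot before first boot; an .avhdx file appears in the snapshot folder.
Checkpoint-VM -Name $vmName -SnapshotName 'Clean'

# Show what we built
Get-VMSnapshot -VMName $vmName | Select-Object VMName, Name, CreationTime
Get-VMHardDiskDrive -VMName $vmName | Select-Object VMName, Path
Get-VMNetworkAdapter -VMName $vmName | Select-Object Name, IsLegacy, SwitchName
```

Deleting the differencing file and recreating it with the same New-VHD line gives the "restore to default" that the differencing section describes, without touching the base image.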

Certification: Exam 70-687: Configuring Windows 8 Part 3: Configure Network Connectivity (15%)
Posted by John Bryntze Published in Certification, Microsoft, Windows 8 Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post here, part three is Configure Network Connectivity that is 15% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687 In this part 3 we will look into these 4 objectives

Configure IP settings. Configure networking settings. Configure and maintain network security. Configure remote management.

If you write the exam before 31st May 2013 be sure to register for a second shot (which means if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx )

Configure IP settings
configure name resolution
No big changes from Windows 7: you can either get your name resolution servers (DNS and/or WINS) from DHCP or configure them manually in Network and Sharing Center. You can also configure DNS from the command line. The interface name must be quoted because it contains spaces (note that on Windows 8 the default wired interface is called Ethernet rather than Local Area Connection):

netsh interface ip set dns "Local Area Connection" static 10.46.0.10

connect to a network
Connect to a network is the exact name of a Windows 8 native app that shows up if you type it in Search, as the image below shows. You can also connect outside the Modern UI as before. On the right side of the screen you get a list of all available connections, such as Wi-Fi networks, VPN connections (if any are configured) and even DirectAccess if configured.

configure network locations


Network locations are the network profiles that have existed since Windows Vista. There are three, and each network adapter/network is associated with one of them (Windows Firewall uses the same profiles to decide which rules apply):

Private: for home or SOHO networks.
Guest or Public: for airport Wi-Fi hotspots and other public places.
Domain: for domain networks (assigned automatically when a domain controller is reachable; the user cannot pick it).

For each network profile you decide whether file sharing and printer sharing are turned on or off. In Group Policy (Computer Configuration -> Windows Settings -> Security Settings -> Network List Manager Policies) you can predefine which network location a given network gets and whether the user is allowed to change it.

resolve connectivity issues


To resolve a connectivity issue you must first find where the issue is. Some basic steps:

1. Find out whether one or more machines have connectivity issues; if multiple computers are affected it is likely not a problem on the local machine.
2. If only one machine has the issue, check that it has an IP address with ipconfig /all. If not, check the cable and try another outlet, or verify that the machine is within Wi-Fi range (an address starting with 169.254 means DHCP was never reached).
3. If the machine has a correct IP address, check that it can ping its gateway. If it can, the problem is most likely name resolution: check that DNS answers with nslookup, or simply ping (or pathping) john.bryntze.net and see whether it resolves to an IP address.

It is rare, but if you use static IP addresses check for address conflicts, and if you use DHCP check that no two scopes overlap. You can also right-click a connection and choose Troubleshoot problems; a wizard will suggest some actions.
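The three checks above as a script, added here as an example and not from the original post. It uses the NetTCPIP and DnsClient cmdlets that are new in Windows 8; the interface alias and the name to resolve are assumptions (john.bryntze.net is the name used on the page).

```powershell
# Added example, not from the original post. Interface alias and probe name are assumptions.
$alias = 'Ethernet'              # Windows 8 default alias for the first wired NIC
$probe = 'john.bryntze.net'      # any name that should resolve from this network

# Step 2: do we have a usable IPv4 address (not APIPA 169.254.x.x) and a gateway?
$cfg = Get-NetIPConfiguration -InterfaceAlias $alias
$ip  = ($cfg.IPv4Address | Select-Object -First 1).IPAddress
if (-not $ip -or $ip -like '169.254.*') {
    Write-Warning "No DHCP/static IPv4 address on $alias (got '$ip'); check cable, outlet or Wi-Fi range"
    return
}
$gw = $cfg.IPv4DefaultGateway.NextHop
Write-Host "IPv4 $ip, gateway $gw, DNS $($cfg.DNSServer.ServerAddresses -join ', ')"

# Step 3a: is the gateway reachable? (the first hop, so local network or gateway problem if not)
if (-not $gw -or -not (Test-Connection -ComputerName $gw -Count 2 -Quiet)) {
    Write-Warning "Gateway '$gw' does not answer ping"
    return
}

# Step 3b: does name resolution work? Resolve-DnsName asks the DNS server directly,
# unlike ping, which also uses the hosts file and the local cache.
try {
    $answer = Resolve-DnsName -Name $probe -Type A -ErrorAction Stop
    Write-Host "$probe resolves to $($answer.IPAddress -join ', ')"
} catch {
    Write-Warning "DNS lookup for $probe failed: $($_.Exception.Message)"
    # The page's fallback, in PowerShell instead of netsh: set a known-good DNS server.
    # Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses 10.46.0.10
}
```

Each stage returns as soon as it fails, so the first warning printed is where the problem lies, which mirrors the order in which the steps above are meant to be followed.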

IPv6
Notice: extra section added due to rumors that Microsoft has started to push IPv6 on exams. IPv6 has been enabled by default since Windows Vista; keep a few things in mind:

IPv6 addresses are 128 bits long (instead of 32 bits in IPv4) and are written in hexadecimal, as eight groups of 16 bits separated by colons.
A multicast IPv6 address always starts with FF (FF00::/8), for example FF02::1 for all nodes on the link.
A link-local unicast IPv6 address always starts with FE80 (FE80::/10); every IPv6 interface has one.
In IPv4 the loopback address is for some strange reason 127.0.0.1 (wasting a full class A network); in IPv6 it is more logical: 0000:0000:0000:0000:0000:0000:0000:0001. Leading zeros in a group can be dropped and one run of all-zero groups can be replaced by ::, so this address can be written ::0001 or simply ::1.

The 255.255.0.0 style subnet mask you are used to does not apply in IPv6. IPv6 still has subnets, but the prefix length is written with the address (for example /64). In a typical global unicast address the first 48 bits are the network prefix assigned to the site, the next 16 bits are the subnet ID used to create subnets, and the last 64 bits are the interface ID that identifies the host.

IPv6 also uses DNS, but the host records that are A records in IPv4 are AAAA records in IPv6. Windows 8 supports several tunnelling technologies that carry IPv6 packets over IPv4 networks, such as Teredo, ISATAP and 6to4.

A few Windows 8 functions only work with IPv6, such as DirectAccess and HomeGroup.

Configure networking settings


connect to a wireless network
If the wireless network broadcasts its SSID you just click on it and connect (you will be asked for the security key if the network is protected with WEP, WPA or WPA2; WEP is broken and should only be used when nothing else is available). If the wireless network does not broadcast its SSID you need to connect manually: use Set Up a Connection or Network, select Manually connect to a wireless network and specify the network name, security type, encryption type and security key.

manage preferred wireless networks


Managing preferred wireless networks is a feature that was introduced in Windows XP Service Pack 2 and existed until now! Well, it still exists in Windows 8, but you cannot really configure it; it is managed automatically by Windows 8 itself. Here is a statement:

To make sure we connect to the right network when multiple networks are available, Windows maintains an ordered list of your preferred networks based on your explicit connect and disconnect actions, as well as the network type. For example, if you manually disconnect from a network, Windows will no longer automatically connect to that network. If, while connected to one network, you decide to connect to a different network, Windows will move the new network higher in your preferred networks list. Windows automatically learns your preferences in order to manage this list for you.

Not related to this exam, but you can see the history of SSIDs you have connected to, one XML file per profile, in this folder per interface: C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{Interface ID}. The same profiles are listed by netsh wlan show profiles.

configure network adapters


Not much changed in Windows 8 from previous versions. Most configuration on a network adapter is done on its protocols, and the protocol that needs configuration is TCP/IP: how to acquire an IP address, subnet mask, default gateway, DNS/WINS servers, DNS suffix and so on. On the Sharing tab you can enable Internet Connection Sharing, which shares this connection with other computers/devices (mostly for home/SOHO use).

Pressing the Configure button gives you more options such as the driver, for Wi-Fi the transmit power and 802.11 mode, and Power Management, that is whether Windows may turn the adapter off to save battery.

configure location-aware printing

Location-aware printing is not a new feature; it existed already in Windows 7. It works by letting your default printer follow you, so at work you can have one default printer and another at home without switching manually. Just click an installed printer in Control Panel and select Manage default printers.

Make sure Change my default printer when I change networks is selected, then choose per network which printer should be the default.

Location-aware printing depends on the Network List Service and the Network Location Awareness service. If either of these services is stopped or malfunctioning, Windows cannot detect network changes and may not switch default printers as expected.

Configure and maintain network security


configure Windows Firewall
Windows Firewall has not changed a lot either; it now calls everything an App instead of a Program. If you do not see your app in the list you can add it by clicking Allow another app and browsing to the executable. You can also choose for which network profile(s) to allow it (Domain/Public/Private).

In Allowed apps you decide which program may accept connections, and under which network profile, simply by checking the boxes.

The default is to block incoming connections to any program that is not in the Allowed apps list, while outgoing connections are allowed by default.

configure Windows Firewall with Advanced Security


Windows Firewall has existed since Windows XP Service Pack 2; at that time it could only block inbound traffic, but since Windows Vista it can block outgoing traffic as well. In Windows Firewall with Advanced Security you create rules for inbound or outbound traffic based on Program, Protocol and Ports, and Scope.

Program: you can select one of the following:
All programs: a rule that applies to everything, which you then limit by protocol and ports instead.
This program path: for example c:\program files\jbkb\jbkb-test.exe.
Services: a drop-down list to decide whether the rule applies to all programs and services, only to services, or to a specific service (by service short name).

Protocol and Ports: most common are TCP and UDP, but you can also pick others such as ICMP (ping, for example) or GRE (used by some VPNs), or choose Custom and type in any protocol number. If you choose TCP or UDP you also specify local and remote port numbers. An example rule could be Local Port: All Ports, Remote Port: 25 with Block, to stop malware from sending spam directly to mail servers (legitimate mail clients should be using the submission port 587 anyway). You can also leave protocols/ports open and restrict on program instead.

Scope: two sections to fill in:
Which local IP addresses does this rule apply to? Default is Any IP address, but you can click These IP addresses and specify addresses or ranges.
Which remote IP addresses does this rule apply to? Default is Any IP address, but you can click These IP addresses and specify addresses or ranges.

Action: if the rule matches on all the above you decide what happens, one of these three:
1. Block the connection
2. Allow the connection
3. Allow the connection if it is secure: allowed only if the connection is protected with IPsec (explained in the section below).
Note that a block rule wins over an allow rule that matches the same traffic, so an "exception" has to be built by narrowing the block rule's program or scope rather than by adding an allow rule.
Profile: choose whether this rule applies to the Domain and/or Private and/or Public network profile.
Name: give the rule a name and an optional description.
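The wizard fields above map one-to-one onto New-NetFirewallRule parameters in the NetSecurity module that is new in Windows 8. The block below is an added example, not from the original post; the rule names and the program path are assumptions.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on Windows 8.
# Rule names and the program path are assumptions.
Import-Module NetSecurity

# The SMTP example from the text: Program = all, Protocol = TCP, Remote Port = 25,
# Action = Block, every profile. Outbound direction, since it targets what leaves the box.
New-NetFirewallRule -DisplayName 'JBKB Block direct SMTP' -Direction Outbound `
    -Protocol TCP -RemotePort 25 -Action Block -Profile Any

# A program rule like the "Allowed apps" list: inbound, one executable, Domain and Private only.
# Because block beats allow, this rule would NOT open port 25 for the program if it
# matched the rule above; restrict the block's scope instead if that is ever needed.
New-NetFirewallRule -DisplayName 'JBKB Test app' -Direction Inbound `
    -Program 'C:\Program Files\JBKB\jbkb-test.exe' -Action Allow -Profile Domain, Private

# Verify what was created. Port and address filters are separate objects, so join them.
Get-NetFirewallRule -DisplayName 'JBKB*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Dir      = $_.Direction
        Action   = $_.Action
        Profile  = $_.Profile
        Protocol = $port.Protocol
        RPort    = $port.RemotePort
        Remote   = ($addr.RemoteAddress -join ',')
        Program  = $app.Program
    }
} | Format-Table -AutoSize

# Clean up after testing
# Remove-NetFirewallRule -DisplayName 'JBKB*'
```

The Get-NetFirewall*Filter cmdlets are the quickest way to audit what a GUI-created rule really matches, since the rule object itself only carries name, direction, action and profile.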

configure connection security rules (IPSec)


Connection security rules are created within Windows Firewall with Advanced Security: right-click Connection Security Rules, choose New Rule and the wizard starts.

With a connection security rule you specify which networks/clients need IPsec protection, based on Endpoints, Requirements, Authentication Methods, Protocol and Ports, and Network Profile. Note that a connection security rule only authenticates (and optionally encrypts) traffic; it does not allow or block anything by itself, that is still the job of the firewall rules.

Endpoints: create a secure (IPsec) connection between the computers in Endpoint 1 and Endpoint 2. There are two settings:
1. Which computers are in Endpoint 1?
o Any IP address (default)
o These IP addresses
2. Which computers are in Endpoint 2?
o Any IP address (default)
o These IP addresses

Requirements: when do you want authentication to occur? Four choices:
1. Request authentication for inbound and outbound connections: notice that request means it will try, and if the peer cannot authenticate the connection still continues unprotected; require, in contrast, is enforced.
2. Require authentication for inbound connections and request authentication for outbound connections: inbound connections must (require) authenticate, outbound will if possible (request).
3. Require authentication for inbound and outbound connections: both directions must authenticate or the connection fails.
4. Do not authenticate: all connections work without authentication.

Authentication Methods: choose between four options:
Default: the authentication method specified in the IPsec settings of the firewall.
Computer and user (Kerberos V5): restrict connections to domain-joined computers and domain users.
Computer (Kerberos V5): restrict connections to domain-joined computers.
Advanced: here you can specify NTLMv2, certificate, preshared key and other authentication methods for first and second authentication (a preshared key is fine for a lab but should not be used in production; it is stored in clear text in the policy).

Protocol and Ports: most common are TCP and UDP, but you can also pick others such as ICMP (ping) or GRE (some VPNs), or choose Custom and type in any protocol number; with TCP or UDP you also specify local and remote ports.
Network Profile: choose whether this rule applies to the Domain and/or Private and/or Public network profile.
Name: give the rule a name and an optional description.

configure authenticated exceptions


If some machines cannot authenticate but still need to communicate you can add them to an authentication exemption list. This is still configured within Windows Firewall with Advanced Security: create a new connection security rule and choose Authentication exemption as the rule type.

Exempt computers: select which machine(s) should not be secured with IPsec; you can add an IP address, a subnet, an IP range or a predefined set of computers such as DNS servers, default gateway, DHCP servers and more.
Network Profile: choose whether this rule applies to the Domain and/or Private and/or Public network profile.
Name: give the rule a name and an optional description.

To read more: http://technet.microsoft.com/en-us/library/cc947812%28v=ws.10%29.aspx
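Both the connection security rule section and the authenticated exceptions section above can be scripted with the NetSecurity module; the block below is an added example, not from the original post. It assumes a domain-joined Windows 8 machine run elevated, the rule names are made up, and it represents the GUI's "Authentication exemption" rule type as a rule with both security requirements set to None (an assumption about how the cmdlets map the GUI option).

```powershell
# Added example, not from the original post. Run elevated on a domain-joined Windows 8 client.
# Rule and auth-set names are assumptions.
Import-Module NetSecurity

# Authentication method "Computer (Kerberos V5)" expressed as a phase 1 auth set
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'JBKB Computer Kerberos' -Proposal $proposal

# Requirements option 2: require inbound, request outbound. Endpoints: any to any. Domain profile only.
New-NetIPsecRule -DisplayName 'JBKB Require inbound, request outbound' `
    -LocalAddress Any -RemoteAddress Any `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name -Profile Domain

# Authentication exemption: DNS servers and the default gateway cannot speak IPsec,
# so without this rule the Require policy above would cut off name resolution and routing.
New-NetIPsecRule -DisplayName 'JBKB Exempt DNS and gateway' `
    -RemoteAddress DNS, DefaultGateway `
    -InboundSecurity None -OutboundSecurity None -Profile Domain

# Check the rules, and after some traffic the negotiated main mode security associations
Get-NetIPsecRule -DisplayName 'JBKB*' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod

# Clean up after testing
# Remove-NetIPsecRule -DisplayName 'JBKB*'
# Remove-NetIPsecPhase1AuthSet -DisplayName 'JBKB Computer Kerberos'
```

Test with request before require: a Request rule lets you confirm in Get-NetIPsecMainModeSA that the peers actually negotiate, while a typo in a Require rule silently isolates the machine.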

configure network discovery


Network Discovery has existed since Windows Vista. In Windows 8 it is on by default for Private and Domain networks and off for Public networks, and you can enable or disable it per network location (Domain/Private/Public). When on, this feature makes the machine visible on the network and lets it see other machines. To modify it go to Network and Sharing Center -> Change advanced sharing settings, where you set per network profile whether network discovery is turned on or off, plus the extra option Turn on automatic setup of network connected devices.

manage wireless security

There are some changes to wireless in general in Windows 8. Added support for these Wi-Fi authentication types:

WISPr (Wireless Internet Service Provider roaming): hotspot log-in without going through the captive-portal web page manually.
EAP-SIM/AKA/AKA' (SIM-based authentication): easier and quicker when connecting to operator Wi-Fi hotspots.
EAP-TTLS

WISPr is enabled by default in Windows 8, but you can disable it in Group Policy by disabling Enable Hotspot Authentication.

Configure remote management


This is a client OS exam. For me remote management would be to install the RSAT tools (http://www.microsoft.com/en-us/download/details.aspx?id=28972), but again that is for remotely managing server services and I don't think that is what this exam is after. I hesitate whether Remote Management would be WinRM, which is enabled by running WinRM QuickConfig, but now I am thinking it could be Remote Assistance/Remote Desktop it is after?

choose the appropriate remote management tools


If you want to remotely help a user and see the same as the user sees, Remote Assistance is the tool (msra.exe); the user invites you and has to approve the connection.

If you just need to work on the machine you can use Remote Desktop (mstsc.exe); a logged-in user gets disconnected (not logged out, as in Windows XP).

configure remote management settings

Several settings (independent of each other):

Run WinRM Quickconfig (or Enable-PSRemoting in PowerShell) to enable remote management over WinRM; it starts the service, creates an HTTP listener and adds the firewall exception.
Make sure the Remote Registry service is running (needed by several remote MMC snap-ins).
If Remote Assistance is needed, enable Allow Remote Assistance connections to this computer (in System properties or Group Policy).
If Remote Desktop sessions are needed, enable Remote Desktop (in System properties or Group Policy) and specify which users have the right (local administrators are added by default). Also decide whether connections must use Network Level Authentication (NLA), supported by Vista and later clients; require it where you can, since it authenticates the user before a session is created on the machine.

modify settings remotely by using MMCs or Windows PowerShell


To modify settings using an MMC, start Computer Management and go to Action -> Connect to another computer.

For some of these settings the Remote Registry service must be running on the remote machine, and of course you need permissions there. To modify settings with PowerShell you can either pass the remote machine to a cmdlet that accepts a -ComputerName parameter, or run an interactive PowerShell session with this command (JBKB-Client01 is the remote machine in this example):

Enter-PSSession -ComputerName JBKB-Client01
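An added example, not from the original post, of the whole WinRM path: enabling it on the client and then using it from an admin workstation with PowerShell 3.0 on Windows 8. JBKB-Client01 is the machine name used on the page; the TrustedHosts line only applies to workgroup machines, where Kerberos is not available.

```powershell
# Added example, not from the original post.

# --- on JBKB-Client01, elevated ---
# Enable-PSRemoting does what WinRM QuickConfig does: starts the service, creates an HTTP
# listener and adds the firewall rule. On a network with the Public profile it refuses to run;
# -SkipNetworkProfileCheck overrides that, and the public-profile firewall rule it creates is
# then limited to the local subnet.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# --- on the admin workstation ---
# Workgroup only (no Kerberos): the client must be listed before NTLM remoting is allowed.
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'JBKB-Client01'

# Is the WinRM listener answering at all?
Test-WSMan -ComputerName JBKB-Client01

# Run a command remotely; results come back as deserialized objects, not text.
Invoke-Command -ComputerName JBKB-Client01 -ScriptBlock {
    Get-Service -Name WinRM, RemoteRegistry | Select-Object Name, Status
}

# The same check without WinRM: -ComputerName here uses RPC to the Service Control Manager,
# which is the path the MMC snap-ins take as well.
Get-Service -ComputerName JBKB-Client01 -Name RemoteRegistry

# Interactive session; the prompt changes to [JBKB-Client01] PS C:\>
Enter-PSSession -ComputerName JBKB-Client01
Exit-PSSession
```

Invoke-Command is what you want for anything scripted; Enter-PSSession is the interactive equivalent of sitting at the machine's console, subject to the same local permissions.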

Certification: Exam 70-687: Configuring Windows 8 Part 4: Configure Access to Resources (14%)
Posted by John Bryntze Published in Certification, Microsoft, Windows 8 Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post here, part four is Configure Access to Resources that is 14% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687 In this part 4 we will look into these 4 objectives

Configure shared resources Configure file and folder access Configure local security settings Configure authentication and authorization

If you write the exam before 31st May 2013 be sure to register for a second shot (which means if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx )

Configure shared resources


configure shared folder permissions
The default share permission is Everyone: Read, but I recommend the old-school approach of giving Everyone Full Control at share level and setting the real permissions at NTFS level; it is easier to manage that way (the effective permission is the more restrictive of the two). You can configure shared folder permissions in explorer.exe in two ways:

Share: with this you cannot decide the share name, it gets the same name as the folder itself; you are set as owner and you can add users and give them Read or Read/Write permission.

Advanced Sharing: here you can decide the share name, set more granular permissions and decide caching options.
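The share-level/NTFS-level split described above, as an added example that is not part of the original post. The SmbShare module is new in Windows 8; the folder, share name and the JBKB\Sales group are assumptions.

```powershell
# Added example, not from the original post. Run elevated. Folder, share and group are assumptions.
$path = 'C:\JBKB-Sales'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share level: wide open. Effective access is the more restrictive of share and NTFS,
# so the real gate is the ACL below. Caching off means no offline copies on laptops.
New-SmbShare -Name 'Sales' -Path $path -FullAccess 'Everyone' -CachingMode None | Out-Null

# NTFS level: stop inheriting from C:\ (which gives Users read), then grant explicitly.
# (OI)(CI) = applies to files and subfolders; F = full control, M = modify (no ACL changes).
icacls $path /inheritance:r
icacls $path /grant 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' 'JBKB\Sales:(OI)(CI)M'

# Verify both layers
Get-SmbShareAccess -Name 'Sales' | Select-Object AccountName, AccessRight
(Get-Acl -Path $path).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

With this layout a user's access is managed entirely through group membership on the NTFS ACL; the share never needs to be touched again.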

configure HomeGroup settings


HomeGroup came with Windows 7 and is a third option besides Domain/Workgroup. HomeGroup is, as the name implies, most useful at home; its security boundary is a shared password (shared secret). Requirements for HomeGroup to work:

IPv6 must be enabled (it is by default).
The following services must be running on all machines in the HomeGroup:
o DNS Client
o Function Discovery Provider Host
o Function Discovery Resource Publication
o Peer Networking Grouping
o HomeGroup Provider
o HomeGroup Listener
o SSDP Discovery
o UPnP Device Host

A Windows 8 machine that is already a member of a domain cannot host a HomeGroup, but it can join one (and stay a domain member); it cannot share its own libraries but can access the others'. To join a HomeGroup, for example one hosted on a Windows 7 machine named EMMA-LAPTOP, do the following:

1. In Control Panel click HomeGroup. If a HomeGroup exists (and the machine hosting it is running) you will see it, even if IPv6 is not enabled. To join it click Join now.
2. A wizard starts explaining what you will be able to do (if you are joined to a domain you cannot share your own files, only access others'). Click Next to continue.
3. You need to know the shared secret. Machines already in the HomeGroup can show it by clicking View or print the homegroup password in Control Panel -> HomeGroup (the option is only visible once you are a member). When you know the homegroup password, as it is called, type it in and press Next to continue.
4. If you entered the correct homegroup password you get confirmation that you have joined the HomeGroup (if wrong, go back and retype it). If IPv6 is not enabled you get a warning and must enable it before you can continue.

When your machine is a member of a HomeGroup the Control Panel item looks different; now you can do the following:

View or print the homegroup password: if another machine needs to join this HomeGroup you can click here to see the password in clear text and share it.

Change the password: if you change the HomeGroup password you must also change it on all other members of the HomeGroup.

Leave the homegroup: you have to confirm it and get a chance to cancel.

Change advanced sharing settings: there is a HomeGroup section here; by default Windows manages the connections with the homegroup password, but you can make it more Workgroup-like and use Windows user accounts instead, which requires that all members of the HomeGroup have the same username and password.

Start the HomeGroup troubleshooter: a wizard that suggests actions and tools to fix issues (it also checks IPv6 and the services mentioned above).

So in the example with the Windows 7 HomeGroup we joined, we can now see in explorer.exe the libraries chosen to be shared in this HomeGroup (Documents is not shared by default, but it is just a checkbox away).

configure file libraries


File libraries were new in Windows 7. The idea behind them: a lot of people like to create folders like c:\my-important-data outside c:\users, which then fall outside indexing and the like. Libraries overcome this by linking such folders into a library, so indexing rooted at c:\users still covers content outside it.

All libraries are saved by default in %appdata%\Microsoft\Windows\Libraries (one .library-ms file each). If you for example wanted to give everyone in sales a specific library called JBKBSales pointing at the folder C:\JBKB-Sales, you would do the following:
1. Create a new library.
2. Copy its definition file from %appdata%\Microsoft\Windows\Libraries to C:\JBKB-Sales.
3. Enable the Group Policy setting Location where all default Library definition files for users/machines reside and set the default libraries definition location to C:\JBKB-Sales.
4. Now everyone who logs into this machine and gets the GPO will have the library created in step 1.

Windows 8 gives you these default libraries:

Documents Pictures Music Videos Podcasts

You can right-click each of them, choose Properties and add more folders than the default ones (you cannot change the icon of the default libraries, but for your own library you can). You can set one Set save location and one Set public save location, possibly both on the same folder (by default Public is on the Public folder).

configure shared printers


On a printer's Properties go to the Sharing tab and you can share the printer with other machines. This of course requires the sharing machine to be online for the others to use it. There is also a checkbox to decide whether print jobs should be rendered on the client computers. By default, if you install a printer on Windows 8 only Windows 8 drivers are installed; if the clients run another OS such as Windows XP you can add those drivers by clicking Additional Drivers.

set up and configure SkyDrive


Setting up SkyDrive is pretty straightforward: start it.

Once it has finished preparing it asks you to log in; if you have no Microsoft account, create one.

A new folder is created in the profile, %userprofile%\SkyDrive, with subfolders that sync to the SkyDrive cloud. To configure SkyDrive use the SkyDrive system tray icon and choose Settings.

Here you can configure settings such as auto-starting SkyDrive, making this machine's files available to other devices with the same SkyDrive account, and letting Office sync files to SkyDrive so that others can work on the file at the same time. If you want to remove the SkyDrive connection click the Unlink SkyDrive button.

SkyDrive gives 7 GB for free.

configure Near Field Communication (NFC)

Very interesting feature; unfortunately I found nothing to configure in Windows 8 concerning this, it could be because my test devices don't support it. What is known is that Windows 8 has APIs built in that support NFC, which is an RFID technique to communicate with other devices supporting NFC. The difference between NFC and, for example, Bluetooth is that Bluetooth devices need electricity/battery/power, whereas an NFC device could be a piece of paper (with an RFID-like chip in it). Notice: nothing useful in this section, will update when finding anything; for now just know that Windows 8 has NFC APIs and supports it.

Configure file and folder access


encrypt files and folders by using EFS
Know that EFS is only included in the Windows 8 Pro and Windows 8 Enterprise editions. Know that BitLocker encrypts a whole disk, while EFS can be used to encrypt separate files or folders. EFS has existed since Windows 2000. To encrypt a folder and/or files:

1. Right-click and choose Properties.

2. Click the Advanced button.

3. Check the box Encrypt contents to secure data and then press the OK button.

4. Press the Apply button.

5. Decide if you want to encrypt only this folder or all sub folders and files within this folder, and then press the OK button.

EFS is only supported on the NTFS file system; when a file is copied it is decrypted during the transfer and encrypted again on the destination (if that is NTFS). All users on the Windows 8 machine will see the folder, but nobody except the user who encrypted it can open the files and read their content. You can back up the certificate that encrypts your files, so that if your user account is lost or similar you can still decrypt them, by running the Manage File Encryption Certificates wizard.
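The same EFS steps from the command line, as an added example that is not part of the original post: cipher.exe is the built-in EFS tool, the Encrypted file attribute is how you verify the result, and cipher /x is the command-line counterpart of the certificate backup wizard. The folder path C:\JBKB-Private is a constructed example.

```powershell
# Added example, not part of the original post. Encrypt a folder with EFS from the
# command line, verify the attribute, see who can decrypt, and back up the EFS certificate.
# C:\JBKB-Private is a constructed path; run this as the user who should own the files.
$folder = 'C:\JBKB-Private'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path "$folder\secret.txt" -Value 'only the encrypting user can read this'

# 1. Encrypt the folder and everything below it (/e = encrypt, /s:<dir> = include subfolders).
#    New files created in the folder afterwards are encrypted automatically.
cipher /e "/s:$folder"

# 2. Verify: an EFS-protected file carries the Encrypted attribute (the flag Explorer shows in green).
function Test-EfsEncrypted([string]$Path) {
    $attr = (Get-Item -Path $Path -Force).Attributes
    ($attr -band [System.IO.FileAttributes]::Encrypted) -ne 0
}
Test-EfsEncrypted "$folder\secret.txt"     # True once step 1 has run

# 3. Who can decrypt it: lists the user certificate(s) and any recovery agent on the file.
cipher /c "$folder\secret.txt"

# 4. Back up the EFS certificate and private key to a password-protected .pfx; this is the
#    command-line equivalent of the Manage File Encryption Certificates wizard.
#    Keep the .pfx somewhere other than the encrypted machine, or losing the profile loses the files.
cipher /x "$env:USERPROFILE\Documents\efs-backup"    # prompts for a password, writes efs-backup.pfx
```

Step 3 is the quickest way to see the practical limit of EFS: only the listed certificates (the owner's and any data recovery agent) can open the file, which is exactly why the backup in step 4 matters.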

configure NTFS permissions


Notice: No changes in Windows 8; if you know NTFS don't lose time reading the below. The difference from Share permissions is that NTFS permissions always apply (Share permissions only apply when you access the folder/file over the network, not locally). By default NTFS permissions set on a parent folder are inherited by child folders and files; you can block inheritance on a child folder and then choose whether to copy the parent's permissions or start from a clean ACL.

Nothing has changed from before: a Deny permission always wins over Allow, and it is often a basic design error if you think you need to set Deny access. Permissions (most common):

Full Control: includes everything, even taking ownership of files.

Modify: includes the permissions Write, Read and Read & execute.

Write: take care, if you can only write but not read/list you cannot see what you save.

Read: if you have only Read and no Write permission you can open files but not modify them.

If a user John belongs to the group Marketing and on a file the NTFS ACL specifies that John has Read and the Marketing group has Modify, John's effective permission is Modify: Allow permissions accumulate. If a user Emma belongs to the group Sales and on a file the NTFS ACL specifies that Emma has Read and Write and the Sales group is denied Write, Emma's effective permission is Read (the Deny wins).
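The two cases above worked through in code, as an added example that is not part of the original post. It is a small model of the NTFS evaluation rule (Allow ACEs for the user and all of the user's groups accumulate, then any matching Deny ACE strips rights) using the real FileSystemRights flags, so the bit arithmetic matches what Windows reports in the Effective Access tab. The users, groups and ACEs are the constructed ones from the text.

```powershell
# Added example, not part of the original post: how NTFS combines ACEs for one user.
# Allow entries for the user and every group the user is in are OR-ed together,
# then Deny entries are removed last, which is why Deny always wins.
$FSR = [System.Security.AccessControl.FileSystemRights]

function Get-EffectiveRights {
    param(
        [Parameter(Mandatory)] [string]      $User,
        [Parameter(Mandatory)] [string[]]    $Groups,   # groups the user is a member of
        [Parameter(Mandatory)] [hashtable[]] $Aces      # @{ Identity; Rights; Type = 'Allow' or 'Deny' }
    )
    $principals = @($User) + $Groups
    [int]$allowed = 0
    [int]$denied  = 0
    foreach ($ace in $Aces) {
        if ($principals -notcontains $ace.Identity) { continue }   # ACE is for somebody else
        if ($ace.Type -eq 'Allow') { $allowed = $allowed -bor [int]$ace.Rights }
        else                       { $denied  = $denied  -bor [int]$ace.Rights }
    }
    # Deny is applied after accumulation, so it strips rights granted by any number of Allow ACEs.
    [System.Security.AccessControl.FileSystemRights]($allowed -band (-bnot $denied))
}

# John: Read himself, Modify through Marketing -> Modify (Read is a subset of Modify, so they accumulate).
$johnAces = @(
    @{ Identity = 'John';      Rights = $FSR::Read;   Type = 'Allow' },
    @{ Identity = 'Marketing'; Rights = $FSR::Modify; Type = 'Allow' }
)
Get-EffectiveRights -User 'John' -Groups 'Marketing' -Aces $johnAces     # Modify

# Emma: Read and Write herself, but Sales is denied Write -> Read (the Deny removes Write).
$emmaAces = @(
    @{ Identity = 'Emma';  Rights = ($FSR::Read -bor $FSR::Write); Type = 'Allow' },
    @{ Identity = 'Sales'; Rights = $FSR::Write;                   Type = 'Deny'  }
)
Get-EffectiveRights -User 'Emma' -Groups 'Sales' -Aces $emmaAces         # Read
```

On a real folder the same input comes from `(Get-Acl C:\Path).Access`, whose entries already carry IdentityReference, FileSystemRights and AccessControlType; the function above only differs in that it takes the group membership as an explicit list instead of asking the token.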

configure disk quotas


Disk quotas are set at disk level (not per folder/file): open the disk's Properties and go to the Quota tab.

By default it is disabled; you enable it by checking Enable quota management and then specify options such as whether reaching the quota should only be a warning/log entry or have an actual consequence, by checking Deny disk space to users exceeding quota limit. Set one limit and one warning level; of course the warning level must be lower than the limit. Funny to see that a client OS offers EB (exabyte) as a unit; Windows 8 seems to be an OS built for the future. Disk quotas are limited in that they are only set per disk with one level for all users; running Windows Server 2012 you can set different limits per user.

configure object access auditing


First make sure Audit object access is enabled for either success or failure or both, by going to: Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

Once that is enabled nothing will be logged until you specify which objects (files/folders) should be audited; if you audit everything it becomes too much to read and not useful. Right-click the folder you want to audit and choose Properties -> select the Security tab -> click the Advanced button -> click the Auditing tab -> press the Add button. Fill in who should be audited, and for which actions (All/Success/Fail).

Audit entries are written to the Event Viewer Security log.
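The three steps (policy, per-folder audit entry, reading the Security log) done from PowerShell, as an added example that is not part of the original post. It uses auditpol.exe for the policy, a FileSystemAuditRule for the SACL, and Get-WinEvent for the resulting 4663 events; the folder path C:\JBKB-Audited is a constructed example and the script must run elevated, since writing a SACL needs the Manage auditing and security log right.

```powershell
# Added example, not part of the original post: enable auditing on one folder and read the result.
# Run from an elevated PowerShell. C:\JBKB-Audited is a constructed folder path.
$folder = 'C:\JBKB-Audited'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# 1. Policy: without object access auditing switched on, a SACL logs nothing at all.
#    This is the per-subcategory form of "Audit object access" (File System only).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL: audit Everyone for write and delete attempts, success and failure, inherited by children.
#    Keep the audited rights narrow; auditing every read on a busy folder floods the Security log.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Generate an audited access and read the result: event 4663, "An attempt was made to access an object".
#    Properties[1] is the account, [6] the object name, [8] the access list of the event.
Set-Content -Path "$folder\test.txt" -Value 'audit me'
function Get-RecentObjectAccess([int]$Count = 5) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $Count |
        Select-Object TimeCreated,
                      @{ n = 'User';   e = { $_.Properties[1].Value } },
                      @{ n = 'Object'; e = { $_.Properties[6].Value } },
                      @{ n = 'Access'; e = { ($_.Properties[8].Value -replace '\s+', ' ').Trim() } }
}
Get-RecentObjectAccess
```

If step 3 shows nothing, check step 1 first: a SACL with the audit policy off is the most common reason an "audited" folder never produces an event.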

Configure local security settings


configure local security policy
Configuring local security policies is done at Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies. A few new and updated local policies exist in Windows 8.

Accounts: Block Microsoft accounts. Default undefined, but it can be set to one of the following:

This policy is disabled
Users can't add Microsoft accounts
Users can't add or log on with Microsoft accounts

Interactive logon: Do not require CTRL + ALT + DEL. Not a totally new policy, but for Windows 8 only it is recommended to set it to Enabled; for Windows 7 and earlier it is recommended to disable it.

configure User Account Control (UAC) behavior


To configure UAC behavior is also done with local security policies

Here are the 10 different settings; the important ones for the exam are pointed out:

1. User Account Control: Admin Approval Mode for the built-in Administrator account. This is disabled by default, which means that the built-in Administrator account bypasses UAC; if enabled it is treated like all other administrator accounts.

2. User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This is disabled by default; if enabled it means that applications such as Remote Assistance can run without being blocked by the Secure Desktop.

3. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. This is set to Prompt for consent for non-Windows binaries by default.

4. User Account Control: Behavior of the elevation prompt for standard users. This is set to Prompt for credentials on the secure desktop by default (more about this setting further below in this KB).

5. User Account Control: Detect application installations and prompt for elevation. This is enabled by default on the Windows 8 edition and disabled by default on the Pro and Enterprise editions, because in an enterprise you might deploy applications with SMS/SCCM/GPO and want those to install silently.

6. User Account Control: Only elevate executables that are signed and validated. This is disabled by default; even if it is good for security it is not practical, since not all executables are signed.

7. User Account Control: Only elevate UIAccess applications that are installed in secure locations. This is enabled by default: only UIAccess applications installed into %SystemDrive%\Program Files (including subfolders), %SystemDrive%\Program Files (x86) (including sub-folders, for 64-bit editions) and %SystemDrive%\windows\system32 are elevated.

8. User Account Control: Run all administrators in Admin Approval Mode. This is enabled by default, and if it is disabled the whole of UAC is disabled! Know this for the exam, as they will try to trick you on this one.

9. User Account Control: Switch to the secure desktop when prompting for elevation. This is enabled by default; all elevation requests go to the Secure Desktop, which dims the screen until you answer.

10. User Account Control: Virtualize file and registry write failures to per-user locations. This is enabled by default; if a non-elevated program tries to write to the HKLM registry or, for example, c:\program files, c:\windows\system32 etc. and fails, this setting makes it write to the user profile instead so the program works. A good example is http://triplea.sourceforge.net/ a game that wants saved games stored in a sub folder of the game installation, which by default is in c:\program files, and instead gets them saved under %UserProfile%\AppData\Local\VirtualStore
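The ten settings above are stored as values under one registry key, which makes them easy to check on a machine without opening the policy editor. The script below is an added example, not part of the original post: it reads the values the Local Security Policy editor writes, decodes them, and flags setting 8 (the EnableLUA value) because that single value being 0 turns the whole of UAC off regardless of the other nine. The value names are the documented UAC registry names; the decoding tables cover only values I am certain of, everything else is reported raw.

```powershell
# Added example, not part of the original post: read the ten UAC policies from the registry,
# decode them, and flag EnableLUA = 0 (setting 8 above), which switches the whole of UAC off.
# Reading these values needs no elevation.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry value name -> the numbered setting it stores
$uacMap = [ordered]@{
    FilterAdministratorToken    = '1. Admin Approval Mode for the built-in Administrator account'
    EnableUIADesktopToggle      = '2. Allow UIAccess applications to prompt for elevation without using the secure desktop'
    ConsentPromptBehaviorAdmin  = '3. Behavior of the elevation prompt for administrators in Admin Approval Mode'
    ConsentPromptBehaviorUser   = '4. Behavior of the elevation prompt for standard users'
    EnableInstallerDetection    = '5. Detect application installations and prompt for elevation'
    ValidateAdminCodeSignatures = '6. Only elevate executables that are signed and validated'
    EnableSecureUIAPaths        = '7. Only elevate UIAccess applications that are installed in secure locations'
    EnableLUA                   = '8. Run all administrators in Admin Approval Mode'
    PromptOnSecureDesktop       = '9. Switch to the secure desktop when prompting for elevation'
    EnableVirtualization        = '10. Virtualize file and registry write failures to per-user locations'
}
# Settings 3 and 4 are not on/off but an enumeration
$adminPrompt = @{ 0 = 'Elevate without prompting'; 1 = 'Prompt for credentials on the secure desktop'
                  2 = 'Prompt for consent on the secure desktop'; 3 = 'Prompt for credentials'
                  4 = 'Prompt for consent'; 5 = 'Prompt for consent for non-Windows binaries' }
$userPrompt  = @{ 0 = 'Automatically deny elevation requests'
                  1 = 'Prompt for credentials on the secure desktop'; 3 = 'Prompt for credentials' }

function Get-UacSettings {
    $values = Get-ItemProperty -Path $uacKey
    foreach ($name in $uacMap.Keys) {
        $raw = $values.$name
        if     ($null -eq $raw)                         { $meaning = 'Not set (built-in default applies)' }
        elseif ($name -eq 'ConsentPromptBehaviorAdmin') { $meaning = $adminPrompt[[int]$raw] }
        elseif ($name -eq 'ConsentPromptBehaviorUser')  { $meaning = $userPrompt[[int]$raw] }
        elseif ($raw -eq 1)                             { $meaning = 'Enabled' }
        else                                            { $meaning = 'Disabled' }
        [pscustomobject]@{ Setting = $uacMap[$name]; Value = $raw; Meaning = $meaning }
    }
}

$uac = Get-UacSettings
$uac | Format-Table -AutoSize -Wrap
if (($uac | Where-Object { $_.Setting -like '8.*' }).Value -eq 0) {
    Write-Warning 'EnableLUA is 0: UAC is completely off, whatever the other nine settings say.'
}
```

Changing any of these values through the registry takes effect only after a reboot, so for a one-off change the policy editor (or secedit) remains the right tool; this script is for auditing what is actually in force.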

configure Secure Boot


Secure Boot is new in Windows 8 and requires that you don't use a traditional BIOS but UEFI. Know that UEFI Secure Boot cannot be disabled in the Windows 8 RT edition. Know for the exam that if Windows 8 has been installed with a traditional BIOS there is no way to convert it over to UEFI and Secure Boot; you must reinstall Windows 8. A UEFI OS install is done differently from a normal OS install: in BIOS Setup set Boot -> CSM to disabled, then reboot and press F7 for the BIOS Boot Selector Menu, and in this menu choose Built in EFI Shell. At the shell navigate to EFI\Boot and press Enter, then type BOOTX64.EFI and press Enter; the boot will then look like normal and show Press any key to boot from the CD. To enable Secure Boot: reboot and press F2 to enter BIOS setup, navigate to Security -> Secure Boot, set Secure Boot Mode to Custom, select Custom Key Management, select Install Factory Defaults to load the keys, set Secure Boot Mode back to Standard, exit and reboot to the OS.
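To tell from inside Windows which of the two cases above a machine is in (UEFI with Secure Boot, or a legacy BIOS install that would need a reinstall), here is an added example that is not part of the original post. It relies on the Confirm-SecureBootUEFI cmdlet that ships with Windows 8, which needs elevation and errors out on non-UEFI firmware, and on the SecureBoot\State registry key as a non-elevated cross-check.

```powershell
# Added example, not part of the original post: report firmware type and Secure Boot state.
# Confirm-SecureBootUEFI needs an elevated prompt and throws on a legacy BIOS machine,
# which is exactly the "installed with a traditional BIOS" case described above.
function Get-SecureBootState {
    try {
        $on = Confirm-SecureBootUEFI          # $true or $false on UEFI firmware
        [pscustomobject]@{ Firmware = 'UEFI'; SecureBoot = $on }
    } catch {
        [pscustomobject]@{ Firmware = 'Legacy BIOS or unsupported (reinstall needed for Secure Boot)'; SecureBoot = $false }
    }
}
Get-SecureBootState

# The same fact without elevation: UEFISecureBootEnabled = 1 means Secure Boot is on.
# The key is absent on a legacy BIOS install, so the expression simply returns nothing there.
(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State' `
                  -ErrorAction SilentlyContinue).UEFISecureBootEnabled
```

For a fleet check the registry form is the one to script, since it works from a standard user session; the cmdlet is the authoritative answer when you can run elevated.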

configure SmartScreen filter


SmartScreen filter is enabled by default but you can configure it either manually or by GPO, and per Internet Explorer security zone; you can for example disable SmartScreen Filtering in the Trusted and Intranet zones and keep it enabled in the Internet zone. You can manually configure one of the following (or use the policy Configure Windows SmartScreen):

Get administrator approval before running an unrecognized app from the Internet (recommended): this is the default

Warn before running an unrecognized app, but don't require administrator approval

Don't do anything (turn off Windows SmartScreen)
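The three choices above map to one registry string, and the GPO writes a separate policy value that overrides it. As an added example, not part of the original post, the function below reads both and reports the effective setting; the value names (SmartScreenEnabled under Explorer, EnableSmartScreen under the Policies hive) are the Windows 8 ones, and the policy value meanings are an assumption stated in the code where they are decoded.

```powershell
# Added example, not part of the original post: read the effective Windows SmartScreen setting.
# The manual choice from Action Center is stored as a string under Explorer; the GPO
# "Configure Windows SmartScreen" writes a DWORD under the Policies hive and, when present, wins.
function Get-SmartScreenState {
    $manual = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
                                -ErrorAction SilentlyContinue).SmartScreenEnabled
    $policy = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' `
                                -ErrorAction SilentlyContinue).EnableSmartScreen

    $manualText = @{
        'RequireAdmin' = 'Get administrator approval before running an unrecognized app (recommended)'
        'Prompt'       = 'Warn before running an unrecognized app, no administrator approval'
        'Off'          = 'Turn off Windows SmartScreen'
    }[[string]$manual]
    if (-not $manualText) { $manualText = 'Not set (RequireAdmin is the installation default)' }

    # Policy DWORD: 0 = off, 1 = warn, 2 = require administrator approval (assumed Windows 8 mapping)
    if     ($null -eq $policy) { $policyText = 'Not configured' }
    elseif ($policy -eq 0)     { $policyText = 'Turn off SmartScreen' }
    elseif ($policy -eq 1)     { $policyText = 'Warn, no administrator approval required' }
    elseif ($policy -eq 2)     { $policyText = 'Require administrator approval' }
    else                       { $policyText = "Unknown value $policy" }

    $effective = if ($null -ne $policy) { "$policyText (forced by policy)" } else { $manualText }
    [pscustomobject]@{ ManualSetting = $manualText; PolicySetting = $policyText; Effective = $effective }
}
Get-SmartScreenState | Format-List
```

The Effective field is what matters when troubleshooting a user who "turned SmartScreen off" but still gets prompts: a configured policy value silently wins over the Action Center choice.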

Configure authentication and authorization

configure rights
User rights are configured at Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment

Here you can configure who has the right to change the system time (all users in Windows 8 have the right to change the time zone but not the system time), take ownership of files and folders, log on locally, and a lot of other rights.

manage credentials
Credential Manager has existed in different forms since Windows XP, but in Windows 8 it has been updated a little. You find it at Control Panel -> Credential Manager. It is divided into 2 parts:

Web Credentials: for websites that use credentials but are not prompted for by the system

Windows Credentials: has 3 sub sections: Windows Credentials, Certificate-Based Credentials and Generic Credentials

What's new is that you can back up (and restore) Windows Credentials; if you back up, you have to browse to a save location and the file is saved with the .crd extension. Exam Tip: Be careful if a question asks about backup/restore of credentials; know that only Windows Credentials can be backed up, not Web Credentials.

manage certificates
Certificates are managed with certmgr.msc

If you add the Certificates snap-in from MMC you get to choose which store to manage:

My user account: same as above, manage user certificates
Service account: gives a UAC prompt, manage service certificates
Computer account: gives a UAC prompt, manage computer certificates

configure smart cards


Windows 8 continues to support smart cards; most laptops have smart card readers built in, but desktop computers need an external smart card reader. New in Windows 8 is that you can have a virtual smart card, which doesn't require a physical device but does require that your machine has a BIOS with TPM support. An example of a command to create a virtual smart card is:

TpmVscMgr create /name MyVSC /pin default /adminkey random /generate


There are 2 Windows services related to smart cards

Smart Card: set to start-up type Automatic (trigger start) and needed for smart cards to work; if disabled, no usage of smart cards is possible.

Smart Card Removal Policy: set to start-up type Manual and used so that if someone removes the smart card the user session is locked, practical for security if users use the same smart card to leave the building for lunch.

configure biometrics

Biometrics in Windows 8 are built on the Windows Biometric Framework and rely on the Windows Biometric Service, which is set to start manually by default.

This can be used instead of touch scrolling (where your finger hides what you click on) or a mouse, for example with a device you control with your eyes (this requires 3rd party software that uses the Biometric Framework). By default you are allowed to log on with biometrics, for example with your thumb, but if you don't want this possibility you can disable it with the GPO named Allow the use of biometrics.

configure picture password

New in Windows 8 is that you can log on with gestures; it works best with a touch screen of course, but you can also do this with the mouse. If a domain user uses this, the domain password is cached in the system vault. Type Create or change picture password, start it and you come to PC settings -> Users; there click the button Create a picture password.

Here you need to browse for an image on which you will draw the gesture (twice), and then you can use that to log on to the machine instead of the password (you can still use the password if you fail with the gesture).

There is also a policy named Turn off picture password sign-in that can be enabled if this isn't needed.

configure PIN
Signing in with a PIN code (4-digit code) is not possible for a domain user; it is not even visible in PC Settings -> Users (if the machine is not domain joined you see it). To enable it even for domain-joined computers/users you can enable the policy Turn on PIN sign-in and it becomes visible.

When you create a PIN code for a domain user you must first enter your password, then enter a 4-digit PIN code twice.

This is obviously a good sign-in method for touch screens, and after entering the last digit you don't have to press Enter or anything; it signs in automatically.

set up and configure Windows Live ID (Microsoft account)

Notice: Windows Live ID has been replaced by Microsoft Account; if you see a question on the exam mentioning Windows Live ID, read it as Microsoft Account. To set up a Microsoft account you can go to PC Settings -> Users and click on + Add a user

Now a wizard starts. If you already have an e-mail address that can sign in to Microsoft services, you can use it (a common mistake is to think it can only be a Hotmail/MSN/Live account; even Gmail and any other address can be used if enabled for Microsoft services). If no e-mail address exists you can create one in this wizard by going to Sign up for a new email address, or create one on this or another machine. It is with this account that you buy apps from the Windows Store and sync your settings to the cloud so they follow you regardless of which machine you log on to. When you have an e-mail address, type it in and press Next.

It will connect to the Internet, configure and then finish. You get one configuration option: if it is a child's account, or another account you want to use Family Safety on, check this box. Then click Finish.

To modify a Microsoft Account you can go to Manage User Accounts, select the Microsoft account and press the Properties button. On the General tab you fill in user name, full name and description. On the Group Membership tab you can modify the permission level: Standard user, Administrator or Other (can be backup operator, log viewer etc., rarely used for Microsoft accounts).

Certification: Exam 70-687: Configuring Windows 8 Part 5: Configure Remote Access and Mobility (14%)
Posted by John Bryntze Published in Certification, Microsoft, Windows 8 Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post here, part five is Configure Remote Access and Mobility that is 14% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687 In this part 5 we will look into these 3 objectives

Configure remote connections
Configure mobility options
Configure security for mobile devices

If you write the exam before 31st May 2013 be sure to register for a second shot (which means if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx )

Configure remote connections


configure remote authentication
For other computers connecting to the Remote Desktop service in Windows 8 you can configure it to require Network Level Authentication, which is more secure: it completes user authentication before the remote desktop connection is established and the logon screen appears (this helps against DoS attacks). The only downside is that not all non-Windows clients (or older Windows such as Windows XP SP2) support NLA and therefore cannot connect. To enable Network Level Authentication you just have to check the box Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended), or enable the GPO Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> Require user authentication for remote connections by using Network Level Authentication
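The same NLA setting applied and verified from PowerShell, as an added example that is not part of the original post. It uses the Win32_TSGeneralSetting WMI class (the API behind the check box) and the UserAuthentication registry value as a cross-check, and at the end shows the client-side counterpart in a saved .rdp file; the .rdp path is a constructed example and the script must run elevated.

```powershell
# Added example, not part of the original post: require Network Level Authentication for
# inbound Remote Desktop on this Windows 8 machine and verify it two ways. Run elevated.
$tsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsRoot\WinStations\RDP-Tcp"

# 1. Allow remote connections at all (fDenyTSConnections = 0 is "Allow remote connections to this computer").
Set-ItemProperty -Path $tsRoot -Name fDenyTSConnections -Value 0

# 2. Require NLA: the same as ticking "Allow connections only from computers running Remote Desktop
#    with Network Level Authentication (recommended)". The WMI method goes through the proper API.
$listener = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'"
$listener.SetUserAuthenticationRequired(1) | Out-Null

# 3. Verify: the registry value and the WMI property must both report NLA as required.
function Test-NlaRequired {
    $reg = (Get-ItemProperty -Path $rdpTcp).UserAuthentication
    $wmi = (Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
                          -Filter "TerminalName='RDP-Tcp'").UserAuthenticationRequired
    [pscustomobject]@{ RegistryValue = $reg; WmiValue = $wmi; NlaRequired = ($reg -eq 1 -and $wmi -eq 1) }
}
Test-NlaRequired

# 4. Client side of the same idea: an .rdp file is plain text, and "authentication level:i:1" makes
#    mstsc refuse to connect when server authentication fails (2, the default, only warns).
$rdpFile = "$env:USERPROFILE\Documents\JBKB-Server.rdp"     # constructed path to a saved connection
if (Test-Path $rdpFile) {
    (Get-Content $rdpFile) -replace '^authentication level:i:\d$', 'authentication level:i:1' |
        Set-Content $rdpFile
}
```

Step 2 is the one to include in any build script: with NLA required, an unauthenticated client never reaches the logon screen, which is the protection against the DoS-style connection floods mentioned above.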

configure Remote Desktop settings


There are settings for those who connect to the Windows 8 machine, and settings for when you use Windows 8 to connect to Remote Desktop Services. If Remote Desktop is set to Allow remote connections to this computer, local administrators will always be able to remote into this machine with RDP (if it is reachable over the network/Internet and the firewall port is open), but you can also specify regular users in the Remote Desktop Users group (it is also a user right). Remote Desktop Connection (MSTSC) can be configured per connection or saved to an RDP file (a clear-text file you can modify afterwards in Notepad if you want).

General: enter the remote host, specify user name and password (or wait until after connecting); you can also save the settings to an RDP file or open an existing one.

Display: screen size/resolution, set to full screen by default; you can also set the color depth.

Local Resources: how much of your local resources you want to bring into the session; you can add printers, clipboard, smart cards and drives, and configure audio and keyboard settings.

Programs: any path to a script or program will be executed once logged on.

Experience: if your connection is fast you can set a better experience (fast rendering, see wallpaper background, font smoothing and so on); for a slower connection a worse experience gives a performance win.

Advanced: Remote Desktop Gateway settings and how to behave if server authentication fails (default set to warn).

establish VPN connections and authentication

Notice: So much still works as in Windows 7 that most of the text below is directly taken from: http://www.mcmcse.com/microsoft/guides/70680/remote_connections.shtml which I recommend everyone to read. Windows 8 supports 4 types of VPN:

Point-to-Point Tunneling Protocol (PPTP): Based on PPP, the Point-to-Point Tunneling Protocol (PPTP) provides for the secure transfer of data from a remote client to a private server by creating a multi-protocol Virtual Private Network (VPN) which encapsulates PPP packets into IP datagrams. PPTP is considered to have weak encryption and authentication; therefore, IPsec is typically preferred.

Layer 2 Tunneling Protocol (L2TP) / IP security (IPsec): L2TP is the next-generation tunneling protocol, partially based on PPTP. To provide encryption, L2TP acts as a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet). It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec. IPsec ensures confidentiality, integrity, and authenticity of data communications across a public network. IPsec is made of two different protocols: AH and ESP. AH (Authentication Header) is responsible for authenticity and integrity, while ESP (Encapsulating Security Payload) encrypts the payload.

Secure Socket Tunneling Protocol (SSTP): Introduced in Windows Vista. A tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.

Internet Key Exchange (IKEv2): Introduced in Windows 7. IKEv2 is a tunneling protocol that uses the IPsec Tunnel Mode protocol over UDP port 500. An IKEv2 VPN is useful when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection. The use of IKEv2 and IPsec provides strong authentication and encryption methods.

Authentication protocols:

PAP: This protocol uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation. PAP is the least secure authentication protocol. It does not protect against replay attacks, remote client impersonation, or remote server impersonation. PAP is not enabled by default for Windows 8 and is not supported by remote access servers running Windows Server 2008.

CHAP: CHAP uses a 3-way handshake in which the authentication agent sends the client program a key to be used to encrypt the user name and password. CHAP uses the Message Digest 5 (MD5) hashing scheme to encrypt the response. CHAP is an improvement over PAP, in that the password is not sent over the PPP link. CHAP requires a plaintext version of the password to validate the challenge response. CHAP does not protect against remote server impersonation. Although remote access servers running Windows Server 2008 do not support this protocol, it is enabled by default for Windows 8 VPN connections for legacy VPN connections.

MS-CHAP v2: Supports two-way mutual authentication. The remote access client receives verification that the remote access server that it is dialing in to has access to the user's password. MS-CHAP v2 provides stronger security than CHAP.

EAP-MS-CHAPv2: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types. EAP offers the strongest security by providing the most flexibility in authentication variations. This protocol requires the installation of a computer certificate on the VPN server.
Just like the VPN protocols, by default, Windows first tries to use the most secure authentication protocol that is enabled, and then falls back to less secure protocols if the more secure ones are unavailable.
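Because of that fall-back behaviour, the defensive choice is to pin both the tunnel and the authentication protocol when a connection is created, so that PAP and CHAP are never on offer. The script below is an added example, not part of the original post or of the guide it quotes: it uses the VpnClient cmdlets that ship with Windows 8 (Add-VpnConnection, Get-VpnConnection). The connection name and server address are constructed.

```powershell
# Added example, not part of the original post: create a VPN connection with the tunnel type
# and authentication protocol fixed explicitly, rather than Automatic with downward negotiation.
# 'JBKB VPN' and vpn.example.com are constructed values.
$name   = 'JBKB VPN'
$server = 'vpn.example.com'

# SSTP (TCP 443, passes most firewalls and proxies) with MS-CHAP v2 and encryption required.
# Only the listed AuthenticationMethod is offered, so a server cannot negotiate down to PAP or CHAP.
Add-VpnConnection -Name $name -ServerAddress $server -TunnelType Sstp `
                  -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
                  -RememberCredential:$false -PassThru

# The mobility variant (VPN Reconnect, next section) is IKEv2 with a machine certificate instead:
# Add-VpnConnection -Name "$name IKEv2" -ServerAddress $server -TunnelType Ikev2 `
#                   -AuthenticationMethod MachineCertificate -EncryptionLevel Required

# Read back what was stored; AuthenticationMethod is exactly the set the client will propose.
function Get-VpnSummary([string]$ConnectionName) {
    Get-VpnConnection -Name $ConnectionName |
        Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, RememberCredential
}
Get-VpnSummary $name

# Dial it with the built-in dialer; it prompts for credentials because RememberCredential is off.
# rasdial $name
```

RememberCredential is left off on purpose: a cached VPN credential on a lost laptop is one of the classic ways a stolen device becomes a network foothold.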

enable VPN reconnect


VPN Reconnect is a feature that came with Windows 7. VPN Reconnect uses IKEv2 and, as the name implies, it automatically re-establishes a VPN connection when the Internet connection is temporarily lost. This can be useful for wireless mobile broadband, for example when traveling on a train that passes areas with no coverage where the connection cuts out. The only configuration on the client side is the Network outage time (default 30 minutes, maximum 8 hours), which decides how long the connection can be down before it stops trying to reconnect.

manage broadband connections


There is a wizard to create a broadband connection, which basically asks only for a connection name and the user name and password from the ISP, which it saves. You can also make it usable by all users of the machine.

If you modify an existing Broadband connection you get more options such as modify authentication protocols, IPv4/IPv6 settings, Internet Connection Sharing, hang up settings, PPP settings and Service Name.

Configure mobility options


configure offline file policies
Offline Files is not enabled by default, but it is easily enabled by pressing the Enable offline files button.

There are 2 new Offline Files policies in Windows 8:

1. Remove "Work offline" command: removes the option in Explorer.exe to make files (or folders) available offline.

2. Enable file synchronization on costed networks: disabled by default, which means offline files will not be synchronized in the background on connections that are roaming and close to their data limit.

configure power policies


By default there are 3 power plans:

1. Balanced (recommended): the default
2. Power saver: uses the least battery power
3. High performance: uses the most battery power

You can create your own by Group Policy Preferences, but if you only have access to the local machine, as this exam expects, you can create your own power plan based on one of the 3 existing ones and then switch between them by clicking the battery system tray icon.

Something new in Windows 8 in the power settings is the GUI for adding Hibernate to the power button menu. By default hibernation is supported (if the drivers support it) but not visible; the menu looks as below with Sleep, Shut down and Restart.

To add hibernation to the power menu go to Control Panel -> Power Options -> System Settings and click Change settings that are currently unavailable

Now everything that was greyed out before is changeable, such as checking the box Hibernate (Show in Power menu). You can also control whether you want the Lock function in the picture menu.

If you checked Hibernate above, your power button menu will look like below:
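The custom plan and the hibernate switch from the two sections above, done with powercfg.exe instead of the GUI, as an added example that is not part of the original post. The Balanced plan GUID is the fixed one Windows uses for that built-in plan; the new plan's name and timeouts are constructed values, and the commands need an elevated prompt.

```powershell
# Added example, not part of the original post: the same power-plan tasks with powercfg.exe,
# which is what the Power Options GUI drives underneath. Run elevated; plan name is constructed.

# 1. List the built-in plans; the active one is marked with an asterisk.
powercfg /list

# 2. Create your own plan by copying Balanced (this GUID is the same on every Windows install)
#    and give it a name and description.
$balancedGuid = '381b4222-f694-41f0-9685-ff5bb260df2e'
$output  = powercfg /duplicatescheme $balancedGuid      # prints "Power Scheme GUID: <new guid>  (Balanced)"
$newGuid = [regex]::Match("$output", '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}').Value
powercfg /changename $newGuid 'JBKB Laptop' 'Balanced with a shorter display timeout'

# 3. Switch to it (what the tray icon click does) and tune it: /change edits the active plan;
#    ac = plugged in, dc = on battery, values in minutes (0 = never).
powercfg /setactive $newGuid
powercfg /change monitor-timeout-ac 15
powercfg /change monitor-timeout-dc 5

# 4. Hibernate: powercfg creates hiberfil.sys and enables the state; the Control Panel checkbox
#    described above only controls whether it is shown in the menu. /a lists what the hardware supports.
powercfg /hibernate on
powercfg /a
```

Step 4 also explains why the GUI checkbox is sometimes missing: if `powercfg /a` reports hibernation as unavailable, there is nothing for the menu to show until it is enabled here.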

configure Windows to Go
Windows To Go is one of the coolest new features and therefore sadly only available in the Windows 8 Enterprise edition. It can be seen as a full version of Windows 8 running (even booting) from a mass storage device such as a USB flash drive or an external hard drive. Exam tip: Know that Windows To Go can only be created from the Windows 8 Enterprise edition and that for licensing you need Microsoft Software Assurance; then you can even run it on a home computer. To create one, start the Windows To Go wizard from a Windows 8 Enterprise machine (it can be done with ImageX also, but that won't be covered here).

Windows To Go supports both USB 2.0 and 3.0, but of course USB 3.0 is recommended for better performance. Insert an external/removable USB disk and it shows up; as seen below, all removable disks must be Windows To Go certified to be accepted, but all external fixed disks are supported.

Notice that the wizard lets you know that the device is USB 2.0 and that USB 3.0 is recommended, but it won't stop you from using it. When a supported device is inserted the Next button activates; choose the disk you want to put Windows To Go on and press Next to continue.

Now you need the source files (basically an install image from Windows 8 Enterprise, install.wim), either from an inserted DVD or a mounted install ISO; if the wizard hasn't found it already, click Add search location and browse to it. Once found, click Next to continue.

You can enable a BitLocker password, which must be typed in before the OS loads (take care with the keyboard layout: it will be US-EN when booted on a standard boot.wim). Once everything is configured press Next to continue.

Here you get a summary and are also warned that the USB drive will be reformatted and any data on it will be lost. Press Create to start the creation of the Windows To Go USB drive.

This process takes a while, depending on the disk itself, but about 10 minutes.

When finished you can choose the boot option (Do you want to automatically boot from it when you restart your PC?):

Yes: it will modify the boot configuration to automatically boot from this USB disk
No: you will have to manually choose to boot from it, for example on a Dell press F12 and choose the USB device

If you chose Yes and want to test it directly, press Save and restart; otherwise (and if you chose No) press Save and close.

configure sync options


You still have Sync Center in Windows 8 for mobile devices, and it also has links to Offline Files, but other than that not much has changed. If this exam objective is referring to the new option to sync user profile settings with the help of a Microsoft Account, a lot can be said, so let's go with that.

If you use a Microsoft Account all settings are synced automatically by default (but you can change what is synced); if you log in with a domain account you must connect it to a Microsoft Account. You connect a domain account to a Microsoft Account in PC settings -> Users and then confirm the machine as a Trusted PC on the Microsoft Account.

Under PC Settings -> Sync your settings you can set the following:

Sync settings on this PC: On by default; if set to Off it overrides all settings below (further down the GPO that controls this is explained)

Personalize: if On it syncs your account picture, background, lock screen and color settings

Desktop personalization: if On it syncs your taskbar, themes, contrast and more (?)

Passwords: if On it syncs passwords for websites, networks, HomeGroup and apps

Ease of Access: if On it syncs Narrator, Magnifier, On-Screen Keyboard and more

Language preferences: if On it syncs keyboards, other input methods, display language and more

App settings: if On it syncs purchases and settings in an app

Browser: if On it syncs browser favorites, history and more (assumed to be Internet Explorer only)

Other Windows settings: if On it syncs File Explorer, mouse settings and more

All these settings are configurable in local policies and group policies: Local Computer Policy -> Administrative Templates -> Windows Components -> Sync your settings. Shown below is the Do not sync setting: if set to Not configured it is up to the user to decide, and if set to Enabled syncing is disabled, but you can keep it possible to sync and use the other policies to decide what is synced.

configure WiFi direct


Wi-Fi Direct is a standard that, for example, Android 4.x systems support; it replaced what was called Wi-Fi Ad Hoc before in Windows. It means you can connect two Wi-Fi devices and transfer files, connect to a Wi-Fi printer and so on without an access point. Notice: I will have to update this section later, but for now most seem to use netsh to set up a hosted Wi-Fi network with the commands below. I doubt that will be on the exam; there will most likely be an update later. For now, know that Windows 8 supports Wi-Fi Direct.

Create an Ad Hoc/Wi-Fi Direct network (elevated command prompt; the key must be between 8 and 63 characters):

netsh wlan set hostednetwork mode=allow ssid=JBKBSSID key=jbkbkey1

Start it by running:

netsh wlan start hostednetwork

Then the Windows 8 machine will broadcast this SSID and allow connections without an access point.

Configure security for mobile devices


configure BitLocker and BitLocker To Go policies

Know that BitLocker is only supported on Windows 8 Pro and Windows 8 Enterprise edition. Know the 2 way to use BitLocker 1. Trusted Platform Mobile (TPM) 1.2 or 2.0 Chip, store decryption key in TPM (Preferred option). 2. Store decryption key on USB flash drive (this option needs to be activated in Group

Policy and is not enabled default) the USB Flash drive must be presented at each startup. If anything of the following changes, BitLocker will lock the drive and it will not be possible to read from it:

Disable TPM in BIOS Clear TPM The BitLocker-encrypted disk is moved to another computer Changes in boot files Boot without TMP, PIN, USB flash drive.

BitLocker To Go is used for removable storage and includes a discovery volume that is hidden on Windows 8 but visible on XP and Vista; it contains the BitLocker To Go Reader, which is used on those older systems to unlock the drive with the password (read-only). When you enable BitLocker on a removable disk you choose how to unlock the drive: by a password you specify or by smart card.

You then get two options to store the recovery key: save it to a file or print it.

Then choose whether to encrypt only the used disk space or the whole drive (new in Windows 8). Used space only is fast on a brand new drive, but on a drive that has already been in use previously deleted files remain recoverable from the unencrypted free space, so choose full encryption for drives that already held data.

After this, encryption starts and you are asked not to remove the drive during the procedure.

Configuring BitLocker and BitLocker To Go policies

Here are some of the most important BitLocker To Go GPOs (Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Removable Data Drives):

- Allow access to BitLocker-protected removable data drives from earlier versions of Windows: if this is Not Configured or Enabled, earlier versions such as Windows XP SP2 and later and Windows Vista can unlock FAT formatted drives with BitLocker To Go Reader. There is also a checkbox Do not install BitLocker To Go Reader on FAT formatted removable drives.
- Deny write access to removable drives not protected by BitLocker: if this policy is Enabled, removable disks that are not protected with BitLocker are mounted read-only. The sub-option Do not allow write access to devices configured in another organization additionally blocks writes to BitLocker drives whose identification field does not match the value set in Provide the unique identifiers for your organization.
- Control use of BitLocker on removable drives: if this policy is Enabled or Not Configured, users can run the BitLocker wizard to protect removable drives.

Here are some of the most important BitLocker GPOs (under Operating System Drives unless noted):

- Require additional authentication at startup: if the checkbox Allow BitLocker without a compatible TPM is checked you can boot with a startup key on a removable USB flash disk (or, new in Windows 8, a password). This is not checked by default, and then only machines with a TPM chip can use BitLocker. This policy also sets how the TPM can be combined with a startup key and/or PIN (for each combination: do not allow, allow, or require).
- Configure minimum PIN length for startup: if this is Disabled or Not Configured the minimum length is 4 and the maximum 20; if Enabled you can set a value from 4 to 20. A TPM-backed PIN is protected by the TPM's anti-hammering lockout, which is what makes a short numeric PIN acceptable at all.
- Choose drive encryption method and cipher strength (in the top-level BitLocker Drive Encryption folder): the default is AES 128-bit; you can choose AES 256-bit. The Windows 8 version of this policy no longer offers the Elephant diffuser variants that Windows 7 had.

Here are a few Windows 8-only BitLocker policies (there are several; I recommend you look through them all):

- Enforce drive encryption type on fixed data drives: decides whether fixed drives are always encrypted in full, including empty space, or only the used space (with new data encrypted as it is written). The default is to let the user choose.
- Allow network unlock at startup: uses a Windows Deployment Services server on the secured corporate network; if both server and client have a BitLocker Network Unlock certificate, the client (UEFI firmware with a DHCP driver, on a wired connection) unlocks the OS drive over the network during startup without anyone typing a PIN. Off the corporate network the normal TPM+PIN prompt is used.
- Allow Secure Boot for integrity validation: UEFI Secure Boot already verifies that only signed firmware, boot loaders and boot drivers run. If set to Not Configured or Enabled, BitLocker uses Secure Boot for integrity validation (the key is sealed to PCR 7, the Secure Boot state, so signed boot-loader updates do not trigger recovery); if set to Disabled, BitLocker's legacy integrity validation (measurements of the boot code itself) is used instead.

If you have a TPM 1.2 or 2.0 chip you can use the TPM alone, or together with a PIN, a startup key, or both. Without a TPM you can only choose either Insert a USB flash drive at each start or Enter a password at each start.

If BitLocker is enabled and you need to change BIOS/UEFI settings, upgrade hardware, or upgrade the OS (for example from Windows 7 to Windows 8), you should suspend protection, make the changes, and then resume. Suspending keeps the drive encrypted but stores the key in clear on the disk for the duration, so suspend right before the change and resume right after. You could turn BitLocker off instead, but then the drive is decrypted and you would need to encrypt it again from scratch to get protection back (new keys are also created).

Data recovery agent support

When enabling BitLocker you get the option to save or print the recovery key.

The Data Recovery Agent needs to be configured with a proper certificate, and you must add the Data Recovery Agent under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> BitLocker Drive Encryption (close to the same path in GPMC). The policy Choose how BitLocker-protected operating system drives can be recovered must also leave Allow data recovery agent checked (it is by default), and Provide the unique identifiers for your organization must be set, because the DRA is only applied to drives that carry the organization's identification field.

In the wizard either add a user who has a suitable certificate or add a certificate file (.cer) directly. Know that the command line tool to manage all this is manage-bde. For example, on a BitLocker-enabled machine that is decrypting (BitLocker being turned off) you can run this command to see the status:
manage-bde -Status

In a domain environment the recommendation is to store BitLocker recovery information for system drives in AD DS (the policy Choose how BitLocker-protected operating system drives can be recovered, with Save BitLocker recovery information to AD DS and Do not enable BitLocker until recovery information is stored in AD DS for operating system drives). Exam Tip: Be careful when enabling a PIN with BitLocker, because Windows 8 can be installed on devices that do not have a physical keyboard, and the on-screen keyboard is not loaded at the time the PIN is required; the policy Enable use of BitLocker authentication requiring preboot keyboard input on slates exists for exactly that case.

configure startup key storage


A startup key is useful on machines that do not have (or do not support) a TPM. The startup key is saved as a hidden .bek file on USB storage, which can be formatted with NTFS, FAT32 or FAT. To start a BitLocker-enabled system without a TPM you need the flash drive with the startup key inserted every time the computer starts. Without a TPM nothing binds the key to the machine, so whoever holds the USB drive can boot the disk: never store it together with the computer, and keep the recovery password separately in case the drive is lost.
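As an added example (not part of the original post), the enabling, recovery-key and suspend procedure described above done with the Windows 8 BitLocker PowerShell module: TPM+PIN when a usable TPM is present, a USB startup key otherwise, a recovery password always, AD DS escrow on domain members, and a BitLocker To Go password protector for a removable drive. The function names, the drive letters E:\ (startup-key USB stick) and F: (removable drive) and the AES-256 choice are my assumptions; the cmdlets are the built-in BitLocker and TrustedPlatformModule modules.

```powershell
# Added example, not from the original post: BitLocker on Windows 8 Pro/Enterprise
# from PowerShell. Run elevated. E:\ and F: are assumed drive letters.
Import-Module BitLocker
Import-Module TrustedPlatformModule   # provides Get-Tpm

function Enable-OsDriveBitLocker {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [string]$StartupKeyPath = 'E:\',   # USB stick; only used when there is no usable TPM
        [switch]$UsedSpaceOnly             # fast on a fresh install; use full encryption on drives that held data
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); nothing changed"
        return $vol
    }

    # 1. Recovery password first, so a lost PIN or USB key is never a lost disk.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

    # 2. Escrow it in AD DS when domain joined (what the 'Save BitLocker recovery
    #    information to AD DS' policy enforces automatically).
    if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
    } else {
        Write-Warning "Not domain joined: store recovery password $($rp.RecoveryPassword) somewhere safe now"
    }

    # 3. Startup authentication.
    $tpm = Get-Tpm
    if ($tpm.TpmPresent -and $tpm.TpmReady) {
        # TPM + PIN. Read-Host -AsSecureString keeps the PIN out of history and transcripts.
        # Length must satisfy 'Configure minimum PIN length for startup' (4-20).
        $pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
        Enable-BitLocker -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin `
            -EncryptionMethod Aes256 -UsedSpaceOnly:$UsedSpaceOnly -SkipHardwareTest | Out-Null
    } else {
        # No TPM: requires 'Require additional authentication at startup' with
        # 'Allow BitLocker without a compatible TPM' checked, otherwise this throws.
        # The hidden .bek startup key is written to the root of $StartupKeyPath.
        Enable-BitLocker -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $StartupKeyPath `
            -EncryptionMethod Aes256 -UsedSpaceOnly:$UsedSpaceOnly -SkipHardwareTest | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint   # same information as manage-bde -status
}

function Enable-RemovableDriveBitLocker {
    # BitLocker To Go with a password protector (the wizard's smart card option is
    # manage-bde -protectors -add -certificate instead). Recovery password added too.
    param([Parameter(Mandatory = $true)][string]$MountPoint)   # e.g. 'F:'
    $pw = Read-Host -AsSecureString -Prompt "Password for $MountPoint"
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw -EncryptionMethod Aes256 | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Suspend-OsDriveBitLocker {
    # Before a BIOS/UEFI or boot-loader change: suspend (drive stays encrypted, key
    # stored in clear until Resume-BitLocker) rather than Disable-BitLocker, which
    # decrypts everything. manage-bde -protectors -disable C: is the equivalent.
    Suspend-BitLocker -MountPoint $env:SystemDrive
}

# Usage (elevated):
# Enable-OsDriveBitLocker -UsedSpaceOnly        # fresh install
# Enable-RemovableDriveBitLocker -MountPoint F:
# Suspend-OsDriveBitLocker; <apply firmware update>; Resume-BitLocker -MountPoint C:
```

Enable-OsDriveBitLocker reads the PIN interactively on purpose: a PIN passed on the command line would end up in the PowerShell history and in any transcript, which defeats the point of adding it.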

configure remote wipe


Notice: I found no real documentation regarding remote wipe on Microsoft sites or elsewhere. It is mentioned that Microsoft has implemented a kill switch so they can remove apps downloaded from the Windows Store, but this exam objective speaks about configuring remote wipe. Windows 8 includes a Reset your PC function, but it cannot easily be initiated remotely.

I will update this section if anything new comes up.

configure location settings (GPS)


Location was previously established from the IP address, but because of NAT and other techniques that is not reliable. Windows 8 has a real location platform that uses a built-in or connected GPS (and, through the Windows Location Provider, Wi-Fi and IP based positioning). The settings are simple: either check Turn on the Windows Location platform (checked by default) and then approve per app whether it is allowed or not, or uncheck Turn on the Windows Location platform and location is not available to any app.

The same setting can be set with policy, but the policy is named the opposite: Turn off Windows Location Provider (Computer Configuration -> Administrative Templates -> Windows Components -> Location and Sensors -> Windows Location Provider). If set to Not Configured or Disabled the Windows Location Provider is on; if set to Enabled it is turned off. The parent Location and Sensors folder also has Turn off location, which disables the whole location platform regardless of what the user has checked.

Certification: Exam 70-687: Configuring Windows 8 Part 6: The last part/notes


Posted by John Bryntze Published in Certification, Microsoft, Windows 8. Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post it here. Part six is just a summary of the last 2 objectives and some general notes to finish off this series. In this part 6 we will look into these 3 topics; the first two are sub-objectives of Monitor and Maintain Windows Clients (13%) and Configure Backup and Recovery Options (14%), and DirectAccess is not listed but will most likely be in the exam itself.

- DirectAccess
- Storage Spaces
- File History

If you write the exam before 31st May 2013 be sure to register for a second shot (which means if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx )

DirectAccess
DirectAccess was new in Windows 7 and is still Windows 8 Enterprise edition only. It is VPN-like but always connected; the user does not have to enter a username or anything similar, because the computer itself authenticates (with a computer certificate or, with Windows Server 2012, Kerberos) as soon as it has Internet access, before any user logs on. DirectAccess requires IPv6 on client and server, but in between the IPv6 packets can travel encapsulated in IPv4 packets using transition technologies such as 6to4 (used when the client has a public IPv4 address, no NAT), Teredo tunneling (used behind NAT) or IP-HTTPS (the fallback when only HTTPS gets out). Only IP-HTTPS uses 443/tcp (same as HTTPS), which is open on most firewalls; 6to4 needs IP protocol 41 and Teredo needs UDP 3544 outbound, which is why IP-HTTPS is the one that works almost everywhere. Exam Tip: remember that DirectAccess is only available in Windows 8 Enterprise, requires IPv6, and falls back to communicating over 443/tcp. Just think of DirectAccess as a VPN that is enabled automatically even if no user is logged on.
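As an added example (not part of the original post), a check that shows how a Windows 8 Enterprise DirectAccess client is currently connected and which of the three transition technologies carries the tunnel, which is the first thing to look at when a remote user reports that "DirectAccess is not working". The function name is mine; the cmdlets are the built-in DirectAccessClientComponents, NetTCPIP, NetworkTransition and DnsClient modules, the interface alias iphttpsinterface and the Teredo/6to4 prefixes are standard Windows values, and the NRPT contents are whatever your DirectAccess deployment pushed out.

```powershell
# Added example, not from the original post: report the DirectAccess connection
# state and the IPv6 transition technology in use on a Windows 8 Enterprise client.
function Get-DATransportStatus {
    $da = Get-DAConnectionStatus          # Status: ConnectedRemotely, ConnectedLocally, Error ...

    # Global IPv6 addresses actually in use, classified by interface or prefix:
    #   2001:0::/32       Teredo   (behind NAT, UDP 3544 outbound)
    #   2002::/16         6to4     (public IPv4, IP protocol 41 outbound)
    #   iphttpsinterface  IP-HTTPS (443/tcp outbound, the fallback that nearly always works)
    $addrs = Get-NetIPAddress -AddressFamily IPv6 -AddressState Preferred |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' -and $_.IPAddress -notlike 'fe80*' }

    $transport = 'None'; $address = $null
    foreach ($a in $addrs) {
        $ip = $a.IPAddress.ToLower()
        if     ($a.InterfaceAlias -eq 'iphttpsinterface')            { $transport = 'IP-HTTPS';    $address = $ip; break }
        elseif ($ip -like '2001:0:*' -or $ip -like '2001::*')        { $transport = 'Teredo';      $address = $ip; break }
        elseif ($ip -like '2002:*')                                  { $transport = '6to4';        $address = $ip; break }
        elseif ($transport -eq 'None')                               { $transport = 'Native IPv6'; $address = $ip }
    }

    # NRPT rules list the DNS namespaces that are resolved through the tunnel.
    $nrpt = Get-DnsClientNrptPolicy | Select-Object -ExpandProperty Namespace

    New-Object PSObject -Property @{
        DAStatus       = $da.Status
        Substatus      = $da.Substatus
        Transport      = $transport
        Address        = $address
        TeredoState    = (Get-NetTeredoState -ErrorAction SilentlyContinue).State   # qualified / offline
        NrptNamespaces = ($nrpt -join ', ')
    }
}

# Usage:
# Get-DATransportStatus | Format-List
```

If DAStatus is Error and Transport is None, the edge firewall is the usual suspect: confirm that at least 443/tcp is allowed out, since Teredo (UDP 3544) and 6to4 (protocol 41) are commonly blocked. ConnectedLocally with no transition address is normal on the corporate LAN, where the NRPT rules are not applied.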

Storage Spaces
Storage Spaces is a function whose idea comes from Windows Home Server (Drive Extender) and groups physical disks into pools. The disks can be of different types (USB/SATA/SAS) and different sizes (a normal hardware RAID 1, for example, only uses the space of the smallest disk, but that is not the case in Storage Spaces). From the pool you create spaces (virtual disks) that you format and use as a normal disk. A space can be bigger than the disks in the pool can provide; this is called thin provisioning, and when the pool runs out of physical space you add another disk. There are 3 types of storage spaces:

1. Simple spaces: data is striped across the disks with no fault tolerance; if one disk fails, all data on the space is lost.
2. Mirror spaces: at least 2 copies are kept on 2 separate physical disks (like RAID 1), or 3 copies on 3 separate disks (three-way mirror), which means 2 disks can fail and it still works. Pools can also be given hot spare disks that take over automatically when a disk fails.
3. Parity spaces: data plus parity is striped across 3 or more disks in a RAID 5 like scenario where one disk can fail and the space continues to work (dual parity that survives two failed disks arrived later, with Windows 8.1/Server 2012 R2). Parity costs extra CPU and I/O on writes, and more so while a failed disk is being rebuilt from parity.

Note that resiliency only protects against disk failure: a deleted or encrypted file is mirrored just as faithfully, so Storage Spaces does not replace File History or a backup.
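As an added example (not part of the original post), the pool, three-way mirror, hot spare and thin provisioning described above built with the Windows 8 Storage module cmdlets, followed by a health report. The pool and space names, the 2 TB size and the function names are my assumptions; everything else is the built-in Storage module.

```powershell
# Added example, not from the original post: build a Storage Spaces pool from
# every poolable disk, carve a thin-provisioned three-way mirror out of it, keep
# one disk as hot spare, format it, and report health. Windows 8, run elevated.
function New-MirrorSpace {
    param(
        [string]$PoolName  = 'JBKBPool',   # assumed names
        [string]$SpaceName = 'Mirror3',
        [uint64]$Size      = 2TB,          # may exceed physical capacity (thin provisioning)
        [int]$Copies       = 3             # 3 = two disks may fail; 2 = RAID 1 like
    )
    $disks  = @(Get-PhysicalDisk -CanPool $true)
    $needed = $Copies + 1                  # +1 for the hot spare
    if ($disks.Count -lt $needed) { throw "Need at least $needed poolable disks, found $($disks.Count)" }

    $subsystem = Get-StorageSubSystem -FriendlyName 'Storage Spaces*' | Select-Object -First 1
    $pool = New-StoragePool -FriendlyName $PoolName `
        -StorageSubSystemFriendlyName $subsystem.FriendlyName -PhysicalDisks $disks

    # Mark the smallest disk as hot spare so a failed member is rebuilt automatically.
    $spare = $pool | Get-PhysicalDisk | Sort-Object Size | Select-Object -First 1
    Set-PhysicalDisk -UniqueId $spare.UniqueId -Usage HotSpare

    $vdisk = New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $SpaceName `
        -ResiliencySettingName Mirror -NumberOfDataCopies $Copies -ProvisioningType Thin -Size $Size

    # Bring it online as a normal disk: GPT, one partition, NTFS.
    $vdisk | Get-Disk | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $SpaceName -Confirm:$false
}

function Get-SpaceHealth {
    param([string]$PoolName = 'JBKBPool')
    # HealthStatus/OperationalStatus show a lost disk before the user notices;
    # a thin space whose pool is full shows up here too (space goes offline).
    Get-StoragePool -FriendlyName $PoolName | Get-PhysicalDisk |
        Select-Object FriendlyName, Usage, HealthStatus, OperationalStatus,
            @{ n = 'SizeGB'; e = { [int]($_.Size / 1GB) } }
    Get-StoragePool -FriendlyName $PoolName | Get-VirtualDisk |
        Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies, ProvisioningType, HealthStatus
}

# Usage (elevated): New-MirrorSpace; Get-SpaceHealth
```

Get-PhysicalDisk -CanPool $true deliberately excludes the system disk and any disk that already holds partitions, so nothing here can grab a drive that is in use; wipe a disk first (Clear-Disk) if it should join the pool.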

File History
File History is new in Windows 8 and can be seen a little like Windows 7's Previous Versions and Apple's Time Machine. File History automatically backs up files in your libraries, desktop, contacts, favorites and SkyDrive folder. If you lose a file stored in any of these locations, you can use File History to restore any stored version of it. Exam Tip: Know that File History is disabled by default. To enable File History go to File History in Control Panel; if a USB disk is inserted it will suggest using it to store File History, and if no external disk is found (a second internal disk also works) it will suggest adding a network location. Once a location is chosen press the Turn on button. Keep in mind that File History is a per-user copy of user files, not a system image, and the user can change or delete the stored versions at the target location, so it does not replace a backup the user cannot modify.

On the left side you have a few File History commands:

- Select drive: here you see which disk is used and its free space, or add a network share with the Add network location button. You cannot choose a disk that one of your libraries points to; for example, if d:\music on a second internal disk is included in a library you cannot use that second disk (d:) for File History.
- Exclude folders: by default no folders are excluded, but if for some reason you do not want some of them backed up you can add them to the exclude list.
- Advanced settings:
  - Save copies of files: default every hour; can be changed to 10, 15, 20, 30 minutes or 1, 3, 6, 12 hours or daily.
  - Size of offline cache: default 5% of disk space (local c:) but can be set to 2, 5, 10 or 20%. The offline cache is saved on the C: drive and is useful, for example, if the external drive is not inserted or the network location is not available; you can still reach File History from the cache, so it is useful for portable systems.
  - Keep saved versions: default Forever, but can be changed to 1, 3, 6, 9 months or 1, 2 years.
  - Clean up versions (hidden in the image below by the drop-down box): clicking Clean up versions opens a new window for deciding which versions to clean; you get the same options as in Keep saved versions plus one extra: All but the latest.
  - File History also supports HomeGroup if your machine is not on a domain and is a member of a HomeGroup.
- Restore personal files: use this to first choose the day/time by switching the window left or right, then browse to the file or files you want to Restore or Restore to.
  - Preview: opens the file so you can see/listen to the content
  - Restore: restores the file to its original location
  - Restore to: restores the file to the location you want (browse)

File History works in the background and once set up you do not have to touch it much.

There is one GPO regarding File History, simply Turn off File History (Computer Configuration -> Administrative Templates -> Windows Components -> File History): if Not Configured or Disabled, users have the option to activate File History; if set to Enabled, File History cannot be activated.

Take care: this policy being Disabled or Not Configured does not automatically mean you are using File History; you must still manually choose a location and turn it on.
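As an added example (not part of the original post), one audit script for the policy-driven settings covered in this series: Sync your settings, the BitLocker startup/PIN/removable-drive/AD DS policies, Turn off Windows Location Provider, and Turn off File History. It reads the registry values Group Policy writes and compares them with a baseline. The registry paths and value names come from the corresponding ADMX files (SettingSync, VolumeEncryption, Sensors, FileHistory); the Expected values are this example's own baseline and not a Microsoft default, and the function name is mine. Check the names against your ADMX before relying on them.

```powershell
# Added example, not from the original post: compare policy registry values on
# the local Windows 8 machine against a small baseline. A missing value means
# the policy is Not Configured and the default/user behaviour applies.
$Baseline = @(
    @{ Area='Sync';        Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync';        Name='DisableSettingSync';             Expected=2; Meaning='Do not sync = Enabled' },
    @{ Area='Sync';        Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync';        Name='DisableSettingSyncUserOverride'; Expected=1; Meaning='users may not turn sync back on' },
    @{ Area='BitLocker';   Path='HKLM:\SOFTWARE\Policies\Microsoft\FVE';                        Name='UseAdvancedStartup';             Expected=1; Meaning='Require additional authentication at startup = Enabled' },
    @{ Area='BitLocker';   Path='HKLM:\SOFTWARE\Policies\Microsoft\FVE';                        Name='EnableBDEWithNoTPM';             Expected=0; Meaning='no BitLocker without a compatible TPM' },
    @{ Area='BitLocker';   Path='HKLM:\SOFTWARE\Policies\Microsoft\FVE';                        Name='UseTPMPIN';                      Expected=1; Meaning='TPM+PIN (1 = require, 2 = allow, 0 = do not allow)' },
    @{ Area='BitLocker';   Path='HKLM:\SOFTWARE\Policies\Microsoft\FVE';                        Name='MinimumPIN';                     Expected=6; Meaning='Configure minimum PIN length for startup (4-20)' },
    @{ Area='BitLocker';   Path='HKLM:\SOFTWARE\Policies\Microsoft\FVE';                        Name='RDVDenyWriteAccess';             Expected=1; Meaning='removable drives without BitLocker are read-only' },
    @{ Area='BitLocker';   Path='HKLM:\SOFTWARE\Policies\Microsoft\FVE';                        Name='OSRequireActiveDirectoryBackup'; Expected=1; Meaning='do not enable BitLocker until recovery info is in AD DS' },
    @{ Area='Location';    Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors'; Name='DisableWindowsLocationProvider'; Expected=1; Meaning='Turn off Windows Location Provider = Enabled' },
    @{ Area='FileHistory'; Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\FileHistory';        Name='Disabled';                       Expected=0; Meaning='Turn off File History not enforced (users may turn it on)' }
)

function Test-PolicyBaseline {
    param($Entries = $Baseline)
    foreach ($e in $Entries) {
        $name = $e.Name
        $current = $null
        if (Test-Path $e.Path) {
            $item = Get-ItemProperty -Path $e.Path -Name $name -ErrorAction SilentlyContinue
            if ($item) { $current = $item.$name }
        }
        $display   = if ($current -eq $null) { 'Not Configured' } else { $current }
        $compliant = ($current -ne $null) -and ([int]$current -eq [int]$e.Expected)
        New-Object PSObject -Property @{
            Area      = $e.Area
            Setting   = $name
            Current   = $display
            Expected  = $e.Expected
            Compliant = $compliant
            Meaning   = $e.Meaning
        }
    }
}

# Usage (PowerShell 3.0 on Windows 8, any user can read HKLM policies):
# Test-PolicyBaseline | Sort-Object Compliant, Area |
#     Format-Table Area, Setting, Current, Expected, Compliant, Meaning -AutoSize
```

Values under HKLM\SOFTWARE\Policies are only written by Group Policy (or a deliberate local edit); a setting the user toggled in the Control Panel never appears here, which is exactly why the audit looks at this hive and not at the user's own keys.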

That's all folks. Remember that during the exam, if you have 4 alternatives and no idea at all which is correct, you still have a 25% chance, and if you can eliminate one answer as obviously wrong you have 33%. Answers such as "modify manually on all machines in the company" are most often incorrect, and strange regedit answers are also most often incorrect.
