Certification: Exam 70-687: Configuring Windows 8 Part 1: Install and Upgrade to Windows 8 (14%)

Posted by John Bryntze. Published in Certification, Microsoft, Windows 8

Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post it here. First out is Install and Upgrade to Windows 8, which is 14% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 1 we will look into these 3 objectives:
- Evaluate hardware readiness and compatibility
- Install Windows 8
- Migrate and configure user data
If you write the exam before 31st May 2013 be sure to register for a second shot (which means if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx )
Minimum system requirements:
- Processor: 1 gigahertz (GHz) or faster
- RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
- Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)
- Graphics card: Microsoft DirectX 9 graphics device with WDDM driver

Some software only exists in 32-bit, such as a VPN client or an older scanner driver (in that case upgrading the software is usually the better idea). A 32-bit OS cannot run any 64-bit software. There are many more reasons to run the 64-bit version: the Windows 8 Hyper-V feature (version 3) only exists in the 64-bit version, and 64-bit Windows can address more than 4 GB of memory and make it usable to the system if it is installed. Most 32-bit software can be installed on a 64-bit OS, except software that goes deep into the system with its own kernel-mode driver, such as some VPN clients (a 32-bit driver cannot load on 64-bit Windows, so check that the vendor ships a 64-bit driver). If you are running not-too-old hardware and all your applications can run on a 64-bit OS, then 64-bit Windows 8 is the most appropriate choice.

If you go into the advanced display settings and change to an unsupported screen resolution (Windows 8 Store apps need at least 1024x768) and then start a Store (Metro) app, you get this error message: The screen resolution is too low for this app to run
Upgrade paths and what is retained:
- Windows 7: Windows settings, personal files and applications (a true in-place upgrade)
- Windows Vista with Service Pack 1 or higher: Windows settings and personal files
- Windows Vista with no service pack, and Windows XP with Service Pack 3: personal files only

So remember that only Windows 7 can do a true in-place upgrade that keeps applications (a few applications will not run in Windows 8) as well as all Windows settings and personal files; the others will install Windows 8 but only keep Windows settings, personal files, or both.
Install Windows 8
install as Windows to Go
Windows To Go is an Enterprise feature which makes it possible for you to boot Windows 8 from a USB 2.0/3.0 stick. The first boot takes longer due to driver installs, but every boot after that goes faster.

One way (not the way the exam will ask about) to install Windows To Go onto a USB stick/disk is to open an elevated CMD prompt, use ImageX.exe (get it from the Windows ADK: http://www.microsoft.com/en-us/download/details.aspx?id=29929 ) and the ISO of Windows 8, and extract the install.wim file. When you have all that and have formatted the USB disk as NTFS, run this command in the elevated CMD prompt (make sure imagex.exe is in your path; in the example below the USB drive letter is E:):

imagex.exe /apply install.wim 1 E:\

Once imagex has finished applying the wim file, make the drive bootable by running this command:

bcdboot.exe E:\windows /s E: /f ALL

Now you have a USB drive that can boot on any hardware, even on a Mac (depending on which ISO media you used you could be limited to 32-bit hardware only). Note that the official wizard also sets a SAN policy so that the host's internal disks stay offline when booted from the stick; the manual imagex route does not, so the Windows To Go OS can see and mount the host machine's disks.

Another way to install Windows To Go, and the more official way (read: what will be asked on the exam), is to launch the Windows To Go Creator Wizard on a Windows 8 Enterprise edition machine.

Exam tip: Know that Windows To Go can only be created from Windows 8 Enterprise edition, and for licensing you need Microsoft Software Assurance; then you can even run it on a home computer.

Windows To Go supports both USB 2.0 and 3.0, but of course USB 3.0 is recommended for better performance. Insert an external/removable USB disk and it shows up; as seen below, removable disks must be Windows To Go certified to be accepted, but external fixed disks are supported.

Notice that the wizard lets you know that the device is USB 2.0 and that USB 3.0 is recommended, but it won't stop you from using it. When a supported device is inserted the Next button activates; choose the disk you want to put Windows To Go on and press Next to continue.

Now you need the source files (basically an install image from Windows 8 Enterprise, install.wim), either a DVD inserted or the install ISO mounted; if it is not already seen by the wizard, click Add search location and browse to it. Once found, click Next to continue.

You can enable a BitLocker password, which is required before the OS loads (take care with the keyboard layout; it will be US-EN when booted on a standard boot.wim). Once configured, press Next to continue.

Here you get a summary and are also warned that the USB drive will be reformatted and any data on it lost. Press Create to start the creation of the Windows To Go USB drive.

This process will take a while, depending on the disk itself, but about 10 minutes.

When finished you can choose boot options (Do you want to automatically boot from it when you restart your PC?):
- Yes: it will modify the boot configuration to automatically boot from this USB disk.
- No: you will have to manually choose to boot from it, for example on a Dell press F12 and choose USB device.

If you chose Yes and want to test it directly, press Save and restart; otherwise (and if you chose No) press Save and close.
upgrade from Windows 7 to Windows 8 or from one edition of Windows 8 to another edition of Windows 8
Upgrade from Windows 7 to Windows 8 in place on the same machine: the Windows 8 Setup program will scan your PC to determine whether it can run Windows 8 and which apps and devices are compatible, and provide a report that you can save or print. If you are currently running Windows 7 Starter, Home Basic or Home Premium you can upgrade to either Windows 8 or Windows 8 Pro; if you are using Windows 7 Professional or Ultimate you can only upgrade to Windows 8 Pro. Windows 7 Enterprise cannot be upgraded with retail Windows 8 or Windows 8 Pro media; it can only move to Windows 8 Enterprise, otherwise it needs a fresh install (normally not an issue, since enterprises normally have enterprise tools to reinstall).

Upgrade from one edition of Windows 8 to another: it is my guess that this only means upgrading from Windows 8 to Windows 8 Pro, since you cannot upgrade to Windows 8 RT, Windows 8 Enterprise can only be obtained through Software Assurance, and I doubt you can downgrade from Windows 8 Pro to Windows 8. Either way, to upgrade to a different edition launch Get more features with a new edition of Windows.

Here you either buy a new product key (for Windows 8 Pro) or, if you already have one, enter it to upgrade; all files, settings and programs stay the same. (The screenshot below shows the Release Preview version; not sure if that can be upgraded, but either way that won't be an exam question.)
install VHD
Boot from a Virtual Hard Disk (VHD), also called native VHD boot, is a feature of Windows 8 Pro and Windows 8 Enterprise (not of Windows 8 or Windows 8 RT). First we need to create the VHD, either with diskpart or with Disk Management; 50 GB is a good starting size.

Once created, initialize the disk and be sure to choose MBR (GPT doesn't work at the moment, but maybe in future).

Once ready we apply our Windows 8 WIM to the VHD with ImageX:

imagex /apply [path to wim]\install.wim 1 [drive letter of VHD]

When the VHD file contains our Windows 8 image we just need to make it bootable with BOOTSECT.EXE:

bootsect /nt60 [drive letter of VHD] /mbr

Now we have a bootable Windows 8 VHD. To actually boot it, the host's boot configuration still needs an entry pointing at the VHD file (bcdedit /copy {current} to clone the current entry, then set its device and osdevice to vhd=[C:]\path\to\file.vhd); the boot sector alone is not enough.
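As an added example (not code from the original post), here is the VHD procedure above scripted end to end, including the BCD entry. It assumes imagex.exe from the Windows ADK is on the PATH; the WIM path D:\sources\install.wim, the VHD path C:\VHD\Win8.vhd and the drive letter V: are illustrative values, not taken from the post. The same Install-WimToVolume function also covers the Windows To Go case from the earlier section: apply the image to the USB volume, then bcdboot instead of bootsect/bcdedit.

```powershell
# Added example, not code from the original post. Run from an elevated PowerShell.
# Assumptions: imagex.exe (Windows ADK) is on the PATH; $Wim, $VhdPath and the
# drive letter V: are illustrative values.
$ErrorActionPreference = 'Stop'

function New-NativeBootVhd {
    param([string]$VhdPath, [int]$SizeMB, [string]$Letter)
    New-Item -ItemType Directory -Force -Path (Split-Path $VhdPath) | Out-Null
    # MBR partition table (the post notes GPT does not work here), NTFS, marked active.
    @"
create vdisk file="$VhdPath" maximum=$SizeMB type=expandable
select vdisk file="$VhdPath"
attach vdisk
create partition primary
format fs=ntfs quick label=Win8VHD
assign letter=$Letter
active
exit
"@ | diskpart.exe | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }
}

function Install-WimToVolume {
    # Serves both targets: a native-boot VHD (bootsect, then a BCD entry on the host)
    # and a Windows To Go volume (bcdboot writes boot files and BCD onto the stick).
    param([string]$Wim, [int]$Index, [string]$Letter, [switch]$WindowsToGo)
    if (-not (Test-Path $Wim)) { throw "WIM not found: $Wim" }
    & imagex.exe /apply $Wim $Index "${Letter}:\"
    if ($LASTEXITCODE -ne 0) { throw "imagex failed with exit code $LASTEXITCODE" }
    if ($WindowsToGo) {
        & bcdboot.exe "${Letter}:\Windows" /s "${Letter}:" /f ALL   # BIOS and UEFI boot files
    } else {
        & bootsect.exe /nt60 "${Letter}:" /mbr                         # NT 6.x boot sector only
    }
    if ($LASTEXITCODE -ne 0) { throw "boot configuration failed with exit code $LASTEXITCODE" }
}

function Add-VhdBootEntry {
    param([string]$VhdPath, [string]$Description = 'Windows 8 (VHD)')
    # bcdedit prints "The entry was successfully copied to {GUID}."; capture that GUID.
    $out = (& bcdedit.exe /copy '{current}' /d $Description) -join ' '
    if ($out -match '(\{[0-9a-fA-F-]{36}\})') { $id = $Matches[1] }
    else { throw "bcdedit /copy failed: $out" }
    # [C:] is the volume that holds the .vhd; the remainder is the path on that volume.
    $vol = Split-Path $VhdPath -Qualifier
    $rel = $VhdPath.Substring($vol.Length)
    & bcdedit.exe /set $id device   "vhd=[$vol]$rel"
    & bcdedit.exe /set $id osdevice "vhd=[$vol]$rel"
    & bcdedit.exe /set $id detecthal on
    return $id
}

# Usage with the assumed paths:
$Wim     = 'D:\sources\install.wim'
$VhdPath = 'C:\VHD\Win8.vhd'
New-NativeBootVhd -VhdPath $VhdPath -SizeMB 51200 -Letter V      # 50 GB, as the post suggests
Install-WimToVolume -Wim $Wim -Index 1 -Letter V
"select vdisk file=`"$VhdPath`"`r`ndetach vdisk`r`nexit" | diskpart.exe | Out-Null
$entry = Add-VhdBootEntry -VhdPath $VhdPath
Write-Host "Boot entry $entry added; pick it from the boot menu on the next restart."
# Windows To Go variant on an NTFS-formatted stick at E: (no BCD entry on the host):
# Install-WimToVolume -Wim $Wim -Index 1 -Letter E -WindowsToGo
```

The VHD is detached before the BCD entry is added, because the boot loader mounts the file itself at boot time; a VHD that is still attached on the host when you reboot is also the classic cause of the VHD not being found.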
If you chose An external hard disk or USB flash drive and your old PC is running Windows XP or Windows Vista you need to install Windows Easy Transfer.
For more detailed information how to run this follow this link: http://www.addictivetips.com/windows-tips/transfer-files-settings-from-windows-7to-windows-8/
USMT (User State Migration Tool) works well in the enterprise, can be customized extensively and run scripted/automated. USMT version 5 (compatible with Windows 8) is included in the Windows ADK (which replaces the WAIK) and can be downloaded here: http://www.microsoft.com/enus/download/details.aspx?id=30652. USMT 5 works as before: scanstate.exe captures files and settings and loadstate.exe applies what scanstate.exe captured, still using XML files to define what should be captured. USMT 5 still works with Windows XP and later. For more detailed information about USMT version 5 follow this link: http://blogs.technet.com/b/askds/archive/2012/04/13/new-usmt-5-0-features-forwindows-8-consumer-preview.aspx

and set them as available offline (it just won't be done automatically)

Enable optimized move of content in Offline File cache on Folder Redirection server path change: if you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, the cached content is renamed in the local cache instead of being copied to the new location.

Redirect folders on primary computers only: a new feature which requires an Active Directory schema update (Windows Server 2012) that adds a new attribute to set a user's primary computer, so that you can exclude Folder Redirection on, for example, training/test and conference machines.
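An added example (not from the original post) of the scanstate/loadstate pair described above, with the store encrypted and the capture limited to one account. The ADK install path is the default one for ADK 8.0; the migration share \\MIGSRV\usmt$ and the user CONTOSO\alice are assumptions.

```powershell
# Added example, not code from the original post. Assumed: USMT 5 at the default
# Windows ADK 8.0 path, a share \\MIGSRV\usmt$ and the account CONTOSO\alice.
$Usmt  = 'C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\amd64'
$Store = '\\MIGSRV\usmt$\' + $env:COMPUTERNAME
$Key   = Join-Path $env:TEMP 'usmt.key'    # keep the key file off the store share

function Invoke-Usmt {
    param([ValidateSet('scanstate', 'loadstate')][string]$Tool, [string[]]$Arguments)
    & (Join-Path $Usmt "$Tool.exe") @Arguments
    # USMT returns 0 on success; anything else is in the tool's return code table.
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with return code $LASTEXITCODE (see $env:TEMP\$Tool.log)" }
}

# --- On the old machine: capture files and settings for one user only ---
# /ue:*\* excludes everyone, /ui re-includes the account we want (/uel:90 would
# instead skip accounts unused for 90 days). /encrypt protects the store with the
# key file; /o overwrites an old store; /c continues on non-fatal errors;
# /v:13 and /l give a verbose log.
[guid]::NewGuid().ToString() | Set-Content -Path $Key
Invoke-Usmt scanstate @(
    $Store, '/o', '/c', '/v:13', "/l:$env:TEMP\scanstate.log",
    "/i:$Usmt\MigApp.xml", "/i:$Usmt\MigDocs.xml",
    '/ue:*\*', '/ui:CONTOSO\alice',
    '/encrypt', "/keyfile:$Key"
)

# --- On the new Windows 8 machine: apply the captured state ---
# /lac creates missing local accounts (disabled) and /lae enables them; leave them
# out for domain accounts. /decrypt needs the same key file copied over securely.
Invoke-Usmt loadstate @(
    $Store, '/c', '/v:13', "/l:$env:TEMP\loadstate.log",
    "/i:$Usmt\MigApp.xml", "/i:$Usmt\MigDocs.xml",
    '/decrypt', "/keyfile:$Key"
)
```

For an in-place refresh on the same disk, replace the network store with a local folder and add /hardlink /nocompress to both commands; the data then stays where it is and only links are created, which is much faster and leaves nothing on a share.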
configure profiles
Not sure what this exam objective is asking for; I will update it when I find out. It could be something linked to the new account type. With a Microsoft account you have more freedom to use it on any machine than with a local or domain account, and your profile is also saved in the cloud.

Certification: Exam 70-687: Configuring Windows 8 Part 2: Configure Hardware and Applications (16%)

Posted by John Bryntze. Published in Certification, Microsoft, Windows 8

Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post it here. Part two is Configure Hardware and Applications, which is 16% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 2 we will look into these 6 objectives:
- Configure devices and device drivers
- Install and configure desktop applications
- Install and configure Windows Store applications
- Control access to local hardware and applications
- Configure Internet Explorer
- Configure Hyper-V
If you write the exam before 31st May 2013 be sure to register for a second shot (which means if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx )
Drivers get updated regularly and Microsoft keeps some drivers on Windows Update, which you can reach from Device Manager with Update Driver; alternatively download the driver from the manufacturer (often a more recent driver) and either install it or click Update Driver in Device Manager (see image above). To disable a device you can either right-click on the device itself in Device Manager or press Disable under the Driver tab (see the image above). If you update a driver and the device starts malfunctioning you have the option Roll Back Driver: the system has kept the previous driver and puts it back (if this option is greyed out there never was a previous driver).

If a device icon shows a down arrow in a circle, the device has been disabled. To resolve this, right-click on the device and choose Enable, then make sure it doesn't go to another state such as missing driver.

Here you can specify to run the exe file as under previous Windows versions; notice that Windows NT 4 isn't on the list. This can be useful if you run an older program that could run on Windows 8 but is hard-coded to check for a specific Windows version and only run on that. You can also reduce the color mode and screen resolution, and run as administrator (if you experience UAC issues; this elevates the program every time it starts, so use it only for programs that genuinely need it).

So if you run an exe install file or an msi directly from Explorer you get to answer some questions in a wizard. To run it from the command line you supply those answers up front and run it silently with msiexec and its quiet switch.

To repair you can go to Programs and Features, right-click on the program you want to repair and choose Change.
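An added example (not from the original post) of the msiexec install, repair and uninstall from the two paragraphs above, wrapped so that the Authenticode signature is verified before installing and the exit codes that mean "succeeded but needs a reboot" are not treated as failures. The package path C:\Install\jbkb-test.msi, the log path and the property values are assumptions, and the product code in the uninstall call is an all-zero placeholder.

```powershell
# Added example, not code from the original post. Package path, log path,
# property values and the placeholder product code are assumptions.
function Invoke-MsiPackage {
    param(
        [ValidateSet('Install', 'Repair', 'Uninstall')][string]$Action,
        [string]$Package,                          # .msi path, or {ProductCode} for Repair/Uninstall
        [string[]]$Properties = @(),               # public properties, e.g. 'INSTALLDIR=C:\Apps\JBKB'
        [string]$Log = "$env:TEMP\msi-$Action.log"
    )
    if ($Action -eq 'Install') {
        if (-not (Test-Path $Package)) { throw "Package not found: $Package" }
        # Refuse unsigned or tampered packages: MSI files carry Authenticode signatures.
        $sig = Get-AuthenticodeSignature -FilePath $Package
        if ($sig.Status -ne 'Valid') { throw "Signature check failed ($($sig.Status)): $Package" }
    }
    $switch = @{ Install = '/i'; Repair = '/fomus'; Uninstall = '/x' }[$Action]
    # /qn = no UI, /norestart = never reboot on its own, /l*v = verbose log for troubleshooting
    $argList = @($switch, "`"$Package`"", '/qn', '/norestart', "/l*v `"$Log`"") + $Properties
    $proc = Start-Process -FilePath msiexec.exe -ArgumentList $argList -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host "$Action succeeded" }
        3010    { Write-Warning "$Action succeeded, reboot required (ERROR_SUCCESS_REBOOT_REQUIRED)" }
        1641    { Write-Warning "$Action succeeded, installer initiated a reboot" }
        1605    { Write-Warning 'Product is not installed (ERROR_UNKNOWN_PRODUCT)' }
        default { throw "msiexec exited with $($proc.ExitCode); see $Log" }
    }
    return $proc.ExitCode
}

# Usage with the assumed paths:
Invoke-MsiPackage -Action Install   -Package 'C:\Install\jbkb-test.msi' -Properties 'INSTALLDIR=C:\Apps\JBKB', 'REBOOT=ReallySuppress'
Invoke-MsiPackage -Action Repair    -Package 'C:\Install\jbkb-test.msi'   # same as Change > Repair in Programs and Features
Invoke-MsiPackage -Action Uninstall -Package '{00000000-0000-0000-0000-000000000000}'   # placeholder ProductCode
```

Installing by full path from a directory standard users cannot write to, and logging with /l*v, is what makes a silent install auditable later; a package dropped in a user-writable temp folder and run with /qn is exactly the pattern malware uses, so the signature check before Start-Process is the part worth keeping.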
Then simply click on the Install button to start downloading and installing the application.

To reinstall an application you uninstalled or had on another machine, go into the Store, right-click and choose Your apps, and you will be able to reinstall the applications.

If an update becomes available for an app you will see it in the Store; simply click on App updates and choose to update all or select the ones you want to update.

You can then restrict the Windows Store content (well, what you can see) by using Family Safety (Parental Control). It doesn't show up by default on a domain-joined Windows 8 machine, but you can make it visible by enabling Make Family Safety control panel visible in a domain GPO.

Restriction is set per user account (it only works for standard users/non-admins but is set by an admin): under Control Panel\All Control Panel Items\Family Safety\User Settings\Game and Windows Store Restrictions check the [Username] can only use games and Windows Store apps I allow radio button, then click Set game and Windows Store ratings.

Here you can decide how it should handle games (apps) with no rating and, more important, restrict content based on age rating:
1. Early Childhood for 3+ ratings
2. Everyone for 6+ ratings
3. Everyone 10+ for 10+ ratings
4. Teen for 13+ ratings
5. Mature for 17+ ratings
6. Adults Only for 18+ ratings

Note: not 100% sure, but the TechNet documentation specifically mentions Windows 8 Enterprise (and Server 2012), so it is possible this is only supported on the Enterprise edition (but the GPO doesn't mention it).

If your machine is not joined to a domain you must activate a sideloading key before you can run the app. If your machine is joined to a domain, just enable the GPO Allow all trusted apps to install before you add a sideloaded app and run it. In both cases the package must be signed with a certificate that the machine trusts.
If the above is not fulfilled the app tiles will show an X in the bottom right corner. Sideloaded apps can be installed with two tools, PowerShell and DISM:

PowerShell command (installs for the current user): Add-AppxPackage C:\JBKB.appx -DependencyPath C:\JBKBccc.appx

DISM command (provisions the app for every user who logs on from now on): DISM /Online /Add-ProvisionedAppxPackage /PackagePath:C:\JBKB.appx /SkipLicense
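An added example (not from the original post) that checks the two prerequisites above before running the same two commands, and then verifies the result. The package and dependency paths C:\JBKB.appx and C:\JBKBccc.appx are the post's; the package name pattern JBKB* used for verification is an assumption.

```powershell
# Added example, not code from the original post. The package paths are the post's
# own example values; the name pattern used in the final check is an assumption.
$Package    = 'C:\JBKB.appx'
$Dependency = 'C:\JBKBccc.appx'

# 1. The package must be signed by a certificate this machine trusts (Trusted Root or
#    Trusted People), otherwise Add-AppxPackage fails with a chain error.
$sig = Get-AuthenticodeSignature -FilePath $Package
if ($sig.Status -ne 'Valid') { throw "Package signature is $($sig.Status); import the signing certificate first" }

# 2. "Allow all trusted apps to install" is this registry value, which the GPO sets.
#    On a non-domain machine the sideloading product key must be activated as well:
#    slmgr /ipk <sideloading key>  then  slmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$allowed = (Get-ItemProperty -Path $PolicyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
if ($allowed -ne 1) {
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name AllowAllTrustedApps -Value 1 -Type DWord
}

# 3a. Per-user install, the Add-AppxPackage route.
Add-AppxPackage -Path $Package -DependencyPath $Dependency

# 3b. Or provision for all future users, the DISM route (the DISM PowerShell module
#     wraps /Add-ProvisionedAppxPackage; -SkipLicense matches the /SkipLicense switch).
Add-AppxProvisionedPackage -Online -PackagePath $Package -DependencyPackagePath $Dependency -SkipLicense | Out-Null

# 4. Verify: Status should be 'Ok'. A tile with an X means one of the steps above is missing.
Get-AppxPackage -AllUsers -Name 'JBKB*' | Select-Object Name, Version, Status, InstallLocation
Get-AppxProvisionedPackage -Online | Where-Object { $_.DisplayName -like 'JBKB*' } | Select-Object DisplayName, Version
```

Enabling AllowAllTrustedApps means every package signed by any certificate in the machine's trusted stores will install, so the real control is which certificates you import into Trusted People; that store is the one to audit on machines where sideloading is on.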
Notice that Windows RT can use Local Machine Policies but take care because the Group Policy Client service, gpsvc, is disabled by default on Windows RT.
If you want, for example, to restrict normal users (local administrators are excluded by the default rules) from running a specific packaged app (*.appx), you can either manually create a rule for each approved or not approved app, or scan a template computer that already has all apps installed and set only those as allowed. I will go through both examples; this also works for Executable Rules (.exe, .com), Windows Installer Rules (.msi, .msp, .mst) and Script Rules (.ps1, .bat, .cmd, .vbs, .js).

A wizard starts at Before You Begin, which explains what the wizard will do; just click on Next > to continue. At Permission you decide the action, Allow or Deny; if two rules exist for the same application the Deny rule wins. Here you also decide which group it applies to; the default is Everyone. In this example we set Allow for Everyone and then press the Next > button.

At Publisher you either browse/select an app that is already installed or use an app reference. In this example we press the Select button, check the Microsoft SkyDrive app and then slide up to Package Name, and change Package Version from the version number to * (any version), which means that even if SkyDrive is updated it will still be allowed to run. To continue press the Next > button.

At Exceptions you can specify exceptions to the rule; in this example we have no exception and continue by pressing Next >. At Name you name the rule (the image shows the default name given) and you can also add a description, such as why this rule was created and what its goal is. Press Create to finish the rule.

For the automatic route a wizard starts, and on the first page you have to choose who these rules will apply to; the default is the Everyone group but you can browse to any group. You also have to choose whether it should generate rules for the apps already installed on the machine you are running the wizard from, or from a folder where you have put all the apps. In this example we leave the default Everyone group and the radio button on Generate rules for all packaged apps installed on this computer, and set a suitable name for these rules.

At Rule Preferences you have only one choice, which is enabled by default: Reduce the number of rules created by grouping similar applications; press the Next > button to continue. The wizard will now crawl through all installed packaged apps on the machine. At Review Rules you get an overview of how many rules were created for the packaged apps; if you left the default in the previous step the number of rules is smaller. If you are happy with the rules press the Create button.

Now you see the extra created rules, all starting with the name specified at the start of the wizard.

Choose the enforcement for each rule collection; if you don't want to enforce the rules you created you can choose Audit Only, and you will only see in the AppLocker event log what would have been blocked, but AppLocker won't block anything. Remember that nothing is enforced at all unless the Application Identity service is running.
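An added example (not from the original post) that does with the AppLocker cmdlets what the two wizards above do by hand: generate publisher allow rules for every packaged app on a reference machine with the rule-grouping option, relax them to any version like the version slider in the manual wizard, start in Audit Only, and read back what audit mode would have blocked. The output path C:\Policies\AppLocker-Packaged.xml and the rule name prefix RefPC are assumptions.

```powershell
# Added example, not code from the original post. Run on the reference machine that
# has every approved app installed. Output path and rule name prefix are assumptions.
$PolicyXml = 'C:\Policies\AppLocker-Packaged.xml'
New-Item -ItemType Directory -Force -Path (Split-Path $PolicyXml) | Out-Null

# AppLocker does nothing, not even auditing, unless the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 1. Same as "Generate rules for all packaged apps installed on this computer":
#    collect publisher information and build Allow rules for Everyone. -Optimize is the
#    "reduce the number of rules by grouping similar applications" checkbox.
$fileInfo = Get-AppxPackage -AllUsers | Get-AppLockerFileInformation
$policy   = New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher `
                -User Everyone -RuleNamePrefix 'RefPC' -Optimize

# 2. Start in Audit Only, the enforcement drop-down from the post.
foreach ($collection in $policy.RuleCollections) { $collection.EnforcementMode = 'AuditOnly' }

# 3. Generated publisher rules allow "this version and above". Setting the low bound to *
#    gives the same effect as sliding Package Version to * in the manual wizard.
$xml = $policy.ToXml() -replace 'LowSection="[0-9.]+"', 'LowSection="*"'
$xml | Out-File -FilePath $PolicyXml -Encoding utf8

# 4. Apply locally (-Merge keeps any rules already present). For a domain GPO use
#    Set-AppLockerPolicy -XmlPolicy $PolicyXml -Ldap "LDAP://..." instead.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge

# 5. Dry-run a file against the saved policy as a standard user would see it.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path "$env:SystemRoot\System32\notepad.exe" -User Everyone

# 6. What audit mode would have blocked (event 8021 in the packaged-app execution log).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/Packaged app-Execution'; Id = 8021 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Run the generated policy in Audit Only for a while and review the 8021 events before switching EnforcementM­ode to Enabled; a reference machine that was missing one approved app produces a policy that blocks it for everyone.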
This is nothing new in Windows 8 and existed before, so most likely not too many questions on this topic on the exam. There are 3 different security levels (the default is Unrestricted):
1. Disallowed: software will not run, regardless of the access rights of the user.
2. Basic User: allows programs to execute as a user that does not have administrator access rights, but can still access resources accessible by normal users.
3. Unrestricted: software access rights are determined by the access rights of the user.

To create a Software Restriction Policy rule go to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies, right-click on Additional Rules and choose one of the 4 rule types:
1. Certificate Rule: can reduce performance, since each file's signature is verified; you browse to a certificate and choose the security level.
2. Hash Rule: more secure than a Path Rule, since if a file is modified by malware or similar it gets another hash and is not allowed to run; the downside is that every update of the file needs a new rule.
3. Network Zone Rule: follows the same zones as Internet Explorer and lets you restrict installation of Windows Installer packages per zone.
4. Path Rule: easy to implement but less secure; if a file exists in a certain path it can, depending on the security level, be allowed to run, but if malware replaces a file in that path, or the user can write to it, the replacement will also be allowed to run (the opposite of hash rules).

If you want to prevent installation of removable devices (and prevent existing ones from updating their driver), enable Prevent installation of removable devices. If you only want to prevent (or allow) certain removable devices you must find out the device ID, and use Allow installation of devices that match any of these device IDs or alternatively Prevent installation of devices that match any of these device IDs. To find these device IDs, plug in the device, go to Device Manager, open its properties and read the Hardware Ids on the Details tab; the image below is a Western Digital external USB disk, for example: GenDisk, USBSTOR\GenDisk and so on. Note that a generic ID such as USBSTOR\GenDisk matches every USB disk, so pick the most specific ID in the list if you want to target one model.
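An added example (not from the original post) that lists USB storage devices with their hardware IDs and Device Manager status codes (this also covers the disabled-device state from the device driver section above) and then writes the deny list that the Prevent installation of devices that match any of these device IDs policy writes. USBSTOR\GenDisk is the hardware ID the post shows; the rest of the deny list is illustrative.

```powershell
# Added example, not code from the original post. USBSTOR\GenDisk is the hardware ID
# shown in the post; everything else here is illustrative.
function Get-UsbStorageDeviceInfo {
    # Hardware IDs are what the device-installation policies match on. The problem code
    # is what Device Manager shows: 0 = working, 22 = disabled, 28 = no driver installed.
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.DeviceID -like 'USBSTOR\*' -or $_.DeviceID -like 'USB\*' } |
        Select-Object Name, DeviceID,
            @{ Name = 'HardwareIDs'; Expression = { $_.HardwareID -join ' | ' } },
            @{ Name = 'ProblemCode'; Expression = { $_.ConfigManagerErrorCode } }
}

function Set-DeviceInstallDenyList {
    # Writes the values the GPO "Prevent installation of devices that match any of these
    # device IDs" writes. DenyDeviceIDsRetroactive extends the block to devices that are
    # already installed. A deny match always wins over an allow list.
    param([string[]]$HardwareIds, [switch]$BlockAllRemovable)
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    New-Item -Path "$base\DenyDeviceIDs" -Force | Out-Null
    Set-ItemProperty -Path $base -Name DenyDeviceIDs            -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name DenyDeviceIDsRetroactive -Value 1 -Type DWord
    $i = 1
    foreach ($id in $HardwareIds) {
        Set-ItemProperty -Path "$base\DenyDeviceIDs" -Name $i -Value $id -Type String
        $i++
    }
    if ($BlockAllRemovable) {
        # Equivalent of "Prevent installation of removable devices".
        Set-ItemProperty -Path $base -Name DenyRemovableDevices -Value 1 -Type DWord
    }
}

Get-UsbStorageDeviceInfo | Format-Table -AutoSize
Set-DeviceInstallDenyList -HardwareIds 'USBSTOR\GenDisk'
```

Writing the Policies hive directly is what a local GPO edit does; in a domain set the same values through the GPO so they are enforced and refreshed centrally. Use the most specific ID from the HardwareIDs column when you want to block one model rather than every USB disk.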
To configure Compatibility View Settings you use the command bar (if not visible press the ALT key) and go to Tools > Compatibility View Settings. Here you can add URLs that should be rendered in compatibility view mode (IE7 mode). You also decide if all websites should be viewed in compatibility view, or if all intranet URLs should default to this mode (to support intranet applications developed against older browsers). You can also download an updated list Microsoft provides of sites that display best in compatibility view.

All the above settings can of course be set by Group Policy: User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Compatibility View

Notice: nothing new in Internet Explorer 10; all the above has worked and been possible since Internet Explorer 8. The only small novelty is that Microsoft now keeps a compatibility view list of sites that need Flash for the Windows UI (Metro) version of Internet Explorer 10, the version without ActiveX that still has a slim, built-in Flash Player (not all features, and it drains less battery).

InPrivate Browsing is activated with CTRL + SHIFT + P and makes the browser not save any browsing history, cookies or temporary files during the session. Toolbars and extensions are disabled by default.

Tracking Protection: some providers, such as Google, that provide maps, advertisements and other tools can share this information to give a better experience but also less privacy. You can

ActiveX Filtering: if enabled you see a round blue circle with a line through it; clicking on it you can make an exception for that website to use ActiveX controls, otherwise they are disabled by default when ActiveX Filtering is enabled.

SmartScreen Filter: on by default; it checks the URL against a Microsoft database of sites flagged as dangerous and then advises you not to visit that site. You can also check a site manually,
and you can also report a site to Microsoft that you think is a phishing site or alike.
manage add-ons
Not much new in Internet Explorer 10; it works more or less as in earlier versions. These settings can be set with Group Policy but also manually:

Toolbars and Extensions: disable or enable specific ActiveX controls and browser extensions; some have extra options to configure, but there is no standard. Search Providers: add search providers; the default is Bing but you can add Google, Yahoo and others. Accelerators: choose accelerators for email/maps/translators. Tracking Protection: was covered earlier in this blog post; I can add that you can use your own list but also get a list online.
configure websockets
WebSockets are new in Internet Explorer 10 but have existed in earlier versions of alternative web browsers. ws:// or wss:// (the TLS-protected variant) is a web standard (RFC 6455) for a persistent, full-duplex connection between browser and server over a single TCP connection, which avoids the overhead of repeated HTTP requests where traditional polling slows down. I had problems finding how to configure WebSockets: there is no GUI in Internet Options, but there is one Group Policy setting, Turn off the WebSocket Object, which can disable WebSockets (they are enabled by default). Note that a WebSocket connection may be opened to any origin; the browser only sends an Origin header, so it is up to the server to check it.

So far pretty basic. This exam sub-objective includes manage download manager; when you are in it you can press the Options link and choose the download location and whether to be prompted when a download finishes, and that's it! My guess is that this objective is about managing the download manager with Group Policies, and there are a few (yeah, not that many really), all listed below:

Windows Components -> Internet Explorer -> Delete Browsing History -> Prevent Deleting Download History: as the name implies, users cannot delete their own download history.

Windows Components -> Internet Explorer -> Prevent users from bypassing SmartScreen Filter's application reputation warnings about files that are not commonly downloaded from the Internet: again as the name implies, if SmartScreen warns about a downloaded file, users cannot go around it.
Configure Hyper-V
Hyper-V 3.0 on Windows 8 is the first Hyper-V that runs on a client OS, and it also supports sleep mode. Exam tip: remember that Hyper-V can only run on 64-bit Windows 8 Pro or Enterprise, and the CPU must support Second Level Address Translation (SLAT), so be careful with questions mentioning that you want to run Hyper-V on a 32-bit Windows 8; it won't be possible.

1. Right-click on the Hyper-V server and go to New -> Virtual Machine and a wizard starts.
2. At section Before You Begin just read through and then press Next > to continue.
3. At section Specify Name and Location you do exactly that: you specify the name of the virtual machine and also its location. The default location is C:\ProgramData\Microsoft\Windows\Hyper-V\, but I recommend creating your own root folder and checking the box Store the virtual machine in a different location. Once done press Next > to continue.
4. At section Assign Memory you specify how much memory (in megabytes) the guest OS will use; this depends of course on how much the OS and the applications on it require.
5. At section Configure Networking you can, if one has been created, choose the network you want (and after the wizard has finished add more); basically there are 3 different kinds: private, internal and external. Choose your connection and then press Next > to continue.
6. At section Connect Virtual Hard Disk you have the choices to create a new virtual hard disk (and set its size in gigabytes), add an existing one (the requirement is that it is in VHD or VHDX format), or add a virtual hard disk later. Once chosen press Next > to continue.
7. At section Installation Options you can install the OS now or later; if you do it now you can either access the media from the Hyper-V host's physical CD/DVD drive, browse to an ISO file, or install from a virtual floppy disk (VFD format).
8. At section Summary verify that all looks good and finish it, and the virtual machine gets created.
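An added example (not from the original post) that creates the same virtual machine with the Hyper-V PowerShell module, step for step as the wizard above, and then applies the post-wizard tweaks from the next section (legacy adapter, integration services, automatic start action, file locations). The VM name JBKB-VM01 and the root folder C:\Hyper-V Virtual Machines are the post's own example paths; the ISO path, memory sizes and switch name are assumptions.

```powershell
# Added example, not code from the original post. VM name and root folder come from
# the post's examples; ISO path, memory sizes and switch name are assumptions.
$VMName = 'JBKB-VM01'
$Root   = 'C:\Hyper-V Virtual Machines'
$Iso    = 'D:\ISO\Windows8.iso'
$Switch = 'Lab-Internal'

# Step 5 needs a switch to exist first; an Internal switch keeps the lab off the LAN.
if (-not (Get-VMSwitch -Name $Switch -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $Switch -SwitchType Internal | Out-Null
}

# Steps 2, 3 and 6: name, own root folder ("Store the virtual machine in a different
# location"), a new dynamically expanding VHDX, and the network connection.
New-VM -Name $VMName -Path $Root -MemoryStartupBytes 2GB `
       -NewVHDPath "$Root\$VMName\$VMName.vhdx" -NewVHDSizeBytes 60GB -SwitchName $Switch | Out-Null

# Step 4: memory. A minimum below the startup value is the case where the smart paging
# file (Management section) is used during a restart.
Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $true -MinimumBytes 512MB -StartupBytes 2GB -MaximumBytes 4GB

# Step 7: install from an ISO in the virtual DVD drive and boot from it first.
Set-VMDvdDrive -VMName $VMName -Path $Iso
Set-VMBios -VMName $VMName -StartupOrder @('CD', 'IDE', 'LegacyNetworkAdapter', 'Floppy')

# Post-wizard settings: a Legacy adapter is the only one that can PXE boot; time sync is
# normally switched off for a guest that will be a domain controller.
Add-VMNetworkAdapter -VMName $VMName -IsLegacy $true -SwitchName $Switch
Disable-VMIntegrationService -VMName $VMName -Name 'Time Synchronization'
Set-VM -Name $VMName -AutomaticStartAction StartIfRunning -AutomaticStopAction Save `
       -SnapshotFileLocation "$Root\$VMName" -SmartPagingFilePath "$Root\$VMName"

Start-VM -Name $VMName
# After the OS is installed, take the first snapshot as a clean point to return to:
# Checkpoint-VM -Name $VMName -SnapshotName 'Clean install'

Get-VM -Name $VMName | Select-Object Name, State, MemoryStartup, DynamicMemoryEnabled, AutomaticStartAction
```

Keeping the VM folder outside C:\ProgramData and setting both SnapshotFileLocation and SmartPagingFilePath before the first snapshot matters because, as the next section notes, the snapshot location is locked once a snapshot exists.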
Once the wizard has finished you can modify the virtual machine, such as add a Legacy Network Adapter (needed for PXE booting, for example), adjust memory, add more disks and so on. Under the section Management you have some settings:

Name: you can edit the name or add notes to it.

Integration Services: installed by default on newer Hyper-V-aware OSes but might need to be installed on older Windows OSes.
- Operating System shutdown: the Hyper-V host can do a clean shutdown of the guest OS.
- Time Synchronization: the guest OS syncs its time against the host OS (you can still have a different time zone that adjusts the time, of course).
- Data Exchange: provides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.
- Heartbeat: the heartbeat service allows the host OS to detect when a virtual machine has locked up, crashed or otherwise ceased to function. The host OS sends heartbeat messages to the guest operating system at regular intervals; it is then the job of the Hyper-V Heartbeat Service installed in the guest operating system to send a response to each of these heartbeat messages.
- Backup (volume snapshot): a VSS requester is installed that allows VSS writers in the guest operating system to participate in the backup of the VM.

Snapshot File Location: by default the same location as the virtual machine, followed by the name of the virtual machine, for example C:\Hyper-V Virtual Machines\JBKB-VM01.

Smart Paging File Location: same default as Snapshot File Location. Smart paging is a memory management technique that provides a reliable restart experience for virtual machines configured with less minimum memory than startup memory.

Automatic Start Action: when the host OS starts you have 3 automatic start actions for the guest OS:
- Nothing
- Automatically start if it was running when the service stopped (default)
- Always start this virtual machine automatically

If you right-click on a snapshot you can delete it, take a new snapshot of the current state, or apply the snapshot.

The snapshot location was explained above; it can be changed as long as no snapshot has been taken, but once there is a snapshot you cannot change the location anymore (it is greyed out). Snapshot files have the file extension .avhdx (or .avhd when the disk is a VHD).

The 3 different switch types have some small configuration options. For an External network you have to choose in a drop-down box which physical NIC to bind it to; new in Hyper-V 3 is that you can bind to a Wi-Fi NIC (in Hyper-V 2 there was a dirty, unsupported workaround to make it work), and you can also set a VLAN ID for the management OS. For Internal networks you can choose a VLAN ID. Private networks have no configuration, just a name to choose.

Virtual hard disk formats:
- VHD: supports virtual hard disks up to 2,040 GB in size.
- VHDX: supports virtual hard disks up to 64 TB (this format is not supported in Hyper-V versions 1 and 2).

There are 3 different disk types:
1. Fixed size: creates a VHD or VHDX file that takes up the full disk size even if it is empty or unused; this can be useful when an application checks for free disk space before it allows installation.
2. Dynamically expanding: uses less space than fixed size and expands dynamically as disk space is needed.
3. Differencing: you keep a static parent disk and add a differencing disk to which all changes are written. This is very good in a lab/training environment, for example, where you can restore to the default state by just deleting the differencing disk.

You can configure the disk size (remember the limits of VHD and VHDX) and even copy the contents of a physical disk/virtual disk to the newly created virtual disk, or keep it blank.
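An added example (not from the original post) covering the three switch types and the three disk types above, with the VHD/VHDX size limits from the post enforced before a disk is created and the parent of a differencing disk made read-only. The physical adapter name Ethernet, the VM name JBKB-VM01 (from the post's example path) and the disk folder are assumptions.

```powershell
# Added example, not code from the original post. Adapter name, VM name and paths
# are assumptions. Requires the Hyper-V module on an elevated prompt.
$VMName = 'JBKB-VM01'
$Store  = 'C:\Hyper-V Virtual Machines\Disks'
New-Item -ItemType Directory -Force -Path $Store | Out-Null

# The three switch types. External binds to a physical (or, new in Hyper-V 3, Wi-Fi)
# NIC; -AllowManagementOS keeps the host's own connectivity on that NIC.
New-VMSwitch -Name 'External' -NetAdapterName 'Ethernet' -AllowManagementOS $true | Out-Null
New-VMSwitch -Name 'Internal' -SwitchType Internal | Out-Null     # host <-> guests only
New-VMSwitch -Name 'Private'  -SwitchType Private  | Out-Null     # guests only
# VLAN IDs are set per virtual network adapter, not on the switch itself:
Set-VMNetworkAdapterVlan -VMName $VMName -Access -VlanId 10

function New-LabVhd {
    # Enforces the format limits from the post: .vhd tops out at 2,040 GB, .vhdx at 64 TB.
    param([string]$Path, [UInt64]$SizeBytes, [ValidateSet('Fixed', 'Dynamic')][string]$Type = 'Dynamic')
    $limit = if ([IO.Path]::GetExtension($Path) -eq '.vhdx') { 64TB } else { 2040GB }
    if ($SizeBytes -gt $limit) { throw "${Path}: $SizeBytes bytes exceeds the format limit of $limit bytes" }
    if ($Type -eq 'Fixed') { New-VHD -Path $Path -SizeBytes $SizeBytes -Fixed }
    else                   { New-VHD -Path $Path -SizeBytes $SizeBytes -Dynamic }
}

# 1. Fixed: allocates the full size up front (satisfies installers that check free space).
New-LabVhd -Path "$Store\fixed.vhdx" -SizeBytes 20GB -Type Fixed | Out-Null
# 2. Dynamic: a small file that grows as the guest writes to it.
$base = New-LabVhd -Path "$Store\base.vhdx" -SizeBytes 40GB
# 3. Differencing: all writes go to the child; delete the child to reset the lab. The
#    parent must never change afterwards, so mark the file read-only.
Set-ItemProperty -Path $base.Path -Name IsReadOnly -Value $true
$diff = New-VHD -Path "$Store\lab01.vhdx" -ParentPath $base.Path -Differencing
Add-VMHardDiskDrive -VMName $VMName -Path $diff.Path

# What is actually on disk versus what the guest sees:
Get-VHD -Path "$Store\fixed.vhdx", "$Store\base.vhdx", "$Store\lab01.vhdx" |
    Select-Object Path, VhdFormat, VhdType,
        @{ Name = 'SizeGB';     Expression = { $_.Size / 1GB } },
        @{ Name = 'FileSizeMB'; Expression = { [int]($_.FileSize / 1MB) } }
```

Get-VHD shows the point of the three types at a glance: the fixed file equals its Size, the dynamic parent is a few MB until the guest writes, and the differencing child starts near zero and grows with every change while the parent stays untouched.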
Certification: Exam 70-687: Configuring Windows 8 Part 3: Configure Network Connectivity (15%)
Posted by John Bryntze. Published in Certification, Microsoft, Windows 8

Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post it here. Part three is Configure Network Connectivity, which is 15% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 3 we will look into these 4 objectives:
- Configure IP settings
- Configure networking settings
- Configure and maintain network security
- Configure remote management
If you write the exam before 31st May 2013 be sure to register for a second shot (which means if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx )
Configure IP settings
configure name resolution
No big changes from Windows 7: you can either get your name resolution servers (DNS and/or WINS) from DHCP or configure them manually in Network and Sharing Center. You can also configure DNS from the command line, with netsh or with the new DnsClient PowerShell cmdlets.
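An added example (not from the original post) of configuring the DNS client from the command line: it checks that each server answers before switching the interface to static servers, shows the netsh equivalents, verifies resolution and then returns to DHCP. The interface alias Ethernet, the server addresses and the DNS suffix are assumptions; john.bryntze.net is the name the post uses later for testing.

```powershell
# Added example, not code from the original post. Interface alias, server addresses
# and suffix are assumptions. The Set-* calls need an elevated prompt.
$Alias   = 'Ethernet'
$Servers = '10.0.0.10', '10.0.0.11'
$Probe   = 'john.bryntze.net'

# What the interface uses now (DHCP-supplied servers are listed here as well).
Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4

# Do not point a machine at a server that does not answer: query each one directly first.
foreach ($s in $Servers) {
    try   { Resolve-DnsName -Name $Probe -Type A -Server $s -ErrorAction Stop | Out-Null }
    catch { throw "DNS server $s did not resolve ${Probe}: $($_.Exception.Message)" }
}

# Static servers (first = primary), a connection-specific suffix, and dynamic registration.
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Servers
Set-DnsClient -InterfaceAlias $Alias -ConnectionSpecificSuffix 'corp.example.com' -RegisterThisConnectionsAddress $true

# The netsh equivalents, still valid and still asked about:
#   netsh interface ipv4 set dnsservers name="Ethernet" source=static address=10.0.0.10 register=primary validate=no
#   netsh interface ipv4 add dnsservers name="Ethernet" address=10.0.0.11 index=2 validate=no
#   netsh interface ipv4 set dnsservers name="Ethernet" source=dhcp

# Verify through the normal resolver path, then flush the cache and re-register the host record.
Resolve-DnsName -Name $Probe -Type A
Clear-DnsClientCache
Register-DnsClient
Get-DnsClientServerAddress -InterfaceAlias $Alias -AddressFamily IPv4

# Back to DHCP-supplied servers (equivalent of "Obtain DNS server address automatically").
Set-DnsClientServerAddress -InterfaceAlias $Alias -ResetServerAddresses
```

Resolve-DnsName with -Server bypasses the local cache and the configured servers, which is why it is the right check before and after changing the configuration; a plain ping would happily answer from cache.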
connect to a network
Connect to a network is the exact name of a Windows 8 native app that shows up if you type it in search, as the image below shows. You can also connect outside the Modern UI as before. Here, on the right side of your screen, you get all possible connections, such as Wi-Fi connections, VPN connections if any are configured, and even DirectAccess if configured.

Network location (profile) types:
- Private: useful at home/SOHO.
- Guest or Public: useful when connecting to an airport Wi-Fi hotspot or other public places.
- Domain: for domain networks.

For each of these network profiles you can decide if network discovery, file sharing and printer sharing should be turned on or off. In Group Policy, Network List Manager Policies let you decide in advance which network location a given network (by name) gets and whether the user has rights to change it.

2. If only one machine on the network has the issue, check that it has an IP address with ipconfig (/all); if not, check the media and try other outlets, or verify that the machine is within Wi-Fi range.
3. If the machine has a correct IP address, check that it can ping its gateway; if it can, it is most likely a name resolution issue. Check that DNS answers with nslookup, or simply ping (or pathping) john.bryntze.net and see that it resolves to an IP address.

It is very rare, but if using static IP addresses check for IP address conflicts, or if using DHCP check that two scopes do not overlap. You can also right-click on a connection and choose Troubleshoot problems, and a wizard will suggest some actions.
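An added example (not from the original post) that runs the troubleshooting steps above as one script: address check (including the 169.254 APIPA case that means DHCP never answered), gateway reachability, a direct query to each configured DNS server, end-to-end reachability, and a look for the Tcpip address-conflict event for the rare case in the last paragraph. john.bryntze.net is the test host the post uses; no other names are assumed.

```powershell
# Added example, not code from the original post. Uses john.bryntze.net as the test
# host, as the post does; everything else is read from the machine's configuration.
function Test-ClientConnectivity {
    param([string]$TestHost = 'john.bryntze.net')
    $r = [ordered]@{}

    # Step 2: a usable IPv4 address on an adapter that is up. 169.254.x.x = APIPA, DHCP failed.
    $cfg = Get-NetIPConfiguration |
           Where-Object { $_.NetAdapter.Status -eq 'Up' -and $_.IPv4Address } |
           Select-Object -First 1
    if (-not $cfg) { $r.Verdict = 'No adapter is up with an IPv4 address: check cable/outlet or Wi-Fi range'; return [pscustomobject]$r }
    $ip = $cfg.IPv4Address[0].IPAddress
    $r.Adapter = $cfg.InterfaceAlias
    $r.IPv4    = $ip
    if ($ip -like '169.254.*') { $r.Verdict = 'APIPA address: DHCP not reachable (ipconfig /renew, check the scope)'; return [pscustomobject]$r }

    # Step 3: can we reach the gateway? If not, it is a local network problem, not DNS.
    $gw = @($cfg.IPv4DefaultGateway)[0].NextHop
    $r.Gateway = $gw
    if (-not $gw -or -not (Test-Connection -ComputerName $gw -Count 2 -Quiet)) { $r.Verdict = 'Gateway does not answer: local network problem'; return [pscustomobject]$r }

    # Name resolution: ask each configured IPv4 DNS server directly (AddressFamily 2 = IPv4).
    $servers = @($cfg.DNSServer | Where-Object { $_.AddressFamily -eq 2 } | ForEach-Object { $_.ServerAddresses })
    $r.DnsServers = $servers -join ', '
    $resolved = $null
    foreach ($s in $servers) {
        try {
            $rec = Resolve-DnsName -Name $TestHost -Type A -Server $s -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
            if ($rec) { $resolved = @($rec)[0].IPAddress; break }
        } catch { }
    }
    if (-not $resolved) { $r.Verdict = "Gateway OK but $TestHost does not resolve: DNS problem"; return [pscustomobject]$r }
    $r.Resolved = $resolved
    $r.Verdict  = if (Test-Connection -ComputerName $resolved -Count 2 -Quiet) { 'Connectivity OK' }
                  else { "Resolves but no reply from ${resolved}: upstream or firewall" }

    # The rare case: Tcpip logs event 4199 in the System log when it detects an address conflict.
    $conflict = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Tcpip'; Id = 4199 } `
                    -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($conflict) { $r.LastAddressConflict = $conflict.TimeCreated }
    [pscustomobject]$r
}

Test-ClientConnectivity | Format-List
```

Each step returns as soon as it finds the fault, so the Verdict field tells you which layer to look at; the order (address, gateway, DNS, target) is the same one the post describes and the same one the Troubleshoot problems wizard walks through.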
IPv6
Notice: Extra added due to rumors that Microsoft start to push for IPv6 on exams Since Windows Vista IPv6 is enabled by default, think about a few things:
IPv6 addresses are 128 bits long and written in hexadecimal, compared with the 32 bits (each a 1 or 0) of an IPv4 address.
Identify a multicast IPv6 address by the fact that it always starts with FF0.
Identify a link-local unicast IPv6 address by the fact that it always starts with FE80.
In IPv4 the loopback address is, for some strange reason, 127.0.0.1 (removing a full A-net), but in IPv6 the loopback address is more logical: 0000:0000:0000:0000:0000:0000:0000:0001. Know that you can drop the runs of 0000, so this address can be written ::0001 or, as you often see it, just ::1.
If you are used to subnet masks such as 255.255.0.0, they are not used in IPv6. IPv6 still has subnets, but the subnet information is part of the address: of the 128 bits, the first 48 bits are the network prefix, the following 16 bits are the subnet ID used to create subnets, and the last 64 bits are the device ID.
IPv6 also uses DNS, but the host records that are A records in IPv4 are AAAA records in IPv6. Windows 8 supports a number of tunnel technologies that can transport IPv6 packets over IPv4 networks, such as Teredo and ISATAP.
A few Windows 8 functions only work with IPv6, such as DirectAccess and HomeGroup.
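A PowerShell function, added as an example and not part of the post, that expands a compressed IPv6 address, classifies it by its leading bits (multicast FF, link-local FE80, loopback ::1) and splits it into the 48/16/64-bit parts described above. It relies only on the .NET System.Net.IPAddress class; the sample addresses and the function name are constructed.

```powershell
# Added example (not from the post): classify an IPv6 address and split it into the
# 48-bit network prefix, 16-bit subnet ID and 64-bit device ID described above.
# Uses only the .NET System.Net.IPAddress class that Windows 8 ships with.
function Get-JbkbIPv6Info {
    param([Parameter(Mandatory)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "$Address is not an IPv6 address"
    }
    # 16 bytes = 128 bits; the '::' compression is already expanded by Parse()
    $b   = $ip.GetAddressBytes()
    $hex = ($b | ForEach-Object { $_.ToString('x2') }) -join ''
    # Full written form: 8 groups of 4 hex digits (::1 becomes 0000:...:0001)
    $expanded = $hex -replace '(.{4})(?=.)', '$1:'

    $kind = 'global unicast'
    if     ($ip.Equals([System.Net.IPAddress]::IPv6Loopback))    { $kind = 'loopback' }
    elseif ($b[0] -eq 0xFF)                                       { $kind = 'multicast' }          # FFxx::/8
    elseif ($b[0] -eq 0xFE -and (($b[1] -band 0xC0) -eq 0x80))    { $kind = 'link-local unicast' } # FE80::/10

    [pscustomobject]@{
        Input         = $Address
        Expanded      = $expanded
        Kind          = $kind
        NetworkPrefix = $expanded.Substring(0, 14)   # first 48 bits  = groups 1-3
        SubnetId      = $expanded.Substring(15, 4)   # next 16 bits   = group 4
        DeviceId      = $expanded.Substring(20)      # last 64 bits   = groups 5-8
    }
}

# Constructed sample addresses: loopback, link-local, multicast and a documentation-range global address
'::1', 'fe80::1', 'ff02::1', '2001:db8:abcd:12::1' |
    ForEach-Object { Get-JbkbIPv6Info -Address $_ } |
    Format-Table -AutoSize
```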
To make sure we connect to the right network when multiple networks are available, Windows maintains an ordered list of your preferred networks based on your explicit connect and disconnect actions, as well as the network type. For example, if you manually disconnect from a network, Windows will no longer automatically connect to that network. If, while connected to one network, you decide to connect to a different network, Windows will move the new network higher in your preferred networks list. Windows automatically learns your preferences in order to manage this list for you.
Not related to this exam, but you can see the history of SSIDs you have connected to, per interface, as XML files in this folder: C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{Interface ID}
Pressing the Configure button gives you more configuration options such as drivers; for WiFi you can modify signal strength, 802.11x mode and Power Management (whether the adapter should be shut down to save battery).
Location-aware printing is not a new feature, it existed already in Windows 7. It works so that your default printer follows you: at work you can have one default printer and another at home without manually switching. Just click on an installed printer in Control Panel and select Manage default printers.
Be sure Change my default printer when I change networks is selected and then manage, per network, which printer you want to be the default.
Location-Aware Printing is dependent upon the Network List Service and the Network Location Awareness service. If either one of these services is stopped or malfunctioning, Windows will not be able to detect network changes and may not switch default printers as expected.
In Allowed apps you can decide which programs may accept connections, and under which Network Profile, by simply checking the check boxes.
The default setting is to not allow incoming connections to any program that is not in the Allowed apps list.
Program
All programs: if you need a rule that applies to all programs and then limit it on Protocol and Ports instead.
This program path: a specific executable, for example c:\program files\jbkb\jbkb-test.exe
Services: a drop-down list to decide if the rule applies to all programs and services, only services, or a specific service (or service short name).
Protocol and Ports
The most common protocols are TCP and UDP, but you can also specify others such as ICMP (ping, for example), GRE (for some VPNs) etc., or use Custom and type in any protocol that exists. If you choose TCP or UDP you also need to specify port numbers, both local and remote. An example rule could be to block Local Port/All Ports to Remote Port/Port 25 to stop malware from trying to send SPAM directly. You can also leave all protocols/ports open and restrict on Programs instead.
Scope
Which local IP addresses does this rule apply to: the default is Any IP address, but you can change it and specify an IP address range by clicking These IP addresses.
Which remote IP addresses does this rule apply to: the default is Any IP address, but you can change it and specify an IP address range by clicking These IP addresses.
Action
If a connection matches all the above you decide what action happens, one of these 3:
1. Block the connection (default option)
2. Allow the connection
3. Allow the connection if it is secure: if the connection uses IPsec (explained in the section below) it is allowed.
Profile
Here you choose if this rule applies to the Domain and/or Private and/or Public Network Profile.
Name
Put a name for the rule and an optional description.
With a Connection Security Rule you specify which networks/clients need IPsec security, based on Endpoints, Requirements, Authentication Method, Protocol and Ports and Network Profile.
Endpoints
Create a secure (IPsec) connection between computers in Endpoint 1 and Endpoint 2. You have two settings to configure:
1. Which computers are in Endpoint 1?
2. Which computers are in Endpoint 2?
Requirements
When do you want authentication to occur? There are 4 different choices:
1. Request authentication for inbound and outbound connections: notice that when it says request, it will just check if authentication is possible and, if not, still continue; the difference from Require is that Require is enforced.
2. Require authentication for inbound connections and request authentication for outbound connections: inbound connections must (= require) authenticate, and outbound connections authenticate if possible (= request).
3. Require authentication for inbound and outbound connections: inbound and outbound connections must authenticate, else they fail.
4. Do not authenticate: all connections will work without authentication.
Authentication Method
Default: the authentication specified in the IPsec settings.
Computer and user (Kerberos V5): restrict connections to only domain-joined users and computers.
Computer (Kerberos V5): restrict connections to only domain-joined computers.
Advanced: here you can specify NTLMv2, certificate, shared secret and other authentication methods.
Protocol and Ports
The most common protocols are TCP and UDP, but you can also specify others such as ICMP (ping, for example), GRE (for some VPNs) etc., or use Custom and type in any protocol that exists. If you choose TCP or UDP you also need to specify port numbers, both local and remote.
Network Profile
Here you choose if this rule applies to the Domain and/or Private and/or Public Network Profile.
Name
Put a name for the rule and an optional description.
To read more: http://technet.microsoft.com/en-us/library/cc947812%28v=ws.10%29.aspx
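The two rule types described above (the program/port rule from the Windows Firewall section and the Connection Security Rule from this section) created with the NetSecurity cmdlets that ship with Windows 8, added here as an example and not taken from the post. It assumes an elevated PowerShell session; the program path is the post's example path, the rule names are made up, and Outbound direction and the TCP 445 scope for the IPsec rule are my choices.

```powershell
# Added example (not from the post): the post's example program rule (block this program
# from sending to remote TCP port 25, any local port) and a Connection Security Rule with
# Requirements choice 2 (Require inbound / Request outbound) using the Default
# authentication from the IPsec settings. Requires an elevated session.
$program = 'C:\Program Files\jbkb\jbkb-test.exe'   # example path from the post

# Program rule: Action = Block, Protocol = TCP, Local port = Any, Remote port = 25, all profiles.
# Direction Outbound is assumed here, since "sending SPAM" is outbound traffic.
New-NetFirewallRule -DisplayName 'JBKB block direct SMTP' `
    -Direction Outbound -Action Block `
    -Program $program -Protocol TCP -LocalPort Any -RemotePort 25 `
    -Profile Domain,Private,Public `
    -Description 'Block this program from sending mail straight to remote port 25'

# Connection Security Rule: inbound connections must authenticate with IPsec, outbound
# ones are asked to; scoped to TCP 445 (file sharing) on the Domain profile as an example.
New-NetIPsecRule -DisplayName 'JBKB require IPsec for SMB' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Protocol TCP -LocalPort 445 -RemotePort Any `
    -Profile Domain

# Verify what was created, the same information the Windows Firewall with Advanced Security console shows
Get-NetFirewallRule -DisplayName 'JBKB block direct SMTP' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort
Get-NetIPsecRule -DisplayName 'JBKB require IPsec for SMB' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile
```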
There are some changes to wireless in general in Windows 8. Added support for these Wi-Fi authentication types:
WISPr (Wireless Internet Services Provider roaming)
EAP-SIM/AKA/AKA Prime (SIM-based authentication), easier and quicker when connecting to WiFi hotspots
EAP-TTLS
WISPr is enabled by default in Windows 8, but you can disable it in Group Policy by disabling the policy Enable Hotspot Authentication.
If you just need to work on the machine (logged-in users get disconnected, not logged out as in Windows XP) you can use Remote Desktop (mstsc.exe).
Run WinRM Quickconfig to enable remote management.
Make sure the service Remote Registry is running.
If Remote Assistance is needed, enable the Group Policy setting Allow Remote Assistance connections to this computer.
If Remote Desktop sessions are needed, enable them in Group Policy and specify which users have the right (local administrators are added by default); also decide if connections require NLA (supported from Vista clients and later).
For some of these settings the Remote Registry service must be enabled, and of course you need permission on the remote client. To modify remote settings with PowerShell you can either specify the remote machine, if the PowerShell command itself accepts a remote machine as input, or run an interactive PowerShell session with this command (JBKB-Client01 is the remote machine in this example):
enter-pssession JBKB-Client01
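A check of the remote-management settings listed above, run over the same WinRM channel with Invoke-Command instead of an interactive session; added as an example and not from the post. JBKB-Client01 is the post's example machine name, the function name is made up, and the registry value names are the standard ones Windows uses for Remote Desktop, NLA and Remote Assistance.

```powershell
# Added example (not from the post): report the remote-management state of a Windows 8
# machine over WinRM. The target must already have had "winrm quickconfig" run, exactly
# as Enter-PSSession needs. Registry value names are the standard ones behind the
# Remote Desktop / NLA / Remote Assistance settings described above.
function Get-JbkbRemoteSettings {
    param([Parameter(Mandatory)][string]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        $rdp = "$ts\WinStations\RDP-Tcp"
        $ra  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'

        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            WinRMService         = (Get-Service -Name WinRM).Status
            RemoteRegistry       = (Get-Service -Name RemoteRegistry).Status
            # fDenyTSConnections = 1 means Remote Desktop connections are NOT allowed
            RemoteDesktopEnabled = ((Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0)
            # UserAuthentication = 1 means Network Level Authentication is required
            NLARequired          = ((Get-ItemProperty -Path $rdp -Name UserAuthentication).UserAuthentication -eq 1)
            # fAllowToGetHelp = 1 means Remote Assistance connections to this computer are allowed
            RemoteAssistance     = ((Get-ItemProperty -Path $ra -Name fAllowToGetHelp).fAllowToGetHelp -eq 1)
        }
    }
}

Get-JbkbRemoteSettings -ComputerName JBKB-Client01 | Format-List
```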
Certification: Exam 70-687: Configuring Windows 8 Part 4: Configure Access to Resources (14%)
Posted by John Bryntze Published in Certification, Microsoft, Windows 8 Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post it here. Part four is Configure Access to Resources, which is 14% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687 In this part 4 we will look into these 4 objectives:
Configure shared resources
Configure file and folder access
Configure local security settings
Configure authentication and authorization
Share: when using this you cannot choose the share name, it gets the same name as the folder itself. You are set as owner and you can add users and give them Read or Read/Write permission.
Advanced Sharing: here you can choose the share name, set more granular permissions and decide caching options.
Requires IPv6 to be enabled (it is enabled by default). The following services must be running on all machines in the HomeGroup:
DNS Client
Function Discovery Provider Host
Function Discovery Resource Publication
Peer Networking Grouping
HomeGroup Provider
HomeGroup Listener
SSDP Discovery
UPnP Device Host
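A PowerShell check of the HomeGroup prerequisites just listed (IPv6 bound on an adapter and the eight services running), added as an example and not from the post. It assumes the NetAdapter module that ships with Windows 8; the service short names are the real ones behind the display names above, and the function name is made up.

```powershell
# Added example (not from the post): verify the HomeGroup prerequisites on the local
# Windows 8 machine. Service short names map to the display names in the list above.
function Test-JbkbHomeGroupPrereqs {
    $services = [ordered]@{
        Dnscache          = 'DNS Client'
        fdPHost           = 'Function Discovery Provider Host'
        FDResPub          = 'Function Discovery Resource Publication'
        p2psvc            = 'Peer Networking Grouping'
        HomeGroupProvider = 'HomeGroup Provider'
        HomeGroupListener = 'HomeGroup Listener'
        SSDPSRV           = 'SSDP Discovery'
        upnphost          = 'UPnP Device Host'
    }
    foreach ($name in $services.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Check  = $services[$name]
            Status = $(if ($svc) { $svc.Status } else { 'not installed' })
            OK     = [bool]($svc -and $svc.Status -eq 'Running')
        }
    }
    # ms_tcpip6 is the component ID of the IPv6 protocol binding on every adapter
    $ipv6 = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled
    [pscustomobject]@{
        Check  = 'IPv6 enabled on at least one adapter'
        Status = $(if ($ipv6) { $ipv6.Name -join ', ' } else { 'disabled on all adapters' })
        OK     = [bool]$ipv6
    }
}

Test-JbkbHomeGroupPrereqs | Format-Table -AutoSize
```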
A Windows 8 machine that is already a member of a domain cannot host a HomeGroup, but it can join one (and still be a member of the domain); it cannot share its own libraries but can access the others'. To join a HomeGroup, for example one hosted on a Windows 7 machine named EMMA-LAPTOP, do the following:
1. In Control Panel click HomeGroup. If a HomeGroup exists (and the machine hosting it is started) you will see it (even if IPv6 is not enabled); to join this HomeGroup click the Join now button.
2. A wizard starts explaining what you will be able to do (if you are joined to a domain you cannot share your own files, just access others'). Click Next to continue.
3. You need to know the shared secret. The machines already joined to the HomeGroup can get it by clicking View or print the homegroup password in Control Panel -> HomeGroup (you only see this option if you are joined to the homegroup already). When you know the shared secret, or homegroup password as it is called, type it in.
4. If you entered the correct homegroup password you get a confirmation that you have joined the homegroup (if wrong, go back and retype it correctly). Also, if IPv6 is not enabled you will get a warning and need to enable it before you can continue.
So when your machine is a member of a HomeGroup the Control Panel item is displayed differently; now you can do the following:
View or print the homegroup password: if another machine needs to join this homegroup you can click here, see the password in clear text and share it.
Change the password: if you decide to change the HomeGroup password, you must change it on all other members of the HomeGroup.
Leave the homegroup: you have to confirm it and get a chance to cancel the action.
Change advanced sharing settings: there is a section there about HomeGroup. By default the connections are managed by Windows with the homegroup password, but you can also make it more workgroup-like and use Windows user accounts, which requires all members of the HomeGroup to have the same username and password.
Start the HomeGroup troubleshooter: a wizard that suggests some actions and tools to fix any issues (it checks IPv6 and the services mentioned above as well).
So in the example with the Windows 7 machine's HomeGroup we joined, we can now see in explorer.exe the libraries chosen to be shared in this HomeGroup (by default Documents isn't shared, but it is just a check box away from being shared).
All libraries are saved by default here: %appdata%\Microsoft\Windows\Libraries. If you, for example, would like to give everyone in sales a specific library called JBKBSales pointing to the folder C:\JBKB-Sales, you would do the following:
1. Create a new library.
2. Copy it from %appdata%\Microsoft\Windows\Libraries to c:\JBKB-Sales.
3. Enable the Group Policy Location where all default Library definition files for users/machines reside and set Default libraries definition location to: C:\JBKBSales
4. Now everyone who logs into this machine and is in scope of the GPO will get the library created in step 1.
Windows 8 gives you 5 default libraries.
You can right-click on each of them, open Properties and add more folders (for example music folders) than the default ones (you cannot change the icon of the default libraries, but if you create your own library you can choose its icon). You can set one Set save location and one Set public save location, but you can point both at the same folder (by default the public save location is Public).
Once it has finished preparing it will ask you to log in; if you have no existing account, create a new one.
Now a new folder is created in the profile, %userprofile%\SkyDrive, with sub folders that sync to the SkyDrive cloud. To configure SkyDrive, go to the SkyDrive system tray icon and choose Settings.
Here you can configure settings such as auto-start of SkyDrive, making this machine available to other devices with the same SkyDrive account, and letting Office sync files to SkyDrive so others can work on the same file at the same time. If you want to remove the SkyDrive connection you can click the Unlink SkyDrive button.
Very interesting feature, but unfortunately I found nothing to configure in Windows 8 concerning this; it could be because my test devices don't support it. What is known is that Windows 8 has APIs built in that support NFC, which is an RFID technique to communicate with other devices supporting NFC. The difference between NFC and, for example, Bluetooth is that Bluetooth devices need electricity/battery/power, whereas an NFC target could be a piece of paper (with an RFID-like tag in it). Notice: nothing useful in this section, I will update when I find anything; for now just know that Windows 8 has NFC APIs and supports it.
5. Decide if you want to only encrypt this folder or all sub folders and files within this folder, and then press the OK button.
EFS is only supported on the NTFS file system, and when a file is copied it is decrypted during transfer and encrypted again on the destination (if NTFS). All users on the Windows 8 machine will see the folder, but all except the user who encrypted it won't be able to open the files and read the content. You can back up the certificate that encrypts your files, so that in case your user account is lost or similar you can still decrypt the files, by running the Manage File Encryption Certificates wizard.
clean ACL.
Nothing has changed from before: deny permissions always win over allow, and it is often a basic design error if you think you need to set deny access. Permissions (most common):
Full Control: includes everything, even taking ownership of files.
Modify: includes the permissions Write, Read and Read & execute.
Write: take care, if you can only write but not read/list you cannot see what you save.
Read: if you have only read and no write permission you can open files but not modify them.
If a user John belongs to the group Marketing, and on a file the NTFS ACL/ACE specifies that John has Read and the Marketing group has Modify, the user John has effective permission Modify: permissions accumulate. If a user Emma belongs to the group Sales, and on a file the NTFS ACL/ACE specifies that Emma has Read and Write and the Sales group has Deny Write, the user Emma has effective permission Read (the Deny wins).
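The two scenarios above worked through in PowerShell, added as an example and not from the post: Allow entries for the user and all of his groups accumulate, then any matching Deny entry removes those rights again. The ACE lists and group memberships are constructed test data, not read from a real file; the rights names are the real System.Security.AccessControl.FileSystemRights values and the function name is made up.

```powershell
# Added example (not from the post): effective NTFS rights for one user, computed as
# "accumulate all Allow entries that apply, then Deny wins". The ACEs below are
# constructed test data matching the John/Marketing and Emma/Sales scenarios.
function Get-JbkbEffectiveRights {
    param(
        [Parameter(Mandatory)][string]$User,
        [string[]]$Groups = @(),
        # each ACE is a hashtable: @{ Identity = 'John'; Rights = 'Read'; Type = 'Allow' }
        [Parameter(Mandatory)][hashtable[]]$Aces
    )
    $principals = @($User) + $Groups
    [int]$allowed = 0
    [int]$denied  = 0
    foreach ($ace in $Aces) {
        # entries for other users or groups do not apply to this user
        if ($principals -notcontains $ace.Identity) { continue }
        $bits = [int][System.Security.AccessControl.FileSystemRights]$ace.Rights
        if ($ace.Type -eq 'Allow') { $allowed = $allowed -bor $bits }
        else                       { $denied  = $denied  -bor $bits }
    }
    # Deny wins: clear every denied bit from the accumulated Allow mask
    [System.Security.AccessControl.FileSystemRights]($allowed -band (-bnot $denied))
}

# Scenario 1 from the text: John has Read, his group Marketing has Modify (expect Modify)
$file1 = @(
    @{ Identity = 'John';      Rights = 'Read';   Type = 'Allow' },
    @{ Identity = 'Marketing'; Rights = 'Modify'; Type = 'Allow' }
)
Get-JbkbEffectiveRights -User John -Groups Marketing -Aces $file1

# Scenario 2 from the text: Emma has Read and Write, her group Sales has Deny Write (expect Read)
$file2 = @(
    @{ Identity = 'Emma';  Rights = 'Read, Write'; Type = 'Allow' },
    @{ Identity = 'Sales'; Rights = 'Write';       Type = 'Deny'  }
)
Get-JbkbEffectiveRights -User Emma -Groups Sales -Aces $file2
```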
By default it is disabled; you enable it by checking Enable quota management and then specify options such as whether it should only warn/log or have an actual consequence when you reach the quota, such as checking Deny disk space to users exceeding quota limit. Set one limit and one warning level; of course the warning must be lower than the limit. It is funny to see that a client OS offers EB (exabyte) as a unit; Windows 8 seems to be an OS built for the future. Disk Quota is limited in that it is set per disk and at one level for all users; running Windows Server 2012 you can set different limits per user.
Once that is enabled nothing will be logged until you specify which objects (files/folders) should be audited; if you audit everything it will be too much to read and not useful. Right-click on the folder you want to audit and choose Properties -> select the Security tab -> click the Advanced button -> click on the Auditing tab -> and press the Add button. Fill in who should be audited, and for what actions (All/Success/Fail).
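The same audit entry the dialog steps above create, done with Get-Acl/Set-Acl; added as an example and not from the post. It assumes the post's C:\JBKB-Sales folder exists, that Audit object access is already enabled as described, and an elevated session (writing a SACL needs the security privilege administrators hold).

```powershell
# Added example (not from the post): add an audit entry (SACL) to a folder, the way the
# Auditing tab does: who, which actions, and whether to log Success, Failure or both.
# Here: failed Write/Delete attempts by Everyone on the post's C:\JBKB-Sales folder.
$folder = 'C:\JBKB-Sales'

# -Audit reads the SACL (audit entries) in addition to the DACL (permissions)
$acl = Get-Acl -Path $folder -Audit

$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # apply to subfolders and files
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]::Failure                                 # log only failed attempts

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Read back the audit entries, the same view as the Auditing tab
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
```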
This policy is disabled
Users can't add Microsoft accounts
Users can't add or log on with Microsoft accounts
Interactive logon: Do not require CTRL + ALT + DEL: not a totally new policy, but for Windows 8 only it is recommended to set it to Enabled, while for Windows 7 and earlier it is recommended to disable it.
Here are the 10 different settings, the important ones for the exam in bold:
1. User Account Control: Admin Approval Mode for the built-in Administrator account. This is disabled by default, which means that the built-in Administrator account bypasses UAC; if enabled it is treated like all other administrator accounts.
2. User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop. This is disabled by default; if enabled it means that applications such as Remote Assistance can run without getting blocked by the Secure Desktop.
3. User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode. This is set to Prompt for consent for non-Windows binaries by default.
4. User Account Control: Behavior of the elevation prompt for standard users. This is set to Prompt for credentials on the secure desktop by default (more about this setting further below in this KB).
5. User Account Control: Detect application installations and prompt for elevation. This is enabled by default on the Windows 8 edition and disabled by default on the Pro and Enterprise editions, since in an enterprise you might deploy applications with SMS/SCCM/GPO and want them to install silently.
6. User Account Control: Only elevate executables that are signed and validated. This is disabled by default; even if this is good for security it is not practical, since not all executables are signed.
7. User Account Control: Only elevate UIAccess applications that are installed in secure locations. This is enabled by default: only elevate UIAccess applications installed in %SystemDrive%\Program Files (including subfolders), %SystemDrive%\Program Files (x86) (including subfolders, on 64-bit editions) and %SystemDrive%\windows\system32.
8. User Account Control: Run all administrators in Admin Approval Mode. This is enabled by default, and if it is disabled the whole of UAC is disabled! Know this for the exam, as they will try to trick you on this one.
9. User Account Control: Switch to the secure desktop when prompting for elevation. This is enabled by default; all elevation requests go to the Secure Desktop, which dims the screen until you answer.
10. User Account Control: Virtualize file and registry write failures to per-user locations. This is enabled by default; if a non-elevated program tries to write to the HKLM registry or to, for example, c:\program files or c:\windows\system32 and fails, this setting makes it write to the user profile instead so the program works. A good example is http://triplea.sourceforge.net/, a game that wants saved games stored in a sub folder of the game installation, which by default is in c:\program files, and instead gets them saved under %UserProfile%\AppData\Local\VirtualStore.
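A PowerShell function, added as an example and not from the post, that reads the registry values behind the 10 UAC policies listed above and warns about the exam trap in number 8 (EnableLUA = 0 means UAC is completely off). The value names are the standard ones under the Policies\System key; the function name is made up.

```powershell
# Added example (not from the post): show the current data of the registry values that
# back the 10 UAC policies above, numbered as in the list, and flag the case where
# policy 8 is disabled, which switches the whole of UAC off.
function Get-JbkbUacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # registry value name -> policy number and short description from the list above
    $map = [ordered]@{
        FilterAdministratorToken    = '1  Admin Approval Mode for the built-in Administrator'
        EnableUIADesktopToggle      = '2  UIAccess apps may prompt without the secure desktop'
        ConsentPromptBehaviorAdmin  = '3  Elevation prompt behavior for administrators'
        ConsentPromptBehaviorUser   = '4  Elevation prompt behavior for standard users'
        EnableInstallerDetection    = '5  Detect application installations'
        ValidateAdminCodeSignatures = '6  Only elevate signed and validated executables'
        EnableSecureUIAPaths        = '7  Only elevate UIAccess apps in secure locations'
        EnableLUA                   = '8  Run all administrators in Admin Approval Mode'
        PromptOnSecureDesktop       = '9  Switch to the secure desktop when prompting'
        EnableVirtualization        = '10 Virtualize file and registry write failures'
    }
    foreach ($name in $map.Keys) {
        [pscustomobject]@{
            Policy = $map[$name]
            Value  = $name
            Data   = $p.$name        # $null if the value has never been written (OS default applies)
        }
    }
    if ($p.EnableLUA -eq 0) {
        Write-Warning 'EnableLUA is 0: User Account Control is completely disabled on this machine'
    }
}

Get-JbkbUacState | Format-Table -AutoSize
```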
SmartScreen Filtering in the Trusted and Intranet sites/zones and keep it enabled on the Internet zone. You can manually configure one of the following (or use the policy Configure Windows SmartScreen):
Get administrator approval before running an unrecognized app from the Internet (recommended): this is the default
Warn before running an unrecognized app, but don't require administrator approval
configure rights
User rights are configured under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment.
Here you can configure who has the right to change the system time (all users in Windows 8 have the right to change the time zone but not the system time), Take ownership of files and folders, Allow log on locally and a lot of other rights.
manage credentials
Credential Manager has existed in different forms since Windows XP, but in Windows 8 it has been updated a little. You find it under Control Panel -> Credential Manager. It is divided into 2 parts, Web Credentials and Windows Credentials.
Web Credentials: for websites that use credentials that are not prompted for by the system.
Windows Credentials: has 3 sub sections.
What's new is that you can back up (and restore) Windows Credentials; if you back up you have to browse to a save location and the file is saved with the extension .crd. Exam tip: be careful if a question asks about backup/restore of credentials; know that it only works for Windows Credentials and not Web Credentials.
manage certificates
Certificates are managed by certmgr.msc
If you add the Certificates snap-in from MMC you get to choose which store to manage:
My user account: same as above, manage user certificates.
Service account: gives a UAC prompt to manage service certificates.
Computer account: gives a UAC prompt to manage computer certificates.
Smart Card: set to start-up type Automatic (trigger start) and is needed for smart cards to work; if disabled, no usage of smart cards is possible.
Smart Card Removal Policy: set to start-up type Manual and is used so that if someone removes the smart card the user session is locked, practical for security if users use the same smart card to leave the building for lunch.
configure biometrics
Biometrics in Windows 8 is built on the Windows Biometric Framework and relies on the Windows Biometric Service, which is set to start up manually by default.
This can be used instead of touch scrolling (where your finger hides what you click on) or a mouse; you can, for example, control the machine with your eyes (this requires 3rd-party software that uses the Biometric Framework). By default you are allowed to log on with biometrics, for example with your thumb, but if you don't want this possibility you can disable it with the GPO named Allow the use of biometrics.
New in Windows 8 is that you can log on with gestures; it works best with a touch screen, of course, but you can also do it with the mouse. If a domain user uses this, the domain password will be cached in the system vault. Type Create or change picture password, start it and you come to PC settings -> Users; there, click on the button Create a picture password.
Here you need to browse for an image on which you will draw the gestures (twice), and then you can use that to log on to the machine instead of the password (you can still use the password if you fail with the gesture).
There is also a policy named Turn off picture password sign-in that can be enabled if this isn't needed.
configure PIN
Signing in with a PIN code (4-digit code) is not possible for a domain user; it is not even visible in PC Settings -> Users (if the machine is not domain joined you see it). To enable it even for domain-joined computers/users you can enable the policy Turn on PIN sign-in and it becomes visible.
When you create a PIN code for a domain user you must first enter your password, then enter a 4-digit PIN code twice.
This is obviously a good sign-in method for touch screens, and after entering the last digit you don't have to press Enter or anything, it signs in automatically.
Notice: Windows Live ID has been replaced with Microsoft Account; if you see a question on the exam mentioning Windows Live ID, read it as Microsoft Account. To set up a Microsoft account you can go to PC Settings -> Users and click on + Add a user.
Now a wizard starts. You can use an e-mail address you already have that can sign into Microsoft services (a common mistake is to think it can only be a Hotmail/MSN/Live account; even Gmail and any other address can be used if enabled for Microsoft services). If no email address exists you can create one in this wizard by going to Sign up for a new email address, or create one on this or another machine. It is with this account you buy apps from the Windows Store and sync your settings to the cloud so they follow you regardless of which machine you log onto. When you have an email address, type it in and press Next.
It will connect to the Internet, configure and then finish. You get one configuration option: if it is a child's or another account you want to use Family Safety on, check this box. Then click Finish.
To modify a Microsoft account you can go to Manage User Accounts, select the Microsoft account and press the Properties button. On the General tab you fill in user name, full name and description. On the Group Membership tab you can modify permissions: Standard user, Administrator or Other (can be Backup Operator, log viewer etc., rarely used for a Microsoft account).
Certification: Exam 70-687: Configuring Windows 8 Part 5: Configure Remote Access and Mobility (14%)
Posted by John Bryntze Published in Certification, Microsoft, Windows 8 Exam 70-687: Configuring Windows 8 is scheduled for 17th September and instead of waiting for study material I will create my own and post it here. Part five is Configure Remote Access and Mobility, which is 14% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687 In this part 5 we will look into these 3 objectives
General: enter the remote host, specify username and password (or wait until after you have connected); you can also save the settings to an RDP file or open an existing one.
Display: screen size/resolution, default set to full screen; you can also set the color depth.
Local Resources: how much of your local resources you want to bring to the session. You can add printers, clipboard, smart cards and drives, and configure audio and keyboard settings.
Programs: any path to a script or program given here will be executed once logged on.
Experience: if your connection is fast you can set a better experience (fast rendering, see the wallpaper background, font smoothing and so on); for a slower connection a worse experience gives a performance win.
Advanced: Remote Desktop Gateway settings and how to behave if server authentication fails (default set to warn).
Notice: so much still works as in Windows 7 that most of the text below is taken directly from: http://www.mcmcse.com/microsoft/guides/70680/remote_connections.shtml which I recommend everyone to read. Windows 8 supports 4 types of VPN:
Point-to-Point Tunneling Protocol (PPTP): Based on PPP, the Point to Point Tunneling Protocol (PPTP) provides for the secure transfer of data from a remote client to a private server by creating a multi-protocol Virtual Private Network (VPN) which encapsulates PPP packets into IP datagrams. PPTP is considered to have weak encryption and authentication; therefore, IPsec is typically preferred.
Layer 2 Tunneling Protocol (L2TP) / IP security (IPsec): L2TP is the next-generation tunneling protocol partially based on PPTP. To provide encryption, L2TP acts as a data link layer (layer 2 of the OSI model) protocol for tunneling network traffic between two peers over an existing network (usually the Internet). It is common to carry Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP does not provide confidentiality or strong authentication by itself. IPsec is often used to secure L2TP packets by providing confidentiality, authentication and integrity. The combination of these two protocols is generally known as L2TP/IPsec. IPsec ensures confidentiality, integrity, and authenticity of data communications across a public network. IPsec is made of two different protocols: AH and ESP. AH (Authentication Header) is responsible for authenticity and integrity, while ESP (Encapsulating Security Payload) encrypts the payload.
Secure Socket Tunneling Protocol (SSTP): Introduced in Windows Vista. A tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through firewalls and Web proxies that might block PPTP and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol. The use of PPP allows support for strong authentication methods, such as EAP-TLS. SSL provides transport-level security with enhanced key negotiation, encryption, and integrity checking.
Internet Key Exchange (IKEv2): Introduced in Windows 7. IKEv2 is a tunneling protocol that uses the IPsec Tunnel Mode protocol over UDP port 500. An IKEv2 VPN is useful when the client moves from one wireless hotspot to another or when it switches from a wireless to a wired connection. The use of IKEv2 and IPsec provides strong authentication and encryption methods.
Authentication Protocol: Description
PAP: This protocol uses plaintext passwords. Typically used if the remote access client and remote access server cannot negotiate a more secure form of validation. PAP is the least secure authentication protocol. It does not protect against replay attacks, remote client impersonation, or remote server impersonation. PAP is not enabled by default for Windows 8 and is not supported by remote access servers running Windows Server 2008.
CHAP: CHAP uses a 3-way handshake in which the authentication agent sends the client program a key to be used to encrypt the user name and password. CHAP uses the Message Digest 5 (MD5) hashing scheme to encrypt the response. CHAP is an improvement over PAP, in that the password is not sent over the PPP link. CHAP requires a plaintext version of the password to validate the challenge response. CHAP does not protect against remote server impersonation. Although remote access servers running Windows Server 2008 do not support this protocol, it is enabled by default for Windows 8 VPN connections for legacy VPN connections.
MS-CHAP v2: Supports two-way mutual authentication. The remote access client receives verification that the remote access server that it is dialing in to has access to the user's password. MS-CHAP v2 provides stronger security than CHAP.
EAP-MS-CHAPv2: Allows for arbitrary authentication of a remote access connection through the use of authentication schemes, known as EAP types. EAP offers the strongest security by providing the most flexibility in authentication variations. This protocol requires the installation of a computer certificate on the VPN server.
Just like the VPN protocols, by default, Windows first tries to use the most secure authentication protocol that is enabled, and then falls back to less secure protocols if the more secure ones are unavailable.
If you modify an existing Broadband connection you get more options such as modify authentication protocols, IPv4/IPv6 settings, Internet Connection Sharing, hang up settings, PPP settings and Service Name.
1. Remove Work offline command: removes the option in Explorer.exe to make files (folders) available offline.
2. Enable file synchronization on costed networks: disabled by default, and will not synchronize offline files in the background on connections that are
the 3 existing and then switch by clicking on the battery system tray icon
Something new in Windows 8 regarding power settings is the GUI for adding Hibernate to the Power button. By default hibernation is supported (if the drivers support it) but not visible; the menu looks as below with Sleep, Shut down and Restart.
To add hibernation to the Power menu go to Control Panel -> Power Options -> System Settings and click on Change settings that are currently unavailable.
Now everything that was greyed out before is changeable, such as checking the box Hibernate (Show in Power menu). You can also control if you want the Lock function in the picture menu.
If you checked Hibernate above, your Power button menu will look like below:
configure Windows to Go
Windows To Go is one of the coolest new features and is therefore, sadly, only available in the Windows 8 Enterprise edition. It can be seen as a full version of Windows 8 running (even booting) from a mass storage device such as a USB flash drive or an external hard drive. Exam tip: know that Windows To Go can only be created from Windows 8 Enterprise edition, and for the license you need Microsoft Software Assurance; then you can even run it on a home computer. To create one, start the Windows To Go wizard from a Windows 8 Enterprise machine (it can be done with ImageX as well, but that won't be covered here).
Windows To Go supports both USB 2.0 and 3.0, but USB 3.0 is of course recommended for better performance. Insert an external/removable USB disk and it shows up; as seen below, all removable disks must be Windows To Go certified to be accepted, but all external fixed disks are supported.
Notice that the wizard lets you know that the device is USB 2.0 and that USB 3.0 is recommended, but it won't stop you from using it. When a supported device is inserted the Next button activates; choose the disk you want to put Windows To Go on and press the Next button to continue.
Now you need to have the source files (basically an install image from Windows 8 Enterprise, install.wim), either a DVD inserted or the install ISO mounted; if it is not already found by the wizard, click Add search location and browse to it. Once found, click on the Next button to continue.
You can enable a BitLocker password, which is required to be typed in before the OS loads (take care with the keyboard layout, it will be US-EN when booted on a standard boot.wim). Once everything is configured press the Next button to continue.
Here you get a summary and are also warned that the USB drive will be reformatted and any data on it lost. Press Create to start the creation of the Windows To Go USB drive.
This process will take a while, depending on the disk itself, but about 10 minutes.
When finished you can choose the boot option (Do you want to automatically boot from it when you restart your PC?):
Yes: it will modify the boot configuration to automatically boot from this USB disk.
No: you will have to manually choose to boot from it, for example on a Dell press F12 and choose the USB device.
If you chose Yes and want to test it directly, press Save and restart; otherwise (and if you chose No) press Save and close.
If using a Microsoft account all settings are synced automatically by default (but you can change what is synced), and if you log in with a domain account you must connect it to a Microsoft account. You connect a domain account to a Microsoft account in PC settings -> Users and then
Under PC Settings -> Sync your settings you can set the following:
Sync settings on this PC: set to On by default; if set to Off it overrides all the settings below (the GPO that controls this is explained further down).
Personalize: if set to On it syncs your account picture, background, lock screen and color settings.
Desktop personalization: if set to On it syncs your taskbar, themes, contrast and more (?)
Passwords: if set to On it syncs passwords for websites, networks, HomeGroup and apps.
Ease of Access: if set to On it syncs Narrator, Magnifier, On-Screen Keyboard and more.
Language preferences: if set to On it syncs keyboards, other input methods, display language and more.
App settings: if set to On it syncs purchases and settings in an app.
Browser: if set to On it syncs browser favorites, history and more (I assume it is only Internet Explorer).
Other Windows settings: if set to On it syncs File Explorer, mouse settings and more.
All these settings are configurable in local policies and group policies: Local Computer Policy -> Administrative Templates -> Windows Components -> Sync your settings. Shown below is Do not sync: if set to Not configured it is up to the user to decide, and if set to Enabled syncing is disabled, but you can keep it possible to sync and
Create an ad hoc/Wi-Fi Direct Wi-Fi network (elevated cmd prompt, and the key must be between 8 and 63 characters):
netsh wlan set hostednetwork mode=allow ssid=JBKBSSID key=jbkbkey1
Start it by running:
netsh wlan start hostednetwork
Then the Windows 8 machine will broadcast this SSID and allow connections without an access point.
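A machine broadcasting its own SSID is also something an administrator wants to find and switch off. The following PowerShell is an added example, not from the original post: it parses the output of netsh wlan show hostednetwork (English output assumed) and, with Disable-HostedNetwork, stops a running hosted network and sets mode=disallow, the reverse of the mode=allow command above. Run it from an elevated prompt.

```powershell
# Added example (not from the original post): report and disable the
# netsh hosted network (ad hoc / Wi-Fi Direct soft AP) on a Windows 8 machine.
function Get-HostedNetworkState {
    $raw = netsh wlan show hostednetwork
    $state = [ordered]@{ Mode = 'Unknown'; Ssid = $null; Status = 'Unknown'; Clients = 0 }
    foreach ($line in $raw) {
        # Field names as printed by the English netsh output (assumption).
        if     ($line -match '^\s*Mode\s*:\s*(.+)$')              { $state.Mode    = $Matches[1].Trim() }
        elseif ($line -match '^\s*SSID name\s*:\s*"(.*)"')        { $state.Ssid    = $Matches[1] }
        elseif ($line -match '^\s*Status\s*:\s*(.+)$')            { $state.Status  = $Matches[1].Trim() }
        elseif ($line -match '^\s*Number of clients\s*:\s*(\d+)') { $state.Clients = [int]$Matches[1] }
    }
    [pscustomobject]$state
}

function Disable-HostedNetwork {
    $s = Get-HostedNetworkState
    if ($s.Status -eq 'Started') {
        Write-Warning "Hosted network '$($s.Ssid)' is broadcasting with $($s.Clients) client(s); stopping it."
        netsh wlan stop hostednetwork | Out-Null
    }
    # mode=disallow blocks 'netsh wlan start hostednetwork' until an admin re-allows it.
    netsh wlan set hostednetwork mode=disallow | Out-Null
    Get-HostedNetworkState
}

Get-HostedNetworkState
```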
Know that BitLocker is only supported on Windows 8 Pro and Windows 8 Enterprise edition. Know the two ways to use BitLocker:
1. Trusted Platform Module (TPM) 1.2 or 2.0 chip: store the decryption key in the TPM (preferred option).
2. Store the decryption key on a USB flash drive (this option needs to be activated in Group Policy and is not enabled by default); the USB flash drive must be present at each startup.
If any of the following changes, BitLocker will lock the drive and it will not be possible to read from it:
Disable TPM in BIOS
Clear TPM
The BitLocker-encrypted disk is moved to another computer
Changes in boot files
Boot without TPM, PIN or USB flash drive
BitLocker To Go is used for removable storage and includes a hidden drive for Windows 8 (the discovery drive), viewable from XP and Vista, that contains the BitLocker To Go Reader software used to unlock the BitLocker To Go drive with a password. When you enable BitLocker on removable disks you get to choose how to unlock the drive: by a password you specify or by smart card.
You then get two different options to store the recovery key: save it to a file or print it.
Then choose whether to encrypt only the space with stored data or the whole drive (new feature in Windows 8).
After this, encryption starts and you are asked not to remove the drive during this procedure.
Configuring BitLocker and BitLocker To Go policies
Here are some of the most important BitLocker To Go GPOs:
Allow access to BitLocker-protected removable data drives from earlier versions of Windows: if this is not configured or enabled, versions such as Vista and XP SP2 and higher can unlock the drive with BitLocker To Go Reader. There is also a checkbox for Do not install BitLocker To Go Reader on FAT formatted removable drives.
Deny write access to removable drives not protected by BitLocker: if this policy is enabled, removable disks that aren't protected with BitLocker are mounted read-only.
Control use of BitLocker on removable drives: if this policy is enabled or not configured, the user can run the BitLocker wizard to protect removable drives.
Require additional authentication at startup: if the checkbox Allow BitLocker without a compatible TPM is checked you can boot with a removable USB flash disk. This is not checked by default, and then only machines with a TPM chip are allowed to use BitLocker. This policy can also set how the TPM can be used together with a startup key/PIN/TPM.
Configure minimum PIN length for startup: if this is disabled or not configured the minimum length is 4 and the maximum 20; if enabled you can set a value from 4 to 20.
Choose drive encryption method and cipher strength: the options are AES-128 (default) and AES-256.
Here are a few Windows 8-only BitLocker policies (there are several; I recommend you look through them all):
Enforce drive encryption type on fixed data drives: decide whether to force fixed drives to always encrypt the whole disk, even empty space, or only encrypt space that holds data and then expand as new data is written. Default is to let the user choose.
Allow network unlock at startup: uses a specific server on a secured network, and both server and client need a BitLocker Network Unlock certificate.
Allow Secure Boot for integrity validation: Secure Boot (UEFI) has a more secure integrity check than BitLocker. If set to Not Configured or Enabled, Secure Boot is allowed for integrity validation; if set
If you have a TPM 1.2 or 2.0 chip you can use it alone or together with a PIN, a startup key, or both. Without a TPM you can only specify either Insert a USB flash drive at each start or
If BitLocker is enabled and you need to change the BIOS, upgrade hardware, or do OS updates, for example from Windows 7 to Windows 8, you should suspend protection and then make the changes. You could turn off BitLocker, but then you would need to recreate it from scratch to get encryption back (and new keys are created).
Data recovery agent support
When enabling BitLocker you get the option to save or print the recovery key.
The Data Recovery Agent needs to be configured with a proper certificate, and you must add the Data Recovery Agent under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Public Key Policies -> BitLocker Drive Encryption (close to the same path in GPMC).
In the wizard either add a user who has a correct certificate or add a certificate directly (.cer). Know that the command line tool to manage all this is manage-bde. For example, on a BitLocker-enabled machine that is decrypting (BitLocker being disabled) you can run this command to see the status:
manage-bde -Status
In a domain environment it is recommended to store BitLocker recovery information for system drives in AD DS. Exam Tip: Be careful when enabling a PIN with BitLocker, because Windows 8 can be installed on devices that don't have a physical keyboard or input, and the on-screen keyboard isn't loaded at the time the PIN is required.
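The same checks that manage-bde -Status shows per volume can be scripted. The following is an added example, not code from the original post: it uses the BitLocker PowerShell module that ships with Windows 8 Pro/Enterprise (Get-BitLockerVolume, Backup-BitLockerKeyProtector) to report, per volume, whether protection is on, which startup protector (TPM, TPM+PIN, startup key) is in use and whether a recovery password exists, and with -BackupToAD escrows recovery passwords into AD DS as recommended above. It assumes an elevated prompt and, for the backup, a domain-joined machine.

```powershell
# Added example (not from the original post): BitLocker audit for Windows 8.
function Get-BitLockerAudit {
    param([switch]$BackupToAD)   # also escrow recovery passwords in AD DS (domain-joined machine assumed)

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $findings = @()

        # A suspended drive also reports ProtectionStatus Off, so this covers both cases.
        if ($vol.ProtectionStatus -ne 'On') { $findings += 'protection is off or suspended' }

        if ($vol.VolumeType -eq 'OperatingSystem') {
            # Protector type names: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, ExternalKey (startup key without TPM)
            if (@($types -match 'Tpm').Count -eq 0)     { $findings += 'OS drive unlocks with a startup key only (no TPM)' }
            elseif (@($types -match 'Pin').Count -eq 0) { $findings += 'TPM without PIN: no pre-boot user factor' }
        }
        if ($recovery.Count -eq 0) { $findings += 'no recovery password protector' }

        if ($BackupToAD) {
            foreach ($kp in $recovery) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
                $findings += "recovery password $($kp.KeyProtectorId) escrowed to AD DS"
            }
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Protection = $vol.ProtectionStatus
            Encrypted  = "$($vol.EncryptionPercentage)%"
            Method     = $vol.EncryptionMethod
            Protectors = ($types -join ',')
            Findings   = ($findings -join '; ')
        }
    }
}

Get-BitLockerAudit | Format-Table -AutoSize
```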
The same setting can be set with policy, but it is named the opposite, Turn off Windows Location Provider: if set to Not Configured or Disabled the Windows Location Provider is on; if set to Enabled it is turned off.
DirectAccess
DirectAccess was new in Windows 7 and is still only in Windows 8 Enterprise edition. It is VPN-like but always connected; the user doesn't have to enter a username or the like. DirectAccess requires IPv6 on client and server, but in between, the IPv6 packets can travel encapsulated within IPv4 packets using techniques such as 6to4 (used with a direct connection, no NAT), Teredo tunneling (used behind NAT) or IP-HTTPS. DirectAccess uses port 443/tcp (same as HTTPS), which is open on most firewalls. Exam Tip: remember that DirectAccess is only available in Windows 8 Enterprise, requires IPv6 and communicates over 443/tcp. Just think of DirectAccess as a VPN that is enabled automatically even if no user is logged on.
Storage Spaces
Storage Spaces is a function that comes from Windows Home Server and groups physical disks into pools; the disks can be of different types (USB/SATA) and different sizes (normal hardware RAID 1, for example, uses only the space of the smallest disk, but that is not the case in Storage Spaces). The pools are made into spaces that you can format and use as a normal disk. The virtual drives (spaces) can be bigger than the disks can provide, which is called thin provisioning; when you are running out of disk you can add more. There are 3 different storage space types:
1. Simple spaces: no fault tolerance; if one disk fails all data is lost (I assume?)
2. Mirror spaces: at least 2 copies are made on 2 separate physical disks (like RAID 1), or even 3 copies can be made on 3 separate disks (like RAID 6 without parity), which means 2 disks can be removed and it still works. Pools can be given hot spare disks to be used.
3. Parity spaces: can be set up with parity in a RAID 5 scenario where one disk can fail, and also a RAID 6 scenario where two disks can fail and it continues to work; it takes extra CPU and I/O when a disk fails.
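The three space types above correspond to the ResiliencySettingName values Simple, Mirror and Parity of the Storage cmdlets that ship with Windows 8 (Get-PhysicalDisk, New-StoragePool, New-VirtualDisk). The following PowerShell is an added example, not from the original post: it pools every disk that is still poolable and creates a thin-provisioned space on it, defaulting to a two-way mirror; the pool name, space name and 2 TB size are assumed values. Run it from an elevated prompt on disks you are willing to wipe.

```powershell
# Added example (not from the original post): create a Storage Spaces pool and a
# thin-provisioned space, then format it as an ordinary NTFS volume.
function New-ThinSpace {
    param(
        [string]$PoolName  = 'Pool1',                      # assumed name
        [string]$SpaceName = 'Data',                       # assumed name
        [uint64]$Size      = 2TB,                          # may exceed the pool: thin provisioning
        [ValidateSet('Simple','Mirror','Parity')][string]$Resiliency = 'Mirror',
        [int]$Copies       = 2                             # 2 = two-way mirror, 3 = three-way mirror
    )
    # CanPool is $true only for disks that hold no partitions and belong to no pool yet.
    $disks  = @(Get-PhysicalDisk -CanPool $true)
    $needed = switch ($Resiliency) { 'Simple' { 1 } 'Mirror' { $Copies } 'Parity' { 3 } }
    if ($disks.Count -lt $needed) {
        throw "Need at least $needed poolable disk(s) for a $Resiliency space, found $($disks.Count)."
    }

    $subsystem = Get-StorageSubSystem -FriendlyName '*Spaces*'
    $null = New-StoragePool -FriendlyName $PoolName `
                            -StorageSubSystemFriendlyName $subsystem.FriendlyName `
                            -PhysicalDisks $disks

    $params = @{
        StoragePoolFriendlyName = $PoolName
        FriendlyName            = $SpaceName
        ResiliencySettingName   = $Resiliency
        ProvisioningType        = 'Thin'                   # add disks to the pool as the space fills up
        Size                    = $Size
    }
    if ($Resiliency -eq 'Mirror') { $params.NumberOfDataCopies = $Copies }
    $vdisk = New-VirtualDisk @params

    # The space shows up as a disk; initialise, partition and format it like any other.
    $vdisk | Get-Disk |
        Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -AssignDriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $SpaceName -Confirm:$false
}

New-ThinSpace
```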
File History
File History is new in Windows 8 and can be seen a little like Windows 7's Previous Versions and Apple's Time Machine. File History automatically backs up files in your desktop, libraries, contacts, Favorites and SkyDrive. If you lose a file stored in any of these locations, you can use File History to restore it to any stored version. Exam Tip: Know that File History is disabled by default. To enable File History go to File History in Control Panel; if a USB disk is inserted it will suggest using it to store File History, and if no external disk is found (it could be an internal second disk) it will suggest adding a network location. Once a location is found press the Turn on button.
Select drive: here you can see which disk is used and its free space, or add a network share to use by pressing the Add network location button. You cannot choose the same disk you have libraries pointing to; for example, if you have a second internal disk and d:\music is included in a library, you cannot use the second disk (d:) for File History.
Exclude folders: by default no folders are excluded, but if for some reason you don't want some of them you can add them to the exclude list.
Advanced Settings
Save copies of files: default set to every hour; can be changed to 10, 15, 20, 30 minutes or 1, 3, 6, 12 hours or daily.
Size of offline cache: default 5% of disk space (local C:) but can be set to 2, 5, 10, or 20%. The offline cache is saved on the C: drive and is useful, for example, if the external drive isn't inserted or the network location isn't available: you can still reach File History from the cache. So it is useful for portable systems.
Keep saved versions: default set to Forever but can be changed to 1, 3, 6, 9 months or 1, 2 years.
Clean up versions (hidden in the image below by the drop-down box): if you click on Clean up versions you get a new window for deciding which versions to clean, with the same options as in Keep saved versions plus one extra: All but the latest.
File History also supports the use of HomeGroup if your machine is not on a domain and is a member of a HomeGroup.
Restore personal files: use this to first decide the day/time by switching the windows left or right, and then browse to the file or files you want to Restore or Restore to:
Preview: open the file and see/listen to the content.
Restore: restore the file to its original location.
Restore to: restore the file to the location you want (browse).
File History works in the background, and once set up you don't have to touch it much.
There is one GPO regarding File History, simply Turn off File History: if not configured or Disabled you have the option to activate File History; if set to Enabled you cannot activate File History.
Take care: this policy being disabled/not configured doesn't automatically mean you are using File History; you must still manually choose a location and turn it on.
That's all folks. Remember that during the exam, if you have 4 alternatives and no idea at all of the correct answer, you have at least a 25% chance, and if you can eliminate one answer as stupid you have 33%; for example, answers such as
"modify manually on all machines in the company" are most often incorrect, and too strange regedit answers are also most often incorrect.