
Identifying cause of and resolving desktop application issues (20-25%)


Solve software installation escalations
Installation permissions
Applocker
Publisher rule condition: specifies a program by extracting information from its digital signature (similar to the SRP certificate rule). This is the best way to specify an application in AppLocker. You can make the rule apply to the publisher, to any version of a specific application, or to specific versions of an application (including all previous or future versions).
AppLocker blocks all applications by default unless they are specifically allowed. You create rules for one of four file types (executables, Windows Installer files, scripts or DLLs). Once you create the first rule for a file type and AppLocker is enabled, all applications of that type are blocked and must be added to the allow list to run.
"Create Default Rules" and "Automatically Generate Rules" produce allow rules that apply to most applications. You must do this, or AppLocker will completely lock down the computer (it will not even allow explorer.exe to run).
AppLocker allows you to specify users and groups, and you can also make exceptions to rules (for example, a rule that allows any application to run except a specific .exe file). SRPs only create rules that apply to everyone.
Test rules in audit-only mode first.
AppLocker rules can be created on a PC running Windows 7 Pro, but they only apply to Enterprise and Ultimate. If a GPO contains both SRP and AppLocker rules, Windows 7 Enterprise and Ultimate will only read the AppLocker rules.
Use Group Policy to set the startup type of the Application Identity service to Automatic.
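As an added example (not from these notes): building the audit-only AppLocker policy described above with the AppLocker PowerShell module that ships with Windows 7 Enterprise/Ultimate. The directory, the rule prefix, the user GREENTEA\jsmith, the file C:\Temp\applocker-audit.xml and the test binary are assumptions. The notes' advice to create the default rules first (so explorer.exe and the Windows folder stay allowed) still applies; this script only harvests Program Files and merges into whatever is already there.

```powershell
# Added example, not part of the original notes. Run in an elevated PowerShell
# on Windows 7 Enterprise/Ultimate. Paths and names below are assumptions.
Import-Module AppLocker

# Collect publisher/hash/path information from the installed executables.
$info = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe

# Publisher rules first (signed files), hash rules for anything unsigned.
$policy = New-AppLockerPolicy -FileInformation $info `
    -RuleType Publisher, Hash -User Everyone -RuleNamePrefix 'Audit' -Optimize

# Test in audit-only mode first: events are logged, nothing is blocked yet.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# Merge into the local policy (keeps any default rules already created).
Set-AppLockerPolicy -PolicyObject $policy -Merge

# Export the resulting policy as XML for review or import into a GPO.
Get-AppLockerPolicy -Local -Xml | Out-File 'C:\Temp\applocker-audit.xml' -Encoding utf8

# Dry-run one binary for one user against the exported policy.
Test-AppLockerPolicy -XmlPolicy 'C:\Temp\applocker-audit.xml' `
    -Path 'C:\Program Files\Contoso\app.exe' -User 'GREENTEA\jsmith'

# Rules are only evaluated while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Review what audit mode would have blocked (event 8003) before switching to enforce.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } | Select-Object TimeCreated, Message
```

Leave the policy in AuditOnly until the 8003 events stop showing legitimate software; only then change EnforcementMode to Enabled.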
Software Restriction Policies
You can enforce SRPs for all users, or for all users except administrators. Do this by modifying the enforcement properties.

Local administrator requirement
You must be a local admin to install software.
It's better to control local group membership with Restricted Groups in Group Policy.
If you are a local admin but the installation still doesn't run, right-click it and choose Run as administrator (it may then prompt you for administrative credentials).

Licensing restrictions
Some applications require licence keys or must be installed with a specific user account. Verify CPU architecture compatibility too.
You can use App-V to control licensing on deployed applications (for instance, only allow a certain number to be installed).

Digital signing
When you install a new program, Windows checks for a certificate and digital signature to authenticate the publisher of the program. To verify the digital signature properly, the local computer must trust the root CA for the publisher certificate (the root CA for the publisher certificate must be in the Trusted Root Certification Authorities store).
If the publisher is not trusted you will receive a UAC warning, which you can click past. You should avoid running programs from unsigned publishers.
Avoid installing software that hasn't passed Windows 7 logo testing (anti-spyware guidelines, isolation from protected Windows resources, reversible installation and a digital signature on all files).
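As an added example (not from these notes): checking an installer's Authenticode signature and whether its chain ends in the machine's Trusted Root Certification Authorities store, which is the condition the paragraph above describes. The function name and the installer path are assumptions.

```powershell
# Added example, not part of the original notes. Works on Windows 7 (PowerShell 2.0).
function Test-InstallerSignature {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Status is 'Valid' only when the signature verifies AND chains to a trusted root;
    # other values include NotSigned, NotTrusted and HashMismatch (tampered file).
    $sig = Get-AuthenticodeSignature -FilePath $Path

    $publisher = $null; $issuer = $null; $trustedRoot = $false
    if ($sig.SignerCertificate) {
        $publisher = $sig.SignerCertificate.Subject
        $issuer    = $sig.SignerCertificate.Issuer

        # Build the chain and look up its top certificate in LocalMachine\Root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null  = $chain.Build($sig.SignerCertificate)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
        $store.Open('ReadOnly')
        $trustedRoot = [bool]($store.Certificates | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
        $store.Close()
        $chain.Reset()
    }

    New-Object PSObject -Property @{
        File        = $Path
        Status      = $sig.Status
        Publisher   = $publisher
        Issuer      = $issuer
        TrustedRoot = $trustedRoot
    }
}

# Usage (path is a placeholder): only Status=Valid with TrustedRoot=True should be installed.
Test-InstallerSignature -Path 'C:\Downloads\setup.exe' | Format-List
```

A result of NotTrusted with TrustedRoot=False is exactly the case where UAC shows the yellow "unknown publisher" prompt: the file is signed, but nobody on this machine vouches for the signer.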

Solve software failure escalations


Checking the logs
Use Event Viewer to help determine when application-related errors began. Pay special attention to the Application log and any log specific to the application. Filter the logs by Critical, Warning and Error, then search the web for the error text.
Use event forwarding if the errors are occurring on multiple computers.
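As an added example (not from these notes): the same filtering done with Get-WinEvent, so that the first occurrence of each error can be dated rather than scrolled to. The function name, the time window and the PrintService channel used in the last call are assumptions.

```powershell
# Added example, not part of the original notes. Windows 7 / PowerShell 2.0.
function Get-RecentProblemEvents {
    param(
        [string[]]$LogName = @('Application'),
        [int]$Hours = 24,
        [string]$Provider = $null,
        [int]$Max = 500
    )
    $filter = @{
        LogName   = $LogName
        Level     = 1, 2, 3                     # 1 = Critical, 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    if ($Provider) { $filter.ProviderName = $Provider }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# When did each distinct problem start? Group by provider + event ID, take the earliest.
Get-RecentProblemEvents -Hours 72 |
    Group-Object ProviderName, Id |
    ForEach-Object {
        $first = $_.Group | Sort-Object TimeCreated | Select-Object -First 1
        New-Object PSObject -Property @{
            Provider  = $first.ProviderName
            Id        = $first.Id
            Count     = $_.Count
            FirstSeen = $first.TimeCreated
            Summary   = $first.Summary
        }
    } | Sort-Object FirstSeen | Format-Table FirstSeen, Count, Provider, Id, Summary -AutoSize

# Narrow to one application's own channel (here the print service admin log).
Get-RecentProblemEvents -LogName 'Microsoft-Windows-PrintService/Admin' -Hours 168
```

The FirstSeen column is what the notes mean by "determine when application-related errors began": compare it with the dates of recent installs or updates before searching for the error text.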

Checking whether the application runs in Safe mode
You can boot into safe mode to uninstall an application.
If you can launch an application in safe mode but not when booted normally, you can eliminate default settings and basic device drivers as possible causes.
Applications in the startup folder aren't launched in safe mode.
Safe mode only loads basic services and drivers; diagnostic startup allows Windows to pick which drivers/services to load. Use safe mode. Diagnostic startup is not mentioned in the exam prep.

Running the application in a previous version of Windows
Many applications check the version of the OS and behave differently, or fail to run, when an unexpected version number is detected. Resolve this by setting compatibility modes or applying versioning shims.
You can create shims with the Application Compatibility Toolkit.
When you deploy a new version of an application and need to apply a shim to the new version, you need to modify the shim database and run sdbinst.exe on the client computers to ensure it works on them.
Program Compatibility Assistant
The PCA is a tool that automatically appears when Windows 7 detects compatibility issues in older programs. It can offer to fix the problem (for example, conflicts with UAC), or it can run the program in a compatibility mode for an earlier Windows version. If the issue is serious, it can warn you or block the program from running. When a problem can't be fixed you have the option to check online for solutions.
PCA has a number of GP settings (all of which are the default behaviour in Windows 7):
o Notify blocked drivers: notifies the user if drivers are blocked due to compatibility issues and offers the MS web site for solutions
o Detect application failures caused by deprecated COM objects
o Detect application failures caused by deprecated Windows DLLs
o Detect application install failures: provides an option to restart the installation in Windows XP compatibility mode
o Detect application installers that need to be run as administrator: provides an option to restart the installer with elevated privileges
o Detect applications unable to launch installers under UAC: automatically grants administrative privileges that allow the task to be performed the next time it is run (this typically occurs when an application tries to automatically launch an updater program)

Program Compatibility Troubleshooter
If you notice a program isn't running smoothly, you can use this to configure the compatibility settings for the program.
To start the wizard, go to Control Panel > Programs > Run programs made for previous versions of Windows. You can also start the wizard by right-clicking an application and selecting Troubleshoot compatibility.
Compatibility Tab
An alternative to running the compatibility troubleshooter is using
the compatibility tab within the properties sheet of an application.
You can select:
o Compatibility mode (OS version)
o Run in 256 colours
o Run in 640x480 resolution
o Disable visual themes
o Disable desktop composition
o Disable display scaling on high DPI settings
o Run program as administrator
o Change settings for all users

When you need to support an application with a compatibility problem that cannot be resolved immediately, you should run that application on an old OS inside a VM. For example:
o Virtual PC (required to run 16-bit applications on an x64 Windows 7 installation)
o Windows XP Mode: a downloadable enhancement to Virtual PC. Requires Intel VT/AMD-V enabled in the BIOS. Performance is much better than plain Virtual PC, and applications can be accessed from the Start menu of the host OS
o Hyper-V: allows clients to connect to a VM (and application) over the network
o Remote Desktop Services
XP Mode
Install XP Mode: download XP Mode from the MS website and run the installer.
Install applications inside XP Mode:
o Install the program inside XP within Virtual PC
o If you want to open the applications directly from your Windows 7 installation, you must ensure Virtual PC is closed, then go to Start > All Programs > Windows Virtual PC > Windows XP Mode Applications > Figure Gemini. This will open the program in its own window as if it were installed directly on the host PC
Integration Features: this is where you select to share drives/folders/clipboard from the host computer.

Repairing the installation
If software stops functioning and you cannot revert to an earlier state manually or automatically, try to repair the installation (this reinstalls whilst keeping all application-related user data). If there is no repair option, back up the user files and reinstall the application.

Checking recently added programs
Reliability Monitor
If you see error messages consistently pointing to a recently added program, uninstall it. If it is required, install it in a lab environment and test it further.

Restoring or reimaging the system
If an application stops functioning after you install an update or make a system change, consider using System Restore (it does not change user files, e.g. documents or emails).
If Windows stops booting correctly after installing an application, use System Restore. Last Known Good Configuration will NOT remove the application.
If a critical application fails but none of the other repair/restore methods work, you should restore the entire system from the last backup. Back up the user's files and folders first.

Identifying cause of and resolving networking issues (20-25%)
Solve enterprise logon issues
Hardware vs. network
BranchCache is only supported on Windows 7 Ultimate/Enterprise. BranchCache can be configured to cache data over HTTP (web sites). When BranchCache is used in distributed mode you must enable the inbound/outbound peer discovery and content retrieval rules on the clients.
When file sharing is enabled on Windows 7 (workgroup), password protected sharing is enabled by default. With password protected sharing, a user must have an account on the computer where the share is located in order to access it.
Check cables/switches/routers/hardware firewalls.
"There are no logon servers available to process your request": probably a cable. The DC could be down, but check the cable first.
You must add Windows credentials to the Windows Vault when accessing shared folders on a homegroup if you want to prevent users from having to type credentials in. Only Windows 7 PCs can participate in a homegroup.

Password expiry
The maximum and the minimum password age cannot be the same value.
Use RSoP to view someone's effective password policy.
You can identify locked-out accounts by examining logon audit failures (event ID 4625).
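As an added example (not from these notes): summarising 4625 logon failures from the Security log by account and failure reason, so locked-out accounts (sub-status 0xC0000234) and bad-password storms stand out. The named fields are read from the event XML, because the rendered Message text is not stable enough to parse. The function name and the 24-hour window are assumptions; the sub-status meanings are the documented ones for event 4625.

```powershell
# Added example, not part of the original notes. Elevated PowerShell on
# Windows 7 with "Audit logon events" failure auditing enabled.
$failureReasons = @{
    '0xc000006a' = 'Bad password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000071' = 'Password expired'
    '0xc0000070' = 'Workstation restriction'
}

function Get-LogonFailureSummary {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData/Data elements carry TargetUserName, SubStatus, IpAddress, ...
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $sub    = ([string]$data['SubStatus']).ToLower()
        $reason = $sub
        if ($failureReasons.ContainsKey($sub)) { $reason = $failureReasons[$sub] }

        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            SourceIp    = $data['IpAddress']
            Reason      = $reason
        }
    }
}

# Accounts with the most failures, and why: locked-out accounts appear with that reason.
Get-LogonFailureSummary -Hours 24 |
    Group-Object Account, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Only the lockouts, with the workstation/IP that produced them.
Get-LogonFailureSummary -Hours 24 |
    Where-Object { $_.Reason -eq 'Account locked out' } |
    Format-Table Time, Account, Workstation, SourceIp -AutoSize
```

Many "Bad password" rows from one workstation for a single account usually mean a stale saved credential (a mapped drive or service) rather than a user typing badly, which is worth checking before the account is unlocked again.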

Trust relationships with machine accounts
Disjoin and then rejoin the domain when the trust relationship fails, or use netdom to reset the computer account.

Determining logon context
To determine the logon context (local user database vs AD DS), run set at a command prompt (Run > cmd, then set) and look for the USERDOMAIN line:
Computer name = local user account
Domain name = AD DS domain
You can also check the LOGONSERVER line to see if a DC authenticated the user.
Credential Manager stores passwords in the AD DS user object, so users can store credentials and use them from any logon session within the domain. For example, if a user connects to a password-protected web server and ticks the "remember my password" check box, or uses the "reconnect at logon" check box on a shared folder or printer.
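As an added example (not from these notes), covering both the trust-relationship and the logon-context points above: the USERDOMAIN/LOGONSERVER comparison done in PowerShell, followed by the secure-channel test that fails when the computer account's trust is broken, with the in-place repair tried before disjoining. The function name, the credential GREENTEA\admin and the DC name in the netdom comment are assumptions.

```powershell
# Added example, not part of the original notes. Windows 7 / PowerShell 2.0.
function Get-LogonContext {
    $context = New-Object PSObject -Property @{
        User         = $env:USERNAME
        UserDomain   = $env:USERDOMAIN
        Computer     = $env:COMPUTERNAME
        LogonServer  = $env:LOGONSERVER
        LogonType    = $null
        CachedLogon  = $false
        TrustHealthy = $null
    }
    if ($env:USERDOMAIN -eq $env:COMPUTERNAME) {
        # USERDOMAIN equal to the computer name = local SAM account.
        $context.LogonType = 'Local account'
    } else {
        $context.LogonType = 'AD DS account'
        # A domain user whose LOGONSERVER is this machine logged on with cached credentials.
        $context.CachedLogon = ($env:LOGONSERVER -eq "\\$env:COMPUTERNAME")
        # False here is the "trust relationship between this workstation and the
        # primary domain failed" condition.
        $context.TrustHealthy = Test-ComputerSecureChannel
    }
    $context
}

$ctx = Get-LogonContext
$ctx | Format-List LogonType, User, UserDomain, LogonServer, CachedLogon, TrustHealthy

if ($ctx.LogonType -eq 'AD DS account' -and -not $ctx.TrustHealthy) {
    # Reset the computer account password in place; only disjoin/rejoin if this fails.
    Test-ComputerSecureChannel -Repair -Credential (Get-Credential 'GREENTEA\admin')
    # The netdom equivalent the notes mention (RSAT), run as local administrator:
    # netdom resetpwd /server:dc01.greentea.org /userd:GREENTEA\admin /passwordd:*
}

# Credentials saved through Credential Manager ("remember my password"):
cmdkey /list
```

CachedLogon=True explains the common case where a user "is logged on to the domain" yet Group Policy and share access behave as if no DC was reachable: the logon never touched a DC.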

Logon hours compliance
For local accounts on workgroup computers, logon hours are configured through PARENTAL CONTROLS.
It doesn't matter what time zone a workstation is in, because Active Directory uses UTC and adds the client's time offset before logon. Even in a different time zone, logon hours do not have to be adjusted; they are still enforced correctly without further configuration.

Solve enterprise network connectivity issues
Determining scope of issue
Windows Network Diagnostics
Automatically detects and fixes network-related problems. Events are saved to the System log under the source Diagnostics-Networking.
To identify the source of a networking error: if a red X is displayed over a network link, click the link to run Windows Network Diagnostics. If the X is between the network and the internet, contact the network administrator.
If you can browse the web but can't access a shared folder, it is probably an application connectivity problem.
Ping
If you are waiting for a remote computer to turn on or off, use the -t parameter to ping continuously.
Pathping
Tests connectivity between a remote host and all routers in between. Use this to determine problems in the way traffic is being routed, for example routing loops, a failed router or poor network performance.
A hop is a router. A node/link is a computer. RTT (Round Trip Time) is how long it takes for a packet to get to its destination and receive a response.
A router with high latency increases latency for every router after it, but it is most likely the only one with a problem.
Use the -d option to stop pathping resolving every intermediate router's name.
PortQry
PortQry tests a specific network service. For instance, HTTP on a web server:
o portqry -n microsoft.com -e 80
If PortQry isn't installed, use the Telnet client.
If you can connect to a different application on the server, it means the server is online.
Try to connect from different subnets.

APIPA
Can potentially mean the computer is not authorised to connect to
the network

Determining whether it's a PC or a network connectivity issue
If other computers can connect to a network device/subnet, the problem is likely to be on one computer.

TCP/IP
IPv4 TCP/IP settings are in network and sharing center
(Know the advanced settings)

Hardware and cabling
If all network adapters show a media state of "media disconnected", the computer is not physically connected to a wired/wireless network. If a cable is plugged in, disconnect and reconnect both ends. If the problem persists, replace the cable. Connect the original cable to a new computer; if that works, the NIC has failed.

Proxies
Internet Explorer > Internet Options > Connections > LAN settings > Advanced > Exceptions
When you use "Bypass proxy for local addresses", requests that use a plain host name bypass the proxy server. However, if you specify an FQDN or an IP address (even if they are local addresses) they will be routed through the proxy server. You must add these to the exception list.
Use proxycfg.exe to configure proxies.
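As an added example (not from these notes): a check that reproduces the bypass rule just described against the user's Internet Explorer settings. The "Bypass proxy for local addresses" checkbox stores the token <local> in the ProxyOverride value, which only matches names containing no dot; everything else must match an explicit exception entry (wildcards allowed). The function name and the three constructed test hosts are assumptions.

```powershell
# Added example, not part of the original notes. Reads the current user's IE proxy
# settings (HKCU) on Windows 7 and says whether a host would bypass the proxy.
function Test-ProxyBypass {
    param([Parameter(Mandatory = $true)][string]$HostName)

    $key      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $settings = Get-ItemProperty -Path $key
    $result   = New-Object PSObject -Property @{
        Host = $HostName; Bypass = $false; Rule = $null; Proxy = $settings.ProxyServer
    }

    if ($settings.ProxyEnable -ne 1) {
        $result.Bypass = $true; $result.Rule = 'no proxy configured'
        return $result
    }

    foreach ($entry in ([string]$settings.ProxyOverride) -split ';') {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }

        if ($entry -eq '<local>') {
            # "Bypass proxy for local addresses": only a name with no dot qualifies,
            # so an FQDN or an IP address never matches this token.
            if ($HostName -notmatch '\.') { $result.Bypass = $true; $result.Rule = '<local>'; break }
            continue
        }

        # Remaining entries are names, IPs or ranges with * wildcards (e.g. *.greentea.org, 10.*).
        $pattern = '^' + ([regex]::Escape($entry) -replace '\\\*', '.*') + '$'
        if ($HostName -match $pattern) { $result.Bypass = $true; $result.Rule = $entry; break }
    }
    $result
}

# Constructed test: the same server as a short name, an FQDN and an IP address.
'intranet', 'intranet.greentea.org', '10.1.2.3' |
    ForEach-Object { Test-ProxyBypass -HostName $_ } |
    Format-Table Host, Bypass, Rule, Proxy -AutoSize
```

On a machine where only the checkbox is ticked, the first host bypasses and the other two go through the proxy, which is the behaviour the notes warn about; adding *.greentea.org and 10.* to the exception list makes all three bypass.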
A global query block list protects a DNS server against spoofing. When users use WPAD (WPAD is a protocol that web browsers rely on to discover network proxy server settings), this address can be spoofed, and users may be led to a compromised network. Configure a global query block list to block address ranges (the leftmost portion of an FQDN is blocked).
Configure by using dnscmd /config /globalqueryblocklist wpad blacktea (e.g. blacktea.greentea.org).

Default gateway
Make sure the Default Gateway is not set to the broadcast address

Solve enterprise name resolution issues
Checking which DNS server is assigned
ipconfig /all

Flushing the DNS cache
ipconfig /flushdns, or start/restart the DNS Client service.
Disable the cache with net stop dnscache.

nslookup to DNS server
If you receive 2 or more addresses in response to an nslookup request, it means round robin is operating.
"Can't find contoso.com: Non-existent domain" means a DNS server was contacted, but it couldn't find a record for the request.
"DNS request timed out" means no DNS server is responding.
"Default servers are not available" means no DNS server is configured for the client.
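As an added example (not from these notes): the three nslookup outcomes above mapped onto the resolver errors a script sees, plus the WMI query that lists which DNS servers each adapter is actually using. The function name is an assumption. One caveat worth knowing: the .NET resolver consults the hosts file and the client cache before asking a server, whereas nslookup queries the server directly, so flush the cache (ipconfig /flushdns) when the two disagree.

```powershell
# Added example, not part of the original notes. Windows 7 / PowerShell 2.0.
function Resolve-HostName {
    param([Parameter(Mandatory = $true)][string]$Name)
    $result = New-Object PSObject -Property @{ Name = $Name; Addresses = @(); Verdict = $null }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        $result.Addresses = @($addrs)
        if ($result.Addresses.Count -gt 1) {
            $result.Verdict = 'Resolved: several records returned (round robin in use)'
        } else {
            $result.Verdict = 'Resolved'
        }
    } catch [System.Net.Sockets.SocketException] {
        # HostNotFound: a server answered and said no such name (nslookup "Non-existent domain").
        # TryAgain: no server responded in time (nslookup "DNS request timed out").
        switch ($_.Exception.SocketErrorCode) {
            'HostNotFound' { $result.Verdict = 'Non-existent domain: server answered, no record' }
            'TryAgain'     { $result.Verdict = 'Timed out: no DNS server responding' }
            default        { $result.Verdict = "Lookup failed: $($_.Exception.SocketErrorCode)" }
        }
    }
    $result
}

# Which DNS servers is the client configured with (the ipconfig /all view)?
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, DNSServerSearchOrder, DNSDomainSuffixSearchOrder |
    Format-List

# Constructed test names: an internal host, the notes' contoso.com example, and a typo.
'greentea-mem1.greentea.org', 'contoso.com', 'no-such-host.greentea.org' |
    ForEach-Object { Resolve-HostName -Name $_ } |
    Format-Table Name, Verdict, @{ Name = 'Addresses'; Expression = { $_.Addresses -join ', ' } } -AutoSize
```

An empty DNSServerSearchOrder for the active adapter is the scripted form of "Default servers are not available": nothing to ask, so no lookup will even time out.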

Checking the DHCP scopes
Options can be configured at scope or server level. Different subnets will have different scopes, therefore they can also have different DNS servers assigned to them.

Solve enterprise network printer issues
Hardware failure
The printer troubleshooter can detect hardware problems. For instance:
o No physical printer installed
o Out of paper
o Out of toner
o Paper jam
o Switched off
Open the printer troubleshooter via Control Panel > System and Security > Action Center > Troubleshoot common computer problems > Hardware and Sound > Use a printer.
Server issues
Connecting a printer directly to the network rather than using a server reduces your up-front costs, and the printer doesn't go offline if the server fails.
Using a server has the following benefits:
o Integration with Windows security
o Integration with AD DS browsing
o Automatic installation of printer drivers (the first time a client connects)
o Integration with management tools (MS-COM)
Requirements for a print server:
o Must be running the Server service
o Must be running the Print Spooler service
Clients must be running:
o Workstation service
o Print Spooler service
For auditing when users print or manage printers, you have to enable object access auditing on a Windows Server 2008 R2 server.

Printer failure
If there is a problem printing to an existing printer, use the printer troubleshooter by right-clicking the printer in Devices and Printers and selecting Troubleshoot.
Monitor print events by going to Applications and Services Logs\Microsoft\Windows\PrintService\Admin.
You can also log an event in the Security log when a user connects to a printer. This is done by enabling the "Audit logon events" policy in Computer Configuration (GP).

Network issues
If there is a problem connecting to a shared printer, use the printer troubleshooter: Action Center > Troubleshoot common computer problems > Hardware and Sound > Use a printer.
"Allow print spooler to accept client connections" (GP): verify this setting is enabled if you have difficulties sharing a printer.
Troubleshoot from the client:
o Stop the Offline Files service; it may cause Windows to see a server as online when it isn't
o Attempt to establish a NetBIOS connection with net view \\server25 (only if you are connecting via file and print sharing; other protocols won't work)
o Restart the Offline Files service: net start cscservice
o Verify DNS resolution. If it is not working, connect via IP
o Use PortQry to connect to TCP 445/TCP 139 (only if you are connecting via file and print sharing; if using IPP, use port 80)
Troubleshoot from the server:
o Verify printer functionality from the server
o Verify the folder/printer is shared
o Verify the Server/Print Spooler services are started
o Verify users have permission to the resource
o Check the firewall configuration (file and print sharing needs to be allowed explicitly on the server)
File and print sharing uses UNC paths. IPP uses HTTP (Windows 7 can only act as an IPP client, not a server).
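As an added example (not from these notes), serving both the PortQry section earlier and the client-side printer checklist above: a TCP port test built on .NET sockets, for machines where PortQry is not installed and the Telnet client is not enabled. It resolves the name first so that a DNS failure is reported as such rather than as a closed port, and distinguishes "refused" (host up, service down) from "no reply" (firewall or host down). The function names, server25 and the timeout are assumptions; the port choices are the ones the notes give (445/139 for file and print sharing, 80 for IPP).

```powershell
# Added example, not part of the original notes. Windows 7 / PowerShell 2.0.
function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    # Step 1 of the notes' checklist: verify DNS resolution before blaming the port.
    try {
        $ip = [System.Net.Dns]::GetHostAddresses($ComputerName)[0]
    } catch {
        return New-Object PSObject -Property @{ Target = $ComputerName; Port = $Port; State = 'NAME RESOLUTION FAILED' }
    }

    $client = New-Object System.Net.Sockets.TcpClient
    $state  = $null
    try {
        $async = $client.BeginConnect($ip, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No SYN/ACK and no RST within the timeout: filtered by a firewall or host down.
            $state = 'FILTERED (no reply)'
        } else {
            $client.EndConnect($async)        # throws if the connection was refused
            $state = 'LISTENING'
        }
    } catch {
        # Host answered with a reset: it is online, but nothing listens on that port.
        $state = 'NOT LISTENING (refused)'
    } finally {
        $client.Close()
    }
    New-Object PSObject -Property @{ Target = "$ComputerName ($ip)"; Port = $Port; State = $state }
}

function Test-PrintServerConnectivity {
    param([Parameter(Mandatory = $true)][string]$Server, [switch]$Ipp)
    # File and print sharing needs SMB (445 direct, 139 over NetBIOS); IPP rides on HTTP.
    if ($Ipp) { $ports = @(80) } else { $ports = @(445, 139) }
    foreach ($p in $ports) { Test-TcpPort -ComputerName $Server -Port $p }
}

# Same check as "portqry -n microsoft.com -e 80", without PortQry installed:
Test-TcpPort -ComputerName microsoft.com -Port 80

# Shared printer on server25 over file and print sharing, then the NetBIOS view the notes use:
Test-PrintServerConnectivity -Server server25 | Format-Table Target, Port, State -AutoSize
net view \\server25
```

"NOT LISTENING" on 445 while another service on the same host answers is the notes' "the server is online" case: look at the Server/Print Spooler services and the firewall rule on the server, not at the network.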

Driver issues
To force drivers that have been individually configured to run in a separate process, use the "Override print driver execution compatibility setting reported by print driver" (GP) setting. Use this together with "Execute print drivers in isolated processes" (GP) if the spooler is failing.
The quickest way to reinstall a driver is to reinstall the printer (remove the printer and reinstall).
o If reinstalling the driver doesn't fix your problem, you may have to remove some files located in system32\spool\drivers: remove any numbered subfolders
Disabling advanced print features may solve a driver-related problem.
Point and Print allows users to automatically install trustworthy drivers (digitally signed drivers included with Windows).
o Enabling Point and Print allows you to specify a list of print servers to which clients are allowed to print
o You can add specific servers to restrict Point and Print to the drivers on those servers
o If users are getting UAC prompts, edit the Point and Print Restrictions settings
o The "Only use Package Point and Print" setting is used to determine whether clients can Point and Print to printers that use package-aware device drivers. It does not control which printers are available
You can also use the Deployed Printers setting to specify which printers are available to an OU/domain etc.

Managing and maintaining systems that run Windows 7 client (20-25%)
Identify and/or resolve performance issues
Analysing system and application logs
Event forwarding
Applications and Services Logs\Microsoft\Windows\Eventlog-ForwardPlugin\Operational: use this log to verify a subscription was created successfully.
Event forwarding: check the Security log to ensure the forwarding/collecting computers are authenticating correctly (enable success/failure auditing).
The source computer requires HTTP/HTTPS inbound to be allowed in wf.msc.
If you are configuring a source-initiated subscription, you must also run winrm qc on the source computer, and create a source-initiated subscription on the collector computer by running wecutil cs subscription.xml:
o You then must configure Computer Configuration\Administrative Templates\Windows Components\Event Viewer > Configure the server address, refresh interval, and certificate authority of a target subscription manager > Subscription Manager, and specify the collector computer (Server=HTTPS://greentea-mem1.greentea.org:5986/wsman/subscriptionmanager/WEC)
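As an added example (not from these notes): the subscription.xml that wecutil cs consumes for the source-initiated setup described above, written out and loaded from PowerShell, followed by the verification steps the notes list. The subscription name, the query (critical and error events from the Application log) and the output path are assumptions; the SDDL in AllowedSourceDomainComputers grants Domain Computers the right to forward. The transport here is HTTP (port 5985); the HTTPS subscription manager URL in the notes would need TransportName set to HTTPS and a certificate-bound WinRM listener on each source.

```powershell
# Added example, not part of the original notes. Run on the COLLECTOR in an
# elevated PowerShell (Windows 7 or Server 2008 R2).
$subscriptionXml = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ApplicationErrors</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Critical and error events from the Application log (added example)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query>
    <![CDATA[
      <QueryList>
        <Query Id="0" Path="Application">
          <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>
        </Query>
      </QueryList>
    ]]>
  </Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
'@
Set-Content -Path 'C:\Temp\subscription.xml' -Value $subscriptionXml -Encoding UTF8

# Enable the Windows Event Collector service and load the subscription.
wecutil qc /q:true
wecutil cs C:\Temp\subscription.xml

# Runtime status: lists each source and whether it is active or failing to authenticate.
wecutil gr ApplicationErrors

# On each SOURCE computer (elevated): enable WinRM, then the GPO above points it at the collector.
#   winrm qc -q
#   winrm enumerate winrm/config/listener      # confirms an HTTP listener on 5985 exists
# Also needed on the source: inbound HTTP allowed in wf.msc, and NETWORK SERVICE able to
# read the forwarded logs (add it to the Event Log Readers group).

# Back on the collector: did sources register, and are events arriving?
Get-WinEvent -LogName 'Microsoft-Windows-EventCollector/Operational' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
Get-WinEvent -LogName 'ForwardedEvents' -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object MachineName, TimeCreated, Id, LevelDisplayName
```

If wecutil gr shows a source that never becomes Active, the Security log on the collector (with logon failure auditing on, as the notes suggest) normally shows the computer account being rejected, which points at the SDDL or at a source that is not a member of Domain Computers.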
Performance Monitor
Stop condition:
o To segment data (either when collection has reached a certain size, or gone on for a certain amount of time) select "Restart the data collector set at limits"; this will restart it when it has reached the specified duration and/or size
o "Stop when all data collectors have finished" allows data collectors to finish collecting when an overall duration has been specified
Task: you can run a scheduled task when the data collector set stops.
Data Manager: allows you to configure what happens to data created by data collector sets, e.g. delete previous data when a minimum free disk space has been hit.
o Minimum free disk space: set this to a certain value, e.g. 100 MB, and then set the resource policy. So when your free space in the folder gets to 100 MB a DCS will be deleted
o Maximum folders: number of subfolders that can be created in the DCS directory
o Resource policy: you can select either:
Delete largest (deletes the largest data collector set)
Delete oldest (deletes the oldest data collector set)
o Apply policy before the data collector set starts: deletes data before the DCS creates its new log file
o Maximum root path size: you can set this to ensure the root path doesn't grow larger than a certain size
Folder actions (tab inside Data Manager): allows you to choose how data is archived before it is permanently deleted. You may decide to disable Data Manager limits in favour of managing all data with folder actions:
o Lets you select a certain age/size; when these requirements are met you can select to convert the data into a cab file, to delete the raw data and, optionally, a directory to copy cab files to (cabinet files are an archive file format created from raw log data and can be extracted when needed)

Analysing started services
Use msconfig to disable services and startup items until you determine the source of the problem, then re-enable them.
Use the Services console to stop a service from starting automatically.

Setting power management
To change other settings, click Change Advanced Power Settings, adjust the settings, and then click OK. Some of the more useful performance-related settings include:
o Turn off hard disk after - Windows can turn the hard disk off to save power if it is not used for a specific amount of time. Realistically, though, applications continue to use the hard disk even if the user is not actively working with the computer.
o Wireless adapter settings - Wireless adapters can use a significant amount of battery power because they must transmit and receive radio signals. By default, Windows 7 enables power saving for wireless connections when running on battery power. If wireless performance significantly decreases while on battery power, you can change the power saving mode to Maximum Performance while on battery power.
o Sleep - In Windows Vista and Windows 7, Sleep is a power-saving mode that combines both Standby (a low-power state that allows the computer to recover in a few seconds) and Hibernation (a zero-power state that stores the computer's memory to disk, but takes longer to recover). By default, Sleep in Windows 7 initially enters Standby mode and then enters Hibernation 20 minutes later. Adjust this setting to change that default.
o USB settings - USB devices draw power from a computer. With USB selective suspend, Windows 7 can reduce the power usage of some USB devices. By default, USB selective suspend is enabled while Windows 7 is on battery power.
o Power buttons and lid - By default, Windows 7 automatically enters sleep mode when the lid of a mobile computer is closed. You can change this setting and configure how the power button functions.
o PCI Express - Some mobile computers have a PCI Express interface. This setting configures the power savings mode used for the PCI Express interface when on battery power or plugged in.
o Processor power management - Most modern processors can run at different speeds depending on the current processing requirements. When less processor time is needed, the processor runs slower, requiring less power. You can use these settings to change the minimum and maximum speed of the processor.
o Multimedia settings - You can use this setting to adjust video quality when on battery power. Enabling a higher video quality increases battery usage.
o Battery - Adjust how Windows responds when a battery begins to run out of power.
When deploying power settings with Group Policy, it is faster to use a logon script with powercfg than to create a power plan and import it with the Custom Active Power Plan setting.
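As an added example (not from these notes): the logon-script approach just recommended, applying several of the settings listed above with powercfg rather than importing a plan. The timeouts and percentages are example values; the SCHEME_*, SUB_* and setting aliases are the ones powercfg -aliases prints on Windows 7, and the two GUIDs for the wireless adapter power-saving mode are the standard Windows ones (shown in full because that setting has no alias). The -change syntax with a leading dash on the setting name is the Windows 7 form.

```powershell
# Added example, not part of the original notes. Run as a logon/startup script
# (plan changes need the rights of the user the script runs as).

# Work on the built-in Balanced plan and make it active.
powercfg -setactive SCHEME_BALANCED

# Timeouts in minutes: -ac = plugged in, -dc = on battery, 0 = never.
powercfg -change -monitor-timeout-ac 15
powercfg -change -monitor-timeout-dc 5
powercfg -change -disk-timeout-ac 0            # "Turn off hard disk after": never on AC
powercfg -change -disk-timeout-dc 10
powercfg -change -standby-timeout-dc 20        # Sleep (standby) after 20 min on battery
powercfg -change -hibernate-timeout-dc 80      # then hibernate an hour later

# Wireless adapter power saving on battery: 0 = Maximum Performance ... 3 = Maximum Power Saving.
powercfg -setdcvalueindex SCHEME_CURRENT 19cbb8fa-5279-450e-9fac-8a3d5fedd0c1 12bbebe6-58d6-4636-95bb-3217ef867c1a 0

# Processor power management: minimum/maximum processor state in percent.
powercfg -setacvalueindex SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMIN 5
powercfg -setacvalueindex SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMAX 100
powercfg -setdcvalueindex SCHEME_CURRENT SUB_PROCESSOR PROCTHROTTLEMAX 80

# Lid close action on battery: 0 = Do nothing, 1 = Sleep, 2 = Hibernate, 3 = Shut down.
powercfg -setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 1

# Re-activating the scheme makes the index changes take effect immediately.
powercfg -setactive SCHEME_CURRENT

# Verify one subgroup (shows current AC/DC index values).
powercfg -query SCHEME_CURRENT SUB_PROCESSOR
```

Because every line is idempotent, the script can run at each logon without drifting; the trade-off against a GPO-delivered plan is that a user with rights to change power settings can still alter them until the next logon.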

Checking hard drive space
To reduce fragmentation, increase the amount of free hard drive space. As a rule you should keep 15% of a disk's space free (this only applies to spinning HDDs).
Use Disk Cleanup to free up space.
o cleanmgr is the command-line version of Disk Cleanup. The syntax is strange: cleanmgr /dx, where x is the drive letter to clean, e.g. for drive C: run cleanmgr /dc
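As an added example (not from these notes): a check for the 15% rule above across all fixed volumes, which then launches Disk Cleanup for each one that falls below it. The function name and the threshold parameter are assumptions; the drive-letter form passed to cleanmgr follows the notes.

```powershell
# Added example, not part of the original notes. Windows 7 / PowerShell 2.0.
function Get-LowSpaceVolumes {
    param([int]$MinFreePercent = 15)
    # DriveType 3 = local fixed disk (skips optical, removable and network drives).
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        if ($_.Size -gt 0) {
            $pct = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
            New-Object PSObject -Property @{
                Drive          = $_.DeviceID
                SizeGB         = [math]::Round($_.Size / 1GB, 1)
                FreeGB         = [math]::Round($_.FreeSpace / 1GB, 1)
                FreePercent    = $pct
                BelowThreshold = ($pct -lt $MinFreePercent)
            }
        }
    }
}

$volumes = Get-LowSpaceVolumes
$volumes | Format-Table Drive, SizeGB, FreeGB, FreePercent, BelowThreshold -AutoSize

# Disk Cleanup on every volume under the threshold (cleanmgr /dc for C:, as the notes describe).
foreach ($v in ($volumes | Where-Object { $_.BelowThreshold })) {
    $letter = $v.Drive.TrimEnd(':')
    Start-Process -FilePath 'cleanmgr.exe' -ArgumentList "/d$letter" -Wait
}
```

Run the check again afterwards; if a volume is still below 15% after Disk Cleanup, the remaining space is user data or application data that needs a different answer than cleanup.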

Optimising virtual memory
You can optimise virtual memory by storing the paging file on a different physical disk from other files (the OS).

Solve hardware failure issues
Identifying bad sectors
The System Maintenance troubleshooter includes a check for bad sectors, lost clusters, cross-linked files and directory errors.
Ensure "Windows will check for routine maintenance issues and remind you when the System Maintenance troubleshooter can help fix problems" is set to On.
CHKDSK
Automatically finds and repairs disk volume problems related to bad sectors, lost clusters, cross-linked files and directory errors.
Can be run online or offline, but if you want to scan the system volume, it must be run offline.
Can be scheduled from the GUI to run the next time Windows starts.
Bad sectors can be caused by STOP errors, system freezes and other errors. If a problem does not appear to be the result of a recent system change, use CHKDSK to scan for errors.
To check a disk online, open the volume's properties, click Tools, and click Check Now. You can choose to fix:
o File system errors and bad sectors
o Just file system errors
If the system volume is selected, the hard disk will be checked the next time you start the PC.

CHKDSK command line options
/f - fixes errors on the disk
/v - displays the name of every file in every directory
/r - locates bad sectors and recovers readable information (/r includes the functionality of /f)
/x - forces the volume to dismount first (includes the functionality of /f)
/c - bypasses cycle checks (speeds up the command)
/i - only checks index entries (speeds up the command)
/b - clears the list of bad clusters on the volume and rescans all allocated and free clusters for errors (/b includes the functionality of /r; works only with NTFS-formatted disks)

Diagnosing memory issues
Memory issues cause intermittent problems. Run Windows Memory Diagnostics if you suspect memory issues.
Windows Memory Diagnostics has to be run offline. It can be started in the following ways:
o Windows interface: schedule it from Administrative Tools or by running mdsched
o Windows Boot Manager: lets you select an OS, but at the bottom of the page you can also select Windows Memory Diagnostics
o System Recovery Options: choose a recovery tool in Windows RE, etc.
After the tests have been completed, Windows restarts and displays a notification bubble with the test results. Related events are saved in the System log with a source of MemoryDiagnostics-Results (ID 1201).
Re-run memory diagnostics with just one RAM stick in, and test until you find the bad module.
If problems persist after replacing the module: high temperatures can cause memory to go bad, other devices can cause electrical interference, and motherboard and CPU issues may cause memory communication issues too.
If a STOP error refers to a memory error:
o Run memory diagnostics. If no errors are detected, or the installed RAM is not seen by the PC:
Verify the modules are seated properly
Verify they're in the proper slots according to the motherboard manual
Verify it's the correct memory for the board
Clean all slots, then insert one module into one slot and test; repeat for all

Recommending replacement hardware
Power Supply Unit
If the PSU appears dead, but is correctly plugged in, receiving power and the AC voltage is set correctly, and the computer still doesn't turn on, replace the PSU.
If the computer freezes before the OS starts:
o Verify the PSU is providing enough wattage for your board and components; if not, replace it
o Test with a multimeter to make sure the PSU is delivering correct and consistent voltage; if not, replace it
If the computer shuts down unpredictably:
o Verify the PSU fan is operating; if not, replace the PSU fan
o Verify the motherboard fan is working; if not, replace the fan
o Run Windows Memory Diagnostics
o Run motherboard diagnostics
If none of these uncover the problem, replace the PSU.
Motherboard
Beep codes but the PC doesn't start:
o Disconnect all accessories, isolate problem devices
o Find out the meaning of the beep code via the manufacturer's website/manual
o Fix the component the beep code identifies
o Replace the component if necessary
Computer loses power after a certain amount of time:
o Verify the CPU fan; replace if needed
o Make sure hot air cannot build up around the computer
Computer shuts down randomly:
o Run memory diagnostics
o Run motherboard diagnostics
o Make sure there is no hot air build-up
OS can't use power management, virtualisation, USB or network boot, hot swapping etc.:
o Enable it in the BIOS
No video and no beep codes:
Disconnect everything and reconnect one item at a time
Verify power connections/internal power switch/voltage switch
Run Windows Memory Diagnostics
Reset the BIOS to defaults
Ensure jumpers are set properly
If there is no internal speaker for beep codes, replace the video card
Replace the PSU
Replace the motherboard
Hard Disks
Loud whirring, screeching or clicking:
o Back up all data and replace the drive
OS fails to start and one of the following error messages appears:
o Hard disk error
o Invalid partition table
o A disk-read error occurred
o Couldn't find loader
Verify BIOS boot settings
Verify the hard drive contains the OS
Run Startup Repair
Verify power/SATA connectors
Verify jumpers on the hard drive
Recover with System Image Recovery
Replace the hard drive
The OS loads but performance decreases gradually:
Run Disk Defragmenter
The OS loads but there has been data corruption, or the system occasionally freezes and remains unresponsive:
Run CHKDSK
Run software diagnostics from the hard drive manufacturer

Updating the BIOS
You may need to update your BIOS to enable certain features, for instance booting from USB/network devices.

Determining which component is broken
A problem is caused by hardware when:
o The failure occurs before the OS loads
o The failure occurs randomly and suggests no relation to any software activity
If the boot sequence fails to load the OS, the problem is one of:
o Incorrect selection of boot device in the BIOS
o Faulty MBR on the hard disk
o A failed driver (typically a SCSI hard drive)
o Failed hardware
Action Center
First and easiest place to look for a problem of unknown origin. Alerts often indicate software issues but can also relate to missing/incompatible drivers.
If no alerts are displayed when you are troubleshooting, verify Windows Troubleshooting messages haven't been turned off in Action Center settings.
Windows 7 Troubleshooters (Windows Troubleshooting Platform)
Available in Control Panel. Use the Hardware and Devices troubleshooter for hardware-related issues. If a problem is detected but no information is provided, use hardware-specific diagnostics.
Devices and Printers troubleshooter: located in Devices and Printers.
o You can right-click any device and select Troubleshoot
Many built-in troubleshooters exist for solving hardware issues; third-party vendors can design their own.
Troubleshooters are created as PowerShell scripts called Troubleshooting Packs, installed in C:\Windows\Diagnostics\System.
Device Manager
If a troubleshooter doesn't fix a hardware-related problem, use Device Manager
Problem devices (failed to communicate with Windows) are displayed with a warning sign
Problem devices are usually related to a faulty driver:
o Roll back: if it was working before you last updated it
o Update: if the previous driver did not function or a previous driver was never installed
Reliability Monitor
Look for critical events in the Windows Failure category. If the system has been crashing, see if this coincides with a change to the system
Infrequent crashes are more likely to be application-specific
Crashes that coincide with high read/write activity (a backup, for instance) could point to a bad hard drive
Reliability Monitor can help when something (for instance a memory failure) caused STOP errors, but cannot help when hardware failures occur before Windows has even started
Event Viewer
For hardware errors:
o View the system log
o Filter by critical and error
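The Device Manager and Event Viewer checks above, as one added PowerShell triage script (not from the original notes). It assumes Windows 7 with PowerShell 2.0 and an elevated prompt.

```powershell
# Added example (not from the original notes): one triage pass over the places
# above - Device Manager problem devices and the System log filtered to
# Critical/Error - grouped by source so disk-related errors stand out.
# Assumes Windows 7 with PowerShell 2.0, run from an elevated prompt.

function Get-ProblemDevice {
    # Devices with the warning sign in Device Manager carry a non-zero
    # Configuration Manager error code (1 = not configured correctly,
    # 10 = device cannot start, 28 = drivers not installed).
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
        Select-Object Name, DeviceID, ConfigManagerErrorCode
}

function Get-HardwareEvent {
    param([int]$Hours = 24)
    # Event Viewer steps from the notes: System log, Critical (1) and Error (2),
    # limited to the last $Hours hours.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

function Get-HardwareEventSummary {
    param([int]$Hours = 24)
    # Group by source: a run of 'disk', 'atapi' or 'Ntfs' events is the cue to
    # run CHKDSK or the vendor diagnostics rather than chase an application.
    Get-HardwareEvent -Hours $Hours |
        Group-Object ProviderName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Write-Host '== Device Manager: problem devices =='
Get-ProblemDevice | Format-Table -AutoSize

Write-Host '== System log: Critical/Error events in the last 24 hours, by source =='
Get-HardwareEventSummary | Format-Table -AutoSize

Write-Host '== Most recent 20 Critical/Error events =='
Get-HardwareEvent | Select-Object -First 20 | Format-Table -AutoSize -Wrap
```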
Startup Repair
When troubleshooting a system that doesn't start, rule out software configuration and data corruption before doing anything else by running Startup Repair
Startup Repair automatically detects and fixes hard disk errors that prevent Windows from starting. It analyses and attempts to fix:
o Boot sectors
o Boot manager
o Disk configuration
o Disk integrity
o Boot Configuration Data (BCD) registry file integrity
o System file integrity
o Boot logs
o Event logs
If Startup Repair fails to fix your problem, you can safely remove disk configuration as a possible source of the error
Order of attempts: Startup Repair > Last Known Good Configuration > System Restore
Use msconfig to disable things TEMPORARILY, for troubleshooting only

Supporting mobile users (15-20%)


Solve enterprise wireless connectivity issues
Signal strength
Move away from metal cabinets or computers
If connecting outdoors, remove screens from windows, which generate noise
Use a high-gain (directional) antenna on both the WAP and the laptop
Increase the transmitter power
Increase the power at the client computer

Encryption types
802.1X provides authentication but no encryption
WPA2 supports fast roaming (when users need to connect to different WAPs constantly in the building)

Encryption keys
Usually generated after entering a passphrase

Wireless profiles
You need to extend the AD DS schema on domain controllers running a version prior to Server 2008. This is done by importing 802.11Schema.ldf with ldifde
If you try to connect to a device using netsh wlan, you must first have a profile containing the SSID/security information saved. You can export profiles as XML and distribute them to other computers
Load the imported profile with netsh wlan add profile filename=
You can use scripts and profiles to prevent users from ever having to enter a wireless key
You can use netsh to allow or block access to wireless networks based on their SSIDs:
o netsh wlan add filter permission=allow ssid=toast networktype=infrastructure
You can configure per-user profiles on computers with multiple users (all-user profiles are the default)
netsh wlan show networks - shows networks in range. mode=bssid includes signal strength, wireless radio type, channel, basic rates and other rates; mode=ssid outputs SSID, authentication and encryption type and is the default if you do not specify a mode. netsh wlan show all displays all information about interfaces
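The export/review/import flow described above, as an added PowerShell script (not from the original notes). It assumes Windows 7, an elevated prompt, and an export folder of your choosing; the SSID used in the trailing import commands is a constructed value.

```powershell
# Added example (not from the original notes): export the saved WLAN profiles
# with netsh, read each XML and list SSID, authentication and encryption so a
# weak profile is caught before it is distributed to other computers.
# Assumes Windows 7, an elevated prompt, and that $ExportDir is a folder you choose.
param([string]$ExportDir = "$env:TEMP\wlan-export")

New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Without key=clear the <keyMaterial> in the XML stays encrypted, so the
# export folder does not hold plaintext passphrases. Omitting name= exports
# every profile on every interface.
netsh wlan export profile folder="$ExportDir" | Out-Null

function Get-WlanProfileSummary {
    param([string]$Folder)
    foreach ($file in Get-ChildItem -Path $Folder -Filter '*.xml') {
        [xml]$xml = Get-Content -Path $file.FullName
        # PowerShell's XML adapter ignores the WLANProfile namespace, so
        # plain dot navigation works.
        $sec = $xml.WLANProfile.MSM.security.authEncryption
        # Anything short of WPA2 (PSK or 802.1X) with AES deserves a second look:
        # open/shared/WEP/TKIP profiles should not be rolled out.
        $weak = ($sec.authentication -notmatch '^WPA2') -or ($sec.encryption -ne 'AES')
        New-Object PSObject -Property @{
            File           = $file.Name
            Profile        = $xml.WLANProfile.name
            SSID           = $xml.WLANProfile.SSIDConfig.SSID.name
            Authentication = $sec.authentication
            Encryption     = $sec.encryption
            UseOneX        = $sec.useOneX
            Weak           = $weak
        }
    }
}

Get-WlanProfileSummary -Folder $ExportDir |
    Format-Table Profile, SSID, Authentication, Encryption, UseOneX, Weak -AutoSize

# On a target PC, load a reviewed profile for all users and restrict the client
# to that SSID, as the notes describe (SSID "Corp" is a constructed value):
#   netsh wlan add profile filename="C:\wlan-export\Wi-Fi-Corp.xml" user=all
#   netsh wlan add filter permission=allow ssid="Corp" networktype=infrastructure
#   netsh wlan add filter permission=denyall networktype=infrastructure
```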

Mobile devices
The first time you connect with EAP, if you don't have the Enterprise CA's certificate in Trusted Root, clear the Validate server certificate check box
If you can't reconnect to a wireless network, it is probably because security settings have changed
Use Applications and Services Logs > Microsoft > Windows > WLAN-AutoConfig to analyse wireless problems (or Applications and Services Logs > Microsoft > Windows > Diagnostics-Networking > Operational if you used the Windows Network Diagnostics troubleshooter)
Choose the Smartcard User template if you need to encrypt the user's data

Solve enterprise remote access issues


VPN client not connecting
Verify that the VPN client connection is configured properly with the VPN server name or IP address.
Verify that the VPN client computer has an active Internet connection. The VPN connection can be established only when the client is connected to the Internet.
Verify that the proper user credentials are defined in the VPN connection.
Verify that the user is authorized for remote access.
Verify that certificates are configured properly for the VPN connection. For instance, verify that the certificate of the root CA that issued the VPN server's computer certificate is installed in the Trusted Root Certification Authorities store on the VPN client computer. In the case of an L2TP/IPsec VPN, verify that the VPN client computer has installed a computer certificate that can be validated by the VPN server.
If an error message with code 741 appears and indicates that the local computer does not support encryption, verify that the encryption settings defined in the VPN connection are compatible with those defined on the server.
Configure a hosts file on remote access clients so they can resolve the VPN server address

IPv6 support
DA clients must have a globally routable IPv6 address
ISATAP is used on internal networks
6to4 is used on the Internet. Converts global IPv4 to IPv6. Their router's IPv4 address is embedded in their IPv6 address
Teredo allows clients located behind an IPv4 NAT device to communicate with IPv6 over the Internet. Converts private IPv4 to IPv6 (only used when 6to4 isn't available). Relies on clients, servers and relays
IP-HTTPS allows hosts located behind a web proxy or a firewall to connect to the IPv6 Internet (only used when 6to4 and Teredo aren't available)
NAT-PT/NAT64 allows connectivity through a NAT between global IPv6 and private IPv4 addresses
To configure a DA client, add it to a Windows group and specify this group when you run the DA configuration wizard on the server
The network location server is a web server located on the perimeter network
ISATAP makes an internal network fully IPv6 compatible
You can also use a NAT-PT device to translate DA traffic and make your network IPv6 compatible
A CDP needs to be available for both internal and external clients (for client and server authentication certificates, as well as NAP if it has been implemented)
Perimeter firewall exceptions:
o UDP 3544 - Teredo inbound
o IPv4 protocol 41 - 6to4
o TCP 443 - IP-HTTPS
o Native IPv6 support:
  - ICMPv6
  - IPv4 protocol 50
When configuring Teredo/6to4/IP-HTTPS use netsh interface and connect to the first public IP of the DirectAccess server (use the FQDN with IP-HTTPS)
The HRA must be located on the Internet in order to distribute health certificates to clients
The Teredo client should be set to enterprise client
Remove ISATAP from the global query block list on DNS servers. The intranet DNS server should also have an ISATAP A record
When using NAT-PT, the intranet servers will not have a global IPv6 address; ensure the NAT-PT device has a global IPv6 address instead
The DA client must correctly determine that it is not on the intranet; check with netsh namespace show effectivepolicy. If not, check the NLS server URL in the registry. Ensure it matches an exemption entry or does not match the DNS suffix for your intranet namespace in the NRPT
The DA client can't be assigned the domain firewall profile. If it is, ensure you don't have an active VPN connection or an accessible Domain Controller, and disable that connection
The DA client must be able to contact its intranet DNS server through IPv6. Use netsh namespace show effectivepolicy to obtain the intranet DNS servers and ping them
The DA server must contain IPv4 routes on the intranet interface to allow it to access all IPv4 destinations on the intranet
Ping IPv6 DNS intranet servers
Ping IPv6 intranet servers
Must be able to connect with application-layer protocols. If file and print sharing is enabled, use net view \\intranetFQDN to test
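The DirectAccess client checks above, run in order from one script, as an added PowerShell example (not from the original notes). Assumed: the "DNS Servers" label parsed from netsh namespace show effectivepolicy matches your Windows 7 build, and the intranet share name is a constructed placeholder.

```powershell
# Added example (not from the original notes): the DirectAccess client checks
# listed above, run from one elevated PowerShell 2.0 prompt on Windows 7.
# Assumptions: the "DNS Servers" label parsed from netsh namespace show
# effectivepolicy, and the intranet share name, are placeholders for your build.

function Get-DaTransitionState {
    # Which transition technology the client ended up on.
    netsh interface 6to4 show state
    netsh interface teredo show state
    netsh interface httpstunnel show interfaces
}

function Get-DaIntranetDnsServer {
    # Lift the IPv6 DNS server addresses the NRPT assigns for DirectAccess.
    # Assumed: each namespace block has a "DirectAccess (DNS Servers) : <addr>" line.
    $servers = @()
    foreach ($line in (netsh namespace show effectivepolicy)) {
        if ($line -match 'DNS Servers\)\s*:\s*(.+)$') {
            $servers += ($matches[1].Trim() -split '[,\s]+' | Where-Object { $_ })
        }
    }
    $servers | Select-Object -Unique
}

function Test-DaClient {
    param([string]$IntranetShare = '\\fileserver.corp.example.com')  # constructed name

    # 1. Effective NRPT: no DirectAccess DNS servers in effect means the client
    #    decided it is on the intranet (NLS reachable), so no DA tunnel is built.
    #    Check the NLS URL and the NRPT exemptions in that case.
    $dnsServers = @(Get-DaIntranetDnsServer)
    if ($dnsServers.Count -eq 0) {
        Write-Warning 'No DirectAccess NRPT rules in effect: client believes it is on the intranet.'
    }

    # 2. Firewall profile: a DA client must not be on the Domain profile.
    #    HNetCfg.FwPolicy2.CurrentProfileTypes is a bitmask: 1 Domain, 2 Private, 4 Public.
    $types = (New-Object -ComObject HNetCfg.FwPolicy2).CurrentProfileTypes
    if ($types -band 1) {
        Write-Warning 'Domain firewall profile active: drop any VPN or DC-reachable connection.'
    }

    # 3. Intranet DNS servers must answer over IPv6.
    foreach ($dns in $dnsServers) {
        ping -6 -n 2 $dns | Out-Null
        "DNS server $dns reachable over IPv6: $($LASTEXITCODE -eq 0)"
    }

    # 4. Application-layer test (needs file and print sharing on the target).
    net view $IntranetShare
}

Get-DaTransitionState
Test-DaClient
```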
Name Resolution Policy Table
The NRPT is used to separate intranet traffic from Internet traffic (if a name query is not found in the NRPT it is sent to the locally configured DNS server)
DirectAccess requires special handling for name queries for specific portions of the DNS namespace. If the DNS name matches specified portions of the namespace, apply the special handling. If the DNS name does not match the specified portions of the namespace, perform a normal DNS query using locally configured DNS servers. For example:
o If you set suffix to greentea.org, all DNS requests that end in greentea.org will be sent to the specified IPv6 DNS server(s)
o If you set prefix to server15, all DNS requests that start with server15 will be sent to the specified IPv6 DNS server(s)
o To specify all DNS names select Any (rather than suffix/prefix etc.). Only use this with DirectAccess when the route all traffic through internal network GPO is enabled (this is like the Use default gateway on remote network setting for a VPN connection)
The network location server must either be exempt from the NRPT policy rules or must not match them (have a different suffix when using suffix-based rules, for example)

Access and authentication to network resources (check static routes)
RRAS can use Windows authentication (SAM or AD DS database) or pass authentication to a RADIUS (NPS) server
Dial-in properties and a matching network policy are required for authorisation
The external adapter of the VPN server must be configured as a DHCP relay agent
You must set the Connections to Microsoft Routing and Remote Access server network policy in NPS to grant access (set to deny by default)
Split Tunnelling
If the default route to the gateway for the remote network is not being used (Use default gateway on remote network CLEARED), Internet locations are accessible, but only intranet locations on the same subnet as the VPN IP can be reached. Anything on the other side of a router cannot be reached
If the default route to the gateway for the remote network is being used (Use default gateway on remote network TICKED), all intranet locations are accessible, but only the IP of the VPN server and other pre-defined routes are available on the Internet. All Internet traffic is then routed through the company's intranet
o To work around this, use split tunnelling. This means using the default gateway on the LAN, forwarding all Internet traffic to the ISP (Use default gateway on remote network CLEARED), and configuring the routing table on the client with specific routes that direct packets to the organisation's network (CONFIGURING STATIC ROUTE/S)
o Performance for the client is improved. Traffic for the Internet goes directly to the Internet rather than through the organisation's intranet
o Network traffic on the VPN server is reduced
Enable packet filters to only allow inbound traffic from the remote access client, so that an attacker doesn't compromise the remote user's connection to the intranet
You can create routes with CMAK/batch file/DHCPINFORM message (from the DHCP server) or manually using route -p add 192.168.0.12 mask 255.255.255.255 10.100.100.254
Identifying cause of and resolving security issues (15-20%)
Solve Windows Internet Explorer security issues
Adding trusted sites
Internet Options > Security > Trusted sites > Sites > Add
If you need your users to download unsigned ActiveX controls, add the site that requires the unsigned control to the Trusted sites list and change Download unsigned ActiveX controls to Prompt for the Trusted sites zone
If you have a problem with a specific ActiveX control, and the developer informs you that the Initialise and script controls not safe for scripting setting is required, add the site to the Trusted sites list and enable this setting for only that zone
If you think Protected Mode is causing a web application to fail, you can add the site to the Trusted sites list, which has Protected Mode disabled by default

Advanced settings
Security Settings
Protected Mode is not enabled by default in the Intranet zone and Trusted sites
All trusted sites must be secured with an SSL certificate
Use the Custom level button in the Security tab of Internet Options to configure ActiveX control behaviour, scripting and user authentication settings
You can also use the Advanced settings to configure settings such as whether Internet Explorer performs revocation checks, whether SmartScreen Filter is enabled by default, which versions of SSL/TLS are supported, whether Windows authentication is supported, and whether IE should display a warning when there's a mismatch between an SSL certificate and a website address
Protected Mode means any processes spawned by IE run with very limited privileges. It does this by using Mandatory Integrity Control (MIC), which labels processes/files/registry keys with 1 of 4 integrity levels
o The Protected Mode compatibility layer redirects write locations to safe locations. So if a process tries to write to the Documents library, it's redirected to AppData\Temp Internet Files\Virtualised. This only applies to add-ons written for OS versions lower than Vista, as Vista+ add-ons natively write to these locations
Compatibility logging - some web applications/add-ons developed for earlier versions of IE don't work properly in IE8. Enable compatibility logging in Administrative Templates (GP) to find out the exact problem. Then find the logs in Applications and Services Logs\Internet Explorer
Disable Protected Mode - Internet Options > Security > disable Protected Mode for a particular zone. Retest the application with Protected Mode disabled (or add the site to Trusted sites, which disables Protected Mode for that site permanently)
Protected Mode is not available on Windows XP even with IE8
Group Policy - enable the Turn on Internet Explorer 7 Standards Mode policy to enable Compatibility View for websites in IE8

Installing plug-ins
Tools > Manage Add-ons
If an add-on is preventing you from opening IE, open Internet Options from Control Panel > Network and Internet > Internet Options > Manage browser add-ons
You can start IE without add-ons by opening Internet Explorer (No Add-ons) from Programs > Accessories > System Tools, or run iexplore.exe -extoff
To enable add-ons in Group Policy (User Configuration) provide the class identifier (CLSID) for it, e.g. {BDB57FF2-79B9-4205-9444-F5FE85F37312}. This can be found in the <object> HTML tag of a web page that references the add-on. Deny with 0. Allow with 1. Allow and allow management by users with 2
You can also deny all add-ons unless they're explicitly allowed in Group Policy
Turn off crash detection (GP) - use this to ensure an add-on still runs even if it's causing IE to crash
ActiveX add-ons may include:
o A component that allows you to manage VMs from a MS Virtual Server web page
o A Microsoft Update component that scans for missing updates
o Shockwave Flash
o A component that tries to install malware
Configure ActiveX Opt-in by Internet Options > Security > select zone > Custom level > Allow previously unused ActiveX controls to run without prompt. Disabled means ActiveX Opt-in is enabled, and you will be prompted. Enabled means ActiveX Opt-in is disabled, and ActiveX controls will run without a prompt
ActiveX Opt-in is enabled by default for the Internet and Restricted sites zones, but disabled for Local intranet and Trusted sites (so intranet and trusted-site websites will install without prompting the user)
ActiveX Opt-in does not apply to ActiveX controls in the preapproved list, which is contained in HKLM\software\Microsoft\Windows\CurrentVersion\Ext\Preapproved (contains the CLSIDs of preapproved ActiveX controls)
Automatic prompting for ActiveX controls bypasses the information bar and actively prompts the user to install the control. This is disabled on all zones by default
You can reduce the number of prompts a user receives by enabling Download signed ActiveX controls
Run ActiveX controls and plug-ins - if this is disabled, users will not be able to run ActiveX controls at all
Configure the ActiveX Installer Service to allow standard users to install ActiveX controls from specific approved websites. Computer Configuration\Administrative Templates\Windows Components\ActiveX Installer Service - specify URLs that can distribute ActiveX controls. Configure values for the approved installation sites: 0 to block, 1 to prompt, 2 to install automatically
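An added PowerShell audit (not from the original notes) for the two ActiveX Opt-in facts above: it lists the controls in the preapproved registry key, resolving each CLSID to its name, DLL and Authenticode status, and reads the per-zone Opt-in setting. It assumes Windows 7 / IE8 and that zone value id 1208 is the "Allow previously unused ActiveX controls to run without prompt" setting.

```powershell
# Added example (not from the original notes): audit the ActiveX controls that
# bypass ActiveX Opt-in via the PreApproved list, and read the Opt-in setting
# for each security zone. Assumes Windows 7 / IE8 and the registry path from
# the notes; zone value id 1208 is the "Allow previously unused ActiveX
# controls to run without prompt" setting.

function Get-PreapprovedActiveX {
    $preapproved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved'
    foreach ($key in Get-ChildItem -Path $preapproved -ErrorAction SilentlyContinue) {
        $clsid    = $key.PSChildName
        $classKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        $name = $null; $dll = $null; $signed = 'not registered'
        if (Test-Path $classKey) {
            $name = (Get-ItemProperty -Path $classKey).'(default)'
            $raw  = (Get-ItemProperty -Path "$classKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            if ($raw) {
                $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                # A preapproved control that is unsigned, or whose DLL is gone,
                # deserves a closer look.
                if (Test-Path $dll) { $signed = (Get-AuthenticodeSignature -FilePath $dll).Status }
                else { $signed = 'missing' }
            }
        }
        New-Object PSObject -Property @{
            CLSID = $clsid; Name = $name; Dll = $dll; Signature = $signed
        }
    }
}

function Get-ActiveXOptInSetting {
    # Zones: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
    # Value 1208: 0 = Enabled (Opt-in OFF, controls run without a prompt),
    #             3 = Disabled (Opt-in ON, user is prompted).
    $zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    foreach ($zone in 1..4) {
        $path  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).'1208'
        $optIn = switch ($value) {
            0       { 'off (runs without prompt)' }
            3       { 'on (prompt)' }
            default { "unknown ($value)" }
        }
        New-Object PSObject -Property @{ Zone = $zoneNames[$zone]; OptIn = $optIn }
    }
}

Get-PreapprovedActiveX | Format-Table CLSID, Name, Signature, Dll -AutoSize
Get-ActiveXOptInSetting | Format-Table Zone, OptIn -AutoSize
```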

Identifying group policy restrictions


If a user's IE isn't working as expected, use RSoP to ensure Group Policy settings are not responsible for the malfunction

Certificates
The certificate presented by a website was issued for a different website address:
o The host name (or IP address) you're using to access the site is not the site's primary address
o The server is impersonating a different server
You can add certificates to the IE certificate store to trust them
To import a certificate: Internet Options > Content > Certificates > Import

Solve enterprise issues due to malicious software


Analysing services
Use Task Manager to see unusual services
Disable services in the Services console so they can't run again

Analysing programs
Use msconfig to remove startup programs
Delete associated registry keys in both HKLM/HKCU, and write down the paths of associated programs. Then delete these programs in Windows Explorer
If problems persist after virus scans, run Startup Repair and run a System Restore

Analysing processes
Use task manager to identify unusual processes

Analysing browser helper add-ons


Uninstall unnecessary programs from control panel

User account control


Always notify me (and do not dim my desktop) (only available to standard users) - this setting is good for standard users who need to request elevation a lot
Admin Approval Mode for the built-in Administrator account - enabling this enables UAC prompts. Disabled means all processes run using administrator privileges. This is disabled in Local Security Policy by default
Allow UIAccess applications to prompt for elevation without using the secure desktop - allows Remote Assistance applications to disable the secure desktop when prompted for elevation. Disabled by default
There are fewer Group Policy options for configuring UAC for standard users. For example there are no settings to allow a standard user to prompt for consent (obviously)
Prompt for consent for non-Windows binaries is the default Admin Approval Mode setting in Local Security Policy
Run all administrators in Admin Approval Mode (default in Local Security Policy) causes all administrative accounts (besides the built-in Administrator) to run in Admin Approval Mode (see consent/credential prompts when privilege escalation is required). If this is disabled, administrators don't see prompts any more.
To disable UAC completely:
o Set Elevation prompt in Admin Approval Mode to Elevate without prompting
o Disable UAC: Detect application installs and prompt for elevation
o Disable UAC: Run all administrators in Admin Approval Mode
o Set Elevation prompt for standard users to Automatically deny elevation requests

Solve enterprise storage security issues


Requirements for installing
EFS/BitLocker are only fully supported on Enterprise/Ultimate
TPM must be enabled in the BIOS
BitLocker requires a minimum system partition of 100MB

Recovering encryption keys


When making MULTIPLE configuration changes to BitLocker using a GPO, you must suspend BitLocker, make the changes and then resume it. This is because the encrypted drives may not be in compliance with the new GPO settings. If you are making only 1 configuration change, however, you can make the change without suspending BitLocker
EFS Data Recovery Agents
Public Key Policies > Encrypting File System > Add/Create DRA. Then right-click the certificate and export it (with the private key) to a shared folder. This exact certificate corresponds to a user's encrypted file. You cannot generate a new one as the thumbprint won't match.
Run gpupdate on the clients to ensure that this certificate is listed as a DRA in the encrypted file's properties
Import the certificate into the Personal store when recovering files
EFS in a workgroup
If a user forgets his password, do not reset the password using an admin account. The user will lose access to encrypted files, and credentials in the Windows Vault will be lost. You must use a password reset disk to preserve encrypted access/Windows credentials
BitLocker Data Recovery Agents
Configure the following Group Policy settings:
o Provide the unique identifiers for your organisation. Then, for any drives already encrypted, run manage-bde -SetIdentifier <drive letter> and specify the unique identifier you previously configured
  - Verify with manage-bde -status <drive letter>
o Public Key Policies > right-click BitLocker Drive Encryption > Add Data Recovery Agent - add a DRA certificate for a user
o Choose how BitLocker-protected Operating System/Fixed/Removable data drives can be recovered - Allow data recovery agent
If a DRA has been configured and an identification field has been set and assigned to a drive, it will be assigned the DRA that was configured in Group Policy
To find out the DRA certificate information on a drive run manage-bde -protectors -get <drive letter>
To unlock the drive, the administrator would run manage-bde -unlock E: -Certificate -ct 0234753948752034724a234e234
When running manage-bde -status remotely use the -cn (computer name) option to specify the remote computer

Key management
Configure AD DS before configuring BitLocker on clients. Otherwise recovery information for those PCs will not automatically be added to AD (this can be done manually with manage-bde or the BitLocker WMI provider)
BitLocker recovery information is stored in a child object of the computer object (its name incorporates a GUID plus date and time)
The object class for the recovery object is ms-FVE-RecoveryInformation, which has several attributes. One of which is:
o msFVE-KeyPackage - this contains the encryption key and allows you to decrypt a volume
If any Domain Controllers are running Server 2003 you need to extend the schema with BitLocker and TPM attributes: ldifde -i -v -f BitlockerTPMSchemaExtension.ldf. Then you must run cscript Add-TPMSelfWriteACE.vbs to add an Access Control Entry to allow TPM recovery information to be backed up
Group Policy configuration:
o Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption > Choose how BitLocker-protected fixed drives can be recovered:
  - Enabled - Save BitLocker recovery information to Active Directory Domain Services (selected by default)
  - Select BitLocker recovery information to store:
    - Recovery passwords and key packages
    - Recovery packages only
      o Key packages are used with the repair-bde tool to perform specialised recovery when a disk is damaged or corrupted
  - Select Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives if you want to prevent users from enabling BitLocker until the computer is connected to the domain and the recovery information has been successfully restored
o Computer Configuration\Administrative Templates\System\Trusted Platform Module Services > Turn on TPM backup to Active Directory Domain Services:
  - Enabled (Require TPM backup to AD DS selected by default). This means the TPM owner password cannot be set or changed unless the computer is connected to the domain and AD DS backup succeeds
To turn on BitLocker and create a recovery password: manage-bde -on C: -RecoveryPassword
After it has encrypted, run manage-bde -protectors -adbackup C: -id {recoveryGUID}
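The manual AD DS backup path above, as an added PowerShell example (not from the original notes): it parses manage-bde -protectors -get output for every recovery-password protector ID and runs -adbackup for each. It assumes Windows 7 Enterprise/Ultimate, an elevated prompt, and the output layout in the constructed sample.

```powershell
# Added example (not from the original notes): find every numerical
# (recovery-password) protector on a drive from manage-bde -protectors -get
# output and push it to AD DS with -protectors -adbackup, the manual route the
# notes give for PCs encrypted before AD DS backup was configured.
# Assumes Windows 7 Enterprise/Ultimate, an elevated prompt, and the output
# layout shown in the constructed sample below.

function Get-RecoveryPasswordId {
    param([string[]]$ManageBdeOutput)
    # After a "Numerical Password:" heading the next "ID: {GUID}" line is the
    # protector we want; TPM and certificate protectors are skipped.
    $ids = @()
    $inNumeric = $false
    foreach ($line in $ManageBdeOutput) {
        if ($line -match '^\s*Numerical Password:') { $inNumeric = $true; continue }
        if ($inNumeric -and $line -match 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $ids += $matches[1]
            $inNumeric = $false
        }
    }
    return $ids
}

function Backup-RecoveryPasswordToAd {
    param([string]$Drive = 'C:')
    $out = manage-bde -protectors -get $Drive
    foreach ($id in Get-RecoveryPasswordId $out) {
        # Creates/updates the ms-FVE-RecoveryInformation child of the computer
        # object, the same place the GPO-driven backup writes to.
        manage-bde -protectors -adbackup $Drive -id $id
    }
}

# Constructed sample of manage-bde -protectors -get output (not from a real PC),
# used to exercise the parser before running it against a live drive.
$sample = @'
Volume C: [OS]
All Key Protectors

    TPM:
      ID: {11111111-2222-3333-4444-555555555555}
      PCR Validation Profile:
        0, 2, 4, 8, 9, 10, 11

    Numerical Password:
      ID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
      Password:
        111111-222222-333333-444444-555555-666666-777777-888888
'@
Get-RecoveryPasswordId ($sample -split "`r?`n")

# Live run, then confirm with the status/protectors commands from the notes:
# Backup-RecoveryPasswordToAd -Drive 'C:'
```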

Solve enterprise software update issues


Identifying software update level
MBSA

Checking whether client is receiving regularly scheduled updates
Use WSUS/Configuration Manager. Alternatively you can use MBSA and include non-domain members too

Identifying incompatibility of update with other applications
Test in a lab, and deploy to a pilot group first (savvy users)
Use Reliability Monitor to determine if it was an update that caused the issue
