Key Admin Tools
Control Panel > View by: Large Icons
Settings app: more for users and touch friendly
System
GP = Group Policy (gpedit.msc)
PS = PowerShell: cmdlet names are a Verb followed by a Noun (Get-Process, Set-Item)
In search bar type: gr to edit group policy (admin access required)
cmd: gpupdate
Some things can only be done in PS
Scripts and Automation is useful
Install Apps Using Office 365
Activation is online; if the client cannot reach the activation service there is a 30-day grace period
Offline version 2016 but mainly online
Click To Run – Setup.exe streamed install from internet, better and faster than MSI
Users can click this with correct permission and install themselves
https://technet.microsoft.com/en-us/library/jj219427.aspx
Portal – If you are a small company you can set up the portal so users install Office themselves. They need the appropriate user rights
Larger enterprises would have Office365 Apps downloaded to network share
Office Deployment Tool – Free tool
setup.exe /download downloadconfig.xml – Indicates exactly what you want downloaded on prem
select language, customise such as exclude publisher
most companies will download everything, then do custom installations for different departments
setup.exe /configure installconfig.xml – used when you install on a machine
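The two-step ODT flow above (download once to a share, then configure each client from the share), as an added example that is not part of the course notes. It writes the two XML files the notes name and calls setup.exe against them. C:\ODT\setup.exe, the \\fileserver\Office share and the Publisher exclusion are assumptions for this example; the XML element names (Add, Product, Language, ExcludeApp, Updates, Display) are the ones the Office Deployment Tool documents.

```powershell
# Added example (not from the course): builds downloadconfig.xml and
# installconfig.xml and runs the Office Deployment Tool against them.
# Assumptions: setup.exe extracted to C:\ODT, \\fileserver\Office is a share
# the clients can read (both are placeholders).
$odt   = 'C:\ODT\setup.exe'
$share = '\\fileserver\Office'

# downloadconfig.xml: exactly what to pull down to the share (64-bit, en-us,
# Publisher excluded so it is not even downloaded).
$download = @"
<Configuration>
  <Add SourcePath="$share" OfficeClientEdition="64">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Publisher" />
    </Product>
  </Add>
</Configuration>
"@
Set-Content -Path 'C:\ODT\downloadconfig.xml' -Value $download

# installconfig.xml: a per-department install that points at the share instead
# of the internet, runs silently and accepts the EULA (no user interaction).
$install = @"
<Configuration>
  <Add SourcePath="$share" OfficeClientEdition="64">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
      <ExcludeApp ID="Publisher" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@
Set-Content -Path 'C:\ODT\installconfig.xml' -Value $install

# Step 1 (once, on a machine with internet access): populate the share.
& $odt /download 'C:\ODT\downloadconfig.xml'

# Step 2 (on each client, as an administrator): install from the share.
& $odt /configure 'C:\ODT\installconfig.xml'
```

Keeping SourcePath identical in both files is what makes the configure step read from the share rather than the internet; a department that needs Publisher gets its own installconfig.xml without the ExcludeApp line.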
See Office 365 Identities and Requirements 70-346 Course which goes more in depth and has certification
SCCM is not required for this exam
Windows Store Apps
Enabled by default but not useful unless you connect with MS Account
10 copies allowed on your devices
Universal in nature – Will run on xbox, mobile, surface etc
Click Store button on taskbar
Apps category
Apps update by default
In Settings control App Updates On/Off so you can do manually
Live tile on/off
Check for updates button
Settings App > System > Storage > Save location for apps
Apps and features > Move apps if required
CP > Large > Programs and features > Windows Apps are not in this list
To uninstall right click item in Start menu
You can search app in search bar and install from there directly
To disable store
GP > Computer config > admin templates > win components > store
turn off store, disable apps, only display private store
Windows Store for Business
Volume licensing for apps in win store for users in enterprise
3 different uses of the store: private home user, business user, and Store for Business (which relies on a mix of private and public apps)
Sideloading Apps
For a business that wants to bypass the Windows Store completely (side-stepping the store)
Settings app > update and security > for developers > sideload apps selected default
license key not required
certificate to validate app, publicly signed and trusted cert to deploy with no user intervention
device no longer needs to be on domain for sideloading
Use DISM to add Sideload Apps to Win 10 Image
AppX extension
https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/sideload-apps-with-dism-s14
DISM /Online /Add-ProvisionedAppxPackage /PackagePath:C:\App1.appx /SkipLicense
PS: Add-AppxProvisionedPackage -Online -FolderPath C:\Appx -SkipLicense
Sideload on running Win 10 using PS:
Install Cert then run Add-AppxPackage Cmdlet
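The "install cert, then Add-AppxPackage" step, as an added example that is not from the course: it checks that sideloading is actually switched on, trusts the signing certificate, verifies the package signature before installing, and shows the provisioning variant from the DISM line. C:\Appx\App1.appx and C:\Appx\App1.cer are placeholder paths; the AppModelUnlock registry value is the one the Settings > For developers switch writes.

```powershell
# Added example (not from the course): sideload a line-of-business .appx on a
# running Windows 10 machine. Placeholder paths: C:\Appx\App1.appx and the .cer
# it was signed with. Run in an elevated PowerShell.
$package = 'C:\Appx\App1.appx'
$cert    = 'C:\Appx\App1.cer'

# 1. Confirm sideloading is permitted (Settings > For developers writes this;
#    1 = allowed). Read it rather than blindly flipping it.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
$allowed = (Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
if ($allowed -ne 1) { throw "Sideloading is not enabled on this machine (AllowAllTrustedApps=$allowed)" }

# 2. Trust the signing certificate. Trusted People is enough for AppX signature
#    validation and is narrower than dropping it into Trusted Root.
Import-Certificate -FilePath $cert -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' | Out-Null

# 3. Verify the package signature before installing anything.
$sig = Get-AuthenticodeSignature -FilePath $package
if ($sig.Status -ne 'Valid') { throw "Package signature is $($sig.Status); refusing to install" }

# 4a. Install for the current user only.
Add-AppxPackage -Path $package

# 4b. Or provision it into the image so every new user profile gets it
#     (the PowerShell equivalent of DISM /Add-ProvisionedAppxPackage).
# Add-AppxProvisionedPackage -Online -PackagePath $package -SkipLicense

# 5. Confirm: sideloaded packages show a non-Store SignatureKind.
Get-AppxPackage | Where-Object { $_.SignatureKind -in 'Developer', 'Enterprise' } |
    Select-Object Name, Version, SignatureKind
```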
MS Intune can also be used
https://docs.microsoft.com/en-us/windows/application-management/sideload-apps-in-windows-10
SCCM can also be used but not in the exam
MS Account on Win 10
Settings App > Accounts > Family & Other People > Add MS Account or click I don’t have sign in info > Add user without MS Account
Local account does not have sync available
Settings > Accounts > local user can choose to use MS Account here
Sync settings:
Theme, IE Settings, Passwords (verify with code), Language, ease of access, other win settings
You can also remove > delete ms account and data
GP > Comp config > win settings > security settings > local policies > security options > Accounts: Block MS Accounts (users can't add MS accounts themselves, so you can preset their MS accounts if you want)
Add family > Control spending in store
Set up assigned access link > create an account and choose which app it has access to. Used for a kiosk-type account
Other Authentication Options
Settings App > Accounts > Other People > Add someone to PC > Local users console
Workgroup/Domain join requires reboot
Shared folder between 2 computers on same workgroup
Settings app > accounts > sign-in options > Windows Hello
requires finger, iris, face recognition camera (biometric authentication) default on surface
known as multi factor authentication sends to MS Passport in the background
Pin with password or certificate with Pin
Picture password for lower security use gestures on picture
GP
Services > Windows Biometric Service (required for hello)
search Cert in search bar for Certificate Management
Secure Channel
Apps use Secure Channel API in Win 10 to make secure connection if it needs it
similar to TLS/SSL (HTTPS://)
CP > Credential Manager
Windows Credential or Web Credential (Not to be confused with Credential Caching which is part of AD Domain)
Account Policies
gpedit > Comp Config > Win Settings > Sec Settings > Account Policies > Password Policy (complexity, lock out time etc)
Multi Factor Authentication – SmartCard
Insert card and provide pin
Virtual Smart Card so you don’t need card reader on each machine
This uses the TPM (Trusted Platform Module) on the motherboard to store the virtual smart card information
TPM.msc – You can see if you have TPM
If you did have one then you can run cmd:
TpmVscMgr create /name MyVSC /pin default /adminkey random /generate
This will create the environment on a standalone system
User Profiles
C:\Users\Administrator
View Hidden: AppData, NTUSER.DAT
Local Profile
Roaming Profile > AD Domain, Profile tab: shared location
NTUSER.MAN (renaming NTUSER.DAT to NTUSER.MAN makes the profile mandatory, i.e. read-only)
Migrate profile from 7/8.1 using USMT part of ADK
Win 10 has version 5 profile version
Win 10 Anniversary is v6 profile
USMT folder:
C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64
CMD Admin: scanstate and loadstate
cd amd64
scanstate u:\ /o /ue:*.* /ui:WIN10E-1\Administrator /i:migdocs.xml /i:migapp.xml /encrypt /key:Pa$$w0rd (copies the profile to the U drive; /ue:*.* excludes all profiles and /ui: includes only Administrator)
Copies profile to U drive in USMT folder and creates USMT.MIG file
On the other machine cmd admin:
u:
cd amd64
loadstate u:\ /mu:WIN10E-1\Administrator:WIN10E-2\Administrator /i:migdocs.xml /i:migapp.xml /decrypt /key:Pa$$w0rd
https://docs.microsoft.com/en-us/windows/deployment/usmt/usmt-what-does-usmt-migrate
Pinned items such as Calculator do not appear on the taskbar until you log out and back in;
profile documents appear straight away
Hyper V
Pro, Education or Enterprise
Check you have hw requirements.
Install feature in programs and features
Hyper-V manager under administrative tools
Right click and go to V switch manager
Setup MySwitch and set VLAN ID to 101 to identify traffic from this VM
Hyper-V settings setup VHD and VMs path to C:\VMs
Always set new VM to Gen 2 newer features
Switch types: Private, Internal, External
Integration Settings – with the shutdown integration service enabled, right click > Shutdown will shut the guest down gracefully
Turn off cuts the power immediately (no graceful shutdown)
Moving VM Disk files to another drive
Right click VM > Move > Wizard to move all files and disk
Checkpoint and then apply
These take disk space
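The Hyper-V lab above (enable the feature, set the VM paths, create MySwitch with VLAN 101, create a Gen 2 VM, checkpoint, move), done with the Hyper-V PowerShell module instead of Hyper-V Manager. This is an added example, not from the course; the VM name Lab-VM1, its memory and disk sizes are assumptions, while MySwitch, VLAN 101 and C:\VMs are the values from the notes.

```powershell
# Added example (not from the course): the Hyper-V lab with the Hyper-V module.
# Assumptions: VM name Lab-VM1, 2 GB RAM, 60 GB disk. Run elevated on
# Windows 10 Pro/Enterprise/Education.

# 1. Enable the role (same as Programs and Features; a reboot is still needed).
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart

# 2. Default paths for VM configuration and virtual hard disks (Hyper-V settings).
Set-VMHost -VirtualMachinePath 'C:\VMs' -VirtualHardDiskPath 'C:\VMs'

# 3. An internal switch: host and VMs can talk to each other but nothing leaves
#    the box, the safest choice for a lab.
New-VMSwitch -Name 'MySwitch' -SwitchType Internal | Out-Null

# 4. A Generation 2 VM (UEFI, Secure Boot) attached to that switch.
New-VM -Name 'Lab-VM1' -Generation 2 -MemoryStartupBytes 2GB `
       -NewVHDPath 'C:\VMs\Lab-VM1.vhdx' -NewVHDSizeBytes 60GB -SwitchName 'MySwitch' | Out-Null

# 5. Tag the VM's traffic with VLAN 101 so it can be identified on the switch.
Set-VMNetworkAdapterVlan -VMName 'Lab-VM1' -Access -VlanId 101

# 6. Integration services: with 'Shutdown' enabled, Stop-VM asks the guest for a
#    graceful shutdown; Stop-VM -TurnOff would pull the plug instead.
Enable-VMIntegrationService -VMName 'Lab-VM1' -Name 'Shutdown'

# 7. Baseline checkpoint before experimenting (restore with Restore-VMSnapshot).
#    Checkpoints are differencing disks and consume space until deleted.
Checkpoint-VM -Name 'Lab-VM1' -SnapshotName 'Baseline'

# 8. Move every file of the VM (config, checkpoints, VHDX) to another drive.
# Move-VMStorage -VMName 'Lab-VM1' -DestinationStoragePath 'D:\VMs\Lab-VM1'

Get-VM -Name 'Lab-VM1' | Select-Object Name, Generation, State, Path
```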
Offline Files and Work Folders
Create shared folder on C drive
ping 2nd machine ip
on 2nd machine look at network share
map as Z drive
right click doc > always available offline
control sync of the file in CP > Sync Center > Sync partnership > Open to see files
Be careful not to sync too much
Manage offline files > disk usage, encryption, network (controlled through GP)
You can test this by disabling network on one machine then go back online and view sync center
sync conflicts appear > choose version you want to keep or save both versions
GP > Comp config > Admin Templates > Network > Offline files > turn off offline files or change settings
Work Folders
Like a private, internal-only OneDrive for the user: files sync and are encrypted
Setup on Win Server 2012 R2 > Add feature > update system and clients > create cert > bind cert for users > edit DNS so it can be found easily > set up GPO
cbt course windows server 2012 70-410 Video 33 Configure Work Folders or look at server 2016 course
Windows To Go
Run your own Windows with your apps on a usb stick
CP > Win To Go > Choose usb drive > select windows 10 image file > Bitlocker optional
This can be automated with PS and Win To Go Scripts
Some usb sticks are certified for Windows To Go
Cannot upgrade Win2go
No Recovery, No reset – You need to make a new win2go drive
No Hibernation
No Sleep
Drivers will load to stick when you connect stick and will be available next time
GP > Comp Config > Admin Templates > Win Components > Portable Operating System (not much to configure and not recommended)
Machine needs to be able to:
Boot to USB
Host disk not available
Host must not be bitlockered
Architecture must be same, 64bit to 64bit
meet Win7 requirements for win2go to work
Licensing: only some editions; Home is not available
WiFi Direct
Bluetooth is slow
Mobile hotspot is not wifi direct
Miracast is Wifi direct
wifi direct send, print
On Win 10 you can make your own Wifi direct signal
Your network adapter needs to support wifi direct too
use cmd: netsh wlan set hostednetwork mode=allow ssid=WIFIDIRECT key=Microsoft1234
netsh wlan start hostednetwork
netsh wlan stop hostednetwork
Power
Settings App > System > Power & Sleep > Screen and when to put to sleep
Battery > Usage by app and battery saver at 20% with slider
Additional power options link to CP
Balanced, Power Saver – Change plan and can restore default too
Create new power plan, advanced settings such as hard disk, closing lid, adaptive brightness
Pin power options to start menu if you want
Cmd: powercfg /?
powercfg /l
for enterprise use GP such as all laptops on a power scheme
GP > Computer Config > Admin Templates > System > Power management
Bitlocker
The NTFS encrypt option (EFS) is for specific files and folders
Bitlocker protects entire disk
You can combine encrypting file system inside of a bitlocker protected disk
Pro, Ent and Edu
Works well with TPM 1.2/2.0, surface pro and surfacebook have this
It is possible to bitlocker the windows drive without a TPM Module
Bitlocker To Go – Encrypt entire usb drive
Corporate Tool MBAM – MS Bitlocker Administration and Management Tool
Lets you build a recovery drive for users who have lost key information
Dual or triple authentication options: TPM + startup PIN + startup key; TPM + PIN; TPM + startup key; startup key only; TPM only
tpm.msc to see if you have TPM. Make sure it is not disabled in BIOS/UEFI
Encrypt Windows without TPM (workaround)
CP > Bitlocker Drive Encryption > Will give message that no TPM
GP > Computer Config > Admin Templates > Win Components > Bitlocker Drive Encryption > Operating System Drives > "Require additional authentication at startup" GPO: set to Enabled
tick box: allow bitlocker without TPM (requires password or startup key on usb flash drive)
You can have password only or usb drive with startup key
save recovery key to usb, ms account, file or print key to pdf/printer
New encryption mode option for Win 10
Bitlocker can affect boot time but not much
Bitlocker cmd tool
cmd admin: manage-bde /?
PS: Get-BitLockerVolume
https://technet.microsoft.com/library/jj649829(v=wps.620).aspx
Turn off bitlocker it will start decrypting
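The BitLocker cmdlets from the notes put together into the TPM path (check the TPM, enable with the new XTS-AES mode, add a recovery password, escrow it off the drive), as an added example that is not from the course. The removable drive E:\ used for the recovery file is an assumption; in an enterprise the recovery password would go to AD, Azure AD or MBAM instead.

```powershell
# Added example (not from the course): BitLocker on the OS drive with a TPM.
# Assumption: E:\ is a removable drive where the recovery password is saved.
# Run elevated.
$drive = 'C:'

# 1. Same information as tpm.msc: is there a TPM and is it ready?
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM. Enable it in UEFI or use the 'Allow BitLocker without a compatible TPM' GPO."
}

# 2. Current state (same as manage-bde -status).
Get-BitLockerVolume -MountPoint $drive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod

# 3. Enable with a TPM protector. XtsAes256 is the Windows 10 'new encryption
#    mode'; -UsedSpaceOnly keeps initial encryption fast on a fresh machine
#    (encrypt the whole disk instead if it previously held data).
Enable-BitLocker -MountPoint $drive -EncryptionMethod XtsAes256 -TpmProtector `
    -UsedSpaceOnly -SkipHardwareTest

# 4. Add a numeric recovery password so the drive can still be unlocked when the
#    TPM measurements change (firmware update, board swap).
Add-BitLockerKeyProtector -MountPoint $drive -RecoveryPasswordProtector | Out-Null

# 5. Escrow the recovery password somewhere that is NOT the encrypted drive.
$recovery = (Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
$recovery | Select-Object KeyProtectorId, RecoveryPassword |
    Format-List | Out-File -FilePath 'E:\BitLocker-Recovery-LabPC.txt'

# 6. Verify: both protectors present, protection On after the next reboot.
(Get-BitLockerVolume -MountPoint $drive).KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

Disable-BitLocker -MountPoint C: is the cmdlet equivalent of the "turn off" link and starts decryption straight away.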
For enterprise setup data recovery agent. Works with certs on win server (DRA)
https://blogs.technet.microsoft.com/askcore/2015/10/16/setting-up-data-recovery-agent-for-bitlocker/
Not in the exam
MS Intune
Cloud based management service for mobile phones, laptops and desktops.
Designed for small businesses
You can download trial of Intune and re install as many times with different company names
2 ways to implement:
standalone
hybrid: connect to SCCM
Sign in to Office 365 Portal once you have signed up Intune
This will probably be moved to Azure soon
Office365 Admin Center
Users > status Intune
Admin centers > Intune and Azure AD
Intune Portal > Users/Groups, Alerts, Apps, Policy, Reports, Admin
Admin > mobile device management > not connecting to sccm or office365 so select Intune only to manage the platform. If you select this then need to call MS to undo
enable different platforms, Windows, Win phone, Android etc
In the Intune users there is no user but there is in O365 accounts
Intune users are now managed in Azure AD
Manage Apps, Configure devices, Set device compliance, conditional access, devices & groups, manage users, enroll devices, access control, open classic intune portal
User account should be visible in Azure AD and the license should be visible for intune in Azure AD
Create new group: name, membership type: assigned, dynamic device, dynamic user
office features enabled yes/no
select member and create group
you can create users in Office365 Admin center. Auto filled domain, password auto generated or your own, intune license selected, user role admin or user.
You should see new user in AzAD after 20 secs
Click new user and add to group
Mobile device policy > Configuration Policies > Common mobile device settings > Mobile Device Security
This has common settings but you can customise policies
When you save policy it asks do you want to deploy policy?
Select group to assign policy to.
Compliance policies > org rules checks compliance being met
Conditional Access – control services to only devices that meet those requirements
Mobile Devices with Intune
Click Manage mobile devices > enable iOS Mac OS X > upload apple APN trusted certificate
Download the APN certificate signing request (.csr file) from Intune
Go to the Apple Push Certificates Portal and upload that file to Apple. Sign in with the general Apple ID used for your organisation. Download the .pem certificate file and upload it into Intune.
On iPhone DL Intune Company Portal from AppStore. Login to Intune. Message to enroll device. Install Profile and Trust remote management
Check compliance and run test
Once Portal appears you can click device details:
Reset phone, remove from Intune, Rename or Sync (If given the right permissions)
Sync for new apps or new policies
Devices > Lists devices double click for General, Alerts, Hardware, Apps, Policy, Wipe and Reset options, Retire to remove Intune management
Results of policies on the device
Remote lock and Intune portal does not need to be open
Configuration policies > applications > hardware > allow camera: no
lock phone and back in the camera icon should be removed
Manage Computers with Intune
Older computer install client sw
Admin > Client sw dl > Run setup and includes certificate
GP to push out client to many older computers
In Win 10 client sw not required
Go to groups > AzAD > Home > Licenses > Try/Buy free trial of AzAD Premium.
Improved capabilities and reporting. Ability to auto enroll Win10 devices as if they are mobile devices
Assign Trial Premium License
Select premium license to make sure the users and groups are licensed or assign license in the groups section
Main AD link in side menu > Mobility (MDM and MAM) > MS Intune > User Scope: All
Win10 Settings App > Accounts > Access work or school > Connect > Intune Account details >
Policies applied > Setup PIN as mobile devices also have pin policy
This should now appear in devices
You can remove older win device within Intune console or:
If you do not use Intune on an older windows device then you can remove client software using cmd admin: cd program files, cd microsoft, cd online management, cd common
ProvisioningUtil /UninstallAgents /WindowsIntune
Right click icon in taskbar > Company Portal > Login > My Devices > If device listed click to identify it. You can also enroll your device.
Intune Console > Groups > Devices > Desktop should now be there. To test it is actually managed you can run remote malware scan
More Management Using Intune
Apps Deployment
Apps > Add App > Install sw, external link or managed ios app
copy url for ios app and paste into intune apps > upload to store
20gb limit for storage, linking does not take storage
Select groups >
deployment action > right click available install, required install you can set a deadline
admin > storage use > no size use as it is deep linking to the app
sideload apps > add software > software installer, appx or msi > uploaded to intune storage in the cloud
Install will be trickled down to the user system
Manage deployment, app can be uninstalled and updated from console
Policy problems > view issues > you can click the issue to view the policy
Alerts > can be setup in Admin > Alert types > use search bar
email alerts and notification rules for alerts
Remote tasks in bottom corner > tasks completed and failed
WSUS on Windows server. Intune has a smaller version of that
Admin > Updates > Windows 10 > select all in update classification > auto approve critical updates > select devices
manual approval of other updates
in Update section you can view the pending updates
Hybrid connect Intune to SCCM using connector role in Server
MS is moving away from the Intune console to Azure Portal
Hybrid will be Azure and SCCM
Configure IP and Network Settings
Ipconfig /all for dns info
ping by name fails if no IPv4 DNS server addresses are configured
public network cannot do network discovery or printer sharing
cannot change from public to private
regedit
HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff (create this key)
(this disables the option in Settings app > Network > click network > make PC discoverable)
wifi options
connect automatically, set as metered
hotspot
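The network-profile and DNS checks from this section, scripted as an added example that is not from the course. Private/Public is read and set with the NetConnectionProfile cmdlets, the NewNetworkWindowOff key is tested for presence, and the IPv4 DNS server list is listed per adapter. The interface alias 'Ethernet' is an assumption.

```powershell
# Added example (not from the course): network category and DNS checks.
# Assumption: the wired adapter is called 'Ethernet'. Run elevated.

# Which profile did each connection land in? Public is the safe default:
# no network discovery, no file and printer sharing.
Get-NetConnectionProfile | Format-Table Name, InterfaceAlias, NetworkCategory, IPv4Connectivity

# Scripted equivalent of 'make this PC discoverable': only do this on a
# network you actually trust.
Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private

# The registry switch from the notes is a key, not a value: when it exists the
# 'do you want to allow your PC to be discoverable' prompt never appears.
$off = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff'
"New-network prompt suppressed: $off"

# Name resolution check from the notes: ping by name fails when no IPv4 DNS
# server is set even though ping by address works.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses
```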
Configure and Maintain Network Security
Windows Firewall
Windows Firewall and Security (advanced)
"Restore defaults" can break things if you have apps that depend on configured rules
Turn on/off firewall for private and public networks
in advanced you can right click and import/export policy or use GP
logging settings for public profile
logging dropped packets is off by default
you can check the log to see the local firewall is dropping traffic with a rule
be specific as possible for security purposes
firewall will block ping incoming by default
Rule type > custom > all programs > protocols and ports > ICMPv4 for ping > specific ICMP type: Echo Request > specific remote IP 192.168.0.1 (the peer lab machine; 127.0.0.1 is localhost) > allow connection
The firewall log has a maximum size (default 4096 KB), so flooding it with dropped packets cannot fill the disk; logging can safely be enabled
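The firewall lab above (enable dropped-packet logging, allow ping from one host only, read the log, export the policy) with the NetSecurity cmdlets, as an added example that is not from the course. 192.168.0.1 is the peer address from the notes; the log path is the Windows default; the export path C:\Temp is an assumption.

```powershell
# Added example (not from the course): firewall lab with the NetSecurity module.
# Run elevated. C:\Temp\lab-firewall.wfw is a placeholder path.

# 1. Dropped-packet logging for the Public profile (off by default). The log is
#    capped at LogMaxSizeKilobytes, so a flood of probes cannot fill the disk.
Set-NetFirewallProfile -Profile Public -LogBlocked True -LogAllowed False `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' -LogMaxSizeKilobytes 4096

# 2. Allow ICMPv4 Echo Request (ping) inbound from one specific host only.
#    IcmpType 8 = Echo Request; scoping RemoteAddress keeps the rule as narrow
#    as the notes recommend.
New-NetFirewallRule -DisplayName 'Allow ping from lab peer' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress 192.168.0.1 -Action Allow -Profile Private | Out-Null

# 3. Read the most recent DROP lines from the log. Field order in the file is:
#    date time action protocol src-ip dst-ip src-port dst-port ...
#    This is how to confirm a rule really is why traffic is failing.
function Get-DroppedPackets {
    param(
        [string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log",
        [int]$Last = 20
    )
    Get-Content -Path $LogPath -ErrorAction Stop |
        Where-Object { $_ -match '^\d{4}-\d{2}-\d{2} \S+ DROP ' } |
        Select-Object -Last $Last |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Time = "$($f[0]) $($f[1])"; Proto = $f[3]
                Source = $f[4]; Dest = $f[5]; DstPort = $f[7]
            }
        }
}
Get-DroppedPackets | Format-Table

# 4. Export the policy (.wfw, same format as Import/Export in the Advanced
#    Security console) so it can be re-imported on another machine.
netsh advfirewall export 'C:\Temp\lab-firewall.wfw'
```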
IPSec
Standard that provides:
Authentication
Encryption
Accounting
Integrity
New rule > Isolation policy type > Require authentication for inbound and outbound > advanced > add authentication > Preshared Key > name it "IPSec Rule"
Right click connection security rules > new isolation rule
do the same setting as above on other computer then the ping will work as both computers can authenticate
view security associations under monitoring > shows successful connection
GP > Comp config > win settings > security settings > win firewall with advanced > inbound rule > right click new rule (this is good for many machines)
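The isolation rule with a pre-shared key from the notes, created with the NetSecurity cmdlets, as an added example that is not from the course. Run the same block on both lab machines; until the peer has the matching rule, ping fails. The key value and the 192.168.0.0/24 scope are assumptions for this lab; a PSK is shared by every machine that knows it, so Kerberos or certificates are the production choice.

```powershell
# Added example (not from the course): IPsec isolation rule with a PSK.
# Assumptions: lab subnet 192.168.0.0/24, peer 192.168.0.1. Run elevated on
# both machines.
$psk = 'LabOnlyPreSharedKey!'

# 1. Phase 1 (main mode) authentication: machine-level pre-shared key.
$proposal = New-NetIPsecAuthProposal -Machine -PreSharedKey $psk
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Lab PSK auth' -Proposal $proposal

# 2. Connection security rule: require authentication in both directions for
#    traffic with the lab subnet; other traffic is unaffected.
New-NetIPsecRule -DisplayName 'IPSec Rule' -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -LocalAddress Any -RemoteAddress 192.168.0.0/24 -Profile Any | Out-Null

# 3. Test, then look at the security associations (same data as
#    Monitoring > Security Associations in the console).
ping 192.168.0.1 | Out-Null
Get-NetIPsecMainModeSA  | Format-Table LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
Get-NetIPsecQuickModeSA | Format-Table -AutoSize

# Lab clean-up:
# Remove-NetIPsecRule -DisplayName 'IPSec Rule'
# Remove-NetIPsecPhase1AuthSet -DisplayName 'Lab PSK auth'
```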
Know the common ports and protocols
Port     TCP/UDP   Protocol
20       TCP       FTP data
22       TCP       SSH
23       TCP       Telnet
25       TCP       SMTP
53       UDP       DNS
67, 68   UDP       DHCP
69       UDP       TFTP
80       TCP       HTTP
110      TCP       POP3
161      UDP       SNMP
443      TCP       HTTPS (SSL/TLS)
Data Storage Topics
Storage Spaces – virtual storage
Storage spaces direct for failover clustering storage on server side
Create pool of multiple format disks
File system: NTFS or ReFS (Resilient File System)
Layouts: simple (no resiliency), 2-way mirror,
3 way mirror requires 5 disks, lose 2 and still retain data
parity – need at least 3 disks
You can use thin provisioning
Prepare for removal > wait for the data to be moved off the disk > then the remove drive option
Storage Pool > tick box option: Optimize drive usage to spread existing data across all drives
this is dynamic and does not lose data
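The Storage Spaces steps above (pool spare disks, create a resilient thin-provisioned space, format, retire a disk, optimise) with the Storage module, as an added example that is not from the course. 'LabPool', 'Data', the 200 GB size and the disk name in the retire step are assumptions; the machine needs at least two spare un-partitioned disks for a two-way mirror.

```powershell
# Added example (not from the course): a two-way mirrored, thin-provisioned
# space. Assumptions: pool 'LabPool', space 'Data', 200 GB. Run elevated.

# 1. Disks that can be pooled (same list the control panel shows).
$disks = @(Get-PhysicalDisk -CanPool $true)
if ($disks.Count -lt 2) { throw "Need at least 2 poolable disks, found $($disks.Count)" }

# 2. Pool them.
New-StoragePool -FriendlyName 'LabPool' -StorageSubSystemFriendlyName 'Windows Storage*' `
    -PhysicalDisks $disks | Out-Null

# 3. Thin-provisioned two-way mirror: survives the loss of one disk.
#    Three-way mirror: -NumberOfDataCopies 3 (5 disks, survives losing 2).
#    Parity: -ResiliencySettingName Parity (at least 3 disks).
$vd = New-VirtualDisk -StoragePoolFriendlyName 'LabPool' -FriendlyName 'Data' `
        -ResiliencySettingName Mirror -NumberOfDataCopies 2 -ProvisioningType Thin -Size 200GB

# 4. Initialise, partition and format as ReFS (NTFS also works).
$vd | Get-Disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -AssignDriveLetter |
    Format-Volume -FileSystem ReFS -NewFileSystemLabel 'Data' -Confirm:$false | Out-Null

# 5. Retiring a disk (the 'Prepare for removal' button): mark it Retired, let the
#    space rebuild onto the remaining disks, then remove it. Never just pull it.
# Set-PhysicalDisk -FriendlyName 'PhysicalDisk2' -Usage Retired
# Repair-VirtualDisk -FriendlyName 'Data'        # wait until HealthStatus is Healthy
# $old = Get-PhysicalDisk -FriendlyName 'PhysicalDisk2'
# Remove-PhysicalDisk -PhysicalDisks $old -StoragePoolFriendlyName 'LabPool' -Confirm:$false

# 6. 'Optimize drive usage' after adding a disk: rebalance data across drives.
# Optimize-StoragePool -FriendlyName 'LabPool'

Get-StoragePool -FriendlyName 'LabPool' | Get-VirtualDisk |
    Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies, ProvisioningType, HealthStatus
```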
GP > Comp config > admin template > win component > onedrive > prevent the usage of onedrive for file storage
GP > Comp config > admin template > system > removable storage access
In your profile the onedrive folder is there and the sw is built into win 10
When logging into onedrive app you can change folder location and choose to sync everything
right click onedrive icon > settings,
account: storage used of 5gb, get more storage, choose folders
auto save
network limit
OneDrive for Business – per user plans, better security and storage, better integration with sharepoint
DFS/DAC
DFS-N Distributed File System- Namespace
Consolidated share from multiple servers
DFS-R (Replication) keeps the copies synchronised
This is server based technology
DAC – Dynamic Access Control
Above and beyond NTFS security controls
Can set folders for only healthcare users to see
DAC lets you tag these folders and control and audit those files
Encrypting File System (EFS)
This is no longer tied to NTFS and can be done on FAT32
File properties > General > advanced > encrypt contents
encrypt file or parent folder too
encrypted file thumbnails are now shown with lock symbol
click details in advanced > shows users who can access file and recovery certificate
you can dynamically decrypt the file
In a domain environment you will see the Domain Admins certificate as the recovery agent;
in a workgroup there is no recovery agent by default.
In domain environment you can create certificate, assign recovery agent, push it out with GP
In workgroup > setup recovery agent to get into files that are encrypted
when not in a domain environment you need a cipher utility to create a cert for your recovery agent
cmd admin: cd \
cipher /r:dra
Enter a password; "Your .CER and .PFX files have been created successfully"
setup data recovery agent for EFS in GP
GP > Comp config > Win settings > security settings > public key policies > encrypting file system > right click add data recovery agent > select .cer file and install
A DRA is now associated with newly encrypted files; this matters in a workgroup when people leave and have encrypted files behind
Search bar: cert (certmgr)
personal > certificates > delete the cert > sign out
so you can view details of encrypted file but not contents as the cert has been deleted
To use the DRA, double-click the keying information (.PFX) file to open the import wizard, enter the password, and the key is imported. You should now be able to access the files
You can then decrypt the file/folder in the file properties
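The workgroup recovery-agent workflow above, scripted end to end as an added example that is not from the course: create the DRA key pair with cipher, encrypt a test file, list who can open it, import the DRA private key to recover, then decrypt and remove the key again. C:\EFSLab is a placeholder; the GPO step (Public Key Policies > Encrypting File System > Add Data Recovery Agent) still happens in gpedit and is the one step cipher cannot do.

```powershell
# Added example (not from the course): EFS DRA workflow in a workgroup.
# Assumption: everything lives under C:\EFSLab (placeholder).
New-Item -ItemType Directory -Path 'C:\EFSLab' -Force | Out-Null
Set-Location 'C:\EFSLab'

# 1. Recovery agent key pair: dra.cer (public, goes into the GPO) and dra.pfx
#    (private key, protected by the password cipher prompts for).
cipher /r:dra

# 2. Encrypt a test file (/a = operate on a file, not only directories) and show
#    who can open it. After the DRA GPO is applied, the agent is listed under
#    "Recovery Certificates" for files encrypted from then on.
'secret data' | Set-Content -Path 'C:\EFSLab\secret.txt'
cipher /e /a 'C:\EFSLab\secret.txt'
cipher /c 'C:\EFSLab\secret.txt'

# 3. Recovery: when the user's own certificate is gone, import the DRA private
#    key into the current user's Personal store and the file opens again.
$pw = Read-Host -Prompt 'dra.pfx password' -AsSecureString
$imported = Import-PfxCertificate -FilePath 'C:\EFSLab\dra.pfx' `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Password $pw
Get-Content -Path 'C:\EFSLab\secret.txt'

# 4. Decrypt permanently (what the Properties > Advanced tick box does), then
#    remove the DRA key from this machine: whoever holds dra.pfx can read every
#    file it covers, so it belongs on removable media in a safe, not on the PC.
cipher /d /a 'C:\EFSLab\secret.txt'
Remove-Item -Path "Cert:\CurrentUser\My\$($imported.Thumbprint)"
```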
Share and NTFS Permissions
Created new local user > login > create a local folder
network sharing center > view type of network you are connected as > change advanced sharing
if file sharing is off for guest/public networks,
right-clicking a folder and choosing Share prompts for UAC; provide the admin password
Best Practice for Permission
On an NTFS volume, set the share permission to 'Everyone' Read/Write (Change)
The share is set to Everyone so that share permissions never conflict with the NTFS permissions, which is where the user will set the real restrictions. NTFS is more powerful because it applies even locally on the machine, not just over the network
File properties > Security tab (these are the NTFS permissions)
Everyone will be listed as full control – this is picked up from the share permission we set
Click Edit > Remove Everyone ‘Full control’ (cannot remove due to inheritance)
So go to advanced > disable inheritance and remove all inheritance > then go back to add then add the user who can have access to folder
PS: Get-SmbShare
Folder which do not have access Properties > Security tab > Take Ownership as admin account > View auditing to show trail of changes
Share permission example:
Sales dep: Read
Marketing dep: Full control
Research: Deny
If user has access to sales and marketing they will get full control as overall permission
If user has access to Research too then Deny will be overall permission
You can combine above with NTFS permission to make more restrictive
Properties > Effective access > shows a user permissions on specific files/folder
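The "share wide open, restrict with NTFS" practice from this section, scripted with the SMB cmdlets and the .NET ACL classes, as an added example that is not from the course. It creates the share with Everyone: Change, disables inheritance, throws away the inherited entries and grants only Administrators, SYSTEM and a 'Sales' group. C:\Shares\Sales and the local group 'Sales' are assumptions.

```powershell
# Added example (not from the course): share permission open, NTFS locked down.
# Assumptions: folder C:\Shares\Sales, a local or domain group named 'Sales'.
# Run elevated.
$path  = 'C:\Shares\Sales'
$share = 'Sales'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# 1. Share permission: Everyone gets Change (read/write) so the share never
#    becomes the effective limit. NTFS decides, and NTFS also applies locally.
New-SmbShare -Name $share -Path $path -ChangeAccess 'Everyone' | Out-Null

# 2. NTFS: disable inheritance (Advanced > Disable inheritance), discard the
#    inherited entries ($false), then grant only who needs access.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$grants  = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'Sales';                  Rights = 'Modify' }   # read/write/delete, no permission changes
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Rights, $inherit, $none, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# 3. Verify both layers. Remember a Deny anywhere wins over any Allow, and the
#    effective permission over the network is the more restrictive of the two.
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```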
Libraries
Left pane of explorer > right click > show libraries
These are containers for other folders, when you are working on projects or show photos from other folders
Right click documents in the libraries > shows locations that are set and view of folders based on content such as music info and document info
Manage library, restore default
Changing files in the libraries will change them on the disk as normal
you can set default location folder to save files to
you can right click in white space of root of libraries and create new custom library
Quick access area > shortcuts and can be customised. Right click and pin to quick access
HomeGroups
Opposite of workgroup. For home users to share docs, vids, music, printers, pictures
network location must be private
ipv6 should be enabled
click wifi network and select make pc discoverable > this will allow homegroup
homegroup troubleshooter and network troubleshooter
this will not detect disabled ipv6
settings > change sharing, view homegroup password, leave homegroup, change advanced sharing settings, change password
On other computer go to network > homegroup > you have been invited to homegroup > join now
you need admin privileges to run homegroup troubleshooter
2nd user can view 1st user homegroup shared folder in explorer pane. They can also share additional files from the other homegroup
Printer and File Options
Network printer
Homegroup printer
Local printer> shared
GP can be used to push out shared printers
Add device >
Set printer as default manually: windows stops managing printer
Windows sets most recent used as default
Printer right click > properties > sharing > render jobs on client computers
security tab > Administrators can manage the printer; Users can print
Print server properties > Add drivers such as 32bit for other machines
Start > admin tools > print management mmc
Disk management > shrink c drive by 5000mb > new simple volume, full size ntfs
Quotas are enabled on a volume basis
Disk properties > quota tab > show settings > enable quota management
deny disk space to users exceeding quota limit or you can be alerted instead
log events when user exceeds limit or their warning level
Quota entries > add user and set limit
warning level is for admins not the user
admins have no limit set
Auditing of NTFS access needs to be enabled in GP
GP > comp config > win settings > security settings > local policies > audit policy > audit object access: failure
set in audit tab failure of deleting files when user is not allowed to delete
in Event Viewer > Windows Logs > System you can filter on the NTFS source or on a username
event log > security > filter: audit failure
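The auditing steps above (failure auditing for object access, a failure audit entry for Delete on the folder, then filtering the Security log for audit failures), scripted as an added example that is not from the course. C:\Shares\Sales and the group 'Sales' are assumptions; event IDs 4656/4663 and the Audit Failure keyword value are the standard Windows ones.

```powershell
# Added example (not from the course): NTFS delete auditing end to end.
# Assumptions: folder C:\Shares\Sales, group 'Sales'. Run elevated.
$path = 'C:\Shares\Sales'

# 1. Policy: 'Audit object access: Failure' maps to the File System subcategory
#    on Windows 10; auditpol shows exactly what is in effect.
auditpol /set /subcategory:"File System" /failure:enable
auditpol /get /subcategory:"File System"

# 2. SACL on the folder: log failed Delete attempts by members of Sales for the
#    folder and everything under it. Needs SeSecurityPrivilege (administrator).
$acl = Get-Acl -Path $path -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Sales', 'Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit', 'None', 'Failure')
$acl.AddAuditRule($auditRule)
Set-Acl -Path $path -AclObject $acl

# 3. Read back. 4656 = handle request denied, 4663 = access attempted.
#    Keyword 0x10000000000000 is 'Audit Failure', the same filter as the
#    Event Viewer 'Audit Failure' tick box.
function Get-NtfsAuditFailures {
    param([int]$Hours = 1, [string]$User = '*')
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656, 4663
        Keywords  = 0x10000000000000
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[1].Value -like $User } |
    Select-Object TimeCreated, Id,
        @{ n = 'User';   e = { $_.Properties[1].Value } },
        @{ n = 'Object'; e = { $_.Properties[6].Value } }
}
Get-NtfsAuditFailures -Hours 24 | Format-Table
```

Properties[1] is SubjectUserName and Properties[6] is ObjectName in both event types, which is why the same function serves both IDs.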
Configure Remote Connections
Server 2012 R2 VPN
Server Manager > Local Server > Network Adapter > IPv4 192.168.1.102
cmd admin: ping windows client to check connectivity
Manage > Add roles and features > Remote Access > Role: DirectAccess and VPN and Routing
Tools >
If you have Cisco routers you will use Hardware based VPN and Cisco clients
MS Server can be used for VPN
Server side config is not in exam but nice to know
Tools > Routing and Remote Access Management Tool
Right click server > configure > Remote access > VPN > You need 2 nics to set this up normally in a production environment
Right click server > configure > Custom > VPN and LAN routing > finish > service starts
ipv4, EAP: Extensible Authentication Protocol and MS CHAP v2: these are default settings
Allow remote systems without authentication – this is useful for testing to see if connection works without security
ipv4 range for end clients
In Win 10 Client side:
Settings app > Network > VPN > VPN Type PPTP
Advanced options > not much available
Another way to setup VPN in CP > Change adapter options > network connections in CP > setup a new connection wizard
View properties of connection > PPTP, max strength encryption
You need to match the settings as setup on the server
View event view in server manager for connection issues. Change to require encryption option instead of max strength
Give admin account access in user properties > Dial-in > Network access permission: Allow access
You can now connect and in Routing and Remote access console you can view connected clients
Nice feature of IPsec: open the VPN connection properties > Security tab: VPN type IKEv2 > Advanced settings button > Mobility: 10 minutes. If the link drops for up to 10 minutes the tunnel is not torn down, so it reconnects automatically when the VPN becomes available again (VPN Reconnect feature)
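The Windows 10 client side of the VPN lab (the PPTP/MS-CHAP v2 connection the notes build by hand, the IKEv2 variant that supports VPN Reconnect, a connection test and the client-side event log), done with the VpnClient module as an added example that is not from the course. 192.168.1.102 is the RRAS server address from the notes; the connection names and the 'administrator' account are assumptions.

```powershell
# Added example (not from the course): VPN client configuration in PowerShell.
# Assumptions: connection names below, user 'administrator' has
# Dial-in > Network access permission: Allow access on the server.

# 1. The connection from the notes: PPTP, MS-CHAP v2, matching the server's
#    defaults. Fine for a lab; PPTP/MS-CHAPv2 is considered weak today.
Add-VpnConnection -Name 'Lab VPN (PPTP)' -ServerAddress '192.168.1.102' -TunnelType Pptp `
    -AuthenticationMethod MSChapv2 -EncryptionLevel Maximum -RememberCredential -Force

# 2. The IKEv2 variant (IPsec, VPN Reconnect). 'Required' refuses to connect
#    without encryption instead of negotiating down. Without an EAP XML the
#    default EAP method (EAP-MSCHAP v2) is used.
Add-VpnConnection -Name 'Lab VPN (IKEv2)' -ServerAddress '192.168.1.102' -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required -SplitTunneling:$false -Force

# 3. What got written to the phonebook (rasphone.pbk), then connect.
Get-VpnConnection |
    Format-Table Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, ConnectionStatus
rasdial 'Lab VPN (IKEv2)' administrator      # prompts for the password

# 4. Troubleshooting from the client side: RasClient events mirror what the
#    server's event viewer shows (20227 = connection attempt failed,
#    20225 = connected).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient' } -MaxEvents 5 |
    Select-Object TimeCreated, Id, Message
```

If the server is left on "Require encryption" rather than "Maximum strength", the client must match: mismatched EncryptionLevel is the usual cause of the failures the notes describe.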
Remote Desktop
Settings are in System properties > Remote tab
Win firewall blocks remote desktop by default and needs to be enabled
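Enabling Remote Desktop from PowerShell, as an added example that is not from the course: the same registry value the Remote tab sets, Network Level Authentication kept on, and only the Domain/Private copies of the built-in firewall rule group enabled rather than opening the Public profile.

```powershell
# Added example (not from the course): enable Remote Desktop safely. Run elevated.

# The Remote tab toggles this value: 0 = allow connections.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 0

# Keep Network Level Authentication on so the client authenticates before a
# session (and its attack surface) is created.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1

# The firewall blocks RDP by default; enable only the Domain/Private rules,
# not the Public-profile copies.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Profile -match 'Domain|Private' } |
    Enable-NetFirewallRule

Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Format-Table DisplayName, Enabled, Profile, Direction
```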
Deliver Apps from the Cloud
RemoteApp – Make apps that are installed on the server available to clients
The app runs on the server and is presented to the client over RDP
Now Azure Remote App. Register free Azure account
App Services > Search for RemoteApp
Search in Azure marketplace for Citrix XenApp 7 trial > This can be added to Azure
MS is partnering with Citrix to deliver this service so RemoteApp will become Citrix XenApp Essentials Service
XenApp > Configure basic settings > subscription pay as you go (when trial expires), resource group: Florida sales, location
A VM gets setup to run the apps
You can run whole desktops and apps from the cloud by supplying a link to thin clients
admin web console > citrix studio > manage desktops and apps
Azure RemoteApp
Create RemoteApp collection > Region and plan, subscription, template image exists for Office desktop
This is good for Mac users
You will get a remote desktop client url for clients to install the icons on their desktop. This should be deep linked into user desktop so they can easily install the apps.
control published apps and configure user access
On the url you can download this on windows, ios, android and mac
When launching RemoteApp console user will see list of RemoteApps
Support Desktop Apps
MS Application Compatibility Toolkit – ACT 5.6 is no longer supported, so it asks you to download the ADK for Win 10
in the ACT tool > Compatibility Administrator > database of all the apps running, showing the fixes available for them
Search for fixes
Right click app > troubleshoot compatibility tab > run compatibility troubleshooter
App-V can run on the server and run on remote clients
ADK > App-V Sequencer
UE-V – User experience virtualisation – similar to roaming profile but stores all settings in a central location. More than just the profile settings.
User Experience Virtualisation Tool part of ADK. This will create template of settings for the application settings we want to save. Open app then close and it will scan registry and file locations the app uses and saves this as an xml file.
Manage Update and Recovery
CP large icons > Recovery > Create a recovery drive; backing up system files takes more space (without system files it takes 512 MB)
CP > Device Manager > Driver tab > Driver rollback
CP > Recovery > System Restore
CP > System > System Protection Tab
Create restore points such as baseline. MS Auto creates restore points
Settings app > Update & Security > Recovery > Reset pc, advanced startup, more recovery options
Reset PC > Keep files or remove everything
Backup > File history option
Windows apps auto update or set to manual
Start updates and set active hours
custom restart timeline
give updates from other ms products tickbox
defer feature updates tick box
use my sign in info to auto finish setting up device after update tickbox
choose how updates are delivered > get updates from local network pcs only or from the internet too
Win Update Services setup in GP
GP > Comp Config > admin template > win components > win updates >
specify intranet ms update service location
Windows Home is on Current Branch (CB)
Win Pro/Ent can use Current Branch for Business (CBB)
CBB defers the feature updates
LTSB still gets updates from MS, but you can control which updates to deploy by using WSUS
Ignite Video 70-697
Identity, Deployment, MDM, Networking, Storage, Data Access & Protection, Remote Access, Apps, Updates & Recovery – 9 Sections
This exam is focused on Device management and Identity
Integrate Users account into their org to enable synchronisation
Manage apps using O365 DSM and Intune
GP to manage apps, access to Win store for business
Cloud domain join is AzAD join
Work & School accounts
virtual smart cards
certmgr.msc
10 smart cards total on single pc
TPM 1.2 required
Win 8 or higher
Pin min 8 chars
MS Passport single sign on works as users transition from on premise to cloud
passport is easy to deploy 2 factor authentication
Win Hello infrared camera
Hello GPOs
Sideloading Store Apps
Add an Appx package
Add-AppxProvisionedPackage -Online -FolderPath C:\Appx
Get all appx packages installed for users
Get-AppxPackage -AllUsers
Get all appx packages installed for specific user
Get-AppxPackage -User domain\username
Get the manifest, including the package ID of an app:
Get-AppxPackageManifest -Package Package1
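Added example, not from the course notes, combining the three cmdlets above into a sideloading audit: it inventories Appx packages for every user, flags packages whose signature did not come from the Store or Windows itself, and pulls each one's manifest so the declared identity and capabilities can be reviewed. Run from an elevated session.

```powershell
# Added example (not from the course notes): find sideloaded Appx packages.
function Get-AppxInventory {
    Get-AppxPackage -AllUsers |
        Where-Object { -not $_.IsFramework } |
        ForEach-Object {
            # SignatureKind is one of: Store, System, Enterprise, Developer, None.
            # Anything outside Store/System was sideloaded or installed in dev mode.
            [pscustomobject]@{
                Name            = $_.Name
                Version         = $_.Version
                Publisher       = $_.Publisher
                SignatureKind   = $_.SignatureKind
                PackageFullName = $_.PackageFullName
                # Each entry renders as "<SID> [<user>]: <InstallState>"
                Users           = ($_.PackageUserInformation | ForEach-Object { "$_" }) -join '; '
                Sideloaded      = $_.SignatureKind -notin @('Store', 'System')
            }
        }
}

function Get-SideloadedAppxReport {
    Get-AppxInventory | Where-Object Sideloaded | ForEach-Object {
        # The manifest is an XmlDocument; Identity carries the package ID fields
        $manifest = Get-AppxPackageManifest -Package $_.PackageFullName
        $identity = $manifest.Package.Identity
        $caps = $manifest.Package.Capabilities.ChildNodes |
                Where-Object { $_.NodeType -eq 'Element' } |
                ForEach-Object { $_.GetAttribute('Name') }
        [pscustomobject]@{
            Name          = $_.Name
            SignatureKind = $_.SignatureKind
            Users         = $_.Users
            ManifestName  = $identity.GetAttribute('Name')
            ManifestPub   = $identity.GetAttribute('Publisher')
            Capabilities  = ($caps -join ', ')
        }
    }
}

Get-SideloadedAppxReport | Format-Table -AutoSize
```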
Apps are Universal Windows apps from the Store
Applications are traditional applications on Windows msi or exe
For app management on Win 10 you can use Chocolatey https://chocolatey.org/
OneGet is the older name of the PS package management module; you can use it with Chocolatey or NuGet
You can build own secure repository using chocolatey and use powershell cmdlets to deploy
Configure virtual smart card
1. create certificate template 2. create the virtual TPM smartcard 3. Enroll the certificate on the TPM virtual smartcard
Understand how to use tpmvscmgr.exe to configure the virtual smart card
tpmvscmgr.exe create /name tpmvsc /pin default /adminkey random /generate
If you have a UEFI device there is a TPM chip built in
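The three-step virtual smart card procedure above as one script (added example, not the course's own commands), with the PIN prompted instead of the well-known default used in the note. Assumptions: an elevated session on a machine with a ready TPM, and a CA smart card logon template named 'VSCLogon' (placeholder) that uses the Microsoft Smart Card Key Storage Provider.

```powershell
# Added example (not from the course notes): create a TPM virtual smart card
# and enroll a logon certificate onto it.
$templateName = 'VSCLogon'    # placeholder: the smart card logon template on your CA

# Pre-check: creation fails without a present, ready TPM (1.2 or later)
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not usable (Present=$($tpm.TpmPresent) Ready=$($tpm.TpmReady))"
}

# Step 2 (step 1, the template, is done on the CA): create the card.
#   /pin prompt      user chooses the PIN; '/pin default' sets the documented default 12345678
#   /adminkey random admin key is discarded, so the PIN can never be unblocked;
#                    use '/adminkey prompt' and escrow the key if unblock is needed
$output = & tpmvscmgr.exe create /name 'CorpVSC' /pin prompt /adminkey random /generate 2>&1
if ($LASTEXITCODE -ne 0) { throw "tpmvscmgr.exe failed: $output" }
$output

# Step 3: enroll a certificate from the template onto the new card. If the
# template's provider is not the smart card KSP, the key lands in the software store.
$enroll = Get-Certificate -Template $templateName -CertStoreLocation Cert:\CurrentUser\My
if ($enroll.Status -ne 'Issued') { throw "Enrollment status: $($enroll.Status)" }
$cert = $enroll.Certificate
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint

# Verify the private key really sits on the smart card provider
& certutil.exe -user -store My $cert.Thumbprint | Select-String 'Provider'
```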
PS: get-help Add-AppxProvisionedPackage -examples
scanstate, loadstate
Enable Hyper-V via Programs and Features, then restart. DISM and PS are easier
You can create a VM as a nested VM lab and just copy it to all your machines. Good for testing and for running the Windows Mobile emulator
Different types of virtual switch
Enterprise Data Protection – Does not require users to switch between personal and work containers. When used with RMS can also protect data locally.
This is now known as WIP (Windows Information Protection), but in the exam it is EDP
Learn benefits, prereqs, enterprise scenarios, protection modes
https://technet.microsoft.com/library/dn985838.aspx
EFS Certificate automatically created first time a file is encrypted
Bitlocker new features:
encrypt and recover devices with AzAD
DMA Port protection
New GPO setting for configuring pre-boot recovery
Can customize the recovery message and recovery URL displayed on the pre-boot screen
GP > CompC > AdmT > WinC > BitL Drive Encryption
BitLocker recovery keys for users can be stored in MBAM or via GP (AD DS backup)
Bitlocker network unlock – auto unlocks OS volume at system reboot when connected to corporate network
Without this, OS volumes protected by TPM+PIN require the PIN to be entered, making it difficult to patch or administer a powered-down system
Specific hw requirements for above such as:
UEFI DHCP drivers
WDS must be reachable on network
Network unlock feature enabled on network
DHCP server which is separate from WDS server
Properly configured public/private key pairing
Network Unlock GPO settings configured
DHCP settings; WDS needs to be set up; UEFI and BitLocker
A key combination (F9) is required to boot up the system; this must be done physically, not remotely, so be careful with this setting
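Added example, not from the course notes: audit the OS volume's BitLocker state and key protectors (including whether a network unlock protector is present), add a recovery password if none exists, and escrow it to AD DS, which is what the GP-based key storage mentioned above relies on. Requires the BitLocker module, an elevated session, and a domain-joined machine for the escrow step.

```powershell
# Added example (not from the course notes): BitLocker OS volume audit and escrow.
function Get-BitLockerOsVolumeReport {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, FullyDecrypted
        ProtectionStatus = $vol.ProtectionStatus   # Off means suspended or no protectors
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = $types -join ', '
        HasTpmProtector  = [bool]($types | Where-Object { $_ -like 'Tpm*' })   # Tpm, TpmPin, TpmNetworkKey, ...
        HasNetworkUnlock = $types -contains 'TpmNetworkKey'                     # BitLocker network unlock
        HasRecoveryPwd   = $types -contains 'RecoveryPassword'
    }
}

function Repair-BitLockerRecoveryEscrow {
    param([string]$MountPoint = $env:SystemDrive)
    $report = Get-BitLockerOsVolumeReport -MountPoint $MountPoint
    if ($report.ProtectionStatus -ne 'On') {
        Write-Warning "Protection is $($report.ProtectionStatus) on $MountPoint; fix that first"
    }
    if (-not $report.HasRecoveryPwd) {
        # Without a recovery password a failed TPM measurement locks the user out
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Escrow every recovery password to the computer object in AD DS. The GP
    # setting "Choose how BitLocker-protected operating system drives can be
    # recovered" controls whether clients back up to AD DS automatically.
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
        ForEach-Object {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
            "Escrowed protector $($_.KeyProtectorId)"
        }
}

Get-BitLockerOsVolumeReport | Format-List
Repair-BitLockerRecoveryEscrow
```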
EFS recovery agent
User whose cert will unlock an encrypted file that has been encrypted by a different user
Encryptor (owner of encrypted file) must have a valid EFS user certificate
EFS recovery policy must specify at least one Recovery Agent
If Enterprise CA is not available EFS automatically generates its own certificates to users and default recovery agent accounts
Zero-touch, hands-free Windows install is only possible with SCCM; it can be done with MDT/DISM but is a lot more work
Intune: Manage mobiles, Software updates, devices
Work folders: sync work data on all managed devices, also available on win7/8/10, requires win server 2012 r2
Users > Policies > AdminT > WinC > WorkF
Intune Policies: OMA Settings
Config Policies > RequirePrivateStoreOnly > OMA-URI – Only shows store for business
New feature TeamViewer integration
MDM Authority
Defines management service with sets of permissions to manage the device
Once set, this cannot be changed
Can be set to: Intune, ConfigMgr with Intune, or O365 with MDM Solutions
Device management – prerequisites
Add Intune users: device owner must be registered before device can be enrolled
Create Groups (optional)
Add policies for devices (optional)
Set device enrolment limit (per user, optional)
Set Company Portal settings, Terms and Conditions, etc.
Tell users how to access Company Portal
You can get a free trial of Intune, O365 and Azure; you can use your own domain or an MS-hosted domain
aka.ms/ems-trial – free for 90 days
Customize Company Portal
Users access company data and apps
App available for Windows, iOS and Android devices
Available from most web browsers: https://portal.manage.microsoft.com
Customise company name info, support contacts, colors, themes and logos
Apps can be required and get pushed to device or can be made available in the library
Can be customised with support information
Types of Policies:
Compliance Policies (apply to all device types)
Define settings/rules that device MUST conform to
PIN password requirements
Encryption requirements
whether device can be jailbroken/rooted – can prevent compliance if set
whether email account must be managed by intune
Used to setup conditional access
Configuration Policies: (platform specific)
Like compliance policies but more granular
System settings (screen capture, factory reset etc)
Cloud settings & Accounts (Backup to icloud or google cloud)
HW settings (Bluetooth, NFC, WiFi, Camera etc)
Application compliance
Conditional Access: who has access to resources such as exchange, sharepoint, skype for business, dynamics crm
azure ad joined, enrolled in intune, in compliance with rules that are set
Android is harder to manage than iOS and Windows if it is rooted
Sideloaded app appears in Apps Hub in Company Portal
Intune Windows Custom Policy can be setup how you need
Known ports:
Http 80, Https 443, Ftp 21, Smtp 25, Pop3 110, Dns 53, Snmp 161
Netstat, Nslookup
PS and cmd equivalents
Test-Connection Ping
Get-NetIPConfiguration ipconfig
Get-NetRoute Route print
New-SmbMapping Net use
Get-NetTCPConnection Netstat
New-NetFirewallRule Netsh advfirewall
Get-NetIPAddress
Get-NetIPv4Protocol
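Added example, not from the course notes: the Get-NetTCPConnection/netstat pair from the list above used as a listener audit. It lists every listening TCP port with its owning process and image path, and marks for review any port outside the well-known set listed above or any image that lives outside the Windows and Program Files trees.

```powershell
# Added example (not from the course notes): listening TCP ports mapped to processes.
# Well-known ports from the notes; keys are [int] because LocalPort is a UInt16
# and hashtable lookups are type-sensitive.
$wellKnown = @{ 80 = 'HTTP'; 443 = 'HTTPS'; 21 = 'FTP'; 25 = 'SMTP'; 110 = 'POP3'; 53 = 'DNS' }

function Get-ListenerAudit {
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort |
        ForEach-Object {
            $port = [int]$_.LocalPort
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path   # null for protected or system processes (e.g. PID 4)
            $pathTrusted = ($null -eq $path) -or
                [bool]($trusted | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $port
                Service      = $wellKnown[$port]
                ProcessId    = $_.OwningProcess
                ProcessName  = $proc.ProcessName
                Path         = $path
                Review       = (-not $wellKnown.ContainsKey($port)) -or (-not $pathTrusted)
            }
        }
}

Get-ListenerAudit | Sort-Object Review -Descending | Format-Table -AutoSize
```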
To forget network:
Settings app > Network Internet > Wifi > manage Wifi > bottom of page > click network > forget network
Firewall advanced settings; exam tip: know the different WiFi authentication methods
PS commands in the exam
DFS issues caching settings, storage spaces including capacity and fault tolerance
Configure VPN and broadband tethering
Design remote authentication VPN
VPN Reconnect
Power settings, powercfg /?
Diskpart /?
Diskpart /s – run diskpart script
list disk, select disk, convert gpt
PS: Get-Disk, Initialize-Disk, Set-Disk
CHAP is most secure password based authentication in Windows Vpn
Configure RemoteApp and Desktop Connection settings (integrates apps into Start via XML), GPOs for signed packages, subscribe to RemoteApp and Desktop Connection feeds, export/import RemoteApp configs
Desktop Virtualisation solutions
On Prem: Session based desktops and remoteapp – cost effective easy to manage
VDI pooled – high performance, app compatibility
Cloud: RDS on IaaS – customizable with minimum capital
Azure remoteapp – delivered from azure cloud turnkey solution scale without large Capex
UE-V: new version of roaming profiles; same technology used in Sync settings
standard deployment:
AgentSetup.exe /quiet
Settings storage location: (mandatory if AD home directory isn’t set )
AgentSetup.exe /quiet SettingsStoragePath="\\Server\SettingsShare\%username%"
VDI deployment:
AgentSetup.exe /quiet SyncMethod="None"
Per user deployment:
AgentSetup.exe /quiet EnableSync="False"
Defer reboot:
AgentSetup.exe /quiet /NoRestart
RemoteApp lets you store and manage apps on your network for multiple platforms such as Android iOS.
Win 10 File History
control frequency of backups; great solution for remote users; a better backup and restore solution
start > settings > update & security > backup > add a drive and choose drive or network location for backups
Restore a version of a file, individual files, or everything after an HD crash.
Exam tip: you can add non-default location directories to file history through the settings app. User data is not included as part of system protection
Feature upgrades: includes full release of Win 10
Servicing updates: install security patching; when installing a servicing update all patches are installed, you can't selectively choose; 3 servicing options available: CB, CBB, LTSB
CB new features available immediately after being published, min length of servicing lifetime 4 months, supported on Win 10 Home/Pro/Edu/Ent SKUs
CBB new feature upgrades available approx 4 months after being published, min length of servicing lifetime is 8 months, supported on Win 10 Pro/Edu/Ent SKUs
LTSB new feature upgrades available immediately after being published, min length of servicing lifetime is 10 years, supported on Win 10 Ent LTSB SKU only
16 months with new Win 10 but before was 12 months
Windows update group policies
Windows store apps group policies
Manage updates using: GP, WSUS, SCCM, Intune, Local Configuration
In onedrive.com you can right click file and restore previous version if data was deleted
GPOs apply at different levels: Local Computer Policy, Site, Domain, Multiple OUs
MSDN Video – 70-697
Know your authentication types, hello
What is required for smartcard
learn netsh as it can do a lot of things
setup virtual disks in vms and play with storage spaces
virtual hard drive can be added in windows, mounted, use in vms
virtual hard disk is something you create out of a storage space
MBAM tool part of MDOP
NTFS Permission basics, shares, folder and file level security – practice
how it works with shares the most restrictive applies in general
DFS: how to provision; how to decrypt if the cert is missing; how multiple users will access it
create test users and groups
VPN Reconnect uses IKE tunnels and is not the same as Direct Access
Offline files where in GPO
create Custom power policy and deploy
azure can create app collections and deploy to groups of users such as sales
RemoteApps on Azure – runs on multiple devices and minimizes cost. Don't need to upload apps to multiple stores, just into Azure
App-V does not run on multiple platforms you need a Windows Client