
Manage identity (13%)

Install and manage software using Office 365 and Windows Store, Sideloading, mobile devices
• Office 365 Admin Center is for configuring accounts, domains, services, and tools
• https://status.office365.com can be used to track uptime for Office 365 products
• Office 365 allows adding multiple e-mail address aliases by modifying the Users setting for each user
• To create an Office 365 App-V package, run the Office Deployment Tool: first “setup /download”, then “setup /packager”
• Azure AD can be used by Intune and Office 365 for external users to log into
• Office Deployment Tool (ODT) allows admins to create “Click-to-Run” deployments of Office 2016
• Running “setup /download” with ODT creates a Click-to-Run installer
• Once an ODT configuration file is created, you can run the install with “setup.exe /configure”
• ODT order: create configuration.xml, run setup.exe /download on the server, then run setup.exe /configure on the client
• Windows Store is only accessible if a Microsoft account is associated with the user's local or domain account
• Setting the GPO “Allow All Trusted Apps To Install” to Disabled will disable Windows Store access
• Deeplinking an app in Intune means taking a public app from the Windows Store and making it available in the Company Store
• When updating Line of Business (LOB) apps, the new one just needs to be added; there is no need to remove the old one
• Purchased Windows Store apps can be installed on up to 81 devices with Windows 8.1
• Windows Store apps are limited to 10 devices per Microsoft account with Windows 10
• “Set-AssignedAccess -UserName TestName -AppName Test1” is used for granting Windows Store permissions
• AppLocker Packaged app rules can prevent the installation of specific Windows Store apps
• “Sync licenses” in Windows Store is under the Apps Updates section
• “Remove-AppxProvisionedPackage” should be used to remove pre-installed Windows Store apps from Windows 10. Programs and Features cannot do this
• Automatic App Updates is configured under Windows Store \ Settings \ App Updates \ Automatically update my apps
• PowerShell commands:
  o Add-AppxPackage - install or upgrade an app package for the current user
  o Get-AppxLastError - review the last error for an app package installation
  o Get-AppxLog - review the app package installation log
  o Get-AppxPackage - view the list of app packages installed for a user profile
  o Get-AppxPackageManifest - read the manifest of an app package
  o Remove-AppxPackage - remove an app package from a user account
• Sideloading is a term used to describe making an app available to a company's users without making it public on the Windows Store
• By default, Sideloading is disabled
• GPO setting “Allow All Trusted Apps to Install” needs to be Enabled to allow Sideloading
• “Import-Module appx” followed by “Add-AppxPackage [path of app]” is used to install a Sideloaded app
• Add-AppxPackage is used to install or upgrade an app
• DISM can be used to Sideload apps into deployable Windows images
• Intune can be used to make Sideloaded apps available to authorized users
• Windows Intune Company Store is where a Sideloaded app will need to be installed from
• Company Portal is an app that needs to be installed from the Intune portal
• Log in using the Azure user name and password to access the Company Portal
• Provisioned Apps are just Sideloaded apps that were packaged into an image
• The maximum number of Provisioned Apps that can be put into an image is 24
• Sideloading is activated by using “slmgr /ipk <sideloading product key>” and then “slmgr /ato”
• Sideloading is enabled under Settings \ Update & Security \ For Developers
• Sideloading license keys are not required for Windows 10 like they were in Windows 8
• Sideloading requires the app to be digitally signed
• Intune can sideload apps to RT, 8.1, and 10
• Intune doesn't require license keys to sideload onto Windows 10 but does for other versions of Windows
• Intune requires 8.1 systems to be joined to the domain to sideload
• Intune Sideloading key is added under Admin \ Mobile Device Management \ Windows
• Intune can Sideload .exe, .msi, .apk, .ipa, .xap, and .appx files
• Sideloading allows setting a name, description, category, and an icon for the app
• Sideloaded apps need a group to be deployed to (like All Users or All Devices)
• Sideloaded apps have approval choices of Required Install, Available Install, or Uninstall for Users
• Sideloaded apps only allow the choices of Required Install or Uninstall if just Devices have rights to them
• Sideloaded apps need to be installed from the Windows Store, which requires being logged in with a Microsoft account, but once installed they can be run from a domain account on the same machine
• “Add-AppxProvisionedPackage” will provision an app for all users when they first log in
• “DISM /online /add-provisionedappxpackage /PackagePath:C:\app1.appx” can also be used to install an app for users at first logon
• “Add-WindowsDriver” adds a driver to an offline image
• pnputil.exe can be used to install drivers
• pnputil.exe is used to install drivers from the command line by referencing the .inf
• .cat files contain cryptographic hashes used to verify a driver hasn't been altered
• Windows Portable Devices (WPD) are smartphones and tablets
• Android uses .apk files
• Windows uses .appx or .appxbundle files
• iOS uses .ipa files
• Windows Phone uses .xap, .appx, or .appxbundle files

Multi-factor Auth, Workplace join, Homegroups, virtual smart cards, Microsoft account
• Workplace Join allows mobile devices to access resources in a domain
• Workplace Join uses the Azure Active Directory Device Registration service
• Workplace Join works with Android, iOS, and Windows phones
• Workplace Join requires an AD FS server and a Web Application Proxy
• Clients must trust the AD FS certificate to perform a Workplace Join
• Workplace Join is initiated under Settings \ Accounts \ Work Access \ Connect and entering a valid e-mail address
• Joining a HomeGroup requires the Peer Networking Grouping and HomeGroup Provider services to be running
• HomeGroups depend on proper date/time configuration and on IPv6 being enabled
• By default, HomeGroup resources grant read-only permissions to other members
• HomeGroup resource permissions can be set for individual users or for all users
• HomeGroups require IPv6 on all systems and time synced within 5 minutes
• There can only be one HomeGroup per network
• Credential Manager logins get copied from computer to computer as long as a Microsoft account is used for login
• Windows Hello enables the use of biometrics to sign into a computer
• “Improve Recognition” for Windows Hello has been proven to be able to distinguish between identical twins for facial recognition
• Picture Passwords are used by drawing lines, circles, or taps. They can only be used on local logins, not domain logins
• Picture Passwords do not provide a high level of security
• Near Field Communication (NFC) Smart Tags are tags that you hold your phone near; they change a phone setting (turn wireless on/off, etc.) or run an app, and can be programmed for other tasks too
• Virtual Smart Cards require a minimum of TPM 1.2
• Virtual Smart Cards require Windows 8 or Server 2012 and above, TPM 1.2, a limit of ten smart cards per computer, and a minimum eight-character PIN, which can include numbers, letters, and special characters
• Tpmvscmgr.exe is used to create or delete Virtual Smart Cards locally or remotely
• “tpmvscmgr.exe create /name tpmvsc /pin default /adminkey random /generate” will create a TPM Virtual Smart Card
• tpm.msc opens the TPM console
• How to enable a domain to support Virtual Smart Cards: https://technet.microsoft.com/en-us/library/dn579260.aspx#BKMK_Step1
• EAP authentication is required for Smart Cards
• GPO setting “Accounts: Block Microsoft accounts” can be used to prevent linking a Microsoft account to a local or domain account
• “Trusted PC” means a computer that you've added to the password reset information for your Microsoft account
• Microsoft recommends removing all devices from Trusted Devices if one is compromised and then re-adding them
• Reset Account Counter After must be less than or equal to the Account Lockout Threshold
• Global Catalog is used to locate objects in other domains

Plan desktop and device deployment (13%)

Migrate user profiles and power plans
• Profile Versioning occurs when a user profile that was used with Windows 7, 8, or 8.1 is given a “.V5” extension after being logged into using Windows 10 for the first time
• Renaming ntuser.dat to ntuser.man creates a Mandatory profile
• Super Mandatory profiles are made by adding “.man” to the end of the user profile folder name
• Super Mandatory profiles prevent logins when the server that stores the mandatory profile is unavailable
• USMT is part of the Assessment and Deployment Kit (ADK)
• USMT includes ScanState and LoadState
• USMT uses migapp.xml, migdocs.xml, and miguser.xml
• USMT steps: install on the tech PC, use ScanState to generate config.xml, modify the .xml files, copy the files to a share, scan the PCs, run LoadState on the destination PCs
• /genconfig is used in ScanState to create a custom configuration file, which can exclude certain OS settings
• “/ue:*\* /ui:*” in a ScanState or LoadState command can be used to exclude domain user profiles and only include local user profiles
• powercfg.exe can be used to import and export power configuration
• “powercfg.exe -list” lists the available power schemes
• “powercfg -lastwake” will state why your computer last woke up
• “powercfg -devicequery wake_armed” will display what devices can wake up your computer
• “powercfg -energy” runs for 60 seconds and creates a file named energy-report.html
• “powercfg” /S = Set Active and /X = Change or Modify
• “Turn off hard disk after” is set to 10 minutes on battery and 20 minutes plugged in under every power plan

Configure Hyper-V, Windows To Go, Wi-Fi Direct, BitLocker, Offline Files
• Hyper-V requires SLAT and 4 GB of RAM
• Gen 2 Hyper-V VMs support Secure Boot, SCSI boot, and PXE boot, and must run at least Server 2012 or 64-bit Windows 8
• Device Guard is used to protect Hyper-V credentials
• Hyper-V Integration Tools will be installed by Windows Update
• Integration Services are like VMware Tools
• Guest Services in Integration Services must be enabled to copy files to a running VM from the host without shutting down the VM
• RD Virtualization Host Server hosts virtual desktops
• “Copy-VMFile” will only work if the VM is running Guest Services
• “Enter-PSSession -VMName [VMname]” or “Invoke-Command -VMName [VMname] -ScriptBlock {[commands]}” can remotely run commands on a VM
• Internal networks allow communication between VMs on the same switch and the host, while Private is just for other VMs
• VHD max is 2 TB while VHDX is 64 TB
• VHDX protects against data loss, improves performance on large-sector disks, and improves performance for Differencing disks
• Differencing disks are used along with Parent disks
• “New-VM” creates a VM
• “Checkpoint-VM” creates a snapshot
• “Move-VMStorage "AppServer"” will move the storage of a running VM (the equivalent of a Storage vMotion)
• Types of VM network switches are External, Internal, Private, and Dedicated
• VM file types: .avhd = checkpoint differencing file, .vsv = VM saved state, .bin = VM memory content
• Checkpoints create an .avhd and an .xml
• Windows To Go enables running Windows 10 from a USB drive
• Windows To Go requires Enterprise edition
• The Create A Windows To Go Workspace wizard is used to create a Windows To Go USB
• Windows To Go has hibernate disabled by default, but it can be enabled
• Windows To Go requires 1 GHz, 2 GB, and DirectX 9
• Windows To Go should be installed on USB drives that are certified by Microsoft as Windows To Go compatible
• Windows To Go can work in USB 2 or 3 ports, but USB 3 is recommended
• Windows To Go installs are performed by running the Windows To Go Creator wizard
• Wi-Fi Direct allows connecting one system to another without a router
• Wi-Fi Direct works with laptops, TVs, printers, PCs, and Xbox One
• Wi-Fi Direct only needs to be supported on one of the two devices
• Wi-Fi Direct requires the use of “netsh wlan set hostednetwork mode=allow ssid=[ssid] key=[password]”
• Wi-Fi Direct maximum distance is 656 feet
• “manage-bde.exe” is used to manage BitLocker
• “manage-bde -status” will show the progress of BitLocker encrypting a drive
• If BitLocker is required by the GPO “Require additional authentication at startup”, then it can be used even if no TPM chip exists
• BitLocker needs either a TPM chip or a USB drive
• BitLocker To Go protects USB drives, SD cards, and removable hard disks formatted in NTFS, FAT32, FAT16, or exFAT
• BitLocker can be configured to encrypt just written data or the entire disk
• Putting BitLocker into Disabled mode only clears the passwords and keeps the drive encrypted. Even newly written data gets encrypted
• “Suspend-BitLocker -MountPoint "C:"” will disable BitLocker
• BitLocker Network Unlock will unlock workstations when they connect to the corporate network
• BitLocker startup key can be backed up to ANY non-operating-system drive, internal or external
• BitLocker uses AES 128 by default but can go to AES 256 with a GPO setting
• Suspend BitLocker before updating the BIOS and re-enable it afterwards
• BitLocker without TPM is enabled by enabling the “Require additional authentication at startup” GPO and its “Allow BitLocker without a compatible TPM” option
• BitLocker lets you back up the Startup key and the Recovery key. They are different
• BitLocker allows the creation of a Startup Key or a Startup PIN, but both cannot be used at the same time
• BitLocker Startup PIN is 4 to 20 digits
• Microsoft BitLocker Administration and Monitoring (MBAM) is for BitLocker or BitLocker To Go
• “Turn on TPM backup to Active Directory Domain Services” will ensure the TPM info is stored in AD
• “Suspend-BitLocker -MountPoint "C:" -RebootCount 2” will keep BitLocker suspended for two reboots
• “Allow network unlock at startup” for BitLocker allows users to be able to remotely access their files on BitLocker-protected machines
• Publishing the Data Recovery Agent certificate can allow users to unlock USB drives encrypted with BitLocker. It won't work for hard drive encryption
• Network Unlock requires a wired connection to the corporate network and a DHCP driver in the UEFI firmware
• Network Unlock works with TPM+PIN
• Enabling File Synchronization on Costed Networks via GPO will make Offline Files use less bandwidth
• Cost-Aware Synchronization can be used with Offline Files to limit data usage
• Always Offline mode can be used with Offline Files to keep files offline and limit bandwidth usage
• Always Offline mode is enabled by configuring Slow-Link mode and setting its latency threshold to 1 millisecond
• CscService is used for Offline Files and Folders
• Offline Files are stored in %windir%\CSC
• Offline Files can sync on a regular schedule or on an event (such as idle time)
• By default, 10% of a drive is made available for automatic caching for Offline Files

Plan and implement a Microsoft Intune solution (11%)

Mobile device policies, tethering and metered networks, Work Folders, support MDM with Intune
• Intune remote wipe can remove just company data or do a factory reset
• Selective Wipe destroys the symmetric key associated with the domain, making corporate data inaccessible
• Remote Business Data Removal (aka Selective Wipe) can be used to flag files as corporate or personal
• Intune can do a partial or full wipe. A full wipe removes non-business data such as camera pictures
• Remote Wipe requires SMS and cellular to be enabled. Having a Wi-Fi connection doesn't matter
• Remote Wipe from Intune requires going to the properties of a user, selecting their device from properties, then choosing Retire/Wipe
• Intune doesn't require devices that use it to be on the domain
• Enrolling a laptop as a mobile device in Intune will allow remote wipe
• Intune Mobile Device Management (MDM) is supported for RT, iOS 7, Android 4, Windows Phone 8, and Windows 8.1 or later
• To configure the MDM Authority under Intune, go to the Administration page / MDM and check the box Use Intune To Manage My Mobile Devices
• Intune MDM lets you apply security and VPN profiles to mobile devices
• Intune MDM is what manages the Configuration Policies and Compliance Policies
• Intune MDM policies are like GPOs, but they get overridden by GPOs if there is a conflict
• Intune MDM can deploy apps to the Company Portal
• MDM Authority can be provided by Intune, System Center 2012 Configuration Manager, or Office 365
• MDM for Office doesn't support domain-joined PCs or servers, while Intune and SCCM do
• MDM for Office does support PCs that are connected to Azure AD
• Mobile Device Security Policy template controls Intune mobile device security settings
• Metered connections only download Priority updates, stop Start screen tiles from updating, stop Offline Files and Work Folders, and prevent apps from downloading from the Windows Store
• To migrate Work Folders, click Stop using Work Folders, click Set up Work Folders, then choose a new NTFS-formatted location
• Work Folders synchronizes data between a mobile device and folders hosted on a corporate network file server
• Work Folders is for domain or non-domain-joined devices
• Work Folders works with Windows 7 Pro and up as well as iOS 8 and up
• Work Folders syncs every 10 minutes by default
• Work Folders won't sync over metered connections
• Intune External Link should be used to specify a URL for software being published
• Intune Software Link is used to deploy app packages for Android and other mobile devices
• Near Field Communication (NFC) works up to about 4 inches
• NFC can be used for file sharing or connecting to devices like a printer

Deploy software updates with Intune
• Intune can push third-party updates. You need to specify how to determine if the update is already installed (registry key, MSI product code, etc.)
• SCCM 2012 can use Intune as a management point by installing the connector site role
• Intune allows you to remotely push applications to other systems
• Intune Auto-Approval rules ensure updates get installed ASAP
• Intune Subscriptions are only used to purchase new Intune features, not to deploy apps
• Intune requires a minimum Internet speed of 768 Kbps to publish software install files
• Intune can use Parent and Child groups for setting permissions
• Deleting a Parent group automatically deletes its Child groups
• To change the Parent of a Child group you need to recreate the group
• To create a group where you include some members and exclude others, add allowed members to the Parent group and denied members to the Child group
• Intune and SCCM should be used together IF: more than 50k devices, most devices are on premises, and servers and computers are joined to a domain
• Enrolling a device into Intune requires going to portal.manage.microsoft.com and downloading the Intune software
• Installing the Intune agent requires admin rights on the local system
• To configure automatic updates, in Intune go to Policy / Overview / Add Policy / Microsoft Intune Agent Settings and set “Automated or prompted installation of updates and applications”

Manage devices and user accounts with Intune
• Microsoft Intune user group contains all users who have a license to use the subscription
• Each Intune user license supports enrolling up to five devices
• Intune Device Enrollment Manager is able to enroll more than five devices at once
• https://accounts.manage.microsoft.com is the Intune Account Portal
• Intune uses Azure Active Directory (AAD) to store user information
• Azure Active Directory Synchronization Tool (DirSync) provides integration between AD DS and Intune
• DirSync is also known as the Microsoft Azure Active Directory Synchronization Tool
• DirSync with Single Sign-On connects through AD FS
• DirSync with Password Sync works without AD FS
• Azure AD and AD synchronization requires user, contact, and password synchronization to an Azure AD tenant
• How to synchronize AD with Intune:
  1. Activate AD synchronization on the company portal
  2. Install and configure the Active Directory Synchronization tool on your synchronization server
  3. Verify directory synchronization on the company portal
  4. Activate synchronized users
• Synchronization in Intune refers to AD, while Refresh is used for policies and inventory updates
• GPO policies supersede Intune policies
• Intune roles:
  o Tenant admin - top admin, creates the Intune subscription, is also a Global admin
  o Global admin - has as many rights as the Tenant admin, but there can be many of them
  o Billing admin - manages purchases, subscriptions, and support tickets, and monitors service health
  o Password admin - resets passwords (but only for standard users and other password admins), manages service requests, and monitors service health
  o User management admin - resets passwords, manages service requests, manages user accounts and groups, and monitors service health
  o Service support admin - manages support tickets, views organization and user info, and monitors service health
• Intune Configuration Policies are like GPOs
• Intune Compliance policy takes precedence over the Configuration policy regardless of which is more restrictive
• Intune Configuration policies are used to manage security and features on devices
• Intune Agent policies deal a lot with Windows updates and Endpoint Protection
• Microsoft Intune Center Settings template can be used to configure the support contact information
• Microsoft Intune Agent Settings template configures Endpoint Protection policies
• Windows Firewall Settings template controls Intune incoming and outgoing traffic
• Enable Real-time Protection in Intune configures monitoring and scanning of all files and applications
• Detected Software Report in Intune shows what applications are installed on managed devices
• Update Report in Intune shows all update info
• Intune alerts are automatically removed after 45 days
• Intune nodes: Dashboard, Groups, Alerts, Apps, Policy, Reports, Admin
• Intune setup:
  1. Sign up for Intune
  2. Ensure user accounts have a publicly registered UPN that can be verified by Intune
  3. Deploy AD FS
  4. Create a CNAME record for EnterpriseEnrollment.[FQDN]
  5. Obtain certificates and keys for mobile devices
  6. Create the Intune subscription
  7. Add the Intune connector site system role to SCCM
• https://blogs.technet.microsoft.com/configmgrdogs/2015/03/30/the-ultimate-intune-setup-guide-stage-4-enable-configmgr-2012-r2-management/
• Apple Push Notification (APN) service allows management of iOS devices
• APN certificates imported into an iOS device allow Intune to manage it
• With an APN, Intune can encrypt the IP connection with the iOS device
• Intune Dynamic Groups can be made based on OU, Domain, or Device type for Computer groups, and Security group or Manager for User groups

Configure networking (11%)

Connect to networks, wireless networks, advanced security firewalls, IPsec, network discovery
• Location Aware Printing requires the Network Location Awareness and Network List services
• Location Aware Printing is configured under Manage Default Printers by choosing Change Default Printer When I Change Networks
• “Get-NetConnectionProfile” will show whether your profile is Public or Private
• “Set-NetConnectionProfile -InterfaceAlias Ethernet -NetworkCategory Public” sets the Ethernet interface's profile to Public
• Domain firewall policy automatically applies if a DC is detected on the network
• Server-to-Server Connection Rule can be set in Windows Firewall to configure authentication
• Isolation Connection Rule can be used in Windows Firewall to restrict connections based on domain membership
• Isolation firewall rules can be used to require IPsec for inbound or outbound connections
• Tunnel Connection rule in Windows Firewall is used to authenticate connections between gateways
• Authentication Exception firewall rule prevents connections to certain computers
• “Set-NetFirewallProfile” can be used to enable the Domain, Public, or Private firewall profile
• “Notify me when Windows Firewall blocks a new program” is only for Private networks
• “Change my default printer when I change networks” option allows changing the default printer
• Adding “_optout” to the SSID of a wireless network will stop it from being shared out with Wi-Fi Sense
• Adding “_nomap” to an SSID will remove it from Wi-Fi network mapping
• “Set-NetIPv6Protocol” modifies the global IPv6 protocol settings
• “New-NetFirewallRule” creates a new firewall rule
• “New-NetIPAddress” is used to configure IPs, while “Set-NetIPAddress” is used to set interface properties
• “Set-NetIPv4Protocol -IGMPLevel None” disables multicast
• When changing an IP address on an already configured interface you have to use “New-NetIPAddress”
• Connection Security Rules can require or request authentication on inbound or outbound connections
• Connection Security Rules create Main Mode and Quick Mode Security Associations with IPsec when two clients talk to each other
• Main Mode Security Associations have a lifetime of 8 hours
• Quick Mode Security Associations have a lifetime of 5 minutes
• Computer and User (Kerberos V5) is only an option for Vista or newer when doing an Isolation firewall rule
• Wi-Fi Sense allows sharing of a hotspot with your contacts
• Wi-Fi Sense contacts can be from Outlook.com, Skype, or Facebook
• DNS64 allows IPv6 clients to receive special IPv6 addresses that are convertible to IPv4
• NAT64 is an IPv6-to-IPv4 proxy service
• An IPv6 address starting with “FE80” is like a 169.254 address

Configure storage (10%)

DFS client caching, Storage Spaces, OneDrive
• RAID must be disabled before a drive can be added to Storage Spaces
• Storage Spaces uses the Resilient File System (ReFS)
• ReFS can repair file corruption
• Three-way mirror can sustain the loss of two drives and requires a minimum of five drives to implement
• Thin Provisioning in Storage Spaces terms means you can set the initial size of a Storage Space to something larger than the disks can accommodate. Later, you can add more disks to add more storage
• OneDrive uses Perfect Forward Secrecy (PFS)
• Recycle Bin holds up to 10% of disk capacity
• Recycle Bin keeps items a minimum of 3 days and up to 90 days
• After unlinking from OneDrive, the files that were there are still available but are no longer synchronized
• OneDrive is built into 10, 8.1, and RT 8, supported on 7 and Vista, and also on Mac
• OneDrive supports Mac OS and iOS
• OneDrive supports multiple users editing a spreadsheet at a time
• Files on OneDrive can be accessed without Internet connectivity if they have been cached locally
• Windows.old automatically gets deleted one month after upgrading Windows 8 to Windows 10
• Remote Differential Compression (RDC) is used in Distributed File System Replication (DFS-R)
• RDC detects changes in files that need to be replicated
• Dfsutil.exe is used to troubleshoot DFS
• “Dfsutil /cache” is used to clear the DFS cache
• Storage Spaces supports two-way mirror, three-way mirror, parity, and simple
• “Remove-PhysicalDisk” removes a disk from a specific storage pool
• When creating a pool in Storage Spaces, all existing data on the drives is lost
• When creating Storage Pools, do not initialize the hard disks first
• Limit of 20 concurrent connections to a shared resource
• File servers can use Access-Based Enumeration (ABE) when creating a new share
• “Audit object access” enables auditing of files and registry keys
• “Audit privilege use” audits rights elevation but won't catch edits to the registry

NTFS shares, DAC, EFS and Data Recovery Agent, BitLocker To Go and Data Recovery Agent, BitLocker Admin and Monitoring (MBAM)
• File Explorer can be set to open to Quick Access or This PC through Folder Options
• With NTFS, an explicit allow takes precedence over an inherited deny
• NTFS files can be encrypted or compressed, but not both
• “Support compound authentication” is used for claims and DAC
• A DAC Claim is a single piece of information about an object, such as an attribute
• Multiple Claims can be used on a single resource
• Compound Tokens allow devices to support Static Device Claims
• Compound Authentication and Kerberos Armoring are configured in GPO Computer \ Admin Templates \ System \ Kerberos
• Dynamic Access Control: the Properties of files and folders has a Classification tab that will show DAC classification information
• Dynamic Access Control: Advanced Security Settings has a Central Policy tab next to Effective Access. Look for "Condition" at the bottom of the Permission Entries list
• Dynamic Access Control: for user account changes, logging off and logging back in is required, just as it is for a security group change
• Microsoft BitLocker Administration and Monitoring (MBAM) is part of the Microsoft Desktop Optimization Pack (MDOP)
• MBAM helps with the deployment and recovery of encryption keys, monitoring, automated provisioning of encrypted volumes, key recovery requests, and enforcement of BitLocker policies, and provides a self-help portal
• MBAM is a component of MDOP that allows management of drive encryption settings
• MBAM allows easy key recovery
• MBAM allows end users to recover encryption keys using the Self-Service Portal
• MBAM allows automation of encrypting volumes across an enterprise

Manage data access and protection (11%)

HomeGroup settings, configure libraries, printers
• Libraries can be created and managed in File Explorer
• Type 3 print drivers are made specifically for a particular model of printer
• Type 4 print drivers are the universal drivers
• Driver rollback doesn't work for printer drivers
• “PrintBrmUi.exe” is used to export printer queues and drivers

EFS, disk quotas
• Disk Quotas can only be applied at the per-volume level
• File Server Resource Manager (FSRM) is an improvement over disk quotas
• ReFS doesn't support Disk Quotas
• “cipher” can be used to import an EFS certificate
• “cipher” manages file encryption
• “cipher /r:[filename]” will create an EFS recovery key
• EFS uses AES 256-bit
• EFS requires Windows 10 Pro, Enterprise, or Education
• EFS GPO: Computer \ Policies \ Windows Settings \ Security \ Public Key \ Encrypting File System
• EFS Data Recovery Agent (DRA)
• Best practice is to create a unique "data recovery account" when configuring the EFS Recovery Agent on the domain
• When creating a new data recovery account, the EFS keys stored under the previous account do NOT get transferred to the new account
• Disk Quotas do not apply to local admins
• Disk Quota GPOs are under Computer \ Admin Templates \ System \ Disk Quotas
• Disk Quota sizes don't take compression into account
Manage remote access (10%)
Remote desktop, VPN authentication, VPN reconnect, broadband tethering
 PPP is the VPN for all dial up connections
 SSTP uses SSL, port 443
 IKEv2 is the most used mobile VPN protocol for Win 10 and 8.1
 EAP-MS-CHAPv2 is the most secure authentication protocol
 IKEv2 supports either EAP-MS-CHAPv2 or a certificate for authentication
 Always On VPN will activate at sign on
 App-Triggered VPN will activate when a certain application launches
 Traffic Filters for VPNs can be app-based (only allows traffic from certain apps) or traffic-based (based on protocol, source, dest)
 LockDown VPN profile overrides all other VPN profiles
 Broadband Tethering allows creation of a hot-spot
 Broadband Tethering is done by configuring a PPPoE connection in Control Panel \ Networking
 Broadband Tethering requires going into the properties of a PPPoE connection and going to the Sharing tab and allowing others to use the connection
 Broadband Tethering allows up to 10 connections at a time
 Broadband Tethering requires that Internet Sharing be enabled on the network connection
 Mstsc /admin requires the RD Session Host role be installed on the remote server
 Remote Desktop Web Access lets users access applications through a special website
 Remote Desktop Gateway can be used to RDP into a corporate computer from a public IP
 “Enable-PSRemoting” on a client allows it to receiving remote PS commands
 Clear the “Use default gateway on remote network” on the VPN connection to prevent data from being forwarded
 “winrs –r:Computer1 ipconfig /all” will run ipconfig on Computer1 if “winrm config” has already been run on that system
 “winrm quickconfig” needs to be run on a system that is trying to remotely manage another system
 There is a domain local group called Remote Desktop Users that works on DCs
 Clearing the “Use default gateway on remote network” for VPN allows data that cannot be sent on the local subnet to be forwarded across the VPN
 Pen Support is offered in Windows 10 and Server 2016 RDP sessions
 “Computer1:10557” when typed into an RDP window will try to connect on port 10557
 IKEv2 allows VPN Reconnect
 VPN Reconnect works by keeping the VPN session alive despite the client being disconnected
 VPN Reconnect requires a Computer Certificate in Windows 8.1
 VPN Reconnect requires a minimum of Server 2008 R2
 Windows 8.1 used Fast Reconnect
 “Add-VpnConnectionTriggerDns” can be used to connect automatically to a VPN when a DNS suffix is used
 VPN Auto-Trigger connects when applications or network locations are used
 PAP, CHAP, MS-CHAPv2, EAP, and Digital Certificates can be used for VPN authentication
 EAP supports the use of certificates
 “Add-VpnConnectionTriggerApplication” is used for auto-triggering a VPN connection when an application is opened
 VPN Auto-Triggering only works on machines that are NOT joined to a domain
 DirectAccess is for Windows 7 and up and Server 2012 R2 and up
 DirectAccess makes an IPv6 connection
 Teredo-based DirectAccess requires ICMPv4 and ICMPv6 be opened on the firewall
 Easy Connect makes use of IPv6 through Teredo
 Teredo is disabled by default in a domain environment
 Easy Connect requires Teredo be set to Enterprise Client via GPO
 “CertReq” allows you to submit cert requests to a CA
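As an added example (not from these notes or from Microsoft documentation), the VPN items above as one PowerShell script: it creates a per-user IKEv2 connection with EAP authentication, enables split tunnelling (the equivalent of clearing “Use default gateway on remote network”) and attaches DNS-suffix, application and trusted-network auto-triggers. The server name, DNS suffix, DNS server address and application path are placeholder assumptions.

```powershell
# Added example: build an auto-triggered IKEv2 VPN profile with the built-in Windows VPN cmdlets.
# Placeholder values (assumptions): vpn.example.com, corp.example.com, 10.0.0.53, the app path.
$vpnName = 'Corp-IKEv2'

# Per-user connection (no -AllUserConnection): auto-triggers only apply to per-user
# profiles, and per the notes above they only work on machines that are not domain-joined.
Add-VpnConnection -Name $vpnName `
    -ServerAddress 'vpn.example.com' `
    -TunnelType Ikev2 `
    -AuthenticationMethod Eap `
    -EncryptionLevel Required `
    -RememberCredential `
    -Force

# Split tunnelling is the same as clearing "Use default gateway on remote network":
# only traffic that cannot be delivered on the local subnet crosses the VPN.
Set-VpnConnection -Name $vpnName -SplitTunneling $true

# DNS trigger: a name lookup under corp.example.com brings the tunnel up and
# sends that lookup to the internal DNS server.
Add-VpnConnectionTriggerDns -ConnectionName $vpnName `
    -DnsSuffix 'corp.example.com' `
    -DnsIPAddress '10.0.0.53' `
    -Force

# Application trigger: launching the named desktop application brings the tunnel up.
Add-VpnConnectionTriggerApplication -ConnectionName $vpnName `
    -ApplicationID 'C:\Program Files\Contoso\LineOfBusiness.exe' `
    -Force

# Trusted-network detection: when the client already has the internal suffix
# (it is on the corporate LAN) the triggers stay idle instead of dialling.
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $vpnName `
    -DnsSuffix 'corp.example.com' `
    -Force

# Review what was configured.
Get-VpnConnection -Name $vpnName |
    Select-Object Name, TunnelType, AuthenticationMethod, SplitTunneling
Get-VpnConnectionTrigger -ConnectionName $vpnName
```

Run it in an elevated PowerShell session on the client; the same cmdlets with -Remove counterparts (Remove-VpnConnectionTriggerDns and friends) undo each trigger.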

Offline files, power policies, sync options


 Sleep states – S0 = Powered on, S1-S3 are sleep, S4 = Hibernate, S5 = Powered off
 Windows Mobility Center allows users to adjust brightness, volume, check battery status, change power settings, and turn wireless on/off
 GPO “Enabling Windows Update Power Management to automatically wake up the system” is for Windows 8 or below, while “Allow scheduled maintenance to wake up my computer at the scheduled time” is for Windows 10

Manage apps (11%)


RemoteApp and Desktop Connections, GPOs for signed packages, subscribe to
RemoteApp, export and import RemoteApp configs, iOS and Android, remote desktop
web access for RemoteApp distribution
 Azure RemoteApp is a subscription service hosted on a website like Citrix does
 Azure RemoteApp lets you log in with AD or your Live account
 Azure RemoteApp clients are available for iOS, Android, and Microsoft phones
 Azure RemoteApp allows you to publish cloud based apps to users
 RemoteApp allows applications to run remotely through RDS
 RD Session Host Server stores RemoteApp programs
 Azure RemoteApp and Intune are run from the cloud, so they require an Internet connection
 First step in creating a RemoteApp is to create a Virtual Machine
 RemoteApp steps:
1. Create VM in Azure
2. Install programs that will be used and install all necessary roles
3. Create any user accounts that you’ll need to administer the server in the future
4. Use Sysprep to generalize the image
5. Click the Capture button in Azure and check the box that you have run Sysprep
6. In Azure go to RemoteApp and Add a RemoteApp template image from the Virtual Machines library
7. Under RemoteApp go to Publishing and then Publish the app
 Assigning a RemoteApp package in a user-specified policy in GPO will create a desktop link that will install when first run
 Access to RemoteApp is done by logging into Azure, going to RemoteApp \ User Access and entering in Microsoft e-mail addresses
 After copying the list of RemoteApp programs from one Remote Desktop Session Host to another you must create new .rdp files for the new server and create new installer packages
 The above scenario is only necessary if the two servers are not in the same RD Session Host server farm
 Enabling RemoteFX USB Device Redirection along with running “Set-AzureRemoteAppCollection” allows redirecting USB devices to RemoteApp programs
 RemoteApp deployments in Azure require a separate Universal App created for Windows x64, iOS, and Android OSes
 A TXT record must be made in DNS to allow RemoteApp access with an e-mail address that translates to a URL
 App-V security updates are applied by using the “Open for Package Upgrade” feature
 RD Web Access allows access to RemoteApp programs and the Desktop Connection feature via the Start menu
 RemoteApp requires Android 4.0.4 and iOS 6.x
 Azure RemoteApp can make Cloud or Hybrid Collections
 Cloud Collections reside completely in Azure
 Hybrid Collections include a virtual network for on-premises access
 Hybrid Collections require the use of Azure AD and an on-premises AD environment
 Azure AD accounts can use Cloud or Hybrid Collections as long as passwords are synched
 Microsoft Accounts will only be able to use Cloud Collections
 App History tab in Task Manager shows App statistics
 Control Panel \ RemoteApp and Desktop Connections is where the RemoteApp Feed can be configured

Application Compatibility Toolkit (ACT) including shims and compatibility database, App-
V, User Experience Virtualization (UE-V)
 App-V virtualizes applications
 Application Compatibility Toolkit (ACT) is part of the Windows Assessment and Development Toolkit (ADK)
 ACT can be used to determine application compatibility or create Shims to resolve incompatibilities
 Windows Assessment Console is a GUI in ACT that lets you manage and create jobs
 ACT requires an ACT database in SQL
 Shims can be applied to applications to fix or modify them
 Application Compatibility Toolkit (ACT) lets you:
o Determine if apps, devices, and hardware are compatible with Windows 10
o Determine if a Windows update is compatible
o Make a risk assessment based on applications, devices, updates, and hardware
o Determine if Web applications and Web sites are compatible with IE updates
 App-V is available from Microsoft Desktop Optimization Pack (MDOP)
 App-V Server includes App-V Management Server, App-V Publishing Server, App-V Reporting Server, and App-V Reporting Database Server
 Software Assurance (SA) provides enterprises the ability to upgrade to the next version of Windows software when it comes out
 MDOP and App-V Sequencer need to be installed on a Windows 10 machine to virtualize an app
 User Experience Virtualization (UE-V) captures the OS, apps, and app settings that can be applied to a different computer
 UE-V comes with MDOP
 UE-V requires Windows 7 or above
 UE-V Agent watches for settings changes and saves them
 UE-V Synchronizes every 30 minutes by default
 UE-V Generator can be used to create custom templates
 User Experience Virtualization (UE-V) client needs to be installed on the client computer
 UE-V GPOs are stored under Computer \ Policies \ Windows Settings \ Admin Templates \ Windows Components
 The UE-V Synchronization Timeout GPO setting sets the number of milliseconds the computer waits when obtaining user settings from the settings store location
 Best Practice is that App-V is almost unused except when Remote App cannot be used
 With App-V, the client machine must meet the minimum requirement of the app being run while this is not the case with Remote App
 For a client off the network to open App-V applications, App-V Client Manager needs to be set to “Allow disconnected operation”
 “Set-AppvPublishingServer” is used to configure URL and global refresh unit of an application

Manage updates and recovery (10%)


System restore, previous versions, File History, recovery from OneDrive
 OneDrive can restore files by right clicking the file and choosing “Restore the Older Version”
 OneDrive restores need to be done from the website
 File History can be stored to an external hard disk, DVD, or network location
 File History by default will back up Libraries, Desktop, Favorites, and Contacts
 File History CANNOT back up encrypted files
 File History only backs up Libraries, Contacts, Favorites, and OneDrive, not the entire contents of a hard disk
 “FhManagew.exe” is used for File History
 File History is like Previous Versions but it needs to be put on external storage like a network drive
 File History performs backups every hour
 File History supports both NTFS and FAT
 Recovery drive can be created by going to Control Panel \ Recovery
 “REAgentC.exe” is used to associate an Install.WIM with a recovery image
 Recovery Drive Wizards can use SDHC memory cards along with USB drives
 Recovery Drive requires at least 4 GB
 Recovery Drive can only be used during a reinstall
 System Restore uses VSS and requires NTFS
 System Restores can be kicked off from Windows Recovery Environment (RE)
 “wbadmin get versions” will list all Restore Points
 Restore Points were added back in after not being there in Windows 8
 System Image Recoveries lose all files that weren’t there when the image was made (i.e. pictures that were downloaded after the image was first made)
 Default time for system backups is 7pm on Sunday
 “shutdown /r /o” and Shift + Restart both reboot into troubleshooting mode
 Previous Versions was added back in Windows 10
 Backup and Restore can only be used on NTFS drives. It does not even back up ReFS
 System Protection creates Restore Points which do not affect user data
 “recimg.exe” is used in Windows 8 to create an image that retains user data and apps
 Robocopy will copy permissions along with files
 512MB is the minimum size of a USB flash drive that can be used as a recovery drive
 Only one system image backup per computer can be kept in a backup location
 “Push Button Refresh” retains all user files while “Push Button Reset” will delete them
 A Recovery Drive must be created prior to doing a System Image Recovery
 Thumbdrives can be used to create a Recovery Drive
 “Reset-ComputerMachinePassword” will reset a computer account
 Last Known Good Configuration can be created by going to HKLM\System\CurrentControlSet\Control\Session Manager\Configuration Manager and editing this key, followed by running “bcdedit /Set “{Current}” BootMenuPolicy Legacy”
 System Images can get stored to external hard drives or network locations (if using Windows 10 Pro or 8.1 Enterprise)
 System Images CANNOT get stored to partitions on the same physical drive as the existing volume or a non-NTFS drive
 ImageX cannot apply upgrades to OS images
 ImageX only works with SysPrepped images and .WIM files
 DaRT = Diagnostics and Recovery Toolset
 DaRT includes a crash analyzer, MBR repair, disk wipe, file restore, password recovery, registry editor, SFC scan, and TCP/IP config
 DaRT can be used to create a customized Recovery boot partition

Windows Update, update Windows Store apps


 Windows Update Delivery Optimization allows other PCs to download Windows Updates from another PC on the same network
 Windows Update Delivery Optimization is on by default only for Enterprise and Education editions. Off by default for the rest
 Windows Update Delivery Optimization (WUDO) requires that Local Network Peering be enabled
 WUDO is a lot like BranchCache running in distributed mode
 Deferring updates allows delaying the install of an update for months
 Deferring updates is not available on Home edition
 Windows Update Branches:
o Current Branch – installs updates as they are released
o Current Branch for Business – only for Pro, Enterprise, and Education. Installs updates several months after they are released
o Long Term Servicing Branch (LTSB) – Never update
 LTSB requires installing Windows 10 Enterprise 2015 LTSB edition
 Disk Cleanup has an option to cleanup updates which will also free up space in WinSxS
 WinSxS folder retains files that have been updated by Windows Update
 Task Scheduler runs a StartComponentCleanup task that cleans up the WinSxS folder
 Windows Updates can only be uninstalled within the first 30 days after they are installed
 Windows Update cannot be turned off in Windows 10
 Automatic Maintenance Activation Boundary configures the time when Windows Updates get applied
 WSUS GPOs are Configure Automatic Updates, Specify intranet Microsoft update service location, and Enable client-side targeting
 Windows Updates get logged under the System log
 Windows Defender updates can be rolled back with Programs and Features
 SCCM User-specific vs computer-specific assigned packages: Users get desktop links that install when first run and computers install on next boot
 Windows Upgrade Assistant is for Windows 8.1, not Windows 10, though the requirements for the OSes are similar enough that it can still be used

Misc
 Control Panel \ Mobility Center can be used to configure Presentation Mode
 Standard User Analyzer (SUA) is used to get around UAC related incompatibilities
 User needs their Exchange account configured from the Mail app to use Exchange ActiveSync policies
 msDS-Primary Computer attributes are configured on user accounts and contain the Distinguished Name attribute of the computer they are linking to
 Windows RT 8.1 can’t join a domain
 systeminfo.exe
 Secure Boot ensures that unauthorized OS’s cannot be installed on a computer
 Basic folder redirection forces all users to store to the same location, while Advanced lets you choose multiple locations
