Support Windows clients and devices - Exam Ref 70-688 Supporting Windows 8.1 (2014)


Chapter 3. Support Windows clients and devices

This final chapter involves supporting the enterprise you have set up or been integrated into. Here you’ll learn how to support and manage operating systems, hardware, mobile devices, and so on to ensure compliance with the policies and security settings you’ve configured. This chapter focuses quite a bit on Windows Intune for management tasks, including managing remote computers and devices from virtually anywhere you can access the Internet securely.

Objectives in this chapter:

- Objective 3.1: Support operating system and hardware

- Objective 3.2: Support mobile devices

- Objective 3.3: Support client compliance

- Objective 3.4: Manage clients by using Windows Intune

Objective 3.1: Support operating system and hardware

Part of your job as a network administrator involves supporting installed operating systems and hardware. This includes resolving problems when they arise and optimizing performance wherever you can. In this objective you’ll learn about the support and optimization tools that are listed as exam goals; however, you won’t see many other ways to support your clients.


This objective covers how to:

- Resolve hardware and device issues, including STOP errors and use Reliability Monitor

- Optimize performance by using the Windows Performance Toolkit (WPT), including Xperf.exe, Xbootmgr.exe, XperfView.exe, and Windows Performance Recorder (WPR)

- Monitor performance by using Data Collector Sets, Task Manager, and Resource Monitor

- Monitor and manage printers, including NFC Tap-to-Pair and printer sharing

- Remediate startup issues by using the Diagnostics and Recovery Toolkit (DaRT)


Resolving hardware and device driver issues

Problems with external or internal hardware or connected devices such as scanners and printers are generally related to the device drivers associated with them. You can often resolve the problems by reinstalling, updating, obtaining, and rolling back installed drivers. Device drivers also can cause problems for internal hardware, such as installed graphics cards. You can also use Reliability Monitor to uncover and troubleshoot unknown problems, if you aren’t sure what device, application, Windows Update, or other issue is causing the problem.

Resolving hardware and device driver issues

Device drivers and computer hardware go hand in hand. Each requires the other to function properly. A long time ago, most devices came with their own device driver disks for installing the appropriate driver, but now, driver installation is generally automatic. In most instances, the necessary device driver is available in the Windows 8.1 Driver Store (on the computer itself) or from Windows Update (on the Internet), and the driver obtained there works fine. Occasionally, though, problems arise. This happens when a compatible, Windows 8.1 device driver isn’t available, when the installed driver doesn’t function properly, or when the driver isn’t approved by Microsoft’s Windows Hardware Certification Program (and is unsigned as a result).

Troubleshooting and Updating a Driver with Device Manager

You use Device Manager to view, install, uninstall, disable and otherwise manage hardware devices. You can access Device Manager a number of ways, including by right-clicking the Start button and clicking Device Manager from the resulting list. You can also find Device Manager in the Computer Management Console, under the System Tools node. By default, the list is organized by the various types of devices, but other viewing and sorting options are available.

When you use Device Manager to resolve a device driver issue, most often you’ll opt to update the driver. To get started, locate the problematic device in Device Manager and double-click it. Click Update Driver on the Driver tab, or click Update Driver from the General tab as shown in Figure 3-1. In the Update Driver Software dialog box, choose how to locate the driver. If it’s one you’ve downloaded and saved to your computer, click Browse My Computer For Driver Software. Otherwise, click Search Automatically For Updated Driver Software, which automatically looks for a driver in all the usual places. The latter is a good option if you think a driver is available from Windows Update, or if you’ve inserted a driver disk into the CD/DVD drive.

FIGURE 3-1 Use Device Manager to troubleshoot device drivers.

If this option doesn’t resolve your hardware issue, you can try others. You’ll have to try other options if the device doesn’t appear in Device Manager, for instance. One way to resolve an issue is to open Action Center and see whether a solution is waiting for you. Although this is an end-user’s solution to a driver problem and not necessarily a network administrator’s, it’s still an option that can be quite useful. Action Center can identify problems, search for solutions automatically, and, when a solution is found, offer it up.

Another option for installing a device driver is to download it from the manufacturer’s website, and then double-click an executable file that contains it. You have to do this manually; no automated task can do it for you.

You can perform additional tasks with Device Manager. You use similar methods to disable and troubleshoot drivers as you do to update them. Disable is an option from the Driver tab of the device’s Properties dialog box. When you disable a device, you turn it off. This is different from uninstalling a device. When the device is turned off, Windows can’t use it and won’t try to reactivate it. In contrast, if you uninstall a device such as a graphics or audio driver, Windows reinstalls it on restart in most instances (if not before, when you scan for hardware changes in Device Manager). You might want to disable a specific device to determine whether it is causing a system conflict or problem. You also can disable devices that don’t work properly or that you don’t need in order to free up system resources. One example is disabling a laptop’s Wi-Fi adapter while the laptop sits in a docking station with an Ethernet connection. You could disable other unwanted hardware, such as modems.

Sometimes, installing a new driver over an older driver causes more problems than it resolves. In such a situation, you can roll back the driver. Roll Back Driver is available only after you install a second driver; otherwise, the option is grayed out. You can find this option from Device Manager from a Properties dialog box, from the Driver tab.

Managing Legacy Hardware

Occasionally you’ll need to manage legacy hardware. In many organizations, legacy hardware still plays a very important role in getting the job done. It might be a printer that connects to a parallel port, an infrared device, or even a modem. This hardware might not be detected automatically on a computer running Windows 8.1 (it won’t be if it’s a parallel-port printer, for example). An option in Device Manager can help you install these kinds of devices (Action menu, Add Legacy Hardware). To use this option, insert any installation media you have for the device (if you have it), and then follow these steps:

1. Open Device Manager. From the Action menu, click Add Legacy Hardware.

2. Click Next to start the wizard and then select either of these options:

- Search For And Install The Hardware Automatically (Recommended)

- Install The Hardware That I Manually Select From A List

3. Follow the resulting prompts. This might involve selecting a port for a printer, selecting the device from a list, or making other choices.

Using Sigverif.exe to Check for Unsigned Drivers

Device drivers have the potential to damage a computer when they are laced with hidden malware by dishonest programmers. Thus, technology is in place to test, approve, and then sign drivers to verify that they are safe to install and haven’t been altered since the testing and approval process completed. When approved, the drivers are digitally signed by an approved authority (often a trusted organization or publisher). This signature is created using a cryptographic algorithm and is appended to the device driver. It verifies that the driver is authentic and unaltered when you receive it, because the signature is checked before installation.

When installed, unsigned drivers can cause various computer problems, especially ones that are difficult to diagnose, even if those drivers carry no malware. You can check whether any unsigned drivers are installed on a computer by using the command-line tool Sigverif.exe. To perform this check, follow these steps:

1. Right-click the Start button and click Command Prompt (Admin).

2. At the command prompt, type sigverif.exe and press Enter.

3. Start the File Signature Verification, and then view the results.

4. Click Close.
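The same check from PowerShell, as an added example that is not part of the book: it walks the driver folders, asks Windows to validate each file’s Authenticode signature, and reports everything that is not Valid. The folder list and function names are my assumptions; run it from an elevated prompt.

```powershell
# Added example, not from the book: list driver files whose Authenticode
# signature is missing or broken, the check Sigverif.exe performs through
# its GUI. Assumed folders: the running driver directory and the Driver Store.
function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        [string[]]$Path = @(
            "$env:SystemRoot\System32\drivers",
            "$env:SystemRoot\System32\DriverStore\FileRepository"
        ),
        [string[]]$Include = @('*.sys', '*.dll')
    )
    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir)) {
            Write-Warning "Skipping missing folder: $dir"
            continue
        }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    File       = $_.FullName
                    # Valid, NotSigned, HashMismatch, NotTrusted or UnknownError
                    Status     = $sig.Status
                    Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                    Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
                }
            }
    }
}

# Anything other than Valid deserves a look. HashMismatch means the file was
# changed after it was signed. NotSigned on a Windows-supplied file may only
# mean the file is catalog-signed and this PowerShell version does not consult
# catalogs, so confirm such entries with Sigverif.exe before calling them tampered.
function Get-SuspectDrivers {
    Get-DriverSignatureReport | Where-Object { $_.Status -ne 'Valid' } |
        Sort-Object Status, File
}

Get-SuspectDrivers | Format-Table Status, File, Signer -AutoSize
```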

Using Pnputil.exe to Manage Device Drivers

You can use the command-line tool Pnputil.exe to manage device drivers manually at an elevated command prompt. You can also use the command to manage the driver store by adding, deleting, and listing driver packages. A driver package consists of all the data needed to install the driver, including but not limited to

- Driver files: Generally, this is a dynamic link library (DLL) with the .sys file extension.

- Installation files: These files have the .inf file extension and contain the instructions Windows follows to install the driver.

- Driver catalog file: Included with the installation files, this .cat file contains the information related to the driver’s digital signature.

- Additional files: These can be icons, device property pages, and even items related to an installation wizard.

The syntax for the Pnputil.exe command is

pnputil.exe -a <path to the driver>\<drivername>.inf

Here are some parameters to consider:

- -a adds the driver package whose .inf file is at the specified path.

- -d deletes a specific .inf file (driver package) from the driver store.

- -f forces the deletion of a specific .inf file (used together with -d).

To see the DriverStore folder, navigate to C:\Windows\System32\DriverStore\FileRepository.
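An added example, not from the book, that makes the driver store inventory easier to work with: it parses the records that pnputil.exe -e prints for each third-party package (published name, provider, class, date and version, signer) into objects, so you can pick out unsigned packages before deciding on a -d. The function name and the sample inventory are mine; the record layout is pnputil’s own.

```powershell
# Added example, not from the book: parse the text that "pnputil.exe -e"
# prints for each third-party package in the Driver Store into objects, so
# you can find a package by provider, class or signer before removing it
# with "pnputil.exe -d oemNN.inf" (add -f to force). The sample below is
# constructed and is not a real machine's inventory.
function ConvertFrom-PnputilEnum {
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $buffer = New-Object System.Collections.Generic.List[string] }
    process { foreach ($l in $Lines) { $buffer.Add($l) } }
    end {
        $current = $null
        foreach ($line in $buffer) {
            # A record starts at "Published name :"; the next such line closes it.
            if ($line -match '^\s*Published name\s*:\s*(?<v>.*?)\s*$') {
                if ($current) { [pscustomobject]$current }
                $current = [ordered]@{
                    PublishedName = $Matches.v; Provider = ''; Class = ''
                    DriverDate = ''; DriverVersion = ''; Signer = ''
                }
            }
            elseif (-not $current) { continue }   # banner lines before the first record
            elseif ($line -match '^\s*Driver package provider\s*:\s*(?<v>.*?)\s*$') { $current.Provider = $Matches.v }
            elseif ($line -match '^\s*Class\s*:\s*(?<v>.*?)\s*$') { $current.Class = $Matches.v }
            elseif ($line -match '^\s*Driver date and version\s*:\s*(?<d>\S+)\s+(?<ver>\S+)\s*$') {
                $current.DriverDate = $Matches.d; $current.DriverVersion = $Matches.ver
            }
            elseif ($line -match '^\s*Signer name\s*:\s*(?<v>.*?)\s*$') { $current.Signer = $Matches.v }
        }
        if ($current) { [pscustomobject]$current }
    }
}

# Constructed sample in pnputil's output format.
$sample = @'
Microsoft PnP Utility

Published name :            oem0.inf
Driver package provider :   Contoso Devices
Class :                     Network adapters
Driver date and version :   01/05/2013 12.4.38.0
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem1.inf
Driver package provider :   Fabrikam Printing
Class :                     Printers
Driver date and version :   03/14/2012 1.0.0.7
Signer name :

Total driver packages:  2
Added driver packages:  2
'@ -split "`r?`n"

$packages = ConvertFrom-PnputilEnum -Lines $sample
# Packages with no signer name are the ones Sigverif would also flag.
$packages | Where-Object { -not $_.Signer } | ForEach-Object {
    "{0} from '{1}' is unsigned; remove with: pnputil.exe -d {0}" -f $_.PublishedName, $_.Provider
}
# On a real system (elevated prompt): $packages = pnputil.exe -e | ConvertFrom-PnputilEnum
```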

Resolving STOP Errors

A STOP error is one that’s so severe, the computer stops working and then generally offers up a long error code to try to shed some light on the problem. These problems are often hard to diagnose, unless you can write down the error code and look it up online. If you can find a resolution, you can generally work through the fix to bring the computer back up. Sometimes this involves installing an update from Microsoft. You can also try the Microsoft Fix It website at http://support.microsoft.com/fixit/default.aspx.

Some STOP errors don’t have anything to do with a part of the operating system or a device connected to it though. For example, a STOP error might occur if a problem has occurred with Random Access Memory (RAM). If you suspect this is the problem, you can run a memory diagnostic test using the Windows Memory Diagnostic Tool. To access this tool, from the Start screen type diagnose, and then click Diagnose Your Computer’s Memory Problems in the results. You can also run it from an elevated command prompt by typing mdsched. Either way, you have to restart the computer so that the test can run.

If you think the STOP error is related to problems on your hard disk, you can opt for a different tool. ChkDsk (pronounced Check Disk) scans your disk for errors and tries to resolve them. Like other options, you can search for ChkDsk from the Start screen or run it from an elevated command prompt with the chkdsk command. Figure 3-2 shows an example of ChkDsk in action.

FIGURE 3-2 Use ChkDsk to check for errors on the hard drive.

You can also get STOP errors if a device driver tries to write to an incorrect memory address. If you get an error related to an interrupt request (IRQ), this might be the problem, and you might have to use Device Manager for help resolving it.

Really, the possibilities for these kinds of errors are endless because of the sheer number of computer manufacturers, drivers, and devices. Here are a few STOP errors that have been reported and resolved by using Windows updates and hotfixes:

- The memory manager code was changed in order to remove a potential lock contention. This problem was first addressed in Windows Server 2012 R2 and Windows 8.1. A hotfix is now available for Windows Server 2012 and Windows 8. This STOP error is 0x9E and the Knowledge Base (KB) article that addresses it is 2916993.

- You have a Windows 8 or Windows Server 2012-based computer that has high performance disks, and low performance processors or a single core CPU. You put the computer into hibernate (S4). You try to resume the computer from hibernate but problems ensue. There is a cumulative update that resolves this issue. This STOP error is 0x000000A0 (parameter1, parameter2, parameter3, parameter4) and the KB article that addresses it is 2823506.

- You use the right mouse button as the primary mouse button, and you have enabled the Use numeric keypad to move mouse around the screen option. When you press some keys on a Windows 8.1 or Windows Server 2012 R2-based touch device, you receive a STOP error. There is an update for this. This STOP error is 0x0000003B and describes a SYSTEM_SERVICE_EXCEPTION issue. The KB article that addresses it is 2927067.

Using Reliability Monitor

The Reliability Monitor tool lets you explore a system’s stability. It also can help you locate and resolve problems. To open the tool, type Reliability at the Start screen and click View Reliability History.

Figure 3-3 shows a sample report on a recently reinstalled computer. Clicking any of the blue icons on the report causes the list below the graph to populate. You can see that on this day (for this recently reinstalled machine) several successful Windows updates and driver installations occurred. If, for example, you were having intermittent problems with a monitor flickering on and off, and you discovered here that the graphics card driver installation was unsuccessful, you would certainly have a starting point for your troubleshooting.

FIGURE 3-3 Use Reliability Monitor to discover problems.

You can also view the technical details of any entry. The technical details might offer a driver name and manufacturer; information about updates for Windows Defender, Windows Intune, or Windows Update; and so on. What you see depends on several factors, such as the type of entry you’ve requested more information about. Notice also that an option to check for solutions to all problems appears at the bottom of the Reliability Monitor window.


Note: Reliability Monitor Details

Reliability Monitor gathers information using the Reliability Access Component Agent (RACAgent). The Stability Index Score is based on the data collected over time and ranges from 1 to 10.


Optimizing performance

The Windows Performance Toolkit (WPT) is available from the Windows Assessment and Deployment Kit (Windows ADK). The WPT consists of two independent tools: Windows Performance Recorder (WPR) and Windows Performance Analyzer (WPA). The WPT enables you to monitor performance and create performance profiles of both operating system and installed applications.

The WPT can help you analyze various types of performance problems, including application start times, startup issues, deferred procedure calls (DPCs) and interrupt activity (ISRs), system responsiveness issues, application resource usage, and interrupt storms. You’ll use this tool when you are told by a client that a system is slow, that it takes longer than usual for apps to open, that the disk light is on often, that they are getting poor battery life, and similar, vague, related issues.

You can download the Windows ADK for Windows 8.1 Update from www.microsoft.com/en-us/download/details.aspx?id=39982. In this update, support is available for Xperf, the previous command-line tool related to this, but XperfView is no longer supported.

Optimizing performance with the WPT

The WPT contains two tools: the WPR and the WPA. You use the WPR for troubleshooting; with it you record a trace for analysis. Using the WPR you can profile the CPU’s performance, disk input and output (I/O), memory performance, and so on. You begin by clicking Start and end by clicking Save. Go ahead and accept the default save location in Documents as prompted when working through the process. Figure 3-4 shows the screen you see when you open the WPR. I’ve clicked More so that you can see all the options here. Even if you don’t select any specific items, a trace will still capture the relevant data. While the trace runs, make note of any dropped events, because this can signal a report that’s not completely valid.

FIGURE 3-4 Use the Windows Performance Recorder to perform a trace analysis.

After the analysis is complete, you can use the WPA to review the information acquired. In the Analyzer window, click File, click Open, browse to the file location, and then follow the instructions offered to add a graph to Graph Explorer. Make sure that you can see the Diagnostic Console (see Figure 3-5) as well as the graph itself. You can add multiple graphs and interact with them with your mouse. Be sure to explore this before continuing. You or a technician can use the information to uncover the problems, which can include an overused disk, problems with storage and read/write times, problems that occur from too little memory, and so on. By resolving these problems, you improve system performance.

FIGURE 3-5 Use the Windows Performance Analyzer to review the trace logs you’ve acquired.


More Info: Learn More about the WPT

The video at http://channel9.msdn.com/events/BUILD/BUILD2011/HW-59T shows how to change the view from Graph to other options, how to change the layout, how to review the data, and more.


Using Xperf.exe, Xbootmgr.exe, and XperfView.exe

Xperf.exe, Xbootmgr.exe, and XperfView.exe are command-line tools you can use to create and manage trace recordings, assuming you prefer to get the recordings without the luxury of the GUI available from the WPT. However, the use of these tools appears to be fading. The WPT tools do still support Xperf.exe and Xbootmgr.exe, but with Windows 8.1 XperfView.exe is no longer supported. This means that you still can use the WPA to open recordings you’ve created by using Xperf, Xbootmgr, or the WPR, or recordings that are created from the Assessment Platform, if that’s how you prefer to handle it. Although this objective might soon disappear from this exam, you should still review the command-line references available for Xperf and Xbootmgr. Review the following before continuing:

- At an elevated command prompt, type xbootmgr.exe -help to review the options associated with this tool.

- At an elevated command prompt, type xperf.exe -help to review the options available with this tool.

- To learn more, including how to use the options and parameters, read the article “Xperf Command-Line Reference” at http://msdn.microsoft.com/en-us/library/windows/hardware/hh162920.aspx.
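The command-line side of the WPR and Xperf discussion above, as an added example that is not from the book: a small PowerShell wrapper around wpr.exe (the recorder behind the WPR window), xperf.exe and xbootmgr.exe that starts and stops a trace and surfaces a failed start instead of silently continuing. It assumes the ADK’s Windows Performance Toolkit is installed and on the PATH, an elevated session, and a writable C:\Traces folder; the function names are mine.

```powershell
# Added example, not from the book: drive the recorders from the command line.
# Assumptions: wpr.exe, xperf.exe and xbootmgr.exe are on the PATH, the
# session is elevated, and C:\Traces is a writable folder.
$TraceDir = 'C:\Traces'
New-Item -ItemType Directory -Path $TraceDir -Force | Out-Null

function Invoke-Tool {
    # Runs a native tool and turns a non-zero exit code into an error, so a
    # failed -start is not mistaken for a running trace.
    param([string]$Exe, [string[]]$ToolArgs)
    & $Exe @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($ToolArgs -join ' ') exited with $LASTEXITCODE" }
}

# WPR: GeneralProfile records CPU, disk I/O and memory, the default checkbox
# set in the GUI. -filemode writes straight to disk instead of a circular
# memory buffer, so a long capture is not overwritten; still watch for
# dropped events, which the text warns can invalidate a report.
function Start-WprTrace {
    param([string]$ProfileName = 'GeneralProfile')
    Invoke-Tool wpr.exe @('-start', $ProfileName, '-filemode')
}
function Stop-WprTrace {
    param([string]$OutFile = (Join-Path $TraceDir 'general.etl'))
    Invoke-Tool wpr.exe @('-stop', $OutFile)
    $OutFile   # open it in WPA: wpa.exe <file>
}
function Get-WprStatus { & wpr.exe -status }

# xperf: kernel flag groups select what is traced. DiagEasy is the usual first
# pass; -stackwalk Profile adds call stacks to the CPU samples.
function Start-XperfTrace { Invoke-Tool xperf.exe @('-on', 'DiagEasy', '-stackwalk', 'Profile') }
function Stop-XperfTrace {
    param([string]$OutFile = (Join-Path $TraceDir 'xperf.etl'))
    Invoke-Tool xperf.exe @('-d', $OutFile)   # -d stops and merges the trace
    $OutFile
}

# xbootmgr: records a boot. The machine reboots, and the trace plus a summary
# XML land in -resultPath after logon.
function Start-BootTrace {
    Invoke-Tool xbootmgr.exe @('-trace', 'boot',
        '-traceFlags', 'BASE+CSWITCH+DRIVERS+POWER', '-resultPath', $TraceDir)
}

# Typical use: Start-WprTrace; reproduce the slow operation; Stop-WprTrace
```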

Monitoring performance

You can monitor how well your systems perform in several ways. For example, you can use Performance Monitor to create Data Collector Sets and then review the logs to see where improvements can be made. You can use Task Manager to see what’s using most of your computer’s resources. You can also use Resource Monitor to view long-term performance data, including reviewing past problems that still need to be resolved.

Creating Data Collector Sets

You use Performance Monitor to view performance data in real time or to collect data in log files that you can review later. To do the latter, you need to configure a Data Collector Set, which gathers data related to the performance counters you select, as well as event trace sessions. Event trace data is collected from trace providers, which are features of the operating system or of individual applications that report actions or events. You can combine output from multiple trace providers into a trace session. You can also gather system configuration information (registry key values).

You can create a Data Collector Set from a template that’s already configured to monitor specific data types, from an existing set of Data Collectors you’ve created, or by configuring your own Data Collector Set by selecting each individual item yourself. To open Performance Monitor, either search for it from the Start screen or type perfmon in a Run dialog box and click OK or press Enter.

The easiest way to collect a set of data is to create a Data Collector Set from a template, as follows:

1. In the Performance Monitor navigation pane, expand the Data Collector Sets node and right-click User Defined.

2. Click New, Data Collector Set.

3. Enter a name for your Data Collector Set.

4. Click Create From A Template and click Next.

5. Click the template you want to use (see Figure 3-6).

FIGURE 3-6 Creating a Data Collector Set from a template.

6. Click Finish. (You also can click Browse to define where to save the file.)

When you run the Data Collector Set, the collected data is saved on your root drive (unless you click Browse and choose a different folder) in a subfolder of a folder named PerfLogs. You can see the path and other relevant information by right-clicking the Data Collector Set that appears in the Navigation pane and clicking Properties. You also can see the options to view the results in the Navigation Pane of Performance Monitor under Reports.

To run the Data Collector Set, right-click it in the Navigation pane and then click Start. Click Stop when ready. You can right-click to see other options, including Save Template, Latest Report, and Data Manager. You can review the latest data collected in the Data Collector Set by right-clicking again and clicking Latest Report. Look closely at the report in Figure 3-7 and notice that the Hardware Device And Driver Checks has Failed beside it. This indicates a problem that you should address.

FIGURE 3-7 Reviewing Data Collector Set data.

You can create Data Collector Sets in more ways than this. In the Navigation pane, notice several options in the Data Collector Sets option in addition to User Defined:

- System: This consists of System Diagnostics and System Performance. You can run these predefined Data Collector Sets by right-clicking and clicking Start and then Stop.

- Event Trace Sessions and Startup Event Trace Sessions: You can create a new Data Collector Set in both these locations in a manner similar to what’s outlined in the prior steps, but you choose the event trace providers manually.

Continue to explore Performance Monitor as time allows. Continue on through this chapter when you are ready.
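The same user-defined Data Collector Set built from the command line, as an added example that is not from the book: logman.exe creates, starts, stops and deletes the set, and Import-Counter reads the resulting binary logs so you can see average and peak values without opening the Reports node. The set name, counters, interval and size cap are my assumptions; the output lands under C:\PerfLogs as the text describes.

```powershell
# Added example, not from the book: create, run and read a user-defined
# Data Collector Set with logman.exe, then summarise the .blg files with
# Import-Counter. Requires an elevated prompt. Names and counters are assumed.
$SetName  = 'Baseline-Counters'
$LogPath  = "C:\PerfLogs\$SetName\$SetName"
$Counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\Memory\Committed Bytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Process(*)\Working Set - Private'
)

function New-BaselineCollector {
    # -si: 15 seconds between samples. -f bincirc with -max 250 (MB) makes the
    # log circular so an unattended run cannot fill the system drive.
    & logman.exe create counter $SetName -c $Counters -si 00:00:15 -o $LogPath -f bincirc -max 250
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }
}
function Start-BaselineCollector  { & logman.exe start  $SetName }
function Stop-BaselineCollector   { & logman.exe stop   $SetName }
function Remove-BaselineCollector { & logman.exe delete $SetName }

function Get-BaselineSummary {
    # Reads every .blg logman wrote and reports average and peak per counter
    # path (each Process(*) instance expands to its own path).
    param([string]$Folder = (Split-Path $LogPath))
    $files = Get-ChildItem -Path $Folder -Filter '*.blg' -ErrorAction Stop
    Import-Counter -Path $files.FullName | ForEach-Object { $_.CounterSamples } |
        Group-Object Path | ForEach-Object {
            $stats = $_.Group | Measure-Object -Property CookedValue -Average -Maximum
            [pscustomobject]@{
                Counter = $_.Name
                Average = [math]::Round($stats.Average, 2)
                Peak    = [math]::Round($stats.Maximum, 2)
            }
        } | Sort-Object Counter
}

# Typical run: New-BaselineCollector; Start-BaselineCollector; (wait);
# Stop-BaselineCollector; Get-BaselineSummary | Format-Table -AutoSize
```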

Using Task Manager

Task Manager is one of the most useful tools available in Windows 8.1 (and in earlier versions of Windows as well). Task Manager enables you to manage processes (discrete tasks) that use system resources and to see how those active processes affect those resources. Its simplicity enables end users to end problematic processes, disable apps that don’t need to run at Startup, view logged-on users, and more. However, because Task Manager is such a powerful and feature-rich tool, the savviest network administrator can use it to monitor, diagnose, and improve computer performance quickly.

Because running processes are so important to system performance, Task Manager has been redesigned so you can see the process tree, which groups related processes together. The entire interface also is much more user-friendly. Task Manager has seven tabs. You need to know how you can use each tab to improve performance, and you need to know what each offers before you take the exam.

You can open Task Manager in several ways, but the simplest is to press Ctrl+Shift+Esc. Open Task Manager on your own computer now and explore the tabs as you read the rest of this section.

Using the Processes Tab

This tab shows all running processes grouped together as process trees. Processes with trees have a right-facing arrow beside them. Click that arrow to see the related processes. You can click a single process or a process tree name and then click End Task when you want to close one that is problematic. You can sort the processes based on resource usage. Figure 3-8 shows this tab.

FIGURE 3-8 Use the Processes tab to select and end problematic processes.

Using the Performance Tab

This tab shows real-time statistics for CPU, Memory, Disk, Ethernet, Bluetooth, and Wi-Fi Usage. Under the graph you can see the adapter name, SSID, DNS name, connection type, IPv4 and IPv6 addresses, and signal strength. Right-click any entry on the left and click Summary View to minimize the window and to show only the left pane. Doing so lets you keep an eye on the usage without using up much of your desktop area.

Using the App History Tab

This tab shows usage associated with apps (not desktop apps). All apps are represented here, even if they aren’t currently in use. You can use this tab to determine the load placed on the system from these apps. Columns here include CPU Time, Network, Metered Network, and Tile Updates. As on the Processes tab, you might see related trees. For instance, the Mail, Calendar, And People app has a right-facing arrow beside it. You can double-click any entry here to open the app or switch to it.

Using the Startup Tab

This tab shows what applications start when the computer starts. You can select and disable any application listed here to keep it from starting when Windows does. When it’s disabled, you can return here to re-enable it. You can also view the startup impact caused by the application, which can be marked None, Low, Medium, or High; its status (Enabled or Disabled); and more. You can also right-click any entry to open the file location for it.


Exam Tip

In earlier operating system editions, you could type msconfig.exe in the Run dialog box to open the System Configuration window (and you still can), and from there you could click the Startup tab to configure what applications started when Windows did. If you do that now, under the Startup tab of the System Configuration window, you’ll see only one option: Open Task Manager. I imagine that if a relevant question arises on the exam regarding configuring startup applications, the System Configuration window will be listed and will be (although technically a valid way to access the startup options) counted incorrect. You’ll need to choose Task Manager.
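An added example, not from the book, for reviewing the same autostart entries the Startup tab lists: it reads the Win32_StartupCommand class (Run/RunOnce keys and Startup folders), resolves each command line to the file it launches, and checks that file’s signature, so an unsigned entry or one pointing at a file that no longer exists stands out before you decide what to disable. The helper names are mine.

```powershell
# Added example, not from the book: inventory autostart entries and flag
# those whose executable is unsigned or missing.
function Resolve-StartupExecutable {
    param([string]$Command)
    if (-not $Command) { return $null }
    # Quoted path: take what is inside the quotes.
    if ($Command -match '^\s*"(?<p>[^"]+)"') {
        return [Environment]::ExpandEnvironmentVariables($Matches.p)
    }
    # Unquoted: try the longest run of leading tokens that names an existing
    # file, so "C:\Program Files\Vendor\agent.exe /tray" resolves correctly.
    $tokens = $Command.Trim() -split '\s+'
    for ($n = $tokens.Count; $n -ge 1; $n--) {
        $candidate = [Environment]::ExpandEnvironmentVariables(($tokens[0..($n - 1)] -join ' '))
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    # Bare program name: look it up on the PATH as the shell would.
    $app = Get-Command $tokens[0] -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if ($app) { return $app.Path }
    return $tokens[0]
}

function Get-StartupInventory {
    Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
        $exe = Resolve-StartupExecutable $_.Command
        $status = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
            (Get-AuthenticodeSignature -FilePath $exe).Status
        } else { 'FileMissing' }
        [pscustomobject]@{
            Name       = $_.Name
            Location   = $_.Location   # registry key or Startup folder
            User       = $_.User
            Executable = $exe
            Signature  = $status       # Valid, NotSigned, HashMismatch, FileMissing ...
            Command    = $_.Command
        }
    }
}

# Entries that are unsigned or point at a file that no longer exists are the
# ones to review before you disable them on the Startup tab.
Get-StartupInventory | Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Name, Location, User, Signature, Executable -AutoSize
```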


Using the Users Tab

This tab shows all users logged on to the computer, including those logged on remotely. You can expand the tree associated with any user (click the right-facing arrow) to view the processes open for that user. You can select any of these processes and end them by clicking End Task at the bottom of the window, and you can disconnect a user by clicking the user name and clicking Disconnect in the same way. The active user will be prompted regarding the disconnect command when you use it.

Using the Details Tab

This tab shows what the old Processes tab showed in earlier versions of Task Manager. You can right-click any process to end the task, end the process tree, set a priority, set affinity, create a dump file, and more. Like other tabs, you can click any category name to sort the lists appropriately.

Using the Services Tab

This tab displays all enabled services. Like other tabs, you can right-click a service to perform a task. The options include Start, Stop, Restart, Open Services, Search Online, and Go To Details.


Exam Tip

Explore the bottom of each tab of Task Manager. For the exam, you should know that the Performance tab has an option to open Resource Monitor and the Services tab has an option to open Services.


Using Resource Monitor

Resource Monitor is a powerful tool that you can use to see even more statistics regarding real-time resources. You can open Resource Monitor from the Performance tab of Task Manager, or you can use myriad other ways, including searching for it from the Start screen. You can also launch it directly by typing Resmon.exe in a Run dialog box. When you have it open, you need to spend some time reviewing each tab.

Figure 3-9 shows Resource Monitor, the Overview tab, the graphs available (which are available from any tab), and two suspended processes. Suspended processes can cause problems, so if you see them, take note. Understand that I did not manually suspend these processes myself; these processes were marked as suspended when I accessed this tab from Resource Monitor.

FIGURE 3-9 Use the Overview tab to see the bigger picture.

For the most part, you use Resource Monitor to troubleshoot problems that you couldn’t uncover and resolve by using Task Manager and other tools. For instance, from the Memory tab, you can sort processes by how much memory is committed to them. You might find that a single process uses a lot of memory and is problematic. You might not even need to run the application. From there, you can right-click to end the process, and then return to Task Manager’s Startup tab to stop the process from starting when Windows restarts to keep the problem from occurring in the future. This also reduces the memory load, which will, in the end, improve computer performance.


More Info: Resource Monitor and Related Terms

As you explore each tab, you’ll see many terms that you’ll need to know regarding Resource Monitor, including PID (the Process ID of the application) and Commit (the amount of memory committed by an application). Not enough space is available here to discuss all these terms, so you’ll have to study them yourself. You can learn about Resource Monitor from this TechNet article: http://technet.microsoft.com/en-us/library/dd883276(WS.10).aspx.


Monitoring and managing printers

Although many companies are trying to get to a place where they can run a “paperless” office, printers generally are still a very large part of any enterprise. You might be assigned to manage those printers, including monitoring and sharing them, and you’ll also need to understand how near field communication (NFC) Tap-to-Pair works and how to set it up.

Monitoring and managing printers as an end user or administrator

Devices And Printers, available from Control Panel or by searching for it from the Start screen, offers a place to view connected devices such as printers, mice, media devices, and fax machines. You can immediately discern whether a device has a known problem because of the exclamation point on top of it. You can right-click any device listed to configure device preferences, create a shortcut, troubleshoot the device, and view the device’s properties.

Depending on what you click from the contextual menu, you see options that enable you to configure settings and preferences for the selected device (see Figure 3-10). For instance, if you click Printer Properties, you can access more than just options to print on both sides of the page or print a test page. You can also configure the following:

- Sharing: This enables you to choose whether to share the printer and render print jobs on client computers. You can also opt to provide additional drivers to other workstations that need them.

- Ports: This enables you to add, delete, and configure the port the printer is connected to. You can also enable printer pooling and bidirectional support.

- Security: This enables you to choose the groups or users to allow or deny access to the printer.

FIGURE 3-10 Devices And Printers offers a place to view connected devices.

You also can monitor a printer by right-clicking and selecting See What’s Printing. When you are in the printer window, you can view the jobs waiting to print, pause print jobs, cancel all documents that are waiting to print, and delete a single entry from the print queue (right-click the entry). You also can access the printer’s properties to perform tasks on the printer such as changing the print cartridges and performing other management tasks, and even manage the printer’s color profiles.

The management and monitoring options for printers that have been discussed so far are really end-user management tools. Windows 8.1 Pro and Windows 8.1 Enterprise both include the Print Management console for administrators. You can use this console to manage your printers and gain access to more tools than are available to end users. For example, you can right-click any printer to delete or rename it, or to access options such as Open Printer Queue and Deploy With Group Policy (see Figure 3-11). Notice also the dimmed option: Enable Branch Office Direct Printing.

FIGURE 3-11 The Print Management console offers administrator-level printer options.

If you choose to deploy with a Group Policy Object, a new window opens that enables you to set the GPO name, as well as deploy the printer to the users or computers that this GPO applies to. Note that it doesn’t open the Group Policy Management Console.

As you explore the window, be sure to expand each option, select each option, and right-click each option. Because too much is available to go over here, you’ll have to cover that part on your own. However, I do want to point out the sharing options in the next section.

Sharing printers

To configure sharing options for any printer through the Print Management console, right-click the printer to share and click Manage Sharing. The printer Properties dialog box appears, with the Sharing tab displayed (see Figure 3-12). From here you can share the printer and add any drivers you have available for the computers that will access the printer.

FIGURE 3-12 Share a printer from its Properties dialog box.

Before continuing, you should explore every option in the Print Management console, including Printers With Jobs, Print Servers, and Deployed Printers. In the Print Servers section, what you see when you are in a domain and logged on as an administrator is quite extensive. For instance, you will also see the other computers in that domain and, for each computer listed, information about the driver versions used, form size (such as Legal or Ledger), ports used, and printers installed. On a local workgroup, you’ll see your own computer there.

Finally, to add a network printer to a Windows 8.1 machine, open the Devices And Printers window, click Add Printer, and if the printer appears in the list of available printers, select it and work through the rest of the wizard. If you don’t see the network printer there, click The Printer That I Want Isn’t Listed, and type the path to the printer (see Figure 3-13). Then, work through the rest of the wizard.

FIGURE 3-13 Locate the printer on the client to add it.


Exam Tip

You might be asked how to troubleshoot a printer remotely by using Windows PowerShell. Make sure that you are familiar with the commands Get-Printer, Get-PrintJob, Remove-PrintJob, and others that you see at http://technet.microsoft.com/en-us/library/hh918357.aspx.


Understanding NFC

NFC allows users to “tap” a device (such as a tablet) onto a physical device (such as a printer) and connect to it, in this case, to print. Users must be 4 cm or closer. NFC isn’t Bluetooth, and there is no manual pairing; NFC uses short-range radio waves for discovery and for transmitting data. NFC requires users to employ some sort of NFC hardware, such as tags, stickers, key fobs, or cards, but the technology might be built right in to their laptops or tablets. Note that both devices must be NFC capable and enabled for this to work.

Here are a few more things to know about NFC in an enterprise:

• Administrators must be able to configure an NFC tag for their printer(s) or have printers with NFC built in.

• These connection types are acceptable for the printer: Universal Naming Convention (UNC), Web Services on Devices (WSD), and Wi-Fi Direct.

• Administrators can use the Windows PowerShell cmdlet Write-PrinterNfcTag to provision an NFC tag with information about a printer.
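The remote-troubleshooting cmdlets named in the Exam Tip above (Get-Printer, Get-PrintJob, Remove-PrintJob) and the Write-PrinterNfcTag cmdlet can be exercised together in one script. The following is an added example written for this section; it is not code from the book or from Microsoft's documentation. It assumes the PrintManagement module that ships with Windows 8.1, administrative rights on the print server, and an NFC writer on the machine that provisions the tag. PRINTSRV01 and Sales-MFP are placeholder names, and the -Lock switch is used as I recall it from the cmdlet's documentation (it makes the tag read-only so it cannot later be rewritten to point at a different printer).

```powershell
# Added example (not from the book): inspect a remote print queue, clear only
# the jobs that are in an error state, then provision and verify an NFC tag
# for the same shared printer. PRINTSRV01 and Sales-MFP are placeholders.
$server  = 'PRINTSRV01'
$printer = 'Sales-MFP'

# 1. Printer status on the server. Anything other than Normal is worth a look,
#    and Shared/DriverName tell you what clients are actually getting.
Get-Printer -ComputerName $server |
    Select-Object Name, PrinterStatus, Shared, DriverName |
    Format-Table -AutoSize

# 2. Jobs waiting on the chosen queue. JobStatus carries states such as
#    "Printing", "Error" or "Paused".
$jobs = Get-PrintJob -ComputerName $server -PrinterName $printer
$jobs |
    Select-Object Id, UserName, DocumentName, JobStatus, SubmittedTime |
    Format-Table -AutoSize

# 3. Remove only the jobs that report an error, leaving healthy jobs in place
#    rather than clearing the whole queue.
$jobs | Where-Object { $_.JobStatus -match 'Error' } | ForEach-Object {
    Remove-PrintJob -InputObject $_
}

# 4. If the queue still does not drain, restart the spooler on the server.
#    This is disruptive (it affects every queue on that server), so it is left
#    commented out for you to run deliberately.
# Invoke-Command -ComputerName $server -ScriptBlock { Restart-Service -Name Spooler }

# 5. Provision an NFC tag with the printer's UNC path, lock it so it cannot be
#    rewritten, then read it back to confirm what the tag now says. Hold the
#    tag to the NFC reader when the cmdlet waits for it.
Write-PrinterNfcTag -ConnectionType UNC -PrinterAddress "\\$server\$printer" -Lock
Read-PrinterNfcTag
```

Step 3 filters on JobStatus rather than cancelling every document, which is the difference between fixing a stuck queue and discarding a user's work; step 5 locks the tag because an unlocked tag in a shared space could be repointed at any printer a passer-by chooses.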

Remediating startup issues

The Diagnostics and Recovery Toolkit (DaRT) 8.1 supports Windows 8.1 and is part of the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance. You can use DaRT to quickly repair unbootable or locked-out systems. You can also use it to diagnose what happened, restore missing files, and detect and remove malware.

Before you can use DaRT you must meet a few requirements:

• You must be a Microsoft Software Assurance customer.

• You must have the Windows Assessment and Development Kit 8.1 installed.

• You must have Microsoft .NET Framework 4.5.1.

• You must have the Windows 8.1 Debugging Tools to access the Crash Analyzer.

Because very little information about DaRT 8.1 is publicly available, what you see in this section has been mined from the information available for DaRT 8.0. The steps involved in using DaRT likely haven’t changed much, and this should be sufficient, at least until information about DaRT 8.1 becomes available.

To use DaRT, you must create a recovery image and copy it to a DVD, CD, or USB drive. You can also use a Windows Server Update Services (WSUS) server. A wizard will guide you through the process. You must select the image to use (it must match the platform of the computer you want to recover), clear any recovery tools you don’t want your local user to access (you can still access them as an administrator), and include the latest Windows 8.1 Debugging Tools and Windows Defender malware definitions. With all that done, you can create your bootable recovery disk, which you’ll use to start up to the DaRT recovery options. For the most part, you’ll use DaRT to recover systems that can’t start up to Windows, although you can also use it to reset passwords and recover lost files.


Exam Tip

Understand that other ways exist to recover a computer, including using a Recovery Drive, performing a System Restore, refreshing and restoring, and using a System Image Recovery disk. You might be asked which of these options would be best, given a specific scenario, and DaRT could be included. Generally the option that details the “least amount of administrative effort” and gets the job done the quickest is the one you’ll want to select.


Recovering computers

You recover a computer by starting to the applicable DaRT recovery disk. Then, you navigate through the usual recovery screens to troubleshoot. You select the tool to use based on the type of problem you believe you’re having.


More Info: Using the DaRT Recovery Image Wizard

Learn a little about how you use the DaRT Recovery Image Wizard to create an ISO recovery image under various circumstances. For instance, to deploy a DaRT image to a Windows Deployment Services (WDS) server, you need to extract the boot.wim file from the ISO image first. That’s because WDS servers support only Windows Imaging (WIM) and Virtual Hard Disk (VHD) format and don’t support ISO files. You can learn more about creating a DaRT Recovery image at http://technet.microsoft.com/en-us/library/jj713343.aspx.

• Computer Management: Use this tool to view system information and event logs, work with disks, manage services, manage drivers, and so on.

• Crash Analyzer: Use this tool to examine the dump file associated with the computer failure. The report might name a device driver that might have caused the failure. You can then use the Services and Drivers node of the Computer Management tool to disable the problematic driver.

• Defender: Use this tool to scan for and remove malware and viruses, including rootkit malware.

• Disk Commander: Use this tool to recover and repair disk partitions or volumes by restoring the master boot record (MBR), restoring partition tables, and saving those tables for backup. Back up the partition tables before directing Disk Commander to repair them. DaRT can’t recover dynamic disks.

• Disk Wipe: Use this tool to completely wipe a disk of all its data, using technology that meets current U.S. Department of Defense standards.

• Explorer: Use this tool to browse the files on the local system as well as network shares and to copy that data before you try to repair or reimage the computer.

• File Restore: Use this tool to restore deleted files that were too big for the Recycle Bin.

• File Search: Use this tool to search for files by type, path, date range, or size for the purpose of backing them up before attempting to recover the computer.

• Hotfix Uninstall: Use this tool to remove hotfixes or service packs installed on the computer, if you believe they caused the problem.

• Locksmith: Use this tool to set or change the password for the computer you are repairing.

• Registry Editor: Use this tool to add, remove, or edit registry keys and values.

• SFC Scan: This tool runs the System File Repair Wizard to repair or replace any system files that prevent Windows from starting.

• Solution Wizard: Use this tool to work through a series of questions when you don’t know where to start with DaRT, and then review any solutions offered that might suit your needs.

• TCP/IP Config: When DHCP isn’t available, you can use this tool to manually configure TCP/IP settings.



Exam Tip

You might see a question on the exam that asks why DaRT can’t be used to resolve a problem, or DaRT might be listed as an answer when it can’t be used. For example, DaRT doesn’t support dynamic disks but does support computers with Unified Extensible Firmware Interface (UEFI) and BIOS interfaces, GUID Partition Table (GPT) and MBR partition schemes, and 32-bit and 64-bit versions of Windows 8 and Windows Server 2012. When you see DaRT as an answer, make sure the requirements listed in the scenario meet the DaRT prerequisites.


Diagnosing system failures

You can use DaRT to diagnose system failures, using the available Crash Analyzer tool. The Crash Analyzer uses the Microsoft Debugging Tools for Windows (which you must install) to inspect a memory dump file to discover what caused the computer to fail (often a device driver). You generally run the Crash Analyzer on the problematic, local, end-user’s computer. However, if you cannot access the Microsoft Debugging Tools for Windows or the symbol files on the end-user’s computer, you can copy the dump file from it and analyze the information on a different computer. That secondary computer must have the stand-alone version of the Crash Analyzer installed on it. It must also have DaRT 8.0 installed.

To debug applications that have stopped responding, you also need access to the symbol files. Symbol files are automatically downloaded when you run the Crash Analyzer, but you must have Internet access to get them. Some ways to ensure that you’ll have access to symbol files while debugging a computer are detailed at http://technet.microsoft.com/en-us/library/jj713361.aspx.

To run the Crash Analyzer on a local, end-user’s computer, follow these steps:

1. In the Diagnostics and Recovery Toolset window on the problematic computer, click Crash Analyzer.

2. Provide the required information for the Microsoft Debugging Tools for Windows, the symbol files, and the memory dump file. You can find the location of the memory dump file by using these steps:

A. In a Run dialog box, type sysdm.cpl and press Enter.

B. Click the Advanced tab.

C. In the Startup and Recovery area, click Settings.

D. Note the location listed for the dump file before continuing.

3. Use the information to decide how you will attempt to resolve the problem. You might have to disable or update a device driver by using the Services and Drivers node of the Computer Management tool in DaRT 8.1.
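Steps A through D find the dump file location through the Startup and Recovery dialog. The same settings live in the CrashControl registry key, which is what that dialog writes to, so they can also be read with Windows PowerShell before you copy a dump to the machine running the stand-alone Crash Analyzer. The following is an added example written for this section, not code from the book or from the DaRT documentation; Get-CrashDumpConfig is a function name I chose, and the computer name parameter is a placeholder for whichever client you are checking.

```powershell
# Added example (not from the book): report the crash-dump settings that the
# sysdm.cpl > Advanced > Startup and Recovery dialog exposes, by reading
# HKLM\SYSTEM\CurrentControlSet\Control\CrashControl. Read-only.
function Get-CrashDumpConfig {
    param([string]$ComputerName = $env:COMPUTERNAME)   # placeholder: any client you can reach

    $work = {
        $cc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

        # CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small (minidump), 7 = automatic
        $types = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }

        # DumpFile and MinidumpDir are REG_EXPAND_SZ, so expand %SystemRoot% etc.
        $dumpPath = [Environment]::ExpandEnvironmentVariables("$($cc.DumpFile)")
        $miniDir  = [Environment]::ExpandEnvironmentVariables("$($cc.MinidumpDir)")

        $latestMini = $null
        if ($miniDir -and (Test-Path $miniDir)) {
            $latestMini = Get-ChildItem -Path $miniDir -Filter *.dmp -ErrorAction SilentlyContinue |
                          Sort-Object LastWriteTime -Descending |
                          Select-Object -First 1 -ExpandProperty FullName
        }

        [pscustomobject]@{
            ComputerName   = $env:COMPUTERNAME
            DumpType       = $types[[int]$cc.CrashDumpEnabled]
            DumpFile       = $dumpPath
            DumpExists     = [bool]($dumpPath -and (Test-Path $dumpPath))
            MinidumpDir    = $miniDir
            LatestMinidump = $latestMini
            Overwrite      = [bool]$cc.Overwrite     # whether a new crash replaces the old dump
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $work
    } else {
        # Requires PowerShell remoting to be enabled on the target.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $work
    }
}

Get-CrashDumpConfig | Format-List
```

DumpType of None means there is nothing for the Crash Analyzer to examine after the next failure, and DumpExists tells you whether the file you are about to copy is actually present before you boot into DaRT. Treat the dump file as sensitive when moving it: a complete or kernel dump contains whatever was in memory, including credentials and keys.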


Thought experiment: Repairing/restoring an unbootable computer

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.

You need to recover a computer that won’t start. You think it might suffer from malware or a virus. You prefer not to reimage the machine if possible. You work for a large enterprise that has a Software Assurance agreement with Microsoft.

1. What tool is available to help you resolve this startup issue with the least amount of effort?

2. What will you use in this toolset to start the problematic computer?

3. What tool should you use first to try to salvage the data files on the machine?

4. What tool will you select to try to remove the malware?


Objective summary

• Device Manager is often your first choice when you need to view, install, uninstall, update, roll back, disable, and otherwise manage hardware devices, including legacy hardware.

• Use Sigverif.exe to view unsigned drivers and Pnputil.exe to manage drivers and the driver store from an elevated command prompt.

• When you see STOP errors, you might have to search online for a solution based on the error number, use the Windows Memory Diagnostic Tool, use ChkDsk, and/or review inconsistencies in Device Manager.

• Use Reliability Monitor to gauge the stability of a system and to search for errors involving Windows updates, driver installations, application failures, Windows failures, and more.

• The WPT consists of two independent tools: WPR and WPA. The WPR lets you monitor performance and create performance profiles; WPA lets you review the results.

• Use Performance Monitor to create Data Collector Sets and review the logs to see where you can make performance improvements.

• Use Task Manager to see what’s using most of your computer’s resources, to end processes, to stop applications from starting when Windows does, and more.

• Use Resource Monitor to view long-term performance data, such as past problems that still need to be resolved.

• You can share and manage printers in multiple ways, including by using the Devices And Printers window and the Print Management console.

• You can configure NFC printers to be used by other NFC-enabled devices to tap and connect.

• DaRT can help you recover from myriad startup problems and can be used when Windows is offline.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. You have connected a legacy scanner by using a parallel port. You can’t access the scanner, and Windows doesn’t recognize the device. What should you do?

A. In the Devices And Printers window, click Add A Device and work through the wizard.

B. In Device Manager, from the Action tab, click Add Legacy Device.

C. Windows doesn’t recognize the device because the device driver isn’t signed. Installing the device isn’t possible.

D. At an elevated command prompt, type pnputil.exe –f <path to the driver> /<drivername>.inf and press Enter.

2. You receive a STOP error on a client’s computer. The Event ID suggests it is associated with the loss of the ability to write data to the hard disk. What command should you run to find out whether this is the problem?

A. Sigverif.exe

B. Mdsched

C. ChkDsk

D. Perfmon

3. What tool should you use when a client tells you that a computer is “running slowly,” is often “unresponsive,” and that the hard disk light is on a lot?

A. Performance Monitor

B. Reliability Monitor

C. Sigverif.exe

D. Windows Performance Toolkit (WPT)

4. You are using Task Manager to find out what exactly is using the most computer resources, specifically CPU resources. Which tab of Task Manager is the best to use to review this information?

A. The Processes tab.

B. The App History tab.

C. The Services tab.

D. You shouldn’t use Task Manager; you should type msconfig.exe in a Run dialog box to access the System Configuration window.

5. Which of the following ways can enable you to share a printer on a Windows 8.1 Pro computer?

A. In the Devices And Printers window, right-click the printer, click Printer Properties, and click the Sharing tab.

B. In the Devices And Printers window, right-click the printer and click Sharing.

C. In the Print Management console, right-click the printer and click Manage Sharing.

D. In the Print Management console, right-click the printer and click Sharing.

6. You are attempting to resolve a startup problem by using DaRT. You believe that the problem involves a recently installed device driver, and you know the driver name. Which DaRT option should you try first to resolve the problem?

A. Solution Wizard

B. Explorer

C. Disk Commander

D. Computer Management

Objective 3.2: Support mobile devices

When mobile devices first became widely available, companies generally purchased them outright and then provisioned them to employees to use. This has fallen out of favor in many enterprises; instead, management allows users to bring their own devices to work (known as Bring Your Own Device or BYOD). This objective focuses on understanding the tools you’ll need to incorporate to support this strategy. The devices considered here include Windows RT, Windows 8.1, and various mobile phones (those running Windows 8.1, Android, and iOS) that your users already own and want to use at work. Specifically, this objective looks at how to secure those devices, how to allow them to connect and sync, and how to manage them for the long term.


This objective covers how to:

• Support mobile device policies, including security policies, remote access, and remote wipe

• Support mobile access and data synchronization, including Work Folders and Sync Center

• Support broadband connectivity, including broadband tethering and metered networks

• Support mobile device management via Windows Intune, including Windows RT, Windows Phone 8, iOS, and Android


Supporting mobile device policies

Because users own devices such as tablets and phones, and because they want to use those devices on your enterprise network to do work, at some point you’ll likely need to configure Bring Your Own Device (BYOD) policies and create an infrastructure that supports those devices. When the policies are in place, you can register and enroll those clients to authenticate them on your network. You’ll do all of this before you let your users access any data on corporate servers, including their own data, apps you make available in the company portal (perhaps), and data that’s available to all your users, perhaps from an intranet site.

Configuring mobile device policies

Before you can configure mobile device policies, you must be very sure that you know exactly how you want your mobile clients to function. Should the devices be encrypted? What apps and data will you allow users to access from those devices? What will you do when a device goes missing? What types of passwords will you allow your employees to use? As you might guess, you have a lot more questions to answer before you can start configuring policies. After you decide what policies to apply, you need to create an infrastructure to support those policies.

You can choose from several options when planning a mobile device policy strategy, putting the applicable infrastructure in place, and so on. Some of the more popular options include Windows Intune and Microsoft System Center 2012. Other possibilities are available, but because this exam likely will focus on Windows Intune over others, this section puts its focus there. You learned a little about Windows Intune in Chapter 1, “Support operating system and application installation.”

A popular mobile device management solution, Windows Intune—with or without System Center Configuration Manager—lets you deploy mobile devices, create security policies, upload and publish software packages, and manage inventory without any type of onsite infrastructure. Windows Intune offers various levels of security that you can configure and apply to your users and mobile devices, although not all options apply to every type of device that you might want to register and enroll. Although you can review the entire list of compliance options at http://technet.microsoft.com/en-us/library/dn600287.aspx, this section lists a few just to give you an understanding of what’s available. You can apply the items in this list to every supported device type, including Windows 8.1, Windows RT 8.1, Windows Phone 8 and Windows Phone 8.1, iOS 6 or later, and Android 4.0 and later:

• Minimum password length

• Number of repeated sign-in failures to allow before the device is wiped of corporate data

• Minutes of inactivity before the screen turns off

• Password expiration

• Password history

• Links to the Windows Store, Windows Phone Store, App Store, and Google Play Store

• Featured apps

You can apply many other compliance (security) policies to some but not all mobile devices, either because they are unique to the device or not supported on all devices. For example, you can enable SmartScreen on Windows RT 8.1 or Windows 8.1 but not on anything else, because SmartScreen is unique to Windows. You can allow backup to iCloud on iOS devices and no others, because iCloud is unique to iOS. You can allow a pop-up blocker on Windows RT 8.1, Windows 8.1, and iOS, but not on Android or Windows Phone 8.

To explore Windows Intune as you read along, you need to sign up for and set up a free Windows Intune trial account. With that done, sign in, navigate to the administrator console, and click Policy in the left pane (see Figure 3-14).

FIGURE 3-14 Configure security policies in the administrator console, in Policy.

You can use a predefined template to create your first security policy, but if you opt for a custom policy, you can better see all your options:

1. In the left pane, click Policy. This opens the Policy workspace.

2. Click Add Policy under Tasks.

3. In the Create a New Policy Wizard, leave Mobile Device Security Policy selected, and then click Create And Deploy A Custom Policy.

4. Click Create Policy.

5. From the Overview tab, name the policy, type a description, scroll down, and then carefully read and configure each option as desired (see Figure 3-15).

FIGURE 3-15 Use Windows Intune to create a custom security policy.

6. Click the Security tab, the Cloud tab, and the other tabs to review the options.

7. When you’re ready, click Save Policy.

After you save the policy, you can choose to deploy it. If you do, you can continue working in the console to choose the users and groups to apply the policy to, as well as configure other options.

Exploring access policies

The preceding section focused on creating security policies. Other policies available include those that relate to Windows Firewall Settings. As with the security policy option, the Windows Firewall Settings policy option also includes a template you can use, but if you opt to create a custom policy instead, you can review all the available settings. To see these options, follow the steps in the preceding section to open the Create a New Policy Wizard, and this time choose Windows Firewall Settings. Again, opt for Create And Deploy A Custom Policy. The options you see in Figure 3-16 let you control incoming and outgoing network traffic on devices to which the policy is deployed. The policies are grouped by profile: Domain, Private, and Public.

FIGURE 3-16 Use Windows Intune to create a custom firewall policy.

Some options you can enable or disable for any profile include whether to:

• Block all incoming connections.

• Configure exceptions for things such as BranchCache, Connect to a Network Projector, File and Printer Sharing, and Core Networking.

• Notify users when Windows Firewall blocks a program.

• Allow or deny Remote Assistance, Remote Desktop, and/or Remote Administration.

You can configure these policies and apply them to users and groups to maintain control over what kinds of data can enter or leave your network. As you can see in Figure 3-16, you can enable Remote Administration for any profile, and here, Domain is selected. Below this you might be able to see Remote Assistance and Remote Desktop, which enable you to control what kinds of access your users have to the resources on the enterprise network.

Exploring Remote Wipe

Windows Intune provides tools you can use to perform a remote wipe of a device. Remote Wipe is an important option because mobile devices often hold sensitive data that’s unique to your enterprise, and those devices also offer access to your company’s resources. If a user loses a device or if a device is stolen, that data can be compromised. Thus, knowing how to perform a remote wipe quickly is important. Users can also initiate a remote wipe from the company portal; this might be something you also would want to inform your users about. Finally, you’ll want to wipe a device when you are ready to retire it.

Two types of wipe are available: Full and Selective. The article at http://technet.microsoft.com/en-us/library/jj676679.aspx#bkmk_pass provides lots of information about the differences between a full wipe and a selective wipe, including under what circumstance a wipe can occur. For example, what can be wiped selectively depends on the platform you are working with. Although you can wipe email from Windows 8.1 and Windows RT 8.1 devices that are enrolled as mobile devices, you can’t wipe email from other platforms such as Windows RT, Windows Phone 8 and 8.1, iOS, or Android. You really need to read the aforementioned article on your own to learn the limitations of Remote Wipe.

To initiate a remote wipe as an administrator, follow these steps:

1. Open the Windows Intune administrator console.

2. Click Groups in the left pane.

3. Click All Users, and then click the name of the user who needs a device wiped.

4. Click View Properties.

5. Click the Devices tab.

6. Select the device to wipe.

7. Click Retire/Wipe.

8. Click Yes to confirm.

Supporting mobile access and data synchronization

If your users will do work on their devices (meaning laptops and compatible tablets), you have to provide them some way to sync data between those devices and your network servers. Two types of data access and synchronization to discuss are Work Folders and Sync Center.

You can use Work Folders with Windows RT 8.1 and Windows 8.1 laptops and tablets only. You can use Sync Center for older Windows clients that don’t support Work Folders, such as Windows Vista and Windows 7, or when you don’t want to put a Work Folders infrastructure in place. Sync Center has been around a long time, since Windows XP, and is still available in Windows 8.1.

Both options enable users to keep cached copies of important files on their devices so that they can access the data when they can’t access the network. Group Policy settings are available to configure to manage these relationships.

Implementing mobile device synchronization of Work Folders

A new feature in Windows 8.1, Work Folders allows users to sync data from their user folders, located in their company’s domain or data center, to their devices and back again. This is done automatically and is part of the file system. Before this feature was introduced, users had to be joined to the domain or at least required to input domain credentials before syncing could occur. Now, users can retain local copies of their work files on their devices, with automatic synchronization back to the company file servers occurring behind the scenes.

End users can find the Work Folders option in the Windows 8.1 Control Panel. They can select the Set Up Work Folders option, if you have set it up and configured it on the company network. The Work Folders window appears with Set Up Work Folders available for configuring (see Figure 3-17).

FIGURE 3-17 Users can set up their own Work Folders after the infrastructure is in place.

When users opt to set up Work Folders, they must work through a few setup tasks:

1. They must input a company email address.

2. They must wait while the wizard searches the network for their Work Folders.

3. After the folders are found, the users must accept (or change if applicable and available) where the files will be saved on their computers.

4. The users must read the security policy and then accept those policies.

5. Users can now access the documents under the Work Folders location from any compatible device, and the documents are kept in sync by Work Folders automatically. (Work Folders appears as a folder in File Explorer when This PC is selected in the navigation pane.)


Note: Ensuring Full Functionality of Work Folders

The client and server must be running the same milestone release for Work Folders to function properly. For example, if the server is running a given milestone release of Windows Server 2012 R2, the client must be running the matching milestone release of Windows 8.1 to get full functionality.



More Info: Work Folders

To learn more about Work Folders, refer to this TechNet article: http://technet.microsoft.com/en-us/library/dn265974.aspx.


Designing a Work Folders implementation in a domain involves several steps, including installing Work Folders on a domain-joined file server, creating security groups for Work Folders, and creating sync shares for user data. These steps are detailed in depth at http://technet.microsoft.com/en-us/library/dn528861.aspx, and although this material is beyond the scope of this book, you might want to read it anyway. Group Policy settings are also available for Work Folders that you as an administrator should be aware of, including these two:

• From User Configuration, Policies, Administrative Templates, Windows Components, WorkFolders you can specify Work Folders settings.

• From Computer Configuration, Policies, Administrative Templates, Windows Components, WorkFolders you can force automatic setup of Work Folders for all users.

Supporting mobile device synchronization with Sync Center

Sync Center enables your users to sync files between a compatible device (such as a laptop running Windows 7 Enterprise) and applicable network servers in a domain or workgroup. Sync Center is available in Windows 8.1 as well as earlier operating systems. You use Sync Center when your users need to be able to keep a copy of their data on their own devices so that they can access that data when they aren’t connected to your network.


See Also: Group Policy for Offline Files

In the next section, “Supporting broadband connectivity,” read the subsection “Exploring Group Policy” to learn more about controlling the behavior of offline files.


To get started, you must first create a sync partnership on the client computer. To do this, navigate to a share on a different computer (not on the client) or file server, right-click that share, and click Always Available Offline. Then, on the client computer, open Sync Center (type Sync Center at the Start screen on a Windows 8.1 client). You should see what’s shown in Figure 3-18. Make a note of the options on the left side before moving forward here; you can use these options as soon as syncing is configured to manage syncing tasks. You’ll want to return here and click each option to see what’s offered there. One option, Manage Offline Files, lets you view the Offline Files dialog box, where you can disable offline files, view offline files, check disk usage, encrypt your files, and more.

FIGURE 3-18 Open Sync Center to view and manage sync partnerships.

In Sync Center, as soon as a sync partnership is available, you can opt to sync everything (Figure 3-18 shows Sync All) or you can select the Offline Files folder, click Schedule (not shown), and work through the wizard provided to configure sync settings. Two options are available:

• At a scheduled time: For example, every Monday at 11 A.M. or every day at 2 A.M.

• When an event occurs: For example, every time you log on to your computer

Depending on your choice, you set more scheduling options, such as only syncing when the computer has been idle for a specific amount of time or if the computer is running on external power (and not on its battery). You can also opt to trigger synchronization to coincide with a specific event, such as when the client logs on, when the computer is idle for a specific amount of time, when the client locks Windows, and when the client unlocks Windows.

Note that two types of syncing options are available. A one-way sync is used when only data on the computer is transferred to the device, but nothing from the device is synced back. More common in an enterprise is a two-way sync, in which data can be transferred in both directions.


Note: Forcing a Sync

Users can force a sync from Windows Mobility Center by clicking Sync in the Sync Center box anytime they like.



Note: Sync Conflicts

When multiple versions of a file exist and those versions are synced, a sync conflict occurs. When this happens, the user is prompted regarding what to do. Users might want to keep both versions, or they can choose one over the other.


Supporting broadband connectivity

Some users have mobile devices that let them connect to the Internet when traditional options are unavailable. Traditional options include free and personal Mi-Fi networks, VPNs, workgroup and domain networks, broadband connections from ISPs, and Ethernet connections to networks. When these options are unavailable, users can opt for a built-in or personal cellular or metered broadband connection option, or another person’s shared Internet connection.

Windows 8.1 comes with built-in support for these newer connectivity models. For instance, any Windows 8.1 user can connect to a broadband connection from their personal device (if the device is so enabled) from the Networks pane using familiar connection options. Users can also connect through a shared personal hotspot, assuming they have the required credentials.

Connecting to a shared personal hotspot

Users can connect to shared, metered connections configured as personal hotspots by others through the traditional Networks pane they use to connect to all other networks. They also can use that pane to disconnect. Figure 3-19 shows the Networks pane in which a shared hotspot is available. The user has connected to this network in the usual way, by clicking it and typing the applicable network information and password.

Image

FIGURE 3-19 Users can connect to shared hotspots.

Connecting with a personal broadband connection

Some mobile devices, including those enabled for Long-Term Evolution (LTE), come with mobile broadband technology built in. Users connect in the same manner as always, by locating the network connection in the Networks pane and entering the desired credentials. These connections can also start automatically when no other network is available.

Windows 8.1 enables users to share their personal connections with others. Briefly, users connect to the Internet using the connection available on their own devices, and then opt to share the connection. This is done in PC Settings, Network, Connections and by clicking the connection to share. After the connection is shared, users can also change the service set identifier (SSID)—the password for the Wi-Fi network—and see how many people are sharing the connection. The person sharing the connection has to have purchased a data plan that supports tethering for this to work.


More Info: Windows 8.1 Features for Broadband

Refer to this article for more information about the new features for broadband in Windows 8.1: http://msdn.microsoft.com/en-us/library/windows/hardware/dn247045.aspx.


Managing metered connections

If the user’s connection is metered, you should configure the Networks pane to show the estimated usage so that your users can more easily manage that connection. Marking that connection as metered is also important. You can find these options under PC Settings, Network, Connections. Figure 3-20 shows the options to show the estimated usage and configure the network as metered.

Image

FIGURE 3-20 Configuring a network as metered and showing estimated usage in the Networks pane.

Exploring Group Policy

You should explore Group Policy settings that enable you to better maintain control over what happens when users are connected to a metered network. Specifically, here you look at how offline files are handled when users are on metered networks.

To enable background file synchronization of offline files on metered networks (which isn’t enabled by default), follow these steps:

1. Open Group Policy Management.

2. Right-click the applicable GPO and click Edit. The Group Policy Management Editor appears.

3. Navigate to Computer Configuration, Policies, Administrative Templates, Network, Offline Files.

4. Right-click Enable File Synchronization On Costed Networks, and then click Edit.

5. Click Enabled, and then click OK.

You can enable Always Offline mode so that users can have faster access to cached files and redirected folders. Always Offline also lessens the amount of bandwidth used because users are always working offline, even when they are connected through a high-speed network connection. To enable Always Offline mode, follow these steps:

1. Open Group Policy Management.

2. Right-click the applicable GPO and click Edit. The Group Policy Management Editor appears.

3. Navigate to Computer Configuration, Policies, Administrative Templates, Network, Offline Files.

4. Right-click Configure Slow-Link Mode, and then click Edit.

5. In the Configure Slow-Link Mode window, click Enabled. See Figure 3-21.

Image

FIGURE 3-21 Configuring applicable Group Policy settings.

6. Click Show. The Show Contents window appears.

7. In the Value Name box, specify the file share for which you want to enable Always Offline mode.

8. To enable Always Offline mode on all file shares, type * (asterisk).

9. In the Value box, type Latency=1 to set the latency threshold to one millisecond, and then click OK.
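The same two Offline Files settings can be written to a domain GPO from PowerShell with the GroupPolicy module (RSAT), which writes the registry-based policy values the Group Policy Management Editor writes and lets you read them back before clients refresh. This is an added example, not from the book: the GPO name is a placeholder, and the value names are the ones OfflineFiles.admx uses as far as I know, so confirm them against the ADMX in your own central store.

```powershell
# Added example (not from the book): set the two Offline Files policies from
# the procedures above in a domain GPO, then confirm them on a test client.
# Requires the GroupPolicy module (RSAT) and rights to edit the GPO.
Import-Module GroupPolicy

$gpoName  = 'Mobile Clients'                                  # placeholder GPO name
$netCache = 'HKLM\Software\Policies\Microsoft\Windows\NetCache'

# "Enable file synchronization on costed networks" -> Enabled (steps 1-5 above).
# Value name taken from OfflineFiles.admx; verify against your own ADMX copy.
Set-GPRegistryValue -Name $gpoName -Key $netCache `
    -ValueName 'SyncEnabledForCostedNetwork' -Type DWord -Value 1 | Out-Null

# "Configure slow-link mode" -> Enabled, with "*" = "Latency=1" so every share
# is treated as slow and users always work from the local cache (steps 4-9).
Set-GPRegistryValue -Name $gpoName -Key $netCache `
    -ValueName 'SlowLinkEnabled' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key "$netCache\SlowLinkParams" `
    -ValueName '*' -Type String -Value 'Latency=1' | Out-Null

# Read back what the GPO now carries before any client picks it up.
Get-GPRegistryValue -Name $gpoName -Key $netCache |
    Select-Object ValueName, Type, Value
Get-GPRegistryValue -Name $gpoName -Key "$netCache\SlowLinkParams" |
    Select-Object ValueName, Type, Value

# On a test client, run gpupdate /force and then call this function. An empty
# result means the GPO is not linked to, or not applying to, that machine.
function Test-OfflineFilesPolicy {
    $local = 'HKLM:\Software\Policies\Microsoft\Windows\NetCache'
    if (-not (Test-Path $local)) { return $null }
    $p = Get-ItemProperty -Path $local

    # Each value under SlowLinkParams is one share (or "*") and its threshold.
    $shares = @()
    if (Test-Path "$local\SlowLinkParams") {
        $shares = (Get-ItemProperty "$local\SlowLinkParams").PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "$($_.Name) = $($_.Value)" }
    }

    [PSCustomObject]@{
        SyncOnCostedNetworks = ($p.SyncEnabledForCostedNetwork -eq 1)
        SlowLinkMode         = ($p.SlowLinkEnabled -eq 1)
        SlowLinkShares       = $shares
    }
}

Test-OfflineFilesPolicy
```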


Image Exam Tip

Before taking the exam, you must review all Group Policy settings located in the Computer Configuration, Administrative Templates, Network, Offline Files area so that you are aware of other policies that you can enable (or disable). A few include Enable Transparent Caching, At Logoff, Delete Local Copy Of User’s Offline Files, and Encrypt The Offline Files Cache.


Supporting mobile device management

Windows Intune offers enterprises, small to medium companies, and network administrators complete mobile device management options for their clients who use Windows RT, Windows Phone 8 or 8.1, iOS, and Android devices both on the local network and off. Windows Intune enables you to secure corporate data; manage mobile inventory; offer access to applications you create and access to applications created elsewhere; and wipe data from devices when they are lost, stolen, or ready to be retired or reassigned (as you learned earlier in this chapter). Users can control, manage, and personalize their own devices while you maintain control of device enrollment and enterprise data access and management. Users agree to let you have corporate control when they enroll; you set the policies and security settings as desired, and you have the right to wipe corporate data off their devices if necessary and at any time.

You have a lot to consider when creating a mobile device management infrastructure, but the objective here is to support specifically named mobile devices by using Windows Intune, which means setting up direct management of those devices, provisioning them, and enrolling them.


More Info: Windows Intune Mobile Device Management

Only a few pages can be devoted here to the topic of mobile device management with Windows Intune, but you can find pages upon pages of documentation regarding this topic at http://technet.microsoft.com/en-us/library/jj733654.aspx and http://technet.microsoft.com/en-us/library/dn408185.aspx.


Many steps are required to set up Windows Intune for mobile device management and to enroll devices, as outlined in the following sections.

Meeting the prerequisites

To get started, you must first meet the prerequisites, which include setting up external dependencies for the devices you want to enroll. These dependencies vary for each type of device:

Image For Windows Phone 8 Deploy the applicable company portal app to the phone along with the required security certificates.

Image For iOS Obtain an Apple Push Notification service certificate. This enables Windows Intune to communicate securely with the Apple Push Notification service.

Image For Android Download the Windows Intune Company Portal app from the Google Play Store.

Image For app management of Windows 8, Windows 8.1, or Windows RT Obtain sideloading keys and sign all apps.

Setting up the Windows Intune administrator console

Next, you must choose how to manage your devices: the Windows Intune administrator console (see earlier) or the Configuration Manager console. To use the Windows Intune administrator console, follow these steps:

1. Click the Admin Console.

2. Click Mobile Device Management.

3. Click Set Mobile Device Management Authority.

4. Click Yes to continue the setup process.

Setting up direct management for the devices to support

You can set up direct management for the device types you want to support. The process varies for each device type. To set up direct management for Windows devices, follow these steps:

1. In the Windows Intune administrator console, click the Administration icon.

2. Under Mobile Device Management, click Windows (see Figure 3-22).

Image

FIGURE 3-22 Setting up mobile device management for Windows.

3. Under Step 1: Enrollment Server Address, type the name of the verified domain, and then click Test Auto-Detection.


Note: Sideloaded Apps

Sideloaded apps don’t have to be certified by (or installed from) the Windows Store. However, they can be installed only on devices capable of sideloading, and you must have and add the applicable sideloading product activation keys.


To add sideloading keys, follow these steps:

1. Under Step 2: Add Sideloading Keys, click Add Sideloading Key.

2. Enter a key name, the product activation key, the number of activations, and an optional description.

3. Click OK.

To set up direct management for iOS devices, follow these steps:

1. In the Windows Intune administrator console, click Administration, click Mobile Device Management, and then click iOS.

2. Click Upload An APNs Certificate.

3. Click Browse to locate and then select the Apple Push Notification service (APNs) certificate you obtained in the prerequisite setup process.

Provisioning users for device enrollment

Now you must add the members you want to enroll into the Windows Intune user group. You have two options. If you have Active Directory Domain Services (AD DS) in your environment, you can configure Active Directory synchronization. When you do, local users and security groups are synchronized and can appear in the Windows Intune administrator console. If you don’t have AD DS in your environment, you need to add users manually to the Windows Intune account portal.

To add users manually, follow these steps:

1. Open the Windows Intune account portal from https://account.managem.microsoft.com/admin/default.aspx.

2. In the header, click Admin.

3. In the left pane, under Management, click Users (see Figure 3-23).

Image

FIGURE 3-23 Adding users manually.

4. Click New, and in the drop-down list that appears, click User.

5. Input the user information. Click Next.

6. Click Yes to assign the user an administrator role, if desired. Otherwise, select a role from the available drop-down list.

7. Select the user’s work location, and then click Next.

8. Accept Windows Intune as the user group and click Next.

9. Leave Send Email selected to send an email to yourself and add the recipients of your choice by typing their email addresses. Click Create.

10. Click Finish.

Enrolling the devices

Finally, you must enroll the devices. Users generally do this, but you can do it yourself if you have access to the device.

1. For Windows Phone 8 Open system settings and select company apps. Select Install company app or Hub.

2. For Windows RT Select Start, type System Configuration, and open Company Apps. Enter credentials to authenticate.

3. For Windows RT 8.1 From the Settings Charm, click Change PC Settings. Click Network, Workplace. Enter the user ID, click Turn On, and agree to allow apps and services when prompted. Click Turn On.

4. For iOS 6 or later Get the Windows Intune Company Portal app from the app store. Open the app to work through the enrollment process. Users also can enroll online at m.manage.microsoft.com.

5. For Android 4.0 or later Users download the Windows Intune Company Portal app from the Google Play Store. Open the app to work through the enrollment process.

Monitoring the devices

Now you can monitor the devices. You’ve already explored some of the management options, including wiping data from a device. To access all management options, follow these steps:

1. In the left pane of the Windows Intune administrator console, click Groups.

2. Expand All Mobile Devices, and then click All Direct Managed Devices.

From the General tab you can see the status of various items, including Alert Status, Update Status, Endpoint Protection Status, Policy, Software Status, and Device Health Status. If any problems exist, click the information offered to see what’s wrong and how to resolve it. You also can manage devices individually from the Devices tab, shown in Figure 3-24.

Image

FIGURE 3-24 Managing devices from the Windows Intune administrator console.


Image Thought experiment: Setting up offline files

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.

You want to give your users the option to keep cached copies of important files on their devices so that they can access the data when they can’t access the network. You support many different types of clients. You do have an AD DS domain and have set up the required infrastructure for setting up this option for users.

1. What offline files option would you choose for your Windows 8.1 laptop and tablet users so that they can sync data from their user folders, located in their company’s domain or datacenter, to their devices and back again, automatically?

2. Where would those Windows 8.1 users go to set up this option?

3. What offline files option would you use for your Windows 7 clients?

4. What are some of the available options regarding when to sync those Windows 7 clients beyond syncing when the client logs on?

5. Which is the most common scenario for syncing data in an enterprise: one-way or two-way?


Objective summary

Image Windows Intune is a popular mobile device management solution. Windows Intune (with or without Configuration Manager) lets you deploy mobile devices, create security policies, upload and publish software packages, remotely wipe devices, and manage inventory without any type of onsite infrastructure.

Image You can configure security policies from scratch or by using a template to create rules for password history, password expiration, and so on. You create access policies in the same way to create rules unique to accessing data over a specific network type: Domain, Private, or Public.

Image Work Folders and Sync Center enable users to keep cached copies of important files on their devices so that they can access the data when they can’t access the network. Group Policy settings are available to configure to manage these relationships.

Image Windows 8.1 users can connect to a broadband connection from their personal devices from the Networks pane using familiar connection options. Users can also connect through a shared personal hotspot, assuming they have the required credentials.

Image To manage mobile devices, you can set up Windows Intune, provision and enroll the devices, and then learn where and how to manage them for the long term.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. Which of the following Windows Intune security policies are available to apply to all your mobile clients (Windows 8.1, Windows RT 8.1, Windows Phone 8, iOS, Android 4.0 and later)? (Choose all that apply.)

A. Password expiration

B. Allow a pop-up blocker

C. Password history

D. Maximum password length

2. From the Windows Intune administrator console, where do you perform a remote wipe of a device?

A. In the Software pane, from the Manage Deployment option

B. In the Groups pane, from All Users, and from the user’s Properties page

C. In the Administrator pane, from Mobile Device Management, from the applicable device type section

D. In the Policy pane, from All Polices

3. Some of your users access your network and the data on it from metered cellular or broadband connections. You want to reduce how much bandwidth they use and offer faster access to cached files. Which of the following Group Policy settings should you enable and how should you configure them? Choose two.

A. Enable file synchronization on costed networks.

B. In the Value box, type Latency=0 to set the latency threshold to one millisecond.

C. In the Value box, type Latency=1 to set the latency threshold to one millisecond.

D. Configure slow-link mode.

4. How and where do you, as an administrator, provision mobile users for device enrollment if you don’t have AD DS in your environment?

A. In the Windows Intune administrator console, from the Administrator pane in Mobile Device Management

B. In the Windows Intune administrator console, from the Groups pane, in All Mobile Devices

C. In the Windows Intune account portal, under Admin, from the Users tab

D. In the Windows Intune account portal, under Admin Console, from the Users tab

E. In the Windows Intune Company Portal

Objective 3.3: Support client compliance

You can use several strategies to keep your client computers healthy. You could simply list all the things your clients need to do to keep their machines safe (scan with Windows Defender, install Windows updates, and so forth) and tell them to do those things, but chances are this wouldn’t work for the long term. Another option is to manage the security of these machines yourself by using tools such as Windows Intune, Group Policy, and Microsoft System Center 2012 Endpoint Protection. This objective discusses these things and more, including Internet Explorer 11 security and new and improved Group Policy features.


This objective covers how to:

Image Manage updates by using Windows Update and Windows Intune, including non-Microsoft updates

Image Manage client security by using Windows Defender, Windows Intune Endpoint Protection, or Microsoft System Center 2012 Endpoint Protection

Image Manage Internet Explorer 11 security

Image Support Group Policy application, including Resultant Set of Policy (RSoP), policy processing, and Group Policy caching


Managing updates by using Windows Update and Windows Intune

Microsoft has provided Windows updates as part of its ongoing attempt to keep its operating systems safe and secure week after week, year after year, for decades. These updates often offer new features or functionality, but for the most part they are pushed out to fix security issues, address new security threats, and provide new device drivers. This is a necessary part of any company’s maintenance plan, because someone always will try to hack into systems, unleash viruses, hide malware, and so on. You need to be protected. Thus, you have to install these updates, and creating a policy for doing so is the best way to go.

In small organizations that don’t use an Active Directory infrastructure but instead are small peer-to-peer networks, most client computers are simply configured to install updates automatically. Often, such companies have no policy and no one to oversee the process. In larger organizations, even those configured as workgroups (and not Active Directory domains), administrators often prefer to set policies for updates via Local Group Policy. Companies with Active Directory domains commonly have isolated labs where updates are tested before they are rolled out, and sometimes even have specialized servers that cache those updates first, to lessen the required bandwidth if each client gets their updates directly from Microsoft. With this approach, updates also can be tested before releasing them to clients. Of course, administrators can use Group Policy settings for Windows updates to manage them as well.

If you prefer not having to manage the updates in any of these ways, or none of these fit your infrastructure properly (perhaps because of specific mobile clients and network type), you can use Windows Intune instead. The Windows Intune administrator console includes an Updates tab (to access the Updates workspace) that enables you to fully manage the process. Updates can be Microsoft or non-Microsoft updates, and you can view pending updates, approve or decline updates, configure automatic approval settings, and set a deadline for update installation by configuring an automatic approval rule.


Image Exam Tip

You might see questions that ask you to propose a solution for configuring approval and automatic updates, given a specific scenario. If that scenario includes Windows RT devices, remember that Windows RT can’t join a domain, so any domain-based solution won’t work. In these cases, consider Windows Intune as an answer if given.


Using Windows Update

Windows Update is the client side of the equation. For stand-alone computers and computers in small workgroups, Windows Update might be ideal, assuming that you configure the settings appropriately. The settings you need to access are available in the Windows Update window, from Control Panel, System And Security, Windows Update. You’ll find the options Check For Updates, Change Settings, View Update History, Restore Hidden Updates, Installed Updates, and Add Features To Windows 8.1. You’ll also see any available scheduled updates to install, optional updates, and information about when you receive any updates. Figure 3-25 shows this window.

Image

FIGURE 3-25 Clients can manage their own updates from Windows Update in Control Panel.


Note: Using Windows Update

You can use PC Settings, Update And Recovery to quickly see whether a client machine is configured to receive updates. You can also view the update history and choose how updates are installed. However, most network administrators still prefer the Windows Update window, available from Control Panel, because all options are available there, not just the ones that end users would likely access.


To configure update settings from Control Panel, follow these steps:

1. Click System And Security, and then click Windows Update.

2. From the Windows Update window shown in Figure 3-25, click Change Settings.

3. Make your preferred choices, using the options available in the drop-down list under Important Updates:

Image Install Update Automatically (Recommended)

Image Download Updates But Let Me Choose Whether To Install Them

Image Check For Updates But Let Me Choose Whether To Download Or Install Them

Image Never Check For Updates (Not Recommended)

4. Click the scheduling option shown. The default entry is Updates Will Be Automatically Installed During The Maintenance Window.

5. If desired, use the drop-down list next to Run Maintenance Tasks Daily At to choose a different time. The default is 3 a.m.

6. If desired, select Allow Scheduled Maintenance To Wake Up My Computer At The Scheduled Time.

7. Click OK twice.


Note: Managing Updates

Image When a new device is connected to a computer, Windows 8.1 searches for a driver on the computer, and if it doesn’t find one, it looks to Windows Update.

Image Standard users can install drivers that have been downloaded from Windows Update without a User Access Control (UAC) prompt.

Image Optional updates might be available in the Windows Update window that weren’t installed automatically, so occasionally check to see whether any are available.


When you need more control over how Windows updates are applied to client machines, you can enable local and domain Group Policy settings. You’ll find the settings in the applicable Group Policy Editor from Computer Configuration, Policies, Administrative Templates, Windows Components, Windows Update. Be sure to review these before continuing here. Remember, too, that when you enable a specific Group Policy setting, you are configuring the policy to do exactly what it says it will do. So if the policy setting starts with the words “Do not display...”, when you enable the setting, whatever it is will not be displayed. A policy starting with the words “Turn on...” means that when you enable that policy, the thing is turned on. Alternatively, and unless otherwise stated, when you disable a policy, the result is the same as not configuring it at all.
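Because these policies are delivered to the client as registry values, you can audit what a given machine actually received and map it back to the four Important Updates choices from the Control Panel procedure above. The following script is an added example, not from the book; it reads only the policy values themselves (no cmdlets from the Windows Update client), and its notion of "compliant" (automatic download enforced, options 3 or 4) is my own assumption.

```powershell
# Added example (not from the book): report the Windows Update policy values
# present on the local client. These are the registry values written by the
# Computer Configuration > Administrative Templates > Windows Components >
# Windows Update policies; absence of a value means "Not Configured".

function Get-PolicyValue([string]$Key, [string]$Name) {
    # Returns $null when the key or value is absent, so callers can tell
    # Not Configured apart from an explicit 0.
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-WindowsUpdatePolicyReport {
    $auKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $wuKey = 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate'

    # AUOptions values of "Configure Automatic Updates", in the Control Panel
    # wording from the procedure earlier in this section.
    $auOptionText = @{
        2 = 'Check for updates but let me choose whether to download or install them'
        3 = 'Download updates but let me choose whether to install them'
        4 = 'Install updates automatically (recommended)'
        5 = 'Allow the local administrator to choose the setting'
    }

    $noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'
    $auOptions    = Get-PolicyValue $auKey 'AUOptions'

    if ($null -eq $noAutoUpdate -and $null -eq $auOptions) {
        $configureAU = 'Not Configured (the Control Panel choice applies)'
    } elseif ($noAutoUpdate -eq 1) {
        # Setting the policy to Disabled writes NoAutoUpdate=1, which is the
        # policy equivalent of "Never check for updates".
        $configureAU = 'Disabled -> Never check for updates (not recommended)'
    } elseif ($auOptionText.ContainsKey([int]$auOptions)) {
        $configureAU = "Enabled -> $($auOptionText[[int]$auOptions])"
    } else {
        $configureAU = "Enabled with unexpected AUOptions value $auOptions"
    }

    # Day and hour matter only for option 4 (scheduled install):
    # 0 = every day, 1..7 = Sunday..Saturday; hour is 0..23.
    $schedule = 'n/a'
    if ($auOptions -eq 4) {
        $day  = Get-PolicyValue $auKey 'ScheduledInstallDay'
        $hour = Get-PolicyValue $auKey 'ScheduledInstallTime'
        $dayText = if (-not $day) { 'Every day' } else { [System.DayOfWeek]($day - 1) }
        $schedule = '{0} at {1:00}:00' -f $dayText, [int]$hour
    }

    # A policy whose name reads as a negative: Enabled (1) means exactly what
    # the name says, the restart is suppressed while users are logged on.
    $noReboot = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
    if ($null -eq $noReboot) { $noRebootText = 'Not Configured' }
    elseif ($noReboot -eq 1) { $noRebootText = 'Enabled (no forced restart)' }
    else { $noRebootText = 'Disabled' }

    # Intranet update server (WSUS), the caching server described above.
    $useWsus = Get-PolicyValue $auKey 'UseWUServer'
    $wsus    = Get-PolicyValue $wuKey 'WUServer'
    if ($useWsus -eq 1 -and $wsus) { $wsusText = $wsus }
    else { $wsusText = 'Not used (updates come from Microsoft)' }

    [PSCustomObject]@{
        ComputerName                 = $env:COMPUTERNAME
        ConfigureAutomaticUpdates    = $configureAU
        ScheduledInstall             = $schedule
        NoAutoRestartWithUsersLogged = $noRebootText
        IntranetUpdateServer         = $wsusText
        # Assumption: compliant means policy enforces automatic download.
        Compliant                    = ($noAutoUpdate -ne 1 -and $auOptions -in 3, 4)
    }
}

Get-WindowsUpdatePolicyReport | Format-List
```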

Applying updates with Windows Intune

Applying updates with Windows Intune is only one part of the much larger concept of managing device security. Part of managing security is to manage the updates. Managing updates with Windows Intune includes:

Image Selecting the product categories to include. This includes many Microsoft products by default (Office, Windows, Windows elements such as language packs and dictionary updates, Windows Live, and Works), but you can select more (Active Directory, Bing, Exchange, and so on).

Image Creating Automatic Update Approval rules. This enables you to automatically approve desired updates.

Image Approving or declining specific updates.

Image Creating a non-Microsoft Update Software Package for distributing non-Microsoft updates.

You’ll go through these tasks next, but you can learn more about Windows Intune and the larger security management tasks at http://technet.microsoft.com/en-us/library/jj676558.aspx.

To select product categories for updates you’d like to receive, follow these steps:

1. Open the Windows Intune administrator console.

2. Click Administration in the left pane to open the Administrator workspace.

3. Click Updates (see Figure 3-26).

Image

FIGURE 3-26 Use the Windows Intune administrator console to select product categories for updates you’d like to receive.

4. In the Product Category area, select the specific products or categories that represent the items you want to manage.

5. In the Update Classification area, select the classifications to include.

6. Click Save.

To create an Automatic Update Approval rule and run the rule now, follow these steps:

1. Open the Windows Intune administrator console.

2. Click Administration in the left pane and then click Updates.

3. Scroll down to the Automatic Approval Rules area, and then click New.

4. Type the name of the new automatic approval rule (and optionally a description), and then click Next.

5. Specify the products for which you want to have updates approved automatically by selecting the check boxes, and then click Next.

6. Specify the update classifications that you want to have approved automatically, and then click Next.

7. Click the desired groups or devices to apply the rule to and click Add.

8. If desired, select the Enforce An Installation Deadline For These Updates check box, and then select an installation deadline interval after the rule is approved.

9. Click Next and then click Finish.

10. Note the new rule in the Automatic Approval Rules area, as shown in Figure 3-27. Also note the option to edit the rule or to run it now.

Image

FIGURE 3-27 New rules appear in the Automatic Approval Rules section.

To approve an update, follow these steps:

1. Open the Windows Intune administrator console.

2. In the left pane, click Updates.

3. On the Updates Overview page, in the Update Status area, click New Updates To Approve. (You won’t see this unless new updates are available.)

4. Select an update and click Approve on the taskbar. (You can Ctrl+click to select multiple updates.)

5. Click the desired groups or devices to apply the rule to and click Add.

6. For each group on the approval list, choose either Required Install, Do Not Install, or Uninstall.

7. From the Deadline list, select one of the following:

Image None No deadline is enforced, and users can decline the update.

Image As Soon As Possible

Image Custom Specify the date and time when approved updates are installed.

8. Click Finish.

To decline an update, follow these steps:

1. Open the Windows Intune administrator console.

2. Click Updates.

3. On the Updates Overview page, in the Update Status area, click New Updates To Approve. (You won’t see this unless new updates are available.)

4. Select an update to decline and click Decline in the taskbar.

5. Click Decline again to verify.

6. In the Decline dialog box, click Decline to decline this update, or click Cancel.

To create and upload a non-Microsoft Update Software Package for distributing updates, follow these steps:

1. Open the Windows Intune administrator console.

2. Click the Updates tab.

3. In the Uploads Overview pane, click Upload. (The first time you do this, you have to install the required software.)

4. Sign in if prompted, and click Next to start the wizard.

5. Click Browse to locate the setup files required to install the update package. This can be a Windows Installer (.msi) file, Windows Installer patch (.msp) file, or .exe program file.

6. If additional files or folders are required to successfully install the update, select the Include Additional Files And Subfolders From The Same Folder check box.

7. Click Next.

8. Type a name for the publisher and make other changes to the prepopulated areas as desired. Click Next.

9. Select the desired architecture (Any, 32-bit, or 64-bit) and operating system for the target computers. Click Next.

10. The Detection Rules page lets you specify how Windows Intune determines whether the update already exists on targeted client computers. Specify a way to detect whether the update is installed. You can choose to use the default detection rules, or create your own rule as shown in Figure 3-28. You can add multiple rules. If you create your own rule, select it, click Add, and work through the rest of the creation process.

Image

FIGURE 3-28 Choose how to detect whether the update is already installed.

11. Click Next.

12. If applicable, specify the software on which the update depends and click Next. Otherwise, click None and then click Next.

13. If applicable, specify any command-line arguments. Otherwise, click No and click Next.

14. Specify whether you want return codes interpreted (these are considered failures).

15. Review the summary and click Upload.

16. The Upload page displays the status of the update as it uploads to Windows Intune.

17. After the upload successfully completes, click Close.

Managing client security

You need to protect your computer and the ones you are responsible for from viruses, spyware, and malware in general. You need real-time protection that’s available 24/7. You have many choices for this, but this section focuses on three of them: Windows Defender, Windows Intune Endpoint Protection, and Microsoft System Center 2012 Endpoint Protection.

Exploring Windows Defender

Windows 8.1 provides malware protection through Windows Defender. For the most part, Windows Defender is an end-user solution, although you can rely on it for protecting stand-alone computers in homes and in business workgroups. If you see an exam question about Windows Defender, it will likely ask on which tab you find a particular feature. With that said, you should open Windows Defender and explore those tabs thoroughly.

Although this book could dedicate several pages to Windows Defender alone, I believe that you can review this information on your own and the pages can be used to talk about other technologies you might not yet be familiar with. However, the following sections briefly discuss what you’ll find on each Windows Defender tab.


Note: Windows Defender

The Windows Defender window looks just like the Windows Intune Endpoint Protection window, detailed next. The same tabs and features are available.


Using the Home Tab

On the Home tab you can see the status of your real-time protection, including whether it’s turned on and whether the virus and spyware definitions are up to date. It also shows when the last scan was run. You can also run a manual scan for malware (Quick, Full, or Custom) if you believe the computer was put at risk since the last scan. This is also where you can access the option to change the scan schedule, which simply takes you to the Settings tab.

Using the Update Tab

Windows Defender updates virus and spyware definitions automatically, and you can review information regarding this update from here. You can see the date on which the last definitions were created, when the definitions were last updated, the virus definition version, and the spyware definition version. You can also click Update here to update the definitions manually.

Using the History Tab

Here you can review past problems that were detected. Quarantined Items lists items that were prevented from running but not removed from your PC. Allowed Items lists items you were warned about but opted to run anyway. Finally, All Detected Items lists everything that was detected. With administrative privileges you can also remove or restore items listed here.

Using the Settings Tab

The Settings tab offers many options for configuring how Windows Defender should run (see Figure 3-29). Here are a few of the things you can do here:

Image Run a scheduled scan or change when scans run.

Image Choose what happens when a potential threat is found.

Image Configure real-time protection.

Image Set excluded files, locations, processes, and file types.

Image Configure advanced settings, such as when to remove quarantined files; whether to scan removable drives; whether to create a system restore point before removing, running, or quarantining detected items; and so on.

Image Join MAPS, the Microsoft Active Protection Service. This automatically reports malware and other unwanted software to Microsoft so that the company can improve its services.

FIGURE 3-29 Windows Defender lets you configure various settings.
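The following is an added example, not code from the book, that works with the same state the four Windows Defender tabs expose, through the Defender PowerShell module that ships with Windows 8.1: it audits what the Home, Update, and History tabs display and applies a Settings-tab baseline. The age thresholds, the scan time, and the exclusion entries are assumptions chosen for illustration.

```powershell
# Added example (not from the book). Requires the Defender module (Windows 8.1) and an elevated prompt.
Import-Module Defender

function Test-DefenderStatus {
    param(
        [int]$MaxSignatureAgeDays = 3,   # assumed threshold: definitions older than this are a finding
        [int]$MaxQuickScanAgeDays = 1    # assumed threshold: a quick scan older than this is a finding
    )
    $status   = Get-MpComputerStatus
    $findings = @()

    # Home tab: real-time protection and the antivirus engine must be on
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }

    # Update tab: virus and spyware definitions must be recent (the *Age properties are in days)
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Virus definitions $($status.AntivirusSignatureVersion) are $($status.AntivirusSignatureAge) days old"
    }
    if ($status.AntispywareSignatureAge -gt $MaxSignatureAgeDays) {
        $findings += "Spyware definitions $($status.AntispywareSignatureVersion) are $($status.AntispywareSignatureAge) days old"
    }

    # Home tab: the last quick scan must be recent
    if ($status.QuickScanAge -gt $MaxQuickScanAgeDays) {
        $findings += "Last quick scan ended $($status.QuickScanEndTime), $($status.QuickScanAge) days ago"
    }

    # History tab: detections where Defender's action (quarantine or remove) did not succeed
    $detections = Get-MpThreatDetection -ErrorAction SilentlyContinue
    foreach ($d in ($detections | Where-Object { -not $_.ActionSuccess })) {
        $findings += "Unremediated detection, threat ID $($d.ThreatID), first seen $($d.InitialDetectionTime)"
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

function Set-DefenderBaseline {
    # Settings tab equivalents. The values are an assumed baseline, not Microsoft's defaults.
    Set-MpPreference -DisableRealtimeMonitoring $false
    # Scheduled scan: a daily quick scan at 02:00, when users are not at the computer
    Set-MpPreference -ScanParameters QuickScan -ScanScheduleDay Everyday -ScanScheduleTime '02:00:00'
    Set-MpPreference -CheckForSignaturesBeforeRunningScan $true
    # Advanced settings: scan removable drives, purge quarantined items after 30 days
    Set-MpPreference -DisableRemovableDriveScanning $false -QuarantinePurgeItemsAfterDelay 30
    # MAPS membership (Disabled, Basic, or Advanced reporting)
    Set-MpPreference -MAPSReporting Advanced
    # Exclusions: every exclusion is a gap in coverage, so add only what is needed.
    # 'C:\ProgramData\ExampleApp\Cache' and 'ExampleBackup.exe' are placeholders.
    Add-MpPreference -ExclusionPath 'C:\ProgramData\ExampleApp\Cache' -ExclusionProcess 'ExampleBackup.exe'
}

function Repair-DefenderStatus {
    # The two findings that are safe to fix automatically: update definitions (Update tab)
    # and run a quick scan (Home tab); then re-audit and return the new result.
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
    Test-DefenderStatus
}

# Usage: audit first; if the computer is not compliant, apply the baseline, update, and rescan
$audit = Test-DefenderStatus
$audit | Format-List
if (-not $audit.Compliant) {
    Set-DefenderBaseline
    Repair-DefenderStatus | Format-List
}
```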

Exploring Windows Intune Endpoint Protection

Windows Intune Endpoint Protection is another way to incorporate real-time protection for your clients. It does the same thing Windows Defender does—updates virus definitions, scans for malware, and so on—but you, not Windows or your employees, are in charge of how it’s used. As with other Windows Intune tasks, you use the Windows Intune administrator console—specifically, the Endpoint Protection workspace—to perform tasks. As you can see in Figure 3-30, Endpoint Protection has two tabs: Overview (shown) and All Malware.

FIGURE 3-30 Windows Intune offers an Endpoint Protection workspace.

In this workspace you can see the status of your computers quickly, and if problems exist you can take control of the situation immediately. You can also configure notifications to be sent via email to yourself or others when problems are detected.

You can perform a multitude of tasks with Windows Intune regarding endpoint protection, and I’m not sure which of them you’ll be tested on. The following list includes most of these tasks, and you can review how to perform them at http://technet.microsoft.com/en-us/library/jj676558.aspx.

Image Create a Windows Intune policy (such as a firewall policy).

Image Configure Windows Intune updates.

Image Monitor computers, report issues, and configure alerts when issues arise.

Image Run remote tasks such as forcing an Endpoint Protection update, running a scan, remotely wiping a computer, restarting a computer, and refreshing policies.

Image Troubleshoot device security.

You should understand how to do two things regarding Windows Intune: how to run a remote scan of a computer and how to schedule a scan by creating a new policy.


Note: Running and Scheduling Scans

A quick scan checks the locations on the hard disk, the processes in memory, and the registry files where malware generally appears. A full system scan checks all files on the hard disk and all currently running programs. Quick scans are less taxing on the computer than full scans, and full scans can cause the computer to run slowly. The best time to schedule these scans is when the user isn’t at the computer.


To run an on-demand remote scan, follow these steps:

1. Open the Windows Intune administrator console.

2. Click Groups, and then do one of the following:

Image Click Overview. In the Search pane type the name of the computer to scan.

Image Click Expand All Devices, click the group name, and then click the Devices tab. Select the computer or Ctrl+click to select multiple computers.

3. On the Remote Tasks list on the taskbar, click one of the following:

Image Run A Full Malware Scan

Image Run A Quick Malware Scan

4. Review the summary message, and then click Close.

5. To view the task status, click the Remote Tasks link in the lower-right corner of the Windows Intune administrator console. If necessary, take any required action to complete the scan process.

To schedule a scan by using a policy, follow these steps:

1. Open the Windows Intune administrator console.

2. Click Policy.

3. Click Add Policy under Tasks.

4. In the Create A New Policy dialog box, shown in Figure 3-31, do the following:

A. Under Template Name, click Windows Intune Agent Settings.

B. Under How Would You Like To Use The Selected Template, do one of the following:

Image Select Create And Deploy A Policy With The Recommended Settings, click Create Policy, and then skip to step 11.

Image Select Create And Deploy A Custom Policy and continue here.

C. Click Create Policy.

FIGURE 3-31 Creating a policy to schedule a scan.

5. Type a name and description for your new policy.

6. Scroll down to the Scan Schedule area, and then do the following:

A. Specify whether to schedule a daily quick scan and when the scan is to run.

B. Specify whether to schedule a full scan and when the scan is to run.

C. Configure additional options as necessary.

7. Scroll down and configure settings for the Excluded Files And Folders, Excluded Processes, and Excluded File Types, as needed.

8. Click Save Policy.

9. Click Yes to deploy the policy immediately, or No to deploy the policy later.

10. If you clicked Yes in step 9, select the device groups to which you want to deploy this policy and then click Add.

11. Click OK.

As soon as you configure Windows Intune to run on a client computer, Windows Defender is no longer available. If you want to see how Windows Intune Endpoint Protection is configured on a client, type Endpoint Protection on the Start screen and then click it in the results. Figure 3-32 shows the window available on the client, which provides limited management of the client at the computer itself. The tabs here are the same as those in Windows Defender, so if you didn’t read that information earlier, do so now.

FIGURE 3-32 The Windows Intune Endpoint Protection window on a client looks similar to Windows Defender.

Understanding Microsoft System Center 2012 Endpoint Protection

You can extend your device management capabilities by integrating System Center 2012 SP1 or System Center 2012 R2 Configuration Manager into your existing infrastructure. When you add the Windows Intune connector site system role, available through the Configuration Manager console, you can manage onsite Windows PCs, Macs, and UNIX/Linux servers, as well as mobile devices that run Windows, Windows Phone, Apple iOS, and Android. (An excellent article at http://technet.microsoft.com/en-us/library/jj884158.aspx details how to manage mobile devices using these technologies.) This enables you to manage your infrastructure more completely through a single, unified administrator console. This is important for big companies that need the flexibility of both System Center and Windows Intune. You can also incorporate these Endpoint Protection tools and features:

Image Deploy and configure the Endpoint Protection client from a single, central location.

Image Configure your own antimalware policies and apply them to computer groups.

Image Create and deploy your own Windows Firewall settings to computer groups.

Image Automatically download the latest antimalware definition files to keep client computers up to date.

Image Incorporate the Endpoint Protection Manager Security role to allow others to manage the antimalware policies and Windows Firewall settings.

Image Configure Endpoint Protection so that you and others will get email notifications when computers you manage report that malware has been detected.

Image View detailed information from the Configuration Manager console.


More Info: Endpoint Protection with Microsoft System Center 2012

You can find more information about Endpoint Protection at http://technet.microsoft.com/en-us/library/hh508836.aspx and http://technet.microsoft.com/en-us/library/gg682041.aspx.


Setting up System Center 2012 so that you can install a client and then enroll, manage, and protect devices (at least where mobile clients are concerned) involves several steps. The required steps follow, but you also need to consider other optional steps. For more information on each of these steps, refer to the TechNet article at http://technet.microsoft.com/en-us/library/gg712327.aspx.

The required steps are as follows:

1. Deploy a web server certificate to site system servers.

2. Deploy a client authentication certificate to site system servers.

3. Create and issue a certificate template for mobile device enrollment.

4. Configure the management point and distribution point.

5. Configure the enrollment proxy point and the enrollment point.

6. Configure client settings for mobile device enrollment.

7. Enroll mobile devices.

To enroll devices, you deploy the System Center 2012 Endpoint Protection (SCEP) client, available with System Center 2012, to the devices you want to manage. Enrolling a device installs the Configuration Manager client on the device, requests and installs the required certificate, and then points the client to the enrollment site. You can opt to provide the client with the applicable link in an email, among other options.

You can deploy the client in several ways:

Image Push the software to the client.

Image Use the Configuration Manager software update feature.

Image Use Group Policy.

Image Use logon scripts.

Image Manually install the client.

Image Automatically upgrade the client.

Image Use client imaging.

After a client device is set up, the client interface looks like Windows Defender or Windows Intune Endpoint Protection and contains the same tabs: Home, Update, History, and Settings. Also, the interface you’ll use is similar to the Windows Intune interface you’re already familiar with, but with many more features. This interface includes the Configuration Manager, where you can create policies, monitor devices, remediate problems, and force compliance, among other things.

Managing Internet Explorer 11 security

Just as you have to lock down and manage devices, the data users can access, and how they can connect, you must also keep Internet Explorer 11 safe. Internet Explorer 11 offers various security and privacy options that you can explore and apply. To start, click the Tools button and click Internet Options. Two tabs deal with security: Security and Privacy. These two tabs offer options related to security settings for the four zones (Internet, Local Intranet, Trusted Sites, and Restricted Sites) and how you want to protect your privacy (such as never allowing websites to request your physical location, using the Pop-Up Blocker, and so on).

The other tabs also offer a few security and privacy options. For example, the General tab offers the ability to delete your browsing history each time you exit Internet Explorer 11. The Content tab lets you manage AutoComplete settings and how you’d like to use certificates for encrypted connections and identifications. You should explore each of these tabs to see what’s available and to ensure that you know how to make changes when needed. Understand that the changes you make here also affect the Internet Explorer app on the Start screen. You might use these options for managing stand-alone computers and those in small workgroups; however, for the most part, you’ll control Internet Explorer through Group Policy.

You need to be familiar with many Internet Explorer 11 Group Policy settings. Make sure that you understand what happens when you enable, disable, or don’t configure various policies. Figure 3-33 shows some of the options available in Group Policy to configure in the Local Group Policy Editor. Note all the options under Internet Explorer, including but not limited to Corporate Settings, Delete Browsing History, Privacy, and what’s shown in Figure 3-33, Security Features with Restricted Protocols Per Security Zone. You can double-click any entry in the right pane to enter restricted protocols for a specific zone to further secure Internet Explorer for any group of users.

FIGURE 3-33 There are several Group Policy settings for Internet Explorer.

You can explore other areas of Group Policy beyond the Security Features options. For example, if you click Internet Explorer in the left pane, in the right you’ll see options that include Security Zones: Do Not Allow Users To Change Policies and Disable Automatic Install Of Internet Explorer items.


Image Exam Tip

No one knows how heavily you’ll be tested on the Group Policy settings for Internet Explorer 11, so you should go through them all at least one time. In doing so, you can see what features are available in Internet Explorer to both users and administrators. This can help you become more proficient with Internet Explorer 11.


You should also familiarize yourself with the newly added entries to Group Policy for Internet Explorer. Some of these directly relate to security and privacy settings. This list contains what’s new for Internet Explorer 11:

Image Turn off loading websites and content in the background to optimize performance When this setting is enabled, Internet Explorer preemptively loads websites and content in the background. This helps speed up performance.

Image Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar If this setting is enabled, Internet Explorer provides enhanced suggestions when the user types something to search for in the Address bar.

Image Turn off phone number detection This policy setting determines whether phone numbers are recognized and turned into hyperlinks. When enabled, this setting can be used to summon the default phone application that is installed on the device.

Image Allow Internet Explorer to use the SPDY/3 network protocol Enable this setting to have Internet Explorer use the SPDY/3 network protocol. SPDY/3 works with HTTP requests to improve how fast network requests are returned by using compression, multiplexing, and prioritization.

Image Don’t run antimalware programs against ActiveX controls (Internet, Restricted Zones) Use this policy setting to determine whether Internet Explorer will run antimalware programs against ActiveX controls to check to see whether those ActiveX controls are safe to run on any particular webpage in the specified zone.

Image Don’t run antimalware programs against ActiveX controls (Intranet, Trusted, Local Machine Zones) Use this policy setting to determine whether Internet Explorer will run antimalware programs against ActiveX controls to check to see whether those ActiveX controls are safe to run on any particular webpage in the specified zone.

Image Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows Enable this option to run all Content Processes at 64 bits (while in Protected Mode). When not enabled, Content Processes will run at 32 bits for compatibility with 32-bit ActiveX controls, toolbars, and so on.

Image Turn off sending UTF-8 query strings for URLs Use this setting to determine whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in URLs before those strings are sent to servers or proxy servers.

Image Turn off sending URL path as UTF-8 Use this setting to determine whether to let Internet Explorer send the path part of a URL using the 8-bit Unicode Transformation Format (UTF-8) standard. This standard defines characters so they can be read in any language. You can also exchange Internet addresses (URLs) with characters available in any language.

Image Turn off the flip ahead with page prediction feature This policy setting determines whether a user can swipe across a screen or click Forward to go to a website’s next preloaded page. This feature is available only in the Internet Explorer app.

Image Prevent deleting ActiveX Filtering, Tracking Protection and Do Not Track data

Image In Internet Explorer 9 and 10 If enabled, this setting prevents users from deleting ActiveX Filtering and Tracking Protection data. Users can also enable the Personalized Tracking Protection List, which blocks third-party items during any Internet Explorer session.

Image With Internet Explorer 11 If enabled, this setting prevents users from deleting ActiveX Filtering, Tracking Protection data, and Do Not Track exceptions that are stored for any website they’ve visited.

Image Always send Do Not Track header This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header.


Image Exam Tip

You might be asked about InPrivate Browsing on the exam. InPrivate Browsing prevents Internet Explorer from collecting any data during the session including cookies, tracking, browsing history, passwords, and user names. Like other features, you can control InPrivate Browsing behavior through Group Policy.


Another desktop area of Internet Explorer 11 to explore is the Manage Add-ons dialog box, shown in Figure 3-34.

FIGURE 3-34 The Manage Add-ons dialog box lets you enable and disable features that the user has added.

From this dialog box, you can view information about the following and see how they are configured on the local computer:

Image Toolbars And Extensions You can see what toolbars have been added to Internet Explorer 11 and disable them, if desired. These are sometimes from Microsoft Corporation and sometimes from third parties. This is where some malware appears, too. Click any entry to see options to enable or disable it.

Image Search Providers You can see what search providers are in use on the local computer. You’ll see Bing, but you might also see additional providers such as eBay, Ask.com, Amazon Search Suggestions, and so on. You can select any item in the list and remove it, set it as the default, or disable suggestions from it. You can also change the order of the list. Select and then right-click any entry to see additional options that don’t appear in the dialog box itself.

Image Accelerators You can view what accelerators are configured for the local machine. You’ll probably see Map with Bing, Translate with Bing, and perhaps others. These help users perform tasks in a single click (such as getting directions to a place with Bing Maps). Click any entry to remove, disable, or set it as the default.

Image Tracking Protection You can get a Tracking Protection List online and use it to help enhance your privacy by preventing websites from automatically sending data they collect about your visit to other websites and content providers. Those providers use the information to tailor advertisements based on what you do online. You have to click Your Personalized List and then click Enable to get started. When you select a list, you can configure settings for it, such as blocking all content or choosing the content to block or allow.
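Because toolbars and Browser Helper Objects are where unwanted add-ons tend to appear, an administrator usually wants the same inventory the Manage Add-ons dialog box shows, but scriptable across many computers. The following is an added example, not code from the book: it reads the registry locations where Internet Explorer add-ons register, resolves each CLSID to its DLL, and flags add-ons whose DLL is unsigned, missing, or carries an invalid Authenticode signature.

```powershell
# Added example (not from the book). Run in an elevated PowerShell session on the computer to inspect.
function Get-IEAddOnInventory {
    [CmdletBinding()]
    param()

    # BHOs register one subkey per CLSID; toolbars register one value per CLSID.
    # On 64-bit Windows the 32-bit registrations (which most add-ons use) live under Wow6432Node.
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $toolbarKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
    )
    $clsidPattern = '^\{[0-9A-Fa-f-]{36}\}$'

    # Step 1: collect (type, CLSID) pairs from both sets of keys
    $entries = @()
    foreach ($key in $bhoKeys) {
        if (Test-Path $key) {
            foreach ($sub in Get-ChildItem -Path $key) {
                $entries += [pscustomobject]@{ Type = 'BHO'; Clsid = $sub.PSChildName }
            }
        }
    }
    foreach ($key in $toolbarKeys) {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -match $clsidPattern) {
                    $entries += [pscustomobject]@{ Type = 'Toolbar'; Clsid = $p.Name }
                }
            }
        }
    }

    # Step 2: resolve each CLSID to its friendly name and InprocServer32 DLL, then check the signature
    foreach ($e in $entries) {
        $name = $null; $dll = $null; $sigStatus = 'NoDll'; $signer = $null
        foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
            $clsKey = Join-Path $root $e.Clsid
            if (-not (Test-Path $clsKey)) { continue }
            $name   = (Get-ItemProperty -Path $clsKey -ErrorAction SilentlyContinue).'(default)'
            $inproc = Join-Path $clsKey 'InprocServer32'
            if (Test-Path $inproc) {
                $raw = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
                if ($raw) {
                    $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                    break
                }
            }
        }
        if ($dll -and (Test-Path $dll)) {
            $sig       = Get-AuthenticodeSignature -FilePath $dll
            $sigStatus = $sig.Status.ToString()          # Valid, NotSigned, HashMismatch, ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        elseif ($dll) {
            $sigStatus = 'DllMissing'   # registered but the file is gone: stale or half-removed add-on
        }
        [pscustomobject]@{
            Type       = $e.Type
            Name       = $name
            Clsid      = $e.Clsid
            Dll        = $dll
            Signature  = $sigStatus
            Signer     = $signer
            Suspicious = ($sigStatus -ne 'Valid')   # anything not validly signed deserves a closer look
        }
    }
}

# Usage: list every add-on with the suspicious ones first
Get-IEAddOnInventory |
    Sort-Object Suspicious -Descending |
    Format-Table Type, Name, Signature, Signer, Dll -AutoSize
```

A valid signature only tells you who published the DLL, so the output is a triage list to compare against what your organization actually deploys, not a verdict.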


Image Exam Tip

Explore each tab of the Internet Properties dialog box available from the Tools menu. Know that the Content tab offers a way to access the installed certificates, that the Connections tab lets you add a VPN or view Local Area Network (LAN) settings, that the Programs tab lets you set one Internet Explorer app as the default, and that the Advanced tab offers all kinds of options for accessibility, browsing, HTTP settings, and so on.



Note: Using the Alt Key in Internet Explorer

When in Internet Explorer, you can press the Alt key to show the Menu bar, and from the Tools menu perform all kinds of tasks including but not limited to deleting your browsing history, managing media licenses, and reporting unsafe websites, among other things.


Supporting Group Policy application

You know about Group Policy, how to apply policies to groups, and what applying those policies means to your users. What you might not know are the effects of a policy or groups of policies on a single computer or for a specific user, domain, or organizational unit. You might need new ways to process those policies, too, or more effectively update those policies without taxing your network. You can use three new tools that can help you support Group Policy application in Windows Server 2012 and Windows 8 (and Windows 8.1): Resultant Set of Policy (RSoP), policy processing, and Group Policy caching.

Using RSoP

Resultant Set of Policy (RSoP) is a report of all your Group Policy settings. The report can show how those settings affect your network, users, computers, and devices. You can use the RSoP snap-in to create these reports.

RSoP has two modes: logging and planning. Logging mode displays policy settings that are applied to computers or logged-on users. Planning mode simulates policy settings that you plan to apply to a computer or user. Planning mode also lets you review policy settings for a computer that’s currently unavailable or a user who’s not currently logged on.

You need to set up RSoP before you can use it, though. To add the snap-in to a Microsoft Management Console (MMC), follow these steps:

1. In a Run window, type mmc and press Enter.

2. In the empty MMC that appears, click File, and then click Add/Remove Snap-In.

3. In the left pane, click Resultant Set Of Policy, and then click Add.

4. Click OK.


Note: Opening RSoP as an MMC Snap-In

To open RSoP as an MMC snap-in and display RSoP logging mode for the currently logged on user and computer, type rsop.msc in a Run dialog box and click OK.


You can run an RSoP query on a computer account, a user account, a domain, an organizational unit, a site, and a local computer. Because the focus is on Windows 8.1 here, this section introduces the latter. To run an RSoP query in logging mode on a local computer (you can’t run planning mode on a local computer) follow these steps:

1. In the MMC you created in the preceding steps, right-click Resultant Set Of Policy, and then click Generate RSoP Data.

2. In the Resultant Set of Policy Wizard (see Figure 3-35), click Next.

FIGURE 3-35 Use the Resultant Set of Policy Wizard to simulate a policy implementation.

3. Click Logging Mode, and then click Next.

4. Click This Computer and click Next.

5. Leave Current User selected and click Next.

6. Review the information and click Next.

7. Click Finish.

Now, you can expand any node in the left pane and dive into any item to review. When you do, you’ll see the results of your Group Policy settings. Figure 3-36 shows sample results for the Sleep settings configured for a computer: Require A Password When A Computer Wakes (Plugged In) is listed as Enabled.

FIGURE 3-36 Use RSoP to review all Group Policy settings for a local computer.

Understanding policy processing

If you’ve used RSoP but aren’t getting the results you want from a local or remote computer, you can force a Group Policy update by using Gpupdate.exe. This command-line tool lets you verify that the computer has indeed received and processed the latest Group Policy settings. With Windows Server 2012 and Windows 8, you can refresh these settings remotely for all computers in an organizational unit (OU) from the Group Policy Management Console (GPMC) on the applicable server. You can optionally use the Windows PowerShell cmdlet Invoke-GPUpdate to refresh Group Policy on any group of computers, including those not included in the OU structure.
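The following is an added example, not code from the book, of the remote refresh just described: it confirms that the Group Policy Client service is running on each target, runs Invoke-GPUpdate against it, and then generates an RSoP logging-mode report to list the GPOs actually applied. It requires the GroupPolicy and ActiveDirectory modules (RSAT) on a domain-joined management computer; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the book). Requires RSAT (GroupPolicy and ActiveDirectory modules).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Update-GroupPolicyOnComputers {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [ValidateSet('Computer', 'User', 'Both')][string]$Target = 'Both'
    )
    foreach ($computer in $ComputerName) {
        $result = [ordered]@{ Computer = $computer; GpsvcRunning = $null; Refreshed = $false; Error = $null }
        try {
            # The Group Policy Client service (gpsvc) must be running, otherwise nothing is processed
            $svc = Get-Service -Name gpsvc -ComputerName $computer -ErrorAction Stop
            $result.GpsvcRunning = ($svc.Status -eq 'Running')
            # Remote equivalent of running gpupdate /force on the client, with no random delay
            Invoke-GPUpdate -Computer $computer -Target $Target -Force -RandomDelayInMinutes 0 -ErrorAction Stop
            $result.Refreshed = $true
        }
        catch {
            $result.Error = $_.Exception.Message   # e.g. firewall blocks the scheduled-task RPC call
        }
        [pscustomobject]$result
    }
}

function Get-AppliedComputerGpo {
    param([Parameter(Mandatory = $true)][string]$ComputerName)
    # RSoP logging mode as a report: generate XML for the computer and list the applied GPOs
    $report = Join-Path $env:TEMP ("rsop-{0}.xml" -f $ComputerName)
    Get-GPResultantSetOfPolicy -Computer $ComputerName -ReportType Xml -Path $report | Out-Null
    [xml]$rsop = Get-Content -Path $report
    foreach ($gpo in $rsop.Rsop.ComputerResults.GPO) {
        [pscustomobject]@{
            Computer = $ComputerName
            Gpo      = $gpo.Name
            Enabled  = $gpo.Enabled
            Valid    = $gpo.IsValid
        }
    }
    Remove-Item -Path $report -ErrorAction SilentlyContinue
}

# Usage: every computer in an OU (placeholder DN); any explicit list of names works as well
$targets = Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Select-Object -ExpandProperty Name
$refresh = Update-GroupPolicyOnComputers -ComputerName $targets
$refresh | Format-Table -AutoSize

# Verify on the computers that refreshed: the GPO list should match what you expect for the OU
$refresh | Where-Object Refreshed |
    ForEach-Object { Get-AppliedComputerGpo -ComputerName $_.Computer } |
    Format-Table -AutoSize
```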


More Info: New Group Policy Features

Windows 8 and Windows Server 2012 have introduced several new features for Group Policy updates, and you can review them in more depth at http://technet.microsoft.com/en-us/library/jj574108.aspx. These new features include but aren’t limited to the following:

Image Remote Group Policy Update

Image Group Policy Infrastructure Status

Image Local Group Policy Support for Windows RT

Image Fast Startup


Before moving on, you should learn about a few new features, such as Local Group Policy support for Windows RT. Although this is turned off by default, you can enable it as a local administrator:

1. From the Start screen, type Services.msc.

2. Double-click Group Policy Client.

3. Set the Startup type to Automatic, and then click Start.

You also can use sign-in optimizations when slow links are used. These improvements allow users to sign in faster when a slow link is detected by letting Group Policy switch automatically to asynchronous processing. See the following Note to learn more about asynchronous processing if you aren’t familiar with it. (Note that if the link speed can’t be determined, Group Policy defaults to slow-link mode.)

A new policy setting also enables administrators to treat all 3G connections as slow links. To do so, enable the Configure Group Policy Slow Link Detection policy setting and then select the Always Treat WWAN Connections As Slow Link check box. You’ll find this in the Group Policy Management Editor here: Computer Configuration, Policies, Administrative Templates, System, Group Policy.


Note: Asynchronous Processing and Synchronous Processing

Asynchronous processing refers to processes that don’t require other processes to complete before they can run. Thus, the processes can run simultaneously, which means that the client computer is ready faster, and the user can sign in more quickly. In contrast, synchronous processing refers to processes that depend on other process outcomes, which must complete before other processes can run.


The Fast Startup feature reduces the amount of time required to shut down and start a computer. This allows the computer to go into hibernation rather than completely shut down. However, Group Policy settings and scripts that are configured to be applied during the startup or shutdown process might not be applied, which can be a source of trouble if Fast Startup is enabled for your clients. You can read more about the effects of allowing Fast Startup and how it affects Group Policy at http://technet.microsoft.com/en-us/library/jj573586.

One more change is that you can configure the Group Policy Client service to sleep when it is idle for more than ten minutes. This way, the clients can perform better by letting Group Policy refresh as a scheduled task, not as a service refresh. By default, refreshes occur about every 90 minutes.


Image Exam Tip

Be sure to review the links offered in this section before taking the exam so that you are familiar with the other new and changed functionality in Group Policy.


Configuring Group Policy caching

Cached data can be accessed faster than data that must be retrieved from a remote source. Thus, Group Policy caching (theoretically) improves performance when configured to do so. A new policy, Configure Group Policy Caching, is available for this purpose. When Configure Group Policy Caching is enabled, the local computer first gets the latest version of a policy from the domain controller, and then writes that policy to its local store. The next time the computer starts up in synchronous mode, it retrieves the Group Policy settings from its own local store rather than downloading them anew. You might consider enabling this feature for computers you know are on slow connections to help improve performance.

To configure Group Policy Caching in Windows 8.1, follow these steps:

1. In a Run dialog box, type gpedit.msc and press Enter.

2. Navigate to Computer Configuration, Administrative Templates, System, Group Policy.

3. Double-click Configure Group Policy Caching (see Figure 3-37).

FIGURE 3-37 Review Group Policy settings in the Local Group Policy Editor.

4. Click Enabled.

5. Click OK.

Before continuing, review every Group Policy setting shown in Figure 3-37 (by double-clicking it and reading the information offered). Specifically, note the following:

Image Turn Off Background Refresh Of Group Policy

Image Turn Off Local Group Policy Objects Processing

Image Configure Group Policy Slow Link Detection

Image Set Group Policy Refresh Interval For Computers

Image Configure Logon Script Delay

Image Turn Off Resultant Set Of Policy Logging

Image Change Group Policy Processing To Run Asynchronously When A Slow Network Connection Is Detected

Image Specify Startup Policy Processing Wait Time

Image Configure User Group Policy Loopback Processing Mode


Image Thought experiment: Providing a malware solution

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.

You need to protect your clients from malware and viruses. You want the solution to meet the following criteria: provide real-time protection for workstations and mobile clients, get alerts when a computer in your organization is at risk, and run remote tasks such as wiping a compromised computer. You don’t need to manage servers or Linux/UNIX machines, and you don’t want to spend any more money than you have to.

1. From the options introduced in this section, which protection option would you choose?

2. Using the technology you selected in question 1, how do you run a scan of a remote computer you believe has been affected by malware?

3. How can you manage this technology while sitting in front of the client machine?


Objective summary

Image Windows updates often offer new features or functionality, but for the most part they are pushed out to fix security issues, address new security threats, and provide new device drivers.

Image You can manage, control, approve, and decline Windows updates in your organization with Windows Intune. You can also upload and manage non-Microsoft updates here.

Image Windows Defender, Windows Intune Endpoint Protection, and Microsoft System Center 2012 Endpoint Protection can all be used to provide real-time protection from viruses, malware, and other threats.

Image Internet Explorer 11 offers its own set of built-in protection tools, including but not limited to security zones, ways to manage add-ins and toolbars, and options to manage privacy.

Image Resultant Set of Policy (RSoP) offers a report of all your Group Policy settings. The report can show how those settings affect your network, users, computers, and devices. You can use the RSoP snap-in to create these reports. RSoP uses two modes: logging and planning.

Image You can configure clients in various ways to process Group Policy, including but not limited to letting the Group Policy refresh on its own synchronously or asynchronously at intervals you configure by using Windows PowerShell, the command line, and more.

Image You can enable Group Policy Caching to let clients cache Group Policy settings for fast startup.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. Where in the Group Policy Management Editor can you find settings for Windows Update?

A. Computer Configuration, Windows Settings, Windows Components, Windows Update

B. Computer Configuration, Administrative Templates, Windows Components, Windows Update

C. User Configuration, Administrative Templates, Windows Components, Windows Update

D. User Configuration, Windows Settings, Windows Components, Windows Update

2. You are trying to approve Microsoft updates by using the Windows Intune administrator console. You’ve navigated to the Updates tab, the Updates Status area, and clicked New Updates. But you don’t see any updates there. Why?

A. You need to be in the Admin Console, not the administrator console.

B. You need to click the Administration tab in the left pane, not the Updates tab.

C. You have to upload the updates that you want to approve first.

D. No new updates are available to approve.

3. In Windows Defender, what tab do you use to configure when scheduled scans are run?

A. Home

B. Update

C. History

D. Settings

4. When performing scans with Windows Intune Endpoint Protection, which of the following is true?

A. A quick scan checks the locations, processes in the memory, and registry files on the hard disk where malware generally appears.

B. A full system scan checks all files on the hard disk and all currently running programs.

C. The best time to schedule these scans is when the user isn’t at the computer.

D. All of the above.

5. You want to set up System Center 2012 Endpoint Protection in your enterprise. What is the first thing you need to do?

A. Deploy a web server certificate to site system servers.

B. Deploy a client authentication certificate to site system servers.

C. Create and issue a certificate template for mobile device enrollment.

D. Configure the management point and distribution point.

E. Configure the enrollment proxy point and the enrollment point.

F. Configure client settings for mobile device enrollment.

G. Enroll mobile devices.

6. You have enabled the Group Policy setting Turn Off The Flip Ahead With Page Prediction Feature for Internet Explorer 11. Some clients complain they can’t use the feature, even though it’s enabled. Why?

A. You must also enable the setting Allow Internet Explorer To Use The SPDY/3 Network Protocol.

B. You have disabled the setting Turn Off Loading Websites And Content In The Background To Optimize Performance.

C. This feature is available only in the Internet Explorer app, but the problematic users are using the Internet Explorer 11 desktop app.

D. This feature is available only in Windows RT 8.1, and the problematic users are using another version of Windows 8.

7. You’ve applied Group Policy but notice that a few clients aren’t compliant. What could be the problem and how can you resolve it?

A. The client needs to refresh; you can refresh the client in various ways, including by using GPupdate.exe.

B. The Group Policy might be in conflict with other policies and groups; run the RSoP and review the results.

C. The Group Policy isn’t being applied at startup. You need to enable Fast Startup.

D. The policies aren’t being cached. You need to enable Group Policy Caching through Computer Configuration, Policies, Administrative Templates, System, Group Policy.

Objective 3.4: Manage clients by using Windows Intune

You’ve already learned quite a bit about Windows Intune in this book. This last objective looks at it one more time. Here, you’ll learn how to create and manage user and computer groups, how to configure monitoring and set an alert when something goes awry, how to manage policies, and how to manage computers remotely.


This objective covers how to:

Image Manage user and computer groups; configure monitoring and alerts; and manage policies

Image Manage remote computers


Managing user and computer groups

With Windows Intune configured and with users and devices added and enrolled, you can now manage them. Management tasks include creating user and computer groups as well as monitoring them, creating alerts, and configuring policies, among other things.

Managing groups with Windows Intune

If you’ve ever managed users or devices in any setting—whether it’s a local workgroup or an enterprise domain—you likely know something about groups. In enterprises using AD DS, administrators generally create user accounts, create groups to house those accounts (users), and then apply the desired permissions to these groups for the purpose of managing multiple users at once. With groups, administrators can easily remove and add users, as well as manage hundreds or thousands of users more easily. Deciding how groups will be created in this scenario involves quite a bit of planning, and taking your time to do so is important.

Like with AD DS, you can create a group structure using Windows Intune. Also like with AD DS, you can establish a group plan for your organization in many ways. For example, you can group users by geographic location if you want to manage users and computers based on where they are located. You can also group members by department (such as Accounting or Sales) or by other characteristics. When dealing with computers, for instance, you can group devices by what kind of hardware they run on, what type of device they are, or what operating system they use. A device or a user can belong to more than one group, although users and devices never appear in the same group.

Windows Intune has four built-in, ready-to-use groups that can’t be removed: All Users, Ungrouped Users, All Devices, and Ungrouped Devices. You can tell by their names that these groups are very general. However, they offer access to everything you’ve enrolled, all the computers you manage, and all the users you’ve added. You build down from there, creating your own structure as desired.

Here are a few caveats to creating groups:

Image Groups contain either users or devices. They never contain both.

Image Groups can be empty.

Image You can name the groups you create and edit the names (descriptions and so on) when needed.

Image You don’t need AD DS to create groups in Windows Intune. If AD DS isn’t used, though, you do need to add users and groups manually in the Windows Intune account portal.

Image Groups can be dynamic, and you can query them to sort what’s included when necessary. You can create your own dynamic groups. You also can create static groups, such as Accountants, that include only specific members.

Image If you want to include mobile devices in a group, the devices must be discovered and added to the Windows Intune inventory.

You create a group in the Groups workspace in the Windows Intune administrator console. You saw this tab earlier if you’ve worked through this chapter. Figure 3-38 shows this, with All Users selected.

FIGURE 3-38 Use the Groups workspace to view the available groups.

The following steps show how to create a new computer group from the Windows Intune administrator console and then how to create a new user group. Later you’ll see how to create a security group from the Windows Intune account portal.

To create a new computer group from the Windows Intune administrator console, follow these steps:

1. Click Groups in the left pane, click Overview, and click Create Group under Tasks.

2. Type a group name and description, select All Devices (see Figure 3-39), and then click Next (not shown).

FIGURE 3-39 Creating a new computer group.

3. Select the applicable Device Type. There are three options: All Devices (Computers And Mobile Devices); Computer; Mobile. (Note that this group is dynamic because membership can and will change.)

4. If applicable, choose how to start the group. There are two choices: All Computers In The Parent Group; Empty Group.

5. Choose to include or exclude members from OUs or domains, as desired. Click Next.

6. If applicable, opt to include or exclude specific members from the group. Click Next.

7. Review the items on the Summary page and click Finish.

To create a new user group from the Windows Intune administrator console, follow these steps:

1. Click Groups in the left pane, click Overview, and click Create Group under Tasks.

2. Type a group name and description, select All Users, and then click Next.

3. Click All Users and click Next.

4. Choose how to start the group. There are two choices: Empty Group; All Users In The Parent Group.

5. Opt to include or exclude members from security groups, as desired.

6. Opt to include or exclude members with these managers, as desired, and click Next.

7. If applicable, opt to include or exclude specific members from the group. Click Next.

8. Review the items on the Summary page and click Finish.
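The wizard steps above describe a dynamic group as a set of criteria (device type, starting set, OU or domain filters, explicit member inclusions and exclusions) that Windows Intune re-evaluates as the inventory changes. The following Python model, an added example that is not code from the book or from Windows Intune, evaluates such criteria over a constructed inventory so that the effect of each step can be seen. The class and field names, and the evaluation order (filters first, explicit inclusions added, explicit exclusions removed last so that an exclusion always wins), are assumptions made for this example, not Intune's own schema or documented precedence.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Device:
    """Constructed model of one inventory entry (field names are assumptions)."""
    name: str
    device_type: str  # "Computer" or "Mobile"
    ou: str           # distinguished name of the AD DS OU the device sits in


@dataclass
class GroupCriteria:
    """Membership criteria as captured by the Create Group wizard (steps 3 to 6)."""
    device_type: str = "All Devices"        # "All Devices", "Computer" or "Mobile"
    start_from_parent: bool = True          # All Computers In The Parent Group vs Empty Group
    include_ous: Set[str] = field(default_factory=set)
    exclude_ous: Set[str] = field(default_factory=set)
    include_members: Set[str] = field(default_factory=set)
    exclude_members: Set[str] = field(default_factory=set)


def evaluate_group(parent: Iterable[Device], crit: GroupCriteria) -> List[Device]:
    """Return the devices that satisfy the criteria right now.

    Evaluation order is an assumption for this example: the starting set is
    narrowed by device type and OU, explicit inclusions are then added from the
    parent group, and explicit exclusions are removed last.
    """
    parent = list(parent)
    members = set(parent) if crit.start_from_parent else set()

    if crit.device_type != "All Devices":
        members = {d for d in members if d.device_type == crit.device_type}
    if crit.include_ous:
        members = {d for d in members if d.ou in crit.include_ous}
    if crit.exclude_ous:
        members = {d for d in members if d.ou not in crit.exclude_ous}

    # Explicit inclusions are resolved against the parent group, since a child
    # group cannot contain a device its parent does not.
    by_name = {d.name: d for d in parent}
    members |= {by_name[n] for n in crit.include_members if n in by_name}
    members = {d for d in members if d.name not in crit.exclude_members}
    return sorted(members, key=lambda d: d.name)


def member_names(parent: Iterable[Device], crit: GroupCriteria) -> List[str]:
    """Convenience wrapper returning just the sorted device names."""
    return [d.name for d in evaluate_group(parent, crit)]


# Constructed sample inventory; nothing here comes from a real tenant.
SALES_OU = "OU=Sales,DC=contoso,DC=com"
ACCT_OU = "OU=Accounting,DC=contoso,DC=com"
INVENTORY = [
    Device("PC-SALES-01", "Computer", SALES_OU),
    Device("LAPTOP-SALES-02", "Computer", SALES_OU),
    Device("PHONE-SALES-03", "Mobile", SALES_OU),
    Device("PC-ACCT-04", "Computer", ACCT_OU),
    Device("PC-SALES-05", "Computer", SALES_OU),
]

# A "Sales Computers" group: computers only, Sales OU only, one machine carved out.
SALES_COMPUTERS = GroupCriteria(
    device_type="Computer",
    include_ous={SALES_OU},
    exclude_members={"PC-SALES-05"},
)


def sales_computers_now(inventory: Iterable[Device] = INVENTORY) -> List[str]:
    """Membership of the Sales Computers group for the given inventory."""
    return member_names(inventory, SALES_COMPUTERS)


def sales_computers_after_enrollment() -> List[str]:
    """Re-evaluating after a new Sales computer is enrolled shows the group is dynamic."""
    grown = INVENTORY + [Device("PC-SALES-06", "Computer", SALES_OU)]
    return sales_computers_now(grown)


if __name__ == "__main__":
    print("now:  ", sales_computers_now())
    print("later:", sales_computers_after_enrollment())
```

The same `evaluate_group` function models a group started as Empty Group with only explicit inclusions, which is how a static group such as the Accountants example earlier in this section would be expressed.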

You can now locate both of these new groups in the Groups list. The new computer group is listed under All Devices; the new user group is listed under All Users. Click either and note the options available. Under Tasks, for example, you can edit the group, create a group, or delete the group. You can view the total users or devices, review the membership criteria, and see the date the group was created. You can also check for any software deployment issues or policy issues. When you see problems here, you can use this workspace to try to resolve them.


Image Exam Tip

You might be asked on the exam to explain why Windows Intune can’t be used in a particular situation, or you might be given a scenario with Windows Intune as an option for resolving a problem. You’ll need to know these things to answer those types of questions: Windows Intune can’t be used to manage 64-bit Windows XP Professional or 32-bit Windows 8 operating systems. Windows Intune Client software needs to be installed on compatible desktop operating systems such as Windows 8 Enterprise and Pro, Windows 7 Enterprise, Ultimate, or Professional, Windows Vista Enterprise, Ultimate, or Business, and Windows XP Professional SP3. Client software isn’t installed on devices that run Windows RT, Windows Phone, iOS, or Android.


You might also want to create a security group, which you can use to assign permissions to shared resources. If you use AD DS in your environment, you can specify synchronized security groups as membership conditions. To manually add security groups, you use the Windows Intune account portal (http://account.manage.microsoft.com):

1. At the top of the Windows Intune account portal, click Admin.

2. In the left pane, under Management, click Security Groups.

3. Click New.

4. Type a display name and description for the group, and then click Save.

5. In the List Type list, select Users or Groups (for this example, click Users).

6. Select the members to include (see Figure 3-40) and then click Add.

FIGURE 3-40 Creating a new security group.

7. Click Save and Close.


More Info: Creating Groups

For more information about users and groups in Windows Intune, refer to the TechNet article at http://technet.microsoft.com/en-us/library/dn646967.aspx#Step3. Specifically, refer to Step 2: Add Windows Intune Users and Step 3: Create Groups To Organize Users And Devices.


Configuring monitoring and setting alerts with Windows Intune

The next logical step after setting up Windows Intune, adding users, creating groups, and so on is to monitor inventory and configure alerts when something is amiss.

Monitoring Status

You can monitor the status of almost anything regarding your Windows Intune infrastructure from the applicable tab (workspace) in the Windows Intune administrator console. In this instance, the word monitor simply means to look at the entries to see the current status of a specific thing. You can try to resolve any issues from the same area. Another type of monitoring deals with creating alerts, and you configure those alerts by selecting severity levels, using filters to determine when an alert is necessary, configuring threshold settings, and so on. This section focuses on the former; the next section focuses on the latter.

For this example, you’ll monitor the mobile devices on your network. You can use the same technique to access and monitor other items, including users (although you won’t see nearly as much data for users as you do computers).

To get started, open the Windows Intune administrator console and follow these steps:

1. In the left pane, click Groups.

2. Click All Mobile Devices, All Computers, Ungrouped Devices, or any other applicable subgroup.

3. Review the information offered.

The information you’ll find in step 3 includes the following, which you can monitor as often as you like (under the General tab). Remember, if a problem exists, you can click the available link to learn more or resolve the issue.

Image Alert Status This shows you whether any alerts specific to the inventory selected have occurred.

Image Update Status This shows you whether any problems related to updates are occurring.

Image Endpoint Protection Status You can see whether any problems with endpoint protection have developed.

Image Policy You can see whether issues have occurred with policies you’ve created and configured.

Image Software Status This lists the status of installed software.

Image Device Health Status This shows the health of devices.

Image Membership Criteria You can review the criteria for membership.

Image Computer Summary You can review information regarding inventory, including but not limited to the top five manufacturers and top five operating systems used in your inventory list.


More Info: Monitoring Mobile Devices

To learn more about monitoring mobile devices, refer to the following TechNet article: http://technet.microsoft.com/en-us/library/jj733634.aspx.


You can use Windows Intune to monitor in other ways. For example, in the Windows Intune administrator console, from the System Overview tab, you can view and monitor alerts (see Figure 3-41). You also can change how you view the alerts; View By Date is the default, but you can switch to View By Category or View By Severity. You can also opt to view more information about the alerts. You can see any service announcements here, too, in an area named Notice Board. You can export these if desired.

FIGURE 3-41 Viewing and managing alerts from the System Overview workspace.

As with the Windows Intune System Overview tab (which offers information about alerts), you can access the Windows Intune Updates tab (which offers information about updates, update status, and cloud storage status). You explored this tab when you configured automatic approval settings earlier in the chapter.

Explore the other tabs now, too: Endpoint Protection Overview (status of malware and computers), which you explored when you opted to schedule a scan of a remote computer; Software (software status and cloud storage status), which you explored when you needed to add non-Microsoft software to Windows Intune for deployment; Licenses (licenses status); and Policy (the status of policies you’ve created), which you’ll explore shortly.


Note: Creating a Report

You can create a report in the Windows Intune administrator console. Click the Reports tab, and then click the type of report to create (Update, Detected Software, Computer Inventory, Mobile Device Inventory, License Purchase, or License Installation). Work through any tasks required. Then, save or view the report as applicable. If you don’t get any output, disable the pop-up blocker in your web browser.


Configuring Alerts

Things will go wrong, and you might not always be in front of the Windows Intune administrator console when they do. Thus, it’s best to configure Windows Intune so that when problems arise, you are notified. You can also configure it so other people are notified.

Alerts all have similar properties. For example, they all offer the time the alert was created; the number of times the alert happened; the source of the alert; whether the alert is still active, modified, or has been resolved; and any applicable path related to the issue.

When configuring alerts, you have lots of options. You can decide how severe the problem must be before you receive a notification about it. You can set a display threshold to determine how often a single alert must occur before it’s considered important enough to garner a notification. You can enable and disable alerts as desired. And you can configure settings that are unique only to a single type of alert. Alerts are categorized as follows:

Image Endpoint Protection These alerts deal with malware warnings and unprotected devices.

Image Monitoring These alerts are created when a service is stopped, when a disk is highly fragmented, and when disk space is running low.

Image Notices These alerts deal with service announcements.

Image Policy These alerts are created when a device has an issue with a policy setting and can’t apply or comply.

Image Remote Assistance These alerts are created when a managed computer requests remote assistance.

Image System These occur when a client deployment has failed. You can also be alerted if a mobile device has a connectivity issue.

Image Updates These alerts are specific to updates waiting for approval, including Security and Critical updates.

Alerts can be assigned to one of three severity levels:

Image Critical A serious problem that needs immediate attention

Image Warning A potentially serious problem you should look into

Image Informational A smaller issue that still requires attention

To configure an alert, follow these steps:

1. Open the Windows Intune administrator console and click the Administration tab.

2. Click Alerts And Notifications and then Alert Types (see Figure 3-42).

FIGURE 3-42 Configuring an alert.

3. Right-click any alert type, and then click Configure.

4. Change the state from Disable to Enable.

5. If desired, change the Severity.

6. If desired, change the Display Threshold.

7. Click OK.

Now you can create a notification based on this alert. To do this in the Windows Intune administrator console, follow these steps:

1. Click the Alerts tab, and then click Configure Notification Rules.

2. Click Create New Rule.

3. Type the name for the rule.

4. Select the category to apply the rule to. (These match the alert categories listed earlier.)

5. Select the severity.

6. Click Next.

7. Select Device Groups and click Next.

8. Specify the email addresses that will be notified.

As you continue to work with alerts, right-click as you explore. You’ll find options to close an alert in some instances, view an alert’s properties, and so on.

Managing policies with Windows Intune

The Policy workspace in the Windows Intune administrator console lets you create policies that help you control the computers and mobile devices you manage. You can force these policies or not configure them at all. For settings you don’t care to manage, you can leave the decision to your end users. You create policies based on available templates, which you can change or accept the defaults for. The defaults for these templates match up with Microsoft Best Practices.


Note: Creating and Deploying Policies

You create policies for computers and deploy them to device groups. You create policies for mobile devices and deploy them to user groups.


How much the exam objective “Manage Policies” covers can’t be predicted, but this section covers what I think you’ll see. This includes creating and deploying a policy, but I’ll also include how to view existing policies, edit and delete those policies, and review and address policy conflicts. You can learn more about Windows Intune policies from this set of TechNet articles at http://technet.microsoft.com/en-us/library/jj662710.aspx.

You can create four types of policies:

Image Mobile Device Security Policy This policy helps you configure things such as password length, whether to allow simple passwords, whether to require encryption, and so on.

Image Windows Firewall Settings This policy helps you configure things such as turning on the firewall, creating exceptions for specific network profiles, and so on.

Image Windows Intune Agent Settings This policy lets you configure other policies that include things such as installing endpoint protection, creating a system restore point before you try to remediate malware, enabling real-time protection, and so on.

Image Windows Intune Center Settings This policy lets you configure what users see when they open the Windows Intune Center, which is installed on all the computers you manage. This can contain support contact information such as a name, phone number, email address, website name, and so on.

Creating and Deploying a Policy with Recommended Settings

As noted earlier, when you create a policy with recommended settings, you let Microsoft do all the work by applying the settings that are in the best interests of most enterprises. To create and deploy a policy with the recommended settings, follow these steps:

1. In the Windows Intune administrator console, click the Policy tab.

2. From the Policy Overview page, click Add Policy.

3. Select a template that matches the type of policy to configure:

Image Mobile Device Security Policy

Image Windows Firewall Settings

Image Windows Intune Agent Settings (selected in Figure 3-43)

FIGURE 3-43 Creating a policy.

Image Windows Intune Center Settings

4. Click Create And Deploy A Policy With The Recommended Settings, and then click Create Policy.

5. Select the groups to which you want to deploy the policy, click Add, and then click OK.

6. If you are prompted to deploy the policy, click Yes to deploy now, or No to deploy later.


More Info: Deploying a Policy

If you didn’t deploy the policy when you created the policy or if you want to deploy the policy to more groups, refer to this article on TechNet: http://technet.microsoft.com/en-us/library/jj662643.aspx.


To create and deploy a custom policy, follow these steps:

1. In the Windows Intune administrator console, click the Policy tab.

2. From the Policy Overview page, click Add Policy.

3. Select a template that matches the type of policy to configure:

Image Mobile Device Security Policy

Image Windows Firewall Settings

Image Windows Intune Agent Settings

Image Windows Intune Center Settings

4. Click Create And Deploy A Custom Policy, and then click Create Policy.

5. Type the name and description of the policy.

6. Configure the applicable policy settings.

7. Select the groups to which you want to deploy the policy, click Add, and then click OK.

8. Click Save Policy.

9. Click Yes to deploy the policy now or No to deploy the policy later.

Reviewing a Policy List and Managing Listed Policies

You can review a list of configured policies from the Windows Intune administrator console, in Policy, from the All Policies tab. From there you can also add, edit, delete, and manage the deployment of policies. When you opt to edit a policy, the Create a New Policy Wizard opens and you can simply reconfigure the parts of the policy as desired.

Handling Conflicts

Sometimes multiple policies conflict with one another. When this happens, one of the policies must be the “winner,” and the winning policy is applied automatically. The winning policy setting is determined as follows:

Image If a computer is a member of two groups and the policies applied to those groups vary, the policy associated with the deepest group in the group tree structure wins.

Image If two policies are deployed to the same group, or if two groups are at the same depth in the group structure, the setting with the most recent Last Modified Time entry wins.

Sometimes multiple policies are applied to users, too. The winning policy setting is determined as follows:

Image If a user is a member of two groups and the policies applied to those groups vary, the policy associated with the deepest group in the group tree structure wins.

Image If two policies are deployed to the same group, or if both groups are at the same depth in the group structure, the older policy setting wins.

Image When a conflict occurs and the older policy setting is applied, a Policy Conflict alert is raised. You’ll see these in the Policy Conflicts area of the Policy workspace.

Image If a user’s device is managed by Windows Intune direct management and Exchange ActiveSync, the policies are compared. The most secure policy wins.

Review the Policy Conflicts tab in the Policy workspace. This is where you review and manage conflicts when they arise.
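The precedence rules listed above for computer policies, user policies, and the direct-management versus Exchange ActiveSync comparison are easy to misremember, so here they are carried through in code. This is an added example, not code from the book or from Windows Intune; the `Group`, `Policy` and `winning_policy` names are assumptions, and the single contested setting modelled (a minimum passcode length, where a larger minimum counts as more secure) is a constructed stand-in for whatever setting two policies disagree on.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass(frozen=True)
class Group:
    name: str
    depth: int  # 0 = All Devices / All Users; each level of nesting adds 1


@dataclass(frozen=True)
class Policy:
    name: str
    group: Group
    last_modified: datetime
    min_passcode_length: int  # constructed contested setting; larger = more secure
    source: str = "direct"    # "direct" (Windows Intune) or "eas" (Exchange ActiveSync)


def winning_policy(candidates: List[Policy], target: str) -> Tuple[Policy, List[str]]:
    """Apply the precedence rules for a computer ("computer") or a user ("user").

    Returns the policy whose setting applies plus any Policy Conflict alert text
    that the rules say should be raised (only the user case raises one).
    """
    if not candidates:
        raise ValueError("no policies apply to this computer or user")
    if target not in ("computer", "user"):
        raise ValueError("target must be 'computer' or 'user'")

    alerts: List[str] = []

    # Rule 1 (both cases): the policy attached to the deepest group wins.
    max_depth = max(p.group.depth for p in candidates)
    deepest = [p for p in candidates if p.group.depth == max_depth]
    if len(deepest) == 1:
        return deepest[0], alerts

    # Rule 2: same group, or groups at the same depth, tie-break on Last Modified Time.
    if target == "computer":
        winner = max(deepest, key=lambda p: p.last_modified)   # most recent wins
    else:
        winner = min(deepest, key=lambda p: p.last_modified)   # older wins ...
        losers = ", ".join(p.name for p in deepest if p is not winner)
        # ... and a Policy Conflict alert appears in the Policy workspace.
        alerts.append(f"Policy Conflict: '{winner.name}' (older) applied over {losers}")
    return winner, alerts


def direct_vs_eas(direct: Policy, eas: Policy) -> Policy:
    """Direct management and Exchange ActiveSync both apply: the more secure setting wins."""
    return max((direct, eas), key=lambda p: p.min_passcode_length)


# Constructed group tree and policies used for the demonstration below.
ALL_DEVICES = Group("All Devices", 0)
SALES = Group("Sales", 1)
SALES_LAPTOPS = Group("Sales Laptops", 2)

P_BASELINE = Policy("Baseline", ALL_DEVICES, datetime(2014, 1, 10), 4)
P_SALES_FEB = Policy("Sales (Feb)", SALES, datetime(2014, 2, 1), 6)
P_SALES_MAY = Policy("Sales (May)", SALES, datetime(2014, 5, 1), 5)
P_LAPTOPS = Policy("Sales laptops", SALES_LAPTOPS, datetime(2014, 3, 1), 8)
P_EAS = Policy("EAS mailbox policy", ALL_DEVICES, datetime(2014, 4, 1), 8, source="eas")


def demo() -> dict:
    """Run each precedence case and return the winning policy names."""
    deep, _ = winning_policy([P_BASELINE, P_SALES_FEB, P_SALES_MAY, P_LAPTOPS], "computer")
    pc_tie, pc_alerts = winning_policy([P_BASELINE, P_SALES_FEB, P_SALES_MAY], "computer")
    user_tie, user_alerts = winning_policy([P_BASELINE, P_SALES_FEB, P_SALES_MAY], "user")
    return {
        "deepest_group": deep.name,
        "computer_tie": pc_tie.name,
        "computer_alerts": len(pc_alerts),
        "user_tie": user_tie.name,
        "user_alerts": len(user_alerts),
        "direct_vs_eas": direct_vs_eas(P_SALES_FEB, P_EAS).name,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Note the asymmetry the code makes explicit: for computers the newer of two same-depth policies wins silently, while for users the older one wins and a Policy Conflict alert is raised, which is why the Policy Conflicts tab is worth checking after editing user-targeted policies.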

Finally, take a minute to look at the Exchange Access For Mobile tab in the Policy workspace. If you incorporate Exchange in your network infrastructure, you can create rules here. Note the three options:

Image Allow All Mobile Devices To Access Exchange, Unless A Custom Rule States Otherwise

Image Block All Mobile Devices From Accessing Exchange, Unless A Custom Rule States Otherwise

Image Quarantine All Mobile Devices So I Can Decide Later For Each Individual Mobile Device, Unless A Custom Rule States Otherwise

Notice that you can also view quarantined devices, set user notifications, and set administrator notifications here.


More Info: Exchange Access for Mobile

The Windows Intune administrator console also offers a place where you can manage mobile devices through Exchange ActiveSync. To learn about this, review the article “Windows Intune Capabilities for Directly Managed and Exchange ActiveSync-Managed Mobile Devices” at http://technet.microsoft.com/en-us/library/jj662631.aspx.


Managing remote computers with Windows Intune

You can use Windows Intune to perform remote tasks on computers (and mobile devices) you manage. Several tasks are available:

Image You can force an Endpoint Protection Definition Update in Windows Intune.

Image You can run a Windows Intune Endpoint Protection scan.

Image You can protect data with Remote Wipe, Remote Lock, or Passcode Reset by using Windows Intune.

Image You can restart a computer by using Windows Intune.

Image You can refresh Windows Intune policies.

Image You can refresh inventory in Windows Intune.

This chapter already covered the first two (about Endpoint Protection). You also saw how to perform a remote wipe and how to refresh policies. This section looks at a few other tasks: performing a remote lock, resetting a password, restarting a computer, and refreshing inventory.

Setting a Remote Lock

When a user loses a device, or perhaps leaves it in another office or at home, you can opt to lock the device to secure it. Remote Lock isn’t supported on all platforms, but you can lock iOS and Android devices easily. You can also lock Windows RT and Windows RT 8.1 devices if the device’s current user is the same person who enrolled it. This is also true for Windows 8.1 computers. You can’t remotely lock a Windows Phone 8 yet—at least, not at the time this book was written.

To lock a mobile device, open the Windows Intune administrator console, and then follow these steps:

1. Click Groups, expand All Devices, and expand All Mobile Devices (or the applicable group).

2. Click any applicable subgroup.

3. From the Devices tab, click the device (or devices) you want to lock, and then click Remote Tasks (you might have to first click a double-facing arrow).

4. Click Remote Lock.

Resetting a Password

Another common task you’ll perform remotely is resetting a password. You do this when a user forgets his or her password (passcode). By resetting a password, you force a new, temporary password, which the user must type in, and then the user can regain access.

You can reset a password on iOS and Android devices. For now, you can’t reset a password for Windows Phone 8, Windows RT, Windows RT 8.1, or Windows 8.1.

To reset a password, open the Windows Intune administrator console, and then follow these steps:

1. Click Groups, All Devices, All Mobile Devices.

2. Click any applicable subgroup.

3. From the Devices tab, click the device or devices that you want to reset the password for, click Remote Tasks, and then click Passcode Reset.

Restarting Remotely

You can restart a managed computer remotely. When you do, you can also watch the status of the restart from the Windows Intune administrator console. To restart a device, open the Windows Intune administrator console, and then follow these steps:

1. Click Groups.

2. Click All Devices or the appropriate group.

3. Select a computer or device. You can select more than one.

4. Click Remote Tasks, and then click Restart Computer.

5. On the Summary page, click Close.

You can encounter any of four status messages during the restart process:

Image Queued The request has been sent but not yet delivered to the device.

Image Running The task was received by the remote device and is running now.

Image Completed The task has completed.

Image Failed The task failed.

Refreshing Inventory

You can refresh data involving inventory in your enterprise. Follow these steps:

1. Open the Windows Intune administrator console.

2. Click Groups, and then click All Devices (or the appropriate group).

3. Select a computer or a group of computers, click Remote Tasks, and then click Refresh Inventory.

4. Click Close.


Image Thought experiment: Protecting your computers

In this thought experiment, apply what you’ve learned about this objective. You can find answers to these questions in the “Answers” section at the end of this chapter.

You manage a combination of 100 computers, mobile devices, and laptops. One of your responsibilities is to ensure that those computers are protected from malware. You use Windows Intune Endpoint Protection and want to configure alerts so that you are notified quickly when a problem is found.

1. Of the available alert categories, which category will you choose to configure alerts that have to do with malware?

2. You want to catch any problems as quickly as possible and remediate them. What severity level would you choose when creating the alerts?

3. In the Windows Intune administrator console, what workspace do you use to create alerts?


Objective summary

Image Windows Intune has four built-in, ready-to-use groups that can’t be removed: All Users, Ungrouped Users, All Devices, and Ungrouped Devices.

Image You can create Windows Intune groups to give you options for managing everything you’ve enrolled and all the users you’ve added.

Image You can configure alerts so that you are notified when problems occur. Alerts offer the time the alert was created; the number of times the alert happened; the source of the alert; whether the alert is still active, modified, or has been resolved; and any applicable path related to the issue. Several alert categories are used.

Image The Policy workspace in the Windows Intune administrator console lets you create policies that help you control the computers and mobile devices you manage. You can force these policies or not configure them at all.

Image You can remotely manage computers with Windows Intune and remotely lock or wipe enrolled devices, reset passwords, and restart computers, among other things.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

1. Which of the following is true regarding Windows Intune groups that you create?

A. As soon as you create a group, you can’t change its name.

B. A single group can contain both computers and users.

C. You must have AD DS to create groups in Windows Intune.

D. Groups can be empty.

2. What’s the main difference between a Windows Intune user group and a Windows Intune security group? Choose two.

A. You create the user group in the Windows Intune administrator console and a security group in the Windows Intune account portal.

B. User groups contain users, but security groups assign permissions to shared resources.

C. You can delete a user group you’ve created, but you can’t delete a security group you’ve created.

D. You can delete a security group you’ve created, but you can’t delete a user group you’ve created.

3. You need to create an alert that informs you if any device you manage can’t or didn’t install a required update. What kind of alert would you create?

A. Policy

B. Software Status

C. Update Status

D. Computer Summary

4. What types of policies can you create in Windows Intune? (Choose all that apply.)

A. Mobile Device Security Policy

B. Windows Firewall Settings

C. Windows Intune Agent Settings

D. Windows Intune Center Settings

E. All of the above

5. When policies conflict because two policies are deployed to the same group, which policy is applied?

A. The policy with the most recent Last Modified Time entry.

B. The policy that is deepest in the tree structure.

C. The most stringent policy wins.

D. The least stringent policy wins.

6. On what types of devices can you reset a passcode with Windows Intune? (Choose all that apply.)

A. Windows 8.1 computers

B. Windows 8.1 mobile computers

C. iOS

D. Android

E. Windows 8 phones

F. Windows RT and Windows RT 8.1 devices

Answers

This section contains the solutions to the thought experiments and answers to the lesson review questions in this chapter.

Objective 3.1: Thought experiment

1. DaRT is the best tool for this problem if you are a Software Assurance customer. Otherwise you’ll have to come up with a different solution, perhaps reimaging, scanning with Windows Defender, or using a third-party tool.

2. You need to create and use a recovery image that you create with DaRT.

3. Explorer lets you copy data files before trying to repair the computer.

4. Defender can help you resolve issues with malware and viruses.

Objective 3.1: Review

1. Correct answer: B

A. Incorrect: If you click Add A Device in the Devices And Printers window, Windows looks for a wireless or network device.

B. Correct: This is the applicable option.

C. Incorrect: You should be able to install the device if you can find an applicable device driver.

D. Incorrect: Although Pnputil.exe can be used to manage driver packages, the -f parameter is used together with -d to force the deletion of a package from the driver store, so it isn’t applicable here.

2. Correct answer: C

A. Incorrect: Sigverif.exe is used to scan the computer for unsigned drivers, not check for bad disk sectors.

B. Incorrect: Mdsched is used to schedule a scan using the Windows Memory Diagnostic tool to check for memory errors.

C. Correct: ChkDsk (run with the /r switch) scans the hard disk for bad sectors and recovers the readable information from them.

D. Incorrect: PerfMon opens the Performance Monitor.
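The review answers above name Pnputil.exe and Sigverif.exe but only describe them. The following PowerShell script is an added example, not from the book, that does the same driver-store audit from an elevated prompt on Windows 8.1: it parses the output of pnputil -e into objects, lists packages that report no signer (what Sigverif.exe would flag), and wraps pnputil -d / -f -d behind a confirmation so a package isn’t force-deleted by accident. The field labels it matches ("Published name", "Signer name", and so on) are the ones Pnputil.exe prints on Windows 7 and 8.1; treat that wording as an assumption and adjust the regex if your build differs.

```powershell
# Added example (not from the book): audit the driver store with Pnputil.exe.
# Run from an elevated PowerShell prompt on Windows 8.1.
# Assumption: pnputil -e prints one "Label : value" line per field and a blank
# line between packages, with the labels used in Get-DriverStorePackages below.

function Get-DriverStorePackages {
    # Parse "pnputil -e" into objects. Blank lines separate packages; the
    # banner line ("Microsoft PnP Utility") has no colon and is skipped.
    $packages = @()
    $current  = $null
    foreach ($line in (pnputil.exe -e)) {
        if ($line -match '^\s*$') {
            if ($current) { $packages += $current; $current = $null }
            continue
        }
        if ($line -match '^(?<key>[^:]+?)\s*:\s*(?<value>.*)$') {
            if (-not $current) { $current = [ordered]@{} }
            $current[$Matches.key.Trim()] = $Matches.value.Trim()
        }
    }
    if ($current) { $packages += $current }

    $packages | ForEach-Object {
        [pscustomobject]@{
            PublishedName = $_['Published name']            # e.g. oem12.inf
            Provider      = $_['Driver package provider']
            Class         = $_['Class']
            DateVersion   = $_['Driver date and version']
            Signer        = $_['Signer name']
        }
    }
}

function Get-UnsignedDriverPackages {
    # An empty Signer field means no catalog signature Windows trusts.
    # Sigverif.exe is the GUI way of finding the same packages.
    Get-DriverStorePackages | Where-Object { [string]::IsNullOrWhiteSpace($_.Signer) }
}

function Remove-DriverPackage {
    # Deletes a package from the driver store by its published name.
    # -f forces removal even when a device still references the package,
    # which is why this is gated behind ShouldProcess (use -WhatIf / -Confirm).
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)][string]$PublishedName,
        [switch]$Force
    )
    if ($PSCmdlet.ShouldProcess($PublishedName, 'Delete driver package')) {
        if ($Force) { pnputil.exe -f -d $PublishedName }
        else        { pnputil.exe -d $PublishedName }
    }
}

# Usage:
Get-DriverStorePackages | Format-Table -AutoSize
Get-UnsignedDriverPackages | Format-Table PublishedName, Provider, Class -AutoSize
# Remove-DriverPackage -PublishedName oem12.inf -WhatIf
```

Run the removal with -WhatIf first; a package that is still bound to a device should be rolled back or replaced from Device Manager rather than force-deleted from the store.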

3. Correct answer: D

A. Incorrect: You generally use Performance Monitor to create Data Collector Sets to see where performance improvements can be made.

B. Incorrect: You can use Reliability Monitor to review events, installations, and other information about a computer’s performance, but the WPT is better suited to the problem detailed here.

C. Incorrect: You use Sigverif.exe to locate unsigned drivers. This would be a good tool to use if you thought a driver was causing the issue, but because the hard disk light is on and additional vague problems are occurring, trying the WPT first would be best.

D. Correct: The Windows Performance Toolkit (WPT) is the best tool to use in this situation.

4. Correct answer: A

A. Correct: The Processes tab shows all running processes, grouped as Apps, Background Processes, and Windows Processes (with child windows and services grouped under their parent process), and offers columns that show the CPU, memory, disk, and network each one is using.

B. Incorrect: The App History tab shows usage associated with apps (but not desktop apps). Although you can review the load apps place on the computer, App History isn’t the best place to review processes for the entire computer.

C. Incorrect: This tab displays all the enabled services and enables you to manage them.

D. Incorrect: Msconfig.exe opens the System Configuration window and only offers access to the Task Manager and no way to monitor discrete processes.

5. Correct answers: A, C

A. Correct: In the Devices And Printers window, right-click the printer, click Printer Properties, and click the Sharing tab.

B. Incorrect: Sharing isn’t an option in the Devices And Printers window when you right-click the printer.

C. Correct: In the Print Management console, right-click the printer and click Manage Sharing.

D. Incorrect: Sharing isn’t an option in the Print Management console when you right-click the printer.

6. Correct answer: D

A. Incorrect: The Solution Wizard lets you work through a series of questions when you don’t know where to start with DaRT, and then review solutions offered that might suit your needs. Because you believe the problem to be a device driver, this likely isn’t the best option.

B. Incorrect: Explorer lets you browse the files on the local system as well as network shares, and copy that data before you try to repair or reimage the computer. Although this might be a good first step, it won’t help you resolve the driver issue.

C. Incorrect: Disk Commander lets you recover and repair disk partitions or volumes by restoring the master boot record (MBR), restoring partition tables, and saving those tables for backup. This isn’t the best solution here.

D. Correct: Computer Management enables you to view system information and event logs, work with disks, manage services, manage drivers, and so on. You can locate the driver here and uninstall it or disable it.

Objective 3.2: Thought experiment

1. Work Folders.

2. Control Panel, Work Folders.

3. Sync Center.

4. In Sync Center you can schedule syncing to run at a set time or to be triggered by an event: when you log on, when the computer has been idle for a specific amount of time, when you lock Windows, or when you unlock Windows. You can also add conditions so that a sync starts only if the computer has been idle for a set time, is awake, or is running on external power (not on its battery).

5. Two-way is most common because syncing occurs from device to server and server to device.

Objective 3.2: Review

1. Correct answers: A, C

A. Correct: Password expiration is available to set for all named devices.

B. Incorrect: Allowing a pop-up blocker isn’t available for Windows Phone 8 or Android devices.

C. Correct: Password history is available to all named devices.

D. Incorrect: Maximum password length isn’t correct, although minimum password length is an available policy for all.

2. Correct answer: B

A. Incorrect: You can’t wipe a device from here. This is where you add software and agreements.

B. Correct: This is where you opt to wipe a device.

C. Incorrect: You can manage devices here, but it’s used for enrollment and other mobile device management tasks.

D. Incorrect: You set policies here. You don’t wipe devices from here.

3. Correct answers: C, D

A. Incorrect: Enabling file synchronization on costed networks requires more bandwidth because you enable the option to sync files over metered networks.

B. Incorrect: Setting the Latency=0 isn’t the correct option for the latency threshold; the correct value is 1.

C. Correct: In the Value box for configuring slow-link mode, type Latency=1 to set the latency threshold to one millisecond.

D. Correct: You configure slow-link mode to achieve the desired results.
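Review question 3 is answered in terms of the Group Policy editor. The script below is an added example, not from the book, that pushes the same Configure Slow-Link Mode value (Latency=1 for all shares) with the GroupPolicy module and then verifies on a client that the setting arrived. Assumptions: the GroupPolicy module (RSAT/GPMC) is installed where Set-AlwaysOfflineMode runs, a GPO named Offline Files already exists and is linked to the clients, and the registry key used is the one the Offline Files ADMX writes for this policy; the GPO name and key are stated as assumptions, not taken from the book.

```powershell
# Added example (not from the book): configure and verify Always Offline mode.
# Assumptions: GroupPolicy module present on the admin workstation; GPO name
# is illustrative; SlowLinkParams is the key the Offline Files ADMX writes.

$SlowLinkSubKey = 'SOFTWARE\Policies\Microsoft\Windows\NetCache\SlowLinkParams'

function Set-AlwaysOfflineMode {
    param(
        [Parameter(Mandatory = $true)][string]$GpoName,
        [string]$Share = '*'   # '*' = every share; or a UNC path such as \\fs1\data
    )
    Import-Module GroupPolicy -ErrorAction Stop
    # Latency is in milliseconds. A 1 ms threshold makes every link count as
    # slow, so clients read and write the local cache and sync in the background.
    Set-GPRegistryValue -Name $GpoName -Key "HKLM\$SlowLinkSubKey" `
        -ValueName $Share -Type String -Value 'Latency=1'
}

function Test-AlwaysOfflineMode {
    # Run on a client after "gpupdate /force". Returns $true when any share
    # entry under SlowLinkParams carries Latency=1 (or lower).
    $path = "HKLM:\$SlowLinkSubKey"
    if (-not (Test-Path $path)) { return $false }
    $props = Get-ItemProperty -Path $path
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ("$($prop.Value)" -match '(?i)\bLatency=(\d+)' -and [int]$Matches[1] -le 1) {
            return $true
        }
    }
    return $false
}

# Usage (domain admin workstation, then a client):
# Set-AlwaysOfflineMode -GpoName 'Offline Files'
# gpupdate /force
# Test-AlwaysOfflineMode
```

A Latency=0 entry would never be exceeded and so never switch the client to slow-link mode, which is why the review answer insists on 1. The same key can also carry a Throughput= threshold; the check above looks only at latency.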

4. Correct answer: C

A. Incorrect: The Windows Intune administrator console, from the Administrator pane in Mobile Device Management, is not the desired solution here.

B. Incorrect: Although you can manage devices in the Windows Intune administrator console from the Groups pane in All Mobile Devices, you can’t add users manually here.

C. Correct: You add users manually from the Windows Intune account portal, under Admin, from the Users tab.

D. Incorrect: No Users tab is available (which is what you need to locate) in the Windows Intune account portal, under Admin Console.

E. Incorrect: You can’t add users manually in the Windows Intune Company Portal.

Objective 3.3: Thought experiment

1. Windows Intune provides support for all these items. Windows Defender won’t support all mobile clients, nor will it offer alerts. System Center 2012 Endpoint Protection is too much in this scenario because servers and Linux/UNIX machines aren’t a part of what you need to manage.

2. Open the Windows Intune administrator console. In the Groups workspace, locate the device to manage, and then click Run A Full Malware Scan (or Run A Quick Malware Scan).

3. Open the Windows Intune Endpoint Protection window (which looks like the Windows Defender window) and choose the desired tab to make the appropriate changes.

Objective 3.3: Review

1. Correct answer: B

A. Incorrect: Windows Update isn’t available under Computer Configuration, Windows Settings; it lives under Administrative Templates.

B. Correct: Computer Configuration, Administrative Templates, Windows Components, Windows Update is the proper area.

C. Incorrect: Windows Update isn’t available in User Configuration; it’s a computer element.

D. Incorrect: Windows Update isn’t available in User Configuration; it’s a computer element.

2. Correct answer: D

A. Incorrect: The administrator console is the proper place to look for new updates to approve.

B. Incorrect: The Updates tab in the left pane is the proper place to look for new updates to approve.

C. Incorrect: You have to upload the non-Microsoft updates that you want to approve first, but not the Microsoft updates.

D. Correct: No new updates are available to approve.

3. Correct answer: D

A. Incorrect: Home is where you can see the status of your real-time protection, including whether it’s turned on and whether the virus and spyware definitions are up to date.

B. Incorrect: Update is where you can see the date on which the last definitions were created, when the definitions were last updated, the virus definition version, and the spyware definition version.

C. Incorrect: History is where you review past problems.

D. Correct: Settings is where you schedule scans.

4. Correct answer: D

A. Incorrect: A quick scan does check the locations, memory processes, and registry files on the hard disk where malware generally appears, but the other answers are also correct.

B. Incorrect: A full system scan does check all files on the hard disk and all currently running programs, but the other answers are also correct.

C. Incorrect: Scheduling these scans when the user isn’t at the computer is best, but the other answers are also correct.

D. Correct: All the answers are correct.

5. Correct answer: A

A. Correct: The first thing you must do is obtain the proper certificates.

B. Incorrect: This is the second thing you do.

C. Incorrect: This is the third thing you do.

D. Incorrect: This is the fourth thing you do.

E. Incorrect: This is the fifth thing you do.

F. Incorrect: This is the sixth thing you do.

G. Incorrect: This is the very last thing you do.

6. Correct answer: C

A. Incorrect: The setting Allow Internet Explorer To Use The SPDY/3 Network Protocol isn’t required for Flip Ahead.

B. Incorrect: The setting Turn Off Loading Websites And Content In The Background To Optimize Performance isn’t required for Flip Ahead.

C. Correct: This feature is available only in the Internet Explorer app and the problematic users are using the Internet Explorer 11 desktop app.

D. Incorrect: This feature is available in all versions of Windows 8 for the Internet Explorer 11 app.

7. Correct answers: A, B

A. Correct: The client might need to have new policies refreshed.

B. Correct: You should use RSoP to see if any conflicts exist.

C. Incorrect: Fast Startup reduces the amount of time required to shut down and restart a computer by allowing the computer to go into hibernation rather than completely shut down. However, Group Policy settings and scripts that are configured to be applied during the startup or shutdown process might not be applied, which can be a source of trouble if Fast Startup is enabled for your clients.

D. Incorrect: You can enable Group Policy caching from here, but doing so won’t resolve the problem.
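Review question 1 (the Windows Update policy path) and review question 7 (refresh policy, then check RSoP) are two halves of one troubleshooting loop. The following PowerShell is an added example, not from the book, that reads the Windows Update policy values a client actually received (the registry side of Computer Configuration, Administrative Templates, Windows Components, Windows Update), judges whether they are what you expect, and, when they are not, refreshes policy and exports an RSoP report so the conflicting GPO can be found. The registry names and the AUOptions meanings are Microsoft’s documented ones; the compliance rule in Test-WindowsUpdatePolicyCompliant is an illustrative assumption you would adapt to your own baseline.

```powershell
# Added example (not from the book): inspect received Windows Update policy,
# then refresh Group Policy and export RSoP when it looks wrong.
# Assumption: the "compliant" rule below (policy present, automatic updates
# not disabled, optional intranet server) is an illustrative baseline.

function Get-WindowsUpdatePolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au   = Join-Path $base 'AU'
    $result = [ordered]@{
        PolicyPresent    = Test-Path $au
        WUServer         = $null   # intranet update server (WSUS) URL
        WUStatusServer   = $null
        UseWUServer      = $null   # 1 = use WUServer instead of Windows Update
        NoAutoUpdate     = $null   # 1 = automatic updates disabled
        AUOptions        = $null
        AUOptionsMeaning = 'not configured'
    }
    if (Test-Path $base) {
        $b = Get-ItemProperty -Path $base
        $result.WUServer       = $b.WUServer
        $result.WUStatusServer = $b.WUStatusServer
    }
    if ($result.PolicyPresent) {
        $a = Get-ItemProperty -Path $au
        $result.UseWUServer  = $a.UseWUServer
        $result.NoAutoUpdate = $a.NoAutoUpdate
        $result.AUOptions    = $a.AUOptions
        $result.AUOptionsMeaning = switch ($a.AUOptions) {
            2 { 'notify before download' }
            3 { 'auto download, notify before install' }
            4 { 'auto download and schedule the install' }
            5 { 'allow local admin to choose setting' }
            default { 'not configured' }
        }
    }
    [pscustomobject]$result
}

function Test-WindowsUpdatePolicyCompliant {
    param([switch]$RequireIntranetServer)
    $p = Get-WindowsUpdatePolicy
    if (-not $p.PolicyPresent) { return $false }        # policy never arrived
    if ($p.NoAutoUpdate -eq 1) { return $false }        # updates switched off
    if ($RequireIntranetServer -and
        -not ($p.UseWUServer -eq 1 -and $p.WUServer)) { return $false }
    return $true
}

function Invoke-PolicyRefreshAndRsop {
    # Review question 7: refresh policy, then export RSoP. The HTML report
    # shows the winning GPO for each setting, so precedence conflicts between
    # GPOs deployed to the same OU can be read directly from it.
    param([string]$ReportPath = "$env:TEMP\rsop-$env:COMPUTERNAME.html")
    gpupdate.exe /force | Out-Null
    gpresult.exe /h $ReportPath /f | Out-Null
    return $ReportPath
}

# Usage (elevated prompt on the client):
Get-WindowsUpdatePolicy
if (-not (Test-WindowsUpdatePolicyCompliant)) {
    "Windows Update policy missing or disabled; RSoP report written to $(Invoke-PolicyRefreshAndRsop)"
}
```

If the report shows the expected GPO is applied but the registry values are still missing, check whether the client was shut down with Fast Startup: startup scripts and some computer settings are not reapplied on a resume from hibernation, which is the trap answer C in review question 7 describes.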

Objective 3.4: Thought experiment

1. Endpoint Protection alerts

2. Critical

3. Administration

Objective 3.4: Review

1. Correct answer: D

A. Incorrect: As soon as you create a group, you can change its name.

B. Incorrect: A single group can’t contain both computers and users.

C. Incorrect: You don’t need AD DS to create groups in Windows Intune.

D. Correct: Groups can be empty.

2. Correct answers: A, B

A. Correct: You create a user group in the Windows Intune administrator console and a security group in the Windows Intune account portal.

B. Correct: User groups contain users, but security groups assign permissions to shared resources.

C. Incorrect: You can delete any group you create.

D. Incorrect: You can delete any group you create.

3. Correct answer: C

A. Incorrect: Policy alerts deal with policies you’ve created and deployed.

B. Incorrect: Software Status alerts deal with the status of installed software.

C. Correct: Update Status is the applicable alert type.

D. Incorrect: Computer Summary lets you review inventory information, including but not limited to the top five manufacturers and top five operating systems used in your inventory list.

4. Correct answer: E

A. Incorrect: Mobile Device Security Policy is a valid policy type, but other answers are also correct, so the correct answer is E.

B. Incorrect: Windows Firewall Settings is a valid policy type, but other answers are also correct, so the correct answer is E.

C. Incorrect: Windows Intune Agent Settings is a valid policy type, but other answers are also correct, so the correct answer is E.

D. Incorrect: Windows Intune Center Settings is a valid policy type, but other answers are also correct, so the correct answer is E.

E. Correct: All of the above.

5. Correct answer: A

A. Correct: In this case, the policy with the most recent Last Modified Time entry is applied.

B. Incorrect: The question states that the groups are equal in the tree structure.

C. Incorrect: The most stringent policy doesn’t win in this case. However, if a user’s device is managed by Windows Intune direct management and Exchange ActiveSync, the policies are compared and the most secure wins.

D. Incorrect: The least stringent policy doesn’t win.

6. Correct answers: C, D

A. Incorrect: Windows 8.1 computers can’t be reset in this manner.

B. Incorrect: Windows 8.1 mobile computers can’t be reset in this manner.

C. Correct: iOS devices can be sent a passcode reset.

D. Correct: Android devices can be sent a passcode reset.

E. Incorrect: Windows 8 phones can’t be reset in this manner.

F. Incorrect: Windows RT and Windows RT 8.1 devices can’t be reset in this manner.