Horus' quick study guide for 70-687

horusthesunhorusthesun Member Posts: 289
70-687 super duper study guide

Windows 8 Editions

Windows RT (Surface Tablets)

· ARM processor
· Only runs Windows Store Apps

Windows 8
  • Basic...
  • For home and SOHO...
  • Geared toward consumers
Windows 8 PRO
  • Small to medium Businesses
  • Encryption (BitLocker & BitLocker To Go)
Windows 8 Enterprise
  • Mobility (Direct Access)
  • WTG- Windows to go (Windows on a USB flash drive)
32 or 64 bit?
Answer is always 64 on 64 bit CPUs
Higher CPU utilization
32 bit can consume up to 4 GB (including shared video memory)
Win 8 (64bit) -> 128 GB
Win 8 Pro/Enterprise (64bit) -> 512GB
Client Hyper-V
Better Security (DEP= Data Execution Prevention, KAP, Requires Signed Drivers)
Broad driver availability (Most Win 7 on Win 8)
Screen Resolution:
Minimum Start screen / Windows 8 native apps: 1024 x 768
“Snap” Feature: 1366 x 768 (load Win 8 apps side by side)
Maximum: 2560 X 1440

Which SKU to upgrade?

Full Upgrade
Windows 7 starter, home basic/Premium -> Win 8
Windows 7 starter, Home Basic/Premium, Professional, Ultimate ->Win 8 Pro
Windows 7 Pro, Ent -> Win 8 Ent


Migration:
-Vista RTM /SP1, XP SP3 -> Win8, Win8 pro

32-bit -> 32-bit
64-bit -> 64bit








Upgrade or Clean Install

| “Fully Compatible” upgrade | Clean Install |
| --- | --- |
| Personal Files (User Folder) | Inherit no problems |
| Windows Settings | Requires centrally stored data |
| • Profile | Home directory or backup/restore |
| • Hardware settings | Must install apps |
| Applications | App deployment solutions |
| • Some might need reinstallation | Baseline images (golden image) |
| • Disable A/V, check vendor upgrade | Reconfigure Windows settings |
| Minimal interaction & fast | (Roaming profiles) |

5-Step process
  1. Evaluate (ACT, MAP, ADK)
  2. Back up
  3. Upgrade
  4. Verify
  5. Update
Windows to Go
Problem: in another location w/ no PC of your own (BYOD)
  • Reluctance to loan a workstation
  • Concern of malware
Solutions:
  • RDP, CITRIX
  • GUEST VMs
  • Windows to Go!
  • Used on a flash drive (External HDD) -> it is better to use with USB 3.0
  • 32GB only works with Windows Enterprise (may need to configure BIOS)


Windows to Go Overview
Entire Win8 Enterprise
  • OS
  • User Settings
  • Programs
  • DATA
Can use Reference Image
Considerations
  • Windows recovery not available (re-image)
  • BitLocker available w/o TPM
  • No push button RESET
  • No Hibernate/Sleep mode
  • No Internal Disk visible
  • Loads appropriate drivers & reloads when reconnecting
  • Might need to suspend BitLocker on host
  • Store is disabled by default

Enterprises install Windows on a large group of computers either by using configuration management software (such as System Center Configuration Manager), or by using standard Windows 8 deployment tools such as DiskPart, ImageX, and the Deployment Image Servicing and Management (DISM) tool.
These same tools can be used to provision a Windows To Go drive, just as you would if you were planning for provisioning a new class of mobile PCs. You can use the Windows Assessment and Deployment Kit to review the deployment tools available.

Make sure you use the versions of the deployment tools provided for Windows 8. The deployment tools from previous versions don’t support Windows To Go.

Windows key + F, Type Windows to go --> follow the Wizard



*Must use a password … no TPM*
List of Windows To Go certified USB drives
  • Imation IronKey Workspace
  • Kingston DataTraveler Workspace
  • SPYRUS Portable Workplace
  • SPYRUS Secure Portable Workplace (w/ Hardware Encryption)
  • SuperTalent Express RC8

For Host PC:
When assessing the use of a PC as a host for a Windows To Go workspace you should consider the following criteria:
  • Hardware that has been certified for use with either Windows 7 or Windows 8 operating systems will work well with Windows To Go.
  • Running a Windows To Go workspace from a computer that is running Windows RT is not a supported scenario.
  • Running a Windows To Go workspace on a Mac computer is not a supported scenario.
The following table details the characteristics that the host computer must have to be used with Windows To Go:


| Item | Requirement |
| --- | --- |
| Boot process | Capable of USB boot |
| Firmware | USB boot enabled. (PCs certified for use with Windows 7 or Windows 8 can be configured to boot directly from USB; check with the hardware manufacturer if you are unsure of the ability of your PC to boot from USB) |
| Processor architecture | Must support the image on the Windows To Go drive |
| External USB Hubs | Not supported; connect the Windows To Go drive directly to the host machine. |
| Processor | 1 GHz or faster |
| RAM | 2 GB or greater |
| Graphics | DirectX 9 graphics device with WDDM 1.2 or greater driver. |
| USB port | USB 2.0 port or greater |



Migration Overview
Goal: Transfer Data & User settings to New Windows 8 computer
Upgrade not available
Want clean install w/o loss
AKA “Refresh Computer Scenario”
Two Methods
In place -> Source & Destination PCs are the same
Side-by-Side -> Source & Destination PCs are different
Requires more time & steps


| ADVANTAGES | DISADVANTAGES |
| --- | --- |
| VERY CLEAN | MORE TIME CONSUMING |
| UPGRADE PATH NOT RELEVANT | REQUIRES MIGRATION TOOLS: Windows Easy Transfer, User State Migration Tool |
| IMPROVED PERFORMANCE | REINSTALL APPS |
| AVOIDS INHERITING: poor configurations, malware, remnant files, deprecations | STORAGE FOR SETTINGS |
| | MAY IMPACT USER PRODUCTIVITY |



WET Migration
  • On Win8 DVD
  • Source: old PC, Target: NEW Win8
  • Migrate:
    1. User profile (Admin: All users)
    2. Data
    3. App Settings
  • Single, Small Migration
  • Transfer via cable (USB easy transfer cable), network, ext storage
Helpful tip: decrypt all EFS files before transfer with WET
User State Migration Tool (USMT) Technical Reference: The User State Migration Tool (USMT) 5.0 is included with the Windows® Assessment and Deployment Kit (Windows ADK) for Windows® 8. USMT provides a highly customizable user-profile migration experience for IT professionals.
USMT 5.0 includes three command-line tools:
  • ScanState.exe version 6.2
  • LoadState.exe version 6.2
  • UsmtUtils.exe version 6.2
USMT 5.0 also includes a set of three modifiable .xml files:
  • MigApp.xml
  • MigDocs.xml
  • MigUser.xml
Single or multiple (script)
No direct side-by-side (network)
Export w/ scan state
Import w/load state
**No DC Necessary to apply domain profiles**
**Run as Admin to ensure all settings migrate (elevate to admin in command prompt)**
Example:
Source PC
C:\> scanstate m:\scanstate /o /ue:*\* /ui:example\user /i:migdocs.xml /i:migapp.xml /encrypt /key:"usmtsecret"
Target PC
C:\> loadstate m:\scanstate /mu:example\user:example\user /i:migdocs.xml /i:migapp.xml /decrypt /key:"usmtsecret"


VHD (X) Advantages
  • VHDX = Windows Server 2012
  • VHD = Windows Server 2008
  • Useful for VM and physical machines
  • Device detection
  • Software
  • Uniform File Management
  • Common Tools
  • Single File Restore
  • Performance Compared to VMs


| Install to VHD | Deploy WIM to VHD |
| --- | --- |
| WINPE | WINPE, SHIFT-F10, DISKPART |
| SHIFT-F10 | COPY WIM to VHD |
| DISKPART | IMAGEX /APPLY |
| INSTALL | DETACH VDISK, COPY to Server |
| | Copy to Client |
| | BCDBOOT |



Folder Redirection:

Default “My Documents”
Locally Stored -> no central backup -> no central virus scan
Might be illegal
Folder Redirection fixed these problems
Do not depend on roaming profiles
Manual configuration in My Documents properties or AUTOMATE in GPO (uses Users setting in Group Policy)
Speeds logon
Enables offline files


What is a Device Driver?
Intermediary software that exchanges communication between the OS and the hardware
Associated Files: .sys, .inf, .cat, .dll
32-bit + 64-bit
Signed
Plug and Play Automation
Install/Attach device
OS searches for driver based on Hardware ID
Devices usually available immediately
Substantially more reliable than initial versions
Some Devices also need accompanying software

Signed Drivers
Required in 64-bit
Driver tested in WHQL (Windows Hardware Quality Labs)
Good Drivers Receive Signature in CAT
If Driver files change signature doesn’t match (Integrity)
Signature Tools: sigverif + driverquery /si



The Driver Store
C:\Windows\System32\DriverStore
Many default drivers
More added/updated
  • Windows updates
  • pre-staging with pnputil.exe in command prompt
Need to be at least a Local admin to add/update drivers
Users can load existing drivers
Can use Alternate driver locations
Driver path = registry HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> DevicePath
Windows update
Manual from media website
Device Manager
· Primary device UI -> devmgmt.msc
· Main Functions
· Add legacy hardware
· View hidden devices (in the top menu View -> Show hidden devices)
· View device properties
· Driver Management (update, disable, rollback, uninstall)
· Very specific details
· View events
· Power management
· Resources
· Configure driver settings



(work in progress)

Comments

  • horusthesunhorusthesun Member Posts: 289
    Sorry I haven't added anything lately
    been busy at work
    People quit, so I am pulling doubles and training noobs
  • horusthesunhorusthesun Member Posts: 289
    Secure boot :

    Signature Databases and Keys:
    The firmware has two databases.
    1) List of the signers or image hashes of the UEFI applications, OS loaders and UEFI drivers (Signature DB)
    2) List of the revoked images for items that are no longer trusted (Revoked Signature DB)

    Microsoft® signs the Microsoft Operating System Loader (called Boot Manager) with a signer that must be included in the database when systems are manufactured.
    Key Enrollment Key database (KEK) is a separate database of signing keys that can be used to update the signature database and revoked signatures database. Microsoft requires a specified key to be included in the KEK database so that in the future Microsoft can add new operating systems to the signature database or add known bad images to the revoked signatures database.

    The OEM stores the signature database, revoked signatures database, and KEK signature databases on the firmware nonvolatile RAM

    After these databases have been added, and after final firmware validation and testing, the OEM locks the firmware from editing, except for updates that are signed with the correct key or updates by a physically present user who is using firmware menus, and then generates a platform key (PK). The PK can be used to sign updates to the KEK or to turn off Secure Boot.

    Boot Sequence:

    When the PC is turned on ... signature databases are checked against the platform key.
    If the firmware is not trusted, the UEFI firmware must initiate OEM-specific recovery to restore trusted firmware.
    When the Windows Boot Manager fails to load, the firmware will attempt to boot a backup copy of Windows Boot Manager.
    When the backup Windows Boot Manager fails, the firmware will initiate the OEM-specific remediation.
    After Windows Boot Manager has started running, if there is an issue with the drivers or NTOS kernel, Windows Recovery Environment (Windows RE) is loaded so that these drivers or the kernel image can be recovered.
    After this, Windows loads anti-malware software.
    Finally, Windows loads other kernel drivers and initializes the user mode processes.



    *Secure Boot does not require a Trusted Platform Module (TPM).*
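
The db / dbx / KEK / PK relationships described in the comment above, modelled as an added example (not part of the original post and not firmware code). Signature checking is reduced to comparing a signer name, and every key name and image below is a constructed placeholder.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data):
    return hashlib.sha256(data).hexdigest()

@dataclass
class Firmware:
    pk: str                                  # platform key (PK) owner
    kek: set = field(default_factory=set)    # signers allowed to update db and dbx
    db: set = field(default_factory=set)     # allowed signers or image hashes
    dbx: set = field(default_factory=set)    # revoked signers or image hashes

    def may_boot(self, image, signer=None):
        """An image loads only if it is listed in db and nothing about it is in dbx."""
        ids = {sha256(image)}
        if signer:
            ids.add(signer)
        if ids & self.dbx:      # revocation wins over any allow entry
            return False
        return bool(ids & self.db)

    def update(self, target, entry, signed_by):
        """Add entry to 'db', 'dbx' or 'kek' if signed_by is authorised for it."""
        if target in ("db", "dbx"):
            allowed = signed_by in self.kek
        elif target == "kek":
            allowed = signed_by == self.pk
        else:
            allowed = False
        if allowed:
            getattr(self, target).add(entry)
        return allowed

def demo():
    # All names and image bytes below are constructed placeholders.
    fw = Firmware(pk="oem-pk", kek={"os-vendor-kek"}, db={"os-loader-signer"})
    loader = b"constructed boot manager image"
    return [
        fw.may_boot(loader, "os-loader-signer"),              # signer is in db
        fw.may_boot(b"constructed unsigned loader"),          # not in db
        fw.update("dbx", sha256(loader), "unknown-signer"),   # not a KEK: rejected
        fw.update("dbx", sha256(loader), "os-vendor-kek"),    # KEK may revoke
        fw.may_boot(loader, "os-loader-signer"),              # hash now in dbx
    ]

if __name__ == "__main__":
    print(demo())
```

The last result is the one to remember: once an image hash is in the revoked database, a still-trusted signer in the signature database no longer lets it boot.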

  • horusthesunhorusthesun Member Posts: 289
    Example of manage-bde

    C:\WINDOWS\system32>manage-bde -status
    BitLocker Drive Encryption: Configuration Tool version 6.2.9200
    Copyright (C) 2012 Microsoft Corporation. All rights reserved.


    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume F: [Catwoman]
    [Data Volume]


    Size: 1863.01 GB
    BitLocker Version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Automatic Unlock: Disabled
    Key Protectors: None Found


    Volume G: [redhoodbackupdrive]
    [Data Volume]


    Size: 736.10 GB
    BitLocker Version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Automatic Unlock: Disabled
    Key Protectors: None Found


    Volume C: [Gateway]
    [OS Volume]


    Size: 684.54 GB
    BitLocker Version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Key Protectors: None Found


    Volume A: [share]
    [Data Volume]


    Size: 195.41 GB
    BitLocker Version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Automatic Unlock: Disabled
    Key Protectors: None Found
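
An added example, not part of the original post: a parser that turns `manage-bde -status` text like the output above into a per-volume state, so drives with protection off can be flagged. The E: and H: volumes in the sample are constructed, and the three state names are this example's own.

```python
import re

VOLUME_RE = re.compile(r"^\s*Volume\s+([A-Z]):\s*\[(.*?)\]\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*\S)\s*$")

# Constructed sample: F: and C: abridged from the output above; E: and H: are made up.
SAMPLE = """\
BitLocker Drive Encryption: Configuration Tool version 6.2.9200
Volume F: [Catwoman]
[Data Volume]
    Conversion Status: Fully Decrypted
    Protection Status: Protection Off
Volume C: [Gateway]
[OS Volume]
    Conversion Status: Fully Decrypted
    Protection Status: Protection Off
Volume E: [constructed-suspended]
    Conversion Status: Fully Encrypted
    Protection Status: Protection Off
Volume H: [constructed-protected]
    Conversion Status: Fully Encrypted
    Protection Status: Protection On
"""

def parse_status(text):
    """Return {drive letter: {field: value}} parsed from manage-bde -status text."""
    volumes, current = {}, None
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            current = volumes.setdefault(m.group(1), {"Label": m.group(2)})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:  # banner lines before the first volume are skipped
            current[m.group(1)] = m.group(2)
    return volumes

def classify(fields):
    if fields.get("Protection Status", "").startswith("Protection On"):
        return "protected"
    if fields.get("Conversion Status") == "Fully Decrypted":
        return "unencrypted"
    return "suspended"  # encrypted or mid-conversion, but protection is off

def audit(text):
    return {drive: classify(f) for drive, f in parse_status(text).items()}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The "suspended" state matters for the Windows To Go note earlier in the thread: a host whose BitLocker was suspended still reports Protection Off until protection is resumed.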
  • horusthesunhorusthesun Member Posts: 289
    Random Windows 8 Knowledge

    When you add multiple gateways under the Advanced TCP/IP settings and change the metric for each gateway, the computer will use the lowest metric as long as it is reachable. When the gateway becomes unreachable, it will use the gateway with the next lowest metric.

    You should use the same Microsoft account to log onto all the computers, to ensure all the computers have the same Windows Store Apps
    * Associate the Windows settings with your user account and make them available when you sign in to your Windows 8 PC
    * Save sign-in credentials for the different apps and websites and associate them with your Microsoft Account
    * Make your purchased Windows apps available on multiple Windows 8 PCs

    Unified Extensible Firmware Interface is the new standard for PC firmware. It has Windows boot components that are incompatible with PCs that still use the older style BIOS firmware.
    In order to configure a Windows To Go USB stick to support both types of machines you need to run this command:

    bcdboot %windir% /s <your USB stick drive letter> /f ALL

    By doing this, you can create a single FAT32 partition at the start of the USB stick that supports booting from either type of PC firmware. In this instance, the Windows 8 OS partition is still protected by NTFS and BitLocker.

    To create a custom system image that can be used for Windows refresh you should use the recovery image creation utility, recimg.exe.
    This utility is designed for creating a snapshot of the OS and installed applications. The snapshot is stored in the .WIM file.