Certification: Exam 70-687: Configuring Windows 8 Part 1: Install and Upgrade to Windows 8 (14%)

Posted by John Bryntze
Published in Certification, Microsoft, Windows 8

Exam 70-687: Configuring Windows 8 is scheduled for 17th September, and instead of waiting for study material I will create my own and post it here. First out is Install and Upgrade to Windows 8, which is 14% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 1 we will look into these 3 objectives:

- Evaluate hardware readiness and compatibility
- Install Windows 8
- Migrate and configure user data

If you write the exam before 31st May 2013 be sure to register for a second shot (which means that if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx).

Evaluate hardware readiness and compatibility

System hardware requirements

- Processor: 1 gigahertz (GHz) or faster
- RAM: 1 gigabyte (GB) (32-bit) or 2 GB (64-bit)
- Hard disk space: 16 GB (32-bit) or 20 GB (64-bit)
- Graphics card: Microsoft DirectX 9 graphics device with WDDM driver

determine whether 32 bit or 64 bit is appropriate

The only real reasons to run the 32-bit version of Windows 8 are that you run older hardware with a CPU that only supports the 32-bit architecture, or that a critical piece of software or a driver only exists in 32-bit, such as a VPN client or an older scanner (but in that case upgrading the software would be a better idea). A 32-bit OS cannot run any 64-bit software.

There are many more reasons to run the 64-bit version: the Windows 8 feature Hyper-V (version 3) only exists in the 64-bit version, and a 64-bit OS can address more than 4 GB of memory and make it usable to the system if it exists. Most 32-bit software can be installed on a 64-bit OS, all except software that goes deep into the system, such as a VPN client.

If you are running hardware that is not too old and all your applications can run on a 64-bit OS, then 64-bit Windows 8 should be the most appropriate.

determine screen resolution

The only reason I can see why the Windows 8 exam has a section on screen resolution is the new Metro user interface: Metro style applications require a minimum screen resolution of 1024x768, and 1366x768 for the snap feature (running a Metro application side by side with another Metro app or the desktop).

Windows 8 won't give you the option to set a resolution lower than 1024x768 unless you go into advanced settings.

If you go into advanced settings and change to a non-supported screen resolution and start a Metro application, you get this error message: The screen resolution is too low for this app to run

choose between an upgrade or a clean installation

Personally I always prefer a clean installation, but for the exam you need to know that you can only upgrade a 32-bit OS to Windows 8 32-bit, and likewise only a previous 64-bit OS to Windows 8 64-bit.

Any previous Windows 7 edition (home/premium/professional/ultimate/enterprise) can be upgraded to Windows 8 and retain:

- Applications
- Windows settings
- Personal files

Windows Vista with Service Pack 1 or higher can be upgraded to Windows 8 and retain:

- Windows settings
- Personal files

Windows Vista with no service pack and Windows XP with Service Pack 3 can be upgraded to Windows 8 but only retain:

- Personal files

So remember that only Windows 7 can do a true in-place upgrade that keeps applications (there are a few applications that won't run in Windows 8), all Windows settings and personal files; the others will install Windows 8 but only keep either Windows settings or personal files or both.

determine which SKU to install

Windows 8 will exist in 4 different SKUs (Stock-keeping Units).

1. Windows 8
2. Windows 8 Pro
3. Windows 8 Enterprise
4. Windows 8 RT

Windows 8: the most basic version (cannot join a domain); only the Windows 7 editions Starter, Home Basic and Home Premium can be upgraded to this version.

Windows 8 Pro: includes all standard Windows 8 features; all Windows 7 editions (except Enterprise) can be upgraded to this version.

Windows 8 Enterprise: includes all standard Windows 8 features plus Windows to Go, DirectAccess, BranchCache, RemoteFX and Metro style application development. This edition can only be acquired by Software Assurance customers.

Windows 8 RT: you cannot really choose this edition since it comes pre-installed on ARM processors and can therefore not run any previous Windows programs.

Basically, Windows 8 RT can only be installed on ARM processors, Windows 8 is for home use, Windows 8 Pro is for businesses that don't have Software Assurance, and Windows 8 Enterprise is for those with Software Assurance agreements.

Install Windows 8

install as Windows to Go

Windows to Go is an Enterprise feature which makes it possible to boot Windows 8 from a USB 2/3 stick; the first boot takes longer due to driver installs, but all boots after that go faster.

One way (not the way the exam will ask about) to install Windows to Go onto a USB stick/disk is to open an elevated CMD prompt with ImageX.exe (get it from the Windows ADK: http://www.microsoft.com/en-us/download/details.aspx?id=29929) and the ISO of Windows 8, and extract the install.wim file.

When you have all that and have NTFS-formatted the USB disk, run this command in the elevated CMD prompt (make sure imagex.exe is in your path; in the example below the USB drive letter is E:):

    imagex.exe /apply install.wim 1 E:\

Once imagex has finished applying the wim file, make the drive bootable by running this command:

    bcdboot.exe E:\windows /s E: /f ALL

Now you have a USB drive that can boot on any hardware, even on a Mac (depending on which ISO media you used you could be limited to only 32-bit hardware).

Another way to install Windows to Go, and the more official way (read: what will be asked on the exam), is to launch the Windows To Go Creator Wizard on a Windows 8 Enterprise edition machine.

Exam tip: Know that Windows To Go can only be created from Windows 8 Enterprise edition, and that for the license you need Microsoft Software Assurance; then you can even run this on a home computer.

To create one of these, start the Windows To Go wizard from a Windows 8 Enterprise machine.

Windows To Go supports both USB 2.0 and 3.0, but USB 3.0 is of course recommended for better performance. Insert an external/removable USB disk and it shows up; as seen below, all removable disks must be Windows To Go certified to be accepted, but all external fixed disks are supported.

Notice that the wizard lets you know that the device is USB 2.0 and that USB 3.0 is recommended, but it won't stop you from using it. When a supported device is inserted the Next button activates; choose the disk you want to put Windows To Go on and press the Next button to continue.

Now you need to have the source files (basically an install image from Windows 8 Enterprise, install.wim), either on an inserted DVD or on a mounted install ISO. If the wizard does not already see it, click Add search location and browse to it. Once it is found, click the Next button to continue.

You can enable a BitLocker password, which must be typed in before the OS loads (take care with the keyboard layout, it will be US-EN when booted on a standard boot.wim). Once everything is configured, press the Next button to continue.

Here you will get a summary and also be warned that the USB drive will be reformatted and any data on it will be lost. Press Create to start the creation of the Windows To Go USB drive.

This process will take a while; it depends on the disk itself, but about 10 minutes.

When finished you can choose boot options (Do you want to automatically boot from it when you restart your PC?):

- Yes: it will modify boot to automatically boot from this USB disk.
- No: you will have to manually choose to boot from it, for example on a Dell press F12 and choose USB device.

If you chose Yes and want to test it directly, press Save and restart; otherwise (and if you chose No) press Save and close.

migrate from Windows XP or Windows Vista

Migrating from Windows XP with Service Pack 3 to Windows 8 works only to the 32-bit version of Windows 8 (since XP with SP3 only exists in 32-bit). Setup renames the previous Windows folder to windows.old, installs a new Windows 8 and then migrates over personal files (no programs or Windows settings will be kept).

Migrating from Windows Vista with no service pack migrates the same as above for Windows XP; you can migrate to the Windows 8 64-bit OS if the previous Vista was 64-bit.

Migrating from Windows Vista with Service Pack 1 or later migrates Windows settings and personal files but not programs.

upgrade from Windows 7 to Windows 8 or from one edition of Windows 8 to another edition of Windows 8

Upgrade from Windows 7 to Windows 8 in place on the same machine: the Windows 8 Setup program will scan your PC to determine whether it can run Windows 8 and which apps and devices are compatible, and provide a report that you can save or print.

If you are currently running Windows 7 Starter, Home Basic or Home Premium you can upgrade to either Windows 8 or Windows 8 Pro; if you are using Windows 7 Professional or Ultimate you can only upgrade to Windows 8 Pro. Windows 7 Enterprise cannot be upgraded and needs a fresh install (normally not an issue, since enterprises normally have enterprise tools to reinstall).

Upgrade from one edition of Windows 8 to another edition: it is my guess that this only means upgrading from Windows 8 to Windows 8 Pro, since you cannot upgrade to Windows 8 RT, and Windows 8 Enterprise you can only get through Software Assurance; I doubt you can downgrade from Windows 8 Pro to Windows 8.

Anyway, to upgrade to a different edition launch Get more features with a new edition of Windows.

Here you either buy a new product key (for Windows 8 Pro) or, if you already have one, enter it to upgrade; all files, settings and programs stay the same. (The screenshot below shows the Release Preview version; not sure if that can be upgraded, but either way that won't be an exam question.)

install VHD

Boot from Virtualized Hard Drive (VHD) is a feature in Windows 8 Pro and Windows 8 Enterprise (not in Windows 8 and Windows 8 RT).

First we need to create the VHD with either diskpart or Disk Management; 50GB is a good starting size.

Once it is created, initialize the disk and be sure to choose MBR (GPT doesn't work ATM but maybe in the future).

Then create a new simple volume formatted with NTFS.

Once ready we apply our Windows 8 WIM to the VHD with ImageX, à la:

    imagex /apply [path to wim]\install.wim 1 [drive letter for VHD]

When the VHD file contains our Windows 8 WIM we just need to make it bootable with BOOTSECT.EXE, using the command below.

    bootsect /nt60 [Drive letter of VHD] /mbr

The last step is to Mark Partition as Active in Disk Management.

Now you have a bootable Windows 8 VHD (to actually use it you need to change the boot sector to use it).

Migrate and configure user data

migrate user profiles

To migrate a user profile from one machine to Windows 8 you have many ways; for the exam I assume these 2 ways will be tested:

1. Windows Easy Transfer (MigWiz.exe) (home/SOHO tool)
2. USMT: User State Migration Tool (enterprise tool)

Windows Easy Transfer

Works well for home users and one-time user profile migration. When you run through the wizard (MigWiz.exe) you get 3 options to use: An Easy Transfer Cable, A Network (will give a code that needs to be used as authentication), or An external hard disk or USB flash drive.

If you choose An external hard disk or USB flash drive and your old PC is running Windows XP or Windows Vista, you need to install Windows Easy Transfer.

For more detailed information on how to run this follow this link: http://www.addictivetips.com/windows-tips/transfer-files-settings-from-windows-7-to-windows-8/

USMT: User State Migration Tool

Works well in the enterprise; it can be heavily customized and run scripted/automated.

USMT version 5 (compatible with Windows 8) is included in the Windows ADK (which replaces WAIK) and can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=30652

USMT 5 works as before, with scanstate.exe to capture files and settings and loadstate.exe to apply the files and settings captured by scanstate.exe, and it still uses XML files to define what should be captured.

USMT 5 still works with Windows XP and later.

For more detailed information about USMT version 5 follow this link: http://blogs.technet.com/b/askds/archive/2012/04/13/new-usmt-5-0-features-for-windows-8-consumer-preview.aspx

configure folder redirection

Folder Redirection is a good way to make the user profile virtual and accessible from multiple devices (roaming profiles are another). It is nothing new for Windows 8 and Windows Server 2012, but some extra features have been added.

Since this exam is a Windows 8 exam and not a Server 2012 exam, I will only list the new Local Group Policy objects for Folder Redirection.

Do not automatically make specific redirection folders available offline

As the name implies, if you enable this policy you need to check each folder that you don't want to be automatically available offline; the user can still manually select files and set them as available offline (it just won't be done automatically).

Enable optimized move of content in Offline File cache on Folder Redirection server path change

If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location.

Redirect folders on primary computers only

A new feature which requires an Active Directory schema update on Windows Server 2012 that adds a new attribute for setting a user's primary computer, so that you can exclude redirected folders on, for example, training/test and conference machines.

configure profiles

Not sure what this exam objective is asking for; I will update this when I find out. It could be something linked to the new account type.

With a Microsoft account you have more freedom to use it on any machine than with a local or domain account, and your profile is also saved in the cloud.

Certification: Exam 70-687: Configuring Windows 8 Part 2: Configure Hardware and Applications (16%)

Posted by John Bryntze
Published in Certification, Microsoft, Windows 8

Exam 70-687: Configuring Windows 8 is scheduled for 17th September, and instead of waiting for study material I will create my own and post it here. Part two is Configure Hardware and Applications, which is 16% of the whole exam: http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 2 we will look into these 6 objectives:

- Configure devices and device drivers
- Install and configure desktop applications
- Install and configure Windows Store applications
- Control access to local hardware and applications
- Configure Internet Explorer
- Configure Hyper-V

If you write the exam before 31st May 2013 be sure to register for a second shot (which means that if you fail it you can retake it for free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx).

Configure devices and device drivers

install, update, disable, and roll back drivers

Nothing related to this exam, but there are few native Microsoft Windows 8 drivers at today's date; Windows 7 drivers most often work just fine.

Note: Nearly nothing has changed in driver management, so if you used this in XP/Vista/7 you can skip this part.

All x64 device drivers must have a digital signature; boot-critical drivers must have an embedded signature.

To install a driver you can do as always: download the correct driver and run the setup file.

Drivers get updated regularly and Microsoft keeps some drivers on Windows Update, which you can access from Device Manager with Update Driver. Alternatively, download the driver from the manufacturer (often a later driver) and either install it or click Update Driver in Device Manager (see image above).

To disable a device you can either right-click the device itself in Device Manager or press Disable on the Driver tab (see the image above).

If you update a driver and the device starts malfunctioning, you have the option to Roll Back Driver; the system has kept the previous driver and puts it back (if this option is greyed out there never was a previous driver).

resolve driver issues

It is not unlikely that if you manually install Windows 8 on hardware from before 2012 (and even from 2012) and look in Device Manager at first start, you have some devices that are missing drivers; those are shown with a yellow triangle icon with a yellow ! in it. To resolve this driver issue just download the correct driver and install it.

If a device icon shows a down arrow in a circle, the device has been disabled. To resolve this driver issue just right-click the device and choose Enable; make sure that it doesn't go into another state such as missing driver.

configure driver settings

In Device Manager you can right-click a device and choose Properties. Some device drivers have settings, such as whether a network device should run when the machine is low on battery, or the wireless mode (a/b/g) of a WiFi adapter.

Install and configure desktop applications

set compatibility mode

Right-click any exe file and choose Properties; there you see a tab called Compatibility.

Here you can specify that the exe file should run as under a previous Windows version; notice that Windows NT 4 isn't on the list. This can be useful if you run an older program that could run on Windows 8 but is hard-coded to check for a specific Windows version and only runs on that.

You can also reduce the color mode and screen resolution, and run as administrator (if you experience UAC issues).

install and repair applications by using Windows Installer

Windows Installer = MsiExec

Using Windows Installer requires that the install files include an MSI file. Some software comes only as an exe file that extracts an msi file to a temp folder and runs it; all Apple software such as QuickTime, iTunes etc. works that way. Then you have programs that come natively in MSI format, such as 7-Zip, Adobe Flash Player and so on, and you also have programs that don't come as msi at all but with their own installer, such as Firefox and VLC; those you need to package yourself to get them in MSI format if needed (if you deploy software with GPO you need them in msi format).

So if you run an exe install file or an msi directly in explorer.exe you get to answer some questions in a wizard.

To run from the command line you can answer these questions and run this silently with msiexec; below is a typical example:

    msiexec /i c:\jbkb\jbkb-1.0.0.msi /qn /norestart

/i = install, /qn = quiet and no user interface, /norestart = no restart even if the program demands one.

To repair you can go to Programs and Features, right-click the program you want to repair and choose Change.

Then choose Repair and follow the instructions.

You can also repair with MsiExec, as in the example below:

    msiexec /fo c:\jbkb\jbkb-1.0.0.msi

/f = repair, /o = repair only if a file is missing or an older file is installed.

configure default program settings

On the command line you can use dism.exe to export settings from a machine to XML, modify the XML file and import it to the machine that needs these program settings.

In the GUI go to Control Panel\Programs\Default Programs\Set Default Programs to modify the default program settings.

modify file associations

On the command line you can use Assoc or Dism to view and modify file associations.

In the GUI you can go to Control Panel\Programs\Default Programs\Set Associations and modify the file associations you want.

manage App-V applications

Unfortunately there is no native App-V client in Windows 8, but App-V 5.0 (currently in Beta) and later is supported in Windows 8.

It is unsupported, but it works to install App-V 4.6 with SP; watch out, though, since Windows 8 isn't on the valid list in the OSD file.

Install and configure Windows Store applications

install, reinstall, and update Metro applications

To install a Metro (now Modern UI Style) application simply go to the Store app and start typing the name of the app that you want.

Then simply click the Install button to start downloading and installing the application.

To reinstall an application that you uninstalled or had on another machine, go into the Store, right-click and choose Your apps, and you will be able to reinstall the applications.

If an update becomes available for an app you will see this in the Store; simply click App updates and choose to update all or select the ones you want to update.

restrict Windows Store content

Each Windows Store app has an age rating, depending on whether it contains violence/sex/weapons and other content inappropriate for children (or adults).

You can then restrict the Windows Store content (well, what you can see) by using Family Safety (Parental Control). It doesn't show up by default on a domain-joined Windows 8 machine, but you can make it visible by enabling the Make Family Safety control panel visible on a Domain GPO.

Restriction is set per user account (it only works for standard/non-admin users but is set by an admin). Under Control Panel\All Control Panel Items\Family Safety\User Settings\Game and Windows Store Restrictions check the [Username] can only use games and Windows Store apps I allow radio button, then click Set game and Windows Store ratings.

Here you can decide how it should handle games (apps) with no rating and, more importantly, restrict content based on age rating:

1. Early Childhood for 3+ ratings
2. Everyone for 6+ ratings
3. Everyone 10+ for 10+ ratings
4. Teen for 13+ ratings
5. Mature for 17+ ratings
6. Adults Only for 18+ rating

add internal content (side loading)

Sideloading means installing an app without going through the Windows Store; this could be LOB apps. These don't have to be certified or installed through the Windows Store, but they must be signed with a certificate trusted by the machine that will install the app.

Note: Not 100% sure, but the TechNet documentation specifically mentions Windows 8 Enterprise (and Server 2012), so it is possible this is only supported on the Enterprise edition (but the GPO doesn't mention it).

If your machine is not joined to the domain you must activate a sideloading key before you can run the app.

If your machine is joined to a domain just enable the GPO Allow all trusted apps to install before you can add a sideloaded app and run it.

If the above is not fulfilled the app tiles will show an X in the bottom right corner.

To install sideloaded apps you can use 2 tools, dism.exe and PowerShell.

PowerShell command:

    Add-AppxPackage C:\JBKB.appx -DependencyPath C:\JBKBccc.appx

Dism.exe command:

    DISM /Online /Add-ProvisionedAppxPackage /PackagePath:C:\JBKB.appx /SkipLicense

disable Windows Store

To disable the Windows Store just enable the [User | Computer] Configuration -> Administrative Templates -> Windows Components -> Store -> Turn off the Store application GPO.

Notice that Windows RT can use Local Machine Policies, but take care because the Group Policy Client service, gpsvc, is disabled by default on Windows RT.

Control access to local hardware and applications

configure AppLocker

New in AppLocker for Windows 8 is that you can restrict packaged apps and packaged app installers (.appx). Otherwise it works pretty much the same as in Windows 7 and works only in the Enterprise edition (you can create AppLocker rules in other editions but not use them).

To configure AppLocker you either use the preferred global Group Policy or, as in this post, the Local Computer Policy; navigate to Computer Configuration -> Windows Settings -> Security Settings -> Applications Control Policies -> AppLocker.

If you for example want to restrict normal users (local administrators are excluded by the default rules) from running a specific app (*appx), you can either manually create a rule for each approved or not approved app, or you can scan a template computer that has all apps already installed and set only those to allowed. I will go through both examples; this also works for Executable Rules (.exe, .com), Windows Installer Rules (.msi, .msp, .mst) and Script rules (.ps1).

Manually Create an AppLocker Rule

Start by right-clicking Packaged app Rules and choosing Create New Rule...

A wizard starts at Before You Begin, which explains what the wizard will do; just click Next > to continue.

At Permission you decide the action, Allow or Deny; if two rules exist for the same application the Deny rule wins. Here you also decide which group the rule applies to; the default is Everyone. In this example we set Allow for Everyone and then press the Next > button.

At Publisher you either browse/select an app that is already installed or an app reference. In this example we press the Select button and check the Microsoft SkyDrive app, and then slide up to Package Name and change Package Version from the version number to * (any version), which means that even if we update SkyDrive it will still be allowed to run. To continue press the Next > button.

At Exceptions you can specify exceptions to the rule; in this example we have no exceptions and continue by pressing Next >.

At Name you name the rule (the image shows the default name given) and you can also add a description, such as why this rule was created and the goal with it. Press Create to finish the rule.

Automatically Generate AppLocker Rules

Start by right-clicking Packaged app Rules and choosing Automatically Generate Rules...

A wizard starts, and on the first page you have to choose who these rules will apply to; the default is the Everyone group but you can browse to any group. You also have to choose whether it should generate rules for the apps that are already installed on the machine you are running the wizard from, or from a folder where you put all the apps. In this example we leave the default Everyone group and the radio button on Generate rules for all packaged apps installed on this computer, and set a suitable name for these rules. Press the Next > button to continue.

At Rule Preference you have only one choice, which is enabled by default: Reduce the number of rules created by grouping similar applications. Press the Next > button to continue.

The wizard will now crawl through all installed packaged apps on the machine.

At Review Rules you get an overview of how many rules were created for the packaged apps; if you left the default in the previous step the number of rules is lower. If you are happy with the rules press the Create button.

Now you see the extra rules created, all starting with the name specified at the start of the wizard.

Active AppLocker rules

If enforcement is not configured, the rules are enforced by default, unless a Group Policy defines it, in which case that value overrides.

To configure enforcement on a local machine, right-click AppLocker and choose Properties. Choose for each section; if you don't want to enforce the rules you created you can choose Audit Only, and you will only see what would have been blocked, but AppLocker won't block anything.
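
The rule behaviour described above (Deny wins over Allow, a * version survives app updates, Audit Only logs instead of blocking) can be modelled in a few lines. This is an added example, not code from the original post and not AppLocker's own implementation; the group "Kiosk Users", the version numbers and the use of "Microsoft SkyDrive" as a package name are constructed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PackagedAppRule:
    action: str         # "Allow" or "Deny"
    group: str          # group the rule applies to, e.g. "Everyone"
    package_name: str   # "*" matches any package
    version: str = "*"  # "*" matches any version, otherwise one exact version

    def matches(self, user_groups, package_name, version):
        return (
            self.group in user_groups
            and self.package_name in ("*", package_name)
            and self.version in ("*", version)
        )


def decide(rules, user_groups, package_name, version):
    """Return (decision, reason) for one launch attempt."""
    hits = [r for r in rules if r.matches(user_groups, package_name, version)]
    if any(r.action == "Deny" for r in hits):
        return "Deny", "explicit deny rule"      # Deny always wins
    if any(r.action == "Allow" for r in hits):
        return "Allow", "allow rule"
    # Once a rule collection has rules, anything not allowed is blocked.
    return "Deny", "no allow rule matched"


def launch(rules, mode, user_groups, package_name, version):
    """mode is "Enforce" or "AuditOnly". Return (app_runs, event_text)."""
    decision, reason = decide(rules, user_groups, package_name, version)
    if decision == "Allow":
        return True, "allowed"
    if mode == "AuditOnly":
        return True, "audited: would be blocked (%s)" % reason
    return False, "blocked (%s)" % reason


# Constructed sample policies.
APP = "Microsoft SkyDrive"
PINNED = [PackagedAppRule("Allow", "Everyone", APP, "1.0.0.0")]
ANY_VERSION = [PackagedAppRule("Allow", "Everyone", APP, "*")]
WITH_DENY = ANY_VERSION + [PackagedAppRule("Deny", "Kiosk Users", APP, "*")]

STANDARD_USER = {"Everyone"}
KIOSK_USER = {"Everyone", "Kiosk Users"}

if __name__ == "__main__":
    # A rule pinned to one version stops matching after the app updates.
    print(decide(PINNED, STANDARD_USER, APP, "1.1.0.0"))
    print(decide(ANY_VERSION, STANDARD_USER, APP, "1.1.0.0"))
    # The same user is covered by an Allow and a Deny rule: Deny wins.
    print(launch(WITH_DENY, "Enforce", KIOSK_USER, APP, "1.1.0.0"))
    print(launch(WITH_DENY, "AuditOnly", KIOSK_USER, APP, "1.1.0.0"))
```

Running a new policy in Audit Only first and reviewing the "would be blocked" events is the way to find missing Allow rules before enforcement locks users out.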

configure access through Group Policy or local security policy

It is unclear what this objective is aiming at, but I guess it is Software Restriction Policies.

This is nothing new in Windows 8 and existed before, so most likely there are not too many questions on this topic on the exam.

There are 3 different security levels (the default is Unrestricted):

1. Disallowed: software will not run, regardless of the access rights of the user.
2. Basic User: allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible by normal users.
3. Unrestricted: software access rights are determined by the access rights of the user.

To create a Software Restriction Policy rule go to: Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies

Right-click Additional Rules and choose one of the 4 rule types:

1. Certificate Rule
2. Hash Rule
3. Network Zone Rule
4. Path Rule

Certificate Rule: using this can reduce performance; you browse to a certificate and choose a security level.

Hash Rule: more secure than a Path Rule, since if a file is modified by malware or the like it will get another hash and not be allowed to run.

Network Zone Rule: follows the same zones as Internet Explorer, and you can restrict installation per zone.

Path Rule: easy to implement but less secure; if a file exists in a certain path it can, depending on the security level, be allowed to run, but if malware replaces a file in the path it will be allowed to run (as opposed to hash rules).
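
The difference between a Path Rule and a Hash Rule when a file is replaced can be checked with a small model. This is an added example, not code from the original post and not the Windows implementation; it assumes an allow-list setup where the default security level is Disallowed, uses SHA-256 as the digest, and works on constructed stand-in files in a temporary folder.

```python
import hashlib
import os
import tempfile

DISALLOWED = "Disallowed"
UNRESTRICTED = "Unrestricted"


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def _norm(path):
    # Windows paths are case-insensitive; normcase handles that on Windows.
    return os.path.normcase(os.path.abspath(path))


class PathRule:
    """Matches a file by location only: the file itself or anything below a folder."""

    def __init__(self, path, level):
        self.path, self.level = _norm(path), level

    def matches(self, file_path):
        target = _norm(file_path)
        return target == self.path or target.startswith(self.path + os.sep)


class HashRule:
    """Matches a file by content only, wherever it is stored."""

    def __init__(self, digest, level):
        self.digest, self.level = digest, level

    def matches(self, file_path):
        return sha256_of(file_path) == self.digest


def evaluate(file_path, rules, default_level=DISALLOWED):
    """Return the security level that applies to file_path."""
    for rule in rules:
        if rule.matches(file_path):
            return rule.level
    return default_level


def tamper_demo():
    """Approve a file by path and by hash, replace its content, evaluate again."""
    with tempfile.TemporaryDirectory() as folder:
        exe = os.path.join(folder, "approved_tool.exe")
        with open(exe, "wb") as fh:
            fh.write(b"constructed stand-in for the approved binary")
        path_policy = [PathRule(exe, UNRESTRICTED)]
        hash_policy = [HashRule(sha256_of(exe), UNRESTRICTED)]
        before = {"path": evaluate(exe, path_policy),
                  "hash": evaluate(exe, hash_policy)}
        # Same file name and location, different content.
        with open(exe, "wb") as fh:
            fh.write(b"constructed stand-in for a replaced file")
        after = {"path": evaluate(exe, path_policy),
                 "hash": evaluate(exe, hash_policy)}
    return before, after


if __name__ == "__main__":
    print(tamper_demo())
```

A Path Rule is therefore only as strong as the write permissions on the path it trusts, while a Hash Rule has to be re-created every time the approved file is legitimately updated.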

Path Rule not allowing Windows Media Player to run

manage installation of removable devices

Note: I haven't found anything specifically new in Windows 8 for this, but there are some GPOs that can help manage installation of removable devices; most of those already existed in Windows Vista.

At Local Computer Policy: Computer Configuration -> Administrative Settings -> System -> Device Installation -> Device Installation Restrictions

If you want to prevent installation of removable devices (and prevent existing ones from updating their drivers), enable Prevent installation of removable devices.

If you only want to prevent (or allow) certain removable devices, you must find out the device ID and use Allow installation of devices that match any of these device IDs or, alternatively, Prevent installation of devices that match any of these device IDs. To find out these device IDs you can plug in the device, go to Device Manager, open its properties and read the Hardware IDs; the image below is a Western Digital external USB disk, example: GenDisk, USBSTOR\GenDisk and so on.

Configure Internet Explorer

In Windows 8 you are offered 2 different versions of Internet Explorer 10: one in Modern UI Style mode called just Internet Explorer (no ActiveX support), which is full screen, and one in desktop mode called Internet Explorer for the desktop, which works like previous versions of Internet Explorer, with ActiveX support.

configure compatibility view

Some sites on the Internet check the user-agent string to see which browser version is requesting their content. For example, if a site http://john.bryntze.net knows that its content won't display well in Internet Explorer 6, the site can check the user-agent string and notify users with Internet Explorer 6 that the site won't look good and recommend an upgrade or the like. With Internet Explorer 10 the user-agent string has of course changed, and more than usual, since 10.0 now has an extra digit compared with the earlier MSIE 6.0, 7.0, 8.9, 9.0, so some sites might compare just the first digit and by mistake think version 10.0 is version 1.

Below is the user-agent string for Internet Explorer 10 on Windows 8:

    Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)

So even if a web page would display perfectly in Internet Explorer 10, it might get blocked because the page cannot handle the new user-agent string. One way around this is to enable compatibility view for the site, which makes the browser present itself as Internet Explorer 7 with this user-agent string (note that it still shows Windows 8 (=6.2)):

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/6.0)
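
The first-digit mistake described above, next to a parser that reads the whole version number and uses the Trident token to recognise compatibility view. This is an added example, not code from the original post; the Internet Explorer 6 string is a constructed sample, and the function names and the minimum version of 7 are assumptions made for the illustration.

```python
import re

# The two user-agent strings quoted in the text above.
UA_IE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"
UA_IE10_COMPAT = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/6.0)"
# Constructed sample of an old browser, for comparison.
UA_IE6 = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

MSIE_RE = re.compile(r"MSIE (\d+)\.(\d+)")
TRIDENT_RE = re.compile(r"Trident/(\d+)\.")


def naive_major(ua):
    """Buggy sniffing: looks only at the first digit after 'MSIE '."""
    pos = ua.find("MSIE ")
    if pos == -1:
        return None
    first = ua[pos + len("MSIE "):][:1]
    return int(first) if first.isdigit() else None


def parse_ie(ua):
    """Return reported version, real engine version and compat-view flag, or None."""
    msie = MSIE_RE.search(ua)
    if msie is None:
        return None  # not Internet Explorer
    reported = int(msie.group(1))  # all digits before the dot
    trident = TRIDENT_RE.search(ua)
    # Trident/4.0 shipped with IE8, 5.0 with IE9, 6.0 with IE10.
    # IE7 and older send no Trident token, so fall back to the MSIE value.
    engine = int(trident.group(1)) + 4 if trident else reported
    return {"reported": reported, "engine": engine,
            "compat_view": reported < engine}


def is_unsupported_naive(ua, minimum=7):
    major = naive_major(ua)
    return major is not None and major < minimum


def is_unsupported(ua, minimum=7):
    """Gate on the real engine, so compatibility view does not hide a modern browser."""
    info = parse_ie(ua)
    return info is not None and info["engine"] < minimum


if __name__ == "__main__":
    for ua in (UA_IE10, UA_IE10_COMPAT, UA_IE6):
        print(parse_ie(ua), is_unsupported_naive(ua), is_unsupported(ua))
```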

To configure Compatibility View Settings you use the command bar (if it is not visible press the ALT key) and go to Tools -> Compatibility View Settings.

Here you can add URLs that should be in compatibility view mode (IE7 mode). You can also decide whether all websites should be viewed in compatibility view, or whether all intranet URLs should be in this mode by default (to support intranet applications developed against older browsers). You can also download an updated list that Microsoft provides of sites that are best viewed in compatibility view.

All the above settings can of course be set by Group Policies: User Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Compatibility View

Notice: Nothing new in Internet Explorer 10; all the above has worked and been possible since Internet Explorer 8. The only small novelty is that Microsoft now keeps a compatibility view list for sites that need Flash for Internet Explorer 10 in Advanced UI Style mode (the version without ActiveX but that still has a slim Flash Player, with not all features and draining less battery).

configure security settings

Internet Explorer 10 includes a lot of security settings, most of which already existed in Internet Explorer 9; here are the most common ones with a short description.

InPrivate Browsing: activated by CTRL + SHIFT + P; makes the browser not save any browser history, cookies or temp files during this session. Toolbars and extensions are disabled by default.

Tracking Protection: some providers, such as Google, that provide maps/advertisements and other tools can share this information to give a better experience, but at the cost of less privacy. You can either have it blocked automatically or set allow or block per site.

ActiveX Filtering: if enabled you see a round blue circle with a line going through it; by clicking on it you can make an exception for that website to use ActiveX controls, otherwise they are disabled by default when ActiveX Filtering is enabled.

SmartScreen Filter: on by default; it checks the URL against a Microsoft database to see whether it is flagged as dangerous and, if so, advises you not to visit that site. You can also check a site manually, and you can report a site to Microsoft that you think is a phishing site or the like.

manage add-ons

Not much is new in Internet Explorer 10; it works more or less as in
earlier versions. These settings can be set with Group Policies but
also manually:

Toolbars and Extensions - disable or enable specific ActiveX
controls; some have extra options to configure, but there is no
standard.
Search Providers - add search providers; the default is Bing but you
can add Google, Yahoo and others.
Accelerators - choose accelerators for email, maps and translators.
Tracking Protection - was covered earlier in this blog post; I can
add that you can use your own list but also get a list online.

configure websockets

WebSockets are new in Internet Explorer 10 but have existed in
earlier versions of alternative web browsers; ws:// or wss:// is a
web standard to speed things up where traditional HTML slows down.

I had problems finding how to configure WebSockets; there is no GUI
in Internet Options, but there is one Group Policy setting, Turn off
the WebSocket Object, which can disable WebSockets, which are enabled
by default (which block data access cross domain).

configure Download Manager

Download managers have existed for a long time in alternative
browsers such as Firefox and aren't a new feature in Internet
Explorer 10, but haven't been there in older versions. To reach
Download Manager you either press CTRL + J or go to Options -> View
downloads.

So far pretty basic. This exam sub-objective includes managing
Download Manager; when you are in it you can press the options link
and choose the download location and whether to be prompted when a
download has finished, and that's it! My guess is that this objective
is about managing Download Manager with Group Policies, and there are
a few (yeah, not that many really), all listed below:

Windows Components -> Internet Explorer -> Delete Browsing History ->
Prevent Deleting Download History - As the name implies, users cannot
delete their own download history.

Windows Components -> Internet Explorer -> Prevent users from
bypassing SmartScreen Filter's application reputation warnings about
files that are not commonly downloaded from the Internet - Again as
the name implies, if SmartScreen warns about a downloaded file, users
cannot go around it.

Configure Hyper-V

Hyper-V 3.0 on Windows 8 is the first Hyper-V that runs on a client
OS and it also supports sleep mode.

Exam tip: Remember that Hyper-V can only run on a 64-bit OS, so be
careful with questions mentioning that you want to run Hyper-V on a
32-bit Windows 8; it won't be possible.

create and configure virtual machines

Creating a virtual machine is pretty straightforward in the GUI by
doing the following:

1. Right-click on the Hyper-V server and go to New -> Virtual
Machine, and a wizard starts.
2. At section Before You Begin, just read through and then press the
Next > button to continue.
3. At section Specify Name and Location you do exactly that: you
specify the name of the virtual machine and also its location. The
default location is C:\ProgramData\Microsoft\Windows\Hyper-V\ but I
recommend creating your own root folder and checking the box Store
the virtual machine in a different location. Once done, press the
Next > button to continue.
4. At section Assign Memory you specify how much memory (in
megabytes) the guest OS will use; this of course depends on how much
the OS and the applications on it require. Once decided, press the
Next > button to continue.
5. At section Configure Networking you can choose the network you
want, if one has been created, and add more after the wizard has
finished. Basically you have 3 different types: private, internal and
external. Choose your connection and then press Next > to continue.
6. At section Connect Virtual Hard Disk you have the choice to create
a new virtual hard disk (and set its size in gigabytes), to add an
existing one (the requirement is that it is in VHD or VHDX format),
or to add a virtual hard disk later. Once chosen, press the Next >
button to continue.
7. At section Installation Options you can install the OS now or
later. If you do it now you can access the media from the Hyper-V
physical CD/DVD drive, browse to an ISO file, or install from a
virtual floppy disk (VFD format).
8. At section Summary, verify that all looks good and finish, and the
virtual machine gets created.

Once the wizard has finished you can modify the virtual machine, such
as adding a Legacy Adapter (needed for PXE booting, for example),
adjusting memory, adding more disks and so on.

Under the section Management you have some settings:

Name - you can edit the name or add notes to it.

Integration Services - installed by default on newer Hyper-V aware
OSes but might need to be installed on older Windows OSes.
  Operating system shutdown - the Hyper-V host can do a clean shutdown
  of the guest OS.
  Time synchronization - the guest OS syncs its time against the host
  OS (you can still have a different time zone that adjusts the time,
  of course).
  Data Exchange - provides a mechanism to exchange data between the
  virtual machine and the operating system running on the physical
  computer.
  Heartbeat - the heartbeat service allows the host OS to detect when
  a virtual machine has locked up, crashed or otherwise ceased to
  function. The host OS sends heartbeat messages to the guest
  operating system at regular intervals. It is then the job of the
  Hyper-V Heartbeat Service installed on the guest operating system to
  send a response to each of these heartbeat messages.
  Backup (volume snapshot) - a VSS requester is installed that allows
  VSS writers in the guest operating system to participate in the
  backup of the VM.

Snapshot File Location - by default the same location as the virtual
machines followed by the name of the virtual machine, for example:
C:\Hyper-V Virtual Machines\JBKB-VM01

Smart Paging File Location - same default as Snapshot File Location.
Smart Paging is a memory management technique to provide a reliable
restart experience for virtual machines configured with less minimum
memory than startup memory.

Automatic Start Action - when the host OS starts you have 3 automatic
start actions for the guest OS:
  Nothing
  Automatically start if it was running when the service stopped
  (default)
  Always start this virtual machine automatically

create and manage snapshots

To take a snapshot, simply select the virtual guest you want to take
a snapshot of and click on the Snapshot link.

If you right-click on the snapshot you can delete it, or take a new
snapshot of the current state and then apply the snapshot.

Snapshot location was explained above. It can be changed as long as
no snapshot has been taken; once there is a snapshot you cannot
change the location anymore (it is greyed out). Snapshot files have
the file extension .avhdx

create and configure virtual switches

Virtual switches / Hyper-V VLAN: you can create 3 different types of
virtual switches depending on the needs of your virtual machines, and
one single machine can use multiple virtual NICs that are members of
different virtual switches.

1. External - this virtual switch binds to the physical network
adapter and creates a new adapter that you can see in Control
Panel\Network and Internet\Network Connections, so if a virtual
machine needs contact outside the host machine this one is a must.
2. Internal - this virtual switch can be used to connect all virtual
machines and the host machine but cannot go outside that.
3. Private - this virtual switch can only be used by the virtual
machines.

The 3 different switch types have some smaller configuration options:

External networks - you have to choose in a drop-down box which
physical NIC to bind it to; new in Hyper-V 3 is that you can bind to
a WiFi NIC (there was a dirty, unsupported workaround in Hyper-V 2
that could make it work). You can also choose a virtual VLAN ID.
Internal networks - you can choose a virtual VLAN ID.
Private networks - have no configuration, just a name to choose.

create and configure virtual disks

From within the Hyper-V console you can create virtual disks.
Hyper-V 3 supports 2 different disk formats:

VHD - supports virtual hard disks up to 2,040 GB in size
VHDX - supports virtual hard disks up to 64 TB (this format is not
supported in Hyper-V version 1 and 2)

You have 3 different disk types:

1. Fixed size - creates a VHD or VHDX file that takes up the full
disk size even if it is empty or not used; this can be useful when an
application checks for disk space before it allows installation.
2. Dynamically expanding - uses less space than fixed size and
expands dynamically when disk is needed.
3. Differencing - you can have a static disk and add a differencing
disk where all changes are written. This is, for example, very good
in a lab/training environment where you can restore to default by
just deleting the differencing disk.

You can configure the disk size (remember the limits of VHD and VHDX)
and even copy content from a physical disk/virtual disk to the newly
created virtual disk, or keep it blank.
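
The wizard steps, Management settings, snapshot handling and switch/disk choices from the Hyper-V section above, scripted with the Hyper-V PowerShell module as an added example (not from the original post). The switch name Lab-Private, the memory and disk sizes and the snapshot name are assumptions; the VM name and root folder follow the post's own path example.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V
# Added example, not from the original post.
# Assumed values: switch name, 1 GB memory, 40 GB disk, snapshot name.

$vmName     = 'JBKB-VM01'                    # name from the post's path example
$vmRoot     = 'C:\Hyper-V Virtual Machines'  # own root folder, not the default
$switchName = 'Lab-Private'                  # assumed name
$snapName   = 'clean-baseline'               # assumed name
$vhdPath    = Join-Path $vmRoot "$vmName\Virtual Hard Disks\$vmName.vhdx"

# Hyper-V only runs on a 64-bit OS (the exam tip above).
if (-not [Environment]::Is64BitOperatingSystem) {
    throw 'Hyper-V requires a 64-bit Windows 8 installation.'
}

# Virtual switch: a Private switch connects virtual machines to each other
# only, so a lab guest attached to it cannot reach the physical network.
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -SwitchType Private | Out-Null
}

# Virtual disk: dynamically expanding VHDX (VHD would stop at 2,040 GB).
New-Item -ItemType Directory -Path (Split-Path $vhdPath) -Force | Out-Null
if (-not (Test-Path $vhdPath)) {
    New-VHD -Path $vhdPath -SizeBytes 40GB -Dynamic | Out-Null
}

# Wizard steps 3-6: name and location, memory, networking, hard disk.
if (-not (Get-VM -Name $vmName -ErrorAction SilentlyContinue)) {
    New-VM -Name $vmName -Path $vmRoot -MemoryStartupBytes 1GB `
           -VHDPath $vhdPath -SwitchName $switchName | Out-Null
}

# Management settings. The snapshot location can only be changed while the
# VM has no snapshot, so set it before the first one is taken.
if (-not (Get-VMSnapshot -VMName $vmName)) {
    Set-VM -Name $vmName -SnapshotFileLocation (Join-Path $vmRoot $vmName)
}
Set-VM -Name $vmName -AutomaticStartAction StartIfRunning `
       -Notes 'Lab guest on a private switch'

# Legacy adapter for PXE boot, added once and only while the VM is off.
$hasLegacy = Get-VMNetworkAdapter -VMName $vmName | Where-Object { $_.IsLegacy }
if (-not $hasLegacy -and (Get-VM -Name $vmName).State -eq 'Off') {
    Add-VMNetworkAdapter -VMName $vmName -IsLegacy $true -SwitchName $switchName
}

# Integration services offered to the guest (heartbeat, time sync, ...).
Get-VMIntegrationService -VMName $vmName | Select-Object Name, Enabled

# Snapshot of the clean state; revert to it later with:
#   Restore-VMSnapshot -VMName $vmName -Name $snapName -Confirm:$false
if (-not (Get-VMSnapshot -VMName $vmName -Name $snapName -ErrorAction SilentlyContinue)) {
    Checkpoint-VM -Name $vmName -SnapshotName $snapName
}

# Summary of what was built.
Get-VM -Name $vmName |
    Select-Object Name, State, MemoryStartup, AutomaticStartAction, SnapshotFileLocation
Get-VMSnapshot -VMName $vmName | Select-Object Name, CreationTime
```

The script can be re-run safely: every create step first checks whether the object already exists.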

Certification: Exam 70-687: Configuring Windows 8 Part 3:
Configure Network Connectivity (15%)
Posted by John Bryntze
Published in Certification, Microsoft, Windows 8

Exam 70-687: Configuring Windows 8 is scheduled for 17th September
and instead of waiting for study material I will create my own and
post here. Part three is Configure Network Connectivity, which is 15%
of the whole exam:
http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 3 we will look into these 4 objectives:

Configure IP settings
Configure networking settings
Configure and maintain network security
Configure remote management

If you write the exam before 31st May 2013 be sure to register for a
second shot (which means that if you fail it you can retake it for
free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx)

Configure IP settings

configure name resolution

No big changes from Windows 7: you can either get your name
resolution DNS servers (and/or WINS) from DHCP or manually configure
them in Network and Sharing Center. You can also configure DNS
through the command line:

netsh interface ip set dns "Local Area Connection" static 10.46.0.10

connect to a network

Connect to a network is the exact name of a Windows 8 native app that
shows up if you type it in search. You can also connect in non-Modern
UI mode as before. Here you get, on the right side of your screen, a
list of all possible connections, such as WiFi connections, VPN
connections if any are configured and even DirectAccess if
configured.

configure network locations

I assume network locations are the Network Profiles that have existed
since Windows Vista. You have 3 different ones that you can associate
with different network adapters/networks (these network profiles are
also used by Windows Firewall):

Private - useful at home/SOHO
Guest or Public - useful when connecting to an airport's WiFi spot or
in public places
Domain - for domain networks

For each of these Network Profiles you can decide whether network
sharing and printer sharing should be turned on or off. In Group
Policy Network List Policy Manager you can predefine which Network
Location an SSID gets and whether the user has the right to change
it.

resolve connectivity issues

To resolve a connectivity issue you must first find where the issue
is. Some basic steps:

1. Find out whether it is only one or several machines that have
connectivity issues; if it is multiple computers, it is likely not an
issue on the local machine.
2. If only one machine on the network has the issue, check that it
has an IP address with ipconfig (/all); if not, check the media and
try other outlets, or verify that the machine is within WiFi range.
3. If the machine has a correct IP address, check that it can ping
its gateway; if it can, it is most likely a name resolution issue.
Check that DNS answers with nslookup, or simply ping (or pathping)
john.bryntze.net and see that it resolves to an IP address.

It is very rare, but if using static IP addresses check for IP
address conflicts, or if using DHCP check that two scopes are not
overlapping. You can also right-click on a connection and choose
Troubleshoot problems, and a wizard will suggest some actions.

IPv6

Notice: Extra added due to rumors that Microsoft is starting to push
for IPv6 on exams.

Since Windows Vista IPv6 is enabled by default. Think about a few
things:

IPv6 addresses are 128-bit numbers written in hexadecimal; that means
that instead of the earlier 32 bits there are 128 bits (1 or 0).

Identify a multicast IPv6 address by the fact that it always starts
with FF0.

Identify a link-local unicast IPv6 address by the fact that it always
starts with FE80.

In IPv4 the loopback address is for some strange reason 127.0.0.1
(removing a full A-net), but in IPv6 the loopback address is more
logical: 0000:0000:0000:0000:0000:0000:0000:0001. Know that you can
reduce all the 0000 groups, so this address can be written ::0001 or
even sometimes just ::1

If you are used to a subnet mask such as 255.255.0.0, that is not
applicable in IPv6; IPv6 still uses subnets but the subnet is
included in the address. Of the 128 bits, the first 48 bits are the
network prefix, then the 16 bits after that are the subnet ID, used
to create subnets. The last 64 bits are the device ID.

IPv6 also uses DNS, but host records that were A in IPv4 are AAAA in
IPv6.

Windows 8 supports a lot of tunnel technologies that can transport
IPv6 packets over IPv4 networks, such as Teredo and ISATAP.

A few Windows 8 functions only work with IPv6, such as DirectAccess
and HomeGroup.

Configure networking settings

connect to a wireless network

If it is a wireless network broadcasting its SSID, you just click on
it and connect (it might require some extra steps if a key needs to
be entered, e.g. WEP). If the wireless network isn't broadcasting its
SSID you need to connect to it manually by using Set Up a Connection
or Network and selecting Manually connect to a wireless network; then
specify Network name, Security type, Encryption type and Security key
(needed for WEP, for example).

manage preferred wireless networks

Managing preferred wireless networks is a feature that was introduced
in Windows XP Service Pack 2, and existed until now! No, it still
exists in Windows 8, but you cannot really configure it; it is
automatically managed by Windows 8 itself. Here is a statement:

"To make sure we connect to the right network when multiple networks
are available, Windows maintains an ordered list of your preferred
networks based on your explicit connect and disconnect actions, as
well as the network type. For example, if you manually disconnect
from a network, Windows will no longer automatically connect to that
network. If, while connected to one network, you decide to connect to
a different network, Windows will move the new network higher in your
preferred networks list. Windows automatically learns your
preferences in order to manage this list for you"

Not related to this exam, but you can see the history of SSIDs you
have connected to in this folder per interface, in XML files:
C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{Interface ID}

configure network adapters

Not much has changed in Windows 8 from the previous version. Most
configuration on a network adapter consists of checking protocols;
the protocol that requires configuration is TCP/IP, where you set how
to acquire an IP address, mask, default gateway, DNS/WINS, domain
suffix and so on. On the Sharing tab you can enable Internet
Connection Sharing, which can share a connection with other
computers/devices (mostly for home usage/SOHO).

Pressing the Configure button gives you more configuration options
such as drivers; for WiFi you can modify signal strength, 802.11x
mode, and Power Management, i.e. whether the adapter should shut down
to save battery.

configure location-aware printing

Location-aware printing is not a new feature; it existed already in
Windows 7. It works so that your default printer follows you: at work
you can have one default printer and another at home without manually
switching. Just click on an installed printer in Control Panel and
select Manage default printers.

Be sure Change my default printer when I change networks is selected
and then manage per network which printer you want to be the default.

Location-Aware Printing is dependent upon the Network List Service
and the Network Location Awareness service. If either one of these
services is stopped or malfunctioning, then Windows will not be able
to detect network changes and may not switch default printers as
expected.

Configure and maintain network security

configure Windows Firewall

Windows Firewall hasn't changed a lot either; it now refers to
everything as App and not Program. If you don't see your app in the
list you can add it by clicking Allow another App and then browsing
to the executable file. You can also choose which Network
Profile/Type to allow this for (Domain/Public/Private).

In Allowed apps you can decide which programs can have access and
under which Network Profile by simply checking the check boxes.

The default setting is to not allow incoming connections to any
program that is not in the Allowed apps list.

configure Windows Firewall with Advanced Security

Windows Firewall has existed since Windows XP Service Pack 2; at that
time you could only block inbound traffic, but since Windows Vista
you can block outgoing traffic as well. In Windows Firewall with
Advanced Security you can specify rules for both inbound and outbound
traffic based on Program, Protocol and Ports, and Scope.

Program - You can select one of the following:
  All programs - if you need a rule that applies to all programs and
  then limit it on Protocol and Ports instead.
  This program path - example: c:\program files\jbkb\jbkb-test.exe
  Services - drop-down list to decide whether it applies to all
  programs and services, only services, a specific service or a
  service short name

Protocol and Ports - The most common protocols are TCP and UDP, but
you can also specify others such as ICMP (ping, for example), GRE
(for some VPNs) etc., or use Custom and type in any existing
protocol. If you choose TCP or UDP you also need to specify port
numbers, local and remote. An example rule could be to block Local
Port/All Ports to Remote Port/Port 25 to block malware from trying to
send spam directly. You can also specify all protocols/ports and
restrict on programs instead.

Scope - there are two sections to fill in:
  Which local IP addresses does this rule apply to? - the default is
  Any IP address but you can change it and specify an IP address
  range by clicking These IP addresses
  Which remote IP addresses does this rule apply to? - the default is
  Any IP address but you can change it and specify an IP address
  range by clicking These IP addresses

Action - If all the above conditions are met you can decide what
action will happen, one of these 3:
1. Block the connection - default option
2. Allow the connection
3. Allow the connection if it is secure - if the connection uses
IPsec (explained in the section below) it is allowed.

Profile - Here you choose whether this rule applies to the Domain
and/or Private and/or Public Network Profile.

Name - Enter a Name for the rule and an optional Description.

configure connection security rules (IPSec)

Connection Security Rules are created within Windows Firewall with
Advanced Security; just right-click and choose New Rule and you can
create a new connection security rule.
With a Connection Security Rule you can specify which
networks/clients need IPsec security, based on Endpoints,
Requirements, Authentication Methods, Protocol and Ports and Network
Profile.

Endpoints - Create a secure (IPsec) connection between the computers
in Endpoint 1 and Endpoint 2. You have two settings to configure:
1. Which computers are in Endpoint 1?
   Any IP address (default)
   These IP addresses
2. Which computers are in Endpoint 2?
   Any IP address (default)
   These IP addresses

Requirements - When do you want authentication to occur? 4 different
choices:
1. Request authentication for inbound and outbound connections - note
that when it says request, it will just check whether authentication
is possible and continue anyway if it is not, as opposed to require,
which is forced.
2. Require authentication for inbound connections and request
authentication for outbound connections - inbound connections must
(= require) authenticate, and outbound connections authenticate if
possible (= request).
3. Require authentication for inbound and outbound connections -
inbound and outbound connections must authenticate, else they fail.
4. Do not authenticate - all connections will work without
authentication.

Authentication Methods - choose between 4 different options:
  Default - the authentication specified in the IPsec settings.
  Computer and user (Kerberos V5) - restrict connections to only
  domain-joined users and computers.
  Computer (Kerberos V5) - restrict connections to only domain-joined
  computers.
  Advanced - here you can specify NTLMv2, certificate, shared secret
  and other authentication methods.

Protocol and Ports - The most common protocols are TCP and UDP, but
you can also specify others such as ICMP (ping, for example), GRE
(for some VPNs) etc., or use Custom and type in any existing
protocol. If you choose TCP or UDP you also need to specify port
numbers, local and remote.

Network Profile - Here you choose whether this rule applies to the
Domain and/or Private and/or Public Network Profile.

Name - Enter a Name for the rule and an optional Description.

configure authenticated exceptions

If some machines cannot authenticate but still need to communicate
you can add them to an Authentication Exceptions list. It is still
configured within Windows Firewall with Advanced Security: create a
new Connection Security Rule and choose Exempt Computers as the Rule
Type.

Exempt computers - You can select which machine(s) should not be
secured with IPsec; you can add an IP address, subnet, IP range or a
predefined set of computers such as DNS servers, default gateway,
DHCP servers and more.

Network Profile - Here you choose whether this rule applies to the
Domain and/or Private and/or Public Network Profile.

Name - Enter a Name for the rule and an optional Description.

To read more:
http://technet.microsoft.com/en-us/library/cc947812%28v=ws.10%29.aspx

configure network discovery

Network Discovery is a feature that has existed since Windows Vista
and is enabled by default in Windows 8; you can disable/enable it per
Network Location (Domain/Private/Public). When on, this feature makes
the machine visible on the network. To modify it go to Network and
Sharing Center -> Change advanced sharing settings; there you set per
Network Profile whether network discovery is turned on or off, with
an extra option to Turn on automatic setup of network connected
devices if it is set to on.
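
The outbound port 25 rule, a require-inbound/request-outbound connection security rule and the per-profile Network Discovery state from the sections above, as an added PowerShell example using the NetSecurity module (not from the original post). The rule names and the 10.46.0.0/24 remote range are assumptions, and the display group name is the English one.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
# Assumed values: both rule names and the remote range 10.46.0.0/24.

$smtpRule  = 'JBKB - Block outbound SMTP'          # assumed name
$ipsecRule = 'JBKB - Require inbound IPsec'        # assumed name
$remoteNet = '10.46.0.0/24'                        # assumed Endpoint 2 range

# Baseline: default inbound/outbound action per Network Profile.
# NotConfigured means the built-in default applies (inbound is blocked
# unless a rule allows it).
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Outbound rule: Program = all programs, Protocol = TCP, Local Port = all,
# Remote Port = 25, Action = Block, applied to all three profiles.
if (-not (Get-NetFirewallRule -DisplayName $smtpRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $smtpRule `
        -Description 'Stop programs on this client from sending mail directly' `
        -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort 25 `
        -Profile Domain, Private, Public | Out-Null
}

# Connection security rule: Endpoint 1 = any, Endpoint 2 = $remoteNet,
# Requirements = require inbound / request outbound, Authentication
# Method = Default (no auth set named), Profile = Domain only.
# Created disabled so it can be reviewed before it can cut off inbound
# connections from machines that cannot authenticate.
if (-not (Get-NetIPsecRule -DisplayName $ipsecRule -ErrorAction SilentlyContinue)) {
    New-NetIPsecRule -DisplayName $ipsecRule `
        -RemoteAddress $remoteNet `
        -InboundSecurity Require -OutboundSecurity Request `
        -Profile Domain -Enabled False | Out-Null
}
# After testing: Enable-NetIPsecRule -DisplayName $ipsecRule

# Read the rules back the way the GUI property pages would show them.
Get-NetFirewallRule -DisplayName $smtpRule |
    Select-Object DisplayName, Direction, Action, Profile, Enabled
Get-NetFirewallRule -DisplayName $smtpRule | Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort, RemotePort
Get-NetIPsecRule -DisplayName $ipsecRule |
    Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity, Profile

# Network Discovery: which profiles currently have its firewall rules on.
Get-NetFirewallRule -DisplayGroup 'Network Discovery' |
    Group-Object Profile, Enabled |
    Select-Object Name, Count
```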

manage wireless security

There are some changes to wireless in general in Windows 8. Support
has been added for these Wi-Fi authentication types:

WISPr (Wireless Internet Services Provider roaming)
EAP-SIM/AKA/AKA Prime (SIM-based authentication), easier and quicker
when connecting to Wi-Fi hotspots
EAP-TTLS

WISPr is enabled by default in Windows 8 but you can disable it in
Group Policies by disabling Enable Hotspot Authentication.

Configure remote management

This is a client OS exam. For me remote management would be to
install the RSAT tools
http://www.microsoft.com/en-us/download/details.aspx?id=28972 but
again that is for remotely managing server services and I don't think
that is what this exam is after. I hesitate whether Remote Management
would be WinRM, which is enabled by running: WinRM QuickConfig, but
now I am thinking it could be Remote Assistance/Remote Desktop it is
after?

choose the appropriate remote management tools

If you want to remotely help a user and see the same as the user is
seeing, Remote Assistance is the tool (msra.exe).

If you just need to work on the machine (logged-in users get
disconnected, not logged out as in Windows XP) you can use Remote
Desktop (mstsc.exe).

configure remote management settings

Several settings (that are not dependent on each other):

Run WinRM Quickconfig to enable remote management.
Make sure the service Remote Registry is running.
If Remote Assistance is needed, enable Allow Remote Assistance
connection to this computer in Group Policy.
If a Remote Desktop session is needed, enable it in Group Policy and
specify which users have the right (local administrators are added by
default); also decide whether connections require NLA (supported from
Vista clients and later).

modify settings remotely by using MMCs or Windows PowerShell

To modify settings using MMC you can start Computer Management and
then go to Actions -> Connect to another computer.
For some of these settings the Remote Registry service must be
enabled, and of course you need permission on the remote client. To
modify remote settings with PowerShell you can either specify the
remote machine directly, if the PowerShell command itself accepts a
remote machine as input, or run an interactive PowerShell session
with this command (JBKB-Client01 is the remote machine in this
example):

Enter-PSSession JBKB-Client01

Certification: Exam 70-687: Configuring Windows 8 Part 4:
Configure Access to Resources (14%)
Posted by John Bryntze
Published in Certification, Microsoft, Windows 8

Exam 70-687: Configuring Windows 8 is scheduled for 17th September
and instead of waiting for study material I will create my own and
post here. Part four is Configure Access to Resources, which is 14%
of the whole exam:
http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687

In this part 4 we will look into these 4 objectives:

Configure shared resources
Configure file and folder access
Configure local security settings
Configure authentication and authorization

If you write the exam before 31st May 2013 be sure to register for a
second shot (which means that if you fail it you can retake it for
free: http://www.microsoft.com/learning/en/us/offers/secondshot.aspx)

Configure shared resources

configure shared folder permissions

The default share permission is Everyone: Read, but I recommend the
old-school approach of setting Everyone: Full Control on share level
and setting permissions on NTFS level; it is easier to manage that
way. You can configure shared folder permissions in explorer.exe in
two ways:

Share - when using this you cannot decide the share name; it will
have the same name as the folder itself. You are added as owner and
you can add users and give them read or read/write permission.
Advanced sharing - here you can decide the share name, set more
granular permissions and decide cache options.

configure HomeGroup settings

HomeGroup came in Windows 7 and is a 3rd option besides
Domain/WorkGroup. HomeGroup is, as the name implies, most useful at
home, and the security boundary is made up by a password (shared
secret).

Requirements for HomeGroup to work:

IPv6 must be enabled (it is enabled by default).
The following services must be running on all machines in the
HomeGroup:
  DNS Client
  Function Discovery Provider Host
  Function Discovery Resource Publication
  Peer Networking Grouping
  HomeGroup Provider
  HomeGroup Listener
  SSDP Discovery
  UPnP Device Host

A Windows 8 machine that is already a member of a domain cannot host
a HomeGroup but can join one (and still be a member of the domain);
it cannot share its own libraries but can access others'.

To join a HomeGroup hosted, for example, on a Windows 7 machine named
EMMA-LAPTOP, do the following:

1. In Control Panel click HomeGroup; if a HomeGroup exists (and the
machine hosting it is started) you will see it (even if IPv6 is not
enabled). To join this HomeGroup click the Join Now button.
2. A wizard starts, explaining what you will be able to do (if you
are joined to a domain you cannot share your own files, just access
others'). Click Next to continue.
3. You need to know the shared secret; the machines joined to the
HomeGroup can get it by clicking View or print the homegroup password
in Control Panel -> HomeGroup (you only see this option if you are
joined to the homegroup already). When you know the shared secret, or
homegroup password as it is called, type it in and press Next to
continue.
4. If you entered the correct homegroup password you get a
confirmation that you have joined the homegroup (if it was wrong, go
back and retype it correctly). Also, if IPv6 is not enabled you will
get a warning and need to enable it before you can continue.

When your machine is a member of a HomeGroup the Control Panel item
is displayed differently; now you can do the following:

View or print the homegroup password - if another machine needs to
join this homegroup you can click here, see the password in clear
text and share it.
Change the password - if you decide to change the HomeGroup password,
you must change it on all other members of the HomeGroup.
Leave the homegroup - you have to confirm it and get a chance to
cancel the action.
Change advanced sharing settings - there is a section there about
HomeGroup; by default it is managed by Windows and the password, but
you can also do it more WorkGroup-like and use Windows user accounts,
which requires that all members in the HomeGroup have the same
username and password.
Start the HomeGroup troubleshooter - wizard-based; suggests some
actions and tools to fix any issues (it also checks IPv6 and the
services mentioned above).

So in the example with the Windows 7 machine's HomeGroup that we
joined, we can now see in explorer.exe the libraries chosen to be
visible in this HomeGroup (by default Documents isn't shared, but it
is just a check box away from being shared).

configure file libraries

File libraries were new in Windows 7, and the basic idea behind them
was that a lot of people like to create a c:\my-important-data kind
of folder, which would then be located outside the c:\users folder
for indexing and the like. File libraries overcome this, since you
can link those folders into a library and index from the root
c:\users and still get content outside of it.

All libraries are saved by default here:
%appdata%\Microsoft\Windows\Libraries

If, for example, you would like to give everyone in your sales
department a specific library called JBKB-Sales with the folder
C:\JBKB-Sales, you would do the following:

1. Create a new library.
2. Copy it from %appdata%\Microsoft\Windows\Libraries to
c:\JBKB-Sales
3. Enable the Group Policy Location where all default Library
definition files for users/machines reside and set Default libraries
definition location to: C:\JBKB-Sales
4. Now everyone who logs into this machine and applies the GPO will
get the library created in step 1.

Windows 8 gives you 5 default libraries:

Documents
Pictures
Music
Videos
Podcasts

You can right-click on each of them, open its properties and add more
folders than the default ones, for example more music folders (you
cannot change the icon of the default libraries, but if you create
your own library you can choose its icon). You can set one Set save
location and one Set public save location, but you can set both on
the same folder (by default Public is on Public).

configure shared printers

In a printer's properties go to the Sharing tab and you can share the
printer with other machines. This of course requires that the machine
is online for the others to be able to use it. You also have a check
box to decide whether print jobs should be rendered on client
computers. By default, if you install a printer on Windows 8 it will
only install Windows 8 drivers; if the sharing clients are running
another OS such as Windows XP you can add those drivers by clicking
Additional drivers.

set up and configure SkyDrive

Setting up SkyDrive is pretty straightforward; start it.

Once it has finished preparing it will ask you to log in; if you have
no existing account, create a new one.

Now a new folder is created in the profile, %userprofile%\SkyDrive,
with subfolders that sync to the SkyDrive cloud. To configure
SkyDrive you can go to the SkyDrive system tray icon and choose
Settings.

Here you can configure settings such as auto start of SkyDrive,
making this machine available to other devices with the same SkyDrive
account, and letting Office sync the files to SkyDrive so others can
work on a file at the same time. If you want to remove the SkyDrive
connection you can click on the Unlink SkyDrive button.
SkyDrive gives 7GB for free.

configure Near Field Communication (NFC)
Very interesting feature; unfortunately I found nothing to configure
in Windows 8 concerning this, which could be because my test devices
don't support it. What is known is that Windows 8 has built-in APIs
that support NFC, which is an RFID technique to communicate with other
devices supporting NFC. The difference between NFC and for example
Bluetooth is that Bluetooth devices need electricity/battery/power,
whereas an NFC device could be a piece of paper (with an RFID-like tag
in it).
Notice: nothing useful in this section, will update when finding
anything; for now just know that Windows 8 has NFC APIs and supports
it.

Configure file and folder access

encrypt files and folders by using EFS
Know that EFS is only included in the Windows 8 Pro and Windows 8
Enterprise editions.
Know that BitLocker encrypts a whole disk and EFS can be used to
encrypt separate files or folders. EFS has existed since Windows 2000.
To encrypt a folder and/or files:
1. Right-click and choose Properties.
2. Click on the Advanced button.
3. Check the box Encrypt contents to secure data and then press the OK
button.
4. Press the Apply button.
5. Decide if you want to encrypt only this folder or all sub folders
and files within this folder, and then press the OK button.
EFS is only supported on the NTFS file system; when a file is copied
it is decrypted during transfer and encrypted again on the destination
(if NTFS).
All users on the Windows 8 machine will see the folder, but all except
the user who encrypted it won't be able to open the files and read the
content. You can back up the certificate that encrypts your files, so
that if your user is lost or similar you can still decrypt the files,
by running the Manage File Encryption Certificates wizard.
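The same EFS steps from the command line, as an added example that is not part of the original post: it checks for NTFS, encrypts a folder with cipher.exe, verifies the result and backs up the certificate. The folder and backup paths are hypothetical.

```powershell
# Added example (not from the original post). Run as the user who owns the data.
# $folder and $backup are hypothetical paths chosen for illustration.
$folder = 'C:\Data\Payroll'
$backup = Join-Path $env:USERPROFILE 'efs-backup'   # cipher.exe appends .pfx

# EFS is only supported on NTFS, so check the volume's file system first.
$root  = [System.IO.Path]::GetPathRoot($folder)
$drive = New-Object System.IO.DriveInfo $root
if ($drive.DriveFormat -ne 'NTFS') {
    throw "EFS needs NTFS, but $root is formatted as $($drive.DriveFormat)."
}

# Encrypt the folder and all sub folders and files within it
# (the second choice in step 5 of the GUI procedure).
cipher.exe /e "/s:$folder"

# Verify: any file below the folder that lacks the Encrypted attribute
# was skipped (for example because it was open or is a system file).
$notEncrypted = Get-ChildItem -Path $folder -Recurse -File | Where-Object {
    -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted)
}
if ($notEncrypted) {
    Write-Warning "Not encrypted: $($notEncrypted.FullName -join ', ')"
} else {
    'All files under the folder carry the Encrypted attribute.'
}

# Show which users and certificates are able to decrypt one of the files.
$sample = Get-ChildItem -Path $folder -Recurse -File | Select-Object -First 1
if ($sample) { cipher.exe /c $sample.FullName }

# Back up the EFS certificate and private key to a password-protected .pfx,
# the command-line equivalent of the Manage File Encryption Certificates
# wizard. cipher.exe prompts for the password interactively.
cipher.exe /x $backup
```

Store the resulting .pfx away from the machine; without it, a lost profile means the encrypted files cannot be read.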
configure NTFS permissions
Notice: No changes in Windows 8; if you know NTFS don't lose time
reading the below.
The difference from Share permissions is that NTFS permissions always
apply (Share permissions apply only when you access the folder/file
from the network, not locally). By default, NTFS permissions set on a
parent folder are inherited by child folders and files; you can block
inheritance on a child folder and then choose whether you want to copy
the parent's permissions or start from a clean ACL.
Nothing has changed from before: a deny permission always wins over
allow, and it is often a basic design error if you think you need to
set deny access.
Permissions (most common):
Full Control - includes everything, even taking ownership of files.
Modify - includes the permissions Write, Read, and Read & execute.
Write - take care: if you can only write but not read/list, you cannot
see what you save.
Read - if you have only read and no write permission you can open
files but not modify them.
If a user John belongs to the group Marketing, and on a file the NTFS
ACL/ACE specifies that John has Read and the Marketing group has
Modify, the user John has the effective permission Modify; permissions
are cumulative.
If a user Emma belongs to the group Sales, and on a file the NTFS
ACL/ACE specifies that Emma has Read and Write and the Sales group has
deny Write, the user Emma has the effective permission Read (the Deny
wins).

configure disk quotas
Disk quotas are set at disk level (not folder/file level): open the
disk's Properties and go to the Quota tab.
By default it is disabled; you enable it by checking Enable quota
management and then specify options such as whether reaching the quota
should only cause a warning/log entry or have an actual consequence,
by checking Deny disk space to users exceeding quota limit.
Set one limit and one warning; of course the warning must be lower
than the limit. It is funny to see that a client OS offers EB
(exabyte); Windows 8 seems to be an OS built for the future.
Disk Quota is limited because it can only be set per disk, with one
level for all users; running Windows Server 2012 you can set different
limits per user.
configure object access auditing
First make sure Audit object access is enabled for either success or
failure or both, by going to: Local Computer Policy -> Computer
Configuration -> Windows Settings -> Security Settings -> Local
Policies -> Audit Policy
Once that is enabled, nothing will be logged until you specify which
objects (files/folders) should be audited; if you audit everything
there will be too much to read and it will not be useful.
Right-click on the folder you want to audit and choose Properties ->
select the Security tab -> click the Advanced button -> click on the
Auditing tab -> press the Add button.
Fill in who should be audited, and for what actions
(All/Success/Fail).
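The two auditing steps above done from an elevated PowerShell prompt, as an added example that is not part of the original post. The folder path and the choice of auditing Everyone for write and delete are assumptions; the "File System" subcategory is used instead of the whole object access category to keep the log readable.

```powershell
# Added example (not from the original post). Requires an elevated prompt.
# $path is a hypothetical folder; 'Everyone' and 'Write, Delete' are
# illustrative choices for who and what to audit.
$path = 'C:\Data\Finance'

# Step 1: turn on object access auditing. The legacy "Audit object access"
# policy covers the whole category; the File System subcategory alone is
# enough for files and folders and produces far fewer events.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: add an audit entry (SACL) to the folder, inherited by its
# sub folders and files. -Audit is needed for Get-Acl to load the SACL.
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',                          # who is audited
    'Write, Delete',                     # which access rights
    'ContainerInherit, ObjectInherit',   # apply to sub folders and files
    'None',                              # normal propagation
    'Success, Failure')                  # audit both outcomes
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Confirm what is now audited on the folder.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Read back the resulting events: 4663 is "An attempt was made to access
# an object". Only entries for objects below $path are shown.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['ObjectName'] -like "$path*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $data['SubjectUserName']
                Object     = $data['ObjectName']
                Process    = $data['ProcessName']
                AccessMask = $data['AccessMask']
            }
        }
    } | Format-Table -AutoSize
```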
Audit entries are written to the Event Viewer Security log.

Configure local security settings

configure local security policy
You configure local security policies at Local Computer Policy ->
Computer Configuration -> Windows Settings -> Security Settings ->
Local Policies
A few new and updated local policies exist in Windows 8.
Accounts: Block Microsoft accounts
Default is undefined, but it can be set to one of the following:
This policy is disabled
Users can't add Microsoft accounts
Users can't add or log on with Microsoft accounts
Interactive logon: Do not require CTRL + ALT + DEL
Not a totally new policy, but only for Windows 8 is it recommended to
set it to enabled; for Windows 7 and earlier it is recommended to
disable it.
configure User Account Control (UAC) behavior
Configuring UAC behavior is also done with local security policies.
Here are the 10 different settings, the important ones for the exam in
bold:
1. User Account Control: Admin Approval Mode for the built-in
Administrator account. This is disabled by default, which means that
the built-in Administrator account bypasses UAC; if enabled it is
treated like all other administrator accounts.
2. User Account Control: Allow UIAccess applications to prompt for
elevation without using the secure desktop. This is disabled by
default; if enabled it means that applications such as Remote
Assistance can be run without getting blocked by the Secure Desktop.
3. User Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode. This is set to Prompt for
consent for non-Windows binaries by default.
4. User Account Control: Behavior of the elevation prompt for standard
user. This is set to Prompt for credentials on the secure desktop by
default (more about this setting further below in this KB).
5. User Account Control: Detect application installations and prompt
for elevation. This is enabled by default on the Windows 8 edition and
disabled by default on the Pro and Enterprise editions, because in an
enterprise you might deploy applications with SMS/SCCM/GPO and want
them to install silently.
6. User Account Control: Only elevate executables that are signed and
validated. This is disabled by default; even if this is good for
security it is not practical since not all executables are signed.
7. User Account Control: Only elevate UIAccess applications that are
installed in secure locations. This is enabled by default; it only
elevates UIAccess applications installed into %SystemDrive%\Program
Files (including sub-folders), %SystemDrive%\Program Files (x86)
(including sub-folders, for 64-bit editions) and
%SystemDrive%\windows\system32.
8. User Account Control: Run all administrators in Admin Approval
Mode. This is enabled by default, and if it is disabled the whole of
UAC is disabled! Know this for the exam as they will try to trick you
on this one.
9. User Account Control: Switch to the secure desktop when prompting
for elevation. This is enabled by default; all elevation requests go
to the Secure Desktop, which dims the screen until you answer.
10. User Account Control: Virtualize file and registry write failures
to per-user locations. This is enabled by default; if a non-elevated
program tries to write to the HKLM registry or, for example, to
c:\program files, c:\windows\system32 etc. and fails, this setting
makes it write to the user profile instead so the program works. A
good example is http://triplea.sourceforge.net/, a game that wants
saved games to be stored in a sub folder of the game installation,
which by default is in c:\program files; instead they get saved under
%UserProfile%\AppData\Local\VirtualStore

configure Secure Boot
Secure Boot is new in Windows 8 and requires that you use UEFI rather
than a traditional BIOS. Know that UEFI Secure Boot cannot be disabled
in the Windows 8 RT edition.
Know for the exam that if a Windows 8 OS has been installed with a
traditional BIOS there is no way to convert over to UEFI and Secure
Boot; you must reinstall Windows 8.
A UEFI OS install is done differently from a normal OS install: in
BIOS Setup it requires that Boot -> CSM is set to disabled, then
reboot and press F7 to reach the BIOS Boot Selector Menu, and in this
menu choose Built in EFI Shell. At the shell navigate to EFI\Boot and
press Enter, then type BOOTX64.EFI and press Enter; the boot will then
look normal and show Press any key to boot from the CD.
To enable Secure Boot: reboot and press F2 to enter BIOS setup,
navigate to Security -> Secure Boot, set the Secure Boot Mode to
Custom, select Custom Key Management, select Install Factory Defaults
to load the keys, set the Secure Boot Mode back to Standard, then exit
and reboot to the OS.

configure SmartScreen filter
SmartScreen filter is enabled by default, but you can configure it
either manually or by GPO and per Internet Explorer Security Zone; you
can for example disable SmartScreen Filtering in the Trusted and
intranet sites/zones and keep it enabled in the Internet Zone.
You can manually configure one of the following (or use the policy
Configure Windows SmartScreen):
Get administrator approval before running an unrecognized app from the
Internet (recommended) - this is the default
Warn before running an unrecognized app, but don't require
administrator approval
Don't do anything (turn off Windows SmartScreen)
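A read-only check of the local security settings covered in this section (UAC defaults, Secure Boot, Windows SmartScreen), as an added example that is not part of the original post. The registry value names are not given on this page; they are the documented locations as I know them and should be treated as assumptions to verify on your build.

```powershell
# Added example (not from the original post). Read-only; run elevated so
# that Confirm-SecureBootUEFI can query the firmware.
# Registry value names are assumptions taken from Microsoft's UAC
# documentation, mapped to the policy numbers in the list above.
$uacKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$expected = [ordered]@{
    FilterAdministratorToken    = 0   # 1.  disabled by default
    EnableUIADesktopToggle      = 0   # 2.  disabled by default
    ConsentPromptBehaviorAdmin  = 5   # 3.  consent for non-Windows binaries
    ValidateAdminCodeSignatures = 0   # 6.  disabled by default
    EnableSecureUIAPaths        = 1   # 7.  enabled by default
    EnableLUA                   = 1   # 8.  Admin Approval Mode for all admins
    PromptOnSecureDesktop       = 1   # 9.  enabled by default
    EnableVirtualization        = 1   # 10. enabled by default
}

$current = Get-ItemProperty -Path $uacKey
$report  = foreach ($name in $expected.Keys) {
    $prop  = $current.PSObject.Properties[$name]
    $value = if ($prop) { $prop.Value } else { $null }
    $state = if ($null -eq $value)               { 'not set (OS default applies)' }
             elseif ($value -eq $expected[$name]) { 'default' }
             else                                 { 'CHANGED' }
    [pscustomobject]@{
        Setting = $name; Default = $expected[$name]; Actual = $value; State = $state
    }
}
$report | Format-Table -AutoSize

# Policy 8 is the one that switches UAC off completely when disabled.
if ($current.EnableLUA -eq 0) {
    Write-Warning 'EnableLUA = 0: the whole of UAC is disabled on this machine.'
}

# Secure Boot: returns True/False on UEFI systems and throws on machines
# installed in legacy BIOS mode or when the prompt is not elevated.
try {
    "Secure Boot enabled: $(Confirm-SecureBootUEFI)"
} catch {
    "Secure Boot state unavailable: $($_.Exception.Message)"
}

# Windows SmartScreen (Windows 8): assumed value name and data strings.
$explorerKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$ss = (Get-ItemProperty -Path $explorerKey -Name SmartScreenEnabled `
        -ErrorAction SilentlyContinue).SmartScreenEnabled
switch ($ss) {
    'RequireAdmin' { 'SmartScreen: administrator approval required (default)' }
    'Prompt'       { 'SmartScreen: warn only, no administrator approval' }
    'Off'          { Write-Warning 'SmartScreen: turned off' }
    default        { 'SmartScreen: value not set (OS default applies)' }
}
```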
Configure authentication and authorization

configure rights
User rights are configured at Local Computer Policy -> Computer
Configuration -> Windows Settings -> Security Settings -> Local
Policies -> User Rights Assignment
Here you can configure who has the right to Change the system time
(all users in Windows 8 have the right to change the time zone but not
the system time), Take ownership of files and folders, Allow log on
locally and a lot of other rights.

manage credentials
Credential Manager has existed in different forms since Windows XP,
but in Windows 8 it has been updated a little.
You find it at Control Panel -> Credential Manager
It is divided into 2 parts:
Web Credentials - for websites that use credentials but are not system
prompted
Windows Credentials - has 3 sub-sections:
Windows Credentials
Certificate-Based Credentials
Generic Credentials
What's new is that you can back up (and restore) Windows Credentials;
if you back up you have to browse to a save location and the file will
be saved with the .crd extension.
Exam Tip: Be careful if a question asks about backup/restore of
credentials; know that it only works for Windows Credentials and not
Web Credentials.
manage certificates
Certificates are managed with certmgr.msc
If you add the Certificates snap-in from MMC you get to choose which
store to use:
My User Account - same as above, manage user certificates
Service account - gives a UAC prompt, to manage service certificates
Computer account - gives a UAC prompt, to manage computer certificates

configure smart cards
Windows 8 continues to support smart cards; most laptops have smart
card readers built in, but desktop computers need an external smart
card reader. New in Windows 8 is that you can have a virtual smart
card, which doesn't require a physical device but does require that
your machine has a TPM-supported BIOS.
An example of a command to enable virtual smart cards is:
TpmVscMgr create /name MyVSC /pin default /adminkey random /generate
There are 2 Windows services related to smart cards:
Smart Card - set to start-up type Automatic (trigger start) and needed
for smart cards to work; if disabled no usage of smart cards is
possible.
Smart Card Removal Policy - set to start-up type Manual and used so
that if someone removes the smart card the user session is locked,
which is practical for security if users use the same smart card to
leave the building for lunch.

configure biometrics
Biometrics in Windows 8 is built on the Windows Biometric Framework
and relies on the Windows Biometric Service, which is set to start-up
type Manual by default.
This can be used so that, instead of touch scrolling (where your
finger hides what you click on) or using a mouse, you can for example
control the machine with your eyes (this requires 3rd-party software
that uses the Biometric Framework).
By default you are allowed to log on with biometrics, for example with
your thumb, but if you don't want this possibility you can disable it
with a GPO named Allow the use of biometrics

configure picture password
New in Windows 8 is that you can log on with gestures; it of course
works best with a touch screen but you can also do this with the
mouse. If it is a domain user that uses this, the domain password will
be cached in the system vault.
Type Create or change picture password and start that, and you come to
PC settings -> Users; there click on the button Create a picture
password
Here you need to browse for an image on which you will do the gestures
(twice), and then you can use that to log on to the machine instead of
a password (you can still use the password if you fail with the
gestures).
There is also a policy named Turn off picture password sign-in that
can be enabled if this isn't needed.
configure PIN
Sign-in with a PIN code (4-digit code) is not possible for a domain
user; it is not even visible in PC Settings -> Users (if the machine
is not domain joined you see it). To enable it even for domain-joined
computers/users you can enable the policy Turn on PIN sign-in and it
becomes visible.
When you create a PIN code for a domain user you must first enter your
password, then enter a 4-digit PIN code twice.
This is obviously a good sign-in method for touch screens, and after
entering the last digit you don't have to press Enter or anything; it
signs in automatically.

set up and configure Windows Live ID (Microsoft account)
Notice: Windows Live ID has been replaced with Microsoft Account; if
you see a question on the exam mentioning Windows Live ID, read it as
Microsoft Account.
To set up a Microsoft account you can go to PC Settings -> Users and
click on + Add a user
Now a wizard starts. You can use an e-mail address you already have if
it can sign in to Microsoft services (it is a common mistake to think
it can only be a hotmail/MSN/live account; even gmail and all others
can be used if enabled for Microsoft services). If no e-mail address
exists you can create one in this wizard by going to sign up for a new
email address, or create one on this or another machine.
It is with this account that you buy apps from the Windows Store and
sync your settings to the cloud so they follow you regardless of which
machine you log on to.
When you have an e-mail address, type it in and press Next.
It will connect to the Internet and configure, and then finish. You
get one configuration option: if it is a child's account or another
account you want to use Family Safety on, check this box.
Then click Finish
To modify a Microsoft account you can go to Manage User Accounts,
select the Microsoft account and press the Properties button.
On the General tab you fill in user name, full name and description.
On the Group Membership tab you can modify the permission: Standard
user, Administrator or Other (can be backup operator, log viewer etc.,
rarely used for a Microsoft account).
Certification: Exam 70-687: Configuring Windows 8 Part 5: Configure
Remote Access and Mobility (14%)
Posted by John Bryntze
Published in Certification, Microsoft, Windows 8
Exam 70-687: Configuring Windows 8 is scheduled for 17th September and
instead of waiting for study material I will create my own and post
here; part five is Configure Remote Access and Mobility, which is 14%
of the whole exam:
http://www.microsoft.com/learning/en/us/exam.aspx?id=70-687
In this part 5 we will look into these 3 objectives:
Configure remote connections
Configure mobility options
Configure security for mobile devices
If you write the exam before 31st May 2013 be sure to register for a
second shot (which means if you fail it you can retake it for free:
http://www.microsoft.com/learning/en/us/offers/secondshot.aspx)

Configure remote connections

configure remote authentication
For other computers connecting to the Remote Desktop service in
Windows 8, you can configure it to require Network Level
Authentication (NLA), which is more secure: it completes user
authentication before a remote desktop connection is established and
the logon screen appears (this helps against DoS attacks).
The only downside is that not all non-Windows clients (or older
Windows versions such as Windows XP SP2) support NLA, and those then
cannot connect.
To enable Network Level Authentication you just have to check the box
Allow connections only from computers running Remote Desktop with
Network Level Authentication (recommended), or enable the GPO Computer
Configuration -> Policies -> Administrative Templates -> Windows
Components -> Remote Desktop Services -> Remote Desktop Session Host
-> Security -> Require user authentication for remote connections by
using Network Level Authentication
configure Remote Desktop settings
There are settings for those who connect to the Windows 8 machine, and
settings for when you use Windows 8 to connect to Remote Desktop
services.
If Remote Desktop is set to Allow remote connections to this computer,
local administrators will always be able to remote into this machine
with RDP (if it is accessible over the network/Internet and the
firewall port is open), but you can also specify regular users in the
Remote Desktop Users group (it is also a right).
Remote Desktop Connection (MSTSC) can be configured per connection or
saved to an RDP file (it is a clear text file you can modify afterwards
in Notepad if you want):
General - enter the remote host, specify username and password (or
wait until after you are connected); you can also save the settings to
an RDP file or open an existing one.
Display - screen size/resolution, set to full screen by default; you
can also set the color depth.
Local Resources - how much of your local resources you want to bring
to the session; you can add printers, clipboard, smart cards and
drives, and configure audio and keyboard settings.
Programs - any path to a script or program that will be executed once
logged on.
Experience - if your connection is fast you can set a better
experience (fast rendering, wallpaper background, font smoothing and
so on), and on a slower connection a worse experience for a
performance win.
Advanced - Remote Desktop Gateway settings and how to behave if server
authentication fails (default set to warn)
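A host-side check for the two Remote Desktop sections above (NLA requirement and who may connect), as an added example that is not part of the original post. The registry paths and value names are not given on this page; they are the locations as I know them and are labelled as assumptions.

```powershell
# Added example (not from the original post). Read-only check of the
# Remote Desktop host settings; registry locations are assumptions based
# on the standard Terminal Server keys, not taken from this page.
$tsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcpKey = "$tsKey\WinStations\RDP-Tcp"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue {
    # Returns the value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# fDenyTSConnections = 0 means "Allow remote connections to this computer".
$deny       = Get-RegValue $tsKey 'fDenyTSConnections'
$rdpEnabled = ($deny -eq 0)

# UserAuthentication = 1 means NLA is required. A value set by the GPO
# named above takes precedence over the local check box.
$nlaLocal  = Get-RegValue $rdpTcpKey 'UserAuthentication'
$nlaPolicy = Get-RegValue $policyKey 'UserAuthentication'
$nlaSource = if ($null -ne $nlaPolicy) { 'Group Policy' } else { 'local setting' }
$nlaValue  = if ($null -ne $nlaPolicy) { $nlaPolicy } else { $nlaLocal }
$nlaOn     = ($nlaValue -eq 1)

[pscustomobject]@{
    RemoteDesktopEnabled = $rdpEnabled
    NlaRequired          = $nlaOn
    NlaConfiguredBy      = $nlaSource
} | Format-List

if ($rdpEnabled -and -not $nlaOn) {
    Write-Warning 'RDP is enabled without NLA: the logon screen is reachable before authentication.'
    # To require NLA locally (elevated prompt), uncomment:
    # Set-ItemProperty -Path $rdpTcpKey -Name UserAuthentication -Value 1
}

# Local administrators can always connect when RDP is enabled; everyone
# else must be listed in this group, so review it for unexpected accounts.
net.exe localgroup 'Remote Desktop Users'
```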
establish VPN connections and authentication
Notice: So much still works as in Windows 7 that most of the text
below is directly taken from:
http://www.mcmcse.com/microsoft/guides/70-680/remote_connections.shtml
which I recommend everyone to read.
Windows 8 supports 4 types of VPN:
Point-to-Point Tunneling Protocol (PPTP) - Based on PPP, the Point to
Point Tunneling Protocol (PPTP) provides for the secure transfer of
data from a remote client to a private server by creating a
multi-protocol Virtual Private Network (VPN) which encapsulates PPP
packets into IP datagrams. PPTP is considered to have weak encryption
and authentication, therefore, IPsec is typically preferred.
Layer 2 Tunneling Protocol (L2TP) / IP security (IPsec) - L2TP is the
next-generation tunneling protocol partially based on PPTP. To provide
encryption, L2TP acts as a data link layer (layer 2 of the OSI model)
protocol for tunneling network traffic between two peers over an
existing network (usually the Internet). It is common to carry
Point-to-Point Protocol (PPP) sessions within an L2TP tunnel. L2TP
does not provide confidentiality or strong authentication by itself.
IPsec is often used to secure L2TP packets by providing
confidentiality, authentication and integrity. The combination of
these two protocols is generally known as L2TP/IPsec. IPsec ensures
confidentiality, integrity, and authenticity of data communications
across a public network. IPsec is made of two different protocols: AH
and ESP. AH (Authentication Header) is responsible for authenticity
and integrity, while ESP (Encapsulating Security Payload) encrypts the
payload.
Secure Socket Tunneling Protocol (SSTP) - Introduced in Windows Vista.
A tunneling protocol that uses the HTTPS protocol over TCP port 443 to
pass traffic through firewalls and Web proxies that might block PPTP
and L2TP/IPsec traffic. SSTP provides a mechanism to encapsulate PPP
traffic over the Secure Sockets Layer (SSL) channel of the HTTPS
protocol. The use of PPP allows support for strong authentication
methods, such as EAP-TLS. SSL provides transport-level security with
enhanced key negotiation, encryption, and integrity checking.
Internet Key Exchange (IKEv2) - Introduced in Windows 7. IKEv2 is a
tunneling protocol that uses the IPsec Tunnel Mode protocol over UDP
port 500. An IKEv2 VPN is useful when the client moves from one
wireless hotspot to another or when it switches from a wireless to a
wired connection. The use of IKEv2 and IPsec provides strong
authentication and encryption methods.

Authentication
Protocol - Description
PAP - This protocol uses plaintext passwords. Typically used if the
remote access client and remote access server cannot negotiate a more
secure form of validation. PAP is the least secure authentication
protocol. It does not protect against replay attacks, remote client
impersonation, or remote server impersonation. PAP is not enabled by
default for Windows 8 and is not supported by remote access servers
running Windows Server 2008.
CHAP - CHAP uses a 3-way handshake in which the authentication agent
sends the client program a key to be used to encrypt the user name and
password. CHAP uses the Message Digest 5 (MD5) hashing scheme to
encrypt the response. CHAP is an improvement over PAP, in that the
password is not sent over the PPP link. CHAP requires a plaintext
version of the password to validate the challenge response. CHAP does
not protect against remote server impersonation. Although remote
access servers running Windows Server 2008 do not support this
protocol, it is enabled by default for Windows 8 VPN connections for
legacy VPN connections.
MS-CHAP v2 - Supports two-way mutual authentication. The remote access
client receives verification that the remote access server that it is
dialing in to has access to the user's password. MS-CHAP v2 provides
stronger security than CHAP.
EAP-MS-CHAPv2 - Allows for arbitrary authentication of a remote access
connection through the use of authentication schemes, known as EAP
types. EAP offers the strongest security by providing the most
flexibility in authentication variations. This protocol requires the
installation of a computer certificate on the VPN server.
Just like the VPN protocols, by default, Windows first tries to use
the most secure authentication protocol that is enabled, and then
falls back to less secure protocols if the more secure ones are
unavailable.
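Because Windows falls back to weaker protocols when they are left enabled, it is worth listing which VPN connections still allow them. The following is an added example, not part of the original post, using the VpnClient cmdlets that ship with Windows 8; the set of settings it flags follows the descriptions above.

```powershell
# Added example (not from the original post). Lists the VPN connections on
# this machine and flags the tunnel, authentication and encryption
# settings described above as weak. Read-only.
$weakAuth = 'Pap', 'Chap'                    # plaintext / MD5 challenge
$weakEnc  = 'NoEncryption', 'Optional'       # tunnel may be unencrypted

# Per-user connections plus connections shared by all users.
$connections = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
               @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)

$findings = foreach ($c in $connections) {
    $issues = @()

    switch ("$($c.TunnelType)") {
        'Pptp'      { $issues += 'PPTP tunnel (weak encryption and authentication)' }
        'Automatic' { $issues += 'Automatic tunnel type allows fallback to a weaker protocol' }
    }

    foreach ($method in $c.AuthenticationMethod) {
        if ($weakAuth -contains "$method") {
            $issues += "$method authentication is enabled"
        }
    }

    if ($weakEnc -contains "$($c.EncryptionLevel)") {
        $issues += "Encryption level is $($c.EncryptionLevel)"
    }

    [pscustomobject]@{
        Name       = $c.Name
        Server     = $c.ServerAddress
        Tunnel     = $c.TunnelType
        Auth       = ($c.AuthenticationMethod -join ', ')
        Encryption = $c.EncryptionLevel
        Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
    }
}

$findings | Format-Table -AutoSize -Wrap

# Example of pinning one connection to the strongest combination named on
# this page (IKEv2 with EAP and required encryption). 'Corp VPN' is a
# hypothetical connection name; the server must support these settings.
# Set-VpnConnection -Name 'Corp VPN' -TunnelType Ikev2 `
#     -AuthenticationMethod Eap -EncryptionLevel Required
```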
enable VPN reconnect
VPN Reconnect was a feature that came in Windows 7. VPN Reconnect uses
IKEv2 and, as the name implies, automatically re-establishes a VPN
connection when the Internet connection is temporarily lost. This
could be useful for wireless mobile broadband, for example when
traveling on a train that passes through areas without coverage where
the connection is cut.
The only configuration on the client side is to set Network outage
time (default 30 minutes and maximum 8 hours), which decides how long
the connection can be down before it stops trying to reconnect.
manage broadband connections
There is a wizard to create a broadband connection, which basically
just asks for a connection name and saves the username and password
from the ISP. You can also make it usable by all users who use the
machine.
If you modify an existing broadband connection you get more options,
such as modifying authentication protocols, IPv4/IPv6 settings,
Internet Connection Sharing, hang-up settings, PPP settings and
Service Name.

Configure mobility options

configure offline file policies
Offline files is not enabled by default, but is easily enabled by
pressing the Enable offline files button.
There are 2 new Offline Files policies in Windows 8:
1. Remove Work offline commands - it removes the option in
Explorer.exe to make files (folders) available offline.
2. Enable file synchronization on costed networks - it is disabled by
default, which means offline files will not synchronize in the
background on connections that are roaming or close to their data
limit.
configure power policies
By default there are 3 Power Plans:
1. Balanced (recommended) - default
2. Power Saver - uses the least battery power
3. High Performance - uses the most battery power
You can create your own with Group Policy Preferences, but if you only
have access to the local machine, as this exam expects, you can create
your own Power Plan based on one of the 3 existing ones and then
switch by clicking on the battery system tray icon.
Something new in Windows 8 power settings is the GUI for adding
hibernate to the Power Button. By default hibernation is supported (if
the drivers support it) but not visible; the menu looks as below, with
Sleep, Shut down and Restart.
To add hibernation to the Power menu go to Control Panel -> Power
Options -> System Settings and click on Change settings that are
currently unavailable
Now everything that was greyed out before is changeable, such as
checking the box Hibernation (Show in Power Menu). You can also
control whether you want the Lock function in the picture menu.
If you checked Hibernate above, your power button menu will look like
below:
configure Windows to Go
Windows To Go is one of the coolest new features and therefore sadly
only available in the Windows 8 Enterprise edition. It can be seen as
a full version of Windows 8 running (even booting) from a mass storage
device such as USB flash drives and external hard drives.
Exam tip: Know that Windows To Go only can be create