
OFFICIAL MICROSOFT LEARNING PRODUCT

20688D

Supporting Windows 8.1

MCT USE ONLY. STUDENT USE PROHIBITED

Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, e-mail address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.

© 2014 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other trademarks are
property of their respective owners.

Product Number: 20688D


Part Number: X19-17752
Released: 04/2014

MICROSOFT LICENSE TERMS


MICROSOFT INSTRUCTOR-LED COURSEWARE

These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.
BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.
If you comply with these license terms, you have the rights below for each license you acquire.
1. DEFINITIONS.

a. "Authorized Learning Center" means a Microsoft IT Academy Program Member, Microsoft Learning Competency Member, or such other entity as Microsoft may designate from time to time.

b. "Authorized Training Session" means the instructor-led training class using Microsoft Instructor-Led Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. "Classroom Device" means one (1) dedicated, secure computer that an Authorized Learning Center owns or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. "End User" means an individual who is (i) duly enrolled in and attending an Authorized Training Session or Private Training Session, (ii) an employee of a MPN Member, or (iii) a Microsoft full-time employee.

e. "Licensed Content" means the content accompanying this agreement which may include the Microsoft Instructor-Led Courseware or Trainer Content.

f. "Microsoft Certified Trainer" or "MCT" means an individual who is (i) engaged to teach a training session to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a Microsoft Certified Trainer under the Microsoft Certification Program.

g. "Microsoft Instructor-Led Courseware" means the Microsoft-branded instructor-led training course that educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. "Microsoft IT Academy Program Member" means an active member of the Microsoft IT Academy Program.

i. "Microsoft Learning Competency Member" means an active member of the Microsoft Partner Network program in good standing that currently holds the Learning Competency status.

j. "MOC" means the "Official Microsoft Learning Product" instructor-led courseware known as Microsoft Official Course that educates IT professionals and developers on Microsoft technologies.

k. "MPN Member" means an active Microsoft Partner Network program member in good standing.

l. "Personal Device" means one (1) personal computer, device, workstation or other digital electronic device that you personally own or control that meets or exceeds the hardware level specified for the particular Microsoft Instructor-Led Courseware.

m. "Private Training Session" means the instructor-led training classes provided by MPN Members for corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware. These classes are not advertised or promoted to the general public and class attendance is restricted to individuals employed by or contracted by the corporate customer.

n. "Trainer" means (i) an academically accredited educator engaged by a Microsoft IT Academy Program Member to teach an Authorized Training Session, and/or (ii) a MCT.

o. "Trainer Content" means the trainer version of the Microsoft Instructor-Led Courseware and additional supplemental content designated solely for Trainers' use to teach a training session using the Microsoft Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer preparation guide, train the trainer materials, Microsoft One Note packs, classroom setup guide and Pre-release course feedback form. To clarify, Trainer Content does not include any software, virtual hard disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights apply to you.

a. If you are a Microsoft IT Academy Program Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,

vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

c. If you are a MPN Member:


i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:


For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.
e. If you are a Trainer.
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.

ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
"customize" refers only to changing the order of slides and content, and/or not using all the slides or
content, it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate their components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party content are included
for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.
b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.
c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earliest ("Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.

4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:

• access or allow any individual to access the Licensed Content if they have not acquired a valid license for the Licensed Content,
• alter, remove or obscure any copyright or other protective notices (including watermarks), branding or identifications contained in the Licensed Content,
• modify or create a derivative work of any Licensed Content,
• publicly display, or make the Licensed Content available for others to access or use,
• copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or distribute the Licensed Content to any third party,
• work around any technical limitations in the Licensed Content, or
• reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the Licensed Content except and only to the extent that applicable law expressly permits, despite this limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to

• anything related to the Licensed Content, services, content (including code) on third party Internet sites or third-party programs; and
• claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence, or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are provided below in French.
Remarque : Ce le contenu sous licence étant distribué au Québec, Canada, certaines des clauses
dans ce contrat sont fournies ci-dessous en français.

EXONÉRATION DE GARANTIE. Le contenu sous licence visé par une licence est offert « tel quel ». Toute
utilisation de ce contenu sous licence est à votre seule risque et péril. Microsoft n'accorde aucune autre garantie
expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection dues
consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties
implicites de qualité marchande, d'adéquation à un usage particulier et d'absence de contrefaçon sont exclues.

LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES
DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages
directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres
dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.

Cette limitation concerne:

• tout ce qui est relié au le contenu sous licence, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et.
• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou d'une autre faute dans la limite autorisée par la loi en vigueur.

Elle s'applique également, même si Microsoft connaissait ou devrait connaître l'éventualité d'un tel dommage. Si
votre pays n'autorise pas l'exclusion ou la limitation de responsabilité pour les dommages indirects, accessoires
ou de quelque nature que ce soit, il se peut que la limitation ou l'exclusion ci-dessus ne s'appliquera pas à votre
égard.

EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir d'autres droits
prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre
pays si celles-ci ne le permettent pas.

Revised July 2013


Acknowledgments


Microsoft Learning wants to acknowledge and thank the following for their contribution toward
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.

Byron Wright - Content Developer

Byron Wright is a partner in a consulting firm, where he performs network consulting, computer-systems
implementation, and technical training. Byron is also a sessional instructor for the Asper School of
Business at the University of Manitoba, where he teaches management information systems and
networking. Byron has authored and coauthored a number of books on Windows Server operating
systems, Windows client operating systems, and Microsoft Exchange Server, including the Windows
Server 2008 Active Directory Resource Kit. To recognize Byron's commitment to sharing knowledge
with the technical community, he has been given the Microsoft Most Valuable Professional (MVP) award
for Exchange Server.

Andrew J. Warren - Subject Matter Expert

Andrew Warren has more than 25 years of experience in the IT industry, many of which he has spent
teaching and writing. He has been involved as a subject matter expert for many of the Windows Server
2012 courses, and the technical lead on a number of other courses. Andrew also has been involved in
developing TechNet sessions on Exchange Server 2007. Based in the United Kingdom, Andrew runs his
own IT training and education consultancy.

Krystle Portocarrero - Technical Reviewer

Krystle Portocarrero is a trainer and consultant with a wide variety of Microsoft Certified System Engineer
(MCSE) and Microsoft Certified IT Professional (MCITP) certifications in addition to several other industry
certifications. She has experience working with a wide range of Microsoft technologies, focusing on
enterprise network infrastructure and architecture design for enterprise collaboration. Krystle has worked
in several capacities with Microsoft, from technical reviewer on Microsoft courseware to subject matter
expert for multiple Microsoft certification exams.

Contents

Module 1: Implementing a Troubleshooting Methodology
Lesson 1: Overview of Windows 8.1
Lesson 2: Overview of Troubleshooting Steps
Lab: Troubleshooting Windows 8.1

Module 2: Troubleshooting Startup Issues
Lesson 1: Overview of the Windows 8.1 Startup Recovery Environment
Lesson 2: Troubleshooting Startup Settings
Lesson 3: Troubleshooting Operating System Services Issues
Lab A: Troubleshooting Startup Issues
Lesson 4: Recovering BitLocker-Protected Drives
Lab B: Recovering BitLocker-Encrypted Drives

Module 3: Troubleshooting Hardware and Device Drivers
Lesson 1: Overview of Hardware Troubleshooting
Lesson 2: Troubleshooting Physical Failures
Lesson 3: Troubleshooting Device Driver Failures
Lesson 4: Monitoring Reliability
Lab: Troubleshooting Hardware and Device Drivers
Lesson 5: Configuring the Registry

Module 4: Troubleshooting Remote Computers
Lesson 1: Using Remote Desktop
Lesson 2: Using Remote Assistance
Lesson 3: Remoting with Windows PowerShell
Lab: Troubleshooting Remote Computers

Module 5: Resolving Network Connectivity Issues
Lesson 1: Determining Network Settings
Lesson 2: Troubleshooting Network Connectivity Issues
Lab: Resolving Network Connectivity Issues

Module 6: Troubleshooting Group Policy
Lesson 1: Overview of Group Policy Application
Lesson 2: Resolving Client Configuration Failures and GPO Application Issues
Lab: Troubleshooting Group Policy

Module 7: Troubleshooting User Settings
Lesson 1: Troubleshooting Sign-in Issues
Lab A: Troubleshooting Sign-in Problems
Lesson 2: Troubleshooting the Application of User Settings
Lab B: Troubleshooting the Application of User Settings

Module 8: Configuring and Troubleshooting Remote Connectivity
Lesson 1: Troubleshooting VPN Connectivity Issues
Lesson 2: Troubleshooting NAP
Lab A: Configuring Network Access Protection Client Settings
Lesson 3: Troubleshooting DirectAccess
Lab B: Configuring and Testing DirectAccess

Module 9: Troubleshooting Resource Access within a Domain
Lesson 1: Troubleshooting File Access Issues
Lesson 2: Troubleshooting File Permissions Issues
Lesson 3: Troubleshooting Printer Access Issues
Lab: Troubleshooting Resource Access within a Domain

Module 10: Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members
Lesson 1: Configuring Workplace Join
Lesson 2: Configuring and Troubleshooting Work Folders
Lesson 3: Configuring and Troubleshooting OneDrive Access
Lab: Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members

Module 11: Troubleshooting Applications
Lesson 1: Troubleshooting Desktop App Installation Issues
Lesson 2: Troubleshooting Desktop Apps
Lab A: Troubleshooting Desktop Apps
Lesson 3: Managing Windows Store Apps
Lesson 4: Troubleshooting Internet Explorer
Lab B: Troubleshooting Windows Internet Explorer
Lesson 5: Implementing Client Hyper-V

Module 12: Maintaining Windows 8.1
Lesson 1: Managing Windows Activation
Lesson 2: Monitoring and Configuring Performance Options in Windows 8.1
Lab: Maintaining Windows 8.1
Lesson 3: Protecting Windows 8.1 from Malware and Viruses
Lesson 4: Applying Application and Windows Updates

Module 13: Recovering Windows 8.1
Lesson 1: File Recovery in Windows 8.1
Lesson 2: Recovery Options in Windows 8.1
Lab A: Troubleshooting a Windows 8.1 Computer (1)
Lab B: Troubleshooting a Windows 8.1 Computer (2)

Lab Answer Keys
Module 1 Lab: Troubleshooting Windows 8.1
Module 2 Lab A: Troubleshooting Startup Issues
Module 2 Lab B: Recovering BitLocker-Encrypted Drives
Module 3 Lab: Troubleshooting Hardware and Device Drivers
Module 4 Lab: Troubleshooting Remote Computers
Module 5 Lab: Resolving Network Connectivity Issues
Module 6 Lab: Troubleshooting Group Policy
Module 7 Lab A: Troubleshooting Sign-in Problems
Module 7 Lab B: Troubleshooting the Application of User Settings
Module 8 Lab A: Configuring Network Access Protection Client Settings
Module 8 Lab B: Configuring and Testing DirectAccess
Module 9 Lab: Troubleshooting Resource Access within a Domain
Module 10 Lab: Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members
Module 11 Lab A: Troubleshooting Desktop Apps
Module 11 Lab B: Troubleshooting Windows Internet Explorer
Module 12 Lab: Maintaining Windows 8.1
Module 13 Lab A: Troubleshooting a Windows 8.1 Computer (1)
Module 13 Lab B: Troubleshooting a Windows 8.1 Computer (2)

About This Course


This section provides a brief description of the course, audience, suggested prerequisites, and course
objectives.

Course Description


This course will provide you with the knowledge and skills to troubleshoot, maintain, and recover
Windows 8.1. You will work through resolving technical issues pertaining to Windows 8.1 installation
and migration, and activation. You will also learn about Windows 8.1 profiles, settings and device
synchronization, and local and remote network access. Finally, you will learn about access to applications,
authentication, and access to data and printers. This course will also provide guidelines and considerations
that will help you manage performance issues, apply updates, protect Windows 8.1 from malware and
viruses, and recover Windows 8.1 if necessary.

Note: Microsoft has renamed SkyDrive to OneDrive and SkyDrive Pro to OneDrive for
Business, and the course content uses the updated names. However, the virtual machines
in this course use the original release of Windows 8.1 Enterprise Edition that refers to
the formerly used terms SkyDrive and SkyDrive Pro. Because of this, in the labs and
demonstrations, you might see a discrepancy between the course content and the user
interface in the virtual machines.

Audience

This course is intended for Enterprise Desktop Support Technicians (EDST), who are experienced
information technology (IT) Professionals who provide support for a broad range of technical issues for
Windows operating systems, devices, cloud services, applications, networking, and hardware support. This
course is also appropriate for candidates preparing for Microsoft exam 70-688, Managing and
Maintaining Windows 8.1.

This course requires that you meet the following prerequisites:

Understanding of networking fundamentals, including TCP/IP, User Datagram Protocol (UDP), and
Domain Name System (DNS)

Active Directory Domain Services (AD DS) principles, and fundamentals of AD DS management

Understanding of the public key infrastructure (PKI) components, and working knowledge of the
fundamentals of Active Directory Certificate Services (AD CS)

Windows Server 2008 R2 or Windows Server 2012 fundamentals

Windows client operating system fundamentals, such as a working knowledge of Windows XP,
Windows Vista, Windows 7, Windows 8, or a combination thereof

Fundamentals of management and experience using Microsoft Office 2013 or Office 2010

Windows Automated Installation Kit (Windows AIK) components including the concepts and
fundamentals for: Windows Preinstallation Environment (Windows PE), Windows System Image
Manager (Windows SIM), Volume Activation Management Tool (VAMT), ImageX, User State Migration
Tool (USMT), and Deployment Image Servicing and Management (DISM)

Course Objectives
After completing this course, students will be able to:


Describe a typical troubleshooting methodology and apply it to troubleshooting Windows 8.1.

Troubleshoot startup settings, Windows operating system services, and recover drives encrypted with
BitLocker Drive Encryption.

Troubleshoot physical hardware failures and hardware device drivers.

Use Remote Desktop, Remote Assistance, and Windows PowerShell remoting to manage remote
computers.

Configure and troubleshoot network connections.

Describe how to apply Group Policy Objects (GPOs) to computers and resolve client-side
configuration failures and GPO application issues.

Troubleshoot user sign-in issues and the application of user desktop settings.

Troubleshoot virtual private network (VPN) connections, Network Access Protection (NAP), and
DirectAccess.

Troubleshoot file access issues, file permissions issues, and printer access issues.

Configure Workplace Join, Work Folders, and Microsoft OneDrive access.

Troubleshoot desktop app installation and compatibility, Windows Store apps, and Internet Explorer,
and configure Client Hyper-V.

Monitor and configure performance options in Windows 8.1, protect Windows 8.1 from malicious
software and viruses, and update Windows 8.1.

Recover files in Windows 8.1, and recover a computer running Windows 8.1.

Course Outline
The course outline is as follows:

Module 1, "Implementing a Troubleshooting Methodology" introduces the new Windows 8.1 features
and interface, and the enhancements it provides over previous versions of the Windows client operating
system. This module also describes the process of developing and applying a troubleshooting
methodology for Windows 8.1.

Module 2, "Troubleshooting Startup Issues" explains how to identify and troubleshoot issues that
affect the Windows 8.1 operating system's ability to start, and how to detect problematic services that
are running on the operating system. It also describes how to use the Windows 8.1 operating system
advanced troubleshooting tools, collectively known as the Windows Recovery Environment (Windows RE).

Module 3, "Troubleshooting Hardware and Device Drivers" explains how to troubleshoot physical
hardware failures and hardware device drivers. It also describes how to monitor Windows 8.1 reliability
and configure the registry.

Module 4, "Troubleshooting Remote Computers" explains how to connect to remote computers,
and where possible, to manage those computers remotely. It describes three ways in which you can
remotely connect to and manage remote computers: Remote Desktop, Windows Remote Assistance, and
Windows PowerShell remoting.

Module 5, "Resolving Network Connectivity Issues" explains how to configure network settings and
determine the network configuration of client computers. It also explains how to troubleshoot network
connections.

Module 6, "Troubleshooting Group Policy" describes how Group Policy is useful in applying configuration
settings to multiple computers from a central location. It also describes how to resolve client-side
configuration failures and GPO application issues.

Module 7, "Troubleshooting User Settings" focuses on user settings and how they can simplify user
experiences. It examines problems that can occur when users sign in, and also describes how to
troubleshoot the application of user settings.

Module 8, "Configuring and Troubleshooting Remote Connectivity" describes the use of VPNs, NAP, and
DirectAccess. It also explains common problems with their implementation and usage, and provides a
number of possible mitigations for those problems.

Module 9, "Troubleshooting Resource Access within a Domain" covers the causes of issues such as
users' inability to access or modify files, and difficulty accessing printers. This module also provides
troubleshooting information that you can use to help users who are having file access issues, file
permission issues, or printer access issues.

Module 10, "Configuring and Troubleshooting Resource Access for Clients That Are Not Domain
Members" describes how to troubleshoot features that you can use to access files and applications
remotely. It explains how to configure Workplace Join and Work Folders. It also includes information on
configuring and troubleshooting access to OneDrive.

Module 11, "Troubleshooting Applications" examines the issues that affect users' abilities to install and
run desktop apps and Windows Store apps. This module also covers the ways in which students can
resolve Internet Explorer-related issues.

Module 12, "Maintaining Windows 8.1" describes procedures to monitor performance of computers that
are running Windows 8.1, protect them from malware, and ensure that they remain up-to-date with the
latest operating system updates and security fixes. It also explains how these procedures provide for the
ongoing maintenance of Windows 8.1.

Module 13, "Recovering Windows 8.1" explains how to recover a computer by restoring system settings
instead of reinstalling the operating system and apps. It also describes how to use various tools to back up
and recover data.

Course Materials
The following materials are included with your kit:

Course Handbook: A succinct classroom learning guide that provides the critical technical
information in a crisp, tightly-focused format, which is essential for an effective in-class learning
experience.

Lessons: Guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.

Labs: Provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.

Module Reviews and Takeaways: Provide on-the-job reference material to boost knowledge
and skills retention.

Lab Answer Keys: Provide step-by-step lab solution guidance.

Course Companion Content: On the http://www.microsoft.com/learning/en-us/companion-moc.aspx
site. Searchable, easy-to-browse digital content with integrated premium
online resources that supplement the Course Handbook.

Modules: Include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.

Resources: Include well-categorized additional resources that give you immediate access to the
most current premium content on TechNet, MSDN, or Microsoft Press.

Course evaluation: At the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.

To provide additional comments or feedback on the course, send an email to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send an
email to mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the classroom environment to support the business
scenario of the course.

Virtual Machine Configuration


In this course, you will use Microsoft Hyper-V to perform the labs.

Important: At the end of each lab, you must revert the virtual machines to a snapshot. You
can find the instructions for this procedure at the end of each lab.

The following table shows the role of each virtual machine that is used in this course:

| Virtual machine | Role |
|---|---|
| LON-DC1 | Domain controller in the Adatum.com domain |
| LON-SVR1 | Member server in the Adatum.com domain |
| LON-RTR | Member server in the Adatum.com domain |
| LON-CL1 | Member workstation in the Adatum.com domain |
| LON-CL3 | Member workstation in the Adatum.com domain |
| LON-CL4 | Windows 8.1 Enterprise computer in a workgroup |
| LON-CL5 | Virtual hard disk used to start the host computer |

Software Configuration
The following software is installed on each virtual machine:

Windows Server 2012 R2, and Windows 8.1 Enterprise

Microsoft Office 2013

Remote Server Administration Tools (RSAT) for Windows 8.1

Microsoft Message Analyzer

Windows Assessment and Deployment Kit (Windows ADK) for Windows 8.1

StockViewer app

XML Notepad 2007

LeXProductsGrid81_1.1.0.4_AnyCPU ZIP app

Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.

Course Hardware Level

To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.

Hardware Level 7

64-bit Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor (2.8
gigahertz (GHz) dual core or more recommended)

Dual 500 gigabyte (GB) hard disks, 7200 RPM Serial ATA (SATA) or faster. Each hard disk must be
configured as a separate drive labeled Drive C and Drive D.

16 GB random access memory (RAM)

DVD (dual layer recommended)

Network adapter

Dual SVGA monitors 17 inches or larger, supporting 1,440 x 900 minimum resolution

Microsoft mouse or compatible pointing device

Sound card with amplified speakers

In addition, the instructor computer must be connected to a projection display device that supports
1,280 x 1,024 pixels, with 16-bit color.

Navigation in Windows Server 2012 R2 or Windows 8.1


If you are not familiar with the user interface in Windows Server 2012 R2 or Windows 8.1, then the
following information will help orient you to the new interface.

Sign in and Sign out replace Log in and Log out.

Administrative tools are found in the Tools menu of Server Manager.

Move your mouse to the lower right corner of the desktop to open a menu with:

Settings: This includes Control Panel and Power.

Start menu: This provides access to some applications.

Search: This allows you to search applications, settings, and files.

You may also find the following shortcut keys useful:

Windows key: Opens the Start menu.

Windows+C keys: Opens the same menu as moving the mouse to the lower right corner.

Windows+I keys: Opens Settings.

Windows+R keys: Opens the Run window.

Module 1
Implementing a Troubleshooting Methodology
Contents:
Module Overview
Lesson 1: Overview of Windows 8.1
Lesson 2: Overview of Troubleshooting Steps
Lab: Troubleshooting Windows 8.1
Module Review and Takeaways

Module Overview

Windows 8.1 is the latest Microsoft client operating system. It provides several new features and
capabilities, and it builds on the core functionality of Windows 7 to provide a stable client experience
across a number of processor architectures. Additionally, Windows 8.1 provides many improvements and
enhancements over Windows 8 Release to Manufacturing (RTM). As an enterprise support technician, you
must understand these new features and know how to use them to improve productivity within your
organization. It also is important that you know how to troubleshoot the Windows 8.1 operating system
properly. This module introduces the new Windows 8.1 features and interface, and describes the process
of developing and applying a troubleshooting methodology for Windows 8.1.

Objectives
After completing this module, you will be able to:

Describe Windows 8.1.

Describe a typical troubleshooting methodology and apply it to troubleshooting Windows 8.1.

Lesson 1

Overview of Windows 8.1

Windows 8.1 can operate across a range of devices, including tablets and other touch-enabled computers.
To optimize your users' experience, you can select between a number of editions of Windows 8.1, and a
number of processor architectures. This lesson describes the supported processor platforms and devices,
and the new features in Windows 8.1. It also provides you with information about the operating system's
architecture.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Windows 8.1 devices.

Identify and differentiate between different Windows 8.1 editions.

Describe the new features of Windows 8.

Describe the additional features of Windows 8.1.

Explain the Windows 8.1 operating-system architecture.

Windows 8.1 Devices


In present-day enterprise environments, not all
users want to work on a single desktop computer
that has a wired connection to the corporate
network. Today, many users prefer wireless
connectivity and remote access to their work
environments. This enables users to work on
different devices and from different locations.
Depending on user requirements, the type of
device with which they might want to connect
to the corporate network may vary. Some users
may require the portability of a laptop computer,
whereas others may benefit from the use of a
touch-capable device, such as a tablet. Windows 8.1 is designed to be able to run across many device
types, and is not restricted to only desktop and laptop computing devices.
Windows 8.1 supports a number of form factors, including:

Desktop computers. This is the traditional computing platform that offers powerful performance but
limited mobility. To improve user productivity, you can combine desktop computers with touch
screens.

Laptop computers. Modern laptop computers can have a touch screen, which enables users to
perform tasks much more quickly than they would if they were using a traditional mouse. You can
convert some laptop computers into tablets through screen rotation, although these types of device
are not as portable as pure tablets.

Convertible laptops. These devices are tablet computers that come with a docking station that has a
keyboard and additional ports, such as universal serial bus (USB) and video expansion ports. When
separated from its docking station, this type of device provides all of the convenience of a tablet.
When on its docking station, this type of device enables users to work in a more traditional fashion.
Some docking stations also have an additional battery.

11-inch tablets. These tablets are comparatively large, and you may find them more often on
convertible laptops with some kind of docking station.

10-inch tablets. Comparable in size with the Apple iPad, these tablets often are stand-alone devices,
although they sometimes include a keyboard cover. The Microsoft Surface 2 and Microsoft Surface
Pro 2 are both 10-inch tablets, and come with one of two optional keyboard covers. These types of
devices offer the best portability.

8-inch tablets. Microsoft recently modified the base video requirements of the Windows 8.1 operating
system to enable support for smaller screens with potentially lower screen resolutions. A number of
devices that support this form factor are available now, or will be in the near future. This type
of device, similar to the Apple iPad Mini, provides optimum portability. However, it may pose
challenges for certain types of use. For example, using an 8-inch tablet for heavy typing typically is
not an easy task, and you can find better devices for this purpose.

Note: It is important to understand that these are broad device categories, and some
devices do not fall into one category only.

After users select the type of device that suits their requirements, they may have additional needs. The
following factors affect the type of tablet or convertible device that a user may choose:

Battery life. This is a critical factor for some users. Many devices in the first generation of Windows
tablets used Intel Atom processors, which provided extended battery life. However, while these
devices provided solid performance, the Atom was not suited for heavy processing tasks.

Processor performance. Some Windows-equipped tablets use Intel Core i5 or even Core i7 processors.
These processors are capable of a much higher workload, but they typically consume more power.

Screen size and resolution. Smaller and therefore more portable devices have smaller screen sizes. It
is not easy working with high resolutions on small screens, because users may find it difficult to
interpret the content on the screen. To help mitigate this issue, the screen resolution may be reduced.
For example, typical screen resolution for 10-inch Intel Atom-based tablets is 1366x768.

Memory. Many tablets with Atom processors have 2 gigabytes (GB) of available memory. This is
sufficient for relatively light workloads, but may not be adequate for heavy workloads. Core i5 and
Core i7 devices can have as much as 8 GB of memory installed, thereby providing support for much
heavier workloads.

Storage. Unlike desktop computers, and even some laptops, tablets come with a fixed storage
capacity. Smaller devices come with less storage, and 32 GB of storage capacity is typical for small
tablets. Some vendors provide the option to customize the storage when the user purchases their
device. Before making a decision on the amount of storage they require, users must think about how
they are going to be using a device. Fortunately, almost every Windows tablet provides some means
to expand the available storage by using secure digital (SD) or Micro SD cards, and in some cases,
support for USB storage devices.

Note: Although some vendors of tablet devices offer cloud-based storage, it is important
to remember that the amount of local storage is the capacity of your device, particularly when
you are not online.

Support Issues

The type of support issues that you encounter may vary based on the type of device being used. For
example, storage problems are more prevalent for tablet computers, because storage is more constrained.
In addition, users may choose to use cloud-based storage with their tablets, which may be less relevant for
desktop computer devices.
An increasing number of users want to connect their own devices to corporate networks. This practice
raises additional support concerns by introducing security issues and device management issues.

Windows 8.1 Editions


Once users determine how they want to use a
computing device, and select one that provides
the best mix of features for them, they may need
to select a suitable edition of the Windows 8.1
operating system. For most vendors, the edition of
the Windows 8.1 operating system is preinstalled.
For example, the Microsoft Surface Pro comes
preinstalled with a 64-bit edition of Windows 8.1
Pro. However, for desktop and laptop computers,
and to some extent, other devices, users may have
a choice.

Understanding the Windows 8.1 Editions


Windows 8.1 is available in three separate editions:

Windows 8.1. Windows 8.1 is the edition that contains only the key operating-system features. This
edition can run applications such as the Microsoft Office suite, and is appropriate for deployment in
home offices and small business environments that do not require features such as BitLocker Drive
Encryption, and DirectAccess. From a planning perspective, it is important to note that you cannot
join computers that are running this edition of Windows 8.1 to an Active Directory Domain Services
(AD DS) domain, and you can activate this Windows 8.1 edition only with a retail license key.

Windows 8.1 Pro. The Windows 8.1 Pro edition includes features such as BitLocker, Client
Hyper-V, Domain Join, Group Policy, and Boot from VHD. This edition of Windows 8.1 is suitable
for small and medium-sized businesses that do not require technologies such as AppLocker,
BranchCache, DirectAccess, and Windows To Go to meet business objectives. You can use
Windows 8.1 Pro with retail license keys and with volume licensing options such as Multiple
Activation Keys (MAKs) and Key Management Service (KMS) keys.

Windows 8.1 Enterprise. Windows 8.1 Enterprise is the edition of Windows 8.1 that you are most
likely to deploy in large business environments. This edition includes all the features that are available
in the Windows 8.1 operating system, from the ability to be joined to an AD DS domain to
edition-specific features such as AppLocker, BranchCache, DirectAccess, and Windows To Go. This edition
also has the ability to sideload Windows Store apps. You can activate Windows 8.1 Enterprise only by
using a volume license key.

The following table represents the key features available in each edition of Windows 8.1.

| Feature | Windows 8.1 | Windows 8.1 Pro | Windows 8.1 Enterprise |
|---|---|---|---|
| Maximum physical central processing unit (CPU) | | | |
| Maximum memory (x86) | 4 GB | 4 GB | 4 GB |
| Maximum memory (x64) | 128 GB | 512 GB | 512 GB |
| Workplace Join | | | |
| Work Folders | | | |
| Remote Desktop | Client only | | |
| Domain Join | | | |
| Group Policy | | | |
| Boot from virtual hard disk (VHD) | | | |
| BitLocker and BitLocker To Go | | | |
| Encrypting File System | | | |
| Hyper-V | | Only on x64 | Only on x64 |
| AppLocker | | | |
| BranchCache | | | |
| DirectAccess | | | |
| Windows To Go | | | |

Understanding Windows RT

Windows Runtime (RT) is designed specifically to run apps that are built on the Windows RT platform,
and it is available only as a preinstalled operating system on tablets and similar devices with Advanced
RISC Machines (ARM) processors. ARM provides a lightweight form factor with excellent battery life,
specifically for mobile devices. Windows RT is preloaded with touch-optimized versions of Microsoft
Office applications, and is limited to running Windows Store apps. Devices that are running Windows RT
cannot be members of AD DS domains, but can use Workplace Join and Work Folders.

Note: It is important to remember that Windows 8.1 is available for ARM-based devices.

What are the Advantages of 64-bit Windows 8.1 Versions?

Each Windows 8.1 edition is available in both 32-bit and 64-bit versions. The 64-bit versions of
Windows 8.1 are designed to work with computers that utilize the 64-bit processor architecture. Though
the 64-bit versions are similar in features to their 32-bit counterparts, there are several advantages to
using a 64-bit version of Windows 8.1, including:

Improved performance. The 64-bit processors can process more data for each clock cycle. Therefore,
you can scale your applications to run faster. However, to benefit from this improved processor
capacity, you must install a 64-bit edition of the operating system.

Enhanced memory. A 64-bit operating system can use random access memory (RAM) more
efficiently, and it can address more than 4 GB of memory. This is unlike all 32-bit operating systems,
including all 32-bit editions of Windows 8.1, which are limited to 4 GB of addressable memory.

Improved device support. Although 64-bit processors have been available for some time, in the past
it was difficult to obtain third-party drivers for commonly used devices, such as printers, scanners,
and other common office equipment. Since the release of the 64-bit versions of Windows 7, the
availability of drivers for these devices has improved greatly. Because Windows 8.1 is built on the
same kernel as Windows 7, most of the drivers that work with Windows 7 also work with Windows 8.

Improved security. The architecture of 64-bit processors enables a more secure operating system
environment through kernel patch protection, mandatory kernel-mode driver signing, and Data
Execution Prevention (DEP).

Support for the Hyper-V feature. Only the 64-bit versions of Windows 8.1 support this feature.
Hyper-V requires 64-bit processor architecture that supports second level address translation.

Note: The 64-bit versions of Windows 8.1 do not support the 16-bit Windows on Windows
environment. If your organization requires earlier versions of 16-bit applications, they will not run
natively on 64-bit versions of Windows 8.1. One solution is to run the application within a virtual
environment by using Hyper-V.

New Windows 8 Features


Windows 8 contains more than 300 new features.
The following section highlights some of the most
important features and changes:

Start screen. The Start screen represents a significant change in the way users find
and interact with apps and information in Windows 8. The Start screen is tile-based,
and its configurable tiles can display live information and provide an interactive hub
experience for users. With its touch-friendly layout, it is significantly different from the
Start button interface that Windows 95 and subsequent Windows operating systems featured.

Cloud integration. Windows 8 provides increased integration with cloud-based services and
information. Users signing in to a Windows 8 computer can connect instantly to the information and
settings that are important to them. Windows 8 ensures a consistent user experience across any
computer, regardless of the computer's location.


Reset and refresh your PC. By using the Reset and Refresh feature, users and information technology
(IT) staff can return a computer to a specific default state, or recover Windows 8 from errors or
corrupt operating-system files:
Reset your PC removes all personal data, apps, and settings from the PC, and reinstalls Windows.

Refresh your PC keeps all personal data, Windows Store apps, and other important settings, and
reinstalls Windows, retaining the user experience and user data.

Windows To Go. This feature enables you to supply a fully functioning copy of Windows 8 that can
start and run from a USB storage device. When users boot from a Windows To Go-enabled USB
device, they get a complete Windows 8 experience, and all of their applications, files, and settings.

Remote Desktop Services. Windows 8 now includes Remote Desktop Services (RDS) capability, which
enables multiple users to connect remotely to the same computing infrastructure, each in an isolated
session. You can use Windows 8 in Virtual Desktop Infrastructure (VDI) scenarios to provide robust
and universal access to Windows 8 desktops.

Client Hyper-V. Client Hyper-V on Windows 8 provides a flexible and high-performing client
virtualization environment. You can leverage this environment to use a single computer to test
applications and IT scenarios in multiple operating-system configurations. By using Client Hyper-V,
IT departments can provide a consolidated and efficient virtual environment through virtual machine
compatibility with Windows Server 2012. Client Hyper-V is available in Windows 8 Pro and
Windows 8 Enterprise.

Support for multiple processor architectures. Windows 8 is the first Windows operating system to
provide support for both the x86 and the ARM platform. Windows 8 runs on PCs in addition to
tablets and similar devices, thereby providing users with very pervasive access to the Windows 8
environment.

New Windows 8.1 Features


Although numerically only a point release,
Windows 8.1 represents a significant technical
advance from Windows 8. Windows 8.1 includes
a number of additional business-focused features
that make it easier to deploy, administer, and use.

Bring Your Own Device Improvements


Many users have their own personal computing devices, and some will wish to connect these
devices to their corporate networks to access applications and services, in addition to working
with data files. The ability to connect users' personal devices to your network is often referred
to as Bring Your Own Device. Windows 8.1 introduces a number of new features that improve the
support of users who wish to bring their own devices:

Workplace Join. Enables a device to neither completely join, nor completely be removed from the
domain. With Workplace Join, your users can work on the devices that they choose, and still have
access to enterprise network resources. You can control access to resources and provide a finer level
of control over devices that register through Workplace Join.

Work Folders. Work Folders enable a user to synchronize their data from their network user folder to
their device. When you implement Work Folders, locally-created files also synchronize to the network
folder location. The client computing device does not need to be domain-joined to access this shared
content.

Mobile Device Management. Once users enroll their devices, they join them to the Windows Intune
management service and get access to the company portal. This provides them with a consistent user
experience for access to their applications and data, which enables them to manage their own
devices. You have improved management over these devices, and can manage them as mobile
devices without having to deploy a full management client.

Web Application Proxy. This server-side feature enables publishing of access to corporate resources
to Windows 8.1 devices, and enforces multifactor authentication. Additionally, this feature applies
conditional access policies to verify user and device identity before granting access to resources.

Mobility Improvements

Virtual private network (VPN). In addition to the Microsoft VPN client, Windows 8.1 supports a
number of VPN clients from other vendors, including:
Check Point Client

Sonicwall Global VPN client

FirePass f5 client

Mobile broadband. Windows 8.1 provides support for embedded wireless radio. This support helps to
improve power efficiency, and to reduce the size of some devices.

Broadband tethering. You can turn your Windows 8.1 device into a Wi-Fi hotspot.

Auto-triggered VPN. If an app requires access to your company's intranet, Windows 8.1 can
automatically trigger a VPN connection.

Security Improvements

Remote Business Data Removal. With Windows 8.1 and Windows Server 2012 R2, you can use Remote
Business Data Removal to classify and flag corporate files, and to differentiate between these files
and user files. With this classification, the remote wipe of a Windows 8.1 device will not remove
user-owned data when securing or removing corporate data on the device.

Improved biometrics. Windows 8.1 provides a number of improvements in the area of biometrics,
including the use of Windows sign-in, remote access, and user account control. Furthermore, you can
configure biometric authentication to enable Windows Store access.

Pervasive device encryption. Device encryption is enabled by default, and you can configure
additional BitLocker protection. In addition, you can enable additional management capability on the
Pro and Enterprise editions of Windows 8.1. When your users use a Microsoft account, Windows 8.1
encrypts and protects devices automatically.

Malware resistance. Windows Defender now includes network-behavior monitoring that can help to
detect and prevent the execution of known and unknown malware.

Device lockdown. The Assigned Access feature enables you to restrict the Windows Store application
experience on a device to a specific subset of apps, or even to a single app. This could be a
line-of-business (LOB) app in a kiosk scenario, or a set of educational apps for children in a school setting.

Many other operating-system changes aim to improve the user experience. This includes small but
significant changes, such as the new Boot to Desktop feature, which is for those users who prefer the
traditional desktop user interface.


Windows 8.1 Architecture


Microsoft has engineered Windows 8.1 to support
two different styles of apps. This has involved
modifying the architecture of the operating
system to provide dual stacks of application
programming interfaces (APIs):

Traditional desktop apps, such as Microsoft Office, use the Win32 APIs and Microsoft .NET
Framework.

Windows Store apps use the Windows RT APIs.

The benefit of this dual stack approach is that the same operating system supports these disparate
application platforms.

Understanding the Operating-System Architecture

It is important to understand the differences between software applications, operating-system services,
and hardware devices and their associated device drivers in the operating-system kernel. The Windows 8.1
operating-system architecture comprises the operating-system kernel, system services, and applications.

Operating-system kernel

At the lowest level of the operating system, the operating system kernel consists of the Windows kernel
itself and low-level device drivers. The kernel is responsible for taking operating system requests from
system services. It then translates those requests into instructions for the computer hardware, including
the CPU, memory, and hardware devices, to perform.

When the operating system starts up, it is the kernel and its related low-level device drivers that initialize
first. The operating-system services then start.

System services

Operating-system services are part of the operating system rather than something that you install after
the operating system deploys. Additionally, operating-system services function with no user action. In fact,
they start before a user signs in to the computer.
Although both operating system services and device drivers are software, the difference between them is
that device drivers interact directly with hardware devices or components. Generally, a system service
interacts with other software components in the operating system.

Note: From a management perspective, the difference between device drivers and services
is more obvious. You can use Device Manager to manage device drivers, and you use the services
Microsoft Management Console (MMC) snap-in to manage system services.

System services include various executive services that provide distinct functions within the operating
system, including:

The I/O Manager handles input and output (I/O).

The virtual memory manager deals with virtualization of memory within the operating system.

Other components within the executive handle other aspects of the operating system.

The API sets enable Windows to support different types of apps. The Windows RT APIs enable the
operating system to run Windows Store apps, whereas Win32 and related API sets enable the
operating system to run traditional desktop apps.

Understanding Applications


At the upper level of the operating system, applications operate by integrating with the computer user,
and at a lower level by integrating with the operating-system services. You install applications after you
install the operating system, and you must start applications manually to use them.


Lesson 2

Overview of Troubleshooting Steps

Whether you are troubleshooting computers, plumbing systems, or automobile engines, any
troubleshooting methodology has a common set of processes and procedures, including the following:

You perform a set of processes that typically resolve problems as quickly and efficiently as possible.

Classification, testing, escalation, and reporting provide the backbone of any troubleshooting
methodology.

The methodology evolves over time, as technologies change and new tools become available.

This lesson details the stages of a troubleshooting methodology. Additionally, it explains how you can
develop best practices for problem reporting, initial data collection, implementing a plan of action, and
recording incident resolution.

Lesson Objectives
After completing this lesson, you will be able to:

Identify the stages in a common troubleshooting methodology.

Discuss elements of common troubleshooting methodologies.

Describe the process of problem reporting.

Describe the process of initial data collection.

Determine and use best practices for developing an action plan.

Describe the process of implementing an action plan.

Describe the process of recording the problem resolution.

Discuss the benefits of using a methodology.

List and explain common troubleshooting issues in Windows 8.1.

Stages in a Troubleshooting Methodology


When you begin to troubleshoot a problem, you
should define the steps that you need to take to
resolve the problem clearly and concisely. A
troubleshooting methodology consists of problem
reporting, information gathering, development
and implementation of an action plan, and
documentation of the resolution.

Reporting the Problem

The reporting process begins when an end user first calls the help desk. When the user reports a
problem, the help-desk staff must record the details of the problem and ask the user pertinent
questions to help determine the problem's scope. The answers to these questions enable the help-desk
staff to prioritize the problem.

It is important that help-desk staff keep the end user informed of progress throughout the entire
troubleshooting process. This starts with the first stage of problem reporting, when the help-desk staff
explains to the end user what the next step is in the process.

Gathering Information
The help desk staff may resolve the reported problem during the initial phone call or reporting stage.
This often happens with relatively simple problems. However, if it is not possible to resolve the issue
immediately, the help-desk staff must gather more information about the problem to help identify
possible causes. To gather additional information, you can use monitoring tools, examine event logs, or
simply ask the end user additional questions.

Developing an Action Plan


When there is sufficient information, you can attempt to determine the problem's cause. There are two
possible approaches:


The linear approach is a methodology that reveals the root cause of a problem quickly by taking you
through a logical series of steps. Start with the problem statement, and then proceed in a methodical
manner until you uncover the problem's source.

The subtractive approach is a methodology in which you form a mental picture of the computer's
system components. Separate the components into two halves along a testable line. For example, you
might ask yourself whether a hardware component or a network component is causing the problem.
You then would perform tests to determine on which side of the line the problem falls, and then
continue in the same manner until you isolate the problem component.

At this stage, regardless of the approach you take, your aim is to isolate the problem's cause. When you
feel you have determined the cause, you must test your assumptions. If the tests prove inconclusive, you
must continue testing until you determine the real cause. After your tests prove the problem's cause,
you must plan your course of action. For instance, if the problem requires that you replace a disk in a
server, you must:

1. Order the new disk.
2. Determine a suitable time to perform the replacement.
3. Back up existing data on the old disk.
4. Shut down the server.
5. Physically install the new disk.
6. Restore data to the new disk.

Implementing the Action Plan

After planning your course of action, you must implement the plan. If you are implementing a plan of
action to resolve serious problems, you must consider the impact on service availability of any changes
that you want to make. Larger organizations implement change-management procedures, and you must
adhere to these procedures.

Before you make any configuration changes, consider how much of your reconfiguration work you can
undertake by using remote management tools and utilities. You can resolve many problems with
remote-management techniques, and thereby avoid the need to work on the end user's computer physically.
However, you cannot resolve all problems by using remote-management tools, and sometimes, a visit to
the end user's computer is necessary.


Documenting the Correction

When you resolve a problem successfully, you must document the resolution. This documentation
involves a number of processes, depending upon your technical support infrastructure. At the very least,
you must inform the end user that you resolved the problem, and if a logging system is in use, you must
close the incident on the log.

Many organizations use documentation to provide information about their IT systems' configuration. In
the event that you reconfigure the user's computer to resolve a problem, you must update the supporting
documentation to reflect the changes that you made.

Additionally, during the information-gathering stage, it often is useful to examine incident logs to
determine whether anyone else has reported a problem similar to the one on which you are working.
Finding whether another technician has documented a similar problem is possible only if, at incident
closure, technicians document what they did to resolve a problem.

Discussion: Common Components of Troubleshooting Methodologies


Your instructor will assign you a role in an
organization, and during this discussion, you
will consider the benefits of a troubleshooting
methodology for your role. The roles are:

End users

Help desk support staff

Desktop support staff

Managers and planners

During your discussion, create a list of benefits for your organizational role. To help facilitate a useful
discussion, you might consider how a troubleshooting methodology results in the following outcomes:

Faster problem resolution

Improved productivity

Better accountability

Improved communications

Better update management

When you complete your discussion, share your conclusions with the class.

The Process of Problem Reporting


It is important that your organization have a
process that all of your end users understand
regarding the proper reporting of support
problems. A problem-reporting process comprises
problem detection, self-help options that the user
performs, contacting the help desk, classification
and initial support, escalation, resolution, and
problem closure. The following sections describe
these stages in more detail.

Detecting Problems


The process of reporting a support problem starts when an end user detects a problem with his or
her computer hardware, operating system, or an application. If the problem is intermittent, the end user
may take no immediate action. If the problem occurs again, the end user may take further action. End
users may attempt to resolve the problem themselves or contact the help desk for assistance.

Encouraging Self-Help Attempts by End Users


Whenever possible, encourage end users to help themselves. You can help end users resolve some
problems quickly if the end user stops and thinks about the event or problem that occurred.
If you provide adequate training for your end users, they will get the best performance from their
applications and hardware, likely encounter fewer problems, and will be more likely to resolve many
problems themselves without contacting the help desk.

Contacting the Help Desk

No matter how much training or encouragement end users receive, there always are problems that they
cannot resolve themselves. It is important to provide a proper procedure for contacting the help desk, and
even more important to ensure that your end users understand this procedure. During this phase, the
help-desk personnel should record the problem's details. You should consider using a database in which
to record details of the reported problem. You then can update the incident record in the help-desk
ticketing system that pertains to the problem. This helps you work toward a resolution.
If you lack the skills necessary to resolve the reported problem, assign the problem to other individuals in
your organization. For complex problems, you might assemble a specialist team to resolve the problem.
Update the incident record in the ticketing database to help track information about activity that you, or
others, perform in relation to the reported problem.

Detailing Classification and Initial Support

After an end user contacts the help desk, help-desk staff should attempt to classify the problem, and then
determine the problem's scope and urgency. You and your fellow help-desk staff can do this by asking
end users very specific questions about their problems. Questions might include the following:

Who else has the same problem? If the problem is widespread, this points to a more general problem
and is less likely to be the end user's particular computer. Additionally, problems affecting many end
users are more urgent than those that affect only one end user.

When did you first notice the problem? For example, it might be that the computer never worked
properly. It is very useful to know if the computer never worked properly, because this might indicate
a problem with deployment rather than usage.


What changed around the same time that you noticed the problem? If the end user recently installed
new applications or updated drivers, and the problem arose after these changes, it is possible that the
changes contributed to the problem that the end user is reporting.

During this phase, you might determine a probable cause of the reported problem, but be careful not to
jump to any conclusions. This could waste significant time and resources. Your goal during this phase is to
define the problem accurately.

Escalating the Problem

When a problem requires escalation between support tiers or to external vendors, ensure that you record
an appropriate level of detail to pass to the next support level. It is very helpful to have a clearly defined
escalation procedure to ensure that you can do this efficiently. The procedure may contain the following
information:

A precise description of the reported problem.

A record of any error messages associated with the problem.

A record of the resolution attempts that support staff made, and the results of each attempted fix.

A record relating to any diagnostics tools that support staff use.

The length of time that can elapse before you must escalate the problem.

You might consider escalation to external vendors when:

You cannot resolve the problem.

You have insufficient internal resources to resolve the problem.

Your organization does not have the required skills to resolve the problem.

You have identified the problem's probable cause, and it lies with a specific non-Microsoft
component.

Whenever you escalate a problem, always retain ownership of the problem, and use the database record
to track progress toward a resolution. Additionally, ensure that you provide any necessary assistance to
other support tiers and external vendors.

Resolving the Problem

After you determine a probable cause and develop an action plan, you should perform an assessment of
this plan, which should include:

Details regarding any liaisons with any specialist support staff that helped implement the plan.

Completion of any required requests according to change-management procedures.

Analysis of the possible impact of proposed changes on the IT infrastructure.

Testing details for the proposed plan.

Details of plans to roll back the changes if they do not achieve the desired result.

After you assess the proposed action plan, you can execute it. In the event that the action plan does not
resolve the problem, consider whether to roll back the changes you have made according to the
action-plan assessment. You also must revisit the classification phase, because it is possible that the initial
diagnosis and classification were incorrect.

Closing the Problem

After you resolve the problem successfully, you must close it. To close a problem, update any database
records that relate to it, and indicate that you implemented a permanent resolution for the problem. You
then can close the database record.

The Process of Initial Data Collection


Collecting information about a reported problem
is vitally important. By following a prescribed,
logical series of steps, you can define the nature
of the problem clearly, and then work toward
establishing a precise cause.

Asking the Right Questions


The process starts when an end user follows
a defined procedure to contact the help desk,
typically by sending an email or making a phone
call. To define the problem's cause clearly,
members of the help-desk team must question
the end user thoroughly and precisely.
Note: Many organizations provide a script for help-desk staff to use when performing
initial problem classification. This will help you and the help desk progress through all of the
fundamental questions that can help to classify the problem. If an issue is escalated to you,
ensure that you check the incident record in the ticketing system before you question the end
user yourself. Otherwise, you may be repeating questions asked by the help desk.


End users often are unable to provide a detailed description of their issues, or they may be reluctant to
explain the circumstances that caused the problem. When necessary, you must ask questions that help
you determine why the problem occurred. The following sections identify typical questions that may help
to determine the nature of the problem.

Determining the Answer to the Who Questions


If the incident record does not provide the following information, ask the end user:

Who was operating the computer when the problem first occurred?

Who else is operating the computer, and have they experienced similar problems?

Also, check the ticketing system to determine:

Who has worked on this problem, or one like it, previously?

Who has the same problem on another computer?

Determining the Answer to the When Questions

The following "when" questions help you determine when a problem occurred and establish a timeline of
activities that may relate to the problem. Check the open incident record to determine:

When this problem first occurred, and when it has since occurred.

When an application was installed, updated, or removed last from or on the computer.

When new hardware was installed last on the computer.

When disk maintenance tasks were last performed.
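
The event-log review mentioned under Gathering Information and the timeline that the "when" questions aim at can be assembled on the affected computer with PowerShell. The script below is an added example, not part of the course material; the parameter names, the seven-day window, and the choice of event IDs (MsiInstaller 11707 and 11724, Service Control Manager 7045) are assumptions made for illustration.

```powershell
# Added example: timeline of changes and errors around the time a problem
# was first noticed. $ProblemTime and $WindowDays are hypothetical
# parameters; take the time from the incident record.
param(
    [datetime]$ProblemTime = (Get-Date),
    [int]$WindowDays = 7
)

$start  = $ProblemTime.AddDays(-$WindowDays)
$end    = $ProblemTime.AddHours(1)
$window = @{ StartTime = $start; EndTime = $end }

function Get-EventsSafe {
    param([hashtable]$Filter)
    # Get-WinEvent reports an error when no event matches the filter;
    # treat that case as an empty result.
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
}

function ConvertTo-TimelineEntry {
    param($Record, [string]$Kind)
    # Keep only the first line of the message so the table stays readable.
    $firstLine = ("$($Record.Message)" -split "`r?`n")[0]
    [pscustomobject]@{
        Time   = $Record.TimeCreated
        Kind   = $Kind
        Source = $Record.ProviderName
        Id     = $Record.Id
        Detail = $firstLine
    }
}

$timeline = @()

# Windows updates. InstalledOn carries a date only, so compare against the
# start date rather than the exact start time.
$timeline += @(Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $start.Date -and $_.InstalledOn -le $end } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.InstalledOn
            Kind   = 'Update installed'
            Source = 'Get-HotFix'
            Id     = $null
            Detail = "$($_.HotFixID) ($($_.Description))"
        }
    })

# Windows Installer: 11707 = installation completed, 11724 = removal completed.
$msiFilter = @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707, 11724 } + $window
$timeline += @(Get-EventsSafe $msiFilter |
    ForEach-Object { ConvertTo-TimelineEntry $_ 'Application installed or removed' })

# New services, which often accompany driver and agent installations.
$svcFilter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } + $window
$timeline += @(Get-EventsSafe $svcFilter |
    ForEach-Object { ConvertTo-TimelineEntry $_ 'Service installed' })

# Critical (level 1) and Error (level 2) events in the same window.
$errFilter = @{ LogName = 'System', 'Application'; Level = 1, 2 } + $window
$timeline += @(Get-EventsSafe $errFilter |
    ForEach-Object { ConvertTo-TimelineEntry $_ 'Error' })

# Oldest first, so changes appear ahead of the errors that follow them.
$timeline | Sort-Object Time |
    Format-Table Time, Kind, Source, Id, Detail -AutoSize -Wrap
```

Attach the output to the incident record so that later support tiers see the same timeline.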


Determining the Answer to the What Questions

The following "what" questions help you gather information about what the help-desk staff thinks may be
the problem's cause, and also help you learn the solutions, if any, that the help-desk staff attempted
already. Check the open incident record to determine:

What does the help-desk staff suspect might be the problem?

What steps have the help-desk staff already taken to attempt resolution, if any?

What suggestions have the help desk received regarding a possible resolution?

Determining the Answer to the How and Why Questions


The following questions can often identify a solution quickly. Check the open incident record to
determine:

How does the help desk think that the problem occurred?

Why does the help desk think that the problem occurred?

Listening

When an end user reports a problem to you, listen carefully to what the user has to say. Often, as the user
responds to your questions, and repeats the history of a problem, he or she might reveal its cause. By
asking users to start from the beginning and explain exactly what they were doing immediately prior to
noticing the problem, and what they were doing when they noticed the problem, you may determine the
problem's cause.
Note: It is important to record the problem in a database, along with any pertinent
information that the user communicates to you. You will use the database record that you create
throughout the problem life cycle to record progress toward a resolution.

Consulting the Database

When you record all of the pertinent information from the user, your next task is to determine the cause
of the reported problem. Start by consulting existing documentation about known problems. It is quite
possible that the problem has occurred before. If this is the case, you can move toward a resolution
quickly, and then close the incident.

Researching the Issue

If existing documentation does not reveal any probable causes, you must perform some research. You can
perform this research by using a variety of sources. For example, you might search the Microsoft Support
Knowledge Base for information about the problem. You also may search online forums for related
material to aid in problem resolution.

Developing an Action Plan

After you determine a probable cause, you must develop an action plan, which the next topic describes.

Best Practices for Developing an Action Plan


Simple problems are easy to resolve quickly, and
they might not require a detailed action plan. For
example, say that an end user reports that he has
forgotten his password. Your action plan probably
should include opening Active Directory Users and
Computers, and resetting the password. However,
more complex or serious problems require careful
consideration.

Analyzing the Available Data


Before you start making configuration changes,
analyze the available data. This will help you
ensure that you determine the problem's
probable cause.

Reviewing the Documentation


Review any documentation that relates to the fix that you are proposing. For example, if the fix that you
propose requires the installation of a service pack, review the documentation that relates to the service
pack.

Escalating to Build a Test Environment

If the proposed fix or workaround involves significant reconfiguration work, or if problems arise during
the fix, this could affect the users' productivity. You may need to escalate the problem so that appropriate
support personnel can build a test environment that closely resembles the production system. You then
would use this test environment to test your plan of action.
Note: Virtualization technologies provide a convenient way to build test environments
without having to invest significantly in additional hardware or software.

Considering the Impact of Changes

If you need to perform significant reconfiguration work to resolve problems that are more complex, the
changes that you plan to make may impact many areas of your organization. It is likely that problems of
this nature are escalated to Tier 3 support staff.

Planning for Rollback


If you implement a fix or workaround, and it does not resolve the problem as you expect, you might
consider rolling back the fix. Performing a rollback is not necessary, but it may be desirable in certain
circumstances.

For example, if the fix involves applying an update, removal of the update might be acceptable. However,
if the fix involves upgrading applications to include new features that might be useful to other end users,
it might be desirable to leave the new applications installed rather than revert to the older application.
You can use the test environment to practice implementing a rollback of your proposed fix or
workaround.
Note: Although the slide includes numbered steps for the action plan it depicts, you might
not complete the steps in the order that the slide lists.


Implementing an Action Plan


Keep in mind that the specific stages of your plan
of action may vary because of the complexities or
circumstances of a specific problem. In general, an
action plan consists of implementing in a test
environment, consulting change management,
resolving the problem, monitoring and evaluating
the resolution, reporting on the resolution, and
then documenting the problem and resolution.

Implementing in a Test Environment


Before you attempt a fix on a production system,
implement your plan of action in your test
environment. Bear in mind that the process of
changing some aspect (or aspects) of a computer's configuration might result in a fix for a specific
problem, but also could introduce other problems.

For example, if you apply a security update to the operating system to resolve a security problem, the
update may make applications behave differently. When you feel that you can introduce the fix or
workaround without causing additional problems, and that it fixes the reported problem, proceed to the
next stage. Simple problems might not require this testing stage.

Consulting Change Management

Large organizations implement change-management procedures to ensure that every member of the
support staff performs all changes to the IT infrastructure in a similar and appropriate manner, according
to specific guidelines, and with adequate documentation about any changes. If your organization uses a
change-management procedure, you must determine what it requires when you implement your fix or
workaround. Consult the relevant documentation, and when necessary, discuss the proposed changes
with the appropriate staff.

Resolving the Problem

Help-desk staff often can resolve common problems quickly, without having to involve product specialists.
Less common or more complicated problems often require the escalation to either desktop-support
specialists or external vendors, and occasionally require the creation of a specialist team that includes
people possessing the range of skills necessary to resolve a particular issue. When possible, consider the
use of remote-management tools, because these often result in quicker problem resolutions.

Monitoring and Evaluating the Resolution

If a fix or workaround takes time to complete, and involves a number of stages, you must monitor
progress toward the problem's resolution. It is important that you evaluate the data that you collect
during this monitoring process, so that you can determine whether you are close to a solution. If data
indicates that a solution is not available, you might want to reconsider your plan of action.

Reporting and Documenting a Problem's Resolution

Whether or not you resolve the problem successfully, you must document all of the steps that you took in an
attempt to resolve it, and then document the results. If you log the incident in a database to track a
reported problem's status, you must update the record to reflect whether you resolve the problem and
whether you close the incident. The next topic looks more closely at the process of recording a problem's
resolution.

Recording the Problem Resolution


In most support organizations, a process exists to
record and document a problem that a user
reports. Typically, the help-desk staff records the
reported incident in a database. When you resolve
a problem, you must close the reported incident,
and then communicate the resolution to the user
who reported the problem.

Updating the Current Documentation


If the problem exposes flaws in the current IT
infrastructure, working practices, or other areas,
you must update the current documentation with
information about these flaws and the relevant
fixes or workarounds.
For example, if you install an operating-system service pack throughout the organization to fix an
application-compatibility issue, you must record information in the current infrastructure-related
documentation about both the compatibility issue and the service pack's installation process.

Creating New Documentation


Complex and serious problems often require significant infrastructure changes, so you must create the
necessary documentation to support these changes. For example, if you install a new version of an
application to resolve a problem, updating the existing documentation is insufficient. This is because the
new application may have new features, and therefore may work differently than the old version. You
must provide both users and administrators with the new information that they require to work with the
new application.

Logging the Resolution

You must update any database records associated with an incident. The update should include the
resolution and other relevant information about the fix or workaround required to resolve the problem.
Furthermore, you should not consider a problem resolved until the resolution is documented in a manner
that aids future incident resolution. Finally, you must update the incident record as closed.

Communicating with the End User

You must let the end user who reported the problem originally know that you resolved the problem. If the
user must take any special measures or steps to bypass the problem, you must communicate these steps
or procedures. If you made significant changes to the infrastructure, users might require additional
training.

Logging Preventative Measures

Problems have a habit of recurring. It is very important that you document the problem, its cause, and the
steps necessary to resolve it. Proper documentation ensures that, in the future, other support engineers
faced with similar incidents can discover a probable cause and a recommended solution early in the
troubleshooting process.


Discussion: The Benefits of Applying Troubleshooting Stages by Using a Methodology

Your instructor will initiate a classroom discussion
in the form of a brainstorming session. Please
consider the stages of a troubleshooting
methodology, and share your own experiences
with the class.
During the discussion, feel free to make practical
recommendations on the following topics:

How does your organization apply the troubleshooting stages?

How much do self-help telephone and web portals help users?

Who does the data collecting, and how do they do it?

How does your organization handle communications between the first-tier and second-tier support
staff and the end user?

How much can you achieve remotely?

How do you communicate problem resolutions to other support staff to help resolve future
problems?

Discussion: Common Troubleshooting Scenarios in Windows 8.1


Your instructor will initiate a classroom discussion
in the form of a brainstorming session.
During this discussion, consider common causes
of help-desk calls within your organization. As a
class, draw up a list of the problems reported
most commonly that relate to the Windows
operating system.

Lab: Troubleshooting Windows 8.1


Scenario
A. Datum Corporation is an engineering, manufacturing, and distribution company based in London,
England, with major offices located in Toronto, Canada, and Sydney, Australia.


A. Datum has a Tier 1 help desk that resolves the most simple user problems. When the help desk cannot
resolve user problems, help-desk staff assigns the trouble tickets to Tier 2 Desktop Support Technicians.
You are one of the Tier 2 Desktop Support Technicians for A. Datum. You retrieve trouble tickets assigned
to you and document their resolution.

Objectives
After completing this lab, you will be able to:

Develop a plan of action and discuss it with the class.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: None required.
For this lab, you do not need any virtual machines.


Exercise 1: Developing a Plan of Action


Scenario

A user has reported a problem with their upgrade to Windows 8.1 Pro. They initiated the upgrade by
using the Windows Store. You must attempt to determine the nature of the problem and then suggest a
plan of action for attempting a solution.
Incident Record (sample)
Incident Reference Number: 701338
Date of Call: February 23
Time of Call: 13:30
User: Adam Barr (Marketing Department)
Status: OPEN

Incident Details

Adam contacted the help desk after attempting to upgrade to Windows 8.1 by using the Windows Store.
The computer is his, but he wants to use it to access corporate documents.
Additional Information

The installation proceeded most of the way through, as far as the user could tell. However, the video
screen does not have the correct resolution. The icons and text are very big.
Plan of Action

Agreed Plan of Action

Resolution

The main tasks for this exercise are as follows:


1. Read the help-desk Incident Record.
2. Determine what questions you might ask the user.
3. Discuss recommendations.
4. Discuss the agreed plan of action.

Task 1: Read the help-desk Incident Record

Read help-desk Incident Record 701338 in the exercise scenario.

Task 2: Determine what questions you might ask the user

Discuss with the class the questions that you might ask the user so that you can develop a plan of action.

Task 3: Discuss recommendations


1. Read the Additional Information section of the Incident Record above.
2. Discuss your recommendations with other students.

Task 4: Discuss the agreed plan of action

Discuss the agreed-upon plan with other students.


Results: After completing this exercise, you should have developed a plan of action for the resolution of
the user's reported problem.


Module Review and Takeaways


Review Questions
Question: Considering the various form factors of devices that support Windows 8.1, which
do you expect your organization's users to implement?
Question: A user comes to you, asking whether it is okay to use his own Windows 8.1 tablet
to connect to, and access resources on the corporate intranet. Which feature or features of
Windows 8.1 will make this process easier?


Module 2
Troubleshooting Startup Issues
Contents:
Module Overview
Lesson 1: Overview of the Windows 8.1 Startup Recovery Environment
Lesson 2: Troubleshooting Startup Settings
Lesson 3: Troubleshooting Operating System Services Issues
Lab A: Troubleshooting Startup Issues
Lesson 4: Recovering BitLocker-Protected Drives
Lab B: Recovering BitLocker-Encrypted Drives
Module Review and Takeaways

Module Overview

Corruptions in the system registry often cause startup-related problems. Issues with device drivers or
system services can also cause these problems. Therefore, systematic troubleshooting is essential so that
you can determine the underlying cause of the startup problem quickly and efficiently.
This module describes how to identify and troubleshoot issues that affect the Windows 8.1 operating
system's ability to start, and how to identify problematic services that are running on the operating
system. It also describes how to use the Windows 8.1 operating system advanced troubleshooting tools,
collectively known as the Windows Recovery Environment (Windows RE).

Objectives
After completing this module, you will be able to:

Describe the Windows 8.1 startup recovery environment.

Optimize and troubleshoot startup settings.

Troubleshoot Windows operating system services.

Recover drives encrypted with BitLocker Drive Encryption.

Lesson 1

Overview of the Windows 8.1 Startup Recovery Environment

To recover Windows 8.1 computers that do not start, or those that are starting with errors, you must
recognize what the operating system looks like when it is starting properly. Additionally, a good working
knowledge of the recovery tools that Windows 8.1 provides should enable you to identify and resolve
problems that relate to startup issues.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Windows 8.1 startup architecture.

Explain the repair and recovery options available in Windows 8.1.

Describe the recovery tools available at the command prompt in Windows RE.

Explore the advanced startup environment.

Describe the system restore process in Windows 8.1.

Access the Windows 8.1 System Restore tool to fix the startup environment.

Windows 8.1 Startup Architecture


The Windows 8.1 boot loader architecture
provides a quick and secure mechanism for
starting the Windows operating system.
The boot loader architecture has three main
components:

The Windows Boot Manager (Bootmgr.exe)

The Windows OS Loader (Winload.exe)

The Windows Resume Loader (Winresume.exe)

Windows Boot Manager

As the computer starts, Bootmgr.exe loads first, and then reads the Boot Configuration Data (BCD), which
is a database of startup configuration information that the hard disk stores in a format similar to the
registry.
Note: The BCD provides a firmware-independent mechanism for manipulating the boot
environment data for any type of Windows operating system. Windows Vista and newer
Windows versions use the BCD to load the operating system or to run boot applications, such as
memory diagnostics. Its structure is very similar to a registry key, although you should not
manage it with the Registry Editor (regedit.exe).

Bootmgr.exe replaces much of the functionality of the NT Loader (NTLDR) bootstrap loader that
Windows XP and earlier versions of the Windows operating system use. Bootmgr.exe is a separate entity,
and it is unaware of other startup operations in the Windows operating system. Bootmgr.exe switches the
processor into 32-bit or 64-bit protected mode, prompts the user for which operating system to load (if
multiple operating systems are installed), and starts NTLDR if you have Windows XP or an earlier Windows
operating system installed.

Windows Operating System Loader

Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads
the operating system kernel (ntoskrnl.exe) and (BOOT_START) device drivers, which, combined with
Bootmgr.exe, makes it functionally equivalent to NTLDR. Winload.exe initializes memory, loads drivers
that should start, and then transfers control to the kernel.

Windows Resume Loader

If the BCD contains information about a current hibernation image, Bootmgr.exe passes that information
to Winresume.exe. Bootmgr.exe exits, and Winresume.exe then starts. Winresume.exe reads the
hibernation image file, and uses it to return the operating system to its prehibernation running state.

Windows 8.1 Startup Process

When you turn on a computer, the startup process loads the basic input/output system (BIOS), or on more
modern computers, the Unified Extensible Firmware Interface (UEFI). When it loads the UEFI or the BIOS,
the system accesses the master boot record (MBR) of the boot disk, followed by the boot sector of the
startup drive.
The Windows 8.1 cold startup process has seven steps:
1. The UEFI or BIOS performs a power-on self test (POST). From a startup perspective, the BIOS enables
the computer to access peripherals, such as hard disks, keyboards, and the computer display, prior to
loading the operating system.

2. The computer uses information in the UEFI or BIOS to locate an installed hard disk, which should
contain an MBR. The computer calls and loads Bootmgr.exe, which then locates an active drive
partition on sector 0 of the discovered hard disk.

3. Bootmgr.exe reads the BCD file from the active partition, gathers information about the machine's
installed operating systems, and then displays a boot menu, if necessary.

4. Bootmgr.exe either transfers control to winload.exe or calls winresume.exe for a resume operation. If
winload.exe selects an older operating system, such as Windows XP Professional, then Bootmgr.exe
transfers control to NTLDR.

5. Otherwise, winload.exe initializes memory and loads drivers that are set to begin at startup. These
drivers (that have a start value of 0 configured in the registry, and are called BOOT_START drivers),
are for fundamental hardware components such as disk controllers and peripheral bus drivers.
Winload.exe then transfers control to the operating system kernel, ntoskrnl.exe.

6. The kernel initializes, and then higher-level drivers (except BOOT_START and services), load. During
this phase, you will see the screen switch to graphical mode as the session manager (Smss.exe)
initializes the Windows subsystem.

7. The operating system loads the Winlogon service, which displays the sign-in screen. Once the user
signs in to the computer, the Windows Explorer tool loads.

Windows Secure Boot

Secure Boot is a Windows 8.1 feature on UEFI-based devices that can help to increase the security of your
device by helping to prevent unauthorized software from running on your device during the startup
process. Secure Boot verifies that each piece of software has a valid digital signature. This verification
applies to the operating system itself.


When you activate Secure Boot on a device, the device checks each piece of software against databases of
known good signatures maintained in the firmware. The firmware will only run software that it deems to
be safe by using this process.
The Windows 8.1 Secure Boot process requires firmware based on UEFI. The Secure Boot process utilizes
UEFI to prevent unknown or potentially unwanted operating-system boot loaders (such as firmware
rootkits) from launching between the system's firmware start and the Windows 8.1 operating system start.
Secure Boot is not mandatory for Windows 8.1, but it greatly increases the integrity of the boot process.
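
The boot chain described in this topic can be audited from the installed operating system. The following PowerShell script is an added example, not part of the courseware: it reports the Secure Boot state, then checks the Authenticode signatures of the loaders and of every BOOT_START driver (start value 0). The function names are illustrative, and the default driver path used when a key has no ImagePath value is an assumption.

```powershell
# Added example (not from the courseware). Run in an elevated 64-bit PowerShell
# session on the installed operating system, not inside Windows RE.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true or $false on UEFI firmware and raises
    # an error on legacy BIOS firmware or in a non-elevated session.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    }
    catch {
        "Unavailable: $($_.Exception.Message)"
    }
}

function Resolve-DriverPath {
    param([string]$ServiceName, [string]$ImagePath)

    # Assumption: a driver key without ImagePath loads System32\drivers\<name>.sys.
    if ([string]::IsNullOrWhiteSpace($ImagePath)) {
        return Join-Path $env:SystemRoot "System32\drivers\$ServiceName.sys"
    }
    $path = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    $path = $path -replace '^\\\?\?\\', ''                          # \??\C:\x.sys -> C:\x.sys
    $path = $path -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path                     # System32\drivers\x.sys
    }
    $path
}

function Get-FileSignatureSummary {
    param([string]$Name, [string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Name = $Name; Path = $Path; Status = 'FileMissing'; Signer = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    [pscustomobject]@{ Name = $Name; Path = $Path; Status = "$($sig.Status)"; Signer = $signer }
}

function Get-BootLoaderSignature {
    # Winload, Winresume and ntoskrnl are named on this page; the .efi files are
    # the loader variants used on UEFI systems. Bootmgr sits on the system
    # partition and is not checked here.
    foreach ($file in 'winload.exe', 'winload.efi', 'winresume.exe', 'winresume.efi', 'ntoskrnl.exe') {
        Get-FileSignatureSummary -Name $file -Path (Join-Path $env:SystemRoot "System32\$file")
    }
}

function Get-BootStartDriverSignature {
    # BOOT_START drivers are the service keys whose Start value is 0.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $svc = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
            if ($svc -and $svc.PSObject.Properties['Start'] -and $svc.Start -eq 0) {
                $path = Resolve-DriverPath -ServiceName $_.PSChildName -ImagePath $svc.ImagePath
                Get-FileSignatureSummary -Name $_.PSChildName -Path $path
            }
        }
}

"Secure Boot: $(Get-SecureBootState)"
Get-BootLoaderSignature | Format-Table Name, Status, Signer -AutoSize

# Older PowerShell versions read only embedded signatures, so a NotSigned result
# for a catalog-signed file is a prompt for follow-up, not proof of tampering.
Get-BootStartDriverSignature |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Name, Status, Path -AutoSize
```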

Windows Startup Recovery Options


If your Windows computer fails to start correctly,
you can use a number of tools to help resolve the
problem.

Windows RE
Windows RE is a recovery platform based on the
Windows Preinstallation Environment (Windows
PE). Windows RE provides two main functions:

Diagnose and repair startup problems automatically.

Provide a centralized platform for additional advanced recovery tools.

Accessing Windows RE
To access Windows RE:
1. Insert the Windows 8.1 DVD, and then start the computer.

2. When prompted, run the Windows 8.1 DVD Setup program.

3. After you configure language and keyboard settings, select the Repair your computer option, which
scans the computer for Windows installations, and then presents you with a Choose an option menu.
Click Troubleshoot.

Automatic Failover

Windows 8.1 provides an on-disk version of Windows RE. A computer that is running Windows 8.1 can fail
over automatically to the on-disk Windows RE if it detects a startup failure.
During startup, the Windows OS Loader sets a status flag that indicates when the boot process starts.
Winload.exe clears this flag before it displays the Windows sign-in screen. If the startup fails, the loader
does not clear the flag. Consequently, the next time the computer starts, Windows OS Loader detects the
flag, assumes that a startup failure has occurred, and then launches Windows RE instead of Windows 8.1.

The advantage of automatic failover to Windows RE Startup Repair is that you may not need to check the
problematic computer when a startup problem occurs.
Note: The computer must start successfully for the Windows OS Loader to
remove the status flag. If there is an interruption to the computer's power during the startup
sequence, the Windows OS Loader does not remove the flag, and instead initiates Startup Repair
automatically.


Remember that this automatic failover requires the presence of both the Windows Boot Manager and the
Windows OS Loader. If either of these elements is missing or corrupt, automatic failover cannot function,
and you must initiate a manual diagnosis and repair of the computer's startup environment.

Advanced Startup Settings


Windows 8.1 provides advanced startup settings that you can use to start the operating system in
advanced troubleshooting modes. These include:

Enable debugging

Enable boot logging

Enable low-resolution video

Enable safe mode

Enable safe mode with networking

Enable safe mode with command prompt

Disable driver signature enforcement

Disable early launch anti-malware protection

Disable automatic restart after failure

You will learn more about these troubleshooting modes during the next lesson.

Recovery Tools Available in Windows RE


Windows RE provides access to six recovery tools
that you can use to help recover your computer's
startup environment. Note that many of these
tools are also available from the Recovery option
in the Windows operating system.
When you launch Windows RE, you are presented
with three options:

Refresh your PC

Reset your PC

Advanced options

Refresh Your PC

This option enables you to retain your personal data, Windows Store apps, and settings, but replaces the
Windows 8.1 operating system. This is useful when it is important to retain user-related files and settings,
but you do not have the time to determine the specific cause of or resolve a startup problem.
Note: Because user settings may have created the startup problem from which you are
attempting to recover, the Refresh your PC option does not restore all settings. For example, this
option does not restore file associations, display settings, and Windows Firewall settings during
the refresh process.
Remember that using Refresh your PC does not recover your computer to a specific point in time.
Consequently, it is likely that, following recovery, you will have to perform additional tasks, such as
installing desktop apps. Therefore, it might be wise to attempt other methods of recovering from a
startup problem first.
Note: It is possible to use the Recimg.exe command-line tool to create a refresh image,
which then enables you to refresh your computer to a specific point in time. This process will also
add Program Files and Program Files (x86) to the image, which enable you to retain your desktop
apps after a refresh operation.

Reset Your PC
This option removes all user data, settings, and apps, and then reinstalls Windows 8.1. You should
select this option when you do not need to retain user data or settings. By using this setting, you revert
your computer to the deployment default settings.


As a method of recovering from a startup problem, Reset your PC is not ideal because it removes all user
data and settings. It will almost certainly resolve the startup problem. Consider using other recovery
methods before resorting to Reset your PC.
Note: If your computer has more than one drive when you launch Reset your PC, you can
choose to remove files from all drives, or only from the drive where Windows 8.1 is installed.
When you launch Reset your PC, you are prompted to:

Just remove my files. Use this option if you intend to keep your computer, but want to reset it to its
factory defaults.

Fully clean the drive. Choose this option if you want to wipe the drive completely in order to recycle
the computer. This process can take much longer.

Advanced Options
The following are tools you can access from the Advanced options menu in Troubleshooting.

System Restore

Windows 8.1 also provides System Restore capabilities that you can access from the System Tools folder. If
you have a system failure or another significant problem with your computer, you can use System Restore
to return your computer to an earlier state.
The primary benefit of System Restore is that it restores your system to a workable state without
reinstalling the operating system or causing data loss. Additionally, if the computer does not start
successfully, you can use System Restore by booting Windows RE from the product DVD. System Restore
is a preferable method of recovering from startup problems. You should attempt to use it before
considering either Refresh your PC or Reset your PC. Consider that using System Restore may resolve a
startup issue, but the computer may require additional configuration to bring it back to the correct state
following recovery.

You can create System Restore points by using the System Restore link in Recovery in Control Panel. First,
you must enable System Protection. You can do so by performing the following steps:
1. In Control Panel, click Recovery, and then click Configure System Restore.

2. On the System Protection tab, click Configure, and then click Turn On System Protection.


System Image Recovery

System Image Recovery replaces your computer's current operating system with a complete computer
backup that you created previously, and which you stored as a system image. You can use this tool only
if you have made a recovery drive of your computer. You should use this tool only if other methods of
recovery are unsuccessful, because it is a very intrusive recovery method that overwrites everything on the
computer.

Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. The following sections describe Startup Repair tool functions:

Replace or Repair Disk Metadata. Disk metadata consists of several components, including the boot
sector and the MBR. If these files are missing or corrupt, the startup process fails. If you suspect that
an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk
metadata. Automatic Repair checks and, if necessary, repairs the disk metadata automatically.
Damage to the disk metadata often occurs because of unsuccessful attempts to install multiple
operating systems on a single computer. Another possible cause of metadata corruption is a virus
infection.

Repair Boot Configuration Settings. Windows XP and earlier Windows operating system versions
stored the boot configuration information in Boot.ini, a simple text file. However, Windows 8.1 uses
a configuration store that is in the C:\Boot folder.

If the boot configuration data is damaged or deleted, the operating system fails to start. The Startup
Repair tool then checks and, if necessary, rebuilds the BCD by scanning for Windows installations on
the local hard disks, and then storing the necessary BCD.

Resolve Incompatible Driver Issues. Installing a new hardware device and its associated device driver
often causes Windows operating systems to start incorrectly.
The Automatic Repair tool performs device driver checks as part of its analysis of your computer. If
Automatic Repair detects a driver problem, it uses System Restore points to attempt a resolution by
rolling back configuration to a known working state.

Note: Even if you do not create restore points manually in Windows 8.1, installing a new
device driver automatically causes Windows 8.1 to create a restore point prior to the installation.

The Startup Repair tool should be your primary startup recovery mechanism. It is the least invasive and
requires the least manual configuration following recovery.

Command Prompt
Windows 8.1 uses the Command Prompt window from the Windows RE tool set as its command-line
interface. The Command Prompt tool is more powerful than the Recovery Console command-line
interface from early Windows operating system versions. The Windows RE Command Prompt features
are similar to the Command Prompt window that is available when Windows 8.1 is running normally:

Resolve Problems with a Service or Device Driver. If a computer that is running Windows 8.1
experiences problems with a device driver or Windows service, use the Windows RE Command
Prompt window to attempt a resolution. For example, if a device driver fails to start, use the
command prompt to install a replacement driver, or to disable the existing driver from the registry. If
the Netlogon service fails to start, at the command prompt, type Net Start Netlogon. You also can use
the SC (SC.exe) command-line tool or the Windows PowerShell Start-Service and Stop-Service
cmdlets to start and stop services.


Recover Missing Files. The Windows RE Command Prompt tool also enables you to copy missing files
to your computer's hard disk from original source media, such as the Windows 8.1 product DVD or
universal serial bus (USB) flash drive.

Access and Configure the BCD. Windows 8.1 uses a BCD store to retain information about the
operating systems that you install on the local computer. You can access this information by using
the BCDEdit.exe tool at the command prompt. You also can reconfigure the store, if necessary. For
example, you can reconfigure the default operating system on a dual-boot computer with the
BCDEdit.exe /default id command.

Repair the Boot Sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that is running Windows 8.1 will fail to start successfully. You can launch the
Bootrec.exe program at the command prompt to resolve problems with the disk metadata.

Run Diagnostic and Troubleshooting Tools. The Command Prompt tool provides access to many
programs that you can access from Windows 8.1 during normal operations. These programs include
several troubleshooting and diagnostics tools, such as the registry editor (Regedit.exe), a disk and
partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe,
Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can
use to determine which programs and services are running currently.

Note: Windows PE is not a complete operating system. Therefore, when you use the
Command Prompt tool in Windows RE, remember that not all programs that work in a Windows
operating system will work at the command prompt. Additionally, because there are no logon
requirements for Windows PE and Windows RE, Windows restricts the use of some programs for
security reasons, including many that administrators typically run.
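
Before reconfiguring the BCD store as described above, it helps to read what the store currently contains. The following PowerShell script is an added example, not part of the courseware: it parses BCDEdit.exe /enum output into objects and reports, for each Windows Boot Loader entry, whether it is the default and whether automatic failover to Windows RE or driver signature checks have been switched off. The sample text is constructed, the function names are illustrative, and English-language BCDEdit output is assumed.

```powershell
# Added example (not from the courseware). The sample text below is constructed.
# On a live system, in an elevated session, use:  $lines = bcdedit /enum all
# Before changing the store, take a copy:         bcdedit /export C:\BCD-backup
# Assumption: English-language BCDEdit output.

$sample = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 8.1
recoveryenabled         Yes

Windows Boot Loader
-------------------
identifier              {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}
device                  partition=D:
path                    \Windows\system32\winload.exe
description             Windows 8.1 (test build)
recoveryenabled         No
testsigning             Yes
'@ -split "`r?`n"

function ConvertFrom-BcdEditOutput {
    param([string[]]$Line)

    $rule    = '^-{3,}\s*$'          # dashed line printed under each entry title
    $entries = New-Object System.Collections.ArrayList
    $current = $null
    $lastKey = $null

    for ($i = 0; $i -lt $Line.Count; $i++) {
        $text = $Line[$i]
        $nextIsRule = ($i + 1 -lt $Line.Count) -and ($Line[$i + 1] -match $rule)

        # Skip blank lines and title lines (a title is read when its rule is reached).
        if ([string]::IsNullOrWhiteSpace($text) -or $nextIsRule) { continue }

        if ($i -gt 0 -and $text -match $rule) {
            if ($null -ne $current) { [void]$entries.Add([pscustomobject]$current) }
            $current = [ordered]@{ Type = $Line[$i - 1].Trim() }
            $lastKey = $null
        }
        elseif ($null -ne $current -and $lastKey -and $text -match '^\s+(\S.*)$') {
            # Indented line: another value for the previous element (for example displayorder).
            $current[$lastKey] = @($current[$lastKey]) + $Matches[1].Trim()
        }
        elseif ($null -ne $current -and $text -match '^(\S+)\s+(.+)$') {
            $lastKey = $Matches[1]
            $current[$lastKey] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current) { [void]$entries.Add([pscustomobject]$current) }
    $entries
}

function Get-BcdFinding {
    param([object[]]$Entry)

    $manager = $Entry | Where-Object { $_.identifier -eq '{bootmgr}' } | Select-Object -First 1
    foreach ($e in $Entry | Where-Object { $_.Type -eq 'Windows Boot Loader' }) {
        $notes = @()
        if ($manager -and $manager.default -eq $e.identifier) { $notes += 'default entry' }
        if ($e.recoveryenabled -ne 'Yes')   { $notes += 'automatic failover to Windows RE is off' }
        if ($e.testsigning -eq 'Yes')       { $notes += 'test-signed drivers are allowed' }
        if ($e.nointegritychecks -eq 'Yes') { $notes += 'integrity checks are disabled' }
        [pscustomobject]@{
            Identifier  = $e.identifier
            Description = $e.description
            Loader      = $e.path
            Notes       = $notes -join '; '
        }
    }
}

Get-BcdFinding -Entry (ConvertFrom-BcdEditOutput -Line $sample) | Format-List
```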

Demonstration: Examining the Advanced Startup Environment


Note: This is a practice session.
In this practice session, you will:

Launch Windows RE.

Use the Command Prompt tool.

Use Startup Repair.

Start Windows 8.1 normally.

Examine a Startup Repair log file.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:
User name: Administrator
Password: Pa$$w0rd
Domain: Adatum

5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Launch Windows RE
1. Restart 20688D-LON-CL1.

2. When prompted to Press any key to boot from CD or DVD, press the space bar. The computer
boots into Windows Setup.

3. In the Windows Setup Wizard, click Next.

4. On the Install now page, click Repair your computer.

5. On the Choose an option page, click Troubleshoot.

6. On the Troubleshoot page, click Advanced options.

7. On the Advanced options page, notice the four tools that are available.

Use the Command Prompt tool


1. Click Command Prompt.

2. At the command prompt, type diskpart, and then press Enter.

3. At the command prompt, type list disk, and then press Enter.

4. At the command prompt, type list volume, and then press Enter.

5. At the command prompt, type exit, and then press Enter.

6. At the command prompt, type e:, and then press Enter.

7. At the command prompt, type dir, and then press Enter. This is the system drive.

8. At the command prompt, type cd\windows\system32, and then press Enter.

9. At the command prompt, type net start, and then press Enter. A list of running services is returned.

10. At the command prompt, type sc query, and then press Enter. A list of services and their current
status is returned.

11. At the command prompt, type regedit, and then press Enter. The Registry Editor opens.

12. Close the Registry Editor.

13. At the command prompt, type exit, and then press Enter.

Perform Startup Repair


1. On the Choose an option page, click Troubleshoot.
2. On the Troubleshoot page, click Advanced options.
3. On the Advanced options page, click Startup Repair.
4. On the Startup Repair page, click Windows 8.1. Automatic startup repair begins.
5. On the Startup Repair page, notice the log file (E:\Windows\System32\Logfiles\Srt\SrtTrail.txt) mentioned in the message, and then click Advanced options.

Start Windows normally


1. On the Choose an option page, click Continue.
2. Sign in as Adatum\administrator with the password Pa$$w0rd.
3. In the Start screen, click the Desktop tile.

Examine Startup Repair log file


1. On the taskbar, click the File Explorer icon.
2. In File Explorer, navigate to C:\Windows\System32\Logfiles\Srt\. Notice that the volume label when the operating system is running is now C.
3. In the Srt folder, double-click SrtTrail.txt.
4. Examine the file for any errors. There should be none.
5. Close the file, and then close File Explorer.

Completion steps

After you have completed the practice session, leave the virtual machines running for the next
practice session.

System Restore
Windows 8.1 enables System Restore features automatically. System Restore takes snapshots of your computer system, and then saves them as restore points. These restore points represent a point in time for the computer's configuration when it was running successfully. Using System Restore does not affect user data.
After you enable System Restore points, Windows 8.1 creates them automatically when the following actions occur:

You install a new application or driver.

You uninstall certain programs.

You install updates.

Windows 8.1 also creates System Restore points:

Manually, whenever you choose to create them.

Automatically, once daily.

Automatically, if you choose to use System Restore to restore to a previous point in time.

In this last instance, System Restore creates a new restore point before it restores the system to a previous
state. This provides you with a recovery option should the restore operation fail or result in issues.
Windows RE does not create a restore point for the current state if you are in safe mode and you restore
to a previous state.

Perform Driver Rollbacks

You may use System Restore when you install a device driver that results in a computer that is unstable,
or that fails to operate entirely. Earlier Windows operating system versions had a mechanism for driver
rollback, but it required the computer to start successfully from safe mode.
With Windows 8.1 computers, you can use System Restore to roll back drivers by accessing the System
Restore points, even when the computer does not start successfully.

Protect Against Accidental Deletion of Programs

System Restore also provides protection against accidental deletion of programs. When you add or
remove programs, System Restore creates restore points, and keeps copies of application programs (file
names with an .exe or .dll extension). If you accidentally delete an executable (.exe) file, you can use
System Restore to recover the file by selecting a recent restore point prior to when you deleted the
program.
Note: If you use System Restore to restore your computer to a previous point in time, be aware that it may affect connectivity to the computer's domain. Specifically, if the computer's password has changed since the restore point was created, your computer will be unable to sign in to the domain. In this instance, you must reset the computer's secure channel with the domain. You can do this by using the Windows PowerShell Reset-MachineAccountPassword cmdlet. You can also use Netdom and Active Directory Users and Computers.

Demonstration: Accessing System Restore


Note: This is a practice session.
In this practice session, you will:

Create a restore point.

Start a computer in Windows RE.

Launch System Restore.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. The required virtual
machines should already be running. If they are not, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Create a restore point

1. On LON-CL1, click Start.
2. Beneath the Desktop tile, click the down arrow.
3. Right-click This PC, and then click Properties.
4. In the Properties dialog box, click Advanced system settings.
5. In the System Properties dialog box, click the System Protection tab, and then click Create.
6. In the System Protection dialog box, in the text box, type Initial System Restore Point, and then click Create.
7. Click Close, and then click OK.

Start a computer in Windows RE


1. Right-click Start, point to Shut down or sign out, and then click Restart.
2. When prompted to Press any key to boot from CD or DVD, press the spacebar.
3. In the Windows Setup Wizard, click Next.
4. On the Install now page, click Repair your computer.
5. On the Choose an option page, click Troubleshoot.
6. On the Troubleshoot page, click Advanced options.

Launch System Restore


1. On the Advanced options page, click System Restore.
2. On the System Restore page, click Windows 8.1.
3. In the System Restore Wizard, click Next.
4. On the Restore your computer to the state it was in before the selected event page, in the unnamed drop-down list box, click Initial System Restore Point, and then click Next.
5. On the Confirm your restore point page, click Finish.
6. In the Once started, System Restore cannot be interrupted. Do you want to continue? dialog box, click Yes. The system restore process begins.
   Note: System Restore can take an extended period of time.
7. When prompted, click Restart.
8. After your computer has restarted, sign in as Adatum\administrator with the password Pa$$w0rd.
9. In Start, click the Desktop tile.
10. In the System Restore dialog box, click Close.
11. Click Start.

Completion steps

After you have completed the practice session, leave the virtual machines running for the next
practice session.

Lesson 2

Troubleshooting Startup Settings

To troubleshoot a Windows 8.1 computer that fails to start properly, you must understand the startup
process, and the role of the BCD store in troubleshooting. This lesson describes the BCD store and how it
controls the startup process flow. It also describes the tools and utilities that you can use to configure the
Windows 8.1 startup process.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the role of the BCD store.

Describe BCD settings.

Repair the BCD store by using the BCDEdit command-line tool.

Describe how to configure environments by using the System Configuration tool.

Describe the advanced boot options available in Windows 8.1.

Use the System Configuration tool and the Advanced Startup options.

Windows 8.1 BCD Store


The Windows BCD store is an extensible database of objects and elements that can include information about a current hibernation image, and special configuration options for booting Windows 8.1 or an alternate operating system. The BCD store provides an improved mechanism for describing boot-configuration data for new firmware models.
The boot sector loads Bootmgr.exe, which in turn accesses the BCD store, and then uses that information to display a boot menu to the user (if multiple boot options exist), and to load the operating system.
These parameters were previously in the Boot.ini file (in BIOS-based operating systems) or in the nonvolatile random access memory (NVRAM) entries in operating systems based on an Extensible Firmware Interface (EFI).

However, Windows 8.1 replaces the boot.ini file and NVRAM entries with the BCD store. This file is more versatile than boot.ini, and it can apply to computer platforms that do not use BIOS to start the computer. You also can apply the BCD store to firmware models, such as computers that are based on EFI.
Windows 8.1 stores the BCD as a registry hive. For BIOS-based systems, the BCD registry file is in the active partition \Boot directory. For EFI-based systems, the BCD registry file is on the EFI system partition.

Configuring the BCD Configuration Settings


Depending on what you want to change, you can use the following tools to modify the BCD store:

Startup and Recovery. The Startup and Recovery dialog box enables you to select the default operating system if you have multiple operating systems installed on your computer. You also can change the time-out value. You can find these settings on the Advanced tab in the System Properties dialog box.

System Configuration tool (MSConfig.exe). MSConfig.exe is an advanced tool that enables you to select the following startup options:

o Safe boot. Enables you to select:

    Safe boot: Minimal. On startup, opens Windows Explorer in safe mode, which means it runs only critical system services. Networking is disabled.

    Safe boot: Alternate shell. On startup, opens the Windows command prompt in safe mode, and runs only critical system services. Networking and Windows Explorer are disabled.

    Safe boot: Active Directory repair. On startup, opens Windows Explorer in safe mode, and runs only critical system services and Active Directory Domain Services (AD DS). Safe boot performs no function on a client operating system.

    Safe boot: Network. On startup, opens Windows Explorer in safe mode, and runs only critical system services. Networking is enabled.

o No GUI boot. Does not display the Windows Welcome screen when starting.

o Boot log. Records startup information into a log file.

o Base video. Uses a generic video display adapter driver.

o Advanced options:

    Debug. Enables kernel-mode debugging for device driver development.

    Number of processors. Limits the number of processors used on a multiprocessor system.

    Maximum memory. Artificially limits the available random access memory (RAM).

BCDEdit.exe. You can use BCDEdit.exe, a command-line tool, to change the BCD, including removing entries from the list that displays operating systems. This advanced tool is for administrators and IT professionals. BCDEdit.exe replaces Bootcfg.exe.

The BCDEdit tool currently enables you to:

o Add entries to an existing BCD store.

o Modify existing entries in a BCD store.

o Delete entries from a BCD store.

o Export entries to a BCD store.

o Import entries from a BCD store.

o List currently active settings.

o Query a particular type of entry.

o Apply a global change (to all entries).

o Change the default time-out value.

Typical reasons to manipulate the BCD with BCDEdit include:

o Adding a new hard disk to your Windows 8.1 computer, and changing the logical drive numbering.

o Installing additional operating systems on your Windows 8.1 computer to create a multiboot configuration.

o Deploying Windows 8.1 to a new computer with a blank hard disk, requiring you to configure the appropriate boot store.

o Performing a backup of the BCD.

o Restoring a corrupted BCD.

The following table provides additional information about the command-line syntax for BCDEdit.exe.
Command               Description

Commands that operate on a store
/createstore          Creates a new empty BCD store.
/export               Exports the contents of the system BCD store to a specified file.
/import               Restores the state of the system BCD store from a specified file.

Commands that operate on boot entries in a store
/copy                 Makes copies of boot entries.
/create               Creates new boot entries.
/delete               Deletes boot entries.

Commands that operate on elements
/deletevalue          Deletes elements from a boot entry.
/set                  Creates or modifies a boot entry's elements.

Command that controls output
/enum                 Lists the boot entries in a store.

Commands that control Boot Manager
/bootsequence         Specifies a one-time boot sequence.
/default              Specifies the default boot entry.
/displayorder         Specifies the order in which Boot Manager displays its menu.
/toolsdisplayorder    Specifies the order in which Boot Manager displays the Tools menu.
/timeout              Specifies the Boot Manager Timeout value.

Commands that control debugging
/bootdebug            Enables or disables boot debugging for a boot application.
/dbgsettings          Specifies global debugger parameters.
/debug                Enables or disables kernel debugging for an operating system boot entry.

Commands that modify other commands
/store                Specifies the BCD store upon which a command acts.
/v                    Displays boot entry identifiers in full, rather than using well-known identifiers.

Commands that control Emergency Management Services (EMS)
/bootems              Enables or disables EMS for a specified boot application.
/ems                  Enables or disables EMS for an operating system boot entry.
/emssettings          Specifies global EMS parameters.

BootRec.exe. You use BootRec.exe with the /rebuildbcd option to rebuild the BCD. You must run
Bootrec.exe in Windows RE. If rebuilding the BCD does not resolve the startup issue, you can export
and delete the BCD, and then run this option again. By doing this, you ensure that the BCD rebuilds
completely.
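Settings that MSConfig or BCDEdit write during troubleshooting (Safe boot, Boot log, Debug) stay in the BCD store until someone removes them, so it is worth reviewing saved bcdedit /enum output afterwards. The following is an added example, not part of the course material: the sample output is constructed, the function names are hypothetical, and the choice of which BCD elements to flag is an assumption.

```python
import re

# Constructed sample of `bcdedit /enum` output (not captured from a real computer).
SAMPLE_ENUM = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {a1b2c3d4-0000-0000-0000-000000000000}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 8.1
osdevice                partition=C:
systemroot              \Windows
safeboot                Minimal
bootlog                 Yes

Windows Boot Loader
-------------------
identifier              {a1b2c3d4-0000-0000-0000-000000000000}
device                  partition=D:
path                    \Windows\system32\winload.exe
description             Test build
testsigning             Yes
debug                   Yes
"""

# BCD elements to review after troubleshooting (the selection is an assumption).
# None means "flag whenever present"; otherwise flag only on the listed values.
REVIEW = {
    "safeboot": (None, "entry boots into safe mode"),
    "safebootalternateshell": ({"yes"}, "safe mode starts the alternate shell"),
    "bootlog": ({"yes"}, "boot logging is still enabled"),
    "debug": ({"yes"}, "kernel debugging is enabled"),
    "bootdebug": ({"yes"}, "boot debugging is enabled"),
    "testsigning": ({"yes"}, "test-signed drivers are accepted"),
    "nointegritychecks": ({"yes"}, "integrity checks are disabled"),
    "disableelamdrivers": ({"yes"}, "early launch anti-malware drivers are disabled"),
}


def is_underline(line):
    """True for the row of dashes that bcdedit prints under each entry title."""
    stripped = line.strip()
    return bool(stripped) and set(stripped) == {"-"}


def parse_bcd_enum(text):
    """Split the output into entries: {'type': str, 'elements': {name: [values]}}."""
    entries, current, last_name = [], None, None
    lines = text.splitlines()
    for index, line in enumerate(lines):
        if not line.strip() or is_underline(line):
            continue
        following = lines[index + 1] if index + 1 < len(lines) else ""
        if is_underline(following):
            # A title line is the one directly above a row of dashes.
            current = {"type": line.strip(), "elements": {}}
            entries.append(current)
            last_name = None
        elif current is None:
            continue
        elif line[0].isspace():
            # Indented line: another value for the previous element (e.g. displayorder).
            if last_name:
                current["elements"][last_name].append(line.strip())
        else:
            match = re.match(r"(\S+)\s+(.*)", line)
            if match:
                last_name = match.group(1).lower()
                current["elements"][last_name] = [match.group(2).strip()]
    return entries


def audit_entries(entries):
    """Return (identifier, element, value, reason) for every element worth reviewing."""
    findings = []
    for entry in entries:
        identifier = entry["elements"].get("identifier", ["<unknown>"])[0]
        for name, (flag_values, reason) in REVIEW.items():
            values = entry["elements"].get(name)
            if not values:
                continue
            if flag_values is None or values[0].lower() in flag_values:
                findings.append((identifier, name, values[0], reason))
    return findings


if __name__ == "__main__":
    for identifier, name, value, reason in audit_entries(parse_bcd_enum(SAMPLE_ENUM)):
        print(f"{identifier}: {name}={value} ({reason})")
```
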

Demonstration: Using Command-Line Tools to Access the BCD Store


Note: This is a practice session.
In this practice session, you will:

Access advanced startup options.

Open the Command Prompt tool.

Work with the boot store.

Restart the Windows operating system normally.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. The required virtual
machines should already be running. If they are not, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Access advanced startup options
1. On LON-CL1, press the Windows + C keys to access the Charms menu.
2. Click Settings, and then click Change PC settings.
3. In PC settings, click Update and recovery.
4. Click Recovery.
5. In the results pane, under Advanced startup, click Restart now.
6. On the Choose an option page, click Troubleshoot.
7. On the Troubleshoot page, click Advanced options.

Open the Command Prompt tool


1. On the Advanced options page, click Command Prompt. Your computer restarts into the Command Prompt mode.
2. On the Command Prompt page, click Admin.
3. In the Password box, type Pa$$w0rd, and then click Continue.

Work with the boot store


1. At the command prompt, type bcdedit /enum, and then press Enter. This lists the available boot options in the store.
2. At the command prompt, type bootrec /scanos, and then press Enter. This command scans the partitions for viable operating systems.
3. At the command prompt, type bootrec /rebuildbcd, and then press Enter. This command rebuilds the boot store automatically.
4. At the command prompt, type exit, and then press Enter.

Restart the Windows operating system normally


1. On the Choose an option page, click Continue.
2. Sign in as Adatum\administrator with the password Pa$$w0rd.

Completion steps

After you have completed the practice session, leave the virtual machines running for the next
practice session.

Configuring Environments with the System Configuration Tool


The System Configuration tool (MSConfig.exe) automates the troubleshooting steps that assist you in diagnosing issues with your system's configuration. When you use this tool, you can change the way Windows 8.1 starts up. You also can select options to prevent services and programs from loading during the Windows startup process.
By using MSConfig, you can reset or change the Windows 8.1 configuration settings to include preferences for the following:

Startup options

Services that you want to start during the startup process

Programs that you want to load during the startup process

If you select the Make All Boot Settings Permanent check box, any changes that you make using
MSConfig will be permanent. If you do not select this check box, then any changes are undone if later you
select the Normal startup option.
The System Configuration dialog box has five tabs:

General. Use the settings on this tab to select the startup environment. You can choose between
Normal, Diagnostic, or Selective startup.

Boot. Use the settings on this tab to select boot options, such as Safe boot, No GUI boot, and Base
video. On this tab, you also can select Advanced options, such as selecting the number of processors
that you want to use, setting the maximum memory available, or locking peripheral component
interconnect (PCI) devices to resources.

Services. You use this tab to view a list of all services that start when the computer boots, and
their current status, which is either Running or Stopped. You can use this tab to enable or disable
individual services at boot time to troubleshoot services that might be contributing to startup
problems. You also can select the option to Hide all Microsoft services, which enables you to identify
nonstandard services that might be causing a startup problem.

Startup. Use this tab to access a link to the Startup tab in Task Manager.

Tools. Use this tab as a shortcut to launch various system tools. For example, you can change the settings for User Account Control, launch the Action tab, and access Computer Management and other system tools.

Advanced Startup Options in Windows 8.1


Windows 8.1 provides advanced startup options
that you can use to start the operating system in
an advanced troubleshooting mode.

Accessing the Advanced Startup Options


You can access advanced startup options when the operating system is running by using the following steps:
1. Press the Windows + C keys to bring up the Charms menu.
2. Click Change PC settings.
3. Click Update & recovery.
4. Click Recovery.
5. Under Advanced startup, click Restart now.
6. Once your computer restarts, on the Choose an option page, click Troubleshoot.
7. On the Troubleshoot page, click Advanced options.
8. From the Advanced options page, you can access the following tools:
   o System Restore
   o System Image Recovery
   o Startup Repair
   o Command Prompt
   o Startup Settings
9. Click Startup Settings, and then click Restart.
10. When your computer restarts, at the Startup Settings window, you can select the appropriate advanced startup option by selecting the appropriate numeric key.
Note: If the operating system does not start, use Windows RE to access these advanced
startup options.

Available Options
The following options are available from the boot menu:

Enable debugging. Starts the Windows operating system in an advanced troubleshooting mode intended for information technology (IT) professionals and system administrators. Debugging enables you to examine the behavior of the Windows operating system's device drivers. This is especially useful if the operating system stops unexpectedly, as it may provide additional information for driver developers.

Enable log booting. Creates the Ntbtlog.txt file, which can be useful for advanced troubleshooting.
This file lists all drivers that the Windows operating system installs during startup.

Enable low-resolution video. Starts the Windows operating system using your current video driver,
with low resolution and refresh rate settings. Use this mode to reset your display settings.

Enable safe mode. Starts the Windows operating system with a minimal set of drivers and services.
This is one of the most useful boot options, because it provides access to the operating system when
a high-level service or application prevents a normal boot. This enables you to perform diagnostics
and fix the problem.

Enable safe mode with networking. Starts the Windows operating system in safe mode, and includes
the network drivers and services that you need to access the Internet or other network computers.

Enable safe mode with command prompt. Starts the Windows operating system in safe mode with a
Command Prompt window, rather than the Windows GUI interface. You typically use this when other
startup options do not work.

Disable driver signature enforcement. Allows you to install drivers that contain improper signatures.

Disable early launch anti-malware protection. Prevents low-level anti-malware protection from
running. Early launch anti-malware protection loads an anti-malware driver before all non-Microsoft
boot drivers and applications, to test them and prevent unapproved drivers from loading.

Disable automatic restart after failure. Prevents the Windows operating system from restarting
automatically if an error causes the operating system to fail. Choose this option only if the computer
loops through the startup process repeatedly by failing to start correctly, and then attempting
another restart.

Demonstration: Using System Configuration and Advanced Startup Options

Note: This is a practice session.
In this practice session, you will:

Load the System Configuration tool.

Enable Safe boot, and then restart.

Sign in to safe mode.

Revert to normal startup.

Access startup settings.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. The required virtual
machines should already be running. If they are not, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Load the System Configuration tool
1. On LON-CL1, on the Start screen, type msconfig.exe, and then press Enter.
2. In the System Configuration dialog box, click the Boot tab.

Enable Safe boot, and then restart


1. On the Boot tab, select the Safe boot check box, and then click OK.
2. In the System Configuration dialog box, click Restart.

Sign in to safe mode


1. When the computer has restarted, sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Notice that the desktop is modified to include Safe Mode in each corner.
3. On LON-CL1, click Start.

Revert to normal startup


1. In Start, type msconfig.exe, and then press Enter.
2. In the System Configuration dialog box, on the General tab, click Normal startup, and then click OK.
3. In the System Configuration dialog box, click Restart.
4. When the computer has restarted, sign in as Adatum\Administrator with the password Pa$$w0rd.
5. Notice that the Windows operating system starts normally.

Access startup settings


1. On LON-CL1, press Windows + C to access the Charms menu.
2. Click Settings, and then click Change PC settings.
3. In PC settings, click Update and recovery.
4. Click Recovery.
5. In the results pane, under Advanced startup, click Restart now.
6. On the Choose an option page, click Troubleshoot.
7. On the Troubleshoot page, click Advanced options.
8. On the Advanced options page, click Startup Settings.
9. On the Startup Settings page, click Restart.
10. When the computer has restarted, on the Startup Settings page, press Enter to start normally. You will not use any of the Startup Settings during this practice.

Completion steps
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lesson 3

Troubleshooting Operating System Services Issues

Failures of an operating system service often result in problems that are not severe enough to prevent the
computer from starting, but are enough to restrict functionality. Therefore, it is important that you
understand how to identify and resolve service-related startup problems.

Lesson Objectives
After completing this lesson, you will be able to:

Describe operating system services.

Identify failed services by using Windows 8.1 tools.

Explain how to use tools and utilities to disable services.

Operating System Services


To troubleshoot system service issues, you must
understand the differences between the different
system services. System services have three
distinct groups: software applications, operating
system services, and hardware devices and their
associated device drivers.
Applications operate at a high level through
personalization by the user, and at a lower level
by integrating with the operating system. You
install applications after you install the operating
system, and you must start applications manually
to use them.

Operating system services are part of the operating system rather than something that you install after
the operating system deploys. Additionally, operating system services function with no user action. In fact,
they start before a user logs on to the computer.
The difference between operating system services and device drivers is that device drivers interact directly
with hardware devices or components, while generally, an operating system service interacts with other
software components in the operating system. From a management perspective, the difference between
device drivers and operating system services is more obvious. You use Device Manager to manage device
drivers, and you use the services Microsoft Management Console (MMC) snap-in to manage system
services.

Identifying Failed Services


When troubleshooting a computer that has
problems with its operating system services, the
operating system may return an error after you
log on to the computer. This error message may
indicate that a service failed to start.
Windows 8.1 provides several tools that can help
you determine which operating system service
failed to start correctly. Because some services are
dependent on other services or drivers to start
successfully, you should consider that the failure
of one service might cause the failure of another
service.

Event Viewer
Windows 8.1 includes a tool called Event Viewer, which allows you to examine certain log files that
provide information about applications, system events, and security-related matters. Event Viewer
provides access to the Windows logs, and to applications and services logs.
The Windows log files provide the following information:

Application log. The application log contains events that applications generate. For example, a
database program records a file error in the application log, and the program developer decides
which events to record.

Security log. The security log records security events, such as valid and invalid logon attempts, and
events related to resource use, such as creating, opening, or deleting files. An administrator specifies
which events Windows 8.1 records in the security log by creating a domain-wide audit policy.

System log. The system log contains events that the system components in Windows 8.1 generate. For
example, if a driver or other system component fails to load during startup, Windows 8.1 records this
failure in the system log. Windows 8.1 predetermines the event types that the system components
log.

When you troubleshoot startup problems with services, pay special attention to error events that the
system log records. All users can access the application and system logs, but only members of the local
Administrators group can use the security log.
If you encounter problems with service startup, examine the system and application logs for related
events.
Windows 8.1 logs the following three events:

Information events

Warning events

Error events
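
Because a failed service can take its dependents down with it, it helps to group the System log's service-failure events by the service that failed first. The following is an added example, not part of the course material: the function name is hypothetical, and the event tuples are constructed sample data modelled on Service Control Manager events 7000, 7001 and 7023, which in practice would come from an export of the System log.

```python
import re

# Constructed (event ID, message) pairs modelled on Service Control Manager entries.
SAMPLE_EVENTS = [
    (7036, "The Windows Update service entered the running state."),
    (7000, "The Network Store Interface Service service failed to start due to the "
           "following error: The service cannot be started, either because it is "
           "disabled or because it has no enabled devices associated with it."),
    (7001, "The Workstation service depends on the Network Store Interface Service "
           "service which failed to start because of the following error: The service "
           "cannot be started, either because it is disabled or because it has no "
           "enabled devices associated with it."),
    (7001, "The Netlogon service depends on the Workstation service which failed to "
           "start because of the following error: The dependency service or group "
           "failed to start."),
    (7023, "The Print Spooler service terminated with the following error: "
           "Access is denied."),
]

# 7001: a service could not start because a service it depends on failed.
DEPENDENCY = re.compile(
    r"The (.+?) service depends on the (.+?) service which failed to start")
# 7000 / 7023: a service failed to start, or terminated, with its own error.
FAILURE = re.compile(
    r"The (.+?) service (?:failed to start due to|terminated with) "
    r"the following error: (.*)")


def find_root_causes(events):
    """Map each first-failing service to its error and the services it blocked."""
    failed = {}      # service -> error text reported for that service
    depends_on = {}  # blocked service -> the dependency that failed
    for event_id, message in events:
        text = " ".join(message.split())  # collapse line breaks inside messages
        if event_id == 7001:
            match = DEPENDENCY.match(text)
            if match:
                depends_on[match.group(1)] = match.group(2)
        elif event_id in (7000, 7023):
            match = FAILURE.match(text)
            if match:
                failed[match.group(1)] = match.group(2)

    report = {}
    for service in set(failed) | set(depends_on) | set(depends_on.values()):
        # Follow the dependency chain upward; 'seen' guards against loops.
        root, seen = service, set()
        while root in depends_on and root not in seen:
            seen.add(root)
            root = depends_on[root]
        entry = report.setdefault(root, {"error": failed.get(root), "blocked": set()})
        if service != root:
            entry["blocked"].add(service)
    return {
        root: {"error": data["error"], "blocked": sorted(data["blocked"])}
        for root, data in report.items()
    }


if __name__ == "__main__":
    for root, data in sorted(find_root_causes(SAMPLE_EVENTS).items()):
        print(f"{root}: {data['error']}")
        for service in data["blocked"]:
            print(f"    also blocked: {service}")
```
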

Log Files

In addition to the logs accessible from Event Viewer, Windows 8.1 records other events in other log files.
For example, use MSConfig.exe to configure Windows 8.1 to record a boot log file when it starts. The boot
log file, Ntbtlog.txt, is stored in the Windows folder. It contains a list of all drivers and some services that
start during the boot process. If a problem occurs with a service, activate boot logging, and then examine
the log.

Stop Codes

If the Windows 8.1 operating system experiences a system failure, it may display a stop code on a blue screen. The stop code may contain the name of the device driver or service that is causing the system failure, and may contain information to help you diagnose the reason for the failure. Windows 8.1 records information related to the system failure in a system log file (called a memory dump file), which is located in Windows\System32. Examine the contents of this memory dump file to help determine the reason for the system failure.

Action Center

Action Center is a consolidated tool that enables you to track and repair reported problems. You also can
configure Action Center to determine how your computer reports problems. Additionally, you can use
Action Center to examine problems that Windows reports.

Disabling Services
After you determine which service is causing the
startup problem, you can disable it. Depending on
the circumstances, you can disable a service in
several ways:

Safe Mode

If the Windows 8.1 computer does not start normally, try to start the computer in safe mode. You can access the Safe Mode option from the Advanced Boot Options menu, but you also can activate safe mode from MSConfig.exe. In safe mode, a minimal set of services load during the startup process. However, these services are sufficient to load the operating system. You then can use standard operating system tools such as Control Panel, Computer Management, Registry Editor, the services MMC snap-in, and Event Viewer, to troubleshoot the service startup problem.

Command Prompt Recovery Tool

If you can start the operating system either normally or in safe mode, you can access the command
prompt. If you cannot start the operating system, you can access the Command Prompt recovery tool
from Windows RE. At the command prompt, use either the net command or SC.exe to start, stop, activate,
and disable services manually.

System Configuration Tool

Use MSConfig.exe to specify which services you want to run on startup. MSConfig.exe displays a list of
services that start automatically, and you can selectively disable services. You also can use this tool to start
the computer in Safe mode, and to configure additional startup characteristics while you troubleshoot the
computer. To run the System Configuration tool, you must sign in with administrative rights.


Lab A: Troubleshooting Startup Issues


Scenario

A number of users have reported startup problems to the help desk. You must investigate these problems
and attempt resolutions.

Objectives
After completing this lab, you will be able to:

Resolve two startup problems.

Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 through 3 for 20688D-LON-CL1.

Exercise 1: Resolving a Startup Problem (1)


Scenario

Adam tried to install an additional operating system on his computer to run a specific line-of-business
application. He did not get far in the installation process before abandoning the attempt. Since then,
Adam receives an error message on startup that begins with: Your PC needs to be repaired, the Boot
Configuration Data file is missing required information.
Incident Record
Incident Reference Number: 722137
Date of Call: September 29
Time of Call: 10:45
User: Adam Barr (Marketing Department)
Status: OPEN

Incident Details
Adam Barr has reported that his computer will not start properly.

Additional Information
Adam had been trying to install an additional operating system on his computer so that he could
run a specific line-of-business application. He abandoned the installation after getting only partly
through the process. Since then, his computer displays the following error message when it starts:
Recovery
Your PC needs to be repaired
The Boot Configuration Data file is missing required information.
File: \Boot\BCD
Status: 0xc0000034
You will need to use the recovery tools on your installation media. If you do not have any installation
media (such as a disc or USB flash drive), contact your system administrator or PC manufacturer.

Plan of Action

Resolution

The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for Incident 722137.
2. Update the Plan of Action section in the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for Incident 722137

Read the help desk Incident Record 722137.

Task 2: Update the Plan of Action section in the Incident Record


1. Read the Additional Information section in the Incident Record.
2. Update the Plan of Action section in the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod02\Scenario1.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of the startup architecture and the tools
   available for troubleshooting the startup environment.
2. Update the Resolution section in the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment and begin again.

Results: After completing this exercise, you should have resolved the startup problem.

Exercise 2: Resolving a Startup Problem (2)


Scenario

Another user has been trying to install new devices and has experienced a problem following a recent
driver update. The computer starts up with errors. You visit the user's computer to verify the problem and
then attempt to resolve it.
Incident Record
Incident Reference Number: 722140
Date of Call: September 30
Time of Call: 13:30
User: Chris Sells (Research Department)
Status: OPEN

Incident Details
Chris contacted the help desk after attempting to install a new hard disk driver.
Since the attempt, his computer does not start correctly.

Additional Information
Help desk staff recorded the following message:
:(
Your PC ran into a problem and needs to restart. We're just collecting some error info, and then you
can restart. (0% complete)
If you'd like to know more, you can search online later for this error: INACCESSIBLE_BOOT_DEVICE

Plan of Action

Resolution

The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for Incident 722140.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for Incident 722140

Read the help desk Incident Record 722140.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section in the Incident Record.
2. Update the Plan of Action section in the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod02\Scenario2.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem

1. Attempt to resolve the problem by using your knowledge of the startup architecture and the tools
   available for troubleshooting the startup environment.
2. Update the Resolution section in the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment and begin again.

Results: After completing this exercise, you should have successfully resolved a startup problem.

To prepare for the next practice session


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.


Lesson 4

Recovering BitLocker-Protected Drives

BitLocker helps protect computers that are lost or stolen from data theft or exposure, and offers
more secure data deletion when computers are decommissioned. Data on a lost or stolen computer is
vulnerable to unauthorized access, either by running a software attack tool against it, or by transferring
the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on
lost or stolen computers by combining two major data-protection procedures: encrypting the entire
Windows operating system volume on the hard disk, and encrypting multiple fixed volumes.

Lesson Objectives
After completing this lesson, you will be able to:

Describe BitLocker.

Explain how BitLocker works with Trusted Platform Modules (TPMs).

Explain how to recover a BitLocker-encrypted drive.

Encrypt a drive with BitLocker.

Explain the benefits of BitLocker To Go.

Overview of BitLocker
BitLocker provides additional protection for a computer operating system and any data that is
stored on the operating system volume. It helps ensure that data stored on a computer remains
encrypted, even if someone tampers with the computer while the operating system is not running.

BitLocker provides a closely integrated solution in Windows 8.1 to help address the threats of
data theft or exposure from lost, stolen, or inappropriately decommissioned personal computers.
Data on these types of computers can become vulnerable to unauthorized access when a hacker either
runs a software attack tool against it or transfers the computer's hard disk to a different computer.
BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections.
BitLocker also helps render data inaccessible when you decommission or recycle BitLocker-protected
computers.

BitLocker Drive Encryption performs two functions that provide both offline data protection and
system-integrity verification:

It encrypts all data stored on the Windows operating system volume (and configured data volumes).
This includes the Windows operating system, hibernation and paging files, applications, and data that
applications use.
BitLocker also provides an umbrella protection for non-Microsoft applications, which benefits the
applications automatically when they are installed on the encrypted volume.

It is configured, by default, to use a TPM to help ensure the integrity of early startup components by
ensuring that no one has made any modifications to the trusted boot path, such as BIOS, boot sector,
and boot manager. Once the TPM has verified that there are no changes, it releases the decryption
key to the Windows OS Loader. If TPM does detect changes, it locks any BitLocker-protected volumes,
so they remain protected even if someone tampers with the computer when the operating system is
not running.
Note: The Windows 8.1 installation process partitions the computer's hard disk to enable
the use of BitLocker.

BitLocker and TPMs


BitLocker uses TPMs to verify the integrity of the startup process by:

Providing a method to verify that early boot file integrity has been maintained, and to
help ensure that there has been no adverse modification of those files, such as with boot
sector viruses or root kits.

Enhancing protection to mitigate offline software-based attacks. Any alternative
software that might start the system does not have access to the decryption keys for
the Windows operating system volume.

Locking the system when it is tampered with. If anyone has tampered with monitored files, the system
does not start. This alerts the user to the tampering because the system fails to start as usual. In the
event that system lockout occurs, BitLocker offers a simple recovery process.

In conjunction with the TPM, BitLocker verifies the integrity of early startup components. This helps
prevent additional offline attacks, such as attempts to insert malicious code into these components. This
functionality is important because the components in the earliest part of the startup process must be
available in an unencrypted format so that the computer can start.
Note: You may need to enable the TPM functionality in your computer's BIOS.

If an attacker can gain access to the startup process components, they can change the code in these
components, and then get access to the computer even though the data on the disk was encrypted. Once
the attacker gains access to confidential information such as the BitLocker keys or user passwords, the
attacker can circumvent BitLocker and other Windows security protections.
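
The following added example (not part of the course material) models the integrity check described above: each early startup component is hashed into a TPM 1.2 platform configuration register (PCR), and the key is released only when the resulting value matches the one recorded when the key was sealed. It is a simplified single-PCR model; the `ToyTpm` class, the component byte strings and the key are constructed for illustration.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend operation: new PCR = SHA1(old PCR || SHA1(component))."""
    measurement = hashlib.sha1(component).digest()
    return hashlib.sha1(pcr + measurement).digest()


def measure_boot_path(components) -> bytes:
    """Fold every early startup component, in load order, into one PCR value."""
    pcr = bytes(PCR_SIZE)  # PCRs are all zeros after a reset
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class ToyTpm:
    """Hypothetical model of sealing: the key is bound to one PCR value."""

    def __init__(self):
        self.sealed_key = None
        self.sealed_pcr = None

    def seal(self, key: bytes, pcr: bytes) -> None:
        self.sealed_key, self.sealed_pcr = key, pcr

    def unseal(self, current_pcr: bytes):
        """Return the key only if the boot path measured the same as at seal time."""
        if self.sealed_pcr is not None and hmac.compare_digest(current_pcr, self.sealed_pcr):
            return self.sealed_key
        return None  # volume stays locked; recovery information is required


# Constructed stand-ins for the trusted boot path named in the text.
BIOS = b"constructed BIOS image v1"
BOOT_SECTOR = b"constructed boot sector"
BOOT_MANAGER = b"constructed boot manager"
VOLUME_KEY = b"constructed-volume-key"


def boot(tpm: ToyTpm, components):
    """Measure the components, then ask the TPM to release the key."""
    return tpm.unseal(measure_boot_path(components))


def demo() -> dict:
    tpm = ToyTpm()
    tpm.seal(VOLUME_KEY, measure_boot_path([BIOS, BOOT_SECTOR, BOOT_MANAGER]))
    return {
        "unchanged": boot(tpm, [BIOS, BOOT_SECTOR, BOOT_MANAGER]),
        "modified boot sector": boot(tpm, [BIOS, BOOT_SECTOR + b"\x90", BOOT_MANAGER]),
        "firmware update": boot(tpm, [b"constructed BIOS image v2", BOOT_SECTOR, BOOT_MANAGER]),
        "reordered": boot(tpm, [BIOS, BOOT_MANAGER, BOOT_SECTOR]),
    }


if __name__ == "__main__":
    for case, key in demo().items():
        state = "key released" if key else "locked, recovery required"
        print(f"{case:22} -> {state}")
```

Because each extend hashes the previous PCR value, a change anywhere in the chain, including a legitimate firmware update, produces a different final value and leaves the volume locked.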

BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional
security of prestartup system-integrity verification. Perform the following steps to determine if a computer
has a TPM version 1.2 chip:
1. Open Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. In the lower left corner, click TPM Administration. The TPM Management on Local Computer
   console opens. If the computer does not have the TPM 1.2 chip, the Compatible TPM cannot be
   found message displays.

Note: On computers that do not have TPM 1.2, you can still use BitLocker to encrypt the
Windows operating system volume. However, this implementation does not include a TPM, and
requires the user to insert a USB startup key to start the computer or resume from hibernation. It
also does not provide the prestartup system integrity verification that BitLocker provides when
working with a TPM.

Recovering a BitLocker-Encrypted Drive


When a BitLocker-enabled computer starts, BitLocker checks the operating system for
conditions that may indicate a security risk. If BitLocker detects such a condition, it does
not unlock the system drive and instead enters recovery mode. When a computer enters recovery
mode, the user must enter the correct recovery password to continue. The recovery password is
tied to a particular TPM or computer and not to an individual user. The recovery password typically
does not change.
You should save the recovery information either on a USB flash drive or in AD DS using one of these
formats:

A 48-digit number divided into eight groups. During recovery, use the function keys to type this
password into the BitLocker Recovery Console.

A recovery key in a format that the BitLocker Recovery Console can read directly.

Scenarios Where Recovery is Likely


There are a number of situations where BitLocker recovery might become necessary, including:

Switching the computer's encrypted hard drive to another computer.

Making the BitLocker encrypted drive a secondary drive to another computer to recover its data.

Turning the computer off during the encryption process.

Updating the computer's firmware.

Changing the device boot order in the computer's BIOS.

Locating a BitLocker Recovery Password


The BitLocker recovery password is a 48-digit password that unlocks a system in recovery mode. The
recovery password is unique to a particular BitLocker encryption, and you can store it in AD DS.
The recovery password will be required if you move the encrypted drive to another computer, or if
changes are made to the system startup information.
Note: This password is so important that we recommend that you make additional copies
of the password and store them in safe places to ensure access to your data.

If BitLocker enters a locked state, you will need the recovery password to unlock the encrypted data on
the volume. A recovery password is unique to a particular BitLocker encryption, and you cannot use it to
recover encrypted data from any other BitLocker encryption session.

A computer's password ID is a 32-character password unique to a computer name. You can find the
password ID under a computer's property settings, which you can use to locate passwords stored in
AD DS. To locate a password, the following conditions must be met:

You must be a domain administrator or have delegate permissions.

The client's BitLocker recovery information is configured for storage in AD DS.

The client's computer has been joined to a domain.

BitLocker must be enabled on the client's computer.

Prior to searching for and providing a BitLocker recovery password to a user, confirm that the person is
the account owner and is authorized to access data on the computer in question.
You search for the password in Active Directory Users and Computers by using one of the following:

Drive label

Password ID

When you search by drive label, after locating the computer, right-click the drive label, click Properties,
and then click the BitLocker Recovery tab to view associated passwords.
To search by password ID, right-click the domain container, and then click Find BitLocker Recovery
Password. In the Find BitLocker Recovery Password dialog box, enter the first eight characters of the
password ID in the Password ID field, and then click Search.


Examine the returned recovery password to ensure that it matches the password ID that the user provides.
Performing this step helps to verify that you have obtained the correct unique recovery password.
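
The following added example (not part of the course material) walks through the help desk checks described above: a search on the first eight characters of the password ID, a comparison of the full ID before anything is released, and a format check on the 48-digit recovery password. The rule that each six-digit group is a multiple of 11 is a property of BitLocker recovery passwords that the text does not state; the `RecoveryRecord` structure and all IDs and passwords are constructed sample values.

```python
import re
from dataclasses import dataclass


@dataclass
class RecoveryRecord:
    """Hypothetical stand-in for one recovery entry stored in AD DS."""
    computer: str
    password_id: str
    recovery_password: str


def bad_groups(recovery_password: str) -> list:
    """Return 1-based positions of groups that cannot be valid ([] = well formed)."""
    groups = re.split(r"[-\s]+", recovery_password.strip())
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    bad = []
    for pos, group in enumerate(groups, start=1):
        ok = (
            re.fullmatch(r"[0-9]{6}", group) is not None
            and int(group) % 11 == 0         # every group is a multiple of 11
            and int(group) // 11 <= 0xFFFF   # and encodes one 16-bit value
        )
        if not ok:
            bad.append(pos)
    return bad


def normalize_password_id(password_id: str) -> str:
    """Strip braces, hyphens and spaces; require the 32 hexadecimal characters."""
    hex_id = re.sub(r"[{}\-\s]", "", password_id).upper()
    if not re.fullmatch(r"[0-9A-F]{32}", hex_id):
        raise ValueError("password ID must contain 32 hexadecimal characters")
    return hex_id


def search_by_prefix(records, prefix: str) -> list:
    """The directory search step: match on the first eight characters only."""
    prefix = prefix.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{8}", prefix):
        raise ValueError("prefix must be 8 hexadecimal characters")
    return [r for r in records if normalize_password_id(r.password_id).startswith(prefix)]


def find_recovery_password(records, user_supplied_id: str) -> str:
    """Release a recovery password only when the complete password ID matches."""
    wanted = normalize_password_id(user_supplied_id)
    hits = search_by_prefix(records, wanted[:8])
    exact = [r for r in hits if normalize_password_id(r.password_id) == wanted]
    if len(exact) != 1:
        raise LookupError(f"{len(hits)} prefix hit(s), {len(exact)} full match(es)")
    if bad_groups(exact[0].recovery_password):
        raise ValueError("stored recovery password is malformed")
    return exact[0].recovery_password


# Constructed records: the first two share the same eight-character prefix.
RECORDS = [
    RecoveryRecord("LON-CL1", "4A1B2C3D-0000-1111-2222-333344445555",
                   "135795-597531-720885-000011-440000-258016-000077-344707"),
    RecoveryRecord("LON-CL2", "4A1B2C3D-9999-8888-7777-666655554444",
                   "122221-244442-366663-488884-611105-001100-022000-715000"),
    RecoveryRecord("LON-CL3", "0F0E0D0C-1234-5678-9ABC-DEF012345678",
                   "000011-000022-000033-000044-000055-000066-000077-000088"),
]

if __name__ == "__main__":
    print(len(search_by_prefix(RECORDS, "4A1B2C3D")), "records share the prefix")
    print(find_recovery_password(RECORDS, "{4A1B2C3D-9999-8888-7777-666655554444}"))
    # A password read back with two digits swapped in group 6 is caught locally.
    print(bad_groups("135795-597531-720885-000011-440000-258061-000077-344707"))
```

The group check lets the person typing the password find the mistyped group before the recovery console rejects the whole entry.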

Data Recovery Agent Support

BitLocker for Windows 8.1 provides data recovery agent support for all protected volumes. This provides
users with the ability to recover data from any BitLocker and BitLocker To Go device when the data is
inaccessible. This technology assists in the recovery of corporate data on a portable drive using the key
created by the enterprise.

Data recovery agent support allows you to dictate that all BitLocker-protected volumes (such as operating
system, fixed, and new portable volumes), are encrypted with an appropriate data recovery agent. The
data recovery agent is a new key protector that is written to each data volume so that authorized IT
administrators will always have access to BitLocker-protected volumes.

Demonstration: Encrypting a Partition by Using BitLocker


Note: This is a practice session.
In this practice session, you will:

Configure required Group Policy Object (GPO) settings.

Enable BitLocker.

Complete the process for configuring BitLocker.


Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL1.

Demonstration Steps
Configure required GPO settings
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. At the Start screen, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative
   Templates, expand Windows Components, and then expand BitLocker Drive Encryption.
4. Click Operating System Drives.
5. Double-click Require additional authentication at startup.
6. In the Require additional authentication at startup dialog box, click Enabled, and then click OK.
7. Close the Local Group Policy Editor.
8. Right-click Start, and then click Command Prompt.
9. At the command prompt, type gpupdate /force, and then press Enter.

Enable BitLocker
1. On LON-CL1, on the desktop, on the Taskbar, click the File Explorer icon.
2. In the navigation pane, click This PC.
3. Right-click Floppy Disk Drive (A:), and then click Format.
4. In the Format Floppy Disk Drive (A:) dialog box, click Start, and then click OK.
5. Click OK again, and then click Close.
6. In the navigation pane, click This PC.
7. In the results pane, right-click Local Disk (C:), and then click Turn on BitLocker.
8. In the BitLocker Drive Encryption (C:) dialog box, click Enter a password. This is necessary because
   the virtual machine does not support USB flash drives.
9. On the Create a password to unlock this drive page, in the Enter your password and Reenter
   your password boxes, type Pa$$w0rd, and then click Next.
10. On the How do you want to back up your recovery key? page, click Save to a file.
11. In the Save BitLocker recovery key as dialog box, click Floppy Disk Drive (A:).
12. Click Open, and then click Save.

Note: If you receive an error message saying that Disk A: is write protected at this point,
use this procedure to resolve the problem:
   1. On your host computer, in the 20688D-LON-CL1 on hostname Virtual Machine Connection
      dialog box, click the Media menu.
   2. Point to Diskette Drive, and then click Eject 20688D-Floppy.vfd.
   3. Click Media, point to Diskette Drive, and then click Insert Disk.
   4. In the Open dialog box, type
      D:\Program Files\Microsoft Learning\20688\Drives\20688D-Floppy.vfd, and then click Open.
   5. On the 20688D-LON-CL1 virtual machine, in the Save BitLocker recovery key as error message
      dialog box, click OK.
   6. In the Save BitLocker recovery key as dialog box, click Save.
   7. Continue from step 13.

13. Click Next.
14. On the Are you ready to encrypt this drive? page, click Continue.
15. Right-click Start, point to Shut down or sign out, and then click Restart.
Completing the process of configuring BitLocker

1. During the restart sequence, when the BitLocker screen displays, in the Enter the password to
   unlock this drive box, type Pa$$w0rd, and then press Enter.
2. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
3. At the Start screen, click the Desktop tile.
4. On the desktop, on the taskbar, click the File Explorer icon.
5. In the navigation pane, click This PC.
6. Right-click Local Disk (C:), and then click Manage BitLocker. Notice that the drive is now being
   encrypted.
7. Close the BitLocker Drive Encryption window.
8. In This PC, double-click Floppy Disk Drive (A:), and then double-click the file that starts BitLocker
   Recovery Key.
9. Write down the recovery key that displays in the file. You will need this for the lab, so write carefully.
10. Close all open windows.

Completion steps

After you have completed the practice session, leave the virtual machines running for the lab.


BitLocker To Go
If a laptop is lost or stolen, the loss of data typically has more impact than the loss of the
computer asset. As more people use removable storage devices, they can lose data without
losing a PC. BitLocker To Go provides enhanced protection against data theft and exposure by
extending BitLocker Drive Encryption support to removable storage devices, such as USB flash
drives. You manage BitLocker To Go through Group Policy.

In Windows 8.1, users can encrypt their removable media by opening Windows Explorer,
right-clicking the drive, and clicking Turn On BitLocker. They must then choose a method to unlock
the drive. The options include:

Password: This is a combination of letters, symbols, and numbers the user will enter to unlock the
drive.

Smart card: In most cases, a user's organization issues the smart card, and a user enters a smart card
PIN to unlock the drive.

After choosing the unlock method, users must print or save their recovery key. You can store this 48-digit
key in AD DS, so that you can access it if another unlock method fails, such as when users forget their
passwords. Finally, users must confirm their unlock selections to begin encryption.
When you insert a BitLocker-protected drive into your computer, Windows will detect that the drive is
encrypted automatically, and then will prompt you to unlock it.
Note: If a user forgets the passphrase for the device, he or she can use the I forgot my
passphrase option from the BitLocker Unlock Wizard to recover it. Clicking this option displays a
recovery password ID that the user supplies to an administrator, who then uses the password ID
to obtain the device's recovery password. This recovery password can be stored in AD DS and
recovered with the BitLocker Recovery Password tool.

Lab B: Recovering BitLocker-Encrypted Drives


Scenario

A user contacts the help desk explaining that he cannot start his computer. You identify the problem as
relating to BitLocker. You must visit the user's computer and attempt to recover the hard drive so that the
user can start his computer. After recovery, you must provide new BitLocker keys and passwords.

Objectives
After completing this lab, you will be able to:

Recover a BitLocker-encrypted drive.

Create a new BitLocker key.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. The virtual machines should
already be running from the preceding practice session. If they are not, you must complete the following
steps and then complete the preceding practice session:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.


Exercise 1: Recovering a BitLocker-Encrypted Drive


Scenario

Dan cannot start his computer. He has logged a call with the help desk. Your job is to resolve the incident.
A work colleague has determined a plan of action. You must attempt a resolution based on this plan.
Incident Record
Incident Reference Number: 722151
Date of Call: September 30
Time of Call: 14:27
User: Dan Park (Sales Department)
Status: OPEN

Incident Details
Dan cannot remember his BitLocker password and cannot start his computer.

Additional Information
The user has a recovery key somewhere, but has no idea what to do with it.
(Write the recovery key you recorded at the end of the last practice session below)
Recovery Key:

Plan of Action
Visit the user's computer and verify the problem.
Locate the recovery key.
Attempt to recover the drive by entering the recovery key.

Resolution

The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for Incident 722151.
2. Read the Plan of Action section in the Incident Record.
3. Verify the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for Incident 722151

Read the help desk Incident Record 722151.

Task 2: Read the Plan of Action section in the Incident Record

1. Read the Additional Information section of the Incident Record. Update it with the recovery key you
   recorded earlier.
2. Read the Plan of Action section of the Incident Record.

Task 3: Verify the problem


1. Restart LON-CL1 to verify the problem:
   a. On LON-CL1, right-click Start, point to Shut down or sign out, and then click Restart.
   b. During the restart sequence, when the BitLocker Drive Encryption screen displays, in the Enter
      the password to unlock this drive text box, type wrong password, and then press Enter.
      Notice that you cannot access the computer with the password the user has provided.

Task 4: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of BitLocker and the tools available for
   troubleshooting it.
2. Update the Resolution section in the Incident Record.
3. If you are unable to resolve the problem, ask your instructor for additional guidance.

Results: After completing this exercise, you should have recovered a BitLocker-encrypted drive and
enabled the computer to start up.

Exercise 2: Creating a New BitLocker Password


Scenario
To help Dan, you decide to generate a new BitLocker password.
The main task for this exercise is as follows:
1. Create a new BitLocker password.

Task 1: Create a new BitLocker password


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. Open BitLocker Management.
3. Reset the password for drive C to Pa$$w0rd2.
4. Restart LON-CL1 and verify the application of the new password.

Results: After you have completed this exercise, you should have created a new BitLocker password.


To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Module Review and Takeaways


Review Questions
Question: The boot environment of a user's computer is corrupt, and you suspect a virus.
Before you can run virus removal tools, first you must recover the boot environment. What
command-line tools could you use?
Question: Your user adds a new hard disk to the computer, which changes the computer's
partition numbering. To enable the computer to start, the user needs you to change the
BCD. What tool would you use?
Question: After installing a new video driver, your user's computer becomes unstable and
will not start correctly. What would you try first to resolve this problem?


Module 3
Troubleshooting Hardware and Device Drivers
Contents:
Module Overview
Lesson 1: Overview of Hardware Troubleshooting
Lesson 2: Troubleshooting Physical Failures
Lesson 3: Troubleshooting Device Driver Failures
Lesson 4: Monitoring Reliability
Lab: Troubleshooting Hardware and Device Drivers
Lesson 5: Configuring the Registry
Module Review and Takeaways

Module Overview

Devices have become complex, multifunction peripherals that have evolved from hardware that you
install in your computer to hardware that you connect to your computer using USB, Bluetooth wireless
technology, and Wi-Fi. To support users with computers running Windows 8.1, you must understand how
to troubleshoot hardware devices and drivers.

Objectives
After completing this module, you will be able to:

Describe the process of troubleshooting hardware.

Troubleshoot physical hardware failures.

Troubleshoot hardware device drivers.

Monitor Windows 8.1 reliability.

Configure the Windows 8.1 registry.

Lesson 1

Overview of Hardware Troubleshooting


This lesson provides an overview of troubleshooting hardware-related problems, and discusses specific
considerations for using USB and cordless devices on computers that are running Windows 8.1. It is
important that you understand common hardware-related problems so that you can support your users.

Lesson Objectives
After completing this lesson, you will be able to:

Describe hardware-related problems.

Describe the considerations for using USB devices.

Describe considerations for using cordless devices.

Explain how you can use built-in diagnostic tools to gather hardware information.

Determine how best to approach hardware problems.

Apply the guidelines for troubleshooting hardware-related problems.

Hardware-Related Problems
Hardware problems occur when a hardware device fails or there is a failure of a device driver
that the hardware device uses. When you are troubleshooting hardware-related problems,
you first must determine whether the underlying cause of the hardware failure is because of a
device failure, or a device driver failure.

Failure of Physical Hardware


A computer contains several hardware
components, such as hard disk drives, a power
supply, motherboard, and video controller.
Many of these devices may be combined in single
physical components. If a single component or a combination of components fails, this can prevent the
computer from functioning correctly. However, you can take preventive measures to minimize the
possibility that your hardware will fail.
These preventive measures include ensuring that you operate hardware components in the
environmental conditions that the component vendor recommends. For example, you should avoid
using hardware components in areas with high volumes of dust or high temperatures, unless the
hardware is designed specifically for such environments.

Some components are more prone to failure than others are. Often, the components most susceptible to
failure are those with moving parts, such as hard disk drives, cooling fans, power supplies, and optical
drives.
Note: Many tablet devices are equipped with solid-state drives, which have no moving
parts and are less susceptible to physical failure.


Failure of Device Drivers


A device driver can fail for three primary reasons:

Operating system version incompatibility. Drivers developed for previous Windows operating system
versions might not be entirely compatible with Windows 8.1. To avoid incompatibility issues, always
check for a Windows 8.1 driver version, and use it if available.

Driver bugs. Although hardware vendors use every precaution to ensure that device drivers are free
from error, occasionally problems occur. Ensure that you obtain the latest driver version from the
manufacturer, particularly if the new version fixes previous driver issues. Verify that the device driver
carries a signature from a trusted certificate-signing authority.

32-bit and 64-bit issues. Windows 8.1 is available in both 32-bit and 64-bit editions. Drivers that
manufacturers develop for the 32-bit edition do not work with the 64-bit editions, and vice versa.
Make sure that you obtain the appropriate device driver from the hardware vendor. You will be
unable to install the wrong platform driver.

Considerations for USB Devices


Early hardware devices required that you have
specialized knowledge and tools to install them
in your computer. These days, you can attach
most hardware devices to computers via USB.
USB hardware devices are much more convenient,
and require no special skills or tools to install
them. Instead, you install new USB hardware
by plugging the device into a free USB port, and
then following the on-screen instructions to install
the driver and related software. However, this
convenience poses a number of risks, including
risks to your network's security and the reliability
of the device driver's manufacturer.
USB devices represent a potential security risk to your network because a malicious user could copy
sensitive or confidential network data onto a mobile device such as an external hard disk, and then
remove it from the workplace.

Because of the relative simplicity of USB device installation, users are installing an increasing number of
USB devices more frequently. As the number and variety of these devices increases, so do the associated
support and maintenance costs. Therefore, controlling use of these devices has become an important
consideration for administrators.
Many organizations restrict employee use of USB devices because of security and management reasons.
However, implementing restrictions on USB devices can affect user productivity. It also can have a
significant impact on hardware troubleshooting if the person performing the troubleshooting wrongly
diagnoses these restrictions as hardware faults.

Windows 8.1 uses two methods to control USB device installation: device identification strings, and device
setup classes.

Device Identification Strings


Hardware manufacturers assign one or more device identification strings to each device. These
identification strings are in the setup information (.inf) file in the driver package. During device
initialization, Windows 8.1 retrieves these device identification strings, and matches them to
corresponding identification strings in the .inf file.
Identification strings are either general or specific. If specific, they identify the device's exact make and
model. Device identification strings are one of two types:


Hardware identifiers. Hardware identifiers provide an exact match between a device and a device
driver package. The first string in the device identifier list is the individual device's specific identifier.
Additional strings in the list identify the device in more general terms. This allows Windows 8.1 to
install a different device revision driver if the correct one is not available.

Compatible identifiers. Windows 8.1 uses compatible identifiers to select a device driver only if the
driver store has no available drivers for any of the hardware identifiers that Windows 8.1 retrieves
from the device. These strings are optional, and they are listed in decreasing order of suitability if the
hardware manufacturer provides them. Typically, the strings are generic and identify the hardware
device at the component level, such as a Small Computer System Interface (SCSI) hard disk drive. This
enables Windows 8.1 to select a generic SCSI driver for the disk drive, but may result in limited device
functionality and slower read/write performance.

Multifunction devices are physical devices that include more than one logical device. Manufacturers assign
hardware identifiers to each logical device so that it can manage part of the functionality of the physical
device. For example, an all-in-one scanner/printer/fax might have different device identification strings
for each function. To control installation of multifunction devices, you specifically must allow or deny all
hardware identifiers for each multifunctional device. Not doing so could cause unexpected results from
only some of the logical devices that have drivers installed for the one physical device.
The following code snippet is the relevant portion of an .inf file that Microsoft provides for a keyboard
device driver.

[MsMfg]
;========= Microsoft USB Internet Keyboard (IntelliType Pro)
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_005F&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_005F&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (106/109) (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0061&MI_00.DeviceDesc%=MicrosoftKBD_Dev_109,HID\VID_045E&PID_0061&MI_00
;========= Microsoft USB Wireless Natural MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0063&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_0063&MI_00

To interpret the preceding and subsequent configuration files, use the following key:

HID = Human Interface Device, such as keyboards and mice.

VID = Vendor ID

PID = Product ID

Device Setup Classes

The device setup class groups devices that you install and configure in the same way. For example, all
keyboards belong to the Keyboard device setup class, and they use the same co-installer when installed. A
GUID represents each device setup class. The manufacturer of a device driver package assigns the device
setup class, and then Windows 8.1 builds a memory-tree structure that contains the GUIDs for all devices
that it detects, including that of any bus that you attach to the device. You can use Group Policy to specify
the device class for which you allow or disallow installation.
The following code snippet is the relevant portion of an .inf file that Microsoft provides for a keyboard
device driver.

[Version]
CatalogFile.NT= type32.cat
;Digital Signing
Signature="$Windows NT$"
;All Platforms
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}
Provider=Microsoft
LayoutFile=layout.inf
DriverVer=06/29/2010, 8.0.219.0
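
The parser below is an added example, not part of the course material or of any Microsoft tool. It reads the two .inf fragments quoted above, pulls out each hardware identifier with its VID, PID and interface number, and reads the device setup class from [Version], which are the values you need when you build a Group Policy list. The function names are hypothetical, and passing the models section name (MsMfg) by hand is an assumption, because the page does not show the section that normally names it.

```python
import re

# Constructed sample: the [Version] and [MsMfg] fragments quoted on this page,
# joined into one file. A complete .inf has further sections that are not shown.
SAMPLE_INF = r"""
[Version]
CatalogFile.NT= type32.cat
;Digital Signing
Signature="$Windows NT$"
;All Platforms
Class=Keyboard
ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318}
Provider=Microsoft
LayoutFile=layout.inf
DriverVer=06/29/2010, 8.0.219.0

[MsMfg]
;========= Microsoft USB Internet Keyboard (IntelliType Pro)
%HID\VID_045E&PID_002D&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_002D&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_005F&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_005F&MI_00
;========= Microsoft USB Wireless MultiMedia Keyboard (106/109) (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0061&MI_00.DeviceDesc%=MicrosoftKBD_Dev_109,HID\VID_045E&PID_0061&MI_00
;========= Microsoft USB Wireless Natural MultiMedia Keyboard (IntelliType Pro) - with Wireless Optical Mouse
%HID\VID_045E&PID_0063&MI_00.DeviceDesc%=MicrosoftKBD_Dev,HID\VID_045E&PID_0063&MI_00
"""

# bus\VID_xxxx&PID_xxxx with an optional &MI_xx (interface number of a
# multi-interface USB device, which is how one logical function is addressed).
HWID_RE = re.compile(
    r"^(?P<bus>[^\\]+)\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
    r"(?:&MI_(?P<mi>[0-9A-F]{2}))?",
    re.IGNORECASE,
)


def strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            return line[:i]
    return line


def parse_inf(text):
    """Return {section name (lower case): [(key, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current.append((key.strip(), value.strip()))
    return sections


def split_hardware_id(hw_id):
    """Break an identifier into bus, VID, PID and interface number where present."""
    match = HWID_RE.match(hw_id)
    if not match:  # generic strings such as USB\Class_08 carry no VID/PID
        return {"bus": hw_id.split("\\", 1)[0], "vid": None, "pid": None, "mi": None}
    return {k: (v.upper() if v else None) for k, v in match.groupdict().items()}


def models(sections, name):
    """Entries of a models section: description=install-section,hw-id[,compatible-id...]."""
    entries = []
    for _description, value in sections.get(name.lower(), []):
        fields = [f.strip() for f in value.split(",")]
        if len(fields) < 2 or not fields[1]:
            continue  # no hardware ID, so nothing a policy could match
        entry = {"install_section": fields[0], "hardware_id": fields[1],
                 "compatible_ids": fields[2:]}
        entry.update(split_hardware_id(fields[1]))
        entries.append(entry)
    return entries


def driver_identity(sections):
    """Setup class, class GUID, provider and version from [Version]."""
    version = {k.lower(): v.strip('"') for k, v in sections.get("version", [])}
    return {"class": version.get("class"),
            "class_guid": version.get("classguid", "").lower(),
            "provider": version.get("provider"),
            "driver_ver": version.get("driverver")}


if __name__ == "__main__":
    parsed = parse_inf(SAMPLE_INF)
    print(driver_identity(parsed))
    for item in models(parsed, "MsMfg"):
        print(item["vid"], item["pid"], item["mi"], item["hardware_id"])
```
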

Controlling USB Device Access

In Windows 8.1, you can use Group Policy to control USB device access to your computer. Group Policy
does this by:

Preventing users from installing any device.

Allowing users to install only devices that are on an approved list.

Preventing users from installing devices that are on a prohibited list.

Denying read or write access to users for removable devices or for those that use removable media.

Restricting USB device installation can benefit hardware support in several ways:

Simpler data security. By limiting the devices that users can install, you can reduce the risk of data
theft by implementing simple and supported procedures. For example, allowing users to connect only
USB flash drives that are password protected provides additional protection for data that users
transfer from the corporate network.

Reduced support costs. You can ensure that users only install devices that your help desk has
preapproved and tested. This benefit reduces support costs and user confusion.

However, controlling USB device installation may cause issues, including:

Misdiagnosed faults. Unless policy restrictions are simple, consistent, and easily understood by users
and IT staff, the IT staff may diagnose a restriction as a hardware problem.

Policy management. Some manufacturers use a range of identifiers for similar device models. When
you have a batch of such devices, you may have difficulty supporting policy restrictions based on
identifiers. Consequently, the success of these policies may be inconsistent. For example, although a
batch of devices from a single vendor may appear identical, you should check each device identifier
to verify that the same identifier is used for the entire batch. If there is a range of identifiers, you will
need to modify your Group Policy settings to include all of these identifiers.
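
The sketch below is an added example, not part of the course material and not Windows's own evaluation code. It checks a constructed device inventory against an approved list and a prohibited list, and reports the two cases described above: a batch whose units report different identifiers, and a multifunction device where only some logical devices are covered. It assumes that a prohibited-list match overrides an approved-list match and that a device on neither list is refused; VID_FFFF, the PIDs and the unit names are made-up values.

```python
def usb_ids(pid, rev, mi=None):
    """Hardware ID list as a USB device reports it: most specific string first."""
    suffix = f"&MI_{mi}" if mi else ""
    return [rf"USB\VID_FFFF&PID_{pid}&REV_{rev}{suffix}",
            rf"USB\VID_FFFF&PID_{pid}{suffix}"]


def storage(pid, rev):
    return {"function": "storage", "hardware_ids": usb_ids(pid, rev),
            "compatible_ids": [r"USB\Class_08"]}


# Constructed inventory: four flash drives sold as one model, and one all-in-one.
INVENTORY = [
    {"unit": "flash-01", "logical": [storage("0001", "0100")]},
    {"unit": "flash-02", "logical": [storage("0001", "0110")]},  # newer revision
    {"unit": "flash-03", "logical": [storage("0002", "0100")]},  # different PID
    {"unit": "flash-04", "logical": [storage("0001", "0090")]},  # prohibited revision
    {"unit": "mfp-01", "logical": [
        {"function": "printer", "hardware_ids": usb_ids("00A0", "0100", "00"),
         "compatible_ids": [r"USB\Class_07"]},
        {"function": "scanner", "hardware_ids": usb_ids("00A0", "0100", "01"),
         "compatible_ids": []},
    ]},
]

# The general (revision-free) string covers every revision of PID_0001.
APPROVED = {r"USB\VID_FFFF&PID_0001", r"USB\VID_FFFF&PID_00A0&MI_00"}
PROHIBITED = {r"USB\VID_FFFF&PID_0001&REV_0090"}


def decide(logical, approved, prohibited):
    """Return (verdict, rule, matched ID) for one logical device.

    approved and prohibited must already be upper-cased sets.
    """
    reported = [i.upper() for i in logical["hardware_ids"] + logical["compatible_ids"]]
    for dev_id in reported:          # assumption: a prohibited match always wins
        if dev_id in prohibited:
            return ("refused", "prohibited", dev_id)
    for dev_id in reported:
        if dev_id in approved:
            return ("installs", "approved", dev_id)
    return ("refused", "default", None)  # assumption: unlisted devices are refused


def audit(inventory, approved, prohibited):
    """Per physical unit: installs, refused, or partial (some functions only)."""
    approved = {i.upper() for i in approved}
    prohibited = {i.upper() for i in prohibited}
    report = {}
    for unit in inventory:
        results = {l["function"]: decide(l, approved, prohibited)
                   for l in unit["logical"]}
        verdicts = {verdict for verdict, _rule, _id in results.values()}
        state = verdicts.pop() if len(verdicts) == 1 else "partial"
        report[unit["unit"]] = {"state": state, "functions": results}
    return report


def uncovered_ids(inventory, approved, prohibited):
    """Most specific ID of each logical device that no list entry matches."""
    approved = {i.upper() for i in approved}
    prohibited = {i.upper() for i in prohibited}
    missing = set()
    for unit in inventory:
        for logical in unit["logical"]:
            if decide(logical, approved, prohibited)[1] == "default":
                missing.add(logical["hardware_ids"][0].upper())
    return sorted(missing)


if __name__ == "__main__":
    for name, entry in audit(INVENTORY, APPROVED, PROHIBITED).items():
        print(name, entry["state"])
    print("review before changing policy:", uncovered_ids(INVENTORY, APPROVED, PROHIBITED))
```

A unit reported as partial is the one most likely to be logged as a hardware fault, because one function of the physical device works and another does not.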

Note: Another consideration for USB devices is the version of USB on your computing
device. Many modern computers provide both USB 2 and USB 3 ports for peripheral devices.
However, some tablet devices provide only USB 2 ports. If your peripheral requires a USB 3
connection, then you will be unable to use that device with a USB 2 port.

Considerations for Wireless Devices


Users can connect many peripherals and devices
to their computers by using wireless connections.
Two prominent wireless technologies are
Bluetooth and Wi-Fi.

Troubleshooting Wireless Devices

When you are troubleshooting wireless devices, keep in mind that any problems the devices encounter
might be due to wireless connectivity rather than the actual devices. For example, many laptop
computers allow users to disable the Wi-Fi and Bluetooth ports, primarily to conserve battery power.
You must ensure that all ports are enabled, and in the case of Bluetooth, are configured to be
discoverable during the process of pairing the device with the user's computer.
If you cannot connect a device successfully by using a Wi-Fi or Bluetooth connection, perform the
following steps:
1. Enable the Wi-Fi and/or Bluetooth receivers in the computer's BIOS.

2. Turn on the Wi-Fi and/or Bluetooth receiver by using the computer's switches or keyboard shortcuts.

Note: On some computers, you cannot independently enable or disable Wi-Fi and
Bluetooth.

3. Ensure that Flight mode is off, because Flight mode disables all radio receivers.

4. Use Device Manager to verify, and if necessary update, the drivers for the computer's Wi-Fi and/or
Bluetooth modules.

5. For Bluetooth devices, run Bluetooth Settings to configure:

a. Discovery. Enable discovery to ensure that the computer is visible. Additionally, you might need
to enable Discovery (sometimes also known as visibility) on peripheral devices.

b. Connections. Enable the Allow Bluetooth devices to find this PC setting. Optionally, you can
select the setting to Alert me when a new Bluetooth device wants to connect.

c. Pairing. In addition to the above settings, some peripherals require that you pair them to your
computer. This process requires that the computer and the device exchange a passcode or key to
establish the partnership. You may need to establish this process at either the computer or the
peripheral end.

Note: The device manufacturer often defines a device's passcode. For example, a Bluetooth
headset does not provide you with a mechanism for defining a passcode. However, 0000 often is
the default passcode. For more information, refer to the vendor documentation.

6. For Wi-Fi devices, follow standard wireless troubleshooting techniques:

o Ensure that the devices are close enough for the signals to communicate.

o Configure the devices to use the same wireless protocol and security settings.

o Investigate possible sources of interference.

Note: Some Bluetooth peripheral devices (such as wireless mice and keyboards) often
come with a small Bluetooth module that you insert into a USB port on your computer. This USB
Bluetooth module allows you to use cordless devices without needing a built-in Bluetooth
module.

Gathering Hardware Information


Windows 8.1 includes a number of tools that
you can use to gather information about the
hardware installed on a computer. By becoming
familiar with the functionality offered by these
tools, you can identify the most appropriate tool
for a particular hardware monitoring or
troubleshooting scenario.

Event Viewer

Event Viewer is the starting point for troubleshooting hardware failures. You should
check the system log and the application log for
information, warnings, or errors that hardware
devices or device drivers generate. Use Event Viewer to show logs both on remote computers and on the
local machine.
Event Viewer tracks information in several different logs, which provide detailed information, including:

A description of the event.

An event identification number.

The component or subsystem that generated the event.

Information, warning, or error status.

The time of the occurrence.

The name of the user on whose behalf the event occurred.

The computer on which the event occurred.

A link to Microsoft TechNet for more information about the event.

The Event Viewer has many built-in logs, including those in the following table.
Built-in log
Description and use

Application log

This log contains events that are classified as error, warning, or information,
depending on the event's severity:
An error is a significant problem, such as data loss.
A warning is an event that is not necessarily significant, but which may
indicate a possible future problem.
An information event describes the successful operation of a program,
driver, or service.

Security log

This log reports the results of auditing, when it is enabled. Audit events are
described as successful or failed, depending on the event. An example is
whether a user who is trying to access a file is successful.

Setup log

This log contains events related to application setup.

System log

This log contains general events that are logged by Windows components
and services. Events are classified as error, warning, or information. Events
logged by system components are predetermined by the Windows
operating system.

Forwarded events

This log stores events collected from remote computers. To collect events
from remote computers, you first must create an event subscription.

Applications and Services logs are a new category of event logs that store events from a single application
or component rather than events that might have system-wide impact. This category of logs includes four
subtypes:

Admin. Admin logs are of interest to IT professionals who use the Event Viewer to troubleshoot
problems. These logs provide guidance about how to respond to issues, and primarily target end
users, administrators, and support personnel. The events found in the Admin logs indicate a problem
with a well-defined solution that an administrator can implement.

Operational. Events in the Operational log also are useful for IT professionals, but they likely require
more interpretation. You can use operational events for analyzing and diagnosing a problem or
occurrence, and trigger tools or tasks based on the problem or occurrence.

Analytic and Debug. Analytic and Debug logs are not as user-friendly. Analytic logs store events that
trace an issue, and they often log a high volume of events. Developers use debug logs when
debugging applications.

System Information
The System Information tool displays information about a computer, including reports on installed
hardware. You can use the System Information tool to look for hardware resource conflicts, and to
determine the resources that a hardware device is using, including the interrupt request (IRQ) line,
memory address range, and the base input/output (I/O) address range.

Device Manager

Device Manager displays information about the hardware installed on the computer, including hardware
resource settings and driver information. You can also use Device Manager to perform driver rollback,
check for hardware changes, enable and disable drivers, and where necessary, uninstall drivers.


Reliability and Performance Monitors


The Reliability and Performance Monitor console includes two monitoring tools:

Reliability Monitor. The Reliability Monitor displays Windows 8.1 reliability over time, and any
hardware failures that have occurred. You can use the Reliability Monitor to identify hardware failure
trends so that you can be more proactive in your administration. This can help you to replace a device
suffering periodic failures before it fails altogether.

Performance Monitor. The Performance Monitor displays and collects performance information
related to hardware devices that are installed on a local computer and on remote computers. You can
use this information to track performance deterioration that might be a warning sign of potential
hardware failure.

Windows Memory Diagnostics Tool

The Windows Memory Diagnostics Tool can detect and resolve physical memory problems automatically.
If the Windows Memory Diagnostics Tool detects a faulty memory module or parity error, it displays a
message in the system tray that prompts the user to diagnose and fix the problem.
You can use Windows Memory Diagnostics to check the computer's memory during the startup process.
You can choose to restart the computer immediately and perform the check, or to schedule the memory
check during the next computer restart. If you select an immediate check, ensure that you save any work
in progress, and close any open windows before restarting the computer.

Action Center

Windows 8.1 includes the Action Center, which provides a single point of reference for reliability issues.
From the Action Center, you can launch diagnostic tools to troubleshoot hardware problems.

Remote Desktop

An administrator can use Remote Desktop to collect hardware information about a remote computer on
the network. For example, you could use Remote Desktop to run tools that cannot connect to a remote
computer, such as System Information or Reliability Monitor. In a large network, it is important to be able
to connect to remote computers to perform hardware diagnostics without having to physically access the
users' computers.

Centralized Inventory

Using additional products, including those from both Microsoft and other parties, you can gather
hardware information from devices across your enterprise network, and then store the analysis centrally.

Discussion: Approaches to Troubleshooting Hardware


Consider the following questions that relate to
troubleshooting hardware. Discuss with the class
how you approach hardware troubleshooting.
Provide any hints and tips about your approach,
and how you would manage an end-to-end
process.
Question: A user is unable to connect their
cordless mouse to their laptop computer.
What would you check first?
Question: You just added a new video display
to a user's computer. The resolution of the
display is very low, despite being capable of
displaying at 1680x1050. What would you check?
Question: A user's computer freezes repeatedly. When this occurs, the computer accepts no
input from the keyboard or mouse, and all processing stops. What would you suspect as the
problem? What would you try to resolve the issue?

Best Practices for Troubleshooting Hardware Issues


Outside of component failure, hardware-related
problems typically occur when you install a new
hardware device or update a device driver.
Common signs of a hardware-related problem
include spontaneous computer restarts and error
messages on a blue screen. To troubleshoot
hardware issues:

Verify that the computer has the Compatible with Windows 8.1 logo, and that the hardware devices
are on the Windows Marketplace Tested Products list. If a problematic hardware device is not on the
Windows Marketplace Tested Products list, replace it with a listed device.

Remove or disable recently installed device drivers. If you have recently installed another company's
device driver or software package, try removing or disabling the driver to prevent it from loading, and
then restarting the computer. If that does not fix the problem, contact the hardware vendor, and
ensure that you have the latest available driver. If you are using the latest version of the driver,
contact the hardware vendor and log the issue as a support incident.

Use driver rollback to return to a previous driver version. If a failure occurs after installing an updated
device driver, use the driver rollback feature to return to the previous working driver version. To roll
back a device driver:
o Access driver rollback from within Device Manager.

o Start the computer in safe mode, if necessary, to access driver rollback.

Note: If driver rollback is not possible, consider using System Restore to restore the
computer's configuration to a previous point in time. Remember that using System Restore will
most likely rectify the driver problem, but will also revert other settings.

Consider upgrading the computer's BIOS or firmware. This is a relatively straightforward process and
can usually be achieved in the Windows operating system by using a vendor-supplied tool. After
applying a BIOS or firmware update, you also might need to update some of the system device
drivers.

Use vendor support. Ensure that you have adequate support agreements and escalation procedures
with the hardware vendor, and then utilize this support if a hardware failure occurs. Many hardware
vendors offer extended support options, and will replace failed hardware components within a certain
period. You should have support options specified in your organization's service level agreements
(SLAs).

Establish an incident recording procedure. Users often find it difficult to determine the exact
sequence of events that led to failures. Many IT help desks adopt scripts that facilitate logical
interviewing techniques to determine whether users made changes to their computers prior to the
failure. Using a consistent procedure for recording incidents also aids with diagnosing problems.

Lesson 2

Troubleshooting Physical Failures


Hardware failures can be catastrophic unless you plan for device failure and replacement. You should have
procedures in place so that you can troubleshoot failed devices efficiently, particularly for your most
vulnerable devices such as hard disk drives and memory.

Lesson Objectives
After completing this lesson, you will be able to:

Apply device replacement considerations.

Identify the most vulnerable hardware devices.

Apply the guidelines for replacing hardware.

Considerations for Replacing Devices


Many organizations have SLAs and warranties with hardware vendors in place. Before replacing
defective hardware, consider any procedures that those SLAs require you to complete before you can
obtain replacement hardware. Consideration of these factors may enable you to fix the hardware
problem more quickly, and reduce the impact on your users' productivity and your organization's
budget.

SLAs
An SLA can specify what to do when hardware
fails, and how to log a failure incident with your
organization's service desk. The SLA also can dictate the expected response and replacement time for
device replacement.
Procedures also must be in place to ensure that sufficient spare hardware devices are available. Some
companies maintain a definitive hardware list, and spares for each device on this list.

Warranties

Most hardware vendors include a warranty with their products. The warranty generally lasts for an initial
period (such as twelve months), and covers the hardware against failure during this time. A basic warranty
usually stipulates a next-business-day response for device replacement. For a fee, most hardware vendors
offer additional warranty services with shorter response and replacement times. A typical option may
specify a four-hour telephone response time, with an engineer scheduled to visit the site within eight
hours to provide an on-site fix. Ensure that SLAs cover warranty agreements or other contracts with the
manufacturer or hardware vendor.

Escalation Procedures

Providing appropriate escalation procedures and resources can be as simple as providing a contact
telephone number for the hardware vendor. However, most procedures also should include providing a
customer account number for the vendor, a particular contact name, and any pertinent contract details.
This makes service-desk staff aware of agreed-upon response times.


Issues with Data Security

If you need to replace a hard disk due to a hardware problem, you might need to return the broken disk
to the manufacturer. If this is the case, check the security requirements for removing sensitive or
confidential data from the hard disk before you return it.

Vulnerable Hardware Devices


To pinpoint why a computer is experiencing
a problem, you should identify if a hardware
component or device is the source of the
problem. Knowing which devices are most
susceptible to failure can help accelerate the
diagnosis.
Being aware of the conditions under which
vulnerable devices are most likely to fail can help
you avoid those conditions. You then can use
reliability measures to calculate the probability
of failure.

One such measure is mean time between failures (MTBF). MTBF is the average time interval, usually
expressed in thousands or tens of thousands of hours, before a component fails and requires service.

Hard Disk Drives


There are five main reasons why hard disk drives fail:

Logical failure. Examples of logical failures include invalid entries in a file allocation table (FAT) or
master file table (MFT) on the NTFS file system volume. Logical failures are the least severe type of
failure. However, logical errors also can cause corruption and file system loss on a severely
fragmented drive. In such cases, you may need specialized tools to fix the problem.

Mechanical failure. Platters (one or more rotating, magnetically coated disks) store data on a hard
disk. Data is accessed through read/write heads mounted on rotating mechanical arms. One of the
most common mechanical failures occurs when the read/write heads of the hard disk come in contact
(momentarily or continuously) with the hard disk platters. Additionally, physical shock, computer
movement, static electricity, power surges, or mechanical read/write head failure can all cause head
crashes. Hard disk drives also may fail because of motor problems.

Electronic failure. An electronic failure is a problem with the hard disk's controller board. If the
controller fails, the disk may be undetectable by the system BIOS. Additionally, electronic failure can
occur because of electrical surges that damage the controller board or because of defective board
components. However, you often can recover data because the disk platters and other mechanical
components remain undamaged.

Firmware failure. Hard disk firmware is code that controls the hardware. Often, it is stored on a flash
memory chip on the hard disk controller board. If the firmware becomes corrupt or unreadable, the
computer may be unable to communicate with the disk.

Bad sector. Bad sectors can be logical or physical sectors. A lost cluster is an example of a logical bad
sector that typically you can repair with software tools. Shock or vibrations often cause physical bad
sectors. Most hard disk drives have firmware that marks bad sectors, and so long as the damage is
minor, no data is lost. You can use drive-monitoring tools to determine when the number of physical
bad sectors is critical enough to replace the drive.

Note: Some disks implement Self-Monitoring Analysis and Reporting Technology. This
technology enables the operating system to monitor the hard disk proactively, checking for
reliability issues before they can result in data loss.

Solid-State Drives


Many devices, including tablets and some laptops, have solid-state drives (SSDs). This technology differs
from traditional hard drives and offers benefits to users in terms of physical device size, speed, and to
some extent, power consumption.

Although there are no moving parts, SSDs can fail, often resulting in data loss. Every time the operating
system writes to an SSD, memory cells are used to store the data. These cells can wear out over time,
resulting in errors or even drive failure. The more you use a drive, the sooner it will wear out.
Some drives offer error-checking memory cells, which can help to mitigate data errors, and some users
report more problems with larger drives. However, it is important not to consider SSDs as a fail-safe
storage solution.

Power Supplies

The power supply converts regular current into low, direct current (DC) voltage that the computer can
use. A failing power supply can cause erratic behavior, including computers restarting randomly, memory
errors, or power being supplied to some devices and not others.
Symptoms of power supply problems can include:

No indicator lights, disk action, or screen display.

On/Off indicator lights are visible, but there is no disk action or screen display.

The system produces a continuous beep.

Optical Drives
Optical drives such as CD and DVD drives tend to have shorter life spans compared to other hardware
devices, and the MTBF is lower than that for a hard disk drive. Most hardware manufacturers provide a
one-year guarantee on optical drives and a three-year guarantee on hard drives.
The media quality in optical drives is a significant factor in the optical drive's lifespan:

Higher-quality media can increase the device lifespan.

Unclean media may reduce the device lifespan.

Software settings also can affect optical drives. Using a high maximum write speed can result in a greater
number of irreparable and subsequently unusable disks, compared to using slower write speeds.
Optical drives can fail due to vibration because they require precise optical alignment in the device to
work properly. You can cause vibration by moving the computer while it is in use, or by operating the
computer in a location that is not stable. Excessive dust also can damage optical drives, which can be an
environmental factor.

Cooling Fans

The most common cause of cooling fan failures is dust building up inside the computer and around the
fan area. This accumulation can lead to failures in the fan bearings, motor, or power supply.

CPUs and GPUs

Central processing units (CPUs) and graphics processing units (GPUs) are the devices least likely to fail.
However, you can overheat and damage the CPU if you attempt to overclock the CPU. Overheating also
can occur because of a failure with the cooling fan. Additionally, power spikes and static electricity
discharge can cause CPU failures.

System Memory

Memory problems can occur because of heat, power surges, or static electricity. You can use the Windows
Memory Diagnostics Tool to help identify and resolve memory issues.

Additional Components at Risk


In addition to the components listed above, there are other components that can fail. These include:

Batteries. Laptop computers and tablets have batteries installed in them. Although battery technology
has improved dramatically over the last few years, they still have a limited life. When your device
battery begins to degrade, consider replacing it.
Common signs of impending battery failure include:

Inability to maintain a charge for extended periods

Inability to supply a charge to a device for extended periods

Excessive time required to charge a battery

Note: Although almost all laptops support the ability for the user to replace the battery,
this is not the case with all tablets. Some tablets require the manufacturer or service agent to
replace the battery.

Docking stations. Many users rely on docking stations in order to use their Windows 8.1 devices. This
is especially true for smaller form factor devices such as Ultrabooks and tablets, by which the docking
station connects devices with peripherals such as keyboards and monitors. Failure of these
intermediate devices can result in loss of productivity for the user.

Displays. Modern laptop and tablet displays are very reliable, but they can fail. Generally, failure of a
laptop or tablet display is something that will likely require manufacturer replacement. Before acting
on a possible display failure, eliminate all other causes, including device drivers and the graphics card
or system board.

Guidelines for Replacing Hardware


To minimize the risk of a replacement device failing, adhere to the following guidelines:

When you install a device, take care to minimize the risk of damage during the installation process.

Eliminate support issues by choosing replacement devices that are compatible with Windows 8.1.

Root Cause Analysis

Before replacing failed hardware devices, determine the root cause of the failure so that you
can prevent this issue from damaging the replacement device. The root cause could be environmental,
such as heat or moisture-related failures. For example, devices placed in direct sunlight with poor
ventilation, or in a damp location where there might be condensation, may fail after a short time.
Alternatively, the root cause could be behavioral, such as users knocking or kicking the computer.

Static Electricity Issues

Because of the risks that static electricity poses to devices such as system memory, it is important that you
observe static electricity guidelines and train your IT staff accordingly. Initiate compulsory maintenance
procedures, and ensure that you use antistatic kits, which are inexpensive and available from numerous
hardware manufacturers. Hardware vendors operate professional hardware-qualification programs that
include detailed information about antistatic maintenance precautions. Additionally, ensure that IT staff
wears grounding straps when working with sensitive components.

Windows 8.1 Compatibility

When you buy a new computer, check for the Compatible with Windows 8.1 logo. The hardware in a
Windows 8.1 compatible computer has been tested, and its components have been verified as optimized
to run the Windows 8.1 operating system.
When buying hardware devices for a computer that is running Windows 8.1, check that the hardware has
the approval of the Windows Logo Program for Windows 8.1. This means that the hardware has been
tested for Windows 8.1 compatibility, and that it is listed on the Windows Marketplace website. Windows
Marketplace is an online service that replaces the previous Hardware Compatibility List (HCL).
Note: Discover which devices are compatible with Windows 8.1 by visiting the Windows
Compatibility Center at http://go.microsoft.com/fwlink/?LinkId=214077.
Note: Some devices, especially tablets, do not support user replacement of failed parts.
Typically, you will need to return the device to the manufacturer or their service agent to have
parts replaced.

Lesson 3

Troubleshooting Device Driver Failures

A driver is a small software program that allows a computer to communicate with its hardware or devices.
A hardware device works only if its device driver is installed correctly and functioning properly. Drivers are
specific to operating systems.
A driver failure can render even the most sophisticated and expensive device useless. Malfunctioning
device drivers also can affect other hardware, and may stop the computer from operating properly.

This lesson focuses on troubleshooting problems related to hardware device drivers, which can include:

Disabling and removing device drivers.

Verifying driver signatures.

Installing or reinstalling drivers manually.

Lesson Objectives
After completing this lesson, you will be able to:

Describe management of device drivers.

Describe methods for disabling device drivers.

Describe the process to remove unsigned drivers.

Explain how to stage drivers.

Install and remove device drivers.

Describe effective ways to manage legacy devices.

Manage driver installation by using Group Policy settings.

Managing Device Drivers

Windows 8.1 makes it possible for users to install their own device drivers. However, this can
potentially introduce security and reliability problems. As an administrator, you can copy
driver packages to a protected area of a user's computer, called the driver store. A standard
user, without any special user rights, can then install drivers from the driver store. You also
can configure the client computer to search particular local or network folders automatically
when a user attaches a new device, so that the Windows operating system does not prompt the
user to insert media. The driver store, in conjunction with driver signing, increases computer security by
ensuring that standard users can install only those driver packages that you authorize and trust.

Driver Packages
A driver package is a set of files that make up a driver. The driver package includes:

The .inf file.

Any files that the .inf file references.

The catalog (.cat) file that contains the digital signature of the device driver.

Installing a driver is a two-stage process:

1. Install the driver package into the driver store. You must use administrator credentials to perform this
step.

2. Attach the device, and install the driver. A standard user can perform this step.

Driver Store

The driver store is the Windows 8.1 driver repository. Because the driver store is a trusted location, when
you connect compatible hardware, Windows 8.1 installs the appropriate driver automatically from the
store's cache of device drivers.
Because standard users can install any device driver from the driver store, users can install common
hardware accessories without calling the help desk. An OEM or IT administrator can preload the driver
store with the necessary drivers for commonly used peripheral devices. The driver store is located at
systemroot\System32\DriverStore.
During hardware installation, Windows 8.1 will report an unknown device if:

The driver store does not contain an appropriate driver.

Windows Update does not have an appropriate driver.

The user does not have a device driver on removable media.

Driver Signing

Digital signatures allow administrators and end users who are installing Windows-based software to know
that a legitimate publisher is providing the software package. A digital signature is an electronic security
mark that indicates the software's publisher, and displays a message if someone changes the original
contents of the driver package. If a publisher signs a driver, then you can be more confident that the
driver comes from that publisher and has not been altered.

Disabling Device Drivers


If you have determined that the probable cause of a reported problem is with a device driver, you
might need to disable that particular device driver. Windows 8.1 provides several methods that
you can use to disable device drivers.

Disabling Device Drivers Using Device Manager

You can disable a device driver through a GUI by using the Device Manager as follows.
1. From Control Panel, open Device Manager.

2. Right-click the device driver that you want to disable, and then click Disable.

The difference between disabling a device and uninstalling it is that when you disable a device, you are
disabling only the drivers; the hardware configuration does not change, and the driver software is not
removed from the computer, which it would be if you uninstall the device.

Note: If a device appears to have failed and Device Manager displays a problem with the
device, you can uninstall the device. Windows then detects the device, and installs the driver
again. This may resolve the problem.

Disabling Device Drivers from a Command Prompt

You also can disable a device driver from a command prompt by using the DevCon command-line tool.
For example, to disable all devices that have a hardware identifier that ends in MSLOOP, at a command
prompt, type devcon disable *MSLOOP. You also can use the DevCon tool to list devices, their status,
and associated hardware resources.
For more information on the DevCon tool, refer to the following webpage:
The DevCon command-line utility functions as an alternative to Device Manager
http://go.microsoft.com/fwlink/?LinkId=335914

Managing Drivers with Windows PowerShell


You can use the following Windows PowerShell cmdlets to manage device drivers:

Get-Device

Get-Driver

Get-Numa

Enable-Device

Disable-Device

Disabling Device Drivers Remotely


You can use Remote Desktop to connect to a remote computer running Windows 8.1, and then use
Device Manager or DevCon to disable a device driver the same way you would on a local computer.

Disabling Device Drivers in Safe Mode


When you start a computer in safe mode, only a minimal number of device drivers start, including:

Drivers for the CD or DVD drive

Floppy disk

Hard disk

Keyboard

Mouse

VGA devices

If the failure of a device driver is preventing the operating system from starting, you can start the
computer in safe mode. You then can troubleshoot the device driver, which might involve disabling the
problem device before you attempt to restart the computer in normal mode.

Managing Signed Drivers


Because device drivers run with system-level privileges and can access anything on the
computer, it is critical to trust installed device drivers. Trust, in this context, includes two main
principles:

Authenticity. A guarantee that the package came from its claimed source.

Integrity. An assurance that the package is intact and has not been modified after its release.

A digital signature uses the organization's digital certificate to encrypt specific details about the
package. The encrypted information in a digital signature includes a thumbprint for each file that the
package includes. A special cryptographic algorithm generates the thumbprint. This is known as a
hashing algorithm. The algorithm generates a code that only the file's contents can create, and
changing a single bit in the file changes the thumbprint. After the thumbprints are generated,
the publisher combines them into a catalog and encrypts them.
Microsoft uses digital signatures to indicate that a driver is certified for use with Windows 8.1.
Windows 8.1 checks for a driver's digital signature during installation, and prompts the user if no
signature is available. As the domain administrator, you should configure Group Policy to block the
installation of device drivers that do not have a digital signature. The signature file is stored as a .cat file
with the driver file.

Administrators and end users who are installing Windows-based software can use digital signatures
to verify that a legitimate publisher has provided the software package. The signature is an electronic
security mark that indicates the publisher of the software, and whether someone has changed the driver
package's original contents. If a publisher signs a driver, this indicates that the driver comes from that
publisher and has not been altered.

A digital signature uses the organization's digital certificate to encrypt specific details about the package.
The encrypted information in a digital signature includes a thumbprint for each file included with the
package. A special cryptographic algorithm referred to as a hashing algorithm generates this thumbprint.
The algorithm generates a code that only that file's contents can create. Changing a single bit in the file
changes the thumbprint. After the thumbprints are generated, they are combined together into a catalog,
and then encrypted.
Note: 64-bit Windows 8.1 versions require that all drivers be digitally signed.

If your organization has a Software Publishing Certificate, you can use that to add your own digital
signature to drivers that you have tested and that you trust. If you experience stability problems after you
install a new hardware device, an unsigned device driver might be the cause.
Note: To disable the enforcement of driver signatures, access the Advanced Boot Options
menu, and then select Disable driver signature enforcement. The procedure for accessing the
Advanced Boot Options menu is described in the next topic.

Signature Verification Tool

You can use the Signature Verification tool (Sigverif.exe) to check if unsigned device drivers are in the
system area of a computer. Sigverif.exe writes the results of the scan to a log file that includes the system
file, the signature file, and the signature file's publisher. The log file shows any unsigned device drivers as
unsigned. You then can choose whether to remove the unsigned drivers.
To remove an unsigned device driver, follow these steps:
1. Run Sigverif.exe to scan for unsigned drivers.

2. Review the resulting log file.

3. Create a temporary folder for unsigned driver storage.

4. Manually move any unsigned drivers from systemroot\System32\Drivers into the temporary folder.

5. Disable or uninstall the associated hardware devices.

6. Restart the computer.

If this resolves the problem, try to obtain a signed driver from the hardware vendor or replace the
hardware with a device that is Windows 8-capable.

You can obtain a basic list of signed and unsigned device drivers from a command prompt by running the
driverquery command with the /si switch.
Note: Some hardware vendors use their own digital signatures so that drivers can have a
valid digital signature, even if Microsoft has not tested them. The Sigverif report lists the vendors
for each signed driver. This can help you identify problem drivers issued by particular vendors.
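
The driverquery /si listing mentioned above can be summarized in Windows PowerShell to separate unsigned drivers from signed ones and to count signed drivers per vendor. This is an added example, not part of the course material; it assumes the English column names DeviceName, InfName, IsSigned, and Manufacturer, and the sample rows are constructed.

```powershell
# Added example (not from the course material).
# Assumption: English-language Windows, where `driverquery /si /fo csv`
# emits the columns DeviceName, InfName, IsSigned and Manufacturer.

function Get-DriverSigningReport {
    [CmdletBinding()]
    param(
        # CSV lines to analyse; by default, live output from driverquery.exe.
        [string[]]$CsvLine = (& driverquery.exe /si /fo csv)
    )

    $rows = @($CsvLine | ConvertFrom-Csv)

    # Devices with no driver bound report N/A in every column; set them aside.
    $withDriver = @($rows | Where-Object { $_.IsSigned -ne 'N/A' })

    # Anything other than TRUE is treated as unsigned, so an unexpected
    # value is surfaced for review instead of being silently trusted.
    $unsigned = @($withDriver | Where-Object { $_.IsSigned -ne 'TRUE' })

    # Signed drivers counted per vendor, largest group first.
    $signedByVendor = @(
        $withDriver |
            Where-Object { $_.IsSigned -eq 'TRUE' } |
            Group-Object -Property Manufacturer |
            Sort-Object -Property Count -Descending |
            ForEach-Object {
                [pscustomobject]@{ Manufacturer = $_.Name; Drivers = $_.Count }
            }
    )

    [pscustomobject]@{
        DevicesListed  = $rows.Count
        NoDriverBound  = $rows.Count - $withDriver.Count
        Unsigned       = $unsigned
        SignedByVendor = $signedByVendor
    }
}

# Constructed sample rows in the shape of `driverquery /si /fo csv` output.
$sample = @'
"DeviceName","InfName","IsSigned","Manufacturer"
"Standard PS/2 Keyboard","keyboard.inf","TRUE","(Standard keyboards)"
"Contoso USB Camera","oem12.inf","FALSE","Contoso"
"Generic volume","volume.inf","TRUE","Microsoft"
"Volume Manager","volmgr.inf","TRUE","Microsoft"
"Unknown device","N/A","N/A","N/A"
'@ -split "`r?`n"

$report = Get-DriverSigningReport -CsvLine $sample

# Unsigned entries: the InfName column gives the published name (oemNN.inf)
# of a third-party package in the driver store.
$report.Unsigned | Format-Table -Property DeviceName, InfName, Manufacturer -AutoSize

# Vendor breakdown of signed drivers.
$report.SignedByVendor | Format-Table -AutoSize
```

Call Get-DriverSigningReport without parameters to analyse the local computer instead of the sample rows.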

Benefits of Signing and Staging Driver Packages

Because device driver software runs as a part of the operating system, it is critical that only known and
authorized device drivers are permitted to run. Signing and staging device driver packages on client
computers provide the following benefits:

Improved security. You can allow standard users to install approved device drivers without
compromising computer security or requiring help desk assistance.

Reduced support costs. Users can only install devices that your organization has tested and is
prepared to support. Therefore, you can maintain computer security as you simultaneously reduce
help desk demands.

Better user experience. A driver package that you stage in the driver store works automatically when
the user plugs in the device. Alternatively, driver packages that you place on a shared network folder
can be discovered whenever the operating system detects a new hardware device. In both cases, the
user is not prompted prior to installation.

Configuring the Certificate Store to Support an Unknown Certification Authority

On each computer, Windows 8.1 maintains a store for digital certificates. As the computer administrator,
you can add certificates from trusted publishers. If a package is received for which a matching certificate
cannot be found, Windows 8.1 requires confirmation that the publisher is trusted. By placing a certificate
in the certificate store, you inform the Windows operating system that packages signed by that certificate
are trusted.

You can use Group Policy to deploy the certificates to client computers. Using Group Policy, you can have
the certificate installed automatically on all managed computers in a domain, organizational unit (OU), or
site.

Note: It is unusual to install a root certificate into the Trusted Root Certification Authority
store simply to support driver signing.

Staging Device Drivers


When you install a device driver from an .inf file-based installation or from a setup application, the
driver package is copied automatically into the package store. However, you also can extract
device drivers manually by using the new Windows 8.1 Pnputil.exe tool. Pnputil.exe is an
important troubleshooting tool that you can use to add driver packages, remove unnecessary or
problem driver packages, and list all the driver packages that are in the driver store.

Manual Driver Extraction


You can use Pnputil to add a driver to the Windows 8.1 driver store manually, by using the following procedure:
1. Obtain a digitally signed driver package.

2. Sign in as Administrator, and then open a Command Prompt window.

3. Run pnputil.exe -a package_name.

4. Windows 8.1 checks the driver's integrity and digital signature, and then copies the driver into the
driver store.

Note: The Pnputil.exe tool only runs at a command prompt with elevated user rights. The
tool cannot invoke the User Account Control dialog box.

Managing the Driver Store


You also can use the Pnputil.exe command-line tool to manage the driver store. You use Pnputil.exe to
both add and remove driver packages from the driver store, and to list non-Microsoft driver packages
that are already in the store.
You can use Pnputil.exe to perform the following tasks:

Add a driver to the driver store.

Add a driver to the driver store and install the driver in the same operation.

Delete a driver from the driver store.

List all drivers in the driver store.

The following table lists the Pnputil.exe command-line syntax.

Command line | Details
pnputil.exe -a d:\usbcam\USBCAM.inf | Adds a package that USBCAM.inf specifies.
pnputil.exe -a c:\drivers\*.inf | Adds all packages in C:\drivers.
pnputil.exe -i -a a:\usbcam\USBCAM.inf | Adds and installs a driver package.
pnputil.exe -e | Lists all non-Microsoft packages.
pnputil.exe -d oem0.inf | Deletes package oem0.inf.
pnputil.exe -f -d oem0.inf | Forces deletion of package oem0.inf.

Note: You also can choose to distribute drivers by adding them to the operating system
images that your organization uses. To do this, use the DISM.exe tool to mount the image that
you wish to modify and then inject the driver. Finally, commit the changes.
1. Dism /Mount-Wim /WimFile:C:\test\images\install.wim /Name:"Windows 8.1 Image" /MountDir:C:\test\offline

2. Dism /Image:C:\test\offline /Add-Driver /Driver:C:\drivers\mydriver.INF

3. Dism /Unmount-Wim /MountDir:C:\test\offline /Commit

Demonstration: Managing Device Drivers


Note: This is a practice session.
In this practice session, you will:

Update a device driver.

Uninstall a device driver.

Install a device driver into the driver store.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Adatum

5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Update a device driver

1. If necessary, sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password
Pa$$w0rd.

2. On the Start screen, type This PC, right-click This PC, and then click Manage.

3. In Computer Management, click Device Manager.

4. Expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver Software.

5. In the Update Driver Software - Standard PS/2 Keyboard dialog box, click Browse my computer
for driver software.

6. On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.

7. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key), and
then click Next.

8. Click Close.

9. In the System Settings Change dialog box, click Yes to restart the computer.

Uninstall a device driver


1. Sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.

2. Type This PC, right-click This PC, and then click Manage.

3. In Computer Management, click Device Manager.

4. Expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102 Key), and then click
Properties.

5. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab,
and then click Uninstall.

6. In the Confirm Device Uninstall dialog box, click OK.

7. In the System Settings Change dialog box, click Yes to restart the computer.

8. Sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.

9. Type This PC, in the results section, right-click This PC, and then click Manage.

10. In Computer Management, click Device Manager.

11. Expand Keyboards, click Standard PS/2 Keyboard, and verify that you have successfully uninstalled
the driver.

12. Close Computer Management.

Install a device driver into the driver store


1. Click Start.

2. Type cmd, right-click Command Prompt, and then click Run as administrator.

3. At the Command Prompt, type the following command, and then press Enter:
pnputil -a D:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf

4. In the Command Prompt, type the following command, and then press Enter:
pnputil -e

5. Take note of the published name for the driver that you just installed into the store.

6. Close the Command Prompt window.
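
The pnputil -e listing from step 4 can be turned into objects so that every non-Microsoft package in the driver store is checked against the signers that you trust. This is an added example, not part of the course material; it assumes the English field labels of the listing, the function names and the allow-list are hypothetical, and the sample listing is constructed.

```powershell
# Added example (not from the course material).
# Assumption: English-language output of `pnputil.exe -e`, one
# "Label : value" line per field, each package starting at "Published name".

function ConvertFrom-PnpUtilListing {
    [CmdletBinding()]
    param(
        # Listing lines; by default, live output (needs an elevated prompt).
        [string[]]$Line = (& pnputil.exe -e)
    )

    $labelMap = @{
        'Driver package provider' = 'Provider'
        'Class'                   = 'Class'
        'Driver date and version' = 'DateAndVersion'
        'Signer name'             = 'Signer'
    }
    $current = $null

    foreach ($text in $Line) {
        if ($text -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $label = $Matches[1]
            $value = $Matches[2].Trim()

            if ($label -eq 'Published name') {
                # A new package starts: emit the previous one first.
                if ($null -ne $current) { [pscustomobject]$current }
                $current = [ordered]@{
                    PublishedName = $value; Provider = ''; Class = ''
                    DateAndVersion = ''; Signer = ''
                }
            }
            elseif ($null -ne $current -and $labelMap.ContainsKey($label)) {
                $current[$labelMap[$label]] = $value
            }
        }
    }
    if ($null -ne $current) { [pscustomobject]$current }
}

function Get-DriverStoreReview {
    param(
        [Parameter(Mandatory)][object[]]$Package,
        # Hypothetical allow-list of signer names that your organization trusts.
        [Parameter(Mandatory)][string[]]$ApprovedSigner
    )
    foreach ($p in $Package) {
        # Assumption: an empty signer field is treated as needing review.
        if ([string]::IsNullOrWhiteSpace($p.Signer)) {
            $finding = 'No signer listed'
        }
        elseif ($ApprovedSigner -contains $p.Signer) {
            $finding = 'Approved signer'
        }
        else {
            $finding = 'Signer not on allow-list'
        }
        [pscustomobject]@{
            PublishedName = $p.PublishedName
            Provider      = $p.Provider
            Signer        = $p.Signer
            Finding       = $finding
        }
    }
}

# Constructed sample listing in the layout that `pnputil -e` prints.
$sample = @'
Microsoft PnP Utility

Published name :            oem0.inf
Driver package provider :   Microsoft
Class :                     Mice and other pointing devices
Driver date and version :   01/15/2014 1.0.0.0
Signer name :               Microsoft Windows Hardware Compatibility Publisher

Published name :            oem1.inf
Driver package provider :   Contoso
Class :                     Imaging devices
Driver date and version :   03/02/2013 2.1.0.0
Signer name :               Contoso Test Signing

Published name :            oem2.inf
Driver package provider :   Fabrikam
Class :                     Printers
Driver date and version :   11/30/2012 4.2.0.0
Signer name :
'@ -split "`r?`n"

$packages = @(ConvertFrom-PnpUtilListing -Line $sample)
$approved = @('Microsoft Windows Hardware Compatibility Publisher')

Get-DriverStoreReview -Package $packages -ApprovedSigner $approved |
    Format-Table -AutoSize
```

A package that fails the review can be removed by its published name with pnputil.exe -d, as listed in the Pnputil.exe syntax table.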

Completion steps

After you complete this practice session, leave the virtual machines running for the next practice
session.

Managing Legacy Device Drivers


Device drivers written specifically for Windows 8.1 are designed to maximize the benefit of the
Windows 8.1 architectural improvements. If you have a hardware device that does not come with
a Windows 8.1 driver, consider different factors before deciding whether to use a legacy device
driver. Legacy drivers that were developed for previous Windows versions might not work
effectively with Windows 8.1, or they might cause interoperability issues with other devices.

Compatibility Issues

Before installing a device driver that was not written specifically for Windows 8.1, check with the
hardware vendor to find out if there are known issues
for computers that are running Windows 8.1. Compatibility issues can include:

Installation. The device driver might not install in the same way as in previous Windows operating
system versions. For example, the user access protection feature may complicate the Windows 8.1
finish-install process.

Loading. The device driver might not load the same way as in previous Windows operating system
versions. For example, the 64-bit Windows 8.1 editions do not load unsigned drivers.

Run time. The device driver might not run the same way as in previous Windows operating system
versions. Run-time compatibility problems include a range of issues that can occur during run time.
Some issues are quite serious, while others are relatively minor.

Functionality. The device driver may run, but its behavior might differ significantly from that in earlier
Windows operating system versions. For example, network driver interface specification (NDIS) 5.x
drivers must go through a translation layer that reduces their performance. Similarly, display drivers
for the Windows XP operating system, which are based on the display driver model of the Microsoft
Windows 2000 Server operating system, may function in Windows 8.1. However, upon use, they may
not display premium content such as high definition (HD)-DVD video.

Demonstration: Using Group Policy to Manage Driver Installation


Note: This is a practice session.
You can use Group Policy Objects (GPOs) to configure a number of settings that control installation of
devices and device drivers.

To access the GPOs, in Group Policy, under Computer Configuration, select Policies, Administrative
Templates, System, Driver Installation.
The following table identifies the relevant Group Policy settings.
Group Policy setting | Description
Allow non-administrators to install drivers for these device setup classes | Enables users to install specified device drivers. You can determine the appropriate driver setup class by examining the .inf file that is provided as part of a device driver.
Turn off the Windows Update device driver search prompt | Determines whether the administrator is prompted to search Windows Update for drivers during device installation.

In Group Policy, under Computer Configuration, select Policies, Administrative Templates, System,
Device Installation\Device Installation Restrictions. The following table identifies the relevant Group
Policy settings.
Group Policy setting | Description
Allow administrators to override Device Installation Restrictions policies | Enables members of the Administrators group to install or update drivers for devices, regardless of policy settings.
Allow installation of devices using drivers that match these device setup classes | Enables the installation of devices that match the specified setup class GUIDs.
Prevent installation of devices using drivers that match these device setup classes | Prevents the installation of devices that match the specified setup class GUIDs.
Display a custom message when a policy setting prevents installation | Allows the administrator to define a customized message that displays when a policy setting prevents device installation.
Display a custom message title when a policy setting prevents device installation | Allows the administrator to define a customized message title that displays when a policy setting prevents device installation.
Allow installation of devices that match any of these device identifiers | Enables the installation of devices that match the device identifiers that you specify.
Prevent installation of devices that match any of these device identifiers | Prevents the installation of devices that match the device identifiers that you specify.
Time (in seconds) to force reboot when required for policy changes to take effect | Enables you to define the time that the computer waits to restart after a device installation.
Prevent installation of removable devices | Enables you to prevent users from installing removable devices.
Prevent installation of devices not described by other policy settings | Enables you to ensure that users cannot install any drivers, even if there are no policies restricting installation.

In this practice session, you will:

Modify Group Policy settings.

Locate the setup class GUID.

Complete the GPO configuration.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. These virtual
machines should be running from the preceding practice session. If they are not, before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Adatum

5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Modify Group Policy settings
1. On LON-CL1, on the desktop, double-click Administrative Tools.

2. Double-click Group Policy Management.

3. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click Default Domain Policy.

Note: Although you are editing the Default Domain Policy, it would be more usual to
create a new GPO and link it to the domain.

4. In the Group Policy Management Console pop-up window, click OK.

5. Right-click Default Domain Policy, and then click Edit.

6. In Group Policy Management Editor, under Computer Configuration, expand Policies, expand
Administrative Templates, expand System, expand Device Installation, and then click Device
Installation Restrictions.

7. In the right-pane, double-click Allow installation of devices using drivers that match these device
setup classes.

8. In the Allow installation of devices using drivers that match these device setup classes dialog
box, click Enabled, and then click Show.

9. Leave the window open.

Locate the setup class GUID


1. Click File Explorer, in the address bar, type D:\Labfiles\Mod03\, and then press Enter.

2. In Mod03, double-click Intellipoint.

3. Double-click ipoint.

4. Double-click setup64.

5. Double-click files.

6. Double-click driver.

7. Double-click point64, and then double-click point64.inf.

8. In Notepad, locate the line that starts with ClassGUID.

9. Select and copy the GUID, including the opening and closing brackets {}.
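
The ClassGUID lookup in the steps above can be scripted so that the value pasted into the policy is read from the .inf file and checked for the braces that the setting expects. This is an added example, not part of the course material; the function name is hypothetical, and the sample .inf text is constructed and is not the contents of the lab's point64.inf.

```powershell
# Added example (not from the course material).
# Reads the [Version] section of an .inf file and returns the setup class
# details that the Device Installation Restrictions settings rely on.

function Get-InfVersionInfo {
    [CmdletBinding()]
    param(
        # Lines of the .inf file, for example from Get-Content.
        [Parameter(Mandatory)][string[]]$Line
    )

    $section = ''
    $version = @{}   # PowerShell hashtables are case-insensitive, so
    $strings = @{}   # ClassGUID and ClassGuid resolve to the same key.

    foreach ($raw in $Line) {
        # A semicolon starts a comment. Simplification: semicolons inside
        # quoted values are not handled.
        $text = ($raw -replace ';.*$', '').Trim()
        if ($text -eq '') { continue }

        if ($text -match '^\[(.+)\]$') {
            $section = $Matches[1].Trim()
            continue
        }
        if ($text -match '^([^=]+?)\s*=\s*(.*)$') {
            $key   = $Matches[1].Trim()
            $value = $Matches[2].Trim().Trim('"')
            if     ($section -eq 'Version') { $version[$key] = $value }
            elseif ($section -eq 'Strings') { $strings[$key] = $value }
        }
    }

    # Resolve %token% references against the [Strings] section.
    foreach ($key in @($version.Keys)) {
        if ($version[$key] -match '^%(.+)%$' -and $strings.ContainsKey($Matches[1])) {
            $version[$key] = $strings[$Matches[1]]
        }
    }

    $guid = [string]$version['ClassGuid']

    # CatalogFile may also appear with a platform suffix (CatalogFile.NTamd64).
    $catalogs = @(
        $version.Keys |
            Where-Object { $_ -like 'CatalogFile*' } |
            Sort-Object |
            ForEach-Object { $version[$_] }
    )

    [pscustomobject]@{
        Class            = $version['Class']
        ClassGuid        = $guid
        # The policy value must include the opening and closing braces.
        ClassGuidIsValid = ($guid -match '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$')
        Provider         = $version['Provider']
        DriverVer        = $version['DriverVer']
        # An empty list means the .inf file names no catalog (.cat) file.
        CatalogFile      = $catalogs
    }
}

# Constructed sample .inf text; the GUID is the standard Mouse setup class.
$sampleInf = @'
; Constructed sample for illustration
[Version]
Signature   = "$Windows NT$"
Class       = Mouse
ClassGUID   = {4D36E96F-E325-11CE-BFC1-08002BE10318}
Provider    = %Vendor%
CatalogFile = sample.cat
DriverVer   = 01/15/2014,1.0.0.0

[Strings]
Vendor = "Contoso"
'@ -split "`r?`n"

$info = Get-InfVersionInfo -Line $sampleInf
$info | Format-List

# For a file on disk, pass its lines instead of the sample:
#   Get-InfVersionInfo -Line (Get-Content -Path <path to .inf file>)
```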

Complete the GPO configuration

MCT USE ONLY. STUDENT USE PROHIBITED

3-28 Troubleshooting Hardware and Device Drivers

1. Switch back to Group Policy Management Editor.
2. In the Show Contents dialog box, click in the Value text box, and then paste the GUID into it.
3. Click OK twice.
4. In Group Policy Management Editor, double-click Allow administrators to override Device Installation Restriction policies.
5. Click Disabled, and then click OK.
6. Double-click Display a custom message when installation is prevented by a policy setting.
7. Click Enabled, and in the Detail Text text box, type Adatum Policy restricts installation of certain devices, and then click OK.
8. Close all open windows.
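
The allow list configured in this demonstration can be checked from the client side. The following PowerShell is an added example, not part of the course material: it extracts the ClassGUID from INF text and evaluates it against a policy object. The function names, the registry value names, and the sample INF text are not from the course text, and the decision logic is a simplification that does not model the deny-list policy settings.

```powershell
# Added example; function names are hypothetical.
# Registry location where the Device Installation Restrictions settings are stored.
$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-InfClassGuid {
    # Returns the ClassGUID entry of the [Version] section, braces included.
    param([Parameter(Mandatory = $true)][string]$Text)
    $inVersion = $false
    foreach ($raw in ($Text -split "\r?\n")) {
        $line = ($raw -replace ';.*$', '').Trim()            # strip INF comments
        if ($line -match '^\[(.+)\]$') {
            $inVersion = ($Matches[1].Trim() -eq 'Version')  # -eq ignores case
            continue
        }
        if ($inVersion -and $line -match '^ClassGUID\s*=\s*(\{[0-9A-Fa-f-]{36}\})$') {
            return $Matches[1].ToUpper()
        }
    }
    throw 'No ClassGUID entry found in the [Version] section.'
}

function Get-DeviceInstallPolicy {
    # Reads the applied settings on a client (after Group Policy has refreshed).
    $p = Get-ItemProperty -Path $RestrictionsKey -ErrorAction SilentlyContinue
    $allowed = @()
    $listKey = "$RestrictionsKey\AllowDeviceClasses"
    if (Test-Path -Path $listKey) {
        $k = Get-Item -Path $listKey
        $allowed = @($k.GetValueNames() | ForEach-Object { ([string]$k.GetValue($_)).ToUpper() })
    }
    [pscustomobject]@{
        AllowListEnabled = ($p.AllowDeviceClasses -eq 1)
        AllowedClasses   = $allowed
        AdminOverride    = ($p.AllowAdminInstall -eq 1)
        DenyUnspecified  = ($p.DenyUnspecified -eq 1)
    }
}

function Test-DeviceClassAllowed {
    # Pure decision logic (deny lists not modeled), so it runs on constructed input.
    param(
        [Parameter(Mandatory = $true)][string]$ClassGuid,
        [Parameter(Mandatory = $true)]$Policy,
        [bool]$IsAdministrator = $false
    )
    if ($IsAdministrator -and $Policy.AdminOverride) { return 'Allowed: administrator override' }
    if ($Policy.AllowListEnabled -and ($Policy.AllowedClasses -contains $ClassGuid.ToUpper())) {
        return 'Allowed: class is on the allow list'
    }
    # "Prevent installation of devices not described by other policy settings"
    if ($Policy.DenyUnspecified) { return 'Blocked: not described by any policy setting' }
    return 'Allowed: no restriction applies'
}

# Constructed sample INF text (not the contents of point64.inf).
$sampleInf = @'
[Version]
Signature = "$Windows NT$"
Class     = Mouse
ClassGUID = {4D36E96F-E325-11CE-BFC1-08002BE10318} ; system-defined Mouse class
'@
$mouse   = Get-InfClassGuid -Text $sampleInf
$printer = '{4D36E979-E325-11CE-BFC1-08002BE10318}'   # system-defined Printer class

# Constructed policy mirroring the demonstration: the allow list holds the copied
# GUID and the administrator override is disabled.
$demo = [pscustomobject]@{
    AllowListEnabled = $true
    AllowedClasses   = @($mouse)
    AdminOverride    = $false
    DenyUnspecified  = $false
}

# The allow list alone blocks nothing; other classes are refused only when
# DenyUnspecified is also enabled.
foreach ($deny in $false, $true) {
    $demo.DenyUnspecified = $deny
    foreach ($guid in $mouse, $printer) {
        $result = Test-DeviceClassAllowed -ClassGuid $guid -Policy $demo
        '{0} DenyUnspecified={1}: {2}' -f $guid, $deny, $result
    }
}
```

On a domain-joined client, pass the output of Get-DeviceInstallPolicy as -Policy to evaluate the settings that were actually applied.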

Completion steps
After you have completed the practice session, revert the virtual machines in preparation for the lab:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lesson 4

Monitoring Reliability

Reliability is a measure of how a system conforms to expected behavior. A system that often deviates from
the behavior that you configure or expect indicates poor reliability. Typical factors that adversely affect
system reliability include:

Application failures.

Unresponsive or restarting services.

Driver initialization failures.

Operating system failures.

Hardware failures.

This lesson identifies tools that you can use in Windows 8.1 to help identify and resolve reliability issues.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to use Resource Monitor to identify reliability issues.

Explain how to use Task Manager to manage reliability issues.

Explain how Reliability Monitor can help to identify reliability issues.

Overview of Resource Monitor


Windows 8.1 provides a number of tools
for monitoring performance. You can use
Resource Monitor to help to identify and resolve
performance problems in Windows 8.1. You
can also use it to help you to identify reliability
problems, such as excessive use of system
resources.
To open Resource Monitor, from a command
prompt, type perfmon /res.

Task Manager
In Windows 8.1, Task Manager has been enhanced
to provide more information that helps you
identify and resolve reliability problems. Task
Manager includes the following tabs:

Processes. Displays a list of running programs, which are divided into applications and
internal Windows operating system processes. For each running process, this tab displays a
summary of processor and memory usage.

Performance. Displays a summary of CPU and memory usage in addition to network statistics.

App history. Displays statistics and resource consumption by application. This information can prove
useful for identifying a specific application that is consuming an excessive amount of resources.

Startup. Displays the items that are configured to run at startup. You can choose to disable any of the
listed programs.

Users. Displays resource consumption on a per-user basis. You can also expand the user view to see
more detailed information about the specific processes that a user is running.

Details. Lists all the processes that are running on the server and provides statistics about their CPU,
memory, and other resource consumption. You can use this tab to manage the running processes. For
example, you can stop a process, stop a process and all its related processes, and change the priority
values of processes. By changing the priority of a process, you determine how much CPU time the
process can consume. By increasing the priority, you allow the process to request more CPU time.

Services. Provides a list of the installed Windows services together with related information, including
whether the service is running and what the process identifier (PID) of the running service is. You can
start and stop services by using the list on the Services tab.

Generally, you can consider using Task Manager when a reliability problem first becomes apparent. For
example, you might examine the startup items to determine whether a particular program is causing
problems after it has started.
To access Task Manager, press the Ctrl+Alt+Del keys, and then click Task Manager.

Reliability Monitor
You can use Reliability Monitor to view a computer's reliability and problem history. You
can track events such as application and operating system failures against other events such as
software updates and application installation. This gives you the ability to determine at a glance if a
particular change in system reliability is associated with a change in the computer's configuration.
The System Stability chart provides a running chart that will display up to 365 days' worth of
reliability data. The chart lists a system stability index for each day, with the index rising when no
problems are encountered, and falling when problems are recorded.
The stability report provides you with information on the following items:

Application failures

Windows failures

Miscellaneous failures

Warnings

Information

You can track these events against informational events that include:

Application installation

Software update installation

Application uninstallation

Software update removal

Device driver update

Hardware configuration change

You can also review problem reports. Problem reports allow you to view data on:

Memory problems

Hard disk problems

Driver problems

Application failures

Miscellaneous failures

To open Reliability Monitor, from a command prompt, type perfmon /rel.

Lab: Troubleshooting Hardware and Device Drivers


Scenario

The help desk has received a number of trouble tickets that relate to device driver installation. Your
manager has asked you to look into the reason why so many problems relate to devices and to suggest a
possible solution. You must then implement the solution within the network.

Objectives
After completing this lab, you will be able to:

Resolve a hardware-related problem.

Configure Group Policy settings to control device installation.

Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20688D-LON-DC1, 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL1.

Exercise 1: Resolving Hardware Issues


Scenario
In this exercise, you will resolve the reported hardware problem that Tier 1 help desk staff could not
resolve.
Incident Record
Incident Reference Number: 722201
Date of Call: October 1
Time of Call: 3:30
User: Bobby Moore (Development Department)
Status: OPEN

Incident Details
Bobby reports that his computer mouse is nonfunctional.

Additional Information
User reports that he attempted to install a new mouse, but abandoned the installation midway
through the process.
I attended the user's computer and was unable to resolve the problem, as the mouse was
completely nonfunctional.
Plan of Action

Resolution

The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for Incident 722201.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for Incident 722201

Read the help desk Incident Record 722201.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod03\Scenario1.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of the startup architecture and the tools
available for troubleshooting the startup environment.

Note: On your host, in the 20688D-LON-CL1 on localhost Virtual Machine Connection
window, in the View menu, click Full Screen Mode.

2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Note: When you have completed the exercise, change the virtual machine back from full
screen mode. In the 20688D-LON-CL1 on localhost window, click Restore Down.

Results: When you have completed this exercise, you should have resolved the hardware issue.

Exercise 2: Configuring Group Policy Settings to Control Device Installation


Scenario

Users in the Research department need to be able to install specific device driver types to complete their
research projects. However, it is important that users in other departments install only printer drivers.

Supporting Documentation
April Reagan
From: Ed Meadows [Ed@adatum.com]
Sent: 5 October 10.20
To: April@adatum.com
Subject: GPO changes


April,
Can you update the Group Policy to support the following requirements? The Tier 3 people are
overloaded at the moment, so although I realize this is out of scope for you, it would be a real help.

Research department needs to be able to install devices for setup class Mouse, Keyboard, and Printer.

All other departments must be restricted to install only printers.

I want to be sure that drivers not defined by any other policy are restricted.

Administrators are not to be affected by any restrictions.


Thanks,
Ed
GPO Planning Document
Reference: CW0510/1
Date: October 5

Details
Update GPO settings to:
Restrict all users to install printer drivers only.
Enable Research Department users to install Printers, Mice, and Keyboard device drivers.
Do not restrict administrators from installing any drivers.
Additional Information
Use as few GPOs as possible.
Plan of Action
How many GPOs do you envision using?

To which containers will you link these GPOs?

How do you plan to configure the restriction for all users?

How will you accommodate the requirement to support the Research Department's needs?

How will you accommodate the administrators' requirement?

The main task for this exercise is as follows:


1. Read the email from Ed Meadows.

Task 1: Read the email from Ed Meadows


1. Read the email in the Supporting Documentation section.
2. Determine a plan of action.
3. Answer the questions in the GPO planning document.

Results: After you have completed this exercise, you should have configured GPOs to control device
installation.

To prepare for the next practice session

When you have completed the lab, leave the virtual machines running for the next practice session.

Lesson 5

Configuring the Registry


The registry is a database in which Windows 8.1 stores configuration settings. Both user-related and
computer-related settings are stored in the registry. Whenever you make a configuration change to
Windows 8.1, the change is recorded in the registry.

Usually, you do not need to make direct changes to the registry. In fact, making direct changes to the
registry risks introducing errors that may result in applications or devices behaving incorrectly, or even
resulting in your computer being unable to start at all.
However, as IT professionals engaged in troubleshooting, on occasion you might be required to work
directly with the registry by performing imports and exports of settings, and making edits of registry
settings.

This lesson explores the structure of the registry, and explains the tools that you can use to work with the
registry.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the registry.

Identify registry editing tools.

Edit the registry.

Overview of the Registry


The Windows registry is organized in a hierarchy.
At the top level, there are five registry hives. A
registry hive is a discrete collection of related
settings structured as a series of keys, subkeys,
and values.

Hives
The top-level hives are described in the following
table.

Hive: HKEY_CLASSES_ROOT
Purpose: This hive contains file association information and defines which application opens when a user double-clicks a particular file type in the file system. For example, it defines that the application for .xls files is Microsoft Excel. This hive is populated from the computer-related and user-related settings that are stored in HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes. You will most likely not make edits to this hive, and so you can disregard it.

Hive: HKEY_CURRENT_USER
Purpose: This hive contains the configuration information for the currently signed-in user. Items such as the user's Windows operating system color scheme and font settings are stored in relevant values below this hive. When referencing this hive for the purposes of editing the registry, this hive is sometimes referred to as HKCU. This hive is a shortcut to a key stored in HKEY_USERS.

Hive: HKEY_LOCAL_MACHINE
Purpose: This is probably the most important hive and the one to which you are likely to make most direct edits. Sometimes abbreviated to HKLM, this hive stores all the computer-related configuration settings.

Hive: HKEY_USERS
Purpose: This hive contains a collection of all the configuration information for all users that have signed in locally at this computer, including the currently signed-in user. In fact, one of the keys beneath this hive is HKEY_CURRENT_USER, although its label does not display that way. It is important to know that you are only likely to make direct edits to the user settings for the currently signed-in user, which are stored in HKCU. Therefore, you can disregard the rest of this hive.

Hive: HKEY_CURRENT_CONFIG
Purpose: This hive contains information about the current hardware profile that was used by the local computer during system startup. You do not generally make edits to this hive, and so you can disregard this hive.

Most likely, you will only ever make direct changes to the values stored within the hives
HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER.
Note: Although the registry is a hierarchical database of values structured in hives,
keys, and subkeys, the actual registry database is stored on the local file system in the
C:\Windows\System32\Config folder. There is no requirement for you to access these files directly.

Keys and Subkeys

To maintain structure within the database, like settings are collected into a series of folders and subfolders
known as keys and subkeys. This makes it easier to reference a particular registry value accurately:
you can specify a pathname by declaring the appropriate hive, key, subkey (or subkeys),
and value. For example:

HKCU\Control Panel\Desktop\Wallpaper is the value (Wallpaper) that stores the name and location of
a user's desktop wallpaper.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run is the key that contains values that relate to
programs that start automatically when the computer starts and a user signs in. Typically, these are
programs that reside in the system tray.

Values
Values define the behavior of the operating system and are stored, as previously stated, in subkeys and
keys. There are a number of different types of values, depending upon the type of data that is stored
within. For example, you may wish to store text values, numerical data, variables, and so forth. The
following table lists the more common types of registry values.

Value type: REG_BINARY
Data type: Binary
Description: Raw binary data. These values usually display in hexadecimal format. Hardware information is often stored in REG_BINARY values.

Value type: REG_DWORD
Data type: DWORD
Description: 4-byte numbers (a 32-bit integer). Many device driver and service-related values are stored in REG_DWORD values. For example, the START and TYPE values for device drivers are always defined in REG_DWORD type values.

Value type: REG_SZ
Data type: String
Description: A fixed-length text string. The values listed in the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key are all REG_SZ values. These values store the path and filename to the appropriate auto-start program.

Value type: REG_EXPAND_SZ
Data type: Expandable string
Description: A variable length text string. The Windows operating system uses REG_EXPAND_SZ values to contain variables. For example, the ImagePath value that defines the name of a service's executable in the file system is stored in an expandable string: %systemroot%\System32\service.exe.

Value type: REG_MULTI_SZ
Data type: Multiple strings
Description: Multiple string values. This value is typically used when multiple values are stored. For example, the DependOnService value for a service is a REG_MULTI_SZ data type, and contains the one or more services on which this service is dependent.

When you decide to make a direct change to the registry, you must be accurate about the value name, its
type, and its full registry path including all subkeys, keys, and the appropriate hive. Failure to do this will
result in your changes not having the desired effect, and in addition may result in the computer failing to
work properly, or indeed at all.
For more guidance, refer to the following webpage:
Windows registry information for advanced users
http://go.microsoft.com/fwlink/?LinkId=335915

Working with the Registry


Typically, you will not need to edit the registry
directly. However, a software problem may arise,
and the software vendor may provide a solution
that involves making changes to the registry. After
you determine that you must make a direct
change to the registry, you must choose the most
appropriate tool. The choice that you make will be
influenced by the number of computers on which
you must make the required change. For example,
if you must make the required change once on a
single computer, then using the Registry Editor is
most likely the sensible choice. However, if you
must make the change across hundreds of computers, you may decide to use Windows PowerShell or
another bulk-editing tool to make the change. The following sections describe ways in which you can
make edits to a registry.
Note: As a best practice, back up the registry before making edits. You can either export
the specific key you are editing, or use a tool such as System Restore to capture a restore point.

Registry Editor

The Registry Editor is probably the easiest and most direct way to make changes to the registry. You can
use the Registry Editor to:

Search the registry for a given value entry, value name, subkey, or key.

Create, delete, and edit keys, subkeys, and values.

Import entries into the registry from an external file.

Export entries from the registry into an external file.

Back up the registry (effectively by exporting the entire registry).

Manage a remote computer's registry.

Note: To manage a remote registry, from the Registry Editor, click File, and then click
Connect Network Registry. In the Select Computer dialog box, type the name of the remote
computer, and then click OK. You must have administrative credentials on the remote computer,
and the remote computer's firewall must be configured to allow for remote management.

To access the Registry Editor, open an elevated command prompt, type regedit.exe, and then press Enter.
REG Files

You also can use a structured text file with a .reg extension (a registry entries file) to merge values into the
registry. The file will look like the following example:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\atapi]
"Start"=dword:00000001

Note: This particular .reg file edits the Start value stored in the
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\atapi path, and assigns it the DWORD value of 1.
After you have created the .reg file, you can import the settings by:

Double-clicking the file and confirming that you want to continue.

Running a simple script that loads the file. The following command imports the settings stored in
setting1.reg without prompting the user to confirm:
regedit /s C:\Registry\setting1.reg > nul

Opening the Registry Editor and using the import option to access the appropriate .reg file.
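
Because regedit /s merges a file without asking for confirmation, it is worth listing what a .reg file will change before importing it. The following PowerShell is an added example, not part of the course material: it parses the text of a registry entries file and reports each change without touching the registry. The function name and the list of keys flagged as sensitive are assumptions, chosen from the keys this lesson mentions.

```powershell
# Added example; Get-RegFileChange and the pattern list are hypothetical names.
# Keys mentioned in this lesson whose values change startup or sign-in behavior.
$SensitiveKeyPatterns = @(
    '\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$',
    '\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon$',
    '\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\services\\[^\\]+$'
)

function Get-RegFileChange {
    # Lists every change a Version 5.00 .reg file would merge.
    param(
        [Parameter(Mandatory = $true)][string]$Text,
        [string[]]$SensitivePattern = $SensitiveKeyPatterns
    )
    $lines = $Text -split "\r?\n"
    if ($lines[0].Trim() -ne 'Windows Registry Editor Version 5.00') {
        throw 'Not a Version 5.00 registry entries file.'
    }
    $key = $null; $sensitive = $false; $pending = ''
    for ($i = 1; $i -lt $lines.Count; $i++) {
        $line = $pending + $lines[$i].Trim()
        # Long hex values continue on the next line after a trailing backslash.
        if ($line.EndsWith('\')) { $pending = $line.TrimEnd('\'); continue }
        $pending = ''
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment

        if ($line -match '^\[(-?)(.+)\]$') {
            $deleteKey = ($Matches[1] -eq '-')                      # [-HKEY...] removes the key
            $key = $Matches[2]
            $sensitive = [bool]($SensitivePattern | Where-Object { $key -match $_ })
            if ($deleteKey) {
                [pscustomobject]@{ Key = $key; Name = ''; Type = 'DELETE KEY'; Data = ''; Sensitive = $sensitive }
                $key = $null
            }
            continue
        }
        if ($key -and $line -match '^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$') {
            $data = $Matches[2]
            $name = if ($line.StartsWith('@')) { '(Default)' } else { $Matches[1] -replace '\\(.)', '$1' }
            $type = switch -Regex ($data) {
                '^-$'        { 'DELETE VALUE'; break }
                '^"'         { 'REG_SZ'; break }
                '^dword:'    { 'REG_DWORD'; break }
                '^hex\(2\):' { 'REG_EXPAND_SZ'; break }
                '^hex\(7\):' { 'REG_MULTI_SZ'; break }
                '^hex:'      { 'REG_BINARY'; break }
                default      { 'OTHER' }
            }
            [pscustomobject]@{ Key = $key; Name = $name; Type = $type; Data = $data; Sensitive = $sensitive }
        }
        else {
            Write-Warning "Unparsed line $($i + 1): $line"
        }
    }
}

# Constructed sample: the lesson's atapi and DisableCAD edits plus an HKCU example.
$sample = @'
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\atapi]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

[HKEY_CURRENT_USER\Software\Example]
"examplevaluename"="assigned value"
"ObsoleteValue"=-
'@

Get-RegFileChange -Text $sample | Format-Table Key, Name, Type, Data, Sensitive -AutoSize
# For a file on disk: Get-RegFileChange -Text (Get-Content -Raw C:\Registry\setting1.reg)
```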

Windows PowerShell

Windows PowerShell provides you with a registry provider. This represents the registry much like a file
system, displaying each key and subkey much as you might see folders and subfolders represented in the
file system of drive C.
For example, to see the contents of the HKEY_LOCAL_MACHINE hive, open an elevated Windows
PowerShell command prompt, and then type the following command:
Get-ChildItem -Path hklm:\

To modify registry values, you must:


1. Use the Set-Location cmdlet to change to the appropriate registry drive.
2. Use the Set-ItemProperty cmdlet to assign a new value to the registry property.

For example:
Set-Location HKCU:\Software\Example
Set-ItemProperty . examplevaluename "assigned value"

In the preceding code snippet, the string "assigned value" is assigned to the value called examplevaluename
in the registry path, HKEY_CURRENT_USER\Software\Example.
For more information on using Windows PowerShell to edit the registry, refer to:
Working with Registry Keys
http://go.microsoft.com/fwlink/?LinkId=335918
Note: By using administrative templates (.adm and .admx files), you can make changes to
the registry, and then propagate those changes with GPOs.

Demonstration: Editing the Registry


Note: This is a practice session.
In this practice session, you will:

Export a registry key.

Modify a .reg file.

Import settings from a .reg file.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. The virtual machines
should still be running after the completion of the lab. If they are not, before you begin the practice session,
you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Export a registry key

1. On LON-CL1, click Start.
2. In Start, type regedit.exe, and then press Enter.
3. In the Registry Editor, click HKEY_LOCAL_MACHINE, expand SOFTWARE, expand Microsoft, expand Windows NT, expand CurrentVersion, and then click Winlogon.
4. Right-click Winlogon, and then click Export.
5. In the Export Registry File dialog box, click Desktop.
6. In the File name text box, type Winlogon, and then click Save.

Modify a .reg file


1. Minimize the Registry Editor.
2. Right-click Winlogon.reg, and then click Edit.
3. Scroll down the file, and locate the line that begins with DisableCAD.
4. Change the value from 00000001 to 00000000.
5. Click File, and then click Save.
6. Close the file.

Import settings from a .reg file


1. On the desktop, right-click Winlogon.reg, and then click Merge.
2. In the Registry Editor dialog box, click Yes.
3. In the Registry Editor error dialog box, click OK. An error is expected as some of the settings are in use.
4. Switch to the Registry Editor.
5. Scroll down the details pane, and verify that the DisableCAD value is now zero.
6. Right-click Start, point to Shut down or sign out, and then click Sign out.
7. Notice that to sign in, you must press Ctrl+Alt+Del.

Completion steps
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Module Review and Takeaways


Review Questions
Question: Users are complaining that when they visit customer sites, they are unable to
connect to their customers' printers because of device installation restrictions. What two
possible actions could you take?
Question: Help desk employees have tried to install a new driver for a user in the marketing
department to enable the user to use a new scanner. The driver is not part of the driver store,
and Group Policy prohibits installation of additional drivers. What GPO setting would you
recommend changing to enable this driver to install?
Question: You decide to install the scanner driver into the driver store. Assuming the driver
is in the D:\scanner folder, and the driver .inf file is called Scanner.inf, what command would
you use?

Module 4
Troubleshooting Remote Computers
Contents:
Module Overview
Lesson 1: Using Remote Desktop
Lesson 2: Using Remote Assistance
Lesson 3: Remoting with Windows PowerShell
Lab: Troubleshooting Remote Computers
Module Review and Takeaways

Module Overview

When managing computers, you must know how to connect to remote computers and, where possible,
how to manage those computers remotely. This is especially important in large networked environments
or in situations where the workforce is distributed across multiple locations. Visiting a user's computer to
help to resolve problems is often time consuming and impractical.

You can use most management tools such as Event Viewer, Computer Management, Device Manager,
Print Management, Services, and the registry editor to connect to and manage remote computers. Doing
so is not much different from using the same tools to manage your local computer. Therefore, the focus
of this module is on using tools specifically designed to facilitate remote management connections.
This module explores three ways in which you can remotely connect to and manage remote computers:
Remote Desktop, Windows Remote Assistance, and Windows PowerShell remoting.

Objectives
After completing this module, you will be able to:

Use Remote Desktop to manage remote computers.

Use Remote Assistance to manage remote computers.

Use Windows PowerShell remoting to manage remote computers.

Lesson 1

Using Remote Desktop

The Remote Desktop Protocol (RDP) provides remote display and input capabilities over network
connections for Windows-based applications. To support your organization's remote users, you need to
understand how to enable, configure, and use Remote Desktop connections.

Lesson Objectives
After completing this lesson, you will be able to:

Describe how to enable Remote Desktop.

Explain how to configure Remote Desktop by using Group Policy.

Overview of Remote Desktop


Remote Desktop uses RDP to enable users to
access files on their office computer from
another computer, such as one located at their
home. Additionally, Remote Desktop allows
administrators to connect to multiple sessions
of the Windows Server operating system
simultaneously for remote administration
purposes.
During the time that a Remote Desktop session is
active, Remote Desktop locks the target computer,
prohibiting interactive sign-ins for the session's
duration.

Enabling Remote Desktop


You can enable Remote Desktop in the System Properties dialog box, on the Remote tab. You access
System properties through Control Panel, or by right-clicking Computer, and then clicking Properties.
Remote Desktop has three settings:

Don't allow connections to this computer. This is the default setting, in which remote connections are
disabled.

Allow remote connections to this computer. If you are unsure of the version of the remote desktop
client software, this is the best choice.

Allow connections only from computers running Remote Desktop with Network Level Authentication.
This setting limits connections to computers that are running operating systems more recent than the
Windows XP operating system with Service Pack 2 (SP2).
Network Level Authentication completes user authentication before the user establishes a remote
desktop connection and the sign in screen appears. This is more secure, and can help protect the
remote computer from hackers and malware. The advantages of Network Level Authentication are:
o It requires fewer remote computer resources initially.
o It can help provide better security by reducing the risk of denial-of-service attacks.

Remote Desktop Permissions

By default, if you enable Remote Desktop, any member of the Administrators group can make a Remote
Desktop connection. Administrators can grant remote access to other users by adding them to the
Remote Desktop Users group on the local computer.

Remote Desktop uses RDP over TCP port 3389. By default, once you enable Remote Desktop, authorized
users can connect from any computer that is running the appropriate Remote Desktop client software.
You can use Windows Firewall to limit which computers can access port 3389.

Remote Desktop Security

By default, the client and server negotiate to use the highest encryption level that both the client and
server understand. For example, if a client that connects can only handle 64-bit encryption, then that is
the session's encryption level. When possible, the entire Remote Desktop session is encrypted at 128 bits
for data transmissions in both the client-to-server and server-to-client directions. Use Group Policy to
enforce high encryption, as necessary.
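
The settings described under Enabling Remote Desktop, Remote Desktop Permissions, and Remote Desktop Security can be reviewed together on a host. The following PowerShell is an added example, not part of the course material: it collects whether Network Level Authentication is required, the minimum encryption level, and the Windows Firewall scope for the RDP port, and then reports findings. The function names are hypothetical, and the registry value names and firewall display group are not from the course text.

```powershell
# Added example; function names are hypothetical.
$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = "$TsKey\WinStations\RDP-Tcp"
$PolKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'  # values set by Group Policy

function Get-RdpValue {
    # A value delivered by Group Policy takes precedence over the local setting.
    param([string]$Name, [string]$LocalKey)
    foreach ($path in $PolKey, $LocalKey) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
}

function Get-RdpHostSetting {
    # Collects live settings on the local computer. The NetSecurity cmdlets need
    # Windows 8 or later; 'Remote Desktop' is the rule group name on English systems.
    $scope = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Get-NetFirewallAddressFilter | ForEach-Object { $_.RemoteAddress })
    [pscustomobject]@{
        Enabled            = ((Get-RdpValue fDenyTSConnections $TsKey) -eq 0)
        RequireNla         = ((Get-RdpValue UserAuthentication $RdpKey) -eq 1)
        MinEncryptionLevel = [int](Get-RdpValue MinEncryptionLevel $RdpKey)  # 1 low, 2 client compatible, 3 high, 4 FIPS
        Port               = [int](Get-ItemProperty -Path $RdpKey).PortNumber
        FirewallScope      = @($scope | Select-Object -Unique)
    }
}

function Test-RdpHostSetting {
    # Pure evaluation, so it can be run against constructed input.
    param([Parameter(Mandatory = $true)]$Setting)
    if (-not $Setting.Enabled) { return 'Remote Desktop is disabled (the default setting).' }
    $findings = @()
    if (-not $Setting.RequireNla) {
        $findings += 'Network Level Authentication is not required; users reach the sign-in screen before authenticating.'
    }
    if ($Setting.MinEncryptionLevel -lt 3) {
        $findings += 'Encryption level is negotiated with the client; use Group Policy to enforce high encryption.'
    }
    if ($Setting.FirewallScope -contains 'Any') {
        $findings += "TCP port $($Setting.Port) accepts connections from any address; limit the scope in Windows Firewall."
    }
    if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
}

# Constructed sample: "Allow remote connections to this computer" selected, encryption
# left at client-compatible negotiation, firewall rule open to any remote address.
$sample = [pscustomobject]@{
    Enabled            = $true
    RequireNla         = $false
    MinEncryptionLevel = 2
    Port               = 3389
    FirewallScope      = @('Any')
}
Test-RdpHostSetting -Setting $sample
# On a live host: Test-RdpHostSetting -Setting (Get-RdpHostSetting)
```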

Using Remote Desktop

The Remote Desktop Connection client software is built into Windows 8.1. This Remote Desktop version
supports Network Level Authentication to provide more secure communications.
To launch Remote Desktop Connection, from the Start screen, type Remote Desktop Connection, and
then press Enter. You also can type mstsc.exe in the Search box to launch a remote session.

To connect to the remote computer, you can type in either the name or the IP address of the remote
computer. When you connect, you will be asked for credentials. If another user is already signed in when
you attempt to connect, that user has 30 seconds to refuse to allow your connection. If the signed-in user
allows your connection or does not respond, your connection will occur successfully.
The following table lists the client options that you can configure by using the various tabs in the Remote
Desktop Connection dialog box.
Tab: General
Option: Enter the computer and user name, and select whether to save the connection as an RDP file.

Tab: Display
Option: Select the remote display's screen size and color quality.

Tab: Local Resources
Option: Use remote computer resources in your session, such as the printer or clipboard.

Tab: Programs
Option: Configure a program to start automatically following a remote connection.

Tab: Experience
Option: Configure the way you want the remote session to appear visually. The more features that you add, the more bandwidth it utilizes.

Tab: Advanced
Option: Tell the Remote Desktop client how to behave if the RDP server fails to prove its authenticity. You can choose whether to connect without warning or to receive a warning, and whether you want to connect or prevent the connection.

You can configure Remote Desktop connections, save them to RDP files, and then distribute them to
users. You can then open these files in Remote Desktop.

Configuring Remote Desktop by Using GPO


You can use Group Policy to control Remote
Desktop behavior across your organization. You
also can control all aspects of Remote Desktop
through policy settings for Remote Desktop
Services (formerly Terminal Services). You can
access policy settings for the computer by using
Group Policy Management.
Computer policy settings for Remote Desktop
include the policies that the following table
details.

Policy setting for the computer | Description
Remote Desktop Connection Client>Do not allow passwords to be saved | This setting controls whether users can save passwords on this computer from Remote Desktop Services clients.
Remote Desktop Connection Client>Prompt for credentials on client computer | When you enable this setting, a user is prompted on the client computer instead of on the terminal server to provide credentials for a remote connection to a Remote Desktop server. If user credentials are saved and available on the client computer, the user is not prompted to provide credentials.
Remote Desktop Session Host>Connections>Allow users to connect remotely by using Remote Desktop Services | When this setting is enabled, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer using Remote Desktop Services.
Remote Desktop Session Host>Device and Resource Redirection | These policies contain settings for each of the different resources, such as audio and clipboard. Specify whether to prevent data redirection from these devices to the remote client in a Remote Desktop Services session.
Remote Desktop Session Host>Security>Set client connection encryption level | If you enable this setting, all communications between clients and terminal servers during remote connections must use the encryption method that this setting specifies. By default, the encryption level is set to High.
Remote Desktop Session Host>Session Time Limits | These policies control session time limits for disconnected, idle, and active sessions, and control whether to terminate sessions when limits are reached.

You can access policy settings for the user by expanding User Configuration, expanding Policies,
expanding Administrative Templates, expanding Windows Components, and then expanding Remote
Desktop Services.


The following table lists the options for user policy settings for Remote Desktop.
Policy setting for the user | Description
Remote Desktop Connection Client>Do not allow passwords to be saved | This policy setting controls whether users can save passwords on this computer from Remote Desktop Services clients.
Remote Desktop Session Host>Remote Session Environment>Start a program on connection | This policy setting specifies a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting. Enabling this setting overrides the Start Program settings set by the server administrator or user.
Remote Desktop Session Host>Session Time Limits | These policies control session time limits for disconnected, idle, and active sessions, and control whether to terminate sessions when users reach these limits.
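
The Remote Desktop policy settings described in this lesson are stored as registry values on each computer, so a script can check them. The following is an added example, not part of the course material: it compares a set of Remote Desktop values with the measures this lesson names (Network Level Authentication, high encryption, no saved passwords, a firewall scope on port 3389). The function names, the pass criteria, and the sample values are assumptions made for illustration.

```powershell
# Added example. The sample values at the bottom are constructed.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$TsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpTcpKey = "$TsKey\WinStations\RDP-Tcp"

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of an error when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-EffectiveValue {
    param([string]$Name, [string]$LocalPath)
    # A value written by Group Policy takes precedence over the local setting.
    $value = Get-RegValue -Path $PolicyKey -Name $Name
    if ($null -eq $value -and $LocalPath) {
        $value = Get-RegValue -Path $LocalPath -Name $Name
    }
    $value
}

function Get-RdpSetting {
    # Remote addresses allowed by the enabled inbound rules of the built-in
    # "Remote Desktop" firewall group (English display name assumed).
    $scope = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
            -Direction Inbound -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter |
        ForEach-Object { $_.RemoteAddress } |
        Sort-Object -Unique
    @{
        fDenyTSConnections    = (Get-EffectiveValue fDenyTSConnections $TsKey)
        UserAuthentication    = (Get-EffectiveValue UserAuthentication $RdpTcpKey)
        MinEncryptionLevel    = (Get-EffectiveValue MinEncryptionLevel $RdpTcpKey)
        DisablePasswordSaving = (Get-EffectiveValue DisablePasswordSaving)
        FirewallRemoteAddress = @($scope)
    }
}

function Test-RdpHardening {
    param([Parameter(Mandatory = $true)][hashtable]$Settings)
    $s = $Settings
    # A missing value compares as $null, so an unset option is reported as not passing.
    $checks = [ordered]@{
        'Network Level Authentication required'  = ($s.UserAuthentication -eq 1)
        'Encryption level High (3) or FIPS (4)'  = ($s.MinEncryptionLevel -ge 3)
        'Saving passwords in the client blocked' = ($s.DisablePasswordSaving -eq 1)
        'Port 3389 limited to named addresses'   = ($s.FirewallRemoteAddress.Count -gt 0 -and
                                                    $s.FirewallRemoteAddress -notcontains 'Any')
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Check               = $name
            Pass                = [bool]$checks[$name]
            RemoteDesktopIsOn   = ($s.fDenyTSConnections -eq 0)
        }
    }
}

# Constructed sample: Remote Desktop on, NLA off, "client compatible" encryption,
# no password-saving policy, firewall rule open to any address.
$sample = @{
    fDenyTSConnections    = 0
    UserAuthentication    = 0
    MinEncryptionLevel    = 2
    DisablePasswordSaving = $null
    FirewallRemoteAddress = @('Any')
}
Test-RdpHardening -Settings $sample | Format-Table -AutoSize

# On a live computer, from an elevated prompt:
#   Test-RdpHardening -Settings (Get-RdpSetting) | Format-Table -AutoSize
```

With the constructed sample, all four checks report Pass = False. Run against live settings, a check that fails points to the matching policy setting in the tables above.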

Lesson 2

Using Remote Assistance


Remote Assistance is a built-in tool that you can use to control another operating system by connecting
to it remotely. Windows Remote Assistance is a useful tool for providing remote assistance when users
need help.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the new Remote Assistance features.

Describe how to offer or request remote assistance.

Describe how to configure Remote Assistance through Group Policy.

Using Remote Assistance to Assist Your Users


When you connect to a user's computer using
Remote Assistance, you can view their desktop,
any open documents, and any visible private
information. Remote Assistance also creates a chat
session between you and the user, allowing you to
communicate via text messages.
Note: An important difference between
Remote Desktop and Remote Assistance is that
with the latter, the local user is not signed out,
which enables the remote helper to interact with
the local user.
If the user allows you to control his or her computer by remotely operating his or her mouse and
keyboard, you can perform various administrative functions such as deleting files or changing settings.
When you ask to share control of the desktop, a check box becomes visible to the user. When the user
selects this check box, it enables you to respond to User Account Control prompts. You can respond to
requests for administrator consent or administrator credentials, such as a user name or password. You
then can run administrator-level programs without the user's participation.

For you or another helper to share the control of a computer, the user must grant permission. Likewise, if
the user wants to stop you or another helper from sharing control, they can click Cancel, and then click
Stop sharing, or, alternatively, press the Esc key.
You can offer Remote Assistance to users in anticipation of users requesting assistance from you. This is
useful in situations where you predict that users may require assistance, such as after you deploy a new
application or implement a new procedure.

The Help and Support Center provides links to assist helpers in offering Remote Assistance to users. By
using the computer name or IP address, you can send an invitation to the user. A remote session begins
when the user accepts the request.


Remote Assistance in Windows 8.1


Remote Assistance provides a way for users to get
the help they need, and makes it easier and less
costly for corporate help desks to assist users.
Remote Assistance enables users to invite you to
connect to their computers so that you can view
their desktops when they need assistance. With
the user's permission, the helper can even share
control of the user's computer to resolve issues
remotely.
Windows 8.1 enables Remote Assistance by
default. In addition, Windows 8.1 enables remote
control of the local computer by default. To
launch Remote Assistance, on the Start screen, type msra.exe.

Sending an Invitation
A user who needs assistance can initiate a Remote Assistance session by sending an invitation to the
helper.
The following table lists the methods by which users can send invitations.
Invitation method | Description
Email | Email the invitation to the helper. Remote Assistance automatically launches a blank email form. If the user does not have an email client configured, then Windows Mail prompts the user for configuration.
Saving a file | Save the invitation to a file in a network location that the helper can access. You can use the Help and Support Center links to assist in saving the invitation as a file.

When you create an invitation, a password is created and displays in a Windows Remote Assistance dialog
box. The requester must communicate the password to the helper in a separate message or phone call.
The Windows Remote Assistance dialog box remains open and waits for an incoming connection. The user
must not close this window, or the helper will be unable to respond.
Administrators can control many aspects of the invitation, such as how long an invitation remains valid,
and whether someone can control the computer remotely. These settings are in the Advanced section of
the Remote tab in System Properties. The default settings allow remote control, and invitations are valid
for six hours.

Accepting an Invitation

After receiving your invitation, the recipient can respond by saving and then opening the attached file,
and then entering the password. Remote Assistance creates an encrypted connection either over the
Internet or over the network that connects the computers. The requesting user has to click Yes to
complete the transaction.
Note: When you use Remote Assistance, you can choose to connect by using Easy Connect.
When you use Easy Connect, Remote Assistance generates a temporary password that the person
you are helping gives to you. You can use the password to connect directly to that person's
computer. When the connection is made, contact information is exchanged between your
computer and the other person's computer. This information will allow you to quickly connect in
the future without using the password.

Configuring Remote Assistance by Using GPOs


You can manage some aspects of Remote
Assistance by using Group Policy. You configure
Group Policy Objects (GPOs) on the local
computer or in Active Directory Domain Services
(AD DS) to control the Remote Assistance
behavior. You can access Remote Assistance policy
settings by expanding Computer Configuration,
expanding Policies, expanding Administrative
Templates, expanding System, and then
expanding Remote Assistance.
The following table lists the Remote Assistance
policy settings.
Policy setting | Description
Allow only Windows Vista or newer connections | Generate Remote Assistance invitations with improved encryption. This setting does not affect Remote Assistance connections that are initiated by unsolicited Remote Assistance offers.
Turn on session logging | Turn logging on. Log files are located in the user's Documents folder under Remote Assistance.
Turn on bandwidth optimization | Improve performance in low bandwidth scenarios. This setting scales incrementally from No optimization to Full optimization.
Configure Solicited Remote Assistance | Enable Solicited Remote Assistance on this computer. Disabling this setting prevents users from asking for Remote Assistance. You also can configure invitation time limits, and whether to allow remote control.
Configure Offer Remote Assistance | Turn on Offer (Unsolicited) Remote Assistance on this computer. You must enable this policy for users to receive unsolicited Remote Assistance.


Lesson 3

Remoting with Windows PowerShell

Using Remote Desktop or Remote Assistance to manage remote computers is not always the most
convenient or practical solution. These technologies can make large-scale or automated management
difficult. Windows PowerShell addresses these issues with remote administration, also known as remoting.
Remoting lets you run Windows PowerShell commands for automated or interactive remote management
by using Windows Remote Management. Windows Remote Management is a Microsoft implementation
of the Web Services for Management protocol. Windows Remote Management enables you to:

Create scripts that run on one or many remote computers.

Take control of a remote Windows PowerShell session to run commands directly on that computer.

Collect reliability data across the network.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Windows PowerShell remoting.

Describe the Windows PowerShell remoting requirements.

Explain how to connect to a remote computer by using Windows PowerShell remoting.

Describe how remote commands are processed.

Explain how to run commands by using Windows PowerShell remoting.

Overview of Windows PowerShell Remoting


While graphical management tools are often
easier to use than command-line tools, you can
achieve many administrative tasks more quickly
by using a simple script or a single command.
For example, the process of updating the same
information for many user accounts by using
Active Directory Users and Computers can be
very time-consuming. However, using the Active
Directory Domain Services module in Windows
PowerShell enables the administrator to perform
this repetitive task very quickly.

The purpose of Windows PowerShell remoting is
to connect to remote computers so that you can run commands on them, and then direct the results
back to your local computer. This enables you to execute Windows PowerShell commands on multiple
computers on your network from your client computer, rather than using a Remote Desktop Connection
to connect to each computer. A key goal of Windows PowerShell remoting is to enable batch
administration, which enables you to run commands on an entire set of remote computers
simultaneously.
There are three main ways to use remoting:

One-to-One remoting: In this scenario, you connect to a single remote computer and run shell
commands on it, exactly as if you had signed in to the computer and opened a Windows PowerShell
window.

One-to-Many remoting or Fan-Out remoting: In this scenario, you issue a command that will be
executed on one or more remote computers in parallel. You are not working with each remote
computer interactively. Rather, your commands are issued and executed in a batch, and the results
are returned to your computer for your use.

Many-to-One remoting or Fan-In remoting: In this scenario, multiple administrators make remote
connections to a single computer. Typically, those administrators will have differing permissions on
the remote computer, and might be working in a restricted session within the shell. This scenario
usually requires custom development of the restricted session, which will not be covered further in
this course.

Remoting Requirements
Remoting requires that both Windows PowerShell
and Windows Remote Management be installed
on your local computer and on any remote
computers to which you want to connect.
You also must enable Windows PowerShell
remoting. It is enabled by default in Windows
Server 2012 R2, but you must enable it on
Windows 8.1. To enable remoting, use the
following procedure:
Verify the status of the Windows Remote
Management service. To start Windows Remote
Management and configure the Firewall settings,
open Windows PowerShell, type the following command, and then press Enter:
Winrm quickconfig

Finally, to enable remoting, run the following command:


Enable-PSremoting -force


Windows Remote Management is a Microsoft implementation of Web Services for Management, which is
a set of protocols that has been widely adopted across different operating systems. As the name implies,
Web Services for Management and Windows Remote Management use web-based protocols. An
advantage to these protocols is that they use a single, definable port, making them easier to pass
through firewalls than older protocols that randomly selected a port. Windows Remote Management
communicates via HTTP. By default, Windows Remote Management and Windows PowerShell remoting
use TCP port 5985 for incoming unencrypted connections, and TCP port 5986 for incoming encrypted
connections. Applications that use Windows Remote Management, such as Windows PowerShell, can also
apply their own encryption to the data that is passed to the Windows Remote Management service.
Windows Remote Management supports authentication, and uses the AD DS native Kerberos protocol by
default in a domain environment. Kerberos does not pass credentials across the network, and it supports
mutual authentication to ensure that incoming connections are coming from valid computers.

Any files and other resources necessary to run a particular command must be on the remote computer
because the remoting commands do not copy any resources. However, you can run local scripts. This is
because the script's contents are sent to the remote computer, rather than the script file itself. Information
Technology (IT) professionals must have permission to:

Connect to the remote computer.


Run Windows PowerShell.

Access data stores and the registry on the remote computer.

Processing Remote Commands


When you connect to a remote computer and
send it a remote command, the command is
transmitted across the network to a Windows
PowerShell instance on the remote computer, and
is then run on it. The command results are sent
back to the local computer, and display in the
Windows PowerShell session on the local
computer.

All of the local input to a remote command is
collected before any of it is sent to the remote
computer. However, the output is returned to
the local computer as it is generated. When you
connect to a remote computer, the system uses the user name and password credentials on the local
computer to authenticate you to the remote computer. By default, the Kerberos V5 authentication
protocol is used to perform the authorization and authentication. Therefore, an AD DS domain is required.
In cases where the remote computer is not in a domain, or is in an untrusted domain, you can allow a
client computer to connect by defining the remote computers as a trusted host. Additionally, in untrusted
environments, the remote computer also must enable a Windows Remote Management listener that is
encrypted with a valid Secure Sockets Layer (SSL) certificate. This enables the Windows PowerShell client
to connect with the UseSSL parameter of the Invoke-Command, New-PSWorkflowSession, and
Enter-PSSession cmdlets. This parameter uses HTTPS instead of HTTP, and is designed for use with
basic authentication, where passwords might be delivered in plain text.
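
As an added example (not part of the course material), the following script reviews the Windows Remote Management settings that decide whether the plain-text case described above can occur: the TrustedHosts list, Basic authentication, unencrypted traffic, and the presence of an HTTPS listener. The function names and the sample configuration are assumptions; the WSMan: drive paths are the ones Windows exposes for the WinRM configuration.

```powershell
# Added example. The sample configuration at the bottom is constructed.

function Get-WinRmSetting {
    # Reads the live configuration through the WSMan: drive.
    # Needs an elevated session and a running WinRM service.
    $listeners = foreach ($l in (Get-ChildItem WSMan:\localhost\Listener)) {
        $p = @{}
        Get-ChildItem $l.PSPath | ForEach-Object { $p[$_.Name] = $_.Value }
        [pscustomobject]@{ Transport = $p['Transport']; Port = [int]$p['Port'] }
    }
    @{
        Listeners               = @($listeners)
        TrustedHosts            = [string](Get-Item WSMan:\localhost\Client\TrustedHosts).Value
        ClientBasic             = (Get-Item WSMan:\localhost\Client\Auth\Basic).Value
        ClientAllowUnencrypted  = (Get-Item WSMan:\localhost\Client\AllowUnencrypted).Value
        ServiceBasic            = (Get-Item WSMan:\localhost\Service\Auth\Basic).Value
        ServiceAllowUnencrypted = (Get-Item WSMan:\localhost\Service\AllowUnencrypted).Value
    }
}

function Test-WinRmSetting {
    param([Parameter(Mandatory = $true)][hashtable]$Settings)
    $s = $Settings
    $findings = @()

    # TrustedHosts is a comma-separated list; an empty value means Kerberos or HTTPS only.
    $hosts = @($s.TrustedHosts -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($hosts -contains '*') {
        $findings += 'Client: TrustedHosts is *, so the identity of no remote computer is verified.'
    } elseif ($hosts.Count -gt 0) {
        $findings += "Client: TrustedHosts lists $($hosts -join ', '); connect to these with -UseSSL."
    }

    # Basic authentication is only a plain-text risk when unencrypted traffic is also allowed.
    if ($s.ClientBasic -eq 'true' -and $s.ClientAllowUnencrypted -eq 'true') {
        $findings += 'Client: Basic authentication over unencrypted HTTP is allowed.'
    }
    if ($s.ServiceBasic -eq 'true' -and $s.ServiceAllowUnencrypted -eq 'true') {
        $findings += 'Service: accepts Basic authentication over unencrypted HTTP.'
    }

    $https = @($s.Listeners | Where-Object { $_.Transport -eq 'HTTPS' })
    if ($https.Count -eq 0) {
        $findings += 'Service: no HTTPS listener, so clients cannot connect with -UseSSL.'
    }
    $findings
}

# Constructed sample: a workgroup computer with only the default HTTP listener,
# a wildcard TrustedHosts entry, and Basic authentication switched on.
$sample = @{
    Listeners               = @([pscustomobject]@{ Transport = 'HTTP'; Port = 5985 })
    TrustedHosts            = '*'
    ClientBasic             = 'true'
    ClientAllowUnencrypted  = 'true'
    ServiceBasic            = 'true'
    ServiceAllowUnencrypted = 'false'
}
Test-WinRmSetting -Settings $sample

# On a live computer, from an elevated prompt:
#   Test-WinRmSetting -Settings (Get-WinRmSetting)
```

The constructed sample produces three findings: the wildcard TrustedHosts entry, the client-side Basic plus unencrypted combination, and the missing HTTPS listener.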
The following new cmdlets support remoting:

Invoke-Command

Enter-PSSession

Exit-PSSession

Disconnect-PSSession

Receive-PSSession

Connect-PSSession

When you run commands on multiple computers, be aware of differences between the remote
computers, such as differences in operating systems, file system structures, and the system registries. For
example, the default home folder can vary depending on the version of the Windows operating system
that is installed. This location is stored in the %homepath% environment variable ($env:homepath). If
no home folder is assigned, the system assigns a default local home folder to the user account. This is
generally located on the root directory where the operating system files are installed as the initial version.

Managing Windows PowerShell Remote Sessions


Windows PowerShell has two types of remote
sessions:

Temporary session

Persistent session

You create a temporary connection by specifying
the name of the remote computer, or its NetBIOS
name or IP address. You can make persistent
connections by creating a Windows PowerShell
session on the remote computer, and then
connecting to it.

Creating a Temporary Session


For a temporary session, you start the session, run the commands, and then end the session. Variables
or functions defined within commands are no longer available after you close the connection. This is an
efficient method for running a single command or several unrelated commands, even on a large number
of remote computers. To create a temporary connection, use the Invoke-Command cmdlet with the
ComputerName parameter, to specify the remote computers. Then use the ScriptBlock parameter to
specify the command. For example, the following command runs Get-EventLog on the Client01
computer:
Invoke-Command -ComputerName LON-CL1 -ScriptBlock {Get-EventLog -LogName System}

Creating a Persistent Session

To create a persistent connection with another computer, use the New-PSWorkflowSession cmdlet. For
example, the following command creates a session on a remote computer, and saves the session in the $s
variable:
$s = New-PSWorkflowSession -ComputerName LON-CL1

Use the Enter-PSSession cmdlet to connect to and start an interactive session. For example, after you
open a new session on LON-CL1, the following command starts an interactive session with the computer:
Enter-PSSession $s

Once you enter a session, the Windows PowerShell command prompt on your local computer changes to
indicate the connection, for example:
[LON-CL1]: PS C:\>

The interactive session remains open until you close it. This enables you to run as many commands as are
required. To end the interactive session, type Exit-PSSession.

Managing Persistent Sessions

Beginning with Windows PowerShell 3.0, persistent sessions are saved on the remote computer. You
can use the Disconnect-PSSession cmdlet to disconnect your client connection and leave the persistent
session active. To retrieve a list of your persistent sessions on LON-CL1, you can run the following cmdlet:
Get-PSSession -ComputerName LON-CL1

You can retrieve the results of your disconnected session by using the Receive-PSSession cmdlet. You
also can reconnect to a disconnected session by using the Connect-PSSession cmdlet.


Using Windows PowerShell Remoting

You can establish a One-to-One remoting session by using the Windows PowerShell Integrated Scripting
Environment (ISE), and clicking the New Remote Windows PowerShell Tab option on the File menu. You
also can establish a remote Windows PowerShell session by using the Enter-PSSession cmdlet. For
example, to open a remote Windows PowerShell session on a computer named LON-CL1, you would
use the following syntax:
Enter-PSSession -ComputerName LON-CL1

You can establish a One-to-Many remoting session by using the Invoke-Command cmdlet. To run the
Get-EventLog cmdlet, use the following command:
Invoke-Command -ScriptBlock { Get-EventLog System -Newest 5 }

Running Remote Commands


Creating a persistent session allows you to run a
series of remote commands that share data, such
as functions, aliases, and the values of variables.
To run commands by using an established
Windows PowerShell session, use the -Session
parameter of the Invoke-Command cmdlet. The
following command uses the Invoke-Command
cmdlet to execute the Get-command command
in the session on the LON-CL1 computer. The
command saves the results in a $c variable in
each session:

Invoke-Command -Session $s -ScriptBlock {$c = Get-command}

Because the session uses a persistent connection, you can run another command in the same session, and
use the $c variable. The following command counts the number of commands saved in $c:
Invoke-Command -Session $s -ScriptBlock {$c.count}

To interrupt a command, press the Ctrl+C keys. The interrupt request is passed to the remote computer,
where it terminates the remote command.

Using the ComputerName Parameter

Several cmdlets have a ComputerName parameter that lets you retrieve objects from remote computers.
Because these cmdlets do not use Windows PowerShell remoting to communicate, you can use the
ComputerName parameter in these cmdlets on any computer that is running Windows PowerShell. You
do not have to configure the computers for Windows PowerShell remoting, or fulfill the system
requirements for remoting.

The following table provides more information about the ComputerName parameter.
Command | Description
Get-Command -ParameterName ComputerName | Finds cmdlets that use the ComputerName parameter.
Get-Help <cmdlet-name> -Parameter ComputerName | Determine whether the ComputerName parameter requires Windows PowerShell remoting. Result: You see a statement similar to, "This parameter does not rely on Windows PowerShell remoting. You can use the ComputerName parameter even if your computer is not configured to run remote commands."

How to Run a Remote Command on Multiple Computers

You can run commands on more than one remote computer at a time. For temporary connections, the
Invoke-Command cmdlet accepts multiple computer names. For persistent connections, the Session
parameter accepts multiple Windows PowerShell sessions. The number of remote connections is limited
by the computer resources and their capacity to establish and maintain multiple network connections.

To run a remote command on multiple computers, include all computer names in the ComputerName
parameter with the Invoke-Command cmdlet, and separate the names with commas as demonstrated in
the following example:
Invoke-Command -ComputerName LON-CL1, LON-CL2, LON-CL3 -ScriptBlock {Get-Culture}

You can also run a command in multiple Windows PowerShell sessions. The following commands create
Windows PowerShell sessions on LON-CL1, LON-CL2, and LON-CL3, and then run a Get-Culture
command in each Windows PowerShell session:
$s = New-PSSession -ComputerName LON-CL1, LON-CL2, LON-CL3
Invoke-Command -Session $s -ScriptBlock {Get-Culture}

To include the local computer in the list of computers, type the name of the local computer or a period (.)
or localhost. To help manage resources on the local computer, Windows PowerShell includes a per-command throttling feature that limits the number of concurrent remote connections established for each
command. The default is 32 or 50 connections depending on the cmdlet. You can use the ThrottleLimit
parameter to set a custom limit.
The throttling feature is applied to each command and not to the entire session or to the computer.
When you are running commands concurrently in several temporary or persistent connections, the
number of concurrent connections is the sum of the concurrent connections in all sessions. To find
cmdlets with a ThrottleLimit parameter, use the following script:
Get-Command -ParameterName ThrottleLimit

How to Run a Script on Remote Computers


To run a local script on remote computers, use the FilePath parameter with Invoke-Command. The
following command runs the Sample.ps1 script on the LON-CL1 and LON-CL2 computers:
Invoke-Command -ComputerName LON-CL1, LON-CL2 -FilePath C:\Test\Sample.ps1

The results of the script are returned to the local computer. By using the FilePath parameter, you do not
need to copy any files to the remote computers.


Some tasks that IT professionals perform and that use Windows PowerShell include:

Running a command on all computers to check if the anti-virus software service is stopped, and to
restart it automatically, if necessary.

Modifying the security rights on files or shares.

Opening a data file and passing the contents into a preformatted output file, like an HTML page or
Microsoft Excel spreadsheet.

Searching output-specific information from event logs.

Remotely creating a System Restore point prior to troubleshooting.

Remotely querying for installed updates.

Editing the registry using transactions.

Remotely examining system stability data from the reliability database.
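
One of the tasks listed above, remotely querying for installed updates, makes a compact fan-out example. The following is an added example, not part of the course material: it runs Get-HotFix on several computers with a custom ThrottleLimit and reports computers that could not be reached instead of stopping at the first error. The function names, the update IDs, and the sample data are assumptions; matching a connection error to a computer through the error record's TargetObject property is how Invoke-Command reports it, and is relied on here.

```powershell
# Added example. The update IDs and the error text in the sample are constructed.

function Join-UpdateResult {
    # Builds one summary row per requested computer from the remoting output
    # (objects tagged with PSComputerName) and the collected error records.
    param([string[]]$ComputerName, [object[]]$HotFix, [object[]]$ErrorRecord)
    foreach ($computer in $ComputerName) {
        $rows = @($HotFix      | Where-Object { $_.PSComputerName -eq $computer })
        $errs = @($ErrorRecord | Where-Object { $_.TargetObject   -eq $computer })
        [pscustomobject]@{
            ComputerName    = $computer
            Reachable       = ($errs.Count -eq 0)
            UpdateCount     = $rows.Count
            LatestInstalled = ($rows | Sort-Object InstalledOn | Select-Object -Last 1).InstalledOn
            Error           = if ($errs.Count -gt 0) { $errs[0].Exception.Message } else { $null }
        }
    }
}

function Get-RemoteUpdateSummary {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [int]$ThrottleLimit = 16      # fewer concurrent connections than the default
    )
    $failed = @()
    # Errors are collected in $failed rather than written to the console, so one
    # unreachable computer does not hide the results from the others.
    $hotfixes = Invoke-Command -ComputerName $ComputerName -ThrottleLimit $ThrottleLimit `
        -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
            Get-HotFix | Select-Object HotFixID, InstalledOn
        }
    Join-UpdateResult -ComputerName $ComputerName -HotFix $hotfixes -ErrorRecord $failed
}

# Constructed sample data in the shape Invoke-Command returns, so the summary
# logic can be run without any remote computers.
$sampleHotfixes = @(
    [pscustomobject]@{ PSComputerName = 'LON-CL1'; HotFixID = 'KB0000001'; InstalledOn = [datetime]'2014-03-01' }
    [pscustomobject]@{ PSComputerName = 'LON-CL1'; HotFixID = 'KB0000002'; InstalledOn = [datetime]'2014-04-08' }
    [pscustomobject]@{ PSComputerName = 'LON-CL2'; HotFixID = 'KB0000001'; InstalledOn = [datetime]'2014-03-02' }
)
$sampleErrors = @(
    [pscustomobject]@{
        TargetObject = 'LON-CL3'
        Exception    = [pscustomobject]@{ Message = 'Connecting to remote server LON-CL3 failed (constructed).' }
    }
)
Join-UpdateResult -ComputerName 'LON-CL1', 'LON-CL2', 'LON-CL3' `
    -HotFix $sampleHotfixes -ErrorRecord $sampleErrors | Format-Table -AutoSize

# Against live computers with remoting enabled:
#   Get-RemoteUpdateSummary -ComputerName LON-CL1, LON-CL2, LON-CL3 -ThrottleLimit 8
```

For the constructed sample, LON-CL1 shows two updates, LON-CL2 shows one, and LON-CL3 is listed as not reachable with its error message.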

Lab: Troubleshooting Remote Computers


Scenario


The IT manager has called a meeting with the help desk staff. The manager explains that, wherever
possible, staff should be using remote management techniques to help resolve users' computer problems.
This will help resolve problems more quickly, and will help to reduce support costs.

Objectives
After completing this lab, you will be able to:

Use Remote Desktop.

Use Remote Assistance.

Use Windows PowerShell remoting.

Lab Setup
Estimated Time: 45 minutes
Virtual machines: 20688D-LON-DC1, 20688D-LON-CL1, and 20688D-LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1 and 20688D-LON-CL3.

Exercise 1: Using Remote Desktop


Scenario
You must use Remote Desktop to connect to a remote computer.
The main tasks for this exercise are as follows:
1. Verify the Windows Firewall settings on LON-CL1.
2. Establish a Remote Desktop Connection.


Task 1: Verify the Windows Firewall settings on LON-CL1


1. On LON-CL1, open Windows Firewall, and verify that the Remote Desktop program is allowed
   through the firewall for all network location profiles (Domain, Private, and Public).
2. In Control Panel, in System and Security, click Allow remote access, and then select the following
   options:
   o Allow remote connections to this computer
   o Add Adatum\Adam as a Remote Desktop user.
3. Confirm your changes, and then close all open windows.
4. On LON-CL3, open Remote Desktop Connection.
5. Specify the computer to which you will connect as LON-CL1, and then click Show Options.
6. Click the Advanced tab.
7. Under Server authentication, in the If server authentication fails list, click Connect and don't
   warn me.

Task 2: Establish a Remote Desktop Connection


1. Connect to LON-CL1. When prompted, enter the user name Adatum\Adam and the password
   Pa$$w0rd.
2. Determine the computer name within the Remote Desktop session.
3. Close the Remote Desktop session, and then close all open windows.
4. On LON-CL1, verify that you are signed out.

Results: After completing this exercise, you should have successfully used Remote Desktop to manage a
remote computer.

Exercise 2: Using Remote Assistance


Scenario

A user contacts the help desk to report a problem with Microsoft Word. They are uncertain how to use the
commenting feature in Word. You have been assigned to resolve the incident. Rather than visit the user's
computer, you decide to use Remote Assistance to help to resolve the problem. You telephone the user
and explain to them how to initiate a Remote Assistance request.
The main tasks for this exercise are as follows:
1. Create a Microsoft Word 2013 document.
2. Enable and then request Remote Assistance.
3. Provide remote assistance.

Task 1: Create a Microsoft Word 2013 document


1. Switch to LON-CL1.
2. Sign in as Adatum\Adam, and then open Word 2013.
3. Create a document, and then save it.

Task 2: Enable and then request Remote Assistance


1. Open Remote Settings, and then when prompted by User Account Control, specify administrative
   credentials.
2. Verify that remote access is allowed on this computer.
3. Run msra.exe, and then request remote assistance.
4. Save the invite to a shared folder location accessible by your invitee.
5. Write down the password.

Task 3: Provide remote assistance


1. Switch to LON-CL3.
2. Retrieve the remote assistance request file and enter the password.
3. Request access, and await acknowledgement.
4. Take remote control and direct the user how to create a comment in a Word document.
5. Create a chat window and ask the user if they are satisfied with the offered solution.
6. Close the session.


Results: After completing this exercise, you should have successfully used Remote Assistance to manage a
remote computer.

Exercise 3: Using Windows PowerShell Remoting


Scenario

Your manager wants you to test the process of using Windows PowerShell to perform remote
management. You decide to create a test environment using the LON-CL1 and LON-CL3 virtual machines.
The main tasks for this exercise are as follows:
1. Enable Windows PowerShell remoting.
2. Use Windows PowerShell remoting from LON-DC1.

Task 1: Enable Windows PowerShell remoting


1. Switch to LON-CL1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. On the Start screen, type Windows PowerShell.
4. Right-click Windows PowerShell, and click Pin to Taskbar.
5. Click the Desktop tile.
6. On the taskbar, click the Windows PowerShell icon.
7. At the Windows PowerShell prompt, type the following command, and then press Enter:
   Winrm quickconfig
8. When prompted, press Y, and then press Enter, and then press Y, and then press Enter again.
9. At the Windows PowerShell prompt, type the following command, and then press Enter:
   Enable-PSRemoting -Force
10. Switch to LON-CL3.
11. Repeat steps 2 through 9.

Task 2: Use Windows PowerShell remoting from LON-DC1


1. Switch to LON-DC1.
2. On the taskbar, click the Windows PowerShell icon.
3. At the Windows PowerShell prompt, type the following command, and then press Enter:
   Invoke-Command -ComputerName LON-CL1 -ScriptBlock {Get-EventLog -log system}
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
   $s = New-PSWorkflowSession -ComputerName LON-CL1
5. At the Windows PowerShell prompt, type the following command, and then press Enter:
   Enter-PSSession $s
6. At the Windows PowerShell prompt, type the following command, and then press Enter:
   exit
7. At the Windows PowerShell prompt, type the following command, and then press Enter:
   Invoke-Command -Session $s -ScriptBlock {$c = Get-command}
8. At the Windows PowerShell prompt, type the following command, and then press Enter:
   Invoke-Command -Session $s -ScriptBlock {$c.count}
9. At the Windows PowerShell prompt, type the following command, and then press Enter:
   Invoke-Command -ComputerName LON-CL1, LON-CL3 -ScriptBlock {Get-Culture}
10. At the Windows PowerShell prompt, type the following command, and then press Enter:
   $s = New-PSWorkflowSession -ComputerName LON-CL1, LON-CL3
11. At the Windows PowerShell prompt, type the following command, and then press Enter:
   Invoke-Command -Session $s -ScriptBlock {$c = Get-command}
12. At the Windows PowerShell prompt, type the following command, and then press Enter:
   Invoke-Command -Session $s -ScriptBlock {$c.count}

Results: After completing this exercise, you should have successfully established a remoting session and
performed remote management of LON-DC1 with Windows PowerShell cmdlets.
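
The following added example, which is not part of the course lab, reports what the two commands in Task 1 leave enabled on a client: the WinRM service, its listeners, the inbound firewall rules, and the session endpoints with their permissions. It assumes an elevated Windows PowerShell prompt and that the built-in WinRM firewall rules have names beginning with WINRM-HTTP-In-TCP; the function name Get-RemotingExposure is hypothetical.

```powershell
# Added example, not part of the course lab: report what WinRM and PowerShell
# remoting expose on the local computer. Run from an elevated prompt.
function Get-RemotingExposure {
    [CmdletBinding()]
    param()

    # Service state. Winrm quickconfig and Enable-PSRemoting both start WinRM.
    $service = Get-Service -Name WinRM

    $listeners = @()
    $endpoints = @()
    if ($service.Status -eq 'Running') {
        # Each container under WSMan:\localhost\Listener is one listening endpoint.
        $listeners = @(Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
            $settings = @{}
            Get-ChildItem -Path "WSMan:\localhost\Listener\$($_.Name)" |
                ForEach-Object { $settings[$_.Name] = $_.Value }
            [pscustomobject]@{
                Transport = $settings['Transport']
                Address   = $settings['Address']
                Port      = $settings['Port']
                Enabled   = $settings['Enabled']
            }
        })

        # Session configurations decide who may connect to each endpoint.
        $endpoints = @(Get-PSSessionConfiguration | Select-Object Name, Permission)
    }

    # Inbound firewall rules for WinRM over HTTP.
    # Assumption: the built-in rule names start with WINRM-HTTP-In-TCP.
    $rules = @(Get-NetFirewallRule -Name 'WINRM-HTTP-In-TCP*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $filter = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.Name
                Enabled       = [string]$_.Enabled
                Profile       = [string]$_.Profile
                Action        = [string]$_.Action
                RemoteAddress = $filter.RemoteAddress -join ','
            }
        })

    # Flag rules that accept WinRM from any address while on a Public network.
    $findings = @()
    foreach ($rule in $rules) {
        if ($rule.Enabled -eq 'True' -and $rule.Action -eq 'Allow' -and
            $rule.Profile -match 'Public|Any' -and $rule.RemoteAddress -eq 'Any') {
            $findings += "Rule $($rule.Rule) allows WinRM from any address on Public networks"
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ServiceStatus = [string]$service.Status
        Listeners     = $listeners
        FirewallRules = $rules
        Endpoints     = $endpoints
        Findings      = $findings
    }
}

$report = Get-RemotingExposure
$report.Listeners     | Format-Table -AutoSize
$report.FirewallRules | Format-Table -AutoSize
$report.Endpoints     | Format-List
$report.Findings
```

Run it on LON-CL1 and LON-CL3 before reverting the virtual machines to see the difference between a client with remoting enabled and one in its initial state.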

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Microsoft Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1 and 20688D-LON-CL3.

Module Review and Takeaways


Review Questions
Question: Under what circumstances would you use Remote Desktop Connection or Remote
Assistance?
Question: With Windows PowerShell remoting, what is One-to-Many, or Fan-Out remoting?
Question: What methods exist for requesting Remote Assistance?

Module 5
Resolving Network Connectivity Issues
Contents:
Module Overview
Lesson 1: Determining Network Settings
Lesson 2: Troubleshooting Network Connectivity Issues
Lab: Resolving Network Connectivity Issues
Module Review and Takeaways

Module Overview

Configuring network settings is a common administrative task that in many organizations can account for
a significant percentage of overall administrative effort. Windows 8.1 includes several tools that you can
use to set up and troubleshoot both wired and wireless network connections more efficiently. To support
your organization's network infrastructure, it is important that you understand how to configure and
troubleshoot network connections.

Objectives
After completing this module, you will be able to:

• Determine the network configuration of client computers.
• Troubleshoot network connections.

Lesson 1

Determining Network Settings


The network architecture in Windows 8.1 simplifies network management and the configuration of
network connections. By learning about this architecture and the tools that Windows 8.1 provides for
troubleshooting network connections, you will be better prepared to configure network clients and
support your users.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the networking components in Windows 8.1.
• Describe the tools available for troubleshooting network configuration.

Networking Components of Windows 8.1


Windows 8.1 includes a variety of tools for
creating, managing, and troubleshooting both
wired and wireless network connections. The
following sections describe some of these tools
in more detail.

Network Charm
You can access the Network charm by clicking
the network symbol in the system tray from the
desktop. You can then enable or disable wireless
network connections, and by right-clicking a
connection, you can view network connection
properties. You also can access and enable
Airplane mode.

Network and Sharing Center

The Network and Sharing Center is the main user interface for managing network connections. It provides
a clear view of the status for any wired or wireless connection, and you can use it to create additional
network connections by using a wizard-driven interface. The Network and Sharing Center also provides
links for accessing other network-related tools, including:

• Change advanced sharing settings
• Internet Options
• Windows Firewall
• Network and Internet troubleshooting Wizard

Network Location Categories

A network location category classifies network connections so that you can configure network security
through Windows Firewall. The Windows 8.1 operating system groups and classifies network connections
into Public, Private, and Domain categories. Windows 8.1 automatically configures the firewall and
file-sharing settings based on the specified network location categories, which include:

• Public. When a computer is not connected to a domain, this category is the default network location
  type. Public category settings are the most restrictive, and help protect the computer when you
  connect it to an untrustworthy network. For example, all types of file and printer sharing are turned
  off in the Public category. Use the Public category for networks that have direct connections to the
  Internet or those that allow unmanaged clients to connect, such as wireless hot spot networks.
  Note: By default, Windows 8.1 assigns the Public category to all network connections.

• The Private category. The Private category applies only if a user with local Administrator rights
  manually assigns it to a network that was previously set to Public. Use the Private network location
  category only for a trusted network. You must assign the Private network location category only for
  a network connection that the public cannot access directly. A local administrator must assign this
  category, and Windows remembers the assignment the next time you connect to the network.
  Windows describes the Private network location category in one of two ways:
    o Home network. If all computers connected to the network are at your home, then select the
      Home Private network location category.
    o Work network. If all computers connected to the network are at your workplace, then select the
      Work Private network location category.

• The Domain category. The Domain category applies when a computer that is running Windows 8.1
  connects to a network, and then authenticates to a domain controller that is in the computer's
  domain.

Windows 8.1 is capable of assigning a separate network location category to each connected network
interface. For example, if you connect your computer to your corporate network by using a virtual private
network (VPN) that you initiate from a wireless network hot spot (such as a coffee shop), then Windows
8.1 assigns two network location categories: Private for the corporate VPN, and Public for the wireless
network hot spot.
Note: By default, changing the network location on domain-joined computers does not
require administrative privileges. However, changing the network location for computers that are
not joined to a domain requires administrative privileges.
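
The following added example, which is not part of the course material, lists the location category that Windows assigned to each connected interface together with the firewall profile that category activates. The function name Get-LocationFirewallState and the interface alias in the closing comment are hypothetical; the cmdlets are those in the NetConnection and NetSecurity modules of Windows 8.1.

```powershell
# Added example, not part of the course: show the network location category of
# each connected interface and the state of the firewall profile it activates.
function Get-LocationFirewallState {
    [CmdletBinding()]
    param()

    # NetworkCategory value reported by Get-NetConnectionProfile -> firewall profile name
    $profileFor = @{
        'Public'              = 'Public'
        'Private'             = 'Private'
        'DomainAuthenticated' = 'Domain'
    }

    foreach ($conn in Get-NetConnectionProfile) {
        $category = [string]$conn.NetworkCategory
        if (-not $profileFor.ContainsKey($category)) { continue }

        # ActiveStore returns the effective settings, including any applied by Group Policy.
        $fw = Get-NetFirewallProfile -PolicyStore ActiveStore -Name $profileFor[$category]

        # Points worth a second look when supporting the computer.
        $review = @()
        if ([string]$fw.Enabled -ne 'True') {
            $review += 'firewall is off for the active profile'
        }
        if ([string]$fw.DefaultInboundAction -eq 'Allow') {
            $review += 'default inbound action is Allow'
        }
        if ($category -eq 'Private') {
            $review += 'confirm that this network is trusted'
        }

        [pscustomobject]@{
            InterfaceAlias  = $conn.InterfaceAlias
            Network         = $conn.Name
            Category        = $category
            FirewallProfile = $fw.Name
            FirewallEnabled = [string]$fw.Enabled
            DefaultInbound  = [string]$fw.DefaultInboundAction
            Review          = $review -join '; '
        }
    }
}

Get-LocationFirewallState | Format-Table -AutoSize -Wrap

# If a hot spot was marked Private by mistake, an administrator can set it back
# to the most restrictive category (the alias 'Wi-Fi' is a sample value):
# Set-NetConnectionProfile -InterfaceAlias 'Wi-Fi' -NetworkCategory Public
```

In the VPN-from-a-hot-spot case described above, the output contains two rows with different categories, one per interface.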

Homegroups

A homegroup is a collection of computers that are deployed on a home network and share resources
such as files and printers. When your computer is part of a homegroup, you can share images, media files,
documents, and printer devices with others in your homegroup. Once you enable a homegroup, you can
then define which libraries you will share, such as Pictures, Documents, or Videos.
You can enable a homegroup only on network interfaces that are defined as part of a private network
location profile. To provide for basic security, you can enable a password on your homegroup.
Note: Although domain-joined computers cannot create homegroups, they can connect to
existing homegroups.

Network Setup Wizard

Windows 8.1 provides a user-friendly interface called the Network Setup Wizard that you can use to
configure network settings. Windows 8.1 recognizes any unconfigured network devices on the computer,
and then automates the process of adding and configuring them. The Network Setup Wizard also
recognizes any wireless networks in range of the computer, and then guides you through the process of
configuring them.

You can save network settings to a USB flash drive for use when configuring additional computers. Saving
network settings to a USB device makes configuring similar new computers and devices quicker. You also
can use the Network Setup Wizard to enable sharing across your network for documents, photos, music,
and other files.

NDF

The Network Diagnostics Framework (NDF) provides a single, unified set of technologies to assist in
troubleshooting and diagnosing network problems. By using the NDF, you can diagnose and repair
network problems in the context of the application that experienced the problem. Additionally, with the
NDF, users can diagnose and attempt to resolve their own issues automatically before they call the help
desk. The NDF can help reduce the total cost of ownership and the volume of calls to the help desk. To
access the NDF, from within the Network and Sharing Center, click Troubleshoot problems.

Network Explorer

Network Explorer displays a view of all of the computers, devices, and printers on the network. You
can customize the icons for various network devices, if the manufacturer allows customization. You
use Network Explorer to perform limited remote computer management, such as adjusting settings or
controlling music playback. To access Network Explorer, from Control Panel (Category View) click Network
and Internet, and then click View network computers and devices.

Network Discovery
Windows 8.1 computers use network discovery to generate accurate network topologies with network
map. During the troubleshooting process, you can use network map to view the real-time status of any
wired or wireless network connections.
Note: For the network map to function, you must enable network discovery.
A computer running Windows 8.1 uses network discovery to find other computers and devices on the
network. The first time you connect to a network, use the Set Network Location dialog box to classify
the type of network to which you are connected. After you classify the network location category,
Windows 8.1 activates the appropriate security settings.

Link-Layer Topology Discovery

Network discovery uses Link Layer Topology Discovery, which works with both wired and wireless
connections. By using network discovery and file sharing, a computer that is running Windows 8.1 can
discover and access files and shared devices on other networked, Link Layer Topology Discovery-capable
devices. Network discovery and file sharing also allow other networked, Link Layer Topology
Discovery-capable devices to discover your computer, and access files and shared devices.

Windows 8.1 supports Link Layer Topology Discovery through the Link-Layer Topology Discovery Mapper
service. The Link-Layer Topology Discovery Mapper service includes two components: the Link-Layer
Topology Discovery Responder, which enables your computer to be located on the network, and the
Link-Layer Topology Discovery Mapper I/O driver, which discovers and locates other computers and
devices on the network.
Windows 8.1 supports automatic discovery of Link Layer Topology Discovery-capable devices. In
combination with UPnP support, Windows 8.1 classifies the device capabilities, uses a unique, embedded
icon to represent the device, and accurately positions it on the network map. UPnP-certified devices
connect automatically to each other over the network, without the need for user configuration or
centralized servers.

Tools for Troubleshooting Network Settings


Windows 8.1 includes a number of tools that you
can use to diagnose network problems, including:

• Event Viewer
• Windows Network Diagnostics
• IPConfig
• Ping
• Tracert
• NSLookup
• Pathping
• Unified Tracing
• Windows PowerShell
• Microsoft Message Analyzer

Event Viewer

Event logs are files that record significant events on a computer, such as when a process encounters an
error. IP conflicts are reflected in the system log and might prevent services from starting. When these
events occur, Windows records the event in an appropriate event log. You can use Event Viewer to read
the log. When you troubleshoot errors on Windows 8.1, you can view the events in the event logs to
determine the cause of the problem.

You can use Event Viewer to access the Application, Security, Setup, and System logs under the Windows
Logs node. When you select a log and then select an event, a preview pane under the event list contains
details of the specified event. To help diagnose network problems, look for errors or warnings in the
System log related to network services.

Windows Network Diagnostics

You use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a
Windows 8.1 networking problem, the Diagnose Connection Problems option helps diagnose and repair
the problem. Windows Network Diagnostics then presents a possible description of the problem and a
potential remedy. The solution may require manual intervention from the user.

IPConfig
The IPConfig command displays the current TCP/IP network configuration. Additionally, you can use
IPConfig to refresh Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS)
settings. For example, you might need to flush the DNS cache. The following table provides a brief
description of some of the IPConfig command switches.

| Command | Description |
| --- | --- |
| ipconfig /all | View detailed configuration information. |
| ipconfig /release | Release the leased configuration back to the DHCP server. |
| ipconfig /renew | Renew the leased configuration. |
| ipconfig /displaydns | View the DNS resolver cache entries. |
| ipconfig /flushdns | Purge the DNS resolver cache. |
| ipconfig /registerdns | Register/update the client's hostname with the DNS server. |

Ping

You use the Ping command to verify IP-level connectivity to another TCP/IP computer. This command
sends and receives Internet Control Message Protocol (ICMP) echo request messages, and displays the
receipt of corresponding echo reply messages. The Ping command is the primary TCP/IP command used
to troubleshoot connectivity.
Note: Firewalls might block the ICMP requests. As a result, you may receive false negatives
when using ping as a troubleshooting tool.

Tracert

The Tracert tool determines the path taken to a destination computer by sending ICMP echo requests.
The path displayed is the list of router interfaces between a source and a destination. This tool also
determines which router has failed, and what the latency, or speed, is. These results may not be accurate if
the router is busy, because the router will assign the packets a low priority.

Pathping
The Pathping command traces a route through the network in a manner similar to the Tracert tool.
However, Pathping provides more detailed statistics on the individual steps, or hops, through the
network. The command can provide greater detail because it sends 100 packets for each router, which
enables it to establish trends.

NSLookup
The NSLookup tool displays information that you can use to diagnose the DNS infrastructure. You can
use the tool to confirm connection to the DNS server, and that the required records exist.

Unified Tracing

The Unified Tracing feature simplifies the process of gathering relevant data to assist in troubleshooting
and debugging network connectivity problems. Data is collected across all layers of the networking stack,
and then grouped into activities across the following individual components:

• Configuration information
• State information
• Event or trace logs
• Network traffic packets

Windows PowerShell

You also can use Windows PowerShell cmdlets for configuring and troubleshooting network settings.
The following table lists some of the network-related Windows PowerShell cmdlets and their purpose.

| Cmdlet | Purpose |
| --- | --- |
| Get-NetIPAddress | Retrieves information about the IP address configuration. |
| Get-NetIPv4Protocol | Retrieves information about the IPv4 protocol configuration. (The cmdlet Get-NetIPv6Protocol returns the same information for the IPv6 protocol.) |
| Get-NetIPInterface | Obtains a list of interfaces and their configurations. This does not include IPv4 configuration of the interface. |
| Set-NetIPAddress | Sets information about the IP address configuration. |
| Set-NetIPv4Protocol | Sets information about the IPv4 protocol configuration. (The cmdlet Set-NetIPv6Protocol does the same for the IPv6 protocol.) |
| Set-NetIPInterface | Modifies IP interface properties. |
| Get-NetRoute | Obtains the list of routes in the local routing table. |
| Test-Connection | Runs connectivity tests similar to those used by the Ping command. For example, test-connection lon-dc1. |
| Resolve-DnsName | Provides a similar function to the NSLookup tool. |
| Get-NetConnectionProfile | Obtains the type of network (public, private, domain) to which a network adapter is connected. |
| Clear-DnsClientCache | Similar to the IPConfig /flushdns command, this cmdlet clears the client's resolver cache. |
| Get-DnsClient | Retrieves configuration details specific to the different network interfaces on a specified computer. |
| Get-DnsClientCache | Similar to the IPConfig /displaydns command, this cmdlet retrieves the contents of the local DNS client cache. |
| Get-DnsClientGlobalSetting | Retrieves global DNS client settings, such as the suffix search list. |
| Get-DnsClientServerAddress | Retrieves one or more DNS server IP addresses associated with the interfaces on the computer. |
| Register-DnsClient | Registers all of the IP addresses on the computer onto the configured DNS server. |
| Set-DnsClient | Sets the interface-specific DNS client configurations on the computer. |
| Set-DnsClientGlobalSetting | Configures global DNS client settings, such as the suffix search list. |
| Set-DnsClientServerAddress | Configures one or more DNS server IP addresses associated with the interfaces on the computer. |

Microsoft Message Analyzer


Microsoft Message Analyzer is a tool that captures network traffic and then displays and analyzes
information about that traffic. You can use Microsoft Message Analyzer to monitor live network traffic,
or import, aggregate, and analyze data from log and trace files. Microsoft Message Analyzer is the
replacement for Network Monitor, which Microsoft last released as version 3.4.

Lesson 2

Troubleshooting Network Connectivity Issues


To support the users in your organization, you need to know what Windows 8.1 tools you can use to
troubleshoot network connections. Additionally, understanding the correct procedure with which to
manage common network problems will help you resolve them more quickly.

Lesson Objectives
After completing this lesson, you will be able to:

• Apply best practices for troubleshooting wired network configurations.
• Describe considerations for troubleshooting wireless network configurations.
• Identify issues related to IPv4 configurations.
• Determine network settings.
• Describe the process for troubleshooting name resolution.
• Troubleshoot DNS.
• Describe the considerations for issues related to IPv6.
• Describe the function of Microsoft Message Analyzer.
• Use Microsoft Message Analyzer to capture network traffic.

Procedure for Troubleshooting Network Connections


As with troubleshooting any other kind of
problem, you must first develop a suitable
procedure for attempting to troubleshoot
network connection problems. Troubleshooting
a network problem involves the following steps:
1. Determine the Scope of the Problem
2. Determine the IP Configuration
3. Determine the Network Hardware Configuration
4. Test Communications

Determine the Scope of the Problem

The first step in troubleshooting a network problem is identifying the scope of the problem. The causes
of a problem that affects a single user will most likely differ from a problem that affects all users. If a
problem affects only a single user, then the problem is likely related to the configuration of that one
computer. If a problem affects all users, then the problem is likely either a server configuration issue or a
network configuration issue. If a problem affects only a group of users, then you need to determine the
common denominator among that group of users.
Additional information about the problem helps you resolve network connection issues. If you are
troubleshooting a wired network connection, ask yourself the following questions:

• How many users is the problem affecting? If the problem is affecting several users, this suggests a
  server-side or network infrastructure problem rather than a client-side networking problem.
• Is the problem persistent for the users that are affected? Intermittent problems can be more difficult
  to reproduce and troubleshoot.
• Does removing a problematic computer from the network solve the problem for other users? The
  computer that you remove from the network may be generating a fault on the network.

Determine the IP Configuration

The second step is to determine the computer's IP configuration. Determining the Windows 8.1
computer's TCP/IP configuration also can help you troubleshoot a network problem. You can determine
the TCP/IP configuration in one of four ways:

• From Network and Sharing Center, select Change adapter settings, display the network connection
  properties, select either Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4
  (TCP/IPv4), as required, and then view the protocol properties.

• Open a command prompt. Type the IPConfig /all command to view the IPv4 address and IPv6
  address configurations. Use the following command to save the IPv4 and IPv6 configuration
  information as a text file for future reference:
  IPConfig /all >c:\IPConfig.txt
  This command creates a text file in the root of drive C that contains the IPConfig command output.

• Use the Netsh command to display specific configuration information. For example, to display the
  TCP/IP configuration for IPv4 only, type the following command:
  netsh interface ipv4 show config
  You also can use the Netsh command to display specific IPv6 configuration information:
  netsh interface ipv6 show addresses

• Use the following Windows PowerShell cmdlet to determine the computer's IP configuration:
  Get-NetIPAddress

Determine the Network Hardware Configuration


The third step in gathering information to help troubleshoot a connection problem is to determine
your connection's properties. Determine the properties of your wired network adapter by using Device
Manager.
To determine the hardware configuration for the computer's network adapter, including the make and
model, follow these steps:
1. From Network and Sharing Center, click Change adapter settings, and then view the installed
   network adapters.
2. Right-click the appropriate adapter, and then click Properties.
3. In the Adapter Properties dialog box, click Configure.
4. In the Physical adapter Properties dialog box, click the Details tab to view the Device description
   property value. This value displays the network adapter make and model.
5. From the Advanced tab, in the Property list, click a property to view or edit its value.

To view information about the driver used for the network adapter, follow these steps:
1. In the Physical adapter Properties dialog box, click the Driver tab.
2. Click Driver Details to view the full path to the driver file.
3. Update or roll back the driver, as necessary.

Note: For wired networks, remember also to check the physical infrastructure. This might
include the wire that connects a computer to the nearest wiring port, and connections in the
wiring closet.

Test Communications

Having verified the local computer's network configuration, you now may need to perform some basic
connectivity tests to help identify where the problem lies. A possible process is discussed later in this
lesson, but it will include these fundamental elements:
1. Verify basic connectivity.
2. Determine the end-to-end routing and firewall configuration of your network.
3. Test name resolution.
4. Test connectivity to a specific remote host server process.

Considerations for Troubleshooting Wireless Networks


When you troubleshoot wireless networks, you
should approach the procedure in much the same
way as you do for wired networks. However, the
process for wireless networks is slightly modified,
and consists of the following steps:
1. Determine the scope of the problem. This process remains unaffected.
2. Determine the IP configuration. Again, this procedure is the same as for wired networks.
3. Determine the network hardware configuration. For wireless networks, you
   must be aware that there are different physical hardware issues. Rather than needing to verify the
   physical wiring, you must check that:
   a. The wireless adapter is not affected by interference.
   b. The computer is within range of a suitable wireless access point.
4. Verify that security settings match. To ensure that wireless communications are secure, both the
   network client and the wireless access point negotiate authentication and encryption settings before
   they begin to communicate. You must verify these settings.
5. Test communications. This process is the same as for wired connections.

To help you address the additional requirements for determining the wireless network configuration, use
the following tools and procedures.

Use the NDF

Use the NDF to troubleshoot wireless connections. If a wireless connection is unsuccessful, start Windows
Network Diagnostics to diagnose the problem and display a list of possible fixes.

Review Authentication and Encryption Configuration


Windows 8.1 simplifies the process for configuring and troubleshooting wireless networks. The most
common issues affecting wireless network configuration are mismatches between the client and the
access point or authenticator with regard to authentication and encryption settings.
Note: An authenticator is an authentication service that the access point uses to perform
the wireless authentication and encryption.

A configuration mismatch in the authentication and encryption settings between the client and the
wireless access point can lead to problems with wireless connections. Windows 8.1 includes support for
Wi-Fi Protected Access 2 (WPA2) encryption that allows for more secure wireless connections. You should
utilize WPA2 by upgrading your wireless access points to support WPA2. The following table summarizes
the wireless authentication and encryption standards that are available in Windows 8.1.

| Security type | Authentication | Encryption |
| --- | --- | --- |
| Open | No authentication (open) | No encryption |
| Shared (not recommended) | No authentication (open) | Shared key |
| WPA-Personal | Plain text passphrase | WPA with a pre-shared key (also known as a pass phrase), Temporal Key Integrity Protocol or Advanced Encryption Standard (AES) |
| WPA-Enterprise | Institute of Electrical and Electronics Engineers, Inc. (IEEE) 802.1x authentication | WPA, Temporal Key Integrity Protocol, or AES |
| WPA2-Personal | Plain text passphrase | WPA2 with a pre-shared key, Temporal Key Integrity Protocol, or AES |
| WPA2-Enterprise | IEEE 802.1x authentication | WPA2, Temporal Key Integrity Protocol, or AES |
| 802.1x | IEEE 802.1x authentication | WEP or Dynamic WEP |

Configure Wireless Network Connections Manually or by Using Group Policy

To determine the wireless network settings, either review the wireless network connection settings or
examine the Group Policy settings. To view or configure wireless network Group Policy settings, open
Group Policy Management, expand Computer Configuration, expand Policies, expand Windows Settings,
expand Security Settings, and then click Wireless Network (IEEE 802.11) Policies. You can create or edit
wireless network Group Policy Objects (GPOs) for:

• The Windows Vista operating system and newer Windows client operating system releases
• The Windows XP operating system

The following table lists the settings that Group Policy enables you to configure.

| Setting | Description |
| --- | --- |
| Infrastructure/Ad Hoc | Defines the connection type as either Ad Hoc (peer-to-peer), or Infrastructure, which requires a wireless access point. |
| Connect automatically when this network is in range | Automatically connects clients affected by this policy to the configured network. This setting is enabled by default. |
| Connect to a more preferred network if available | Ensures that the more preferred networks take precedence. This setting is enabled by default. |
| Connect even if the network is not broadcasting | Enables a client computer to connect to the network even if the service set identifier (SSID) is not broadcast. This setting is disabled by default. |
| Network Name(s) (SSID) | Identifies the wireless access point. |
| Encryption | Specifies the encryption mechanism. AES is the default. |
| Select a network authentication method | Enables you to define how computers authenticate using the Remote Authentication Dial-In User Service (RADIUS) server in your organization. This setting is for use with WPA2-Enterprise, WPA-Enterprise, and 802.1X authentication methods. |
| Authentication mode | Specifies the authentication mode. User, Computer, and Guest authentication modes are available. |

Ensure that the authentication and encryption method that you select on the client, or that you configure
by the policy, matches the access point capability.

Verify Wireless Address Allocation

A wireless connection, like any other connection, needs an IP address. You must configure the wireless
access point with a scope of IP addresses for the connecting clients. You must have sufficient IP addresses
in the scope to allocate addresses for the number of clients that are connecting to the network.
To determine whether a Windows 8.1-based client has obtained an IP address, at a command prompt,
type IPConfig /all, and then review the address given to the wireless connection. If Windows 8.1 has
allocated a 169.254.x.y (Automatic Private IP Addressing) address to the interface, the client was
unable to obtain a valid IP address from the wireless access point.

Troubleshooting IPv4 Connectivity


When you experience network connectivity problems on an IPv4 network, follow a logical
troubleshooting process by using the available Windows 8.1 tools. Your troubleshooting process
can consist of the following steps:
1. Consult Windows Network Diagnostics.
2. Check the local IP configuration.
3. Verify two-way communication.
4. Identify each hop between two systems.
5. Verify DNS configuration.
6. Verify port availability.
7. Determine firewall configuration.


Note: You must enable the Telnet Client feature on Windows 8.1.

Consult Windows Network Diagnostics


If Windows 8.1 encounters a network connection problem, you can use Windows Network Diagnostics to
perform diagnostic procedures. Windows Network Diagnostics analyzes the problem, and if possible,
presents a solution or a list of possible causes. If Windows Network Diagnostics cannot fix the problem,
use the tools and procedures included in the following steps to troubleshoot the problem further.

Check Local IP Configuration


To determine the local IP configuration, use the IPConfig /all command or the Get-NetIPAddress and
Get-NetIPv4Protocol Windows PowerShell cmdlets. These commands provide information about the
local computer, including the following:

IP address

Subnet mask

Host name

DNS server configuration

DNS suffixes

Media access control (MAC) address

How the IP configuration was obtained, for example, whether the IP configuration was obtained by
using DHCP

After running these commands, compare the output with that of another computer that is in the same
subnet as the problematic host. When studying the output, remember that:

The IP address must be in the same host range for the given subnet as the other local computer,
while being unique within the subnet.

The subnet mask must match that of the other local host. If the subnet mask does not match, then
the computer has an incorrect network ID that can cause communication failures, particularly to
remote subnets.


The default gateway must match that of the other local host. If the default gateway is incorrect or
missing, then the computer cannot communicate with remote subnets.

If the DNS server is incorrect or missing, the computer might not resolve names, and communication
can fail.

Because DHCP configures most computers, if the configuration does not match that of the other local
host, verify that the computer can obtain an IP address correctly by using the following procedure:
1. Open an elevated command prompt, and release the existing address by using the IPConfig /release
command.
2. Renew the address by using the IPConfig /renew command.
3. Review the local IP configuration by using the IPConfig /all command.

If the host currently has an IP address in the range 169.254.0.0 to 169.254.255.254, the computer most
likely failed to obtain a dynamically assigned address. This Automatic Private IP Addressing (APIPA)
address indicates one of three problems:

Failure to connect to the DHCP server

DHCP server configuration issues

Problem with one of the DHCP server's scopes
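
The comparison against a known-good host on the same subnet, together with the APIPA check, can be scripted. The following Windows PowerShell code is an added example and is not part of the course material. The function names are illustrative, and the sample values are constructed around the course's 172.16.0.0 lab addresses (the gateway 172.16.0.1 and the mask 255.255.0.0 are assumptions).

```powershell
# Added example. Function names and sample values are illustrative (constructed).

function ConvertTo-SubnetMask {
    # Turn a prefix length such as 16 into a dotted mask such as 255.255.0.0.
    param([Parameter(Mandatory)] [ValidateRange(0, 32)] [int] $PrefixLength)
    $bits = ('1' * $PrefixLength).PadRight(32, '0')
    (0..3 | ForEach-Object { [Convert]::ToByte($bits.Substring($_ * 8, 8), 2) }) -join '.'
}

function Get-NetworkId {
    # Network ID = IP address AND subnet mask, computed byte by byte.
    param([Parameter(Mandatory)] [string] $IPAddress,
          [Parameter(Mandatory)] [string] $SubnetMask)
    $ip   = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $mask = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    (0..3 | ForEach-Object { $ip[$_] -band $mask[$_] }) -join '.'
}

function Get-LocalIPv4Configuration {
    # Reads the live IPv4 settings of one adapter on the local computer.
    param([Parameter(Mandatory)] [string] $InterfaceAlias)
    $addr  = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
             Select-Object -First 1
    $route = Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' `
                 -ErrorAction SilentlyContinue | Select-Object -First 1
    $dns   = Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    @{
        IPAddress      = $addr.IPAddress
        SubnetMask     = ConvertTo-SubnetMask -PrefixLength $addr.PrefixLength
        DefaultGateway = $route.NextHop
        DnsServers     = @($dns.ServerAddresses | Where-Object { $_ })
    }
}

function Compare-IPv4Configuration {
    # Applies the checks from the text: APIPA, uniqueness, mask, network ID, gateway, DNS.
    param([Parameter(Mandatory)] [hashtable] $Suspect,
          [Parameter(Mandatory)] [hashtable] $KnownGood)
    $findings = @()
    if ($Suspect.IPAddress -like '169.254.*') {
        $findings += 'APIPA address: no DHCP lease (server unreachable, server misconfigured, or scope problem).'
    }
    if ($Suspect.IPAddress -eq $KnownGood.IPAddress) {
        $findings += 'IP address is identical to the reference host; it must be unique within the subnet.'
    }
    if ($Suspect.SubnetMask -ne $KnownGood.SubnetMask) {
        $findings += "Subnet mask $($Suspect.SubnetMask) differs from $($KnownGood.SubnetMask)."
    }
    # Evaluate both addresses with the reference mask so a wrong mask cannot hide a wrong address.
    $goodNet    = Get-NetworkId -IPAddress $KnownGood.IPAddress -SubnetMask $KnownGood.SubnetMask
    $suspectNet = Get-NetworkId -IPAddress $Suspect.IPAddress   -SubnetMask $KnownGood.SubnetMask
    if ($suspectNet -ne $goodNet) {
        $findings += "IP address is in network $suspectNet, not in $goodNet."
    }
    if (-not $Suspect.DefaultGateway) {
        $findings += 'Default gateway is missing: no communication with remote subnets.'
    }
    elseif ($Suspect.DefaultGateway -ne $KnownGood.DefaultGateway) {
        $findings += "Default gateway $($Suspect.DefaultGateway) differs from $($KnownGood.DefaultGateway)."
    }
    $dns = @($Suspect.DnsServers | Where-Object { $_ })
    if ($dns.Count -eq 0) {
        $findings += 'No DNS server configured: name resolution can fail.'
    }
    elseif (-not ($dns | Where-Object { $KnownGood.DnsServers -contains $_ })) {
        $findings += 'None of the configured DNS servers is used by the reference host.'
    }
    if ($findings.Count -eq 0) { $findings += 'No differences from the reference host.' }
    $findings
}

# Constructed sample: a reference host and a client that failed to obtain a lease.
$reference = @{ IPAddress = '172.16.0.10';   SubnetMask = '255.255.0.0'
                DefaultGateway = '172.16.0.1'; DnsServers = @('172.16.0.10') }
$suspect   = @{ IPAddress = '169.254.17.42'; SubnetMask = '255.255.0.0'
                DefaultGateway = $null;        DnsServers = @() }
Compare-IPv4Configuration -Suspect $suspect -KnownGood $reference
```

On a live client, pass `Get-LocalIPv4Configuration -InterfaceAlias 'London_Network'` as the `-Suspect` argument instead of the constructed hashtable.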

Verify Two-Way Communication

If the computer has a valid IP configuration but cannot communicate with one or more remote hosts,
verify connectivity with the Portqry, Ping, and Telnet tools, and with Windows PowerShell cmdlets.

The Portqry command reports on the current port status of Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP) ports on a computer against which you run it. When you run Portqry, the
output returns one of the following responses about ports on the target:

Listening. A process is listening on the port that you select on the computer. Portqry received a
response from the port.

Not Listening. No process is listening on the target system's target port. Portqry receives an
ICMP Destination Unreachable - Port Unreachable message back from the target UDP port.
Alternatively, if the target port is a TCP port, Portqry receives a TCP acknowledgement packet with
the Reset flag set.

Filtered. The port on the computer that you select is being filtered. Portqry did not receive a
response from the port. A process may or may not be listening on the port. By default, Portqry
queries TCP ports three times, and queries UDP ports one time before a report indicates that the port
is filtered.

Portqry can query a single port, an ordered list of ports, or a sequential range of ports. For example, the
following command tries to resolve Microsoft.com to an IP address, and then queries TCP port 443 (the
port used by a listening web server for Secure Sockets Layer (SSL) requests) on the corresponding host:
portqry -n microsoft.com -p tcp -e 443

In this second example, the command sends a query to the directory service on LON-DC1 to verify that it
is listening:
portqry -n lon-dc1.adatum.com -e 389 -p udp

The Ping tool confirms two-way communication between two devices. This means that if Ping fails, the
local computer's configuration may not be the problem's cause. You can use Ping (or the Windows
PowerShell cmdlet Test-Connection) to ensure communication with a logical process, such as:

Ping the remote computer.

Ping the remote gateway.

Ping the local IP address.

Ping the loopback address 127.0.0.1.

Note: When you ping the loopback address, you are not testing the network interface card
(NIC), but the TCP stack.
When using the Ping tool (or the Test-Connection Windows PowerShell cmdlet), remember that:


You can ping both the computer's name and IP address. If you ping the IP address successfully, but
not the name, it indicates that the name resolution is failing. If you successfully ping the name, but
the response does not resolve the fully qualified domain name (FQDN), the resolution did not
use DNS. This means that a process, such as broadcasts or Windows Internet Name Service (WINS),
was used to resolve the name, and applications that require DNS may fail.

A Request Timed Out message indicates that there is a known route to the destination computer, but
that the configuration is incorrect for one or more computers or routers along the path, including
the source and destination devices. Use Pathping or Tracert to help find the problem.

A Destination Host Unreachable message may indicate that the system cannot find a route to the
destination system, and therefore, does not know where to send the packet on the next hop. If you
verify that the local IP configuration is correct, use Pathping and Tracert to help isolate the routing
problem.

If you can successfully ping a remote host but cannot communicate with the applications installed on the
host, verify that the application is accessible from your local computer. For example, a firewall might be
blocking your communication attempt, or the remote host is not listening on the appropriate port. The
telnet and Portqry tools can help identify issues that relate to blocked or nonresponsive ports.

Identify Each Hop Between Two Systems

You can use Pathping and Tracert to identify each hop between the source and destination systems. If
communication fails, these tools can help you identify how many hops are successful, and at which hop
the system communication fails.

Although Tracert records the hops through which packets travel, Pathping provides more information
about the routing process. Ping and Pathping both use ICMP packets to test connectivity to every router
between the local host and the remote destination host. Pathping then calculates statistics about the
routes used and the routers involved, including the hop number, round-trip time, packet loss, host names,
and IP addresses of intermediate hosts. To test routing connectivity to a remote host with Pathping, open
a command prompt, and type the following command:
Pathping www.microsoft.com

The output displays all hops between local host and destination host, and the statistical output.


Verify DNS Configuration

You can use NSLookup to ensure that the DNS server is available, and that it contains a record for the
computer with which you are attempting to communicate. This functionality is vital, because even if the
computer is available, if DNS is not working correctly you might not be able to communicate by using
computer names.

Verify Port Availability

If you can communicate successfully with a remote host by using the Ping tool, but cannot access an
application on the remote host, it is possible that the remote host is not listening for your request on the
expected port, or that local or remote firewalls are blocking your request.
To determine whether the remote computer is listening on the expected port, use either the Portqry or
telnet tools.
Note: Portqry must be downloaded from the Microsoft Download website.

For example, to determine if the HTTP port is accessible, type the following command from an elevated
command prompt:
PortQry -n server -e 80

The result will look something like this:


TCP port 80 (http service): LISTENING

A message that the port is FILTERED or NOT LISTENING can indicate either that a firewall along the path
between the two hosts is blocking the request, or that the application uses a different port or has failed
on the remote host. If other hosts on the local subnet can communicate successfully, the problem most
likely exists within the local firewall configuration settings.
You also can use telnet to verify that a port is listening. For example, if you want to verify Simple Mail
Transfer Protocol (SMTP) functionality, you can open a Telnet session to port 25 on the destination host.
Open a command prompt, and type telnet. From the Microsoft Telnet prompt, type the following
command:
Open LON-dc1.adatum.com 25

If the port is available, you will receive a message similar to this:


220 site.adatum.com Microsoft Exchange Server

Note: To troubleshoot applications by using telnet and Portqry, you must understand
which ports your applications use.

In addition to Portqry and telnet, you can use the Netstat command to discover information about ports
in use between your client computer and other remote systems. The following command lists the active
connections on your client computer:
Netstat -n
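
The three Portqry responses described under Verify Two-Way Communication (Listening, Not Listening, Filtered) and the port check described in this section can be reproduced for a single TCP port without downloading Portqry. The following Windows PowerShell code is an added example, not part of the course material and not Portqry's own implementation. The function names and the 2000 ms timeout are assumptions; the self-check at the end uses a temporary listener on the loopback address so that it runs without a network.

```powershell
# Added example. Test-TcpPortState and Get-PortStateAdvice are illustrative names.

function Test-TcpPortState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [ValidateRange(1, 65535)] [int] $Port,
        [int] $Attempts  = 3,     # the text: Portqry queries a TCP port three times
        [int] $TimeoutMs = 2000   # assumption: how long to wait for a reply per attempt
    )
    for ($attempt = 1; $attempt -le $Attempts; $attempt++) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $connect = $client.ConnectAsync($ComputerName, $Port)
            if ($connect.Wait($TimeoutMs)) {
                return 'LISTENING'            # the TCP handshake completed
            }
            # No reply within the timeout: fall through and try again.
        }
        catch {
            # ConnectAsync reports failures wrapped in other exceptions; unwrap to the cause.
            $cause = $_.Exception.GetBaseException()
            if ($cause -is [System.Net.Sockets.SocketException]) {
                switch ($cause.SocketErrorCode.ToString()) {
                    'ConnectionRefused' { return 'NOT LISTENING' }     # target replied with Reset
                    'HostNotFound'      { return 'NAME NOT RESOLVED' } # DNS problem, not a port problem
                }
            }
            throw
        }
        finally {
            $client.Close()
        }
    }
    'FILTERED'                                # every attempt went unanswered
}

function Get-PortStateAdvice {
    # Maps each state to the next troubleshooting step named in the text.
    param([Parameter(Mandatory)] [string] $State)
    switch ($State) {
        'LISTENING'     { 'A process answered on the port; troubleshoot the application itself.' }
        'NOT LISTENING' { 'The host replied but nothing is bound to the port: wrong port, or the application has failed.' }
        'FILTERED'      { 'No reply: check local and remote firewalls, starting with the Monitoring node.' }
        default         { "No port result ($State); verify name resolution first." }
    }
}

# Offline self-check against a temporary listener on the loopback address.
$listener = New-Object System.Net.Sockets.TcpListener -ArgumentList ([System.Net.IPAddress]::Loopback), 0
$listener.Start()
$port = $listener.LocalEndpoint.Port
$whileOpen = Test-TcpPortState -ComputerName '127.0.0.1' -Port $port
$listener.Stop()
$whileClosed = Test-TcpPortState -ComputerName '127.0.0.1' -Port $port

foreach ($state in $whileOpen, $whileClosed) {
    '{0}: {1}' -f $state, (Get-PortStateAdvice -State $state)
}
```

In the lab, `Test-TcpPortState -ComputerName 'lon-dc1.adatum.com' -Port 25` performs the same check as the telnet example above.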

Determine Firewall Configuration


If you cannot communicate successfully with a remote application, before troubleshooting the application
itself, verify that the local firewall is not blocking your attempt. To determine which firewall rules are
active, open Windows Firewall with Advanced Security, and then click the Monitoring node. The
Monitoring section lists the active rules. Determine if any rules are responsible for blocking your
connection attempt.
Remember that the network location category might be responsible for your connectivity problem,
because the public category is more restrictive than the private category. If you configure the network
with the wrong network location category, use the Network and Sharing Center to reconfigure the
network category.

Intermittent Problems

When users report inconsistent or intermittent problems, you might need to approach the
troubleshooting process slightly differently. For example, if a user's email application functions while their
web browsing does not, this suggests a specific problem with web browsing rather than with the network
connectivity itself. The problem might lie with the client-side application, the browser, or the network
components through which web-browsing traffic passes, such as firewalls, Network Address Translation
(NAT) devices, and routers.

Demonstration: Determining Network Settings


Note: This is a practice session.
In this practice session, you will:

View IPv4 configuration from a GUI.

View IPv4 configuration from a command line.

Test connectivity.

Check Windows Firewall configuration.

Reconfigure the IPv4 configuration.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.


Demonstration Steps
View IPv4 configuration from a GUI
1. Switch to LON-CL1.
2. Press the Windows + S keys, in the Search box, type Control, and then click Control Panel.
3. In Control Panel, click Network and Internet.
4. In Network and Internet, click View network status and tasks.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click
London_Network.
6. In the London_Network Status dialog box, click Details. This window displays the same
configuration information for this adapter as the Ipconfig command would display.
7. In the Network Connection Details window, click Close.
8. In the London_Network Status dialog box, click Properties. You can configure protocols in this
window.
9. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties. You can configure the IP
address, subnet mask, default gateway, and Domain Name System (DNS) servers in this window.
10. Click Advanced. In the Advanced TCP/IP Settings window, you can configure additional settings, such
as additional IP addresses, DNS settings, and Windows Internet Name Service (WINS) servers for
NetBIOS name resolution.
11. Close all open windows without modifying any settings.

View IPv4 configuration from a command line


1. Click Start.
2. Type Windows PowerShell, and then press Enter.
3. At the Windows PowerShell command prompt, type Get-NetIPAddress and then press Enter.
4. At the Windows PowerShell command prompt, type Get-NetIPv4Protocol and then press Enter.
5. At the command prompt, type netsh interface ipv4 show config, and then press Enter. The current
IPv4 configuration is displayed.
6. At the Windows PowerShell command prompt, type ipconfig /all, and then press Enter.

Test connectivity
1. At the Windows PowerShell command prompt, type test-connection LON-DC1, and then press
Enter.
2. At the command prompt, type netstat -n, and then press Enter. Observe and describe the active
connections to 172.16.0.10. Most connections to services are transient.
3. If no connections appear, then create a connection. To create a connection, click Start, type
\\LON-DC1, and then press Enter.
4. In File Explorer, double-click NETLOGON.
5. At the command prompt, type netstat -n, and then press Enter. Identify the services that LON-CL1
had connections to on LON-DC1.
6. On the taskbar, click the Internet Explorer icon.
7. In Windows Internet Explorer, in the Address bar, type http://LON-DC1, and then press Enter.
8. Switch back to the command prompt.
9. At the command prompt, type netstat -n, and then press Enter. Identify the additional open
connections.

Check Windows Firewall configuration


1. Click Start, type Windows Firewall, and then click Windows Firewall.
2. In Windows Firewall, click Advanced settings.
3. In Windows Firewall with Advanced Security, expand Monitoring, and then click Firewall. These are
the active firewall rules.
4. Switch back to Windows PowerShell.
5. At the command prompt, type netsh advfirewall firewall show rule name=all dir=in, and then
press Enter.
6. Review the results, which display all inbound rules.
7. Close all open windows.

Reconfigure the IPv4 configuration


1. Click Start to return to the Start screen.
2. Type Control, and then click Control Panel.
3. Click Control Panel Home.
4. In Control Panel, click Network and Internet.
5. In Network and Internet, click View network status and tasks.
6. In Network and Sharing Center, to the right of the Adatum.com Domain network, click
London_Network.
7. In the London_Network Status dialog box, click Properties. In this window, you can configure
protocols.
8. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
9. In the Properties dialog box, click Obtain an IP address automatically. Notice that when you click
this, the Alternate Configuration tab becomes available.
10. Click Obtain DNS server address automatically.
11. Click the Alternate Configuration tab. Configuration information on this tab is used when no DHCP
server is available.
12. Click OK to save the changes.
13. In the London_Network Properties dialog box, click Close.
14. In the London_Network Status dialog box, click Details. Notice that DHCP is enabled, and that the
IP address of the DHCP server displays.
15. Close all open windows.

Completion Steps

After you have completed the practice session, leave the virtual machines running for the next
practice session.


Troubleshooting Name Resolution


Host names are assigned to computers that are
running TCP/IP. This makes the computers easier
to identify. Host name resolution is the process of
resolving a host name to its corresponding IP
address.

What Is a Host Name?


The host name forms part of the FQDN. For
example, if a computer's host name is LON-CL1,
and it is part of the adatum.com domain, the
FQDN for that computer will be LON-CL1.adatum.com.
Note: The host name is up to 255 characters in length, and can contain alphanumeric
characters, periods, and hyphens. The FQDN, including the host name, cannot exceed 255
characters in length. The domain portion of the FQDN is the DNS suffix. The computer's primary
DNS suffix is the name of the domain of which it is a member.

For computers that are not part of a domain, you can view the primary DNS suffix from the DNS Suffix
and NetBIOS Computer Name dialog box. You access this dialog box from the System Properties dialog
box on the Computer Name tab. By default, a non-domain member computer has no primary DNS suffix.
Note: You can assign a separate DNS suffix to each individual network connection. You
view or edit the connection-specific DNS suffixes from the Advanced TCP/IP Settings page that is
accessible from the IPv4 or the IPv6 properties of the relevant network connection.

The Host Name Resolution Process

When you troubleshoot name resolution, you must understand what name resolution methods the
computer is using, and in what order the computer uses them. The operating system resolves host names
either by using a local text file named hosts, or by using DNS. During the host name resolution process,
Windows 8.1:
1. Checks whether the host name is the same as the local host name.
2. Searches the DNS resolver cache.
3. Sends a DNS request to its configured DNS servers.

Note: Windows 8.1 appends the primary and connection-specific suffixes to all names that
it is resolving. If initially the name resolution is unsuccessful, Windows 8.1 applies parent suffixes
of the primary DNS suffix. For example, if the DNS resolver attempts to resolve the name LON-CL1,
Windows 8.1 appends the .adatum.com suffix to attempt resolution. If that is unsuccessful,
the operating system appends .com to the name, and attempts to resolve it once again. You can
configure this behavior from the Advanced TCP/IP Settings page.

The primary tools for troubleshooting host name resolution are IPConfig and NSLookup, and their
Windows PowerShell equivalents Get-NetIPAddress, Get-NetIPv4Protocol, and Resolve-DnsName.

Note: You should perform standard network troubleshooting techniques, such as running
NDF and verifying basic connectivity, before you begin to test name resolution.
Be sure to clear the DNS resolver cache between resolution attempts.

The Process for Troubleshooting Name Resolution


If you cannot connect to a remote host, and if you suspect a name resolution problem, you can
troubleshoot name resolution using the following process:
1. Open an elevated command prompt, and then clear the DNS resolver cache by typing the following
command:
IPConfig /flushdns

Note: Alternately, you can use the Windows PowerShell cmdlet Clear-DnsClientCache.

2. Attempt to verify connectivity to a remote host by using its IP address. This helps you identify
whether the issue is because of name resolution. You can use the Ping command or the Test-Connection
Windows PowerShell cmdlet. If the Ping command succeeds with the IP address but fails
by the host name, the problem is with name resolution.

Note: Remember that the remote host must allow inbound ICMP echo packets through its
firewall for this test to be viable.

3. Attempt to verify connectivity to the remote host by its hostname, using the FQDN followed by a
period. For example, type the following command at the command prompt:
Test-connection LON-cl1.adatum.com.

Note: You can also use the ping command.

4. If the test is successful, the problem likely does not relate to name resolution.

5. If the test is unsuccessful, edit the C:\windows\system32\drivers\etc\hosts text file, and add the
appropriate entry to the end of the file. For example, add this line, and then save the file:
172.16.0.51 LON-cl1.adatum.com

6. Perform the test-by-host-name procedure again. Name resolution should now be successful.

7. Examine the DNS resolver cache to verify that the name resolved correctly. To examine the DNS
resolver cache, type the following command at a command prompt:
IPConfig /displaydns

Note: You can also use the Windows PowerShell cmdlet Get-DnsClientCache.

8. Remove the entry that you added to the hosts file, and then clear the resolver cache once more.
At the command prompt, type the following command, and then examine the contents of the
filename.txt file to identify the failed stage in name resolution:
NSLookup.exe -d2 LON-cl1.adatum.com. > filename.txt

The Windows PowerShell equivalent command is:
Resolve-DnsName lon-cl1.adatum.com. > filename.txt
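
A hosts entry that is left behind after step 8 keeps answering for that name instead of DNS, which hides later DNS changes and is also a place where tampering shows up. The following Windows PowerShell code is an added example, not part of the course material, that lists the active hosts entries and compares each one with what DNS returns. The function names are illustrative, and the sample hosts content and the 172.16.0.99 address are constructed; the demonstration uses a stand-in resolver built from the lab addresses so that it runs without a DNS server.

```powershell
# Added example. Function names and sample data are illustrative (constructed).

function Get-HostsFileEntry {
    # Returns one object per active (non-comment) name in a hosts file.
    param([string] $Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $lineNo = 0
    foreach ($line in Get-Content -LiteralPath $Path) {
        $lineNo++
        $active = ($line -replace '#.*$', '').Trim()     # drop comments
        if (-not $active) { continue }
        $fields  = $active -split '\s+'
        $address = $null
        if ($fields.Count -lt 2 -or
            -not [System.Net.IPAddress]::TryParse($fields[0], [ref] $address)) {
            Write-Warning ('Line {0} is not a valid hosts entry: {1}' -f $lineNo, $active)
            continue
        }
        # One address can be followed by several names.
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Line = $lineNo; Address = $address.ToString(); Name = $name }
        }
    }
}

function Compare-HostsToDns {
    # Classifies each hosts entry by comparing it with the DNS answer for the same name.
    param(
        [Parameter(Mandatory)] [object[]] $Entry,
        # Default resolver: ask DNS only, ignoring the hosts file.
        [scriptblock] $Resolver = {
            param($Name)
            Resolve-DnsName -Name $Name -Type A -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
                Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq 'A' } |
                ForEach-Object { $_.IPAddress }
        }
    )
    foreach ($e in $Entry) {
        $dns = @(& $Resolver $e.Name | Where-Object { $_ })
        $status = if ($dns.Count -eq 0)            { 'HostsOnly' }      # name unknown to DNS
                  elseif ($dns -contains $e.Address) { 'MatchesDns' }   # redundant, safe to remove
                  else                               { 'OverridesDns' } # hosts and DNS disagree
        [pscustomobject]@{
            Line = $e.Line; Name = $e.Name; HostsAddress = $e.Address
            DnsAddress = ($dns -join ', '); Status = $status
        }
    }
}

# Constructed hosts content, written to a temporary file for the demonstration.
$sampleHosts = @'
# Constructed sample
172.16.0.51   LON-cl1.adatum.com    # added while testing name resolution
172.16.0.10   intranet
172.16.0.99   LON-dc1.adatum.com
'@
$tmp = [System.IO.Path]::GetTempFileName()
Set-Content -LiteralPath $tmp -Value $sampleHosts

# Stand-in for DNS, built from the lab addresses used on this page.
$labDns = @{ 'LON-cl1.adatum.com' = '172.16.0.51'; 'LON-dc1.adatum.com' = '172.16.0.10' }
$labResolver = { param($Name) $labDns[$Name] }

$entries = @(Get-HostsFileEntry -Path $tmp)
Compare-HostsToDns -Entry $entries -Resolver $labResolver | Format-Table -AutoSize
Remove-Item -LiteralPath $tmp
```

On a live client, call `Get-HostsFileEntry` without `-Path` and omit `-Resolver` so that the comparison queries the configured DNS servers.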

Interpreting NSLookup output

You should understand how to interpret the NSLookup command output so that you can identify
whether the name resolution problem exists with the client computer's configuration, the name server,
or the configuration of records within the name server's zone database. In the first section of the following
output sample, the client resolver performs a reverse lookup to determine the DNS server host name.
You can view the query 10.0.16.172.in-addr.arpa, type = PTR, class = IN in the QUESTIONS section. The
returned result, name = LON-dc1.adatum.com, identifies the host name of the petitioned DNS server:
-----------
SendRequest(), len 41
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
10.0.16.172.in-addr.arpa, type = PTR, class = IN
-----------
-----------
Got answer (73 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
10.0.16.172.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 10.0.16.172.in-addr.arpa
type = PTR, class = IN, dlen = 20
name = LON-dc1.adatum.com
ttl = 1200 (20 mins)
-----------
Server: LON-dc1.adatum.com
Address: 172.16.0.10


In the following section, the client resolver performs a recursive query of the DNS server for the host
LON-cl1.adatum.com, type = A, class = IN. The returned result appears in the ANSWERS section of the
following output. Note that the answer also includes a time-to-live (TTL) value, which determines
how long the record is valid:
-----------
SendRequest(), len 36
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
LON-cl1.adatum.com, type = A, class = IN
-----------
-----------
Got answer (52 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
LON-cl1.adatum.com, type = A, class = IN
ANSWERS:
-> LON-cl1.adatum.com
type = A, class = IN, dlen = 4
internet address = 172.16.0.51
ttl = 1200 (20 mins)

In the remaining section, the client resolver performs a query for the IPv6 address of the lon-cl1 host, as
indicated in the QUESTIONS section. This query returns no information, as the lack of an ANSWERS
section in the following example indicates:
-----------
SendRequest(), len 36
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
LON-cl1.adatum.com, type = AAAA, class = IN
-----------
-----------
Got answer (91 bytes):
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
LON-cl1.adatum.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> adatum.com
type = SOA, class = IN, dlen = 43
ttl = 3600 (1 hour)
primary name server = LON-dc1.adatum.com
responsible mail addr = hostmaster.adatum.com
serial = 45
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
-----------
Name: LON-cl1.adatum.com
Address: 172.16.0.51


If you can resolve a computer's name successfully but you cannot connect to an application on that
computer, investigate whether the local or remote firewalls are blocking your attempt.
Note: Responses from name servers will be either authoritative or non-authoritative. An
authoritative response is one from a DNS server that hosts the records that you are querying. A
non-authoritative response is one from a server that does not host the petitioned record, but is
able to respond with records stored in its cache.
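
Reading the debug output by eye becomes slow when filename.txt holds many queries. The following Windows PowerShell code is an added example, not part of the course material, that parses the "Got answer" sections and states for each one whether the reply was authoritative and whether it carried an answer. The function names are illustrative; the sample is the A and AAAA responses shown above, with the indentation added as an assumption (the parser ignores leading whitespace).

```powershell
# Added example. Function names are illustrative. The sample reproduces the A and
# AAAA responses from this page; indentation is assumed and not significant.
$sample = @'
-----------
Got answer (52 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags: response, auth. answer, want recursion, recursion avail.
        questions = 1, answers = 1, authority records = 0, additional = 0
    QUESTIONS:
        LON-cl1.adatum.com, type = A, class = IN
    ANSWERS:
    -> LON-cl1.adatum.com
        type = A, class = IN, dlen = 4
        internet address = 172.16.0.51
        ttl = 1200 (20 mins)
-----------
-----------
Got answer (91 bytes):
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags: response, auth. answer, want recursion, recursion avail.
        questions = 1, answers = 0, authority records = 1, additional = 0
    QUESTIONS:
        LON-cl1.adatum.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    -> adatum.com
        type = SOA, class = IN, dlen = 43
        ttl = 3600 (1 hour)
        primary name server = LON-dc1.adatum.com
-----------
'@

function ConvertFrom-NslookupDebug {
    # Emits one object per "Got answer" section; SendRequest sections are skipped.
    param([Parameter(Mandatory)] [string] $Text)
    $current = $null
    $section = ''
    foreach ($raw in ($Text -split '\r?\n')) {
        $line = $raw.Trim()
        if ($line -match '^-*\s*Got answer') {
            if ($current) { $current }            # emit the previous response
            $current = [pscustomobject]@{
                Id = $null; RCode = $null; Authoritative = $false
                Name = $null; Type = $null; AnswerCount = 0; Data = @()
            }
            $section = ''
            continue
        }
        if ($line -match '^-*\s*SendRequest') {
            if ($current) { $current }
            $current = $null
            continue
        }
        if (-not $current) { continue }
        switch -Regex ($line) {
            '^opcode = \w+, id = (\d+), rcode = (\w+)' {
                $current.Id = [int] $Matches[1]; $current.RCode = $Matches[2]; break }
            '^header flags:\s*(.*)$' {
                $current.Authoritative = $Matches[1].Contains('auth. answer'); break }
            '^questions = \d+,\s*answers = (\d+)' {
                $current.AnswerCount = [int] $Matches[1]; break }
            '^(QUESTIONS|ANSWERS|AUTHORITY RECORDS|ADDITIONAL RECORDS):$' {
                $section = $Matches[1]; break }
            '^(\S+), type = (\w+), class = \w+$' {
                if ($section -eq 'QUESTIONS') {
                    $current.Name = $Matches[1]; $current.Type = $Matches[2] }
                break }
            '^(?:internet address|name) = (\S+)$' {
                if ($section -eq 'ANSWERS') { $current.Data += $Matches[1] }
                break }
        }
    }
    if ($current) { $current }
}

function Get-NslookupVerdict {
    # Turns one parsed response into a one-line reading of the result.
    param([Parameter(Mandatory)] $Response)
    $source = if ($Response.Authoritative) { 'authoritative' } else { 'non-authoritative (cached)' }
    if ($Response.RCode -ne 'NOERROR') {
        '{0} [{1}]: the server returned {2}.' -f $Response.Name, $Response.Type, $Response.RCode
    }
    elseif ($Response.AnswerCount -eq 0) {
        '{0} [{1}]: {2} reply without an ANSWERS section; no record of this type was returned.' -f
            $Response.Name, $Response.Type, $source
    }
    else {
        '{0} [{1}]: {2} answer {3}' -f $Response.Name, $Response.Type, $source, ($Response.Data -join ', ')
    }
}

ConvertFrom-NslookupDebug -Text $sample | ForEach-Object { Get-NslookupVerdict -Response $_ }
```

To read a real capture, pass `(Get-Content filename.txt -Raw)` as the `-Text` argument.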

Additional NSLookup commands

To look up different data types within the DNS by using NSLookup, use the set type or set q command
at the command prompt. For example, to query for the mail exchanger data, type the following:
NSLookup
> Set q=mx
> Mailhost

The output might look something like this:


Server: LON-dc1.adatum.com
Address: 172.16.0.10
mail.adatum.com MX preference = 0, mail exchanger = mail.adatum.com
mail.adatum.com internet address = 172.16.0.11

To query another name server directly, use the server or lserver commands to switch to that name server.
The lserver command uses the local server to get the address of the server to which you want to switch,
whereas the server command uses the current default server to get the address. For example:
NSLookup
> server 172.16.0.20

The output might look something like this:

Default Server: LON-dc2.adatum.com
Address: 172.16.0.20

Demonstration: Troubleshooting DNS


Note: This is a practice session.
In this practice session, you will:

View and clear the name cache.

Test name resolution to LON-DC1.

Create a record in the hosts file.

Test the new record.

Test name resolution.

Preparation Steps


For this practice session, you will need to use the available virtual machine environment. Before you begin
the practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
View and clear the name cache
1. Switch to LON-CL1.
2. Click Start.
3. Type Windows PowerShell, and then press Enter.
4. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter.
5. At the Windows PowerShell command prompt, type Get-DnsClientCache, and then press Enter.
6. At the Windows PowerShell command prompt, type ipconfig /flushdns, and then press Enter.
7. At the Windows PowerShell command prompt, type Clear-DnsClientCache, and then press Enter.
8. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter.

Test name resolution to LON-DC1


1. At the Windows PowerShell command prompt, type test-connection lon-dc1, and then press Enter.
2. At the Windows PowerShell command prompt, type Get-DnsClientCache | fl, and then press Enter.
3. At the Windows PowerShell command prompt, type ipconfig /displaydns, and then press Enter.

Create a record in the hosts file


1. At the Windows PowerShell command prompt, type notepad C:\windows\system32\drivers\etc\hosts,
and then press Enter.
2. Scroll to the end of the file, type 172.16.0.10 intranet, and then press Enter.
3. Click File, and then click Save.
4. Close Notepad.

Test the new record


1. At the Windows PowerShell command prompt, type test-connection intranet, and then press Enter.
2. At the Windows PowerShell command prompt, type Get-DnsClientCache | fl, and then press Enter.
3. View the intranet record in the cache.


Test name resolution


1. At the Windows PowerShell command prompt, type nslookup LON-DC1, and then press Enter.
2. At the Windows PowerShell command prompt, type Resolve-DnsName LON-DC1 | fl, and then press
Enter.
3. At the Windows PowerShell command prompt, type nslookup -d1 LON-DC1 > file.txt, and then
press Enter.
4. At the command prompt, type notepad file.txt, and then press Enter.
5. Review the information, and then close notepad.
6. Close Windows PowerShell.

Completion Steps

After you have completed the practice session, leave the virtual machines running for the next
practice session.

Additional Considerations for IPv6 Networks


Windows 8.1 enables the IPv6 stack by
default, and it is the preferred transport for
communication. The Windows 8.1 IPv6 stack
does not impair IPv4 functionality, and enables
better network connectivity for applications that
support IPv6. IPv6 connections can use IPv6
transition technologies such as Teredo to operate
behind routers that use NAT, without requiring
NAT configuration or application modification.

Disabling IPv6
If your applications function in a purely IPv4
environment, you might consider disabling IPv6.
You cannot uninstall IPv6, but you can disable it by performing the following step:

In the Ethernet Properties dialog box, in the list under This connection uses the following items, clear
the Internet Protocol version 6 (TCP/IPv6) check box.

Note: Avoid disabling IPv6 unless there is no alternative, because other network
functionality may be affected.

Troubleshooting IPv6

The steps for troubleshooting an IPv6 connection are similar to those for troubleshooting an IPv4-based
connection. You can use many of the IPv4 troubleshooting tools to gather information to help
troubleshoot IPv6 connection problems.

Microsoft Message Analyzer


You can use Microsoft Message Analyzer to
perform the following network analysis tasks:

Capture message data

Save message data

Import message data

View message data

Filter message data

Microsoft Message Analyzer uses several built-in trace scenarios that you can access from the
Microsoft Message Analyzer interface. Trace
scenarios contain specific capture settings that you can use to start a trace session quickly, and capture
the information you need for your troubleshooting task. These trace scenarios include predefined capture
configuration for Windows Firewall troubleshooting, local area network (LAN) and wide area network
(WAN) monitoring, and web proxy troubleshooting. You can customize trace scenarios to remove items
that do not require monitoring.
The Microsoft Message Analyzer interface contains a Charts section that provides a visualization of
captured data according to customizable parameters. Charts help you to understand incoming trace data
more easily by visually presenting complicated traffic information. This feature is often helpful when you
need to perform mathematical calculations on the trace data, such as the number of retries required for a
packet being sent between hosts.
Microsoft Message Analyzer is capable of loading data from native Microsoft Message Analyzer files,
event tracing log (.etl) files, Network Monitor capture files (.cap), .csv files, and several other formats.

Demonstration: Using Microsoft Message Analyzer to Capture Network Traffic

Note: This is a practice session.
In this practice session, you will:

Capture network traffic with Microsoft Message Analyzer.

Analyze the captured network traffic.

Filter the network traffic.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Capture network traffic with Microsoft Message Analyzer
1. On LON-CL1, click Start.
2. Type Windows PowerShell.
3. Click Windows PowerShell.
4. At the Windows PowerShell prompt, type Clear-DnsClientCache, and then press Enter.
5. On the desktop, double-click Microsoft Message Analyzer.
6. In the Microsoft Message Analyzer Wizard, on the Welcome to Microsoft Message Analyzer page,
click Do not update items, and then click OK.
7. In the navigation pane, click Capture/Trace, and then in the Trace Scenarios section, click Firewall.
8. In Microsoft Message Analyzer, on the toolbar, click Start With.
9. At the Windows PowerShell prompt, type ping LON-DC1.adatum.com, and then press Enter.
10. In Microsoft Message Analyzer, on the toolbar, click Stop.

Analyze the captured network traffic


1. In Microsoft Message Analyzer, in the results pane, select the first ICMP packet group.
2. In the results pane, click the plus (+) sign beside the selected packet group. Verify that it includes both
Echo Request and Echo Reply packets. This is a ping request.
3. View the source and destination IP addresses for each packet.

Filter the network traffic


1. On the Microsoft Message Analyzer toolbar, in the View Filter section, type the following into the box:
*DestinationAddress == 172.16.0.10
2. In the View Filter section, click Apply Filter. Verify that the packets are now being filtered to show
only packets that match the filter.
3. Close Microsoft Message Analyzer.
4. Click Close without saving.

Completion Steps

After you have completed the practice session, leave the virtual machines running for the lab.

Lab: Resolving Network Connectivity Issues


Scenario


The help desk at A. Datum Corporation has received a number of network trouble tickets that they cannot
resolve. They have passed on these trouble tickets to you. You need to determine how to resolve each of
these problems, and then document your solution.

Objectives
After completing this lab, you will be able to:

Resolve a network problem (1).

Resolve a network problem (2).

Troubleshoot a wireless network.

Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. These virtual machines should still
be running from the preceding practice session. If they are not, before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.
6. You must now complete the practice session entitled: Determining Network Settings.

Note: This is only necessary if you restarted your virtual machines since completing the
practice session entitled: Determining Network Settings.


Exercise 1: Resolving a Network Problem (1)


Scenario
A user has reported a networking problem to the help desk. You must investigate and attempt a
resolution.
Incident Record
Incident Reference Number: 723012
Date of Call: October 21
Time of Call: 14:02
User: Colin Wilcox (Research Department)
Status: OPEN

Incident Details
Colin called the help desk. He is unable to connect to a server resource.
Additional Information
The resource is \\LON-DC1\Research. It is unavailable to Colin, and other users are affected as well.
Colin restarted his computer when he returned from lunch. Prior to lunch, he had no problem.
Plan of Action

Resolution

The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for incident 723012.
2. Discuss recommendations.
3. Simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for incident 723012

Read the help desk incident record 723012 above.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record.
2. Discuss your recommendations with other students.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod05\Scenario1.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem

1. Attempt to resolve the problem by using your knowledge of the network architecture and the tools
available for troubleshooting the network environment.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you should have resolved the network-related problem.

Exercise 2: Resolving a Network Problem (2)


Scenario

A user has reported a networking-related problem to the help desk. You must investigate and attempt a
resolution.
Incident Record
Incident Reference Number: 723101
Date of Call: October 22
Time of Call: 09:01
User: Colin Wilcox (Research Department)
Status: OPEN

Incident Details
Colin is unable to access any network resources.
Additional Information
Colin is the only one affected in his department.
He cannot access the Research data folder on LON-DC1.
He cannot open a web browser connection to http://lon-dc1.
Plan of Action

Resolution


The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for incident 723101.
2. Discuss recommendations.
3. Simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for incident 723101

Read the help desk Incident Record 723101 above.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record.
2. Discuss your recommendations with other students.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod05\Scenario2.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of the network architecture and the tools
available for troubleshooting the network environment.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you will have resolved the network-related problem.

Exercise 3: Troubleshooting a Wireless Network


Scenario

Carol Troup is the Research manager for A. Datum in Cambridge, United Kingdom. She has decided that
providing wireless access for users in her department will increase productivity. As a result, wireless
network access points have been deployed and configured throughout her department.

Some weeks later, Carol placed a call to the help desk. The Cambridge Research wireless networks are a
success, but there have been ongoing problems with intermittent connections. Additionally, some staff
members can connect to the A. Datum corporate network from the parking lot. This represents a security
issue.

Incident Record
Incident Reference Number: 723123
Date of Call: October 23
Time of Call: 11:15
User: Carol Troup (Research Department)
Status: OPEN

Incident Details
There are intermittent connection problems from computers connecting to the Cambridge Research
department.
Some users can connect to the Cambridge wireless access points from the parking lot.
Some users cannot connect to the wireless network at all.
Additional Information
None.
Plan of Action
How will you verify that these problems are occurring?
What do you suspect is causing these problems?
How will you resolve these problems?
Resolution

The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for incident 723123.
2. Discuss recommendations.

Task 1: Read the help desk Incident Record for incident 723123

Read the help desk Incident Record 723123.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record.
2. Discuss your recommendations with other students.

Results: After completing this exercise, you should have successfully developed a plan of action for the
resolution of these incidents.


To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Module Review and Takeaways


Review Questions
Question: After starting her computer, Amy notices that she is unable to access her normal
resources. What tool can she use to determine if she has a valid IP address?
Question: Amy notices that she cannot access normal enterprise websites. She knows that
she has a valid IP address, but wants to troubleshoot the DNS access of her computer. What
tool must she use?
Question: You are troubleshooting a network-related problem, and you suspect a name
resolution issue. Before conducting tests, you want to purge the DNS resolver cache. How do
you do that?


Module 6
Troubleshooting Group Policy
Contents:
Module Overview
Lesson 1: Overview of Group Policy Application
Lesson 2: Resolving Client Configuration Failures and GPO Application Issues
Lab: Troubleshooting Group Policy
Module Review and Takeaways

Module Overview

Group Policy is an essential tool that you can use to configure the computer systems in an enterprise
environment. With Group Policy, you can quickly apply configuration settings to multiple computers from
a central location. This is faster and more practical than configuring hundreds or thousands of computers
manually.
In most cases, a server administrator administers an organization's Group Policy, rather than desktop
support staff. However, desktop support staff should understand how Group Policy works, and how to
identify when an organization is not applying Group Policy Objects (GPOs) properly.

Objectives
After completing this module, you will be able to:

Describe how GPOs are applied to computers.

Resolve client-side configuration failures and GPO application issues.

Lesson 1

Overview of Group Policy Application


You can manage GPOs centrally, and store them on domain controllers. Client computers download GPOs
and apply them in specific ways. It is important for you to understand how Windows 8.1 processes GPOs
so that you can identify when Windows 8.1 is not processing them correctly.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Group Policy options for deploying configuration settings.

Explain how Windows 8.1 processes GPOs.

Describe Group Policy inheritance.

Describe Group Policy application.

Describe loopback processing.

Explain how to configure Group Policy in Active Directory Domain Services (AD DS).

Options for Deploying Configuration Settings with Group Policies


Group Policy contains thousands of settings
for configuring Windows 8.1. Each Windows 8.1
computer has a local Group Policy that you can
edit to configure these settings. However, when
you are managing client computers in an
enterprise environment, modifying the local
Group Policy manually on each computer is not
practical. Instead, you can use AD DS to distribute
GPOs. By default, Windows 8.1 computers
download GPOs at startup and every 90 minutes
thereafter.

Inside a GPO, there are User Configuration settings and Computer Configuration settings. The User
Configuration settings apply to user accounts, and the Computer Configuration settings apply to computer
accounts. If the user account and computer account are in different organizational units (OUs), a single
GPO may apply to the user who logs on, but not to the computer itself, and the other way around.

Within the User Configuration and Computer Configuration settings, there are policies and preferences.
Policies are Windows operating system configuration settings that are enforced on the client; preferences
are settings that are applied to the client, but that the user has the option to change. Preferences include
items such as drive mappings and printer selection.
Note: On a given computer, a local GPO applies to all local and domain users. However,
user settings in a GPO that AD DS distributes do not apply to local users.


Processing GPOs
Windows 8.1 applies Group Policy to computers
when users start the computers, and applies
Group Policy to users when the user logs on to
the computer. Computer and user settings are
refreshed at regular, configurable intervals. The
default refresh interval is every 90 minutes.
However, you can also force an update by running
GPUpdate.exe at a command prompt.
Group Policy Objects are processed in the
following order:
1. Local GPOs

Note: The local GPO is the least influential object in an AD DS environment because its
settings can be overwritten by GPOs that are associated with sites, domains, and organizational
units. In a nonnetworked environment, or in a networked environment that does not have a
domain controller, the local GPO settings are more important because other GPOs do not
overwrite them. Stand-alone computers use only local GPOs to control the environment.
Each Windows 8.1 computer has one local GPO that contains default computer and user settings,
regardless of whether the computer is part of an AD DS environment. In addition to this default
local GPO, you can create custom local user GPOs. You can maintain these local GPOs by using
the Group Policy Object Editor snap-in.

2. Site-level GPOs
3. Domain-level GPOs
4. OU GPOs, including any nested OUs, starting with the OU furthest from the user or computer object

GPOs that are applied to higher-level containers pass through to all sub-containers in that part of the
Active Directory tree. For example, a policy setting that applies to an OU also applies to any child OUs
below it. The local GPO is processed first, and the OU to which the computer or user belongs is processed
last. The last GPO processed is the effective setting.
Other factors that can influence GPO processing include:

Security filtering. An individual GPO can have security filtering applied that controls which users and
computers are able to apply the GPO. By using security filtering, you limit a GPO to a specific group
of users or computers. By default, Windows 8.1 applies a GPO to Authenticated Users, which allows all
users and computers to apply it.

Windows Management Instrumentation (WMI) filtering. You can link a WMI filter to an individual
GPO, which restricts to which computers the GPO applies. You can base a WMI filter's parameters on
a wide variety of characteristics, such as installed software or hardware. An error in creating a WMI
query in a WMI filter may result in a GPO not applying to any computers.

Slow link processing. By default, some GPO settings are not applied over slow links because it may
take too long to download them. Slow links are defined as 500 kilobits per second (Kbps) or less.
Administrative templates and security settings are processed regardless of link speed. This may result
in roaming users with portable computers having a slightly different experience when they are not in
the office and connected to the corporate network.

Fast sign-in optimization. This feature is enabled by default to help speed up the sign-in process.
When enabled, Group Policy settings apply asynchronously when the computer starts and when the
user signs in. Consequently, the operating system does not wait for the network to be fully initialized
at startup and sign-in. Existing users sign in by using cached credentials, which results in shorter
sign-in times. Group Policy is applied after the network becomes available. However, this can result in
GPOs not applying as expected.

Group Policy Inheritance


You can create and link GPOs to users and
computers by linking the GPOs to a site, domain,
or OU. When you apply multiple GPOs to these
containers, this aggregates the settings in the
GPOs. For most policy settings, the GPO with
the highest precedence that contains the specific
setting determines the setting's final value. For a
few settings, the final value is actually the
combination of values across GPOs.

GPOs that Windows 8.1 processes last have the highest precedence. GPOs follow the Local, Site,
Domain, or OU rule for processing: first the local
GPO is processed, then site GPOs, then domain GPOs, and lastly the OU GPOs, including nested OUs.
Nested OUs are OUs that have another OU as their parent. In the nested OUs scenario, GPOs associated
with the parent OUs are processed before the GPOs associated with the child OUs. In this processing
order, Windows 8.1 applies local GPOs first but they have the least precedence. Windows 8.1 processes
OU GPOs last, and they have the highest precedence.
Several Group Policy options can alter this default inheritance behavior. These options include:

Link Order. Link Order defines the precedence order for GPOs linked to a given container. Changing
the Link Order has no effect unless GPOs that link to the same location have conflicting settings. The
GPO link with a Link Order of 1 has the highest precedence on that container.

Enforced. The Enforced value defines whether a GPO takes precedence over any GPOs that link to
child containers. Additionally, a GPO that Windows 8.1 enforces at the domain level overrides a GPO
that it enforces at an OU. You typically enforce a GPO to ensure that computers use company-wide
settings, and that departmental administrators do not override these settings by creating a GPO.

Block Inheritance. Block Inheritance is the ability to prevent an OU or domain from inheriting GPOs
from any of its parent containers. Note that OUs and domains will always inherit Enforced GPO links.
You typically use Block Inheritance to allow a department to manage Group Policy settings separate
from the rest of the organization.

Link Enabled. Link Enabled is the ability to specify whether Windows 8.1 processes a specific GPO link
for the container to which it links. When you do not enable a link, Windows 8.1 does not process the
GPO. Typically, you do this during troubleshooting when you want to disable processing of a GPO to
eliminate it as a source of configuration errors.


Discussion: Group Policy Application


Woodgrove Bank has a single domain with OUs
that represent three regional offices. In each
regional office, a single Computer OU contains
all computer accounts for that region. The
organization stores user accounts for each region
in various OUs based on workgroups. Each region
has the following workgroups:

Retail

Commercial

Managers

Use the material in the handbook to help answer the following discussion questions.
Question: How would you use a GPO to distribute an application only to users in a single
region?
Question: You link the GPO to the Computers OU in that region. Which settings does
Windows 8.1 apply?
Question: Why might roaming users benefit from linking printer distribution to a site rather
than to a specific OU?
Question: How can you configure security settings in a GPO and ensure that they apply to
all regions?
Question: A GPO that links to the domain defines the home page for users. The home page
points at the company intranet. The managers have a new web-based application that they
want to define as their home page. You decide to distribute this setting via a GPO. How can
you do this?
Question: If the administrator of the Region 1 organizational unit configured the Block
Inheritance option on his or her OU, what would the effect be on any GPOs configured at the
domain level?
Question: If the domain administrator applied the Enforced value to the Default Domain
Policy, how would this affect the answer to the previous question?

Loopback Processing
By default, a user's settings come from GPOs
scoped to the user object in AD DS. Regardless
of which computer the user logs on to, the
resultant set of policies that determine the user's
environment is the same. There are situations,
however, in which you might want to configure
a user differently, depending on the computer
he or she uses. For example, you might want to
standardize and lock user desktops when users
sign in to computers in closely managed
environments, such as conference rooms,
reception areas, laboratories, classrooms, and
kiosks.


Imagine a scenario in which you want to enforce a standard corporate appearance for Windows-based
desktops on all the computers in conference rooms and other public areas of your office. How will you
manage this configuration centrally by using Group Policy? Policy settings that configure desktop
appearance are located in the User Configuration node of a GPO. Therefore, by default, the settings apply
to users, regardless of the computer to which they log on. Default policy processing does not provide a
way to scope user settings to apply them to computers, regardless of which user logs on. This is where
loopback policy processing can be useful.
Loopback policy processing alters the default algorithm that the Group Policy Client uses to obtain
the ordered list of GPOs that should apply to a user's configuration. When you use loopback policy
processing, user configuration is not determined by the User Configuration node of GPOs that are scoped
to the user object. Instead, user configuration can be determined by the User Configuration node policies
of GPOs that are scoped to the computer object.
Like all policy settings, the Configure user Group Policy loopback processing mode policy setting can be
set to Not Configured, Enabled, or Disabled.

The Configure user Group Policy loopback processing mode policy setting is located in the Computer
Configuration\Policies\Administrative Templates\System\Group Policy folder. You access this folder from
the Group Policy Management Editor window.
When enabled, the policy can specify the Replace or Merge mode:

Replace. In this case, the GPO list already obtained for the computer at computer startup replaces the
GPO list for the user. The settings in the User Configuration policies of the computer's GPOs apply to
the user.
Replace mode is useful in a situation such as a classroom where users should receive a standard
configuration, rather than in a less managed environment.

Merge. In this case, the GPO list obtained for the computer at computer startup is appended to the
GPO list obtained for the user when logging on. Because the GPO list obtained for the computer is
applied later, settings in GPOs on the computer's list have precedence if they conflict with settings in
the user's list.

This mode is useful for applying additional settings to users' typical configurations. For example, you
might allow a user to receive the user's typical configuration when logging on to a computer in a
conference room or reception area, but replace the wallpaper with a standard bitmap, and disable the
use of certain applications or devices.
Note: When you combine loopback processing with security group filtering, applying user
settings during policy refresh uses the computer's credentials to determine which GPOs to apply
as part of the loopback processing. However, the logged-on user also must have Apply Group
Policy permission for the GPO to be applied successfully. Also, note that the loopback processing
flag is configured on a per-session basis, rather than per GPO.
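The inheritance rules from the Group Policy Inheritance topic (Local, Site, Domain, OU order, Link Order, Enforced, Block Inheritance, Link Enabled) and the Replace and Merge loopback modes described above can be checked against a small model. This is an added example in Python, not part of the course material or of Windows itself; it ignores security and WMI filtering, treats the local GPO as unaffected by Block Inheritance (an assumption), and every GPO, OU and setting name in the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    order: int = 1           # Link Order on the container; 1 = highest precedence
    enforced: bool = False
    enabled: bool = True     # Link Enabled

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)
    block_inheritance: bool = False
    local: bool = False      # assumption: Block Inheritance never hides the local GPO

def processing_order(chain):
    """GPO names in the order they are applied; the last one applied wins.

    chain: containers from least to most specific
    (local, site, domain, parent OU, ..., OU that holds the account).
    """
    # The most specific container with Block Inheritance hides the
    # non-enforced links of every container above it.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for depth, container in enumerate(chain):
        # Larger Link Order numbers are applied first, so Link Order 1 lands last.
        for link in sorted(container.links, key=lambda l: l.order, reverse=True):
            if not link.enabled:
                continue
            if link.enforced:
                enforced.append((depth, link.gpo))
            elif depth >= cutoff or container.local:
                normal.append(link.gpo)
    # Enforced links are applied after all others, most specific container first,
    # so an enforced domain link overrides an enforced OU link.
    enforced.sort(key=lambda item: -item[0])  # stable: Link Order inside a container is kept
    return normal + [gpo for _, gpo in enforced]

def user_gpo_list(user_chain, computer_chain, loopback=None):
    """GPO list for User Configuration; loopback is None, "replace" or "merge"."""
    if loopback == "replace":
        return processing_order(computer_chain)
    if loopback == "merge":   # computer list is appended, so it is applied later and wins
        return processing_order(user_chain) + processing_order(computer_chain)
    return processing_order(user_chain)

def effective(gpo_order, settings):
    """Resolve {setting: (value, winning GPO)} from {gpo: {setting: value}}."""
    result = {}
    for gpo in gpo_order:
        for key, value in settings.get(gpo, {}).items():
            result[key] = (value, gpo)
    return result

# Constructed sample data: every GPO, OU and setting name below is illustrative.
def sample_user_chain(block=False, enforce=False):
    return [
        Container("Local", [Link("Local GPO")], local=True),
        Container("Site"),
        Container("Domain", [Link("Domain Baseline", order=1, enforced=enforce),
                             Link("Domain Extras", order=2)]),
        Container("OU=Region1", [Link("Region1 Desktop"),
                                 Link("Region1 Pilot", order=2, enabled=False)],
                  block_inheritance=block),
        Container("OU=Managers", [Link("Managers Home Page")]),
    ]

COMPUTER_CHAIN = [
    Container("Local", [Link("Local GPO")], local=True),
    Container("Domain", [Link("Domain Baseline"), Link("Domain Extras", order=2)]),
    Container("OU=ConferenceRooms", [Link("Room Desktop")]),
]

USER_SETTINGS = {   # User Configuration values carried by each GPO
    "Domain Baseline": {"home_page": "intranet", "wallpaper": "corporate"},
    "Domain Extras": {"home_page": "extras-portal"},
    "Region1 Desktop": {"wallpaper": "region1"},
    "Region1 Pilot": {"wallpaper": "pilot"},
    "Managers Home Page": {"home_page": "managers-app"},
    "Room Desktop": {"wallpaper": "room-standard"},
}

if __name__ == "__main__":
    cases = {"default": sample_user_chain(),
             "Block Inheritance on Region1": sample_user_chain(block=True),
             "Block + Enforced baseline": sample_user_chain(block=True, enforce=True)}
    for label, chain in cases.items():
        order = processing_order(chain)
        print(label, order, effective(order, USER_SETTINGS))
    for mode in ("replace", "merge"):
        order = user_gpo_list(sample_user_chain(), COMPUTER_CHAIN, loopback=mode)
        print("loopback", mode, effective(order, USER_SETTINGS))
```

In the Merge case the domain-linked GPOs appear in both lists, so their user settings are applied a second time after the user's OU GPOs.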


Demonstration: Using the Group Policy Management Console


Note: This is a practice session.
In this practice session, you will:

Use the Group Policy Management Console (GPMC) to create a new GPO.

Configure a new GPO to create a Desktop shortcut.

Update Group Policy on LON-CL1.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 to 4 for 20688D-LON-CL1.

Demonstration Steps
Use the Group Policy Management Console (GPMC) to create a new GPO
1. On LON-CL1, click the Desktop tile, double-click Administrative Tools, and then double-click
Group Policy Management.
2. Expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Adatum.com.
3. Click the Linked Group Policy Objects tab. Notice that the Default Domain Policy and Marketing
GPOs link to the root of the Adatum.com domain.
4. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
5. In the New GPO dialog box, in the Name box, type Preferences, and then click OK.

Configure a new GPO to create a desktop shortcut


1. In the left pane, expand Adatum.com.
2. Click Preferences.
3. Click OK to close the warning pop-up window.
4. On the Scope tab, verify that no WMI filters are applied.
5. On the Settings tab, verify that no settings are defined in this GPO.
6. In the left pane, right-click Preferences. Notice in the context menu that the link is enabled but not
enforced.
7. In the context menu, click Edit.
8. In the Group Policy Management Editor window, review the available information. Notice that there
are two categories of settings, User Configuration and Computer Configuration, which are divided
further into Policies and Preferences.
9. Under User Configuration, expand Preferences, expand Windows Settings, and then click
Shortcuts.
10. Right-click Shortcuts, point to New, and then click Shortcut.
11. In the New Shortcut Properties dialog box, enter the following information, and then click OK:
   o Action: Create
   o Name: Notepad
   o Target type: File System Object
   o Location: Desktop
   o Target Path: C:\Windows\System32\notepad.exe
12. Close the Group Policy Management Editor.
13. Close the GPMC.
14. Close Administrative Tools.

Update Group Policy on LON-CL1


1. Right-click Start and then click Command Prompt.
2. At the command prompt, type gpupdate /force, and then press Enter. The /force option ensures
that all policies are applied and not just updates.
3. When the Group Policy update completes, close the Command Prompt window.
4. Notice that the Notepad shortcut now displays on the desktop.

Completion steps

After you have completed the practice session, leave the virtual machines running for the next
practice session.


Lesson 2

Resolving Client Configuration Failures and GPO Application Issues

Most issues that relate to the application of GPOs are due to incorrect configurations on the part of an
administrator. Despite the fact that you, as a desktop support person, may not be able to resolve GPO
application issues, it is important that you can identify them. After you identify an issue with a Group
Policy application configuration, you may need to escalate the issue to a server administrator who has the
necessary permissions to resolve the issue.

Lesson Objectives
After completing this lesson, you will be able to:

Discuss reasons for client configuration failures caused by incorrectly configured GPOs.

Explain how to resolve common client configuration issues that result from applying GPOs.

Describe how to troubleshoot Resultant Set of Policy (RSoP).

Describe Group Policy events.

Use Group Policy application troubleshooting tools.

Explain how to resolve Group Policy application failures.

Identify when GPO settings become effective.

Discussion: Reasons for GPO Application Issues


A GPO application issue is any situation where
a GPO does not have the effect on users or
computers that you expect. Common indications
of GPO application issues are:

GPO settings, such as security restrictions or drive mapping, not applying to specific users or computers.

Unexpected GPO settings applying to users or computers.

GPO settings applying to a user differently based on physical location or computer.

Because a GPO can affect many users and computers, administrators should test GPO configurations
thoroughly before applying them. Even after testing, you may encounter situations in which settings in a
GPO do not apply to users and computers in the ways that you expect.
Question: What are some of the reasons that GPO settings might not apply as you think
they should?

Ways to Resolve GPO Application Issues


GPO application issues often result from
configuration errors. In many cases, resolution
is just a matter of identifying and resolving the
configuration error. One of the most common
errors is linking a new GPO to an incorrect
location. To avoid this error, you should verify that
a GPO with user settings links to the user object's
location. You should also verify that a GPO with
computer settings links to the computer object's
location.
If you want user settings in a GPO to apply only
when the user logs on to a particular computer or
group of computers, you must enable loopback processing for those computers. After you enable
loopback processing, the user settings in the GPOs that apply to the computer account are processed.


When a new GPO is applied, it may not take effect immediately. By default, GPOs are processed every
90 minutes on client computers. However, you can force the GPO to take effect immediately by running
gpupdate.exe /force at a command prompt.
If you update a GPO and it does not take effect, you may need to restart the computer. Some settings
apply correctly only during the computer startup process.
Finally, if GPOs do not take effect for remote users, you can disable slow link processing. However,
disabling this setting may result in slow sign-ins, because large GPOs will now download over a slow
connection. This is of particular concern when you use GPOs for software distribution.

Tools for Troubleshooting RSoP


Group Policy inheritance, filters, and exceptions
are complex, and it can often be difficult to
determine which policy settings will apply.
RSoP is the net effect of GPOs applied to a
user or computer, taking into account GPO
links, exceptions such as Enforced and Block
Inheritance, and the application of security and
WMI filters.

RSoP also is a collection of tools that you can use to evaluate, model, and troubleshoot the
application of Group Policy settings. RSoP can query a local or remote computer and report back
the exact settings that applied to the computer and to any user who has logged on to the computer.
RSoP also can model the policy settings that are anticipated to be applied to a user or computer under a
variety of scenarios, including moving the object between OUs or sites, or changing the object's group
membership. With these capabilities, RSoP can help you manage and troubleshoot conflicting policies.
The following tools exist for performing RSoP analysis:

The Group Policy Results Wizard

The Group Policy Modeling Wizard

GPResult.exe


Group Policy Results Wizard

To help you analyze the cumulative effect of GPOs and policy settings on a user or computer in your
organization, use the Group Policy Results Wizard in the GPMC. If you want to understand exactly which
policy settings apply to a user or a computer and why they were applied, use the Group Policy Results
Wizard.

The Group Policy Results Wizard can access the WMI provider on a local or remote computer that is
running Windows Vista or newer Windows client operating systems. The WMI provider can report
everything there is to know about the way Group Policy applies to the system. It knows when processing
occurs, which GPOs are applied, which GPOs are not applied and why, errors that are encountered, and
the exact policy settings and source GPOs that take precedence.
To run an RSoP report, right-click Group Policy Results in the GPMC console tree, and then click Group
Policy Results Wizard.

The wizard prompts you to select a computer. It then connects to the WMI provider on that computer
and provides a list of users that have logged on to it. You then can select one of the users, or you can skip
RSoP analysis for user configuration policies.
The wizard produces a detailed RSoP report in dynamic HTML format. If Internet Explorer Enhanced
Security Configuration is set, you will be prompted to allow the console to display the dynamic content.
You can expand or collapse each section of the report by clicking the Show or Hide link, or by
double-clicking the heading of the section.
The report displays on three tabs:

Summary. The Summary tab displays the status of Group Policy processing at the last refresh. You can
identify information that was collected about the system, the GPOs that were applied and denied,
security group membership that might have affected GPOs filtered with security groups, WMI filters
that were analyzed, and the status of Client-side extensions.

Settings. The Settings tab displays the RSoP settings that apply to the computer or user. This
tab shows you exactly what has happened to the user through the effects of your Group Policy
implementation. You can learn a tremendous amount of information from the Settings tab, although
some data is not reported, including Internet Protocol security (IPsec), wireless, and disk quota policy
settings.

Policy Events. The Policy Events tab displays Group Policy events from the target computer's event
logs.

After you generate an RSoP report with the Group Policy Results Wizard, you can right-click the report
to rerun the query, print the report, or save the report as an .xml file or an .html file that maintains the
dynamic expanding and collapsing sections. You can open both file types with Internet Explorer, so the
RSoP report is portable outside the GPMC.
If you right-click the node of the report itself, under the Group Policy Results node in the console tree,
you can switch to Advanced View. In Advanced View, RSoP displays by using the RSoP snap-in, which
displays all applied settings, including IPsec, wireless, and disk quota policies.

Generating RSoP Reports with Gpresult.exe


The gpresult command is the command-line version of the Group Policy Results Wizard. gpresult uses
the same WMI provider as the Group Policy Results Wizard, produces the same information, and, in fact,
enables you to create the same graphical reports. When you run the gpresult command, you are likely to
use the following options.
Switch
    Explanation

/s <COMPUTER>
    Specifies the name or IP address of a remote computer. Do not use backslashes. The default is the local computer.

/u <USERNAME>
    Uses the credentials of the specified user to run the command. The default user is the user who is logged on to the computer that issues the command.

/p [<PASSWORD>]
    Specifies the password of the user account that is provided in the /u parameter. If /p is omitted, gpresult prompts for the password. /p cannot be used with /x or /h.

/user [<TARGETDOMAIN>\]<TARGETUSER>
    Specifies the remote user whose RSoP data is to be displayed.

/scope {user | computer}
    Displays RSoP data for either the user or the computer. If /scope is omitted, gpresult displays RSoP data for both the user and the computer.

[/x | /h] <FILENAME>
    Saves the report in either XML (/x) or HTML (/h) format at the location and with the file name that the FILENAME parameter specifies. Cannot be used with /u, /p, /r, /v, or /z.

/f
    Forces gpresult to overwrite the file name that the /x or /h option specifies.

/r
    Displays RSoP summary data.

/v
    Displays verbose policy information. This includes detailed settings that were applied with a precedence of 1.

/z
    Displays all available information about Group Policy. This includes detailed settings that were applied with a precedence of 1 and higher.

/?
    Displays Help at the command prompt.
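
The following PowerShell is an added example, not part of the course material: it saves the computer-scope RSoP report with gpresult /x and lists each GPO together with the reason it was or was not applied. The output path and the element names it reads (ComputerResults, GPO, Name, Enabled, IsValid, FilterAllowed, AccessDenied, Link/SOMPath) are assumptions about the report's XML layout; confirm them against a report from your own client, and run it from an elevated prompt.

```powershell
# Added example: list applied and filtered-out GPOs from a gpresult XML report.
# Assumption: the element names below match the RSoP XML written by gpresult /x.

$report = Join-Path $env:TEMP 'rsop-computer.xml'   # hypothetical output path

# /scope computer limits the report to computer RSoP; /f overwrites an old file.
gpresult.exe /scope computer /x $report /f
if ($LASTEXITCODE -ne 0) {
    throw "gpresult exited with code $LASTEXITCODE (computer scope needs elevation)"
}

# XmlDocument.Load honors the encoding declared inside the report file.
$rsop = New-Object System.Xml.XmlDocument
$rsop.Load($report)

# Read a child element by local name so that XML namespaces do not matter.
function Get-ChildText {
    param([System.Xml.XmlNode]$Node, [string]$XPath)
    $child = $Node.SelectSingleNode($XPath)
    if ($child) { $child.InnerText.Trim() } else { $null }
}

$gpoNodes = $rsop.SelectNodes(
    "//*[local-name()='ComputerResults']/*[local-name()='GPO']")

$rows = foreach ($gpo in $gpoNodes) {
    $enabled       = Get-ChildText $gpo "*[local-name()='Enabled']"
    $isValid       = Get-ChildText $gpo "*[local-name()='IsValid']"
    $filterAllowed = Get-ChildText $gpo "*[local-name()='FilterAllowed']"
    $accessDenied  = Get-ChildText $gpo "*[local-name()='AccessDenied']"

    # Translate the flags into the questions a troubleshooter asks first.
    $status = if ($accessDenied -eq 'true')       { 'Denied: security filtering' }
              elseif ($filterAllowed -eq 'false') { 'Denied: WMI filter' }
              elseif ($enabled -eq 'false')       { 'Not applied: GPO disabled' }
              elseif ($isValid -eq 'false')       { 'Not applied: GPO not valid' }
              else                                { 'Applied' }

    [pscustomobject]@{
        Name     = Get-ChildText $gpo "*[local-name()='Name']"
        Status   = $status
        LinkedAt = Get-ChildText $gpo "*[local-name()='Link']/*[local-name()='SOMPath']"
    }
}

if (-not $rows) {
    Write-Warning 'No GPO elements found; check the element names against the report.'
}
$rows | Sort-Object Status, Name | Format-Table -AutoSize -Wrap
```

A GPO that is expected but absent from the list altogether points to a link or OU placement problem rather than to filtering.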


Examining Event Logs for GPO Events


Windows 8.1 improves your ability to
troubleshoot Group Policy by using RSoP tools,
and by improved logging of Group Policy events,
including:

System log. System log events display high-level information about Group Policy,
including errors that the Group Policy Client creates when it cannot connect to a domain
controller or locate GPOs.

Application log. You can use the Application log to capture events recorded by client-side
extensions.

Group Policy Operational log. This log provides detailed information about Group Policy processing.

To find Group Policy logs, open the Event Viewer snap-in or console, and look for the System and
Application logs in the Windows Logs node. The Group Policy Operational log is found at
Applications And Services Logs\Microsoft\Windows\GroupPolicy\Operational.
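
The same logs can be read from PowerShell. The following is an added example, not part of the course material: it collects Group Policy warnings and errors from the System and Operational logs and then prints every Operational event that belongs to a failed processing pass. The 24-hour look-back window is an assumption, and the grouping relies on the events of one processing pass sharing an ActivityId.

```powershell
# Added example: triage Group Policy events on the client being diagnosed.
# Run in an elevated PowerShell session.

$since = (Get-Date).AddHours(-24)   # assumption: look back 24 hours

# System log: high-level events written by the Group Policy Client.
$system = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Operational log: step-by-step detail for each processing pass.
$operational = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    StartTime = $since
} -ErrorAction SilentlyContinue

# Level 1 = Critical, 2 = Error, 3 = Warning.
$problems = @($system; $operational) |
    Where-Object { $_ -and $_.Level -in 1, 2, 3 }

'Warnings and errors since {0}: {1}' -f $since, @($problems).Count
$problems | Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName,
        @{ n = 'FirstLine'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

# Group Operational events by processing pass and show the failed passes in full,
# so the events before the error (DC discovery, GPO list, extensions) are visible.
$passes = $operational | Where-Object { $_.ActivityId } | Group-Object ActivityId
foreach ($pass in $passes) {
    $bad = @($pass.Group | Where-Object { $_.Level -in 1, 2, 3 })
    if ($bad.Count -eq 0) { continue }

    "--- Processing pass $($pass.Name): $($bad.Count) warning/error event(s) ---"
    $pass.Group | Sort-Object TimeCreated | ForEach-Object {
        '{0:HH:mm:ss}  {1,-11} {2,5}  {3}' -f $_.TimeCreated,
            $_.LevelDisplayName, $_.Id, ($_.Message -split "`r?`n")[0]
    }
}
```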

Demonstration: Using GPO Application Troubleshooting Tools


Note: This is a practice session.
In this practice session, you will:

Use gpresult.exe to create a report.

Use the Group Policy Reporting Wizard to create a report.

Use the Group Policy Modeling Wizard to create a report.

Review GPO events in the event logs.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
    o User name: Administrator
    o Password: Pa$$w0rd
    o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Use gpresult.exe to create a report
1. On LON-CL1, click Start.
2. On the Start screen, type cmd.exe, and then press Enter.
3. In the Command Prompt window, at a command prompt, type gpresult /r, and then press Enter.
4. Review the output in the Command Prompt window.
5. At the command prompt, type the following command, and then press Enter:
    GPResult /h c:\results.html
6. Close the Command Prompt window.
7. Click File Explorer, and navigate to drive C.
8. In the details pane, double-click the results.html file.
9. In the Windows Internet Explorer window, click Allow blocked content.
10. View the report results and then close Internet Explorer.

Use the Group Policy Reporting Wizard to create a report


1. On the desktop, double-click Administrative Tools.
2. Double-click Group Policy Management.
3. In the Group Policy Management window, right-click Group Policy Results, and then click Group Policy Results Wizard.
4. In the Group Policy Results Wizard, click Next.
5. On the Computer Selection page, click Next.
6. On the User Selection page, click Next.
7. On the Summary of Selections page, click Next.
8. On the Completing the Group Policy Results Wizard page, click Finish.
9. Review the Group Policy results.


10. Expand the Group Policy Results folder, right-click the Administrator on LON-CL1 report, and then click Save Report.
11. In the Save GPO Report dialog box, click Desktop, and then click Save.

Use the Group Policy Modeling Wizard to create a report


1. Right-click the Group Policy Modeling folder, and then click Group Policy Modeling Wizard.
2. In the Group Policy Modeling Wizard, click Next.
3. On the Domain Controller Selection page, click Next.
4. On the User and Computer Selection page, under User information, click User, and then click Browse.
5. In the Select User dialog box, type Ed Meadows, and then click OK.
6. Under Computer information, click Browse.
7. In the Choose Computer Container dialog box, expand Adatum, click IT, and then click OK.


8. On the User and Computer Selection page, click Next.
9. On the Advanced Simulation Options page, click Next.
10. On the Alternate Active Directory Paths page, click Next.
11. On the User Security Groups page, click Next.
12. On the Computer Security Groups page, click Next.
13. On the WMI Filters for Users page, click Next.
14. On the WMI Filters for Computers page, click Next.
15. On the Summary of Selections page, click Next.
16. On the Completing Group Policy Modeling Wizard page, click Finish.
17. Review the report.

Review GPO events in the event log


1. Under Group Policy Results, click Administrator on LON-CL1.
2. In the details pane, click the Policy Events tab, and then review the events.
3. Close all open windows.
4. On the desktop, double-click Administrative Tools, and then double-click Event Viewer.
5. In the console tree, expand Windows Logs, and then click the System log.
6. Sort the System log by Source.
7. Locate events with Group Policy as the Source.
8. Review the information associated with Group Policy events.
9. In the console tree, expand Applications and Services Logs, expand Microsoft, expand Windows, expand Group Policy, and then click Operational.
10. Review the events, and then close all open windows.

Completion steps
After you have completed the practice session, revert the virtual machines in preparation for the lab:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Resolving GPO Application Failures


When you troubleshoot GPO application
failures, first verify that the client computer is
connected to the network properly, and that it is
authenticated. If a computer is unable to contact
the domain, it is unable to apply GPOs. You can
verify the computer's authentication by either
ensuring that the user can access network
resources, or by looking in the event logs
for errors related to network connectivity or
computer account authentication. Alternatively,
you can run gpupdate /force to verify that GPOs
are downloading.

Verify That the Client Computer is Connected and Authenticated


If the client computer is not connected to the network properly and if it is not authenticated, you need to
resolve this first. Possible resolutions may include:

Fixing the network cabling.

Ensuring that the client computer is using an appropriate network IP address.

Verifying the Domain Name System (DNS) configuration.

Rejoining the domain to fix the computer account.

Verify That the GPO is Assigned Properly to the Computer or User

You should verify that the GPO is assigned properly to the computer or user by using RSoP or gpresult. If
these tools show that the GPO applies to the computer and user, then you know that the link to the GPO
is configured properly.
If RSoP shows that the GPO is not applied to the computer and user, you need to determine if the GPO is
linked to the correct location. You also need to confirm that the user and computer accounts are in the
correct location. You may need to escalate this task to someone with the necessary administrative
permissions.

Verify that the GPO Configuration Has the Proper Settings

If the GPO appears to be linked properly, you should verify that the GPO configuration has the proper
settings configured. It is possible that an administrator created and linked the GPO correctly, but did not
configure it correctly. One item to verify is whether loopback processing is enabled in the environments
that use it. Depending on your permissions to manage Group Policy, you may need to escalate this task.


Identifying When GPO Settings Become Effective


Windows Server must complete several processes
before Group Policy settings actually apply to a
user or a computer. This topic explains these
processes.

GPO Replication Must Happen


Before a GPO can take effect, the Group Policy
container in AD DS must replicate to the domain
controller from which the Group Policy Client
obtains its ordered list of GPOs. Additionally, the
Group Policy template in SYSVOL must replicate
to the same domain controller.
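
One way to check this replication requirement, as an added example that is not part of the course material: the script asks every domain controller for the same GPO and compares the version held in AD DS (the Group Policy container) with the version in SYSVOL (the Group Policy template). It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed and uses the lab's Preferences GPO and Adatum.com domain as sample values.

```powershell
# Added example: verify that one GPO has replicated consistently to every DC.
# Assumptions: RSAT GroupPolicy and ActiveDirectory modules are available;
# the GPO name and domain below are the lab values used in this module.
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'Preferences'
$domain  = 'Adatum.com'

$rows = foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
    try {
        # -Server makes the query go to this specific domain controller.
        $gpo = Get-GPO -Name $gpoName -Domain $domain -Server $dc.HostName -ErrorAction Stop

        [pscustomobject]@{
            DomainController = $dc.HostName
            UserAD           = $gpo.User.DSVersion
            UserSysvol       = $gpo.User.SysvolVersion
            ComputerAD       = $gpo.Computer.DSVersion
            ComputerSysvol   = $gpo.Computer.SysvolVersion
            # Container and template agree on this DC for both halves of the GPO.
            ContainerMatchesTemplate =
                ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion) -and
                ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
            Note             = ''
        }
    }
    catch {
        # The GPO could not be read from this DC, for example because the
        # container has not replicated there yet or the DC is unreachable.
        [pscustomobject]@{
            DomainController = $dc.HostName
            UserAD = $null; UserSysvol = $null
            ComputerAD = $null; ComputerSysvol = $null
            ContainerMatchesTemplate = $false
            Note = $_.Exception.Message
        }
    }
}

$rows | Format-Table -AutoSize -Wrap

# Every DC should report the same four version numbers.
$distinct = @($rows | ForEach-Object {
    '{0}/{1}/{2}/{3}' -f $_.UserAD, $_.UserSysvol, $_.ComputerAD, $_.ComputerSysvol
} | Sort-Object -Unique)

$mismatched = @($rows | Where-Object { -not $_.ContainerMatchesTemplate })

if ($mismatched.Count -gt 0) {
    Write-Warning ("Container and template versions differ, or the GPO is unreadable, on: " +
        ($mismatched.DomainController -join ', '))
}
elseif ($distinct.Count -gt 1) {
    Write-Warning 'Domain controllers report different GPO versions; replication is still in progress or failing.'
}
else {
    "GPO '$gpoName' is at the same version on all $(@($rows).Count) domain controller(s)."
}
```

A client applies whatever version its own domain controller holds, so a mismatch here explains why one computer receives a new setting while another does not.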

Incorporating Group Changes

If you have added a new group or changed the membership of a group that is used to filter the GPO, that
change must also replicate. Furthermore, the change must be in the security token of the computer and
the user, which requires a restart for the computer to update its group membership, or a logoff and logon
for the user to update its group membership.

User or Computer Group Policy Refresh

Refresh happens at startup for computer settings, at sign-in for user settings, and every 90 to 120 minutes
thereafter by default.
Note: Remember that the practical impact of the Group Policy refresh interval is that when
you make a change in your environment, it will be, on average, 45 to 60 minutes before the change
starts to take effect.

By default, Windows 8.1 clients perform only background refreshes at startup and logon, which
means that a client might start up and a user might sign in without receiving the latest policies from
the domain. We highly recommend that you change this default behavior so that policy changes
implement in a managed, predictable way. Enable the policy setting called Always Wait For Network At
Startup And Logon for all Windows clients. The setting is located in
Computer Configuration\Policies\Administrative Templates\System\Logon. Be sure to read the policy setting's explanatory text. Note that
this does not affect the startup or logon time for computers that are not connected to a network. If the
computer detects that it is disconnected, it does not wait for a network.

Sign In or Restart

Although most settings apply during a background policy refresh, some client-side extensions do not
apply the setting until the next startup or sign-in event. For example, newly added startup and logon
script policies do not run until the next computer startup or sign-in. Software installation will occur at the
next startup if the software is assigned in computer settings. Changes to Folder Redirection policies will
not take effect until the next sign-in.

Manually Refresh Group Policy

When you experiment with Group Policy processing, you might need to initiate a Group Policy refresh
manually so that you do not have to wait for the next background refresh. You can use the gpupdate
command to initiate a Group Policy refresh. Used on its own, this command triggers processing identically
to a Group Policy background refresh. Both computer policy and user policy are refreshed. Use the
/target:computer or /target:user parameter to limit the refresh to computer or user settings,
respectively. During background refresh, by default, settings apply only if the GPO has been updated.


The /force switch causes the system to reapply all settings in all GPOs scoped to the user or computer.
Some policy settings require a logoff or restart before they take effect. The /logoff and /boot switches of
gpupdate cause a logoff or restart, respectively. You can use these switches when you apply settings that
require a logoff or restart.
For example, the command that will cause a total refresh application, and if necessary, restart and logon,
to apply updated policy settings is:
gpupdate /force /logoff /boot

Most Client-Side Extensions Do Not Reapply Settings if the GPO Has Not Changed

Remember that most client-side extensions apply settings in a GPO only if the GPO version has changed.
This means that if a user can change a setting that Group Policy specified originally, the setting will not be
brought back into compliance with the settings that the GPO specifies until the GPO changes. Fortunately,
a nonprivileged user cannot change most policy settings. However, if a user is an administrator of his or
her computer, or if the policy setting affects a part of the registry or the system that the user has
permissions to change, this could be a real problem.
You have the option of instructing each client-side extension to reapply the settings of GPOs, even if the
GPOs have not been changed. You can configure the processing behavior of each client-side extension in
the policy settings found in Computer Configuration\Administrative Templates\System\Group Policy.


Lab: Troubleshooting Group Policy


Scenario

The help desk has received a number of incident reports that relate to GPO application. Because you are
the desktop support technician who has the most experience with Group Policy, these tickets have been
assigned to you. In this lab, you will resolve the reported GPO application problems that Tier 1 helpdesk
staff could not resolve.

Objectives
After completing this lab, you will be able to:

Resolve GPO application issues.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1, 20688D-LON-CL1, and 20688D-LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
    o User name: Administrator
    o Password: Pa$$w0rd
    o Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL1 and 20688D-LON-CL3.


Note: You did not use 20688D-LON-CL3 in the practice sessions.

Exercise 1: Resolving Group Policy Application (1)


Scenario


In this exercise, you will resolve the reported GPO application problem that Tier 1 helpdesk staff could not
resolve.
Incident Record
Incident Reference Number: 723151
Date of Call: October 29
Time of Call: 15:27
User: Anil
Status: OPEN

Incident Details
User reports that the Research computer lab configuration is not applying properly to a new
computer named LON-CL3.
Additional Information
User reports that a new computer in the Research computer lab is not configured properly. The
standardized settings are applying correctly to all other Research lab computers, such as LON-LAB1.
I have verified that the computer is joined to the domain properly.
Looking at LON-LAB1, I can see that there is a desktop shortcut for the Research Lab application. If
this icon appears on the desktop, then we know that the settings are applying properly. This setting
should apply regardless of the user who signs in.
Plan of Action

Resolution

Note: There is no LON-LAB1 computer in the virtual machine environment. However, it does
exist in the Adatum.com domain.
The main tasks for this exercise are as follows:
1. Read the help desk Incident Record for incident 723151.
2. Update the Plan of Action section.
3. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for incident 723151

Read the help desk incident record 723151.


Task 2: Update the Plan of Action section


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Attempt to resolve the problem


1. On LON-CL3, sign in by using the following credentials:
    o User name: Administrator
    o Password: Pa$$w0rd
    o Domain: Adatum
2. In Start, click Desktop.
3. Verify that the Desktop shortcut for the Research Lab application does not display. It should display for any account.
4. Using your knowledge of Windows Server GPOs, and the tools available for troubleshooting GPOs, attempt to resolve the problem.
5. To verify the correct solution, on LON-CL3, sign in by using the following credentials:
    o User name: Chris
    o Password: Pa$$w0rd
    o Domain: Adatum
6. In Start, click Desktop.
7. Verify that the Desktop shortcut ResearchLabApp displays.
8. Update the Resolution section of the Incident Record.
9. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.

Results: After completing this exercise, you will have successfully resolved Group Policy Object (GPO)
application issues.

Exercise 2: Resolving Group Policy Application (2)


Scenario


In this exercise, you will resolve the reported GPO application problem that Tier 1 helpdesk staff could not
resolve.
Incident Record
Incident Reference Number: 723160
Date of Call: October 30
Time of Call: 16:10
User: Adam Barr (Marketing Department)
Status: OPEN

Incident Details
User reports that his desktop settings are not applying as per his departmental standards.
Additional Information
The user (Adam) is not receiving group policy settings on his computer LON-CL1.
Other people in his department are not experiencing any issues. I have checked with the Active
Directory administrators, and his computer account is in the correct location (Computers).
Therefore, the location of the computer account is not an issue.
It appears as if GPOs are not applying, as gpupdate did not work.
We rebooted the computer with no improvement.
Plan of Action

Resolution

The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for incident 723160.
2. Update the Plan of Action section.
3. Simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for incident 723160

Read the help desk incident record 723160.

Task 2: Update the Plan of Action section


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.


Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
    o User name: Adatum\Administrator
    o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod06\Scenario2.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Test whether gpupdate works.
2. Attempt to resolve the problem by using your knowledge of Group Policies, and by using the tools available for troubleshooting GPOs and their application on client computers.
3. Update the Resolution section of the Incident Record.
4. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.

To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you will have successfully resolved GPO application issues.

To prepare for the next lab


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1 and 20688D-LON-CL3.

Module Review and Takeaways


Review Questions
Question: Do you use loopback policy processing in your organization? In which scenarios
and for which policy settings can loopback policy processing be helpful?
Question: Your organization has a computer lab that it uses for training. When users log
on to computers in this lab, they should only have lab-specific settings. The instructor in
the lab this week is indicating that users are not seeing the default home page for the web
application that they are using for training. You know that a new GPO for the lab was
created last Friday. What is the most likely cause of this problem?
Question: A new user in accounting has called the help desk indicating that she does not
have the standard drive mappings for the accounting department. These drive mappings are
configured by using Group Policy Preferences. What is the most likely cause of this problem?


Module 7
Troubleshooting User Settings
Contents:
Module Overview
Lesson 1: Troubleshooting Sign-in Issues
Lab A: Troubleshooting Sign-in Problems
Lesson 2: Troubleshooting the Application of User Settings
Lab B: Troubleshooting the Application of User Settings
Module Review and Takeaways

Module Overview

Users should be able to sign in quickly to gain access to their resources. When their personal settings
also are available on their Windows 8.1 device, this simplifies the user's experience with the Windows
operating system environment. In this module, you will examine problems that can occur when users sign
in, and you will also learn about how to troubleshoot the application of user settings.

Objectives
After completing this module, you will be able to:

Troubleshoot user sign-in issues.

Troubleshoot the application of user desktop settings.

Lesson 1

Troubleshooting Sign-in Issues


To troubleshoot the sign-in process successfully, you must have a thorough understanding of the process,
including how Windows 8.1 uses cached credentials, and Active Directory Domain Services (AD DS)
password and user policies. Additionally, you must be aware of the methods that you can use to identify
the cause of sign-in problems.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the sign-in process.

Explain cached credentials.

Describe potential problems in the sign-in process.

Explain password policies and user properties that can impact the sign-in process.

Describe methods to identify sign-in errors.

The Sign-in Process


The sign-in process authenticates both the
computer and user accounts. AD DS domain
controllers perform the authentication:

During the startup process for computer accounts.

When the user signs in for user accounts.

At startup, a computer queries the configured Domain Name System (DNS) server to discover
domain controllers that are available to perform authentication. If you configure your AD DS sites
properly, a computer uses domain controllers in the local physical location for authentication,
which is much faster than authenticating to a domain controller in another physical location.

If you do not configure the list of DNS servers on a Windows 8.1 computer appropriately, it cannot obtain
a list of domain controllers, and the following events might occur:

Authentication fails. The user is unable to access the local computer or network resources.

Windows 8.1 uses cached credentials. The user is able to access the local computer and might be able
to access some network resources.

Authentication is very slow but successful. This occurs when a suitable domain controller is on the
local subnet, and the client computer can locate the domain controller only by using NetBIOS
broadcasts.

Note: NetBIOS is a legacy session management protocol and is no longer required in Windows 8.1.

During the sign-in process, Windows assigns a security token to both the computer and the user accounts.
The security token contains a list of groups of which the computer or user account is a member. Windows
uses this list of groups to identify permissions when the computer or user attempts to access resources. If
you add a computer or user account to a group, you must ensure that you reauthenticate the account to
update the security token with group membership.
Note: To reauthenticate a computer, you must restart the computer. To reauthenticate the
user account, the user must sign out and then sign in again.

Cached Credentials
Cached credentials allow users to authenticate to a local computer by using domain credentials when a
domain controller is unavailable to perform authentication. Cached credentials are particularly useful
for a roaming user who works on a laptop computer. When you use cached credentials, the user can sign
in to a local computer by using the cached domain sign-in credentials, even when the user's computer is
not connected to the domain. Users must have cached credentials to access offline files and folders
when they are not connected to the network.

When a domain controller is available and a user signs in to a Windows 8.1 computer successfully,
Windows 8.1 creates and stores cached credentials locally. Windows 8.1 updates cached credentials each
time a user signs in to the domain.
Note: If users have not authenticated successfully to the domain from a computer since
their last password change, the cached credentials still contain the previous password. Users must
sign in by using the previous password when they use those cached credentials.

If a user does not have cached credentials on a computer, and the domain controller is unavailable,
Windows 8.1 cannot authenticate the user. By default, Windows 8.1 caches the credentials of the last 10
user accounts to sign into a specific computer. You can modify this number by using one of the following
two options:

Edit the registry. You can edit the registry value, which is located at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\cachedlogonscount.

Use Group Policy. You can use a Group Policy setting, which is located at
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon: Number of previous sign-ins to cache.
By setting this value to zero, you disable cached logons.

The default number of cached credentials that Windows 8.1 can store is 10. However, you can configure
Windows 8.1 to store up to a maximum of 50 cached credentials. If you set the number of cached
credentials to zero, Windows 8.1 must contact a domain controller before users can obtain access to the
local computer.

Considerations for the Sign-In Process


Users must be able to sign in successfully so
that they can access the files, printers, and other
resources that they require to do their jobs. There
are a wide variety of reasons that a user might not
be able to sign in. Some of the sign-in problems
that users might experience include:

Incorrect password. Many users accidentally type in the wrong password or forget their password. For
example, users commonly forget their password after being forced to change it. In this scenario, you
may need to reset the user password.

Locked account. If a user attempts to sign in with an incorrect password too often, the account
is locked for a period of time. When the account is locked, the user is unable to sign in even with
the correct password. When an account is locked, it can be unlocked by an administrator with
appropriate Active Directory permissions, or the user can wait until the account unlocks automatically,
which is typically after 15 to 30 minutes.

Expired account. The user accounts for many contract workers are configured to expire on the date
when the contract ends. Sometimes contracts are renewed and the expiration date on the account is
not updated. After the expiration date, the users cannot sign in, so the expiration date of the user
account must be changed.

Deleted account. User accounts that are deleted accidentally by network administrators must be
undeleted (if the feature has been configured from the Active Directory Recycle Bin), restored from a
backup, or re-created.

Signing in with a local account. Ensure that users with domain user accounts are logging on to the
domain.

Using a Microsoft account. As when using a local account, ensure that if users have a domain account,
they use the domain account rather than a Microsoft account.

Corrupted computer account. When a computer account is no longer valid for a domain, users
cannot use that computer account to access domain resources because the computer is not trusted
by the domain. To resolve this problem, reset the computer account to rejoin the computer to the
domain.

Incorrect DNS settings. When a computer is configured to use an incorrect DNS server, the computer
cannot find domain controllers to perform the sign-in process. To resolve this problem, configure the
computer to use an appropriate DNS server.

General networking problems. Network connectivity issues can make domain controllers unavailable
to service user sign-in requests.

Configuring Password Policies and User Properties


In a corporate environment, password policies define the configuration of user passwords. AD DS stores
user accounts, which network administrators or other support staff, such as help desk employees,
manage.

Using Group Policy to Configure Password Policies

Although domain administrators configure password policies, you should know the available password
policy options so that you recognize when they are affecting users' ability to sign in. You configure
password policies in Group Policy, which contains settings for account lockout. When you enable account
lockout, a user who attempts to sign in using an incorrect password is locked out after a defined
number of attempts. Remember that account lockouts can occur based on sign-in attempts to any system
that authenticates users to AD DS. The most common scenario is users signing in at workstations, but
account lockout also applies to applications such as Microsoft Outlook Web App.
The following table lists important Group Policy settings that can affect the user sign-in process.
These settings are located at Computer Configuration\Windows Settings\Security Settings\Account Policies.
| Setting | Description | Default setting |
| --- | --- | --- |
| Password Policy\Enforce password history | When you enable enforce password history, users cannot reuse passwords. | By default, Group Policy remembers 24 passwords. |
| Password Policy\Maximum password age | Maximum password age is the longest span of time that a password can exist before it must be changed by the user. | By default, users must change their password every 42 days. |
| Password Policy\Minimum password age | Minimum password age is the minimum amount of time that a user must keep a password. | By default, users must keep a password for one day. This prevents users from cycling quickly through a list of passwords and defeating the password history requirement. |
| Password Policy\Minimum password length | Minimum password length is the minimum number of characters required for the password used by domain users. | By default, a minimum length of seven characters is required. |
| Password Policy\Passwords must meet complexity requirements | If you enable this, passwords must meet complexity requirements. Users must create complex passwords that include uppercase and lowercase characters, numbers, and symbols. | Three of the four elements must be present. This is enabled by default. |
| Account Lockout Policy\Account lockout threshold | This defines the number of invalid sign-in attempts that users can make before Windows locks their account. When you enable Account Lockout threshold, you can define the period within which the invalid attempts must occur, and how long the account remains locked. | The default value is 0, which means accounts never become locked. |

User Account Settings That Can Affect the Sign-in Process

Each user account has settings that are relevant to the sign-in process. You need to be aware of these
settings so that you can identify them as potential sources of sign-in issues, and then escalate the issue to
the appropriate group in your organization.
| Setting | Description |
| --- | --- |
| User logon name | This is the user name that should be used when signing in. |
| Unlock account | If an account is locked due to invalid sign-in attempts, use this check box to unlock the account. |
| User must change password at next logon | When you enable this setting, the user must change his or her password during the next sign in. If the user does not change their password, he or she may not be able to sign in. |
| User cannot change password | If you enable this setting, the user cannot change their password. This setting overrides any requirements to change a password in the domain password policy. You typically use this setting only for service accounts. |
| Password never expires | When you enable this setting, users cannot be forced to change their password. This setting overrides any requirements to change a password in the domain password policy. This setting often is used for service accounts, but may also be used for some users who are exempt from changing passwords. |
| Account is disabled | Enabling this setting prevents users from signing in and using this account. You typically use this setting when an employee is out of the office for a long period of time, or when an employee is terminated. |
| Smart card is required for interactive logon | When you enable this setting, a user is required to use a smart card to perform sign ins. Requiring a smart card enhances security in environments with infrastructure to support smart card-based sign ins. |
| Account expires | This setting allows configuration of a date after which an account is disabled. You typically use this setting only for contract employees or other temporary staff. |
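
The account settings and lockout policy described above can be read in one pass from Windows PowerShell. The following is an added example, not part of the courseware: the function name Get-SignInBlocker and the account name in the usage comment are hypothetical, and it assumes the ActiveDirectory module from RSAT is installed and that no fine-grained password policy overrides the default domain policy.

```powershell
# Added example (not courseware code). Requires the ActiveDirectory module (RSAT).
# Get-SignInBlocker is a hypothetical helper name.
Import-Module ActiveDirectory

function Get-SignInBlocker {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity    # sAMAccountName, distinguished name, GUID, or SID
    )

    $properties = 'Enabled', 'LockedOut', 'AccountExpirationDate', 'PasswordExpired',
                  'PasswordNeverExpires', 'CannotChangePassword', 'SmartcardLogonRequired',
                  'PasswordLastSet', 'BadLogonCount', 'LastBadPasswordAttempt'
    $user     = Get-ADUser -Identity $Identity -Properties $properties
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $now      = Get-Date
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # "Account is disabled"
    if (-not $user.Enabled) {
        $findings.Add('Account is disabled.')
    }

    # "Unlock account": a lockout duration of zero means an administrator must unlock it.
    if ($user.LockedOut) {
        if ($policy.LockoutDuration -eq [TimeSpan]::Zero) {
            $findings.Add('Account is locked until an administrator unlocks it (Unlock-ADAccount).')
        } else {
            $minutes = [int]$policy.LockoutDuration.TotalMinutes
            $findings.Add("Account is locked. Policy unlocks it after $minutes minutes, or use Unlock-ADAccount.")
        }
    }

    # "Account expires"
    if ($user.AccountExpirationDate -and $user.AccountExpirationDate -le $now) {
        $findings.Add("Account expired on $($user.AccountExpirationDate.ToString('yyyy-MM-dd')).")
    }

    # "User must change password at next logon" shows up as an empty PasswordLastSet.
    if ($null -eq $user.PasswordLastSet) {
        $findings.Add('User must change password at next logon (or no password has been set).')
    } elseif ($user.PasswordExpired) {
        $findings.Add('Password has expired under the maximum password age policy.')
    } elseif (-not $user.PasswordNeverExpires -and $policy.MaxPasswordAge -gt [TimeSpan]::Zero) {
        $expires = $user.PasswordLastSet + $policy.MaxPasswordAge
        if ($expires -lt $now.AddDays(7)) {
            $findings.Add("Password expires soon: $($expires.ToString('yyyy-MM-dd')).")
        }
    }

    # "Smart card is required for interactive logon"
    if ($user.SmartcardLogonRequired) {
        $findings.Add('Smart card is required for interactive logon; password sign-in is refused.')
    }

    [pscustomobject]@{
        SamAccountName         = $user.SamAccountName
        Enabled                = $user.Enabled
        LockedOut              = $user.LockedOut
        BadLogonCount          = $user.BadLogonCount          # per domain controller, not replicated
        LastBadPasswordAttempt = $user.LastBadPasswordAttempt
        LockoutThreshold       = $policy.LockoutThreshold     # 0 means accounts never lock
        PasswordNeverExpires   = $user.PasswordNeverExpires
        CannotChangePassword   = $user.CannotChangePassword
        Findings               = $findings.ToArray()
    }
}

# Usage ('jdoe' is a constructed account name):
# Get-SignInBlocker -Identity 'jdoe' | Format-List
```

An empty Findings list means none of these account-level settings explains the failure, so the next step is the computer and network side of the sign-in process.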

Methods to Identify Sign-in Errors


You can quickly resolve most errors related to sign-in once you identify the problem. You can use the
following methods and tools to help troubleshoot sign-in errors:

On-screen errors. Most user sign-in errors provide an accurate description on the screen. However,
many users may not interpret these messages correctly. Often, viewing the error yourself is more
accurate than relying on a user's description of it.

Active Directory Users and Computers. You can use this tool to verify the user's sign-in name and
whether the account is disabled. You also can use this tool to unlock the account and reset the
password, if necessary.

Note: You can also use Windows PowerShell to query user account status and to reset
these properties. For example, use the Get-ADUser cmdlet to retrieve user account properties,
the Unlock-ADAccount cmdlet to unlock a user account, and the Set-ADUser -Enabled $true
cmdlet to enable a user account.
If you wish to use these cmdlets from a Windows 8.1 client computer, install Remote Server
Administration Tools (RSAT) on that computer to install the necessary Windows PowerShell
cmdlets.

Event logs. You can use Event Viewer to view event logs that may give some indication of why a
sign-in error is occurring. The Security logs on a computer or on a domain controller indicate if
authentication errors are occurring. The computer's System log indicates if the computer account is
not authenticating correctly.

If a user is able to sign in but is unable to access network resources, the sign-in process might be using
the user's cached credentials. If this happens, you should verify network connectivity for the computer,
and verify that the computer account is authenticating properly.

If your organization does not restrict user sign in to specific computers, the user can attempt to sign in to
a second computer, which identifies whether the authentication issue pertains to a specific computer. You
can use the results of this test to limit your troubleshooting to appropriate items. For example, if the issue
is not computer-specific, then it is not a local computer configuration issue.
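
The client-side checks from this lesson (DNS discovery of domain controllers, computer account authentication, cached credentials, and the System log) can be gathered in one function. This is an added example, not part of the courseware: Test-DomainSignInPath is a hypothetical name, and it assumes an elevated Windows PowerShell prompt on the affected domain-joined client.

```powershell
# Added example (not courseware code). Run on the affected client from an elevated
# Windows PowerShell prompt. Test-DomainSignInPath is a hypothetical name.
function Test-DomainSignInPath {
    [CmdletBinding()]
    param(
        # DNS name of the AD DS domain. Defaults to the domain the computer is joined to.
        [string]$DomainName = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    )

    $notes = New-Object 'System.Collections.Generic.List[string]'

    # 1. DNS servers the client is configured to use.
    $dnsServers = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } | Select-Object -Unique)

    # 2. The SRV lookup a client uses to discover domain controllers.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $domainControllers = @()
    try {
        $domainControllers = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
            Where-Object { $_.QueryType -eq 'SRV' } |
            ForEach-Object { $_.NameTarget })
    } catch {
        $domainControllers = @()
    }
    if ($domainControllers.Count -eq 0) {
        $notes.Add("No domain controllers found through $srvName. " +
                   "Check the DNS server list: $($dnsServers -join ', ').")
    }

    # 3. Computer account authentication (the trust relationship with the domain).
    $secureChannel = $false
    try {
        $secureChannel = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    } catch {
        $secureChannel = $false
    }
    if ($domainControllers.Count -gt 0 -and -not $secureChannel) {
        $notes.Add('Domain controllers are discoverable but the computer account is not ' +
                   'authenticating. Reset the computer account or rejoin the domain.')
    }

    # 4. Number of sign-ins that Windows caches (stored as a string value).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $raw = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
                -ErrorAction SilentlyContinue).CachedLogonsCount
    $cachedLogons = if ($null -ne $raw) { [int]$raw } else { 10 }   # 10 is the default
    if ($cachedLogons -eq 0) {
        $notes.Add('Cached logons are disabled; users cannot sign in without a domain controller.')
    }

    # 5. Recent Netlogon errors and warnings in the System log.
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Level = 2, 3
                 StartTime = (Get-Date).AddDays(-1) }
    $netlogonEvents = @(Get-WinEvent -FilterHashtable $filter -MaxEvents 5 `
                            -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message)

    [pscustomobject]@{
        Domain             = $DomainName
        DnsServers         = $dnsServers
        DomainControllers  = $domainControllers
        SecureChannelValid = $secureChannel
        CachedLogonsCount  = $cachedLogons
        NetlogonEvents     = $netlogonEvents
        Notes              = $notes.ToArray()
    }
}

# Usage:
# Test-DomainSignInPath | Format-List
```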

Lab A: Troubleshooting Sign-in Problems


Scenario
A number of users have reported various problems with signing in to the corporate network. These
problems have been recorded by the help desk, and are being escalated to you for resolution.

Objectives
After completing this lab, you will be able to:

Resolve sign-in problem 1.

Resolve sign-in problem 2.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following procedure:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Adatum

5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Exercise 1: Resolving Sign-in Problem 1


Scenario

A user has reported that she cannot sign in from her laptop, LON-CL1. You have been assigned the help
desk incident record and are assigned to resolve the problem.
Incident Record
Incident Reference Number: 723411
Date of Call: November 5
Time of Call: 09:27
User: Alex Darrow (Marketing Department)
Status: OPEN

Incident Details
Alex cannot sign in to her laptop this morning. An error message displays: The trust relationship
between this workstation and the primary domain failed.

Additional Information
Alex has not been in the office for a while, but sign-in worked fine last time she was here.
No one else is affected by the problem.
I reset her user account password, and that has made no difference.
I checked that the domain controller LON-DC1 is online, and it is fine.
The local account, LON-CL1\Admin (password is Pa$$w0rd), might be useful for troubleshooting this
computer.
Plan of Action

Resolution

The main tasks for this exercise are as follows:

1. Read the help desk Incident Record for incident 723411.

2. Update the Plan of Action section of the Incident Record.

3. Simulate the problem.

4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for incident 723411

Read the help desk incident record 723411.

Task 2: Update the Plan of Action section of the Incident Record

1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem

1. Switch to LON-CL1.

2. Sign in by using the following credentials:

User name: Adatum\Administrator

Password: Pa$$w0rd

3. Run the D:\Labfiles\Mod07\Scenario1.vbs script.

4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem

1. Attempt to resolve the problem by using your knowledge of potential sign-in problems, and by using
the tools that you can use to troubleshoot those problems.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.

To repeat or exit the exercise, revert the virtual machine environment, and begin again.

Results: After you have completed this exercise, you should have resolved the sign-in problem.

Exercise 2: Resolving Sign-in Problem 2


Scenario

Aidan, one of the senior managers, has called the help desk to report a problem signing in. You have been
assigned to resolve this problem. He has called the help desk twice since the call was logged, so it is
urgent that you resolve the issue.
Incident Record
Incident Reference Number: 723423
Date of Call: November 6
Time of Call: 13:47
User: Aidan Delaney (Manager)
Status: OPEN

Incident Details
Aidan called to report a problem signing in. Turns out that quite a few of the management team are
experiencing problems. Error message: There are currently no logon servers available to service the
logon request.
Additional Information
The management team computers are connected to their own subnet with their own local domain
controller, LON-DC1.
Some of the management team can still sign in, but most cannot.
You may need the local account LON-CL1\Admin (password is Pa$$w0rd) to sign in at Mr. Delaney's
computer.
A few network-related issues were reported in that subnet this morning, with failure to locate
resources by URL name.
Plan of Action

Resolution

The main tasks for this exercise are as follows:

1. Read the help desk Incident Record for incident 723423.

2. Update the Plan of Action section of the Incident Record.

3. Simulate the problem.

4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for incident 723423

Read the help desk incident record 723423.

Task 2: Update the Plan of Action section of the Incident Record

1. Read the Additional Information section of the Incident Record.

2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem

1. Switch to LON-CL1.

2. Sign in by using the following credentials:

User name: Adatum\Administrator

Password: Pa$$w0rd

3. Run the D:\Labfiles\Mod07\Scenario2.vbs script.

4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem

1. Attempt to resolve the problem by using your knowledge of potential sign-in problems, and by using
the tools that you can use to troubleshoot those problems.

2. Update the Resolution section of the Incident Record.

3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.

To repeat or exit the exercise, revert the virtual machine environment and begin again.

Results: After you have completed this exercise, you should have resolved the sign-in problem.

To prepare for the next lab

When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lesson 2

Troubleshooting the Application of User Settings

User profiles contain user settings that configure a computer for use by a specific user. In some cases,
you can configure roaming profiles to enable a user to retain their settings when they work on more than
one computer. To configure computers correctly for users, you must understand user profiles and how to
troubleshoot them. Some organizations implement Folder Redirection. It is important that you understand
this technology, how it impacts user settings, and how to troubleshoot it.

Lesson Objectives
After completing this lesson, you will be able to:

Describe user profiles and their contents.

Describe roaming user profiles.

Identify user account settings that synchronize with a Microsoft account.

Describe considerations for user profile issues.

Explain Folder Redirection.

Describe considerations for Folder Redirection problems.

User Profiles and Their Contents


A user profile is a collection of user-specific settings in Windows 8.1. Each user has a folder in
C:\Users that contains the user's profile. The profile folders in C:\Users are named after the user
account. For example, if the user account is Adam, the profile folder is C:\Users\Adam. In some cases,
you can append the domain's name to the profile if the account name conflicts with an existing local
user, such as C:\Users\Administrator.Adatum.
A user profile contains:

User part of the registry. User profiles contain a file called NTuser.dat. This file is the user
part of the registry. When the user signs in, this file is loaded by the Windows operating system, and
is mapped to the HKEY_CURRENT_USER registry subtree. NTuser.dat contains user settings such as
desktop background and screen-saver settings.

Set of folders. For each user who signs in, a separate subfolder with the user's name is created in the
Users folder. This folder is a container for applications, user settings, and data that are organized in
the following various subfolders:

Application configuration files (AppData)

Desktop

Favorites

Documents

Downloads

My Music, My Pictures, My Videos

Other folders that specific applications create

Windows 8.1 also has a public profile that it stores in C:\Users\Public. All user profiles include the contents
of this public profile when a user logs on. For example, if you create a shortcut in C:\Users\Public\Desktop,
it displays on the desktop of all users who sign in to that computer. For this reason, some applications
store system-wide configuration information in the public profile.

Roaming User Profiles


Windows 8.1 profiles are local by default, which means that Windows 8.1 stores them only on the local
computer. If a user logs on to a second computer, the user's settings are not configured on the second
computer, and any profile customization is not available. For example, application configurations,
such as the one for Microsoft Office Outlook or customizations in Microsoft Word, are not available on
the new computer.

You can use roaming profiles to allow users to roam between computers and still access their
configuration settings. A network file share stores the roaming profile, and when a user signs into a new
computer, Windows 8.1 copies the roaming profile from the network file share to the local computer.
When the user signs out, Windows 8.1 saves the profile locally, and then uploads it to the network file
share.

Configuring a Roaming Profile

To configure a user's roaming profile, provide a profile path in the user account properties. If you copy a
profile, be sure to use the Copy To functionality in the Profiles window of Advanced System Settings. This
ensures that Windows 8.1 updates the security permissions, which allows other users to access the profile.
Note: A mandatory profile is a read-only roaming user profile. You can use a mandatory
profile to ensure that users do not change configuration settings. When the user signs in,
Windows copies the mandatory profile from the server to the local computer, in the same
manner as a standard roaming user profile. However, when the user signs out, Windows discards
any profile changes. In most cases, multiple users share a mandatory roaming profile. Instead of
using mandatory profiles, most organizations use Folder Redirection to achieve a standard
desktop.

User Settings That Synchronize with a Microsoft Account


You can use a Microsoft account to sign into your
Windows 8.1 computer instead of using a local
account or a domain account. In fact, some
features of Windows 8.1 require that you use a
Microsoft account. For example, saving your files
to Microsoft OneDrive (formerly known as
SkyDrive) requires that you identify yourself by
using your Microsoft account.
Note: You can link your Microsoft account
to your domain account. This enables you to sign
in with the domain account and still use online
features such as accessing the Windows Store and using OneDrive.
When you use a Microsoft account, you can synchronize some of your Windows settings between the
Windows 8.1 devices that you use. These settings include:

Start screen

Appearance

Desktop personalization

Installed apps

Passwords for apps, websites, and networks

App data

Language preferences

Ease of access settings

Web browser settings

When you first use your Microsoft account on a device, you can configure which of these settings you
wish to synchronize on the device. To do this, select Change PC settings from the Settings charm, and
then click Sync your settings.
Note: Network administrators can use a Group Policy Object (GPO) to restrict which of these
settings can be synchronized. To control synchronization, open the Group Policy Management
Editor for the appropriate GPO, and then navigate to
Computer Configuration\Policies\Administrative Templates\Windows Components\Sync your settings.

Considerations for Issues with User Profiles


Because user profiles contain the user-specific
configuration settings for Windows 8.1, user
profile configuration has a high impact on user
satisfaction. If user profiles are not working
correctly, the user might not have access to
settings such as drive mappings, desktop
shortcuts, and application settings. Some of the
issues that can occur that relate to user profiles
include:

Slow sign-ins. If roaming user profiles are implemented, sign-ins may be significantly slower. This is
because the profile is copied from the network during part of the sign-in process. This is typically a
problem only when users store large files in the profile, such as on the desktop or in a local
Documents folder.

Corrupted roaming profiles. A corrupted roaming profile results when there are problems saving
changes to a roaming profile during sign out. Typically this occurs because an application has not
closed correctly. When a profile is corrupted, it might not be updated the next time a user signs in, or
the user may receive a prompt asking whether to use the local profile or the network profile.

Default profiles do not have corporate standard settings. The first time users sign in, their profile is
created from the default profile. The default profile on a computer does not contain application
settings and customizations, such as a default save location in Microsoft Word. As a result, the user
profile must be updated after it is created.

Machine-specific settings do not roam. Whereas a roaming user profile enables user settings to move
between computers, the roaming user profile does not contain any computer-specific settings such as
applications or hardware drivers. Some user settings, such as shortcuts to applications, might not be
valid on all computers to which a user signs in. Invalid shortcuts still display, but they have an icon
indicating that they are invalid. Registry settings for non-existent applications are ignored.
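
To see which profiles on a computer are roaming or flagged as corrupted, and how much data sits in the folders that slow down roaming sign-ins, you can query the Win32_UserProfile class. This is an added example, not part of the courseware: Get-UserProfileReport is a hypothetical name, the Status bit values follow the Win32_UserProfile class documentation, and it assumes an elevated Windows PowerShell prompt so that other users' folders can be read.

```powershell
# Added example (not courseware code). Get-UserProfileReport is a hypothetical name.
function Get-UserProfileReport {
    [CmdletBinding()]
    param(
        # Profile subfolders to measure; large Desktop and Documents folders slow roaming sign-ins.
        [string[]]$FoldersToMeasure = @('Desktop', 'Documents')
    )

    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |      # skip system and service profiles
        ForEach-Object {
            $p = $_

            # Status is a bit field: 1 Temporary, 2 Roaming, 4 Mandatory, 8 Corrupted.
            $state = @()
            if ($p.Status -band 1) { $state += 'Temporary' }
            if ($p.Status -band 2) { $state += 'Roaming' }
            if ($p.Status -band 4) { $state += 'Mandatory' }
            if ($p.Status -band 8) { $state += 'Corrupted' }
            if ($state.Count -eq 0) { $state = @('Local') }

            # Resolve the SID to an account name; deleted accounts leave unresolvable SIDs.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = "(unresolved) $($p.SID)"
            }

            $row = [ordered]@{
                Account     = $account
                LocalPath   = $p.LocalPath
                State       = $state -join ', '
                RoamingPath = $p.RoamingPath
                Loaded      = $p.Loaded
                LastUseTime = $p.LastUseTime
            }

            foreach ($folder in $FoldersToMeasure) {
                $path  = Join-Path -Path $p.LocalPath -ChildPath $folder
                $bytes = 0
                if (Test-Path -LiteralPath $path) {
                    $bytes = (Get-ChildItem -LiteralPath $path -Recurse -Force -File `
                                  -ErrorAction SilentlyContinue |
                        Measure-Object -Property Length -Sum).Sum
                }
                $row["${folder}MB"] = [math]::Round(($bytes / 1MB), 1)
            }

            [pscustomobject]$row
        }
}

# Usage:
# Get-UserProfileReport | Sort-Object DocumentsMB -Descending | Format-Table -AutoSize
```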

Overview of Folder Redirection


Folder Redirection stores some user profile folders
on a network file share instead of in the local
profile. Unlike roaming profiles, the folders are not
synchronized between the network file share and
the local computer. The content for redirected
folders exists only on a network file share. This
means that large amounts of data can exist in a
redirected folder without affecting sign-in times.
Some reasons to use folder redirection include:

Ensuring the Documents folder is backed up. Many users save documents in their Documents folder by
default. If this is on the local hard drive, Windows 8.1 might never back up these files. However, you
can redirect the contents of the Documents folder to a home folder or a shared network drive.

Minimizing the size of roaming profiles. Redirecting folders removes them from a roaming profile.
This reduces the size of roaming profiles, which results in better sign-in performance.

You can configure Folder Redirection manually or by using a GPO. For example, for the Documents folder,
you can configure redirection on the Location tab in the properties of the Documents folder, or by using a
GPO.
When you redirect a folder, you have the option to copy the files from the current location to the new
location. If you forget to copy the files, they will not be available to the user.
Note: If you forget to copy the files, the files continue to exist in the old location, and users
can copy them at a later time.

Configuring Folder Redirection

Although a network administrator typically enables and configures Folder Redirection, it is important that
you understand the basics of configuring this feature.

You use GPOs to configure Folder Redirection. To configure Folder Redirection, open Group Policy
Management, locate the appropriate GPO, and then open it for editing. Next, expand the User
Configuration node, expand Windows Settings and then expand Folder Redirection. You can select
each folder in turn and configure its redirection settings. When you have finished, the Folder Redirection
settings will apply to those users whose user accounts are stored either in a container to which this GPO is
linked, or in a container that inherits the GPO settings from a parent container.
Note: For more information on how to apply and filter GPOs, refer to Module 6.

The main folders that you can redirect are Desktop and Documents. You can then configure the Pictures,
Music, and Videos folders to follow the location you configure for Documents.
When you configure Folder Redirection, you have a number of options, including:

Basic Redirection. In this option, by default, each user is given exclusive access to a subfolder that is
created off the configured root folder for the redirection. For example, you may choose a folder
called \\LON-DC1\USERS as the Root Path. Each user would be granted full control over a subfolder
created with their name underneath this root. For example: \\LON-DC1\Users\Adam.

Advanced Redirection. With Advanced Redirection, you can specify a different redirection for each
security group affected by the folder redirection policy. For example, you might add the Sales
group and the Marketing group to the redirection policy, with each using a different UNC path:
\\LON-DC1\Sales and \\LON-DC1\Marketing, for instance. Beneath these folders, by default, a folder
for each user account within the group is created. Again, that user is granted exclusive access to her
or his own subfolder.

Note: There are more options that you can configure, but these are outside the scope of
this course.
When you configure Folder Redirection, the optimal method is to create the subfolder structure and
shared folder structure before you configure the GPO's folder redirection. This results in the correct
configuration of folder permissions.


What Problems Can Occur with Folder Redirection?


Folder Redirection offers many benefits to
network administrators who wish to configure
and manage user settings. However, sometimes
the settings do not apply properly.
The most obvious issues that can affect Folder
Redirection are the generic problems that can also
affect the application of GPOs. If folder redirection
settings do not apply correctly, verify that GPOs
are applying correctly, and if necessary, use the
GPO troubleshooting tools and techniques
discussed in Module 6, Troubleshooting Group
Policy.
Some common reasons for GPO application failures include:

A GPO with user settings is not linked to a location where the user account resides.

A GPO with computer settings is not linked to a location where the computer account resides.

A computer is not able to communicate with a domain controller to download the GPO due to:
o Network communication problems.
o Incorrect time settings on the client computer.
o Corrupted computer accounts.

Client-side extension problems.

Note: Client-side extensions run on client computers to process GPOs. Different client-side
extensions process different GPO settings. For example, a client-side extension exists to process
Group Policy Preferences.

A GPO was not properly tested and/or is configured incorrectly.

AD DS replication or SYSVOL replication is not functioning between domain controllers that are
handling the distribution of the GPOs to client computers.

Processing exceptions are preventing the GPO from processing, including:
o Blocked inheritance
o Enforcement
o Link order
o Windows Management Instrumentation (WMI) filtering

If the problem does not relate to GPO application, then consider whether the folder redirection policy has
been set up correctly, and whether the users and groups that use the policy have the correct file
permissions on the redirected folders.

When Folder Redirection is first established, the current contents of the users' local folders are copied to
the new location by default. If users claim that files are missing, verify whether the files were copied, and if
so, whether they were copied to the correct location.
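The checks described above can be scripted for the signed-in user. This is an added example, not part of the course material; the function name Test-DocumentsRedirection is hypothetical, and the default root path is an assumption taken from the Basic Redirection illustration earlier in this lesson.

```powershell
# Added example (not from the course). The default $ExpectedRoot is an assumption:
# the Basic Redirection root path that the text uses as an illustration.
function Test-DocumentsRedirection {
    param([string]$ExpectedRoot = '\\LON-DC1\Users')

    $user = "$env:USERDOMAIN\$env:USERNAME"

    # The shell records the effective Documents location in the 'Personal' value.
    $key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $raw  = (Get-ItemProperty -Path $key -Name Personal).Personal
    $path = [Environment]::ExpandEnvironmentVariables($raw)

    # Is the target reachable, and does the user hold Full Control on it?
    $reachable   = Test-Path -LiteralPath $path
    $fullControl = $false
    if ($reachable) {
        $full = [System.Security.AccessControl.FileSystemRights]::FullControl
        # Only explicit entries for the user are checked; access that is granted
        # through a group membership is not detected here.
        $fullControl = [bool]((Get-Acl -LiteralPath $path).Access | Where-Object {
            $_.IdentityReference.Value -eq $user -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full
        })
    }

    # Files still present in the local profile folder suggest that the copy to
    # the new location did not happen or did not finish.
    $local      = Join-Path $env:USERPROFILE 'Documents'
    $leftBehind = 0
    if ((Test-Path -LiteralPath $local) -and ($local -ne $path)) {
        $leftBehind = @(Get-ChildItem -LiteralPath $local -Recurse -File -Force `
                            -ErrorAction SilentlyContinue).Count
    }

    [pscustomobject]@{
        User               = $user
        DocumentsPath      = $path
        IsRedirected       = $path.StartsWith('\\')
        UnderExpectedRoot  = $path.StartsWith($ExpectedRoot, [StringComparison]::OrdinalIgnoreCase)
        TargetReachable    = $reachable
        UserHasFullControl = $fullControl
        LocalFilesLeft     = $leftBehind
    }
}

Test-DocumentsRedirection | Format-List

# Confirm that the GPO carrying the redirection settings applied to the user.
gpresult /scope user /r
```

A path that is not under the expected root, or a reachable target without Full Control for the user, points to the policy or the share permissions rather than to GPO application.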

Lab B: Troubleshooting the Application of User Settings


Scenario
User settings for the marketing department are not as expected. You must investigate the problem and
resolve it as quickly as possible.

Objectives
After completing this lab, you will be able to:

Resolve a Folder Redirection problem.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:


1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Exercise 1: Resolving Folder Redirection Problem (1)


Scenario

You have been asked to examine the problem in a help-desk incident record that the help-desk staff have
been unable to resolve. You must determine a course of action and then attempt resolution.
Incident Record
Incident Reference Number: 723425
Date of Call: November 7
Time of Call: 08:42
User: Boris Gresak (Marketing Department)
Status: OPEN

Incident Details
Boris reports that his Documents folder is not available.

Additional Information
All servers are operational, and other departments are not affected.
Boris cannot see his old files, and new files are showing as offline and not synced.
Suspect that the culprit is Folder Redirection.
Plan of Action

Resolution

The main tasks for this exercise are as follows:


1. Read the help-desk Incident Record for incident 723425.
2. Update the Plan of Action section of the Incident Record.
3. Create the Folder Redirection infrastructure and then simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help-desk Incident Record for incident 723425

Read the help-desk incident record 723425.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Create the Folder Redirection infrastructure and then simulate the problem
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod07\Scenario3.vbs script. Wait until the script completes.
4. On the desktop, double-click Administrative Tools.
5. Double-click Group Policy Management.
6. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then right-click Adatum.com.
7. Click Create a GPO in this domain, and Link it here.
8. In the New GPO dialog box, in the Name text box, type Folder Redirection, and then click OK.
9. Right-click Folder Redirection, and then click Edit.
10. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand
Windows Settings, expand Folder Redirection, and then click Folder Redirection.
11. Right-click Documents, and then click Properties.
12. In the Documents Properties dialog box, in the Setting list, click Advanced - Specify locations for
various user groups.
13. Click Add.


14. In the Specify Group and Location dialog box, in the Security Group Membership text box, type
Marketing.
15. Press the Tab key.
16. In the Target Folder Location list, click Create a folder for each user under the root path.
17. In the Root Path text box, type \\lon-dc1\Departments\Marketing, and then click OK.
18. In the Documents Properties dialog box, click OK.
19. In the Warning dialog box, click Yes.
20. Close the Group Policy Management Editor.
Note: You will configure only the Marketing department for this lab.
21. Right-click Start, and then click Command Prompt.
22. At the command prompt, type gpupdate /force, and then press Enter.
23. When prompted, press Y, and then press Enter to close the Command window and sign out.
24. Sign in as Adatum\Boris with the password Pa$$w0rd.
25. Click Desktop.
26. Right-click the desktop, and then click Personalize.
27. In the Personalization window, click Change desktop icons.
28. In the Desktop Icons Settings dialog box, select the User's Files check box, and then click OK.
29. Close the Personalization window.
30. On the desktop, double-click Boris Gresak.
31. Right-click Documents, and then click Properties. Notice that the folder is redirected, and then
click OK.
32. Sign out.
33. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd

34. Run the D:\Labfiles\Mod07\Scenario3b.vbs script. Wait until the script completes.
35. Sign out.
36. Sign in by using the following credentials:
o User name: Adatum\Boris
o Password: Pa$$w0rd

37. Click Desktop.


38. On the desktop, double-click Boris Gresak.
39. Double-click Documents.
40. Right-click an area of free space, point to New, and then click Text Document. Press Enter.


41. Double-click New Text Document.


42. In Notepad, type This is my file, and then close the file.
43. Click Save when prompted.
44. In the Address bar, click Boris Gresak.
45. Right-click Documents, and then click Properties. Click the Offline Files tab.
46. Verify that the folder is showing as offline and not synced.
47. Sign out.

Task 4: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of Folder Redirection.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.

To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing the exercise, you should have resolved the Folder Redirection problem
successfully.

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Module Review and Takeaways


Review Questions
Question: You are distributing new laptop computers to executives in your organization. Is
any additional configuration required to allow them to sign in by using their domain user
account name and password when they are out of the office?
Question: What are common reasons for users being unable to sign in?


Module 8
Configuring and Troubleshooting Remote Connectivity
Contents:
Module Overview
Lesson 1: Troubleshooting VPN Connectivity Issues
Lesson 2: Troubleshooting NAP
Lab A: Configuring Network Access Protection Client Settings
Lesson 3: Troubleshooting DirectAccess
Lab B: Configuring and Testing DirectAccess
Module Review and Takeaways

Module Overview

It is becoming increasingly important for users to access corporate resources and applications remotely.
To better support these user needs, you must be familiar with virtual private networks (VPNs), Network
Access Protection (NAP), and DirectAccess. This module explains these technologies, describes common
problems with their implementation and usage, and then provides a number of possible mitigations for
those problems.

Objectives
After completing this module, you will be able to:

Troubleshoot VPN connections.

Troubleshoot NAP.

Configure and troubleshoot DirectAccess.

Lesson 1

Troubleshooting VPN Connectivity Issues


VPNs provide a secure way of accessing your internal data and applications from user devices that attach
to the Internet. To support a VPN environment within your organization, you must understand tunneling
protocols, VPN authentication, and server-side configuration options. This lesson describes these
technologies.

Lesson Objectives
After completing this lesson, you will be able to:

Describe VPNs.

Explain the various VPN tunneling protocols.

Explain the available authentication options for VPNs.

Describe how to use network policies to manage VPN connections.

Describe common error codes that are encountered while troubleshooting VPNs.

Explain how to apply best practice to troubleshoot VPNs.

Overview of VPNs
A VPN provides a connection between
components of a private network, through a
public network such as the Internet. Tunneling
protocols enable a VPN client to establish and
maintain a connection to a virtual port that is
listening on a VPN server.
To emulate the point-to-point link, the VPN
client encapsulates the data and prefixes it with a
header. The header provides routing information
that enables the data to traverse the shared or
public network to reach its endpoint.
To emulate a private link, the VPN client encrypts
data, which helps to ensure confidentiality. Without encryption keys, packets that are intercepted on a
shared or public network are indecipherable. The VPN client encapsulates and encrypts private data on
the private link, or on the VPN connection.
There are two types of VPN connections:

Remote access VPN

Site-to-site VPN

Remote Access VPN


Users who are working from home, at a customer site, or from a public wireless access point can use
remote access VPN connections to access a server on their organization's private network. The remote
access VPN connection uses the infrastructure that a public network provides, such as the Internet.

From a user's perspective, the exact infrastructure of the shared or public network is irrelevant because it
appears logically as if it is sending the data over a dedicated private link.


Site-to-Site VPN

Site-to-site VPN connections, which are also known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices, or between your office and another
organization over a public network. This helps maintain secure communications.

A routed VPN connection across the Internet operates logically as a dedicated wide area network (WAN)
link. When networks connect over the Internet, a router forwards packets across a VPN connection to
another router.
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a
routed connection to the network to which the VPN server is attached. The calling router (the VPN
initiator) authenticates itself to the answering router (the VPN responder). Then, if you use mutual
authentication, the answering router authenticates itself to the calling router.

In a site-to-site VPN connection, the packets sent from either router across the VPN connection typically
do not originate at the routers; in other words, the site-to-site connection is not visible to the computers
that use the link.

Properties of VPN Connections

VPN connections that use the Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol
with Internet Protocol security (L2TP/IPsec), and Secure Socket Tunneling Protocol (SSTP), have the
following properties:

Encapsulation. With VPN technology, private data is encapsulated with a header that contains routing
information that allows the data to traverse the transit network.

Authentication. Authentication for VPN connections takes the following three forms:

User-level authentication by using Point-to-Point Protocol (PPP) authentication. To establish the
VPN connection, the VPN server authenticates the VPN client that is attempting the connection
by using a PPP user-level authentication method, and verifies that the VPN client has the
appropriate authorization. If you use mutual authentication, the VPN client also authenticates
the VPN server.

Computer-level authentication by using Internet Key Exchange (IKE). To establish an IPsec
security association, the VPN client and the VPN server use the IKE protocol to exchange
either computer certificates or a preshared key. In either case, the VPN client and VPN
server authenticate each other at the computer level. We recommend computer-certificate
authentication because it is a much stronger authentication method than a preshared key.
Computer-level authentication is only performed for L2TP/IPsec connections.

Data origin authentication and data integrity. To verify that the data sent on the VPN connection
originated at the other end of the connection and was not modified in transit, the data contains a
cryptographic checksum based on an encryption key known only to the sender and the receiver.
Data origin authentication and data integrity are only available for L2TP/IPsec connections.

Data encryption. To ensure the confidentiality of data as it traverses the shared or public transit
network, the sender encrypts the data, and the receiver decrypts it. The encryption and decryption
processes depend on the sender and the receiver both using a common encryption key.

Packets that are intercepted in the transit network are unintelligible to anyone who does not have the
common encryption key. The encryption key's length is an important security parameter. You can use
computational techniques to determine the encryption key. However, such techniques require more
computing power and computational time as the encryption keys get larger. Therefore, it is important
to use the largest possible key size to ensure data confidentiality.

VPN Tunneling Protocols


PPTP, L2TP, and SSTP depend on the features
originally specified for PPP. PPP was designed to
send data across dial-up or dedicated point-to-point
connections. For IP, PPP encapsulates IP
packets within PPP frames, and then transmits the
encapsulated PPP packets across a point-to-point
link. PPP was defined originally as the protocol to
use between a dial-up client and a network access
server.

PPTP


You can use PPTP for remote access and site-to-site VPN connections. When using the Internet as
the VPN public network, the PPTP server is a PPTP-enabled VPN server with one interface on the Internet,
and a second interface on the intranet.
PPTP enables you to encrypt multiprotocol traffic and encapsulate it in an IP header, so that it can be sent
across an IP network or a public IP network, such as the Internet.

L2TP

L2TP enables you to encrypt multiprotocol traffic to send over any medium that supports point-to-point
datagram delivery, such as IP or asynchronous transfer mode (ATM). L2TP is a combination of PPTP
and Layer Two Forwarding (L2F). L2TP represents the best features of PPTP and L2F. Unlike PPTP, the
Microsoft implementation of L2TP does not use Microsoft Point-to-Point Encryption to encrypt PPP
datagrams. Instead, L2TP relies on IPsec in transport mode for encryption services. The combination of
L2TP and IPsec is known as L2TP/IPsec.

To utilize L2TP/IPsec, both the VPN client and server must support L2TP and IPsec. Client support for
L2TP is built into remote access clients on the following Windows client operating systems: Windows 8.1,
Windows 8, Windows 7, Windows Vista, and Windows XP. VPN server support for L2TP is built into
members of the Windows Server 2012, Windows Server 2008, and Windows Server 2003 families.

SSTP

SSTP is a tunneling protocol that uses the HTTPS protocol over TCP port 443 to pass traffic through
firewalls and web proxies, which otherwise might block PPTP and L2TP/IPsec traffic. SSTP provides a
mechanism to encapsulate PPP traffic over the Secure Sockets Layer (SSL) channel of the HTTPS protocol.
The use of PPP allows support for strong authentication methods, such as Extensible Authentication
Protocol-Transport Layer Security (EAP-TLS). SSL provides transport-level security with enhanced key
negotiation, encryption, and integrity checking.

When a client tries to establish an SSTP-based VPN connection, SSTP first establishes a bidirectional HTTPS
layer with the SSTP server. Over this HTTPS layer, the protocol packets flow as a data payload.

IKEv2

IKE version 2 (v2) uses the IPsec tunnel mode protocol over User Datagram Protocol (UDP) port 500. IKEv2
supports mobility, making it a good protocol choice for a mobile workforce. IKEv2-based VPNs enable
users to move easily between wireless hotspots, or between wireless and wired connections.
IKEv2 is supported only on computers that run Windows 8.1, Windows 8, Windows Server 2012 R2,
Windows Server 2012, Windows 7, and Windows Server 2008 R2. IKEv2 is the default VPN tunneling
protocol in Windows 7, Windows 8, and Windows 8.1.


VPN Authentication Methods


The authentication of access clients is an
important security concern. Authentication
methods typically use an authentication protocol
that is negotiated during the connection
establishment process. The Remote Access Service
role supports the following methods.

PAP

Password Authentication Protocol (PAP) uses plaintext passwords and is the least secure
authentication protocol. It typically is negotiated if the remote access client and remote access
server cannot negotiate a more secure form of validation. PAP is included in Windows Server 2012
and Windows 8.1 to support older client operating systems that support no other authentication method.

CHAP

The Challenge Handshake Authentication Protocol (CHAP) is a challenge-response authentication
protocol that uses the industry-standard MD5 hashing scheme to encrypt the response. Various vendors
of network access servers and clients use CHAP. Because CHAP requires the use of a reversibly encrypted
password, you should consider using another authentication protocol, such as Microsoft CHAP version 2
(MS-CHAP v2).

MS-CHAP v2

MS-CHAP v2 is a one-way, encrypted password, mutual-authentication process that works as follows:
1. The authenticator, which can be the remote access server or the computer that is running Network
Policy Server (NPS), sends a challenge to the remote access client. The challenge consists of a session
identifier and an arbitrary challenge string.
2. The remote access client sends a response that contains a one-way encryption of the received
challenge string, the peer challenge string, the session identifier, and the user password.
3. The authenticator checks the response from the client and sends back a response that contains an
indication of the success or failure of the connection attempt and an authenticated response based
on: the sent challenge string, the peer challenge string, the client's encrypted response, and the user
password.
4. The remote access client verifies the authentication response, and if correct, uses the connection. If
the authentication response is not correct, the remote access client terminates the connection.

EAP

With the Extensible Authentication Protocol (EAP), an arbitrary authentication mechanism authenticates a
remote access connection. The remote access client and the authenticator, which can be either the remote
access server or the Remote Authentication Dial-In User Service (RADIUS) server, negotiate the exact
authentication scheme to use. Routing and Remote Access service (RRAS) includes support for EAP-TLS by
default. You can plug in other EAP modules to the server that is running RRAS to provide other EAP
methods.

Other Options


In addition to the previously mentioned authentication methods, you can enable two other options when
selecting an authentication method:

Unauthenticated Access. Strictly speaking, this is not an authentication method, but rather the lack of
one. Unauthenticated access allows remote systems to connect without authentication. You should
never enable this option in a production environment, however, as it leaves your network at risk.
Nonetheless, this option can sometimes be useful for troubleshooting authentication issues in a test
environment.

Machine Certificate for IKEv2. Select this option if you want to use VPN Reconnect.

Note: VPN Reconnect uses the IKEv2 technology to provide consistent VPN connectivity.
Users who connect by using a wireless mobile broadband will benefit most from this capability.
With VPN Reconnect, Windows 8.1 devices reestablish active VPN connections automatically
when Internet connectivity reestablishes after a connection is lost. Even though the reconnection
might take several seconds, users do not have to reinstate the connection manually or
authenticate again to access internal network resources.

Network Policies
Network policies determine whether a connection
attempt is successful. If the connection attempt
is successful, the network policy then defines
connection characteristics, such as day and time
restrictions and session idle-disconnect times.
Network policies are sets of conditions, constraints,
and settings that enable you to designate who is
authorized to connect to a network, and the
circumstances under which they can or cannot
connect. Additionally, when you deploy NAP, a
health policy is added to the network policy
configuration so that your NPS performs client
health checks during the authorization process.
You can view network policies as rules, with each rule having a set of conditions and settings. NPS
compares the rule's conditions to the properties of connection requests. If a match occurs between the
rule and the connection request, the settings that you define in the rule are applied to the connection.

When you configure multiple network policies in NPS, they are an ordered set of rules. NPS checks each
connection request against the list's first rule, then the second, and so on until a match is found.
Note: After NPS discovers a matching rule, it disregards further rules. Therefore, it is
important to order your network policies appropriately.

Each network policy has a policy state setting that allows you to enable or disable the policy. When you
disable a network policy, NPS does not evaluate that policy when authorizing connection requests.


Controlling Network Access with Network Policies

When NPS performs authorization of a connection request, it compares the request with each network
policy in the ordered list of policies, starting with the first policy and moving down the list.

If NPS finds a policy in which the conditions match the connection request, NPS uses the matching policy
and the dial-in properties of the user account to perform authorization.
If you configure the dial-in properties of the user account to grant or control access through network
policy, and if NPS authorizes the connection request, NPS applies the settings that you configure in the
network policy to the connection in the following way:

If NPS does not find a network policy that matches the connection request, NPS rejects the
connection unless the dial-in properties on the user account are set to grant access.

If the dial-in properties of the user account are set to deny access, NPS rejects the connection request.

The default network policies deny access to all users. This ensures that only users to which you have
specifically granted access are allowed access. To allow users access, you create additional network
policies with conditions that match authorized users.

When planning your network policies, consider how you want the constraints and conditions to control
the connection from particular groups of users, and then choose appropriate conditions to enable these
settings to have an effect on those users.
For example, suppose you have the following two objectives:

You want to allow members of the administrators group to connect at any time of the week, but insist
on an L2TP tunnel-type connection.

You want all other users to connect with any tunnel type, but only on weekends.

You must consider how to implement two network policies to achieve this objective. If you configure a
condition of Any time of the week, in addition to administrators, all other user connection attempts will
match this condition, and subsequently the settings within the policy. Therefore, you might consider
creating a condition that looks for membership in the Domain Admins group, and then a constraint of
an L2TP tunnel-type. You will require a second policy to address the needs of all other users.
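The two-policy scenario above can be worked through with a small model of ordered, first-match evaluation. This is an added example, not NPS code and not part of the course: the function names, the Domain Users condition for the second policy, and the sample requests are all constructed, and the model assumes that access is controlled through network policy rather than through the dial-in properties of the user account.

```powershell
# Simplified model of ordered network policy evaluation (added example, not NPS code).
# A policy is selected when its CONDITION matches; its CONSTRAINT then decides
# grant or reject. Later policies are never consulted after a match.
function New-ModelPolicy {
    param([string]$Name, [scriptblock]$Condition, [scriptblock]$Constraint)
    [pscustomobject]@{ Name = $Name; Condition = $Condition; Constraint = $Constraint; Enabled = $true }
}

function Resolve-ModelPolicy {
    param([object[]]$Policies, $Request)
    foreach ($policy in $Policies) {
        if (-not $policy.Enabled) { continue }          # disabled policies are skipped
        if (& $policy.Condition $Request) {
            $granted = [bool](& $policy.Constraint $Request)
            return [pscustomobject]@{
                User = $Request.User; Day = $Request.Day; Tunnel = $Request.TunnelType
                MatchedPolicy = $policy.Name; Granted = $granted
            }
        }
    }
    # No policy matched: the request is rejected.
    [pscustomobject]@{
        User = $Request.User; Day = $Request.Day; Tunnel = $Request.TunnelType
        MatchedPolicy = '(none)'; Granted = $false
    }
}

$admins = New-ModelPolicy -Name 'Admins: L2TP only' `
    -Condition  { param($r) $r.Groups -contains 'Domain Admins' } `
    -Constraint { param($r) $r.TunnelType -eq 'L2TP' }

$others = New-ModelPolicy -Name 'Users: weekends only' `
    -Condition  { param($r) $r.Groups -contains 'Domain Users' } `
    -Constraint { param($r) 'Saturday', 'Sunday' -contains $r.Day }

# Constructed connection requests. An administrator is also a member of Domain Users.
$requests = @(
    [pscustomobject]@{ User = 'admin1'; Groups = 'Domain Admins', 'Domain Users'; Day = 'Tuesday';  TunnelType = 'L2TP' }
    [pscustomobject]@{ User = 'admin1'; Groups = 'Domain Admins', 'Domain Users'; Day = 'Saturday'; TunnelType = 'PPTP' }
    [pscustomobject]@{ User = 'user1';  Groups = @('Domain Users');               Day = 'Saturday'; TunnelType = 'SSTP' }
    [pscustomobject]@{ User = 'user1';  Groups = @('Domain Users');               Day = 'Tuesday';  TunnelType = 'SSTP' }
)

'Order 1: administrators policy first'
$requests | ForEach-Object { Resolve-ModelPolicy -Policies $admins, $others -Request $_ } | Format-Table -AutoSize

'Order 2: weekend policy first'
$requests | ForEach-Object { Resolve-ModelPolicy -Policies $others, $admins -Request $_ } | Format-Table -AutoSize
```

In the first order, the administrator on PPTP is rejected by the first policy and never reaches the weekend policy; in the second order, the administrator's weekday L2TP connection is rejected because the broader policy matches first.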

Common VPN Errors


You might encounter other common issues
when using VPNs with Windows 8.1 and Windows
Server 2012. The following sections describe these
issues in more detail.

Error 800: VPN Server is Unreachable

Cause. PPTP/L2TP/SSTP packets from the VPN client cannot reach the VPN server.

Solution. Ensure that the appropriate ports are open on the firewall:
o PPTP. For PPTP traffic, configure the network firewall to open TCP port 1723, and to forward
IP Protocol 47 for Generic Routing Encapsulation (GRE) traffic to the VPN server.
o L2TP. For L2TP traffic, configure the network firewall to open UDP port 1701, and to allow IPsec
encapsulating security payload-formatted packets (IP Protocol 50).
o SSTP. For SSTP, enable TCP port 443.

Error 721: Remote Computer is Not Responding


Cause. This issue can occur if the network firewall does not permit GRE traffic (IP Protocol 47). PPTP
uses GRE for tunneled data.

Solution. Configure the network firewall between the VPN client and the server to permit GRE.
Additionally, ensure that the network firewall permits TCP traffic on port 1723. Both of these
conditions must be met to establish VPN connectivity by using PPTP.
Note: The firewall might be on or in front of the VPN client, or in front of the VPN server.
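The firewall requirements listed for Error 800 and Error 721 can be checked from the VPN client as far as a TCP connection allows. This is an added example, not part of the course material; the function name Test-VpnServerReachability and the server name vpn.example.com are placeholders.

```powershell
# Added example (not from the course). Run on the VPN client.
function Test-VpnServerReachability {
    param([Parameter(Mandatory = $true)][string]$ServerName)

    # Step 1: the host name must resolve before any tunnel can be attempted.
    try {
        $addresses = @(Resolve-DnsName -Name $ServerName -Type A -ErrorAction Stop |
                       Where-Object { $_.IPAddress } |
                       Select-Object -ExpandProperty IPAddress)
    } catch {
        Write-Warning "Name resolution failed for ${ServerName}: $($_.Exception.Message)"
        return
    }
    Write-Host "Resolved $ServerName to: $($addresses -join ', ')"

    # Step 2: the TCP ports named in the text can be tested with a TCP connect.
    foreach ($check in @(@{ Tunnel = 'PPTP'; Port = 1723 }, @{ Tunnel = 'SSTP'; Port = 443 })) {
        $test  = Test-NetConnection -ComputerName $ServerName -Port $check.Port `
                     -WarningAction SilentlyContinue
        $state = if ($test.TcpTestSucceeded) { 'Reachable' } else { 'Blocked or not listening' }
        [pscustomobject]@{ Tunnel = $check.Tunnel; Requirement = "TCP port $($check.Port)"; Result = $state }
    }

    # Step 3: the remaining requirements are not TCP, so a successful TCP test
    # does not prove them. They must be verified in the firewall rules.
    $manual = @(
        @{ Tunnel = 'PPTP'; Requirement = 'IP Protocol 47 (GRE)' }
        @{ Tunnel = 'L2TP'; Requirement = 'UDP port 1701' }
        @{ Tunnel = 'L2TP'; Requirement = 'IP Protocol 50 (IPsec ESP)' }
    )
    foreach ($item in $manual) {
        [pscustomobject]@{ Tunnel = $item.Tunnel; Requirement = $item.Requirement
                           Result = 'Not testable by TCP connect; check firewall rules' }
    }
}

# Placeholder server name; replace with the name that the VPN connection uses.
Test-VpnServerReachability -ServerName 'vpn.example.com' | Format-Table -AutoSize
```

A PPTP row that shows TCP port 1723 as reachable while connections still fail with Error 721 matches the GRE cause described above.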

Error 741/742: Encryption Mismatch Error

Cause. These errors occur if the VPN client requests an invalid encryption level or if the VPN server
does not support an encryption type that the client requests.

Solution. Check the properties on the Security tab of the VPN connection on the VPN client. If
Require data encryption (disconnect if none) is selected, clear the selection and retry the connection.
If you are using NPS, check the encryption level in the network policy in the NPS console, or check
the policies on other RADIUS servers. Ensure that the encryption level that the VPN client requested is
selected on the VPN server.

L2TP/IPsec Authentication Issues


The following list describes the most common reasons that L2TP/IPsec connections fail:

No certificate. By default, for IPsec peer authentication, L2TP/IPsec connections require that an
exchange of computer certificates occur between the remote access server and remote access client.
Use the Certificates snap-in to check the Local Computer certificate stores of both the remote access
client and the remote access server to ensure that a suitable certificate exists.

Incorrect certificate. The VPN client must have a valid computer certificate installed, which was issued
by a trusted certification authority (CA) that follows a valid certificate chain from the issuing CA to a
root CA. Additionally, the VPN server must have a valid computer certificate installed that was issued
by a CA that follows a valid certificate chain from the issuing CA to a root CA, and that the VPN client
trusts.

A network address translation (NAT) device exists between the remote access client and remote
access server. If there is a NAT between a Windows Server 2008 L2TP/IPsec server and a Windows
2000 Server, Windows Server 2003, or Windows XP-based L2TP/IPsec client, you cannot establish an
L2TP/IPsec connection unless the client and server support IPsec NAT traversal (NAT-T).

A firewall exists between the remote access client and the remote access server. If there is a firewall
between a Windows L2TP/IPsec client and a Windows Server 2012 L2TP/IPsec server, and if you
cannot establish an L2TP/IPsec connection, verify that the firewall allows forwarding of L2TP/IPsec
traffic.

EAP-TLS Authentication Issues

When you use EAP-TLS for authentication, the VPN client submits a user certificate and the authenticating
server (the VPN server or the RADIUS server) submits a computer certificate. To enable the authenticating
server to validate the VPN client's certificate, the following must be true for each certificate in the
certificate chain that the VPN client sends:

The current date must be within the certificate's validity dates. When certificates are issued, they are
issued with a range of valid dates before which they cannot be used, and after which they are
considered expired.


The certificate has not been revoked. Issued certificates can be revoked at any time. Each issuing
CA maintains a list of certificates that are not considered valid, and publishes an up-to-date certificate
revocation list. By default, the authenticating server checks all certificates in the VPN client's
certificate chain (the series of certificates from the VPN client certificate to the root CA) for
revocation. If any of the chain's certificates have been revoked, certificate validation fails.

The certificate has a valid digital signature. CAs digitally sign certificates that they issue. The
authenticating server verifies the digital signature of each certificate in the chain, with the exception
of the root CA certificate, by obtaining the public key from the certificate's issuing CA and
mathematically validating the digital signature.

For a VPN client to validate an authenticating server's certificate for EAP-TLS authentication,
the following must be true for each certificate in the certificate chain that the authenticating server
sends:

The current date must be within the certificate's validity dates.

The certificate must have a valid digital signature.
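
The following Windows PowerShell function is an added example, not part of the original courseware. It builds the chain for a certificate and reports, for each certificate in that chain, the three conditions described above (validity dates, revocation, and digital signature). The function name and output property names are assumptions made for this illustration; the store path in the last line is only one possible input.

```powershell
# Added example (not from the courseware): report, for every certificate in a chain,
# the conditions described above: validity dates, revocation status, and signature.
function Test-CertificateChainHealth {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        try {
            # Check revocation online for every certificate in the chain.
            $chain.ChainPolicy.RevocationMode = 'Online'
            $chain.ChainPolicy.RevocationFlag = 'EntireChain'
            $chainValid = $chain.Build($Certificate)

            # Status flags that this report breaks out into their own columns.
            $reported = 'NotTimeValid', 'Revoked', 'NotSignatureValid',
                        'RevocationStatusUnknown', 'OfflineRevocation'
            $position = 0
            foreach ($element in $chain.ChainElements) {
                $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status.ToString() })

                # A CRL that cannot be retrieved is not the same as "not revoked":
                # report it separately so that it is not mistaken for a pass.
                $revocation = 'NotRevoked'
                if ($flags -contains 'Revoked') {
                    $revocation = 'Revoked'
                }
                elseif ($flags -contains 'RevocationStatusUnknown' -or
                        $flags -contains 'OfflineRevocation') {
                    $revocation = 'Unknown'
                }

                [pscustomobject]@{
                    ChainFor       = $Certificate.Subject
                    Position       = $position          # 0 = end certificate, last = root CA
                    Subject        = $element.Certificate.Subject
                    NotBefore      = $element.Certificate.NotBefore
                    NotAfter       = $element.Certificate.NotAfter
                    DatesValid     = -not ($flags -contains 'NotTimeValid')
                    Revocation     = $revocation
                    SignatureValid = -not ($flags -contains 'NotSignatureValid')
                    OtherStatus    = @($flags | Where-Object { $reported -notcontains $_ }) -join ', '
                    ChainValid     = $chainValid
                }
                $position++
            }
        }
        finally {
            $chain.Reset()
        }
    }
}

# Computer certificates are in Cert:\LocalMachine\My; user certificates (the VPN client's
# side of EAP-TLS) are in Cert:\CurrentUser\My.
Get-ChildItem Cert:\LocalMachine\My | Test-CertificateChainHealth
```

A Revocation value of Unknown means that the revocation list could not be checked from this computer, which usually points to name resolution or firewall issues rather than to the certificate itself.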

Troubleshooting VPN Connections


To resolve general problems with establishing a remote access VPN connection, perform the
following tasks:

Use the Test-Connection Windows PowerShell cmdlet (or ping command) to verify that the host name
resolves to its correct IP address. The ping itself might not be successful because of packet filtering
that prevents the delivery of Internet Control Message Protocol (ICMP) messages to and from the
VPN server.

Verify that the credentials of the VPN client (which consist of user name, password, and domain
name) are correct and that the VPN server can validate them.

Verify that the user account of the VPN client is not locked out, expired, or disabled. Verify also that
the time that the connection is being made is not in conflict with the configured logon hours. If the
password on the account has expired, verify that the remote access VPN client is using MS-CHAP v2.
MS-CHAP v2 is the only authentication protocol that Windows Server 2012 provides that allows you
to change an expired password during the connection process.

Reset expired administrator-level account passwords by using another administrator-level account.

Verify that the RRAS is running on the VPN server.

Verify that the VPN server is enabled for remote access from the VPN server Properties dialog box
General tab.

Verify that the WAN miniport PPTP and WAN miniport L2TP devices are enabled for inbound remote
access from the properties of the Ports object in the RRAS snap-in.


Verify that the VPN client, the VPN server, and the network policy that correspond to VPN
connections are configured to use at least one common authentication method.

Verify that the VPN client and the network policy that correspond to VPN connections are configured
to use at least one common encryption strength.

Verify that the connection's parameters have permission through network policies.


Lesson 2

Troubleshooting NAP

Your network is only as secure as the least-secure computer that is attached to it. Many programs and
tools exist to help you secure your network-attached computers, such as antivirus or malware detection
software. However, if the software on some of your computers is not up to date or not enabled or
configured correctly, these computers continue to pose a security risk.

Computers that remain within an office environment and always connect to the same network are
relatively simple to keep configured and updated. Computers that connect to different networks,
particularly unmanaged networks, are less easy to control. For example, it is more difficult to control
laptop computers that connect to customer networks or public Wi-Fi hotspots. Furthermore, unmanaged
computers that attempt to connect remotely to your network, such as computers that connect from
homes, also pose a security risk.

You can use NAP to create customized health requirement policies to validate the health of a computer
before allowing it to access or communicate with a network. Additionally, NAP updates compliant
computers automatically to ensure their ongoing compliance, and NAP limits noncompliant computer
access to a restricted network until they become compliant.

If your organization implements NAP, you must understand this technology to troubleshoot issues that
relate to NAP.

Lesson Objectives
After completing this lesson, you will be able to:

Describe NAP.

Describe the NAP enforcement methods.

Describe scenarios for implementing NAP.

Explain how to configure client-side NAP settings.

Describe how to implement tracing to troubleshoot NAP.

Explain how to use event logs to troubleshoot NAP.

Configure NAP server settings.

What Is NAP?
NAP provides components and an application
programming interface (API) that can help enforce
compliance with your organization's health
requirement policies for network access or
communication. NAP defines a healthy computer
as one that conforms with a health policy. The
health policy might define characteristics such as
whether the computer has:

An antivirus package installed.

The latest antivirus patterns installed.

The latest software updates.

A firewall enabled.


You can use NAP to create solutions for validating computers that connect to your networks, and to
provide needed updates or access to requisite health update resources. Additionally, NAP enables you to
limit the access or communication of noncompliant computers.

You can integrate NAP's enforcement features with software from other vendors, or with custom
programs.

Remember that NAP does not protect a network from hackers. Rather, it helps you automatically maintain
the health of your organization's networked computers, which in turn helps maintain your network's
overall integrity. For example, if a computer has all of the software and configuration settings that the
health policy requires, the computer is compliant and will have unlimited network access. However, NAP
will not prevent an authorized user with a compliant computer from uploading a malicious program to
the network or engaging in other inappropriate behavior.

How to Use NAP


You can use NAP in three distinct ways: to validate the health state, to enforce compliance with health
policies, and to limit access to a network:

To validate the health state. When a computer attempts to connect to the network, NAP validates the
computer's health state against the health requirement policies that the administrator defines. You
also can define what to do if a computer is not compliant.

In a monitoring-only environment, all computers have their health state evaluated, and NAP logs
the compliance state of each computer for analysis. In a limited access environment, computers that
comply with the health requirement policies have unlimited network access. Computers that do not
comply with health requirement policies could find their access limited to a restricted network.

To enforce health policy compliance. You can help ensure compliance with health requirement
policies by choosing to update noncompliant computers automatically with missing software updates
or configuration changes. This can be done through management software such as Microsoft System
Center 2012 R2 Configuration Manager.

In a monitoring-only environment, NAP will ensure that computers update their network access
before they receive required updates or configuration changes. In a limited access environment,
noncompliant computers have limited access until the updates and configuration changes are
complete. In both environments, computers that are compatible with NAP can become compliant
automatically, and you can define exceptions for computers that are not NAP-compatible.

To limit network access. You can protect your networks by limiting noncompliant computer
access. You can base limited network access on a specific amount of time, or on what resources the
noncompliant computer can access. In the latter case, you define a restricted network that contains
health update resources, and the limited access will last until the noncompliant computer comes into
compliance. You also can configure exceptions so that computers that are not compatible with NAP
do not have limited network access.


NAP Enforcement Methods


Components of the NAP infrastructure, known
as enforcement clients and enforcement servers,
require health state validation. These components
enforce limited network access for noncompliant
computers. Windows XP SP3, Windows Vista,
Windows 7, Windows 8, Windows 8.1, Windows
Server 2008, and Windows Server 2012 include
NAP support for the following network access or
communication methods:

IPsec-protected traffic. IPsec enforcement confines communication to compliant computers after they
connect successfully and obtain a valid IP address configuration. IPsec enforcement is the strongest
form of limited network access or communication in NAP.

Institute of Electrical and Electronics Engineers (IEEE) 802.1X-authenticated network connections.
IEEE 802.1X enforcement requires that a computer is compliant to obtain unlimited network access
through an IEEE 802.1X-authenticated network connection. Examples of this type of network
connection include an authenticating Ethernet switch or an IEEE 802.11 wireless access point.

Remote access VPN connections. VPN enforcement requires that a computer be compliant to obtain
unlimited network access through a remote access VPN connection. For noncompliant computers,
network access is limited through a set of IP packet filters that the VPN server applies to the VPN
connection.

DirectAccess connections. DirectAccess connections require that a computer be compliant to obtain
unlimited network access through a DirectAccess server. By using the infrastructure tunnel for
noncompliant computers, network access is limited to the set of computers that are defined as
infrastructure servers. Compliant computers can create the separate intranet tunnel that provides
unlimited access to intranet resources. DirectAccess connections use IPsec enforcement.

DHCP address configurations. Dynamic Host Configuration Protocol (DHCP) enforcement requires
that a computer be compliant to obtain an unlimited access Internet Protocol version 4 (IPv4) address
configuration from a DHCP server. For noncompliant computers, network access is restricted with an
IPv4 address configuration that limits access to the restricted network.

These network access or communication methods, or NAP enforcement methods, are useful separately or
together for limiting noncompliant computer access or communication. A server that runs NPS in
Windows Server 2012 acts as a health policy server for all of these NAP enforcement methods.

Scenarios for NAP


NAP provides a solution for scenarios such as
roaming laptops, desktop computers, visiting
laptops, and unmanaged computers. Depending
on your needs, you can configure a solution for
your network to address any or all of these
scenarios.

Roaming Laptops


Portability and flexibility are two primary advantages of a laptop, but these features also
present a system health threat. Users frequently connect their laptops to other networks. While
users are away from your organization, their laptops might not receive the most recent software
updates or configuration changes. Additionally, exposure to unprotected networks such as the
Internet can introduce security-related threats to laptops.

NAP allows you to check any laptop's health state when it reconnects to an organization's network,
regardless of whether it connects through a VPN, a Windows 8.1 DirectAccess connection, or the
workplace network connection.

Desktop Computers

Although users typically do not remove their desktop computers from company buildings, they still can
present a threat to your network. To minimize this threat, you must maintain these computers with the
most recent updates and required software. Otherwise, these computers are at risk of infection from
websites, email, files from shared folders, and other publicly accessible resources. You can use NAP to
automate health state checks to verify each desktop computer's compliance with health requirement
policies. You can check log files to determine which computers do not comply. Additionally, by using
management software, you can generate automatic reports and automatically update noncompliant
computers. When you change health requirement policies, you can configure NAP to provision computers
automatically with the most recent updates.

Visiting Laptops

Organizations frequently need to allow consultants, business partners, and guests to connect to their
private networks. The laptops that these visitors bring into your organization might not meet system
health requirements and can present health risks. NAP enables you to determine which visiting laptops
are noncompliant and limit their access to restricted networks. Typically, you would not require or provide
any updates or configuration changes for visiting laptops. You can configure Internet access for visiting
laptops, but not for other organizational computers that have limited access.

Unmanaged Home Computers

Unmanaged home computers that are not members of a company's Active Directory Domain
Services (AD DS) domain can connect to a managed company network through VPN. Unmanaged home
computers provide an additional challenge because you cannot physically access these computers. Lack
of physical access makes enforcing compliance with health requirements, such as the use of antivirus
software, more difficult. However, you can use NAP to verify the health state of a home computer every
time it makes a VPN connection to the company network, and to limit its access to a restricted network
until it meets system health requirements.

Note: Both roaming laptops and unmanaged home computers can become part of the
managed infrastructure of your organization by using DirectAccess connections. You can
implement NAP with DirectAccess to ensure the health compliance of such computers.


Configuring Client-Side NAP Settings


When you configure NAP clients, use the following guidelines:

Some NAP deployments that use system health validator (SHV) require that you enable
Windows Security Center.

You must enable the Network Access Protection client service when you deploy
NAP to NAP-capable client computers.

You must configure the appropriate NAP enforcement clients on NAP-capable client
computers.

Enable Security Center in Group Policy


You can use the following procedure to enable Security Center on NAP-capable clients.

Note: To complete this procedure, you must be a member of the Domain Admins group,
the Enterprise Admins group, or the Administrators group on the local computer.

To enable Security Center in Group Policy, perform the following procedure:

1. Open the Group Policy Management Console.

2. In the console tree, double-click Local Computer Policy, double-click Computer Configuration,
double-click Administrative Templates, double-click Windows Components, and then double-click
Security Center.

3. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.

Enable the NAP Service on Clients

When you deploy NAP, you must enable the NAP service on NAP-capable client computers. You can use
the following procedure to enable and configure NAP service on NAP-capable client computers.

Note: To complete this procedure, you must be a member of the Domain Admins group,
the Enterprise Admins group, or the Administrators group on the local computer.

To enable the NAP service on client computers, perform the following procedure:

1. Open Control Panel, click System and Security, click Administrative Tools, and then double-click
Services.

2. In the services list, scroll through, and then double-click Network Access Protection Agent.

3. In the Network Access Protection Agent Properties dialog box, change Startup Type to
Automatic, and then click OK.

Enable and Disable NAP Enforcement Clients


You can use the following procedure to enable or disable one or more NAP enforcement clients on
NAP-capable computers. These clients can include:

DHCP Quarantine Enforcement Client

IPsec Relying Party

RD Gateway Quarantine Enforcement Client

EAP Quarantine Enforcement Client

To enable and disable NAP enforcement clients:

1. Open the NAP client configuration console (Napclcfg.msc).

2. Click Enforcement Clients.

3. In the details pane, right-click the enforcement client that you want to enable or disable, and then
click Enable or Disable.

Note: To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. If the computer
is joined to a domain, members of the Domain Admins group will be able to perform this
procedure.

Verifying Client Settings by Using Netsh


Use the netsh NAP command to help troubleshoot NAP issues. The following command displays the
status of a NAP client, including the following:

Restriction state

Status of enforcement clients

Status of installed system health agents (SHAs)

Trusted server groups that have been configured


netsh NAP client show state

The following command displays the local configuration settings on a NAP client, including:

Cryptographic settings

Enforcement client settings

Settings for trusted server groups

Client tracing settings that have been configured


netsh NAP client show config

The following command displays the Group Policy configuration settings on a NAP client, including:

Cryptographic settings

Enforcement client settings

Settings for trusted server groups


Client tracing settings that have been configured


netsh NAP client show group

Using Tracing to Troubleshoot NAP


Monitoring and troubleshooting NAP are
important administrative tasks. Each NAP
enforcement method requires that you have a
certain level of expertise. You can use trace logs,
which are available for NAP, to troubleshoot and
evaluate a network's health and security. However,
trace logs are disabled by default.

Tracing

You can use the NAP Client Configuration console to configure NAP tracing. Tracing records
NAP events in a log file, which is useful for troubleshooting and maintenance. Additionally,
you can use tracing logs to evaluate your network's health and security. You can configure three levels of
tracing: Basic, Advanced, and Debug.

You should enable NAP tracing when you need to troubleshoot NAP problems, or when you want to
evaluate the overall health and security of your organization's computers.

In addition to trace logging, you can view NPS accounting logs. These logs could contain useful NAP
information. By default, NPS accounting logs are located in %systemroot%\system32\logfiles.

The following two log files can potentially contain details about NAP-related information:

IASNAP.LOG. Contains information about NAP processes, NPS authentication, and NPS authorization.

IASSAM.LOG. Contains information about user authentication and authorization.

Windows 8.1 includes two tools for configuring NAP tracing: the NAP Client Configuration console, which
is part of the Windows user interface, and the netsh command-line tool.

Using the NAP Client Configuration console

You can use the NAP Client Configuration console to enable or disable NAP tracing and to specify the
level of recorded detail. To do this, perform the following procedure:

1. Open the NAP Client Configuration console by running napclcfg.msc.

2. In the console tree, right-click NAP Client Configuration (Local Computer), and then click
Properties.

3. In the NAP Client Configuration (Local Computer) Properties dialog box, select either Enabled or
Disabled.

Note: To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a security
best practice, consider performing this operation by using the Run As command.

4. If you select the Enabled check box, under Specify the level of detail at which the tracing logs are
written, click either Basic, Advanced, or Debug.

Using Netsh


To use a command-line tool to enable or disable NAP tracing, and to specify the level of recorded detail,
perform the following steps:

1. Open an elevated command prompt.

2. To enable or disable NAP tracing, do one of the following:

To enable NAP tracing and configure for basic or advanced logging, type the following
command.

netsh nap client set tracing state=enable level=[advanced or basic]

To enable NAP tracing for debug information, type the following command.

netsh nap client set tracing state=enable level=verbose

To disable NAP tracing, type the following command.

netsh nap client set tracing state=disable

Note: To perform this procedure, you must be a member of the Administrators group on
the local computer, or you must have been delegated the appropriate authority. As a security
best practice, consider performing this operation by using the Run As command.

Viewing log files

To view the log files, go to the %systemroot%\tracing\nap directory, and then open the particular trace
log that you want to view.
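
The following Windows PowerShell function is an added example, not part of the original courseware. It strings together the client-side checks from this lesson: it records the state of the Network Access Protection Agent service, saves the output of the three netsh NAP client show commands, enables tracing while you reproduce the problem, and always disables tracing again afterward. The function name, the output folder, and the service short name napagent are assumptions made for this illustration.

```powershell
# Added example (not from the courseware): collect NAP client diagnostics in one folder.
function Save-NapClientDiagnostics {
    [CmdletBinding()]
    param(
        # Tracing levels accepted by "netsh nap client set tracing" as shown in this lesson.
        [ValidateSet('basic', 'advanced', 'verbose')]
        [string] $TraceLevel = 'advanced',

        # Hypothetical default output folder for this example.
        [string] $OutputPath = (Join-Path $env:TEMP ('nap-diag-{0:yyyyMMdd-HHmmss}' -f (Get-Date)))
    )

    # Changing tracing settings requires membership in the local Administrators group.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this function from an elevated Windows PowerShell session.'
    }
    New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

    # 1. Service state. Assumption: "napagent" is the short name of the
    #    Network Access Protection Agent service.
    $service = Get-CimInstance -ClassName Win32_Service -Filter "Name='napagent'"
    if (-not $service) {
        Write-Warning 'Network Access Protection Agent service was not found on this computer.'
    }
    elseif ($service.State -ne 'Running' -or $service.StartMode -ne 'Auto') {
        Write-Warning ("NAP agent is {0} with startup type {1}; the lesson expects Automatic." -f
            $service.State, $service.StartMode)
    }

    # 2. Restriction state, local configuration, and Group Policy configuration.
    foreach ($view in 'state', 'config', 'group') {
        netsh nap client show $view | Out-File -FilePath (Join-Path $OutputPath "netsh-$view.txt")
    }

    # 3. Trace only for as long as it takes to reproduce the problem.
    $traceDirectory = Join-Path $env:SystemRoot 'tracing\nap'
    $traceStart = Get-Date
    netsh nap client set tracing state=enable "level=$TraceLevel" | Out-Null
    try {
        Read-Host 'Tracing is enabled. Reproduce the problem, and then press Enter' | Out-Null
    }
    finally {
        # Tracing is disabled by default; restore that state even if the session is interrupted.
        netsh nap client set tracing state=disable | Out-Null
    }

    # 4. Copy only the trace logs that were written during this session.
    $copied = @()
    if (Test-Path $traceDirectory) {
        $copied = @(Get-ChildItem -Path $traceDirectory -File |
            Where-Object { $_.LastWriteTime -ge $traceStart })
        $copied | Copy-Item -Destination $OutputPath
    }

    [pscustomobject]@{
        OutputPath   = $OutputPath
        ServiceState = if ($service) { $service.State } else { 'NotFound' }
        StartMode    = if ($service) { $service.StartMode } else { 'NotFound' }
        TraceLevel   = $TraceLevel
        TraceFiles   = $copied.Count
    }
}

Save-NapClientDiagnostics -TraceLevel advanced
```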

Troubleshooting NAP with Event Logs


NAP services record NAP-related events into the
Windows event logs. To view these events, on the
NPS server, open Event Viewer, expand Custom
Views, expand Server Roles, and then expand
Network Policy and Access Services. The following
events provide information about NAP services
that run on an NPS server:

Event ID 6272. Network Policy Server granted access to a user. Occurs when a NAP client
authenticates successfully, and depending on its health state, obtains full or restricted
access to the network.

Event ID 6273. Network Policy Server denied access to a user. Occurs when an authentication or
authorization problem arises, which is associated with a reason code.

Event ID 6274. Network Policy Server discarded the request for a user. Occurs when a configuration
problem arises, if the RADIUS client settings are incorrect, or if NPS cannot create accounting logs.

Event ID 6276. Network Policy Server quarantined a user. Occurs when the client access request
matches a network policy that is configured with a NAP enforcement setting of Allow Limited Access.


Event ID 6277. Network Policy Server granted access to a user, but put it on probation because the
host did not meet the defined health policy. Occurs when the client access request matches a network
policy that is configured with a NAP enforcement setting of Allow Full Network Access For A Limited
Time When The Date Specified In The Policy Has Passed.

Event ID 6278. Network Policy Server granted full access to a user because the host met the defined
health policy. Occurs when the client access request matches a network policy that is configured with
a NAP enforcement setting of Allow Full Network Access.
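
The following Windows PowerShell function is an added example, not part of the original courseware. It reads the six event IDs listed above from the NPS server and turns them into one row per access decision, so that quarantined or denied clients stand out. It assumes that NPS writes these events to the Security log and that the event data uses the field names shown in the code comments; fields that are absent are returned empty. The function name and the short outcome labels are assumptions made for this illustration.

```powershell
# Added example (not from the courseware): summarize NAP-related NPS events.
function Get-NapAccessOutcome {
    [CmdletBinding()]
    param(
        [string] $ComputerName = $env:COMPUTERNAME,   # the NPS server to query
        [int]    $Hours = 24                          # how far back to look
    )

    # Short labels for the event IDs described in this lesson.
    $outcome = @{
        6272 = 'Access granted'
        6273 = 'Access denied'
        6274 = 'Request discarded'
        6276 = 'Quarantined (limited access)'
        6277 = 'Granted on probation'
        6278 = 'Full access (health policy met)'
    }

    # Assumption: NPS records these events in the Security log.
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]@($outcome.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
        -ErrorAction SilentlyContinue)

    foreach ($event in $events) {
        # Index the event data by field name instead of by position.
        $data = @{}
        foreach ($node in ([xml]$event.ToXml()).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }

        # Assumed field names: SubjectUserName, FullyQualifiedSubjectMachineName,
        # NetworkPolicyName, ReasonCode, Reason.
        [pscustomobject]@{
            Time          = $event.TimeCreated
            EventId       = $event.Id
            Outcome       = $outcome[[int]$event.Id]
            User          = $data['SubjectUserName']
            Machine       = $data['FullyQualifiedSubjectMachineName']
            NetworkPolicy = $data['NetworkPolicyName']
            ReasonCode    = $data['ReasonCode']
            Reason        = $data['Reason']
        }
    }
}

# Count the decisions by outcome and matching network policy, most frequent first.
Get-NapAccessOutcome -Hours 24 |
    Group-Object -Property Outcome, NetworkPolicy |
    Sort-Object -Property Count -Descending |
    Select-Object -Property Count, Name
```

A noncompliant client that shows up under Access granted or Full access, rather than under Quarantined, indicates that its request matched a network policy other than the one intended for noncompliant computers.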

Demonstration: Configuring NAP Server Settings


Note: This is a practice session.
In this practice session, you will:

Configure NPS as a NAP health policy server.

Configure health policies.

Configure network policies for compliant computers.

Configure network policies for noncompliant computers.

Configure the DHCP server role for NAP.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Adatum

5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Configure NPS as a NAP Health Policy Server

1. Switch to LON-DC1.

2. In Server Manager, click Tools and then click Network Policy Server.

3. In the navigation pane, expand Network Access Protection, expand System Health Validators,
expand Windows Security Health Validator, and then click Settings.

4. In the right pane, under Name, double-click Default Configuration.

5. In the navigation pane, click Windows 8/Windows 7/Windows Vista.

6. In the details pane, clear all check boxes except the A firewall is enabled for all network
connections check box.

7. Click OK to close the Windows Security Health Validator dialog box.

Configure health policies


1. In the navigation pane, expand Policies.

2. Right-click Health Policies, and then click New.

3. In the Create New Health Policy dialog box, under Policy name, type Compliant.

4. Under Client SHV checks, verify that the Client passes all SHV checks is selected.

5. Under SHVs used in this health policy, select the Windows Security Health Validator check box,
and then click OK.

6. Right-click Health Policies, and then click New.

7. In the Create New Health Policy dialog box, under Policy Name, type Noncompliant.

8. Under Client SHV checks, click Client fails one or more SHV checks.

9. Under SHVs used in this health policy, select the Windows Security Health Validator check box,
and then click OK.

Configure network policies for compliant computers


1. In the navigation pane, under Policies, click Network Policies.

2. Disable the two default policies found under Policy Name by right-clicking the policies, and then
clicking Disable.

3. Right-click Network Policies, and then click New.

4. On the Specify Network Policy Name and Connection Type page, under Policy name, type
Compliant-Full-Access, and then click Next.

5. On the Specify Conditions page, click Add.

6. In the Select condition dialog box, double-click Health Policies.

7. In the Health Policies dialog box, under Health policies, click Compliant, and then click OK.

8. On the Specify Conditions page, click Next.

9. On the Specify Access Permission page, click Next.

10. On the Configure Authentication Methods page, clear all check boxes, select the Perform
machine health check only check box, and then click Next twice.

11. On the Configure Settings page, click NAP Enforcement. Verify that Allow full network access is
selected, and then click Next.
12. On the Completing New Network Policy page, click Finish.

Configure network policies for noncompliant computers


1. Right-click Network Policies, and then click New.

2. On the Specify Network Policy Name and Connection Type page, under Policy name, type
Noncompliant-Restricted, and then click Next.

3. On the Specify Conditions page, click Add.

4. In the Select condition dialog box, double-click Health Policies.


5. In the Health Policies dialog box, under Health policies, select Noncompliant, and then click OK.

6. On the Specify Conditions page, click Next.

7. On the Specify Access Permission page, verify that Access granted is selected, and then click Next.

8. On the Configure Authentication Methods page, clear all check boxes, select the Perform
machine health check only check box, and then click Next twice.

9. On the Configure Settings page, click NAP Enforcement, and then click Allow limited access.

10. Clear the Enable auto-remediation of client computers check box, click Next, and then click
Finish.

Configure the DHCP server role for NAP


1. In Server Manager, click Tools, and then click DHCP.

2. In DHCP, expand LON-DC1.Adatum.com, expand IPv4, right-click Scope [172.16.0.0] Adatum, and
then click Properties.

3. In the Scope [172.16.0.0] Adatum Properties dialog box, click the Network Access Protection tab,
click Enable for this scope, and then click OK.

4. In the navigation pane, under Scope [172.16.0.0] Adatum, click Policies.

5. Right-click Policies, and then click New Policy.

6. In the DHCP Policy Configuration Wizard, in the Policy Name text box, type NAP Policy, and then
click Next.

7. On the Configure Conditions for the policy page, click Add.

8. In the Add/Edit Condition dialog box, in the Criteria list, click User Class.

9. In the Operator list, click Equals.

10. In the Value list, click Default Network Access Protection Class, and then click Add.
11. Click OK, and then click Next.
12. On the Configure settings for the policy page, click No, and then click Next.
13. On the Configure settings for the policy page, in the Vendor class list, click DHCP Standard
Options.
14. In the Available Options list, select the 006 DNS Servers check box.
15. In the IP address field, type 172.16.0.10, and then click Add.
16. In the Available Options list, select the 015 DNS Domain Name check box.
17. In the String value text box, type restricted.adatum.com, and then click Next.
18. On the Summary page, click Finish.
19. Close DHCP.

Completion Steps

After you have completed the practice session, leave the virtual machines running for the lab.

Lab A: Configuring Network Access Protection Client Settings

Scenario
Users are unable to connect to corporate resources since NAP was deployed.

Objectives
After completing this lab, you will be able to:

Configure and verify client-side NAP settings.

Lab Setup
Estimated Time: 25 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd


For this lab, you need to use the available virtual machine environment. The virtual machines must still be
running from the preceding practice session. If they are not, before you begin the lab, you must complete
the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

User name: Administrator

Password: Pa$$w0rd

Domain: Adatum

5. Repeat steps 2 through 4 for 20688D-LON-CL1.

6. You must then complete the preceding practice session to get the virtual machines into the correct
state for this lab.


Exercise 1: Configuring and Verifying Network Access Protection (NAP) Client Connectivity

Scenario
A user is unable to connect to the corporate network. The help desk suspects the NAP settings are
incorrect on the client. You must configure these settings.

Incident Record
Incident Reference Number: 723467
Date of Call: November 7
Time of Call: 16:02
User: Josh Bailey (Research department)
Status: OPEN

Incident Details
Josh is able to connect to the corporate network even though NAP is being enforced and the client
computer is not compliant.

Additional Information
The computer is not configured for NAP.

Plan of Action

The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for incident 723467.

2. Update the Plan of Action section of the Incident Record.

3. Configure NAP client settings.

4. Test NAP.

Task 1: Read the help desk Incident Record for incident 723467

Read the help desk Incident Record 723467.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Configure NAP client settings


1. Switch to LON-CL1.
2. Open napclcfg.msc, and then enable the DHCP Quarantine Enforcement Client on LON-CL1.
3. Open services.msc, and then start the Network Access Protection Agent service.
4. Open gpedit.msc and navigate to Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Security Center.
5. Use the local Group Policy Management Console to enable the Security Center.
6. Reconfigure LON-CL1 to obtain an IP address from a DHCP server.

Task 4: Test NAP


1. On LON-CL1, verify the obtained configuration by using ipconfig.
2. Disable and stop the Windows Firewall service.
3. In the notification area, click the Network Access Protection pop-up warning.

Note: Depending on the point at which your computer becomes noncompliant, you might
not receive a warning in the notification area. However, you may proceed.


4. Review the information in the Network Access Protection dialog box, and then click Close.
5. Verify the obtained configuration by using ipconfig.
6. Notice that the computer has a subnet mask of 255.255.255.255 and a Domain Name System (DNS)
suffix of restricted.Adatum.com.
7. Leave all windows open.

Results: After completing this exercise, you should have configured the client computer for NAP.
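
The checks from Task 3 and Task 4, scripted as an added example that is not part of the course material. It assumes an elevated Windows PowerShell session on the client, English-language netsh output, and that 79617 is the ID of the DHCP Quarantine Enforcement Client; the function and parameter names are illustrative.

```powershell
# Added example (not from the course): confirm the NAP client state set up in
# Task 3 and the restricted lease expected in Task 4. Run elevated on the client.
# Assumptions: English netsh output; 79617 is the ID of the DHCP Quarantine
# Enforcement Client; "restricted.Adatum.com" is this lab's restricted DNS suffix.

function Test-NapDhcpClient {
    param(
        [string]$RestrictedSuffix  = 'restricted.Adatum.com',
        [string]$DhcpEnforcementId = '79617'
    )

    # Task 3, step 3: the Network Access Protection Agent service must be running.
    $agent = Get-Service -Name napagent -ErrorAction SilentlyContinue
    $agentRunning = [bool]($agent -and $agent.Status -eq 'Running')

    # Task 3, step 2: the DHCP enforcement client must be enabled and initialized.
    # Each enforcement client block lists "Id = <n>" and "Initialized = Yes|No".
    $napState = netsh nap client show state | Out-String
    $pattern  = "(?s)Id\s*=\s*$DhcpEnforcementId\b.*?Initialized\s*=\s*(\w+)"
    $dhcpQecReady = ($napState -match $pattern) -and ($Matches[1] -eq 'Yes')

    # Task 4, steps 5-6: a noncompliant client receives a 255.255.255.255 mask
    # and the restricted DNS suffix from DHCP.
    $adapters = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
        -Filter 'IPEnabled = TRUE AND DHCPEnabled = TRUE'
    $leases = foreach ($a in $adapters) {
        $hostMask = $a.IPSubnet -contains '255.255.255.255'
        [pscustomobject]@{
            Adapter    = $a.Description
            IPAddress  = ($a.IPAddress -join ', ')
            HostMask   = $hostMask
            DnsSuffix  = $a.DNSDomain
            Restricted = $hostMask -and ($a.DNSDomain -eq $RestrictedSuffix)
        }
    }

    [pscustomobject]@{
        NapAgentRunning      = $agentRunning
        DhcpEnforcementReady = $dhcpQecReady
        Leases               = @($leases)
    }
}

$state = Test-NapDhcpClient
$state | Format-List NapAgentRunning, DhcpEnforcementReady
$state.Leases | Format-Table -AutoSize
```

A client that reports NapAgentRunning or DhcpEnforcementReady as False is not being evaluated by NAP at all, which matches the incident in this exercise.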

To prepare for the next practice session


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.


Lesson 3

Troubleshooting DirectAccess

The DirectAccess feature in Windows Server 2012 and Windows 8.1 enables remote access to intranet
resources without first establishing a user-initiated VPN connection. DirectAccess also helps to ensure
seamless connectivity to the application infrastructure for both internal users and remote users.

Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess
enables any application that supports Internet Protocol version 6 (IPv6) on the client computer to have
complete access to intranet resources. DirectAccess also enables you to specify resources and client-side
applications that are restricted for remote access. You should understand this technology to support
connectivity for DirectAccess users.

Lesson Objectives
After completing this lesson, you will be able to:

Describe DirectAccess.

Explain how DirectAccess works.

Explain how to troubleshoot DirectAccess.

Describe how to configure DirectAccess server-side settings.

Overview of DirectAccess
Organizations that utilize DirectAccess provide
a way for IT staff to manage remote computers
in the same way that they would manage local
computers. By using the same management and
update servers, you can ensure that remote
computers are always up-to-date and in
compliance with your security and system health
policies. You can also define more detailed access
control policies for remote access when compared
with defining access control policies in VPN
solutions.
DirectAccess offers the following features:

Connects automatically to an organization's intranet when connected to the Internet.

Uses various protocols, including HTTPS, to establish IPv6 connectivity. HTTPS typically is allowed
through firewalls and proxy servers.

Supports selected server access and end-to-end IPsec authentication with intranet network servers.

Supports end-to-end authentication and encryption with intranet network servers.

Supports management of remote client computers.

Allows remote users to connect directly to intranet servers.

DirectAccess also provides the following benefits:


Always-on connectivity. Whenever a user connects a client computer to the Internet, the client
computer is also connected to the intranet. This connectivity enables remote client computers to
access and update applications more easily. It also makes intranet resources always available, and
enables users to connect to the organization's intranet from anywhere at any time, thereby improving
their productivity and performance.

Seamless connectivity. DirectAccess provides a consistent connectivity experience, regardless of
whether a client computer is local or remote. This allows users to focus more on productivity and less
on connectivity options and processes. This consistency can reduce training costs for users, with fewer
support incidents.

Bidirectional access. You can configure DirectAccess in a way that the DirectAccess clients have
access to intranet resources, and you can have access from the intranet to those DirectAccess clients.
Therefore, DirectAccess can be bidirectional. This ensures that client computers receive recent security
updates, the domain Group Policy is enforced, and there is no difference whether users are on the
organizational intranet or on a public network. This bidirectional access also results in:
   o Decreased update time.
   o Increased security.
   o Decreased rate of missed updates.
   o Improved compliance monitoring.

Manage-out support. Provides the ability to enable only remote management functionality in the
DirectAccess client. This new sub-option of the DirectAccess Client Configuration Wizard automates
policy deployments that are used for managing the client computer. Manage-out support does not
implement any policy options that allow users to connect to the network for file or application access.
Manage-out support is unidirectional, and provides incoming-only access for administration purposes
only.

Improved security. Unlike traditional VPNs, DirectAccess offers many levels of access control to
network resources. This gives security architects tighter, more precise control over remote users
who access specified resources. You can use a detailed policy to define which specific user can use
DirectAccess, and the location from which the user can access it. You can use IPsec encryption for
protecting DirectAccess traffic so that users can ensure that their communication is safe.

Integrated solution. DirectAccess integrates with server isolation, domain isolation, and NAP solutions,
resulting in the integration of security, access, and health requirement policies between the intranet
and remote computers.


DirectAccess Components
To deploy and configure DirectAccess, your
organization must support the following
infrastructure components:

DirectAccess server

DirectAccess clients

Network location server

Internal resources

An AD DS domain

Group Policy

Public key infrastructure (PKI), optional for the internal network

DNS server

NAP server

DirectAccess Server
The DirectAccess server can be any computer that meets the following conditions:

Is running Windows Server 2012

Is joined to a domain

Accepts connections from DirectAccess clients

Establishes communication with intranet resources

This server provides authentication services for DirectAccess clients and acts as an IPsec tunnel mode
endpoint for external traffic. The new remote access server role allows centralized administration,
configuration, and monitoring for both DirectAccess and VPN connectivity.

Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based setup
simplifies DirectAccess management for small and medium-sized organizations. The wizard does so by
removing the need for full PKI deployment and removing the requirement for two consecutive public IPv4
addresses for the physical adapter that is connected to the Internet. In Windows Server 2012, the wizard
detects the actual implementation state of the DirectAccess server. The wizard automatically selects the
best deployment, thereby not showing the administrator the complexity of manually configuring IPv6
transition technologies.

DirectAccess Clients
A DirectAccess client can be any domain-joined computer that runs the Enterprise edition of the
Windows 7, Windows 8, or Windows 8.1 operating systems.
Note: With off-premise provisioning, you can join the client computer to a domain without
connecting the client computer to your internal premises.

The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to complete.

If a firewall or proxy server prevents the client that is using 6to4 or Teredo from connecting to the
DirectAccess server, the client computer automatically attempts to connect by using the IP-HTTPS
protocol, which uses an SSL connection to ensure connectivity.

Network Location Server


A DirectAccess client uses the network location server to determine its location. If the client computer can
connect securely to the network location server by using HTTPS, the client computer assumes it is on the
intranet, and the DirectAccess policies are not enforced. If the network location server is not contactable,
the client assumes it is on the Internet. The network location server is installed on the DirectAccess server
with the Web server role.
Note: The URL for the network location server is distributed by using a Group Policy Object
(GPO).

Internal Resources

You can configure any IPv6-capable application that is running on internal servers or client computers to
be available for DirectAccess clients. For older applications and servers that do not have IPv6 support,
such as Windows Server 2003 or other non-Microsoft operating systems, Windows Server 2012 includes
native support for a protocol translation (NAT64) and name resolution (DNS64) gateway to convert IPv6
communication from a DirectAccess client to IPv4 for internal servers.
Note: You can also configure DirectAccess by using Microsoft Forefront Unified Access
Gateway.

Active Directory Domain

You must deploy at least one AD DS domain that at a minimum is running at a Windows Server 2003
domain functional level. DirectAccess provides integrated multiple-domain support, which allows client
computers from different domains to access resources that might be located in different trusted domains.

Group Policy

You need to use Group Policy for the centralized administration and deployment of DirectAccess settings.
The Getting Started Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.

PKI

PKI deployment is optional for simplified configuration and management. DirectAccess enables client
authentication requests to be sent over an HTTPS-based Kerberos proxy service that is running on the
DirectAccess server. This eliminates the need for establishing a second IPsec tunnel between clients and
domain controllers. The Kerberos proxy will send Kerberos requests to domain controllers on behalf of the
client.
However, for a full DirectAccess configuration that allows NAP integration, two-factor authentication, and
force tunneling, you still must implement certificates for authentication for every client that will
participate in DirectAccess communication.

DNS Server

When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 SP2 or newer, or a
non-Microsoft DNS server that supports DNS message exchanges over the ISATAP.


NAP Servers

NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking, and to enforce security policy for DirectAccess clients over the Internet. DirectAccess provides
the ability to configure NAP health checks directly from the setup user interface.

Troubleshooting DirectAccess Client Issues


When a DirectAccess client computer cannot
connect to intranet resources from the Internet,
there can be a number of possible reasons.
Note: Troubleshooting DirectAccess client
connectivity relies on many of the tools and
procedures that you have used already during this
course, particularly those that relate to network
connectivity and GPO application
troubleshooting.
Use the following high-level procedure to help
pinpoint the problem:
1. Verify that the client is running a supported operating system. A DirectAccess client computer
must be running Windows 7 Ultimate, Windows 7 Enterprise, Windows 8 Enterprise, Windows 8.1
Enterprise, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.

Note: If you configured DirectAccess by using the Getting Started Wizard, the DirectAccess
client computer must be running Windows 8, Windows 8.1, Windows Server 2012, or Windows
Server 2012 R2.

2. Verify that the client computer is part of an AD DS domain within your forest.
3. Verify that the client computer belongs to a suitable AD DS security group for the purposes of
applying GPOs for DirectAccess. The appropriate group is configured during the setup of
DirectAccess.
4. Verify that the two client GPOs are created and configured correctly. Use the Group Policy
troubleshooting tools to verify the correct application of GPOs for DirectAccess.
5. Check that the server configuration GPOs are applying to the DirectAccess server. Again, use standard
GPO troubleshooting tools and techniques.
6. Check IPv6 connectivity from the DirectAccess client to the DirectAccess server. IPv6 connectivity is
required for DirectAccess.
7. Also, check that the DirectAccess client has IPv6 connectivity to the intranet DNS servers. The
DirectAccess client must be able to use these servers to resolve intranet fully qualified domain names
(FQDNs).
8. Verify that the DirectAccess client has correctly determined its location as being on the Internet. You
can use the netsh dnsclient show state command to make this determination. The determined
network location displays in the Machine Location field.

Useful Netsh Commands for DirectAccess


In addition to the command shown above, you can use the following Netsh commands to troubleshoot
DirectAccess connectivity issues:

Netsh interface Teredo show state. This command is useful for determining whether the client-side
GPOs have successfully applied.

Netsh interface httpstunnel show interface. Displays detailed information about the IP-HTTPS
adapter on your computer. Enables you to see the name of the IP-HTTPS listener that runs on your
DirectAccess server, in addition to whether the adapter is currently connected.

Netsh namespace show policy. Should display the same information as you entered into the Name
Resolution Policy Table during the setup process on your DirectAccess server. If it does not, it means
that the GPOs have not applied to the local computer yet.

Netsh namespace show effectivepolicy. When the DirectAccess client is external, the output
mirrors the output from the netsh namespace show policy command. When the DirectAccess client
is internal, the output says "Note: DirectAccess settings would be turned off when computer is inside
corporate network."

Netsh advfirewall show currentprofile. Shows which Windows Firewall profile is active. The IPsec
tunnels are only enabled on the Public and Private profiles. If the Domain profile is active, then
DirectAccess is not enabled.

Windows PowerShell
You can use the following Windows PowerShell cmdlets to investigate DirectAccess client problems:

Get-DAClientExperienceConfiguration. This cmdlet retrieves the DirectAccess client configuration.

Get-DAConnectionStatus. This cmdlet retrieves the status of a DirectAccess connection in
Windows 8.1.
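
The client-side checks from the troubleshooting procedure and from the Netsh and Windows PowerShell lists above, collected into one report as an added example that is not part of the course material. It assumes an elevated session, English-language netsh and gpresult output, and the GPO name DirectAccess Client Settings used in this course; the function and parameter names are illustrative.

```powershell
# Added example (not from the course): gathers the client-side checks from the
# troubleshooting procedure into one report. Run elevated on the DirectAccess client.
# Assumptions: English netsh/gpresult output; the client GPO is named
# "DirectAccess Client Settings", as in this course's Getting Started Wizard setup.

function Get-DirectAccessClientReport {
    param([string]$ClientGpoName = 'DirectAccess Client Settings')

    $os = Get-WmiObject -Class Win32_OperatingSystem   # step 1: supported edition?
    $cs = Get-WmiObject -Class Win32_ComputerSystem    # step 2: domain membership

    # Steps 3-4: the client GPO must be in the "Applied Group Policy Objects"
    # section, not merely named in the filtered-out list that follows it.
    $gpResult = gpresult /r /scope computer | Out-String
    $applied  = ''
    if ($gpResult -match '(?s)Applied Group Policy Objects(.*?)(?:The following GPOs|\z)') {
        $applied = $Matches[1]
    }
    $gpoApplied = $applied -match [regex]::Escape($ClientGpoName)

    # Step 8: the Machine Location field of "netsh dnsclient show state".
    $dnsState = netsh dnsclient show state | Out-String
    $location = 'Unknown'
    if ($dnsState -match 'Machine Location\s*:\s*(.+)') { $location = $Matches[1].Trim() }

    # Active firewall profile: the IPsec tunnels exist only on Public and Private.
    $fwText    = netsh advfirewall show currentprofile | Out-String
    $fwProfile = 'Unknown'
    if ($fwText -match '(\w+) Profile Settings') { $fwProfile = $Matches[1] }

    # Connection status as reported by the DirectAccess client cmdlet.
    try {
        $da = Get-DAConnectionStatus -ErrorAction Stop
        $daStatus = "$($da.Status) ($($da.Substatus))"
    } catch {
        $daStatus = "Unavailable: $($_.Exception.Message)"
    }

    $findings = @()
    if (-not $cs.PartOfDomain)   { $findings += 'Client is not joined to an AD DS domain (step 2).' }
    if (-not $gpoApplied)        { $findings += "GPO '$ClientGpoName' is not applied (steps 3-4)." }
    if ($fwProfile -eq 'Domain') { $findings += 'Domain firewall profile is active, so DirectAccess is not enabled.' }

    [pscustomobject]@{
        OperatingSystem  = $os.Caption
        Domain           = $cs.Domain
        ClientGpoApplied = $gpoApplied
        MachineLocation  = $location
        FirewallProfile  = $fwProfile
        DAStatus         = $daStatus
        Findings         = $findings
        # Raw output kept for the incident record: NRPT in effect and IP-HTTPS adapter state.
        EffectiveNrpt    = (netsh namespace show effectivepolicy | Out-String)
        IpHttps          = (netsh interface httpstunnel show interfaces | Out-String)
    }
}

Get-DirectAccessClientReport | Format-List
```

An empty Findings list with a Machine Location inside the corporate network is the expected result for a client on the intranet, where the DirectAccess policies are not enforced.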

DirectAccess Connectivity Assistant

You can also use the DirectAccess Connectivity Assistant 2.0. In Windows 8.1, you can access this tool from
the Networks list. Click the networking icon in the notification area to access the Networks list. This tool
enables you to:

Obtain DirectAccess connectivity information so that you can view DirectAccess connectivity status
from a client computer.

Obtain diagnostic and troubleshooting information. The tool helps users to reconnect to an
organizational network if problems occur. The tool creates diagnostics information that you can use
to help diagnose a connectivity problem.

Use one-time password authentication for DirectAccess users.

Demonstration: Configuring DirectAccess by Using the Getting Started Wizard
Note: This is a practice session.
In this practice session, you will:

Verify network configuration on LON-RTR.

Verify readiness for DirectAccess.


Configure DirectAccess by using the Getting Started Wizard.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-SVR1 and 20688D-LON-RTR.

Demonstration Steps
Verify network configuration on LON-RTR
1. Switch to LON-RTR.
2. In Server Manager, click Tools, and then click Routing and Remote Access.
3. In the Routing and Remote Access console, in the navigation pane, right-click LON-RTR (local), and
then click Disable Routing and Remote Access.
4. Click Yes in the Routing and Remote Access dialog box. This step is needed to disable the Routing and
Remote Access that was preconfigured for this lab.
5. Close Routing and Remote Access.
6. Right-click Start, and then click Network Connections.
7. In the Network Connections window, verify that there are two network adapters: London_Network
and Internet.
8. In the Network Connections window, right-click the London_Network adapter, and then click
Disable.
9. In the Network Connections window, right-click the London_Network adapter, and then click
Enable.
10. Repeat steps 8 and 9 for the Internet network connection.

Verify readiness for DirectAccess


1. Switch to LON-DC1.
2. In Server Manager, click Tools, and then click Active Directory Users and Computers.
3. In the Active Directory Users and Computers console tree, right-click Adatum.com, click New, and
then click Organizational Unit.
4. In the New Object - Organizational Unit dialog box, in the Name box, type DA_Clients OU, and
then click OK.
5. In the Active Directory Users and Computers console tree, expand Adatum.com, right-click
DA_Clients OU, click New, and then click Group.
6. In the New Object - Group dialog box, in the Group name box, type DA_Clients.


7. Under Group scope, ensure that Global is selected, and under Group type, ensure that Security is
selected, and then click OK.
8. In the details pane, right-click DA_Clients, and then click Properties.
9. In the DA_Clients Properties dialog box, click the Members tab, and then click Add.
10. In the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, click Object
Types, select the Computers check box, and then click OK.
11. In the Enter the object names to select (examples) box, type LON-CL3, and then click OK.
12. Verify that LON-CL3 displays under Members, and then click OK.
13. Close the Active Directory Users and Computers console.

Configure DirectAccess by using the Getting Started Wizard


1. Switch to LON-RTR.
2. In Server Manager, click Tools, and then select Remote Access Management.
3. In the Remote Access Management console, under Configuration, click DirectAccess and VPN.
4. Click Run the Getting Started Wizard.
5. On the Configure Remote Access page, click Deploy DirectAccess only.
6. Verify that Edge is selected, and in Type the public name or IPv4 address used by clients to
connect to the Remote Access server box, type 131.107.0.10, and then click Next.
7. On the Configure Remote Access page, click the here link.
8. On the Remote Access Review page, verify that two GPO objects are created, DirectAccess Server
Settings and DirectAccess Client Settings.
9. Click the Change link beside Remote Clients.
10. Select Domain Computers (Adatum\Domain Computers), and then click Remove.
11. Click Add, type DA_Clients, and then click OK.
12. Clear the Enable DirectAccess for mobile computers only check box, and then click Next.
13. On the DirectAccess Client Setup page, click Finish.
14. On the Remote Access Review page, click OK.
15. On the Configure Remote Access page, click Finish to finish the DirectAccess Wizard.
16. In the Applying Getting Started Wizard Settings dialog box, click Close.

Completion steps

After you have completed the practice session, leave the virtual machines running for the lab.


Lab B: Configuring and Testing DirectAccess


Scenario
The server team has implemented the internal configuration to deploy DirectAccess. You now must
complete the deployment by configuring the clients.

Objectives
After completing this lab, you will be able to:

Configure and test DirectAccess deployment.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20688D-LON-DC1, 20688D-LON-SVR1, 20688D-LON-RTR, and 20688D-LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. The virtual machines should still
be running from the preceding practice session. If they are not, before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-SVR1 and 20688D-LON-RTR.
6. Do not start 20688D-LON-CL3 until instructed to do so.
7. You then must complete the preceding practice session to get the virtual machines into the correct
state for this lab.

Exercise 1: Configuring DirectAccess Client-Side Settings


Scenario
You must now configure the client-side DirectAccess settings and test them.
Incident Record
Incident Reference Number: 723469
Date of Call: November 8
Time of Call: 10:22
User: Josh Bailey (Research department)
Status: OPEN

Incident Details
DirectAccess is not configured on Josh's computer, and he cannot access intranet resources from his
home network.
Additional Information
Josh cannot connect to intranet resources from home.
His computer, LON-CL3, must be configured for DirectAccess.
Plan of Action

The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for incident 723469.
2. Update the Plan of Action section of the Incident Record.
3. Test a client on the internal network.
4. Move the client to the Internet, and test compliance.

Task 1: Read the help desk Incident Record for incident 723469

Read the help desk Incident Record 723469.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Test a client on the internal network


1. Start the 20688D-LON-CL3 virtual machine, and then sign in as Adatum\Administrator with the
password Pa$$w0rd.
2. In the Command Prompt window, run the following commands to verify that the correct policies are
applying to the DirectAccess client:
   gpupdate /force
   gpresult /r
3. You should see the DirectAccess Client Settings GPO listed under Applied Group Policy Objects.
4. From the taskbar, start Internet Explorer.
5. In the Address bar, type http://LON-SVR1.adatum.com, and then press Enter.


6. Verify that the Adatum Intranet page displays.
7. Close Internet Explorer.

Task 4: Move the client to the Internet, and test compliance


1. On LON-CL3, disable the London_Network network adapter.
2. Change the Internet network adapter settings as follows:
   o IP address: 131.107.0.50
   o Subnet mask: 255.255.0.0
   o Default gateway: 131.107.0.10
   o Preferred DNS server: 172.16.0.10
3. Enable the Internet adapter.
4. Using Internet Explorer, open http://LON-SVR1.adatum.com.
5. Verify that the Adatum Intranet page displays.
6. At the command prompt, run the ipconfig command.
7. Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP-HTTPS
address.
8. At the command prompt, type the following command:
   Netsh name show effectivepolicy
9. Verify that DNS Effective Name Resolution Policy Table Settings present two entries for adatum.com
and Directaccess-NLS.Adatum.com.
10. At the Windows PowerShell command prompt, type the following command, and then press Enter.
   Get-DAClientExperienceConfiguration
   Notice the DirectAccess client settings.
11. Switch to LON-RTR.
12. In the Remote Access Management console pane, click Remote Client Status.
   Notice that the client is connected via IPHttps. In the Connection Details pane, in the lower-right of
   the screen, note the use of Kerberos for the Machine and the User. If no data shows, restart LON-CL3,
   and then sign in as Adatum\Administrator with the password Pa$$w0rd. Then repeat steps 4, 9,
   and 10 above.
13. Close all open windows.

Results: After completing this exercise, you should have configured the client-side settings for
DirectAccess and tested access to internal resources.

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL3, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1, 20688D-LON-SVR1, 20688D-LON-RTR, and
20688D-LON-CL3.


Module Review and Takeaways


Review Questions
Question: Users are complaining that they are unable to connect to the corporate network
by using VPNs following recent firewall configuration changes. The team responsible for
implementing security policies has determined that only TCP port 443 is allowed through
into the internal network. Which tunneling protocol supports this restriction?

Question: On a client computer, what steps must you perform to ensure that the client's
health is being assessed?

Question: How do you configure DirectAccess clients?


Module 9
Troubleshooting Resource Access within a Domain
Contents:
Module Overview
Lesson 1: Troubleshooting File Access Issues
Lesson 2: Troubleshooting File Permissions Issues
Lesson 3: Troubleshooting Printer Access Issues
Lab: Troubleshooting Resource Access within a Domain
Module Review and Takeaways

Module Overview

To perform their jobs effectively, users need to have access to all of the resources that they require. For
example, users must have access to the data stored in their files, and have access to their printers. File and
printer access have unique issues that can negatively affect the user experience. You must be able to
troubleshoot and resolve issues related to both of these areas.
This module covers the causes of these issues, such as users' inability to access or modify files, and
difficulty accessing printers. This module also provides troubleshooting information that you can use to
help users who are having file access issues, file permission issues, or printer access issues.

Objectives
After completing this module, you will be able to:

Troubleshoot file access issues.

Troubleshoot file permissions issues.

Troubleshoot printer access issues.

Lesson 1

Troubleshooting File Access Issues


One of the most common tasks that users perform is accessing and modifying documents. To perform this
task, users must have access to those documents. Most users access documents over the network by using
mapped drives. You can configure mapped drives manually, by using logon scripts, and by using Group
Policy Preferences. You must understand and be able to troubleshoot these methods for accessing files.

Lesson Objectives
After completing this lesson, you will be able to:

Describe considerations for troubleshooting file access issues.

Describe how to configure drive mappings manually.

Describe how to use logon scripts for drive mappings.

Create a drive mapping by using Group Policy Preferences.

Considerations for Troubleshooting File Access Issues


Most organizations store files centrally on a file
share. Users can access file shares by using a
Universal Naming Convention (UNC) path, but
that is too complex for most users. Typically, users
are given a drive mapping that connects them
to a file share. Windows 8.1 also provides the
option to redirect folders and use offline files and
folders. However, some issues can occur with file
access, including:

Missing drive mappings. If drive mappings are
missing, users cannot access their files. This
typically is because of an error in configuring
the drive mappings.

Disconnected network drives. After signing in, drive mappings can display as disconnected. This
typically is due to network connectivity problems.

Folders not redirected properly. If you do not configure folder redirection properly, then users are
unable to access their files. For example, if you do not redirect the Documents folder to a network
location, Windows 8.1 uses the default local Documents folder in the user profile. This typically is
because of an incorrect folder redirection configuration.

Incorrect file system permissions or shared folder permissions. Users that do not have appropriate
permissions cannot access their files. Often, this may be a result of incorrect permission assignment or
incorrect group membership.


Configuring Drive Mappings Manually


Drive mapping provides a simple way for users to
access network files. Typically, an organization will
have standardized drive mappings for access to
network files. For example, drive S might map to a
shared folder with shared files, and drive H might
map to a user's home folder.
You can create drive mappings manually for
users on their computer. However, Windows 8.1
does not retain drive mappings that you create
manually for multiple logon sessions unless you
select the Reconnect at sign-in check box during
creation, which makes the drive mapping
persistent. Windows 8.1 stores persistent drive mappings in the user profile.

Typically, configuring drive mappings manually is beneficial and prudent only for very small organizations.
It is time-consuming and inefficient to create drive mappings manually in each user profile, because
changing drive mappings requires you to visit each user's computer.
Note: Creating a drive mapping does not configure the necessary permissions so that a
user can access and modify files. You must configure permissions in a separate step.

Configuring Drive Mappings by Using Logon Scripts


Another common way to implement drive
mappings is by using logon scripts. You can
configure a logon script in the properties of a
user or in a Group Policy Object (GPO). Logon
scripts that reference user properties are in the
Netlogon share of each domain controller. Logon
scripts that are configured in a GPO are stored as
part of the GPO in the Sysvol folder of the domain
controllers.
The main benefits of using logon scripts for drive
mappings are:

Cross-computer application. A logon script runs on each computer to which a user signs in. This ensures
that the drive mapping appears on each computer to which the user signs in, without having to use
roaming profiles.

Simplified updates. When you need to update drive mapping, you only have to update a single,
central logon script, rather than having to update multiple user profiles individually and manually.

Increased flexibility. You can configure scripts to perform drive mappings that are specific to users,
groups, or computers.

The syntax for creating drive mappings varies depending on the type of logon script that you are using.
Two of the most common types of logon scripts are batch files (.bat) and Microsoft Visual Basic
Scripting Edition (VBScript) (.vbs). In Windows 8.1, you can also use Windows PowerShell for logon
scripts.

The following three examples map drive S to \\Server1\SharedData.


The syntax for mapping a drive in a batch file is:
net use S: \\Server1\SharedData

The syntax for mapping a drive in VBScript is:
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive "S:", "\\Server1\SharedData"

The syntax for mapping a drive in Windows PowerShell is:
New-PSDrive -Name S -PSProvider FileSystem -Root \\Server1\SharedData -Persist

Note: Whether you decide to use scripts to create users' drive mappings, or use GPO
Preferences, you must use Group Policy to distribute these settings to your users. This means that
failure to apply the drive mapping can be related to generic GPO application problems. For
further information about troubleshooting the application of GPOs, please see Module 6:
Troubleshooting Group Policy.
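
The following logon script is an added example, not part of the original course material. It maps the two drives used in this lesson, limits drive R to members of one group, and logs the reason whenever a mapping is skipped or fails, which covers the missing-mapping and disconnected-drive cases described earlier. The mapping table, the function name Connect-MappedDrive and the log file location are assumptions.

```powershell
# Added example: logon script that maps drives and records why a mapping failed.
# The drive letters, UNC paths and group name are the ones used in this lesson;
# the mapping table, function name and log location are assumptions.

$Mappings = @(
    @{ Letter = 'S'; Root = '\\Server1\SharedData'; Group = '' },                # everyone
    @{ Letter = 'R'; Root = '\\lon-dc1\Research';   Group = 'Adatum\Research' }  # group members only
)
$LogFile = Join-Path $env:TEMP 'drive-mapping.log'

# Group membership is read from the sign-in token, so a membership change is
# only visible after the user signs out and signs in again.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

function Connect-MappedDrive {
    param([string]$Letter, [string]$Root, [string]$Group)

    # Targeting: skip the mapping when the user is not in the required group.
    if ($Group -and -not $principal.IsInRole($Group)) {
        return "SKIPPED ${Letter}: $($identity.Name) is not a member of $Group"
    }

    # Do not overwrite a drive letter that is already in use.
    $existing = Get-PSDrive -Name $Letter -PSProvider FileSystem -ErrorAction SilentlyContinue
    if ($existing) {
        return "SKIPPED ${Letter}: letter already in use ($($existing.DisplayRoot))"
    }

    # Test-Path returns $false when the share cannot be opened, for example
    # when the server is unreachable or the share name is wrong.
    if (-not (Test-Path -Path $Root -ErrorAction SilentlyContinue)) {
        return "FAILED ${Letter}: cannot open $Root (check connectivity, share name, permissions)"
    }

    try {
        # -Scope Global keeps the drive after the script's own scope ends.
        New-PSDrive -Name $Letter -PSProvider FileSystem -Root $Root `
            -Persist -Scope Global -ErrorAction Stop | Out-Null
        return "MAPPED ${Letter}: $Root"
    } catch {
        return "FAILED ${Letter}: $($_.Exception.Message)"
    }
}

foreach ($m in $Mappings) {
    $result = Connect-MappedDrive -Letter $m.Letter -Root $m.Root -Group $m.Group
    Add-Content -Path $LogFile -Value ("{0:s} {1}" -f (Get-Date), $result)
}
```

When a user reports a missing drive, the log line shows whether the cause was group membership, a drive letter conflict, or an unreachable share.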

Demonstration: Using Group Policy Preferences for Drive Mappings


Note: This is a practice session.
In this practice session, you will:

Configure a drive mapping with Group Policy Preferences.

Target the preference.

Test the preferences.

Preparation Steps


For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in using the following credentials:

   User name: Administrator

   Password: Pa$$w0rd

   Domain: Adatum

5. Repeat steps 2 through 4 for 20688D-LON-CL1.


Demonstration Steps
Configure a drive mapping with Group Policy Preferences
1. On LON-CL1, on the Start screen, click the Desktop tile.

2. Double-click Administrative Tools.

3. Double-click Group Policy Management.

4. In the console tree, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then
   click the Group Policy Objects container.

5. In the Group Policy Objects folder, in the details pane, right-click the Default Domain Policy, and
   then click Edit.
   Note: It is not usual to edit the Default Domain Policy to store drive mappings.

6. Expand User Configuration, expand Preferences, expand Windows Settings, right-click Drive
   Maps, point to New, and then click Mapped Drive.

7. In the New Drive Properties dialog box, in the Action list, click Create.

8. In the Location text box, type \\lon-dc1\Research.

9. Select the Reconnect check box.

10. In the Use list, click R.

Target the preference


1. On the Common tab, select the Item-level targeting check box, and then click Targeting.

2. In the Targeting Editor dialog box, click New Item, and then click Security Group.

3. Next to the Group text box, click the ellipsis (...) button.

4. In the Select Group dialog box, in the Enter the object name to select (examples) text box, type
   Adatum\Research and then click OK.

5. Click OK two more times.

Test the preferences


1. Right-click Start, and then click Command Prompt.

2. At the command prompt, type the following command, and then press Enter:
   gpupdate /force

3. Restart LON-CL1.

4. Sign in to LON-CL1 as Adatum\Allie with the password Pa$$w0rd.

5. From the Start screen, click the Desktop tile.

6. On the taskbar, click the File Explorer icon.

7. In File Explorer, verify the presence of the mapped network drive R.

Note: If a Welcome to the Research Lab dialog box displays, this is a user assigned logon
script. Click OK to close the dialog box.

Completion Steps


After you have completed the practice session, revert the virtual machines running in preparation for the
lab:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20688D-LON-DC1.


Lesson 2

Troubleshooting File Permissions Issues

The most common way that users collaborate is by using network file shares. Consequently, supporting
collaboration is an important part of your job. Your users might create documents that they share only
with departmental users, or they may work with a remote team member who needs access to those files.
Because of collaboration requirements, you must understand how to support shared folders in a network
environment.

You can control access to file shares with file share permissions, and with file and folder permissions.
Understanding how to determine effective permissions is essential to securing your files. You can use file
system permissions to define the level of access that users have to files that are available on your network,
or that are available locally on your Windows 8.1 computer.

Lesson Objectives
After completing this lesson, you will be able to:

Describe shares and Share permissions.

Describe the methods for sharing folders.

Describe file and folder permissions.

Describe file and folder permission inheritance.

Describe the interaction between folder and Share permissions.

Explain how to calculate effective permissions.

Explain how to troubleshoot permissions for file access.

File Sharing in Windows 8.1


You can store files in shared folders according
to categories or functions. For example, you can
put shared files for the Sales Department in one
shared folder, and shared files for executives in
another. Although most organizations deploy
dedicated file servers to host shared folders, you
can also share folders on client computers.
Windows 8.1 uses the Public folder to simplify file
sharing. With Public folder sharing enabled, the
Public folder and all the folders within the Public
folder are shared automatically.
Note: You enable Public folder sharing via
the Network and Sharing Center. In the Network and Sharing Center, click Change advanced
sharing settings, and then click Turn on file and printer sharing.

You do not have to configure file sharing on separate folders. Just move or copy the file or folder that you
want to share on the network to the Public folder on your Windows 8.1 client.

There are several different ways in which you can share folders with others on a network:

Through the Microsoft Management Console (MMC) snap-in entitled Shared Folders

Through File Explorer

From the command prompt

Through computer management

Using Windows PowerShell cmdlets

Sharing Through the MMC Shared Folders Snap-in


You can use the MMC Shared Folders snap-in to manage all file shares centrally on a computer. Use the
Shared Folders snap-in to create file shares and set permissions, and to view and manage open files and
the users who are connected to the computer's file shares. Additionally, you can view the properties for
the folder, which would allow you to perform actions such as specifying folder permissions.

When you are creating a new share, the Shared Folders snap-in opens the Create a Shared Folder Wizard.
By default, the share name will be the same as the folder name, and all users have read access Share
permissions.

Sharing Through File Explorer


You can share a folder through File Explorer by using either of the following two options:

Using the Share with option from the context menu or ribbon.

Using the Sharing tab in the Properties dialog box.

Using the Share with option from the context menu or ribbon

The Share with option is a simple and fast way to share a folder. When you right-click a folder and then
click Share with, a shortcut menu displays. You can use this shortcut menu to either stop sharing the
folder, or share the folder with specific people. When you share with specific people, you can click
Everyone, or share the folder with specific groups by typing their names. After selecting who you want
to share the folder with, you can set either Read or Read\Write permissions. Note that the file system
permissions are configured automatically based on what you selected. The share name will be the same
as the folder name.

Using the Sharing tab on the Properties dialog box

Using the Properties dialog box provides two options. You can click the Share button, which then presents
the same dialog box as Share with Specific people. You also can click the Advanced Sharing button and
specify the share name. The default name is the same as the folder name, and you can specify share
permissions as Full Control, Change, or Read. In addition, because you are in the Properties dialog box,
you can click the Security tab and set folder permissions.

Sharing from the Command Prompt


You can share a folder through the command-line interface by using the net share command. The
following example shows this in its basic form:
Net Share name=drive:path


This command will create a simple share, which uses the share name that you specify, and which grants all
authenticated users Read permissions. The following table describes some additional command-line
options that you can use.
Option | Description
/Grant:user permission | Allows you to specify Read, Change, or Full Share permissions for the specified user.
/Users:number | Allows you to limit the number of users that can connect to the share.
/Remark:text | Allows you to add a comment to the share.
/Cache:option | Allows you to specify the caching options for the share.
sharename /Delete | Allows you to remove an existing share.

Sharing through Computer Management

The Computer Management tool is a collection of MMC snap-ins that include the Shared Folders Snap-in.
Using the Computer Management tool, you can:

View and configure shared folders, and stop sharing a folder.

View and manage user sessions from remote computers connected to shared folders on the local
computer.

View and manage open files in the shared folders on the local computer.

Sharing by Using Windows PowerShell Cmdlets

Windows PowerShell provides several cmdlets that you can use to manage shares in Windows 8.1. The
Windows PowerShell command for creating a share is:
New-SmbShare -Name ShareName -Path C:\LocalFolder

Additional Windows PowerShell commands for managing shares include:


Command | Description
Get-SmbShare | Displays a list of the existing shares on the computer.
Set-SmbShare | Modifies an existing share.
Remove-SmbShare | Removes an existing share.
Get-SmbShareAccess | Retrieves the Share permissions for a share.
Get-Acl | Retrieves the access control list (ACL) (this cmdlet is not new).
Grant-SmbShareAccess | Sets Share permissions on a share.
Set-Acl | Sets the ACL for a specified resource (this cmdlet is not new).

Methods for Sharing Folders


Windows 8.1 provides two methods for sharing
folders directly from your computer:

Folder sharing: Share music, photos, and other files from any folder on your computer,
without having to move them from their current location. There are two types of folder
sharing: basic, and advanced.

Public folder sharing: Public folders serve as open drop boxes. Copying a file into a public
folder makes it immediately available to other users on your computer or network.

Basic Folder Sharing


Basic folder sharing is the simplest form of folder sharing, because it enables users to share a folder
quickly and simply. You create basic folder shares by using File Explorer. To share a folder this way, right-click the folder, point to Share with, and then click Specific people. You can also use the Net share
command without any additional options.

Advanced Folder Sharing

You can use advanced sharing to maintain more control over the Folder sharing process. To use advanced
sharing, use the following procedure:
1. Right-click a folder, and then click Properties.

2. In the Properties dialog box, click the Sharing tab.

3. On the Sharing tab, click the Advanced Sharing button.

4. In the Advanced Sharing dialog box, specify the following settings:

   o Share name. The default name is the folder name.

   o The maximum number of concurrent connections to the folder. The default setting is 20
     concurrent connections.

   o Shared folder permissions. The default permissions are Read permissions for the group
     Everyone.

   o Caching options. The default caching option allows user-selected files and programs to be
     available offline. You can disable offline files and programs, or configure files and programs to be
     available offline automatically.

You can also access advanced sharing by using the Net share command with additional options.

Public Folder Sharing

When you turn on Public folder sharing in Windows 8.1, anyone with an account on your computer, or a
PC on your network, can access the contents of these folders. To share something, copy or move it into
one of these public folders.
By default, Windows 8.1 provides the following Public folders:

Documents

Music


Pictures

Videos

You can view these folders by launching File Explorer, and then clicking Libraries to expand the folders.
By default, Public folder sharing is not enabled. However, files stored in the Public folder hierarchy are
available to all users who have an account on a given computer and can sign in to it locally.

To configure Windows 8.1 to allow access to the Public folders from the network, access the Change
advanced sharing settings link in the Network and Sharing Center, under the All Networks section. You
can either:

Turn on sharing, so that anyone with network access can read and write files in the Public folders.

Turn off Public folder sharing (people logged in to this computer can still access these folders).

Public folder sharing does not allow users to fine-tune sharing permissions, but it does provide a simple
way for users to make their files available to others. When you enable public folder sharing, the system
group Everyone is granted full control permissions for the share and the underlying folder permissions.

Shared Folder Permissions

When you share a folder, you must decide the permissions that a user or group will have when they
access the folder through the share. These permissions are known as shared folder permissions. The
permissions that you can use to secure a shared folder depend on the way in which you share a folder.
In Windows 8.1, basic sharing permissions offer two choices:

Read. Users can open, but not modify or delete a file.

Read/Write. Users can open, modify, or delete a file.

Note: When you use basic sharing, the permissions you assign are also assigned to the
underlying folder structure by using folder permissions. This provides for a simple and quick way
of securing and sharing a folder.
Advanced sharing in Windows 8.1 enables you to configure slightly different permissions:

Read. Users can open, but not modify or delete a file.

Change. Users can perform most actions on files within the shared folder.

Full Control. Users can perform all actions on files within the shared folder.

Note: When you use advanced sharing, the permissions that you assign are assigned to
the shared folder only, and not to the underlying folder. Although more time-consuming, this
method provides more control over the assignment of permissions. Keep in mind that when
using advanced sharing, the default shared folder permission is Read, which is assigned to the
Everyone group.
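
The following audit script is an added example, not part of the original course material. It uses the Get-SmbShare, Get-SmbShareAccess and Get-Acl cmdlets listed earlier to find shares where a broad group such as Everyone holds a share permission, and shows next to it what the same groups hold on the underlying folder, which is where the Everyone defaults of advanced sharing and Public folder sharing become visible. The function name Get-BroadShareAccess, the list of broad accounts and the output columns are assumptions; run it from an elevated prompt.

```powershell
# Added example: report shares that grant share permissions to broad groups,
# together with the file system permissions those groups hold on the folder.
# The function name, the account list and the output columns are assumptions.

function Get-BroadShareAccess {
    param(
        [string[]]$BroadAccounts = @('Everyone',
                                     'NT AUTHORITY\Authenticated Users',
                                     'BUILTIN\Users')
    )

    # -Special $false leaves out administrative shares such as C$, ADMIN$ and IPC$.
    foreach ($share in (Get-SmbShare -Special $false)) {

        # Share permissions: apply only when the folder is reached over the network.
        $shareAces = Get-SmbShareAccess -Name $share.Name | Where-Object {
            [string]$_.AccessControlType -eq 'Allow' -and
            $BroadAccounts -contains $_.AccountName
        }

        # File system permissions on the shared folder: always apply.
        $folderAces = @()
        if ($share.Path -and (Test-Path -LiteralPath $share.Path)) {
            $folderAces = @((Get-Acl -LiteralPath $share.Path).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $BroadAccounts -contains $_.IdentityReference.Value
            })
        }

        foreach ($ace in $shareAces) {
            [pscustomobject]@{
                Share        = $share.Name
                Path         = $share.Path
                Account      = $ace.AccountName
                ShareRight   = [string]$ace.AccessRight      # Read, Change or Full
                FolderRights = ($folderAces | ForEach-Object {
                    '{0}={1}' -f $_.IdentityReference.Value, $_.FileSystemRights
                }) -join '; '
            }
        }
    }
}

Get-BroadShareAccess | Format-Table -AutoSize -Wrap
```

A row with ShareRight Full and a FolderRights value that includes FullControl is the combination that Public folder sharing produces. New-SmbShare also accepts -ReadAccess, -ChangeAccess and -FullAccess, so a share can be created with named groups from the start.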

File and Folder Permissions


Permission is the authorization to perform an
operation on a specific object, such as a file. The
object's owners, or anyone with authority to grant
permissions, can do so. This typically includes
system administrators. If you own an object,
you can grant any user or security group any
permission on that object, including the
permission to take ownership.


Every container and object on the network has a set of access control information attached to it.
Known as a security descriptor, this information controls the type of access allowed to users and
groups. Permissions are defined within an object's security descriptor, and are associated with or assigned
to specific users and groups.
File and folder permissions define the type of access that you grant to a user, group, or computer.
Note: File and folder permissions are available for volumes formatted with either the NTFS
or Resilient (ReFS) File Systems. File and folder permissions are not available for FAT32 volumes.
In the past, when ReFS was not available, file and folder permissions were often referred to as
NTFS permissions.
For example, you can allow one user to read a file's contents, while you allow another user to make
changes to that file. You also can prevent all other users from accessing that file. You can set similar
permissions on folders as well.
There are two levels of permissions:

Shared folder permissions. Shared folder permissions allow security principals, such as users, to access
shared resources from across the network. Shared folder permissions are only in effect when a user
accesses a resource from the network.
Note: The next lesson covers this topic in greater detail.

File system permissions. File system permissions are always in effect, whether a user accesses the file
by connecting across the network or by signing in to the local machine on which the resource is
located. You can grant permissions to a file or folder for a named group or user.

Each NTFS or ReFS file and folder has an ACL with a list of users and groups that are assigned permissions
to the file or folder. Each entry in the ACL is an access control entry that identifies the specific permissions
granted to a user or group.

Types of File and Folder Permissions


There are two types of file and folder permissions:

Standard permissions are the most commonly used permissions.

Special permissions provide a finer degree of control for assigning access to files and folders.
However, special permissions are more complex to manage than standard permissions.


Standard file and folder permissions


The following table lists the standard file and folder permissions. You can choose whether to allow or
deny each of the following permission types.
File permissions | Description
Full Control | Complete control of the file/folder and control of permissions.
Modify | Read and write access; this applies to the object and any child objects by default. The specific permissions that make up Modify permissions are Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, and Read Permissions.
Read and Execute | Folder content can be viewed, files can be read, and programs can be started; this applies to the object and any child objects by default. The specific permissions that make up Read and Execute permissions are Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, and Read Permissions.
Read | Read-only access; this applies to the object and any child objects by default. The specific permissions that make up Read permissions are List Folder/Read Data, Read Attributes and Read Extended Attributes.
Write | Folder and file content can be changed; this applies to the object and any child objects by default. The specific permissions that make up Write permissions are Create Files/Write Data, Create Folders/Append Data, Write Attributes, and Write Extended Attributes.
Special permissions | This is a custom configuration.

Note: Groups or users that are granted Full Control on a folder can delete any files in that
folder, regardless of the permissions protecting the file.

To modify file permissions, you must be given the Full Control permission for a folder or file. The one
exception is for file and folder owners. The owner of a file or folder can modify file or folder permissions,
even if they do not have any current file or folder permissions. Administrators can take ownership of files
and folders to make modifications to file and folder permissions.

Special file and folder permissions


Special permissions give you a finer degree of control for assigning access to files and folders. However,
special permissions are more complex to manage than standard permissions. The following table defines
the special permissions for which you can provide custom configuration for each file and folder.
File permissions | Description
Traverse Folder/Execute File | The Traverse Folder permission applies only to folders. This permission allows or denies the user from moving through folders to reach other files or folders, even if the user does not have permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right checks user rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right. The Execute File permission allows or denies access to program files that are running. If you set the Traverse Folder permission on a folder, the Execute File permission is not set automatically on all files in that folder.
List Folder/Read Data | The List Folder permission allows or denies the user from viewing file names and subfolder names in the folder. The List Folder permission applies only to folders and affects only the contents of that folder. This permission is not affected if the folder on which you are setting the permission is listed in the folder list. The Read Data permission applies only to files, and allows or denies the user from viewing data in files.
Read Attributes | The Read Attributes permission allows or denies the user from viewing the attributes of a file or folder, such as read-only and hidden attributes. The file system defines the attributes.
Read Extended Attributes | The Read Extended Attributes permission allows or denies the user from viewing the extended attributes of a file or folder. Extended attributes are defined by programs, and they can vary by program.
Create Files/Write Data | The Create Files permission applies only to folders, and allows or denies the user from creating files in the folder. The Write Data permission applies only to files, and allows or denies the user from making changes to the file and overwriting existing content.
Create Folders/Append Data | The Create Folders permission applies only to folders, and allows or denies the user from creating folders in the folder. The Append Data permission applies only to files, and allows or denies the user from making changes to the end of the file but not from changing, deleting, or overwriting existing data.
Write Attributes | The Write Attributes permission allows or denies the user from changing the attributes of a file or folder, such as read-only or hidden. The file system defines the attributes. The Write Attributes permission does not imply that you can create or delete files or folders. It includes only the permission to make changes to the attributes of a file or folder.
Write Extended Attributes | The Write Extended Attributes permission allows or denies the user from changing the extended attributes of a file or folder. Programs define the extended attributes, which can vary by program. The Write Extended Attributes permission does not imply that the user can create or delete files or folders. It includes only the permission to make changes to the attributes of a file or folder.
Delete Subfolders and Files | The Delete Subfolders and Files permission applies only to folders and allows or denies the user from deleting subfolders and files, even if the Delete permission is not granted on the subfolder or file.
Delete | The Delete permission allows or denies the user from deleting the file or folder. If the user has not been assigned Delete permission on a file or folder, he or she still can delete the file or folder if the user is granted the Delete Subfolders and Files permission on the parent folder.
Read Permissions | Read Permissions allows or denies the user from reading permissions about the file or folder, such as Full Control, Read, and Write.
Change Permissions | Change Permissions allows or denies the user from changing permissions on the file or folder, such as Full Control, Read, and Write.
Take Ownership | The Take Ownership permission allows or denies the user from taking ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.

File System Permission Inheritance


When you manage permissions, there are two
types of permissions to consider:

Explicit permissions. Explicit permissions are permissions that are set by default on
nonchild objects when the object is created, or by user action on nonchild, parent, or child
objects.

Inherited permissions. Inherited permissions are permissions that are propagated to an
object from a parent object. Inherited permissions ease the task of managing
permissions, and ensure consistency of permissions among all objects within a given container.

Permissions inheritance allows the folder permissions that are set on a folder to be applied automatically
to files that users create in that folder and its subfolders. This means that you can set permissions for an
entire folder structure at a single point. If you have to modify the permissions, you then only have to
perform the change at that single point.
For example, if you create a folder named MyFolder, all subfolders and files created within MyFolder
inherit that folder's permissions automatically. Therefore, MyFolder has explicit permissions, whereas all
subfolders and files within it have inherited permissions.


You also can add permissions to subfolders and files below the initial point of inheritance, without
modifying the original permissions assignment. This grants a specific user or group a different file access
than the inherited permissions.

Inheritance for All Objects

If the Allow or Deny check boxes associated with each of the permissions are unavailable (grayed out), the
file or folder has inherited permissions from the parent folder. There are three ways to make changes to
inherited permissions:

Make the changes to the parent folder, and then the file or folder will inherit these permissions.

Select the opposite permission (Allow or Deny) to override the inherited permission.

Choose not to inherit permissions from the parent object. You then can make changes to the
permissions, or remove the user or group from the Permissions list of the file or folder.

You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her
file, even though he is a member of the Marketing group. She can exclude Bob by explicitly denying him
permission to read the file. This is typically how explicit denies are used to exclude a subset (such as
Bob) from a larger group (such as Marketing) which has permission to perform an operation.

Note that using explicit denials increases the complexity of the authorization policy, which can create
unexpected errors. For example, you might want to allow domain administrators to perform an action but
deny domain users. If you attempt to implement this by explicitly denying domain users, you also deny
any domain administrators who also are domain users. Though it is sometimes necessary, you should try
to avoid using explicit denials.

In most cases, Deny overrides Allow unless a folder is inheriting conflicting settings from different parents.
When this occurs, the setting inherited from the parent closest to the object in the subtree will have
precedence.
Note: Inherited Deny permissions do not prevent access to an object if the object has an
explicit Allow permission entry. Explicit permissions take precedence over inherited permissions,
even inherited Deny permissions.
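
The following script is an added example, not part of the original course material. It models the precedence rules above on constructed access control entries: explicit entries are checked before inherited ones, entries from the nearest parent before those from more distant parents, and Deny before Allow at each level. The function name Test-FileAccess, the entry layout and the Depth field are assumptions; the Alice, Bob, Marketing and domain administrator cases are the ones described in the text.

```powershell
# Added example: how the order of access control entries decides access.
# All entries are constructed. Depth 0 = set explicitly on the object,
# 1 = inherited from the parent folder, 2 = from the grandparent, and so on.

function Test-FileAccess {
    param(
        [object[]]$Aces,
        [string[]]$Identities,   # the user plus every group the user belongs to
        [System.Security.AccessControl.FileSystemRights]$Desired
    )

    # Explicit entries first, then the nearest parent; Deny before Allow per level.
    $byDepth   = { $_.Depth }
    $denyFirst = { if ($_.Type -eq 'Deny') { 0 } else { 1 } }
    $ordered   = $Aces | Sort-Object -Property $byDepth, $denyFirst

    $remaining = [int]$Desired   # requested rights not yet granted by an Allow entry
    foreach ($ace in $ordered) {
        if ($Identities -notcontains $ace.Identity) { continue }
        $mask = [int][System.Security.AccessControl.FileSystemRights]$ace.Rights

        if ($ace.Type -eq 'Deny') {
            # A Deny entry stops the check as soon as it covers a right still needed.
            if ($mask -band $remaining) {
                return "Denied by the Deny entry for $($ace.Identity) (depth $($ace.Depth))"
            }
        } else {
            $remaining = $remaining -band (-bnot $mask)
            if ($remaining -eq 0) {
                return "Allowed by the Allow entry for $($ace.Identity) (depth $($ace.Depth))"
            }
        }
    }
    return 'Denied: no Allow entry covers the requested rights'
}

function New-Ace($Identity, $Type, $Rights, $Depth) {
    [pscustomobject]@{ Identity = $Identity; Type = $Type; Rights = $Rights; Depth = $Depth }
}

# Case 1: Marketing inherits Read, Alice explicitly denies Bob on her file.
$alicesFile = @(
    (New-Ace 'Marketing' 'Allow' 'Read' 1),
    (New-Ace 'Bob'       'Deny'  'Read' 0)
)
Test-FileAccess -Aces $alicesFile -Identities 'Bob', 'Marketing'   -Desired Read
Test-FileAccess -Aces $alicesFile -Identities 'Carol', 'Marketing' -Desired Read

# Case 2: an inherited Deny does not block an explicit Allow on the object.
$explicitAllow = @(
    (New-Ace 'Marketing' 'Deny'  'Read' 1),
    (New-Ace 'Bob'       'Allow' 'Read' 0)
)
Test-FileAccess -Aces $explicitAllow -Identities 'Bob', 'Marketing' -Desired Read

# Case 3: denying Domain Users also denies administrators who are domain users.
$adminFolder = @(
    (New-Ace 'Domain Admins' 'Allow' 'Modify' 0),
    (New-Ace 'Domain Users'  'Deny'  'Modify' 0)
)
Test-FileAccess -Aces $adminFolder -Identities 'Domain Admins', 'Domain Users' -Desired Modify
```
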
Only inheritable permissions are inherited by child objects. When you set permissions on the parent
object, you can choose whether folders, subfolders, and files can inherit permissions. Perform the
following steps to assign inheritable permissions:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click
   Advanced.

2. In the Advanced Security Settings for <name> dialog box, the Inherited From column displays from
   where the permissions are inherited. The Applies to column lists the folders, subfolders, or files to
   which the permissions apply.

3. Double-click the user or group for which you want to adjust permissions.

4. In the Permissions Entry for <name> dialog box, click the Applies to drop-down list box, and then
   click one of the following options:

   o This folder only

   o This folder, subfolders, and files

   o This folder and subfolders

   o This folder and files

   o Subfolders and files only

   o Subfolders only

   o Files only

5. Click OK in the Permission Entry for <name> dialog box, click OK in the Advanced Security Settings
   for <name> dialog box, and then click OK in the Properties dialog box.

If the Special Permissions entry in Permissions for User or Group is grayed out, this means that a special
permission is selected. It does not imply that this permission is inherited.

Preventing Permission Inheritance

After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit
these permissions. You can block permission inheritance to restrict access to these files and subfolders. For
example, all accounting users may be assigned Modify permission to the Accounting folder. However, on
the subfolder Wages, you can block inherited permissions and allow only a few specific users access to the
folder.

Note: When permissions inheritance is blocked, you have the option to copy existing
permissions, or to begin with blank permissions. If you want to restrict only a particular group or
user, then copying existing permissions simplifies the configuration process.

To prevent a child file or folder from inheriting a permission on a parent folder, when you set up
permissions for the parent folder, select This folder only in the Applies to list box.

To prevent a folder or file from inheriting permissions from a parent folder, perform the following steps:

1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click
   Advanced.
2. In the Advanced Security Settings for file or folder dialog box, click Disable inheritance.
3. In the Block Inheritance dialog box, select any of the following options:
   o Convert inherited permissions into explicit permissions on this object
   o Remove all inherited permissions from this object
   o Cancel
4. Click OK in the Advanced Security Settings for name dialog box, and then click OK on the
   Properties page.

Forcing Permission Inheritance


The Advanced Security dialog box for folders includes a check box labeled Replace all child object
permission entries with inheritable entries from this object. Selecting this check box will replace the
permissions on all child objects that you can change permissions on, including child objects that had
Block inheritance configured. This can be particularly useful if you need to change permissions on a
larger number of subfolders and files, particularly when the original permissions were set incorrectly.

Discussion: Consider the Interaction of Shared Folder Permissions and File and Folder Permissions

When you create a shared folder on a partition that is formatted with the NTFS file system, both the
shared folder permissions and the file system permissions are combined to protect file resources. File
system permissions apply whether the resource is accessed locally or over a network, but they are
filtered against the shared folder permissions.

When you grant shared folder permissions on an NTFS or ReFS volume, the following rules apply:

Except when using the Share with Wizard, the Everyone group is granted the shared folder
permission Read.

In addition to the appropriate shared folder permissions, users must have the appropriate file system
permissions for each file and subfolder in a shared folder to access those resources.

When file system permissions and shared folder permissions are combined, the resulting permission is
the most restrictive of the effective shared folder permissions, or the effective file system permissions.

When accessing content through a share, the Share permissions on a folder apply to that folder, to all
files in that folder, to subfolders, and to all files in those subfolders.

Note: If the guest user account is enabled on your computer, the Everyone group includes
anyone. As a best practice, remove the Everyone group from any permission lists, and replace it
with the Authenticated Users group.

The following analogy can be helpful in understanding what happens when you combine file system
permissions and Share permissions. When you are working with a shared folder, you must always go
through the shared folder to access its files over the network. Therefore, you can think of the shared
folder permissions as a filter that only allows users to perform those actions that are acceptable to the
Share permissions. All file system permissions that are less restrictive than the Share permissions are
filtered out, so that only the most restrictive permissions remain.

For example, if the share permission is set to Read, then the most that you can do is read through the
share, even if individual file permission is set to Full Control. If you are configuring the share permission to
Modify, then you are allowed to read or modify the share. If the file permission is set to Full Control, then
the Share permissions filter the effective permission to Modify.

Question: If a user has Full Control file system permissions to a file but is accessing the file
through a share with Read permission, what will be the effective permission the user will
have on the file?

Question: If you want a user to view all files in a shared folder, but the user can modify only
certain files in the folder, what permissions should you give the user?

Question: Identify a scenario at your organization where it might be necessary to combine
file system permissions and Share permissions. What is the reason for combining
permissions?

Determining Effective Permissions


Each file and folder contains user and group permissions. Windows 8.1 determines a file or folder's
effective permissions by combining its user and group permissions. For example, if a user is assigned
Read permission and a group the user is a member of is assigned Modify permission, the effective
permissions of the user are Modify.

Note: When you combine permissions, a Deny permission takes precedence and overrides an Allow
permission.

Effective Access Feature

The Effective Access feature determines the permissions a user or group has on an object by calculating
the permissions that are granted to the user or group. The calculation takes into account the permissions
in effect from group membership and any of the permissions inherited from the parent object. It looks up
all domain and local groups in which the user or group is a member.
Note: The Effective Access feature always includes the Everyone group when calculating
effective permissions, provided the selected user or group is not a member of the Anonymous
Logon group.

The Effective Access feature produces only an approximation of the permissions that a user has. The actual
permissions the user has may differ, because permissions can be granted or denied based on how a user
signs in. The permissions that are specific to how a user signs in cannot be determined by the Effective
Access feature, because the user may not sign in. Therefore, the effective permissions it displays reflect
only those permissions specified by the user or group, and not the permissions specified by the logon. For
example, if a user is connected to a computer through a file share, then the logon for that user is marked
as a Network Logon. Permissions can be granted or denied to the well-known security ID (SID) Network,
which the connected user receives. This way, a user has different permissions when signed in locally than
when logged on over a network.

You can view effective access in the Advanced Security Settings for folder dialog box. You can access this
dialog box from a folder's Properties dialog box, by clicking the Advanced button on the Security tab. You
also can access it directly from the Share menu on the ribbon in File Explorer.

Troubleshooting File Access Permissions


If you connect a client computer properly to a network, then most network file access problems are due
to permissions that you configure incorrectly. This is most likely to occur for new users or during the
creation of new file shares.

The first troubleshooting step that you should perform is checking the user's effective file system
permissions. If the effective permissions are not what you expect them to be, you must identify how to
assign the correct permissions to that user. In most cases, you assign a group the appropriate file
system permissions, so your first step is to verify that the user is a member of the correct group or
groups.

When you are evaluating file system permissions, be aware that the Deny permission overrides the Allow
permission. For example, if your group has the Modify permission set to Allow, and a user in that group
has the Modify permission set to Deny, the user is denied the Modify permission.

If the effective file system permissions are correct, then you should verify that the Share permissions are
configured correctly. Share permission can limit the ability of users to access and modify files, even if
the appropriate file system permissions are assigned. For example, if you assign a group Read share
permission and Modify file system permission, the members of the group are limited to Read permission.
To simplify the interaction of share and file system permissions, many organizations assign the Everyone
group Full Control share permission. This means that file system permissions control access to files.

When troubleshooting permissions, use the following procedure to help to determine the problem:

1. Check effective file system permissions:
   a. Is the user part of the correct group or groups?
   b. Are those groups assigned the correct permissions?
   c. Are there any explicit permissions set?
   d. Are there any Deny permissions set?
2. Verify Share permissions:
   a. Does the user or group have Share permissions?
   b. Are those more or less restrictive than file system permissions?
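
The precedence rules from this lesson (explicit entries before inherited ones, Deny before Allow at the same level, share permissions filtering file system permissions) and the checklist above can be traced with a small model that also reports which entry decided the outcome. This is an added example, not part of the courseware or of Windows itself; the right bits, the Ace class, and the user Carol are constructed for illustration, and real NTFS access masks are finer grained.

```python
from dataclasses import dataclass

# Simplified right bits, constructed for this model (not the real NTFS access mask).
READ, WRITE, DELETE, CHANGE_PERMS = 1, 2, 4, 8
LEVELS = {  # permission levels named in the text, least to most permissive
    "Read": READ,
    "Modify": READ | WRITE | DELETE,
    "Full Control": READ | WRITE | DELETE | CHANGE_PERMS,
}


@dataclass(frozen=True)
class Ace:
    trustee: str     # user or group name
    allow: bool      # True = Allow entry, False = Deny entry
    rights: int      # bit mask built from the rights above
    depth: int = 0   # 0 = explicit on the object, 1 = from parent, 2 = grandparent


def canonical_order(aces):
    """Explicit entries first, then nearer parents; Deny before Allow per level."""
    return sorted(aces, key=lambda a: (a.depth, a.allow))


def access_check(token, aces, requested):
    """Walk the ordered entries; return (granted, deciding_ace)."""
    remaining = requested
    for ace in canonical_order(aces):
        if ace.trustee not in token:
            continue                      # entry is for someone else
        if not ace.allow and ace.rights & remaining:
            return False, ace             # Deny reached before the right was granted
        if ace.allow:
            remaining &= ~ace.rights
            if remaining == 0:
                return True, ace          # this Allow completed the request
    return False, None                    # no entry granted it: implicit deny


def effective_rights(token, aces):
    """Union of the single rights that an access check would grant."""
    mask = 0
    for bit in (READ, WRITE, DELETE, CHANGE_PERMS):
        if access_check(token, aces, bit)[0]:
            mask |= bit
    return mask


def level_name(mask):
    """Highest named level fully covered by the mask."""
    best = "No access"
    for name, bits in LEVELS.items():
        if mask & bits == bits:
            best = name
    return best


def effective_through_share(token, ntfs_aces, share_aces):
    """Over the network, share permissions filter the file system permissions."""
    both = effective_rights(token, ntfs_aces) & effective_rights(token, share_aces)
    return level_name(both)


# Constructed tokens: the account plus the groups it belongs to.
BOB = {"Bob", "Marketing", "Everyone"}
CAROL = {"Carol", "Domain Admins", "Domain Users", "Everyone"}  # hypothetical admin


def scenarios():
    full, modify = LEVELS["Full Control"], LEVELS["Modify"]
    out = {}
    # 1. Alice excludes Bob with an explicit Deny although Marketing may read.
    acl = [Ace("Marketing", True, READ, depth=1), Ace("Bob", False, READ)]
    out["explicit_deny"] = access_check(BOB, acl, READ)[0]
    # 2. An explicit Allow on the object wins over a Deny inherited from the parent.
    acl = [Ace("Marketing", False, READ, depth=1), Ace("Bob", True, READ)]
    out["explicit_allow_vs_inherited_deny"] = access_check(BOB, acl, READ)[0]
    # 3. Denying Domain Users also locks out administrators who are Domain Users.
    acl = [Ace("Domain Admins", True, full), Ace("Domain Users", False, modify)]
    granted, decided_by = access_check(CAROL, acl, WRITE)
    out["admin_write"] = (granted, decided_by.trustee)
    # 4. User Read plus group Modify combine to Modify.
    acl = [Ace("Bob", True, READ), Ace("Marketing", True, modify)]
    out["combined"] = level_name(effective_rights(BOB, acl))
    # 5. Full Control on the file, reached through a Read share and a Modify share.
    ntfs = [Ace("Marketing", True, full)]
    out["via_read_share"] = effective_through_share(
        BOB, ntfs, [Ace("Everyone", True, READ)])
    out["via_modify_share"] = effective_through_share(
        BOB, ntfs, [Ace("Everyone", True, modify)])
    # 6. Conflicting inherited entries: the parent closest to the object decides.
    acl = [Ace("Marketing", False, READ, depth=2), Ace("Marketing", True, READ, depth=1)]
    out["nearest_parent"] = access_check(BOB, acl, READ)[0]
    return out


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The deciding entry returned by access_check answers checklist items 1c and 1d directly: it shows whether an explicit or a Deny entry produced the result.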

Lesson 3

Troubleshooting Printer Access Issues

When users finish working with documents, they often print them. Users who cannot print their
documents often become frustrated. To ensure that printing is available to users and that it functions
correctly, you must understand the Windows 8.1 printing architecture and how to install printers. You also
must understand how to install printer drivers and how location-aware printing works.

Lesson Objectives
After completing this lesson, you will be able to:

Describe considerations for issues related to printer access.

Describe methods to install printers.

Describe how to add a printer driver to a network printer.

Explain how to manage client-side printing.

Considerations for Printer Access Issues


Printing is one of the core network services that your organization provides to users. When users
cannot print properly, they typically become frustrated and often call the help desk. Some issues
that can arise that relate to printing include:

A network printer is not available to all users on a computer. When you install a network printer on a
Windows 8.1 computer, the printer is specific to the user profile, and is not installed for all users
on that computer.

A user is unable to find a local printer. When users roam to different areas of the organization, it
can be difficult for them to determine the name of a local printer and how to install it.

A printer is not available automatically to users. Users can become frustrated when they have to
install their own printers. This can be a problem, particularly when you replace older printers and
need to update the printers for all users.

The default printer is not appropriate. Roaming users need to use different printers depending on
their location. If the default printer is static, then the user is forced to select the appropriate printer
each time.

A user is unable to install a printer driver. Roaming users often need to install printers in remote
locations. However, standard users do not have permission to add new printer drivers.

Users are unable to locate a printer with a published location in Active Directory Domain Services
(AD DS). When a printer is shared on a server, it can be published in AD DS, enabling users to locate
printers by searching AD DS. If the printer is not listed in the correct location, or if the AD DS sites and
subnet objects do not match the physical network topology, then users will not be able to locate
these printers.

Methods for Installing Printers


When you install and share a printer in
Windows 8.1, you must define the relationship
between the printer and two printer components:
the printer port, and the printer driver. Generally,
Plug-and-Play devices install automatically.
However, when you use the Add devices and
printers button in Devices and Printers to add a
wireless device or printer, Windows 8.1 must be
able to communicate with the device to complete
the wizard. To specify all the connection
information for a printer manually, use the
Advanced printer setup button.
Note: You can use Group Policy Preferences to distribute printers.

Defining the Printer Port

Windows 8.1 detects printers that you connect to your computer, and if the driver is available in the driver
store, it installs the driver for the printer automatically. However, Windows 8.1 might not detect printers
that connect by using older ports, such as serial or parallel ports, or network printers. In these cases, you
must configure the printer port manually.

Installing a Driver

The printer driver is a software interface that enables your computer to communicate with the printing
device. Without a printer driver, the printer that connects to your computer will not work properly. The
printer driver is responsible for converting the print job into a page-description language (PDL) that the
printer can use to print the job. The most common PDLs are PostScript, Printer Control Language (PCL),
and XML Paper Specification (XPS).
In most cases, drivers come with the Windows operating system. Alternatively, you can find them by
going to Windows Update in Control Panel, and checking for updates.
Note: If your organization does not allow automatic updates from Windows Update, you
must use alternative methods to distribute printer drivers.

If the Windows operating system does not have the driver you need, you can find it on the disk that came
with the printer, or on the manufacturer's website.

If the Windows operating system does not recognize your printer automatically, you must configure the
printer type during the installation process. The Printer Setup Wizard presents you with an extensive list of
currently installed printer types. However, if your printer is not on the list, you must obtain and install the
necessary driver.
Note: You can preinstall printer drivers into the driver store, thereby making them available
in the printer list by using the Pnputil.exe command-line tool.

When you connect a new printer to your computer, the Windows application attempts to find and install
a software driver for the printer. Occasionally, you might see a notification that a driver is unsigned or
altered, or that Windows cannot install it. You have a choice whether to install a driver that is unsigned or
has been altered since it was signed.

Note: Many USB printers require that you install the printer driver before you attach the
printer. Failure to follow this procedure can result in the printer failing to function correctly.
Check the product documentation before attaching the printer to your computer.

Installing Printer Drivers on Clients


Printer driver installation and the permissions required to install printer drivers vary depending on
how you install the printer. Standard users have the necessary permissions to install both local and
network printers, but not to add new printer drivers.

When you add a new local printer, Windows 8.1 searches for an appropriate printer driver in the driver
cache. If Windows 8.1 does not find an appropriate driver in the driver cache, standard users are unable
to install the printer. To allow a standard user to install the printer, you may add an appropriate
printer driver to the driver cache by using Pnputil.exe. Alternatively, you can edit the local
security policy to allow standard users to load and unload device drivers.

Note: It is important to ensure that you download and use the appropriate architecture
driver. That is, an X86 driver for 32-bit versions of Windows 8.1, and an X64 driver for 64-bit
versions of Windows 8.1. This issue is particularly relevant for older printers for which a 64-bit
driver may not be available.

Managing Client-Side Printing


Print Management provides a single interface that
you can use to administer multiple printers and
print servers.
To open the MMC snap-in for Print Management,
open the Control Panel, click System and Security,
click Administrative Tools, and then click Print
Management. You can use Print Management
to perform all the basic management tasks for a
printer. You also can manage printers from the
Devices and Printers page in Control Panel.

View the Print Queue

Once you initiate a print job, you can view, pause, or cancel the job through the print queue. The print
queue displays what is printing, or what is waiting to print. It also displays information such as job status,
who is printing what, and how many unprinted pages remain. From the print queue, you can view and
maintain the print jobs for each printer.

You can access the print queue from the Print Management MMC snap-in through the See what's
printing option on the Devices and Printers page in Control Panel. Documents that are listed first will be
the first to print.

Note: A corrupted print job can stall print queue processing. It is necessary to delete
such a corrupted job to allow other queued print jobs to process. Consider that if the user that
submitted the corrupted print job tries to print again, the queue may stall once more.

Cancel Print Jobs


If a print job is started by mistake, you can cancel it, even if printing is underway. To cancel a print job:

1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To cancel an individual print job, right-click the print job you want to remove, and then click Cancel.
3. To cancel all print jobs, click the Printer menu, and then click Cancel All Jobs. The item currently
   printing might finish, but the remaining items will be cancelled. To cancel other users' print jobs, you
   must have at least Manage Documents permissions on the printer object.

Note: If you are unable to delete a stalled print job, you can stop the Print Spooler service
and then delete the spool files manually. You can then restart the Print Spooler service. Use the
Services.msc management console to start and stop the Print Spooler service. You can find the
spool files in the C:\Windows\System32\Spool folder.

Pause or Resume a Print Job


You can pause and resume a single print job or multiple jobs in the queue. To pause or resume a
print job:

1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To pause or resume an individual print job, right-click the print job, and then click Pause or Resume.
3. To pause all print jobs, click the Printer menu, and then click Pause Printing. To resume printing,
   click Resume Printing.

Restart a Print Job

If you need to restart a print job (for example, if the print job is printing in the wrong color ink or on the
wrong paper), you can restart it by using the following steps:

1. Open the print queue for the specific printer by performing the steps outlined previously.
2. Right-click the print job to be reprinted, and then click Restart.

Reorder the Print Queue

If you are printing multiple items, you can change the order in which they print. To reorder the jobs in the
print queue:

1. Open the print queue for the specific printer by performing the steps outlined previously.
2. Right-click the print job to be reordered, and then click Properties.
3. Click the General tab, and then drag the Priority slider left or right to change its print order. Items
   with higher priority print first.

Lab: Troubleshooting Resource Access within a Domain


Scenario
In this lab, you will resolve the reported problems that Tier 1 help desk staff could not resolve.

Objectives
After completing this lab, you will be able to:

Resolve a scripting problem.

Resolve a file permissions issue.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL1.

Exercise 1: Resolving a Logon Script Problem


Scenario

Dana Birkby does not have access to the Marketing shared folder when she signs in. You must determine
why, and then take the appropriate corrective action.

Incident Record
Incident Reference Number: 723307
Date of Call: October 20
Time of Call: 11:47
User: Dana Birkby (Marketing Department)
Status: OPEN

Incident Details
User reports that she does not have access to the Marketing shared folder.

Additional Information
User reports that she started her job last week, and does not have access to the Marketing shared
folder, which is at \\LON-DC1\Marketing. She is signing in to LON-CL1.
I walked the user through accessing the share by using the Universal Naming Convention (UNC) path.
This is an acceptable short-term solution. However, this user should map drive letter M to the
Marketing shared folder like other users in that department.
Drive mappings are assigned using a Windows PowerShell script by using GPOs. I confirmed that the
user account is in the correct organizational unit (OU).
Other research users such as Adam Barr are experiencing no problems with the drive mapping.
Plan of Action

Resolution

The main tasks for this exercise are as follows:

1. Read the help desk Incident Record for Incident 723307.
2. Discuss recommendations.
3. Simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for Incident 723307

Read the help desk Incident Record 723307 above.

Task 2: Discuss recommendations

1. Read the Additional Information section of the Incident Record.
2. Discuss your recommendations with other students.

Task 3: Simulate the problem

1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod09\Scenario.vbs script.
4. Wait until the script completes.

Task 4: Attempt to resolve the problem

1. Attempt to resolve the problem by using your knowledge of GPOs and logon scripts.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
   To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you should have resolved a file access issue.

Exercise 2: Resolving a File Permissions Issue


Scenario

Users in the Marketing department have a data folder to which they should have exclusive access. Some
users from the Research department have recently been accessing content from these folders. You must
determine how that is possible, and then take corrective action.

Incident Record
Incident Reference Number: 723308
Date of Call: October 20
Time of Call: 12:05
User: Adam Barr (Marketing Department)
Status: OPEN

Incident Details
Users from other departments seem to have access to the departmental data folder.

Additional Information
The user, Adam, reports that non-Marketing users have access to Marketing data in the
\\lon-dc1\Marketing shared folder.
I signed in as Adam, a member of the Marketing department. He has appropriate access. However, I
also signed in as Allie Bellew, from Research. Although I had to manually create a drive mapping, I
could then access files in the Marketing share. However, I could not save files to this share.
Plan of Action

Resolution

The main tasks for this exercise are as follows:

1. Read the help desk Incident Record for Incident 723308.
2. Discuss recommendations.
3. Verify the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for Incident 723308

Read the help desk Incident Record 723308 above.

Task 2: Discuss recommendations

1. Read the Additional Information section of the Incident Record.
2. Discuss your recommendations with other students.

Task 3: Verify the problem

1. Switch to LON-CL1.
2. Sign in as Adatum\Allie with the password Pa$$w0rd.
3. Click Desktop, and then click the File Explorer icon.
4. In the address bar, type \\lon-dc1\Marketing, and then press Enter.

Note: Theoretically, this mapping should not work as Allie is not in the Marketing group.
However, the mapping is successful.

Task 4: Attempt to resolve the problem

1. Attempt to resolve the problem by using your knowledge of file permissions and shared folder access.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
   To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you should have resolved a file access issue.

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.

1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Module Review and Takeaways


Review Questions

Question: A user has called the help desk and complained about not being able to access
some files. Help desk passed the call to you, and you have determined that the user was not
added to the correct group. After you added the user to the correct group, the user is still
unable to access the files. What other step is required?

Question: One department in your organization is using a new application that creates two
folders in the root of drive C. One folder is for the program executable files, whereas the
other folder is for program data. What file permissions do you need to configure for these
folders?

Module 10
Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members

Contents:
Module Overview
Lesson 1: Configuring Workplace Join
Lesson 2: Configuring and Troubleshooting Work Folders
Lesson 3: Configuring and Troubleshooting OneDrive Access
Lab: Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members
Module Review and Takeaways

Module Overview

Users in most organizations often request access to organizational resources from devices other than the
computer in their office. Resources such as email have been available from outside the organization for
many years. Access to other resources such as files and applications is largely restricted from outside the
organization. The Windows Server 2012 R2 and Windows 8.1 operating systems include features to
access files and applications remotely.

Objectives
After completing this module, you will be able to:

Configure Workplace Join.

Configure and troubleshoot Work Folders.

Configure and troubleshoot Microsoft OneDrive access.

Lesson 1

Configuring Workplace Join

Workplace Join is a new feature in Windows Server 2012 R2 that you can use to enhance security when
users access applications remotely. When you use Workplace Join, you can identify devices used to access
applications and ensure that applications are accessed only from known devices, such as a user's home
computer or smartphone. It is also important to control the use of personal devices of users in the
workplace, known as the Bring Your Own Device (BYOD) scenario, which is becoming common in many
organizations. Understanding how Workplace Join works is essential in troubleshooting issues with access
to applications.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the BYOD trend.

Describe the Workplace Join feature.

Describe the Workplace Join process.

Perform a Workplace Join.

Identify troubleshooting considerations for Workplace Join.

Overview of BYOD
In the past, organizations had strict control on
the devices they allowed to access enterprise
resources. Devices such as smartphones were
standardized and needed approval for use on
corporate networks. Organizations restricted
devices to enforce security and to provide
standardized support for known devices.
BYOD is a new trend in enterprise organizations.
BYOD is a scenario where employees select a
device of their choosing and access enterprise
resources, such as applications. The device is
often owned and managed only by the employee.
Employees are often reimbursed for a portion of the device cost.

Allowing BYOD in the enterprise often results in employees that are more productive. Selecting a device
such as a smartphone is a very personal decision. Using a device that they are comfortable with makes
employees more productive and more satisfied with the device.

For an organization, allowing BYOD shifts some of the device-management costs to the employee. For
example, the employee now manages signing up and maintaining a service contract. However, there are
some challenges with BYOD:

Security for application access. When any device is allowed to access enterprise resources, it becomes
more difficult to secure access to the resources.

Security for enterprise data. When employees' personal devices contain enterprise data, the security
of that data becomes a concern. Is it possible to wipe the data if the device is lost or after the
employee leaves the organization?

Support. It might be more difficult to provide support for multiple platforms. You need to ensure that
your help desk personnel are trained to work with all of the common device platforms rather than
just the corporate standard.

Overview of Workplace Join


Workplace Join addresses some of the security
concerns for application access by allowing
devices to be identified even if they are not
capable of being domain members. After a device
has been enabled for Workplace Join, an object
is created in Active Directory Domain Services
(AD DS) to represent that device. Computers that
are enabled for Workplace Join also are provided
with a certificate to use for authentication.

Claims-Aware Applications

The information about devices that are enabled for Workplace Join can be used by a claims-aware
application as part of the authentication process for the application. A claims-aware application is
an application that uses Active Directory Federation Services (AD FS) for authentication. When a user
authenticates by AD FS, AD FS provides a list of information about the user, which includes claims. Claims
can include the user name, group membership, or other user properties.

An application must include the ability to support the use of claims. The application must also be
configured to trust a specific instance of AD FS. An application only trusts claims from specifically defined
AD FS servers.
Some common examples of claims-aware applications are Microsoft Office 365, Microsoft SharePoint
Server, and custom applications developed by using Windows Identity Foundation. All of these
applications can be configured to trust claims that AD FS provides for authentication.

A benefit of claims-based authentication is the ability to distribute responsibility for authentication and
providing claims. For example, an application in your organization could provide access to users from a
partner organization based on authentication that AD FS performs in the partner organization. This avoids
the need for users to have a second set of credentials. For example, when claims-based authentication is
used, users can authenticate to Office 365 by using the same user name and password that they use for
AD DS.

Device Registration

To perform a Workplace Join, devices contact the Device Registration Service. This service runs on an
AD FS server on the internal network. To expand support for Workplace Join outside a corporate network,
you use Web Application Proxy. Web Application Proxy installs in the perimeter network of your
organization and proxies Workplace Join requests to the AD FS server.
Note: Web Application Proxy is a new feature in Windows Server 2012 R2.
The following clients support the Workplace Join feature:

Windows 8.1 devices

iOS devices such as iPad and iPhone

Note: Support for Android devices is planned.

The Workplace Join Process


Regardless of the client type, the client must trust
the service communication certificate that is
configured for AD FS. In most cases, an AD FS
implementation is configured with a certificate
from a trusted third-party certification authority
(CA) to ensure that there are no trust issues when
performing a Workplace Join. If your organization
has decided to use an internally generated
certificate for AD FS, you must ensure that
external devices trust the certificate.

The Workplace Join process requires clients to perform a certificate revocation check on the
certificate that is used by the AD FS server or Web Application Proxy with which they are communicating.
If the certificate revocation check fails, the Workplace Join will also fail. Using a third-party CA avoids the
need to configure a certificate revocation list (CRL) distribution point for your internal CA that is accessible
from the Internet.

Workplace Join for Windows-Based Devices

During the Workplace Join process, you are prompted to provide your email address and password. The
required information is actually your user principal name (UPN) and not your email address. To simplify
this process, we strongly recommend that the UPN for users match their email address.
Windows devices automatically locate the server for Workplace Join based on the provided UPN. The
server used for Workplace Join is enterpriseregistration.upndomainname.com. You need to configure
Domain Name System (DNS) to properly resolve this record to the IP address of your AD FS server or
Web Application Proxy that is configured to support Workplace Join.
The certificate for the AD FS server and Web Application Proxy needs to include the
enterpriseregistration.upndomainname.com domain name. The configuration process is simpler if you
include this name in the certificate that is used during the installation of AD FS and Web Application
Proxy instead of changing the certificate after installation.

Workplace Join for iOS Devices

To perform a Workplace Join for an iOS device, you need to set up a configuration profile on the iOS
device. An iOS configuration profile is created by providing an XML file. For a Workplace Join, the XML file
is delivered by a website. This is referred to as over-the-air profile delivery.
The website that is used by iOS devices to download the configuration profile is located on the AD FS
server where the Device Registration Service is enabled. An example of a URL that is used to configure an
iOS device is https://adfs.adatum.com/enrollmentserver/otaprofile.

On the website, you are prompted to sign in by using your email address as a user name. Similar to the
process for devices that run the Windows operating system, you should enter your UPN rather than your
email address. After signing in, you install the profile on the iOS device. If the iOS device requires a PIN to
unlock the device, you are prompted to enter the PIN before the profile is installed.

Certificates on Devices

The Workplace Join process places a certificate on the device. The device uses this certificate to prove its
identity. This certificate is used to authenticate to the object that is created for the device in AD DS.

Performing a Workplace Join


This topic provides an overview of how to perform
a Workplace Join. To perform a Workplace Join,
use the following procedure:
1. Run Windows PowerShell cmdlets to enable device registration on the AD FS server. This step is
   required to allow Workplace Join to be performed on devices. You only need to do this once.

2. Enable device authentication in AD FS. This step is required to allow AD FS to collect device
   information from devices enabled with the Workplace Join feature. You only need to do this once.

3. Access the Workplace settings from the Start screen on the client computer.

4. In the Workplace settings, enter the email address/UPN of the user, and then click Join.

5. When prompted, the user must authenticate. By default, the email address/UPN from the previous
   screen displays. However, you can also enter credentials in the domain\user name format.

6. Wait while the Workplace Join is performed.

7. When Workplace Join is complete, you can verify that it was successful.

Note: The option to turn on device management enables the device to start being managed by
Windows Intune. You must have Windows Intune configured to use this option.

8. In Active Directory Administrative Center, you can view the objects for devices enabled with the
   Workplace Join feature in the RegisteredDevices organizational unit (OU).

9. In the properties of the registered device, you can verify that the displayName attribute matches the
   name of the computer that is registered.

10. Device attributes are available to claims-enabled applications.
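
The server-side steps 1 and 2 and the verification in steps 8 and 9 can be carried out from Windows PowerShell on the AD FS server. The following is an added example, not part of the course material; the service account name is a constructed placeholder, and it assumes the AD FS and Active Directory PowerShell modules are installed and that RegisteredDevices is in its default location at the root of the domain.

```powershell
# Added example, not course code. Run in an elevated session on the AD FS server
# (Windows Server 2012 R2) with rights to modify AD DS.
# ASSUMPTION: 'ADATUM\adfs-svc$' is a constructed placeholder for the account
# that the AD FS service runs as in your environment.
Import-Module ADFS
Import-Module ActiveDirectory   # ASSUMPTION: AD DS PowerShell tools are installed

$serviceAccount = 'ADATUM\adfs-svc$'

# Step 1: enable device registration (one time only).
# Prepares AD DS to hold device objects; prompts for confirmation.
Initialize-ADDeviceRegistration -ServiceAccountName $serviceAccount
# Turns on the Device Registration Service on this AD FS server.
Enable-AdfsDeviceRegistration

# Step 2: enable device authentication so that AD FS collects device information.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

# Confirm that the policy change took effect before testing from a client.
$policy = Get-AdfsGlobalAuthenticationPolicy
if (-not $policy.DeviceAuthenticationEnabled) {
    throw 'Device authentication is still disabled in the AD FS global authentication policy.'
}

# Steps 8 and 9: list the objects created by Workplace Join and their displayName.
# ASSUMPTION: RegisteredDevices sits directly under the domain root (the default).
$domainDn  = (Get-ADDomain).DistinguishedName
$container = Get-ADObject -Filter 'Name -eq "RegisteredDevices"' `
                          -SearchBase $domainDn -SearchScope OneLevel
if (-not $container) {
    throw "RegisteredDevices was not found under $domainDn."
}

Get-ADObject -SearchBase $container.DistinguishedName -SearchScope OneLevel `
             -Filter * -Properties displayName, whenCreated |
    Sort-Object whenCreated -Descending |
    Select-Object displayName, whenCreated, DistinguishedName
```

An empty result from the last command after a client reports a successful join points to the client having registered against a different AD FS instance than the one you are inspecting.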

Troubleshooting Considerations for Workplace Join


Some considerations for troubleshooting
Workplace Join include:

Verify that
enterpriseregistration.upndomain.com
resolves to the correct IP address. It is possible
to configure the internal resolution and
external resolution separately. For internal
devices, the name should resolve to the IP
address of the AD FS server. For external
devices, the name should resolve to the IP
address of the Web Application Proxy in the
perimeter network.

Verify that the AD FS certificate is trusted and a CRL is accessible. You can use a web browser to
access enterpriseregistration.upndomain.com and view the certificate. The properties of the certificate
include the CRL distribution point location.

Workplace Join is per user on each device. If a device supports multiple user profiles, remember that
Workplace Join performed by one user is not valid for another user. On a shared device, each user
needs to perform a Workplace Join.

Ensure that the UPN entered during Workplace Join is correct. Many users might become confused
and use an email address that is different from their UPN, resulting in an authentication failure. We
recommend that the UPN for users match their email address to avoid this issue.

Applications must support Workplace Join. Workplace Join is not a generic functionality that is
recognized by all applications. An application must be claims-aware and designed to use claims that
are related to Workplace Joined devices. For example, an application could differentiate between
Workplace Joined devices and non-Workplace Joined devices and restrict available information based
on this.

You can configure AD FS to allow authentication only from devices that have completed a Workplace
Join. For example, if you use AD FS for authentication to Office 365, access to Office 365 would be
possible only from the devices that are enabled with the Workplace Join feature.

Application authentication changes after Workplace Join. After Workplace Join, application
authentication caches on the device for seven days by default. Users are prompted for authentication
credentials only on their first attempt to access an application and then not again for seven days. If
credentials should cache for a shorter period, you must adjust the timeout on the AD FS server.

Check event logs on Workplace Join clients, the Web Application Proxy server, and the AD FS server
for clues as to why Workplace Join is failing. If all clients are experiencing errors, it is likely because of
a configuration problem on the servers. If only a single client is experiencing errors, it is most likely a
client configuration issue.

Use the Best Practices Analyzer for Web Application Proxy to identify potential configuration errors.
This is most beneficial when Workplace Join is working properly for internal devices but not external
devices.

Lesson 2

Configuring and Troubleshooting Work Folders

Work Folders are a new feature in Windows Server 2012 R2 that you can use to synchronize data between
a file server and multiple devices. You can synchronize data to domain member computers, computers
that are not domain members, and smartphones. Understanding how Work Folders function enables you
to troubleshoot any synchronization problems that occur for users.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Work Folders.

Connect devices to Work Folders.

Describe external connectivity to Work Folders.

Describe Work Folders policies.

Describe additional considerations for using Work Folders.

Overview of Work Folders


You can use Work Folders to synchronize user
data across various computers and devices. It
provides a unique set of features when compared
to other technologies, such as Offline Files or
OneDrive, that were included with older versions
of Windows operating systems. The two key
features of Work Folders are:

Files are stored on an internal file server rather than in the cloud.

Multiple computers and devices synchronize files from any location.

By using Work Folders, users always have access to the most current version of their files from anywhere.
For example, you can save a file to your Work Folder on your office computer. When you arrive home,
you can open the file from a copy that replicated to your home computer, which is configured to use
Work Folders. This is an improvement over Offline Files, which is relevant only for mobile computers that
are domain members.
Note: At RTM for Windows Server 2012 R2 and Windows 8.1, only Windows 8.1 was
supported as a Work Folders client. Additional Work Folders client support is expected for
Windows 8, Windows 7, and other device operating systems such as iOS.

Because Work Folders are in a file share, you can consider using Work Folders as a replacement for user
home folders. Work Folders provide a single location for personal files just like a home folder, but Work
Folders also provide the advantage of synchronization across devices. You can even provide users with a
mapped drive letter to their Work Folder if you have configured the share appropriately.

OneDrive and OneDrive for Business are services that function similarly to Work Folders. OneDrive is hosted
in the cloud environment with limited configurability. OneDrive for Business can be hosted in the cloud or
in an on-premises SharePoint Server 2013 implementation, and it has greater configurability. Work
Folders is hosted internally, and you have complete control over the files, including backups and the
ability to provide file share-based access to the files. OneDrive and OneDrive for Business provide the
ability to share files and work on data as a team. Work Folders are only for individual data and do not
support sharing files between users.

Connecting Devices to Work Folders


To troubleshoot device connectivity, it is
important to understand how devices are
configured to connect to Work Folders. You
can use several different methods to configure
devices to use Work Folders.
Some of the methods are automated and require
no user input. Other mechanisms require varying
amounts of user input. In general, automated
mechanisms are preferred for larger environments
to reduce the amount of required configuration.

Regardless of the method you use to configure devices, users must be configured with sync access
to a specific sync share. The folder for the user is created in this sync share. When you assign a group with
sync access, each user in the group is given a folder on that server. You should not assign a user sync
access on multiple servers because the Work Folders client synchronizes only with a single server.

Auto Discovery

When you manually configure a device for Work Folders, you are prompted for an email address.
This email address is used to create a URL for accessing Work Folders. The domain name from the email
address is prefixed with workfolders to create the URL. For example, if you enter Sunil@adatum.com, the
URL that is used is https://workfolders.adatum.com. If this URL does not resolve to the server with Work
Folders installed, then auto discovery fails.
If your organization has multiple Work Folders servers, you can still use auto discovery. When the initial
Work Folders server authenticates a user, it looks up the msDS-SyncServerUrl attribute on the user
object and directs the client to the Work Folders server at that URL. You can also modify this attribute to
direct users to a new Work Folders server if you move Work Folders for a specific set of users.

URL Entry
If auto discovery fails during device configuration, you are prompted for a URL where Work Folders
are installed. This can be useful if you have multiple Work Folders servers and do not have the
msDS-SyncServerUrl attribute configured on the user object. This can also be useful if you have
not configured a DNS host record for workfolders in your domain.

Group Policy

You can use Group Policy to configure devices with the URL of a Work Folders server. When you use
Group Policy to configure the URL of a Work Folders server, users are not prompted for an email address
or a URL when they set up Work Folders on their device.
When you use Group Policy to configure Work Folders, you have the option to force automatic setup.
If you force automatic setup, users are not given the option to select where Work Folders data will be
stored on the local device. Work Folders data will be stored in the default location of
%USERPROFILE%\WorkFolders.

You can force automatic setup for Work Folders by using a computer policy or a user policy. A user policy
takes effect for specified users on all devices that they access. A computer policy takes effect for all users
on that device.

External Connectivity to Work Folders


Work Folders use the Hypertext Transfer Protocol
Secure (HTTPS) protocol to transport data
between devices and the Work Folders server. The
HTTPS protocol is firewall-friendly and is allowed
over almost any Internet connection. To secure
external connectivity to Work Folders, you should
use a reverse proxy, such as Web Application
Proxy in Windows Server 2012 R2. All reverse
proxy servers increase security by isolating
connectivity from the Internet to your internal
network. Web Application Proxy has additional
features that further enhance security.

You can use Web Application Proxy to enhance the security of Work Folders by using AD FS. When you
integrate Work Folders authentication with AD FS, you can use the following additional benefits:

You can make Workplace Join mandatory for devices that access Work Folders. This restricts
connectivity to Work Folders to authorized devices.

You can implement multifactor authentication. AD FS has the ability to integrate multifactor
authentication as part of the authentication process.

Windows Azure Multi-Factor Authentication

If you choose to integrate Windows Azure Multi-Factor Authentication with AD FS, you can implement
the following methods for additional authentication:

Phone calls. When this method is used, you receive a call on your phone to confirm your
authentication. You press the # (pound) symbol to confirm after receiving the call.

Text messages. When this method is used, you receive a text message with a passcode. You respond
to the text message and include the passcode.

Mobile app. When this method is used, an authentication prompt appears in the mobile app that you
must acknowledge.

Auto Discovery

Auto discovery for external devices works the same as it does for internal devices. The device resolves the
workfolders host name in your domain and contacts it. This Work Folders server then directs users to the
URL that is specified in the msDS-SyncServerUrl attribute in their user object. If you have multiple Work
Folders servers, you must ensure that all URLs are available through the reverse proxy.

What Are Work Folders Policies?


Work Folders place enterprise data on
devices that an IT department might not directly
control. To ensure a minimum level of security,
you can configure policies for a sync share.
The two available policies are:

Encrypt Work Folders.

Automatically lock screen, and require a password.

These policies are configured independently for each sync share. If the policies do not apply as you
think they should, you should verify that policies are configured appropriately on the sync share.

Encrypt Work Folders

When you select to encrypt Work Folders, the data on the devices is encrypted by using Encrypting File
System (EFS). The data on the file server is not encrypted. This enhances security on devices that use
Work Folders and mitigates the risk of data being accessed if a device is lost or stolen. For example, it
is relatively easy to access files on a laptop computer by removing the drive and attaching it to another
computer. However, if the files are encrypted, then the data that was synchronized by Work Folders is not
accessible.

Selective Wipe

Windows 8.1 supports the selective wipe of corporate data. This can be done by using integration with
Microsoft Exchange Server or Windows Intune. The wipe process does not remove all user data as many
other solutions do. Only organizational data is removed by a selective wipe. This is important for BYOD
scenarios where users have personal data on their device. When users leave your organization, it is simple
to remove only the organizational data from all of their devices.
Any application that is designed for selective wipe can use it. Work Folders is designed to work with
selective wipe. Selective wipe works by revoking access to data that is protected by EFS. Work Folders can
be wiped selectively only when you have chosen to encrypt Work Folders.

Lock Screen and Require a Password

When you select the policy to lock the screen and require a password, devices that use Work Folders lock
the screen after 15 minutes and require a password of at least six characters to unlock. Additionally, if
there are 10 unsuccessful sign-in attempts, the device is locked out. This level of security is essential when
organizational data synchronizes to a device. You should make users aware that this policy will be in place
after Work Folders is configured on their device.

The Automatically lock screen, and require a password policy can only be applied to computers when
the user who is subject to the policy is a local administrator on the device. Typically, this is not the case for
domain-joined laptop computers. If a user is not a local administrator, you will see the error: Sync
Stopped. Blocked by security policies.

Other Considerations for Work Folders


In addition to how devices connect to Work
Folders, you should also be aware of server-side
configuration options that can affect devices and
the functionality of Work Folders. In particular,
you should be aware of how clients verify
certificates, how Work Folders applies policies
to clients, and how files in Work Folders are
managed.

Certificates

Windows Server 2012 R2 uses the HTTPS protocol for performing Work Folders communication.
HTTPS is a secure protocol that requires you to
install a certificate on the Work Folders server. Work Folders devices must trust this certificate. In most
cases, you should obtain a certificate from an external third-party CA so that it will be trusted
automatically. To have devices that trust an internally generated certificate, you will need to configure
those devices to trust the CA that has issued the certificates.
Note: In some cases, you might need to apply an operating system update to obtain the
most current list of trusted root CAs.

From a device, you can view the details of a certificate that is installed on a Work Folders server by
accessing it with a web browser. In the web browser, you have the option to view certificate details for a
site that you are connected to by using HTTPS. The steps for viewing the certificate vary depending on the
web browser that you use.
Details in the certificate that you can verify include:

Subject and subject alternative names. The fully qualified domain name (FQDN) that devices use to
communicate with the Work Folders server must be included in the certificate. If the Work Folders
server is the initial point of contact for auto discovery, the workfolders.domainname.com name also
needs to be included.

Issuing CA. You can verify which CA issued the certificate and whether that CA is trusted by the
device.

Certificate validity dates. Each certificate contains starting and ending dates that define when the
certificate is valid. If the certificate is not valid, the certificate must be renewed on the Work Folders
server or the Web Application Proxy.
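
The name-resolution, certificate-trust and CRL checks in the Workplace Join troubleshooting list, and the certificate details listed above for Work Folders, can be run from a client in one pass instead of through a web browser. The following PowerShell is an added example, not part of the course material; the function names are hypothetical, and it assumes an English-language Windows client, where subject alternative names are formatted as "DNS Name=host".

```powershell
# Added example, not course code. Derives the discovery host from a UPN or email
# address, then checks DNS, certificate names, validity dates and revocation.
# ASSUMPTION: English-language Windows, where SAN entries format as "DNS Name=<host>".

function Get-DiscoveryHost {
    param(
        [Parameter(Mandatory = $true)][string]$Address,
        [ValidateSet('enterpriseregistration', 'workfolders')]
        [string]$Prefix = 'enterpriseregistration'
    )
    $parts = $Address.Trim() -split '@'
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        throw "'$Address' is not in user@domain form."
    }
    '{0}.{1}' -f $Prefix, $parts[1].ToLowerInvariant()
}

function Test-CertificateName {
    # True when $HostName matches one of $Names; a leading "*." covers exactly one label.
    param([string]$HostName, [string[]]$Names)
    foreach ($name in $Names) {
        if ($name -eq $HostName) { return $true }
        if ($name.StartsWith('*.') -and $HostName.Contains('.')) {
            $suffix = $HostName.Substring($HostName.IndexOf('.'))   # for example ".adatum.com"
            if ($suffix -eq $name.Substring(1)) { return $true }
        }
    }
    return $false
}

function Get-RemoteCertificate {
    # Completes a TLS handshake only to read the server certificate. The callback accepts
    # any certificate because validation is done afterwards, so each failure can be reported.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $stream    = $tcp.GetStream()
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAny
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

function Test-DiscoveryEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Address,
        [ValidateSet('enterpriseregistration', 'workfolders')]
        [string]$Prefix = 'enterpriseregistration'
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $hostName = Get-DiscoveryHost -Address $Address -Prefix $Prefix
    $report = [ordered]@{
        HostName = $hostName; Addresses = @(); NameInCertificate = $null
        NotBefore = $null; NotAfter = $null; WithinValidity = $null; Issuer = $null
        CrlDistributionPoints = $null; ChainTrusted = $null; ChainStatus = @(); Error = $null
    }
    try {
        # Internal clients should see the AD FS or Work Folders server, external clients the proxy.
        $report.Addresses = @([System.Net.Dns]::GetHostAddresses($hostName) |
            ForEach-Object { $_.IPAddressToString })
        $cert = Get-RemoteCertificate -HostName $hostName

        # Subject and subject alternative names (OID 2.5.29.17).
        $names = @($cert.GetNameInfo(([type]"$x509.X509NameType")::SimpleName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
        $report.NameInCertificate = Test-CertificateName -HostName $hostName -Names $names

        # Issuing CA and validity dates.
        $now = Get-Date
        $report.Issuer = $cert.Issuer
        $report.NotBefore = $cert.NotBefore
        $report.NotAfter = $cert.NotAfter
        $report.WithinValidity = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)

        # CRL distribution points (OID 2.5.29.31), then a chain build with online revocation.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp) { $report.CrlDistributionPoints = $cdp.Format($true) }
        $chain = New-Object "$x509.X509Chain"
        $chain.ChainPolicy.RevocationMode = ([type]"$x509.X509RevocationMode")::Online
        $chain.ChainPolicy.RevocationFlag = ([type]"$x509.X509RevocationFlag")::ExcludeRoot
        $report.ChainTrusted = $chain.Build($cert)
        $report.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    }
    catch {
        $report.Error = $_.Exception.Message
    }
    [pscustomobject]$report
}

# Constructed sample input: Sunil@adatum.com is the address used in the course text.
Test-DiscoveryEndpoint -Address 'Sunil@adatum.com' -Prefix workfolders
Test-DiscoveryEndpoint -Address 'Sunil@adatum.com' -Prefix enterpriseregistration
```

A ChainStatus of RevocationStatusUnknown or OfflineRevocation means that the client could not reach a CRL distribution point, which is the condition that causes Workplace Join to fail.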

File Management

Because Work Folders data is stored on a file server, all of the typical file management functions for a file
server can be performed on Work Folders data. Some of the tasks that can be performed on the file server
include:

Quotas. You can configure quotas on the Work Folder on the file share. When the quota is reached,
you can notify an administrator or prevent the user from saving additional files.

File screening. You can configure file screening to monitor or prevent storage of file types. File type
identification is based on file extension.

Classification and Rights Management Services (RMS). You can configure the file server to perform
classification of files and apply RMS templates based on file classification. The RMS-protected files
synchronize to the devices.

Synchronization
If employees use Work Folders from within a virtual machine, be aware that the use of snapshots is not
supported. Reverting a virtual machine to a snapshot can cause synchronization errors. Restoring files
from backups is supported.

It is unlikely that a user will change a file on two separate devices before replication occurs. However, this
might occur if a device is offline and not synchronizing. When a conflict occurs, the second file to replicate
to the Work Folders server has the name of the device it originated on appended to the file name. This
allows a user to easily identify any files where a replication conflict has occurred. When a replication
conflict occurs, the user must verify the contents of the files to determine which file to keep or what data
from each file should be merged together.

Troubleshooting Synchronization
If a user is unable to synchronize files in Work Folders, you should verify that:

Quotas or file screening is not preventing synchronization. To prevent this, consider configuring
quotas and file screening to provide notifications only.

The file size is less than 10 gigabytes (GB). Work Folders does not synchronize individual files larger
than 10 GB.

There is sufficient free space on the volume that contains the Work Folders data. If the Work Folders
data is stored on the system drive, it stops synchronizing when only 5 GB of free space remains. If the
Work Folders data is stored on a data drive, it will take up all the space on the drive.

Note: You can review dedicated Work Folders event logs on client computers when
troubleshooting Work Folders configuration and synchronization.
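
The client-side checks in this list (file size, free space, and the event logs) can be gathered in one step. The following PowerShell is an added example, not part of the course material; the function name is hypothetical, and it assumes that Work Folders uses the default location %USERPROFILE%\WorkFolders. Quotas and file screening are configured on the file server and are not covered by it.

```powershell
# Added example, not course code. Run as the affected user on the Work Folders client.
# ASSUMPTION: Work Folders data is in the default location %USERPROFILE%\WorkFolders.
function Test-WorkFoldersSync {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE 'WorkFolders'),
        [int]$EventHours = 24
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Work Folders path '$Path' was not found."
    }

    # Individual files larger than 10 GB are not synchronized.
    $tooLarge = @(Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -gt 10GB } |
        Select-Object FullName, @{ n = 'SizeGB'; e = { [math]::Round($_.Length / 1GB, 2) } })

    # On the system drive, synchronization stops when only 5 GB of free space remains;
    # on a data drive, it continues until the drive is full.
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Path).ProviderPath)
    $drive = New-Object System.IO.DriveInfo -ArgumentList $root
    $onSystemDrive = $root.TrimEnd('\') -eq $env:SystemDrive
    $spaceBlocked = if ($onSystemDrive) { $drive.AvailableFreeSpace -le 5GB }
                    else { $drive.AvailableFreeSpace -eq 0 }

    # Find the dedicated Work Folders logs by wildcard instead of hard-coding their names,
    # then collect recent critical (1), error (2) and warning (3) events.
    $since  = (Get-Date).AddHours(-$EventHours)
    $events = @(Get-WinEvent -ListLog '*WorkFolders*' -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 } |
        ForEach-Object {
            Get-WinEvent -FilterHashtable @{ LogName = $_.LogName; Level = 1, 2, 3; StartTime = $since } `
                         -MaxEvents 20 -ErrorAction SilentlyContinue
        } |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message)

    [pscustomobject]@{
        Path            = $Path
        OnSystemDrive   = $onSystemDrive
        FreeSpaceGB     = [math]::Round($drive.AvailableFreeSpace / 1GB, 2)
        BlockedBySpace  = $spaceBlocked
        FilesOver10GB   = $tooLarge
        RecentLogEvents = $events
    }
}

Test-WorkFoldersSync | Format-List
```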

Lesson 3

Configuring and Troubleshooting OneDrive Access

OneDrive and OneDrive for Business are two different services that you can use to synchronize files.
OneDrive stores data in the cloud environment, whereas OneDrive for Business stores data in a specialized
SharePoint library. You can find the OneDrive for Business SharePoint library in Microsoft SharePoint
Online or in an on-premises implementation of SharePoint Server 2013. You need to be aware of how
each of these services works to understand which option is appropriate for your users and how to
troubleshoot the use of these services.

Lesson Objectives
After completing this lesson, you will be able to:

Describe OneDrive.

Describe OneDrive for Business.

Explain how to synchronize data by using the OneDrive for Business Windows Sync client.

Describe support for alternate clients.

Explain how to resolve synchronization errors in OneDrive for Business.

Explain how to select a BYOD file access solution.

Overview of OneDrive
OneDrive is a free consumer-oriented service for
synchronizing files to the cloud environment and
between devices. You are provided with 7 GB of
data storage at no charge, with an option to
purchase additional storage. You can use
OneDrive on your computers or smartphone.

OneDrive Desktop App


When the OneDrive desktop app is installed on
your computer, it creates a OneDrive favorite in
File Explorer. By default, all folders in OneDrive
are configured to synchronize, but you can select
only specific folders to synchronize. The default
location on a computer for OneDrive files is C:\Users\Username\OneDrive. When you add, modify, or
delete files in the OneDrive favorite, those changes replicate to OneDrive.
Note: Windows 8.1 includes the OneDrive desktop app.

The OneDrive desktop app also has an option that allows you to retrieve any file remotely from a
computer with the app installed. In the OneDrive desktop app settings, enable the Let me use OneDrive
to fetch any of my files on this PC setting.
The following operating systems support the OneDrive desktop app:

Windows 8

Windows 7

Windows Vista with Service Pack 2 (SP2) and the Platform Update for Windows Vista

Windows Server 2008 R2

Windows Server 2008 SP2 and the Platform Update for Windows Server 2008

Mac OS X 10.7 (Lion)

Mac OS X Mountain Lion

You can share documents in OneDrive with other people. If you have Office 2013, you can collaborate
with other users and edit documents at the same time. Other versions of Microsoft Office do not have this
capability.

OneDrive Mobile Apps


OneDrive mobile apps are available for Windows Phone, iOS devices, and Android. The capabilities of
the app vary for each device type.

The OneDrive app for Windows Phone can be used on Windows Phone 7.5 and Windows Phone 8. It
provides the highest level of functionality with the ability to view and edit files. The OneDrive apps for iOS
and Android allow you to view and upload files, but do not automatically synchronize downloaded files.

Authentication

To sign in to OneDrive, you need to create a Microsoft account. This Microsoft account is created and
managed by each user individually. There is no option to manage Microsoft accounts as an organization.

By default, the OneDrive desktop app authenticates and signs in each time you sign in to your computer.
If this functionality is disabled and you forget to sign in, your files will not synchronize with OneDrive. You
are also unable to sign in to OneDrive and synchronize files if there are problems with your Internet
connectivity.

Overview of OneDrive for Business


OneDrive for Business is a feature that is available
in SharePoint Server 2013 or SharePoint Online in
Office 365. The data for each user is a personal
document library stored within SharePoint. This
product focuses on business users. Despite some
similar functions, OneDrive for Business is a
different product than OneDrive, which is oriented
toward consumers and individuals.

Document Library

OneDrive for Business is available in the My Site for a user when the user logs on to SharePoint
Server 2013 or SharePoint Online. My Site is a
personal SharePoint site that can be created for each user. It is a special-purpose document library that
you can use like any other document library, with the ability to add, remove, check out, and check in files.
Because OneDrive for Business is a specialized document library, you should not customize the library
because this might affect synchronization.

Storage Capacity

In SharePoint Online, OneDrive for Business is limited to 25 GB by default, but you can purchase
additional space up to a maximum of 100 GB. For an on-premises installation of SharePoint Server 2013,
the system administrator determines the size of OneDrive for Business.

Sharing Files

OneDrive for Business allows you to share files with users in your organization and outside your
organization. You can configure the sharing and permissions for individual files and folders in OneDrive
for Business. Documents that are shared with individual users appear in their Shared with Me view in
OneDrive for Business.

You can share a file with Everyone by placing it in the Shared with Everyone folder. Alternatively, you can
set the permissions on a file or folder. When a file is shared with Everyone, other users need to search for
the file, or you need to send them an email notification that includes the URL for the file.
Note: Files that are shared with Everyone are also shared with users outside your
organization. Instead of Everyone, consider using the Everyone except external users permission
where appropriate.

OneDrive for Business Windows Sync Client


Rather than accessing a document through a
SharePoint document library, it might be useful
to have documents in OneDrive for Business that
synchronize locally for offline use. To do this, you
can use the OneDrive for Business Windows Sync
client. You can also configure this client to
synchronize data in other SharePoint document
libraries.

Supported Operating Systems


The OneDrive for Business Windows Sync client is
included as part of Office 2013. It is also available
as a free download from the Microsoft Download
Center. This client is supported on Windows 7, Windows 8, Windows Server 2008 R2, and Windows
Server 2012.

Accessing Synchronized Files

The OneDrive for Business Windows Sync client creates a synchronization relationship with OneDrive
for Business. Once configured, a folder is created on the local computer with the synchronized files. The
folder on the local computer is accessible from Favorites in File Explorer. The name of the favorite varies
depending on where the data synchronizes from:

OneDrive for Business. This favorite contains files that synchronize from OneDrive for Business in an
on-premises implementation of SharePoint Server 2013.

OneDrive@Company. This favorite contains files that synchronize from OneDrive for Business in
SharePoint Online.

SharePoint. This favorite contains files that synchronize from document libraries in team sites.

Synchronization Process

The OneDrive for Business Windows Sync client synchronizes data every 10 minutes. If the SharePoint
server is too busy to service synchronization requests, the client reschedules synchronization, and the user
is not informed. If synchronization to the server is slow, you should verify that the SharePoint server is not
overloaded.

Synchronization of Microsoft Word, Microsoft Office Excel, and Microsoft Office PowerPoint files is
differential. Only changed portions of these file types synchronize. When other file types change, the
entire file synchronizes.

Support for Alternate Clients


In addition to computers that run Windows
operating systems, you can access OneDrive for
Business from other operating systems or mobile
devices. You can download an app for iOS devices.
On Android devices, you can use the Office
Mobile for Office 365 app. Other devices can
access OneDrive for Business by using a web
browser.

App for iOS Devices


A OneDrive for Business app is available for iOS
devices, which enables you to access content in
OneDrive for Business by using an iPhone
or iPad.
The OneDrive for Business app has the following functions:

Offline viewing. The OneDrive for Business app does not automatically synchronize documents to the
iOS device. You must manually select to download specific documents for offline viewing. Edits to the
downloaded document do not synchronize back to OneDrive for Business.

Document editing. When you are online, you can edit documents by using Office Mobile or another
application. Saving the document saves the changes to OneDrive for Business.

Share documents and folders. You can share documents and folders with other users and configure
the permissions for those users.

Browser Support

Platforms that do not have an app for OneDrive for Business can access OneDrive for Business by using a
web browser that SharePoint Server 2013 supports. SharePoint Server 2013 supports the following web
browsers:

Windows Internet Explorer 8 and newer

Safari (newest released version)

Google Chrome (newest released version)

Mozilla Firefox (newest released version)

Plan browser support in SharePoint 2013
http://go.microsoft.com/fwlink/?LinkId=335919

The following mobile browsers are supported:

Internet Explorer Mobile for Windows Phone 7.5 or newer

Internet Explorer for Windows 7 or newer on tablet devices

Safari for iOS 5.0 or newer

Android Browser for Android 4.0 or newer

Mobile device browsers supported in SharePoint 2013
http://go.microsoft.com/fwlink/?LinkId=335920

Resolving Synchronization Errors in OneDrive for Business


Most of the time, the OneDrive for
Business Windows Sync client completes file
synchronization to OneDrive for Business
without any errors. When errors do occur,
they are often caused by the following issues:

The OneDrive for Business Windows Sync client can synchronize a maximum of 20,000 files to
OneDrive for Business. For other SharePoint libraries, a maximum of 5,000 files can be synchronized.
Ensure that you are not trying to synchronize more than the supported number of files.

The OneDrive for Business Windows Sync client supports a maximum file size of approximately
2 GB for downloads. Ensure that all files that you try to synchronize are smaller than 2 GB.

The OneDrive for Business Windows Sync client supports a maximum data size of 250 megabytes
(MB) for uploading. This limit applies to any number of files added at a time. If you need to upload
more than 250 MB of data, add files in groups that are less than 250 MB.

For SharePoint libraries, the site administrator can configure whether SharePoint sites, files, and
folders can be made available offline. If they cannot be made available offline, an error generates
when you try to synchronize the library. If this occurs, contact the site administrator to verify that
permissions are configured correctly.

Files and folders cannot synchronize if their names contain restricted characters. Restricted characters
for file and folder names are ~ # % & * : < > ? / \ { } |. If any file or folder name contains restricted
characters, rename the file or folder.

Files are blocked from uploading if the file type is blocked in SharePoint. For example, media files
such as videos might be blocked. Verify that the file type you are uploading is not blocked.

Network connectivity errors might result in partially downloaded folders. If the download error is a
result of network connectivity problems, the error should be resolved when network connectivity is
fixed.

Note: If a folder is partially downloaded, do not delete the folder. If you attempt to delete
a partially downloaded folder, you will delete the folder and its contents from the server and all
other synchronized clients.

Synchronization conflicts occur when you edit a synchronized copy of the document while another
user edits an online version of the document. This occurs if you are using Office 2010 to edit the
synchronized version of the document. If you use Office 2013 applications, the changes merge in the
online version without a conflict. In general, you should use Office 2013 to edit synchronized
documents.
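
The file count, file size, upload size, and restricted-character limits listed above can be checked on a local folder before it is added to synchronization. The following Windows PowerShell function is an added example, not part of the course material; the name Test-SyncFolder, its parameters, and the demo file names are hypothetical.

```powershell
# Added example, not from the course. Test-SyncFolder and its parameters are hypothetical names.
function Test-SyncFolder {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxFiles = 20000,         # use 5000 for other SharePoint libraries
        [long]$MaxFileBytes = 2GB,      # the text says "approximately 2 GB"
        [long]$MaxUploadBytes = 250MB   # limit for data added at one time
    )

    # Restricted characters listed in the text: ~ # % & * : < > ? / \ { } |
    # Windows itself rejects * : < > ? / \ | in names, so ~ # % & { } are the ones found in practice.
    $restricted = '[~#%&*:<>?/\\{}|]'

    $items = @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction Stop)
    $files = @($items | Where-Object { -not $_.PSIsContainer })
    $total = ($files | Measure-Object -Property Length -Sum).Sum

    if ($files.Count -gt $MaxFiles) {
        [pscustomobject]@{ Issue = 'TooManyFiles'; Item = $Path
                           Detail = "$($files.Count) files, limit $MaxFiles" }
    }
    if ($total -gt $MaxUploadBytes) {
        [pscustomobject]@{ Issue = 'UploadTooLarge'; Item = $Path
                           Detail = "$total bytes in total; add files in smaller groups" }
    }
    foreach ($item in $items) {
        # Only the leaf name is tested, so separators in the full path never match.
        if ($item.Name -match $restricted) {
            [pscustomobject]@{ Issue = 'RestrictedCharacter'; Item = $item.FullName
                               Detail = "name contains '$($Matches[0])'" }
        }
        if (-not $item.PSIsContainer -and $item.Length -ge $MaxFileBytes) {
            [pscustomobject]@{ Issue = 'FileTooLarge'; Item = $item.FullName
                               Detail = "$($item.Length) bytes" }
        }
    }
}

# Constructed demo input: a temporary folder with one clean and one problem file name.
$demo = Join-Path ([IO.Path]::GetTempPath()) ('syncdemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'notes.txt') -Value 'ok'
Set-Content -LiteralPath (Join-Path $demo 'budget #2 {draft}.txt') -Value 'x'
Test-SyncFolder -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

The check does not cover file types blocked in SharePoint or libraries that the site administrator has not made available offline; those are server-side settings.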

Selecting a BYOD File Access Solution


Microsoft provides several options for remote file
access with BYOD devices. The appropriate option
depends on the needs of your organization. To
accurately match the needs of your organization
with a solution, you need to understand the
differences between the available solutions.
The following table summarizes some differences
between the solutions.

Characteristic                           OneDrive       OneDrive for Business                Work Folders

Consumer/personal                        Yes            No                                   No

Individual work data                     No             Yes                                  Yes

Share individual files                   Yes            Yes                                  No

Team work data                           No             Yes                                  No

Data location                            Public cloud   SharePoint/Office 365                File server

Secured with Web Application Proxy       No             On-premises                          Yes

Option for multifactor authentication    No             Yes                                  Yes

Option to require Workplace Join         No             If using AD FS for authentication    Yes

Lab: Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members

Scenario

A. Datum Corporation has recently implemented new technologies to support BYOD in the organization.
There are new implementations of Workplace Join, Work Folders, and OneDrive for Business. You were
the desktop support representative who was involved in the project that implemented these new
technologies.

Objectives
After completing this lab, you will be able to:

Troubleshoot Workplace Join.

Troubleshoot Work Folders.

Troubleshoot OneDrive for Business.

Implement Work Folders.

Lab Setup
Estimated Time: 75 minutes
Virtual machines: 20688D-LON-DC1, 20688D-LON-CL1, and 20688D-LON-CL4
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.

2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.

3. In the Actions pane, click Connect. Wait until the virtual machine starts.

4. Sign in by using the following credentials:

   User name: Adatum\Administrator

   Password: Pa$$w0rd

5. Repeat steps 2 and 3 for 20688D-LON-CL1 and 20688D-LON-CL4. Do not sign in to
   20688D-LON-CL1 and 20688D-LON-CL4 at this point.

Exercise 1: Troubleshooting Workplace Join


Scenario

The system administrators have created a new infrastructure by using Windows Server 2012 R2 to support
web-based applications. AD FS has been implemented with Web Application Proxy to provide protection
and authentication. One of the new features that this configuration provides is support for Workplace
Join. As a matter of policy, certificates for all external services are obtained from a trusted CA on the
Internet.
Initially, Workplace Join is being used for the Sales and Ordering application. This application needs to be
available for sales people while they are on the road. In the past, a simple reverse proxy protected the
application, and it was accessible from any device. Now, Workplace Join is being used to enhance security
so that the application can be accessed only from known devices.

You need to review the implementation of Workplace Join and create a short orientation for the help desk
and other desktop support staff.
The main tasks for this exercise are as follows:
1. Read the scenario.

2. Create an orientation session about Workplace Join.

Task 1: Read the scenario

Read the scenario to identify how A. Datum Corporation has implemented Workplace Join.

Task 2: Create an orientation session about Workplace Join


1. Workplace Join is required for accessing which application?

2. How does Workplace Join enhance security for the application?

3. Can desktop support perform a Workplace Join during initial device configuration?

4. What information do users need to provide during Workplace Join?

5. What issues are likely to prevent Workplace Join from completing properly?

6. Which devices support Workplace Join?

Results: After completing this exercise, you should have created an outline that can be used for training
help desk and desktop support staff on the configuration of Workplace Join.

Exercise 2: Troubleshooting Work Folders


Scenario

A. Datum executives have been frustrated by using a virtual private network (VPN) to access their personal
data remotely. The VPN works most of the time, but occasionally, firewalls in some locations prevent their
laptops from signing in to the VPN. They also want their data to be available from their smartphones and
tablets, which do not have VPN functionality.
To provide the executives with access to personal data, you implemented Work Folders. At this time, there
is only a single Work Folders server, but the system has been designed to use auto discover and support
multiple Work Folders servers. The system also has been designed to use Windows Azure Multi-Factor
Authentication to enhance security from external locations.
To simplify access to Work Folders data in the office, executives have been given a mapped drive letter to
their Work Folder. This folder replaces their existing home folders. Data from the home folders has been
copied into the Work Folder for each user.

You need to review the implementation of Workplace Join and create a short orientation for the help desk
and other desktop support staff.
The main tasks for this exercise are as follows:
1. Read the scenario.

2. Create an orientation session about Work Folders.

Task 1: Read the scenario

Read the scenario to identify how A. Datum has implemented Work Folders.

Task 2: Create an orientation session about Work Folders


1. Which group of users is using Work Folders first?

2. How does home drive data synchronize with Work Folders?

3. Which devices are supported for Work Folders?

4. How do the executives connect to Work Folders?

5. Which user property defines the URL used to access Work Folders?

6. What happens if executives do not have their smartphones available during authentication?

Results: After completing this exercise, you will have created an outline for training help desk and
desktop support staff on Work Folders configuration.

Exercise 3: Troubleshooting OneDrive for Business


Scenario

The Research department at A. Datum has been using an on-premises implementation of SharePoint
Server 2013 for document management. Some of the researchers are collaborating with researchers in
other organizations and need to have remote access to their files. In some cases, they need to share files
with users who are inside and outside the organization.

OneDrive for Business has been implemented to support external access to these files. Sharing of files in
OneDrive for Business is allowed, but other document libraries are not available for local synchronization.

After completing this exercise, you will have created an outline for training help desk and desktop support
staff on OneDrive for Business configuration.
The main tasks for this exercise are as follows:
1. Read the scenario.

2. Create an orientation session about OneDrive for Business.

Task 1: Read the scenario

Read the scenario to identify how A. Datum has implemented OneDrive for Business.

Task 2: Create an orientation session about OneDrive for Business


1. Which users in A. Datum will be using OneDrive for Business?

2. Where is OneDrive for Business data stored?

3. What software is required for Windows 8.1 computers to synchronize files with OneDrive for
   Business?

4. Can non-Windows clients access OneDrive for Business?

5. Are there file size limitations that the researchers should be aware of for synchronization?

Results: After completing this exercise, you will have created an outline for training help desk and
desktop support staff on OneDrive for Business configuration.

Exercise 4: Implementing Work Folders


Scenario

You are implementing Work Folders for the executives in your organization. The executive user accounts
are in the Managers OU and are members of the Managers group. You are configuring Work Folders on
LON-DC1 to support both domain-joined devices and devices that are not domain members.
The main tasks for this exercise are as follows:
1. Install Work Folders on the server.

2. Configure Work Folders on the server.

3. Configure the certificate for Work Folders.

4. Configure Group Policy for domain-joined clients.

5. Configure Work Folders on a domain-joined client.

6. Verify Work Folders encryption.

7. Configure Domain Name System (DNS) for clients that are not domain members.

8. Configure the user properties for Work Folders.

9. Configure Work Folders on a computer that is not a domain member.

Task 1: Install Work Folders on the server


1. On LON-DC1, in Server Manager, start the Add Roles and Features Wizard from the Manage menu.

2. In the Add Roles and Features Wizard, select the following options:

   Role-based or feature-based installation

   Select a server from the server pool

   Server: LON-DC1.adatum.com

   Server role: File and Storage Services\File and iSCSI Services\Work Folders

3. When the installation is complete, click Close.

Task 2: Configure Work Folders on the server


1. On LON-DC1, in Server Manager, browse to File and Storage Services\Work Folders.

2. On the Work Folders page, create a new sync share with the following settings:

   Server: LON-DC1

   Local path: C:\ExecutiveWF

   Structure for user folders: User alias

   Sync share name: ExecutiveWF

   Grant sync access to: Managers

   Device policy: Encrypt Work Folders

3. Verify that members of the Managers group appear in the Users box.

Task 3: Configure the certificate for Work Folders


1. On LON-DC1, open a Windows PowerShell Command Prompt window.

2. At the Windows PowerShell command prompt, type Get-ChildItem -Path Cert:\localmachine\my | fl,
   and then press Enter.

3. Identify the certificate with the FriendlyName of Work Folders Certificate.

4. Identify the value of the Thumbprint property for the Work Folders Certificate.

5. On the Start screen, type cmd, and then press Enter.

6. At the command prompt, type netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint
   appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY, and then press
   Enter.

Note: You can copy the thumbprint value from the Windows PowerShell command prompt
by selecting the value, right-clicking the selection, and then clicking Copy. To paste the thumbprint
value at the command prompt, right-click, and then click Paste.

7. Close the Command Prompt window.

8. Close the Windows PowerShell Command Prompt window.

Note: The certificate that was created in advance for this task contains the names
lon-dc1.adatum.com and workfolders.adatum.com.
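
The certificate lookup and binding from this task can also be run as one elevated Windows PowerShell script that checks the certificate before binding it. This is an added example, not part of the lab steps; it assumes the certificate provider exposes the DnsNameList property (Windows PowerShell 4.0 on Windows Server 2012 R2), and the variable names are hypothetical.

```powershell
# Added example, not part of the lab. Run in an elevated Windows PowerShell session on LON-DC1.
$friendlyName  = 'Work Folders Certificate'                        # from step 3
$requiredNames = 'lon-dc1.adatum.com', 'workfolders.adatum.com'    # from the note in this task
$appId         = '{CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}'          # from step 6

# Steps 2 to 4: find the certificate by friendly name instead of copying the thumbprint by hand.
$found = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate named '$friendlyName', found $($found.Count)."
}
$cert = $found[0]

# Checks before binding: a certificate without a private key, outside its validity
# period, or missing a name that clients connect to causes TLS failures on the client.
if (-not $cert.HasPrivateKey) {
    throw 'The certificate has no private key on this server.'
}
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "The certificate is not valid today (valid $($cert.NotBefore) to $($cert.NotAfter))."
}
$certNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing = @($requiredNames | Where-Object { $certNames -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "The certificate does not contain: $($missing -join ', ')"
}

# Step 6: bind the certificate to port 443. The appid value is quoted because
# Windows PowerShell would otherwise parse the braces as a script block.
& netsh http add sslcert ipport=0.0.0.0:443 "certhash=$($cert.Thumbprint)" "appid=$appId" certstorename=MY
if ($LASTEXITCODE -ne 0) {
    # netsh also fails here when a binding for 0.0.0.0:443 already exists.
    throw "netsh returned exit code $LASTEXITCODE."
}

# Show the resulting binding so the certificate hash can be compared with the thumbprint.
& netsh http show sslcert ipport=0.0.0.0:443
```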

Task 4: Configure Group Policy for domain-joined clients


1. On LON-DC1, in Server Manager, open Group Policy Management from the Tools menu.

2. In Group Policy Management, browse to the Managers OU in the Adatum.com domain, and then
   click Create a GPO in this domain, and Link it here. Use the following setting:

   Name: WorkFolders

3. Edit the WorkFolders GPO, and then browse to
   User Configuration\Policies\Administrative Templates\Windows Components\Work Folders.

4. Edit Specify Work Folders settings and use the following settings:

   Enabled

   Work Folders URL: https://lon-dc1.adatum.com

Task 5: Configure Work Folders on a domain-joined client


1. On LON-CL1, sign in as Adatum\Aidan with a password of Pa$$w0rd.

2. On the Start screen, open Work Folders.

3. Set up Work Folders with the following settings:

   Work Folders location: default

   I accept these policies on my PC

4. Review the information in the Work Folders window.

Task 6: Verify Work Folders encryption


1. On LON-CL1, open File Explorer, and then browse to Work Folders.

2. Create a new text document named Test.

3. Open the advanced properties of Test, and then verify that encryption is enabled.

Task 7: Configure Domain Name System (DNS) for clients that are not domain members

1. On LON-DC1, in Server Manager, open the DNS tool.

2. In DNS Manager, browse to the Adatum.com forward lookup zone.

3. In the Adatum.com zone, create a new alias record with the following settings:

   Alias name: workfolders

   Fully qualified domain name: lon-dc1.adatum.com

Task 8: Configure the user properties for Work Folders

1. On LON-DC1, in Server Manager, open the Active Directory Administrative Center tool.

2. In Active Directory Administrative Center, perform a global search for Aidan.

3. In the search results, open the properties of Aidan Delaney.

4. In the Extensions section, on the Attribute Editor tab, edit the msDS-SyncServerUrl attribute, and
   then add the value https://lon-dc1.adatum.com.

Task 9: Configure Work Folders on a computer that is not a domain member


1. On LON-CL4, sign in as Admin with a password of Pa$$w0rd.

2. On the Start screen, open Work Folders.

3. Set up Work Folders by using the following settings:

   Work email address: aidan@adatum.com

   User name: Adatum\Aidan

   Password: Pa$$w0rd

   I accept these policies on my PC

4. Notice that a view of Work Folders has opened, and it contains the Test document that you created
   earlier.

Results: After completing this exercise, you will have configured Work Folders for the A. Datum
executives.

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.

2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.

3. In the Revert Virtual Machine dialog box, click Revert.

4. Repeat steps 2 and 3 for 20688D-LON-DC1 and 20688D-LON-CL4.

Module Review and Takeaways


Review Questions

Question: Your organization has an already working implementation of Work Folders that
uses auto discovery. A person has joined your organization. The user account for the new
person has been created, and he is attempting to access Work Folders. His attempts to access
Work Folders are failing. What are some likely sources of the problem?

Question: Your organization has implemented OneDrive for Business in SharePoint Online. A
user wants to share a document with a colleague outside the organization. Is this possible?

Question: Your organization has implemented OneDrive for Business in an on-premises
implementation of SharePoint Server 2013. Some users are reporting that they are getting
replication conflicts when they use the OneDrive for Business Windows Sync client. What is
the likely source of this problem?

Module 11
Troubleshooting Applications

Contents:

Module Overview

Lesson 1: Troubleshooting Desktop App Installation Issues

Lesson 2: Troubleshooting Desktop Apps

Lab A: Troubleshooting Desktop Apps

Lesson 3: Managing Windows Store Apps

Lesson 4: Troubleshooting Internet Explorer

Lab B: Troubleshooting Windows Internet Explorer

Lesson 5: Implementing Client Hyper-V

Module Review and Takeaways

Module Overview

Users require apps for every task they perform, including editing documents, querying databases, and
generating reports. Supporting the installation and operation of apps is a critical part of the desktop
support role. Windows 8.1 supports the installation and use of two types of apps: desktop apps and
Windows Store apps. This module examines the issues, including application compatibility issues, that
affect users' abilities to install and run these two types of apps. This module also covers the ways in which
students can resolve Windows Internet Explorer-related issues.

Objectives
After completing this module, you will be able to:

Troubleshoot desktop app installation.

Troubleshoot desktop app compatibility.

Manage Windows Store apps.

Troubleshoot Internet Explorer.

Implement Client Hyper-V.

Lesson 1

Troubleshooting Desktop App Installation Issues

Most large organizations automate application installation from a central location. However, desktop
support personnel are involved in application deployment during initial development of the deployment
process and during the troubleshooting of failed installations. Therefore, you must know how to identify
the reasons why a desktop app installation fails, and know how to resolve any issues that prevent
installation.

Lesson Objectives
After completing this lesson, you will be able to:

Describe desktop app deployment methods.

Discuss desktop app deployment issues.

Describe methods to identify desktop app dependencies.

Describe methods for resolving deployment issues.

Describe methods for troubleshooting Microsoft Windows Installer issues.

Describe how to use AppLocker to control apps.

Control desktop app installation with AppLocker policies.

Methods for Deploying Desktop Apps


Deploying desktop apps is a critical part of
supporting users. Generally, you should automate
the application deployment process. This
simplifies the process from the user's perspective.
Methods for deploying desktop apps include:

Manual installation. This method requires that the person installing the desktop app, a user or
support person, knows the location of the setup files, and then initiates the installation. This method
of installation is suitable only when you are installing desktop apps on a small number of computers.

Group Policy. This method uses a Group Policy Object (GPO) to automate desktop app installation
from a network share. You can make desktop apps available for users to select, or you can configure
desktop apps so they install automatically for specific users, or on specific computers. To automate
the installation process completely, some desktop apps require you to create a transform file (.mst).

Microsoft System Center 2012 Configuration Manager. This method uses the application deployment
capabilities of Configuration Manager to automate desktop app installation from a network share.
The main benefits of using Configuration Manager versus deployment by using Group Policy are
increased flexibility and detailed reporting. You also can use Configuration Manager to distribute
application updates.

Windows Intune. Windows Intune provides an application deployment solution that organizations
can use to target remote users, including users who spend time on the road or use organizational
computers to work from home offices.

Virtualized applications. With the RemoteApp feature in Windows Server 2012 R2, you can avoid
having apps installed on desktop computers. An icon on the user desktop opens a Remote Desktop
Protocol (RDP) session to a server that hosts the app. The app is remote-controlled in a window. This
simplifies updates, because you must update only a single central copy of the app. This method works
best with desktop apps that need to access data in a central location.

Inclusion in a Windows operating system image. Many organizations include common applications
in the base Windows operating system image that they deploy on desktop computers. With this
method, you can avoid having a specific deployment process for the desktop app. However, this
method also results in increased image maintenance over time as your organization releases updates
and new versions of the desktop app.

Discussion: Desktop App Deployment Issues


Desktop app deployment may fail for a variety
of reasons, including the configuration of the
deployment process or the configuration of the
computer on which you deploy the application.
By understanding the reasons behind the failure
of desktop app deployments, you can resolve the
issues preventing installation.
Question: What are some reasons that
application deployment or installation may
fail?

Identifying Desktop App Dependencies


Many applications require specific operating
system features to function properly. For example,
many applications require a specific version of
.NET Framework. Additionally, some applications
use the functionality of other applications to
function properly. For example, some financial
applications use Microsoft Excel to perform
calculations.
You can identify desktop app dependencies in
several ways, including:

Read documentation. Most vendors provide installation documentation that clearly
defines desktop app requirements. By reading the documentation prior to attempting an installation,
you can ensure that all desktop app dependencies are in place.

Contact the vendor. If the vendor does not provide installation documentation that defines the
desktop app requirements, you can request them from the vendor's application support department.

Investigate errors during installation. Most software performs checks during installation to verify that
the computer on which the software is installed meets all desktop app requirements. If a dependency
is not in place, then the desktop app generates an error to indicate which dependency is missing.

In most cases, software does not install at all if the desktop app dependencies are not in place.
Setup stops, and the software installation program generates an error that requests installation of all
prerequisites prior to another installation attempt. However, some desktop apps will install even if the
dependencies are not met. In those cases, the user encounters errors while operating the software, rather
than during installation.

Resolving Desktop App Deployment Issues


The ability to resolve desktop app deployment
issues depends on your understanding of the
cause behind the issue. Once you understand why
a desktop app is not deploying properly, you can
determine the correct methods to resolve the
issue.

Methods for Resolving Desktop App Deployment Issues

The following are methods for resolving desktop
app deployment issues:

Run as Administrator. For desktop app installations that do not properly elevate permissions to perform
installation, you can elevate permissions manually by right-clicking the installation file, and then
clicking Run as Administrator.

Install the necessary dependencies. If you cannot install a desktop app because of missing
dependencies, then you must install the necessary dependencies. If the missing dependency affects
multiple computers, you need to determine the best way to deploy the missing dependency to all
computers. You may need to update the base image, which deploys with the dependency.

Note: You can enable features by using Programs and Features in Control Panel, or by
typing dism.exe at a command prompt. This command-line tool also enables features in images.

Application Compatibility Toolkit (ACT). ACT is a suite of tools that Microsoft provides to simplify the
installation and execution of older applications on newer versions of Windows operating systems.
One use for ACT is to generate an inventory of installed applications, and then evaluate whether
those applications experience issues when running on Windows 8.1. You typically would use ACT
during migration to a new operating system.

Correct configuration of AppLocker. If AppLocker is blocking legitimate desktop apps from installing,
then you must adjust the configuration of AppLocker rules.

Troubleshooting Windows Installer Issues


Windows Installer is the service in Windows 8.1
that performs application installations. If the
application is packaged as an .msi file and is
accessible from the target computer, you can run
msiexec.exe from an elevated command prompt
to install a desktop app. For example, to install an
app from a shared folder, run the following
sample command from an elevated command
prompt:

Msiexec.exe /i \\lon-dc1\apps\app1.msi

During app installation, you may receive error messages, such as:

The Windows Installer Service could not be accessed.

Windows Installer Service could not be started.

Could not start the Windows Installer service on the Local Computer.

One source of Windows Installer issues is apps that do not complete installing or uninstalling. In some
cases, restarting the computer may force the operation to proceed. However, you may need to reinstall or
repair the app before you are able to remove it. In a worst-case scenario, you may need to remove an app
manually, including its registry entries.

To troubleshoot Windows Installer issues:
1. Verify that Windows Installer is functioning by running msiexec at a command prompt.
2. Verify that the Windows Installer service is configured to start manually, and that it starts without
   errors.
3. Update to the latest version of Windows Installer.
4. Reregister Windows Installer by using the following commands:

   Msiexec /unregister
   Msiexec /register

In rare cases, another application that is running may be preventing the software's installation or removal.
You can disable services and applications that start automatically to attempt to identify a problem
application.

Note: You can also use Windows Installer to update and repair installed desktop apps.
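
The first two troubleshooting steps above can be scripted from an elevated Windows PowerShell prompt. The following is an added example, not part of the course material: the function name Test-WindowsInstallerHealth is hypothetical, and it assumes the standard service name msiserver and the MsiInstaller event source in the Application log.

```powershell
function Test-WindowsInstallerHealth {
    [CmdletBinding()]
    param(
        # How many hours of Application-log history to search.
        [int]$LookbackHours = 24
    )

    # Step 1: confirm that msiexec.exe is present and report its version.
    $msiexec = Join-Path $env:SystemRoot 'System32\msiexec.exe'
    $version = if (Test-Path $msiexec) {
        (Get-Item $msiexec).VersionInfo.ProductVersion
    } else { $null }

    # Step 2: the service should be set to Manual and must start cleanly.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='msiserver'"
    if (-not $svc) {
        throw 'The Windows Installer service (msiserver) is not registered.'
    }

    # The service stops itself when idle, so "Stopped" is normal. What matters
    # is whether it can be started; a Disabled start mode fails here.
    $startError = $null
    if ($svc.State -ne 'Running') {
        try   { Start-Service -Name msiserver -ErrorAction Stop }
        catch { $startError = $_.Exception.Message }
    }

    # Errors (level 2) and warnings (level 3) logged by Windows Installer.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'MsiInstaller'
            Level        = 2, 3
            StartTime    = (Get-Date).AddHours(-$LookbackHours)
        } -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        MsiexecVersion    = $version
        StartMode         = $svc.StartMode
        StartModeIsManual = ($svc.StartMode -eq 'Manual')
        StateBeforeCheck  = $svc.State
        ServiceStarts     = ($null -eq $startError)
        StartError        = $startError
        RecentProblems    = $events |
            Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}

# Summarize the last two days, then list the ten most recent problems.
$health = Test-WindowsInstallerHealth -LookbackHours 48
$health | Format-List MsiexecVersion, StartMode, StartModeIsManual, ServiceStarts, StartError
$health.RecentProblems |
    Sort-Object TimeCreated -Descending |
    Select-Object -First 10 |
    Format-Table -Wrap
```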

Using AppLocker to Control Apps


Today's organizations face a number of challenges
in controlling which apps run on client computers.
These challenges include controlling:

The packaged and custom apps that users can access.

Which users are allowed to install new software.

Which versions of apps are allowed to run, and for which users.

Users who run unauthorized software can experience a higher incidence of malware
infections and generate more help desk calls. However, it can be difficult for you to ensure that user
computers are running only approved, licensed software.

AppLocker Benefits


You can use AppLocker to specify exactly what is allowed to run on user PCs and devices. This allows users
to run the applications, installation programs, and scripts that they require to be productive, while still
providing the security, operational, and compliance benefits of application standardization.
AppLocker can be useful for organizations that want to:

Limit the number and types of files that are allowed to run, by preventing unlicensed software or
malware from running, and by restricting the ActiveX controls that are installed.

Reduce the total cost of ownership by ensuring that workstations are homogeneous across an
enterprise and that users are running only the software and apps that the enterprise approves.

Reduce the possibility of information leaks from unauthorized software.

AppLocker Rules

You can prevent many problems in your work environment by controlling which apps a user can run.
AppLocker lets you do this by creating rules that specify exactly which apps a user is allowed to run.
You can configure these rules to continue to function even when apps are updated.

Because AppLocker is an additional Group Policy mechanism, IT professionals and system administrators
need to be comfortable with Group Policy creation and deployment. This makes AppLocker ideal for
organizations that currently use Group Policy to manage their Windows 8.1 computers or have per-user
application installations.
To author AppLocker rules, there is a new AppLocker Microsoft Management Console (MMC) snap-in in
the Group Policy Management Console (GPMC). This snap-in offers an improvement to the process of
creating AppLocker rules. AppLocker provides several rule-specific wizards. You can use one wizard to
create a single rule and another wizard to generate rules automatically, based on your rule preferences
and the folder that you select. The four wizards that AppLocker offers administrators to author rules are:

Executable Rules.

Windows Installer Rules.

Script Rules.

Packaged app Rules.


At the end of each wizard, you can review the list of analyzed files. You can then modify the list to remove
any file before rules are created for the remaining files. You can also receive useful statistics about how
often a file has been blocked, or test the AppLocker policy for a specific computer.

Demonstration: Controlling Desktop App Installation by Using AppLocker


Note: This is a practice session.
In this practice session, you will create a new Windows Installer rule.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL1 and 20688D-LON-CL3.

Demonstration Steps
Create a new installer rule
1. Sign in to LON-CL3 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, and
   then expand Security Settings.
4. Expand Application Control Policies, and then double-click AppLocker.
5. Click Windows Installer Rules, right-click Windows Installer Rules, click Create New Rule, and
   then click Next.
6. On the Permissions page, click Deny, and then click the Select button.
7. In the Select User or Group dialog box, in the Enter the object names to select (examples) text
   box, type Sales. Click Check Names, click OK, and then click Next.
8. On the Conditions page, click Path, and then click Next.
9. On the Path page, click Browse Files.
10. In the Open dialog box, in the File name text box, type \\lon-dc1\sales\XmlNotepad.msi, and then
    click Open.
11. Click Next.
12. Click Next again, and then click Create.
13. When prompted to create default rules, click Yes.
14. Close Local Group Policy Editor.

Note: You will not perform the additional steps to enable this rule.

Completion steps

After you have completed the practice session, leave the virtual machines running for the next
practice session.


Lesson 2

Troubleshooting Desktop Apps

A desktop app operation issue is any instance in which the desktop app is not operating as a user expects.
Desktop support personnel should identify the source of an application operation issue, and then resolve
it. This lesson explores common desktop app operations issues and suggests mitigations for these issues.

Lesson Objectives
After completing this lesson, you will be able to:

Describe desktop app operation issues.

Describe how to identify desktop app errors.

Describe methods for resolving desktop app operation issues.

Describe the ACT.

Resolve a desktop app compatibility issue by using the ACT.

Issues Related to Desktop App Operations


A desktop app operation issue is any situation in
which a desktop app does not perform properly
from the user's perspective. Some of the issues
that you or your users may encounter include:

Missing features. Many apps let you select which features to install. An app's
default installation options may not include
the features that all users require.

Incorrect configuration. An app's post-installation default settings may not be
appropriate, so you must customize the app's
settings, such as the default locations for
saving files and folders, to fit your needs.

Poor performance. Apps may run slower than users expect. This can happen either when users
perform a specific task or during regular application use.

Errors. Any error that the app displays on-screen is a desktop app operation issue.

Incorrect database connection settings. Some desktop apps use a server database as a data store. If
you do not configure the connection to the database correctly, the app cannot function correctly.

App blocking by AppLocker. You can configure AppLocker to allow or block applications on Windows
8.1 devices. If AppLocker is blocking a legitimate desktop app, then you must try to resolve the issue.

Identifying Issues Related to Desktop App Operations


Issues with desktop app operations can impact
users' ability to perform their jobs. You must
identify and troubleshoot these issues as quickly
and as accurately as possible.
Before you widely deploy a desktop app, you
should put it through a thorough testing process
that includes common user activities. Desktop
support staff often performs this testing. During
testing, the desktop app may not function as you
expect, which triggers the need for further
troubleshooting.


After you deploy a desktop app, users are the most common source for information about issues with app operations, because they report their
computer-related issues to the help desk. When you investigate issues with desktop app operations, you
can use both on-screen error messages and event logs. In some cases, these messages and logs provide
enough information to resolve the issue. In other cases, you may need to perform more research.
Additional research may include:

Searching the vendor website.

Searching the Internet.

Contacting vendor support.

Resolving Issues Related to Desktop App Operations


Your success in resolving an issue with a desktop
app operation depends on your accuracy in
defining the issue, and then determining how
to resolve it. Some ways to resolve issues with
desktop app operations include:

Install a needed feature. If an app feature
that a user requires is missing, then you can
install it. Ultimately, you must determine if
other users require that feature, and if so,
determine the best way to accommodate
them. You might need to update the app's
installation process or update an operating
system image that contains the app.

Reconfigure an app. If you configure a desktop app incorrectly, you can reconfigure it so that it meets
the defined specifications. If multiple users require the reconfiguration, you need to determine the
best way to update multiple computers. You may decide to update Group Policy, update the app
deployment process, or update an operating system image that contains the app.

Repair or reinstall an app. If a desktop app is experiencing errors or is unable to start, repairing the
app may resolve the issue. Repairing an app updates the app files to the correct version, and rewrites
the required computer-specific registry entries. It does not, however, affect user-specific registry
entries. If an app repair does not resolve the problem, try reinstalling the app.


Apply app updates. App updates resolve desktop app operation issues that the application's vendor
identifies. Installing app updates in a timely manner may prevent some issues with desktop app
operations from occurring in your environment, and may also resolve performance issues.

Upgrade the app to a newer version. Some issues with app operations require you to upgrade to
a newer version of the app. For example, to increase performance and access more memory, you
may need to upgrade an app to a 64-bit version. New features also are available in newer versions.
Depending on how you license the app, there may be a fee associated with obtaining a newer version
of an app.

Identify performance issues and bottlenecks. Performance issues that users report are typically
very vague. You need to accurately define the source of a performance issue by using tools such as
Performance Monitor. Improving performance may be dependent on hardware upgrades, or on users
running fewer applications simultaneously on the computer. You also may need to adjust users'
performance expectations.

Reconfigure AppLocker rules. If AppLocker rules are preventing a legitimate desktop app from
running, you must reconfigure those rules to allow the desktop app to run by allowing the app path,
the publisher, or the hash value.
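
Before changing rules, it helps to see why AppLocker allows or blocks a given file for a given user. The following Windows PowerShell is an added example, not part of the course material: the function name Get-AppLockerDiagnosis is hypothetical, and the check of the Application Identity service (AppIDSvc), which AppLocker depends on to enforce rules, goes beyond what this module covers.

```powershell
Import-Module AppLocker

function Get-AppLockerDiagnosis {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$FilePath,
        [string]$User = 'Everyone'
    )

    # Which rule collection covers this file type.
    $collectionName = switch -Regex ([IO.Path]::GetExtension($FilePath)) {
        '^\.(exe|com)$'            { 'Exe' }
        '^\.(msi|msp|mst)$'        { 'Msi' }
        '^\.(ps1|bat|cmd|vbs|js)$' { 'Script' }
        '^\.(dll|ocx)$'            { 'Dll' }
        '^\.appx$'                 { 'Appx' }
        default                    { $null }
    }

    # Enforcement mode of each collection in the effective policy (local
    # policy merged with domain GPOs). A collection that holds rules but is
    # NotConfigured is enforced; AuditOnly logs matches without blocking.
    [xml]$policyXml = Get-AppLockerPolicy -Effective -Xml
    $collections = @(foreach ($rc in $policyXml.AppLockerPolicy.RuleCollection) {
        [pscustomobject]@{
            Collection      = $rc.Type
            EnforcementMode = $rc.EnforcementMode
            RuleCount       = @($rc.ChildNodes |
                Where-Object { $_.NodeType -eq 'Element' }).Count
        }
    })
    $target = $collections | Where-Object { $_.Collection -eq $collectionName }

    # AppLocker enforces nothing unless the Application Identity service runs.
    $appId = Get-CimInstance -ClassName Win32_Service -Filter "Name='AppIDSvc'"

    # What the rules say about this file for this user or group.
    $decision = Get-AppLockerPolicy -Effective |
        Test-AppLockerPolicy -Path $FilePath -User $User

    # Recent "would have been blocked" (8003, 8006) and "blocked" (8004, 8007)
    # events from the AppLocker logs.
    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script'
    $events = @(Get-WinEvent -LogName $logs -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { 8003, 8004, 8006, 8007 -contains $_.Id })

    $findings = @()
    if (-not $appId -or $appId.State -ne 'Running') {
        $findings += 'Application Identity service (AppIDSvc) is not running, so rules are not enforced.'
    }
    if (-not $target -or $target.RuleCount -eq 0) {
        $findings += "No rules exist in the '$collectionName' collection of the effective policy."
    } elseif ($target.EnforcementMode -eq 'AuditOnly') {
        $findings += "The '$collectionName' collection is audit-only: matches are logged, not blocked."
    }

    [pscustomobject]@{
        File            = $FilePath
        User            = $User
        Collections     = $collections
        AppIdStartMode  = $appId.StartMode
        AppIdState      = $appId.State
        Decision        = $decision
        BlockAuditEvent = $events | Select-Object TimeCreated, Id, Message
        Findings        = $findings
    }
}

# Example call with the file and group from this module's demonstration
# (the 'Adatum\Sales' form of the group name is an assumption):
#   $d = Get-AppLockerDiagnosis -FilePath '\\lon-dc1\sales\XmlNotepad.msi' -User 'Adatum\Sales'
#   $d.Findings
#   $d.Collections | Format-Table
#   $d.Decision | Format-List FilePath, PolicyDecision, MatchingRule
```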

What Is the ACT?


The ACT is a set of tools that you can use to
perform an inventory of applications, analyze
compatibility of applications, and mitigate any
compatibility issues. Organizations typically use
ACT when planning a new operating system
deployment to ensure that all applications
function properly.
ACT includes features such as:

A database of known application compatibility issues and resolutions.

The Compatibility Administrator, which provides compatibility fixes (previously known as shims) that enable older applications to run on
newer Windows operating system versions.

The Setup Analysis Tool, which monitors an application's installation process and identifies issues that
relate to installation.

The Internet Explorer Compatibility Test Tool, which monitors web-based applications, and then
identifies issues that newer Internet Explorer versions may experience.

The Standard User Analyzer, which identifies any issues that relate to running an application as a
standard user.

The Update Compatibility Evaluator, which identifies any issues that relate to implementing new
Windows operating system updates.

Demonstration: Resolving a Desktop App Compatibility Issue by Using the ACT

Note: This is a practice session.
In this practice session, you will:

Identify compatibility issues.

Create a compatibility fix.

Test the fix.

Preparation Steps


For this practice session, you need to use the available virtual machine environment. The required virtual
machines should still be running. If they are not, before you begin the practice session, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and then in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL1 and 20688D-LON-CL3.

Demonstration Steps
Identify compatibility issues
1. Sign in to LON-CL1 as Adatum\Alan with the password Pa$$w0rd.
2. Click Desktop, and then on the taskbar, click File Explorer.
3. Navigate to C:\Program Files (x86)\StockViewer and then double-click StockViewer.
4. In the Permission denied dialog box, click OK.
5. On the Stock Viewer toolbar, click Trends. In the Error dialog box, click OK.
6. On the Tools menu, click Options. In the Unhandled exception has occurred dialog box, click
   Continue.
7. On the Tools menu, click Show Me a Star.
8. In the Unsupported Version dialog box, click OK.
9. Close Stock Viewer.
10. In File Explorer, right-click StockViewer, and then click Run as administrator.
11. In the User Account Control box, provide the following credentials, and then click Yes:
    o User name: Adatum\Administrator
    o Password: Pa$$w0rd


12. On the Stock Viewer toolbar, click Trends.
13. On the Tools menu, click Options, and then click OK.
14. On the Tools menu, click Show Me a Star, and then click OK.
15. Close Stock Viewer and then sign out of LON-CL1.

Create a compatibility fix


1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, beneath the desktop tile, click the down arrow.
3. Click Compatibility Administrator (32-bit).
4. In the Compatibility Administrator (32-bit) New Database (1) [Untitled_1] dialog box, right-click New Database(1) [Untitled_1], and then click Rename.
5. Type AdatumACT, and press Enter.
6. In the Compatibility Administrator window, right-click AdatumACT [Untitled_1]*, click Create New,
   and then click Application Fix.
7. In the Create New Application Fix Wizard, in the Name of the program to be fixed field, type
   StockViewer.
8. Click Browse.
9. In the Find Binary window, browse to C:\Program Files (x86)\StockViewer\StockViewer.exe, and
   then click Open.
10. In the Create New Application Fix window, click Next.
11. On the Compatibility Modes page, select the Run this program in compatibility mode for check
    box, click the drop-down list, and then click Windows XP.
12. In the Additional compatibility modes section, scroll down, select the RunAsAdmin check box, and
    then click Next.
13. On the Compatibility Fixes page, click Next.
14. On the Matching Information page, click Finish.
15. In the Compatibility Administrator window, click Save.
16. In the Save Database window, browse to d:\labfiles\mod11\.
17. In the File name field, type AdatumACT, and then click Save.
18. Close the Compatibility Administrator window.
19. Sign out of LON-CL1.

Test the fix


1. Sign in to LON-CL1 as Adatum\Alan with the password Pa$$w0rd.
2. On the Start screen, type cmd, right-click Command Prompt, and then click Run as administrator.
3. In the User Account Control dialog box, enter the following credentials, and then click Yes:
   o User name: Adatum\administrator
   o Password: Pa$$w0rd
4. At the command prompt, type the following, and press Enter:

   Sdbinst D:\labfiles\mod11\AdatumACT.sdb

5. On the taskbar, click File Explorer.
6. Navigate to C:\Program Files (x86)\StockViewer and then double-click StockViewer.
7. In the User Account Control dialog box, enter the following credentials, and then click Yes:
   o User name: Adatum\administrator
   o Password: Pa$$w0rd
8. On the Stock Viewer toolbar, click Trends.
9. On the Tools menu, click Options.
10. Click OK to close the message box.
11. On the Tools menu, click Show Me a Star.
12. Close the Stock Viewer application.

Completion steps
After you have completed the practice session, revert the virtual machines in preparation for the lab:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-CL3 and 20688D-LON-DC1.


Lab A: Troubleshooting Desktop Apps


Scenario

The help desk has passed you an incident record. You must resolve the problems documented on this
ticket, and then update the record with the resolution.

Objectives
After completing this lab, you will be able to:

Troubleshoot AppLocker policy application.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL3.

Exercise 1: Troubleshooting AppLocker Policy Application


Scenario


Your manager has come to you indicating that there are reports of staff in one department loading
programs that are unauthorized. Your manager indicates that the AppLocker policies in place should be
preventing this, and that you should investigate why this is happening.

Incident Record
Incident Reference Number: 723401
Date of Call: October 21
Time of Call: 13:22
User: Karin Lamb (Sales Department)
Status: OPEN

Incident Details
Users are installing unauthorized apps in the Sales department.
Additional Information
Karin Lamb, one of the sales managers, has reported that users are installing unauthorized desktop
apps.
The AppLocker policies that are in place do not appear to be working.
You must determine why these policies are not being enforced.
Plan of Action

Resolution

The main tasks for this exercise are as follows:
1. Read the help desk Incident Record for incident 723401.
2. Discuss recommendations.
3. Verify the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for incident 723401

Read the help desk incident record 723401 above.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record.
2. Discuss your recommendations with other students.


Task 3: Verify the problem


1. Switch to LON-CL3.
2. Sign in by using the following credentials:
   o User name: Adatum\Karin
   o Password: Pa$$w0rd
3. Run \\lon-dc1\Sales\XmlNotepad.msi.
4. When the installation starts, click Cancel. This shows that the AppLocker policy is not being enforced.
5. Sign out.

Task 4: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of AppLocker and GPO application.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.

To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you should have successfully resolved the AppLocker policy
application problem.

To prepare for the next practice session


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL3, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lesson 3

Managing Windows Store Apps


Windows Store apps do not consume much memory or make excessive processor demands. In addition,
Windows Store apps run in full-screen mode in the new Windows user interface (UI). It is important that
you know how to manage user access to the Windows Store, which enables you to control the installation
and use of these apps.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Windows Store and Windows Store apps.

Explain how to manage and restrict access to the Windows Store.

Describe sideloading.

Explain how to configure assigned access to a Windows Store app.

Describe the process of using AppLocker to control Windows Store apps.

The Windows Store


The Windows Store provides a convenient, single
location from which users can browse, install, and
update apps. Many Windows Store apps are free,
and others are available for purchase. Users can
access the Windows Store from the Start screen
without having to navigate first to Control Panel.
Note: To access the Windows Store, users
must sign in by using a Microsoft account. Users
can create this account during the Windows 8.1
installation, or after installation.

Windows Store Apps

The design of the Windows Store enables users to access and install Windows Store apps. Windows Store
apps are not like desktop apps such as Microsoft Office 2013 applications. Rather, they are full-screen,
immersive apps that can run on a number of device types, including x86, x64, and ARM platforms.
Windows Store apps can communicate with one another and with the Windows 8.1 operating system,
so that it is easier to search for and share information such as photographs. When you install a Windows
Store app, users can see tiles, some of which update continuously with live app information or status.

Locating Windows Store Apps

When users connect to the Windows Store, the initial page they see is known as the landing page. This
page makes it easy to locate and receive information on apps. Windows Store divides apps into categories
such as Games, Entertainment, and Music & Videos.
Users also can use context-sensitive search by using the Windows 8.1 Search charm to search the
Windows Store for specific Windows Store apps. For example, if a user needs an app that provides video-editing capabilities, the user can tap or click the Search charm, type the search text string, and then click
Store. The Windows Store returns suitable apps from which the user can choose.


Installing Windows Store Apps

Installing Windows Store apps is easy for users. A single click on the appropriate app in the Windows
Store app list is usually all that is needed to install the app. The app installs in the background, so the user
can continue browsing the Windows Store. After the app installs, a tile for the app appears on the user's
Start screen.

Updating Windows Store Apps

Windows 8.1 checks the Windows Store daily for updates for installed Windows Store apps. When updates
for installed apps are available, Windows 8.1 updates the Store tile on the Start screen with a number
that indicates how many updates are available. When the user selects the Store tile and connects to the
Windows Store, the user can choose to update one, several, or all of their installed apps for which updates
are available.
Note: By default, Windows updates installed apps automatically, but users can change this
setting if they choose instead to update specific apps.

Installing Windows Store Apps on Multiple Devices

Many users have multiple devices, such as both desktop and laptop computers. Windows Store allows five
installs of a single app to enable users to run an app on all of their devices. If users attempt to install an
app on a sixth device, they are prompted to remove the app from another device.

Managing Access to the Windows Store


While it might be convenient to allow users to search
for and install apps, this method poses potential
problems for system administrators who want to
control app installation, or impose a rigid desktop
standard on network-connected computers. For
this reason, you can use either domain-based or
local GPOs to control access to the Windows
Store.

Ensuring Users Have a Microsoft Account

Although you can use a local or domain user
account to browse the Windows Store, to
download a Windows Store app, you must sign up for a Microsoft account.

Disabling the Store Application


To control access to the Store, you must perform the following procedure:
1. From the Start screen, run gpedit.msc, and then load the Local Group Policy Editor.
2. Under Local Computer Policy, expand User Configuration, expand Administrative Templates,
   expand Windows Components, and then click Store.
3. In the results pane, double-click Turn off the Store application.
4. In the Turn off the Store application dialog box, click Enabled, and then click OK.
5. Close all open windows.


When you disable the Windows Store, the following message displays when users attempt to access the
Store tile on the Start screen: Windows Store isn't available on this PC.
Note: You also can use domain-based GPOs to disable the Windows Store for specific
computers, users, or groups of users.

Controlling the Applications That Users Can Install


Windows 8.1 Enterprise also enables you to use AppLocker to help control which applications and files
users can run. These applications include executable files, scripts, Windows Installer files, dynamic-link
libraries (DLLs), and packaged apps and their installers.

Managing Updates

IT administrators have limited control over updates for installed Windows Store apps. It is not possible for
you to configure automatic app updates. You also cannot control which updates are available.
Note: You can use GPOs to download updates automatically, but users still must initiate
the installation process.

Sideloading Apps
Many larger organizations want to distribute to
client computers apps that are for internal use
only. These line-of-business (LOB) apps are not
available in Windows Store. Therefore, you must
provide another method for distributing and
installing these LOB apps. Sideloading provides
a mechanism for distributing LOB apps to your
client computers without using the Windows
Store.
To sideload apps, you can use the dism.exe
command-line tool, Windows Intune, System
Center 2012 R2 Configuration Manager, and
Windows PowerShell to add, list, and remove LOB apps. The following procedure uses GPOs and
Windows PowerShell.

Enabling Sideloading
To enable sideloading, you must perform the following procedure to configure the appropriate GPO
settings:
1. Open the Local Group Policy Editor (gpedit.msc).
2. Under Local Computer Policy, in the left pane, expand Computer Configuration, expand
   Administrative Templates, expand Windows Components, and then click App Package
   Deployment.
3. In the results pane, double-click Allow all trusted apps to install.
4. In the Allow all trusted apps to install dialog box, click Enabled, and then click OK.


Installing LOB Apps

After you configure GPOs, you can install your apps, which are packaged in .appx files. To install a single
app for a user, perform the following steps:
1. To install the package, at the Windows PowerShell command prompt, type the following command,
   and then press Enter:

   Add-AppxPackage H:\apps\apps1.appx

2. To add a package to a Windows operating system image by using Dism.exe, perform one of the
   following tasks:
   o Open an elevated command prompt, type the following command, and then press Enter:

     DISM /Online /Add-ProvisionedAppxPackage /PackagePath:H:\apps\App1.appx /SkipLicense

   o Alternatively, you can use Windows PowerShell. At the Windows PowerShell command prompt, type the following command, and then press Enter:

     Add-AppxProvisionedPackage -Online -FolderPath H:\apps\Appx

Note: Your LOB apps must be signed digitally, and can only be installed on computers that
trust the certification authority (CA) that provided the apps' signing certificates.
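
A pre-installation check for the two requirements stated above (the sideloading policy is enabled, and the package signature chains to a CA that the computer trusts), as an added Windows PowerShell example that is not part of the course material. The function name Test-SideloadReadiness is hypothetical; AllowAllTrustedApps is the registry value behind the Allow all trusted apps to install policy setting, and the package path is the one used in the procedure above.

```powershell
function Test-SideloadReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$PackagePath
    )

    if (-not (Test-Path -LiteralPath $PackagePath)) {
        throw "Package not found: $PackagePath"
    }

    # The "Allow all trusted apps to install" setting is stored as this
    # policy value; 1 means sideloading is enabled.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $policy = Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    $sideloadingEnabled = [bool]($policy -and $policy.AllowAllTrustedApps -eq 1)

    # Status is 'Valid' only when the package is signed, unmodified, and the
    # signing certificate chains to a root that this computer trusts.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath

    [pscustomobject]@{
        Package                  = (Resolve-Path -LiteralPath $PackagePath).Path
        SideloadingPolicyEnabled = $sideloadingEnabled
        SignatureStatus          = $sig.Status
        StatusMessage            = $sig.StatusMessage
        Signer                   = $sig.SignerCertificate.Subject
        Issuer                   = $sig.SignerCertificate.Issuer
        CertificateExpires       = $sig.SignerCertificate.NotAfter
        Ready                    = ($sideloadingEnabled -and $sig.Status -eq 'Valid')
    }
}

# Install only when both requirements are met; otherwise show what failed.
$check = Test-SideloadReadiness -PackagePath 'H:\apps\apps1.appx'
if ($check.Ready) {
    Add-AppxPackage -Path $check.Package
} else {
    $check | Format-List
}
```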

Removing Installed LOB Apps

If you need to remove a single installed app for the current user, at the Windows PowerShell command
prompt, type the following cmdlet, and then press Enter:
Remove-AppxPackage Package1

If you must remove a provisioned app (one that is available but not installed) and prevent its installation
for new users, run either of the following commands:
1. At the Windows PowerShell command prompt, type the following command, and then press Enter:

   Remove-AppxProvisionedPackage -Online -PackageName MyAppxPkg

2. Alternatively, you can open an elevated command prompt, type the following command, and then
   press Enter:

   DISM.exe /Online /Remove-ProvisionedAppxPackage /PackageName:microsoft.app1_1.0.0.0_neutral_en-us_ac4zc6fex2zjp

Note: You can use the preceding command to remove built-in apps.

Configuring Assigned Access to a Single Windows Store App


In some situations, you may want to lock down a computer so that it can only run a single Windows
Store app. Typically, a computer that you configure this way might be in a public area, such as a
library, kiosk, or coffee shop. In fact, it is the user account that you are restricting rather than
the computer.
To restrict a user account to run a single Windows Store app, perform the following procedure:
1. From the Start screen, bring up the charms menu, and then click Settings.
2. Click Change PC settings.
3. Click Accounts, and then click Other accounts.
4. In the right pane, click Set up an account for assigned access.
5. Click Choose an account, and then select the account that you want to restrict.
6. Click Choose an app, and then select the installed app to which you want to restrict the account.
7. Sign out from the computer to make the changes effective.

When the user signs in to the computer, they will only be able to access the assigned app.
Note: To sign in as another user when you are signed in as the restricted user, press the
Windows key five times rapidly. Once you are signed in as a non-restricted user, you can disable
the setting by configuring the account to Don't use assigned access.

Using AppLocker to Control Windows Store Apps


Users that run unauthorized apps can experience a higher incidence of malicious software (also
called malware) infections, which generates more help desk calls. Ensuring that user desktops are
running only approved, licensed software can be difficult. Windows Vista addressed this issue by
supporting the software restriction policy, which administrators used to define the list of
applications that users were allowed to run.

AppLocker builds upon this security layer, providing you with the ability to control which users can
run designated desktop apps such as executables (.exe files), scripts, Windows Installer files (.msi
and .msp), and dynamic-link libraries (.dll). You can use AppLocker to specify which Windows Store
apps (.appx) users can install and use on their computers.

Configuring AppLocker

To enable AppLocker restrictions for the Windows Store apps, you must configure the appropriate GPO
settings by performing the following procedure:
1. Open the Local Group Policy editor (gpedit.msc).
2. Under Local Computer Policy in the left pane, expand Computer Configuration, expand Windows
   Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and
   then click Packaged app Rules.
3. Right-click Packaged app Rules, and then click Create New Rule.
4. Use the Create Packaged app Rules Wizard to configure the app restriction policy with the following
   settings:
   a. Configure the permissions to allow or deny the app.
   b. Select an app publisher. You can select an installed app as a reference.
   c. Modify the rule's specificity by making the rule apply to:
      i. Only the specific version of the app that you select.
      ii. Any apps from the publisher.
      iii. Any apps from any publisher.
   d. Define exceptions.
   e. Name the policy.
5. Create the default rule. This default rule has a lower precedence, but enables all signed packaged
   apps to run. To create the default rule, right-click Packaged app Rules, and then click Create
   Default Rules.
6. Choose the enforcement level. By default, policies are not enforced. To enforce policies, right-click the
   AppLocker node, and then click Properties.
7. In the AppLocker Properties dialog box, select the Configured check box adjacent to Packaged app
   Rules. In the list, depending on your requirements, select either Enforce rules or Audit only, and then
   click OK.

Enabling Application Identity Service

You must also start the Application Identity service on all computers affected by your AppLocker policy.
This service identifies apps, and then processes the AppLocker policies against the identified apps. You can
enable this service by opening Services.msc, and then selecting the Application Identity service. Configure
the service for automatic startup, and then start the service manually. You can also start the service by
configuring the setting through a GPO.
Note: The only edition of Windows 8.1 that supports AppLocker is Windows 8.1 Enterprise.
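
A scripted check of the configuration described above, as an added example that is not part of the courseware: it starts the Application Identity service, reports the enforcement mode of the Packaged app rule collection, tests installed packages against the effective policy, and lists recent audit and block events. It assumes Windows 8.1 Enterprise, an elevated Windows PowerShell session, and a scratch file under %TEMP%.

```powershell
# Added example: verify an AppLocker Packaged app policy end to end.
Import-Module AppLocker

# 1. Without the Application Identity service no AppLocker rule is evaluated.
Set-Service   -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Get-Service   -Name AppIDSvc | Select-Object Name, Status

# 2. Read the effective policy (local plus GPO) and find the Packaged app
#    collection, which is stored with Type="Appx".
$policyXml = Get-AppLockerPolicy -Effective -Xml
[xml]$effective = $policyXml
$appx = $effective.AppLockerPolicy.RuleCollection |
    Where-Object { $_.Type -eq 'Appx' }

if (-not $appx) {
    Write-Warning 'No Packaged app rule collection is configured.'
} else {
    # EnforcementMode is NotConfigured, AuditOnly or Enabled (Enforce rules).
    '{0} packaged app rule(s), enforcement mode: {1}' -f `
        @($appx.ChildNodes).Count, $appx.EnforcementMode
}

# 3. Ask AppLocker what it would decide for every package installed for the
#    current user, before anyone is actually blocked.
$policyFile = Join-Path $env:TEMP 'effective-applocker.xml'   # scratch file (assumption)
$policyXml | Out-File -FilePath $policyFile
Get-AppxPackage |
    Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# 4. Review what Audit only (or Enforce rules) has recorded.
#    Execution log:  8021 = would have been blocked (audit), 8022 = blocked
#    Deployment log: 8024 = install would have been blocked, 8025 = install blocked
$logs = 'Microsoft-Windows-AppLocker/Packaged app-Execution',
        'Microsoft-Windows-AppLocker/Packaged app-Deployment'
foreach ($log in $logs) {
    Get-WinEvent -LogName $log -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 8021, 8022, 8024, 8025 } |
        Select-Object TimeCreated, Id, Message
}
```

Running the policy in Audit only first and reviewing the 8021 and 8024 events shows which apps Enforce rules would stop, before any user is affected.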

Lesson 4

Troubleshooting Internet Explorer


You can use Internet Explorer 11 to access both intranet and Internet websites. It is becoming widely used
as a common interface to web-based applications. Consequently, it is important that you understand how
to troubleshoot Internet Explorer settings to ensure that these websites and applications are accessible to
your users.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the Compatibility View.

Describe Internet Explorer security zones.

Describe what add-ons do for Internet Explorer.

Describe how to troubleshoot common Internet Explorer issues.

Configure Internet Explorer.

Compatibility View
Internet Explorer 11 provides an automatic Compatibility View. Whenever it detects a website that
uses older standards, Compatibility View implements an earlier Internet Explorer engine to display
web pages. This can help to improve compatibility with web applications designed for earlier Internet
Explorer versions.
If you cannot see the Compatibility View button in the Internet Explorer Address bar, this means that
Internet Explorer 11 has detected that the webpage has loaded correctly. You do not need to activate
Compatibility View.
The main features of Compatibility View are:

Internet websites display in Internet Explorer 11 Standards Mode by default. Use the Compatibility
View button to fix sites that render differently than expected.

Internet Explorer 11 remembers sites that have been set to Compatibility View so that the button only
needs to be pressed once for a site. After that, the site is always rendered in Compatibility View,
unless it is removed from the list.

Intranet websites display in Compatibility Mode by default. This means that internal websites created
for earlier Internet Explorer versions will work.

You can use Group Policy to set a list of websites to be rendered in Compatibility View.

Switching in and out of Compatibility View occurs without requiring that the user restart the Internet
Explorer browser.

The Compatibility View button only displays if it is not clearly stated how the website is to be rendered. In
other cases, such as viewing intranet sites or viewing sites with a <META> tag / HTTP header indicating
Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, or Internet Explorer 11 standards, the button is
hidden. When Compatibility View is activated, the page refreshes, depending on the computer's speed.

Configuring Compatibility View


Use the Tools menu to enable and configure Compatibility View. For example, you can configure
Compatibility View so that all Intranet sites display in Compatibility View (the default), or you can
configure it so that all websites (internal or external), are viewed in Compatibility View.

Internet Explorer Security Zones


Internet Explorer 11 includes security zones that allow you to control security settings for groups
of websites. Depending on the security zone in which a website is included, Internet Explorer enables
you to use different security settings. For example, some zones enable Protected Mode or do not allow
ActiveX controls.
The security zones in Internet Explorer 11 are:

Internet. This zone is the default zone for all websites. It has medium-high security settings, which
enables users to perform most tasks. However, users may receive prompts to accept some riskier
behaviors.

Intranet. This zone is only for websites that have a single label name. It has medium-low security
settings that allow most websites to run without any end-user prompts, because it assumes the sites
are trustworthy. Additionally, this zone does not use Protected Mode.

Trusted sites. This zone has no websites, by default. You must add sites manually to the Trusted
sites zone. This zone has medium security settings, which enables users to run most web-based
applications. It does not use Protected Mode. Typically, you use this zone for web-based applications
that are hosted externally.

Restricted sites. This zone has no websites, by default. You must add sites manually to the Restricted
sites zone. This zone has high security settings, and is suitable for browsing websites that you are
concerned may contain malware.
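
To see which zone a given address actually lands in, and which explicit site-to-zone assignments exist on a computer, the following added example (not part of the courseware) resolves URLs through the same zone manager that Internet Explorer uses and then lists the assignments stored in the registry. The two URLs are the lab host names used later in this module; run it as the affected user, because zone assignments can be per-user.

```powershell
# Added example: resolve URLs to Internet Explorer security zones and list
# explicit zone assignments. Requires Windows PowerShell (.NET Framework).

function Get-IEZone {
    # Returns the zone that the URL security zone manager assigns to each URL:
    # MyComputer, Intranet, Trusted, Internet or Untrusted (Restricted sites).
    param([Parameter(Mandatory)][string[]]$Url)
    foreach ($u in $Url) {
        $zone = [System.Security.Policy.Zone]::CreateFromUrl($u)
        [pscustomobject]@{ Url = $u; Zone = $zone.SecurityZone }
    }
}

function Get-IEZoneAssignment {
    # Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
    $inetSettings = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $polSettings  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Sites added by the user through Internet Options. Each key is a domain,
    # optionally with a host subkey; each value name is a protocol (http, https, *).
    $domains = "HKCU:\$inetSettings\ZoneMap\Domains"
    Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($protocol in $key.GetValueNames()) {
            [pscustomobject]@{
                Source   = 'User setting'
                Site     = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
                Protocol = $protocol
                Zone     = $key.GetValue($protocol)
            }
        }
    }

    # Sites assigned by Group Policy (Site to Zone Assignment List).
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = Get-Item -Path "$hive\$polSettings\ZoneMapKey" -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($site in $key.GetValueNames()) {
                [pscustomobject]@{
                    Source   = "$hive policy"
                    Site     = $site
                    Protocol = '(from site entry)'
                    Zone     = $key.GetValue($site)
                }
            }
        }
    }
}

# A single label name and the fully qualified name of the same server can
# resolve to different zones, and therefore get different security settings.
Get-IEZone -Url 'http://lon-dc1', 'http://lon-dc1.adatum.com' | Format-Table -AutoSize
Get-IEZoneAssignment | Format-Table -AutoSize
```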

Other Internet Explorer settings that may be a concern for web-based applications include:

InPrivate Browsing. InPrivate Browsing helps protect data and privacy by preventing browsing history,
temporary Internet files, form data, cookies, usernames, and passwords from being stored or retained
locally by the browser. This leaves virtually no evidence of browsing or search history because the
browsing session does not store session data.

From the enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than
using Delete Browsing History to maintain privacy, because there are no logs kept or tracks made
during browsing. InPrivate Browsing is a proactive feature, because it enables you to control what is
tracked in a browsing session. Some users may use InPrivate Browsing in an attempt to conceal their
tracks when browsing to prohibited or non-work websites. However, you have full manageability
control, and you can use Group Policy to configure how InPrivate Browsing is used in your
organization.


Pop-up Blocker. The purpose of the Pop-up Blocker in Internet Explorer is to prevent unsolicited
advertisements from displaying. However, some web-based applications use these pop-ups, so you
may need to allow them for websites that are hosting a web-based application.

Advanced settings. Individual web-based applications may require unusual security settings that you
can adjust only in Advanced settings. For example, an externally hosted website may require the use
of an older version of Secure Sockets Layer (SSL).

Internet Explorer Add-ons


You can extend the functionality of Internet Explorer by installing add-ons. One of the most important
uses of add-ons is displaying content on webpages that Internet Explorer does not understand natively.
For example, add-ons may help display non-HTML document formats or video within a webpage.
You can use the Manage Add-ons function in Internet Explorer to view the installed add-ons so that you
can disable them. If Internet Explorer is experiencing performance problems, you can disable add-ons
that you think may be responsible.

One of the most common causes of Internet Explorer performance issues is users installing toolbars.
Removing non-Microsoft toolbars often improves performance. However, some toolbars do not uninstall
properly. As a final option, you can reset Internet Explorer settings, which reverts Internet Explorer to its
default state.

To manage add-ons, from the Internet Explorer menu, click Tools, and then click Manage add-ons. In the
Manage Add-Ons dialog box, select the add-ons that you want to disable.

Troubleshooting Common Internet Explorer Issues


Most issues related to Internet Explorer and security are easy to resolve. A key part of the
troubleshooting process for accessing websites is identifying the following:

Which computers are affected? One computer or all computers?

Which users are affected? One user or all users?

Where are affected users located? Internal, external, or both?

Which versions of Internet Explorer are experiencing the problem?

Are both the desktop app and Windows Store app versions affected?


These questions help you isolate what is causing the problem: a firewall, server configuration, or Internet
Explorer configuration.

The following table lists some common ways that you can resolve problems related to accessing websites
and web-based applications.
Issue: Users are unable to access a website.
Resolution: Verify that there is proper network connectivity, and that a firewall or proxy is not
blocking the website.

Issue: Users are being prompted for credentials when accessing an internal website configured to use
Windows authentication.
Resolution: Verify that users are accessing the website by using a single label domain name. Also,
verify that users are accessing the website from an internal, domain-joined computer.

Issue: Users are unable to use a web-based application because Internet Explorer security or
Protected Mode is blocking required functionality.
Resolution: If the web-based application is from a trusted source, then add the website to Trusted
sites. This disables Protected Mode, and allows many web-based applications to function properly.

Issue: A web-based application is not retaining settings properly between screens or between
sessions.
Resolution: Ensure that privacy settings allow the web-based application to set cookies.

Issue: A web-based application is not opening new windows that are required for proper operation.
Resolution: Ensure that Pop-Up Blocker allows the necessary windows to open by adding the website to
the list of allowed sites.

Issue: Internet Explorer is running more slowly than usual, and may be displaying unusual information
on webpages.
Resolution: Disable any unauthorized add-ons that may be malware.

Issue: Users are unable to view embedded content in a website, such as audio or video.
Resolution: Install the necessary add-on for Internet Explorer that it requires to display the
content.

Issue: Internet Explorer is experiencing unusual problems authenticating to a website or accessing
website content.
Resolution: Clear the Internet Explorer browsing history, including temporary Internet files, cookies,
and passwords.

Issue: Internet Explorer is not displaying updated website content that you know has been updated.
Resolution: Clear the temporary Internet files, and then press the F5 key to refresh the page, or
press the Ctrl+F5 keys to force a refresh of a single website in the cache.

Issue: An older website is not displaying properly in Internet Explorer 11.
Resolution: Enable Compatibility View for the website. This may also be required for some web-based
applications.

Issue: When accessing a secure website with HTTPS, users receive the error "There is a problem with
the website's security certificate."
Resolution: If the website is trusted, users can click Continue to this website (not recommended).
This error occurs because the certificate installed on the server is not trusted. This may result from
expired certificates, users accessing websites by using the wrong Domain Name System (DNS) name, or by
using self-signed certificates. You can import a self-signed certificate on the client computer to
remove this error.

Issue: Malware is installed as an add-on and you cannot remove it.
Resolution: Reset Internet Explorer settings. This can resolve unexplained problems with Internet
Explorer. However, this also causes the loss of all customizations (such as Favorites), and changes to
other configuration settings. If malware continues to exist on the computer, Internet Explorer may be
infected again.

Note: There are two versions of Internet Explorer in Windows 8.1: the desktop version and
the Windows Store version. These versions behave differently, and in some cases, websites that
do not display correctly in one version of Internet Explorer 11 will work fine in the other. When
troubleshooting Internet Explorer 11 issues on Windows 8.1, consider verifying the problem exists
in both versions. This may help to identify the cause of the problem.

Demonstration: Configuring Internet Explorer


Note: This is a practice session.
In this practice session, you will:

Verify Compatibility View settings.

Delete browsing history.

Configure InPrivate Browsing.

View the Add-on management interface.

Download a file.


Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
lab, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL1.


Demonstration Steps
Verify Compatibility View settings
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. On the Start screen, click Desktop.
3. On the desktop, on the taskbar, click the Internet Explorer icon.
4. In Internet Explorer, right-click the star to the right of the home symbol, and then click Menu bar.
5. On the menu bar, click Tools, and then click Compatibility View settings.
6. View the available options, and then click Close.

Delete browsing history
1. In the Internet Explorer Address bar, type http://LON-DC1, and then press Enter.
2. Click the down arrow next to the Address bar to confirm that the address you typed in it is stored.
3. In Internet Explorer, on the Tools menu, click Internet options.
4. In the Internet Options dialog box, on the General tab, under Browsing history, click Delete.
5. In the Delete Browsing History dialog box, clear the Preserve Favorites website data check box,
   and then click Delete.
6. Click OK to close the Internet Options dialog box.
7. Click the down arrow next to the Address bar to confirm that there are no addresses stored in the
   Address bar.
Note: Bing may appear as a favorite in this list. Disregard it.

Configure InPrivate Browsing
1. In Internet Explorer, on the Tools menu, click InPrivate Browsing.
2. In the Internet Explorer Address bar, type http://LON-DC1, and then press Enter.
3. Confirm the address you entered is not stored by clicking on the down arrow next to the Address bar.
4. Close the InPrivate Browsing window.

View the Add-on management interface
1. In Internet Explorer, on the Tools menu, click Manage add-ons.
2. In the Manage Add-ons window, in the Add-on types pane, click Search Providers.
3. In the right pane, click Bing.
4. In the Add-on types pane, click Accelerators.
5. In the Add-on types pane, click Tracking Protection.
6. Click Close to close the Manage Add-ons window.

Download a file
1. In the Internet Explorer Address bar, type http://lon-dc1, and then press Enter.
2. Click Download current projects.
3. In the Internet Explorer dialog box, click Save.
4. In the banner, click View downloads.
5. In View Downloads - Windows Internet Explorer, click Open.
6. Verify that the file opens in Microsoft Excel.
7. Close Excel.
8. Close Internet Explorer, and then sign out of LON-CL1.

Completion steps

After you have completed the practice session, leave the virtual machines running for the next lab.


Lab B: Troubleshooting Windows Internet Explorer


Scenario
The help desk has passed an incident record to you for resolution. It relates to a user experiencing
problems with Intranet server access.

Objectives
After completing this lab, you will be able to:

Resolve an Internet Explorer problem.

Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. These should be running from the
preceding practice session. If they are not, before you begin the lab, you must complete the following
steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL1.

Exercise 1: Resolving a Windows Internet Explorer Issue


Scenario


A user is being prompted for credentials when they access an intranet site. When the user attempts to
access the corporate intranet by using http://lon-dc1.adatum.com, he is prompted for credentials. By
entering his credentials and his password, he is authenticated successfully. He can use this form of access
as a short-term workaround, but he does not want to be prompted. No one else is having the issue. After
he authenticates, everything is fine.
Incident Record
Incident Reference Number: 723407
Date of Call: October 25
Time of Call: 08:32
User: Josh Bailey (Research Department)
Status: OPEN

Incident Details
User is being prompted for security credentials when accessing the intranet site.

Additional Information
When the user attempts to access the corporate intranet by using http://LON-DC1.Adatum.com, he is
prompted for credentials.
I coached him through the process of entering his credentials as Adatum\Josh and his password. This
authenticates him successfully, and he can use this as a short-term workaround, but he does not want
to be prompted.
I asked him to check if other users in his department were having the same issue, and he told me that
they were not. He is the only user having this issue. After he authenticates, everything works fine.
When the issue is resolved, please configure the corporate intranet as his home page.
Plan of Action

Resolution

The main tasks for this exercise are as follows:


1. Read the help desk Incident Record for incident 723407.
2. Discuss recommendations.
3. Simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help desk Incident Record for incident 723407

Read the help desk incident record 723407 above.

Task 2: Discuss recommendations
1. Read the Additional Information section of the Incident Record.
2. Discuss your recommendations with other students.

Task 3: Simulate the problem
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod11\Scenario2.vbs script.
4. When the script has finished running, sign out.

Task 4: Attempt to resolve the problem
1. Attempt to resolve the problem by using your knowledge of Internet Explorer and security settings.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.

To repeat or exit the exercise, revert the virtual machine environment.

Results: After you have completed the exercise, you should have successfully resolved the Internet
Explorer authentication issue.

To prepare for the next practice session


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lesson 5

Implementing Client Hyper-V


Hyper-V virtualization technology has been providing virtualized environments on Windows Server
computers since Windows Server 2008. Windows 8.1 is the first Windows client version to include Client
Hyper-V. Client Hyper-V is a feature in Windows 8.1 that enables the same core virtualization technology
that Windows Server 2012 R2 offers. This lesson will introduce you to the Client Hyper-V functionality in
Windows 8.1, and to scenarios that may benefit from a virtual environment.

Lesson Objectives
After completing this lesson, you will be able to:

Describe Client Hyper-V.

Explain when to use Client Hyper-V.

Explain how to create virtual machines to support legacy desktop apps.

Explain how to troubleshoot Client Hyper-V issues.

Explain how to create virtual machines in Client Hyper-V.

Manage virtual machines in Client Hyper-V.

Overview of Client Hyper-V


Client Hyper-V is a feature that enables virtualization within the Windows 8.1 environment, whereas
Hyper-V is the primary platform for infrastructure virtualization. Hyper-V enables multiple, isolated
operating systems to run in individual virtual machines that share the same physical platform.
At its most basic level, Hyper-V in Windows operating systems provides the ability to share a
computer's physical hardware with one or more isolated operating systems that are running in
virtualized environments, otherwise known as virtual machines.

Virtual machines are configured to share physical resources from the host machine, and represent those
virtualized resources as usable components to the virtual machine's operating system. For example, one
computer with one network adapter may have five different virtual machines that are running in Hyper-V.
In each of those virtual machines, a virtualized network adapter is associated with the single physical
network adapter. This enables five virtual machines to have individual media access control (MAC)
addresses, be assigned individual IP addresses, and gain network access. Similar virtualization happens
with other hardware components, such as the processor, memory, and hard disks.

Client Hyper-V Functionality

Client Hyper-V uses the same virtualization engine as Hyper-V in Windows Server 2012 R2, and contains
the same core feature set. The primary scenario for Client Hyper-V is for developers and IT pros to create
new virtualized workloads, develop new Windows PowerShell automation, or even create new virtual
switch extensions. Client Hyper-V replaces the Virtual PC feature available previously in Windows 7, and
has some significant differences in functionality:

Compatibility with Hyper-V on Windows Server. Client Hyper-V supports the same standard
functionality as Hyper-V on Windows Server. You can import and export virtual machines and virtual
hard disks between Hyper-V and Client Hyper-V in most situations, without any requirement for
conversion or modification.

Support for 64-bit guest virtual machines. Client Hyper-V can provide both 32-bit and 64-bit
virtualized hardware environments for guest virtual machines. Virtual PC supports only 32-bit
virtualized hardware.

Note: Although Client Hyper-V can support 32-bit guest operating systems, you can
enable the Client Hyper-V feature only on 64-bit editions of Windows 8.1 Pro and Windows 8.1
Enterprise.

No application-level virtualization. In Windows 7, Windows XP Mode enables a user to run an
application in a virtualized Windows XP environment, while displaying it within the Windows 7
environment.

Note: The Client Hyper-V role on Windows 8.1 supports many of the features that are
available with Hyper-V on Windows Server 2012 R2, but does not support enterprise features
such as virtual machine migration. Client Hyper-V also does not support publishing applications
that are installed on the virtual machine guest to the host operating system's Start menu. This is a
feature that is present in the Windows XP Mode feature in Windows 7, and which uses Virtual PC.

Client Hyper-V and Hyper-V Feature Comparison


The following table lists the features that differ between Client Hyper-V and Hyper-V.
Feature                                             Client Hyper-V    Hyper-V
                                                    (Windows 8.1)     (Windows Server 2012 R2)
Hyper-V Replica                                                       Yes
Microsoft RemoteFX Graphics virtualization                            Yes
Single-root I/O virtualization (SR-IOV)                               Yes
Virtual Fibre Channel                                                 Yes
Virtual machine live migration                                        Yes
Sleep and hibernate for host and virtual machines   Yes
Virtual wireless network adapters                   Yes
Live storage move                                   Yes               Yes
Network virtualization                                                Yes
Up to 64 terabytes (TB) per virtual disk            Yes               Yes
Up to 1 TB of memory per virtual machine            Yes               Yes
Windows PowerShell automation                       Yes               Yes
32 virtual processors per virtual machine           Yes               Yes

Hyper-V Management Tools

The primary tool for management within the Client Hyper-V environment is Hyper-V Manager. Hyper-V
Manager is a console that is based on the Microsoft Management Console (MMC). It provides complete
access to Client Hyper-V functionality in Windows 8.1. Hyper-V in Windows Server 2012 R2 also uses
Hyper-V Manager, so any experience in either Windows operating system will correspond directly to the
other.

The other graphical tool that installs with Client Hyper-V is the Virtual Machine Connection tool. You can
use Virtual Machine Connection to connect to a virtual machine by using an interface that is similar to
Remote Desktop Connection. Virtual Machine Connection does not require you to use a Hyper-V console
to connect to a virtual machine. You can use the Hyper-V Virtual Machine Connection to connect to local
virtual machines and virtual machines hosted on other computers that are running Hyper-V virtual
machines.
Note: Both Hyper-V Manager and the Virtual Machine Connection tool become available if
you select the Hyper-V GUI Management Tools option when activating the Hyper-V feature in
Windows 8.1.

The Hyper-V module for Windows PowerShell enables you to manage Client Hyper-V by using Windows
PowerShell cmdlets. The Hyper-V module can be useful for scripting Client Hyper-V management, or for
managing remote Client Hyper-V installations, especially when you are managing nondomain clients.
Note: You can view the entire list of Windows PowerShell cmdlets that relate to Hyper-V by
running the following cmdlet from a Windows PowerShell command-line interface:
Get-Command -Module Hyper-V

Client Hyper-V Requirements


To implement Client Hyper-V in Windows 8.1, your computer must meet the following requirements:

Memory. You must have at least 4 gigabytes (GB) of physical memory in your computer to support
Client Hyper-V.

The memory in your computer is dynamically allocated and unallocated as required by the virtual
machines. You can run several virtual machines on your Windows 8.1 host, if it meets this minimum
memory requirement. Depending on the specific requirements of your virtual machines, you might
need to install more physical memory.

Storage. Client Hyper-V supports the same storage migration capability that is included in Hyper-V
in Windows Server 2012 or Windows Server 2012 R2. This means that you can store your virtual
machines independently of the underlying storage. Additionally, you can move storage for your
virtual machines between local drives, to a USB drive, or to a remote file share without needing to
stop the virtual machine.


Processor. Your computer must have an x64 processor that supports hardware-assisted virtualization
and Data Execution Prevention.
Additionally, Client Hyper-V requires a 64-bit processor architecture that supports second-level
address translation. Second-level address translation reduces the overhead incurred during the
virtual-to-physical address mapping process performed for virtual machines.
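
The requirements above can be checked from Windows PowerShell before you try to enable the feature. The following is an added example, not part of the courseware; the function name Test-ClientHyperVReadiness is hypothetical, and the check uses standard CIM classes plus Get-WindowsOptionalFeature, which needs an elevated session.

```powershell
# Added example: check the Client Hyper-V requirements listed above.
function Test-ClientHyperVReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Sum the installed memory modules. Win32_ComputerSystem.TotalPhysicalMemory
    # excludes hardware-reserved memory and reads slightly under 4 GB on a
    # computer that has exactly 4 GB installed.
    $ramBytes = (Get-CimInstance -ClassName Win32_PhysicalMemory |
        Measure-Object -Property Capacity -Sum).Sum

    $checks = [ordered]@{
        '64-bit edition of Windows'        = [Environment]::Is64BitOperatingSystem
        'Pro or Enterprise edition'        = $os.Caption -match 'Pro|Enterprise'
        'At least 4 GB of physical memory' = $ramBytes -ge 4GB
        'Data Execution Prevention'        = [bool]$os.DataExecutionPrevention_Available
    }

    if ($cs.HypervisorPresent) {
        # The processor properties below are not reliable while a hypervisor is
        # already running (Hyper-V is enabled, or this is itself a virtual
        # machine), so they are skipped rather than reported as failures.
        Write-Warning 'A hypervisor is already running; processor checks were skipped.'
    } else {
        $checks['Hardware-assisted virtualization'] = [bool]$cpu.VMMonitorModeExtensions
        $checks['Virtualization enabled in firmware'] = [bool]$cpu.VirtualizationFirmwareEnabled
        $checks['Second-level address translation'] = [bool]$cpu.SecondLevelAddressTranslationExtensions
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Requirement = $name; Met = $checks[$name] }
    }
}

Test-ClientHyperVReadiness | Format-Table -AutoSize

# Current state of the Hyper-V feature and its management tools (elevated session).
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'Microsoft-Hyper-V*' |
    Select-Object FeatureName, State
```

A False for "Virtualization enabled in firmware" on a processor that supports the other two processor checks usually means the setting is turned off in the computer's BIOS or UEFI configuration.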

Scenarios for Implementing Client Hyper-V


Client Hyper-V and Hyper-V in Windows Server
2012 share the same underlying platform. This
enables your organization to utilize the Client
Hyper-V features in many different ways,
including the following:

Test lab. Using Client Hyper-V, you can build a test lab infrastructure that is hosted entirely on your
laptop or desktop computer. After you create and test the virtual machines on your laptop, you can
export them into production.

Application testing. You can create a Client Hyper-V virtual machine and use it as a preproduction
environment for application testing. You
might be preparing to migrate your Windows client infrastructure to Windows 8.1, and require
testing of all LOB applications. You can employ a virtual machine that is running Windows 8.1 to test
the application, and then revert the virtual machine back to its default state, by using checkpoints of
the virtual machine to test more applications.
You can create several virtual machines, each with a different installed version of a Windows
operating system, to test a new application. For example, you could install Windows 8.1 on the first
virtual machine, install Windows 7 on the second, and install Windows XP on a third. You then could
configure each virtual machine with your testing specifications, and revert the machines after testing
is complete, so that the machines are ready for the next testing task immediately.

Move virtual machines from Hyper-V. If you encounter problems with a virtual machine in your
production Hyper-V environment on Windows Server 2012, you can copy that virtual machine from
your production environment, import it into Client Hyper-V, perform the required troubleshooting,
and then copy it back into the production environment.

Automatic save and resume. With Client Hyper-V, you can use Hyper-V virtualization, wireless
network adapters, and sleep states on your desktop computer. For example, if you run Client Hyper-V
on a laptop, and then close the lid, the virtual machines that are running go into a saved state, and
resume when the machine wakes.

Use a variety of management tools. Virtual machine tools that are created for Hyper-V in Windows
Server operating systems, such as System Center 2012 Virtual Machine Manager (VMM), Physical-to-Virtual
(P2V), and the Windows Sysinternals Disk2VHD tool, also work in Client Hyper-V.

Create a multi-machine test environment. Using virtual-machine networking, you can create a
multiple-machine environment for test, development, and demonstration that is secure and that does
not affect the production network.

You can mount and boot virtual hard disks from a USB storage drive. You can use these virtual hard
disks as a virtual machine by using Client Hyper-V when you use a computer that runs Windows 8.1
Pro or Windows 8.1 Enterprise.

Use preconfigured virtual hard disks to test new Microsoft software. Microsoft.com hosts a large
number of ready-to-use .vhd files that you can import into Hyper-V or Client Hyper-V. After you
import a file, the virtual hard disks provide a functional test version of the specific product for
evaluation. With these virtual hard disk files, there is no need to upgrade or configure operating
systems, or download and install applications; the file is ready to use the first time that you start up
your virtual machine.

Creating Virtual Machines to Support Legacy Desktop Apps


On a client computer, one of the most common
reasons to implement a virtualization strategy is to
support legacy apps, which are apps that do not
run correctly, or at all, in Windows 8.1. If you have
a legacy app that has functionality issues with
Windows 8.1, and if you have exhausted other
application compatibility mitigations such as
using ACT to create a fix, then you can consider
enabling Client Hyper-V and building a virtual
machine to support your legacy app.
To create a suitable virtual machine platform:
1. Determine the appropriate operating system to support the application.
2. Determine suitable hardware configuration: memory, processor, and disk storage.
3. Determine the app's requirements for network connectivity.
4. Locate the operating system and app software.
5. Build the virtual machine to support these requirements.
6. Deploy the virtual machine to the appropriate users.

Users can now run their legacy app without having to maintain separate legacy hardware or older
operating systems.

Troubleshooting Client Hyper-V Issues


If you experience problems running virtual
machines with Client Hyper-V, consider the
following troubleshooting points.

The hypervisor does not run. The host may not meet the appropriate hardware
requirements. Ensure that the computer
meets the processor, memory, and storage
requirements for Client Hyper-V. Also verify
that appropriate features, such as hardware
virtualization support, are enabled in the
BIOS. A common problem is lack of support
for second-level address translation.


Note: You can use the Systeminfo.exe command-line tool to determine many of these
factors. For example, if a suitable hypervisor is detected, this is reported.

If you fix your startup environment, perhaps by using the Startup Repair tool, it is possible that a
required setting in your Boot Configuration Data (BCD) store will be reset, with the result that the
hypervisor will not run. You can check for the presence of the appropriate setting by using the
following procedure:
a. Open an elevated command prompt.
b. Run bcdedit /enum.
c. If an entry for hypervisorlaunchtype = Auto is present, you need to do nothing further.
d. If this setting is missing, you must run bcdedit /set hypervisorlaunchtype auto and then restart
your computer.

A network installation of a virtual machine fails. The virtual machine may be using a network adapter
instead of a legacy network adapter. Alternatively, you did not connect the legacy network adapter to
the correct external network. Verify the network settings for the virtual machine.

Inability to move mouse cursor from the virtual machine window. Integration services are not
installed. As a temporary fix, press the Ctrl+Alt+Left Arrow keys. As a longer term solution, install the
integration services.
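
The checks listed under "The hypervisor does not run" (hardware requirements and the hypervisorlaunchtype
setting in the BCD store) can be collected in one pass. The following script is an added example, not part
of the original course material; the function names are illustrative, it reads only the BCD entry of the
running operating system, and it treats any value other than Auto as needing correction.

```powershell
# Added example (not from the course material): report why the Client Hyper-V
# hypervisor might not be running. Function names are illustrative.
# Run from an elevated Windows PowerShell prompt on the Windows 8.1 host.

function Get-HypervisorLaunchType {
    # Returns the hypervisorlaunchtype value (for example 'Auto' or 'Off') from the
    # BCD entry of the running operating system, or $null if the element is absent.
    param([string[]]$BcdOutput = (& bcdedit.exe /enum '{current}'))

    foreach ($line in $BcdOutput) {
        if ($line -match '^\s*hypervisorlaunchtype\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Test-ClientHyperVHost {
    # bcdedit cannot read the BCD store without elevation, so fail early.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this function from an elevated Windows PowerShell prompt.'
    }

    $findings = New-Object System.Collections.Generic.List[string]
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $ram = (Get-CimInstance -ClassName Win32_PhysicalMemory |
            Measure-Object -Property Capacity -Sum).Sum

    if (-not [Environment]::Is64BitOperatingSystem) {
        $findings.Add('Operating system is not 64-bit; Client Hyper-V needs an x64 platform.')
    }
    if ($ram -lt 4GB) {
        $findings.Add(('Installed memory is {0:N1} GB; at least 4 GB is required.' -f ($ram / 1GB)))
    }
    if (-not $os.DataExecutionPrevention_Available) {
        $findings.Add('Data Execution Prevention is not available; check the firmware setting.')
    }

    if (-not $cs.HypervisorPresent) {
        # The CPU feature flags are evaluated only when no hypervisor is running;
        # Systeminfo.exe likewise stops listing the Hyper-V requirements once one is detected.
        if (-not $cpu.VMMonitorModeExtensions) {
            $findings.Add('Processor does not report hardware-assisted virtualization.')
        }
        if (-not $cpu.VirtualizationFirmwareEnabled) {
            $findings.Add('Hardware virtualization is not enabled in the BIOS or firmware.')
        }
        if (-not $cpu.SecondLevelAddressTranslationExtensions) {
            $findings.Add('Processor does not report second-level address translation.')
        }
    }

    $launchType = Get-HypervisorLaunchType
    if ($launchType -ne 'Auto') {
        $findings.Add('hypervisorlaunchtype is not Auto. Run: bcdedit /set hypervisorlaunchtype auto, then restart.')
    }

    [pscustomobject]@{
        HypervisorPresent    = $cs.HypervisorPresent
        InstalledMemoryGB    = [math]::Round($ram / 1GB, 1)
        HypervisorLaunchType = $launchType
        Findings             = $findings.ToArray()
    }
}

Test-ClientHyperVHost | Format-List
```

The script only reports; it leaves the bcdedit /set change and the restart to the administrator.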

Creating Virtual Machines in Client Hyper-V


A virtual machine represents a physical computer
in a virtualization environment. Virtual computers
have components that are similar to physical
computers. However, virtual computers can use
only components that are part of a Client Hyper-V
virtualization infrastructure. Client Hyper-V can
present devices to a virtual machine in the
following two ways:

Emulated devices. Client Hyper-V presents an emulated device to a virtual machine as if it is
actual hardware. Emulated devices present
standard and well-known functionalities that
are universal to all devices of that type. This means that almost any operating system supports them.
Emulated devices are available when a virtual machine starts, and a virtual machine can start from
them. These emulated devices include integrated device electronics (IDE) controllers or legacy
network adapters.

Hyper-V specific devices. Client Hyper-V does not present synthetic components to the virtual
machine as actual hardware. It presents them to the operating system on the virtual machine as
a functionality that the device driver can use. Newer operating systems, such as Windows 8 and
Windows 8.1, support such functionality by default when running in virtual machines. For other
operating systems, you need to install integration services to support them. Synthetic devices are
not available during startup, and you cannot start a virtual computer from them.

Creating a virtual machine in Hyper-V Manager is a wizard-based process that prompts you for necessary
information to create the virtual machine. When creating a virtual machine, you must specify several
virtual machine settings at the time of creation:


Virtual machine name. The name that you specify identifies the virtual machine in Hyper-V Manager,
and also is used in the naming of various virtual machine-related files.

Virtual machine location. By default, a virtual machine is created and located on a computer's system
drive. If your computer has multiple physical hard disks, you typically can increase the performance of
your virtual machine by placing it on a disk that is separate from the system disk. For computers with
solid-state drives (SSDs), this is not as effective.

Virtual machine generation. Before Client Hyper-V in Windows 8.1, Hyper-V only supported what
today is known as Generation 1 virtual machines. You now can create Generation 2 virtual machines,
which include support for secure boot, and which can be started either from a small computer system
interface (SCSI) virtual disk or by using a network adapter. If you want to use a Generation 2 virtual
machine, you must install at least Windows Server 2012 or a 64-bit version of Windows 8 or newer to
the virtual machine. After the virtual machine is created, you cannot change its generation.

Memory. The amount of memory that you specify will be assigned to a virtual machine from the
available physical memory on your Windows 8.1 computer. You also can configure a virtual machine
to use Dynamic Memory.

Network connection. Your virtual machine can have one or more virtual network adapters. By default,
a new virtual machine is created with a single network adapter that can be connected to a virtual
switch. You can create a virtual switch that will connect virtual machines to an external network
through a physical network adapter, or you can create a self-contained virtual switch to provide an
isolated network environment. Alternatively, you might choose not to connect a virtual machine to
any virtual switch.

Virtual hard-disk location. By default, a single virtual hard disk is created in the same directory that is
specified for the virtual machine location. You also might choose to use a preexisting virtual hard disk
that has been created. For example, many Microsoft products are available for trial purposes in
preconfigured .vhd files.

Operating system installation media. Unless you are attaching a virtual hard disk that already has
an installed operating system, you will need to install an operating system on your virtual machine.
You can specify an .iso image CD/DVD file to use as installation media, or you can attach a physical
CD/DVD drive from the host machine to the virtual machine, and then install the operating system
from that media.

Creating a Virtual Machine in Hyper-V Manager


To create a virtual machine, perform the following procedure:
1. Open Hyper-V Manager from the Start screen by typing Hyper-V Manager, and then press Enter.
2. In Hyper-V Manager, in the Actions pane, click New, and then click Virtual Machine.
3. The New Virtual Machine Wizard appears. Click Next.
4. On the Specify Name and Location page, in the Name field, type the name of your virtual machine.
Select where you want to store the virtual machine and its associated virtual hard disks, and then click
Next.
5. On the Specify Generation page, select whether you want to create a Generation 1 or Generation 2
virtual machine, and then click Next.
6. On the Assign Memory page, in the Memory field, specify the amount of memory to assign the
virtual machine, select whether you want to use Dynamic Memory, and then click Next.
7. On the Configure Networking page, in the Connection list, select the appropriate network switch,
and then click Next.
8. On the Connect Virtual Hard Disk page, create a new virtual hard disk or use an existing virtual hard
disk file that you have created already, and then click Next.
9. On the Installation Options page, select from where you want to install an operating system on the
virtual machine, and then click Next.
10. On the Completing the New Virtual Machine Wizard page, click Finish.

Creating a Virtual Machine in Windows PowerShell

If you want to create a new virtual machine by using Windows PowerShell, you can run the New-VM
cmdlet. You should be aware that the New-VM cmdlet has a limited set of options, but you can modify
and customize a virtual machine after you create it. You can create a new virtual machine by performing
the following procedure:
1. On the Windows 8.1 computer, on the Start screen, type powershell, right-click Windows
PowerShell, and then click Run as administrator. Click Yes in the User Account Control dialog box.
2. In the Administrator: Windows PowerShell window, run the following cmdlet to create a Generation
1 virtual machine named Windows 8.1 with 4 GB of memory, with its files stored in the C:\VMs folder,
with a 100 GB virtual hard disk named Disk1.vhdx, and connected to a virtual switch named Private:
New-VM -Name "Windows 8.1" -Generation 1 -MemoryStartupBytes 4GB -Path C:\VMs -NewVHDPath "C:\VMs\Windows 8.1\Disk1.vhdx" -NewVHDSizeBytes 100GB -SwitchName Private
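
Because New-VM exposes only a limited set of options, a virtual machine is usually finished with further
cmdlets from the Hyper-V module. The following script is an added example, not part of the original course
material: it creates the virtual machine from the procedure above, applies settings afterward, confirms that
no adapter is attached to an External switch, and takes a checkpoint. The memory limits, processor count,
stop action, checkpoint name, and the Get-VMExternalExposure function are assumptions chosen for illustration.

```powershell
# Added example (not from the course material). Values marked "assumed" are
# illustrative choices. Run elevated on a host with Client Hyper-V enabled.
Import-Module Hyper-V

$vmName     = 'Windows 8.1'          # names and sizes below come from the procedure above
$vmRoot     = 'C:\VMs'
$switchName = 'Private'
$vhdPath    = Join-Path $vmRoot "$vmName\Disk1.vhdx"

# The VM is connected to this switch at creation, so create it on first use.
# A Private switch carries traffic between virtual machines only.
if (-not (Get-VMSwitch -Name $switchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name $switchName -SwitchType Private | Out-Null
}

if (Get-VM -Name $vmName -ErrorAction SilentlyContinue) {
    throw "A virtual machine named '$vmName' already exists."
}

New-VM -Name $vmName -Generation 1 -MemoryStartupBytes 4GB -Path $vmRoot `
       -NewVHDPath $vhdPath -NewVHDSizeBytes 100GB -SwitchName $switchName | Out-Null

# Settings that New-VM does not expose are applied after creation.
Set-VMMemory    -VMName $vmName -DynamicMemoryEnabled $true `
                -MinimumBytes 1GB -StartupBytes 4GB -MaximumBytes 4GB      # assumed limits
Set-VMProcessor -VMName $vmName -Count 2                                    # assumed count
Set-VM          -Name $vmName -AutomaticStartAction Nothing `
                -AutomaticStopAction Save                                   # assumed actions

function Get-VMExternalExposure {
    # Returns one object per network adapter of the VM that is attached to an
    # External switch, that is, a switch bound to a physical network adapter.
    param([Parameter(Mandatory)][string]$VMName)

    foreach ($nic in Get-VMNetworkAdapter -VMName $VMName) {
        if (-not $nic.SwitchName) { continue }        # adapter is not connected
        foreach ($sw in Get-VMSwitch -Name $nic.SwitchName) {
            if ($sw.SwitchType -eq 'External') {
                [pscustomobject]@{
                    VMName     = $VMName
                    Adapter    = $nic.Name
                    SwitchName = $sw.Name
                    SwitchType = $sw.SwitchType
                }
            }
        }
    }
}

# A test or legacy guest should stay off the production network.
$exposed = @(Get-VMExternalExposure -VMName $vmName)
if ($exposed.Count -gt 0) {
    $exposed | Format-Table -AutoSize
    Write-Warning "'$vmName' is attached to an External switch."
}

# Checkpoint the clean configuration so the VM can be reverted after each test.
Checkpoint-VM -Name $vmName -SnapshotName 'Clean baseline'                  # assumed name
```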

Demonstration: Managing Virtual Machines in Client Hyper-V


Note: This is a practice session.
In this practice session, you will test Client Hyper-V by creating and configuring a virtual machine.

You do not require any virtual machines for this practice session. You must, however, configure your host
to boot from a virtual hard disk. As an alternative, if you have a laptop that is running Windows 8.1 and
that supports the Client Hyper-V feature, you can perform the demonstration on that machine.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On your host computer, click Start, and then click Restart.
2. In the Choose an operating system window, click 20688D-LON-CL5.

At this point, Windows 8.1 starts from the .vhd file, and a brief system configuration will take place.
When startup completes, the Windows 8.1 Start screen displays.

Demonstration Steps
1. On LON-CL5, sign in as Admin, with the password Pa$$w0rd.
2. On LON-CL5, on the Start screen, type Control, click Control Panel, and then click Programs.
3. Click Programs and Features, and then in the Programs and Features window, click Turn Windows
Features on or off.
4. In the Windows Features window, select the Hyper-V check box, and then click OK.
5. In the Windows completed the requested changes window, click Restart Now.
6. When prompted during startup, click 20688D-LON-CL5.
7. On LON-CL5, sign in as Admin with the password Pa$$w0rd.
8. On LON-CL5, on the Start Screen, type Hyper-V, and then click Hyper-V Manager.
9. In Hyper-V Manager, right-click LON-CL5, and then click Virtual Switch Manager.

10. In the Virtual Switch Manager window, in the Create virtual switch section, click Private, and then
click Create Virtual Switch.
11. In the Virtual Switch Properties section, in the Name field, type Private Network, and then
click OK.
12. In Hyper-V Manager, right-click LON-CL5, point to New, and then click Virtual Machine.
13. In the New Virtual Machine Wizard, click Next.

14. On the Specify Name and Location page, in the Name field, type Windows 8.1 Test, and then click
Next.
15. On the Specify Generation page, make sure Generation 1 is selected, and then click Next.
16. On the Assign Memory page, in the Startup memory field, type 1024, and then click Next.

17. On the Configure Networking page, in the Connection drop-down list box, click Private Network,
and then click Next.
18. On the Connect Virtual Hard Disk page, click Next.
19. On the Installation Options page, click Next.
20. On the Completing the New Virtual Machine Wizard page, click Finish.
21. In the Hyper-V Manager window, click LON-CL5.
22. In the Virtual Machines section, right-click Windows 8.1 Test, and then click Checkpoint. After a
few seconds, confirm that a new checkpoint displays in the Checkpoints section for Windows 8.1
Test.
23. Close Hyper-V Manager.

Completion steps
After you have completed the practice session, restart your computer:
1. On your host computer, click Start, and then click Restart.
2. In the Choose an operating system window, click Windows Server 2012 R2.


Module Review and Takeaways


Review Questions
Question: Which Windows service must be running on the client computer in order to
enforce AppLocker Rules?
Question: What does Internet Explorer 11 display when the browser detects a website that
does not adhere to HTML5 or CSS3 standards?
Question: When would you deploy Client Hyper-V to a Windows client computer in a
corporate environment?


Module 12
Maintaining Windows 8.1
Contents:
Module Overview
Lesson 1: Managing Windows Activation
Lesson 2: Monitoring and Configuring Performance Options in Windows 8.1
Lab: Maintaining Windows 8.1
Lesson 3: Protecting Windows 8.1 from Malware and Viruses
Lesson 4: Applying Application and Windows Updates
Module Review and Takeaways

Module Overview

Maintaining your computers running the Windows 8.1 operating system is important to ensure their
continued reliability and performance. Once you have activated Windows on your computers, you must
establish procedures to monitor their performance, protect them from malicious software, sometimes
called malware, and ensure that they remain up-to-date with the latest operating system updates and
security fixes. This module discusses how to provide for the ongoing maintenance of Windows 8.1
operating systems.

Objectives
After completing this module, you will be able to:

Manage Windows volume activation.

Monitor and configure performance options in Windows 8.1.

Protect Windows 8.1 from malicious software and viruses.

Update Windows 8.1.

Lesson 1

Managing Windows Activation


The Windows 8.1 operating system requires product activation. You must validate each Windows 8.1
license through an online activation service provided by Microsoft, by phone, through Key Management
Service (KMS), or through Active Directory Domain Services (AD DS). Activation helps provide protection
from software piracy, and it helps you to manage operating system and application instances within your
organization.

Lesson Objectives
After completing this lesson, you will be able to:

Describe activation.

Describe methods for volume activation with Windows 8.1.

Describe considerations for volume activation.

Explain how to troubleshoot volume activation.

What Is Activation?
All editions of Windows 8.1 require activation. Activation confirms the status of a Windows product and
ensures that the product key has not been compromised. The activation process links the software's
product key to a particular installation of that software on a device. If the device hardware changes
considerably, you must activate the software again.

Unlike Windows 7, Windows 8.1 does not have a grace period. You must activate Windows 8.1
immediately upon installation. Failure to activate a Windows operating system prevents users from
completing customization. In earlier versions of the Windows operating system, activation and validation
occurred separately via the Windows Genuine Advantage program. This caused confusion for users who
thought the terms were interchangeable. In Windows 8.1, activation and validation occur simultaneously.
If you want to evaluate Windows 8.1, Microsoft provides a separate evaluation edition that is available as
an .iso image file to Microsoft partners, and to Microsoft Developer Network (MSDN) subscribers.
Windows 8.1 has three main methods for activation:

Retail. Any Windows 8.1 product purchased at a retail store comes with one unique product key that
you type in during product installation. You use the product key to complete activation after
installing the Windows 8.1 operating system.

OEM. OEM system builders typically sell computer systems that include a customized build of
Windows 8.1. You can perform OEM activation by associating the Windows operating system to the
computer system BIOS.

Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software
licensing programs that are tailored to the size and purchasing methods of your organization.
Volume customers set up volume licensing agreements with Microsoft. These agreements include
Windows upgrade benefits and other benefits related to value-added software and services.


Microsoft Volume Licensing customers use Volume Activation Services to assist in activation tasks,
which consist of Active Directory-based activation, KMS, and multiple activation key (MAK) models.
You can view the Windows 8.1 activation status on the System properties page, or by running the
following command at a command prompt:
cscript C:\windows\system32\slmgr.vbs -dli

Methods for Windows 8.1 Volume Activation


Volume activation provides a simple, security-enhanced activation experience for enterprise
organizations, while addressing issues associated with generic volume license keys (VLKs). Volume
activation enables administrators to manage and protect product keys centrally. It also provides
several flexible deployment options that activate enterprise computers, regardless of the
organization's size.

Volume Activation Keys

Volume Activation Services is a server role in Windows Server 2012 and Windows Server 2012
R2. This role service enables you to activate Windows 7, Windows Server 2008, and newer Windows Server
and Windows client operating systems automatically, without having to contact Microsoft product
activation servers.
Enterprise environments use three main types of volume activation models: KMS, Active Directory-based
activation, and MAK activation. With Volume Activation Services, you can configure KMS and enable
Active Directory-based activation. You can use any or all of the options associated with these three
models, depending on your organization's needs and network infrastructure:

KMS. With KMS, organizations can perform local activation for computers in a management
environment without connecting to Microsoft individually. By default, the Enterprise editions of
Windows 8.1 and Windows Server 2012 R2 connect to a system that hosts the KMS service, which in
turn requests activation. KMS usage is targeted for managed environments where more than 25 client
computers, or more than five servers use KMS activation.

Active Directory-based activation. This is a role service that allows you to use AD DS to store
activation objects. This can greatly simplify the task of maintaining volume activation services for a
network. You can use Active Directory-based activation to activate only computers that are joined to
AD DS, and activation requests are processed during client computer startup. Any computer running
Windows 8, Windows Server 2012, or a newer Windows operating system with a generic VLK that
joins to the domain will activate automatically and without user interaction. Computers will stay
activated for as long as they remain members of the domain and maintain periodic contact with a
domain controller. Activation takes place after the licensing service starts.

MAK activation. MAK activation uses product keys that can activate only a specific number of
computers. If the use of volume licensing media is not controlled, excessive activations can result
in the depletion of the activation pool, and no further computers can be activated. You do not use
MAKs to install the Windows 8.1 operating system, but rather to activate it after installation. You can
use MAKs to activate any Windows 8.1 edition. MAK activation is not time-limited.

Note: You can use the Volume Activation Management Tool (VAMT) to automate and
centrally manage the volume and retail-activation process for Windows operating systems,
Microsoft Office software, and certain other Microsoft products. VAMT manages volume
activation by using MAK or KMS. VAMT is a standard Microsoft Management Console (MMC)
snap-in, and it is available as part of Windows Assessment and Deployment Toolkit (Windows
ADK).

Volume Activation Considerations


Whether you plan to implement KMS, Active
Directory-based activation, or MAK activation,
you must consider a few aspects, limitations, and
requirements. The following factors are applicable
for each of the three volume activation methods.

Active Directory-Based Activation Considerations
When working with Active Directory-based
activation, consider the following:

You do not need an additional host server with Active Directory-based activation. Your
existing domain controllers can support activation clients with the following limitations:


You cannot configure Active Directory-based activation on read-only domain controllers.

You cannot use Active Directory-based activation with non-Microsoft directory services.

The AD DS schema must be at the Windows Server 2012 or higher level to store activation
objects.

Domain controllers that run older versions of Windows Server can activate clients after the AD DS
schema has been extended to Windows Server 2012 or higher level.

Active Directory-based activation is forest-wide, and you only need to implement it once, even if the
forest contains multiple domains.

There are no threshold limits that must be met before computers can be activated by using
Active Directory-based activation.

KMS Activation Considerations


If you decide to implement KMS activation, consider the following:

Client computers that are not activated attempt to connect with the KMS host every two hours.

To stay activated, client computers must renew their activation by connecting to the KMS host at least
once every 180 days.

After activation, client computers attempt to renew their activation every seven days. After each
successful connection, the expiration extends to the full 180 days.

Client computers connect to the KMS host for activation by using anonymous remote procedure
calls (RPCs) over TCP/IP and by using default port 1688. You can configure this port information.
The connection is anonymous, enabling workgroup computers to communicate with the KMS host.
You might need to configure the firewall and the router network to pass communications for the
Transmission Control Protocol (TCP) port that will be used.


MAK Activation Considerations


When choosing MAK activation, consider the following:

MAK activation is recommended for computers that rarely or never connect to the corporate network
and for environments where the number of physical computers that need activation does not meet
the KMS activation threshold.

You can use MAK to activate computers in one of two ways:

MAK Independent. MAK Independent activation requires that each computer connect
independently and activate with Microsoft over the Internet or by telephone. This method is best
suited for computers within an organization that do not have a connection to the corporate
network.

MAK Proxy. MAK Proxy activation enables a centralized activation request on behalf of multiple
computers with one connection to Microsoft. This method is suitable for environments where
security concerns restrict direct access to the Internet or to the corporate network.

Troubleshooting Volume Activation


Volume activation problems may be associated with MAK activation, KMS activation, or Active
Directory-based activation. Depending on which volume activation model you use, the steps you
take to troubleshoot a problem will vary.

Active Directory-Based Activation Troubleshooting
Use the following list to troubleshoot common issues with Active Directory-based activation:

Verify the activation status. You can verify activation status by looking for the Windows
is activated message in the System properties. You also can run the slmgr.vbs -dli command.

Ensure that computers can communicate with domain controllers. This includes network connectivity
and DNS name resolution.

Ensure that there is at least one activation object in AD DS, in the Configuration partition. If there are
two activation objects (one for client and one for server operating systems), you can safely delete
the client object because the server object will activate both clients and servers.

Active Directory-based activation is available only for domain-joined computers. If you remove a
computer from the domain, activation will fail on the next activation attempt.

KMS Activation Troubleshooting


Use the following list to troubleshoot common issues with KMS activation:

Verify the activation status. You can verify activation status by looking for the Windows is activated
message in the System properties. You also can run the slmgr.vbs -dli command.

Ensure that the KMS service (SRV) resource record is present in Domain Name System (DNS), and that
DNS does not restrict dynamic updates. If DNS restrictions are intentional, you will have to provide
the KMS host Write permission to the DNS database, or you will have to create the SRV records
manually.

Note: You can use the Nslookup.exe command-line tool to query these records.
How to verify that SRV DNS records have been created for a domain controller
http://go.microsoft.com/fwlink/?LinkId=335916


Ensure that firewalls and routers do not block TCP port 1688.

If your computer will not activate, verify that the minimum number of clients required for activation
have contacted the KMS host. Until the KMS host has a count of 25, it will not activate Windows
clients, including Windows 8.1.

Display the client Windows Application Event log for event numbers 12288, 12289, and 12290 for
possible troubleshooting information.
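
The client-side checks in the KMS list above (SRV record, TCP port, event log, and license status) can be
run together. The following script is an added example, not part of the original course material. The
function name is illustrative, and _vlmcs._tcp is the standard name of the KMS SRV record, which this
page does not state.

```powershell
# Added example (not from the course material): client-side KMS troubleshooting checks.
# The function name is illustrative. Run on the client that fails to activate.

function Test-KmsActivationPath {
    param(
        # DNS domain to search for the KMS SRV record; defaults to the user's domain.
        [string]$DnsDomain = $env:USERDNSDOMAIN
    )
    if ([string]::IsNullOrEmpty($DnsDomain)) {
        throw 'Specify -DnsDomain: no DNS domain is available for this session.'
    }

    # 1. Is the KMS SRV resource record published in DNS?
    $srv = @(Resolve-DnsName -Name "_vlmcs._tcp.$DnsDomain" -Type SRV -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'SRV' })

    # 2. Can this client reach each advertised KMS host? The port comes from the
    #    SRV record, so a host moved off the default port 1688 is still tested correctly.
    $hosts = foreach ($record in $srv) {
        $probe = Test-NetConnection -ComputerName $record.NameTarget -Port $record.Port `
                                    -WarningAction SilentlyContinue
        [pscustomobject]@{
            KmsHost   = $record.NameTarget
            Port      = $record.Port
            Reachable = $probe.TcpTestSucceeded
        }
    }

    # 3. Recent activation events in the Application log. ProviderName is kept in the
    #    output so that unrelated sources using the same event IDs can be ruled out.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12288, 12289, 12290 } `
                           -MaxEvents 10 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, ProviderName, Message

    [pscustomobject]@{
        SrvRecordFound = ($srv.Count -gt 0)
        Hosts          = @($hosts)
        RecentEvents   = @($events)
    }
}

$result = Test-KmsActivationPath
"SRV record found: $($result.SrvRecordFound)"
$result.Hosts        | Format-Table -AutoSize
$result.RecentEvents | Format-List

# 4. Current license status, using the command shown earlier in this lesson.
& cscript.exe //nologo "$env:windir\system32\slmgr.vbs" -dli
```

A reachable host with no successful activation usually points back to the activation count on the KMS
host, which must be checked on the host itself.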

MAK Activation Troubleshooting


Use the following list to troubleshoot common issues with MAK activation:

Verify the activation status. You can verify activation status by looking for the Windows is activated
message in the System properties. You also can run the slmgr.vbs -dli command. Slmgr.vbs is the
Windows Software Licensing Management tool. You can use the following switches with slmgr.vbs:
Switch: /ipk [product key]
Meaning: Attempts to install a 5×5 product key. The product key provided by the parameter is
confirmed valid and applicable to the installed operating system. If not, an error is returned.
If the key is valid and applicable, the key is installed. If a key is already installed, it is
silently replaced.

Switch: /ato [activation ID]
Meaning: For retail editions and volume systems with a KMS host key or a MAK installed, /ato
prompts Windows to attempt online activation. For systems with a Generic Volume License Key
installed, this prompts an attempt at KMS activation. Systems that have been set to suspend
automatic KMS activation attempts (/stao) still attempt KMS activation when /ato is run.
The parameter [Activation ID] expands /ato support to identify a Windows edition installed on
the computer.

Switch: /dli [activation ID]
Meaning: Displays license information. By default, /dli displays the license information for
the installed active Windows operating system edition. Specifying the [Activation ID] parameter
displays the license information for the specified edition associated with that Activation ID.

Switch: /dlv [activation ID]
Meaning: Displays detailed license information. By default, /dlv displays the license
information for the installed operating system. Specifying the [Activation ID] parameter
displays the license information for the specified edition associated with that Activation ID.

Switch: /xpr [activation ID]
Meaning: Displays the activation expiration date for the product. By default, this refers to
the current Windows operating system edition and is primarily useful for KMS clients, because
MAK and retail activation is perpetual. Specifying the [Activation ID] parameter displays the
activation expiration date of the specified edition associated with that Activation ID.

Switch: /rearm
Meaning: This option resets the activation timers. The /rearm process is also called by
sysprep /generalize.

You can locate further information about additional command-line switches for use with slmgr.vbs at
the following website.
Slmgr.vbs Options for Volume Activation
http://go.microsoft.com/fwlink/?LinkId=393028

If your computer will not activate over the Internet, ensure that an Internet connection is available
and that the computer is configured with the correct TCP/IP settings. You also might need to set a
proxy configuration from your web browser. If the computer cannot connect to the Internet, try
telephone activation.

If Internet and telephone activation both fail, you will need to contact the Microsoft Product
Activation Center.

Lesson 2

Monitoring and Configuring Performance Options in Windows 8.1


A computer system that performs at a low efficiency level can cause problems in the work environment.
This can potentially reduce user productivity and consequently increase user frustration. Windows 8.1
helps you to determine the potential causes of poor performance, and then to use the appropriate tools to
help resolve the performance issues.

Lesson Objectives
After completing this lesson, you will be able to:

Describe performance considerations.

Describe how Windows 8.1 uses important system resources, such as memory and processor.

Explain how to identify important performance monitoring tools in Windows 8.1.

Explain why it is important to establish a performance baseline.

Use Performance Monitor.

Explain how to optimize memory in a Windows 8.1 computer.

Explain how to optimize disk throughput in a Windows 8.1 computer.

Performance Considerations
Decreased computer system performance is a
common source of user complaints. Performance
is a measure of how quickly a computer
completes application and system tasks.
Performance problems can occur when available
resources are lacking. Computers respond slowly
for several reasons, including disorganized files,
unnecessary software that consumes resources,
too many startup programs, or perhaps even
malware or a virus. Factors that can influence
computer system performance include:

Access speed of the physical hard disks.

Memory available for all running processes.

Fastest speed of the processor.

Maximum throughput of the network interfaces.

Resources that the individual applications consume.

Faulty or poor configuration of components, which leads to the unnecessary consumption of
resources.

Out-of-date or inappropriate drivers for system components and peripherals, including the graphics
subsystem.


How Windows Uses Key System Components


The four main hardware components that you
should monitor in a Windows 8.1-based computer
are:

Processor

Disk

Memory

Network

Note: Although not considered a core component, the graphics adapter and its driver
can have a significant impact on the performance of graphics-intensive apps. If your users intend
to run apps that are graphically demanding, ensure that you select a device with a powerful
graphics subsystem, and that you install the latest vendor-specific driver rather than relying on a
generic driver.

Understanding how the operating system utilizes these four key hardware components and how they
interact can help you better optimize computer workstation performance. When monitoring workstation
performance, you should consider:

The measurement of all key components in your user's workstation.

The workstation role and its workload, to determine which hardware components are likely to restrict
performance.

The ability to increase workstation performance by adding power or reducing the number of
applications that the user is running.

Processor

One important factor in determining your computer's overall processor capacity is processor speed.
Processor speed is determined by the number of operations that the processor performs over a specific
time period. Computers with multiple processors, or processors with multiple cores, generally perform
processor-intensive tasks with greater efficiency, and as a result, are faster than single processor or
single-core processor computers.

Processor architecture is also important. 64-bit processors can access more memory and have a significant
positive effect on performance. This is true especially when applications running on your users'
workstations require a large amount of memory.

Disk

Hard disks store programs and data. Consequently, the throughput of a workstation's disk affects its
speed, especially when the workstation is performing disk-intensive tasks. Many hard disks have moving
parts, and it takes time to position the read/write heads over the appropriate disk sector to retrieve the
requested information.
Note: Most Windows 8.1 tablet devices use solid-state drives (SSDs), which have no moving
parts.


By selecting faster disks, and by using collections of disks to optimize access times (redundant array of
independent disks (RAID)), you can alleviate the potential for the disk subsystem to create a performance
bottleneck.

Windows 8.1 moves information on the disk into memory before it uses it. Therefore, if a surplus of
memory exists, the Windows 8.1 operating system creates a file cache for items recently written to, or read
from, disks. Installing additional memory in a workstation often improves the disk subsystem performance,
because accessing the cache is faster than moving the information into memory.
Finally, consider the type of work for which the device will be used. Different work profiles use disks in a
different way. For example, some applications read from a disk more frequently than they write to the disk
(read-intensive), and therefore good read performance is important; other applications are more write-intensive.
Note: SSDs have different read and write performance profiles. Determine the workload
profile, and then attempt to match the disk's performance profile to optimize the device's
performance.

Memory

Programs and data load from disk into memory before the program manipulates the data. In workstations
that run multiple programs, or where datasets are very large, installing more memory can improve
workstation performance.
Windows 8.1 uses a memory model that does not reject excessive memory requests. Instead, Windows 8.1
manages them by using a process known as paging. During paging, Windows 8.1 moves the data and
programs in memory that processes are not currently using, to the paging file on the hard disk. This
frees up physical memory to satisfy the excessive memory requests. However, because a hard disk is
comparatively slow, it has a negative effect on workstation performance. By adding more memory, and by
using a 64-bit processor architecture that supports larger memory, you can reduce the need for paging.

Network

You can easily underestimate how a network that is performing poorly can affect workstation
performance, because it is not as easy to see or to measure as the other workstation components.
However, the network is a critical component for performance monitoring, because network devices store
so many of the application programs and data being processed.

Understanding Bottlenecks

A performance bottleneck occurs when a computer is unable to service the current requests for a specific
resource. The resource might be a key component, such as a disk, memory, processor, or network.
Alternatively, the shortage of a component within an application package also may cause a bottleneck.
By using performance-monitoring tools on a regular basis, and by comparing the results to your baseline
and to historical data, you can identify performance bottlenecks before they impact users.
Once you identify a bottleneck, you must decide how to remove it. Your options for removing a
bottleneck include:

Running fewer applications.

Adding additional resources to the computer.

A computer suffering from a severe resource shortage may stop processing user requests. This situation
requires immediate attention. However, if your computer experiences a bottleneck but still operates
within acceptable limits, you might decide to defer any changes until you resolve the situation, or until
you have an opportunity to take corrective action.


Note: As you identify and resolve a performance problem that is affecting one system
component, another component may become affected. Therefore, performance monitoring is an
ongoing process.
Question: Which hardware components are most likely to restrict performance for a
Windows 8.1 computer?

Performance Monitoring Tools


Windows 8.1 provides a number of performance
monitoring tools that you can use to help identify
performance-related issues.

Task Manager
You can use the Performance tab in Task Manager
to help to identify performance problems. The
Performance tab displays a summary of CPU and
memory usage, and network statistics.

Generally, you might consider using Task Manager when a performance-related problem
first becomes apparent. For example, you might
examine the running processes to determine if a particular program is using excessive CPU resources.
Always remember that Task Manager shows a snapshot of current resource consumption, and you may
need to examine historical data to determine the true picture about a server computer's performance and
response under load.

Resource Monitor

Resource Monitor provides a snapshot of system performance. Because the four key system components
are processor, memory, disk, and network, Resource Monitor provides a summary of these four
components and a detailed tab for each. If a user's computer is running slowly, you can use Resource
Monitor to view current activity in each of the four component areas. You can then make a determination
about which of the key components might be causing a performance bottleneck.
When the Resource Monitor first opens, the initial view is of the Overview tab. On the right side are
four graphs: CPU, Disk, Network, and Memory. You can examine these graphs, looking for excessive
peaks in CPU, Disk, Network, or Memory activity. In the main pane, you can examine details about
each component by expanding each component's information list. Each process that is running on the
computer is listed, in addition to information about resource consumption for each process. For example,
the number of threads and the percentage of CPU capacity being used displays for each running process.
Having determined that a particular component usage is bottlenecked, use the appropriate component
tab to view more information.

Remember that a snapshot of current activity, which Resource Monitor provides, only tells a partial story.
For instance, you might see a peak in activity, which is not representative of average performance.

Performance Monitor

Performance Monitor is an MMC snap-in that you can use to obtain system performance information. You
can use this tool to analyze the performance effect that applications and services have on your computer,
and you can use it to obtain an overview of system performance or collect detailed information for
troubleshooting.

The Performance Monitor includes the following features:

Monitoring Tools

Data Collector Sets

Reports

Monitoring tools


Monitoring Tools contains the Performance Monitor, which provides a visual display of built-in Windows
performance counters, either in real time or as historical data. The Performance Monitor includes the
following features:

Multiple graph views

Custom views that you can export as data collector sets

Performance Monitor uses performance counters to measure the system's state or activity. The
operating system or individual applications may include performance counters. Performance Monitor
requests the current value of performance counters at specified time intervals. You can add performance
counters to the Performance Monitor by dragging and dropping the counters, or by creating a custom
data collector set.
Performance Monitor features multiple graph views that enable you to have a visual review of
performance log data. You can create custom views in Performance Monitor that you can export as
data collector sets for use with performance and logging features.

Data collector sets


The data collector set is a custom set of performance counters, event traces, and system configuration
data.
After you create a combination of data collectors that describe useful system information, you can save
them as a data collector set, and then run and view the results.

A data collector set organizes multiple data collection points into a single, portable component. You can
use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or
view it in the Performance Monitor.
You can configure a data collector set to generate alerts when it reaches thresholds.

You also can configure a data collector set to run at a scheduled time, for a specific length of time, or
until it reaches a predefined size. For example, you can run the data collector set for 10 minutes every
hour during working hours to create a performance baseline. You also can set the data collector to restart
when set limits are reached, so that a separate file will be created for each interval.
You can use data collector sets and Performance Monitor tools to organize multiple data collection
points into a single component that you can use to review or log performance. Performance Monitor also
includes default data collector set templates to help system administrators begin the process of collecting
performance data that is specific to a server role or monitoring scenario.
In Performance Monitor, beneath the Data Collector Sets node, you can use the User Defined node to
create your own data collector sets. You can specify which specific objects and counters you want to
include in the set for monitoring. To help you select appropriate objects and counters, you are also
provided with templates to use for monitoring. These include:

System Diagnostics. Selects objects and counters that report the status of hardware resources,
system response time, and processes on the local computer, along with system information and
configuration data. The report provides guidance on ways to optimize the computer's responsiveness.


System Performance. Generates reports that detail the status of local hardware resources, system
response times, and processes.

WDAC Diagnostics. Enables you to trace debug information for Windows Data Access Components
(Windows DAC).

Note: It is not necessary for Performance Monitor to be still running for data to be
collected into a data collector set.

Reports

Use the Reports feature to view and generate reports from a set of counters that you create by using data
collector sets.

Sysinternals Tools

In addition to the built-in performance monitoring tools in Windows 8.1, you also can download and use
the Sysinternals suite of tools. You can use a number of these tools to monitor performance:

Contig. Enables you to defragment your frequently used files quickly.

DiskMon. Enables the computer to capture all hard disk activity, and acts like a software disk activity
light in the system tray.

PageDefrag. Enables you to defragment your paging files and registry hives.

Process Explorer. Enables you to determine which files, registry keys, and other objects processes have
open, which DLLs they have loaded, and more. This tool also displays who owns each process.

Process Monitor. Enables you to monitor file system, registry, process, thread, and dynamic-link
library (DLL) activity in real-time.

Sysinternals Suite
http://go.microsoft.com/fwlink/?LinkId=393007

Establishing a Performance Baseline


By calculating performance baselines for your
client computer environment, you can interpret
real-time monitoring information more accurately.
A baseline for a computer's performance indicates
what your performance-monitoring statistics
look like during normal use. You can establish a
baseline by monitoring performance statistics over
a specific period. When an issue or symptom
occurs in real time, you can compare your
baseline statistics to your real-time statistics, and
then identify anomalies.
You can set up a baseline in Performance Monitor
to help you with the following tasks:

Evaluate your computer's workload.

Monitor system resources.

Notice changes and trends in resource use.

Test configuration changes.

Diagnose problems.


By using data collector sets, you can establish a baseline to use as a standard for comparison. Create a
baseline when you first configure the computer, at regular intervals of typical usage, and when you make
any changes to the computer's hardware or software configuration. If you have appropriate baselines, you
can determine which resources are affecting your computer's performance.

Demonstration: Using Performance Monitor


Note: This is a practice session.

Performance impacts can occur because of the number of counters being sampled and the frequency
with which sampling occurs. Therefore, it is important to test the number of counters and the frequency
of data collection. This helps you determine the right balance between your environment's needs and the
provision of useful performance information. For the initial performance baseline, however, you should
use the highest number of counters possible and the highest frequency available. The following table
shows the commonly used performance counters.
| Counter | Usage |
|---|---|
| LogicalDisk\% Free Space | This counter measures the percentage of free space on the selected logical disk drive. Take note if this falls below 15 percent, because you risk running out of free space for the operating system to use to store critical files. One solution is to add more disk space. |
| PhysicalDisk\% Idle Time | This counter measures the percentage of time the disk was idle during the sample interval. If this counter falls below 20 percent, the disk system is saturated. You should consider replacing the current disk system with a faster one. |
| PhysicalDisk\Avg. Disk Sec/Read | This counter measures the average time, in seconds, to read data from the disk. If the number is larger than 25 milliseconds (ms), that means the disk system is experiencing latency when it is reading from the disk. |
| PhysicalDisk\Avg. Disk Sec/Write | This counter measures the average time, in seconds, it takes to write data to the disk. If the number is larger than 25 ms, the disk system experiences latency when it is writing to the disk. |
| PhysicalDisk\Avg. Disk Queue Length | This counter indicates how many I/O operations are waiting for the hard drive to become available. If the value is larger than two times the number of spindles, it means that the disk itself may be the bottleneck. Note: If this counter indicates a possible bottleneck, consider measuring the Avg. Disk Read Queue Length and Avg. Disk Write Queue Length to try to determine whether read or write operations are the cause. |
| Memory\Cache Bytes | This counter indicates the amount of memory that the file-system cache is using. There may be a disk bottleneck if this value is greater than 300 megabytes (MB). |
| Memory\% Committed Bytes in Use | This counter measures the ratio of Committed Bytes to the Commit Limit, or in other words, the amount of virtual memory in use. If the number is greater than 80 percent, it indicates insufficient memory. |
| Memory\Available Mbytes | This counter measures the amount of physical memory, in megabytes, available for running processes. If this value is less than 5 percent of the total physical random access memory (RAM), that means there is insufficient memory, which can increase paging activity. |
| Memory\Free System Page Table Entries | This counter indicates the number of page table entries not currently in use by the system. If the number is less than 5,000, there may be a memory leak. |
| Memory\Pool Non-Paged Bytes | This counter measures the size, in bytes, of the nonpaged pool. This is an area of system memory for objects that cannot be written to disk, but instead must remain in physical memory as long as they are allocated. If the value is greater than 175 MB (or 100 MB with a /3 gigabyte (GB) switch) there is a possible memory leak. |
| Memory\Pool Paged Bytes | This counter measures the size, in bytes, of the paged pool. This is an area of system memory for objects that can be written to disk when they are not being used. There may be a memory leak if this value is greater than 250 MB (or 170 MB with the /3 GB switch). |
| Memory\Pages per Second | This counter measures the rate at which pages are read from, or written to, the disk to resolve hard-page faults. If the value is greater than 1,000 as a result of excessive paging, there may be a memory leak. |
| Processor\% Processor Time | This counter measures the percentage of elapsed time that the processor spends executing a non-idle thread. If the percentage is greater than 85 percent, the processor is overwhelmed, and the server may require a faster processor. |
| Processor\% User Time | This counter measures the percentage of elapsed time that the processor spends in user mode. If this value is high, the server is busy with the application. |
| Processor\% Interrupt Time | This counter measures the time that the processor spends receiving and servicing hardware interruptions during specific sample intervals. If the value is greater than 15 percent, this counter indicates a possible hardware issue. |
| System\Processor Queue Length | This counter indicates the number of threads in the processor queue. The server does not have enough processor power if the value is more than two times the number of CPUs for an extended period of time. |
| Network Interface\Bytes Total/Sec | This counter measures the rate at which bytes are sent and received over each network adapter, including framing characters. The network is saturated if you discover that more than 70 percent of the interface is consumed. |
| Network Interface\Output Queue Length | This counter measures the length of the output packet queue, in packets. There is network saturation if the value is more than 2. |
| Process\Handle Count | This counter measures the total number of handles that a process currently has open. This counter indicates a possible handle leak if the number is greater than 10,000. |
| Process\Thread Count | This counter measures the number of threads currently active in a process. There may be a thread leak if this number is more than 500 between the minimum and maximum number of threads. |
| Process\Private Bytes | This counter indicates the amount of memory that this process has allocated that it cannot share with other processes. If the value is greater than 250 between the minimum and maximum number of threads, there may be a memory leak. |
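
Several of the thresholds in the counter table above can be checked from a PowerShell prompt by averaging a few samples rather than reading a single point off the chart. This is an added example, not part of the course material; it assumes English counter names, C: as the system volume, and a sample count and interval chosen here for illustration.

```powershell
# Added example. Limits are taken from the counter table; the rule list,
# function name, sample interval and sample count are assumptions.
# Counter paths use the English names that Get-Counter expects
# (the table's "Pages per Second" is the Memory\Pages/sec counter).

$cpuCount = [Environment]::ProcessorCount
$totalMB  = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1MB

# Op 'lt' flags an average below Limit; 'gt' flags an average above it.
$rules = @(
    [pscustomobject]@{ Path = '\LogicalDisk(C:)\% Free Space';          Op = 'lt'; Limit = 15;              Hint = 'Low free disk space' }
    [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\% Idle Time';      Op = 'lt'; Limit = 20;              Hint = 'Disk system saturated' }
    [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Read';  Op = 'gt'; Limit = 0.025;        Hint = 'Read latency above 25 ms' }
    [pscustomobject]@{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Write'; Op = 'gt'; Limit = 0.025;        Hint = 'Write latency above 25 ms' }
    [pscustomobject]@{ Path = '\Memory\% Committed Bytes In Use';       Op = 'gt'; Limit = 80;              Hint = 'Insufficient memory' }
    [pscustomobject]@{ Path = '\Memory\Available MBytes';               Op = 'lt'; Limit = 0.05 * $totalMB; Hint = 'Less than 5 percent of RAM available' }
    [pscustomobject]@{ Path = '\Memory\Pages/sec';                      Op = 'gt'; Limit = 1000;            Hint = 'Excessive paging' }
    [pscustomobject]@{ Path = '\Processor(_Total)\% Processor Time';    Op = 'gt'; Limit = 85;              Hint = 'Processor overwhelmed' }
    [pscustomobject]@{ Path = '\Processor(_Total)\% Interrupt Time';    Op = 'gt'; Limit = 15;              Hint = 'Possible hardware issue' }
    [pscustomobject]@{ Path = '\System\Processor Queue Length';         Op = 'gt'; Limit = 2 * $cpuCount;   Hint = 'Not enough processor power' }
)

function Test-PerformanceThreshold {
    param(
        [Parameter(Mandatory)] [object[]] $Rules,
        [int] $SampleInterval = 5,   # seconds between samples
        [int] $MaxSamples     = 6    # 6 x 5 s = a 30-second window
    )

    $paths   = $Rules | ForEach-Object { $_.Path }
    $samples = (Get-Counter -Counter $paths -SampleInterval $SampleInterval `
                            -MaxSamples $MaxSamples -ErrorAction Stop).CounterSamples

    foreach ($rule in $Rules) {
        # Sample paths look like \\computer\memory\pages/sec, so match on the tail.
        $values = @($samples |
            Where-Object { $_.Path -like "*$($rule.Path)" } |
            ForEach-Object { $_.CookedValue })

        if ($values.Count -eq 0) {
            Write-Warning "No samples returned for $($rule.Path)"
            continue
        }

        $avg = ($values | Measure-Object -Average).Average
        $breached = if ($rule.Op -eq 'lt') { $avg -lt $rule.Limit } else { $avg -gt $rule.Limit }

        [pscustomobject]@{
            Counter  = $rule.Path
            Average  = [math]::Round($avg, 3)
            Limit    = [math]::Round($rule.Limit, 3)
            Breached = $breached
            Hint     = if ($breached) { $rule.Hint } else { '' }
        }
    }
}

Test-PerformanceThreshold -Rules $rules | Format-Table -AutoSize
```

A breach over a 30-second window is only a prompt to look further; compare it with the baseline before treating it as a bottleneck.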

Practice Session
In this practice session, you will:

Open Performance Monitor.

Add new values to the chart.

Create a data collector set.

Examine a report.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Open Performance Monitor
1. On LON-CL1, in Start, type cmd.exe, and then press Enter.
2. At the command prompt, type perfmon, and then press Enter.
3. In the Performance Monitor window, click the Performance Monitor node. Notice that only
   % Processor Time is displayed by default.


Add new values to the chart


1. On the toolbar, click the plus (+) symbol to add an additional counter.
2. In the Available counters area, expand PhysicalDisk, and then click % Idle Time.
3. In the Instances of selected object box, click 1 C:, click Add, and then click OK.
4. Right-click % Idle Time, and then click Properties.
5. In the Color box, click green, and then click OK.

Create a data collector set


1. In the left pane, expand Data Collector Sets, and then click User Defined.
2. Right-click User Defined, point to New, and then click Data Collector Set.
3. In the Name box, type CPU and Disk Activity, and then click Next.
4. In the Template Data Collector Set box, click Basic, and then click Next. We recommend that you
   use a template.
5. Click Next to accept the default storage location for the data.
6. Click Open properties for this data collector set, and then click Finish.
7. In the CPU and Disk Activity Properties dialog box, on the General tab, you can configure general
   information about the data collector set and the credentials that the data collector set uses when it is
   running.
8. Click the Directory tab. This tab lets you define information on how the collected data is stored.
9. Click the Security tab. This tab lets you configure which users can change this data collector set.
10. Click the Schedule tab. This tab lets you define when the data collector set is active and collecting
    data.
11. Click the Stop Condition tab. This tab lets you define when data collection is stopped, based on time
    or data that is collected.
12. Click the Task tab. This tab lets you run a scheduled task when the data collector set stops. You can
    use this to process the collected data.
13. Click Cancel. Notice that there are three kinds of logs in the right pane:
    o Performance Counter collects data that you can view in Performance Monitor.
    o Configuration records changes to registry keys.
    o Kernel Trace collects detailed information about system events and activities.
14. In the right pane, double-click Performance Counter. Notice that all Processor counters are
    collected, by default.
15. Click Add.
16. In the Available counters area, click PhysicalDisk, click Add, and then click OK. All the counters for
    the PhysicalDisk object are now added. Click OK.
17. In the left pane, right-click CPU and Disk Activity, and then click Start.

Examine a report
1. Wait a few moments for the data collector set to stop automatically.
2. Right-click CPU and Disk Activity, and then click Latest Report.
3. Review the report, which shows the data that is collected by the data collector set.
4. Close the Performance Monitor. Close the Command Prompt window.

Completion Steps

After you have completed the practice session, leave the virtual machines running for the lab.
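
The data collector set built in the demonstration can also be created from the command line with logman, and a later log can then be compared against the baseline log. This is an added example, not part of the course material; the function names, output folder, 15-second sample interval, 10-minute run time and 25 percent deviation limit are assumptions, and the averages at the end are constructed sample values.

```powershell
# Added example. Run from an elevated prompt; creating a data collector set
# requires administrative rights. Names and limits below are assumptions.

function New-BaselineCollector {
    param(
        [string] $Name      = 'CPU and Disk Activity',   # name used in the demonstration
        [string] $OutputDir = 'C:\PerfLogs\Baseline'     # assumed output folder
    )
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

    # Same objects as the demonstration: all Processor and PhysicalDisk counters.
    # -si = sample interval, -rf = run for this long, -v = timestamp in the file name.
    & logman.exe create counter $Name -c '\Processor(*)\*' '\PhysicalDisk(*)\*' `
        -si 00:00:15 -rf 00:10:00 -f bin -v mmddhhmm -o (Join-Path $OutputDir 'baseline')
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with exit code $LASTEXITCODE" }

    & logman.exe start $Name
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
}

function Get-CounterAverage {
    # Returns a hashtable of counter path -> average value for one log file.
    param([Parameter(Mandatory)] [string] $Path)

    if (-not (Test-Path -Path $Path)) { throw "Log file not found: $Path" }

    # The first sample of a rate counter has no valid value; skip samples
    # whose Status is non-zero instead of failing on them.
    $samples = (Import-Counter -Path $Path -ErrorAction SilentlyContinue).CounterSamples |
        Where-Object { $_.Status -eq 0 }

    $averages = @{}
    foreach ($group in ($samples | Group-Object -Property Path)) {
        # Drop the \\computer prefix so logs taken at different times line up.
        $key = $group.Name -replace '^\\\\[^\\]+', ''
        $averages[$key] = ($group.Group | Measure-Object -Property CookedValue -Average).Average
    }
    $averages
}

function Compare-ToBaseline {
    # Lists counters whose current average differs from the baseline
    # average by at least LimitPercent.
    param(
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [Parameter(Mandatory)] [hashtable] $Current,
        [double] $LimitPercent = 25
    )
    foreach ($key in $Baseline.Keys) {
        if (-not $Current.ContainsKey($key)) { continue }
        $base = $Baseline[$key]
        if ($base -eq 0) { continue }   # no percentage change against a zero baseline
        $change = 100 * ($Current[$key] - $base) / $base
        if ([math]::Abs($change) -ge $LimitPercent) {
            [pscustomobject]@{
                Counter       = $key
                Baseline      = [math]::Round($base, 2)
                Current       = [math]::Round($Current[$key], 2)
                ChangePercent = [math]::Round($change, 1)
            }
        }
    }
}

# On a real computer (file names are placeholders):
#   New-BaselineCollector
#   $baseline = Get-CounterAverage -Path 'C:\PerfLogs\Baseline\<baseline log>.blg'
#   $current  = Get-CounterAverage -Path 'C:\PerfLogs\Baseline\<later log>.blg'

# Constructed averages (not measured data) so the comparison can be run offline.
$baseline = @{
    '\processor(_total)\% processor time' = 12.0
    '\physicaldisk(_total)\% idle time'   = 91.0
}
$current = @{
    '\processor(_total)\% processor time' = 71.5
    '\physicaldisk(_total)\% idle time'   = 88.0
}
Compare-ToBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize
```

With the constructed values, only the processor counter is listed, because idle time moved by about 3 percent while processor time moved by several hundred percent.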

Optimizing Memory Performance


Memory is arguably the resource that can make
the most positive impact on improving client
computer performance. Use the following
guidelines to help to optimize memory
performance in your Windows 8.1 computer.

Select a 64-bit Version of Windows 8.1


Using a 64-bit version of Windows 8.1 enables
your computer to use more memory than the
4-GB limitation imposed by 32-bit operating
systems. If your computer has more than 4 GB of
memory, or if you can add additional memory
beyond 4 GB, then select a 64-bit version of
Windows 8.1.

Avoid Shared Memory Video


Some video adapters use shared system memory. This means that the memory that would otherwise
be available for servicing applications is being used by the video adapter for display purposes. Some
computers come equipped with video adapters that use dedicated onboard memory for display purposes,
ensuring that more memory is available for applications.

Optimize Paging

For most single disk drive computers running Windows 8.1, it typically is adequate to leave the paging file
settings at the default values. However, you may gain a small performance benefit by following these
guidelines:

Create the paging file on a different physical disk than the operating system disk. Paging is a
disk-intensive task. If you distribute the disk load across all of your computer's available disks, you
minimize the likelihood of performance bottlenecks affecting the disk subsystem. By optimizing
the disk subsystem, you can make the paging process as efficient as possible.

Configure a fixed-size paging file. A paging file that can grow on the disk might encompass
fragmented areas of the disk volume. By configuring a fixed-size paging file, you can ensure that
the paging file does not encompass fragmented areas.

Ensure that the disk volume is not fragmented when you create the paging file. If you want to create
a fixed-size paging file on a computer that already has a paging file, ensure that you do not create a
paging file that encompasses fragmented areas of the disk. Additionally, before you create a fixed-size
paging file, you must configure the computer to use no paging, and then defragment the
volumes.


When you configure the paging file, ensure that its size is sufficiently large. Recommendations specify
that an initial paging file should be equivalent to the amount of installed memory, and a maximum
paging file size that is equal to twice the initial value. Consequently, you should create a fixed-size
paging file that is equal to or twice the size of the physical memory.

Note: To access these paging options, from the Start screen, right-click This PC, and then
click Properties. Click Advanced system settings, and then under Performance, click Settings. Click
the Advanced tab, and then click Change.
Note: For computers with 2 GB of physical memory running 32-bit versions of
Windows 8.1, there is no particular benefit in configuring a paging file larger than 2 GB.
A number of Windows 8.1 tablets that are running on Intel Atom processors are equipped
with 2 GB of memory and run 32-bit versions of Windows 8.1.

Optimizing Disk Performance


Many hard disks have moving parts, and
are consequently slower than other storage
technologies. To optimize disk subsystem
throughput, consider the general points in
the following table.

| Optimization task | Why you might use it |
|---|---|
| Minimize the frequency of paging | Adding physical memory to a computer that is paging excessively reduces the load on the disk subsystem. |
| Implement faster disks | Disk speed is measured in revolutions per minute (rpm), and average seek times are measured in milliseconds. Install disks 7200 rpm or faster, and select disks with the lowest seek time. |
| Consider using SSDs | SSDs use flash memory technology and have no moving parts. They can operate faster than more traditional disks, but they are more expensive. Research the specific vendor and model of disk carefully. Some disks provide higher write performance, and some provide higher read performance. |
| Defragment volumes that are used heavily | You can use either the built-in disk Optimize Drives tool or another company's tools, some of which support the defragmentation of files such as Hiberfil.sys and Pagefile.sys. Note that the likelihood of disk volume fragmentation increases as the disk volume becomes filled. Note: Windows 8.1 optimizes drives automatically once a week. Note: Try to avoid defragmenting SSDs. It most likely provides very little (if any) performance benefit and increases disk usage. As discussed in Module 3, some SSDs have a lifetime imposed by the number of writes performed on the disk. |
| Ensure that you enable write-caching | You can use Device Manager to examine the properties of any installed disks, and to verify that write-caching is enabled. |
| Distribute the memory load across all available disks | If your computer has multiple physical disks, consider distributing disk-intensive activities across these disks. For example, you can install the Windows operating system and applications on one disk, the paging file on another disk, and your data files on a third disk. |

Lab: Maintaining Windows 8.1


Scenario

A user reports performance-related issues with his computer. The help desk is unable to determine the
problem. You must investigate to ascertain which computer component the problem is affecting, and
then make recommendations about a solution or mitigation.

Objectives
After completing this lab, you will be able to:
Resolve a performance-related problem.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. The required virtual machines
should already be running. If they are not, before you begin the lab, you must complete the following
steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Exercise 1: Troubleshooting a Performance Problem


Scenario
The help desk has passed you this ticket, which they have been unable to resolve. You must read the
details and develop a plan of action before attempting a resolution.
Incident Record
Incident Reference Number: 723499
Date of Call: November 05
Time of Call: 17:37
User: Carol Troup (Managers)
Status: OPEN

Incident Details
Carol's computer was performing well a few days ago, but recently she has complained that its
performance has degraded. Tasks such as loading Microsoft Office take much longer than they
used to.

Additional Information
The computer, LON-CL1, is running Windows 8.1 and has Microsoft Office 2013 installed.

Plan of Action

Resolution

The main tasks for this exercise are as follows:

1. Establish a performance baseline.
2. Read the help desk Incident Record for incident 723499.
3. Discuss recommendations.
4. Simulate the problem.
5. Attempt to resolve the problem.

Task 1: Establish a performance baseline


1. On LON-CL1, open Performance Monitor.
2. Create a user-defined Data Collector Set with the following properties:
   o Name: Adatum Baseline
   o Create manually (Advanced)
   o Performance counter
   o Sample interval: 1 second
   o Counters to include:
      o Memory > Pages/sec
      o Network Interface > Packets/sec
      o Physical Disk > % Disk Time
      o Physical Disk > Avg. Disk Queue Length
      o Processor > % Processor Time
      o System > Processor Queue Length
3. Start the data collector set, and then start the following programs:
   o Microsoft Word 2013
   o Microsoft Excel 2013
   o Microsoft PowerPoint 2013
4. Close all Microsoft Office 2013 apps.
5. In Performance Monitor, stop the Adatum Baseline data collector set.
6. In Performance Monitor, locate Reports > User Defined > Adatum Baseline, and click the report
   that has a name that begins with LON-CL1.
7. Record the following values:
   o Memory Pages per second
   o Network Interface Packets per second
   o Physical Disk % Disk Time
   o Physical Disk Avg. Disk Queue Length
   o Processor % Processor Time
   o System Processor Queue Length
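
The same six counters can also be sampled from PowerShell with Get-Counter, which makes it easy to compare a later capture with the baseline. This is an added example, not part of the course lab; the function names, the one-minute capture length, the 2x flag threshold, and the file name in the temp folder are assumptions.

```powershell
# Added example (not part of the course lab). Samples the six counters used in
# the Adatum Baseline data collector set and compares a later capture with it.
# Counter names are the English ones; localized Windows uses translated names.

$LabCounters = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function Get-CounterAverage {
    param(
        [string[]]$Counter = $LabCounters,
        [int]$SampleInterval = 1,    # seconds, as in the lab
        [int]$MaxSamples = 60        # assumption: capture one minute
    )
    # Flatten every sample set, then average the values per counter path.
    Get-Counter -Counter $Counter -SampleInterval $SampleInterval -MaxSamples $MaxSamples |
        ForEach-Object { $_.CounterSamples } |
        Group-Object -Property Path |
        ForEach-Object {
            $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            [pscustomobject]@{ Path = $_.Name; Average = [math]::Round($avg, 2) }
        }
}

function Compare-CounterAverage {
    param(
        $Baseline,
        $Current,
        [double]$Factor = 2.0        # assumption: flag values above 2x baseline
    )
    $lookup = @{}
    foreach ($row in $Baseline) { $lookup[$row.Path] = $row.Average }
    foreach ($row in $Current) {
        if (-not $lookup.ContainsKey($row.Path)) { continue }
        $base = [double]$lookup[$row.Path]
        [pscustomobject]@{
            Path     = $row.Path
            Baseline = $base
            Current  = $row.Average
            # Ignore near-zero counters so that 0.1 -> 0.3 is not reported.
            Flag     = ($row.Average -gt 1) -and ($row.Average -gt $base * $Factor)
        }
    }
}

# 1. While the computer is healthy (start the Office apps during the capture):
$baselineFile = Join-Path $env:TEMP 'AdatumBaseline.xml'
Get-CounterAverage | Export-Clixml -Path $baselineFile

# 2. Later, while the slowdown is occurring:
Compare-CounterAverage -Baseline (Import-Clixml $baselineFile) -Current (Get-CounterAverage) |
    Sort-Object Flag -Descending | Format-Table -AutoSize
```

The counters flagged in the comparison indicate which subsystem (memory, network, disk, or processor) to examine first.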

Task 2: Read the help desk Incident Record for incident 723499

Read the help desk Incident Record 723499.

Task 3: Discuss recommendations


1. Read the Additional Information section of the Incident Record.
2. Discuss your recommendations with other students.

Task 4: Simulate the problem

1. Switch to LON-CL1.
2. If necessary, sign in using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod12\Scenario.vbs script.
4. The script starts to generate load.

Task 5: Attempt to resolve the problem

1. Attempt to resolve the problem by using your knowledge of performance troubleshooting.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.

To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you should have identified the performance bottleneck.

To prepare for the next practice session

When you have finished the lab, leave the virtual machines running for the next practice session.

Lesson 3

Protecting Windows 8.1 from Malware and Viruses

Windows Defender helps to protect your computer from spyware and other forms of malware. In
Windows 8.1, Windows Defender integrates with Action Center to provide a consistent means of alerting
you when action is required. Windows Defender also provides an improved user experience when you are
scanning for spyware or manually checking for updates. Additionally, in Windows 8.1, Windows Defender
has less impact on overall system performance, even though it continues to deliver continuous, real-time
monitoring.

Lesson Objectives
After completing this lesson, you will be able to:

Explain the security threats posed by malware.

Explain how to use Windows Defender to help to protect against malware and virus threats.

Remove a virus from a Windows 8.1 computer with Windows Defender.

Common Security Threats Posed by Malware


By connecting your computer to other computers in a network, you expose it to additional security
risks. This is especially true if you connect your computer to the Internet.

One of the potential security risks is posed by malware. Malware can introduce viruses, worms,
Trojan horses, rootkits, key loggers, adware, spyware, and other forms of malicious software.
Malware is designed by attackers who want either to disrupt normal operations on your network
or to gain access to the data on your network. Once malware has found a way into your
network, there is potentially no limit to the things that software can do, or the damage that a hacker can
inflict.

Mitigating These Threats

To protect your computers and your network infrastructure from the damage and disruption that malware
can cause, you must formulate a protection strategy. User policies, antimalware and antivirus software,
encryption of network traffic, and other protective measures work together
to shield your computers and your network from security threats.

Windows Defender in Windows 8.1


Windows Defender helps to protect your
computer from spyware, malware, and viruses.
Windows Defender is also Hyper-V aware,
meaning that it detects if Windows 8.1 is running
as a virtual machine. Windows Defender uses
definitions to determine if the software that it
detects is unwanted, and to alert you to potential
risks. To help keep definitions up to date,
Windows Defender installs new definitions
automatically as they are released.

In Windows Defender, you can run a quick, full, or custom scan. If you suspect spyware has infected a
specific area of the computer, you can customize a scan by selecting specific drives and folders. You also
can configure the schedule that Windows Defender will use.

You can choose to have Windows Defender exclude processes in your scan. Though this can make the
scan complete faster, your computer will be less protected. When Windows Defender detects potential
spyware activity, it stops the activity, and then raises an alert.

Alert levels help you determine how to respond to spyware and unwanted software. You can configure
Windows Defender behavior when a scan identifies unwanted software. You also are alerted if software
attempts to change important Windows settings.

To help prevent spyware and other unwanted software from running on the computer, turn on Windows
Defender real-time protection.

Using Windows Defender

Windows Defender includes automatic scanning options that provide on-demand scanning for malicious
software. The following table identifies scanning options.

| Scanning option | Description |
| --- | --- |
| Quick Scan | Checks the areas that malicious software (including viruses, spyware, and unwanted software) is most likely to infect. |
| Full Scan | Checks all the files on your hard disk and all running programs. |
| Custom Scan | Enables users to scan specific drives and folders. |

As a best practice, you should schedule a daily Quick Scan. At any time, if you suspect that spyware has
infected a computer, run a Full Scan.

When you run a scan, the progress displays on the Windows Defender Home page. When Windows
Defender detects a potentially harmful file, it moves the file to a quarantine area. It does not allow the
file to run, or allow other processes to access it. After the scan is complete, you can choose to remove or
restore quarantined items, and maintain the Allowed list. The History page lists the quarantined items.
Click View details to see all items. Review each item, and individually remove or restore each. Alternatively,
if you want to remove all quarantined items, click Remove all.

Advanced scanning options


When you are scanning a computer, you can choose from six additional options:

Scan archive files. Scanning these locations might increase the time required to complete a scan, but
spyware and other unwanted software can install itself and attempt to hide in these locations.

Scan removable drives. Use this option to scan the contents of removable drives, such as USB flash
drives.

Create a system restore point. Use this option before applying actions to detected items. Because you
can set Windows Defender to remove detected items automatically, selecting this option allows you
to restore system settings.

Allow all users to view the full History results. Use this option to allow all users that sign into this
computer to see the scanning history. If you do not select this option, users will only see scan results
that relate to their files.

Remove quarantined files after <Time>. Use this option to remove quarantined files after a set period
of time. When you enable this option, the default period is one month, but you can set it from one
day to three months.

Send file samples automatically when further analysis is required. Use this option to send samples
automatically to Microsoft to help determine whether detected items are, in fact, malicious.
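
The scan types, exclusions, and several of the advanced options above are also exposed by the Defender PowerShell module that is built in to Windows 8.1, which lets you review a computer's Defender state without opening the console. This is an added example, not part of the courseware; the function names and the age thresholds are assumptions.

```powershell
# Added example (not part of the courseware). Uses the Defender module built in
# to Windows 8.1 (Get-MpComputerStatus, Get-MpPreference, Get-MpThreatDetection)
# to report the settings discussed in this lesson. Run from an elevated prompt.

function Test-DefenderPosture {
    param(
        [int]$MaxSignatureAgeDays = 3,   # assumption: tolerated definition age
        [int]$MaxQuickScanAgeDays = 1    # the lesson recommends a daily Quick Scan
    )
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # Exclusions shorten scans but reduce protection, so list every one of them.
    $exclusions = @((@($pref.ExclusionProcess) + @($pref.ExclusionPath) +
                     @($pref.ExclusionExtension)) | Where-Object { $_ })

    $ok = { param($condition) if ($condition) { 'OK' } else { 'Review' } }
    $rows = @(
        @('Real-time protection enabled', $status.RealTimeProtectionEnabled,
            (& $ok $status.RealTimeProtectionEnabled)),
        @('Antivirus definition age (days)', $status.AntivirusSignatureAge,
            (& $ok ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays))),
        @('Antispyware definition age (days)', $status.AntispywareSignatureAge,
            (& $ok ($status.AntispywareSignatureAge -le $MaxSignatureAgeDays))),
        @('Days since last quick scan', $status.QuickScanAge,
            (& $ok ($status.QuickScanAge -le $MaxQuickScanAgeDays))),
        @('Scan archive files', (-not $pref.DisableArchiveScanning),
            (& $ok (-not $pref.DisableArchiveScanning))),
        @('Scan removable drives', (-not $pref.DisableRemovableDriveScanning),
            (& $ok (-not $pref.DisableRemovableDriveScanning))),
        @('Create a system restore point', (-not $pref.DisableRestorePoint),
            (& $ok (-not $pref.DisableRestorePoint))),
        @('Remove quarantined files after (days)', $pref.QuarantinePurgeItemsAfterDelay, 'Info'),
        @('Exclusions', ($exclusions -join ', '), (& $ok ($exclusions.Count -eq 0)))
    )
    foreach ($r in $rows) {
        [pscustomobject]@{ Check = $r[0]; Value = $r[1]; Status = $r[2] }
    }
}

function Get-RecentDetection {
    # Lists detections from the last $Days days, as on the History page.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-MpThreatDetection |
        Where-Object { $_.InitialDetectionTime -ge $since } |
        ForEach-Object {
            $threat = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Detected        = $_.InitialDetectionTime
                Threat          = $threat.ThreatName
                Resources       = $_.Resources -join '; '
                ActionSucceeded = $_.ActionSuccess
            }
        }
}

Test-DefenderPosture | Format-Table -AutoSize
Get-RecentDetection -Days 7 | Format-Table -AutoSize

# On-demand scans from the same module:
#   Start-MpScan -ScanType QuickScan
#   Start-MpScan -ScanType CustomScan -ScanPath 'D:\'
```

Rows with a Status of Review are settings that differ from what this lesson recommends; Info rows are reported without a judgment.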

Demonstration: Removing Malicious Software with Windows Defender


Note: This is a practice session.
In this practice session, you will:

Perform a quick scan.

Test malware detection.

Examine the Windows Defender history.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. These should already
be running from the lab, but if they are not, before you begin the practice session, you must complete the
following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Perform a quick scan
1. On LON-CL1, click Start.
2. In Start, type Windows Defender, and then click Windows Defender.
3. On the Windows Defender Home tab, verify that the Quick scan option is selected, and then click
   Scan now.
4. Review the results of the scan.

Test malware detection

1. Click File Explorer.
2. In the File Explorer address bar, type D:\Labfiles\Mod12\Malware, and then press Enter.
3. In the Malware folder, double-click Sample.txt in Notepad. The Sample.txt file contains a text string
   used to test malware detection.
4. In Notepad, in the Sample.txt file, delete both instances of <remove> (including the angle brackets
   and the blank line before and after the string of remaining text).
5. In Notepad, click File, and then click Save.
6. Close Notepad.
7. Switch to Windows Defender.
8. In Windows Defender, on the Home tab, click Custom, and then click Scan now.
9. In the Windows Defender dialog box, select the Allfiles (D:) check box, and then click OK.
10. Verify that Windows Defender detects the potential malware in the text file. You may not receive a
    notification. You can also verify that the D:\Labfiles\Mod12\Malware folder no longer contains the
    Sample.txt file.
11. In Windows Defender, click the History tab.
12. Click Quarantined items, and then click View details.
13. Click Remove all.

Examine the Windows Defender history


1. Click All detected items, and then click View details.
2. Review the results. The suspect code was removed.
3. Close all open windows.

Completion Steps

After you have completed the practice session, revert the virtual machines in preparation for
the next module:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lesson 4

Applying Application and Windows Updates

To keep computers that are running Windows 8.1 stable and protected, you must update them regularly
with the latest security updates and fixes. Windows Update enables you to download and install important
and recommended updates automatically, instead of visiting the Windows Update website. To utilize
Windows Update effectively, you must be aware of the configuration options that Windows Update has
available, and you must be able to guide users on how to configure these options.

Lesson Objectives
After completing this lesson, you will be able to:

Explain why application updates and Windows operating system updates are important.

Describe methods for applying updates.

Describe how you can use Windows Server Update Services (WSUS) to manage updates.

Explain how to configure Windows Update on Windows 8.1.

Describe how to manage updates.

Explain how to use Group Policy Objects (GPOs) to configure Windows Update settings.

Explain how to troubleshoot Windows Update issues.

Why Are Updates Important?


It is important to keep Windows 8.1 and applications up to date. Consider the following
factors when determining an update strategy:

Updates may include security fixes to protect against recent malware and other security
threats.

Updates may include functional changes that enable compatibility with devices and
peripherals.

Updates may include corrections in software behavior that help to eliminate functionality
problems with either Windows 8.1 or with the applications installed on the computer.

Consistency is important, and you can simplify the troubleshooting process by ensuring that all
computers are using the same version of software, and contain the same updates and fixes.

Methods for Applying Application Updates and Windows Updates


You can apply both application updates and
Windows operating system updates in a number
of ways. For single computers and smaller
networks, you may decide to implement updates
on a reactive basis, using a manual process
in which a local user or administrator
initiates the updates.
For many computers in larger networks, the
reactive manual approach is too time-consuming.
Administrators of larger networks will most likely
opt to use an automated method for distributing
updates for Windows operating systems, devices,
and installed applications.
You can automate the update process in a number of ways, including using Windows Update and
Windows Intune.

Windows Update

Windows Update is a service that provides software updates that keep your computer up-to-date and
protected. On the Windows Update page, you can review the important and optional updates that are
available for your computer.

You can configure Windows Update to download and install updates for your computer automatically, or
you can decide to install updates manually. You must configure computers that are running Windows 8.1
to download and install updates automatically to ensure that the computer has the most up-to-date and
protected configuration possible. You can turn on Automatic Updates during the initial Windows 8.1
setup, or you can configure it later.

Windows Update downloads your computer's updates in the background while you are online. If your
Internet connection is interrupted before an update downloads fully, the download process resumes when
the connection becomes available.

Note: By default, Windows 8.1 will download and install updates automatically.

Note: Windows Update also can update non-Microsoft software components.

System Center 2012 Configuration Manager

Microsoft System Center 2012 Configuration Manager performs many configuration management-based
tasks in an enterprise, including update management. You can use Configuration Manager to incorporate
WSUS into your configuration management environment and to provide greater control over update
scheduling, deployment, and reporting. Configuration Manager also can be used to deploy non-Microsoft
updates.

Windows Intune

Windows Intune is a management tool. One feature of Windows Intune is central update management.
With Windows Intune, you can send out updates. These can include both updates for Windows
operating systems and updates for non-Microsoft apps. With Windows Intune, you can
perform the following tasks:

Approve and deploy updates after they have been tested, and not immediately after updates have
been released.

Approve different updates for different computer groups.

Approve updates manually or automatically, based on several criteria.

Uninstall updates.

Deploy both Microsoft updates and non-Microsoft updates in the same way.

Windows Intune also provides you with reports that inform you about which updates the clients require,
which updates are pending, and which updates are already installed.

Microsoft updates are made available through Windows Intune automatically, as soon as they are released
to Windows Update. However, with non-Microsoft updates, you must obtain and upload the updates to
Windows Intune cloud storage before you can approve and deploy them to client computers.

Using WSUS to Manage Updates


The WSUS role provides a central management
point for updates to your computers running the
Windows operating system. By using WSUS, you
can create a more efficient update environment in
your organization, and stay better informed of the
overall update status of the computers on your
network. This topic introduces you to WSUS, and
describes the key features of the WSUS server role.
WSUS is a server role included in the Windows
Server 2012 operating system that downloads
and distributes updates to Windows clients
and servers. WSUS can obtain updates that are
applicable to the Windows operating system, and common Microsoft programs such as the Microsoft
Office suite, and Microsoft SQL Server.

In the simplest configuration, a small organization can have a single WSUS server that downloads updates
from the Microsoft Update website. The WSUS server then distributes the updates to computers that are
configured to obtain automatic updates from the WSUS server. You must approve the updates before
clients can download them.
Larger organizations can create a hierarchy of WSUS servers. In this scenario, a single centralized WSUS
server obtains updates from Microsoft Update, and other WSUS servers obtain updates from the
centralized WSUS server.
You can organize computers into groups to simplify the approval of updates. For example, you can
configure a pilot group to be the first set of computers that you use for testing updates.

WSUS can generate reports to help monitor update installation. These reports can identify which
computers have not applied recently approved updates. Based on these reports, you can investigate why
updates are not being applied.

The WSUS Update Management Process

The update management process allows you to manage and maintain WSUS and the updates retrieved by
WSUS. This process is a continuous cycle during which you can reassess and adjust the WSUS deployment
to meet changing needs. The four phases in the update management process are:

Assess

Identify

Evaluate and plan

Deploy

The assess phase

The goal of the assess phase is to set up a production environment that supports update management for
routine and emergency scenarios. The assess phase is an ongoing process that you use to determine the
most efficient topology for scaling the WSUS components. As your organization changes, you might
identify a need to add more WSUS servers in different locations.

The identify phase


During the identify phase, you identify new updates that are available, and determine whether they
are relevant to your organization. You have the option to configure WSUS to retrieve all updates
automatically, or to retrieve only specific types of updates. WSUS also identifies which updates are
relevant to registered computers.

The evaluate-and-plan phase

After you identify the relevant updates, you need to evaluate whether they work properly in your
environment. There is always the possibility that the specific combination of software in your environment
might have problems with an update.

To evaluate updates, you should have a test environment in which you can apply updates to verify
proper functionality. During this time, you might identify dependencies that are required for an update to
function properly, and you can plan any changes that you need to make. You can achieve this if you use
one or more computer groups for testing purposes. For example, you may have a computer group with
client computers that run all the operating systems and applications that are updated by using WSUS. You
can use another computer group for servers that run the different applications and operating systems that
are updated by WSUS. Before you deploy updates to the entire organization, you can push updates to
these computer groups, and then test them. Only after making sure they work as expected should you
move on to the deploy phase.

The deploy phase

After you have thoroughly tested an update and determined any dependencies, you can approve it
for deployment in the production network. Ideally, you should approve the update for a pilot group of
computers before approving the update for the entire organization. You also can configure WSUS to use
automatic updates. (Automatic updates are discussed in the next topic.)

Configuring Windows Update


The Automatic Updates feature of Windows
Update downloads and installs important updates,
including security and critical performance
updates. However, you must select recommended
and optional updates manually.
The time that it takes to install updates depends
on the configuration options that you select. Most
updates occur seamlessly, with the following
exceptions:

If an update requires a restart to complete installation, you can schedule the restart for
a specific time.

When a software update is applied to an app that is in use, Windows 8.1 can save the app's data,
close the app, update the app, and then restart the app. Windows 8.1 might prompt the user to
accept Microsoft Software License Terms when the app restarts.

When you configure Windows Update, consider the following:

Use WSUS in a corporate environment.

Note: You can configure Windows 8.1 devices to use a WSUS server instead of defaulting
to Windows Update, either by using GPOs, or manually changing the settings of each individual
device. To use GPOs, configure the Specify intranet Microsoft update service location setting.
For more details, see the topic Configuring Update Settings with GPOs.

Use Configuration Manager for larger environments that have more than 100 systems.

Use the recommended settings to download and install updates automatically.

The recommended settings download and install updates automatically at 03:00 daily. If the
computer is turned off, the installation will be done the next time that the computer turns on. By using the
recommended settings, users do not have to search for critical updates or worry that critical fixes may be
missing from their computers.
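
When Windows Update is configured through GPOs, the resulting values are written under the Windows Update policy key in the registry, so you can confirm on a client whether it points at a WSUS server and how Automatic Updates is set. This is an added example, not part of the courseware; the function names and the sample WSUS host name are assumptions, and the sample values are constructed.

```powershell
# Added example (not part of the courseware). Reads the registry values that the
# Windows Update Group Policy settings write and summarizes the effective policy.

function Get-WindowsUpdatePolicy {
    $root = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $values = @{}
    foreach ($key in @($root, "$root\AU")) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            # Skip the PSPath, PSParentPath, ... properties added by the provider.
            if ($p.Name -notlike 'PS*') { $values[$p.Name] = $p.Value }
        }
    }
    return $values
}

function Test-WindowsUpdatePolicy {
    param([hashtable]$Policy = (Get-WindowsUpdatePolicy))

    function New-Row($Setting, $Value, $Status) {
        [pscustomobject]@{ Setting = $Setting; Value = $Value; Status = $Status }
    }
    $auText = @{
        2 = 'Notify for download and notify for install'
        3 = 'Auto download and notify for install'
        4 = 'Auto download and schedule the install'
        5 = 'Allow local admin to choose setting'
    }
    $days = @('Every day', 'Sunday', 'Monday', 'Tuesday', 'Wednesday',
              'Thursday', 'Friday', 'Saturday')

    if ($Policy.Count -eq 0) {
        New-Row 'Windows Update policy' 'Not configured; local settings apply' 'Info'
        return
    }

    if ($Policy['NoAutoUpdate'] -eq 1) {
        New-Row 'Configure Automatic Updates' 'Disabled by policy' 'Review'
    } elseif ($Policy.ContainsKey('AUOptions')) {
        $opt = [int]$Policy['AUOptions']
        # Only option 4 installs updates without waiting for the user.
        $status = if ($opt -eq 4) { 'OK' } else { 'Review' }
        New-Row 'Configure Automatic Updates' "$opt = $($auText[$opt])" $status
        if ($opt -eq 4) {
            # Missing schedule values fall back to every day at 03:00.
            $day  = if ($Policy.ContainsKey('ScheduledInstallDay'))  { [int]$Policy['ScheduledInstallDay'] }  else { 0 }
            $hour = if ($Policy.ContainsKey('ScheduledInstallTime')) { [int]$Policy['ScheduledInstallTime'] } else { 3 }
            New-Row 'Scheduled install' ('{0} at {1:00}:00' -f $days[$day], $hour) 'Info'
        }
    }

    $server = [string]$Policy['WUServer']
    if ($Policy['UseWUServer'] -eq 1 -and $server) {
        # Update traffic over plain HTTP can be altered in transit, so flag it.
        $status = if ($server -match '^https://') { 'OK' } else { 'Review' }
        New-Row 'Update source' "WSUS: $server" $status
    } else {
        New-Row 'Update source' 'Windows Update' 'Info'
    }
}

# Constructed sample: values a GPO could write for a WSUS-managed client.
$sample = @{
    NoAutoUpdate = 0; AUOptions = 3; UseWUServer = 1
    WUServer = 'http://wsus.adatum.example:8530'   # constructed host name
}
Test-WindowsUpdatePolicy -Policy $sample | Format-Table -AutoSize

# Live check on the local computer:
Test-WindowsUpdatePolicy | Format-Table -AutoSize
```

For the constructed sample, both the Automatic Updates row (option 3 does not install automatically) and the update source row (WSUS over HTTP) are marked Review.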

Change Settings
From the Windows Update page, you also have access to the Change Settings features. On the Change
Settings page, you can select from four settings:

Install updates automatically (recommended)

Download updates but let me choose whether to install them

Check for updates but let me choose whether to download and install them

Never check for updates (not recommended)

Additionally, you can configure the following two options:

Give me recommended updates the same way I receive important updates

Give me updates for other Microsoft products when I update Windows

As a best practice, you should choose to have updates install automatically, so that Windows will install
important updates as they become available. However, if you do not want updates to install or download
automatically, you can select instead to be notified when updates apply to your computer, so that you can
download and install them yourself. For example, if you have a slow Internet connection or your work is
interrupted because of automatic updates, you can configure Windows to check for updates, but then
download and install them yourself later.

Managing Updates
Generally, applying updates does not create
problems with most computers. However,
occasionally, an installed update may conflict
with the unique combination of installed
hardware and software in one of your users'
computers. This can result in a reliability problem.
When this occurs, you can use Windows Update
to review installed updates, and where necessary,
uninstall an update.

View Update History


To review your update history, on the Windows
Update page, click View update history. In the
Status column, you can ensure that all important updates installed successfully.

Uninstall Updates

If you need to remove an update that has been installed, from the View update history page, click
Installed Updates. You can then view all the installed updates, and where necessary, you can right-click an
update, and then click Uninstall.

Hide Updates

If the update attempts to reinstall at a later time, you can hide the update. To hide an update that you do
not want to install, from Windows Update, click the link for the available updates. Right-click the update
that you do not want to install, and then click Hide update.

Restore Hidden Updates

If you have resolved the underlying problem with the update you uninstalled, and you now want to
reinstall it, you first must unhide the update. From Windows Update, in the left pane, click Restore hidden
updates.

Configuring Update Settings with GPOs


Group Policy is an administrative tool that you use
to manage user settings and computer settings
over a network. You also can use Group Policy
settings to configure Windows Update.
In the Group Policy Management Editor, navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update. From there, select the
appropriate policy setting:

Do not display Install Updates and Shut Down option in Shut Down Windows dialog box.

This policy setting allows you to manage whether the Install Updates and Shut Down option will
display in the Shut Down Windows dialog box.

If you enable this policy setting, Install Updates and Shut Down will not display as a choice in the
Shut Down Windows dialog box, even if updates are available for installation when the user selects
the Shut Down option in the Start menu.

If you disable or do not configure this policy setting, the Install Updates and Shut Down option will
be available in the Shut Down Windows dialog box if updates are available when the user selects
the Shut Down option in the Start menu.

Do not adjust default option to Install Updates and Shut Down in Shut Down Windows
dialog box.

You can use this policy setting to manage whether the Install Updates and Shut Down option is the
default choice in the Shut Down Windows dialog box.
If you enable this policy setting, the user's last shutdown choice (such as Hibernate, or Restart) is the
default option in the Shut Down Windows dialog box, regardless of whether the Install Updates
and Shut Down option is available in the What do you want the computer to do? list.

If you disable or do not configure this policy setting, the Install Updates and Shut Down option will
be the default option in the Shut Down Windows dialog box, if updates are available for installation
when the user selects the Shut Down option in the Start menu.

Enabling Windows Update Power Management to automatically wake up the system to install
scheduled updates.

This policy specifies whether the Windows Update will use the Windows Power Management features
to automatically wake up your system from hibernation if updates need to be installed.
Windows Update will wake up your system automatically only if you configure Windows Update to
install updates automatically. If the system is in hibernation when the scheduled install time occurs,
and there are updates to be applied, then Windows Update will use the Windows Power
Management feature to wake the system automatically to install the updates.

The system will not wake unless there are updates to be installed. If the system is on battery power,
when Windows Update wakes it up, it will not install updates, and the system will automatically return
to hibernation in two minutes.

Configure Automatic Updates


This setting specifies whether the computer will receive security updates and other important
downloads through the Windows automatic updating service.

This setting lets you specify whether to enable automatic updates on your computer. If you enable
this service, you must select one of the four options in the Group Policy setting:
o 2 = Notify for download and notify for install

When Windows finds updates that apply to your computer, an icon displays in the status area,
with a message that updates are ready for download.

Clicking the icon or the message provides the option to select the specific updates that you want
to download. Windows then downloads your selected updates in the background.
When the download completes, the icon displays in the status area again, with notification that
the updates are ready for installation. Clicking the icon or message provides the option to select
which updates to install.
o 3 = Auto download and notify for install

Windows finds updates that apply to your computer, and then downloads these updates in the
background, so that the user is not notified or interrupted during this process.
When the download completes, the icon displays in the status area, with notification that the
updates are ready for installation. Clicking the icon or message provides the option to select
which updates to install.
o 4 = Auto download and schedule the install


Specify the schedule by using the options in the Group Policy setting. If you do not specify a
schedule, the default schedule for all installations will be every day at 03:00.

If any of the updates require a restart to complete the installation, the Windows operating system
will restart the computer automatically. If a user is signed in to the computer when the Windows
operating system is ready to restart, the user will be notified and given the option to delay the
restart.
o 5 = Allow local admin to choose setting

With this option, the local administrators will be allowed to use the Automatic Updates control
panel to select a configuration option. For example, administrators can choose their own
scheduled installation time. Local administrators will not be allowed to disable Automatic
Updates configuration.

To use the Configure Automatic Updates setting, click Enabled, and then select one of the options
(2, 3, 4, or 5). If you select 4, you can set a recurring schedule. If you do not specify a schedule, all
installations will occur every day at 03:00.
If the status is set to Enabled, Windows recognizes when the computer is online, and then uses its
Internet connection to search Windows Update for updates that apply to your computer.
If the status is set to Disabled, you must manually download and install any updates that are
available on Windows Update.

If the status is set to Not Configured, use of Automatic Updates is not specified at the Group Policy
level. However, an administrator can still configure Automatic Updates through Control Panel.

Specify intranet Microsoft update service location

This setting specifies an intranet server to host updates from Microsoft Update. You can then use this
update service to update your network's computers automatically.
This setting lets you specify a server on your network to function as an internal update service. The
Automatic Updates client will search this service for updates that apply to the computers on your
network.
To use this setting, you must set two server name values:
o The server from which the Automatic Updates client detects and downloads updates.
o The server to which updated workstations upload statistics.

You can set both values to be the same server.

If the status is set to Enabled, the Automatic Updates client connects to the specified intranet
location, instead of Windows Update, to search for and download updates. Enabling this setting
means that end users in your organization do not have to go through a firewall to get updates, and it
gives you the opportunity to test updates before deploying them.

If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy
or user preference, the Automatic Updates client connects directly to the Windows Update site on the
Internet.

Automatic Updates detection frequency

This policy specifies the hours that Windows will use to determine how long to wait before checking
for available updates. The exact wait time is determined by using the hours that you specify in this
policy, minus zero to twenty percent of the hours specified. For example, if you specify this policy for
a 20-hour detection frequency, then all clients to which this policy is applied will check for updates
anywhere between 16 and 20 hours.
If the status is set to Enabled, Windows will check for available updates at the specified interval.
If the status is set to Disabled or Not Configured, Windows will check for available updates at the
default interval of 22 hours.

Allow non-administrators to receive update notifications


This policy setting allows you to control whether non-administrative users will receive update
notifications based on the Configure Automatic Updates policy setting.
If you enable this policy setting, Windows Update and Microsoft Update will include
non-administrators during the process of determining which signed-in user will receive update
notifications.

Non-administrative users will be able to install all optional, recommended, and important updates
for which they received a notification. Users will not see a User Account Control window and do not
require elevated permissions to install these updates, except in the case of updates that contain User
Interface, End User License Agreement, or Windows Update setting changes.
If you disable or do not configure this policy setting, then only administrative users will receive
update notifications. By default, this policy setting is disabled.

If the Configure Automatic Updates policy setting is disabled or not configured, then the Elevate
Non-Admin policy setting has no effect.

Turn on Software Notifications


This policy setting allows you to control whether users can view detailed enhanced notification
messages about featured software from the Microsoft update service.

Enhanced notification messages convey the value of optional software, and promote its installation
and use. This policy setting is intended for use in loosely managed environments in which you allow
the end user access to the Microsoft update service.

If you enable this policy setting, a notification message will appear on the user's computer when
featured software is available. The user can click the notification to open the Windows Update
application and get more information about the software, or install it. The user also can click Close
this message or Show me later to defer the notification as appropriate. In Windows 8.1, this policy
setting will only control detailed notifications for optional applications.

If you disable or do not configure this policy setting, Windows 8.1 users will not be offered detailed
notification messages for optional applications. By default, this policy setting is disabled. If you are
not using the Microsoft update service, then the Software Notifications policy setting has no effect. If
the Configure Automatic Updates policy setting is disabled or is not configured, then the Software
Notifications policy setting has no effect.

Allow Automatic Updates immediate installation

This setting specifies whether Automatic Updates will automatically install certain updates that neither
interrupt Windows services, nor restart Windows. If the status is set to Enabled, Automatic Updates
will install these updates immediately once they are downloaded and ready to install.
If the status is set to Disabled, such updates will not be installed immediately. If the Configure
Automatic Updates policy is disabled, this policy has no effect.

Turn on recommended updates via Automatic Updates

This setting specifies whether Automatic Updates will deliver both important and recommended
updates from the Windows Update service. When this policy is enabled, Automatic Updates will install
recommended and important updates from Windows Update. When disabled or not configured,
Automatic Updates will continue to deliver important updates if it is already configured to do so.

No auto-restart with logged on users for Scheduled automatic updates installations

This setting specifies that to complete a scheduled installation, Automatic Updates will wait for the
computer to be restarted by any user who is signed in, instead of causing the computer to restart
automatically.

If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a
scheduled installation, if a user is signed in to the computer. Instead, Automatic Updates will notify
the user to restart the computer.

Re-prompt for restart with scheduled installations

This setting specifies the amount of time for Automatic Updates to wait before prompting the user
again to restart and complete the update process.

If the status is set to Enabled, a scheduled restart will occur in the specified number of minutes after
the previous prompt for restart was postponed.
If the status is set to Disabled or Not Configured, the default interval is 10 minutes.

Delay Restart for scheduled installations

This setting specifies the amount of time for Automatic Updates to wait before proceeding with a
scheduled restart.

If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the
installation is finished.
If the status is set to Disabled or Not Configured, the default wait time is 15 minutes.

Reschedule Automatic Updates scheduled installations


This setting specifies the amount of time for Automatic Updates to wait, following system startup,
before proceeding with a scheduled installation that was missed previously.
If the status is set to Enabled, a scheduled installation that did not take place earlier will occur the
specified number of minutes after the computer is next started.
If the status is set to Disabled, a missed scheduled installation will occur with the next scheduled
installation.

If the status is set to Not Configured, a missed scheduled installation will occur one minute after the
computer next starts.

Enable client-side targeting


This setting specifies the target group name or names that will be used to receive updates from an
intranet Microsoft update service.

If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft
Update service. The service uses this information to determine which updates must be deployed to
the computer.
If the intranet Microsoft update service supports multiple target groups, this policy can specify
multiple group names separated by semicolons. Otherwise, you must specify a single group.
If the status is set to Disabled or Not Configured, no target group information will be sent to the
intranet Microsoft update service.

Allow signed updates from an intranet Microsoft update service location


This policy setting allows you to manage whether Automatic Updates accepts updates signed by
entities other than Microsoft, when the update is listed on an intranet Microsoft update service
location.
If you enable this policy setting, Automatic Updates accepts updates received through an intranet
Microsoft update service location, if the updates are signed by a certificate found in the Trusted
Publishers certificate store of the local computer.
If you disable or do not configure this policy setting, updates from an intranet Microsoft update
service location must be signed by Microsoft.
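
Group Policy writes the Windows Update settings described above to registry values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, so you can check what a client actually received. The following Windows PowerShell script is an added example, not part of the courseware: it reads those values and reports them in the terms used above. The HTTPS check on the intranet server URL is an extra review item that the text does not cover.

```powershell
# Added example (not courseware code). Read-only: queries the policy registry
# keys and the Trusted Publishers certificate store on the local computer.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns nothing when the key or value is absent (policy Not Configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function New-Row {
    param([string]$Setting, $Value, [string]$Meaning)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; Meaning = $Meaning }
}

# Option numbers as listed for the Configure Automatic Updates setting.
$auOptionText = @{
    2 = 'Notify for download and notify for install'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}
$rows = @()

# --- Configure Automatic Updates ---
$noAutoUpdate = Get-PolicyValue $auKey 'NoAutoUpdate'
$auOptions    = Get-PolicyValue $auKey 'AUOptions'
if ($noAutoUpdate -eq 1) {
    $rows += New-Row 'Configure Automatic Updates' 'Disabled' 'Updates must be downloaded and installed manually'
} elseif ($null -eq $auOptions) {
    $rows += New-Row 'Configure Automatic Updates' 'Not Configured' 'Administrators can still use Control Panel'
} else {
    $rows += New-Row 'Configure Automatic Updates' $auOptions $auOptionText[[int]$auOptions]
    if ($auOptions -eq 4) {
        $day  = Get-PolicyValue $auKey 'ScheduledInstallDay'    # 0 = every day, 1-7 = Sunday-Saturday
        $hour = Get-PolicyValue $auKey 'ScheduledInstallTime'   # hour of the day, 0-23
        if ($null -eq $day)  { $day = 0 }
        if ($null -eq $hour) { $hour = 3 }                      # default schedule: every day at 03:00
        $dayText = if ($day -eq 0) { 'every day' } else { [string][System.DayOfWeek]($day - 1) }
        $rows += New-Row 'Scheduled install' ('{0:00}:00' -f $hour) "Installs $dayText"
    }
}

# --- Specify intranet Microsoft update service location ---
$useWsus  = Get-PolicyValue $auKey 'UseWUServer'
$wuServer = Get-PolicyValue $wuKey 'WUServer'
$wuStatus = Get-PolicyValue $wuKey 'WUStatusServer'
if ($useWsus -eq 1 -and $wuServer) {
    $rows += New-Row 'Update source' $wuServer 'Intranet update service'
    if (-not $wuStatus) {
        $rows += New-Row 'Statistics server' '(missing)' 'Both server name values must be set'
    }
    foreach ($url in (@($wuServer, $wuStatus) | Where-Object { $_ } | Select-Object -Unique)) {
        if ($url -notmatch '^https://') {
            $rows += New-Row 'Transport' $url 'REVIEW: not HTTPS, so update traffic is not protected by TLS'
        }
    }
} else {
    $rows += New-Row 'Update source' 'Windows Update' 'No intranet server set by policy'
}

# --- Automatic Updates detection frequency ---
$dfEnabled = Get-PolicyValue $auKey 'DetectionFrequencyEnabled'
$dfHours   = Get-PolicyValue $auKey 'DetectionFrequency'
if ($dfEnabled -eq 1 -and $dfHours) {
    # Actual wait is the configured hours minus zero to twenty percent.
    $rows += New-Row 'Detection frequency' "$dfHours h" ('Client checks every {0} to {1} hours' -f ($dfHours * 0.8), $dfHours)
} else {
    $rows += New-Row 'Detection frequency' 'Default' 'Client checks at the default interval of 22 hours'
}

# --- Allow signed updates from an intranet Microsoft update service location ---
if ((Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts') -eq 1) {
    $certs = @(Get-ChildItem Cert:\LocalMachine\TrustedPublisher)
    $rows += New-Row 'Non-Microsoft signed updates' 'Accepted' "$($certs.Count) certificate(s) in Trusted Publishers can sign intranet updates"
    foreach ($c in $certs) {
        $rows += New-Row '  Trusted publisher' $c.Subject "Expires $($c.NotAfter.ToString('yyyy-MM-dd'))"
    }
} else {
    $rows += New-Row 'Non-Microsoft signed updates' 'Rejected' 'Intranet updates must be signed by Microsoft'
}

# --- Client-side targeting, notifications, restart behavior ---
if ((Get-PolicyValue $wuKey 'TargetGroupEnabled') -eq 1) {
    $rows += New-Row 'Target group(s)' (Get-PolicyValue $wuKey 'TargetGroup') 'Sent to the intranet update service'
}
if ((Get-PolicyValue $wuKey 'ElevateNonAdmins') -eq 1) {
    $rows += New-Row 'Non-administrators' 'Notified' 'Can install updates they are notified about without elevation'
}
if ((Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers') -eq 1) {
    $rows += New-Row 'Auto-restart' 'Suppressed' 'Signed-in users are notified to restart instead'
}

$rows | Format-Table -AutoSize -Wrap
```

Review the Trusted publisher rows with particular care: every certificate listed there can sign content that the client will install from the intranet update service.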

Troubleshooting Windows Update Issues


On occasion, an update can introduce reliability or
performance problems after it has been applied to
a computer. In these situations, you must remove
the update that has caused the problem.

Uninstall Updates
The simplest way to remove a problematic
update is to uninstall it. From Control Panel, click
Windows Update, click View update history, and
then click Installed Updates. You can then right-click the suspect update, and then click Uninstall.
Note: To ensure that the update is not
reapplied, you must hide it from the list of available updates.

Use System Restore

If you are unsure which update has caused a problem, you can use System Restore to restore the
computer's configuration to an earlier point in time. This will, of course, potentially remove many updates.
You will then have to determine which updates to hide to prevent deployment, and which to allow to
install.
Note: If you choose to use Windows Intune or WSUS, you can deploy updates to test
computers prior to deploying them to your production environment. This can help to ensure that
the updates do not introduce functionality or reliability problems.

Module Review and Takeaways


Review Questions
Question: If you have problems with your computer's performance, how can you create a
data collector set to analyze a performance problem?
Question: What is the benefit of configuring Windows Update by using Group Policy rather
than by using Control Panel?

Module 13
Recovering Windows 8.1
Contents:
Module Overview
Lesson 1: File Recovery in Windows 8.1
Lesson 2: Recovery Options in Windows 8.1
Lab A: Troubleshooting a Windows 8.1 Computer (1)
Lab B: Troubleshooting a Windows 8.1 Computer (2)
Module Review and Takeaways

Module Overview

Protecting the data on your computer systems from accidental loss or corruption is an important role for
administrators. To recover your computer from some types of problems, restoring system settings can be
easier than reinstalling the computer's operating system and apps.
Windows 8.1 provides several tools that you can use to back up important data files and to recover a
computer. To support your users, it is important that you understand how to use these file backup and
system recovery tools.

Objectives
After completing this module, you will be able to:

Recover files in Windows 8.1.

Recover a computer running Windows 8.1.

Lesson 1

File Recovery in Windows 8.1

Although you might implement a file-recovery strategy for user data that is stored on network file servers
or network-accessible storage devices, you must remember that users often save their work to local
storage. Consequently, you must be prepared to provide some method of local file recovery, so that if
these data files become corrupt or you delete them accidentally, you can recover them.

Lesson Objectives
After completing this lesson, you will be able to:

Explain the importance of providing a means of local file recovery.

Describe the File History feature in Windows 8.1.

Explain how to recover files by using File History.

The Importance of File Recovery


Although computers are generally reliable,
and most operating systems are robust and
recoverable, problems do occur. Sometimes
these problems can result in data loss.
A computer contains different types of data that
it stores in different locations. Computer data
types include operating system configuration
files, application program settings, user-related
settings, and users' data files. Users' data files can
include documents, images, and spreadsheets.

A computer that is running Windows 8.1 stores
these files in several locations, so you must ensure
that you protect all of the files. That way, if a computer problem occurs, no data is lost. You can help to
protect these data files and settings by performing regular backups, either by copying the files manually
to other media, or by using Windows 8.1 recovery tools.

What Is the File History Tool?


Windows 8.1 provides the File History tool,
which you can use to recover deleted files or
to revert a file to a previous version. With File
History, Windows 8.1 saves copies of your files
automatically to a removable local drive or to a
network shared folder.
Note: You can access the File History tool
from Control Panel by clicking System and
Security, and then clicking File History.

Using File History

After you enable File History, it saves a copy of your files every hour to the designated location. Windows
8.1 then saves these versions indefinitely, by default. However, you can configure the save duration and
the length of time that Windows 8.1 will retain the versions.
File History backs up the following folders:

Contacts

Desktop

Favorites

Additionally, it backs up the following libraries:

Documents

Music

Pictures

Videos

Note: You cannot add top-level folders to this list, but you can define exceptions from this
list for files and data that you do not want to back up.

To recover files, you can click Restore personal files from within File History, and then select the file
from the folders or libraries in your backup. Alternatively, you can recover files directly from File Explorer.
Navigate to the folder that contained a deleted file, and then on the ribbon, click the History button. The
File History opens, and lists the recoverable files.
Note: You may need to expand the ribbon to view the History option.

Windows Backup

Windows 8.1 does not provide a graphical interface to the Windows Backup tool that was provided in
earlier versions of Windows, including Windows 8. However, if you wish, you can still use this backup tool
from the command line to perform backup and restore operations.
You can use the WBadmin start backup command to create a backup. The following command will back
up the entirety of drive C to drive D:
WBadmin start backup -BackupTarget:D: -Include:C:

You can use the WBadmin start recovery command to restore a backup that you previously created. For
example, to recover the backup from March 31, 2013, taken at 10:00 A.M., of volume E:, type:
WBadmin start recovery -version:03/31/2013-10:00 -itemType:Volume -items:e:

Note: Windows 8.1 does not include Windows 7 File Recovery features that were included
in Windows 8.

Demonstration: Recovering Files


Note: This is a practice session.
In this practice session, you will:

Create and edit a Microsoft Word document.

Enable and configure File History.

Test File History.

Preparation Steps

For this practice session, you need to use the available virtual machine environment. Before you begin the
practice session, you must complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Microsoft Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   User name: Administrator
   Password: Pa$$w0rd
   Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Create and edit a Microsoft Word document
1. Switch to the LON-CL1.
2. On the Start screen, click the Desktop tile.
3. On the desktop, on the taskbar, click the File Explorer icon.
4. In File Explorer, double-click Documents.
5. In the documents folder, right-click an area of free space, point to New, and then click Microsoft
   Word Document.
6. Type Recovery file, and then press Enter.
7. Double-click Recovery file.docx.
8. If the Microsoft Office Activation Wizard appears, click Close.
9. In the First things first Wizard, click Ask me later, and then click Accept.

10. Click Next three times, and then click All done.
11. In Word, type This is my file, and then press the Ctrl+S keys.
12. Close Word.

Enable and configure File History


1. Press the Windows key+C, and then click Settings.
2. In Settings, click Control Panel.
3. In Control Panel, click System and Security, and then click File History.
4. In File History, click Turn on.
5. In the File History window, click Advanced settings, review the options, and then click Cancel.
6. Switch to File Explorer.
7. In the navigation pane, click Allfiles (D:).
8. In the details pane, double-click FileHistory.
9. Double-click the Administrator@Adatum.com folder, which is the File History backup folder.

10. Double-click the LON-CL1 folder, and notice that it contains the backed-up files.

Test File History


1. In the navigation pane, click Documents.
2. In File Explorer, right-click Recovery file.docx, and then click Delete.
3. In File Explorer, on the ribbon, click the Home tab, and then click History.
4. In Documents File History, right-click Recovery file.docx, and then click Restore.
5. In File Explorer, notice that the Word document has been recovered.
6. Close all open windows.

Completion Steps

After you have completed the practice session, leave the virtual machines running for the next
practice session.

Lesson 2

Recovery Options in Windows 8.1

When a user's computer has functionality issues, or when it does not start correctly or does not start at all,
you must consider how best to recover the computer. Generally, you will want to select the least invasive
and least destructive means of recovery for a given situation. This lesson explores the recovery tools that
Windows 8.1 provides, identifies when to use a particular tool, and discusses considerations for using each
recovery tool.

Lesson Objectives
After completing this lesson, you will be able to:

Describe the options available in Advanced options recovery.

Explain how and when to use System Restore.

Explain the process of creating and using a system image for recovery.

Explain how to refresh a PC.

Explain how to reset a PC.

Use various Windows 8.1 recovery options.

Advanced Options
If users experience a problem with their computer
that cannot be fixed easily, you might need to
consider using one of the several recovery tools
that Windows 8.1 provides. You can access the
following recovery tools from the Advanced
options menu in Windows 8.1:

System Restore

System Image Recovery

Startup Repair

Command Prompt

Startup Settings

You can access the Advanced options in one of two ways:


1. If the computer is still running, then from Start:
   a. Press the Windows+C keys, and then click Settings.
   b. Click Change PC settings.
   c. Click Update and recovery.
   d. Click Recovery, and then in the details pane, under Advanced startup, click Restart now.
   e. When the computer has restarted, on the Choose an option page, click Troubleshoot, and then
      click Advanced options. You can then select one of the options previously listed.

2. If the computer cannot start, then:
   a. Insert the Windows 8.1 product DVD (or other bootable media) and start the computer.
   b. When prompted to Press any key to boot from CD or DVD, press a key. Windows Recovery
      Environment (Windows RE) starts.
   c. In Windows Setup, click Next, and then click Repair your computer.
   d. On the Choose an option page, click Troubleshoot, and then click Advanced options. You can
      then select one of the options listed above.

Note: If you choose the second method to access Advanced options, the Startup Settings
option is unavailable.

Windows System Restore


The System Restore tool in Windows 8.1 rolls
back your computer's configuration to a specified
point in time. When you use System Restore, you
choose a system restore point to apply. When you
perform a system restore, the following actions
occur:

The computer's configuration is rolled back to the specified point in time.

All updates applied since the system restore point was created are removed.

All apps (both desktop and Windows Store apps) and drivers installed after the selected system
restore point are removed.

All apps and drivers installed before the selected restore point are restored to their state at that point.

The user's personal files are not affected by the restore operation.

Using System Restore

Before you can use System Restore to recover a computer, you must enable System Restore. To enable
System Restore, perform the following procedure:
1. From Start, click the Desktop tile, and then press Windows+C.
2. Click Settings, and then click Control Panel.
3. Click System and Security, and then click System.
4. In System, click System protection.
5. In System Properties, on the System Protection tab, click Configure.
6. Click Turn on system protection, and then configure the amount of disk space to reserve for system
   restore points.

You can initiate a system restore in two ways:


1. If the computer starts successfully, complete the following process:
   a. Click the Desktop tile, and then press Windows+C.
   b. Click Settings, and then click Control Panel.
   c. Click System and Security, and then click System.
   d. In System, click System protection.
   e. In System Properties, on the System Protection tab, click System Restore. System Restore starts.
   f. In the System Restore Wizard, click Next.
   g. Select the appropriate restore point.
      Use the most recent restore point that you think will yield a successful restore. Doing so
      minimizes any post-restoration work that you might have to undertake. If you are unsure of the
      impact of selecting a particular restore point, click Scan for affected programs. System Restore
      presents you with a summary of programs and drivers affected by the restoration process. This
      can help you determine which programs and drivers you must restore manually after System
      Restore completes.
   h. At the Confirm your restore point page, click Finish.

2. If you cannot start your computer normally, use the following procedure:
   a. Insert the Windows 8.1 product DVD (or other bootable media), and start the computer.
   b. When prompted to Press any key to boot from CD or DVD, press a key. Windows RE starts.
   c. In Windows Setup, click Next, and then click Repair your computer.
   d. On the Choose an option page, click Troubleshoot, and then click Advanced options.
   e. On the Advanced options page, click System Restore.
   f. On the Choose a target operating system page, select the appropriate installation. Usually,
      only a single operating system is installed, and normally, you would click Windows 8.1. System
      Restore starts to scan for restore points.
   g. In the System Restore Wizard, click Next.
   h. Select the appropriate restore point.
   i. At the Once started, System Restore cannot be interrupted prompt, click Yes.

Note: As a safety precaution, you can undo any System Restore operation that you
perform. To revert a restore point, click Undo System Restore and follow the onscreen prompts.
This reverts the previously applied restore point.

Considerations

System Restore provides a convenient way to resolve computer functionality, startup, and
configuration problems without necessarily identifying the cause of the problem. However, System
Restore will roll back the entire configuration of a computer, irrespective of the nature of the problem.
Therefore, consider alternatives to using System Restore where possible. For example, to resolve a device
driver problem, consider using the driver rollback feature.

Note: If you use System Restore to restore your computer to a previous point in time,
be aware that it is possible that connectivity to the computer's domain might be affected.
Specifically, if the computer's password has changed since the restore point was created,
your computer will be unable to sign in to the domain. In this instance, you must reset the
computer's secure channel with the domain. You can do this by using the Windows PowerShell
Reset-MachineAccountPassword cmdlet.
You can also use Netdom and Active Directory Users and Computers.
Note: For additional information about System Restore, see Module 2: Troubleshooting
Startup Issues in this course.
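
The System Restore procedure and the secure-channel note above can also be carried out from Windows PowerShell. The following script is an added example, not part of the courseware; it uses the built-in ComputerRestore cmdlets together with Test-ComputerSecureChannel and Reset-ComputerMachinePassword. The restore point description is a constructed value, and LON-DC1 is the domain controller from this course's lab environment.

```powershell
# Added example (not courseware code). Run from an elevated Windows PowerShell
# session on the Windows 8.1 client. The ComputerRestore cmdlets are supported
# only on client operating systems.

# Turn on system protection for the system drive (the same result as clicking
# Turn on system protection on the System Protection tab).
Enable-ComputerRestore -Drive "$env:SystemDrive\"

# Create a restore point before a risky change. Windows 8 and later create at
# most one restore point per 24 hours by default, so a second call inside that
# window only produces a warning.
Checkpoint-Computer -Description 'Before driver update' -RestorePointType DEVICE_DRIVER_INSTALL

# List restore points, newest first, with a readable creation time.
function Get-RestorePointList {
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber -Descending |
        Select-Object SequenceNumber,
                      @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } },
                      Description
}
Get-RestorePointList | Format-Table -AutoSize

# To roll back, pass the chosen SequenceNumber. The computer restarts.
# Restore-Computer -RestorePoint <SequenceNumber> -Confirm

# After a restore, check whether the machine account password stored locally
# still matches the one held by the domain.
function Test-DomainTrustAfterRestore {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { return 'Not domain joined: nothing to check' }
    if (Test-ComputerSecureChannel) { return "Secure channel to $($cs.Domain) is healthy" }
    return "Secure channel to $($cs.Domain) is broken: the machine account password must be reset"
}

$state = Test-DomainTrustAfterRestore
$state

if ($state -like '*broken*') {
    # Sign in with a local administrator account, then supply domain credentials
    # that are allowed to reset the computer account. Replace LON-DC1 with a
    # domain controller in your environment.
    Reset-ComputerMachinePassword -Server 'LON-DC1' -Credential (Get-Credential)
    Test-ComputerSecureChannel -Verbose
}
```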

System Image Recovery


The File History tool does not back up system files,
program files, files that are on file allocation table
(FAT) volumes, temporary files, and user profile
files. If you want to protect these file types, you
must use a system image.
A system image is an exact copy of a drive. By
default, a system image includes the drives
required for Windows operating systems to
run. It also includes Windows system files and
your system settings, programs, and files.
You can use a system image to restore the
contents of your computer if your hard drive or
computer stops working. When you restore your computer from a system image, it is a complete
restoration. You cannot choose individual items to restore, and all of your current programs, system
settings, and files are replaced with the contents of the system image.

Creating a System Image


To access System Image, click Recovery from the File History window. In the Advanced recovery tools
window, click Create a recovery drive.

Use the Recovery Drive Wizard to create your system image. You will need a removable drive, such as a
USB flash drive, to store the system image. Everything on the target drive is deleted when you initiate the
option to create a system image.

Using a System Image

If your computer does not start correctly or starts with significant problems, and you have a system image,
you can use it to recover your computer. To start the recovery process, start your computer from the
product DVD, and then when prompted, select Repair your computer.
Note: You also can access System Image Recovery from within Windows 8.1 by selecting
Update & recovery from Change PC settings. Click Recovery, and then, under Advanced startup,
click Restart now. When the computer has started into recovery mode, complete the following
instructions to apply a system image.

Click Troubleshoot, click Advanced options, and then click System Image Recovery. Select the target
operating system to recover (there is usually only one to choose). The Re-image your computer wizard
starts and scans the computer for valid system images. At this point, insert the flash drive that you used to
store the system image, and then follow the onscreen instructions to recover your computer.

Considerations

Keep in mind that using a system image to recover your computer is destructive. Everything on the
target computer is erased as part of the reimaging process. If you can recover your computer using a less
destructive process, you should consider it. However, using a system image is convenient because you do
not have to consider what went wrong with the computer. You can just restore it in its entirety to the
point in time when you created the system image backup.
Note: You can choose the Refresh your PC option to recover a computer that does not
start correctly, without erasing the entire computer.

Refresh Your PC
Use the Refresh your PC option when your
computer has suffered significant configuration
problems or errors and is not running correctly.
If you suspect a driver issue, always attempt to
resolve that by using the less destructive options,
such as driver rollback, or by using System Restore
and choosing a recent restore point.
When you perform a refresh, the following takes place:
• Your files and personalization settings are retained.
• Your PC settings are reverted to installation defaults.
• Apps from the Windows Store are retained.
• Desktop apps are removed.
• A list of these removed apps is saved on the computer desktop.

Using Refresh your PC


You can access the Refresh your PC option in one of two ways:
1. If the computer is still running, then from Start:
   a. Press the Windows+C keys, and then click Settings.
   b. Click Change PC settings.
   c. Click Update and recovery.
   d. Click Recovery, and then in the details pane, under Refresh your PC without affecting your files, click Get started.
   e. At the Refresh your PC prompt, click Next.
   f. At the Apps you'll need to install prompt, click Next.
   g. At the Ready to refresh your PC prompt, click Refresh. Your computer restarts and the Refresh process begins.
2. If the computer cannot start, then:
   a. Insert the Windows 8.1 product DVD (or other bootable media), and start the computer.
   b. When prompted to Press any key to boot from CD or DVD, press a key. Windows RE starts.
   c. In Windows Setup, click Next, and then click Repair your computer.
   d. On the Choose an option page, click Troubleshoot, and then click Refresh your PC.
   e. On the Choose a target operating system page, click the target operating system. Typically, only a single operating system is installed, so you would click Windows 8.1.
   f. On the Here's what will happen page, click Next.
   g. On the All ready to go page, click Refresh. The Refresh your PC process begins.

Considerations for Using Refresh your PC


Consider the following when you decide whether to use Refresh your PC as a recovery tool:
• The Refresh your PC option is not as destructive as performing the Reset your PC option. However, although your Windows Store apps, personal files, and personalization settings are retained, all your desktop apps are removed, and all your computer's configuration settings are reverted to their initial, post-installation state.
• You must reinstall any desktop apps and reapply any updates and configuration changes you made since the computer was first installed with Windows 8.1.
• Unlike when you use System Image Recovery, you do not need a backup to perform a refresh.

Reset Your PC
Use the Reset your PC option when you wish to revert your computer to its post-installation settings, or when you want to recycle your computer, perhaps to allow a different user to use the computer. The Reset your PC option is very destructive, and when you perform a reset, the following takes place:
1. All your personal files and all your apps (desktop and Windows Store apps) are removed.
2. Your computer's settings are reverted to their original, installation defaults.

Using Reset your PC


You can access the Reset your PC option in one of two ways:
1. If the computer is still running, then from Start:
   a. Press Windows+C, and then click Settings.
   b. Click Change PC settings.
   c. Click Update and recovery.
   d. Click Recovery, and then in the details pane, under Remove everything and reinstall Windows, click Get started.
   e. At the Reset your PC prompt, click Next.
   f. On the Your PC has more than one drive page, click either:
      i. Only the drive where Windows is installed. This wipes the operating system drive and retains the content of other drives.
      ii. All drives. This wipes all connected drives.
   g. On the Do you want to fully clean your drive? page, click either:
      i. Just remove my files. Use this option if you intend to continue using the computer after it has been reset.
      ii. Fully clean the drive. Choose this option if you want the reset process to perform a low-level disk clean during the reset. This can take longer, but it is the recommended option if you intend to give your computer to someone else.
   h. On the Ready to reset your PC page, click Reset. The Reset your PC process begins.
2. If the computer cannot start, then:
   a. Insert the Windows 8.1 product DVD (or other bootable media) and start the computer.
   b. When prompted to Press any key to boot from CD or DVD, press a key. Windows RE starts.
   c. In Windows Setup, click Next and then click Repair your computer.
   d. On the Choose an option page, click Troubleshoot and then click Reset your PC.
   e. On the Choose a target operating system page, click the target operating system. Usually, only one operating system is installed, and so generally, you click Windows 8.1.
   f. On the Here's what will happen page, click Next.
   g. Optionally, if your computer has more than one drive, on the Your PC has more than one drive page, click either:
      i. Only the drive where Windows is installed.
      ii. All drives.
   h. On the Do you want to fully clean your drive? page, click either:
      i. Just remove my files.
      ii. Fully clean the drive.
   i. On the All ready to go page, click Reset. The Reset your PC process begins.

Considerations for Using Reset your PC


Consider the following when deciding whether to use Reset your PC as a recovery tool:
1. All your Windows Store apps and desktop apps are removed.
2. Your personal files, personalization settings, and all your computer's configuration settings are reverted to their initial, post-installation state.
3. You must recover your personalization settings after the reset.
4. You must reinstall any Windows Store and desktop apps, and then reapply any updates and configuration changes you made since the computer was first installed with Windows 8.1.
5. Unlike when you use System Image Recovery, you do not need a backup to perform a reset.

Demonstration: Exploring Recovery Options


Note: This is a practice session.
In this practice session, you will:
• Initiate the Refresh your PC process.
• Initiate the Reset your PC process.

Preparation Steps
For this practice session, you need to use the available virtual machine environment. These machines
should be running from the previous practice session. If they are not, before you begin the practice
session, you must complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 through 4 for 20688D-LON-CL1.

Demonstration Steps
Initiate the Refresh your PC process
1. Switch to LON-CL1.
2. Click Start.
3. On the Start screen, press the Windows+C keys, and then click Settings.
4. In Settings, click Change PC settings.
5. In PC settings, click Update and recovery.
6. In Update and recovery, click Recovery, and then in the details pane, under Refresh your PC without affecting your files, click Get started.
7. At the Refresh your PC prompt, click Next.
8. At the Apps you'll need to reinstall prompt, click Next.
9. At the Ready to refresh your PC prompt, click Refresh. Your computer restarts and the Refresh process begins.
   Note: Because this process takes an extended time, you will not complete it.
10. On the host computer, start Hyper-V Manager.
11. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
12. In Hyper-V Manager, click 20688D-LON-CL1, and then in the Actions pane, click Start.
13. In the Actions pane, click Connect. Wait until the virtual machine starts.
14. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum

Initiate the Reset your PC process


1. Right-click Start, point to Shut down or sign out, and then click Restart.
2. When prompted to Press any key to boot from CD or DVD, press a key.
3. In Windows Setup, click Next, and then click Repair your computer.
4. On the Choose an option page, click Troubleshoot, and then click Reset your PC.
5. On the Choose a target operating system page, click Windows 8.1.
6. On the Here's what will happen page, click Next.
7. On the Your PC has more than one drive page, click All drives.
8. On the Do you want to fully clean your drive? page, click Fully clean the drive.
9. On the All ready to go page, click Reset. The Reset your PC process begins.

Note: Wait until the reset process has begun, and then revert your virtual machines in
preparation for the lab, by following the instructions above.

Completion Steps
After you have completed the practice session, revert the virtual machines in preparation for the lab:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lab A: Troubleshooting a Windows 8.1 Computer (1)


Scenario

A user has reported a problem with his computer. The help desk has investigated the incident, and has
escalated the problem to you for resolution.
Note: The problem reported and its solution may have nothing to do with the content
discussed in this module.

Objectives
After completing this lab, you will be able to:

Recover a Windows 8.1 computer.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd

For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following procedure:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL1.

Exercise 1: Recovering Files in Windows 8.1


Scenario
The help desk has passed you this ticket because they have been unable to resolve the issue. You must
read the details and develop a plan of action before you attempt to resolve the problem.
Incident Record
Incident Reference Number: 723623
Date of Call: December 1
Time of Call: 09:01
User: Josh Bailey (Research Department)
Status: OPEN

Incident Details
Josh cannot sign into his computer using a domain account.

Additional Information
• LON-CL1, Josh's computer, is domain-joined.
• Josh has been using his laptop while working outside of the office, and he says he might have reconfigured some network settings to connect to another network.
• I cannot connect remotely to the device. It does not appear to be on the network at all.
• The local account LON-CL1\ADMIN (password is Pa$$w0rd) allows Josh to sign in locally, but there is no network function.

Plan of Action

Resolution

The main tasks for this exercise are as follows:


1. Read the help-desk Incident Record for incident 723623.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help-desk Incident Record for incident 723623

Read the help-desk incident record 723623 above.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod13\Scenario1.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Attempt to resolve the problem by using your knowledge of the recovery techniques and tools in Windows 8.1.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment and begin again.

Results: When you have completed this exercise, you should have recovered the Windows 8.1 computer.

To prepare for the next exercise


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lab B: Troubleshooting a Windows 8.1 Computer (2)


Scenario
A user has reported a problem with her computer. The help desk has investigated the incident, and has
escalated the problem to you for resolution.
Note: The problem reported and its solution may not correlate directly with the content
discussed in this module.

Objectives
After completing this lab, you will be able to:

Recover a Windows 8.1 computer.

Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20688D-LON-DC1 and 20688D-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you need to use the available virtual machine environment. Before you begin the lab, you
must complete the following procedure:

1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20688D-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
5. Repeat steps 2 and 3 for 20688D-LON-CL1.

Exercise 1: Recovering a Windows 8.1 Computer


Scenario

The help desk has passed you this ticket that they have been unable to resolve. You must read the details
and develop a plan of action before you attempt to resolve the problem.
Incident Record
Incident Reference Number: 723625
Date of Call: December 2
Time of Call: 17:32
User: Arlene Huff (Sales Department)
Status: OPEN

Incident Details
Arlene has been unable to access some media files that she has on a CD.

Additional Information
• Arlene can use the disc on her colleagues' machines, just not her own.
• I remotely connected to Arlene's laptop, and the CD/DVD device is not showing in This PC, but the CD device spins up physically when a disc is inserted. It appears that Windows just cannot see it.
• I determined that a number of recent driver updates were applied to Arlene's computer.

Plan of Action

Resolution

The main tasks for this exercise are as follows:


1. Read the help-desk Incident Record for incident 723625.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
4. Attempt to resolve the problem.

Task 1: Read the help-desk Incident Record for incident 723625

Read the help-desk incident record 723625.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod13\Scenario2.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem

1. Attempt to resolve the problem by using your knowledge of troubleshooting Windows 8.1.
2. Update the Resolution section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance. To repeat or exit the exercise, revert the virtual machine environment and begin again.

Results: When you have completed this exercise, you should have recovered the Windows 8.1 computer.

To complete the course


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Module Review and Takeaways


Review Questions
Question: When you initiate Refresh your PC, what happens?
Question: How is a Refresh your PC operation different than when you perform a recovery
using System Image Recovery?

Course Evaluation
Your evaluation of this course will help Microsoft understand
the quality of your learning experience.
Please work with your training provider to access the course
evaluation form.
Microsoft will keep your answers to this survey private and
confidential and will use your responses to improve your
future learning experience. Your open and honest feedback
is valuable and appreciated.

Module 1: Implementing a Troubleshooting Methodology

Lab: Troubleshooting Windows 8.1


Exercise 1: Developing a Plan of Action
Task 1: Read the help-desk Incident Record

Read help-desk Incident Record 701338 in the exercise scenario in the Student Handbook.

Task 2: Determine what questions you might ask the user

With the class, discuss the questions that you might ask the user so that you can develop a plan of
action, including:
   o Who was operating the computer when the problem first occurred?
   o Who else is operating the computer, and have they experienced similar problems?
   o Who has worked on this problem, or one like it, previously?
   o Who has the same problem on another computer?
   o When did this problem first occur, and has it occurred since?
   o When was an application last installed, updated, or removed from or on the computer?
   o When was new hardware last installed on the computer?
   o When were disk maintenance tasks last performed?
   o What does the help desk suspect might be the problem?
   o What steps have the help desk already taken to attempt resolution, if any?
   o What suggestions have the help desk received regarding a possible resolution?
   o How does the help desk think that the problem occurred?
   o Why does the help desk think that the problem occurred?

Task 3: Discuss recommendations


1. Read the Additional Information section of the Incident Record in the exercise scenario in the Student Handbook.
2. Discuss your recommendations with other students:
   a. Attempt a remote connection to the user's computer, but if necessary, visit the user's computer.
   b. Update the video driver, and apply any other updates.

Task 4: Discuss the agreed plan of action

Discuss the agreed-upon plan with other students.

Results: After completing this exercise, you should have developed a plan of action for the resolution of
the user's reported problem.

Module 2: Troubleshooting Startup Issues

Lab A: Troubleshooting Startup Issues


Exercise 1: Resolving a Startup Problem (1)
Task 1: Read the help desk Incident Record for Incident 722137

Read the help desk Incident Record 722137 in the student handbook exercise scenario.

Task 2: Update the Plan of Action section in the Incident Record


1. Read the Additional Information section of the Incident Record in the student handbook exercise scenario.
2. Update the Plan of Action section in the Incident Record with your recommendations:
   a. Visit the user, and view the error on his computer.
   b. Insert the Windows 8.1 product DVD, and restart the computer.
   c. Use Windows Recovery Environment (Windows RE) to recover the startup environment automatically.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod02\Scenario1.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Stop 20688D-LON-CL1:
   a. In the Hyper-V client window, click Turn Off.
   b. In the confirmation dialog box, click Turn Off.
2. Start 20688D-LON-CL1:
   o In the Hyper-V client window, click Start.
3. When prompted to Press any key to boot from CD or DVD, press the space bar. Notice that the computer boots into Windows Setup.
4. In the Windows Setup Wizard, click Next.
5. On the Install now page, click Repair your computer.
6. On the Choose an option page, click Troubleshoot.
7. On the Troubleshoot page, click Advanced options.
8. On the Advanced options page, click Command Prompt.
9. At the command prompt, type bootrec /rebuildbcd, and then press Enter.
10. When prompted, type Y, and then press Enter.
11. At the command prompt, type exit, and press Enter.
12. On the Choose an option page, click Continue.
13. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
14. Update the Resolution section in the Incident Record:
   o Corrupted BCD resulted in startup failure.
   o Startup Repair failed.
   o Used bootrec /rebuildbcd to fix the problem.

Results: After completing this exercise, you should have resolved the startup problem.

Exercise 2: Resolving a Startup Problem (2)


Task 1: Read the help desk Incident Record for Incident 722140

Read the help desk Incident Record 722140 in the student handbook exercise scenario.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section in the Incident Record in the student handbook exercise scenario.
2. Update the Plan of Action section in the Incident Record with your recommendations:
   a. Visit the user, and view the error on his computer.
   b. Insert the Windows 8.1 product DVD, and restart the computer.
   c. Use Windows RE to recover the startup environment automatically.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod02\Scenario2.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Stop 20688D-LON-CL1:
   a. In the Hyper-V client window, click Turn Off.
   b. In the confirmation dialog box, click Turn Off.
2. Start 20688D-LON-CL1:
   o In the Hyper-V client window, click Start.
3. When prompted to Press any key to boot from CD or DVD, press the space bar. Notice that the computer boots into Windows Setup.
4. In the Windows Setup Wizard, click Next.
5. On the Install now page, click Repair your computer.
6. On the Choose an option page, click Troubleshoot.
7. On the Troubleshoot page, click Advanced options.
8. On the Advanced options page, click System Restore.
9. On the System Restore page, click Windows 8.1 Enterprise.
10. In the System Restore Wizard, click Next.
11. On the Restore your computer to the state it was in before the selected event page, in the unnamed drop-down list box, click Deployed to User, and then click Next.
12. On the Confirm your restore point page, click Finish.
13. In the Once started, System Restore cannot be interrupted. Do you want to continue? dialog box, click Yes. Notice that the system restore process begins.
   Note: System Restore can take an extended period of time.
14. When prompted, click Restart.
15. Once your computer has restarted, sign in as Adatum\administrator with the password Pa$$w0rd.
16. Update the Resolution section in the Incident Record:
   o Corrupted driver issue.
   o Used System Restore to roll back to previous configuration.

Results: After completing this exercise, you should have successfully resolved a startup problem.

To prepare for the next practice session


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lab B: Recovering BitLocker-Encrypted Drives

Exercise 1: Recovering a BitLocker-Encrypted Drive
Task 1: Read the help desk Incident Record for Incident 722151

Read the help desk Incident Record 722151 in the student handbook exercise scenario.

Task 2: Read the Plan of Action section in the Incident Record

1. Read the Additional Information section of the Incident Record. Update it with the recovery key you recorded earlier.
2. Read the Plan of Action section of the Incident Record.

Task 3: Verify the problem


1. On LON-CL1, right-click Start, point to Shut down or sign out, and then click Restart.
2. During the restart sequence, when the BitLocker Drive Encryption screen displays, in the Enter the password to unlock this drive text box, type wrong password, and then press Enter. Notice that you cannot access the computer with the password the user has provided.

Task 4: Attempt to resolve the problem


1. On LON-CL1, on the BitLocker screen, press the Esc key.
2. On the BitLocker recovery page, in the Enter the recovery key for this drive text box, type the recovery key you recorded earlier, and then press Enter.
   Note: You do not need to type the hyphens in the recovery key, because the Windows operating system adds them.
3. Update the Resolution section in the Incident Record:
   o Entered the recovery key, and was able to start Windows normally.

Results: After completing this exercise, you should have recovered a BitLocker-encrypted drive and
enabled the computer to start up.
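
The recovery key used in this exercise is 48 digits in eight groups of six, and each group is a multiple of 11 below 720896, which lets a transcription error be caught before the key is read out or stored in an Incident Record. The following check is an added example, not part of the course lab files; the function name Test-RecoveryKeyFormat and the sample key are constructed for illustration.

```powershell
# Added example: format check for a 48-digit BitLocker recovery key.
# It inspects the text only; it does not touch any volume or key store.
function Test-RecoveryKeyFormat {
    param([Parameter(Mandatory = $true)][string]$Key)

    # Accept the key with or without hyphens or spaces, as the recovery page does.
    $digits = $Key -replace '[-\s]', ''
    if ($digits -notmatch '^\d{48}$') {
        return [pscustomobject]@{
            Valid      = $false
            BadGroups  = @()
            Normalized = $null
            Reason     = "Expected 48 digits, got $($digits.Length) characters"
        }
    }

    # Split into eight groups of six digits.
    $groups = 0..7 | ForEach-Object { $digits.Substring($_ * 6, 6) }

    # Each group is a 16-bit value multiplied by 11, so it must be divisible
    # by 11 and smaller than 65536 * 11 = 720896.
    $bad = @()
    for ($i = 0; $i -lt 8; $i++) {
        $n = [int]$groups[$i]
        if (($n % 11) -ne 0 -or $n -ge 720896) { $bad += ($i + 1) }
    }

    $reason = 'OK'
    if ($bad.Count -gt 0) { $reason = "Group(s) $($bad -join ', ') fail the check" }

    [pscustomobject]@{
        Valid      = ($bad.Count -eq 0)
        BadGroups  = $bad
        Normalized = ($groups -join '-')   # hyphenated form for the ticket
        Reason     = $reason
    }
}

# Constructed sample (not a real key): eight 16-bit values, each multiplied by 11.
$values = 12345, 54321, 1, 65535, 40000, 22222, 31415, 27182
$sample = ($values | ForEach-Object { '{0:D6}' -f ($_ * 11) }) -join '-'

Test-RecoveryKeyFormat $sample                                  # key as recorded
Test-RecoveryKeyFormat ($sample -replace '-', '')               # same key typed without hyphens
Test-RecoveryKeyFormat ($sample -replace '^135795', '135796')   # last digit of group 1 mistyped
```

A key that passes this check is only well formed; whether it unlocks the drive is decided at the BitLocker recovery page.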

Exercise 2: Creating a New BitLocker Password


Task 1: Create a new BitLocker password
1. Sign in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.
2. At the Start screen, click the Desktop tile.
3. On the taskbar, click the File Explorer icon.
4. In the navigation pane, click This PC.
5. Right-click Local Disk (C:), and then click Manage BitLocker.
6. In BitLocker Drive Encryption, click Change password.
7. In the BitLocker Drive Encryption (C:) dialog box, click Reset a forgotten password.
8. On the Create a password to unlock this drive page, in the Enter your password and Reenter your password boxes, type Pa$$w0rd2, and then click Finish.
9. In the Your password has been changed dialog box, click OK.
10. On LON-CL1, right-click Start, point to Shut down or sign out, and then click Restart.
11. During the restart sequence, when the BitLocker screen displays, in the Enter the password to unlock this drive box, type Pa$$w0rd2, and then press Enter. Notice that Windows starts normally. Do not sign in.

Results: After you have completed this exercise, you should have created a new BitLocker password.

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Module 3: Troubleshooting Hardware and Device Drivers

Lab: Troubleshooting Hardware and Device Drivers

Exercise 1: Resolving Hardware Issues
Task 1: Read the help desk Incident Record for Incident 722201

Read the help desk incident record 722201 in the student handbook exercise scenario.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record in the Student Handbook.
2. Update the Plan of Action section of the Incident Record with your recommendations:
   o Visit the user's computer and attempt to resolve the problem by trying driver rollback, if necessary with Safe Mode.
   o Failing that, attempt System Restore.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod03\Scenario1.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Switch to LON-CL1.
   Note: On your host, in the 20688D-LON-CL1 on localhost Virtual Machine Connection window, in the View menu, click Full Screen Mode.
2. Sign in using the following credentials:
   o User name: Adatum\administrator
   o Password: Pa$$w0rd
   Note: The computer mouse does not work. Trying to roll back the driver is unsuccessful. Using Safe mode does not work. System Restore is the only means to resolve this driver issue.
3. The mouse is not working. Type cmd.exe, and then press Enter.
4. At the command prompt, type shutdown /r, and then press Enter.
5. During the restart, when prompted to Press any key to boot from CD or DVD, press the space bar. The computer boots into Windows Setup.
6. In the Windows Setup Wizard, click Next.
7. On the Install now page, click Repair your computer.
8. On the Choose an option page, click Troubleshoot.
9. On the Troubleshoot page, click Advanced options.
10. On the Advanced options page, click System Restore.
11. On the System Restore page, click Windows 8.1.
12. In the System Restore Wizard, click Next.
13. On the Restore your computer to the state it was in before the selected event page, in the unnamed list, click Deployed to User, and then click Next.
14. On the Confirm your restore point page, click Finish.
15. In the Once started, System Restore cannot be interrupted. Do you want to continue? dialog box, click Yes. The system restore process begins.
   Note: System Restore can take an extended period of time.
16. When prompted, click Restart.
17. After your computer restarts, sign in as Adatum\administrator with the password of Pa$$w0rd.
18. The mouse is now functional.

Resolution
1. Attempted to uninstall the mouse manually and restarted the computer; this failed to resolve the issue.
2. Used msconfig.exe to access Safe Mode. Mouse not functional in Safe Mode.
3. Booted into Windows Recovery Environment (Windows RE).
4. Accessed System Restore to recover computer.

Note: When you have completed the exercise, change the virtual machine back from full
screen mode. In the 20688D-LON-CL1 on localhost window, click Restore Down.

Results: When you have completed this exercise, you should have resolved the hardware issue.

Exercise 2: Configuring Group Policy Settings to Control Device Installation


Task 1: Read the email from Ed Meadows
1. Read the email in the Supporting Documentation section.
2. Determine a plan of action.
3. Answer the questions in the Group Policy Object (GPO) planning document:
   o How many GPOs do you envision using?
     Answer: Answers will vary, but you could use two. The Default Domain Policy could support both the all users restriction and the administrators' nonrestriction. A new GPO could support the Research Department requirements.
   o To which containers will you link these GPOs?
     Answer: The Default Domain Policy is linked to the Adatum.com domain. You could link the new GPO to the Research Department organizational unit (OU).
   o How do you plan to configure the restriction for all users?
     Answer: Configure the Default Domain Policy to enable printer installation by using the setting: Allow non-administrators to install drivers for the setting for device setup classes.
   o How will you accommodate the requirement to support the Research Department's needs?
     Answer: Either install the drivers into the driver store on each Research department computer, or configure the Research GPO with permissions to install drivers of the GUID of the specified setup class for mouse, printer, and keyboard. Use this setting: Allow installation of devices using drivers that match these device setup classes.
   o How will you accommodate the administrators' requirement?
     Answer: Configure the Allow administrators to override Device Installation Restrictions policies setting in the Default Domain Policy.

Results: After you have completed this exercise, you should have configured GPOs to control device
installation.

To prepare for the next practice session

When you have completed the lab, leave the virtual machines running for the next practice session.


Module 4: Troubleshooting Remote Computers

Lab: Troubleshooting Remote Computers


Exercise 1: Using Remote Desktop
Task 1: Verify the Windows Firewall settings on LON-CL1
1. On LON-CL1, click Desktop.
2. Press the Windows+C keys, click Settings, and then click Control Panel.
3. In Control Panel, click System and Security.
4. Under Windows Firewall, click Allow an app through Windows Firewall.
5. In the Name list, locate Remote Desktop and select the Domain, Private, and Public check boxes, and then click OK.
6. In System and Security, click Allow remote access.
7. In System Properties, under Remote Desktop, click Allow remote connections to this computer.
8. Click Select Users, and then click Add.
9. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box, type Adam, click Check Names, and then click OK.
10. In the Remote Desktop Users dialog box, click OK.
11. In the System Properties dialog box, click OK.
12. Close all open windows.
13. Switch to the LON-CL3 virtual machine, and, if necessary, sign in as Adatum\Administrator with the password Pa$$w0rd.
14. On the Start screen, type mstsc, and then press Enter.
15. In the Remote Desktop Connection dialog box, in the Computer text box, type LON-CL1, and then click Show Options.
16. Click the Advanced tab.
17. Under Server authentication, in the If server authentication fails list, click Connect and don't warn me.

Task 2: Establish a Remote Desktop Connection


1. In the Remote Desktop Connection dialog box, click Connect.
2. In the Windows Security dialog box, click Use another account.
3. In the User name text box, type Adatum\Adam. In the Password text box, type Pa$$w0rd, and then click OK.
4. When prompted, click Yes to proceed with the sign in.
5. Switch to LON-CL1.
6. At the Remote Desktop Connection prompt, click OK.
7. Switch to LON-CL3.
8. Click the down arrow beneath the Desktop tile.
9. Right-click This PC, and then click Properties.
10. Notice the computer name.
11. Close the Remote Desktop session.
12. In the Remote Desktop Connection dialog box, click OK.
13. Close all open windows.
14. Switch to LON-CL1.
15. Verify that you have been signed out.

Results: After completing this exercise, you should have successfully used Remote Desktop to manage a
remote computer.
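
Task 1 enables Remote Desktop on the Domain, Private, and Public firewall profiles and adds a user to Remote Desktop Users. The following PowerShell is an added example (not part of the course lab) that reports the resulting exposure on a computer such as LON-CL1; the function name Get-RdpExposure is hypothetical.

```powershell
# Added example, not from the course material. Run in an elevated
# Windows PowerShell session on the computer being checked (for example LON-CL1).
function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"

    # fDenyTSConnections = 0 means "Allow remote connections to this computer" is selected.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla  = (Get-ItemProperty -Path $rdpKey -Name UserAuthentication).UserAuthentication

    # Enabled inbound rules in the "Remote Desktop" firewall group.
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    # A rule is reachable from untrusted networks when its profile list
    # contains Public or is Any.
    $public = @($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })

    # Accounts allowed to sign in over Remote Desktop in addition to administrators.
    $group   = [ADSI]'WinNT://./Remote Desktop Users,group'
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        RdpEnabled         = ($deny -eq 0)
        NlaRequired        = ($nla -eq 1)
        EnabledRules       = @($rules  | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" })
        PublicProfileRules = @($public | ForEach-Object { $_.DisplayName })
        RemoteDesktopUsers = $members
    }
}

$report = Get-RdpExposure
$report | Format-List

if ($report.RdpEnabled -and $report.PublicProfileRules.Count -gt 0) {
    Write-Warning 'Remote Desktop is reachable on the Public firewall profile.'
}
if ($report.RdpEnabled -and -not $report.NlaRequired) {
    Write-Warning 'Network Level Authentication is not required for Remote Desktop.'
}
```

Outside a lab, the rule group can be limited to the domain profile with Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Profile Domain.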

Exercise 2: Using Remote Assistance


Task 1: Create a Microsoft Word 2013 document
1. Sign in to LON-CL1 as Adatum\Adam using the password Pa$$w0rd.
2. If necessary, click Start to return to the Start screen.
3. On the Start screen, under the Desktop tile, click the down arrow.
4. Click Word 2013.
5. In the First things first dialog box, click Ask me later, and then click Accept.
6. In the Welcome to your new Office Wizard, click Next three times, and then click All done.
7. In Microsoft Word 2013, click Blank document.
8. In the Document window, type This is my document.
9. On the ribbon, click the File tab, and then click Save.
10. Click Save.
11. Click Computer.
12. Click Documents, and then click Save.

Task 2: Enable and then request Remote Assistance


1. Click Start.
2. On the Start screen, below the Desktop tile, click the down arrow.
3. Right-click This PC, and then click Properties.
4. In System, click Remote Settings.
5. If prompted, in the User Account Control dialog box, in the User name text box, type administrator.
6. In the Password text box, type Pa$$w0rd, and then click Yes.
7. Verify that the Allow Remote Assistance connections to this computer check box is selected, and then click OK.
8. Close System.
9. Click Start.
10. Type msra.exe, and then press Enter.
11. In the Windows Remote Assistance Wizard, click Invite someone you trust to help you.
12. On the How do you want to invite your trusted helper page, click Save this invitation as a file.
13. On the Save as page, in the File name field, type \\LON-dc1\Share\Adams-Invite, and then click Save.
14. Write down the password.

Task 3: Provide remote assistance


1. Switch to LON-CL3.
2. On the taskbar, click File Explorer, navigate to \\LON-DC1\share, and then double-click Adams-Invite.msrcincident.
3. In the Remote Assistance dialog box, in the Enter password box, type the password that you wrote down in the previous task, and then click OK.
4. Switch to the LON-CL1 virtual machine.
5. In the Windows Remote Assistance dialog box, click Yes.
6. Switch to the LON-CL3 virtual machine.
7. On the Menu, click Request control.
8. Switch to the LON-CL1 virtual machine.
9. In the Windows Remote Assistance dialog box, click Yes.
10. Switch to the LON-CL3 virtual machine.
11. In Word, click the Review menu, and then select the text in the document window.
12. In the Menu, click New Comment, and then type This is how you place a comment in a document.
13. Click the cursor elsewhere in the document window.
14. In the Windows Remote Assistance Helping Adam menu, click Chat.
15. In the Chat window, type Does that help?, and then press Enter.
16. Switch to the LON-CL1 virtual machine.
17. Observe the message, type Yes, thanks, and then press Enter.
18. In the Menu, click Stop sharing.
19. Close all open windows.
20. Discard the file changes, and then sign out from LON-CL1.
21. Switch to the LON-CL3 virtual machine.
22. Close all open windows, and then sign out from LON-CL3.

Results: After completing this exercise, you should have successfully used Remote Assistance to manage a
remote computer.


Exercise 3: Using Windows PowerShell Remoting


Task 1: Enable Windows PowerShell remoting
1. Switch to LON-CL1.
2. Sign in as Adatum\Administrator with the password Pa$$w0rd.
3. On the Start screen, type Windows PowerShell.
4. Right-click Windows PowerShell, and click Pin to Taskbar.
5. Click the Desktop tile.
6. On the taskbar, click the Windows PowerShell icon.
7. At the Windows PowerShell prompt, type the following command, and then press Enter:
    Winrm quickconfig
8. When prompted, press Y, and then press Enter, and then press Y, and then press Enter again.
9. At the Windows PowerShell prompt, type the following command, and then press Enter:
    Enable-PSRemoting -Force
10. Switch to LON-CL3.
11. Repeat steps 2 through 9.

Task 2: Use Windows PowerShell remoting from LON-DC1


1. Switch to LON-DC1.
2. On the taskbar, click the Windows PowerShell icon.
3. At the Windows PowerShell prompt, type the following command, and then press Enter:
    Invoke-Command -ComputerName LON-CL1 -ScriptBlock {Get-EventLog -log system}
4. At the Windows PowerShell prompt, type the following command, and then press Enter:
    $s = New-PSWorkflowSession -ComputerName LON-CL1
5. At the Windows PowerShell prompt, type the following command, and then press Enter:
    Enter-PSSession $s
6. At the Windows PowerShell prompt, type the following command, and then press Enter:
    exit
7. At the Windows PowerShell prompt, type the following command, and then press Enter:
    Invoke-Command -Session $s -ScriptBlock {$c = Get-command}
8. At the Windows PowerShell prompt, type the following command, and then press Enter:
    Invoke-Command -Session $s -ScriptBlock {$c.count}
9. At the Windows PowerShell prompt, type the following command, and then press Enter:
    Invoke-Command -ComputerName LON-CL1, LON-CL3 -ScriptBlock {Get-Culture}
10. At the Windows PowerShell prompt, type the following command, and then press Enter:
    $s = New-PSWorkflowSession -ComputerName LON-CL1, LON-CL3
11. At the Windows PowerShell prompt, type the following command, and then press Enter:
    Invoke-Command -Session $s -ScriptBlock {$c = Get-command}
12. At the Windows PowerShell prompt, type the following command, and then press Enter:
    Invoke-Command -Session $s -ScriptBlock {$c.count}

Results: After completing this exercise, you should have successfully established a remoting session and
performed remote management of LON-DC1 with Windows PowerShell cmdlets.
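
Steps 3 and 9 use ad hoc -ComputerName calls, while steps 7, 8, 11 and 12 reuse the session stored in $s, and only the stored session keeps a variable such as $c between calls. The script below is an added example, not part of the course lab, that shows the difference side by side and removes the sessions afterward. It uses New-PSSession rather than the lab's New-PSWorkflowSession, and the function name Test-RemotingSessionState is hypothetical.

```powershell
# Added example, not from the course material.
# Assumes the lab computers LON-CL1 and LON-CL3 with remoting enabled as in Task 1,
# and a caller who is an administrator on both (for example, run from LON-DC1).
function Test-RemotingSessionState {
    param(
        [string[]]$ComputerName = @('LON-CL1', 'LON-CL3')
    )

    # Only continue with computers whose WinRM listener answers.
    $reachable = @($ComputerName | Where-Object {
        Test-WSMan -ComputerName $_ -ErrorAction SilentlyContinue
    })
    if ($reachable.Count -eq 0) { throw 'No WinRM listener answered.' }

    # The same two script blocks the lab types in steps 7 and 8,
    # with the second one reporting whether $c exists at all.
    $assign = { $c = Get-Command }
    $probe  = {
        [pscustomobject]@{
            Defined = (Test-Path Variable:\c)
            Count   = if (Test-Path Variable:\c) { $c.Count } else { 0 }
        }
    }

    # Ad hoc: each call opens and closes its own connection,
    # so nothing set by the first call is visible to the second.
    Invoke-Command -ComputerName $reachable -ScriptBlock $assign
    $adHoc = Invoke-Command -ComputerName $reachable -ScriptBlock $probe

    # Persistent: one session per computer, reused across calls.
    $s = New-PSSession -ComputerName $reachable
    if (-not $s) { throw 'No session could be created.' }
    try {
        Invoke-Command -Session $s -ScriptBlock $assign
        $persistent = Invoke-Command -Session $s -ScriptBlock $probe
    }
    finally {
        # A session keeps a host process running on each target until it is removed.
        Remove-PSSession -Session $s
    }

    $adHoc      | Select-Object @{ n = 'Mode'; e = { 'AdHoc' } },   PSComputerName, Defined, Count
    $persistent | Select-Object @{ n = 'Mode'; e = { 'Session' } }, PSComputerName, Defined, Count
}

Test-RemotingSessionState | Format-Table -AutoSize
```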

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Microsoft Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1 and 20688D-LON-CL3.


Module 5: Resolving Network Connectivity Issues

Lab: Resolving Network Connectivity Issues


Exercise 1: Resolving a Network Problem (1)
Task 1: Read the help desk Incident Record for incident 723012

Read the help desk incident record 723012 in the Student Handbook Exercise Scenario.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Discuss your recommendations with other students:
   a. Visit the user's computer.
   b. Verify the problem by attempting to connect to the specific resource.
   c. Attempt to connect to the same resource from other computers in the Research department.
   d. Verify the network configuration on Colin's client computer.
   e. The fact that others are being affected suggests a server-side problem.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod05\Scenario1.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Switch to LON-CL1 and sign in as Adatum\administrator with the password Pa$$w0rd.
2. In Start, type Windows PowerShell, and then press Enter.
3. At the Windows PowerShell command prompt, type Get-NetIPAddress, and then press Enter. Notice that the IPv4 address has the prefix 169.254.
4. At the Windows PowerShell command prompt, type ipconfig /renew, and then press Enter. Notice that this is unsuccessful.
5. Switch to LON-DC1.
6. In Server Manager, click Tools, and then click DHCP. Notice that the server is not available.
7. Close DHCP.
8. Click Start.
9. Type services.msc, and then press Enter.
10. In the Services list, right-click DHCP Server, and then click Start.
11. In Server Manager, click Tools, and then click DHCP. The server is available.
12. Switch to LON-CL1.
13. At the Windows PowerShell command prompt, type ipconfig /renew, and then press Enter. This is successful.
14. Click File Explorer.
15. In the File Explorer address bar, type \\LON-DC1\Research, and press Enter.
16. Close File Explorer.
17. Update the Resolution section of the Incident Record with the following comments:
   o The client was unable to contact the Dynamic Host Configuration Protocol (DHCP) server to obtain an IP configuration.
   o Restarted the DHCP service, and then renewed the IP configuration on the client.

Results: After completing this exercise, you should have resolved the network-related problem.

Exercise 2: Resolving a Network Problem (2)


Task 1: Read the help desk Incident Record for incident 723101

Read the help desk Incident Record 723101 in the Student Handbook Exercise Scenario.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Discuss your recommendations with other students:
   a. Visit the user's computer.
   b. Verify the problem by attempting to connect to the network resources.
   c. Verify the network configuration on the client computer.
   d. Test name resolution on the client computer.
   e. The fact that Colin is the only affected user suggests a client-side problem.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod05\Scenario2.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Switch to LON-CL1 and sign in as Adatum\administrator with the password Pa$$w0rd.
2. In Start, type Windows PowerShell, and then press Enter.
3. At the Windows PowerShell command prompt, type Get-DnsClientCache, and then press Enter. Notice that records are returned.
4. At the Windows PowerShell command prompt, type Clear-DnsClientCache, and then press Enter.
5. At the command prompt, type test-connection lon-dc1, and then press Enter. Notice that this is unsuccessful.
6. At the command prompt, type Get-DnsClientCache | fl, and then press Enter. Notice that the wrong IP address is returned for LON-DC1.
7. At the Windows PowerShell command prompt, type nslookup LON-DC1, and then press Enter. Notice that the correct record is returned from the Domain Name System (DNS) server.
8. At the Windows PowerShell command prompt, type notepad C:\windows\system32\drivers\etc\hosts, and then press Enter.
9. Scroll to the end of the file, delete 172.16.0.1 lon-dc1, and then press Enter.
10. Click File, and then click Save.
11. Close Notepad.
12. At the Windows PowerShell command prompt, type Clear-DnsClientCache, and then press Enter.
13. At the Windows PowerShell command prompt, type test-connection lon-dc1, and then press Enter.
14. At the Windows PowerShell command prompt, type Get-DnsClientCache | fl, and then press Enter. You can now see the correct record for LON-DC1 in the cache.
15. At the Windows PowerShell command prompt, type Resolve-Dnsname LON-DC1 | fl, and then press Enter. This is successful.
16. Click File Explorer.
17. In the File Explorer address bar, type \\LON-DC1\Research, and then press Enter. The folder opens.
    Note: You may be prompted to sign in. If so, sign in as Adatum\administrator with the password Pa$$w0rd.
18. Close File Explorer.
19. Click Internet Explorer.
20. In the Windows Internet Explorer Address bar, type http://lon-dc1, and then press Enter. This connection attempt is now successful.
21. Update the Resolution section of the Incident Record with the following comments:
   o The client had an incorrect entry in the hosts file. Since this entry is used to populate the DNS resolver cache, the client could not resolve the host name LON-DC1.
   o Removed the entry, and the client was able to connect to resources.

Results: After completing this exercise, you will have resolved the network-related problem.
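
Steps 6 and 7 find the fault by comparing what the resolver cache holds with what the DNS server returns. The following PowerShell is an added example, not part of the course lab, that makes the same comparison for every hosts-file entry at once, which is also a quick way to spot hosts-file overrides nobody intended. The function names Get-HostsEntry and Compare-HostsToDns and the sample file are hypothetical.

```powershell
# Added example, not from the course material.
# Requires Resolve-DnsName (Windows 8 / Windows Server 2012 or later).

function Get-HostsEntry {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    foreach ($line in Get-Content -LiteralPath $Path) {
        # Drop comments, then split "<address> <name> [<alias> ...]" on whitespace.
        $text = ($line -replace '#.*$', '').Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }

        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)) { continue }

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{ Name = $name; Address = $ip.ToString() }
        }
    }
}

function Compare-HostsToDns {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    foreach ($entry in Get-HostsEntry -Path $Path) {
        $type = if ($entry.Address.Contains(':')) { 'AAAA' } else { 'A' }

        $dnsAddresses = @()
        try {
            # -DnsOnly: no LLMNR or NetBIOS; -NoHostsFile: do not answer from the hosts file.
            $dnsAddresses = @(
                Resolve-DnsName -Name $entry.Name -Type $type -DnsOnly -NoHostsFile -ErrorAction Stop |
                    Where-Object { $_.Type -eq $type } |
                    ForEach-Object { [System.Net.IPAddress]::Parse($_.IPAddress).ToString() }
            )
        }
        catch {
            # Name not found, timeout, or no DNS server reachable: leave the list empty.
        }

        if ($dnsAddresses.Count -eq 0) {
            $status = 'NotInDns'
        }
        elseif ($dnsAddresses -contains $entry.Address) {
            $status = 'Match'
        }
        else {
            $status = 'Mismatch'
        }

        [pscustomobject]@{
            Name         = $entry.Name
            HostsAddress = $entry.Address
            DnsAddresses = ($dnsAddresses -join ', ')
            Status       = $status
        }
    }
}

# Constructed sample that reproduces the entry removed in step 9.
$sample = Join-Path $env:TEMP 'hosts.sample'
Set-Content -LiteralPath $sample -Value @(
    '# constructed sample, not a real hosts file'
    '127.0.0.1   localhost'
    '172.16.0.1  lon-dc1   # entry from the lab scenario'
)

Get-HostsEntry -Path $sample                          # parsing only, no network needed
Compare-HostsToDns -Path $sample | Format-Table -AutoSize   # queries the configured DNS server
Compare-HostsToDns | Where-Object { $_.Status -ne 'Match' } # same check on the live hosts file
```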


Exercise 3: Troubleshooting a Wireless Network


Task 1: Read the help desk Incident Record for incident 723123

Read the help desk Incident Record 723123 in the Student Handbook Exercise Scenario.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Discuss your recommendations with other students:

   o How will you verify that these problems are occurring?
     Answer: Attend the Cambridge location to attempt to reproduce the problem.

   o What do you suspect is causing these problems?
     Answer: Answers will vary, but might include:
       o Interference from electronic devices can cause connection failures.
       o Clients may fail to connect because their computers are not configured with the appropriate wireless settings.
       o Some wireless access points may be in the wrong place, enabling connections from the parking lot.

   o How will you resolve these issues?
       i. Examine the location for sources of interference and where possible, move the wireless access points from these areas.
       ii. Suggest implementing Group Policy Objects (GPOs) to configure appropriate wireless settings.
       iii. Consider moving the wireless access points. In addition, consider the selected wireless channel, antennas, use of wireless repeaters, and updating drivers and/or firmware. Also, ensure certificate-based authentication and a high level of encryption is being used to help to ensure security.

Results: After completing this exercise, you should have successfully developed a plan of action for the
resolution of these incidents.

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Microsoft Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.


Module 6: Troubleshooting Group Policy

Lab: Troubleshooting Group Policy


Exercise 1: Resolving Group Policy Application (1)
Task 1: Read the help desk Incident Record for incident 723151

Read the help desk incident record 723151 in the student handbook exercise scenario.

Task 2: Update the Plan of Action section


1. Read the Additional Information section of the Incident Record in the student handbook exercise scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
   a. Verify configuration for LON-LAB1, and ensure that LON-CL3 has the same configuration.
   b. Resultant Set of Policy (RSoP) from Group Policy Modeling will provide configuration information for LON-LAB1.

Task 3: Attempt to resolve the problem


1. On LON-CL3, if necessary, sign out.
2. On LON-CL3, sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
3. In Start, click the Desktop tile.
4. Verify that the Desktop shortcut for the Research application is not present. It should display for any account.
5. Switch to the LON-DC1 computer.
6. In Server Manager, click Tools, and then click Active Directory Users and Computers.
7. In Active Directory Users and Computers, expand Adatum.com, and then click Computers.
8. Right-click LON-CL3, and then click Move.
9. In the Move window, expand Research, click Lab, and then click OK.
10. Close Active Directory Users and Computers.
11. Switch to LON-CL3.
12. Right-click Start, point to Shut down or sign out, and then click Restart.
13. On LON-CL3, sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
14. In Start, click Desktop.
15. Right-click Start, and then click Command Prompt.
16. At the command prompt, type gpupdate /force, and then press Enter.
17. Right-click Start, point to Shut down or sign out, and then click Sign out.
18. On LON-CL3, sign in by using the following credentials:
   o User name: Chris
   o Password: Pa$$w0rd
   o Domain: Adatum
19. In Start, click Desktop.
20. Verify that the Desktop shortcut ResearchLabApp displays.
21. Sign out from LON-CL3.
22. Update the Resolution section of the Incident Record in the student handbook:
   o RSoP from Group Policy Modeling indicates that LON-LAB1 has a GPO named ResearchLabs applied. ResearchLabs GPO is linked to Adatum.com/Research/Lab.
   o LON-CL3 is located in the Computers container and will not apply the ResearchLabs GPO.
   o Moved LON-CL3 computer account to the Adatum.com/Research/Lab organizational unit (OU) and then restarted the computer.

Results: After completing this exercise, you will have successfully resolved Group Policy Object (GPO)
application issues.

Exercise 2: Resolving Group Policy Application (2)


Task 1: Read the help desk Incident Record for incident 723160


Read the help desk incident record 723160 in the student handbook exercise scenario.

Task 2: Update the Plan of Action section


1. Read the Additional Information section of the Incident Record in the student handbook exercise scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
   a. Visit the user's computer and attempt to determine why the new policy is not being applied.
   b. Run gpupdate to see the error.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod06\Scenario2.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Switch to the LON-CL1 computer.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. In Start, type cmd.exe, and then press Enter.
4. At the command prompt, type gpupdate /force, and then press Enter. Notice that Group Policy fails to update.
5. Close the Command Prompt window, and then click Start.
6. Type This PC, right-click This PC, and then click Properties.
7. In the System Properties dialog box, in the Computer name, domain, and workgroup settings area, click Change settings.
8. In the System Properties dialog box, on the Computer Name tab, click Change.
9. In the Computer Name/Domain Changes dialog box, click Workgroup.
10. In the Workgroup text box, type TEMP, and then click OK.
11. Click OK to acknowledge the warning.
12. Click OK to clear the welcome message.
13. Click OK to clear the message about restarting.
14. In the System Properties dialog box, on the Computer Name tab, click Change.
15. In the Computer Name/Domain Changes dialog box, click Domain.
16. In the Domain text box, type Adatum.com, and then click OK.
17. In the Windows Security window, sign in as Administrator with the password Pa$$w0rd.
18. Click OK to clear the welcome message.
19. Click OK to clear the message about restarting.
20. In the System Properties dialog box, click Close, and then click Restart Now.
21. Sign in by using the following credentials:
   o User name: Adatum\Adam
   o Password: Pa$$w0rd
22. Verify that you can refresh GPOs:
   o Right-click Start.
   o Click Command Prompt.
   o At the command prompt, type gpupdate /force, and then press Enter.
23. Update the Resolution section of the Incident Record:
   a. Ran GPUpdate, and saw error related to processing for computer account.
   b. Group Policy event log indicated that account information could not be retrieved.
   c. The System event log had a NETLOGON error indicating that the computer password may be a problem.
   d. Rejoined the domain and problem is resolved. The user was logging on with cached credentials.

Results: After completing this exercise, you will have successfully resolved GPO application issues.

To prepare for the next lab


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1 and 20688D-LON-CL3.


Module 7: Troubleshooting User Settings

Lab A: Troubleshooting Sign-in Problems


Exercise 1: Resolving Sign-in Problem 1
Task 1: Read the help desk Incident Record for incident 723411

Read the help desk incident record 723411 in the Student Handbook Exercise Scenario.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
   a. Visit Alex's computer.
   b. Attempt to sign in using administrative credentials.
   c. Sign in as a local admin, and attempt resolution.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod07\Scenario1.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Switch to LON-CL1.
2. Attempt to sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Notice that you are unsuccessful.
4. Sign in by using the following credentials:
   o User name: LON-CL1\Admin
   o Password: Pa$$w0rd
5. Type This PC, right-click This PC, and then click Properties.
6. In the System window, in the Computer name, domain, and workgroup settings area, click Change settings.
7. In the System Properties dialog box, on the Computer Name tab, click Change.
8. In the Computer Name/Domain Changes dialog box, click Workgroup.
9. In the Workgroup box, type TEMP, and then click OK.
10. Click OK to acknowledge the warning.
11. If prompted, in the Windows Security window, sign in as Administrator with the password Pa$$w0rd.
12. Click OK to clear the welcome message.
13. Click OK to clear the message about restarting.
14. In the System Properties dialog box, on the Computer Name tab, click Change.
15. In the Computer Name/Domain Changes dialog box, click Domain.
16. In the Domain text box, type Adatum.com, and then click OK.
17. In the Windows Security window, sign in as Administrator with the password Pa$$w0rd.
18. Click OK to clear the welcome message.
19. Click OK to clear the message about restarting.
20. In the System Properties dialog box, click Close.
21. Click Restart Now.
22. Sign in using the following credentials:
   o User name: Adatum\Alex
   o Password: Pa$$w0rd
23. Notice that this time you are able to sign in.
24. Update the Resolution section of the Incident Record.
   a. Signed in as local admin.
   b. Rejoined the computer to the domain. This reset the computer account password and sign in was successful.

Results: After you have completed this exercise, you should have resolved the sign-in problem.
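
Both this exercise and Module 6, Exercise 2 come down to the computer account password, and both resolve it by rejoining the domain. The following PowerShell is an added example, not part of the course lab, that collects the evidence those Resolution notes refer to (the secure channel state plus NETLOGON and Group Policy events in the System log) before anything is changed. The function name Get-SecureChannelEvidence is hypothetical and the seven-day window is an arbitrary choice.

```powershell
# Added example, not from the course material. Run elevated on the affected
# client (for example LON-CL1), signed in with the local administrator account.
function Get-SecureChannelEvidence {
    param(
        [int]$Days = 7   # arbitrary look-back window
    )
    $since = (Get-Date).AddDays(-$Days)

    # Test-ComputerSecureChannel returns $true when the computer can still
    # authenticate to the domain with its locally stored account password.
    $healthy = $false
    try {
        $healthy = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
    }
    catch {
        # Raised, for example, when no domain controller can be contacted.
        $healthy = $false
    }

    # Errors (level 2) and warnings (level 3) from the two sources named in the
    # Resolution notes, both written to the System log.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON', 'Microsoft-Windows-GroupPolicy'
        Level        = 2, 3
        StartTime    = $since
    }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Provider = $_.ProviderName
                Id       = $_.Id
                # First line of the message is enough for a summary table.
                Summary  = ("$($_.Message)" -split "`r?`n")[0]
            }
        })

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        SecureChannelHealthy = $healthy
        Events               = $events
    }
}

$evidence = Get-SecureChannelEvidence
$evidence | Select-Object Computer, SecureChannelHealthy
$evidence.Events | Format-Table -AutoSize -Wrap
```

Test-ComputerSecureChannel also has a -Repair switch that resets the computer account password without leaving the domain; the lab uses the rejoin procedure instead.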

Exercise 2: Resolving Sign-in Problem 2


Task 1: Read the help desk Incident Record for incident 723423


Read the help desk incident record 723423 in the Student Handbook Exercise Scenario.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
   a. Visit the management subnet.
   b. Attempt local sign-in at Mr. Delaney's computer.
   c. Sign in using a local admin account to attempt resolution.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod07\Scenario2.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Switch to LON-CL1.
2. Attempt to sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Notice that you are unsuccessful.
4. Sign in by using the following credentials:
   o User name: LON-CL1\Admin
   o Password: Pa$$w0rd
5. Switch to LON-DC1.
6. In Server Manager, click Tools, and then click Services.
7. Double-click DNS Server.
8. Click Start, and then click OK.
9. Switch to LON-CL1.
10. Click Desktop.
11. On the desktop, right-click Start, point to Shut down or sign out, and then click Restart.
12. Sign in using the following credentials:
   o User name: Adatum\Alex
   o Password: Pa$$w0rd
13. Notice that you are now able to sign in.
14. Update the Resolution section of the Incident Record.
   a. Signed in as local admin.
   b. Switched to domain controller and restarted the Domain Name System (DNS) service, which had stopped.
   c. Restarted Mr. Delaney's computer.
   d. Tested signing in as Mr. Delaney. This was successful.
   e. Lack of DNS service meant no domain controller could be located for sign-in.

Results: After you have completed this exercise, you should have resolved the sign-in problem.

To prepare for the next lab


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lab B: Troubleshooting the Application of User Settings

Exercise 1: Resolving Folder Redirection Problem (1)
Task 1: Read the help-desk Incident Record for incident 723425

Read the help-desk incident record 723425 in the Student Handbook Exercise Scenario.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
   a. Visit Boris' workstation and sign in.
   b. Check the nature of the problem.
   c. Attempt to resolve the folder redirection issue:
      i. Check shared folders.
      ii. Check folder permissions.
      iii. Check the GPO configuration.
      iv. Check the GPO link and any filters.

Task 3: Create the Folder Redirection infrastructure and then simulate the problem
1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod07\Scenario3.vbs script. Wait until the script completes.
4. On the desktop, double-click Administrative Tools.
5. Double-click Group Policy Management.
6. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then right-click Adatum.com.
7. Click Create a GPO in this domain, and Link it here.
8. In the New GPO dialog box, in the Name text box, type Folder Redirection, and then click OK.
9. Right-click Folder Redirection, and then click Edit.
10. In the Group Policy Management Editor, expand User Configuration, expand Policies, expand Windows Settings, expand Folder Redirection, and then click Folder Redirection.
11. Right-click Documents, and then click Properties.
12. In the Documents Properties dialog box, in the Setting list, click Advanced - Specify locations for various user groups.
13. Click Add.


14. In the Specify Group and Location dialog box, in the Security Group Membership text box, type
Marketing.
15. Press the Tab key.
16. In the Target Folder Location list, click Create a folder for each user under the root path.
17. In the Root Path text box, type \\lon-dc1\Departments\Marketing, and then click OK.
18. In the Documents Properties dialog box, click OK.
19. In the Warning dialog box, click Yes.
20. Close the Group Policy Management Editor.
Note: You will configure only the Marketing department for this lab.
21. Right-click Start, and then click Command Prompt.
22. At the command prompt, type gpupdate /force, and then press Enter.
23. When prompted, press Y, and then press Enter to close the Command window and sign out.
24. Sign in as Adatum\Boris with the password Pa$$w0rd.
25. Click Desktop.
26. Right-click the desktop, and then click Personalize.
27. In the Personalization window, click Change desktop icons.
28. In the Desktop Icons Settings dialog box, select the User's Files check box, and then click OK.
29. Close the Personalization window.
30. On the desktop, double-click Boris Gresak.
31. Right-click Documents, and then click Properties. Notice that the folder is redirected, and then click OK.
32. Sign out.
33. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd

34. Run the D:\Labfiles\Mod07\Scenario3b.vbs script. Wait until the script completes.
35. Sign out.
36. Sign in by using the following credentials:
   o User name: Adatum\Boris
   o Password: Pa$$w0rd
37. Click Desktop.
38. On the desktop, double-click Boris Gresak.
39. Double-click Documents.
40. Right-click an area of free space, point to New, and then click Text Document. Press Enter.
41. Double-click New Text Document.


42. In Notepad, type This is my file, and then close the file.
43. Click Save when prompted.
44. In the Address bar, click Boris Gresak.
45. Right-click Documents, and then click Properties. Click the Offline Files tab.
46. Verify that the folder is showing as offline and not synced.
47. Sign out.

Task 4: Attempt to resolve the problem


1. Switch to LON-DC1.
2. On the taskbar, click the File Explorer icon.
3. In File Explorer, double-click Allfiles (E:).
4. In Allfiles (E:), right-click Departments, and then click Properties.
5. In the Departments Properties dialog box, click the Sharing tab.
6. On the Sharing tab, click Advanced Sharing.
7. In the Advanced Sharing dialog box, select the Share this folder check box.
8. Click Permissions, click Full Control Allow, and then click OK twice.
9. In the Departments Properties dialog box, click Close.

10. In File Explorer, double-click Departments, right-click Marketing, and then click Properties.
11. In the Marketing Properties dialog box, click the Security tab.
12. On the Security tab, click Edit.
13. In the Permissions for Marketing dialog box, click Add.

14. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object
names to select (examples) box, type Marketing, and then click OK.
15. In the Permissions for Marketing dialog box, select the Full control Allow check box, and then
click OK.
16. In the Error Applying Security dialog box, click Continue.
17. In the Marketing Properties dialog box, click OK.
18. Switch to LON-CL1.
19. Sign in by using the following credentials:
   o User name: Adatum\Boris
   o Password: Pa$$w0rd
20. Click Desktop.
21. On the desktop, double-click Boris Gresak.
22. Right-click Documents, and then click Properties.

23. In the Properties dialog box, click the Offline Files tab. Notice that Files are showing as in sync, and
the folder is online. Note that it might take a few moments for the status to change.
24. Sign out.

25. Update the Resolution section of the Incident Record.
   a. The file share was lost, and the file permissions on the marketing folder were missing. This prevented synchronization of Boris's files to the redirected folder.
   b. Added the shared folder for departments, and reset the file permissions for the Marketing subfolder.
   c. Signed in, and the files synced to the server.

Results: After completing the exercise, you should have resolved the Folder Redirection problem
successfully.

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.


Module 8: Configuring and Troubleshooting Remote Connectivity

Lab A: Configuring Network Access Protection Client Settings
Exercise 1: Configuring and Verifying Network Access Protection (NAP) Client Connectivity
Task 1: Read the help desk Incident Record for incident 723467

Read the help desk Incident Record 723467 in the Student Handbook exercise scenario.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record in the Student Handbook exercise scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
   a. Visit the user's computer.
   b. Configure NAP client settings.
   c. Test NAP enforcement.

Task 3: Configure NAP client settings


1. Switch to LON-CL1, and then sign in as Adatum\administrator with the password Pa$$w0rd.
2. On the Start screen, type napclcfg.msc, and then press Enter.
3. In NAPCLCFG [NAP Client Configuration (Local Computer)], in the navigation pane, click Enforcement Clients.
4. In the results pane, right-click DHCP Quarantine Enforcement Client, and then click Enable.
5. Close the NAPCLCFG [NAP Client Configuration (Local Computer)] window.
6. On the taskbar, click Start.
7. On the Start screen, type services.msc, and then press Enter.
8. In the Services console, in the results pane, double-click Network Access Protection Agent.
9. In the Network Access Protection Agent Properties (Local Computer) dialog box, in the Startup type list, click Automatic.
10. Click Start, and then click OK.


11. On the taskbar, click Start.
12. On the Start screen, type gpedit.msc, and then press Enter.
13. In the console tree, expand Local Computer Policy, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click Security Center.
14. Double-click Turn on Security Center (Domain PCs only), click Enabled, and then click OK.
15. Close the console window.
16. Right-click Start, and then click Network Connections.
17. In Network Connections, right-click London_Network, and then click Properties.

18. In the London_Network Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
19. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address automatically.
20. Click Obtain DNS server address automatically, and then click OK.
21. In the London_Network Properties dialog box, click OK or Close.

Task 4: Test NAP


1. On LON-CL1, right-click Start, and then click Command Prompt.
2. At the command prompt, type the following command, and then press Enter:
   Ipconfig
3. Switch to Services.
4. In the Services console, in the results pane, double-click Windows Firewall.
5. In the Windows Firewall Properties (Local Computer) dialog box, in the Startup type list, click Disabled.
6. Click Stop, and then click OK.
7. At the command prompt, type ipconfig /renew, and press Enter.
8. In the notification area, click the Network Access Protection pop-up warning.
9. Review the information in the Network Access Protection dialog box, and then click Close.

Note: Depending on the point at which your computer becomes noncompliant, you might
not receive a warning in the notification area. However, you may proceed.
10. At the command prompt, type the following command, and then press Enter:
Ipconfig

11. Notice that the computer has a subnet mask of 255.255.255.255 and a Domain Name System (DNS)
suffix of restricted.Adatum.com.

Results: After completing this exercise, you should have configured the client computer for NAP.
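
The client-side state that Tasks 3 and 4 configure and observe can also be read in one pass from a Windows PowerShell prompt on LON-CL1. This is an added example, not part of the course lab files; it is read-only and assumes the lab values shown on this page (the restricted.Adatum.com suffix and the 255.255.255.255 mask).

```powershell
# Added example: read-only check of NAP client prerequisites and restricted state.
# Assumption: lab values from this exercise (restricted.Adatum.com, mask 255.255.255.255).

$restrictedSuffix = 'restricted.Adatum.com'   # DNS suffix given to noncompliant clients in this lab

# 1. Services the exercise touches: NAP Agent (napagent), Security Center (wscsvc),
#    and Windows Firewall (MpsSvc). Win32_Service exposes StartMode and State.
Get-CimInstance -ClassName Win32_Service -Filter "Name='napagent' OR Name='wscsvc' OR Name='MpsSvc'" |
    Select-Object Name, DisplayName, StartMode, State |
    Format-Table -AutoSize

# 2. Enforcement clients (Task 3, step 4) and the health state the NAP agent reports.
netsh nap client show configuration
netsh nap client show state

# 3. Addressing on DHCP-enabled adapters. A noncompliant client in this lab receives
#    a host mask and the restricted DNS suffix (Task 4, step 11).
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                            -Filter "IPEnabled=TRUE AND DHCPEnabled=TRUE"

foreach ($adapter in $adapters) {
    $hasHostMask   = $adapter.IPSubnet -contains '255.255.255.255'
    $hasRestricted = $adapter.DNSDomain -eq $restrictedSuffix

    [pscustomobject]@{
        Adapter    = $adapter.Description
        IPAddress  = $adapter.IPAddress -join ', '
        SubnetMask = $adapter.IPSubnet -join ', '
        DnsSuffix  = $adapter.DNSDomain
        Restricted = ($hasHostMask -or $hasRestricted)
    }
}
```

Run it once before stopping Windows Firewall and once after ipconfig /renew to compare the compliant and restricted results.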

To prepare for the next practice session


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.


Lab B: Configuring and Testing DirectAccess


Exercise 1: Configuring DirectAccess Client-Side Settings
Task 1: Read the help desk Incident Record for incident 723469

Read the help desk Incident Record 723469 in the Student Handbook exercise scenario.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record in the Student Handbook exercise scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
   a. Visit the user's computer.
   b. Configure DirectAccess client settings.
   c. Move to the Internet to test access to intranet resources.

Task 3: Test a client on the internal network


1. Start the 20688D-LON-CL3 virtual machine.
2. Sign in by using the following credentials:
   o User name: Administrator
   o Password: Pa$$w0rd
   o Domain: Adatum
3. On LON-CL3, click Desktop, right-click Start, and then click Command Prompt.
4. At the command prompt, type gpupdate /force, and then press Enter.
5. To verify that the correct GPO is being applied to the client, at the command prompt, type gpresult /r, and then press Enter. You should see the DirectAccess Client Settings GPO listed under Applied Group Policy Objects.
6. On the taskbar, click the Internet Explorer icon.
7. In Internet Explorer, in the Address bar, type http://LON-SVR1.adatum.com, and then press Enter.
8. Verify that the Adatum Intranet page displays.
9. Close Internet Explorer.

Task 4: Move the client to the Internet, and test compliance


1. On LON-CL3, right-click Start, and then click Network Connections.
2. Right-click London_Network, and then click Disable.
3. Right-click Internet, and then click Properties.
4. In the Internet Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).
5. Click Use the following IP address, and then change the network settings:
   o IP address: 131.107.0.50
   o Subnet mask: 255.255.0.0
   o Default gateway: 131.107.0.10
   o Preferred DNS server: 172.16.0.10
6. Click OK and then either OK or Close.
7. Right-click Internet, and then click Enable.
8. On the desktop, on the taskbar, click the Internet Explorer icon.
9. In Internet Explorer, in the Address bar, type http://LON-SVR1.adatum.com, and then press Enter.

10. Verify that the Adatum Intranet page displays.


11. Leave the Internet Explorer window open.
12. Switch to the command prompt.
13. At the command prompt, type the following command, and then press Enter.
ipconfig
Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an IP-HTTPS
address.
14. At the command prompt, type the following, and then press Enter.
Netsh name show effectivepolicy

15. Verify that DNS Effective Name Resolution Policy Table Settings present two entries for adatum.com
and Directaccess-NLS.Adatum.com.
16. At the command prompt, type the following command, and then press Enter.
Powershell

17. At the Windows PowerShell command prompt, type the following command, and then press Enter.
Get-DAClientExperienceConfiguration

Notice the DirectAccess client settings.


18. Switch to LON-RTR.
19. Switch to the Remote Access Management console.

20. In the console pane, click Remote Client Status. Notice that the client is connected via IPHttps. In the Connection Details pane, in the lower-right of the screen, note the use of Kerberos for the Machine and the User.
Note: If no data is displayed, restart LON-CL3, sign in as Adatum\Administrator with the
password Pa$$w0rd. Then repeat steps 8 and 9 before continuing from step 18.


21. Close all open windows.

Results: After completing this exercise, you should have configured the client-side settings for
DirectAccess and tested access to internal resources.
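
The client-side checks in Task 4 (steps 13 through 17) can be gathered into one read-only script on LON-CL3. This is an added example, not part of the course lab files; the namespace names and the 2002 address prefix are the lab values from this page, and the script assumes the DirectAccess client cmdlets that ship with Windows 8.1.

```powershell
# Added example: read-only DirectAccess client verification for this lab.
# Assumption: NRPT namespaces and the 2002: IP-HTTPS prefix are the values this page states.

$expectedNamespaces = 'adatum.com', 'Directaccess-NLS.Adatum.com'

# 1. Effective Name Resolution Policy Table (the same data that step 14 displays).
$nrpt = @(Get-DnsClientNrptPolicy -Effective)
$nrpt | Select-Object Namespace, DirectAccessDnsServers, DirectAccessEnabled |
    Format-Table -AutoSize

foreach ($name in $expectedNamespaces) {
    # Suffix rules are stored with a leading dot (.adatum.com), so trim it before comparing.
    $present = @($nrpt | Where-Object {
        @($_.Namespace | ForEach-Object { $_.TrimStart('.') }) -contains $name
    }).Count -gt 0
    '{0,-32} in effective NRPT: {1}' -f $name, $present
}

# 2. IP-HTTPS tunnel state and address (step 13 checks this with ipconfig).
Get-NetIPHttpsState | Format-List LastErrorCode, InterfaceStatus

$tunnelAddresses = @(Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Where-Object { $_.InterfaceAlias -like '*iphttps*' -and $_.IPAddress -like '2002:*' })
'IP-HTTPS addresses starting with 2002: {0}' -f $tunnelAddresses.Count

# 3. Overall status as the Network Connectivity Assistant reports it.
try {
    Get-DAConnectionStatus -ErrorAction Stop | Format-List Status, Substatus
}
catch {
    Write-Warning "Get-DAConnectionStatus failed: $($_.Exception.Message)"
}

# 4. The settings that step 17 displays.
Get-DAClientExperienceConfiguration
```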

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL3, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1, 20688D-LON-SVR1, 20688D-LON-RTR, and 20688D-LON-CL3.


Module 9: Troubleshooting Resource Access within a Domain

Lab: Troubleshooting Resource Access within a Domain
Exercise 1: Resolving a Logon Script Problem
Task 1: Read the help desk Incident Record for Incident 723307

Read the help desk Incident Record 723307 in the Student Handbook Exercise scenario.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise scenario.
2. Discuss your recommendations with other students:
   a. Determine which Group Policy is applying the script.
   b. Review the configuration of the Group Policy.
   c. Review Dana Birkby's account configuration, and compare it to Adam Barr's.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod09\Scenario.vbs script.
4. Wait until the script completes.

Task 4: Attempt to resolve the problem


1. Switch to LON-CL1 and sign out.
2. Sign back in to LON-CL1 as Adatum\Adam with the password of Pa$$w0rd.
3. On the Start screen, click the Desktop tile.
4. On the desktop, click the File Explorer icon.
5. In File Explorer, verify the presence of a drive mapping for drive M to \\lon-dc1\Marketing.
6. Sign out of LON-CL1.
7. Sign back in to LON-CL1 as Adatum\Dana with the password of Pa$$w0rd.
8. On the Start screen, click the Desktop icon.
9. On the desktop, click the File Explorer icon.

10. In File Explorer, verify the lack of a drive mapping for drive M to \\lon-dc1\Marketing.
11. Sign out of LON-CL1.
12. Sign back in to LON-CL1 as Adatum\Administrator with the password Pa$$w0rd.

13. Click Desktop.
14. Double-click Administrative Tools.
15. Double-click Group Policy Management.
16. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and then expand
Adatum.com.
17. Right-click Marketing, and then click Edit.
18. Expand User Configuration, expand Policies, expand Windows Settings, and then click Scripts
(Logon/Logoff).
19. In the details pane, double-click Logon.


20. In the Logon Properties dialog box, click the PowerShell Scripts tab. Verify the presence of a script,
and then click Cancel.
21. Close the Group Policy Management Editor.

22. You can see that the Marketing GPO is linked to the domain. In the Details pane, you can see that the
Marketing group has the necessary permissions to apply the policy.
23. Close Group Policy Management.
24. In Administrative Tools, double-click Active Directory Users and Computers.

25. In Active Directory Users and Computers, expand Adatum.com, click Marketing, and then double-click Dana Birkby.
26. In the Dana Birkby Properties dialog box, click the Member Of tab. Notice that Dana does not
belong to the Marketing group. Click Add.
27. In the Select Groups dialog box, type Marketing, and then click OK.
28. In the Dana Birkby Properties dialog box, click OK.
29. Close all open windows, and sign out.
30. Sign in as Adatum\Dana with the password Pa$$w0rd.
31. Click the Desktop tile, and on the desktop, click the File Explorer icon.
32. In File Explorer, verify the presence of the drive mapping to the Marketing folder.
33. Sign out.
34. Update the Resolution section of the Incident Record with the following comment:
   o The mapping for drive M is being scoped (by security group filtering) to the Marketing security group. Dana was not a member of the Marketing security group. Adding her as a member of the Marketing security group resolved the problem.

Results: After completing this exercise, you should have resolved a file access issue.
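
The comparison that steps 22 through 26 make in the consoles (who may apply the Marketing GPO, and which groups each user belongs to) can be done in one pass. This is an added example, not part of the course lab files; it assumes the GroupPolicy and ActiveDirectory modules are available on LON-CL1 and that Dana and Adam are the account names behind the sign-in names Adatum\Dana and Adatum\Adam.

```powershell
# Added example: explain why a security-filtered GPO applies to one user and not another.
# Assumptions: GPO name 'Marketing'; account names 'Dana' and 'Adam' (from the sign-in
# names used in this exercise). Read-only; run as Adatum\Administrator.
Import-Module GroupPolicy, ActiveDirectory

$gpoName = 'Marketing'
$users   = 'Dana', 'Adam'

# Trustees that hold the Apply Group Policy permission, which is the GPO's security filter.
$filter = @(Get-GPPermission -Name $gpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name })

"Security filter on GPO '$gpoName': $($filter -join ', ')"

$report = foreach ($name in $users) {
    $user = Get-ADUser -Identity $name

    # All groups that contain the user, nested membership included, by using the
    # LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941).
    $ldapFilter = "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))"
    $groups     = @(Get-ADGroup -LDAPFilter $ldapFilter | ForEach-Object { $_.Name })

    # A user is in scope through a filtered group, a direct entry, or Authenticated Users.
    $via = @($filter | Where-Object {
        ($groups -contains $_) -or ($_ -eq $user.SamAccountName) -or ($_ -eq 'Authenticated Users')
    })

    [pscustomobject]@{
        User       = $user.SamAccountName
        InScope    = ($via.Count -gt 0)
        InScopeVia = $via -join ', '
        Groups     = $groups -join ', '
    }
}

$report | Format-List
```

A membership change only reaches the user's access token at the next sign-in, which is why steps 29 and 30 sign out and back in before checking the drive mapping.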


Exercise 2: Resolving a File Permissions Issue


Task 1: Read the help desk Incident Record for Incident 723308

Read the help desk Incident Record 723308 in the Student Handbook Exercise scenario.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise scenario.
2. Discuss your recommendations with other students:
   a. Review file system permissions, and verify effective permissions.
   b. Review Share permissions.

Task 3: Verify the problem


1. Switch to LON-CL1.
2. Sign in as Adatum\Allie with the password Pa$$w0rd.
3. Click Desktop, and then click the File Explorer icon.
4. In the address bar, type \\lon-dc1\Marketing and then press Enter.

Note: Theoretically, this mapping should not work as Allie is not in the Marketing group.
However, the mapping is successful.

Task 4: Attempt to resolve the problem


1. Switch to LON-DC1.
2. If necessary, click the Desktop tile.
3. On the desktop, click the File Explorer icon.
4. In File Explorer, navigate to drive E, right-click Marketing, and then click Properties.
5. In the Marketing Properties dialog box, click the Sharing tab.
6. On the Sharing tab, click Advanced Sharing.
7. In the Advanced Sharing dialog box, click Permissions. Verify that the permissions are granted to Everyone Full Control.
8. Click Cancel, and then click Cancel again.
9. In the Marketing Properties dialog box, click the Security tab.

10. On the Security tab, click Advanced, and then click the Effective Access tab.
11. On the Effective Access tab, click Select a user.

12. In the Select User, Computer, Service Account, or Group dialog box, type Allie, and then click OK.
13. Click View effective access.
14. Verify that Allie has Read permissions, and then click Cancel.
15. In the Marketing Properties dialog box, click Advanced.
16. In the Advanced Security Settings for Marketing dialog box, click Disable inheritance.

17. Click Convert inherited permissions into explicit permissions on this object, and then click OK.

18. Click Edit.

19. In the Permissions for Marketing dialog box, click Users, click Remove, and then click OK.
20. Click Advanced, and then click the Effective Access tab.
21. On the Effective Access tab, click Select a user.


22. In the Select User, Computer, Service Account, or Group dialog box, type Allie, and then click OK.
23. Click View effective access.
24. Verify that Allie has no permissions.
25. Click Select a user.
26. In the Select User, Computer, Service Account, or Group dialog box, type Adam, and then
click OK.
27. Click View effective access.
28. Verify that Adam has Full control permissions. Click OK, and then click Close.
29. Update the Resolution section of the Incident Record with the following comment:
   o The inherited permissions on E:\Marketing included the Users group having Read permissions. This was removed.

Results: After completing this exercise, you should have resolved a file access issue.
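
Both this exercise and the Folder Redirection exercise in Module 7, Lab B come down to reading two permission layers side by side: the share permissions and the NTFS permissions, including which NTFS entries are inherited. The following is an added example, not part of the course lab files; Get-FolderAccessReport is a hypothetical helper name, and the share names are the ones this page uses on LON-DC1.

```powershell
# Added example: list share-level and NTFS access for a shared folder in one table.
# Get-FolderAccessReport is a hypothetical helper written for this illustration.
# Effective access over the network is the more restrictive of the two layers, so
# when the share grants Everyone Full Control, NTFS is the only gate that remains.

function Get-FolderAccessReport {
    param(
        [Parameter(Mandatory)] [string] $ShareName,
        [string] $SubFolder = '',
        [string[]] $BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )

    $share = Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue
    if (-not $share) {
        # This is the Module 7 symptom: the share behind the redirected folder is gone.
        Write-Warning "Share '$ShareName' does not exist on this server."
        return
    }

    # Layer 1: share permissions.
    foreach ($entry in Get-SmbShareAccess -Name $ShareName) {
        [pscustomobject]@{
            Layer     = 'Share'
            Principal = $entry.AccountName
            Rights    = $entry.AccessRight
            Type      = $entry.AccessControlType
            Inherited = $false
            Broad     = $BroadPrincipals -contains $entry.AccountName
        }
    }

    # Layer 2: NTFS permissions on the shared path or a subfolder of it.
    $path = if ($SubFolder) { Join-Path -Path $share.Path -ChildPath $SubFolder } else { $share.Path }
    foreach ($ace in (Get-Acl -Path $path).Access) {
        [pscustomobject]@{
            Layer     = 'NTFS'
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited      # True = comes from the parent folder
            Broad     = $BroadPrincipals -contains $ace.IdentityReference.Value
        }
    }
}

# Module 9, Exercise 2: look for an inherited, broad NTFS entry on the Marketing share.
Get-FolderAccessReport -ShareName 'Marketing' | Format-Table -AutoSize

# Module 7, Lab B: confirm the Departments share exists and check the Marketing subfolder.
Get-FolderAccessReport -ShareName 'Departments' -SubFolder 'Marketing' | Format-Table -AutoSize
```

Before step 16 of this exercise, the Marketing report shows a BUILTIN\Users row with Inherited and Broad both True; after step 19 that row is gone.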

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.


Module 10: Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members

Lab: Configuring and Troubleshooting Resource Access for Clients That Are Not Domain Members
Exercise 1: Troubleshooting Workplace Join
Task 1: Read the scenario

Read the scenario to identify how A. Datum Corporation has implemented Workplace Join.

Task 2: Create an orientation session about Workplace Join


1. Workplace Join is required for accessing which application?
   Answer: Workplace Join is required for access to the Sales and Ordering application. However, this might expand to other applications in the future.
2. How does Workplace Join enhance security for the application?
   Answer: Workplace Join creates an object in AD DS for the device. This behaves similarly to a domain member computer, and access can be restricted to domain member devices. This means that the application cannot be accessed from random locations.
3. Can desktop support perform a Workplace Join during initial device configuration?
   Answer: No. If a single device is used by more than one user, each user must perform a Workplace Join. Workplace Join uniquely identifies the combination of a user and a device. A certificate is placed on the device for that user and device combination. The certificate is then used during authentication.
4. What information do users need to provide during Workplace Join?
   Answer: Users need to provide their user principal name (UPN) during Workplace Join. This UPN is used to authenticate the user during the Workplace Join process. The domain portion of the UPN is also used to identify the server that the device connects to for Workplace Join. The device connects to deviceregistration.domainname.com.
5. What issues are likely to prevent Workplace Join from completing properly?
   Answer: Some of the common issues that might be encountered during Workplace Join include:
   o Users entering an incorrect UPN. Some users might be confused and enter their email address instead.
   o Lack of network connectivity. If the device is having network connectivity problems, then Workplace Join will fail.
   o Certificate trust issues. The certificates are from a trusted certification authority (CA) on the Internet. So, this will not be a common issue. However, when new certificates are implemented, some computers or devices might need updates to have the proper trusted root CA.
6. Which devices support Workplace Join?
   Answer: At this time, Workplace Join can be performed for Windows 8.1 devices and iOS devices.


Results: After completing this exercise, you should have created an outline that can be used for training
help desk and desktop support staff on the configuration of Workplace Join.

Exercise 2: Troubleshooting Work Folders


Task 1: Read the scenario

Read the scenario to identify how A. Datum has implemented Work Folders.

Task 2: Create an orientation session about Work Folders


1. Which group of users is using Work Folders first?
   Answer: The executives are using Work Folders first because they have a defined need for it now.
2. How does home drive data synchronize with Work Folders?
   Answer: The home drive data does not synchronize with Work Folders. The home drive location becomes the Work Folders. The mapped drive letter provided to executives for their home folder is the server location that stores Work Folders data.
3. Which devices are supported for Work Folders?
   Answer: At this time, Work Folders are supported by Windows 8.1 computers and tablets. Clients should be available soon for Windows 7, Windows 8, iOS, and Android.
4. How do the executives connect to Work Folders?
   Answer: Auto discovery has been configured for Work Folders. So, during initial configuration, executives provide their email addresses. The domain portion of the email address is used to locate the server at workfolders.domainname.com.
5. Which user property defines the URL used to access Work Folders?
   Answer: Each user account has an msDS-SyncServerURL attribute that defines the Work Folders server for that user. This attribute must be configured manually when multiple Work Folders servers are implemented and auto discovery is used.
6. What happens if executives do not have their smartphones available during authentication?
   Answer: If executives do not have their smartphones, they will not be able to authenticate. This is the purpose of multifactor authentication. As an alternative access solution, executives could use the virtual private network (VPN) and access their home drives.

Results: After completing this exercise, you will have created an outline for training help desk and
desktop support staff on Work Folders configuration.


Exercise 3: Troubleshooting OneDrive for Business


Task 1: Read the scenario

Read the scenario to identify how A. Datum has implemented Microsoft OneDrive for Business.

Task 2: Create an orientation session about OneDrive for Business


1. Which users in A. Datum will be using OneDrive for Business?
   Answer: The Research department in A. Datum Corporation will be the first to use OneDrive for Business.
2. Where is OneDrive for Business data stored?
   Answer: OneDrive for Business stores data in a specialized document library within SharePoint Server 2013 or SharePoint Online. A. Datum has implemented OneDrive for Business as part of an on-premises installation of SharePoint Server 2013. This allows A. Datum to retain complete control over its data, perform backups, and archive data.
3. What software is required for Windows 8.1 computers to synchronize files with OneDrive for Business?
   Answer: The OneDrive for Business Windows Sync client can synchronize data to Windows computers. The client supports Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012.
4. Can non-Windows clients access OneDrive for Business?
   Answer: Yes. An app is available for iOS devices. In addition, any web browser that is supported by SharePoint Server 2013 can access OneDrive for Business. In addition to recent versions of Internet Explorer, most major browsers such as Google Chrome, Safari, and Mozilla Firefox are supported.
5. Are there file size limitations that the researchers should be aware of for synchronization?
   Answer: There are several limitations that the researchers should be aware of:
   o The OneDrive for Business Windows Sync client supports a maximum of 20,000 files in OneDrive for Business.
   o The maximum file size for downloads is 2 gigabytes (GB).
   o The maximum data size for uploads is 250 megabytes (MB).

Results: After completing this exercise, you will have created an outline for training help desk and
desktop support staff on OneDrive for Business configuration.

Exercise 4: Implementing Work Folders


Task 1: Install Work Folders on the server
1. On LON-DC1, in Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard, on the Before you begin page, click Next.
3. On the Select Installation Type page, click Role-based or feature-based installation, and then click Next.
4. On the Select destination server page, click Select a server from the server pool, click LON-DC1.adatum.com, and then click Next.
5. On the Select server roles page, expand File and Storage Services (2 of 12 Installed), expand File and iSCSI Services (1 of 11 Installed), and then select the Work Folders check box.
6. In the dialog box, click Add Features.
7. On the Select server roles page, click Next.
8. On the Select features page, click Next.
9. On the Confirmation page, click Install.

10. When the installation is complete, click Close.

Task 2: Configure Work Folders on the server


1. On LON-DC1, in Server Manager, in the navigation pane, click File and Storage Services, and then click Work Folders.
2. On the Work Folders page, click To create a sync share for Work Folders, start the New Sync Share Wizard.
3. In the New Sync Share Wizard, on the Before you begin page, click Next.
4. On the Select the server and path page, click LON-DC1.
5. In the Enter a local path box, type C:\ExecutiveWF, and then click Next.
6. In the dialog box, click OK to create the directory.
7. On the Specify the structure for user folders page, click User alias, and then click Next.
8. On the Enter the sync share name page, in the Name box, type ExecutiveWF, and then click Next.
9. On the Grant sync access to groups page, click Add.

10. In the Select User or Group dialog box, in the Enter the object name to select box, type
Managers, and then click OK.
11. On the Grant sync access to groups page, click Next.

12. On the Device Policies page, clear the Automatically lock screen, and require a password check
box, select the Encrypt Work Folders check box, and then click Next.
13. On the Confirm selections page, read the summary, and then click Create.
14. After the sync share is created, click Close.

15. In Server Manager, on the Work Folders page, verify that the members of the Managers group are
listed in the Users box.

Task 3: Configure the certificate for Work Folders


1. On LON-DC1, open a Windows PowerShell Command Prompt window.
2. At the Windows PowerShell command prompt, type Get-ChildItem -Path Cert:\localmachine\my | fl, and then press Enter.
3. Identify the certificate with the FriendlyName of Work Folders Certificate.
4. Identify the value of the Thumbprint property for the Work Folders Certificate.
5. On the Start screen, type cmd, and then press Enter.
6. At the command prompt, type netsh http add sslcert ipport=0.0.0.0:443 certhash=thumbprint appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY, and then press Enter.

Note: You can copy the thumbprint value from the Windows PowerShell command prompt by selecting the value, right-clicking the selection, and then clicking Copy. To paste the thumbprint value at the command prompt, right-click, and then click Paste.
7. Close the Command Prompt window.
8. Close the Windows PowerShell Command Prompt window.

Note: The certificate that was created in advance for this task contains the names lon-dc1.adatum.com and workfolders.adatum.com.
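
Steps 2 through 6 can be done without copying the thumbprint by hand, with a few checks on the certificate before it is bound. This is an added example, not part of the course lab files; it assumes Windows PowerShell 4.0 on LON-DC1 (for the DnsNameList property) and uses the friendly name, appid, and host names given in this task.

```powershell
# Added example: find the Work Folders certificate by FriendlyName, check it, and bind it
# to 0.0.0.0:443. Values below are the ones this task gives; run in an elevated session.
$friendlyName  = 'Work Folders Certificate'
$appId         = '{CE66697B-3AA0-49D1-BDBD-A25C8359FD5D}'    # appid from step 6
$expectedNames = 'lon-dc1.adatum.com', 'workfolders.adatum.com'

# Steps 2-4: locate the certificate. More than one match would make the choice ambiguous.
$matches = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })
if ($matches.Count -ne 1) {
    throw "Expected exactly one certificate named '$friendlyName', found $($matches.Count)."
}
$cert = $matches[0]

# Checks a binding would otherwise hide until clients fail to connect.
if (-not $cert.HasPrivateKey) { throw 'The certificate has no private key on this server.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "The certificate expired on $($cert.NotAfter)." }

$certNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
foreach ($name in $expectedNames) {
    if ($certNames -notcontains $name) {
        Write-Warning "The certificate does not list '$name'; clients that use that name will not trust it."
    }
}

# Step 6: create the binding. Each argument is passed as one quoted string because an
# unquoted {GUID} is parsed by PowerShell as a script block (the lab avoids this by using cmd).
netsh http add sslcert 'ipport=0.0.0.0:443' "certhash=$($cert.Thumbprint)" "appid=$appId" 'certstorename=MY'
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
}

# Confirm what HTTP.sys now holds for the endpoint.
netsh http show sslcert 'ipport=0.0.0.0:443'
```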

Task 4: Configure Group Policy for domain-joined clients


1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, and then click Managers.
3. Right-click Managers, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO dialog box, in the Name box, type WorkFolders, and click OK.
5. Expand Managers, right-click WorkFolders, and then click Edit.
6. In the Group Policy Management Editor, in the navigation pane, under User Configuration, expand Policies, expand Administrative Templates, expand Windows Components, and then click Work Folders.
7. Double-click Specify Work Folders settings.
8. In the Specify Work Folders settings dialog box, click Enabled.
9. In the Work Folders URL box, type https://lon-dc1.adatum.com, and then click OK.

10. Close the Group Policy Management Editor.


11. Close Group Policy Management.

Task 5: Configure Work Folders on a domain-joined client


1. On LON-CL1, sign in as Adatum\Aidan with a password of Pa$$w0rd.
2. On the Start screen, type work, and then click Work Folders.
3. On the Work Folders page, click Set up Work Folders.
4. In the Confirm Work Folders location window, click Next.
5. In the Accept security policies window, select the I accept these policies on my PC check box, and then click Set up Work Folders.
6. In the Setup finished window, click Close.
7. Review the information in the Work Folders window.
8. Close the Work Folders window.

Task 6: Verify Work Folders encryption


1. On LON-CL1, open File Explorer, and then double-click Work Folders.
2. Right-click in an open area, point to New, and click Text Document.
3. Type Test, and then press Enter to rename the file.
4. Right-click Test, and then click Properties.
5. In the Test Properties dialog box, click Advanced.
6. In the Advanced Attributes dialog box, verify that the Encrypt content to secure data check box is selected, and then click OK.
7. In the Test Properties dialog box, click OK.
8. Close File Explorer.

Task 7: Configure Domain Name System (DNS) for clients that are not domain members

1. On LON-DC1, in Server Manager, click Tools, and then click DNS.
2. In DNS Manager, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com.
3. Right-click Adatum.com, and then click New Alias (CNAME).
4. In the New Resource Record dialog box, in the Alias name box, type workfolders.
5. In the Fully qualified domain name (FQDN) for target host box, type lon-dc1.adatum.com, and then click OK.
6. Close DNS Manager.

Task 8: Configure the user properties for Work Folders


1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative Center.
2. In Active Directory Administrative Center, in the Global Search box, type Aidan, and then press Enter.
3. Right-click Aidan Delaney, and then click Properties.
4. In the Aidan Delaney window, click Extensions, and then click the Attribute Editor tab.
5. Scroll down, and then double-click the msDS-SyncServerUrl attribute.
6. In the Multi-valued String Editor dialog box, in the Value to add box, type https://lon-dc1.adatum.com, click Add, and then click OK.
7. In the Aidan Delaney window, click OK.
8. Close Active Directory Administrative Center.

Task 9: Configure Work Folders on a computer that is not a domain member


1. On LON-CL4, sign in as Admin with a password of Pa$$w0rd.
2. On the Start screen, type work, and then click Work Folders.
3. In the Work Folders window, click Set up Work Folders.
4. In the Enter work email window, in the Work email address box, type aidan@adatum.com, and then click Next.
5. When prompted, sign in as Adatum\Aidan with a password of Pa$$w0rd.
6. In the Confirm Work Folders Location window, click Next.
7. In the Accept security policies window, select the I accept these policies on my PC check box, and then click Set up Work Folders.
8. In the Setup finished window, click Close.
9. Notice that a view of Work Folders has opened, and it contains the Test document that you created earlier.
10. Close all open windows.

Results: After completing this exercise, you will have configured Work Folders for the A. Datum
executives.

To prepare for the next module


When you have finished the lab, revert the virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1 and 20688D-LON-CL4.


Module 11: Troubleshooting Applications

Lab A: Troubleshooting Desktop Apps


Exercise 1: Troubleshooting AppLocker Policy Application
Task 1: Read the help desk Incident Record for incident 723401

Read the help desk incident record 723401 in the Student Handbook Exercise Scenario.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record in the student handbook exercise scenario.
2. Discuss your recommendations with other students:
   a. Visit the user's computer.
   b. Sign in as a member of the Sales group and verify the application of the AppLocker restriction policy.
   c. If the policy is not applying, use Group Policy Object (GPO) troubleshooting techniques to determine why.
   d. Assuming that the GPO is applying, examine the settings of the AppLocker policy itself.
   e. Check for requirements of AppLocker enforcement:
      i. Application Identity service running
      ii. Default rules applied
      iii. Enforcement enabled in AppLocker policy

Task 3: Verify the problem


1. Switch to LON-CL3.
2. Sign in by using the following credentials:
   o User name: Adatum\Karin
   o Password: Pa$$w0rd
3. Click Desktop and then click File Explorer.
4. In the Address bar, type \\lon-dc1\Sales\XmlNotepad.msi, and then press Enter.
5. When installation starts, click Cancel. This shows that the AppLocker policy is not being enforced.
6. Sign out.

Task 4: Attempt to resolve the problem


1. On LON-CL3, sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Click Desktop.
3. On the desktop, double-click Administrative Tools, and then double-click Group Policy Management.
4. In Group Policy Management, expand Forest: Adatum.com, expand Domains, expand Adatum.com, expand Group Policy Objects, and then click Sales AppLocker Policy.
5. Right-click Sales AppLocker Policy, and then click Edit.
6. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, expand Application Control Policies, expand AppLocker, and then click Windows Installer Rules.
7. Right-click Windows Installer Rules, and then click Create Default Rules.
8. In the details pane, double-click the Deny rule.
9. In the Deny Properties dialog box, click the Path tab, and then click Browse Files.

10. In the File name box, type \\lon-dc1\sales, and then press Enter.
11. In the Open dialog box, double-click XmlNotepad.msi and then click OK.
12. In the navigation pane, right-click AppLocker, and then click Properties.
13. In the AppLocker Properties dialog box, under Windows Installer rules, select the Configured
check box, and then click OK.
14. In the navigation pane, click System Services.
15. Double-click Application Identity.

16. In the Application Identity Properties dialog box, select the Define this policy setting check box,
click Automatic, and then click OK.
17. Close the Group Policy Management Editor.
18. Close Group Policy Management.
19. On the desktop, in the Administrative Tools window, double-click Active Directory Users and
Computers.
20. In Active Directory Users and Computers, expand Adatum.com, and then click Computers.
21. Right-click LON-CL3, and then click Move.
22. In the Move dialog box, click Sales, and then click OK.
23. Right-click Start and then click Command Prompt.
24. At the command prompt, type gpupdate /force, and then press Enter.
25. At the command prompt, type shutdown /r, and then press Enter.
26. When LON-CL3 has restarted, sign in by using the following credentials:
   o User name: Adatum\Karin
   o Password: Pa$$w0rd

27. Click Desktop and then click File Explorer.


28. In the Address bar, type \\lon-dc1\Sales\XmlNotepad.msi, and then press Enter. Complete the
wizard by using the default values.
29. Note the error. You do not need to proceed further.


30. Update the Resolution section of the Incident Record with the following comments:
   o Enabled Default Windows Installer rules.
   o Verified the installer path in the Deny rule.
   o Turned on AppLocker enforcement.
   o Configured policy to start the Application Identity service.
   o Moved a computer, LON-CL3, to Sales OU to test the policy.

Results: After completing this exercise, you should have successfully resolved the AppLocker policy
application problem.
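The three enforcement requirements listed in Task 2 (Application Identity service, default rules, enforcement mode) can be checked on the client in one pass, together with the decision that the effective policy gives for the installer. This is an added example, not part of the course lab; it assumes an elevated Windows PowerShell session on LON-CL3 after gpupdate, and treats "at least one Allow rule" as a stand-in for "default rules applied".

```powershell
# Added example (not from the course material): check the AppLocker
# enforcement prerequisites for Windows Installer rules on the client.
Import-Module AppLocker

$InstallerPath = '\\lon-dc1\Sales\XmlNotepad.msi'   # lab value from this page
$TestUser      = 'Adatum\Karin'                     # lab value from this page
$findings      = @()

# Requirement i: the Application Identity service must be running.
$svc = Get-Service -Name AppIDSvc
if ($svc.Status -ne 'Running') {
    $findings += "Application Identity service is $($svc.Status)."
}

# The effective policy is what the computer received after all GPOs merged.
$policy = Get-AppLockerPolicy -Effective
$msi = $null
foreach ($collection in $policy.RuleCollections) {
    if ($collection.RuleCollectionType -eq 'Msi') { $msi = $collection }
}

if ($null -eq $msi -or $msi.Count -eq 0) {
    $findings += 'No Windows Installer rules reached this computer (check GPO link and OU).'
} else {
    # Requirement ii: default rules. Assumption: their presence is approximated
    # here by the collection containing at least one Allow rule.
    $allow = @($msi | Where-Object { $_.Action -eq 'Allow' })
    $deny  = @($msi | Where-Object { $_.Action -eq 'Deny' })
    if ($allow.Count -eq 0) {
        $findings += 'Windows Installer collection has no Allow rules.'
    }
    # Requirement iii: enforcement mode of the collection.
    if ($msi.EnforcementMode -eq 'AuditOnly') {
        $findings += 'Windows Installer rules are in audit-only mode (logged, not blocked).'
    }
    "Msi rules: $($allow.Count) allow, $($deny.Count) deny, mode $($msi.EnforcementMode)"
}

# Ask the rule engine what it would decide for the lab installer and user.
# This evaluates the rules only; it says nothing about the service state,
# which is why the checks above are still needed.
$policy | Test-AppLockerPolicy -Path $InstallerPath -User $TestUser |
    Format-List FilePath, PolicyDecision, MatchingRule

# Recent AppLocker events for installers and scripts, if any were logged.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/MSI and Script' `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -Wrap

if ($findings.Count -eq 0) {
    'All checked prerequisites for Windows Installer rule enforcement are met.'
} else {
    $findings
}
```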

To prepare for the next practice session


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL3, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.

Lab B: Troubleshooting Windows Internet Explorer
Exercise 1: Resolving a Windows Internet Explorer Issue
Task 1: Read the help desk Incident Record for incident 723407

Read the help desk incident record 723407 in the Student Handbook Exercise Scenario.

Task 2: Discuss recommendations


1. Read the Additional Information section of the Incident Record in the student handbook exercise scenario.
2. Discuss your recommendations with other students:
   a. Visit the user's computer and view the problem. This could probably be done remotely.
   b. Review the Internet Explorer configuration.
   c. Make the required changes.
   d. Change the home page.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod11\Scenario2.vbs script.
4. When the script has finished running, sign out.

Task 4: Attempt to resolve the problem


1. Switch to LON-CL1 and sign in as Adatum\Josh with the password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. On the desktop, on the taskbar, click Internet Explorer.
4. In the Internet Explorer window, in the Address bar, type http://lon-dc1.adatum.com, and then press Enter.
5. When prompted for credentials, click Cancel.
6. In the Internet Explorer Address bar, type http://lon-dc1, and then press Enter.
7. Right-click the star on the toolbar, and then click Menu bar.
8. On the menu, click Tools, and then click Internet options.
9. In the Internet Options dialog box, on the General page, click Use current.

10. Click the Security tab. You can see that http://lon-dc1 is a Local intranet site.
11. In the Internet Options dialog box, click OK.
12. Close Internet Explorer.


13. Update the Resolution section of the Incident Record with the following three options to resolve the problem:
   a. Instruct the user to use a single label URL to access the intranet site. This allows Internet Explorer to recognize the site as an intranet site to which it can automatically pass the local workstation credentials.
   b. Configure http://lon-dc1 as the home page.
   OR
   c. Manually add http://lon-dc1.adatum.com to the Intranet sites list.
   d. Configure http://lon-dc1.adatum.com as the home page.
   OR
   e. Manually add http://lon-dc1.adatum.com to trusted sites, and then configure trusted sites to allow automatic logon with current user name and password.
   f. Configure http://lon-dc1.adatum.com as the home page.

Results: After you have completed the exercise, you should have successfully resolved the Internet
Explorer authentication issue.

To prepare for the next practice session


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.


Module 12: Maintaining Windows 8.1

Lab: Maintaining Windows 8.1


Exercise 1: Troubleshooting a Performance Problem
Task 1: Establish a performance baseline
1. If necessary, sign in to LON-CL1 as Adatum\administrator with the password Pa$$w0rd.
2. Switch to the Desktop, and then double-click Administrative Tools.
3. Double-click Performance Monitor.
4. In Performance Monitor, in the navigation pane, expand Data Collector Sets.
5. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.
6. In the Create new Data Collector Set Wizard, on the How would you like to create this new data collector set? page, in the Name text box, type Adatum Baseline.
7. Click Create manually (Advanced), and then click Next.
8. On the What type of data do you want to include? page, select the Performance counter check box, and then click Next.
9. On the Which performance counters would you like to log? page, in the Sample interval field, type 1, and then click Add.

10. In the Available counters list, expand Memory, click Pages/sec, and then click Add.

11. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.
12. In the Available counters list, expand Physical Disk, click % Disk Time, and then click Add.
13. Under Physical Disk, click Avg. Disk Queue Length, and then click Add.
14. In the Available counters list, expand Processor, click % Processor Time, and then click Add.

15. In the Available counters list, expand System, click Processor Queue Length, click Add, and then
click OK.
16. On the Which performance counters would you like to log? page, click Next.
17. On the Where would you like the data to be saved? page, click Next.
18. On the Create the data collector set page, click Finish.

19. In Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.
20. Click Start.
21. Click the Down Arrow, and then click Word 2013.
22. In Microsoft Word, in the Microsoft Office Activation Wizard, click Close.
23. Click Start.
24. Click the Down Arrow, and then click Excel 2013.
25. Click Start.
26. Click the Down Arrow, and then click PowerPoint 2013.
27. Close all open Microsoft Office 2013 apps, and then switch to Performance Monitor.
28. In the navigation pane, right-click Adatum Baseline, and then click Stop.


29. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Adatum Baseline, and then click the report that has a name that begins with LON-CL1.
30. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
31. Record the following values:
   o Memory Pages per second
   o Network Interface Packets per second
   o Physical Disk % Disk Time
   o Physical Disk Avg. Disk Queue Length
   o Processor % Processor Time
   o System Processor Queue Length

Task 2: Read the help desk Incident Record for incident 723499

Read the help desk Incident Record 723499 in the Student Handbook Exercise Scenario.

Task 3: Discuss recommendations


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Discuss your recommendations with other students:
   a. Visit the user's computer.
   b. Load Performance Monitor to collect performance data by using a data collector set.
   c. Compare with the baseline report generated in the test environment.
   d. Identify the bottlenecked resource, if any.

Task 4: Simulate the problem


1. Switch to LON-CL1.
2. If necessary, sign in using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod12\Scenario.vbs script.
4. The script starts to generate load.

Task 5: Attempt to resolve the problem


1. Switch to Performance Monitor.
2. Under Data Collector Sets, click User Defined.
3. Right-click Adatum Baseline, and then click Start.
4. Click Start, type cmd.exe, and then press Enter.
5. At the command prompt, type perfmon /res and then press Enter.
6. In Resource Monitor, which components are under strain?

   Answers will vary depending upon usage scenario and host configuration, although CPU and network are likely to be heavily used.

7. After a few minutes, in the Windows Script Host prompt, click OK.
8. Close the instance of C:\Windows\System32\cmd.exe that the script launched.
9. Switch to Performance Monitor.

10. In the navigation pane, right-click Adatum Baseline, and then click Stop.

11. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Adatum Baseline, and then click on the second report that has a name that begins with LON-CL1.
12. View the chart.
13. On the menu bar, click the drop-down arrow, and then click Report.
14. Record the component details:
   o Memory Pages per second
   o Network Interface Packets per second
   o Physical Disk % Disk Time
   o Physical Disk Avg. Disk Queue Length
   o Processor % Processor Time
   o System Processor Queue Length

15. In your opinion, which components are affected the most?

The script is affecting the CPU and network. The CPU is approaching 95 percent utilization, and the
System Processor Queue Length is 5.
16. Close all open windows and programs and return to the Start screen.
17. Update the Resolution section of the Incident Record with the following comment:
   o The user should either:
      - Run fewer programs simultaneously.
      - Get a computer with a faster CPU.

Results: After completing this exercise, you should have identified the performance bottleneck.
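The baseline-then-compare procedure in this exercise can also be run from Windows PowerShell with the same six counters, which makes the comparison repeatable without reading two reports side by side. This is an added example, not part of the course lab; the counter instances (_Total, *), the 60-second window and the baseline file path are assumptions.

```powershell
# Added example (not from the course material): sample the lab's counters,
# store the averages as a baseline, and compare a later run against it.
$Counters = @(
    '\Memory\Pages/sec'
    '\Network Interface(*)\Packets/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
)
# Hypothetical location for the saved baseline.
$BaselineFile = Join-Path $env:TEMP 'AdatumBaseline.xml'

function Get-CounterAverage {
    # Samples once per second (the lab's sample interval) and averages each counter.
    param([int]$Seconds = 60)
    $sets = Get-Counter -Counter $Counters -SampleInterval 1 -MaxSamples $Seconds
    $sets.CounterSamples | Group-Object -Property Path | ForEach-Object {
        $avg = ($_.Group | Measure-Object -Property CookedValue -Average).Average
        [pscustomobject]@{
            Path    = $_.Name
            Average = [math]::Round($avg, 2)
        }
    }
}

function Compare-ToBaseline {
    # Pairs each current average with the baseline value for the same counter path.
    param($Baseline, $Current)
    $base = @{}
    foreach ($b in $Baseline) { $base[$b.Path] = $b.Average }
    foreach ($c in $Current) {
        if (-not $base.ContainsKey($c.Path)) { continue }   # e.g. a new network adapter
        [pscustomobject]@{
            Path     = $c.Path
            Baseline = $base[$c.Path]
            Current  = $c.Average
            Delta    = [math]::Round($c.Average - $base[$c.Path], 2)
        }
    }
}

if (-not (Test-Path -Path $BaselineFile)) {
    # First run, on the healthy system: record the baseline.
    Get-CounterAverage | Export-Clixml -Path $BaselineFile
    "Baseline written to $BaselineFile"
} else {
    # Later run, while the problem is occurring: compare against the baseline.
    $current = Get-CounterAverage
    Compare-ToBaseline -Baseline (Import-Clixml -Path $BaselineFile) -Current $current |
        Format-Table -AutoSize
}
```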

To prepare for the next practice session

When you have finished the lab, leave the virtual machines running for the next practice session.


Module 13: Recovering Windows 8.1

Lab A: Troubleshooting a Windows 8.1 Computer (1)
Exercise 1: Recovering Files in Windows 8.1
Task 1: Read the help-desk Incident Record for incident 723623

Read the help-desk incident record 723623 in the Student Handbook Exercise Scenario.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
   a. Visit the user's computer.
   b. Attempt to reproduce the problem.
   c. It is not possible to sign in as Adatum\Administrator, so a local account must be used.
   d. Investigate network settings.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod13\Scenario1.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Switch to LON-CL1, and if necessary, sign in as LON-CL1\Admin with the password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Press the Windows+C keys, click Settings, and then click Control Panel.
4. In Control Panel, click Network and Internet.
5. In Network and Internet, click Network and Sharing Center.
6. In Network and Sharing Center, click Change adapter settings.
7. Right-click London_Network, and then click Enable.
8. Right-click London_Network, and then click Properties.
9. In the London_Network Properties dialog box, double-click Internet Protocol Version 4 (TCP/IPv4).

10. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click Obtain an IP address
automatically.
11. Click Obtain DNS server address automatically, and then click OK.


12. In the London_Network Properties dialog box, click OK.


13. Right-click Start, point to Shut down or sign out, and then click Restart.
14. Sign in as Adatum\Administrator with the password Pa$$w0rd.
15. Update the Resolution section of the record:
   a. The network settings were wrong, and the network adapter had become disabled.
   b. Enabled and reconfigured network settings.
   c. Restarted the computer.
   d. Signed in successfully as Adatum\Administrator.


Results: When you have completed this exercise, you should have recovered the Windows 8.1 computer.

To prepare for the next exercise


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.


Lab B: Troubleshooting a Windows 8.1 Computer (2)
Exercise 1: Recovering a Windows 8.1 Computer
Task 1: Read the help-desk Incident Record for incident 723625

Read the help-desk incident record 723625 in the Student Handbook Exercise Scenario.

Task 2: Update the Plan of Action section of the Incident Record


1. Read the Additional Information section of the Incident Record in the Student Handbook Exercise Scenario.
2. Update the Plan of Action section of the Incident Record with your recommendations:
   a. Visit the user's computer.
   b. Attempt to reproduce the problem.
   c. Restart the computer and determine whether the CD/DVD drive is accessible before Windows loads, which would suggest a driver problem.
   d. Investigate methods of rolling back the driver, if that is the problem.
   e. Alternatively, if a physical device failure has occurred, then replace the drive unit.

Task 3: Simulate the problem


1. Switch to LON-CL1.
2. Sign in by using the following credentials:
   o User name: Adatum\Administrator
   o Password: Pa$$w0rd
3. Run the D:\Labfiles\Mod13\Scenario2.vbs script.
4. Wait while LON-CL1 restarts.

Task 4: Attempt to resolve the problem


1. Switch to LON-CL1, and if necessary, sign in as Adatum\Administrator with the password Pa$$w0rd.
2. Click the Desktop tile.
3. Right-click Start, point to Shut down or sign out, and then click Restart.
4. When prompted to Press any key to boot from CD or DVD, press a key.
5. Wait while Windows Recovery Environment (Windows RE) starts.
6. In Windows Setup, click Next, and then click Repair your computer.
7. On the Choose an option page, click Troubleshoot, and then click Advanced options.
8. On the Advanced options page, click System Restore.
9. On the Choose a target operating system page, click Windows 8.1.

10. In the System Restore Wizard, click Next.


11. In the restore points list, click the cd-rom driver update restore point, and then click Next.


12. On the Confirm your restore point page, click Finish.


13. At the Once started, System Restore cannot be interrupted prompt, click Yes.
14. Update the Resolution section:
   a. Because the CD/DVD drive was accessible before Windows started, that suggests a driver issue.
   b. Driver rollback was unavailable, and uninstalling the driver did not work.
   c. The next least-invasive solution was to try System Restore, assuming there was a recent restore point. I checked, and a restore point was created just prior to the driver update. I used that to recover the computer.

Results: When you have completed this exercise, you should have recovered the Windows 8.1 computer.

To complete the course


When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20688D-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20688D-LON-DC1.
