Certification-kb3 070-622 Supporting and Troubleshooting Applications on a Windows Vista client - Exam Notes

From JBKB


070-622 Exam

Version: 1.2.1
Difficulty level: n/a
Status: n/a


Introduction

This KB collects some exam notes for 070-622 Supporting and Troubleshooting Applications on a Microsoft Windows Vista Client for Enterprise Support Technicians. All notes are written by John Bryntze.

Important! This is NOT a braindump or anything like it.

The 070-622 Exam objectives are the following:

  • Deploying Windows Vista
  • Managing Windows Vista Security
  • Managing and Maintaining Systems That Run Windows Vista
  • Configuring and Troubleshooting Networking
  • Supporting and Maintaining Desktop Applications

Deploying Windows Vista

Deploying Vista is one of the main areas of this certification. There are 3 phases: Plan, Build and Deploy.

Plan

Minimum hardware requirements (Vista Capable)
CPU: 800MHz, RAM: 512MB, Graphics: DirectX 9-capable, Hard Disk: 20GB (15GB free), CD/DVD drive.
Should not use Aero.

Minimum hardware requirements (Vista Premium Ready)
CPU: 1GHz, RAM: 1GB, Graphics: DirectX 9-capable with WDDM driver, Pixel Shader 2.0 and 32 bits per pixel, Hard Disk: 40GB (15GB free), DVD drive, audio output and Internet access capability.
Can use Aero.

Windows Vista Upgrade Advisor (WVUA) is a tool that runs only on 32-bit Windows XP and Vista (not on Windows 9x/2000 or the 64-bit version of XP) to generate a status report on whether the system, devices and programs are Vista ready.
Windows Vista Upgrade Advisor is designed for use on single machines and not for mass deployments; for those, use Windows Vista Hardware Assessment.

Image:Certification-kb3-WVHA.png
Windows Vista Hardware Assessment (WVHA) is a tool/wizard that uses WMI (or SNMP) to query machines over the network about their hardware and programs from one central point. Data is stored in a SQL database (a local SQL Express instance is possible) and from there Excel and Word reports are created.

Application Compatibility Toolkit 5.0 (ACT) is a tool that collects information about the applications installed on the network. It is an important and critical step when planning a migration to Vista: will my applications work? Better to know before deploying Vista across the organization.

For the exam you only need to know what this tool can do, not how to use it.

Image:Certification-kb3-ACT.png
Impressive database of different applications; in this image, the classic game Lands of Lore.

Plan to migrate user data with the tools Windows Easy Transfer and User State Migration Tool.

Windows Easy Transfer
Remember that this tool (Migwiz.exe) works on Windows 2000 (files only), Windows XP and Windows Vista and is used for migrating one or a few machines; for many machines use USMT. Plan what to migrate and where to migrate the data to: it can be migrated to a CD/DVD, a special USB cable, a network share or removable storage such as a USB drive.
Image:Certification-kb3-Migwiz.png

User State Migration Tool (USMT)
USMT consists mainly of two exe files, Scanstate (run to collect migration data from the source machine) and Loadstate (run on the target machine to apply the migration data from Scanstate), which use various XML files to decide what data should be migrated.
The most important XML files are the following:

  • MigApp.xml - Which application user profile data to migrate
  • MigSys.xml - Which system settings to migrate
  • MigUser.xml - Which user data to migrate (not which users)

Since these tools can be scripted, they are more useful for large migrations than Windows Easy Transfer.
Scanstate and Loadstate need to be run as a local administrator in an elevated cmd, with these possible command switches:

  • /c - Scanstate continues even if a nonfatal error occurs
  • /all - Migrates all users
  • /v - Verbose logging with 16 different levels
  • /i - Specifies XML files, for example /i:miguser.xml
  • /ue - Users not to migrate (think User Exclude); /ue:*\* excludes ALL users except those specified with /ui
  • /ui - Users to migrate (think User Include)
  • /lac - Handles non-admin local (non-domain) user accounts (think Local Account Create)
  • /lae - Enables the local accounts handled by /lac; otherwise they end up disabled on the target machine.

Scanstate example:
We want to migrate only the user profile jbryntze in domain jbkb, with the user data and application data specified in miguser.xml and migapp.xml, to a folder usmt on the share named share on the file server MyFileServer.
We use the following command in a cmd on the source machine:
Scanstate.exe \\MyFileServer\share\usmt /ue:*\* /ui:jbkb\jbryntze /i:miguser.xml /i:migapp.xml

Loadstate example:
We want to apply the profile jbryntze that we collected in the Scanstate example above to the target machine.
We use the following command in a cmd on the target machine:
Loadstate.exe \\MyFileServer\share\usmt /i:miguser.xml /i:migapp.xml

For the exam you will need to know Scanstate and Loadstate and their common switches.

Build

WIM (Windows IMaging Format) is a new image technology, like Ghost (.gho files) but working differently.

  • File based (not a sector-based image) together with XML metadata describing each file, such as location/directory/permissions.
  • Hardware independent: one image for all hardware, though you will need one WIM image per architecture (32-bit/64-bit).
  • A WIM image can be modified with the help of ImageX and Explorer.exe to add and remove files (imagex /mountrw c:\jbkb.wim 1 c:\mount-point)
  • Single-instance storage, a feature similar to Exchange Server's: if the WIM image contains the 230MB file JBKB.mpg in two locations, it is only stored once in the WIM file (the XML metadata keeps track of which locations this file exists in).


Windows PE 2.0 - bootable lightweight version of Windows (to replace booting from DOS floppies).
Commands you can run within WinPE that you need to know for the exam:

  • Drvload - add drivers
  • Wdscapture - capture a WIM image and upload to a WDS (Windows Deployment Services) server
  • Wpeutil - used to shut down, reboot, disable network settings etc. within the WinPE session.

WAIK (Windows Automated Installation Kit) includes the following tools that can be copied into WinPE.

  • Oscdimg - Creates a Windows PE ISO file to be burned to CD/DVD
  • BCDEdit - to modify boot options (no more boot.ini as in Windows XP and before)
  • PEimg - To view and modify Windows PE images.


Sysprep
Before taking a WIM image of your master machine you need to remove all computer-specific data such as the computer SID; that can be done with Sysprep (found in C:\Windows\system32\sysprep\sysprep.exe). Sysprep can be run in command line mode (Sysprep.exe /oobe /generalize) or in graphical mode.
Image:Certification-kb3-SysPrep.png
Sysprep in graphical mode

oobe - Out Of Box Experience, startup wizard configure your computer.
generalize - Removes all computer specific data

ImageX
Be sure to know ImageX; this is something Microsoft will probably test you on a lot (and it is good to know anyway, since it is a great tool). It is a command line tool that can capture (create) an image from a master machine and apply an image to a target machine.

To capture an image from a master machine the following command could be used:
imagex /capture C: jbkb.wim "JBKB standard Vista machine"

To apply the captured WIM image to the target machine's C: drive the following command could be used:
imagex /apply jbkb.wim 1 C:
Since you can have more than one image in a WIM file you need to specify which one; in the example above we used the first one (1) in the jbkb.wim file.

Know that Windows System Image Manager (SIM) is a tool that comes with WAIK and is used to create unattended setup answer files in XML format.
SIM uses catalog (*.clg) files together with WIM files to show available configuration options for the answer file.

Know that Business Desktop Deployment 2007 (BDD, now Windows Deployment) is a collection of tools to deploy the OS; it needs WDS (Windows Deployment Services), which can be installed o.

Deploy

Know the different ways to deploy Windows Vista and when to choose which one (often depending on the size of the company and its infrastructure):

  • Install Vista with DVD and answer file
  • Install Vista over a network share with answer file
  • Install Vista with WDS, which requires:
    • DHCP
    • WDS service, Windows server 2003 with SP1 or later.
    • Active Directory
    • PXE enabled target machines
  • SMS (used for large companies with complex network)

Exam test check

1. You have a computer within your organization that you would like to install Vista on, with the following hardware specification:

  • 1,5GHz CPU
  • 768MB of RAM
  • Empty disk of 80GB
  • Graphic card DirectX 9-capable, WDDM driver, Pixel Shader 2.0 and 32 bits per pixel

Which component is not Vista Premium Ready?

CPU
Incorrect: 1.0GHz is needed, so a 1,5GHz CPU is Vista Premium Ready capable.
RAM
Correct: 768MB of RAM is not enough for Vista Premium Ready, since it requires 1,0 GB of RAM.
Disk
Incorrect: 80GB of free disk is enough, since Vista Premium Ready requires 40GB of disk (15GB free).
Graphic card
Incorrect: Vista Premium Ready requires a graphics card that is DirectX 9-capable with a WDDM driver, Pixel Shader 2.0 and 32 bits per pixel, which matches this card.

2. You are an administrator for a company with over 1000 machines currently running Windows XP whose hardware needs to be evaluated for Vista readiness. Which tool or procedure is the easiest way to get this information?

Use Windows Vista Upgrade Advisor
Incorrect: Even though this tool works, it needs to be run on each local machine; since we have over 1000 machines it is not manageable.
Create a login script that runs msinfo32.exe >> \\server\share\vistahardware.txt with write permission for everyone on both share and NTFS level.
Incorrect: This procedure will not give us a report on whether the hardware is Vista Ready.
Use Windows Vista Hardware Assessment to create an Excel report over the hardware
Correct: This is the preferred method to verify whether many machines are Vista Ready.
Use Performance Monitor and add counters for CPU, RAM and DISK and log the data to a central share.
Incorrect: This procedure will not give us a report on whether the hardware is Vista Ready.

3. You are using USMT to migrate user profiles in your company. You are about to run Scanstate.exe and need to filter so that only the user profile jbryntze from domain jbkb is migrated. Which Scanstate switches do you need to use?

/ue:*\* /ui:jbkb\jbryntze
Correct: use the switches /ue and /ui
/user:jbkb\jbryntze
Incorrect: USMT doesn't support the switch /user
/ux:*\* /xi:jbkb\jbryntze
Incorrect: USMT doesn't support the switches /ux and /xi
/user:jbryntze /domain:jbkb
Incorrect: USMT doesn't support the switches /user and /domain

4. You have booted Windows PE on a master computer and have finished using ImageX to capture a WIM image. Which command can you use to shut down the master machine?

BCDEdit
Incorrect: BCDEdit is the new boot configuration tool in Vista, not used to reboot.
Oscdimg
Incorrect: Oscdimg is used to create ISO files, not to reboot.
Loadstate
Incorrect: Loadstate is part of USMT and is run after Scanstate, not used to reboot.
Wpeutil
Correct: Wpeutil is used within PE sessions to reboot (and to disable the firewall, change the keyboard layout etc.)

5. You are an administrator at your company and you have just captured an image and appended it to an existing WIM file named jbkb.wim with ImageX on your master machine. You visit the target machine, boot up with Windows PE and want to apply the second image in the WIM file jbkb.wim with the help of ImageX. What is the correct syntax?

imagex /restore jbkb.wim 2
Incorrect: To apply a WIM image the switch /apply needs to be used.
imagex /apply jbkb.wim 2
Correct: This command will apply the 2nd image in jbkb.wim.
imagex /restore jbkb.wim /n:2
Incorrect: To apply a WIM image the switch /apply needs to be used.
imagex /apply jbkb.wim /n:2
Incorrect: ImageX doesn't support the switch /n



Managing Windows Vista Security

As in older versions of Windows there are still ACL/NTFS permissions on the file system and share level.

Auditing still exists and works like before; the only new thing to know for the exam is that you can audit a subcategory by running auditpol from cmd.
Example: auditpol /set /subcategory:"Registry" /failure:enable

Image:Certification-kb3-Auditpol.png
Enables auditing of failed Registry access requests to the Security Event log (if auditing was enabled in the registry)

EFS

Encrypting File System (EFS) is used to encrypt files and works more or less the same as in Windows XP.
EFS is used to encrypt individual files and folders, unlike BitLocker, which encrypts the whole volume. EFS can be used together with BitLocker.

You cannot compress encrypted files, and by design files with the system attribute cannot be encrypted with EFS.

BitLocker

BitLocker is computer encryption (EFS is user encryption) and exists only in the Vista Enterprise and Ultimate versions (the Ultimate version also includes the BitLocker Drive Preparation Tool).
BitLocker needs 2 partitions, where the boot volume is at least 1,5GB and the rest of the disk space goes to C:.

Image:Certification-kb3-BitLocker-Needs.png
BitLocker complains that there is no TPM and only one NTFS partition.

Encrypts only the system volume on NTFS file systems (i.e. C:; with Service Pack 1 you can encrypt all disks) and protects the computer before it boots up.

Know the 2 ways to use BitLocker:
1. Trusted Platform Module (TPM) 1.2 chip: store the decryption key in the TPM (preferred option)
2. Store the decryption key on a USB flash drive (this option needs to be activated in Group Policy and is not enabled by default)

If anything of the following changes, BitLocker will lock the drive and it will not be possible to read from it:

  • Disable TPM in BIOS
  • Clear TPM
  • The BitLocker-encrypted disk is moved to another computer
  • Changes in boot files
  • Booting without the TPM, PIN or USB flash drive.

To recover from this you will need a 48-character recovery password.

UAC

UAC - User Account Control is a new feature in Windows Vista.

Count on there being a lot of questions on the exam regarding UAC.

Users with administrative privileges get 2 access tokens when logging on: a standard user access token and an administrator access token.
The user's desktop shell (normally explorer.exe) always runs with the standard user access token, and therefore all programs started from the Start menu and the like run as standard user, even if the logged-in user is a member of the Administrators group.
UAC can elevate to administrative privileges if needed; an administrator will by default only be prompted for consent, and a standard user will by default be prompted for credentials.

UAC can be configured through policies; there are 9 UAC settings (* = very important, with comments after the important ones):

  • User Account Control: Admin Approval Mode for Built-in Administrator account - By default set not to prompt at all for the built-in Administrator account. Remember that the Administrator account is disabled by default, unless the machine was upgraded from Windows XP and it was the only administrator account in a non-domain environment.
  • * User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - By default (except in Vista Enterprise) this is set to just prompt the administrator for consent; the other two settings are to ask for credentials or to elevate automatically without prompting.
  • * User Account Control: Behavior of the elevation prompt for standard users - By default this is set to ask for administrator credentials; the other setting is to deny access automatically (the default only on Vista Enterprise).
  • User Account Control: Detect application installations and prompt for elevation
  • User Account Control: Only elevate executables that are signed and validated
  • User Account Control: Only elevate UIAccess applications that are installed in secure locations
  • * User Account Control: Run all administrators in Admin Approval Mode - Disabling this disables UAC; it is enabled by default (important to know for the exam).
  • User Account Control: Switch to the secure desktop when prompting for elevation - The gray background that appears when the UAC prompt shows up; this prevents fake UAC prompts.
  • User Account Control: Virtualize file and registry write failures to per-user locations - This function is enabled by default and helps programs that were not designed for Vista to still run: for example, programs that want to write to %windir%, %windir%\system32 or %ProgramFiles%, where a standard user doesn't have write access, are served by this policy, which redirects those writes to a per-user virtual location.

Image:Certification-kb3-UAC-VirtualStore.png
Path to the virtual directory used by UAC (the profile name is jbryntze).
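To answer the question these settings raise in practice, namely whether UAC has been disabled or weakened on a given machine, the following Python example (added here, not part of the original notes) reads the registry values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System that Group Policy writes for the nine policies above, and flags "Run all administrators in Admin Approval Mode" set to Disabled, silent elevation for administrators, and the secure desktop being turned off. The value-to-policy mapping is standard Windows; the value sets passed to audit_uac in the test are constructed.

```python
"""Audit the registry values that back Windows Vista's nine UAC Group Policy settings."""

# Local and Domain Group Policy both write the UAC settings under this HKLM key.
UAC_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Registry value name -> policy name as shown under Security Options
# (without the "User Account Control:" prefix).
POLICY_NAMES = {
    "FilterAdministratorToken": "Admin Approval Mode for Built-in Administrator account",
    "ConsentPromptBehaviorAdmin": "Behavior of the elevation prompt for administrators in Admin Approval Mode",
    "ConsentPromptBehaviorUser": "Behavior of the elevation prompt for standard users",
    "EnableInstallerDetection": "Detect application installations and prompt for elevation",
    "ValidateAdminCodeSignatures": "Only elevate executables that are signed and validated",
    "EnableSecureUIAPaths": "Only elevate UIAccess applications that are installed in secure locations",
    "EnableLUA": "Run all administrators in Admin Approval Mode",
    "PromptOnSecureDesktop": "Switch to the secure desktop when prompting for elevation",
    "EnableVirtualization": "Virtualize file and registry write failures to per-user locations",
}

# Vista meanings of the two prompt-behaviour values (later Windows versions added more).
ADMIN_PROMPT = {0: "Elevate without prompting", 1: "Prompt for credentials", 2: "Prompt for consent"}
USER_PROMPT = {0: "Automatically deny elevation requests", 1: "Prompt for credentials"}


def read_uac_values():
    """Read the values that are explicitly set on this machine (Windows only)."""
    import winreg  # standard library, but only importable on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_KEY) as key:
        for name in POLICY_NAMES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set: the Windows default applies
    return values


def audit_uac(values):
    """Return (uac_enabled, findings) for a dict of Policies\\System values.

    A missing value is treated as the Windows default (UAC on, consent prompt
    for administrators, secure desktop on), matching the Vista defaults above.
    """
    findings = []
    uac_enabled = values.get("EnableLUA", 1) != 0
    if not uac_enabled:
        findings.append(f"{POLICY_NAMES['EnableLUA']} = Disabled: UAC is turned off for every user")
    if values.get("ConsentPromptBehaviorAdmin", 2) == 0:
        findings.append(f"{POLICY_NAMES['ConsentPromptBehaviorAdmin']} = {ADMIN_PROMPT[0]}: "
                        "administrators are elevated silently")
    if values.get("PromptOnSecureDesktop", 1) == 0:
        findings.append(f"{POLICY_NAMES['PromptOnSecureDesktop']} = Disabled: "
                        "the prompt can be imitated by an ordinary window")
    return uac_enabled, findings


def describe(values):
    """One human-readable line per policy, in the order the notes list them."""
    lines = []
    for name, policy in POLICY_NAMES.items():
        if name not in values:
            lines.append(f"{policy}: not set (default)")
        elif name == "ConsentPromptBehaviorAdmin":
            lines.append(f"{policy}: {ADMIN_PROMPT.get(values[name], values[name])}")
        elif name == "ConsentPromptBehaviorUser":
            lines.append(f"{policy}: {USER_PROMPT.get(values[name], values[name])}")
        else:
            lines.append(f"{policy}: {'Enabled' if values[name] else 'Disabled'}")
    return lines


if __name__ == "__main__":
    current = read_uac_values()
    print("\n".join(describe(current)))
    enabled, problems = audit_uac(current)
    print("UAC enabled" if enabled else "UAC DISABLED")
    for problem in problems:
        print(" -", problem)
```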

Exam test check

1. You are an administrator of a network and one of your users wants to encrypt her laptop in case of theft. You decide to use Vista feature BitLocker.
Her laptop has the following hardware and configuration:
Windows Vista Enterprise Edition
1,5GB of RAM
2GHz CPU
TPM 1.2 Chip
Single NTFS C: drive 200GB with 130GB data free
DVD burner on drive D:
Temporarily, a USB 2.0 flash drive on drive E:
What is the problem preventing you from enabling BitLocker on this laptop?

Need to run Windows Ultimate edition since Enterprise doesn't support BitLocker
Incorrect: Vista Enterprise does support BitLocker. Ultimate has an extra tool, the BitLocker Drive Preparation Tool, that could help us, but that is not the primary problem here since we run Enterprise.
Need to have 2 disk partitions where one is at least 1,5GB
Correct: BitLocker needs 2 partitions to work, one of which must be at least 1,5GB.
Need a TPM 2.0 chip, not a TPM 1.2 chip
Incorrect: A TPM 1.2 chip is enough.
Need USB version 3.0 for BitLocker to run.
Incorrect: BitLocker doesn't need any USB device as long as you have a TPM 1.2 chip in the computer.

2. You sit in an office in Stockholm, Sweden, and work at the helpdesk of a company with offices all over the world; you are responsible for support in the Northern European offices. All clients in the enterprise run Windows Vista Business edition. In a small office in Bergen, Norway, where all users are domain users who are local administrators, you have been told that one machine might have UAC disabled, and the company's spoken policy is that UAC should always be enabled. How can you verify whether the machine has UAC disabled?

Verify on the machine in Bergen that the policy entry User Account Control: Run all administrators in Admin Approval Mode is set to Disabled
Correct: If this setting is set to Disabled, UAC is disabled for all users.
Verify on the machine in Bergen that the policy entry User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode is set to Elevate without prompting.
Incorrect: Even though this would make UAC much less visible, it would still be active.
Verify on the machine in Bergen that the policy entry User Account Control: Switch to the secure desktop when prompting for elevation is set to Disabled
Incorrect: This wouldn't disable UAC, just the Secure Desktop.
Verify on the machine in Bergen that the policy entry User Account Control: Admin Approval Mode for Built-in Administrator account is set to Disabled.
Incorrect: In most cases this setting is Disabled by default; it affects only the local built-in Administrator, and the Bergen users have domain accounts.



Managing and Maintaining Systems That Run Windows Vista

Group Policies

Multiple Local Group Policies. In earlier versions of Windows you could only have one (or none in very old versions) Local Policy, but in Windows Vista you can have Multiple Local Group Policies.

Image:Certification-kb3-MLGP-Users.png

There is always only one Local Group Policy for the machine, and then the possibility of having a policy per local user and one depending on whether the local user is a member of the local Administrators group or not:

  • Local Computer Policy - Applies to all users and is the only policy to include computer configuration.
  • Non-Administrators Policy - For users that are not local administrators; includes only user configuration.
  • Administrators Policy - For users that are local administrators; includes only user configuration.
  • Each local user - Cannot be used on local groups, but each local user can have their own group policy; includes only user configuration.

Image:Certification-kb3-MLGP-MMC.png

Example: A Vista machine that is not a member of a domain has a non-administrator user named Emma; she can still have 3 Local Group Policies: Local Computer Policy, Non-Administrators Policy and an Emma user policy.


Remember that if several Local and Domain Group Policies conflict, the following order is used and the one applied last wins: Local Computer Policy (weakest), Non-Administrators/Administrators Policy, Local User Policy, Site Policy, Default Domain Policy and OU policy (the GPO on the OU closest to the object wins).



Local Policies are more useful and practical in a workgroup environment; in a domain environment there is no real use for Local Policies.

Administrative Templates

Vista still supports the older format of Administrative Templates (.adm) but uses .admx, which has several advantages over adm.
These are stored locally in %windir%\PolicyDefinitions

Image:Certification-kb3-ADMX-path.png

Windows XP and earlier versions of Windows cannot read ADMX files (only ADM).

ADMX separates languages into ADML files that are stored under each specific language folder; for example, if you have English and Swedish templates, those ADML files would be saved in:
%windir%\PolicyDefinitions\en-US (English US)
%windir%\PolicyDefinitions\sv-SE (Swedish)

Event Forwarding

See Vista-kb11 Collect Event Viewer data remotely for practice.
For the exam you will need to know how to configure Event Forwarding, both on the client that forwards the Event Viewer entries and on the client receiving them (collecting/subscribing).
Event forwarding uses HTTP or HTTPS for transfer, and it is important to know that even when using non-secure HTTP the data is encrypted by the SSP (Security Support Provider).
It works differently in the following cases:

  • Domain or Workgroup mode
  • Subscription mode: pull or push

Only Windows Vista and Windows Server 2008 can act as Forwarders and Collectors.

On the forwarding machine in a domain the following command needs to be run:
winrm /quickconfig (/qc is the same)

Image:Certification-kb3-Winrm-qc.png
winrm /quickconfig enables and starts the WinRM service, starts a listener and adds an exception to the Windows Firewall.

net localgroup "Event Log Readers" computer1$@jbkb.local /add - adds the collecting machine (computer1 in domain jbkb.local in this case) to the local group that has the right to collect/read event logs on this machine. This can of course also be done in the GUI.

On the collecting machine in a domain the following commands and settings are needed:
wecutil quick-config (qc is the same; notice that, contrary to winrm, there is a hyphen in quick-config)

Image:Certification-kb3-Wecutil-qc.png
wecutil quick-config enables and starts the Windows Event Collector service and enables the ForwardedEvents channel


Exam tip: To remember easily which utility to use on which machine, think of wecutil as short for Windows Event Collector Utility, which should of course be run on the collecting machine; then just remember that the other tool, winrm (Windows Remote Management), is used on the remote machine (as seen by the collector).



Subscribing
Just because you have the rights to collect events doesn't mean you get any by default; you need to subscribe to the events you want to collect, and that is done in Event Viewer.

It is important to know how event subscription works, since it affects the firewall settings. There are 3 different subscription modes:

  • Normal - Pull mode every 15 minutes: the Collector contacts the Forwarder, so the forwarding machine needs to have its firewall ports open.
  • Minimize Bandwidth - Push mode every 6 hours: the Forwarder contacts the Collector, so the collecting machine needs to have its firewall ports open. This mode is preferable when collecting events over a WAN or other low-bandwidth links.
  • Minimize Latency - Push mode at a specified time: the Forwarder contacts the Collector, so the collecting machine needs to have its firewall ports open. This mode is preferable if events are needed instantly.

Exam test check

1. You are an administrator in a very small office (SOHO) in Duluth, Minnesota, that has 4 Vista Business Edition laptops in a workgroup; all 4 machines have the same 4 users with the same passwords.
The 4 users and their groups are the following:

  • Jason (Member of local Administrators group)
  • Sara (Member of Users group)
  • David (Member of Users group)
  • Linda (Member of Users & Event Log Readers group)

You want to enable the policy Local Computer Policy\Computer Configuration\Administrative Templates\System\Logon\Turn off Windows Startup Sound so that no sound is played when Windows starts up, for everyone. Which policy/policies should you create/change?

Change Local Computer Policy
Correct: The weakest policy, but the only policy in a workgroup environment that contains the computer configuration.
Create a policy for the groups Users and Administrators
Incorrect: You cannot create a local policy for groups other than Non-Administrators and Administrators, and those don't include the Computer Policies anyway, only User policies, while Turn off Windows Startup Sound only exists in the computer configuration.
Create a policy for both Non-Administrators and Administrators
Incorrect: The Non-Administrators and Administrators local policies don't include the Computer Policies, only User policies, and Turn off Windows Startup Sound only exists in the computer configuration.
Change the Default Domain Policy
Incorrect: This would only be valid if the computers were in a domain; they are in a workgroup and no Default Domain Policy exists.

2. You are an administrator in an office in Amsterdam, Holland, with 2 Windows Server 2008 domain controllers and 40 desktop clients running Windows Vista Business edition.
You are running Windows Vista Ultimate on a machine named Ams-001.JBKB.LOCAL.
You want to configure Event Forwarding to forward events from a client machine named Ams-023.JBKB.LOCAL and collect those events on your machine.
The following commands have been run on the machine Ams-023.JBKB.LOCAL:
winrm /quickconfig
net localgroup "Event Log Readers" Ams-001$@JBKB.LOCAL /add

Which command should you run next on your machine Ams-001.JBKB.LOCAL to enable Event Forwarding?

wecutil /quickconfig
Incorrect: wecutil doesn't accept / for this switch, nor quickconfig, but it does accept quick-config or qc
wecutil /quick-config
Incorrect: wecutil doesn't accept / for this switch
wecutil quickconfig
Incorrect: wecutil doesn't accept quickconfig, but it does accept quick-config or qc
wecutil quick-config
Correct: This command will enable the machine Ams-001.JBKB.LOCAL to start subscribing for Event Forwarding.



Configuring and Troubleshooting Networking

Know these tools:

  • PING - Uses ICMP to verify whether a machine answers; a firewall can block ICMP
  • PathPing - Replaces tracert to find where in a route a latency or routing problem occurs.
  • Telnet - Verify if a service answers, a mail server for example: telnet mail.jbkb.local 25

Know that Automatic Private Internet Protocol Addressing (APIPA) is assigned if a DHCP client cannot obtain an IP address. APIPA addresses are in the range 169.254.0.0/16. This probably won't be heavily tested on the exam, but remember the IP range.

Exam test check

1. One of your users calls in and says she can neither reach the Intranet nor access the Exchange server with Outlook.
You visit her Vista Enterprise client machine, verify the machine's IP address in a cmd prompt with the command ipconfig /all and get the address 169.254.0.1.
You have a Windows Server 2008 machine, DC01.jbkb.local, that acts as a DHCP server leasing addresses in the range 192.168.4.0/24; the server also has an IIS 7 web server that hosts your company's Intranet.
What should you do to help her browse the Intranet and connect Outlook?

Assign the IP-address 169.254.0.100 since the router probably has 169.254.0.1 and each IP-address needs to be unique.
Incorrect: 169.254.0.0/16 is the APIPA address range, indicating that the client is a DHCP client that didn't get a lease; the router is most likely not a DHCP client.
Open an elevated cmd and run the PathPing command to diagnose the problem.
Incorrect: Since the client has an APIPA address, PathPing won't help us.
Use Telnet to connect to port 80 on the Intranet server DC01.jbkb.local to see if it replies and is up and running.
Incorrect: The client has an APIPA address, which cannot be routed, and since the Intranet is on another network (192.168.4.0/24) the client cannot connect.
Assign a free static IP address in the range 192.168.4.0/24, or bring the DHCP server back up and then run ipconfig /release followed by ipconfig /renew on the Vista client.
Correct: Most likely the problem is that the client didn't get a DHCP IP address lease and therefore got an APIPA IP address.



Supporting and Maintaining Desktop Applications

Know that Microsoft Support Diagnostic Tools is exactly JUST that, Microsoft's support tool: it can only be used by Microsoft, and to use it you need an incident number and a passkey provided by Microsoft Support.
This tool sends configuration data about the Vista system to Microsoft, encrypted over the Internet (if the machine doesn't have Internet access, the data can be saved onto a USB key and sent from another computer with Internet access).

Software Restriction Policies

Exam 070-622 focuses on troubleshooting Software Restriction Policies.

Software Restriction Policies are nothing new; they came with Windows XP but have been improved in Windows Vista. The usage is the same: to restrict what software can run on a machine.

There are 3 default security levels:
Disallowed: Blocks all applications except those explicitly set to allow (Unrestricted).
Unrestricted: Allows all applications except those you explicitly block (Disallowed).
Basic User: Allows programs to execute as a user that does not have Administrator access rights, but can still access resources accessible to normal users.

The 4 ways to explicitly define a Disallowed/Unrestricted application are the following:

  1. Network Zone rule
  2. Path rule (supports wildcards; if multiple path rules match, the most specific one "wins".)
  3. Hash rule (Vista supports SHA-256 hash rules)
  4. Certificate rule


Image:Certification-kb3-SSR-Rules.png
The 4 different Software Restriction Rules


For each of these rules you can apply an exception to the default security level:
Unrestricted: Can be used if the default security level is set to Disallowed
Disallowed: Can be used if the default security level is set to Unrestricted
Basic User: A new feature in Vista, together with the UAC function, that forces an application to run as a normal user.
This new feature applies to all of the above 4 rules except Certificate rules and can be very useful for preventing an application from making system-wide changes.


Image:Certification-kb3-SSR-Path-Rule.png
Example of a Path Rule setting c:\jbkb\adminstools\QoS.exe to run as Basic User


If multiple rules match a piece of software, the last one in the list takes precedence:

  • Default rule (weakest)
  • Network Zone rule
  • Path rule
  • Hash rule
  • Certificate rule (strongest, always wins)


Example: If the default rule is set to Disallowed and a Path Rule for c:\jbkb\jbkb.exe is set to Unrestricted, then even though the default rule disallows running c:\jbkb\jbkb.exe, the Path Rule takes precedence and allows c:\jbkb\jbkb.exe to run.


My personal guess is that one or two exam questions could be about conflicting rules where you need to find out which one "wins" (Certificate always wins, and the hash rule is the second strongest and is easier to implement).
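A small resolver, added here as an example and not part of the original notes, that applies the precedence order above (default, network zone, path, hash, certificate, with the narrowest path rule winning among path rules) to a launched program and reports which rule decides its security level; it reproduces the jbkb.exe example and the QoS.exe exam scenario further down. The tie-break for two equally specific path rules (the more restrictive level wins) is an assumption, and the SHA-256 value is constructed.

```python
"""Resolve which Software Restriction Policy rule decides a program's security level.

Added example (not from the original notes): applies the precedence order
default < network zone < path < hash < certificate, with the narrowest path
rule winning among path rules.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
import ntpath

# Rule kinds in ascending order of precedence, as listed in the notes.
PRECEDENCE = {"default": 0, "zone": 1, "path": 2, "hash": 3, "certificate": 4}
# Security levels, most restrictive first (the notes write "Disallow" for Disallowed).
LEVELS = ("Disallowed", "Basic User", "Unrestricted")


@dataclass(frozen=True)
class Rule:
    kind: str          # one of PRECEDENCE
    level: str         # one of LEVELS
    pattern: str = ""  # path pattern, SHA-256 hex, publisher name or zone name; unused for "default"

    def __post_init__(self):
        if self.kind not in PRECEDENCE or self.level not in LEVELS:
            raise ValueError(f"unknown rule kind or level: {self}")
        if self.kind == "certificate" and self.level == "Basic User":
            raise ValueError("Basic User cannot be applied to a certificate rule")


@dataclass(frozen=True)
class Program:
    """What is known about the file being launched (only path is required)."""
    path: str
    sha256: str = ""
    publisher: str = ""
    zone: str = ""


def _matches(rule: Rule, program: Program) -> bool:
    if rule.kind == "default":
        return True
    if rule.kind == "path":
        # Path rules are case-insensitive and support the * and ? wildcards.
        return fnmatchcase(ntpath.normcase(program.path), ntpath.normcase(rule.pattern))
    if rule.kind == "hash":
        return bool(program.sha256) and rule.pattern.lower() == program.sha256.lower()
    if rule.kind == "certificate":
        return bool(program.publisher) and rule.pattern.lower() == program.publisher.lower()
    return bool(program.zone) and rule.pattern.lower() == program.zone.lower()  # zone rule


def _specificity(rule: Rule) -> int:
    # Among matching path rules the most specific one wins; approximated here by
    # the number of literal (non-wildcard) characters in the pattern.
    return sum(ch not in "*?" for ch in rule.pattern) if rule.kind == "path" else 0


def effective_level(rules, program: Program):
    """Return (security level, winning rule) for program under the given rules."""
    candidates = [r for r in rules if _matches(r, program)]
    if not candidates:
        raise ValueError("rule set must contain a default rule")
    # Higher-precedence kind wins; among path rules the narrower pattern wins;
    # on a full tie the more restrictive level wins (assumed tie-break).
    winner = max(candidates, key=lambda r: (PRECEDENCE[r.kind], _specificity(r), -LEVELS.index(r.level)))
    return winner.level, winner


# The exam check scenario below: default Disallowed, QoS.exe forced to Basic User,
# everything else in the folder Unrestricted. The hash and zone values are constructed.
EXAM_RULES = (
    Rule("default", "Disallowed"),
    Rule("path", "Basic User", r"c:\jbkb\admintools\QoS.exe"),
    Rule("path", "Unrestricted", r"c:\jbkb\admintools\*.*"),
)
QOS = Program(r"C:\jbkb\admintools\QoS.exe", sha256="00" * 32, zone="Local computer")

if __name__ == "__main__":
    level, rule = effective_level(EXAM_RULES, QOS)
    print(f"{QOS.path}: {level} (decided by {rule.kind} rule {rule.pattern!r})")
    # Removing the narrow QoS.exe rule, the exam's correct answer, lets *.* apply.
    without = [r for r in EXAM_RULES if r.pattern != r"c:\jbkb\admintools\QoS.exe"]
    print(f"after removing the QoS.exe rule: {effective_level(without, QOS)[0]}")
```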



To find blocked applications in Event Viewer, search for Event ID 866.
The Application event log shows only entries for applications that are blocked; if you want to see allowed (unrestricted) entries as well you need to enable advanced logging by adding a string value for the log file under the following registry key:
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

If you lock yourself out with too restrictive policies, boot into Safe Mode (restart and press F8 during bootup) and log in as a local administrator, since Vista ignores Software Restriction Policies for local administrators in Safe Mode.

Exam test check

1. You work as an administrator in a small office in Chicago with 2 Windows Server 2008 domain controllers and 56 Vista Business clients. You have just implemented Software Restriction Policies in your office with the following configuration:
default security rule = Disallow
path rule - c:\jbkb\admintools\QoS.exe = Basic User
path rule - c:\jbkb\admintools\*.* = Unrestricted
You log on as a local administrator on a Vista machine with the Software Restriction Policy applied and try to run a file named QoS.exe in c:\jbkb\admintools that changes the network settings for all users on the machine.
The application starts but fails to configure the network settings. How can you change this to allow QoS.exe to run properly while still ensuring high security?

Remove the path rule for c:\jbkb\admintools\QoS.exe
Correct: Since we already specified that all files in c:\jbkb\admintools\*.* can run unrestricted, we can remove the path rule that restricts QoS.exe to run as Basic User (i.e. as a normal user even if the logged-in account is an administrator).
Change the path rule for c:\jbkb\admintools\*.* to Basic User
Incorrect: This rule doesn't matter, since it doesn't win over the more specific rule for QoS.exe, which already runs as Basic User (as a normal user even if the logged-in account is an administrator).
Upgrade all Vista Business machines to Vista Enterprise since Vista Business doesn't support Software Restriction Policies.
Incorrect: Vista Business does support Software Restriction Policies, so that is not a reason to upgrade.
Add a Network Zone rule for the zone of the QoS.exe file and set it to Unrestricted
Incorrect: This is a valid rule, but a Path Rule wins over Network Zone rules, so QoS.exe would still run as Basic User (a Hash rule or Certificate rule would win over a Path rule).



Links

http://www.microsoft.com/learning/exams/70-622.mspx

