Certification-kb3 070-622 Supporting and Troubleshooting Applications on a Windows Vista client - Exam Notes
Difficulty level: n/a
This KB collects exam notes for 070-622 Supporting and Troubleshooting Applications on a Microsoft Windows Vista Client for Enterprise Support Technicians. All notes are written by John Bryntze.
Important! This is NOT a braindump or anything like it.
The 070-622 Exam objectives are the following:
- Deploying Windows Vista
- Managing Windows Vista Security
- Managing and Maintaining Systems That Run Windows Vista
- Configuring and Troubleshooting Networking
- Supporting and Maintaining Desktop Applications
Deploying Windows Vista
Deploying Vista is one of the main areas of this certification. There are three phases: Plan, Build and Deploy.
Minimum hardware requirement (Vista Capable)
CPU: 800 MHz, RAM: 512 MB, Graphics: DirectX 9-capable, Hard disk: 20 GB (15 GB free), CD/DVD drive.
Not expected to run Aero.
Minimum hardware requirement (Vista Premium Ready)
CPU: 1 GHz, RAM: 1 GB, Graphics: DirectX 9-capable with a WDDM driver, Pixel Shader 2.0 and 32 bits per pixel, Hard disk: 40 GB (15 GB free), DVD drive, audio output and Internet access capability.
Can run Aero.
Windows Vista Upgrade Advisor (WVUA) is a tool that runs only on 32-bit Windows XP and Vista (not on Windows 9x/2000 or on 64-bit XP) and generates a status report on whether the system, its devices and its programs are Vista ready.
Windows Vista Upgrade Advisor is designed for use on single machines and is not designed for mass assessment; for that, use Windows Vista Hardware Assessment.
Windows Vista Hardware Assessment (WVHA) is a tool/wizard that uses WMI (or SNMP) to query machines over the network about their hardware and programs from one central point. Data is stored in a SQL Server database (a local SQL Server Express instance is possible) and from there Excel and Word reports are generated.
Application Compatibility Toolkit 5.0 (ACT) is a tool that collects information about the applications installed on the network. It is an important and critical part of planning a migration to Vista: will my applications work? Better to know before deploying Vista across the organization.
For the exam you only need to know what this tool can do, not how to use it.
Plan to migrate user data with the tools Windows Easy Transfer and User State Migration Tool.
Windows Easy Transfer
Remember that this tool (Migwiz.exe) works on Windows 2000 (files only), Windows XP and Windows Vista and is used for migrating one or a few machines; for many machines use USMT. Plan what to migrate and where to migrate the data to: it can be migrated to CD/DVD, a special Easy Transfer USB cable, a network share or removable storage such as a USB drive.
User State Migration Tool (USMT)
USMT consists mainly of two exe files, Scanstate (run on the source machine to collect migration data) and Loadstate (run on the target machine to apply the data collected by Scanstate), that use various XML files to decide what data should be migrated.
The most important XML files are the following:
- MigApp.xml - which application settings to migrate
- MigSys.xml - operating-system and browser settings to migrate (only used when the destination is Windows XP; a Vista destination migrates these settings through its component manifests instead)
- MigUser.xml - which user data (folders and file types) to migrate (not which users)
Since these tools can be scripted they are more useful for large migrations than Windows Easy Transfer.
Scanstate and Loadstate need to be run as a local administrator in an elevated cmd. Common switches:
- /c - continue even if a nonfatal error occurs
- /all - migrates all users
- /v:<level> - verbose logging, level 0-13 (for example /v:13 for full logging)
- /i:<file> - specifies an XML file to use, for example /i:miguser.xml (repeat the switch for each file)
- /ue:<user> - users to exclude (think User Exclude); /ue:*\* excludes ALL users except those specified with /ui
- /ui:<user> - users to include (think User Include)
- /lac[:password] - Loadstate only: creates local (non-domain) user accounts that do not exist on the target, optionally with the given password; without /lae they are created disabled
- /lae - Loadstate only: enables the local accounts created with /lac
We want to migrate only the user profile jbryntze in the domain jbkb, with the user data and application settings specified in miguser.xml and migapp.xml, to the folder usmt on the share named share on the file server MyFileServer.
We use the following command in a cmd on the source machine:
Scanstate.exe \\MyFileServer\share\usmt /ue:*\* /ui:jbkb\jbryntze /i:miguser.xml /i:migapp.xml
We want to apply the profile jbryntze that we collected in the Scanstate example above to the target machine.
We use the following command in a cmd on the target machine:
Loadstate.exe \\MyFileServer\share\usmt /i:miguser.xml /i:migapp.xml
For the exam you will need to know Scanstate and Loadstate and their common switches.
WIM (Windows Imaging Format) is a new image technology, comparable to Ghost (.gho files) but it works differently:
- File based (not a sector image), with XML metadata describing each file such as its location/directory and permissions.
- Hardware independent: one image for all hardware. You will however need one WIM image per architecture (32-bit/64-bit).
- A WIM image can be modified with ImageX and Explorer.exe to add and remove files: mount it read/write (imagex /mountrw c:\jbkb.wim 1 c:\mount-point), edit the files under the mount point in Explorer, then unmount with /commit to write the changes back.
- Has a feature similar to Exchange Server's single-instance storage: if the WIM image contains the 230 MB file JBKB.mpg in two locations it is only stored once in the WIM file (the XML metadata keeps track of the locations where the file exists).
Windows PE 2.0 - bootable, lightweight version of Windows (replaces booting from DOS floppies).
Commands you can run within WinPE that you need to know for the exam:
- Drvload - adds drivers
- Wdscapture - captures a WIM image and uploads it to a WDS (Windows Deployment Services) server
- Wpeutil - used to shut down, reboot, disable network settings etc. within the WinPE session.
WAIK (Windows Automated Installation Kit) includes the following tools that can be copied into WinPE:
- Oscdimg - creates a Windows PE ISO file to be burned to CD/DVD
- BCDEdit - modifies boot options (no more boot.ini as in Windows XP and earlier)
- PEimg - views and modifies Windows PE images.
Before taking a WIM image of your master machine you need to remove all computer-specific data such as the computer SID; that is done with Sysprep (found in C:\Windows\system32\sysprep\sysprep.exe). Sysprep can be run from the command line (Sysprep.exe /oobe /generalize) or in graphical mode.
[Screenshot: Sysprep in graphical mode]
oobe - Out Of Box Experience, the startup wizard that configures your computer on the next boot.
generalize - removes all computer-specific data.
Be sure to know ImageX; this is something Microsoft will probably test you on a lot (plus it is good to know since it is a great tool). It is a command-line tool that can capture (create) an image from a master machine and apply an image to a target machine.
To capture an image from a master machine the following command could be used:
imagex /capture C: jbkb.wim "JBKB standard Vista machine"
To apply the captured WIM image to the target machine's C: volume the following command could be used:
imagex /apply jbkb.wim 1 C:
Since a WIM file can contain more than one image you need to specify which one; in the example above we used the first one (1) in the jbkb.wim file.
Know that Windows System Image Manager (SIM) is a tool that comes in WAIK and is used to create unattended setup answer files in XML format.
SIM uses catalog (*.clg) files together with WIM files to show the available configuration options for the answer file.
Know that Business Desktop Deployment 2007 (BDD, later renamed Microsoft Deployment Toolkit) is a collection of tools to deploy an OS that needs WDS (Windows Deployment Services), which can be installed on Windows Server 2003 SP1 or later.
Know the different ways to deploy Windows Vista and when to choose which one (often depending on the size of the company and its infrastructure):
- Install Vista from DVD with an answer file
- Install Vista over a network share with an answer file
- Install Vista with WDS, which requires:
  - the WDS service on Windows Server 2003 with SP1 or later
  - Active Directory (plus DHCP and DNS)
  - PXE-enabled target machines
- SMS (used for large companies with complex networks)
Managing Windows Vista Security
As in older versions of Windows there are still ACL/NTFS permissions on the file system and share level.
Auditing still exists and works as before; the only new thing to know for the exam is that you can audit a single subcategory by running auditpol from cmd.
example: auditpol /set /subcategory:"Registry" /failure:enable
Enables auditing of failed registry access requests to the Security event log. The policy alone logs nothing: the registry keys you care about must also carry a SACL (key Properties > Security > Advanced > Auditing) that says which principals and which access types to audit.
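Both halves of registry auditing (the auditpol subcategory plus a SACL on the key) together, as an added PowerShell example that is not part of the original notes. It assumes an elevated PowerShell 2.0 or later on Vista; the key HKLM:\SOFTWARE\JBKB is a placeholder that the script creates if it is missing.

```powershell
# Added example, not from the original notes. Run elevated on Vista or later
# (PowerShell 2.0 for Get-WinEvent). HKLM:\SOFTWARE\JBKB is a placeholder key.

$ErrorActionPreference = 'Stop'

# 1. Audit policy: only the Registry subcategory of Object Access, for failures.
#    Turning on "Audit object access" in the GUI would enable every subcategory.
auditpol /set /subcategory:"Registry" /failure:enable | Out-Null

# Verify: the Registry line should now read "Failure".
auditpol /get /subcategory:"Registry"

# 2. The policy alone logs nothing: the key needs a SACL naming who and what
#    to audit. Here: failed SetValue or Delete attempts by anyone.
$keyPath = 'HKLM:\SOFTWARE\JBKB'
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath | Out-Null }

$acl  = Get-Acl -Path $keyPath -Audit       # -Audit is required to read the SACL
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
                   -ArgumentList 'Everyone', 'SetValue, Delete', 'Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 3. A denied open of the key is logged as event 4656 (handle requested) with
#    the Audit Failure keyword in the Security log.
function Get-RegistryAuditFailures([int]$Max = 50) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' -and $_.Message -match 'JBKB' } |
        Select-Object TimeCreated, Id, Message
}

Get-RegistryAuditFailures
```

To see a failure, run a value write against the key as a standard user after the script has been applied; Get-RegistryAuditFailures then returns the 4656 record for it. Success auditing of the registry is deliberately left off: on a busy machine it floods the Security log.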
Encrypting File System - EFS - is used to encrypt files and works more or less the same as in Windows XP.
EFS encrypts individual files and folders, in contrast to BitLocker, which encrypts the whole volume. EFS can be used together with BitLocker.
You cannot compress encrypted files, and by design files with the system attribute cannot be encrypted with EFS.
BitLocker is computer encryption (EFS is user encryption) and exists only in the Vista Enterprise and Ultimate editions (Ultimate also includes the BitLocker Drive Preparation Tool).
BitLocker needs 2 partitions: an unencrypted, active system partition of at least 1.5 GB that holds the boot files, while the rest of the disk goes to C:.
If the machine has no TPM or only one NTFS partition, BitLocker setup complains about exactly that ("no TPM found" / only one partition).
Encrypts only the system volume on NTFS (aka C:; with Service Pack 1 you can also encrypt data volumes) and protects the computer before it boots up.
Know the 2 ways to use BitLocker:
1. Trusted Platform Module (TPM) 1.2 chip, which holds the key that unlocks the volume (preferred option).
2. Store the startup key on a USB flash drive (this option needs to be activated in Group Policy and is not enabled by default).
If any of the following changes, BitLocker will lock the drive and it will not be possible to read from it:
- Disabling the TPM in the BIOS
- Clearing the TPM
- Moving the BitLocker-encrypted disk to another computer
- Changes in the boot files
- Booting without the TPM, PIN or USB flash drive
To recover from this you will need the 48-digit recovery password (or the recovery key saved to a USB drive), so store it somewhere other than the encrypted machine.
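A check of the TPM and BitLocker state through the WMI providers BitLocker ships with, as an added PowerShell example (not code from the original notes). It assumes an elevated PowerShell on Vista Enterprise/Ultimate or later; the point of the last column is the lockout scenario above: a volume whose only key protector is the TPM has no way back after a BIOS or boot-file change.

```powershell
# Added example, not from the original notes. Run elevated on Vista
# Enterprise/Ultimate or later; uses the WMI providers BitLocker ships with.

$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB startup key)'
    3 = 'Numerical password (48-digit recovery password)'
    4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
    7 = 'Public key'; 8 = 'Passphrase'
}
$protectionNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }

function Get-TpmState {
    # Win32_Tpm only exists when a TPM driver is loaded; no object means no
    # (or disabled) TPM, which is what BitLocker setup complains about.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) { return New-Object PSObject -Property @{ Present = $false } }
    New-Object PSObject -Property @{
        Present     = $true
        SpecVersion = $tpm.SpecVersion                  # BitLocker needs 1.2
        Enabled     = $tpm.IsEnabled().IsEnabled        # enabled in the BIOS
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned            # ownership taken by Windows
    }
}

function Get-BitLockerState {
    Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                  -Class Win32_EncryptableVolume | ForEach-Object {
        $vol    = $_
        $status = [int]$vol.GetProtectionStatus().ProtectionStatus   # 0 off, 1 on, 2 unknown
        $conv   = $vol.GetConversionStatus()
        $ids    = $vol.GetKeyProtectors(0).VolumeKeyProtectorID      # 0 = all protector types
        if ($null -eq $ids) { $ids = @() }
        $types  = @()
        foreach ($id in $ids) {
            $types += $protectorNames[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
        }
        New-Object PSObject -Property @{
            Drive            = $vol.DriveLetter
            Protection       = $protectionNames[$status]
            EncryptedPercent = $conv.EncryptionPercentage
            KeyProtectors    = ($types -join ', ')
            # Without a recovery password or recovery key, a BIOS/TPM/boot-file
            # change locks you out for good: flag volumes that only have a TPM.
            RecoveryPossible = [bool]($types | Where-Object { $_ -like 'Numerical password*' -or $_ -like 'External key*' })
        }
    }
}

Get-TpmState | Format-List
Get-BitLockerState | Format-Table Drive, Protection, EncryptedPercent, KeyProtectors, RecoveryPossible -AutoSize
```

On a machine without a TPM driver the first call prints only Present = False, which matches the "no TPM" complaint from BitLocker setup; on a protected volume you should see at least one "Numerical password" protector next to the TPM one.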
UAC - User Account Control is a new feature in Windows Vista.
Count on a lot of questions on the exam regarding UAC.
Users with administrative privileges get 2 access tokens when logging on: a standard user access token and an administrator access token.
The user's desktop shell (normally explorer.exe) always runs with the standard user access token, and therefore all programs started from the Start menu and the like run as standard user even if the logged-on user is a member of the Administrators group.
UAC can elevate to administrative privileges if needed: an administrator will by default only be prompted for consent, and a standard user will by default be prompted for administrator credentials.
UAC can be configured through policies (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options). There are 9 UAC settings (* = very important, with comments after the important ones):
- User Account Control: Admin Approval Mode for the Built-in Administrator account - default off, so the built-in Administrator account is never prompted. Remember that the Administrator account is disabled by default, unless the machine was upgraded from Windows XP where it was the only administrator account in a non-domain environment.
- * User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode - by default (except in Vista Enterprise) this is set to prompt the administrator for consent; the other two settings are to prompt for credentials or to elevate automatically without prompting.
- * User Account Control: Behavior of the elevation prompt for standard users - by default this is set to prompt for administrator credentials; the other setting is to deny elevation requests automatically (the default only on Vista Enterprise).
- User Account Control: Detect application installations and prompt for elevation
- User Account Control: Only elevate executables that are signed and validated
- User Account Control: Only elevate UIAccess applications that are installed in secure locations
- * User Account Control: Run all administrators in Admin Approval Mode - disabling this disables UAC; enabled by default (important to know for the exam).
- User Account Control: Switch to the secure desktop when prompting for elevation - the dimmed background that appears when a UAC prompt shows up, there to prevent fake UAC prompts.
- User Account Control: Virtualize file and registry write failures to per-user locations - enabled by default and helps programs that were not designed for Vista to still run: writes to %windir%, %windir%\system32, %ProgramFiles% and HKLM\Software, which a standard user has no write access to, are redirected to a per-user VirtualStore location (%LocalAppData%\VirtualStore and HKCU\Software\Classes\VirtualStore).
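The nine policies above are stored as DWORD values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which is where you look when a machine behaves as if UAC were off. The following is an added PowerShell example, not code from the original notes; it reads those values, substitutes the Vista defaults for values that are absent, and flags the combinations that weaken UAC (UAC off, silent elevation, prompts on the normal desktop). The key and value names are the real ones; the "finding" wording is this example's own.

```powershell
# Added example, not from the original notes. Reads the registry values behind
# the nine UAC policies and flags the settings that weaken UAC. Run elevated.

$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Value name per policy, with the Vista default used when the value is absent.
$uacDefaults = @{
    EnableLUA                   = 1   # Run all administrators in Admin Approval Mode (0 = UAC off)
    ConsentPromptBehaviorAdmin  = 2   # 0 elevate silently, 1 prompt for credentials, 2 prompt for consent
    ConsentPromptBehaviorUser   = 1   # 0 automatically deny, 1 prompt for credentials
    FilterAdministratorToken    = 0   # Admin Approval Mode for the built-in Administrator account
    EnableInstallerDetection    = 1   # Detect application installations and prompt for elevation
    ValidateAdminCodeSignatures = 0   # Only elevate executables that are signed and validated
    EnableSecureUIAPaths        = 1   # Only elevate UIAccess applications in secure locations
    PromptOnSecureDesktop       = 1   # Switch to the secure desktop when prompting for elevation
    EnableVirtualization        = 1   # Virtualize file and registry write failures
}

function Get-UacPolicy {
    $props  = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    $policy = @{}
    foreach ($name in $uacDefaults.Keys) {
        $value = $null
        if ($null -ne $props) { $value = $props.$name }
        if ($null -eq $value) { $value = $uacDefaults[$name] }   # absent value = default
        $policy[$name] = [int]$value
    }
    return $policy
}

function Test-UacPolicy([hashtable]$Policy) {
    # Returns one line per finding; an empty result means nothing is weaker than the defaults.
    $findings = @()
    if ($Policy.EnableLUA -eq 0) {
        $findings += 'UAC is disabled (EnableLUA=0): administrators run everything with the full token.'
    }
    if ($Policy.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin=0).'
    }
    if ($Policy.ConsentPromptBehaviorUser -eq 0) {
        $findings += 'Note: standard users cannot elevate at all (ConsentPromptBehaviorUser=0, the Vista Enterprise default).'
    }
    if ($Policy.PromptOnSecureDesktop -eq 0) {
        $findings += 'Elevation prompts appear on the normal desktop and can be spoofed (PromptOnSecureDesktop=0).'
    }
    if ($Policy.FilterAdministratorToken -eq 0) {
        $findings += 'The built-in Administrator (if enabled) runs without Admin Approval Mode (FilterAdministratorToken=0, the default).'
    }
    if ($Policy.EnableVirtualization -eq 0) {
        $findings += 'Virtualization is off: legacy programs writing to %windir% or %ProgramFiles% fail instead of being redirected.'
    }
    return $findings
}

$current = Get-UacPolicy
$current.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
Test-UacPolicy $current
```

Test-UacPolicy takes a plain hashtable, so the same checks can be run against values exported from another machine (or against a GPO's registry.pol contents) without touching the local registry. Changing EnableLUA takes effect only after a reboot, which is why a machine can report 1 here and still behave as if UAC were off until it restarts.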
Managing and Maintaining Systems That Run Windows Vista
Multiple Local Group Policies
In earlier versions of Windows you could only have one (or none in very old versions) Local Policy, but in Windows Vista
you can have Multiple Local Group Policies:
- Local Computer Policy - applies to all users and is the only one to include Computer Configuration.
- Non-Administrators Policy - for users that are not local administrators, includes only User Configuration.
- Administrators Policy - for users that are local administrators, includes only User Configuration.
- Per-user policy - cannot be used for local groups, but each local user can have their own Group Policy, which includes only User Configuration.
Example: a Vista machine that is not a member of a domain has a non-administrator user named Emma; she can still be subject to 3 Local Group Policies: the Local Computer Policy, the Non-Administrators Policy and an Emma user policy.
Remember that if Local and Domain Group Policies conflict, they are applied in the following order and the last one applied wins: Local Computer Policy (weakest), Non-Administrators/Administrators Policy, local user policy, Site policy, Domain policy and OU policy (the GPO on the OU closest to the object wins).
Local Policies are more useful and practical in a workgroup environment; in a domain environment there is no real use for them.
Vista still supports the older Administrative Template format, .adm, but uses .admx, which has several advantages over .adm.
These are stored locally in %windir%\PolicyDefinitions.
Windows XP and earlier versions of Windows cannot read ADMX files (only ADM).
ADMX separates the language-specific strings into ADML files that are stored in a subfolder per language; for example, if you have English and Swedish templates the ADML files would be saved in:
%windir%\PolicyDefinitions\en-US (English US)
%windir%\PolicyDefinitions\sv-SE (Swedish)
See Vista-kb11 Collect Event Viewer data remotely for practice.
For the exam you will need to know how to configure Event Forwarding, both on the client that forwards the Event Viewer entries (the forwarder/source) and on the client receiving them (the collector, which holds the subscription).
Event forwarding uses HTTP or HTTPS to transfer the events, and it is important to know that even over plain HTTP the data is encrypted by the SSP (Security Support Provider, Kerberos or Negotiate in a domain).
It works differently in the following cases:
- Domain or workgroup mode
- Delivery mode: pull or push
Only Windows Vista/Windows Server 2008 support being forwarders and collectors out of the box.
On the forwarding machine in a domain the following commands need to be run:
winrm quickconfig - winrm qc is the same; enables the WinRM service and listener and opens the firewall exception for it
net localgroup "Event Log Readers" jbkb\computer1$ /add - adds the collecting machine's computer account (computer1 in the domain jbkb.local in this case; note the trailing $ of a computer account) to the local group that has the right to read the event logs on the machine. This can of course also be done in the GUI.
On the collecting machine in a domain the following command and settings are needed:
wecutil quick-config - wecutil qc is the same (notice that, contrary to winrm, there is a hyphen in quick-config); starts the Windows Event Collector service and sets it to start automatically
Exam tip: to remember which utility to use on which machine, think of wecutil as short for Windows Event Collector Utility, which should of course be run on the collecting machine; then just remember that the other tool, winrm (Windows Remote Management), is used on the remote machine (seen through the eyes of the collector).
Just because you have the right to collect events doesn't mean you get any by default: you need to subscribe to the events you want to collect, and that is done in Event Viewer (Subscriptions > Create Subscription).
It is important to know how event subscriptions work, since the delivery mode affects the firewall settings. There are 3 event delivery optimization modes:
- Normal: pull mode, the collector contacts the forwarder roughly every 15 minutes (batches of 5 events). The forwarding machine needs to have its WinRM port open in the firewall.
- Minimize Bandwidth: push mode, the forwarder contacts the collector, with a batch timeout and heartbeat of 6 hours. The collecting machine also needs its WinRM port open in the firewall (wecutil qc takes care of that), while the collector still has to reach the forwarder to set up the subscription.
  This mode is preferable when collecting events over a WAN or other low-bandwidth links.
- Minimize Latency: push mode, the forwarder contacts the collector with a batch timeout of 30 seconds; the same firewall requirements as Minimize Bandwidth apply.
  This mode is preferable if events are needed almost immediately.
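The whole domain-mode setup as one added PowerShell example (not code from the original notes): the forwarder side runs winrm quickconfig and adds the collector's computer account, the collector side runs wecutil qc and creates a collector-initiated subscription from an XML file with wecutil cs. All names are placeholders: collector1 is the collecting machine, computer1 the forwarding machine, both in jbkb.local; the event selection (failed logons and Software Restriction Policy blocks) is this example's choice.

```powershell
# Added example, not from the original notes. Domain mode; all names are
# placeholders: collector1 collects, computer1 forwards, domain jbkb.local.
# Run elevated and call the function that matches the machine you are on.

function Enable-EventForwarder([string]$CollectorAccount = 'jbkb\collector1$') {
    # On the forwarding machine: WinRM listener + firewall exception, then let
    # the collector's computer account (note the trailing $) read the logs.
    winrm quickconfig -q
    net localgroup "Event Log Readers" $CollectorAccount /add
}

function New-EventCollectorSubscription(
    [string]$Name   = 'SRP-and-logon-failures',
    [string]$Source = 'computer1.jbkb.local',
    [string]$Mode   = 'MinLatency'   # Normal | MinBandwidth | MinLatency
) {
    # On the collecting machine: start the Windows Event Collector service.
    # wecutil qc also enables WinRM here, needed because push delivery
    # (MinBandwidth/MinLatency) means the forwarder connects back to us.
    wecutil qc /q:true

    # Collector-initiated subscription: failed logons (4625) from the Security
    # log and Software Restriction Policy blocks (865-868) from the Application log.
    $xml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$Name</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Failed logons and SRP blocks from $Source</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>$Mode</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0">
        <Select Path="Security">*[System[(EventID=4625)]]</Select>
        <Select Path="Application">*[System[Provider[@Name='SoftwareRestrictionPolicies'] and (EventID>=865 and EventID<=868)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
    <EventSource Enabled="true">
      <Address>$Source</Address>
    </EventSource>
  </EventSources>
</Subscription>
"@
    $file = Join-Path $env:TEMP "$Name.xml"
    Set-Content -Path $file -Value $xml -Encoding UTF8
    wecutil cs $file

    # Runtime status per source: this is where WinRM, firewall and
    # "Event Log Readers" problems show up as errors.
    wecutil gr $Name
}
```

CredentialsType Default makes the collector authenticate with its own computer account, which is why that account (and not a user) goes into Event Log Readers on the forwarder. If wecutil gr reports the source as inactive, check from the collector with winrm id -r:computer1.jbkb.local before looking anywhere else.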
Configuring and Troubleshooting Networking
Know these tools:
- PING - uses ICMP to verify whether a machine answers; a firewall can block ICMP
- PathPing - replaces tracert for finding where in a route a latency or routing problem occurs
- Telnet - verifies whether a service answers, a mail server for example: telnet mail.jbkb.local 25 (the Telnet client is not installed by default on Vista; enable it under Turn Windows features on or off)
Know that an Automatic Private Internet Protocol Addressing (APIPA) address is assigned if a DHCP client cannot obtain an IP address. APIPA addresses are in the range 169.254.0.0/16, so a 169.254.x.x address on a client is a sign that DHCP failed. Probably won't be tested heavily on the exam, but remember the IP range.
Supporting and Maintaining Desktop Applications
Know that the Microsoft Support Diagnostic Tool is exactly that, JUST Microsoft's support tool: it can only be used together with Microsoft support, and to run it you need an incident number and a passkey provided by Microsoft Support.
This tool sends configuration data about the Vista system to Microsoft, encrypted, over the Internet (if the machine doesn't have Internet access the data can be saved onto a USB key and sent from another computer that does).
Software Restriction Policies
Exam 070-622 is focused on troubleshooting Software Restriction Policies.
Software Restriction Policies are nothing new; they came with Windows XP but have been improved in Windows Vista,
and the usage is the same: to restrict what software can run on a machine.
There are 3 default security levels:
Disallowed: blocks all applications except those explicitly allowed (Unrestricted).
Unrestricted: allows all applications except those explicitly blocked (Disallowed).
Basic User: allows programs to execute as a user that does not have administrator rights, so they can still access resources available to normal users.
The 4 ways to explicitly define a Disallowed/Unrestricted application are the following:
- Network zone rule
- Path rule (supports wildcards and environment variables; if multiple path rules match, the most specific path wins)
- Hash rule (Vista supports SHA-256 hash rules, alongside MD5 for older clients)
- Certificate rule
For each of these rules you can apply an exception to the default security level:
Unrestricted: makes sense if the default security level is Disallowed
Disallowed: makes sense if the default security level is Unrestricted
Basic User: a new feature in Vista that, together with UAC, forces an application to run as a normal user.
This new feature applies to all 4 rule types above except certificate rules and can be very useful for preventing an application from making system-wide changes.
If multiple rules match a program, the more specific rule takes precedence; from weakest to strongest:
- Default level (weakest)
- Network zone rule
- Path rule
- Certificate rule
- Hash rule (strongest, always wins)
If two rules of the same type match with different levels, the more restrictive level wins.
Example: if the default level is Disallowed and a path rule for c:\jbkb\jbkb.exe is set to Unrestricted, then even though the default level disallows running c:\jbkb\jbkb.exe, the path rule takes precedence and allows c:\jbkb\jbkb.exe to run.
My personal guess is that one or two exam questions could be about conflicting rules where you need to find out which one "wins" (a hash rule always wins and a certificate rule is the second strongest; hash rules are also easier to implement than certificate rules).
To find blocked applications in Event Viewer, look in the Application log for source SoftwareRestrictionPolicies with Event ID 865 (blocked by the default level), 866 (blocked by a path rule), 867 (blocked by a certificate rule) or 868 (blocked by a hash or zone rule).
The Application event log only shows entries for applications that are blocked; if you want to see allowed (Unrestricted) evaluations as well you will need to enable advanced logging by adding a string value with the log file path to the following registry key:
If you lock yourself out with too restrictive policies, log on in Safe Mode (restart and press F8 during boot) as a local administrator, since Vista ignores Software Restriction Policies for local administrators in Safe Mode.
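When troubleshooting a block it helps to see the rules as the engine sees them rather than as the GUI shows them. The following is an added PowerShell example, not code from the original notes: it lists the path and hash rules stored under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the subkey names 0, 131072 and 262144 are the Disallowed, Basic User and Unrestricted levels), enables the advanced log by setting the string value LogFileName under that same key, and pulls the 865-868 block events from the Application log. The log path C:\srp.log is a placeholder.

```powershell
# Added example, not from the original notes. Run elevated (PowerShell 2.0
# for Get-WinEvent). The log path C:\srp.log is a placeholder.

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in the registry (SAFER level IDs).
$levelNames = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }
$kindNames  = @{ Paths = 'Path'; Hashes = 'Hash' }

function Get-SrpDefaultLevel {
    if (-not (Test-Path $safer)) { return 'No policy defined' }
    $dl = (Get-ItemProperty -Path $safer).DefaultLevel
    if ($null -eq $dl) { return 'No DefaultLevel value (Unrestricted)' }
    $levelNames[[int]$dl]
}

function Get-SrpRules {
    # Layout: CodeIdentifiers\<level>\Paths\{GUID} and CodeIdentifiers\<level>\Hashes\{GUID}.
    # The rule list in the GUI is built from exactly these keys.
    if (-not (Test-Path $safer)) { return @() }
    $rules = @()
    foreach ($levelKey in Get-ChildItem -Path $safer) {
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = $levelNames[[int]$levelKey.PSChildName]
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($ruleKey in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $ruleKey.PSPath
                $rules += New-Object PSObject -Property @{
                    Kind        = $kindNames[$kind]
                    Level       = $level
                    # Path rules keep the path in ItemData; hash rules keep the
                    # binary hash there and a readable name in FriendlyName.
                    Match       = $(if ($kind -eq 'Paths') { $p.ItemData } else { $p.FriendlyName })
                    Description = $p.Description
                }
            }
        }
    }
    return $rules
}

function Enable-SrpAdvancedLog([string]$LogPath = 'C:\srp.log') {
    # With LogFileName set, every evaluation (allowed and blocked) is appended
    # to the file, not only the blocks that reach the Application log.
    Set-ItemProperty -Path $safer -Name LogFileName -Value $LogPath -Type String
}

function Get-SrpBlockEvents([int]$Max = 20) {
    $blockedBy = @{ 865 = 'default level'; 866 = 'path rule'; 867 = 'certificate rule'; 868 = 'hash or zone rule' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'; Id = 865, 866, 867, 868 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'BlockedBy'; e = { $blockedBy[$_.Id] } }, Message
}

"Default level: $(Get-SrpDefaultLevel)"
Get-SrpRules | Format-Table Kind, Level, Match, Description -AutoSize
Get-SrpBlockEvents
```

Certificate and zone rules live elsewhere (certificate rules under the Trusted Publishers store, zone rules as a separate value), so the list above covers the two rule types that cause most lockouts. The advanced log grows with every process start, so remove the LogFileName value again once the conflicting rule has been found.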