Finally! New Windows 10 Exams in Beta!

December 7, 2018 at 10:45 pm

Windows 10 has evolved (a lot) since those early releases. For example, the HomeGroup feature has bitten the IT dust. Microsoft has responded (finally) by releasing two new certification exams in Beta in December 2018.

This means we will get new versions of the certification and the exams soon. Of course, I am also excited about the new, upcoming courses at CBT Nuggets. Once again, we will focus on Hands-On Labs to ensure that you get sandboxes for Windows 10 to experiment with all the new features and technologies. This time, we will also be offering checkpoint labs where you will be challenged to demonstrate your abilities with Windows 10 support.

Exam MD-100: Windows 10 (beta)

Deploy Windows (15-20%)

  • Deploy Windows 10
    • Configure language packs; migrate user data; perform a clean installation; perform an in-place upgrade (using tools such as MDT, WDS, ADK, etc.); select the appropriate Windows edition; troubleshoot activation issues
  • Perform post-installation configuration
    • Configure Edge and Internet Explorer; configure mobility settings; configure sign-in options; customize the Windows desktop

Manage Devices and Data (35-40%)

  • Manage local users, local groups, and devices
    • Manage devices in directories; manage local groups; manage local users
  • Configure data access and protection
    • Configure NTFS permissions; configure shared permissions
  • Configure devices by using local policies
    • Configure local registry; implement local policy; troubleshoot group policies on devices
  • Manage Windows security
    • Configure user account control (UAC); configure Windows Defender Firewall; implement encryption

Configure Connectivity (15-20%)

  • Configure networking
    • Configure client IP settings; configure mobile networking; configure VPN client; troubleshoot networking; configure Wi-Fi profiles
  • Configure remote connectivity
    • Configure remote management; enable PowerShell Remoting; configure remote desktop access

Maintain Windows (25-30%)

  • Configure system and data recovery
    • Perform file recovery (including OneDrive); recover Windows 10; troubleshoot startup/boot process
  • Manage updates
    • Check for updates; troubleshoot updates; validate and test updates; select the appropriate servicing channel; configure Windows update options
  • Monitor and manage Windows
    • Configure and analyze event logs; manage performance; manage Windows 10 environment

MD-101 Managing Modern Desktops (beta)

Deploy and Update Operating Systems (15-20%)

  • Plan and implement Windows 10 by using dynamic deployment
    • Evaluate and select appropriate deployment options; pilot deployment; manage and troubleshoot provisioning packages
  • Plan and implement Windows 10 by using Windows Autopilot
    • Evaluate and select appropriate deployment options; pilot deployment; create, validate, and assign deployment profile; extract device HW information to CSV file; import device HW information to cloud service; troubleshoot deployment
  • Upgrade devices to Windows 10
    • Identify upgrade and downgrade paths; manage in-place upgrades; configure a Windows analytics environment; perform Upgrade Readiness assessment; migrate user profiles
  • Manage updates
    • Configure Windows 10 delivery optimization; configure Windows Update for Business; deploy Windows updates; implement feature updates; monitor Windows 10 updates
  • Manage device authentication
    • Manage authentication policies; manage sign-on options; perform Azure AD join

Manage Policies and Profiles (35-40%)

  • Plan and implement co-management
    • Implement co-management precedence; migrate group policy to MDM policies; recommend a co-management strategy
  • Implement conditional access and compliance policies for devices
    • Implement conditional access policies; manage conditional access policies; plan conditional access policies; implement device compliance policies; manage device compliance policies; plan device compliance policies
  • Configure device profiles
    • Implement device profiles; manage device profiles; plan device profiles
  • Manage user profiles
    • Configure user profiles; configure Enterprise State Roaming in Azure AD; configure sync settings; implement Folder Redirection (including OneDrive)

Manage and Protect Devices (15-20%)

  • Manage Windows Defender
    • Implement and manage Windows Defender Application Guard; implement and manage Windows Defender Credential Guard; implement and manage Windows Defender Exploit Guard; implement Windows Defender Advanced Threat Protection; integrate Windows Defender Application Control; manage Windows Defender Antivirus
  • Manage Intune device enrollment and inventory
    • Configure enrollment settings; configure Intune automatic enrollment; enable device enrollment; enroll non-Windows devices; enroll Windows devices; generate custom device inventory reports; review device inventory
  • Monitor devices
    • Monitor device health (e.g., log analytics, Windows Analytics, or other cloud-based tools); monitor device security

Manage Apps and Data (25-30%)

  • Deploy and update applications
    • Assign apps to groups; Deploy apps by using Intune; deploy apps by using Microsoft Store for Business; deploy O365 ProPlus; enable sideloading of apps into images; gather Office readiness data; configure IE Enterprise mode; configure and implement assigned access or public devices
  • Implement Mobile Application Management (MAM)
    • Implement MAM policies; manage MAM policies; plan MAM; configure Windows Information Protection; implement Azure Information Protection templates; securing data by using Intune

70-742 Additional Notes – AD FS, WAP, and Preauthentication

September 18, 2017 at 11:07 am

When you are configuring AD FS and WAP, you have two preauthentication methods and various types of preauthentication available. Here is a recap of when you would use the various methods and types:

  • AD FS preauthentication method
    • Type – Web and MSOFBA
      • WebApplication
      • Rich Office Client
      • SharePoint
      • Office Server
      • Custom WebApp
    • Type – HTTP Basic
      • Rich Client without HTTP Redirection
      • Exchange ActiveSync
      • Remote Desktop Gateway
    • Type – OAuth2
      • Application using OAuth2
      • Windows Store Apps
      • Custom Application
  • Pass-Through preauthentication method 
    • No authentication
    • Forward authentication
    • Anonymous website
    • Legacy application
    • Public website
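
On the WAP server, the two methods correspond to the -ExternalPreauthentication parameter of Add-WebApplicationProxyApplication. The following is an added example, not part of the original post; the application names, URLs, relying party name and certificate thumbprint are placeholders. It publishes one application with each method, then lists every pass-through publication, since those requests reach the backend without being authenticated at the proxy.

```powershell
# Added example. Run on the Web Application Proxy server (WebApplicationProxy module).
# Every name, URL and the thumbprint below is a placeholder, not a value from the post.
$thumb = '<EXTERNAL-CERT-THUMBPRINT>'

# AD FS preauthentication: WAP redirects the user to AD FS before forwarding anything.
# 'ADFS' covers the Web and MSOFBA type; on Windows Server 2016 the values
# ADFSforRichClients (HTTP Basic) and ADFSforOAuth (OAuth2) select the other types.
Add-WebApplicationProxyApplication `
    -Name 'Intranet SharePoint' `
    -ExternalPreauthentication ADFS `
    -ADFSRelyingPartyName 'SharePoint RP' `
    -ExternalUrl 'https://sp.example.com/' `
    -BackendServerUrl 'https://sp.example.com/' `
    -ExternalCertificateThumbprint $thumb

# Pass-through: WAP forwards the request as-is; any authentication is left to the backend.
Add-WebApplicationProxyApplication `
    -Name 'Public Website' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl 'https://www.example.com/' `
    -BackendServerUrl 'https://www.example.com/' `
    -ExternalCertificateThumbprint $thumb

# Review: every published application that is exposed without preauthentication.
Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalPreauthentication -eq 'PassThrough' } |
    Sort-Object Name |
    Select-Object Name, ExternalUrl, BackendServerUrl |
    Format-Table -AutoSize
```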

70-742 Additional Notes – Restoring the Default GPOs

September 17, 2017 at 10:10 pm

You may find yourself in a situation where you need to restore the Default Domain Policy or the Default Domain Controllers Policy to their original configurations. Thankfully, there is a tool for this: the aptly named dcgpofix.exe command-line tool. This tool offers the following options:

  • /ignoreschema – this permits the command to run regardless of the AD schema version in use
  • /target – permits you to specify exactly what object you want to restore
  • /? – permits the display of help on the command
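
Because dcgpofix.exe discards every customization made to the GPO it resets, back up the current state first. The following is an added example, not part of the original post; the backup folder is a placeholder, and the two GUIDs are the well-known identifiers of the default GPOs.

```powershell
# Added example. Run elevated on a domain controller with Domain Admin rights.
# Requires the GroupPolicy module (installed with GPMC). Backup path is a placeholder.
Import-Module GroupPolicy

# Well-known GUIDs of the two default GPOs; they are the same in every domain.
$defaultGpos = @{
    'Default Domain Policy'             = '31B2F340-016D-11D2-945F-00C04FB984F9'
    'Default Domain Controllers Policy' = '6AC1786C-016F-11D2-945F-00C04FB984F9'
}

$backupDir = 'C:\GPOBackup\pre-dcgpofix'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($name in $defaultGpos.Keys) {
    $guid = $defaultGpos[$name]

    # Restorable backup of the GPO as it is now.
    Backup-GPO -Guid $guid -Path $backupDir -Comment "Before dcgpofix: $name" | Out-Null

    # Human-readable report, so customized settings can be reapplied after the reset.
    Get-GPOReport -Guid $guid -ReportType Html -Path (Join-Path $backupDir "$name.html")
}

# Reset only the Default Domain Policy. /target accepts Domain, DC or Both.
# The tool asks for confirmation before it overwrites the GPO.
dcgpofix.exe /target:Domain
```

After the reset, compare the saved HTML report with the restored policy and reapply only the settings that are still wanted, such as the password and account lockout policy.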

70-742 Additional Notes – Federation Services Cmdlets for PowerShell

September 16, 2017 at 11:50 am

Be sure to run through these useful cmdlets for the management of Active Directory Federation Services. Remember, don’t go crazy with memorization here on cmdlets. Just remember the verb-noun syntax and review the list to see what is possible. Once again – don’t miss the READ MORE button in the blog post to see the complete list:

  • Add-AdfsAttributeStore
    Adds an attribute store to the Federation Service.
  • Add-AdfsCertificate
    Adds a new certificate to AD FS for signing, decrypting, or securing communications.
  • Add-AdfsClaimDescription
    Adds a claim description to the Federation Service.
  • Add-AdfsClaimsProviderTrust
    Adds a new claims provider trust to the Federation Service.
  • Add-AdfsClaimsProviderTrustsGroup
    Creates a claims provider trust group based on metadata that contains multiple entities.
  • Add-AdfsClient
    Registers an OAuth 2.0 client with AD FS.
  • Add-AdfsDeviceRegistrationUpnSuffix
    Adds a custom UPN suffix.
  • Add-AdfsFarmNode
    Adds this computer to an existing federation server farm.
  • Add-AdfsLocalClaimsProviderTrust
    Creates a local claims provider trust.
  • Add-AdfsNativeClientApplication
    Adds a native client application role to an application in AD FS.
  • Add-AdfsNonClaimsAwareRelyingPartyTrust
    Adds a relying party trust that represents a non-claims-aware web application or service to the Federation Service.
  • Add-AdfsRelyingPartyTrust
    Adds a new relying party trust to the Federation Service.
  • Add-AdfsRelyingPartyTrustsGroup
    Creates a relying party trusts group.
  • Add-AdfsScopeDescription
    Adds a scope description in AD FS.
  • Add-AdfsServerApplication
    Adds a server application role to an application in AD FS.
  • Add-AdfsTrustedFederationPartner
    Adds configuration settings for trusted federation partners in AD FS.
  • Add-AdfsWebApiApplication
    Adds a Web API application role to an application in AD FS.
  • Add-AdfsWebApplicationProxyRelyingPartyTrust
    Adds a relying party trust for the Web Application Proxy.
  • Disable-AdfsApplicationGroup
    Disables an application group.

70-742 Additional Notes – Active Directory Rights Management Services (AD RMS)

September 14, 2017 at 9:32 pm

Active Directory Rights Management Services rights can be assigned to users in forests that have a federated trust in place via Active Directory Federation Services. This enables organizations to share rights-protected content without establishing another trust or building a separate Active Directory Rights Management Services infrastructure.

Active Directory Federation Services (AD FS) is a standards-based service that enables federation of identity by implementing claims-based authentication across forests. Claims-based authentication is the process of authenticating a user, based on a set of claims contained in a trusted token. The token is typically issued and signed by a trusted entity.

With AD FS, identity federation is established between two organizations by establishing trust between two security realms. An AD FS server on one side of the trust (ADFS-ACCOUNT) authenticates the user through Active Directory Domain Services and issues a token containing a series of claims about the user, including her identity. On the other side, an AD FS server (ADFS-RESOURCE) validates the token and issues a separate token that the local servers accept, enabling the user to access a requested resource. This process enables an organization to provide controlled access, to its resources or services, to a user that belongs to another security realm. Users do not have to directly authenticate to the federated environment and the organizations do not have to share user identities or passwords.

In order to benefit from identity federation, a service must accept federated identities, and AD RMS is one such service. In particular, AD RMS is designed to accept requests for licenses, from remote users through a single sign-on agent or Web single sign-on, and redirect the requests to the local federation server (ADFS-RESOURCE). This server requires the user to authenticate to ADFS-ACCOUNT, which authenticates the user via Active Directory and issues the corresponding security token. This token is presented to the single sign-on agent, which validates the token and provides the identity to the AD RMS server. Finally, the AD RMS server issues the requested licenses.

AD FS provides a very efficient way to deliver access to protected content to users in remote, independent organizations, including organizations that have not deployed AD RMS. It also uses infrastructure that can be used for other federation purposes, such as providing access to extranet sites and to SharePoint Server based sites.

Trusted User Domains (TUDs) allow you to configure an AD RMS cluster to manage requests for CLCs for users that have been issued RACs from a different AD RMS cluster. For example, if an organization has two separate Active Directory forests and each forest has its own AD RMS deployment, you’d configure Trusted User Domains so that clients from one forest are able to issue CLCs to clients with RACs issued from the other forest. TUDs can be one-way or bi-directional. When configuring TUDs, you must export the TUD from the partner before importing the TUD locally.

Trusted Publishing Domains (TPDs) allow the AD RMS cluster in one forest to issue end-user licenses to content published with licenses issued from an AD RMS cluster in another forest. You must export the TPD file and have it imported by the partner AD RMS cluster before the AD RMS cluster in the partner forest can issue end-user licenses to local AD RMS clients.