70-680 Study Guide 1 v1.0

7/29/2019 70-680 Study Guide 1 v1.0

  • 7/29/2019 70-680 Study Guide 1 v1.0

    2/21

Contents

Installing
    Version Support
    Minimum Specifications
    Clean Installs
    Upgrading
    Dual Booting
    Migration
Deployment
    Windows SIM (System Image Manager)
    Imaging
    Unattended installs
Configuration
    Hardware
    GPOs
    Services
    Booting
    Slmgr
    Applications
Networking
    Services
    IP
    Remote Control / Admin
    Firewall
    Wireless
Resource Access
    NTFS
    Share Permissions
    Caching
    Branch Caching (Page 427-431)
    EFS
    Printing
Mobile Computing
    NAP
    Offline Files
    Remote Desktop
    Power management
    Remote access
    Direct Access
    BitLocker
Maintenance
    Windows Update
    Credentials Manager
    IIS
    Certificate Manager
    Auditing
    UAC
    Monitoring
    Disk
Backup & Recovery
    Backup
    System Protection
    Restore
    Recovery
Appendix
    Certificates
    EFS password Recovery


    Installing

Version Support

Windows 7 comes in several editions; for the exam concentrate on the more advanced features supported in Ultimate and Enterprise (page 12 - 14).

o Home Basic
    Aimed at emerging markets; lacks full Aero support and Media Center.
o Home Premium
    Aimed at the home user market: full Media Center support but no domain-join capability.
o Professional
    Standard business edition: includes Media Center, Remote Desktop host, XP Mode, Folder Redirection and domain support.
o Ultimate
    Full feature set, including DirectAccess and BitLocker.
o Enterprise
    Same feature set as Ultimate, sold through volume licensing.

Minimum Specifications

These are the minimum specifications for both the 32-bit and 64-bit builds of Windows 7 (page 15):

o 1 GHz or faster processor
o 1 GB (32-bit) or 2 GB (64-bit) RAM
o 16 GB (32-bit) or 20 GB (64-bit) free disk space
o DirectX 9 capable video adapter with a WDDM 1.0 or later driver

4 GB is the largest amount of memory addressable by the 32-bit version.

Clean Installs

Preferred over upgrades because no old configuration, drivers or registry state is carried over, which keeps the new installation faster (page 29).

o If booting from the DVD, check that the BIOS boot order puts the optical drive first (page 35).
o When moving from a 32-bit OS to a 64-bit client you cannot run setup from inside the existing OS: boot from the media and choose Custom (Advanced) (page 58).
o Partitions can be created during installation on unpartitioned disk space.
o If not enough disk space is available, shrink other partitions on the disk.
o Load Driver is used during setup to install RAID or storage controller drivers that Windows 7 does not include (page 42).

Upgrading

Only Windows Vista supports an in-place upgrade to Windows 7.

o Windows 7 Upgrade Advisor is the easiest way to identify whether a machine can be upgraded (page 20).
o To upgrade, start Windows Vista, insert the DVD and choose the Upgrade option.
o You may only upgrade Vista with Service Pack 1 or 2 installed (http://windows.microsoft.com/en-US/windows7/help/upgrading-from-windows-vista-to-windows-7, step 2).
o To move Windows 7 to a different edition, e.g. from Professional to Ultimate, the easiest method is Windows Anytime Upgrade (page 58).

Dual Booting

Allows more than one OS on a single computer.

o Windows does not support multiple operating systems on a single partition; give each OS its own partition (page 59).
o To edit the Boot Configuration Data (BCD) store use BCDEdit.
    o Use the /default switch to set the default OS (http://technet.microsoft.com/en-us/library/cc709667(WS.10).aspx).
o To repair a damaged boot sector or MBR, boot from the Windows 7 media and choose Startup Repair, or open the recovery command prompt and run bootrec /fixmbr and bootrec /fixboot (http://www.ehow.com/how_4836283_repair-mbr-windows.html).

Migration

This is the process of moving user and machine settings across from a previous OS such as XP or Vista.

o Windows Easy Transfer (page 44)
    o Used to move settings and files on a single computer or between two computers.
    o Graphical interface makes it the easiest to use.
    o Run it from an administrator account.
o User State Migration Tool (USMT) (page 55)
    o Command-line utility.
    o Scanstate (run on the source computer)
        Saves settings and files to a migration store.
        When you have upgraded from XP or Vista to Windows 7 the old OS files are kept in a folder named with .old, e.g. c:\windows.old; ScanState can gather from it with /offlineWinOld.
        Know all the switches and .xml files below:
        o /genmigxml   Review what will be migrated without writing a store
        o /nocompress /p   Check how much space the uncompressed store will take
        o /efs:<option>   Choose how encrypted files are migrated (e.g. /efs:copyraw)
        o MigDocs.xml   Finds user documents wherever they are stored on the drive (good for users who save files all over their disk)
        o Config.xml   Used to exclude components or files from the migration
        o MigApp.xml   Application settings
        o MigUser.xml   User profile folders and files selected by extension
        (http://technet.microsoft.com/en-us/library/dd560764(WS.10).aspx)
    o Loadstate (run on the destination computer)
        Does not bring over installed applications; these must be re-installed on the new Windows 7 installation before LoadState runs so that the migrated settings have something to apply to.
        /lac imports local accounts but leaves them disabled, so they must be enabled before use (add /lae to import them enabled)
        (http://technet.microsoft.com/en-us/library/cc749015(WS.10).aspx)
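The ScanState/LoadState sequence above, written out as one PowerShell script. This is an added example and is not part of the study guide or of USMT's documentation; the USMT install path, the store share, the temporary local-account password and the windows.old location are assumptions.

```powershell
# Added example, not from the study guide. Assumptions: USMT 4.0 (Windows AIK) is installed
# at $Usmt and $Store is a share that both the source and destination computers can reach.
$Usmt  = 'C:\Program Files\Windows AIK\Tools\USMT\amd64'   # assumed AIK default path
$Store = '\\fileserver\migration\PC01'                      # assumed migration store
$Rules = "/i:$Usmt\MigDocs.xml", "/i:$Usmt\MigApp.xml"      # MigUser.xml is the alternative to MigDocs.xml

function Invoke-Usmt {
    # Run scanstate or loadstate and fail loudly: a half-written store is worse than none.
    param([string]$Tool)
    & "$Usmt\$Tool.exe" @args
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE (check the /l log)" }
}

# --- Source computer ---------------------------------------------------------------
# 1. Review what would be migrated; nothing is written to the store.
Invoke-Usmt scanstate "/genmigxml:$env:TEMP\migration-plan.xml" @Rules

# 2. Size estimate: /p together with /nocompress writes usmtsize.txt instead of real data.
Invoke-Usmt scanstate $Store /nocompress /p @Rules

# 3. Real capture. /o overwrites an existing store. /efs:copyraw keeps EFS files encrypted,
#    so the user's EFS certificate must also reach the new machine or the files are lost.
#    /v:13 and /l give the verbose log you need when something is silently skipped.
Invoke-Usmt scanstate $Store /o /efs:copyraw /v:13 "/l:$env:TEMP\scanstate.log" @Rules

# If the PC was upgraded in place, gather from the old installation instead of the live one:
#   scanstate $Store /offlineWinOld:C:\Windows.old\Windows /o @Rules

# --- Destination computer (after Windows 7 and the applications are installed) --------
# /lac creates any missing local accounts with the given password but leaves them disabled;
# /lae enables them as well. Domain accounts need neither switch.
Invoke-Usmt loadstate $Store /lac:TempPa55word! /lae /v:13 "/l:$env:TEMP\loadstate.log" @Rules
```

The same $Rules array is used on both sides on purpose: ScanState and LoadState must be given the same migration .xml files or settings captured under one rule set are silently dropped on restore.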


Deployment

Windows SIM (System Image Manager)

o Graphical utility used to create answer files (Unattend.xml / Autounattend.xml) for automated installs (page 66).

Imaging

o ImageX
    o Command-line utility used to capture and apply a .wim image from inside Windows PE (page 72).
    o Can be used to mount an image in order to modify it (page 66, 71-72).
    o Applying the retail install.wim boots the machine into OOBE (Out Of Box Experience).
    o Switches:
        /append   adds another volume image to an existing .wim file
        /mountrw   mounts an image read/write so its files can be changed; while it is mounted you can copy files into it or service it with DISM
        /split   splits a .wim into .swm pieces for media too small to hold the whole image file
        (http://technet.microsoft.com/en-us/library/cc749447(WS.10).aspx)
o DISM (Deployment Image Servicing and Management)
    o Command-line utility that services an existing, offline image (page 66, 89-91).
    o Changes to a mounted image can be thrown away instead of saved (/Unmount-Wim /Discard), and stale mount points cleaned up (/Cleanup-Wim).
    o Can add features such as the Telnet client to an image (/Enable-Feature /FeatureName:TelnetClient).
    o Can remove the games by disabling the InboxGames feature (/Disable-Feature /FeatureName:InboxGames).
    o /Get-Drivers shows which third-party drivers are contained within an image.
    o /Add-Driver adds a driver to an offline image.
    o /Set-Edition changes the edition of Windows in an offline image, e.g. Windows 7 Professional to Windows 7 Ultimate (/Get-TargetEditions lists the editions the image can be moved to).
    o This is also the primary tool for servicing the Windows PE image, boot.wim (http://technet.microsoft.com/en-us/library/dd744533(WS.10).aspx).
o Windows PE
    o A minimal boot environment used to capture and apply images.
    o The system must be started in Windows PE, not the installed OS, in order to capture its image.
    o Drivers can be loaded dynamically inside Windows PE with Drvload (http://technet.microsoft.com/en-us/library/cc766390(WS.10).aspx).
    o An image can only be applied to a partition that has already been created and formatted (DiskPart).
o Sysprep (page 71)
    o Removes machine-specific data, such as the computer SID, from an installation so that it can be captured and redeployed.
    o /generalize removes the machine-specific data.
    o /oobe makes the deployed machine start in Out Of Box Experience.
o VHD
    o A .wim applied to a VHD with ImageX starts in OOBE on its first boot, just as it would on a physical disk.
    o Fixed-size VHDs have the least impact on performance.
o WDS (Windows Deployment Services)
    o Images need to be added to the WDS console before you are able to select and deploy them (page 78, 94).
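The capture-and-service workflow described under ImageX, DISM and Sysprep above, as one PowerShell script. This is an added example and not from the study guide or the Windows AIK documentation; the image path, mount folder, driver folder and target edition are assumptions, and the commands that have to run on the reference machine or in Windows PE are shown as comments because this script itself runs on the technician PC.

```powershell
# Added example, not from the study guide. Assumptions: elevated prompt, the WAIK tools
# (imagex.exe, dism.exe) on the PATH, a captured image at $Wim, drivers under $Drivers.
$Wim     = 'D:\Images\win7.wim'
$Mount   = 'C:\Mount'
$Drivers = 'D:\Drivers\NIC'

# 1. Reference machine: strip the SID and other machine-specific data, then power off for capture.
#    C:\Windows\System32\sysprep\sysprep.exe /generalize /oobe /shutdown

# 2. Boot the reference machine into Windows PE (never capture the running OS) and:
#    imagex /capture C: D:\Images\win7.wim "Win7 Ent x64" /compress fast
#    imagex /append  D: D:\Images\win7.wim "Data volume"           # second volume image, same .wim
#    imagex /split   D:\Images\win7.wim D:\Images\win7.swm 4000     # 4000 MB pieces for DVD media

# 3. Offline servicing with DISM on the technician PC.
function Invoke-Dism {
    & dism.exe @args
    if ($LASTEXITCODE -ne 0) { throw "dism $($args[0]) failed with exit code $LASTEXITCODE" }
}

New-Item -ItemType Directory -Force -Path $Mount | Out-Null
Invoke-Dism /Get-WimInfo /WimFile:$Wim                 # which volume image is index 1?
Invoke-Dism /Mount-Wim /WimFile:$Wim /Index:1 /MountDir:$Mount
try {
    Invoke-Dism /Image:$Mount /Get-Drivers             # third-party drivers already in the image
    Invoke-Dism /Image:$Mount /Add-Driver /Driver:$Drivers /Recurse
    Invoke-Dism /Image:$Mount /Enable-Feature /FeatureName:TelnetClient
    Invoke-Dism /Image:$Mount /Disable-Feature /FeatureName:InboxGames
    Invoke-Dism /Image:$Mount /Get-TargetEditions      # editions this image may be moved to
    Invoke-Dism /Image:$Mount /Set-Edition:Ultimate
    Invoke-Dism /Unmount-Wim /MountDir:$Mount /Commit  # write the changes back into the .wim
} catch {
    Write-Warning "Servicing failed, discarding changes: $_"
    Invoke-Dism /Unmount-Wim /MountDir:$Mount /Discard # leave the original image untouched
}
```

The try/catch matters: if any servicing step fails and the image is committed anyway, the broken image is what WDS deploys to every machine. Discarding returns the .wim to exactly the state it was captured in.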

Unattended installs

o Use an Autounattend.xml answer file for an install that does not prompt.
o It can be placed in the root of a USB disk, where setup reads it automatically, or on a network share (http://support.microsoft.com/kb/933495).

Configuration

Hardware

o To view all drivers with their signing status run driverquery /si; unsigned drivers show IsSigned as FALSE.
o Hardware-assisted virtualization must be enabled in the computer's BIOS for XP Mode to work.
o To change the default actions for optical drives modify the AutoPlay settings.
o Display drivers are controlled at machine level in local policy, so you would need to modify the Computer Configuration settings and not the User Configuration settings.
o If a hardware device will not start, try Troubleshoot from Devices and Printers.
o To permanently set which application opens a certain file type use Control Panel / Programs / Set Your Default Programs.
o Printing
    o 32-bit and 64-bit drivers are different, so you will need to install the additional driver for the other architecture for all clients to be able to print.
o USB
    o pnputil.exe -i -a <driver.inf> adds a driver package to the driver store and installs it for matching plug and play hardware such as USB devices (http://technet.microsoft.com/en-us/library/cc732408(WS.10).aspx).
    o To ensure only approved USB sticks can be used, set the following under Computer Configuration / Administrative Templates / System / Device Installation / Device Installation Restrictions:
        Enable "Prevent installation of devices not described by other policy settings".
        Enable "Allow installation of devices that match any of these device IDs" and enter the hardware IDs of the approved devices.
    o To prevent any new removable drives being used, enable "Prevent installation of removable devices".
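The device-restriction policies above need real identifiers pasted into them, and the hardware section also mentions driverquery /si and pnputil. The script below gathers all three. It is an added example, not from the study guide; the driver path passed to Install-DriverPackage is a placeholder, and the output is whatever devices are attached to the machine it runs on.

```powershell
# Added example, not from the study guide. Collects what the Device Installation Restriction
# policies ask for (hardware IDs, setup-class GUIDs), lists unsigned drivers, and stages a
# driver package with pnputil. Run elevated for pnputil.

# driverquery /si adds an IsSigned column; /fo csv makes it easy to filter in PowerShell.
function Get-UnsignedDriver {
    driverquery.exe /si /fo csv | ConvertFrom-Csv | Where-Object { $_.IsSigned -eq 'FALSE' }
}

# Hardware IDs go into "Allow installation of devices that match any of these device IDs";
# the ClassGuid goes into "Prevent installation of devices using drivers that match these
# device setup classes". USBSTOR\ is the enumerator prefix for USB mass storage devices.
function Get-UsbStorageDeviceId {
    Get-WmiObject Win32_PnPEntity -Filter "DeviceID LIKE 'USBSTOR%'" | ForEach-Object {
        New-Object PSObject -Property @{
            Name       = $_.Name
            ClassGuid  = $_.ClassGuid                 # {4d36e967-e325-11ce-bfc1-08002be10318} = DiskDrive class
            HardwareId = ($_.HardwareID -join ' | ')  # most specific ID first; allow-list the one you want
        }
    }
}

# Stage a driver package in the driver store and install it for any matching hardware.
function Install-DriverPackage {
    param([Parameter(Mandatory=$true)][string]$InfPath)   # assumption: e.g. D:\Drivers\usbkey\usbkey.inf
    pnputil.exe -i -a $InfPath
    if ($LASTEXITCODE -ne 0) { throw "pnputil failed with exit code $LASTEXITCODE" }
}

Get-UnsignedDriver     | Format-Table DeviceName, InfName, IsSigned -AutoSize
Get-UsbStorageDeviceId | Format-List Name, ClassGuid, HardwareId
```

Allow-listing by the full hardware ID (vendor, product and revision) rather than by the USBSTOR\Disk prefix is what makes the policy meaningful: the prefix matches every USB disk ever made.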

GPOs

o Before you can prevent a whole class of hardware device from being installed you need to know its device setup class GUID, which goes into "Prevent installation of devices using drivers that match these device setup classes".
o Local Policy Settings
    o To track folder usage, enable "Audit object access" and then set auditing on the folder itself (Security tab / Advanced / Auditing).
    o Can be used to disable Control Panel access for users.
    o The user right "Shut down the system" can be used to prevent users shutting down a computer.
    o "Interactive logon: Do not display last user name" prevents the name of the last logged-on user being displayed.

Services

o Application Identity (AppIDSvc)
    o Must be running for AppLocker (Application Control Policies) rules to be enforced; if the service is stopped the rules are ignored.

Booting

o Use BCDEdit to change the order in which operating systems are listed (/displayorder) and which one boots by default (/default).
o VHDs can also be added as a bootable OS using this tool.

Slmgr

o slmgr.vbs /dli displays license information; /dlv displays detailed license information.
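The two BCDEdit tasks this guide mentions (setting the default OS for a dual-boot machine, and adding a VHD as a bootable OS) as PowerShell functions. This is an added example, not from the study guide or from Microsoft's BCDEdit reference; the VHD path and descriptions are placeholders, and the new entry's GUID is read back from bcdedit's output rather than assumed.

```powershell
# Added example, not from the study guide. Run from an elevated prompt.
function Get-BcdEntry {
    # Turn the text of 'bcdedit /enum' into objects with Id and Description
    $entries = @(); $current = $null
    foreach ($line in (bcdedit.exe /enum)) {
        if ($line -match '^identifier\s+(\S+)') {
            $current = New-Object PSObject -Property @{ Id = $matches[1]; Description = $null }
            $entries += $current
        } elseif ($current -and $line -match '^description\s+(.+)$') {
            $current.Description = $matches[1].Trim()
        }
    }
    $entries
}

function Set-DefaultOs {
    param([Parameter(Mandatory=$true)][string]$Description, [int]$TimeoutSeconds = 10)
    $entry = Get-BcdEntry | Where-Object { $_.Description -eq $Description }
    if (-not $entry) { throw "No BCD entry is described as '$Description'" }
    bcdedit.exe /default $entry.Id                  # boots when the menu times out
    bcdedit.exe /displayorder $entry.Id /addfirst   # and is listed first in the menu
    bcdedit.exe /timeout $TimeoutSeconds            # how long the menu is shown
}

function Add-VhdBootEntry {
    param([Parameter(Mandatory=$true)][string]$VhdPath,   # assumption: e.g. C:\VHD\win7.vhd on an NTFS volume
          [string]$Description = 'Windows 7 (VHD)')
    # /copy clones the running OS entry and prints "The entry was successfully copied to {guid}."
    $output = (bcdedit.exe /copy '{current}' /d $Description) -join ' '
    if ($output -notmatch '(\{[0-9a-fA-F-]{36}\})') { throw "bcdedit /copy failed: $output" }
    $id    = $matches[1]
    $drive = $VhdPath.Substring(0, 2)     # 'C:'  -> written as vhd=[C:]\VHD\win7.vhd
    $rest  = $VhdPath.Substring(2)        # '\VHD\win7.vhd'
    bcdedit.exe /set $id device   "vhd=[$drive]$rest"
    bcdedit.exe /set $id osdevice "vhd=[$drive]$rest"
    bcdedit.exe /set $id detecthal on     # let the OS inside the VHD re-detect the HAL on first boot
    $id
}

Get-BcdEntry | Format-Table Id, Description -AutoSize
```

Parsing the GUID out of bcdedit's own output is the safe way to do this; hard-coding a GUID copied from another machine points the new entry at nothing and the menu item fails to boot.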
Applications

o AppLocker (aka Application Control Policies)
    o Can be used to control which users or local groups can run an application.
    o To control application version use a Publisher rule; it matches on publisher, product, file name and a version range.
    o To prevent the running of certain applications use Executable Rules (a deny rule, or simply no allow rule once enforcement is on).
    o Rules are not enforced unless the Application Identity service is running.
o MsiExec can be used in logon scripts to install .msi packages quietly (/qn). It can also be used with .mst transform files to customise the way an application is installed.
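Windows 7 ships PowerShell cmdlets for AppLocker, so the publisher-rule workflow above can be built, tested against a user before it is enforced, and then applied, from a script. This is an added example and not from the study guide; the application folder, the group that may run it, the test user and the MSI paths are placeholders.

```powershell
# Added example, not from the study guide. Assumptions: the approved application is installed
# under C:\Program Files\Contoso and CONTOSO\Finance is the group allowed to run it.
Import-Module AppLocker

# AppLocker does nothing unless the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

New-Item -ItemType Directory -Force -Path C:\AppLocker | Out-Null

# 1. Build rules from the binaries in the folder. Signed files get Publisher rules, which
#    survive version updates; unsigned files fall back to Hash rules. -Optimize merges files
#    from the same publisher and product into one rule with a version range.
Get-AppLockerFileInformation -Directory 'C:\Program Files\Contoso' -Recurse |
    New-AppLockerPolicy -RuleType Publisher, Hash -User 'CONTOSO\Finance' -Optimize -Xml |
    Out-File -Encoding utf8 C:\AppLocker\finance.xml

# 2. Dry run against the XML: which files would a given user be allowed to run? Nothing is
#    enforced yet, so this is how you find the one unsigned helper .exe that would be blocked.
Get-ChildItem 'C:\Program Files\Contoso' -Include *.exe -Recurse |
    Test-AppLockerPolicy -XmlPolicy C:\AppLocker\finance.xml -User 'CONTOSO\jsmith' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Apply to the local policy. -Merge adds to the existing rules instead of replacing them;
#    make sure the default rules that allow %WINDIR% and %PROGRAMFILES% exist before turning
#    enforcement on, or Windows' own binaries are blocked for standard users.
Set-AppLockerPolicy -XmlPolicy C:\AppLocker\finance.xml -Merge

# Quiet MSI install with a transform, as a logon script would run it:
#   msiexec.exe /i \\server\apps\app.msi TRANSFORMS=\\server\apps\custom.mst /qn /l*v C:\Logs\app.log
```

Test-AppLockerPolicy is the step worth remembering: it evaluates the policy XML for a named user without touching the live policy, so the lockout cases are found on the test machine rather than on the helpdesk.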

o ACT (Application Compatibility Toolkit)
    o To ensure an application shim is applied the next time the application is run, install the shim database with sdbinst.
    o Use ACT to check applications for compatibility with Windows 7.
o IE
    o Add a site to the Local intranet zone if you don't want the user to be prompted for authentication; the current Windows credentials are then used automatically.
    o Check the title bar for things like "Working Offline".
    o Compatibility View allows you to view web pages written for older versions of IE.
    o Ratings are controlled in Content Advisor.
    o When InPrivate browsing is on, Suggested Sites are not shown; open a normal IE window to see them.
    o ActiveX controls can be blocked via the zone Security settings.
    o You can make IE the default web browser via the Programs tab, followed by Make Default.
    o To reset IE select the Advanced tab followed by Reset.
    o Third-party toolbars are controlled via Manage Add-ons.
    o To prevent form-based credentials from previous users being filled in, modify the AutoComplete settings and clear the saved form data.

Networking

To join a machine to a HomeGroup set the network location to Home network (page 199).

Services

o Client for Microsoft Networks allows a machine to attach to resources on a network (page 161).

IP

o IPv4
    o CIDR notation describes the number of bits used for the network ID; for example /27 uses 27 bits for the network ID and 5 bits for the host ID, giving 32 addresses per subnet, 30 of them usable (page 151-152).
    o The IPv4 protocol must be enabled on the connection in order to use IPv4 addressing.
o IPv6
    o The loopback address for v6 is ::1.
    o To ping over v6 add the -6 switch, e.g. ping hostname -6. The DNS record type for an IPv6 host is AAAA.
    o For ISATAP to work you must be running the IP Helper service.
    o To view an IPv6 address use ipconfig or check the network connection's status details.
o IPCONFIG
    o If it returns no information, check that the network card is enabled.
    o /all shows extra info such as the MAC address and the DHCP and DNS servers.
o DHCP
    o Used to assign IP addresses automatically.
    o If it fails and an APIPA address is seen (169.254.x.x), set a static IP address to restore connectivity.
o Name resolution
    o The hosts file can be used to pre-load an IP address against a host name; useful when a machine has two addresses and you want only one of them to be used for the name.
o Default gateways
    o Exit points from a network and as such are often combined with firewalls. A common convention is to give the router/firewall the last usable address in the subnet, e.g. 192.168.0.254.
    o To confine a machine to its local subnet, remove the default gateway.
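The CIDR arithmetic behind the /27 example above, as a PowerShell function that returns the mask, network ID, broadcast address, host bits and usable host range for any IPv4 address with a prefix length. This is an added example and not from the study guide; it uses only integer arithmetic so it also runs on the PowerShell 2.0 that ships with Windows 7, and the netsh line at the end is the static-address fallback for the APIPA case, with the address values as placeholders.

```powershell
# Added example, not from the study guide.
function ConvertTo-DottedQuad {
    param([long]$Value)   # 32-bit address held in a long so there is no sign problem
    $octets = @()
    for ($i = 3; $i -ge 0; $i--) {
        $octets += [int]([math]::Floor($Value / [math]::Pow(256, $i)) % 256)
    }
    $octets -join '.'
}

function Get-SubnetInfo {
    param([Parameter(Mandatory=$true)][string]$Cidr)   # e.g. '192.168.1.77/27'
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Expected a.b.c.d/prefix, got '$Cidr'" }
    $ipText, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -gt 32) { throw 'Prefix length must be between 0 and 32' }

    # Dotted quad -> 32-bit value
    $ip = [long]0
    foreach ($octet in $ipText.Split('.')) {
        if ([int]$octet -gt 255) { throw "Octet $octet is out of range" }
        $ip = $ip * 256 + [int]$octet
    }

    $hostBits  = 32 - $prefix                              # /27 -> 5 host bits
    $blockSize = [long][math]::Pow(2, $hostBits)           # addresses per subnet (32 for /27)
    $mask      = [long]([math]::Pow(2, 32) - $blockSize)   # 27 one-bits then 5 zero-bits: 255.255.255.224
    $network   = $ip -band $mask                           # clear the host bits
    $broadcast = $network + $blockSize - 1                 # set the host bits
    $usable    = if ($hostBits -ge 2) { $blockSize - 2 } else { 0 }   # network and broadcast are not assignable

    New-Object PSObject -Property @{
        Address     = $ipText
        Prefix      = $prefix
        HostBits    = $hostBits
        Mask        = ConvertTo-DottedQuad $mask
        NetworkId   = ConvertTo-DottedQuad $network
        Broadcast   = ConvertTo-DottedQuad $broadcast
        FirstHost   = if ($usable) { ConvertTo-DottedQuad ($network + 1) } else { $null }
        LastHost    = if ($usable) { ConvertTo-DottedQuad ($broadcast - 1) } else { $null }
        UsableHosts = $usable
    }
}

Get-SubnetInfo '192.168.1.77/27' | Format-List Address, Prefix, HostBits, Mask, NetworkId, Broadcast, FirstHost, LastHost, UsableHosts

# APIPA fallback (169.254.x.x seen): give the adapter a static address inside the subnet
# calculated above. Adapter name and addresses are placeholders.
#   netsh interface ipv4 set address name="Local Area Connection" static 192.168.1.77 255.255.255.224 192.168.1.94
```

For 192.168.1.77/27 the function reports network 192.168.1.64, broadcast 192.168.1.95 and hosts .65 to .94; a /31 or /32 correctly reports no usable hosts instead of a negative number.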

Remote Control / Admin

o PowerShell
    o New-PSSession creates a remoting session (over WinRM) to a machine in which you can carry out administration tasks with Invoke-Command or Enter-PSSession.
    o To load a snap-in automatically every time, add Add-PSSnapin to your PowerShell profile, or save a console file with Export-Console and start PowerShell with -PSConsoleFile (http://technet.microsoft.com/en-us/library/dd347668.aspx).
o Netsh (NetShell) - Used to run network configuration commands, including against another computer with netsh -r <computer>, and is therefore useful inside login scripts.
o WinRM
    o winrm quickconfig is used to quickly set up the listener, service and firewall exception on a target computer for remote management.
o WinRS
    o Used to run command lines on remote machines over WinRM, e.g. winrs -r:<computer> <command>.
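The remote administration tools above used together: enable WinRM on a target, run commands in a PowerShell session, and run DiskPart remotely (the case the Disk section later describes). This is an added example and not from the study guide; the computer name, account and script path are placeholders.

```powershell
# Added example, not from the study guide. PC02 and CONTOSO\admin are placeholders.
$Target = 'PC02'
$Admin  = 'CONTOSO\admin'

# On the target, once, from an elevated prompt: WinRM listener, service start-up and firewall exception.
#   winrm quickconfig -q            (PowerShell equivalent: Set-WSManQuickConfig)
# In a workgroup the *client* must additionally trust the target by name, because there is no Kerberos:
#   winrm set winrm/config/client '@{TrustedHosts="PC02"}'

# 1. PowerShell remoting: one authenticated session, several commands, always cleaned up.
$cred    = Get-Credential $Admin
$session = New-PSSession -ComputerName $Target -Credential $cred
try {
    Invoke-Command -Session $session -ScriptBlock {
        Get-Service WinRM, AppIDSvc | Select-Object Name, Status
        Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
            Select-Object DeviceID, @{ n = 'FreeGB'; e = { [math]::Round($_.FreeSpace / 1GB, 1) } }
    }
    # 2. Remote DiskPart with no script file to copy: DiskPart reads its commands from stdin.
    Invoke-Command -Session $session -ScriptBlock { 'list disk', 'list volume' | diskpart.exe }
} finally {
    Remove-PSSession $session
}

# 3. winrs: a plain command line executed on the remote machine (prompts for the password).
winrs -r:$Target -u:$Admin ipconfig /all
# DiskPart via winrs as the guide describes; the script file must already exist on the target.
winrs -r:$Target -u:$Admin diskpart /s C:\Scripts\list-disks.txt
```

Remove-PSSession in the finally block is not cosmetic: each open session holds a WinRM shell on the target, and the default per-user shell quota is small enough that leaked sessions eventually make the next New-PSSession fail.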

Firewall

Used to control access to a machine and which subnets can reach it (or from which it will respond).

o Outbound rules control which programs (e.g. an FTP client) or services (e.g. RPC) can access resources on other machines, including resources on the internet.
o Rules can be exported and imported from Windows Firewall with Advanced Security, which also lets you log successful connections.
o Set up Advanced Security rules to control specific protocols, ports or services.
o IPsec policy is controlled through Connection Security Rules.
o To record successful connections, open the firewall's Advanced Security properties and, per profile, set the logging options to log successful connections.
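The firewall tasks above as netsh advfirewall commands, which is how you script them or push them to another machine over winrs. This is an added example and not from the study guide; the management subnet, file server address, blocked program path and export path are placeholders.

```powershell
# Added example, not from the study guide. Run elevated. Values below are placeholders.
$MgmtSubnet = '192.168.10.0/24'
$FileServer = '192.168.10.20'

function Invoke-Netsh {
    & netsh.exe @args
    if ($LASTEXITCODE -ne 0) { throw "netsh $($args -join ' ') failed with exit code $LASTEXITCODE" }
}

# Inbound scope: Remote Desktop is only reachable from the management subnet, and only on the domain profile.
Invoke-Netsh advfirewall firewall add rule name=RDP-from-management dir=in action=allow `
    protocol=TCP localport=3389 remoteip=$MgmtSubnet profile=domain

# Outbound rule: stop one specific program from reaching anything off the machine.
Invoke-Netsh advfirewall firewall add rule name=Block-legacy-ftp dir=out action=block `
    program=C:\Tools\legacyftp.exe enable=yes

# Connection security rule (IPsec): require Kerberos-authenticated IPsec for traffic to the file server.
Invoke-Netsh advfirewall consec add rule name=IPsec-to-FS01 endpoint1=any endpoint2=$FileServer `
    action=requireinrequestout auth1=computerkerb

# Logging of successful and dropped connections for all profiles (default log: pfirewall.log).
Invoke-Netsh advfirewall set allprofiles logging allowedconnections enable
Invoke-Netsh advfirewall set allprofiles logging droppedconnections enable
Invoke-Netsh advfirewall set allprofiles logging maxfilesize 16384

# Export the whole policy; import it elsewhere with 'netsh advfirewall import <file>'.
Invoke-Netsh advfirewall export C:\Backup\firewall-policy.wfw
```

Rule names without spaces are deliberate: PowerShell re-quotes any native argument that contains a space, and netsh does not always parse a quoted name=value pair the way you expect, so the rule ends up with the wrong name or the command fails.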

Wireless

o You can export your settings by saving the wireless network properties (or with netsh wlan export profile).
o SSID broadcasts can be disabled; to attach to a network that does not broadcast, add the network manually from the Network and Sharing Center and tick "Connect even if the network is not broadcasting".
o With multiple wireless networks, preference for one of them is set by ordering the profiles in Manage Wireless Networks in the Network and Sharing Center (page 165).
o WPA2
    o WPA2-Enterprise does not require a pre-shared key; it authenticates users or computers through 802.1X against a RADIUS server (page 450).
o Modes
    o Ad hoc: allows two computers to join directly to each other quickly.
    o Infrastructure: attach to a wireless access point (WAP).

Resource Access

NTFS

o Permissions
    o Only available on NTFS formatted partitions.
    o Modify allows deletion of files (page 192).
    o Write allows adding files to a folder but NOT deleting existing files.
o Disk Quotas can be set on an NTFS volume to limit disk usage per user (page 116).

Share Permissions

o The default share permission is Everyone: Read.
o Share permissions are combined with NTFS permissions and the most restrictive result applies. So if the share permissions are open but the resource is still inaccessible, look at the NTFS permissions (page 205).
o Share permissions only apply when the resource is accessed through the share; they have no effect when it is accessed locally on the physical machine.
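The share-versus-NTFS rule above, set up from the command line so the interaction is visible: the share is deliberately opened to Full control while NTFS only grants Read & execute, and a probe from a client shows that the NTFS side wins. This is an added example and not from the study guide; the folder, share name and group are placeholders.

```powershell
# Added example, not from the study guide. Run elevated on the machine hosting the share.
$Path  = 'C:\Shares\Finance'
$Share = 'Finance'
$Group = 'CONTOSO\Finance'   # placeholder group

New-Item -ItemType Directory -Force -Path $Path | Out-Null

# NTFS: drop inherited entries, then grant explicitly. (OI)(CI) = inherit to files and subfolders;
# F = Full control, RX = Read & execute. Write (W) would allow adding files but not deleting them.
icacls $Path /inheritance:r
icacls $Path /grant 'BUILTIN\Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' "${Group}:(OI)(CI)RX"

# Share permission: Full control for the group over the network (the default would be Everyone: Read).
net share "$Share=$Path" /GRANT:$Group,FULL

# Read both back: the effective network access is the more restrictive of the two, so Read & execute.
icacls $Path
net share $Share

# From a client logged on as a member of the group: can a file be created through the share?
function Test-ShareWrite {
    param([Parameter(Mandatory=$true)][string]$UncPath)   # e.g. \\PC01\Finance
    $probe = Join-Path $UncPath "probe-$PID.txt"
    try {
        New-Item -ItemType File -Path $probe -ErrorAction Stop | Remove-Item -Force
        $true
    } catch [System.UnauthorizedAccessException] {
        $false    # share says Full, NTFS says RX: access denied
    }
}
```

The same Test-ShareWrite run on the server against C:\Shares\Finance directly returns the NTFS answer alone, which is the "share permissions do not apply locally" point the section makes.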

Caching

o To ensure that files are automatically cached when users open them from a share, set the share's Caching option to "All files and programs that users open from the share are automatically available offline" (http://technet.microsoft.com/en-us/library/cc755136.aspx).
o Cached files can be encrypted to protect the data; both settings (Offline Files and encrypting the offline cache) are configured on the client side (page 467).

Branch Caching (Page 427-431)

o On the clients make sure the BranchCache firewall rules are enabled: "BranchCache - Content Retrieval (Uses HTTP)" and, for distributed cache mode, "BranchCache - Peer Discovery (Uses WSD)".
o Without those firewall rules clients cannot discover each other or serve cached content, so caching silently does nothing.
o If experiencing performance problems or stale content, flush the local cache (netsh branchcache flush); the client then retrieves the content afresh rather than from the cached copy.

EFS

o Cipher
    o Command-line utility to manage encrypted files and EFS keys.
    o cipher <folder> displays the encryption state of the files in that folder (E = encrypted, U = unencrypted); cipher /c <file> shows who can decrypt a file and which recovery agents apply to it.
    o To back up your EFS certificate and private key: cipher /x
    o To create a new EFS key: cipher /k
    o cipher /r:<name> creates a new recovery agent certificate (.cer) and private key (.pfx); the certificate can then be added as a Data Recovery Agent in the local security policy (http://articles.techrepublic.com.com/5100-10878_11-5030732.html, http://technet.microsoft.com/en-us/library/cc938948.aspx).
o Set a Data Recovery Agent in Local Policy (Public Key Policies / Encrypting File System) so that encrypted files can still be decrypted if the user's key is lost.
o Password recovery in a workgroup
    o You can either create a Password Reset Disk beforehand or re-import an exported EFS certificate afterwards, because resetting a local user's password any other way destroys access to that user's EFS key.
o EFS key recovery
    o If machines are in a single domain they use the same domain recovery agent certificate, so you can export it (with its private key) from one machine and import it on another to recover EFS files there.
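The cipher.exe housekeeping from the EFS section as a script: encrypt a folder, see who can open a file, back up the user's certificate before anything goes wrong, and create a recovery agent. This is an added example and not from the study guide; the folder, the backup location and the check function are assumptions.

```powershell
# Added example, not from the study guide. Paths are placeholders; $Backup should be removable
# media or a share, never the encrypted disk itself.
$Secret = 'C:\Secret'
$Backup = 'E:\EFSBackup'

New-Item -ItemType Directory -Force -Path $Secret, $Backup | Out-Null
'payroll data' | Set-Content "$Secret\payroll.txt"

# Encrypt the folder and its contents (/s recurses); files created later inherit encryption.
cipher /e /s:$Secret

# E = encrypted, U = not encrypted. /c on a file lists the users and recovery agents that can decrypt it.
cipher $Secret
cipher /c "$Secret\payroll.txt"

# Back up this user's EFS certificate and private key to a .pfx (prompts for a password).
# Without it, an administrator resetting this user's password makes every encrypted file unreadable.
cipher /x "$Backup\efs-$env:USERNAME"

# Recovery agent: writes agent.cer (import via Local Security Policy > Public Key Policies >
# Encrypting File System > Add Data Recovery Agent) and agent.pfx (the private key; keep offline).
cipher /r:"$Backup\agent"

# After the agent is in policy, 'cipher /u' re-stamps existing encrypted files with the new agent;
# this confirms that a given file now carries one.
function Test-HasRecoveryAgent {
    param([Parameter(Mandatory=$true)][string]$File)
    $out = cipher /c $File
    ($out -join "`n") -match 'Recovery Certificates'
}
```

Run cipher /x before the first password problem, not after: the .pfx is the only way a workgroup user gets their files back once the profile's master key has been lost to a forced password reset.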

Printing

o Access is controlled through the printer's Security permissions.
o Users need the Print permission in order to print and to delete their own jobs, but not other users' jobs. If users have difficulty deleting their own print jobs, check that CREATOR OWNER still has the Manage Documents permission, the default that lets owners manage their own jobs.

Mobile Computing

NAP

o To configure a NAP client, first set the Network Access Protection Agent service to start automatically and start it, then enable the DHCP Quarantine Enforcement Client (napclcfg.msc).

Offline Files

o Transparent caching reduces bandwidth on slow links by serving repeat reads from the local cache; it only works while the machine is connected to the network and does not make files available offline (http://technet.microsoft.com/en-us/library/dd637828(WS.10).aspx).
o To check whether you are looking at the offline copy of a file, check its status in Explorer.
o Use Sync Center to verify whether an offline copy of a folder is available on your computer.

Remote Desktop

o Remote Assistance allows users to share their current desktop with an administrator.
o If connecting from a home PC through an RD Gateway, modify the Connect from anywhere settings on the Advanced tab of the Remote Desktop client.
o To use the drives, printers and clipboard of the machine you are sitting at inside the remote session, configure the Local devices and resources settings in the client.

Power management

o Run powercfg from a command prompt (e.g. powercfg -requests, powercfg -energy) to check why a machine may not be entering sleep or hibernation.

Remote access

o VPN
    o Use Network and Sharing Center to set up a new connection, choosing the connection type Connect to a workplace.
    o To use smart cards for authentication you must be using EAP (EAP-TLS).
    o If internet browsing fails once connected to a VPN, clear "Use default gateway on remote network" in the connection's IPv4 advanced settings so that only traffic for the corporate network goes through the tunnel.
    o Certificates
        If the connection fails because the root certificate is not trusted, import the root CA certificate into the computer's Trusted Root Certification Authorities store.
o SSTP
    o Secure Socket Tunneling Protocol carries PPP over HTTPS on TCP port 443, so it passes most firewalls and web proxies.
    o If you have certificate trust issues, import the certificate of the CA that issued the server's certificate into the computer's Trusted Root Certification Authorities store.

Direct Access (http://technet.microsoft.com/en-us/library/dd637827(WS.10).aspx)

o A computer certificate must be installed on the client to establish a connection; the client must also be domain-joined and running Ultimate or Enterprise.

BitLocker

o Used to protect data stored on local disks and removable media by encrypting the whole volume (BitLocker To Go for removable drives).
o If the OS volume is encrypted and the recovery key and recovery password are both lost, the data cannot be recovered; the disk has to be wiped and the OS re-installed. Back up the recovery information when BitLocker is enabled.
o Windows XP cannot write to a BitLocker To Go drive (the BitLocker To Go Reader gives read-only access), so to use such a drive fully on XP you first need to decrypt it from a Windows 7 machine.
o Only available in the Ultimate and Enterprise editions of Windows 7.
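Turning BitLocker on with manage-bde in an order that avoids the lost-key scenario described above: protectors and their backups exist before encryption starts. This is an added example and not from the study guide; the drive letters and the key backup share are placeholders.

```powershell
# Added example, not from the study guide. Run elevated. $KeyBackup must be off the disk being encrypted.
$Volume    = 'C:'
$KeyBackup = '\\fileserver\bitlocker-keys'

manage-bde -status $Volume       # TPM state, encryption status, existing protectors

# Add protectors first. The TPM unlocks the OS drive at boot; the numerical recovery password and the
# recovery key file are the fallbacks when the TPM changes, the disk moves, or boot files are altered.
manage-bde -protectors -add $Volume -TPM
manage-bde -protectors -add $Volume -RecoveryPassword
manage-bde -protectors -add $Volume -RecoveryKey $KeyBackup      # writes a .bek file into the share

# Record the protectors, including the 48-digit password, somewhere that is not this machine.
manage-bde -protectors -get $Volume |
    Tee-Object -FilePath "$KeyBackup\$env:COMPUTERNAME-protectors.txt"

# Only now encrypt. The volume stays in use while encryption runs in the background.
manage-bde -on $Volume

# Removable drive that an XP user must write to: decrypt it from Windows 7 before handing it over.
#   manage-bde -off E:
```

Without the -RecoveryPassword and -RecoveryKey protectors, a TPM-only volume has exactly one way to unlock; a firmware update or motherboard swap then produces the "re-install the OS" outcome the guide warns about.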

Maintenance

o Page file size can be set from System / Advanced system settings / Performance.
o To improve graphics performance modify the Visual Effects settings in Performance Options.
o When using ReadyBoost you can restrict how much space is used via the ReadyBoost tab of the USB drive's Properties.

Windows Update

o Whether a user may manually change the update settings is controlled via Local Group Policy.
o Windows Update records the updates that have been applied (View update history).
o To make a client check for updates immediately run wuauclt /detectnow (this also makes it appear in the WSUS console; add /reportnow to send its status straight away).
o Selecting "Allow all users to install updates on this computer" lets standard users install updates when they are notified that one is available.
o Updates for Office and other Microsoft products can be enabled by selecting "Give me updates for Microsoft products".
o You can remove an update via Programs and Features / View installed updates in Control Panel.
o The source each update was downloaded from is logged in %windir%\WindowsUpdate.log.

Credentials Manager

o Extra credentials can be stored to allow running as a different user or connecting to other machines without being prompted.
o Used to view and remove credentials that have been stored, including those saved by runas /savecred (page 373).

IIS

o To control access to an intranet website, modify the NTFS file permissions on the wwwroot folder and change the authentication method used by the site.

Certificate Manager

o Self-signed certificates need to be stored in Trusted Root Certification Authorities for the machine to trust them (see appendix).

Auditing

o Enable the local policy "Audit object access", then set auditing on the folder itself, to track folder usage.

UAC

o Prompts before an application runs with higher privilege; used to start applications elevated (Run as administrator), even when already logged on as an administrator.

Monitoring

o Reliability Monitor can be used to view which applications have been installed recently and which hardware has failed recently.
o Resource Monitor can be used to view network, CPU, disk or memory usage for individual processes.
o Event subscriptions forward events from source machines (which must have WinRM enabled) to a collector. A task attached to the forwarded event on the collector can then act on an application failure according to set criteria.
o wecutil is the utility that sets up Windows Event Collection on the collector. To quickly set it up run wecutil qc.
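A complete collector-initiated event subscription as described above: the collector is prepared with wecutil qc, the subscription is defined in XML and loaded with wecutil cs, and the forwarded events are read back. This is an added example and not from the study guide; the source computer names, subscription name and the choice of Application-log errors are assumptions.

```powershell
# Added example, not from the study guide. Run elevated on the collector. PC01/PC02 are placeholders.
$Sources = 'PC01', 'PC02'

# On each source (once): enable WinRM and let the collector's computer account read the logs.
#   winrm quickconfig -q
#   net localgroup "Event Log Readers" CONTOSO\COLLECTOR$ /add

# On the collector: configure and start the Windows Event Collector service.
wecutil qc /q

# One <EventSource> per source computer.
$sourceXml = ($Sources | ForEach-Object { "    <EventSource Enabled=`"true`"><Address>$_</Address></EventSource>" }) -join "`n"

$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>AppErrors</SubscriptionId>
  <SubscriptionType>CollectorInitiated</SubscriptionType>
  <Description>Application log critical and error events from workstations</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Path="Application"><Select>*[System[(Level=1 or Level=2)]]</Select></Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <CredentialsType>Default</CredentialsType>
  <EventSources>
$sourceXml
  </EventSources>
</Subscription>
"@

$xmlPath = "$env:TEMP\AppErrors.xml"
$subscription | Out-File -Encoding ascii $xmlPath
wecutil cs $xmlPath                # create the subscription
wecutil gr AppErrors               # runtime status: is each source Active, and the last error if not

# The events land in the collector's ForwardedEvents log; a task attached to them in Event Viewer
# (Attach Task To This Event) is what acts on failures.
function Get-ForwardedError {
    param([int]$Newest = 20)
    Get-WinEvent -LogName ForwardedEvents -MaxEvents $Newest |
        Select-Object TimeCreated, MachineName, Id, LevelDisplayName, Message
}
```

wecutil gr is the first thing to run when nothing arrives: it names the source whose WinRM listener is off or whose Event Log Readers membership is missing, which is far quicker than reading the collector's own operational log.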

    o Disk
    o If you have no free space left but still need to create a partition, you will first have to shrink one of the other partitions in order to create more free space
    o If there is no free space next to the volume you wish to extend, because another partition sits next to it, then you will need to back up that second volume, delete it, extend the volume you need to, then recreate (if wished) the second volume and restore the data
    o To configure disks remotely, if WinRM is enabled, you can run a command line utility such as Diskpart via WinRS


    o Mount points can extend a drive without enough space onto another physical disk
    o Dynamic Disks
        To set up RAID 0 and/or RAID 1 (not RAID 5) the disks must be dynamic and not basic disks
        Dynamic disks, if moved between machines, will be seen as foreign disks and will need to be imported before they can be used
        Mirrored disks preserve data in the case of a single disk failure, and more than one disk can be mirrored within a system


    Backup & Recovery

    Backup
    o To back up to a local disk, make sure that it is connected properly (including removable disks)
    o Disks need to be partitioned and formatted before they can be used for backup
    o Multiple systems can be saved to an external HDD for safe keeping and to reduce local disk usage
    o You can change the backup routine to include new disks by changing the setting in Backup and Restore
    o Automatic backup can be set to run via Task Scheduler in such a way that the task will not run if the machine is running on battery

    o System Protection
    o Snapshots
        To remove unwanted snapshots, run Disk Cleanup for System Restore and Shadow Copies
    o Previous Versions
        System Protection must be turned on before this feature is available. It can be turned on by configuring the System Protection settings in System Properties
        To view the space taken up by previous versions, check the System Protection settings in System Properties
    o Make sure you have sufficient space to perform a backup; if not, add an external HDD or some other medium

    o Restore
    o The System Restore points feature can be used to restore a file to a previous version once a system restore point has been created
    o It can also be used to restore a folder
    o If you have a system image and need to restore a single file, then attach the VHD from Disk Management
    o To reduce the space taken up by system restore points, run Disk Cleanup

    o Recovery
    o Repair discs are created on CD/DVD, therefore you will need the appropriate hardware to create them
    o If system images have been created and now need to be used, boot from the Windows 7 installation medium and choose System Image Recovery
    o Windows RE: boot via a WinRE disc and restore the system image quickly, as long as you have created a system image via Backup
    o If an application is failing to uninstall, then as long as you have been saving system images a quick method of recovery is to restore a system restore point
    o Driver recovery
        For bad video drivers, boot into Safe Mode and try Roll Back Driver
        In order to roll back a driver you will need to be an Administrator (or run the command as Administrator)
    o Advanced Start-up options
        Last Known Good Configuration
        If a faulty or corrupted service stops the system from booting (and no user has logged on), then use the Last Known Good option
        The Repair Your Computer option can tell you if your RAM is causing a problem by running Memory Diagnostics


    Appendix

    Certificates

    In cryptography and computer security, a self-signed certificate is an identity certificate that is signed by its own creator. That is, the person that created the certificate also signed off on its legitimacy.

    In typical public key infrastructure (PKI) arrangements, that a particular public key certificate is valid (i.e., contains correct information) is attested by a digital signature from a certificate authority (CA). Users, or their software on their behalf, check that the private key used to sign some certificate matches the public key in the CA's certificate. Since CA certificates are often signed by other, "higher ranking," CAs, there must necessarily be a highest CA, which provides the ultimate in attestation authority in that particular PKI scheme. Obviously, the highest-ranking CA's certificate can't be attested by some other higher CA (there being none), and so that certificate can only be "self-signed." Such certificates are also termed root certificates. Clearly, the lack of mistakes or corruption in the issuance of such certificates is critical to the operation of its associated PKI; they should be, and generally are, issued with great care.

    In a web of trust certificate scheme there is no central CA, and so identity certificates for each user can be self-signed. In this case, however, a certificate has additional signatures from other users which are evaluated to determine whether it should be accepted as correct. So, if users Bob, Carol, and Edward have signed Alice's certificate, user David may decide to trust that the public key in the certificate is Alice's (all these worthies having agreed by their signatures on that claim). But, if only user Bob has signed, David might (based on his knowledge of Bob) decide to take additional steps in evaluating Alice's certificate. On the other hand, Edward's signature alone on the certificate may by itself be enough for David to trust that he has Alice's public key (Edward being known to David to be a reliably careful and trustworthy person). There is of course a potentially difficult regression here, as how can David know that Bob, Carol, or Edward have signed any certificate at all unless he knows their public keys (which of course came to him in some sort of certificate)? In the case of a small group of users who know one another in advance and can meet in person (e.g., a family), users can sign one another's certificates when they meet as a group, but this solution does not scale to larger settings.

    This problem is solved by fiat in X.509 PKI schemes, as one believes (i.e., trusts) the root certificate by definition. The problem of trusting certificates is real in both approaches, but less easily lost track of by users in a web of trust scheme.

    Certificate stores in Certificate Manager (Display by: Logical store or Purpose), with the folder name and the contents of each:

    Display by: Logical store

    Personal
        Certificates associated with private keys to which you have access. These are the certificates that have been issued to you or to the computer or service for which you are managing certificates.

    Trusted Root Certification Authorities
        Implicitly trusted certification authorities (CAs). Includes all of the certificates in the Third-Party Root Certification Authorities store plus root certificates from your organization and Microsoft. If you are an administrator and want to add non-Microsoft CA certificates to this store for all computers in an Active Directory domain, you can use Group Policy to distribute trusted root certificates to your organization.

    Enterprise Trust
        A container for certificate trust lists. A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted.

    Intermediate Certification Authorities
        Certificates issued to subordinate CAs. If you are an administrator, you can use Group Policy to distribute certificates to the Intermediate Certification Authorities store.

    Trusted People
        Certificates issued to people or end entities that are explicitly trusted. Most often these are self-signed certificates or certificates explicitly trusted in an application such as Microsoft Outlook. If you are a domain administrator, you can use Group Policy to distribute certificates to the Trusted People store.

    Other People
        Certificates issued to people or end entities that are implicitly trusted. These certificates must be part of a trusted certification hierarchy. Most often these are cached certificates for services such as Encrypting File System (EFS), where certificates are used for creating authorization for decrypting an encrypted file.

    Trusted Publishers
        Certificates from CAs that are trusted by software restriction policies. If you are a domain administrator, you can use Group Policy to distribute certificates to the Trusted Publishers store.

    Disallowed Certificates
        These are certificates that you have explicitly decided not to trust, either by using software restriction policies or by choosing not to trust a certificate when the decision is presented to you in e-mail or a Web browser. If you are a domain administrator, you can use Group Policy to distribute certificates to the Disallowed Certificates store.

    Third-Party Root Certification Authorities
        Trusted root certificates from CAs other than Microsoft and your organization. You cannot use Group Policy to distribute certificates to the Third-Party Root Certification Authorities store.

    Certificate Enrolment Requests
        Pending or rejected certificate requests.

    Active Directory User Object
        Certificates associated with your user object and published in AD DS.

    Display by: Purpose

    Server Authentication
        Certificates that server programs use to authenticate themselves to client computers.

    Client Authentication
        Certificates that client programs use to authenticate themselves to servers.

    Code Signing
        Certificates associated with key pairs used to sign active content.

    Secure E-mail
        Certificates associated with key pairs used to sign e-mail messages.

    Encrypting File System
        Certificates associated with key pairs that encrypt and decrypt the symmetric key used for encrypting and decrypting data by EFS.

    File Recovery
        Certificates associated with key pairs that encrypt and decrypt the symmetric key used for recovering encrypted data by EFS.
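    As an added example (not from the study guide), the following PowerShell audits the Trusted Root stores described above and checks whether a certificate actually chains to a trusted root, which is the check that fails until a self-signed certificate has been placed in Trusted Root Certification Authorities. The thumbprint passed to Test-CertChain is a placeholder; Get-SelfSignedRoots and Test-CertChain are names chosen here.

```powershell
# Added example (not from the study guide): audit which self-signed root
# certificates each root store trusts and verify a certificate's chain.
# Works in Windows PowerShell 2.0 on Windows 7; run as the user being audited.

function Get-SelfSignedRoots {
    param([string]$StorePath)
    Get-ChildItem $StorePath |
        Where-Object { $_.Subject -eq $_.Issuer } |   # self-signed: issued by itself
        Select-Object Thumbprint, Subject, NotAfter
}

$machineRoots = @(Get-SelfSignedRoots 'Cert:\LocalMachine\Root')
$userRoots    = @(Get-SelfSignedRoots 'Cert:\CurrentUser\Root')

# Machine roots are what setup or Group Policy distributes; a root present
# only for this user was trusted by a local action and deserves a second look.
$machineThumbs = $machineRoots | ForEach-Object { $_.Thumbprint }
$userOnly = $userRoots | Where-Object { $machineThumbs -notcontains $_.Thumbprint }

"Trusted roots in LocalMachine\Root: $($machineRoots.Count)"
"Trusted roots in CurrentUser\Root : $($userRoots.Count)"
if ($userOnly) {
    "Roots trusted only by this user (review each):"
    $userOnly | Format-Table Thumbprint, Subject, NotAfter -AutoSize
} else {
    "No user-only trusted roots found."
}

# Build the chain for a certificate in the Personal store under the current
# trust settings. A self-signed certificate reports UntrustedRoot until its
# copy has been placed in a Trusted Root Certification Authorities store.
function Test-CertChain {
    param([string]$Thumbprint)   # placeholder value supplied by the caller
    $cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { return "Certificate $Thumbprint not found in Personal store" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust check only, no CRL lookup
    $ok = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    if ($ok) { "Chains to trusted root: $root" } else { "Chain not trusted: $status" }
}
Test-CertChain -Thumbprint '<THUMBPRINT>'   # placeholder: thumbprint of the cert to check
```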


    EFS Password Recovery

    Recovering Access to Encrypted EFS Data

    If you have encrypted some of your files by using the Encrypting File System (EFS), you have additional options to recover access to those encrypted files. The following provisions apply only to EFS-encrypted files, and will not recover access to saved credentials or certificates.

    If you have previously exported the user's EFS private key from the user's account, you may import the key back into the account and recover access to the encrypted files.

    If you did not export the private key and you have defined a Data Recovery Agent (DRA) prior to encrypting the files, you may regain access to EFS files as the Data Recovery Agent. For additional information about how to recover data in this case, see the following article in the Microsoft Knowledge Base: 255742 (http://support.microsoft.com/kb/255742/EN-US/) Methods for Recovering Encrypted Data Files

    If you do not have the required items or information specified for the preceding recovery solutions, the data is permanently encrypted, and cannot be recovered.

    If your computer is not a member of a Windows 2000-based domain (it is a stand-alone server or a member of a Microsoft Windows NT 4.0-based domain), your local, built-in Administrator account may be the designated Recovery Agent for any users of your computer. To be able to recover encrypted information on a computer in this case, you must have backed up the Recovery Agent's private key before the loss of the key. For more information about using EFS and backing up and restoring the Recovery Agent's private key, see the following articles in the Microsoft Knowledge Base:
    223316 (http://support.microsoft.com/kb/223316/EN-US/) Best Practices for Encrypting File System
    241201 (http://support.microsoft.com/kb/241201/EN-US/) HOW TO: Back Up Your Encrypting File System Private Key in Windows 2000
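    As an added example (not from the Knowledge Base text or the study guide), the following commands carry out the first recovery option above on Windows 7: exporting the user's EFS certificate and private key before anything goes wrong, and importing them back into a rebuilt profile. The paths, the backup file name and the <user> folder are placeholders.

```powershell
# Added example (not from the study guide): back up the current user's EFS
# certificate and private key so encrypted files remain recoverable, then
# restore it. Run as the user who encrypted the files; paths are placeholders.

# 1. Show which certificate thumbprint each encrypted file depends on, so the
#    backup below can later be matched to the files it protects.
cipher /c C:\Users\<user>\Documents\*

# 2. Confirm the certificate EFS uses is in the Personal store: its Enhanced
#    Key Usage must include Encrypting File System (OID 1.3.6.1.4.1.311.10.3.4).
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.4.1.311.10.3.4' }
    } |
    Select-Object Thumbprint, Subject, NotAfter

# 3. Export the EFS certificate and private key to a password-protected PFX.
#    cipher prompts for the password and writes EFS-key-backup.pfx; keep the
#    file somewhere other than the disk that holds the encrypted data.
cipher /x:C:\Backup\EFS-key-backup

# 4. On a rebuilt profile (or after the key was lost), import the PFX back
#    into the user's Personal store; certutil prompts for the PFX password.
#    Once the key is back, the files listed in step 1 open again.
certutil -user -importpfx C:\Backup\EFS-key-backup.pfx
```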
