70-411 Exam Cram - Configure File and Print Services

Configure file and disk encryption

Configure BitLocker encryption

  • The BitLocker feature is named 'BitLocker'. To enable full disk encryption you must also install 'EnhancedStorage'. To manage BitLocker, you must install the management tools, which can be included with the '-IncludeManagementTools' parameter
  • To reset the lockout on a TPM, run tpm.msc and select Reset TPM Lockout from the action pane. You will need the password itself or the .tpm file it was saved in
  • To reset the password on a TPM, you can either use the TPM Management MMC snap-in or run Set-TPMOwnerAuth. Neither option results in data loss
  • Manage-Bde is not supported on Windows Server 2012 (it may work, but is deprecated)

Configure the Network Unlock feature

  • BitLocker Network Unlock requires DHCP, UEFI DHCP drivers on clients, Windows Deployment Services and at least Windows 8/Windows Server 2012. Windows Server 2012 R2 and Windows 8.1 are not required, but are supported
  • BitLocker Network Unlock requires various Group Policy settings. The 'Configure use of passwords for operating system drives' setting is not one of them and does not need to be configured

Configure BitLocker policies

  • To add the DRA to the Default Domain Policy: in versions of Windows prior to Windows Server 2003 the following policy setting was used: Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents. The correct policy setting for Windows Server 2012 R2 is Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System

Configure the EFS recovery agent

  • Log on as the Data Recovery Agent and export the certificate including the private key. You must do this as the account that is the Data Recovery Agent (DRA), which will be the built-in Administrator account or another specified account
  • EFS uses certificates to authenticate users; the certificates can be issued by a single computer or by a CA

Manage EFS and BitLocker certificates, including backup and restore

  • Always export EFS recovery certificates with the private key
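
The export described above can be scripted and checked. This is an added example, not from the original notes: it runs in the DRA account's own session, finds certificates carrying the File Recovery EKU, refuses any without a private key, and exports the rest to password-protected PFX files. The output folder and file naming are assumptions.

```powershell
# Added example: back up EFS recovery certificates together with their private keys.
# Run while logged on as the Data Recovery Agent account.
$OutDir = Join-Path $env:USERPROFILE 'efs-dra-backup'   # assumed destination folder
$FileRecoveryOid = '1.3.6.1.4.1.311.10.3.4.1'           # "File Recovery" EKU on DRA certificates

# Recovery certificates live in the DRA account's personal store
$candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $FileRecoveryOid
})
if ($candidates.Count -eq 0) {
    throw 'No certificate with the File Recovery EKU in Cert:\CurrentUser\My. Are you logged on as the DRA?'
}

# A recovery certificate without its private key cannot decrypt any files,
# so a backup of the public certificate alone is useless for recovery.
$usable = @($candidates | Where-Object { $_.HasPrivateKey })
foreach ($cert in $candidates | Where-Object { -not $_.HasPrivateKey }) {
    Write-Warning "Skipping $($cert.Thumbprint): private key is not present in this profile."
}
if ($usable.Count -eq 0) { throw 'No recovery certificate has a private key available.' }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$password = Read-Host -AsSecureString -Prompt 'Password to protect the PFX files'

foreach ($cert in $usable) {
    $path = Join-Path $OutDir ("dra-{0}.pfx" -f $cert.Thumbprint)
    try {
        # PFX (PKCS #12) is the format that carries the private key; a .cer export does not
        Export-PfxCertificate -Cert $cert -FilePath $path -Password $password -ErrorAction Stop | Out-Null
        Write-Output "Exported $($cert.Subject) to $path"
    }
    catch {
        # Typically raised when the key was created as non-exportable
        Write-Warning "Could not export $($cert.Thumbprint): $($_.Exception.Message)"
    }
}
```

Store the resulting PFX files offline and keep the password separate from them.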
