Advanced Windows 8


Brent Williams, PhD
brent@kennesaw.edu
www.iteachcenter.org

Get These Slides: www.iteachcenter.org

Objectives
• Continue From Windows 8 Intro
• Unique Features
• Group Policy
• Monitoring & Troubleshooting
• “Modern Apps”
• Share Your Ideas & Knowledge
• Questions
• Thoughts on Next Class

Windows Software Assurance (Volume Licensing)
• Must have to get Enterprise 8 / 8.1
• Provides Unique Utilities
• Latest Product Versions
• Support Calls to MS
• Deployment Planning
• Training

Windows InTune
• Cloud Based Management
• Security & Compliance Management
• Software and Patch Distribution
• Policy Management
• Windows, iOS, Android
• $6 per user per month

Intune vs. Software Assurance

Deployment Toolkit 2012
• MDT (MDT 2013 for 8.1)
  – Light Touch Install
  – Install on One Server or WS
  – Add Automated Installation Kit (free)
• MDT with System Center
  – Zero Touch Install
• Deployment Workbench is main tool
  – www.microsoft.com/mdt

Installing Windows 8 from Flash

• Need an ISO of Windows 8
  – Get www.isodisk.com
• Get & Install Flash Creation Tool
  – www.Sourceforge.net/projects/unetbootin/
  – http://pcsupport.about.com/od/windows-8/a/install-windows-8-usb.htm
• You will need a Win 8 Key to install!

Dual-Booting Windows 8
  – Install to a separate hard drive suggested
  – Install to a VHD
  – Can be separate partition
• Get EasyBCD to Edit Boot Menu
  – www.Neosmart.net/easybcd

“Windows To Go” USB Bootable

• Part of 8/8.1 Enterprise
• Fully Installed 8 Image on CERTIFIED USB 3 Flash
• Boot from Flash and Go!
• Basics
  – Build a PC with Windows 8
  – Sysprep & Generate Wim file (Dism)
  – Run Windows To Go on another PC
    • With Flash Key Installed

“Storage Spaces”
• A way to aggregate disk drives into one storage pool
• With redundancy if desired
• Configured with Control Panel

The Cloud
• Many Providers Competing
  – Skydrive
  – Dropbox
  – Google Drive
  – Many, many more
• May or may not have Metro Client
• Be Careful!
  – Do Files Fully Sync Locally?
  – If Not, How Long to Download?

SkyDrive
• Cloud Based Storage
  – 7GB Free, More Cheap
• Metro – assumes mobile device so does not cache local copy of all
• Metro SkyDrive Client can be “My Computer”
• Desktop – Download and install client. All can be cached locally if you choose.

WiFi

• Manually disconnect and that net is dropped from auto-reconnect

• Disconnect from one by connecting to another, it moves higher in list

Remove All Pre-Installed Modern Apps

– Short Sequence of PowerShell Commands

– http://www.thewindowsclub.com/erase-default-preinstalled-modern-apps-windows-8
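A sketch of the kind of PowerShell sequence this slide refers to, added here as an example and not taken from the slides or the linked article. The `$Keep` allow-list and the `-Apply` switch are hypothetical names; run it from an elevated prompt, and note that it only touches the image and the current user's profile.

```powershell
[CmdletBinding()]
param(
    # Hypothetical allow-list: package name patterns that must stay installed.
    [string[]]$Keep = @('Microsoft.WindowsStore*'),
    # Without -Apply the script only lists what it would remove.
    [switch]$Apply
)

function Test-Kept([string]$Name) {
    foreach ($pattern in $Keep) {
        if ($Name -like $pattern) { return $true }
    }
    return $false
}

# 1. Provisioned packages are staged in the OS image and get installed
#    into every NEW user profile at first logon.
$provisioned = Get-AppxProvisionedPackage -Online |
    Where-Object { -not (Test-Kept $_.DisplayName) }

# 2. Installed packages are already registered in the CURRENT user's profile.
#    Framework packages are shared dependencies and are left alone.
$installed = Get-AppxPackage |
    Where-Object { -not $_.IsFramework -and -not (Test-Kept $_.Name) }

foreach ($p in $provisioned) {
    Write-Output "provisioned: $($p.DisplayName)"
    if ($Apply) {
        Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName | Out-Null
    }
}

foreach ($p in $installed) {
    Write-Output "installed:   $($p.PackageFullName)"
    if ($Apply) {
        # Some built-in apps cannot be removed; report the error and keep going.
        Remove-AppxPackage -Package $p.PackageFullName -ErrorAction Continue
    }
}
```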

Add Restart / Shutdown Tile
• Desktop, Right Click, New, Shortcut
• In Location Type (pick one)
  – For Restart: Shutdown /r /t 0
  – For Shutdown: Shutdown /s /t 0
• Finish the dialog. Right-click, Properties, Change Icon.
• Right click and copy icon to
  – C:\users\{user}\appdata\local\microsoft\windows\application shortcuts

Domain Join
• Set DNS if necessary
• System Control Panel
• Change Settings
  – Enter domain name, etc.
• After Reboot
  – READ Login Screen
  – Administrator login must include domain
    • mydomain\administrator

RSAT
• Download: www.microsoft.com/downloads
  – Get the right version 8/8.1 32/64 bit
• Installs in about 10 minutes
• Auto-installs in Tile in Metro!
• Preferred way to manage domain
  – Group Policy
  – AD

Working Environment
• Login as Administrator
• Create OU Structure
• Create a User, Login with User
• Metro Store
  – Domain account must be linked to MS account
  – Install WeatherChannel
• Create dummy MS account and Outlook Email

Working Environment 2
• Metro Apps are in the User Profile, AppData, LOCAL, Packages
• Updates may be needed for each user that logs in
• Problems using Store? Updates pending install

File/Folder Sharing/Security
• Simple & Advanced Sharing
• No “Shared” icon
• Permission Unchanged
• “Edit” button added

Group Policies & Preferences

Group Policy Central Store

• Not Needed with Server 2012 (8) or 2012R2 (8.1)
• Create Central Store
  – At a Windows 8 (8.1) Workstation
    • Copy %WINDIR%\PolicyDefinitions to Sysvol folder
  – \sysvol\domain\Policies\...
• Manage Domain Policies
  – Gpmc.msc
  – Mmc
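One way to script the copy step above, added here as an example that is not part of the original slides. It assumes a domain-joined workstation, an account with write access to SYSVOL, and the standard `\\<domain>\SYSVOL\<domain>\Policies\PolicyDefinitions` location; files already in the Central Store are reported but never overwritten, so older local templates cannot replace newer ones.

```powershell
# Assumption: the logon domain's DNS name is also the SYSVOL share name.
$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw 'Log on with a domain account first.' }

$source  = Join-Path $env:WINDIR 'PolicyDefinitions'
$central = "\\$domain\SYSVOL\$domain\Policies\PolicyDefinitions"

if (-not (Test-Path $central)) {
    New-Item -ItemType Directory -Path $central | Out-Null
}

# Walk the local templates (.admx plus the language subfolders with .adml).
$report = foreach ($file in Get-ChildItem $source -Recurse -File) {
    $relative = $file.FullName.Substring($source.Length).TrimStart('\')
    $target   = Join-Path $central $relative

    if (-not (Test-Path $target)) {
        # Missing in the Central Store: create the folder if needed and copy.
        New-Item -ItemType Directory -Path (Split-Path $target) -Force | Out-Null
        Copy-Item $file.FullName $target
        New-Object psobject -Property @{ File = $relative; Action = 'copied' }
    }
    elseif ((Get-Item $target).Length -ne $file.Length) {
        # Present but different: leave it for an administrator to review.
        New-Object psobject -Property @{ File = $relative; Action = 'differs, left alone' }
    }
}

$report | Sort-Object Action, File | Format-Table File, Action -AutoSize
```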

Group Policy
• Use a Windows 8 PC to Edit Group Policy
  – So you have the latest GPMC
• NEW POLICIES
  – 169 New Policies
    • Get the Spreadsheet!
    • www.microsoft.com/downloads
    • Search for Group Policy
• Grouppolicy.biz

GP Example 1
  – Redirect Folders on Primary Computer Only
  – Limit computers where redirection works for a user. Requires Server 2012 Schema
  – Need computer's distinguished name. Found in AD Users and Computers, Computer, right click properties
• The primary computer is the one directly assigned to a user - such as their laptop, or a desktop in their cubicle - and therefore unlikely to change frequently.

GP Example 2
• Turn off access to store
  – User or Machine
  – System\Internet Communication Management\Internet Communication settings

GP Example 3
• Allow all trusted apps to install
  – Must be on for side-loading apps
  – Machine
  – Windows Components\App Package Deployment

GP Example 4
• Prevent user from uninstalling applications from start
  – User
  – Start Menu and Taskbar
  – About 20 from the bottom of a very long list
• What’s the difference in ‘Start Menu’ and ‘Start’?

GP Example 5
• Turn off picture password
  – Machine
  – System\Logon

Other New Group Policy Examples

• Prevent user from uninstalling applications from

• Prevent changing lock screen image
• Turn off Windows Location Provider

Other New Group Policy Examples

• Do not sync
  – Do not sync app settings
  – Do not sync passwords
  – Do not sync personalize
  – Do not sync other Windows settings
  – Do not sync desktop personalization
  – Do not sync browser settings
  – Do not sync on metered connections
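To confirm on a client that the policies from these example slides actually applied, the following added example (not from the original slides) reads the registry values those policies write. The key and value names come from the stock ADMX templates rather than from the deck, so check them against the Group Policy settings spreadsheet mentioned earlier; HKCU entries reflect only the user running the script.

```powershell
$pol = 'Software\Policies\Microsoft\Windows'

# Policy name, hive, key, value name, and the data that means "Enabled".
$checks = @(
    @{ Policy = 'Turn off access to the Store';        Hive = 'HKLM'; Key = "$pol\Explorer";           Name = 'NoUseStoreOpenWith';             Set = 1 }
    @{ Policy = 'Allow all trusted apps to install';   Hive = 'HKLM'; Key = "$pol\Appx";               Name = 'AllowAllTrustedApps';            Set = 1 }
    @{ Policy = 'Prevent uninstalling apps from Start'; Hive = 'HKCU'; Key = "$pol\Explorer";          Name = 'NoUninstallFromStart';           Set = 1 }
    @{ Policy = 'Turn off picture password sign-in';   Hive = 'HKLM'; Key = "$pol\System";             Name = 'BlockDomainPicturePassword';     Set = 1 }
    @{ Policy = 'Prevent changing lock screen image';  Hive = 'HKLM'; Key = "$pol\Personalization";    Name = 'NoChangingLockScreen';           Set = 1 }
    @{ Policy = 'Turn off Windows Location Provider';  Hive = 'HKLM'; Key = "$pol\LocationAndSensors"; Name = 'DisableWindowsLocationProvider'; Set = 1 }
    @{ Policy = 'Do not sync';                         Hive = 'HKLM'; Key = "$pol\SettingSync";        Name = 'DisableSettingSync';             Set = 2 }
    @{ Policy = 'Do not sync passwords';               Hive = 'HKLM'; Key = "$pol\SettingSync";        Name = 'DisableCredentialsSettingSync';  Set = 2 }
)

$results = foreach ($c in $checks) {
    $path  = '{0}:\{1}' -f $c.Hive, $c.Key
    $entry = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue

    if (-not $entry) {
        $state = 'not configured'
    }
    elseif ($entry.($c.Name) -eq $c.Set) {
        $state = 'enabled'
    }
    else {
        $state = "other value: $($entry.($c.Name))"
    }

    New-Object psobject -Property @{ Policy = $c.Policy; Scope = $c.Hive; State = $state }
}

# "enabled" for "Allow all trusted apps to install" means side-loading is open
# on this machine; every other row is a restriction.
$results | Format-Table Policy, Scope, State -AutoSize
```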

Windows 8 Modern App Deployment

• Store Applications install
• c:\users\<userName>\AppData\Local directories
• THIS IS NOT PART OF A ROAMING PROFILE
• If it’s not from the store, it’s side-loading
• ISSUE: RUP and Delete Cached Copy
• http://support.microsoft.com/kb/2795607

Windows 8 Modern App Deployment with GP – P1

• User ONLY – not per machine.
• Login must tie to MS account for Store apps
• Use Configuration Manager 2012 SP1

– For in-house apps, you have two options for making Modern applications work. If you have an AD, you must make one group policy change. Change the “Allow all trusted apps to install” setting to enabled (Computer Configuration > Administrative Templates > Windows Components > App Package Deployment). This will allow you to load apps.

– Then use SCCM to side-load apps

More App Excitement
• Apps need to be installed on each device and logon session where they will be used
• Apps will need to be updated on each device and user that logs on
• Microsoft Accounts can be linked to a maximum of 5 devices.

Monitoring Windows 8
• Task Manager
  – Excellent Redesign
  – Manage Services HERE
• Performance Monitor
  – Control Panel
    • Performance and Tools
    • Advanced Tools
• Resource Monitor

Troubleshooting
• System Restore
  – System Control Panel
    • System Protection, System Restore
• Refresh Your PC
  – Reinstalls Windows – without disturbing apps or user profile
  – Deletes User Installed Apps!
• RESET Your PC
  – Reinstalls Windows – removes all apps and files

DART – Diagnostic and Recovery Tools

• Assessment and Deployment Kit Must be Installed

• Part of MS Desktop Optimization Pack (MDOP)

• DART 8.0 SP1 Is Current Version
• Essentially MS Ultimate Boot Disk

Troubleshooting Tools
• Falcon Four Ultimate Boot
• Ultimate Boot CD
• Recover My Files
• EasyBCD
• Microsoft Fix It
  – www.microsoft.com/fixit

Safe Mode?
• No F8 Menu in Windows 8
• Need Command Prompt (Win PE)
  – Set
    • bcdedit /set {default} safeboot minimal
  – Un-Do
    • bcdedit /deletevalue {default} safeboot
• MSConfig useful for normal boot
  – See Boot tab

Windows 8 / IE 10
• Spell checker
• HTML 5 support
• CSS3 support
• Pan and zoom on touch devices
• Different “Versions” Modern vs Desktop
• Modern allows pinning

Win 8 Return Start Button and Default to Desktop

– http://www.forbes.com/sites/jasonevangelho/2013/04/16/dont-wait-for-windows-8-1-get-its-two-best-features-right-now/

Windows 8.1
• Start Button (sort of)
• Direct to Desktop
• New & Improved Apps
• 3D Printer Support
• Improved Search

• See http://technet.microsoft.com/en-us/windows/dn140266.aspx

Group Policy Start Deployment in 8.1

• Use Simple PowerShell script to capture layout details to XML file.

• File can be used in Group Policy to push Start

• See http://gpyall.com/archives/control-the-windows-8-1-start-screen-layout-with-group-policy/

Wrap-Up. Whew!

• Questions?
• Email: brent@kennesaw.edu
• Comment Form
• www.iteachcenter.org
  – Evaluation at the top

Misc Notes

• Arrangement at
  – C:\users\{username}\appdata\local\microsoft\windows\appsfolder.itemdata-ms
  – Default is at: c:\users\default\appdata\local\microsoft\windows
    • Copy desired appsfolder.itemdata-ms here
• Start Screen Control – manage modern tiles
  – For Windows 8.1 See http://gpyall.com/archives/control-the-windows-8-1-start-screen-layout-with-group-policy/
  – For Windows 8 See http://blogs.technet.com/b/deploymentguys/archive/2012/10/26/start-screen-customization-with-mdt.aspx

– PowerShell cmdlet exports the start screen layout on a pre-configured PC as an XML file. This can then be delivered via a group policy to user PCs, ensuring a consistent tile layout. The resulting Start Screen Layout can be locked down, and tied to any sideloaded apps.

– Windows Store apps can be built into an image using standard deployment tools, or sideloaded via PowerShell and a sideloading key. With a common Start screen layout users will find tiles in consistent places, allowing them to quickly pick a new device; or start a new VDI session. Different users and groups can have different Start screen layouts, to go with different suites of tools, and you can also give some users customisation rights, while others are given a fixed layout that can’t be changed.

– Folder Sync with your server: If you don’t lock down devices appropriately, then as soon as a user connects their domain account to a Microsoft Account, they'll automatically be using the consumer SkyDrive service for storage. While a new Group Policy Object disables Windows 8.1's SkyDrive integration, you may want to take advantage of the new Work Folders synchronised storage to automatically sync users' files to your own servers.

– You need Server 2012 to get the most - Features like Branch Cache and DirectAccess depend on Windows Server 2012 (and on Windows Server 2012 R2 for the latest features), while others like the AppLocker application whitelist are controlled via Active Directory. With key features depending on Microsoft’s servers and services, Windows 8.1 Enterprise needs to be part of a Microsoft-centric network if you’re going to get the most from it.

– DirectAccess
– AppLocker
