Author: Suzan Voga-Duffee

Monitor and troubleshoot deployment – Deploy and upgrade operating systems

Monitor and troubleshoot deployment

If you experience problems with deployment by using MDT, review the configuration settings for your deployment share. If you’re confident that everything is properly configured, then you can consider reviewing MDT logs. Each MDT script automatically generates logs.

Depending on the type of deployment you’re performing, after deployment, the log files are moved to either:

  • %WINDIR%\SMSOSD
  • %WINDIR%\TEMP\SMSOSD

For LTI deployments, the logs are moved to:

  • %WINDIR%\TEMP\DeploymentLogs

Table 1-15 describes the available MDT logs.

TABLE 1-15 MDT logs

  • BDD.log: Copied to a network location at the end of the deployment. You must specify the SLShare property in the Customsettings.ini file in order to create this log.
  • LiteTouch.log: Created during LTI deployments and stored in the %WINDIR%\TEMP\DeploymentLogs folder.
  • Scriptname*.log: Created by each MDT script. The log name is the same as the script name.
  • SMSTS.log: Created by the Task Sequencer. Describes all Task Sequencer transactions. Stored in %TEMP%, %WINDIR%\System32\ccm\logs, C:\_SMSTaskSequence, or C:\SMSTSLog, depending on your specific deployment scenario.
  • Wizard.log: Created and updated by the deployment wizards.
  • WPEinit.log: Created during the Windows PE initialization process. This log is useful for troubleshooting errors encountered when starting Windows PE.
  • DeploymentWorkbench_id.log: Created in the %temp% folder when you specify the /debug switch when starting the Deployment Workbench.

Exam Tip

The MDT log file format is designed to be read by CMTrace.

When you investigate the logs, you’ll want to identify any errors. There are numerous error codes with specific meanings. For example, error codes 5201, 5203, and 5205 all mean that a connection to the deployment share could not be made, and deployment cannot proceed.
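An added example, not code from the book: a PowerShell scan of the log folders listed above that pulls out warning and error entries from the CMTrace-format logs and flags the deployment-share connection errors named in this paragraph. The sample log it writes to %TEMP% is constructed so the script can be tried without a real deployment.

```powershell
# Added example, not from the book: scan MDT log folders for error and warning entries and
# flag the deployment-share connection failures (5201, 5203, 5205).
# Every MDT script writes CMTrace-format lines:
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" thread="..." file="...">
# where type 1 = informational, 2 = warning, 3 = error.

$LogFolders = @(
    "$env:WINDIR\TEMP\DeploymentLogs",   # LTI deployments
    "$env:WINDIR\SMSOSD",
    "$env:WINDIR\TEMP\SMSOSD"
)
$ShareConnectionCodes = '5201', '5203', '5205'

function Get-MdtLogEntry {
    param([Parameter(Mandatory)] [string] $Path)
    $pattern = '^<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)".*?\btype="(?<type>\d)"'
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -notmatch $pattern) { continue }   # skip continuation lines of multi-line messages
        $sev = switch ($Matches.type) { '3' { 'Error' } '2' { 'Warning' } default { 'Info' } }
        [pscustomobject]@{
            File      = Split-Path -Leaf $Path
            Date      = $Matches.date
            Time      = $Matches.time
            Component = $Matches.comp
            Severity  = $sev
            Message   = $Matches.msg
        }
    }
}

function Find-MdtDeploymentError {
    param([string[]] $Folder = $LogFolders)
    $codePattern = "\b($($ShareConnectionCodes -join '|'))\b"
    Get-ChildItem -Path $Folder -Filter *.log -File -ErrorAction SilentlyContinue |
        ForEach-Object { Get-MdtLogEntry -Path $_.FullName } |
        Where-Object { $_.Severity -ne 'Info' } |
        ForEach-Object {
            $hint = ''
            if ($_.Message -match $codePattern) {
                $hint = "error $($Matches[1]): a connection to the deployment share could not be made"
            }
            $_ | Add-Member -NotePropertyName Hint -NotePropertyValue $hint -PassThru
        }
}

# Constructed sample log so the functions can be tried without an MDT deployment.
$sample = Join-Path $env:TEMP 'LiteTouch-sample.log'
@'
<![LOG[Validating connection to \\MDT01\DeploymentShare$]LOG]!><time="10:15:02.000+000" date="03-01-2021" component="LiteTouch" context="" type="1" thread="1" file="LiteTouch.wsf">
<![LOG[FAILURE ( 5201 ): Could not connect to the deployment share.]LOG]!><time="10:15:09.000+000" date="03-01-2021" component="LiteTouch" context="" type="3" thread="1" file="LiteTouch.wsf">
'@ | Set-Content -LiteralPath $sample

Get-MdtLogEntry -Path $sample | Format-Table Severity, Component, Message
Find-MdtDeploymentError -Folder $env:TEMP | Format-Table Time, Severity, Message, Hint
```

On a real client, call Find-MdtDeploymentError with no arguments so it reads the three standard folders.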

Need More Review? Error Codes and Their Descriptions

To review further details about error codes with MDT, refer to the Microsoft website at https://docs.microsoft.com/troubleshoot/mem/configmgr/troubleshooting-reference#table-1-error-codes-and-their-description.

Need More Review? Troubleshooting Reference for MDT

To review further details about troubleshooting MDT, refer to the Microsoft website at https://docs.microsoft.com/troubleshoot/mem/configmgr/troubleshooting-reference.

Skill 1.4: Manage accounts, VPN connections, and certificates on Windows 10

Microsoft is developing modern authentication methods that rely less on the user’s ability to recall a password and place more reliance on technological advancements, such as multifactor authentication (MFA), device-based authentication, and authentication that supports biometric attributes. These all help secure privileged accounts in your environment. You must understand how Windows 10 offers support for modern authentication methods and how Azure Active Directory provides a secure identity and authentication platform for your modern environment.

When users connect to your workplace across the internet, it’s important that they can authenticate themselves and their devices to help ensure data privacy and security. Knowing how to implement and configure virtual private networks (VPNs) can help you achieve this crucial goal.

An increasingly common way in which devices can authenticate is the use of digital certificates. Managing aspects of a public key infrastructure (PKI), notably the management of certificates, plays a critical role in helping secure your infrastructure.

This skill covers how to:

Secure privileged accounts on Windows 10

Authentication is the primary means through which you can secure privileged and standard user accounts. Windows 10 provides many security features that can help you secure authentication. And when considering cloud-based authentication to services such as Microsoft 365, Azure AD enables you to manage your cloud-based identities and access-management requirements.

Windows 10 security features

Many of the advancements relating to security derive from new technology becoming widely available on desktop devices, laptops, and smartphones. Windows 10 supports a variety of modern technologies that can be used by administrators to protect users’ identities and resources, including:

  • Trusted Platform Module (TPM)
  • Unified Extensible Firmware Interface (UEFI)
  • Virtualization-based security
  • Windows Biometric Framework
  • Virtual smart cards
  • MFA

Some of the security features built into Windows 10 that you should have an awareness of include:

  • BitLocker A TPM Version 1.2 or higher works with BitLocker to store encryption keys. BitLocker helps protect against data theft and offline tampering by providing for whole-drive encryption. Requirements for BitLocker include:
    • A device installed with either Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education.
    • Optionally, a TPM. Using a TPM with BitLocker enables Windows to verify startup component integrity.

Note TPM Requirement

You don’t require a TPM in your computer to use BitLocker, but it does increase the security of the encryption keys. It’s also used to support other important security features in Windows 10.

  • Device Health Attestation (DHA) With the increase in use of users’ personally owned devices to access corporate resources, such as email, it is important to ensure that Windows 10 devices connecting to your organization meet the security and compliance requirements of your organization. Device Health Attestation uses Measured Boot data to help perform this verification. To implement DHA, your Windows 10 devices must have TPM Version 2.0 or higher.
  • Secure Boot When Secure Boot is enabled, you can only start the operating system by using an operating system loader that is signed using a digital certificate stored in the UEFI Secure Boot signature database. This helps prevent malicious code from loading during the Windows 10 start process.

Note Secure Boot

Secure Boot is enabled by default in Windows 10.

  • MFA This is a process that provides for user authentication based on using at least two factors, such as:
    • Something the user knows, such as a password
    • Something the user is, such as a biometric attribute (facial recognition, iris detection, or a fingerprint)
    • Something the user has, such as a device, like a cellphone, running the Microsoft Authenticator app
  • Windows Biometric Framework Provides support for biometric devices, such as a fingerprint reader, a smartphone, or an illuminated infrared camera using Windows Hello. Organizations can implement secure, passwordless sign-in for Azure AD and Microsoft accounts using a security key or Windows Hello when using standards-based FIDO2-compatible devices.
  • Virtual Secure Mode This feature moves some sensitive elements of the operating system to trustlets that run in a Hyper-V container that parts of the Windows 10 operating system cannot access. This helps make the operating system more secure. Currently, this is only available in Windows 10 Enterprise edition.
  • Virtual Smart Card This feature offers comparable security benefits in two-factor authentication to the protection provided by physical smart cards. Virtual smart cards require a compatible TPM (Version 1.2 or later).
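An added example, not from the book: a read-only PowerShell check of the prerequisites this list names (edition, TPM version, Secure Boot, virtualization-based security, BitLocker state), reporting which of the features a given Windows 10 device can support. It assumes an elevated session; the thresholds (TPM 1.2 for BitLocker and virtual smart cards, TPM 2.0 for DHA) are the ones stated above.

```powershell
# Added example, not from the book: report readiness for the Windows 10 security features
# listed in this section. Reads firmware, TPM, BitLocker and Device Guard state; changes nothing.
# Run from an elevated PowerShell session.

function Get-SecurityFeatureReadiness {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # TPM: SpecVersion reads like "2.0, 0, 1.38"; the first field is the TPM specification version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = $null
    if ($tpm) { $tpmVersion = [version](($tpm.SpecVersion -split ',')[0].Trim()) }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS firmware, which also means "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # Virtualization-based security (Virtual Secure Mode): 0 = disabled, 1 = enabled but not running, 2 = running.
    $vbs = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # BitLocker on the OS drive; the cmdlet exists only on editions that ship BitLocker.
    $osDrive = $null
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $osDrive = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    }

    $tpm12 = ($null -ne $tpmVersion) -and ($tpmVersion -ge [version]'1.2')
    $tpm20 = ($null -ne $tpmVersion) -and ($tpmVersion -ge [version]'2.0')

    [pscustomobject]@{
        Edition                      = $os.Caption
        BitLockerEditionSupported    = [bool]($os.Caption -match 'Pro|Enterprise|Education')
        TpmPresent                   = [bool]$tpm
        TpmSpecVersion               = $tpmVersion
        BitLockerTpmKeyProtector     = $tpm12    # TPM 1.2 or later can hold the BitLocker keys
        BitLockerOsDriveProtected    = ($null -ne $osDrive) -and ($osDrive.ProtectionStatus -eq 'On')
        VirtualSmartCardSupported    = $tpm12    # also requires TPM 1.2 or later
        DeviceHealthAttestationReady = $tpm20    # DHA requires TPM 2.0 or later
        SecureBootEnabled            = $secureBoot
        VbsRunning                   = ($null -ne $vbs) -and ($vbs.VirtualizationBasedSecurityStatus -eq 2)
    }
}

Get-SecurityFeatureReadiness | Format-List
```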

Authentication methods

Now that organizations are moving toward Azure AD and cloud-based identity authentication, administrators can offer enhancements to their users, which both simplify the authentication process and offer increased security.

Traditional passwords can be forgotten, lost, stolen, and even compromised by hackers, malware, and social engineering. One policy that is quickly being adopted is to require that a user present a second authentication factor in addition to a password when they sign on.

Azure AD includes features, such as Azure Multifactor Authentication (Azure MFA) and Azure AD Self-Service Password Reset (SSPR), which allow administrators to protect their organizations and users with secure authentication methods.

Additional verification is needed before authentication is completed and may be obtained through the methods shown in Table 1-16.

TABLE 1-16 Authentication methods

  • Password: Azure MFA and SSPR
  • Security questions: SSPR only
  • Email address: SSPR only
  • Microsoft Authenticator app: Azure MFA and SSPR
  • Open Authentication (OATH) time-based, one-time password hardware token: Azure MFA and SSPR
  • SMS: Azure MFA and SSPR
  • Voice call: Azure MFA and SSPR
  • App passwords: Azure MFA

Microsoft Authenticator app

The Microsoft Authenticator app provides a quick and simple way to add additional levels of security to your Azure AD account.

Once a user has installed the Microsoft Authenticator app on their smartphone or tablet, the user can add multiple work or school Azure AD and Microsoft accounts. Each time the user accesses secured resources, they must access the Microsoft Authenticator app and perform one of the following options, depending on service configuration:

  • Approve the request Users acknowledge the request by selecting Approve on their device.
  • Retrieve a verification code Users enter the verification code from the app into the resource access page and then authentication is approved.

Exam Tip

To configure whether users are prompted to enter a verification code, or must approve an authentication request, the administrator must enable Mobile app code and/or Mobile app notification.

Users can download and install the Microsoft Authenticator app from the application store for their smartphone platforms.

Azure AD Password Protection

Azure AD Password Protection offers a method to reduce the risk posed by your users choosing commonly used and compromised passwords for their access passwords. Using the password protection feature, administrators can populate a custom banned list of up to 1,000 passwords that users will be blocked from using. Also, you can choose to use the global banned password list.

Passwords that are deemed too common are stored in what is called the global banned password list. Cybercriminals also use similar strategies in their attacks. Therefore, Microsoft does not publish the contents of this list publicly. Administrators can use either a global banned password list or create a custom banned password list, which can contain lists of vulnerable passwords, such as the organization’s products, variants of their brand names, and company-specific terms. These can be blocked before they become a real threat.

The Azure AD Password Protection minimum licensing requirements are shown in Table 1-17.

TABLE 1-17 Azure AD Password Protection licensing

  • Cloud-only users: Azure AD Free with the global banned password list; Azure AD Basic with a custom banned password list.
  • User accounts synchronized from on-premises Windows Server Active Directory to Azure AD: Azure AD Premium P1 or P2, with either the global or a custom banned password list.

To configure Azure AD Password Protection for cloud-based accounts, perform the following procedure:

  1. Open the Azure Active Directory admin center (at https://aad.portal.azure.com) and sign in with a global administrator account.
  2. Navigate to the Security section and select Authentication methods.
  3. On the Authentication methods page, select Password protection.
  4. Under Custom banned passwords, select Yes for the Enforce custom list option.
  5. In the Custom banned password list displayed in Figure 1-15, enter a list of word strings. The words can have the following properties:
    • Each word should be on a separate line.
    • The list can contain up to 1,000 word strings.
    • Words are case insensitive.
    • Common character substitutions (such as “o” and “0” or “a” and “@”) are automatically considered.
    • The minimum string length is four characters, and the maximum string length is 16 characters.

Figure 1-15 Azure AD Password protection

  6. After you have added the word strings, select Save.

When users attempt to reset or update a password using a banned password, they see the following error message:

Choose A Password That’s More Difficult For People To Guess.
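An added example, not from the book: a PowerShell check of a custom banned password list against the limits given in the procedure above (up to 1,000 entries, 4 to 16 characters, case-insensitive), followed by a simplified demonstration of why the substitutions the text names ("0" for "o", "@" for "a") do not get a password past the list. The sample entries are constructed, and the normalization is an illustration of the stated rule, not Microsoft's matching algorithm.

```powershell
# Added example, not from the book: validate a custom banned password list before entering it in
# the portal, and show how substitution-normalized matching catches "C0nt0s0" for "Contoso".
# Sample entries are constructed; the normalization is illustrative, not Microsoft's algorithm.

$CustomBannedList = @('Contoso', 'ContosoCloud', 'TailspinToys', 'Widgets', 'Fab', 'contoso')

function Test-CustomBannedList {
    param([string[]] $Terms)
    $problems = @()
    if ($Terms.Count -gt 1000) {
        $problems += "List has $($Terms.Count) entries; the maximum is 1,000."
    }
    foreach ($t in $Terms) {
        if ($t.Length -lt 4 -or $t.Length -gt 16) {
            $problems += "'$t' is $($t.Length) characters; entries must be 4 to 16 characters."
        }
    }
    # Matching is case-insensitive, so 'Contoso' and 'contoso' are the same entry.
    $dupes = $Terms | Group-Object { $_.ToLowerInvariant() } | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupes) {
        $problems += "'$($d.Name)' appears $($d.Count) times; the entries differ only in case."
    }
    return $problems
}

# Fold the common substitutions the book names back to letters and lower-case the result.
function ConvertTo-NormalizedPassword {
    param([string] $Text)
    $chars = $Text.ToLowerInvariant().ToCharArray() | ForEach-Object {
        switch ($_) { '0' { 'o' } '@' { 'a' } default { $_ } }
    }
    return -join $chars
}

# Returns the banned term the password contains after normalization, or $null if it is clean.
function Test-PasswordAgainstBannedList {
    param([string] $Password, [string[]] $Terms)
    $normalized = ConvertTo-NormalizedPassword $Password
    foreach ($t in $Terms) {
        if ($normalized.Contains((ConvertTo-NormalizedPassword $t))) { return $t }
    }
    return $null
}

Test-CustomBannedList -Terms $CustomBannedList
# Flags 'Fab' (3 characters) and the Contoso/contoso duplicate.

Test-PasswordAgainstBannedList -Password 'C0nt0s0-2021!' -Terms $CustomBannedList
# Returns 'Contoso': after normalization the password contains "contoso".
```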

Azure AD Password Protection is also available for hybrid scenarios. To extend the banned password lists to your on-premises users, you need to install two components—one on your domain controllers and another on a member server, as follows:

  • Azure AD Password Protection Proxy service Installed on a member server. Forwards password policy requests between your domain controllers and Azure AD.
  • Azure AD Password Protection DC Agent & DLL Installed on your domain controllers. Receives user password validation requests, and processes them against the local domain password policy.

When users and administrators change, set, or reset passwords on-premises, they will be forced to comply with the same password policy as cloud-only users.

Note Azure AD Password Protection for Windows Server Active Directory

You can download the components required to configure Azure AD Password Protection for on-premises scenarios together with the full installation documentation at https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad.

Self-Service Password Reset

If you have ever worked in an IT service desk support function, you know that password-related issues are in the top three of all help desk calls. By implementing self-service password reset, you provide your users with the ability to reset their passwords, with no administrator intervention, whenever they need to.

Self-service password reset includes the following functionality:

  • Password change Users know their password and want to change it to something new.
  • Password reset A user can’t sign in and wants to reset the password.
  • Account unlock A user can’t sign in because the account is locked out. If the user provides the password or passes one or more approved authentication methods, the account is unlocked.

Once configured, a user can select the Can’t Access Your Account link on a cloud-based resource access page, or the user can visit the Password Reset Portal at https://aka.ms/sspr to reset the password.

Note Azure AD Self-Service Password Reset

You can review how Azure AD Self-Service Password Reset works in detail and how to implement a Password Reset Portal by viewing this Microsoft website: https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-howitworks.

Understand MFA

Traditional computer authentication is based on users providing a name and password. This allows an authentication authority to validate the exchange and grant access. Although password-based authentication is acceptable in many circumstances, Windows 10 provides for several additional, more secure methods for users to authenticate their devices, including multifactor authentication (also referred to as two-factor authentication).

MFA is based on the principle that users who want to authenticate must have two (or more) things with which to identify themselves. Specifically, they must have knowledge of something, they must be in possession of something, or they must be something. For example, a user might know a password, possess a security token (in the form of a digital certificate), and be able to prove who they are with biometrics, such as fingerprints.

Explore Biometrics

Biometrics, like a fingerprint, provides a more secure (and often more convenient) method—for both the user and administrator—to be identified and verified. Windows 10 includes native support for biometrics through the Windows Biometric Framework (WBF), and when used as part of a multifactor authentication plan, biometrics is increasingly replacing passwords in modern workplaces.

Biometric information is obtained from the individual and stored as a biometric sample, which is then securely saved in a template and mapped to a specific user. To capture a person’s fingerprint, you use a fingerprint reader (you “enroll” the user when configuring this). Also, you can use a person’s face, retina, or even the user’s voice. The Windows Biometric service can be extended to also include behavioral traits, such as the gait of a user while walking or the user’s typing rhythm.

Windows includes several Group Policy settings related to biometrics, as shown in Figure 1-16, that you can use to allow or block the use of biometrics from your devices. You can find Group Policy Objects here: Computer Configuration > Administrative Templates > Windows Components > Biometrics.

Figure 1-16 Biometrics Group Policy settings

Azure MFA

Azure MFA provides organizations with a highly scalable two-step verification solution, which can be used to safeguard access to data and applications and provide users with a simple sign-in process.

There are several methods you can use to enable Azure MFA:

  • Enabled by conditional access policy Conditional access policy is available for Azure MFA in the cloud if you have Azure AD Premium licensing; it requires Azure AD Premium P1 or P2.
  • Enabled by Azure AD Identity Protection This method uses an Azure AD Identity Protection risk policy to enforce two-step verification for sign in to all cloud applications. It requires Azure AD P2 licensing.
  • Enabled by changing user state This is the traditional method for requiring two-step verification. An administrator can configure Azure MFA so that users must perform two-step verification every time they sign in, and it overrides conditional access policies.

When enabling Azure MFA, users are required to configure their preferred authentication methods using the registration portal at https://aka.ms/mfasetup, as shown in Figure 1-17.

Figure 1-17 Configuring additional settings for security verification

Configure Azure MFA

To enable Azure MFA for a single cloud-based Azure AD user, you must first configure the MFA service settings by using the following procedure. You then assign MFA to users by creating a conditional access policy, as described in the next section.

  1. Open the Azure Active Directory admin center (at https://aad.portal.azure.com) and sign in with a global administrator account.
  2. On the Overview blade, under Manage, select Users.
  3. On the menu bar, select Multi-Factor Authentication. A new browser window opens.
  4. On the multi-factor authentication page, select the service settings tab.
  5. Under verification options, select all the boxes for Methods available to users (Call to phone, Text message to phone, Notification through mobile app, Verification code from mobile app or hardware token).
  6. Select Save.

Create a Conditional Access Policy for MFA

Once MFA settings have been configured, you need to assign them to users by creating a conditional access policy:

  1. In the Azure Active Directory admin center, under favorites, select Azure Active Directory.
  2. Select Security, and then select Conditional Access.
  3. Select New policy.
  4. On the Conditional Access Policy blade, provide a name for your policy.
  5. Under Assignments, select 0 users and groups selected.
  6. Choose between including and excluding specific users, groups, directory roles, and all guest and external users. For example, select Directory roles; then, in the drop-down list, select Global administrator.

Note Don’t Lock Yourself Out

Creating restrictive policies in conditional access for the global administrator account requires caution. Ensure you don’t configure settings that result in you locking yourself out.

  7. Under Cloud apps or actions, select the No cloud apps, actions, or authentication contexts selected link, and then choose the cloud apps or actions you want to protect with MFA. For example, select Microsoft Intune.
  8. Under Conditions, select the 0 conditions selected link, and configure the required settings. For example, select High and Medium Sign-in risk.
  9. Under Access controls, select the 0 controls selected link, ensure the Grant access radio button is selected, and select the check box for Require multi-factor authentication, as displayed in Figure 1-18.

Figure 1-18 Creating a conditional access policy to require MFA

  10. Click Select.
  11. Under Enable policy, toggle the setting to On.
  12. Select Create.
  13. The policy is validated, and it appears in the Conditional Access Policies blade as Enabled.

After you have enabled Azure MFA, you can test it to ensure that the conditional access policy works. Test logging in to a resource, such as the Microsoft Endpoint Manager admin center, with a user who has MFA enabled, and verify that the user is required to provide additional authentication to access the resources.
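An added example, not from the book: the same policy the procedure above builds in the portal (Global administrators, Microsoft Intune, High and Medium sign-in risk, require MFA), created with the Microsoft Graph PowerShell SDK instead. It assumes the Microsoft.Graph module is installed and the signed-in account can manage conditional access; the break-glass account ID is a placeholder, and the policy is created in report-only state so its effect can be reviewed in the sign-in logs before it is switched to enabled.

```powershell
# Added example, not from the book: create the conditional access policy from the procedure
# above with Microsoft Graph PowerShell. Assumes the Microsoft.Graph module is installed.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of an emergency-access account. Excluding it is how you avoid locking
# yourself out of the tenant (see the note "Don't Lock Yourself Out" above).
$BreakGlassUserId = '<object-id-of-emergency-access-account>'

$policy = @{
    displayName = 'Require MFA for Global administrators accessing Intune'
    # Report-only first: sign-in logs show what the policy would do without enforcing it.
    # Change to 'enabled' once the results look right.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        clientAppTypes = @('all')
        users = @{
            includeRoles = @('62e90394-69f5-4237-9190-012177145e10')   # Global Administrator role template ID
            excludeUsers = @($BreakGlassUserId)
        }
        applications = @{
            includeApplications = @('0000000a-0000-0000-c000-000000000000')   # Microsoft Intune
        }
        signInRiskLevels = @('high', 'medium')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back from the directory to confirm what was stored.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State,
        @{ n = 'Roles'; e = { $_.Conditions.Users.IncludeRoles } },
        @{ n = 'Apps';  e = { $_.Conditions.Applications.IncludeApplications } },
        @{ n = 'Risk';  e = { $_.Conditions.SignInRiskLevels } }
```

The test step in the paragraph above still applies: sign in to the Microsoft Endpoint Manager admin center with a user who holds the role, then check the sign-in log entry for the policy's result before changing state to enabled.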

Note Azure MFA For Administrators

Microsoft offers basic Azure MFA features to Office 365 and Azure AD administrators for no extra cost. All other users require Azure AD Premium licensing.

Configure Microsoft accounts

In addition to traditional local accounts and domain user accounts, Windows 10 supports several modern methods of signing in to a device. The sign-in methods employed by an organization provide a strong first-line defense against identity theft, and you need to understand how to configure and manage sign-in options within an environment. This section teaches you how to disable PIN or picture login, and you’ll learn how to configure Windows Hello for Business.

A Microsoft account provides you with an identity that you can use to securely sign in on multiple devices and access cloud services. Because the identity is the same on multiple devices, your personal settings can be synchronized between your Windows-based devices.

On a device for personal use, if Windows 10 detects an internet connection during the initial setup, you are prompted to specify your Microsoft account details. However, you can skip this step and create a local account instead. If the device is personally owned, but you want to use it for work or school, you can register your device on your work or school tenant after setup is complete.

Microsoft accounts are primarily for consumer use. Enterprise users can benefit by using their personal Microsoft accounts in the workplace, although there are no centralized methods provided by Microsoft to provision Microsoft accounts to users. After you connect your Microsoft account to Windows 10, you will have the following capabilities:

  • You can access and share photos, documents, and other files from sites such as OneDrive, Outlook.com, Facebook, and Flickr.
  • Integrated social media services providing contact information and status for your users’ friends and associates are automatically maintained from sites such as Outlook.com, Facebook, Twitter, and LinkedIn.
  • You can download and install Microsoft Store apps.
  • You benefit from app synchronization with Microsoft Store apps. After the user signs in, when an app is installed, any user-specific settings are automatically downloaded and applied.
  • You can sync your app settings between devices that are linked to your Microsoft account.
  • You can use single sign-in with credentials roaming across any devices running Windows 10, Windows 8.1, Windows 8, or Windows RT.

If Microsoft accounts are allowed in an enterprise environment, you should note that only the owner of the Microsoft account can change the password. A user can perform a password reset in the Microsoft account sign-in portal at https://account.microsoft.com.

You can sign up for a Microsoft account at https://signup.live.com. After you have created your Microsoft account, you can connect it to your device.