Exam Ref 70-697 Configuring Windows Devices: Manage Identity

  • 11/19/2015
Contents
×
  1. Objective 1.1: Support Windows Store and cloud apps
  2. Objective 1.2: Support authentication and authorization
  3. Answers
Identity is an important concept in Windows, and the Manage Identity objective domain will test your understanding of how identities are managed in Windows to provide users with a consistent and secure environment. You’ll also need to know how to support Windows Store and Office 365 apps, install apps into images, and support authentication and permissions mechanisms in Windows.

Objectives in this chapter:

  • Objective 1.1: Support Windows Store and cloud apps
  • Objective 1.2: Support authentication and authorization

Objective 1.1: Support Windows Store and cloud apps

This objective covers supporting and installing apps from a variety of sources, including Windows Store, Microsoft Office 365, and Windows Intune. You’ll see how to use a Microsoft account to synchronize app and Windows settings across multiple devices. You’ll also see how to install apps into Windows Imaging Format (WIM) images, and manage the installation and availability of apps, including sideloading and deep linking.

Integrate Microsoft account and personalization settings

Using a Microsoft account with Windows 10 is the simplest and quickest way for users to maintain a consistent environment across multiple devices. Windows 10 can use a Microsoft account to save Personalization settings to the cloud and synchronize those settings across devices including PCs, laptops, tablets, and smartphones. In Windows 10, you can associate a Microsoft account with two separate account types:

  • Local account A local account is stored in the local Security Account Manager (SAM) database on a Windows 10 computer.
  • Domain account A domain account is stored in the Active Directory Domain Services (AD DS) database on a domain controller. Domain accounts can be used to authenticate a user on Windows computers joined to the domain.

A Microsoft account can provide settings synchronization across local and domain accounts. For example, a user might associate his Microsoft account with a local account on his home computer and a domain account at work. With this configuration, the user can have settings like Internet Explorer favorites or app configuration settings remain consistent regardless of which computer he is signed in to.

Associating a Microsoft account with a local or domain account

You can associate a Microsoft account with a local or domain account from the Your Account page in the Settings app.

FIGURE 1-1

FIGURE 1-1 The Your Account page in the Settings app

To associate a Microsoft account with a local Windows account, complete the following steps:

  1. From the Desktop, click the Start button, and then click Settings.
  2. In the Settings app, click Accounts.
  3. In the left pane of the Accounts page, click Your Account.
  4. In the Your Account page, click Sign In With A Microsoft Account Instead.
  5. Enter your Microsoft account user name and password, and then click Signin.
  6. You will be asked to verify your identity to be able to associate the account.
  7. After verification, click Switch To Start Using Your Microsoft Account to sign in to Windows.

To associate a Microsoft account with a domain account, complete the following steps:

  1. When logged in with a domain account, from the Desktop, click the Start button, and then click Settings.
  2. In the Settings app, click Accounts.
  3. On the Accounts page, click Your Account.
  4. In the Your Account box, click Sign In With A Microsoft Account.
  5. On the Connect To A Microsoft Account On This PC page, select the PC settings you want to sync with the domain, and then click Next. The options are:

    • Start Screen
    • App Data
    • Appearance
    • Language Preferences
    • Desktop Personalization
    • Ease Of Access
    • Apps
    • Other Windows Settings
    • Passwords
    • Web Browser
  6. Enter your Microsoft account user name and password, and then click Next.
  7. You will be asked to verify your identity to continue associating the account.
  8. After verification, click Connect to associate your Microsoft account with your domain account.

Configuring Microsoft account synchronization settings

Users can change which items they opt to synchronize by using a Microsoft account. Users can access the options in the Settings app from the Sync Your Settings section of the Accounts page (see Figure 1-2).

FIGURE 1-2

FIGURE 1-2 The Sync Your Settings section in the Settings app

Configuring Microsoft account settings by using Group Policy

Network administrators can incorporate Microsoft accounts into the workplace to help users transfer what they’ve configured with their domain accounts between computers by using a Microsoft account. Network administrators can also disable the ability to associate Microsoft accounts by setting limitations in Group Policy. This section looks at the Group Policy options for controlling the association of Microsoft accounts.

The Group Policy setting used to disable Microsoft account use is named Accounts: Block Microsoft Accounts, and the setting is found in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options (see Figure 1-3). You can choose from three different settings:

  • The policy is disabled If you disable or do not configure this policy, users will be able to use Microsoft accounts with Windows.
  • Users can’t add Microsoft accounts If you select this option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. This is the preferred option if you need to limit the use of Microsoft accounts in your enterprise.
  • Users can’t add or log on with Microsoft accounts If you select this option, existing Microsoft account users will not be able to log on to Windows. Selecting this option might make it impossible for an existing administrator on this computer to log on and manage the system.
FIGURE 1-3

FIGURE 1-3 The Accounts: Block Microsoft Accounts Properties dialog box in Local Group Policy Editor

Install and manage software

While you can install apps using conventional methods, such as choosing Add/Remove Programs in Control Panel, or removable media, you can also perform cloud-based software installation by using Windows Store or Microsoft Office 365.

Installing apps by using Microsoft Office 365

Microsoft Office 365 is Microsoft Office in the cloud, accessible via a user-based paid subscription. Because it’s cloud-based, users can access the Microsoft Office products that are licensed to them on up to five compatible devices.

Office 365 updates are applied automatically. There’s no need for software maintenance tasks, such as installing updates or upgrading versions, so enterprise administrators don’t need to worry about updating devices manually. However, they’re still in control of updates and can decide how and when these will be provided to users. Administrators can also decide where users’ data should be stored: on the on-premises data servers of a company, in private cloud-based storage, in the public cloud, or a combination of these.

Office 365 is software as a service (SaaS). With SaaS, the user is provided a software product that they can use and consume, on demand. An organization might choose a SaaS product like Office 365 to reduce maintenance and installation workloads, reduce licensing costs, or simplify the organization software portfolio. SaaS products like Office 365 also offer the benefit of access to apps and saved documents from any location or computer, provided an Internet connection is available.

Configuring Office 365

You can obtain a free trial subscription to Office 365 Business Premium by visiting the following link: https://portal.office.com/Signup/Signup.aspx?OfferId=467eab54-127b-42d3-b046-3844b860bebf&dl=O365_BUSINESS_PREMIUM&culture=en-US&country=US&ali=1&alo=1&lc=1033#0. After signing up, you can perform the initial configuration steps on the Office 365 Admin Center page, pictured in Figure 1-4.

FIGURE 1-4

FIGURE 1-4 The Office 365 Admin Center page

After signing up, you can access the Office 365 Admin Center at https://portal.microsoftonline.com/admin/default.aspx.

Installing Office from the Office 365 Portal

You can configure several settings that control the ability to install Office apps from Office 365 Admin Center. From the User Software page under Service Settings in Office 365 Admin Center, you can select the applications that you will enable users to install, one of the options being Office And Skype For Business. If this option is selected, users can install Office on their computers by completing the following steps:

  1. Open a web browser and navigate to https://portal.microsoftonline.
  2. Sign in with the appropriate user name and password.
  3. From the Office 365 portal page, click Install Now.
  4. Click Run to start the installation, click Yes to continue, and click Next to start the wizard.
  5. Select No Thanks to not send updates to Microsoft, and then click Accept.
  6. Click Next on the Meet OneDrive page.
  7. Click Next to accept defaults, select No Thanks, and then click All Done.
Deploying Office

You can also deploy Office in the enterprise using methods other than the self-service method explained above. The Office Deployment tool enables you to configure information about which language(s) to download, which architecture to use, where the software deployment network share is located, how updates are applied after Office is installed, and which version of the software to install. Deployment methods include Group Policy, startup scripts, or Microsoft System Center Configuration Manager.

Managing software by using Office 365

You can manage all aspects of the Office 365 environment from Office 365 Admin Center. The admin center contains configuration and management pages for all the different features that affect Office app installation:

  • Dashboard This page provides a view of overall service health, including Office-related components. It also contains shortcuts to administrative tasks, such as Reset User Passwords and Add New Users.
  • Users From this page, you can add, remove, and edit user accounts that are part of the Office 365 environment. You can also configure Active Directory synchronization and configure authentication methods and requirements.
  • Domains From this page, you can manage and add domains used by Office 365.
  • Service Settings There are several pages available under the Service Settings menu, including Updates, User Software, Passwords, Rights Management, and Mobile.
  • Tools This page includes several important configuration and readiness tools for Office, including:

    • Office 365 health, readiness, and connectivity checks
    • Office 365 Best Practices Analyzer
    • Microsoft Connectivity Analyzer
Important Office 365 Features

There are other important features of Office 365 that you need to consider in preparation for the exam. While these topics are not covered in great detail, they might appear as supporting information for a scenario or question on the exam.

  • Click-to-Run You can configure a click-to-run installation of Office that enables a streamed installation process, which gives almost instant access to Office desktop applications, rather than the traditional installation method that requires the user to wait for the entire installation process to complete before using any Office applications.
  • Windows PowerShell You can use Windows PowerShell to manage Office 365. You need to be familiar with the common Office 365 management cmdlets. You can find out more about Office 365 management using Windows PowerShell here: https://technet.microsoft.com/en-us/library/dn568031.aspx.

Installing apps by using the Windows Store

The Windows Store is the standard source for Windows 10 apps, and the most common method for installing those apps. The Windows Store is installed by default on all Windows 10 computers.

FIGURE 1-5

FIGURE 1-5 The Windows Store

There are several aspects of the Windows Store that you need to be aware of for the exam:

  • The Windows Store is the primary repository and source for apps that are created and made available to the public, as a free trial or paid app.
  • Users must have a Microsoft account associated with their local or domain account in order to download any apps from the Windows Store.
  • Windows Store apps designed for Windows 10 are universal apps. They will function on Windows 10 computers, tablets, and mobile phones or smart devices, as well as Xbox.
  • Windows Store apps are limited to 10 devices per Microsoft account. A user can install an app on up to 10 devices that are associated with his or her Microsoft account.
  • Apps designed for non-public use—that is, for a specific organization—can be submitted through the Windows Store and be made available only to members of the organization.

To install a Windows Store app, open the Windows Store while logged in to Windows with a Microsoft account. You can navigate the Windows Store by browsing the categories provided at the top of the window, or by using the Search toolbar, also at the top of the window. After you’ve located the app you want to install, click Install on the app page. The app installs in the background, and you are notified when the installation is complete. Installed apps are available from the Start menu, by clicking All Apps, or by typing the name of the app in the Search field. You can also pin apps to the Start menu or taskbar to make them easier to access.

Disabling access to the Windows Store

By default, the Windows Store is accessible to all users who have a Microsoft account associated with their local or domain account. Access to the Windows Store can be disabled by using Group Policy. You might disable access for a number of reasons, including controlling apps that are available on certain computers, such as kiosk or terminal computers, satisfying legal or compliance-related requirements, or ensuring that only approved applications of your organization are installed on Windows computers.

To disable access to the Windows Store, open either the Local Group Policy Editor, or Group Policy Management on a domain controller for domain policy. Within Group Policy, navigate to the following location: Computer Configuration\Administrative Templates\Windows Components\App Package Deployment. Change the setting for Allow All Trusted Apps To Install to Disabled.

Sideload apps into offline and online images

Organizations sometimes create their own apps. These apps have the same characteristics as the apps you find in the Windows Store (which aren’t desktop apps). As noted earlier, enterprise administrators can make these apps available publicly if they want to go through the Windows Store certification process, or they can make them available to their enterprise users through a process known as sideloading.

Enabling sideloading in Windows 10

By default, the sideloading option in Windows 10 is disabled. To enable sideloading, you need to use a Group Policy setting. To configure Group Policy so that computers can accept and install sideloaded apps that you created for your organization, navigate to Computer Configuration/ Administrative Templates/ Windows Components/ App Package Deployment. Double-click Allow All Trusted Apps To Install. When this setting is enabled, any line of business (LOB) Windows Store app, signed by a Certification Authority (CA) that the computer trusts, can be installed.

FIGURE 1-6

FIGURE 1-6 Group Policy setting Allow All Trusted Apps To Install

Sideloading an app

After sideloading is enabled in Group Policy, you can sideload the app using the AppX Windows PowerShell module and the associated cmdlets. To manually sideload an app for the currently logged in user, perform the following steps from a Windows PowerShell prompt:

  1. Type Import-module appx. Press Enter.
  2. Type Add-appxpackage “path and name of the app” to add the app. Press Enter. Table 1-1 shows the available AppX cmdlets. If you need to add app dependencies, the command should look more like this: Add-appxpackage C:\MyApp.appx DependencyPath C:\appplus.appx.

Table 1-1 Cmdlets in the AppX module for Windows PowerShell

Cmdlet

Description

Add-AppxPackage

To add a signed app package to a single user account

Get-AppxLastError

To review the last error reported in the app package installation logs

Get-AppxLog

To review the app package installation log

Get-AppxPackage

To view a list of the app packages installed for a user profile

Get-AppxPackageManifest

To read the manifest of an app package

Remove-AppxPackage

To remove an app package from a user account

The app installs, and then is available to the user. This needs to be done for each user if multiple users share a single computer.

The AppX module for Windows PowerShell includes several cmdlets that you can use to install and manage LOB Windows Store apps.

If you want to sideload the apps to multiple computers, use Deployment Image Servicing and Management (DISM) cmdlets. You can use DISM commands to manage app packages in a Windows image. When you use DISM to provision app packages, those packages are added to a Windows image, and are installed for the desired users when they next log on to their computers.

You need to be familiar with the DISM syntax when servicing a Windows image, whether a computer is offline or online. Table 1-2 lists a few cmdlets to keep in mind.

Table 1-2 Cmdlets in the AppX module for Windows PowerShell

Cmdlet

Description

DISM.exe {/Image:<path_to_image_directory> | /Online} [dism_global_options] {servicing_option} [<servicing_argument>]

To service a Windows image with DISM

DISM.exe /Image:<path_to_image_directory> [/Get-ProvisionedAppxPackages | /Add-ProvisionedAppxPackage | /Remove-ProvisionedAppxPackage | /Set-ProvisionedAppxDataFile]

To service an app package (.appx or .appxbundle) for an offline image

DISM.exe /Online [/Get-ProvisionedAppxPackages | /Add-ProvisionedAppxPackage | /Remove-ProvisionedAppxPackage | /Set-ProvisionedAppxDataFile

To service an app package (.appx or .appxbundle) for a running operating system

Other command-line service options include /Get-ProvisionedAppxPackages, /FolderPath, /PackagePath, /LicensePath, and /Add-ProvisionedAppxPackage. Becoming familiar with these is very important because you’ll likely be tested on them. You can learn about all available commands and options at http://technet.microsoft.com/en-US/library/hh824882.aspx. Review this article and make sure that you can make sense of commands you might come across, perhaps one that looks like:

Dism /Online /Add-ProvisionedAppxPackage /FolderPath:C:\Test\Apps\MyUnpackedApp /
SkipLicense

Or it looks like this:

Dism /Image:C:\test\offline /Add-ProvisionedAppxPackage /FolderPath:c:\Test\AppsMyUnpackedApp /CustomDataPath:c:\Test\Apps\CustomData.xml

Sideload apps by using Microsoft Intune

You can use Microsoft Intune to sideload apps via the cloud and make them available to any authorized, compatible device that’s connected to the Internet. The following list outlines the high-level steps that you need to complete to sideload an app using Microsoft Intune.

  1. Add users and create groups, if applicable.
  2. Upload the app to Microsoft Intune.
  3. Choose the users, groups, computers, and devices that can download the app, and link them (user-to-device).
  4. For the self-service model in this example, choose how to deploy the app. It can be available, or available and required.
  5. Verify that the app is available in the Windows Intune Company Store, and use the Company Store to install the app on devices.

Adding a user and groups

You can add users and groups to assist you in deploying your app to the appropriate audience. In Figure 1-7, you can see the Groups page, where new users and groups can be added to Intune. If you are adding users to a group, the group must be created before the user can be added to the group.

FIGURE 1-7

FIGURE 1-7 The Microsoft Intune Groups page

Uploading an app to Microsoft Intune

You can upload an app from the Apps page of Microsoft Intune, as shown in Figure 1-8.

FIGURE 1-8

FIGURE 1-8 Uploading to the Microsoft Intune Apps page

To upload an app, complete the following steps:

  1. On the Apps page, click Add Apps.
  2. In the software setup window, select Windows app package as the software installer file type.
  3. Click Browse, locate the .appx or .appxbundle file to upload, and then click Open.
  4. Fill out the description information for the app.
  5. Specify the architecture requirements.
  6. Specify any rules to deal with previously installed apps.
  7. Click Upload to upload the app to Microsoft Intune.

Once uploaded, the app will be available within the administration console to assign to users or groups (see Figure 1-9).

FIGURE 1-9

FIGURE 1-9 Available apps on the Apps page in the Microsoft Intune console

Choosing the users who can install the app

You can choose the users to whom the app is made available by selecting Manage Deployment on the Apps page, as shown in Figure 1-9. When you start the Manage Deployment Wizard, you will be prompted to choose one or more groups to which the app is assigned, as in Figure 1-10. You can choose to assign the apps to users or computers. You need to also choose the Deployment Action for the app, although there is only one option available for each group type. For computer groups, you need to choose Required Install, and for user groups, you need to choose Available Install. Once you’ve chosen your options, you can click Finish to complete the group assignment process.

FIGURE 1-10

FIGURE 1-10 Choosing deployment groups

Installing the app from the Company Store

To install the app, your users will navigate to the Company Store page, and select the app from the Company Store page.

Deep link apps using Microsoft Intune

You can make Windows Store apps available to Windows RT users in your company portal by using Windows Intune as well as Configuration Manager. This section focuses on Windows Intune. You’ll follow the same basic process as you did when deploying an app via the Installed Software option, but this time you choose External Link in the Add Software Wizard. Before you begin, decide which Windows Store app you want to deploy. For this example, choose OneDrive for Business.

The first part of the process requires you to obtain the link to the app you want to add to your company portal. To obtain the link for OneDrive for Business, follow these steps:

  1. From the Start menu, type Store, and then click Store.
  2. Search for Word Mobile, and then click it to access the installation page.
  3. On the Word Mobile page, click Share.
  4. In the Share area, click Mail.
  5. The email contains the link. Send this link to yourself, copy the link, and paste it into Notepad, or otherwise make the link accessible for later.

The second part of the deep-linking process involves adding the app to Windows Intune:

  1. Log on to the Microsoft Intune Administrator console.
  2. Click the Apps tab, and then click Add Apps.
  3. Wait for the Microsoft Intune Software Publisher to install, and then enter your Microsoft Intune credentials.
  4. In the Microsoft Intune Software Publisher window, click Next.
  5. On the Software setup page, select External link, and then type the link you copied in step 5 of the previous task into the URL field, and then click Next.
  6. Carefully input the information to describe the software. What you input can be viewed by your employees. Click Next when finished.
  7. Verify that the information is correct, and then click Upload.
  8. After the upload is complete, click Close.

Objective summary

  • You can integrate users’ Microsoft accounts into your organization to enable synchronization of settings between multiple devices.
  • You can manage apps by using Office 365, DISM, and Microsoft Intune.
  • You can configure Group Policy to manage apps, manage access to the Windows Store, and enable sideloading.
  • You can sideload apps to enable LOB apps without making them available through the Windows Store.

Objective review

Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.

  1. Where can you configure a Group Policy that restricts the use of Microsoft accounts for a specific group of users in an Active Directory domain?

    1. In the Group Policy Management Editor window, by expanding Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Local Policies/ Security Options
    2. In the Group Policy Management Editor window, by expanding Computer Configuration/ Policies/ Windows Settings/ Security Settings/ Local Policies/ User Rights Assignment
    3. In the Local Group Policy Editor, by navigating to Computer Configuration/ Windows Settings/ Security Settings/ Local Policies/ Security Options
    4. In the Local Group Policy Editor, by navigating to Computer Configuration/ Windows Settings/ Security Settings/ Local Policies/ User Rights Assignment
  2. Where can users associate a Microsoft account with a domain account?

    1. Users can’t do this. Only administrators can perform this task in Active Directory Users And Computers on a domain controller.
    2. In the Settings app, on the Accounts page
    3. In the Group Policy Management Editor by expanding Computer Configuration/ Policies/ Windows Settings/ Local Policies/ Security
    4. In the Settings app, on the Personalization page.
  3. Which of the following can you manage in the Office 365 Admin Center?

    1. Active Directory synchronization
    2. Valid, expired, and assigned licenses
    3. User password, including resetting
    4. All of the above
    5. B and C only
  4. Which of the following tools and technologies can help you sideload LOB apps for computers in your organization?

    1. DISM
    2. Windows PowerShell
    3. Configuration Manager
    4. Microsoft Intune
    5. All of the above
    6. Only C and D
  5. Which Group Policy setting do you have to enable before you can sideload apps in Windows 10?

    1. None
    2. Allow All Trusted Apps To Install
    3. Allow Development Of Windows Store Apps
    4. Block Microsoft Accounts
  6. True or false: You can create a required installation for an app in Microsoft Intune, which will automatically install on devices.

    1. True
    2. False
  7. Which of the following describes the purpose of deep linking an app?

    1. To make specific Windows Store apps available through the company portal
    2. To force the installation of apps on Windows 10 computers
    3. To add LOB apps to the Windows Store
    4. None of the Above