MCT USE ONLY. STUDENT USE PROHIBITED

OFFICIAL MICROSOFT LEARNING PRODUCT
20687C
Configuring Windows 8.1
Information in this document, including URL and other Internet Web site references, is subject to change
without notice. Unless otherwise noted, the example companies, organizations, products, domain names,
email addresses, logos, people, places, and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the
user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in
or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of
Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding
these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a
manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links
may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not
responsible for the contents of any linked site or any link contained in a linked site, or any changes or
updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the
inclusion of any link does not imply endorsement of Microsoft of the site or the products contained
therein.
© 2014 Microsoft Corporation. All rights reserved.
Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx
are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners.



Product Number: 20687C
Part Number: X19-17700
Released: 1/2014

MICROSOFT LICENSE TERMS
MICROSOFT INSTRUCTOR-LED COURSEWARE


These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its
affiliates) and you. Please read them. They apply to your use of the content accompanying this agreement which
includes the media on which you received it, if any. These license terms also apply to Trainer Content and any
updates and supplements for the Licensed Content unless other terms accompany those items. If so, those terms
apply.

BY ACCESSING, DOWNLOADING OR USING THE LICENSED CONTENT, YOU ACCEPT THESE TERMS.
IF YOU DO NOT ACCEPT THEM, DO NOT ACCESS, DOWNLOAD OR USE THE LICENSED CONTENT.

If you comply with these license terms, you have the rights below for each license you acquire.

1. DEFINITIONS.

a. "Authorized Learning Center" means a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, or such other entity as Microsoft may designate from time to time.

b. "Authorized Training Session" means the instructor-led training class using Microsoft Instructor-Led
Courseware conducted by a Trainer at or through an Authorized Learning Center.

c. "Classroom Device" means one (1) dedicated, secure computer that an Authorized Learning Center owns
or controls that is located at an Authorized Learning Center's training facilities that meets or exceeds the
hardware level specified for the particular Microsoft Instructor-Led Courseware.

d. "End User" means an individual who is (i) duly enrolled in and attending an Authorized Training Session
or Private Training Session, (ii) an employee of an MPN Member, or (iii) a Microsoft full-time employee.

e. "Licensed Content" means the content accompanying this agreement which may include the Microsoft
Instructor-Led Courseware or Trainer Content.

f. "Microsoft Certified Trainer" or "MCT" means an individual who is (i) engaged to teach a training session
to End Users on behalf of an Authorized Learning Center or MPN Member, and (ii) currently certified as a
Microsoft Certified Trainer under the Microsoft Certification Program.

g. "Microsoft Instructor-Led Courseware" means the Microsoft-branded instructor-led training course that
educates IT professionals and developers on Microsoft technologies. A Microsoft Instructor-Led
Courseware title may be branded as MOC, Microsoft Dynamics or Microsoft Business Group courseware.

h. "Microsoft IT Academy Program Member" means an active member of the Microsoft IT Academy
Program.

i. "Microsoft Learning Competency Member" means an active member of the Microsoft Partner Network
program in good standing that currently holds the Learning Competency status.

j. "MOC" means the Official Microsoft Learning Product instructor-led courseware known as Microsoft
Official Course that educates IT professionals and developers on Microsoft technologies.

k. "MPN Member" means an active Microsoft Partner Network program member in good standing.

l. "Personal Device" means one (1) personal computer, device, workstation or other digital electronic device
that you personally own or control that meets or exceeds the hardware level specified for the particular
Microsoft Instructor-Led Courseware.

m. "Private Training Session" means the instructor-led training classes provided by MPN Members for
corporate customers to teach a predefined learning objective using Microsoft Instructor-Led Courseware.
These classes are not advertised or promoted to the general public and class attendance is restricted to
individuals employed by or contracted by the corporate customer.

n. "Trainer" means (i) an academically accredited educator engaged by a Microsoft IT Academy Program
Member to teach an Authorized Training Session, and/or (ii) an MCT.

o. "Trainer Content" means the trainer version of the Microsoft Instructor-Led Courseware and additional
supplemental content designated solely for Trainers' use to teach a training session using the Microsoft
Instructor-Led Courseware. Trainer Content may include Microsoft PowerPoint presentations, trainer
preparation guide, train-the-trainer materials, Microsoft OneNote packs, classroom setup guide and Pre-
release course feedback form. To clarify, Trainer Content does not include any software, virtual hard
disks or virtual machines.

2. USE RIGHTS. The Licensed Content is licensed not sold. The Licensed Content is licensed on a one copy
per user basis, such that you must acquire a license for each individual that accesses or uses the Licensed
Content.

2.1 Below are five separate sets of use rights. Only one set of rights apply to you.

a. If you are a Microsoft IT Academy Program Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User who is enrolled in the Authorized Training Session, and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware being provided, or
2. provide one (1) End User with the unique redemption code and instructions on how they can
access one (1) digital version of the Microsoft Instructor-Led Courseware, or
3. provide one (1) Trainer with the unique redemption code and instructions on how they can
access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure each End User attending an Authorized Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized Training
Session,
v. you will ensure that each End User provided with the hard-copy version of the Microsoft Instructor-
Led Courseware will be presented with a copy of this agreement and each End User will agree that
their use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement
prior to providing them with the Microsoft Instructor-Led Courseware. Each individual will be required
to denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who have in-depth knowledge of and experience with the
Microsoft technology that is the subject of the Microsoft Instructor-Led Courseware being taught for
all your Authorized Training Sessions,
viii. you will only deliver a maximum of 15 hours of training per week for each Authorized Training
Session that uses a MOC title, and
ix. you acknowledge that Trainers that are not MCTs will not have access to all of the trainer resources
for the Microsoft Instructor-Led Courseware.

b. If you are a Microsoft Learning Competency Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Authorized Training Session and only immediately prior to the
commencement of the Authorized Training Session that is the subject matter of the Microsoft
Instructor-Led Courseware provided, or
2. provide one (1) End User attending the Authorized Training Session with the unique redemption
code and instructions on how they can access one (1) digital version of the Microsoft Instructor-
Led Courseware, or
3. you will provide one (1) Trainer with the unique redemption code and instructions on how they
can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending an Authorized Training Session has their own valid
licensed copy of the Microsoft Instructor-Led Courseware that is the subject of the Authorized
Training Session,
v. you will ensure that each End User provided with a hard-copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching an Authorized Training Session has their own valid
licensed copy of the Trainer Content that is the subject of the Authorized Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for your Authorized Training
Sessions,
viii. you will only use qualified MCTs who also hold the applicable Microsoft Certification credential that is
the subject of the MOC title being taught for all your Authorized Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

c. If you are a MPN Member:
i. Each license acquired on behalf of yourself may only be used to review one (1) copy of the Microsoft
Instructor-Led Courseware in the form provided to you. If the Microsoft Instructor-Led Courseware is
in digital format, you may install one (1) copy on up to three (3) Personal Devices. You may not
install the Microsoft Instructor-Led Courseware on a device you do not own or control.
ii. For each license you acquire on behalf of an End User or Trainer, you may either:
1. distribute one (1) hard copy version of the Microsoft Instructor-Led Courseware to one (1) End
User attending the Private Training Session, and only immediately prior to the commencement
of the Private Training Session that is the subject matter of the Microsoft Instructor-Led
Courseware being provided, or
2. provide one (1) End User who is attending the Private Training Session with the unique
redemption code and instructions on how they can access one (1) digital version of the
Microsoft Instructor-Led Courseware, or
3. you will provide one (1) Trainer who is teaching the Private Training Session with the unique
redemption code and instructions on how they can access one (1) Trainer Content,
provided you comply with the following:
iii. you will only provide access to the Licensed Content to those individuals who have acquired a valid
license to the Licensed Content,
iv. you will ensure that each End User attending a Private Training Session has their own valid licensed
copy of the Microsoft Instructor-Led Courseware that is the subject of the Private Training Session,
v. you will ensure that each End User provided with a hard copy version of the Microsoft Instructor-Led
Courseware will be presented with a copy of this agreement and each End User will agree that their
use of the Microsoft Instructor-Led Courseware will be subject to the terms in this agreement prior to
providing them with the Microsoft Instructor-Led Courseware. Each individual will be required to
denote their acceptance of this agreement in a manner that is enforceable under local law prior to
their accessing the Microsoft Instructor-Led Courseware,
vi. you will ensure that each Trainer teaching a Private Training Session has their own valid licensed
copy of the Trainer Content that is the subject of the Private Training Session,
vii. you will only use qualified Trainers who hold the applicable Microsoft Certification credential that is
the subject of the Microsoft Instructor-Led Courseware being taught for all your Private Training
Sessions,
viii. you will only use qualified MCTs who hold the applicable Microsoft Certification credential that is the
subject of the MOC title being taught for all your Private Training Sessions using MOC,
ix. you will only provide access to the Microsoft Instructor-Led Courseware to End Users, and
x. you will only provide access to the Trainer Content to Trainers.

d. If you are an End User:
For each license you acquire, you may use the Microsoft Instructor-Led Courseware solely for your
personal training use. If the Microsoft Instructor-Led Courseware is in digital format, you may access the
Microsoft Instructor-Led Courseware online using the unique redemption code provided to you by the
training provider and install and use one (1) copy of the Microsoft Instructor-Led Courseware on up to
three (3) Personal Devices. You may also print one (1) copy of the Microsoft Instructor-Led Courseware.
You may not install the Microsoft Instructor-Led Courseware on a device you do not own or control.

e. If you are a Trainer.
i. For each license you acquire, you may install and use one (1) copy of the Trainer Content in the
form provided to you on one (1) Personal Device solely to prepare and deliver an Authorized
Training Session or Private Training Session, and install one (1) additional copy on another Personal
Device as a backup copy, which may be used only to reinstall the Trainer Content. You may not
install or use a copy of the Trainer Content on a device you do not own or control. You may also
print one (1) copy of the Trainer Content solely to prepare for and deliver an Authorized Training
Session or Private Training Session.
ii. You may customize the written portions of the Trainer Content that are logically associated with
instruction of a training session in accordance with the most recent version of the MCT agreement.
If you elect to exercise the foregoing rights, you agree to comply with the following: (i)
customizations may only be used for teaching Authorized Training Sessions and Private Training
Sessions, and (ii) all customizations will comply with this agreement. For clarity, any use of
"customize" refers only to changing the order of slides and content, and/or not using all the slides or
content; it does not mean changing or modifying any slide or content.

2.2 Separation of Components. The Licensed Content is licensed as a single unit and you may not
separate its components and install them on different devices.

2.3 Redistribution of Licensed Content. Except as expressly provided in the use rights above, you may
not distribute any Licensed Content or any portion thereof (including any permitted modifications) to any
third parties without the express written permission of Microsoft.

2.4 Third Party Notices. The Licensed Content may include third party code content that Microsoft, not the
third party, licenses to you under this agreement. Notices, if any, for the third party code content are included
for your information only.

2.5 Additional Terms. Some Licensed Content may contain components with additional terms,
conditions, and licenses regarding its use. Any non-conflicting terms in those conditions and licenses also
apply to your use of that respective component and supplements the terms described in this agreement.

3. LICENSED CONTENT BASED ON PRE-RELEASE TECHNOLOGY. If the Licensed Content's subject
matter is based on a pre-release version of Microsoft technology ("Pre-release"), then in addition to the
other provisions in this agreement, these terms also apply:

a. Pre-Release Licensed Content. This Licensed Content subject matter is on the Pre-release version of
the Microsoft technology. The technology may not work the way a final version of the technology will
and we may change the technology for the final version. We also may not release a final version.
Licensed Content based on the final version of the technology may not contain the same information as
the Licensed Content based on the Pre-release version. Microsoft is under no obligation to provide you
with any further content, including any Licensed Content based on the final version of the technology.

b. Feedback. If you agree to give feedback about the Licensed Content to Microsoft, either directly or
through its third party designee, you give to Microsoft without charge, the right to use, share and
commercialize your feedback in any way and for any purpose. You also give to third parties, without
charge, any patent rights needed for their products, technologies and services to use or interface with
any specific parts of a Microsoft technology, Microsoft product, or service that includes the feedback.
You will not give feedback that is subject to a license that requires Microsoft to license its technology,
technologies, or products to third parties because we include your feedback in them. These rights
survive this agreement.

c. Pre-release Term. If you are a Microsoft IT Academy Program Member, Microsoft Learning
Competency Member, MPN Member or Trainer, you will cease using all copies of the Licensed Content on
the Pre-release technology upon (i) the date which Microsoft informs you is the end date for using the
Licensed Content on the Pre-release technology, or (ii) sixty (60) days after the commercial release of the
technology that is the subject of the Licensed Content, whichever is earlier ("Pre-release term").
Upon expiration or termination of the Pre-release term, you will irretrievably delete and destroy all copies
of the Licensed Content in your possession or under your control.

4. SCOPE OF LICENSE. The Licensed Content is licensed, not sold. This agreement only gives you some
rights to use the Licensed Content. Microsoft reserves all other rights. Unless applicable law gives you more
rights despite this limitation, you may use the Licensed Content only as expressly permitted in this
agreement. In doing so, you must comply with any technical limitations in the Licensed Content that only
allows you to use it in certain ways. Except as expressly permitted in this agreement, you may not:
access or allow any individual to access the Licensed Content if they have not acquired a valid license
for the Licensed Content,
alter, remove or obscure any copyright or other protective notices (including watermarks), branding
or identifications contained in the Licensed Content,
modify or create a derivative work of any Licensed Content,
publicly display, or make the Licensed Content available for others to access or use,
copy, print, install, sell, publish, transmit, lend, adapt, reuse, link to or post, make available or
distribute the Licensed Content to any third party,
work around any technical limitations in the Licensed Content, or
reverse engineer, decompile, remove or otherwise thwart any protections or disassemble the
Licensed Content except and only to the extent that applicable law expressly permits, despite this
limitation.

5. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to
you in this agreement. The Licensed Content is protected by copyright and other intellectual property laws
and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the
Licensed Content.

6. EXPORT RESTRICTIONS. The Licensed Content is subject to United States export laws and regulations.
You must comply with all domestic and international export laws and regulations that apply to the Licensed
Content. These laws include restrictions on destinations, end users and end use. For additional information,
see www.microsoft.com/exporting.

7. SUPPORT SERVICES. Because the Licensed Content is "as is", we may not provide support services for it.

8. TERMINATION. Without prejudice to any other rights, Microsoft may terminate this agreement if you fail
to comply with the terms and conditions of this agreement. Upon termination of this agreement for any
reason, you will immediately stop all use of and delete and destroy all copies of the Licensed Content in
your possession or under your control.

9. LINKS TO THIRD PARTY SITES. You may link to third party sites through the use of the Licensed
Content. The third party sites are not under the control of Microsoft, and Microsoft is not responsible for
the contents of any third party sites, any links contained in third party sites, or any changes or updates to
third party sites. Microsoft is not responsible for webcasting or any other form of transmission received
from any third party sites. Microsoft is providing these links to third party sites to you only as a
convenience, and the inclusion of any link does not imply an endorsement by Microsoft of the third party
site.

10. ENTIRE AGREEMENT. This agreement, and any additional terms for the Trainer Content, updates and
supplements are the entire agreement for the Licensed Content, updates and supplements.

11. APPLICABLE LAW.
a. United States. If you acquired the Licensed Content in the United States, Washington state law governs
the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws
principles. The laws of the state where you live govern all other claims, including claims under state
consumer protection laws, unfair competition laws, and in tort.

b. Outside the United States. If you acquired the Licensed Content in any other country, the laws of that
country apply.

12. LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. You may also have rights with respect to the party from whom you acquired the Licensed
Content. This agreement does not change your rights under the laws of your country if the laws of your
country do not permit it to do so.

13. DISCLAIMER OF WARRANTY. THE LICENSED CONTENT IS LICENSED "AS-IS" AND "AS
AVAILABLE." YOU BEAR THE RISK OF USING IT. MICROSOFT AND ITS RESPECTIVE
AFFILIATES GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. YOU MAY
HAVE ADDITIONAL CONSUMER RIGHTS UNDER YOUR LOCAL LAWS WHICH THIS AGREEMENT
CANNOT CHANGE. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAWS, MICROSOFT AND
ITS RESPECTIVE AFFILIATES EXCLUDES ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

14. LIMITATION ON AND EXCLUSION OF REMEDIES AND DAMAGES. YOU CAN RECOVER FROM
MICROSOFT, ITS RESPECTIVE AFFILIATES AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP
TO US$5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL,
LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.

This limitation applies to
o anything related to the Licensed Content, services, content (including code) on third party Internet
sites or third-party programs; and
o claims for breach of contract, breach of warranty, guarantee or condition, strict liability, negligence,
or other tort to the extent permitted by applicable law.

It also applies even if Microsoft knew or should have known about the possibility of the damages. The
above limitation or exclusion may not apply to you because your country may not allow the exclusion or
limitation of incidental, consequential or other damages.

Please note: As this Licensed Content is distributed in Quebec, Canada, some of the clauses in this
agreement are also provided in French. Those clauses read as follows:

DISCLAIMER OF WARRANTY. The Licensed Content is offered "as is". Any use of this Licensed Content is
at your sole risk. Microsoft gives no other express warranty. You may have additional rights under local
consumer protection law that this agreement cannot change. Where permitted by local law, the implied
warranties of merchantability, fitness for a particular purpose and non-infringement are excluded.

LIMITATION ON AND EXCLUSION OF LIABILITY FOR DAMAGES. You can recover from Microsoft and its
suppliers compensation for direct damages only, up to US$5.00. You cannot claim compensation for any
other damages, including special, indirect or incidental damages and lost profits.
This limitation applies to:
o anything related to the Licensed Content, services or content (including code) on third-party
Internet sites or in third-party programs; and
o claims for breach of contract or warranty, or for strict liability, negligence or other fault, to the
extent permitted by applicable law.

It also applies even if Microsoft knew or should have known of the possibility of such damage. If your
country does not allow the exclusion or limitation of liability for indirect, incidental or other damages,
the above limitation or exclusion may not apply to you.

LEGAL EFFECT. This agreement describes certain legal rights. You may have other rights under the laws
of your country. This agreement does not change the rights conferred on you by the laws of your country
if those laws do not permit it to do so.

Revised July 2013
Acknowledgments
Microsoft Learning wants to acknowledge and thank the following for their contribution toward
developing this title. Their effort at various stages in the development has ensured that you have a good
classroom experience.
Slavko Kukrika - Content Developer
Slavko Kukrika has been a Microsoft Certified Trainer (MCT) for more than 15 years. He holds many technical
certifications and is honored to be one of the Microsoft Most Valuable Professionals (MVPs). Slavko
specializes in the Windows operating system, Active Directory and virtualization. He has worked with Windows 8
since it was first publicly available and has helped several mid-size customers migrate to Windows 8.
Slavko regularly presents at technical conferences, and he is the author of several Microsoft Official Courses.
In his private life, Slavko is the proud father of two sons, and he tries to extend each day to at least 25
hours.
Jason Kellington - Content Developer
Jason Kellington is a Microsoft Certified Trainer (MCT), Microsoft Certified IT Professional (MCITP), and a
Microsoft Certified Solutions Expert (MCSE), as well as a consultant, trainer and author. He has experience
working with a wide range of Microsoft technologies, focusing on the design and deployment of
enterprise network infrastructures. Jason works in several capacities with Microsoft, as an SME for Microsoft
Learning courseware titles, a senior technical writer for Microsoft IT Showcase, and an author for Microsoft
Press.
Andrew Bettany - Subject Matter Expert
Andrew Bettany is a published author and MVP (Windows Expert-IT Pro), holds numerous Microsoft
certifications, and has been a Microsoft trainer since 2005. Based in York, England, he manages the
University of York IT Academy and often participates in worldwide conferences and events. Most recently
Andrew visited Haiti for the second time to deliver an intensive boot camp focusing on Windows
technologies to help the local community rebuild key IT skills following the earthquake in 2010.
Elias Mereb Technical Reviewer
Elias Mereb is a highly experienced infrastructure architect, consultant, trainer and international speaker.
He currently holds more than 30 Microsoft certifications including: MCP, MCSA: Security, MCTS, MCITP,
and MCT. He is also a six-time winner of Microsofts Most Valuable Professional (MVP) award in the
Windows Expert-IT Pro technical expertise and Charter Springboard Series Technical Experts Program
(STEP) Member. Elias has been invited several times to speak at TechEd North America, TechEd Europe &
Microsoft Management Summit (MMS). He has participated as a SME, trainer, Technical Writer and
Technical Reviewer in the design and development process of Microsoft's certification exams and courses,
recently including the Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows
Server 2012 R2, Windows 7, Windows 8 and Windows 8.1 exams and courses for Microsoft Learning.
Contents
Module 1: Windows 8.1 in an Enterprise Environment
Lesson 1: Managing Windows 8.1 in an Enterprise Environment 1-2
Lesson 2: Overview of Windows 8.1 1-7
Module 2: Installing and Deploying Windows 8.1
Lesson 1: Preparing to Install and Deploy Windows 8.1 2-2
Lesson 2: Installing Windows 8.1 2-12
Lab A: Installing Windows 8.1 2-24
Lesson 3: Customizing and Preparing a Windows 8.1 Image for
Deployment 2-27
Lab B: Customizing and Capturing a Windows 8.1 Image 2-39
Lesson 4: Volume Activation for Windows 8.1 2-44
Lab C: Deploying a Windows 8.1 Image 2-52
Module 3: Managing Profiles and User State in Windows 8.1
Lesson 1: Managing User Profiles 3-2
Lesson 2: Configuring User State Virtualization 3-8
Lab A: Configuring Profiles and User State Virtualization 3-21
Lesson 3: Migrating User State and Settings 3-27
Lab B: Migrating User State by Using USMT 3-34
Module 4: Tools Used for Configuring and Managing Windows 8.1
Lesson 1: Tools Used to Perform Local and Remote Management of
Windows 8.1 4-2
Lesson 2: Using Windows PowerShell to Configure and Manage
Windows 8.1 4-9
Lesson 3: Using Group Policy to Manage Windows 8.1 4-16
Lab: Using Management Tools to Configure Windows 8.1 Settings 4-22
Module 5: Managing Disks and Device Drivers
Lesson 1: Managing Disks, Partitions, and Volumes 5-2
Lesson 2: Maintaining Disks, Partitions, and Volumes 5-17
Lesson 3: Working with Virtual Hard Disks 5-24
Lab A: Managing Disks 5-29
Lesson 4: Installing and Configuring Device Drivers 5-34
Lab B: Configuring Device Drivers 5-47
Module 6: Configuring Network Connectivity
Lesson 1: Configuring IPv4 Network Connectivity 6-2
Lesson 2: Configuring IPv6 Network Connectivity 6-9
Lesson 3: Implementing Automatic IP Address Allocation 6-14
Lab A: Configuring a Network Connection 6-21
Lesson 4: Implementing Name Resolution 6-25
Lab B: Resolving Network Connectivity Issues 6-30
Lesson 5: Implementing Wireless Network Connectivity 6-33
Module 7: Configuring Resource Access for Domain-Joined and
Non-Domain Joined Devices
Lesson 1: Configuring Domain Access for Windows 8.1 Devices 7-2
Lesson 2: Configuring Resource Access for Non-Domain Devices 7-8
Lesson 3: Configuring Workplace Join 7-16
Lesson 4: Configuring Work Folders 7-21
Lab: Configuring Resource Access for Non-Domain Joined Devices 7-29
Module 8: Implementing Network Security
Lesson 1: Overview of Threats to Network Security 8-2
Lesson 2: Configuring Windows Firewall 8-8
Lab A: Configuring Inbound and Outbound Firewall Rules 8-17
Lesson 3: Securing Network Traffic by Using IPsec 8-20
Lab B: Configuring IPsec Rules 8-28
Lesson 4: Guarding Windows 8.1 Against Malware 8-30
Lab C: Configuring Malware Protection 8-33
Module 9: Configuring File Access and Printers on Windows 8.1 Clients
Lesson 1: Managing File Access 9-2
Lesson 2: Managing Shared Folders 9-16
Lesson 3: Configuring File Compression 9-25
Lab A: Configuring File Access 9-29
Lesson 4: Overview of SkyDrive 9-32
Lesson 5: Managing Printers 9-37
Lab B: Configuring Printers 9-41
Module 10: Securing Windows 8.1 Devices
Lesson 1: Authentication and Authorization in Windows 8.1 10-2
Lesson 2: Implementing Local Policies 10-11
Lab A: Implementing Local GPOs 10-20
Lesson 3: Securing Data with EFS and BitLocker 10-23
Lab B: Securing Data by Using BitLocker 10-45
Lesson 4: Configuring UAC 10-47
Lab C: Configuring and Testing UAC 10-54
Module 11: Configuring Applications for Windows 8.1
Lesson 1: Application Deployment Options in Windows 8.1 11-2
Lesson 2: Managing Windows Store Apps 11-14
Lesson 3: Configuring Internet Explorer Settings 11-19
Lab A: Configuring Internet Explorer Security 11-29
Lesson 4: Configuring Application Restrictions 11-32
Lab B: Configuring AppLocker 11-40
Module 12: Optimizing and Maintaining Windows 8.1 Computers
Lesson 1: Optimizing Performance in Windows 8.1 12-2
Lab A: Optimizing Windows 8.1 Performance 12-10
Lesson 2: Managing the Reliability of Windows 8.1 12-14
Lesson 3: Managing Software Updates in Windows 8.1 12-19
Lab B: Maintaining Windows Updates 12-25
Module 13: Configuring Mobile Computing and Remote Access
Lesson 1: Configuring Mobile Computers and Device Settings 13-2
Lab A: Configuring a Power Plan 13-9
Lesson 2: Overview of DirectAccess 13-11
Lab B: Implementing DirectAccess by Using the Getting Started Wizard 13-22
Lesson 3: Configuring VPN Access 13-26
Lesson 4: Configuring Remote Desktop and Remote Assistance 13-35
Lab C: Implementing Remote Desktop 13-39
Module 14: Recovering Windows 8.1
Lesson 1: Backing Up and Restoring Files in Windows 8.1 14-2
Lesson 2: Recovery Options in Windows 8.1 14-5
Lab: Recovering Windows 8.1 14-18
Module 15: Configuring Client Hyper-V
Lesson 1: Overview of Client Hyper-V 15-2
Lesson 2: Creating Virtual Machines 15-6
Lesson 3: Managing Virtual Hard Disks 15-13
Lesson 4: Managing Checkpoints 15-19
Lab: Configuring Client Hyper-V 15-24
Lab Answer Keys
Module 2 Lab A: Installing Windows 8.1 L2-1
Module 2 Lab B: Customizing and Capturing a Windows 8.1 Image L2-5
Module 2 Lab C: Deploying a Windows 8.1 Image L2-13
Module 3 Lab A: Configuring Profiles and User State Virtualization L3-15
Module 3 Lab B: Migrating User State by Using USMT L3-25
Module 4 Lab: Using Management Tools to Configure
Windows 8.1 Settings L4-31
Module 5 Lab A: Managing Disks L5-37
Module 5 Lab B: Configuring Device Drivers L5-45
Module 6 Lab A: Configuring a Network Connection L6-47
Module 6 Lab B: Resolving Network Connectivity Issues L6-51
Module 7 Lab: Configuring Resource Access for Non-Domain Joined
Devices L7-55
Module 8 Lab A: Configuring Inbound and Outbound Firewall Rules L8-61
Module 8 Lab B: Configuring IPsec Rules L8-63
Module 8 Lab C: Configuring Malware Protection L8-65
Module 9 Lab A: Configuring File Access L9-67
Module 9 Lab B: Configuring Printers L9-70
Module 10 Lab A: Implementing Local GPOs L10-73
Module 10 Lab B: Securing Data by Using BitLocker L10-76
Module 10 Lab C: Configuring and Testing UAC L10-78
Module 11 Lab A: Configuring Internet Explorer Security L11-81
Module 11 Lab B: Configuring AppLocker L11-83
Module 12 Lab A: Optimizing Windows 8.1 Performance L12-85
Module 12 Lab B: Maintaining Windows Updates L12-89
Module 13 Lab A: Configuring a Power Plan L13-91
Module 13 Lab B: Implementing DirectAccess by Using the
Getting Started Wizard L13-92
Module 14 Lab: Recovering Windows 8.1 L14-99
Module 15 Lab: Configuring Client Hyper-V L15-107


About This Course
This section provides a brief description of the course, audience, suggested prerequisites, and course
objectives.
Course Description
This course is intended for IT professionals who administer and support Windows 8.1 PCs, devices, users
and associated network and security resources. The networks with which these professionals typically work
are configured as a Windows Server domain-based environment with managed access to the Internet and
cloud services. The course is also intended for students who seek certification in the 70-687 Windows 8.1
Configuring exam. NOTE: This course is based on Windows 8.1 Enterprise Edition with domain services
provided by Windows Server 2012 R2.
Audience
This course is intended for IT professionals who administer and support Windows 8.1 PCs, devices, users,
and associated network and security resources. The networks with which these professionals typically work
are configured as Windows Server domain-based environments with managed access to the Internet and
cloud services. This course is also intended to provide foundation configuration skills for Enterprise
Desktop/Device Support Technicians (EDSTs) who provide Tier 2 support to users who run Windows
desktops and devices within a Windows domain environment in medium to large enterprise
organizations. Students who seek certification in the 70-687 Windows 8.1 Configuring exam will also
benefit from this course.
Student Prerequisites
This course requires that you meet the following prerequisites:
At least two years of experience in the IT field
Knowledge of networking fundamentals, including Transmission Control Protocol/Internet Protocol
(TCP/IP), User Datagram Protocol (UDP), and Domain Name System (DNS)
Knowledge of Microsoft Active Directory Domain Services (AD DS) principles and fundamentals of AD
DS management
Understanding of the certificate security and working knowledge of the fundamentals of Active
Directory Certificate Services (AD CS)
Understanding of Windows Server 2008 R2 or Windows Server 2012 fundamentals
Understanding of Microsoft Windows Client essentials; for example, working knowledge of Windows
XP, Windows Vista, Windows 7 and/or Windows 8
Basic understanding of Windows PowerShell syntax
Basic awareness of Windows deployment tools (Windows ADK components: Windows PE, Windows
SIM, VAMT, ImageX, USMT, and DISM concepts and fundamentals) but no actual prerequisite skills
with the specific tools are assumed.
Course Objectives
After completing this course, students will be able to:
Describe solutions and features related to managing Windows 8.1 in an enterprise network
environment.
Determine requirements and perform the tasks for installing and deploying Windows 8.1.
Manage profiles and user state between Windows devices.
Determine the most appropriate management tools to configure Windows 8.1 settings.
Configure disks, partitions, volumes, and device drivers in a Windows 8.1 system.
Configure network connectivity.
Configure resource connectivity for both domain-joined and non-domain joined PCs and devices.
Implement Windows 8.1 technologies to secure network connections.
Configure file, folder, and printer access.
Implement tools and technologies that can help secure Windows 8.1 PCs and devices.
Configure and control desktop apps and Windows Store apps.
Optimize and maintain Windows 8.1 PCs and devices.
Configure mobile computer settings and enable remote access.
Determine how to recover Windows 8.1 from various failures.
Describe Hyper-V for Windows 8.1 and describe how to use it to support legacy applications.
Course Outline
The course outline is as follows:
Module 1, "Windows 8.1 in an Enterprise Network Environment," describes solutions and features related
to managing Windows 8.1 in an enterprise network environment. Students will identify how to use
Windows 8.1 features and related solutions to support intranet, Internet, and non-domain joined
Windows 8.1 clients. They will also learn how to identify changes to the Windows 8.1 user interface and
perform customizations of the desktop and Start screen.
Module 2, "Installing and Deploying Windows 8.1," describes how to identify hardware, software, and
infrastructure readiness for installing and deploying Windows 8.1, and also describes the different options
for installing Windows 8.1 on a computer. It also explains how students can customize a Windows 8.1
image file and deploy it using appropriate installation tools. This module also describes the methods
students can use to manage volume activation in Windows 8.1.
Module 3, "Managing Profiles and User State in Windows 8.1," describes how to manage profiles and user
state between Windows devices. Students will learn about managing user accounts and profiles in
Windows 8.1, configuring User State Virtualization using Microsoft UE-V and Windows 8.1, and migrating
user state and settings when migrating to Windows 8.1.
Module 4, "Tools Used for Configuring and Managing Windows 8.1," explains how to determine the most
appropriate management tools to configure Windows 8.1 settings. It describes tools used for local and
remote management of Windows 8.1, and the use of Group Policy and Windows PowerShell in managing
Windows 8.1 settings.
Module 5, "Managing Disks and Device Drivers," explains how to configure disks, partitions, volumes, and
device drivers in a Windows 8.1 system. It also explains how to manage virtual hard disks in the Windows
8.1 file system.
Module 6, "Configuring Network Connectivity," explains how to configure network connectivity by using
IPv4 and IPv6. It also describes how to implement automatic IP address allocation and name resolution.
Module 7, "Configuring Resource Access for Domain-Joined and Non-Domain Joined Devices," explains
how to configure resource connectivity for both domain-joined and non-domain joined devices. It also
explains how to configure workplace join for non-domain joined computers, and configure work folders.
Module 8, "Implementing Network Security," explains how to secure network connections by
implementing Windows 8.1 technologies. It explains how to configure Windows firewall, Windows
SmartScreen, and Windows Defender. It also explains how to implement connection security rules to
secure network traffic.
Module 9, "Configuring File, Folder, and Printer Access," explains how to manage secure file and folder
access, create and manage shared folders, and configure file and folder compression. It also explains how
to enable and configure SkyDrive access, and create and configure shared printers.
Module 10, "Securing Windows 8.1 Devices," explains how to implement tools and technologies that can
help secure Windows 8.1 desktops. It describes methods used for authentication and authorization in
Windows 8.1. It also describes how to use local Group Policy objects to configure security and other
settings, and explains the use of file encryption methods and User Account Control.
Module 11, "Configuring Applications for Windows 8.1," explains how to configure and control
applications in Windows 8.1. It describes application deployment methods, and explains how to install and
manage Windows Store apps. It also explains how to configure and secure Internet Explorer, and
configure application restrictions with AppLocker.
Module 12, "Optimizing and Maintaining Windows 8.1 Computers," explains how to optimize and
maintain Windows 8.1 based computers. It also explains how to manage reliability, and configure and
manage software updates in Windows 8.1.
Module 13, "Configuring Mobile Computing and Remote Access," explains how to configure Windows 8.1
settings that are applicable to mobile computing devices. It also describes DirectAccess, and how it can be
used to provide remote access. This module also explains how to enable and configure VPN access,
Remote Desktop, and Remote Assistance.
Module 14, "Recovering Windows 8.1," explains how to recover Windows 8.1 from failures. It describes
how to provide for file and folder recovery, and identify when and how to recover Windows 8.1.
Module 15, "Configuring Hyper-V," describes Hyper-V for Windows 8.1, and explains how to create and
configure virtual machines in Hyper-V for Windows 8.1. It also explains the use of virtual hard disks, and
the creation and implementation of virtual machine checkpoints.
Course Materials
The following materials are included with your kit:
Course Handbook: a succinct classroom learning guide that provides the critical technical
information in a crisp, tightly-focused format, which is essential for an effective in-class learning
experience.
Lessons: guide you through the learning objectives and provide the key points that are critical to
the success of the in-class learning experience.
Labs: provide a real-world, hands-on platform for you to apply the knowledge and skills learned
in the module.
Module Reviews and Takeaways: provide on-the-job reference material to boost knowledge
and skills retention.
Lab Answer Keys: provide step-by-step lab solution guidance.
Course Companion Content on the http://www.microsoft.com/learning/companionmoc Site:
searchable, easy-to-browse digital content with integrated premium online resources that supplement
the Course Handbook.
Modules: include companion content, such as questions and answers, detailed demo steps and
additional reading links, for each lesson. Additionally, they include Lab Review questions and
answers and Module Reviews and Takeaways sections, which contain the review questions and
answers, best practices, common issues and troubleshooting tips with answers, and real-world
issues and scenarios with answers.
Resources: include well-categorized additional resources that give you immediate access to the
most current premium content on TechNet, MSDN, or Microsoft Press.
Student Course files on the http://www.microsoft.com/learning/companionmoc Site: includes the
Allfiles.exe, a self-extracting executable file that contains all required files for the labs and
demonstrations.
Course evaluation: at the end of the course, you will have the opportunity to complete an online
evaluation to provide feedback on the course, training facility, and instructor.
To provide additional comments or feedback on the course, send an email to
support@mscourseware.com. To inquire about the Microsoft Certification Program, send an
email to mcphelp@microsoft.com.
Virtual Machine Environment
This section provides the information for setting up the classroom environment to support the business
scenario of the course.
Virtual Machine Configuration
In this course, you will use Microsoft Hyper-V to perform the labs.


Important: At the end of each lab, you must close the virtual machine and must not save
any changes. To close a virtual machine (VM) without saving the changes, perform the
following steps:
1. On the virtual machine, on the Action menu, click Close.
2. In the Close dialog box, in the What do you want the virtual machine to do? list, click
Turn off and delete changes, and then click OK.
The following table shows the role of each virtual machine that is used in this course:
Virtual machine      Role
20687C-LON-DC1       Domain controller in the Adatum.com domain
20687C-LON-CL1       Windows 8.1 computer in the Adatum.com domain
20687C-LON-CL2       Windows 8.1 computer in the Adatum.com domain
20687C-LON-CL3       Windows 7 computer in the Adatum.com domain
20687C-LON-CL4       Windows 8.1 computer for non-domain member scenarios
20687C-LON-REF1      Blank virtual machine used for the reference machine imaging and capture scenario
20687C-LON-SVR1      AD FS server in the Adatum.com domain
20687C-LON-SVR2      Web server in the Adatum.com domain
Software Configuration
The following software is installed on each VM:
Windows Server 8.1
Windows 8.1 Client (Windows 8 Enterprise)
Microsoft Office 2010
On the server, possibly also Windows Automated Installation Kit (AIK)
Classroom Setup
Each classroom computer will have the same virtual machine configured in the same way.
Course Hardware Level
To ensure a satisfactory student experience, Microsoft Learning requires a minimum equipment
configuration for trainer and student computers in all Microsoft Certified Partner for Learning Solutions
(CPLS) classrooms in which Official Microsoft Learning Product courseware is taught.
Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V) processor
Dual 120 gigabyte (GB) hard disks 7200 RPM Serial ATA (SATA) or better*
8 GB RAM
DVD drive
Network adapter
Super VGA (SVGA) 17-inch monitor
Microsoft Mouse or compatible pointing device
Sound card with amplified speakers
*Striped
In addition, the instructor computer must be connected to a projection display device that supports SVGA
1024 x 768 pixels, 16-bit colors.
Navigation in Windows Server 2012 R2 or Windows 8.1
If you are not familiar with the user interface in Windows Server 2012 R2 or Windows 8.1 then the
following information will help orient you to the new interface.
Sign in and Sign out replace Log in and Log out.
Administrative tools are found in the Tools menu of Server Manager.
Move your mouse to the lower right corner of the desktop to open a menu with:
Settings: This includes Control Panel and Power
Start menu: This provides access to some applications
Search: This allows you to search applications, settings, and files
You may also find the following shortcut keys useful:
Windows: Opens the Start menu
Windows+C: Opens the same menu as moving the mouse to the lower right corner
Windows+I: Opens Settings
Windows+R: Opens the Run window
Module 1
Windows 8.1 in an Enterprise Environment
Contents:
Module Overview 1-1
Lesson 1: Managing Windows 8.1 in an Enterprise Environment 1-2
Lesson 2: Overview of Windows 8.1 1-7
Module Review and Takeaways 1-14

Module Overview
Windows client operating systems are essential to the functionality of almost every enterprise
environment. Most users perform the bulk of their computing tasks in the Windows client interface,
including editing documents, sending email, interacting with applications, and numerous other tasks.
Managing these clients, then, is an important task for enterprise information technology (IT)
administrators. You must manage Windows clients to ensure that operating systems and any applications
are operating properly. Providing adequate security measures, deploying new clients when required,
maintaining an inventory, and monitoring Windows clients in your environment are all essential tasks for
IT administrators. This module introduces you to Windows 8.1 and provides an overview of how you can
manage Windows 8.1 computers in your environment to meet common enterprise IT challenges.
Objectives
After completing this module, you will be able to:
Explain the different options for managing Windows 8.1 in an enterprise environment.
Describe Windows 8.1 and its UI.
Lesson 1
Managing Windows 8.1 in an Enterprise Environment
Managing Windows clients in an enterprise environment can provide a variety of challenges. Windows
computers that come from outside your environment or that connect through the Internet to your
network are often outside the scope of many central configuration management tools. Moreover, even
central configuration management tools have limitations that provide challenges, depending on your
environment.
This lesson highlights some of the most common challenges facing administrators in the client
environment and the solutions that are available for Windows 8.1 devices.
Lesson Objectives
After completing this lesson, you will be able to:
Describe challenges of managing devices in today's enterprise environment.
Identify solutions for managing Windows 8.1 on an internal network.
Identify solutions for managing Internet-based Windows 8.1 devices.
Identify solutions for managing resource access for devices that are not domain-joined.
Explain how to manage Windows 8.1 devices by using enterprise management systems.
Challenges of Managing Devices in Today's Enterprise Environment
Managing devices in an enterprise environment
consists of many different challenges. Some of
these challenges center around the configuration
of the network environment, while others are
based on the type and configuration of clients in
the environment. Device management can be
placed into several different categories:
Network Configuration Challenges
Network configuration challenges primarily relate
to how a client is connected to the enterprise, or if
it is connected at all. Some examples of network
configuration challenges include:
Virtual private network (VPN) clients cannot connect to a network with the same functionality as
internal clients.
Clients that are not connected to a network do not have access to resources.
A remotely connected client does not have enough network bandwidth available to run applications
that are hosted on enterprise servers.
Client Configuration Challenges
Challenges related to client configuration typically involve not being able to enforce a configuration
standard, or being forced to perform the tedious task of manually configuring devices on an unplanned
basis:
Client computers that are not managed centrally might have different, potentially conflicting
configurations.
Centralized configuration management might not reach all clients in an enterprise network, and
typically cannot configure clients outside of an enterprise network.
Mobile devices that require specific configuration are left misconfigured or are unaccounted for.
Security and Privacy Challenges
When assessing security and privacy-related challenges, you should consider several scenarios:
Clients do not have consistent and current protection from malware and other malicious content.
Permissions and access to client settings might be different from client to client.
Users who bring their own devices and connect to an enterprise network could potentially
compromise enterprise security standards.
Resource Access Challenges
Users need access to resources on a network. Missing or misconfigured access to files and printers can
have a significant negative impact on business activity in an organization.
Access to files and shared folders differs from client to client.
Installed printers are not consistent from client to client.
Files stored on an enterprise network are not available when a client is disconnected.
Access to profile and user data differs from client to client.
User profile data gets corrupted.
Solutions for Managing Windows 8.1 on an Internal Network
The most robust management environment for a
Windows 8.1 client is when it is connected to an
internal network. You can use a number of server-
based configuration mechanisms to configure
Windows 8.1 clients.
Group Policy
You can configure Windows 8.1 devices effectively
by using centralized configuration management.
In the Active Directory Domain Services (AD DS)
environment common to most Windows-based
networks, you can use Group Policy to provide
centralized configuration management for
Windows client computers. When a Windows 8.1 client joins an AD DS domain, you can use Group Policy
to specify configuration settings for a client computer, including UI elements, security settings, available
applications and features, and operating system functionality. You also can use Group Policy to distribute
common settings to client computers, such as mapped drives, printers, or environment variables.
You can set Group Policy to affect as narrow or broad a scope of client devices as you determine,
provided that the clients are connected to the domain where you implement the Group Policy.
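The challenges listed earlier in this lesson (unmanaged clients with conflicting configurations, inconsistent malware protection) and the Group Policy solution just described can be checked on a single client with a short script. The following is an added example, not code from the course or from Microsoft: it reports whether the device is domain-joined (the precondition for domain Group Policy), which GPOs Group Policy has recorded as applied, and the state of Windows Defender real-time protection and signature age. The function name, the three-day signature threshold, and the wording of the findings are this example's own assumptions.

```powershell
# Added example, not code from the course. Reports whether the controls this
# lesson describes are actually in effect on a Windows 8.1 client: domain
# membership (the precondition for Group Policy), the GPOs that have been
# applied, and Windows Defender's real-time protection and signature age.
# Run in an elevated Windows PowerShell session on the client.

function Get-ClientManagementPosture {
    [CmdletBinding()]
    param(
        # Signatures older than this are reported as stale (assumed threshold, not a course value).
        [int]$MaxSignatureAgeDays = 3
    )

    # Domain membership from CIM; PartOfDomain is $false for workgroup devices.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Group Policy keeps a history of the GPOs it applied under this key. The numbered
    # subkeys directly beneath it list every applied GPO, with its friendly name in DisplayName.
    $historyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History'
    $appliedGpos = @()
    if (Test-Path -Path $historyKey) {
        $appliedGpos = @(Get-ChildItem -Path $historyKey |
            Where-Object { $_.PSChildName -match '^\d+$' } |
            ForEach-Object { (Get-ItemProperty -Path $_.PSPath).DisplayName })
    }

    # Windows Defender status; the Defender module ships with Windows 8.1.
    # Get-MpComputerStatus is absent when Defender is not installed or has been replaced.
    $mp = $null
    if (Get-Command -Name Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
    }
    $realTime = if ($null -ne $mp) { [bool]$mp.RealTimeProtectionEnabled } else { $null }
    $sigAge   = if ($null -ne $mp) { [int]$mp.AntivirusSignatureAge } else { $null }

    # Each finding maps to one of the challenges listed in this lesson.
    $findings = New-Object System.Collections.Generic.List[string]
    if (-not $cs.PartOfDomain) {
        $findings.Add('Not domain-joined: domain Group Policy cannot configure this device.')
    }
    if ($appliedGpos.Count -eq 0) {
        $findings.Add('No Group Policy history: central configuration has not reached this device.')
    }
    if ($null -eq $mp) {
        $findings.Add('Windows Defender status unavailable: confirm that another antimalware product is active.')
    }
    elseif (-not $realTime) {
        $findings.Add('Real-time malware protection is disabled.')
    }
    elseif ($sigAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Antimalware signatures are $sigAge days old (threshold $MaxSignatureAgeDays).")
    }

    [pscustomobject][ordered]@{
        ComputerName       = $cs.Name
        DomainJoined       = [bool]$cs.PartOfDomain
        Domain             = $cs.Domain
        AppliedGpos        = $appliedGpos
        RealTimeProtection = $realTime
        SignatureAgeDays   = $sigAge
        Findings           = $findings.ToArray()
    }
}

Get-ClientManagementPosture | Format-List
```

On a domain-joined client the AppliedGpos list should contain the domain GPOs alongside "Local Group Policy"; an empty list on a device that is a domain member usually means it has not contacted a domain controller since it was joined, which is exactly the VPN-connected case this lesson goes on to describe. The function returns an object rather than printing, so it can be run against many clients with Invoke-Command and the Findings collected centrally.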
User Experience Virtualization
You can use Microsoft User Experience Virtualization (UE-V) to provide consistent and synchronized user
settings configuration for Windows 8.1 computers. With UE-V, user profile information is stored remotely
for users and synchronizes to client computers when users log on and when users make changes to the
environment. UE-V enables a consistent user environment.
Solutions for Managing Internet-based Windows 8.1 Devices
Clients that connect from the Internet can provide
unique challenges for administrators. Windows 8.1
and Windows Server 2012 R2 provide several
options for enabling greater management control
of Windows 8.1 computers that are connected to
the Internet, but are not directly connected to
your internal network.
VPN
VPN connectivity has been a long-standing
connectivity option for Internet-based clients.
VPN enables a client to connect to an internal
network by using a VPN server, which typically is
located in a perimeter network. Through VPN, a client user authenticates to a network environment and
can gain access to network resources. VPN connections provide a very limited scope of management.
Common configuration management methods like Group Policy typically do not function over a VPN
connection.
DirectAccess
DirectAccess takes the concept of VPN and uses Windows Server 2012 R2 technology to enable an
Internet-based client to connect to a domain controller on an internal network, authenticate a client
computer account, and accept sign-ins from users as if the client computer is connected to the internal
network. Because the appropriate authentication has been performed, you can manage DirectAccess
clients by using Group Policy, and they appear to other enterprise management systems as if they were
connected to the internal network.
Solutions for Managing Resource Access for Non-Domain Devices
Windows 8.1 provides several features that enable
computers that are not joined to a domain to
function as you require. These devices are
becoming more common and important to the
overall client management process as
organizations adopt policies that enable users to
bring their own devices into the workplace, a
scenario known as Bring Your Own Device (BYOD).
Workplace Join
Workplace Join enables a device to be neither
completely joined to a domain, nor be completely
isolated from it. With Workplace Join, users can
work on a device of their choosing and still have access to enterprise network resources. IT administrators
can control access to resources and provide a finer level of control over devices that register through
Workplace Join.
Work Folders
Work Folders enable users to synchronize their data from their user folder on a network to their own
device. When you implement Work Folders, locally created files also are synchronized back to a network
folder location. You can configure Work Folders to synchronize network files without having a client
joined to a domain. In versions prior to Windows 8.1 and before Work Folders were introduced, domain
membership was required for this type of synchronization, and the client had to be connected to a
corporate network to initialize synchronization.
Remote Business Data Removal
With Windows 8.1 and Windows Server 2012 R2, you can use remote business data removal to classify
and flag corporate files and to differentiate between these files and user files. With this classification, the
remote wipe of a Windows 8.1 device will not remove user-owned data when securing or removing
corporate data on the device.
Managing Windows 8.1 Devices by Using Enterprise Management Systems
In addition to the management capabilities native to Windows 8.1 and Windows Server 2012 R2, Microsoft also provides centralized configuration management tools that you can use to provide more comprehensive management of Windows devices both inside and outside of your enterprise network.
System Center 2012 R2 Configuration Manager
Microsoft System Center 2012 R2 Configuration Manager is an on-premises solution for managing desktop computers and mobile devices. To manage computers with Configuration Manager, you need to install the Configuration Manager agent.
Configuration Manager has the following capabilities:
Deploy applications. Configuration Manager enables you to deploy packaged applications to devices
in your environment.
Manage Endpoint Protection. Managing Microsoft System Center 2012 Endpoint Protection from
within Configuration Manager allows you to use a single console to manage desktop computers and
devices.
Deploy software updates. Configuration Manager uses the basic infrastructure of Windows
Server Update Services (WSUS) to provide software updates.
Deploy operating systems. Configuration Manager expands the capabilities of Windows Deployment
Services.
Inventory hardware and software. Configuration Manager includes hardware and software inventory
capabilities.
Track license compliance for software. You can use the Asset Intelligence and software metering
features in Configuration Manager to track license compliance.
Windows Intune
Windows Intune is a cloud service that you can use to secure and manage Windows client computers
and mobile devices. It uses a subscription-based model that does not require any on-premises
infrastructure to manage supported Windows client computers. Windows Intune can manage clients
irrespective of whether they are workgroup or domain members and without regard for their network
settings, as long as they are accessible over the Internet.
After you install Windows Intune client software, a computer account is created in Windows Intune, and
you now can manage that computer centrally. You can install the Windows Intune client in various ways,
such as by using Group Policy, by including it in a desktop image, or through the Windows Intune
company portal. An administrator also can deploy the client manually on a per-computer basis.
Windows Intune provides several benefits, including:
Updates. Windows Intune ensures that updates are installed on client computers. All updates through
Windows Update are available with Windows Intune, and you also can deploy other, non-Microsoft
updates by using Windows Intune.
Endpoint Protection. Windows Intune includes Windows Intune Endpoint Protection, which provides
real-time protection against malware such as viruses and spyware.
Software deployment. You can use Windows Intune for deploying software such as Windows client
operating systems or apps from Microsoft or third parties.
Monitoring and alerting. Windows Intune can monitor client computers and raise an alert when
certain criteria are met.
Reporting. Windows Intune provides several reports, such as detected software on client computers,
client computer inventory, and update reports on company use of licenses.
Integrating Configuration Manager and Windows Intune
The Configuration Manager 2012 R2 console now includes interoperability features that enable
administrators to view all client devices irrespective of whether they are managed by Windows Intune or
Configuration Manager 2012 R2. This enables you to add any mobile devices that you manage with
Windows Intune into the Configuration Manager 2012 R2 console. You then can manage all the devices
through a single administrative tool.
If your company does not have System Center 2012 R2 Configuration Manager you can still use Windows
Intune to manage mobile devices and Windows client computers. However, if you already have
Configuration Manager 2012 R2 installed, Windows Intune enables you to extend the reach of your
management infrastructure to include mobile devices through cloud services. Configuration Manager
2012 R2 still has more client computer management features than Windows Intune. However,
Configuration Manager 2012 R2 only includes a limited set of mobile device management features
because it relies on Windows Intune for those tasks.
Lesson 2
Overview of Windows 8.1
Windows 8.1 is the latest version of the Windows client operating system. It includes the same core
functionality as Windows 8, along with several important enhancements and functionality improvements
that impact an enterprise environment.
This lesson introduces you to Windows 8.1, demonstrates changes to the UI, and shows you how to
customize the interface and other Windows 8.1 settings.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the user experience.
Describe the Windows desktop versus the Start screen.
Describe how to customize the Windows 8.1 UI.
Describe Start screen control.
Explain how to customize Windows 8.1 settings.
Describe Windows Store apps.
Overview of the User Experience
Windows 8.1 is designed for navigation and functionality for touch-enabled devices, and for devices that are equipped with a keyboard and mouse. When you sign in to Windows 8.1, you are presented with a series of interfaces:
1. Sign-in screen. At the sign-in screen, you must click or swipe to the top of the screen to access the credentials screen. From here, you can provide your credentials to sign in to the computer. These can be for a local user account or a domain user account, provided that the computer is joined to an AD DS domain. You also can adjust Ease of Access features, change network connections, and shut down or restart the computer.
2. Start screen. After signing in to Windows 8.1, you are presented with the Start screen. The Start screen
contains tiles that represent apps installed on the computer.
3. Desktop. By clicking on the Desktop tile from the Start screen, you can access the desktop, which
appears whenever you run desktop apps.
Important Windows 8.1 Navigation Shortcuts
You can access Windows 8.1 interface elements with several convenient touch gestures, mouse gestures,
and keyboard shortcuts:
Start screen. Click the Start button on the taskbar or press the Windows logo key on the keyboard.
Display Charms menu. Point to the upper-right or lower-right corner or press Windows logo key+C
on the keyboard.
Get commands and shortcut menus. On the Start screen or in Windows Store apps, right-click the
screen or press Windows logo key+Z. You also can swipe up from the bottom of the screen to access
these commands and menus on a touch-screen device.
Switch between recently used apps. Point to the upper-left corner with the mouse and then click or
swipe in from the left on a touch-screen device.
Close an app. With a Windows Store app open, move the mouse to the top of the screen, click, and then
pull down. You also can swipe down from the top on a touch-screen device or press Alt+F4 on the
keyboard.
Display the Quick Link menu. Right-click the Start button or press Windows logo key+X on the
keyboard to display a menu of commonly used shortcuts to Windows interface components such as
the Shutdown menu, Task Manager, Command Prompt, and Control Panel.
Other Touch-Enabled Gestures
You can navigate the Windows 8.1 interface by using the following gestures on touch-screen devices:
Pinch to zoom. Pinch to zoom in, and reverse the pinching gesture to zoom out, in many apps and on
the Start screen.
Press, hold, drag and drop. You can use this gesture to move interface elements around in Windows
Store apps or to move and edit tiles on the Start Screen.
Other Keyboard Shortcuts
The following keyboard shortcuts provide access to other Windows 8.1 interface components:
Windows logo key+D. Display and hide the desktop.
Windows logo key+E. Open File Explorer.
Windows logo key+F. Open the Search charm to search files.
Windows logo key+H. Open the Share charm.
Windows logo key+I. Open the Settings charm.
Windows logo key+J. Switch between the main app and a snapped app.
Windows logo key+K. Open the Devices charm.
Windows logo key+L. Lock the computer or switch users.
Windows logo key+O. Lock the screen orientation for accelerometer-enabled devices.
Windows logo key+P. Choose a presentation mode for multiple monitors.
Windows logo key+Q. Open the Search charm to search for apps.
Windows logo key+R. Open the Run dialog box.
Windows logo key+W. Open the Search charm to search settings.
Windows logo key+Spacebar. Switch input language and keyboard layout.
Windows logo key+Tab. Cycle through Windows Store apps.
Windows logo key+Page Up or Page Down. Move the Start screen and apps to the next monitor.
For more information on the keyboard shortcuts in Windows 8.1, refer to:
Microsoft Accessibility: Keyboard Shortcuts
http://go.microsoft.com/fwlink/?LinkId=356124&clcid=0x409
Windows Desktop vs. the Start Screen
Windows 8.1 supports the following two app types:
Desktop apps. These run in the context of the desktop in the same way they did in previous versions of Windows operating systems.
Windows Store apps. These are full-screen, touch-optimized apps that run in the context of the Start screen.
The Windows desktop has been the traditional starting point in Windows client operating systems for almost 20 years. In Windows 8 and Windows 8.1, the Start screen provides a new startup experience for the end user. The Start screen
contains tiles, which represent apps that are installed on the computer. These tiles can be static, or they
can provide live information from the application. For example, the tile for a weather app might provide
the current temperature in your area. The Start screen is designed to provide quick access to commonly
used apps on your computer.
Starting Windows 8.1 to the Desktop
If your organization does not use any Windows Store apps, or if it has the majority of its applications
hosted in the desktop environment, you might want to start Windows 8.1 computers to the desktop
rather than the Start screen. To configure a Windows 8.1 computer to start to the desktop, use the
following procedure:
1. On the desktop, right-click the taskbar, and then click Properties.
2. On the Navigation tab, in the Start screen section, select the Go to the desktop instead of Start
when I sign in check box.
Demonstration: Customizing the Windows 8.1 UI
In this demonstration, you will see how to customize the Windows 8.1 UI.
Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.
2. Open and close the Photos app.
3. Change the size of the Photos tile to Wide.
4. Move the Photos app.
5. Unpin the Photos app from the Start screen.
6. Open the Applications screen by clicking the down arrow at the bottom of the Start screen.
7. Pin the Calculator tile to the Start screen.
8. Open the desktop.
9. Open the Quick Links menu, and then open Command Prompt.
10. Configure Windows 8.1 to start to the desktop instead of the Start screen.
Overview of Start Screen Control
Windows 8.1 enables you to control the layout of the Start screen by using the Windows PowerShell command-line interface and Group Policy in AD DS. You can use this functionality to configure a Windows 8.1 computer with a Start screen that is representative of what your end users should have, export the configuration to an XML file, and then use Group Policy to enforce the Start screen layout for your users.
Configuring Start Screen Control
To configure Start screen control, follow this procedure:
1. Configure the Start screen layout on a Windows 8.1 computer.
2. Run the Export-StartLayout Windows PowerShell cmdlet and specify the output file. For example,
Export-StartLayout -path C:\path\StartLayout.xml -As XML.
3. Store the StartLayout.xml file in a network location where users have read permission.
4. Edit the local policy on a Windows 8.1 computer or create or edit a Group Policy Object (GPO) with
an appropriate Group Policy setting to specify the location of the StartLayout.xml file:
o Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar
\Start Screen Layout
o User Configuration\Policies\Administrative Templates\Start Menu and Taskbar
\Start Screen Layout
5. Link the GPO in the Group Policy Management Console if you use Group Policy.
Note: When you use Start screen control to set the layout of the Windows 8.1 Start screen,
users cannot customize or make changes to the Start screen.
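The procedure above, scripted in Windows PowerShell as an added example that is not part of the course: it exports the reference layout, checks that the file is well-formed XML, publishes it, confirms that ordinary users cannot modify the published copy, and then sets the policy values for a locally managed computer. The share path \\LON-DC1\StartLayout$ is an assumption. The registry value names LockedStartLayout and StartLayoutFile under HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer are, to my knowledge, the values the Start Screen Layout policy setting writes; verify them against the ADMX files in your environment before relying on them.

```powershell
# Added example (not from the course): script the Start screen control procedure.
# Run in an elevated Windows PowerShell session on the reference Windows 8.1 computer.
# Assumptions: the share path is hypothetical, and the registry value names are the
# ones written by the Start Screen Layout policy setting.

$ExportPath = 'C:\StartLayout\StartLayout.xml'            # local export target
$SharePath  = '\\LON-DC1\StartLayout$\StartLayout.xml'    # hypothetical network location

# Step 2: export the signed-in user's Start screen layout as XML (Windows 8.1 syntax).
New-Item -ItemType Directory -Path (Split-Path -Path $ExportPath) -Force | Out-Null
Export-StartLayout -Path $ExportPath -As XML

# Check that the export parses as XML before publishing it; a malformed file leaves
# every targeted user with an unmanaged Start screen.
try {
    [xml]$layout = Get-Content -Path $ExportPath -Raw
} catch {
    throw "Exported layout at $ExportPath is not well-formed XML: $_"
}

# Step 3: publish the file and confirm that ordinary users get read access only.
# Whoever can write this file decides which tiles every targeted user sees.
Copy-Item -Path $ExportPath -Destination $SharePath -Force
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl
$broadWrite = (Get-Acl -Path $SharePath).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match 'Everyone|Authenticated Users|Domain Users|\\Users$' -and
    (([int]$_.FileSystemRights -band $writeMask) -ne 0)
}
if ($broadWrite) {
    $who = ($broadWrite | ForEach-Object { $_.IdentityReference.Value }) -join ', '
    Write-Warning "Write access to the published layout is granted to: $who"
}

# Step 4, scripted for a locally managed computer: set the values used by the
# Computer Configuration Start Screen Layout policy setting. In a domain, configure
# the same setting in a GPO and link it (step 5) instead of editing the registry.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'LockedStartLayout' -Value 1 -Type DWord
Set-ItemProperty -Path $PolicyKey -Name 'StartLayoutFile' -Value $SharePath -Type String

# Refresh policy and show the values that are now in place.
gpupdate /target:computer /force | Out-Null
Get-ItemProperty -Path $PolicyKey | Select-Object LockedStartLayout, StartLayoutFile
```

The access check deliberately looks at the NTFS permissions of the published file rather than the share permissions alone, because the effective access is the more restrictive of the two and a broad NTFS grant is the one most often overlooked.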
Customizing Windows 8.1 Settings
Windows 8.1 has a large number of computer settings that you can configure to provide the optimal interface for your users. You can configure most of the Windows 8.1 settings in one of two locations: the PC Settings screen, or Control Panel.
PC Settings
The PC Settings screen contains configuration options that you can apply to the Windows Start screen interface. It also provides a touch-screen optimized configuration interface for Windows 8.1 settings that you can configure elsewhere in Windows 8.1. You can access the PC Settings screen by opening the Charms menu, clicking Settings, and then clicking PC Settings at the bottom of the menu. The following settings are available within the PC Settings screen:
Activate Windows. You can activate your version of Windows 8.1 from this screen.
PC & devices. The PC & devices screen contains a large number of configuration settings for the look
and feel of Windows 8.1, such as: lock screen view; display resolution and orientation; and mouse,
touchpad, and other input device behavior. It also contains sections for adding and removing
peripheral devices, such as printers.
Accounts. You can configure both local and Microsoft-based accounts from this screen, including
sign-in options like account picture and picture passwords.
SkyDrive. You can view and configure your online storage space from SkyDrive from this screen.
Search & apps. You can use this screen to control your search experience in Windows 8.1 and the
default settings for tasks such as notifications and default apps.
Privacy. You can control the behavior of devices like cameras and location-based behavior from this
screen.
Network. You can use the Network screen to manipulate network settings and connect to new
networks.
Time & language. You can use this screen to configure local and regional settings for time and
language display and input.
Ease of Access. The Ease of Access screen contains settings that enable the customization of input and
display methods.
Update & recovery. The Update & recovery screen presents options for updating your computer,
recovering previous versions of files, or enabling advanced recovery modes for Windows 8.1.
Demonstration: Customizing Windows 8.1 Settings
In this demonstration, you will see how to customize Windows 8.1 settings.
Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Change PC Settings screen.
3. Open the PC & devices screen.
4. Add the Weather app to the Lock screen display options.
5. Open the Accounts screen, and then view available options.
6. Open the Search & apps screen.
7. Configure the Recent apps list to display 10 apps.
Understanding Windows Store Apps
Windows Store provides a convenient, single location for you to access and download apps. You can access the Windows Store from the Start screen without navigating to Control Panel.
Note: To access the store, users must sign in to Windows 8.1 by using a Microsoft account. Users can create this account during the Windows 8.1 installation, or they can define it after installation.
Windows Store Apps
Windows Store enables users to access and install Windows Store apps. These apps are not like desktop
applications such as Microsoft Office 2010. Rather, they are full-screen apps that can run on a number of
device types, including x86, x64, and ARM platforms. However, not all Windows Store apps are compatible
with all platforms.
These apps can communicate with one another and with Windows 8 so that it is easier to search for and
share information such as photographs.
When an app is installed, from the Start screen, users can see live tiles that constantly update with live
information from the installed apps.
Locating Apps
When users connect to the Windows Store, the landing page, that is, the initial page users see when
accessing the Windows Store, is designed to make apps easy to locate. Apps are divided into categories
such as Games, Entertainment, Music & Videos, and others.
Users also can use the Windows 8.1 Search charm to search the Windows Store for specific apps. For
example, if a user is interested in an app that provides video-editing capabilities, he or she can bring up
the Search charm, type in a search string, and then click Store. The Windows Store returns suitable apps
from which the user can make a selection.
Installing Apps
A single tap or click on the appropriate app in the listing should be sufficient to install the app. The app
installs in the background so that a user can continue to browse the Windows Store. After the app is
installed, a tile for the app appears on the user's Start screen.
Updating Apps
Windows 8.1 checks the Windows Store for updates to installed apps on a daily basis. When an update for
an installed app is available, the Windows operating system updates the Store tile in the Start screen to
display an indication that updates are available. When a user selects the Store tile and connects to the
Windows Store, the user can choose to update one, several, or all of the installed apps for which updates
are available.
Installing Apps on Multiple Devices
Many users have multiple devices, such as desktop and laptop computers. Windows Store allows five
installations of a single app to enable users to run the app on all of their devices. If users attempt to install
an app on a sixth device, they are prompted to remove the app from another device.
Module Review and Takeaways
Review Question
Question: What is the advantage of implementing both Windows Intune and System Center
2012 R2 Configuration Manager?
Module 2
Installing and Deploying Windows 8.1
Contents:
Module Overview 2-1
Lesson 1: Preparing to Install and Deploy Windows 8.1 2-2
Lesson 2: Installing Windows 8.1 2-12
Lab A: Installing Windows 8.1 2-24
Lesson 3: Customizing and Preparing a Windows 8.1 Image for Deployment 2-27
Lab B: Customizing and Capturing a Windows 8.1 Image 2-39
Lesson 4: Volume Activation for Windows 8.1 2-44
Lab C: Deploying a Windows 8.1 Image 2-52
Module Review and Takeaways 2-54

Module Overview
The Windows 8.1 operating system builds on the core functionality of Windows 8 and Windows 7 to
provide a stable client experience across many device form factors and processor architectures. In this
module, you will learn about the features available in different Windows 8.1 editions. This module
introduces planning considerations and hardware requirements for Windows 8.1 installation. You also will
learn about the importance of device driver compatibility and application compatibility during
installation.
This module describes how you can perform a clean installation of Windows 8.1. It also describes how you
can upgrade or migrate to Windows 8.1 and the upgrade paths that are supported. You will learn about
the tools and technologies that you can use to customize an installation. You also will learn about
Windows 8.1 activation and the different activation options.
Objectives
After completing this module, you will be able to:
Prepare to install and deploy Windows 8.1.
Install Windows 8.1.
Customize and prepare a Windows 8.1 image for deployment.
Describe volume activation for Windows 8.1.
Lesson 1
Preparing to Install and Deploy Windows 8.1
Before you install Windows 8.1 on a computer, you must ensure that the hardware and software on that
computer is compatible with it. As you prepare for the installation, you must understand the minimum
hardware requirements and the installation methods that you can use.
In this lesson, you will learn about the planning process for a successful Windows 8.1 installation and
deployment. You will learn how to identify problematic devices, drivers, and apps, and you will determine
methods for mitigating compatibility issues. By doing so, you can minimize or eradicate the problems you
might face during or after installation.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to plan for a Windows 8.1 installation.
Identify considerations for deploying Windows 8.1 in an enterprise environment.
Identify hardware requirements for installing Windows 8.1.
Describe how to determine device driver compatibility.
Describe common application compatibility issues.
Describe methods for mitigating common application compatibility issues.
Planning for a Windows 8.1 Installation
You can install Windows 8.1 as an upgrade to an existing and supported Windows operating system, such as Windows 7 or Windows 8. You also can install it on a new computer that does not have an operating system. When you are planning for a Windows 8.1 installation, you should consider the following factors:
Windows 8.1 is available in three editions: Windows 8.1, Windows 8.1 Pro, and Windows 8.1 Enterprise. You should select the edition that includes features that you need while minimizing licensing costs.
You can perform a clean Windows 8.1 installation or upgrade an existing operating system. An
upgrade retains files, apps, and settings from the operating system that you upgraded. A clean
installation includes only default settings and apps from the Windows 8.1 installation. You also can
perform a clean installation and load the saved user settings from the previous environment.
All Windows 8.1 editions are available in 32-bit or 64-bit versions. Both versions include the same
features, but 64-bit versions support more memory and provide better security because they require
digitally signed device drivers.
Verify that your computer and devices are compatible with Windows 8.1 and that device drivers for
all components are available.
Verify that apps that you plan to use are compatible with Windows 8.1 and that they are supported
on that platform.
You can deploy Windows 8.1 by using different methods. You should select a deployment method
based on the existing environment and the number of computers that you must deploy. The
deployment methods you can use include the following:
o Running setup from DVD media.
o Performing an installation from a network share.
o Using Windows Deployment Services (DS).
o Using software deployment solutions such as Microsoft System Center 2012 R2 Configuration
Manager (Configuration Manager).
Windows 8.1 Editions
Windows 8.1 is available in three separate editions:
Windows 8.1. This edition contains only the key operating system features. It can run apps such as the Microsoft Office System, and it is appropriate for use in home environments, which do not require features such as BitLocker Drive Encryption and DirectAccess. From a planning perspective, it is important to note that you cannot join computers running this edition of Windows 8.1 to a Microsoft Active Directory Domain Services (AD DS) domain. Also important to note is that you can activate this edition of Windows 8.1 only with a retail license key.
Windows 8.1 Pro. This edition includes features such as BitLocker, Client Hyper-V, Domain Join, Group Policy, and Native Boot from virtual hard disk. This edition of Windows 8.1 is suitable for small- and medium-sized businesses that do not require technologies such as AppLocker, BranchCache, DirectAccess, and Windows To Go to meet business objectives. You can use Windows 8.1 Pro with retail license keys and with volume licensing options such as multiple activation keys (MAKs) and Key Management Service (KMS) keys.
Windows 8.1 Enterprise. This is the edition of Windows 8.1 that you are most likely to deploy in large
business environments. This edition includes all the features that are available in the Windows 8.1
operating system, from being able to join an AD DS domain, to edition-specific features such as
AppLocker, BranchCache, DirectAccess, Windows To Go, and the ability to sideload Windows Store
apps. You can activate Windows 8.1 Enterprise only by using a volume license key.
The following table represents the key features available in each edition of Windows 8.1.

Feature                          Windows 8.1    Windows 8.1 Pro    Windows 8.1 Enterprise
Maximum physical CPU             1              2                  2
Maximum memory (x86)             4 GB           4 GB               4 GB
Maximum memory (x64)             128 GB         512 GB             512 GB
Workplace Join                   X              X                  X
Work Folders                     X              X                  X
Remote Desktop                   Client only    X                  X
Domain Join                                     X                  X
Group Policy                                    X                  X
Boot from virtual hard disk                     X                  X
BitLocker and BitLocker To Go                   X                  X
Encrypting File System                          X                  X
Client Hyper-V                                  Only on x64        Only on x64
AppLocker                                                          X
BranchCache                                                        X
DirectAccess                                                       X
Windows To Go                                                      X
Understanding Windows RT
The Windows RT operating system is designed to run apps built on the Windows RT platform, and it is
available only as a preinstalled operating system on tablets and similar devices with ARM processors. ARM
provides a lightweight form factor with excellent battery life specifically for mobile devices. Windows RT is
preloaded with touch-optimized versions of Microsoft Office apps and is otherwise limited to running
Windows Store apps. Devices running Windows RT cannot be members of AD DS domains, but they can
use Workplace Join and Work Folders.
Advantages of 64-bit Windows 8.1 Versions
Each Windows 8.1 edition is available in 32-bit and 64-bit versions. The 64-bit versions of Windows 8.1 are
designed to work with computers that utilize the 64-bit processor architecture. Although the 64-bit
versions are similar in features to their 32-bit counterparts, there are several advantages to using a 64-bit
version of Windows 8.1, including the following:
Improved performance. 64-bit processors can process more data for each clock cycle, and therefore,
you can scale your apps to run faster. However, to benefit from this improved processor capacity, you
must install a 64-bit edition of the operating system.
Enhanced memory. A 64-bit operating system can use random access memory (RAM) more
efficiently, and it can address memory above 4 gigabytes (GB). This is unlike all 32-bit operating
systems, including all 32-bit editions of Windows 8.1, which are limited to 4 GB of addressable
memory.
Improved device support. Although 64-bit processors have been available for some time, in the past,
it was difficult to obtain third-party drivers for commonly used devices such as printers, scanners, and
other common office equipment. Since the release of the 64-bit versions of Windows 7, the
availability of drivers for these devices has improved greatly. Because Windows 8.1 is built on the
same kernel as Windows 7, most of the drivers that work with Windows 7 also work with Windows 8
and Windows 8.1.
Improved security. The architecture of 64-bit processors enables a more secure operating system
environment through Kernel Patch Protection, mandatory kernel-mode driver signing, and Data
Execution Prevention.
Support for the Client Hyper-V feature. This feature is supported only in the 64-bit versions of
Windows 8.1. Client Hyper-V requires 64-bit processor architecture that supports second level address
translation (SLAT).
The 64-bit versions of Windows 8.1 do not support the 16-bit Windows on Windows environment. If your
organization requires older versions of 16-bit apps, they will not run natively on 64-bit versions of
Windows 8.1. One solution is to run the app within a virtual environment by using Client Hyper-V.
Choosing Windows 8.1 Versions for Installation
In most cases, a computer will run the version of Windows 8.1 that corresponds to its processor
architecture. A computer with a 32-bit processor will run the 32-bit version of Windows 8.1, and a
computer with a 64-bit processor will run the 64-bit version of Windows 8.1. You can use the following list
to determine which version of Windows 8.1 you should install on a computer:
You can install 64-bit versions of Windows 8.1 only on computers with 64-bit processor architectures.
You can install 32-bit versions of Windows 8.1 on computers with 32-bit or 64-bit processor
architectures. When you install a 32-bit version of Windows 8.1 on a 64-bit processor architecture, the
operating system does not take advantage of any 64-bit processor architecture features or
functionality.
32-bit drivers will not work on 64-bit versions of Windows 8.1. If you have hardware that is supported
by 32-bit drivers only, you must use a 32-bit version of Windows 8.1, regardless of the computer's
processor architecture.
You can install 32-bit versions of Windows 8.1 on 64-bit architecture computers to support older
16-bit versions of apps or for testing purposes.
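As an added example that is not part of the course, the following Windows PowerShell function applies the rules in this topic, together with the minimum processor, memory, and disk figures from the hardware requirements topic later in this lesson, to the computer it runs on. The function name Test-Win81Readiness is my own; it queries the standard WMI classes Win32_Processor, Win32_ComputerSystem, and Win32_LogicalDisk, and reads the SLAT flag that Win32_Processor exposes on Windows 8 and later.

```powershell
# Added example (not from the course): report which Windows 8.1 versions the local
# computer can take, using the rules from this topic. Function name is hypothetical.
function Test-Win81Readiness {
    [CmdletBinding()]
    param(
        # Drive that will hold the installation; defaults to the current system drive.
        [string]$SystemDrive = $env:SystemDrive
    )

    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $sys  = Get-CimInstance -ClassName Win32_ComputerSystem
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$SystemDrive'"
    if (-not $disk) { throw "Drive $SystemDrive was not found" }

    $cpuGHz  = $cpu.MaxClockSpeed / 1000      # MaxClockSpeed is reported in MHz
    $ramGB   = $sys.TotalPhysicalMemory / 1GB
    $freeGB  = $disk.FreeSpace / 1GB
    $is64Bit = ($cpu.DataWidth -eq 64)        # processor architecture, not the running OS
    # SLAT support as reported by Win32_Processor (Windows 8 and later); Client Hyper-V needs it.
    $slat = [bool]$cpu.SecondLevelAddressTranslationExtensions

    # Minimum figures from the hardware requirements topic in this lesson.
    $min = @{
        CpuGHz = 1
        x86    = @{ RamGB = 1; DiskGB = 16 }
        x64    = @{ RamGB = 2; DiskGB = 20 }
    }

    # 32-bit Windows 8.1 installs on either processor architecture.
    $can32 = ($cpuGHz -ge $min.CpuGHz) -and ($ramGB -ge $min.x86.RamGB) -and ($freeGB -ge $min.x86.DiskGB)
    # 64-bit Windows 8.1 installs only on a 64-bit processor.
    $can64 = $is64Bit -and ($cpuGHz -ge $min.CpuGHz) -and ($ramGB -ge $min.x64.RamGB) -and ($freeGB -ge $min.x64.DiskGB)

    if (-not $is64Bit) {
        $note = '32-bit processor: only the 32-bit version can be installed'
    } elseif (-not $can64) {
        $note = '64-bit processor, but memory or disk meets only the 32-bit minimums'
    } else {
        $note = 'Both versions possible; a 32-bit install would forgo 64-bit features'
    }

    [pscustomobject]@{
        ComputerName        = $sys.Name
        ProcessorGHz        = [math]::Round($cpuGHz, 2)
        ProcessorDataWidth  = $cpu.DataWidth
        MemoryGB            = [math]::Round($ramGB, 1)
        FreeDiskGB          = [math]::Round($freeGB, 1)
        CanInstall32Bit     = $can32
        CanInstall64Bit     = $can64
        # Client Hyper-V (the suggested home for 16-bit apps) needs 64-bit Windows plus SLAT.
        ClientHyperVCapable = ($can64 -and $slat)
        Note                = $note
    }
}

Test-Win81Readiness | Format-List
```

The comparisons use the unrounded values so that a computer with, say, 0.98 GB of RAM is not reported as meeting a 1 GB minimum; rounding is applied only to the displayed figures.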
Question: Can you use Microsoft Office 2013 on Windows RT?
Considerations for Deploying Windows 8.1 in the Enterprise Environment
You must consider several important differences if you are considering Windows 8.1 deployment for several computers in a small company versus deployment in an enterprise environment. In a small company, you can use Windows Setup and deploy Windows 8.1 individually on each computer. However, such an approach is not appropriate for an enterprise environment that already has AD DS and infrastructures in place for management, updating, and deployment. In an enterprise environment, Windows 8.1 is deployed on several client computers at once. Deployment
solutions such as Windows DS, Microsoft Deployment Toolkit (MDT), or Configuration Manager typically
are used, and a high level of automation is necessary. You can use Windows DS to deploy Windows 8.1 to
multiple client computers at once by using multicast. You also can use Configuration Manager to deploy
Windows 8.1 without any user interaction. This type of deployment is called zero-touch installation (ZTI).
Because you typically use Windows 8.1 to upgrade an existing environment, users already have their
accounts and settings. You need to preserve user state during the deployment, which means that you
must perform either an upgrade or a migration. In an enterprise environment, you usually would use
migration because it provides a clean and standardized environment, and it removes all the legacy files
that might exist on computers. You also can control what is migrated from a previous environment. In
many cases, enterprises use Folder Redirection and roaming profiles (both technologies are referred to as
user state virtualization), which means that user state is not stored locally, and you do not need to migrate
it at all. In such cases, when users sign in to a Windows 8.1 computer, their settings will be applied, and
they will have access to their documents.
The default Windows 8.1 installation image often is customized to include specific requirements for an
enterprise. For example, apps that are used on all clients, such as Microsoft Office 2013, are included in
the installation image, in addition to language packs, additional device drivers, and updates. Apps that are
used in an enterprise must be verified for compatibility with Windows 8.1, and when a customized
installation image is built, it must pass extensive testing. All these factors and the large number of clients
to which Windows 8.1 must be deployed make Windows 8.1 deployment in an enterprise environment a
lengthy project that requires extensive planning, preparation, and testing.
Question: Why do enterprises not use the default Windows 8.1 DVD media to perform
installations?
Hardware Requirements for Installing Windows 8.1
Windows 8.1 can run on older computer configurations, and many computers in enterprises today can meet
the minimum hardware requirements easily. The Windows 8.1 kernel has been refined and improved from
Windows 7, and in many cases, you might see general performance improvements on a computer in several
different areas.
Windows 8.1 installation might be successful if some of the minimum recommended hardware requirements
are not met. However, user experience and operating system performance might be compromised if the
computer does not meet or exceed recommended specifications. The following list outlines the minimum
recommended hardware requirements for Windows 8.1:
1 gigahertz (GHz) or faster processor.
1 GB RAM (32-bit) or 2 GB RAM (64-bit).
16 GB available hard disk space (32-bit) or 20 GB available hard disk space (64-bit).
A DirectX 9 graphics device with a device driver that supports Windows Display Driver Model
(WDDM) 1.0 or newer.
In addition to these hardware requirements, Windows 8.1 includes several features that require a specific
hardware configuration before they will install or run correctly. These features are as follows:
The Windows 8.1 secured boot process requires a pre-boot environment that is based on Unified
Extensible Firmware Interface (UEFI). The secured boot process takes advantage of UEFI to prevent
starting unknown or potentially unwanted operating system boot loaders between the system's BIOS
start and the Windows 8.1 operating system start. The secure boot process is not mandatory for
Windows 8.1, but it greatly increases the integrity of the boot process.
Client Hyper-V requires a 64-bit processor architecture that supports second-level address translation
(SLAT). SLAT reduces the overhead incurred during the virtual-to-physical address mapping process
performed for virtual machines.
The BitLocker and Virtual Smart Card features require a computer that supports Trusted Platform
Module (TPM) to provide the most seamless and secure experience. TPM allows the storage of
BitLocker encryption keys and Virtual Smart Cards within a microcontroller on a computer's
motherboard.
Miracast is a Windows 8.1 feature that you can use to share your display with a Miracast-enabled
display or projector over a wireless connection. This feature requires a display adapter that supports
Miracast and uses a device driver that is designed for Windows 8.1.
To use touch and gestures as an input method, a tablet or monitor must support multitouch. If your
device does not support such input, you can still use a mouse and keyboard.
Windows Store apps require a minimum of 1366 x 768 screen resolution for the Snap feature. This
feature enables you to use Windows 8.1 apps side by side, keeping one app viewable while you use
other Windows Store apps. You cannot use Windows Store apps at a resolution lower than 1024 x 768;
you will receive an error message if you start one in such a configuration.
Windows 8.1 includes support for three-dimensional (3-D) printing, but you should have a supported
3-D printer device to be able to use 3-D printing.
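As an added example (not part of the course material), the following PowerShell function checks one computer against the minimum requirements and the feature-specific hardware listed above. It assumes an elevated session on Windows 8 or later, where Confirm-SecureBootUEFI and Get-Tpm exist; on older systems those checks simply report as failed.

```powershell
# Added example, not course code. Checks the Windows 8.1 minimum requirements
# (CPU, RAM, free disk) plus the feature-specific hardware: Secure Boot (UEFI),
# TPM (BitLocker / Virtual Smart Card), SLAT (Client Hyper-V) and screen size.
function Test-Win81Readiness {
    [CmdletBinding()]
    param()

    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $sys = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
    $is64 = ($cpu.AddressWidth -eq 64)

    # 64-bit installs need 2 GB RAM and 20 GB free disk; 32-bit needs 1 GB and 16 GB.
    $minRamGB  = if ($is64) { 2 } else { 1 }
    $minDiskGB = if ($is64) { 20 } else { 16 }

    # Firmware reserves a little memory, so round to one decimal before comparing.
    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    $freeGB = [math]::Round($sys.FreeSpace / 1GB, 1)

    $results = [ordered]@{
        'CPU >= 1 GHz'               = ($cpu.MaxClockSpeed -ge 1000)
        "RAM >= $minRamGB GB"        = ($ramGB -ge $minRamGB)
        "Free disk >= $minDiskGB GB" = ($freeGB -ge $minDiskGB)
    }

    # Secure Boot needs UEFI firmware; the cmdlet throws on BIOS-based computers.
    try   { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
    catch { $results['Secure Boot enabled'] = $false }

    # BitLocker and Virtual Smart Card want a TPM that is present and ready.
    try   { $tpm = Get-Tpm; $results['TPM present and ready'] = ($tpm.TpmPresent -and $tpm.TpmReady) }
    catch { $results['TPM present and ready'] = $false }

    # Client Hyper-V: 64-bit CPU with SLAT. systeminfo prints the SLAT line in its
    # "Hyper-V Requirements" section (the line is absent once a hypervisor is running).
    $slat = systeminfo.exe | Select-String -Pattern 'Second Level Address Translation'
    $results['Client Hyper-V (64-bit + SLAT)'] = ($is64 -and ($slat -match 'Yes'))

    # Windows Store apps need 1024 x 768; Snap needs 1366 x 768.
    $video = Get-CimInstance -ClassName Win32_VideoController | Select-Object -First 1
    $w = $video.CurrentHorizontalResolution
    $h = $video.CurrentVerticalResolution
    $results['Resolution >= 1024x768 (Store apps)'] = ($w -ge 1024 -and $h -ge 768)
    $results['Resolution >= 1366x768 (Snap)']       = ($w -ge 1366 -and $h -ge 768)

    foreach ($check in $results.Keys) {
        [pscustomobject]@{ Check = $check; Pass = $results[$check] }
    }
}

Test-Win81Readiness | Format-Table -AutoSize
```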
Question: Do you have to create a virtual machine with at least 1 GB of memory if you want
to install Windows 8.1 Pro on that virtual machine?
Determining Device Driver Compatibility
Besides minimum hardware requirements, you also must determine the compatibility of other computer
hardware. You should check devices such as printers, wireless keyboards, and wireless mice to ensure
that they are compatible with Windows 8.1 and that they have functioning device drivers for Windows 8.1.
Importance of Device Drivers
A device driver is a component that the Windows operating system uses to communicate with a device. It
contains device-specific code that enables the Windows operating system to use the device. Device
drivers are critical for system stability, and without them, the Windows operating system cannot
communicate with devices. Peripherals are not the only hardware that needs drivers: critical system
components such as hard drive controllers, chipsets, graphics adapters, and network adapters must also
have drivers loaded to function properly. If the specific driver for a device is not found, the Windows
operating system can use a more generic driver for a compatible device, if one is present.
Windows 8.1 includes device drivers for tens of thousands of devices, and you can add additional drivers
during or after a Windows 8.1 operating system installation.
Note: All device drivers that are included with Windows 8.1 are digitally signed, and
Windows 8.1 requires all device drivers and other kernel components to be digitally signed. You
can disable this requirement, but we strongly discourage it.
A digital signature does not change the driver functionality; it only confirms that the device driver was
not modified since it was signed. Remember that 64-bit versions of Windows 8.1 require 64-bit drivers,
and they cannot use 32-bit drivers (and vice versa).
Checking Hardware Compatibility
The Windows 8.1 setup process automatically checks the installation computer for device and driver
compatibility. However, when an organization deploys multiple installations of Windows 8.1 at once, it is a
best practice to ensure that the hardware for those computers is compatible with Windows 8.1.
Confirming hardware compatibility enables a smoother installation process.
Windows Compatibility Center for Windows 8.1
The Windows Compatibility Center for Windows 8.1 website provides information about Windows 8.1
program and device compatibility. The website contains a catalog of programs and devices, and pertinent
compatibility information, including:
Device maker and model
Links to more information about the device
Compatibility status
Available driver versions (32-bit or 64-bit)
The Windows Compatibility Center for Windows 8.1 website also enables community interaction, where
users can provide feedback for devices to confirm compatibility.
Windows Compatibility Center
http://go.microsoft.com/fwlink/?LinkId=266551&clcid=0x409
Question: Can you use a device driver from a 64-bit version of Windows 8 with a 32-bit
version of Windows 8.1?
Common Application Compatibility Issues
An application written for a specific operating system can cause problems for several reasons when you
install it on a computer with a different operating system. Generally, applications and hardware that
work on Windows 7 will continue to work on Windows 8.1. To troubleshoot and address any compatibility
issues effectively, it is important to be aware of the general areas that typically cause the most issues.
Setup and Installation of Applications
During application setup and installation, an app might try to copy files and shortcuts to folders that
existed in a previous Windows operating system, but no longer exist in Windows 8.1. This can prevent
the app from installing properly or even installing at all.
UAC
User Account Control (UAC) adds security to the Windows operating system by controlling administrator-
level access to a computer and by restricting most users to run as standard users. When users attempt to
launch an app that requires administrative permissions, the system prompts them to confirm their consent
to do so.
UAC also limits the context in which a process executes to minimize the ability of users to inadvertently
expose their computer to viruses or other malware. This change affects any application installer or update
that requires administrator permissions to run, that performs unnecessary administrator checks or actions,
or that attempts to write to a non-virtualized registry location.
However, UAC might cause the following compatibility issues:
Custom installers, uninstallers, and updaters might not be detected and elevated to run as
administrator.
Standard user apps that require administrative privileges to perform their tasks might fail or might
not make this task available to standard users.
Apps that attempt to perform tasks for which the current user does not have the necessary
permissions might fail. How the failure manifests itself depends on how the app was written.
Control Panel apps that perform administrative tasks and make global changes might not function
properly and might fail.
Dynamic-link library (DLL) apps that run by using RunDLL32.exe might not function properly if they
perform global operations.
Standard user apps writing to global locations will be redirected to per-user locations through
virtualization.
WRP
Windows Resource Protection (WRP) protects Windows resources such as files, folders, and registry keys in
a read-only state. This affects specific files, folders, and registry keys only. WRP limits updates to protected
resources to the trusted operating system installers, such as Windows Servicing. This enables better
protection for components and apps that ship with the operating system from the impact of other apps
and administrators. However, WRP might cause the following compatibility issues:
Application installers that attempt to replace, modify, or delete operating system files or registry keys
that WRP protects might fail with an error message that indicates that the resource cannot be
updated. This is because access to these resources is denied.
Applications that attempt to write new registry keys or values to protected registry keys might fail
with an error message that indicates that the change failed because access was denied.
Applications that attempt to write to protected resources might fail if they rely on registry keys or
values.
64-Bit Architecture
All Windows 8.1 editions are available as 32-bit and 64-bit versions. The 64-bit version of Windows 8.1
can run all 32-bit apps with the help of the Windows 32-bit on Windows 64-bit (WOW64) subsystem.
Considerations for the 64-bit Windows 8.1 include:
Apps or components that use 16-bit executable files, 16-bit installers, or 32-bit kernel drivers will fail
to start or will function improperly on a 64-bit version of Windows 8.1.
Installation of 32-bit kernel drivers will fail on the 64-bit system. If an installer manually adds a driver
by editing the registry, the system will not load this driver, and this can cause a system failure.
Installation of 64-bit unsigned drivers will fail on the 64-bit system. If an installer manually adds a
driver by editing the registry, the system will not load the driver during load time if it is not signed.
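To find drivers that a 64-bit Windows 8.1 loader would refuse before an image is built, this added example (not course code) joins the signature state that driverquery.exe reports for each installed driver with the third-party driver store entries from Get-WindowsDriver. It assumes an elevated session on Windows 8 / PowerShell 3.0 or later, where the DISM module is available.

```powershell
# Added example, not course code. driverquery /SI reports the signature status
# Windows itself evaluated (embedded or catalog signature); Get-WindowsDriver
# -Online lists non-inbox drivers in the driver store under their published name
# (oemNN.inf), which is the InfName driverquery shows for third-party drivers.
function Get-DriverSignatureReport {
    [CmdletBinding()]
    param()

    # CSV columns: DeviceName, InfName, IsSigned, Manufacturer
    $query = driverquery.exe /SI /FO CSV | ConvertFrom-Csv

    # Index the third-party driver store by published .inf name.
    $store = @{}
    foreach ($d in Get-WindowsDriver -Online) {
        $store[$d.Driver.ToLower()] = $d
    }

    foreach ($row in $query) {
        $entry = $store["$($row.InfName)".ToLower()]
        $provider = $null; $version = $null; $origInf = $null
        if ($entry) {
            $provider = $entry.ProviderName
            $version  = $entry.Version
            $origInf  = Split-Path -Path $entry.OriginalFileName -Leaf
        }
        [pscustomobject]@{
            Device       = $row.DeviceName
            Inf          = $row.InfName
            IsSigned     = ($row.IsSigned -eq 'TRUE')
            Manufacturer = $row.Manufacturer
            ThirdParty   = ($null -ne $entry)
            Provider     = $provider
            Version      = $version
            OriginalInf  = $origInf
        }
    }
}

# Unsigned third-party drivers are the ones to replace before the image ships.
Get-DriverSignatureReport |
    Where-Object { $_.ThirdParty -and -not $_.IsSigned } |
    Format-Table -AutoSize
```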
WFP
Windows Filtering Platform (WFP) is an application programming interface (API) that enables developers
to create code that interacts with the filtering that occurs at several layers in the networking stack and
throughout the operating system. If you are using a previous version of this API in your environment, you
might experience failures when running security-class apps, such as network scanning, antivirus programs,
or firewall apps.
Operating System Version Changes
The operating system version number changes with each operating system release. For Windows 7, the
internal version number is 6.1; for Windows 8, the internal version is 6.2; for Windows 8.1, the internal
version is 6.3. The GetVersion function returns this value when it is queried by an app. This change affects
any app or application installer that specifically checks for the operating system version, and this change
might prevent the installation from occurring or the app from running.
Kernel-Mode Drivers
Kernel-mode drivers must support the Windows 8.1 operating system or be redesigned to follow the
User-Mode Driver Framework (UMDF). UMDF is a device driver development platform that the Windows
operating system uses.
Deprecated Components
Windows 8.1 does not include several deprecated APIs and DLLs that were available in the legacy
Windows XP and Windows Vista operating systems. Windows 8.1 also uses the credential provider
framework and service isolation, which were not available in legacy Windows operating systems. Apps
that use deprecated APIs, DLLs, or old credential providers, or that do not support service isolation,
will have compatibility issues on Windows 8.1. Some of these apps will have reduced functionality, and
some might fail to start.
Understanding Application Compatibility
http://go.microsoft.com/fwlink/?LinkID=378172&clcid=0x409
Question: Can you run a program that was developed for Windows XP on Windows 8.1?
Methods for Mitigating Common Application Compatibility Issues
You can use the Application Compatibility Toolkit (ACT) to determine if your applications are
compatible with Windows 8.1. ACT also helps you determine how an update to a new version will affect
your applications. You can use ACT features to:
Verify the compatibility of your application, device, and computer with a new version of the Windows
operating system.
Verify the compatibility of a Windows update.
Become involved in the ACT community and share your risk assessment with other ACT users.
Test your web applications and websites for compatibility with new releases and security updates to
Internet Explorer.
Mitigating an application compatibility issue typically depends on various factors, such as the type of
application and the current support for an application.
Mitigation Methods
Some of the more common mitigation methods include the following:
Modifying the configuration of an existing application. Compatibility issues might require a
modification to an application configuration, such as moving files to different folders, modifying
registry entries, or changing file or folder permissions. You can use tools such as Compatibility
Administrator to detect and create application fixes, called shims, to address compatibility issues.
Contact software vendors for information about any additional compatibility solutions.
Applying updates or service packs to an application. Updates or service packs might be available to
address many compatibility issues, and they help an application to run on a new operating system
environment. After applying an update or service pack, additional application tests can ensure that
compatibility issues have been mitigated.
Upgrading an application to a compatible version. If a newer, compatible version of an application
exists, the best long-term mitigation is to upgrade to the newer version. By using this approach, you
must consider both the cost of the upgrade and any potential problems that might arise with having
two different versions of an application.
Modifying the security configuration. If your compatibility issues appear to be permissions-related, a
short-term solution is to modify the security configuration of an application. Before using this
approach, you must conduct a full risk analysis and gain consensus from your organization's security
team regarding the modifications. For example, you can mitigate Internet Explorer Protected Mode by
adding a site to the trusted site list.
Running an application in a virtualized environment. If all other methods are unavailable, you might
be able to run an application in an older version of the Windows operating system by using
virtualization tools such as Client Hyper-V.
Using application compatibility features. You can mitigate application issues, such as operating
system versioning, by running an application in compatibility mode. You can access this mode by
right-clicking the shortcut or .exe file, and then selecting compatibility mode from the Compatibility
tab.
Selecting another application that performs the same business function. If another compatible
application is available, consider switching to it. When using this approach, you must consider both
the cost of the application and the cost of employee support and training.
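The compatibility-mode mitigation above, and the operating system version check it addresses, as an added example that is not course code: the Compatibility tab stores its choices as string values under the AppCompatFlags\Layers registry key (HKCU for one user, HKLM for all users), with the full .exe path as the value name. The .exe path used below is a constructed placeholder.

```powershell
# Added example, not course code. Each value under ...\AppCompatFlags\Layers is
# named after a full .exe path; its data lists the layers, prefixed with "~ " on
# Windows 8 and later. An OS layer such as WIN7RTM makes GetVersion report the
# older version number to that program only, which is the fix for installers
# that refuse anything but an exact version; RUNASADMIN makes UAC elevate an
# installer that does not request elevation itself.
$LayersSubKey = 'Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'

function Set-CompatibilityLayer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExePath,
        [ValidateSet('WINXPSP3', 'VISTASP2', 'WIN7RTM', 'WIN8RTM')] [string] $OsMode,
        [switch] $RunAsAdmin,
        [switch] $AllUsers    # writes to HKLM, which needs an elevated session
    )
    $layers = @()
    if ($OsMode)     { $layers += $OsMode }
    if ($RunAsAdmin) { $layers += 'RUNASADMIN' }
    if ($layers.Count -eq 0) { throw 'Specify -OsMode, -RunAsAdmin, or both.' }

    $hive = if ($AllUsers) { 'HKLM:\' } else { 'HKCU:\' }
    $key  = $hive + $LayersSubKey
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }

    $data = '~ ' + ($layers -join ' ')
    Set-ItemProperty -Path $key -Name $ExePath -Value $data -Type String
    return $data
}

function Get-CompatibilityLayer {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $ExePath, [switch] $AllUsers)
    $hive = if ($AllUsers) { 'HKLM:\' } else { 'HKCU:\' }
    $key  = $hive + $LayersSubKey
    if (-not (Test-Path -Path $key)) { return $null }
    (Get-Item -Path $key).GetValue($ExePath)   # $null when no layer is set
}

function Remove-CompatibilityLayer {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $ExePath, [switch] $AllUsers)
    $hive = if ($AllUsers) { 'HKLM:\' } else { 'HKCU:\' }
    $key  = $hive + $LayersSubKey
    Remove-ItemProperty -Path $key -Name $ExePath -ErrorAction SilentlyContinue
}

# Usage: a legacy app that refuses to start because it checks for version 6.1.
$app = 'C:\LegacyApps\Inventory\inventory.exe'        # constructed placeholder
Set-CompatibilityLayer -ExePath $app -OsMode WIN7RTM  # writes "~ WIN7RTM"
Get-CompatibilityLayer -ExePath $app
Remove-CompatibilityLayer -ExePath $app
```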
Download Windows Assessment and Deployment Toolkit (Windows ADK)
http://go.microsoft.com/fwlink/?LinkId=378203&clcid=0x409
Application Compatibility Toolkit (ACT) Technical Reference
http://go.microsoft.com/fwlink/?LinkId=378204&clcid=0x409
Lesson 2
Installing Windows 8.1
Although you can perform a Windows 8.1 installation by using a number of different methods, the image-
based nature of the installation process and the desired result, a properly functioning Windows 8.1
computer, remain consistent, regardless of the method. Determining which method to use and how to
best implement that method are important parts of the planning process for a Windows 8.1 installation.
This lesson will help you analyze the reasons behind using certain methods, and it will help you
understand how you can implement those methods. Also, this lesson will introduce you to Windows To
Go and native boot virtual hard disk methods.
Lesson Objectives
After completing this lesson, you will be able to:
Explain the options for installing Windows 8.1.
Describe the methods for performing a clean installation.
Explain how to upgrade to Windows 8.1.
Identify the supported Windows 8.1 upgrade paths.
Explain how to migrate to Windows 8.1.
Describe Windows To Go.
Explain how to boot from a native boot virtual hard disk.
Options for Installing Windows 8.1
You can install Windows 8.1 in a number of different ways, including the following:
Clean installation. A clean installation of Windows 8.1 occurs when the hard disk on which you are
installing the Windows operating system contains no previous Windows installation, or when you erase
the disk prior to installation. To perform a clean installation on a computer without an operating
system, start the computer directly from the DVD. If the computer already has an operating system, run
Setup.exe to start the installation. You can run Setup.exe from the following sources:
o DVD
o Network share
o USB drive
You also can use an image to perform a clean installation.
Note: If you perform a clean installation on a hard disk partition that contains a Windows
operating system, the existing Windows files are moved to a \Windows.old directory. This
includes files in the Users and Program Files folders and the Windows directory.
Upgrade installation. Perform an upgrade, which also is known as an in-place upgrade, when you
want to replace an existing version of Windows with Windows 8.1, and you need to retain all user
applications, files, and settings. To perform an in-place upgrade to Windows 8.1, run the Windows 8.1
Setup.exe installation program, and then click Upgrade. You can run Setup.exe from the product DVD
or from a network share. During an in-place upgrade, the Windows 8.1 installation program
automatically retains all user settings, data, hardware device settings, apps, and other configuration
information. Always back up all of your important data before performing an upgrade.
Migration. You perform a migration when you have a computer that is already running Windows 7,
and you need to move files and settings from your old operating system (the source computer) to the
Windows 8.1 computer (the destination computer). Perform a migration by doing the following:
o Back up user settings and data
o Perform a clean installation
o Reinstall the apps
o Restore user settings and data
There are two migration scenarios: side-by-side, and wipe-and-load, which also is called refresh. In side-by-
side migration, the source computer and the destination computer are two different computers. In wipe-
and-load migration, the target computer and the source computer are the same. To perform wipe-and-
load migration, you perform a clean installation of Windows 8.1 on a computer that already has an
operating system by running the Windows 8.1 installation program, and then clicking Custom (advanced).
You can perform an automated installation when you use any of the above installation methods in
combination with an automation tool, such as MDT, to make the installation more seamless or to remove
repetitive tasks from the installation process. Automated installations can take many forms, including
pushing premade images to computers by using an enterprise-level tool, such as MDT, Windows DS, and
Windows ADK, or even by creating an answer file manually to provide information directly to the
installation process.
Question: What is the main difference between a clean installation of Windows 8.1 and
migration to Windows 8.1?
Methods for Performing a Clean Installation
The most common form of deployment in medium-sized and large environments is a clean installation.
Clean installations involve deploying an operating system to new hardware that has no existing
operating system, or wiping an existing operating system and installing a new operating system.
Compared to performing an upgrade, a clean installation has some benefits and drawbacks, which are
outlined in the following table.

                     Benefits                                 Drawbacks
Clean installation   Can be automated                         Existing applications are not retained
                     Quickest form of deployment              Must use a special procedure to retain
                     Supported in all scenarios               user state data
Upgrade              Existing data and applications           Difficult to automate
                     are retained                             Only supported in certain scenarios

You can perform a clean deployment of the Windows 8.1 operating system by using the following
methods:
Install from DVD. To use this method, the computer you are installing on must have a connected
optical drive. You can use the installation media provided with a retail copy of the operating system
or a copy of the installation media that is obtained from the Microsoft volume licensing service and
then written to optical media. You can use a customized image with optical media, but the size of the
image is constrained by the maximum amount of data that can be stored on a DVD. This installation
method also is slower than installing from a USB device.
Install from USB. Retail versions of Windows 8.1 are available in this form. The drawback of this
method is that one USB device can install the operating system only on one computer at a time. You
can use customized images for this installation method. Installation from a USB device is quicker than
an installation from a DVD, but it requires you to modify BIOS or UEFI settings on the target
computer to allow boot from USB. You can perform an unattended installation if an unattended
installation file is located on the USB device.
Install from Windows DS. To use this method, you must deploy Windows DS and Dynamic Host
Configuration Protocol on Windows-based servers on the LAN. Another requirement is that target
computers must have a Pre-Boot Execution Environment (PXE) network card, or you must configure a
boot device to allow network communication. You can use this installation method with an
unattended installation file configured on a Windows DS server, with multiple operating system
images, and to deploy Windows 8.1 to multiple computers at once by using multicast.
Perform an image-based installation. You can use the Windows Preinstallation Environment (PE) to
start a computer and then use Deployment Image Servicing and Management (DISM) to apply the
Windows 8.1 image. You also can use deployment solutions such as MDT and Configuration Manager
to automatically deploy Windows 8.1 and apps across networks. By using MDT and Configuration
Manager, you can configure light-touch installation (LTI) and ZTI. During the deployment, LTI requires
minimal user interaction, whereas ZTI requires no user interaction.
Install from a shared network folder. This method involves starting the computer by using
Windows PE and connecting to a copy of the installation files stored on a shared network folder. This
method is no longer commonly used because other methods are more efficient, such as installation
from USB devices, Windows DS, MDT, or Configuration Manager.
The method that you use to perform a clean installation depends on your organization's business
requirements. An organization performing a small number of Windows 8.1 deployments that do not
require substantial customization should use either the installation from DVD or installation from USB
method. An organization that performs a large number of Windows 8.1 deployments should consider
using MDT or Configuration Manager.
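The image-based method described above, as an added example that is not course content: run from a Windows PE session (with the WinPE PowerShell optional component) on a UEFI computer, it partitions the disk, applies one index from install.wim with DISM, injects additional drivers offline, and writes the boot files. The image and driver paths, and the choice of disk 0, are placeholders for your own deployment share or USB key.

```powershell
# Added example, not course code. Assumes WinPE on a UEFI computer; disk 0 is the
# target and is ERASED. D:\Images\install.wim and D:\Drivers are placeholders.
$ImageFile  = 'D:\Images\install.wim'
$DriverDir  = 'D:\Drivers'
$TargetDisk = 0

# 1. List the indexes in the WIM so the right edition can be chosen in step 3.
dism.exe /Get-ImageInfo "/ImageFile:$ImageFile"

# 2. GPT layout for UEFI: EFI system partition (S:), MSR, and Windows (W:).
$diskpartScript = @"
select disk $TargetDisk
clean
convert gpt
create partition efi size=100
format quick fs=fat32 label="System"
assign letter="S"
create partition msr size=128
create partition primary
format quick fs=ntfs label="Windows"
assign letter="W"
exit
"@
$diskpartScript | Out-File -FilePath X:\partition.txt -Encoding ascii   # X: is the WinPE RAM disk
diskpart.exe /s X:\partition.txt
if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

# 3. Apply the chosen image index to the Windows partition.
dism.exe /Apply-Image "/ImageFile:$ImageFile" /Index:1 /ApplyDir:W:\
if ($LASTEXITCODE -ne 0) { throw "DISM apply failed with exit code $LASTEXITCODE" }

# 4. Add drivers offline. DISM skips unsigned drivers by default, and a 64-bit
#    Windows 8.1 would not load them anyway, so do not force them in.
if (Test-Path -Path $DriverDir) {
    dism.exe /Image:W:\ /Add-Driver "/Driver:$DriverDir" /Recurse
    if ($LASTEXITCODE -ne 0) { throw "DISM driver injection failed with exit code $LASTEXITCODE" }
}

# 5. Write the UEFI boot files to the system partition.
bcdboot.exe W:\Windows /s S: /f UEFI
if ($LASTEXITCODE -ne 0) { throw "bcdboot failed with exit code $LASTEXITCODE" }
```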
Question: What happens with user settings, data, and installed apps if you perform a clean
installation of Windows 8.1 on a computer that has Windows 7 installed?
Upgrading to Windows 8.1
When you perform an upgrade installation of Windows 8.1, it replaces the existing version of the
Windows operating system, but it retains user settings and applications. When you use this method, you
directly upgrade computers that run older versions of the Windows operating system to Windows 8.1.
The Windows 8.1 installation program runs with minimal user interaction, and it automatically retains
all user settings, data, hardware device settings, applications, and other configuration information.
You also can specify additional settings by using unattended-setup answer files. All previously
installed applications remain installed. You typically perform an upgrade when you do not want to
reinstall all of your applications. Additionally, consider performing an upgrade when you:
Are upgrading from a recent version of the Windows operating system that has compatible
applications.
Do not have the storage space to store your user state.
Are not replacing existing computer hardware.
Plan to upgrade the Windows operating system on a few computers only.
Evaluating an Upgrade Scenario
In any potential upgrade scenario, there might be certain variables that favor an upgrade. However, there
also are disadvantages.
Advantages
Retains user settings, application settings, and files with no additional effort
Preserves installed applications and typically does not require reinstallation of the applications
Does not require additional storage space for migration files
Impacts user productivity minimally and preserves user settings and data
Provides a simpler setup process
Disadvantages
Does not take advantage of the opportunity to start fresh with standardized reference configurations
Preserved applications might not work correctly after upgrading from an earlier version of the Windows
operating system
Remnant files or settings from an in-place upgrade might contribute to performance and security issues
Does not allow Windows operating system edition changes
Can be done only on supported operating systems
Data Retention in a Windows 8.1 Upgrade
When you run an upgrade, Windows Setup automatically detects existing operating systems and their
potential for upgrade. Depending on the version of the operating system, you might see the following
options for retaining data from the previous version of the Windows operating system:
Windows settings. Windows settings, such as your desktop background or Internet favorites and
history, will be kept. Windows Setup does not move all settings.
Personal files. Anything that you save in the User folder is considered a personal file, such as the
Documents and Desktop folders.
Desktop apps. Some apps are compatible with Windows 8.1, and they will operate properly when you
install Windows 8.1. However, you may have to install some desktop apps after Windows 8.1 finishes
installing, so be sure to find the installation discs and installers for desktop apps that you want to
keep.
Nothing. Deletes everything and replaces your current version with a copy of Windows 8.1. Your
personal files will be moved to a Windows.old folder.
Upgrade Considerations
The following considerations might be critical in determining whether you choose to upgrade:
Amount of interaction. An upgrade does not require significant user interaction. You can use an
answer file to further minimize user interaction and effort when performing an upgrade.
State of user data. An upgrade does not require reinstallation of apps or any of the user settings, data,
hardware device settings, or other configuration information. However, you might have to reinstall
some apps after you perform an upgrade.
Note: You can perform an upgrade only if you run Setup.exe from the existing Windows
installation. You cannot perform an upgrade if you start a computer from Windows installation
media.
Question: Can you upgrade Windows 7 Pro to Windows 8.1 Pro if you start a computer from
Windows 8.1 DVD installation media?
Supported Windows 8.1 Upgrade Paths
Performing an upgrade to Windows 8.1 can save time and enable you to retain user and computer settings
from a previous version of the Windows operating system. However, the version of the Windows operating
system from which you are upgrading will dictate what options are available for the upgrade process.
Windows 8.1 Upgrade Paths
The following table lists operating systems and upgrade path restrictions for upgrading to
Windows 8.1.
Upgrading to Windows 8.1   Keep Windows settings,      Keep Windows settings and      Keep personal files
                           personal files, and apps    personal files (data and       only (data only)
                                                       system settings)
Windows XP SP3             No                          No                             Yes
Windows Vista SP2          No                          Yes                            Yes
Windows 7                  No                          Yes                            Yes
Windows 8                  Yes                         No                             Yes
Windows 8.1                Yes                         No                             Yes
Note: You cannot preserve Windows settings and apps if you perform a cross-language
installation of Windows 8.1.
Upgrade Paths for Windows Operating System Editions
You cannot upgrade previous versions of the Windows operating system that do not have the same
features as the edition of Windows 8.1 that you are installing. The following table lists upgrade
possibilities based on the editions of Windows 7 and Windows 8.1.
Windows 7 edition   Windows 8.1   Windows 8.1 Pro   Windows 8.1 Enterprise
Enterprise          No            No                Yes
Ultimate            No            Yes               No
Professional        No            Yes               Yes
Home Premium        Yes           Yes               No
Home Basic          Yes           Yes               No
Starter             Yes           Yes               No

Even though an upgrade path is supported, it does not necessarily mean that you should perform an
upgrade installation by following that path. You should evaluate considerations for both upgrades and
migrations.
Windows 8 and Windows 8.1 upgrade paths
http://go.microsoft.com/fwlink/?LinkId=378205&clcid=0x409
Question: Can you upgrade the 32-bit version of Windows 8 Pro to the 64-bit version of
Windows 8.1 Pro?
Migrating to Windows 8.1
When you install Windows 8.1 by using a
migration scenario, you first must perform a clean
installation of Windows 8.1, followed by the
migration of user settings and data from the older
version of the Windows operating system to
Windows 8.1. Depending on your business
environment, you can use two migration
scenarios: side-by-side migration and in-place
migration. In a migration scenario known as a
refresh computer scenario or in-place migration,
the source computer and the destination
computer are the same, whereas in a side-by-side
migration scenario, the source computer and the destination computer are different. Both migration
scenarios require a clean installation of Windows 8.1. When you migrate previous configurations from an
old operating system, you are moving files and settings to a clean installation of a Windows 8.1 operating
system.
Evaluating a Migration Scenario
In any potential upgrade scenario, there might be certain variables that favor a migration. However, there
also are disadvantages.
Advantages
Offers the opportunity to clean up existing workstations and to create more stable and secure desktop environments. It takes advantage of the opportunity for a fresh start, which is a significant advantage when creating a managed environment.
Avoids the performance degradation issues associated with an in-place upgrade scenario because there are no remnant files and settings.
Allows for the installation of any edition without concern for what edition was running previously.
Provides the opportunity to reconfigure hardware-level settings, such as disk partitioning, before installation.
Prevents the migration of viruses, spyware, and other malicious software to the new installation of the Windows operating system. Security settings can be hardened by using Group Policy and security templates.
Disadvantages
Requires the use of migration tools, such as Windows Easy Transfer or the User State Migration Tool (USMT), to save and restore user settings and data.
Requires the reinstallation of applications.
Requires storage space for the user settings and files to be migrated.
Might have an impact on user productivity because of the reconfiguration of applications and settings.

Steps for Performing a Migration
Typical steps in a migration scenario include:
1. Back up a computer's entire hard disk.
2. Save user settings and data for migration.
3. Perform a clean installation of Windows 8.1.
4. Reinstall applications.
5. Restore user settings and data.
Migration Scenarios
When planning a migration, you have to determine how you will move existing data to the newly
deployed operating system. The method that you use depends on the tools and resources that you have
available. In enterprise environments, you can use Configuration Manager to automate the migration
process. Migration strategies also depend on whether users will be moving to new computers, or whether
they will use existing computers with a new operating system. You can perform the following types of
migration:
Side-by-side migration. In a side-by-side migration, data and settings are moved from the original
operating system on one computer to the destination operating system on another computer. In
most automated side-by-side migrations, migration data is transmitted across a network. You also can
transfer migration data by using removable storage devices, although this is only practical when the
migration is performed manually.
Wipe-and-load migration. In a wipe-and-load migration, migration data is captured and moved to a
location off of the computer, usually a network shared folder. After this, the source operating system
is wiped from the host. The destination operating system replaces the source operating system and
the migration data is then restored from the safe location.
Operating system refresh. This migration type is similar to a wipe-and-load migration. However, in
this type of migration, the source and destination operating systems are the same. You might perform
this type of migration when upgrading to a new operating system service pack, or if the original
operating system deployment suffers some type of corruption that makes a refresh operation more
practical than an attempt to resolve the fault manually.
Choosing When to Perform a Migration
Perform a migration when you:
Want a standardized environment for all users who are running a Windows operating system. A
migration takes advantage of a clean installation. A clean installation ensures that all of your systems
begin with the same configuration and that all applications, files, and settings are reset. With a
migration, you also can ensure that you retain user settings and data.
Have storage space to store the user state. Typically, you will need storage space to store the user
state when performing migration. USMT introduces hard-link migration, in which case you do not
need extra storage space. This is only applicable to wipe-and-load migrations.
Plan to keep existing computer hardware. If you do not plan to replace existing computers, you still
can perform a migration by performing a wipe-and-load migration.
Windows 8.1 also includes built-in functions that allow a refresh of the operating system. These are called
Reset your PC and Refresh your PC. PC refresh keeps all personal data and Windows Store apps, but you
must reinstall other software. PC reset returns the operating system to its original state, removing any
installed applications, settings, and user data. PC refresh and PC reset must be performed locally. If you
wanted to perform an operating system refresh across multiple computers, you would automate the task
with Configuration Manager.
Question: You have a user who wants to upgrade a Windows XP computer to Windows 8.1.
The computer meets all of the hardware requirements for Windows 8.1. The user wants to
retain all of the existing user settings and applications. The user has no time-related
requirements and can be without the computer while you install Windows 8.1. How should
you perform the Windows 8.1 installation?
What Is Windows To Go?
Windows To Go is a special deployment option
that is available in the Windows 8.1 Enterprise
edition. You can use Windows To Go to deploy
the Windows 8.1 Enterprise edition to a specially
prepared USB storage device. You then can use
this USB storage device to start any compatible
computer. When a Windows To Go device is
started on a new computer, the boot process
detects the computer's hardware and installs
appropriate drivers. When the same Windows To
Go device is used to start the same computer
again, the appropriate drivers are loaded
automatically and Windows To Go starts normally. Windows To Go can store the hardware configurations
of multiple computers.
Windows To Go Restrictions
Windows To Go functions in a way that is very similar to a traditional Windows 8.1 desktop deployment,
but with the following restrictions:
By default, sleep and hibernation are disabled in Windows To Go. Though it is possible to enable this
functionality by configuring Group Policy, this can lead to data corruption.
Fixed internal disks on the host computer are offline. This is a security measure to ensure that third
parties do not gain access to files on the host computer's file system by booting computers using
Windows To Go.
BitLocker uses a boot password rather than a TPM password because the Windows To Go device will
be used across multiple computers.
Windows Recovery Environment (RE) and push-button reset are disabled.
Only Windows 8.1 Enterprise edition is licensed to be installed on Windows To Go devices.
A USB storage device prepared with an x86 version of Windows To Go can be used with a computer
with an x86 or an x64 processor.
A USB storage device prepared with an x64 version of Windows To Go can only be used with a computer
that has an x64-compatible processor.
Windows RT devices cannot be used with Windows To Go.
The Windows Store is disabled by default in Windows To Go.
The USB storage device with the Windows To Go deployment can be removed from the computer for
up to 60 seconds. If the USB device is not reconnected in that time, the computer will restart.
Windows To Go Requirements
Windows To Go only works with specific USB storage devices that are certified by Microsoft. One of the
requirements for Windows To Go is that the operating system recognizes the USB device as a fixed disk.
You create Windows To Go devices by using the Windows To Go Wizard. This wizard only is available on
computers that are running the Enterprise edition of Windows 8.1. You can start a computer from a
Windows To Go device if it is connected to a USB 2.0 or USB 3.0 port.
Comparing Windows To Go and Traditional Windows 8.1 Deployments
Windows To Go and traditional deployments differ in several ways, and both methods have their benefits
and drawbacks. Some of the key differences are as follows:
To use Windows To Go, you must configure the computer to boot from a USB device. Enabling boot
from USB poses a security risk because it can allow access to a computer's volumes if technologies
such as BitLocker are not in use. Organizations should be wary of allowing non-administrative users to
boot from USB devices.
In a traditional deployment, BitLocker can be configured to use TPM. Windows To Go does not have
this security and only allows BitLocker to use a passphrase. The Windows To Go boot environment
might be modified by malicious software.
On Windows To Go, the Windows Store is disabled by default. You can change this by editing the
Allow Store to install apps on the Windows To Go workspaces policy setting, located in the
Computer Configuration\Administrative Templates\Windows Components\Store node of the Group
Policy Management Editor. Windows Store is enabled by default on a traditionally deployed
computer running Windows 8.1.
Sleep and hibernation are disabled by default in Windows To Go and enabled on traditionally
deployed Windows 8.1 systems. If a user accidentally leaves his or her Windows To Go device in a
running computer, the computer will not shut down.
In a traditional installation, data is stored locally on hard disks. In Windows To Go, data is stored on a
USB device. USB devices are more likely to fail, which means that local data is more likely to be lost.
Users also are more likely to misplace a USB device than a portable computer.
Windows To Go allows users to take their apps and data with them. As long as they have compatible
hardware, they can access their apps and data.
Windows To Go assists information technology (IT) departments that want to allow users to use their
own devices, but also want to ensure that only securely managed operating systems can interact with
sensitive services on a network.
Note: A computer must be compatible with Windows 8.1 if you want to use it with
Windows To Go.
Windows To Go feature overview
http://go.microsoft.com/fwlink/?LinkId=378206&clcid=0x409
Question: When would you use Windows To Go in your company?
Booting from a Native Boot Virtual Hard Disk
You can configure Windows 8.1 Pro and
Enterprise editions for native boot from a virtual
hard disk, which can have a .vhd or .vhdx
extension. You can configure a computer to start
from a single virtual hard disk or from different
virtual hard disks. Booting from a virtual hard disk
is advantageous compared to configuring
traditional dual boot because it is not necessary to
create a new volume when deploying an
additional operating system. You can configure a
computer to boot between multiple virtual hard
disk files stored on the same volume.
Planning for Virtual Hard Disk with Native Boot
Configuring a virtual hard disk with native boot includes creating and preparing the virtual hard disk,
installing or applying the Windows image, adding the virtual hard disk native boot option to the startup
menu, and restarting the computer. You can create a virtual hard disk by using Disk Management or
Diskpart.exe. Deploy Windows images by using Dism.exe, and add the boot option by using Bcdboot.exe.
Some of the main points to consider when planning for virtual hard disk with native boot are volume size,
deployment options, and operating systems that can be used for native boot.
Volume size
You must configure a virtual hard disk to have a smaller maximum size than the volume that hosts the
virtual hard disk. For example, if you have a 200 GB volume and a virtual hard disk that represents a 500
GB volume, the computer will be unable to boot, even if the virtual hard disk only consumes 100 GB of
the possible 500 GB. Multiple virtual hard disk files can reside on the same volume, although it is
necessary to keep volume size restrictions in mind when placing more than one virtual hard disk on a
volume. For example, you can create a 15 GB virtual hard disk, create a simple volume, and format it by
running the following commands:
diskpart
create vdisk file=C:\windows81.vhdx maximum=15000 type=fixed
select vdisk file=C:\windows81.vhdx
attach vdisk
create partition primary
assign letter=F
format quick
exit
Deployment options
You can deploy a virtual hard disk to a new computer in a preconfigured state, with apps already installed
and operating system settings already configured. You can copy a prepared virtual hard disk file to a new
computer and then configure the computer to boot from that virtual hard disk. You also can configure
Windows DS to deploy virtual hard disks as operating system images, just as you can configure
Windows DS to deploy operating system images in .wim file format. You can apply the first image from
the Install.wim file by running the following command:
Dism /Apply-Image /ImageFile:Install.wim /Index:1 /ApplyDir:F:\
Operating system
Computers that run Windows 8.1 Pro and Enterprise editions can use native boot from virtual hard disk.
After an image is applied to a virtual hard disk, you can add the native boot from virtual hard disk option
by running the following commands:
cd F:\Windows\System32
bcdboot F:\Windows
After you run these commands, the option for native boot is added to the startup menu, and you can
select it after you restart the computer.
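The native-boot procedure above (DiskPart to create and format the virtual hard disk, Dism to apply the image, Bcdboot to add the boot entry), combined with the volume-size rule from the Volume size section, as an added example that is not part of the course text and not a Microsoft tool. The function names plan_native_boot(), check_host_volume() and run_plan() are this example's own, and the sizes in the usage call are constructed values. The plan is built and checked offline; run_plan() only works in an elevated prompt on Windows, where diskpart, Dism and bcdboot exist.

```python
"""Preflight checks and command plan for native boot from a .vhdx.

Encodes the rules from the text: the virtual hard disk's maximum size must be
smaller than the volume that hosts the .vhdx file, and a fixed-size disk is
allocated in full when DiskPart creates it, so that much space must be free.
Names are this example's own; run_plan() needs an elevated prompt on Windows.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

MB = 1024 * 1024


def diskpart_script(vhd_path: str, max_mb: int, letter: str, fixed: bool) -> str:
    """DiskPart script: create, attach, partition and format the virtual hard disk."""
    kind = "fixed" if fixed else "expandable"
    return "\n".join([
        f"create vdisk file={vhd_path} maximum={max_mb} type={kind}",
        f"select vdisk file={vhd_path}",
        "attach vdisk",
        "create partition primary",
        f"assign letter={letter}",
        "format fs=ntfs quick",
        "exit",
    ]) + "\n"


def check_host_volume(max_mb: int, volume_total: int, volume_free: int, fixed: bool) -> list[str]:
    """Reasons the VHD cannot be hosted on this volume (sizes in bytes); empty means OK."""
    problems = []
    if max_mb * MB >= volume_total:
        problems.append(f"VHD maximum {max_mb} MB is not smaller than the host volume "
                        f"({volume_total // MB} MB): the computer would not boot from it")
    if fixed and max_mb * MB > volume_free:
        problems.append(f"fixed VHD needs {max_mb} MB free at creation; "
                        f"volume has {volume_free // MB} MB free")
    return problems


def plan_native_boot(vhd_path: str, max_mb: int, image_file: str, index: int, letter: str,
                     volume_total: int, volume_free: int, fixed: bool = True) -> list[dict]:
    """Ordered plan (DiskPart, then DISM, then Bcdboot); raises ValueError on a failed check."""
    problems = check_host_volume(max_mb, volume_total, volume_free, fixed)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        {"tool": "diskpart", "script": diskpart_script(vhd_path, max_mb, letter, fixed)},
        {"tool": "dism", "args": ["Dism", "/Apply-Image", f"/ImageFile:{image_file}",
                                  f"/Index:{index}", f"/ApplyDir:{letter}:\\"]},
        # Bcdboot copies boot files from the applied image and adds the native-boot entry.
        {"tool": "bcdboot", "args": ["bcdboot", f"{letter}:\\Windows"]},
    ]


def plan_for_path(vhd_path: str, max_mb: int, image_file: str, index: int = 1,
                  letter: str = "F", fixed: bool = True) -> list[dict]:
    """Measure the volume that will hold the .vhdx file, then build the plan."""
    usage = shutil.disk_usage(Path(vhd_path).anchor or ".")
    return plan_native_boot(vhd_path, max_mb, image_file, index, letter,
                            usage.total, usage.free, fixed)


def run_plan(plan: list[dict]) -> None:
    """Execute each step in order and stop at the first failure (Windows only)."""
    for step in plan:
        if step["tool"] == "diskpart":
            with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as script:
                script.write(step["script"])
            subprocess.run(["diskpart", "/s", script.name], check=True)
        else:
            subprocess.run(step["args"], check=True)


if __name__ == "__main__":
    # Constructed sizes: a 200 GB host volume with 60 GB free.
    for step in plan_native_boot(r"C:\windows81.vhdx", 15000, "Install.wim", 1, "F",
                                 200 * 1024 * MB, 60 * 1024 * MB):
        print(step.get("script") or " ".join(step["args"]))
```

check_host_volume() rejects the 500 GB-on-200 GB case from the text and, for a fixed-size disk, also confirms that the host volume has the full maximum size free, because DiskPart allocates a fixed disk in full when it creates it. An expandable disk passes the second check but is still subject to the first: the maximum, not the current file size, is what must fit on the host volume.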
Deploy Windows on a virtual hard disk with native boot
http://go.microsoft.com/fwlink/?LinkId=378207&clcid=0x409
Question: Do you need to enable the Client Hyper-V feature if you want to use native boot
from a virtual hard disk that contains Windows 8.1 Pro?
Lab A: Installing Windows 8.1
Scenario
A. Datum Corporation is considering the use of Windows 8.1 as its client operating system. You have been
provided with a testing environment and asked to install Windows 8.1 to evaluate the new environment.
For the initial installation on a single computer, you will use default Windows 8.1 DVD media.
Objectives
After completing this lab, you will be able to:
Plan to install Windows 8.1.
Perform a clean installation of Windows 8.1.
Lab Setup
Estimated Time: 40 minutes
Virtual machine: 20687C-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd
Only LON-REF1 is used for this lab. You do not need to sign in to any virtual machine to perform this lab.
Exercise 1: Planning to Install Windows 8.1
Scenario
Prior to installing Windows 8.1, establish an installation plan by reading the request.
A. Datum Wireless Network Requirements
Document reference: HD-02-05-13
Document author: Holly Dickson
Date: Dec 2, 2013
Requirements Overview
A. Datum Corporation wants to create a test environment for a new app that was developed internally.
Ideally, we would like to be able to test the app on several different operating systems, but we have
been provided with only one system. We have been told that Windows 8.1 supports the same
virtualization as the servers in our production environment with Hyper-V, so maybe we could do it that
way? We also need to be able to create Windows To Go UFD media.
The computer that we have been given has a quad-core, 2 gigahertz (GHz) processor and 4 gigabytes
(GB) of RAM. The processor supports Intel VT. It also has a 320 GB hard drive and a 512-megabyte (MB)
graphics processing unit (GPU).
The computer should be prepared for the Development team as soon as possible.


The main tasks for this exercise are as follows:
1. Determine whether the customer's computer meets the minimum requirements for Windows 8.1.
2. Select the appropriate Windows operating system edition to install on LON-REF1.
Task 1: Determine whether the customer's computer meets the minimum
requirements for Windows 8.1
Answer the following questions:
Questions
1. Does the customer's computer meet the
minimum system requirements for
Windows 8.1 in the following areas:
a. Processor
b. RAM
c. Hard-disk space
d. GPU

2. Does the customer's computer meet the
requirements for the following features:
Client Hyper-V

Task 2: Select the appropriate Windows operating system edition to install on
LON-REF1
Given the hardware that you are using and the features that you require, which edition and version of
Windows 8.1 should you install on LON-REF1?

Results: After completing this exercise, you should have evaluated the installation environment, and then
selected the appropriate Windows operating system edition to install.
Exercise 2: Performing a Clean Installation of Windows 8.1
Scenario
You have confirmed that LON-REF1 meets the installation requirements for Windows 8.1. Your next step is
to install the Windows 8.1 operating system on LON-REF1 and to confirm the success of the installation.
The main tasks for this exercise are as follows:
1. Attach the Windows 8.1 DVD image file to LON-REF1.
2. Install Windows 8.1 on LON-REF1.
3. Confirm the successful installation of Windows 8.1 on LON-REF1.
Task 1: Attach the Windows 8.1 DVD image file to LON-REF1
1. Open the Hyper-V Manager console on the host computer, and then open the Settings page for
20687C-LON-REF1.
2. On the Settings page, click DVD Drive, and then attach the image file located at
D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso.
Task 2: Install Windows 8.1 on LON-REF1
1. Start the 20687C-LON-REF1 virtual machine. When the Windows Setup screen appears, select the
appropriate regional settings, and then click Next.
2. Perform the installation of Windows 8.1 by using the following information:
o Installation type: Custom
o Location: Drive 0
o PC name: LON-REF1
o Settings: Express settings
o Account: Local account
o User name: User
o Password: Pa$$w0rd
Task 3: Confirm the successful installation of Windows 8.1 on LON-REF1
1. Confirm that the Windows 8.1 Start screen appears. Open System properties, and verify that:
o Windows 8.1 Enterprise Evaluation is installed
o The computer name is LON-REF1
o The computer is a member of a workgroup
2. Sign out.

Results: After completing this exercise, you should have performed a clean installation of Windows 8.1.
To prepare for the next lab
When you are finished with the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-REF1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Lesson 3
Customizing and Preparing a Windows 8.1 Image for
Deployment
The Windows 8.1 installation process is designed to be as fast and efficient as possible. However, installing
Windows 8.1 on multiple computers can be a time-consuming process if you do it manually on each
computer.
To expedite Windows 8.1 installation on multiple computers, or to standardize the Windows 8.1
installation process, Windows 8.1 deployment can be customized and automated. This lesson will
introduce you to the various tools and technologies that you can use to manage and automate
installation of Windows 8.1.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the Windows image file format.
Describe tools for performing an image-based installation.
Explain the image-based installation process.
Describe how to use answer files to automate an installation process.
Build an answer file by using Windows System Image Manager (SIM).
Explain how to prepare a reference installation by using the System Preparation Tool (Sysprep).
Describe Windows PE.
Create bootable Windows PE media.
Explain how to use DISM to capture and apply an installation image.
Explain how to modify and maintain Windows images.
The Windows Image File Format
The Windows Image File Format is a public, file-
based disk image format that was developed by
Microsoft. Windows image files are compressed
packages that can contain several related files. All
Windows 8.1 installations use the .wim file format.
When installing Windows 8.1, you apply an image
to the hard disk. This process occurs at a file level
instead of at a hard-disk sector level.
Windows Image File Structure
A Windows image file structure contains up to six
types of resources:
Header. Defines the Windows image file content, such as memory, location of key resources
(metadata resource, lookup table, and XML data), and Windows image file attributes (version, size,
and compression type).
File Resource. A series of packages that contain captured data, such as source files.
Metadata Resource. Stores information on how captured data is organized in the Windows image file,
including directory structure and file attributes. There is one metadata resource for each image in a
Windows image file.
Lookup Table. Contains the memory location of resource files in the Windows image file.
XML Data. Contains additional miscellaneous data about the Windows image, such as directory and
file counts, total bytes, creation and modification times, and description information.
Integrity Table. Contains security hash information that is used to verify the integrity of the image
during an apply operation. This is created when you set the /check switch during a capture
operation.
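The header and lookup-table layout described above, as an added example that is not part of the course text and not Microsoft's WIMGAPI. The parser follows the public Windows Imaging File Format specification (a 208-byte header, 24-byte resource headers, and 50-byte lookup-table entries that carry each resource's SHA-1); build_sample_wim() constructs a minimal, uncompressed .wim-shaped byte string so the code runs offline without a real image. All class and function names are this example's own.

```python
"""Parse the header and lookup table of a .wim file (public WIM format: 208-byte
header, 24-byte resource headers, 50-byte lookup entries with a SHA-1 each)."""
import hashlib
import struct
import uuid
from dataclasses import dataclass

WIM_MAGIC = b"MSWIM\x00\x00\x00"
WIM_HEADER_SIZE = 208
WIM_VERSION = 0x00010D00        # header version used by .wim files since Windows Vista
RESHDR_SIZE = 24
LOOKUP_ENTRY_SIZE = 50
RESHDR_FLAG_COMPRESSED = 0x02   # resource bytes are compressed (XPRESS or LZX per header flags)

@dataclass
class ResHdr:
    size: int            # bytes occupied in the file (packed size)
    flags: int
    offset: int          # absolute file offset
    original_size: int   # size after decompression

@dataclass
class WimHeader:
    version: int
    flags: int
    chunk_size: int
    guid: uuid.UUID
    part_number: int
    total_parts: int
    image_count: int
    offset_table: ResHdr    # location of the lookup table
    xml_data: ResHdr
    boot_metadata: ResHdr
    boot_index: int
    integrity: ResHdr       # all zero unless /check was used at capture time

@dataclass
class LookupEntry:
    res: ResHdr
    part_number: int
    ref_count: int
    sha1: bytes             # SHA-1 of the uncompressed resource

def parse_reshdr(buf: bytes) -> ResHdr:
    """RESHDR_DISK_SHORT: 56-bit size and 8-bit flags share one uint64, then two int64s."""
    packed, offset, original = struct.unpack("<Qqq", buf[:RESHDR_SIZE])
    return ResHdr(packed & ((1 << 56) - 1), packed >> 56, offset, original)

def pack_reshdr(size: int, flags: int, offset: int, original: int) -> bytes:
    return struct.pack("<Qqq", size | (flags << 56), offset, original)

def parse_wim_header(data: bytes) -> WimHeader:
    """Validate magic, header size and version, then decode the fixed-layout fields."""
    if len(data) < WIM_HEADER_SIZE or data[:8] != WIM_MAGIC:
        raise ValueError("not a WIM file: bad magic or truncated header")
    cb_size, version, flags, chunk = struct.unpack_from("<IIII", data, 8)
    if cb_size != WIM_HEADER_SIZE or version != WIM_VERSION:
        raise ValueError(f"unsupported header size {cb_size} or version {version:#x}")
    part, total, images = struct.unpack_from("<HHI", data, 40)
    (boot_index,) = struct.unpack_from("<I", data, 120)   # bytes 148..207 are reserved
    return WimHeader(version, flags, chunk, uuid.UUID(bytes_le=data[24:40]), part, total,
                     images, parse_reshdr(data[48:72]), parse_reshdr(data[72:96]),
                     parse_reshdr(data[96:120]), boot_index, parse_reshdr(data[124:148]))

def parse_lookup_table(data: bytes, hdr: WimHeader) -> list[LookupEntry]:
    """Decode every 50-byte entry of the lookup (offset) table, bounds-checked first."""
    tbl = hdr.offset_table
    if tbl.size % LOOKUP_ENTRY_SIZE or tbl.offset + tbl.size > len(data):
        raise ValueError("lookup table is misaligned or extends past end of file")
    entries = []
    for pos in range(tbl.offset, tbl.offset + tbl.size, LOOKUP_ENTRY_SIZE):
        part, refs = struct.unpack_from("<HI", data, pos + RESHDR_SIZE)
        entries.append(LookupEntry(parse_reshdr(data[pos:pos + RESHDR_SIZE]),
                                   part, refs, data[pos + 30:pos + 50]))
    return entries

def verify_resource(data: bytes, entry: LookupEntry) -> bool:
    """Recompute the SHA-1 of an uncompressed resource and compare it with the table."""
    if entry.res.flags & RESHDR_FLAG_COMPRESSED:
        raise NotImplementedError("decompress (XPRESS/LZX) before hashing")
    body = data[entry.res.offset:entry.res.offset + entry.res.size]
    return hashlib.sha1(body).digest() == entry.sha1

def build_sample_wim() -> bytes:
    """Constructed sample: header | one file resource | lookup table | XML data."""
    payload = b"constructed resource bytes; not a real Windows file"
    xml = '\ufeff<WIM><IMAGE INDEX="1"><NAME>Sample</NAME></IMAGE></WIM>'.encode("utf-16-le")
    tbl_off = WIM_HEADER_SIZE + len(payload)
    xml_off = tbl_off + LOOKUP_ENTRY_SIZE
    entry = (pack_reshdr(len(payload), 0, WIM_HEADER_SIZE, len(payload))
             + struct.pack("<HI", 1, 1) + hashlib.sha1(payload).digest())
    header = (WIM_MAGIC + struct.pack("<IIII", WIM_HEADER_SIZE, WIM_VERSION, 0, 0x8000)
              + uuid.uuid4().bytes_le + struct.pack("<HHI", 1, 1, 1)   # 1 image; sample omits its metadata resource
              + pack_reshdr(LOOKUP_ENTRY_SIZE, 0, tbl_off, LOOKUP_ENTRY_SIZE)
              + pack_reshdr(len(xml), 0, xml_off, len(xml))
              + bytes(RESHDR_SIZE) + struct.pack("<I", 0) + bytes(RESHDR_SIZE) + bytes(60))
    return header + payload + entry + xml
```

The SHA-1 in each lookup-table entry identifies a resource by its uncompressed contents, which is what makes single instancing possible: files with identical contents share one entry and one copy of the data. Recomputing it, as verify_resource() does, detects a resource that was modified after capture; the separate integrity table, present only when the image was captured with /check, covers the file as a whole. On a real image most resources are compressed, so they must be decompressed with the algorithm named in the header flags before hashing.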
Benefits of the .wim File Format
The .wim file format addresses many challenges that can be experienced with other imaging formats. The
benefits of the .wim file format include the following:
A single .wim file can address many hardware configurations. The .wim file format does not require
the destination hardware to match the source hardware. This helps you reduce the number of images
tremendously, and you have the advantage of only having one image to address the many hardware
configurations.
A Windows image file can store multiple images in a single file. This is useful because you can store
images with or without core apps in a single image file. Another benefit is that you can mark one of
the images as bootable, which allows you to start a machine from a disk image that a .wim file
contains.
The .wim file format enables compression and single instancing. This reduces the size of image files
significantly. Single instancing is a technique that enables multiple images to share a single copy of
files that are common between the instances.
The .wim file format enables you to service an image offline. You can add or remove certain
operating system elements, files, updates, and drivers without creating a new image. For example, to
add an update to a Windows XP image, you must deploy and start the master image, install the
update, and then generalize and capture the image again. With Windows 8.1, you can mount an
image file and then perform an integrated installation of the update (also known as a slipstreamed
installation) into the image file without needing to deploy or recapture the master image.
The .wim file format enables you to install an image on a partition that is smaller, equal to, or larger
than the original partition that was captured, as long as the target partition has sufficient space to
store the image content. This is different from sector-based image formats that require you to deploy
a disk image to a partition that is the same size or larger than the source disk.
Windows 8.1 includes the DISM tool, Dism.exe, which you can use for capturing, managing, and
deploying Windows image files. It also includes the DISM Windows PowerShell module with cmdlets
for managing Windows image files. Developers can use an API for the .wim file format, called
WIMGAPI, to work with Windows image files.
The .wim file format allows for nondestructive image deployment. Nondestructive image deployment
means that you can leave data on the volume where you apply the image because, when the image is
applied, it does not delete the disk's existing contents.
The .wim file format enables you to start Windows PE from a Windows image file. The Windows 8.1
setup process uses Windows PE. The Windows image file is loaded into a RAM disk and is run directly
from memory.
Windows image file format
http://go.microsoft.com/fwlink/?LinkId=378208&clcid=0x409
Windows image file format white paper
http://go.microsoft.com/fwlink/?LinkId=92227&clcid=0x409
Question: Why is the size of a single Windows image file that contains images of
Windows 8.1 and Windows 8.1 Pro considerably smaller than the combined size of two
Windows image files, where one contains a Windows 8.1 image and the other contains a
Windows 8.1 Pro image?
Tools for Performing an Image-Based Installation
You can use several tools and technologies to
perform an image-based installation of
Windows 8.1. The following list describes these
tools and where to use them in deployment
situations:
Windows Setup (Setup.exe). This is the
program that installs the Windows operating
system or upgrades previous versions of the
Windows operating system. Windows Setup
supports both interactive installations and
unattended installations.
Answer file. This is an XML file that stores the
answers for a series of GUI dialog boxes. The answer file for Windows Setup commonly is called
Unattend.xml. You can create and modify this answer file by using Windows SIM. The Oobe.xml
answer file is used to customize Windows Welcome, which starts after Windows Setup and during the
first system startup.
Catalog. This binary file (.clg) contains the state of the settings and packages in a Windows image.
The catalog file is not required for a Windows operating system deployment, and it is not included on
the Windows 8.1 DVD media. The catalog file is required if you want to create an answer file by using
Windows SIM, and it can be created by using this tool.
Windows ADK is a collection of tools and documentation that you can use to automate the
deployment of Windows operating systems and to assess deployed systems. Windows ADK tools are
used in most Windows deployment scenarios and include the following:
o Windows SIM. You can use this tool to create unattended installation answer files and distribution
shares, or to modify the files that a configuration set contains.
o Windows PE. This is a minimal 32-bit or 64-bit operating system with limited services, which is
built on the Windows 8.1 kernel. You can use Windows PE for capturing Windows images,
installing or deploying Windows, and for troubleshooting the deployment. Windows PE provides
read and write access to Windows file systems and supports a range of hardware drivers,
including network connectivity, which makes it useful for system recovery. You can run
Windows PE from a CD or DVD, USB flash drive (UFD), or on a network by using PXE.
Windows ADK includes several tools that you can use to build and configure Windows PE.
o USMT. You can use this tool to migrate user settings and data files from a previous Windows
operating system to Windows 8.1.
o DISM. You can use this tool to service and manage Windows images, and also to apply updates,
drivers, and language packs to a Windows image, offline or online.
Sysprep. Sysprep prepares a Windows image for disk imaging, system testing, or delivery to a
customer. You can use Sysprep to remove any system-specific data from a Windows image, such as
the security identifier (SID). After removing unique system information from an image, you can
capture that Windows image and then use it for deployment on multiple computers. You also can use
Sysprep to configure a Windows operating system to start the out-of-box experience (OOBE) the next
time you start the system. Sysprep is available in all Windows operating systems since Windows Vista.
DiskPart. This is a command-line tool for hard disk configuration.
Windows DS. Windows DS is a server-based deployment solution that enables an administrator to set
up new client computers over a network without having to visit each client. Windows DS is a server
role that you can configure for Windows Server 2012 or Windows Server 2012 R2.
Virtual hard disk. The Microsoft .vhd file format and the new .vhdx file format are publicly available
format specifications that specify a virtual hard disk encapsulated in a single file, which is capable of
hosting native file systems and supporting standard disk operations. You can deploy Windows 8.1 to
.vhd or .vhdx files and start a computer from such files.
Deployment walkthroughs
http://go.microsoft.com/fwlink/?LinkId=378209&clcid=0x409
Question: Can you set up Windows DS on a Windows 8.1 computer?
The Image-Based Installation Process
Windows Setup for Windows 8.1 uses an
Install.wim file to deploy the default Windows 8.1
installation. You can use the same .wim file or
create and deploy a custom Windows 8.1
installation image. The image-based installation
process consists of the following high-level steps:
1. Build an answer file. By default, a
Windows 8.1 installation requires some user
interaction. For example, you might have to
enter a product key, select an installation
type, and specify where you want to install
the Windows operating system. You can use
an answer file to configure all of these and many more Windows settings that are applied during
installation. For example, you can configure how to partition and format a hard drive, networking
configuration, computer name, whether the computer should be joined to the domain, and other
customizations. Additionally, an answer file can contain all of the settings required for an unattended
installation, in which case you will not be prompted during an installation. You can use Windows SIM
to create an answer file, although the answer file is an XML document that you can create and
customize by using any text editor.
2. Build a reference installation. A reference computer has a customized installation of Windows 8.1 that
you plan to duplicate on one or more destination computers. You can create a reference installation
by using Windows 8.1 installation media and an answer file. After the installation, you can perform
additional customizations. For example, you can install apps that are required on all destination
computers. After you configure a reference installation, you must generalize it by using Sysprep.
3. Create bootable Windows PE media. You can create a Windows PE environment by using the
CopyPE.cmd script, customizing it, and writing it to bootable media such as Universal Disk Format,
CD, or DVD by using the MakeWinPEMedia.cmd script. Windows PE enables you to start a computer
for purposes of deployment and recovery. Windows PE starts a computer directly from memory,
enabling you to remove the Windows PE media after the computer starts. After you start a computer
in Windows PE, you can use the DISM tool to capture, modify, and apply file-based disk images.
4. Capture an installation image. You can capture an image of your reference computer by using
Windows PE and the DISM tool. You can store the image that you capture locally on removable
media or on a network share.
5. Modify an installation image. Optionally, you can use DISM or the Windows PowerShell command-
line interface to modify Windows images when required. If additional drivers or Windows features are
required, or if image configuration requirements change, you can use DISM to modify an image
offline by mounting it to an empty folder and injecting drivers and updates or by modifying the
operating system settings. You can modify the .wim file without having to deploy the Windows 8.1
image first.
6. Deploy an installation image. After you have an image of your reference installation, you can deploy
the image to destination computers. You can use the DiskPart tool to format the hard drive and copy
the image from the network share. Use DISM to apply the image to the destination computer. For
high-volume deployments, you can store an image of the new installation to your distribution share
and deploy the image to destination computers by using deployment tools such as Windows DS,
MDT, or Configuration Manager.
Question: Can you create a customized Windows 8.1 installation image only by using tools
that are included in Windows 8.1?
Using Answer Files to Automate an Installation Process
An answer file is an XML file that contains information that is passed to the Windows Setup process. For
example, an answer file can contain information on how to partition disks, the location of the Windows
image to install, and the product key to apply. It also can contain values that apply to the Windows
installation, such as the names of user accounts, display settings, and Internet Explorer favorites. The
answer file for Windows Setup typically is named Unattend.xml.
Using an Answer File
Use an answer file to customize Windows installations so that the versions of Windows operating systems
deployed to each destination computer are configured in the same way. The two types of Windows
installations are attended and unattended:
In attended installations, you respond to Windows Setup prompts, selecting options such as the
partition to which you want to install and the Windows image to install.
In unattended installations, which offer many additional options, you automate this process to avoid
installation prompts.
Before beginning your deployment process, identify all the requirements of your environment. Consider
the following possible requirements:
Hard drive partitions
Computer name and domain membership
Support for BitLocker or a recovery solution
Additional out-of-box drivers
Support for multilingual configurations
Other post-installation modifications to Windows, such as installing additional apps
What Is in an Answer File?
Settings in an answer file are organized into two sections: components and packages.
Components
The components section of an answer file contains all the component settings that Windows applies
during Windows Setup. You can configure components in different configuration passes: windowsPE,
offlineServicing, generalize, specialize, auditSystem, auditUser, and oobeSystem. Each configuration pass
represents a different phase of Windows Setup, and not all phases happen during Windows installation.
For example, generalize, auditSystem, and auditUser do not happen during Windows Setup. Settings can
be applied during one or more passes. If a setting can be applied in more than one configuration pass,
you can choose the pass in which to apply the setting.
Packages
Microsoft uses packages to distribute software updates, service packs, and language packs. Packages also
can comprise Windows features. You can configure packages so that you add them to a Windows image,
remove them from a Windows image, or change the settings for features within a package. You can either
enable or disable features in Windows. If you enable a Windows feature, the resources, executable files,
and settings for that feature are available to users on the system. If you disable a Windows feature, the
package resources are not available, but the Windows operating system does not remove the resources
from the system. Some Windows features might require that you install other features before you can
enable them. You must validate your answer file and
then add any required packages. For example, you can disable the Windows Media Player feature to
prevent end users from running it. However, disabling the package does not remove those resources from
the Windows image. The Windows operating system applies packages in an answer file to the Windows
image during the offlineServicing configuration pass.
Creating an Answer File
While you can create an answer file manually by entering the appropriate XML code into the
Unattend.xml file, you typically create it by using the component of Windows ADK called Windows SIM.
Windows SIM requires a catalog of the Windows image before you can use it to create an answer file.
Windows 8.1 does not include a catalog file for the Windows images in Install.wim, but Windows SIM can
create the catalog dynamically. Answer files that Windows SIM creates are associated with a particular
Windows image. This enables you to validate the settings in an answer file to the settings available in the
Windows image. However, because you can use any answer file to install a Windows image, if there are
settings in the answer file for components that do not exist in the Windows image, then Windows ignores
those settings.
Note: An answer file can include destructive actions like deleting disk content and
formatting disk partitions. If you want Windows Setup to use an answer file automatically, and if
the answer file includes settings in the windowsPE and offlineServicing configuration passes, you
must rename the answer file Autounattend.xml.
Understanding answer files
http://go.microsoft.com/fwlink/?LinkID=386288&clcid=0x409
Methods for running Windows Setup
http://go.microsoft.com/fwlink/?LinkId=378210&clcid=0x409
Question: What must you do before you can create an answer file for a Windows 8.1
installation?
Demonstration: Building an Answer File by Using Windows SIM
In this demonstration, you will see how to build an answer file by using Windows SIM.
Demonstration Steps
1. In the Components section of Windows SIM, add the following components, and then configure their
properties with the following values in the answer file:
o amd64_Microsoft-Windows-Setup\DiskConfiguration\Disk
    DiskID: 0
    WillWipeDisk: True
o amd64_Microsoft-Windows-Setup\DiskConfiguration\Disk\CreatePartitions\CreatePartition
    Extend: True
    Order: 1
    Type: Primary
o amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallTo
    DiskID: 0
    PartitionID: 1
o amd64_Microsoft-Windows-Setup_neutral\UserData
    AcceptEULA: True
    Organization: Adatum
2. You can configure the property values by using the following process:
a. Expand the component referenced in the table in the Components section.
b. Right-click the component, and then click the appropriate Add Setting to Pass choice.
c. In the Answer File pane, locate and then click the added component.
d. In the corresponding Properties pane, double-click the setting, and then set the value.
3. Save the answer file on the desktop. Open the answer file in Internet Explorer, and then verify that the
settings that you configured in Windows SIM are saved in the answer file.
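The answer file the demonstration builds, as an added example that is not course code: a PowerShell script that embeds a constructed Autounattend.xml with the demonstration's four components (plus the local Administrator account from the lab later in this module) and reports, per configuration pass, what the file will do once Windows Setup picks it up. The report flags the two things to check before such a file goes onto install media: the disks it wipes, and any password stored with PlainText set to true, which anyone who can read the file or the media can read too. The XML follows the layout Windows SIM writes; the values are the demonstration's and the file itself is constructed here.

```powershell
# Added example, not course code: a constructed Autounattend.xml holding the demonstration's
# four components plus the lab's local Administrator account, and a report of what it will do.
$answerFile = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" language="neutral"
               publicKeyToken="31bf3856ad364e35" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <DiskConfiguration>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>Primary</Type>
              <Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
        </Disk>
      </DiskConfiguration>
      <ImageInstall>
        <OSImage>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </OSImage>
      </ImageInstall>
      <UserData>
        <AcceptEula>true</AcceptEula>
        <Organization>Adatum</Organization>
      </UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" language="neutral"
               publicKeyToken="31bf3856ad364e35" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Name>Administrator</Name>
            <Group>Administrators</Group>
            <Password>
              <Value>Pa$$w0rd</Value>
              <PlainText>true</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

function Get-UnattendReport {
    # Returns the components per configuration pass, the disks the file wipes, and the local
    # accounts whose password is stored unencoded (<PlainText>true</PlainText>). The XPath uses
    # local-name() so the default unattend namespace does not have to be registered.
    param([Parameter(Mandatory)][string]$Xml)

    $doc = [xml]$Xml
    $report = [pscustomobject]@{
        Components         = [ordered]@{}   # pass name -> component names as Windows SIM shows them
        WipedDisks         = @()            # DiskID values with WillWipeDisk = true
        PlainTextPasswords = @()            # account names whose password is readable in the file
    }

    foreach ($settings in @($doc.unattend.settings)) {
        $names = @()
        foreach ($component in @($settings.component)) {
            $arch = $component.GetAttribute('processorArchitecture')
            $names += '{0}_{1}_{2}' -f $arch, $component.GetAttribute('name'), $component.GetAttribute('language')

            foreach ($disk in $component.SelectNodes('.//*[local-name()="Disk"]')) {
                $wipe = $disk.SelectSingleNode('*[local-name()="WillWipeDisk"]')
                if ($wipe -and $wipe.InnerText -eq 'true') {
                    $report.WipedDisks += $disk.SelectSingleNode('*[local-name()="DiskID"]').InnerText
                }
            }
            foreach ($account in $component.SelectNodes('.//*[local-name()="LocalAccount"]')) {
                $plain = $account.SelectSingleNode('*[local-name()="Password"]/*[local-name()="PlainText"]')
                if ($plain -and $plain.InnerText -eq 'true') {
                    $report.PlainTextPasswords += $account.SelectSingleNode('*[local-name()="Name"]').InnerText
                }
            }
        }
        $report.Components[$settings.GetAttribute('pass')] = $names
    }
    return $report
}

$report = Get-UnattendReport -Xml $answerFile
$report.Components
if ($report.WipedDisks)         { Write-Warning ("Setup will wipe disk(s): {0}" -f ($report.WipedDisks -join ', ')) }
if ($report.PlainTextPasswords) { Write-Warning ("Plain-text password(s) for: {0}" -f ($report.PlainTextPasswords -join ', ')) }
```

Point the function at a real file with `Get-UnattendReport -Xml (Get-Content -Raw A:\Autounattend.xml)` to review an answer file before attaching the media to a computer.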
Preparing a Reference Installation by Using Sysprep
The Sysprep tool prepares an installation of the Windows operating system for duplication, auditing, and
end-user delivery. Duplication enables you to capture a customized Windows image that you can reuse
throughout an organization. The Sysprep tool is part of a Windows installation, and you can find it in the
C:\Windows\System32\Sysprep folder.
Sysprep Tasks
You can use Sysprep to:
Remove system-specific data from the Windows operating system, which is known as generalizing the
computer.
Uninstall computer-specific drivers.
Configure the Windows operating system to start OOBE or in audit mode.
Add an answer file to an existing installation.
Note: Only use Sysprep to configure reference Windows installations. Remember that
Sysprep can delete existing system configurations. Do not use Sysprep to reconfigure an existing
Windows installation that is deployed already.
Sysprep Command-Line Options
The Sysprep tool uses the following syntax:
sysprep.exe [/oobe | /audit] [/generalize] [/reboot | /shutdown | /quit] [/quiet] [/unattend:answerfile] [/mode:<mode>]
In Windows 8.1, the /mode:vm command-line option for Sysprep generalizes a virtual hard disk. You can
use this parameter if you will deploy the virtual hard disk on the same virtualization platform.
Note: You can run virtual machine mode only from inside a virtual machine.
Common command-line options available for Sysprep
http://go.microsoft.com/fwlink/?LinkId=378211&clcid=0x409
Sysprep technical reference
http://go.microsoft.com/fwlink/?LinkId=378212&clcid=0x409
Question: Why should you not run Sysprep on a Windows 8.1 computer that is deployed
and being used already?
What Is Windows PE?
Windows PE is the core deployment foundation for Windows 8.1. Windows PE is a compact, special-purpose
Windows operating system that prepares and initiates a computer for Windows Setup, maintenance, or
imaging tasks, and it recovers operating systems such as Windows 8.1. With Windows PE, you can start a
subset of Windows 8.1 from a network or removable media, which provides network and other resources
necessary to install and troubleshoot Windows 8.1. Windows PE is not a general-purpose operating system,
but you can use it to start a computer that has no functional operating system installed, and it can act as
a replacement for startup disks. Windows PE is designed to make customized Windows 8.1 deployments
simpler by addressing the following tasks:
Installing Windows 8.1. Windows PE runs every time you install Windows 8.1. The graphical tools that
collect configuration information during the setup phase are running within Windows PE.
Troubleshooting. Windows PE is useful for automatic and manual troubleshooting. For example, if
Windows 8.1 fails to start because of a corrupted system file, Windows PE can start automatically and
launch Windows RE.
Recovery. OEMs and IT pros can use Windows PE to build customized, automated solutions for
recovering and rebuilding computers that run Windows 8.1.
Benefits of Windows PE
Microsoft developed Windows PE as the primary tool for starting computers that do not have a functional
operating system. After a computer starts in Windows PE, you can prepare it for Windows installation and
then initiate Windows Setup from a network or local source. You also can service an existing Windows
installation or recover data. Because Windows PE is based on the Windows 8.1 kernel, it provides the
following capabilities:
Native support for the NTFS 5.x file system, including dynamic volume creation and management.
Native support for TCP/IP networking and file sharing. Windows PE can connect to network shares
only; you cannot share folders in Windows PE.
Native support for 32-bit or 64-bit Windows device drivers.
Native support for a subset of the Win32 API.
Optional support for Windows Management Instrumentation (WMI), Microsoft Data Access
Component, and HTML Application.
Ability to start from a number of media types, including CD, DVD, UFD, and a Remote Installation
Services server.
Windows PE offline sessions are supported.
Windows PE images can be serviced offline.
Windows PE includes all Hyper-V drivers, except display drivers. This enables Windows PE to run in a
hypervisor. Supported features include mass storage, mouse integration, and network adapters.
Windows PE is available as part of Windows ADK. You can create a custom Windows PE environment by
running the CopyPE.cmd script. After that, you can customize the environment. For example, you can add
support for Windows PowerShell, database connectivity, or scripting. You also can copy additional drivers
and programs to Windows PE. You can write a customized Windows PE environment to bootable media
by running the MakeWinPEMedia.cmd script.
Windows PE overview
http://go.microsoft.com/fwlink/?LinkId=378213&clcid=0x409
Question: What are some of the tasks in which you can use Windows PE for
troubleshooting?
Question: How can you customize Windows PE?
Demonstration: Creating Bootable Windows PE Media
In this demonstration, you will see how to create bootable Windows PE media.
Demonstration Steps
1. Open the Deployment and Imaging Tools Environment.
2. Use CopyPE.cmd to copy the base amd64 Windows PE files to C:\winpe.
3. Use DISM to view the properties of the Windows PE image, and then mount the image file located at
c:\winpe\media\sources\boot.wim to the C:\winpe\mount folder.
4. Use File Explorer to verify that there are three subfolders in the C:\winpe\mount folder. Create a
subfolder with your name.
5. Use DISM to dismount and commit the image.
6. Use File Explorer to verify that there are no subfolders in the C:\winpe\mount folder.
7. Create an .iso file from the image to be copied to a CD or DVD.
Using DISM to Capture and Apply an Installation Image
Windows 8.1 installation media includes default Windows installation images, which are contained in the
Install.wim file. You can use Windows Setup to deploy the default images, but you also can use it to deploy
custom images when you provide an answer file.
If you need to create a custom Windows 8.1 image, for example, from the reference installation, you can
capture the image by using Dism.exe. Dism.exe is a command-line tool that is included in Windows 8.1,
and it also is available as part of Windows ADK. DISM is the main tool for managing Windows image files,
which includes operations such as creating, mounting, updating, and applying the image.
Note: In the past, the ImageX tool often was used for creating, mounting, and applying
Windows image files. This tool is still available as part of the Windows ADK, but it has been deprecated
since Windows 8. All of its functionality is included in DISM, and you should avoid using ImageX.
Although you can create an image that includes a single folder or folder hierarchy, you often will create
an image of the entire volume. You cannot add files that are opened exclusively by any process in the
image, and because of that, you cannot capture an image of the running operating system. You will need
to restart the computer to another operating system, such as Windows PE, before you can capture the
image of the Windows 8.1 installation. When capturing the image, you can specify additional options,
such as the file types to exclude from the image and the compression type to use; the compression type
can be defined only when capturing the first image in the Windows image file. You can capture the content
of the volume C: to the file D:\Custom.wim by running the following command:
Dism /Capture-Image /ImageFile:D:\Custom.wim /CaptureDir:C:\ /Name:"Captured Windows 8.1 installation"
You cannot create and format a volume by using DISM, which means that the volume already must be
created and formatted before you can apply the image to it. For example, you can create and format a
volume by using the DiskPart tool. After the volume is prepared, you can deploy the first Windows image
contained in file D:\Custom.wim to volume C: by running the following command:
Dism /apply-image /imagefile:D:\Custom.wim /index:1 /ApplyDir:C:\
Besides capturing and applying Windows images, you can use DISM to service and manage Windows
images.
DISM technical reference
http://go.microsoft.com/fwlink/?LinkId=378214&clcid=0x409
Question: What must you do before you can capture an image of a Windows 8.1 computer
by using Dism.exe?
Modifying and Maintaining Windows Images
DISM is a command-line tool that combines separate Windows platform technologies into a single,
cohesive tool for servicing Windows images. By using DISM, IT pros can view components of an applied or
mounted operating system image and add or remove packages, software updates, and drivers. You can use
DISM to service Windows images offline before deployment or to prepare a Windows PE image. Some of
the most common tasks that you can perform by using DISM include:
Mount, unmount, and commit modifications
Apply updates, drivers, and language packs
Add, remove, and enumerate packages and drivers
Enable or disable Windows features
Apply changes based on the offlineServicing section of an answer file
Configure international settings
Upgrade a Windows image to a different edition
Prepare and customize Windows PE images
Service online and offline Windows images
DISM Command-Line Options
DISM has two main sets of commands: imaging commands, and servicing commands.
Imaging commands
Imaging commands enable image management tasks such as mounting an image file or enumerating
images in a file. You can use the following syntax for imaging commands:
Dism.exe [dism_global_options] {WIM_command} [<WIM_arguments>]
Servicing commands
Servicing commands enable tasks that involve modifying a Windows image, such as injecting drivers,
adding packages, and modifying Windows configurations. You can use the following syntax for servicing
commands:
Dism.exe {/Image:<path_to_image> | /Online} [dism_global_options] {servicing_option} [<servicing_argument>]
DISM command-line options
http://go.microsoft.com/fwlink/?LinkId=378215&clcid=0x409
You also can manage Windows image files by using Windows PowerShell cmdlets. You can get a list of
available DISM cmdlets by running the following cmdlet:
Get-Command -Module Dism
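The mount, modify, commit cycle that the task list above describes (the same loop the Windows PE demonstration runs against boot.wim), as an added example written with the DISM cmdlets rather than Dism.exe; it is not code from the course or from the ADK. It inspects the image, mounts it, injects a driver folder, lists what the image now contains, saves only if every step succeeded and discards otherwise, and writes the SHA-256 of the serviced .wim so the file that reaches the distribution share can be checked against what you built. The paths in the param block are assumptions; run it in an elevated Windows PowerShell session on Windows 8.1 with the ADK installed.

```powershell
# Added example, not course or ADK code. All paths below are assumptions for the example.
# Requires an elevated Windows PowerShell session with the DISM module (Windows 8.1 / ADK 8.1).
param(
    [string]$ImagePath = 'D:\Custom.wim',      # image captured from the reference computer
    [int]   $Index     = 1,                    # which image in the .wim to service
    [string]$MountDir  = 'C:\mount',           # must exist and be empty
    [string]$DriverDir = 'D:\Drivers',         # folder tree of .inf-based, signed drivers
    [string]$Manifest  = 'D:\Custom.wim.sha256'
)
Import-Module Dism

# Know what you are servicing before you touch it: the lab's Get-WimInfo step, as a cmdlet.
$image = Get-WindowsImage -ImagePath $ImagePath -Index $Index
Write-Host ("Servicing image {0} ('{1}') in {2}" -f $Index, $image.ImageName, $ImagePath)

if (-not (Test-Path -Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
if (Get-ChildItem -Path $MountDir -Force) { throw "$MountDir must be empty before an image is mounted there." }

$mounted  = $false
$serviced = $false
try {
    Mount-WindowsImage -ImagePath $ImagePath -Index $Index -Path $MountDir | Out-Null
    $mounted = $true

    # Inject drivers. Leave -ForceUnsigned off: an unsigned package is rejected here rather than
    # being baked into every computer the image reaches.
    Add-WindowsDriver -Path $MountDir -Driver $DriverDir -Recurse | Out-Null

    # Verify the result while the image is still mounted: only third-party (oemN.inf) drivers
    # are listed by default, which is exactly what was just added.
    Get-WindowsDriver -Path $MountDir |
        Select-Object -Property Driver, ProviderName, ClassName, Version, Date |
        Format-Table -AutoSize

    # Other offline changes from the task list fit here in the same way, for example:
    # Enable-WindowsOptionalFeature -Path $MountDir -FeatureName 'NetFx3' -All
    # Add-WindowsPackage -Path $MountDir -PackagePath 'D:\Updates\update.msu'

    $serviced = $true
}
finally {
    # Commit only a fully serviced image; anything else is thrown away so the .wim is never
    # left half-changed.
    if ($mounted -and $serviced) { Dismount-WindowsImage -Path $MountDir -Save    | Out-Null }
    elseif ($mounted)            { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}

if ($serviced) {
    # Record the hash of the serviced file. Re-hash it at the distribution share, before Windows DS
    # or MDT imports it: a mismatch means the image changed after you signed off on it.
    $hash = Get-FileHash -Path $ImagePath -Algorithm SHA256
    '{0}  {1}' -f $hash.Hash, (Split-Path -Path $ImagePath -Leaf) | Set-Content -Path $Manifest
    Write-Host ("SHA-256 of {0} written to {1}" -f $ImagePath, $Manifest)
}
```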
Question: Can you use Dism.exe to modify only Windows install images in a .wim file?
Lab B: Customizing and Capturing a Windows 8.1 Image
Scenario
You have been asked to modify the answer file that is being used for the A. Datum Windows 8.1
installation process. A. Datum is deploying a test group of Windows 8.1 computers, and it would like to
have a standard installation that requires no user input as part of the setup process.
Your task is to create a new answer file that automates the installation accordingly. Use it to test an
installation of Windows 8.1 on LON-REF1.
Objectives
After completing this lab, you will be able to:
1. Create an answer file and perform an unattended Windows 8.1 installation.
2. View Windows image information and capture a Windows 8.1 image.
Lab Setup
Estimated Time: 60 minutes
Virtual machine: 20687C-LON-DC1, 20687C-LON-CL1, and 20687C-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd
Start the 20687C-LON-DC1 and 20687C-LON-CL1 virtual machines, and sign in as
Adatum\Administrator with password Pa$$w0rd.
Exercise 1: Creating an Answer File and Performing an Unattended
Windows 8.1 Installation
Scenario
In this exercise, you have been asked to configure an answer file to use with Windows 8.1 installations at
A. Datum. To modify this answer file, you have been given the following information by your IT
administrator to assist you in the process.
Component (with its properties and values):
amd64_Microsoft-Windows-International-Core-WinPE_neutral
    InputLocale: en-US
    SystemLocale: en-US
    UILanguage: en-US
    UserLocale: en-US
amd64_Microsoft-Windows-International-Core-WinPE_neutral\SetupUILanguage
    UILanguage: en-US
amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk
    DiskID: 0
    WillWipeDisk: True
amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition
    Extend: True
    Order: 1
    Type: Primary
amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition
    Active: True
    Format: NTFS
    Order: 1
    PartitionID: 1
amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallFrom\Metadata
    Key: /IMAGE/NAME
    Value: Windows 8.1 Enterprise Evaluation
amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallTo
    DiskID: 0
    PartitionID: 1
amd64_Microsoft-Windows-Setup_neutral\UserData
    AcceptEULA: True
    FullName: Adatum User
    Organization: Adatum
amd64_Microsoft-Windows-Shell-Setup_neutral\OOBE
    SkipMachineOOBE: True
    SkipUserOOBE: True
amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount
    Description: Local Admin
    DisplayName: Administrator
    Group: Administrators
    Name: Administrator
amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount\Password
    Value: Pa$$w0rd

The main tasks for this exercise are as follows:
1. Mount a virtual floppy drive on LON-CL1.
2. Create an answer file.
3. Save the answer file and remove the diskette drive.
4. Configure LON-REF1 and start the Windows 8.1 unattended installation.
Task 1: Mount a virtual floppy drive on LON-CL1
1. Use the Hyper-V Manager console on the host computer to open the Settings page for
20687C-LON-CL1.
2. In Settings, click Diskette Drive, and then attach the virtual floppy drive named Lab2BEx1.vfd found
at D:\Program Files\Microsoft Learning\20687\Drives.
Task 2: Create an answer file
In the Components section of Windows SIM, modify the appropriate parameters in the preceding
table by using the following process:
a. Expand the component referenced in the table in the Components section.
b. Right-click the component, and then click the appropriate Add Setting to Pass choice.
c. In the Answer File section, locate and then click the added component.
d. In the corresponding Properties page, double-click the setting, and then set the value.
Task 3: Save the answer file and remove the diskette drive
1. Save the answer file to A:\Autounattend.xml.
2. Open the Settings page for 20687C-LON-CL1 in Hyper-V Manager.
3. Configure the Diskette Drive to None.
Task 4: Configure LON-REF1 and start the Windows 8.1 unattended installation
1. In Hyper-V Manager, open the Settings page for 20687C-LON-REF1.
2. In Settings, click Diskette Drive, and then attach Lab2BEx1.vfd found at D:\Program Files
\Microsoft Learning\20687\Drives.
3. In Settings, click DVD Drive, and then attach the DVD image file found at D:\Program Files
\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso.
4. Start 20687C-LON-REF1, and then begin Windows Setup. Confirm that you are not prompted for any
information during installation. While Windows 8.1 is installing, continue with the next exercise.
Note: During installation, LON-REF1 will restart two times. Do not press any key to start it
from DVD.

Results: After completing this exercise, you should have modified an unattended answer file to use for
automating the Windows 8.1 installation process.
Exercise 2: Viewing Install.wim Information and Capturing a Windows 8.1
Image
Scenario
One of your tasks is to capture a Windows 8.1 image. Before performing the task, you need to view the
content of the existing Windows image file and explore the benefits of using the .wim file format.
The main tasks for this exercise are as follows:
1. View the information of the Windows 8.1 image in the Install.wim file.
2. Capturing an image.
3. Modifying an offline image.
4. Capturing Windows 8.1 image.
Task 1: View the information of the Windows 8.1 image in the Install.wim file
1. Add Windows 8.1 DVD media to LON-CL1 by attaching the DVD image file found at
D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso.
2. Use File Explorer to view the properties of the Install.wim file in the Sources folder on the DVD drive.
3. Use Dism.exe with the Get-ImageInfo parameter to view the content of the Install.wim file.
4. Use Dism.exe with the Get-WimInfo parameter to view the information about the first image in the
Install.wim file.
Task 2: Capturing an image
1. Use Dism.exe with the Capture-Image parameter to capture the content of the C:\Windows\Inf
folder to a file named C:\image.wim, and then name the image First image.
2. Use File Explorer to view the properties of the C:\Windows\Inf folder.
3. View the size of the C:\image.wim file, and then consider the benefits of Windows image
compression.
4. Use Dism.exe with the Append-Image parameter to add the content of the C:\Windows\Inf folder as a
second image to the C:\image.wim file, and then name the image Second Image.
5. View the size of C:\image.wim, and then consider the benefits of single instancing when multiple
images in the same .wim file have the same files.
6. Use Dism.exe with the Get-ImageInfo parameter to view which images are contained in the
C:\image.wim file.
Task 3: Modifying an offline image
1. Use File Explorer to view the properties of the C:\image.wim file, including its size and date of last
modification.
2. Create a folder named C:\mount and use Dism.exe with the Mount-Wim parameter to mount the
second image in the C:\Image.wim file to the C:\mount folder.
3. Use File Explorer to view the properties of the C:\mount folder.
4. Create a subfolder named Folder1, and then delete three files in the C:\mount folder.
5. Use Dism.exe with the Unmount-Wim and Commit parameters to unmount the image.
6. View the properties of C:\image.wim.
7. Use Dism.exe with the Get-WimInfo parameter to view and compare the properties of the second
and first image in the C:\image.wim file.
Task 4: Capturing Windows 8.1 image
1. Sign in to LON-REF1 as user Admin with the password Pa$$w0rd. Verify that Windows 8.1 is
installed.
2. Add Windows PE media to LON-REF1 by attaching the DVD image file found at
D:\Program Files\Microsoft Learning\20687\Drives\WindowsPE.iso.
3. On LON-REF1, run Sysprep.exe as an Administrator to generalize the computer.
4. Start LON-REF1 from DVD media.
5. On LON-REF1, use Adatum\Administrator credentials to connect the G: drive to \\lon-cl1\share.
6. Use Dism.exe with the Capture-Image parameter to capture the C: drive to the G:\Win81.wim file
and name the image CustomImage.
Note: You can continue with the lecture while the capture is in progress.
Results: After completing this exercise, you should have viewed Windows image information and
captured a Windows 8.1 image.
Lesson 4
Volume Activation for Windows 8.1
Product activation is a requirement of the Windows 8.1 operating system. It requires validation for each
Windows 8.1 license through an online activation service at Microsoft, by phone, through KMS, or
through AD DS. Activation enhances protection from software piracy, and it helps you to manage
operating system and application instances within an environment. This lesson describes how activation
works and the volume activation models to consider for an effective Windows 8.1 desktop deployment.
Lesson Objectives
After completing this lesson, you will be able to:
Describe activation.
Describe volume activation technologies.
Describe how KMS activation works.
Describe how Active Directory-based activation works.
Describe tools to manage activation.
Explain how to troubleshoot volume activation.
What Is Activation?
All editions of Windows 8.1 require activation. Activation confirms the status of a Windows product and
ensures that the product key has not been compromised. The activation process links the software's
product key to a particular installation of that software on a device. If the device hardware changes
considerably, you need to activate the software again. Activation assures software integrity and provides
you access to Microsoft support and a full range of updates. Activation also is necessary if you want to
comply with licensing requirements.
Unlike Windows 7, Windows 8.1 does not have a grace period. You must activate Windows 8.1
immediately upon installation. Failure to activate a Windows operating system will prevent users from
completing customization. In earlier versions of the Windows operating system, activation and validation
by using the Windows Genuine Advantage tool occurred separately. This caused confusion for users who
thought the terms were interchangeable. In Windows 8, activation and validation occur at the same time.
If you wish to evaluate Windows 8.1, Microsoft provides a separate evaluation edition that is available as
an ISO image file to MSDN subscribers and Microsoft partners.
There are three main methods for activation:
Retail. Any Windows 8.1 product purchased at a retail store comes with one unique product key that
you type in during product installation. Use the product key to complete activation after installing the
operating system.
OEM. OEM system builders typically sell computer systems that include a customized build of
Windows 8.1. You can perform OEM activation by associating the operating system to the computer
system BIOS.
Microsoft Volume Licensing (volume activation). Microsoft Volume Licensing is a series of software
licensing programs that are tailored to the size and purchasing methods of your organization.
Volume customers set up volume licensing agreements with Microsoft. These agreements include
Windows upgrade benefits and other benefits related to value-added software and services. Microsoft
Volume Licensing customers use Volume Activation Services to assist in activation tasks, which consist
of Active Directory-based activation, KMS, and MAK models.
You can view the Windows 8.1 activation status on the System properties page or by running the
following command:
cscript C:\windows\system32\slmgr.vbs -dli
Question: What is activation?
Volume Activation Technologies
Volume activation provides a simple, security-
enhanced activation experience for enterprise
organizations, while addressing issues associated
with generic volume license keys (VLKs). Volume
activation provides administrators the ability to
manage and protect product keys centrally, and it
also provides several flexible deployment options
that activate enterprise computers, regardless of
the organization's size.
Volume Activation Keys
Three main types of volume activation models are
used in enterprise environments. You can use any
or all of the options associated with these models, depending on your organization's needs and network
infrastructure:
• Volume Activation Services is a server role in Windows Server 2012 and Windows Server 2012 R2. This
role service enables you to activate Windows 7, Windows Server 2008, and newer Windows operating
systems automatically, without having to contact Microsoft product activation servers. With Volume
Activation Services, you can configure KMS and enable Active Directory-based activation:
o KMS allows organizations to perform local activation for computers in a management
environment without connecting to Microsoft individually. By default, Windows 8.1 and
Windows Server 2012 R2 volume editions connect to a system that hosts the KMS service, which
in turn requests activation. KMS usage is targeted for managed environments where more than
25 client computers or more than five servers use KMS activation.
o Active Directory-based activation is a role service that allows you to use AD DS to store activation
objects, which can greatly simplify the task of maintaining volume activation services for a
network. You can use Active Directory-based activation to activate only AD DS-joined computers,
and activation requests are processed during client computer startup. Any computer running
Windows 8, Windows Server 2012, or a newer Windows operating system with a generic VLK that
is joined to the domain will activate automatically and without user interaction. Computers will
stay activated as long as they remain members of the domain and maintain periodic contact with
a domain controller. Activation takes place after the licensing service starts.
• MAK activation uses product keys that can activate only a specific number of computers. If the use of
volume licensing media is not controlled, excessive activations can be tried, and after the depletion of
the activation pool, no further computers can be activated. You do not use MAKs to install
Windows 8.1, but rather to activate it after installation. You can use MAKs to activate any
Windows 8.1 edition.
Plan for volume activation
http://go.microsoft.com/fwlink/?LinkId=378216&clcid=0x409
Licensing and volume activation
http://go.microsoft.com/fwlink/?LinkId=378217&clcid=0x409
Question: How can you determine if Windows 8.1 is activated? How can you activate
Windows 8.1?
How KMS Activation Works
With KMS, organizations can perform local
activations for computers in a managed
environment without connecting to Microsoft
individually. You can enable KMS functionality on
a physical or virtual system that runs Windows 7,
Windows Server 2008, or a newer Windows
operating system.
Windows 8, Windows Server 2012, and newer
Windows operating systems include KMS. After
you initialize KMS, the KMS activation
infrastructure is self-maintaining. The KMS service
does not require dedicated computers and can be
cohosted with other services. A single KMS host can support several thousand KMS clients. Most
organizations probably will be able to operate with just two KMS hosts for their entire infrastructure: one
main KMS host, and a backup host for redundancy.
Implementing KMS Activation
To enable KMS functionality, you install a KMS key on the KMS host and then activate it by using an
online web service at Microsoft. Start the Command Prompt window and then run the following
command:
cscript C:\windows\system32\slmgr.vbs -ipk <KmsKey>
You then can activate the KMS host by using online or phone activation.
During installation, a KMS host automatically attempts to publish its existence in service (SRV) resource
record locations within the Domain Name System (DNS). This provides the ability for both domain
members and stand-alone computers to activate against the KMS infrastructure. Client computers locate
the KMS host dynamically by using the SRV records found in DNS or the connection information specified
in the registry. Client computers then use information obtained from the KMS host to activate.
KMS Activation Considerations
If you decide to implement KMS activation, consider the following:
• Client computers that are not activated attempt to connect with the KMS host every two hours.
• To stay activated, client computers must renew their activation by connecting to the KMS host at least
once every 180 days.
• After activation, client computers attempt to renew their activation every seven days. After each
successful connection, the expiration extends to the full 180 days.
• Client computers connect to the KMS host for activation by using anonymous remote procedure calls
(RPCs) over TCP/IP and by using default port 1688. You can configure this port information. The
connection is anonymous, enabling workgroup computers to communicate with the KMS host. You
might need to configure the firewall and the router network to pass communications for the TCP port
that will be used.
To use KMS activation with Windows 8, Windows Server 2012, or newer Windows operating systems, the
computer must contain a Windows marker in the BIOS, and must have a qualifying operating system
license, which often is obtained through OEMs as part of a new computer purchase.
Volume activation overview
http://go.microsoft.com/fwlink/?LinkId=286471&clcid=0x409
Question: Can a Windows 8.1 computer be a KMS host?
How Active Directory-Based Activation Works
Active Directory-based activation simplifies the
process of activating clients that are running
Windows 8, Windows Server 2012, or newer
Windows operating systems. If you implement
Active Directory-based activation, your Windows
operating system is activated automatically when
you join the computer to the domain, as long as a
generic VLK is used on the computer. This
activation method requires that the AD DS
schema is extended to at least the
Windows Server 2012 level.
You cannot edit activation objects directly in
AD DS. However, an administrator can use advanced AD DS tools to view each activation object.
Administrators also can configure security access control lists for activation objects to restrict access as
needed, and if necessary, they can delete activation objects. On a local client, a user with read/write
permission for the activation object can use a command prompt to perform these functions.
Main Considerations
Many organizations have complex volume licensing infrastructures to support KMS and Microsoft Office
installations. To add Active Directory-based activation to these environments, administrators must assess
their current implementations and determine what role Active Directory-based activation will play in their
environment. Some considerations include how to upgrade operating systems and applications to
versions that support Active Directory-based activation. For environments that will run only Windows 8,
Windows Server 2012 and newer Windows operating systems, Active Directory-based activation is a
suitable option for activating all clients and servers, and you might be able to remove any KMS hosts. If an
environment will continue to contain older volume-licensed operating systems and applications,
administrators need a KMS host to maintain activation status in addition to enabling Active Directory-
based activation.
Planning considerations when working with Active Directory-based activation include the following:
• You do not need an additional host server with Active Directory-based activation. Your existing
domain controllers can support activation clients with the following limitations:
o You cannot configure Active Directory-based activation on read-only domain controllers.
o You cannot use Active Directory-based activation with non-Microsoft directory services.
o The AD DS schema must be at the Windows Server 2012 or higher level to store activation
objects.
o Domain controllers that run older versions of Windows Server can activate clients after the AD DS
schema has been extended to Windows Server 2012 or higher level.
• Active Directory-based activation is forest-wide, and you only need to implement it once, even if the
forest contains multiple domains.
• There are no threshold limits that must be met before computers can be activated by using
Active Directory-based activation.
Volume Activation Process
In an environment that uses Active Directory-based activation, the volume activation process takes place
in the following steps:
1. An enterprise administrator installs the Active Directory-based activation role service on a domain
controller. After that, the administrator activates the KMS host key with Microsoft-hosted activation
services. Administrators can complete this installation from any computer that has a VAMT console.
2. When a domain-joined computer that is running Windows 8, Windows Server 2012, or a newer
Windows operating system with a generic VLK starts, the licensing service on the client automatically
queries the domain controller for licensing information. Lightweight Directory Access Protocol (LDAP)
is used for the authentication.
Note: You cannot use Active Directory-based activation to license computers that are not
members of the domain.
3. If a valid activation object is found, then the activation will continue silently and will not require user
intervention. For Active Directory-based activation, the same renewal guidelines are applicable as for
KMS activation.
4. If volume licensing information is not found in AD DS, computers that are running Windows 8,
Windows Server 2012, or a newer Windows operating system will try to find a KMS host and try
activation by using the KMS activation process.
Active Directory-based activation overview
http://go.microsoft.com/fwlink/?LinkId=378218&clcid=0x409
Active Directory-based activation versus KMS
http://go.microsoft.com/fwlink/?LinkId=378219&clcid=0x409
Question: What type of connection is established between a Windows 8.1 computer and a
Windows Server 2012 R2 domain controller when Active Directory-based activation is
performed?
Tools to Manage Activation
If you need to manage activation on a
Windows 8.1 computer on a network, you
probably will use VAMT. If VAMT is not deployed
in your environment, you can still use Slmgr.vbs as
the software licensing configuration tool.
Slmgr.vbs is part of Windows 8.1, and you can use
it for viewing activation information, installing
product keys, activating Windows operating
systems, and performing additional actions. You
can get a list of all available actions by running
slmgr -?. Slui.exe also is available in Windows 8.1,
but its functionality is reduced in Windows 8.1.
You can use it only for changing product keys, activating Windows 8.1, or displaying a list of telephone
numbers for activation.
VAMT
You can use VAMT to automate and centrally manage the volume and retail-activation process of
Windows operating systems, Microsoft Office software, and certain other Microsoft products. VAMT
manages volume activation by using MAK or KMS. VAMT is a standard Microsoft Management Console
(MMC) snap-in, and it is available as part of Windows ADK. You can install VAMT on a computer that is
running Windows 7, Windows Server 2008, or a newer version of the Windows operating system. You can
use VAMT to manage and specify a group of computers to activate based on the following:
• AD DS
• Workgroup names
• IP addresses
• LDAP queries
Note: VAMT cannot be used to manage volume activation for legacy Windows XP or
Windows Server 2003 operating systems. However, you can still manage Microsoft Office 2010 or
Microsoft Office 2013 on those two operating systems by using VAMT.
VAMT provides a single console for managing activations and for performing other activation-related
tasks, such as the following:
• Adding and removing computers. VAMT can discover computers in a local environment by querying
AD DS and workgroups, by the computer name or IP address, or by using LDAP.
• Discovering products. VAMT can discover Windows operating systems, Microsoft Office programs,
and other products installed on client computers. It uses a Microsoft SQL Server database for storing
discovery information and activation data.
• Monitoring activation status. You can use VAMT to gather product activation information such as the
last five characters of a product key. You also can determine a product edition and whether the
product has a licensed, grace, or unlicensed licensing state.
• Managing product keys. You can store multiple product keys and use VAMT to install these keys for
remote client products. You also can determine the number of activations remaining for MAKs.
• Managing activation data. VAMT uses an SQL database to store activation data, and it can export this
data to other VAMT hosts or to an archive in XML format.
• Reporting on volume licensing. VAMT can provide the licensing status of every computer in the
database.
• Performing proxy authentication. If you are on a network that requires a user name and password to
reach the Internet, VAMT enables you to sign in and perform proxy activation.
• Deploying Active Directory-based activation. VAMT can online-activate or proxy-activate an Active
Directory-based activation object. When Active Directory-based activation is deployed, any new
qualifying machines joined to the domain are activated automatically.
VAMT technical reference
http://go.microsoft.com/fwlink/?LinkId=378220&clcid=0x409
Volume Activation Services
You can use the Volume Activation Services server role to issue and manage Microsoft software volume
licenses in a simplified, automated manner, and to install and activate a KMS host key, and to configure
KMS. After this service is installed, you can use it to issue, monitor, and manage volume licenses for
Microsoft products that support volume activation based on computer account information in AD DS. You
can configure Active Directory-based activation and KMS activation when installing the Volume Activation
Services server role. This server role also includes the Volume Activation Tools console, which you can use
to activate and manage one or more volume activation license keys in AD DS or on a KMS host.
Question: What is the main benefit that VAMT provides for an environment without direct
Internet connectivity?
Troubleshooting Volume Activation
The steps you take to troubleshoot volume
activation are dependent on whether the problem
is associated with MAK activation or KMS
activation.
MAK Activation Troubleshooting
Use the following list to troubleshoot common
issues with MAK activation:
• Verify the activation status. You can verify activation status by looking for the "Windows is activated"
message in the System properties. You also can run the slmgr.vbs -dli command.
• If your computer will not activate over the Internet, ensure that an Internet connection is available
and that the computer is configured with the correct TCP/IP settings. You also might need to set a
proxy configuration from your browser. If the computer cannot connect to the Internet, try telephone
activation.
• If Internet and telephone activation both fail, you will need to contact the Microsoft Product
Activation Center.
KMS Activation Troubleshooting
Use the following list to troubleshoot common issues with KMS activation:
• Verify the activation status. You can verify activation status by looking for the "Windows is activated"
message in the System properties. You also can run the slmgr.vbs -dli command.
• Ensure that the KMS SRV record is present in DNS and that DNS does not restrict dynamic updates. If
DNS restrictions are intentional, you will have to provide the KMS host write permission to the DNS
database, or you will have to create the SRV records manually.
• Ensure that firewalls and routers do not block TCP port 1688.
• If your computer will not activate, verify that the KMS host is contacted by the minimum number of
clients required for activation. Until the KMS host has a count of 25, it will not activate Windows
clients, including Windows 8.1.
• Display the client Windows Application event log for event numbers 12288, 12289, and 12290 for
possible troubleshooting information.
Active Directory-Based Activation Troubleshooting
Use the following list to troubleshoot common issues with Active Directory-based activation:
• Verify the activation status. You can verify activation status by looking for the "Windows is activated"
message in the System properties. You also can run the slmgr.vbs -dli command.
• Ensure that computers can communicate with domain controllers. This includes network connectivity
and DNS name resolution.
• Ensure that there is at least one activation object in the AD DS configuration partition. If there are two
activation objects, one for client and one for server operating systems, the client object can be
safely deleted because the server object will activate both clients and servers.
• Active Directory-based activation is available only for domain-joined computers. If you remove a
computer from the domain, activation will fail on the next activation attempt.
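The KMS and Active Directory-based checks above, as a read-only PowerShell diagnostic for a Windows 8.1 client. This is an added example, not course material: it runs in an elevated, domain-joined session, and the activation-object container DN and object class it searches are assumptions to confirm with ADSI Edit in your own forest.

```powershell
# Added example (not part of the 20687C course): read-only volume activation
# checks for a Windows 8.1 client, following the KMS and AD-based lists above.

function Get-ActivationStatus {
    # Same data that slmgr.vbs -dli reports. LicenseStatus 1 = Licensed;
    # 0 Unlicensed, 2/3 grace, 5 Notification all need attention.
    Get-CimInstance -ClassName SoftwareLicensingProduct `
                    -Filter 'PartialProductKey IS NOT NULL' |
        Select-Object Name, LicenseStatus, GracePeriodRemaining,
                      KeyManagementServiceMachine, KeyManagementServicePort
}

function Test-KmsDiscovery {
    # A client uses the registry override if one is set, otherwise the
    # _vlmcs._tcp SRV record in DNS; either way TCP 1688 must be reachable.
    param([string]$Domain = $env:USERDNSDOMAIN)

    $spp   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
    $reg   = Get-ItemProperty -Path $spp -ErrorAction SilentlyContinue
    $hosts = @()
    if ($reg.KeyManagementServiceName) {
        $port   = if ($reg.KeyManagementServicePort) { [int]$reg.KeyManagementServicePort } else { 1688 }
        $hosts += [pscustomobject]@{ Source = 'Registry'; Host = $reg.KeyManagementServiceName; Port = $port }
    }
    $srv = Resolve-DnsName -Name "_vlmcs._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    foreach ($r in $srv) {
        $hosts += [pscustomobject]@{ Source = 'DNS SRV'; Host = $r.NameTarget; Port = $r.Port }
    }
    if (-not $hosts) {
        return [pscustomobject]@{ Source = 'none'; Host = $null; Port = $null; TcpOpen = $false }
    }
    foreach ($h in $hosts) {
        # Firewall or router check from the troubleshooting list.
        $tcp = Test-NetConnection -ComputerName $h.Host -Port $h.Port -WarningAction SilentlyContinue
        $h | Add-Member -NotePropertyName TcpOpen -NotePropertyValue $tcp.TcpTestSucceeded -PassThru
    }
}

function Get-KmsClientEvent {
    # Security-SPP logs 12288 (request sent) and 12289 (response received,
    # including the host's current count) to the Application log; 12290 is
    # the host-side request record. Get-WinEvent errors when nothing matches,
    # so that case is silenced and yields an empty result.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12288, 12289, 12290
                                     StartTime = (Get-Date).AddDays(-$Days) } `
                 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, Message
}

function Get-AdActivationObject {
    # Activation objects are forest-wide and live in the configuration
    # partition; plain LDAP via DirectorySearcher needs no RSAT on the client.
    $root      = [ADSI]'LDAP://RootDSE'
    $cfg       = [string]$root.configurationNamingContext
    $container = "LDAP://CN=Activation Objects,CN=Microsoft SPP,CN=Services,$cfg"   # assumed DN
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]$container
    $searcher.Filter     = '(objectClass=msSPP-ActivationObject)'                    # assumed class
    try {
        foreach ($result in $searcher.FindAll()) {
            [pscustomobject]@{
                Name              = [string]$result.Properties['name'][0]
                DistinguishedName = [string]$result.Properties['distinguishedname'][0]
            }
        }
    }
    catch {
        # No container means the schema is below Windows Server 2012 or the
        # role service was never configured: AD-based activation cannot work.
        Write-Warning "Activation object container not found: $($_.Exception.Message)"
    }
}

Get-ActivationStatus   | Format-Table -AutoSize
Test-KmsDiscovery      | Format-Table -AutoSize
Get-KmsClientEvent     | Format-Table -AutoSize -Wrap
Get-AdActivationObject | Format-Table -AutoSize
```

A client that shows no SRV host, a closed port, or only 12288 events without a matching 12289 has a discovery or network problem rather than a count-threshold problem.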
Volume activation troubleshooting
http://go.microsoft.com/fwlink/?LinkId=378221&clcid=0x409
Question: Will the user be notified immediately if a Windows 8.1 computer cannot
reactivate by using a KMS host?
Lab C: Deploying a Windows 8.1 Image
Scenario
A. Datum has captured a reference Windows 8.1 image. You have been asked to perform the offline
update of the image by injecting the driver and enabling the Telnet Client feature. You also will deploy
the updated image and test the changes.
Objectives
After completing this lab, you will be able to:
• Perform offline servicing and deploy a Windows 8.1 image.
Estimated Time: 40 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, and 20687C-LON-REF1
User name: Adatum\Administrator
Password: Pa$$w0rd
Exercise 1: Performing Offline Servicing and Deploying a Windows 8.1
Image
Scenario
Students will mount a Windows 8.1 image and perform offline servicing of the image by injecting the
driver. They then will unmount the image and apply it to the LON-REF1 computer.
The main tasks for this exercise are as follows:
1. Perform offline servicing of the Windows image.
2. Use Deployment Image Servicing and Management (DISM) to deploy a Windows image.
Task 1: Perform offline servicing of the Windows image
1. Sign in to LON-CL1 as Adatum\Administrator.
2. Use File Explorer to verify that the C:\Mount folder is empty.
3. Use Dism.exe to mount the image E:\labfiles\mod02\share\Win81.wim in the C:\Mount folder by
using image index 1.
Note: If the image Win81.wim is not yet captured or you didn't capture it in Lab B, you can use
E:\labfiles\mod02\sources\install.wim instead.
4. Use the dir command to view driver packages in the mounted Windows 8.1 image.
5. Use Dism.exe to inject the driver C:\Labfiles\drivers\dc3dh.inf into the mounted image.
6. Use the dir command to confirm that the folder for the driver package has been created in the
C:\mount\Windows\System32\DriverStore\FileRepository folder.
7. Use Dism.exe with the Get-Features parameter to list the Windows 8.1 features and their states in
the mounted image.
8. Use Dism.exe to enable the Telnet Client feature in the mounted image.
9. Use Dism.exe with the Unmount-Wim parameter to unmount the image and commit the changes.
Task 2: Use Deployment Image Servicing and Management (DISM) to deploy a
Windows image
1. On LON-REF1, use Diskpart to clean Disk 0.
2. Create a primary partition on the disk, format it with the NTFS file system, and then assign drive letter
C to the volume.
3. Use Dism.exe to apply the image win81.wim, located on drive G to volume C.
4. Use the dir command to verify that the Windows 8.1 image has been applied to drive C.
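The two lab tasks above as PowerShell functions, added here as an example and not part of the lab files. Paths, image index 1, the dc3dh.inf driver and the TelnetClient feature name are the lab's; it assumes LON-REF1 is booted to Windows PE for Task 2, that the applied image is at G:\win81.wim, and that DISM names the driver-store folder <inf>_<arch>_<hash>.

```powershell
# Added example (not part of the 20687C lab files): Lab C as two functions,
# each step checked so a failed step is never committed into the image.

function Invoke-Dism {
    # Run dism.exe and stop on any non-zero exit code.
    param([string[]]$Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Task 1 (on LON-CL1): mount, inject the driver, enable Telnet Client, commit.
function Invoke-OfflineServicing {
    param(
        [string]$Wim      = 'E:\labfiles\mod02\share\Win81.wim',   # or E:\labfiles\mod02\sources\install.wim
        [string]$MountDir = 'C:\Mount',
        [string]$Driver   = 'C:\Labfiles\drivers\dc3dh.inf'
    )
    if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
    if (Get-ChildItem -Path $MountDir -Force) { throw "$MountDir must be empty before mounting" }

    Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", '/Index:1', "/MountDir:$MountDir")
    try {
        $repo = Join-Path $MountDir 'Windows\System32\DriverStore\FileRepository'
        Get-ChildItem -Path $repo -Directory | Select-Object -ExpandProperty Name   # step 4: packages before
        Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$Driver")
        # Step 6: the driver package must now have its own folder (assumed <inf>_<arch>_<hash> naming).
        $infName = Split-Path $Driver -Leaf
        $added   = Get-ChildItem -Path $repo -Directory | Where-Object { $_.Name -like "${infName}_*" }
        if (-not $added) { throw "no $infName package folder found in $repo" }

        Invoke-Dism @("/Image:$MountDir", '/Get-Features')
        Invoke-Dism @("/Image:$MountDir", '/Enable-Feature', '/FeatureName:TelnetClient')
        Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
    }
    catch {
        # Discard a half-serviced image instead of leaving it mounted or committing it.
        & dism.exe /Unmount-Wim "/MountDir:$MountDir" /Discard
        throw
    }
}

# Task 2 (on LON-REF1, assumed booted to Windows PE): clean disk 0, create C:, apply.
function Invoke-ImageApply {
    param(
        [string]$ImageFile  = 'G:\win81.wim',
        [int]   $DiskNumber = 0
    )
    # The lab's Diskpart operations, run non-interactively from a script file.
    $script = @"
select disk $DiskNumber
clean
create partition primary
format fs=ntfs quick
assign letter=C
"@
    $scriptPath = Join-Path $env:TEMP 'clean-disk.txt'
    Set-Content -Path $scriptPath -Value $script -Encoding ASCII
    & diskpart.exe /s $scriptPath
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed with exit code $LASTEXITCODE" }

    Invoke-Dism @('/Apply-Image', "/ImageFile:$ImageFile", '/Index:1', '/ApplyDir:C:\')
    # Step 4: an applied image has a Windows folder on C:.
    if (-not (Test-Path 'C:\Windows\System32')) { throw 'image was not applied to C:' }
    Get-ChildItem -Path 'C:\' | Select-Object -ExpandProperty Name
}
```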

Results: After completing this exercise, you should have updated a Windows 8.1 installation image.
Prepare for the next module
When you have finished the lab, revert all virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1 and 20687C-LON-REF1.
Module Review and Takeaways
Review Questions
Question: Can you use the Client Hyper-V feature on 32-bit versions of Windows 8.1 Enterprise?
Question: One of your users has been promoted to a new position and has been given a new
computer. The user needs the new apps that the job requires. The user also needs to have the
documents and settings from the old Windows 7 computer transferred to the new computer.
How should you perform the Windows 8.1 installation?
Module 3
Managing Profiles and User State in Windows 8.1
Contents:
Module Overview 3-1
Lesson 1: Managing User Profiles 3-2
Lesson 2: Configuring User State Virtualization 3-8
Lab A: Configuring Profiles and User State Virtualization 3-21
Lesson 3: Migrating User State and Settings 3-27
Lab B: Migrating User State by Using USMT 3-34
Module Review and Takeaways 3-38

Module Overview
User profiles store user settings and data. For users working on a single computer, profiles can be stored
locally. However, for users who roam between multiple computers, the user profile, or at least some parts
of it, should be available on the network. This module describes the different user profile types. It also
describes Microsoft User Experience Virtualization (UE-V), which you can use to synchronize settings
between computers without using roaming user profiles. The operating system itself provides user
profiles, whereas UE-V is a separate product that is part of the Microsoft Desktop Optimization Pack. In
this module, you will learn about UE-V features and how to deploy UE-V and configure it on your
network. You also will learn how to migrate user state and settings to computers running Windows 8.1
operating systems.
Objectives
After completing this module, you will be able to:
• Manage user profiles.
• Configure User State Virtualization.
• Migrate user state and settings.
Lesson 1
Managing User Profiles
A user who signs in to the Windows operating system must have his or her user profile, which stores user
settings such as the desktop theme, data such as the files stored in the Documents folder, screen saver
settings, and desktop icons. This lesson introduces each user profile type, explains how to configure user
profiles, and explains when to use a user profile type. It also describes how you can use Group Policy for
managing user profiles and the differences between roaming user profiles and redirected folders.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe user profiles in Windows 8.1.
• Describe user profile types.
• Explain how to manage user profiles by using Group Policy.
• Configure roaming user profiles and Folder Redirection.
• Explain how to use the Primary Computer setting to control profiles.
User Profiles in Windows 8.1
For security reasons, Windows 8.1 requires that
each user who signs in has a user profile. A user
profile is created when a user signs in for the first
time. The initial user profile is based on the
default user profile, and it is used for all
subsequent sign-ins. User profiles contain details
of the user environment, such as Start screen
settings, desktop settings, user documents, Start
screen tiles and their layout, and the user hive of
the registry. By default, the user profile is stored
on the same drive as the Windows operating
system in the Users folder. The user profile is used
only when the user signs in to the same computer, but you can change the location and the user profile
type.
Elements in a User Profile
A user profile contains the following elements:
• User part of the registry. User profiles contain the NTuser.dat file, which is the user part of the
registry. When the user signs in, this file is loaded by the system, and it is mapped to the
HKEY_CURRENT_USER registry subtree. NTuser.dat contains user settings such as desktop
background and screen saver settings.
• Set of folders. For each user who signs in, a separate subfolder with his or her name is created in the
Users folder. This folder is a container for applications, user settings, and data that are organized in
various subfolders, such as AppData, Desktop, Downloads, and Documents.
Advantages of User Profiles
User profiles provide the following advantages:
• User settings are persistent. With user profiles, users have the same settings as when they signed out
the last time.
• If multiple users are sharing the same computer, individual users have their own customized
environment when they sign in.
• Settings in the user profile are unique to each user. When users change settings in their user profiles,
this does not affect other users whose profiles are on the same computer.
Customizing the Start screen
http://go.microsoft.com/fwlink/?LinkId=378222&clcid=0x409
Customize the Default User Profile by Using CopyProfile
http://go.microsoft.com/fwlink/?LinkId=378223&clcid=0x409
Question: By default, where is the local user profile stored in Windows 8.1?
User Profile Types
Windows 8.1 requires each user to have a user
profile. User profiles are created during a user's
first sign-in and are stored in the Users folder.
User profiles are created based on the content in
the default profile in the Users folder. There are
three different types of user profiles:
• Local. Available only on a single computer.
• Roaming. Can roam between domain-joined
computers.
• Mandatory. Special type of preconfigured
user profile that does not store user changes
between sign-ins.
Local User Profiles
When a user signs in to a computer for the first time, the operating system automatically creates a local
user profile that will be used for all subsequent sign-ins to the same computer. The local user profile is
used only when a user signs in to the computer where the profile was created, and it is useful when a user
is using a single computer. If a user roams between multiple computers, then by default, separate local
user profiles will be created on each computer. This means that modifications and documents that the
user created on one computer will not be used or available on other computers. Therefore, local profiles
should be avoided if a user signs in to multiple devices.
Roaming User Profiles
In a domain environment, administrators can configure a user with a roaming user profile by configuring
his or her profile path. With roaming user profiles, user settings and data are stored on a network location
and locally on the computer where the user signs in. When a user signs in, the local copy of the user
profile is compared to the copy that is stored on the network location, and only new files are copied
locally. The user can change settings and create data files, which are stored in the local user profile copy.
When the user signs out, these changes are copied to the network location. If users roam between
multiple computers, their documents and settings will follow them.
If a user profile contains a lot of data, or if the user stores large files on the desktop, then the process of
signing in to the computer might take a long time. If a user signs in to multiple computers at the same
time, changes performed on one computer will override changes performed on a second computer
because user profile changes are copied to the network location only when the user signs out. Some parts
of the user profile, such as Temporary Internet Files or AppData\Local, are never copied to the network
location, even if roaming user profiles are used.
Mandatory User Profiles
A mandatory user profile is a type of roaming user profile that administrators can assign to users.
With mandatory user profiles, user changes are stored in the local copy of the user profile, but are not
preserved after a user signs out from the computer. When the user signs in again, the mandatory user
profile is downloaded from the network location, and it overrides the local user profile copy. The two
types of mandatory user profiles are normal mandatory profiles and super-mandatory profiles.
Administrators can configure users with mandatory user profiles first by configuring them with roaming
user profiles and then by renaming the NTuser.dat file in their profiles to NTuser.man. The .man extension
causes user modifications to the profile to be discarded at the next sign-in and user profiles to behave as
read-only.
Super-Mandatory User Profiles
User profiles become super-mandatory when the administrator adds the .man extension to a user's
roaming user profile folder name. For example, if a roaming user profile is stored in the
\\Server\Profiles\User1.V2 folder, the administrator can add the .man extension to the folder and store the
roaming user profile at \\Server\Profiles\User1.man.V2. Mandatory and super-mandatory user profiles
behave similarly; both do not preserve user modifications. If a user is configured with a super-mandatory
profile, he or she will not be able to sign in if the network copy of the profile is not available. In such
cases, users with a normal mandatory profile would still be able to sign in, and they would get temporary
profiles, which could be against company policy.
Question: When would you configure users with roaming user profiles?
Managing User Profiles by Using Group Policy
You can use Group Policy to manage user
environments centrally, including many of the
user profile settings. Group Policy includes many
user profile-related settings that can be
configured for users and computers. Some of the
user profile settings that can be configured by
using Group Policy include:
• Limit the size of a user profile
• Exclude user profile directories from roaming
• Prevent users from sharing files in their
profiles
• Set roaming profile paths for users
• Prevent roaming profile changes from propagating to a server
• Set the schedule for a background upload of a roaming user registry file
Folder Redirection is a Group Policy setting that is most often used for configuring user profiles.
Administrators can use Folder Redirection to redirect individual folders from a user profile to a new
location. For example, an administrator can redirect the Documents folder from a local or roaming user
profile to a separate network location. The contents of a redirected folder are available from any
computer on the network and are not copied to the computer on which a user signs in, as with roaming
user profiles. Folder Redirection also provides users with access to the same configuration and data on
multiple domain computers without copying user profiles locally, as with roaming user profiles. You can
configure Folder Redirection by modifying Policies/Windows Settings/Folder Redirection settings in the
User Configuration part of the Group Policy.
Redirected folders are stored on a network share, and users access them transparently, in the same way as
when they are stored in a local user profile. The Offline Files feature, which is enabled by default for redirected
folders, provides users with access to the content in redirected folders even when there is no network
connectivity. Offline Files does this by keeping a copy of the redirected content in the local Offline Files cache,
so on a portable computer the data is still present on the local disk. Protect that cache with BitLocker Drive
Encryption or the Encrypt the Offline Files cache Group Policy setting, or use the Do not automatically make
specific redirected folders available offline policy setting for folders whose content must not leave the network.
The administrator configures Folder Redirection by using user settings in Group Policy, and by doing so, can
redirect individual folders in a user profile. In Windows 8.1, an administrator can redirect 13 folders in user
profiles, including Desktop, Start Menu, and Documents. Administrators can redirect only the predefined folders
in a user profile. For each user with redirected folders, a new subfolder with the user's sign-in name is created,
and folders can be redirected to the same location or to different locations based on user group membership.
When you configure Folder Redirection, you also configure what happens if Folder Redirection is no longer in
effect for a user. The options are to leave the redirected content in the network location or to move the content
back to its original location in the user's profile. Folder Redirection can redirect many parts of a user profile,
but the settings stored in NTuser.dat cannot be redirected. Because of this, some administrators use roaming user
profiles together with Folder Redirection.
Folder Redirection provides several advantages:
Contents of redirected folders are available from any computer in the domain.
Contents of redirected folders are not copied to local computers at sign-in, as a roaming user profile is, which
minimizes network traffic during user sign-in.
Administrators can set quotas (limiting disk space) and permissions on redirected folders. By doing so,
administrators can control how much space a user can use and whether the user can modify the contents of
that part of the profile, for example, Desktop.
Redirected folders are stored on network locations (network shares) and not on local computers. If a
local hard drive fails, users can still access data in redirected folders from a different computer.
Contents of redirected folders can be backed up centrally because they are not stored locally on user
computers. If Shadow Copies for Shared Folders is configured on a network location, users can access
previous versions of their redirected files.
Folder Redirection Overview
http://go.microsoft.com/fwlink/?LinkId=378224&clcid=0x409
Question: What is the main difference between roaming user profiles and redirected
folders?
Demonstration: Configuring Roaming User Profiles and Folder Redirection
In this demonstration, you will see how to configure roaming user profiles and Folder Redirection.
Demonstration Steps
1. On LON-DC1, in Active Directory Users and Computers, show the Profile Path property of user Adam
Barr, who is located in the Marketing organizational unit (OU).
2. On LON-DC1, in the Group Policy Management Console (GPMC), show how the Documents folder is
redirected to \\LON-DC1\Redirected in the Folder Redirection Group Policy.
3. On LON-DC1, verify that the Profiles and Redirected folders are empty.
4. Sign in to LON-CL1 as Adatum\Adam.
5. On Adam Barr's desktop, create a folder named Presentations, add a shortcut to Local Disk (C:), and
then add the This PC icon.
6. In Notepad, create a file with your name, and then save it in the Documents library.
7. Verify that the file is stored in the \\LON-DC1\redirected\Adam\Documents folder, and that it is not
stored inside the Adam local profile.
8. Sign out of LON-CL1.
9. On LON-DC1, verify that the Profiles and Redirected folders are no longer empty. The Profiles folder
contains the Adam Barr roaming user profile (Adam.V2), whereas the Redirected folder contains the
Adam redirected Documents folder.
10. Sign in to LON-CL2 as Adatum\Adam.
11. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local
Disk (C:) shortcut.
12. Verify that you can access the file transparently with your name that you created in Notepad.
Using the Primary Computer Setting to Control Profiles
When an administrator configures users with
roaming user profiles and Folder Redirection,
these settings apply to users irrespective of the
domain computer they sign in to. But, sometimes
you might want to restrict roaming user profiles
and Folder Redirection to be available only when
a user signs in to specific computers. This could be
because you do not want a user to leave any
personal or company data when he or she signs
out, or you do not want to roam the user's
settings and data between 32-bit and 64-bit client
computers. For computers running Windows 8.1
in domain environments, you can apply this restriction by using the Primary Computer feature. By using
the Primary Computer feature, an administrator can specify a list of computers, known as primary
computers, for each domain user. Folder Redirection, roaming user profiles, or both features are used only
when a user signs in to a computer on his or her primary computer list.
To use the Primary Computer feature, the Microsoft Active Directory Domain Services (AD DS) schema
must be extended to at least the Windows Server 2012 level. A Windows Server 2012 domain controller is
not required, but the AD DS schema must be extended. The Primary Computer feature will work only
when a user signs in to a Windows 8, Windows Server 2012, or a newer Windows operating system
because older versions of Windows operating systems will ignore the Primary Computer setting. The
Group Policy settings that configure the Primary Computer feature require Windows 8, Windows Server 2012, or a
newer operating system. Older clients and servers will not understand these settings, so they will simply ignore
the settings.
An administrator can configure the primary computers list for a user in one of two ways:
By configuring the msDS-PrimaryComputer user attribute, for example, in Active Directory
Administrative Center.
By running the Set-ADUser Windows PowerShell cmdlet.
After configuring the list of primary computers for a user, an administrator also should enable the
Redirect folders on primary computers only and Download roaming profiles on primary computers
only Group Policy settings.
Deploy Primary Computers for Folder Redirection and roaming user profiles
http://go.microsoft.com/fwlink/?LinkID=291264&clcid=0x409
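The following is an added example, not code from the course text, that carries out both steps with the ActiveDirectory and GroupPolicy Windows PowerShell modules on a domain controller or a management computer with RSAT. It assumes the Adatum domain from the demonstration, a user with the sAMAccountName Adam, primary computers LON-CL1 and LON-CL2, a GPO named Primary Computer, and the registry value names PrimaryComputerEnabledRUP and PrimaryComputerEnabledFR behind the two policy settings (assumed from the UserProfiles.admx and FolderRedirection.admx templates; verify them against the templates in your own central store before use).

```powershell
# Added example: populate msDS-PrimaryComputer for one user and enable the two
# Group Policy settings that make Windows honour it. Assumptions: domain Adatum,
# user Adam, primary computers LON-CL1 and LON-CL2, GPO "Primary Computer", and
# the AD DS schema already extended to the Windows Server 2012 level (the
# attribute must exist before Set-ADUser can write it).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$user             = 'Adam'
$primaryComputers = 'LON-CL1', 'LON-CL2'

# The attribute holds distinguished names of computer objects. Resolve them with
# Get-ADComputer instead of typing them: at sign-in the client compares its own
# DN with the list, so a mistyped DN silently disables the restriction.
$computerDNs = foreach ($name in $primaryComputers) {
    (Get-ADComputer -Identity $name).DistinguishedName
}

# msDS-PrimaryComputer is multi-valued. -Replace writes the complete list and
# drops stale entries; use -Add only when appending to an existing list.
Set-ADUser -Identity $user -Replace @{ 'msDS-PrimaryComputer' = $computerDNs }

# Read back what was actually written.
$written = (Get-ADUser -Identity $user -Properties 'msDS-PrimaryComputer').'msDS-PrimaryComputer'
$written | ForEach-Object { Write-Output "Primary computer for ${user}: $_" }

# The attribute alone changes nothing. Enable the two policy settings named in
# the text in a GPO that applies to the users (FR) and to their computers (RUP).
# Registry value names are assumed from the ADMX templates; check them first.
$gpoName = 'Primary Computer'
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
}
# Computer Configuration\Policies\Administrative Templates\System\User Profiles\
#   Download roaming profiles on primary computers only
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'PrimaryComputerEnabledRUP' -Type DWord -Value 1 | Out-Null
# User Configuration\Policies\Administrative Templates\System\Folder Redirection\
#   Redirect folders on primary computers only
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'PrimaryComputerEnabledFR' -Type DWord -Value 1 | Out-Null
```

The GPO still has to be linked to the OUs that contain the users and the computers; the example deliberately stops short of that because the link target depends on your OU design. Resolving the DNs from the computer objects rather than hand-writing them is the check that matters: an attribute value that does not exactly match the computer's DN is ignored, and the user then gets the roaming profile and redirected folders on every computer.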
Question: Do you need Windows Server 2012 or newer domain controllers in your network
to limit where Folder Redirection and roaming user profiles will be available?
Lesson 2
Configuring User State Virtualization
UE-V is an enterprise-scale user state virtualization solution that synchronizes application and operating
system settings across many devices in a domain environment. It requires an agent on each client device,
and it stores configuration data on a shared folder. An administrator can use Group Policy to configure
UE-V settings and control which application settings will synchronize. Before you can use UE-V, you first
must deploy the UE-V agent to each computer on which you want to use UE-V for settings
synchronization. You also must create and share the folder for the settings storage location. If you want to
synchronize more than just default settings, you also must create custom settings location templates,
store them to the settings template catalog, and configure clients with the settings template catalog
location.
Lesson Objectives
After completing this lesson, you will be able to:
Describe UE-V.
Explain how UE-V works.
Explain how UE-V synchronizes settings.
Compare roaming user profiles, Microsoft account, and UE-V.
Explain how to prepare the environment for deploying UE-V.
Explain how to deploy UE-V.
Explain how to manage UE-V by using Group Policy.
Explain how to create and edit UE-V templates.
Overview of UE-V
For users who are working on multiple computers,
you can use roaming user profiles and Folder
Redirection to make their settings and data
available on every domain computer that they
sign in to. An administrator can configure a user's
primary computers list to control which
computers will use Folder Redirection and
roaming user profiles. However, roaming user
profiles and Folder Redirection include all user
profile settings and data.
UE-V is an enterprise solution that enables
synchronization of operating system settings,
desktop apps settings, and Windows Store apps settings between computers in the same AD DS domain
environment. Administrators can precisely control to which computers settings will roam, and which
settings will roam. In contrast to roaming user profiles where everything in the profile roams, with UE-V,
nothing roams unless specifically enabled. UE-V provides several default settings location templates that
define where each application stores its settings. Administrators can create additional settings location
templates, and UE-V will synchronize only those settings that are defined and enabled in the settings
location templates.
Note: For Windows Store apps, you can control only whether UE-V synchronizes an app's settings or
not. You cannot control which of a Windows Store app's settings are synchronized.
UE-V stores settings in the network settings storage location as soon as a user closes an application, and those
settings can then be synchronized to other computers without the user having to sign out. Computers periodically
synchronize their settings with the network location, and if computers have permanent connectivity to the
network location, you can configure them to use the stored settings immediately.
Note: If a user links a Microsoft account with his or her domain account, UE-V synchronizes only the
settings of desktop apps. Users can synchronize other settings, such as operating system settings and the
settings of Windows Store apps, by using Microsoft SkyDrive.
UE-V synchronizes settings between apps on different platforms, as long as they are stored in the same
location. Regardless of how an app is deployed, UE-V can synchronize settings between locally installed
apps on one computer, Microsoft Application Virtualization (App-V) apps on another computer, and
RemoteApp programs on another Remote Desktop Session Host computer. UE-V also can synchronize
settings between Windows Store apps and between physical and virtual computers, such as the virtual
desktops used in Virtual Desktop Infrastructure (VDI) implementations.
Note: UE-V is not part of the Windows operating system. It is available as a part of
Microsoft Desktop Optimization Pack, which is available to customers with an appropriate
agreement with Microsoft. Before you can use UE-V, you must install the UE-V agent on each
computer on which you want to synchronize settings by using UE-V.
Note: UE-V can synchronize settings only, not user data. To make user data available from
multiple domain computers, use Folder Redirection.
You can use UE-V to synchronize operating system settings, apps settings, and Windows Store apps
settings between computers that are running supported operating systems and are members of the
AD DS domain. The following table lists the operating systems and system requirements for using UE-V.
Operating system                          Edition                                          Architecture       Microsoft .NET Framework
Windows 7 Service Pack 1 (SP1)            Ultimate, Enterprise, or Professional            32-bit or 64-bit   .NET Framework 4 or newer
Windows Server 2008 R2 SP1                Standard, Enterprise, Datacenter, or Web Server  64-bit             .NET Framework 4 or newer
Windows 8 and Windows 8.1                 Pro or Enterprise                                32-bit or 64-bit   .NET Framework 4.5
Windows Server 2012 and                   Standard or Datacenter                           64-bit             .NET Framework 4.5
Windows Server 2012 R2


Besides the requirements for supported operating systems, there are no additional RAM requirements for
UE-V. Administrator user rights are required for installing the UE-V agent, and you must restart the
computer to make the UE-V agent operational.
UE-V Windows PowerShell Prerequisites
You must install .NET Framework 4 or newer and Windows PowerShell 3.0 or newer before you can install
the UE-V agent. A default installation of Windows 8 or Windows 8.1 meets those requirements. However,
on Windows 7 SP1, you first need to install Windows PowerShell 3.0 before you can install the UE-V agent.
Computer Clock Synchronization
UE-V compares local time on a client computer with the time stamp of the stored settings on a network
location to decide if settings synchronization is required. Because of that, computer clocks on UE-V client
computers should be synchronized, which is the default behavior in an AD DS environment. If computer
clocks are not synchronized, older settings can overwrite newer settings, or newer settings might not be
stored to the network location.
Question: Can you synchronize user documents between computers by using UE-V?
How UE-V Works
To better understand the workings of UE-V, you
should be familiar with its high-level architecture
and the components that enable synchronization
of settings between computers. The following
sections describe the elements that are part of a
standard UE-V deployment.
UE-V Agent
You must install the UE-V agent on every
computer that will synchronize settings. The UE-V
agent monitors changes to settings and
synchronizes them between computers. It stores
settings on a network location called the settings
storage location, and it periodically synchronizes the local cache with the settings storage location. When
you start an app, the UE-V agent applies settings from the local cache, and when you close an app, the
UE-V agent stores the app settings to the settings storage location. This means that app settings are
available for synchronization as soon as you close an app. However, remember that when you start an
app, by default, settings from the local cache are used, not settings from the setting storage location on
the network. In an environment where a computer has permanent network connectivity, you can modify
this behavior and always use the settings from the settings storage location on the network. Operating
system settings are applied at sign-in, when a computer is unlocked, or when a user connects remotely to
a computer. The UE-V agent saves settings when a user signs out, when a computer is locked, or when a
remote session is disconnected.
Settings Storage Location
A settings storage location is the network location where the UE-V agent stores the settings that are
synchronized. Administrators can specify this location during UE-V agent installation, in AD DS as a user's
home folder, or by using Group Policy. The settings storage location can be on any file share where users
have read and write access. The UE-V agent verifies the location and creates a hidden system folder
named SettingsPackages into which it stores settings.
Settings Location Template
A settings location template is an XML file that specifies the settings locations where values are stored on a
computer, not the settings values. Only settings defined in the settings location templates are captured
and applied on UE-V client computers. Several settings location templates such as Microsoft Office 2010,
Microsoft Office 2007, Windows Internet Explorer 8, Windows Internet Explorer 9, Internet Explorer 10,
and desktop settings are included with UE-V. Administrators can create additional settings location
templates by using UE-V Generator.
Settings Template Catalog
A settings template catalog is a folder that stores settings location templates. This usually is a shared
folder, although a settings template catalog also can be a local folder. By default, a UE-V agent reads new
or updated settings location templates from this folder once per day. This is done by a scheduled task
named Template Auto Update, which runs daily at 3:30 A.M., and it applies the changes (modified, added,
or removed templates) to the UE-V agent. Because a template tells every agent which registry keys and files
to copy into and out of each user's profile, only administrators should be able to write to the catalog; client
computers need read access only. If only the default settings location templates are used, then the settings
template catalog is not used.
Settings Packages
Desktop app settings, Windows settings, and Windows Store app settings are stored in settings packages,
which are created by a UE-V agent in the settings storage location. A settings package is a collection of
settings that are defined in the settings location templates. A UE-V agent that is running on one computer
reads and writes to a settings storage location independently of UE-V agents that are running on other
computers. The most recent settings and values are applied when the next UE-V agent synchronizes with
the settings storage location.
UE-V Generator
UE-V includes several operating system and application settings location templates. When you need to
synchronize settings of additional applications, you can use the UE-V Generator to create additional,
custom settings location templates. UE-V Generator monitors the registry (the HKEY_CURRENT_USER
registry subtree) and file system (the AppData\Roaming and AppData\Local folders in user profiles) to
discover where application settings are stored. Administrators can modify a generated template and
include it in the settings template catalog. You also can use the UE-V Generator for editing existing
templates or for validating templates that were created in another XML editor.
Question: How often is the settings template catalog checked for changes?
How UE-V Synchronizes Settings
When you sign in to a Windows operating system,
UE-V synchronizes settings from a network
settings storage location with the local cache.
After that, the local cache is synchronized
periodically with the settings storage location
every 30 minutes by default. Synchronization is
triggered by a scheduled task named Sync
Controller Application, which is created when you
install a UE-V agent. You also can trigger
synchronization manually by using Company
Settings Center, which is installed automatically
during a UE-V agent installation.
When you start an app, UE-V applies settings to the app from the local cache. App settings are saved to a
network settings storage location when the app is closed. This means that a user does not have to sign out and
then sign in to another computer to synchronize app settings, as is the case when roaming user profiles are
used. When using UE-V to synchronize settings, the user can be signed in to multiple computers at the
same time. When you configure app settings and close an app, the app settings are written to the settings
storage location in a settings package. When the user starts the application on another computer, the UE-
V agent reads and applies app settings from the local cache on that computer. If the local cache has not
yet synchronized with the settings storage location, you can wait for synchronization to occur, trigger
synchronization manually, or modify the UE-V configuration to always use the settings from the settings
storage location on the network. The user experience with UE-V is similar to having app settings roam
with a user.
Note: If computers have permanent connections to a settings storage location, you can
configure the UE-V agent to always apply the settings from the network settings storage location.
You can do so by setting the synchronization method (SyncMethod) to none, for example, when
installing a UE-V agent or by running the Set-UevConfiguration cmdlet.
Desktop background and Ease of Access settings are applied when a user signs in, when a computer is
locked, or when a remote connection is established. To optimize the sign-in experience, these settings are
not synchronized by default. You can enable desktop background and Ease of Access settings by using
Company Settings Center, Group Policy, the Windows PowerShell cmdlet Enable-UevTemplate, or
Windows Management Instrumentation (WMI). Like synchronizing app settings, a user does not have to
sign out to store Windows settings to the settings storage location. The UE-V agent saves settings when a
user signs out, when a computer is locked, or when a remote connection is disconnected.
Users sometimes accidentally modify settings. UE-V provides the capability to restore application or
operating system settings to the initial values that were on a computer before the first UE-V
synchronization of settings. UE-V can restore settings on a per-application or per-operating system
setting basis. The settings are restored the next time a user starts the application or when a user signs in
to an operating system. You can restore settings only by using Windows PowerShell or WMI; there is no
graphical interface for it. UE-V provides the Restore-UevUserSetting Windows PowerShell cmdlet, which
you can use to restore user settings for an application or a group of Windows settings.
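The three agent-side operations this topic describes, as an added example that is not code from the course text, run with the UEV Windows PowerShell module on a client where the agent is installed. It assumes that the client has a permanent connection to the settings storage location (the precondition the note above gives for SyncMethod None), that Get-UevTemplate output exposes TemplateId, TemplateName and Enabled properties as in UE-V 2.0, and that Restore-UevUserSetting takes the template ID through -TemplateId; confirm the parameter and property names with Get-Help on your agent version.

```powershell
# Added example: switch a permanently connected client to reading settings
# straight from the settings storage location, enable the Desktop Background
# template, and roll one application's settings back to their pre-UE-V values.
# Assumptions: UE-V 2.0 cmdlet and property names; run on a client with the agent.
Import-Module UEV

# 1. Use the settings storage location directly instead of the local cache.
#    Only for computers with a permanent link to the share: with SyncMethod None
#    an unreachable share delays every application launch by the sync timeout.
Set-UevConfiguration -Computer -SyncMethod None

# 2. Desktop background is not synchronized by default. Look the template up by
#    name rather than hard-coding its ID, then enable it if it is disabled.
$background = Get-UevTemplate | Where-Object { $_.TemplateName -like '*Desktop Background*' }
if ($background -and -not $background.Enabled) {
    Enable-UevTemplate -ID $background.TemplateId
}

# 3. Restore Internet Explorer 10 settings to the values that existed on this
#    computer before the first UE-V synchronization. The rollback is applied the
#    next time the application starts; there is no graphical equivalent.
$ie = Get-UevTemplate | Where-Object { $_.TemplateName -like '*Internet Explorer 10*' }
if ($ie) {
    Restore-UevUserSetting -TemplateId $ie.TemplateId
}

# Confirm the agent state (enabled, restart pending) before handing the
# computer back to the user.
Get-UevStatus
```

Looking templates up by TemplateName keeps the script valid when Microsoft re-issues a template under a new ID; if a lookup returns nothing, the template is not registered on that client and the step is skipped rather than failing with an unknown ID.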
Question: Does a user have to sign out to synchronize application settings when using
UE-V?
Comparing Roaming User Profiles, Microsoft Account, and UE-V
When you want to synchronize settings between
the different computers that a user signs in to, you
can use different solutions such as roaming user
profiles, Microsoft account, or UE-V. Microsoft
account is the only solution that can synchronize
settings even if computers are not domain-joined,
but it requires Internet connectivity because it
stores settings in the cloud. You can synchronize
Windows Store apps configurations only when
signing in by using Microsoft account or if UE-V is
used. When a user has Microsoft account linked to
his or her domain account, UE-V will synchronize
desktop app settings only. You can use Microsoft account and SkyDrive synchronization to synchronize
other settings.
Note: Microsoft account provides you with a unified identity, which you can use for
accessing Microsoft and non-Microsoft cloud services. You can link your domain or workgroup
account with your Microsoft account, and you can also use it for transparent access to Microsoft
Store, SkyDrive or for signing in to Windows 8.1.
Roaming user profiles can synchronize only the entire profile, including the settings and data that are
stored in the profile. You cannot control which settings you want to synchronize, but in Windows 8 and
Windows 8.1, you can control the computers on which settings synchronize by configuring the
msDS-PrimaryComputer Active Directory user attribute. By default, roaming user profiles are copied to a file
server only when users sign out, and they are not synchronized periodically; Windows 8.1 can be configured to
upload only the user's registry hive (NTuser.dat) in the background on a schedule. When you configure Folder
Redirection, redirected folders are exempt from this copying.
If you use UE-V, to be able to synchronize settings, you must install a UE-V agent on the computer. UE-V
can synchronize only those settings which are defined in settings location templates, and it is the only
solution that can synchronize settings between physical and virtual applications. UE-V also is the only
solution that applies settings periodically, and not only when the user signs in. UE-V is not included in the
operating system, and it must be obtained and licensed separately. On the other hand, roaming user
profiles are a feature of domain-joined computers that run any supported version of the Windows operating system.
Microsoft account is freely available, and you can use it to sign in on any computer that runs Windows 8
or Windows 8.1.
Question: Can you use Microsoft account to synchronize settings between computers that
are running Windows 7 and computers that are running Windows 8.1?
Preparing the Environment for Deploying UE-V
Before deploying UE-V, you first should prepare
the environment for the deployment. This includes
the following steps:
1. Configure the settings storage location where
UE-V will store settings packages, which are
the settings that will be synchronized
between computers. This can be either the
user home directory, if you have it configured
in AD DS, or the network share that is
available from each computer. If the user
home directory is to be used as the settings
storage location, you should ensure that the
user has the home folder configured and that it is set on the Profile page of the user properties in
Active Directory Users and Computers. If a network share is to be used as the settings storage
location, you should create and share the folder with the permissions shown in the following tables.
Account                          Share permissions
Administrators                   Full Control
Security group of UE-V users     Full Control

Account                          NTFS permissions                                     Apply to
Administrators                   Full Control                                         This folder, subfolders, and files
Creator/owner                    Full Control                                         Subfolders and files only
Security group of UE-V users     List Folder/Read Data, Create Folders/Append Data    This folder only


You can configure the UE-V agent with the settings storage location by using an installation
parameter, a Windows PowerShell cmdlet, or Group Policy settings. If users have a home directory
defined and you configure a network share as the settings storage location, UE-V will store settings
packages on a network share, and not in the user home directory.
2. Configure the settings template catalog. The settings template catalog is not required, and it will be
used only if you want to use UE-V to synchronize additional application settings in addition to the
ones that are provided by default. The settings template catalog is a network share where custom
settings location templates are stored. If your UE-V deployment will use the settings template catalog,
you should create and share a folder with the permissions shown in the following tables.
Account               Share permissions
Everyone              No permissions
Domain computers      Read permission
Administrators        Read/write permission

Account               NTFS permissions                 Apply to
Creator/owner         Full Control                     This folder, subfolders, and files
Domain computers      List Folder Contents and Read    This folder, subfolders, and files
Everyone              No permissions
Administrators        Full Control

You can configure the UE-V agent with the settings template catalog location by using an installation
parameter, a Windows PowerShell cmdlet, or Group Policy settings.
3. Add UE-V Group Policy administrative templates. You can configure UE-V by using Group Policy, but
before doing so, you must add UE-V administrative templates, which are .admx and .adml files, to the
appropriate location. This could be either the local %SystemRoot%\PolicyDefinitions folder on each
computer from where you will configure Group Policy, or the central store on the domain controller,
%SystemRoot%\SYSVOL\domain\Policies\PolicyDefinitions, if your domain environment is configured to use it.
After you copy the UE-V Group Policy administrative templates to this location, the Microsoft User Experience
Virtualization node appears under Policies\Administrative Templates\Windows Components in the Computer
Configuration and User Configuration parts of the Group Policy settings.
Microsoft Desktop Optimization Pack Administrative templates download page
http://go.microsoft.com/fwlink/?LinkId=378225&clcid=0x409
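The three preparation steps above, carried out end to end, as an added example that is not code from the course text. It assumes the Adatum.com domain with LON-DC1 as the file server, a security group ADATUM\UEV-Users that contains the UE-V users, UE-V administrative templates extracted to C:\MDOP\UEV-ADMX (with the .adml files in an en-US subfolder), and the UEV Windows PowerShell module on a client where the agent is installed. The NTFS entries are written with icacls so that each "Apply to" scope from the tables maps to an explicit inheritance flag.

```powershell
# Added example: create the settings storage and template catalog shares with
# the permissions from the tables, copy the ADMX/ADML files to the central
# store, and point a client at both shares. Assumptions: domain Adatum.com,
# file server LON-DC1, group ADATUM\UEV-Users, templates in C:\MDOP\UEV-ADMX.
# Run parts 1 to 3 elevated on LON-DC1, part 4 elevated on a client.

# ----- 1. Settings storage location --------------------------------------------
$storeRoot = 'C:\Shares\UEVStore'
New-Item -Path $storeRoot -ItemType Directory -Force | Out-Null

# Remove inherited ACEs, then grant exactly the table's entries:
#   Administrators : Full Control, this folder, subfolders and files -> (OI)(CI)F
#   CREATOR OWNER  : Full Control, subfolders and files only         -> (OI)(CI)(IO)F
#   UEV-Users      : List Folder/Read Data + Create Folders/Append Data,
#                    this folder only                                -> (RD,AD), no inheritance flags
# Net effect: a user can create the one %username% subfolder the agent makes and,
# as its creator/owner, fully control it, but cannot open another user's packages.
icacls $storeRoot /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'CREATOR OWNER:(OI)(CI)(IO)F' `
    /grant 'ADATUM\UEV-Users:(RD,AD)' | Out-Null

# Share permissions: Full Control for both; NTFS does the real limiting.
New-SmbShare -Name 'UEVStore' -Path $storeRoot `
    -FullAccess 'BUILTIN\Administrators', 'ADATUM\UEV-Users' | Out-Null

# ----- 2. Settings template catalog --------------------------------------------
$catalogRoot = 'C:\Shares\UEVCatalog'
New-Item -Path $catalogRoot -ItemType Directory -Force | Out-Null

# Templates define what every agent copies in and out of user profiles, so only
# Administrators write; Domain Computers (the agents) read; Everyone gets nothing.
icacls $catalogRoot /inheritance:r `
    /grant 'BUILTIN\Administrators:(OI)(CI)F' `
    /grant 'CREATOR OWNER:(OI)(CI)F' `
    /grant 'ADATUM\Domain Computers:(OI)(CI)RX' | Out-Null

New-SmbShare -Name 'UEVCatalog' -Path $catalogRoot `
    -ReadAccess 'ADATUM\Domain Computers' -ChangeAccess 'BUILTIN\Administrators' | Out-Null

# ----- 3. ADMX/ADML files into the central store --------------------------------
$central = '\\Adatum.com\SYSVOL\Adatum.com\Policies\PolicyDefinitions'
Copy-Item -Path 'C:\MDOP\UEV-ADMX\*.admx'       -Destination $central
Copy-Item -Path 'C:\MDOP\UEV-ADMX\en-US\*.adml' -Destination (Join-Path $central 'en-US')

# ----- 4. On a client with the UE-V agent installed ------------------------------
# %username% is expanded by the agent, not by PowerShell, so it is single-quoted.
Import-Module UEV
Set-UevConfiguration -Computer `
    -SettingsStoragePath '\\LON-DC1\UEVStore\%username%' `
    -SettingsTemplateCatalogPath '\\LON-DC1\UEVCatalog'
Get-UevConfiguration -Computer | Format-List SettingsStoragePath, SettingsTemplateCatalogPath
```

A quick check after part 1: sign in as a member of UEV-Users, create a folder under \\LON-DC1\UEVStore, then try to open a folder created by another user. The first must succeed and the second must fail with Access denied; if both succeed, the (RD,AD) entry was given inheritance flags and every user can read every other user's settings packages.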
Question: What must you do before you can use Group Policy to configure UE-V?
Deploying UE-V
You must install the UE-V agent on each
computer that will use UE-V to synchronize
settings. The UE-V installation file supports various
command-line parameters such as
SettingStoragePath,
SettingsTemplateCatalogPath, and
SyncMethod, which you can use for initial UE-V
configuration. All command-line parameters are
documented in the UE-V administrator's guide on
the Microsoft TechNet website.
You can deploy the UE-V agent by using almost
any software or operating system deployment
tool, such as manual installation or Group Policy, or by including it in the standard desktop image. The
following table lists various deployment methods and when to use them.
Method                                              Use this method when
Group Policy                                        You have already deployed software by using Group Policy.
                                                    You want to deploy the UE-V agent to existing computers.
                                                    You want to deploy the UE-V agent after operating system
                                                    images are deployed.
                                                    You are configuring the UE-V agent by using Group Policy and
                                                    not by using command-line options.
                                                    Computers have high-speed, persistent connections to the
                                                    shared folder that contains the installation files.
Microsoft Deployment Toolkit 2012                   You use the Microsoft Deployment Toolkit (MDT) for operating
                                                    system deployment.
                                                    You want to deploy the UE-V agent as part of an operating
                                                    system deployment.
Windows Intune                                      You already use Windows Intune for client management.
                                                    You want to deploy the UE-V agent without requiring
                                                    additional infrastructure.
                                                    You have computers in multiple locations with limited
                                                    connectivity between locations.
Microsoft System Center 2012 R2                     You already use System Center 2012 R2 Configuration Manager
Configuration Manager                               for application and operating system deployment.
                                                    You want to use one deployment tool to deploy the UE-V agent
                                                    to existing computers and during operating system
                                                    deployment.
                                                    Computers have high-speed, persistent connections to the
                                                    distribution points where the UE-V agent installation files are
                                                    located.
                                                    You want to manage and maintain your application
                                                    deployments centrally.
Scripted installation                               You want to script the installation as part of an operating
                                                    system installation, and you are not using MDT or System
                                                    Center 2012 R2 Configuration Manager.
                                                    You want to deploy the UE-V agent by using a third-party
                                                    Electronic Software Distribution system.
                                                    Computers might not have high-speed, persistent connections
                                                    to the enterprise network, and installation from local media is
                                                    required.

After the UE-V agent is installed, you must restart the computer to make the UE-V agent operational.
After the installation, a new service named User Experience Virtualization is installed. Also, the following
six scheduled tasks are added:
Collect CEIP data
Monitor Application Settings
Sync Controller Application
Synchronize Settings at Logoff
Template Auto Update
Upload CEIP data
These tasks periodically synchronize the local cache with the settings storage location, check for updates
in the UE-V settings location templates, and upload data if you joined the Customer Experience
Improvement Program (CEIP). UE-V agent installation also installs the Company Settings Center, which
you can use to control what settings UE-V should synchronize, to manually trigger the synchronization,
and to view the synchronization status of UE-V.
UE-V Administrator's Guide
http://go.microsoft.com/fwlink/?LinkId=378226&clcid=0x409
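A scripted installation of the agent, followed by the post-installation checks this topic describes, as an added example that is not code from the course text. It assumes the installer was copied to C:\Install\AgentSetup.exe, that the settings storage and catalog shares are \\LON-DC1\UEVStore and \\LON-DC1\UEVCatalog, that the installer accepts the SettingsStoragePath, SettingsTemplateCatalogPath and SyncMethod parameters the text names together with the usual /quiet and /norestart switches, and that the six scheduled tasks are registered under the \Microsoft\UE-V\ task path (an assumption; check Task Scheduler on a reference machine).

```powershell
# Added example: unattended UE-V agent setup plus the checks a deployment
# script should make before it reports success. Assumptions: installer path,
# share names and the \Microsoft\UE-V\ task path as stated in the lead-in.
# Run elevated; the agent becomes operational only after a restart.

$installer = 'C:\Install\AgentSetup.exe'
$arguments = @(
    '/quiet', '/norestart',
    'SettingsStoragePath=\\LON-DC1\UEVStore\%username%',   # expanded by the agent
    'SettingsTemplateCatalogPath=\\LON-DC1\UEVCatalog',
    'SyncMethod=SyncProvider'
)
$setup = Start-Process -FilePath $installer -ArgumentList $arguments -Wait -PassThru
if ($setup.ExitCode -notin 0, 3010) {          # 3010 = installed, restart required
    throw "UE-V agent setup failed with exit code $($setup.ExitCode)"
}

# The service exists immediately but stays stopped until the restart.
Get-Service | Where-Object DisplayName -like 'User Experience Virtualization*' |
    Select-Object Name, Status, StartType

# Confirm that all six scheduled tasks from the text were registered.
$tasks    = Get-ScheduledTask -TaskPath '\Microsoft\UE-V\' -ErrorAction SilentlyContinue
$expected = 'Collect CEIP data', 'Monitor Application Settings', 'Sync Controller Application',
            'Synchronize Settings at Logoff', 'Template Auto Update', 'Upload CEIP data'
$missing  = $expected | Where-Object { $_ -notin $tasks.TaskName }
if ($missing) {
    Write-Warning "Scheduled tasks not found: $($missing -join ', ')"
}

# Restart so the agent, its service and its tasks start; -Confirm keeps this
# interactive when the script is run by hand.
Restart-Computer -Confirm
```

Treating exit code 3010 as success is the detail most scripted installs get wrong: without it the script reports failure on every computer that simply needs the restart the text says is required.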
Question: Where can users see UE-V synchronization status and manually trigger UE-V
synchronization?
Managing UE-V by Using Group Policy
You can manage the UE-V agent by using Group
Policy. By default, Group Policy does not include
settings related to UE-V, so you must first
download and install UE-V ADMX templates. You
can download the templates from the Microsoft
Download Center and copy them to the local
PolicyDefinitions folder or the central Group
Policy store. The .admx file must be placed in the
PolicyDefinitions folder. The .adml file must be
placed in the PolicyDefinitions\en-US folder.
After you install the UE-V Group Policy ADMX
files, the Microsoft User Experience Virtualization
node appears under Policies\Administrative Templates\Windows Components in the Group Policy
Management Editor window. You can configure some UE-V Group Policy settings only for computers,
some only for users, and some for both. The following table lists the policy settings that you can configure
for UE-V.
Policy setting name (Target): Policy setting description

Use User Experience Virtualization (UE-V) (Computers and Users): This policy setting allows you to enable or disable UE-V.

Settings storage path (Computers and Users): This policy setting configures where the user settings will be stored.

Settings template catalog path (Computers only): This policy setting configures where custom settings location templates are stored. This policy setting also configures whether the catalog will be used to replace the default Microsoft templates that are installed with the UE-V agent.

Do not use the Sync Provider (Computers and Users): This policy setting allows you to configure whether UE-V will use the Sync Provider feature. This policy setting also allows you to enable notification to occur when the import of user settings is delayed.

Synchronization timeout (Computers and Users): This policy setting configures the number of milliseconds that the computer waits before a timeout when retrieving user settings from the remote settings location. If the remote storage location is unavailable, the application launch is delayed by that many milliseconds.

Package size warning threshold (Computers and Users): This policy setting allows you to configure the UE-V agent to report when a settings package file size reaches a defined threshold.

First Use Notification (Computers only): This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for the first time.

Tray Icon (Computers only): This policy setting enables the User Experience Virtualization (UE-V) tray icon.

Do not synchronize Windows 8 Apps (Computers and Users): This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows Store apps.

Roam Applications settings (Users only): This is a multiple policy setting to configure the roaming of user settings of each individual application.

Roam Windows settings (Users only): This policy setting configures the roaming of Windows settings.

UE-V settings that can be configured in different places have the following order of precedence:
1. User-targeted settings managed by Group Policy
2. Computer-targeted settings managed by Group Policy
3. Configuration settings defined for the current user by using Windows PowerShell or WMI
4. Configuration settings defined for the computer by using Windows PowerShell or WMI
This means that if the same UE-V setting is configured in multiple places, configuration in the user part of Group Policy has precedence over configuration in the computer part of Group Policy, and Group Policy has precedence over locally configured settings.
Question: When will a UE-V setting that is configured through Group Policy be effective on
a UE-V client?
Creating and Editing UE-V Templates
UE-V only synchronizes settings that are defined in the locations specified by the settings location templates. Settings location templates are .xml files that specify, for each application, where in the registry and where on the file system it stores its settings. UE-V includes several predefined settings location templates, and administrators can create additional templates for third-party applications. Not all application settings can safely roam between computers. Settings that synchronize by using UE-V should meet the following criteria:
- Settings must be stored in an accessible location. UE-V can synchronize settings only in the HKEY_CURRENT_USER registry subtree and the AppData\Roaming or AppData\Local folders in a user profile. If an application stores its settings in other locations, you cannot synchronize its settings by using UE-V.
- Settings should not be specific to a particular computer. Some settings, such as network configuration, are relevant only for a certain computer and should not be synchronized with other computers.
- Settings must be synchronized without the risk of corrupting data. For example, if settings are stored in a database file, these settings should not be synchronized by using UE-V. You should consider some other solution, such as storing the database file with configuration settings on a network location.
When you install a UE-V agent, it includes settings location templates for operating system settings and
common Microsoft applications. You can view the list of registered settings location templates by running
the Get-UevTemplate cmdlet. These templates are stored in the Microsoft User Experience
Virtualization\Templates folder and include the desktop apps and Windows settings in the following table.
Application category or Windows settings: Description
- Microsoft Office 2007: Applications from the Microsoft Office 2007 family
- Microsoft Office 2010: Applications from the Microsoft Office 2010 family
- Browser options (Windows Internet Explorer 8, Windows Internet Explorer 9, and Internet Explorer 10): Favorites, home page, tabs, and toolbars
- Windows accessories: Calculator, Notepad, WordPad
- Desktop background: Currently active desktop background
- Ease of Access: Accessibility and input settings, Magnifier, Narrator, and on-screen keyboard
- Desktop settings: Start menu and taskbar settings, folder options, default desktop icons, additional clocks, and region and language settings

Microsoft Office 2013 uses its own synchronization mechanism and is not synchronized by UE-V.
UE-V also synchronizes Windows Store app settings. Settings location templates are not used for Windows
Store apps, because they synchronize only the settings that were configured to synchronize by the app
developer. You can run the Windows PowerShell cmdlet Get-UevConfiguration to view the list of
Windows Store apps for which settings are synchronized.
If you want to synchronize app settings that are not covered by default settings location templates, then
you must create additional settings location templates. If the settings location template for your app has
been developed already, you can obtain it online.
TechNet Gallery - resources for IT professionals
http://go.microsoft.com/fwlink/?LinkId=378227&clcid=0x409
You also can use UE-V Generator to create custom settings location templates and store them in a
settings template catalog. You do not need to copy the default settings location templates to the settings
template catalog. To provide UE-V with a custom settings location template, you must perform the
following steps:
1. Install the UE-V Generator. The UE-V Generator is a part of UE-V, and it is used for creating and editing custom settings location templates. The UE-V Generator monitors an app to discover and capture the locations where the app stores its settings. The monitored app must be a traditional desktop app because UE-V Generator does not create templates for virtualized applications, applications offered through Remote Desktop Services, Java applications, and Windows Store apps. UE-V Generator requires .NET Framework 4 or newer.
2. Create a custom settings location template by using the UE-V Generator. You can do this by running UE-V Generator and pointing it to the application for which you want to create the settings location template. UE-V Generator will start the application and monitor the registry and file system to discover the locations where the application stores its settings. UE-V Generator monitors the HKEY_CURRENT_USER registry subtree and the AppData\Roaming and AppData\Local folders in a user profile. After the application opens, you can close it and UE-V Generator will capture the locations that it accessed. You can review the locations, edit the template, and store it as a settings location template .xml file.
3. Deploy the custom settings location template to the catalog. Because the settings template catalog is a network share, you simply can copy the .xml file that was created by UE-V Generator to that network share. Each UE-V client computer has a Template Auto Update scheduled task that runs once daily and updates settings location templates on a client. You can force the UE-V agent to apply custom settings location templates from a catalog immediately by running ApplySettingsTemplateCatalog.exe or by using the Windows PowerShell cmdlet Register-UevTemplate.
To enable UE-V to use custom settings location templates, you also must create a settings template catalog on a file server and configure the settings template catalog path for the UE-V agent, all of which you can perform as part of UE-V environment preparation.
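The criteria listed earlier in this topic (HKEY_CURRENT_USER only; AppData\Roaming or AppData\Local only) and the three deployment steps just described can be combined into one publishing script. The following is an added example and not part of the course or of UE-V: it reads every text node and attribute in a template .xml, so it does not depend on the exact template schema, but it classifies only values that carry an explicit root (a registry hive, a drive letter, a UNC path or an environment variable); relative values are left to schema validation. Test-UevTemplate and the -Path parameter of Register-UevTemplate are the UE-V module cmdlet and parameter as I recall them and are assumptions; Register-UevTemplate and Get-UevTemplate themselves are named in the text. The sample template at the end is constructed for this example and is not real UE-V Generator output.

```powershell
# Added example, not part of the course text. Check a settings location template's explicit
# locations against the UE-V roaming criteria, validate it, copy it to the catalog share and
# register it locally. Assumptions: Test-UevTemplate and Register-UevTemplate -Path are as I
# recall them from the UE-V module; the sample .xml below is constructed and simplified.

function Test-UevTemplateLocations {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$xml = Get-Content -LiteralPath $Path -Raw
    # Every text node and every attribute value, whatever element names the schema uses.
    $nodes = $xml.SelectNodes('//*/text() | //@*')

    foreach ($node in $nodes) {
        $v = $node.Value.Trim()
        if (-not $v) { continue }

        if ($v -match '^(HKEY_[A-Z_]+|HK[A-Z]{2})\\') {
            # Explicit registry root: only the current user's hive can roam.
            [pscustomobject]@{
                Kind    = 'Registry'
                Value   = $v
                Allowed = [bool]($v -match '^(HKEY_CURRENT_USER|HKCU)\\')
            }
        }
        elseif ($v -match '^([A-Za-z]:\\|\\\\|%[A-Za-z_]+%)') {
            # Explicit file-system root: must resolve under AppData\Roaming or AppData\Local.
            $ok = ($v -match '(?i)^%(APPDATA|LOCALAPPDATA)%') -or
                  ($v -match '(?i)\\AppData\\(Roaming|Local)(\\|$)')
            [pscustomobject]@{ Kind = 'File'; Value = $v; Allowed = $ok }
        }
        # Values without an explicit root are left to the schema and to Test-UevTemplate.
    }
}

function Publish-UevTemplate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$CatalogPath   # the settings template catalog share
    )
    $bad = Test-UevTemplateLocations -Path $Path | Where-Object { -not $_.Allowed }
    if ($bad) {
        $bad | ForEach-Object { Write-Warning "$($_.Kind) location cannot roam: $($_.Value)" }
        throw "Template '$Path' names locations UE-V cannot synchronize; fix it in UE-V Generator."
    }
    Test-UevTemplate -Path $Path -ErrorAction Stop        # schema validation by the UE-V module
    Copy-Item -LiteralPath $Path -Destination $CatalogPath -Force
    # Clients pick the catalog up through the daily Template Auto Update task; registering it
    # here avoids waiting on this computer. The filter does not rely on output property names.
    Register-UevTemplate -Path (Join-Path $CatalogPath (Split-Path -Leaf $Path))
    Get-UevTemplate | Out-String -Stream |
        Select-String -Pattern ([IO.Path]::GetFileNameWithoutExtension($Path))
}

# Constructed sample (simplified, not the real schema) to exercise the location check offline.
$sample = @'
<SettingsLocationTemplate>
  <Name>Example App</Name>
  <Registry><Path>HKEY_CURRENT_USER\Software\ExampleApp</Path></Registry>
  <Registry><Path>HKEY_LOCAL_MACHINE\Software\ExampleApp</Path></Registry>
  <File Root="%LOCALAPPDATA%\ExampleApp" Pattern="*.ini" />
  <File Root="C:\ProgramData\ExampleApp" Pattern="settings.db" />
</SettingsLocationTemplate>
'@
$tmp = Join-Path $env:TEMP 'ExampleApp.xml'
Set-Content -LiteralPath $tmp -Value $sample
Test-UevTemplateLocations -Path $tmp | Format-Table -AutoSize

# Real use, with the catalog share from the lab:
# Publish-UevTemplate -Path 'C:\Templates\RDCMan.xml' -CatalogPath '\\LON-DC1\UEVTemplates'
```

The two sample entries outside HKEY_CURRENT_USER and AppData are the ones the check is designed to report with Allowed set to False; everything that passes the check still goes through schema validation before it reaches the catalog, because the check deliberately says nothing about values it cannot classify.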
Question: How can you use UE-V to synchronize the settings of third-party applications?
Lab A: Configuring Profiles and User State Virtualization
Scenario
The marketing department at A. Datum Corporation has many users who often use different computers.
You have been asked to evaluate different solutions that would enable user settings and data to roam
with users when they use one of the computers on which UE-V is installed, and from which UE-V will
synchronize settings.
Objectives
After completing this lab, you will be able to:
- Configure roaming user profiles and Folder Redirection.
- Implement and configure UE-V.
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-SVR1, 20687C-LON-CL1, and 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
Start 20687C-LON-DC1, 20687C-LON-SVR1, 20687C-LON-CL1, and 20687C-LON-CL2. Sign in as Adatum\Administrator with Pa$$w0rd as the password to LON-DC1 and LON-SVR1, but do not sign in to LON-CL1 and LON-CL2.
Exercise 1: Configuring Roaming User Profiles and Folder Redirection
Scenario
As you evaluate different solutions, the first step is to explore user data and settings solutions that are
provided by Windows 8.1. You plan to implement roaming user profiles and Folder Redirection. Because
user profile content should be available only on approved computers, you also will implement Primary
Computer settings.
The main tasks for this exercise are as follows:
1. Create folders for roaming user profiles and Folder Redirection.
2. Configure roaming user profiles.
3. Configure Folder Redirection.
4. Verify roaming user profiles and Folder Redirection.
5. Configure primary computers for user Adam Barr.
6. Verify Primary Computer setting for user Adam Barr.
Task 1: Create folders for roaming user profiles and Folder Redirection
1. On LON-DC1, open File Explorer, and on drive C, create a folder named Profiles. Grant Domain
Users Full Control permissions to the folder, and then share it with Full Control permissions for
Everyone.
2. On drive C, create a folder named Redirected. Grant Domain Users Full Control permissions to the
folder, and then share it with Full Control permissions for Everyone.
Task 2: Configure roaming user profiles
Configure Adam Barr, which is located in the Marketing OU, with Profile settings that point to
\\LON-DC1\Profiles\%username%.
Task 3: Configure Folder Redirection
1. Create a Group Policy Object named Folder Redirection, and then link it to Marketing.
2. Configure the Folder Redirection group policy setting to redirect the Documents folder to \\LON-
DC1\Redirected.
Task 4: Verify roaming user profiles and Folder Redirection
1. On LON-DC1, verify that the Profiles and Redirected folders are empty.
2. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.
3. On Adam's desktop, create a folder named Presentations, add a shortcut to Local Disk (C:), and then add the This PC icon.
4. In Notepad, create a file with your name, and then save it in the Documents library.
5. Verify that file is stored in the \\LON-DC1\redirected\adam\Documents folder and is not stored
inside the adam local profile.
6. Sign out from LON-CL1.
7. On LON-DC1, verify that the Profiles and Redirected folders are no longer empty. The Profiles
folder contains the adam roaming user profile (Adam.V2), whereas the Redirected folder contains the
adam redirected Documents folder.
8. Sign in to LON-CL2 as Adatum\Adam.
9. Verify that the This PC icon is on the desktop, in addition to the Presentations folder and the Local
Disk (C:) shortcut.
10. Verify that you can access the file with your name transparently in Notepad.
11. Sign out of LON-CL2.
Task 5: Configure primary computers for user Adam Barr
1. Copy the value of the distinguishedName attribute of LON-CL1 to the msDS-PrimaryComputer
attribute of Adam Barr.
2. Add the value of the distinguishedName attribute of LON-CL2 to the msDS-PrimaryComputer
attribute of Adam Barr.
3. Enable the Computer Configuration\Policies\Administrative Templates\System\User Profiles\
Download roaming profiles on primary computers only setting and the User Configuration
\Policies\Administrative Templates\System\Folder Redirection\Redirect folders on primary
computers only setting in Default Domain Policy.
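Steps 1 and 2 of this task, and step 4 of the next one, edit the multi-valued msDS-PrimaryComputer attribute by hand. As an added example that is not part of the lab, the following Windows PowerShell functions do the same with the ActiveDirectory module (on LON-DC1 or any computer with RSAT): they resolve each computer name to its distinguishedName first, so a mistyped name fails instead of writing a dangling DN into the attribute, and they replace the whole value set so that rerunning is harmless. The user's sAMAccountName Adam is taken from the lab sign-in Adatum\Adam.

```powershell
# Added example, not part of the lab text: set and read back msDS-PrimaryComputer with the
# ActiveDirectory module. Names (Adam, LON-CL1, LON-CL2, LON-SVR1) come from the lab.

Import-Module ActiveDirectory

function Get-PrimaryComputers {
    param([Parameter(Mandatory)][string]$UserSamAccountName)
    $u = Get-ADUser -Identity $UserSamAccountName -Properties 'msDS-PrimaryComputer'
    @($u.'msDS-PrimaryComputer')        # one distinguishedName per primary computer
}

function Set-PrimaryComputers {
    param(
        [Parameter(Mandatory)][string]$UserSamAccountName,
        [Parameter(Mandatory)][string[]]$ComputerNames
    )
    # Resolve every name before touching the user, so a typo aborts the whole change.
    $dns = foreach ($name in $ComputerNames) {
        (Get-ADComputer -Identity $name -ErrorAction Stop).DistinguishedName
    }
    # -Replace (not -Add) makes the call idempotent and removes computers no longer listed,
    # which is exactly what Task 6 step 4 needs when LON-CL2 gives way to LON-SVR1.
    Set-ADUser -Identity $UserSamAccountName -Replace @{ 'msDS-PrimaryComputer' = $dns }
    Get-PrimaryComputers -UserSamAccountName $UserSamAccountName
}

# Task 5 steps 1 and 2: both client computers are primary computers for Adam Barr.
Set-PrimaryComputers -UserSamAccountName 'Adam' -ComputerNames 'LON-CL1', 'LON-CL2'

# Task 6 step 4: replace LON-CL2 with LON-SVR1.
# Set-PrimaryComputers -UserSamAccountName 'Adam' -ComputerNames 'LON-CL1', 'LON-SVR1'
```

Step 3 of this task (the two "primary computers only" policies) is still done in the Group Policy Management Editor, because the registry values behind those settings are not given in the text; after they apply, the roaming profile and redirected folders follow only the computers listed by Get-PrimaryComputers.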
Task 6: Verify Primary Computer setting for user Adam Barr
1. Switch to LON-SVR1, and then update Group Policy.
2. Sign out of LON-SVR1.
3. Sign in to LON-SVR1 as Adatum\Adam, and then verify that the This PC icon, Presentations folder,
and the Local Disk (C:) shortcut are not on the desktop. Also, verify in Notepad that the file with
your name is not available in the Documents library. Sign out of LON-SVR1.
4. On LON-DC1, edit the value of the msDS-PrimaryComputer attribute of Adam Barr and replace
LON-CL2 with LON-SVR1.
5. Sign in to LON-SVR1 as Adatum\Adam and verify that the Presentations folder is on the desktop, in addition to the Local Disk (C:) shortcut and the Computer icon. Also verify in Notepad that the file with your name is available in the Documents library. Because you configured LON-SVR1 as Adam Barr's Primary Computer, redirected folders are now available.
6. Sign out of LON-SVR1.

Results: After completing this exercise, you should have configured roaming user profiles and Folder
Redirection. You also should have configured the user Adam Barr with the Primary Computer setting.
Exercise 2: Implementing and Configuring UE-V
Scenario
You have demonstrated to your management the benefits of roaming user profiles, Folder Redirection,
and Primary Computer settings. Because A. Datum has an enterprise agreement with Microsoft and access
to the Microsoft Desktop Optimization Pack, you have been asked to implement a pilot deployment of
UE-V. You will demonstrate how UE-V can synchronize additional apps. Based on the results of your
demonstration, management will decide whether to deploy UE-V in production.
The main tasks for this exercise are as follows:
1. Prepare the environment for deploying Microsoft User Experience Virtualization (UE-V).
2. Configure UE-V Group Policy settings.
3. Install UE-V agents.
4. Configure UE-V to synchronize settings immediately.
5. Use UE-V to synchronize settings.
6. Restore app settings.
7. Create UE-V settings location template.
8. Use UE-V to synchronize custom app settings.
Task 1: Prepare the environment for deploying Microsoft User Experience
Virtualization (UE-V)
1. On LON-DC1, create a folder named UEVdata. Grant Domain Users Full Control permissions to the
folder, and then share it with Full Control permissions for Everyone.
2. On LON-DC1, create a folder named UEVTemplates. Grant Domain Users Full Control permissions
to the folder, and then share it with Full Control permissions for Everyone.
Task 2: Configure UE-V Group Policy settings
1. On LON-DC1, verify that there is no Microsoft User Experience Virtualization node available in Group
Policy Object under User Configuration\Policies\Administrative Templates
\Windows Components.
2. Copy the UserExperienceVirtualization.admx file from E:\Labfiles\Mod03 to the
C:\Windows\PolicyDefinitions folder, and then copy the UserExperienceVirtualization.adml file
to the C:\Windows\PolicyDefinitions\en-US folder.
3. Create a Group Policy named UE-V, and then link it to the Adatum.com domain.
4. In UE-V Group Policy, under User Configuration\Policies\Administrative Templates
\Windows Components\ Microsoft User Experience Virtualization, enable the Settings storage
path setting, and then configure it to point to \\LON-DC1\UEVData\%username%.
5. In UE-V Group Policy, under Computer Configuration\Policies\Administrative Templates
\Windows Components\Microsoft User Experience Virtualization, enable the Settings template
catalog path setting, and then configure it to point to \\LON-DC1\UEVTemplates.
Task 3: Install UE-V agents
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Install the UE-V agent by running AgentSetup.exe in the E:\Labfiles\Mod03 folder. Restart
LON-CL1 after completing the installation.
3. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
4. Install the UE-V agent by running the following command:
E:\Labfiles\Mod03\AgentSetup.exe SyncMethod=None
Task 4: Configure UE-V to synchronize settings immediately
1. On LON-DC1, verify that the C:\UEVdata folder is empty.
2. Sign in to LON-CL1 and LON-CL2 as Adatum\Brad with password Pa$$w0rd.
3. On LON-CL1, use the Get-UevConfiguration cmdlet to verify that UE-V configuration is effective.
You will see that values for SettingsStoragePath and SettingsTemplateCatalogPath are configured
as you set them in Group Policy. You also will see that current SyncMethod is set to SyncProvider.
4. On LON-CL2, run Calculator and choose the Date calculation view. Close Calculator.
5. On LON-CL1, run Calculator and verify that it is not extended with options for date calculation.
6. On LON-CL1, synchronize UE-V settings by using Company Settings Center.
7. On LON-CL1, run Calculator and verify that it is extended with options for date calculation.
8. On LON-CL1, use the Set-UevConfiguration cmdlet with the SyncMethod parameter to disable use
of local cache.
9. Sign out of LON-CL1.
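Step 3 checks three configuration values and step 8 changes one of them, and the precedence order given earlier in this lesson (user Group Policy, then computer Group Policy, then user-local, then computer-local settings) decides whether that change is ever effective. The following Windows PowerShell report is an added example, not part of the lab: it shows the merged configuration next to the user- and computer-scoped views and compares the effective values with what this lab expects. The -Computer and -CurrentComputerUser scope switches of Get-UevConfiguration and Set-UevConfiguration are as I recall them from the UE-V module and are an assumption; the property names checked (SettingsStoragePath, SettingsTemplateCatalogPath, SyncMethod) are the ones the lab names.

```powershell
# Added example, not part of the lab text. Compare the effective UE-V configuration with the
# user and computer scopes and with the values Task 4 expects. Assumption: the -Computer and
# -CurrentComputerUser switches are the scope switches of the UE-V cmdlets as I recall them.

function Test-UevLabConfiguration {
    param(
        [string]$ExpectedStoragePath = '\\LON-DC1\UEVData\%username%',
        [string]$ExpectedCatalogPath = '\\LON-DC1\UEVTemplates',
        [string]$ExpectedSyncMethod  = 'SyncProvider'
    )
    # No scope switch: the merged result after precedence is applied
    # (user GPO > computer GPO > user-local > computer-local).
    $effective = Get-UevConfiguration
    $user      = Get-UevConfiguration -CurrentComputerUser
    $computer  = Get-UevConfiguration -Computer

    $expected = @{
        SettingsStoragePath         = $ExpectedStoragePath
        SettingsTemplateCatalogPath = $ExpectedCatalogPath
        SyncMethod                  = $ExpectedSyncMethod
    }

    foreach ($name in ($expected.Keys | Sort-Object)) {
        [pscustomobject]@{
            Setting       = $name
            Effective     = "$($effective.$name)"
            UserScope     = "$($user.$name)"
            ComputerScope = "$($computer.$name)"
            Expected      = $expected[$name]
            AsExpected    = ("$($effective.$name)" -eq $expected[$name])
        }
    }
}

# Step 3: the two paths come from the UE-V GPO and SyncMethod is still SyncProvider.
Test-UevLabConfiguration | Format-Table -AutoSize

# Step 8: stop using the local cache for this user. A user-local setting ranks below both
# Group Policy scopes, so if a GPO ever sets SyncMethod this call changes nothing; rerunning
# the report shows whether the effective value actually moved.
Set-UevConfiguration -CurrentComputerUser -SyncMethod None
Test-UevLabConfiguration -ExpectedSyncMethod None | Format-Table -AutoSize
```

Reading the report column by column is the quickest way to see the precedence rule at work: a value that differs between the UserScope and ComputerScope columns is resolved in the Effective column in favour of the higher-ranked source.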
Task 5: Use UE-V to synchronize settings
1. On LON-CL2, run WordPad, and then clear the Ruler and Status bar check boxes on the View tab.
Close WordPad.
2. Create a shortcut to Local Disk (C:) on the desktop.
3. In Notepad, select Font Size 20, type your name, and then save the file in the Documents library.
Close Notepad.
4. On LON-DC1, verify that the UEVdata folder now has a brad subfolder.
5. On the View tab, click Hidden items. Double-click the brad folder and verify that it contains a
SettingsPackages subfolder.
6. Double-click the SettingsPackages folder, and then verify that it contains multiple subfolders for the
applications and Windows settings that are synchronized by UE-V.
7. Sign in to LON-CL1 as Adatum\Brad with password Pa$$w0rd. Run Calculator, and then verify that it is extended with options for date calculation, as you configured it on LON-CL2. On the View menu, click Programmer, click Unit Conversion, and then close Calculator.

8.1 3-25
8. On LON-CL1, run WordPad, and then verify that the Ruler and Status bar check boxes are not
selected, exactly as you configured it on LON-CL2. Close WordPad.
9. On LON-CL1, verify that the shortcut to Local Disk (C:) is not present on the desktop.
Note: Contents of the desktop are not synchronized by UE-V. Instead, you should use
Folder Redirection or roaming user profiles to do so.
10. Verify in Notepad that Font Size 20 is configured, but that the file with your name is not available in the Documents library.
Task 6: Restore app settings
1. On LON-CL1, run Calculator, and then verify that it is in Programmer view and extended with Unit
Conversion. Close Calculator.
2. Use the Get-UevTemplate cmdlet to view which settings location template is used for Calculator.
3. Use the Restore-UevUserSetting cmdlet to restore initial Calculator settings.
4. Run Calculator, and then verify that it is in the default Standard mode, in which it was before the first UE-V synchronization.
5. Sign out of LON-CL1 and LON-CL2.
Task 7: Create UE-V settings location template
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Install UE-V Generator by running ToolsSetup.exe in the E:\Labfiles\Mod03 folder.
3. Run Microsoft User Experience Virtualization Generator. Click Create a settings location
template and point to C:\Program files (x86)\Remote Desktop Connection Manager
\RDCMan.exe.
4. In Remote Desktop Connection Manager, modify one of the available Options and then close
Remote Desktop Connection Manager.
5. Include nonstandard File locations in the settings location template and save the settings location
template to \\LON-DC1\UEVTemplates\RDCMan.xml.
Task 8: Use UE-V to synchronize custom app settings
1. On LON-CL1, use the Get-UevTemplate cmdlet to verify that no settings location template that
contains string rdc is registered.
2. Use the Register-UevTemplate cmdlet to register the \\LON-DC1\UEVTemplates\RDCMan.xml
settings location template.
3. Use the Get-UevTemplate cmdlet to verify that the Remote-Desktop-RDCMan-v-2-2 settings
location template is registered.
4. Sign in to LON-CL2 as Adatum\Administrator and use the Register-UevTemplate cmdlet to
register the \\LON-DC1\UEVTemplates\RDCMan.xml settings location template.
5. On LON-CL1, run Remote Desktop Connection Manager, configure Auto save interval to 3
Minute(s), and then close Remote Desktop Connection Manager.
6. On LON-CL2, run Remote Desktop Connection Manager, and then verify that Auto save interval
is selected and configured to 3 Minute(s).

Results: After completing this exercise, you should have successfully implemented and configured UE-V
for synchronizing apps and Windows settings.
Prepare for the next lab
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687C-LON-CL1, 20687C-LON-CL2, and 20687C-LON-SVR1.


Lesson 3
Migrating User State and Settings
Many users spend a significant amount of time configuring their Windows-based environment. They
might customize items such as desktop wallpaper, the appearance of user interface elements, or other
operating system and application components. This grouping of specific settings is referred to as user
state. User state is an important part of the migration process when you replace a computer, or when you
install a new operating system on a computer. This lesson introduces you to user state migration and also
to the tools and methods you can use in planning and implementing a user state migration in a Windows-
based environment.
Lesson Objectives
After completing this lesson, you will be able to:
- Describe the tools for migrating user data and settings.
- Explain how to migrate user settings by using Windows Easy Transfer.
- Explain how to migrate user settings and data by using the User State Migration Tool (USMT).
- Explain how to capture user state by using ScanState.
- Explain how to restore user state by using LoadState.
Tools for Migrating User Data and Settings
A user state migration captures all of the custom
settings on a group of existing computers, known
as source computers, and restores these settings
on a group of newly deployed computers, known
as destination computers. Typically, you would
perform a user state migration during or after the
deployment of a new operating system. A user
state migration enables users to be more
productive because they do not have to spend
time reconfiguring settings or looking for personal
data after a deployment.
User State Migration Elements
User state migration includes the following elements:
- User preferences. These include user profile features, web browser settings, and mail settings. Consider which user accounts, operating system settings, and user preferences you want to migrate or standardize:
  o User accounts. Computers might have settings related to domain and local user accounts. You must determine whether local user accounts should be migrated. You also should consider if you must enable the accounts on the destination computers and how you will deal with password requirements.
  o Operating system settings. Identify which operating system settings to migrate and to what extent you want to create a new standard environment on the destination computers. Operating system settings can include appearance, mouse actions such as single-click or double-click, keyboard settings, Internet settings, email account settings, dial-up connections, accessibility settings, and fonts.
- User data. This includes data that is stored on local hard drives. Typically, critical data is stored on file servers. However, users sometimes store data on local hard drives.
- Application settings. These include application-specific configuration settings, preferences, and data files. User state migration does not include migration of actual applications. Determine and locate the application settings that you want to migrate. You can acquire this information when you are testing new applications for compatibility with a new operating system. You should consider whether the destination version of an application is newer than the source version and where the specific application settings are stored. Settings might be stored in the registry, .ini files, or in text or binary files. To determine the location of an application setting, review the application's documentation or relevant websites.
Windows 8.1 provides two options for performing user state migration: Windows Easy Transfer and USMT.
Windows Easy Transfer
Windows 8.1 includes the Windows Easy Transfer tool, which provides a wizard-based process for
migrating user data and files from one Windows-based computer to another. Windows Easy Transfer can
transfer the data from a source computer to a number of different intermediary media types, and then it
can restore that data on a destination computer. Windows Easy Transfer is used primarily by end users,
and it is designed to perform migrations with a small number of computers. The Windows Easy Transfer
process cannot be automated, and it is not an appropriate solution if you need to migrate data for a large
number of users.
Note: This tool is deprecated and has reduced functionality compared to Windows Easy
Transfer in Windows 8. However, it is still a part of Windows 8.1, and it can be used in Windows
8.1.
USMT
USMT is a set of command-line tools that gives administrators more control over user data migrations.
You can use USMT in large environments where you need to migrate the data of multiple users on
multiple machines. The command-line interface for USMT helps administrators incorporate USMT into
enterprise environments and automated processes. USMT uses tools to capture and store user data in the
first phase of the migration, and then restore the data to another operating system from the captured
data. USMT is included in the Windows Assessment and Deployment Kit (ADK) for Windows 8.1.
Question: You have been asked to upgrade 10 computers in a small branch office from
Windows 7 to Windows 8.1. You also have been asked to perform a clean installation of
Windows 8.1 and to show the local manager how to migrate user files and other data after
installing Windows 8.1. The manager will perform the Windows 8.1 installation and user state
migration for the rest of the computers. Which tool should you demonstrate to the
manager?
Migrating User Settings by Using Windows Easy Transfer
Windows Easy Transfer is deprecated in Windows
8.1. The tool is still available and you can use it for
gathering and transferring data and settings from
previous Windows operating systems, but you
cannot use it to transfer data and settings
between Windows 8.1 computers. If you have
used Windows Easy Transfer in the past, you will
notice that in Windows 8.1, you can transfer the
data only by using removable media, local
storage, and network shares. You can no longer
use a network connection or an Easy Transfer
cable for transferring data. If you need to transfer
data between Windows 8.1 computers, you should use SkyDrive to synchronize settings among devices.
You can use the Windows Easy Transfer tool when you need to migrate settings and data for a limited
number of users and you do not need to customize and automate the migration process. You can use
Windows Easy Transfer to transfer user accounts and settings, files and folders, email settings, contacts
and messages, application settings, Internet settings, and favorites. You cannot use Windows Easy Transfer
to transfer installed apps or advanced configurations such as custom registry keys. Apps must be installed
already on a Windows 8.1 computer before you can transfer the app settings by using Windows Easy
Transfer. You can use Windows Easy Transfer to transfer data and settings to Windows 8.1 only from
Windows 8, Windows RT, or Windows 7 source computers.
Question: Can you use Windows Easy Transfer to migrate user settings and data between
two Windows 8.1 computers?
Migrating User Settings and Data by Using USMT
You can use USMT in many user state migration scenarios. USMT offers a comprehensive set of features and capabilities that enables you to address your environment's migration needs.
Benefits of USMT
USMT provides the following benefits to organizations that deploy Windows operating systems:
- It safely migrates user accounts, operating system settings, and application settings. It is customizable and highly scriptable, which increases automation in large-deployment scenarios.
- It reduces the cost of deploying Windows operating systems by preserving user states. This reduces the time needed for users to become familiar with new operating systems, and this reduces the time required to customize desktops and locate missing files and settings.
- It reduces end-user downtime, which reduces help desk calls and increases employee satisfaction with the migration experience.
- It minimizes migration storage by using hard-link migration. For use in the computer refresh scenario, hard-link migration stores are saved locally on the computer that is being refreshed. It drastically
improves migration performance, significantly reduces hard-disk utilization, reduces deployment
costs, and enables entirely new migration scenarios. Hard-link migration store differs from other
migration store types in that hard links are used to keep files stored on a source computer during the
migration. Keeping files in place on a source computer eliminates the redundant work of duplicating
files to an external storage location, which enables performance benefits and reduces disk utilization.
It can perform migration from alternate locations (offline migration). This enables you to collect data
from offline Windows operating systems by using the ScanState tool in the Windows Preinstallation
Environment. In addition, USMT supports migrations from previous operating system installations
contained in Windows.old directories.
Components of USMT
The following list defines the USMT components:
ScanState. This tool scans a source computer, collects the files and settings, and then creates a store.
ScanState does not modify the source computer. By default, it compresses the files and saves them as
a migration store. ScanState copies files into a temporary location and then to the migration store.
LoadState. This tool migrates files and settings, one at a time, from the store to a temporary location
on the destination computer. Files are decompressed, and decrypted if necessary, during this process.
LoadState then transfers files to their correct locations, deletes their temporary copies, and begins
migrating more files. Compression improves performance by reducing network bandwidth usage and the
space required for the store. You can turn off compression with the /nocompress option.
USMTUtils. This tool can perform several functions related to compression, encryption, and validation
of a migration store. USMTUtils also can manage USMT files manually in the event of a corrupted
data store or a locked hard-link store.
Migration XML files. These are the XML files that USMT uses for migrations. They include the
MigApp.xml, MigUser.xml, or MigDocs.xml files, and any custom .xml files that you create:
o MigApp.xml. This file contains rules for migrating application settings.
o MigDocs.xml. This file contains rules for the MigXmlHelper.GenerateDocPatterns helper function,
which can find user documents on a computer automatically without creating extensive custom
migration .xml files.
o MigUser.xml. This file contains rules for migrating user profiles and data.
Config.xml. To exclude data from a migration, you can create and modify the Config.xml file by using
the /genconfig option with the ScanState tool. This optional file has a different format from the
migration .xml files because it does not contain migration rules. The Config.xml file lists the elements
that can be migrated. Specify migrate=no for the elements that you want to exclude from the
migration. You also can use this file to control some migration options for USMT.
Component manifests. The component-manifest files control which operating system settings are
migrated and how they are migrated, and you cannot modify them. If you want to exclude certain
operating system settings, you need to create and modify a Config.xml file.
USMT internal files. All other files included with USMT are for USMT internal use, and you should not
modify these files.
Question: Do you need to install Windows ADK on the source computer from which you
plan to migrate user settings?
Capturing User State by Using ScanState
ScanState is a tool that is included in USMT. When
you use USMT to migrate user settings and data,
the first step in the migration process is to collect
files and settings from the source computer that
has the ScanState tool.
Collect Files and Settings from the
Source Computer
To collect files and settings from the source
computer:
1. Close all applications on the source computer.
2. Run the ScanState tool on the source
computer to collect files and settings. Specify all of the .xml files that you want ScanState to use.
Understanding User State
USMT controls what data to migrate by using the migration .xml files (MigApp.xml, MigDocs.xml, and
MigUser.xml) and any custom .xml files that you create. The user state consists of several components:
user data, operating system elements, and supported applications settings.
User Data
ScanState uses rules in the MigUser.xml file to collect everything in a user's profile. ScanState then
performs a file extension-based search on most of the system for other user data.
By default, USMT migrates the following user data and access control lists (ACLs) by using the
MigUser.xml file:
Folders from each user profile. USMT migrates everything in a user's profile, including My Documents,
My Video, My Music, My Pictures, Desktop files, Start menu, Quick Launch settings, and Favorites.
Folders from the All Users and Public profiles. USMT also migrates the following from the All Users
profile or the Public profile: Shared Documents, Shared Video, Shared Music, Shared Desktop files,
Shared Pictures, Shared Start menu, and Shared Favorites.
File types. The ScanState tool searches the fixed drives and collects and migrates files that have any of
the following file name extensions: .accdb, .ch3, .csv, .dif, .doc*, .dot*, .dqy, .iqy, .mcw, .mdb*, .mpp,
.one*, .oqy, .or6, .pot*, .ppa, .pps*, .ppt*, .pre, .pst, .pub, .qdf, .qel, .qph, .qsd, .rqy, .rtf, .scd, .sh3, .slk,
.txt, .vl*, .vsd, .wk*, .wpd, .wps, .wq1, .wri, .xl*, .xla, .xlb, .xls*.
ACL. USMT migrates the ACL for specified files and folders from source computers.
The following data does not migrate by using the MigUser.xml file:
Files outside of a user profile that do not match one of the file name extensions in the MigUser.xml
file.
ACLs for folders outside of a user profile.
Operating System Elements
By default, USMT migrates most standard operating system features to destination computers. Some
settings such as fonts are not available for an offline migration until after the destination computer is
restarted.
Supported Applications Settings
We recommend installing all applications on a destination computer before restoring the user state to
ensure that migrated settings are preserved. The versions of installed applications must match the
application version on the source computer. USMT only migrates the settings that were used or changed
by a user. If an application setting on the source computer was not used, it will not migrate.
Creating and Using a Custom XML File
Config.xml is an optional USMT file that you can create by using the /genconfig option with the
ScanState tool. To include all of the default elements without changing the default store-creation or
profile-migration behaviors, you do not need to create a Config.xml file.
However, if you are satisfied with the default migration behavior defined in the MigApp.xml, MigUser.xml,
and MigDocs.xml files, but you want to exclude certain elements, you can create and modify the
Config.xml file and leave the other .xml files unchanged. For example, you must create and modify the
Config.xml file to exclude any of the operating system settings that are migrated. You must create and
modify this file to change any of the default store-creation or profile-migration behaviors.
The Config.xml file has a different format compared to other migration .xml files because it does not
contain any migration rules. It only contains a list of the operating system features, applications, and user
documents that can be migrated, in addition to user-profile and error-control policies. For this reason,
excluding features by using the Config.xml file is easier than modifying migration .xml files because you
do not need to be familiar with the migration rules and syntax. However, you cannot use wildcard
characters in this file.
How to include files and settings
http://go.microsoft.com/fwlink/?LinkId=378228&clcid=0x409
Example of ScanState Syntax
The following syntax provides an example of how you can configure ScanState to scan a source computer.
Scanstate \\LON-SRV1\DesktopMigration /i:migapp.xml /i:miguser.xml /config:config.xml /o /ui:DBService /ue:Adatum\Don
What USMT Does Not Migrate
USMT does not migrate the following settings:
Application settings. USMT does not migrate settings from older versions of an application. It also
does not migrate application settings and some operating system settings when a local account is
created.
Installed applications. USMT does not migrate installed applications. You have to reinstall all
applications on a destination computer before restoring application settings.
Operating system settings. USMT does not migrate the following operating system settings:
o Mapped network drives, local printers, hardware-related settings, drivers, passwords, application
binary files, synchronization files, dynamic-link library files, or other executable files.
o Shared folder permissions.
o Files and settings that are migrating between operating systems with different languages.
o Customized icons for shortcuts.
o Taskbar settings when a source computer is running Windows XP.

What does USMT migrate?
http://go.microsoft.com/fwlink/?LinkId=378229&clcid=0x409
Question: Why would you use additional XML configuration files with ScanState.exe?
Restoring User State by Using LoadState
You can use the LoadState tool to restore files and
settings from a migration store to a destination
computer. Remember that you can restore only
the settings and data that were captured on the
source computer. Similar to ScanState, the
LoadState tool supports many parameters, and
you can use them in any order. You can consult
documentation to view the parameters that
ScanState supports.
LoadState syntax
http://go.microsoft.com/fwlink/?LinkId=378230&clcid=0x409
Prepare and Restore Files and Settings on the Destination Computer
To prepare a destination computer:
1. Install an operating system on the destination computer.
2. Install all applications that were on the source computer.
To restore files and settings on a destination computer:
1. Run the LoadState tool on the destination computer. Specify the same set of .xml files that you
specified when you used the ScanState tool. However, you do not have to specify the Config.xml file
unless you want to exclude some files and settings that you migrated to the store.
2. Sign out after running the LoadState tool. Some settings, such as fonts, wallpaper, and screen saver,
will not take effect until the next time the user signs in.
LoadState Syntax Example
The following syntax provides an example of how to configure LoadState to migrate user states to a
destination computer:
Loadstate \\LON-SRV1\DesktopMigration /i:migapp.xml /i:miguser.xml /ue:Adatum\Don /ui:DBService /lac:Pa$$w0rd /lae
Question: How can you ensure that user data is safe during a migration?
Lab B: Migrating User State by Using USMT
Scenario
You have been asked to implement the upgrade of 10 new computers that are being deployed to the
Research department at A. Datum. Max Stevens, the IT manager from the Research department, has sent
you an email outlining the requirements for the upgrade.
Objectives
After completing this lab, you will be able to:
Create and customize USMT XML files.
Capture and restore user state to a target computer.
Lab Setup
Estimated Time: 45 minutes
Virtual machines: LON-DC1, LON-CL1, and LON-CL3
User name: Adatum\Administrator
Password: Pa$$w0rd
Start the virtual machines LON-DC1, LON-CL1 and LON-CL3 if they are not running already. You do not
need to sign in to any computer.
Exercise 1: Creating and Customizing USMT XML Files
Scenario
Supporting Documentation
Email from Max Stevens:
Ed Meadows
From: Max Stevens [Max@adatum.com]
Sent: 10 January 2014 08:01
To: Ed@adatum.com
Subject: User State Migration for the new Windows 8.1 computers in the Research department
Hi Ed,
We have 10 new Windows 8.1 computers that are being deployed within the Research department. We
need to ensure that no user data stored on the old computers is lost in the migration, and that all user
data is migrated to the new computers. What I want you to do is use USMT to help with the user state
migration. Here are some additional things to consider:
The old computers have Windows 7 installed.
All computers have Microsoft Office 2010 installed.
The contents of the Shared Video, Shared Music, and Shared Pictures folders should not be migrated
from Windows 7 to the new Windows 8.1 computers.
We have a custom folder named ResearchApps that has to be migrated from all the old computers to
the new Windows 8.1 computers.
All domain profiles that are on each existing computer should be migrated to the new systems.
You can use \\LON-DC1\Data as a location to store the data store during the migration. The data
store should be compressed to minimize space. Because there is no confidential information on these
specific computers, we do not need the migration store to be encrypted.
Thanks,
Max
Your user state migration information states that several operating system features should not be
migrated. You also have to migrate an additional folder from the old computers to the new Windows 8.1
computers. Your first task is to create the custom XML files that address these requirements.
The main tasks for this exercise are as follows:
1. Read the supporting documentation.
2. Create a Config.xml file.
3. Modify a custom migration XML file.
Task 1: Read the supporting documentation
Read the supporting documentation provided in the lab scenario.
Task 2: Create a Config.xml file
1. Sign in to LON-CL3 as Adatum\Don with password Pa$$w0rd.
2. Verify that Don has a black desktop and that the Computer and Don Funk folders are shown on the
desktop.
3. Create a new text document named your name on the desktop.
4. Sign out and sign in to LON-CL3 as Adatum\Administrator with password Pa$$w0rd.
5. Open a command prompt, and then map a network drive located on LON-DC1 by using the
following command:
Net Use F: \\LON-DC1\USMT
6. Change to drive F, and then create a Config.xml file by using the following command.
scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml
7. At the command prompt, type notepad config.xml to view the Config.xml file.
8. Modify the XML code to exclude the following from the migration:
o Shared Video
o Shared Music
o Shared Pictures
Note: For each of the folders, look for component displayname, and then change the
migrate attribute to no.
Task 3: Modify a custom migration XML file
1. At a command prompt, type notepad folders.xml, and then press Enter.
2. Maximize the Notepad window. This is a custom XML file that is used to migrate a specific folder
named ResearchApps to the new workstation.
3. Change the variable <Foldername> to ResearchApps. The entire line should read as follows:
<pattern type="File">C:\ResearchApps\* [*]</pattern>
4. Verify that there is a C:\ResearchApps folder on the disk and that it contains multiple files.
5. Create a new text document with your name in the C:\ResearchApps folder.

Results: After completing this exercise, you should have created and customized XML files to use with the
User State Migration Tool (USMT).
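The Config.xml edit from Task 2 and the folders.xml custom migration file from Task 3 can be produced from Windows PowerShell instead of Notepad, which also catches a misspelled display name (Config.xml accepts no wildcards, so names must match exactly). This is an added example, not code from the course or from USMT; the function names and the urlid value are assumptions made here, while the displayname and migrate attributes are the ones the lab note refers to.

```powershell
# Added example (not from the course or USMT). Assumes F:\ is the mapped \\LON-DC1\USMT share.

function Set-UsmtConfigExclusion {
    param(
        [Parameter(Mandatory)] [string]   $ConfigPath,   # Config.xml produced by scanstate /genconfig
        [Parameter(Mandatory)] [string[]] $DisplayName   # component displayname values to set migrate="no"
    )
    # Config.xml is plain XML, so edit it as a DOM rather than with string replacement:
    # the file stays well-formed and only the intended attribute changes.
    $fullPath = (Resolve-Path -Path $ConfigPath).Path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($fullPath)

    $changed = @()
    # Components can be nested, so search the whole tree.
    foreach ($component in $xml.SelectNodes('//component')) {
        $name = $component.GetAttribute('displayname')
        if ($DisplayName -contains $name) {
            $component.SetAttribute('migrate', 'no')
            $changed += $name
        }
    }
    # A misspelled name would otherwise leave that folder in the migration silently.
    $missing = $DisplayName | Where-Object { $changed -notcontains $_ }
    if ($missing) { Write-Warning "Not present in ${fullPath}: $($missing -join ', ')" }

    $xml.Save($fullPath)
    return $changed
}

function New-UsmtFolderXml {
    param(
        [Parameter(Mandatory)] [string] $OutputPath,   # e.g. F:\folders.xml
        [Parameter(Mandatory)] [string] $FolderPath    # e.g. C:\ResearchApps
    )
    # A System-context Documents component whose include rule matches every file
    # and subfolder below $FolderPath (the pattern line shown in Task 3).
    # The urlid only has to be unique among the migration XML files you load.
    $content = @"
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/customfolders">
  <component type="Documents" context="System">
    <displayName>$FolderPath</displayName>
    <role role="Data">
      <rules>
        <include>
          <objectSet>
            <pattern type="File">$FolderPath\* [*]</pattern>
          </objectSet>
        </include>
      </rules>
    </role>
  </component>
</migration>
"@
    [System.IO.File]::WriteAllText($OutputPath, $content, [System.Text.Encoding]::UTF8)
}

# Lab values: exclude the three shared folders and migrate C:\ResearchApps.
Set-UsmtConfigExclusion -ConfigPath 'F:\config.xml' -DisplayName 'Shared Video', 'Shared Music', 'Shared Pictures'
New-UsmtFolderXml -OutputPath 'F:\folders.xml' -FolderPath 'C:\ResearchApps'
```

Open the saved config.xml afterwards to confirm that only the three component lines changed.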
Exercise 2: Capturing and Restoring User State to a Target Computer
Scenario
Now that you have the required custom XML files, you can perform the USMT migration task. Use USMT
to capture the current user state on LON-CL3 by using ScanState and the custom migration files. Then,
restore the user state to LON-CL1 and confirm the migration.
The main tasks for this exercise are as follows:
1. Capture user state on the source computer.
2. Restore user state on the destination computer.
3. Verify the user state migration.
Task 1: Capture user state on the source computer
1. On LON-CL3, switch to the command prompt.
2. Verify that the \\LON-DC1\Data shared folder is empty.
3. Capture user state by using the following command:
F:\Scanstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml /config:config.xml /o /efs:copyraw
4. Verify that the \\LON-DC1\Data shared folder stores the USMT.MIG captured user state.
Task 2: Restore user state on the destination computer
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Verify that C:\Users does not contain a subfolder named Ed or Don.
3. Verify that there is no ResearchApps folder on drive C.
4. Open the Command Prompt window, and then map network drive F to \\LON-DC1\USMT. Use the
following command.
Net Use F: \\LON-DC1\USMT
5. Change to drive F, and then restore user state on the destination computer by using the following
command.
Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml
6. Verify that the C:\Users folder contains subfolders named Ed and Don.
7. Sign out of LON-CL1.
Task 3: Verify the user state migration
1. Sign in to LON-CL1 as Adatum\Don with password Pa$$w0rd.
2. Verify that the Computer and Don Funk folders, and a text document with your name, are located
on the desktop.
3. Verify that the C:\ResearchApps folder with all its content has migrated successfully, including the
file with your name.

Results: After completing this exercise, you should have captured and restored user states by using USMT.
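The ScanState and LoadState commands from the lesson's syntax examples and from this exercise, wrapped so that each run keeps a log, stops on a non-zero exit code, validates the store with UsmtUtils before it is restored, and confirms afterwards that the expected profile folders exist. This is an added example, not code from the course or from USMT; the store, share and XML names are the lab's, while the function names, log file names and the F:\ default are assumptions made here.

```powershell
# Added example (not from the course or USMT). Run the capture on LON-CL3 and the
# restore on LON-CL1 from an elevated prompt; F:\ is the mapped \\LON-DC1\USMT share.

function Invoke-UsmtCapture {
    param(
        [Parameter(Mandatory)] [string] $StorePath,                        # e.g. \\LON-DC1\Data
        [string]   $UsmtPath     = 'F:\',                                  # folder holding the USMT binaries
        [string[]] $MigrationXml = @('migapp.xml', 'miguser.xml', 'folders.xml'),
        [string]   $ConfigXml    = 'config.xml',
        [string]   $LogPath      = 'scanstate.log'
    )
    # Same arguments as the lab command, plus a log file and status output
    # (/v:5 = verbose and status messages).
    $scanArgs = @($StorePath) +
                ($MigrationXml | ForEach-Object { "/i:$_" }) +
                @("/config:$ConfigXml", '/o', '/efs:copyraw', "/l:$LogPath", '/v:5')
    $scanState = Join-Path -Path $UsmtPath -ChildPath 'scanstate.exe'
    & $scanState @scanArgs
    if ($LASTEXITCODE -ne 0) {
        throw "ScanState exited with code $LASTEXITCODE; see $LogPath"
    }

    # A compressed store is written as USMT.MIG below the store path.
    $store = Get-ChildItem -Path $StorePath -Filter 'USMT.MIG' -Recurse | Select-Object -First 1
    if (-not $store) { throw "No USMT.MIG was created under $StorePath" }

    # Validate the store before anyone relies on it for a restore.
    $storeFile = $store.FullName
    $usmtUtils = Join-Path -Path $UsmtPath -ChildPath 'usmtutils.exe'
    & $usmtUtils /verify $storeFile /l:usmtutils.log
    if ($LASTEXITCODE -ne 0) {
        throw 'UsmtUtils reported a damaged store; see usmtutils.log'
    }
    return $storeFile
}

function Invoke-UsmtRestore {
    param(
        [Parameter(Mandatory)] [string] $StorePath,
        [string]   $UsmtPath         = 'F:\',
        [string[]] $MigrationXml     = @('migapp.xml', 'miguser.xml', 'folders.xml'),
        [string[]] $ExpectedProfiles = @('Ed', 'Don'),                     # checked in Task 2 and Task 3
        [string]   $LogPath          = 'loadstate.log'
    )
    # The lesson's LoadState example also passes /lac:<password> /lae to create and
    # enable local accounts. The lab restores domain profiles, so it is not used here;
    # a password given on the command line is also visible in command history and logs.
    $loadArgs = @($StorePath) +
                ($MigrationXml | ForEach-Object { "/i:$_" }) +
                @("/l:$LogPath", '/v:5')
    $loadState = Join-Path -Path $UsmtPath -ChildPath 'loadstate.exe'
    & $loadState @loadArgs
    if ($LASTEXITCODE -ne 0) {
        throw "LoadState exited with code $LASTEXITCODE; see $LogPath"
    }

    # Report profile folders that did not come across; the log explains why.
    $missing = $ExpectedProfiles | Where-Object { -not (Test-Path -Path "C:\Users\$_") }
    if ($missing) { Write-Warning "Profile folders not found: $($missing -join ', ')" }
    return (-not [bool]$missing)
}

# Lab sequence (capture on LON-CL3, then restore on LON-CL1):
# $storeFile = Invoke-UsmtCapture -StorePath '\\LON-DC1\Data'
# Invoke-UsmtRestore -StorePath '\\LON-DC1\Data'
```

Sign out after the restore as Task 2 instructs; settings such as wallpaper are applied at the user's next sign-in.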
Prepare for the next module
When you are finished with the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat the steps for 20687C-LON-CL1 and 20687C-LON-CL3.


Module Review and Takeaways
Review Questions
Question: After you created a user account in AD DS, you noticed that the domain user does not
have a user profile yet. Why?
Question: Can you use UE-V to synchronize application settings for a user who is already
configured with Folder Redirection?
Question: You have been asked to retain user settings for 200 users who are having their
Windows 7 desktop computers replaced with new Windows 8.1 computers. Which tool should
you use to migrate user settings?
Module 4
Tools Used for Configuring and Managing Windows 8.1
Contents:
Module Overview 4-1
Lesson 1: Tools Used to Perform Local and Remote Management of
Windows 8.1 4-2
Lesson 2: Using Windows PowerShell to Configure and Manage Windows 8.1 4-9
Lesson 3: Using Group Policy to Manage Windows 8.1 4-16
Lab: Using Management Tools to Configure Windows 8.1 Settings 4-22
Module Review and Takeaways 4-27

Module Overview
The Windows 8.1 operating system provides several methods to configure operating system components
while signed in locally or connected remotely. This module describes the primary management tools in
Windows 8.1 and the scenarios for using them.
Objectives
After completing this module, you will be able to:
Identify the tools used to perform local and remote management of Windows 8.1.
Use Windows PowerShell to configure and manage Windows 8.1.
Use Group Policy to manage Windows 8.1.

Lesson 1
Tools Used to Perform Local and Remote Management of
Windows 8.1
This lesson describes Windows 8.1 management tools and how to use them. To simplify remote
management of computers that are running Windows 8.1, you can use many of the administrative tools to
connect to a remote computer. However, you need to configure Windows 8.1 properly to allow remote
administration. You also can use Remote Desktop and Windows Remote Assistance for remote
administration on computers that run Windows 8.1. This lesson also describes Remote Server
Administration Tools (RSAT), which is a collection of server administration tools that you can install on
computers that run Windows 8.1.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Windows 8.1 administrative tools.
Explain how to create custom Microsoft Management Console (MMC) configurations.
Describe the functionality of Windows PowerShell.
Describe remote management in Windows 8.1.
Describe RSAT in Windows 8.1.
Windows 8.1 Administrative Tools
Windows 8.1 contains many administrative tools
that you can use to configure and manage a
Windows 8.1 computer. The Administrative Tools
item in the Control Panel provides access to the
key tools you can use to manage Windows 8.1.
The following tools are included in the
Administrative Tools item in the Control Panel:
Component Services. Use to configure
Microsoft Component Services (COM+) and
Distributed Component Object Model
(DCOM) applications. In most cases, you do
not use this tool unless a vendor directs you
to do so to resolve an application issue.
Computer Management. Contains a number of commonly used tools in a single console: Task
Scheduler, Event Viewer, Shared Folders, Local Users and Groups, Performance, Device Manager, Disk
Management, Services, and WMI Control.
Defragment and optimize your drives. Use to defragment hard disks to increase overall disk
performance. Normally, you do not need to run this tool because defragmentation is scheduled once
per week by default.
Disk Cleanup. Use to scan your hard disks for temporary files and other files that can be removed
without impacting the performance of Windows 8.1 or your apps. You can use this tool to free up
disk space quickly without removing data or apps.
Event Viewer. Use to view and search event logs to diagnose and troubleshoot app, service, and
operating system issues.
iSCSI Initiator. Use to connect Windows 8.1 to an Internet SCSI (iSCSI) target and use the iSCSI target
as storage.
Local Security Policy. Use to configure local security settings in Windows 8.1. In most cases, you will
use Group Policy to configure computers that run Windows 8.1 instead of the local security settings.
ODBC Data Sources (32-bit). Use to configure Open Database Connectivity (ODBC) connection to
data sources for 32-bit apps.
ODBC Data Sources (64-bit). Use to configure ODBC connections to data sources for 64-bit apps.
Performance Monitor. Use to view real-time performance data, and to record and view historical
performance and configuration data.
Print Management. Use to configure local printers and remote print servers in a single console.
Resource Monitor. Use to view real-time CPU, memory, hard disk, and network resource utilization.
Services. Use to configure the startup type for services and the credentials that are used by services.
System Configuration. Use to control the startup process for Windows 8.1 by disabling programs or
services that run at startup. You also can set some boot options, such as the default operating system
on a multiboot system.
System Information. Use to view information about the hardware and software configuration of a
computer that runs Windows 8.1. The information that is displayed includes drivers, startup programs,
and hardware resources.
Task Scheduler. Use to create scheduled tasks. You also can review the scheduled tasks created during
the installation of Windows 8.1.
Windows Firewall with Advanced Security. Use to create and manage rules for Windows Firewall.
Windows Memory Diagnostic. Use to identify problems with physical memory.
Windows PowerShell (x86). Use to open a command prompt in the Windows PowerShell
command-line interface (CLI) that you can use to manage Windows 8.1.
Windows PowerShell ISE. Use to simplify the development of Windows PowerShell scripts. The Windows
PowerShell Integrated Scripting Environment (ISE) provides color-coded error checking as you enter
commands, and it also provides a list of the available parameters for cmdlets.
Creating Custom Management Console Configurations
The MMC is an environment for loading snap-ins
that provides administrative functionality. The
MMC provides the basic framework for building
an administrative tool, and snap-ins provide the
specific functionality that is required to perform
administrative tasks. Most of the administrative
tools in Windows 8.1 are snap-ins that are loaded
into the MMC. The Computer Management
administrative tool is a combination of multiple
snap-ins that are loaded into the MMC.
The snap-ins for managing Windows 8.1 are
included as part of a Windows 8.1 installation.
Snap-ins for managing specific apps typically are included as part of an installation for that app. For
example, the snap-in for managing Microsoft Exchange Server 2010 is installed as an option from the
Exchange 2010 installation media.
Not all snap-ins have a corresponding administrative tool. To use a snap-in that is not part of an existing
administrative tool, you need to create a custom management console that includes the snap-in. Snap-ins
that are not part of an administrative tool include:
Certificates. Use this snap-in to manage certificates for users and the local computer.
NAP Client Configuration. Use this snap-in to manage the client for Network Access Protection (NAP)
to ensure computer health before network access is granted.
Resultant Set of Policy. Use this snap-in to view reports on Group Policy application.
You also can create customized MMC configurations with snap-ins that you commonly use. Customized
MMC configurations increase your productivity by eliminating the need to open multiple administrative
tools. After you create a custom management console, you can save it as a .msc file. Once the .msc file is
saved, you can reuse it later or share it with other administrators.
Creating a Custom Management Console
To create a custom management console, perform the following procedure:
1. From the Start screen, type MMC, and then click the mmc tile or press Enter.
2. From the MMC window, click File, and then click Add/Remove Snap-in.
3. Choose one or more snap-ins from the list of available snap-ins, and then click OK.
4. When you close the console window, click Yes when prompted to save the custom management
console, and then save the file to a convenient location.
After these steps are complete, you can double-click the saved console app to open the MMC with the
snap-ins that you specified in step 3 already loaded.
Overview of Windows PowerShell
Windows PowerShell is an integrated shell
environment that enables scriptable, flexible, and
comprehensive management of Windows 8.1.
Windows PowerShell has several important
characteristics that make it ideal for both local
and remote management of one or more
Windows 8.1 computers:
Windows operating system integration. Windows PowerShell 1.0 was introduced as an installable option
for Windows Vista and as a feature for Windows Server 2008. Windows PowerShell 2.0 was part of
Windows 7 and Windows Server 2008 R2. Windows PowerShell 3.0 is part of Windows 8 and Windows Server 2012.
Windows PowerShell 4.0, the most recent version, is part of Windows 8.1 and Windows
Server 2012 R2. So, for every Windows operating system version since Windows 7 and Windows
Server 2008 R2, Windows PowerShell is supported natively.
Remote management capability. You can use Windows PowerShell to manage remote computers,
provided that remote management is enabled and the user who is performing the remote
management has the proper authorization.
Script-based execution. You can use Windows PowerShell scripts to build automation and complex
logic into management tasks.
Windows PowerShell's main functionality is provided by commands. These come in many varieties:
cmdlets (pronounced command-lets), functions, workflows, and more. These commands are building
blocks, designed to be pieced together to implement complex and customized processes and procedures.
Windows PowerShell provides a CLI that you can use to enter cmdlets interactively. However, Windows
PowerShell is not restricted to the command-line. For example, the Active Directory Administrative
Center in Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 is a GUI that uses
Windows PowerShell to perform all of its tasks.
This architecture and the ability to use Windows PowerShell directly as a CLI, or to use it through a GUI
that embeds the shell, is intended to help increase consistency and coverage for administrative
capabilities. For example, an administrator might rely completely on a GUI app to perform tasks. However,
if the administrator must perform some task or implement some process that the GUI does not explicitly
support, the administrator instead can use the shell directly. When correctly implemented, this
architecture helps ensure that anything that can be done in the GUI also can be done in the CLI, with the
CLI offering the additional ability to customize processes and procedures.
Overview of Remote Management
Many of the tools that you use to manage a local
computer that is running Windows 8.1 also can be
used to remotely manage a computer that is
running Windows 8.1. By using remote
management of Windows 8.1, you can manage
computers that are running Windows 8.1 without
physically accessing the computer or interrupting
a user who is already signed in and working.
Administrative tools perform remote management
of Windows 8.1 through remote procedure calls
(RPCs) or by using Windows Remote Management
(WinRM). The method used varies based on the
administrative tools and is not configurable. By default, remote management is not enabled on computers
that are running Windows 8.1. You need to allow remote access to computers that are running
Windows 8.1. The method for allowing remote access is different for RPC and WinRM. In a domain
environment, you typically configure remote management settings by using Group Policy.
RPC
Remote management by using RPC requires the RPC and RPC endpoint mapper services to be running.
These two services are configured to start automatically. You also need to configure Windows Firewall to
allow remote management. There are predefined rules in Windows Firewall that you can enable to allow
remote management for specific parts of Windows 8.1, such as:
Event logs
Scheduled tasks
Services
Volumes
Windows Firewall
WinRM
WinRM is a web service that provides remote management access to Windows 8.1. Remote management
by using WinRM requires the Windows Remote Management (WS-Management) service to be running and
a listener to be configured. By default, this service is configured with a manual startup type. A WinRM
listener configures the web service to listen on a specific port. The default port for WinRM is 5985.
In most cases, you will want to configure WinRM with the default configuration that is expected by apps.
To configure WinRM manually with the default configuration, run winrm /quickconfig. The
/quickconfig option configures the service to start automatically, creates a listener on port 5985, and
configures Windows Firewall to allow remote communication on port 5985.
In large organizations, manually configuring WinRM on each computer is not feasible because it is too
time-consuming. Instead, you can use Group Policy to perform all of the necessary actions.
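The following script is an added example, not part of the course or of any Microsoft tool. It reports the state of the items described above on the local computer: the RPC and WinRM services, any WinRM listeners, and how many rules in each of the predefined Windows Firewall rule groups for remote management are enabled. The rule group names are the display names that Windows Firewall with Advanced Security uses for those predefined groups. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example: report the remote-management posture of the local Windows 8.1 computer.
# Run from an elevated Windows PowerShell 4.0 prompt.

function Get-RemoteManagementState {
    # RPC-based tools need the RPC service and the RPC endpoint mapper; WinRM-based tools need WinRM.
    # Get-Service in Windows PowerShell 4.0 does not expose the startup type, so it is read from WMI.
    $services = foreach ($name in 'RpcSs', 'RpcEptMapper', 'WinRM') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service   = $name
            Status    = if ($svc) { $svc.Status } else { 'NotFound' }
            StartMode = if ($wmi) { $wmi.StartMode } else { 'Unknown' }
        }
    }

    # WinRM listeners are readable through the WSMan: drive only while the service is running;
    # touching the drive while it is stopped prompts to start it, which an audit should not do.
    $listeners = @()
    if (($services | Where-Object Service -eq 'WinRM').Status -eq 'Running') {
        $listeners = Get-ChildItem -Path WSMan:\localhost\Listener | ForEach-Object {
            $props = Get-ChildItem -Path $_.PSPath
            [pscustomobject]@{
                Transport = ($props | Where-Object Name -eq 'Transport').Value
                Address   = ($props | Where-Object Name -eq 'Address').Value
                Port      = ($props | Where-Object Name -eq 'Port').Value
            }
        }
    }

    # Predefined inbound rule groups that correspond to the remote management areas listed above.
    $groups = 'Windows Remote Management',
              'Remote Event Log Management',
              'Remote Scheduled Tasks Management',
              'Remote Service Management',
              'Remote Volume Management',
              'Windows Firewall Remote Management'
    $firewall = foreach ($group in $groups) {
        $rules = @(Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            RuleGroup    = $group
            RulesEnabled = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
            RulesTotal   = $rules.Count
        }
    }

    [pscustomobject]@{
        Services  = $services
        Listeners = $listeners
        Firewall  = $firewall
    }
}

$state = Get-RemoteManagementState
$state.Services  | Format-Table -AutoSize
$state.Listeners | Format-Table -AutoSize
$state.Firewall  | Format-Table -AutoSize
```

A computer that has never been configured for remote management shows WinRM with StartMode Manual, no listeners, and zero enabled rules in every group; after winrm /quickconfig, the WinRM row changes to Auto, an HTTP listener on port 5985 appears, and the Windows Remote Management group shows enabled rules. The RPC-based groups stay at zero until you enable them separately, which is the distinction the text draws between the two methods.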
Remote Desktop
Remote Desktop allows you to connect to a remote computer and have the desktop of that remote
computer displayed locally. When you connect, you sign in just as you would if you were sitting in front of
the computer. This allows you to sign in and run apps just as a user would for troubleshooting.
Some organizations also provide remote access for users by using Remote Desktop and the Remote
Desktop Gateway on Windows Server 2012 R2. This allows users to control their own desktop computer
remotely and have access to all of their data and apps.
When users connect remotely, you can allow the redirection of printers and local drives. Printer redirection
allows you to print from an app on a remote computer and have it print on a local printer. Drive
redirection allows you to save files from a remote computer on a local computer.
By default, Remote Desktop is not enabled. You can enable and configure Remote Desktop in the System
Properties or by using Group Policy. Any necessary firewall rules for Windows Firewall are configured
when you enable Remote Desktop.
By default, local Administrators are allowed to connect remotely, but you can add any users or groups
that are required. When you add users or groups, they are made members of the Remote Desktop Users
local group that has rights to connect by using Remote Desktop.
Windows Remote Assistance
When you use Remote Desktop, you need to sign in to the remote computer. This creates a session for
your user account and disconnects a user that is signed in. You cannot view what the user is doing. You
can use Windows Remote Assistance to view the desktop of a computer when a user is signed in, and see
what the user sees. You also can request to take control of the mouse and keyboard to perform
troubleshooting. The ability to connect to an existing user session is useful for troubleshooting problems
that might be related to user-specific configurations, such as permissions or settings in the user profile.
You can offer remote assistance to a user on a remote computer, or a user on a remote computer can
request assistance. When you offer remote assistance, you connect to a remote computer by name or IP
address, and the user is prompted to allow remote assistance. When users request remote assistance, they
can generate an invitation file that you open to connect, or you can use Easy Connect. Easy Connect
requires you to enter a 12-character password that is selected by the user. Easy Connect works over the
Internet if Peer Name Resolution Protocol is allowed through all firewalls.
By default, Windows Remote Assistance is not enabled. You enable Windows Remote Assistance in the
System Properties. There are no permissions to configure for Windows Remote Assistance because it is
allowed based on the currently signed-in user who is allowing it.
Overview of RSAT
RSAT is a collection of server administration tools
that can be installed on a computer that is
running Windows 8.1. RSAT includes Server
Manager, MMC snap-ins, Windows PowerShell
providers, and command-line tools for managing
Windows Server 2012 R2, Windows Server 2012,
Windows Server 2008 R2, Windows Server 2008,
and some Windows Server 2003 roles and
features.
RSAT for Windows 8.1 includes management tools
for the following Windows roles and features:
Active Directory Certificate Services (AD CS)
Active Directory Domain Services (AD DS)
BitLocker Drive Encryption
Dynamic Host Configuration Protocol (DHCP) Server
DirectAccess
Domain Name System (DNS) Server
Failover clustering
File and Storage Services
IP Address Management
NIC Teaming
Network Load Balancing
Remote Desktop Services
Simple Mail Transfer Protocol (SMTP) server
Windows System Resource Manager
Windows Server Update Services
Lesson 2
Using Windows PowerShell to Configure and Manage
Windows 8.1
You can use Windows PowerShell for system administration as an alternative to more complex scripting
languages such as Microsoft Visual Basic, Scripting Edition (VBScript). You can perform relatively complex
administrative tasks by using scripts or the Windows PowerShell pipeline. To simplify creating and editing
scripts, you can use Windows PowerShell ISE. You also can perform remote administration by using
Windows PowerShell. This module will introduce you to the important concepts of Windows PowerShell
and explain how to use Windows PowerShell for local and remote management of Windows 8.1
computers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Windows PowerShell.
Identify the new features in Windows PowerShell 4.0.
Describe Windows PowerShell ISE.
Use Windows PowerShell ISE.
Use Windows PowerShell scripts to manage Windows 8.1.
Describe Windows PowerShell remoting.
Use Windows PowerShell remoting.
Overview of Windows PowerShell
Windows PowerShell is a command-line shell that
is designed for system administration. You can
use Windows PowerShell to run individual cmdlets
that perform actions or scripts that use cmdlets.
Using Windows PowerShell is much simpler than
other scripting languages such as VBScript.
Windows PowerShell uses Windows PowerShell
drives to provide access to data stores. These
drives present data in a format similar to a file
system. Some common Windows PowerShell
drives are as follows:
The C: drive is the local file system C: drive.
The cert: drive is the local certificate store.
The Env: drive contains environment variables that are stored in memory.
The HKCU: drive is the HKEY_CURRENT_USER portion of the registry.
The HKLM: drive is the HKEY_LOCAL_MACHINE portion of the registry.
The Variable: drive contains the variables that are stored in memory.
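The following is an added example, not from the course, that uses four of the drives listed above from one prompt: the registry drives to list the programs configured to start at sign-in (a location worth checking for entries you do not recognize), the cert: drive to find certificates in the computer's personal store that expire soon, and the Env: and Variable: drives to read values that exist only in memory. The Run key paths and the certificate store name are standard Windows locations; the 30-day window is an assumption.

```powershell
# Added example: the same Get-ChildItem and Get-ItemProperty cmdlets work against every
# Windows PowerShell drive, so registry keys, certificate stores, and variables can be
# inspected in the same way as folders and files.

# 1. Registry drives (HKLM: and HKCU:): programs that run automatically at sign-in.
function Get-RunEntry {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath, PSParentPath, and similar bookkeeping properties; skip them.
        foreach ($prop in $values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

# 2. cert: drive: certificates in the computer's personal store that expire within $Days days.
function Get-ExpiringCertificate {
    param([int]$Days = 30)   # 30-day window is an assumption; match it to your renewal lead time
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.NotAfter -lt (Get-Date).AddDays($Days) } |
        Select-Object Subject, Thumbprint, NotAfter
}

# 3. Env: drive: the directories on the current search path, one per line.
function Get-SearchPath {
    (Get-Item -Path Env:\Path).Value -split ';' | Where-Object { $_ }
}

# 4. Variable: drive: every variable currently defined in the session, with its value.
function Get-SessionVariable {
    Get-ChildItem -Path Variable: | Select-Object Name, Value
}

Get-RunEntry | Format-Table -AutoSize
Get-ExpiringCertificate | Format-Table -AutoSize
Get-SearchPath
Get-SessionVariable | Where-Object { $_.Name -like 'PS*' } | Format-Table -AutoSize
```

Because each drive is exposed by a provider, the same Set-Location, Get-ChildItem, and Get-Item commands apply throughout; the only difference is what the items represent (registry values, certificates, or name-value pairs) and, for the registry, whether the command reads keys (Get-ChildItem) or values (Get-ItemProperty).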
Cmdlets
Cmdlets use a naming convention of a verb or action, followed by a noun or a subject. For example, to
retrieve a list of services, you would use the Get-Service cmdlet. This standardization helps you to more
easily learn how to accomplish administrative tasks.
Some common cmdlet verbs are:
Get retrieves data.
Set establishes or modifies data.
New creates a new object.
Each cmdlet has options called parameters. Some parameters are required, and some parameters are
optional. The parameters vary for each cmdlet.
The following example shows how to start the Application Identity service by using the Name parameter.
Start-Service -Name AppIDSvc    # AppIDSvc is the service name of the Application Identity service
Note: The cmdlets that are available for use on a computer system vary depending on the
version of Windows PowerShell that has been installed and the snap-ins with cmdlets that have
been installed.
Compatibility with Command-Line Tools
You can run batch files and executable files at a Windows PowerShell command prompt. For example, you
can run Ipconfig.exe at a Windows PowerShell command prompt, and it behaves exactly the same as if
you ran it from a command prompt. This allows you to start using Windows PowerShell as your default
command-line environment for administration.
In some cases, commands or options for commands contain reserved words or characters for
Windows PowerShell. In such a case, you can enclose the command in single quotation marks to prevent
Windows PowerShell from evaluating the reserved word or combination of words. You also can use the
grave accent (`) character to prevent the evaluation of a single character.
In rare cases, an executable file does not run correctly at a Windows PowerShell command prompt. You
should test batch files to ensure that they work properly at a Windows PowerShell command prompt.
Key Features in Windows PowerShell 4.0
Windows PowerShell 4.0 includes several new
features that improve Windows PowerShell
functionality and enable greater management
capability for Windows 8.1 PCs. Windows
PowerShell 4.0 is backward compatible with
previous versions of Windows PowerShell and
includes several new features, such as:
Windows PowerShell Desired State
Configuration. This feature enables you to
deploy and manage configuration data for
the Windows environment and software
services. With Desired State Configuration,
you can create a variable containing configuration data, and pass that variable to the
Start-DscConfiguration cmdlet to carry out the configuration.
Save-Help cmdlet. The Save-Help cmdlet enables you to save help for installed modules present on
remote computers.
The new default setting for execution policy in Windows Server 2012 R2 is RemoteSigned.
Support for Windows PowerShell Workflow debugging and remote script debugging.
Windows PowerShell Workflow reconnects to managed nodes automatically after an unexpected
crash or restart.
You can disconnect from and reconnect to existing sessions in Windows PowerShell Web Access.
You can open multiple Windows PowerShell Web Access windows in a single browser session.
For more information, see the following webpage on the Microsoft TechNet website.
What's New in Windows PowerShell
http://go.microsoft.com/fwlink/?LinkId=378231&clcid=0x409
What Is Windows PowerShell ISE?
You can create Windows PowerShell scripts by
using a simple text editor. However, you can
reduce the amount of troubleshooting that you
perform for your scripts if you use Windows
PowerShell ISE. Windows PowerShell ISE provides
additional features that make it easier to create
scripts:
Windows PowerShell ISE provides color
coding of cmdlets, parameters, and variables.
This helps you visually identify syntax errors as
you are typing or editing a script.
Microsoft IntelliSense provides suggestions
as you type. When you type a cmdlet or parameter, IntelliSense provides similar information to that
provided by tab completion. This helps you minimize typographical errors and speeds up the entry of
the script.
Line numbers and column numbers are displayed. This simplifies troubleshooting because error
messages display the line number and column number where the error occurred.
Ability to run selective code. You can select a specific portion of a script to run just those lines. This
allows you to test parts of a script as you create it.
Debugging tools. You can set breakpoints in a script and then query variable values to identify why
errors are occurring, or to confirm that the values are correct.
A command toolbar. This provides a list of cmdlets and parameters that are available for those
cmdlets. In some cases, this prevents the need to view help documentation for a cmdlet.
Multiple tabs for multiple scripts. You can have multiple scripts open at the same time, each
contained on its own tab. This allows you to move content from one script to another.
Demonstration: Using Windows PowerShell ISE
In this demonstration, you will see how to:
Prepare the computer to run scripts.
Open and review a script.
Modify and test a script.
Run a script from the Windows PowerShell command prompt.
Demonstration Steps
Prepare the computer to run scripts
1. On LON-CL1, open the Administrative Tools, and then open Windows PowerShell ISE.
2. In Windows PowerShell ISE, at the Windows PowerShell command prompt, use the
Get-ExecutionPolicy cmdlet to view the current execution policy for scripts.
Open and review a script
1. In Windows PowerShell ISE, open E:\Labfiles\Mod04\Services.ps1.
2. Read the script, and then explain what the script is doing. Note the following:
o Comments are green
o Variables are red
o Cmdlets are bright blue
o Text in quotation marks is dark red
Modify and test a script
1. Select line 3 in the script, and then run the selection.
2. In the Console pane, view the contents of the $services variable.
3. Run the script, and then read the output. Notice that it does not have multiple colors.
4. At the end of line 14, type -ForegroundColor $color.
5. Run the script, and then read the output. Notice that running services are green and services that are
not running are red.
6. On line 16, type Write-Host "A total of $($services.count) services were evaluated"
7. Run the script.
8. In the Commands pane, build a Write-Host command with the following options:
a. BackgroundColor: Gray
b. ForegroundColor: Black
c. Object: Script execution is complete
9. Copy the command, and then paste it on line 17 of the script.
10. Run the script.
11. Save the script.
Run a script from the Windows PowerShell command prompt
1. Open a Windows PowerShell command prompt.
2. At the Windows PowerShell command prompt, type Set-Location E:\Labfiles\Mod04, and then
press Enter.
3. Type .\Services.ps1, and then press Enter.
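The course's Services.ps1 file is not reproduced in the text. The following is an added example, written here in the shape that the demonstration describes and not the course's own file: a $services variable filled by Get-Service, a loop that prints each service with Write-Host using a $color that depends on the service state, and the two summary lines that the steps add at the end. Save it as Services.ps1 to follow the demonstration with it.

```powershell
# Added example, not the course's Services.ps1: lists every service and colours the output by state.
# In Windows PowerShell ISE, comments, variables, cmdlets, and quoted strings each get their own colour.
$services = Get-Service

foreach ($service in $services) {
    # A running service is shown in green; anything else (Stopped, StartPending, ...) in red
    if ($service.Status -eq 'Running') {
        $color = 'Green'
    } else {
        $color = 'Red'
    }
    Write-Host "$($service.Status) $($service.Name) ($($service.DisplayName))" -ForegroundColor $color
}

# Summary lines in the form the demonstration adds at the end of the script.
# $services.Count inside a string needs the $( ) subexpression; "$services.Count" alone would
# print the whole array followed by the literal text ".Count".
$stopped = @($services | Where-Object { $_.Status -ne 'Running' }).Count
Write-Host "A total of $($services.Count) services were evaluated, $stopped of them not running"
Write-Host -Object 'Script execution is complete' -BackgroundColor Gray -ForegroundColor Black
```

Selecting only the $services = Get-Service line and running the selection, as step 1 of "Modify and test a script" does, fills the variable in the Console pane without running the rest of the file, which is the ISE feature that lets you inspect intermediate values while you build a script.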
Using Windows PowerShell Scripts
You can accomplish several tasks by using a
pipeline and multiple cmdlets. There might be
times where you need to run multiple cmdlets,
make choices, wait for tasks to complete, or run
the same code repeatedly. In these cases, you can
use a Windows PowerShell script to put all of the
steps together. A script is a text-based file that
includes at least one Windows PowerShell
command and is saved with a .ps1 extension. You
can create scripts to take input from the
command line, thereby enabling you to customize
how a script executes.
Execution Policy
By default, the execution policy does not allow Windows PowerShell scripts to be executed automatically.
This safeguards a computer by preventing unattended scripts from running without an administrator's
knowledge. There are five execution policies that you can set:
Restricted. This is the default policy for Windows 8.1. It does not allow configuration files to load, nor
does it allow scripts to be run. The Restricted execution policy is perfect for any computer on which
you do not run scripts, or on which you run scripts only rarely. Keep in mind that you could open the
shell manually with a less restrictive execution policy.
AllSigned. This policy requires that a trusted publisher sign all scripts and configuration files,
including scripts that are created on your local computer. This execution policy is useful for
environments where you do not want to run any script unless it has a trusted digital signature. This
policy needs additional effort because it requires you to digitally sign every script that you write, and
then resign each script every time that you make any changes to it.
RemoteSigned. This policy requires that a trusted publisher sign all scripts and configuration files
downloaded from the Internet. This execution policy is useful because it assumes that local scripts are
ones that you create yourself and that you trust them. It does not require those scripts to be signed.
Scripts that are downloaded from the Internet or received through email, however, are not trusted
unless they carry an intact, trusted digital signature. You could still run those scripts by running the
shell under a lesser execution policy, for example, or even by signing the script yourself. However,
those are additional steps that you have to take, so it is unlikely that you would be able to run such a
script accidentally or unknowingly.
Unrestricted. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, you are warned about potential dangers and must give permission for
the script to run. The Unrestricted execution policy typically is not appropriate for production
environments because it provides little protection against accidentally or unknowingly running
untrusted scripts.
Bypass. This policy loads all configuration files and runs all scripts. If you run a script that was
downloaded from the Internet, the script will run without any warnings. This execution policy typically
is not appropriate for production environments because it provides no protection against accidentally
or unknowingly running untrusted scripts.
You can view the execution policy for a computer by using the Get-ExecutionPolicy cmdlet. To configure
the execution policy, you must open an elevated Windows PowerShell command prompt and then run
the Set-ExecutionPolicy cmdlet. After you configure the execution policy, you can run a script by typing
the entire name of the script.
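The following function is an added example, not from the course. It gathers the three things Windows PowerShell looks at before it runs a script under the policies above: the execution policy in each scope, whether the file is marked as downloaded from the Internet (the Zone.Identifier alternate data stream that browsers and mail clients attach to saved files, which is what RemoteSigned tests), and the Authenticode signature status that AllSigned and RemoteSigned require to be Valid. The script path is a placeholder.

```powershell
# Added example: show what Windows PowerShell consults before it runs a script, so that an
# execution policy outcome can be explained rather than guessed. The path below is a placeholder.

function Get-ScriptTrustReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    $file = Get-Item -LiteralPath $Path

    # The policy is set per scope. Group Policy scopes (MachinePolicy, UserPolicy) win over
    # the local scopes, and the first scope from the top that is not Undefined is effective.
    $byScope = Get-ExecutionPolicy -List |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }

    # "Downloaded from the Internet" means the file carries a Zone.Identifier alternate data
    # stream. ZoneId 3 is the Internet zone; 4 is Restricted sites.
    $zone = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $zoneId = $null
    if ($zone) {
        $match = Get-Content -LiteralPath $Path -Stream Zone.Identifier |
            Select-String -Pattern 'ZoneId=(\d)' | Select-Object -First 1
        if ($match) { $zoneId = [int]$match.Matches[0].Groups[1].Value }
    }

    # Authenticode status: Valid, NotSigned, HashMismatch (changed after signing),
    # or UnknownError (signed, but the signer is not trusted on this computer).
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Script          = $file.FullName
        EffectivePolicy = Get-ExecutionPolicy
        PolicyByScope   = $byScope -join '; '
        FromInternet    = [bool]$zone
        ZoneId          = $zoneId
        SignatureStatus = $sig.Status
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

# Placeholder path; point it at any .ps1 file
Get-ScriptTrustReport -Path 'C:\scripts\Myscript.ps1' | Format-List
```

Under RemoteSigned, a script that reports FromInternet True and a SignatureStatus other than Valid will not run. After you have reviewed such a script, Unblock-File removes the Zone.Identifier stream; Set-AuthenticodeSignature signs a script with a code-signing certificate, which is the route that AllSigned requires for every script, including the ones you write yourself.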
Running a Script
When you run a script, you cannot provide just the name of the script; you need to provide the path to
the script as well. If the file is not in the current directory, you can provide a complete path, such as
C:\scripts\Myscript.ps1. You also can specify a relative path such as .\Myscript.ps1, which runs the script
from the current directory.
The following script displays a list of files on drive C that have been modified in the last seven days.
$date=(Get-Date).AddDays(-7)
Get-ChildItem C:\ -Recurse | Where-Object {$_.LastWriteTime -gt $date}
The first line of this script gets the date seven days prior to the current date and puts it in a variable
named $date. The second line of the script obtains a list of all of the files on drive C and uses
Where-Object to filter the list of files to include only those that have a LastWriteTime that is greater than
the value of $date.
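The two-line script above does one fixed job. The following is an added example, not from the course, that turns it into a script that takes its input from the command line, as the introduction to this topic describes: the drive, the number of days, an optional list of extensions, and whether hidden files are included all become parameters. The file name Get-RecentFile.ps1 is an assumption.

```powershell
# Added example: Get-RecentFile.ps1 (name is ours). Parameters make the search reusable:
#   .\Get-RecentFile.ps1                                       same result as the two-line script
#   .\Get-RecentFile.ps1 -Path C:\Windows\System32 -Days 3 -Extension .exe,.dll
param(
    [string]   $Path = 'C:\',   # root of the search; the course example uses drive C
    [int]      $Days = 7,       # how far back to look, in days
    [string[]] $Extension,      # optional: keep only these extensions, for example .exe,.dll
    [switch]   $IncludeHidden   # also return hidden and system files
)

# Same calculation as the course example, with the number of days coming from the command line
$date = (Get-Date).AddDays(-$Days)

# Splatting builds the Get-ChildItem call; -Force is added only when hidden files are wanted.
# Folders that deny access are skipped silently instead of stopping the script.
$search = @{ Path = $Path; Recurse = $true; ErrorAction = 'SilentlyContinue' }
if ($IncludeHidden) { $search['Force'] = $true }

Get-ChildItem @search |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $date } |
    Where-Object { -not $Extension -or ($Extension -contains $_.Extension) } |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -Property FullName, Length, LastWriteTime
```

The param block must be the first statement in the file (comments may precede it). Running the script with no arguments reproduces the original search; narrowing it to executable extensions in a system folder over the last few days is a quick way to see which binaries changed on a computer you are troubleshooting.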
Overview of Windows PowerShell Remoting
You use Windows PowerShell to connect to
computers remotely and run scripts or query
information. Some cmdlets use the
ComputerName parameter to specify a remote
computer that should be contacted. When you
use the ComputerName parameter, you can
provide a single computer name, a
comma-separated list, or a variable that contains multiple
computer names. You need to review the
documentation for a cmdlet to determine whether
it supports using the ComputerName parameter.
This example shows how to query a list of
processes from a remote computer.
Get-Process -ComputerName LON-DC1.adatum.com
Windows PowerShell Remoting
You can use Windows PowerShell remoting to run cmdlets or scripts on remote computers, regardless of
whether the cmdlets support the ComputerName parameter. You also can use Windows PowerShell
remoting to create a remote session at a Windows PowerShell command prompt or in Windows
PowerShell ISE.
To enable Windows PowerShell remoting, you need to use the Enable-PSRemoting cmdlet. The
Enable-PSRemoting cmdlet configures WinRM if it is not already configured and configures all of the
necessary permissions. You also can use Group Policy to enable Windows PowerShell remoting.
This example shows how to retrieve a directory listing from a remote computer.
Invoke-Command -ComputerName LON-DC1.adatum.com -ScriptBlock {Get-ChildItem C:\}
This example shows how to run a script on a remote computer.
Invoke-Command -ComputerName LON-DC1.adatum.com -FilePath E:\Scripts\MyScript.ps1
Note: When you run a script on a remote computer, the script does not need to exist on
the remote computer. The script is copied from the local computer to the remote computer.
This example shows how to create a remote session at a Windows PowerShell command prompt.
Enter-PSSession -ComputerName LON-DC1.adatum.com
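The following function is an added example, not from the course. It performs the last step of the demonstration that follows (the ten most recent Security event log entries from LON-CL1 and LON-DC1) as a single fan-out Invoke-Command, checks first that each computer is listening on WinRM so an unreachable computer is reported instead of silently timing out, and keeps the results as objects so that each entry carries the PSComputerName of the computer it came from. The computer names are the course's lab names.

```powershell
# Added example: query the Security log on several computers at once over Windows PowerShell remoting.

function Get-RecentSecurityEvent {
    param(
        [string[]] $ComputerName = @('LON-CL1', 'LON-DC1'),
        [int]      $Newest = 10
    )

    # Test-WSMan fails quickly where WinRM is not listening, so the slow Invoke-Command
    # timeout is avoided and the unreachable computer is reported explicitly.
    $reachable = foreach ($computer in $ComputerName) {
        if (Test-WSMan -ComputerName $computer -ErrorAction SilentlyContinue) {
            $computer
        } else {
            Write-Warning "$computer is not reachable over WinRM; skipping"
        }
    }
    if (-not $reachable) { return }

    # One Invoke-Command runs the script block on every computer in parallel. The remote side
    # cannot see local variables, so $Newest is handed over with -ArgumentList.
    Invoke-Command -ComputerName $reachable -ArgumentList $Newest -ScriptBlock {
        param($count)
        Get-EventLog -LogName Security -Newest $count |
            Select-Object TimeGenerated, EventID, EntryType, Message
    } |
        Select-Object PSComputerName, TimeGenerated, EventID, EntryType,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

Get-RecentSecurityEvent | Sort-Object TimeGenerated -Descending | Format-Table -AutoSize
```

Invoke-Command returns deserialized copies of the remote objects, which is why the remote script block selects the properties it needs before they cross the network; reading the Security log on LON-DC1 requires an account that is permitted to read it there, such as the lab's Adatum\Administrator.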
Demonstration: Using Windows PowerShell Remoting
In this demonstration, you will see how to enable Windows PowerShell remoting on a client computer and
how to use Windows PowerShell remoting in several basic scenarios.
Demonstration Steps
1. Ensure that you are signed in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Ensure that you have the correct execution policy in place by running the command
Set-ExecutionPolicy RemoteSigned.
3. Enable Windows PowerShell remoting.
4. Open a one-to-one connection to LON-DC1.
5. Get a list of processes that are running on LON-DC1.
6. Close the LON-DC1 connection.
7. Get a list of the most recent 10 Security event log entries from LON-CL1 and LON-DC1.
Lesson 3
Using Group Policy to Manage Windows 8.1
Group Policy is an effective way to manage the configuration of Windows 8.1 computers. You can
configure thousands of settings and enforce them on desktop computers. In addition to Group Policy
settings, you can use Group Policy Preferences to configure the user environment with options such as
printers and drive mappings. To ensure that you can implement Group Policy for your organization, you
need to understand how Group Policy Objects (GPOs) are processed. You also should be aware of the
tools that you can use to troubleshoot application of Group Policy.
Lesson Objectives
After completing this lesson, you will be able to:
Describe GPOs and Group Policy settings.
Describe how to configure Group Policy settings.
Describe Group Policy Preferences.
Describe how to configure GPOs in a domain environment.
Configure domain-based GPOs.
Determine how GPOs are processed and applied.
What Are GPOs and Group Policy Settings?
Group Policy is a system for applying
configuration settings to Windows clients and
servers. You create GPOs that contain Group
Policy settings. Domain-joined Windows 8.1
computers download and apply the settings in
GPOs.
GPOs
A GPO is an object that contains one or more
policy settings that apply configuration settings for
users, computers, or both. GPOs in AD DS are
stored in the SYSVOL share on domain controllers,
and you can manage them by using the Group
Policy Management Console (GPMC). Within the GPMC, you can open and edit a GPO by using the Group
Policy Management Editor window. GPOs are logically linked to AD DS containers to apply settings to the
objects in those containers.
Note: GPOs can be linked to AD DS sites, domains, and organizational units (OUs). GPOs
cannot be linked to the default Computers or Users containers.
Group Policy Settings
A Group Policy setting is the most specific component of Group Policy. It defines a specific configuration
change to apply to an object (a computer, a user, or both) within AD DS. Group Policy has thousands of
configurable settings. These settings can affect nearly every area of the computing environment. Not all
settings can be applied to all older versions of Windows Server and Windows operating systems. Each new
version introduces new settings and capabilities that only apply to that specific version. If a computer has
a Group Policy setting applied that it cannot process, it simply ignores it.
Most policy settings have three states:
Not Configured. The GPO will not modify the existing configuration of the particular setting for the
user or computer.
Enabled. The policy setting will be applied.
Disabled. The policy setting is specifically reversed.
By default, most settings are set to Not Configured.
Note: Some settings are multivalued or have text string values. These typically are used to
provide specific configuration details to applications or operating system components. For
example, a setting might provide the URL of the home page for Internet Explorer or for blocked
applications.
The effect of the configuration change depends on the policy setting. For example, if you enable the
Prohibit Access to Control Panel policy setting, users will be unable to open Control Panel. If you
disable the policy setting, you ensure that users can open Control Panel. Notice the double negative in
this policy setting: you disable a policy setting that prevents an action, thereby allowing the action.
Group Policy Settings Structure
There are two distinct areas of Group Policy settings:
User settings. These are settings that modify the HKEY_CURRENT_USER hive of the registry.
Computer settings. These are settings that modify the HKEY_LOCAL_MACHINE hive of the registry.
User and computer settings each have three areas of configuration, as described in the following table.
Section | Description
Software settings | Contains software settings that can be deployed to either the user or the computer. Software that is deployed or published to a user is specific to that user. Software that is deployed to a computer is available to all users of that computer.
Windows operating system settings | Contains script settings and security settings for both user and computer, and Internet Explorer maintenance for the user configuration.
Administrative templates | Contains hundreds of settings that modify the registry to control various aspects of the user and computer environment. New administrative templates might be created by Microsoft or other vendors. You can add these new templates to the GPMC. For example, Microsoft has Office 2010 templates that are available for download that you can add to the GPMC.
Group Policy Management Editor
The Group Policy Management Editor window displays the individual Group Policy settings that are
available in a GPO. These are displayed in an organized hierarchy that begins with the division between
computer settings and user settings, and then expands to show the Computer Configuration node and
the User Configuration node. All Group Policy settings and preferences are configured in the Group Policy
Management Editor window.
Group Policy Preferences
In addition to the Group Policy sections shown in the preceding table, a Preferences node is present
under both the Computer Configuration and User Configuration nodes in the Group Policy Management
Editor window. Preferences provide even more capabilities with which to configure the environment.
Group Policy Preferences are discussed later in this module.
Demonstration: Configuring Group Policy Settings
In this demonstration, you will see how to:
Edit the local GPO to restrict the use of registry editing tools.
Edit the local GPO to allow administrators to use registry editing tools.
Demonstration Steps
Edit the local GPO to restrict the use of registry editing tools
1. On LON-CL1, open the Local Group Policy Editor.
2. In User Configuration\Administrative Templates\System, configure the Prevent access to
registry editing tools policy setting as Enabled.
3. Attempt to run Regedit.exe, and then review the error message.
Edit the local GPO to allow administrators to use registry editing tools
1. Open the Microsoft Management Console, add the Group Policy Object Editor snap-in, and then
select the Administrators GPO. In the Browse for a Group Policy Object window, click the Users tab,
click Administrators, and then click OK.
2. In User Configuration\Administrative Templates\System, configure the Prevent access to
registry editing tools policy setting as Disabled.
3. Run Regedit.exe, and then verify that it starts successfully.
Overview of Group Policy Preferences
Group Policy Preferences are a set of Group Policy
extensions that expand the range of configurable
settings in a GPO. Like Group Policy settings,
Group Policy Preferences are available for both
users and computers. However, unlike Group
Policy settings, preferences are not enforced.
Users can change the configurations that are
applied. Also, by default, Group Policy Preferences
remain even when the GPO that contains the
preferences is no longer applicable.
Some of the more common uses for Group Policy
Preferences are:
Map network drives for users
Configure desktop shortcuts for users or computers
Set environment variables
Install printers
Set power options
Configure Start menus
Configure data sources (ODBC connections)
Configure Internet options
Schedule tasks
Many of the tasks that you can perform by using Group Policy Preferences would have otherwise required
scripting to perform. In some cases, Group Policy Preferences can be used in place of logon scripts.
Targeting
You can use targeting for individual Group Policy Preferences in a GPO. By using targeting, you can
specify the criteria that must be met for a Group Policy preference to be applied. Security group
membership is a commonly used criterion for targeting. For example, you can map drive M to the
marketing share only for users who are members of the Marketing security group.
Other criteria for targeting include:
IP address range
Operating system
Computer name
A battery is present
AD DS site
Note: Group Policy Preferences are not present in local GPOs.
Configuring GPOs in a Domain Environment
You can use Group Policy in an AD DS
environment to provide centralized configuration
management. Domain-based GPOs are created
and linked to objects within an AD DS
infrastructure. The computers and users that are
within those objects then are affected by the
settings in the GPO, depending on how the
application of GPO is configured. Domain-based
GPOs have several characteristics that do not
apply to local GPOs.
GPO Storage
AD DS GPOs are stored as two components: a
Group Policy container and a Group Policy template.
The Group Policy container is an AD DS object that is stored in the Group Policy Objects container in the
AD DS database. The Group Policy container defines basic attributes of a GPO, but it does not contain any
of the settings. The settings are contained in the Group Policy template, a collection of files that are stored
in the SYSVOL of each domain controller in the %SystemRoot%\SYSVOL\Domain\Policies\ path.
This method of storage means that domain-based GPOs are stored and synchronized across all domain
controllers in the domain.
GPO Linking
AD DS GPOs can be applied to an AD DS infrastructure by linking the GPO. A GPO can be linked to an
AD DS site, an AD DS domain, or to an AD DS OU. This enables you to apply GPO settings to specific
computers within an AD DS structure, or to the entire domain.
GPO Inheritance
GPO settings are inherited from parent objects in AD DS so that GPOs applied at a higher level are passed
down to computers and users in child objects in AD DS. This behavior ensures that settings applied at a
high level, like the domain, are applied to all computers. In special cases, inheritance can be modified or
blocked to provide a very specific configuration environment for certain computers or users.
GPO Application
By default, AD DS GPOs apply to all users and computers within the parent object where the GPO is
linked. This application can be modified by filtering the application of GPOs by Windows Management
Instrumentation (WMI) filters or security groups.
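The following script is an added example, not from the course, that carries out the storage, linking, inheritance, and security-group filtering described above from Windows PowerShell with the GroupPolicy module that RSAT installs. The GPO, OU, and group names are assumptions for the Adatum lab domain; the registry value written is the one that the "Prevent access to registry editing tools" setting from the earlier demonstration sets.

```powershell
# Added example: build a domain GPO end to end with the GroupPolicy module (installed by RSAT).
# GPO, OU, and group names are assumptions for the Adatum lab domain.
Import-Module GroupPolicy

$gpoName = 'Desktop Lockdown'
$ouPath  = 'OU=Sales,DC=adatum,DC=com'
$group   = 'Sales Users'

# New-GPO creates both storage components at once: the Group Policy container in AD DS and
# the Group Policy template folder in SYSVOL.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Blocks registry editing tools for Sales users'
}

# Enabling "Prevent access to registry editing tools" writes this value under the user hive;
# Set-GPRegistryValue stores it in the template the same way the editor would.
Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU; inheritance carries it to every child OU unless blocked there.
$existing = (Get-GPInheritance -Target $ouPath).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existing) {
    New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes | Out-Null
}

# Security filtering: Authenticated Users keeps Read (the computer must still read the GPO
# during processing) but loses Apply; only members of the group receive the settings.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Where the two components of the new GPO live
$gpo = Get-GPO -Name $gpoName
[pscustomobject]@{
    DisplayName  = $gpo.DisplayName
    Id           = $gpo.Id
    ContainerDN  = "CN={$($gpo.Id)},CN=Policies,CN=System,DC=adatum,DC=com"
    TemplatePath = $gpo.Path      # \\adatum.com\SysVol\adatum.com\Policies\{Id}
    LinkedTo     = $ouPath
}
```

Running it twice is safe: the existence checks skip creation and linking, and the permission and registry calls simply reassert the same values. The ContainerDN and TemplatePath properties of the final object are the two storage locations the GPO Storage section describes, and they share the same GUID.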
Demonstration: Configuring Domain-Based GPOs
In this demonstration, you will see how to:
Use the GPMC to create a new GPO.
Configure domain-based Group Policy settings.
Demonstration Steps
Use the GPMC to create a new GPO
1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Group Policy Management Console.
3. Create a new GPO called Desktop.
Configure domain-based Group Policy settings
1. Open the new Desktop policy for editing.
2. In Computer Configuration, prevent the last logon name from displaying, and then prevent Windows
Installer from running.
3. In User Configuration, remove the Search link from the Start menu, and then hide the display settings
tab.
4. Close all open windows.
Group Policy Processing
GPOs are applied in a consistent order that allows
you to predict which settings are effective when
there are conflicting settings in GPOs that apply to
a user or computer. GPOs that are applied later in
the process of applying GPOs overwrite any
conflicting policy settings that were applied
earlier.
GPOs are applied in the following order:
1. Local GPOs. Every computer running Windows 2000 or newer has a local GPO, which may already
contain settings. It is processed first and therefore has the lowest precedence.
2. Site GPOs. Policies that are linked to sites are processed next.
3. Domain GPOs. Policies that are linked to the domain are processed next. There often are multiple
policies at the domain level; these are processed according to their link order.
4. OU GPOs. Policies linked to OUs are processed next. These policies contain settings that are unique to
the objects in that OU. For example, Sales users might have special required settings. You can link a
policy to the Sales OU to deliver those settings.
5. Child OU policies. Any policies that are linked to child OUs are processed last.
Objects in the containers receive the cumulative effect of all policies in their processing order. In the case
of a conflict between settings, the last policy applied takes effect. For example, a domain-level policy
might restrict access to registry editing tools, but you could configure an OU-level policy and link it to the
Information Technology (IT) OU to reverse that policy. Because the OU-level policy is applied later in the
process, access to registry tools would be available to users in the IT OU.
If multiple policies are linked at the same level, an administrator can change their link order to control
the order of processing. The GPO with link order 1 has the highest precedence at that level because it is
applied last. The default link order is the order in which the policies were linked.
You also can disable the user or computer configuration of a particular GPO. If one section of a policy is
known to be empty, then you should disable the empty section to speed up policy processing. For
example, if you have a policy that only delivers user desktop configuration, you could disable the
computer side of the policy.
Options for Modifying Group Policy Processing
You can modify the default processing of GPOs by using:
Security filtering. A GPO is processed only by users and computers that hold both the Read and the
Apply Group Policy permissions on it; by default, Authenticated Users holds both. Replacing
Authenticated Users with a specific group (for example, Technical Support) limits the GPO to that
group's members. One caveat: since the June 2016 security update MS16-072, a computer must be
able to read a GPO before the user settings in it are applied, so when you remove Authenticated
Users, add a Read-only entry for Domain Computers or Authenticated Users.
Enforcement. You can use enforcement to ensure that settings in a specific GPO apply regardless of
any lower-level GPOs that would normally override this GPO. For example, you could specify
standardized security settings at the domain level.
Block inheritance. You can use block inheritance to prevent settings from a higher-level OU from
being inherited by a lower-level OU. For example, settings applied at the domain level could be
blocked from impacting users in the IT OU.
Note: When a link is enforced and a lower-level OU blocks inheritance, the settings in the
enforced GPO are applied.
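The rules above can be worked through on paper, but a small model makes their interactions explicit. The Windows PowerShell functions below are an added example, not course material. They operate on constructed link data that mirrors this module's lab (Adatum.com with a MachineFloor OU that blocks inheritance and a CorpComputers OU that does not) rather than querying AD DS, so they run on any machine; the site, domain and OU objects, link orders and settings are all assumptions. The model covers link order, Enforced, Block Inheritance and security filtering, and leaves out loopback processing, WMI filters, disabled links and disabled GPO sections.

```powershell
# Added example, not course code: a small model of Group Policy precedence.
# The container chain is ordered top-down (site, domain, OU, child OU ...).
# Each container carries its GPMC links (Order: 1 = highest precedence,
# applied last; Enforced) and a BlockInheritance flag. Left out: loopback
# processing, WMI filters, disabled links or GPO sections, and the policy
# that turns off local GPO processing. All link data below is constructed.

function Get-GpoApplicationOrder {
    param(
        [Parameter(Mandatory)] [object[]] $ContainerChain,
        [string[]] $SecurityFilteredOut = @()   # GPOs this principal lacks Read/Apply on
    )
    # Block Inheritance discards every non-enforced link above the blocking
    # OU (but not the OU's own links); the deepest blocking OU decides.
    $blockIndex = -1
    for ($i = 0; $i -lt $ContainerChain.Count; $i++) {
        if ($ContainerChain[$i].BlockInheritance) { $blockIndex = $i }
    }
    $order = New-Object 'System.Collections.Generic.List[string]'
    $order.Add('Local GPO')                     # always first, so always lowest precedence
    $enforcedLinks = @()
    for ($i = 0; $i -lt $ContainerChain.Count; $i++) {
        # Within one container the links are applied from the highest link-order
        # number down to 1, so the link with order 1 is written last and wins.
        $links = @($ContainerChain[$i].Links |
            Where-Object { $SecurityFilteredOut -notcontains $_.Gpo } |
            Sort-Object -Property Order -Descending)
        foreach ($link in $links) {
            if ($link.Enforced) {
                $enforcedLinks += [pscustomobject]@{ Level = $i; Order = $link.Order; Gpo = $link.Gpo }
            } elseif ($i -ge $blockIndex) {
                $order.Add($link.Gpo)
            }
        }
    }
    # Enforced links come after all normal links, deepest container first, so
    # an enforced GPO linked higher in the tree is applied last and wins.
    $enforcedLinks |
        Sort-Object -Property @{ Expression = 'Level'; Descending = $true },
                              @{ Expression = 'Order'; Descending = $true } |
        ForEach-Object { $order.Add($_.Gpo) }
    return $order.ToArray()
}

function Resolve-GpoSetting {
    param([string[]] $ApplicationOrder, [hashtable] $GpoSettings, [string] $Setting)
    $value = 'Not Configured'; $winner = '(none)'
    foreach ($gpo in $ApplicationOrder) {            # a later GPO overwrites an earlier one,
        if ($GpoSettings.ContainsKey($gpo) -and       # but only if it configures the setting
            $GpoSettings[$gpo].ContainsKey($Setting)) {
            $value = $GpoSettings[$gpo][$Setting]; $winner = $gpo
        }
    }
    [pscustomobject]@{ Setting = $Setting; Value = $value; WinningGpo = $winner }
}

# Constructed link data mirroring the lab: two domain-linked GPOs, a
# MachineFloor OU that blocks inheritance, a CorpComputers OU that does not.
function New-Link([string]$Gpo, [int]$Order, [bool]$Enforced = $false) {
    [pscustomobject]@{ Gpo = $Gpo; Order = $Order; Enforced = $Enforced }
}
$site   = [pscustomobject]@{ Name = 'Default-First-Site-Name'; BlockInheritance = $false; Links = @() }
$domain = [pscustomobject]@{ Name = 'Adatum.com'; BlockInheritance = $false
                             Links = @((New-Link 'Default Domain Policy' 1), (New-Link 'Enable PS Remoting' 2)) }
$floor  = [pscustomobject]@{ Name = 'MachineFloor';  BlockInheritance = $true;  Links = @((New-Link 'MachineFloor' 1)) }
$corp   = [pscustomobject]@{ Name = 'CorpComputers'; BlockInheritance = $false; Links = @((New-Link 'CorpComputers' 1)) }
$settings = @{
    'MachineFloor'       = @{ 'Configure Automatic Updates' = 'Disabled' }
    'CorpComputers'      = @{ 'Configure Automatic Updates' = 'Enabled' }
    'Enable PS Remoting' = @{ 'Allow remote server management through WinRM' = 'Enabled' }
}

$cl1 = Get-GpoApplicationOrder -ContainerChain $site, $domain, $corp
"LON-CL1: $($cl1 -join ' -> ')"
$cl2 = Get-GpoApplicationOrder -ContainerChain $site, $domain, $floor
"LON-CL2: $($cl2 -join ' -> ')"
Resolve-GpoSetting $cl2 $settings 'Allow remote server management through WinRM'

# Enforce the domain link: an enforced GPO passes through Block Inheritance.
$domain.Links[1].Enforced = $true
$cl2 = Get-GpoApplicationOrder -ContainerChain $site, $domain, $floor
"LON-CL2 with the domain link enforced: $($cl2 -join ' -> ')"
```

Get-GpoApplicationOrder returns the GPOs in the order the client writes them, so the last name in the list wins any conflict; Resolve-GpoSetting walks that list and reports which GPO supplied a setting's effective value. The final step, enforcing the domain link, is the reason the lab must not enforce the remoting GPO: an enforced link reaches the machine-floor computers in spite of the block.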
Lab: Using Management Tools to Configure Windows 8.1
Settings
Scenario
You have been asked to configure the Windows 8.1 computers in A. Datum Corporation's London
location. There are 100 computers used by internal departments that have varying configuration
requirements:
Computers on the machine floor require that Windows Updates be disabled. These computers are not
updated until the equipment manufacturer verifies that the updates are compatible with the
applications that run on the equipment.
Computers on the machine floor should not allow remote management. This is done to ensure that
changes are not made remotely that might impact the equipment.
All computers not on the machine floor should be managed remotely.
Remote Desktop should be allowed on all computers that are not on the machine floor.
Windows PowerShell remoting should be enabled for all computers that are not on the machine
floor.
Servers and domain controllers should not be affected by configurations that are applied to desktop
computers.
You should implement these configuration settings and then test the configuration with LON-CL2, a
computer on the machine floor, and LON-CL1, a computer in the Finance department.
Objectives
After completing this lab, you will be able to:
Plan the management of Windows 8.1 computers.
Manage Windows 8.1 by using Group Policy.
Implement Windows PowerShell remoting.
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20687C-LON-CL1 and 20687C-LON-CL2.
Exercise 1: Planning Management of Windows 8.1 Computers
Scenario
You need to determine the best way to manage computers that are running Windows 8.1 for A. Datum
Corporation. There are 100 internal computers that are used by various departments. Some departments
have different needs than others:
Computers on the machine floor require that Windows Updates be disabled. These computers are not
updated until the equipment manufacturer verifies that the updates are compatible with the apps
that run the equipment.
Computers on the machine floor should not allow remote management. This is done to ensure that
changes are not made remotely that might impact the equipment.
All computers not on the machine floor should be managed remotely.
Remote Desktop should be allowed on all computers that are not on the machine floor.
Windows PowerShell remoting should be enabled for all computers that are not on the machine
floor.
Servers and domain controllers should not be affected by configurations that are applied to desktop
computers.
The main task for this exercise is as follows:
1. Plan the management of Windows 8.1 computers.
Task 1: Plan the management of Windows 8.1 computers
Answer the following questions:
1. What tool will you use to apply the configuration changes to domain-joined computers?
2. Are there any OU structure requirements to meet the management needs on the internal network?
3. Could you use security filtering as an alternative to a new OU structure?

Results: After completing this exercise, you will have planned the management of Windows 8.1
computers.
Exercise 2: Managing Windows 8.1 by Using Group Policy
Scenario
After completing your plan, you need to begin implementing it. The implementation process includes
setting up GPOs and OUs to allow for the separate management of client computers and machine floor
computers.
You will create two OUs, named MachineFloor and CorpComputers. Computers from the machine floor
will be placed into the MachineFloor OU, and the rest of the Windows 8.1 computers will be placed into
the CorpComputers OU.
The main tasks for this exercise are as follows:
1. Create an OU structure for managing computers.
2. Configure Group Policy for computers on the machine floor.
3. Verify the application of Windows Update settings to LON-CL2.
4. Configure Group Policy for other client computers.
5. Verify that remote administration is functional.
Task 1: Create an OU structure for managing computers
1. On LON-DC1, open Active Directory Administrative Center.
2. In the Adatum.com domain, create a new OU named MachineFloor.
3. In the Adatum.com domain, create a new OU named CorpComputers.
4. Move LON-CL1 from the Computers container to the CorpComputers OU.
5. Move LON-CL2 from the Computers container to the MachineFloor OU.
6. Restart LON-CL1 and LON-CL2, and then sign in to both as Adatum\Administrator with the password
Pa$$w0rd.
Task 2: Configure Group Policy for computers on the machine floor
1. On LON-DC1, open the Group Policy Management console.
2. Block inheritance at the MachineFloor OU.
3. Create a new GPO named MachineFloor, and then link it to the MachineFloor OU.
4. Edit the MachineFloor GPO and browse to Computer Configuration\Policies
\Administrative Templates\Windows Components\Windows Update.
5. Disable the Configure Automatic Updates setting.
Task 3: Verify the application of Windows Update settings to LON-CL2
1. On LON-CL2, open an elevated Windows PowerShell prompt, and then run gpupdate.
2. Run gpresult /h C:\results.htm. Use the elevated prompt, because the computer-configuration part of
the report requires administrative rights; a standard prompt yields only the user's settings.
3. Open C:\results.htm.
4. In Internet Explorer, read the Summary, and verify that inheritance is blocking all non-enforced
GPOs linked above Adatum.com/MachineFloor.
5. In Computer Details\Settings, verify that Configure Automatic Updates is Disabled.
Task 4: Configure Group Policy for other client computers
1. On LON-DC1, in Group Policy Management, create a new GPO named CorpComputers, and then
link it to the CorpComputers OU.
2. Edit the CorpComputers GPO, and then browse to Computer Configuration\Policies
\Administrative Templates\Windows Components\Windows Update.
3. Enable the Configure Automatic Updates setting.
4. Browse to Computer Configuration\Windows Settings\Security Settings\Windows Firewall with
Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
5. Create a new inbound rule:
o Predefined: COM+ Remote Administration
o Allow the connection
o Leave other settings with default values
6. Create a new inbound rule:
o Predefined: Remote Event Log Management
o Allow the connection
o Leave other settings with default values
7. On LON-CL1, open Windows PowerShell, and then run gpupdate.
Task 5: Verify that remote administration is functional
1. On LON-DC1, open Computer Management.
2. In Computer Management, connect to LON-CL1, and then verify that you can access Event Viewer.
3. Connect to LON-CL2. This connection fails: the MachineFloor OU blocks inheritance and its own GPO
opens no inbound firewall rule, so no remote management rule applies to computers in that OU.

Results: After completing this exercise, you should have implemented an OU structure and GPO structure
to support remote management of computers.
Exercise 3: Implementing Windows PowerShell Remoting
Scenario
As part of implementing your management plan for Windows 8.1, you need to configure Windows
PowerShell remoting for all computers except those on the machine floor. You need to configure a GPO
that is linked to the domain to configure Windows PowerShell remoting and test the functionality of your
configuration.
The main tasks for this exercise are as follows:
1. Configure Windows PowerShell remoting manually.
2. Configure Windows PowerShell remoting by using Group Policy.
3. Verify the configuration of Windows PowerShell remoting.
Task 1: Configure Windows PowerShell remoting manually
1. On LON-DC1, open an elevated Windows PowerShell prompt, and then run Enable-PSRemoting.
2. On LON-CL1, open Windows PowerShell, and then run Get-ADUser. This command is not recognized
because the cmdlets for AD DS administration are not installed on LON-CL1.
3. At the Windows PowerShell command prompt, create a remote session by running
Enter-PSSession -ComputerName LON-DC1.
4. Run Get-ADUser -Filter *.
5. Exit the remote session by running Exit-PSSession.
Task 2: Configure Windows PowerShell remoting by using Group Policy
1. On LON-DC1, open Group Policy Management.
2. Create a new GPO named Enable PS Remoting, and then link it to Adatum.com.
3. Edit the Enable PS Remoting GPO, and then browse to Computer Configuration\Policies
\Administrative Templates\Windows Components\Windows Remote Management
(WinRM)\WinRM Service.
4. Enable the setting Allow remote server management through WinRM.
o IPv4 filter: * (the filters select the local addresses on which the WinRM service listens; * means all
of them)
o IPv6 filter: *
5. Browse to Computer Configuration\Policies\Windows Settings\Security Settings
\System Services.
6. Configure the Windows Remote Management (WS-Management) service to start automatically.
7. Browse to Computer Configuration\Policies\Windows Settings\Security Settings\Windows
Firewall with Advanced Security\Windows Firewall with Advanced Security\Inbound Rules.
8. Create a new inbound rule:
o Predefined: Windows Remote Management
o Allow the connection
9. Close the Group Policy Management Editor window.
Task 3: Verify the configuration of Windows PowerShell remoting
1. On LON-CL1, open Windows PowerShell, and then run gpupdate.
2. Run Get-Service WinRM to verify that the WinRM service is now running.
3. On LON-DC1, open Windows PowerShell, and then run Get-Service WinRM -ComputerName LON-CL1.
(This cmdlet queries the Service Control Manager over RPC rather than WinRM; the next step is the
first one that exercises remoting.)
4. To view the execution policy on LON-CL1, run Invoke-Command -ComputerName LON-CL1
-ScriptBlock {Get-ExecutionPolicy}.
5. To update the execution policy on LON-CL1, run Invoke-Command -ComputerName LON-CL1
-ScriptBlock {Set-ExecutionPolicy AllSigned -Force}. The -Force switch suppresses the confirmation
prompt, which is what you want in a non-interactive remote call.

Results: After completing this exercise, you will have implemented Windows PowerShell remoting in the
Adatum.com domain.
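The same OU and GPO structure can be built and checked from Windows PowerShell instead of the GPMC. The script below is an added example and not part of the lab text; it covers Exercise 2 (the OUs, Block Inheritance, the Windows Update policy and the two firewall rule groups) and Exercise 3 (the WinRM policy and its firewall rule), run from an elevated prompt on LON-DC1 with the ActiveDirectory, GroupPolicy and NetSecurity modules. It assumes the domain Adatum.com and a management subnet of 10.10.0.0/24 (a constructed value). Two things deliberately differ from the GUI steps: the firewall rules are scoped to that subnet rather than to any remote address, and the WinRM filters stay at * because they select the local addresses the service listens on, not the clients allowed to connect.

```powershell
# Added example, not lab text: Exercises 2 and 3 done with the ActiveDirectory,
# GroupPolicy and NetSecurity modules from an elevated prompt on LON-DC1.
# Assumed: domain Adatum.com; 10.10.0.0/24 is the subnet administrators
# manage from (a constructed value; change it to yours).
Import-Module ActiveDirectory, GroupPolicy, NetSecurity
$domainDn   = 'DC=Adatum,DC=com'
$mgmtSubnet = '10.10.0.0/24'
$auKey      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$winrmKey   = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'

# Exercise 2, task 1: OUs and computer placement.
foreach ($ou in 'MachineFloor', 'CorpComputers') {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ou'" -SearchBase $domainDn)) {
        New-ADOrganizationalUnit -Name $ou -Path $domainDn
    }
}
Get-ADComputer LON-CL2 | Move-ADObject -TargetPath "OU=MachineFloor,$domainDn"
Get-ADComputer LON-CL1 | Move-ADObject -TargetPath "OU=CorpComputers,$domainDn"

# Exercise 2, task 2: the machine-floor GPO. Blocking inheritance keeps every
# non-enforced GPO linked above the OU out, including the domain-linked
# 'Enable PS Remoting' GPO created further down.
Set-GPInheritance -Target "OU=MachineFloor,$domainDn" -IsBlocked Yes | Out-Null
New-GPO -Name MachineFloor | New-GPLink -Target "OU=MachineFloor,$domainDn" | Out-Null
# 'Configure Automatic Updates' = Disabled is stored as NoAutoUpdate = 1.
Set-GPRegistryValue -Name MachineFloor -Key $auKey -ValueName NoAutoUpdate -Type DWord -Value 1 | Out-Null

# Exercise 2, task 4: the corporate client GPO.
New-GPO -Name CorpComputers | New-GPLink -Target "OU=CorpComputers,$domainDn" | Out-Null
# Enabled, with option 3 (auto download, notify to install), the editor's default.
Set-GPRegistryValue -Name CorpComputers -Key $auKey -ValueName NoAutoUpdate -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name CorpComputers -Key $auKey -ValueName AUOptions    -Type DWord -Value 3 | Out-Null
# Each predefined group is several rules. Copy them from the local store into
# the GPO, then scope them to the management subnet; the GUI steps leave the
# remote address at Any, which lets any domain host reach these RPC services.
$corpStore = 'Adatum.com\CorpComputers'
foreach ($group in 'COM+ Remote Administration', 'Remote Event Log Management') {
    Get-NetFirewallRule -DisplayGroup $group | Copy-NetFirewallRule -NewPolicyStore $corpStore
    Set-NetFirewallRule -PolicyStore $corpStore -DisplayGroup $group -RemoteAddress $mgmtSubnet -Enabled True
}

# Exercise 3, task 2: WinRM policy linked at the domain.
New-GPO -Name 'Enable PS Remoting' | New-GPLink -Target $domainDn | Out-Null
Set-GPRegistryValue -Name 'Enable PS Remoting' -Key $winrmKey -ValueName AllowAutoConfig -Type DWord -Value 1 | Out-Null
# IPv4Filter/IPv6Filter pick the LOCAL addresses the service listens on ('*'
# = all adapters). They do not restrict clients; the firewall rule below and
# WinRM/session authorization do that.
Set-GPRegistryValue -Name 'Enable PS Remoting' -Key $winrmKey -ValueName IPv4Filter -Type String -Value '*' | Out-Null
Set-GPRegistryValue -Name 'Enable PS Remoting' -Key $winrmKey -ValueName IPv6Filter -Type String -Value '*' | Out-Null
New-NetFirewallRule -PolicyStore 'Adatum.com\Enable PS Remoting' -DisplayName 'Windows Remote Management (HTTP-In)' `
    -Direction Inbound -Protocol TCP -LocalPort 5985 -Profile Domain -RemoteAddress $mgmtSubnet -Action Allow | Out-Null
# Task 2, step 6 (WinRM service startup = Automatic) lives in the GPO's
# security template (GptTmpl.inf); no GroupPolicy cmdlet writes it, so set
# it in the Group Policy Management Editor as the lab describes.

# Checks: what each OU inherits and which client answers WinRM. Run gpupdate
# on LON-CL1 and LON-CL2 first, as in the lab tasks.
function Test-LabRemoting {
    foreach ($ou in 'MachineFloor', 'CorpComputers') {
        $inh = Get-GPInheritance -Target "OU=$ou,$domainDn"
        [pscustomobject]@{ Scope = $ou; Blocked = $inh.GpoInheritanceBlocked
                           Result = 'inherits: ' + ($inh.InheritedGpoLinks.DisplayName -join ', ') }
    }
    foreach ($pc in 'LON-CL1', 'LON-CL2') {
        $ok = [bool](Test-WSMan -ComputerName $pc -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Scope = $pc; Blocked = $null; Result = "WinRM reachable: $ok" }
    }
}
Test-LabRemoting | Format-Table -AutoSize
```

Test-LabRemoting is the scripted form of Task 5 and Task 3: the MachineFloor row should show inheritance blocked with only its own GPO applied, and only LON-CL1 should answer the WS-Management identify request. One caveat for the execution-policy step of Task 3: the execution policy is a guard against running scripts by accident, not a security boundary, so AllSigned limits mistakes rather than attackers.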
To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687C-LON-CL1 and 20687C-LON-CL2.
Module Review and Takeaways
Review Questions
Question: Recently, your organization has added Windows 8.1 computers to the network.
You have tried to connect to a remote computer that is running Windows 8.1 by using Event
Viewer, but you cannot connect. You know that the remote computer is turned on. Why is
this problem occurring, and how can you resolve it?
Question: One of the server administrators is complaining that you need to use Remote
Desktop and connect to a domain controller to manage user accounts. What alternative can
you use to administer user accounts from a computer that is running Windows 8.1?
Question: You have configured a public-use computer in the lobby for visiting clients. This
computer is not part of the AD DS domain. How can you secure this computer to prevent
visiting clients from making changes to it and still allow administrators to have full access?
Module 5
Managing Disks and Device Drivers
Contents:
Module Overview 5-1
Lesson 1: Managing Disks, Partitions, and Volumes 5-2
Lesson 2: Maintaining Disks, Partitions, and Volumes 5-17
Lesson 3: Working with Virtual Hard Disks 5-24
Lab A: Managing Disks 5-29
Lesson 4: Installing and Configuring Device Drivers 5-34
Lab B: Configuring Device Drivers 5-47
Module Review and Takeaways 5-49

Module Overview
The Windows 8.1 operating system simplifies common tasks for information technology (IT) professionals
who manage and deploy desktops and laptops, devices, or virtual environments. It also helps IT
professionals take advantage of the tools and skills similar to those that they use in Windows 7 and
Windows 8.
Although most computers that are running Windows 8.1 have a single physical disk that is configured as a
single volume, this is not always the case. For example, there might be times when you want to have
multiple operating systems on a single computer, or you might want to have virtual memory on a
different volume. Therefore, it is important that you understand how to create and manage simple,
spanned, and striped volumes. You also may be interested in implementing the Storage Spaces feature. In
addition to traditional storage, you can use Windows 8.1 to create and access virtual hard disks from
within the operating system installed on a physical computer. To help maintain and optimize file system
performance, you must be familiar with file system fragmentation and the tools that you can use to
defragment a volume. Additionally, a good understanding of disk quotas is helpful if you are managing
available disk space on installed volumes.
To ensure that previously installed devices continue to work in Windows 8.1, Microsoft is working to
make device drivers available directly from Windows Update or from device manufacturer websites.
Objectives
After completing this module, you will be able to:
Manage disks, partitions, and volumes.
Maintain disks, partitions, and volumes.
Explain how to use virtual hard disks.
Install and configure device drivers.
Lesson 1
Managing Disks, Partitions, and Volumes
Before you can use a disk in Windows 8.1, you must prepare it for use. You must partition the disk by
using the master boot record (MBR) partitioning scheme or the GUID partition table (GPT) partitioning
scheme. After partitioning the disk, you must create and format one or more volumes before an operating
system can use the disk.
You can use disk management tools to perform disk-related tasks, such as creating and formatting
partitions and volumes, assigning drive letters, and resizing disks.
Lesson Objectives
After completing this lesson, you will be able to:
Compare MBR and GPT disks.
Describe the tools available for managing disks.
Convert a basic disk to a dynamic disk.
Describe a simple volume.
Create a simple volume.
Describe mirrored, spanned, and striped volumes.
Create spanned and striped volumes.
Describe the purpose of resizing volumes.
Resize a volume.
Describe Storage Spaces.
Comparing MBR and GPT Disks
MBR Disks
The MBR contains the partition table for a disk
and a small amount of executable code called the
master boot code. A bootable hard disk that
contains an MBR is known as an MBR disk. The
MBR is created when a disk is partitioned initially,
and it is located on the first sector of the hard
disk. The MBR contains a four-partition entry table
that describes the size and location of a disk
partition by using 32-bit logical block addressing (LBA) fields. Windows 8.1, whether 32-bit or 64-bit,
requires an MBR-partitioned system disk when it runs on a motherboard with BIOS firmware, so such
systems cannot boot from a disk partition larger than 2 TB. Newer Unified Extensible Firmware Interface
(UEFI)-enabled motherboards can read both MBR disks and the newer GPT disks discussed later.
Note: Disk partitioning is the process of dividing a physical disk's storage into manageable
pieces to support the operating system's requirements.
How MBR-Based Disks Work
The MBR is stored at a consistent location on a physical disk, enabling a computer's BIOS to reference it.
During the startup process, a computer examines the MBR to determine which partition is active on the
installed disks. The active partition contains the operating system startup files.
Note: You can install the rest of an operating system on another partition or disk. In
Windows 8.1, when you boot to an MBR disk, the active partition must contain the boot sector,
Windows Boot Manager, and related files.
Features of MBR-Based Disks
The MBR partition scheme has been around for a long time, and it supports both current and early
desktop operating systems, such as MS-DOS and the Microsoft Windows NT Server 4.0 operating
systems. Consequently, the MBR partition scheme is supported widely. However, the MBR partition
scheme imposes certain restrictions, including:
Four partitions on each disk. MBR-based disks are limited to four partitions. All of these can be
primary partitions, or one can be an extended partition with logical volumes inside. You can configure
the extended partition to contain multiple volumes.
A 2 terabyte (TB) maximum partition size. With 512-byte sectors, the 32-bit LBA fields cannot address
more than 2 TB, so no partition can be larger than 2 TB.
No redundancy provided. The MBR is a single point of failure, and if it becomes corrupted or incurs
damage, it can render an operating system unbootable.
MBR disks can be either basic or dynamic disk types. Dynamic disks support additional options that are
not available on a basic disk, including volumes that are able to span multiple disks and fault tolerant
volumes.
GPT Disks
GPT disks contain an array of partition entries that describe the start and end LBA of each partition on a
disk. Each GPT partition has a unique GUID and partition-content type. Also, each LBA that the partition
table describes is 64 bits in length. The UEFI specifies the GPT format, but it is not exclusive to UEFI
systems. On BIOS-based systems, both 32-bit and 64-bit Windows operating systems can use GPT for data
disks, but they cannot boot from them. Windows boots from a GPT disk only on UEFI firmware: 64-bit
Windows on 64-bit UEFI and, starting with Windows 8, 32-bit Windows on 32-bit UEFI.
Features of GPT Disks
GPT-based disks address the limitations of MBR-based disks and provide support for the following:
128 partitions per disk. This is a vast improvement over MBR-based disks.
18 exabyte (EB) volume size. This is a theoretical maximum; hard-disk hardware that can supply such
vast volume sizes is not yet available.
Redundancy. The partition table header and the entry array are stored twice, at the start and at the end
of the disk, and each copy carries a cyclic redundancy check (CRC32) checksum, so a damaged primary
table can be detected and restored from the backup.
You can implement GPT-based disks on Windows Server 2008 and newer versions, Windows Vista,
Windows 7, Windows 8, and Windows 8.1. You cannot use the GPT partition style on removable disks.
GPT Architecture
A GPT-partitioned disk defines the following sectors:
Sector 0 contains a legacy protective MBR, which contains one primary partition that covers the entire
disk:
o The protective MBR protects GPT disks from previously released MBR disk tools, such as MS-DOS
Fdisk or Windows NT Disk Administrator.
o By interpreting the protective MBR, these tools see a GPT disk as having a single, possibly
unrecognized, partition that spans the disk, rather than mistaking the disk for one that is not
partitioned.
o Legacy software that does not know about GPT interprets only the protective MBR when it
accesses a GPT disk.
Sector 1 contains a partition table header. The partition table header contains the unique disk GUID,
the number of partition entries (usually 128), and pointers to the partition table.
The partition table starts at sector 2. Each partition entry contains a unique partition GUID, the
partition offset, length, type (also a GUID), attributes, and a 36-character name.
The following table describes the partitions that Windows 8.1 creates when you install it on a GPT disk.
Partition A: EFI system partition (ESP), 100 megabytes (MB). Contains the Windows Boot Manager, the
files required to boot an operating system, the platform tools that run before the operating system
boots, and the files that the Windows Boot Manager must access before the operating system boots.
The ESP must be the first partition on the disk, because it is impossible to span volumes when the ESP
is logically between the volumes that you are attempting to span.
Partition B: Microsoft Reserved (MSR) partition, 128 MB. Reserved for Windows components. This
partition is hidden in Disk Management and does not receive a drive letter. Usage example: when you
convert a basic GPT disk to dynamic, the system decreases the size of the MSR partition and uses that
space to create the Logical Disk Manager (LDM) Metadata partition.
Partition C: Operating system, remaining disk. Contains the operating system and occupies the rest of
the disk.
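The sector layout above can be checked against bytes rather than a diagram. The following Windows PowerShell script is an added example, not course material: it builds an in-memory GPT image for a constructed 512 MB disk with 512-byte sectors holding the three partitions from the table, parses the header and entry array back at the documented offsets, and checks the CRC32 values that the later note on disk-editing tools refers to. The partition type GUIDs are the published Microsoft values; everything else (sizes, names, the disk GUID) is constructed, and no real disk is read or written.

```powershell
# Added example, not course code. Builds a GPT image in memory for a
# constructed 512 MB disk (512-byte sectors) with the three partitions from
# the table above, parses it back at the documented offsets, and checks the
# CRC32 values that protect the header and the entry array. No real disk is read.

# Reflected CRC-32 (polynomial 0xEDB88320), computed in UInt64 so that Windows
# PowerShell's signed 32-bit hex literals cannot get in the way.
$crcTable = New-Object 'uint64[]' 256
for ($n = 0; $n -lt 256; $n++) {
    [uint64]$c = $n
    for ($k = 0; $k -lt 8; $k++) {
        if ($c -band 1) { $c = [uint64]3988292384 -bxor ($c -shr 1) } else { $c = $c -shr 1 }
    }
    $crcTable[$n] = $c
}
function Get-Crc32([byte[]]$Data) {
    [uint64]$crc = [uint64]4294967295
    foreach ($b in $Data) { $crc = $crcTable[[int](($crc -bxor [uint64]$b) -band [uint64]255)] -bxor ($crc -shr 8) }
    return [uint32]($crc -bxor [uint64]4294967295)
}

$SectorSize = 512
$PartitionTypes = @{                                   # published Microsoft type GUIDs
    'c12a7328-f81f-11d2-ba4b-00a0c93ec93b' = 'EFI system partition'
    'e3c9e316-0b5c-4db8-817d-f92df00215ae' = 'Microsoft Reserved'
    'ebd0a0a2-b4f5-4872-8e79-3d69d2477de4' = 'Basic data'
}
function Copy-Into([byte[]]$Dest, [int]$Offset, [byte[]]$Src) { [Array]::Copy($Src, 0, $Dest, $Offset, $Src.Length) }
function U32([long]$v) { [BitConverter]::GetBytes([uint32]$v) }   # little-endian, as on disk
function U64([long]$v) { [BitConverter]::GetBytes([uint64]$v) }

function New-GptEntry([string]$TypeGuid, [long]$FirstLba, [long]$LastLba, [string]$Name) {
    $e = New-Object byte[] 128
    Copy-Into $e 0  (([guid]$TypeGuid).ToByteArray())     # on-disk GUID layout matches .NET's
    Copy-Into $e 16 (([guid]::NewGuid()).ToByteArray())   # unique partition GUID
    Copy-Into $e 32 (U64 $FirstLba)
    Copy-Into $e 40 (U64 $LastLba)
    Copy-Into $e 56 ([System.Text.Encoding]::Unicode.GetBytes($Name))   # up to 36 UTF-16 characters
    return ,$e
}

function New-GptImage([object[]]$Entries, [long]$TotalSectors) {
    $tableSectors = [int](128 * 128 / $SectorSize)                  # 128 entries x 128 bytes = 32 sectors
    $img = New-Object byte[] ($SectorSize * (2 + $tableSectors))
    # Sector 0: protective MBR with one type-0xEE partition from LBA 1 to the end of the disk.
    $img[450] = 0xEE; Copy-Into $img 454 (U32 1); Copy-Into $img 458 (U32 ($TotalSectors - 1))
    $img[510] = 0x55; $img[511] = 0xAA
    # Sectors 2-33: the partition entry array.
    $table = New-Object byte[] (128 * 128)
    for ($i = 0; $i -lt $Entries.Count; $i++) { Copy-Into $table ($i * 128) ([byte[]]$Entries[$i]) }
    Copy-Into $img (2 * $SectorSize) $table
    # Sector 1: the header. Its own CRC is computed over bytes 0-91 with the CRC field zeroed.
    $h = New-Object byte[] 92
    Copy-Into $h 0  ([System.Text.Encoding]::ASCII.GetBytes('EFI PART'))
    Copy-Into $h 8  ([byte[]](0, 0, 1, 0))                           # revision 1.0
    Copy-Into $h 12 (U32 92)                                         # header size
    Copy-Into $h 24 (U64 1)                                          # LBA of this header
    Copy-Into $h 32 (U64 ($TotalSectors - 1))                        # LBA of the backup header
    Copy-Into $h 40 (U64 (2 + $tableSectors))                        # first usable LBA
    Copy-Into $h 48 (U64 ($TotalSectors - 2 - $tableSectors))        # last usable LBA (backup array sits above it)
    Copy-Into $h 56 (([guid]::NewGuid()).ToByteArray())              # disk GUID
    Copy-Into $h 72 (U64 2); Copy-Into $h 80 (U32 128); Copy-Into $h 84 (U32 128)   # array LBA, count, entry size
    Copy-Into $h 88 (U32 (Get-Crc32 $table))
    Copy-Into $h 16 (U32 (Get-Crc32 $h))
    Copy-Into $img $SectorSize $h
    return ,$img
}

function Read-GptHeader([byte[]]$Image) {
    $h = [byte[]]($Image[$SectorSize..($SectorSize + 91)])
    $sig = [System.Text.Encoding]::ASCII.GetString($h, 0, 8)
    if ($sig -ne 'EFI PART') { throw "no GPT header in sector 1 (signature '$sig')" }
    $storedCrc = [BitConverter]::ToUInt32($h, 16)
    $h[16] = 0; $h[17] = 0; $h[18] = 0; $h[19] = 0
    [pscustomobject]@{
        HeaderCrcOk = ((Get-Crc32 $h) -eq $storedCrc)
        DiskGuid    = New-Object System.Guid -ArgumentList (,[byte[]]($h[56..71]))
        EntryLba    = [BitConverter]::ToUInt64($h, 72); EntryCount = [BitConverter]::ToUInt32($h, 80)
        EntrySize   = [BitConverter]::ToUInt32($h, 84); EntriesCrc = [BitConverter]::ToUInt32($h, 88)
    }
}

function Read-GptPartition([byte[]]$Image, $Header) {
    $start = [int]$Header.EntryLba * $SectorSize
    $table = [byte[]]($Image[$start..($start + [int]$Header.EntryCount * [int]$Header.EntrySize - 1)])
    $tableOk = ((Get-Crc32 $table) -eq $Header.EntriesCrc)
    for ($i = 0; $i -lt $Header.EntryCount; $i++) {
        $o = $i * [int]$Header.EntrySize
        $type = New-Object System.Guid -ArgumentList (,[byte[]]($table[$o..($o + 15)]))
        if ($type -eq [guid]::Empty) { continue }                       # unused entry
        $first = [BitConverter]::ToUInt64($table, $o + 32); $last = [BitConverter]::ToUInt64($table, $o + 40)
        [pscustomobject]@{
            Index = $i; TypeName = $PartitionTypes["$type"]; FirstLba = $first; LastLba = $last
            SizeMB = ($last - $first + 1) * $SectorSize / 1MB
            Name   = [System.Text.Encoding]::Unicode.GetString($table, $o + 56, 72).TrimEnd([char]0)
            EntryArrayCrcOk = $tableOk
        }
    }
}

$total   = 512MB / $SectorSize                                      # constructed: 1,048,576 sectors
$entries = @(
    (New-GptEntry 'c12a7328-f81f-11d2-ba4b-00a0c93ec93b' 34     204833 'EFI system partition'),       # 100 MB
    (New-GptEntry 'e3c9e316-0b5c-4db8-817d-f92df00215ae' 204834 466977 'Microsoft reserved partition'), # 128 MB
    (New-GptEntry 'ebd0a0a2-b4f5-4872-8e79-3d69d2477de4' 466978 ($total - 34) 'Basic data partition')  # the rest
)
$image  = New-GptImage $entries $total
$header = Read-GptHeader $image
Read-GptPartition $image $header | Format-Table Index, TypeName, FirstLba, LastLba, SizeMB, Name, EntryArrayCrcOk -AutoSize
# What the later note about disk-editing tools warns of: flipping one byte of
# an entry with a sector editor leaves the header intact but breaks the array CRC.
$image[2 * $SectorSize + 40] = $image[2 * $SectorSize + 40] -bxor 1
Read-GptPartition $image $header | Format-Table Index, TypeName, EntryArrayCrcOk -AutoSize
```

Read-GptHeader and Read-GptPartition only need the documented offsets, so the same functions parse the first 34 sectors of a real GPT disk if you hand them the bytes; the backup copies at the end of the disk use the same header format with the LBA fields swapped.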
Disk Management Tools
You can use the following tools to manage disks
and the volumes or partitions that they contain on
Windows 8.1:
Disk Management. A GUI for managing disks
and volumes, both basic and dynamic, locally
or on remote computers. After you select the
remote computer that you want to manage,
you can perform the same tasks that you
typically perform when you use a local
computer.
DiskPart. A scriptable command-line tool with
functionality that is similar to Disk
Management, which also includes advanced features. You can create scripts to automate disk-related
tasks, such as creating volumes or converting disks to dynamic. This tool always runs locally.
Note: The Storage module cmdlets in the Windows PowerShell 4.0 command-line interface cover the
same functionality as DiskPart and are the preferred choice for new scripts; DiskPart remains available.
Windows PowerShell 4.0. Windows PowerShell is a scripting language that is used to accomplish
many tasks in the Windows environment. Starting with Windows PowerShell 3.0, disk management
commands have been added for use as stand-alone commands or as part of a script.
Note: Windows 8.1 does not support remote connections in workgroups. Both the local
computer and the remote computer must be in a domain to use Disk Management to manage a
disk remotely.
Note: Do not use disk-editing tools such as DskProbe.exe to make changes to GPT disks.
Any change that you make renders the checksums invalid, which may cause the disk to become
inaccessible. To make changes to GPT disks, use Windows PowerShell, DiskPart, or Disk
Management.
With any of these tools, you can initialize disks, create volumes, and format a volume's file system.
Additional common tasks include moving disks between computers, changing disks between basic and
dynamic types, and changing the partition style of disks. You can perform most disk-related tasks
without restarting the system or interrupting users, and most configuration changes take effect
immediately.
Disk Management
Using the Disk Management snap-in to the Microsoft Management Console (MMC), administrators can
quickly manage standard and fault-tolerant volumes, and can confirm the health of each volume. Disk
Management in Windows 8.1 provides the same features with which you may be familiar from previous
versions, including:
Simpler partition creation. When you right-click a volume, you can choose whether to create a basic,
spanned, or striped partition directly from the menu.
Disk conversion options. When you try to add more than four partitions to a basic disk, you are
prompted to convert the disk to dynamic or to the GPT partition style. You also can convert basic
disks to dynamic disks without incurring data loss. However, converting a dynamic disk to basic is not
possible without first deleting all of the volumes.
Extend and shrink partitions. You can extend and shrink partitions directly from the Windows
interface.
To open Disk Management, use this procedure:
1. In the Start screen, type disk. This will display the Everywhere search screen.
2. Type diskmgmt.msc in the search box, and then click diskmgmt in the results list.
DiskPart
Using DiskPart, you can manage fixed disks and volumes by using scripts or direct input from the
command line. At the command prompt, type DiskPart, and then enter commands at the DiskPart
command prompt. The following are common DiskPart actions:
To view a list of DiskPart commands, at the DiskPart command prompt, type help.
To run a set of DiskPart commands stored in a text file, run DiskPart /s testscript.txt.
To create a log file of the DiskPart session, redirect the output: DiskPart /s testscript.txt > logfile.txt.
The following table shows several DiskPart commands that you will use frequently.
list disk: Displays a list of disks and related information, including disk size, the amount of available free
space on the disks, whether the disks are basic or dynamic, and whether the disks use the MBR or GPT
partition style. The disk marked with an asterisk (*) is the one that currently has focus, against which
subsequent commands execute.
select disk <disknumber>: Selects the specified disk, where <disknumber> is the disk number, and gives it
focus.
convert gpt: Converts an empty basic disk with the MBR partition style to a basic disk with the GPT
partition style.

For additional information about DiskPart commands, start Disk Management, and then open the Help
Topics from the Help menu.
Note: You can abbreviate many, but not all of the DiskPart commands. For example, use
SEL instead of SELECT and PART instead of PARTITION.
Windows PowerShell 4.0
Prior to Windows 8, if you wanted to script disk management tasks, you had to call Windows
Management Instrumentation (WMI) objects or include DiskPart in your scripts. Windows PowerShell 3.0
and later include cmdlets (the Storage module) that manage disks natively. The following table details
some of them.
Get-Disk: Returns information about all disks, or about the disks that you specify with a filter.
-FriendlyName returns the disks that have the specified friendly name; -Number returns a specific disk.
Clear-Disk: Cleans a disk by removing all partition information. The cmdlet refuses a disk that contains
data unless you add -RemoveData; -ZeroOutEntireDisk additionally writes zeros to every sector of the
disk.
Initialize-Disk: Prepares a disk for use. By default, it initializes the disk with the GPT partition style.
-PartitionStyle <PartitionStyle> specifies the partition style, either MBR or GPT.
Set-Disk: Updates a physical disk with the specified attributes. -PartitionStyle <PartitionStyle> specifies
the partition style, either MBR or GPT; you can use this to convert a disk that previously was initialized.
Get-Volume: Returns information about all of a system's volumes, or about the volumes that you specify
with a filter. -DriveLetter <Char> returns the volume with the specified drive letter; -FileSystemLabel
<String> returns the NTFS or Resilient File System (ReFS) volumes that carry the specified label.

For more information, see:
Storage Cmdlets in Windows PowerShell
http://go.microsoft.com/fwlink/?LinkId=266556
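Chained together, the cmdlets in the table provision a new disk end to end. The function below is an added example and not part of the course text: it reports, and with -Commit performs, GPT initialization and NTFS formatting for every disk that is still RAW, and deliberately skips anything that already has a partition style as well as the boot and system disks. Run it elevated on a machine with a freshly attached disk; the 'Data' label and the report wording are assumptions.

```powershell
# Added example, not course code. Reports (and with -Commit performs) GPT
# initialization and NTFS formatting for every disk that is still RAW. Disks
# that already have a partition style, the boot disk and the system disk are
# never touched. Run elevated; the 'Data' label is an assumption.
function Initialize-NewDataDisk {
    param([switch]$Commit)
    $candidates = Get-Disk | Where-Object {
        $_.PartitionStyle -eq 'RAW' -and -not $_.IsBoot -and -not $_.IsSystem
    }
    if (-not $candidates) { return 'No RAW disks found; nothing to do.' }
    foreach ($disk in $candidates) {
        $desc = "disk $($disk.Number) ($($disk.FriendlyName), $([math]::Round($disk.Size / 1GB)) GB)"
        if (-not $Commit) { "Would initialize $desc as GPT and format it NTFS"; continue }
        # Initialize-Disk -PassThru hands the disk object down the pipeline;
        # New-Partition returns the partition, which Format-Volume accepts.
        $disk | Initialize-Disk -PartitionStyle GPT -PassThru |
            New-Partition -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel 'Data' -Confirm:$false
    }
}
Initialize-NewDataDisk            # dry run: report only
# Initialize-NewDataDisk -Commit  # provision for real

# The destructive counterpart: Clear-Disk refuses a disk that holds data
# unless -RemoveData is given; -ZeroOutEntireDisk also overwrites every
# sector, which is what you want before a disk leaves your custody.
# Clear-Disk -Number 2 -RemoveData -ZeroOutEntireDisk -Confirm:$false
```

The dry run is the default on purpose: a Storage module pipeline has no undo, and the only guard between a typo and a wiped disk is the filter that selects which disks reach Initialize-Disk.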
Converting to Dynamic Disk
When you add a new hard disk to a computer and
then start Disk Management, a wizard guides you
through the initialization process, during which
you select whether to have an MBR or a GPT
partition style. Although you can change between
partition styles at a later time, some disk
conversions require you to reformat the drive.
You should carefully consider the disk type and
partition style that is most appropriate for your
situation. Before you change the partition style,
remember that you:
Must be a member of the Backup Operators
or Administrators group.
Must back up the entire contents of the hard disk before making a change, which is true for any
major change that you make to disk contents.
Must ensure that disks are online before you can initialize them or create new partitions or volumes.
To bring a disk online or take it offline in Disk Management, right-click the disk name, and then click
the appropriate action.
Can convert only from GPT to MBR if the disk does not contain any volumes or partitions.
Should use Event Viewer to check the system log for disk-related messages.
All MBR disks are configured initially as basic disks, which then can be converted to dynamic disks.
Dynamic disks can be useful when fault tolerance or spanning of disks is required.
Dynamic disks support the following features:
Ability to be extended.
Creation of simple, spanned, striped, mirrored, and redundant array of independent disks (RAID)-5
volumes.
Repair mirrored or RAID-5 volumes.
Reactivating missing or offline disks.
Note: In a multiboot scenario, if you are in one operating system, and you convert a basic
MBR disk that contains an alternate operating system to a dynamic MBR disk, you will not be
able to boot in the alternate operating system.
What Is a Simple Volume?
By far the most commonly used disk arrangement
is a simple volume. This volume is a contiguous,
unallocated area of a physical hard disk that you
format to create a file system. You then can assign
a drive letter to it or mount it in an existing
volume by using a volume mount point.
Simple Volume Characteristics
A simple volume is a dynamic volume that
encompasses available free space from a single,
basic, or dynamic hard-disk drive. It is a portion of
a physical disk that functions as though it were a
physically separate unit. A simple volume can
consist of a single region on a disk or multiple regions of the same disk that are linked together. Simple
volumes have the following characteristics:
Not fault tolerant. Disk failure leads to volume failure.
Volume I/O performance is the same as disk I/O performance.
Simple Volume Scenarios
The following table contains example scenarios for disks and volumes.
Scenario | Description
Business desktop computer with one disk | Most business users require a basic disk and one basic volume for storage, but do not require a computer with volumes that span multiple disks or that provide fault tolerance. This is the best choice for those who require simplicity and ease of use.
Business desktop computer with one disk and more than one volume | If small business users want to upgrade their operating systems and reduce the impact on their business data, they must store an operating system in a separate location from business data. This scenario requires a basic disk with two or more basic volumes. Users can install an operating system on the first volume, creating a boot volume or system volume, and use the second volume to store data. When a new version of an operating system is released, users can reformat the boot or system volume, and then install the new operating system. The business data, located on the second volume, remains untouched.

A simple volume may provide better performance than striped data-layout schemes. For example, when
serving multiple, lengthy, sequential streams, performance is best when a single disk services each stream.
Also, workloads that are composed of small, random requests do not always result in performance
benefits when you move them from a simple to a striped data layout.
The emergence of solid-state drives (SSDs), which offer extremely fast data transfer rates, offers the
Windows 8.1 user another decision related to storing data. SSDs currently are more expensive and have
smaller capacities compared to traditional magnetic hard disk drives (HDDs). This combination of
performance, size, and cost is an acceptable compromise when used in small form factor devices;
however, a desktop PC may benefit from a combination of an SSD for Windows system files and a large
capacity HDD for business data.
Demonstration: Creating a Simple Volume
This demonstration shows how to create a simple volume. First, you create a volume by using the Disk
Management snap-in, and then you will use Windows PowerShell.
Demonstration Steps
Using Disk Management
1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, and then start Disk Management.
3. Create a new simple volume on Disk 2.
4. Complete the New Simple Volume Wizard by using the following settings:
Use 5103 MB to create the volume.
Name the volume Simple1.
Using Windows PowerShell
1. Start Windows PowerShell as administrator.
2. At the Windows PowerShell command prompt, run the following commands:
o Get-Disk -Number 3
o Get-Disk -Number 3 | New-Partition -Size 5350879232 | Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2
o Get-Partition (Note the partition number you just created on disk 3, as you will use that in the
next step)
o Set-Partition -DiskNumber 3 -PartitionNumber x -NewDriveLetter G
3. In File Explorer, verify that the volumes that you created are visible.
Question: In what circumstances will you use less than all of the available space on a new
volume's disk?
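The Windows PowerShell part of the demonstration, wrapped in a function with the checks a practitioner would want before partitioning a disk, is given below as an added example; it is not the course's own script. It assumes the lab values (disk 3, 5350879232 bytes, label Simple2, drive letter G) and refuses to run against the boot or system disk, an offline or read-only disk, or a size larger than the disk's largest free extent. Because it supports -WhatIf, the whole sequence can be previewed first.

```powershell
# Added example: create and format a simple volume with preflight checks.
# Lab values (disk 3, 5103 MB, Simple2, G:) are assumptions. Elevated session required.

function New-SimpleDataVolume {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][uint64]$SizeBytes,
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][char]$DriveLetter
    )

    $disk = Get-Disk -Number $DiskNumber -ErrorAction Stop

    # Never partition the disk that holds the running operating system.
    if ($disk.IsBoot -or $disk.IsSystem) {
        throw "Disk $DiskNumber is the boot or system disk; refusing to partition it."
    }
    if ($disk.IsOffline) {
        throw "Disk $DiskNumber is offline; bring it online first (Set-Disk -Number $DiskNumber -IsOffline `$false)."
    }
    if ($disk.IsReadOnly) {
        throw "Disk $DiskNumber is read-only."
    }

    # A RAW disk must be initialized before partitions can be created; GPT is the default style.
    if ($disk.PartitionStyle -eq 'RAW') {
        if ($PSCmdlet.ShouldProcess("disk $DiskNumber", 'Initialize as GPT')) {
            Initialize-Disk -Number $DiskNumber -PartitionStyle GPT
            $disk = Get-Disk -Number $DiskNumber   # refresh: free extent is 0 until initialized
        }
    }

    # The requested size must fit in the largest contiguous free area on the disk.
    if ($disk.PartitionStyle -ne 'RAW' -and $SizeBytes -gt $disk.LargestFreeExtent) {
        throw ('Requested {0:N0} bytes, but the largest free extent on disk {1} is {2:N0} bytes.' -f
            $SizeBytes, $DiskNumber, $disk.LargestFreeExtent)
    }

    $action = 'Create {0} MB NTFS volume "{1}" as {2}:' -f [math]::Round($SizeBytes / 1MB), $Label, $DriveLetter
    if ($PSCmdlet.ShouldProcess("disk $DiskNumber", $action)) {
        $partition = New-Partition -DiskNumber $DiskNumber -Size $SizeBytes -DriveLetter $DriveLetter
        $partition | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null
        Get-Volume -DriveLetter $DriveLetter
    }
}

# Lab values from the demonstration. Add -WhatIf to preview without changing anything.
New-SimpleDataVolume -DiskNumber 3 -SizeBytes 5350879232 -Label 'Simple2' -DriveLetter 'G'
```

Passing the drive letter to New-Partition removes the separate Set-Partition step from the demonstration, and the final Get-Volume call returns the new volume so that a calling script can verify the label and file system.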
What Are Mirrored, Spanned, and Striped Volumes?
A mirrored volume presents two disks to the
operating systems as a single logical volume. A
mirrored volume always consists of exactly two
disks. Each disk has an identical copy of the data
that is on the logical volume.
A spanned volume joins areas of unallocated
space on at least two, and at most 32 disks, into a
single logical disk. Similar to a spanned volume, a
striped volume also requires two or more disks.
However, striped volumes map stripes of data
cyclically across the disks.
Basic disks support only primary partitions,
extended partitions, and logical drives. To use mirrored, spanned, or striped volumes, you must convert
the disks to dynamic disks as described previously. Dynamic disks use a database to track information
about the disk's dynamic volumes and about the computer's other dynamic disks. Because each dynamic
disk on a computer stores a replica of the dynamic disk database, the Windows operating system can
repair a corrupted database on one dynamic disk by using the database on another dynamic disk.
Characteristics of Mirrored Volumes
A mirrored volume also is known as a RAID-1 volume. A striped volume combines equal-sized areas of
unallocated space from multiple disks. You use a mirrored volume when you wish to provide redundancy
for your system partition. Both spanned volumes and striped volumes require a Windows operating
system to be running to recognize the volume; therefore, neither of those solutions can be used to
provide protection against disk failures for a system partition.
When creating a mirrored volume, the disk for the shadow volume must be at least the same size as the
volume being mirrored. Once the mirror is established, you cannot resize the mirrored volume.
There are two main benefits of using mirrored volumes. Recovering from a disk failure is very quick as
there is no data to rebuild. Additionally, read operations have a slight performance boost because you can
read from both disks simultaneously.
Also, there are two main disadvantages of using mirrored volumes. Write operations are slightly slower as
every write needs to be written to both disks. Also, using mirrored volumes is the least efficient use of
space compared to other RAID configurations.
Characteristics of Spanned Volumes
A spanned volume gives users the option to gather noncontiguous free space from one or many disks
into the same volume. A spanned volume does not provide any fault tolerance. Additionally, because the
areas that you combine are not necessarily equally distributed across the participating disks, there is no
performance benefit to implementing spanned volumes. I/O performance is comparable to simple
volumes.
You can create a spanned volume by extending a simple volume to an area of unallocated space on a
second disk, or you can designate multiple disks during the volume-creation process. The benefits of
using spanned volumes include uncomplicated capacity planning and straightforward performance
analysis.
If you create a new spanned volume, you must define the same properties as when you create a simple
volume in terms of size, file system, and drive letter. Also, you must define how much space to allocate to
the spanned volume from each physical disk.
You can create spanned volumes on dynamic disks only. If you attempt to create a spanned volume on
basic disks, the Windows operating system prompts you to convert the disk to dynamic after you have
defined the volume's properties and confirmed the choices.
It is possible to shrink a spanned volume. However, it is not possible to remove an area from a specific
disk. For example, if a spanned volume consists of three 100 MB partitions on each of three disks, you
cannot delete the third element. Depending on the space consumption on the volume, you can reduce
the volume's total size.
Note: When you shrink a spanned volume, no data loss occurs. However, the number of
disks involved may decrease. If the spanned volume resides on a single disk, the spanned volume
is converted to a simple volume. If there are empty dynamic disks that result from shrinking a
spanned volume, the empty dynamic disks are converted to basic disks.
If you install additional hard disks, it is possible to extend the spanned volume to include areas of
unallocated space on the new disks, as long as the total number of disks does not exceed the 32-disk limit
for spanned volumes.
Characteristics of Striped Volumes
A striped volume also is known as a RAID-0 volume. A striped volume combines equal-sized areas of
unallocated space from multiple disks.
You should create a striped volume when you want to improve the I/O performance of a computer.
Striped volumes provide for higher throughput by distributing I/O across all disks configured as part of
the set. The more physical disks that you combine, preferably across several disk controllers, the faster the
potential throughput. For most workloads, a striped data layout provides better performance than simple
or spanned volumes, as long as you select the striped unit appropriately based on workload and storage
hardware characteristics. The overall storage load is balanced across all physical drives.
Striped volumes also are well suited for isolating the paging file. By creating a volume where Pagefile.sys
is the only file on the entire volume, the paging file is less likely to become fragmented, which helps
improve performance. Redundancy is not required for the paging file normally. Striped volumes provide a
better solution than RAID-5 for paging file isolation. This is because the paging file activity is write-
intensive, and RAID-5 is better suited for read performance than write performance.
Because no capacity is allocated for redundant data, RAID-0 does not provide data-recovery mechanisms
such as those in RAID-1 and RAID-5. The failure of any disk results in data loss on a larger scale than it
would on a simple volume because it disrupts the entire file system that spreads across multiple physical
disks. The more disks that you combine in RAID-0, the less reliable the volume becomes.
When you create a striped volume, you will define the file system, drive letter, and other standard volume
properties. Additionally, you must define the disks from which to allocate free space. The allocated space
from each disk must be identical in size.
It is possible to delete a striped volume, but it is not possible to extend or to shrink the volume.
Configuration Changes
There are times when you may want to upgrade or in some way alter the configuration of computer
hardware or software. For example:
When the addition of functionality adds value to an organization.
When a fault in software, hardware, or the combined architecture results in app(s) failing to run.
When a change in the functionality or role of a device or workstation occurs.
There are other forms of volume management with different types of fault tolerance and recovery that are
available. These include using RAID-1 or RAID-5 volumes, hardware mirroring, and disk duplexing. You
could consider using these forms of volume management in your enterprise if the standard Windows 8.1
tools are not sufficient for your needs.
Question: How will the emergence of solid-state drives (SSDs) in enterprise workstations,
devices, and enterprise storage arrays change the storage landscape?
Demonstration: Creating Spanned and Striped Volumes
In this demonstration, you will see how to create spanned and striped volumes.
Demonstration Steps
Creating a spanned volume
1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start Disk Management.
3. Right-click the unallocated space on Disk 2, and then start the New Spanned Volume Wizard.
4. Complete the New Spanned Volume Wizard by using defaults, except for the following information:
o Use 2000 MB from Disk 2
o Use 1500 MB from Disk 3
o Use 4000 MB from Disk 4
o Name the volume SpanVol
o Select the Perform a quick format check box
5. Read the Disk Management warning, and then click Yes.
Creating a striped volume
1. Right-click the unallocated space on Disk 2, and then start the New Striped Volume Wizard.
2. Complete the New Striped Volume Wizard by using the defaults, except for the following
information:
o Use 2000 MB from each disk.
o Name the volume StripedVol
o Select the Perform a quick format check box
Question: What is the advantage of using striped volumes, and conversely what is the major
disadvantage?
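The two demonstrations above use the Disk Management wizards. The Windows 8.1 Storage cmdlets do not create dynamic-disk volumes, so the scriptable equivalent is a DiskPart script. The following added example (not from the course) generates such a script for a striped, mirrored or spanned volume and, by default, only prints it; the `-Execute` switch runs it with `diskpart /s`. It enforces the rules stated in the topic (a mirror uses exactly two disks, spanned and striped volumes use 2 to 32 disks) and refuses disk 0, which is assumed here to hold the operating system. The disk numbers, size and label are the lab values and a single per-disk size is used, so the spanned case takes the same amount from each disk rather than the varying amounts in the demonstration.

```powershell
# Added example: build a DiskPart script for a stripe, mirror or spanned volume.
# Lab values (disks 2, 3, 4; 2000 MB; StripedVol) are assumptions.

function New-DiskPartVolumeScript {
    param (
        [Parameter(Mandatory)][ValidateSet('stripe', 'mirror', 'spanned')][string]$Type,
        [Parameter(Mandatory)][int[]]$DiskNumber,
        [Parameter(Mandatory)][int]$SizeMB,         # space taken from each disk, in MB
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][char]$DriveLetter,
        [switch]$Execute                            # without this, the script is only shown
    )
    if ($Type -eq 'mirror' -and $DiskNumber.Count -ne 2) { throw 'A mirrored volume uses exactly two disks.' }
    if ($DiskNumber.Count -lt 2 -or $DiskNumber.Count -gt 32) { throw "A $Type volume needs 2 to 32 disks." }
    if ($DiskNumber -contains 0) { throw 'Refusing to touch disk 0 (assumed to hold the operating system).' }

    $script = New-Object System.Collections.Generic.List[string]

    # These volume types need dynamic disks; "noerr" lets disks that are already dynamic pass.
    foreach ($n in $DiskNumber) {
        $script.Add("select disk $n")
        $script.Add('convert dynamic noerr')
    }

    $diskList = $DiskNumber -join ','
    switch ($Type) {
        'stripe'  { $script.Add("create volume stripe size=$SizeMB disk=$diskList") }
        'mirror'  { $script.Add("create volume mirror size=$SizeMB disk=$diskList") }
        'spanned' {
            # A spanned volume starts as a simple volume and is extended onto each further disk.
            $script.Add("create volume simple size=$SizeMB disk=$($DiskNumber[0])")
            foreach ($n in $DiskNumber[1..($DiskNumber.Count - 1)]) {
                $script.Add("extend size=$SizeMB disk=$n")
            }
        }
    }
    $script.Add("format fs=ntfs label=`"$Label`" quick")
    $script.Add("assign letter=$DriveLetter")

    if (-not $Execute) {
        Write-Host 'DiskPart script (not run; add -Execute to run it):'
        $script | ForEach-Object { Write-Host "  $_" }
        return
    }
    $path = Join-Path $env:TEMP "diskpart-$Type.txt"
    $script | Set-Content -Path $path -Encoding ASCII
    diskpart /s $path        # requires an elevated session
    Remove-Item $path
}

# Striped volume from the demonstration: 2000 MB from each of disks 2, 3 and 4.
New-DiskPartVolumeScript -Type stripe -DiskNumber 2, 3, 4 -SizeMB 2000 -Label 'StripedVol' -DriveLetter 'S'
```

Printing the script before running it gives the same review point that the Disk Management warning in step 5 of the spanned-volume demonstration gives interactively.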
Purpose of Resizing a Volume
Windows 8.1 allows you to resize a volume by
using the Shrink Volume or Extend Volume
options within the provided disk tools. You can
shrink existing volumes to allow space to create
additional, unallocated space to use for data or
apps on a new volume. On the new volume, you
can:
Install another operating system, and then
perform a dual-boot.
Save data separate from the operating
system.
To perform a shrink operation, ensure that the disk either is formatted with NTFS or unformatted and that
you are a member of the Backup Operators or Administrators group. When you shrink a volume, contiguous free
space relocates to the end of the volume. There is no need to reformat the disk, but to ensure that the
maximum amount of space is available, make sure you perform the following tasks before shrinking:
Defragment the disk. This rearranges the disk sectors so that unused space is at the end of the disk.
Reduce shadow copy disk space consumption. Shadow copies can consume a large amount of space
because they maintain a record of changes so that previous versions of files can be restored.
Ensure that no page files are stored on the volume that you are shrinking.
When you shrink a volume, unmovable files, for example, a page file or the shadow-copy storage area, do
not relocate automatically. It is not possible to decrease the allocated space beyond the point where the
unmovable files are located. If you need to shrink a partition further, move the page file to another disk,
delete the stored shadow copies, shrink the volume, and then move the page file back to the disk.
To view shadow copy storage information, use the Volume Shadow Copy Service administrative
command-line tool. Start an elevated command prompt from the Administrative menu by pressing the
Windows logo key+X, clicking Command Prompt (Admin), and then typing vssadmin list
shadowstorage. If configured, the used, allocated, and maximum shadow copy storage space is listed for
each volume.
Defragmentation in Windows 8.1 improves on previous versions of the Windows operating system. You
now can optimally relocate some files that you could not relocate in Windows Vista or earlier versions.
Note: Please note that you may destroy or lose data if you shrink a raw partition, meaning
a partition that does not have a file system, but does contain data. Remember to make a backup
prior to extending or shrinking a partition or volume.
You can shrink simple and spanned dynamic disks, but not others. Here are a few ways in which you can
increase the size of a simple volume:
Extend the simple volume on the same disk. The volume remains a simple volume.
Extend a simple volume to include unallocated space on other disks on the same computer. This
creates a spanned volume.
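As an added example (not from the course), the following function carries out the pre-shrink checks described above in a script: it reads the minimum supported partition size, which already accounts for the unmovable files, compares it with the requested shrink, reports whether a page file or shadow copy storage sits on the volume, and only performs the shrink when `-Shrink` is given. The drive letter I: and the 50 MB target follow the DiskPart demonstration below and are assumptions.

```powershell
# Added example: shrink preflight check for an NTFS volume. Read-only unless -Shrink is passed.
# Drive I: and 50 MB are lab values and assumptions. Elevated session required.

function Test-VolumeShrink {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory)][char]$DriveLetter,
        [Parameter(Mandatory)][int]$ShrinkMB,
        [switch]$Shrink
    )

    $volume = Get-Volume -DriveLetter $DriveLetter -ErrorAction Stop
    if ($volume.FileSystem -and $volume.FileSystem -ne 'NTFS') {
        throw "Only NTFS or unformatted volumes can be shrunk; $DriveLetter`: is $($volume.FileSystem)."
    }

    # SizeMin is the smallest size the partition can shrink to, given the unmovable files on it.
    $partition = Get-Partition -DriveLetter $DriveLetter
    $supported = Get-PartitionSupportedSize -DriveLetter $DriveLetter
    $maxShrinkMB = [math]::Floor(($partition.Size - $supported.SizeMin) / 1MB)

    # The two usual blockers: a page file on the volume and shadow copy storage.
    $pageFile = Get-CimInstance -ClassName Win32_PageFileUsage |
        Where-Object { $_.Name -like "$DriveLetter`:*" }
    $shadowText = (vssadmin list shadowstorage) -join "`n"     # same tool the text describes
    $shadowHere = $shadowText -match "For volume: \($DriveLetter`:\)"

    [pscustomobject]@{
        Drive             = "$DriveLetter`:"
        CurrentSizeMB     = [math]::Round($partition.Size / 1MB)
        MaxShrinkMB       = $maxShrinkMB
        RequestedMB       = $ShrinkMB
        PageFileOnVolume  = [bool]$pageFile
        ShadowStorageHere = $shadowHere
    } | Format-List | Out-String | Write-Host

    if ($ShrinkMB -gt $maxShrinkMB) {
        Write-Warning ("Cannot shrink by $ShrinkMB MB; at most $maxShrinkMB MB is possible. " +
            'Move the page file, delete shadow copies and defragment, then retry.')
        return
    }
    if ($Shrink -and $PSCmdlet.ShouldProcess("$DriveLetter`:", "Shrink by $ShrinkMB MB")) {
        Resize-Partition -DriveLetter $DriveLetter -Size ($partition.Size - $ShrinkMB * 1MB)
        Get-Partition -DriveLetter $DriveLetter | Select-Object DriveLetter, Size
    }
}

# Preview only; add -Shrink to perform the operation (and -WhatIf to see what it would do).
Test-VolumeShrink -DriveLetter 'I' -ShrinkMB 50
```

Get-PartitionSupportedSize returns the same limits that the Shrink Volume dialog computes, so the MaxShrinkMB value is what the wizard would offer as "Size of available shrink space".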
Demonstration: Resizing a Volume
This demonstration shows how to shrink a volume with the DiskPart tool. Then, the Disk Management tool
is used to extend a simple volume.
Demonstration Steps
Using DiskPart
1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Start DiskPart.
3. At the DiskPart command prompt, run the following commands:
o list volume (note the volume number associated with Simple2)
o select volume <n> (where n is the volume number noted)
o shrink desired=50
4. Compare the size of the Simple2 volume with the size previously reported.
Using Disk Management
1. Open the Start screen, and then start Disk Management.
2. Click the spanned volume on Disk 3.
3. Start the Extend Volume Wizard, and then extend the spanned volume with 50 MB from Disk 3.
Question: When might you need to reduce the system partition's size?
Overview of Storage Spaces
Storage Spaces is a new feature built into both
Windows 8.1 and Windows Server 2012 R2 that
you can use to add additional storage to your
system and to pool storage devices in a resilient
arrangement.
The operating system manages all disks added to
a storage pool, and you can configure these disks
to ensure that the data stored in a pool is
protected from data loss.
You create a storage pool by adding drives to a
system. You then configure Storage Spaces to use
some or all of the available pooled space and
define the drive resiliency, name, and size.
Storage Spaces offers the types of resiliency listed in the following table.
Type | Resiliency description
Simple (none) | No mirroring. All data is lost if a drive fails.
Two-way mirror | All files stored in the pool are maintained on at least two different physical drives, mirroring your data.
Three-way mirror | Similar to a two-way mirror, but stored on three drives.
Parity | At least three drives are used to store the data and parity bit. This is the most efficient storage option, but also, potentially, the poorest performance, as the parity information needs to be calculated.
Note: Notice the change to modern and familiar terminology when discussing types of disk
redundancy compared to the traditional RAID-0, RAID-1, and RAID-5 nomenclature seen earlier
in the module.
The Storage Spaces feature allows the addition of disparate disk types, such as internal/external, USB
drives, Serial ATA, and other types. During the addition of the storage, a drive is formatted and configured
as a new storage pool.
Note: Ensure that you have made a backup or removed any data before adding a drive, as
Windows 8.1 will format any drive that is added to a storage pool as part of the configuration.
After you configure a storage space, you can modify the storage space name and size and even delete the
space completely, which will return the space back to the storage pool.
Note: Deleting a storage space will permanently delete all the files that it contains. Ensure
that you move or back up any data before deleting a storage space.
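The following added example (not from the course) creates a two-way mirror storage space from Windows PowerShell. It only considers disks that Windows reports as poolable, lists them before doing anything because every disk added to a pool is formatted, and does nothing unless the ShouldProcess prompt is accepted; the final call uses `-WhatIf` so that the script is a preview until that switch is removed. The pool name, space name, drive letter and the requirement for two disks are assumptions.

```powershell
# Added example: two-way mirror storage space. Names and the 2-disk minimum are assumptions.
# Every disk added to the pool is formatted; the function previews first. Elevated session required.

function New-TwoWayMirrorSpace {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [string]$PoolName     = 'DataPool',
        [string]$SpaceName    = 'MirrorSpace',
        [char]$DriveLetter    = 'D',
        [int]$MinimumDisks    = 2
    )

    # Only disks Windows marks as poolable are candidates; the disk Windows runs from never is.
    $candidates = @(Get-PhysicalDisk -CanPool $true)
    if ($candidates.Count -lt $MinimumDisks) {
        throw "Need at least $MinimumDisks poolable disks, found $($candidates.Count)."
    }

    Write-Host "Disks that will be FORMATTED and added to pool '$PoolName':"
    $candidates |
        Select-Object FriendlyName, MediaType, BusType, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } } |
        Format-Table -AutoSize | Out-String | Write-Host

    if (-not $PSCmdlet.ShouldProcess("$($candidates.Count) disks", "Create pool '$PoolName' and two-way mirror '$SpaceName'")) {
        return
    }

    $subsystem = Get-StorageSubSystem | Select-Object -First 1
    New-StoragePool -FriendlyName $PoolName -StorageSubSystemUniqueId $subsystem.UniqueId `
        -PhysicalDisks $candidates | Out-Null

    # Two-way mirror: every block is kept on two different physical disks.
    $vdisk = New-VirtualDisk -StoragePoolFriendlyName $PoolName -FriendlyName $SpaceName `
        -ResiliencySettingName Mirror -NumberOfDataCopies 2 -ProvisioningType Fixed -UseMaximumSize

    # The space appears as a disk; initialize, partition and format it like any other.
    $vdisk | Get-Disk |
        Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -UseMaximumSize -DriveLetter $DriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $SpaceName -Confirm:$false | Out-Null

    Get-VirtualDisk -FriendlyName $SpaceName |
        Select-Object FriendlyName, ResiliencySettingName, NumberOfDataCopies, HealthStatus, OperationalStatus
}

New-TwoWayMirrorSpace -WhatIf    # preview; remove -WhatIf to create the pool and space
```

The HealthStatus and OperationalStatus values returned at the end are the ones to monitor afterwards: a two-way mirror keeps running with one failed drive, but stays degraded until the drive is replaced and the space repaired.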
Question: Discuss scenarios when you would use Storage Spaces in a client workstation
environment.
Lesson 2
Maintaining Disks, Partitions, and Volumes
When you first create a volume, you typically create new files and folders on a volume's available free
space in contiguous blocks. This provides an optimized file system environment. As the volume becomes
full, the availability of contiguous blocks diminishes. This can lead to suboptimal performance. This lesson
explores file system fragmentation and the tools that you can use to reduce fragmentation. You also will
see how Windows 8.1 automatically checks and fixes most file system issues and how you can configure
disk quotas to monitor and control how disks are filled.
Lesson Objectives
After completing this lesson, you will be able to:
Describe file system fragmentation.
Explain how to defragment a disk on a Windows 8.1 client computer.
Describe how to check for disk errors.
Describe disk quotas and how they manage storage.
Configure disk maintenance tasks.
What Is Disk Fragmentation?
Fragmentation of a file system occurs over time as
you save, change, and delete files. Initially, the
Windows I/O manager saves files in contiguous
areas on a given volume. This is efficient for the
physical disk as the read/write heads are able to
access these contiguous blocks most quickly.
As the volume fills with data and other files,
contiguous areas of free space become harder to
find. File deletion also causes fragmentation of
available free space. Additionally, when you
extend and save a file, such as editing a document
or spreadsheet, there may not be contiguous free
space following the existing file blocks. This forces the I/O manager to save the remainder of the file in a
noncontiguous area. Over time, contiguous free space becomes harder to find, leading to fragmentation
of newly stored content. The incidence and extent of fragmentation varies depending on available disk
capacity, disk consumption, and usage patterns.
Although NTFS is more efficient at handling disk fragmentation than earlier file systems, this
fragmentation still presents a potential performance problem. Combined hardware and software advances
in the Windows operating system help to mitigate the impact of fragmentation and deliver better
responsiveness.
Question: How does the increasing storage capacity of HDDs affect file fragmentation?
Defragmenting a Disk
When you optimize a disk, files are relocated
optimally. This ability to relocate files is beneficial
when you are shrinking a volume because it lets
the system free up space that you can later
reclaim.
Windows 8.1 defragments drives automatically on
a scheduled basis, running weekly in the
background to rearrange data and reunite
fragmented files. You can check the status of a
defragmentation or perform a manual
optimization at any time by launching the
Optimize Drives tool.
To optimize a volume or drive manually, or to change the automatic optimization schedule, right-click a
volume in File Explorer, click Properties, click the Tools tab, and then click Optimize. You then can perform
the following tasks:
Change settings, which allows you to:
o Enable or disable the automated optimization.
o Specify the automated optimization frequency.
o Set a notification for three consecutive missed optimization runs.
o Select which volumes that you want to optimize.
Analyze the disk to determine whether it requires optimization.
Launch a manual optimization.
You also can start the optimization process by launching Defragment and Optimize Drives from the
Administrative Tools section within Control Panel\System and Security.
To verify that a disk requires defragmentation, in the Optimize Drives tool, select the disk that you want to
defragment, and then click Analyze. After Windows finishes analyzing the disk, check the percentage of
fragmentation on the disk in the Current status column. If the number is high, you should defragment the
disk. The Optimize Drives tool might take from several minutes to a few hours to finish defragmenting,
depending on the size and degree of fragmentation of the disk or USB device, such as an external hard
drive. You can use the computer during the defragmentation process, although disk access may be slower
and the defragmentation may take longer.
You can configure and run disk defragmentation from an elevated command prompt by using the defrag
command-line tool. Use Defrag /? at the command prompt for available options.
You can minimize file system fragmentation in the following ways:
Partition the disk so that you isolate static files from those that are created and deleted frequently,
such as some user-profile files and temporary Internet files.
Use the Disk Cleanup feature (Cleanmgr.exe) to free disk space that is being consumed by each user's
preferences for console files that the profile is saving.
Use the Optimize Drives tool to help reduce the impact of disk fragmentation on disk volumes,
including USB drives. The Optimize Drives tool rearranges fragmented data so that disks and drives
can work more efficiently.
Newer drives such as SSDs do not need to be defragmented in the same way as HDDs because files are
not accessed mechanically. If an SSD or USB flash drive becomes fragmented, only a small amount of
performance benefit will be gained by optimizing the drive because all files are accessed at equal high
speed, regardless of the location or level of fragmentation. Due to the volume of read/write operations
that are required during the optimization process, SSDs should not be defragmented.
Note: Defragmenting an SSD or a USB flash drive can decrease the life span of a drive
significantly.
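The media-type distinction made above can be enforced in a script. The following added example (not from the course) uses the Optimize-Volume cmdlet, the Windows PowerShell equivalent of the defrag tool: it always runs the read-only analysis, then defragments only when the volume sits on a hard disk drive and issues a retrim instead on an SSD, which tells the drive which blocks are free without rewriting data. Drive I: is the lab value and an assumption; on virtual lab disks the media type may be reported as Unspecified, in which case the function deliberately does nothing.

```powershell
# Added example: analyze, then optimize a volume in the way its media supports.
# Drive I: is an assumption. Elevated session required.

function Optimize-VolumeByMedia {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory)][char]$DriveLetter
    )

    # Find the physical disk behind the volume to learn its media type (HDD, SSD or Unspecified).
    # For a basic disk, MSFT_PhysicalDisk.DeviceId matches the disk number.
    $partition = Get-Partition -DriveLetter $DriveLetter -ErrorAction Stop
    $physical  = Get-PhysicalDisk | Where-Object { $_.DeviceId -eq "$($partition.DiskNumber)" }
    $media     = if ($physical) { "$($physical.MediaType)" } else { 'Unknown' }

    # Analysis is read-only; -Verbose prints the fragmentation percentage, as Defrag /A does.
    Optimize-Volume -DriveLetter $DriveLetter -Analyze -Verbose

    switch ($media) {
        'HDD' {
            if ($PSCmdlet.ShouldProcess("$DriveLetter`:", 'Defragment (HDD)')) {
                Optimize-Volume -DriveLetter $DriveLetter -Defrag -Verbose
            }
        }
        'SSD' {
            # No data is moved: the drive is only told which blocks are unused.
            if ($PSCmdlet.ShouldProcess("$DriveLetter`:", 'Retrim (SSD)')) {
                Optimize-Volume -DriveLetter $DriveLetter -ReTrim -Verbose
            }
        }
        default {
            Write-Warning "Media type of $DriveLetter`: is '$media'; not optimizing automatically."
        }
    }
    [pscustomobject]@{ Drive = "$DriveLetter`:"; MediaType = $media }
}

Optimize-VolumeByMedia -DriveLetter 'I'
```

For a volume on a storage space, DeviceId matches no physical disk and the function falls into the default branch; extend the lookup through Get-VirtualDisk if that case matters in your environment.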
Checking for Disk Errors
Earlier versions of the Windows operating system
include automatic scheduling for several disk
maintenance activities. Windows 8.1 introduces
new feature enhancements to NTFS, including
self-healing abilities that provide online
corruption scanning, and repair capabilities to
resolve many NTFS issues. At 3 A.M. local time,
Windows 8.1 automatically performs a scan of
hard drives by using the improved Check Disk tool
(Chkdsk), which fixes file errors and NTFS
inconsistencies within volumes on a disk. In an
enterprise environment, if preferred, you could
use Group Policy to schedule this task to take place during lunchtime or other periods of low activity.
Unlike previous versions of Chkdsk, Windows can now repair a volume while the Windows operating
system is still running. Windows can take the volume offline temporarily while it carries out repairs. For all
boot and system drive repairs, the Windows operating system cannot be running, and these actions will
be performed at the next system restart.
Note: The computer or device must be connected to AC power during the 3 A.M.
automated maintenance window for this procedure to take place. Alternatively, if the
maintenance window is missed, the task is carried over until the next time that AC power is
connected and the operating system is idle.
In addition to automatic scanning, you can manage disk health manually by using the Chkdsk command
from an elevated command prompt or within Windows PowerShell with one of the following commands.
Command | Description
/? | Displays the available command options.
volume | Specifies the drive letter (followed by a colon), mount point, or volume name.
Filename | FAT or FAT32 only: specifies the files to check for fragmentation.
/F | Fixes errors on a disk.
/V | On FAT or FAT32: displays the full path and name of every file on a disk. On NTFS: displays cleanup messages, if any.
/R | Locates bad sectors and recovers readable information. Implies /F when /scan is not specified.
/L:size | NTFS only: changes the log file size to the specified number of kilobytes (KB). If size is not specified, displays the current size.
/X | Forces the volume to dismount first if necessary. All opened handles to the volume would then be invalid. Implies /F.
/I | NTFS only: performs a less vigorous check of index entries.
/C | NTFS only: skips checking of cycles within the folder structure.
/B | NTFS only: re-evaluates bad clusters on the volume. Implies /R.
/scan | NTFS only: runs an online scan on the volume.
/forceofflinefix | NTFS only: bypasses all online repair; all defects found are queued for offline repair (that is, Chkdsk /spotfix). Must be used with /scan.
/perf | NTFS only: uses more system resources to complete a scan as fast as possible. This may have a negative performance impact on other tasks that are running on a system. Must be used with /scan.
/spotfix | NTFS only: runs spot fixing on a volume.
/sdcleanup | NTFS only: garbage collects unneeded security descriptor data. Implies /F.
/offlinescanandfix | Runs an offline scan and fix on a volume.
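The online scan followed by a spot fix, the sequence the /scan and /spotfix rows describe, is shown below as an added example (not from the course) using the Repair-Volume cmdlet, whose -Scan, -SpotFix and -OfflineScanAndFix switches correspond to those Chkdsk options. Using the cmdlet instead of parsing Chkdsk's console text lets a maintenance script act on the result. Drive I: is the lab value and an assumption.

```powershell
# Added example: online scan, then spot fix only if the scan found something.
# Drive I: is an assumption. Elevated session required.

function Test-VolumeHealth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory)][char]$DriveLetter,
        [switch]$FixOnline     # run the spot fix when the scan reports errors
    )

    $volume = Get-Volume -DriveLetter $DriveLetter -ErrorAction Stop
    if ($volume.FileSystem -ne 'NTFS') {
        throw "Online scan and spot fix are NTFS only; $DriveLetter`: is $($volume.FileSystem)."
    }

    # Equivalent of Chkdsk /scan: the volume stays mounted and usable during the scan.
    $scan = Repair-Volume -DriveLetter $DriveLetter -Scan

    $result = [pscustomobject]@{
        Drive        = "$DriveLetter`:"
        HealthBefore = $volume.HealthStatus
        ScanResult   = "$scan"          # e.g. NoErrorsFound
        SpotFixRun   = $false
        HealthAfter  = $null
    }

    if ("$scan" -ne 'NoErrorsFound' -and $FixOnline) {
        # Equivalent of Chkdsk /spotfix: the volume is taken offline briefly to repair only the
        # defects the scan queued. A boot or system volume is instead repaired at the next restart.
        if ($PSCmdlet.ShouldProcess("$DriveLetter`:", 'Spot fix')) {
            Repair-Volume -DriveLetter $DriveLetter -SpotFix | Out-Null
            $result.SpotFixRun = $true
        }
    }

    $result.HealthAfter = (Get-Volume -DriveLetter $DriveLetter).HealthStatus
    $result
}

Test-VolumeHealth -DriveLetter 'I' -FixOnline
```

Because the function returns an object, a scheduled task can log ScanResult and HealthAfter for each volume and raise an alert only when the health status does not return to Healthy.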

Question: In addition to the automatic scheduled maintenance that Windows performs,
what other options could be considered to prevent unexpected data loss?
What Are Disk Quotas?
It is important to manage the storage space that
Windows 8.1 computers consume locally. With
ever-increasing demands on available storage,
you must consider methods that can help you
manage these demands. A disk quota is a way for
you to limit each person's use of disk space on a
volume. Using disk quotas, you can track and
restrict disk consumption. You can enable quotas
on any NTFS-formatted volume, including local
volumes, storage pools, and removable storage.
You can use quotas to track disk space consumption and to determine who is consuming available space.
By default, disk quotas are disabled and users are not prevented from writing to disk volumes unless this
requirement is specified.
Note: The Administrator user account is exempt from any warnings or disk space
limitations.
There are several different methods available to the user for managing disk quotas:
Disk properties. From the File Explorer window, view the properties of a selected disk or volume. You can
use the Quota tab to enable and manage quotas on individual drives. You can use the GUI to configure
the same settings that are available to the disk quota Group Policy Object (GPO). Additionally, you can
manage and view individual quota entries. When you manage individual quota settings, you can perform
the following tasks:
Create a new quota entry. You can configure settings that override the default values for specific
users.
Delete a quota entry. You can remove a quota entry that was previously created and allow the default
settings to apply to the user.
Export and import. You can export settings that are configured on a specific volume, and you can
import the settings on another volume for ease of management.
Over time, the amount of available disk space inevitably becomes less. Therefore, you should ensure that
you have a contingency plan to increase storage capacity.
Fsutil. You can manage quotas by using the fsutil quota command from an elevated command prompt
or from within Windows PowerShell with one of the following commands:
Disable <volumePath>. Disables quota tracking on the specified volume.
Enforce <volumePath>. Enforces quota usage on the specified volume.
Modify <volumePath> <Threshold> <Limit> <UserName>. Modifies an existing quota or creates a new quota
entry on the specified volume.
Query <volumePath>. Lists existing quotas on the specified volume.
Track <volumePath>. Tracks disk usage on the specified volume.
Violations. Queries the application and system logs for quota violations.
Group Policy. In either a local or domain-based GPO, you can add the Administrative Templates, System,
and Disk Quotas section. The policy settings available within this GPO are:
Enable disk quotas
Enforce disk quota limit
Specify default quota limit and warning level
Log event when quota limit is exceeded
Log event when quota warning level is exceeded
Apply policy to removable media
5-22 Managing Disks and Device Drivers
Note: Quotas are tracked separately for each volume. When restricting disk space
limits, each user shares the same limit per volume. By contrast, Windows Server 2012 and
newer versions allow administrators more detailed restrictions, including the ability to set
different limits for each user.
Question: Will quota management be useful in your organization?
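The fsutil quota commands and per-user quota entries described above, combined into one Windows PowerShell script as an added example (it is not code from the course). It enforces quotas on a volume, adds a per-user entry, reports every user's consumption through the Win32_DiskQuota WMI class, and pulls the NTFS quota events from the System log. The volume I:, the 6 MB limit, the 4 MB warning level and the account Adatum\Alan are taken from this module's demonstration; Event ID 37 (hard limit reached), the companion of the Event ID 36 warning event the lab has you look for, is an addition of this example.

```powershell
# Added example, not course code. Assumes an elevated session, an NTFS volume I:,
# and an existing account Adatum\Alan (all from this module's demonstration).
param(
    [string]$Volume  = 'I:',
    [int]   $LimitMB = 6,
    [int]   $WarnMB  = 4,
    [string]$Account = 'Adatum\Alan'
)

function Enable-VolumeQuota {
    param([string]$Volume, [int]$WarnMB, [int]$LimitMB, [string]$Account)
    # 'enforce' both tracks usage and denies writes once a user is over the limit;
    # 'track' would only record usage (fsutil quota track <volume>).
    fsutil quota enforce $Volume | Out-Null
    # A per-user entry overrides the volume defaults. fsutil takes bytes:
    # threshold (warning level) first, then the hard limit.
    fsutil quota modify $Volume ($WarnMB * 1MB) ($LimitMB * 1MB) $Account | Out-Null
}

function Get-QuotaReport {
    param([string]$Volume)
    # Win32_DiskQuota links one Win32_Account to one Win32_LogicalDisk.
    # Status: 0 = OK, 1 = warning level exceeded, 2 = limit exceeded.
    Get-CimInstance -ClassName Win32_DiskQuota |
        Where-Object { $_.QuotaVolume.DeviceID -eq $Volume } |
        ForEach-Object {
            [pscustomobject]@{
                User    = '{0}\{1}' -f $_.User.Domain, $_.User.Name
                UsedMB  = [math]::Round($_.DiskSpaceUsed / 1MB, 2)
                WarnMB  = [math]::Round($_.WarningLimit / 1MB, 2)
                LimitMB = [math]::Round($_.Limit / 1MB, 2)
                Status  = @('OK', 'Warning', 'Exceeded')[$_.Status]
            }
        }
}

function Get-QuotaEvents {
    param([int]$Days = 7)
    # NTFS writes quota events to the System log: 36 = warning level reached (the
    # event the lab has you look for), 37 = hard limit reached (added here).
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Ntfs'
        Id           = 36, 37
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Enable-VolumeQuota -Volume $Volume -WarnMB $WarnMB -LimitMB $LimitMB -Account $Account
Get-QuotaReport -Volume $Volume | Format-Table -AutoSize
Get-QuotaEvents | Format-Table -AutoSize -Wrap
```

Run the script from an elevated Windows PowerShell prompt. The Administrator account is exempt from the limit, so the report only becomes interesting after a standard user such as Adatum\Alan has written to the volume; fsutil quota violations gives the same event information from the command line.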
Demonstration: Configuring Disk Maintenance Tasks
This demonstration shows how to configure drive defragmentation, check a volume for errors, and create
a disk quota.
Demonstration Steps
Configure drive defragmentation
1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Analyze drive I: and then defragment the drive.
3. Open an administrative Windows PowerShell window, and then run the following command on
drive I:
o Defrag I: /A
4. Defragment drive I: by typing the following command:
o Defrag I: /H /U /V
5. View the verbose results of the operation.
6. Sign out from LON-CL2.
Check a volume for errors
1. Open an administrative Windows PowerShell window, and then run the following command on
drive I:
o Chkdsk /scan I:
2. If the tool finds errors, you can attempt to repair them by typing the following command on drive I:
o Chkdsk /spotfix I:
3. Sign out from LON-CL2.
Create a disk quota
1. Open File Explorer, and then navigate to This PC.
2. Open the StripedVol (I:) Properties.
3. Click the Quota tab, and then enable quotas with the following settings:
o Deny disk space to users exceeding quota limit
o Limit disk space to 6 MB
o Set warning level to 4 MB
o Log event when a user exceeds their warning level
4. Close all open windows.
5. Open an administrative command prompt, and then run the following commands on drive I:
o fsutil file createnew 2mb-file 2097152
o fsutil file createnew 1kb-file 1024
6. Sign out from LON-CL2.
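The maintenance steps of this demonstration as one Windows PowerShell script, added here as an example that is not course code. It uses the Storage module cmdlets that wrap defrag.exe and chkdsk.exe (Optimize-Volume and Repair-Volume), so each call is labelled with the Defrag or Chkdsk command it replaces, and it creates the two quota test files from step 5. It assumes an elevated session and the NTFS volume I: used in the demonstration.

```powershell
# Added example, not course code. Assumes an elevated session and an NTFS
# volume I: (the StripedVol volume used in this module).
function Invoke-VolumeMaintenance {
    param([string]$DriveLetter = 'I')

    # Step 3: analysis only, no changes (equivalent to "Defrag I: /A").
    Optimize-Volume -DriveLetter $DriveLetter -Analyze -Verbose

    # Step 4: defragment with verbose progress (equivalent to "Defrag I: /H /U /V").
    Optimize-Volume -DriveLetter $DriveLetter -Defrag -Verbose

    # Online scan; the volume stays mounted (equivalent to "Chkdsk /scan I:").
    # Repair-Volume reports NoErrorsFound when the scan is clean.
    $result = Repair-Volume -DriveLetter $DriveLetter -Scan
    if ($result -ne 'NoErrorsFound') {
        # Fix only the problems the scan queued, with a brief dismount
        # (equivalent to "Chkdsk /spotfix I:").
        $result = Repair-Volume -DriveLetter $DriveLetter -SpotFix
    }

    # The health the Storage subsystem reports after maintenance.
    Get-Volume -DriveLetter $DriveLetter |
        Select-Object DriveLetter, FileSystemLabel, HealthStatus,
            @{ n = 'FreeMB';     e = { [math]::Round($_.SizeRemaining / 1MB) } },
            @{ n = 'ScanResult'; e = { $result } }
}

function New-QuotaTestFile {
    # Step 5 of the demonstration: files of a known size for exercising a quota.
    # fsutil file createnew takes a path and a length in bytes.
    param([string]$DriveLetter = 'I')
    $root = "${DriveLetter}:\"
    fsutil file createnew (Join-Path -Path $root -ChildPath '2mb-file') 2097152
    fsutil file createnew (Join-Path -Path $root -ChildPath '1kb-file') 1024
    Get-ChildItem -Path $root -Filter '*-file' | Select-Object Name, Length
}

Invoke-VolumeMaintenance -DriveLetter 'I'
New-QuotaTestFile -DriveLetter 'I'
```

Repair-Volume -Scan is the online check: the volume stays available while NTFS records any problems it finds, and -SpotFix then repairs only those recorded problems, which is why the script runs the fix conditionally rather than every time.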
Lesson 3
Working with Virtual Hard Disks
With virtual hard disks, you can present a portion of a hard drive as an independent hard drive to the
Windows 8.1 operating system. Virtual hard disks generally are associated with virtual machines.
Beginning with Windows 7, Windows operating systems can mount virtual hard disks directly. In this
lesson, you will learn what a virtual hard disk is and how to mount one in Windows 8.1.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the tools used to create, delete, and mount virtual hard disks in Windows 8.1.
Manage virtual hard disk files in the Windows 8.1 file system.
Virtual Hard Disks in Windows 8.1
Windows 8.1 fully supports virtual hard disks. The
virtual hard disk (.vhd) file format specifies a
virtual hard disk, which is encapsulated in a single
file and is capable of hosting native file systems
and supporting standard disk operations.
Virtual hard disks are not used solely with virtual machine environments such as Client Hyper-V, which
is discussed later in this course. You can use virtual hard disks in any scenario where a physical hard disk
might be used. If you plan on using a virtual hard disk in place of a physical disk, consider the following
advantages and disadvantages.
Advantages of Using Virtual Hard Disks
Portability. VHD files may be easier to move between systems, particularly when shared storage is
used.
Backup. A VHD file represents a single file for backup purposes.
Disadvantages of Using Virtual Hard Disks
Performance. In high I/O scenarios, the additional overhead of using a virtual hard disk can affect
performance.
Physical failures. A VHD file does not protect against cluster failure on the underlying physical disks.
Some of the usage scenarios for virtual hard disks include:
Multiboot. Windows 7 and Windows 8.1 support native boot from virtual hard disk. This can allow
you to start a system from multiple VHD files to support different applications without the need to
install them in the same operating system.
Managing desktop image deployment. You can use virtual hard disks as reference images for either
physical or virtual machines to ensure each system starts with a common image.
Physical disk virtualization. You can use virtual hard disks in conjunction with underlying storage that
is configured for resiliency.
Supporting Virtual Disk Formats
Windows 8.1 supports both virtual disk formats: .vhd and .vhdx. The .vhdx format has a metadata
structure that is aimed at reducing data corruption and improving alignment on large-sector disks. The
.vhd format is limited to 2 TB of storage, whereas the newer .vhdx format supports virtual disks up to a
maximum size of 64 TB.
For more information on the .vhdx format, go to:
Hyper-V Virtual Hard Disk Format Overview
http://go.microsoft.com/fwlink/?LinkId=266557
You can configure virtual hard disks as three types: fixed, dynamically expanding, or differencing.
Fixed size
A fixed-size virtual hard disk is allocated its maximum size when you create a virtual disk. The fixed size
disk type is the recommended type of virtual disk in the following scenarios:
When using the .vhd format.
When I/O performance is required to be as high as possible. Because the file is not dynamically
expanded as data is created within it or copied to the virtual disk, fixed-size virtual disks typically are
only 6 percent slower than the underlying physical drive.
When a dynamically expanding disk increases in size, the host physical drive could run out of space
and cause write operations to fail. The use of fixed virtual disks ensures that this does not happen
because the full drive size has already been committed to the virtual disk.
The file data will not become inconsistent due to a lack of storage space or power loss. Dynamically
expanding virtual disks depend on multiple write operations to expand the file. The internal-block
allocation information can become inconsistent if all I/O operations to the virtual disk file and the
host volume are not complete and persisted on the physical disk. This can happen if the computer
suddenly loses power.
Dynamically expanding
A dynamically expanding virtual hard disk starts as a very small file and grows with the data that is
written to it. As more data is written, the file increases up to the configured maximum size. For example,
a 50 gigabyte (GB) dynamically expanding virtual
hard disk that has 10 GB of data files copied to it will occupy approximately 10 GB space on the physical
hard drive and can accommodate a further 40 GB of data. With the improvements in the .vhdx format, the
dynamically expanding disk type is recommended when creating .vhdx drives.
Note: The .vhdx format is not backward compatible with Windows 7.
Differencing disk
A differencing disk tracks the changes made from another virtual disk. Creating a parent/child relationship
between virtual disks can save significant disk space. Because this disk type lets you use the contents of a
base disk (parent) without making changes to the base disk, all changes are made to the differencing
(child) disk. You should configure base disks as read-only to prevent changes being made to them. All
changes made when using the virtual machine then are written to the differencing disk. A differencing
disk must be a dynamically expanding disk.
Note: You can create differencing disks only by using DiskPart or Windows PowerShell.
Managing VHD files in the Windows 8.1 File System
Virtual disks are supported fully by Windows 8.1,
and you should understand the tools that are
available to create, mount, and delete virtual
disks.
Three methods are available for managing virtual disks in Windows 8.1: Disk Management, DiskPart,
and Windows PowerShell 4.0.
Disk Management
The Disk Management snap-in for the MMC
provides a familiar GUI where a user can create,
attach, and detach virtual disks within a Windows operating system.
After you create a new virtual disk, a new disk appears in the console, and you need to initialize this disk
so that the Windows operating system can manage the drive. After it is initialized, you can treat the drive
like any other drive. For example, you can format it, assign a drive letter to it, or the system can create a
mount point and use the drive. After a virtual disk is allocated a drive letter, it is mounted and you can
access the drive by using File Explorer to carry out normal activities; it behaves just like a physical drive.
Note: A virtual disk appears in the Disk Management console with a light blue drive icon to
indicate to the user that it is a virtual disk.
If you wish to remove a virtual hard disk from your system, for example, to make it portable or to connect
it to a virtual machine, you first must return to Disk Management to detach the disk. While a virtual disk is
online and managed by Disk Management, it is not possible to delete the virtual disk from within File
Explorer, as the file is marked as an open file by the system. If the virtual disk is external to the system, for
example, if it resides on a USB drive, disconnecting the USB drive without first detaching the virtual disk
can corrupt the .vhd file and make it unusable.
Note: Take care when placing virtual hard disks on portable drives; they can become
corrupted easily if they are in use when you disconnect the portable drive.
Managing VHD Files by Using DiskPart
Although Disk Management allows users the ability to configure virtual disks from a GUI, there are some
limitations, such as the inability to create differencing virtual disks. To access more powerful options,
consider using DiskPart and Windows PowerShell, which provide more control of virtual disks from the
command-line and with cmdlets.
To create a virtual hard disk by using DiskPart, you use the create vdisk command at the DiskPart
command prompt. You can create and manage virtual disks by using one of the following commands
within DiskPart:
Create vdisk
Detach vdisk
Expand vdisk
Select vdisk
The following table shows the available options that the create vdisk command supports.
Option Description
file=<filename> Specifies the complete path and file name of the virtual disk
file. The file may be on a network share.
maximum=<n> The maximum amount of space that the virtual disk exposes, in
megabytes.
type=<fixed|expandable> The fixed option specifies a fixed-size virtual disk file. The
expandable option specifies a virtual disk file that resizes to
accommodate the allocated data. The default option is fixed.
sd=<sddl string> Specifies a security descriptor in the security descriptor
definition language (SDDL) format. By default, the security
descriptor is taken from the parent directory.
parent=<filename> Path to a parent virtual disk file to create a differencing disk.
With the parent parameter, you should not specify maximum
because the differencing disk gets the size from its parent. Also,
do not specify type, because only expandable differencing
disks can be created.
source=<filename> Path to an existing virtual disk file to be used to prepopulate the
new virtual disk file. When source is specified, data from the
input virtual disk file is copied block for block from the input
virtual disk file to the created virtual disk file. Be aware that this
does not establish a parent/child relationship.
noerr For scripting only. When DiskPart encounters an error, it
continues to process commands as if the error did not occur.

To create a differencing virtual disk from an existing parent virtual disk you would use the following
command:
CREATE VDISK FILE=i:\newdiffdisk.vhdx PARENT=i:\parentdisk.vhdx
To mount a virtual disk by using DiskPart, you first must use the select vdisk command to specify the
VHD file, and then use the attach vdisk command. The following table shows the available options that
the select vdisk command supports.
Option Description
file = <filename> Specifies the complete path and file name of the virtual disk file. The file may
be on a network share.
noerr For scripting only. When DiskPart encounters an error, it continues to process
commands as if the error did not occur.

The following table shows the available options that the attach vdisk command supports.
Option Description
readonly Attaches the virtual disk as read-only. Any write operation will return an I/O
device error.
sd=<sddl string> Specifies a security descriptor in the SDDL format. By default, the security
descriptor allows access like any physical disk.
usefilesd Specifies that the security descriptor on the virtual file itself should be used on the
virtual disk. If not specified, the disk will not have an explicit security descriptor
unless specified with sd=<sddl string>.

To unmount a virtual disk by using DiskPart, you first must use the select vdisk command to specify the
virtual hard disk file, and then use the detach vdisk command. The detach vdisk command only supports
the noerr option.
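The create vdisk, select vdisk, attach vdisk and detach vdisk commands from the tables above, run non-interactively from Windows PowerShell as an added example (not course code). It creates a fixed-size parent disk and a differencing child disk with the file names used in the text, attaches the child, compares how much host space each file really occupies, and detaches again. It assumes an elevated session and an NTFS volume I: with about 1.5 GB free; the helper name Invoke-DiskPartScript is this example's own.

```powershell
# Added example, not course code. Assumes an elevated session, an NTFS volume I:
# with at least 1.5 GB free, and the file names I:\parentdisk.vhdx and
# I:\newdiffdisk.vhdx (the names used in the text above).
$Parent = 'I:\parentdisk.vhdx'
$Child  = 'I:\newdiffdisk.vhdx'

function Invoke-DiskPartScript {
    param([Parameter(Mandatory)][string]$Commands)
    # diskpart /s runs a script file non-interactively. ASCII encoding avoids a
    # byte-order mark that diskpart would read as part of the first command.
    $path = Join-Path -Path $env:TEMP -ChildPath ('diskpart-{0}.txt' -f [guid]::NewGuid())
    Set-Content -Path $path -Value $Commands -Encoding Ascii
    try     { diskpart /s $path }
    finally { Remove-Item -Path $path -ErrorAction SilentlyContinue }
}

# 1. Fixed-size parent: the whole 1024 MB is allocated at creation time.
# 2. Differencing child: no maximum= or type=, both come from the parent;
#    parent=<file> establishes the parent/child link (source= would only copy blocks).
# 3. Attach the child: writes land in the child file, the parent is never modified.
Invoke-DiskPartScript @"
create vdisk file=$Parent maximum=1024 type=fixed
create vdisk file=$Child parent=$Parent
select vdisk file=$Child
attach vdisk
list vdisk
"@

# Host-side sizes: the fixed parent occupies its full size, the child only the
# metadata of an empty expandable disk until data is written to it.
Get-Item -Path $Parent, $Child |
    Select-Object Name, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }

# Detach when done: while attached the .vhdx is held open and cannot be deleted
# or safely moved. To inspect the parent later without risking a write that
# would invalidate the child, attach it with "attach vdisk readonly".
Invoke-DiskPartScript @"
select vdisk file=$Child
detach vdisk
"@
```

The attached child disk appears in Disk Management as a new, uninitialized disk; initialize and format it as you would any other disk. Keep the parent file itself read-only (the text recommends this) so that nothing but the differencing chain ever opens it for writing.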
Managing VHD files by Using Windows PowerShell 4.0
Windows PowerShell 4.0 and 3.0 contain native disk management cmdlets that you can use to script or
manage virtual disks in an enterprise environment.
Windows PowerShell includes commands that you can use to manipulate existing disk image files, which
can be .iso, .vhd, or .vhdx files. You can use the following commands with existing disk image files.
Cmdlet Description
Dismount-DiskImage Dismounts a disk image (virtual hard disk or ISO image) so that it
can no longer be accessed as a disk.
Get-DiskImage Returns information about one or more disk images (virtual hard
disk or ISO image) for the specific location.
Mount-DiskImage Mounts a disk image (virtual hard disk or ISO image), making it
appear as a normal disk.
Note: Use the VirtualDisk cmdlets (Get-VirtualDisk, New-VirtualDisk, and so on) within Windows
PowerShell to manage the virtual disks found in Storage Spaces.
To mount an existing .iso, .vhd, or .vhdx file, you use the following command:
Mount-DiskImage -ImagePath <Path>\<FileName>
Note: To view all the cmdlets available in the Storage module for Windows PowerShell, run
the following cmdlet:
Get-Command -Module Storage
To view the cmdlets for working with disk images, run the following cmdlet:
Get-Command -Module Storage *DiskImage*
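The three DiskImage cmdlets in use, as an added example that is not course code: it mounts a .vhdx file, uses Get-DiskImage to find the disk number Windows assigned, initializes and formats the disk the first time it is mounted, lists its volumes, and dismounts it cleanly. The file name I:\DemoDisk.VHDX is the one created in this module's lab and must already exist; the function names Mount-AndPrepareVhd and Dismount-VhdSafely are this example's own.

```powershell
# Added example, not course code. Assumes an elevated session and an existing
# I:\DemoDisk.VHDX (the file created in this module's lab).
Import-Module Storage

function Mount-AndPrepareVhd {
    param(
        [Parameter(Mandatory)][string]$ImagePath,
        [string]$Label = 'SimpleVHD1',
        [switch]$ReadOnly
    )
    # Mount-DiskImage accepts .iso, .vhd and .vhdx. -Access ReadOnly is the safe
    # choice for inspecting a disk you must not alter (a base image for
    # differencing disks, or a disk kept for evidence).
    $access = if ($ReadOnly) { 'ReadOnly' } else { 'ReadWrite' }
    Mount-DiskImage -ImagePath $ImagePath -Access $access | Out-Null

    # Get-DiskImage reports the disk number Windows assigned to the image.
    $image = Get-DiskImage -ImagePath $ImagePath
    $disk  = Get-Disk -Number $image.Number
    if ($disk.IsOffline -and -not $ReadOnly) {
        Set-Disk -Number $disk.Number -IsOffline $false
    }

    # A freshly created VHD is RAW: initialize, partition and format it once.
    if ($disk.PartitionStyle -eq 'RAW' -and -not $ReadOnly) {
        Initialize-Disk -Number $disk.Number -PartitionStyle GPT
        New-Partition -DiskNumber $disk.Number -UseMaximumSize -AssignDriveLetter |
            Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false |
            Out-Null
    }
    Get-Partition -DiskNumber $disk.Number | Get-Volume |
        Select-Object DriveLetter, FileSystemLabel, FileSystem, HealthStatus,
            @{ n = 'SizeMB'; e = { [math]::Round($_.Size / 1MB) } }
}

function Dismount-VhdSafely {
    param([Parameter(Mandatory)][string]$ImagePath)
    # Dismount before deleting the file or unplugging the drive it lives on;
    # removing a portable drive with the image attached can corrupt the .vhdx.
    Dismount-DiskImage -ImagePath $ImagePath
    (Get-DiskImage -ImagePath $ImagePath).Attached   # $false once detached
}

Mount-AndPrepareVhd -ImagePath 'I:\DemoDisk.VHDX' | Format-Table -AutoSize
Dismount-VhdSafely  -ImagePath 'I:\DemoDisk.VHDX'
```

Get-DiskImage is also the quick way to check whether a file is still attached before you move or delete it: its Attached property is $true while any process can reach the disk.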
Lab A: Managing Disks
Scenario
A. Datum Corporation has purchased additional hard drives for the laptop computers used by the
Marketing department. You need to modify the hard drive configuration manually. Due to application
requirements, you need to create several simple partitions, a spanned partition, and a striped partition.
The laptop computers are shared and require that you place a quota on the spanned drive. For certain
instances, you plan to use virtual hard drives.
Objectives
After you complete this lab, you will be able to:
Create and manage volumes in Windows 8.1.
Create disk quotas to manage volume usage.
Manage virtual hard disks.
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL2
User names: Adatum\Administrator and Adatum\Alan
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 4 for 20687C-LON-CL2.
Exercise 1: Creating Volumes
Scenario
A. Datum Corporation has purchased additional hard drives for the laptop computers used by the
Marketing department. To ensure that the new disks can be used for storing corporate Microsoft Office
PowerPoint presentations and media, you need to create and manage the volumes on the newly
installed hard disks.
The main tasks for this exercise are as follows:
1. Create a simple volume by using Disk Management.
2. Create a simple volume by using Windows PowerShell 4.0.
3. Resize a simple volume by using Disk Management.
4. Resize a simple volume by using Windows PowerShell version 4.0.
5. Create a spanned volume by using Disk Management.
6. Create a striped volume by using Disk Management.
Task 1: Create a simple volume by using Disk Management
1. Sign in to LON-CL2 as Adatum\Administrator.
2. Start Disk Management.
3. Create a new simple volume on Disk 2.
4. Complete the New Simple Volume Wizard by using the following settings:
o Volume Size: 5103 MB
o Name the volume Simple1
5. Close Disk Management and any open windows.
Task 2: Create a simple volume by using Windows PowerShell 4.0
1. Start Windows PowerShell as administrator.
2. At the Windows PowerShell command prompt, run the following commands:
o Get-Disk -Number 3 | New-Partition -Size (5GB) | Format-Volume -Confirm:$false
-FileSystem NTFS -NewFileSystemLabel Simple2
o Get-Partition (Note the number of the partition you just created on Disk 3. You will use it in the
next step.)
o Set-Partition -DiskNumber 3 -PartitionNumber x -NewDriveLetter H (where x is the partition
number from the previous step.)
3. Minimize the Windows PowerShell Command Prompt window.
4. In File Explorer, verify that the volume that you created is visible.
5. Close File Explorer and then minimize the PowerShell command prompt window.
Task 3: Resize a simple volume by using Disk Management
1. Open the Start screen, and then start Disk Management.
2. Start the Extend Volume Wizard, and then extend Simple1 with 500 MB from Disk 2.
3. Close Disk Management.
Task 4: Resize a simple volume by using Windows PowerShell version 4.0
1. Restore the Windows PowerShell Command Prompt window.
2. At the Windows PowerShell command prompt, run the Get-Partition command.
3. Note the disk number, partition number, and size for the H: drive.
4. At the Windows PowerShell command prompt, run the following command, and then substitute the
DiskNumber and PartitionNumber information with the information you recorded in the previous
step:
o Resize-Partition -DiskNumber 3 -PartitionNumber 1 -Size (5.5GB)
5. At the Windows PowerShell command prompt, run the Get-Partition command.
6. Compare the size of the Simple2 volume with the size previously reported.
7. Minimize the Windows PowerShell Command Prompt window.
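Tasks 2 and 4 of this exercise as one Windows PowerShell script, added here as an example (it is not lab code). It creates and formats the Simple2 volume in a single pipeline, looks the partition up by drive letter instead of asking you to note its number, and checks with Get-PartitionSupportedSize that the requested new size is one the disk can actually provide before calling Resize-Partition. It assumes Disk 3 has enough unallocated space and that drive letter H: is free, as in the lab; New-LabVolume and Resize-LabVolume are names chosen for this example.

```powershell
# Added example, not lab code. Assumes Disk 3 has at least 5.5 GB of
# unallocated space and drive letter H: is free, as in the lab.
function New-LabVolume {
    param(
        [int]    $DiskNumber  = 3,
        [uint64] $Size        = 5GB,
        [char]   $DriveLetter = 'H',
        [string] $Label       = 'Simple2'
    )
    # Task 2 in one pipeline. Passing -DriveLetter to New-Partition removes the
    # manual "note the partition number" step; the partition object is kept so
    # its number is available afterwards.
    $partition = Get-Disk -Number $DiskNumber |
        New-Partition -Size $Size -DriveLetter $DriveLetter
    $partition |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false |
        Out-Null
    return $partition
}

function Resize-LabVolume {
    param([char]$DriveLetter = 'H', [uint64]$NewSize = 5.5GB)
    # Task 4: look the partition up by drive letter instead of hard-coding
    # -DiskNumber 3 -PartitionNumber 1.
    $partition = Get-Partition -DriveLetter $DriveLetter
    # Resize-Partition fails if the target size is outside what the disk
    # supports; check first so the failure is explicit and explains itself.
    $limits = Get-PartitionSupportedSize -DiskNumber $partition.DiskNumber `
                                         -PartitionNumber $partition.PartitionNumber
    if ($NewSize -lt $limits.SizeMin -or $NewSize -gt $limits.SizeMax) {
        throw ('Requested {0:N0} bytes; disk {1} supports {2:N0}..{3:N0}' -f
               $NewSize, $partition.DiskNumber, $limits.SizeMin, $limits.SizeMax)
    }
    $before = $partition.Size
    Resize-Partition -DiskNumber $partition.DiskNumber `
                     -PartitionNumber $partition.PartitionNumber -Size $NewSize
    # Report the change, as the lab asks you to compare with Get-Partition.
    Get-Partition -DriveLetter $DriveLetter |
        Select-Object DiskNumber, PartitionNumber,
            @{ n = 'BeforeGB'; e = { [math]::Round($before / 1GB, 2) } },
            @{ n = 'AfterGB';  e = { [math]::Round($_.Size / 1GB, 2) } }
}

New-LabVolume    | Select-Object DiskNumber, PartitionNumber, DriveLetter, Size
Resize-LabVolume | Format-Table -AutoSize
```

Get-PartitionSupportedSize returns SizeMin (the space the data already occupies) and SizeMax (the partition plus the contiguous free space after it), which is the same constraint the Extend Volume Wizard applies in Disk Management.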
Task 5: Create a spanned volume by using Disk Management
1. Open the Start screen, and then start Disk Management.
2. Right-click the unallocated space on Disk 2, and then start the New Spanned Volume Wizard.
3. Complete the New Spanned Volume Wizard by using defaults, except for the following information:
o Use 2000 MB from Disk 2
o Use 1500 MB from Disk 3
o Use 4000 MB from Disk 4
o Name the volume SpannedVol
o Select the Perform a quick format check box.
4. Read the Disk Management warning, and then click Yes.
Task 6: Create a striped volume by using Disk Management
1. Right-click the unallocated space on Disk 2, and then start the New Striped Volume Wizard.
2. Complete the New Striped Volume Wizard by using defaults, except for the following information:
o Use 2000 MB from each disk.
o Name the volume StripedVol.
o Select the Perform a quick format check box.
3. Close Disk Management and any open windows.

Results: After completing this exercise, you should have created several volumes on a client computer.
Exercise 2: Configuring Disk Quotas
Scenario
In this exercise, you will configure a disk quota on one of the new volumes. You will enforce a quota limit,
and then sign in as a standard user to test the quota limit.
The main tasks for this exercise are as follows:
1. Create disk quotas on a volume.
2. Create test files.
3. Test the disk quota.
4. Review quota alerts and logging.
Task 1: Create disk quotas on a volume
1. On LON-CL2, open File Explorer, and then navigate to This PC.
2. Open the StripedVol (I:) Properties.
3. Click the Quota tab, and then enable quotas with the following settings:
o Deny disk space to users exceeding quota limit
o Limit disk space to 6 MB
o Set warning level to 4 MB
o Log event when a user exceeds their warning level
4. Close all open windows.
Task 2: Create test files
1. Open a Command Prompt window, and then run the following commands on the I: drive:
o fsutil file createnew 2mb-file 2097152
o fsutil file createnew 1kb-file 1024
2. Sign out from LON-CL2.
Task 3: Test the disk quota
1. Sign in to LON-CL2 as Adatum\Alan.
2. Open File Explorer to the StripedVol (I:) drive.
3. Create a new folder called Alan's files.
4. Copy the 1kb-file and 2mb-file files to Alan's files.
5. Make a copy of the 2mb-file.
6. Make another copy of 2mb-file.
7. Review the message that appears when you make the second copy, and then click Cancel.
8. Sign out from LON-CL2.
Task 4: Review quota alerts and logging
1. Sign in to LON-CL2 as Adatum\Administrator.
2. Open File Explorer, and then navigate to This PC.
3. Open the StripedVol (I:) Properties.
4. Click the Quota tab, and then open the Quota Entries.
5. Review the entries for Alan Steiner in the Quota Entries for StripedVol (I:) dialog box, and then
close all open windows.
6. Open the Event Viewer, and then look for events with an Event ID of 36.
7. Review the event or events found, and then close all open windows.

Results: After completing this exercise, you should have created and tested a disk quota.
Exercise 3: Managing Virtual Hard Disks
Scenario
In this exercise, you will create, mount, and then delete a virtual hard disk.
The main tasks for this exercise are as follows:
1. Create a virtual hard disk.
2. Mount the VHD file, browse to the VHD file, and create files on the drive.
3. Remove a mounted VHD file.
Task 1: Create a virtual hard disk
1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start Disk Management.
3. Complete the Create and Attach Virtual Hard Disk Wizard by using the following settings:
o Name the volume I:\DemoDisk.VHDX.
o Use 100 MB as the disk size
o Use .vhdx format
o Dynamically expanding disk type
4. Open an Administrative Command Prompt window, and then open DiskPart.
5. Create a virtual hard drive by using the following settings:
o Name the VHD file I:\virtualdisk2.vhdx
o Use 1048 MB as the disk size
o Use .vhdx format
o Dynamically expanding disk type
Task 2: Mount the VHD file, browse to the VHD file, and create files on the drive
1. Using the Virtual Hard Disk I:\DemoDisk.VHDX created previously, bring the disk online, and then
format the unallocated space, naming the drive SimpleVHD1.
2. In File Explorer, verify that a new drive named SimpleVHD1 has been created.
3. Create a new folder named Test on the new drive.
4. Create a new Notepad document named Test.txt, and then save it on the new drive.
5. Using the Virtual Hard Disk I:\virtualdisk2.vhdx created previously, bring the disk online, and then
format the unallocated space, naming the drive SimpleVHD2.
6. In File Explorer, verify that a new drive named SimpleVHD1 has been created.
7. Create a new folder named Test on the new drive.
8. Open the Test folder, and then create a new Notepad document named Test.txt.
Task 3: Remove a mounted VHD file
1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start Disk Management.
3. Detach the virtual disk SimpleVHD1.
4. Open an Administrative Command Prompt window, and then open DiskPart.
5. Detach the mounted virtual disk I:\virtualdisk2.vhdx.

Results: After completing this exercise, you should have created, mounted and then deleted a VHD file.
To prepare for the next lab
When you have finished the lab, leave the virtual machines running as they are needed for the next lab.
Lesson 4
Installing and Configuring Device Drivers
Devices have changed from being single-function peripherals to complex, multifunction devices with a
large amount of local storage and the ability to run many apps. They have evolved from a single type of
connection, such as USB 1.0, to multi-transport devices that support USB 3.0, Bluetooth, and Wi-Fi. Newer
connection methods such as near field communication and Miracast wireless display capabilities are
emerging technologies that have built-in support within Windows 8.1.
Many of today's devices often are integrated and sold with services that are delivered over the Internet.
Internet delivery has simplified the delivery mechanism, which means that a computer's ability to
recognize and use devices has expanded to cover several possibilities. Microsoft constantly expands the
list of devices and peripherals that are being tested for compatibility with Windows 8.1.
The device experience in Windows 8.1 is designed on existing connectivity protocols and driver models to
maximize compatibility with existing devices. You can use the following areas in Windows 8.1 to manage
devices:
The Devices and Printers control panel item gives users a single location to find and manage all the
devices that connect to a Windows 8.1-based computer, and it provides quick access to device status,
product information, and key functions such as faxing and scanning. This enhances and simplifies the
customer experience with a Windows 8.1-connected device.
Device Manager is used to view and update hardware settings and driver software for devices such as
internal hard drives, network cards, sound cards, video or graphics cards, memory, processors, and
other internal computer components.
Building on the Plug and Play concept, seamless user experiences begin with the ability to effortlessly
connect devices to a Windows 8.1 device. Up-to-date and newly released drivers are retrieved
automatically from Windows Update, and when appropriate, users are given an option to download and
install additional applications for the device. These components all help reduce support calls and increase
customer satisfaction.
Lesson Objectives
After completing this lesson, you will be able to:
Describe device drivers in Windows 8.1.
Describe the process for installing devices and drivers.
Describe the process for installing drivers into the Driver Store.
Describe the device driver management tools.
Describe the options for updating drivers.
Describe how to manage signed drivers.
Discuss options for recovering from a driver issue.
Manage drivers on a Windows 8.1 computer.
Overview of Device Drivers in Windows 8.1
A driver is a small software application that the
operating system uses to communicate with
hardware or devices. Generally, they are specific to
an operating system or a family of operating
systems. Without drivers, the hardware that you
connect to a computer does not work properly.
Windows supports most devices without needing
additional downloads. With Windows 8.1,
additional drivers and device support are available
online through Windows Update. If the Windows
operating system does not have a required driver,
look for it on the disc that came with the
hardware or device, or on the manufacturer's website.
32-Bit and 64-Bit Drivers
Windows 8.1 is available in 32-bit and 64-bit versions. Drivers that were developed for the 32-bit version
do not work with the 64-bit version, and vice versa. You must make sure that you obtain appropriate
device drivers before you install Windows 8.1.
Driver Signing
The device drivers that are included with Windows 8.1 have a Microsoft digital signature that indicates
whether a particular driver or file has met a certain level of testing, is stable and reliable, and has not been
altered since it was digitally signed. Windows 8.1 checks for a driver's digital signature during installation
and prompts the user if no signature is available.
Note: The signature file is stored as a .cat file in the same location as the driver file.
Driver Store and Driver Packages
The driver store is the driver repository in Windows 8.1. A driver package is a set of files that make up a
driver. It includes the .inf file, any files that the .inf file references, and the .cat file that contains the digital
signature for the device driver. You can preload the driver store with drivers for commonly used
peripheral devices. The driver store is located in %SystemRoot%\System32\DriverStore.
Installing a driver is a two-stage process. First, you install the driver package into the driver store. You
must use administrator credentials to install the driver package into the driver store. The second step is to
attach the device and install the driver. A standard user can perform this second step.
During hardware installation, if the appropriate driver is not available, Windows 8.1 uses Windows Error
Reporting to report an unknown device. This enables OEMs to work with Microsoft to provide additional
information to users, such as a statement of nonsupport for a particular device, or a link to a website with
additional support information.
In Windows 8.1, the Device Metadata Retrieval Client provides an end-to-end process for defining and
distributing device metadata packages. These packages contain device-experience XML documents that
represent a device's properties and functions, together with applications and services that support the
device. Through these XML documents, the Devices and Printers control panel category page, and Device
Stage, users are presented with an interface that is specific to the device, which the device maker defines.
Windows 8.1 uses WMIS to discover, index, and match device metadata packages to specific devices that
are connected to a computer. Device makers also can distribute device metadata packages directly to a
computer through their own setup applications.
Note: You can use the Pnputil.exe tool to add a driver to the Windows 8.1 driver store
manually.
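The driver store, driver packages and signature checks described above, as an added Windows PowerShell example (not course code). It lists the third-party packages in the driver store with Get-WindowsDriver from the Dism module, verifies the Authenticode signature on each package's .cat file, and stages a new package into the store with Pnputil.exe only after its catalog signature has been verified, which is stage one of the two-stage installation described above. It assumes an elevated session and the Dism module that ships with Windows 8.1; the path C:\Drivers\sample\sample.inf is a placeholder, and Get-DriverStoreAudit and Add-DriverPackage are names chosen for this example.

```powershell
# Added example, not course code. Assumes an elevated session and the Dism
# module that ships with Windows 8.1. C:\Drivers\sample\sample.inf is a
# placeholder path for a package you want to stage.
Import-Module Dism

function Get-DriverStoreAudit {
    # Get-WindowsDriver -Online lists the third-party packages (oemNN.inf) in
    # %SystemRoot%\System32\DriverStore; in-box drivers are not included.
    foreach ($drv in Get-WindowsDriver -Online) {
        # OriginalFileName is the full path of the INF inside FileRepository;
        # the package's .cat file sits in the same folder.
        $pkgDir = Split-Path -Path $drv.OriginalFileName -Parent
        $cat    = Get-ChildItem -Path $pkgDir -Filter '*.cat' -ErrorAction SilentlyContinue |
                  Select-Object -First 1
        $sig    = if ($cat) { Get-AuthenticodeSignature -FilePath $cat.FullName }
        [pscustomobject]@{
            PublishedName = $drv.Driver            # oemNN.inf, what pnputil -d expects
            Provider      = $drv.ProviderName
            Class         = $drv.ClassName
            Version       = $drv.Version
            BootCritical  = $drv.BootCritical
            Catalog       = if ($cat) { $cat.Name } else { '(none)' }
            SignatureOK   = [bool]($sig -and $sig.Status -eq 'Valid')
            Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

function Add-DriverPackage {
    param([Parameter(Mandatory)][string]$InfPath)
    # Stage a package into the driver store (stage one of the two-stage install)
    # only if its catalog carries a valid signature, so an unsigned or altered
    # package never reaches the store.
    if (-not (Test-Path -Path $InfPath)) { throw "INF not found: $InfPath" }
    $cat = Get-ChildItem -Path (Split-Path -Path $InfPath -Parent) -Filter '*.cat' |
           Select-Object -First 1
    if (-not $cat) { throw "No catalog (.cat) next to $InfPath; refusing to stage" }
    $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
    if ($sig.Status -ne 'Valid') {
        throw ('Catalog {0} signature status is {1}; refusing to stage' -f $cat.Name, $sig.Status)
    }
    pnputil -a $InfPath      # -a adds the package to the store without installing it on a device
}

# Packages whose catalog is missing or whose signature does not verify are the
# ones to investigate first.
Get-DriverStoreAudit | Where-Object { -not $_.SignatureOK } | Format-Table -AutoSize

# Uncomment to stage a package (placeholder path):
# Add-DriverPackage -InfPath 'C:\Drivers\sample\sample.inf'
```

Get-AuthenticodeSignature reports NotSigned, UnknownError (typically an untrusted publisher chain) or Valid; because the .cat file covers every file the .inf references, a valid catalog signature is the check that tells you the whole package is unaltered, not just the .sys file.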
Installing Devices and Drivers
Windows operating systems have supported Plug and Play for device and driver installation since the Microsoft Windows 95 operating system. When you install a new device, typically Windows 8.1 recognizes and configures it. To support Plug and Play, devices contain configuration and driver information. Each Plug and Play device must:
• Be uniquely identified.
• State the services it provides and resources that it requires.
• Identify the driver that supports it.
• Allow software to configure it.
Windows 8.1 reads this information when a device is attached to the computer and then completes the configuration so that the device works properly with the other installed devices. When properly implemented, Plug and Play provides automatic configuration of PC hardware and devices. The driver architecture for Windows supports comprehensive, operating system-controlled Plug and Play. Plug and Play technologies are defined for Institute of Electrical and Electronics Engineers 1394 (IEEE 1394), Peripheral Component Interconnect (PCI) cards, PC Card/CardBus, USB, SCSI, Advanced Technology Attachment (ATA), Industry Standard Architecture (ISA), LPT, and Component Object Model (COM). You can use Device Manager to manually install drivers for devices that are not compliant with Plug and Play.
Windows 8.1 introduces several improvements to the way that users can discover and use the devices that their computers host and that connect to their computers. Windows 8.1 can detect nearby devices in the home, automatically making them available for use. Windows 8.1 also can install a Windows 8.1 device app automatically from the Windows Store when users connect their device for the first time. The Windows 8.1 device apps that are companions to a device or PC can use the full range of functionality of that device or PC.
Improved End-User Experience
The success of a driver installation depends on several factors. Two key factors are whether a device is
supported by a driver package that is included with a Windows operating system, available on Windows
Update, or available from the Windows Store, and whether the user has media with the driver package
that the vendor provides. Windows 8.1 includes several features that help an administrator make device
driver installation more straightforward for users:
• Staging driver packages in the protected Driver Store. A standard user without any special privileges or permissions can install a driver package that is in the Driver Store.
• Configuring client computers to search a specified list of folders automatically when a new device attaches to the computer. A network share can host these folders. When a device driver is accessible in this manner, the Windows operating system does not need to prompt the user to insert media.
• Rebooting the system is rarely necessary when installing Plug and Play devices or software applications. This is true because of the following reasons:
o The Plug and Play Manager installs and configures drivers for Plug and Play devices when the operating system is running.
o Applications can use side-by-side components instead of replacing shared, in-use dynamic-link libraries (DLLs).
These features improve the user experience and reduce help-desk support costs because standard users can install approved driver packages without requiring additional permissions or administrator assistance. These features also help increase computer security by ensuring that standard users can install only driver packages that you authorize and trust.
Driver Detection Process
When a user inserts a device, the Windows operating system detects it and then signals the Plug and Play
service to make the device operational. Plug and Play queries the device for identification strings and
searches the driver store for a driver package that matches the identification strings. If a matching
package is found, Plug and Play copies the device driver files from the driver store to their operational
locations, typically %SystemRoot%\System32\Drivers, and then updates the registry as needed. Finally,
Plug and Play starts the newly installed device driver.
If a matching package is not found in the driver store, the Windows operating system searches for a
matching driver package by looking in the following locations:
• Folders specified by the DevicePath registry entry.
• The Windows Update website.
• Media or a manufacturer's website that is provided after the system prompts the user.
A Windows operating system also checks that the driver package has a valid digital signature. If the driver
package is signed by a certificate that is valid but is not found in the trusted publisher store, the Windows
operating system prompts the user for confirmation.
Staging device driver packages in this manner provides significant benefits. After a driver package is
staged successfully, any user who logs on to that computer can install the drivers by simply plugging in an
appropriate device.
Non-Plug and Play Devices
Devices that are not compatible with Plug and Play are becoming increasingly rare as manufacturers stop
producing them in favor of Plug and Play devices. The term non-Plug and Play typically applies to older
pieces of equipment with devices that require manual configuration of hardware settings before use. To
view non-Plug and Play devices, in Device Manager, click the View menu, click Show hidden devices, and
then expand Non-Plug and Play Drivers.
Staging Drivers in the Driver Store
Typically, standard users cannot install device drivers. However, you can use the Plug and Play utility (Pnputil.exe) to stage drivers to the driver store. After the signed driver package is in the driver store, a Windows operating system considers the package trusted.
Note: Run the pnputil.exe tool from an elevated command prompt. The tool cannot invoke the User Account Control dialog box. If you attempt to use the pnputil.exe tool from a command prompt that is not running as administrator, the commands fail.
To add a driver, use the -a parameter to specify the path and name of the driver, for example, pnputil -a
<PathToDriver>/<Driver>.inf. The Windows operating system validates that the signature attached to
the package is valid, the files are unmodified, and the file thumbprints match the signature.
After adding a driver, note the assigned number. Drivers are renamed oem*.inf during the addition. This is
to ensure unique naming. For example, the file MyDriver1.inf may be renamed oem0.inf. You can view the
published name by using the -e parameter, for example, pnputil -e.
Typically, you do not need to uninstall a Plug and Play device. Just disconnect or unplug the device so
that the Windows operating system does not load or use the driver.
The following table lists the options available with pnputil.exe.
Option                              Description
-a <PathToDriver>/<Driver>.inf      Add the driver package specified by <PathToDriver>/<Driver>.inf to the Driver Store.
-a <PathToDriver>/*.inf             Add all the driver packages in the specified path.
-i -a <PathToDriver>/<Driver>.inf   Add the driver package specified by <PathToDriver>/<Driver>.inf to the Driver Store and install it.
-e                                  Enumerate all third-party driver packages.
-d OEM<#>.inf                       Delete the driver package specified by OEM<#>.inf.
-f -d OEM<#>.inf                    Force the deletion of the driver package specified by OEM<#>.inf.
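The staging procedure above, scripted as an added example (this is not course material and not part of pnputil): it checks that the session is elevated and that the package's catalog carries a valid signature before staging, then records the oem*.inf name the store assigned. It assumes Windows 8.1 with the DISM PowerShell module (Get-WindowsDriver) and that pnputil -a prints a "Published name : oemNN.inf" line on success; the .inf path in the example call is a placeholder.

```powershell
# Added example; not course material and not part of pnputil. Stages a driver package with
# pnputil -a and reports the oem*.inf name the Driver Store assigned to it.
# Assumptions: Windows 8.1 with the DISM PowerShell module (Get-WindowsDriver), an elevated
# session, and that pnputil -a prints a "Published name : oemNN.inf" line on success.

function Add-StagedDriver {
    [CmdletBinding()]
    param(
        # Full path to the package's .inf; the path in the example call below is a placeholder.
        [Parameter(Mandatory = $true)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$InfPath
    )

    # pnputil cannot raise the UAC prompt itself, so fail early when not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'pnputil must run from an elevated session; this session is not elevated.'
    }

    # The signature of a driver package lives in the catalog named by the CatalogFile
    # directive in the .inf [Version] section (CatalogFile.NTamd64 and similar variants too).
    $infDir  = Split-Path -Parent $InfPath
    $catName = Get-Content -LiteralPath $InfPath |
        Select-String -Pattern '^\s*CatalogFile(\.\w+)?\s*=\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[2].Value } |
        Select-Object -First 1
    if (-not $catName) { throw "No CatalogFile directive in $InfPath; the package is unsigned." }

    # 'Valid' means the catalog is signed and the signer chains to a root this computer trusts.
    # 'NotTrusted' is the case in which Windows would prompt the user for confirmation.
    $sig = Get-AuthenticodeSignature -FilePath (Join-Path $infDir $catName)
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to stage: catalog $catName has signature status '$($sig.Status)'."
    }

    $output = & pnputil.exe -a $InfPath 2>&1 | Out-String
    $match  = [regex]::Match($output, 'Published name\s*:\s*(oem\d+\.inf)', 'IgnoreCase')
    if (-not $match.Success) {
        throw "pnputil did not report a published name. Output was:`n$output"
    }
    $published = $match.Groups[1].Value

    # Read the package back from the store (the PowerShell view of what pnputil -e lists).
    $staged = Get-WindowsDriver -Online -Driver $published | Select-Object -First 1
    [pscustomobject]@{
        PublishedName    = $published
        OriginalFileName = Split-Path -Leaf $staged.OriginalFileName
        Provider         = $staged.ProviderName
        Class            = $staged.ClassName
        Version          = $staged.Version
        Signer           = $sig.SignerCertificate.Subject
    }
}

# Example call (placeholder path). Keep the returned PublishedName: it is the oemNN.inf
# name that pnputil -d expects if the package later has to be removed.
# Add-StagedDriver -InfPath 'C:\Staging\point64.inf'
```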
Device Driver Management Tools
There are several areas in Windows 8.1 from which you can manage devices and their related drivers:
• Windows 8.1 device apps
• Device Manager
• Devices and Printers
• Device Stage
• The Pnputil tool, run from an elevated command prompt or Windows PowerShell
Windows 8.1 Apps
Windows 8.1 introduces the Windows 8.1 device apps, which build on the Plug and Play experience from
Windows 7. Using these apps, device manufacturers can deliver an app that is paired with their device and
is downloaded automatically to the user the first time the device is connected. Providing a Windows 8.1
device app gives hardware developers a unique opportunity to highlight device functionality.
Device Manager
Device Manager helps you install and update the drivers for hardware devices, change the hardware
settings for those devices, and troubleshoot problems. You can perform the following tasks in Device
Manager:
• View a list of installed devices. View all devices that are installed currently based on their type, by their connection to the computer, or by the resources they use. This device list is recreated after every system restart or dynamic change.
• Uninstall a device. Uninstall the device driver and remove the driver software from the computer.
• Enable or disable devices. If you want a device to remain attached to a computer without being enabled, you can disable the device instead of uninstalling it. Disable is different from uninstall because only the drivers are disabled, and the hardware configuration is not changed.
• Troubleshoot devices. Determine whether the hardware on a computer is working properly. If a device is not operating correctly, it may be listed as an Unknown Device with a yellow question mark (?) next to it.
• Update device drivers. If you have an updated driver for a device, you can use Device Manager to apply the updated driver.
• Roll back drivers. If you experience system problems after updating a driver, you can roll back to a previous driver. Using this feature, you can reinstall the last device driver that was functioning before the installation of the current device driver.
You can use Device Manager to manage devices on a local computer only. On a remote computer, Device Manager works in read-only mode. This means that you can view but not change that computer's hardware configuration. Device Manager is accessible in the Hardware and Sound category in Control Panel.
View the Status of a Device
The status of a device shows whether a device has drivers installed and whether the Windows operating
system is able to communicate with the device. To view the status of a device, follow this procedure in
Device Manager:
1. Right-click the device, and then click Properties.
2. On the General tab, the Device status area shows a description of the current status.
Hidden Devices
The most common type of hidden device is for non-Plug and Play devices, storage volumes, and internal
network adapters. To view hidden devices in Device Manager, click View, and then click Show hidden
devices.
Devices and Printers
The Hardware and Sound category in Control Panel provides additional places to manage devices, such as Devices and Printers. Wizards guide you through the setup process, which simplifies complex configuration tasks. Windows 8.1 recognizes new devices and automatically attempts to download and install any drivers that are required for a device.
After a device is connected, it appears in the Devices and Printers control panel category page. Devices
that display in this location usually are external ones that you connect to or disconnect from a computer
through a port or network connection. These devices include, but are not limited to, the following:
• Portable devices, such as mobile phones, music players, and digital cameras.
• All devices plugged into a USB port on a computer, such as flash drives, webcams, keyboards, and mice.
• All printers, whether they are connected by USB cable, the network, or wirelessly.
• Bluetooth and wireless devices.
• The computer itself.
• Network-enabled scanners or media extenders.
• Internal card readers.
• Monitors and other displays.
Devices and Printers does not include the following:
• Devices such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components.
• Speakers that are connected to a computer with conventional speaker wires.
• Older devices, such as mice and keyboards that connect to a computer through a PS/2 or serial port.
In Devices and Printers, a multifunction printer shows and can be managed as one device instead of
individual printer, scanner, or fax devices. In Device Manager, each individual component of a
multifunction printer is displayed and managed separately.
PC Settings
A new option with Windows 8.1 is PC settings. To access PC settings, click the Settings charm from the bottom right corner of the Start screen, and then click Change PC settings. In the left pane, click PC and devices, click Devices, and then add devices, remove already installed devices, or search for recommended apps for the device.
Device Stage
Device Stage provides users with a new way to access devices and advanced options for managing them.
Devices in use are shown with a photorealistic icon. This icon can include quick access to common device
tasks and status indicators that let users quickly discern battery status, device synchronization status,
remaining storage capacity, and other information. Device makers can customize this experience to
highlight device capabilities and branding, and they can include links to product manuals, additional
applications, community information and help, or additional products and services.
The entire Device Stage experience remains current. Graphics, task definitions, status information, and
links to websites are distributed to computers by using WMIS.
For a list of device-stage experiences, go to:
Windows 8.1 device experience
http://go.microsoft.com/fwlink/?LinkId=266558
Options for Updating Drivers
A newer version of a device driver often adds functionality and fixes problems that were discovered in earlier versions, and you can resolve many hardware problems by installing updated device drivers. Also, device driver updates often help resolve security problems and improve performance.
Dynamic Update is a feature that works with Windows Update to download any critical fixes and device drivers that are required during the setup process. Dynamic Update downloads new drivers for devices that are connected to a computer and are required to run Setup. This feature updates the required setup files and improves the Windows 8.1 Setup process.
Dynamic Update downloads the following types of files:
• Critical updates. Dynamic Update replaces files from the Windows 8.1 operating system DVD that require critical fixes or updates. Dynamic Update also replaces DLLs that setup requires. The only files that are downloaded are those that replace existing files. No new files are downloaded.
• Device drivers. Dynamic Update only downloads drivers that are not included on an operating system installation CD or DVD. Dynamic Update does not update existing drivers, but you can obtain these by connecting to Windows Update after setup is complete.
When updated device drivers are required, Microsoft tries to ensure that you can get them directly from Windows Update or from device manufacturer websites. Check Windows Update first to update drivers after they are installed. If an updated device driver is not available through Windows Update, find the latest version of a device driver by any of the following methods:
• Visit the computer manufacturer's website for an updated driver.
• Visit the hardware manufacturer's website.
• Search the Internet by using the device name.
Note: Exercise care and caution when searching the Internet for device drivers because malware and viruses frequently masquerade on driver download websites. Wherever possible, only download drivers from Microsoft or a manufacturer's website.
You can perform manual device updates in Device Manager. To update a device driver manually, follow
this procedure in Device Manager:
1. Double-click the type of device you want to update.
2. Right-click the device, and then click Update Driver Software.
3. Follow the instructions in the Update Driver Software Wizard.
Windows 8.1 also includes several enhancements to the upgrade experience, including a load driver
feature. If an upgrade is blocked due to incompatible or missing drivers that are required for the system
to start, you can use this feature to load a new or updated driver from the Compatibility Report and
continue with the upgrade.
Managing Signed Drivers
Because device drivers run with system-level privileges and can access anything on a computer, it is critical to trust the device drivers that are installed. Trust, in this context, includes two main principles:
• Authenticity. A guarantee that the package came from its claimed source.
• Integrity. An assurance that the package is completely intact and has not been modified after its release.
Administrators and end users who install Windows-based software can use digital signatures to verify that a legitimate publisher has provided the software package. A digital signature is an electronic security mark that indicates the publisher of the software and whether someone has changed the driver package's original contents. If a publisher signs a driver, you can be confident that the driver comes from that publisher and has not been altered.
A digital signature uses an organization's digital certificate to encrypt specific details about the package. The encrypted information in a digital signature includes a thumbprint for each file that is included with the package. A special cryptographic algorithm referred to as a hash algorithm generates this thumbprint. The algorithm generates a code that only that file's contents can create. Changing a single bit in the file changes the thumbprint. After the thumbprints are generated, they are combined into a catalog and then encrypted.
Note: 64-bit versions of Windows 8.1 require that all drivers be digitally signed.
If your organization has a Software Publishing Certificate, you can use that to add your own digital
signature to drivers that you have tested and that you trust. If you experience stability problems after you
install a new hardware device, an unsigned device driver might be the cause.
Note: To disable the enforcement of driver signatures, access the Advanced Boot Options
menu and select Disable driver signature enforcement. The procedure for accessing the
Advanced Boot Options menu is described in the next topic.
Signature Verification Tool
You can use Sigverif.exe to check if unsigned device drivers are in the system area of a computer. Sigverif.exe writes the results of a scan to a log file that includes the system file, the signature file, and the signature file's publisher. The log file shows any unsigned device drivers as unsigned. You then can choose whether to remove the unsigned drivers.
To remove an unsigned device driver, follow this procedure:
1. Run sigverif to scan for unsigned drivers, and then review the resulting log file.
2. Create a temporary folder for the storage of unsigned drivers.
3. Manually move any unsigned drivers from %SystemRoot%\System32\Drivers into the temporary
folder.
4. Disable or uninstall the associated hardware devices.
5. Restart the computer.
If this resolves the problem, try to obtain a signed driver from the hardware vendor, or replace the
hardware with a device that is compatible with Windows 8.1.
You can obtain a basic list of signed and unsigned device drivers at a command prompt by running the
driverquery command with the /si switch.
Note: Some hardware vendors use their own digital signatures, so drivers can have a valid
digital signature even if Microsoft has not tested them. The Sigverif report lists the vendors for
each signed driver. This can help you identify problem drivers that were issued by particular
vendors.
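An added example (not course material) that covers both the signed-driver discussion above and the Sigverif and driverquery checks: it parses the driverquery /si output, lists the drivers that report as unsigned, and summarizes signed and unsigned counts per manufacturer, the per-vendor view the Sigverif report gives you. It assumes that driverquery /si /fo csv emits the columns DeviceName, InfName, IsSigned and Manufacturer; the report path in the example call is a placeholder.

```powershell
# Added example; not course material. Audits driver signing state from driverquery /si.
# Assumption: "driverquery /si /fo csv" emits the columns DeviceName, InfName, IsSigned
# and Manufacturer, with IsSigned holding the strings TRUE or FALSE.

function Get-DriverSignatureAudit {
    [CmdletBinding()]
    param(
        # Optional CSV path for keeping a record next to the Sigverif log (placeholder in the call).
        [string]$ReportPath
    )

    $rows = @(driverquery.exe /si /fo csv | ConvertFrom-Csv)
    if ($rows.Count -eq 0) { throw 'driverquery returned no rows.' }

    # Drivers the PnP subsystem reports as unsigned: candidates for the removal procedure above.
    $unsigned = @($rows | Where-Object { $_.IsSigned -eq 'FALSE' } |
        Select-Object DeviceName, InfName, Manufacturer)

    # Per-vendor view: a vendor with several unsigned entries is the one to ask for signed drivers.
    $byVendor = $rows | Group-Object Manufacturer | ForEach-Object {
        [pscustomobject]@{
            Manufacturer = $_.Name
            Signed       = @($_.Group | Where-Object { $_.IsSigned -eq 'TRUE' }).Count
            Unsigned     = @($_.Group | Where-Object { $_.IsSigned -eq 'FALSE' }).Count
        }
    } | Sort-Object Unsigned -Descending

    if ($ReportPath) {
        $unsigned | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    }

    [pscustomobject]@{
        TotalDrivers  = $rows.Count
        UnsignedCount = $unsigned.Count
        Unsigned      = $unsigned
        ByVendor      = $byVendor
    }
}

# Example call (placeholder report path):
# $audit = Get-DriverSignatureAudit -ReportPath "$env:TEMP\unsigned-drivers.csv"
# $audit.Unsigned | Format-Table -AutoSize
# $audit.ByVendor | Format-Table -AutoSize
```

A driver that is signed by a vendor certificate the computer does not trust still shows as signed here, so pair this with the Sigverif publisher column before deciding that a driver is safe.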
Benefits of Signing and Staging Driver Packages
Because device driver software runs as a part of an operating system, it is critical that only known and
authorized device drivers are permitted to run. Signing and staging device driver packages on client
computers provide the following benefits:
• Improved security. You can allow standard users to install approved device drivers without compromising computer security or requiring help-desk assistance.
• Reduced support costs. Users can install only devices that your organization has tested and is prepared to support. Therefore, you maintain the security of computers as you simultaneously reduce the demands on the help desk.
• Better user experience. A driver package that is staged in the driver store works automatically when the user plugs in a device. Alternatively, driver packages placed on a shared network folder can be discovered whenever an operating system detects a new hardware device. In both cases, a user is not prompted before installation.
Configuring the Certificate Store to Support an Unknown Certification Authority
On each computer, the Windows operating system maintains a store for digital certificates. As the
computer administrator, you can add certificates from trusted publishers. If a package is received for
which a matching certificate cannot be found, a Windows operating system requires confirmation that the
publisher is trusted. By placing a certificate in a certificate store, you inform a Windows operating system
that packages that are signed by a certificate are trusted.
You can use Group Policy to deploy certificates to client computers. By using Group Policy, you can install
a certificate automatically to all managed computers in a domain, organizational unit, or site.
Discussion: Options for Recovering from a Driver Issue
You can use driver rollback to recover from a device problem if your computer can start successfully, using safe mode if necessary. This is most useful in cases where a device driver update has created a problem. Driver rollback reconfigures a device to use a previously installed driver, overwriting a more recent driver.
To roll back a driver, restart the computer, using safe mode if necessary. Accessing safe mode has changed in Windows 8.1. Perform the following procedure to access safe mode:
1. Hold down the Shift key, and then press F8 during startup. This starts the recovery mode.
2. On the recovery page, click See advanced repair options, click Troubleshoot, and then click Advanced options.
3. From the Advanced options menu, click Windows Startup Settings, and then click Restart.
4. On the subsequent restart, you can access the Advanced Boot Options menu. You then select Safe Mode from the list.
Alternatively, you can use the Msconfig.exe tool to enable safe mode for the next restart from within
Windows 8.1.
Note: To ensure that the function keys operate properly, you should use full-screen mode
when using safe mode.
After you have started a computer successfully in safe mode, as an administrative user, follow this
procedure to roll back a device driver:
1. Open Device Manager.
2. Right-click the device to roll back, and then click Properties.
3. In the Properties dialog box, click the Drivers tab, and then click Roll Back Driver.
4. In the Driver Package rollback dialog box, click Yes.
Note: Rolling back a driver can cause the loss of new functionality and can reintroduce
problems that the newer version addressed.

Note: The Roll Back Driver button is available only if a previous version of the driver was
installed. If the current driver for the device is the only one that was ever installed on the
computer, then the Roll Back Driver button is not available.
System Restore
In rare cases, after you install a device or update a driver for a device, the computer may not start. This
problem may occur in the following situations:
• The new device or the driver causes conflicts with other drivers that are installed on the computer.
• A hardware-specific issue occurs.
• The driver that is installed is damaged.
Sometimes, performing a driver rollback is not sufficient to recover from a computer problem. If you are
unable to recover a computer by using a driver rollback, consider using System Restore.
You can use System Restore when you want to retain all new data and changes to existing files, but still
perform a restoration of the system from when it was running well. Windows 8.1 lets you return a
computer to the way it was at a previous point in time, without deleting any personal files. System Restore
is reversible because an undo restore point is created before the restore operations are completed. During
the restoration, a list of files appears that shows applications that will be removed or added.
To restore a computer to a previous configuration by using System Restore, you can use:
• Safe mode.
• Windows Recovery Environment.
• At the Start screen, type recovery in the Everywhere search screen, select Recovery, and then select Open System Restore.
Last Known Good Configuration
Even the earliest versions of the Windows NT operating system provided the Last Known Good
Configuration startup option as a way of rolling a system back to a previous configuration. In
Windows 8.1, some startup-related configuration and device-related configuration information is stored
in the registry database, specifically, the HKLM\SYSTEM hive. A series of control sets are stored beneath
this registry hive, most notably CurrentControlSet and LastKnownGood. The latter is located in the
HKLM\SYSTEM\Select node.
When you make a device configuration change to a computer, the change is stored in the
CurrentControlSet key in the appropriate registry folder and value. After you restart a computer and
successfully sign in, the Windows operating system synchronizes the CurrentControlSet key and the
LastKnownGood key.
However, if, after a device configuration change, you experience a startup problem but do not sign in, the
two control sets are out of synchronization, and the LastKnownGood key contains the previous
configuration set.
To use the Last Known Good Configuration startup option, restart the computer without logging on, and
then press F8 during the boot sequence to access the Advanced Boot Options menu. Select Last Known
Good Configuration (advanced) from the list.
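To see the control-set relationship described above on a live computer, here is an added example (not course material): it reads HKLM\SYSTEM\Select to find which ControlSet00N is current and which one LastKnownGood points at, then lists the driver and service entries whose Start type or ImagePath differ between the two, which is the configuration a Last Known Good startup would revert to. It only reads the registry; the helper names are this example's own.

```powershell
# Added example; not course material. Compares the current control set with the one
# that Last Known Good points at. Read-only: it writes nothing to the registry.

# Meaning of the Start value on a service or driver key.
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function ConvertTo-StartTypeName {
    param($Value)
    if ($null -eq $Value) { return '' }
    if ($StartTypes.ContainsKey([int]$Value)) { return $StartTypes[[int]$Value] }
    return [string]$Value
}

function Get-ControlSetServices {
    # Returns a hashtable: service or driver key name -> its Start and ImagePath values.
    param([Parameter(Mandatory = $true)][string]$ControlSet)
    $table = @{}
    Get-ChildItem -Path "HKLM:\SYSTEM\$ControlSet\Services" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $table[$_.PSChildName] = [pscustomobject]@{
                Start     = $p.Start
                ImagePath = $p.ImagePath
            }
        }
    return $table
}

function Compare-ControlSets {
    [CmdletBinding()]
    param()
    # The Select key holds Current, Default, Failed and LastKnownGood, each the number N of a ControlSet00N key.
    $select  = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
    $current = 'ControlSet{0:D3}' -f $select.Current
    $lkg     = 'ControlSet{0:D3}' -f $select.LastKnownGood
    Write-Verbose "Current = $current; LastKnownGood = $lkg; Failed = ControlSet$('{0:D3}' -f $select.Failed)"

    if ($current -eq $lkg) {
        # Both values name the same set: the last startup was followed by a sign-in, the sets
        # were synchronized, and a Last Known Good startup would change nothing.
        return @()
    }

    $cur   = Get-ControlSetServices -ControlSet $current
    $old   = Get-ControlSetServices -ControlSet $lkg
    $names = @($cur.Keys) + @($old.Keys) | Sort-Object -Unique

    foreach ($name in $names) {
        $a = $cur[$name]
        $b = $old[$name]
        $differs = ($null -eq $a) -or ($null -eq $b) -or
                   ($a.Start -ne $b.Start) -or ($a.ImagePath -ne $b.ImagePath)
        if ($differs) {
            [pscustomobject]@{
                Service            = $name
                CurrentStart       = if ($a) { ConvertTo-StartTypeName $a.Start } else { '<absent>' }
                LastKnownGoodStart = if ($b) { ConvertTo-StartTypeName $b.Start } else { '<absent>' }
                CurrentImage       = if ($a) { $a.ImagePath } else { '' }
                LastKnownGoodImage = if ($b) { $b.ImagePath } else { '' }
            }
        }
    }
}

# Example call:
# Compare-ControlSets -Verbose | Format-Table -AutoSize
```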
If you have a hardware problem, the cause could be hardware or a device driver. Fortunately, the process
to update device drivers to newer versions is straightforward. Alternatively, you can roll back device
drivers to older versions or reinstall them. Troubleshooting hardware problems often starts by
troubleshooting device drivers. To identify a device driver problem, answer the following questions:
• Did you recently upgrade a device driver or other software related to the hardware? If so, roll back the device driver to the previous version.
• Are you experiencing occasional problems, or is the device not compatible with the current version of the Windows operating system? If so, upgrade the device driver.
• Did the hardware suddenly stop working? If so, upgrade the device driver. If that does not solve the problem, reinstall the device driver. If the problem continues, try troubleshooting the hardware problem.
Demonstration: Managing Drivers
This demonstration shows how to update a device driver and then roll back that driver update. You also
will install a driver into the Driver Store. This demonstration requires two machine restarts.
Demonstration Steps
Update a device driver
1. If necessary, sign in to LON-CL2 as Adatum\Administrator.
2. Start Device Manager.
3. Expand Keyboards, and then update the Standard PS/2 Keyboard driver to the PC/AT Enhanced
PS/2 Keyboard (101/102 Key) driver.
4. Restart the computer when prompted.
Roll back a device driver
1. Sign in to LON-CL2 as Adatum\Administrator.
2. Start Device Manager.
3. Expand Keyboards, and then roll back the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver.
4. Restart the computer when prompted.
5. Sign in to LON-CL2 as Adatum\Administrator.
6. Start Device Manager.
7. Verify that you have successfully rolled back the Standard PS/2 Keyboard driver.
8. Close Device Manager.
Install a driver into the Driver Store
1. Open an elevated command prompt.
2. Use pnputil -a E:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf to install a driver into the Driver Store.
3. Check the list of installed OEM drivers by typing the pnputil -e command, and then press Enter.
Question: If your computer does not start normally due to a device driver issue, what
options are there for performing a driver roll back?
Lab B: Configuring Device Drivers
Scenario
A. Datum recently purchased new laptop computers for the Sales department. The Sales manager has
reported an error with one of the laptop drivers that is causing problems. You have identified the issue
and determined that you need to install an updated driver. Also, you must ensure that members of the
Sales department are able to roll back the driver if it causes errors.
Objectives
After you complete this lab, you will be able to:
• Install and configure a new driver.
• Manage device drivers.
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL2
User names: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
o 20687C-LON-DC1
o 20687C-LON-CL2
Exercise 1: Installing Device Drivers
Scenario
By default, standard users cannot install device drivers. When you know that certain Plug and Play devices will be used in your environment, you can preload the device drivers so that users can use the devices.
The main task for this exercise is as follows:
1. Install a device driver into the protected store.
Task 1: Install a device driver into the protected store
1. Sign in to LON-CL2 as Adatum\Administrator.
2. Open an elevated command prompt.
3. At the command prompt, type pnputil -a E:\Labfiles\Mod03\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf, and then press Enter.
4. Check the list of installed OEM drivers by typing pnputil -e, and then press Enter.

Results: After completing this exercise, you should have installed a driver into the protected Driver Store.
Exercise 2: Managing Device Drivers
Scenario
Several A. Datum users in the Sales department would like to update a poorly performing wireless network device driver on their new laptop computers. You have been asked to demonstrate to these users how they update a device driver and also how they can roll back a device driver if the update does not provide acceptable performance gains.
The main tasks for this exercise are as follows:
1. Install a device driver.
2. Roll back a device driver.
Task 1: Install a device driver
1. Start Device Manager.
2. Expand Keyboards, and then update the Standard PS/2 Keyboard driver to the PC/AT Enhanced
PS/2 Keyboard (101/102 Key) driver.
3. Restart the computer when prompted.
Task 2: Roll back a device driver
1. Sign in to LON-CL2 as Adatum\Administrator.
2. Start Device Manager.
3. Expand Keyboards, and then roll back the PC/AT Enhanced PS/2 Keyboard (101/102 Key) driver.
4. Restart the computer when prompted.
5. Sign in to LON-CL2 as Adatum\Administrator.
6. Start Device Manager.
7. Verify that you have successfully rolled back to the Standard PS/2 Keyboard driver.
8. Close Device Manager.

Results: After completing this exercise, you should have installed and rolled back a device driver.
To prepare for the next module
When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.
Module Review and Takeaways
Common Issues and Troubleshooting Tips
Common Issue: Configuring disk quotas on multiple volumes
Common Issue: Exceeding the quota allowance
Troubleshooting Tip: If you have a hardware problem, the hardware or a device driver may be causing it.
Troubleshooting hardware problems often starts by troubleshooting device drivers.

Review Questions
Question: You are implementing 64-bit Windows 8.1 and need to partition the disk to
support 25 volumes, some of which will be larger than 2 terabytes (TB). Can you implement
this configuration by using a single hard disk?
Question: You have created a volume on a newly installed hard disk by using DiskPart. Now,
you want to continue using DiskPart to perform the following tasks:
Format the volume for NTFS.
Assign the next available drive letter.
Assign a volume label of sales-data.
What two commands must you use for these tasks?
Question: You recently upgraded to Windows 8.1 and are experiencing occasional problems
with the shortcut keys on your keyboard. Describe the first action you might take to the
resolve the issue, and then list the steps to perform the action.
Tools
The following table lists some of the tools that are available for managing hard disks and devices.
Tool: Defrag.exe
  Used for: Performing disk defragmentation tasks from the command line.
  Where to find it: Command prompt
Tool: Device Manager
  Used for: Viewing and updating hardware settings and driver software for devices, such as internal
  hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other
  internal computer components.
  Where to find it: Devmgmt.msc, or embedded in Computer Management
Tool: Windows 8.1 device apps
  Used for: Helping users interact with devices and use the full functionality of devices.
  Where to find it: Start screen or taskbar
Tool: Devices and Printers
  Used for: Providing users a single location to find and manage all the devices connected to their
  Windows 8.1-based computers. Also provides quick access to device status, product information, and
  key functions such as faxing and scanning to enhance and simplify the customer experience with a
  Windows 8.1-connected device.
  Where to find it: Control Panel
Tool: The Optimize Drives tool
  Used for: Rearranging fragmented data so that disks and drives can work more efficiently.
  Where to find it: In File Explorer, right-click a volume, click Properties, click the Tools tab,
  and then click Optimize.
Tool: Disk Management
  Used for: Managing disks and volumes, both basic and dynamic, locally or on remote computers.
  Where to find it: Diskmgmt.msc
Tool: DiskPart
  Used for: Managing disks, volumes, and partitions from the command line or from the Windows
  Preinstallation Environment.
  Where to find it: At a command prompt, type DiskPart.
Tool: Fsutil.exe
  Used for: Performing tasks that are related to FAT and NTFS, such as managing reparse points,
  managing sparse files, or dismounting a volume.
  Where to find it: Elevated command prompt
Tool: Pnputil.exe
  Used for: Adding drivers to and managing drivers in the protected device store.
  Where to find it: Elevated command prompt

Module 6
Configuring Network Connectivity
Contents:
Module Overview 6-1
Lesson 1: Configuring IPv4 Network Connectivity 6-2
Lesson 2: Configuring IPv6 Network Connectivity 6-9
Lesson 3: Implementing Automatic IP Address Allocation 6-14
Lab A: Configuring a Network Connection 6-21
Lesson 4: Implementing Name Resolution 6-25
Lab B: Resolving Network Connectivity Issues 6-30
Lesson 5: Implementing Wireless Network Connectivity 6-33
Module Review and Takeaways 6-39

Module Overview
Network connectivity is essential in today's business environment. An increasing number of computer
users want to connect their computers to a network. These users might be part of a business network
infrastructure, a home office, or they might need to share files and access the Internet.
The Windows 8.1 operating system provides enhanced networking functionality compared with earlier
Windows client operating systems, and it provides support for newer technologies. By default,
Windows 8.1 implements both TCP/Internet Protocol version 4 (IPv4) and TCP/Internet Protocol version 6
(IPv6). Understanding IPv4, IPv6, and the operating system's access capabilities will help you configure
and troubleshoot Windows 8.1 networking features.
Objectives
After completing this module, you will be able to:
Describe how to configure IPv4 network connectivity.
Describe how to configure IPv6 network connectivity.
Implement automatic IP address allocation.
Implement name resolution.
Implement wireless network connectivity.
Lesson 1
Configuring IPv4 Network Connectivity
IPv4 uses a specific addressing scheme and name-resolution mechanism to transmit data between
connected nodes. To connect and configure computers that are running Windows 8.1 to a network, you
must understand the concepts of the IPv4 addressing scheme.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the use of IPv4 in network connectivity.
Describe how to define network IDs with subnet masks.
Describe the purpose of the default gateway.
Describe public and private IPv4 addresses.
Configure a network connection with an IPv4 address.
Describe how to verify IPv4 network connectivity.
Network Connectivity Using IPv4
To troubleshoot network connectivity problems,
you must be familiar with IPv4 addresses and how
they work. Communication between computers
can happen only if they can identify each other on
the network. When you assign a unique IPv4
address to each networked computer, the IPv4
address identifies the computer to the other
computers on the network. That IPv4 address,
combined with the subnet mask, also identifies the
computer's location on the network, much like the
combination of a number and a street name
identifies the location of a house.
Overview of Connecting With Another Network Host
In a typical situation, communication starts with a request to connect to another host by its computer
name. However, to communicate, the requesting host needs to know the media access control (MAC)
address of the network interface of the receiving host. Conversely, the receiving host needs to know the
MAC address of the sender. Once discovered, that MAC information is cached locally. A MAC address is a
hard-coded, unique identifier assigned to network interfaces by the manufacturers of network adapters.
Before the requesting host can find the MAC address of the receiving host, a number of steps occur. A
high-level overview of these steps is:
1. A request is sent from a host to connect to Server1.
2. The name Server1 must be resolved to an IPv4 address. There are a number of methods to
accomplish this.
3. Once the sender knows the IPv4 address of the recipient, the IPv4 address is determined to be either
remote or on the local subnet. The subnet mask is used for this purpose.
4. If local, an Address Resolution Protocol (ARP) request is broadcast on the local subnet. If remote, an
ARP request is sent to the default gateway and routed to the correct subnet.
5. The host that owns that IPv4 address will respond with its MAC address and a request for the MAC
address of the sender.
6. Once MAC addresses are exchanged, IPv4 communication negotiation can occur, and IP data packets
can be exchanged.
Components of an IPv4 Address
IPv4 uses 32-bit addresses. If you view the address in its binary format, it has 32 characters, as the
following example shows:
11000000101010000000000111001000
IPv4 divides the address into four octets, as the following example shows:
11000000.10101000.00000001.11001000
To make IP addresses more readable, each octet of the binary address is typically written in
decimal form. For example:
192.168.1.200
In conjunction with a subnet mask, the address identifies:
The computer's unique identity, which is the host ID.
The subnet on which the computer resides, which is the network ID.
This enables a networked computer to communicate with other networked computers in a routed
environment.
IPv4 Address Classes
The Internet Assigned Numbers Authority (IANA) organizes IPv4 addresses into classes, and a network's
number of hosts determines the required class of addresses. Class A through Class E are the names that
IANA has specified for IPv4 address classes.
Classes A, B, and C are IP addresses that you can assign to host computers as unique IP addresses, whereas
you can use Class D for multicasting. Additionally, IANA reserves Class E for experimental use.
Defining Network IDs Using Subnet Masks
A subnet mask specifies which parts of an IPv4
address are the network ID and which parts are
the host ID. A subnet mask has four octets, similar
to an IPv4 address.
Simple IPv4 Networks
In simple IPv4 networks, the subnet mask defines
full octets as part of the network and host IDs. A
255 represents an octet that is part of the network
ID, and a 0 represents an octet that is part of the
host ID. Class A, B, and C networks use default
subnet masks. The following table lists the characteristics of each IP address class.
Class  First octet  Default subnet mask  Number of networks  Number of hosts per network
A      1 to 127     255.0.0.0            126                 16,777,214
B      128 to 191   255.255.0.0          16,384              65,534
C      192 to 223   255.255.255.0        2,097,152           254
Complex IPv4 Networks
In complex networks, subnet masks might not be simple combinations of 255 and 0. Rather, you might
subdivide one octet with some bits that are for the network ID and some for the host ID. When the
boundary between the network ID and the host ID does not fall on an octet boundary, this is known as
classless addressing, or Classless Interdomain Routing (CIDR). This type of subnetting uses a different
notation, which the following example shows:
172.16.16.1/255.255.240.0
The following example shows the more common representation of classless IPv4 addressing:
172.16.16.1/20
The /20 represents how many leftmost bits of the mask are set to 1. This notation style is called
CIDR. This subnet mask in binary notation would look like this:
11111111.11111111.11110000.00000000
The first 20 bits are set to 1 and indicate the subnet ID; the last 12 bits are 0 and represent how
many bits are used to identify the host.
For more information, see Planning Supernetting and Classless Interdomain Routing (CIDR)
on the Microsoft TechNet website.
http://go.microsoft.com/fwlink/?LinkId=154437&clcid=0x409
What Is a Subnet?
A subnet is a network segment that one or more routers separate from the rest of the network. When
your Internet service provider (ISP) assigns a network to a Class A, B, or C address range, you often
must subdivide the range to match the network's physical layout. Subdividing enables you to break a
large network into smaller, logical subnets.
When you subdivide a network into subnets, you must create a unique ID for each subnet, which you
derive from the main network ID. To create subnets, you must allocate some of the bits in the host ID to
the network ID. By doing so, you can create more networks.
By using subnets, you can:
Use a single Class A, B, or C network across multiple physical locations.
Reduce network congestion by segmenting traffic and reducing broadcasts on each segment.
Overcome the limitations of current technologies, such as exceeding the maximum number of hosts
that each segment can have.
Configuring Connectivity to Other Subnets
A default gateway is a device on a TCP/IP
internetwork, usually a router, that forwards IP
packets to other subnets. A router connects
groups of subnets to create an intranet. In an
intranet, any given subnet might have several
routers that connect it to other local and remote
subnets. You must configure one of the routers as
the default gateway for local hosts so that the
local hosts can communicate with hosts on
remote networks.
When a host delivers an IPv4 packet, it performs
an internal calculation by using the subnet mask
to determine whether the destination host is on the same network or on a remote network. If the
destination host is on the same network, the local host delivers the packet. If the destination host is on a
different network, the host transmits the packet to a router for delivery.
Note: The host determines the MAC address of the router for delivery, and the initiating
host addresses the router explicitly, at the media access layer.
When a host on the network uses IPv4 to transmit a packet to a destination subnet, IPv4 consults the
internal routing table to determine the appropriate router to ensure that the packet reaches the
destination subnet. If the routing table does not contain any routing information about the destination
subnet, IPv4 forwards the packet to the default gateway. The host assumes that the default gateway
contains the required routing information.
In most cases, you can use a Dynamic Host Configuration Protocol (DHCP) server to assign the default
gateway automatically to a DHCP client. This is more straightforward than manually assigning a default
gateway on each host.
Public vs. Private IPv4 Addresses
Devices and hosts that connect directly to the
Internet require a public IPv4 address. However,
hosts and devices that do not connect directly to
the Internet do not require a public IPv4 address.
Public IPv4 Addresses
Public IPv4 addresses, which IANA assigns, must
be unique. Usually, your ISP allocates you one or
more public addresses from its address pool. The
number of addresses that your ISP allocates to
you depends upon how many devices and hosts
that you have to connect to the Internet.
Private IPv4 Addresses
The pool of IPv4 addresses is becoming smaller, so IANA is reluctant to allocate superfluous IPv4
addresses. Technologies such as network address translation (NAT) enable administrators to use a
relatively small number of public IPv4 addresses, and at the same time, enable local hosts to connect to
remote hosts and services on the Internet.
IANA defines the following address ranges as private. Internet-based routers do not forward packets
originating from, or destined to, these ranges.
Class Mask Range
A 10.0.0.0/8 10.0.0.0 - 10.255.255.255
B 172.16.0.0/12 172.16.0.0 - 172.31.255.255
C 192.168.0.0/16 192.168.0.0 - 192.168.255.255

In today's network environments, it is most common for organizations to have one or more public,
routable IP addresses from an ISP assigned to the external interfaces of their firewall appliance, and to
then use the designated private IP subnets internally.
Note: Request For Comments (RFC) 3330 defines these private address ranges.
Question: Which of the following is not a private IP address?
a. 171.16.16.254
b. 192.16.18.5
c. 192.168.1.1
d. 10.255.255.254
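The subnet-mask arithmetic from the CIDR topic and the private-range check from the table above, worked through in Windows PowerShell. This is an added example, not code from the course; apart from the 172.16.16.1/20 address from the text, the sample addresses are constructed.

```powershell
# Added example, not part of the course text: IPv4 subnet arithmetic in Windows PowerShell.
# It shows what a host does with the subnet mask (network ID, local-or-remote decision)
# and checks addresses against the private ranges listed above. Needs PowerShell 3.0 or later.

function ConvertTo-IPv4Long {
    # Dotted-decimal string -> 32-bit value stored in a [long] to avoid signed-int overflow.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [long]$value = 0
    foreach ($b in $bytes) { $value = $value * 256 + $b }
    return $value
}

function ConvertFrom-IPv4Long {
    param([Parameter(Mandatory)][long]$Value)
    $octets = 24, 16, 8, 0 | ForEach-Object { ($Value -shr $_) -band 255 }
    return ($octets -join '.')
}

function Get-IPv4Subnet {
    # Applies a /PrefixLength mask, e.g. 172.16.16.1/20 from the text -> mask 255.255.240.0.
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength
    )
    $hostBits = 32 - $PrefixLength
    $hostSpan = [long][math]::Pow(2, $hostBits) - 1   # every host bit set to 1
    $mask     = 4294967295 - $hostSpan                # every network bit set to 1
    $network  = (ConvertTo-IPv4Long $Address) -band $mask
    # A /31 or /32 leaves no room for separate network and broadcast addresses.
    $usable = 0
    if ($hostBits -ge 2) { $usable = $hostSpan - 1 }
    [pscustomobject]@{
        Address      = $Address
        PrefixLength = $PrefixLength
        SubnetMask   = ConvertFrom-IPv4Long $mask
        NetworkId    = ConvertFrom-IPv4Long $network
        Broadcast    = ConvertFrom-IPv4Long ($network + $hostSpan)
        UsableHosts  = $usable
    }
}

function Test-IPv4SameSubnet {
    # True when both addresses share a network ID: the sender then resolves the MAC address
    # with ARP directly instead of handing the packet to the default gateway.
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][int]$PrefixLength
    )
    $s = Get-IPv4Subnet -Address $Source -PrefixLength $PrefixLength
    $d = Get-IPv4Subnet -Address $Destination -PrefixLength $PrefixLength
    return ($s.NetworkId -eq $d.NetworkId)
}

function Test-IPv4Private {
    # Membership in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, the ranges in the table above.
    param([Parameter(Mandatory)][string]$Address)
    $private = @(
        @{ Network = '10.0.0.0';    Prefix = 8  },
        @{ Network = '172.16.0.0';  Prefix = 12 },
        @{ Network = '192.168.0.0'; Prefix = 16 }
    )
    foreach ($range in $private) {
        if (Test-IPv4SameSubnet -Source $Address -Destination $range.Network -PrefixLength $range.Prefix) {
            return $true
        }
    }
    return $false
}

# The CIDR example from the text: 172.16.16.1/20.
Get-IPv4Subnet -Address '172.16.16.1' -PrefixLength 20 | Format-List

# The mask decides local vs. remote: the same pair of hosts is on-link with /20 but not with /24.
Test-IPv4SameSubnet -Source '172.16.16.3' -Destination '172.16.31.200' -PrefixLength 20
Test-IPv4SameSubnet -Source '172.16.16.3' -Destination '172.16.31.200' -PrefixLength 24

# Constructed sample addresses: 172.32.0.1 sits just outside 172.16.0.0/12, and
# 203.0.113.9 is from a documentation range, so neither is private.
foreach ($ip in '10.1.2.3', '172.31.200.7', '172.32.0.1', '192.168.1.1', '203.0.113.9') {
    '{0,-14} private: {1}' -f $ip, (Test-IPv4Private -Address $ip)
}
```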
Demonstration: Configuring an IPv4 Address
You can configure IPv4 settings on a Windows 8.1 computer by using the Network and Sharing Center,
the Netsh command-line tool, or the Windows PowerShell command-line interface.
To configure IPv4 by using Netsh, you can use the following example:
Netsh interface ipv4 set address name="Local Area Connection" source=static addr=172.16.16.3 mask=255.255.255.0 gateway=172.16.16.1
The following table describes some of the Windows PowerShell cmdlets that you can use to view and
configure IPv4 settings.
Cmdlet Description of IPv4 configuration uses
Set-NetIPAddress Modifies an existing IP address and sets the
subnet mask
Set-NetIPInterface Enables or disables DHCP for an interface
Set-NetRoute Modifies routing table entries, including the
default gateway (0.0.0.0)
Set-DnsClientServerAddress Configures the Domain Name System (DNS)
server that is used for an interface
Demonstration
This demonstration shows how to configure an IPv4 address manually by using the Network and Sharing
Center.
Demonstration Steps
View the current network connection configuration
1. Sign in to LON-CL1 as administrator.
2. Open a Command Prompt window, and then use ipconfig /all to view the current IPv4 configuration.
This displays the configuration for all network connections on the computer.
View the IPv4 configuration
1. In Network and Sharing Center, view the Ethernet Status. This window shows the same configuration
information for this adapter as the IPConfig command.
2. View the IPv4 configuration for Ethernet. You can configure the IP address, subnet mask, default
gateway, and DNS servers in this window.
3. View the Advanced settings. In the Advanced TCP/IP Settings window, you can configure additional
settings, such as additional IP addresses, DNS settings, and Windows Internet Name Service (WINS)
servers for NetBIOS name resolution.
Question: When might you need to change a computer's IPv4 address?
Verifying IPv4 Network Connectivity
One of the first steps in troubleshooting
connection issues is verifying connectivity at the
IPv4 level. For example, if a user cannot connect
to the Internet or shared network drives, you
should ensure that basic IPv4 connectivity exists
between the client computer and the network
resource. There are a number of tools you can use
to verify IPv4 connectivity, including:
IPConfig
Ping
Tracert
Windows PowerShell cmdlets
IPConfig
IPConfig is a command-line tool that is used to display basic IPv4 configurations. IPConfig supports a
number of parameters including:
All. Displays all the TCP/IP configuration information for all network adapters.
Release. Sends a DHCPRELEASE message to the DHCP server, which releases the current DHCP
configuration of all network adapters or of a specific network adapter.
Renew. Renews the DHCP configuration for all network adapters, or for a specific network adapter,
that are configured to use DHCP.
When you run IPConfig without any parameters, it will display the current IP address, subnet mask, and
default gateway.
Ping
Ping is a command-line tool used to verify connectivity to another computer by sending four Internet
Control Message Protocol (ICMP) Echo Request messages. The receiving computer replies to each request,
and Ping displays the round-trip time of each exchange. Ping has a number of parameters
including:
-t. Specifies that ping continues sending echo request messages to the destination until interrupted
by pressing CTRL+BREAK.
-a. Specifies that reverse name resolution is performed on the destination IP address. If this is
successful, ping displays the corresponding host name.
Note: Most Internet sites and firewalls block ICMP traffic. This makes the Ping tool less
useful outside of your own LAN.
Tracert
Tracert is a command-line tool used to display the routing path that packets take and to measure the
delays they experience in transit. This can help identify incorrect routing table entries that are
affecting the routing of IP traffic.
Windows PowerShell Cmdlets
There are many cmdlets available for the configuration and testing of IPv4. The following table describes
some of the common cmdlets:
Cmdlet Description
Get-NetIPAddress Gets information about IP address configuration
Get-NetIPv4Protocol Gets information about the IPv4 Protocol configuration
Get-NetRoute Gets the IP routing table
New-NetIPAddress Creates an IP address and the configuration properties of that IP address
New-NetRoute Creates an entry in the IP routing table
Remove-NetIPAddress Deletes an IP address and the configuration properties of that IP address
Remove-NetRoute Deletes an entry or entries (IP routes) from the IP routing table
Set-NetIPAddress Modifies IP address configuration properties of an existing IP address
Set-NetRoute Modifies an entry or entries in the IP routing table
Test-Connection Runs connectivity tests similar to those that the ping command performs
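The Netsh example from the previous topic expressed with the NetTCPIP and DnsClient cmdlets from the two tables, followed by the read-back checks a technician would run. This is an added example, not code from the course; it assumes the adapter is named Ethernet and uses 172.16.0.10 as a constructed DNS server address.

```powershell
# Added example, not from the course: the Netsh command from the previous topic done with the
# Set-/New-/Get-/Test- cmdlets listed above. Assumed: the adapter alias is 'Ethernet' and
# 172.16.0.10 is a constructed DNS server address. Run from an elevated Windows PowerShell
# session; it reconfigures the adapter.

function Set-StaticIPv4Configuration {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][ValidateRange(1, 32)][int]$PrefixLength,
        [Parameter(Mandatory)][string]$DefaultGateway,
        [Parameter(Mandatory)][string[]]$DnsServers,
        [string]$InterfaceAlias = 'Ethernet'
    )
    # 1. Turn DHCP off on the interface so a later lease renewal cannot overwrite the settings.
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled

    # 2. Remove any existing IPv4 address and default route so the new ones do not conflict
    #    with a DHCP-assigned configuration that is still present.
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
        Remove-NetRoute -Confirm:$false

    # 3. Address, mask (as a prefix length: /24 = 255.255.255.0) and default gateway in one call.
    New-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -IPAddress $IPAddress `
        -PrefixLength $PrefixLength -DefaultGateway $DefaultGateway | Out-Null

    # 4. DNS servers are configured separately, through the DnsClient module.
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServers
}

function Get-IPv4ConfigurationReport {
    # Reads the applied settings back and tests whether the gateway answers ICMP echo requests.
    param([string]$InterfaceAlias = 'Ethernet')
    $addr  = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $route = Get-NetRoute -InterfaceAlias $InterfaceAlias -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    $dns   = Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4
    $reachable = $false
    if ($route) {
        # -Quiet returns $true or $false instead of per-reply objects; a device that drops
        # ICMP gives $false even when routing is fine, so treat it as a hint, not proof.
        $reachable = Test-Connection -ComputerName $route.NextHop -Count 2 -Quiet
    }
    [pscustomobject]@{
        Interface        = $InterfaceAlias
        IPAddress        = $addr.IPAddress
        PrefixLength     = $addr.PrefixLength
        DefaultGateway   = $route.NextHop
        DnsServers       = ($dns.ServerAddresses -join ', ')
        GatewayReachable = $reachable
    }
}

# Same values as the Netsh example: 172.16.16.3, mask 255.255.255.0 (/24), gateway 172.16.16.1.
Set-StaticIPv4Configuration -IPAddress '172.16.16.3' -PrefixLength 24 -DefaultGateway '172.16.16.1' -DnsServers '172.16.0.10'
Get-IPv4ConfigurationReport | Format-List
```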
Lesson 2
Configuring IPv6 Network Connectivity
Though most networks to which you connect Windows 8.1-based computers currently provide IPv4
support, many also support IPv6. To connect computers that are running Windows 8.1 to IPv6-based
networks, you must understand the IPv6 addressing scheme and the differences between IPv4 and IPv6.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the benefits of implementing IPv6.
Describe how Windows 8.1 supports IPv6.
Describe IPv6 addresses.
Describe the connection process using IPv6.
Benefits of Implementing IPv6
The IPv6 protocol provides the following benefits:
Large address space. A 32-bit address space can have 2^32 or 4,294,967,296 possible addresses; a
128-bit address space can have 2^128 or 340,282,366,920,938,463,463,374,607,431,768,211,456
(or 3.4x10^38 or 340 undecillion) possible addresses.
Hierarchical addressing and routing
infrastructure. The IPv6 address space is more
efficient for routers, which means that even
though there are many more addresses,
routers can process data much more efficiently because of address optimization.
Stateless and stateful address configuration. IPv6 has autoconfiguration capability without DHCP, and
it can discover router information so that hosts can access the Internet. This is a stateless address
configuration. A stateful address configuration is when you use the Dynamic Host Configuration
Protocol version 6 (DHCPv6) protocol. Stateful configuration has two additional configuration levels:
one in which DHCP provides all the information, including the IP address and configuration settings,
and another in which DHCP provides just configuration settings.
Required support for Internet Protocol security (IPsec). The IPv6 standards require support for the
Authentication Header (AH) and Encapsulating Security Payload (ESP) headers that IPsec defines.
Although IPsec does not define support for its specific authentication methods and cryptographic
algorithms, IPsec is defined from the start as the way to protect IPv6 packets.
Note: IPsec provides for authentication and optionally, encryption for communications
between hosts.
Restored end-to-end communication. The global addressing model for IPv6 traffic means that
translation between different types of addresses is not necessary, such as the translation done by NAT
devices for IPv4 traffic. This simplifies communication because you do not need to use NAT devices
for peer-to-peer applications, such as video conferencing.
Prioritized delivery. IPv6 contains a field in the packet that lets network devices determine that the
packet should be processed at a specified rate. This enables traffic prioritization. For example, when
you are streaming video traffic, it is critical that the packets arrive in a timely manner. You can set this
field to ensure that network devices determine that the packet delivery is time-sensitive.
Support for single-subnet environments. IPv6 has much better support of automatic configuration
and operation on networks consisting of a single subnet. You can use this to create temporary, ad hoc
networks through which you can connect and share information.
Extensibility. IPv6 has been designed so that you can extend it with less constraint than IPv4.
For more information, see TCP/IP v4 and v6 on the Microsoft TechNet website.
http://go.microsoft.com/fwlink/?LinkId=154442&clcid=0x409
IPv6 in Windows 8.1
Windows 8.1 uses IPv6 by default, and includes
several features that support IPv6.
Windows 8.1 Dual Stack
Both IPv6 and IPv4 are supported in a dual stack
configuration. The dual IP stack provides a shared
transport and framing layer, shared filtering for
firewalls and IPsec, and consistent performance,
security, and support for both IPv6 and IPv4.
These features help reduce maintenance costs.
When you connect to a new network that
advertises IPv6 routability, Windows 8.1 tests IPv6
connectivity, and it will only use IPv6 if IPv6
connectivity is actually functioning. Windows 8.1 also supports a functionality called address sorting. This
functionality helps the Windows 8.1 operating system determine which protocol to use when an application
supports both IPv4 and IPv6 and addresses are configured for both protocol stacks.
DirectAccess Use of IPv6
DirectAccess enables remote users to access a corporate network anytime they have an Internet
connection because it does not require a virtual private network (VPN). DirectAccess provides a flexible
corporate network infrastructure to help you remotely manage and update user PCs on and off a network.
DirectAccess makes the end-user experience of accessing corporate resources over an Internet connection
nearly indistinguishable from the experience of accessing these resources from a computer at work.
DirectAccess uses IPv6 to provide globally routable IP addresses for remote access clients.
Windows Services Can Use IPv6
Windows 8.1 services such as file sharing and remote access use IPv6 features such as IPsec. This includes
VPN Reconnect, which uses Internet Key Exchange version 2, an authentication component of IPv6.
The Windows 8.1 operating system supports remote troubleshooting capabilities such as Windows
Remote Assistance and Remote Desktop. Remote Desktop enables administrators to connect to multiple
Windows Server sessions for remote administration purposes. You can use IPv6 addresses to make
remote desktop connections. Windows Remote Assistance and Remote Desktop use the Remote Desktop
Protocol to enable users to access files on their office computer from another computer, such as one
located at their home.
IPv6 Addresses
The most obvious, distinguishing feature of IPv6 is
its use of much larger addresses. IPv4 addresses
are expressed in four groups of decimal numbers,
such as 192.168.1.1. Each grouping of numbers
represents a binary octet. In binary, the preceding
number is as follows:
11000000.10101000.00000001.00000001 (4 octets = 32 bits)
An IPv6 address is four times the size of an IPv4
address. IPv6 addresses are expressed in
hexadecimal, as the following example shows:
2001:DB8::2F3B:2AA:FF:FE28:9C5A
This might seem complex for end users, but the assumption is that users will rely on DNS names to resolve
hosts, meaning they rarely will type IPv6 addresses manually. The IPv6 address in hexadecimal also is
easier to convert to binary. This simplifies working with subnets and in calculating hosts and networks.
IPv6 Address Types
IPv6 address types are similar to IPv4 address types. The IPv6 address types are:
Unicast. An IPv6 unicast address is equivalent to an IPv4 unicast address. You can use this address
type for one-to-one communication between hosts. Each IPv6 host has multiple unicast addresses.
There are three types of unicast addresses:
o Global unicast addresses. These are equivalent to public IPv4 addresses. They are globally
routable and reachable on the IPv6 portion of the Internet.
o Link-local addresses. Hosts use link-local addresses when communicating with neighboring hosts
on the same link. For example, on a single-link IPv6 network with no router, hosts communicate
by using link-local addresses.
Link-local addresses are local-use unicast addresses with the following properties:
IPv6 link-local addresses are equivalent to IPv4 Automatic Private IP Addressing (APIPA)
addresses.
Link-local addresses always begin with FE80.
o Unique local unicast addresses. Unique local addresses provide an equivalent to the private IPv4
address space for organizations without the overlap in address space when organizations
combine.
Multicast. An IPv6 multicast is equivalent to an IPv4 multicast address. You use this address type for
one-to-many communication between computers that you define as using the same multicast
address.
Anycast. An anycast address is an IPv6 unicast address that is assigned to multiple computers. When
an IPv6 host sends to an anycast address, only the closest host that holds it responds. You typically use
this address type for locating services or the nearest router.
In IPv4, you typically assign a single host with a single unicast address. However, in IPv6, you can assign
multiple unicast addresses to each host. To verify communication processes on a network, you must know
for what purposes IPv6 uses each of these addresses.
Interface Identifiers
The last 64 bits of an IPv6 address are the interface identifier. This is equivalent to the host ID in an IPv4
address. Each interface on an IPv6 network must have a unique interface identifier. Because the interface
identifier is unique to each interface, IPv6 uses interface identifiers rather than MAC addresses to identify
hosts uniquely.
For more information, see IPv6 Address Types on the Microsoft TechNet website.
http://go.microsoft.com/fwlink/?LinkId=154445&clcid=0x409
Network Connectivity Using IPv6
The connection process for IPv6 is similar to IPv4
in that names must still be resolved to addresses
and MAC addresses must be discovered. However,
the underlying protocols and methods used for
IPv6 are different.
Neighbor Discovery Protocol
The Neighbor Discovery protocol gathers and
maintains information about routes and hosts on
the local link. It performs many of the tasks that
ARP provides in IPv4, including what is described
in the following table.
Task Description
Router discovery IPv6 hosts can locate default routers on the link automatically by
using the following two ICMPv6 messages:
o Router solicitation. When it is first coming online, an IPv6 host
multicasts a router solicitation message.
o Router advertisement. Each router on the active link that hears
the solicitation message will respond with a router
advertisement message that contains the address of the router.
Prefix discovery Router advertisement messages carry IPv6 prefix information that
represents which IPv6 prefixes are reachable on the local link. Because
multiple prefixes might be available on the same link, a router
message might contain multiple prefixes. Once an IPv6 host is aware
of which prefixes are reachable on the local link, it can
communicate directly with hosts on the local link without going
through the router.
Address autoconfiguration IPv6 hosts can configure themselves with an address automatically
based on the prefix learned from the router prefix discovery. This
allows the host to perform stateless configuration.
Address resolution: Address resolution functions much like router discovery. The ICMPv6 protocol uses two message types:
o Neighbor solicitation. The sender requests the MAC address of a neighbor node on the local link.
o Neighbor advertisement. The recipient responds with its MAC address.
Next-hop determination: Next-hop determination is a process for using the local routing table to determine whether to send the packet to a router, or send it on the local link. A routing table is present on each IPv6 host and stores information about network prefixes and whether they can be reached directly or indirectly.
Duplicate address detection: When a host first comes online on the link, it broadcasts neighbor solicitation messages for its own IPv6 address to determine if that address is already in use on the link. If the host receives a response, it will know not to use that address.

The first step in establishing communication is still name resolution, as in IPv4. For example, if an IPv6 host
wants to communicate with a host named Server1, it must first resolve that name to an IPv6 address. In
DNS, host names are mapped to IPv6 addresses by AAAA resource records. When the DNS server returns
the IPv6 address of the host, the prefix of the IPv6 address is used to determine whether the destination
host is local or remote. If the destination is on the local link, then the next-hop address is the direct
address of the recipient on the local link. If the destination is not on the local link, then the next-hop
address of the packet is the router.
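The three steps just described (AAAA lookup, next-hop determination, neighbor cache) driven from Windows PowerShell. This is an added example, not course material; it assumes the NetTCPIP and DnsClient modules (Windows 8.1 or later) and uses the host name Server1 from the text as sample input.

```powershell
# Added example, not part of the course: resolve a name to its IPv6 address,
# ask the local routing table for the next hop, and report whether that next
# hop already has a neighbor cache entry (the result of neighbor solicitation
# and advertisement). Assumes the NetTCPIP and DnsClient modules.
function Get-IPv6PathInfo {
    param([Parameter(Mandatory)] [string] $HostName)

    # Step 1: name resolution. Ask only for AAAA records, as the text describes;
    # CNAME entries returned with the answer are filtered out.
    $aaaa = Resolve-DnsName -Name $HostName -Type AAAA -ErrorAction Stop |
        Where-Object { $_.Type -eq 'AAAA' }
    if (-not $aaaa) { throw "No AAAA record returned for $HostName" }

    foreach ($rec in $aaaa) {
        $dest = $rec.IPAddress

        # Step 2: next-hop determination. Find-NetRoute returns the source
        # address it would use and the matching route; keep only the route.
        $route = Find-NetRoute -RemoteIPAddress $dest |
            Where-Object { $_.DestinationPrefix } | Select-Object -First 1

        # An on-link route has NextHop '::', so the destination itself is the
        # neighbor to resolve; otherwise the router is the neighbor.
        $onLink  = ($route.NextHop -eq '::')
        $nextHop = if ($onLink) { $dest } else { $route.NextHop }
        $where   = if ($onLink) { 'on local link' } else { 'via router' }

        # Step 3: neighbor cache state for that next hop. Reachable, Stale and
        # Permanent entries carry a link-layer (MAC) address; Incomplete means
        # the neighbor solicitation has not been answered yet.
        $neighbor = Get-NetNeighbor -AddressFamily IPv6 -IPAddress $nextHop `
            -InterfaceIndex $route.InterfaceIndex -ErrorAction SilentlyContinue
        $state = if ($neighbor) { $neighbor.State } else { 'not cached' }
        $mac   = if ($neighbor) { $neighbor.LinkLayerAddress } else { $null }

        [pscustomobject]@{
            Name             = $HostName
            IPv6Address      = $dest
            MatchedPrefix    = $route.DestinationPrefix
            Interface        = $route.InterfaceAlias
            Destination      = $where
            NextHop          = $nextHop
            NeighborState    = $state
            LinkLayerAddress = $mac
        }
    }
}

# Example call, using the host name from the text:
# Get-IPv6PathInfo -HostName Server1 | Format-List
```

When troubleshooting, a next hop that is a router you do not recognize, or a cached link-layer address that differs from the expected router, is the first thing to verify on the link.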
For more information, see How IPv6 Works: IPv6 Routing on the Microsoft TechNet website.
http://go.microsoft.com/fwlink/?LinkId=378232&clcid=0x409
Lesson 3
Implementing Automatic IP Address Allocation
Windows 8.1 enables both the IPv4 and IPv6 protocols to obtain configuration automatically. This means
that you can efficiently deploy IP-based computers that are running Windows 8.1.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the autoconfiguration process for IPv4.
Describe the autoconfiguration process for IPv6.
Configure a Windows 8.1 computer to obtain an IPv4 configuration automatically.
Describe the process with which to troubleshoot and resolve IPv4 autoconfiguration problems.
Automatic IPv4 Configuration
It is important that you know how to assign static IP addresses manually and be able to support computers that use DHCP to assign IP addresses dynamically.
Static Configuration
You can configure static IPv4 configuration manually for each of your network's computers. When you perform IPv4 configuration, you must configure the:
IPv4 address
Subnet mask
Default gateway
DNS server
Static configuration requires that you visit each computer and input the IPv4 configuration. This method
of computer management is time-consuming if your network has more than 10 to 12 computers.
Additionally, making a large number of manual configurations heightens the risk of mistakes.
DHCPv4
DHCPv4 enables you to assign IPv4 configurations automatically for a large number of computers
without having to assign each one individually. The DHCP service receives requests for IPv4 configuration
from computers that you configure to obtain an IPv4 address automatically. It also assigns IPv4
information from scopes that you define for each of your network's subnets. The DHCP service identifies
the subnet from which the request originated and assigns IP configuration from the relevant scope.
DHCP helps simplify the IP configuration process, but you must be aware that if you use DHCP to assign
IPv4 information and the service is business-critical, you must do the following:
Include resilience into your DHCP service design so that the failure of a single server does not prevent
the service from functioning.
Configure the scopes on the DHCP server carefully. If you make a mistake, it can affect the whole
network, and it can prevent communication.
IPv4 Alternate Configuration
If you use a laptop to connect to multiple networks, such as at work and at home, each network might
require a different IP configuration. Windows 8.1 supports the use of APIPA and an alternate static IP
address for this scenario.
When you configure Windows 8.1 computers to obtain IPv4 addresses from DHCP, use the Alternate
Configuration tab to control the behavior if a DHCP server is not available. By default, Windows 8.1 uses
APIPA to assign itself an IP address automatically from the 169.254.0.0 to 169.254.255.255 address range.
This enables you to use a DHCP server at work and the APIPA address range at home without
reconfiguring IP settings. Additionally, this is useful for troubleshooting DHCP. If the computer has an
address from the APIPA range, it is an indication that the computer cannot communicate with a DHCP
server.
Automatic IPv6 Configuration
An IPv6 host can proceed through several states as it goes through the autoconfiguration process, and there are several ways to assign an IPv6 address and other configuration settings. Based on how the router is set up, a client might use a stateless configuration with no DHCPv6 service or a stateful configuration with a DHCPv6 server involved, to either assign an IP address and other configuration settings, or just assign other configuration settings. The other configuration settings can include DNS servers and domain names.
Autoconfigured Address States
Autoconfigured addresses are in one or more of the following states:
Tentative. Verification occurs to determine if the address is unique. Duplicate address detection
performs verification by using Neighbor Discovery protocol. A node cannot receive unicast traffic to a
tentative address.
Valid. The address has been verified as unique and can send and receive unicast traffic.
Preferred. The address enables a node to send and receive unicast traffic.
Deprecated. The address is valid but its use is discouraged for new communication.
Invalid. The address no longer allows a node to send or receive unicast traffic.
Types of Autoconfiguration
Types of autoconfiguration include:
Stateless. Address configuration is based only on the receipt of router advertisement messages.
Stateful. Configuration is based on the use of a stateful address configuration protocol, such as
DHCPv6, to obtain addresses and other configuration options:
o A host uses stateful address configuration when it receives instructions to do so in router
advertisement messages.
o A host also uses a stateful address configuration protocol when there are no routers present on the local link.
Both. Configuration is based on the receipt of router advertisement messages and DHCPv6.
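The address states and autoconfiguration types above can be read directly from a Windows 8.1 host. The following is an added example, not from the course; it assumes the NetTCPIP module and reports, per interface, which mode the last router advertisement requested and the state and origin of each IPv6 address.

```powershell
# Added example, not part of the course: per connected IPv6 interface, show the
# autoconfiguration mode the router advertisement requested (its "managed
# address" and "other configuration" flags), then list every address with how
# it was obtained and which state it is in. Assumes the NetTCPIP module.
function Get-IPv6AutoconfigReport {
    $interfaces = Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object { $_.ConnectionState -eq 'Connected' }

    foreach ($if in $interfaces) {
        # M flag set -> stateful: DHCPv6 assigns addresses and options.
        # Only the O flag set -> stateless address, DHCPv6 for other settings
        # (DNS servers, domain names). Neither -> router advertisements only.
        if ($if.ManagedAddressConfiguration -eq 'Enabled') {
            $mode = 'Stateful (DHCPv6 assigns address and options)'
        } elseif ($if.OtherStatefulConfiguration -eq 'Enabled') {
            $mode = 'Stateless address, DHCPv6 for other options only'
        } elseif ($if.RouterDiscovery -eq 'Enabled') {
            $mode = 'Stateless (router advertisements only)'
        } else {
            $mode = 'Router discovery disabled on this interface'
        }

        $addresses = Get-NetIPAddress -AddressFamily IPv6 -InterfaceIndex $if.InterfaceIndex
        foreach ($a in $addresses) {
            # PrefixOrigin says where the prefix came from; SuffixOrigin how the
            # interface identifier was formed. AddressState is the state from the
            # list above; 'Duplicate' means duplicate address detection failed.
            $source = switch ($a.PrefixOrigin) {
                'RouterAdvertisement' { 'stateless autoconfiguration' }
                'Dhcp'                { 'DHCPv6 (stateful)' }
                'Manual'              { 'static' }
                'WellKnown'           { 'well-known (link-local or loopback)' }
                default               { [string]$a.PrefixOrigin }
            }
            [pscustomobject]@{
                Interface    = $if.InterfaceAlias
                Mode         = $mode
                IPAddress    = $a.IPAddress
                Source       = $source
                SuffixOrigin = $a.SuffixOrigin
                State        = $a.AddressState
                Usable       = ($a.AddressState -eq 'Preferred')
            }
        }
    }
}

# Get-IPv6AutoconfigReport | Format-Table -AutoSize
```

An address that stays Tentative, or shows Duplicate, is the Neighbor Discovery duplicate address detection described earlier refusing to bring it into service.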
Why Use Stateful Configuration?
By using stateful configuration, organizations can control how IPv6 addresses are assigned by using
DHCPv6.
If there are any specific scope options that you need to configure, such as the IPv6 addresses of DNS
servers, then a DHCPv6 server is necessary.
Communication with DHCP Server
When IPv6 attempts to communicate with a DHCP server, it uses multicast IPv6 addresses to communicate
with the DHCP server. This is different from IPv4, which uses broadcast IPv4 addresses.
When a host obtains an IPv6 address from a DHCPv6 server, the following occurs:
The client sends a solicitation message to locate DHCPv6 servers.
The server sends an advertisement message to indicate that it offers IPv6 addresses and configuration
options.
The client sends a request message to a specific DHCPv6 server to request configuration information.
The selected server sends a reply message to the client that contains the address and configuration
settings.
When a client requests configuration information only, the following occurs:
o The client sends an information-request message.
o A DHCPv6 server sends a reply message to the client with the requested configuration settings.
Note: DHCPv6 is a service that provides stateful autoconfiguration of IPv6 hosts. It can
configure IPv6 hosts automatically with an IPv6 address and other configuration information such
as DNS servers. This is equivalent to DHCPv4 for IPv4 networks.
Demonstration: Configuring a Windows 8.1 Computer to Obtain an IPv4 Configuration Automatically
This demonstration shows how to configure a Windows 8.1 computer to obtain an IPv4 address
automatically.
Demonstration Steps
View the current IPv4 configuration
Sign in to LON-CL1 as administrator, and then verify the current IPv4 configuration.
Reconfigure the IPv4 configuration
1. Open the Ethernet properties, and then view the IPv4 settings for the selected network connection.
2. Modify the connection to obtain an IPv4 configuration automatically.
3. Verify these changes.
Resolving Client-Side IPv4 Autoconfiguration Issues
IPConfig is the primary client-side DHCP troubleshooting tool.
Using IPConfig
If the computer is experiencing connectivity problems, you can use IPConfig to determine the computer's IP address.
If the address is in the range 169.254.0.1 to 169.254.255.254, the computer is using an APIPA address. This might indicate a DHCP-related problem. From the client computer, open an elevated command prompt, and then use the IPConfig options in the following table to diagnose the problem.
Note: An elevated command prompt provides a context for running command-line tools
and programs with administrative rights. To open an elevated command prompt, right-click the
Command Prompt shortcut, and then click Run as administrator, providing administrative
credentials if prompted.
Option Description
/all: This option displays all IP address configuration information. If the computer uses DHCP, verify the DHCP Server option in the output. This indicates the server from which the client is attempting to obtain an address. Also, verify the Lease Obtained and Lease Expires values to determine when the client last obtained an address.
/release: This option releases the IP address that the DHCP client currently holds. It sometimes is necessary to force the computer to release an IP address.
/renew: This option forces the client computer to renew its DHCP lease. This is useful when you think that the DHCP-related issue is resolved, and you want to obtain a new lease without restarting the computer.
/release6: The IPv6 version of the /release command.
/renew6: The IPv6 version of the /renew command.
Note: You can use the IPConfig /release6 and /renew6 options to perform these same
tasks on IPv6-configured computers.
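The same client-side check as objects rather than IPConfig text. This is an added example, not from the course; it reads each adapter's DHCP server, lease times and addresses through CIM (the data IPConfig /all prints), flags adapters that fell back to the APIPA range described above, and can release and renew the lease. It assumes Windows 8.1 or later and, for -Renew, an elevated session.

```powershell
# Added example, not part of the course: report DHCP state per IP-enabled
# adapter, flag APIPA fallback, and optionally release/renew the lease
# (the CIM equivalent of IPConfig /release and /renew).
function Test-DhcpClientState {
    param([switch] $Renew)

    $nics = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'

    foreach ($nic in $nics) {
        # Win32_NetworkAdapterConfiguration lists IPv4 and IPv6 together.
        $v4    = @($nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' })
        $apipa = @($v4 | Where-Object { $_ -like '169.254.*' })   # 169.254.0.0/16

        if (-not $nic.DHCPEnabled) {
            $status = 'Static configuration'
        } elseif ($apipa.Count -gt 0) {
            $status = 'APIPA address: no DHCP server reached'
        } elseif ($nic.DHCPServer) {
            $status = 'DHCP lease held'
        } else {
            $status = 'DHCP enabled, no lease'
        }

        [pscustomobject]@{
            Adapter       = $nic.Description
            IPv4Address   = ($v4 -join ', ')
            Status        = $status
            DhcpServer    = $nic.DHCPServer        # same value as "DHCP Server" in IPConfig /all
            LeaseObtained = $nic.DHCPLeaseObtained
            LeaseExpires  = $nic.DHCPLeaseExpires
        }

        if ($Renew -and $nic.DHCPEnabled -and $apipa.Count -gt 0) {
            # Release first, then renew, as the text recommends once the
            # DHCP-side problem is believed fixed. Needs administrative rights.
            $null = Invoke-CimMethod -InputObject $nic -MethodName ReleaseDHCPLease
            $r    = Invoke-CimMethod -InputObject $nic -MethodName RenewDHCPLease
            Write-Verbose ("RenewDHCPLease on '{0}' returned {1}" -f $nic.Description, $r.ReturnValue)
        }
    }
}

# Test-DhcpClientState | Format-Table -AutoSize
# Test-DhcpClientState -Renew -Verbose     # from an elevated prompt
```

A DhcpServer value that is not one of your known servers deserves the same attention as an APIPA address: it means the client took its configuration from a server you did not intend to be on that subnet.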
The following are some troubleshooting examples.
Problem: The DHCP client does not have an IP address configured or indicates that its IP address is 0.0.0.0.
Solution: Verify that the client computer has a valid and functioning network connection. First, check that related client hardware (cables and network adapters) are working properly at the client end by using basic network and hardware troubleshooting steps. If the client hardware appears to be prepared and functioning properly, check that the DHCP server is available on the network by pinging it from another computer on the same network as the affected DHCP client.
Problem: The DHCP client appears to have assigned itself an IP address automatically that is incorrect for the current network.
Solution: First, use the ping command to test connectivity from the client to the server. To force ping to use IPv6, use the -6 parameter. An example is the command ping -6 Server1.Adatum.com. Your next step is to either verify or manually attempt to renew the client lease. Depending on your network requirements, it might be necessary to disable IP autoconfiguration at the client. You can learn more about IP autoconfiguration and how it works prior to making this decision.
Problem: The DHCP client appears to be missing some network configuration details or is unable to perform related tasks, such as resolving names.
Solution: For DHCP clients, verify that the most commonly used and supported options have been configured at the server, scope, client, or class level of options assignment.
Problem: The DHCP client appears to have incorrect or incomplete options, such as an incorrect or missing router (default gateway), configured for the subnet on which it is located.
Solution: Change the IP address list for the router (default gateway) option at the applicable DHCP scope and server. If you configure the router option as a Server Option at the affected DHCP server, remove it there and set the correct value in the Scope Options node for the applicable DHCP scope that services the client. In rare instances, you might have to configure the DHCP client to use a specialized list of routers that is different from other scope clients. In such cases, you can add a reservation and then configure the router option list specifically for the reserved client.

Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: A DHCP server can only service requests for a scope that has a network ID that is the same as the network ID of its IP address. Completing the following steps might correct this problem:
1. Configure a BOOTP/DHCP relay agent on the client subnet, that is, the same physical network segment. The relay agent can be located on the router itself; on a computer that is running Microsoft Windows NT Server and the DHCP relay agent component; on a computer that is running Windows 2000 Server with the Routing and Remote Access Service enabled and configured as a DHCP relay agent; or on a computer that is running a Windows Server 2003 operating system with the Routing and Remote Access Service enabled and configured as a DHCP relay agent.
2. At the DHCP server, do the following:
o Configure a scope to match the network address on the other side of the router where the affected clients are located.
o In the scope, make sure that the subnet mask is correct for the remote subnet.
o Use a default gateway on the network connection of the DHCP server in such a way that it is not using the same IP address as the router that supports the remote subnet where the clients are located.
o Do not include this scope, which is the one for the remote subnet, in superscopes configured for use on the same local subnet or segment where the DHCP server resides.
Make sure there is only one logical route between the DHCP server and the remote subnet clients.
Problem: Many DHCP clients are unable to get IP addresses from the DHCP server.
Solution: Ensure that you do not configure multiple DHCP servers on the same LAN with overlapping scopes. You might want to rule out the possibility that one of the DHCP servers in question is a computer that is running Small Business Server (SBS). On a computer that is running Windows SBS, the DHCP Server service automatically stops when it detects another DHCP server on the LAN.

Problem: The DHCP client appears to be affected by another problem not described previously.
Solution: Search the Microsoft website for updated technical information that might relate to the problem you observed. If necessary, you can obtain information and instructions that pertain to your current problem or issue.

Test a TCP/IP configuration by using the ping command
http://go.microsoft.com/fwlink/?LinkId=154455&clcid=0x409
Verify, release, or renew a client address lease
http://go.microsoft.com/fwlink/?LinkId=154456&clcid=0x409
Configure TCP/IP for automatic addressing
http://go.microsoft.com/fwlink/?LinkId=154457&clcid=0x409
Disable automatic address configuration
http://go.microsoft.com/fwlink/?LinkId=154458&clcid=0x409
Manage Options and classes
http://go.microsoft.com/fwlink/?LinkId=154459&clcid=0x409
Assigning options
http://go.microsoft.com/fwlink/?LinkId=154460&clcid=0x409
DHCP Best Practices
http://go.microsoft.com/fwlink/?LinkId=154465&clcid=0x409
Using superscopes
http://go.microsoft.com/fwlink/?LinkId=154466&clcid=0x409
Configuring scopes
http://go.microsoft.com/fwlink/?LinkId=154467&clcid=0x409
Lab A: Configuring a Network Connection
Scenario
A. Datum Corporation is introducing new laptop computers for some of its managers. You need to test
how the IPv4 configuration will behave when the managers are away from the office and a DHCP server is
unavailable.
Objectives
After completing this lab, you will be able to:
Enable automatic IPv4 configuration.
Configure IPv4 manually.
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1 and 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20687C-LON-CL1.
Exercise 1: Enabling Automatic IPv4 Configuration
Scenario
You need to determine how the Windows 8.1 client operating system currently receives its IPv4 address.
You need to provide an automated way for client computers to receive IPv4 configuration. You will
configure a Windows 8.1 client to receive IPv4 configuration from a DHCP server and then verify the
configuration.
The main tasks for this exercise are as follows:
1. Verify the current IPv4 configuration.
2. Configure the computer to obtain an IPv4 address automatically.
3. Verify the new IPv4 configuration.
Task 1: Verify the current IPv4 configuration
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open a Command Prompt window, and then run the command ipconfig /all.
o What is the current IPv4 address?
o What is the subnet mask?
o To which IPv4 network does this host belong?
o Is DHCP enabled?
Task 2: Configure the computer to obtain an IPv4 address automatically
1. Use Network Connections to view the properties of Ethernet.
2. Modify TCP/IPv4 to:
o Obtain an IP address automatically.
o Obtain a DNS server address automatically.
Task 3: Verify the new IPv4 configuration
In the Ethernet Status window, view the Details.
o What is the current IPv4 address?
o What is the subnet mask?
o To which IPv4 network does this host belong?
o Is DHCP enabled?
o When does the DHCP lease expire?

Results: After completing this exercise, you should have configured LON-CL1 to obtain an IPv4
configuration automatically from a DHCP server.
Exercise 2: Configuring IPv4 Manually
Scenario
As the network administrator, you need to test various scenarios for assigning IPv4 addresses to client
computers. You will deactivate the current DHCP scope and renew that address on the Windows 8.1 client
operating system to see what address is assigned. You will configure an alternate address to be assigned
when DHCP is not available. Finally, you will assign a static IPv4 address to the Windows 8.1 client
operating system.
The main tasks for this exercise are as follows:
1. Deactivate the DHCP scope.
2. Obtain a new IPv4 address.
3. Configure an alternate IPv4 address.
4. Configure a static IPv4 address.
Task 1: Deactivate the DHCP scope
1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.
2. Use the DHCP management console to deactivate the IPv4 scope named A Datum Scope:
a. In Server Manager, open the DHCP management console.
b. Deactivate the [172.16.0.0] A Datum Scope.
c. Close the DHCP window.
Task 2: Obtain a new IPv4 address
Note: This process can take some minutes to complete.
1. On LON-CL1, at the command prompt, run the command ipconfig /release.
2. Run the command ipconfig /renew.
3. Run the command ipconfig /all.
o What is the current IPv4 address?
o What is the subnet mask?
o To which IPv4 network does this host belong?
o What kind of address is this?
Task 3: Configure an alternate IPv4 address
1. In the TCP/IPv4 properties for Ethernet, use the Alternate Configuration tab to configure the
following:
o IP address: 172.16.16.10
o Subnet mask: 255.255.0.0
o Preferred DNS server: 172.16.0.10
o Do not validate settings
2. At the command prompt, type ipconfig /release, and then press Enter.
3. At the command prompt, type ipconfig /renew, and then press Enter.
4. At the command prompt, type ipconfig /all, and then press Enter:
o What is the current IPv4 address?
o What is the subnet mask?
o To which IPv4 network does this host belong?
o What kind of address is this?
Task 4: Configure a static IPv4 address
1. In the Ethernet Status window, view the Properties.
2. In the properties for TCP/IPv4 for Ethernet, configure the following:
o IP address: 172.16.16.10
o Subnet mask: 255.255.0.0
o Preferred DNS server: 172.16.0.10

Results: After completing this exercise, you should have tested various scenarios for dynamic IP address
assignment and then configured a static IP address.
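The static configuration from Task 4, and the reverse step that returns the interface to DHCP as in Exercise 1, applied from Windows PowerShell instead of the TCP/IPv4 properties dialog. This is an added example, not part of the lab; it uses the lab's values (interface alias Ethernet, 172.16.16.10 with mask 255.255.0.0, DNS server 172.16.0.10), assumes the NetTCPIP and DnsClient modules and an elevated session, and has no equivalent for the Alternate Configuration tab of Task 3, which has no cmdlet.

```powershell
# Added example, not part of the lab: Task 4 (static IPv4) in PowerShell, and
# a function that puts the interface back on DHCP. Lab values are the defaults.
function Set-LabStaticIPv4 {
    param(
        [string] $InterfaceAlias = 'Ethernet',
        [string] $IPAddress      = '172.16.16.10',
        [int]    $PrefixLength   = 16,             # 255.255.0.0
        [string] $DnsServer      = '172.16.0.10'
    )

    # Turn DHCP off on the interface first; otherwise the next lease renewal
    # would replace the manual address.
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Disabled

    # Remove any manual IPv4 address already present so addresses do not stack.
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 `
        -PrefixOrigin Manual -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false

    $null = New-NetIPAddress -InterfaceAlias $InterfaceAlias -IPAddress $IPAddress -PrefixLength $PrefixLength
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ServerAddresses $DnsServer

    # Same information as the lab's "ipconfig /all" check, as an object.
    Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias
}

function Reset-LabIPv4ToDhcp {
    param([string] $InterfaceAlias = 'Ethernet')

    # Drop the manual address, re-enable DHCP, and let the DNS servers come
    # from DHCP again (the two "Obtain ... automatically" options of Task 2).
    Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 `
        -PrefixOrigin Manual -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Set-NetIPInterface -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -Dhcp Enabled
    Set-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -ResetServerAddresses

    # Equivalent of the lab's "ipconfig /renew" for this adapter only.
    $null = ipconfig /renew "$InterfaceAlias"
    Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias
}

# Set-LabStaticIPv4          # Task 4
# Reset-LabIPv4ToDhcp        # back to the Exercise 1 state
```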
To prepare for the next lab
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 4
Implementing Name Resolution
Computers can communicate over a network by using a name in place of an IP address. Name resolution
is used to find an IP address that corresponds to a name, such as a host name. This lesson focuses on
different types of computer names and the methods to resolve them.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the types of names used by IPv4 computers.
Describe the methods for resolving computer names into IP addresses.
Describe the tools you can use to resolve name resolution issues.
Types of Computer Names
Name resolution is the process of converting computer names to IP addresses. Name resolution is an essential part of computer networking because it is easier for users to remember names than abstract numbers, such as an IPv4 address.
The application developer determines an application's name. In Windows operating systems, applications can request network services through Winsock, Winsock Kernel, or NetBIOS. If an application requests network services through Windows Sockets or Winsock Kernel, it uses host names. If an application requests services through NetBIOS, it uses a NetBIOS name.
Note: NetBIOS is a session management protocol that was used in older versions of
Microsoft server operating systems. Windows 8.1 provides support for NetBIOS.
Host Name
A host name is a user-friendly name that is associated with a host's IP address and identifies it as a TCP/IP
host. A host name can be no more than 255 characters in length and must contain alphanumeric
characters, periods, and hyphens.
A host name is an alias or a fully qualified domain name (FQDN).
An alias is a single name associated with an IP address.
The host name combines an alias with a domain name to create the FQDN.
The elements of the name include periods as separators. Applications use the structured FQDN on the
Internet.
An example of an FQDN is payroll.contoso.com.
NetBIOS Name
Applications use the 16-character NetBIOS name to identify a NetBIOS resource on a network. A NetBIOS
name represents a single computer or a group of computers. NetBIOS uses the first 15 characters for a
specific computer's name and the final sixteenth character to identify a resource or service on that
computer. An example of a NetBIOS name is NYC-SVR2[20h].
Windows supports a number of different methods for resolving computer names, such as DNS, WINS, and
the host name resolution process.
Methods for Resolving Computer Names
Many current apps, including Internet apps, use Windows Sockets to access network services. Newer apps that are designed for Windows 8.1 use Winsock Kernel. Older applications use NetBIOS.
Name Resolution Process
DNS is the Microsoft standard for resolving host names to IP addresses. Applications also use DNS to do the following:
Locate domain controllers and global catalog servers. This is used when you log on to Active Directory Domain Services (AD DS).
Resolve IP addresses to host names. This is useful when a log file contains only a host's IP address.
Locate a mail server for email delivery. This is used for the delivery of all Internet email.
WINS provides a centralized database for registering dynamic mappings of a network's NetBIOS names.
Support is retained for WINS to provide backward compatibility.
While you can use WINS, you also can resolve NetBIOS names by using the following:
Broadcast messages. Broadcast messages do not work well on large networks because routers do not
propagate broadcasts.
Lmhosts file on all computers. Using an Lmhosts file for NetBIOS name resolution is a
high-maintenance solution because you must maintain the file manually on all computers.
Host-Name Resolution Process
When an application specifies a host name and uses Windows Sockets, TCP/IP uses the DNS resolver
cache, DNS, and Link-Local Multicast Name Resolution when it attempts to resolve the host name. The
Hosts file is loaded into the DNS resolver cache. If NetBIOS over TCP/IP is enabled, TCP/IP also uses
NetBIOS name resolution methods when resolving single-label, unqualified host names.
Depending on the configuration, Windows 8.1 resolves host names by performing the following actions:
1. Checking whether the host name is the same as the local host name.
2. Searching the DNS resolver cache.
3. Searching the Hosts file.
4. Sending a DNS request to its configured DNS servers.
Windows resolves host names that are single-label, unqualified names by performing the following
actions:
1. Converting the host name to a NetBIOS name and checking the local NetBIOS name cache.
2. Sending a DNS request to its configured WINS servers.
3. Broadcasting as many as three NetBIOS name query request messages on the subnet that is directly
attached.
4. Searching the Lmhosts file.
Note: Windows 8.1 can use Link-Local Multicast Name Resolution (LLMNR) for networks that do not
have a DNS server. For example, if a Windows 8.1 computer must resolve a single-label name, it
first will try to petition a DNS server. If there is no DNS server or no response from the DNS
server, Windows 8.1 will use LLMNR. If this is unsuccessful, Windows 8.1 will attempt resolution by using
the NetBIOS methods explained above.
Note: You can exert control over the precise order used to resolve names. For example, if
you disable NetBIOS over TCP/IP, none of the NetBIOS name-resolution methods are attempted.
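The resolution order above, tried one method at a time so you can see which one answers for a given single-label name, followed by the NetBIOS over TCP/IP setting the note refers to. This is an added example, not from the course; it assumes the DnsClient module (Windows 8.1 or later) and uses the lab host name LON-DC1 as sample input.

```powershell
# Added example, not part of the course: exercise each resolution method in
# the order the text lists, using the Resolve-DnsName switches that restrict
# it to a single method, and report which step produced an answer.
function Trace-NameResolution {
    param([Parameter(Mandatory)] [string] $Name)

    $steps = @(
        @{ Step = '1. Local host name'
           Try  = { if ($Name -ieq $env:COMPUTERNAME) { 'this computer' } else { throw 'not the local name' } } }
        @{ Step = '2. DNS resolver cache (includes the Hosts file)'
           Try  = { Resolve-DnsName -Name $Name -CacheOnly   -ErrorAction Stop } }
        @{ Step = '3. Configured DNS servers'
           Try  = { Resolve-DnsName -Name $Name -DnsOnly     -ErrorAction Stop } }
        @{ Step = '4. LLMNR (link-local multicast)'
           Try  = { Resolve-DnsName -Name $Name -LlmnrOnly   -ErrorAction Stop } }
        @{ Step = '5. NetBIOS (WINS, broadcast, Lmhosts)'
           Try  = { Resolve-DnsName -Name $Name -NetbiosOnly -ErrorAction Stop } }
    )

    foreach ($s in $steps) {
        try {
            $answer = & $s.Try
            $addr = ($answer | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }) -join ', '
            if (-not $addr) { $addr = [string]$answer }
            [pscustomobject]@{ Step = $s.Step; Result = 'answered'; Answer = $addr }
        } catch {
            [pscustomobject]@{ Step = $s.Step; Result = 'no answer'; Answer = $_.Exception.Message }
        }
    }
}

# The second note above: with NetBIOS over TCP/IP disabled, step 5 is never
# attempted. TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled,
# 2 = disabled. Reading is unprivileged; changing it needs an elevated session.
function Get-NetbiosOverTcpip {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, TcpipNetbiosOptions
}

function Disable-NetbiosOverTcpip {
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
            [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $r.ReturnValue }
        }
}

# Trace-NameResolution -Name LON-DC1 | Format-Table -AutoSize
# Get-NetbiosOverTcpip
```

Steps 4 and 5 accept an answer from any host on the local subnet that replies, which is why organizations that have finished migrating to DNS commonly disable them on client computers.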
GlobalNames Zone
GlobalNames Zone is a feature in Windows Server 2008 and newer versions. GlobalNames Zone provides
single-label name resolution for large enterprise networks that do not deploy WINS. Some networks
might require the ability to resolve static, global records with the single-label names that WINS currently
provides. These single-label names refer to well-known and widely used servers with statically assigned IP
addresses. A GlobalNames Zone is created manually and is not available for dynamic registration of
records. GlobalNames Zone is intended to help your customers migrate to DNS for all name resolution.
The DNS Server role in Windows Server 2008 and newer versions supports the GlobalNames Zone feature.
GlobalNames Zone is intended to assist in the migration from WINS. However, it is not a replacement for
WINS. GlobalNames Zone is not intended to support the single-label name resolution of records that are
registered in WINS dynamically and those that are not managed by IT administrators typically. Support for
these dynamically registered records is not scalable, especially for larger customers with multiple domains
and forests.
The recommended GlobalNames Zone deployment is to use an AD DS-integrated zone, named
GlobalNames, which is distributed globally.
Instead of using GlobalNames Zone, you can choose to configure DNS and WINS integration. Do this by
configuring the DNS zone properties to perform WINS-lookups for NetBIOS-compliant names. The
advantage of this approach is that you can configure client computers to only use a single name service
(DNS) and still be able to resolve NetBIOS-compliant names.
Understanding DNS Client Settings
http://go.microsoft.com/fwlink/?LinkId=154441&clcid=0x409
Tools Used to Resolve Name Resolution Issues
Windows 8.1 includes a number of tools that you can use to diagnose name-resolution problems, including:
Event Viewer
Windows Network Diagnostics
IPConfig
Ping
NSlookup
Windows PowerShell
Microsoft Message Analyzer
Event Viewer
Event logs are files that record significant events on a computer, such as when a process encounters an
error. IP conflicts will be reflected in the System log and might prevent services from starting. When these
events occur, a Windows operating system records the event in an appropriate event log. You can use
Event Viewer to read the log. When you troubleshoot errors in Windows 8.1, view the events in the event
logs to try and determine the cause of the problem.
Event Viewer enables you to access the Application, Security, Setup, and System logs under the Windows
Logs node. When you select a log and then select an event, a preview pane under the event list contains
details of the specified event. To help diagnose network problems, look for errors or warnings in the
System log related to network services.
Windows Network Diagnostics
Use Windows Network Diagnostics to diagnose and correct networking problems. In the event of a
Windows 8.1 networking problem, the Diagnose Connection Problems option helps diagnose and repair
the problem. A possible description of the problem and a potential remedy are presented. The solution
might require manual intervention from the user.
IPConfig
IPConfig displays the current TCP/IP network configuration. Additionally, you can use IPConfig to refresh
DHCP and DNS settings as discussed in the previous Windows Network Diagnostics topic. For example,
you might need to flush the DNS cache.
Ping
Ping verifies IP-level connectivity to another TCP/IP computer. Ping sends Internet Control Message
Protocol (ICMP) echo request messages and displays the receipt of corresponding echo reply messages.
Ping is the primary TCP/IP command used to troubleshoot connectivity. Ping is more useful on an
internal network because firewalls on the Internet commonly block ICMP requests.
NSlookup
NSlookup displays information that you can use to diagnose a DNS infrastructure. You can use NSlookup
to confirm connection to a DNS server and that the required records exist. You can use NSlookup in the
following two modes:
Interactive. To use NSlookup in interactive mode, type NSlookup at the command prompt and press
Enter. By default, NSlookup will query against the local DNS server. Interactive mode provides many
options for NSlookup, such as setting a specific DNS server to be queried. You can view the available
options by typing Help at the interactive command prompt. A common use for NSlookup in
interactive mode is to query for a specific type of record. For example, to query for Mail Exchanger
MX records from the interactive mode command prompt, you would type set q=mx and press Enter,
and then type the name of the domain you are looking for and press Enter again. The query will
return only the MX records for that domain.
Noninteractive. The noninteractive mode is useful for quick lookups of names. For example, to
discover the IP address of a computer named Server1 in the Contoso.com domain, you can type the
query NSlookup Server1.Contoso.com directly at the command prompt, and the local DNS server
will respond with a reply to the query.
Windows PowerShell
You also can use Windows PowerShell cmdlets for configuring and troubleshooting network settings. The
following table lists some of these cmdlets and their purposes.
Cmdlet Purpose
Clear-DnsClientCache Similar to the IPConfig /flushdns command, this cmdlet clears a client's resolver cache.
Get-DnsClient Retrieves configuration details specific to the different network interfaces on a specified computer.
Get-DnsClientCache Similar to the IPConfig /displaydns command, this cmdlet retrieves the contents of the local DNS client cache.
Get-DnsClientGlobalSetting Retrieves global DNS client settings like the suffix search list.
Get-DnsClientServerAddress Gets one or more DNS server IP addresses associated with the interfaces on a computer.
Register-DnsClient Registers all of the IP addresses on a computer onto the configured DNS server.
Set-DnsClient Sets the interface-specific DNS client configurations on a computer.
Set-DnsClientGlobalSetting Configures global DNS client settings like the suffix search list.
Set-DnsClientServerAddress Configures one or more DNS server IP addresses associated with the interfaces on a computer.
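The function below is an added example, not part of the course, that strings together the DNS client cmdlets from the table and the NSlookup checks from the previous topic into one name-resolution health check. The interface alias and the name to resolve are assumptions; the defaults use the lab's Adatum.com domain and LON-DC1 server, and Resolve-DnsName (a cmdlet in the same DnsClient module, not listed in the table) performs the query.

```powershell
# Added example: run the DNS client checks from the table on one interface.
# -InterfaceAlias and -Name are assumptions; change them to your environment.
function Test-DnsClientHealth {
    [CmdletBinding()]
    param(
        [string]$InterfaceAlias = 'Ethernet',
        [string]$Name = 'lon-dc1.adatum.com'
    )

    $result = [ordered]@{ Interface = $InterfaceAlias; Name = $Name }

    # 1. Which DNS servers does this interface use? (the ipconfig /all answer)
    $servers = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
    $result.DnsServers = $servers -join ', '

    # 2. Global suffix search list, which decides how a short name such as "lon-dc1" is expanded
    $result.SuffixSearchList = (Get-DnsClientGlobalSetting).SuffixSearchList -join ', '

    # 3. Start from an empty cache so a stale or negative entry cannot hide the real answer
    Clear-DnsClientCache

    # 4. Query the name; -DnsOnly skips LLMNR and NetBIOS so only the DNS path is exercised
    try {
        $answer = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
        $result.Resolved  = $true
        $result.Addresses = ($answer | Where-Object Type -eq 'A').IPAddress -join ', '
    } catch {
        $result.Resolved  = $false
        $result.Error     = $_.Exception.Message
    }

    # 5. Show what the resolver cached as a result (the ipconfig /displaydns view)
    $cached = Get-DnsClientCache -Name $Name -ErrorAction SilentlyContinue
    $result.CacheEntries = @($cached).Count

    [pscustomobject]$result
}

# Usage
Test-DnsClientHealth | Format-List
```

If Resolved is false while DnsServers shows an address that is not your DNS server, the problem is the client configuration rather than the server; Set-DnsClientServerAddress from the table is the cmdlet that corrects it.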
Microsoft Message Analyzer
Microsoft Message Analyzer is the replacement for Network Monitor, which Microsoft last released as
version 3.4. The Microsoft Message Analyzer provides more capabilities than Network Monitor for
determining network issues. It can capture, display, and analyze live network traffic in multiple viewing
formats such as grids, charts, and timeline views. It also allows you to import, aggregate, and analyze data
from log and trace files.
Key capabilities include:
Integrated event and message capture at different system levels and endpoints
Parsing and validation of protocol messages and sequences
Automatic re-assembly of packets and the ability to render the payloads
Microsoft Message Analyzer Operating Guide
http://go.microsoft.com/fwlink/?LinkId=378233&clcid=0x409
Lab B: Resolving Network Connectivity Issues
Scenario
An intern has been unsuccessful in attempts to resolve a network connectivity problem on a Windows 8.1
computer. The changes made to the computer have not been documented. You need to restore network
connectivity for the computer.
Objectives
After completing this lab, you will be able to:
Create a simulated network connectivity problem.
Resolve a network connectivity problem.
Lab Setup
Estimated Time: 30 to 60 minutes
Virtual machines: 20687C-LON-DC1 and 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment.
Exercise 1: Creating a Simulated Network Connectivity Problem
Scenario
Windows 8.1 clients are experiencing issues when connecting to network resources. As the network
administrator, you must perform troubleshooting steps to identify and resolve these issues.
The main tasks for this exercise are as follows:
1. Verify connectivity to LON-DC1.
2. Simulate the problem.
3. Test connectivity to LON-DC1.
4. Gather information about the problem.
Task 1: Verify connectivity to LON-DC1
On LON-CL1, map the drive letter P to \\LON-DC1\Data.
Task 2: Simulate the problem
1. In the properties of Local Area Connection, disable the IPv6 protocol.
2. Run the file E:\LabFiles\Mod06\Mod6-Script.bat.
Task 3: Test connectivity to LON-DC1
Access drive letter P by using File Explorer. Are you able to access the mapped drive P?
Task 4: Gather information about the problem
Use the techniques and tools from this module to determine the following information:
o What IP address is the computer using?
o What subnet mask is the computer using?
o What network should the computer be on?

Results: After completing this exercise, you should have created a connectivity problem between LON-
CL1 and LON-DC1.
Exercise 2: Resolving a Network Connectivity Problem
Scenario
You must use troubleshooting tools and techniques to resolve and test the resolution of the connectivity
issue.
The main tasks for this exercise are as follows:
1. Resolve the first problem.
2. Test the resolution.
3. Resolve the DNS problem.
Task 1: Resolve the first problem
Use the tools and techniques from this module to resolve the problem.
Task 2: Test the resolution
1. Access drive letter P by using File Explorer. Are you able to access mapped drive P?
2. Open a Command Prompt window, and at the command prompt, run the following commands:
o ping lon-dc1
o ping 172.16.0.10
o ipconfig /all
What DNS servers is the computer using?
Task 3: Resolve the DNS problem
Use the tools and techniques from this module to resolve the problem.

Results: After completing this exercise, you should have resolved the connectivity problem between LON-
CL1 and LON-DC1.
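As an added example that is not part of the lab, the following function performs the checks from Exercise 1 Task 4 and Exercise 2 Task 2 in one pass and states which layer is at fault. The server name and address are the lab's (LON-DC1 and 172.16.0.10); the interface alias is an assumption.

```powershell
# Added example (not part of the lab): run the lab's checks in one pass and
# classify the result. LON-DC1 and 172.16.0.10 come from the lab; the
# interface alias is an assumption.
function Invoke-ConnectivityTriage {
    [CmdletBinding()]
    param(
        [string]$InterfaceAlias = 'Ethernet',
        [string]$TargetName     = 'lon-dc1',
        [string]$TargetAddress  = '172.16.0.10'
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # Step 1: is the adapter up at all?
    $adapter = Get-NetAdapter -Name $InterfaceAlias -ErrorAction SilentlyContinue
    if (-not $adapter -or $adapter.Status -ne 'Up') {
        $findings.Add("Adapter '$InterfaceAlias' is missing or not Up; check the cable, driver or disabled state.")
    }

    # Step 2: which IPv4 address and mask is in use? (the Task 4 questions)
    $ip = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
          Select-Object -First 1
    if ($ip) {
        $findings.Add("IPv4 address $($ip.IPAddress)/$($ip.PrefixLength), origin $($ip.PrefixOrigin)")
        # 169.254.0.0/16 is APIPA: no DHCP lease was obtained and the client configured itself
        if ($ip.IPAddress -like '169.254.*') {
            $findings.Add('APIPA address in use: DHCP lease not obtained; verify DHCP reachability or static settings.')
        }
    } else {
        $findings.Add("No IPv4 address on '$InterfaceAlias'.")
    }

    # Step 3: default gateway and DNS servers actually in use
    $cfg     = Get-NetIPConfiguration -InterfaceAlias $InterfaceAlias -ErrorAction SilentlyContinue
    $gateway = $cfg.IPv4DefaultGateway.NextHop
    $dns     = $cfg.DNSServer | Where-Object AddressFamily -eq 2 | ForEach-Object ServerAddresses   # 2 = IPv4
    $findings.Add("Gateway: $gateway; DNS servers: $($dns -join ', ')")

    # Step 4: ping by address, then by name; the combination separates IP problems from DNS problems
    $byIp   = Test-Connection -ComputerName $TargetAddress -Count 2 -Quiet
    $byName = Test-Connection -ComputerName $TargetName    -Count 2 -Quiet

    $diagnosis = switch ($true) {
        ($byIp -and $byName)      { 'IP and name resolution both work; look at SMB, firewall or permissions.'; break }
        ($byIp -and -not $byName) { 'IP works but the name does not: DNS server address or suffix problem.'; break }
        default                   { 'No IP reachability: address, mask, gateway, adapter or protocol binding problem.' }
    }

    [pscustomobject]@{
        PingByAddress = $byIp
        PingByName    = $byName
        Diagnosis     = $diagnosis
        Findings      = $findings.ToArray()
    }
}

# Usage
$r = Invoke-ConnectivityTriage
$r.Findings
$r.Diagnosis
```

The order of the checks mirrors the lab: fix whatever stops the ping by address first (Task 1 of Exercise 2), then re-run to confirm only the name-resolution problem remains (Task 3).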
To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.

Lesson 5
Implementing Wireless Network Connectivity
An increasing number of devices use wireless connections as the main method for accessing corporate
intranets and the Internet. Also, many users have come to expect a wireless infrastructure in a corporate
workplace. As a result, a strong knowledge of wireless connectivity is a requirement for today's
networking environment. This lesson discusses the various wireless standards and the configuration and
support of Windows 8.1 wireless clients.
Lesson Objectives
After completing this lesson, you will be able to:
Describe wireless network technologies.
Describe Windows 8.1 support for wireless broadband.
Explain how to configure wireless network settings.
Describe considerations for improving wireless signal strength.
Explain how to resolve wireless network connection issues.
Wireless Network Technologies
Wireless networking uses radio waves to connect
wireless devices to other network devices. Wireless
networks generally consist of wireless network
devices, wireless access points (WAPs), and
wireless bridges that conform to 802.11x wireless
standards.
Wireless Network Topologies
There are two types of wireless topologies:
Infrastructure. Infrastructure wireless networks
consist of wireless LANs and cellular networks.
They require the use of a device like a WAP to
allow communication between client wireless devices. Infrastructure wireless networks are managed
centrally.
Ad hoc. Ad hoc networks can connect wireless devices dynamically in a peer-to-peer configuration
without the use of any infrastructure devices.
802.11x Wireless Standards
The 802.11 standard has been evolving since 1997. There have been many improvements in transmission
speed and security of the 802.11 technology since then. Each new standard is designated by a letter of the
alphabet, as described in the following table.
Specification Description
802.11a This is the first extension to the original 802.11 specification. It provides up to 54
megabits per second (Mbps) and operates in the 5 gigahertz (GHz) range. It is not
compatible with 802.11b.
802.11b This specification provides 11 Mbps and operates in the 2.4 GHz range.
802.11e This specification defines Quality of Service and multimedia support.
802.11g This specification is used for transmission over short distances at speeds up to 54 Mbps.
It is backward-compatible with 802.11b, and operates in the 2.4 GHz range.
802.11n This specification adds multiple-input and multiple-output, thereby providing increased
data throughput at speeds up to 100 Mbps. It vastly improves speed over previous
specifications, and it supports both 2.4GHz and 5 GHz ranges.
802.11ac This specification builds on 802.11n to attain data rates of 433 Mbps. 802.11ac operates
only in the 5 GHz frequency range.
Wireless Security
Wireless security has been the biggest consideration for organizations planning a wireless implementation.
Because wireless traffic travels across open airwaves, it is susceptible to interception by attackers. Several
security technologies have been employed to address these concerns. Most Wi-Fi devices support
multiple security standards. The following table describes the current security methods available for
wireless networks:
Security method Description
Wired Equivalent Privacy (WEP). WEP is the oldest form of wireless security. Some devices support different
versions: WEP 64-bit key, WEP 128-bit key, and WEP 256-bit key. The security issues surrounding WEP are
well-documented, and WEP should no longer be used unless it is the only alternative.
Wi-Fi Protected Access (WPA). Developed to replace WEP, WPA has two variations:
WPA-Personal. WPA-Personal was designed for home and small business networks and is easier to
implement than WPA-Enterprise. It involves providing a security password, and it uses a technology called
Temporal Key Integrity Protocol. The password and the network service set identifier (SSID) are used to
generate constantly changing encryption keys for each wireless client.
WPA-Enterprise. WPA-Enterprise is designed for corporate networks. It involves the use of a RADIUS
server for authentication.
WPA2. This is an improved version of WPA that has become the Wi-Fi security standard. WPA2 employs
Advanced Encryption Standard (AES), which employs larger encryption key sizes.

The security methods that are supported by a given wireless device depend on the vendor and the age of
the device. All modern wireless devices should support WPA2.
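The following script is an added example, not part of the course, that audits the Wi-Fi profiles saved on a Windows 8.1 computer and flags any that still use WEP or open authentication. It parses the output of netsh wlan, so it assumes the English output labels; on a localized installation the label text differs.

```powershell
# Added example (not from the course): audit saved Wi-Fi profiles and flag the
# ones that still rely on WEP or open authentication. Assumption: English
# "netsh wlan" output labels.
function Get-NetshValue {
    param([string[]]$Lines, [string]$Label)
    # First line that looks like "    <Label>    : <value>"
    $line = $Lines | Where-Object { $_ -match "^\s*$Label\s*:" } | Select-Object -First 1
    if ($line) { ($line -split ':', 2)[1].Trim() } else { 'unknown' }
}

function Get-WlanProfileSecurity {
    [CmdletBinding()]
    param()

    # Saved profiles are listed as "    All User Profile     : <name>"
    $names = netsh wlan show profiles | ForEach-Object {
        if ($_ -match 'Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
    }

    foreach ($name in $names) {
        $detail = netsh wlan show profile name="$name"
        $auth   = Get-NetshValue -Lines $detail -Label 'Authentication'
        $cipher = Get-NetshValue -Lines $detail -Label 'Cipher'

        # Rate against the methods in the table: WEP and open networks are weak,
        # WPA with TKIP is legacy, and WPA2 with AES (reported by netsh as CCMP)
        # is the expected baseline.
        $rating = switch -Regex ($auth) {
            '^(Open|WEP)' { 'Weak: replace with WPA2'; break }
            '^WPA-'       { if ($cipher -eq 'TKIP') { 'Legacy: WPA with TKIP' } else { 'Legacy: WPA' }; break }
            '^WPA2'       { if ($cipher -eq 'CCMP') { 'OK: WPA2 with AES' } else { "Review: WPA2 with $cipher" }; break }
            default       { "Review: $auth" }
        }

        [pscustomobject]@{
            Profile        = $name
            Authentication = $auth
            Cipher         = $cipher
            Rating         = $rating
        }
    }
}

# Usage: list all profiles, then only those that need attention
Get-WlanProfileSecurity | Format-Table -AutoSize
Get-WlanProfileSecurity | Where-Object { $_.Rating -notlike 'OK*' }
```

A profile rated Weak is worth removing with netsh wlan delete profile so the client cannot silently reconnect to a WEP or open network with that name.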
Windows 8.1 Support for Wireless Broadband
Mobile broadband is the term used to describe a
wireless wide area network that provides wireless
Internet access by using mobile devices from any
location where cellular service is available. This
ability requires a mobile broadband subscription
to a data service from a provider. In previous
versions of Windows operating systems, custom
drivers were required along with a mobile data
card, which might be in the form of a PC Card,
USB dongle, or an internal laptop module.
Microsoft has worked with broadband providers
and hardware vendors to design a new mobile
broadband driver that is supported by certified broadband devices and is built into Windows 8 and
Windows 8.1, making the broadband connection experience as simple as plugging in a device.
Broadband Management
Most mobile broadband devices came with some type of connection management software that had to
be installed on the PC and configured by the end user. Depending on the provider, this software might be
difficult for an end user to configure, and it sometimes interfered with Windows internal connection
management functions. In Windows 8 and Windows 8.1, you can use the network settings to manage
individual Wi-Fi, broadband, or Bluetooth devices to turn them off or on. You do not have to install extra
software. Windows 8.1 also supports airplane mode, which allows all radio devices to be disabled at once.
Windows 8.1 also gives priority to available preferred Wi-Fi networks over broadband connections by
default. When you are out of range of a preferred Wi-Fi network, the broadband connection is restored
automatically.
Many data plans have limits on how much data you can use before extra charges come into play. To track
data usage, each individual wireless network provides information on the current amount of data that you
have used. You have the ability to reset the counter when you choose, so you can track data usage the
way you want, for example, on a monthly basis or even by session.
Plan Purchase
If you already have a subscription to a data plan with a provider, you just need to plug in your device. If
you want to purchase a subscription, you can go to the Network Settings pane, and click Connect next to
an advertised provider's icon. This will direct you to the provider's website where you can purchase a data
plan. After purchasing your plan, your PC can be provisioned automatically for that provider's network. In
the background, the Windows operating system uses an access point name database to gather
information to provision your system to connect to the provider's network.
Broadband Tethering
Windows 8.1 supports broadband tethering for up to 10 devices. Now, any computer or device can use a
broadband-enabled Windows 8.1 device as a wireless hotspot. To set up tethering, you only have to share
the network connection from the Network item in Control Panel. Once shared, a network name and
password are required. The password must be eight characters long.
Configuring Wireless Network Settings
The first time you connect to a wireless network,
you must provide a Windows operating system
with the correct information to make a successful
connection. There are a number of ways to
connect to existing wireless networks in
Windows 8 or Windows 8.1.
Connecting to a Wireless Network from
Control Panel
The method of connecting from Control Panel has
not significantly changed from Windows 7. To
connect to a wireless network from Control Panel,
perform the following procedure:
1. In Control Panel, view by icons and open the Network and Sharing Center.
2. In the Network and Sharing Center window, click Set up a new connection or network.
3. In the Set up a Connection or Network window, click Manually connect to a wireless network, and
then click Next. This option will only appear if a wireless device is installed.
4. In the Manually connect to a wireless network window, enter the following details:
a. Network name. A friendly name to identify the network.
b. Security type. WEP, WPA-Personal, WPA-Enterprise, WPA2-Personal, or WPA2-Enterprise.
c. Encryption key. Temporal Key Integrity Protocol or AES.
d. Security key. The password configured for the wireless network.
5. You also have the option to Start the connection automatically and Connect even if the network
is not broadcasting.
After the initial configuration of the network, you can open the properties to change settings or to further
configure the wireless network to:
Connect automatically when in range.
Connect to a more preferred network if available.
Connect even if the network is not broadcasting its name (SSID).
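The script below is an added example, not part of the course, that maps the fields from the Manually connect to a wireless network procedure (network name, WPA2-Personal security type, AES encryption, security key, automatic connection, and non-broadcast SSID) onto the WLAN profile XML that netsh wlan add profile imports. The network name and passphrase in the usage call are placeholders.

```powershell
# Added example (not from the course): build and import a WPA2-Personal / AES
# profile from the same fields the manual-connection dialog asks for.
# The SSID and passphrase used below are placeholders.
function New-Wpa2PersonalProfile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Ssid,
        [Parameter(Mandatory)][string]$Passphrase,
        [switch]$ConnectAutomatically,
        [switch]$NonBroadcast
    )

    if ($Passphrase.Length -lt 8 -or $Passphrase.Length -gt 63) {
        throw 'A WPA2-PSK passphrase must be 8 to 63 characters.'
    }

    # Escape user-supplied strings so they cannot break the XML
    $ssidXml = [System.Security.SecurityElement]::Escape($Ssid)
    $keyXml  = [System.Security.SecurityElement]::Escape($Passphrase)
    $mode    = if ($ConnectAutomatically) { 'auto' } else { 'manual' }   # "Start this connection automatically"
    $hidden  = if ($NonBroadcast) { 'true' } else { 'false' }           # "Connect even if the network is not broadcasting"

    # authentication WPA2PSK + encryption AES is the WPA2-Personal / AES choice in the dialog
@"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$ssidXml</name>
  <SSIDConfig>
    <SSID><name>$ssidXml</name></SSID>
    <nonBroadcast>$hidden</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>$mode</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>$keyXml</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"@
}

function Install-Wpa2PersonalProfile {
    param(
        [Parameter(Mandatory)][string]$Ssid,
        [Parameter(Mandatory)][string]$Passphrase,
        [switch]$ConnectAutomatically,
        [switch]$NonBroadcast
    )
    $xml  = New-Wpa2PersonalProfile -Ssid $Ssid -Passphrase $Passphrase `
                -ConnectAutomatically:$ConnectAutomatically -NonBroadcast:$NonBroadcast
    $path = Join-Path $env:TEMP ('wlan-{0}.xml' -f [guid]::NewGuid())
    try {
        # The key is in clear text in this file; Windows stores it protected once
        # imported, so write, import and delete the file in one step.
        [System.IO.File]::WriteAllText($path, $xml, (New-Object System.Text.UTF8Encoding $false))
        netsh wlan add profile filename="$path" user=all
    } finally {
        Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
    }
}

# Usage with placeholder values
Install-Wpa2PersonalProfile -Ssid 'CONTOSO-WIFI' -Passphrase 'ReplaceWithRealKey1' -ConnectAutomatically
netsh wlan show profile name="CONTOSO-WIFI"
```

Once imported, the profile shows up in the same Manage Wireless Networks list as one created through the dialog, and its properties can be changed there in the usual way.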
Connecting to a Wireless Network from the Network Settings Pane
In Windows 8 or Windows 8.1, you can use the Network Settings pane from the Start screen settings to
configure wireless network settings by performing the following procedure:
1. Access the Charms bar, and then click Settings.
2. Click the wireless network Available icon. If no wireless networks are in range, the icon will say
Unavailable. The Networks pane will appear with a list of available wireless networks.
3. Click the name of the wireless network you want to connect to, and then click Connect.
4. Enter the password for your wireless network.
5. Choose whether you want to share your files with others on the network.
Windows will remember the settings and automatically reconnect when you are in range. If you need to
change the configuration, you can right-click the wireless network name in the Network pane and then
click View connection properties.
Considerations for Improving Wireless Signal Strength
When you design your wireless network, you can
take a number of steps to optimize the wireless
signal strength in your environment. A poorly
designed wireless network will cause frustration
and result in multiple help desk calls. By following
best practices for wireless networking, you can
provide your users with a better wireless
experience. The first step is to analyze the
requirements for the wireless network. Two major
considerations are:
What is the size and design of the physical
area for which you need wireless coverage?
What channel or frequency does your wireless network operate in?
Considerations for the Physical Environment
The building layout and construction material can significantly affect signal interference. Buildings with a
lot of brick or steel construction pose issues with signal availability. When placing WAPs, you should avoid
physical obstructions as much as possible. Even objects such as metal cabinets can cause signal blockage.
Try to avoid placing WAPs near reflective surfaces. Signals can bounce off mirrors and windows, thereby
reducing signal range. Avoid installing WAPs close to electrical equipment such as motors and fluorescent
lights. Consider using Wi-Fi repeaters to extend the range of the WAP to provide better coverage.
Considerations for the Wireless Channel and Frequency
Interference can come from other networks. If you are in a small area with many competing wireless
networks, such as in large office buildings, you might be able to get better performance by changing the
Wi-Fi channel. WAPs operate on specific channels and usually come preconfigured for a certain channel.
There are non-Microsoft tools available that you can use to analyze your environment and see which
channels are the most populated by other wireless networks. Choose the channel with the least traffic for
your network. The 2.4 GHz frequency and the 5 GHz frequency support different channels.
Other considerations to improve your wireless environment include:
Update your firmware to the latest versions for both WAPs and client network adapters.
On Windows 8.1, you can adjust the Advanced Power Options for the wireless network adapter to use
maximum power.
Consider using Wi-Fi repeaters to extend the range of the WAP to provide better coverage.
Consider upgrading the antenna of the WAP, and consider the use of hi-gain and omnidirectional
antennas to increase signal distance and coverage.
Resolving Wireless Network Connection Issues
A wireless connection might fail for many reasons.
The following table describes some of the
common issues, and the methods you can use to
resolve these issues.
Issue Resolution
Wireless adapters are not enabled on the laptop. Laptops that have built-in wireless adapters have a
physical switch that can enable or disable the wireless adapter. Each vendor will be different, but make
sure that the wireless adapter is enabled.
Security type or passwords are incorrectly configured. Make sure that the wireless password is entered
correctly. In smaller wireless networks, this information can be found on the administration page of the
wireless router.
Drivers are corrupted or outdated. Make sure that the wireless adapter has the proper drivers. You might
have to go to the vendor site to obtain the latest version of drivers.
Firmware updates are missing. As with drivers, make sure the wireless adapter firmware is current. You
might have to go to the vendor site to obtain the latest version.
Wireless connection settings are incorrectly configured. Make sure the correct SSID is configured. Make
sure the wireless adapter is configured to use the proper encryption protocol, such as WPA or WPA2.
Hardware issues. Make sure that the wireless adapter is supported by the Windows operating system. You
can perform this check at the Windows Compatibility Center.

Windows Compatibility Center
http://go.microsoft.com/fwlink/?LinkId=378234&clcid=0x409
You also can use the Windows automated troubleshooter in Windows 8.1. Right-click the network icon in
the notification area of your taskbar, and then click Troubleshoot problems.
Module Review and Takeaways
Common Issues and Troubleshooting Tips
Common Issue Troubleshooting Tip
Windows 8.1 host cannot connect to a Microsoft SharePoint 2010 site.
Windows 8.1 host cannot access the database server.
Windows 8.1 host cannot connect to the Internet.
DNS server is not resolving FQDNs correctly.
Review Questions
Question: After starting her computer, Amy notices that she is unable to access her normal
resources. What tool can she use to determine if she has a valid IP address?
Question: When transmitting accounts receivable updates to a billing partner in China, Amy
notices that the files are being transmitted slowly. What tool can she use to determine the
network path and latency of the network?
Question: Amy notices that she cannot access normal enterprise websites. She knows that she
has a valid IP address but wants to troubleshoot the DNS access of her computer. What tool must
she use?
Question: What is the IPv6 equivalent of an IPv4 APIPA address?
Question: You are troubleshooting a network-related problem, and you suspect a name-
resolution issue. Before conducting tests, you want to purge the DNS resolver cache. How do you
do that?
Question: You are troubleshooting a network-related problem. The IP address of the host you
are troubleshooting is 169.254.16.17. What is a possible cause of the problem?
Tools
You can use the following tools to troubleshoot network connectivity issues.
Tool Description
Network and Sharing Center The Network and Sharing Center informs you about your network
and verifies whether your computer can access the Internet
successfully. Then, it summarizes this information in the form of a
network map.
Netsh.exe Netsh.exe is a command-line tool that you can use to configure
network properties.
Pathping.exe Pathping.exe is a command-line tool that combines the
functionality of Ping and Tracert, which you can use to
troubleshoot network latency and provide information about
path data.
NSlookup.exe NSlookup.exe is a command-line tool that you can use to test and
troubleshoot DNS and name-resolution issues.
IPConfig.exe IPConfig.exe is a general IP configuration and troubleshooting
tool.
Ping.exe Ping.exe is a basic command-line tool that you can use for
verifying IP connectivity.
Tracert.exe Tracert.exe is similar to Pathping, which provides information
about network routes.
Windows PowerShell Windows PowerShell is a command-line shell and scripting
language that provides cmdlets to view and configure network
settings.

Module 7
Configuring Resource Access for Domain-Joined and
Non-Domain Joined Devices
Contents:
Module Overview 7-1
Lesson 1: Configuring Domain Access for Windows 8.1 Devices 7-2
Lesson 2: Configuring Resource Access for Non-Domain Devices 7-8
Lesson 3: Configuring Workplace Join 7-16
Lesson 4: Configuring Work Folders 7-21
Lab: Configuring Resource Access for Non-Domain Joined Devices 7-29
Module Review and Takeaways 7-34

Module Overview
Before you can start working on a computer with the Windows 8.1 operating system, you first must sign
in. Signing in to a computer is a mandatory step, and based on your computer membership, you can sign
in with a local account, a domain account, or a Microsoft account. In an Active Directory Domain
Services (AD DS) environment, you typically would use a domain account exclusively because it has many
benefits. But in today's world, users are not restricted to using company-owned computers only. They
commonly use their own devices for accessing company data. Windows 8.1 and Windows Server 2012 R2
have several new features such as Workplace Join, Work Folders, and Remote Business Data Removal that
are useful in such Bring Your Own Device (BYOD) scenarios. In this module, you will learn about the
benefits of domain accounts and Windows 8.1 features that are useful when administrators need to
control resource access for non-domain devices. You also will learn how to configure and use Workplace
Join and Work Folders.
Objectives
After completing this module, you will be able to:
Configure domain access for Windows 8.1 devices.
Configure resource access for non-domain devices.
Configure the Workplace Join feature in Windows 8.1.
Configure the Work Folders feature in Windows 8.1.
Lesson 1
Configuring Domain Access for Windows 8.1 Devices
A domain environment offers many advantages over workgroups, but it also has some specific
requirements. One of the requirements of a domain environment is that a device must be joined to the
domain before you can sign in to the device with a domain account. When you use a domain account,
you can access resources such as network shares and printers without entering your credentials again.
Single sign-on (SSO) provides you with transparent access to domain resources. Windows 8 and newer
versions enable you to connect your Windows account with your Microsoft account and transparently
access cloud-based services, such as SkyDrive and Outlook.com.
Lesson Objectives
After completing this lesson, you will be able to:
Compare the features of local accounts and domain accounts.
Describe the benefits of a domain-based environment.
Describe the methods for adding a computer to a domain.
Add a computer to a domain.
Explain how to use a Microsoft account in Windows 8.1.
Local Accounts vs. Domain Accounts
When you want to sign in, you have to present
some form of authentication. You typically sign in
by providing a user name and a password,
although you can use other forms of
authentication, such as a picture password or a
smart card. Authentication is the process that
confirms your identity and provides you with
credentials after the authentication is successful.
Windows 8.1 stores a list of local users in the part
of the registry called the Security Accounts
Manager database. If a Windows 8.1 computer is a
member of a workgroup, only local users can sign
in. If a Windows 8.1 computer is a member of an AD DS domain, you can sign in either as a local user or
as a domain user. A list of domain users is stored in AD DS, and authentication is performed by one of the
domain controllers, which is a Windows-based server that has the AD DS role service installed. After users
authenticate and they are allowed to log on locally, their logon process is provided with user credentials,
also called a security token, and the Start screen or desktop is displayed.
When you sign in as a local user, you are authenticated by the computer to which you sign in. If you sign
in as a domain user, you are authenticated by a domain controller, which is trusted by the computer on
which you entered your credentials, because the computer is a domain member. If you sign in to a
Windows 8.1 computer as a local user and want to access a shared folder on a file server, there is an
immediate problem: the server does not trust the credentials you presented to it because you have been
authenticated by an unknown or untrusted computer. A file server only trusts its own identity store, its
own Security Accounts Manager, or AD DS if the file server is a domain member. Therefore, if you want to
access a file server, you must be signed in as a domain user, or the file server must have your user account
in its local Security Accounts Manager. If your local user name and password are identical on the file
server and the Windows 8.1 computer, the authentication process that occurs is transparent. This type of
authentication is called pass-through authentication. If, however, the logon names or passwords do not
match, you will be prompted to enter credentials that are valid for the file server that you attempt to
access.
The challenges of using local accounts are solved by centralizing the account store and making sure that
this store is trusted by all computers. AD DS provides a centralized account store that is trusted by all
computers that are domain members. If you sign in with a domain account, you can access other domain
computers, without providing your user name and password again, by using SSO.
Question: Can you create a domain account on a Windows 8.1 computer?
Benefits of a Domain-Based Environment
A Windows 8.1 computer can be a workgroup
member or a member of a domain. If a computer
is a workgroup member, you can sign in only by
using a local account. In a workgroup, each user
must have a local user account on each computer
to which he or she needs to gain access. For
example, if five users are using five computers in a
workgroup, and each user needs access to
resources on all five computers, you would need
to create 25 user accounts. When a change is
made to a user account in a workgroup, such as
when a user changes their password, you must
make the change to all the accounts for that user on every computer in the workgroup so that the user
continues to have access to all necessary resources.
You can set up a workgroup easily, and no server infrastructure is required for that. But when you need to
manage more than just a few computers, you should not use a workgroup environment. A domain-based
environment has significant advantages. It provides centralized authentication services and management
for all domain-joined computers and domain users. If you need to set up a domain-based environment,
you must use Windows servers as domain controllers, and you also need additional infrastructure such as
Domain Name System (DNS) servers. A domain-based environment provides many benefits when you
need to manage more than a few computers and users. The following sections describe some of the
benefits that are provided by a domain-based environment.
Better Scalability
Domains are more scalable and can store and use billions of objects, such as domain users and computer
accounts. The key component of a Windows-based domain is AD DS. In AD DS, computers, similar to
users and groups, have accounts in the domain and are security principals. This means that computer
accounts have security IDs (SIDs), can belong to groups, and can be given or denied access to resources.
All security principal accounts are treated as AD DS objects, and along with other objects are stored in the
AD DS database. The database resides on a domain controller. Domains can have any number of domain
controllers, and the AD DS database is replicated to all domain controllers in the domain. To provide
redundancy and fault tolerance, even the smallest domains should have at least two domain controllers.
Central Administration
An AD DS database is stored on every domain controller. Any domain controller can perform
authentication, and you can modify domain objects on any writable domain controller. Consider a
scenario where, as an administrator, you connect to a domain controller and modify an AD DS object by
creating, modifying, or deleting domain users. You can perform these changes on any domain controller,
and the changes to the AD DS database are replicated automatically from the domain controller on which
you performed the change to all other domain controllers.
Delegation of Control
In a domain environment, you can control permissions for every object in AD DS. Every AD DS object has associated security settings, and by modifying the security of AD DS objects, you can delegate control in a domain environment. For example, you can allow members of the Help Desk group to reset user account passwords, or allow site administrators to manage only the AD DS objects at their site. You can delegate control at different levels. For example, you can delegate permissions for the whole domain, for an organizational unit (OU), or for a single computer account, and the delegation can be as specific as a single property of an object.
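The delegation described above, written out as an added Windows PowerShell example rather than the course's own Delegation of Control Wizard steps: it grants a Help Desk group the "Reset Password" extended right, plus read and write access to pwdLastSet (so the group can also tick "User must change password at next logon"), on user objects under one OU only. The OU name, the group name, and the presence of the RSAT AD DS module are assumptions; the three schema GUIDs are fixed, well-known values in every AD DS forest.

```powershell
# Added example, not part of the course text. Run as a domain administrator on a host
# that has the ActiveDirectory PowerShell module (a domain controller or RSAT).
Import-Module ActiveDirectory

$ouDN      = 'OU=Sales,DC=adatum,DC=com'   # assumed OU that Help Desk may manage
$groupName = 'HelpDesk'                     # assumed security group

# Well-known schema GUIDs (identical in every AD DS forest):
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0562'  # "Reset Password" extended right
$pwdLastSetAttr     = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

$sid = (Get-ADGroup $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

# Apply to descendant user objects only: not to computers, groups, or the OU itself.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: the extended right "Reset Password" on user objects below the OU.
$resetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRight,
    $inherit,
    $userClass
)
$acl.AddAccessRule($resetAce)

# ACE 2: read/write pwdLastSet, needed for "User must change password at next logon".
$pwdAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $pwdLastSetAttr,
    $inherit,
    $userClass
)
$acl.AddAccessRule($pwdAce)

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs on this OU that apply to the Help Desk group.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Scoping both ACEs to descendant user objects is what keeps the delegation minimal: the group gets no rights on computer or group objects, and no generic write on the users, which is what the wizard's "Reset user passwords and force password change at next logon" task grants as well.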
Better Control and Event Logging
A domain environment allows you to be very specific in controlling which computers or folders a specific account can access, and to log that account's actions. This is something that cannot be done in a workgroup. SSO enables you to enter credentials only once and then access resources on different domain computers without entering credentials again. Actions that you perform, such as printing a document or reading a document from a file share, can be logged on the system where the action happened and then forwarded to a single collection point (for example, by using Windows Event Forwarding).
Managing the Environment by Using Domain-Based GPOs
In a domain environment, you can use domain-based Group Policy Object (GPO) policies and preferences
that you can apply to many users and computers at once. You can use a GPO to set any setting that is
applicable to a user or computer, such as ensuring that computers get important security updates or that
users get mapped drives and printers prepopulated on their devices.
Question: How can you enable help desk employees to reset user passwords in a domain
environment? Which tool should you use?
Methods Used to Add a Computer to a Domain
When a computer joins a domain, it delegates the task of authenticating users to the domain. When a user logs on to a computer with a domain account, the user is authenticated by a domain controller rather than the local Security Accounts Manager (SAM). In other words, the computer now trusts another authority to validate a user's identity. Trust between a domain member computer and its domain is established when you join the computer to the domain. Because all domain member computers trust the domain, they also trust each account that is authenticated by that domain. This allows users with a domain account to access resources on all domain computers with a single account, and by entering their credentials only once, because a domain environment provides the SSO capability.
Before you can add a computer to a domain, several conditions must be met:
A domain must exist before you can add a computer to it. If you add a computer to a workgroup, the workgroup is created when the first computer joins it. But before you can add a computer to a domain, the AD DS domain must already exist and at least one domain controller must be reachable.
The computer must be able to locate a domain controller. A DNS server typically is used to resolve and locate a domain controller, which means that the computer must have the correct TCP/IP settings, including the address of a DNS server that hosts the domain's service (SRV) records.
You must have local administrator permissions on the computer. Only members of the local Administrators group can add a computer to a domain.
You must have permissions to create a computer account in the domain, or a computer account must already exist and you must have permissions to modify that account.
There are several different ways to add a computer to a domain. First, you can create a computer account in a domain, which is called prestaging a computer account, and then add the computer to a domain. You also can add a computer to a domain and let the computer account be created automatically during that step. Prestaging a computer account has two benefits. You can control the part of the AD DS domain in which a computer object is created, and you can delegate to a specific user or group the permission to join that particular computer to the domain. If you add a computer to a domain and create its account in the same step, the account is created in the default location unless you specify an OU. By default, new computer accounts are created in the Computers container.
Note: You can change the default AD DS location where new computer accounts are created by using the redircmp.exe command.
As an administrator, you can prestage a computer account by using Active Directory tools such as Active Directory Users and Computers or Active Directory Administrative Center, which are installed on a domain controller by default. You can add a computer to a domain by configuring the computer's System Properties dialog box or by using the Windows PowerShell command-line interface.
Use the following cmdlet to add a computer to a domain by using Windows PowerShell.
Add-Computer -Credential adatum\administrator -DomainName adatum.com
When you use the Add-Computer cmdlet, you also can specify the AD DS location where the computer account should be created. For example, you could use the following cmdlet.
Add-Computer -Credential adatum\administrator -DomainName adatum.com -OUPath "OU=NewComputerOU,DC=adatum,DC=com"
After you add a computer to the domain, you must restart it for the join to take effect. You can restart a computer by using the Restart-Computer cmdlet, by adding the -Restart parameter to Add-Computer, or by using the Power options on the Settings charm.
Question: Can a local administrator add a Windows 8.1 computer to a domain?
Demonstration: Adding a Computer to a Domain
In this demonstration, you will see how you can add a computer to a domain by modifying its system
properties and by using Windows PowerShell.
Demonstration Steps
Join a computer to a domain by using the UI
1. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL1 computer
account is not present in the Computers container.
2. Sign in to LON-CL1 as Admin with password Pa$$w0rd.
3. Navigate to the System Properties Computer Name tab, and then join LON-CL1 to the
Adatum.com domain by using the adatum\administrator credentials.
4. Restart LON-CL1.
5. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
6. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL1 computer
account is created in the Computers container.
Join a computer to a domain by using Windows PowerShell
1. Sign in to LON-CL2 as admin with password Pa$$w0rd.
2. Open Windows PowerShell with Administrator credentials.
3. Type the following command.
Add-Computer -Credential adatum\administrator -DomainName adatum.com -OUPath "OU=NewComputerOU,DC=adatum,DC=com"
4. Restart LON-CL2.
5. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
6. On LON-DC1, use Active Directory Users and Computers to verify that the LON-CL2 computer
account is created in the NewComputerOU organizational unit.
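The join procedure from the preceding text and demonstration, carried through as an added example that is not part of the course: it prestages the computer account in the intended OU, checks on the client that DNS advertises a domain controller and that the clock is within Kerberos tolerance, joins with prompted credentials, and verifies the resulting secure channel. The names follow the course lab (adatum.com, LON-CL2, OU=NewComputerOU) but are assumptions; so is the availability of the ActiveDirectory module on the domain controller.

```powershell
# Added example, not part of the course text.

# --- Part 1: on LON-DC1 (or any host with the ActiveDirectory module), as a domain admin ---
Import-Module ActiveDirectory
$ou = 'OU=NewComputerOU,DC=adatum,DC=com'   # assumed target OU

# Prestage the account so the join lands in the OU you intend, whoever performs the join.
# Without prestaging, Add-Computer creates the account in the Computers container
# (or wherever -OUPath points), which usually means the default GPOs for workstations do not apply.
if (-not (Get-ADComputer -Filter "Name -eq 'LON-CL2'" -SearchBase $ou -ErrorAction SilentlyContinue)) {
    New-ADComputer -Name 'LON-CL2' -SamAccountName 'LON-CL2$' -Path $ou -Enabled $true
}

# --- Part 2: on LON-CL2, in an elevated Windows PowerShell session (local Administrators) ---
$domain = 'adatum.com'

# Condition from the text: the client must be able to locate a DC through DNS.
# The domain locator looks up the _ldap._tcp.dc._msdcs.<domain> SRV record for writable DCs.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
"DCs advertised in DNS: $($srv.NameTarget -join ', ')"

# Kerberos rejects tickets when clocks differ by more than 5 minutes (default), so compare
# the local clock with the first DC before joining.
w32tm /stripchart /computer:$($srv[0].NameTarget) /samples:1 /dataonly

# Prompt for the joining account instead of typing its password on the command line,
# where it would end up in the PowerShell history and in any command-line auditing.
$cred = Get-Credential -UserName 'adatum\administrator' -Message 'Account allowed to join LON-CL2'

# Because the account is prestaged, -OUPath is not needed: the join binds to the existing
# account. Use -OUPath only when you let Add-Computer create the account.
# -Restart reboots immediately, which the join requires to take effect.
Add-Computer -DomainName $domain -Credential $cred -Restart

# --- Part 3: after the restart, signed in to LON-CL2 with a domain account ---
# Verify the trust relationship (secure channel) between LON-CL2 and the domain.
Test-ComputerSecureChannel -Verbose     # True when the channel is healthy
# If it ever returns False (for example, after restoring an old image of the client),
# repair it without a rejoin:  Test-ComputerSecureChannel -Repair -Credential (Get-Credential)

# --- Part 4: back on LON-DC1, confirm where the account ended up ---
Get-ADComputer -Identity 'LON-CL2' -Properties OperatingSystem, whenCreated |
    Select-Object DistinguishedName, Enabled, OperatingSystem, whenCreated
```

The secure channel check is the practitioner's confirmation that the computer account password in AD DS and the one stored locally still match; a failing check is the usual cause of "the trust relationship between this workstation and the primary domain failed" at sign-in.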
Using a Microsoft Account in Windows 8.1
Microsoft account, known as Windows Live ID or Microsoft Passport in earlier versions, provides you with a unified identity, which you can use for authenticating to Microsoft and other cloud-based services. You can use this account regardless of where you are, or what organization you might be part of. Your Microsoft account is made up of an email address and a password that you use to sign in to different services. You already have a Microsoft account if you sign in to services such as SkyDrive, Xbox LIVE, Outlook.com, or Windows Phone. Even if you have a Microsoft account, you can sign up for a new one.
Note: All Microsoft account credentials are passed to the Microsoft authentication server over an HTTPS connection, which protects them in transit with Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL).
Windows 8.1 is highly integrated with Microsoft account functionality. You can sign in to Windows 8.1 as a local user or a domain user, but you also can sign in by using a Microsoft account, either directly (Windows then backs it with a local account on the device) or by connecting it to an existing local or domain account. The first sign-in with a Microsoft account requires Internet connectivity so that the credentials can be validated; after that, Windows caches the credentials, and you can sign in to the device while it is offline. When you use a Microsoft account, you can synchronize some of the Windows 8.1 settings between devices. You can control these settings in the PC Settings app. To access the PC Settings app, click the Settings charm, and then click Change PC settings at the bottom of the Settings charm. In the PC Settings app, you can set your account picture and desktop background, among other settings. After you set up Windows once, your settings will be synchronized to every computer you sign in to by using your Microsoft account.
When you connect a Microsoft account with your local or domain account, you can access Microsoft cloud services such as SkyDrive, and the Mail and Calendar apps. You can browse the Windows Store even if you do not have a Microsoft account, but to download and install an app from the Windows Store, you must sign in with a Microsoft account.
Note: Your domain account or Group Policy settings might not allow you to connect a Microsoft account or sync some settings. The security option Accounts: Block Microsoft accounts is the setting an administrator uses to prevent users from adding a Microsoft account, or from signing in with one at all.
You can disconnect your Microsoft account from your account whenever you want. To do so, click Change PC settings on the Settings charm, click Accounts, and then click Disconnect your Microsoft account.
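An added Windows PowerShell example, not from the course, that serves both the "Managing the Environment by Using Domain-Based GPOs" section and the note above: it creates one domain GPO that forces automatic Windows Update installation and blocks Microsoft accounts on the computers in an OU, links it, and reads the result back. The GPO name and OU are assumptions, as is the presence of the GroupPolicy module (RSAT); the registry paths are the ones the corresponding ADMX policy and security option write.

```powershell
# Added example, not part of the course text. Run as a domain admin with the GroupPolicy module.
Import-Module GroupPolicy

$gpoName = 'Workstation Baseline'                     # assumed GPO name
$target  = 'OU=NewComputerOU,DC=adatum,DC=com'       # assumed OU holding the workstations

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Forced updates; Microsoft accounts blocked'
}

# 1) Windows Update: "Configure Automatic Updates" = Enabled, option 4
#    (auto download and schedule the install). Set-GPRegistryValue writes these values
#    into the GPO's registry.pol, so they are enforced as policy, not as preferences.
$au = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
Set-GPRegistryValue -Name $gpoName -Key $au -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $au -ValueName 'AUOptions'    -Type DWord -Value 4 | Out-Null

# 2) Security option "Accounts: Block Microsoft accounts":
#    NoConnectedUser = 1 -> users cannot add Microsoft accounts to the device
#    NoConnectedUser = 3 -> users cannot add Microsoft accounts or sign in with one
$sys = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $sys -ValueName 'NoConnectedUser' -Type DWord -Value 3 | Out-Null

# Link once, enforced, so that a GPO linked lower in the OU tree cannot override the baseline.
$alreadyLinked = (Get-GPInheritance -Target $target).GpoLinks |
                 Where-Object { $_.DisplayName -eq $gpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $target -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Read back what the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key $au
Get-GPRegistryValue -Name $gpoName -Key $sys

# On a client in that OU, after 'gpupdate /force', confirm the values arrived:
#   Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name NoConnectedUser
#   Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
```

Blocking Microsoft accounts on domain-joined computers is a common baseline choice because a connected Microsoft account syncs passwords, Wi-Fi profiles and browser data to a cloud identity the organization does not control; value 3 is the strict form, value 1 still allows accounts that were connected before the policy applied.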
Signing Up for a Microsoft Account
You also can use your Microsoft account to access Windows Intune, Microsoft Office 365, Windows Azure, and other Microsoft cloud services. You can create a new Microsoft account at Outlook.com, or you can use an address that you already have as your Microsoft account. To sign up for a Microsoft account at the Microsoft account sign-up webpage, perform the following procedure:
1. Go to the Microsoft account sign-up webpage (http://go.microsoft.com/fwlink/?LinkID=291262).
2. To use your own email address for your Microsoft account, enter it. If your email provider supports Post Office Protocol version 3 (POP3), you can even manage your existing address in Windows Live Hotmail or Outlook.com. If you want to create a Hotmail account, click Sign up now, and then create a new email address for your Microsoft account.
3. Provide the rest of the information, and then read the Microsoft service agreement and the privacy
statement. If you agree to the terms, click I accept.
4. If you used an existing email address to sign up, you will need to verify it to prove that it is yours.
Question: Can you sign in to a Windows 8.1 computer by using a Microsoft account if the
computer does not have Internet connectivity?
Lesson 2
Configuring Resource Access for Non-Domain Devices
Domain-joined devices trust an AD DS domain. You can sign in to such devices by using domain credentials, and you can access domain resources without entering your credentials again. Non-domain devices are not trusted by domain controllers, and you do not have SSO benefits when you want to access domain resources from such devices. The Open Mobile Device Management protocol enables you to enroll and manage Windows 8.1 devices regardless of their domain membership. Because Windows 8.1 mobile devices can have different form factors and are not necessarily domain-joined, it is important to ensure that locally stored data is secure and that you can remotely wipe company data if the device is lost or stolen. New Windows 8.1 features such as Workplace Join, Work Folders, and Remote Business Data Removal address these needs, and you also can manage non-domain Windows 8.1 devices by using Windows Intune or Microsoft System Center 2012 R2 Configuration Manager.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the challenges of managing non-domain joined devices.
Explain how to manage data and settings on non-domain joined devices.
Describe the features of Open Mobile Alliance device management.
Describe the security features for non-domain joined devices.
Explain the purpose of the Remote Business Data Removal feature.
Describe how to manage non-domain joined devices by using Windows Intune and Configuration
Manager.
Challenges of Managing Non-Domain Joined Devices
In the past, users could use only computers that were connected to a company's LAN to access company data. But with the evolution of mobile technology and changing business demands, users today expect to be able to work at any location and have access to all their work resources. Wireless access is available almost everywhere, and traditional desktops and laptop computers often are replaced with new types of devices, such as convertible laptops, tablets, and smart phones. Users often use their own devices for accessing company data, and a BYOD scenario is common. Therefore, users still expect to use company apps and data on their devices. Having local copies of company data on user devices is a challenge for an Information Technology (IT) department because care must be taken that the data and access to it complies with company policy.
All these changes and the rapid adoption of new types of devices are changing the standards-based approach to managing a company's infrastructure. When a device is domain-joined, a company can control it because the device has an account in AD DS. Authentication is performed by a domain controller, company policies can be enforced by Group Policy, and products such as Configuration Manager can be used for collecting device inventories and managing devices. When a device is not domain-joined, the company has limited or no control over it because authentication is performed locally and
the domain has no knowledge of who is using the device. Domain accounts cannot sign in to a device and
cannot be used for managing a device or deploying apps. You also cannot apply domain Group Policy to
devices that are not domain-joined.
Question: Your company uses a client/server-based accounting app that cannot be installed
on the third-party operating system that is running on a users device. How can the user still
use the company accounting app from his device?
Managing Data and Settings on Non-Domain Joined Devices
With the consumerization of IT, people often use their own devices for accessing company resources. Such BYOD initiatives often are encouraged by a company. Windows 8.1 and Windows Server 2012 R2 include several features that make using devices that are not company-owned easier and more secure. These features include:
Windows To Go. Windows To Go is a Windows 8.1 Enterprise feature that enables you to install Windows 8.1 on USB flash media and start the device from that USB flash media. You can customize and domain-join Windows To Go to provide the same environment as when Windows 8.1 is installed locally. You can start your device with Windows To Go and work from a company-approved environment while personal data on the device remains intact.
Virtual Desktop Infrastructure (VDI). VDI is implemented in the Windows Server 2012 R2 Remote
Desktop Services role. VDI hosts multiple virtual desktops, which can be Windows 8.1 virtual
machines, to which you can connect from any device and have an experience similar to using a local
installation of Windows 8.1. You can use company apps and access company data from a virtual
desktop, but you must have network connectivity from your device to a virtual desktop.
Workplace Join. Traditionally, a device either was joined to a domain or was a workgroup member. You could access company resources from domain-joined devices, but from a workgroup device you had to enter domain credentials each time. Workplace Join was introduced in Windows 8.1 and requires Active Directory Federation Services (AD FS) on Windows Server 2012 R2 with the Device Registration Service enabled. When you join a device to a workplace, the device receives a certificate that identifies it, and that identity gives you SSO to company resources such as internal websites and business apps. An IT administrator also can use the registered device identity to control which apps and services are available from that device.
Open MDM protocol. You can use this protocol to manage mobile devices after they are enrolled into
the management system. Microsoft implemented Open MDM support in Windows 8.1, and you can
use it for managing tablets and other BYOD devices with third-party mobile device management
products. The Open MDM protocol supports capabilities such as inventory collection, settings
management, application management, certificate provisioning, Wi-Fi, virtual private network (VPN)
profile management, and data protection.
Web Application Proxy. You can use Web Application Proxy for publishing web applications from a company network to an external network. This enables users who are connected to an external network to access and use a company's web applications from any device. Web Application Proxy also enables Workplace Join for devices that are not connected to a company network.
Work Folders. You can use Work Folders to synchronize data from a companys Windows
Server 2012 R2 file server to your device. Work Folders functionality is similar to Offline Files, which
means that you can access and modify Work Folders content without network connectivity, and changes will synchronize back when network connectivity is restored. You can access Work Folders from an external network if Web Application Proxy is implemented, and domain membership is not required; the device can instead be enabled for Workplace Join.
Remote Business Data Removal. In a BYOD scenario, users access company data from devices that
also contain their personal data. One of the Remote Business Data Removal features is to treat
company data differently than personal data. An administrator can configure company data to be
encrypted on a device, and if a user leaves the company, company data stored on the device
automatically becomes inaccessible or is removed completely, while personal data is left intact.
Question: How does the Remote Business Data Removal feature enable you to comply with
a company security policy?
Overview of Open Mobile Alliance Device Management
The Device Management Working Group is part of the Open Mobile Alliance (OMA), and it specifies the protocols and mechanisms for managing mobile devices, service access, and software on various devices. The OMA has developed a client/server protocol that you can use to deliver configuration and management commands from a device management server to the devices that it manages. Before you can manage a device, you first must enroll it in the management system. A device presents its features to a management server as a hierarchical device management tree named the DM Tree, and the management of a device feature consists of the management of the DM Tree.
Microsoft is a member of the OMA, and it has implemented the Open MDM protocol in Windows 8.1. Open MDM is a client/server protocol that you can use to manage mobile devices that are already enrolled in a management service. It does not require a domain environment, but you first must enroll the device with the management server, and the device must trust that server before the device can be managed. Open MDM uses HTTPS between the server and the managed devices, which means that a public key infrastructure (PKI) must be in place: the server presents a certificate that chains to a root the device trusts, and enrollment provisions the device with a client certificate that it uses to authenticate to the server in later sessions. Features that can be managed by Open MDM depend on the implementation and on the device features. Open MDM supports the following features:
Inventory collection
Settings management
Application management
Certificate provisioning
Wi-Fi and VPN profile management
Data protection
The Windows 8.1 built-in device management client, which you enroll from the Workplace page of PC Settings by using Turn on device management, is based on the Open MDM protocol. Workplace Join, which appears on the same settings page, is a separate mechanism: it registers the device with the AD FS Device Registration Service and installs a device certificate, and it does not by itself enroll the device for management. You also can manage Windows 8.1 devices by using mobile device management products such as MobileIron or AirWatch, which communicate with the built-in client.
For more information, see the OMA device management working group website.
Device Management
http://go.microsoft.com/fwlink/?LinkId=378235&clcid=0x409
[MS-MDM]: Mobile Device Management Protocol
http://go.microsoft.com/fwlink/?LinkId=378236&clcid=0x409
Question: Which Windows 8.1 feature is based on the Open MDM protocol? How can you
benefit from the Open MDM implementation in Windows 8.1?
Security Features for Non-Domain Joined Devices
Windows 8.1 includes various security features that you can use in a domain or non-domain environment. Some security features are new or improved in Windows 8.1 and can be especially beneficial on non-domain joined devices. These security features include:
Mandatory sign-in. Before users can start working on a Windows 8.1 device, they first must sign in. Sign-in is mandatory, and by signing in, users prove their identity. Based on the sign-in, users get different permissions and access to data. You can sign in to Windows 8.1 by using a local account, a Microsoft account, or a domain account.
Biometrics. You can authenticate users in all Windows 8.1 editions by using biometrics such as a fingerprint. You also can use biometric authentication when you are signed in already, such as when you want to establish a remote access connection, authenticate in a User Account Control dialog box, access Windows Store apps or their features, or authorize the use of a certificate.
Pervasive device encryption. Windows RT encrypts all locally stored data on a device by default. Windows 8.1 brings device encryption to all editions, but only on hardware that meets the InstantGo (Connected Standby) requirements, including a TPM. On such hardware, encryption starts automatically, and protection is completed only after you sign in with a Microsoft account (the recovery key is backed up to SkyDrive) or join the device to a domain (the recovery key is backed up to AD DS); until then the volume is encrypted with a clear key and offers no protection. The Pro and Enterprise editions add the full BitLocker Drive Encryption feature set, such as additional key protectors and Group Policy management. Windows 8.1 also supports Encrypted Hard Drives, which are drives that are self-encrypting at the hardware level and perform full disk encryption in hardware.
Malware resistance. Windows 8.1 includes Windows Defender, which is an antivirus and antimalware solution. Windows Defender scans for signatures of known malicious software (also called malware), but it also includes network behavior monitoring, which detects unusual and suspicious behavior and stops the execution of unknown malware. Internet Explorer 11 uses Windows Defender to scan downloaded content (for example, ActiveX controls) before potentially harmful content is run.
Assigned access. Assigned access is included in all Windows 8.1 editions and in Windows RT 8.1. By
configuring assigned access, you can enable a single Windows Store app experience on a device. Such
a restricted and locked-down environment was previously known as the kiosk mode, and you can use
assigned access to limit user accounts to a single app that you select. You can sign out of assigned
access by quickly pressing the Windows logo key five times. You can use assigned access only with
standard user accounts.
Remote Business Data Removal. When you access company data from Windows 8.1 and a local copy
of the data is stored on a device, you can configure such data as company data, encrypt it, and then
remotely wipe it if the device is lost or stolen. The Remote Business Data Removal feature can remove
the local copy of company data while user data on the device remains intact. Work Folders support
this feature, and you can implement this in other client apps. If you want to wipe data remotely or
make it inaccessible, the device must be managed by Windows Intune, Configuration Manager, or a
similar product.
Internet Explorer 11. Internet Explorer 11 is included in Windows 8.1 and it provides many
improvements, such as faster webpage loads, side-by-side browsing, enhanced pinned site
notifications, and synchronization of app settings such as favorites and tabs across all your
Windows 8.1 devices. Internet Explorer 11 also uses an antimalware app on your device to scan
downloaded content before it is run.
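An added Windows PowerShell example, not part of the course, that checks three of the features listed above on a Windows 8.1 device and configures the fourth: it reports device encryption or BitLocker status, reports Windows Defender status (signatures and behavior monitoring), and then locks a standard local account to one Windows Store app with assigned access. The kiosk account name and the app are placeholders; an elevated session and a Windows 8.1 device are assumed.

```powershell
# Added example, not part of the course text. Run in an elevated Windows PowerShell session.

# --- 1. Device encryption / BitLocker ---
# The BitLocker module (Get-BitLockerVolume) is present on Pro and Enterprise; on a core-edition
# device that uses device encryption, fall back to manage-bde. ProtectionStatus is what matters:
# "Off" with an encrypted volume means the clear-key state described in the text.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
                      @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ', ' } }
} else {
    manage-bde -status
}

# --- 2. Windows Defender (the Defender module ships with Windows 8.1) ---
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, BehaviorMonitorEnabled,
                  AntivirusSignatureVersion, AntivirusSignatureLastUpdated

# --- 3. Assigned access (kiosk): bind a standard local account to a single Windows Store app ---
$kioskUser = 'KioskUser'            # assumed local standard user; assigned access refuses administrators
$appName   = 'Microsoft.BingWeather' # assumed package; pick one that is installed for the kiosk user

# Create the account only if it does not exist. 'net user <name> * /add' prompts for the password,
# so it is never typed into the command line or stored in the session history.
$exists = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Name='$kioskUser'"
if (-not $exists) {
    net user $kioskUser * /add
}

# Sign in once as the kiosk user before this step so that its profile exists and the app is
# installed for that user; Store apps are installed per user.
$pkg = Get-AppxPackage -Name $appName -ErrorAction SilentlyContinue
if (-not $pkg) { throw "Package $appName is not installed for the current user; adjust `$appName." }

# AppUserModelId = <PackageFamilyName>!<Application Id from the manifest>
$appId = $pkg.PackageFamilyName + '!' +
         (($pkg | Get-AppxPackageManifest).Package.Applications.Application | Select-Object -First 1).Id

Set-AssignedAccess -UserName $kioskUser -AppUserModelId $appId

# Verify which account is bound to which app. To remove the restriction later: Clear-AssignedAccess
Get-AssignedAccess
```

The kiosk account stays a standard user on purpose: assigned access only constrains the shell, so an administrator account in kiosk mode would still expose the elevated rights behind the five-presses-of-the-Windows-key exit described above.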
Remote Business Data Removal
The Remote Business Data Removal feature enables you to selectively wipe data on a device without user interaction. In the past, you could wipe all the data on a managed device and reset it to its initial state. Windows 8.1 can differentiate between company and personal data and can prevent access to company data or wipe it on a device while personal data is left intact. If you want to benefit from the feature, local apps on a Windows 8.1 device must support the Remote Business Data Removal feature, and the device must be managed by Windows Intune or Configuration Manager.
Windows 8.1 includes Work Folders, which can be used with the Remote Business Data Removal feature.
When you use Work Folders, a local copy of the files is stored on the device, and you can configure device
policies to protect the local copy of the files by encrypting them and to require a password on the device.
But in BYOD scenarios, devices can use different form factors, and with an increase in device mobility,
devices can sometimes be lost or stolen. You typically want to remove company data from such devices
and from all other user devices if a user leaves the company.
Note: Work Folders by itself only stores company data safely on a user device by encrypting it; the remote wipe of that data must be initiated from a management product such as Windows Intune or Configuration Manager.
If a user device is lost or stolen, the user can initiate a remote wipe for his or her device from Windows
Intune Company Portal if the device is managed by Windows Intune. An administrator can initiate a
remote wipe for any managed device from the Windows Intune Administrator Console or from the
Configuration Manager console.
For more information, refer to:
Protecting Corporate Data on Mobile Devices by using Configuration Manager and Windows
Intune
http://go.microsoft.com/fwlink/?LinkId=378237&clcid=0x409
For more information about data removal by using Windows Intune, see the following webpage on the Windows Intune Help website.
What Happens if You Remove or Reset a Device Using the Company Portal
http://go.microsoft.com/fwlink/?LinkId=378238&clcid=0x409
Question: Can you use Remote Business Data Removal to wipe company data selectively and
remotely from a lost Windows 8 device that is managed by Windows Intune?
Managing Non-Domain Joined Devices by Using Windows Intune and
Configuration Manager
In a domain environment, you can manage computers centrally by using Group Policies. Managing non-domain joined computers and devices is challenging because they are not listed in AD DS and domain settings do not apply to them. You can manage non-domain joined devices by using different solutions, including Windows Intune and Configuration Manager.
Windows Intune
Windows Intune is a cloud-based system for securing, managing, and monitoring devices that are running Windows and operating systems that are not based on Windows. You can use Windows Intune to manage domain-joined devices and devices that are not domain members. This makes Windows Intune well suited to:
that are not domain members. This makes Windows Intune well suited to:
Manage devices in remote locations that are not part of the domain.
Manage devices that are out of the office for extended periods of time.
Manage devices that are purchased by users but used to access company resources.
Windows Intune does not require any on-premises infrastructure to manage supported devices and only requires Internet connectivity. After you configure a device to be managed by Windows Intune, the device's account is created in Windows Intune, and you can manage that device centrally.
Benefits of Windows Intune
Windows Intune provides several benefits, including:
Updates. Windows Intune ensures that updates are installed on client computers. All updates through
Windows Update are available with Windows Intune, and you also can deploy other, non-Microsoft
updates by using Windows Intune. You can control which updates are approved for installation on
specific computers. You can approve updates manually or create automatic approval rules. These
rules approve updates automatically when they become available, based on the product that they
update and the update classification. You also can review updates that clients require and generate
update reports.
Endpoint Protection. Windows Intune includes Windows Intune Endpoint Protection, which provides real-time protection against malware such as viruses and spyware. Endpoint Protection also can scan files and running programs periodically, mitigate detected threats, and send you notifications. Windows 8.1 includes Windows Defender by default, but Windows Defender cannot be managed centrally; Endpoint Protection replaces it and adds central management.
Software deployment. You can use Windows Intune for deploying software on Windows devices and
devices that are not based on Windows. You can add software by uploading it to Windows Intune,
configuring its properties, and then deploying it to target devices or user groups.
Monitoring and alerting. Windows Intune can monitor client computers and raise an alert when certain criteria are met, such as when the event log is full, free disk space is low, or a Microsoft Office app is using a large amount of memory. Alerts display in the Windows Intune administrator console, and you also can configure them to be sent to a specified email recipient.
Reporting. Windows Intune provides several reports, such as detected software on client computers, client computer inventory, update reports, and reports on a company's use of licenses. You can generate and view reports based on a set of report criteria, such as update classification, update status, device group, or available disk space.
For more information, refer to:
Enable users to work anywhere on the device of their choice
http://go.microsoft.com/fwlink/?LinkId=378239&clcid=0x409
System Center 2012 R2 Configuration Manager
Configuration Manager is an on-premises solution for managing computers and devices. You can use it to
manage domain-joined devices and devices that are not domain members. Configuration Manager
includes Windows Intune connector, which enables you to manage Windows Intune clients in the
Configuration Manager console to provide an integrated solution.
Benefits of System Center 2012 R2 Configuration Manager
Configuration Manager provides many benefits, including:
Deploy applications. You can target applications to users rather than devices, and Configuration Manager determines the best way to deliver that application to the user from a specific device, whether the device is mobile, a remote desktop, or a PC. You can track and monitor application deployment.
Manage Endpoint Protection. Managing Microsoft System Center 2012 R2 Endpoint Protection from
within Configuration Manager allows you to use a single console to manage PCs and devices.
Deploy software updates. Configuration Manager uses the basic infrastructure of Windows
Server Update Services (WSUS) to provide software updates. Without Configuration Manager, WSUS
is limited to distributing software updates from Microsoft. Configuration Manager extends the
capabilities of WSUS to include third-party product updates.
Inventory hardware and software. Configuration Manager includes hardware and software inventory
capabilities. You can use the inventory to identify which PCs in your organization are capable of
running specific software or operating systems.
Track license compliance for software. You can use the Asset Intelligence and software metering
features in Configuration Manager to track license compliance. In Asset Intelligence, you import
licensing information and correlate it with the software inventory. Software metering tracks when
applications are used.
For more information, see System Center 2012 R2 on the Microsoft website.
System Center 2012 R2 Configuration Manager
http://go.microsoft.com/fwlink/?LinkId=378240&clcid=0x409
Question: What must you first do before you can manage a Windows 8.1 device by using
Windows Intune?
Lesson 3
Configuring Workplace Join
When a device is domain-joined, you can access company resources without entering credentials each
time. You can get a similar experience from a device that is enabled for Workplace Join, but without
requiring that it is a domain member. Workplace Join provides an SSO experience when accessing internal
company websites and company apps. Users with domain accounts can implement Workplace Join on
their devices if their company has the appropriate infrastructure in place.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the purpose and benefits of the Workplace Join feature.
• Describe the scenarios for using Workplace Join.
• Describe the components of the Workplace Join feature.
• Explain how to register and enroll devices.
• Enroll devices to the Workplace Join feature.
Overview of Workplace Join
Traditionally, if users want to access data transparently from their devices, the devices must be joined to the domain. If the devices are not domain-joined, users can use them to access company data, but they have to enter their domain credentials each time they want to access company resources. Windows 8.1 introduces the Workplace Join feature, which enables users to access internal company websites and company apps from devices that are enabled for Workplace Join, without entering user credentials each time. Workplace Join also enables administrators to have some control over the devices, such as controlling the web apps that users can access from devices that are enabled for Workplace Join.
The Workplace Join feature is especially useful when users use their own devices to access company data. Many organizations implement BYOD scenarios. If you enable Workplace Join, you can register and enroll your devices in the company network. After you enroll a device, the device is associated with your user account in the company directory, the device object is created in AD DS, and the user certificate is installed on the device. The device object in AD DS establishes a link between the user and the device. Further communication with company resources that support claims-based authentication from a device enabled for Workplace Join includes information about the device and the user. When an app is configured properly, you do not need to enter credentials again. After the device is enabled for Workplace Join, it is used as a second form of authentication. If multiple users use the same device, each user can enable the device for Workplace Join independently. Administrators can configure apps that users can access from a device enabled for Workplace Join without entering credentials, and they can then ensure that company policies and security apply to those devices by configuring a device policy. You should be aware that a company Group Policy applies only to domain-joined devices and not to devices enabled for Workplace Join. If a device enabled for Workplace Join is compromised or a device owner leaves the company, an administrator can remove the device object from the domain, and by doing so, the administrator revokes the device's ability to access domain resources.
For more information, see the following webpage on the Microsoft TechNet website.
Overview: Join to Workplace from Any Device for SSO and Seamless Second Factor
Authentication Across Company Applications
http://go.microsoft.com/fwlink/?LinkId=378241&clcid=0x409
Question: What is the difference in accessing company resources from domain-joined
devices and devices that are enabled for Workplace Join?
Scenarios for Using Workplace Join
Employees use different devices for accessing company data. Many devices are company-owned, and those devices usually are domain-joined. Users also might access company data by using their own devices from inside the company network and over the Internet. The company's IT department can closely monitor and manage domain-joined PCs, but non-domain joined devices can be an issue. Users typically use these devices not only for accessing virtual desktops, but also for running company apps and accessing other company resources. Such environments, which adopt the BYOD scenario, are particularly suitable for the Workplace Join feature. Users can access company resources from devices enabled for Workplace Join with SSO, and administrators can control access to resources and the compliance of local copies of company data on such devices while a device is not domain-joined.
A device that is enabled for the Workplace Join feature is used as a second authentication factor when accessing claims-based company apps. For such apps, administrators can control not only who can access them, but also from which devices they can be accessed, and whether they can be accessed only from the company network or also from the Internet. Devices enabled for Workplace Join trust the company certification authority (CA), which makes it easier to configure them for additional features, such as Work Folders.
Question: Can you enable the Workplace Join feature for a Windows 8 tablet?
Workplace Join Components
Workplace Join enables users to access company resources from their own devices by using SSO and without adding devices to the domain. Workplace Join is a simple process, and any user can perform it, but you first must configure a company's infrastructure to allow Workplace Join. There are several prerequisites that must be in place before you can enable Workplace Join on your devices:
• AD DS environment. Workplace Join requires that you implement a domain environment. At least one domain controller must be running Windows Server 2012 or a newer operating system, and the schema must be extended to the Windows Server 2012 R2 level.
• PKI. The Workplace Join feature requires that a PKI is deployed and properly configured. Devices must trust the CA, which is true by default for domain-joined devices, but requires manual configuration on non-domain joined devices. Certificates must include information on where the list of revoked certificates is available, such as the CRL distribution point (CDP), and where up-to-date certificates for the CA are available, such as authority information access (AIA). Devices must be able to access the certificate revocation list (CRL), delta CRL, and AIA before they can use Workplace Join.
Note: The delta CRL is published in a file whose name includes the plus sign character (+) by default. The Internet Information Services (IIS) web server does not allow access to files with special characters in their names by default, and you must enable double escaping to allow it. You can verify that the CRL, delta CRL, and AIA can be accessed by running Pkiview.msc on the server where Active Directory Certificate Services (AD CS) is installed.
• Active Directory Federation Services (AD FS). A company must set up AD FS before users can use the Workplace Join feature on their devices. AD FS must be configured with an SSL certificate from a trusted CA, and the SSL certificate must have properly configured Subject Name and Subject Alternative Name attributes.
• Device Registration Service. Device Registration Service registers a device in AD DS when you perform Workplace Join. It also provides the certificate to users who enabled their device for Workplace Join.
• A DNS record for the host named Enterpriseregistration. The name Enterpriseregistration is mandatory and cannot be changed. The DNS server must resolve this name to the IP address of the AD FS server, and the AD FS server must use it as one of its Subject Alternative Name attributes in the SSL certificate.
• Web Application Proxy. This is an optional component that is not required when you enable Workplace Join on devices that are connected to the company network. If you want to enable Workplace Join on devices that are not connected to the company network but are connected to the Internet, you must set up Web Application Proxy.
• A supported operating system on the device. The device that you want to enable for Workplace Join must be running a supported operating system. Currently you can enable Workplace Join only on devices that are running Windows 8.1, Windows RT 8.1, and the iOS operating system.
When users enable Workplace Join on their devices, they can access a company's internal web applications and company apps without entering credentials again. To use SSO, administrators must configure claims-based web applications and create a relying party trust between the AD FS server and the web server on which the web application is running.
For more information, see the following Microsoft TechNet website:
Set up the lab environment for AD FS in Windows Server 2012 R2
http://go.microsoft.com/fwlink/?LinkId=378242&clcid=0x409
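The prerequisites above (the Enterpriseregistration DNS name, a trusted AD FS SSL certificate with the right Subject Alternative Name, and reachable CRL, delta CRL and AIA locations) are the things that most often break a Workplace Join on a non-domain joined device, and each can be checked from the device itself. The following script is an added example, not part of the course or of Microsoft's tooling; it assumes the lab UPN suffix adatum.com and that the client can reach the AD FS server or Web Application Proxy on TCP port 443.

```powershell
# Added example (not course code): check the Workplace Join prerequisites from a
# client. Assumes UPN suffix adatum.com and TCP 443 reachability to AD FS.
function Test-WorkplaceJoinPrereq {
    param([Parameter(Mandatory=$true)][string]$UpnSuffix)

    $drsHost = "enterpriseregistration.$UpnSuffix"   # fixed name, cannot be changed
    $result  = [ordered]@{ DnsOk = $false; ChainOk = $false; SanOk = $false; Crl = @() }

    # 1. The mandatory DNS record must resolve to AD FS or to the Web Application Proxy.
    $dns = Resolve-DnsName -Name $drsHost -Type A -ErrorAction SilentlyContinue
    if (-not $dns) { Write-Warning "$drsHost does not resolve"; return [pscustomobject]$result }
    $result.DnsOk = $true

    # 2. Fetch the SSL certificate with a TLS handshake. Validation is skipped here
    #    and done explicitly below so that the reason for a rejection is reported.
    $tcp = New-Object System.Net.Sockets.TcpClient($drsHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
             [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($drsHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Close()

    # 3. Build the chain with online revocation checking: this fails when the company
    #    CA is not in this device's trusted root store or when CRL/AIA cannot be fetched.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $result.ChainOk = $chain.Build($cert)
    if (-not $result.ChainOk) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation.Trim())" }
    }

    # 4. The Subject Alternative Name extension (OID 2.5.29.17) must carry the DRS name.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $result.SanOk = ($san -ne $null) -and ($san.Format($true) -match [regex]::Escape($drsHost))

    # 5. Every CDP (OID 2.5.29.31) and AIA (OID 1.3.6.1.5.5.7.1.1) URL must be reachable.
    #    AD CS publishes the delta CRL as "<name>+.crl"; if the base CRL is reachable
    #    but the "+.crl" URL returns an error, IIS double escaping is usually the cause.
    foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        if (-not $ext) { continue }
        $urls = [regex]::Matches($ext.Format($true), 'https?://[^\s,]+') | ForEach-Object { $_.Value }
        foreach ($u in $urls) {
            $targets = @($u)
            if ($u -match '\.crl$') { $targets += ($u -replace '\.crl$', '+.crl') }
            foreach ($t in $targets) {
                $ok = $false
                try { $ok = (Invoke-WebRequest -Uri $t -UseBasicParsing -TimeoutSec 10).StatusCode -eq 200 } catch { }
                $result.Crl += [pscustomobject]@{ Url = $t; Reachable = $ok }
            }
        }
    }
    [pscustomobject]$result
}

$r = Test-WorkplaceJoinPrereq -UpnSuffix 'adatum.com'
$r | Format-List DnsOk, ChainOk, SanOk
$r.Crl | Format-Table -AutoSize
```

Run it in the user's session on the device before attempting the join. A ChainOk of False together with a chain status of UntrustedRoot points at the missing CA trust on a workgroup device; RevocationStatusUnknown or OfflineRevocation together with an unreachable "+.crl" entry points at the delta CRL and IIS double-escaping issue described in the note above.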
Question: What must you configure on a device before you can enable the Workplace Join
feature on it?
Registering and Enrolling Devices
After all the prerequisites are met, you can enable Workplace Join on a device. Any user with domain credentials can enroll a device, and each device can be enrolled multiple times, once per user who uses that device. If you want to enroll the device, you must perform the following procedure:
1. Click the Settings charm, and then select Change PC settings.
2. On the PC settings page, click Network.
3. On the Network page, click Workplace.
4. On the Workplace page, enter the user ID with which you want to Workplace Join the device. The user ID looks the same as a user's email address and is composed from the user's logon name, the at sign (@), and a domain suffix. Domain administrators refer to the user ID as the user principal name (UPN). When performing a Workplace Join, a computer tries to resolve the Enterpriseregistration.<domain suffix> name, and verifies that the SSL certificate is trusted and that it is still valid.
5. Enter the user's domain credentials. The device can be a workgroup member, but the user must have a domain account to enable Workplace Join on the device.
6. The device is enabled for Workplace Join. The Device Registration Service creates a domain object for the joined device in the RegisteredDevices AD DS container, and the user is provided with a certificate for client authentication.
Note: You must configure a device that you want to Workplace Join with network settings
to resolve company server names. You also must configure the device to trust the company CA.
For more information, see the following Microsoft TechNet website:
Walkthrough Guide: Workplace Join with a Windows Device
http://go.microsoft.com/fwlink/?LinkId=378243&clcid=0x409
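Step 6 of the procedure creates an msDS-Device object in the RegisteredDevices container, and the overview earlier in this lesson notes that removing that object is how an administrator revokes a lost or departed user's device. The following script is an added example, not course code; it runs on a domain controller or a machine with the RSAT ActiveDirectory module, assumes the adatum.com lab domain, and assumes that the msDS-RegisteredOwner attribute carries the owner's SID (the attribute and class names are those of the Windows Server 2012 R2 device registration schema, but the exact data representation is an assumption, so the conversion is written to tolerate either a byte array or a string).

```powershell
# Added example (not course code): inventory and revoke Workplace Join device
# registrations in AD DS. Assumes the ActiveDirectory module and adatum.com.
Import-Module ActiveDirectory

$RegisteredDevices = "CN=RegisteredDevices,$((Get-ADDomain).DistinguishedName)"

function ConvertTo-OwnerName {
    # msDS-RegisteredOwner is assumed to hold the owner's SID; handle byte[] or string.
    param($Raw)
    try {
        $sid = if ($Raw -is [byte[]]) { New-Object System.Security.Principal.SecurityIdentifier($Raw, 0) }
               else { New-Object System.Security.Principal.SecurityIdentifier([string]$Raw) }
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { "$Raw" }
}

function Get-WorkplaceDevice {
    param([string]$Owner)   # optional DOMAIN\user filter
    $props = 'msDS-RegisteredOwner', 'msDS-DeviceID', 'msDS-DeviceOSType',
             'msDS-DeviceOSVersion', 'msDS-ApproximateLastLogonTimeStamp', 'whenCreated'
    Get-ADObject -SearchBase $RegisteredDevices -LDAPFilter '(objectClass=msDS-Device)' -Properties $props |
        ForEach-Object {
            $last = $_.'msDS-ApproximateLastLogonTimeStamp'   # FILETIME if present
            [pscustomobject]@{
                Name       = $_.Name     # GUID; matches the device identifier claim seen in the demo
                Owner      = ConvertTo-OwnerName $_.'msDS-RegisteredOwner'
                OS         = "$($_.'msDS-DeviceOSType') $($_.'msDS-DeviceOSVersion')".Trim()
                Registered = $_.whenCreated
                LastSeen   = if ($last -gt 0) { [DateTime]::FromFileTime($last) } else { $null }
                DN         = $_.DistinguishedName
            }
        } | Where-Object { -not $Owner -or $_.Owner -eq $Owner }
}

function Revoke-WorkplaceDevice {
    # Deleting the device object breaks the user-device link: the certificate on the
    # device no longer yields device claims, so SSO and second-factor use stop.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Name)
    $obj = Get-ADObject -SearchBase $RegisteredDevices -LDAPFilter "(&(objectClass=msDS-Device)(cn=$Name))"
    if (-not $obj) { throw "No msDS-Device named $Name under $RegisteredDevices" }
    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Remove Workplace Join registration')) {
        Remove-ADObject -Identity $obj.DistinguishedName -Confirm:$false
    }
}

# Review what is registered, then (dry run) revoke every device registered by one user.
Get-WorkplaceDevice | Format-Table Name, Owner, OS, Registered, LastSeen -AutoSize
Get-WorkplaceDevice -Owner 'ADATUM\adam' | ForEach-Object { Revoke-WorkplaceDevice -Name $_.Name -WhatIf }
```

Drop -WhatIf to perform the removal. Because each user enrolls independently, revoking one person's registration leaves other users' msDS-Device objects for the same physical device untouched, which is exactly the per-user behaviour the procedure describes.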
Question: What information must you enter when you want to enable the Workplace Join
feature on a device?
Demonstration: Enrolling Devices
In this demonstration, you will see how a user can enable the Workplace Join feature on a Windows 8.1
device. The entire company infrastructure has been set up already. Because the Windows 8.1 device is not
a domain member, you first must configure it to trust the company CA and then perform Workplace Join.
Demonstration Steps
1. On LON-CL4, use Internet Explorer to connect to the company internal web app at the following URL: https://lon-svr2.adatum.com/claimapp. Use Adatum\adam and Pa$$w0rd as the credentials.
2. Close Internet Explorer.
3. Open Internet Explorer, and then navigate to the same URL: https://lon-svr2.adatum.com/claimapp. Verify that you are again asked for your credentials.
4. Close Internet Explorer.
5. On the PC settings page, navigate to Network and then Workplace. Join the device to Workplace as adam@adatum.com by using Pa$$w0rd as his password.
6. On LON-DC1, use Active Directory Users and Computers to verify that the RegisteredDevices container contains an object of type msDS-Device, which represents the LON-CL4 computer that you enabled for Workplace Join. Make note of the name of the msDS-Device object.
7. On LON-CL4, use Internet Explorer to verify that the user has one certificate. This is the certificate that Device Registration Service provided to the user when the device was enabled for Workplace Join. Verify that the GUID is the same as the name of the msDS-Device object from Active Directory Users and Computers.
8. Use Internet Explorer to navigate to the internal web app by entering the following URL: https://lon-svr2.adatum.com/claimapp. Use adatum\adam and Pa$$w0rd as the credentials.
9. Verify that the claim type http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier has the same value as the name of the msDS-Device object from Active Directory Users and Computers.
10. Close Internet Explorer.
11. Use Internet Explorer to navigate to the internal web app by entering the following URL: https://lon-svr2.adatum.com/claimapp. Verify that this time, a webpage opens without asking for credentials. You were not asked for credentials because you accessed it from the device that was enabled for Workplace Join. Close Internet Explorer.
Lesson 4
Configuring Work Folders
Work Folders is a new Windows 8.1 feature that enables users to have their local copy of files in sync with
files on a Windows Server 2012 R2 file server. Users can use Work Folders even if their Windows 8.1 device
is not joined to the domain, and an administrator can configure policy for the local copy of the files. For
example, a local copy can be encrypted, and if a device is lost or an employee has left the company, the
local copy of the data in a Work Folder can be wiped remotely while user data on the device is left intact.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe the features of Work Folders.
• Describe Work Folders components.
• Explain how to configure Work Folders.
• Describe how to integrate Workplace Join and Work Folders.
• Describe how to use GPOs to manage Work Folders.
• Configure Work Folders.
• Explain how to troubleshoot Work Folders.
• Compare Work Folders with other file synchronization technologies.
Overview of Work Folders
Company files traditionally are stored on file servers. This approach has many advantages, such as central access control and auditing, central backup, quotas, reporting, and availability from any domain-joined and network-attached device. However, users also need to access and modify company data when they are not connected to a company network and from non-domain joined devices, because the BYOD scenario is implemented in many environments. There are several solutions that you can use for such scenarios, such as Folder Redirection, Offline Files, and synchronization with SkyDrive or SkyDrive Pro. Windows 8.1 introduces an additional solution, Work Folders, which can be useful in scenarios where users are using multiple devices for accessing company data, they need to synchronize data between the devices, and some of the devices are not domain-joined.
Work Folders allow home and office users to access their individual data, regardless of whether their devices are connected to a company network or whether their devices are domain-joined or not. Work Folders only store users' individual files, and users can access their own Work Folders only. Work Folders data is stored on a traditional file server, but devices also keep a local copy of the user's subfolder in a sync share, which is the user's work folder. Users can access a local copy of their Work Folders even without network connectivity, and any modifications they make are synchronized with their Work Folders on a file server immediately or after connectivity to the file server is restored. Users can access and use Work Folders from various devices, irrespective of their domain membership. Work Folders are currently supported on Windows 8.1 and Windows RT 8.1 devices, but support for Windows 7 and iPad has been announced. If users are using multiple devices that are configured with Work Folders, changes they make on one device are synchronized with their other devices automatically. Because Work Folders content is stored on a file server, you can use all the features that are available on a file server, such as dynamic access control, auditing, quotas, file classification infrastructure, and protecting content with Rights Management Services. You can define a policy for devices that access Work Folders. For example, you can create a policy that requires that the local copy of the Work Folders data is encrypted on a device. You also can use the Remote Business Data Removal feature to prevent access or remotely wipe the local copy of Work Folders data on a device if the device is lost or if the employee leaves the company.
For more information, see the following webpage on the Microsoft TechNet website.
Work Folders Overview
http://go.microsoft.com/fwlink/?LinkId=378244&clcid=0x409
Question: Can you share your Work Folders content with your coworkers?
Work Folders Components
If you want to use Work Folders, several components must be available in your environment:
• Work Folders server. You need a file server that is running Windows Server 2012 R2 to host Work Folders, because previous versions of Windows Server do not support the Work Folders feature. The file server must be joined to an AD DS domain and must have the Work Folders role service installed, which is part of the File and Storage Services role. When you install the role service, an additional access protocol is added and Server Manager is extended. You can use Server Manager to create and manage sync shares, which contain users' Work Folders. You also can use Server Manager to view who can access sync shares, when and from which devices users accessed them, and to perform other tasks, such as setting quotas and managing volumes. Users can access and synchronize their Work Folders by using an HTTPS-encapsulated access protocol. Because synchronization uses HTTPS encryption, the file server must have an installed SSL certificate, and that certificate must be trusted by the devices from which Work Folders are accessed.
• Sync share. A sync share is a unit of synchronization between the Work Folders server and client devices. You can create multiple sync shares on a Work Folders server, and each sync share maps to a physical folder on the file server. For each user who uses Work Folders, a personal subfolder is created inside the sync share, and users can access and synchronize the content of their subfolders only. You can configure who can access a sync share and specify a device policy, such as specifying that the local copy of Work Folders data on client devices must be encrypted. Although users can have permissions to access multiple sync shares, each user can synchronize with only a single sync share. By default, you can access a sync share only by using the Work Folders feature, but an administrator also can create a Server Message Block (SMB) share that uses the same folder as a sync share. If users can access sync share content by using SMB access also, you can view synced content from devices that do not use Work Folders. Because the sync share is stored on a file server, you can use features such as dynamic access control, quotas, and file screening when managing its content.
• User devices. These are the devices from which you can access, modify, and synchronize content that is stored in Work Folders. You can access Work Folders from workgroup devices, devices that are workplace-joined, or from domain member devices. The devices must be running one of the supported operating systems, which currently are Windows 8.1 and Windows RT 8.1. Support for Windows 7 and iPad devices has been announced. Devices also must trust the SSL certificate that the Work Folders server is using. If devices are configured to use Work Folders, changes to local copies of data are detected in real time and synchronized with the server. By default, devices check the Work Folders server every 10 minutes and synchronize changes with local copies of the Work Folders data.
When you configure Work Folders on a device, you establish a Work Folders sync partnership between the device and the file server. During initialization, the data directory, version database, and download staging directory are created on the device. The version database helps to keep the local copy of the data in sync with the data on the file server. On the server side, when a user first synchronizes, similar structures are created. The server Work Folders are provisioned only once per user, while the client side is provisioned for each device on which the user is using Work Folders. When users modify their Work Folders content, the following process takes place:
1. When users modify local Work Folders content, the change is detected on the client in real time, the client device initiates a sync session with the Work Folders server, and then uploads the changes.
2. After the upload is complete, the Work Folders server applies the uploaded changes to the user's Work Folders content. By default, the server is configured so that it can perform all modifications to the user's data. If there is an error, for example, when the server permissions are modified and the server cannot apply the modifications, the user is notified about the problem. If the file is changed on multiple user devices at the same time in the same synchronization cycle, based on the time stamp, the latest version of the file keeps the original file name. The other copies of the file are preserved in the same directory, but their name is extended with the name of the device on which the conflict occurred, and a number is added if there are multiple conflicts for the same file. The Work Folders server keeps 100 conflict files, and after that, Work Folders synchronization stops for the user until the user manually resolves the problem.
3. Synchronization is initiated by the second client device. This can happen for two reasons: data is modified also on the second client device, and the second client device initiates synchronization of those modifications. Alternatively, if there are no local changes, the second device initiates synchronization based on the polling interval, which is 10 minutes by default. The second client downloads changes from the Work Folders server and applies them to the local copy of the data.
When you use Work Folders, you should be aware of the following:
• In this first release of Work Folders, synchronization is limited to one partnership per user per device. If multiple users use the same device, all users can have their own partnership with a sync share on the same or on different Work Folders servers, but the same user cannot create a sync partnership with a second sync share on the same or a different Work Folders server.
• Clients always initiate synchronization. A Work Folders server is passive and only responds to sync requests.
• Clients synchronize only with the Work Folders server. If users are using multiple devices and they are all configured with Work Folders, devices do not synchronize changes between themselves, but only with the server. After one device synchronizes changes with a server, other devices get the changes from the server.
• The system that applies the change, which can be either the user device or the Work Folders server, is responsible for conflict resolution. Conflicts are resolved automatically by renaming the conflicting files with older time stamps.
Question: Can users access multiple Work Folders?
Configuring Work Folders
A server administrator has to create Work Folders on a Windows Server 2012 R2 file server before you can configure and use Work Folders on a Windows 8.1 computer. To create Work Folders on a Windows Server 2012 R2 file server, you must perform the following two steps:
1. Install the Work Folders role service. Before you can configure a file server to host Work Folders, you first must install the Work Folders role service. This is a new role service in Windows Server 2012 R2, and you can install it from Server Manager or by running the following cmdlet:
Install-WindowsFeature FS-SyncShareService
2. Create a sync share for Work Folders. A sync share is the unit of synchronization that can be synchronized with a user device. You can create a sync share by using Server Manager or by using the New-SyncShare cmdlet. A sync share can be an existing SMB share, or you can point it to a new folder. Multiple users can have access to the same sync share, and because of that, you need to specify the naming syntax for the user subfolders, which can be either user_alias or user_alias@domain. The first syntax maintains compatibility with existing user folders that use aliases for their names, while the second syntax eliminates conflicts between identical user aliases in multiple domains in the same AD DS forest. By default, users synchronize their whole Work Folders structure, but you can limit the synchronization to specific subfolders. You also can configure who has permissions to access the sync share and the device policy, in which you define requirements that must be met on a device that will be used for accessing sync shares.
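The two steps above can be scripted end to end. The following is an added example, not course code; it assumes a Windows Server 2012 R2 domain member (LON-DC1 in the adatum.com lab, which the demonstration later in this lesson uses as the Work Folders URL), a data volume D:, and a group ADATUM\WorkFoldersUsers that holds the users allowed to sync. The New-SyncShare parameter names follow the SyncShare module shipped with the role service; the device policy values chosen here (encrypted local copy, password auto-lock) are the ones the text describes.

```powershell
# Added example (not course code): provision a Work Folders server.
# Assumes LON-DC1 (adatum.com), a D: data volume and ADATUM\WorkFoldersUsers.
Import-Module ServerManager

# Step 1: the role service installs the SyncShare module and the HTTPS sync endpoint.
$feature = Install-WindowsFeature -Name FS-SyncShareService
if (-not $feature.Success) { throw 'FS-SyncShareService did not install' }
Import-Module SyncShare

# Step 2: create the sync share on a dedicated folder. Subfolders are named user@domain
# so that identical aliases from different domains in the forest cannot collide.
# Leaving out -InheritParentFolderPermission keeps each user's subfolder private.
$path = 'D:\SyncShares\WorkFolders'
if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

New-SyncShare -Name 'WorkFolders' -Path $path `
              -User 'ADATUM\WorkFoldersUsers' `
              -UserFolderName 'user@domain' `
              -RequireEncryption $true `
              -RequirePasswordAutoLock $true | Out-Null

# Verify the share and its device policy.
Get-SyncShare -Name 'WorkFolders' |
    Format-List Name, Path, User, UserFolderName, RequireEncryption, RequirePasswordAutoLock

# After a user has synced at least once, this shows the last sync time per device;
# the -User format (UPN here) is an assumption, so adjust it if the cmdlet rejects it.
Get-SyncUserStatus -User 'adam@adatum.com' -SyncShare 'WorkFolders' -ErrorAction SilentlyContinue
```

The server still needs a trusted SSL certificate bound to the HTTPS endpoint, as the components topic explains; that binding is a separate step not shown here. Get-SyncUserStatus is the same cmdlet the troubleshooting topic later in this lesson recommends for checking whether a user has ever connected.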
After you configure Work Folders on a Windows Server 2012 R2 file server, you can deploy Work Folders to client devices. Based on the client device type and whether it is domain-joined or not, you have different options for deploying Work Folders:
• Manual. You can configure Work Folders by using the Manage Work Folders option in Control Panel. If the device is a domain member or is workplace-joined, you can enter a user's email address, which is used to automatically discover the Work Folders server where the user's sync shares are located. If the device is a member of a workgroup, you need to enter the Work Folders URL instead, as the user email cannot be resolved.
• Opt-in. You can configure Work Folders settings by using domain-based Group Policy, Windows Intune, or Configuration Manager. But those settings are not mandatory. Users can decide if they want to use those settings and configure Work Folders on the device or not.
• Mandatory. You can use the same three methods, domain-based Group Policy, Windows Intune, or Configuration Manager, to deliver Work Folders settings to a device. However, these settings are mandatory and users cannot modify them. Work Folders are configured transparently on devices without user interaction.
Question: Can you use Group Policy to deploy Work Folders centrally to devices that are not
domain-joined?
Integrating Workplace Join and Work Folders
The Workplace Join feature primarily is targeted at non-domain joined devices, because you already can use SSO from domain-joined devices to access domain resources. If you use the Workplace Join feature on a device, you can get a similar SSO experience when accessing company resources that support claims-based authentication.
The Work Folders feature is targeted at all devices that support Work Folders, regardless of their domain membership and whether they are enabled for Workplace Join or not. You can use the Work Folders feature to synchronize content across all those devices, but one of the requirements is that devices must trust a company CA. Domain-joined devices trust a company CA by default, because the domain-based Group Policy adds the CA public key to the trusted root CA certificate store of all domain computers. But a domain-based Group Policy does not apply to workgroup devices or to devices that are enabled for Workplace Join. Because of that, workgroup devices and devices that are enabled for Workplace Join do not trust a company CA by default. But one of the requirements to enable a device for Workplace Join is that it trusts a company CA. If the device is enabled for Workplace Join, it is a bit easier to set up Work Folders because it already trusts the company CA. However, you can set up Work Folders on a device regardless of whether it is enabled for Workplace Join or not.
Note: Use Windows Intune or Configuration Manager to manage Work Folders centrally on
non-domain computers, regardless of whether they are enabled for Workplace Join or not.
Question: Is it required to enable a device for the Workplace Join feature before you can set
up Work Folders on that device?
Using GPOs to Manage Work Folders
You can deploy Work Folders by using Group Policy. By using Group Policy, you can specify the Work Folders configuration but still allow users to decide if they want to use Work Folders on their devices, because they have to use the Work Folders control panel item to configure Work Folders, as in the opt-in scenario. You also can use Group Policy to make the Work Folders configuration mandatory. This configures devices to use Work Folders transparently and without user interaction, but prevents users from changing the Work Folders configuration or specifying where a local copy of sync share data is stored.
Work Folders-related settings are located in the user and computer parts of Group Policy. In the user part of Group Policy, you can enable Work Folders, specify a Work Folders URL, and force automatic setup of Work Folders. In the computer part of Group Policy, you can force all users of the device to which Group Policy applies to use Work Folders automatically.
Note: If you configure the Work Folder settings in a domain-based Group Policy, those
settings can apply only to the domain-joined devices and to the users who sign in with domain
accounts. Those settings do not apply to devices that are members of a workgroup or are
enabled for Workplace Join. If you need to configure Work Folders automatically on devices that
are not domain members, you should use Windows Intune.
Question: Can you configure Work Folders settings in the user or computer part of Group
Policy?
Demonstration: Configuring Work Folders
In this demonstration, you will see how you can deploy Work Folders on a domain-joined Windows 8.1
device by using Group Policy and how to manually deploy Work Folders on workgroup Windows 8.1
devices.
Demonstration Steps
1. On LON-CL1, sign out, and then sign in as user adatum\adam with Pa$$w0rd.
2. Use File Explorer to create a new text document named On LON-CL1.txt in Work Folders.
3. On LON-CL4, use Work Folders to set up Work Folders. Use the following settings:
o Work Folders URL: https://lon-dc1.adatum.com
o Credentials: adatum\adam with Pa$$w0rd as the password
4. Verify that the file On LON-CL1.txt is available in Work Folders on the LON-CL4 computer.
Troubleshooting Work Folders
Work Folders use a client/server architecture. You
can set up Work Folders and then use them from
any supported device, regardless of its domain
membership. If a device is domain-joined, it
usually is already configured correctly to be able
to use Work Folders. If a device is not a member
of a domain, additional configuration steps must
be taken before you can use Work Folders
successfully.
If there is a problem with accessing and using
Work Folders, you can use several troubleshooting
tools. You first should verify that Work Folders are
available on a Windows Server 2012 R2 file server and that users have synchronization access. You can use
Server Manager to verify the configuration, to determine if users have ever connected to their sync share,
when the last connection was, and from which devices users connected to their sync shares. You also can
use the Get-SyncUserStatus cmdlet on the server to verify all of that information. Based on the problem
that the user has, there are several tools you could use for troubleshooting, including the following:
• Standard networking troubleshooting tools such as Ipconfig.exe, Ping.exe, and Nslookup.exe
• Active Directory Users and Computers
• Server Manager
• File Explorer
• Certificates snap-in
• Event Viewer (WorkFolders logs)
• Windows PowerShell, especially cmdlets from the SyncShare module
Note: Active Directory Users and Computers, Server Manager, and the SyncShare module
for Windows PowerShell are not included in the default Windows 8.1 installation. If you want to
use them on a Windows 8.1 computer, you need to install Remote Server Administration Tools.
The following list explains some of the potential issues and troubleshooting steps that you should be
aware of:
• Network connectivity and name resolution. Before you can configure Work Folders on a device, the
device must be able to connect to a Work Folders server and be configured with a DNS server, which
is used for resolving the Work Folders server URL and user email addresses.
• Users must have a domain account that has synchronization access to a sync share on a Work Folders
server. If users do not have domain accounts or access to the sync share, they will not be able to connect
to Work Folders.
• The device from which users want to use Work Folders must be running a supported operating
system and must be able to comply with the sync share device policy. For example, if the sync share
device policy requires encryption of Work Folders, the device must be able to encrypt the local copy of
the Work Folders content.
• The device must trust the SSL certificate of the Work Folders server. In a domain environment with an
enterprise CA, domain-joined devices trust the enterprise CA by default. If the device is not domain-joined,
you must configure the device manually to trust the Work Folders server SSL certificate.
• Users must have NTFS file system permissions to a sync share. When you create a sync share, users
have appropriate NTFS file system permissions by default. If the NTFS file system permissions are later
modified, it is possible that users can no longer synchronize changes.
• If users change their domain passwords, they need to enter the latest password for accessing Work
Folders on a non-domain joined device.
• If users use multiple devices with Work Folders and modify the content on one device, the modified
content is not immediately synchronized with other devices. Content is synchronized with the server,
but other devices synchronize based on the polling interval, which is 10 minutes by default. You can
decrease the polling interval or manually trigger the synchronization from the device.
• Multiple files with similar names. If the same file is modified on multiple devices before the
synchronization happens, for example when devices do not have connectivity to a Work Folders
server, conflicts will happen during synchronization. Conflicts will be resolved automatically, and there
will be multiple copies of the file with a similar name: the names of the additional copies will be
extended with the device name. You must review the copies manually, merge the changes, and then
decide if additional copies can be removed.
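The checks in the list above can be scripted. The following Windows PowerShell example is added here and is not part of the course; it assumes the lab names (server lon-dc1.adatum.com, sync share Syncshare1, user adatum\adam), that the client-side log is named Microsoft-Windows-WorkFolders/Operational (confirm with Get-WinEvent -ListLog *WorkFolders*), and that the Group Policy value names SyncUrl and AutoProvision come from WorkFolders.admx. Run the first function on the Windows 8.1 device and the second on the file server, or on a client that has Remote Server Administration Tools installed.

```powershell
# Added example (not course code): client- and server-side Work Folders checks.
# Assumptions: lab names below, log name 'Microsoft-Windows-WorkFolders/Operational',
# and policy value names SyncUrl / AutoProvision (from WorkFolders.admx).

function Test-WorkFoldersClient {
    param(
        [Parameter(Mandatory)] [string] $Server,   # host name from the Work Folders URL
        [int] $Port = 443
    )
    $result = [ordered]@{}

    # 1. Name resolution: the URL host (and the e-mail domain, for auto-discovery) must resolve.
    $dns = Resolve-DnsName -Name $Server -ErrorAction SilentlyContinue
    $result.DnsResolves = [bool]$dns
    $result.Addresses   = ($dns | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }) -join ', '

    # 2. Connectivity: Work Folders uses HTTPS, so TCP 443 must be reachable.
    $result.TcpReachable = Test-NetConnection -ComputerName $Server -Port $Port -InformationLevel Quiet

    # 3. Certificate trust: TLS handshake with a callback that records the policy errors
    #    instead of aborting, so the reason for an untrusted chain is visible.
    $script:policyErrors = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] {
                param($sender, $cert, $chain, $errors)
                $script:policyErrors = $errors   # SslPolicyErrors.None means the chain is trusted
                return $true
            })
        $ssl.AuthenticateAsClient($Server)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.CertSubject = $remote.Subject
        $result.CertIssuer  = $remote.Issuer
        $result.CertExpires = $remote.NotAfter
        $result.CertTrusted = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        $result.CertErrors  = "$script:policyErrors"
        $ssl.Dispose(); $tcp.Close()
    } catch {
        $result.CertTrusted = $false
        $result.CertErrors  = $_.Exception.Message
    }

    # 4. Policy pushed by Group Policy to this user (present only on domain-joined devices).
    $pol = Get-ItemProperty -Path 'HKCU:\Software\Policies\Microsoft\Windows\WorkFolders' -ErrorAction SilentlyContinue
    $result.PolicySyncUrl       = $pol.SyncUrl         # assumed value name (WorkFolders.admx)
    $result.PolicyAutoProvision = $pol.AutoProvision   # assumed value name (WorkFolders.admx)

    # 5. Most recent client-side sync events; they name the failing step (auth, TLS, conflict ...).
    $result.RecentEvents = Get-WinEvent -LogName 'Microsoft-Windows-WorkFolders/Operational' `
        -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]$result
}

function Get-WorkFoldersServerStatus {
    param(
        [Parameter(Mandatory)] [string] $User,       # e.g. 'adatum\adam'
        [Parameter(Mandatory)] [string] $SyncShare   # e.g. 'Syncshare1'
    )
    Import-Module SyncShare   # on Windows 8.1 this requires RSAT; on the server it ships with the role

    $share = Get-SyncShare -Name $SyncShare
    "Share path: $($share.Path)  Users: $($share.User -join ', ')"

    # Did the user ever connect, when, and from which devices? (same data Server Manager shows)
    Get-SyncUserStatus -User $User -SyncShare $SyncShare | Format-List *

    # NTFS permissions on the user's folder; a manual change here is a classic cause of sync failures.
    $alias      = ($User -split '\\')[-1]
    $userFolder = Join-Path $share.Path $alias   # assumes the 'user alias' folder structure
    if (Test-Path $userFolder) {
        (Get-Acl $userFolder).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
    } else {
        "No folder for $alias under $($share.Path) yet: the user has never synced."
    }
}

# Usage with the lab's constructed values:
# Test-WorkFoldersClient -Server lon-dc1.adatum.com
# Get-WorkFoldersServerStatus -User 'adatum\adam' -SyncShare Syncshare1
```

The callback in step 3 deliberately returns $true so that the handshake completes and the server certificate can be inspected even when the chain is untrusted; the recorded SslPolicyErrors value tells you whether the fix is to import the CA certificate (RemoteCertificateChainErrors) or to correct the URL or certificate subject (RemoteCertificateNameMismatch).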
Question: Can you use the Work Folders Windows PowerShell cmdlets or Server Manager on
Windows 8.1 by default?
Comparing Work Folders with Other File Synchronization Technologies
Before implementing Work Folders, you should be
aware that there are other file synchronization
technologies available. You should be familiar
with their features and then decide which file
synchronization technology is most appropriate
for your environment. Some of them require that
the device is domain-joined, that additional
servers are deployed, or that files that synchronize
are used by a single user, while others can be used
on any Windows 8.1 device. File Synchronization
solutions that are provided by Microsoft include
SkyDrive, SkyDrive Pro, Work Folders and Folder
Redirection with Offline files.
If you want a solution for synchronizing data that is used for collaboration and is shared between team
members, you should consider SkyDrive Pro. SkyDrive Pro is available as part of Microsoft SharePoint
Server 2013 and Microsoft SharePoint Online, and you can access it if your company uses on-premises
SharePoint or if SharePoint is available as part of a Microsoft Office 365 subscription. You should be
aware that depending on what the company is using, shared data is hosted either in the company data
center or in the cloud. You also should note that SkyDrive Pro support is not included in Windows 8.1. You
can deploy it as part of Microsoft Office 2013 or as a separate SkyDrive Pro client. You can access SkyDrive
Pro from PCs and Windows Phone devices.
Other file synchronization technologies are intended for single-user access, although files that you store
on SkyDrive often are shared with others. Work Folders and Folder Redirection store data on servers in a
company data center. However, Work Folders require that the servers that store data are running Windows
Server 2012 R2, while folders can be redirected to a file server irrespective of the Windows Server version it
is running. Windows 8.1 includes support for both technologies, but Folder Redirection can be used only
on domain-joined devices. Work Folders are available regardless of whether the device is joined to the
domain or not. Work Folders can be used on Windows 8.1, Windows 8, Windows 7, and iPad devices,
while Folder Redirection is available on Windows XP and newer domain-joined computers.
SkyDrive is a publicly available cloud storage service. Data that you save on SkyDrive is stored in the
public cloud, and you do not need any local server infrastructure; you only need Internet connectivity.
SkyDrive support is integrated in Windows 8.1, and you can access SkyDrive from various devices
regardless of their operating system and domain membership. SkyDrive is intended for personal data.
For more information, see the link on the Microsoft TechNet website
Work Folders Compared to Other Sync Technologies
http://go.microsoft.com/fwlink/?LinkId=378244&clcid=0x409
Question: A user has three Windows 8.1 devices and needs to keep files synchronized
among all three devices. Two devices are domain-joined Windows 8.1 computers, and the
user also has a Windows 8.1 tablet, which is enabled for Workplace Join. The user's company
has deployed two Windows Server 2012 R2 file servers. Which synchronization technology
should the user use?
Lab: Configuring Resource Access for Non-Domain Joined
Devices
Scenario
A. Datum Corporation uses an AD DS environment, and all users access company data by using company
owned computers. Many users bring their own devices to work and would like to access company data
from them. These users complain that they must enter their credentials every time they access company
resources. Users with their own tablets complain that when they copy data locally, it is challenging to keep
it synchronized with files on the company's file servers. IT administrators complain that they do not have
an overview of user devices that are used for accessing company data, and that they cannot enforce
company security policies on data that is stored locally on such devices. A few weeks ago, a security
incident occurred because one of the managers lost his tablet, which contained confidential company
files.
Objectives
After completing this lab, you will be able to:
• Implement Workplace Join.
• Configure Work Folders.
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-SVR1, 20687C-LON-SVR2, 20687C-LON-CL1,
20687C-LON-CL4
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20687C-LON-SVR1, 20687C-LON-SVR2, and 20687C-LON-CL1
6. Repeat steps 2 and 3 for 20687C-LON-CL4. Do not sign in until directed to do so.
Exercise 1: Implementing Workplace Join
Scenario
The IT department has decided that it will enable Workplace Join for the company. It has set up the
required infrastructure, and you have been asked to test the Workplace Join feature in Windows 8.1. You
decided to use your own Windows 8.1 device to perform the Workplace Join, and also to test if you can
use the internal company website by providing credentials only once to use SSO functionality.
The main tasks for this exercise are as follows:
1. Verify Workplace Join prerequisites.
2. Workplace Join a Windows 8.1 computer.
3. Explore Workplace Join effects.
Task 1: Verify Workplace Join prerequisites
1. On LON-DC1, configure Active Directory Users and Computers to show Advanced Features.
2. Verify that user Adam Barr is in the Marketing OU and that his User logon name is
Adam@Adatum.com.
3. Verify that the RegisteredDevices container is empty.
4. Use Pkiview.msc to verify that the status of all locations is OK and that AIA Location #2, CDP Location
#2, and DeltaCRL Location #2 are accessible over the http protocol.
Note: CDP Location and Delta CRL Location have a short validity period, and their status
could be shown as Expiring. You can ignore their value in the Status column.
5. Use DNS Manager to verify that Adatum.com zone has an Enterpriseregistration CNAME record that
points to LON-SVR1.adatum.com.
6. On LON-SVR1, use AD FS Management to verify that the Enable device authentication check box is
selected and that the Service communications certificate has following attributes:
o Subject Alternative Name: DNS Name=LON-SVR1.adatum.com, DNS
Name=Enterpriseregistration.adatum.com
o CRL Distribution Points: One of the URLs is accessible over http protocol.
o Authority Information Access: One of the URLs is accessible over http protocol.
Task 2: Workplace Join a Windows 8.1 computer
1. On LON-CL4, sign in as Admin with the password of Pa$$w0rd.
2. On LON-CL4, use nslookup command to verify that it can resolve
enterpriseregistration.adatum.com name.
3. Connect to \\LON-DC1\certificate as user adatum\adam with Pa$$w0rd.
4. Install the Root-CA certificate in the Trusted Root Certification Authorities certificates store.
5. Use Internet Explorer to connect to the internal company web app with the following URL:
https://LON-SVR2.adatum.com/claimapp. Use adatum\adam with Pa$$w0rd as the credentials.
6. Verify that no Claim Type starts with http://schemas.microsoft.com/2012/01/devicecontext, and then
close Internet Explorer.
7. Open Internet Explorer, and then navigate to the same URL: https://LON-SVR2.adatum.com
/claimapp. Verify that you are again asked for your credentials. Close Internet Explorer.
8. On the PC settings page, navigate to Network and then Workplace. Join the device to Workplace
as adam@adatum.com, by using adam@adatum.com with Pa$$w0rd as the credentials.
Task 3: Explore Workplace Join effects
1. On LON-DC1, use Active Directory Users and Computers to verify that the RegisteredDevices
container contains an object of type msDS-Device, which represents the LON-CL4 computer that you
enabled for Workplace Join. Make note of the name of the msDS-Device object.
2. On LON-CL4, use Internet Explorer to verify that the user has one certificate. This is the certificate that
Device Registration Service provided to the user when device was enabled for Workplace Join. Verify
that the GUID is the same as the name of the msDS-Device object from Active Directory Users and
Computers.
3. Use Internet Explorer to navigate to the internal web app by entering following URL:
https://LON-SVR2.adatum.com/claimapp. Use adatum\adam with Pa$$w0rd as the credentials.
4. Verify that Claim Type http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier
has the same value as the name of the msDS-Device object from Active Directory Users and
Computers.
5. Close Internet Explorer.
6. Use Internet Explorer to navigate to an internal web app by entering following URL:
https://LON-SVR2.adatum.com/claimapp. Verify that this time, a webpage opens without asking
you for credentials. You were not asked for credentials because you accessed it from the device that
was enabled for Workplace Join.
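The prerequisite checks in Task 1 and the verification in Task 3 can also be done from Windows PowerShell. The following example is added here and is not part of the course; it assumes the lab names (domain adatum.com, AD FS on LON-SVR1, user adam) and that the certificate the Device Registration Service issues to the user has the issuer name CN=MS-Organization-Access with the device GUID as its subject CN (confirm on LON-CL4 with Get-ChildItem Cert:\CurrentUser\My). Run Test-WorkplaceJoinPrereq on LON-DC1, Test-AdfsDrsCertificate on LON-SVR1, and Get-RegisteredDeviceMatch on the joined client.

```powershell
# Added example (not course code): Workplace Join prerequisite and effect checks.
# Assumptions: domain adatum.com, AD FS on LON-SVR1, DRS-issued certificate issuer
# 'CN=MS-Organization-Access' with the device GUID as subject CN.

function Test-WorkplaceJoinPrereq {
    param([string] $Domain = 'adatum.com', [string] $User = 'adam')
    Import-Module ActiveDirectory

    # DNS: clients locate the Device Registration Service via the enterpriseregistration alias.
    $cname = Resolve-DnsName -Name "enterpriseregistration.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    "enterpriseregistration.$Domain -> $($cname.NameHost)"

    # The UPN suffix must be one the federation service answers for (adam@adatum.com in the lab).
    Get-ADUser -Identity $User -Properties UserPrincipalName | Select-Object SamAccountName, UserPrincipalName

    # Before any join, the RegisteredDevices container holds no msDS-Device objects.
    $domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
    $devices  = Get-ADObject -SearchBase "CN=RegisteredDevices,$domainDN" -SearchScope OneLevel `
                             -Filter 'objectClass -eq "msDS-Device"' -ErrorAction SilentlyContinue
    "Registered devices: $(@($devices).Count)"
}

function Test-AdfsDrsCertificate {
    # Run on the AD FS server. Verifies device authentication is on and that the service
    # communications certificate carries the DRS name in its SAN and publishes at least one
    # http:// URL in CDP and AIA; workgroup clients cannot follow LDAP locations.
    Import-Module ADFS
    Get-AdfsDeviceRegistration | Format-List *

    $cert = (Get-AdfsCertificate -CertificateType Service-Communications).Certificate
    $checks = @{ '2.5.29.17'         = 'enterpriseregistration'   # Subject Alternative Name
                 '2.5.29.31'         = 'http://'                  # CRL Distribution Points
                 '1.3.6.1.5.5.7.1.1' = 'http://' }                # Authority Information Access
    foreach ($oid in $checks.Keys) {
        $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
        $text = if ($ext) { $ext.Format($true) } else { '<missing>' }
        [pscustomobject]@{
            Extension = (New-Object System.Security.Cryptography.Oid $oid).FriendlyName
            Expect    = $checks[$oid]
            Ok        = ($text -match [regex]::Escape($checks[$oid]))
            Value     = $text
        }
    }
}

function Get-RegisteredDeviceMatch {
    param([string] $Domain = 'adatum.com')
    # Run on the client after the join. The subject CN of the DRS-issued certificate is the
    # device GUID, which is also the name of the msDS-Device object and the value of the
    # devicecontext/claims/identifier claim the web app shows.
    $devCert = Get-ChildItem Cert:\CurrentUser\My |
               Where-Object { $_.Issuer -like 'CN=MS-Organization-Access*' } |   # assumed issuer name
               Select-Object -First 1
    if (-not $devCert) { return 'No device certificate found; this device is not Workplace Joined.' }
    $guid = (($devCert.Subject -replace '^CN=', '') -split ',')[0]

    Import-Module ActiveDirectory   # needs RSAT on the client; otherwise run this lookup on LON-DC1
    $domainDN = (Get-ADDomain -Identity $Domain).DistinguishedName
    $adObj = Get-ADObject -SearchBase "CN=RegisteredDevices,$domainDN" -Filter "Name -eq '$guid'"
    [pscustomobject]@{
        CertificateSubject = $devCert.Subject
        CertificateExpires = $devCert.NotAfter
        DeviceGuid         = $guid
        FoundInAD          = [bool]$adObj
    }
}
```

A FoundInAD value of $false after a join usually means the client registered against a different forest or the device object was removed; a $true value with a failed SSO test points at the relying party configuration rather than at the device.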

Results: After completing this exercise, you should have successfully implemented and tested the
Workplace Join feature.
Exercise 2: Configuring Work Folders
Scenario
Users currently are using Offline Files to keep local copies of data in sync with data on a file server. But
many users are using devices that are not domain-joined, and they complain that they cannot use Offline
Files. The IT department is considering implementing Work Folders, but it must confirm that users with
non-domain devices will be able to use it, and that Work Folders will be configured automatically on
domain-joined devices. You were asked to implement a proof-of-concept deployment of Work Folders,
and based on the results, the IT department will decide if Work Folders meet the companys needs.
The main tasks for this exercise are as follows:
1. Install the Work Folders feature and create a sync share.
2. Bind an SSL certificate for Work Folders.
3. Configure Group Policy to deploy Work Folders.
4. Deploy Work Folders on a non-domain device.
5. Use Work Folders to synchronize files.
Task 1: Install the Work Folders feature and create a sync share
1. On LON-DC1, install the FS-SyncShareService feature by using the Install-WindowsFeature cmdlet.
2. Use Server Manager to create New Sync Share. Use following data:
o Local path: C:\syncshare1
o Structure for user folders: User alias
o Grant sync access to groups: Marketing
o Device policies: No policy is selected
3. Use Server Manager to verify that Syncshare1 is listed in the WORK FOLDERS section and that user
Adam Barr is listed in the USERS section.
Task 2: Bind an SSL certificate for Work Folders
1. On LON-DC1, use Internet Information Services (IIS) Manager to add an https site binding to the
Default Web Site. Use the LON-DC1.adatum.com certificate as the Secure Sockets Layer (SSL) certificate.
Task 3: Configure Group Policy to deploy Work Folders
1. On LON-DC1, use Group Policy Management to create and link a Group Policy named Deploy Work
Folders to the Marketing OU.
2. In the Deploy Work Folders Group Policy, under User Configuration\Policies
\Administrative Templates\Windows Components\Work Folders, enable the Specify Work
Folder settings setting, configure it with https://lon-dc1.adatum.com as Work Folders URL, and
then select the Force automatic setup check box.
3. On LON-CL1, sign out, and then sign in as adatum\adam with Pa$$w0rd.
4. Use File Explorer to create a New Text Document named On LON-CL1.txt in Work Folders.
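The server-side part of this exercise (Tasks 1 to 3) and the Group Policy settings described earlier in "Using GPOs to Manage Work Folders" can be performed with one Windows PowerShell script on LON-DC1. The following example is added here and is not the course's own code; it assumes the lab values (sync share Syncshare1 at C:\syncshare1, group Adatum\Marketing, an existing certificate for lon-dc1.adatum.com in the computer's Personal store, the OU Marketing under adatum.com), that New-SyncShare's user-folder naming parameter is -UserFolderName (check with Get-Help New-SyncShare), and that the policy writes the registry values SyncUrl and AutoProvision under Software\Policies\Microsoft\Windows\WorkFolders as defined in WorkFolders.admx.

```powershell
# Added example (not course code): Exercise 2, Tasks 1 to 3, on LON-DC1.
# Assumptions: lab values below, New-SyncShare -UserFolderName, and the registry value
# names SyncUrl / AutoProvision from WorkFolders.admx (verify against your copy).
#Requires -RunAsAdministrator
param(
    [string] $ShareName  = 'Syncshare1',
    [string] $SharePath  = 'C:\syncshare1',
    [string] $SyncGroup  = 'Adatum\Marketing',
    [string] $ServerFqdn = 'lon-dc1.adatum.com',
    [string] $GpoName    = 'Deploy Work Folders',
    [string] $TargetOu   = 'OU=Marketing,DC=adatum,DC=com'
)

# Task 1: role service and sync share. New-SyncShare also grants the group the NTFS
# permissions the clients need; do not edit those permissions by hand afterwards.
Install-WindowsFeature -Name FS-SyncShareService -IncludeManagementTools
Import-Module SyncShare
if (-not (Get-SyncShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SyncShare -Name $ShareName -Path $SharePath -User $SyncGroup `
        -UserFolderName '%username%'          # 'User alias' structure; assumed parameter name
}
# The lab selects no device policy. For the lost-tablet incident in the scenario you would
# instead require encryption and a lock screen on every device that syncs:
#   Set-SyncShare -Name $ShareName -RequireEncryption $true -RequirePasswordAutoLock $true

# Task 2: https binding on the Default Web Site, tied to the server certificate.
Import-Module WebAdministration
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$ServerFqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $ServerFqdn in Cert:\LocalMachine\My" }
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# Task 3: user-side policy. An HKCU key in Set-GPRegistryValue lands in User Configuration;
# SyncUrl is the "Specify Work Folders settings" URL and AutoProvision=1 is its
# "Force automatic setup" check box.
Import-Module GroupPolicy
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu | Out-Null }

$key = 'HKCU\Software\Policies\Microsoft\Windows\WorkFolders'
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'SyncUrl'       -Type String -Value "https://$ServerFqdn" | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'AutoProvision' -Type DWord  -Value 1 | Out-Null
# To force Work Folders for every user of a computer instead (the computer-side policy from
# the lesson), write the same AutoProvision value under HKLM\...\WorkFolders.

Get-GPRegistryValue -Name $GpoName -Key $key | Select-Object ValueName, Type, Value
```

Because the GPO is linked to the Marketing OU and configured in User Configuration, it applies only to users in that OU signing in on domain-joined devices; LON-CL4 in Task 4 is a workgroup device and is set up manually, exactly as the note in the lesson states.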
Task 4: Deploy Work Folders on a non-domain device
1. On LON-CL4, use Work Folders to Set up Work Folders. Use following settings:
o Work Folders URL: https://lon-dc1.adatum.com
o Credentials: adatum\adam with Pa$$w0rd as the password
2. Verify that file On LON-CL1.txt is available in Work Folders on the LON-CL4 computer.
Task 5: Use Work Folders to synchronize files
1. On LON-CL4, use File Explorer to create a New Text Document named On LON-CL4.txt in
Work Folders.
2. On LON-CL1, verify that only the On LON-CL1.txt file is displayed in Work Folders.
Note: Work Folders synchronizes every 10 minutes automatically. You also have the option to manually
trigger synchronization.
3. Use File Explorer to Sync the Work Folders on LON-CL1.
4. Use File Explorer to verify that both files, On LON-CL1.txt and On LON-CL4.txt, are displayed in Work
Folders.
5. Disable the Ethernet network connection by using Administrator and Pa$$w0rd as the credentials.
6. Modify the file On LON-CL1.txt in Work Folders by adding following content: Modified offline.
7. Create a New Text Document named Offline LON-CL1.txt in Work Folders.
8. On LON-CL4, modify the file On LON-CL1.txt in Work Folders by adding the following content:
Online modification.
9. On LON-CL1, enable the Ethernet network connection. Use Administrator and Pa$$w0rd as the
credentials.
10. On LON-CL1, verify that four files are displayed in Work Folders, including On LON-CL1.txt and On
LON-CL1-LON-CL1.txt. Because the file was modified at two locations, a conflict occurred and one of
the copies was renamed.

Results: After completing this exercise, you should have successfully configured the Work Folders feature.
To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-SVR1, 20687C-LON-SVR2, 20687C-LON-CL1, and
20687C-LON-CL4.
Module Review and Takeaways
Review Questions
Question: Do you need to grant domain users additional permissions to enable Workplace
Join on their devices?
Question: Can you access Work Folders content on a computer without network
connectivity?
Module 8
Implementing Network Security
Contents:
Module Overview 8-1
Lesson 1: Overview of Threats to Network Security 8-2
Lesson 2: Configuring Windows Firewall 8-8
Lab A: Configuring Inbound and Outbound Firewall Rules 8-17
Lesson 3: Securing Network Traffic by Using IPsec 8-20
Lab B: Configuring IPsec Rules 8-28
Lesson 4: Guarding Windows 8.1 Against Malware 8-30
Lab C: Configuring Malware Protection 8-33
Module Review and Takeaways 8-35

Module Overview
When computers are connected to a network, they are exposed to potential security threats. You need to
formulate a strategy to protect your computers. User policies, antivirus software, encrypted network
traffic, and other protective measures work together to help shield your Windows 8.1 computers from
security threats. It also is important to identify possible threats and to optimize appropriate Windows-based
network security features, such as Windows Firewall and Windows Defender, to help eliminate
them.
Objectives
After completing this module, you will be able to:
• Describe the threats to network security.
• Configure Windows Firewall.
• Secure network traffic by using Internet Protocol security (IPsec).
• Guard Windows 8.1 against malware.
Lesson 1
Overview of Threats to Network Security
Security is an integral part of any computer network, and you must consider it from many perspectives.
You must understand the nature of network-based security threats and be able to implement appropriate
security measures to mitigate these threats. In this lesson, you will learn about some of the network
security threats and the defense-in-depth strategy that helps you lessen your vulnerability to them. Finally,
you will learn about ways to mitigate the various network security threats that are discussed.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe defense-in-depth.
• Identify common network security threats.
• Describe options for mitigation of network security threats.
What Is Defense-in-Depth?
You can mitigate risks to your computer network
by providing security at different infrastructure
layers. The term defense-in-depth typically
describes the use of multiple security technologies
at different points throughout your organization.
Policies, Procedures, and Awareness
Physical security measures must complement
organizational policies regarding security best
practices. For example, enforcing a strong user
password policy is not helpful if users write their
passwords down on sticky notes and then attach
those notes to their computer screens. When you
establish a security foundation for your organization's network, it is a good idea to start by creating
appropriate policies and procedures, and make users aware of them. Then, you might progress to the
other aspects of the defense-in-depth model.
Even when you implement policies to prevent security problems, users can circumvent them, either by
plan or inadvertently. Some ways that users can compromise policies and procedures include:
• Users are unaware of the policies. When users are unaware of policies, you cannot expect them to
follow them.
• Users view the policies as unnecessary. If you do not adequately communicate the reasons for
policies, some users will think of them as unnecessary.
• Social engineering. Users and computer administrators are vulnerable to social engineering, where
hackers manipulate them into violating policies or revealing sensitive data. An example of this is when
you receive an email that appears to be from your bank, asking you to update your account
information by following a link in the email that resolves to a website that does not belong to your
actual banking system.
Mitigation
You should consider taking the following actions to mitigate these threats:
• Create specific policies that help prevent social engineering.
• Educate users on policies and their relevance.
• Implement compliance monitoring.
Physical Security
With respect to securing computer systems, enterprise administrators commonly overlook physical
security. If any unauthorized person can gain physical access to a computer, then most other security
measures are of little consequence. Make sure that computers that contain the most sensitive data, such
as servers, are physically secure.
In general, anyone who has physical access to computer systems can:
• Damage systems. This can be as simple as storing a server next to a desk, where a user might
accidentally bump into it or spill a drink on it.
• Install unauthorized software on systems. Hackers can use unauthorized software to attack systems.
For example, there are tools available to reset the administrator password on a Windows-based
workstation or member server.
• Steal hardware. Hackers can steal laptops if you do not ensure that users secure them. They even can
steal servers, which often include extremely sensitive data and intellectual property, if you do not
secure them properly.
Mitigation
You should consider taking the following actions to mitigate these threats:
• Restrict physical access by locking doors.
• Monitor server room access.
• Install fire suppression equipment.
Perimeter
No organization is an isolated enterprise. Organizations operate within a global community, and network
resources must be available to service that global community. Perimeter layer security refers to the
connectivity between your network and other untrusted networks. This might include building a website
to describe your organization's services or making internal services such as web conferencing and email
accessible externally, so that users can work from home or from satellite offices.
Perimeter networks mark the boundary between public and private networks. By providing specialized
servers such as reverse proxy servers in your perimeter network, you can provide corporate services across
a public network in a more secure manner.
Note: You can use a reverse proxy server to publish services such as email or web services
from a corporate intranet without placing email or Web servers in the perimeter.
You also need to consider the following access issues:
• Remote access client. Though you can control the conditions under which they can connect, these
client computers access your network from a remote location over which you have little or no control.
Because of this, these types of clients have access to more data than a typical Internet client that
connects to a webpage.
• Business partners. You do not control the networks of business partners, which means that you
cannot ensure that they have appropriate security controls in place. Therefore, if a business partner is
compromised, the network links between your organization and that partner pose a risk.
Mitigation
You should consider taking the following actions to mitigate these threats:
• Implement firewalls at network boundaries.
• Implement network address translation (NAT).
• Use virtual private networks (VPNs) and implement encryption.
Internal Networks
As soon as you connect computers to a network, they are susceptible to a number of threats. Internal
network layer security refers to services and processes on your internally controlled network, including
LANs and wide area networks (WANs). The latter includes Multiprotocol Label Switching (MPLS) circuits, where you
control all aspects of the network.
Security threats to an internal network include eavesdropping, spoofing, denial-of-service (DoS) attacks,
and replay attacks. This is especially relevant when communication occurs over public networks because
users are working from home, remote offices, or other locations, such as coffee shops.
Mitigation
You should consider taking the following actions to mitigate these threats:
• Segment your network.
• Implement IPsec.
• Implement a network-based intrusion-detection system.
Host
The host layer refers to a network's individual computers. This includes the operating system, but not
application software. Host-layer security covers operating system services such as a web server, and
attackers can compromise it through:
• Operating system vulnerabilities. An operating system is complex. Consequently, there are
vulnerabilities that hackers often can exploit. Attackers can use these vulnerabilities to install malware
(malicious software) or to control hosts.
• Default operating system configurations. Operating systems and their services include default
configurations. In some cases, the default configuration might not include a password or might
include sample files with vulnerabilities. Attackers use their knowledge of default configurations to
compromise systems.
• Viruses that attack hosts. A virus uses operating system flaws or default configurations to infect a host
and replicate itself.
Mitigation
You should consider taking the following actions to mitigate these threats:
• Harden operating systems.
• Implement a host-based intrusion-detection system.
• Use host-based antivirus, antimalware, and antispyware software, such as Windows Defender.
Application
The application layer refers to apps that run on hosts. This includes additional services such as mail servers,
and desktop apps such as the Microsoft Office system. The risks to apps are similar to the risks that hosts
face, which can include:
• App vulnerabilities. Apps are complex programs that are likely to have vulnerabilities. Attackers can
use these vulnerabilities to install malicious apps or remotely control a computer.
• Default app configurations. Apps such as databases might have a default password or no password at
all. Not securing the default configuration simplifies the work of attackers who attempt to access a
system.
• Viruses that users introduce. In some cases, users introduce viruses by their actions rather than by
flaws. In other cases, an app actually is a Trojan horse that contains malicious code embedded in what
appears to be a useful app.
Mitigation
You should consider taking the following actions to mitigate these threats:
• Run apps at the lowest level of permissions possible.
• Install Microsoft and third-party app security updates.
• Enable only required features and functionality for operating systems and apps.
Data
The final layer of security is the data security layer. This includes data files, app files, databases, and Active
Directory Domain Services (AD DS). When your data layer becomes compromised, it can result in:
• Unauthorized access to data files. Unauthorized access to data files might result in unauthorized users
reading data, such as users inadvertently viewing salaries for other staff members. It also might result
in data modification, which could cause it to be inaccurate.
• Unauthorized access to AD DS. Hackers could reset user passwords and then attack your network by
using the new passwords.
• Modification of app files. When app files are modified, they might perform unwanted tasks such as
data replication over the Internet, where an attacker can access it.
Mitigation
You should consider taking the following actions to mitigate these threats:
• Implement and configure suitable NTFS file system permissions.
• Implement encryption.
• Implement rights management.
Common Network Security Threats
There are a variety of network security threats that fall into many categories. Common network-based security threats include:
Eavesdropping. An eavesdropping attack occurs when a hacker captures network packets that workstations connected to your network send and receive. Eavesdropping attacks might result in the compromise of sensitive data such as passwords, which can lead to other, more damaging attacks.
Note: Eavesdropping also is known as network sniffing.
DoS attack. This type of attack limits the function of a network app, or it makes the app or network resource unavailable. Hackers can initiate a DoS attack in several ways and often are aware of vulnerabilities in the target app that they can exploit to render it unavailable. DoS attacks often are performed by overloading a service that replies to network requests, such as Domain Name System (DNS), with a large number of fake requests in an attempt to overload and shut down the service or the server that hosts it.
Note: Hacking is a generic term that refers to the act of trying to crack a computer
program or code. When talking about network security, hacking is an important topic because
hackers will hack your network to attack it, your extended user base, or your cache of apps and
sensitive intellectual property.
Port scanning. Apps that run on a computer using the TCP/IP protocol use Transmission Control
Protocol (TCP) or User Datagram Protocol (UDP) ports to identify themselves. One way that attackers
exploit a network is to query hosts for the ports on which they listen for client requests. These ports
are said to be open. Once attackers identify an open port, they can use other attack techniques to
access a network.
Man-in-the-middle (MITM) attack. The network attacker uses a computer to impersonate a legitimate
host on the network with which your computers are communicating. The attacker intercepts all of the
communications intended for a destination host. The attacker might wish to view the data in transit
between the two hosts, but also can modify the data in transit before forwarding the packets to the
destination host.
Options for Mitigation of Network Security Threats
Attackers look for access into your network by using a variety of tools and techniques. Once they have found a way in, however minor and apparently innocuous, they can exploit that success and take the attack further. For this reason, it is important to implement a comprehensive approach to network security to ensure that one loophole or omission does not result in another.
You can use any or all of the following defense mechanisms to protect your network from malicious attacks:
IPsec. IPsec provides a way to authenticate IP-based communications between two hosts and, where
desirable, encrypt that network traffic.
Firewalls. Firewalls allow or block network traffic based on the type of traffic.
Perimeter networks. A perimeter network is an isolated area on your network to and from which you
can define network traffic flow. When you need to make network services available on the Internet, it
is not advisable to connect hosting servers directly to the Internet. By placing these servers in a
perimeter network, you can make them available to Internet users without letting those users gain
access to your corporate intranet.
VPNs. When users must connect to an organization's intranet from the Internet, it is important that they do so as securely as possible. The Internet is a public network, and data in transit across the Internet is susceptible to eavesdropping or MITM attacks. By using VPNs, you can authenticate and encrypt connections between remote users and your organization's intranet, thereby mitigating risk.
Server hardening. By only running the services that you need, you can make servers inherently more secure. To determine what services you require, you must establish a baseline of security among your servers. It is sometimes difficult to determine precisely which Windows Server services you need to support the functionality that you or your enterprise requires. Therefore, you can use tools such as the Security Configuration Wizard or the Microsoft Baseline Security Analyzer to help you.
Intrusion detection. Although it is important to implement the preceding techniques to secure your
network, it also is sensible to monitor your network regularly for signs of attack. You can use
intrusion-detection systems to do this by implementing them on devices at the perimeter, such as
Internet-facing routers.
Domain Name System Security Extensions (DNSSEC). DNSSEC provides the ability for DNS servers and
resolvers to trust DNS responses by using digital signatures for validation. All signatures generated
are contained within the DNS zone itself in the new resource records. When a resolver issues a query
for a name, the accompanying digital signature is returned in the response. Validation of the
signature then is performed through the use of a preconfigured trust anchor. Successful validation
proves that no data modification or tampering has occurred.
Lesson 2
Configuring Windows Firewall
Windows Firewall provides built-in functionality that you can use to protect Windows 8.1 computers from
unauthorized access attempts or other unwanted incoming or outgoing traffic on a network. Unwanted
traffic often comes from Internet-based sources, but the network security of any computer also can be
compromised from a LAN or WAN. You can use Windows Firewall to filter incoming and outgoing traffic
based on the traffic's characteristics and the type of network to which a Windows 8.1 computer is
connected.
Lesson Objectives
After completing this lesson, you will be able to:
Describe network location profiles.
Explain how to configure basic firewall settings.
Explain how to configure Windows Firewall with Advanced Security.
Explain how to identify well-known ports.
Configure inbound and outbound rules.
Understanding Network Location Profiles
The first time that you connect a computer to a network, you must select a network location, which sets appropriate firewall and security settings automatically. When you connect to networks in different locations, choosing a network location can help you ensure that your computer is set to an appropriate security level at all times.
Windows 8.1 uses network location awareness (NLA) to uniquely identify networks to which a computer is connected. NLA collects information from networks, including IP address and media access control (MAC) address data from important network components like routers and gateways, to identify a specific network.
There are three network location types:
Domain networks. These are networks at a workplace that attach to a domain. Use this option for any
network that allows communication with a domain controller. Network discovery is on by default, and
you cannot create or join a HomeGroup.
Private networks. These are networks at home or work where you know and trust the people and
devices on the network. When you select Home or work (private) networks, this turns on network
discovery. Computers on a home network can belong to a HomeGroup.
Guest or public networks. These are networks in public places. This location keeps the computer from
being visible to other computers. When you select the Public place network location, HomeGroup is
not available and network discovery is turned off.
You can modify the firewall settings for each type of network location from the main Windows Firewall
page. Click Turn Windows Firewall on or off, select the network location, and then make your selection.
You also can modify the following options:
Block all incoming connections, including those in the list of allowed programs.
Notify me when Windows Firewall blocks a new program.
Note: A system administrator can configure Windows Firewall settings by using Group
Policy.
The Public networks location blocks certain programs and services from running, which protects a
computer from unauthorized access. If you connect to a Public network and Windows Firewall is on, some
programs or services might ask you to allow them to communicate through the firewall so that they can
work properly.
Configuring Basic Firewall Settings
Windows 8.1 centralizes basic firewall information in Control Panel, in the Network and Sharing Center and System and Security items. In System and Security, you can configure basic Windows Firewall settings and access the Action Center to view notifications for firewall alerts. In the Network and Sharing Center, you can configure all types of network connections, such as changing the network location profile.
Firewall Exceptions
When you add a program to the list of allowed programs or open a firewall port, you are allowing that program to send information to or from your computer. Allowing a program to communicate through a firewall is like poking a hole in the firewall. Each time you make another hole, the computer becomes less secure.
Generally, it is safer to add a program to the list of allowed programs than to open a port for the app. If you open a port without scoping the port to a specific app, you make a hole in the firewall, and it stays open until you close the port, whether a program is using it or not. If you add a program to the list of allowed programs, you are allowing the app itself to poke a hole in the firewall, but only when necessary. The holes are open for communication only as and when an allowed program or computer requires them.
To add, change, or remove allowed programs and ports, click Allow an app or feature through Windows
Firewall in the left pane of the Windows Firewall page, and then click Change settings. For example, to
view performance counters from a remote computer, you must enable the Performance Logs and Alerts
firewall exception on the remote computer.
To help decrease security risks when you open communications, consider the following:
Only allow a program or open a port when necessary.
Remove programs from the list of allowed programs, or close ports when you do not require them.
Never allow a program that you do not recognize to communicate through the firewall.
Multiple Active Firewall Policies
Windows 8.1 includes multiple active firewall policies. These firewall policies enable computers to obtain and apply a domain firewall profile, regardless of the networks that are active on the computers. Information technology (IT) professionals can maintain a single set of rules for remote clients and those that physically connect to an organization's network. To set up or modify profile settings for a network location, click Change advanced sharing settings in the left pane of the Network and Sharing Center.
Windows Firewall Notifications
You also can display firewall notifications in the taskbar. Click Change notification settings in the left pane
of the Windows Firewall page, and then for each network location, check or clear the Notify me when
Windows Firewall blocks a new app check box.
Configuring Windows Firewall with Advanced Security
Although typical end-user configuration still occurs via Windows Firewall in Control Panel, you now can perform advanced configuration in Windows Firewall with Advanced Security. This snap-in is accessible in Control Panel from the Windows Firewall page by clicking Advanced settings in the left pane. The snap-in provides an interface for configuring Windows Firewall locally, on remote computers, and by using Group Policy.
Windows Firewall with Advanced Security is an example of a network-aware app. You can create a profile for each network location type, and each profile can contain different firewall policies. For example, you can allow incoming traffic for a specific desktop management tool when a computer is on a domain network, but block traffic when the computer connects to public or private networks.
Network awareness enables you to provide flexibility on an internal network without sacrificing security
when users travel. A public network profile must have stricter firewall policies to protect against
unauthorized access. A private network profile might have less restrictive firewall policies to allow file and
print sharing or peer-to-peer discovery.
Windows Firewall with Advanced Security Properties
Use the Windows Firewall with Advanced Security Properties dialog box to configure basic firewall
properties for domain, private, and public network profiles. A firewall profile is a way of grouping settings,
including firewall rules and IPsec rules. Use the IPsec Settings tab on the Windows Firewall with Advanced
Security Properties dialog box to configure the default values for IPsec configuration options.
Note: To access the global profile settings in Windows Firewall with Advanced Security
Properties, perform one of the following procedures:
In the navigation pane, right-click Windows Firewall with Advanced Security, and then click
Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the Overview
section, click Windows Firewall Properties.
In the navigation pane, select Windows Firewall with Advanced Security, and then in the Actions
pane, click Properties.
The options that you can configure for each of the three network profiles are:
Firewall state. Turn on or off independently for each profile.
Inbound connections. Configure to block connections that do not match any active firewall rules,
block all connections regardless of inbound rule specifications, or allow inbound connections that do
not match an active firewall rule.
Outbound connections. Configure to allow connections that do not match any active firewall rules, or
block outbound connections that do not match an active firewall rule.
Settings. Configure display notifications, unicast responses, local firewall rules, and local IPsec rules.
Logging. Configure the following logging options:
o Name. Use a different name for each network profile's log file.
o Size limit (KB). The default size is 4096. Adjust this if necessary when troubleshooting.
o No logging occurs until you set one or both of the following two options to Yes:
Log dropped packets
Log successful connections
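The per-profile options above can be set with the NetSecurity cmdlets as well as in the snap-in, and the log they produce is worth knowing how to read. The following is an added example, not course material: it applies the settings listed above to all three profiles and then summarises dropped inbound packets from the log. The per-profile log file names and the sample log lines are constructed for illustration; run it in an elevated PowerShell session.

```powershell
# Added example (not from the course): apply the per-profile settings listed
# above with the NetSecurity cmdlets, then summarise dropped inbound packets
# from the firewall log. Requires an elevated session on Windows 8.1.
# Log file names and sample log lines below are constructed for illustration.

# A different log file for each network profile, 4096 KB default size limit.
$logFiles = @{
    Domain  = '%systemroot%\System32\LogFiles\Firewall\pfirewall-domain.log'
    Private = '%systemroot%\System32\LogFiles\Firewall\pfirewall-private.log'
    Public  = '%systemroot%\System32\LogFiles\Firewall\pfirewall-public.log'
}
$settings = @{
    Enabled               = 'True'    # Firewall state: on
    DefaultInboundAction  = 'Block'   # Inbound: block unless a rule allows
    DefaultOutboundAction = 'Allow'   # Outbound: allow unless a rule blocks
    LogMaxSizeKilobytes   = 4096      # Size limit (KB)
    LogBlocked            = 'True'    # Log dropped packets
    LogAllowed            = 'False'   # Log successful connections (noisy; off here)
}
foreach ($profileName in $logFiles.Keys) {
    Set-NetFirewallProfile -Name $profileName -LogFileName $logFiles[$profileName] @settings
}
Get-NetFirewallProfile |
    Format-Table Name, Enabled, DefaultInboundAction, LogBlocked, LogFileName -AutoSize

# The log is W3C extended format; this is the column order of its #Fields header.
$fields = 'date', 'time', 'action', 'protocol', 'src-ip', 'dst-ip', 'src-port', 'dst-port',
          'size', 'tcpflags', 'tcpsyn', 'tcpack', 'tcpwin', 'icmptype', 'icmpcode', 'info', 'path'

function Get-DroppedInboundSummary {
    # Groups DROP records received by this host by protocol and destination
    # port, most frequently hit first, with the distinct source addresses.
    param([string[]]$LogLines)
    $LogLines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            $values = $_ -split ' '
            $record = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
                $record[$fields[$i]] = $values[$i]
            }
            [pscustomobject]$record
        } |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Protocol, DstPort'; e = { $_.Name } },
            @{ n = 'Sources'; e = { ($_.Group.'src-ip' | Sort-Object -Unique) -join ' ' } }
}

# Constructed sample in the format the firewall writes. For a real log use
# Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall-domain.log".
$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-05-12 10:15:32 DROP TCP 172.16.0.20 172.16.0.11 49211 3389 52 S 1234567 0 8192 - - - RECEIVE
2014-05-12 10:15:35 DROP TCP 172.16.0.20 172.16.0.11 49212 3389 52 S 1234568 0 8192 - - - RECEIVE
2014-05-12 10:15:40 DROP UDP 172.16.0.21 172.16.0.11 51000 161 78 - - - - - - - RECEIVE
2014-05-12 10:15:41 ALLOW TCP 172.16.0.11 172.16.0.10 49300 389 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

Get-DroppedInboundSummary -LogLines $sample
```

With the sample above the summary lists two drops for TCP 3389 and one for UDP 161; the SEND record is excluded because it left the host rather than arriving at it.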
Windows Firewall with Advanced Security Rules
Rules are a collection of criteria that define what traffic you will allow, block, or secure with a firewall. You
can configure the following types of rules:
Inbound
Outbound
IPsec
Inbound Rules
Inbound rules explicitly allow or block traffic that matches the rule's criteria. For example, you can configure a rule to allow traffic that is secured by IPsec for Remote Desktop through the firewall, but block the same traffic if it is not secured by IPsec. You must use a separately configured IPsec rule to secure the traffic.
When you first install the Windows operating system, Windows Firewall blocks all unsolicited inbound
traffic. To allow a certain type of unsolicited inbound traffic, you must create an inbound rule that
describes that traffic. For example, if you want to run a Web server, you must create a rule that allows
unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows
Firewall with Advanced Security takes, which is whether to allow or block connections when no inbound
rule applies.
Outbound Rules
Windows Firewall allows all outbound traffic unless a rule blocks it. Outbound rules explicitly allow or deny traffic originating from a computer that matches a rule's criteria. For example, you can configure a rule to explicitly block outbound traffic to a computer by IP address through the firewall, but allow the same traffic for other computers.
Inbound and Outbound Rule Types
There are four different types of inbound and outbound rules:
Program rules. These control connections for a program. Use this type of firewall rule to allow a connection based on the program that is trying to connect. These rules are useful when you are not sure of the port or other required settings, because you only specify the path to the program's executable (.exe) file.
Port rules. These control connections for a TCP or UDP port. Use this type of firewall rule to allow a
connection based on the TCP or UDP port number over which the computer is trying to connect. You
specify the protocol and the individual or multiple local ports to which the rule applies.
Predefined rules. These control connections for a Windows-based experience. Use this type of firewall
rule to allow a connection by selecting one of the programs or experiences from the list. Network-
aware programs that you install typically add their own entries to this list so that you can enable and
disable them as a group.
Custom rules. Configure these as necessary. Use this type of firewall rule to allow a connection based
on criteria that other types of firewall rules do not cover.
Consider the scenario in which you want to create and manage tasks on a remote computer by using the
Task Scheduler user interface. Before connecting to the remote computer, you must enable the Remote
Scheduled Tasks Management firewall exception on the remote computer. You can do this by using the
predefined rule type on an inbound rule.
Alternatively, you might want to block all web traffic on the default TCP Web server port 80. In this
scenario, you create an outbound port rule that blocks the specified port. The next topic discusses well-
known ports, such as port 80.
IPsec Rules
Firewall rules and IPsec rules are complementary, and both contribute to a defense-in-depth strategy to
protect a computer. IPsec rules secure traffic as it crosses a network by using IPsec. Use IPsec rules to
specify that connections between two computers must be authenticated or encrypted. IPsec rules specify
how and when authentication occurs, but they do not allow connections. To allow a connection, create an
inbound or outbound rule. After an IPsec rule is in place, you can specify that inbound and outbound
rules apply only to specific users or computers.
You can create the following IPsec rule types:
Isolation rules. These isolate computers by restricting connections based on authentication criteria,
such as domain membership or health status. Isolation rules allow you to implement a server or
domain isolation strategy.
Authentication exemption rules. These designate connections that do not require authentication. You
can designate computers by specific IP address, an IP address range, a subnet, or a predefined group,
such as a gateway.
You typically use this type of rule to grant access to infrastructure computers, such as Active Directory
domain controllers, certification authorities (CAs), or Dynamic Host Configuration Protocol servers.
Server-to-server rules. These protect connections between specific computers. When you create this
type of rule, you must specify the network endpoints between which you want to protect
communications. Then, you designate requirements and the type of authentication that you want to
use, such as the Kerberos version 5 protocol. A scenario in which you might use this rule is to
authenticate the traffic between a database server and a business-layer computer.
Tunnel rules. These secure communications that travel between two computers by using tunnel mode
in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that you
route between two defined endpoints.
For each endpoint, specify a single computer that receives and consumes the sent network traffic, or
specify a gateway computer that connects to a private network onto which the received traffic is
routed after extracting it from the tunnel.
Custom rules. Configure these as necessary. Custom rules authenticate connections between two
endpoints when you cannot set up authentication rules by using the other rule types.
Monitoring
Windows Firewall uses the monitoring interface to display information about current firewall rules, IPsec
rules, and security associations (SAs). The Monitoring page displays which profiles are active (domain,
private, or public), and the settings for the active profiles.
Windows Firewall with Advanced Security events also are available in Event Viewer. For example, the ConnectionSecurity operational event log is a resource that you can use to view IPsec-related events. The operational log is always on, and it contains events for IPsec rules.
Identifying Well-Known Ports
Before you configure either inbound or outbound firewall rules, you must understand how apps communicate on a TCP/IP network. At a high level, when an app wants to establish communications with an app on a remote host, it creates a connection to a defined TCP or UDP socket.
The combination of the following three parts defines a socket:
The transport protocol that the app uses, either TCP or UDP.
The Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6) address of the source and
destination hosts.
The TCP or UDP port number that the apps are using. TCP or UDP communications use ports to name
the ends of logical connections that transfer data.
Well-Known Ports
The Internet Assigned Numbers Authority (IANA) assigns the well-known ports. On most systems, only system processes or programs that privileged users execute can use these ports. Ports receive a number between 0 and 65,535 and fall into three ranges:
Well-known ports are those from 0 through 1,023.
Registered ports are those from 1,024 through 49,151.
Dynamic and private ports are those from 49,152 through 65,535.
To view the current TCP/IP network connections and listening ports, use the netstat -a command or the Get-NetTCPConnection Windows PowerShell command-line interface cmdlet.
IANA assigns well-known ports to specific apps so that client apps can locate them on remote systems.
Therefore, to the extent that is possible, use the same port assignments with TCP and UDP. To view a list
of well-known ports and the associated services recognized by Windows 8.1, open the
C:\Windows\System32\drivers\etc\Services file. The following table identifies some well-known ports.
Port   Protocol   Application
21     TCP        File Transfer Protocol (FTP)
23     TCP        Telnet, which provides access to a command-line interface on a remote host
25     TCP        Simple Mail Transfer Protocol (SMTP), which email servers and clients use to send email
53     UDP        DNS
53     TCP        DNS
80     TCP        Hypertext Transfer Protocol (HTTP), which a Web server uses
110    TCP        Post Office Protocol version 3 (POP3), which email clients use for email retrieval
143    TCP        Internet Message Access Protocol (IMAP), used by email clients for email retrieval
161    UDP        Simple Network Management Protocol (SNMP)
389    TCP        Lightweight Directory Access Protocol (LDAP)
443    TCP        Hypertext Transfer Protocol Secure (HTTPS) for secured Web servers
3389   TCP        Remote Desktop Protocol (RDP), a proprietary protocol that provides a user with a graphical interface to another computer

Typically, it is not necessary to configure applications to use specific ports. However, you must be aware of
the ports that applications use to ensure that the required ports are open through your firewall when you
use a port rule.
Remember that when you add a TCP or UDP port to the rules list, the port is open whenever Windows
Firewall with Advanced Security is running, regardless of whether there is a program or system service
listening for incoming traffic on the port. For this reason, if you need to allow unsolicited incoming traffic,
create a program rule instead of a port rule. With a program rule, the port opens and closes dynamically
as the program requires. You also do not need to be aware of the port number that the application uses.
If you change the application port number, the firewall automatically continues communication on the
new port.
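Before writing a port rule it helps to see which ports the computer actually listens on, which process owns each, and what the Services file calls that port. The following added example (not course material) does that with Get-NetTCPConnection and the Services file mentioned above; the function names are this example's own, and no elevation is needed to list connections.

```powershell
# Added example (not from the course): inventory listening TCP ports on this
# Windows 8.1 computer, the owning process and the Services-file name for the
# port, so you know what a port rule would expose. Read-only.
# Function names are this example's own; cmdlets and paths are as in the text.

function Get-ServiceNameTable {
    # Parses lines such as "ftp   21/tcp   # File Transfer Protocol" from the
    # Services file into a "tcp/21" -> "ftp" lookup table.
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\services")
    $table = @{}
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*(\S+)\s+(\d+)/(tcp|udp)') {
            $table["$($Matches[3])/$($Matches[2])"] = $Matches[1]
        }
    }
    $table
}

function Get-PortRange {
    # The three IANA ranges quoted in the text above.
    param([int]$Port)
    if ($Port -le 1023) { 'well-known' }
    elseif ($Port -le 49151) { 'registered' }
    else { 'dynamic/private' }
}

function Get-ListeningPortReport {
    $names = Get-ServiceNameTable
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            # The owning process may have exited or be protected; fall back to the PID.
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $processName = if ($proc) { $proc.ProcessName } else { "PID $($_.OwningProcess)" }
            $serviceName = $names["tcp/$($_.LocalPort)"]
            if (-not $serviceName) { $serviceName = '-' }
            # 0.0.0.0 and :: mean the socket accepts connections on every interface,
            # so an inbound rule for that port reaches it from any connected network.
            $allInterfaces = $_.LocalAddress -in '0.0.0.0', '::'
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                Port          = $_.LocalPort
                Range         = Get-PortRange -Port $_.LocalPort
                ServiceName   = $serviceName
                Process       = $processName
                AllInterfaces = $allInterfaces
            }
        }
}

# Show the listeners that an inbound port rule would matter for most:
# well-known ports bound to every interface.
Get-ListeningPortReport |
    Where-Object { $_.AllInterfaces -and $_.Range -eq 'well-known' } |
    Format-Table -AutoSize
```

Drop the Where-Object filter to see every listener, and compare the result with the netstat -a output named in the text, which shows the same sockets without the process or range columns.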
Demonstration: Configuring Inbound and Outbound Rules
In this demonstration, you will see how to configure inbound and outbound firewall rules for Windows
Firewall.
Demonstration Steps
Test Remote Desktop connectivity
1. Sign in to LON-CL2 as Adatum\Administrator with a password of Pa$$w0rd.
2. Open the Start screen, and then start the Remote Desktop Connection program.
3. Connect to LON-CL1, and sign in as Adatum\Administrator with a password of Pa$$w0rd.
4. After verifying the connection, sign out of LON-CL1.
Configure an inbound rule
1. Switch to LON-CL1.
2. Sign in to LON-CL1 as Adatum\Administrator.
3. Open Control Panel, and then open Windows Firewall.
4. Create the following Inbound Rule:
o Rule type: Predefined
o Rule Name: Remote Desktop
o Predefined Rules:
Remote Desktop Shadow (TCP-in)
Remote Desktop User Mode (TCP-In)
Remote Desktop User Mode (UDP-In)
o Action: Block the connection
Test the inbound rule
1. Switch to LON-CL2, open the Start screen, and then start the Remote Desktop Connection program.
2. Connect to LON-CL1.
3. Verify that the connection attempt fails.
Test outbound Remote Desktop connectivity
1. Switch to LON-CL1.
2. Open the Start screen, and then start the Remote Desktop Connection program.
3. Connect to LON-DC1, and then sign in as Adatum\Administrator.
4. After verifying the connection, sign out of LON-DC1.
Configure an outbound rule
1. On LON-CL1, restore the Windows Firewall with Advanced Security window.
2. Create a new Program rule with the following properties:
a. Block connections from the C:\Windows\System32\mstsc.exe program.
3. Name the rule Block Outbound RDP to LON-DC1.
4. Open the properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.
5. Modify the scope so that the rule only applies to the remote IP address 172.16.0.10.
Test outbound Remote Desktop connectivity
1. Open the Start screen, and then start the Remote Desktop Connection program.
2. Attempt to connect to LON-DC1, which should fail immediately.
3. Close all open windows.
Lab A: Configuring Inbound and Outbound Firewall Rules
Scenario
Remote Desktop is enabled on all client systems through a Group Policy Object (GPO). However, as part
of your infrastructure security plan, you must configure certain desktop systems, such as the Human
Resources department systems, for limited exposure to remote connections. Before implementing firewall
rules in a GPO, you want to validate your plan by manually configuring the rules on local systems. You
decide to control this through local firewall rules that block traffic on the client systems, using LON-CL1 as
a test computer.
Objectives
After completing this lab, you will be able to:
Create an inbound Windows Firewall rule.
Create an outbound Windows Firewall rule.
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 through 4 for 20687C-LON-CL1 and 20687C-LON-CL2.
Exercise 1: Creating an Inbound Windows Firewall Rule
Scenario
To prevent incoming Remote Desktop connections, you must implement an inbound firewall rule on
LON-CL1 to block all incoming RDP traffic.
The main tasks for this exercise are as follows:
1. Test Remote Desktop connectivity.
2. Configure an inbound firewall rule.
3. Test the inbound firewall rule.
Task 1: Test Remote Desktop connectivity
1. Sign in to LON-CL2 as Adatum\Administrator.
2. Open the Start screen, and then start the Remote Desktop Connection program.
3. Connect to LON-CL1, and then sign in as Adatum\Administrator.
4. After verifying the connection, sign out of LON-CL1.
Task 2: Configure an inbound firewall rule
1. Sign in to LON-CL1 as Adatum\Administrator.
2. Open Control Panel, and then open Windows Firewall.
3. Create the following Inbound Rule:
o Rule type: Predefined
o Rule Name: Remote Desktop
o Predefined Rules:
Remote Desktop Shadow (TCP-in)
Remote Desktop User Mode (TCP-In)
Remote Desktop User Mode (UDP-In)
o Action: Block the connection
4. Minimize the Windows Firewall with Advanced Security window.
Task 3: Test the inbound firewall rule
1. Switch to LON-CL2, open the Start screen, and then start the Remote Desktop Connection program.
2. Connect to LON-CL1, and then sign in as Adatum\Administrator.
3. Verify that the connection attempt fails.

Results: After completing this exercise, you should have created an inbound Windows Firewall rule.
Exercise 2: Create an Outbound Firewall Rule
Scenario
You must implement a firewall rule on LON-CL1 that prevents it from connecting to LON-DC1 by using the Remote Desktop Connection app.
The main tasks for this exercise are as follows:
1. Test Remote Desktop connectivity.
2. Configure an outbound rule.
3. Test the outbound rule.
Task 1: Test Remote Desktop connectivity
1. Switch to LON-CL1.
2. Open the Start screen, and then start the Remote Desktop Connection program.
3. Connect to LON-DC1, and then sign in as Adatum\Administrator.
4. After verifying the connection, sign out of LON-DC1.
Task 2: Configure an outbound rule
1. On LON-CL1, restore the Windows Firewall with Advanced Security window.
2. Create a new Outbound Rule with the following properties:
o Rule Type: Program
o Program: C:\Windows\System32\mstsc.exe
o Action: Block the connection
o Profile: Domain, Private, and Public
o Name: Block Outbound RDP to LON-DC1
3. Open the Properties of the Block Outbound RDP to LON-DC1 rule, and then click the Scope tab.
4. Modify the scope so that the rule only applies to the remote IP address 172.16.0.10.
Task 3: Test the outbound rule
1. Open the Start screen, and then start the Remote Desktop Connection app.
2. Attempt to connect to LON-DC1, which should fail immediately.
3. Close all open windows.

Results: After completing this exercise, you should have configured and tested an outbound firewall rule.
To prepare for the next lab
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.
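The demonstration and the two lab exercises above build the same two rules through the snap-in. As an added example that is not part of the course or lab, the script below creates equivalent rules on LON-CL1 with the NetSecurity cmdlets and verifies them. It takes the mstsc.exe path and the LON-DC1 address 172.16.0.10 from the lab; the inbound block uses a port rule for TCP and UDP 3389 in place of the predefined Remote Desktop group, and the "(lab)" suffix on the rule names is this example's own, added so the rules are easy to find and remove.

```powershell
# Added example (not from the course or lab): create the lab's inbound and
# outbound rules on LON-CL1 with the NetSecurity cmdlets, then verify them.
# Run in an elevated PowerShell session. The mstsc.exe path and 172.16.0.10
# (LON-DC1) come from the lab; the "(lab)" name suffix is this example's own.

# Exercise 1: block inbound Remote Desktop. The lab uses the predefined
# "Remote Desktop" group with Action = Block; here the same listener is covered
# with a port rule for TCP and UDP 3389. Block rules take precedence over allow
# rules, so the existing predefined allow rules do not need to be disabled.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Block Inbound RDP $proto (lab)" `
        -Direction Inbound -Protocol $proto -LocalPort 3389 `
        -Action Block -Profile Domain, Private, Public | Out-Null
}

# Exercise 2: block the Remote Desktop Connection program only when it talks
# to LON-DC1. Program plus remote-address scope is the rule the lab builds.
New-NetFirewallRule -DisplayName 'Block Outbound RDP to LON-DC1 (lab)' `
    -Direction Outbound -Program 'C:\Windows\System32\mstsc.exe' `
    -RemoteAddress 172.16.0.10 -Action Block `
    -Profile Domain, Private, Public | Out-Null

function Get-LabRuleReport {
    # Joins each rule with its port, program and address filters so the
    # effective scope is visible in one table.
    Get-NetFirewallRule -DisplayName '*(lab)' | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Direction = $_.Direction
            Action    = $_.Action
            Enabled   = $_.Enabled
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
            Program   = $app.Program
            RemoteIP  = $addr.RemoteAddress
        }
    }
}
Get-LabRuleReport | Format-Table -AutoSize

# Note: Test-NetConnection LON-DC1 -Port 3389 still succeeds from this host,
# because the outbound rule is scoped to mstsc.exe, not to PowerShell. Verify
# the block with the Remote Desktop Connection app, as the lab does.

# Remove the test rules when the exercise is finished:
# Get-NetFirewallRule -DisplayName '*(lab)' | Remove-NetFirewallRule
```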

Lesson 3
Securing Network Traffic by Using IPsec
IPsec is a suite of protocols that can protect data in transit through a network by using security services
and, optionally, digital certificates with public and private keys. Because of its design, IPsec helps provide
much better security than previous protection methods. Network administrators who use IPsec do not
have to configure security for individual programs.
You can use IPsec rules to configure IPsec settings for specific connections between your computer and
other computers. Windows Firewall with Advanced Security uses IPsec rules to evaluate network traffic,
and then it blocks or allows messages based on the criteria that you establish in the rule. In some
circumstances, Windows Firewall with Advanced Security will block the communication. If you configure
settings that require security for a connection (in either direction), and the two computers cannot
authenticate each other, then IPsec blocks the connection. Once you enable and configure IPsec, it is
important that you know how to monitor IPsec.
Lesson Objectives
After completing this lesson, you will be able to:
Identify the benefits of IPsec.
Identify tools for configuring IPsec.
Describe IPsec rules.
Explain how to configure authentication.
Explain how to choose an authentication method.
Explain how to monitor connection security.
Configure IPsec rules.
Benefits of IPsec
You can use IPsec to ensure confidentiality, integrity, and authentication in data transport across insecure channels. Though its original purpose was to secure traffic across public networks, many organizations have chosen to implement IPsec to address perceived weaknesses in their own private networks that might be susceptible to exploitation.
If you implement it properly, IPsec provides a private channel for sending and exchanging potentially sensitive or vulnerable data, whether it is email, FTP traffic, news feeds, partner and supply-chain data, medical records, or any other type of TCP/IP-based data.
IPsec:
Offers mutual authentication before and during communications.
Forces both parties to identify themselves during the communication process.
Enables confidentiality through IP traffic encryption and digital packet authentication.
IPsec Modes
IPsec has two modes:
Encapsulating security payload (ESP). Encrypts data through one of several available algorithms.
Authentication Header (AH). Signs traffic, but does not encrypt it.
Providing IP Traffic Integrity by Rejecting Modified Packets
ESP and AH verify the integrity of all IP traffic. If a packet has been modified, the digital signature will not
match, and IPsec will discard the packet. ESP in tunnel mode encrypts the original source and destination
addresses as part of the payload. In tunnel mode, a new IP header is added to the packet that specifies
the tunnel endpoints' source and destination addresses. ESP can use Data Encryption Standard (DES),
Triple Data Encryption Standard (3DES), and Advanced Encryption Standard (AES) encryption algorithms in
Windows Server 2012 R2. As a best practice, you should avoid using DES unless clients cannot support the
stronger encryption that AES or 3DES offer.
Providing Protection from Replay Attacks
ESP and AH use sequence numbers. As a result, any packets that hackers attempt to capture for later
replay use numbers that are out of sequence. Using sequenced numbers ensures that an attacker cannot
reuse or replay captured data to establish a session or gain information illegally. Using sequenced
numbers also protects against attempts to intercept a message and use it to access resources illegally,
possibly months later.
Tools for Configuring IPsec
Some network environments are ideal for using IPsec as a security solution, while others are not. We recommend IPsec for the following uses:
Packet filtering. IPsec functions in a limited capacity as a firewall for protected computers. You can combine IPsec with the NAT and Basic Firewall functionality of the Routing and Remote Access Service to allow or block inbound or outbound traffic.
Securing host-to-host traffic. You can use IPsec to encrypt traffic between servers, other devices with static IP addresses, or network subnets. For example, you can use IPsec to secure traffic between domain controllers in different sites, or between an application server and the database server that hosts the application's database.
Securing traffic to servers. You can implement IPsec for all client computers that access a server. You
also can configure restrictions on the server, specifying which clients can connect.
Layer Two Tunneling Protocol (L2TP)/IPsec for VPN connections. You can combine the L2TP tunneling
protocol with IPsec, known as L2TP/IPsec, to provide additional data protection for VPN connections.
Site-to-site (gateway-to-gateway) tunneling. You can use IPsec to create site-to-site tunnels when you
need to connect to routers, gateways, or other network nodes that do not support L2TP/IPsec or
Point-to-Point Tunneling Protocol (PPTP) connections.
Enforcing logical networks (server/domain isolation). In a Windows-based network, you can isolate
server and domain resources logically to limit access to authenticated and authorized computers. For
example, you can create a logical network inside an existing physical network, where computers share
common requirements for secure communications. To establish connectivity, each computer in this
logically isolated network must provide authentication credentials to other computers.
This isolation prevents unauthorized computers and programs from gaining inappropriate access to
resources. IPsec ignores requests from computers that are not part of the isolated network. Server and
domain isolation can protect specific high-value servers and data, and it can protect managed
computers from unmanaged or rogue computers and users.
You can protect a network with two types of isolation:
Server isolation. To isolate a server, you configure specific servers to require an IPsec policy to accept
authenticated communications from other computers. For example, you might configure the
database server to accept connections from a web application server only.
Domain isolation. To isolate a domain, you use Active Directory domain membership to ensure that
computers that are domain members accept only authenticated and secured communications from
other domain-member computers. The isolated network consists only of that domain's member
computers, and domain isolation uses an IPsec policy to protect traffic that is sent between domain
members, including all client and server computers.
Note: IPsec depends on IP addresses for establishing secure connections. Using dynamic IP
addresses for both clients and servers, or at either end of an IPsec connection, can introduce
significant complexity to the design of an IPsec policy.
Considering IPsec for Special Scenarios
If you perform the following tasks when using IPsec, you must consider additional configuration
requirements:
Protect traffic over wireless 802.11 LANs. You can use IPsec to encrypt traffic that is sent over 802.11
networks. However, you should not use IPsec for securing organizational 802.11 wireless LANs. You
should use Wi-Fi Protected Access 2 encryption and Institute of Electrical and Electronics Engineers,
Inc. (IEEE) 802.1X authentication instead.
You also can use L2TP/IPsec VPN connections to protect remote access traffic sent over the Internet
between organizational networks.
Use IPsec in tunnel mode for remote access VPN connections. You should not use IPsec only for
Windows-based VPN clients and servers. Rather, use L2TP/IPsec or PPTP.
What Are IPsec Rules?
An IPsec rule forces authentication between two peer computers before they can establish a connection and transmit secure information. Windows Firewall with Advanced Security uses IPsec to enforce the rules listed below. The configurable rules are:
Isolation. An isolation rule isolates computers by restricting connections that are based on credentials, such as domain membership or health status. Isolation rules allow you to implement an isolation strategy for servers or domains.
Authentication exemption. You can use an authentication exemption to designate connections that
do not require authentication. You can designate computers by a specific IP address, an IP address
range, a subnet, or a predefined group, such as a gateway.
Server-to-server. A server-to-server rule protects connections between specific computers. This type
of rule usually protects connections between servers. When you create the rule, you specify the
network endpoints between which communications are protected. You then designate requirements
and the authentication that you want to use.
Tunnel. A tunnel rule allows you to protect connections between gateway computers, and typically,
you use it when you are connecting across the Internet between two security gateways.
Custom. Sometimes, you cannot set up authentication rules that you need by using the rules available
in the New Connection Security Rule Wizard. In such cases, you can use a custom rule to authenticate
connections between two endpoints.
How Firewall Rules and IPsec Rules Are Related
Firewall rules allow traffic through the firewall, but do not secure that traffic. To secure traffic with IPsec,
you can create connection security rules. However, when you create a connection security rule, this does
not allow the traffic through the firewall. You must create a firewall rule to do this if the traffic is not
allowed by the firewall's default behavior. Connection security rules do not apply to programs and
services, but rather, they apply between the computers that are the two endpoints.
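An added example, not from the course, that puts the two rule types side by side: the isolation connection security rule used in this module's demonstration, plus the firewall rule that actually admits traffic, written so that it admits only IPsec-authenticated peers. It assumes the lab's domain-joined LON-CL1 (run here, elevated) and LON-CL2; the firewall rule name and the choice of ICMPv4 echo as the protected traffic are this example's own.

```powershell
# Added example (not course material). Assumes domain-joined LON-CL1/LON-CL2 as in the lab.

# 1. Connection security rule: authenticate the peer computer (Kerberos, phase 1) and the
#    user (Kerberos, phase 2). Inbound = Require drops peers that cannot authenticate;
#    Outbound = Request lets LON-CL1 still reach hosts that do not do IPsec.
#    This secures traffic but, by itself, opens nothing through the firewall.
New-NetIPsecRule -DisplayName 'Authenticate all inbound connections' `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos | Out-Null

# 2. Firewall rule: what admits the traffic. -Authentication Required means the rule matches
#    only IPsec-authenticated packets, so even if the rule above is later relaxed to Request,
#    this allow rule never admits a cleartext echo request.
$fwName = 'Allow ICMPv4 echo (IPsec-authenticated only)'
New-NetFirewallRule -DisplayName $fwName `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -Authentication Required -Action Allow | Out-Null

# Caveat: allow rules are additive. Any other enabled inbound ICMPv4 allow rule without an
# authentication requirement would still admit unauthenticated pings once inbound security
# drops below Require, so list them before relying on the rule above.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    Select-Object DisplayName, Profile

# 3. Verify: the active store is the merged result of local and Group Policy rules.
Show-NetIPsecRule -PolicyStore ActiveStore |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Phase1AuthSet, Phase2AuthSet
Get-NetFirewallRule -DisplayName $fwName |
    Get-NetFirewallSecurityFilter | Select-Object Authentication, Encryption

# 4. After LON-CL2 pings LON-CL1, the IKE (Main Mode, phase 1) SA and the IPsec (Quick Mode,
#    phase 2) SAs carrying the echo traffic appear here. Pipe to Format-List * for all fields.
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```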
Configuring Authentication
When you use the New Connection Security Rule Wizard to create a new rule, you can use the Requirements page to specify how you want authentication to apply to inbound and outbound connections. If you request authentication, communication is still allowed when authentication fails. If you require authentication, the connection is dropped when authentication fails.
Request Authentication for Inbound and Outbound Connections
Use the Request authentication for inbound and outbound connections option to specify that all inbound and outbound traffic must attempt to authenticate, but that the connection is allowed if authentication fails. However, if authentication succeeds, traffic is protected. You typically use this option in low-security environments or in an environment where computers must be able to connect, but cannot perform the types of authentication that are available with Windows Firewall with Advanced Security.
Require Authentication for Inbound Connections and Request Authentication for Outbound Connections
Use the Require authentication for inbound connections and request authentication for outbound connections option if you want to require that all inbound traffic either is authenticated or else blocked. Outbound traffic attempts to authenticate, but it is allowed if authentication fails; if authentication succeeds, the outbound traffic is protected. You typically use this option in most IT environments in which the computers that need to connect can perform the authentication types that are available with Windows Firewall with Advanced Security.
Require Authentication for Inbound and Outbound Connections
Use the Require authentication for inbound and outbound connections option if you want to require that
all inbound and outbound traffic either is authenticated or else blocked. You typically use this option in
higher-security IT environments where you must protect and control traffic flow, and in which the
computers that must be able to connect can perform the authentication types that are available with
Windows Firewall with Advanced Security.
Choosing an Authentication Method
The New Connection Security Rule Wizard has a page on which you can set up the authentication method to configure the authentication credentials that you want clients to use. If the rule exists already, you can use the Authentication tab in the Properties dialog box of the rule that you wish to edit.
Default
Select the Default option to use the authentication method that you configured on the IPsec Settings tab of the Windows Firewall with Advanced Security Properties dialog box.
Computer and User (Kerberos V5)
The Computer and user (Kerberos V5) method uses both computer and user authentication, which means
that you can request or require both the user and the computer to authenticate before communications
continue. You can use the Kerberos V5 authentication protocol only if both computers and users are
domain members.
Computer (Kerberos V5)
The Computer (Kerberos V5) method requests or requires the computer to authenticate by using the
Kerberos V5 authentication protocol. You can use the Kerberos V5 authentication protocol only if both
computers are domain members.
User (Kerberos V5)
The User (Kerberos V5) method requests or requires the user to authenticate by using the Kerberos V5
authentication protocol. You can use the Kerberos V5 authentication protocol only if the user is a domain
member.
Computer Certificate
The Computer certificate method requests or requires a valid computer certificate to authenticate, and
you must have at least one CA to do this. Use this method if the computers are not part of the same
AD DS domain.
Only Accept Health Certificates
The Only accept health certificates method requests or requires a valid health certificate to authenticate.
Health certificates declare that a computer has met system health requirements, as determined by a
Network Access Protection (NAP) health policy server, such as all software and other updates that network
access requires. These certificates are distributed during the NAP health evaluation process. Use this
method only for supporting NAP.
Advanced
You can configure any available method, and you can specify methods for first authentication and second authentication. First authentication methods include Computer (Kerberos V5), computer certificate, and a preshared key (not recommended). Second authentication methods include User (Kerberos V5), User NTLM (Windows NT Challenge/Response protocol), user certificates, and computer certificates. Second authentication methods are supported only by computers that are running Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2.
Monitoring Connection Security
Windows Firewall with Advanced Security is a stateful, host-based firewall that blocks incoming and outgoing connections based on its configuration. Although a typical end-user configuration for Windows Firewall still occurs via the Windows Firewall control panel item, advanced configuration now occurs in the Microsoft Management Console (MMC) snap-in named Windows Firewall with Advanced Security. The inclusion of this snap-in not only provides an interface for configuring Windows Firewall locally, but also for configuring Windows Firewall on remote computers and through Group Policy. You also can use Windows PowerShell to configure Windows Firewall policies throughout your environment. Windows Firewall functions now integrate with connection security protection settings, reducing the possibility of conflict between the two protection mechanisms.
Monitoring Options for Windows Firewall with Advanced Security
You can use the Windows Firewall with Advanced Security console to monitor security policies that you
create in the Connection Security Rules node. However, you cannot view the policies that you create by
using the IP Security Policy Management snap-in. These security options are for use with Windows Vista,
Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows
Server 2012, and Windows Server 2012 R2. For older operating systems, such as Windows XP and
Windows 2000, you must use the Connection Security Rules node to view security associations (SAs) and connections.
Monitoring Connection Security Rules
The Connection Security Rules node lists all of the enabled IPsec rules with detailed information about
their settings. Connection security rules define which authentication, key exchange, data integrity, or
encryption you can use to form an SA. The SA defines the security that protects the communication from
the sender to the recipient.
Implementing Connection Security Monitor
You can implement Connection Security Monitor as an MMC snap-in. It includes enhancements that you
can use to view details about an active connection security policy that the domain applies or that you
apply locally. Additionally, you can view Quick Mode and Main Mode statistics, and active connection
security SAs. You also can use Connection Security Monitor to search for specific Main Mode or Quick
Mode filters. To troubleshoot complex connection security policy designs, you can use Connection
Security Monitor to search for all matches for filters of a specific traffic type.
Changing Default Settings
You can change the Connection Security Monitor default settings, such as automatic refresh and DNS
name resolution. For example, you can specify the time that elapses between IPsec data refreshes.
Additionally, you can enable DNS name resolution for the IP addresses that you are monitoring. Note that
there are some issues to consider when enabling DNS. For example, it only works in a specific filter view
for Quick Mode and in SAs view for Quick Mode and Main Mode monitoring. There also is the possibility
that you can affect a server's performance if several items in the view require name resolution. Finally, the
DNS record name resolution requires a proper pointer (PTR) resource record in DNS.
Adding a Computer to Monitor
You can monitor computers remotely from a single console, but you must modify a registry value so that
the remote system accepts a console connection.
Setting the HKLM\system\currentcontrolset\services\policyagent\EnableRemoteMgmt registry value to 1
prevents the "IPsec service is not running" error when you manage a computer remotely.
Obtaining Information About the Active Policy
You can get basic information about the current IP security policy in the Active Policy node of the IP
Security Monitoring snap-in to the MMC. During troubleshooting, this is useful to identify which policy
IPsec is applying to the server. Details such as the policy location and when it was modified last provide
key details when you are determining the current policy in place.
To view the IPsec rules in the active policy store, you can use the following Windows PowerShell
command:
Show-NetIPsecRule -PolicyStore ActiveStore
Main Mode SA and Quick Mode SA
The Main Mode SA is the initial SA that is established between two computers. This negotiates a set of
cryptographic protection suites between both hosts. This initial SA allows Quick Mode key exchange to
occur in a protected environment. The Main Mode SA also is known as the Internet Security Association
Key Management Protocol (ISAKMP) or Phase 1 SA. Main Mode establishes the secure environment in which
the other keys are exchanged, as required by the IPsec policy.
A Quick Mode SA depends on the successful establishment of a Main Mode SA. A Quick Mode SA also is
known as an IPsec or Phase 2 SA. This process establishes keys based on the information that the policy
specifies. Quick Mode SAs establish protected transmission channels for the actual application IP data that
the policy specifies.
Monitoring SAs
The Security Associations folder lists all of the Main Mode and Quick Mode SAs with detailed information
about their settings and endpoints.
Main Mode
Main Mode statistics provide data about the total number of SAs created and invalid packet information.
Quick Mode
Quick Mode provides more detailed information about connections. If you are having issues with an IPsec
connection, Quick Mode statistics can provide insight into the problem.
Demonstration: Configuring an IPsec Rule
In this demonstration, you will see how to configure and monitor IPsec rules.
Demonstration Steps
Create a connection rule
1. On LON-CL1, open Control Panel, open Windows Firewall, and then open the Advanced settings.
2. Create a connection Security rule that allows traffic on LON-CL1 with the following settings:
o Rule: Isolation
o Requirements: Require authentication for inbound connections and request authentication
for outbound connections
o Authentication: Computer and user (Kerberos V5)
o Name: Authenticate all inbound connections
Test connectivity between LON-CL2 and LON-CL1
1. Switch to LON-CL2, open a Command Prompt window, and then ping LON-CL1.
2. Close the Command Prompt window.
Create a connection rule by using Windows PowerShell
Open an Administrator: Windows PowerShell window, and then run the following cmdlet:
New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos
Test connectivity between LON-CL2 and LON-CL1
1. Ping LON-CL1.
2. Open Control Panel, open Windows Firewall, and then open the Advanced settings.
3. Examine the Security Associations monitoring.
Examine the security associations on LON-CL1 by using Windows PowerShell
1. Switch to LON-CL1, and then open an Administrator: Windows PowerShell window.
2. To examine the Main Mode Security Associations, run the following cmdlet:
Get-NetIPsecMainModeSA
3. To examine the Quick Mode Security Associations, run the following cmdlet:
Get-NetIPsecQuickModeSA
Lab B: Configuring IPsec Rules
Scenario
A. Datum Corporation uses many outside consultants. The enterprise's management has a concern that if
consultants were on the company network, they might be able to connect to unauthorized computers.
Objectives
After completing this lab, you will be able to:
Create and configure an IPsec rule on one computer.
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should
be running already from the preceding lab.
Exercise 1: Creating and Configuring IPsec Rules
Scenario
You have decided to test using secured connections between computers on sensitive segments of your
network.
The main tasks for this exercise are as follows:
1. Create an Internet Protocol security (IPsec) rule on LON-CL1.
2. Test connectivity between LON-CL2 and LON-CL1.
3. Create an IPsec rule on LON-CL2 by using the Windows PowerShell command-line interface.
4. Test connectivity between LON-CL2 and LON-CL1.
Task 1: Create an Internet Protocol security (IPsec) rule on LON-CL1
1. On LON-CL1, open Control Panel, and then open Windows Firewall.
2. Create a connection Security rule that allows traffic on LON-CL1 with the following settings:
o Rule: Isolation
o Requirements: Require authentication for inbound connections and request authentication
for outbound connections
o Authentication: Computer and user (Kerberos V5)
o Name: Authenticate all inbound connections
Task 2: Test connectivity between LON-CL2 and LON-CL1
1. Switch to LON-CL2, open a Command Prompt window, and then ping LON-CL1.
2. Close the Command Prompt window.
Task 3: Create an IPsec rule on LON-CL2 by using the Windows PowerShell command-line interface
1. On LON-CL2, open an Administrator: Windows PowerShell window, and then run the following
cmdlet:
New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos
Note: The monitoring component for the newly created Connection Security Rule might
not be created in a timely fashion. To force the creation of the monitoring component, perform
the following steps:
1. Open the Control Panel, open Windows Firewall, and then navigate to the Advanced Security
page.
2. Under the Connection Security Rules node, double-click Authenticate all inbound connections.
3. In the Description field, type Requires inbound authentication, and then click OK.
Task 4: Test connectivity between LON-CL2 and LON-CL1
1. Ping LON-CL1.
2. Open Control Panel, open Windows Firewall, and then open the Advanced settings.
3. Examine the Security Associations monitoring.
4. Switch to LON-CL1, and then open a Windows PowerShell Command Prompt window in
Administrator mode.
5. To examine the Main Mode Security Associations, run the following cmdlet:
Get-NetIPsecMainModeSA
6. To examine the Quick Mode Security Associations, run the following cmdlet:
Get-NetIPsecQuickModeSA

Results: After completing this exercise, you should have created and tested IPsec rules.
To prepare for the next lab
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.

Lesson 4
Guarding Windows 8.1 Against Malware
Malware might show up on computers and devices in your organization, despite your efforts to prevent it.
When this occurs, you must investigate it immediately and take appropriate action. Windows 8.1 includes
components that can help you identify and remove malware from computers in your environment.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Windows 8.1 protection against malware.
Explain how to adjust Windows SmartScreen settings.
Explain how to configure scanning options in Windows Defender.
Windows 8.1 Protection Against Malware
Windows 8.1 contains two important features that help protect your computer against malware. These two features are Windows SmartScreen and Windows Defender, which are described in the sections below.
Windows SmartScreen
The Windows SmartScreen safety feature in Windows 8.1 helps protect against apps that might contain malware or perform unwanted operations on your computer. When an app is executed, SmartScreen takes advantage of the Microsoft SmartScreen online databases to determine whether an app has been identified as malicious. Windows SmartScreen then will warn you prior to executing a potentially malicious app.
The SmartScreen filter that is built into Internet Explorer scans incoming files, in addition to visited sites to
determine the possibility that content might compromise your computer. If content poses a risk,
SmartScreen will provide a warning to the user that the content or site might be unsafe.
Windows Defender
Windows Defender helps protect your computer from spyware, malware, and viruses. Windows Defender also is Hyper-V aware, meaning that it detects if Windows 8.1 is running as a virtual machine. Windows Defender uses definitions to determine if software it detects is unwanted, and to alert you to potential risks. To help keep definitions up-to-date, Windows Defender automatically installs new definitions as they are released.
In Windows Defender, you can run a Quick, Full, or Custom scan. If you suspect spyware has infected a
specific area of a computer, you can customize a scan by selecting specific drives and folders. You also can
configure the schedule that Windows Defender will use.
You can choose to have Windows Defender exclude processes in your scan. Doing so can make the scan
complete faster, but your computer will be less protected. When Windows Defender detects potential
spyware activity, it stops the activity and then raises an alert.
Alert levels help you determine how to respond to spyware and unwanted software. You can configure
Windows Defender behavior when a scan identifies unwanted software. You also are alerted if software
attempts to change important Windows operating system settings.
To help prevent spyware and other unwanted software from running on a computer, turn on Windows
Defender real-time protection.
Adjusting Windows SmartScreen Settings
Depending on the requirements of your organization, you can adjust Windows SmartScreen settings to alter its functionality. You can configure Windows SmartScreen to treat unrecognized apps in one of three ways by selecting one of the below options:
Get administrator approval before running an unrecognized app from the Internet (recommended)
Warn before running an unrecognized app, but don't require administrator approval
Don't do anything (turn off Windows SmartScreen)
Configuring Windows SmartScreen Settings
You can configure Windows SmartScreen settings by following this procedure:
1. From the Start screen, type SmartScreen.
2. In the Action Center window, click Change Windows SmartScreen settings.
3. In the Windows SmartScreen window, select the action you would like SmartScreen to take when an
unrecognized app is downloaded.
Configuring Scanning Options in Windows Defender
Windows Defender includes automatic scanning options that provide regular scanning and on-demand scanning for malware. The following table identifies scanning options.
Scan option    Description
Quick          Checks the areas that malware, including viruses, spyware, and unwanted software, are most likely to infect.
Full           Checks all the files on your hard disk and all running programs.
Custom         Enables users to scan specific drives and folders.

As a best practice, you should schedule a daily quick scan. At any time, if you suspect that spyware has
infected a computer, run a full scan. When you run a scan, the progress displays on the Windows
Defender Home page. When Windows Defender detects a potentially harmful file, it moves the file to a
quarantine area and does not allow it to run or allow other processes to access it. Once the scan is
complete, choose to Remove or Restore Quarantined items and to maintain the Allowed list. A list of
Quarantined items is available from the Settings page. Click View to see all items. Review each item and
individually Remove or Restore each. Alternatively, if you want to remove all Quarantined items, click
Remove All.
Note: Do not restore software with severe or high alert ratings because it can put your
privacy and your computer's security at risk.
If you trust software that has been detected, stop Windows Defender from alerting you to risks that the
software might pose by adding it to the Allowed list. If you decide to monitor the software later, remove it
from the Allowed list.
The next time Windows Defender alerts you about software that you want to include in the Allowed list, in
the Alert dialog box, on the Action menu, click Allow, and then click Apply actions. Review and remove
software that you have allowed from the Excluded files and locations list on the Settings page.
Advanced Scanning Options
When you scan the computer, you can choose from five additional options:
Scan archive files. Scanning these locations might increase the time that is required to complete a
scan, but spyware and other unwanted software can install itself and attempt to hide in these
locations.
Scan removable drives. Use this option to scan the contents of removable drives, such as USB flash
drives.
Create a system restore point. Use this option before applying actions to detected items. Because you
can set Windows Defender to remove detected items automatically, selecting this option allows you
to restore system settings.
Allow all users to view the full History results. Use this option to allow all users that sign into this
computer to see the scanning history. If you do not select this option, users will only see scan results
that relate to their files.
Remove quarantined files after: <Time>. Removes quarantined files after a set period of time. When
you enable this option, the default period is one month, but you can set it from one day to three
months.
Lab C: Configuring Malware Protection
Scenario
You are planning to use Windows Defender to check for malware every day. You also want to ensure that
Windows Defender will quarantine any files that it considers a severe risk to your system's security.
Objectives
After completing this lab, you will be able to:
Configure Windows Defender.
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should
be running already from the preceding lab.
Exercise 1: Configuring Windows Defender
Scenario
You need to configure Windows Defender to perform a full scan every day at 2:00 A.M. Before
configuring Windows Defender, you plan on running a quick scan. Finally, you want to configure the
default actions for Windows Defender to take and to check the items that you do not want it to scan.
The main tasks for this exercise are as follows:
1. Perform a quick scan.
2. Test malware detection.
3. Examine the Windows Defender history.
Task 1: Perform a quick scan
1. On LON-CL1, open Control Panel, and then open Windows Defender.
2. On the Home page, perform a quick scan, and then review the results.
3. Close Windows Defender.
Task 2: Test malware detection
1. Open File Explorer, and then browse to E:\Labfiles\Mod08\Malware.
2. In the Malware folder, open sample.txt in Notepad. The sample.txt file contains a text string that is
used to test malware detection.
3. In the sample.txt file, delete both instances of <remove>, including the brackets.
4. Save and close the file. Immediately, Windows Defender detects a potential threat.
5. Shortly thereafter, the sample.txt will be removed from the Malware folder.
Task 3: Examine the Windows Defender history
1. Open Control Panel, and then open Windows Defender.
2. On the History tab, click View Details, and then review the results.
3. Remove any quarantined files.
4. Close Windows Defender.

Results: After completing this exercise, you should have configured and used Windows Defender.
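The settings from Advanced Scanning Options and the tasks of Lab C, performed from Windows PowerShell
instead of the Windows Defender window. This is an added example and not part of the course; it assumes
the Defender module that Windows 8.1 ships with (Set-MpPreference, Get-MpPreference, Update-MpSignature,
Start-MpScan, Get-MpThreatDetection, Get-MpThreat, Remove-MpThreat) and an elevated session. The 30-day
quarantine purge value is a chosen sample value inside the range the topic describes.

```powershell
# Added example, not part of the course: Windows Defender configured from PowerShell.
# Assumes the Defender module (Windows 8.1) and an elevated session.
#Requires -RunAsAdministrator
Import-Module Defender

# Lab C scenario: a full scan every day at 2:00 A.M. ScanParameters selects the type of
# the scheduled scan (QuickScan or FullScan); ScanScheduleTime is a time of day.
Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Everyday -ScanScheduleTime 02:00:00

# The five advanced options, expressed as preferences. Several of them are "Disable..."
# switches, so $false turns the option ON.
$advanced = @{
    DisableArchiveScanning              = $false  # Scan archive files
    DisableRemovableDriveScanning       = $false  # Scan removable drives
    DisableRestorePoint                 = $false  # Create a system restore point before actions
    DisablePrivacyMode                  = $true   # Allow all users to view the full History results
    QuarantinePurgeItemsAfterDelay      = 30      # Remove quarantined files after 30 days (sample value)
    CheckForSignaturesBeforeRunningScan = $true   # fetch new definitions before each scan
}
Set-MpPreference @advanced

# Confirm what is now in effect (ScanParameters 2 is FullScan).
Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime,
    DisableArchiveScanning, DisableRemovableDriveScanning, DisableRestorePoint,
    DisablePrivacyMode, QuarantinePurgeItemsAfterDelay

# Lab C, task 1: update definitions, then run a quick scan.
Update-MpSignature
Start-MpScan -ScanType QuickScan

# Lab C, task 3: the History view. Each detection records when and where something was
# found and which process touched it; Get-MpThreat adds the severity rating.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, DomainUser, Resources |
    Format-Table -AutoSize
Get-MpThreat | Select-Object ThreatID, ThreatName, SeverityID, IsActive

# Remove every active threat once the list above has been reviewed.
Remove-MpThreat
```

The Disable* switches are inverted relative to the check boxes in the window, which is the usual
place a script goes wrong: $false switches the option on. The Get-MpPreference call is the check that
the preferences were actually applied, and SeverityID in the Get-MpThreat output is the rating the note
above tells you to respect before restoring anything from quarantine.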
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-DC1.

Module Review and Takeaways
Best Practice: Configuration Guidelines for Windows Firewall with Advanced Security
You can configure Windows Firewall with Advanced Security in the following ways:
1. Configure a local or remote computer by using either the Windows Firewall with Advanced Security
snap-in to the MMC or the cmdlets in the NetSecurity module for Windows PowerShell.
2. Configure Windows Firewall with Advanced Security settings by using the Group Policy Management
Console or the cmdlets in the NetSecurity module.
3. If you configure the firewall by using Group Policy, you need to ensure that the Windows Firewall
service has explicit write access by its service security identifier to the location that you specify.
4. If you deploy Windows Firewall with Advanced Security by using Group Policy and then block
outbound connections, ensure that you enable the Group Policy outbound rules, and do full testing
in a test environment before deploying. Otherwise, you might prevent all of the computers that
receive the policy from updating the policy in the future, unless you intervene manually.
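The checks a practitioner runs before applying guideline 4 (blocking outbound connections through
Group Policy), using the NetSecurity cmdlets the guidelines mention. This is an added example, not
course material; it assumes the NetSecurity module of Windows 8.1, an elevated session on a test
client, and uses 10.0.0.10 as a constructed placeholder for a domain controller address.

```powershell
# Added example, not part of the course. Assumes the NetSecurity module (Windows 8.1),
# an elevated session on a test client; 10.0.0.10 is a constructed placeholder address.
#Requires -RunAsAdministrator
Import-Module NetSecurity

# What are the default actions today? DefaultOutboundAction is the setting at risk.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# Every enabled outbound Allow rule. After the switch to Block, anything not covered
# here (by program, port or address) stops working, Group Policy refresh included.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Group, Profile |
    Sort-Object Group, DisplayName

# Keep the path to the domain controllers open so the client can still read policy.
New-NetFirewallRule -DisplayName 'Allow outbound to domain controllers' `
    -Direction Outbound -Action Allow -Profile Domain `
    -RemoteAddress '10.0.0.10' -Enabled True

# Only now, and only on the test client: block outbound by default for the domain profile.
Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Block

# Prove that Group Policy still refreshes; if it does not, roll back immediately.
gpupdate /force
# Rollback: Set-NetFirewallProfile -Profile Domain -DefaultOutboundAction Allow
```

The order matters: the allow rules go in first and the default action changes last, so that the
client never reaches a state in which it cannot receive the next policy that would repair it.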
Best Practice: Implementing Defense-in-Depth
Supplement or modify the following best practices for your own work situation:
Create specific rules that help prevent social engineering, and educate users on these rules and their
relevance.
Restrict physical access to servers by locking doors, and then monitor server room access.
Implement antivirus and antispyware software.
Implement host-based firewalls.
Best Practice: Windows Defender
Supplement or modify the following best practices for your own work situation:
1. When you use Windows Defender, you must have current definitions.
2. To help keep your definitions current, Windows Defender automatically installs new definitions as
they are released. You also can set Windows Defender to check online for updated definitions before
scanning.
3. When you scan your computer, before applying actions to detected items, you should select the
advanced option to Create a system restore point. Because you can set Windows Defender to remove
detected items automatically, selecting this option allows you to restore system settings in case you
want to use software that you did not intend to remove.
Review Questions
Question: You need to ensure that traffic passing between a computer in the perimeter network
and one deployed in the internal network is encrypted and authenticated. The computer in the
perimeter is not a member of your AD DS forest. What authentication methods could you use if
you attempted to establish an IPsec rule between these two computers?
Question: If you wanted to ensure that only domain computers can communicate with other
domain computers, how could you achieve this with Windows Firewall?
Question: What does Windows Defender do to software that it quarantines?
Module 9
Configuring File Access and Printers on Windows 8.1 Clients
Contents:
Module Overview 9-1
Lesson 1: Managing File Access 9-2
Lesson 2: Managing Shared Folders 9-16
Lesson 3: Configuring File Compression 9-25
Lab A: Configuring File Access 9-29
Lesson 4: Overview of SkyDrive 9-32
Lesson 5: Managing Printers 9-37
Lab B: Configuring Printers 9-41
Module Review and Takeaways 9-43

Module Overview
This module provides the information and tools that you need to manage access to shared folders and
printers on a computer that is running the Windows 8.1 operating system. Specifically, the module
describes how to share and protect folders, configure folder compression, and how to install, configure,
and manage printers. Additionally, this module introduces SkyDrive functionality.
To maintain network or local file and printer systems, it is essential to understand how to safeguard these
systems and make them operate as efficiently and effectively as possible. This includes setting up NTFS
folder permissions, compressing and managing shared folders and files, and configuring printers.
Objectives
After completing this module, you will be able to:
Implement file access management in Windows 8.1.
Configure management of shared folders.
Configure file compression in Windows 8.1.
Describe the purpose and functionality of SkyDrive.
Manage printers.
Lesson 1
Managing File Access
One of the most common ways that users access data is from network file shares. You can control access to
file shares with file share permissions and NTFS permissions. Understanding how to determine effective
permissions is essential to securing your files.
You can use NTFS permissions to define the level of access that users have to files that are available on a
network or locally on a Windows 8.1 computer. This lesson explores NTFS permissions and describes the
tools for managing files and folders, in addition to the effect of various file and folder activities on these
permissions.
Lesson Objectives
After completing this lesson, you will be able to:
Describe local security permissions.
Describe the concept of permission inheritance.
Describe the tools for managing files and folder access.
Configure NTFS permissions.
Determine effective permissions.
Describe how copying and moving files and folders affects NTFS permissions.
Describe effective permissions.
Implement conditions to limit file and folder access.
Configuring Local Security Permissions
Permission is the authorization to perform an operation on a specific object, such as a file. The
object's owner, or anyone with authority to grant permissions, can do so. This typically includes system
administrators. If you own an object, you can grant any user or security group any permission on that
object, including the permission to take ownership.
Every container and object on a network has a set of access-control information attached to it. Known
as a security descriptor, this information controls the type of access allowed to users and groups. You
can define permissions within an object's security descriptor and then associate them with or assign
them to specific users and groups.
File and folder permissions define the type of access that you grant to a user, group, or computer. For
example, you can let one user read a file's contents, while you let another user make changes to that
file. Alternatively, you can prevent all other users from accessing that file. You can set similar
permissions on folders.
There are two levels of permissions:
Shared folder permissions. These allow security principals such as users to access shared resources
from across a network. Shared folder permissions only are in effect when a user accesses a resource
from a network. The next lesson covers this topic in detail.
NTFS permissions. These always are in effect, irrespective of whether a user accesses a file by
connecting across a network or by logging on to the local machine where the resource is located. You
can grant NTFS permissions to a file or folder for a named group or user.
Each NTFS file and folder has an access control list (ACL) with a list of users and groups who have
permissions on the file or folder. Each entry in the ACL is an access control entry that identifies the specific
permissions granted to a user or group.
Conflicts Between User Rights and Permissions
User rights allow administrators to assign specific privileges and logon rights to groups or users. These
rights authorize users to perform specific actions, such as logging on to a system interactively or backing
up files and directories. User rights are different from permissions: user rights apply to user accounts,
whereas permissions are attached to objects.
Administrators can employ user rights to manage who has the authority to perform operations that span
an entire computer, rather than a particular object. Administrators assign user rights to individual users
or groups as part of a computer's security settings. Although you can manage user rights centrally through
Group Policy, Windows 8.1 applies user rights locally. Users can, and usually do, have different user rights
on different computers.
Unlike permissions, which an object's owner (or a user with appropriate permissions) grants, you assign
user rights as part of a computer's local security policy.
There are two types of user rights: privileges, such as the right to back up files and directories, and logon
rights, such as the right to log on to a system locally.
Possible Scenarios
Conflicts between rights and permissions typically occur only where the rights that are required to
administer a system overlap with resource-ownership rights. When there is a conflict, rights override
permissions.
For example, to create a backup of files and folders, backup software must be able to traverse all folders in
an NTFS volume, list the contents of each folder, read the attributes of every file, and read data in any file
that has its archive attribute set. It is impractical to arrange this access by coordinating with the owner of
every file and folder. Therefore, the required rights are included in the Back up files and directories right,
which is assigned by default to two built-in groups: Administrators and Backup Operators. Any user who
has this right can access all files and folders on the computer to back up the system. The same default
permissions that allow members of the Backup Operators group to back up and restore files also enable
them to use the group's permissions for other purposes, such as reading another user's files or installing
Trojan horse programs. Therefore, you should limit the Backup Operators group to highly trusted user
accounts that require the ability to back up and restore computers.
The ability to take ownership of files and other objects is another case where an administrator's need to
maintain a system takes priority over an owner's right to control access. Normally, you can take ownership
of an object only if its current owner grants you permission to do so. Owners of NTFS objects can allow
another user to take ownership by granting the other user Take Ownership permission. Owners of Active
Directory Domain Services (AD DS) objects can grant another user the Modify Owner permission. A user
who has this right can take ownership of an object without the current owner's permission. By default, the
right is assigned only to the built-in Administrators group. Administrators typically use this to take and
reassign ownership of resources for which the current owner is no longer available.
Types of NTFS Permissions
The two types of NTFS permissions are standard and special:
Standard permissions are the most commonly used permissions.
Special permissions provide a finer degree of control for assigning access to files and folders.
However, special permissions are more complex to manage than standard permissions.
Standard File and Folder Permissions
The following table lists the standard NTFS file and folder permissions. You can choose whether to allow
or deny each of the permissions.
File permissions: Description
Full Control: Complete control of the file or folder and control of permissions.
Modify: Read and write permission; this applies to an object and any child objects by default. The
specific permissions that make up Modify are Traverse Folder/Execute File, List Folder/Read Data, Read
Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write
Attributes, Write Extended Attributes, Delete, and Read Permissions.
Read and Execute: With this permission, you can see folder content, read files, and start programs;
this applies to an object and any child objects by default. The specific permissions that make up Read
and Execute are Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended
Attributes, and Read Permissions.
Read: Read-only permission; this applies to an object and any child objects by default. The specific
permissions that make up Read are List Folder/Read Data, Read Attributes, and Read Extended Attributes.
Write: With this permission, you can change folder and file content; this applies to an object and any
child objects by default. The specific permissions that make up Write are Create Files/Write Data,
Create Folders/Append Data, Write Attributes, and Write Extended Attributes.
Special permissions: A custom configuration.
Note: Groups or users that are granted Full Control on a folder can delete any files in that
folder, regardless of the permissions protecting the file.
To modify NTFS permissions, you must have the Full Control NTFS permission for a folder or file. The one
exception is for file and folder owners. The owner of a file or folder can modify NTFS permissions, even if
they do not have any current NTFS permissions. Administrators can take ownership of files and folders to
make modifications to NTFS permissions.
Special File and Folder Permissions
Special permissions give you a finer degree of control for assigning access to files and folders. However,
special permissions are more complex to manage than standard permissions. The following table defines
the special permissions for which you can provide custom configuration for each file and folder.
File permissions: Description
Traverse Folder/Execute File: The Traverse Folder permission applies only to folders and allows or
denies a user permission to move through folders to reach other files or folders, even if the user does
not have permissions for the traversed folders. Traverse Folder takes effect only when you do not grant
the Bypass Traverse Checking user right to a group or user. You assign the Bypass Traverse Checking user
right under User Rights Assignment in the Group Policy snap-in. By default, the Everyone group is given
the Bypass Traverse Checking user right. The Execute File permission allows or denies running (executing)
program files. If you set the Traverse Folder permission on a folder, the Execute File permission is not
set automatically on all files in that folder.
List Folder/Read Data: The List Folder permission allows or denies a user permission to view file names
and subfolder names in a folder. The List Folder permission applies only to folders and affects only the
contents of that folder; it does not determine whether the folder on which you set the permission is
itself listed in its parent's folder list. The Read Data permission applies only to files, and it allows
or denies a user permission to view data in files.
Read Attributes: The Read Attributes permission allows or denies a user permission to view the attributes
of a file or folder, such as the read-only and hidden attributes. NTFS defines the attributes.
Read Extended Attributes: The Read Extended Attributes permission allows or denies a user permission to
view the extended attributes of a file or folder. Extended attributes are defined by programs, and they
can vary by program.
Create Files/Write Data: The Create Files permission applies only to folders, and it allows or denies a
user permission to create files in the folder. The Write Data permission applies only to files and allows
or denies a user permission to make changes to a file and overwrite existing content.
Create Folders/Append Data: The Create Folders permission applies only to folders and allows or denies a
user permission to create folders in the folder. The Append Data permission applies only to files and
allows or denies a user permission to make changes to the end of the file, but not to change, delete, or
overwrite existing data.
Write Attributes: The Write Attributes permission allows or denies a user permission to change the
attributes of a file or folder, such as read-only or hidden. NTFS defines the attributes. The Write
Attributes permission does not imply that you can create or delete files or folders. It includes only
the permission to make changes to the attributes of a file or folder.
Write Extended Attributes: The Write Extended Attributes permission allows or denies a user permission to
change the extended attributes of a file or folder. Programs define the extended attributes, which can
vary by program. The Write Extended Attributes permission does not imply that a user can create or delete
files or folders. It includes only the permission to make changes to the extended attributes of a file or
folder.
Delete Subfolders and Files: The Delete Subfolders and Files permission applies only to folders and
allows or denies a user permission to delete subfolders and files, even if you do not grant Delete
permission on the subfolder or file.
Delete: The Delete permission allows or denies a user permission to delete the file or folder. If you do
not have the Delete permission on a file or folder, you can still delete the file or folder if you have
the Delete Subfolders and Files permission on the parent folder.
Read Permissions: The Read Permissions permission allows or denies a user permission to read the
permissions on a file or folder, such as Full Control, Read, and Write.
Change Permissions: The Change Permissions permission allows or denies a user permission to change the
permissions on a file or folder, such as Full Control, Read, and Write.
Take Ownership: The Take Ownership permission allows or denies a user permission to take ownership of a
file or folder. The owner of a file or folder can change permissions on it regardless of any existing
permissions that protect the file or folder.
Conditions
In Windows 8.1, you can assign conditions that must be met for a permission to take effect. You can base
conditions on group memberships or the device with which a user accesses a file or folder. When viewing
the NTFS permissions for a file or folder, the applied conditions are listed in the Condition column in the
Advanced Security Settings for <file/foldername>.
When you use a Group condition, you can specify that the permission will apply to the user based on
the following group membership rules:
o Member of Any of the specified groups.
o Member of Each of the specified groups.
o Not Member of Any of the specified groups.
o Not Member of Each of the specified groups.
When you use a Device condition, you can specify that the permission will apply if a user accesses the
file from a specified computer or computers. The following topic explains this condition further.
You can specify multiple conditions that must be met for the configured permission to apply. For
example, you can create a permission that would give members of the Financial group Full Control
permissions if they also are members of the Managers group and are accessing the folder from
<computername>.
Overview of Permission Inheritance
There are two types of permissions:
Explicit permissions. Permissions that are set by default on nonchild objects when an object is created,
or by user action on nonchild, parent, or child objects.
Inherited permissions. Permissions that propagate to an object from a parent object. Inherited
permissions ease the task of managing permissions and ensure the consistency of permissions among all
objects within a given container.
Permission inheritance allows the NTFS permissions that are set on a folder to apply automatically to files
that users create in that folder and its subfolders. This means that you can set NTFS permissions for an
entire folder structure at a single point. If you have to modify the permissions, you then only have to
perform the change at that single point.
For example, when you create a folder called MyFolder, all subfolders and files created within MyFolder
automatically inherit that folder's permissions. Therefore, MyFolder has explicit permissions, while all
subfolders and files within it have inherited permissions.
You also can add permissions to files and folders below an initial point of inheritance without modifying
the original permissions assignment. This grants a specific user or group different access than the
inherited permissions.
Inheritance for All Objects
If the Allow or Deny check boxes that are associated with each of the permissions appear shaded, a file or
folder has inherited permissions from its parent folder. There are three ways to make changes to inherited
permissions:
Make changes to a parent folder, and then the file or folder will inherit these permissions.
Select the opposite permission (Allow or Deny) to override the inherited permission.
Choose not to inherit permissions from a parent object. You then can make changes to the
permissions or remove a user or group from the permissions list of the file or folder.
You also can deny permissions explicitly. For example, Alice might not want Bob to be able to read her file
even though he is a member of the Marketing group. She can exclude Bob by explicitly denying him
permission to read the file. Normally, this is how you use explicit denial to exclude a subset (such as
Bob) from a larger group (such as Marketing) that is given permission to perform an operation.
Note that while possible, the use of explicit denials increases the complexity of the authorization policy,
which can create unexpected errors. For example, you might want to allow domain administrators to
perform an action but deny domain users. If you attempt to implement this by explicitly denying domain
users, you also deny any domain administrators who also are domain users. Though it is sometimes
necessary, you should avoid the use of explicit denials.
In most cases, Deny overrides Allow unless a folder inherits conflicting settings from different parents. In
that case, the setting inherited from the parent closest to the object in the subtree will have precedence.
Note: Inherited Deny permissions do not prevent access to an object if the object has an
explicit Allow permission entry. Explicit permissions take precedence over inherited permissions,
even inherited Deny permissions.
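A small model of the order in which Windows reads the entries of an access control list, added here to
show why the Note above holds (an explicit Allow beats an inherited Deny) while an explicit Deny still
beats every Allow. This is an added example and not part of the course; the function name, the SIDs and
the rights are constructed sample data rather than values taken from a real system.

```powershell
# Added example, not part of the course: a model of canonical DACL evaluation.
# Test-AceAccess, the SIDs and the Rights values are constructed for illustration.
function Test-AceAccess {
    param(
        [Parameter(Mandatory)] [hashtable[]] $Acl,         # entries as they sit on the object
        [Parameter(Mandatory)] [string[]]    $Principals,  # the user's SID plus group SIDs
        [Parameter(Mandatory)] [string[]]    $Requested    # rights being asked for
    )
    # Canonical order: explicit entries first, then inherited ones, nearest parent
    # first; within each level, Deny entries precede Allow entries.
    $ordered = $Acl | Sort-Object -Property @(
        @{ Expression = { if ($_.Inherited) { 1 } else { 0 } } },
        @{ Expression = { [int]$_.Depth } },
        @{ Expression = { if ($_.Type -eq 'Deny') { 0 } else { 1 } } }
    )
    $remaining = @($Requested)
    foreach ($ace in $ordered) {
        if ($Principals -notcontains $ace.Identity) { continue }
        $hit = @($remaining | Where-Object { $ace.Rights -contains $_ })
        if ($hit.Count -eq 0) { continue }
        if ($ace.Type -eq 'Deny') {
            # A matching Deny that covers any still-ungranted right ends the check.
            return [pscustomobject]@{ Access = $false; DecidedBy = $ace.Source }
        }
        # An Allow removes the rights it grants; once nothing remains, access is granted.
        $remaining = @($remaining | Where-Object { $hit -notcontains $_ })
        if ($remaining.Count -eq 0) {
            return [pscustomobject]@{ Access = $true; DecidedBy = $ace.Source }
        }
    }
    [pscustomobject]@{ Access = $false; DecidedBy = 'no entry grants the remaining rights' }
}

# Constructed sample identities.
$bob       = 'S-1-5-21-0-0-0-1001'
$marketing = 'S-1-5-21-0-0-0-2001'

# Case 1, the Alice/Bob example: Marketing is allowed Read by inheritance from the
# parent folder (Depth 1), and Alice adds an explicit Deny Read for Bob on the file.
$fileAcl = @(
    @{ Identity = $bob;       Type = 'Deny';  Rights = @('Read');          Inherited = $false; Depth = 0; Source = 'explicit Deny for Bob' }
    @{ Identity = $marketing; Type = 'Allow'; Rights = @('Read', 'Write'); Inherited = $true;  Depth = 1; Source = 'inherited Allow for Marketing' }
)
Test-AceAccess -Acl $fileAcl -Principals $bob, $marketing -Requested 'Read'

# Case 2, the Note above: the parent denies Marketing Read, but the file carries an
# explicit Allow Read for Bob, which is read before the inherited Deny.
$fileAcl2 = @(
    @{ Identity = $marketing; Type = 'Deny';  Rights = @('Read'); Inherited = $true;  Depth = 1; Source = 'inherited Deny for Marketing' }
    @{ Identity = $bob;       Type = 'Allow'; Rights = @('Read'); Inherited = $false; Depth = 0; Source = 'explicit Allow for Bob' }
)
Test-AceAccess -Acl $fileAcl2 -Principals $bob, $marketing -Requested 'Read'
```

In case 1 the explicit Deny for Bob is the first entry examined that covers Read, so the walk stops
there although Marketing's inherited Allow would have granted it. In case 2 the explicit Allow removes
Read from the remaining rights before the inherited Deny is reached, which is exactly the situation the
Note describes. The same walk also shows why an explicit Deny on a group is so blunt: it is examined
before any Allow, inherited or explicit, that applies to any member of that group.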
Child objects only inherit permissions that they are capable of inheriting. When you set permissions on a
parent object, you can decide whether folders, subfolders, and files can inherit permissions. Perform the
following procedure to assign permissions that can be inherited:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click
Advanced.
2. In the Advanced Security Settings for <file or folder> dialog box, the Inherited From column lists
from where the permissions are inherited. The Applies To column lists the folders, subfolders, or files
to which the permissions are applied.
3. Double-click the user or group for which you want to adjust permissions.
4. In the Permissions Entry for <name> dialog box, click the Applies to drop-down list, and then
select one of the following options:
o This folder only
o This folder, subfolders, and files
o This folder and subfolder
o This folder and files
o Subfolders and files only
o Subfolders only
o Files only
5. Click OK in the Permission Entry for <name> dialog box, click OK on the Advanced Security
Settings for <name> page, and then click OK on the Properties page.
If the Special permissions entry in Permissions for <User or Group> box is shaded, it does not
imply that this permission is inherited. Rather, this means that a special permission is selected.
Preventing Permission Inheritance
After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit
these permissions. You can block permission inheritance to restrict access to these files and subfolders. For
example, you can assign all Accounting users the Modify permission to the ACCOUNTING folder. On the
subfolder WAGES, you can block inherited permissions and grant only a few specific users access to the
folder.
Note: When permission inheritance is blocked, you have the option to copy existing
permissions or begin with blank permissions. If you only want to restrict a particular group or
user, then copying existing permissions simplifies the configuration process.
To prevent a child file or folder from inheriting a permission from a parent folder, select This folder only in
the Applies to drop-down list when you set up permissions for the parent folder.
To prevent a folder or file from inheriting permissions from a parent folder, perform the following
procedure:
1. In File Explorer, right-click the file or subfolder, click Properties, click the Security tab, and then click
Advanced.
2. In the Advanced Security Settings for <file or folder> page, click Disable inheritance.
3. In the Block Inheritance dialog box, select any of the following options:
o Convert inherited permissions into explicit permissions on this object
o Remove all inherited permissions from this object
o Cancel
4. Click OK in the Advanced Security Settings for <name> dialog box, and then click OK on the
Properties page.
Forcing Permission Inheritance
The Advanced Security dialog box for folders includes a check box labeled Replace all child object
permission entries with inheritable entries from this object. Selecting this check box will replace the
permissions on all child objects that you have the ability to change permissions on, including child objects
that had Block inheritance configured. This can be particularly useful if you need to change permissions
on a large number of subfolders and files, especially when the original permissions were set incorrectly.
Tools for Managing File and Folder Access
File access is based on NTFS permissions set in ACLs. To use permissions to control access, you need a
way to set permissions on files and folders. A number of tools are available for managing access to files
and folders. This topic will describe the following tools:
File Explorer, formerly known as Windows Explorer
The Windows PowerShell command-line interface
Icacls
File Explorer
File Explorer provides a simple interface that is familiar to most Windows users. You can perform several
functions by using File Explorer, including:
Creating files and folders
Accessing files and folders
Managing properties of files and folders
Searching for content in files and folders
Previewing contents of files and folders
File Explorer is pinned to the taskbar by default in Windows 8.1. You can use File Explorer to access the
properties of any file or folder that is attached to a local computer, provided that you have the rights to
do so. You can manage the attributes and local security (NTFS) permissions of those files and folders.
The toolbar in File Explorer is context sensitive such that when you click a particular type of object, like a
document or a bitmap image, the toolbar presents actions that you can perform on that type of object.
Windows PowerShell
Windows PowerShell provides cmdlets to manage files and folders. To manage NTFS permissions, you can
use the Get-ACL and Set-ACL cmdlets. For example, to see the current ACL on the C:\Perflogs directory
with the output in list format, you would run the following command:
Get-ACL C:\perflogs | Format-List
To modify the ACL of a file or folder, use the Set-ACL cmdlet in conjunction with the Get-ACL cmdlet.
The Get-ACL cmdlet provides the input by getting the object that represents the ACL of the file or folder.
Then the Set-ACL cmdlet changes the ACL of the target file or folder to match the values supplied by the
Get-ACL cmdlet. For example, to set the ACL on the folder C:\Qrt1_Sales to match the permissions,
including inheritance settings, on a folder named C:\Qrt2_Sales, you would run the following command:
Get-ACL C:\Qrt2_Sales | Set-ACL C:\Qrt1_Sales
You also can create variables and arguments to modify existing ACLs.
For more information on the Set-ACL cmdlet, refer to:
Set-ACL
http://go.microsoft.com/fwlink/?LinkId=378245&clcid=0x409
Icacls
Icacls is a command-line utility that you can use to display or modify ACLs. It can grant standard
permissions such as Modify or Full Control, or specific permissions such as Write Data/Add File or Delete,
and it can modify inheritance settings. For example, to disable inheritance, remove the inherited ACLs,
and set new permissions for the Adatum\Sales group to be Modify and the Administrators group to be
Full Control on the folder C:\Data and all the objects in the folder, you would run the following command:
icacls C:\Data /inheritance:r /grant Adatum\Sales:(oi)M /grant Administrators:(oi)F
Here, (oi) instructs Icacls to have the objects in the folder inherit the Modify permission.
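The same change expressed with the Get-Acl and Set-Acl cmdlets, as an added example that is not part of the course material: it stops inheritance on C:\Data, discards the inherited entries, and grants Adatum\Sales Modify and Administrators Full Control with inheritance to the objects in the folder. It assumes an elevated Windows PowerShell session on a domain-joined client where the Adatum\Sales group resolves.

```powershell
# Added example: the Icacls command above, done with Get-Acl / Set-Acl.

function Set-ProtectedFolderAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        # identity -> NTFS right, mirroring the /grant arguments on the Icacls line
        [Parameter(Mandatory)][hashtable]$Grants
    )

    $acl = Get-Acl -Path $Path

    # /inheritance:r -> protect the DACL and drop (do not convert) inherited entries.
    $acl.SetAccessRuleProtection($true, $false)

    # Start from a clean slate: remove explicit entries that were already there.
    foreach ($existing in @($acl.Access)) {
        if (-not $existing.IsInherited) { [void]$acl.RemoveAccessRule($existing) }
    }

    foreach ($identity in $Grants.Keys) {
        # (oi) = ObjectInherit: files in the folder inherit the entry. ContainerInherit
        # is added as well so subfolders (and the files below them) receive it too.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $identity,
            [System.Security.AccessControl.FileSystemRights]$Grants[$identity],
            [System.Security.AccessControl.InheritanceFlags]'ObjectInherit, ContainerInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $Path -AclObject $acl
}

function Get-AclReport {
    # Lists each entry the way the Advanced Security Settings dialog does, so the
    # result can be verified before anyone relies on it.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    Write-Host ("{0}  (inheritance disabled: {1})" -f $Path, $acl.AreAccessRulesProtected)
    $acl.Access | Select-Object IdentityReference, AccessControlType,
        FileSystemRights, IsInherited, InheritanceFlags | Format-Table -AutoSize
}

# Folder and groups are the ones used in the Icacls example above.
Set-ProtectedFolderAcl -Path 'C:\Data' -Grants @{
    'Adatum\Sales'           = 'Modify'        # same as /grant Adatum\Sales:(oi)M
    'BUILTIN\Administrators' = 'FullControl'   # same as /grant Administrators:(oi)F
}
Get-AclReport -Path 'C:\Data'
```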
Demonstration: Configuring Local Security Permissions for Files and Folders
In this demonstration, you will see how to configure NTFS permissions.
Demonstration Steps
Create a new folder
1. Sign in to LON-CL1 as Adatum\Administrator.
2. Start File Explorer.
3. Open the E:\Labfiles\Mod09 folder.
4. Create a folder named Adatum.
Disable inherited permissions on the Adatum folder
1. Open the Advanced security settings for the Adatum folder.
2. Disable inheritance for the Adatum folder, and then convert the inherited permissions to explicit
permissions.
3. Apply the change.
4. Note the change in the inheritance column. Note the contents of the Applies To column.
Create a file in the Adatum folder
1. In the Advanced Security Settings for Adatum dialog box, click OK.
2. Open the Adatum folder, and then create a new file named PermissionsTest.txt.
Examine the permissions on the PermissionsTest file
1. Open the Advanced security settings for the PermissionsTest file.
2. Review the permissions on the PermissionsTest file.
Grant managers Modify permissions on the PermissionsTest file
1. Add the Managers group, and then grant them Modify permissions to the PermissionsTest file.
2. Note the Managers permission and from where it is inherited.
3. Close all open windows.
4. Keep the virtual machines running for the next demonstration.
Determining Effective Access for a File or Folder
Each file and folder contains user and group permissions. Windows 8.1 determines a file or folder's
effective permissions by combining its user and group permissions. For example, if you assign the Read
permission to a user and assign the Modify permission to a group that the user is a member of, the
effective permissions of the user are Modify.
Note: When you combine permissions, a Deny permission takes precedence and overrides an Allow
permission.
Effective Permissions Feature
The Effective Permissions feature determines the permissions a user or group has on an object by
calculating the permissions that are granted to the user or group. The calculation takes into account the
permissions in effect from group membership and any of the permissions inherited from the parent
object. It looks up all domain and local groups in which the user or group is a member.
Note: The Effective Permissions feature always includes the Everyone group when
calculating effective permissions, as long as the selected user or group is not a member of the
Anonymous Logon group.
The Effective Permissions feature only produces an approximation of the permissions that a user has. The
actual permissions a user has might be different because permissions can be granted or denied based on
how a user logs on. The Effective Permissions feature cannot determine this logon-specific information,
because the user might not log on. Therefore, the effective permissions it displays reflect only those
permissions that are specified by a user or group, and not the permissions specified by the logon.
For example, if a user connects to a computer through a file share, the logon for that user is marked as a
Network Logon. You then can grant or deny permissions to the well-known security identifier Network
that the connected user receives. This way, a user has different permissions when logged on locally than
when logged on over a network.
You can view effective permissions in the Advanced Security Settings for <folder> dialog box. You can
access this dialog box from a folder's Properties dialog box by using the Advanced button on the Security
tab, or directly from the Share menu on the ribbon.
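An approximation of the effective permissions calculation described above, as an added example that is not part of the course material: it matches the ACEs on a file or folder against the SIDs in a logon token, ORs the Allow rights together and then strips every right that a matching Deny entry covers, so Deny wins. By default it reads the current logon token, which also carries the logon-type SIDs (for example NT AUTHORITY\INTERACTIVE or NETWORK) that the Effective Permissions feature cannot take into account; the folder path is assumed to exist.

```powershell
# Added example: approximate effective access for a set of token SIDs.

function Get-TokenSids {
    # All SIDs the current logon token carries: the user plus every group,
    # including the well-known logon-type SIDs and Everyone.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object Value)
}

function Get-ApproximateEffectiveAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        # SID strings (S-1-5-...) of the principal and every group it belongs to
        [string[]]$TokenSids = (Get-TokenSids)
    )

    $acl   = Get-Acl -Path $Path
    $allow = 0
    $deny  = 0

    # Resolve identities to SIDs so matching does not depend on name formatting.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($TokenSids -notcontains $ace.IdentityReference.Value) { continue }
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allow = $allow -bor $bits
        } else {
            $deny = $deny -bor $bits
        }
    }

    # Deny precedence: any denied right is removed from the accumulated allows.
    # Caveat: owner-implied rights (READ_CONTROL, WRITE_DAC) and generic-right
    # mapping are not modelled; the kernel's check is the authority.
    $effective = $allow -band (-bnot $deny)

    $rightsType = [System.Security.AccessControl.FileSystemRights]
    $modify     = [int]$rightsType::Modify
    $read       = [int]$rightsType::Read

    [pscustomobject]@{
        Path      = $Path
        Allowed   = [Enum]::ToObject($rightsType, $allow)
        Denied    = [Enum]::ToObject($rightsType, $deny)
        Effective = [Enum]::ToObject($rightsType, $effective)
        HasRead   = (($effective -band $read)   -eq $read)
        HasModify = (($effective -band $modify) -eq $modify)
    }
}

# Folder name taken from the Set-ACL example earlier in this lesson (assumed to exist).
Get-ApproximateEffectiveAccess -Path 'C:\Qtr1_Sales' | Format-List
```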
How Does Copying and Moving Files and Folders Affect Access?
When copying or moving a file or folder, the permissions might change, depending on where you move
the file or folder. Therefore, when you copy or move files or folders, it is important to understand the
impact on permissions.
Effects of Copying Files and Folders
When you copy a file or folder from one folder to another, or from one partition to another, permissions
for the files or folders might change. Copying a file or folder has the following effects on NTFS
permissions:
• When you copy a file or folder within a single NTFS partition, the copy of the folder or file inherits the
permissions of the destination folder.
• When you copy a file or folder to a different NTFS partition, the copy of the folder or file inherits the
permissions of the destination folder.
• When you copy a file or folder to a non-NTFS partition, such as a FAT file system partition, the copy
of the folder or file loses its NTFS permissions because non-NTFS partitions do not support NTFS
permissions.
Note: When you copy a file or folder within a single NTFS partition or between NTFS
partitions, you must have Read permission for the source folder and Write permission for the
destination folder.
Effects of Moving Files and Folders
When moving a file or folder, permissions might change, depending on the permissions of the destination
folder. Moving a file or folder has the following effects on NTFS permissions:
• When you move a file or folder within an NTFS partition, the file or folder inherits the permissions of
the new parent folder. If the file or folder has explicitly assigned permissions, those permissions are
retained in addition to the newly inherited permissions.
Note: Most files do not have explicitly assigned permissions. Instead, they inherit
permissions from their parent folder. If you move files that have only inherited permissions, they
do not retain these inherited permissions during the move.
• When you move a file or folder to a different NTFS partition, the folder or file inherits the permissions
of the destination folder. When you move a folder or file between partitions, Windows 8.1 copies the
folder or file to the new location and then deletes it from the old location.
• When you move a file or folder to a non-NTFS partition, the folder or file loses its NTFS permissions
because non-NTFS partitions do not support NTFS permissions.
Note: When you move a file or folder within an NTFS partition or between NTFS partitions,
you must have both Write permission for the destination folder and Modify permission for the
source file or folder. Modify permission is required to move a folder or file because Windows 8.1
deletes the folder or file from the source folder after it copies it to the destination folder.
The Copy command is not aware of the security settings on folders or files. However, commands that are
more robust have this awareness. For example:
• Xcopy has the /o switch to include Ownership and NTFS ACL settings.
• Robocopy has several switches that will cause security information to be copied:
o /Copy:copyflag(s). The default setting is the equivalent of /Copy:DAT, where D=Data,
A=Attributes, and T=Timestamps. You can add the S flag, where S=Security, i.e., NTFS ACLs.
o /Sec is the equivalent of /Copy:DATS.
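A self-contained check of the copy and move behaviour described in this topic, as an added example that is not part of the course material: it builds two folders under %TEMP%, gives a file an explicit entry, then copies it with Copy-Item, copies it with Robocopy /COPY:DATS and moves it with Move-Item, printing the entries on each result with the IsInherited flag so the outcomes can be compared. The paths, file names and the use of BUILTIN\Users are constructed for the demonstration.

```powershell
# Added example: observe how Copy-Item, Robocopy /COPY:DATS and Move-Item treat ACLs.

function Add-ExplicitAllow {
    # Adds a non-inherited Allow entry so it can be recognised on the results.
    param([string]$Path, [string]$Identity, [string]$Rights, [switch]$Container)
    $acl   = Get-Acl -Path $Path
    $flags = if ($Container) { 'ObjectInherit, ContainerInherit' } else { 'None' }
    $rule  = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $flags, 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Show-Aces {
    param([string]$Path)
    Write-Host "`n== $Path"
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
}

$root = Join-Path $env:TEMP ('AclDemo_' + [guid]::NewGuid().ToString('N'))
$src  = New-Item -ItemType Directory -Path (Join-Path $root 'Src')
$dst  = New-Item -ItemType Directory -Path (Join-Path $root 'Dst')
$robo = Join-Path $root 'DstRobo'     # Robocopy creates this folder itself

# The destination gets its own inheritable entry so entries inherited from the
# destination are easy to spot on the results.
Add-ExplicitAllow -Path $dst.FullName -Identity 'BUILTIN\Users' -Rights 'ReadAndExecute' -Container

# Source file with one explicit (non-inherited) entry.
$file = New-Item -ItemType File -Path (Join-Path $src.FullName 'report.txt') -Value 'demo'
Add-ExplicitAllow -Path $file.FullName -Identity 'BUILTIN\Users' -Rights 'Modify'
Show-Aces $file.FullName

# 1. Copy-Item: a new file is created, so it only receives what the destination hands down.
Copy-Item -Path $file.FullName -Destination (Join-Path $dst.FullName 'copied.txt')
Show-Aces (Join-Path $dst.FullName 'copied.txt')

# 2. Robocopy with the S flag (/COPY:DATS, the same as /SEC) carries the DACL along.
robocopy $src.FullName $robo 'report.txt' /COPY:DATS /NJH /NJS /NFL /NDL | Out-Null
Show-Aces (Join-Path $robo 'report.txt')

# 3. Move-Item within the volume: the file is not recreated, so its own explicit
#    entry travels with it. Compare the IsInherited column with the two copies.
Move-Item -Path $file.FullName -Destination (Join-Path $dst.FullName 'moved.txt')
Show-Aces (Join-Path $dst.FullName 'moved.txt')

# Remove-Item -Path $root -Recurse -Force   # clean up when finished
```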
Discussion: Determining Effective Permissions
This discussion includes a scenario and three underlying situations in which you are asked to apply NTFS
permissions. You and your classmates will discuss possible solutions for each situation.
Scenario
User1 is a member of the Users group and the Sales group. The graphic on the slide, which shows folders
and files on an NTFS partition, includes three situations, each of which has a corresponding discussion
question.
Question: The Users group has Write
permission, and the Sales group has Read permission for Folder1. What permissions does
User1 have for Folder1?
Question: The Users group has Read permission for Folder1. The Sales group has Write
permission for Folder2. What permissions does User1 have for File2?
Question: The Users group has Modify permission for Folder1. The files in Folder2 should
only be accessible to the Sales group, and they should only have Read permission to the
files. What do you need to do to ensure that the members of the Sales group only have Read
permission to the files in Folder2?
Implementing Conditions to Limit File and Folder Access
Windows authorization and access control technologies allow Windows Server 2012 R2 and Windows 8.1
to employ Dynamic Access Control, which provides detailed access to resources by basing access decisions
on conditions. The following list describes the server-based features.
• Central access rules. Conditions based on criteria such as group membership, user claims, device
claims, or resource properties are used to create authorization rules. You then can implement rules to
limit access to resources.
• Central access policies. Central access policies use conditional expressions to restrict access to certain
types of information, such as financial or medical information. You can add policies to central access
rules and then apply the rules to files that contain sensitive data.
• Claims-based authentication. A claim is a piece of information that uniquely identifies a user, device,
or resource. Claims take the form of authentication tokens and might contain different types of
information, such as group memberships, security state of a computer, or classification of a file.
Windows Server 2012 R2 and Windows 8.1 support the following types of claims:
o User claims. AD DS attributes of the user.
o Device claims. AD DS attributes of the computer.
o Resource attributes. Resource properties published in AD DS.
• Conditional expressions. Conditional expressions allow or deny access to resources when conditions
such as group membership are met. You can configure expressions in the properties of the file or
folder, on the Security tab, in Advanced Security Settings when you add a new permission entry or
edit an existing permission entry, or you can use the Active Directory Administrative Center.
Advanced Security Settings
Both Windows Server 2012 R2 and Windows 8.1 provide Advanced Security Settings in the ACL Editor.
You can access these settings by opening the Security Properties of the file or folder and clicking
Advanced. In the Advanced Security Settings dialog box, adding a security principal displays the
Permission Entry screen where you can configure conditions to limit access. For example, you might set a
condition that specifies that only computers in the HR computer group can access the HR shared folder.
You also can specify conditions that have been defined by file classification properties, such as a file's
business impact value. You can define multiple conditions by using the AND or OR operators to provide
granular access.
Lesson 2
Managing Shared Folders
Collaboration is an important part of an administrator's job. Your team might create documents that only
team members can share, or you might work with a remote team member who needs access to your
team's files. Because of collaboration requirements, you must understand how to manage shared folders
in a network environment.
Sharing a folder enables users to connect to it over a network and to access the folders and files that the
shared folder contains.
Shared folders can contain applications, public data, or a user's personal data. Managing shared folders
helps you provide a central location for users to access common files, and it simplifies the task of backing
up data that those folders contain. This module examines various methods of sharing folders, along with
the effect this has on file and folder permissions when you create shared folders on an NTFS-formatted
partition.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe shared folders.
• Describe methods for sharing folders.
• Describe the effect of combining NTFS and share permissions.
• Describe the Network and Sharing Center.
• Describe how to configure a HomeGroup for resource access.
What Are Shared Folders?
Sharing a folder makes it available to multiple users simultaneously over a network. When you share a
folder, you can identify specific users with whom you want to share the folder, or you can share it with all
users on the network. Sharing is limited to folders. You cannot share specific files within a folder that is
not shared.
Most organizations deploy dedicated file servers to host shared folders. You can store files in shared
folders according to categories or functions. For example, you can put shared files for the Sales
department in one shared folder, and shared files for executives in another.
Windows 8.1 uses the Public folder to simplify file sharing. With Public folder sharing enabled, the Public
folders and all the folders within the Public folder are shared automatically with the name Public. You do
not have to configure file sharing on separate folders. Just move or copy a file or folder that you want to
share on the network to the Public folder on your Windows 8.1 client.
In Windows 8.1, members of the Administrators, Power Users, and Server Operators groups can share
folders. Other users who are granted the Create Permanent Shared Objects user right also can share
folders. If a folder resides on an NTFS volume, you must have at least Read permission to share the folder.
When you share a folder, you must decide the permissions that a user or group will have when they
access the folder through the share. This is called sharing permissions.
Basic sharing permissions are simplified greatly in Windows 8.1, which offers two choices:
• Read. The look but do not touch option. Recipients can open, but not modify or delete, a file.
• Read/Write. The full control option. Recipients can open, modify, or delete a file.
You can share folders with others on a network in several different ways:
• In the Shared Folders snap-in to the Microsoft Management Console (MMC)
• In File Explorer
• Through the command line
• Through the Computer Management tool
• By using Windows PowerShell 4.0 cmdlets
Sharing Through Shared Folders
You can use Shared Folders to manage all file shares centrally on a computer. Use this snap-in to create
file shares, set permissions, and to view and manage open files and the users who are connected to a
computer's file shares. Additionally, you can view the properties for the folder, which would allow you to
perform actions such as specifying NTFS permissions.
Using the Shared Folders snap-in presents the Create a Shared Folder Wizard when you create a new
share. By default, the share name is the same as the folder name, and all users have Read access share
permissions.
Sharing Through File Explorer
You can share a folder through File Explorer by using two options:
• Using the Share with option from the shortcut menu or ribbon.
• From the Sharing tab on the Properties dialog box.
Note: When sharing a folder through File Explorer, the default permission gives the
Everyone group Full Control permission. For all other methods of sharing, the default permission
gives the Everyone group Read permission.
Using the Share with Option from the Shortcut Menu or Ribbon
The Share with option is a simple and fast way to share a folder. When you right-click a folder and then
select Share with, you get a submenu that allows you to either stop sharing the folder or share the folder
with specific people. When you share with specific people, you can select Everyone or use Find people to
share the folder with specific groups. After selecting who you want to share with, you can set either Read
or Read/Write permissions. The wizard will set the Share permissions as Everyone Full Control and the
NTFS permissions based on what you selected. The share name will be the same as the folder name.
Using the Sharing Tab on the Properties Dialog Box
Using the Properties dialog box provides two options. You can click the Share button, which then presents
the same dialog box as Share with Specific people, or you can click the Advanced Sharing button. When
you use Advanced Sharing, you can specify the Share name. The default is the same as the folder name,
and you can specify share permissions as Full Control, Change, or Read. Additionally, because you are in
the Properties dialog box, you can click the Security tab and set NTFS permissions.
Sharing Through the Command Line
You can share a folder through the command line by using the net share command, which the following
example shows in its basic form:
net share name=drive:path
This will create a simple share, which uses the share name that you specify and grants all users Read
permissions. Additional options include:
• /Grant:user,permission. Allows you to specify Read, Change, or Full share permissions for the
specified user.
• /Users:number. Allows you to limit the number of users who can connect to the share.
• /Remark:text. Allows you to add a comment to the share.
• /Cache:option. Allows you to specify the caching options for the share.
• sharename /Delete. Allows you to remove an existing share.
Sharing Through Computer Management
The Computer Management tool is a collection of MMC snap-ins that includes the Shared Folders snap-
in.
Sharing by Using Windows PowerShell 4.0 Cmdlets
Windows PowerShell 4.0 introduces several cmdlets that you can use to manage shares in Windows 8.1.
The command for creating a share by using Windows PowerShell 4.0 is:
New-SmbShare -Name ShareName -Path C:\LocalFolder
Additional Windows PowerShell commands for managing shares include:
• Get-SmbShare. Gets a list of the existing shares on the computer.
• Set-SmbShare. Modifies an existing share.
• Remove-SmbShare. Removes an existing share.
• Get-SmbShareAccess. Retrieves the share permissions for a share.
• Get-Acl. Retrieves the NTFS ACL (this cmdlet is not new).
• Grant-SmbShareAccess. Used to set share permissions on a share.
• Set-Acl. Used to set the NTFS ACL for a specified resource (this cmdlet is not new).
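The SmbShare cmdlets listed above put to work, as an added example that is not part of the course material: it creates a share with an explicit access list instead of the default Everyone/Read entry, audits the computer for shares that still grant Everyone anything, and swaps such an entry for Authenticated Users at the same level (the practice recommended later in this lesson). It assumes an elevated session on Windows 8.1; the share name, path and groups (C:\Qtr1_Sales, Adatum\Sales) are taken from earlier in this module and assumed to exist.

```powershell
# Added example: create, audit and repair share permissions with the SmbShare cmdlets.

function New-RestrictedShare {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [string[]]$ReadAccess   = @(),
        [string[]]$ChangeAccess = @(),
        [string[]]$FullAccess   = @('BUILTIN\Administrators')
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType Directory -Path $Path | Out-Null
    }

    # Passing -ReadAccess / -ChangeAccess / -FullAccess makes New-SmbShare build the
    # share ACL from these principals only, so Everyone is never added by default.
    $params = @{ Name = $Name; Path = $Path }
    if ($ReadAccess)   { $params['ReadAccess']   = $ReadAccess }
    if ($ChangeAccess) { $params['ChangeAccess'] = $ChangeAccess }
    if ($FullAccess)   { $params['FullAccess']   = $FullAccess }
    New-SmbShare @params | Out-Null

    # Share permissions act as a filter; the fine-grained decisions stay in NTFS.
    Get-SmbShareAccess -Name $Name |
        Select-Object Name, AccountName, AccessControlType, AccessRight
}

function Get-EveryoneShareGrants {
    # Audit: every non-special share (not C$, ADMIN$, IPC$) that still has an Everyone entry.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        Get-SmbShareAccess -Name $_.Name |
            Where-Object { $_.AccountName -eq 'Everyone' } |
            Select-Object Name, AccountName, AccessControlType, AccessRight
    }
}

function Repair-EveryoneShareGrant {
    # Replace an Allow entry for Everyone with Authenticated Users at the same level.
    param([Parameter(Mandatory)][string]$Name)
    $entry = Get-SmbShareAccess -Name $Name |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
    if (-not $entry) { return }
    Grant-SmbShareAccess -Name $Name -AccountName 'NT AUTHORITY\Authenticated Users' `
        -AccessRight $entry.AccessRight -Force | Out-Null
    Revoke-SmbShareAccess -Name $Name -AccountName 'Everyone' -Force | Out-Null
    Get-SmbShareAccess -Name $Name
}

New-RestrictedShare -Name 'Qtr1Sales' -Path 'C:\Qtr1_Sales' `
    -ChangeAccess 'Adatum\Sales' -ReadAccess 'NT AUTHORITY\Authenticated Users'
Get-EveryoneShareGrants
# Repair-EveryoneShareGrant -Name 'SomeExistingShare'   # run per share the audit reports
```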
Methods for Sharing Folders
Windows 8.1 provides two methods for sharing folders directly from your computer:
• Folder sharing. Enables sharing of music, photos, and other files from any folder on your computer,
without having to move them from their current location. There are two types of folder sharing: basic
and advanced.
• Public folder sharing. Public folders serve as open locations for sharing files. Copying a file into a
public folder makes it immediately available to other users on a computer or network.
Basic Folder Sharing
Basic folder sharing is the simplest form of folder sharing because it enables users to share a folder quickly
and simply. You can create basic folder shares by using the File Explorer Share with Wizard or the net
share command without any additional options.
Advanced Folder Sharing
You can use Advanced Sharing to exert more control over the folder sharing process. When you use
Advanced Sharing to share a folder, you must specify the following information:
• A share name. The default name is the folder name.
• The maximum number of concurrent connections to the folder. The default number is 20 concurrent
connections.
• Shared folder permissions. The default permissions are Read permissions for the special group
Everyone. The permissions that are set here are only share permissions. This does not modify the
underlying NTFS permissions.
• Caching options. The default caching option allows user-selected files and programs to be available
offline. You can disable offline files and programs, or you can configure files and programs to be
available offline automatically.
You can access Advanced Sharing by using the:
• Shared Folder Wizard from the Shared Folder snap-in.
• Sharing tab on the Properties dialog box.
• Command line with optional settings.
Public Folder Sharing
When you turn on Public folder sharing in Windows 8.1, anyone with an account on your computer or a
PC on your network can access the contents of these folders. To share something, copy or move it into
one of the public folders. By default, Windows 8.1 provides the following Public folders:
• Documents
• Music
• Pictures
• Videos
You can view these folders by clicking File Explorer from the Start screen, and then clicking Libraries to
expand the folders.
By default, Public folder sharing is not enabled. However, files stored in the Public folder hierarchy are
available to all users who have an account on a given computer and can log on to it locally. You can
configure Windows 8.1 to allow access to Public folders from a network in the Change advanced sharing
settings link in the Network and Sharing Center in the All Networks section. You can:
• Turn on sharing so that anyone with network access can read and write files in the Public folders.
• Turn off Public folder sharing. Users who are logged on to this computer can still access these folders.
Public folder sharing does not allow you to fine-tune sharing permissions, but it does provide a simple
way to make your files available to others. When you enable public folder sharing, the system group
Everyone is granted Full Control permissions for the share and NTFS permissions.
Discussion: Combining NTFS and Share Permissions
When you create a shared folder on a partition that is formatted with NTFS, both the shared folder
permissions and the NTFS permissions are combined to protect file resources. NTFS permissions apply
whether users access a resource locally or over a network, but they are filtered against the shared folder
permissions.
When you grant shared folder permissions on an NTFS volume, the following rules apply:
• Except when using the Share with Wizard, the Everyone group is granted the Read shared folder
permission.
• Users must have the appropriate NTFS permissions for each file and subfolder in a shared folder, in
addition to the appropriate shared folder permissions, to access those resources.
• When you combine NTFS permissions and shared folder permissions, the resulting permission is the
most restrictive one of the effective shared folder permissions or the effective NTFS permissions.
• The share permissions on a folder apply to that folder, to all files in that folder, to subfolders, and to
all files in those subfolders when the content is accessed through the share.
Note: If the Guest user account is enabled on your computer, the Everyone group includes
anyone. As a best practice, remove the Everyone group from any permission lists, and replace it
with the Authenticated Users group.
The following analogy can be helpful in understanding what happens when you combine NTFS and share
permissions. When you are dealing with a shared folder, you must always go through the shared folder to
access its files over a network. Therefore, you can think of the shared folder permissions as a filter that
only allows users to perform those actions that are acceptable to the share permissions. All NTFS
permissions that are less restrictive than the share permissions are filtered out so that only the most
restrictive permissions remain.
For example, if a share permission is set to Read, the most that you can do is read through the share, even
if individual NTFS file permission is set to Full Control. If you configure the share permission to Modify,
you are allowed to read or modify the share. If the NTFS permission is set to Full Control, the share
permissions filter the effective permission to Modify.
Question: If you assign a user Full Control NTFS permission to a file, but the user accesses
the file through a share with Read permission, what will be the effective permission that the
user will have on the file?
Question: If you want a user to be able to view all files in a shared folder but only be able to
modify certain files in that folder, what permissions do you give the user?
Question: Identify a scenario at your organization where it might be necessary to combine
NTFS and Share permissions. What is the reason for combining permissions?
The Network and Sharing Center
With older versions of Windows operating systems, many different graphical interfaces and commands
were required to configure networking and network sharing. Windows 8.1 makes this significantly easier
by providing all of the required tools in one central location, the Network and Sharing Center. You can
access the Network and Sharing Center through Control Panel.
It is important to be familiar with all aspects of the Network and Sharing Center and be able to use it to
configure all types of network connections. This topic focuses on the network sharing aspect of the
Network and Sharing Center. The Networking module, which is Module 6 in this course, covers
network-configuration topics.
The Network and Sharing Center provides the following tools:
• Set up a new connection or network
• Change advanced sharing settings
• Troubleshoot problems
Set Up a New Connection or Network
You can customize currently active network connections and set up a new connection. Use the graphical
view of your current network to change the description and icon appearance of network components to
include more information. View and change network connection properties by clicking View Status on
the right side of the connection listing.
You can maintain the following network connections in this section:
• Connect to the Internet. Set up a wireless, broadband, or dial-up connection to the Internet.
• Set up a new network. Configure a new router or access point.
• Set up a dial-up connection. Connect to the Internet by using a dial-up connection.
• Connect to a workplace. Set up a dial-up or virtual private network connection to your workplace.
Note: You can change the network location profile between private and public. This
changes firewall and visibility settings for that network connection.
Change Advanced Sharing Settings
The Network and Sharing Center includes a Change advanced sharing settings link that you can use to
enable, disable, and change the way that various network services behave. The first time that you connect
to a network, you must choose a network location. This automatically sets the appropriate firewall,
security, and sharing settings for the type of network to which you connect.
If you connect to networks in different locations, such as from your home network, at a local coffee shop,
or at work, then choosing a network location can help ensure that your computer is always set to an
appropriate security level. When a user connects to a new network, they can select one of the following
network locations in Windows 8.1:
• Private. In a trusted private network, all computers on a network are in a private network, and you
recognize them. Do not choose this network location for public places such as coffee shops and
airports.
Network discovery and file and printer sharing are turned on for private networks. This allows you to
see and access other computers and devices on a network and allows other network users to see and
access your computer.
• Guest or Public. If you do not recognize all the computers on a network (for example, you are in a
coffee shop or airport, or you have mobile broadband), then this is a public network and is not
trusted. This location helps you keep your computer from being visible to other computers around
you and helps protect your computer from any malware from the Internet. Also, choose this option if
you connect directly to the Internet without using a router or if you have a mobile broadband
connection. Network discovery and file and printer sharing are turned off.
• Domain. The domain network location is used for domain networks such as those in corporate
workplaces. Your network administrator typically controls this type of network location.
• All Networks. These settings apply regardless of the network profile.
Windows 8.1 automatically applies correct network settings based on the network location. For each of
these network profiles, you can configure the following network sharing settings:
• Network discovery (On/Off). When network discovery is on, your computer can see other network
computers and devices and is visible to other network computers.
• File and printer sharing (On/Off). When file and printer sharing is on, people on the network can
access files and printers that you have shared from your computer.
Note: By default, Windows 8.1 uses Windows Firewall with Advanced Security. Therefore,
using another firewall might interfere with the network discovery and file sharing features.
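The Network discovery and File and printer sharing switches in Change advanced sharing settings toggle the Windows Firewall rule groups of the same names, so their state can be audited per profile from PowerShell. The following is an added example, not part of the course material; it assumes Windows 8.1 with the NetSecurity and NetConnection cmdlets and the English display-group names, and only reads state unless the commented lines at the end are enabled.

```powershell
# Added example: report network location and sharing-related firewall rule state per profile.

function Get-SharingRuleState {
    foreach ($group in 'Network Discovery', 'File and Printer Sharing') {
        $rules = @(Get-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue)
        foreach ($profile in 'Domain', 'Private', 'Public') {
            # A rule applies to a profile if its Profile is that profile or Any.
            $scoped = @($rules | Where-Object {
                $p = $_.Profile.ToString()
                $p -eq 'Any' -or ($p -split ',\s*') -contains $profile
            })
            [pscustomobject]@{
                Feature      = $group
                Profile      = $profile
                EnabledRules = @($scoped | Where-Object { $_.Enabled -eq 'True' }).Count
                TotalRules   = $scoped.Count
            }
        }
    }
}

function Get-ConnectionProfileState {
    # Which location (Public, Private or DomainAuthenticated) each active connection has.
    Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
}

Get-ConnectionProfileState | Format-Table -AutoSize
Get-SharingRuleState       | Format-Table -AutoSize

# To turn File and printer sharing off for the Public profile only (the Off option
# under Guest or Public), disable the rules scoped to that profile:
# Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' |
#     Where-Object { $_.Profile.ToString() -match 'Public' } | Disable-NetFirewallRule
```

Rules whose Profile is Any count toward every profile in the report and would be disabled for all profiles by the commented command, so check the report first.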
The following settings apply to All Networks:
• Public folder sharing (On/Off). When Public folder sharing is on, people on the network, including
HomeGroup members, can access files in public folders.
• Media streaming (On/Off). When media streaming is on, people and devices on the network can
access pictures, music, and videos on your computer. Your computer also can find media on the
network.
• File sharing connections (128-bit encryption, or 40- or 56-bit encryption). Windows uses 128-bit
encryption to help protect file sharing connections. Some devices do not support 128-bit encryption
and must use 40- or 56-bit encryption.
Note: When a Server Message Block (SMB) client connects to a Windows share, the systems
negotiate their highest level of encryption, and the server will transfer an encryption key to the
client. This encryption key is used to generate an encrypted hash of the connecting user's
password. This hash is then sent to the server with the user name. The server then will decrypt the
hash and validate the user. This ensures that the user's password is never transmitted. If you are
using older client systems, you might need to allow 40-bit or 56-bit encryption.
Troubleshoot Problems
Use this feature to diagnose and repair network problems and to get troubleshooting information for the
following network components:
• Internet connections
• Shared folders
• HomeGroup
• Network adapter
• Incoming connections
• Connection to a workplace by using Windows 8.1 DirectAccess
• Printers
Configuring a HomeGroup for Resource Access
A HomeGroup allows you to connect multiple computers and share devices and libraries on your home
network if the systems are running Windows 7 or newer. When you set up your first home computer with
the basic version of Windows 8.1, a HomeGroup is created automatically. HomeGroups are password
protected automatically by a system-generated password. You can change the system-generated
password to one of your choosing in the HomeGroup settings.
When you add a second Windows 8.1 computer, you will be asked to join an existing HomeGroup instead
of creating a new one. To join an existing HomeGroup, you need to perform the following procedure:
1. Locate the password for your HomeGroup by going to HomeGroup settings on the first PC. Note the
password from the Membership section. You will need to enter it on the new computer.
2. On the new Windows 8.1 PC, go to the HomeGroup settings and locate the Membership section.
Windows will detect the HomeGroup automatically and prompt you for the password.
3. Enter the password of the HomeGroup and click Join.
The HomeGroup settings screen allows you to select which libraries or devices and printers you wish to
share with other users in the HomeGroup. The default permission for shared libraries is Read, but you can
change this. You also can exclude specific files from sharing. You can choose to share resources such as
individual files or devices with specific people or with everyone in the HomeGroup.
The HomeGroup will show up in File Explorer in the left pane and is named HomeGroup. Expanding the
HomeGroup folder will display the resources that are available on the network by the user name of the
owner of the device or library.
HomeGroups have the following restrictions:
A computer's network location must be set to Private to join a HomeGroup.
Network sharing must be turned on.
Computers that are running Professional or Enterprise versions of Windows operating systems cannot
create HomeGroups, but they can join them.
Devices that are running Windows RT 8.1 can join a HomeGroup, but they cannot create one or share
content in one.
You cannot delete HomeGroups, but if nothing is shared and no computers have joined the HomeGroup,
it effectively does not exist.
Lesson 3
Configuring File Compression
The primary focus of this lesson is to examine the two methods in Windows 8.1 for compressing files and
folders to consume less disk space: NTFS file compression and compressed files and folders.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how NTFS file compression works.
Describe the impact of moving or copying compressed files and folders.
Describe how to create a compressed folder.
Compress files and folders.
Compressing Content to Save Disk Space
NTFS supports file compression on an individual-
file basis. The file compression algorithm is a
lossless compression algorithm. This means that
no data is lost when compressing and
decompressing a file, as opposed to other types of
compression algorithms, where some data is lost
each time data compression and decompression
occur.
NTFS compression, which is available on volumes
that use NTFS, has the following features and
limitations:
Compression is an attribute of a file or folder.
Volumes, folders, and files on an NTFS volume are either compressed or uncompressed.
New files that are created in a compressed folder are compressed by default.
The compression state of a folder does not necessarily reflect the compression state of the files within
that folder. For example, you can compress a folder without compressing its contents, and you can
compress some or all of the files in a compressed folder.
You can work with NTFS-compressed files without decompressing them yourself, because Windows
decompresses and recompresses them without user intervention:
o When you open a compressed file, the Windows operating system automatically decompresses it
for you.
o When the file closes, the Windows operating system compresses it again.
NTFS-compressed file and folder names display in a different color to make them easier to identify.
NTFS-compressed files and folders only remain compressed while they are stored on an NTFS volume.
You cannot encrypt an NTFS-compressed file.
The compressed bytes of a file are not accessible to applications, which see only the uncompressed
data:
o Applications that open a compressed file can perform tasks on it as if the file was not
compressed.
o You cannot copy compressed files to another file system.
Note: You can use the compact command-line tool to manage NTFS compression.
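The compact tool and the attributes described above, as an added PowerShell example that is not part of the course material: it compresses the lab folder used later in this module, reads back the Compressed and Encrypted attributes of each file, and compares each file's logical length with the space its compressed data occupies. The function names Get-CompressionState and Get-SizeOnDisk are chosen for this example.

```powershell
# Added example (not from the course): NTFS compression from the command line.
# Run in an elevated PowerShell session; $folder must be on an NTFS volume.
$folder = 'E:\Labfiles\Mod09\Windows8Docs'   # lab folder used in this module

# compact.exe with no action switch reports the state and ratio of each file.
compact.exe "/S:$folder"

# Compress the folder and its contents. /C compress, /S recurse, /I ignore errors,
# /Q report only a summary. Use /U instead of /C to uncompress again.
compact.exe /C "/S:$folder" /I /Q

# Compression is a file attribute, so the state of each file can be read directly.
# The same attribute set carries the Encrypted flag; NTFS never sets Compressed
# and Encrypted together on one file, which is the restriction listed above.
function Get-CompressionState {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            File       = $_.FullName
            Length     = $_.Length
            Compressed = [bool]($_.Attributes -band [IO.FileAttributes]::Compressed)
            Encrypted  = [bool]($_.Attributes -band [IO.FileAttributes]::Encrypted)
        }
    }
}

# GetCompressedFileSize is the Win32 API that returns the size of a file's
# compressed data. Applications that read the file still see the full Length.
Add-Type -Namespace Win32 -Name FileSize -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint GetCompressedFileSize(string lpFileName, out uint lpFileSizeHigh);
'@

function Get-SizeOnDisk {
    param([Parameter(Mandatory)][string]$File)
    $high = [uint32]0
    $low  = [Win32.FileSize]::GetCompressedFileSize($File, [ref]$high)
    ([uint64]$high -shl 32) -bor [uint64]$low
}

# Report: every file with its attributes, logical size and compressed size.
Get-CompressionState -Path $folder |
    Select-Object File, Length, Compressed, Encrypted,
        @{ Name = 'SizeOnDisk'; Expression = { Get-SizeOnDisk -File $_.File } } |
    Format-Table -AutoSize
```

Running the report before and after the compact.exe /C call shows the point made in the bullet list: the Length column does not change, only SizeOnDisk does, and any file whose Encrypted column is True is skipped by compression.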
Discussion: What Is the Impact of Moving and Copying Compressed Files
and Folders?
Moving and copying compressed files and folders
can change their compression state.
This discussion presents five situations in which
you are asked to identify the impact of copying
and moving compressed files and folders. You and
your classmates will discuss the possible solutions
for each situation.
Question: What happens to the compression
state of a file or folder when you copy it
within an NTFS partition?
Question: What happens to the compression
state of a file or folder when you move it within an NTFS partition?
Question: What happens to the compression state of a file or folder when you copy or move
it between NTFS partitions?
Question: What happens to the compression state of a file that you copy or move between
FAT32 and NTFS volumes?
Creating a Compressed (Zipped) Folder
In Windows 8.1, you can combine several files and
folders into a single compressed folder by using
the Compressed (zipped) Folder feature. Use this
feature to share a group of files and folders with
others, without being concerned about sending
individual files and folders.
Files and folders that you compress by using the
Compressed (zipped) Folder feature can be
compressed on FAT and NTFS drives. A zipper
icon identifies files and folders that are
compressed by using this feature.
You can open files directly from these compressed
folders, and you can run some programs directly from compressed folders without
uncompressing them. Files in compressed folders are compatible with other file compression programs
and files. You also can move compressed files and folders to any drive or folder on your computer, the
Internet, or your network.
Compressing folders by using Compressed (zipped) Folder does not affect a computer's overall
performance. CPU utilization increases only when you use Compressed (zipped) Folder to compress a file.
Compressed files take up less storage space, and you can transfer them to other computers more quickly
than uncompressed files. You can work with compressed files and folders the same way you work with
uncompressed files and folders.
Send To Compressed (zipped) Folder
By using the Send To Compressed (zipped) Folder command in File Explorer, you can quickly:
Create a compressed version of a file.
Send a file to a compressed (zipped) folder.
Alternatively, if a compressed folder has been created already, and you need to add a new file or folder to
it, you can drag the desired file to the compressed folder instead of using the Send To Compressed
(zipped) Folder command.
Comparing Zipped Folder Compression and NTFS Folder Compression
You should be aware of the differences between zipped folder compression and NTFS folder compression.
A zipped folder is a single file inside of which Windows allows you to browse. Some applications can
access data directly from a zipped folder, while other applications require that you first unzip the folder
contents before the application can access the data.
In contrast, individual files within a folder are compressed by NTFS compression. Therefore, NTFS
compression does not experience the data access issues that are associated with zipped folders because it
occurs at the individual file system level and not the folder level. Additionally, zipped folders are useful for
combining multiple files into a single email attachment, whereas NTFS compression is not.
File and folder compression that uses the Send To > Compressed (zipped) Folder command is different
from the NTFS file and folder compression that was discussed earlier:
For selected files or folders, the Send To > Compressed (zipped) Folder command compresses the
selected content into a portable zip file. The original file or folder is left unchanged, but a new,
compressed zip file is created.
NTFS compression does not create a second, compressed zip-type file. Instead, it actually reduces the
size of the selected file, folder, or volume by compressing its content.
Note: Unlike NTFS-compressed folders and files, you can move or copy compressed
(zipped) folders without change between volumes, drives, and file systems.
Demonstration: Compressing Files and Folders
In this demonstration, you will see how to compress files and folders.
Demonstration Steps
Compress a file
1. Sign in to LON-CL1 as Adatum\Administrator.
2. Start File Explorer.
3. Open the E:\Labfiles\Mod09\Windows8Docs folder.
4. Compress the largest document in the folder.
5. Examine the file attributes.
Compress a folder
1. Compress the Windows8Docs folder.
2. Examine the folder and files in the folder.
3. Keep the virtual machines running for the next demonstration.
Lab A: Configuring File Access
Scenario
You have users in the Marketing department who need to share files with each other. You will create a
shared folder on the network and configure permissions such that the Marketing users have Modify
permission to the shared folder and all other users have Read permission. You will also test the access to
the shared folder.
Objectives
After completing this lab, you will be able to:
Create a folder shared to all users.
Create a folder shared to specific users.
Lab Setup
Estimated Time: 15 Minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User names: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687B-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-CL2. Do not sign in until directed to
do so.
Exercise 1: Creating a Shared Folder for the Marketing Group
Scenario
You need to create a shared folder for the Marketing Department.
The main tasks for this exercise are as follows:
1. Create a Marketing folder.
2. Share the Marketing folder for Everyone.
3. Configure NTFS permissions for the Marketing folder.
4. Attempt to access the Marketing folder as Ed.
5. Sign in to LON-CL2 as Adam.
6. Attempt to access the Marketing folder as Adam.
Task 1: Create a Marketing folder
1. Sign on to LON-CL1 as Adatum\Administrator.
2. Create a new folder in the E:\Labfiles\Mod09 folder named Marketing.
Task 2: Share the Marketing folder for Everyone
Share the Marketing folder so that Everyone can read it.
Task 3: Configure NTFS permissions for the Marketing folder
1. Configure the Marketing folder so that the Marketing security group has Modify permission.
2. Close all open windows.
Task 4: Attempt to access the Marketing folder as Ed
1. On LON-CL2, sign in as Adatum\Ed with password Pa$$w0rd.
2. Open the \\Lon-CL1\Marketing folder.
3. Attempt to create a file in the Marketing folder.
4. Sign out of LON-CL2.
Task 5: Sign in to LON-CL2 as Adam
Sign in to LON-CL2 as Adatum\Adam.
Task 6: Attempt to access the Marketing folder as Adam
1. Start File Explorer.
2. Open the \\LON-CL1\Marketing folder.
3. Attempt to create a file in the Marketing folder.
4. Close all windows, and then sign out.

Results: After completing this exercise, you should have created and shared a folder for the Marketing
department.
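Tasks 1 to 3 of this exercise done from PowerShell, as an added example that is not part of the lab: it creates the folder, shares it with Everyone at Read, grants the Marketing group Modify in NTFS, and then lists both permission layers so they can be compared before the access tests as Ed and Adam. Paths, share and group names are the lab's own; the commands run on LON-CL1 as Adatum\Administrator. A network client is subject to both layers and gets the more restrictive result, so with the share at Read the NTFS Modify entry only takes effect for local access; the commented Grant-SmbShareAccess line shows the share-level change needed if Marketing members are meant to write over the network.

```powershell
# Added example (not part of the lab): Exercise 1 tasks 1 to 3 from PowerShell,
# run on LON-CL1 as Adatum\Administrator. Paths and names are the lab's own.
$path  = 'E:\Labfiles\Mod09\Marketing'
$share = 'Marketing'
$group = 'ADATUM\Marketing'

# Task 1: create the folder.
New-Item -Path $path -ItemType Directory -Force | Out-Null

# Task 2: share it. Share-level permission: Everyone = Read.
New-SmbShare -Name $share -Path $path -ReadAccess 'Everyone' | Out-Null

# Task 3: NTFS permission. Modify for the Marketing group, inherited by the
# files and subfolders created later. Existing inherited entries are kept.
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Verification: a network client is checked against both layers, and the more
# restrictive one wins. Review them side by side before testing as Ed and Adam.
Get-SmbShareAccess -Name $share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $path).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# If Marketing members must be able to create files over the network, the share
# itself also has to allow writes; NTFS then remains the place to restrict access:
# Grant-SmbShareAccess -Name $share -AccountName $group -AccessRight Change -Force
```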
Exercise 2: Configuring File and Folder Compression
Scenario
In an effort to save space on your hard disk, you will compress a folder that contains documents.
The main tasks for this exercise are as follows:
1. Compress a folder.
Task 1: Compress a folder
1. Switch to LON-CL1.
2. Compress the E:\Labfiles\Mod09\Windows8Docs folder.
3. Examine the folder and files in the folder.

Results: After completing this exercise, you will have compressed a folder.
To prepare for the next lab
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.
Lesson 4
Overview of SkyDrive
In this lesson, you will learn about Microsoft's SkyDrive service and its integration with Windows 8.1.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to use SkyDrive for storing and sharing files.
Describe how to configure SkyDrive.
Describe how to share files in SkyDrive.
Describe how to synchronize and recover SkyDrive files.
Using SkyDrive for Storing and Sharing Files
SkyDrive is Microsoft's cloud-based file service for
Microsoft accounts. The SkyDrive service allows for
7 gigabytes (GB) of free cloud storage. You can
use SkyDrive to save documents in a private store
and a public store so that you can share files with
anyone.
Note: You also can purchase more storage
space by clicking on the Buy more storage link in
the Storage space screen.
Features
SkyDrive offers many features that enable users to access and use SkyDrive as best fits their needs,
such as:
Microsoft Office. You can use Microsoft Office to save documents to SkyDrive by clicking the File
menu in Office 2013, clicking Save (or Save As), and then selecting SkyDrive as the save location.
Microsoft Office Web Apps. You can use Office Web Apps to view and edit documents that are stored
in SkyDrive.
PDF and OpenDocument Format (ODF) Support. You can view PDF and ODF documents that are
saved in SkyDrive.
Bing integration. You can use the Bing Save & Share feature to save search histories in a SkyDrive
folder.
For more information on SkyDrive features, refer to:
SkyDrive
http://go.microsoft.com/fwlink/?LinkId=266561
Accessing SkyDrive
SkyDrive can be accessed in several different ways, including:
A web browser at http://www.SkyDrive.com
Microsoft Office 365 Outlook Web Access
A Windows PC that is running Windows Vista Service Pack 2 (SP2) or newer
Windows Server 2008 SP2 and the Windows Platform Update for Windows Server 2008 or newer
Mac OS X 10.7 (Lion)
Windows Phone app
An iOS app
An iPad app
Windows 8.1
SkyDrive Privacy
The Microsoft Online Privacy Statement specifies the terms of use of the personal information that you
provide when you use SkyDrive. Before you use Microsoft online services, you must read and understand
the privacy statement. The main points in the privacy statement include the following:
Microsoft collects personal information from you when you register, and may combine this
information with data that other companies and Microsoft services collect.
To personalize your experience, Microsoft tracks your interaction with their sites by using cookies and
other technologies.
Microsoft does not share your personal information with third parties, but may provide this
information to companies that work on behalf of Microsoft.
Microsoft uses your personal information to provide services such as personalized content and
advertising to inform you about Microsoft products and services, and to invite you to surveys of
Microsoft services.
Terms of Service
The SkyDrive terms of service specify how the information you post on SkyDrive will be used. Some of the
main terms of service are:
Ownership of Content. You own content such as documents, videos, photos, and email that you
upload to the services store. The same is true of content that you store on the services, or transfer
through it. Microsoft does not claim ownership of your content, except for Microsoft material, such as
clip art, that Microsoft licenses to you, and that you may use in your content.
Access of Content. You can choose who you share your content with. You can choose not to share
your content, to share your content publicly, or choose other users with whom you want to share
your content. If you share your content with other users, they may use, reproduce, distribute, or
display your content for free.
Microsoft Use of Content. Microsoft may use, modify, adapt, save, reproduce, distribute, and display
your content to protect you, and to improve Microsoft services. In such cases, Microsoft protects your
privacy by taking necessary steps. Examples of such usage of your content include isolation of
information from content to prevent and protect you from spam and malware.
Removal of Content. Microsoft may ask you to remove content that is in violation of the anti-spam
policy, the Microsoft Code of Conduct, or your local law, or if you infringe on a third party's
intellectual property. If you fail to comply, you may lose access to your account, or your account may
be cancelled. In such cases, Microsoft may also remove your content without asking you.
Configuring SkyDrive Access
Before you can use SkyDrive from the
Windows 8.1 SkyDrive tile, you must connect your
domain or local account with your Microsoft
account. To begin the process, click the SkyDrive
tile from the Start screen. You then will be
prompted to sign in with your Microsoft account
or to create an account if you do not have one.
If you want to configure your synchronization
settings, you will need to connect your domain
account to your Microsoft account by performing
the following procedure:
1. From the Start screen, open the Computer
menu, and then select the Settings charm.
2. Click Change PC Settings, and then click the Accounts section.
3. To start the wizard for synchronizing your domain account with your Microsoft account, click
Connect your Microsoft account.
In the wizard, you can choose which features you want to synchronize, including:
Start screen. Colors and background.
Desktop personalization. Themes, taskbar, and more.
Ease of Access. High contrast, Narrator, Magnifier, and more.
Language preferences. Keyboards, other input methods, display language, and more.
App data. Certain settings in your apps.
Browser settings. History, bookmarks, and favorites.
Other Windows settings. File Explorer and mouse settings.
Passwords. For some apps, websites, networks, and HomeGroup.
You can toggle the synchronization setting of these options from the Sync your settings menu on the PC
Settings page.
Sharing Files in SkyDrive
You can use SkyDrive to share files as publicly
accessible folders or folders that you secure by
using your Microsoft account contacts. The
Windows 8.1 SkyDrive app lets you use SkyDrive
directly from your desktop.
By using the SkyDrive app, you can access and
manage all your folders from your computer's
desktop.
A new, updated version of the SkyDrive app is
integrated into Windows 8.1.
Sharing Folders in SkyDrive
When you first create a SkyDrive account, you have three folders by default: Documents, Pictures, and
Public. By default, the share folder setting for the Documents and Pictures folders is set to This folder is
not shared, which means that you are the only one who can access it. The Public folder is shared as
Everyone Can view, which means anybody can see, but not edit, any documents in that folder. When
you create a new folder in SkyDrive, you can choose how you want to share it.
Synchronizing and Recovering SkyDrive Files with Windows 8.1
In Windows 8, SkyDrive was available as an app; in
Windows 8.1, SkyDrive is integrated fully. During
setup, if you create a new Microsoft account or
use an existing one, you are prompted to accept
the default SkyDrive settings. The default SkyDrive
settings are:
Camera roll and PC settings will automatically
be backed up to the cloud.
New documents you create can be saved to
the cloud by default.
You have the option to turn off SkyDrive
integration. If you enable it, you will see a SkyDrive folder in the File Explorer folder tree. You can use the
SkyDrive folder to save, copy, or paste files in the same way you would use any network folder or folder
on a local disk.
Synchronization
Windows 8.1 provides a redesigned synchronization model for SkyDrive that is more efficient. The files in
the SkyDrive folder appear to be stored on the local hard disk, but the files are stored as placeholders that
take a small amount of space. Placeholder files contain a thumbnail and basic information about the file.
Files are downloaded to your local computer when you open them. This is beneficial for tablets,
smartphones, and other devices that have limited disk space. You also can control whether
synchronization and backup to SkyDrive will occur when you are on a metered connection, such as when
tethered to a smartphone. Synchronization happens automatically and cannot be triggered manually.
Note: If you have Apple devices, pictures that you store in the Camera Roll folder can be
configured to upload to SkyDrive automatically.
Support for Offline Files
You also can choose to make some files or folders available offline in the same way as with network-based
files. Simply right-click the file or folder in SkyDrive, and click Make available offline. This will keep a
synchronized copy on the local hard disk. If you edit or add a file to SkyDrive while you are offline, it is
kept on the local hard drive until you connect to the Internet. Then it synchronizes across all your
SkyDrive-enabled devices. If you are offline, you cannot edit files unless they have been cached to the
local disk previously.
Conflict Resolution
If you edit a cached file on one of your offline devices and then edit the same file from a different device
that is online, when synchronization occurs, you will get two versions of the file on the device that was
offline. The one that was modified while offline will be appended with the name of the device. For
example, if you edit a cached version of File1.txt on an offline device named Client1 and then modify
File1.txt from an online device before synchronization occurs, when the offline device connects to the
Internet, a new file named File1.txt-Client1 will be created and synchronized to all devices.
Recovering Files
Occasionally, users might accidentally delete files. When users delete a file from a SkyDrive folder, it goes
to the Recycle Bin on the local machine and also to the Recycle Bin on all other Windows computers
where SkyDrive is enabled. You can restore a file or folder to SkyDrive from any of the Recycle Bins in
which it appears.
Lesson 5
Managing Printers
To set up a shared printing strategy to meet your users' needs, you must understand Windows 8.1
printing components and how to manage them.
This lesson examines printing components in a Windows 8.1 environment, including printer ports and
drivers.
The instructor will demonstrate how to install and share a printer, and you will review how to use the Print
Management tool to administer multiple printers and print servers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the new printing features in Windows 8.1.
Describe the components of a printer.
Install and share a printer.
Describe how to manage client-side printing.
Describe how to manage print server properties.
Windows 8.1 Printer Features
Windows 8.1 supports two new features for
printing:
Near field communication (NFC) printing, also
known as tap-to-pair printing.
Three-dimensional printing
NFC Printing
Windows 8.1 supports NFC printing. Users can tap
their handheld device against a printer that is
equipped with an NFC tag and print directly.
These tags are inexpensive and can be purchased
and programmed for any existing printer.
Information Technology (IT) departments now can provide printing support for a wide variety of handheld
devices.
NFC currently is available for smartphones as a way to transfer files simply by touching the devices
together. That technology is expanding and becoming available for other purposes, such as printing.
3-D Printing
3-D printing is an emerging technology. Microsoft has worked closely with software and hardware
partners to build on this technology. Because 3-D printing is based on traditional two-dimensional
printing, there are familiar management abilities, such as print queue management. Now, companies that
design virtual models have the capability to print physical versions of those models at reasonable costs.
3-D printing has existed for some time, but it has been cost prohibitive for all but the largest
organizations. Desktop 3-D printers are making headway and soon will be within reach of small and
medium-size businesses.
Overview of Printing Components
When you install and share a printer in
Windows 8.1, you must define the relationship
between the printer and two printer components:
the printer port and the printer driver. Typically,
Plug and Play devices install automatically.
However, when you add a wireless device or
printer in Devices and Printers by using the Add
devices and printers button, Windows 8.1 must be
able to communicate with the device to complete
the wizard. To specify all the connection
information for a printer manually, use the
Advanced printer setup button.
Defining the Printer Port
Windows 8.1 detects printers that you connect to your computer, and it installs the driver for the printer
automatically if the driver is available in the driver store. However, a Windows operating system might not
detect printers that connect by using older ports, such as serial or parallel ports, or network printers. In
these cases, you must configure a printer port manually.
Installing a Driver
A printer driver is a software interface that enables a computer to communicate with a printer device.
Without a printer driver, the printer that connects to a computer will not work properly. A printer driver is
responsible for converting a print job into a page-description language (PDL) that the printer can use to
print a job. The most common PDLs are PostScript, Printer Control Language, and XML Paper
Specification (XPS).
In most cases, drivers are included with the Windows operating system, or you can find them by checking
for updates with Windows Update in Control Panel. If the Windows operating system does not have the
driver you need, you can find it on the disc that came with the printer or on the manufacturer's website.
If the Windows operating system does not recognize your printer automatically, you must configure the
printer type during the installation process. The Printer Setup Wizard presents you with an exhaustive list
of currently installed printer types. However, if your printer is not listed, you must obtain and install the
necessary driver.
By using the pnputil.exe command-line tool, you can preinstall printer drivers in the driver store, which
makes them available in the printer list.
When you connect a new printer to your computer, the Windows operating system tries to find and install
a software driver for the printer. Occasionally, you might see a notification that a driver is unsigned or
altered, or that the Windows operating system cannot install it. You have a choice whether to install a
driver that is unsigned or has been altered since it was signed.
Demonstration: Installing and Sharing a Printer
In this demonstration, you will see how to create and share a printer.
Demonstration Steps
1. Sign in to LON-CL1 as Adatum\Administrator, and then open Control Panel.
2. Open the Add Printer Wizard.
3. Create and share a Microsoft OpenXPS printer named AdatumPrinter.
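The demonstration done from PowerShell with the PrintManagement cmdlets, as an added example that is not part of the course material: it optionally stages a vendor driver package with pnputil.exe as described under "Installing a Driver", makes sure the driver is known to the spooler, creates the AdatumPrinter queue, and shares it. The commands run on LON-CL1 as Adatum\Administrator; the driver name "Microsoft OpenXPS Class Driver" is assumed to be the in-box OpenXPS driver on Windows 8.1, the FILE: port is chosen for this example because an XPS driver writes to a file, and the .inf path in the pnputil comment is a placeholder.

```powershell
# Added example (not from the course): install and share a printer from
# PowerShell on LON-CL1 as Adatum\Administrator.
$printer = 'AdatumPrinter'
$driver  = 'Microsoft OpenXPS Class Driver'   # assumed in-box driver name

# Optional: stage a vendor driver package in the driver store first, so that it
# appears in the printer list (legacy pnputil syntax, accepted by Windows 8.1).
# pnputil -a 'C:\Drivers\VendorPrinter\vendor.inf'   # placeholder path
# pnputil -e                                          # list staged packages

# Make sure the driver is installed in the print spooler. Add-PrinterDriver takes
# it from the driver store; use -InfPath to point at a staged .inf instead.
if (-not (Get-PrinterDriver -Name $driver -ErrorAction SilentlyContinue)) {
    Add-PrinterDriver -Name $driver
}

# Create the print queue on a local port, then share it. The ShareName is what
# clients see when they browse \\LON-CL1.
Add-Printer -Name $printer -DriverName $driver -PortName 'FILE:'
Set-Printer -Name $printer -Shared $true -ShareName $printer

# Verify the result: the queue is reachable as \\LON-CL1\AdatumPrinter.
Get-Printer -Name $printer |
    Format-List Name, DriverName, PortName, Shared, ShareName, PrinterStatus
```

Sharing a printer also publishes a network path, so the Shared and ShareName values in the final listing are the ones to check when reviewing what a client computer is exposing.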
Managing Client-Side Printing
Print Management provides a single interface to
administer multiple printers and print servers.
You can access the Print Management console
through the Administrative Tools folder in Control
Panel or you can open the Print Management
console directly by typing Printmanagement.msc
in the Search dialog box.
You can use Print Management to perform all the
basic management tasks for a printer. You also
can manage printers from the Devices and
Printers page in Control Panel.
View the Print Queue
After you initiate a print job, you can view, pause, or cancel it through the print queue. The print queue
shows you what is printing or waiting to print. It also displays information such as job status, who is
printing what, and how many unprinted pages remain. From the print queue, you can view and maintain
the print jobs for each printer.
You can access the print queue from the Print Management console, or through the See what's printing
option on the Devices and Printers page in Control Panel. Documents that are listed first will be the first
to print.
Cancel Print Jobs
If you start a print job by mistake, it is simple to cancel the print job even if printing is underway. To
cancel a print job:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To cancel an individual print job, right-click the print job you want to remove, and then click Cancel.
3. To cancel all print jobs, click the Printer menu, and then click Cancel All Jobs. The item that is
printing currently might finish, but the remaining items will be cancelled.
Pause or Resume a Print Job
You can pause and resume a single print job or multiple jobs in the queue. To pause or resume a print
job:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. To pause or resume an individual print job, right-click the print job, and then click Pause or Resume.
3. To pause all print jobs, click the Printer menu, and then click Pause Printing. To resume printing,
click Resume Printing.
Restart a Print Job
If a print job is printing in the wrong color ink or wrong size paper, you can start over. To restart a print
job:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. Right-click the print job to be reprinted, and then click Restart.
Reorder the Print Queue
If you are printing multiple items, you can change the order in which they print. To reorder the jobs in the
print queue:
1. Open the print queue for the specific printer by performing the steps outlined previously.
2. Right-click the print job to be reordered, and then click Properties.
3. Click the General tab, and then drag the Priority slider left or right to change its print order. Items
with higher priority print first.
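The same queue operations (view, pause, resume, restart, cancel) can be scripted with the PrintManagement cmdlets that ship with Windows 8.1. The block below is an added example, not part of the course text; the printer name, job ID and user name it uses are assumptions.

```powershell
# Added example (not course material): manage a print queue from PowerShell.
# Requires the PrintManagement module (built into Windows 8.1). Names and IDs are assumed values.
$PrinterName = 'ManagersPrinter'   # assumed printer name

# 1. View the queue: job ID, owner, status and page counts (what the queue window shows).
Get-PrintJob -PrinterName $PrinterName |
    Select-Object Id, DocumentName, UserName, JobStatus, PagesPrinted, TotalPages

# 2. Pause every job in the queue, then resume them (per-job Pause/Resume).
Get-PrintJob -PrinterName $PrinterName | Suspend-PrintJob
Get-PrintJob -PrinterName $PrinterName | Resume-PrintJob

# 3. Restart a single job (re-sends it from the first page), by job ID.
Restart-PrintJob -PrinterName $PrinterName -ID 3      # job ID 3 is an assumed value

# 4. Cancel only the jobs one user submitted (a targeted form of Cancel All Jobs).
Get-PrintJob -PrinterName $PrinterName |
    Where-Object UserName -eq 'Ed' |                   # assumed user
    Remove-PrintJob

# 5. Pause or resume the whole printer (Printer menu > Pause Printing / Resume Printing).
#    There is no Suspend-Printer cmdlet; the Win32_Printer CIM class exposes Pause() and Resume().
$printer = Get-CimInstance -ClassName Win32_Printer -Filter "Name='$PrinterName'"
Invoke-CimMethod -InputObject $printer -MethodName Pause  | Out-Null
Invoke-CimMethod -InputObject $printer -MethodName Resume | Out-Null
```

Run the block from an elevated PowerShell prompt on the machine that hosts the queue; the cmdlets also accept -ComputerName to manage a remote print server.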
Managing Print Server Properties
Windows 8.1 includes Print and Document
Services. Windows 8.1 can act as a print server or
connect to Windows-based print servers through
the Print Management console and manage them
remotely. The Print Management console is
included in the built-in administration tools in
Windows 8.1. It allows administrators to perform
management tasks such as:
Install printer drivers and print devices
Manage print queues
View the status of printers
Installing Printer Drivers and Print Devices
You might need to support both 32-bit printer drivers and 64-bit printer drivers. The Print Management
console allows you to add printer drivers to the printer driver store that is found in the
Windows\System32\spool\drivers folder. You can use the Add Printer Driver Wizard to add drivers.
You also can add print devices by using the Network Printer Installation Wizard. The wizard allows you to:
Search a network for printers.
Add a TCP/IP or Web Service Printer by IP address or host name.
Add a new printer by using an existing port.
Create a new port and add a new printer.
Managing Print Queues
You can view all installed printers in the Printers node. You can view a printer's queue by right-clicking
the printer and then clicking Open Printer Queue on the shortcut menu.
View the Status of Printers
The Printers node shows information about each printer, including the queue status, number of jobs in the
queue, name and version of the printer driver, and the driver type.
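The driver and device tasks described above (staging a driver in the driver store, adding a TCP/IP printer, and reading the status that the Printers node displays) map onto pnputil and the PrintManagement cmdlets. The block below is an added example rather than course content; the INF path, driver name and IP address are placeholders.

```powershell
# Added example (not course material): stage a driver and add a TCP/IP printer from PowerShell,
# the command-line equivalent of the Add Printer Driver and Network Printer Installation wizards.
# The INF path, driver name and address below are assumptions for illustration.
$InfPath    = 'C:\Drivers\Printer\x64\oem.inf'     # assumed vendor driver package
$DriverName = 'Contoso Laser v4'                    # assumed name exactly as listed in the INF
$HostAddr   = '10.0.0.50'                           # assumed print device address

# 1. Stage the package in the driver store. On Windows 8.1 pnputil uses the -a switch
#    (the /add-driver form is Windows 10 syntax).
pnputil.exe -a $InfPath

# 2. Register the staged driver with the spooler. If 32-bit clients will download the driver,
#    stage the x86 package too and repeat with -PrinterEnvironment 'Windows x86'.
Add-PrinterDriver -Name $DriverName

# 3. Create a Standard TCP/IP port and a printer that uses it.
Add-PrinterPort -Name "IP_$HostAddr" -PrinterHostAddress $HostAddr
Add-Printer -Name 'Finance-Laser' -DriverName $DriverName -PortName "IP_$HostAddr"

# 4. The same view as the Printers node: status, queue depth, driver name and driver type.
#    MajorVersion 3 is a classic (type 3) driver, 4 is a v4 class driver.
Get-Printer -Name 'Finance-Laser' |
    Select-Object Name, PrinterStatus, JobCount, DriverName,
        @{ n = 'DriverType'; e = { (Get-PrinterDriver -Name $_.DriverName).MajorVersion } }

# Check which architectures the driver is actually available for.
Get-PrinterDriver -Name $DriverName | Select-Object Name, PrinterEnvironment, MajorVersion
```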
Lab B: Configuring Printers
Scenario
A. Datum Corporation wants to use shared printers in its environment.
Objectives
After you complete this lab, you will be able to create and share a local printer.
Lab Setup
Estimated Time: 10 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User names: Adatum\Administrator and Adatum\Ed
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-CL2. Do not sign in until directed to
do so.
Exercise 1: Creating and Sharing a Local Printer
Scenario
You need to create and share a printer on one of the local systems and then test connectivity to it.
The main tasks for this exercise are as follows:
1. Add and share a local printer.
2. Configure printer security.
3. Sign in to LON-CL2 as Ed.
4. Connect to a network printer.
Task 1: Add and share a local printer
1. Sign in to LON-CL1 as Adatum\Administrator, and then open Control Panel.
2. Open the Add Printer Wizard.
3. Create and share a Microsoft OpenXPS printer named ManagersPrinter by using the Nul port.
Task 2: Configure printer security
1. Open the Print Management console.
2. Configure the ManagersPrinter so that Managers can print to it, and not Everyone.
3. Pause the ManagersPrinter.
Task 3: Sign in to LON-CL2 as Ed
Sign in to LON-CL2 as Adatum\Ed.
Task 4: Connect to a network printer
1. On LON-CL2, open the Add Printer Wizard.
2. Connect to ManagersPrinter.
3. Switch to LON-CL1, verify that the test page is in the ManagersPrinter queue, and then click Resume
Printing.

Results: After completing this exercise, you should have created, shared, and tested a printer.
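The four lab tasks can also be carried out from PowerShell rather than the wizards. The block below is an added example and is not part of the course lab; the driver name, the ADATUM\Managers group and the nul: port name are assumptions taken from the lab scenario.

```powershell
# Added example (not part of the lab): the exercise driven from PowerShell on LON-CL1.
# Driver name and the ADATUM\Managers group are assumptions; Ed's test page comes from LON-CL2.
$Name = 'ManagersPrinter'

# Task 1: create and share a printer on the nul: port (jobs are accepted and discarded,
# which is what makes it safe for testing).
Add-Printer -Name $Name -DriverName 'Microsoft OpenXPS Class Driver' -PortName 'nul:' `
            -Shared -ShareName $Name

# Task 2: let Managers print, not Everyone. Printer permissions are stored as an SDDL string.
# The Print right is PRINTER_ACCESS_USE + READ_CONTROL, which SDDL writes as "SWRC".
$acct        = New-Object System.Security.Principal.NTAccount('ADATUM', 'Managers')
$managersSid = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
$sddl = (Get-Printer -Name $Name -Full).PermissionSDDL
$sddl = $sddl -replace '\(A;[^)]*;WD\)', ''          # remove every ACE granted to Everyone (WD)
$sddl += "(A;;SWRC;;;$managersSid)"                   # grant Print to Managers
Set-Printer -Name $Name -PermissionSDDL $sddl

# Pause the printer so the test page stays visible in the queue.
$p = Get-CimInstance -ClassName Win32_Printer -Filter "Name='$Name'"
Invoke-CimMethod -InputObject $p -MethodName Pause | Out-Null

# Task 3 and 4 (run on LON-CL2 as Adatum\Ed): connect, then print a test page.
#   Add-Printer -ConnectionName '\\LON-CL1\ManagersPrinter'
#   $c = Get-CimInstance Win32_Printer | Where-Object Name -eq '\\LON-CL1\ManagersPrinter'
#   Invoke-CimMethod -InputObject $c -MethodName PrintTestPage
# A user who is not a member of Managers gets an access-denied error at this step,
# which is the check that the ACL change took effect.

# Back on LON-CL1: confirm Ed's job is queued, then resume printing.
Get-PrintJob -PrinterName $Name | Select-Object Id, DocumentName, UserName, JobStatus
Invoke-CimMethod -InputObject $p -MethodName Resume | Out-Null
```

Inspect the resulting DACL with `(Get-Printer -Name $Name -Full).PermissionSDDL`; the Managers ACE should be present and no ACE should end in `;WD)`.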
To prepare for the next module
When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-CL1 and 20687C-LON-DC1.
Module Review and Takeaways
Best Practice: NTFS Permissions
Supplement or modify the following best practices for your own work situations:
One common approach is to grant the Everyone group Full Control share permission on all shares and use
NTFS permissions alone to control access. A more defensive alternative is to restrict share permissions to
the minimum required as well, so that they provide an extra layer of protection if the NTFS permissions
are configured incorrectly.
When permission inheritance is blocked, you have the option to copy existing permissions or begin
with blank permissions. If you only want to restrict a particular group or user, then copy existing
permissions to simplify the configuration process.
Best Practice: Managing Shared Folders
Supplement or modify the following best practices for your own work situations:
If the guest user account is enabled on your computer, the Everyone group includes anyone. In
practice, remove the Everyone group from any permission lists and replace it with the Authenticated
Users group.
Using a firewall other than that supplied with Windows 8.1 can interfere with the network
discovery and file sharing features.
Review Questions
Question: A. Datum is installing Microsoft Dynamics GP and has contracted with a vendor to
provide some custom programming work. Joseph, a senior IT desktop specialist at A. Datum,
has been asked to configure the NTFS permissions for the GP planning files that the
company will be accumulating. A. Datum has asked that all IT users be assigned Modify
permissions to the GP Implementation Planning folder. However, A. Datum only wants the
subfolder titled Vendor Contracts to be available for viewing by a select group of managers.
How can Joseph accomplish this by taking into account permission inheritance?
Question: Robin recently created a spreadsheet in which she explicitly assigned it NTFS file
permissions that restricted file access to herself only. Following the system reorganization,
the file moved to a folder on another NTFS partition, and Robin discovered that other users
were able to access the spreadsheet. What is the probable cause of this situation?
Tools
Use the following command-line tools to manage file and printer sharing.
Tool Description
Net share Share folders at the command prompt.
Net use Connect to shared resources at the command prompt.
Icacls.exe Configure NTFS file and folder permissions at the command prompt.
Compact.exe Compress NTFS files and folders at the command prompt.
Pnputil.exe Preinstall printer drivers in the driver store.
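The tools in the table, applied to the two review questions above, as an added example (not part of the course text). The drive letters, folder names and the ADATUM\IT, ADATUM\Managers and ADATUM\Robin accounts are assumptions.

```powershell
# Added example (not course material): net share and icacls applied to the review questions.
# Paths, drive letters and account names are assumptions.
$root   = 'D:\GP Implementation Planning'
$vendor = Join-Path $root 'Vendor Contracts'
New-Item -ItemType Directory -Path $vendor -Force | Out-Null

# Share the planning folder. Share permission is left open; NTFS does the real access control.
# The /GRANT value is quoted so PowerShell does not split it on the comma.
net share "GPPlanning=$root" '/GRANT:Everyone,FULL'

# Question 1: all IT users get Modify on the folder. (OI)(CI) makes the ACE inherit
# to files and subfolders, so Vendor Contracts would inherit it too.
icacls $root /grant 'ADATUM\IT:(OI)(CI)M'

# Block inheritance on Vendor Contracts (/inheritance:r discards the inherited ACEs, i.e. the
# "begin with blank permissions" choice), then rebuild a minimal ACL: Managers read-only,
# Administrators and SYSTEM keep management rights.
icacls $vendor /inheritance:r
icacls $vendor /grant 'ADATUM\Managers:(OI)(CI)RX' 'BUILTIN\Administrators:(OI)(CI)F' `
                      'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Verify: IT should no longer be listed on the subfolder.
icacls $vendor

# Question 2, reproduced: a move to another NTFS volume is a copy followed by a delete, so the
# new file takes the destination folder's inherited permissions and Robin's explicit ACL is lost.
New-Item -ItemType Directory -Path 'D:\Robin', 'E:\Shared' -Force | Out-Null
'budget data' | Set-Content 'D:\Robin\budget.xlsx'
icacls 'D:\Robin\budget.xlsx' /inheritance:r /grant 'ADATUM\Robin:F'
Move-Item 'D:\Robin\budget.xlsx' 'E:\Shared\budget.xlsx'
icacls 'E:\Shared\budget.xlsx'     # shows the entries inherited from E:\Shared, not Robin's ACL
```

Run it as an account that holds Full Control on both folders (the ACL rewrite on Robin's file would otherwise lock the administrator out before the move).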

Module 10
Securing Windows 8.1 Devices
Contents:
Module Overview 10-1
Lesson 1: Authentication and Authorization in Windows 8.1 10-2
Lesson 2: Implementing Local Policies 10-11
Lab A: Implementing Local GPOs 10-20
Lesson 3: Securing Data with EFS and BitLocker 10-23
Lab B: Securing Data by Using BitLocker 10-45
Lesson 4: Configuring UAC 10-47
Lab C: Configuring and Testing UAC 10-54
Module Review and Takeaways 10-56

Module Overview
Users are becoming increasingly computer-literate, and they expect more from the technology that they
use at work. They expect to be able to work from home, from branch offices, and on the road without a
decrease in their productivity or a loss of access to the programs and applications that they need most. As
the needs of users have changed, the demands on information technology (IT) support professionals have
increased. Today, support professionals need to provide more capabilities and to support greater
flexibility while continuing to minimize security risks. In this module, you will explore features of the
Windows 8.1 operating system that you can use to maintain a secure computer environment for your
users by using Encrypting File System (EFS), BitLocker Drive Encryption, and User Account Control (UAC).

Objectives
After completing this module, you will be able to:
Implement authentication and authorization features in Windows 8.1.
Use GPOs to configure local policies.
Describe how to secure data with EFS and BitLocker Drive Encryption.
Describe how to configure UAC.
Lesson 1
Authentication and Authorization in Windows 8.1
Windows 8.1 provides a number of security technologies for devices, including authentication and
authorization, volume-based encryption for files and disks, and UAC. Some of these security technologies
strengthen the overall Windows infrastructure, and others are useful in controlling your system and your
data.
Before you can effectively define Windows 8.1 security measures such as NTFS file system permissions and
file and folder sharing properties, you must understand the user account types that are used during
security configuration, how the Kerberos version 5 (V5) protocol authenticates user logons, and how
Windows then authorizes access to resources. This lesson examines the authentication and authorization
features that provide the foundation for the Windows security infrastructure.
Lesson Objectives
After completing this lesson, you will be able to:
Describe authentication and authorization.
Describe the process of authentication and authorization.
Identify and describe important security features in Windows 8.1.
Describe how to use biometrics for authentication.
Describe how to configure a picture password or PIN for authentication.
Describe how to integrate Virtual Smart Cards into the authentication process.
What Are Authentication and Authorization?
Authentication is the process that confirms a user's identity when he or she accesses a computer system
or a system resource. In private and public computer networks, including the Internet, the most common
authentication method that controls access to resources is the verification of a user's credentials,
typically a user name and password.
However, for certain critical transactions such as payment processing, user name and password
authentication has an inherent weakness because passwords can be stolen or revealed inadvertently.
Because of this weakness, many Internet businesses implement digital certificates that a certification
authority (CA) issues and verifies. Authentication logically precedes authorization.
Authorization allows a system to determine whether an authenticated user can access and update secured
system resources. Examples of authorized permissions include file and file-directory access, hours of
access, amount of allocated storage space, and other specifications. Authorization has two facets:
A system administrator initially defines permissions for system resources.
A system or application verifies users' permission values when users attempt to access or update a
system resource.
You can provide authorization and access without implementing authentication. Typically, this is the case
when permissions are granted for anonymous users who are not authenticated. Usually, these permissions
are limited.
The Process of Authentication and Authorization
To understand the authentication and
authorization process, you first must understand
the role of user accounts. A user account is a
collection of information that the Windows
operating system uses to determine the user
rights and access permissions a person has on a
computer. A user account records the user name,
password, and a unique number that identifies
that account.
User Account Types and Rights
Windows 8.1 has three different user account
types, all of which offer users varying degrees of
access. The different user account types are:
Standard. Users with this account type can use most of the capabilities of a computer. A person who
logs on with a standard user account can use most apps on the computer and can change settings
that affect his or her user account.
However, the user typically cannot install or uninstall software and hardware, delete files that the
computer requires, or change settings that affect other users or the computer's security. The system
might prompt a standard user for an administrator password before he or she can perform certain
tasks.
Administrator. Users with this account type can make changes that affect other users. Administrators
can change security settings, install software and hardware, and access all files on a computer.
Administrators also can make changes to other user accounts.
Guest. Users with this account type have temporary access to another user's computer. People who
use guest user accounts cannot install software or hardware, change settings, or create a password.
You must enable this account before your guests can use it.
Note: When you set up a computer, you are required to create an administrator user
account, which provides the ability to set up your computer and install any device-wide apps that
you want. After setup is complete, you should use a standard user account for your daily
computing tasks. Users then can use Windows Store to install user-specific apps. It is more secure
to use a standard user account than an administrator account. When you use a standard account,
you can prevent accidental changes that affect anyone who uses the computer, especially if your
user account credentials are stolen.
Windows Authentication Methods
Users must authenticate to verify their identity when they access files over a network. Authentication is
performed during the network logon process. The Windows 8.1 operating system supports the following
authentication methods for network logons:
Kerberos protocol. This is the main logon authentication method that is used by clients and servers
that are running Windows operating systems. It provides authentication for user and computer
accounts.
NTLM. This method provides backward compatibility with pre-Windows 2000 operating systems and
some applications. However, it is less flexible, less efficient, and not as secure as the Kerberos
protocol.
Certificate mapping. Typically, this method is used in conjunction with smart cards. The certificate
stored on a smart card is linked to a user account for authentication. A smart card reader is used to
read a smart card and authenticate a user.
Kerberos Authentication
For Windows 8.1 clients, the Kerberos authentication protocol provides the mechanism for mutual
authentication between a client and a server before a network connection is opened between them.
Note: Active Directory Domain Services (AD DS) implements Kerberos authentication.
In a client/server application model:
Windows 8.1 clients are apps that act on behalf of users who need to perform a task such as opening
a file, accessing a mailbox, querying a database, or printing a document.
Servers, such as Windows Server 2012, are apps that provide services to clients. Some examples of
services can include file storage, mail handling, query processing, print spooling, and a number of
other specialized tasks.
Clients initiate an action and servers respond. Typically, this means that a server listens to a
communications port, waiting for clients to connect and ask for service.
In the Kerberos security model, every client/server connection begins with authentication. The client and
server, in turn, step through a sequence of actions that helps parties on each end of the connection verify
that the party on the other end is genuine. If authentication is successful, session setup completes, and the
client/server application can start working.
Benefits of Kerberos Authentication for Windows 8.1 Clients
The Kerberos protocol allows you to turn off NTLM authentication once all network clients are capable of
Kerberos authentication. The Kerberos protocol is more flexible, efficient, and secure than NTLM. The
benefits of using Kerberos authentication are:
Faster connections. With NTLM authentication, an application server must connect to a domain
controller to authenticate each client. With Kerberos authentication, a server does not need to
connect to a domain controller. It can authenticate a Windows 8.1 client by examining the credentials
that a client presents. Clients can obtain credentials for a particular server once and then reuse them
throughout a network logon session.
Mutual authentication. By using NTLM, servers can verify the identities of their clients. However,
clients cannot use NTLM to verify a server's identity, and servers cannot verify the identity of another
server. NTLM authentication therefore only suits a network environment in which servers are assumed to be
genuine. The Kerberos protocol makes no such assumption, and it enables parties at both ends of a
network connection to identify and verify the party on the other end.
Question: Which authentication method is used when a client computer that is running
Windows 8.1 logs on to AD DS?
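A practical way to answer that question on a given client is to look at what the system actually recorded. The block below is an added example, not course material: it lists the Kerberos tickets the current session holds and summarises which authentication package (Kerberos or NTLM) recent network logons used, which is also the inventory you need before turning NTLM off.

```powershell
# Added example (not course material): which authentication package did recent logons use?
# Reading the Security log requires an elevated prompt. No names below are taken from the course.

# Kerberos tickets held by the signed-in user: krbtgt/<REALM> is the TGT, service tickets follow.
klist tickets

# Security event 4624 (successful logon) records AuthenticationPackageName (Kerberos, NTLM or
# Negotiate) and, for NTLM, LmPackageName (NTLM V1 / NTLM V2). Network logons are LogonType 3.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200

$logons = $events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType = $data.LogonType
        Package   = $data.AuthenticationPackageName
        LmPackage = $data.LmPackageName      # '-' unless NTLM was used
        Source    = $data.IpAddress
    }
}

# Count network logons per package; a domain-joined Windows 8.1 client should show Kerberos.
$logons | Where-Object LogonType -eq '3' | Group-Object Package | Select-Object Name, Count

# Anything still arriving over NTLM is what must be fixed before NTLM can be restricted with the
# "Network security: Restrict NTLM" settings under Local Policies > Security Options.
$logons | Where-Object { $_.LogonType -eq '3' -and $_.Package -eq 'NTLM' } |
    Select-Object Time, User, LmPackage, Source
```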
Important Security Features in Windows 8.1
The Windows 8.1 operating system improves
platform security by including a number of apps
that help simplify the balancing of security and
usability. To diagnose, troubleshoot, and resolve
any security-related issues quickly and effectively,
you must understand how the new Windows 8.1
security features work.
The Windows 8.1 operating system provides the
following assortment of tools and features that
maximize platform and client security while
balancing security and usability:
Windows 8.1 Action Center. This is the
starting point for diagnosing and solving system issues. It also is a central location for users to address
messages about their local computer.
EFS. This is a built-in encryption tool for Windows-based file systems.
BitLocker and BitLocker To Go. These tools encrypt entire volumes, so the data on them is inaccessible
to anyone who removes the disk or boots another operating system, including when you decommission or
recycle BitLocker-protected computers. BitLocker To Go provides similar protection for data on removable
data drives.
AppLocker. Administrators can use this tool to specify exactly what apps and services can run on a
user's computer.
UAC. Users can use this tool to run their computers as standard users and perform all necessary daily
tasks.
Windows Firewall with Advanced Security (WFAS). This snap-in provides protection from malicious
users and apps that rely on unsolicited incoming traffic to attack computers.
Windows Defender. This feature helps protect your computer from spyware and other forms of
malicious software.
Using Biometrics for Authentication
The Windows Biometric Framework (WBF) was
first introduced in Windows 7. However, different
types of advanced hardware that take full
advantage of the WBF only became available in
Windows 8 and Windows 8.1. Biometrics is
another example of two-factor authentication,
which is an authentication method that requires
two authentication methods. These authentication
methods may include something the user
provides, such as certificates; something the user
knows, such as user names, passwords, or pass
phrases; physical attributes, such as a thumbprint;
or personal attributes, such as a personal signature. Biometrics allows for validation of user credentials in a
growing number of ways, including fingerprint recognition, retinal scanning, and facial recognition.
Biometrics is becoming the preferred method of authentication on mobile devices.
The Windows Biometrics Service is set to manual start by default. In Windows 8.1, this service:
Captures the input data from a biometric scan and stores it in a template.
Securely stores and manages the biometric template for future use.
Can be mapped to a unique identifier such as a GUID or a security identifier.
Allows additional templates to be created.
Can be extended by developers by using the WBF application programming interface (API).
In addition to the low-level framework support, Windows 8.1 offers users the following management
features that support biometrics:
A fingerprint management application within PC settings.
Support for installed biometric devices within Device Manager.
Group Policy Objects (GPOs) for configuring system-wide biometric options.
Credential Provider support that allows biometric data to be used to log on to a local or
domain-joined computer.
Note: Although the WBF is built into Windows 8.1, you must install a biometric device to
take advantage of the framework. Installed devices will appear in Device Manager and the
Control Panel.
Biometric Fingerprints
Currently, the WBF in Windows 8.1 only supports the fingerprint biometric factor. All versions of
Windows 8.1 support biometrics, allowing users to acknowledge a multitude of requests such as Windows
sign-in, remote access, and UAC by using their fingerprints.
You can record your fingerprint by using biometrics in Windows 8.1 by following the steps below:
1. On the Start screen, type Fingerprint.
2. Browse to PC Settings, click Accounts, and then click Sign-in options.
Note: The fingerprint option will only be available if there is a WBF-supported fingerprint
reader installed on the Windows 8.1 device.
When the biometric scanning process uses a fingerprint, the actual fingerprint picture is not itself stored.
Biometrics converts the scan into information that is required by the template. The sign-in process then
uses this information in a similar manner as the use of a password for authentication.
Credential Management UI Integration
After you configure fingerprint-based authentication, you can use it as an alternative way to authenticate
at a Windows password prompt. Whenever the Windows operating system requires a specific user to
authenticate, the Credential Management UI (CredUI) interface will display the option to authenticate via
a fingerprint.
Note: Windows 8 provided a biometric devices Control Panel item. Windows 8.1 does not
include this item, but provides additional support through independent software vendors or
directly via the application that uses the fingerprint biometric feature.
Picture Passwords
Windows 8.1 is designed to be operated in both touch and traditional PC scenarios. The touch interface
offers a new way for users to log on and authenticate. Windows 8 introduced the option to use a picture
password or PIN as a logon option. For touch users, the use of a picture password or PIN is more intuitive
and quicker than the use of an on-screen keyboard to type a complex password.
For your picture password, you can choose a picture that came with Windows 8.1, or you can add your
own picture and then create gestures to create your own personal logon. When selecting an appropriate
picture, use one that has several points of interest, as this will increase the complexity of the password.
Gestures
By selecting a personal picture and drawing gestures in a way that is meaningful only to the user, a
picture password can be difficult for an attacker to guess, particularly in combination with the lockout
described below. When you add gestures to your picture password, you can choose from the gestures below:
A tap
A small clockwise circle
A small counterclockwise circle
A larger clockwise circle
A larger counterclockwise circle
A straight line drawn between any two points of interest on your picture
Microsoft has increased the security of the picture password feature by introducing two safeguards
against repeated attacks:
When you enter your picture password incorrectly five times, the system will prevent you from using
the feature again until you log on with your plain text password.
To mitigate network attacks, the picture password is disabled in remote and network scenarios.
PIN Authentication
The option to use a four-digit PIN to sign in to Windows 8.1 offers users a simple, familiar, and quick way
to unlock their devices. Domain users are restricted from using a PIN password. However, an administrator
can override this restriction by configuring the Turn on PIN sign-in GPO within the Computer
Configuration\Administrative Templates\System\Logon container.
For more information, see Signing in with a picture password on the MSDN Blogs
website.
http://go.microsoft.com/fwlink/?LinkId=378246&clcid=0x409
Note: Although a PIN might not be suitable in situations where complex passwords are
required, both the picture password and PIN sign-in options are attractive to users in low-risk
environments such as home users and those on personal devices.
Demonstration: Configuring a Picture Password or PIN for Authentication
In this demonstration, you will see how to:
Create a picture password to sign in with gestures
Create a PIN password to sign in
Demonstration Steps
Create a picture password to sign in with gestures
1. Sign in to LON-CL4 as Admin with password Pa$$w0rd.
2. On the Start screen, type Picture Password, and then click Set up picture password.
3. Click Choose picture, and then draw three gestures on your picture.
4. Click Finish, and then close the Sign-in account app.
Create a PIN password to sign in
1. On the Start screen, type PIN, and then click Set up PIN sign-in.
2. In the Sign-in options window, under the PIN option, click Add, and then create a PIN.
Integrating Virtual Smart Cards into the Authentication Process
Windows 8.1 builds on the features of Windows 7 and offers enhanced support for smart cards. System
administrators can use smart cards to protect the security of an organization's computers and devices.
Smart card technology offers significant advantages in the protection of business assets. However, with
the exception of large and medium-sized organizations, there has not been a widespread adoption of
smart card technology. Reasons include the additional cost of hardware devices and the complexity of
smart card management and control.
To address these issues, Windows 8 introduced Virtual Smart Card technology, which Windows 8.1 continues
to support. Network administrators can bring this technology to end users without the previous hardware
requirements of card readers and the cards themselves. At the same time, Virtual Smart Cards still take
advantage of the Personal Identity Verification benefits that the smart card feature provides.
Note: Smart cards are an example of multifactor authentication. The user must possess the card
(and have access to a reader) and know its PIN to be able to authenticate and gain access to a system.
Many Windows 8.1 devices now ship with a Trusted Platform Module (TPM) that meets specification
version 1.2. A Virtual Smart Card takes advantage of a device's tamper-resistant TPM security chip to
store the keys and certificates that are used to authenticate each user account. Because a TPM is an
internal component of a device, you can configure a Virtual Smart Card on a device whether or not it is
domain-joined.
Being virtual, once you configure a device to use TPM, you do not require any further hardware or cards.
Effectively, the device acts as a smart card reader, and users supply an unlock PIN that is personal to them.
A TPM chip can store up to six Virtual Smart Cards.
Note: If a TPM is present, it might need to be turned on in the system BIOS/Unified
Extensible Firmware Interface (UEFI) firmware.
Note: You must run the Tpmvscmgr.exe command-line utility with local administrator
permissions to gain access to a TPM and generate a Virtual Smart Card.
Tpmvscmgr.exe
Windows 8.1 provides the Tpmvscmgr.exe Virtual Smart Card management tool that administrators can
use to provision Virtual Smart Cards on a device. The syntax of Tpmvscmgr.exe is as follows:
tpmvscmgr.exe create /name NameofVSC /pin prompt /puk prompt /adminkey random /generate
Notice that the command is configured to ask the user for a PIN. The user also is asked for a PIN unlock
key (PUK), which can be used to unlock a Virtual Smart Card and reset the PIN if it is forgotten. The
default PIN and PUK must be at least eight characters long. Once the command has completed, you will
be notified of the device instance ID for the NameofVSC. You should record this device instance ID so that
if required, you will be able to delete a Virtual Smart Card from a device. You also are able to configure an
administrator key, which provides an alternative method of unlocking a card for a PIN reset. In the above
example, Tpmvscmgr.exe will generate a random 48-hexadecimal digit administrator key.
In Windows 8.1, the process to enroll TPM-enabled devices to be used as a Virtual Smart Card device has
improved. The high-level process for using a Virtual Smart Card is as follows:
1. Enable TPM 1.2 in BIOS/UEFI firmware.
2. Create and install a Virtual Smart Card by using the Virtual Smart Card management tool,
Tpmvscmgr.exe.
3. Enroll for a logon certificate (protected by the TPM).
4. Sign in to the device with the smart card PIN.
The default PIN policy for a Virtual Smart Card that is generated by Windows 8.1 is as follows:
Minimum length of 8
Maximum length of 127
Uppercase characters allowed
Lowercase characters allowed
Digits allowed
Special characters allowed
Note: The lower and upper boundaries for PIN length are 4 and 127 respectively.
In a corporate AD DS environment, you likely have a CA configured already. Once your device has created
a Virtual Smart Card, you then will enroll for a logon certificate from your Windows CA by using the
Certificate Enrollment Wizard, which can be found in the Certificates Microsoft Management Console
(MMC) snap-in, which is accessed by typing Certmgr.msc at the Start screen.
Note: A PIN typically is a secret numeric password. However, a Virtual Smart Card allows a
PIN to include digits, alphabetic and special characters, and not just numbers. The term PIN has
been retained because legacy smart cards used simple numeric PINs.
For more information, see Understanding and Evaluating Virtual Smart Cards at the
Microsoft Download Center.
http://go.microsoft.com/fwlink/?LinkId=378248&clcid=0x409
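The four-step provisioning process above, carried out from an elevated PowerShell prompt, as an added example that is not part of the course text. The card name, the certificate template name and the assumption that the CA's template allows the Microsoft Smart Card Key Storage Provider are placeholders.

```powershell
# Added example (not course material): provision a virtual smart card end to end and keep the
# device instance ID that is needed to remove it later. Run from an elevated prompt.
# 'AdatumVSC' and the 'SmartcardLogon' template name are assumptions.

# 1. Confirm a TPM is present and ready; otherwise tpmvscmgr fails. (Step 1: enable TPM in firmware.)
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM missing or not ready: turn it on in BIOS/UEFI and initialise it before continuing.'
}

# 2. Create the card. The user is prompted for the PIN and PUK (default minimum 8 characters);
#    the admin key is generated at random (48 hex digits) and printed with the device instance ID.
$out = & tpmvscmgr.exe create /name 'AdatumVSC' /pin prompt /puk prompt /adminkey random /generate 2>&1
$out
$instanceId = ($out | Select-String -Pattern 'ROOT\\SMARTCARDREADER\\\d+').Matches.Value
"Device instance ID: $instanceId"   # record this; it is the only handle for a later destroy

# 3. Enroll for a logon certificate from the enterprise CA, the scripted form of the Certificate
#    Enrollment Wizard in Certmgr.msc. Get-Certificate (PKI module) locates AD CS over LDAP; the
#    template must list the Microsoft Smart Card KSP so the key lands on the virtual card.
Get-Certificate -Template SmartcardLogon -Url ldap: -CertStoreLocation Cert:\CurrentUser\My

# 4. Verify the card is enumerated as a reader and carries the certificate, then sign in with the PIN.
certutil -scinfo

# Decommission: destroy the card and its TPM-held keys using the recorded instance ID.
# tpmvscmgr.exe destroy /instance $instanceId
```

The destroy command is left commented out so the block does not remove the card it just created; run it only when the device is being re-provisioned or retired.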
Lesson 2
Implementing Local Policies
Before learning about the important security features in Windows 8.1, it is important that you understand
the best ways in which to configure security-related settings in Windows 8.1. Although you can perform
computer-specific administration and configuration tasks manually, it can be more efficient to implement
your planned configuration settings by using GPOs. GPOs provide an infrastructure for centralized
configuration management of operating systems and the applications that run on operating systems. This
lesson discusses Group Policy fundamentals such as the difference between local and domain-based
policy settings. It also describes how you can use Group Policy to simplify managing computers and users
in an AD DS environment.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Group Policy.
Describe how to apply GPOs.
Describe how multiple local GPOs work.
Describe how to create multiple local GPOs.
Describe how to configure local security policy settings.
Describe Microsoft Security Compliance Manager.
Overview of Group Policy
Group Policy is a technology that you can use to
manage a large number of computer and user
accounts efficiently through a centralized model.
GPOs commonly are used in corporate
environments in which several computers and
users are part of the same domain. By using GPOs,
you can impose certain behaviors on several
features for the computers and users that belong
to the AD DS domain. GPOs can define computer
settings ranging from the computer desktops to
screen saver timeouts. You configure Group Policy
changes on a server, which then propagates to
each client computer in the domain.
Group Policy in Windows 8.1 uses XML-based templates to describe registry settings. When you enable
settings in these templates, you can use Group Policy to apply computer and user settings either on local
computers or centrally through AD DS.
You can use Group Policy to:
Apply customized or specific configurations.
Deploy software applications.
Enforce security settings.
Enforce a standardized desktop environment.
Local Group Policy in Windows 8.1
A local GPO is the least influential object in an AD DS environment because its settings can be overwritten
by GPOs that are associated with sites, domains, and organizational units (OUs). In an environment that is
not networked, or in a networked environment that does not have a domain controller, local GPO settings
are important because they are not overwritten by other GPOs. Stand-alone computers only use local
GPOs to control the environment.
Each Windows 8.1 computer has one local GPO that contains default computer and user settings
regardless of whether the computer is part of an AD DS environment. In addition to this default local
GPO, you can create custom local user GPOs. You can maintain these local GPOs by using the Local Group
Policy Editor snap-in.
Note: To access the Local Group Policy Editor, open a new Microsoft Management Console
(MMC) by running Mmc.exe, and then add the Group Policy Object Editor snap-in to the MMC.
By using Group Policy, you can define the state of users' work environments once and then rely on the
system to enforce the policies that you define. With the Group Policy snap-in, you can specify policy
settings for the following:
Registry-based policies include Group Policy for the Windows 8.1 operating system, its components,
and for apps. To manage these settings, use the Administrative Templates node of the Group Policy
Editor snap-in.
Security options include options for local computer security settings.
You can use software installation and maintenance options to centrally manage program installation,
updates, and removal.
Script options include scripts for computer startup and shutdown, and user sign-in and sign-out.
Using the Group Policy Object Editor
The Group Policy Object Editor contains the following major nodes:
Computer Configuration. This section enables you to set policies that are applied to a computer
regardless of who logs on to the computers. Computer Configuration typically contains subitems for
software settings, Windows settings, and administrative templates.
User Configuration. This section enables you to set policies that apply to users regardless of which
computer they sign in to. User Configuration typically contains subitems for software settings,
Windows settings, and administrative templates.
To use the Group Policy Object Editor, perform the following steps:
1. Expand the GPO that you want, such as Local Computer Policy.
2. Expand the configuration item that you want, such as Computer Configuration.
3. Expand the subitem that you want, such as Windows Settings.
4. Navigate to the folder that contains the policy setting that you want. The policy settings are displayed
in the right pane on the Group Policy Editor snap-in.
Note: If no policy is defined for the selected item, right-click the folder that you want. On
the shortcut menu that appears, point to All Tasks, and then click the command that you want.
The commands that are displayed on the All Tasks submenu are context-sensitive. Only those
commands that are applicable to the selected policy folder appear on the menu.
5. In the Setting list, double-click the policy setting that you want.
Note: When you work with policy settings in the Administrative Templates folder, if you
want to view more information about the selected policy setting, click the Extended tab in the
right pane of the MMC.
6. Edit the settings of the policy in the dialog box that appears, and then click OK.
7. When you are finished, quit the MMC.
Note: If you need to maintain domain-level GPOs from a Windows 8.1 client computer
without initiating an interactive session, you first must install Remote Server Administration Tools
(RSAT) on your Windows 8.1 client computer, and then install the Group Policy Management
Console (GPMC). This provides remote access to the domain-level GPOs on Windows Server 2008
and newer servers.
For more information, see Remote Server Administration Tools for Windows 8.1 Preview at
the Microsoft Download Center.
http://go.microsoft.com/fwlink/?LinkId=378249&clcid=0x409
How Do You Apply GPOs?
Client components known as Group Policy client-
side extensions initiate Group Policy by requesting
GPOs from the domain controller that
authenticated them. Group Policy client-side
extensions interpret and apply policy settings.
Windows 8.1 applies computer settings when a
computer starts, and it applies user settings when
a user signs in to a computer. Both computer and
user settings are refreshed at regular, configurable
intervals. The default refresh interval is every 90
minutes.
Group Policy is processed in the following order:
1. Local Computer Policy settings.
2. Site-level policy settings.
Note: In smaller networks, you likely will configure all computers as part of a default AD DS
site object. Therefore, you can disregard the site-level AD DS container when planning GPOs.
3. Domain-level policy settings.
4. OU policy settings.
Note: Typically, you create an OU to contain objects such as users and computers that you
wish to administer in a similar manner. For example, you might want to delegate control of all
those objects to a local administrator, or you might want all the objects in an OU to have the
same configured settings. In small networks, you can configure most settings at the domain-level,
and then it is unnecessary to create complex, nested OU structures for management purposes.
Policy settings that are applied to higher-level containers pass through to all subcontainers in that part of
the AD DS tree. For example, a policy setting applied to an OU also applies to any child OUs below it.
If policy settings are applied at multiple levels, a user or computer receives the effects of all policy
settings. In case of a conflict between policy settings, the policy setting that is applied last is the effective
policy, though you can change this behavior as necessary.
Note: You can enforce individual policies, which ensures that the settings from an enforced
policy take precedence over other settings further down the AD DS tree. It also is possible to
block inheritance, although blocking is applied to containers rather than to policies. In large
network environments with many containers and policies, it sometimes can be difficult to
determine which settings from which policies are in force on a given computer or user. A domain
administrator can use the Group Policy Modeling and Group Policy Results nodes in the GPMC to
help determine the application of policies.
How Multiple Local GPOs Work
Securing computers and users' devices is an
important responsibility of a network
administrator. Given the plethora of configurable
settings, most domain administrators manage
these settings by using domain-based GPOs. For
stand-alone Windows 8.1 client computers, you
can address this issue through Multiple Local
Group Policy Objects (MLGPOs).
MLGPOs improve previous Local Group Policy
technology by allowing you to apply different
levels of Local Group Policy to local users on a
stand-alone computer. This technology is ideal for
shared computing environments where domain-based management is not available, such as shared
library computers or public Internet kiosks.
Introduction to MLGPO
Local Group Policy is a subset of the broader Group Policy technology. Group Policy is domain-based,
whereas Local Group Policy is specific to a local computer. Both technologies allow you to configure
specific settings in the operating system and then force those settings to computers and users.
Local Group Policy is not as robust as Group Policy. For example, you can use Group Policy to configure
any number of policies that might affect some, all, or none of the users of a domain-joined computer. You
can even use Group Policy to apply policies to users that have specific group memberships.
Local Group Policy
The Local Group Policy layer is the topmost layer in the list of MLGPOs. Local Group Policy, which also is
known as the Local Computer Policy, is the only Local GPO that allows computer settings. Besides
computer settings, you can select user settings. User settings that are contained in the Local Group Policy
apply to all users of the computer, even the local administrator. Local Group Policy behaves the same as
it did in previous versions of the Windows operating system.
Administrators and Non-Administrators Local Group Policy
The Administrators and Non-Administrators Local GPOs do not exist by default. You must create them if
you want to use them on your Windows 8.1 client. These GPOs act as a single layer and logically sort all
local users into two groups when a user signs in to the computer: a user is either an administrator or a
non-administrator. Users who are members of the Administrators group receive policy settings assigned in
the Administrators Local Group Policy. All other users receive policy settings assigned in the Non-
Administrators Local Group Policy.
User-Specific Group Policy
Local administrators can use the last layer of the Local GPO, Per-User Local GPOs, to apply specific policy
settings to a specific local user.
Processing Order
The benefits of MLGPOs come from the processing order of the three separate layers. The layers are
processed as follows:
1. The Local GPO applies first. This Local GPO might contain both computer and user settings. User
settings contained in this policy apply to all users, including the local administrator.
2. The Administrators and Non-Administrators Local GPOs are applied next. These two Local GPOs
represent a single layer in the processing order, and the user receives one or the other. Neither of
these Local GPOs contains computer settings.
3. User-specific Local Group Policy is applied last. This layer of Local GPOs contains only user settings,
and you apply it to one specific user on a local computer.
Conflict Resolution Between Policy Settings
Available user settings are the same between all Local GPOs. It is possible that a policy setting in one Local
GPO contradicts the same setting in another Local GPO. Windows 8.1 resolves these conflicts by using the
Last Writer Wins method. This method resolves conflicts by overwriting any previous setting with the last-
read (most current) setting. The final setting is the one that the Windows operating system uses.
For example, an administrator enables a setting in a Local GPO. The administrator then disables the same
setting in a user-specific Local GPO. When a non-administrator user signs in to the computer, the
Windows operating system reads the Local GPO first, followed by the Non-Administrators Local GPO, and
then the user-specific Local GPO.
The state of the policy setting is enabled when the Windows operating system reads the Local GPO. The
policy setting is not configured in the Non-Administrators Local GPO. This has no effect on the state of
the setting, so it remains enabled. The policy setting is disabled in the user-specific Local GPO. This
changes the state of the setting to disabled. Windows reads the user-specific Local GPO last; therefore, it
has the highest precedence. The Local Computer Policy has a lower precedence.
Domain Member Computers
Stand-alone computers benefit the most from MLGPOs because they are managed locally. Domain-based
computers apply Local Group Policy first and then domain-based policy. Windows 8.1 continues to use
the Last Writer Wins method for conflict resolution. Therefore, policy settings originating from domain
Group Policy overwrite any conflicting policy settings found in any Local Group Policy to include
administrative, non-administrative, and user-specific Local Group Policy.
You can disable the processing of local GPOs on clients that are running Windows 8.1 by enabling the
Turn off Local Group Policy objects processing policy setting in a domain GPO. You can find this
setting by expanding Computer Configuration, expanding Administrative Templates, expanding System,
and then clicking Group Policy.
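The layered evaluation described in the last three sections, written out as an added PowerShell example (this is not course material and not a Windows API; it only models the rule). The layer contents, the setting name and the user type are constructed inputs; the Domain layer and the processing switch model the domain-member behaviour described above.

```powershell
# Added example, not part of the course: a model of how Windows 8.1 resolves one
# policy setting across the MLGPO layers and then the domain layer, using the
# Last Writer Wins rule. Layer contents are constructed hashtables of
# setting name -> 'Enabled' | 'Disabled' | 'NotConfigured'.

function Resolve-EffectivePolicy {
    param(
        [Parameter(Mandatory)][string]$Setting,
        [Parameter(Mandatory)][hashtable]$LocalComputer,   # layer 1, applies to every user
        [hashtable]$Administrators     = @{},              # layer 2 (only one of the two is read)
        [hashtable]$NonAdministrators  = @{},
        [hashtable]$UserSpecific       = @{},              # layer 3, one named local user
        [hashtable]$Domain             = @{},              # domain GPOs, applied after all local layers
        [Parameter(Mandatory)][bool]$IsAdministrator,
        [bool]$LocalGpoProcessingDisabled = $false        # 'Turn off Local Group Policy objects processing'
    )

    # Layer 2 is a single layer: the user receives Administrators OR Non-Administrators.
    if ($IsAdministrator) { $layer2 = $Administrators;    $layer2Name = 'Administrators Local GPO' }
    else                  { $layer2 = $NonAdministrators; $layer2Name = 'Non-Administrators Local GPO' }

    $layers = @(
        [pscustomobject]@{ Name = 'Local Computer Policy';   Data = $LocalComputer; IsLocal = $true  }
        [pscustomobject]@{ Name = $layer2Name;               Data = $layer2;        IsLocal = $true  }
        [pscustomobject]@{ Name = 'User-specific Local GPO'; Data = $UserSpecific;  IsLocal = $true  }
        [pscustomobject]@{ Name = 'Domain GPO';              Data = $Domain;        IsLocal = $false }
    )

    $state  = 'NotConfigured'
    $source = '(none)'
    $trail  = New-Object System.Collections.Generic.List[string]

    foreach ($layer in $layers) {
        if ($LocalGpoProcessingDisabled -and $layer.IsLocal) {
            $trail.Add("$($layer.Name): skipped, local GPO processing is turned off")
            continue
        }
        $value = 'NotConfigured'
        if ($layer.Data.ContainsKey($Setting)) { $value = $layer.Data[$Setting] }

        if ($value -eq 'NotConfigured') {
            # Not Configured writes nothing, so the state from earlier layers survives.
            $trail.Add("$($layer.Name): Not Configured, state stays $state")
            continue
        }
        # Last Writer Wins: whatever this layer says replaces everything read before it.
        $state  = $value
        $source = $layer.Name
        $trail.Add("$($layer.Name): $value, now effective")
    }

    [pscustomobject]@{
        Setting        = $Setting
        EffectiveState = $state
        DecidedBy      = $source
        Trail          = $trail.ToArray()
    }
}

# --- Constructed walk-through that mirrors the example in the text ---
$setting = 'Prohibit access to Control Panel and PC settings'
$local   = @{ $setting = 'Enabled' }      # enabled in the Local GPO
$nonAdm  = @{}                            # not configured for non-administrators
$user    = @{ $setting = 'Disabled' }     # disabled in the user-specific Local GPO

# Stand-alone computer, a non-administrator signs in: the user-specific layer is read last.
$r1 = Resolve-EffectivePolicy -Setting $setting -LocalComputer $local -NonAdministrators $nonAdm `
        -UserSpecific $user -IsAdministrator $false
$r1.Trail | ForEach-Object { "  $_" }
"Stand-alone: $($r1.EffectiveState), decided by $($r1.DecidedBy)"

# Same local layers on a domain member whose domain GPO configures the setting.
$domain = @{ $setting = 'Enabled' }
$r2 = Resolve-EffectivePolicy -Setting $setting -LocalComputer $local -NonAdministrators $nonAdm `
        -UserSpecific $user -Domain $domain -IsAdministrator $false
"Domain member: $($r2.EffectiveState), decided by $($r2.DecidedBy)"

# With local GPO processing turned off by the domain, the local layers are never read.
$r3 = Resolve-EffectivePolicy -Setting $setting -LocalComputer $local -NonAdministrators $nonAdm `
        -UserSpecific $user -Domain $domain -IsAdministrator $false -LocalGpoProcessingDisabled $true
$r3.Trail | ForEach-Object { "  $_" }
"Processing off: $($r3.EffectiveState), decided by $($r3.DecidedBy)"
```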
Creating Multiple Local GPOs
MLGPOs are created by adding the snap-in for the Group Policy Object Editor to a MMC, and then
performing the following procedure:
1. Click Browse in the Select Group Policy dialog box.
2. Click the Users tab.
3. Select the object for which you want to create a special GPO. You must add a separate instance
of the snap-in for each instance of the local GPO that you want to create.
Question: An administrator selects the Disable the Security page policy setting in the Local
GPO. The administrator then enables the same setting in a user-specific Local GPO. The user
who logs on to the computer is not an administrator. Which policy setting will be applied to
this Local GPO?
Demonstration: Creating Multiple Local GPOs
In this demonstration, you will see how to:
Create a custom management console.
Modify the local policy settings.
Test multiple local Group Policy settings.
Demonstration Steps
Create a custom management console
1. Sign in to LON-CL1 as administrator.
2. Open the Microsoft Management Console, and then add the Group Policy Object Editor snap-in to
the console. Set the focus for the local computer.
3. Add the Group Policy Object Editor snap-in to the console again, this time selecting the
Administrators group as the focus.
4. Add the Group Policy Object Editor snap-in to the console for a third time, this time selecting the
Non-Administrators group as the focus.
5. Save the console to the desktop.
Modify the local policy settings
1. Create a logon script for the default computer policy.
2. Create a logon script that applies only to administrators.
3. Create a logon script that applies to non-administrators.
Test multiple local Group Policy settings
1. Sign in as a standard user to verify that both the computer and non-administrator policies apply.
2. Sign in as administrator to verify that both the computer and administrators policies apply.
Demonstration: Configuring Local Security Policy Settings
Security-Related Group Policy Settings
A computer that belongs to an AD DS domain receives many of its security-related configuration settings
through a GPO. You can use the Local Group Policy Editor to configure the same settings on a stand-
alone workstation that is running Windows 8.1.
To configure local Group Policy, run Gpedit.msc from the Run box with elevated permissions. You then
can use the local Group Policy Object Editor to configure the security-related settings that are described
in the following table.
Setting | Meaning
Password Policy | A subcomponent of Account Policies that enables you to configure password history, maximum and minimum password age, password complexity, and password length. Note: This only applies to local accounts.
Account Lockout Policy | A subcomponent of Account Policies that enables you to define settings related to the action that you want Windows 8.1 to take when a user enters an incorrect password at logon. Note: This only applies to local accounts.
Audit Policy | A subcomponent of Local Policies that enables you to define audit behavior for various system activities, including logon events and object access.
User Rights Assignment | A subcomponent of Local Policies that enables you to configure user rights, including the ability to sign in locally, access the computer from the network, and shut down the system.
Security Options | A subcomponent of Local Policies that enables you to configure many settings, including Interactive logon settings, UAC settings, and Shutdown settings.
WFAS | Enables you to configure the firewall settings.
Network List Manager Policies | Enables you to configure user options for configuring new network locations.
Public Key Policies | Include settings for Automatic Certificate Requests and Encrypted Data Recovery Agents.
Software Restriction Policies | Enables you to identify and control which applications can run on the local computer.
IP Security Policies | Enables you to create, manage, and assign Internet Protocol security (IPsec) policies.
Windows Update | Enables you to configure Automatic Updates. Located under Administrative Templates\Windows Components.

Disk Quotas | Enables you to configure disk quotas. Located under Administrative Templates\System.
Driver Installation | Enables you to configure driver installation behavior. Located under Administrative Templates\System.

After you configure the local policy, you can export security-related settings to a policy file and then save
them in a security template file with an .inf extension. You then can import the template into the Local
Group Policy Editor to use these templates to configure additional computers.
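An added PowerShell example (not course material) of the export-and-check workflow: secedit.exe writes the local policy to a template file, and the script compares the [System Access] values against a baseline. The sample template text and the baseline thresholds are constructed for illustration; take real thresholds from your organization's baseline.

```powershell
# Added example, not part of the course. Checks a local security template
# (the .inf that secedit.exe /export produces) against a constructed baseline.
# Run Export-LocalSecurityPolicy from an elevated prompt on a real machine,
# or use the constructed $sampleInf below to try the parser offline.

function Export-LocalSecurityPolicy {
    param([string]$Path = (Join-Path $env:TEMP 'local-security-policy.inf'))
    # secedit writes the template as UTF-16 with a BOM, which Get-Content detects.
    $null = & secedit.exe /export /cfg $Path /areas SECURITYPOLICY
    if ($LASTEXITCODE -ne 0) { throw "secedit.exe failed with exit code $LASTEXITCODE" }
    Get-Content -LiteralPath $Path
}

function Get-SecurityTemplateSection {
    # Returns the name=value pairs of one [Section] of a security template.
    param([Parameter(Mandatory)][string[]]$Lines, [Parameter(Mandatory)][string]$Section)
    $values  = @{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }           # blank or comment
        if ($line -match '^\[(.+)\]$') { $current = $Matches[1]; continue }
        if ($current -ne $Section) { continue }
        $name, $value = $line -split '\s*=\s*', 2
        $values[$name] = $value
    }
    $values
}

function Test-PasswordAndLockoutPolicy {
    # $Baseline maps a [System Access] setting name to @{ Min = n } and/or @{ Max = n }.
    param([Parameter(Mandatory)][hashtable]$SystemAccess,
          [Parameter(Mandatory)][hashtable]$Baseline)
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $rule   = $Baseline[$name]
        $actual = $null
        if ($SystemAccess.ContainsKey($name)) { $actual = [int]$SystemAccess[$name] }
        $compliant = $null -ne $actual                       # a missing setting is a finding
        if ($compliant -and $rule.ContainsKey('Min') -and $actual -lt $rule.Min) { $compliant = $false }
        if ($compliant -and $rule.ContainsKey('Max') -and $actual -gt $rule.Max) { $compliant = $false }
        # secedit stores 'password never expires' as MaximumPasswordAge = -1; a
        # Max-only rule would accept that value, so reject it explicitly.
        if ($name -eq 'MaximumPasswordAge' -and $actual -eq -1) { $compliant = $false }
        [pscustomobject]@{
            Setting   = $name
            Actual    = $actual
            Expected  = ($rule.GetEnumerator() | ForEach-Object { "$($_.Key) $($_.Value)" }) -join ', '
            Compliant = $compliant
        }
    }
}

# Constructed sample in the shape of a secedit export from a stand-alone workstation
# (values chosen for illustration, not captured from a real system).
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

# Constructed baseline thresholds (substitute the values from your own baseline).
$baseline = @{
    MinimumPasswordLength = @{ Min = 8 }
    PasswordComplexity    = @{ Min = 1; Max = 1 }
    PasswordHistorySize   = @{ Min = 24 }
    MaximumPasswordAge    = @{ Min = 1; Max = 60 }
    LockoutBadCount       = @{ Min = 1; Max = 10 }
}

$systemAccess = Get-SecurityTemplateSection -Lines $sampleInf -Section 'System Access'
Test-PasswordAndLockoutPolicy -SystemAccess $systemAccess -Baseline $baseline |
    Format-Table Setting, Actual, Expected, Compliant -AutoSize
```

To check a live machine, replace `$sampleInf` with the output of `Export-LocalSecurityPolicy`.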
This demonstration shows different security settings in the Windows 8.1 Local Group Policy Editor and
then reviews the changes to some of these settings.
Demonstration Steps
1. Sign in to LON-CL1 as administrator.
2. Open the Group Policy Management Editor.
3. Browse to Computer Configuration\Windows Settings\Security Settings, and then review the
settings.
Microsoft Security Compliance Manager
Within Microsoft, there is a group called the Solution Accelerators team, which works on presenting free
tools to help organizations make the most of the enterprise software that they use. As each version of an
underlying technology such as the Windows operating system or Internet Explorer is updated, the Solution
Accelerator tool also is updated, sometimes with improved functionality.
First released in 2010, the Security Compliance
Manager tool allows an enterprise administrator
to quickly configure and manage the computers
by using Group Policy and Microsoft System Center 2012 R2 Configuration Manager. Security Compliance
Manager has evolved over several years and continues to benefit from industry experts' feedback and
from extensive field use. This free tool comes complete with ready-to-deploy policies and desired
configuration management configuration packs, which can be used with Configuration Manager.
Administrators can modify any of the supplied policies to generate a custom policy that is available for
export. You then can incorporate the custom policy into your preferred deployment tool such as
Configuration Manager or the Microsoft Deployment Toolkit.
Administrators can use Security Compliance Manager to plan, deploy, operate, and manage security
baselines quickly, which are essential for securing Windows client and server operating systems, Microsoft
Office and other Microsoft applications. With Security Compliance Manager, you can configure the latest
software releases and also configure previous editions of Windows Server and Microsoft Office.
Throughout the lifespan of the tool, by default, Security Compliance Manager automatically checks for
new updates to the available baselines each time you start the tool. Some of the key features of Security
Compliance Manager are:
Baselines based on Microsoft security guide recommendations and industry best practices. You can
compare your configuration against industry best practices for the latest Windows client and server
operating systems.
Centralized security baseline management features to manage the security and compliance process
efficiently.
Gold master support that allows the import of your existing Group Policy to reuse and deploy.
Stand-alone machine configuration that allows you to deploy your configurations to computers that
are not domain-joined.
Updated security guides provide security expertise and best practices.
For more information, see the Microsoft Security Compliance Manager page at the
Microsoft Download Center.
http://go.microsoft.com/fwlink/?LinkId=378250&clcid=0x409
For more information, see Solution Accelerators Downloads on the Microsoft TechNet
website.
http://go.microsoft.com/fwlink/?LinkId=378251&clcid=0x409
Question: Discuss scenarios when you would use Security Compliance Manager in an
organization.
Question: Your organization creates operations manuals for customers and uses several
versions of Microsoft Word to produce the manuals, depending on client requirements.
What tool would you recommend for creating and maintaining baseline security
configurations for your organization if there is a requirement to ensure that all Microsoft
Office applications are configured with the latest security baseline?
Lab A: Implementing Local GPOs
Scenario
Holly Dickson is the IT manager at A. Datum Corporation. She has expressed a concern that some of the
laptop computers that users use outside of the A. Datum network are susceptible to security breaches. She
wants you to investigate how best to configure security and other settings on these computers.
Objectives
After completing this lab, you will be able to:
Create multiple local GPOs.
Test the Application of the local GPOs.
Lab Setup
Estimated Time: 20 minutes
Virtual machine: 20687C-LON-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 4 for 20687C-LON-CL1.
Exercise 1: Creating Multiple Local GPOs
Scenario
Although you typically configure most security and other settings by using domain-based GPOs, you
decide that for the roaming laptop computers, implementing local GPOs would achieve Holly's goal of
securing them. You decide to implement multiple local GPOs to ensure that administrator and standard
user accounts can have different settings.
The main tasks for this exercise are as follows:
1. Create a management console for multiple local Group Policy settings.
2. Configure the local computer settings.
3. Configure non-administrators security settings.
Task 1: Create a management console for multiple local Group Policy settings
1. Sign in to LON-CL1, and then open the Microsoft Management Console.
2. Add the following snap-ins to the console:
o Group Policy Object Editor: Local Computer
o Group Policy Object Editor: Administrators
o Group Policy Object Editor: Non-Administrators
3. Save the console to the Desktop with the name Multiple Local Group Policy Editor.
Task 2: Configure the local computer settings
1. Create a logon script in the Local Computer Policy.
2. Add the following text to the script file: msgbox "Warning. You are not connected to the A
Datum Domain."
3. Save the script file as RoamingScript.vbs.
4. Change Save as type: to All Files, and then click Save.
Task 3: Configure non-administrators security settings
1. Select the Non-Administrators Policy, and then navigate to User Configuration
\Administrative Templates\Control Panel.
2. Enable the Prohibit access to Control Panel and PC settings policy setting.

Results: After completing this exercise, you should have created and configured multiple local Group
Policy Objects (MLGPOs) successfully.
Exercise 2: Testing the Application of the Local GPOs
Scenario
You have created and configured multiple local GPOs successfully. You now must sign in to test the
application of the local GPOs.
The main tasks for this exercise are as follows:
1. Sign in as a standard user to test the policies.
2. Sign in as administrator to test the policies.
Task 1: Sign in as a standard user to test the policies
1. Sign out of LON-CL1.
2. Sign in as Adatum\Holly with password Pa$$w0rd, and then verify that the logon script runs on the
desktop.
3. Attempt to open Control Panel.
Task 2: Sign in as administrator to test the policies
1. Sign in as Adatum\Administrator with password Pa$$w0rd, and then verify that the logon script
runs on the desktop.
2. Attempt to open Control Panel.
3. Sign out of LON-CL1.

Results: After completing this exercise, you should have implemented and tested multiple local GPOs
successfully.
Prepare for the next lab
When you are finished with the lab, leave the virtual machines running as they are needed for the next
lab.

Lesson 3
Securing Data with EFS and BitLocker
Devices, laptops, and hard drives can be stolen, which poses a risk for confidential data. You can secure
data against these risks by using a two-phased defensive strategy that incorporates both EFS and
BitLocker.
This lesson provides a brief overview of EFS and BitLocker. However, IT professionals who are interested in
implementing EFS must research it thoroughly before making a decision to use it. To implement a secure
and recoverable EFS policy, you must have a more comprehensive understanding of EFS. If you implement
EFS without implementing proper recovery operations or without understanding how the feature works,
you can cause your data to be exposed unnecessarily.
BitLocker is another defensive strategy that complements EFS. BitLocker protects against data theft or
exposure on computers that are lost or stolen, and it offers more secure data deletion when computers
are decommissioned. Data on a lost or stolen computer is vulnerable to unauthorized access, either by
running a software attack tool against it or by transferring the computer's hard disk to a different
computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers by combining
two major data-protection procedures: encrypting the entire Windows operating system volume on the
hard disk, and encrypting multiple fixed volumes.
Lesson Objectives
After completing this lesson, you will be able to:
Describe EFS.
Describe how to encrypt and decrypt files with EFS.
Describe BitLocker.
Describe BitLocker To Go.
Describe BitLocker requirements.
Describe BitLocker modes.
Describe Group Policy settings for BitLocker.
Describe how to configure BitLocker.
Describe how to configure BitLocker To Go.
Describe how to recover BitLocker-encrypted drives.
What Is EFS?
EFS is a built-in file encryption tool for Windows-
based file systems. A component of the NTFS file
system, EFS enables transparent encryption and
decryption of files by using advanced, standard
cryptographic algorithms. Any individual or
program that does not possess an appropriate
cryptographic key cannot read encrypted data.
You can protect encrypted files even from those
who gain physical possession of a computer on
which files are stored; even people who are
authorized to access a computer and its file
system cannot view the data.
Encryption is a powerful addition to any defensive plan, but you also must use other defensive strategies
because encryption is not the correct countermeasure for every threat. Also, every defensive weapon, if
you use it incorrectly, carries a potential for harm.
The basic EFS features are as follows:
EFS encryption does not occur at the application level. It occurs at the file-system level. Therefore, the
encryption and decryption process is transparent to the user and the application. If you mark a folder
for encryption, EFS will encrypt every file created in or moved to the folder. Applications do not have
to understand EFS or manage EFS-encrypted files any differently than unencrypted files.
If a user attempts to open a file and possesses the necessary key, the file opens without additional
effort on the user's part. If a user does not possess the key, he or she receives an access-denied
message.
File encryption uses a symmetric key that it encrypts with a user's public key, which is stored in the file
header. Additionally, it stores a certificate with the user's public and private keys (known as
asymmetric keys) in the user's profile. This key pair is bound to a user identity and made available to
the user who has possession of the user ID and password. The user's private key must be available for
decryption of the file.
If a private key incurs damage or is lost, even the user who encrypted the file cannot decrypt it. If a
recovery agent exists, the file might be recoverable. If you implement key archival, then you can
recover the key and decrypt the file. Otherwise, the file might be lost. This encryption system is
referred to as Public Key Infrastructure.
You can archive a user's certificate that contains his or her public and private keys, such as exporting
it to a USB flash drive. You then can keep the USB flash drive in a safe place for recovery if the keys
incur damage or are lost.
A user's password protects the public and private keys. Any user who can obtain the user ID and
password can sign in as that user and then decrypt that user's files. Therefore, a strong password
policy and strong user education must be a component of each organization's security practices to
protect EFS-encrypted files.
EFS-encrypted files do not remain encrypted during transport if you save them to, or open them
from, a folder on a remote server. The file is decrypted and then traverses the network in plain text.
EFS then encrypts it locally if you save it to a folder on the local drive that is marked for encryption.
EFS-encrypted files can remain encrypted while traversing a network if you save them to a Web folder
by using the World Wide Web Distributed Authoring and Versioning protocol.
EFS is supported only on the NTFS file system. If a user has permission to decrypt a file and moves or
copies an encrypted file to a non-NTFS file system, such as a USB flash drive that is formatted with the
FAT or FAT32 file system, the file is decrypted and is no longer encrypted. If a user does not have
permission to decrypt a file and attempts to move or copy an encrypted file to a non-NTFS file
system, such as a USB flash drive that is formatted with the FAT or FAT32 file system, the operation
will result in a permission-denied error.
EFS supports industry-standard encryption algorithms, including Advanced Encryption Standard
(AES). AES uses a 256-bit symmetric encryption key and is the default EFS algorithm.
The following are additional important facts about implementing EFS on Windows 8.1:
• Support for storing private keys on smart cards. Windows 8.1 includes full support for storing users' private keys on smart cards. If a user signs in to Windows 8.1 with a smart card, EFS also can use the smart card for file encryption. Administrators can store their domain's recovery keys on a smart card. Recovering files is then as simple as signing in to the affected machine, either locally or by using Remote Desktop, and using the recovery smart card to access the files.
• Encrypting File System Rekeying Wizard. The Encrypting File System Rekeying Wizard allows users to choose an EFS certificate and then select and migrate the existing files that will use the newly chosen EFS certificate. Administrators can use the wizard to migrate users in existing installations from software certificates to smart cards. The wizard also is helpful in recovery situations because it is more efficient than decrypting and re-encrypting files.
• Group Policy settings for EFS. You can use Group Policy to control and configure EFS protection policies centrally for an entire enterprise. For example, Windows 8.1 allows page file encryption through the local security policy or Group Policy.
• Per-user encryption of Offline Files. You can use EFS to encrypt offline copies of files from remote servers. When this option is enabled, each file in the offline cache is encrypted with a public key from the user who cached the file. Thus, only that user has access to the file, and even local administrators cannot read the file without access to the user's private keys.
• Selective Wipe. A new feature of Windows 8.1 in a corporate environment is Selective Wipe. If a device is lost or stolen, an administrator can revoke the EFS key that was used to protect the files on the device. Revoking a key prevents all access to data files that are stored on a user's device.
Note: When users encrypt files in remote shared folders, their keys are stored on the file
server.
Obtaining Key Pairs
Users need asymmetric key pairs to encrypt data, and they can obtain these keys:
• From a CA. An internal or third-party CA can issue EFS certificates. This method provides central management and backups of keys.
• By self-generating them. If a CA is unavailable, users can generate a key pair. These keys have a lifespan of 100 years. This method is more cumbersome than using a CA because there is no centralized management, and users become responsible for managing their own keys. Additionally, it is more difficult to manage for recovery. However, it is still a popular method because no setup is required.
Managing EFS Certificates
EFS uses public key cryptography to allow file encryption. The keys are obtained from a user's EFS
certificate. Because EFS certificates also might contain private key information, you must manage them
correctly.
10-26 Securing Windows 8.1 Devices
Users can make encrypted files accessible to other users' EFS certificates. If you grant access to another
user's EFS certificate, that user can in turn make the file available to other users' EFS certificates.
Note: You can issue EFS certificates only to individual users, not to groups.
Backing Up Certificates
CAs can archive and recover CA-issued EFS certificates. Users must back up their self-generated EFS
certificates and private keys manually. To do this, they can export the certificate and private key to a
Personal Information Exchange (.pfx) file, which is password-protected during the export process. The
password then is required to import the certificate into a user's certificate store.
If you need to distribute only your public key, you can export the client EFS certificate without the private
key to a Canonical Encoding Rules (.cer) file. A user's private key is stored in the RSA folder of the user's
profile, under AppData\Roaming\Microsoft\Crypto. Because there is only one instance of the key, it is
vulnerable to hard-disk failure or data corruption.
The Certificates Microsoft Management Console (MMC) snap-in exports certificates and private keys. The
Personal Certificates store contains the EFS certificates.
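The same backup can be scripted instead of using the Certificates snap-in. The following is an added example, not code from the course: it locates the current user's EFS certificate in the Personal store by its Enhanced Key Usage, exports the certificate with its private key to a password-protected .pfx file, and exports the public key alone to a .cer file. It assumes the PKI module cmdlets available on Windows 8.1 (Export-PfxCertificate, Export-Certificate, Get-PfxCertificate); the export paths are placeholders.

```powershell
# Added example (not from the course): back up the current user's EFS certificate.
# Assumes the PKI module cmdlets on Windows 8.1 and an EFS certificate with a private key
# in the user's Personal store. Output paths are placeholders.
$EfsEku = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage OID for Encrypting File System

# Find certificates in the Personal store whose EKU includes EFS and that carry a private key.
$efsCerts = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $EfsEku) }

if (-not $efsCerts) {
    throw 'No EFS certificate with a private key was found in the Personal store.'
}

# If there is more than one (for example after rekeying), take the one that expires last.
$cert = $efsCerts | Sort-Object NotAfter -Descending | Select-Object -First 1
'Backing up EFS certificate {0} (expires {1:d})' -f $cert.Thumbprint, $cert.NotAfter

# 1. Certificate plus private key to a password-protected .pfx. This is the recovery copy;
#    keep it on removable media in a safe place, as the topic recommends.
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx export' -AsSecureString
$pfxPath = 'E:\EFS-Backup\efs-cert.pfx'     # placeholder: a USB flash drive kept offline
New-Item -ItemType Directory -Path (Split-Path $pfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# 2. Public key only to a .cer file. This is what another user needs in order to grant you
#    access to an encrypted file; it contains no private key, so it needs no password.
$cerPath = 'E:\EFS-Backup\efs-cert.cer'     # placeholder
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Sanity checks: the .cer must not contain a private key, and the .pfx must round-trip.
$public = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($public.HasPrivateKey) { throw 'Unexpected: the .cer export contains a private key.' }
$roundTrip = Get-PfxCertificate -FilePath $pfxPath   # prompts for the .pfx password
if ($roundTrip.Thumbprint -ne $cert.Thumbprint) {
    throw 'The .pfx export does not match the source certificate.'
}
'Backup complete. Restore with: Import-PfxCertificate -FilePath <pfx> -CertStoreLocation Cert:\CurrentUser\My'
```

Because the .pfx contains the private key, it is exactly as sensitive as the user's password: anyone holding the file and its password can decrypt that user's files, so the export password must be handled like a credential and the media stored offline.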
Sharing Encrypted Files
EFS users can share encrypted files with other users on file shares and in Web folders. With this support,
you can grant individual users permission to access an encrypted file. The ability to add users is restricted
to individual files. After you encrypt a file, you can enable file sharing through the user interface. You first
must encrypt a file and then save it before adding more users. You can add users from a local computer
or from AD DS if the user has a valid certificate for EFS.
It is important that users who elect to share encrypted files are aware of the following points:
• Shared EFS files are not file shares. If authorized users need to access shared EFS files over a network, a file share or Web folder is required. Alternatively, users can establish remote sessions with computers that store encrypted files by using Remote Desktop Services.
• Any user who is authorized to decrypt a file can authorize other users to access the file. Granting access is not limited to the file owner. Caution users to share files only with trusted accounts because those accounts can authorize other accounts. Removing the Write permission from a user or group of users can prevent this problem, but it also prevents the user or group from modifying the file.
• EFS sharing requires that the users who will have authorization to access the encrypted file have EFS certificates. These certificates can be located in roaming profiles or in the user profiles on the computer on which the file to be shared is stored, or they can be stored in and retrieved from AD DS.
• EFS sharing of an encrypted file often means that users will access the file across a network. It is best if Web folders are used for encrypted file storage whenever possible.
• If a user chooses to remotely access an encrypted file that is stored on a file share and authorizes other users to access the file, the authorization process and requirements are the same as on the local computer. Additionally, EFS must impersonate the user to perform this operation, and all the requirements for remote EFS operations on files stored on file shares apply.
• If a user chooses to remotely access an encrypted file that is stored on a Web folder and authorizes other users to access the file, the file automatically is transmitted to the local computer in ciphertext. The authorization process takes place on the local computer with the same requirements as for encrypted files stored locally.
Question: Why is it not possible to encrypt system files with EFS?
Demonstration: Encrypting Files and Folders with EFS
This demonstration shows how to encrypt and decrypt files and folders by using EFS.
Demonstration Steps
Create a new Microsoft Word document
1. Sign in to LON-CL1 as administrator.
2. Open File Explorer, and then create a new folder called Encrypted on drive C.
3. Create a Word document in this folder named Private.docx.
Encrypt the folder
1. Encrypt the new folder and its contents.
Confirm that the file and folder have been encrypted
1. Sign in as Holly.
2. Open File Explorer, and then navigate to C:\Encrypted\Private.docx.
3. Attempt to open the file to confirm that the file and folder have been encrypted.
Decrypt the folder
1. Sign in as administrator.
2. Open File Explorer, and then navigate to C:\Encrypted\Private.docx.
3. Decrypt the file and folder.
Confirm that the file and folder have been decrypted
1. Sign in as Holly.
2. Open File Explorer, and then navigate to C:\Encrypted\Private.docx.
3. Attempt to open the file to confirm that it has been decrypted.
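The demonstration above, and the sharing behaviour described under Sharing Encrypted Files, can both be reproduced from the command line with cipher.exe. The following is an added example, not part of the course demonstration: it creates the folder and document, encrypts them, confirms the Encrypted attribute, lists who can decrypt the file, grants a second user access from her exported public certificate, and finally decrypts the folder again. It assumes you run it as the user who encrypts the file (the administrator in the demonstration), that Holly's public EFS certificate has been exported to the placeholder .cer path, and it uses a plain text file named Private.docx in place of a real Word document.

```powershell
# Added example (not part of the course demonstration): scripts the EFS demonstration with cipher.exe
# and adds the "share with another user" step from the Sharing Encrypted Files topic.
# Assumptions: run as the file's owner; Holly's public EFS certificate exists at $hollyCer (placeholder);
# a plain file stands in for the Word document.
$folder   = 'C:\Encrypted'
$file     = Join-Path $folder 'Private.docx'
$hollyCer = 'C:\Certs\Holly-EFS.cer'        # placeholder: Holly's exported public EFS certificate (.cer)

function Test-EfsEncrypted([string]$Path) {
    # EFS sets the Encrypted attribute on encrypted files and on folders marked for encryption.
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

# 1. Create the folder and the document.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -LiteralPath $file -Value 'Constructed sample content.'

# 2. Encrypt the folder and its contents (/e = encrypt, /s:<dir> = apply to the folder tree).
& cipher.exe /e /s:$folder | Out-Null
if (-not (Test-EfsEncrypted $folder) -or -not (Test-EfsEncrypted $file)) {
    throw 'Encryption did not take effect.'
}
"Encrypted: $file"

# 3. Show who can decrypt the file: the owner's certificate and any recovery agent. Holly is not
#    listed, which is why she gets an access-denied message when she opens the file in the demo.
& cipher.exe /c $file

# 4. Share the file with Holly by adding her EFS certificate. Only a user who can already decrypt
#    the file can do this, and Holly could in turn add further users, as the topic warns.
if (Test-Path -LiteralPath $hollyCer) {
    & cipher.exe /adduser /certfile:$hollyCer $file | Out-Null
    & cipher.exe /c $file          # Holly's certificate now appears in the list
} else {
    "Skipping sharing step: $hollyCer not found."
}

# 5. Decrypt the folder and its contents (/d) and confirm the attribute is gone.
& cipher.exe /d /s:$folder | Out-Null
if ((Test-EfsEncrypted $folder) -or (Test-EfsEncrypted $file)) {
    throw 'Decryption did not take effect.'
}
"Decrypted: $file"
```

Running `cipher.exe /c` before and after the `/adduser` step is the practical check for the point the topic makes: the list of certificates that can open the file is the real access control, independent of the NTFS permissions on it.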
What Is BitLocker?
BitLocker provides protection for a computer operating system and the data that is stored on the operating system volume. It helps ensure that data stored on a computer remains encrypted even if someone tampers with the computer when the operating system is not running. BitLocker provides a closely integrated solution in Windows 8.1 to address the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
Data on a lost or stolen computer can become vulnerable to unauthorized access when a user either runs a software attack tool against it or transfers the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access by enhancing Windows file and system protections. BitLocker also helps render data inaccessible when you decommission or recycle BitLocker-protected computers.
BitLocker performs two functions that provide offline data protection and system-integrity verification:
• It encrypts all data that is stored on a Windows operating system volume and configured data volumes. This includes the Windows operating system, hibernation and paging files, applications, and application data. BitLocker also provides umbrella protection for non-Microsoft applications, which benefits the applications automatically when they are installed on an encrypted volume.
• By default, it is configured to use a TPM to help ensure the integrity of startup components, which an operating system uses in the early stages of the startup process. It locks any BitLocker-protected volumes, so they remain protected even if someone tampers with the computer when the operating system is not running. We will see later in this module that BitLocker can be enabled on devices without a TPM chip.
Note: BitLocker is available in the Windows 8.1 Pro and Windows 8.1 Enterprise editions
only.
System Integrity Verification
BitLocker uses a TPM to verify the integrity of the startup process by:
• Providing a method to check that early boot file integrity has been maintained, and to help ensure that there has been no adverse modification of those files, such as with boot sector viruses or rootkits.
• Enhancing protection to mitigate offline software-based attacks. Any alternative software that might start the system does not have access to the decryption keys for a Windows operating system volume.
• Locking the system when it is tampered with. If any monitored files have been tampered with, the system does not start. This alerts a user to tampering because the system fails to start as usual. In the event that system lockout occurs, BitLocker offers a simple recovery process.
In conjunction with a TPM, BitLocker verifies the integrity of early startup components, which helps
prevent additional offline attacks, such as attempts to insert malicious code into those components. This
functionality is important because the components in the earliest part of the startup process must be
available unencrypted so that the computer can start.
Without this verification, an attacker could change the code of those unencrypted early startup components and
then gain access to a computer even though the data on the disk was encrypted. If the attacker then obtained
confidential information, such as the BitLocker keys or user passwords, the attacker could circumvent
BitLocker and other Windows security protections.
Comparing BitLocker and EFS
The following table compares BitLocker and EFS encryption functionality.
BitLocker functionality | EFS functionality
Encrypts volumes (the entire operating system volume, including Windows system files and the hibernation file) | Encrypts files
Does not require user certificates | Requires user certificates
Protects the operating system from modification | Does not protect the operating system from modification
Device Encryption
Device encryption is a new feature built into all versions of Windows 8.1. It uses the same encryption
technology that was implemented on Windows RT devices to help protect your device's data by blocking
malicious users from accessing any of the files on your drive. In previous versions of Windows operating
systems, a thief could physically remove a drive from a computer and then install it into a different device,
thereby bypassing logon security.
By default, device encryption protects the operating system drive and any fixed data drives on the system
by using AES 128-bit encryption, which uses the same technology as used in BitLocker. Device encryption
can be used with either a Microsoft account or a domain account.
Device encryption is enabled automatically on all versions of Windows 8.1 on new devices so that the
device is always protected. Supported devices that are upgraded to Windows 8.1 with a clean installation
also will benefit from device encryption.
A user can turn off device encryption by using PC info within PC and devices, which can be found within
Change PC Settings. The Device Encryption section appears at the bottom of the PC info page and can be
turned off for all devices except those running Windows 8 RT.
BitLocker To Go
When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer asset. As more people use removable storage devices, they can lose data without losing a computer. BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker support to removable storage devices such as USB flash drives, and you can manage it through Group Policy.
In Windows 8.1, users can encrypt their removable media by opening File Explorer, right-clicking the drive, and clicking Turn On BitLocker. They then will be asked to choose a method to unlock the drive. These options include:
• Password. This is a combination of letters, symbols, and numbers that a user will enter to unlock a drive.
• Smart card. In most cases, a smart card is issued by your organization, and a user enters a smart card PIN to unlock a drive.
After choosing an unlock method, users must print or save their recovery key. You can store this 48-digit
key in AD DS so that you can use it if other unlock methods fail, such as when users forget their
passwords. Finally, users must confirm their unlock selections to begin encryption. When you insert a
BitLocker-protected drive into your computer, the Windows operating system will detect that the drive is
encrypted automatically and then prompt you to unlock it.
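The same steps the File Explorer wizard walks a user through (choose an unlock method, save a recovery key, start encryption) can be performed with the BitLocker module cmdlets that ship with Windows 8.1. The following is an added example, not code from the course: it turns on BitLocker To Go for a removable drive with a password as the unlock method, adds the 48-digit recovery password, and backs that recovery password up to AD DS. It assumes an elevated session on a domain-joined computer whose Group Policy permits AD DS backup for removable drives; the drive letter is a placeholder.

```powershell
# Added example (not from the course): BitLocker To Go from PowerShell.
# Assumes the BitLocker module (Windows 8 and later), an elevated session, and a domain-joined
# computer whose policy allows recovery information for removable drives to be stored in AD DS.
$removable = 'F:'   # placeholder: the USB flash drive to protect

$vol = Get-BitLockerVolume -MountPoint $removable
if ($vol.VolumeType -ne 'Data') { throw "$removable is not a data volume." }
if ($vol.ProtectionStatus -eq 'On') { "BitLocker is already on for $removable"; return }

# Unlock method: a password. Length and complexity can be enforced centrally with the
# "Configure use of passwords for removable data drives" policy setting.
$pw = Read-Host -Prompt 'BitLocker To Go password' -AsSecureString

# -UsedSpaceOnly makes a mostly empty drive encrypt quickly; prefer full encryption for a drive
# that already held data, so that deleted-but-unoverwritten files are covered too.
Enable-BitLocker -MountPoint $removable -PasswordProtector -Password $pw `
    -EncryptionMethod Aes128 -UsedSpaceOnly | Out-Null

# Recovery password: the 48-digit key the wizard asks the user to print or save.
Add-BitLockerKeyProtector -MountPoint $removable -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $removable).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'

# Keep the copy in AD DS so the help desk can unlock the drive if the user forgets the password.
Backup-BitLockerKeyProtector -MountPoint $removable -KeyProtectorId $recovery.KeyProtectorId
'Recovery password ID {0} backed up to AD DS' -f $recovery.KeyProtectorId

Get-BitLockerVolume -MountPoint $removable |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } }

# On another Windows 8.1 computer the drive is detected as encrypted and prompts for the password.
# The equivalent from PowerShell, or with the recovery password if the user has forgotten it:
#   Unlock-BitLocker -MountPoint $removable -Password $pw
#   Unlock-BitLocker -MountPoint $removable -RecoveryPassword '<48-digit recovery password>'
```

Backing the recovery password up before encryption finishes matters: until a recovery protector exists somewhere other than the user's memory, a forgotten password means the data on the drive is gone.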
BitLocker Requirements
In both Windows 7 and Windows 8.1, drives are prepared for use by BitLocker automatically. As a result, there is no need to create separate partitions before turning BitLocker on. This is an improvement over BitLocker in Windows Vista, which required that users manually partition their hard drive.
Windows 8.1 automatically creates the system partition on a hard drive. This partition does not have a drive letter, so it is not visible in File Explorer and data files will not be written to it inadvertently. In a default installation, a computer will have a separate system partition and an operating system drive. The system partition is smaller in Windows 7 and Windows 8.1 than in Windows Vista, requiring only 100 megabytes (MB) of space.
You can use BitLocker to encrypt operating system drives, fixed data drives, and removable data drives in
Windows 8.1. When you use BitLocker with data drives, you can format the drive with the exFAT, FAT16,
FAT32, or NTFS file system, but the drive must have at least 64 MB of available disk space. When you use
BitLocker with operating system drives, you must format the drive with the NTFS file system.
Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from
the hard disk, you must have one of the following:
• A computer with TPM 1.2.
• A removable USB memory device, such as a USB flash drive.
On computers that do not have TPM 1.2, you still can use BitLocker to encrypt the Windows operating
system volume. However, this implementation requires the user to insert a USB startup key to start the
computer or resume from hibernation, and it does not provide the prestartup system integrity verification
that BitLocker provides when working with a TPM.
Additionally, BitLocker offers the option to lock the normal startup process until a user supplies a PIN or
inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security
measures provide multifactor authentication and assurance that a computer will not start or resume from
hibernation until the correct PIN or startup key is presented.
Hardware Requirements
To turn on BitLocker, a computer must:
• Have the hard drive space necessary for Windows 8.1 to create two disk partitions: one for the operating system volume and one for the system volume:
o Operating system volume. This partition includes the drive on which you install Windows. BitLocker encrypts this drive, which no longer needs a drive letter.
o System volume. A second partition is created as needed when you enable BitLocker in Windows 8.1. This partition must remain unencrypted so that you can start the computer. This partition must be at least 100 MB, and must be set as the active partition.
• Have a BIOS that is compatible with TPM or supports USB devices during computer startup. The BIOS must be:
o Trusted Computing Group (TCG) compliant.
o Set to start first from the hard disk, and not the USB or CD drives.
o Able to read from a USB flash drive during startup.
Determining if a Computer Has a TPM Version 1.2 Chip
BitLocker does not require a TPM. However, only a computer with a TPM can provide the additional
security of prestartup system-integrity verification. Perform the following procedure to determine if a
computer has a TPM version 1.2 chip:
1. Open Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. In the lower left corner, click TPM Administration. The TPM Management on Local Computer
console opens. If the computer does not have a TPM 1.2 chip, the Compatible TPM cannot be
found message appears.
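The same check can be done without the console, which is useful when you need to assess many computers before a BitLocker rollout. The following is an added example, not code from the course: it reports whether a TPM is present, which specification version it implements, and whether it is ready for BitLocker, using the Get-Tpm cmdlet (TrustedPlatformModule module, Windows 8 and later) and the Win32_Tpm WMI class. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the course): TPM presence, version and readiness report.
# Uses Get-Tpm (TrustedPlatformModule module) and the Win32_Tpm WMI class; run elevated.
function Get-TpmReport {
    $report = [ordered]@{
        TpmPresent = $false; SpecVersion = $null
        Enabled = $null; Activated = $null; Owned = $null; Ready = $false
    }

    # Win32_Tpm exists only when a TPM is present; SilentlyContinue covers the no-TPM case.
    $wmiTpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
        -ErrorAction SilentlyContinue
    if ($wmiTpm) {
        $report.TpmPresent  = $true
        # SpecVersion looks like "1.2, 2, 3" (specification, revision, errata);
        # the first field is the version BitLocker cares about.
        $report.SpecVersion = ($wmiTpm.SpecVersion -split ',')[0].Trim()
        $report.Enabled     = $wmiTpm.IsEnabled_InitialValue
        $report.Activated   = $wmiTpm.IsActivated_InitialValue
        $report.Owned       = $wmiTpm.IsOwned_InitialValue
    }

    # Get-Tpm summarizes readiness: present, enabled, activated, owned and not locked out.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm) { $report.Ready = [bool]$tpm.TpmReady }

    return [pscustomobject]$report
}

$r = Get-TpmReport
if (-not $r.TpmPresent) {
    'No TPM found. BitLocker can still protect the OS drive with a USB startup key if Group Policy ' +
    'allows it, but without pre-startup integrity verification.'
} elseif ([version]$r.SpecVersion -lt [version]'1.2') {
    "TPM $($r.SpecVersion) found, but BitLocker requires TPM 1.2 or later."
} elseif (-not $r.Ready) {
    "TPM $($r.SpecVersion) found but not ready (enabled=$($r.Enabled), activated=$($r.Activated), " +
    "owned=$($r.Owned)). Initialize it in the TPM Management console or with Initialize-Tpm."
} else {
    "TPM $($r.SpecVersion) is present and ready for BitLocker."
}
```

A TPM that is present but not enabled or activated in the BIOS produces the same "Compatible TPM cannot be found" result as no TPM at all, so the enabled and activated flags are the first thing to check when the console reports no TPM on hardware that is known to have one.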
BitLocker Modes
BitLocker can run on two types of computers:
• Those that are running TPM 1.2 and newer
• Those without TPM 1.2, but which have a removable USB memory device
This topic provides an in-depth examination of these two BitLocker modes.
Computers with TPM 1.2
The most secure implementation of BitLocker takes advantage of the enhanced security capabilities of TPM 1.2. The TPM is a hardware component that manufacturers install in many newer computers. It works with BitLocker to help protect user data and to ensure that a computer that is running Windows 8.1 is not tampered with while the system is offline.
BitLocker supports TPM 1.2, but it does not support older TPMs. Version 1.2 TPMs provide increased
standardization, security enhancement, and improved functionality compared to previous versions.
Windows 8.1 was designed with these TPM improvements in mind.
On computers that have TPM 1.2, BitLocker uses the enhanced TPM security capabilities to help ensure
that your data is accessible only if the computer's startup components appear unaltered and the
encrypted disk is located in the original computer.
If you enable BitLocker on a Windows 8.1 computer that has TPM 1.2, you can add the following
additional factors of authentication to the TPM protection:
• BitLocker offers the option to lock the normal startup process until a user supplies a PIN or inserts a USB device, such as a flash drive, that contains a BitLocker startup key.
• Both the PIN and the USB device can be required.
In a scenario that uses a TPM with an advanced startup option, you can add a second factor of
authentication to the standard TPM protection: a PIN or a startup key on a USB flash drive. To use a USB
flash drive with a TPM, the computer must have a BIOS that can read USB flash drives in the pre-operating
system environment (at startup). You can check your BIOS by running a hardware test near the end of the
BitLocker setup wizard.
These additional security measures provide multifactor authentication and help ensure that the computer
will not start or resume from hibernation until a user presents the correct authentication method.
How TPM Works
On computers equipped with a TPM, each time a computer starts, each of the early startup components,
such as the BIOS, the boot sector, and the boot manager code, examines the code that is about to run,
calculates a hash value, and stores the value in the TPM. Once that value is stored in the TPM, it cannot be
replaced until the user restarts the system. A combination of these values is recorded.
You can use these recorded values to protect data by using the TPM to create a key that links to these
values. When you create this type of key, the TPM encrypts it and only that specific TPM can decrypt it.
Each time the computer starts, the TPM compares the values generated during the current startup with
the values that existed when the key was created. It decrypts the key only if those values match. This
process is called sealing and unsealing the key.
As part of its system integrity verification process, BitLocker examines and seals keys to the measurements
of the following:
• The Core Root of Trust for Measurement
• The BIOS and any platform extensions
• Option read-only memory (ROM) code
• Master boot record code
• The NTFS boot sector
• The Boot Manager
If any of these items change unexpectedly, BitLocker locks the drive to prevent it from being accessed or
decrypted.
Computers Without TPM 1.2
By default, BitLocker is configured to look for and use a TPM. You can use Group Policy to allow BitLocker
to work without a TPM and store keys on an external USB flash drive. However, BitLocker then cannot
verify early startup components.
You can enable BitLocker on a computer without TPM 1.2 as long as the BIOS has the ability to read from
a USB flash drive in the boot environment. This is because BitLocker will not unlock a protected volume
until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash
drive containing the BitLocker startup key for that computer. However, computers without TPMs will not
be able to use the system-integrity verification that BitLocker provides.
If a startup key is located on a USB flash drive, your computer must have a BIOS that can read USB flash
drives in the pre-operating system environment (at startup). You can check your BIOS by running the
hardware test that is near the end of the BitLocker setup wizard.
To help determine whether a computer can read from a USB device during the boot process, use the
BitLocker System Check as part of the BitLocker setup process. This system check performs tests to
confirm that the computer can read from USB devices properly at the appropriate time and that the
computer meets other BitLocker requirements.
To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker
user interface. With advanced options enabled, the non-TPM settings appear in the BitLocker setup
wizard.
Question: What is a disadvantage of running BitLocker on a computer that does not contain
TPM 1.2?
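The two modes described in this topic correspond to two different key protectors on the operating system drive. The following is an added example, not code from the course: it enables BitLocker on the operating system drive, using TPM plus PIN when a ready TPM is found and a USB startup key otherwise, then adds a recovery password and backs it up to AD DS. It assumes the BitLocker module cmdlets (Windows 8 and later), an elevated session, and that the relevant "Require additional authentication at startup" options are allowed by Group Policy; the USB drive letter is a placeholder.

```powershell
# Added example (not from the course): enable BitLocker on the OS drive in TPM or non-TPM mode.
# Assumes the BitLocker module, an elevated session, and Group Policy that permits the chosen
# protector (TPM + PIN, or "Allow BitLocker without a compatible TPM" for the startup-key case).
$osDrive       = 'C:'
$startupKeyUsb = 'E:\'   # placeholder: USB flash drive the BIOS can read at startup (non-TPM mode)

$vol = Get-BitLockerVolume -MountPoint $osDrive
if ($vol.ProtectionStatus -eq 'On') { "BitLocker is already on for $osDrive"; return }

$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmReady) {
    # TPM mode: the volume master key is sealed to the platform measurements, so the drive only
    # unlocks when the early startup components are unchanged. A PIN adds a second factor.
    $pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
    Enable-BitLocker -MountPoint $osDrive -TpmAndPinProtector -Pin $pin `
        -EncryptionMethod Aes256 -SkipHardwareTest | Out-Null
} else {
    # Non-TPM mode: the key is released by a startup key (.BEK) on the USB drive instead, and there
    # is no integrity verification of the early startup components. The hardware test is kept here
    # (no -SkipHardwareTest): it restarts once to prove the BIOS can read the USB drive at startup.
    Enable-BitLocker -MountPoint $osDrive -StartupKeyProtector -StartupKeyPath $startupKeyUsb `
        -EncryptionMethod Aes256 | Out-Null
}

# Always add a recovery password so the drive can be unlocked if the TPM, PIN or startup key is
# unavailable (for example after a firmware update changes the measurements), and keep it in AD DS.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $recovery.KeyProtectorId

Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } }
```

The Protectors column in the final output is the quickest way to see which mode a computer ended up in: a TPM computer shows TpmPin (or Tpm) plus RecoveryPassword, while a non-TPM computer shows ExternalKey plus RecoveryPassword and gains no protection against modified startup components.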
Group Policy Settings for BitLocker
BitLocker in Windows 8.1 introduces several new Group Policy settings that permit straightforward feature management. For example, you can:
• Require all removable drives to be BitLocker-protected before users can save data to them.
• Require or disallow specific methods for unlocking BitLocker-protected drives.
• Configure methods to recover data from BitLocker-protected drives if a user's unlock credentials are not available.
• Require or prevent different types of recovery password storage or make them optional.
• Prevent BitLocker from being enabled if the keys cannot be backed up to AD DS.
In addition to recovery passwords, you can use Group Policy to configure a domain-wide public key called
a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker.
Before you can use a data recovery agent, you must add it from the Public Key Policies item in either the
GPMC or the Local Group Policy Editor.
To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the
drives that you are using with BitLocker. These policy settings are:
• Choose how BitLocker-protected operating system drives can be recovered
• Choose how BitLocker-protected removable data drives can be recovered
• Choose how BitLocker-protected fixed data drives can be recovered
When you enable the policy setting, select the Enable data recovery agent check box. There is a policy
setting for each type of drive, so you can configure individual recovery policies for each type of drive on
which you enable BitLocker.
You also must enable and configure the Provide the unique identifiers for your organization policy
setting to associate a unique identifier with a new drive that is protected with BitLocker. Identification
fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will
manage and update data recovery agents only when an identification field is present on a drive and is
identical to the value that is configured on the computer.
Using these policy settings helps enforce standard deployment of BitLocker in your organization. Group
Policy settings that affect BitLocker are located in Computer Configuration\Administrative
Templates\Windows Components\BitLocker Drive Encryption. Globally applied BitLocker Group Policy
settings are located in this folder. Subfolders for fixed data drives, operating system drives, and removable
drives support the configuration of policy settings specific to those drives.
Note: If you want to use BitLocker to protect an operating system drive on a computer that
does not have a TPM, you must enable the Require additional authentication at startup policy
setting, and then within that setting, click Allow BitLocker without a compatible TPM.
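Whether these settings have actually reached a computer, and whether the volumes on it comply, can be checked from PowerShell. The following is an added example, not code from the course: it reads the policy values that the BitLocker Drive Encryption administrative template writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and compares the configured encryption method with the method in use on each volume. The value names (UseAdvancedStartup, EnableBDEWithNoTPM, EncryptionMethod, EncryptionMethodNoDiffuser) and the numeric method codes are assumptions taken from that template, not from the course; a value is absent when its setting is Not Configured. Run elevated.

```powershell
# Added example (not from the course): audit applied BitLocker policy against actual volume state.
# Registry value names and method codes are assumed from the BitLocker ADMX (VolumeEncryption.admx),
# not taken from the course; absent values mean the setting is Not Configured. Run elevated.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

function Get-PolicyValue([string]$Name) {
    if ($fve -and $fve.PSObject.Properties[$Name]) { return $fve.$Name }
    return $null
}

# "Require additional authentication at startup": UseAdvancedStartup=1 when Enabled;
# EnableBDEWithNoTPM=1 is the "Allow BitLocker without a compatible TPM" check box.
$advancedStartup = Get-PolicyValue 'UseAdvancedStartup'
$allowNoTpm      = Get-PolicyValue 'EnableBDEWithNoTPM'

# "Choose drive encryption method and cipher strength". The Windows 8 version of the setting writes
# EncryptionMethodNoDiffuser (3 = AES 128, 4 = AES 256); the older setting writes EncryptionMethod
# (1/2 = AES 128/256 with Diffuser, 3/4 = AES 128/256). Assumed codes, see lead-in.
$methodNames  = @{ 1 = 'Aes128Diffuser'; 2 = 'Aes256Diffuser'; 3 = 'Aes128'; 4 = 'Aes256' }
$policyMethod = Get-PolicyValue 'EncryptionMethodNoDiffuser'
if ($null -eq $policyMethod) { $policyMethod = Get-PolicyValue 'EncryptionMethod' }
$expected = if ($policyMethod) { $methodNames[[int]$policyMethod] } else { $null }

[pscustomobject]@{
    RequireAdditionalAuthAtStartup = if ($advancedStartup -eq 1) { 'Enabled' }
                                     elseif ($advancedStartup -eq 0) { 'Disabled' }
                                     else { 'Not Configured' }
    AllowBitLockerWithoutTpm       = if ($advancedStartup -eq 1 -and $allowNoTpm -eq 1) { 'Yes' }
                                     elseif ($advancedStartup -eq 1) { 'No' }
                                     else { 'Not Configured' }
    PolicyEncryptionMethod         = if ($expected) { $expected } else { 'Not Configured (Windows default)' }
}

# A volume encrypted before the policy changed keeps its original method, so policy and reality can differ.
Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType
        ProtectionStatus = $_.ProtectionStatus
        EncryptionMethod = $_.EncryptionMethod
        MatchesPolicy    = if ($_.VolumeStatus -eq 'FullyDecrypted' -or -not $expected) { 'n/a' }
                           else { [string]$_.EncryptionMethod -eq $expected }
    }
}
```

A MatchesPolicy value of False is not an error condition but a migration task: the policy only governs new encryption operations, so bringing an older volume onto the required cipher means decrypting and re-encrypting it.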
Summary of Group Policy Settings
The BitLocker Drive Encryption folder contains the following subfolders: Fixed Data Drives, Operating
System Drives, and Removable Data Drives.
The following table summarizes some of the key policy settings that affect Windows 8.1 client computers.
Each setting includes the following options: Not Configured, Enabled, and Disabled. The default setting
for each setting is Not Configured.
Setting name | Location | Description
Choose default folder for recovery password | BitLocker Drive Encryption folder | This specifies a default location, which is shown to the user, to which the user can save recovery keys. This can be a local or network location. The user is free to choose other locations.
Choose drive encryption method and cipher strength | BitLocker Drive Encryption folder | This allows you to configure the algorithm and cipher strength that BitLocker uses to encrypt files. If you enable this setting, you will be able to choose an encryption algorithm and key cipher strength. If you disable or do not configure this setting, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method that the setup script specifies.
Provide the unique identifiers for your organization | BitLocker Drive Encryption folder | This allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. BitLocker will manage and update data recovery agents only when the identification field on the drive matches the value that you configure in the identification field. This also applies to removable drives that you configure by using BitLocker To Go.
Prevent memory overwrite on restart | BitLocker Drive Encryption folder | This controls computer restart performance at the risk of exposing BitLocker secrets. BitLocker secrets include key material that you use to encrypt data. If you enable this setting, memory will not be overwritten when the computer restarts. This can improve restart performance, but it does increase the risk of exposing BitLocker secrets. If you disable or do not configure this setting, BitLocker removes secrets from memory when the computer restarts.
Deny write access to fixed drives not protected by BitLocker | Fixed Data Drives folder | This determines whether BitLocker protection is required for fixed data drives to be writable on a computer. If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is BitLocker-protected, or if you disable or do not configure this setting, all fixed data drives will be mounted with read/write permission.
Allow access to BitLocker-protected data drives from earlier versions of Windows | Fixed Data Drives folder | This configures whether fixed data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and Windows XP with Service Pack 3 (SP3) or Service Pack 2 (SP2) operating systems.
Choose how BitLocker-protected fixed drives can be recovered | Fixed Data Drives folder | This allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.
Require additional authentication at startup | Operating System Drives folder | This allows you to configure whether you can enable BitLocker on computers without a TPM, and whether you can use multifactor authentication on computers with a TPM.
Choose how BitLocker-protected operating system drives can be recovered | Operating System Drives folder | This allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.
Configure TPM platform validation profile | Operating System Drives folder | This configures which of the TPM platform measurements stored in the Platform Configuration Register indices are used to seal BitLocker keys.
Control use of BitLocker on removable drives | Removable Data Drives folder | This controls the use of BitLocker on removable data drives.
Configure use of smart cards on removable data drives | Removable Data Drives folder | This allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable drives on a computer.
Deny write access to removable drives not protected by BitLocker | Removable Data Drives folder | This configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
Allow access to BitLocker-protected removable drives from earlier versions of Windows | Removable Data Drives folder | This configures whether removable data drives formatted with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, and Windows XP with SP3 or SP2 operating systems.
Configure use of passwords for removable data drives | Removable Data Drives folder | This specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow the use of a password, you can require a password to be used, enforce complexity requirements, and configure a minimum length.
Choose how BitLocker-protected removable drives can be recovered | Removable Data Drives folder | This allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required startup key information.
Group Policy Settings and TPM
Group Policy settings that control TPM behavior are located in Computer Configuration\Administrative
Templates\System\Trusted Platform Module Services. The following table summarizes these settings.
Setting name: Turn on TPM backup to AD DS
Default: Disabled
Description: This controls whether TPM owner password information is backed up in AD DS. If you enable this setting, it also can control whether backup is required or optional.

Setting name: Configure the list of blocked TPM commands
Default: None
Description: This allows you to disable or enable specific TPM functions, but the next two settings can restrict which commands are available. Group Policy-based lists override local lists. You can configure local lists in the TPM Management console.

Setting name: Ignore the default list of blocked TPM commands
Default: Disabled
Description: By default, BitLocker blocks certain TPM commands. To enable these commands, you must enable this policy setting.

Setting name: Ignore the local list of blocked TPM commands
Default: Disabled
Description: By default, a local administrator can block commands in the TPM Management console. You can use this setting to prevent that behavior.
Microsoft BitLocker Administration and Monitoring 2.0
You have seen in this module that BitLocker and BitLocker To Go offer enhanced protection against data
theft or data exposure from computers that might have been lost or stolen. We recommend that medium
and large organizations that deploy BitLocker use the Microsoft BitLocker Administration and Monitoring
2.0 tool to provide management capabilities for BitLocker and BitLocker To Go.
Administrators can use Microsoft BitLocker Administration and Monitoring to simplify the following
BitLocker management tasks:
• Deployment and encryption key recovery
• Centralized compliance monitoring and reporting
• Provisioning encrypted drives
• Supporting encrypted drives within an organization
Microsoft BitLocker Administration and Monitoring 2.0 enables administrators to enforce organizational
BitLocker encryption policies across an enterprise. It also enables administrators to monitor the
compliance of client computers with those policies, providing centralized reporting on the encryption
status of devices used on a network.
Note: Microsoft BitLocker Administration and Monitoring 2.0 is only available as part of the
Microsoft Desktop Optimization Pack, which offers Microsoft Software Assurance customers a
suite of premium utilities which are useful for administrators to manage desktop computers and
devices within an organization.
Microsoft BitLocker Administration and Monitoring 2.0 is not supported with Windows 8.1.
Microsoft is planning to release a newer version that is compatible with Windows 8.1.
In addition, Microsoft BitLocker Administration and Monitoring lets you access recovery key information,
which is helpful when users forget their PIN or password, or when their BIOS/UEFI firmware or boot
record changes. By adopting an enterprise BitLocker management solution, organizations can increase the
level of effectiveness of BitLocker significantly and can reduce the administrative overhead and the total
cost of ownership.
Note: Microsoft BitLocker Administration and Monitoring 1.0 supports Windows 7, whereas
Microsoft BitLocker Administration and Monitoring 2.0 supports Windows 7 and Windows 8.
Microsoft BitLocker Administration and Monitoring 2.0 provides the following new features and
functionality:
• Integration with Configuration Manager
• Hardware compatibility integration with Configuration Manager
• Protectors flexible policy, which allows more configuration options
• Microsoft BitLocker Administration and Monitoring 2.0 client can now upgrade the Microsoft
BitLocker Administration and Monitoring 1.0 client
• Microsoft BitLocker Administration and Monitoring 2.0 can now upgrade the previous version of the
Microsoft BitLocker Administration and Monitoring Server
• Microsoft BitLocker Administration and Monitoring 2.0 support for BitLocker's enterprise scenarios on
Windows 8
• Self-Service Portal for end users to recover their recovery keys
• Automatic resumption of BitLocker protection from a suspended state after restart
• Fixed data drives can be configured to unlock automatically without a password
For more information, see the Volume Licensing page on the Microsoft website.
http://go.microsoft.com/fwlink/?LinkId=378252&clcid=0x409
For more information, see Microsoft BitLocker Administration and Monitoring on the
Microsoft TechNet website.
http://go.microsoft.com/fwlink/?LinkId=378253&clcid=0x409
Question: How can you use Microsoft BitLocker Administration and Monitoring 2.0 to
reduce the amount of time that the help desk is required to spend recovering a BitLocker
unlock key for a remote user?
Configuring BitLocker
In Windows 8.1, you can enable BitLocker from
the Control Panel or by right-clicking the volume
that you want to encrypt. This initiates the
BitLocker Drive Encryption Wizard, which validates
system requirements. During the preparation
phase, BitLocker creates the second partition if it
does not exist.
Administration
You can manage BitLocker by using the BitLocker Drive Encryption item within Control Panel.
Manage-bde also is available to add scripting functionality remotely from the Windows PowerShell
command-line interface or from a Command Prompt window.
After you encrypt and protect a volume by using BitLocker, local and domain administrators can use the
Manage Keys page in the BitLocker control panel item to duplicate keys and reset PINs.
Turning on BitLocker with TPM Management
The BitLocker control panel item displays BitLocker's status and provides the functionality to enable or
disable BitLocker. If BitLocker is actively encrypting or decrypting data due to a recent installation or
uninstall request, the progress status appears. IT professionals also can use the BitLocker control panel
item to access the TPM Management snap-in to MMC.
Perform the following procedure to turn on BitLocker:
1. In Control Panel, click System and Security, and then click BitLocker Drive Encryption.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want,
and then click Continue.
3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume.
A message appears, warning that BitLocker encryption might have a performance impact on your
computer.
If your TPM is not initialized, the Initialize TPM Security Hardware Wizard appears. Follow the
directions to initialize the TPM, and then restart or shut down your computer.
4. The Save the recovery password page shows the following options:
o Save the password on a USB drive. Saves the password to a USB flash drive.
o Save the password in a folder. Saves the password to a folder on a network drive or other
location.
o Print the password. Prints the password.
Use one or more of these options to preserve the recovery password. For each, select the option and
then follow the wizard steps to set the location for saving or printing the recovery password.
When you finish saving the recovery password, click Next.
5. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check
check box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and
then BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is
not, an error message will alert you to the problem.
6. If the computer is ready for encryption, the Encryption in Progress status bar displays. You can
monitor the ongoing completion status of the disk-volume encryption by dragging your mouse
pointer over the BitLocker Drive Encryption icon, which is in the notification area at the bottom of
your screen.
By completing this procedure, you will have encrypted the operating system volume and created a
recovery password unique to this volume. The next time that you sign in, you will see no change. If the
TPM ever changes or BitLocker cannot access it, or if there are changes to key system files or someone
tries to start the computer from a product CD or DVD to circumvent the operating system, the computer
will switch to recovery mode until the user supplies the correct recovery password.
Turning on BitLocker Without TPM Management
Use the following procedure to change your computer's Group Policy settings so that you can turn on
BitLocker without a TPM. Instead of a TPM, you will use a startup key to authenticate yourself. The startup
key is on a USB flash drive that you insert into the computer before you turn it on.
For this scenario, you must have a BIOS that will read USB flash drives in the pre-operating system
environment (at startup). You can check your BIOS by running the system check that is in the final step of
the BitLocker wizard.
Before you start:
• You must be signed in as an administrator.
• BitLocker must be installed on this computer.
• You must have a USB flash drive to save the recovery password.
• You should try to use a second USB flash drive to store the startup key separate from the recovery
password.
Perform the following steps to turn on BitLocker on a computer without a compatible TPM:
1. Run Gpedit.msc.
2. If the User Account Control dialog box appears, confirm that the action it displays is the action that
you want to occur, and then click Continue.
3. In the Local Group Policy Editor console tree, click Computer Configuration, click Administrative
Templates, click Windows Components, click BitLocker Drive Encryption, and then click
Operating System Drives.
4. Double-click the Require additional authentication at startup setting.
5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and
then click OK. You have changed the policy setting so that you can use a startup key instead of a
TPM.
6. Close the Local Group Policy Editor.
7. To force Group Policy to apply immediately, from a command prompt, type gpupdate.exe /force,
and then press Enter.
8. From Control Panel, click System and Security, and then click BitLocker Drive Encryption.
9. If the User Account Control dialog box appears, confirm that the action it displays is what you want,
and then click Continue.
10. On the BitLocker Drive Encryption page, click Turn On BitLocker. This will appear only with the
operating system volume.
11. On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every
startup option. This is the only option available for non-TPM configurations. You must insert this key
before you start the computer, each time you start it.
12. Insert your USB flash drive in the computer if you have not done so already.
13. On the Save your Startup Key page, choose the location of your USB flash drive, and then click
Save.
14. The following options are available on the Save the recovery password page:
o Save the password on a USB drive. Saves the password to a USB flash drive.
o Save the password in a folder. Saves the password to a folder on a network drive or other
location.
o Print the password. Prints the password.
Use one or more of these options to preserve the recovery password. For each, select the option and
then follow the wizard steps to set the location for saving or printing the recovery password. Do not
store the recovery password and the startup key on the same media. When you have finished saving
the recovery password, click Next.
15. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check
check box is selected, and then click Continue.
Confirm that you want to restart the computer by clicking Restart Now. The computer restarts, and
BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is not,
an error message will alert you to the problem before encryption starts.
16. If the computer is ready for encryption, the Encryption in Progress status bar is displayed. You can
monitor the ongoing completion status of the disk-volume encryption by dragging your mouse
pointer over the BitLocker Drive Encryption icon, which is in the notification area at the bottom of
your screen. You also can click the Encryption icon to view the status.
By completing this procedure, you have encrypted the operating system volume and created a recovery
password unique to that volume. The next time that you turn your computer on, you must plug the
USB flash drive with the startup key into one of the computer's USB ports. If not, you will not be able to
access data on your encrypted volume.
If you do not have the USB flash drive that contains your startup key, then you will need to use recovery
mode and supply the recovery password to access data.
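The same enablement done with the Windows 8.1 BitLocker PowerShell module, as an added example that is not part of the course text. It assumes the Group Policy setting from step 5 has already been applied, that the startup key goes to a USB drive at E:\ and the recovery password to a second drive at F:\ (both constructed sample paths).

```powershell
#Requires -RunAsAdministrator
# Added example (not course code): steps 8 to 16 above, scripted. Assumptions: policy from
# step 5 already applied; $StartupKeyDrive and $RecoveryDrive are constructed sample paths.
param(
    [string]$OsDrive         = 'C:',
    [string]$StartupKeyDrive = 'E:\',
    [string]$RecoveryDrive   = 'F:\'
)

# "Require additional authentication at startup" = Enabled with "Allow BitLocker without a
# compatible TPM" checked writes these two values; refuse to continue if gpupdate has not run.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.UseAdvancedStartup -ne 1 -or $fve.EnableBDEWithNoTPM -ne 1) {
    throw 'Policy not in effect: enable the setting in gpedit.msc and run gpupdate.exe /force first.'
}
if ((Resolve-Path $StartupKeyDrive).Path -eq (Resolve-Path $RecoveryDrive).Path) {
    throw 'Do not store the recovery password and the startup key on the same media (step 14).'
}
if ((Get-BitLockerVolume -MountPoint $OsDrive).VolumeStatus -ne 'FullyDecrypted') {
    throw "$OsDrive is already encrypted or being encrypted."
}

# Steps 11 and 13: without a TPM the only startup protector is the startup key (a .BEK file
# on the USB drive). Omitting -SkipHardwareTest keeps the system check of step 15: encryption
# starts only after a restart proves the BIOS can read the key.
Enable-BitLocker -MountPoint $OsDrive -StartupKeyProtector -StartupKeyPath $StartupKeyDrive `
    -EncryptionMethod Aes128 | Out-Null
# In the lab's virtual machine, which has no USB support, the equivalent is
# -PasswordProtector -Password (Read-Host -AsSecureString) in place of the startup key.

# Step 14: add a recovery password and save it on the second drive.
$vol  = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
$rp   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -Last 1
$file = Join-Path $RecoveryDrive ('BitLocker Recovery Key ' + $rp.KeyProtectorId.Trim('{}') + '.txt')
@"
BitLocker Drive Encryption recovery password for $OsDrive
Password ID: $($rp.KeyProtectorId)
Recovery password: $($rp.RecoveryPassword)
"@ | Set-Content -Path $file -Encoding Unicode

# Summary: the volume should now list ExternalKey and RecoveryPassword protectors.
Get-BitLockerVolume -MountPoint $OsDrive | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
    @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } }
Write-Host "Recovery password saved to $file. Restart with the startup key inserted to begin encryption."
```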
Upgrading a BitLocker-Enabled Computer
The following steps are necessary to upgrade a BitLocker-enabled computer.
• Temporarily turn off BitLocker by placing it into disabled mode.
• Upgrade the system or the BIOS.
• Turn BitLocker on.
Forcing BitLocker into disabled mode keeps the volume encrypted, but the volume master key is
encrypted with a symmetric key that it stores unencrypted on the hard disk. The availability of this
unencrypted key disables the data protection that BitLocker offers, but it ensures that subsequent
computer startups succeed without further user input. When you re-enable BitLocker, the unencrypted
key is removed from the disk and BitLocker protection is turned on. Additionally, BitLocker identifies the
volume master key and encrypts it again.
Moving a BitLocker-Enabled Computer
Moving the encrypted volume, which is the physical disk, to another BitLocker-enabled computer requires
that you turn off BitLocker temporarily. No additional steps are required because the key that is
protecting the volume master key is stored unencrypted on the disk.
Note: Exposing the volume master key even for a brief period is a security risk. An attacker
can access the volume master key and full volume encryption key when these keys are exposed
by the clear key.
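The suspend, upgrade and re-enable sequence from the two sections above, as an added example (not course code) that bounds how long the clear key stays on disk: Suspend-BitLocker -RebootCount 1 makes BitLocker re-arm itself after a single restart even if nobody runs the resume step. $UpgradeCommand is a placeholder for the vendor's firmware or system upgrade command.

```powershell
#Requires -RunAsAdministrator
# Added example, not course code. $UpgradeCommand is a placeholder for the real upgrade.
function Start-BitLockerSafeUpgrade {
    param(
        [string]$MountPoint = 'C:',
        [scriptblock]$UpgradeCommand = { Write-Host 'placeholder: stage the BIOS/system upgrade here' }
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Protection on $MountPoint is '$($vol.ProtectionStatus)'; expected On before suspending."
    }
    # Step 1: disabled mode. The volume stays encrypted; the volume master key is wrapped by a
    # clear key on disk. RebootCount 1 limits that exposure to the single restart the upgrade needs.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    try {
        & $UpgradeCommand      # Step 2: stage the upgrade; firmware is applied during the restart
    }
    catch {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null   # nothing staged: re-arm at once
        throw
    }
    # The restart is where new platform measurements are taken, so protection must still be
    # suspended here; BitLocker resumes on its own once this boot completes.
    Restart-Computer -Confirm
}

function Test-BitLockerResumed {
    # Step 3, run after the restart: confirm protection is back, and resume explicitly if not.
    param([string]$MountPoint = 'C:')
    $status = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
    if ($status -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $status = (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
    }
    [pscustomobject]@{ MountPoint = $MountPoint; ProtectionStatus = $status }
}
```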
Computer Decommissioning and Recycling
Many personal computers are reused by people other than the computer's initial owner or user. In
enterprise scenarios, you might redeploy computers to other departments or remove them from an
organization as part of a standard computer hardware-refresh cycle.
On unencrypted drives, data might remain readable even after the drive has been formatted. Enterprises
often use multiple overwrites or physical destruction to reduce the risk of exposing data on
decommissioned drives.
You can use BitLocker to create a simple, cost-effective decommissioning process. Leaving data encrypted
by BitLocker and then removing the keys permanently reduces the risk of exposing this data. It becomes
nearly impossible to access BitLocker-encrypted data after removing all BitLocker keys, because this
requires breaking 128-bit or 256-bit AES encryption.
Note: Perform the procedures that this section describes only if you do not want or need
the data in the future. You cannot recover the data in the encrypted volume if you perform the
procedures that this section details.
You can remove a volume's BitLocker keys by formatting that volume from Windows 8.1. The format
command has been updated to support this operation. To format the operating system volume, you can
open a command prompt by using the recovery environment that the Windows 8.1 installation DVD
includes.
Alternatively, an administrator can create a script that effectively removes all BitLocker key protectors.
Running such a script will leave all BitLocker-encrypted data unrecoverable when you restart the
computer. As a safety measure, BitLocker requires that an encrypted volume have at least one key
protector. Given this requirement, you can decommission the drive by creating a new external key
protector, not saving the created external key information, and then removing all other key protectors on
the volume.
After you remove the BitLocker keys from the volume, you need to perform follow-up tasks to complete
the decommissioning process. For example, reset the TPM to its factory defaults by clearing the TPM, and
discard saved recovery information for the volume, such as printouts, files stored on USB devices, and
information stored in AD DS.
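The decommissioning script described above, written with the BitLocker PowerShell module as an added example (not course code). It follows the text exactly: add a throw-away external key protector, remove every other protector, then delete the throw-away key; the function declares high confirm impact so it prompts before acting.

```powershell
#Requires -RunAsAdministrator
# Added example, not course code: crypto-erase a BitLocker volume by removing its key
# protectors. Data on the volume is unrecoverable afterwards.
function Invoke-BitLockerCryptoErase {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$MountPoint)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is '$($vol.VolumeStatus)'; crypto-erase only makes sense for an encrypted volume."
    }
    if (-not $PSCmdlet.ShouldProcess($MountPoint, 'Remove all BitLocker key protectors (data becomes unrecoverable)')) {
        return
    }
    # The throw-away external key (.BEK) is written to a temp folder that is deleted below;
    # it must never be copied anywhere, which is what "not saving" it means in practice.
    $tmp = Join-Path $env:TEMP ('bde-erase-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $tmp | Out-Null
    try {
        $before = $vol.KeyProtector.KeyProtectorId
        $added  = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryKeyProtector -RecoveryKeyPath $tmp
        # The new protector is the one whose ID was not present before the call.
        $keepId = ($added.KeyProtector | Where-Object { $_.KeyProtectorId -notin $before }).KeyProtectorId
        foreach ($kp in $added.KeyProtector) {
            if ($kp.KeyProtectorId -ne $keepId) {
                Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
        }
    }
    finally {
        Remove-Item -Path $tmp -Recurse -Force   # destroys the only remaining key material
    }
    # Follow-up tasks from the text are separate: clear the TPM (Clear-Tpm), destroy printed and
    # USB copies of recovery information, and delete the volume's recovery objects in AD DS.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector
}
```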
Question: When turning on BitLocker on a computer with TPM 1.2, what is the purpose of
saving the recovery password?
Configuring BitLocker To Go
BitLocker To Go protects data on removable data
drives. It allows you to configure BitLocker on USB
flash drives and external hard drives. The option is
available by simply right-clicking on a drive in File
Explorer to enable BitLocker protection.
BitLocker To Go Scenario
Consider the following scenario. An administrator
configures Group Policy to require that users can
save data only on data volumes that are protected
by BitLocker. Specifically, the administrator
enables the Deny write access to removable
drives not protected by BitLocker policy setting
and deploys it to the domain.
Meanwhile, an end user inserts a USB flash drive. Because the USB flash drive is not protected with
BitLocker, Windows 8.1 displays an informational dialog box indicating that the device must be encrypted
with BitLocker. From this dialog, the user chooses to launch the BitLocker wizard to encrypt the volume or
continues working with the device as read-only.
If the user decides to implement the device as read-only and then attempts to save a document to the
flash drive, an access-denied error message appears.
Configuring BitLocker To Go
When you select the Turn On BitLocker menu option, you must specify how you want to unlock a drive in
the subsequent wizard. You can select one of the following methods:
• A recovery password or passphrase. You can configure the complexity in Group Policy.
• A smart card.
• Always auto-unlock this device on this PC.
After you configure a device to use BitLocker, when a user saves documents to an external drive, BitLocker
encrypts them. When the user inserts the USB flash drive on a different computer, the computer detects
that the portable device is BitLocker-protected and prompts the user to specify the passphrase. The user
can specify to unlock the volume automatically on the second computer.
Note: In the above scenario, the second computer does not have to be encrypted with
BitLocker.
If a user forgets the passphrase for a device, he or she can use the I forgot my passphrase option from the
BitLocker Unlock Wizard to recover it. Clicking this option displays a recovery password ID that the user
supplies to an administrator, who then uses the password ID to obtain the device's recovery password.
This recovery password can be stored in AD DS and recovered with the BitLocker Recovery Password
Viewer.
Question: How do you enable BitLocker To Go for a USB flash drive?
Recovering BitLocker-Encrypted Drives
When a BitLocker-enabled computer starts,
BitLocker checks the operating system for
conditions that might indicate a security risk. If
such a condition is detected, BitLocker does not
unlock the system drive, and instead enters
recovery mode. When a computer enters recovery
mode, the user must enter the correct recovery
password to continue. The recovery password is
tied to a particular TPM or computer, not to
individual users, and typically it does not change.
Save the recovery information on a USB flash drive
or in AD DS by using one of these formats:
• A 48-digit number divided into eight groups. During recovery, use the function keys to type this
password into the BitLocker recovery console.
• A recovery key in a format that can be read directly by the BitLocker recovery console.
Locating a BitLocker Recovery Password
A BitLocker recovery password is a 48-digit password that unlocks a system in recovery mode. The
recovery password is unique to a particular BitLocker encryption, and you can store it in AD DS.
The recovery password will be required if the encrypted drive must be moved to another computer or
changes are made to the system startup information. This password is so important that you should make
additional copies of the password and store it in safe places to ensure access to your data.
You will need your recovery password to unlock the encrypted data on the volume if BitLocker enters a
locked state. This recovery password is unique to this particular BitLocker encryption. You cannot use it to
recover encrypted data from any other BitLocker encryption session.
A computer's password ID is a 32-character password that is unique to a computer name. You can find the
password ID under a computer's property settings, which you can use to locate passwords that are stored
in AD DS. To locate a password, the following conditions must be true:
• You must be a domain administrator or have delegate permissions.
• The client's BitLocker recovery information is configured to be stored in AD DS.
• The client's computer has been joined to the domain.
• BitLocker must have been enabled on the client's computer.
Prior to searching for and providing a recovery password to a user, confirm that the person is the account
owner and is authorized to access data on the computer in question.
Search for the password in Active Directory Users and Computers by using either one of the following:
• Drive label
• Password ID
When you search by drive label, after locating the computer, right-click the drive label, click Properties,
and then click the BitLocker Recovery tab to view associated passwords.
To search by password ID, right-click the domain container, and then click Find BitLocker Recovery
Password. In the Find BitLocker Recovery Password dialog box, enter the first eight characters of the
password ID in the Password ID field, and then click Search.
Examine the returned recovery password to ensure it matches the password ID that the user provides.
Performing this step helps verify that you have obtained the unique recovery password.
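The password-ID search above done with the ActiveDirectory module instead of the Active Directory Users and Computers dialog, as an added example that is not part of the course. It assumes RSAT is installed and the account holds the delegated rights on msFVE-RecoveryInformation objects; the '2A1B3C4D' prefix in the usage line is a constructed sample.

```powershell
# Added example, not course code. Assumes the ActiveDirectory module and delegated rights.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^\{?[0-9A-Fa-f]{8}')]
        [string]$PasswordId,                                   # first 8 characters, or the full ID
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $id     = $PasswordId.Trim('{}').ToUpper()
    $prefix = $id.Substring(0, 8)

    # Recovery objects sit under the computer object; their name ends with the password ID in
    # braces, e.g. "2014-01-02T10:11:12+00:00{2A1B3C4D-...}", so an LDAP substring filter on
    # name performs the same eight-character search as the dialog.
    $results = Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter "(&(objectClass=msFVE-RecoveryInformation)(name=*{${prefix}*))" `
        -Properties msFVE-RecoveryPassword, whenCreated |
      ForEach-Object {
        $fullId = ($_.Name -replace '^.*\{([^}]+)\}\s*$', '$1').ToUpper()
        [pscustomobject]@{
            Computer         = ($_.DistinguishedName -split ',', 2)[1] -replace '^CN=([^,]+),.*$', '$1'
            PasswordId       = $fullId
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
            Created          = $_.whenCreated
        }
      }

    # The check from the text: when the user read out the whole ID, keep only the exact match.
    if ($id.Length -gt 8) { $results = $results | Where-Object PasswordId -eq $id }
    if (-not $results) { Write-Warning "No recovery password found for password ID prefix $prefix" }
    $results
}

# Usage (constructed sample prefix): compare PasswordId with what the user reads from the
# recovery screen before handing over RecoveryPassword.
Find-BitLockerRecoveryPassword -PasswordId '2A1B3C4D' | Format-List
```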
Data Recovery Agent Support
Windows 8.1 BitLocker provides data recovery agent support for all protected volumes. This provides
users with the ability to recover data from any BitLocker and BitLocker To Go device when the data is
inaccessible. This technology assists in the recovery of organizational data on a portable drive by using the
key that was created by the enterprise.
Data recovery agent support allows you to dictate that all BitLocker-protected volumes, such as operating
system, fixed, and new portable volumes, are encrypted with an appropriate data recovery agent. The
data recovery agent is a new key protector that is written to each data volume so that authorized IT
administrators will always have access to BitLocker-protected volumes.
Back Up Your Windows 8.1 BitLocker Recovery Key to a Microsoft Account
For devices that are not domain-joined, Windows 8.1 allows a user to back up their BitLocker recovery key
to a Microsoft account, which then is stored within the user's SkyDrive. During the configuration of
BitLocker on a fixed or removable drive and just before encryption begins, you are prompted to specify
how you want to back up your recovery key. You are presented with the following locations:
• Save to your Microsoft account
• Save to a USB flash drive
• Save to a file
• Print the recovery key
To obtain your saved BitLocker recovery key, open an Internet browser and navigate to
https://skydrive.com/RecoveryKey and then sign in with your Microsoft account. You will find the recovery
keys for all of your BitLocker-protected drives in this location.
Question: What is the difference between the recovery password and the password ID?
Lab B: Securing Data by Using BitLocker
Scenario
A user at A. Datum is working on a project that requires him to take his laptop computer home each day.
The data files are very sensitive and must be secure at all times. The laptop computer does not have TPM
1.2.
Objectives
After completing this lab, you will be able to:
• Protect files with BitLocker.
Lab Setup
Estimated Time: 20 minutes
Virtual machine: 20687C-LON-DC1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should
be running already from the preceding lab.
Exercise 1: Protecting Files with BitLocker
Scenario
You have decided to implement BitLocker to protect the user's data files.
The main tasks for this exercise are as follows:
1. Configure GPO settings for BitLocker.
2. Enable BitLocker.
3. Complete the process of enabling BitLocker.
Task 1: Configure GPO settings for BitLocker
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor.
3. Enable the Require additional authentication at startup value located at Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Require additional authentication at startup.
4. Close the Local Group Policy Editor.
5. Refresh the Group Policy settings on the local computer by running gpupdate /force.
Task 2: Enable BitLocker
1. On LON-CL1, open File Explorer, right-click Local Disk (C:), and then click Turn on BitLocker.
2. Select the Enter a password option. This is necessary because the virtual machine does not support
USB flash drives.
3. Use password: Pa$$w0rd.
4. Save the recovery key to the Allfiles (E:) drive.
5. When prompted, click Restart now.
Task 3: Complete the process of enabling BitLocker
1. When LON-CL1 is restarting, when prompted, enter password Pa$$w0rd to unlock the drive.
2. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
3. Open File Explorer, and then view the status of BitLocker on the Local Disk (C:). The drive is being
encrypted.
4. Close all open windows.

Results: After completing this exercise, you should have encrypted the hard drive successfully.
Prepare for the next lab
When you are finished with the lab, leave the virtual machines running as they are needed for the next
lab.

Lesson 4
Configuring UAC
Many users sign in to their computers with a user account that has more rights than necessary to run their
applications and access their data files. Using an administrative user account for day-to-day user tasks
poses significant security risks. In older versions of the Windows operating system, administrators were
encouraged to use an ordinary user account for most tasks and to use the Run As account to execute
tasks that required additional rights. Windows 8.1 provides UAC to simplify and secure the process of
elevating your account rights. However, unless you know how UAC works and its potential impact, you
might have problems when you attempt to carry out typical end-user support tasks. This lesson introduces
how UAC works and how you can use UAC-related desktop features.
Lesson Objectives
After completing this lesson, you will be able to:
• Describe UAC.
• Describe how UAC works.
• Explain how to configure UAC notification settings.
• Describe how to configure UAC with GPOs.
What Is UAC?
UAC is a security feature that provides a way for
each user to elevate their status from a standard
user account to an administrator account without
signing out or switching users. UAC is a collection
of features rather than just a prompt. These
features, which include File and Registry
Redirection, Installer Detection, the UAC prompt,
the ActiveX Installer Service, and more, allow
Windows users to operate with user accounts that
are not members of the Administrators group.
These accounts typically are referred to as
standard users and are broadly described as
operating with least privilege. The most important fact is that when users sign in with standard user
accounts, the experience typically is much more secure and reliable.
Windows 8.1 reduces the number of operating system applications and tasks that require elevation so that
standard users can do more while experiencing fewer elevation prompts. This improves the interaction
with UAC while upholding high security standards.
When you need to make changes to your computer that require administrator-level permission, UAC
notifies you as follows:
• If you are an administrator, click Yes to continue.
• If you are not an administrator, someone with an administrator account on the computer will have to
enter his or her password for you to continue.
If you are a standard user, providing permission temporarily gives you administrator rights to complete
the task, and then your permissions are returned back to a standard user when you are finished. This
ensures that even if you are using an administrator account, changes cannot be made to your computer
without you knowing about it. This helps prevent malware and spyware from being installed on, or
making changes to, your computer.
How UAC Works
There are two general types of user groups in
Windows 8.1: standard users and administrative
users. UAC simplifies users ability to operate as
standard users and perform all their necessary
daily tasks. Administrative users also benefit from
UAC because administrative permissions are
available only after UAC requests permission from
the user for that instance.
Standard Users
In previous versions of the Windows operating
system, many users were configured to use
administrative permissions rather than standard
user permissions. This was done because previous versions of the Windows operating system required
administrator permissions to perform basic system tasks, such as adding a printer or configuring the time
zone. In Windows 8.1, many of these tasks no longer require administrative permissions.
When users have administrative permissions to their computers, they can install additional software.
Despite corporate policies against installing unauthorized software, many users still do it, which can make
their systems less stable and drive up support costs.
When you enable UAC and a user needs to perform a task that requires administrative permissions, UAC
prompts the user for administrative credentials. In a corporate environment, the help desk can give a user
temporary credentials that have local administrative permissions to complete the task.
The default UAC setting allows a standard user to perform the following tasks without receiving a UAC
prompt:
Install updates from Windows Update.
Install drivers from Windows Update or those that are included with the operating system.
View Windows settings. However, a standard user is prompted for elevated permissions when
changing Windows settings.
Pair Bluetooth devices with the computer.
Reset the network adapter and perform other network diagnostic and repair tasks.
Administrative Users
Administrative users automatically have:
Read/write/execute permissions to all resources.
All Windows permissions.
While it might seem obvious that not every user should be able to read, alter, and delete any Windows
resource, many enterprise IT departments running older versions of Windows operating systems had no
other option but to assign all of their users to the local Administrators group.
One of the benefits of UAC is that it allows users with administrative permissions to operate as standard
users most of the time. When users with administrative permissions perform a task that requires
administrative permissions, UAC prompts the user for permission to complete the task. When the user
grants permission, the task in question is performed by using full administrative rights, and then the
account reverts to a lower level of permission.
UAC Elevation Prompts
Many applications by default require users to be administrators because they check Administrators group
membership before running an application. No user security model existed for the Microsoft Windows 95
and the Microsoft Windows 98 operating systems. As a result, developers designed applications assuming
that they will be installed and run by users with administrator permissions. A user security model was
created for Microsoft Windows NT, but all users were created as administrators by default. Additionally, a
standard user on a Windows XP computer must use the Run As command by right-clicking the executable
file within Windows Explorer, or sign in with an administrator account to install applications and perform
other administrative tasks.
The following list details some of the tasks that a standard user can perform:
Establish a Local Area Network connection
Establish and configure a wireless connection
Modify Display settings
Users cannot defragment the hard drive, but a service does this on their behalf
Play CD/DVD media (configurable with Group Policy)
Burn CD/DVD media (configurable with Group Policy)
Change the desktop background for the current user
Open Date and Time in Control Panel and change the time zone
Use Remote Desktop to connect to another computer
Change user's own account password
Configure battery power options
Configure Accessibility options
Restore user's backup files
Set up computer synchronization with a mobile device (smart phone, laptop, or PDA)
Connect and configure a Bluetooth device
The following list details some of the tasks that require elevation to an administrator account:
Install and uninstall applications
Install a driver for a device, such as a digital camera driver
Install Windows updates
Configure Parental Controls
Install an ActiveX control
Open Windows Firewall in Control Panel
Change a user's account type
Modify UAC settings in the Security Policy Editor snap-in (Secpol.msc) for the MMC
Configure Remote Desktop access
Add or remove a user account
Copy or move files into the Program Files or Windows directory
Schedule Automated Tasks
Restore system backup files
Configure Automatic Updates
Browse to another user's directory
When you enable UAC, members of the local Administrators group run with the same access token as
standard users. Only when a member of the local Administrators group gives approval can a process use
the administrator's full access token.
This process is the basis of the Admin Approval Mode principle. Users elevate only to perform tasks that
require an administrator access token. When a standard user attempts to perform an administrative task,
UAC prompts the user to enter valid credentials for an administrator account. This is the default for
standard user-prompt behavior.
The elevation prompt displays contextual information about the executable that is requesting elevation.
The context is different depending on whether the application is signed by Microsoft Authenticode
technology. The elevation prompt has two variations that are detailed in the table below: the consent
prompt and the credential prompt.
Elevation prompt / Description

Consent prompt
    Displayed to administrators in Admin Approval Mode when they attempt to perform an
    administrative task. It requests approval to continue from the user.
Credential prompt
    Displayed to standard users when they attempt to perform an administrative task.
Note: Elevation entry points do not remember that elevation has occurred, such as when
you return from a shielded location or task. As a result, the user must re-elevate to enter the task
again.
While the number of UAC elevation prompts for a standard user who performs an everyday task has been
reduced in Windows 8.1, there are times when it is appropriate for an elevation prompt to be returned.
For example, viewing firewall settings does not require elevation; however, changing the settings does
require elevation because the changes have a system-wide impact.
Types of Elevation Prompts
When a permission or password is needed to complete a task, UAC will notify you with one of four
different types of dialog boxes. The following table describes the different types of dialog boxes that are
used to notify you, and the table provides guidance on how to respond to them.
Type of elevation prompt / Description

A setting or feature that is part of Windows needs your permission to start.
    This item has a valid digital signature that verifies that Microsoft is the publisher of this
    item. If you get this type of dialog box, it is usually safe to continue. If you are unsure,
    check the name of the program or function to decide if it is something you want to run.
A program that is not part of Windows needs your permission to start.
    This program has a valid digital signature, which helps to ensure that the program is what it
    claims to be and verifies the identity of the publisher of the program. If you get this type of
    dialog box, make sure the program is the one that you want to run and that you trust the
    publisher.
A program with an unknown publisher needs your permission to start.
    This program does not have a valid digital signature from its publisher. This does not
    necessarily indicate danger because many older, legitimate apps lack signatures. However, use
    extra caution and only allow a program to run if you obtained it from a trusted source, such as
    the original CD or a publisher's website. If you are unsure, search the Internet for the
    program's name to determine if it is a known program or malware.

Most of the time, you should log on to your computer with a standard user account. You can browse the
Internet, send email, and use a word processor, all without an administrator account. When you want to
perform an administrative task such as installing a new program or changing a setting that will affect
other users, you do not have to switch to an administrator account; the Windows operating system will
prompt you for permission or an administrator password before performing the task. Another
recommendation is that you create standard user accounts for all the people that use your computer.
Question: What are the differences between a consent prompt and a credential prompt?
Configuring UAC Notification Settings
In Windows 8.1, you can adjust how often UAC
notifies you when changes are made to your
computer. To do this, from Control Panel, click
System and Security, and then under Action
Center, click Change User Account Control
settings. Use the slider to determine how
Windows will prompt you. The default is Notify
me only when apps try to make changes to my
computer.
The following table identifies the four settings that
enable customization of the elevation prompt
experience.
Prompt / Description

Never notify me
    UAC is off.
Notify me only when apps try to make changes to my computer (do not dim my desktop)
    When a program makes a change, a prompt appears, but the desktop is not dimmed. Otherwise, the
    user is not prompted.
Notify me only when apps try to make changes to my computer (default)
    When a program makes a change, a prompt appears, and the desktop is dimmed to provide a visual
    cue that installation is being attempted. Otherwise, the user is not prompted.
Always notify me
    The user is always prompted when changes are made to the computer.

Because you can configure the user experience with Group Policy, there can be different user experiences
depending on policy settings. The configuration choices made in your environment affect the prompts
and dialog boxes that standard users, administrators, or both can view.
For example, you might require administrative permissions to change the UAC setting to Always notify me
or Always notify me and wait for my response. With this type of configuration, a yellow notification
appears at the bottom of the User Account Control Settings page, indicating the requirement.
Question: Which two configuration options are combined to produce the end-user elevation
experience?
Demonstration: Configuring UAC with GPOs
In this demonstration, you will see how to:
Open the User Accounts window.
Review user groups.
View the Credential prompt.
Change UAC settings and view the Consent prompt.
Demonstration Steps
View the current UAC settings
1. Sign in to LON-CL1 as administrator.
2. Open the Local Group Policy Editor.
3. Navigate to Computer Configuration\Windows Settings\Security Settings
\Local Policies\Security Options.
Configure the UAC settings
Create a UAC Group Policy setting that prevents access elevation. Modify the User Account Control:
Behavior of the elevation prompt for standard users setting to be Automatically deny elevation
requests.
Test the UAC settings
1. Sign in as Holly, a standard user.
2. Attempt to open Local Group Policy Editor snap-in, an administrative task.
Reconfigure the UAC settings
1. Sign in as administrator.
2. Open the Local Group Policy Editor.
3. Navigate to Computer Configuration\Windows Settings\Security Settings
\Local Policies\Security Options.
4. Modify the User Account Control: Behavior of the elevation prompt for standard users setting
to be Prompt for credentials.
Test the UAC settings
1. Sign in as Holly, a standard user.
2. Attempt to open an Administrative Command Prompt, an administrative task.
3. Enter administrative credentials as prompted.
Question: Which UAC feature detects when an application is being installed in Windows 8.1?
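The demonstration above changes the standard-user prompt behavior through the Local Group Policy Editor; the following script is an added example (not part of the courseware) that reads the effective values of the UAC security options from the registry location that those policy settings write to, maps them to the labels shown under Security Options, and flags the combinations a security reviewer would question. It is meant to be run in an elevated Windows PowerShell session on the client being audited (for example LON-CL1); the fallback defaults used for unset values are assumed from the Windows 8.1 client behavior.

```powershell
# Added example (not part of the courseware): audit the effective UAC policy values.
# Run in an elevated Windows PowerShell session on the client being checked.

function Get-UacPolicyReport {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key

    # A setting that has never been changed is absent from the key; fall back to the
    # Windows 8.1 client default for it (defaults assumed from client SKU behaviour).
    function Read-Value([string]$Name, [int]$Default) {
        if ($null -ne $props.$Name) { [int]$props.$Name } else { $Default }
    }

    $enableLua     = Read-Value 'EnableLUA'                   1
    $adminPrompt   = Read-Value 'ConsentPromptBehaviorAdmin'  5
    $userPrompt    = Read-Value 'ConsentPromptBehaviorUser'   3
    $signedOnly    = Read-Value 'ValidateAdminCodeSignatures' 0
    $secureDesktop = Read-Value 'PromptOnSecureDesktop'       1
    $installerDet  = Read-Value 'EnableInstallerDetection'    1

    # Labels as they appear in Local Security Policy under Security Options.
    $adminLabels = @{
        0 = 'Elevate without prompting'
        1 = 'Prompt for credentials on the secure desktop'
        2 = 'Prompt for consent on the secure desktop'
        3 = 'Prompt for credentials'
        4 = 'Prompt for consent'
        5 = 'Prompt for consent for non-Windows binaries'
    }
    $userLabels = @{
        0 = 'Automatically deny elevation requests'
        1 = 'Prompt for credentials on the secure desktop'
        3 = 'Prompt for credentials'
    }

    # Combinations worth raising in a review of the client build.
    $findings = @()
    if ($enableLua -eq 0)     { $findings += 'Admin Approval Mode is off: administrators always run with the full token (Never notify me).' }
    if ($adminPrompt -eq 0)   { $findings += 'Administrators elevate without any prompt; code running as the user can elevate silently.' }
    if ($secureDesktop -eq 0) { $findings += 'Elevation prompts are shown on the interactive desktop, where other processes can interact with them.' }
    if ($userPrompt -eq 0)    { $findings += 'Standard users cannot elevate at all; expect help desk requests for tasks that need credentials.' }

    [pscustomobject]@{
        AdminApprovalMode         = [bool]$enableLua
        AdminElevationPrompt      = $adminLabels[$adminPrompt]
        StandardUserElevation     = $userLabels[$userPrompt]
        OnlyElevateSignedBinaries = [bool]$signedOnly
        SecureDesktopPrompts      = [bool]$secureDesktop
        InstallerDetection        = [bool]$installerDet
        Findings                  = $findings
    }
}

Get-UacPolicyReport | Format-List
```

Running the report before and after the demonstration shows the StandardUserElevation value move from "Prompt for credentials" to "Automatically deny elevation requests" and back; the InstallerDetection field corresponds to the "Detect application installations and prompt for elevation" security option.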
Lab C: Configuring and Testing UAC
Scenario
Holly, the IT manager, is concerned that staff might be performing configuration changes to their
computers for which they have no authorization. Windows 8.1 does not allow users to perform these
tasks. However, Holly wants to ensure that users are prompted properly about their attempted actions.
Objectives
After completing this lab, you will be able to:
Modify UAC prompts.
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. The required virtual machines should
be running from the preceding lab.
Exercise 1: Modifying UAC Prompts
Scenario
You decide to reconfigure the UAC notification behavior and prompts.
The main tasks for this exercise are as follows:
1. Modify the User Account Control (UAC) prompts.
2. Modify the UAC notification level.
3. Test the UAC settings.
Task 1: Modify the User Account Control (UAC) prompts
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor, and then navigate to Computer Configuration
\Windows Settings\Security Settings\Local Policies\Security Options.
3. Modify the User Account Control: Behavior of the elevation prompt for standard users setting
to be Prompt for credentials on the secure desktop.
Task 2: Modify the UAC notification level
1. Enable the User Account Control: Only elevate executables that are signed and validated value.
2. Enable the User Account Control: Behavior of the elevation prompt for administrators in
Admin Approval Mode value and select the Prompt for consent on the secure desktop option.
Task 3: Test the UAC settings
1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.
2. Open Command Prompt (Admin). You are prompted by UAC for credentials on the secure desktop.
Provide the necessary credentials, and after Command Prompt (Admin) opens, close Command
Prompt (Admin), and then sign out.
3. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd, and open Action Center to
verify that the notification settings for UAC are configured for Always notify.

Results: After completing this exercise, you should have reconfigured UAC notification behavior and
prompts.
Prepare for the next module
When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.

Module Review and Takeaways
Best Practice:
Best Practices for EFS
The following is a list of standard best practices for EFS users:
Users should export their certificates and private keys to removable media, and then store the media
securely when it is not in use. For the greatest possible security, a private key must be removed from
a computer whenever the computer is not in use. This protects against attackers who physically
obtain a computer and try to access the private key. When you must access encrypted files, you can
import the private key easily from the removable media.
Encrypt the My Documents folder for all users (User_profile\My Documents). This ensures that the
personal folder, where most documents are stored, is encrypted by default.
Users should encrypt folders rather than individual files. Programs work on files in various ways.
Encrypting files consistently at the folder level ensures that files are not decrypted unexpectedly.
Private keys that are associated with recovery certificates are extremely sensitive. You must generate
these keys either on a computer that is physically secure, or you must export their certificates to a .pfx
file, protect them with a strong password, and then save them on a disk that is stored in a physically
secure location.
You must assign recovery agent certificates to user accounts that you do not use for any other
purpose.
Do not destroy recovery certificates or private keys when recovery agents are changed (agents are
changed periodically). Keep them all until all files that might have been encrypted with them are
updated.
Designate two or more recovery agent accounts per OU, depending on the size of the OU. Designate
two or more computers for recovery: one for each designated recovery agent account. Grant
permissions to appropriate administrators who use the recovery agent accounts. It is a good idea to
have two recovery agent accounts. Having two computers that hold these keys provides more
redundancy for the recovery of lost data.
Implement a recovery agent archive program to ensure that you can recover encrypted files by using
obsolete recovery keys. Recovery certificates and private keys must be exported and stored in a
controlled and secure manner. Ideally, as with all secure data, archives must be stored in a controlled
access vault, and you must have two archives: a master and a backup. The master is kept on-site,
while the backup is located in a secure, off-site location.
Avoid using print spool files in your print server architecture, or make sure that print spool files are
generated in an encrypted folder.
EFS does take some CPU overhead every time a user encrypts and decrypts a file. Plan your server
usage wisely. Load balance your servers when many clients use EFS.
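Two of the practices listed above (encrypt at the folder level, and keep the private key on removable media that is stored securely) can be carried out with the tools that ship with Windows 8.1. The script below is an added example, not part of the courseware: it encrypts a folder with cipher.exe and then exports the user's EFS certificate and private key to a password-protected .pfx file. The Documents folder and the E:\efs-backup path are assumptions for the example.

```powershell
# Added example (not part of the courseware): encrypt a folder and export the EFS key.
# Run as the user whose files are being protected.

param(
    [string]$FolderToEncrypt = (Join-Path $env:USERPROFILE 'Documents'),   # assumption
    [string]$BackupFolder    = 'E:\efs-backup'                             # assumption: removable media
)

# Encrypt the folder, not individual files; /s: includes subfolders so that files
# created later inherit the encryption attribute.
cipher.exe /e /s:"$FolderToEncrypt" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "cipher.exe failed with exit code $LASTEXITCODE" }

# Locate the EFS certificate in the user's personal store by its EKU OID
# (1.3.6.1.4.1.311.10.3.4 = Encrypting File System). Windows issues one on first use.
$efsEku = '1.3.6.1.4.1.311.10.3.4'
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No EFS certificate with a private key was found in Cert:\CurrentUser\My.' }

# Export certificate and private key to a .pfx protected with a strong password.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the exported key'
New-Item -ItemType Directory -Path $BackupFolder -Force | Out-Null
$pfxPath = Join-Path $BackupFolder ("efs-{0}.pfx" -f $cert.Thumbprint)
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

Write-Output "Encrypted '$FolderToEncrypt'; EFS certificate $($cert.Thumbprint) exported to $pfxPath"

# To restore the key on this or another computer later:
#   Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword
```

Store the removable media separately from the computer; the exported .pfx is the copy you will rely on if the user's profile or the key in it is lost, so treat its password with the same care as the recovery agent keys described above.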
Best Practices for UAC
UAC security settings are configurable in the local Security Policy Manager (Secpol.msc) or the Local
Group Policy Editor (Gpedit.msc). However, in most corporate environments, Group Policy is preferred
because it can be managed and controlled centrally. There are nine GPO settings that you can
configure for UAC.
Because the user experience can be configured with Group Policy, there can be different user
experiences depending on policy settings. The configuration choices made in your environment affect
the prompts and dialog boxes that standard users, administrators, or both can view.
For example, you might require administrative permissions to change the UAC setting to
Always notify me or Always notify me and wait for my response. With this type of
configuration, a yellow notification appears at the bottom of the User Account Control
Settings page, indicating the requirement.
Although UAC enables you to sign in with an administrative user account to perform everyday user
tasks, it is still a good practice to sign in by using a standard user account for these everyday tasks.
Sign in as an administrator only when necessary.
Best Practices for BitLocker
BitLocker stores its own encryption and decryption key in a hardware device that is separate from the
hard disk, so you must have one of the following:
A computer with TPM.
A removable USB storage device, such as a USB flash drive. If your computer does not have TPM 1.2
or newer, BitLocker stores its key on the memory device.
The most secure implementation of BitLocker takes advantage of the enhanced security capabilities
of TPM 1.2.
On computers that do not have a TPM 1.2, you can still use BitLocker to encrypt the Windows
operating system volume. However, this implementation will require the user to insert a USB startup
key to start the computer or resume from hibernation and does not provide the prestartup system-
integrity verification that BitLocker offers when it works with a TPM.
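Before enabling BitLocker, it helps to confirm which of the two configurations described above a given computer can support. The function below is an added example (not part of the courseware) that uses the BitLocker and TrustedPlatformModule cmdlets included with Windows 8.1 to check for a ready TPM of version 1.2 or newer, report the protectors already on the operating system volume, and state which implementation applies. It must run in an elevated session.

```powershell
# Added example (not part of the courseware): check TPM readiness before enabling BitLocker.
# Requires an elevated Windows PowerShell session on Windows 8.1.

function Test-BitLockerReadiness {
    $tpm = Get-Tpm
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Win32_Tpm.SpecVersion is a string such as "1.2, 2, 3" or "2.0, 0, 1.16".
    $spec  = (Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' -Class Win32_Tpm).SpecVersion
    $major = if ($spec) { [double](($spec -split ',')[0].Trim()) } else { 0 }

    $tpmOk = $tpm.TpmPresent -and $tpm.TpmReady -and ($major -ge 1.2)
    $recommendation = if ($tpmOk) {
        'Use a TPM protector (pre-startup integrity verification) plus a recovery password protector.'
    } else {
        'No ready TPM 1.2 or newer: the OS volume can still be encrypted with a USB startup key, but without pre-startup integrity verification.'
    }

    [pscustomobject]@{
        TpmPresent         = $tpm.TpmPresent
        TpmReady           = $tpm.TpmReady
        TpmSpecVersion     = $spec
        MeetsTpm12         = $tpmOk
        OsVolumeStatus     = $os.VolumeStatus
        OsProtectionStatus = $os.ProtectionStatus
        OsKeyProtectors    = ($os.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
        Recommendation     = $recommendation
    }
}

$readiness = Test-BitLockerReadiness
$readiness | Format-List

# Next step when MeetsTpm12 is true (run deliberately, not as part of the check):
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
#   Enable-BitLocker -MountPoint $env:SystemDrive -TpmProtector
# Back up the recovery password (for example to AD DS) before the first restart.
```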
Review Questions
Question: When you implement UAC, what happens to standard users and administrative users
when they perform a task that requires administrative permissions?
Question: What are the requirements for BitLocker to store its own encryption and decryption
key in a hardware device that is separate from a hard disk?
Question: An administrator configures Group Policy to require that data can be saved only on
data volumes that are protected by BitLocker. Specifically, the administrator enables the Deny
write access to removable drives not protected by BitLocker policy setting and deploys it to
the domain. Meanwhile, an end user inserts a USB flash drive that is not protected with BitLocker.
What will happen, and how can the user resolve the situation?
Module 11
Configuring Applications for Windows 8.1
Contents:
Module Overview 11-1
Lesson 1: Application Deployment Options in Windows 8.1 11-2
Lesson 2: Managing Windows Store Apps 11-14
Lesson 3: Configuring Internet Explorer Settings 11-19
Lab A: Configuring Internet Explorer Security 11-29
Lesson 4: Configuring Application Restrictions 11-32
Lab B: Configuring AppLocker 11-40
Module Review and Takeaways 11-43

Module Overview
Computer users require applications for every task they perform, such as editing documents, querying
databases, and generating reports. As part of administering the Windows 8.1 operating system, you need
a strategy for deploying and managing the applications that users in your organization will run on their
new Windows 8.1 computers and devices. Based on the specific needs of your organization, you can
choose from a variety of methods to deploy and manage applications, from manual deployment
methods to fully automated management technologies. You also need a strategy to handle the
application compatibility issues that might arise when you try to run applications that were designed for
older versions of Windows operating systems.
Objectives
After completing this module, you will be able to:
Describe application deployment options in Windows 8.1.
Install and manage Windows Store apps.
Configure and secure Internet Explorer.
Configure application restrictions.
Lesson 1
Application Deployment Options in Windows 8.1
In your organization, scenarios might exist for which certain application deployment methods are more
appropriate than others. In this lesson, you will learn about traditional application deployment, in addition
to the methods that you can use to automate application deployment.
Lesson Objectives
After completing this lesson, you will be able to:
Differentiate between the types of apps in Windows 8.1.
Describe manual application installation.
Explain the methods for automating installation of desktop apps.
Describe App-V.
Explain how to sequence applications by using App-V.
Explain the options for deploying App-V applications.
Describe RemoteApp programs.
Explain how to deploy RemoteApp programs.
Types of Apps in Windows 8.1
In Windows 8.1, there are two types of apps:
desktop apps and Windows Store apps. Users
install and manage these two types of apps in
different ways. The following sections outline the
differences between both types.
Desktop Apps
Desktop apps are the traditional apps, such as
Microsoft Office 2013. Most users and network
administrators are familiar with desktop apps.
Desktop apps can be installed on Windows 8.1
and can be installed locally by an administrator
with a product DVD that contains a desktop app,
or via a network or by downloading an app from the Internet.
Windows desktop apps:
Are installed by using .exe or .msi installer files.
Can be automated.
Can be replaced by distributed app installation and execution methods in larger environments.
Windows Store Apps
A Windows Store app is a special type of app that is designed to run on computers that are running
Windows 8 and newer. Windows Store apps do not run on Windows 7 or older versions of Windows
operating systems.
Windows Store apps:
Can run on Windows 8.1, Windows 8, Windows RT 8.1, and Windows RT.
Are available from the Windows Store or through sideloading.
Are distributed in the .appx file format and must be digitally signed.
Run in full-screen mode by default when not running as active tiles, and two or more Windows Store
apps can be displayed at the same time on one or more displays.
Are not installed by means of traditional application deployment methods.
If your organization has developed custom Windows Store apps, you can use a process called sideloading
to install these apps. When sideloading a Windows Store app, you use an .appx installer file. You can use
Dism.exe or the Windows PowerShell command-line interface to sideload and manage Windows Store
apps. For large scale deployment of sideloaded apps, an enterprise also could use System Center 2012 R2
Configuration Manager.
Sideloading Windows Store apps has the following prerequisites:
Sideloading must be enabled in Group Policy.
Windows Store apps must be digitally signed.
To enable sideloading, configure the Allow all trusted apps to install Group Policy setting. This item is
located in the Computer Configuration\Administrative Templates\Windows Components\App Package
Deployment node of the Group Policy Management Console.
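The two prerequisites above (sideloading enabled by policy, package digitally signed) can both be checked from Windows PowerShell before a package is installed. The script below is an added example, not part of the courseware: it sets the registry value that the Allow all trusted apps to install policy writes, verifies the .appx file's signature, and then sideloads it with Add-AppxPackage. The package path \\lon-dc1\apps\ContosoApp.appx is an assumption.

```powershell
# Added example (not part of the courseware): enable sideloading, verify, and install an .appx.
# Run in an elevated Windows PowerShell session on the Windows 8.1 client.

$package = '\\lon-dc1\apps\ContosoApp.appx'   # assumption: the line-of-business package

# Value written by the "Allow all trusted apps to install" policy setting. Setting it locally
# is equivalent to the local GPO; in a domain, prefer the GPO so the setting is managed centrally.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -Value 1 -Type DWord

# Windows Store apps must be signed, and the signing certificate must chain to a root the
# computer trusts. Refuse the package if the signature does not validate.
$sig = Get-AuthenticodeSignature -FilePath $package
if ($sig.Status -ne 'Valid') {
    throw "Refusing to sideload $package`: signature status is $($sig.Status)"
}
Write-Output "Package signed by: $($sig.SignerCertificate.Subject)"

# Install for the current user without involving the Windows Store.
Add-AppxPackage -Path $package

# Confirm the package is registered for this user.
Get-AppxPackage | Where-Object { $_.Name -like 'Contoso*' } |
    Select-Object Name, Publisher, Version, PackageFullName

# To provision the package for every user who signs in to the computer, use DISM instead:
#   Dism.exe /Online /Add-ProvisionedAppxPackage /PackagePath:$package /SkipLicense
```

The signature check matters because the package publisher name in the manifest must match the signing certificate; an unsigned or re-signed package fails Add-AppxPackage anyway, but checking first gives a clear reason rather than a deployment error.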
Manual Application Installation
To install a desktop app from local media, an
interactive user inserts a product DVD that
contains a desktop app, after which Windows 8.1
prompts the user about what to do. Typically, a
user chooses to run Setup.exe.
Note: You also can install desktop apps by
using Control Panel. If a network administrator
has made applications available for network
installation, you can open Control Panel, and then
click Get Programs. A list of apps that are available
for network installation displays. Windows 8.1 makes these apps available by using Group Policy
Objects (GPOs) and software distribution points.
The installation process for a desktop app begins, and the app installs. By default, all users run as standard
users. Windows 8.1 will prompt the user to elevate to full administrator privileges through User Account
Control (UAC) to install the application.
Note: Apps installed across a network can be installed automatically without user
intervention, depending on the configuration of the app package.
Windows Installer
The Windows Installer is the desktop app installation and configuration service for Windows 8.1. Windows
Installer packages are packaged apps in the .msi file format. An app that is designed for deployment on
Windows-based client computers often is available from a vendor in the .msi format already. You also can
use non-Microsoft app packaging products to convert app installers from the .exe file format to Windows
Installer packages in the .msi format.
A Windows Installer package in the .msi format includes the information that is necessary to add, remove,
and repair an application. You can install an app installer in the .msi format locally, or you can deploy it
through an automatic application deployment solution, such as Group Policy or Configuration Manager.
Because of the way that Windows Installer packages manage changes to an operating system,
applications that you deploy from these packages are more likely to uninstall cleanly than those that you
deploy by using application installers in executable files. This fact is important from an application-
management perspective because it is just as important to be able to remove an application cleanly,
leaving no trace that the application was installed on a target computer, as it is to be able to install it
correctly in the first place.
If an app is packaged as an .msi file and is accessible from the target computer, you can run Msiexec.exe
from an elevated command prompt to install a desktop app. For example, to install an app from a shared
folder, run the following sample command from an elevated command prompt:
Msiexec.exe /i \\lon-dc1\apps\app1.msi
Administrators also can use Windows Installer to update and repair installed desktop apps.
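An unattended installation from the shared folder in the example above usually needs a log, a no-UI switch, and an interpretation of the Windows Installer exit code so that a deployment script can tell success from "installed, restart required". The function below is an added example (not part of the courseware) that wraps Msiexec.exe for install, uninstall, and repair, checks the package's Authenticode signature first, and returns the result as an object. The C:\Logs location is an assumption.

```powershell
# Added example (not part of the courseware): run msiexec.exe unattended and interpret its result.
# Run from an elevated Windows PowerShell session.

function Install-MsiPackage {
    param(
        [Parameter(Mandatory)][string]$Path,
        [ValidateSet('Install', 'Uninstall', 'Repair')][string]$Mode = 'Install',
        [string]$LogDir = 'C:\Logs'   # assumption: where verbose logs are kept
    )

    # Refuse unsigned or tampered packages pulled from a share.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "Signature check failed for $Path ($($sig.Status))" }

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ("{0}-{1}.log" -f (Split-Path $Path -Leaf), $Mode.ToLower())

    # /i install, /x uninstall, /f repair; /qn no UI, /norestart never reboot, /l*v verbose log.
    $action = switch ($Mode) { 'Install' { '/i' } 'Uninstall' { '/x' } 'Repair' { '/f' } }
    $msiArgs = @($action, "`"$Path`"", '/qn', '/norestart', '/l*v', "`"$log`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Standard Windows Installer exit codes.
    $status = switch ($proc.ExitCode) {
        0       { 'Success' }
        1641    { 'Success; restart initiated by Windows Installer' }
        3010    { 'Success; restart required' }
        1602    { 'Cancelled by user' }
        1603    { 'Fatal error during installation (see log)' }
        1619    { 'Package could not be opened (path or permissions)' }
        1639    { 'Invalid command line argument' }
        default { "Failed with exit code $($proc.ExitCode)" }
    }

    [pscustomobject]@{ Package = $Path; Mode = $Mode; ExitCode = $proc.ExitCode; Status = $status; Log = $log }
}

# Same package as the courseware's sample command, installed silently with a log.
Install-MsiPackage -Path '\\lon-dc1\apps\app1.msi'
```

Because /norestart is passed, exit code 3010 is the signal that the deployment tooling should schedule a restart rather than letting Windows Installer reboot the computer mid-session.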
Methods to Automate Desktop App Installation
A single, user-directed installation process works
in situations where a desktop app is installed only
once or twice. However, for larger and more
complex installations, planning and performing an
automated desktop app deployment might be a
better choice. Several options exist for automating
the deployment of desktop apps to computers
that are running Windows 8.1.
Automating Installation by Using Group
Policy
Group Policy software deployment enables the
deployment of desktop apps in the Windows
Installer .msi file format to computers that belong to an Active Directory Domain Services (AD DS)
environment. Group Policy software deployment offers the most basic form of automated app
deployment. To perform Group Policy software deployment, you configure a GPO. Use Group Policy as a
software deployment method in small organizations where the desktop apps that you want to deploy
already are packaged in the Windows Installer format.
Group Policy software deployment has the following requirements and properties:
The target computers must belong to an AD DS domain.
The software must be packaged in the Windows Installer .msi file format.
User and computer accounts can be the targets of an application deployment.
You can target a deployment at the domain level, the site level, or the organizational unit level.
Group Policy software deployment supports the following deployment types:
Assign. You can assign applications to users or computers. When you assign an application to a user,
the application installs when the user signs in. When you assign an application to a computer, the
application installs when the computer starts.
Publish. You can publish applications to users. Doing so makes an application available through the
Programs and Features item in Control Panel. You cannot publish applications to computers.
Group Policy software deployment has the following drawbacks:
Difficulty in determining the success of deployments. Group Policy software deployment does not
include reporting functionality. The only way to determine whether an application has installed is to
check it manually.
No prerequisite checking. Group Policy software deployment does not enable you to perform
prerequisite checks directly. You can use Windows Management Instrumentation queries to check,
but doing so is a complex operation that requires significant expertise and time.
No installation schedule. Deployment will occur the next time a Group Policy refresh occurs. You
cannot schedule Group Policy software deployment to occur at a specific date and time.
Automating Installation by Using MDT
Microsoft Deployment Toolkit (MDT) 2013 is a solution accelerator that you can use to automate the
deployment of operating systems and applications to computers. You can use MDT to perform lite-touch
installation (LTI). LTI requires that you trigger operating system deployment or application installation on
each computer, but it requires minimal intervention after the deployment begins. You can use MDT to
perform automated operating system and application deployment without deploying Configuration
Manager. However, you can use MDT when it is integrated with Configuration Manager to perform zero-
touch installation (ZTI). ZTI enables operating system and application deployment and migration without
requiring any intervention.
You can use MDT to perform LTI deployment and migration from the following operating systems:
Windows 8.1 or Windows 8
Windows 7
Windows Vista Service Pack 2 (SP2)
Windows XP Service Pack 3
Windows Thin PC
Windows Server 2012
Windows Server 2008 R2
Windows Server 2008 SP2
Windows Server 2003 R2
The LTI process requires only the tools that are available in MDT. You do not need to deploy
Configuration Manager in your environment to perform LTI. To perform LTI by using MDT, perform the
following steps:
1. Deploy MDT on a computer that will function as the management computer, create a deployment
share on this computer, and then import the image files that you will use.
2. Create a task sequence and a boot image for the computer that will function as the reference
computer.
3. Start the reference computer by using the medium that contains MDT. The task sequence files, task
sequence, and boot image transfer to the reference computer.
4. Use the Windows Deployment Wizard to deploy the operating system. After deployment, capture the
reference computer as an image.
5. Transfer the captured image to the management computer.
6. Create a new boot image and task sequence for deployment to the target computers.
7. Start the deployment target computers by using the medium that contains MDT. The task sequence
files, task sequence, and boot image transfer to the reference computer.
8. Run the Windows Deployment Wizard to deploy the prepared image.
Automating Installation by Using Configuration Manager
Configuration Manager provides a comprehensive platform for application deployment and management,
and it supports deploying applications in the .exe, .msi, .appv, and .appx file formats. Configuration
Manager enables administrators to target deployments to groups of users and computers, and to
configure deployments to occur at specific dates and times. Computers must have the Configuration
Manager client installed to receive software that Configuration Manager deploys.
Collections
Configuration Manager enables the deployment of applications to computers, users, and security groups.
Configuration Manager enables you to create collections that consist of manually created groups of users
or computers. Collections also can be based on the results of queries of user or computer properties.
Because Configuration Manager can collect information about all aspects of a user or computer, including
all AD DS attributes and software and hardware configurations, you can create focused collections for
targeted application deployment. For example, you can create a collection that includes only the
computers that are located at a specific site with a certain deployed application and a specific piece of
installed hardware.
Multiple Deployment Types
Configuration Manager enables you to use multiple deployment types when deploying an application.
With this feature, you can configure a single application deployment but make it possible for that
deployment to occur in different ways, depending on the conditions that apply to the target computer or
user. For example, you can configure an application to install locally if a user is logged on to his or her
primary device, but to stream as a Microsoft Application Virtualization (App-V) application if the user is
logged on to another device. Deployment types also enable you to configure the deployment of the x86
version of an application if the target computer has a 32-bit processor, or to configure the deployment of
the x64 version if the target computer has a 64-bit processor.
Reporting
Configuration Manager includes extensive reporting functionality. This feature enables you to determine
how successful an application deployment was after its completion. Configuration Manager also enables
you to simulate application deployments before performing them. This feature enables you to
determine, before you perform an actual deployment, whether any factors that you have not
considered might block a successful application deployment.
Wake On LAN and Maintenance Windows
Configuration Manager supports Wake On LAN (WOL) functionality and maintenance windows. Instead of
interrupting a user with an application installation that might require a restart and the disruption of his or
her current productivity, WOL functionality enables application deployment to occur after-hours, when
the compatible computer is in a low power state. Configuration Manager sends a special signal to these
computers, which return to a fully powered-on state, perform the application installation, and then return
to the low power state.
Maintenance windows enable administrators to define when operations such as software installations and
software update deployments should occur. Maintenance windows give users a predictable period during
which they know that operations requiring a restart of their computers might occur. If users know that
their computers might need to restart at a certain time each week, they are less likely to leave important
documents and programs open at that time, thereby avoiding potential data loss.
Software Inventory, Software Metering, and Asset Intelligence
Configuration Manager supports software inventory, software metering, and Asset Intelligence. A software
inventory enables you to determine which applications are installed on computers in your organization.
Software metering enables you to monitor how often particular applications are used. Asset intelligence
enables you to check software licensing compliance, helping ensure that the number of applications
deployed within an organization equals the number of software licenses that are available for those
applications. With this information, you can make informed decisions with respect to future software
deployment. You also can use software inventory and software metering information as a basis for the
creation of collections.
Automating Installation by Using Windows Intune
You can use Windows Intune to perform software deployment on user or computer groups. Users and
computers can belong to multiple groups. You can configure Windows Intune to synchronize account
information from AD DS.
You need to deploy the Windows Intune client on the target computers to use Windows Intune. If users
have local Administrator rights, they can perform this operation themselves by downloading the
Windows Intune client software from the Windows Intune site in their organization. If users do not have
Administrator rights, they can install the Windows Intune client by using Windows Remote Assistance or
by bringing their computers to a branch office location.
You can use Windows Intune to deploy applications to Windows Intune clients in both the .exe and .msi
file formats. You must upload applications to Windows Intune before you can deploy them. You can make
software available as an optional installation or configure it as a required installation.
Windows Intune provides reporting on the success and failure of targeted application deployment. This
feature means that you can determine how many clients out of the target group successfully installed the
deployed application. It also is possible to use Windows Intune to remove applications that were deployed
to client computers previously.
You can integrate Windows Intune with Configuration Manager, enabling you to manage devices that are
hosted in both platforms from a single console. You can use Windows Intune to manage computers that
are running Windows 8.1 irrespective of whether they are members of an AD DS domain. In addition, you
can use Windows Intune to manage computers that are running Windows 8, Windows RT 8.1, Mac OS X,
Windows 7, Windows Vista, and Windows XP. You can use Windows Intune to manage PCs and devices at
scale.
What Is App-V?
App-V is a Microsoft solution that enables users to
run virtualized applications on their computers
without having to install or configure them
locally. App-V benefits an organization through
faster deployment of applications and updates,
and it minimizes conflicts between applications
and various versions of applications. Before a
Windows 8.1 computer can run streamed App-V
applications, you must install the App-V client.
The App-V client provides an isolated execution
environment in which App-V applications run. The
virtualized applications interact with the App-V
client rather than directly with the host operating system.
With App-V, you can perform nonpersistent application deployment. Nonpersistent application
deployment is useful in scenarios where a person might need to use an application on a computer on a
one-off or infrequent basis. This type of deployment also is useful in environments where people are not
assigned specific computers. For example, a person might need to use a specific application that is not
installed as part of the standard operating-system build in an organization where people are assigned
desktops each day on a first-come, first-served basis. With App-V, you can provision an application to a
user no matter which computer the user is assigned to. You can configure the application so that it will no
longer be present on the computer after the user signs out.
App-V is part of the Microsoft Desktop Optimization Pack. App-V supports the virtualization of
applications that run on Windows 8.1 computers and Remote Desktop Services (RDS) on Windows
Server 2012 R2. App-V also supports client computers that are running Windows 7, Windows Vista, and
Windows XP. It also can be used with RDS on Windows Server 2008 R2 and Windows Server 2008.
Applications are still limited by platform constraints. You cannot run an x64 application on an x86 host,
and an application that requires 4 gigabytes (GB) of RAM to run in a traditional manner still requires 4 GB
of RAM to run when sequenced.
When planning whether to use App-V as a part of your organization's application deployment strategy,
consider the following:
App-V allows users to run different versions of the same application concurrently. Most applications
do not allow you to install a later version of the application side-by-side with an older version.
However, when applications are virtualized through App-V, the applications are unaware of each
other because each has its own silo that the App-V client provides.
App-V minimizes application conflict. Although unusual, applications can conflict because of
dynamic-link library (DLL) or application programming interface (API) conflicts. When applications are
virtualized and running in separate silos under the App-V client, these conflicts do not occur.
App-V applications can be streamed. App-V applications can be streamed from distribution points.
This feature means that rather than waiting for an entire application to be transferred across a
network and installed, a user can start using the application as soon as enough of it has transferred
across the network for it to begin running. App-V uses Hypertext Transfer Protocol (HTTP) for
streaming rather than Real-Time Streaming Protocol (RTSP), which was used in older versions of the
product.
A deployment does not require a restart. You can deploy an App-V application to a target computer,
and the user can run that application without requiring the target computer to restart.
No extra prerequisite components are required. Other than the App-V client, which must be present,
any prerequisite components are included when sequencing the application. It is not necessary to
deploy extra components, such as Microsoft Visual C++ runtime files, prior to deploying a
sequenced application.
Upgrades are simplified. Because an App-V application runs in its own silo that is disconnected from
the operating system, you can deploy an upgrade to an application over the existing application. This
process is called resequencing.
Nonpersistent installation. You can configure streamed App-V applications so that they are not stored
in the App-V cache after a user signs out. This feature enables you to have applications follow users as
they sign in to different computers, while ensuring that only one instance of an application is
deployed to a user. It also enables sensitive applications to be present on the local computer only
when specific users are signed in, and otherwise, to be inaccessible.
Applications use local resources. A drawback of Windows Server 2012 R2 RemoteApp is that when
multiple users are using a RemoteApp program from the same Remote Desktop (RD) Session Host
server, that server might be under resource pressure. On the other hand, an App-V application uses
the resources of the local computer; therefore, the application does not consume the resources of the
App-V server.
Sequencing Applications with App-V
By sequencing an application, you can create a
version of that application that runs within the
App-V client environment. You must sequence an
application before it can run on a computer that
has the App-V client installed.
The sequencing process is similar to the
application packaging process to create a
Windows Installer package. Sequencing an
application with the App-V Sequencer produces
an .appv file and a .msi file. You can deploy an
.msi file to a computer in the same way as any
other .msi file, although the application will run
only if the App-V client is installed. When deployed as an .msi file, an application will remain on a
computer until it is uninstalled. An application is streamed when deployed as an .appv file. The length of
time that it remains in the .appv cache depends on the deployment settings.
The sequencing process records all changes that the installation of an application makes to a client
computer. These changes include those made to files and folders, environment variables, .ini files, and the
registry. The sequencing process functions in the following way:
1. The App-V Sequencer initiates the application's installation process.
2. The Sequencer records all changes to files, registry settings, environment variables, and DLLs, in
addition to any other changes to the computer that hosts the Sequencer.
3. The Sequencer generates a special virtual environment.
4. The Sequencer runs the application in this environment. This includes all the modifications that were
made to the computer that hosts the Sequencer.
5. The technician performing the sequencing performs any required post-installation configuration
tasks. The Sequencer records any additional modifications.
6. The Sequencer generates .appv and .msi files and writes them to the folder that the technician
specified.
The computer that functions as the Sequencer needs special preparation. This preparation involves
shutting down services and applications, such as antimalware scanners, that might cause problems with
the sequencing process. You should deploy the role of Sequencer on a virtual machine. The Sequencer
records changes that are made to the host operating system during the application installation. When you
deploy the Sequencer on a virtual machine, you can use virtual machine snapshots to roll the virtual
machine back to a clean configuration after you sequence each application. This computer should run the
same operating system as the clients on which you will be deploying the sequenced application. You can
sequence an x86 application on a computer running an x64 version of the App-V Sequencer.
Options for Deploying App-V Applications
You have a number of options for deploying
App-V applications after you ensure that the
App-V client is locally installed. The option that
you choose depends on what infrastructure is
available in your organization. Three App-V
deployment models exist:
The stand-alone deployment model
The App-V full infrastructure model
The Configuration Manager integrated model
Stand-alone Deployment Model
The stand-alone deployment model requires that you deploy a minimal amount of infrastructure. In this
deployment model, you must deploy a Sequencer to create sequenced applications, and you must deploy
the App-V client to all the Windows 8.1 client computers that will consume App-V applications. In the
stand-alone deployment model, you deploy sequenced applications in Windows Installer format either
manually, through Group Policy, or through Windows Intune. Applications that you deploy by using the
stand-alone deployment model remain on target computers until they are uninstalled.
App-V Full Infrastructure Model
The App-V full infrastructure model is appropriate for organizations that want to stream virtualized
applications to clients but have not deployed Configuration Manager. In addition to the App-V client
being installed on all Windows 8.1 client computers and the computer that functions as the Sequencer,
this model requires the deployment of the following components:
Management server. This server enables administrators to manage the App-V infrastructure and to
assign the rights that allow users to consume applications.
Management server database. This database stores configuration settings for the management server.
Publishing server. Sequenced applications are streamed to App-V clients over HTTP from the
publishing server.
Reporting server. This server enables the generation of reports that detail application deployment and
consumption.
Reporting server database. This database stores reporting server data.
You can deploy each of the preceding roles on the same server. In large environments, you deploy
publishing servers to each branch office so that Windows 8.1 computers will be able to stream
applications locally rather than across wide area network (WAN) links.
Configuration Manager Integrated Model
You can use Configuration Manager to deploy applications in the .appv and .msi formats to client
computers. An advantage of the Configuration Manager integrated model over the other models is that
you can configure the application deployment process to detect automatically whether a target computer
has an App-V client installed and, if a client is not present, to deploy a client before deploying the
application. The Configuration Manager integrated model supports streaming when deploying sequenced
applications in the .appv format, and it supports local installation when using sequenced applications in
the .msi format. The Configuration Manager integrated model requires that you have deployed
Configuration Manager in your environment previously and have configured a computer to function as an
application Sequencer.
What Are RemoteApp Programs?
Windows Server 2012 R2 RemoteApp programs
display locally but run remotely. From a user's
perspective, a RemoteApp program appears to be
the same as any other application that is running
on a computer. Consider deploying RemoteApp in
situations where an application does not run on a
client computer. Here are some of the scenarios in
which you can use RemoteApp to deploy an
application:
Users of computers that are running
Windows RT 8.1 need to access an application
that only runs on the x64 version of
Windows 8.1.
Users of computers that are running the x86 version of Windows 8.1 need to access an application
that is available only in an x64 version.
Users of computers that have 4 GB of RAM need to run an application that requires 8 GB of RAM.
In each of the preceding scenarios, the application is provided to the user through RemoteApp. The
application displays locally but runs on a platform that has appropriate hardware resources to support the
application. RemoteApp programs can run directly on RD Session Host servers or on separate virtual
machines in a Remote Desktop Virtual Desktop Infrastructure (VDI) scenario. From the user's perspective,
little difference exists between a RemoteApp program that is running on an RD Session Host server and a
RemoteApp program installed on a virtual machine in a VDI scenario.
Running a RemoteApp program on an RD Session Host server has the following advantages and
disadvantages:
You install applications directly on RD Session Host servers and then make them available to users as
RemoteApp programs. This technique makes it simpler to deploy applications than by using
RemoteApp on VDI.
You cannot deploy different versions of the same application on RD Session Host servers. The
exception to this rule occurs when you also deploy the App-V client on the RD Session Host
Application Virtualization server.
Some applications cannot be installed in the RD Session Host environment.
You must configure each RD Session Host server identically in the server farm.
You can scale this solution by adding more identically configured RD Session Host servers. Doing so
can be complicated if a large number of applications need to be deployed on each RD Session Host
server.
The RemoteApp on VDI solution has the following advantages and disadvantages:
You install applications on virtual machines and make them available to users as published
RemoteApp programs.
Having to deploy Windows Server 2012 R2 Hyper-V and configure virtual machines for VDI can
make this solution seem more complex from an administrative standpoint.
Applications run on client virtual machines. Therefore, applications that are not supported on
RD Session Host servers can be deployed as RemoteApp programs.
You do not need to configure virtual machines identically. You install an application on one or more
virtual machines, and the Remote Desktop Connection Broker connects users to virtual machines that
have the RemoteApp program installed.
Make sure that you have enough virtual machines with an application installed to meet the demand
for that application. In complex environments, you can use System Center 2012 R2 - Orchestrator and
System Center 2012 R2 - Virtual Machine Manager to automate the deployment of extra virtual
machines and applications to meet specific demands.
RemoteApp on VDI is more scalable. You can deploy Hyper-V, virtual machines, and also use cloned
virtual machines.
Deploying RemoteApp Programs
You can publish RemoteApp programs in the
following three ways:
By using the RemoteApp Manager
administration console.
Through Remote Desktop (RD) Web Access.
By using Group Policy.
You can publish RemoteApp programs by using
the RemoteApp Manager administration console.
The management server detects applications that
have been installed on RD Session Host servers if
you are using RemoteApp with a session host, and
it also detects applications that are installed on virtual machines if you are using RemoteApp with virtual
machines. You can use this console to configure session collections and RemoteApp permissions. By doing
so, you can control which users will be able to access specific published RemoteApp programs.
You can make RemoteApp programs available through RD Web Access. When you do so, users can
connect to the RD Web Access server to launch applications. By default, the location of the RD Web
Access site is https://<ServerFQDN>/RDWeb, where <ServerFQDN> represents the fully qualified domain
name (FQDN) of the RD Web Access server. When a user connects to this site, the site displays a list of
RemoteApp programs and RD Session Host servers to which that user has access.
You can publish RemoteApp programs through Group Policy by configuring the default connection URL
policy with the address of the RemoteApp feed. When you do so, the list of available RemoteApp
programs is published to the Start screen of Windows 8.1. The default location of this feed is
https://<ServerFQDN>/Rdweb/webfeed.aspx. You can configure the default connection URL by editing
the following policy: User Configuration\Policies\Administrative Templates\Windows
Components\Remote Desktop Services\RemoteApp and Desktop Connections
Lesson 2
Managing Windows Store Apps
Windows 8.1 supports Windows Store apps that were introduced with Windows 8 and Windows RT.
Windows Store apps are small, light, and easily accessible. It is important that you know how to manage
user access to the Windows Store, which will enable you to control the installation and use of these apps.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the Windows Store and Windows Store apps.
Explain how to manage and restrict access to the Windows Store.
Describe how to sideload Windows Store apps.
Sideload Windows Store apps.
What Is the Windows Store?
The Windows Store provides a convenient, single
location for users to access and download apps.
Users can access the Windows Store from the
Start screen without needing to navigate to
Control Panel.
Note: To access the store, users must sign in
to Windows by using a Microsoft account. Users
can create this account during Windows 8.1
installation, or they can define it after installation.
Windows Store Apps
The Windows Store enables users to access and install Windows Store apps. These are not like desktop
apps, such as Microsoft Office 2013.
These apps can communicate with one another and with Windows 8.1 so that it is easier to search for and
share information, such as photographs. When an app is installed, from the Start screen, users can see Live
tiles that constantly update with live information from the installed apps.
Locating Windows Store Apps
The landing page is the initial page that users see when accessing the Windows Store. When users
connect to the Windows Store, they can locate apps easily on the landing page. Windows Store Apps are
divided into categories such as Games, Entertainment, Music & Videos, and others.
Users also can use the Windows 8.1 Search charm to search the Windows Store for specific apps. For
example, if a user is interested in an app that provides video-editing capabilities, he or she can select the
Search charm, type in a search text string, and then click Store. The Windows Store returns suitable apps
from which the user can make a selection.
Installing Windows Store Apps
Installing Windows Store apps is a straightforward task for most users. A single tap on the appropriate app
in the listing should be sufficient to install the app. Apps install in the background so that users can
continue browsing the Windows Store. After an app is installed, a tile for the app appears on the user's
Start screen.
Updating Windows Store Apps
Windows 8.1 checks the Windows Store for updates to installed apps on a daily basis. When an update for
an installed Windows Store app is available, Windows updates the Store tile on the Start screen to display
an indication that updates are available. When a user selects the Store tile and connects to the Windows
Store, the user can choose to update one, several, or all of his or her installed apps for which updates are
available.
Installing Windows Store Apps on Multiple Devices
Many users have multiple devices, such as desktop and laptop computers. The Windows Store allows 81
installations of a single Windows Store app so that users can run the app on all of their devices. If users
attempt to install an app on an 82nd device, they are prompted to remove the app from another device.
Managing Access to the Windows Store
While it might be convenient to let users search
for and install apps, it does pose potential
problems for network administrators who want to
control app installation or to impose a rigid
desktop standard on network-connected
computers. For this reason, you can use domain-
based or local GPOs to control access to the
Windows Store.
Disable the Store application
To control access to the Store, perform the
following procedure:
1. From the Start screen, run gpedit.msc with administrative permissions, and then load the Local
Group Policy Editor.
2. Under Local Computer Policy, expand User Configuration, expand Administrative Templates,
expand Windows Components, and then click Store.
3. In the results pane, double-click Turn off the Store application.
4. In the Turn off the Store application dialog box, click Enabled, and then click OK.
5. Close all open windows.
When the Windows Store is disabled, users will see a "Windows Store isn't available on this PC" message
when they attempt to access the Store tile on the Start screen.
Note: You can use a GPO to disable the Windows Store for target computers, specific users,
or groups of users.
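The procedure above sets the policy through the Local Group Policy Editor. The following Windows PowerShell script is an added example for this page (it is not part of the Microsoft courseware) that audits the resulting state on a computer, which is what an administrator needs when verifying that a domain or local GPO actually took effect on a fleet. It assumes that the "Turn off the Store application" policy is stored as the DWORD value RemoveWindowsStore under Software\Policies\Microsoft\WindowsStore in HKLM (Computer Configuration) and HKCU (User Configuration); those registry locations are not stated on the page.

```powershell
# Added example for this course page; it is not part of the Microsoft courseware.
# Assumption (not from the page): the "Turn off the Store application" policy is
# stored as DWORD RemoveWindowsStore under Software\Policies\Microsoft\WindowsStore,
# in HKLM for Computer Configuration and in HKCU for User Configuration.

function Get-WindowsStorePolicyState {
    [CmdletBinding()]
    param()

    $scopes = @(
        [pscustomobject]@{ Scope = 'Computer'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsStore' }
        [pscustomobject]@{ Scope = 'User';     Path = 'HKCU:\Software\Policies\Microsoft\WindowsStore' }
    )

    $findings = foreach ($s in $scopes) {
        $value = $null
        if (Test-Path -Path $s.Path) {
            $value = (Get-ItemProperty -Path $s.Path -Name 'RemoveWindowsStore' `
                                       -ErrorAction SilentlyContinue).RemoveWindowsStore
        }
        [pscustomobject]@{
            Scope      = $s.Scope
            Configured = ($null -ne $value)   # policy present at all (Enabled or Disabled)
            Disabled   = ($value -eq 1)       # policy Enabled, so the Store is turned off
        }
    }

    # Either scope being Enabled is enough to block the Store tile for the user.
    $enforcing = @($findings | Where-Object { $_.Disabled })
    [pscustomobject]@{
        StoreBlocked = ($enforcing.Count -gt 0)
        EnforcedBy   = if ($enforcing.Count -gt 0) { ($enforcing.Scope -join ',') } else { 'none' }
        Details      = $findings
    }
}

function Disable-WindowsStoreForCurrentUser {
    # Writes the same value that the User Configuration procedure above produces.
    # This does not update the local registry.pol, so the Local Group Policy Editor
    # will not show it as configured, and a domain GPO that sets the policy overrides
    # it at the next Group Policy refresh.
    $path = 'HKCU:\Software\Policies\Microsoft\WindowsStore'
    if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'RemoveWindowsStore' -PropertyType DWord -Value 1 -Force | Out-Null
    Get-WindowsStorePolicyState
}

# Usage: audit this computer. LON-CL1 is the course's lab computer name; any other
# names would be your own.
Get-WindowsStorePolicyState | Format-List
# Invoke-Command -ComputerName LON-CL1 -ScriptBlock ${function:Get-WindowsStorePolicyState}
```

Run the audit in the context of the user whose access you are checking, because the HKCU scope is read from the current user's hive; the Invoke-Command form reaches the HKCU hive of the remoting account, not of the logged-on user, so it is mainly useful for the Computer scope.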
Controlling the Windows Store Apps That Can Be Installed
In addition to disabling the Windows Store on a computer, you also can use AppLocker to control which
apps can be installed.
Note: AppLocker is covered later in this module.
Managing Updates
Information technology (IT) administrators have limited control over updates for installed Windows Store
apps. By default, the app-update process is automated for users running Windows 8.1. It is possible to
turn off automatic updates for apps at any time by configuring the App updates setting within the
Windows Store. Unless you disable the automatic app updates, you cannot control which updates are
available. Once triggered, all updates will be downloaded.
How to Sideload Windows Store Apps
Many larger organizations will want to distribute
Windows Store apps to their client computers that
are intended for internal use only. These line-of-
business (LOB) apps are not available on the
Windows Store. Therefore, you must provide
some other method for distribution and
installation of these applications. Sideloading
provides such a mechanism for distribution of
LOB apps to client computers without publishing
them in and downloading them from the
Windows Store.
You can use the Dism.exe command-line tool
and Windows PowerShell to add, list, and remove LOB apps. Windows PowerShell is the preferred method
because it provides administrators much more functionality to sideload, especially when deploying a LOB
app to a large volume of client computers.
Note: Enterprises also can use Windows Intune to deploy apps via the Windows 8.1 Self-
Service Portal app.
To prevent malware from being deployed via the sideloading process, Windows 8.1 only allows apps that have
been signed by the developer using a trusted root certificate. If your organization creates a LOB app, it
also should be signed by using the organizational trusted root certificate. You can use a self-signed
certificate to sideload an app, but administrators should note that this is not a best practice in a
production environment.
Sideloading Requirements: Enterprise Scenarios
Computers must meet the following requirements to sideload Windows Store apps on them:
Computers must run the Windows 8.1 Enterprise operating system.
Computers must be members of a domain.
The Allow all trusted apps to install GPO setting must be enabled.
The app must be digitally signed.
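The four requirements above, and the certificate and Add-AppxPackage steps that the demonstration later in this lesson performs by hand, can be checked and carried out from one script. The following Windows PowerShell script is an added example for this page, not part of the Microsoft courseware. It assumes (none of this is stated on the page) that the "Allow all trusted apps to install" policy is stored as the DWORD AllowAllTrustedApps under HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx, that Get-AuthenticodeSignature on an .appx file reports Status Valid only when the signer chains to a root the computer trusts, and that the file paths are the course's lab paths. It deliberately refuses to import a .cer file into the Trusted Root store unless that certificate is actually in the signing chain of the package, since a trusted root added for one package becomes a trust anchor for everything on the computer.

```powershell
# Added example for this course page; it is not part of the Microsoft courseware.
# Assumptions (not from the page): the "Allow all trusted apps to install" policy is
# stored as DWORD AllowAllTrustedApps under HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx,
# and Get-AuthenticodeSignature on an .appx returns Status 'Valid' only when the signer
# chains to a trusted root. File paths are the course's lab paths.

function Test-SideloadPrerequisites {
    param([Parameter(Mandatory)][string]$PackagePath)

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' `
                            -Name 'AllowAllTrustedApps' -ErrorAction SilentlyContinue
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath

    $r = [ordered]@{
        EnterpriseEdition = ($os.Caption -like '*Enterprise*')
        DomainJoined      = [bool]$cs.PartOfDomain
        SideloadingPolicy = ($pol.AllowAllTrustedApps -eq 1)
        SignatureStatus   = $sig.Status.ToString()
        SignerTrusted     = ($sig.Status -eq 'Valid')
        SignerThumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
    $r.ReadyToSideload = $r.EnterpriseEdition -and $r.DomainJoined -and $r.SideloadingPolicy -and $r.SignerTrusted
    [pscustomobject]$r
}

function Test-CertificateSignedPackage {
    # True only if the .cer is the package's signer or an issuer in the signer's chain.
    param([Parameter(Mandatory)][string]$PackagePath,
          [Parameter(Mandatory)][string]$CertificatePath)

    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if (-not $sig.SignerCertificate) { return $false }
    $cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertificatePath

    # Build the signer's chain, letting the engine use the .cer even though it is not
    # in any store yet, and without failing on an as-yet-untrusted root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ExtraStore.Add($cer) | Out-Null
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $chain.Build($sig.SignerCertificate) | Out-Null
    $thumbprints = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
    return ($cer.Thumbprint -in $thumbprints)
}

function Install-LobApp {
    param([Parameter(Mandatory)][string]$PackagePath,
          [Parameter(Mandatory)][string]$CertificatePath)

    if (-not (Test-CertificateSignedPackage -PackagePath $PackagePath -CertificatePath $CertificatePath)) {
        throw "$CertificatePath is not in the signing chain of $PackagePath; refusing to trust it."
    }
    if (-not (Test-SideloadPrerequisites -PackagePath $PackagePath).SignerTrusted) {
        # Needs an elevated prompt; the lab's self-signed certificate becomes a trusted root.
        Import-Certificate -FilePath $CertificatePath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    }
    $check = Test-SideloadPrerequisites -PackagePath $PackagePath
    if (-not $check.ReadyToSideload) {
        throw ("Sideloading prerequisites not met:`n" + ($check | Format-List | Out-String))
    }

    $before = Get-AppxPackage | Select-Object -ExpandProperty PackageFullName
    Add-AppxPackage -Path $PackagePath
    # Return the newly registered package so the caller can inspect or remove it later.
    Get-AppxPackage | Where-Object { $_.PackageFullName -notin $before }
}

# Usage (lab paths from the demonstration; run from an elevated Windows PowerShell prompt):
$pkg = Install-LobApp -PackagePath 'E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.appx' `
                      -CertificatePath 'E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.cer'
$pkg | Select-Object Name, Version, PackageFullName
# To remove it again: Remove-AppxPackage -Package $pkg.PackageFullName
```

Add-AppxPackage registers the app for the user running the script, so in the lab sequence the certificate import belongs to the administrator session and the package installation to the end user's session; the script combines both only for a single elevated test account. Test-SideloadPrerequisites on its own is the useful piece for a help desk: it tells you which of the four requirements a failing computer is missing.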
Sideloading Requirements: BYOD Scenarios
In a Bring Your Own Device (BYOD) scenario where a personal device such as a Surface 2 tablet is used in
the workplace, you also can sideload this device with LOB apps by first installing a sideloading product
key on the device. A sideloading product key can be obtained in the following ways:
A developer will have a license to test the sideloading of an app on devices.
From Microsoft Volume Licensing.
To activate a sideloading product key, follow this procedure:
1. Select Command Prompt (Admin) from the Administrative menu by pressing Windows logo key+X.
2. Type Slmgr /ipk <sideloading product key>.
3. Type Slmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e.
4. Restart the Windows operating system.
Note: The activation GUID will always be ec67814b-30e6-4a50-bf7b-d55daf729d1e.
Demonstration: Sideloading Windows Store Apps
In this demonstration, you will see how to:
Enable sideloading.
Install the root certificate.
Install a LOB app.
Remove an installed LOB app.
Demonstration Steps
Enable sideloading
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor (Gpedit.msc).
3. Under Local Computer Policy in the navigation pane, expand Computer Configuration, expand
Administrative Templates, expand Windows Components, and then click App Package
Deployment.
4. In the results pane, double-click Allow all trusted apps to install.
5. In the Allow all trusted apps to install dialog box, click Enabled, and then click OK.
6. Force a Group Policy update, and then close all open windows.
Install the root certificate
Note: To be able to sideload the app, the Windows operating system must trust the app.
For testing purposes, the app is using a self-signed certificate. You need to install the root
certificate on the client.
1. Right-click the file E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.cer.
2. Install the certificate into the Local Machine Trusted Root Certification Authorities certificate
store.
3. Confirm that the import was successful.
Note: Your LOB apps must be digitally signed and can be installed only on computers that
trust the certification authority that provided the app's signing certificate.
Install a LOB app
1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.
2. On LON-CL1, open a Windows PowerShell command prompt window, type import-module appx,
and then press Enter.
3. To install the app package, at the Windows PowerShell command prompt, type add-appxpackage
E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.appx, and then press Enter.
4. On the Start screen, type TestAppTKL1 and then press Enter. Verify that the six groups of Tiles are
present in the TestAppTKL1app.
5. Sign out from LON-CL1.
Remove an installed LOB app
1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.
2. Use the Windows PowerShell command Remove-AppxPackage <Package1> to remove the
TestAppTKL1 app from LON-CL1.
Note: The full package name for the sideloaded app is:
6483TKL.TestAppTKL1_1.1.0.2_neutral__aervmpxrfxxmo
3. Close the Windows PowerShell Command Prompt window.
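The following Windows PowerShell script is an added example, not part of the course material or the lab files: it performs the enterprise sideloading procedure demonstrated above end to end, checking the three requirements the lesson lists (Windows 8.1 Enterprise, domain membership, the Allow all trusted apps to install policy) and the package signature before installing. The certificate, package and package-name values are the ones used in the demonstration; the AllowAllTrustedApps registry value is the one that the Group Policy setting writes.

```powershell
# Added example (not from the course): sideload a LOB app on a domain-joined
# Windows 8.1 Enterprise client after verifying the lesson's prerequisites.
param(
    [string]$CertPath    = 'E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.cer',
    [string]$PackagePath = 'E:\Labfiles\Mod11\LeXProductsGrid81_1.1.0.2_AnyCPU.appx',
    [string]$PackageName = '6483TKL.TestAppTKL1'   # Name part of the full package name
)

function Test-SideloadPrerequisites {
    # Edition, domain membership and the policy that backs "Allow all trusted apps to install".
    $os     = Get-WmiObject -Class Win32_OperatingSystem
    $cs     = Get-WmiObject -Class Win32_ComputerSystem
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' `
                               -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnterpriseEdition = ($os.Caption -match 'Enterprise')
        DomainJoined      = [bool]$cs.PartOfDomain
        PolicyEnabled     = ($policy -ne $null -and $policy.AllowAllTrustedApps -eq 1)
    }
}

function Install-TrustedRoot {
    param([string]$Path)
    # Requires elevation: the Trusted Root store under LocalMachine is machine-wide.
    # A self-signed test root, as in the demonstration, is acceptable in a lab only.
    $cert = Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root'
    return $cert.Thumbprint
}

function Test-PackageSignature {
    param([string]$Path)
    # Authenticode check of the .appx: 'Valid' means the chain ends at a trusted root,
    # which is the condition the lesson describes for a sideloaded app to install.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature status for ${Path}: $($sig.Status); not installing"
        return $false
    }
    Write-Verbose "Package signed by $($sig.SignerCertificate.Subject)"
    return $true
}

function Install-SideloadedApp {
    param([string]$Path)
    # Runs in the target user's own session (Adatum\Dan in the demonstration).
    Import-Module Appx
    Add-AppxPackage -Path $Path
    Get-AppxPackage -Name $PackageName | Select-Object Name, PackageFullName, Version
}

function Remove-SideloadedApp {
    # Removes by package identity, as Remove-AppxPackage <PackageFullName> does in step 2.
    Get-AppxPackage -Name $PackageName | Remove-AppxPackage
}

# Usage: prerequisites and root import as Administrator, install as the end user.
$pre = Test-SideloadPrerequisites
$pre | Format-List
if (-not ($pre.EnterpriseEdition -and $pre.DomainJoined -and $pre.PolicyEnabled)) {
    throw 'Sideloading prerequisites are not met; correct them before installing the app.'
}
Install-TrustedRoot -Path $CertPath | Out-Null
if (Test-PackageSignature -Path $PackagePath) {
    Install-SideloadedApp -Path $PackagePath
}
# To uninstall later: Remove-SideloadedApp
```

The signature check is deliberately separate from Add-AppxPackage: Add-AppxPackage fails on an untrusted package anyway, but checking first gives a clear reason (Status of NotSigned or UnknownError) instead of a deployment error, which matters when the script runs across many clients.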
Lesson 3
Configuring Internet Explorer Settings
A browser is like any other application. You either can manage and secure it well, or manage it poorly. If
you manage a browser poorly, you and your organization risk consuming more time and money
supporting users and dealing with security infiltrations, malware, and loss of productivity.
Users can browse more safely by using Internet Explorer 11, which in turn helps maintain customer trust in
the Internet and helps protect the IT environment from the evolving threats that the web presents.
Internet Explorer 11 specifically helps users maintain their privacy with features such as InPrivate
Browsing and InPrivate Filtering. The SmartScreen Filter provides protection against social engineering
attacks by:
Identifying malicious websites that try to trick people into providing personal information or installing
malware.
Blocking malware downloads.
Providing enhanced antimalware support.
Internet Explorer 11 helps prevent a browser from becoming an attack agent, and it provides more
detailed control over installation of ActiveX controls with per-site and per-user ActiveX features. The
cross-site scripting filter protects websites from attacks.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Compatibility View.
Explain the function of various Internet Explorer privacy features.
Describe the SmartScreen feature.
Explain how to manage Internet Explorer add-ons.
List and explain other Internet Explorer security features.
Configure security settings in Internet Explorer.
What Is Compatibility View?
None of the improvements in Internet Explorer 11
matter if websites look bad or work poorly.
Internet Explorer 11 includes advancements in
compliance with web standards, enabling websites
to be created more efficiently and operate more
predictably. Each new version of Internet Explorer
must try to maintain compatibility with existing
websites. Internet Explorer 11 includes multiple
layout engines, putting the decision of whether
Internet Explorer 11 needs to support legacy
behaviors or strict standards in the hands of web
developers, who can specify which layout engine
to use on a page-by-page basis.
Internet Explorer 11 provides an automatic Compatibility View that invokes an older Internet Explorer
engine to display webpages whenever a legacy website is detected. This helps improve compatibility with
applications written for older versions of Internet Explorer. If you do not see the Compatibility View
button appear in the Address bar, there is no need to turn on Compatibility View because Internet
Explorer 11 will have detected that the webpage has loaded correctly.
Note: By default, intranet sites and apps continue to run in Internet Explorer 11, which
supports Compatibility View.
Compatibility View in Internet Explorer 11 helps display a webpage as it is meant to be viewed. This view
provides a straightforward way to fix display problems such as out-of-place menus, images, and text. The
main features in Compatibility View are:
Internet websites display in Internet Explorer 11 standards mode by default. Use the Compatibility
View button to fix sites that render differently than expected.
Internet Explorer 11 remembers sites that have been set to Compatibility View so that the button only
needs to be pressed once for a site. After that, the site is always rendered in Compatibility View unless
it is removed from the list.
Intranet websites display in Compatibility View by default. This means that internal websites that were
created for older versions of Internet Explorer will work.
You can use Group Policy to set a list of websites to be rendered in Compatibility View.
Switching in and out of Compatibility View occurs without requiring that a user restart the browser.
The Compatibility View button only displays if the website does not clearly state how it is to be rendered.
In other cases, such as viewing intranet sites or viewing sites with a <META> tag or an HTTP header that
indicates Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 standards, the
button is hidden.
When Compatibility View is activated, the page refreshes and a balloon tip in the taskbar notification area
indicates that the site is now running in Compatibility View.
Configuring Compatibility View
The Compatibility View settings option in the Tools menu enables you to customize Compatibility
View to meet enterprise requirements. For example, you can configure it so that all intranet sites display in
Compatibility View (the default), or you can configure it so that all websites are viewed in Compatibility
View.
Privacy Features
One of the biggest concerns for users and
organizations is the issue of security and privacy
when using the Internet. Internet Explorer 11
helps users maintain their security and privacy. For
enterprises that need users to be able to browse
without collecting browsing history, Internet
Explorer 11 has a privacy mode called InPrivate
Browsing, which allows users to surf the web
without leaving a trail. As an alternative to
InPrivate Browsing, a user can use the Delete
Browsing history option found in the Internet
options dialog box to delete their browsing
history manually without losing site functionality.
InPrivate Browsing
InPrivate Browsing helps protect data and privacy by preventing browsing history, temporary Internet
files, form data, cookies, user names, and passwords from being stored or retained locally by the browser.
This leaves virtually no evidence of browsing or search history as the browsing session does not store
session data.
From an enterprise and IT professional perspective, InPrivate Browsing is inherently more secure than
using the Delete Browsing history option to maintain privacy because there are no logs kept or tracks
made during browsing. InPrivate Browsing is a proactive feature because it enables you to control what is
tracked in a browsing session.
Some users might attempt to use InPrivate Browsing to conceal their tracks when browsing prohibited or
nonwork websites. However, you have full manageability control, and you can use Group Policy to
configure how your organization uses InPrivate Browsing.
Tracking Protection
Most websites today contain content from several different sites. The combination of these sites
sometimes is referred to as a mashup. People begin to expect this type of integration, from something
like an embedded map from a mapping site, to greater integration of advertisements or multimedia
elements. Organizations try to offer more of these experiences because it draws potential customers to
their site. This capability makes the web more robust, but it also provides an opportunity for a hacker to
create and exploit vulnerabilities.
Every piece of content that a browser requests from a website discloses information to that site,
sometimes even if a user has blocked all cookies. Often, users are not fully aware that their web browsing
activities are tracked by websites other than those they have consciously chosen to visit.
Tracking Protection monitors the frequency of all third-party content as it appears across all websites that
a user visits. An alert or frequency level is configurable and is initially set to 10. Third-party content that
appears with high incidence is blocked when the frequency level is reached. Tracking Protection does not
discriminate between different types of third-party content. It blocks content only when it appears more
than the predetermined frequency level.
Note: Tracking Protection Lists can help increase your browsing privacy. When you install a
Tracking Protection List, you will prevent the websites specified in the list from sending your
browsing history to other content providers. Microsoft maintains a website that contains Tracking
Protection Lists that you can install.
Tracking Protection Lists: www.iegallery.com
Delete Browsing History
Cookies and cookie protection are one aspect of online privacy. Some organizations write scripts to clean
up cookies and browsing history at the end of a browsing session. This type of environment might be
necessary for sensitive data, for regulatory or compliance reasons, or for private data in the healthcare
industry.
The Delete Browsing History dialog box in Internet Explorer 11 enables users and organizations to delete
browsing history selectively. For example, a history can be removed for all websites except those in a
user's Favorites. You can switch this feature on and off in the Delete Browsing History dialog box, and it is
called Preserve Favorites website data.
You can configure Delete Browsing history options through Group Policy. You also can configure which
sites are included automatically in Favorites. This allows you to create policies that ensure security without
impacting daily interactions with a user's preferred and favorite websites. The Delete browsing history on
exit check box in Internet options allows you to delete the browsing history automatically when Internet
Explorer 11 closes.
The SmartScreen Feature
Businesses put a lot of effort into protecting
computer assets and resources. Phishing attacks,
otherwise known as social engineering attacks,
can evade those protections and result in users
giving up personal information. The majority of
phishing scams target individuals in an attempt to
extort money or perform identity theft.
The SmartScreen Filter helps protect against
phishing websites, other deceptive sites, and sites
known to distribute malware.
How the SmartScreen Filter Works
The SmartScreen Filter was introduced in earlier versions of Internet Explorer and has developed into a
range of defensive tools including:
Windows SmartScreen, which is the client feature
SmartScreen Filter, which is the spam filtering solution built into Microsoft email solutions
Internet Explorer 11 SmartScreen Filter
The SmartScreen Filter component of Internet Explorer 11 relies on a web service backed by a Microsoft-
hosted URL reputation database. The SmartScreen Filter's reputation-based analysis works alongside other
signature-based antimalware technologies, such as Windows Defender, to provide comprehensive
protection against malware. With the SmartScreen Filter enabled, Internet Explorer 11 performs a detailed
examination of an entire URL string and compares the string to a database of sites known to distribute
malware. The SmartScreen Filter then checks the website that a user is visiting against a dynamic list of
reported phishing sites and malware sites. If the website is known to be unsafe, it is blocked and the user
is notified.
Manually Checking Website Safety
You can check the safety of a website manually with SmartScreen Filter. To do so, perform the following
procedure:
1. On the Start screen, click Internet Explorer.
2. Visit the website that you want to check.
3. On the Tools menu, click Safety.
4. Click SmartScreen Filter, and then click Check This Website.
Turning Off SmartScreen Filter
To turn off SmartScreen Filter, follow this procedure:
1. On the Start screen, click Internet Explorer.
2. On the Tools menu, click Safety.
3. Click Turn off SmartScreen Filter.
4. In the Microsoft SmartScreen Filter dialog box, click OK.
Turning On SmartScreen Filter
Follow this procedure to turn on SmartScreen Filter:
1. On the Start screen click Internet Explorer.
2. On the Tools menu, click Safety.
3. Click Turn on SmartScreen Filter.
4. In the Microsoft SmartScreen Filter dialog box, click OK.
Managing Internet Explorer Add-ons
Most websites will display normally when you use
Internet Explorer without any add-ons or
modifications. Internet Explorer 11, included by
default in Windows 8.1, is designed to provide an
experience that is free from add-ons. Add-ons
that enhance the browsing experience by
providing multimedia content also are referred to
as:
ActiveX controls
Plug-ins
Browser extensions
Browser helper objects
Toolbars
Explorer bars
Search providers
Accelerators
Tracking Protection Lists
The following are examples of plug-in based technology:
Microsoft Silverlight
Apple QuickTime
Java applets
Adobe Flash Player
Skype Click to Call
Two popular multimedia extensions, HTML5 and Adobe Flash, are supported out-of-the-box as a
platform feature on both the Internet Explorer and Internet Explorer for the desktop version. In previous
versions of Internet Explorer, some multimedia add-ons could cause security concerns, which now have
been addressed. This is because Automatic Updates is able to patch Internet Explorer and remediate
problems quickly whenever a problem is identified.
Sometimes an add-on such as a pop-up advertisement can annoy users, or even create problems and
affect browser performance. A user can disable an individual add-on or all add-ons within Internet
Explorer 11 by using the Manage Add-ons dialog box. To do so, perform the following procedure:
1. From the Start screen, click Internet Explorer.
2. On the Tools menu, click Manage add-ons.
3. In the Manage Add-ons dialog box, in the Show drop-down list, click All add-ons.
4. Find the name of the add-on that you want to modify in the reading pane. To disable an add-on,
click it, and then click Disable. To enable an add-on, tap or click it, and then click Enable.
5. Close the Manage Add-ons dialog box.
Note: Add-ons will work only in Internet Explorer for the desktop. The Windows UI version
of Internet Explorer always runs with Enhanced Protected Mode enabled, which means add-on
free browsing.
If an organization wants to restrict users from viewing Adobe Flash videos, you can turn Flash support on or
off with a Group Policy setting by performing the following procedure:
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand User Configuration, expand Administrative Templates,
expand Windows Components, expand Internet Explorer, expand Security Features, expand Add-
on Management, and then double-click Turn off Adobe Flash in Internet Explorer and prevent
applications from using Internet Explorer technology to instantiate Flash objects.
4. Click Enable.
5. Close Local Group Policy Editor.
Windows 8.1 provides more than 90 GPOs that allow IT professionals to manage Internet Explorer 11 by
using Group Policy. Settings that are related to Internet Explorer 11 can be found within the following
locations in the Local Group Policy Editor:
Computer Configuration\Administrative Templates\Windows Components\Internet Explorer
User Configuration\Administrative Templates\Windows Components\Internet Explorer
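The following script is an added example and is not part of the course: it audits the Internet Explorer 11 security settings discussed in this lesson (SmartScreen Filter, Enhanced Protected Mode, DEP/NX, InPrivate Browsing, Delete browsing history on exit and the Compatibility View policy list) by reading the registry locations that the two Group Policy paths listed above write to. The value names are the documented policy values; the expected values are one reasonable baseline chosen for this example, not a Microsoft-mandated one. A value that is absent means the setting is not configured by policy and the Internet Explorer default applies, so the report says so rather than treating it as non-compliant.

```powershell
# Added example (not from the course): report the policy-backed Internet Explorer 11
# security settings on this client. Use -Hive HKCU: to audit the User Configuration
# counterpart of the same settings.
function Get-IEPolicyReport {
    param([ValidateSet('HKLM:', 'HKCU:')] [string]$Hive = 'HKLM:')

    $IEPolicy = "$Hive\SOFTWARE\Policies\Microsoft\Internet Explorer"

    # Each check: registry key and value name, plus the baseline value this example expects.
    $checks = @(
        @{ Setting = 'SmartScreen Filter enabled';       Key = "$IEPolicy\PhishingFilter"; Value = 'EnabledV9';                  Expected = 1 }
        @{ Setting = 'Enhanced Protected Mode on';       Key = "$IEPolicy\Main";           Value = 'Isolation';                  Expected = 'PMEM' }
        @{ Setting = 'DEP/NX not turned off';            Key = "$IEPolicy\Main";           Value = 'DEPOff';                     Expected = 0 }
        @{ Setting = 'InPrivate Browsing allowed';       Key = "$IEPolicy\Privacy";        Value = 'EnableInPrivateBrowsing';    Expected = 1 }
        @{ Setting = 'Delete browsing history on exit';  Key = "$IEPolicy\Privacy";        Value = 'ClearBrowsingHistoryOnExit'; Expected = 1 }
    )

    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Value) } else { $null }
        [pscustomobject]@{
            Setting   = $c.Setting
            Path      = "$($c.Key)\$($c.Value)"
            Expected  = $c.Expected
            Actual    = if ($actual -eq $null) { '(not configured by policy)' } else { $actual }
            # Compliant only when the policy explicitly sets the expected value.
            Compliant = ($actual -ne $null -and "$actual" -eq "$($c.Expected)")
        }
    }
}

function Get-CompatibilityViewPolicySites {
    param([ValidateSet('HKLM:', 'HKCU:')] [string]$Hive = 'HKLM:')
    # Sites forced into Compatibility View through the "Use Policy List" Group Policy setting;
    # each site is stored as a value name under PolicyList.
    $key = "$Hive\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList"
    if (Test-Path -Path $key) {
        (Get-Item -Path $key).GetValueNames()
    } else {
        @()
    }
}

# Usage: run on LON-CL1 after the Group Policy settings from this lesson have been applied.
Get-IEPolicyReport | Format-Table Setting, Expected, Actual, Compliant -AutoSize
'Compatibility View policy list:'
Get-CompatibilityViewPolicySites
```

Reading the Policies hive rather than the per-user Internet Explorer keys is deliberate: a policy value cannot be changed by a standard user from the Internet options dialog box, so it is the value that tells you what the browser will actually enforce across the domain, whereas the user keys only show what one user last selected.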
Another popular add-on that can increase productivity for users is modifying the default Internet search
provider. This can be achieved by performing the following procedure:
1. From the Start screen, click Internet Explorer.
2. On the Tools menu, click Manage add-ons.
3. In the Manage Add-ons dialog box, click Search Providers.
4. Right-click the name of the search provider that you want to use in the reading pane, and then click
Set as default.
5. If the search provider is not listed, click Find more search providers.
6. On the Internet Explorer Gallery webpage at http://www.iegallery.com/en-us/addons, click the
search provider.
7. Click Add to Internet Explorer.
8. In the Manage Add-ons dialog box, click Search Providers, right-click the search provider that you
added, and then click Set as default.
9. Close the Manage Add-ons dialog box.
Internet Explorer Administration Kit
The Internet Explorer Administration Kit (IEAK) 11 is a set of tools that IT professionals can use to create,
deploy, and manage customized versions of Internet Explorer 11 for use in organizations.
Internet Explorer Administration Kit information and downloads
http://go.microsoft.com/fwlink/?LinkId=378256&clcid=0x409
Atari Arcade with Internet Explorer 11 brings arcade classics to the web; this is an example
of the capabilities available within the modern browser.
http://go.microsoft.com/fwlink/?LinkId=378257&clcid=0x409
Other Security Features
Additional security features in Internet Explorer 11
include the following:
You can increase security and trust through
improvements in ActiveX controls that enable
control of how and where an ActiveX control
loads and which users can load them.
The Cross-Site Scripting Filter helps block
Cross-Site Scripting attacks, one of the most
common website vulnerabilities today.
Data Execution Prevention (DEP) is enabled
by default to help prevent system attacks
where malware exploits memory-related vulnerabilities to execute code.
ActiveX Controls and Management
ActiveX controls are relatively straightforward to create and deploy, and they provide extra functionality
beyond regular webpages. Organizations cannot control the inclusion of ActiveX controls or how they are
written. Therefore, organizations need a browser that provides flexibility in dealing with ActiveX controls
so that they are usable, highly secure, and pose as small a threat as possible.
Per-User ActiveX
By default, Internet Explorer 11 employs ActiveX Opt-In, which disables most controls on a user's
computer. Per-user ActiveX makes it possible for standard users to install ActiveX controls in their own
user profile without requiring administrative permissions. This helps organizations realize the full benefit
of UAC, giving standard users the ability to install ActiveX controls that are necessary in their daily
browsing.
In most situations, if a user happens to install a malicious ActiveX control, the overall system remains
unaffected because the control is installed under the user's account only. Because installations are
restricted to a user profile, the cost and risk of a compromise are lowered significantly.
When a webpage attempts to install a control, an information bar is displayed to the user. Users can
choose to install the control system-wide or only for his or her user account. The options in the ActiveX
menu vary depending on a user's rights, as managed by Group Policy settings, and whether the control
has been packaged to allow per-user installation. You can disable this feature in Group Policy.
Per-Site ActiveX
When a user navigates to a website that contains an ActiveX control, Internet Explorer 11 performs a
number of checks, including a determination of where a control is permitted to run. If a control is installed
but is not permitted to run on a specific site, an information bar appears that asks the user's permission to
run on the current website or on all websites. Administrators can use Group Policy to preset Internet
Explorer configurations with allowed ActiveX controls and their related trusted domains.
Cross-Site Scripting Filter
Most sites have a combination of content from local site servers and content obtained from other sites or
partner organizations. Cross-Site Scripting attacks exploit vulnerabilities in web applications and enable an
attacker to control the relationship between a user and a website or web application that they trust.
Cross-Site Scripting can enable attacks such as:
Cookie theft, including session cookies, which can lead to account hijacking.
Monitoring keystrokes.
Performing actions on the victim website on behalf of the victim user.
Cross-Site Scripting can use a victim's website to subvert a legitimate website.
Internet Explorer 11 includes a filter that helps protect against Cross-Site Scripting attacks. The Cross-Site
Scripting Filter has visibility into all requests and responses flowing through the browser. When the filter
discovers likely Cross-Site Scripting in a request, it identifies and neutralizes the attack if it is replayed in
the server's response. The Cross-Site Scripting filter helps protect users from website vulnerabilities. It does
not ask difficult questions that users are unable to answer, nor does it harm functionality on a website.
DEP
Internet Explorer 7 introduced a Control Panel option to enable memory protection, known as DEP or
No Execute (NX), to help mitigate online attacks. DEP/NX helps thwart attacks by preventing code from
running in memory that is marked non-executable, such as a virus disguised as a picture or video. DEP/NX
also makes it harder for attackers to exploit certain types of memory-related vulnerabilities, such as buffer
overruns.
DEP/NX protection applies to both Internet Explorer and the add-ons it loads. No additional user
interaction is required to activate this protection, and unlike Internet Explorer 7, this feature is enabled by
default for Internet Explorer 11.
Enhanced Protected Mode
Protected Mode was first introduced in Internet Explorer 7 with Windows Vista as a defense-in-depth
feature, which reduced the amount of permissions that a browser was given to modify system settings or
to write to a computer's hard disk. Internet Explorer 11 builds on the additional security that was offered
by previous versions of Internet Explorer. Unlike Internet Explorer 10, Enhanced Protected Mode is turned
on by default in Internet Explorer 11.
Some of the additional capabilities in Enhanced Protected Mode are described in the following
table.
Enhancement | Description
64-bit processes | Protection, through address space layout randomization, against heap spraying attacks.
Protecting your personal information | Enhanced Protected Mode restricts Internet Explorer from file locations that contain your personal information until you grant permission to it.
Protecting your corporate assets | Enhanced Protected Mode restricts an exploit's ability to access corporate network resources.

More information relating to the Internet Explorer Enhanced Protected Mode
http://go.microsoft.com/fwlink/?LinkId=378258&clcid=0x409
Question: What is the Cross-Site Scripting Filter?
Demonstration: Configuring Internet Explorer
In this demonstration, you will see how to:
Configure Compatibility View.
Delete browsing history.
Configure InPrivate Browsing.
View the add-on management interface.
Manage downloading with the Download Manager.
Demonstration Steps
Configure Compatibility View
1. Sign in to LON-CL1 as administrator, and then open Internet Explorer.
2. Enable the Menu bar.
3. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.
4. Add the website to Compatibility View.
Delete browsing history
1. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.
2. Delete the selected browsing history.
Configure InPrivate Browsing
1. Open InPrivate Browsing.
2. In Internet Explorer, open the LON-DC1 website at http://LON-DC1.
3. Verify that the website address has not been retained in the browsing history.
View the add-on management interface
1. Open the Add-on manager.
2. Review the current add-ons.
Download a file
1. Navigate to http://LON-DC1, and then click the Download Current Projects link.
2. View the current downloads.
3. Open a downloaded file.
4. Close Microsoft Office Excel and other open windows.
Lab A: Configuring Internet Explorer Security
Scenario
Holly Dickson at A. Datum Corporation is concerned about her users' security settings when they are
browsing the Internet, especially when they are doing so while connected to their customers' networks.
She has asked you to investigate the improvement of Internet Explorer security settings on her users'
computers.
Objectives
After completing this lab, you will be able to:
Configure security settings in Internet Explorer.
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-DC1 and 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 4 for 20687C-LON-CL1.
Exercise 1: Configuring Internet Explorer
Scenario
In this exercise, you will implement some of the security and compatibility features in Internet Explorer 11.
The main tasks for this exercise are as follows:
1. Enable Compatibility View in Internet Explorer.
2. Delete browsing history.
3. Configure InPrivate Browsing.
4. Configure intranet security settings.
5. View the add-on management interface.
6. Download a file.
Task 1: Enable Compatibility View in Internet Explorer
1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then open Internet
Explorer.
2. Verify that Internet Explorer uses Microsoft compatibility lists.
Task 2: Delete browsing history
1. On the Tools menu, click Internet options and then open the Delete Browsing History dialog box.
2. In the Delete Browsing History dialog box, select the Preserve Favorites website data and History
check boxes. Clear all other options, click Delete, and then click OK.
3. Close Internet Explorer.
4. Open Internet Explorer, navigate to http://LON-DC1, and then verify that this site's address is stored
in your history.
5. Delete the browsing history again, selecting only Temporary Internet files and website files and
Cookies and website data and History.
6. Verify that there are no site addresses showing in your history.
Task 3: Configure InPrivate Browsing
1. Open an InPrivate Browsing window.
2. Navigate to http://LON-DC1.
3. Confirm that this address has not been retained in your site history.
4. Close Internet Explorer.
Task 4: Configure intranet security settings
1. Configure the Local intranet security settings to High.
2. In the Address bar, type http://LON-DC1, and then press Enter.
3. Click the Current Projects link on the intranet home page. This fails to load a required add-on. Close
the newly opened tab.
4. Add the local intranet to the trusted sites.
5. Click the Current Projects link on the intranet home page. This attempt is successful.
Task 5: View the add-on management interface
1. In Internet Explorer, from the Tools menu, open the Manage Add-ons dialog box.
2. Review the current add-ons.
Task 6: Download a file
1. Browse to http://LON-DC1, and then click the Download Current Projects link.
2. View the current downloads.
3. Open a downloaded file.
4. Close Excel.
5. Close all open windows.
6. Sign out from LON-CL1.

Results: After completing this exercise, you should have successfully configured security and compatibility
settings in Internet Explorer.
Prepare for the next lab
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.

Lesson 4
Configuring Application Restrictions
The reliability and security of enterprise devices significantly increases with the ability to control which
applications a user, or set of users, can run. Overall, an application lockdown policy can lower the total
cost of computer ownership in an enterprise. AppLocker controls application execution and simplifies the
ability to author an enterprise application lockdown policy. It also reduces administrative overhead and
helps administrators control how users access and use files such as .exe and .appx files, scripts, Windows
Installer files (.msi, .mst and .msp files), and .dll files.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to use AppLocker to control application usage.
Explain how AppLocker rules work to enforce your chosen application usage policy.
Configure AppLocker rules.
Enforce AppLocker rules.
What Is AppLocker?
Today's organizations face a number of
challenges in controlling which applications run
on client computers, including:
The packaged and custom applications that
users can access.
Which users are allowed to install new
software.
Which versions of applications are allowed to
run, and for which users.
Users who run unauthorized software can
experience a higher incidence of malware
infections and generate more help desk calls. However, it can be difficult for you to ensure that user
computers are running only approved, licensed software.
Windows Vista addressed this issue by supporting software restriction policies, which administrators used
to define the list of applications that users were allowed to run. AppLocker builds on this security layer,
providing you with the ability to control how users run all types of applications, such as executable files,
Windows Store .appx apps, scripts, Windows Installer files (.msi, .mst and .msp), and .dll files.
AppLocker Benefits
You can use AppLocker to specify exactly what is allowed to run on user PCs and devices. This allows users
to run the applications, installation programs, and scripts that they require to be productive, while still
providing the security, operational, and compliance benefits of application standardization.
AppLocker can be useful for organizations that want to:
Limit the number and types of files that are allowed to run, by preventing unlicensed software or malware
from running, and by restricting the ActiveX controls that are installed.
Reduce the total cost of ownership by ensuring that workstations are homogeneous across an
enterprise and that users are running only the software and applications that the enterprise approves.
Reduce the possibility of information leaks from unauthorized software.
Question: What are some applications that are good candidates for you to apply an
AppLocker rule?
AppLocker Rules
You can prevent many problems in your work
environment by controlling what applications a
user can run. AppLocker lets you do just this by
creating rules that specify exactly what
applications a user is allowed to run, and can be
configured to continue to function even when
applications are updated.
Because AppLocker is an additional Group Policy
mechanism, IT professionals and system
administrators need to be comfortable with Group
Policy creation and deployment. This makes
AppLocker ideal for organizations that currently
use Group Policy to manage their Windows 8.1 computers or have per-user application installations.
To author AppLocker rules, there is a new AppLocker Microsoft Management Console (MMC) snap-in in
the Group Policy Management Console (GPMC) that offers an improvement to the process of creating
AppLocker rules. AppLocker provides several rule-specific wizards. You can use one wizard to create a
single rule and another wizard to generate rules automatically, based on your rule preferences and the
folder that you select. The four wizards that AppLocker offers administrators to author rules are:
Executable Rules
Windows Installer Rules
Script Rules
Packaged app Rules
At the end of the wizard, you can review the list of analyzed files. You can then modify the list to remove
any file before rules are created for the remaining files. You can also receive useful statistics about how
often a file has been blocked, or test the AppLocker policy for a specific computer.
Accessing AppLocker
To access AppLocker, run Gpedit.msc from the Start screen. Then browse to Computer Configuration,
Windows Settings, Security Settings, and then Application Control Policies. Expand the Application Control
Policies node, and click AppLocker.
In AppLocker you can configure Executable Rules, Windows Installer Rules, and Script Rules. For example,
you can right-click the Executable Rules node, and then click Create New Rule. You then can create a rule
that allows or denies access to an executable file based on such criteria as the file path or publisher.
AppLocker also will let you apply both default and automatically generated rules.
Creating Default AppLocker Rules
Many organizations implement standard user policies, which allow users to sign in to their computers only
as a standard user. More independent software vendors are creating per-user applications that do not
require administrative rights to be installed and are installed and run in the user profile folder. As a result,
standard users can install many applications and circumvent the application lockdown policy.
With AppLocker, you can prevent users from installing and running per-user applications by creating a set
of default AppLocker rules. The default rules also ensure that the key operating system files are allowed to
run for all users.
Note: Before you manually create new rules or automatically generate rules for a specific
folder, you must create default AppLocker rules.
Specifically, default rules enable the following:
All users can run files in the default Program Files directory.
All users can run all files signed by the Windows operating system.
Members of the built-in Administrators group can run all files.
Perform the following steps to create default AppLocker rules:
1. To open the Local Security Policy MMC snap-in, run secpol.msc.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create Default Rules.
By creating these rules, you also have automatically prevented all non-administrator users from being
able to run programs that are installed in their user profile directory. You can recreate the rules at any
time.
Note: Without default rules, critical system files might not run. Once you have created one
or more rules in a rule collection, only applications that are affected by those rules are allowed to
run. If default rules are not created, and you are blocked from performing administrative tasks,
restart the computer in safe mode, add the default rules, delete any Deny rules that are
preventing access, and then refresh the computer policy.
Automatically Generating AppLocker Rules
Once you create default rules, you can create custom application rules. To facilitate creating sets or
collections of rules, AppLocker includes a new Automatically Generate Rules Wizard that is accessible from
the Local Security Policy console. This wizard simplifies the task of creating rules from a user-specified
folder. By running this wizard on reference computers and specifying a folder that contains the .exe files
for applications for which you want to create rules, you can quickly create AppLocker policies
automatically.
When you create a rule manually, you can choose whether it is an Allow or Deny rule. Allow rules enable
applications to run, whereas Deny rules prevent applications from running. The Automatically Generate
Rules Wizard only creates Allow rules.
Note: After you create one or more rules in a rule collection, only applications that are
affected by those rules are allowed to run. For this reason, always create the default AppLocker
rules for a rule collection first. If you did not create default rules and are prevented from
performing administrative tasks, restart the computer in safe mode, add the default rules, delete
any Deny rules that are preventing access, and then refresh the computer policy.
You can create exceptions for .exe files. For example, you can create a rule that allows all Windows
processes to run except Regedit.exe and then use audit-only mode to identify files that will not be
allowed to run if the policy is in effect. You can create rules automatically by running the wizard and
specifying a folder that contains the .exe files for applications for which to create rules.
Note: Do not select a folder that contains one or more user profiles. Creating rules to allow
.exe files in user profiles might not be secure.
Before you create the rules at the end of the wizard, review the analyzed files and view information about
the rules that will be created. After the rules are created, edit them to make them more or less specific. For
example, if you selected the Program Files directory as the source for automatically generating the rules
and also created the default rules, there is an extra rule in the Executable Rules collection.
Automatically Generating Rules
To generate rules automatically from a reference folder:
1. Ensure that the Local Security Policy MMC is open.
2. In the console tree under Application Control Policies\AppLocker, right-click Executable Rules,
and then click Automatically Generate Rules.
3. On the Folder and Permissions page, click Browse.
4. In the Browse For Folder dialog box, select the folder that contains the .exe files that you want to
create the rules for, and then click OK.
5. Type a name to identify the rules, and then click Next. To help sort the rules in the MMC list view, the
name that you provide is used as a prefix for the name of each rule that is created.
6. On the Rule Preferences page, click Next without changing any of the default values. The Rule
generation progress dialog box is displayed while the files are processed.
7. On the Review Rules page, click Create. The wizard closes, and the rules are added to the Executable
Rules details pane.
After automatically generating rules based on your preferences, you can edit the rules to make them
more detailed.
Creating Rules Allowing Only Signed Applications to Run
With the advent of new experimental identification technologies in web browsers and operating systems,
more independent software vendors are using digital signatures to sign their applications. These
signatures simplify an organization's ability to identify applications as genuine and to create a better and
more trustworthy user experience.
Creating rules based on the digital signature of an application helps make it possible to build rules that
survive application updates. For example, an organization can create a rule to allow all versions greater
than 9.0 of a program to run if it is signed by the software publisher. In this way, when the program is
updated, IT professionals can deploy the application update safely without having to build another rule.
Note: Before performing the following procedure, ensure that you have created default
rules.
Perform the following steps to allow only signed applications to run:
1. To open the Local Security Policy MMC snap-in, on the Start screen, type secpol.msc, and then press
Enter.
2. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
3. Right-click Executable Rules, and then click Create New Rule.
4. On the Before You Begin page, click Next.
5. On the Permissions page, click Next to accept the default settings.
6. On the Conditions page, click Next.
7. On the Publisher page, note that the default setting is to allow any signed file to run, and then click
Next.
8. On the Exceptions page, click Next.
9. On the Name and Description page, accept the default name or enter a custom name and
description, and then click Create.
By using this rule and ensuring that all applications are signed within your organization, you can be sure
that users are running only applications from known publishers.
Note: This rule prevents unsigned applications from running. Before implementing this
rule, ensure that all of the files that you want to run in your organization are digitally signed. If
any applications are not signed, consider implementing an internal signing process to sign
unsigned applications with an internal signing key.
Deleting Unnecessary Rules
If you created default rules and then selected the Program Files folder as the source to generate rules
automatically, there are one or more extraneous rules in the Executable Rules collection. When you create
the default rules, a path rule is added to allow any .exe file in the entire Program Files folder to run. This
rule is added to ensure that users are not prevented by default from running applications. Because this
rule conflicts with rules that were generated automatically, delete this rule to ensure that the policy is
more specific. The name of the default rule is (Default Rule) Microsoft Windows Program Files Rule.
Perform the following procedure to delete a rule:
1. Ensure that the Local Security Policy MMC is open.
2. In the console tree under Application Control Policies\AppLocker, click Executable Rules.
3. In the details pane, right-click (Default Rule) Microsoft Windows Program Files Rule, and then
click Delete.
4. In the AppLocker dialog box, click Yes.
To determine if any applications are excluded from the rule set, enable the Audit only enforcement
mode.
Starting the Application Identity Service
Before you can enforce AppLocker policies, you must start the Application Identity service. You need to be
a member of the local Administrators group, or equivalent, to start the service by using the following
procedure:
1. Click Start, type Services, and then click View local services.
2. In the Services console, double-click Application Identity.
3. In the Application Identity Properties dialog box, in the Startup type list, click Automatic, click
Start, and then click OK.
Note: If an AppLocker rule is not working, check to see that the Application Identity service
has started. This service is required to be running for AppLocker to work.
Question: When testing AppLocker, you must consider carefully how you will organize rules
between linked Group Policy Objects (GPOs). What do you do if a GPO does not contain the
default AppLocker rules?
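As an added example that is not part of the course, the rules discussed in this lesson (the three default executable rules, a publisher rule that allows signed applications of version 9.0 or later with an exception for Regedit.exe, and the lab's Deny rule for Windows Media Player) expressed in the XML that the AppLocker Windows PowerShell cmdlets consume, tested with Test-AppLockerPolicy before anything is enforced. The Adatum\IT group lookup, the rule names and the file paths are assumptions that match the lab virtual machines.

```powershell
# Added example (not from the course): author an AppLocker policy as XML and test it
# before it is enforced. Rule Ids are GUIDs generated here, not the ones the MMC
# wizard assigns. Assumes a domain-joined client where Adatum\IT can be resolved;
# on another machine replace the lookup with the group's SID string.

$itGroupSid = (New-Object System.Security.Principal.NTAccount('Adatum', 'IT')).
    Translate([System.Security.Principal.SecurityIdentifier]).Value

# Every rule needs a unique GUID Id; generate them so the policy can be re-imported.
$id = @{}
foreach ($name in 'ProgramFiles', 'Windows', 'Admins', 'Signed', 'DenyWmp') {
    $id[$name] = [guid]::NewGuid().ToString()
}

# EnforcementMode is set per rule collection: NotConfigured (inherit from linked GPOs),
# AuditOnly (log 8003 events, do not block) or Enabled (block and log 8004 events).
# Start in AuditOnly and switch to Enabled only after reviewing the audit events.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <!-- The three default rules: once any rule exists, only explicitly allowed files run. -->
    <FilePathRule Id="$($id.ProgramFiles)" Name="(Default Rule) All files located in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($id.Windows)" Name="(Default Rule) All files located in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$($id.Admins)" Name="(Default Rule) All files"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
    <!-- Publisher rule: any signed file of version 9.0.0.0 or later, so updates keep working.
         The exception only removes regedit.exe from THIS allow rule; the Windows folder
         default rule above still allows it, so blocking it would need a Deny rule. -->
    <FilePublisherRule Id="$($id.Signed)" Name="Signed applications 9.0 and later"
                       Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="9.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
      <Exceptions>
        <FilePathCondition Path="%WINDIR%\regedit.exe" />
      </Exceptions>
    </FilePublisherRule>
    <!-- Lab B rule: a Deny rule wins over any Allow rule, so IT members cannot run
         wmplayer.exe even though the Program Files default rule allows it. -->
    <FilePathRule Id="$($id.DenyWmp)" Name="Deny Windows Media Player for IT"
                  Description="" UserOrGroupSid="$itGroupSid" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Windows Media Player\wmplayer.exe" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Script" EnforcementMode="NotConfigured" />
  <RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'applocker-example.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: how would this policy decide for a given user and file? Nothing is applied.
# PolicyDecision is Allowed, Denied or DeniedByDefault (no rule matched the file).
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'Adatum\Holly' -Path @(
    'C:\Program Files\Windows Media Player\wmplayer.exe',
    'C:\Windows\regedit.exe',
    'C:\Windows\System32\notepad.exe'
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# AppLocker only makes decisions while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply to the local policy once the dry run looks right (add -Merge to keep existing
# rules instead of replacing them), then refresh with: gpupdate /force
# Set-AppLockerPolicy -XmlPolicy $policyPath
```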
Demonstration: Configuring AppLocker Rules
In this demonstration, you will see how to:
Create a custom AppLocker rule.
Automatically generate the script rules.
Demonstration Steps
Create a custom AppLocker rule
1. Sign in as administrator.
2. Open the Local Group Policy Editor.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
4. Create a new executable rule:
o Permissions: Deny
o Group: Marketing
o Program: C:\Windows\Regedit.exe
Automatically generate the script rules
1. Click the Script Rules node.
2. Select Automatically generate rules.
Demonstration: Enforcing AppLocker Rules
After you create new AppLocker rules, you must configure enforcement for the rule collections and
refresh the computer's policy. Enforcement is configured in the Local Security Policy console in the
Configure Rule Enforcement area. The following table outlines the three enforcement options for each
rule type.
Enforcement mode: Enforce rules with Group Policy inheritance. Description: Default setting. If linked GPOs
contain a different setting, that setting is used. If any rules are present in the corresponding rule
collection, they are enforced.
Enforcement mode: Enforce rules. Description: Rules are enforced.
Enforcement mode: Audit only. Description: Rules are audited, but not enforced.

To view information about applications that are affected by AppLocker rules, use Event Viewer. Each event
in the AppLocker operational log contains detailed information, such as the following:
Which file was affected and the path of that file
Whether the file was allowed or blocked
The rule type: Path, File Hash, or Publisher
The rule name
The security identifier for the user that is targeted in the rule
Review the entries in the log to determine if any applications were not included in the rules. The following
table identifies three events to use in determining which applications are affected.
Event ID 8002 (Informational). Event text: "Access to <file_name> is allowed by an administrator."
Description: Specifies that the file is allowed by an AppLocker rule.
Event ID 8003 (Warning). Event text: "Access to <file_name> is monitored by an administrator."
Description: Applied only when in the Audit only enforcement mode. Specifies that the file will be blocked
if the Enforce rules enforcement mode is enabled.
Event ID 8004 (Error). Event text: "Access to <file_name> is restricted by an administrator."
Description: Applied only when the Enforce rules enforcement mode is either directly or indirectly set
through Group Policy inheritance. The file cannot run.
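An added example, not from the course, that reads these three event IDs from the AppLocker EXE and DLL operational log with Get-WinEvent and summarizes them: audit hits (8003) grouped by file show which applications the rules do not yet cover, and enforced blocks (8004) are listed per user. The field names read from each event's XML (FilePath, TargetUser, RuleName, Fqbn) are an assumption; a field that is absent is reported as blank.

```powershell
# Added example (not from the course): summarize AppLocker allow/audit/block events so
# that a policy can be reviewed in Audit only mode before it is switched to Enforce rules.
# Assumption: per-event fields are read by element name from the event's UserData XML.

function Get-AppLockerAuditSummary {
    param(
        [string]$LogName = 'Microsoft-Windows-AppLocker/EXE and DLL',
        [int]$Days = 7
    )
    # 8002 allowed, 8003 would be blocked (Audit only), 8004 blocked (Enforce rules)
    $decision = @{ 8002 = 'Allowed'; 8003 = 'WouldBlock (audit)'; 8004 = 'Blocked' }
    $filter = @{
        LogName   = $LogName
        Id        = 8002, 8003, 8004
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        # Collect every leaf under UserData, whatever the container element or namespace.
        $fields = @{}
        foreach ($node in $xml.SelectNodes("//*[local-name()='UserData']/*/*")) {
            $fields[$node.LocalName] = $node.InnerText
        }
        # TargetUser is a SID; translate it to DOMAIN\name where possible, else keep the SID.
        $user = $fields['TargetUser']
        try {
            $sid  = [System.Security.Principal.SecurityIdentifier]$user
            $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            EventId   = $e.Id
            Decision  = $decision[$e.Id]
            FilePath  = $fields['FilePath']
            User      = $user
            Rule      = $fields['RuleName']
            Publisher = $fields['Fqbn']   # publisher\product\binary\version for signed files
        }
    }
}

# Applications the current rules do not cover: audit hits grouped by file, most frequent first.
Get-AppLockerAuditSummary -Days 7 |
    Where-Object { $_.EventId -eq 8003 } |
    Group-Object FilePath |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Enforced blocks per user: the view a help desk ticket about a "missing" application needs.
Get-AppLockerAuditSummary -Days 7 |
    Where-Object { $_.EventId -eq 8004 } |
    Select-Object Time, User, FilePath, Rule |
    Format-Table -AutoSize
```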
Demonstration
This demonstration will show the different enforcement options and how to configure the enforcement
for the rule that was created in the previous demonstration. The demonstration then will verify the
enforcement with gpupdate.
Demonstration Steps
Enforce AppLocker rules
1. Switch to the Local Group Policy Editor.
2. View the properties of the AppLocker node.
3. Configure Enforcement:
o Executable rules: Enforce rules
o Script rules: Audit only
Confirm the executable rule enforcement
1. Refresh the Group Policy settings by typing gpupdate /force.
2. Open Computer Management, and then select Event Viewer.
3. Review the System log for Event ID 1502. This tells us that the Group Policy settings were refreshed.
4. Start the Application Identity service, which is required for AppLocker enforcement.
Test the executable rule enforcement
1. Sign out, and then sign in as Adatum\Adam.
2. Attempt to run Regedit.exe from the command prompt. You are successful, as the signed-in user is
not a member of the Marketing group.
3. Sign in as Adatum\Administrator.
4. Open Event Viewer, and in Application and Services Logs\Microsoft\Windows\AppLocker, select
the EXE and DLL log.
5. Review the entries. Locate Event ID 8004. It indicates that an attempt was made to run Regedit.exe,
which was allowed to run.
6. Close all open windows, and then sign out.
Question: What is the command to update a computer's policy, and where is it run?
Lab B: Configuring AppLocker
Scenario
Holly is concerned that people in her department are spending time listening to music files. She wants a
way to disable the Windows Media Player. You decide to implement AppLocker to prevent members of
the IT group from running this program.
Objectives
After completing this lab, you will be able to:
Configure AppLocker rules.
Test AppLocker rules.
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
o 20687C-LON-DC1
o 20687C-LON-CL1
Exercise 1: Configuring AppLocker Rules
Scenario
In this exercise, you will create the executable and default AppLocker rules.
The main tasks for this exercise are as follows:
1. Create a new executable rule.
2. Enforce AppLocker rules.
Task 1: Create a new executable rule
1. Sign in as Adatum\Administrator with password Pa$$w0rd.
2. Open the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
3. Create a new Executable rule with the following properties:
o Permissions: Deny
o Group: IT
o Program: C:\Program Files\Windows Media Player\wmplayer.exe
4. Create the default rules.
Task 2: Enforce AppLocker rules
1. In the Local Group Policy Editor, open the AppLocker Properties, and then configure the Executable
rules for Enforce rules.
2. Close the Local Group Policy Editor, and then open an elevated command prompt. Run the
gpupdate /force command.
3. Sign out from LON-CL1.

Results: After completing this exercise, you should have created the required AppLocker rule
successfully.
Exercise 2: Testing the AppLocker Rules
Scenario
In this exercise, you will confirm the executable rule and then test it by signing in as a member of the IT
group.
The main tasks for this exercise are as follows:
1. Confirm the executable rule enforcement.
2. Test the enforcement.
Task 1: Confirm the executable rule enforcement
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Open Event Viewer, and then expand Windows Logs.
3. View the System log in Event Viewer. Check for Event ID 1502.
4. Start the Application Identity service.
5. Sign out from LON-CL1.
Task 2: Test the enforcement
1. Sign in to LON-CL1 as Adatum\Holly with password Pa$$w0rd.
2. Attempt to open Windows Media Player.
3. Sign out, and then sign in as Adatum\Administrator with password Pa$$w0rd.
4. Open Event Viewer.
5. Locate the Application and Services\Microsoft\Windows\AppLocker\EXE and DLL log. Locate
Event ID 8004. This shows that Holly attempted to run a prohibited application.
6. Close all open windows, and then sign out.

Results: After completing this exercise, you should have verified the function of your executable
AppLocker rule successfully.
Prepare for the next module
When you have finished the lab, revert all virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.

Module 12
Optimizing and Maintaining Windows 8.1 Computers
Contents:
Module Overview 12-1
Lesson 1: Optimizing Performance in Windows 8.1 12-2
Lab A: Optimizing Windows 8.1 Performance 12-10
Lesson 2: Managing the Reliability of Windows 8.1 12-14
Lesson 3: Managing Software Updates in Windows 8.1 12-19
Lab B: Maintaining Windows Updates 12-26
Module Review and Takeaways 12-28

Module Overview
Users have high expectations of technology. Therefore, performance is a key issue in today's business
environment, and it is important to consistently optimize and manage your system's performance.
The Windows 8.1 operating system includes several monitoring and configuration tools that you can use
to obtain information about computer performance, to maintain reliability, and to configure operating
system and app updates.
Objectives
After completing this module, you will be able to:
Optimize Windows 8.1 performance.
Manage the reliability of Windows 8.1.
Manage software updates in Windows 8.1.
Lesson 1
Optimizing Performance in Windows 8.1
A computer system that performs at a low efficiency level can cause problems in a work environment.
Poor performance potentially reduces user productivity and consequently increases user frustration.
Computers that are not performing to their full capability need to be examined so that you can determine
the source of the poor performance and correct it. Windows 8.1 helps you to determine potential causes
of poor performance and then provides appropriate tools to resolve performance issues.
Lesson Objectives
After completing this lesson, you will be able to:
Identify common issues with performance and reliability.
Describe how to use Task Manager to identify performance problems.
Describe how to use Performance Monitor and data collector sets.
Use Resource Monitor to view system performance.
Analyze system performance by using Performance Monitor and data collector sets.
Describe the considerations for monitoring system performance.
Discussion: Common Issues with Performance and Reliability
Poor performance and a lack of reliability are two of the most common user complaints about computer
systems. Computers respond slowly for several reasons, such as having an excessively fragmented file
system, unnecessary software that consumes resources, too many startup programs, or perhaps even a
virus. Additionally, the software that users install might have operational problems, incompatible drivers,
or result in operating system failures. All of these issues can affect a computer's reliability.
Performance is a measure of how quickly a
computer finishes application and system tasks. Performance problems can occur when computers lack
available resources.
Reliability is a measure of how a system conforms to expected behavior. A system that often deviates from
the behavior that you configure or expect has poor reliability.
Question: What factors can influence computer system performance?
Question: What factors might contribute to reliability issues in a computer system?
Overview of Task Manager
In Windows 8.1, Task Manager provides
information that can help you identify and resolve
performance-related problems. Task Manager
includes the following tabs:
Processes. The Processes tab displays a list of
running programs, which is subdivided into
apps and internal Windows processes. For
each running process, this tab displays a
summary of processor and memory usage.
Performance. The Performance tab displays a
summary of central processing unit (CPU) and
memory usage, and network statistics.
App history. The App history tab displays statistics and resource consumption by apps. This is useful
for identifying a specific app that is consuming excessive resources.
Startup. The Startup tab displays items that are configured to run at startup. You can choose to
disable any programs listed.
Users. The Users tab displays resource consumption on a per-user basis. You also can expand the user
view to see more detailed information about the specific processes that a user is running.
Details. The Details tab lists all the running processes on a server, providing statistics about the CPU,
memory, and other resource consumption. You can use this tab to manage running processes. For
example, you can stop a process, stop a process and all related processes, and change the priority
values of processes. By changing the priority of a process, you determine how much CPU resources
the process can consume. By increasing the priority, you allow the process to request more CPU
resources.
Services. The Services tab provides a list of running Windows services with related information,
including whether a service is running and the processor identifier (PID) value of a running service.
You can start and stop services by using the list on the Services tab.
Generally, you might consider using Task Manager when a performance-related problem first becomes
apparent. For example, you might examine running processes to determine if a particular program is
using excessive CPU resources. Always remember that Task Manager only shows current resource
consumption. You also might need to examine historical data to determine the true picture of a server
computer's performance and response under load.
Using Performance Monitor and Data Collector Sets
Performance Monitor is a Microsoft Management
Console (MMC) snap-in that you can use to obtain
system performance information. You can use this
tool to analyze performance effects that apps and
services have on your computer, and you also can
use it to obtain an overview of system
performance or to collect detailed information for
troubleshooting.
Performance Monitor includes the following
features:
Monitoring Tools
Data Collector Sets
Reports
You also can access Resource Monitor from Performance Monitor.
Monitoring Tools
Monitoring Tools contains the Performance Monitor, and it provides a visual display of built-in Windows
performance counters, either in real time or as historical data.
Performance Monitor includes the following features:
Multiple graph views
Custom views that you can export as data collector sets
Performance Monitor uses performance counters to measure a system's state or activity; both the
operating system and individual apps can provide performance counters. Performance Monitor requests
the current value of performance counters at specified time intervals.
You can add performance counters to Performance Monitor by performing a drag-and-drop operation on
the counters or by creating a custom data collector set.
Performance Monitor features multiple graph views that you can use for a visual review of performance
log data. You can create custom views in Performance Monitor that you can export as data collector sets
for use with performance and logging features.
Data Collector Sets
A data collector set is a custom set of performance counters, event traces, and system-configuration data.
After you create a combination of data collectors that describe useful system information, you can save
them as a data collector set, and then run and view the results.
A data collector set organizes multiple data-collection points into a single, portable component. You can
use a data collector set on its own, group it with other data collector sets and incorporate it into logs, or
view it in Performance Monitor. You can configure a data collector set to generate alerts when it reaches
thresholds so that third-party apps can use it.
You also can configure a data collector set to run at a scheduled time, for a specific length of time, or until
it reaches a predefined size. For example, you can run a data collector set for 10 minutes every hour
during your working hours to create a performance baseline. You also can set a data collector to restart
when it reaches set limits so that a separate file will be created for each interval.
Configuring Windows 8.1 12-5
You can use data collector sets and Performance Monitor tools to organize multiple data collection points
into a single component that you can use to review or log performance.
Performance Monitor also includes default data collector set templates to help system administrators
begin the process of collecting performance data that is specific to a server role or monitoring scenario.
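The same user-defined data collector set that Performance Monitor builds through its wizard can be created and controlled from the command line with logman.exe, which is useful when you want the collection to be repeatable on many computers. The following is an added example and not code from the course; the set name, output folder and counter list are assumptions taken from this module's lab, and the block must be run from an elevated PowerShell prompt.

```powershell
# Added example (not part of the course): create, run and inspect a user-defined
# data collector set with logman.exe, the command-line front end to the same
# Data Collector Sets that Performance Monitor lists under "User Defined".
# Name, folder and counters are assumptions taken from this module's lab.
$name   = 'Adatum Baseline'
$outDir = 'C:\PerfLogs\AdatumBaseline'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Counter paths have the form \Object(Instance)\Counter. _Total aggregates all
# instances; * collects every instance separately.
$counters = @(
    '\Memory\Pages/sec'
    '\Network Interface(*)\Packets/sec'
    '\PhysicalDisk(_Total)\% Disk Time'
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
    '\Processor(_Total)\% Processor Time'
    '\System\Processor Queue Length'
)

# -si   sample interval (1 second, as in the lab)
# -rf   run for 10 minutes, then stop on its own
# -cnf  close the current log and start a new one every 5 minutes, so each
#       interval lands in its own file (the "restart at set limits" behaviour)
# -max  also roll to a new file if a single log reaches 50 MB
# -v    append month/day/hour/minute to each file name to keep names unique
# -f    binary .blg so the result opens in Performance Monitor's report view
logman create counter $name -c $counters -si 00:00:01 -rf 00:10:00 `
    -cnf 00:05:00 -max 50 -v mmddhhmm -f bin -o "$outDir\baseline"

logman start $name            # begin collecting
logman query $name            # status, output path and counter list
# ... generate the workload you want to measure, then:
logman stop $name             # or let -rf stop it for you

# Review the newest log: average and peak value of every counter it holds.
$log = Get-ChildItem "$outDir\*.blg" | Sort-Object LastWriteTime | Select-Object -Last 1
Import-Counter -Path $log.FullName |
    ForEach-Object { $_.CounterSamples } |
    Group-Object -Property Path |
    Select-Object -Property Name,
        @{ n = 'Average'; e = { [math]::Round(($_.Group.CookedValue | Measure-Object -Average).Average, 2) } },
        @{ n = 'Max';     e = { [math]::Round(($_.Group.CookedValue | Measure-Object -Maximum).Maximum, 2) } } |
    Format-Table -AutoSize
```

Because the set is defined by name, the same `logman create` line can be pushed to every computer that needs a baseline, and the resulting .blg files still appear under Reports\User Defined in Performance Monitor on that computer.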
Reports
Use the Reports feature to view and generate reports from a set of counters that you create by using data
collector sets.
Resource Monitor
Use this view to monitor the use and performance of CPU, disk, network, and memory resources in real
time. This lets you identify and resolve resource conflicts and bottlenecks.
By expanding the monitored elements, system administrators can identify which processes are using
which resources. In previous versions of Windows operating systems, Task Manager made this real-time,
process-specific data available, but only in a limited form.
Demonstration: Using Resource Monitor
In this demonstration, you will see how to use Resource Monitor.
Demonstration Steps
1. Sign in to LON-CL1 as administrator.
2. Open Resource Monitor.
3. View the information on the Overview tab. This tab shows CPU usage, disk I/O, network usage, and
memory usage information for each process. A bar above each section provides summary
information.
4. View the information on the CPU tab. This tab has more detailed CPU information that you can filter
so that it is based on the process.
5. View the information on the Memory tab. This tab provides detailed information about memory
usage for each process. Notice that the process that you selected previously remains selected so that
you can review multiple kinds of information about a process as you switch between tabs.
6. View the information on the Disk tab. This tab shows processes with recent disk activity.
7. View the information in the Network tab. This tab provides information about all processes with
current network activity.
Demonstration: Analyzing System Performance by Using Performance
Monitor and Data Collector Sets
In this demonstration, you will see how to analyze system performance by using data collector sets and
Performance Monitor.
Demonstration Steps
Open Performance Monitor
1. Sign in to LON-CL1 as administrator, and then open Performance Monitor.
2. View the default chart.
12-6 Optimizing and Maintaining Windows 8.1 Computers
Add new values to the chart
Add additional real-time counters to the default chart view.
Create a data collector set
Create a user-defined data collector set.
Examine a report
Examine a report on the collected data.
Considerations for Monitoring System Performance
Monitor the Current System Resource by Using Resource Monitor
Resource Monitor provides at-a-glance data for CPU, disk, network, and memory resources. Therefore, it is a
good starting point for monitoring or troubleshooting tasks.
Resource Monitor shows you what happens with your current Windows operating system. You can view which
processes are consuming CPU resources and generating disk activity, and you also can view the current
activity of the network adapter. Note that each tab provides additional details.
For example, if you suspect high consumption of your CPU processing capacity, you can view the CPU tab
and then see exactly what processes are executing on your machine, how many threads they are
executing, and how much CPU use is occurring. You also can view your computer's installed memory, how
much the operating system can use, how much it is using currently, and how much is reserved for
hardware. From the Disk view, you can view all disk I/O and detailed information on disk activity. You can
view processes with network activity in the Network view, and monitor which processes are running and
consuming too much bandwidth.
Additionally, Resource Monitor enables you to investigate which product, which tool, or which app is
running currently and consuming CPU, disk, network, and memory resources.
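When Resource Monitor is not at hand (a remote session, or a script that runs on many computers), the same per-process view of CPU, memory, handle and thread consumption is available from PowerShell. The block below is an added example, not course material; it uses Get-Process only, and the handle and thread limits it flags are the Process\Handle Count and Process\Thread Count values from the counter table later in this topic.

```powershell
# Added example (not from the course): a command-line counterpart to the
# Resource Monitor CPU and Memory tabs. Lists the processes that have used the
# most CPU time and flags handle or thread counts above the per-process limits
# given in this topic's counter table (10,000 handles, 500 threads).
function Get-TopResourceConsumers {
    param(
        [int] $Top = 5,
        [int] $HandleLimit = 10000,
        [int] $ThreadLimit = 500
    )
    Get-Process |
        Sort-Object -Property CPU -Descending |
        Select-Object -First $Top -Property Name, Id,
            @{ n = 'CPU(s)';       e = { [math]::Round($_.CPU, 1) } },
            @{ n = 'PrivateMB';    e = { [math]::Round($_.PrivateMemorySize64 / 1MB, 1) } },
            @{ n = 'WorkingSetMB'; e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } },
            @{ n = 'Handles';      e = { $_.HandleCount } },
            @{ n = 'Threads';      e = { $_.Threads.Count } },
            @{ n = 'Flag';         e = {
                if ($_.HandleCount -gt $HandleLimit)      { 'handle count above limit' }
                elseif ($_.Threads.Count -gt $ThreadLimit) { 'thread count above limit' }
                else { '' } } }
}

# Top ten consumers; processes the current user cannot open show a blank CPU column.
Get-TopResourceConsumers -Top 10 | Format-Table -AutoSize
```

CPU(s) is cumulative processor time since the process started, so a long-running service can rank high without being busy now; run the function twice a few seconds apart and compare the column if you want a rate, which is what Resource Monitor's CPU tab shows.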
Create a Performance Baseline by Using Performance Monitor and Data Collector Sets
You can set up a baseline in Performance Monitor to help you with the following tasks:
Evaluating a computer's workload.
Monitoring system resources.
Noticing changes and trends in resource use.
Testing configuration changes.
Diagnosing problems.
By using data collector sets, you can establish a baseline to use as a standard for comparison. Create a
baseline when you first configure a computer, at regular intervals of typical usage, and when you make
any changes to a computer's hardware or software configuration. If you have appropriate baselines, you
can determine which resources are affecting a computer's performance.
You can monitor your system remotely. However, the use of counters across a network connection for an
extended period of time can congest network traffic. If you have disk space on a server for performance
log files, we recommend that you record performance log information locally.
Performance issues can occur because of the number of counters being sampled and the frequency with
which sampling occurs. Therefore, it is important to test the number of counters and the frequency of
data collection. This lets you determine the right balance between your environment's needs and the
provision of useful performance information. For an initial performance baseline, however, we
recommend that you use the highest number of counters possible and the highest frequency available.
The following table shows commonly used performance counters.
Counter Usage
LogicalDisk\% Free Space
    This counter measures the percentage of free space on a selected logical disk drive. Take note if this
    falls below 15 percent because you risk running out of free space for the operating system to use to
    store critical files. One obvious solution is to add more disk space.
PhysicalDisk\% Idle Time
    This counter measures the percentage of time the disk was idle during the sample interval. If this
    counter falls below 20 percent, the disk system is saturated. You might consider replacing the current
    disk system with a faster one.
PhysicalDisk\Avg. Disk sec/Read
    This counter measures the average time, in seconds, to read data from the disk. If the number is larger
    than 25 milliseconds (ms), that means the disk system is experiencing latency when it is reading from
    the disk.
PhysicalDisk\Avg. Disk sec/Write
    This counter measures the average time, in seconds, it takes to write data to the disk. If the number
    is larger than 25 ms, the disk system experiences latency when it is writing to the disk.
PhysicalDisk\Avg. Disk Queue Length
    This counter indicates how many I/O operations are waiting for the hard drive to become available. If
    the value is larger than two times the number of spindles, it means that the disk itself might be the
    bottleneck.
Memory\Cache Bytes
    This counter indicates the amount of memory that the file-system cache is using. There might be a
    disk bottleneck if this value is greater than 300 megabytes (MB).
Memory\% Committed Bytes In Use
    This counter measures the ratio of Committed Bytes to the Commit Limit, or in other words, the amount
    of virtual memory in use. If the number is greater than 80 percent, it indicates insufficient memory.
Memory\Available MBytes
    This counter measures the amount of physical memory, in megabytes, available for running processes.
    If this value is less than 5 percent of the total physical random access memory (RAM), that means there
    is insufficient memory, and that can increase paging activity.
Memory\Free System Page Table Entries
    This counter indicates the number of Page Table Entries not currently in use by the system. If the
    number is less than 5,000, there might be a memory leak.
Memory\Pool Nonpaged Bytes
    This counter measures the size, in bytes, of the nonpaged pool. This is an area of system memory for
    objects that cannot be written to disk, but instead must remain in physical memory as long as they are
    allocated. There is a possible memory leak if the value is greater than 175 MB (or 100 MB with the
    /3GB switch).
Memory\Pool Paged Bytes
    This counter measures the size, in bytes, of the paged pool. This is an area of system memory for
    objects that can be written to disk when they are not being used. There might be a memory leak if this
    value is greater than 250 MB (or 170 MB with the /3GB switch).
Memory\Pages/sec
    This counter measures the rate at which pages are read from, or written to, the disk to resolve hard
    page faults. If the value is greater than 1,000, as a result of excessive paging, there might be a memory
    leak.
Processor\% Processor Time
    This counter measures the percentage of elapsed time that the processor spends executing a non-idle
    thread. If the percentage is greater than 85 percent, the processor is overwhelmed, and the computer
    might require a faster processor.
Processor\% User Time
    This counter measures the percentage of elapsed time that the processor spends in user mode. If this
    value is high, the server is busy with the app.
Processor\% Interrupt Time
    This counter measures the time that the processor spends receiving and servicing hardware interrupts
    during specific sample intervals. This counter indicates a possible hardware issue if the value is
    greater than 15 percent.

System\Processor Queue Length
    This counter indicates the number of threads in the processor queue. The server does not have enough
    processor power if the value is more than two times the number of CPUs for an extended period of time.
Network Interface\Bytes Total/sec
    This counter measures the rate at which bytes are sent and received over each network adapter,
    including framing characters. The network is saturated if you discover that more than 70 percent of the
    interface is consumed.
Network Interface\Output Queue Length
    This counter measures the length of the output packet queue, in packets. There is network saturation
    if the value is more than two.
Process\Handle Count
    This counter measures the total number of handles that a process currently has open. This counter
    indicates a possible handle leak if the number is greater than 10,000.
Process\Thread Count
    This counter measures the number of threads currently active in a process. There might be a thread
    leak if this number is more than 500 between the minimum and maximum number of threads.
Process\Private Bytes
    This counter indicates the amount of memory that this process has allocated that it cannot share with
    other processes. If the value is greater than 250 between the minimum and maximum number of threads,
    there might be a memory leak.
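The thresholds in the table are only useful if they are applied consistently, so it pays to encode them once and run the same check against a baseline and against a later capture, which is also the comparison the lab at the end of this lesson asks you to make by hand. The following block is an added example rather than course code. It takes a hashtable of counter path to value, evaluates the system-wide rules from the table, and reports the ones that are exceeded; the sample values at the bottom are constructed, and the spindle, CPU and RAM figures are parameters because the table states several limits relative to them. The Bytes Total/sec rule is omitted because it needs the adapter's bandwidth, which a counter sample alone does not carry.

```powershell
# Added example (not part of the course): evaluate sampled counter values
# against the thresholds in the table above. Values are keyed by counter path
# so that the output of Get-Counter or Import-Counter can be fed in directly.
function Test-PerfThresholds {
    param(
        [Parameter(Mandatory)] [hashtable] $Samples,        # counter path -> value
        [int]    $Spindles    = 1,                          # for Avg. Disk Queue Length
        [int]    $LogicalCpus = [Environment]::ProcessorCount,
        [double] $TotalRamMB  = 4096                        # for Available MBytes
    )
    # One rule per table row: counter path pattern, direction, limit, meaning.
    $rules = @(
        @{ C = '\LogicalDisk(*)\% Free Space';            Op = 'lt'; Limit = 15;               Msg = 'risk of running out of disk space' }
        @{ C = '\PhysicalDisk(*)\% Idle Time';            Op = 'lt'; Limit = 20;               Msg = 'disk system is saturated' }
        @{ C = '\PhysicalDisk(*)\Avg. Disk sec/Read';     Op = 'gt'; Limit = 0.025;            Msg = 'read latency (over 25 ms)' }
        @{ C = '\PhysicalDisk(*)\Avg. Disk sec/Write';    Op = 'gt'; Limit = 0.025;            Msg = 'write latency (over 25 ms)' }
        @{ C = '\PhysicalDisk(*)\Avg. Disk Queue Length'; Op = 'gt'; Limit = 2 * $Spindles;    Msg = 'disk itself may be the bottleneck' }
        @{ C = '\Memory\Cache Bytes';                     Op = 'gt'; Limit = 300MB;            Msg = 'possible disk bottleneck' }
        @{ C = '\Memory\% Committed Bytes In Use';        Op = 'gt'; Limit = 80;               Msg = 'insufficient memory' }
        @{ C = '\Memory\Available MBytes';                Op = 'lt'; Limit = 0.05 * $TotalRamMB; Msg = 'insufficient memory, paging will rise' }
        @{ C = '\Memory\Free System Page Table Entries';  Op = 'lt'; Limit = 5000;             Msg = 'possible memory leak' }
        @{ C = '\Memory\Pool Nonpaged Bytes';             Op = 'gt'; Limit = 175MB;            Msg = 'possible memory leak' }
        @{ C = '\Memory\Pool Paged Bytes';                Op = 'gt'; Limit = 250MB;            Msg = 'possible memory leak' }
        @{ C = '\Memory\Pages/sec';                       Op = 'gt'; Limit = 1000;             Msg = 'excessive paging, possible memory leak' }
        @{ C = '\Processor(*)\% Processor Time';          Op = 'gt'; Limit = 85;               Msg = 'processor overwhelmed' }
        @{ C = '\Processor(*)\% Interrupt Time';          Op = 'gt'; Limit = 15;               Msg = 'possible hardware issue' }
        @{ C = '\System\Processor Queue Length';          Op = 'gt'; Limit = 2 * $LogicalCpus; Msg = 'not enough processor power' }
        @{ C = '\Network Interface(*)\Output Queue Length'; Op = 'gt'; Limit = 2;             Msg = 'network saturation' }
    )
    foreach ($r in $rules) {
        # -like lets a (*) pattern match whichever instance was sampled (_Total, C:, ...)
        foreach ($key in @($Samples.Keys | Where-Object { $_ -like $r.C })) {
            $v   = [double]$Samples[$key]
            $hit = if ($r.Op -eq 'gt') { $v -gt $r.Limit } else { $v -lt $r.Limit }
            if ($hit) {
                [pscustomobject]@{ Counter = $key; Value = $v; Limit = $r.Limit; Finding = $r.Msg }
            }
        }
    }
}

# Turn Get-Counter / Import-Counter output into the path -> average-value table
# the checker expects. Sample paths carry a \\machine prefix, which is stripped.
function ConvertTo-SampleTable {
    param([Parameter(Mandatory)] [object[]] $CounterSets)
    $values = @{}
    foreach ($set in $CounterSets) {
        foreach ($cs in $set.CounterSamples) {
            $p = $cs.Path -replace '^\\\\[^\\]+', ''
            if (-not $values.ContainsKey($p)) { $values[$p] = New-Object System.Collections.ArrayList }
            [void]$values[$p].Add($cs.CookedValue)
        }
    }
    $avg = @{}
    foreach ($p in $values.Keys) { $avg[$p] = ($values[$p] | Measure-Object -Average).Average }
    return $avg
}

# Constructed sample: a computer that is paging hard and has a long disk queue.
$sample = @{
    '\Memory\Pages/sec'                            = 1450
    '\Memory\Available MBytes'                     = 150
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length' = 6.2
    '\Processor(_Total)\% Processor Time'          = 42
    '\System\Processor Queue Length'               = 1
}
Test-PerfThresholds -Samples $sample -Spindles 1 -LogicalCpus 2 -TotalRamMB 4096 | Format-Table -AutoSize
# Expected findings: Pages/sec, Available MBytes and Avg. Disk Queue Length exceed their limits.

# Live use on the local computer: five samples a second apart, averaged, then checked.
# $live = Get-Counter -Counter @($sample.Keys) -SampleInterval 1 -MaxSamples 5
# Test-PerfThresholds -Samples (ConvertTo-SampleTable $live) -Spindles 1
```

Running the same function over the baseline log and over a log captured under load gives two finding lists that can be diffed, which is a more repeatable version of the "record the values and compare" step in the lab; averaging first matters because a single one-second sample of Pages/sec or queue length is noisy.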
Plan Monitoring Carefully
If you are monitoring several data collector sets that sample data at frequent intervals, this can create a
load on the system that you are monitoring and large log files that you'll need to analyze. Plan the
monitoring of the counters and sampling intervals carefully to ensure that the data that you collect
represents system performance accurately.
Lab A: Optimizing Windows 8.1 Performance
Scenario
Users at A. Datum Corporation are about to receive new Windows 8.1 computers. Use Performance
Monitor to establish a performance baseline and measure a typical computers responsiveness under a
representative load. This will help ensure that resources, such as RAM and CPU, are specified correctly for
these computers.
Objectives
After you have completed this lab, you will be able to:
Create a performance baseline.
Introduce additional workload.
Measure system performance and analyze results.
Lab Setup
Estimated Time: 25 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 4 for 20687C-LON-CL1.
Exercise 1: Creating a Performance Baseline
Scenario
In this exercise, you will create a performance baseline against which to measure future performance.
The main tasks for this exercise are as follows:
1. Establish a performance baseline.
2. View the baseline report.

Task 1: Establish a performance baseline
1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then open
Performance Monitor.
2. Create a user-defined data collector set with the following properties:
o Name: Adatum Baseline
o Create manually (Advanced)
o Performance counter
o Sample interval: 1 second
o Counters to include:
Memory > Pages/sec
Network Interface > Packets/sec
PhysicalDisk > % Disk Time
PhysicalDisk > Avg. Disk Queue Length
Processor > % Processor Time
System > Processor Queue Length
3. Start the data collector set, and then start the following programs:
o Microsoft Word 2013
o Microsoft Office Excel 2013
o Microsoft Office PowerPoint 2013
4. Close all Microsoft Office apps, and in Performance Monitor, stop the Adatum Baseline data collector
set.
Task 2: View the baseline report
1. In Performance Monitor, locate Reports\User Defined\Adatum Baseline. Click the report that has a
name that begins with LON-CL1.
2. Record the following values:
o Memory\Pages/sec
o Network Interface\Packets/sec
o PhysicalDisk\% Disk Time
o PhysicalDisk\Avg. Disk Queue Length
o Processor\% Processor Time
o System\Processor Queue Length

Results: After completing this exercise, you should have created a performance baseline.

Exercise 2: Introducing Additional Workload
Scenario
In this exercise, you introduce additional computer workload by running a script that performs various
tasks on the computer.
The main task for this exercise is as follows:
1. Create a load on the computer.
Task 1: Create a load on the computer
1. On LON-CL1, in Performance Monitor, start the Adatum Baseline data collector set.
2. Run the E:\Labfiles\Mod12\Load.cmd script.

Results: After completing this exercise, you should have generated additional load on the computer.
Exercise 3: Measuring System Responsiveness Under Load
Scenario
In this exercise, you will compare the results that you collected during performance monitoring with those
collected earlier when you created the baseline.
The main task for this exercise is as follows:
1. Identify performance bottlenecks in the computer.
Task 1: Identify performance bottlenecks in the computer
1. Open Resource Monitor.
2. Which components are under strain?
3. After a few minutes, close the instance of C:\Windows\System32\Cmd.exe launched by the script.
4. Switch to Performance Monitor, and then stop the Adatum Baseline data collector set, if necessary.
5. In Performance Monitor, locate Reports\User Defined\Adatum Baseline. Click the second report
that has a name that begins with LON-CL1.
6. View the data as a report.
7. Record the component details:
o Memory\Pages/sec
o Network Interface\Packets/sec
o PhysicalDisk\% Disk Time
o PhysicalDisk\Avg. Disk Queue Length
o Processor\% Processor Time
o System\Processor Queue Length

8. In your opinion, which components are affected the most?
9. Close all open windows and programs, and then go back to the Start screen.

Results: After completing this exercise, you should have identified the computer's performance
bottleneck.
To prepare for the next lab
When you have finished the lab, leave the virtual machines running, as they are needed for the next
lab.
Lesson 2
Managing the Reliability of Windows 8.1
Windows 8.1 includes several diagnostic tools that you can use to identify and potentially provide a
workaround for different hardware and driver failures that might occur on a Windows 8.1 computer. This
lesson introduces you to these tools, and explains how you can use them to diagnose problems in your
environment.
Lesson Objectives
After completing this lesson, you will be able to:
Describe problems that the Windows diagnostic tools can help resolve.
Describe how to use the Windows Memory Diagnostics tool.
Describe how to use the Windows Network Diagnostics tool.
Describe how to use Reliability Monitor.
Describe how to use the Problem Reports and Solutions tool.
Problems That Windows Diagnostic Tools Can Help Resolve
You can solve computer problems effectively and reliably only by diagnosing them accurately. Therefore, if
you understand the capabilities of Windows 8.1 diagnostics tools, you can determine where to find the
troubleshooting information that you need to address existing problems and prevent future issues.
The Windows Diagnostic Infrastructure (WDI) includes diagnostic tools that you can use to troubleshoot
network-related issues, startup problems, and problems with unreliable memory.
Unreliable Memory
Memory problems can be especially difficult to troubleshoot because they frequently manifest themselves
as app issues. Failing memory can cause app failures, operating system faults, and stop errors, and it can
be difficult to identify because problems can be intermittent. For example, a memory chip might function
perfectly when you test it in a controlled environment. However, it can start to fail when you use it in a
hot computer.
Failing memory chips return data that differs from what an operating system stored originally. This can
lead to secondary problems, such as corrupted files. Frequently, administrators take extreme steps, such as
reinstalling apps or operating systems, to repair problems, only to have the failures persist.
Network-Related Problems
Network errors frequently cause an inability to access network resources and can be difficult to diagnose.
Network interfaces that you do not configure correctly, incorrect IP addresses, hardware failures, and
many other problems can affect connectivity. Operating system features such as cached credentials enable
users to sign in as domain users, even when a network connection is not present. This feature can make it
appear as if users have logged on to the domain successfully, even when they have not. Although this
feature is useful, it does add another layer to the process of troubleshooting network connections.
Startup Problems
When diagnosing startup problems, you usually do not have access to Windows 8.1 troubleshooting and
monitoring tools. Malfunctioning memory, incompatible or corrupted device drivers, missing or corrupted
startup files, or corrupted disk data can all cause startup failures.
Windows Memory Diagnostic Tools
The Windows Memory Diagnostics tool works with Microsoft Online Crash Analysis to monitor computers for
defective memory, and it determines whether defective physical memory is causing program crashes. If the
Windows Memory Diagnostics tool identifies a memory problem, Windows 8.1 avoids using the affected part of
physical memory so that the operating system can start successfully and avoid app failures.
In most cases, a Windows operating system automatically detects possible problems with a computer's
memory and then displays a notification that asks whether to run the Windows Memory Diagnostics tool.
You also can start the Windows Memory Diagnostics tool from Control Panel\System and
Security\Administrative Tools.
How Does the Windows Memory Diagnostics Tool Run?
If the Windows Memory Diagnostics tool detects any problems with physical memory, Microsoft Online
Crash Analysis automatically prompts you to run the tool.
You can decide whether to restart your computer and check for problems immediately, or to schedule the
tool to run when the computer next restarts.
When the computer restarts, the Windows Memory Diagnostics tool tests the computer's memory. When
this tool runs, it shows a progress bar that indicates the status of the test. It might take several minutes for
the tool to finish checking a computer's memory. When the test finishes, the Windows operating system
restarts again automatically, and the tool provides a clear report that details the problem. It also writes
information to the event log so that it can be analyzed.
You can run the Windows Memory Diagnostics tool manually. You have the same two choices: run the
tool immediately or schedule it to run when the computer restarts. Additionally, you can start the
Windows Memory Diagnostics tool from installation media.
Advanced Options
To access advanced diagnostic options, press F1 while the test is running. Advanced options include the
following:
Test mix. Select what kind of test to run.
Cache. Select the cache setting for each test.
Pass count. Enter the number of times that the test mix should repeat the tests.
Press the Tab key to move between the advanced options. When you finish selecting your options, press
F10 to start the test.
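The topic notes that the tool writes its verdict to the event log; on a fleet that is where you read it, not from the pop-up after the restart. The block below is an added example, not course code. It schedules the memory tester for the next restart through the BCD boot sequence (the same one-time boot entry the GUI's "Restart now and check for problems" uses) and reads back the most recent results from the System log by provider name. Both commands need an elevated prompt; the number of results to keep is an assumed parameter.

```powershell
# Added example (not part of the course): drive the Windows Memory Diagnostics
# tool without the GUI. {memdiag} is the well-known BCD entry for the memory
# tester; /bootsequence makes it the boot target once, after which the normal
# boot order resumes on its own. Run elevated.
function Request-MemoryTestAtNextBoot {
    # braces are quoted so PowerShell does not parse them as a script block
    bcdedit /bootsequence '{memdiag}'
}

# After the restart the tool logs its outcome to the System log under the
# provider below; the Message text states whether errors were detected, so
# that is what a reliability report should capture, not just that it ran.
function Get-MemoryDiagnosticResult {
    param([int] $Newest = 5)    # assumed: how many past runs to show
    Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Microsoft-Windows-MemoryDiagnostics-Results'
        } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object -Property TimeCreated, Id, Message
}

# Typical sequence on a computer suspected of intermittent memory faults:
Request-MemoryTestAtNextBoot     # then Restart-Computer when convenient
# ... after the test and the automatic restart:
Get-MemoryDiagnosticResult | Format-Table -AutoSize -Wrap
```

An empty result from the second function after a restart means the test did not run (the boot sequence was cleared or the computer booted from a different entry), which is worth distinguishing from a "no errors" message when you are tracking a fault that only shows up when the hardware is warm, as the topic describes.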
Windows Network Diagnostics Tool
The Windows Network Diagnostics tool provides an advanced way to resolve network-related issues. When users
cannot connect to a network resource, they receive specific repair options instead of general error
messages, which can be difficult to understand. By understanding the repair options that the Windows
Network Diagnostics tool presents, you can troubleshoot network-related issues effectively.
You can start the Windows Network Diagnostics tool by clicking Troubleshoot problems in the Network and
Sharing Center. From this page, you can troubleshoot different network problems. Some of these problems and
tools are as follows:
Internet Connections. Inability to connect to the Internet or to a particular website.
Shared Folders. Inability to access shared files and folders on other computers.
HomeGroup. Inability to view the computers or shared files in a homegroup for workgroup-
configured computers.
Network Adapter. Problems with Ethernet, wireless, or other network adapters.
Incoming Connections. Issues allowing other computers to connect to your computer.
Connections to a Workplace Using DirectAccess. Problems with connecting to your workplace when
using DirectAccess.
Printer. Problems on printer connections.
How Does the Windows Network Diagnostics Tool Run?
The Windows Network Diagnostics tool runs automatically when it detects a problem. You also can decide
to run the tool manually by using the Diagnose option on the Local Area Connection Status property
sheet.
If Windows 8.1 detects a problem that it can repair automatically, it will do so. If Windows 8.1 cannot
repair the problem automatically, it directs the user to perform simple steps to resolve the problem
without having to call support.
What Is Reliability Monitor?
Reliability Monitor reviews a computer's reliability and problem history. You can use the Reliability
Monitor to obtain several kinds of reports and charts that can help you identify the source of reliability
issues. Access the Reliability Monitor by clicking View reliability history in the Maintenance section of
the Action Center.
The following topics explain the main features of the Reliability Monitor in more detail.

System Stability Chart
A System Stability Chart summarizes system stability for the past year in daily increments. This chart
indicates any information, error, or warning messages, and it simplifies the task of identifying issues and
the date on which they occurred.
Installation and Failure Reports
The System Stability Report also provides information about each event in the chart. These reports include
the following events:
Software Installs
Software Uninstalls
Application Failures
Hardware Failures
Windows Failures
Miscellaneous Failures
Records Key Events in a Timeline
The Reliability Monitor tracks key events about the system configuration, such as the installation of new
apps, operating system patches, and drivers. It also tracks the following events and helps you identify the
reasons for reliability issues:
Memory problems
Hard-disk problems
Driver problems
Application failures
Operating system failures
The Reliability Monitor is a useful tool that provides a timeline of system changes, and then it reports a
system's reliability. You can use this timeline to determine whether a particular system change correlates
with the start of system instability.
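The timeline Reliability Monitor draws is built from the Reliability Analysis Component (RAC) data that Windows exposes through WMI, so the same correlation can be done in a script when you need it for more than one computer or want to keep the history after the chart's one-year window. The following is an added example and not part of the course; it uses the Win32_ReliabilityRecords and Win32_ReliabilityStabilityMetrics classes, and the day counts are assumed parameters. The classes are only populated once the scheduled RAC task has run, so a freshly installed computer may return nothing.

```powershell
# Added example (not from the course): read the data behind Reliability Monitor.
# Win32_ReliabilityRecords holds the installs, uninstalls and failures the chart
# plots; Win32_ReliabilityStabilityMetrics holds the daily stability index.
function Get-ReliabilityTimeline {
    param([int] $Days = 7)      # assumed window
    $since = (Get-Date).AddDays(-$Days)
    Get-CimInstance -ClassName Win32_ReliabilityRecords |
        Where-Object { $_.TimeGenerated -ge $since } |
        Sort-Object -Property TimeGenerated |
        Select-Object -Property TimeGenerated, SourceName, EventIdentifier, ProductName,
            @{ n = 'Summary'; e = {
                # keep only the first line of the message so the table stays readable
                if ($_.Message) { ($_.Message -split "`n")[0].Trim() } else { '' } } }
}

# The 1-to-10 index that the System Stability Chart draws, one value per day.
function Get-StabilityIndex {
    param([int] $Days = 30)     # assumed window
    $since = (Get-Date).AddDays(-$Days)
    Get-CimInstance -ClassName Win32_ReliabilityStabilityMetrics |
        Where-Object { $_.TimeGenerated -ge $since } |
        Sort-Object -Property TimeGenerated |
        Select-Object -Property TimeGenerated, SystemStabilityIndex
}

# Read them together: a drop in the index followed by failures from one
# ProductName, right after an install record for it, is the correlation the
# topic describes.
Get-StabilityIndex -Days 14 | Format-Table -AutoSize
Get-ReliabilityTimeline -Days 14 | Format-Table -AutoSize -Wrap
```

Because the records are ordinary CIM instances, the same two functions work against a remote computer by adding a -CimSession parameter to Get-CimInstance, which lets you pull the reliability history of several workstations to one place before deciding which driver or update to roll back.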
What Is the Problem Reports and Solutions Tool?
The Problem Reports and Solutions tool in Reliability Monitor helps you track problem reports and any
solution information that other tools have provided. This tool only helps store information. Windows Error
Reporting handles all Internet communication that is related to problem reports and solutions. The Problem
Reports and Solutions tool provides a list of the attempts made to diagnose a computer's problems.
If an error occurs while an app is running, Windows Error Reporting prompts the user to choose if they want
to send error information to Microsoft over the Internet. If information is available that can help a user
resolve a problem, Windows displays a message to the user with a link to information about how to resolve
the issue.
You can use the Problem Reports and Solutions tool to track resolution information and to recheck and
find new solutions. You can start the Problem Reports and Solutions tool from the Reliability Monitor.
The following tools are available:
Save reliability history
View all problem reports
Check for solutions to all problems
Clear the solution and problem history
Lesson 3
Managing Software Updates in Windows 8.1
To keep your Windows 8.1 systems functioning properly and to protect them, you must update systems
regularly with the latest security updates and fixes. Windows Update enables you to download and install
important and recommended updates automatically instead of visiting the Windows Update website.
You must be aware of the configuration options that Windows Update has available, and you must be
able to guide users on how to configure these options.
Lesson Objectives
After completing this lesson, you will be able to:
Explain how to configure local Windows Update settings.
Describe the process of managing applied updates.
Describe the Windows Update Group Policy settings.
Configuring Windows Update Settings
Windows Update is a service that provides software updates that keep your computer up-to-date and
protected. You can configure Windows Update to download and install updates automatically for a computer,
or you can install updates manually. On the Windows Update page, you can see the important and optional
updates that are available for a computer.
You should configure computers that are running Windows 8.1 to download and install updates
automatically. This ensures that a computer has the most up-to-date and protected configuration possible.
You can turn on Automatic Updates during the initial Windows 8.1 setup, or you can configure it later.
Windows Update downloads a computers updates in the background while you are online. If your
Internet connection is interrupted before an update downloads fully, the download process resumes when
the connection becomes available.
Configure Settings
The Automatic Updates feature of Windows Update downloads and installs important updates, including
security and critical performance updates. However, you have to select recommended and optional
updates manually.
The time of installation depends on the configuration options that you select. Most updates occur
seamlessly, with the following exceptions:
If an update requires a restart to complete installation, you can schedule it for a specific time.
When a software update applies to a file that is in use, Windows 8.1 can save the apps data, close the
app, update the file, and then restart the app. Windows 8.1 might prompt the user to accept the
Microsoft Software License Terms when the app restarts.
When you configure Windows Update, consider the following:
You should use the recommended settings to download and install updates automatically.
The recommended settings download and install updates automatically daily at 3:00 A.M. If a
computer is turned off, the installation will be done the next time the computer is turned on.
By using the recommended settings, users do not have to search for critical updates or worry that
critical fixes might be missing from their computers.
You should use Windows Server Update Services (WSUS) to manage Windows Update in an enterprise
environment.
You can use Microsoft System Center 2012 R2 Configuration Manager for environments that have a
large number of computers or that require specialized management that WSUS does not provide.
Change Settings
From the Windows Update page, you also have access to the Change settings features. On the Change
settings page, four settings are available for Important updates:
Install updates automatically (recommended).
Download updates but let me choose whether to install them.
Check for updates but let me choose whether to download and install them.
Never check for updates (not recommended).
We recommend that you choose to have updates installed automatically so that Windows will install
important updates as they become available.
If you do not want updates to be installed or downloaded automatically, you can instead select the option
to be notified when updates apply to your computer so that you can download and install them yourself.
For example, if you have a slow Internet connection or your work is interrupted because of automatic
updates, you can have Windows check for updates but download and install them yourself later at a
suitable time.
Managing Applied Updates
Generally, applying updates does not create problems for most computers. However, occasionally, an
installed update might conflict with the unique combination of installed hardware and software on a
user's computer. This can result in a reliability problem. When this occurs, you can use Windows Update to
review installed updates, and where necessary, you can uninstall an update.
View Update History
To review your update history, from the Windows Update page, click View update history. In the Status
column, you can make sure that all important updates were installed successfully.
Configuring Windows 8.1 12-21
Uninstall Updates
If an update has been installed that you would like to remove, from the View Update History page, click
Installed Updates. You then can view all the installed updates, and where necessary, you can right-click an
update, and then click Uninstall.
Hide Updates
If an update attempts to reinstall at a later time, you can hide the update. To hide an update that you do
not wish to install, from Windows Update, click the link for the available updates. Right-click the update
that you do not want to install, and then click Hide update.
Restore Hidden Updates
If you have resolved the underlying problem with an update that you uninstalled, and you wish to install
it, you first must unhide the update. From Windows Update, click Restore hidden updates.
Windows Update Group Policy Settings
Group Policy is an administrative tool for
managing user and computer settings over a
network.
There are several Group Policy settings for
Windows Update:
Do not display the Install Updates and
Shut Down option in the Shut Down
Windows dialog box.
This policy setting allows you to manage
whether the Install Updates and Shut Down
option is displayed in the Shut Down
Windows dialog box.
If you enable this policy setting, Install Updates and Shut Down will not appear as a choice in the Shut
Down Windows dialog box even if updates are available for installation when the user selects the Shut
Down option in the Start menu.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be
available in the Shut Down Windows dialog box if updates are available when the user selects the
Shut Down option in the Start menu.
Do not adjust the default option to Install Updates and Shut Down in the Shut Down Windows
dialog box.
You can use this policy setting to manage whether the Install Updates and Shut Down option is
allowed to be the default choice in the Shut Down Windows dialog box.
If you enable this policy setting, the user's last shutdown choice, such as Hibernate and Restart, is the
default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and
Shut Down option is available in the What do you want the computer to do? list.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option will be
the default option in the Shut Down Windows dialog box if updates are available for installation when
the user selects the Shut Down option in the Start menu.
Enabling Windows Update Power Management to automatically wake up the system to install
scheduled updates
This policy setting specifies whether Windows Update will use the Windows power management
features to wake up your system automatically from hibernation if updates need to be installed.
12-22 Optimizing and Maintaining Windows 8.1 Computers
Windows Update will wake up your system automatically only if you configure Windows Update to
install updates automatically. If the system is in hibernation when the scheduled install time occurs
and there are updates to be applied, Windows Update will use the Windows power management
features to wake the system automatically to install the updates.
The system will not wake unless there are updates to be installed. If the system is on battery power,
when Windows Update wakes it up, it will not install updates, and the system will return to
hibernation automatically in two minutes.
Configure Automatic Updates
This setting specifies whether the computer will receive security updates and other important
downloads through the Automatic Updates feature. If Automatic Updates are enabled on your
computer, you must select one of the four options in the Group Policy setting:
o 2 = Notify before downloading any updates and notify again before installing them
When Windows finds updates that apply to your computer, an icon appears in the status area
with a message that updates are ready to be downloaded.
Clicking the icon or message provides the option to select the specific updates that you want to
download. Windows then downloads your selected updates in the background.
When the download is complete, an icon again appears in the status area with notification that
the updates are ready to be installed. Clicking the icon or message provides the option to select
which updates to install.
o 3 = (Default setting) Download the updates automatically and notify when they are ready
to be installed
Windows finds updates that apply to your computer and then downloads them in the
background so that the user is not notified or interrupted during this process.
When the download is complete, an icon appears in the status area with notification that the
updates are ready to be installed. Clicking the icon or message provides the option to select
which updates to install.
o 4 = Automatically download updates and install them on the schedule specified below
Specify the schedule by using the options in the Group Policy setting. If no schedule is specified,
the default schedule for all installations will be daily at 3:00 A.M.
If any of the updates require a restart to complete the installation, Windows will restart the
computer automatically. If a user is signed in to the computer when Windows is ready to restart,
the user will be notified and given the option to delay the restart.
o 5 = Allow local administrators to select the configuration mode that Automatic Updates
must notify and install updates
With this option, local administrators will be allowed to use the Automatic Updates control panel
item to select a configuration option. For example, they can choose their own scheduled
installation time. Local administrators will not be allowed to disable Automatic Updates
configuration.
To use the Configure Automatic Updates setting, click Enabled, and then select one of the options (2,
3, 4, or 5).
If the status is set to Enabled, Windows recognizes when the computer is online and then uses its
Internet connection to search Windows Update for updates that apply to your computer.
If the status is set to Disabled, you manually must download and install any updates that are available
on Windows Update.
If the status is set to Not Configured, the use of Automatic Updates is not specified at the Group
Policy level. However, an administrator can still configure Automatic Updates through Control Panel.
Specify intranet Microsoft update service location
With this setting, you can specify a server on a network to function as an internal update service. The
Automatic Updates client will search this service for updates that apply to computers on the network.
To use this setting, you must set two server name values: the server from which the Automatic
Updates client detects and downloads updates, and the server to which updated workstations upload
statistics. You can set both values to be the same server.
If the status is set to Enabled, the Automatic Updates client connects to a specified intranet Microsoft
Update service instead of Windows Update to search for and download updates. Enabling this setting
means that end users in your organization do not have to go through a firewall to get updates, and it
gives you the opportunity to test updates before deploying them.
If the status is set to Disabled or Not Configured, and if Automatic Updates is not disabled by policy
or user preference, the Automatic Updates client connects directly to the Windows Update site on the
Internet.
Automatic Updates detection frequency
This policy specifies how long a Windows operating system will wait before checking for available
updates. The exact wait time is determined by using the hours that you specify in this policy, minus
zero to twenty percent of the hours specified. For example, if this policy is used to specify a 20-hour
detection frequency, all clients to which this policy is applied will check for updates anywhere
between 16 and 20 hours.
If the status is set to Enabled, Windows checks for available updates at the specified interval.
If the status is set to Disabled or Not Configured, Windows checks for available updates at the default
interval of 22 hours.
Allow non-administrators to receive update notifications
This policy setting allows you to control whether non-administrative users will receive update
notifications based on the Configure Automatic Updates policy setting.
If you enable this policy setting, Automatic Update and Microsoft Update will include
non-administrators during the process of determining which signed-in user will receive update
notifications.
Non-administrative users will be able to install all optional, recommended, and important content for
which they received a notification. Users will not see a User Account Control window and do not need
elevated permissions to install these updates, except in the case of updates that contain User
Interface, End User License Agreement, or Windows Update setting changes.
If you disable or do not configure this policy setting, only administrative users will receive update
notifications. By default, this policy setting is disabled.
If the Configure Automatic Updates policy setting is disabled or not configured, then the Elevate
Non-Admin policy setting has no effect.
Turn on Software Notifications
This policy setting allows you to control whether users can view detailed, enhanced notification
messages about featured software from the Microsoft Update service.
Enhanced notification messages convey the value of optional software, and they promote its
installation and use. This policy setting is intended for use in loosely managed environments in which
you allow end-user access to the Microsoft Update service.
If you enable this policy setting, a notification message will appear on users' computers when the
featured software is available. Users can click the notification to open the Windows Update app and
get more information about the software or install it. Users also can click Close this message or Show
me later to defer the notification as appropriate. In Windows 8.1, this policy setting only will control
detailed notifications for optional apps.
If you disable or do not configure this policy setting, Windows 8.1 users will not be offered detailed
notification messages for optional apps. By default, this policy setting is disabled. If you are not using
the Microsoft Update service or if the Configure Automatic Updates policy setting is disabled or is not
configured, the Software Notifications policy setting has no effect.
Let the service shut down when it is idle
This setting controls how many minutes the Windows Update service will wait before shutting down
when there are no scans, downloads, or installations in progress. If configured to zero, the service will
always run.
Allow Automatic Updates immediate installation
This setting specifies whether Automatic Updates will install certain updates automatically that neither
interrupt Windows services nor restart the Windows operating system. If you set the status to
Enabled, Automatic Updates will install these updates immediately once they are downloaded and
ready to install.
If you set the status to Disabled, such updates will not be installed immediately. If the Configure
Automatic Updates policy is disabled, this policy has no effect.
Turn on recommended updates via Automatic Updates
This setting specifies whether Automatic Updates will deliver both important and recommended
updates from the Windows Update service. When this policy is enabled, Automatic Updates will install
recommended and important updates from Windows Update. When disabled or not configured,
Automatic Updates will continue to deliver important updates if it is configured already to do so.
No auto-restart with logged on users for scheduled automatic updates installations
This setting specifies that to complete a scheduled installation, Automatic Updates will wait for the
computer to be restarted by any user who is logged on, instead of causing the computer to restart
automatically.
If the status is set to Enabled, Automatic Updates will not restart a computer automatically during a
scheduled installation if a user is logged on to the computer. Instead, Automatic Updates will notify
the user to restart the computer.
Re-prompt for restart with scheduled installations
This setting specifies the amount of time for Automatic Updates to wait before prompting a user
again to restart and complete the update process.
If the status is set to Enabled, a scheduled restart will occur in the specified number of minutes after
the previous prompt for restart was postponed.
If the status is set to Disabled or Not Configured, the default interval is 10 minutes.
Delay Restart for scheduled installations
This setting specifies the amount of time for Automatic Updates to wait before proceeding with a
scheduled restart.
If the status is set to Enabled, a scheduled restart will occur at the specified number of minutes after
the installation is finished.
If the status is set to Disabled or Not Configured, the default wait time is 15 minutes.
Reschedule Automatic Updates scheduled installations
This setting specifies the amount of time for Automatic Updates to wait, following system startup,
before proceeding with a scheduled installation that was missed previously.
If you set the status to Enabled, a scheduled installation that did not take place earlier will occur at
the specified number of minutes after the computer is next started.
If you set the status to Disabled, a missed scheduled installation will occur with the next scheduled
installation.
If you set the status to Not Configured, a missed scheduled installation will occur one minute after the
computer is next started.
Enable client-side targeting
This setting specifies the target group name or names that will be used to receive updates from an
intranet Microsoft Update service.
If you set the status to Enabled, the specified target group information is sent to the intranet Microsoft
Update service, which uses this information to determine which updates must be deployed
to a computer.
If the intranet Microsoft Update service supports multiple target groups, this policy can specify
multiple group names separated by semicolons. Otherwise, you must specify a single group.
If the status is set to Disabled or Not Configured, no target group information will be sent to the
intranet Microsoft Update service.
Allow signed updates from an intranet Microsoft update service location
This policy setting allows you to manage whether Automatic Updates accepts updates that are signed
by entities other than Microsoft when an update is found on an intranet Microsoft Update service
location.
If you enable this policy setting, Automatic Updates accepts updates that are received through an
intranet Microsoft Update service location if the updates are signed by a certificate in the Trusted
Publishers certificate store of the local computer.
If you disable or do not configure this policy setting, updates from an intranet Microsoft Update
service location must be signed by Microsoft.
Note: This setting sometimes is used on a critical system that cannot be restarted or
changed without first being scheduled. If you enable this setting, you must implement another
method of update delivery to ensure that these systems are kept up-to-date.
Lab B: Maintaining Windows Updates
Scenario
When A. Datum received the first shipment of Windows 8.1 computers, Holly disabled Automatic Updates
because she was concerned that they would cause problems with a custom app on these systems.
After extensive testing, you have determined that it is extremely unlikely that Automatic Updates will
cause a problem with this app.
Objectives
After you complete this lab, you will be able to configure local Windows Update settings.
Lab Setup
Estimated Time: 20 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
o 20687C-LON-DC1
o 20687C-LON-CL1
Exercise 1: Configuring Windows Update
Scenario
You have to confirm that Automatic Updates are disabled for the Windows 8.1 computers, and then you
must enable Automatic Updates by implementing a Group Policy.
The main tasks for this exercise are as follows:
1. Verify that Automatic Updates are disabled.
2. Enable Automatic Updates in Group Policy.
3. Verify that the Automatic Updates setting from the Group Policy Object is being applied.
Task 1: Verify that Automatic Updates are disabled
On LON-CL1, open Windows Update, and then verify that Automatic Updates are disabled.
Task 2: Enable Automatic Updates in Group Policy
1. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd, and then open the Group
Policy Management administrative tool.
2. Edit the Default Domain Policy:
o Modify the settings for Computer Configuration\Policies\Administrative Templates
\Windows Components\Windows Update\Configure Automatic Updates:
Enabled
4 Auto download and schedule the install
Task 3: Verify that the Automatic Updates setting from the Group Policy Object is
being applied
1. On LON-CL1, open a command prompt and run gpupdate /force to update the Group Policy
settings.
2. Open Windows Update, and then verify that the new settings have been applied.

Results: After completing this exercise, you should have configured Windows Update settings by using
Group Policy Objects.
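As an added example (not part of the 20687C courseware and not Microsoft's own tooling), the following PowerShell script reads the registry values that the Windows Update Group Policy settings described in the previous lesson write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate, reports the effective policy, and flags settings that weaken patch delivery. It can also be run on LON-CL1 after Task 3 of this exercise to confirm that option 4 has been applied; the value names are the ones Group Policy uses, while the report labels and the checks are my own.

```powershell
# Added example (not part of the 20687C courseware): audit the Windows Update
# Group Policy settings as applied on the local computer. Group Policy stores
# them under the WindowsUpdate policy key (server location, targeting, signing)
# and its AU subkey (Automatic Updates behaviour). Run elevated, e.g. on LON-CL1
# after "gpupdate /force"; a Not Configured setting simply has no value present.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when the policy is Not Configured (key or value absent).
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Names for the four Configure Automatic Updates options (AUOptions value).
$auOptionNames = @{
    2 = 'Notify before download and notify again before install'
    3 = 'Auto download and notify when ready to install (default)'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local administrators to select the configuration'
}
$dayNames = @{ 0 = 'Every day'; 1 = 'Sunday'; 2 = 'Monday'; 3 = 'Tuesday'
               4 = 'Wednesday'; 5 = 'Thursday'; 6 = 'Friday'; 7 = 'Saturday' }

function Get-WindowsUpdatePolicyReport {
    $settings = [ordered]@{}
    $findings = New-Object System.Collections.Generic.List[string]

    # Configure Automatic Updates: NoAutoUpdate=1 means the policy is Disabled.
    $noAuto    = Get-PolicyValue $auKey 'NoAutoUpdate'
    $auOptions = Get-PolicyValue $auKey 'AUOptions'
    if ($noAuto -eq 1) {
        $settings['Configure Automatic Updates'] = 'Disabled'
        $findings.Add('Automatic Updates is disabled by policy; updates must be installed manually.')
    } elseif ($null -eq $auOptions) {
        $settings['Configure Automatic Updates'] = 'Not Configured (Control Panel setting applies)'
    } else {
        $name = $auOptionNames[[int]$auOptions]
        if (-not $name) { $name = 'unknown value' }
        $settings['Configure Automatic Updates'] = "Enabled: $auOptions = $name"
        if ([int]$auOptions -eq 4) {
            # Option 4 defaults to every day at 3:00 A.M. when no schedule is given.
            $day  = Get-PolicyValue $auKey 'ScheduledInstallDay'
            $hour = Get-PolicyValue $auKey 'ScheduledInstallTime'
            if ($null -eq $day)  { $day  = 0 }
            if ($null -eq $hour) { $hour = 3 }
            $settings['Scheduled install'] = '{0} at {1:00}:00' -f $dayNames[[int]$day], [int]$hour
        }
    }

    # Specify intranet Microsoft update service location (WSUS).
    $wuServer = Get-PolicyValue $wuKey 'WUServer'
    if ((Get-PolicyValue $auKey 'UseWUServer') -eq 1 -and $wuServer) {
        $settings['Intranet update service'] = $wuServer
        $settings['Statistics server']       = Get-PolicyValue $wuKey 'WUStatusServer'
        if ($wuServer -notmatch '^https://') {
            $findings.Add("WSUS location $wuServer is not HTTPS; configure WSUS with SSL so clients can authenticate the server.")
        }
    } else {
        $settings['Intranet update service'] = 'Not used; clients contact Windows Update directly'
    }

    # Enable client-side targeting.
    if ((Get-PolicyValue $wuKey 'TargetGroupEnabled') -eq 1) {
        $settings['Client-side target group(s)'] = Get-PolicyValue $wuKey 'TargetGroup'
    }

    # Allow signed updates from an intranet Microsoft update service location.
    if ((Get-PolicyValue $wuKey 'AcceptTrustedPublisherCerts') -eq 1) {
        $settings['Allow non-Microsoft signed updates'] = 'Enabled'
        $findings.Add('Updates signed by any certificate in Trusted Publishers are accepted; review that store regularly.')
    } else {
        $settings['Allow non-Microsoft signed updates'] = 'Disabled/Not Configured (Microsoft-signed only)'
    }

    # Automatic Updates detection frequency: the actual wait is the value minus 0-20%.
    $freq = Get-PolicyValue $auKey 'DetectionFrequency'
    if ((Get-PolicyValue $auKey 'DetectionFrequencyEnabled') -eq 1 -and $freq) {
        $settings['Detection frequency'] = '{0} hours (clients check every {1}-{0} hours)' -f [int]$freq, ([int]$freq * 0.8)
    } else {
        $settings['Detection frequency'] = 'Default (22 hours)'
    }

    # Restart and notification behaviour.
    $noReboot = Get-PolicyValue $auKey 'NoAutoRebootWithLoggedOnUsers'
    $settings['No auto-restart with logged-on users'] = if ($noReboot -eq 1) { 'Enabled' } else { 'Disabled/Not Configured' }
    $elevate = Get-PolicyValue $wuKey 'ElevateNonAdmins'
    $settings['Non-admins receive notifications'] = if ($elevate -eq 1) { 'Enabled' } else { 'Disabled/Not Configured' }

    return [pscustomobject]@{ Settings = $settings; Findings = $findings }
}

$result = Get-WindowsUpdatePolicyReport
$result.Settings.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
if ($result.Findings.Count -gt 0) {
    ''
    'Findings:'
    $result.Findings | ForEach-Object { " - $_" }
}
# After Lab B Task 3 the first line should read
# "Configure Automatic Updates   Enabled: 4 = Auto download and schedule the install".
```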
To prepare for the next module
When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.
Module Review and Takeaways
Review Questions
Question: You are having problems with your computer's performance. How can you create
a data collector set to analyze a performance problem?
Question: What are the benefits of creating a data collector set?
Module 13
Configuring Mobile Computing and Remote Access
Contents:
Module Overview 13-1
Lesson 1: Configuring Mobile Computers and Device Settings 13-2
Lab A: Configuring a Power Plan 13-9
Lesson 2: Overview of DirectAccess 13-11
Lab B: Implementing DirectAccess by Using the Getting Started Wizard 13-22
Lesson 3: Configuring VPN Access 13-26
Lesson 4: Configuring Remote Desktop and Remote Assistance 13-35
Lab C: Implementing Remote Desktop 13-39
Module Review and Takeaways 13-41

Module Overview
Mobile computers are available in many types and configurations. This module includes descriptions of
various available mobile devices and describes how you can synchronize them with a computer that is
running the Windows 8.1 operating system. Additionally, this module describes various power options
that you can configure in Windows 8.1.
Windows 8.1 helps end users become more productive, regardless of their location, or that of the data
they need. For users who want to use virtual private networks (VPNs) to connect to enterprise resources,
new features in Windows 8.1 and Windows Server 2012 R2 create a seamless experience. You can use
DirectAccess, VPN, and Remote Desktop functionality to enable users to access their work environments
from anywhere they are connected.
Objectives
After completing this module, you will be able to:
Configure mobile computers and device settings.
Configure DirectAccess.
Configure VPN access.
Configure Remote Desktop and Remote Assistance.
Lesson 1
Configuring Mobile Computers and Device Settings
This lesson defines common terminology for mobile computing and provides an overview of related
configuration settings that you can modify in Windows 8.1. Additionally, it provides guidelines for
applying these configuration settings to Windows 8.1 computers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the various types of mobile computers and devices.
Describe the tools for configuring mobile computers and devices.
Describe mobile device synchronization partnerships.
Describe the available options to manage power settings in Windows 8.1.
Configure a power plan in Windows 8.1.
Discussion: Types of Mobile Computers and Devices
Computers play an important part in people's
daily lives, and the ability to carry out computing
tasks at any time and in any place has become a
necessity for many users. A mobile computer is a
device that you can use for work, even when you
are away from your office.
You must be able to answer users' questions
about mobile computers, and you must be able to
assist users and other information technology (IT)
support staff in choosing appropriate mobile
computers for an organization. Different types of
mobile computer include:
Laptops and notebook computers
Tablet PCs
Netbook computers
Ultrabook computers
Portable media players
Laptop and Notebook Computers
People often use the terms laptop and notebook interchangeably. However, the term notebook computer
refers to a computer that is lighter or smaller than a laptop. A laptop computer is a portable computer
that contains an integrated screen, battery, keyboard, and pointing device. A laptop computer also might
contain a CD or DVD drive. Many organizations issue laptop computers to employees rather than desktop
computers so that they can work remotely. Hardware manufacturers are responding to this demand by
producing laptops with specifications that are equivalent to or better than many desktop computers.
Tablet PCs
A tablet PC is a fully functional laptop computer with a touchscreen that is designed to interact with a
user's fingers or a stylus. Tablet PCs might have a detachable keyboard and touchpad. Many tablet PC
screens also turn or fold onto the keyboard. Most tablet PCs allow multiple touch inputs simultaneously
on the screen, allowing for complex gestures such as pinching to zoom and scrolling. Windows 8.1
provides an optimized UI for devices that support touchscreens.
Netbook Computers
A typical netbook computer features a 7-inch diagonal display, weighs around 2 pounds or 1 kilogram
(kg), has an integrated touch panel, and has both Wi-Fi and Bluetooth enabled. A netbook computer is
approximately the size and shape of a paperback book. Manufacturers build specialized components for
ultra-mobile PCs, such as ultra-low-voltage processors from Intel, which help optimize battery life and
minimize cooling requirements.
Netbook computers typically are equipped with 1 gigabyte (GB) of RAM and a solid-state hard disk drive.
Netbook computers offer significant improvements in power consumption compared with more
traditional laptops, and they provide the applications that mobile users require.
Ultrabook Computers
These thin, lightweight laptop computers provide more power and larger displays than netbooks, thereby
enabling users to perform multiple tasks with their computers. Typically, Ultrabook computers have the
same weight as netbooks, but are equipped with 4 GB of RAM and high-speed Intel mobile processors.
Display sizes are 13.3 inches diagonally.
Mobile Devices
You must be able to assist users with connecting their mobile devices to Windows 8.1 computers. A
mobile device is a computing device that is optimized for specific mobile computing tasks. Mobile devices
typically synchronize with desktop or mobile computers to obtain data. The following types of mobile
devices are available:
Personal digital assistants (PDAs)
Windows Phone devices
Portable media players
Mobile phones
Windows Phone Devices
Windows Phone devices are smartphones that feature an operating system with the familiar Windows UI
and applications that are part of the Windows 8.1 operating system and Microsoft Office.
Windows Phone devices also include Music and Videos Hubs and typically feature mobile phone,
Bluetooth, wireless broadband, and Wi-Fi capabilities. Although you can sometimes use a keyboard on
these devices, they typically are touchscreen devices on which you can use your finger to navigate the
operating system and use applications. Additionally, the Windows Phone operating system supports voice
commands.
Note: Bluetooth is a wireless communications protocol that uses shortwave radio signals to
replace cables and enable compatible devices to communicate with each other. Bluetooth uses a
low-powered radio signal in the unlicensed 2.4 gigahertz (GHz) to 2.485 GHz spectrum, also
known as the Industrial, Scientific, and Medical (ISM) band.
Bluetooth employs a technology called Adaptive Frequency Hopping, which helps devices switch
frequencies within the ISM band. Bluetooth enables compatible devices to switch frequencies up
to 1,600 times a second within the ISM band to maintain optimal connectivity.
Portable Media Player
A portable media player is a small, battery-powered device that contains flash memory or a hard drive
from which you can play digital media files. Some of these devices have a screen. A Windows computer
copies the media to the device, which means that you can use media from your own CD and DVD
collection, or you can buy and download media from numerous online media services.
Mobile Phone
A mobile phone, also known as a cellular phone, is a portable telephone that uses a form of radio
connectivity. Many mobile phones now have some PDA and media player functionality. You typically use
a numerical keypad as the input for this device type.
Tools for Configuring Mobile Computers and Device Settings
When you select a mobile computer operating
system, ensure that the device can adapt to a
variety of scenarios. Windows 8.1 gives you the ability
to change configuration settings based
on specific requirements.
You can access and configure mobile computer
settings by using the Mobile Computer control
panel category page of configuration settings.
You can access various settings such as Power
Management, Windows Mobility Center, Sync
Center, and Presentation Settings.
Power Management
Windows 8.1 power management includes a simple-to-find battery meter that tells you at a glance what
power plan you are using and how much battery life is remaining. Use the battery meter to access and
change the power plan to meet your needs. For example, you might want to conserve power by limiting
the central processing unit (CPU) or configuring when your hard drive will turn off.
Power plans let you adjust your computer's performance and power consumption. To access power plans
in Windows 8.1, from Desktop, in the taskbar, right-click the battery icon, and then click Power Options.
You also can change the Battery Status in the Windows Mobility Center. To access the Windows Mobility
Center, in Control Panel, in the Hardware and Sound category, click Adjust commonly used mobility
settings.
Windows Mobility Center
In Windows 8.1, the key mobile-related system configuration settings are all collected in the Windows
Mobility Center. By using the Windows Mobility Center, you can adapt a mobile computer to meet
different requirements as you change locations, networks, and activities. The Windows Mobility Center
includes settings for:
Display brightness
Volume
Battery Status
External Display
Sync Center
Presentation Settings
Computer manufacturers can customize the Windows Mobility Center to include other hardware-specific
settings, such as Bluetooth or auxiliary displays.
Sync Center
The Windows 8.1 Sync Center provides a single interface from which you can manage data
synchronization in several scenarios: between multiple computers; between corporate network servers and
computers; and with devices that you connect to the computer, such as a PDA, a mobile phone, and a
music player.
Because different devices synchronize by using different procedures, depending on the data source, there
is no easy way to manage all of the individual sync relationships in older versions of the Windows
operating system. The Sync Center enables you to initiate a manual synchronization, stop in-progress
synchronizations, see the status of current synchronization activities, and receive notifications to resolve
sync conflicts.
A sync partnership is a set of rules that tells the Sync Center how and when to synchronize files or other
information between two or more locations. A sync partnership typically controls how files synchronize
between a computer and mobile devices, network servers, or compatible programs.
For example, you might create a sync partnership that instructs the Sync Center to copy every new file in
the My Documents folder to a USB hard disk each time that you plug the device into the computer. You
might create a more complex sync partnership to keep a wide variety of files, folders, and other
information synchronized between a computer and a network server. Access the Sync Center by clicking
Sync Center from the Windows Mobility Center screen.
Windows Mobile Device Center
Windows Mobile Device Center is a data synchronization program that you can use with mobile devices.
It gives Windows users a way to transport documents, calendars, contact lists, and email between their
desktop computer and mobile devices that support the Exchange ActiveSync protocol.
Windows Mobile Device Center provides overall device management features for Windows Mobile-based
devices in Windows 8.1, including smartphones. To access the Windows Mobile Device Center, go to
Control Panel.
Presentation Settings
Mobile users often have to reconfigure their computer settings for meetings or conference presentations,
such as changing screen-saver timeouts or desktop wallpaper. To improve the user experience and avoid
this inconvenience, Windows 8.1 includes a group of presentation settings that you can apply when you
connect to a display device.
To access the presentation settings, click Presentation Settings in the Windows Mobility Center in Control
Panel. When you finish a presentation, return to the previous settings by clicking the notification area
icon.
What Are Mobile Device Sync Partnerships?
You might need to assist users in establishing
mobile device sync partnerships. A mobile device
sync partnership updates information about the
mobile device and the host computer. It typically
synchronizes calendar information, clocks, email
messages, Microsoft Office documents, and media
files on supported devices. You can create mobile
device sync partnerships with PDAs, mobile
phones, Windows Phone devices, and portable
media players.
Creating a Mobile Device Sync Partnership
Creating a sync partnership with a portable media player is straightforward. The following procedure
describes how to connect a portable media player to a Windows 8.1 computer, create a sync partnership,
and synchronize media to the device:
1. Connect the device to a Windows 8.1 computer and open Sync Center. Windows 8.1 includes drivers
for many common devices, but you also can obtain drivers from the CD that came with the device, or
from Windows Update.
2. Set up a sync partnership by clicking Set up for a media device Sync Partnership. This opens
Windows Media Player.
3. Select some media files or a playlist to synchronize to the device. To select media, simply drag it onto
the Sync dialog box on the right side of Windows Media Player.
4. Click Start Sync. When your chosen media has transferred to the device, disconnect the device from
the computer, and then close Windows Media Player.
Using Windows Mobile Device Center
Windows Mobile Device Center is a data synchronization program for mobile devices. It provides
Windows users a way to transport documents, calendars, contact lists, and email between their desktop
computer and a mobile device that supports the Exchange ActiveSync protocol.
Windows Mobile Device Center provides overall device management features for Windows Phone-based
devices in Windows 8.1.
The default options for Windows Mobile Device Center include core device-connectivity components
only. These components enable the operating system to identify that a Windows Phone-based device is
connected, and then load the appropriate device drivers and services. The Windows Mobile Device Center
base application enables some basic functionality, including the ability to browse a device's contents, to
use desktop pass-through to synchronize with Microsoft Exchange Server, and to change some general
computer and connection settings.
Power Plans and Power-Saving Options
For mobile computer users, maintaining optimal
system performance while conserving battery life
has always been an important requirement. To
advise users on how to conserve battery life
without affecting system performance, you must
be familiar with the various factors that affect
power consumption. You also must be familiar
with the power plans and power-saving options
that are available in Windows 8.1.
By using Windows 8.1 power options, you can
conserve a mobile computer's battery. A user can
change various performance options, such as:
CPU speed
Display brightness
By using the CPU speed option, you can lower the speed of the computer processor, thereby reducing its
power consumption. Screen brightness requires power, and lowering the brightness reduces power usage.
Power Plans
In Windows 8.1, power plans help you maximize computer and battery performance. With power plans,
you can change a variety of system settings to optimize power or battery usage with a single click,
depending on the scenario. There are three default power plans:
Power saver. This plan saves power on a mobile computer by reducing system performance. Its
primary purpose is to maximize battery life.
High performance. This plan provides the highest level of performance on a mobile computer by
adapting processor speed to your work or activity, and by maximizing system performance.
Balanced. This plan balances energy consumption and system performance by adapting the
computer's processor speed to your activity.
The balanced plan provides the best balance between power and performance. The power saver plan
reduces power usage by lowering the performance. The high performance plan consumes more power by
increasing system performance. Each plan provides alternate settings for AC or DC power.
You can customize or create additional power plans by using Power Options in Control Panel. Some
hardware manufacturers supply additional power plans and power options. When you create additional
power plans, be aware that the more power the computer consumes, the less time it runs on a single
battery charge. By using Power Options, you can configure settings such as Choose what closing the lid
does.
In addition to considering power usage and performance, you also must consider the following three
options for turning a computer on and off:
Shut down
Hibernate
Sleep
Shut Down
When you shut down a computer, Windows 8.1 does the following:
Saves all open files to the hard disk.
Saves the memory contents to the hard disk or discards them as appropriate.
Clears the page file.
Closes all open applications.
Windows 8.1 then signs out the active user and turns off the computer.
Hibernate
When you put a computer in hibernation, Windows 8.1 saves the system state and the system memory
contents to a file on the hard disk and then shuts down the computer. This state requires no power
because the hard disk is storing the data.
Windows 8.1 supports hibernation at the operating system level without any additional drivers from a
hardware manufacturer. Hibernation data is stored in a hidden system file called Hiberfil.sys. This file is the
same size as the physical memory in the computer and typically is located in the root of the system drive.
Sleep
Sleep is a power-saving state that saves work and open programs to memory. This provides fast resume
capability, typically within several seconds. Sleep does consume a small amount of power.
Windows 8.1 automatically goes to sleep when you press the power button on the computer. If the
battery power of the computer is low, Windows 8.1 puts the computer in hibernation.
Alternatively, you can enable hybrid sleep, during which Windows 8.1 saves data to the hard disk and to
memory. If a power failure occurs on a computer when it is in hybrid sleep, data is not lost. Use hybrid
sleep as an alternative to hibernation. Hybrid sleep uses the same Hiberfil.sys hidden system file as
hibernation.
Demonstration: Configuring Power Plans
In this demonstration, you will see how to configure a power plan.
Demonstration Steps
Create a power plan for Adam's laptop
1. Sign in to LON-CL1 as Adatum\Adam, and then open Control Panel.
2. Locate Power Options in System and Security.
3. Using the existing power saver plan, create a new plan named Adam's Plan.
Configure the power plan
1. Configure advanced plan settings.
2. Configure Adam's Plan with the following properties:
o Turn off hard disk after: 10 minutes
o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving
o Power buttons and lid, Power button action: Shut down
o Close Power Options.
Lab A: Configuring a Power Plan
Scenario
Adam is about to take a long trip to visit all of A. Datum Corporation's customers in the United Kingdom.
Before he leaves, he would like you to optimize the power consumption on his Windows 8.1 laptop.
Objectives
After completing this lab, you will be able to:
Create a new power plan.
Configure basic and advanced power plan settings.
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 to 3 for 20687C-LON-CL1. Do not sign in until directed to do so.
Exercise 1: Creating and Configuring a New Power Plan
Scenario
Adam wants to ensure that his computer's battery lasts as long as possible between charges while he is on
his trip. He does not want to impose on his customers by asking to plug his computer into an electrical
socket at their offices, and he would rather charge his laptop in the evenings at his hotel.
The main tasks for this exercise are as follows:
1. Create a power plan on Adam's laptop computer.
2. Configure the power plan.
Task 1: Create a power plan on Adam's laptop computer
1. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.
2. Open Control Panel.
3. From System and Security in Control Panel, click Power Options.
4. Create a new power plan with the following properties:
o Based on: Power saver
o Name: Adam's power-saving plan
Task 2: Configure the power plan
1. In Power Options, under Adam's power-saving plan, click Change plan settings.
2. Modify the new power plan with the following properties:
o Turn off hard disk after: 3 minutes
o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving
o Power buttons and lid, Power button action: Shut down
3. Close all open windows, and then sign out from LON-CL1.

Results: After completing this exercise, you should have successfully created and configured a suitable
power plan for Adam's laptop computer.
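The demonstration and the lab exercise above configure Adam's plan through the Power Options UI; the same plan can be created from an elevated PowerShell prompt with powercfg, as in this added example, which is not part of the course. It assumes the built-in Power saver scheme GUID and the Wireless Adapter Settings subgroup and setting GUIDs given in the comments; confirm them with powercfg /aliases and powercfg /query on the target machine before relying on them.

```powershell
# Added example (not from the course): create and configure "Adam's power-saving plan"
# with powercfg, matching the lab's properties. Run in an elevated PowerShell prompt on LON-CL1.

# Built-in Power saver scheme GUID (assumed; the alias SCHEME_MAX refers to the same plan).
$PowerSaverGuid = 'a1841308-3541-4fab-bc81-f71556f20b4a'
$PlanName       = "Adam's power-saving plan"

# Duplicate the Power saver plan; powercfg prints "Power Scheme GUID: <guid>  (<name>)".
$output = (powercfg /duplicatescheme $PowerSaverGuid) -join ' '
if ($LASTEXITCODE -ne 0) { throw "powercfg /duplicatescheme failed: $output" }
$newGuid = [regex]::Match($output, '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}').Value
if (-not $newGuid) { throw "Could not parse the new scheme GUID from: $output" }

powercfg /changename $newGuid $PlanName

# Hard disk: turn off after 3 minutes (value is in seconds), on battery (DC) and on mains (AC).
powercfg /setdcvalueindex $newGuid SUB_DISK DISKIDLE 180
powercfg /setacvalueindex $newGuid SUB_DISK DISKIDLE 180

# Wireless Adapter Settings / Power Saving Mode: index 3 = Maximum Power Saving.
# Subgroup and setting GUIDs are assumed; verify them with: powercfg /query $newGuid
$WirelessSubgroup  = '19cbb8fa-5279-450e-9fac-8a3d5fedd0c1'
$WirelessPowerMode = '12bbebe6-58d6-4636-95bb-3217ef867c1a'
powercfg /setdcvalueindex $newGuid $WirelessSubgroup $WirelessPowerMode 3
powercfg /setacvalueindex $newGuid $WirelessSubgroup $WirelessPowerMode 3

# Power buttons and lid / Power button action: index 3 = Shut down.
powercfg /setdcvalueindex $newGuid SUB_BUTTONS PBUTTONACTION 3
powercfg /setacvalueindex $newGuid SUB_BUTTONS PBUTTONACTION 3

# Make it the active plan, then read the settings back to confirm they took effect.
powercfg /setactive $newGuid
powercfg /query $newGuid SUB_DISK DISKIDLE
powercfg /query $newGuid SUB_BUTTONS PBUTTONACTION
```

The final powercfg /query calls show the AC and DC index values for each setting, which is the quickest way to confirm that the plan matches the lab's required properties.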
To prepare for the next lab
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.

Lesson 2
Overview of DirectAccess
The DirectAccess feature in Windows 8.1 enables seamless remote access to intranet resources without
first establishing a user-initiated VPN connection. The DirectAccess feature also ensures seamless
connectivity to an application infrastructure for internal users and remote users.
Unlike traditional VPNs that require user intervention to initiate a connection to an intranet, DirectAccess
enables any application that supports Internet Protocol version 6 (IPv6) on a client computer to have
complete access to intranet resources. DirectAccess also enables you to specify resources and client-side
applications that are restricted for remote access.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the components that are required to implement DirectAccess.
Describe DirectAccess tunneling protocol options.
Describe how DirectAccess works for internal clients.
Describe how DirectAccess works for external clients.
Configure DirectAccess by running the Getting Started Wizard.
Identify the changes made by the Getting Started Wizard.
Identify the settings in the Getting Started Wizard.
Identify Windows 8.1 DirectAccess client components.
DirectAccess Components
To deploy and configure DirectAccess, your
organization must support the following
infrastructure components:
DirectAccess server
DirectAccess clients
Network Location Server
Internal resources
A Microsoft Active Directory Domain Services (AD DS) domain
Group Policy
Public key infrastructure (PKI), optional for the internal network
Domain Name System (DNS) server
Network Access Protection (NAP) server
DirectAccess Server
The DirectAccess server can be any computer running Windows Server 2012 R2 or Windows Server 2012
that you join to a domain, which accepts connections from DirectAccess clients, and that establishes
communication with intranet resources. This server provides authentication services for DirectAccess
clients and acts as an Internet Protocol security (IPsec) tunnel mode endpoint for external traffic. The new
Remote Access server role allows centralized administration, configuration, and monitoring for both
DirectAccess and VPN connectivity.
Compared with the previous implementation in Windows Server 2008 R2, the new wizard-based setup
simplifies DirectAccess management for small and medium-size organizations. The wizard does so by
removing the need for full PKI deployment and removing the requirement for two consecutive public
Internet Protocol version 4 (IPv4) addresses for the physical adapter that is connected to the Internet. In
Windows Server 2012 R2, the wizard detects the actual implementation state of the DirectAccess server,
and automatically selects the best deployment, thereby not showing the administrator the complexity of
manually configuring IPv6 transition technologies.
DirectAccess Clients
A DirectAccess client can be any domain-joined computer that is running the Enterprise edition of
Windows 7, Windows 8, or Windows 8.1.
Note: With off-premises provisioning, you can join the client computer in a domain
without connecting the client computer in your internal premises.
The DirectAccess client computer connects to the DirectAccess server by using IPv6 and IPsec. If a native
IPv6 network is not available, the client establishes an IPv6-over-IPv4 tunnel by using 6to4 or Teredo.
Note that the user does not have to be logged on to the computer for this step to complete.
If a firewall or proxy server prevents the client computer that is using 6to4 or Teredo from connecting to
the DirectAccess server, the client computer automatically attempts to connect by using the Internet
Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS), which uses a Secure Sockets Layer (SSL)
connection to ensure connectivity.
Network Location Server
A DirectAccess client uses the Network Location Server to determine its location. If the client computer
can securely connect to the Network Location Server by using HTTPS, then the client computer assumes it
is on the intranet, and the DirectAccess policies are not enforced. If the Network Location Server cannot
be contacted, the client assumes it is on the Internet. The Network Location Server is installed on the
DirectAccess server with the Web server role.
Note: The URL for the Network Location Server is distributed by using a Group Policy
Object (GPO).
Internal Resources
You can configure any IPv6-capable application that is running on internal servers or client computers to
be available for DirectAccess clients. For older applications and servers that do not have IPv6 support,
such as Windows Server 2003 or other non-Microsoft operating systems, Windows Server 2012 R2
includes native support for protocol translation (NAT64) and a name resolution (DNS64) gateway to
convert IPv6 communication from the DirectAccess client to IPv4 for internal servers.
Active Directory Domain
You must deploy at least one AD DS domain running, at a minimum, Windows Server 2003 domain
functional level. DirectAccess provides integrated multiple-domain support, which allows client computers
from different domains to access resources that might be located in different trusted domains.
Group Policy
You need to use Group Policy for the centralized administration and deployment of DirectAccess settings.
The Getting Started Wizard creates a set of GPOs and settings for DirectAccess clients, the DirectAccess
server, and selected servers.
PKI
PKI deployment is optional for simplified configuration and management. DirectAccess enables client
authentication requests to be sent over an HTTPS-based Kerberos proxy service that is running on the
DirectAccess server. This eliminates the need for establishing a second IPsec tunnel between clients and
domain controllers. The Kerberos proxy will send Kerberos requests to domain controllers on behalf of the
client. However, for a full DirectAccess configuration that allows NAP integration, two-factor
authentication, and force tunneling, you still must implement certificates for authentication for every
client that will participate in DirectAccess communication.
DNS Server
When using Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), you must use at least Windows
Server 2008 R2, Windows Server 2008 with the Q958194 hotfix, Windows Server 2008 Service Pack 2 or
newer, or a non-Windows DNS server that supports DNS message exchanges over ISATAP.
NAP Servers
NAP is an optional component of the DirectAccess solution that allows you to provide compliance
checking and enforce security policy for DirectAccess clients over the Internet. DirectAccess provides the
ability to configure NAP health check directly from the setup UI.
Remote Access (DirectAccess, Routing and Remote Access) Overview
http://go.microsoft.com/fwlink/?LinkID=269658&clcid=0x409
DirectAccess Tunneling Protocol Options
DirectAccess uses IPv6 and IPsec when clients
connect to internal resources. However, many
organizations do not have a native IPv6
infrastructure. Therefore, DirectAccess uses IPv6
transition (tunneling) technologies that let IPv6
clients reach IPv4 internal resources while
communicating across the IPv4-based Internet.
DirectAccess tunneling protocols include:
ISATAP. ISATAP enables DirectAccess clients
to connect to the DirectAccess server over the
IPv4 networks for intranet communication. By
using ISATAP, an IPv4 network emulates a logical IPv6 subnet to other ISATAP hosts, where ISATAP
hosts automatically tunnel to each other for IPv6 connectivity. Windows Vista, Windows Server 2008,
and newer Windows client and server operating systems can act as ISATAP hosts. ISATAP does not
need changes on IPv4 routers because IPv6 packets are tunneled within an IPv4 header. To use
ISATAP, you have to configure DNS servers to answer ISATAP queries, and IPv6 must be enabled on
network hosts.
6to4. 6to4 enables DirectAccess clients to connect to the DirectAccess server over the IPv4-based
Internet. You can use 6to4 when clients have a public IP address. IPv6 packets are encapsulated in an
IPv4 header, and sent over the 6to4 tunnel adapter to the DirectAccess server. You can configure the
6to4 tunnel adapter for DirectAccess clients and the DirectAccess server by using a GPO. 6to4 cannot
work if clients are located behind an IPv4 network address translation (NAT) device.
Teredo. Teredo enables DirectAccess clients to connect to the DirectAccess server across the IPv4
Internet when clients are located behind an IPv4 NAT device; the firewall must allow outbound traffic
on User Datagram Protocol (UDP) port 3544. Clients that have a private IPv4 address use Teredo to
encapsulate IPv6 packets in an IPv4 header and send them over the IPv4-based Internet. You can
configure Teredo for DirectAccess clients and the DirectAccess server by using a GPO.
IP-HTTPS. IP-HTTPS enables DirectAccess clients to connect to the DirectAccess server over the IPv4-
based Internet. IP-HTTPS is used by clients that are unable to connect to the DirectAccess server by
using ISATAP, 6to4, or Teredo. You can configure IP-HTTPS for DirectAccess clients and the
DirectAccess server by using Group Policy.
IPv6 Transition Technologies
http://go.microsoft.com/fwlink/?LinkID=154382&clcid=0x409
How DirectAccess Works for Internal Clients
A Network Location Server is an internal network
server that hosts an HTTPS-based URL.
DirectAccess clients try to access a Network
Location Server URL to determine if they are
located on the intranet or on a public network.
The DirectAccess server also can be the Network
Location Server. In some organizations where
DirectAccess is a business-critical service, the
Network Location Server should be highly
available. Generally, the Web server on the
Network Location Server does not have to be
dedicated just to supporting DirectAccess clients.
It is critical that the Network Location Server be available from each company location, because the
behavior of the DirectAccess client depends on the response from the Network Location Server. Branch
locations might need a separate Network Location Server at each branch location to ensure that the
Network Location Server remains accessible even when there is a link failure between branches.
How DirectAccess Works for Internal Clients
The DirectAccess connection process happens automatically, without requiring user intervention.
DirectAccess clients use the following process to connect to intranet resources:
1. The DirectAccess client tries to resolve the fully qualified domain name (FQDN) of the Network
Location Server URL.
Because the FQDN of the Network Location Server URL corresponds to an exemption rule in the
Name Resolution Policy Table (NRPT), the DirectAccess client instead sends the DNS query to a locally
configured DNS server (an intranet-based DNS server). The intranet-based DNS server resolves the
name.
2. The DirectAccess client accesses the HTTPS-based URL of the Network Location Server, and during
this process, it obtains the certificate of the Network Location Server.
3. Based on the certificate revocation list (CRL) distribution points field of the Network Location Server's
certificate, the DirectAccess client checks the CRL revocation files in the CRL distribution point to
determine if the Network Location Server's certificate has been revoked.
4. If the HTTP response code is 200, the DirectAccess client determines the success of the Network
Location Server URL (successful access, certificate authentication, and revocation check). Next, the
DirectAccess client will use the network location awareness service to determine if it should switch to
the domain firewall profile and ignore the DirectAccess policies because it is on the organization's
network.
5. The DirectAccess client computer attempts to locate and log on to the AD DS domain by using its
computer account. Because the client no longer references any DirectAccess rules in the NRPT for the
rest of the connected session, all DNS queries are sent through interface-configured DNS servers
(intranet-based DNS servers). With the combination of network location detection and computer
domain logon, the DirectAccess client configures itself for normal intranet access.
6. Based on the computer's successful logon to the domain, the DirectAccess client assigns the domain
(firewall network) profile to the attached network.
By design, the DirectAccess connection security tunnel rules are scoped for the public and private firewall
profiles, and they are disabled from the list of active connection security rules.
The DirectAccess client has successfully determined that it is connected to its intranet, and does not use
DirectAccess settings (NRPT rules or Connection Security tunnel rules). The DirectAccess client can access
intranet resources normally. It also can access Internet resources through normal means, such as a proxy
server.
How DirectAccess Works for External Clients
When a DirectAccess client cannot reach the URL
address specified for the Network Location Server,
the DirectAccess client assumes that it is not
connected to the intranet and that it is located on
the Internet. When the client computer cannot
communicate with the Network Location Server, it
starts to use NRPT and connection security rules.
The NRPT has DirectAccess-based rules for name
resolution, and connection security rules define
DirectAccess IPsec tunnels for communication
with intranet resources. Internet-connected
DirectAccess clients use the following process to
connect to intranet resources:
1. The DirectAccess client attempts to access the Network Location Server.
2. The client attempts to locate a domain controller.
3. The client attempts to access intranet resources first, and then Internet resources.
DirectAccess Client Attempts to Access the Network Location Server
The DirectAccess clients attempt to access the Network Location Server as follows:
1. The client tries to resolve the FQDN of the Network Location Server URL. Because the FQDN of the
Network Location Server URL corresponds to an exemption rule in the NRPT, the DirectAccess client
does not send the DNS query to a locally configured DNS server (an Internet-based DNS server). An
external Internet-based DNS server would not be able to resolve the name.
2. The DirectAccess client processes the name resolution request as defined in the DirectAccess
exemption rules in the NRPT.
3. Because the Network Location Server is not found on the same network where the DirectAccess client
is currently located, the DirectAccess client applies a public or private firewall network profile to the
attached network.
4. The Connection Security tunnel rules for DirectAccess, which are scoped for the public and private
profiles, become active for the public or private firewall network profile.
The DirectAccess client uses a combination of NRPT rules and connection security rules to locate and
access intranet resources across the Internet through the DirectAccess server.
DirectAccess Client Attempts to Locate a Domain Controller
After starting up and determining its network location, the DirectAccess client attempts to locate and log
on to a domain controller. This process creates an IPsec tunnel, or an infrastructure tunnel, by using the
IPsec tunnel mode and encapsulating security payload (ESP), to the DirectAccess server. The process is as
follows:
1. The DNS name for the domain controller matches the intranet namespace rule in the NRPT, which
specifies the IPv6 address of the intranet DNS server. The DNS client service constructs the DNS name
query that is addressed to the IPv6 address of the intranet DNS server and forwards it to the
DirectAccess client's TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address in the DNS name query matches a connection security rule that
corresponds with the infrastructure tunnel, the DirectAccess client uses AuthIP and IPsec to negotiate
and authenticate an encrypted IPsec tunnel to the DirectAccess server. The DirectAccess client (both
the computer and the user) authenticates itself with its installed computer certificate and its NTLM
credentials, respectively.
Note: AuthIP enhances authentication in IPsec by adding support for user-based
authentication with Kerberos version 5 protocol or SSL certificates. AuthIP also supports efficient
protocol negotiation and usage of multiple sets of credentials for authentication.
4. The DirectAccess client sends the DNS name query through the IPsec infrastructure tunnel to the
DirectAccess server.
5. The DirectAccess server forwards the DNS name query to the intranet DNS server. The DNS name
query response is sent back to the DirectAccess server and back through the IPsec infrastructure
tunnel to the DirectAccess client.
Subsequent domain logon traffic goes through the IPsec infrastructure tunnel. When the user on the
DirectAccess client logs on, the domain logon traffic goes through the IPsec infrastructure tunnel.
DirectAccess Client Attempts to Access Intranet Resources
The first time that the DirectAccess client sends traffic to an intranet location that is not on the list of
destinations for the infrastructure tunnel (such as an email server), the following process occurs:
1. The application or process that attempts to communicate constructs a message or payload, and
hands it off to the TCP/IP stack for sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IPv6 address matches the connection security rule that corresponds with the
intranet tunnel (which specifies the IPv6 address space of the entire intranet), the DirectAccess client
uses AuthIP and IPsec to negotiate and authenticate an additional IPsec tunnel to the DirectAccess
server. The DirectAccess client authenticates itself with its installed computer certificate and the user
account's Kerberos credentials.
4. The DirectAccess client sends the packet through the intranet tunnel to the DirectAccess server.
5. The DirectAccess server forwards the packet to the intranet resources. The response is sent back to
the DirectAccess server and back through the intranet tunnel to the DirectAccess client.
Any subsequent intranet access traffic that does not match an intranet destination in the infrastructure
tunnel connection security rule goes through the intranet tunnel.
DirectAccess Client Attempts to Access Internet Resources
When the user or a process on the DirectAccess client attempts to access an Internet resource (such as an
Internet Web server), the following process occurs:
1. The DNS client service passes the DNS name for the Internet resource through the NRPT. There are
no matches. The DNS client service constructs the DNS name query that is addressed to the IP
address of an interface-configured Internet DNS server and hands it off to the TCP/IP stack for
sending.
2. Before sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall
outgoing rules or connection security rules for the packet.
3. Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the DNS name query
normally.
4. The Internet DNS server responds with the IP address of the Internet resource.
5. The user application or process constructs the first packet to send to the Internet resource. Before
sending the packet, the TCP/IP stack checks to determine if there are Windows Firewall outgoing
rules or connection security rules for the packet.
6. Because the destination IP address in the DNS name query does not match the connection security
rules for the tunnels to the DirectAccess server, the DirectAccess client sends the packet normally.
Any subsequent Internet resource traffic that does not match a destination in either the infrastructure
or intranet tunnel connection security rules is sent and received normally.
The process of accessing the domain controller and intranet resources is very similar to the connection
process, because both processes use the NRPT to locate the appropriate DNS server to resolve the name
queries. However, the main difference is in the IPsec tunnel that is established between the client and the
DirectAccess server. When accessing the domain controller, all the DNS queries are sent through the
IPsec infrastructure tunnel, and when accessing intranet resources, a second IPsec tunnel is established to
access intranet resources.
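To observe on a live Windows 8.1 client the location decision described in the internal and external client topics above, and the transition technology chosen as described in the tunneling protocol topic, here is an added PowerShell check that is not part of the course. It uses the built-in NetworkConnectivityStatus, DnsClient, NetworkTransition and NetSecurity cmdlets; the property names are as documented for Windows 8.1 but should be verified with Get-Member on the target build.

```powershell
# Added example (not from the course): read-only DirectAccess client diagnostics on Windows 8.1.
# Shows which side of the Network Location Server (NLS) check the client landed on, the NRPT
# rules it is applying, and which IPv6 transition technology is carrying the IPsec tunnels.

# 1. Location decision. ConnectedLocally: the NLS answered over HTTPS, so NRPT and tunnel rules
#    are inactive. ConnectedRemotely: the NLS was unreachable, so the client is using DirectAccess.
$status = Get-DAConnectionStatus
"DirectAccess status: $($status.Status) ($($status.Substatus))"

# 2. The NLS URL distributed by GPO (the NCSI/network location awareness policy).
$nls = (Get-NCSIPolicyConfiguration).DomainLocationDeterminationUrl
"Network Location Server URL: $nls"

# 3. NRPT rules. A rule with DirectAccessDnsServers is an intranet namespace rule (queries go
#    through the infrastructure tunnel); a rule without them is an exemption such as the NLS
#    name, which is resolved by the interface-configured DNS servers instead.
Get-DnsClientNrptPolicy | ForEach-Object {
    $kind = if ($_.DirectAccessDnsServers) {
                "intranet rule -> DNS $($_.DirectAccessDnsServers -join ', ')"
            } else {
                'exemption (resolved by interface DNS)'
            }
    'NRPT {0,-30} {1}' -f $_.Namespace, $kind
}

# 4. Transition technologies, in the order the client tries them: 6to4, Teredo, then IP-HTTPS.
'6to4:     {0}' -f (Get-Net6to4Configuration).State
'Teredo:   {0}' -f (Get-NetTeredoState).State
$ipHttps = Get-NetIPHttpsState
'IP-HTTPS: {0} (last error code {1})' -f $ipHttps.InterfaceStatus, $ipHttps.LastErrorCode

# 5. Established IPsec main mode SAs. When connected remotely, the infrastructure tunnel
#    (computer certificate + NTLM) and, after user traffic, the intranet tunnel appear here.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId |
    Format-Table -AutoSize
```

A client that reports ConnectedLocally while sitting on an external network has reached something answering at the NLS URL, which is exactly the case the course warns about when it says the client's behavior depends entirely on that response.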
Demonstration: Configuring DirectAccess by Running the Getting Started Wizard
In this demonstration, you will learn how to configure DirectAccess by running the Getting Started
Wizard.
Demonstration Steps
1. Switch to LON-SVR2.
2. On LON-SVR2 in the Server Manager console, select Remote Access Management. Complete the
Getting Started Wizard in the Remote Access Management console with the following settings:
o On the Configure Remote Access page, click Deploy DirectAccess only.
o Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients
to connect to Remote Access server box, type 131.107.0.2.
o On the Remote Access Review page, remove the Domain Users group, and add the
DA_Clients group.
o On the Remote Access Review page, clear the Enable DirectAccess for mobile computers
only check box.
3. Restart LON-SVR2.
Getting Started Wizard Configuration Changes
The Getting Started Wizard makes multiple configuration changes so that DirectAccess clients can connect
to an intranet. These changes include:
GPO settings. Two GPOs are created to define which computers will be allowed to connect to an
organization's network by using DirectAccess:
o DirectAccess server settings GPO. Defines settings that will apply to DirectAccess servers.
o DirectAccess client settings GPO. Defines settings that will apply to DirectAccess clients.
Remote clients. In the wizard, you can configure the following client computer settings for
DirectAccess:
o Select groups. You can select which groups of client computers will be configured for
DirectAccess. By default, the Domain Computers group will be configured for DirectAccess. In the
wizard, you can edit this setting and replace the Domain Computers group with a custom
security group.
o Enable DirectAccess for mobile computers only. This setting is enabled by default, but you can
disable it in the wizard.
o DirectAccess Connectivity Assistant. The Network Connectivity Assistant runs on every client
computer and provides DirectAccess connectivity information, diagnostics, and remediation
support.
o Resources that validate connectivity to an internal network. DirectAccess client computers need
information that will help them decide whether they are located on an intranet or the Internet.
Therefore, they will contact resources that you provide in this wizard. You can provide the URL
that will be accessed by an HTTP request or the FQDN that will be contacted by the ping command. By
default, this is not configured.
o Help desk email address. By default, this setting is not configured.
o DirectAccess connection name. The default name is Workplace Connection.
o Allow DirectAccess clients to use local name resolution. This setting is disabled by default.
Remote access server. In the wizard, you define the network topology where the DirectAccess server is
located:
o At the edge of the internal corporate network, where the edge server has two network adapters.
o On a server located behind an edge device, where the server has two network adapters.
o On a server located behind an edge device, where the server has one network adapter.
One of the preceding settings is already selected in the wizard. The public name or IPv4 address
where DirectAccess clients connect from the Internet is already entered in the wizard.
You can also define the network adapter to which the DirectAccess clients connect, as well as
certificates used for IP-HTTPS connections.
Infrastructure servers. In the wizard, you define infrastructure servers. DirectAccess clients connect to
these servers before they connect to internal corporate resources. By default, two entries are
configured: the domain name suffix and DirectAccess-NLS name followed by the domain name suffix.
For example, if the domain name is contoso.com, then the following entries are configured:
contoso.com and DirectAccess-NLS.contoso.com.
Demonstration: Identifying the Getting Started Wizard Settings
In this demonstration, you will identify the changes made by the DirectAccess Getting Started Wizard.
Demonstration Steps
1. On LON-SVR2, switch to the Server Manager console, and then open the Remote Access
Management console.
2. In Remote Access Management console, select DirectAccess and VPN.
3. In the Remote Access Setup window, under the image of the client computer labeled as Step 1
Remote Clients, click Edit to display the DirectAccess Client Setup window.
4. Review the default settings of all items in the menu on the left, Deployment Scenario, Select
Groups, and Network Connectivity Assistant, and then close the window without saving any
changes.
5. In the Remote Access Setup window, under the image of the client computer labeled as Step 2
Remote Access Servers, click Edit to display the Remote Access Server Setup window.
6. Review the default settings of all items in the menu on the left, Network Topology, Network
Adapters, and Authentication, and then close the window without saving any changes.
7. In the Remote Access Setup window, under the image of the client computer labeled as Step 3
Infrastructure Servers, click Edit to display the Infrastructure Server Setup window.
8. Review the default settings of all items in the menu on the left, Network Location Server, DNS,
DNS Suffix Search List, and Management, and then close the window without saving any
changes.
9. In the Remote Access Setup window, under the image of the client computer labeled as Step 4
Application Servers, click Edit to display the DirectAccess Application Server Setup window.
10. Review the default settings for all items, and then close the window without saving any changes.
11. Close all open windows.
Windows 8.1 DirectAccess Client Components
Windows 8.1 hosts several components that work together to facilitate DirectAccess connectivity:
Connection security rules and Windows Firewall. Connection security rules determine how your computer
will connect to network resources. By default, the DirectAccess GPOs that are created by the Getting
Started Wizard will create a connection security rule in Windows Firewall named ClienttoCorp. The
connection security rule will enable an IPsec connection to the DirectAccess server if the client
computer cannot resolve the FQDN of the Network Location Server.
NRPT. The DirectAccess GPOs also will create NRPT entries for the client computer. You can view the
configuration of the NRPT by running the Get-DNSClientNrptPolicy cmdlet in the Windows PowerShell
command-line interface. The NRPT will have an entry for each DNS namespace that has been configured
for DirectAccess.
IPv6 connectivity. IPv6 must be enabled on the DirectAccess client to connect to the DirectAccess
server. When you ping by DNS name to the DirectAccess server or to internal network resources, the
address will be converted to IPv6 through IPv6 and IPv4 transition technologies.
DirectAccess Troubleshooting Tools in Windows 8.1
Incorrect Group Policy application is the most common cause of DirectAccess client configuration issues,
but network connectivity configuration and Windows Firewall configuration also can affect DirectAccess
functionality. You can use the following tools to confirm or troubleshoot DirectAccess connectivity in
Windows 8.1.
DirectAccess Windows PowerShell cmdlets
You can use several DirectAccess Windows PowerShell cmdlets to configure and view the configuration
status of a DirectAccess client. The most relevant cmdlets for troubleshooting and configuration are Get-
DAConnectionStatus and Get-DAClientExperienceConfiguration.
Cmdlet                                  Description
Get-DAConnectionStatus                  Shows the current status of a DirectAccess client connection.
Disable-DAManualEntryPointSelection     Disables a manually selected DirectAccess entry point and reverts the selection to the default.
Enable-DAManualEntryPointSelection      Enables a specific DirectAccess entry point to use for connectivity.
Get-DAClientExperienceConfiguration     Returns the current client experience configuration for DirectAccess.
Get-DAEntryPointTableItem               Retrieves the list of entry points that have been configured for DirectAccess.
New-DAEntryPointTableItem               Configures a new entry point for multisite DirectAccess.
Remove-DAEntryPointTableItem            Removes a DirectAccess entry point from the specified configuration store.
Rename-DAEntryPointTableItem            Renames a DirectAccess entry point.
Reset-DAClientExperienceConfiguration   Restores the specified DirectAccess client configuration to the defaults.
Reset-DAEntryPointTableItem             Resets the specified DirectAccess entry point configuration to the default configuration.
Set-DAClientExperienceConfiguration     Modifies the configuration of the specified DirectAccess client user experience.
Set-DAEntryPointTableItem               Modifies the configuration of a DirectAccess entry point stored in a GPO.
Workplace Connection page
You can use the Workplace Connection page to determine the DirectAccess status of the client computer. To
view DirectAccess status, open the Charms menu, click PC Settings, click Network, click Connections, and
then click Workplace Connection. The Workplace Connection page will provide your current DirectAccess
status, and a link that enables you to collect DirectAccess logs.
Lab B: Implementing DirectAccess by Using the Getting
Started Wizard
Scenario
Many users at A. Datum work from outside the organization. This includes mobile users and people who
work from home. These users currently connect to the internal network by using a third-party VPN
solution. The Security department is concerned about the security of the external connections and wants
to ensure that the connections are as secure as possible. The Support team wants to minimize the number
of support calls related to remote access and would like to have more options for managing remote
computers.
IT management at A. Datum is considering deploying DirectAccess as the remote access solution for the
organization. As an initial proof-of-concept deployment, management has requested that you configure a
simple DirectAccess environment that can be used with Windows 8.1 client computers.
Objectives
After completing this lab, you will be able to:
Configure DirectAccess.
Validate the DirectAccess deployment.
Lab Setup
Estimated Time: 30 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-SVR1, 20687C-LON-SVR2, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
Lab Setup
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, on the Start screen, click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
5. Repeat steps 2 to 4 for 20687C-LON-SVR1, 20687C-LON-SVR2, and 20687C-LON-CL1.
Enable Ethernet 2 on LON-SVR2:
1. Switch to LON-SVR2.
2. From the Start screen, type ncpa.cpl, and then press Enter.
3. In the Network Connections window, right-click Ethernet 2, and then click Enable.
4. Close the Network Connections window.
Exercise 1: Configuring DirectAccess
Scenario
You must prepare the DirectAccess infrastructure for deployment. You must install the Remote Access
server role on LON-SVR2, and configure DirectAccess on the DirectAccess server by using the Getting
Started Wizard.
The main tasks for this exercise are as follows:
1. Install the Remote Access server role.
2. Create a security group for DirectAccess clients.
3. Configure DirectAccess by using the Getting Started Wizard.
Task 1: Install the Remote Access server role
On LON-SVR2, install the Remote Access server role with the DirectAccess and VPN (RAS) role
service.
Task 2: Create a security group for DirectAccess clients
1. On LON-DC1, open Active Directory Users and Computers.
2. In Active Directory Users and Computers, create a new global security group named DA_Clients in
the Users container.
3. Add LON-CL1 to the DA_Clients group.
Task 3: Configure DirectAccess by using the Getting Started Wizard
1. Switch to LON-SVR2.
2. On LON-SVR2 in the Server Manager console, select Remote Access Management. Complete the
Getting Started Wizard in the Remote Access Management console with the following settings:
a. On the Configure Remote Access page, click Deploy DirectAccess only.
b. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients
to connect to Remote Access server box, type 131.107.0.2.
c. On the Remote Access Review page, remove the Domain Users group, and add the
DA_Clients group.
d. On the Remote Access Review page, clear the Enable DirectAccess for mobile computers
only check box.
3. Restart LON-SVR2.
4. Wait for LON-SVR2 to restart, and then sign in as Adatum\Administrator with a password of
Pa$$w0rd.
5. Open the Remote Access console and view the Operations Status page.
6. All components should have a Status of Working and a green check mark beside them. If this is not
the case, click Refresh to update the Operations Status view. You might have to do this several times.

Results: After completing this exercise, you should have successfully configured DirectAccess by using the
Getting Started Wizard.
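The following script is an added example, not part of the course materials: it applies the same settings that the Getting Started Wizard demonstration and Exercise 1 above set through the console, using the RemoteAccess module cmdlets on LON-SVR2, and then reads the result back. It assumes an elevated, domain-joined session, that the cmdlet parameters behave as documented for Windows Server 2012 R2, and that the Get-RemoteAccessHealth HealthState values are as assumed in the comments.

```powershell
# Added example (not from the course): scripted counterpart of the Getting Started
# Wizard settings used in the demonstration and in Lab B, Exercise 1, on LON-SVR2.
# Assumptions: elevated, domain-joined session; RemoteAccess module cmdlets
# (Install-RemoteAccess, Get-DAClient, Add-DAClient, Remove-DAClient, Set-DAClient,
# Get-RemoteAccessHealth) behave as documented for Windows Server 2012 R2.

# Task 1: Remote Access server role with the DirectAccess and VPN (RAS) role service.
Install-WindowsFeature -Name DirectAccess-VPN -IncludeManagementTools

# Task 3, steps 2a/2b: "Deploy DirectAccess only" on an edge server, using the public
# IPv4 address that Internet clients connect to. DAInstallType Full creates the
# server settings GPO and the client settings GPO described in the topic above.
Install-RemoteAccess -DAInstallType Full -ConnectToAddress '131.107.0.2' -Force

# Task 3, step 2c: scope the client GPO to DA_Clients instead of the wizard's default
# group, so that only computers placed in DA_Clients (LON-CL1 in the lab) become
# DirectAccess clients. The current default is read back rather than hard-coded.
$defaultGroups = (Get-DAClient).SecurityGroupNameList
if ($defaultGroups) {
    Remove-DAClient -SecurityGroupNameList $defaultGroups
}
Add-DAClient -SecurityGroupNameList 'Adatum\DA_Clients'

# Task 3, step 2d: clear "Enable DirectAccess for mobile computers only". When it is
# enabled, the client GPO carries a WMI filter that limits it to laptops.
Set-DAClient -OnlyRemoteComputers Disabled

# The lab restarts LON-SVR2 at this point; after the restart, read the client scope
# back and compare it with the DirectAccess Client Setup window.
Get-DAClient | Select-Object SecurityGroupNameList, OnlyRemoteComputers

# Scripted view of the Operations Status page (step 6). Components can take a while
# to settle after the restart; rerun until nothing is listed. The HealthState value
# 'OK' is an assumption about the cmdlet's output.
Get-RemoteAccessHealth |
    Where-Object { $_.HealthState -ne 'OK' } |
    Select-Object Component, HealthState
```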
Exercise 2: Validating the DirectAccess Deployment
Scenario
Now that you have configured DirectAccess, you need to verify that DirectAccess is working. You will start
by verifying the changes made by the Getting Started Wizard, and then you will verify that client
computers can access the internal network by using DirectAccess.
The main tasks for this exercise are as follows:
1. Verify the DirectAccess GPO deployment.
2. Test DirectAccess connectivity.
Task 1: Verify the DirectAccess GPO deployment
1. Switch to LON-CL1.
2. Restart LON-CL1 and sign in as Adatum\Administrator with a password of Pa$$w0rd to apply the
GPOs.
3. Open a command prompt on LON-CL1.
4. At the command prompt, type gpresult /R to verify that the DirectAccess Client Settings GPO is
applied to the Computer Settings.
Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, and then
repeat steps 3 and 4 on LON-CL1.
5. Run the following command at the command prompt.
netsh name show effectivepolicy
Verify that the following message is displayed: DNS Effective Name Resolution Policy Table Settings
Note: DirectAccess settings are inactive when this computer is inside a corporate network.
6. To move the client from the intranet to the public network, go to the Start screen, type ncpa.cpl, and
then press Enter.
7. In the Network Connections window, right-click the Ethernet connection, and then click Disable.
8. In the Network Connections window, right-click the Ethernet 2 connection, and then click Enable.
9. Close all open windows.
Task 2: Test DirectAccess connectivity
1. Switch to LON-SVR1.
2. In File Explorer, create a shared folder named C:\Data with the default settings for the Everyone
group.
3. Switch to LON-CL1.
4. On the Start screen, type \\LON-SVR1\Data, and then press Enter. Note that you are able to access
the folder content.
5. Close all open windows.
6. Move the pointer to the lower-right corner of the screen, and in the notification area, click search,
and in the search box, type cmd.
7. At the command prompt, run the ipconfig command.
Note: Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an
IP-HTTPS address.
8. At the command prompt, type the following command, and then press Enter.
Netsh name show effectivepolicy
9. Verify that DNS Effective Name Resolution Policy Table Settings present two entries for
adatum.com and Directaccess-NLS.Adatum.com.
10. At the Windows PowerShell command prompt, type the following command, and then press Enter:
Get-DAClientExperienceConfiguration
Note: Notice the DirectAccess client settings.
11. Switch to LON-SVR2.
12. In the Remote Access Management console, click Remote Client Status.
Note: Notice that Client is connected via IPHttps. In the Connection Details pane, in the
bottom-right of the screen, note the use of the Kerberos protocol for the Machine and the User.
13. Close all open windows.

Results: After completing this exercise, you should have successfully validated the DirectAccess
deployment.
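As an added example that is not part of the course, the function below gathers into one report the client-side checks described in the DirectAccess Troubleshooting Tools topic and performed by hand in Exercise 2 (Get-DAConnectionStatus, the NRPT, the IP-HTTPS address beginning with 2002, and the IPsec tunnels). The function name Test-DaClientState is hypothetical; the cmdlets it calls are the in-box Windows 8.1 cmdlets, and the interface alias iphttpsinterface and the leading dot on the NRPT suffix entry are assumptions about their output.

```powershell
# Added example (not from the course): one-shot health report for a Windows 8.1
# DirectAccess client such as LON-CL1 after it is moved to the Ethernet 2 (Internet)
# network in Lab B. Function name Test-DaClientState is hypothetical.
function Test-DaClientState {
    [CmdletBinding()]
    param(
        # Namespaces the Getting Started Wizard put in the NRPT for the Adatum lab.
        [string[]]$ExpectedNamespace = @('adatum.com', 'directaccess-nls.adatum.com')
    )

    $result = [ordered]@{}

    # 1. Overall state. ConnectedRemotely means both IPsec tunnels are up;
    #    ConnectedLocally means the NLS was reachable and DirectAccess is inactive.
    $status = Get-DAConnectionStatus
    $result.Status    = $status.Status
    $result.Substatus = $status.Substatus

    # 2. NRPT. Each DirectAccess namespace must be present; a missing entry usually
    #    means the DirectAccess Client Settings GPO has not applied (see gpresult /R).
    #    Get-DnsClientNrptPolicy is assumed to show the suffix rule as ".adatum.com",
    #    so the leading dot is ignored when comparing (-eq is case-insensitive).
    $nrpt = @(Get-DnsClientNrptPolicy)
    $missing = foreach ($ns in $ExpectedNamespace) {
        $hit = $nrpt | Where-Object { $_.Namespace.TrimStart('.') -eq $ns }
        if (-not $hit) { Write-Warning "NRPT entry missing: $ns"; $ns }
    }
    $result.NrptEntries = $nrpt.Count
    $result.NrptMissing = @($missing)

    # 3. IP-HTTPS. The transition interface must be active and carry a 2002:
    #    (6to4-derived) address, the one the lab shows with ipconfig.
    $https = Get-NetIPHttpsState
    $result.IpHttpsInterface = $https.InterfaceStatus
    $result.IpHttpsLastError = $https.LastErrorCode
    $addr = Get-NetIPAddress -InterfaceAlias 'iphttpsinterface' -AddressFamily IPv6 `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.IPAddress -like '2002:*' }
    $result.IpHttpsAddress = @($addr.IPAddress)

    # 4. IPsec. The infrastructure and intranet tunnels appear as main mode security
    #    associations with the DirectAccess server as remote endpoint.
    $sa = @(Get-NetIPsecMainModeSA -ErrorAction SilentlyContinue)
    $result.IpsecMainModeSAs  = $sa.Count
    $result.IpsecRemotePeers  = @($sa.RemoteEndpoint | Sort-Object -Unique)

    [pscustomobject]$result
}

# Usage: run on LON-CL1 after step 8 of Task 1, then again after Task 2.
Test-DaClientState | Format-List
```

A report with Status other than ConnectedRemotely, a non-empty NrptMissing list, or zero main mode SAs points at Group Policy application, name resolution, or Windows Firewall respectively, in the order the troubleshooting topic lists them.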
To prepare for the next lab
When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Repeat steps 2 and 3 for 20687C-LON-SVR1, 20687C-LON-SVR2, and 20687C-LON-DC1.

Lesson 3
Configuring VPN Access
To implement and support a VPN environment properly within your organization, you must understand
how to select a suitable tunneling protocol, how to configure VPN authentication, and how to configure
other settings to support your chosen environment.
Lesson Objectives
After completing this lesson, you will be able to:
Describe a VPN connection.
Describe the tunneling protocols that VPNs use.
Describe VPN authentication mechanisms.
Describe VPN Reconnect and VPN Auto-trigger.
Configure a VPN.
Describe the Connection Manager Administration Kit (CMAK).
Identify key steps for configuring and distributing a connection profile.
Create a connection profile.
What Is a VPN Connection?
A VPN provides a point-to-point connection between components of a private network, through a public
network such as the Internet. Tunneling protocols enable a VPN client to establish and maintain a
connection to the listening virtual port of a VPN server. To emulate a point-to-point link, the data is
encapsulated, or wrapped, and prefixed with a header. This header provides routing information that
enables the data to traverse the public network to reach its endpoint.
To emulate a private link, the data is encrypted to ensure confidentiality. Packets that are intercepted on
the public network are indecipherable without the encryption keys. Two types of VPN connections exist:
Remote access
Site-to-site
Remote Access VPN Connections
Remote access VPN connections enable users that are working at home, at customer sites, or from public
wireless access points to access a server that exists in your organization's private network. They do so by
using the infrastructure that a public network, such as the Internet, provides.
From the user's perspective, the VPN is a point-to-point connection between the computer, the VPN
client, and your organization's server. The exact infrastructure of the shared or public network is irrelevant,
because it logically appears as if the data is sent over a dedicated private link.
Site-to-Site VPN Connections
Site-to-site VPN connections, which also are known as router-to-router VPN connections, enable your
organization to have routed connections between separate offices or with other organizations over a
public network, while maintaining secure communications.
A routed VPN connection across the Internet logically operates as a dedicated wide area network link.
When networks connect over the Internet, a router forwards packets to another router across a VPN
connection. To the routers, the VPN connection operates as a data-link layer link.
A site-to-site VPN connection connects two portions of a private network. The VPN server provides a
routed connection to the network to which the VPN server is attached. The calling router (the VPN client)
authenticates itself to the answering router (the VPN server), and for mutual authentication, the answering
router authenticates itself to the calling router.
In a site-to-site VPN connection, the packets that are sent from either router across the VPN connection
typically do not originate at the routers.
Properties of VPN Connections
VPN connections that use Point-to-Point Tunneling Protocol (PPTP), Layer Two Tunneling Protocol (L2TP)
with IPsec, and Secure Socket Tunneling Protocol (SSTP) have the following properties:
Encapsulation. With VPN technology, private data is encapsulated with a header that contains routing
information, which allows the data to traverse the transit network.
Authentication. Authentication for VPN connections takes the following three forms:
o User-level authentication by using Point-to-Point Protocol (PPP) authentication. To establish the
VPN connection, the VPN server authenticates the VPN client that is attempting to make the
connection by using a PPP user-level authentication method and verifies that the VPN client has
the appropriate authorization. If you use mutual authentication, the VPN client also authenticates
the VPN server, which provides protection against computers that are masquerading as VPN
servers.
o Computer-level authentication by using Internet Key Exchange (IKE). To establish an IPsec
security association, the VPN client and the VPN server use the IKE protocol to exchange either
computer certificates or a preshared key. In either case, the VPN client and VPN server
authenticate each other at the computer level. We recommend computer-certificate
authentication because it provides much stronger authentication. Note that computer-level
authentication is performed only for L2TP/IPsec connections.
o Data origin authentication and data integrity. To verify that the data that is sent over the VPN
connection originated at the connection's other end and was not modified in transit, the data
contains a cryptographic checksum based on an encryption key that only the sender and receiver
know. Data origin authentication and data integrity are available only for L2TP/IPsec connections.
Data encryption. To ensure data confidentiality as the data traverses the shared or public transit
network, the sender encrypts the data and the receiver decrypts it. The encryption and decryption
processes depend on both the sender and the receiver using a common encryption key. Intercepted
packets sent along the VPN connection in the transit network will be unintelligible to anyone who
does not have the common encryption key.
The encryption key's length is an important security parameter. You can use computational
techniques to determine the encryption key. However, such techniques require an increasing amount
of computing power and computational time as encryption keys become larger. Therefore, it is
important to use the largest possible key size to help ensure data confidentiality.
Tunneling Protocols for VPN Connections
You can use the following tunneling protocols for VPN connections in Windows 8.1.
PPTP
PPTP encrypts and encapsulates traffic in an IP header and then sends it across an IP network. You can
use PPTP for remote client and site-to-site VPN connections. When using the Internet, the VPN server
provides the following functionality to the client:
Encapsulation. PPTP encapsulates PPP frames in IP datagrams for network transmission. PPTP uses
Transmission Control Protocol (TCP) to manage the tunnel and a modified version of Generic Routing
Encapsulation to encapsulate PPP frames for data that is transmitted through the tunnel. PPP frames can
be encrypted, compressed, or both.
Encryption. The PPP frame is encrypted with Microsoft Point-to-Point Encryption by using encryption
keys. These keys are generated by the Microsoft version of the Challenge Handshake Authentication
Protocol version 2 (MS-CHAPv2) or the Extensible Authentication Protocol-Transport Layer Security
(EAP-TLS) authentication process. VPN clients must use MS-CHAPv2 or EAP-TLS authentication.
L2TP
L2TP enables you to encrypt multiple-protocol traffic to send over any medium that supports point-to-
point datagram delivery, such as IP or asynchronous transfer mode. L2TP is a combination of PPTP and
Layer 2 Forwarding (L2F). L2TP represents the best features of PPTP and L2F.
L2TP relies on IPsec for traffic encryption. The combination of L2TP and IPsec is known as L2TP/IPsec.
L2TP is built into Windows 8.1, Windows 8, Windows Vista, and Windows XP remote access clients, and
VPN server support for L2TP is built into the Windows Server 2008 and Windows Server 2012 families, as
follows:
Encapsulation. Encapsulation for L2TP/IPsec packets consists of two layers:
o First layer: L2TP encapsulation. A PPP frame (an IP datagram) is wrapped with an L2TP header
and a UDP header.
o Second layer: IPsec encapsulation. The resulting L2TP message is wrapped with an IPsec ESP
header and trailer, an IPsec authentication trailer that provides message integrity and
authentication, and a final IP header. The IP header contains the source and destination IP
addresses that correspond to the VPN client and the VPN server.
Encryption. The L2TP message is encrypted with either Advanced Encryption Standard (AES) or Triple
Data Encryption Standard (3DES) by using encryption keys that the IKE negotiation process generates.
SSTP
SSTP is a tunneling protocol that uses HTTPS over TCP port 443. SSTP commonly is used in scenarios
where PPTP and L2TP/IPsec traffic might be blocked by firewalls. SSTP uses the SSL channel of HTTPS to
encapsulate PPP traffic.
When a client tries to establish an SSTP-based VPN connection, SSTP first establishes two-way
communication on the HTTPS layer with the SSTP server. When this communication is established, the
protocol packets flow as the data payload, as follows:
Encapsulation. SSTP encapsulates PPP frames in IP datagrams for transmission over a network. SSTP
uses a TCP connection over port 443 for tunnel management and for PPP data frames.
Encryption. The SSTP message is encrypted with the SSL channel of HTTPS.
IKEv2
Internet Key Exchange version 2 (IKEv2) uses the IPsec tunnel mode protocol over UDP port 500. Because
of its support for mobility, IKEv2 is much more resilient than other protocols to changing network
connectivity. This resiliency makes it a good choice for mobile users who move among access points and
even switch between wired and wireless connections. An IKEv2 VPN provides resilience to the VPN client
when the client either moves from one wireless hotspot to another or switches from a wireless to a wired
connection. This ability is a requirement of VPN Reconnect.
The use of IKEv2 and IPsec enables support for strong authentication and encryption methods, as follows:
Encapsulation. IKEv2 encapsulates datagrams by using IPsec ESP or Authentication Header (AH)
headers for transmission over a network.
Encryption. The message is encrypted via one of the following protocols by using encryption keys that
are generated from the IKEv2 negotiation process: AES 256, AES 192, AES 128, or 3DES encryption
algorithms.
IKEv2 is supported only on computers that are running Windows 8.1, Windows 8, Windows 7,
Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2.
VPN Authentication
Authenticating users is an important security concern, especially when they connect over a public
network such as the Internet. Authentication methods typically use an authentication protocol that is
negotiated during the connection establishment process.
Windows Server 2012 R2 and Windows 8.1 support a number of authentication methods:
Password Authentication Protocol (PAP). PAP uses plaintext passwords and is the least secure
authentication protocol. It typically is negotiated if the remote access client and remote access server
cannot negotiate a more secure form of validation. PAP is included only for backward compatibility, and
you should avoid using it.
CHAP. CHAP is a challenge/response authentication protocol that uses the industry-standard
Message Digest 5 (MD5) hashing scheme. Various vendors of network access servers and clients
support CHAP. CHAP is not considered to be sufficiently secure, and you should consider using MS-
CHAPv2 in its place.
MS-CHAPv2. MS-CHAPv2 provides a one-way, encrypted-password, mutual-authentication process.
This version is preferable to CHAP and MS-CHAP version 1.
EAP. EAP uses an arbitrary authentication mechanism to authenticate a remote access connection.
The remote access client and the authenticator, which is either the remote access server or the
Remote Authentication Dial-In User Service (RADIUS) server, negotiate the exact authentication
scheme to use.
Digital certificates. Certificates are digital documents that are issued by certification authorities (CAs),
such as Microsoft Active Directory Certificate Services (AD CS) and the VeriSign public CA. You can
use certificates for many purposes, such as code signing and securing email communication.
However, with VPNs, you use certificates for network access authentication because they provide
strong security for authenticating users and computers and eliminate the need for less-secure,
password-based authentication methods. Network Policy Server uses EAP-TLS and Protected
Extensible Authentication Protocol (PEAP) to perform certificate-based authentication for many types
of network access, including VPN and wireless connections.
Two authentication methods, EAP and PEAP, use certificates when you configure them with certificate-
based authentication types. With EAP, you can configure the authentication type TLS (EAP-TLS), and with
PEAP, you can configure the authentication types TLS (PEAP-TLS) and MS-CHAP v2 (PEAP-MS-CHAPv2).
These authentication methods always use certificates for server authentication. Depending on the
authentication type that you configure with the authentication method, you also might use certificates for
user authentication and client computer authentication.
The use of certificates for VPN connection authentication offers the strongest form of authentication that
is available in Windows 8.1. You must use certificates for IPsec authentication on VPN connections that are
based on L2TP/IPsec. PPTP connections do not require certificates, although you can configure PPTP
connections to use certificates for computer authentication when you use EAP-TLS as the authentication
method. For wireless clients, use PEAP with EAP-TLS and smart cards or certificates for authentication.
Each of these authentication methods has advantages and disadvantages in terms of security, usability,
and breadth of support. However, password-based authentication methods do not provide strong
security, and we do not recommend them. You should use a certificate-based authentication method for
all network access methods that support certificate use.
What Are VPN Reconnect and VPN Auto-trigger?
VPN Reconnect and VPN Auto-trigger provide
VPN users with a less complex VPN experience.
These features make the process of establishing
VPN connections as simple as possible.
VPN Reconnect
In dynamic business scenarios, users must be able
to access data securely at any time, from
anywhere, and continuously, without interruption.
To meet these requirements, you can configure
the VPN Reconnect feature that is available in
Windows Server 2012 R2, Windows Server 2012,
Windows Server 2008 R2, Windows 8.1,
Windows 8, and Windows 7. With this feature, users can access an organizations data by using a VPN
connection, which automatically reconnects if connectivity is interrupted. This feature also enables
roaming among different networks.
VPN Reconnect uses IKEv2 technology to help provide seamless and consistent VPN connectivity. VPN
Reconnect automatically reestablishes a VPN connection when Internet connectivity becomes available
again. Users who connect via a wireless mobile broadband card benefit most from this capability.
Consider a user with a Windows 8.1 laptop. When the user travels to work on a train, he or she connects
to the Internet by using a wireless mobile broadband card and then establishes a VPN connection to the
company's network. When the train passes through a tunnel, the Internet connection is lost. After the train
emerges from the tunnel, the wireless mobile broadband card automatically reconnects to the Internet.
With Windows Vista, the VPN does not reconnect automatically. Therefore, the user has to repeat the
multistep process of connecting to the VPN manually. Doing so is time-consuming for mobile users with
intermittent connectivity.
With VPN Reconnect, Windows 8.1, Windows 8, and Windows 7 automatically reestablish active VPN
connections when Internet connectivity is reestablished. Even though the reconnection might take several
seconds, users reconnect automatically and have access to internal network resources.
The system requirements for using the VPN Reconnect feature are:
Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 as a VPN server.
Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, or Windows
Server 2008 R2 as the VPN client operating system.
A PKI, because a remote connection with VPN Reconnect requires a computer certificate. Certificates
issued by either an internal or a public CA can be used.
VPN Auto-Trigger
You can configure Windows 8.1 to connect automatically through VPN when applications or network
locations are used that require organizational network resources. Configuration for VPN Auto-trigger in
Windows 8.1 is performed by using Windows PowerShell cmdlets that enable you to add and remove
triggers for the following scenarios:
App-based triggering. When app-based triggering is configured, the VPN connection is triggered by
a specific app being run. In this case, the app is added as a trigger to the VPN connection profile by
using the Add-VpnConnectionTriggerApplication cmdlet. You can remove app triggers by using
the Remove-VpnConnectionTriggerApplication cmdlet in Windows PowerShell.
Name-based triggering. You configure name-based triggering by adding DNS name suffixes to the
VPN connection profile by using the Add-VpnConnectionTriggerDns cmdlet. You can remove
name-based triggers by using the Remove-VpnConnectionTriggerApplication cmdlet in Windows
PowerShell.
Configuring trusted networks
Trusted networks are represented by DNS suffixes where VPN Auto-trigger is not enabled. For example, if
a user has his or her laptop connected to an internal corporate network, the laptop will have access to
resources on the internal network without requiring a VPN connection. In this case, you would add the
DNS suffix or suffixes for the internal network by using the Add-
VpnConnectionTriggerTrustedNetwork cmdlet. If a client computer always connects from outside an
internal network, then no trusted networks need to be configured.
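The following Windows PowerShell script is an added example, not part of the course text: it builds a VPN profile that satisfies the VPN Reconnect requirements (IKEv2 with computer-certificate authentication), enables split tunneling as VPN Auto-trigger requires, and then adds the three kinds of trigger described above. The server name vpn.adatum.com, the DNS suffix corp.adatum.com and the application path are assumptions; the connection name HQ is the one used in this module's demonstration. The removal cmdlet for name-based triggers, Remove-VpnConnectionTriggerDns, is the DNS counterpart of Remove-VpnConnectionTriggerApplication.

```powershell
# Added example (not from the course text). Assumes a VPN server named
# vpn.adatum.com, an internal DNS suffix of corp.adatum.com, and a connection
# named HQ; adjust these to your environment. Run in an elevated Windows
# PowerShell session on a Windows 8.1 client that is not domain-joined
# (Auto-trigger is not supported on domain-joined computers).

$ConnectionName = 'HQ'

# IKEv2 is the tunnel type that VPN Reconnect relies on, and MachineCertificate
# selects computer-certificate authentication instead of a password-based
# method. -SplitTunneling is mandatory: Auto-trigger does not work without it.
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress 'vpn.adatum.com' `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod MachineCertificate `
                  -EncryptionLevel Required `
                  -SplitTunneling `
                  -RememberCredential:$false

# App-based trigger: starting this desktop application brings the VPN up.
# (Path is an assumption; for a Windows Store app, use its package family name.)
Add-VpnConnectionTriggerApplication -ConnectionName $ConnectionName `
    -ApplicationID 'C:\Program Files\Adatum\LineOfBusiness.exe'

# Name-based trigger: resolving any name under this suffix brings the VPN up.
Add-VpnConnectionTriggerDns -ConnectionName $ConnectionName `
    -DnsSuffix 'corp.adatum.com'

# Trusted network: when the client's own connection carries this DNS suffix,
# it is already on the corporate network and the triggers above stay quiet.
Add-VpnConnectionTriggerTrustedNetwork -ConnectionName $ConnectionName `
    -DnsSuffix 'corp.adatum.com'

# Review the profile and its triggers. Confirm that AuthenticationMethod is
# MachineCertificate and that SplitTunneling is True.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod,
                  EncryptionLevel, SplitTunneling
Get-VpnConnectionTrigger -ConnectionName $ConnectionName

# To undo the name-based trigger later, use the DNS counterpart of the removal
# cmdlet:
# Remove-VpnConnectionTriggerDns -ConnectionName $ConnectionName -DnsSuffix 'corp.adatum.com'
```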
Enabling VPN Auto-triggering in the UI
When a VPN profile is configured with one or more triggers, the user is presented with an option in the
network connection window labeled "Let apps automatically use this VPN connection". When the check
box for this option is selected, VPN Auto-trigger will connect the VPN.
Scenarios that do not support VPN Auto-triggering
The following scenarios do not support the use of VPN Auto-triggering in VPN profiles:
Split-tunneling is disabled. If the ability of a VPN connection to route specific traffic to an
organization's network and other traffic through the client's connection to the Internet is disabled,
you cannot use VPN Auto-triggering. VPN Auto-triggering requires split-tunneling to be enabled on
the VPN connection.
The client computer is joined to a domain. VPN Auto-trigger is not supported on domain-joined
computers. You can use a domain-joined computer to create and configure VPN profiles that support
VPN Auto-triggering, but the actual Auto-triggering functionality will not operate on the domain-
joined computer.
Automatically Triggering VPN Connections and VPN Diagnostics Enhancements in Windows
8.1
http://go.microsoft.com/fwlink/?LinkId=378259&clcid=0x409
Demonstration: Configuring a VPN
In this demonstration, you will see how to:
Create a new VPN connection.
Configure the VPN connection.
Test the connection.
Demonstration Steps
Create a new VPN connection
1. Sign in as an administrator, and then open Network and Sharing Center.
2. Create a new VPN by selecting Connect to a workplace.
3. Configure the initial settings, including 172.16.0.10 as the target IPv4 address and HQ as the name.
Configure the VPN connection
Modify the VPN settings to select PPTP as the tunneling type.
Test the connection
1. Connect to LON-DC1 with the HQ VPN, and then authenticate by using the Adatum\Administrator
account.
2. Disconnect the HQ connection.
What Is the CMAK?
You can use the CMAK to customize users'
remote-connection options by creating
predefined connections to remote servers and
networks. You use the CMAK wizard to create and
customize a connection for your users. The CMAK
wizard creates an executable file that you can
distribute in many ways or include during
deployment activities as part of an operating
system image.
Connection Manager is a client network-
connection tool that enables a user to connect to
a remote network, such as an Internet Service
Provider or a corporate network that a VPN server protects.
CMAK is an optional component that is not installed by default. You must install CMAK to create
connection profiles that your users can install and use to access remote networks.
Configuring and Distributing a Connection Profile
You can configure a new or existing connection
profile by using the CMAK Connection Profile
Wizard. Each page of the wizard allows you to
complete another step of the process. The options
presented in the CMAK wizard are:
Select the Target Operating System
Create or Modify a Connection Profile
Specify the Service Name and the File Name
Specify a Realm Name
Merge Information from Other Connection
Profiles
Add Support for VPN Connections
Add a Custom Phone Book
Configure Dial-up Networking Entries
Specify Routing Table Updates
Configure Proxy Settings for Internet Explorer
Add Custom Actions
Display Custom Bitmaps and Icons
Customize the Notification Area Shortcut Menu
Include a Custom Help File
Display Custom Support Information
Include Connection Manager Software with the Connection Profile
Display a Custom License Agreement
Install Additional Files with the Connection Profile
Build the Connection Profile and its Installation Program
Make Advanced Customizations
Your Connection Profile is Complete and Ready to Distribute
Demonstration: Creating a Connection Profile
You will require the 20687C-LON-DC1 and 20687C-LON-CL1 virtual machines for this demonstration.
These should be running already.
Demonstration Steps
Install the CMAK feature
1. If necessary, on LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd.
2. Open Control Panel, and then enable the RAS Connection Manager Administration Kit (CMAK)
feature.
Create a connection profile
1. Open the Connection Manager Administration Kit from Administrative Tools.
2. Complete the wizard to create the connection profile.
Examine the created profile
Use File Explorer to examine the contents of the folder created by the CMAK wizard to create the
connection profile. Normally, you now would distribute this profile to your users.
Lesson 4
Configuring Remote Desktop and Remote Assistance
Many organizations use remote management and troubleshooting so that they can reduce
troubleshooting time and reduce travel costs for support staff. Remote troubleshooting allows support
staff to operate effectively from a central location.
Lesson Objectives
After completing this lesson, you will be able to:
Describe Remote Desktop and Remote Assistance.
Describe how to configure and use Remote Desktop.
Configure and use Remote Assistance.
What Are Remote Desktop and Remote Assistance?
The Windows 8.1 operating system supports
remote troubleshooting capabilities such as
Remote Desktop, Remote Assistance, and other
remote administrative tools.
Note: You also can use Windows PowerShell
to perform remote administration. This is known
as remoting, which lets you run Windows
PowerShell cmdlets on remote computers. The
appendix of this course discusses Windows
PowerShell remoting in detail.
Remote Desktop
Remote Desktop uses the Remote Desktop Protocol (RDP) to allow users to access files on their office
computer from another computer, such as one located at their home. Additionally, Remote Desktop
allows administrators to connect to multiple Windows Server sessions for remote administration purposes.
While a Remote Desktop session is active, Remote Desktop locks the target computer, prohibiting
interactive logons for the session's duration.
Note: Microsoft RemoteFX delivers a rich user experience for Virtual Desktop
Infrastructure by providing a three-dimensional virtual adapter, intelligent codecs, and the ability
to redirect USB devices in virtual machines. RemoteFX is integrated with the RDP protocol, which
enables shared encryption, authentication, management, and device support.
Remote Assistance
Remote Assistance allows a user to request help from a remote administrator. To access Remote
Assistance, run the Windows Remote Assistance tool. By using this tool, you can do the following:
Invite someone who is trustworthy to help you.
Offer to help someone.
View the remote users desktop.
Chat with the remote user with text chat.
Send a file to the remote computer.
Request to take remote control of the remote desktop, if permissions allow.
Users can send Remote Assistance invitations through email or by saving a request to a file that the
remote administrator can read and act upon.
Windows Firewall
Windows 8.1 prevents remote troubleshooting tools from connecting to the local computer by using
Windows Firewall. However, by default, Windows Firewall will allow Remote Desktop and Remote
Assistance traversal of the firewall.
To enable support for other applications, complete the following procedure:
1. Open Windows Firewall from Control Panel.
2. Click Allow a program or feature through the Windows Firewall, and then select for what you
want to enable an exception.
Configuring Remote Desktop
To access a remote computer from a source
computer by using the Remote Desktop feature,
you need to configure certain Remote Desktop
settings on both computers.
On the remote computer, you need to perform
the following steps to enable remote access to the
computer:
1. In Control Panel, click System and Security,
click System, and then click Remote
settings.
2. In the Remote tab of the System Properties
dialog box, you can select one of the following options:
o Don't allow connections to this computer.
o Allow connections from computers running any version of Remote Desktop. This is a less
secure option.
o Allow connections only from computers running Remote Desktop with Network Level
Authentication. This is a more secure option.
3. Click Select Users. If you are prompted for an administrator password or confirmation, type the
password or provide confirmation.
4. If you are an administrator on the computer, your current user account will be added automatically to
the list of remote users, and you can skip the next two steps.
5. In the Remote Desktop Users dialog box, click Add.
6. In the Select Users or Groups dialog box, do the following:
a. To specify the location in which to search for the remote user, click Locations, and then select
the location you want to search.
b. Enter the object names to select, type the name of the user that you want to add as a remote
user, and then click OK.
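The steps above can also be performed and verified from Windows PowerShell. The following script is an added example, not part of the course text: it reads the two registry values behind the Remote tab and maps them to the three options listed above, applies the more secure option (connections allowed, Network Level Authentication required), enables the Remote Desktop firewall rule group, and adds a user to the Remote Desktop Users group. The account Adatum\Adam is the one used in this module's lab; substitute your own.

```powershell
# Added example (not part of the course text). Run in an elevated Windows
# PowerShell session on the computer that will accept Remote Desktop
# connections. The account name Adatum\Adam comes from this module's lab.

$TsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$RdpKey = Join-Path $TsKey 'WinStations\RDP-Tcp'

function Get-RemoteDesktopSetting {
    # Reads the two registry values behind the Remote tab and reports which
    # of its three options they correspond to.
    $deny = (Get-ItemProperty -Path $TsKey  -Name fDenyTSConnections).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path $RdpKey -Name UserAuthentication).UserAuthentication
    if ($deny -eq 1) {
        return "Don't allow connections to this computer"
    } elseif ($nla -eq 1) {
        return 'Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)'
    } else {
        return 'Allow connections from computers running any version of Remote Desktop (less secure)'
    }
}

'Before: {0}' -f (Get-RemoteDesktopSetting)

# Equivalent of the more secure option on the Remote tab: enable connections
# and require NLA, so the client must authenticate before a session is created.
Set-ItemProperty -Path $TsKey  -Name fDenyTSConnections -Value 0 -Type DWord
Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord

# Allow the Remote Desktop rule group through Windows Firewall. Enabling the
# feature from Control Panel does this indirectly; here it is explicit.
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Equivalent of Select Users > Add: grant the user the Remote Desktop right
# without making the account a local administrator.
net localgroup 'Remote Desktop Users' 'Adatum\Adam' /add

# Verify the result: the setting should now read as the NLA option, and the
# Remote Desktop rules should be enabled for the expected profiles.
'After:  {0}' -f (Get-RemoteDesktopSetting)
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Profile, Enabled
```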
On the source computer, you need to perform the following to access the remote computer:
1. Start Remote Desktop.
2. Before connecting, enter the logon credentials on the General tab, and make desired changes to the
options in the Display, Local Resources, Programs, Experience, and Advanced tabs:
o Display. Choose the remote desktop display size. You have the option to run the remote desktop
in full-screen mode.
o Local Resources. Configure local resources for use by the remote computer, such as Clipboard
and printer access.
o Programs. Specify which programs you want to start when you connect to the remote computer.
o Experience. Choose connection speeds and other visual options.
o Advanced. Provide security credential options.
3. Save these settings for future connections by clicking Save on the General tab.
4. Click Connect to connect to the remote computer.
Demonstration: Configuring Remote Assistance
This demonstration shows how to enable and use Remote Assistance. Adam needs help with a Microsoft
Word feature. He requests assistance, and you provide guidance on the feature by using Remote
Assistance.
Demonstration Steps
Create a Microsoft Word 2013 Document
1. Sign in as Adam, and then open Microsoft Word 2013.
2. Create a blank document, and type this is my document into the new Microsoft Word document.
Enable and then request Remote Assistance
1. Open Remote settings, and then specify administrative credentials when prompted by User Account
Control.
2. Verify that remote access is allowed on this computer.
3. Run msra.exe, and then request Remote Assistance.
4. Save the invitation to a shared folder location that is accessible by your invitee.
Provide Remote Assistance
1. Switch to LON-CL2, and then sign in as Holly.
2. Retrieve the Remote Assistance request file, and then enter the password.
3. Request access, and then await acknowledgement.
4. Take remote control, and then direct the user how to create a comment in a Word 2013 document.
5. Create a chat window, and then ask the user if they are satisfied with the offered solution.
6. Close the session.
Lab C: Implementing Remote Desktop
Scenario
Adam has a desktop computer in his office in London that he might wish to use while he travels around
the UK between his customers.
Objectives
After completing this lab, you will be able to:
Configure Remote Desktop.
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1, 20687C-LON-CL2
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. Verify that the following virtual machines are running:
o 20687C-LON-DC1
o 20687C-LON-CL1
You also will need to start and connect to 20687C-LON-CL2. Do not sign in until directed to do so.
Exercise 1: Configuring a Remote Desktop Connection
Scenario
You decide to enable Remote Desktop on Adam's desktop computer so that he can access it to work on his
data files should the need arise. Before Adam leaves, you decide to test the Remote Desktop connection
to his desktop computer from his laptop.
The main tasks for this exercise are as follows:
1. Enable Remote Desktop through the firewall, and enable Remote Desktop on Adam's office
computer.
2. Connect to the remote computer with Remote Desktop.
Task 1: Enable Remote Desktop through the firewall, and enable Remote Desktop on
Adam's office computer
1. On LON-CL1, open Windows Firewall, and then enable Remote Desktop through the firewall for all
network location profiles (Domain, Private, and Public).
2. In Control Panel, in System and Security, click Allow remote access, and then select the following
options:
a. Click Allow remote connections to this computer.
b. Add Adatum\Adam as a Remote Desktop user.
3. Confirm your changes, and then close all open windows.
4. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd, and then open Remote
Desktop Connection.
5. Specify the computer to connect to as LON-CL1, and then click Show Options.
6. On the Advanced tab, under Server authentication, in the If server authentication fails drop-
down list, click Connect and don't warn me.
Note: You also can enable this firewall rule indirectly by enabling Remote Desktop from
Control Panel\System\Remote settings.
Task 2: Connect to the remote computer with Remote Desktop
1. Connect to LON-CL1. When prompted, enter the user name Adatum\Adam and the password
Pa$$w0rd.
2. Determine the computer name within the Remote Desktop session.
3. Close the Remote Desktop session, and then close all open windows.
4. On LON-CL1, notice that you have been signed out.

Results: After completing this exercise, you should have successfully verified that Remote Desktop is
functional.
To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-DC1.

Module Review and Takeaways
Review Question
Question: You have some important files on your desktop work computer that you need to
retrieve when you are at a client's location with your laptop computer. What do you need to do
on your desktop computer to ensure that you can download your files when at a customer site?
Module 14
Recovering Windows 8.1
Contents:
Module Overview 14-1
Lesson 1: Backing Up and Restoring Files in Windows 8.1 14-2
Lesson 2: Recovery Options in Windows 8.1 14-5
Lab: Recovering Windows 8.1 14-18
Module Review and Takeaways 14-24

Module Overview
It is important to protect data on your computer from accidental loss or corruption. To recover from a
problem, typically it is easier to restore system settings than to reinstall an operating system and apps. The
Windows 8.1 operating system provides a number of features that you can use to protect important data
files, in addition to tools that you can use to recover a computer that will not start or that starts with
errors. You can use features such as File History, System Protection, and synchronization with SkyDrive to
protect your data. To support your users, it is important that you understand how to use these features
and tools.
Objectives
After completing this module, you will be able to:
Back up and restore files in Windows 8.1.
Explain the use of recovery options in Windows 8.1.
Lesson 1
Backing Up and Restoring Files in Windows 8.1
Although you might implement a file-recovery strategy for user data that is stored on network file servers
or network-accessible storage devices, you should remember that users often save their work to local
storage. Consequently, it is important that you provide some method of local file recovery so that you can
recover these data files if they become corrupted or you delete them accidentally.
Lesson Objectives
After completing this lesson, you will be able to:
Explain the need for data backup.
Describe File History.
Configure and use File History.
Discussion: The Need for Data Backup
A computer contains different types of data that it
stores in different locations. Computer data types
include operating system configuration files, app
settings, user-related settings, and user data files.
The latter can include documents, images,
spreadsheets, and other types of files. Although
computers are very reliable and most operating
systems are robust and recoverable, problems do
occur. Sometimes these problems can result in
data loss.
When data is stored on file servers, it usually is
highly available and centrally backed up. But
because users also store data locally, it is important that you protect data files and settings so that if a
computer problem occurs, no data is lost.
A computer that is running Windows 8.1 stores data files and settings in several locations, so you need to
ensure that you protect all of them. You can help protect these data files and settings by:
Storing them on a file server, for example, when using Folder Redirection.
Manually copying files to other media.
Using Windows 8.1 file-recovery tools, such as File History.
Syncing files and settings with SkyDrive.
Question: Does Windows 8.1 include a backup tool?
What Is File History?
Windows 8.1 enables users with multiple devices
to synchronize their settings and data across these
devices. In such a scenario, traditional system
backup is not a requirement. Windows 8.1
includes features to protect user files and the
ability to revert devices to their initial
configurations, either by keeping user settings or
not. In such environments, traditional backup
seems obsolete because it is lengthy,
device-specific, and includes content that is part
of the initial device configuration. For these
reasons, Windows Backup is no longer part of
Windows 8.1. However, Windows 8.1 provides other features that you can use to protect user settings and
data.
File History
With File History, Windows 8.1 can save copies of your files automatically to a removable local drive or to
a shared folder on a network. After you enable File History, it periodically saves a copy of your modified
files to a designated location. Windows 8.1 saves modified files each hour and keeps file versions
indefinitely by default. However, you can configure the interval at which saves occur and how long
Windows 8.1 will keep saved files.
File History saves files from the following folders:
Contacts
Desktop
Favorites
Additionally, File History saves files from the following libraries:
Documents
Music
Pictures
Videos
Note: You cannot add additional folders or libraries to this list, but you can add folders to
the libraries that are protected by File History. You also can define exceptions if you do not want
all files for the included folders and libraries to be included in File History.
To recover files, from the File History dialog box, you can click Restore personal files, and then select the
file from the folders or libraries. Alternatively, you can recover files directly from File Explorer. Navigate to
the folder that contains a deleted file, and then on the Home ribbon, click History. File History opens and
lists the recoverable files.
Question: Is File History turned on by default?
Question: Can you protect additional folders by using File History?
Demonstration: Configuring and Using File History
In this demonstration, you will see how to configure File History in Windows 8.1 and use this feature to
recover a deleted file.
Demonstration Steps
1. Create a new Microsoft Word 2013 document named Recovery file in the Documents library.
2. Modify the contents of the Recovery file document, and then save the file.
3. Use File History to add \\LON-DC1\FileHistory as an available drive, and then turn on File History.
4. Delete the file named Recovery file in the Documents library.
5. Use the History option in File Explorer to recover the file.
Lesson 2
Recovery Options in Windows 8.1
Registry corruption and issues with device drivers or system services can result in startup-related
problems. Systematic troubleshooting is essential so that you can determine and resolve the underlying
cause of the problem quickly and efficiently.
This lesson describes how to identify and troubleshoot issues that affect an operating system's ability to
start, and how to identify problematic services that are running on an operating system. It also describes
how to use troubleshooting tools in Windows 8.1. These tools are known collectively as the Windows
Recovery Environment (RE).
Lesson Objectives
After completing this lesson, you will be able to:
Explain the Windows 8.1 startup process.
Describe Windows startup and recovery options.
Describe System Restore.
Describe the Boot Configuration Data (BCD) store.
Describe BCD configuration settings.
Describe advanced startup settings.
Describe the tools available in Windows RE.
Resolve startup-related problems.
Explain how to configure a recovery drive.
The Windows 8.1 Startup Process
Before you can recover a Windows 8.1 computer
that does not start or starts with errors, you must
understand how the operating system starts up
when there are no issues. The Windows 8.1 boot
loader architecture provides a quick and secure
mechanism for starting the Windows operating
system.
The boot loader architecture has three main
components:
The Windows Boot Manager (Bootmgr.exe)
The Windows OS Loader (Winload.exe)
The Windows Resume Loader (Winresume.exe)
Windows Boot Manager
As a computer starts, Bootmgr.exe loads first and then reads the BCD, which is a database of startup
configuration information that the hard disk stores in a format similar to the registry.
Note: The BCD provides a firmware-independent mechanism for manipulating boot
environment data for any type of Windows system. Windows 8.1 uses the BCD to load the
operating system or to run boot applications, such as memory diagnostics. Its structure is very
similar to a registry key, although you should not manage it with the Registry Editor.
Bootmgr.exe replaces much of the functionality of the legacy NTLDR bootstrap loader that was used in
Windows XP and older versions of the Windows operating system. Bootmgr.exe is a separate entity, and it
is unaware of other startup operations of the operating system. Bootmgr.exe switches the processor into
32-bit or 64-bit protected mode, prompts the user for which operating system to load (if multiple
operating systems are installed), and starts NTLDR if you have Windows XP or older installed.
Windows OS Loader
Winload.exe is the operating system boot loader that Windows Boot Manager invokes. Winload.exe loads
the operating system kernel (Ntoskrnl.exe) and device drivers with start values of 0, which, combined with
Bootmgr.exe, makes Winload.exe functionally equivalent to NTLDR. Winload.exe initializes memory, loads
drivers that should start, and then transfers control to the kernel.
Windows Resume Loader
If the BCD contains information about a current hibernation image, Bootmgr.exe passes that information
to Winresume.exe. Bootmgr.exe then exits, and Winresume.exe starts. Winresume.exe reads the
hibernation image file and uses it to return the operating system to its pre-hibernation running state.
Windows 8.1 Startup Process on BIOS-Based Computers
When you switch on a computer, the startup process loads the BIOS. When it loads the BIOS, the system
accesses the boot drive master boot record (MBR), followed by the drive's boot sector.
The Windows 8.1 startup process occurs in the following steps:
1. The BIOS performs a power-on self test. From a startup perspective, the BIOS enables a computer to
access peripherals such as hard disks, keyboards, and a computer display prior to loading an
operating system. If any critical hardware component is malfunctioning or is not present, you can
hear a sound and see an error if a display is connected.
2. The computer uses information in the BIOS to locate a startup device, for example, a DVD drive,
network adapter, or a hard disk. A computer can start from a hard disk only if it contains the MBR. A
computer calls and loads Bootmgr.exe, which then locates an active drive partition on sector 0 of the
discovered hard disk.
3. Bootmgr.exe reads the BCD file from the active partition, gathers information about the machine's
installed operating systems, and then displays a boot menu if needed.
4. Bootmgr.exe transfers control to Winload.exe, or it calls Winresume.exe for a resume operation. If
Winload.exe selects a down-level operating system, such as Windows XP, Bootmgr.exe transfers
control to NTLDR.
5. Otherwise, Winload.exe initializes memory and loads drivers that are set to begin at startup. These
drivers are for fundamental hardware components such as disk controllers and peripheral bus drivers.
Winload.exe then transfers control to the kernel of the operating system, Ntoskrnl.exe.
6. The kernel initializes, and then device drivers and services with start values greater than 0 are loaded
in the order of their start value and dependency. During this phase, you will see the screen switch to
graphical mode as the Session Manager (Smss.exe) initializes the Windows subsystem.
7. The operating system displays the logon screen, and a user can sign in to Windows 8.1.
Securing the Startup Process
Windows 8.1 includes two technologies that enhance the security of the startup process. These
technologies help ensure that the boot environment is in a known and trusted state before antimalware
software that is installed on the computer becomes active. These technologies are:
Measured Boot. Measured Boot provides antimalware software that runs on Windows 8.1 with a
tamper-proof log of all startup components that were running before the antimalware software
started. This provides antimalware software with enough information to determine whether those
startup components are trustworthy, or whether they have been modified by a malware infection.
Measured Boot requires a client computer to have a trusted platform module chip.
Secure Boot. Secure Boot is a feature of the Windows 8.1 operating system that blocks unauthorized
firmware, operating systems, or Unified Extensible Firmware Interface (UEFI) drivers from running
during startup. Secure Boot functions by referring to a database of authorized software signatures
and software images. If the firmware is not trusted, trusted firmware must be restored before boot
can continue. If an untrusted version of Bootmgr.exe is found, the Secure Boot process will boot a
backup copy of Bootmgr.exe. If problems are found with drivers or Ntoskrnl.exe, Secure Boot
automatically loads Windows RE. Secure Boot requires UEFI and cannot be used with computers that
boot by using BIOS.
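The prerequisites named above (UEFI with Secure Boot turned on; a trusted platform module for Measured Boot) can be checked from Windows PowerShell. The following script is an added example, not part of the course text; it uses the Confirm-SecureBootUEFI and Get-Tpm cmdlets that ship with Windows 8.1 and lists the measured-boot log files that Windows writes under the system Logs folder.

```powershell
# Added example (not part of the course text). Run in an elevated Windows
# PowerShell session on a Windows 8.1 computer; the SecureBoot and
# TrustedPlatformModule modules are included with the operating system.

function Get-StartupSecurityStatus {
    # Reports whether the prerequisites for the two startup protections are met:
    # Secure Boot needs UEFI firmware with Secure Boot enabled, and Measured
    # Boot needs a TPM that the operating system can use.
    $status = [ordered]@{
        Firmware       = 'UEFI'
        SecureBoot     = $false
        TpmPresent     = $false
        TpmReady       = $false
        MeasuredBootOK = $false
    }

    try {
        # Confirm-SecureBootUEFI returns $true or $false on UEFI systems and
        # throws on legacy BIOS, where Secure Boot cannot be used at all.
        $status.SecureBoot = Confirm-SecureBootUEFI
    } catch {
        $status.Firmware   = 'BIOS (legacy)'
        $status.SecureBoot = $false
    }

    # Get-Tpm reports whether a TPM exists and whether it is owned and ready.
    $tpm = Get-Tpm
    $status.TpmPresent     = [bool]$tpm.TpmPresent
    $status.TpmReady       = [bool]$tpm.TpmReady
    $status.MeasuredBootOK = $status.TpmPresent -and $status.TpmReady

    return [pscustomobject]$status
}

$s = Get-StartupSecurityStatus
$s | Format-List

if (-not $s.SecureBoot) {
    Write-Warning 'Secure Boot is off or unavailable: unsigned boot components would not be blocked.'
}
if (-not $s.MeasuredBootOK) {
    Write-Warning 'No usable TPM: antimalware software receives no measured startup log.'
}

# Measured Boot records one log per boot here; their presence confirms that
# measurements are being taken for antimalware software to evaluate.
Get-ChildItem -Path "$env:SystemRoot\Logs\MeasuredBoot" -Filter *.log -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, Length, LastWriteTime
```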
Question: Can you use the Last Known Good Configuration option in Windows 8.1 to use
the same startup configuration that was used during the last successful computer startup?
Windows Startup and Recovery Options
If your computer fails to start correctly, you can
use a number of tools to resolve the problem.
Windows RE
Windows RE is a recovery platform that is based
on the Windows Preinstallation Environment
(Windows PE). Windows RE provides three main
functions:
Diagnoses and repairs startup problems.
Enables you to repair computers by
performing push-button resets.
Provides a platform for additional advanced recovery tools.
Accessing Windows RE
To access Windows RE, perform the following procedure:
1. Insert a Windows 8.1 installation DVD, and then start the computer.
2. When prompted, run the Windows 8.1 DVD setup program.
3. After you configure language and keyboard settings, click the Repair your computer link.
4. Click the Troubleshoot option. After that, you can select if you want to Refresh your PC, Reset your
PC, or select from Advanced options, which includes Startup Repair and System Image Recovery.
Note: A setup disk is not provided on some computers, and therefore, the process of
accessing Windows RE might vary from the steps provided in this topic.
Automatic Failover to Recovery
Windows 8.1 provides an on-disk Windows RE. A computer that is running Windows 8.1 can fail over
automatically to the on-disk Windows RE if it detects a startup failure. A startup failure is detected when
any of the following happens:
A Windows operating system startup fails two times in a row.
A Windows operating system shuts down unexpectedly two times within two minutes of completing startup.
An error is detected during Secure Boot.
A BitLocker Drive Encryption error is detected on a touch-only device.
During startup, the Windows loader sets a status flag that indicates that the boot process has started. The
Windows loader clears this flag before it displays the Windows logon screen. If the startup fails, the loader
does not clear the flag. Consequently, the next time the computer starts, the Windows loader detects the
flag, assumes that a startup failure has occurred, and presents you with the option to start Recovery instead
of Windows 8.1. A computer must start successfully for the Windows loader to remove the flag. If a
computer's power is interrupted during the startup sequence, the Windows loader does not remove the
flag either. Be aware that this automatic failover requires the presence of both the Windows Boot Manager
and the Windows loader. If either of these elements of the startup environment is missing or corrupted,
automatic failover cannot function, and you must initiate a manual diagnosis and repair of the computer's
startup environment.
Windows Recovery Environment (Windows RE) Overview
http://go.microsoft.com/fwlink/?LinkId=378260&clcid=0x409
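As an added example (not from the course book), the following Windows PowerShell functions read and change the boot-entry elements that control this failover: recoveryenabled and recoverysequence point the loader at the on-disk Windows RE, bootstatuspolicy decides whether failed starts trigger it, and bootmenupolicy decides whether the legacy F8 menu is offered. Reagentc.exe /info, bcdedit.exe and the element names are real; the sample bcdedit output at the end is constructed, and the parser and function names are this example's.

```powershell
# Added example, not from the course book. Assumes an elevated Windows
# PowerShell session on Windows 8.1; bcdedit.exe and reagentc.exe are the
# built-in tools, called here as external commands. The sample output at the
# end is constructed.

# bcdedit /enum prints 'name   value' lines; turn one entry into a hashtable.
function ConvertFrom-BcdEnum([string[]]$Lines) {
    $h = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(\S+)\s{2,}(.+?)\s*$') { $h[$matches[1]] = $matches[2] }
    }
    $h
}

function Get-BootRecoveryConfig {
    $entry = ConvertFrom-BcdEnum (bcdedit.exe /enum '{current}')
    $re    = (reagentc.exe /info) -join "`n"
    [pscustomobject]@{
        WinReEnabled     = [bool]($re -match 'Windows RE status:\s+Enabled')
        RecoveryEnabled  = $entry['recoveryenabled']     # Yes: loader may fail over to Windows RE
        RecoverySequence = $entry['recoverysequence']    # identifier of the Windows RE entry
        BootStatusPolicy = $entry['bootstatuspolicy']    # missing = DisplayAllFailures (default)
        BootMenuPolicy   = $entry['bootmenupolicy']      # Standard = no F8 menu; Legacy = F8 works
    }
}

function Invoke-BcdSet([string]$Element, [string]$Value) {
    bcdedit.exe /set '{current}' $Element $Value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set $Element $Value failed (exit $LASTEXITCODE); elevated prompt required" }
}

# bootstatuspolicy decides whether two failed starts (or two crashes soon after
# startup) drop the computer into Windows RE. DisplayAllFailures is the default
# and gives the automatic failover; IgnoreAllFailures suits a kiosk that must
# never present a recovery UI to whoever is standing at it, at the cost of
# losing the automatic repair path.
function Set-BootStatusPolicy {
    param([ValidateSet('DisplayAllFailures', 'IgnoreAllFailures', 'IgnoreShutdownFailures', 'IgnoreBootFailures')]
          [string]$Policy)
    Invoke-BcdSet 'bootstatuspolicy' $Policy
}

# Turn the automatic failover itself on or off.
function Set-AutomaticRecovery([bool]$Enabled) {
    Invoke-BcdSet 'recoveryenabled' $(if ($Enabled) { 'Yes' } else { 'No' })
}

# Windows 8.1 hides the F8 menu for faster startup; Legacy brings it back.
function Set-BootMenuPolicy {
    param([ValidateSet('Standard', 'Legacy')][string]$Policy)
    Invoke-BcdSet 'bootmenupolicy' $Policy
}

# Constructed sample of 'bcdedit /enum {current}' output, not captured from a real computer.
$sample = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'device                  partition=C:',
    'path                    \Windows\system32\winload.exe',
    'description             Windows 8.1',
    'recoverysequence        {3a1b2c3d-0000-0000-0000-000000000000}',
    'recoveryenabled         Yes',
    'bootmenupolicy          Standard'
)
ConvertFrom-BcdEnum $sample
Get-BootRecoveryConfig
```

Read the configuration before changing it: a computer whose recoveryenabled is No, or whose recoverysequence points at an entry that no longer exists, will never fail over, and that is worth knowing before the first bad driver rather than after.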
Advanced Startup Settings
Windows 8.1 provides Advanced options for Startup Settings that you can use to change Windows startup
behavior. When you choose Startup Settings and restart the computer, you can select one of the
following startup options:
Enable debugging
Enable boot logging
Enable low-resolution video
Enable Safe Mode
Enable Safe Mode with Networking
Enable Safe Mode with Command Prompt
Disable driver signature enforcement
Disable early launch anti-malware protection
Disable automatic restart after failure
Launch Recovery Environment
Question: How can you access Windows RE if a computer cannot start from a hard disk
because startup information is damaged?
Overview of System Restore
Windows 8.1 enables the System Restore feature
automatically. System Restore takes a snapshot of
your Windows configuration and stores it as a
restore point. Restore points represent a point in
time of the computer's configuration and do not
include user personal data. Windows 8.1 can
create restore points automatically before the
following changes occur:
Application installation, if the application uses
an installer that is System Restore-compliant.
Installation of Windows updates.
Restore points can be created in Windows 8.1:
Manually, whenever you choose to create them.
Based on a schedule. Windows 8.1 includes scheduled tasks, which can trigger restore point creation.
A restore point is created automatically if no restore point has been created for seven days.
Automatically, if you choose to use System Restore to restore to a previous restore point. In this
instance, System Restore creates a new restore point before it restores the system to a previous state.
This provides you with a recovery option should the restore operation fail or result in issues.
System Restore does not create an undo restore point when you run it from safe mode or from Windows RE,
so a restore performed from either of those environments cannot be undone.
You can access System Restore and revert Windows settings from the Windows 8.1 environment or from
Windows RE. This means that you can restore your computer to an earlier restore point even if you cannot
start Windows 8.1. If you want to restore your computer to an earlier restore point from Windows RE, you
must select a user account and provide that user's password before you can use System Restore.
Note: Windows 8.1 includes a System Restore scheduled task named SR, which you can
configure to automatically create restore points at scheduled intervals.
Perform Driver Rollbacks
If you install a device driver that results in a computer that is unstable or that fails to operate entirely, you
might use System Restore. Older versions of Windows operating systems had a mechanism for driver
rollbacks, but it required the computer to start successfully. With Windows 8.1, you can use System
Restore to perform driver rollbacks by accessing the restore points, even when the computer does not
start successfully.
Protect Against Accidental Deletion of Programs
System Restore also provides protection against accidental deletion of programs. System Restore creates
restore points when you add or remove programs, and it keeps copies of application programs (file names
with an .exe or .dll extension). If you accidentally delete an .exe file, you can use System Restore to recover
it by selecting a recent restore point prior to your deletion of the program.
Restore points
http://go.microsoft.com/fwlink/?LinkId=378261&clcid=0x409
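The following is an added example, not part of the course book: Windows PowerShell that turns on system protection, removes the 24-hour restore-point creation limit that Windows 8 introduced, creates a named restore point, reschedules the built-in SR task to run daily, and reports the state. Enable-ComputerRestore, Checkpoint-Computer, Get-ComputerRestorePoint, the ScheduledTasks cmdlets, the SR task path and the SystemRestorePointCreationFrequency registry value are real; the 03:00 time and the descriptions are choices made for the example.

```powershell
# Added example, not from the course book. Assumes an elevated Windows
# PowerShell session on Windows 8.1 with the system drive C:. The registry
# value and the SR task path are the real ones; the 03:00 time and the
# descriptions are this example's choices.

$SrTaskPath = '\Microsoft\Windows\SystemRestore\'
$SrRegKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'

function Enable-SystemProtection([string]$Drive = 'C:\') {
    Enable-ComputerRestore -Drive $Drive
}

# Separate from the seven-day rule in the text: beginning with Windows 8, a
# restore point requested less than 24 hours after the previous one is skipped
# silently. SystemRestorePointCreationFrequency (minutes) changes that limit;
# 0 removes it. Set it before relying on Checkpoint-Computer in a script.
function Set-RestorePointFrequency([int]$Minutes = 0) {
    New-ItemProperty -Path $SrRegKey -Name SystemRestorePointCreationFrequency `
        -PropertyType DWord -Value $Minutes -Force | Out-Null
}

function New-NamedRestorePoint([string]$Description) {
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
}

# Make the built-in SR task run every day instead of waiting out the seven-day
# gap. Set-ScheduledTask -Trigger replaces the task's existing triggers; its
# conditions (AC power, idle) are left as they are.
function Set-DailyRestorePointSchedule([string]$At = '03:00') {
    $trigger = New-ScheduledTaskTrigger -Daily -At $At
    Set-ScheduledTask -TaskName 'SR' -TaskPath $SrTaskPath -Trigger $trigger | Out-Null
    Get-ScheduledTask -TaskName 'SR' -TaskPath $SrTaskPath
}

function Get-RestorePointReport {
    # Restore points live in the volume's shadow copy storage; vssadmin shows
    # whether any shadow copies exist at all.
    $points  = @(Get-ComputerRestorePoint)
    $shadows = @(vssadmin.exe list shadows | Where-Object { $_ -match 'Shadow Copy ID' })
    $freq    = Get-ItemProperty -Path $SrRegKey -Name SystemRestorePointCreationFrequency -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestorePoints  = $points.Count
        Newest         = if ($points.Count -gt 0) { ($points | Sort-Object SequenceNumber)[-1].Description } else { $null }
        ShadowCopies   = $shadows.Count
        FrequencyLimit = if ($freq) { $freq.SystemRestorePointCreationFrequency } else { 'default (1440 minutes)' }
    }
}

Enable-SystemProtection
Set-RestorePointFrequency 0
New-NamedRestorePoint 'Before driver update'
Get-RestorePointReport
```

Restore points are held in the same shadow copy storage that vssadmin manages, and any administrator, including malware that has obtained administrator rights, can delete them with vssadmin delete shadows. Treat them as a convenience for rolling back configuration changes, not as a backup.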
Question: How can you configure Windows 8.1 to create restore points automatically more
often than every seven days?
What Is the BCD Store?
In the Windows operating system, the BCD store is
an extensible database of objects and elements
that can include information about a current
hibernation image, in addition to special
configuration options for starting Windows 8.1 or
an alternate operating system. BCD provides an
improved mechanism for describing boot
configuration data for new firmware models.
On a BIOS-based computer, the boot sector loads the Windows Boot Manager (Bootmgr); on a UEFI-based
computer, the firmware loads it (Bootmgfw.efi) from the EFI system partition. The boot manager then
reads BCD, uses that information to display a boot menu to the user (if multiple boot options exist), and
loads the operating system.
These parameters were previously in the Boot.ini file (on BIOS-based computers) or in nonvolatile random
access memory (NVRAM) entries (on computers based on EFI). Since Windows Vista, Windows has replaced
the Boot.ini file and NVRAM entries with BCD. BCD is more versatile than Boot.ini, and it applies to
computer platforms that do not use BIOS to start a computer, such as UEFI-based computers.
Windows 8.1 stores the BCD data in the same format as a registry hive. For BIOS-based systems, the BCD
store is the file \Boot\BCD on the active (system) partition, and the Boot directory is marked system and
hidden. For UEFI-based systems, the BCD store is on the EFI system partition.
Question: One of your coworkers would like to modify Windows 8.1 startup settings, but he
is not able to find the Boot.ini file. How can you help him?
Understanding BCD Configuration Settings
Depending on what settings you want to change,
you can use the following tools to modify BCD:
Startup and Recovery Advanced system
settings. Select the default operating system if
you have multiple operating systems installed
on your computer. You also can change the
time-out value.
System Configuration utility (MSConfig.exe).
An advanced tool that enables you to select
the following startup options:
o Safe boot options include:
Minimal. Start Windows in safe mode, in which only critical system services are running and
networking is disabled.
Alternate shell. On startup, opens a command prompt in safe mode, in which only critical
system services are running. Networking and the GUI are disabled.
Active Directory repair. On startup, opens the Windows GUI in safe mode, running critical
system services.
Network. On startup, opens the Windows GUI in safe mode, running only critical system
services. Networking is enabled.
o Boot log. Records startup information into a log file.
o No GUI boot. Does not display the Windows Welcome screen when starting.
o Base video. Uses a generic video display adapter driver.
o Advanced options:
Number of processors. Limits the number of processors that are used on a multiprocessor
system.
Maximum memory. Limits the amount of memory that is used on a system.
PCI Lock. Prevents reallocation of I/O and interrupt request (IRQ) resources on the Peripheral
Component Interconnect (PCI) bus.
Debug. Enables kernel-mode debugging for device driver development.
BCDEdit.exe. BCDEdit.exe is a command-line tool in Windows 8.1 that replaces Bootcfg.exe. This
advanced tool is for administrators and IT professionals. You can use BCDEdit.exe to change the BCD
store and perform tasks such as removing entries from the list of operating systems that is displayed at
startup. Changing the store requires an elevated command prompt, and on a computer with Secure Boot
enabled, BCDEdit.exe refuses to set boot options that weaken kernel code integrity (such as testsigning
and nointegritychecks), because Secure Boot policy protects them. BCDEdit.exe enables you to:
o Add entries to an existing BCD store.
o Modify existing entries in a BCD store.
o Delete entries from a BCD store.
o Export a copy of the BCD store to a file.
o Import a BCD store from a previously exported file.
o List the currently active settings.
o Query a particular type of entry.
o Apply a global change (to all entries).
o Change the default time-out value.
Typical reasons to manipulate BCD with BCDEdit.exe include:
o Adding a new hard disk to your Windows 8.1 computer and changing the logical drive
numbering.
o Installing additional operating systems on your Windows 8.1 computer to create a multiboot
configuration.
o Deploying Windows 8.1 to a new computer with a blank hard disk, which requires you to
configure the appropriate boot store.
o Performing a backup of BCD.
o Restoring corrupted BCD.
BootRec.exe. Rebuild BCD by running BootRec.exe with the /rebuildbcd option from the Windows RE
command prompt; BootRec.exe is available only in Windows RE. If rebuilding BCD does not resolve startup
issues, export the existing store with BCDEdit.exe as a backup, rename or delete the store file, and then
run /rebuildbcd again. By doing this, you ensure that BCD is rebuilt completely rather than merged into
the damaged store.
BCDedit.exe syntax and parameters
http://go.microsoft.com/fwlink/?LinkId=378262&clcid=0x409
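The following Windows PowerShell functions are an added example, not from the course book. They wrap bcdedit.exe to back up the store, duplicate the current entry (parsing the GUID that bcdedit prints for it), change the default entry and time-out, parse bcdedit /enum osloader into objects, and flag entries with testsigning or nointegritychecks turned on, which is how a boot entry can be made to load unsigned kernel code on every start. bcdedit.exe and its switches are real; the function names, the backup path and the entry description are this example's choices.

```powershell
# Added example, not from the course book. Assumes an elevated Windows
# PowerShell session on Windows 8.1; bcdedit.exe is the built-in tool, called
# as an external command. The backup path and entry description are this
# example's choices.

function Invoke-Bcdedit {
    param([Parameter(ValueFromRemainingArguments = $true)][string[]]$Arguments)
    $out = & bcdedit.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "bcdedit $($Arguments -join ' ') failed: $($out -join ' ')" }
    $out
}

# Back up the store before touching it; bcdedit /import restores this file.
function Backup-BcdStore([string]$Path = "$env:SystemDrive\BCD_Backup") {
    Invoke-Bcdedit /export $Path | Out-Null
    $Path
}

# bcdedit /copy prints 'The entry was successfully copied to {GUID}.'; return
# the GUID so later commands can refer to the new entry.
function Copy-CurrentBootEntry([string]$Description) {
    $out = Invoke-Bcdedit /copy '{current}' /d $Description
    if (($out -join ' ') -match '(\{[0-9a-fA-F-]{36}\})') { return $matches[1] }
    throw "Could not find the new identifier in: $out"
}

function Set-DefaultBootEntry([string]$Identifier, [int]$TimeoutSeconds = 30) {
    Invoke-Bcdedit /default $Identifier | Out-Null
    Invoke-Bcdedit /timeout $TimeoutSeconds | Out-Null
}

function Remove-BootEntry([string]$Identifier) {
    Invoke-Bcdedit /delete $Identifier /cleanup | Out-Null
}

# Parse 'bcdedit /enum osloader' into one object per operating-system entry.
function Get-OsLoaderEntries {
    $entries = @(); $cur = $null
    foreach ($line in (Invoke-Bcdedit /enum osloader)) {
        if ($line -match '^identifier\s{2,}(\S+)') {
            $cur = [ordered]@{ identifier = $matches[1]; description = $null; device = $null;
                               testsigning = 'No'; nointegritychecks = 'No' }
            $entries += ,$cur
        } elseif ($cur -and $line -match '^(description|device|testsigning|nointegritychecks)\s{2,}(.+?)\s*$') {
            $cur[$matches[1]] = $matches[2]
        }
    }
    $entries | ForEach-Object { [pscustomobject]$_ }
}

# An entry with testsigning or nointegritychecks enabled loads unsigned kernel
# code on every start. Legitimate on a driver developer's test box, a red flag
# on anything else; on a Secure Boot computer bcdedit refuses to set them.
function Test-CodeIntegrityWeakened {
    Get-OsLoaderEntries | Where-Object { $_.testsigning -eq 'Yes' -or $_.nointegritychecks -eq 'Yes' }
}

# Worked flow: back up, duplicate the running entry, make it the default with
# a short menu, review the store, and then put everything back.
$backup = Backup-BcdStore
$newId  = Copy-CurrentBootEntry 'Duplicate boot entry'
Set-DefaultBootEntry -Identifier $newId -TimeoutSeconds 5
Get-OsLoaderEntries | Format-Table identifier, description, device
Test-CodeIntegrityWeakened
Set-DefaultBootEntry -Identifier '{current}'
Remove-BootEntry $newId
```

If anything goes wrong part-way through, bcdedit /import followed by the backup path returns the store to the state that Backup-BcdStore captured. Test-CodeIntegrityWeakened is cheap enough to run on every computer you touch during an incident: a boot entry that has been switched to testsigning is one of the few places a kernel-mode rootkit must leave a visible mark on a computer that lacks Secure Boot.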
Question: Your coworker has a dual-boot computer and would like to configure the
computer to start Windows 8.1 automatically without showing the list of installed operating
systems for 30 seconds first. Is BCDEdit.exe the only tool your coworker can use to achieve
this goal?
Advanced Startup Settings
Windows 8.1 provides advanced startup settings that you can use to start the operating system in a
troubleshooting mode. To reach these settings, you must restart the computer into the advanced startup
options, which you can do in several ways:
From PC settings, under Update and recovery, Recovery, Advanced startup, click Restart now.
Press and hold the Shift key while selecting the Restart option in the Settings charm.
Restart the computer by running the shutdown.exe /r /o command.
Note: In Windows 8.1, you cannot access advanced startup settings by pressing F8 during
the startup process, as you were able to in older versions of Windows operating systems.
When the computer restarts, you are presented with the following options:
Enable debugging. By selecting the debugging mode, you can start Windows 8.1 in a special
troubleshooting mode. In this mode, you can monitor the behavior of device drivers and determine
whether a specific device driver is causing Windows 8.1 to stop unexpectedly.
Enable boot logging. When you use this mode, the Windows 8.1 start process creates and writes to a
file named Ntbtlog.txt. This file records the device drivers that Windows 8.1 installs and loads during
startup.
Enable low-resolution video. In this mode, you can start Windows 8.1 in a special low-resolution
mode of 640 x 480. This mode can be necessary when you attempt to resolve incorrectly applied
graphics resolution settings.
Enable Safe Mode. In safe mode, Windows 8.1 starts with a minimal set of drivers, services, and
applications. You can use safe mode to disable services and applications that might be causing the
Windows operating system to stop. Safe mode does not load network drivers, so network connectivity is
not possible in safe mode.
Enable Safe Mode with Networking. Safe mode with networking is similar to safe mode, except that it
allows network connectivity.
Enable Safe Mode with Command Prompt. This version of safe mode starts with a Command Prompt
window rather than the Windows interface. In this mode, you can disable applications and services
from the command line if you are unable to perform this operation by using safe mode.
Disable driver signature enforcement. In this mode, you can load device drivers that are not digitally
signed. This might be necessary when testing device drivers with Windows 8.1 that have not been
formally released. The setting applies to that startup only; it is not persisted, unlike the testsigning
boot option in the BCD store.
Disable early launch anti-malware protection. In this mode, you can start Windows 8.1 without the
early launch antimalware (ELAM) driver running. ELAM classifies boot-start drivers before they load, and
it can stop Windows 8.1 from starting in certain circumstances. Because disabling it lets every boot-start
driver load unchecked, use this option only after other options have been tried.
Disable automatic restart after failure. Use this option to stop Windows 8.1 from automatically
restarting after a failure occurs. You might need to use this option if Windows 8.1 enters a reboot
cycle.
Launch Recovery Environment. Use this option to start Windows RE. You can use the recovery
environment to trigger the Refresh your PC or Reset your PC function.
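As an added example, not from the course book, the following Windows PowerShell turns the one-time Enable boot logging choice into a persistent boot option, restarts into advanced startup, and parses %SystemRoot%\ntbtlog.txt to report which drivers the last boot loaded and which it did not, plus any loaded driver that does not live under the Windows directory. bcdedit /set bootlog, shutdown /r /o and the Loaded driver / Did not load driver line format are real; the sample log and the driver names in it are constructed for the example.

```powershell
# Added example, not from the course book. Assumes an elevated Windows
# PowerShell session; the sample log at the end is constructed and the driver
# name example.sys in it is a placeholder.

# Same effect as 'Enable boot logging' in Startup Settings, but on every start
# until it is turned off again. Windows appends one session per boot to
# %SystemRoot%\ntbtlog.txt.
function Enable-PersistentBootLogging {
    bcdedit.exe /set '{current}' bootlog yes | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; run from an elevated prompt' }
}
function Disable-PersistentBootLogging {
    bcdedit.exe /set '{current}' bootlog no | Out-Null
}

# Reach Startup Settings without touching the keyboard during boot.
function Restart-ToAdvancedStartup { shutdown.exe /r /o /t 0 }

# Summarise the most recent boot session: drivers that loaded, drivers that
# did not, and loaded drivers living outside \SystemRoot, which is where a
# malicious or leftover third-party driver usually shows up.
function ConvertFrom-NtBtLog([string[]]$Lines) {
    $starts = @(0..($Lines.Count - 1) | Where-Object { $Lines[$_] -like 'Microsoft (R) Windows*' })
    $from   = if ($starts.Count -gt 0) { $starts[-1] } else { 0 }
    $loaded = @(); $failed = @()
    foreach ($line in $Lines[$from..($Lines.Count - 1)]) {
        if     ($line -match '^Loaded driver (.+?)\s*$')       { $loaded += $matches[1] }
        elseif ($line -match '^Did not load driver (.+?)\s*$') { $failed += $matches[1] }
    }
    [pscustomobject]@{
        Loaded     = $loaded
        NotLoaded  = $failed
        Unexpected = @($loaded | Where-Object { $_ -notlike '\SystemRoot\*' })
    }
}

function Get-BootLogSummary([string]$Path = (Join-Path $env:SystemRoot 'ntbtlog.txt')) {
    ConvertFrom-NtBtLog (Get-Content -Path $Path)
}

# Constructed sample: two sessions; only the second one is summarised.
$sample = @(
    'Microsoft (R) Windows (R) Version 6.3 (Build 9600)',
    ' 1 24 2014 09:00:01.000',
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Microsoft (R) Windows (R) Version 6.3 (Build 9600)',
    ' 1 25 2014 10:45:00.000',
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Loaded driver \SystemRoot\System32\drivers\fltmgr.sys',
    'Loaded driver \??\C:\Temp\example.sys',
    'Did not load driver \SystemRoot\System32\drivers\example.sys'
)
ConvertFrom-NtBtLog $sample | Format-List
```

After a real boot with logging enabled, Get-BootLogSummary reads the live file. A driver in NotLoaded is the usual suspect when a computer that reaches the logon screen is unstable; a driver in Unexpected deserves a look at its signature and its service entry before you assume it belongs there.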
Question: Can you access Startup Setting options by pressing F8 during computer startup?
Tools Available in Windows RE
Windows RE provides access to tools that you can
use to help recover your computers startup
environment.
Refresh your PC
This option enables you to retain your personal
data, apps, and settings, but replaces the
Windows 8.1 operating system. This is useful when
it is important to retain user-related files and
settings, but you do not have the time to
determine the specific cause of a startup problem
or to resolve it. You need Windows installation or recovery media to perform a refresh unless a recovery
image (a recovery partition or a Recimg.exe refresh image) is already on the computer.
Note: Because it is quite likely that user settings might have created the startup problem
from which you are attempting to recover, the Refresh your PC option is careful about which
settings to restore. For instance, this option does not restore file associations, display settings, and
Windows Firewall settings during the refresh process.
Note: It is possible to use the Recimg.exe command-line tool to create a refresh image,
which enables you to refresh your computer to a specific point in time.
Reset your PC
This option removes all user data, user settings, and apps and then reinstalls Windows 8.1. You should
select this option when there is no need to retain user data or settings. By using this setting, you revert
your computer to the deployment defaults. You need Windows installation or recovery media to perform a
reset unless a recovery image is already on the computer.
Push-Button Reset Overview
http://go.microsoft.com/fwlink/?LinkId=378263&clcid=0x409
System Restore
Windows 8.1 provides System Restore capabilities that you can access from the System Tools folder. If you
have a system failure or another significant problem with your computer, you can use System Restore to
return your computer to an earlier state.
The primary benefit of System Restore is that it restores your system to a workable state without
reinstalling the operating system or causing data loss. Additionally, if a computer does not start
successfully, you can use System Restore by starting Windows RE from Windows 8.1 media.
System Image Recovery
System Image Recovery replaces your computer's current operating system with a complete computer
image that you created previously. You can use this tool only if you created a system image of your
computer beforehand (in Windows 8.1, for example, by using the Wbadmin.exe command-line tool). You
should use this tool only if other recovery methods are unsuccessful. It is a very intrusive recovery
method that overwrites everything on the disks it restores.
Startup Repair
The Startup Repair tool in Windows RE provides a simple and effective way for you to resolve most
common startup problems. Before you can use Startup Repair, you must provide the password of the
administrator account that previously signed in to the computer. Startup Repair detects most common
startup issues and automatically corrects them. It performs the following functions:
Replace or repair disk metadata. Disk metadata consists of several components, including the boot
sector and the MBR. If these files are missing or corrupted, the startup process fails. If you suspect that
an issue has damaged or deleted these files, use Startup Repair to check for problems with the disk
metadata. Startup Repair automatically checks and, if necessary, repairs the disk metadata.
Damage to disk metadata often results from unsuccessful attempts to install multiple operating systems
on a single computer. Malware that infects the MBR or boot sector (a bootkit) is another possible cause;
Startup Repair is not an antimalware scanner, so if you suspect this, also scan the disk from trusted media.
Repair boot configuration settings. Windows 8.1 uses a configuration store that is stored in a Boot
folder on an active partition. If the boot configuration data is damaged or deleted, the operating
system fails to start. The Startup Repair tool checks and, if necessary, rebuilds BCD by scanning for
Windows installations on the local hard disks, and then storing the necessary BCD.
Resolve incompatible driver issues. Installing a new hardware device and its associated device driver
often causes the Windows operating system to start incorrectly. The Startup Repair tool performs
device driver checks as part of its analysis of your computer. If Startup Repair detects a driver
problem, it uses System Restore points to attempt a resolution by rolling back the configuration to a
known working state.
Command Prompt
Windows 8.1 uses a Command Prompt tool from the Windows RE tool set as its command-line interface.
The Command Prompt tool is more powerful than the Recovery Console from older versions of Windows
operating systems, and its features are similar to the command prompt that is available when
Windows 8.1 is running normally. The Command Prompt tool performs the following functions:
Resolves problems with a service or device driver. If a computer that is running Windows 8.1
experiences problems with a device driver or Windows service, use the Command Prompt tool to
attempt a resolution. Be aware that the installed operating system is offline while Windows RE runs:
Net.exe and Sc.exe act on the services of the Windows RE session, not on the installed Windows 8.1. To
disable a failing driver or service in the installed operating system, load its SYSTEM registry hive with
Reg.exe and set the service's Start value to 4 (disabled), or copy a replacement driver file from the
installation media. After Windows 8.1 starts again, you can use Net Start (for example, Net Start
Netlogon) or the SC tool (Sc.exe) to start and stop services.
Recovers missing files. The Command Prompt tool enables you to copy missing files to your
computers hard disk from original source media, such as the Windows 8.1 installation DVD or USB
flash drive.
Accesses and configures BCD. Windows 8.1 uses a BCD store to retain information about the operating
systems that you install on the computer. You can access this information by using the BCDEdit.exe
tool at the command prompt, and you can reconfigure the store if necessary. For example, you can set
the default operating system on a dual-boot computer by running bcdedit /default {id}, where {id} is
the identifier that bcdedit /enum shows for the entry.
Repairs the boot sector and MBR. If the boot sector or MBR on the local hard disk is damaged or
missing, a computer that is running Windows 8.1 will fail to start successfully. You can launch the
BootRec.exe command at the command prompt to resolve problems with the disk metadata.
Runs diagnostic and troubleshooting tools. The Command Prompt tool provides access to many
programs that you can access from Windows 8.1 during normal operations. These programs include
several troubleshooting and diagnostics tools, such as the Registry Editor (Regedit.exe), a disk and
partition management tool (Diskpart.exe), and several networking configuration tools (Net.exe,
Ipconfig.exe, and Netcfg.exe). Another option is to load Task Manager (Taskmgr.exe), which you can
use to determine which programs and services are running currently.
Note: Windows PE is not a complete operating system. Therefore, when you use the
Command Prompt tool in Windows RE, remember that not all programs that work in the
Windows operating system will work at the command prompt. Additionally, because there are no
logon requirements for Windows PE and Windows RE, Windows 8.1 restricts the use of some
programs for security reasons, including many that administrators typically run. The same absence
of logon requirements means that anyone who can start the computer from Windows RE or from
installation media has full access to an unencrypted system drive. Protecting the drive with
BitLocker Drive Encryption closes this gap; Windows RE then asks for the BitLocker recovery key
before its tools can access the volume.
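The following is an added example, not from the course book, of the two operations that matter most at the Windows RE command prompt: disabling a failing driver or service in the offline installation by editing its SYSTEM hive, and rebuilding BCD after backing it up. It is written as Windows PowerShell with the equivalent cmd.exe lines in comments, because Windows RE's Command Prompt is cmd.exe and the default Windows 8.1 WinRE image does not include PowerShell; reg.exe, bcdedit.exe, bootrec.exe and attrib.exe are the real tools, while the function names, the OfflineSystem hive name and the drive-letter probing are this example's.

```powershell
# Added example, not from the course book. These commands are meant for the
# Windows RE Command Prompt. That prompt is cmd.exe, and the default Windows
# 8.1 WinRE image does not include PowerShell, so run this from a custom WinRE
# or WinPE image that has the WinPE-PowerShell component, or type the reg.exe,
# bcdedit.exe and bootrec.exe lines from the comments into cmd.exe one at a
# time. The service name 'example' is a placeholder.

# Windows RE itself runs from X:; the installed Windows is on another letter.
function Find-OfflineWindowsDrive {
    foreach ($letter in 'C', 'D', 'E', 'F', 'G', 'H') {
        if (Test-Path "${letter}:\Windows\System32\config\SYSTEM") { return "${letter}:" }
    }
    throw 'No offline Windows installation found'
}

# Disable a driver or service in the OFFLINE installation by editing its SYSTEM
# hive. Sc.exe and Net.exe in Windows RE only see Windows RE's own services, so
# this is what 'disable the existing driver from the registry' amounts to.
# cmd.exe equivalent (N is the number shown by the reg query):
#   reg load HKLM\OfflineSystem C:\Windows\System32\config\SYSTEM
#   reg query HKLM\OfflineSystem\Select /v Current
#   reg add HKLM\OfflineSystem\ControlSet00N\Services\example /v Start /t REG_DWORD /d 4 /f
#   reg unload HKLM\OfflineSystem
function Disable-OfflineService {
    param([Parameter(Mandatory = $true)][string]$ServiceName,
          [string]$OsDrive = (Find-OfflineWindowsDrive))
    $hive = "$OsDrive\Windows\System32\config\SYSTEM"
    reg.exe load HKLM\OfflineSystem $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $hive" }
    try {
        $current = (Get-ItemProperty -Path 'HKLM:\OfflineSystem\Select' -Name Current).Current
        $svcKey  = 'HKLM:\OfflineSystem\ControlSet{0:D3}\Services\{1}' -f $current, $ServiceName
        if (-not (Test-Path $svcKey)) { throw "Service '$ServiceName' not found at $svcKey" }
        $old = (Get-ItemProperty -Path $svcKey -Name Start).Start
        Set-ItemProperty -Path $svcKey -Name Start -Value 4 -Type DWord   # 4 = SERVICE_DISABLED
        [pscustomobject]@{ Service = $ServiceName; Key = $svcKey; OldStart = $old; NewStart = 4 }
    } finally {
        [GC]::Collect()                                 # release provider handles before unloading
        reg.exe unload HKLM\OfflineSystem | Out-Null
    }
}

# Rebuild the boot configuration. The export is the backup; renaming the old
# store forces /rebuildbcd to write a fresh one instead of merging into a
# damaged file (the 'export and delete BCD, then run it again' step).
# cmd.exe equivalent:
#   bcdedit /export C:\BCD_Backup
#   attrib C:\Boot\BCD -s -h -r
#   ren C:\Boot\BCD BCD.old
#   bootrec /fixmbr
#   bootrec /fixboot
#   bootrec /scanos
#   bootrec /rebuildbcd
function Repair-BootConfiguration {
    param([string]$OsDrive = (Find-OfflineWindowsDrive), [switch]$Bios)
    bcdedit.exe /export "$OsDrive\BCD_Backup" | Out-Null
    # BIOS layout: the store is \Boot\BCD on the active partition. If that is a
    # System Reserved partition without a letter, assign one with diskpart first
    # and pass it as -OsDrive. On UEFI the store is on the EFI system partition.
    $store = "$OsDrive\Boot\BCD"
    if (Test-Path $store) {
        attrib.exe $store -s -h -r
        Rename-Item -Path $store -NewName 'BCD.old' -Force
    }
    if ($Bios) {                    # MBR and boot-sector repair apply to BIOS computers only
        bootrec.exe /fixmbr
        bootrec.exe /fixboot
    }
    bootrec.exe /scanos
    bootrec.exe /rebuildbcd
}
```

Call Disable-OfflineService -ServiceName with the name of the driver's service key (the name under Services, not the .sys file name) and note the OldStart value it returns so you can set it back once Windows starts; call Repair-BootConfiguration -Bios on a BIOS computer and Repair-BootConfiguration without the switch on UEFI. Loading a hive from an arbitrary disk is exactly the kind of access the note above warns about, which is why the same procedure is blocked on a BitLocker-protected drive until the recovery key has been supplied.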
Question: Can you use System Image Recovery without any previous preparation?
Question: What is the main difference between the Refresh your PC and Reset your PC
options?
Demonstration: Resolving Startup-Related Problems
In this demonstration, you will see how to resolve startup-related problems by using the tools in
Windows RE.
Demonstration Steps
1. On 20687C-LON-CL1, mount the Windows 8.1 installation DVD from D:\Program Files
\Microsoft Learning\20687\Drives\ Win81Ent_Eval.iso, and then start the virtual machine.
2. Initialize setup from the DVD, and then click Repair your computer.
3. Click Troubleshoot from the available options, and then click Advanced options.
4. Click Command Prompt, and then run the following commands to view the startup environment:
Bcdedit /enum
Bootrec /scanos
Diskpart
5. In Diskpart, type the following commands to view information about the disks and volumes installed
on LON-CL1:
List disk
List volume
6. Close Diskpart, and then close the Command Prompt window.
7. Perform Startup Repair from the Windows RE Troubleshoot menu.
8. Restart your computer normally.
9. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then open an
elevated command prompt.
10. Create a duplicate boot entry by running the following command at the elevated command prompt:
bcdedit /copy {current} /d "Duplicate boot entry"
11. Verify the presence of Duplicate boot entry in the store with the following command, and then
restart the computer:
Bcdedit /enum
12. When the Windows operating system restarts, wait until the Choose an operating system menu
appears, and then click Change defaults or choose other options. Select the following options in
turn:
o Choose other options
o Troubleshoot
o Advanced options
o Startup Settings
o Restart
13. Start Windows in Safe Mode, and then sign in as Adatum\Administrator with password Pa$$w0rd.
Configuring a Recovery Drive
You can use a recovery drive to run Windows RE
and troubleshoot a Windows 8.1 installation even
if the computer cannot start from the hard drive.
A recovery drive includes all the Windows RE
tools, and it can include a copy of the recovery
partition.
You can create a recovery drive by using the
Recovery Drive Wizard. A recovery drive is created
on a USB flash drive with a capacity of at least 256
Megabytes (MB). During creation of the recovery
drive, the USB flash drive is formatted, so all of its
previous content is lost. If your computer has a
recovery partition, the Recovery Drive Wizard can copy it to a USB flash drive, and you can later use it to
perform PC Refresh.
Note: If a Windows 8.1 computer does not have a recovery partition, you can create one by
running the recimg.exe command. A recovery partition is used during Refresh your PC, and it
contains a copy of desktop apps and Windows system files. A recovery partition does not contain
your documents, personal settings, user profiles, and Windows Store apps.
Recovery Drive
http://go.microsoft.com/fwlink/?LinkId=378264&clcid=0x409
Question: Can you create a recovery drive on a DVD?
Question: Which recovery tasks can you perform when you start a computer from a recovery
drive?
Lab: Recovering Windows 8.1
Scenario
You must demonstrate to your coworkers how you can configure and use File History to protect
documents. You also need to recover a Windows 8.1 computer that belongs to one of the employees at A.
Datum Corporation. To do this, you first will examine the recovery options available in Windows 8.1. You
then will attempt to resolve a startup issue, and you will document the solution that you used to resolve
the issue.
Objectives
After completing this lab, you will be able to:
Configure and use File History.
Explore Windows 8.1 recovery options.
Introduce a simulated problem.
Resolve a problem.
Lab Setup
Estimated Time: 60 minutes
Virtual machines: 20687C-LON-DC1, 20687C-LON-CL1
User name: Adatum\Administrator
Password: Pa$$w0rd
For this lab, you will use the available virtual machine environment. Before you begin the lab, you must
complete the following steps:
1. On the host computer, click Start, point to Administrative Tools, and then click Hyper-V Manager.
2. In Hyper-V Manager, click 20687C-LON-DC1, and in the Actions pane, click Start.
3. In the Actions pane, click Connect. Wait until the virtual machine starts.
4. Sign in by using the following credentials:
o User name: Administrator
o Password: Pa$$w0rd
o Domain: Adatum
5. Repeat steps 2 through 4 for 20687C-LON-CL1.
Exercise 1: Configuring and Using File History
Scenario
A. Datum users are complaining that they cannot find any backup apps in Windows 8.1. You have been
asked to demonstrate to these users how they can use File History to protect files that are stored locally
on their computers.
The main tasks for this exercise are as follows:
1. Create a share for File History.
2. Configure and use File History.
3. Protect an additional folder with File History.
Task 1: Create a share for File History
On LON-DC1, create a folder named FileHistory. Grant domain users Full Control permissions to the
folder, and then share it with Full Control permissions for Everyone.
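As an added example, not part of the lab steps, the following Windows PowerShell creates the share exactly as Task 1 specifies and, beside it, a tighter variant in which each user can reach only his or her own File History data. New-SmbShare, Get-SmbShareAccess, icacls.exe and Get-Acl are built in to Windows Server 2012 R2; the path C:\FileHistory, the function names and the tighter ACL design are this example's assumptions.

```powershell
# Added example, not part of the lab steps. Assumes LON-DC1 runs Windows
# Server 2012 R2 (SmbShare module), an elevated PowerShell session on LON-DC1,
# and the folder C:\FileHistory; the path is this example's choice and the
# account names follow the lab's ADATUM domain.

$Path = 'C:\FileHistory'

# Exactly what Task 1 asks for: NTFS Full Control for Domain Users on the
# folder and everything in it, and a share that grants Everyone Full Control.
# Every domain user can therefore read, alter or delete every other user's
# File History copies.
function New-LabFileHistoryShare {
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
    icacls.exe $Path /grant 'ADATUM\Domain Users:(OI)(CI)F' | Out-Null
    New-SmbShare -Name 'FileHistory' -Path $Path -FullAccess 'Everyone'
}

# Tighter variant (this example's design, not the lab's; test it before you
# deploy it): users can list the root and create their own top-level folder,
# and the creator owns everything below it. The share permission stays wide
# because the NTFS permissions are what enforce isolation. File History writes
# to \\server\share\<user>\<computer>\..., so this is all it needs.
function New-IsolatedFileHistoryShare {
    New-Item -Path $Path -ItemType Directory -Force | Out-Null
    icacls.exe $Path /inheritance:r | Out-Null                                   # start from a clean ACL
    icacls.exe $Path /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    icacls.exe $Path /grant 'ADATUM\Domain Users:(RX,AD)' | Out-Null             # this folder only: list + create subfolder
    icacls.exe $Path /grant 'CREATOR OWNER:(OI)(CI)(IO)F' | Out-Null             # owner gets Full Control of what they create
    New-SmbShare -Name 'FileHistory' -Path $Path -FullAccess 'Everyone'
}

# Review what was granted; the NTFS ACL is the part that matters.
function Get-FileHistoryShareAccess {
    [pscustomobject]@{
        Share = (Get-SmbShareAccess -Name 'FileHistory' |
                 ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" }) -join '; '
        Ntfs  = (Get-Acl -Path $Path).Access |
                ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" } | Sort-Object -Unique
    }
}

New-LabFileHistoryShare
Get-FileHistoryShareAccess
```

Run New-IsolatedFileHistoryShare instead of New-LabFileHistoryShare to build the tighter variant (only one of the two can be run, since the share name is the same). Either way, the effective access is the intersection of the share permission and the NTFS permission, so leaving the share at Everyone Full Control is harmless only if the NTFS ACL does the real work.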
Task 2: Configure and use File History
1. Create a new Word 2013 document named Recovery file in the Documents library.
2. Modify Recovery file contents, and then save the file.
3. Use File History to add \\LON-DC1\FileHistory as an available drive, and then turn on File History.
4. Delete the file named Recovery file in the Documents library.
5. Use the History option in File Explorer to recover the file.
Task 3: Protect an additional folder with File History
1. On LON-CL1, verify that three file folders and four libraries are protected by the File History feature.
Also, verify that only Recovery file.docx is protected currently by File History.
2. Use File Explorer to add the folder E:\Labfiles\Docs to the Documents library.
3. Use File History to run file copy.
4. Use File Explorer to delete the E:\Labfiles\Docs\Windows.docx file.
5. Use File History to restore the Windows.docx file to the E:\Labfiles folder.
6. Use File Explorer to verify that the Windows.docx file is restored to E:\Labfiles folder.

Results: After completing this exercise, you should have configured and used the File History feature.
Exercise 2: Exploring Windows 8.1 Recovery Options
Scenario
In this exercise, you will explore startup-recovery options, including accessing the advanced startup
options.
The main tasks for this exercise are as follows:
1. Configuring System Restore.
2. Using System Restore.
3. Access Windows RE tools.
4. Create a duplicate boot entry in the boot store.
5. Enable advanced boot options.
Task 1: Configuring System Restore
1. On LON-CL1, use System Properties to turn on System protection.
2. Create a restore point, and then name it Initial settings.
3. Use File Explorer to navigate to the E:\Labfiles\Mod14 folder, and then install XML Notepad. Verify
that XML Notepad 2007 shortcut is added to the desktop.
4. Create a new text document on the desktop and name it My document.
5. Use Device Manager to update the driver for Microsoft Hyper-V Virtual Keyboard with a driver for
Microsoft Wireless Keyboard 700 v2.0 (106/109).
Note: Be aware that you must clear the Show compatible hardware check box to be able
to select it.
6. In Device Manager, verify that Microsoft Wireless Keyboard 700 v2.0 (106/109) is shown with an
exclamation point (!).
Task 2: Using System Restore
1. Use System Restore to scan for programs that would be affected if you restored the Initial settings
restore point.
2. Use System Restore to restore the Initial settings restore point.
3. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
4. Verify that My document.txt is still on desktop and that the XML Notepad 2007 shortcut is no
longer present on the desktop.
5. Use Device Manager to verify that Microsoft Hyper-V Virtual Keyboard is present. Microsoft Wireless
Keyboard 700 v2.0 (106/109) was removed, as you added it after the restore point was created.
6. Use System Restore to verify that an additional restore point with the description Restore Operation
and Type of Undo was created.
7. Shut down LON-CL1 and wait until LON-CL1 is turned off.
Task 3: Access Windows RE tools
1. On 20687C-LON-CL1, mount the Windows 8.1 installation DVD from D:\Program Files
\Microsoft Learning\20687\Drives\ Win81Ent_Eval.iso, and then start the virtual machine.
2. Initialize setup from the DVD, and then select Repair your computer.
3. Select Troubleshoot from the available options, and then select Advanced options.
4. Use System Restore to verify that restore points that were created can be restored from Windows RE.
Verify which programs would be affected if you would restore the Restore Operation restore point.
Do not restore any restore point, and return to the Advanced options screen.
5. Click Command Prompt, and then run the following commands to view the startup environment:
o Bcdedit /enum
o Bootrec /scanos
o Diskpart
6. In Diskpart, type the following commands to view information about disks and volumes installed on
LON-CL1:
o List disk
o List volume
7. Close Diskpart, and then close the Command Prompt window.
8. Perform Startup Repair from the Windows RE Troubleshoot menu.
9. Restart your computer normally.
Task 4: Create a duplicate boot entry in the boot store
1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd, and then open an elevated
command prompt.
2. Create a duplicate boot entry by running the following command at the elevated command prompt:
bcdedit /copy {current} /d "Duplicate boot entry"
3. Verify the presence of Duplicate boot entry in the store with the following command, and then
restart the computer:
Bcdedit /enum
Task 5: Enable advanced boot options
1. When the Windows operating system restarts, wait until the Choose an operating system menu
appears, and then click Change defaults or choose other options. Select the following options in
turn:
o Choose other options
o Troubleshoot
o Advanced options
o Startup Settings
o Restart
2. Start the Windows operating system in safe mode, and then sign in as Adatum\Administrator with
password Pa$$w0rd.
3. Revert and restart the 20687C-LON-CL1 virtual machine in preparation for the next exercise.

Results: After completing this exercise, you should have used various Windows 8.1 operating system
startup-recovery tools.
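As an added example that is not part of the course lab, the following Windows PowerShell code parses the text that Bcdedit /enum prints into objects and reports Windows Boot Loader entries that point at the same Windows installation, which is how the duplicate boot entry from Task 4 shows up in the store (an entry whose loader path is not winload is flagged as well). The function names and the sample bcdedit output are constructed for this example.

```powershell
# Added example, not part of the course lab. Function names are invented here.
# Parses "bcdedit /enum" text into objects and reports Windows Boot Loader entries
# that share an osdevice and systemroot with another entry (a duplicated entry, as
# created by "bcdedit /copy {current}"), or whose loader path is not winload.
function ConvertFrom-BcdEnum {
    param([Parameter(Mandatory)][string[]]$Lines)

    $entries = New-Object System.Collections.Generic.List[object]
    $current = $null
    $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^-+$') { continue }                    # dashed underline below a block title
        if ($line.Trim() -eq '') { $current = $null; continue }  # blank line ends the current block
        if ($null -eq $current) {
            # first non-blank line of a block is its type, e.g. "Windows Boot Loader"
            $current = [ordered]@{ Type = $line.Trim() }
            $entries.Add($current)
        }
        elseif ($line -match '^(\S+)\s{2,}(.*)$') {
            # "identifier              {current}" style key/value line
            $lastKey = $Matches[1]
            $current[$lastKey] = $Matches[2].Trim()
        }
        elseif ($line -match '^\s+(\S.*)$' -and $lastKey) {
            # indented continuation line, e.g. the second GUID of "displayorder"
            $current[$lastKey] += ' ' + $Matches[1].Trim()
        }
    }
    foreach ($e in $entries) { [pscustomobject]$e }
}

function Find-DuplicateBootLoader {
    param([Parameter(Mandatory)][object[]]$Entries)

    $loaders = @($Entries | Where-Object { $_.Type -eq 'Windows Boot Loader' })
    foreach ($e in $loaders) {
        $reasons = @()
        # same osdevice + systemroot as another entry: two entries boot the same installation
        $twins = @($loaders | Where-Object {
            $_.identifier -ne $e.identifier -and
            $_.osdevice -eq $e.osdevice -and $_.systemroot -eq $e.systemroot })
        if ($twins.Count -gt 0) {
            $reasons += 'same installation as ' + ($twins.identifier -join ', ')
        }
        # a loader path other than winload.exe / winload.efi deserves a second look
        if ("$($e.path)" -notmatch '^\\windows\\system32\\winload\.(exe|efi)$') {
            $reasons += "unexpected loader path '$($e.path)'"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Identifier  = $e.identifier
                Description = $e.description
                Reason      = $reasons -join '; '
            }
        }
    }
}

# Constructed sample of "bcdedit /enum" output after the lab's "bcdedit /copy {current}" step.
$sample = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
default                 {current}
displayorder            {current}
                        {1a2b3c4d-0000-4000-8000-000000000001}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 8.1
osdevice                partition=C:
systemroot              \Windows

Windows Boot Loader
-------------------
identifier              {1a2b3c4d-0000-4000-8000-000000000001}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Duplicate boot entry
osdevice                partition=C:
systemroot              \Windows
'@

$entries = ConvertFrom-BcdEnum -Lines ($sample -split "`r?`n")
Find-DuplicateBootLoader -Entries $entries | Format-Table -AutoSize
# Against the live store (elevated prompt): ConvertFrom-BcdEnum -Lines (bcdedit /enum)
```

Both constructed loader entries are reported, because each shares partition=C: and \Windows with the other; after the lab, the copy can be removed with bcdedit /delete and its identifier.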
Exercise 3: Introducing a Simulated Problem
Scenario
In this exercise, you will attempt to fix a computer that is running Windows 8.1. The computer does not
start successfully. You have an open help-desk ticket so that you can determine the likely cause of the
problem.
A. Datum Incident Record
Incident number: 161071
Date and time of call: Jan 25 10:45am
User: Adam Carter
Incident Details
Adam Carter has reported that his computer will not start properly.

Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a
specific line-of-business application. He abandoned the installation after getting only partway through
the process. Since then, his computer displays the following error message when it starts:
Windows Boot Manager.
File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data (BCD) file is missing required information.
Plan of Action


The main tasks for this exercise are as follows:
1. Read the help-desk Incident Record for Incident 161071.
2. Update the Plan of Action section of the Incident Record.
3. Simulate the problem.
Task 1: Read the help-desk Incident Record for Incident 161071
Read the help-desk Incident Record (in the exercise scenario in the student handbook) for Incident
161071.
Task 2: Update the Plan of Action section of the Incident Record
1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.
Task 3: Simulate the problem
1. Switch to LON-CL1, and then sign in by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
2. Open File Explorer, run the E:\Labfiles\Mod14\Scenario1.vbs script, and then wait while LON-CL1
restarts.

Results: After this exercise, you should have reproduced the reported startup problem on Adam's
computer.
Exercise 4: Resolving a Problem
Scenario
In this exercise, you must attempt to resolve the startup problem.
The main task for this exercise is as follows:
1. Attempt to resolve the problem.
Task 1: Attempt to resolve the problem
1. On LON-CL1, attempt to resolve the problem by using your knowledge of the startup architecture
and the tools available for troubleshooting the startup environment.
2. Update the Plan of Action section of the Incident Record.
3. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.

Results: After completing this exercise, you should have resolved the startup problem and documented
your solution.
Prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.

Module Review and Takeaways
Review Questions
Question: After installing a new video driver, your user's computer becomes unstable and will
not start correctly. What would you try first to resolve this problem?
Question: The boot environment of a user's computer is corrupted, and you suspect a virus.
Before you can run virus removal tools, you must repair the boot configuration. What command-
line tool or tools could you use?
Question: You add a new hard disk to the computer, which changes the computer's partition
numbering. To enable the computer to start, you need to change the BCD. What tool can you
use to change the BCD?
Question: A user has reported a problem to the help desk. The user is experiencing problems
with starting a computer after a new device driver was added. You decide to start the computer
by using a minimal boot, but you want to configure that from the Windows operating system
before restarting. What tool could you use?
Question: A system service is causing startup problems, and your help-desk user has started the
problematic computer in Windows RE. What command-line tool can you use to modify service
startup type?
Question: The help desk recently installed a new device driver on a computer. A stop code is
generated and a blue screen is shown during computer startup. What recovery mechanism would
you try first?
Tools
| Tool | Use for | Where to find it |
|---|---|---|
| BCDEdit.exe | Viewing and configuring the BCD store | Command line |
| Sc.exe | Managing services | Command line |
| MSConfig.exe | Managing services and the startup environment | Windows operating system |
| Windows RE | Troubleshooting Windows 8.1 computers | Elements available on the hard disk (automatic failover) and the product installation DVD |
| Safe Mode | Troubleshooting startup | Accessible from the Startup Settings page |
| BootRec.exe | Managing the boot environment | Command line |

Module 15
Configuring Client Hyper-V
Contents:
Module Overview 15-1
Lesson 1: Overview of Client Hyper-V 15-2
Lesson 2: Creating Virtual Machines 15-6
Lesson 3: Managing Virtual Hard Disks 15-13
Lesson 4: Managing Checkpoints 15-19
Lab: Configuring Client Hyper-V 15-24
Module Review and Takeaways 15-27

Module Overview
Hyper-V is the primary platform for infrastructure virtualization. Hyper-V enables multiple operating
systems to run in individual virtual machines that share the same physical platform. Virtual machines can
be isolated or connected to a network. This module will introduce you to Client Hyper-V in Windows 8.1
and explain the fundamentals of working with virtual machines in a Client Hyper-V environment.
Objectives
After completing this module, you will be able to:
Describe the functionality and benefits of using Client Hyper-V.
Create virtual machines.
Manage virtual hard disks (VHDs).
Manage checkpoints.
Lesson 1
Overview of Client Hyper-V
Client Hyper-V is a Windows 8.1 feature that is available only in the 64-bit version of the operating
system. You can use Client Hyper-V to create and run multiple virtual machines on the same Windows 8.1
computer. You can isolate virtual machines or connect them to a network. You also can use them to
provide an additional environment, such as for running applications that are not compatible with
Windows 8.1.
This lesson introduces you to Client Hyper-V functionality in Windows 8.1, and it introduces scenarios that
might benefit from a virtual environment. Client Hyper-V provides the same core virtualization
technology that is included in Windows Server 2012 R2.
Lesson Objectives
After completing this lesson, you will be able to:
Explain the purpose and functionality of Client Hyper-V.
Identify scenarios for using Client Hyper-V.
Purpose and Functionality of Client Hyper-V
At its most basic level, Client Hyper-V provides the
ability to share a computer's physical hardware
with one or more isolated operating systems that
are running in virtualized environments or virtual
machines. Virtual machines are configured to
share physical resources from a physical
computer, and they represent those virtualized
resources as usable components to a virtual
machine's operating system. For example, one
computer with one network adapter might have
five different virtual machines that run in Client
Hyper-V. In each of these virtual machines, a
virtualized network adapter is associated with the single physical network adapter, enabling five virtual
machines to have individual media access control (MAC) addresses, to be assigned individual IP addresses,
and to gain network access. Similar virtualization happens with other hardware components, such as
processors, memory, and hard disks.
Client Hyper-V Functionality
Client Hyper-V is a feature that enables virtualization within a Windows 8.1 environment. Client Hyper-V
uses the same virtualization engine as Hyper-V in Windows Server 2012 R2 and contains the same core
feature set. Client Hyper-V replaces the Windows XP Mode that was previously available in Windows 7,
and it has some significant differences in functionality:
Compatibility with Hyper-V in Windows Server. Client Hyper-V supports the same standard
functionality as Hyper-V in Windows Server. You can import and export virtual machines and virtual
hard disks between Hyper-V and Client Hyper-V without any requirement for conversion or
modification.
Support for 64-bit virtual machines. Client Hyper-V can provide both a 32-bit and a 64-bit virtualized
hardware environment for virtual machines. Windows XP Mode supported only 32-bit virtualized
hardware.
No application-level virtualization. In Windows 7, the Windows XP Mode enabled a user to run an
application in a virtualized Windows XP environment while displaying it within a Windows 7
environment. In Windows 8.1, Client Hyper-V exposes the complete virtualized operating system in its
own window.
Hyper-V and Client Hyper-V Feature Comparison
The following table compares the availability of some features between Client Hyper-V and Hyper-V.

| Feature | Client Hyper-V in Windows 8.1 | Hyper-V in Windows Server 2012 R2 |
|---|---|---|
| Sleep and hibernate for physical computer and virtual machines | Yes | |
| Hyper-V Replica | | Yes |
| Microsoft RemoteFX graphics virtualization | | Yes |
| Single-root I/O virtualization (SR-IOV) | | Yes |
| Virtual Fibre Channel | | Yes |
| Virtual machine live migration | | Yes |
| Network virtualization | | Yes |
| Virtual wireless network adapters | Yes | Yes |
| Live storage move | Yes | Yes |
| Up to 64 terabytes (TB) per virtual disk | Yes | Yes |
Client Hyper-V Requirements
To implement Client Hyper-V in Windows 8.1, a computer must meet the following requirements:
Memory. A computer must have at least 4 gigabytes (GB) of physical memory to support Client
Hyper-V. The memory in a computer is allocated and unallocated dynamically as required by the
virtual machines. You can run several virtual machines on a Windows 8.1 host if it meets the minimum
memory requirement. Depending on the specific requirements of virtual machines, you might need
to install more physical memory.
Storage. Client Hyper-V supports the same storage migration capability that is included in Hyper-V in
Windows Server 2012 R2. This means that you can store virtual machines independently of the
underlying storage. Additionally, you can move a virtual machine's storage between local drives, to a
USB drive, or to a remote file share without having to stop the virtual machine.
Processor. A computer must have an x64 processor that supports hardware-assisted virtualization and
Data Execution Prevention (DEP). Additionally, it must be running the 64-bit Windows 8.1 edition of
the operating system. Client Hyper-V requires a 64-bit processor architecture that supports second-
level address translation. Second-level address translation reduces the overhead incurred during the
virtual-to-physical address mapping process performed for virtual machines.
Hyper-V Management Tools
Hyper-V Manager is the primary tool for managing Client Hyper-V. It is a console based on Microsoft
Management Console (MMC). Hyper-V Manager provides complete access to Client Hyper-V functionality
in Windows 8.1. Windows Server 2012 R2 Hyper-V also uses Hyper-V Manager, so any experience in either
operating system will correspond directly to the other.
The other graphical tool that is installed with Client Hyper-V is the Virtual Machine Connection tool. You
can use the Virtual Machine Connection tool to connect to a virtual machine with an interface that is very
similar to Remote Desktop Protocol.
Note: Both Hyper-V Manager and the Virtual Machine Connection tool are installed if you
turn on the Hyper-V GUI Management Tools feature in Windows 8.1.
The Hyper-V module for the Windows PowerShell command-line interface enables you to manage Client
Hyper-V by using Windows PowerShell cmdlets. The Hyper-V module can be useful for scripting Client
Hyper-V management or managing remote Hyper-V installations.
Note: You can view the entire list of cmdlets that are related to Hyper-V by running the
Get-Command -Module Hyper-V cmdlet at a Windows PowerShell command prompt.
Question: What must you do to enable administration of Client Hyper-V by using Windows
PowerShell?
Scenarios for Using Client Hyper-V
Hyper-V in Windows Server 2012 R2 and Client
Hyper-V share the same underlying platform,
which enables you to take advantage of the Client
Hyper-V features in your organization in many
different ways:
Using Client Hyper-V, you can build a test lab
infrastructure that is hosted entirely on a
laptop or PC, and you can export the virtual
machines that you create and test from your
laptop or PC into production.
You can create a Client Hyper-V virtual
machine and use it as a preproduction
environment for testing apps. You might be preparing to migrate a Windows client infrastructure to
Windows 8.1 and require testing of all line-of-business apps. You can employ a virtual machine that is
running Windows 8.1 to test the app and then revert the virtual machine back to its default state by
using checkpoints to test other apps.
You can create several virtual machines, each with a different installed version of a Windows
operating system, to test a new app. For example, you could install Windows 8.1 on the first virtual
machine, Windows 7 on the second virtual machine, and Windows XP on the third virtual machine.
You can configure each virtual machine to your testing specifications and then revert the machines
after testing is complete so that the machines are immediately ready for the next testing task.
If you encounter problems with a virtual machine on Windows Server 2012 R2 in your production
Hyper-V environment, you can copy or export that virtual machine from the production environment,
import it into Client Hyper-V, perform the required troubleshooting, and then export it back into the
production environment.
With Client Hyper-V, you can use Hyper-V virtualization, wireless network adapters, and sleep states
on your desktop computer. For example, if you run Client Hyper-V on a laptop and close the lid, the
virtual machines that are running go into a saved state and resume when the machine wakes.
Virtual machine tools that are created for Hyper-V in Windows Server, such as Sysinternals Disk2VHD
tools, also work in Client Hyper-V.
Using virtual machine networking, you can create a multiple machine environment for test,
development, and demonstration. This environment is secure and does not affect a production
network.
You can use preconfigured virtual hard disks to test new Microsoft software. Microsoft.com hosts a
large number of ready-to-use virtual hard disk (.vhd) files that you can use with Hyper-V or Client Hyper-V.
After you import a file, virtual hard disks provide a functional test version of the specific product for
evaluation. With virtual hard disk files, there is no need to upgrade or configure operating systems, or
to download and install apps. The entire environment is ready to go in the virtual hard disk file the
first time you start the virtual machine.
Question: Can you run two virtual machines with the same name and TCP/IP network
settings in the same Client Hyper-V environment?
Lesson 2
Creating Virtual Machines
You can use Client Hyper-V for creating and running virtual machines. You can create virtual machines in
several different ways. This lesson explains how you can create virtual machines by using Hyper-V
Manager and Windows PowerShell. This lesson also explores hardware components of the virtual
machine, explains the differences between Generation 1 and Generation 2 virtual machines, and describes
the process for creating and managing virtual machines in Client Hyper-V.
Lesson Objectives
After completing this lesson, you will be able to:
Describe how to create a virtual machine.
Explain how to configure virtual machine settings.
Describe how to run virtual machines.
Creating a Virtual Machine
A virtual machine represents a physical computer
in a virtualization environment. Virtual computers
have components similar to physical computers.
However, virtual computers can use only
components that are part of a Client Hyper-V
virtualization infrastructure. Client Hyper-V can
present devices to a virtual machine in the
following two ways:
Emulated devices. Client Hyper-V presents an
emulated device to a virtual machine as if it is
actual hardware. Emulated devices present
standard and well-known functionalities that
are universal to all devices of that type. This means that almost any operating system supports them.
Emulated devices are available when a virtual machine starts, and a virtual machine can start from
them. These emulated devices include integrated device electronics (IDE) controllers or legacy
network adapters.
Hyper-V specific devices. Client Hyper-V does not present synthetic components to the virtual
machine as actual hardware. It presents them to the operating system on the virtual machine as a
functionality that the device driver can use. Newer operating systems, such as Windows 8 and
Windows 8.1, support such functionality by default when running in virtual machines, and for other
operating systems, you need to install integration services to support them. Synthetic devices are not
available during startup, and you cannot start a virtual computer from them.
Creating a virtual machine in Hyper-V Manager is a wizard-based process that prompts you for the necessary
information to create the virtual machine. When creating a virtual machine, you must specify several
virtual machine settings at the time of creation:
Virtual machine name. The name that you specify identifies the virtual machine in Hyper-V Manager,
and also is used in the naming of various virtual machine-related files.
Virtual machine location. By default, a virtual machine is created and located on a computer's system
drive. If your computer has multiple physical hard disks, you typically can increase the performance of
your virtual machine by placing it on a disk that is separate from the system disk. For computers with
solid-state drives (SSDs), this is not as effective.
Virtual machine generation. Before Client Hyper-V in Windows 8.1, Hyper-V only supported what
today is known as Generation 1 virtual machines. You now can create Generation 2 virtual machines,
which include support for secure boot and which can be started either from a SCSI virtual disk or by
using a network adapter. If you want to use a Generation 2 virtual machine, you must install at least
Windows Server 2012 or a 64-bit version of Windows 8 or newer to the virtual machine. After the
virtual machine is created, you cannot change its generation.
Memory. The amount of memory that you specify will be assigned to a virtual machine from the
available physical memory on your Windows 8.1 computer. You also can configure a virtual machine
to use Dynamic Memory.
Network connection. Your virtual machine can have one or more virtual network adapters. By default,
a new virtual machine is created with a single network adapter that can be connected to a virtual
switch. You can create a virtual switch that will connect virtual machines to an external network
through a physical network adapter, or you can create a self-contained virtual switch to provide an
isolated network environment. Alternatively, you might choose not to connect a virtual machine to
any virtual switch.
Virtual hard-disk location. By default, a single virtual hard disk is created in the same directory that is
specified for the virtual machine location. You also might choose to use a preexisting virtual hard disk
that has been created. For example, many Microsoft products are available for trial purposes in
preconfigured .vhd files.
Operating system installation media. Unless you are attaching a virtual hard disk that already has an
installed operating system, you will need to install an operating system on your virtual machine. You
can specify an .iso image CD/DVD file to use as installation media, or you can attach a physical
CD/DVD drive from the host machine to the virtual machine, and then install the operating system
from that media.
Creating a Virtual Machine in Hyper-V Manager
To create a virtual machine, perform the following procedure:
1. Open Hyper-V Manager from the Start screen by typing Hyper-V Manager, and then press Enter.
2. In Hyper-V Manager, in the Actions pane, click New, and then click Virtual Machine.
3. The New Virtual Machine Wizard appears. Click Next.
4. On the Specify Name and Location page, in the Name field, type the name of your virtual machine.
Select where you want to store the virtual machine and its associated VHDs, and then click Next.
5. On the Specify Generation page, select whether you want to create a Generation 1 or a Generation 2
virtual machine, and then click Next.
6. On the Assign Memory page, in the Memory field, specify the amount of memory to assign to the
virtual machine, select whether you want to use Dynamic Memory, and then click Next.
7. On the Configure Networking page, in the Connection list, select the appropriate network switch,
and then click Next.
8. On the Connect Virtual Hard Disk page, create a new VHD or use an existing VHD file that you have
created already, and then click Next.
9. On the Installation Options page, select from where you want to install an operating system on the
virtual machine, and then click Next.
10. On the Completing the New Virtual Machine Wizard page, click Finish.
Creating a Virtual Machine in Windows PowerShell
If you want to create a new virtual machine by using Windows PowerShell, you can run the New-VM
cmdlet. You should be aware that the New-VM cmdlet has a limited set of options, but you can modify
and customize a virtual machine after you create it. You can create a new virtual machine by performing
the following procedure:
1. On the Windows 8.1 computer, on the Start screen, type powershell, right-click Windows
PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog
box.
2. In the Administrator: Windows PowerShell window, run the following cmdlet to create a Generation
1 virtual machine named Windows 8.1 with 4 GB of memory, with its files stored in the C:\VMs folder,
with a 100 GB virtual hard disk named Disk1.vhdx, and connected to a virtual switch named Private:
New-VM -Name "Windows 8.1" -Generation 1 -MemoryStartupBytes 4GB -Path C:\VMs -NewVHDPath "C:\VMs\Windows 8.1\Disk1.vhdx" -NewVHDSizeBytes 100GB -SwitchName Private
Question: Can you convert a Generation 1 virtual machine that has Windows Server 2012 R2
installed to a Generation 2 virtual machine?
Configuring Virtual Machine Settings
When you create a virtual machine by using the
New Virtual Machine Wizard or the Windows
PowerShell New-VM cmdlet, you only can
configure a limited number of options. For
example, you cannot adjust Dynamic Memory
settings, add more than one virtual hard disk to
the virtual machine, or configure the virtual
machine with a directly attached or differencing
virtual hard disk. However, after you create the
virtual machine, you have many more options that
you can configure. You can configure most of the
virtual machine settings and modifications to
hardware configuration only when the virtual machine is turned off (not paused or in saved state).
However, you can configure options such as the virtual switch to which a network adapter is connected, or
add a virtual hard disk to the SCSI controller while the virtual machine is running. Configuration options
also depend slightly on the virtual machine generation because some virtual hardware is available only for
Generation 1 virtual machines. You can enable secure boot for Generation 2 virtual machines, whereas
Generation 1 does not have such an option.
You can configure virtual machine settings in Hyper-V Manager or by using Windows PowerShell. In
Hyper-V Manager, you right-click the virtual machine, click Settings, and then modify the properties of
the hardware component that you want to configure. In Windows PowerShell, you can use several
different cmdlets to configure a virtual machine, depending on whether you want to configure virtual
machine settings (Set-VM), add virtual hardware components (Add-VMHardDiskDrive, Add-
VMNetworkAdapter), or modify existing hardware component settings (Set-VMHardDiskDrive, Set-
VMNetworkAdapter).
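As an added example that is not code from the course, the following Windows PowerShell script covers both the New-VM procedure above and the settings section: it creates a Generation 2 virtual machine with New-VM and then uses Set-VM, Set-VMFirmware, Add-VMHardDiskDrive and Add-VMDvdDrive to configure what the wizard and New-VM cannot set (the Dynamic Memory range, secure boot, a second SCSI disk, installation media and the automatic start and stop actions). It assumes an elevated session on a 64-bit Windows 8.1 host with the Hyper-V module, a virtual switch named Private, and the .iso path shown, which is a placeholder; the VM name is constructed.

```powershell
# Added example, not course code. Assumes an elevated Windows PowerShell session on a
# 64-bit Windows 8.1 host with Client Hyper-V and its PowerShell module installed,
# a virtual switch named "Private", and an installation image at the placeholder path below.
#Requires -RunAsAdministrator
#Requires -Modules Hyper-V

$VMName  = 'LON-TEST1'                      # constructed name
$VMPath  = 'C:\VMs'
$Switch  = 'Private'
$IsoPath = 'C:\ISO\Win81Ent_Eval.iso'       # placeholder: point this at a real .iso

if (-not (Get-VMSwitch -Name $Switch -ErrorAction SilentlyContinue)) {
    # A self-contained (private) switch keeps the test VM off the production network
    New-VMSwitch -Name $Switch -SwitchType Private | Out-Null
}

# 1. What New-VM can set: name, generation, startup memory, location, first disk, switch.
#    Generation 2 means UEFI firmware and synthetic devices only; the guest must be
#    64-bit Windows 8 or Windows Server 2012 or newer.
$vm = New-VM -Name $VMName -Generation 2 -MemoryStartupBytes 2GB -Path $VMPath `
             -NewVHDPath (Join-Path $VMPath "$VMName\Disk1.vhdx") -NewVHDSizeBytes 60GB `
             -SwitchName $Switch

# 2. What New-VM cannot set: the Dynamic Memory range and the automatic start/stop actions
Set-VM -VM $vm -DynamicMemory -MemoryMinimumBytes 1GB -MemoryMaximumBytes 4GB `
       -AutomaticStartAction Nothing -AutomaticStopAction Save

# 3. Secure boot exists only for Generation 2 VMs; keep it on so the guest firmware
#    runs only signed boot loaders
Set-VMFirmware -VM $vm -EnableSecureBoot On

# 4. A second (dynamically expanding) data disk on the SCSI controller
$dataDisk = New-VHD -Path (Join-Path $VMPath "$VMName\Data.vhdx") -SizeBytes 20GB -Dynamic
Add-VMHardDiskDrive -VM $vm -ControllerType SCSI -Path $dataDisk.Path

# 5. Installation media: a virtual DVD drive with the .iso, set as the first boot device
$dvd = Add-VMDvdDrive -VM $vm -Path $IsoPath -Passthru
Set-VMFirmware -VM $vm -FirstBootDevice $dvd

# 6. Checkpoint and Smart Paging file locations; the checkpoint location can be changed
#    only until the first checkpoint is created
Set-VM -VM $vm -SnapshotFileLocation (Join-Path $VMPath "$VMName\Checkpoints") `
       -SmartPagingFilePath (Join-Path $VMPath $VMName)

# Review the result
Get-VM -Name $VMName |
    Select-Object Name, Generation, State, MemoryStartup, DynamicMemoryEnabled, AutomaticStopAction
Get-VMHardDiskDrive -VMName $VMName |
    Select-Object ControllerType, ControllerNumber, ControllerLocation, Path
Get-VMFirmware -VM $vm | Select-Object SecureBoot, BootOrder
```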
Generation 1 virtual machines contain the components that are listed in the following table.

| Component | Description |
|---|---|
| BIOS | Specifies the startup order of boot devices. |
| Memory | Configures the amount of memory that is assigned to a virtual machine, the dynamic range of memory that can be used, and memory weight. When a virtual machine is running, that memory is allocated exclusively and cannot be used by other virtual machines or by the Hyper-V host. |
| Processor | Configures the number of processors that are available to a virtual machine, the resource control, the processor compatibility settings, and the non-uniform memory access settings. |
| IDE controller | Connects IDE virtual disks and DVD to a virtual machine. Generation 1 virtual machines have two IDE controllers. Devices that are connected to IDE controllers can be used to start a virtual machine. |
| SCSI controller | Connects SCSI virtual disks to a virtual machine. SCSI controllers are synthetic, which means that a Generation 1 virtual machine cannot start from a virtual disk that is connected to it. |
| Network adapter | Connects a virtual machine with a virtual switch. Network adapters are synthetic, which means that Generation 1 virtual machines cannot use them for Pre-Boot Execution Environment (PXE) boot. |
| Legacy network adapter | Connects a virtual machine with a virtual switch. Legacy network adapters are emulated, which means that they are available during startup, and Generation 1 virtual machines can use them for PXE. |
| Fibre Channel adapter | Accesses Fibre Channel-based storage directly from a virtual machine. This is a synthetic device, which means that it is not available during startup. |
| COM port | Configures a virtual COM port to communicate with a physical server through a named pipe. |
| Diskette drive | Connects virtual floppy disks to a virtual machine. |

As part of the virtual machine settings, you also can configure management settings. In the Management
section, you can configure the components that are listed in the following table.

| Component | Description |
|---|---|
| Name | Specify the name of a virtual machine and add comments about it. |
| Integration Services | Enable services that a Hyper-V host will offer to a virtual machine. To use any of the services, Integration Services must be installed and supported on the virtual machine operating system. |
| Checkpoint File Location | Specify the folder in which checkpoint files for a virtual machine will be stored. You can modify this location until the first checkpoint is created. |
| Smart Paging File Location | Specify the folder in which the Smart Paging file for a virtual machine will be created, if necessary. |
| Automatic Start Action | Specify whether to start a virtual machine automatically after the Hyper-V host restarts, and how long after Hyper-V is running to start it. |
| Automatic Stop Action | Specify the state in which to place a virtual machine when the Hyper-V host shuts down. |

Windows 8.1 and Windows Server 2012 R2 fully support the existing type of virtual machines, and they
also provide support for the new type of virtual machines. Virtual machines that were created before
Windows 8.1 are automatically named as Generation 1 virtual machines, while newly created virtual
machines are called Generation 2 virtual machines. When you create a virtual machine in Windows 8.1,
you can decide if you want to create a Generation 1 or Generation 2 virtual machine. Generation 2 is built
on the assumption that operating systems are virtualization-aware. Generation 2 removes all legacy and
emulated virtual hardware devices and uses only synthetic devices. BIOS-based firmware is replaced with
advanced Unified Extensible Firmware Interface (UEFI) firmware that supports secure boot. Generation 2
virtual machines start from a SCSI controller or by using PXE from a network adapter. All legacy and
emulated devices are removed from Generation 2 virtual machines.
Question: Can you modify virtual machine memory settings while a virtual machine is
running?
Running Virtual Machines
Virtual machines maintain their own state within
Client Hyper-V. When a virtual machine is started,
its state is set to Running, and it performs the
startup process of a typical computer, including
loading an operating system. After the operating
system loads, it interacts with the virtual hardware
configured for the virtual machine, and you can
connect to it and work with it like you would a
physical computer.
You can connect to a virtual machine by selecting
the virtual machine and then clicking the Connect
button on the toolbar, or by right-clicking the
virtual machine and then clicking Connect in the shortcut menu. What is displayed in the virtual machine
window will depend on the state of the virtual machine. In Client Hyper-V, a virtual machine can be in five
different states:
Off. A virtual machine that is stopped does not consume any resources on the host machine, and it
exists in a state similar to a physical computer that is powered off.
Starting. When a virtual machine is first started, it remains in the starting state for a brief moment,
during which required resources are checked and assigned to the virtual machine. After this check
and assignment occurs, the starting state changes.
Running. A virtual machine is in its normal operable state when Running is displayed. A running
virtual machine responds to keyboard and mouse input and shows whatever information is being sent
to the virtual machine's display adapter when you are connected to the virtual machine.
Paused. When a virtual machine is paused, it still maintains its allocation of host-computer resources,
but it places the virtual machine's operating system in a temporary sleep state.
Saved. When a virtual machine is in the saved state, its current operating state is saved to the hard
disk, and it stops consuming host computer resources until you start it and place it into a running
state. When a Client Hyper-V computer that supports hibernate and sleep modes enters one of these
modes, virtual machines that are running will enter the saved state.
When you connect to a virtual machine, the Enhanced Session Mode is used by default in Client Hyper-V
on Windows 8.1. Enhanced session mode uses the Remote Desktop Services (RDS) component in virtual
machines, and establishes a full Remote Desktop session to a virtual machine. This means that local
resources such as smart cards, printers, drives, USB devices, or any other supported Plug and Play devices
can be redirected to virtual machines. You also can use a shared Clipboard for copying content to virtual
machines, or even copy files to virtual machines, even if the virtual machine does not have network
connectivity. Enhanced Session Mode is available only if you connect to virtual machines that are running
Windows 8.1 or Windows Server 2012 R2. RDS must be running on the virtual machine, and the user
account that is used to log on to the virtual machine must be a member of the Remote Desktop Users
local group.
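The prerequisites listed above can be checked from PowerShell. This is an added example, not part of the course material: the first part runs on the Windows 8.1 host, the second inside the virtual machine, and the account name LabUser is an assumed value.

```powershell
# Added example (not from the course): check the Enhanced Session Mode prerequisites.
# Host part: Windows 8.1 Client Hyper-V computer. Guest part: inside the virtual machine.

# --- Host: is Enhanced Session Mode allowed? (Hyper-V Settings > Enhanced Session Mode Policy)
Import-Module Hyper-V
Get-VMHost | Select-Object ComputerName, EnableEnhancedSessionMode
# Disable it when clipboard, drive, USB and smart-card redirection into VMs is not wanted:
# Set-VMHost -EnableEnhancedSessionMode $false

# --- Guest: RDS must run, RDP must be allowed, and the user must be in Remote Desktop Users.
function Test-EnhancedSessionPrereq {
    param([Parameter(Mandatory)][string]$UserName)   # e.g. 'LabUser' (assumed account)

    $rds    = Get-Service -Name TermService
    $denyTs = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections

    # Enumerate the local group through ADSI (works on Windows 8.1 / PowerShell 4.0).
    $group   = [ADSI]'WinNT://./Remote Desktop Users,group'
    $members = @($group.psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })

    [pscustomobject]@{
        RdsRunning       = ($rds.Status -eq 'Running')
        RdpAllowed       = ($denyTs -eq 0)
        UserInRdpGroup   = ($members -contains $UserName)
        GuestIsWindows81 = ([Environment]::OSVersion.Version -ge [Version]'6.3')  # 8.1 / 2012 R2
    }
}

Test-EnhancedSessionPrereq -UserName 'LabUser'
```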
Exporting and Importing Virtual Machines
You can export and import virtual machines between computers that are running Client Hyper-V or
Hyper-V in Windows Server 2012 R2. Exporting and importing virtual machines enables multiple
troubleshooting and testing scenarios that might be impossible in a physical computing environment.
Exporting Virtual Machines
When you export a virtual machine, this exports all components that comprise the virtual machine to the
path that you specify. There are four parts to each exported virtual machine:
The Virtual Machines folder contains an .exp file that contains the GUID of the exported file.
The Virtual Hard Disks folder contains copies of each virtual hard disk that is associated with the
virtual machine. If the VHD is a differencing virtual hard disk, all base images that are associated with
the VHD will be copied to the export folder.
The Snapshots folder contains a file with an .exp extension for each checkpoint of the virtual machine.
Config.xml is a configuration file that the import process uses.
Importing Virtual Machines
When you import a virtual machine, Client Hyper-V reads the configuration file (Config.xml) and then
creates a virtual machine by using the configuration information. As part of the import process, Hyper-V
deletes all of the .exp files, which prevents importing the virtual machine a second time, and then replaces
them with XML files. When you import a virtual machine, you have the following options:
Register the virtual machine in-place or Register the virtual machine. When you select either of these
options, Client Hyper-V creates a virtual machine that uses the same unique identifier (ID) as the
exported virtual machine.
Copy the virtual machine. When you select this option, Client Hyper-V copies the virtual machine and
replaces the unique ID for the virtual machine with a new ID.
The process of importing a virtual machine is enhanced considerably in Windows 8.1, and the export
process is no longer required. You can simply copy virtual machine data files between Client Hyper-V
computers, and then run the Import Virtual Machine Wizard on the destination Windows 8.1 computer to
import virtual machines. The Import Virtual Machine Wizard detects and fixes more than 40 types of
incompatibilities between Client Hyper-V environments. It prompts you to provide missing information,
such as the location of a parent virtual hard disk or a virtual switch to which the virtual machine should be
connected, when the appropriate virtual switch is not available.
Question: Why would you rather import a virtual machine into Client Hyper-V than create a
new virtual machine and configure it to use existing virtual hard disks?
Question: Can you use Enhanced Session Mode to start a virtual machine from a USB
device?
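The export, the import options, and the wizard's compatibility check described above can all be driven from PowerShell. This is an added example and not course material; the virtual machine name "Windows 8.1", the folders D:\Exports and D:\VMs, and the switch name "Lab Switch" are assumed values.

```powershell
# Added example (not from the course): export a VM, then import the copy with a new ID,
# resolving the kind of incompatibility the Import wizard prompts for (a missing virtual switch).
Import-Module Hyper-V

$vmName = 'Windows 8.1'
Export-VM -Name $vmName -Path 'D:\Exports'    # creates D:\Exports\<VM name>\...

# On Windows 8.1 the exported configuration is an .xml file under "Virtual Machines".
$config = Get-ChildItem "D:\Exports\$vmName\Virtual Machines" -Filter *.xml |
    Select-Object -First 1

# Compare-VM runs the wizard's compatibility check and returns a report instead of importing.
# -Copy -GenerateNewId is the "Copy the virtual machine" option (new unique ID).
$report = Compare-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs\Config' -VhdDestinationPath 'D:\VMs\Disks'

foreach ($issue in $report.Incompatibilities) {
    # Each incompatibility carries the affected object; a network adapter whose switch
    # does not exist on this host is the common case the lesson mentions.
    if ($issue.Source.GetType().Name -eq 'VMNetworkAdapter') {
        $issue.Source | Connect-VMNetworkAdapter -SwitchName 'Lab Switch'
    } else {
        Write-Warning "Unresolved incompatibility: $($issue.Message)"
    }
}

# Re-evaluate the report and import only when nothing is left to fix.
$report = Compare-VM -CompatibilityReport $report
if ($report.Incompatibilities.Count -eq 0) {
    Import-VM -CompatibilityReport $report
}
```

Omitting -Copy and -GenerateNewId from Compare-VM gives the "Register the virtual machine in-place" behaviour, which keeps the exported ID.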
Lesson 3
Managing Virtual Hard Disks
Just as physical computers store data on physical hard disks, virtual machines store data on virtual hard
disks, which are actually files that reside on physical hard disks. There are different types of virtual hard
disks available, and this lesson explains the differences between the various types. Virtual hard disks can
be in one of two formats: .vhd and .vhdx. Windows 8.1 can also mount virtual hard disks and access their
content from physical computers.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the purpose and functionality of virtual hard disks.
Describe how to configure a virtual hard disk.
Explain how to move virtual hard disk storage.
Overview of Virtual Hard Disks
Virtual machines have different options for storing
their data. Just as virtual machines are isolated
when running on a Hyper-V host, you also can
isolate their hard disks and encapsulate their
content in a single virtual hard disk file with the
.vhd or .vhdx extension. From inside a virtual
machine, virtual hard disks are seen as physical
disks, and virtual machines use them as if they
were physical disks.
You can connect storage to virtual machines by
using two different storage controller types: SCSI
and IDE. A virtual machine can access a disk either
as a virtual Advanced Technology Attachment (ATA) device on a virtual IDE controller or as a virtual SCSI
disk device on a virtual SCSI controller. Virtual storage controllers have the following characteristics:
IDE controllers are available only in Generation 1 virtual machines. Each virtual machine has two IDE
controllers and can have up to two devices, hard drives or DVD drives, attached to each controller.
While a virtual machine is running, you cannot add devices to or remove devices from an IDE
controller.
A Generation 1 virtual machine can start only from an IDE controller.
SCSI controllers are available in all virtual machines. Generation 1 virtual machines can use a SCSI
controller only as a data disk, whereas Generation 2 virtual machines start from SCSI controller
attached disks or DVD drives.
A SCSI controller is synthetic, and you can add disks to or remove disks from a SCSI controller while a
virtual machine is running. A virtual machine can have up to four SCSI controllers, and each SCSI
controller supports up to 64 devices, which means that each virtual machine can have as many as 256
virtual SCSI disks.
You can use different hard disk types, such as fixed size, dynamically expanding, differencing, and
attached physical disks (pass-through disks), with both controller types.
A virtual machine uses storage controllers for accessing storage. The type of storage controller that a
virtual machine uses does not have to be the same type that Client Hyper-V is using. For example, a
Windows 8.1 computer can have only physical SCSI storage, but you can configure virtual machines
with IDE controllers and use IDE-attached virtual hard disks that are stored on the SCSI storage of the
Windows 8.1 computer.
You can store virtual machine virtual hard disks locally on a Windows 8.1 computer, on Server Message
Block (SMB) 3.0 file shares, or on a storage area network (SAN) logical unit number (LUN).
Virtual Hard Disk Formats
The virtual hard disk format has evolved over time, and Client Hyper-V on Windows 8.1 supports two
virtual hard disk formats:
.vhd. This format supports virtual hard disks up to 2,048 GB in size. This format has been available
since Microsoft Virtual Server 2005 was released, which means that you can use the .vhd format with
older versions of Hyper-V and with traditional Microsoft virtualization products such as Windows
Virtual PC.
.vhdx. This format supports virtual hard disks up to 64 TB in size. This format has been available since
Windows 8 and Windows Server 2012 and is not compatible with older versions of Hyper-V.
Experience with the .vhd format guides .vhdx format improvements. The .vhdx format provides better
data corruption protection and optimizes structural alignments on large sector physical disks.
When you compare the .vhd and .vhdx formats, the .vhdx format provides the following benefits:
Support for larger virtual hard disk sizes, up to 64 TB.
Protection against data corruption by logging updates to .vhdx metadata structures, which can be
especially important during power failures.
Ability to store custom metadata about a file, such as which operating system is installed in .vhdx, or
which patches are applied to it.
Improved alignment of the virtual hard disk format to work better with large sector disks.
Larger block sizes for dynamic and differential disks, which improves their performance.
4 kilobytes (KB) logical sector virtual disk, which increases performance when used by applications
that are designed for 4 KB sectors.
Efficiency in data representation, which results in smaller file size so that an underlying physical
storage device can reclaim unused space (trim operation).
Virtual Hard Disk Types
You can create three types of virtual hard disks: fixed size, dynamically expanding, and differencing. After
you create a virtual hard disk, you can edit it and change its format. When selecting a virtual hard disk
format, you should be aware of the following factors:
Fixed size. When you create a fixed-size virtual hard disk, Client Hyper-V allocates space for the entire
virtual hard disk. For example, if you create a 100-GB fixed-size virtual hard disk, Client Hyper-V
creates a 100-GB file, even when it does not include any data. Creation of large fixed-size virtual hard
disks can take significant time because Client Hyper-V has to create the file to the entire specified size
and fill its content with zero values. The size of a fixed-size virtual hard disk does not change because
Client Hyper-V allocates all of the storage space when it creates the virtual hard disk. You cannot
create fixed-size virtual hard disks that require more space than is available on a physical disk. Fixed-
size virtual hard disks are larger than dynamically expanding virtual hard disks, and as such, moving
them can be more time-consuming.
Dynamically expanding. When you create a dynamically expanding virtual hard disk, Client Hyper-V
only creates a small file. That file then grows as you write data to the virtual hard disk until it reaches
its fully allocated size. The size of the dynamically expanding disk only grows. It does not shrink, even
if you delete data. For example, if you create a 100-GB dynamically expanding virtual hard disk, Client
Hyper-V creates a file that is only a few megabytes (MB) in size. When you write to that virtual hard
disk file, it will grow; however, when you delete information from the virtual hard disk, it will not
shrink. When you start using a dynamically expanding virtual hard disk, such as formatting partitions
and installing an operating system on it, the virtual hard disk will start growing until it reaches its
maximum size of 100 GB. Client Hyper-V creates the dynamically expanding virtual hard disk much
faster because it does not allocate all the space at once. However, when you add data to a virtual
hard disk, it becomes fragmented in the same way that any file would on your volume. You can create
dynamically expanding virtual hard disks that would require more space on a physical disk than is
currently available. Dynamically expanding virtual hard disks are smaller than other virtual hard disk
types until their maximum size is reached.
Differencing. A differencing virtual hard disk is always linked to another virtual hard disk in a
parent/child relationship. It cannot exist on its own. The parent virtual hard disk can be fixed-size or
dynamically expanding, but as soon as it becomes a parent disk for a differencing virtual hard disk,
you cannot write to it, so it will neither grow nor shrink. A differencing virtual hard disk is always
dynamically expanding. You also can chain differencing virtual hard disks, as long as all base disks are
not written to. In this scenario, one differencing virtual hard disk uses another differencing virtual
hard disk as a base (parent) disk. The differencing virtual hard disk stores changes for the parent disk
and provides a way to isolate changes without altering the parent disk. When you use a differencing
virtual hard disk, you can access all the data from the parent disk, and changes you make are written
only to the differencing virtual hard disk, not to the parent disk. In other words, reads for modified
data are served from the differencing virtual hard disk, and reads of all other data are served from the
parent virtual hard disk. Metadata is used in both cases to determine from where data should be read,
which results in differencing virtual hard disks having slower performance than fixed-size or
dynamically expanding virtual hard disks. Differencing virtual hard disks must use the same format as
the parent disk's, either .vhd or .vhdx. You cannot specify a size for a differencing virtual hard disk.
Differencing virtual hard disks can grow as large as the parent disk size limit. However, unlike
dynamically expanding disks, you cannot compact differencing virtual hard disks directly. You can
compact a differencing virtual hard disk only after it merges with its parent disk.
Note: Using differencing virtual hard disks can be beneficial in some scenarios. For
example, you could use as a parent a virtual hard disk that has a clean installation of the
Windows 8.1 operating system, and you could use a new differencing virtual hard disk as a virtual
machine hard disk. You could even create multiple differencing virtual hard disks for multiple
virtual machines that would use the same Windows 8.1 virtual disk as their parent disk.
Question: Is there any difference between connecting a virtual hard disk to a virtual machine
by using an IDE or SCSI virtual controller?
Question: Can Client Hyper-V allocate more storage space to a differencing virtual hard disk
than to the parent disk to which it is linked?
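The parent/child rules above (same format as the parent, no size of its own, every parent must be present) can be built and verified from PowerShell. This is an added example, not course material; the folder C:\VHDs and the file names are assumed, and Get-VhdChain is a helper written for this example.

```powershell
# Added example (not from the course): build a differencing chain and verify it.
# Assumes the Hyper-V PowerShell module on Windows 8.1 and a writable C:\VHDs folder.
Import-Module Hyper-V

$base  = 'C:\VHDs\Win81-Base.vhdx'   # assumed: parent with a clean Windows 8.1 installation
$child = 'C:\VHDs\Win81-Lab1.vhdx'   # assumed: differencing disk a lab VM will use

# Parent: dynamically expanding .vhdx. Once it has children it must never be written to.
New-VHD -Path $base -SizeBytes 60GB -Dynamic | Out-Null

# Child: no -SizeBytes; a differencing disk inherits the parent's size limit and format.
New-VHD -Path $child -ParentPath $base -Differencing | Out-Null

# Walk from a child up to the base disk, checking what the lesson requires: every parent
# present (otherwise the Import wizard prompts for its location) and the same format.
function Get-VhdChain {
    param([Parameter(Mandatory)][string]$Path)
    $chain   = @()
    $current = $Path
    while ($current) {
        if (-not (Test-Path $current)) {
            throw "Parent disk is missing: $current"
        }
        $vhd    = Get-VHD -Path $current
        $chain += $vhd
        if ($vhd.VhdType -eq 'Differencing') {
            $childExt  = [IO.Path]::GetExtension($current)
            $parentExt = [IO.Path]::GetExtension($vhd.ParentPath)
            if ($childExt -ne $parentExt) {
                throw "Format mismatch: $current ($childExt) vs parent $($vhd.ParentPath) ($parentExt)"
            }
            $current = $vhd.ParentPath
        } else {
            $current = $null   # reached a fixed or dynamic base disk
        }
    }
    return $chain
}

# FileSize is what the .vhdx occupies on the host; Size is the limit seen by the guest.
Get-VhdChain -Path $child |
    Select-Object Path, VhdFormat, VhdType, ParentPath,
        @{n = 'FileSizeMB'; e = { [math]::Round($_.FileSize / 1MB) }},
        @{n = 'MaxSizeGB';  e = { $_.Size / 1GB }} |
    Format-Table -AutoSize

# Hyper-V's own validation covers the same ground (missing or mismatched parents).
Test-VHD -Path $child
```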
Configuring a Virtual Hard Disk
Planning for and configuring virtual hard disks is
an important component in implementing virtual
machines on Client Hyper-V. When planning
storage requirements, you need to ensure that
enough resources are available to create new
machines, but also to accommodate any virtual
machines with dynamically expanding hard drives.
If you use a single drive on a Windows 8.1
computer for storing virtual machine hard disks,
your disk I/O performance will degrade quickly for
all virtual machines because of increasing disk
read/write times and disk activity. Increasing the
number of physical drives or spindles increases the performance of virtual machines greatly, as does using
an SSD.
Hard drive recommendations include:
Use hard drives that are at least 10,000 revolutions per minute (RPM).
Use SSDs where possible.
Consider using a SAN for virtual machine storage. SANs provide several benefits, such as high
performance and high availability. Also, you can assign additional space for virtual machines as long
as the SAN has storage available.
Client Hyper-V enables you to run virtual machines that use virtual hard disks that are stored locally
or on SMB 3.0 shares.
Internet SCSI SANs can provide relatively inexpensive storage for virtual machines. Using iSCSI also
enables you to configure virtual machines with direct access to storage.
Configure antivirus software on Windows 8.1 physical computers to exclude all .vhd, .avhd, .vfd, .vsv,
and .xml files that are stored on hard drives that are hosting virtual machines. Alternatively, you can
use virtualization-aware antivirus software.
Creating a VHD
You can create a virtual hard disk while you are creating a virtual machine or outside of the New Virtual
Machine Wizard. If you create a virtual hard disk as a separate task, it is not attached to a virtual machine,
and you must add it to a virtual IDE or a virtual SCSI controller before you can use it on a virtual machine.
You can create a new virtual hard disk in Hyper-V Manager or by using Windows PowerShell.
Create a virtual hard disk by using Hyper-V Manager
1. On the Windows 8.1 computer, in Hyper-V Manager, in the Actions pane, click New, and then click
Hard Disk.
2. On the Before You Begin page, click Next.
3. On the Choose Disk Type page, select a virtual disk type (for example, Dynamically expanding),
and then click Next.
4. On the Specify Name and Location page, in the Name field, type the name of the virtual hard disk
file, and in the Location field, type an appropriate location, and then click Next.
5. On the Configure Disk page, do not change the default values, and then click Next.
6. On the Completing the New Virtual Disk Wizard page, click Finish.
Create a virtual hard disk by using Windows PowerShell
1. On the Windows 8.1 computer, on the Start screen, type powershell, right-click Windows
PowerShell, and then select Run as administrator. Click Yes in the User Account Control dialog
box.
2. In the Administrator: Windows PowerShell window, run the following cmdlet to create a 100-GB,
dynamically expanding virtual hard disk named Dynamic.vhdx in the C:\VHDs folder:
New-VHD -Path C:\VHDs\Dynamic.vhdx -SizeBytes 100GB -Dynamic
3. Run the following cmdlet to add the virtual hard disk to a SCSI controller in the virtual machine named
Windows 8.1:
Add-VMHardDiskDrive -VMName "Windows 8.1" -ControllerType SCSI -Path
C:\VHDs\Dynamic.vhdx
Virtual Hard Disk Sharing and Quality of Service (QoS) Management
In older versions of Hyper-V, virtual machines used virtual hard disks exclusively. Therefore, while one
virtual machine was using a virtual hard disk, another virtual machine could not use the same virtual hard
disk. In Client Hyper-V on Windows 8.1, you can share virtual hard disks between multiple virtual
machines. This can be especially useful when you configure failover clustering in virtual machines. You can
enable virtual hard disk sharing only for .vhdx files that are connected to a virtual SCSI controller. You
cannot use virtual hard disk sharing for .vhd files that are connected to a virtual IDE controller. You can
enable virtual hard disk sharing only if the shared .vhdx is stored on a failover cluster.
In older versions of Hyper-V, it was not possible to limit I/O operations per second per virtual machine. If
a virtual machine had an application that was storage-intensive, and with a large number of read and
write operations to the storage, the virtual machine could monopolize Hyper-V, and other virtual
machines could have slower access to storage. In Windows 8.1, Client Hyper-V includes an option to
configure QoS parameters when virtual machines access storage so that you can provide enough I/O
operations per second to each virtual machine. You can configure the storage QoS for each virtual hard
disk. By specifying the maximum I/O operations per second value on advanced features of a virtual hard
disk, you can balance and throttle storage I/O between virtual machines. This prevents a virtual machine
from consuming excessive storage I/O operations, which could affect other virtual machines.
Question: When would you use shared virtual hard disks?
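The storage QoS and sharing settings described above map to parameters of the Hyper-V cmdlets. This is an added example, not course material; it assumes a virtual machine named "Windows 8.1" with its .vhdx on SCSI controller 0, location 0, and a cluster-hosted share path for the shared disk. Get-UnthrottledDisk is a helper written for this example.

```powershell
# Added example (not from the course): cap one disk's IOPS, list disks with no cap,
# and attach a shared .vhdx.
Import-Module Hyper-V

$vmName = 'Windows 8.1'

# Storage QoS: Hyper-V counts I/O in normalized 8 KB units; 0 means unlimited. These are the
# Minimum/Maximum IOPS fields under the disk's Advanced Features in the settings dialog.
Set-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0 `
    -MinimumIOPS 100 -MaximumIOPS 500

# Report every disk on this host that can still monopolize storage (no maximum set).
function Get-UnthrottledDisk {
    Get-VM | Get-VMHardDiskDrive |
        Where-Object { -not $_.MaximumIOPS } |
        Select-Object VMName, ControllerType, ControllerNumber, ControllerLocation, Path
}
Get-UnthrottledDisk | Format-Table -AutoSize

# Shared .vhdx: SCSI controller only, .vhdx only, and the file must be on failover-cluster
# storage (a Cluster Shared Volume or a Scale-Out File Server share).
# -SupportPersistentReservations is the "Enable virtual hard disk sharing" check box.
$sharedDisk = '\\SOFS\VMShare\Quorum.vhdx'   # assumed path on a scale-out file server
Add-VMHardDiskDrive -VMName $vmName -ControllerType SCSI -Path $sharedDisk -SupportPersistentReservations
```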
Moving Virtual Hard Disk Storage
You can use storage migration to move virtual
hard disks and other data files that a virtual
machine is using to different physical storage
while the virtual machine is running. You can
perform storage migration by using the Move
Wizard in Hyper-V Manager or by using the
Move-VMStorage cmdlet in Windows
PowerShell.
You can use Client Hyper-V to move a virtual
machine's storage without downtime. For
example, you can use storage migration when you
need to move the virtual machine storage from a
local disk to an SMB 3.0 share. You also can use storage migration to move various virtual machine items,
such as virtual hard disks, configuration, checkpoints, and smart paging, to different locations while a
virtual machine is running. For example, after you create the first checkpoint for a virtual machine, you
cannot modify the checkpoint file location setting unless you delete all virtual machine checkpoints or use
storage migration.
You can perform storage migration by using the following procedure:
1. Before migration starts, all virtual machine read and write operations are performed at the source
virtual hard disk.
2. When storage migration starts, virtual hard disk content is copied over the network to the destination,
while all the read and write operations are still performed on the source virtual hard disk.
3. After the initial copy is complete, write operations for the virtual hard disks are mirrored to both the
source and destination virtual hard disks.
4. After the source and destination virtual hard disks are synchronized completely, the virtual machine
switches over and starts using the destination virtual hard disk.
5. The source virtual hard disk is deleted.
Storage migration is only supported for virtual hard disks, current virtual machine configurations,
checkpoints, and Smart Paging files. When you migrate virtual machine storage, you can move all the
data files to the same location or to different locations. During this storage migration process, the virtual
machine continues to run on the same Windows 8.1 computer with the Client Hyper-V feature.
Note: Use the Storage Migrations Hyper-V settings to specify how many storage
migrations you can perform simultaneously. By default, two simultaneous storage migrations are
configured, but you can increase this number.
Moving Virtual Machine Storage
When you move virtual machine storage, you have the option to move all virtual machine data to a single
location, to move the virtual machine data to different locations, or to move only virtual machine virtual
hard disks. If you choose to move virtual machine data to different locations, you can specify a new
location for each of the virtual machine data items, which includes virtual hard disks, current
configurations, checkpoints, and Smart Paging files. You can move virtual machine storage to other
folders on the same Hyper-V host or to an SMB 3.0 share. You then can complete the Move Wizard and
perform the move. For example, you can use the Move Wizard to modify the checkpoint file location
when a virtual machine already has checkpoints.
Note: In Hyper-V in Windows Server 2012 and Windows Server 2012 R2, you can move a
virtual machine between Hyper-V hosts while it is running. Client Hyper-V does not support this
feature, and you can move the virtual machine storage only, not the virtual machine itself.
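The five-step storage migration and the Move Wizard's "move the virtual machine's data to different locations" option correspond to one Move-VMStorage call. This is an added example, not course material; the virtual machine name "Windows 8.1" and the share \\FileServer\VMs are assumed values.

```powershell
# Added example (not from the course): move a running VM's storage, item by item, to an
# SMB 3.0 share, then verify the new locations and the host's concurrency setting.
Import-Module Hyper-V

$vmName = 'Windows 8.1'
$dest   = '\\FileServer\VMs\Windows81'   # assumed SMB 3.0 share

$vm = Get-VM -Name $vmName

# One source/destination pair per virtual hard disk (the -Vhds hashtable format).
$disks = @(Get-VMHardDiskDrive -VM $vm | ForEach-Object {
    @{
        SourceFilePath      = $_.Path
        DestinationFilePath = Join-Path "$dest\Disks" (Split-Path $_.Path -Leaf)
    }
})

# Only disks, configuration, checkpoints and Smart Paging files are moved; the VM keeps
# running on this host while the copy, mirror and switch-over steps take place.
Move-VMStorage -VM $vm `
    -VirtualMachinePath  "$dest\Config" `
    -SnapshotFilePath    "$dest\Checkpoints" `
    -SmartPagingFilePath "$dest\SmartPaging" `
    -Vhds $disks

# Verify after the switch-over: the VM is still running, and every path points at the share.
Get-VM -Name $vmName |
    Select-Object Name, State, ConfigurationLocation, SnapshotFileLocation, SmartPagingFilePath
Get-VMHardDiskDrive -VMName $vmName | Select-Object Path

# The "Storage Migrations" Hyper-V setting from the Note above (default: 2 at a time).
Get-VMHost | Select-Object MaximumStorageMigrations
Set-VMHost -MaximumStorageMigrations 4
```

Passing -DestinationStoragePath instead of the individual path parameters is the "move all of the virtual machine's data to a single location" option.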
Question: Can you use storage migration to move only virtual hard disks?
Question: Do you need to be a local administrator to use the Move Wizard?
Lesson 4
Managing Checkpoints
Checkpoints are a Hyper-V feature that you can use to create a point-in-time snapshot of a virtual
machine, and then revert to it if needed. In previous versions of Hyper-V, this feature was called
Snapshots, and you can still see references to Snapshots in Windows 8.1. The primary benefit of
checkpoints in Client Hyper-V is that you can use them to create hierarchies of changes, and then you can
revert to them at any time. Checkpoints can be quite useful in some scenarios, such as when testing
Windows operating system updates. However, you must use checkpoints carefully to avoid issues,
especially when reverting virtual machines in distributed environments such as Active Directory Domain
Services (AD DS). This lesson describes how to create and work with virtual machine checkpoints.
Lesson Objectives
After completing this lesson, you will be able to:
Describe the purpose and functionality of checkpoints.
Describe how to create and manage checkpoints.
Explain the considerations for working with checkpoints.
What Are Checkpoints?
When a virtual machine is running, changes are
written to both its memory and virtual hard disk.
Checkpoints are a Hyper-V feature that you can
use to create a point-in-time snapshot of a virtual
machine, including its configuration, memory, and
disk state. You can create checkpoints when a
virtual machine is running, when it is turned off, or
when it is in a saved state, but not if it is in a
paused state. You can create multiple checkpoints
of a virtual machine and revert it to any of the
previous states for which checkpoints exist.
Checkpoints do not affect the running state of a
virtual machine, but they can affect virtual machine performance because they are implemented by using
differencing virtual hard disks.
Note: Do not edit or modify a virtual hard disk file when it is used by a virtual machine that
has checkpoints.
Checkpoints can be useful when you need to revert virtual machines to an earlier state. You can undo all
the changes that took place after a specified state, such as the changes that occurred during testing,
development, or in a training environment. Conversely, checkpoints in production environments can
cause serious issues, such as user data getting lost.
Creating Checkpoints
When you create a checkpoint, the result is always the same, irrespective of the method you choose. After
you create a checkpoint, you should not modify its files on a disk directly because this could cause
problems with the checkpoint or even with the running virtual machine. You can create checkpoints by
using one of the following procedures:
In Hyper-V Manager, you can right-click a virtual machine, and then click Checkpoint (or in the
Action pane, click Checkpoint).
You can use Virtual Machine Connection by clicking Checkpoint in the Action menu, or by using the
Checkpoint-VM Windows PowerShell cmdlet.
Factors to Consider
When you are considering checkpoints, you should be aware of the following factors:
When you create a checkpoint of a virtual machine, the virtual machine is configured with a
differencing virtual hard disk, even if it used a fixed-size virtual hard disk before. Differencing virtual
hard disks might perform slower than normal disks because the two files (base and differencing) need
to be read from.
Checkpoints require additional storage space. If you create a checkpoint of a running virtual machine,
it also contains a virtual machine memory snapshot. Creating multiple checkpoints can use up a large
amount of storage space.
Although you can use checkpoints to revert a virtual machine to an earlier point in time, you should
not consider them backups. Even if you use checkpoints, you should still make regular backups.
If you no longer need a checkpoint, you should delete it immediately. However, this can cause
merging of differencing virtual hard disks. In Windows 8.1, the merging process happens
asynchronously in the background while the virtual machine is running.
A virtual machine is limited to 50 checkpoints. The actual number of checkpoints might be lower and
depends on the available storage.
Question: Which checkpoint requires more space: a checkpoint of a running virtual machine,
or a checkpoint of a virtual machine that is turned off?
Creating and Managing Checkpoints
Checkpoints consist of several files that represent
the complete state of a virtual machine at a
certain moment in time. Because you cannot
modify a previous state, checkpoints are read-
only, and you cannot modify one after you create
it. You can only view a checkpoint, change its
name, or delete it. You can use checkpoints to
revert virtual machines back to the state they were
in when you created the checkpoints.
Creating Checkpoints
When you create a checkpoint, Client Hyper-V performs the following procedure in the background:
1. Pauses the virtual machine.
2. For each virtual hard disk that the virtual machine is using, Client Hyper-V creates a differencing
virtual hard disk, configures it to use the virtual machine's virtual hard disk as a parent, and then
updates virtual machine settings to use the created differencing virtual hard disk.
3. Creates a copy of the virtual machine configuration file.
4. Resumes running the virtual machine.
5. Saves the content of the virtual machine memory to disk.
Because a virtual machine is paused before a checkpoint is created, you cannot create a checkpoint of a
virtual machine that is in a paused state. As the virtual machine resumes, while the memory is saving to
the disk, Client Hyper-V intercepts memory changes that have not yet been written to the disk, writes the
memory pages to the disk, and then modifies the virtual machine memory. Creating a checkpoint can take
considerable time, depending on the virtual machine memory, physical disk speed, and what is running
on the virtual machine. However, the process of checkpoint creation is transparent, and a virtual machine
does not experience any outage.
Virtual Machine Checkpoint Files
A virtual machine checkpoint can consist of the following files:
Virtual machine configuration file (*.xml)
Virtual machine saved state file (*.vsv)
Virtual machine memory content (*.bin)
Checkpoint differencing virtual hard disks (*.avhd)
Client Hyper-V creates a saved state file and a memory content file for a virtual machine only if a
checkpoint is created while the virtual machine is running, and not if the virtual machine is turned off.
The location of virtual machine checkpoint files is configured for each virtual machine, and by default, it is
the same location where the virtual machine configuration is stored. When you create the first checkpoint,
Client Hyper-V creates a Snapshots subfolder and stores checkpoint files there. You can modify the
location of the checkpoint files only until the first checkpoint is created. After this, the checkpoint file
location setting is read-only. You can modify this setting only after deleting all checkpoints, or by using
the Move Wizard.
Using Checkpoints
When you select a checkpoint, you have the following options available in the Actions pane:
Settings. This option opens the virtual machine settings that were in effect at the moment the
checkpoint was created. All of the settings are read-only because you cannot change the
configuration that was used in the past. The only settings that you can modify are the checkpoint
name and the notes associated with the checkpoint.
Apply. This option applies a checkpoint to a virtual machine, which means that you want to return the
virtual machine to the exact historical state it was in. When you apply a checkpoint, any change in the
virtual machine since the last checkpoint was made is lost. Before applying a checkpoint, Client
Hyper-V prompts you to create a new checkpoint to avoid possible data loss.
Export. This option exports a virtual machine checkpoint, which creates an exact copy of the virtual
machine as it existed at the moment in which you created the checkpoint.
15-22 Configuring Client Hyper-V
Rename. This option renames a checkpoint to provide better information about the state of a virtual
machine when you created the checkpoint. The checkpoint name is independent of the checkpoint
content, and by default, it contains the date and time of checkpoint creation.
Delete Checkpoint. This option deletes a checkpoint if you no longer want to be able to revert a
virtual machine to the state it was in when you created the checkpoint.
Delete Checkpoint Subtree. This option deletes the selected checkpoint and any checkpoints that
originate from it. Checkpoints that originate from it are listed below it in the Checkpoint pane.
When you right-click a virtual machine with at least one checkpoint, you also can click the Revert option.
This returns a virtual machine to the last checkpoint.
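The Actions-pane options described above, expressed with the Hyper-V Windows PowerShell module in Windows 8.1 (an added example, not code from the course; the VM name LON-VM1 and the folder paths are assumptions):

```powershell
# Added example; not the course's own code. Maps Settings/Apply/Export/Rename/Delete/
# Delete Subtree onto the Hyper-V module cmdlets. VM name and folders are assumptions.
$vmName  = 'LON-VM1'             # assumption: an existing VM on this Client Hyper-V host
$ckptDir = 'C:\VM\Checkpoints'   # assumption: where the checkpoint files should live

# The checkpoint file location is writable only until the first checkpoint exists,
# so set it before creating one; afterwards the setting is read-only.
if (-not (Get-VMSnapshot -VMName $vmName -ErrorAction SilentlyContinue)) {
    Set-VM -Name $vmName -SnapshotFileLocation $ckptDir
}

# Create a checkpoint. Taken while the VM runs, it also writes the .vsv and .bin
# saved-state files; a turned-off VM produces only the .xml and the .avhd(x) disk.
$clean = Checkpoint-VM -Name $vmName -SnapshotName 'Clean OS' -Passthru

# Show the checkpoint tree. ParentSnapshotName is empty for a root checkpoint; a
# checkpoint taken after applying an older one appears as a new branch under it.
Get-VMSnapshot -VMName $vmName | Select-Object Name, ParentSnapshotName, CreationTime

# Apply = Restore-VMSnapshot. Every change since that checkpoint is discarded, so take
# a safety checkpoint first, which is what Hyper-V Manager prompts you to do.
function Restore-CheckpointSafely {
    param([string]$VMName, [string]$SnapshotName)
    $safety = Checkpoint-VM -Name $VMName -SnapshotName "Before applying $SnapshotName" -Passthru
    Restore-VMSnapshot -VMName $VMName -Name $SnapshotName -Confirm:$false
    return $safety   # keep it until the reverted state is confirmed to be the one wanted
}
$safety = Restore-CheckpointSafely -VMName $vmName -SnapshotName $clean.Name

# Export = a complete copy of the VM as it existed at that checkpoint.
Export-VMSnapshot -VMName $vmName -Name $clean.Name -Path 'C:\VM\Exports'

# Rename: the name is independent of the content, so make it describe the state.
Rename-VMSnapshot -VMName $vmName -Name $safety.Name -NewName 'Before app test'

# Delete one checkpoint, or a checkpoint together with everything beneath it in the tree.
Remove-VMSnapshot -VMName $vmName -Name 'Before app test'
Remove-VMSnapshot -VMName $vmName -Name $clean.Name -IncludeAllChildSnapshots
```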
Question: Can you modify the configuration of a virtual machine checkpoint if you created
that checkpoint when the virtual machine was turned off?
Question: How are multiple branches created in a checkpoint tree?
Considerations for Working with Checkpoints
When you apply a checkpoint, you effectively revert a virtual machine back to the moment when you
created the checkpoint. Depending on a virtual machine's role and the applications that are installed on
it, reverting a virtual machine back to a previous checkpoint can have disastrous implications and might
result in data loss or corruption. The following two types of applications can be affected negatively
when you revert a virtual machine back in time:
Cryptographic applications. Windows operating systems provide application programming interface
(API) functions that generate random values with a high level of entropy. A checkpoint captures the
internal state of the random number generator at the moment the checkpoint is created, and applying
the checkpoint restores that state, which can severely reduce the entropy of random data. For example,
consider the generation of GUIDs. When a GUID value is generated, it should be unique and never
repeated. However, if you request a GUID immediately after applying a checkpoint, there is a high
probability that the same GUID value will be generated each time the checkpoint is applied.
Applications that use vector-clock synchronization. Applying a checkpoint to a virtual machine can
corrupt applications that use vector-clock synchronization. Examples of such applications are AD DS,
Distributed File System (DFS) Replication, and Microsoft SQL Server replication. For these applications
to work, each member of a replica set must maintain a monotonically increasing logical clock. When you
apply a checkpoint, it reverts the logical clock on the virtual machine, causing the same clock values to
be associated with different transactions. As a result, members of the replica set will not converge to
the same state, thereby causing data corruption.
Before using checkpoints in your Hyper-V environment, you should consider the following:
Checkpoints can be very useful for testing applications or deployments, but they typically are not
used regularly in a production environment. Using checkpoints might cause significant problems with
applications or services that are time sensitive or that use data replication, such as Microsoft Exchange
Server or SQL Server.
Checkpoints are not a replacement for a consistent backup strategy. However, you can use
checkpoints in scenarios such as operating system upgrades and other tasks where you might want to
revert back to the original state of a virtual machine should the task fail.
Hyper-V virtual machine checkpoints have multiple uses in your network, predominantly in a test lab.
You can use checkpoints in a lab environment for testing a new deployment. When creating a new
server, you can use a checkpoint for each phase of a server's creation. In a training environment, you
can use checkpoints to revert a server to the previous lab.
If you are going to use checkpoints for testing or training, the primary consideration is hard drive
space. Checkpoints can use a large amount of hard drive space because each checkpoint creates a
new differencing virtual hard disk.
Note: Client Hyper-V in Windows 8.1 projects a 64-bit integer value that is named
Generation ID into a virtual machine through an emulated BIOS device that is named Microsoft
Hyper-V Generation Counter. The Generation ID changes each time you apply a checkpoint,
which enables an operating system in a virtual machine to detect that the checkpoint was
applied.
Virtual Machine Generation ID
http://go.microsoft.com/fwlink/?LinkId=260709
Question: Can you prevent checkpoint creation from inside a virtual machine?
Lab: Configuring Client Hyper-V
Scenario
The Information Technology (IT) department at A. Datum Corporation wants to test several apps in
different operating system environments prior to deploying the apps in production. Several members of
the application testing team have expressed interest in creating virtual environments on their
Windows 8.1 computers where they can create and configure virtual machines. You have been asked to
demonstrate the process of creating an environment where apps can be tested.
Objectives
After completing this lab, you will be able to:
Install Client Hyper-V.
Create a virtual switch, a virtual hard disk, and a virtual machine.
Lab Setup
Estimated Time: 15 minutes
Virtual machines: 20687C-LON-CL5
User name: Adatum\Admin
Password: Pa$$w0rd
To perform this lab, you must start the host computer to 20687C-LON-CL5. To do this, restart the host
computer and choose 20687C-LON-CL5 from the Start menu. Sign in as Admin with password
Pa$$w0rd.
Exercise 1: Installing Client Hyper-V
Scenario
You have been asked to turn on the Hyper-V feature on LON-CL5, a stand-alone Windows 8.1 computer
in the IT department. To ensure that the IT department has access to all options in the virtual
environment, you have been asked to install all of the management tools available for Client Hyper-V.
The main task for this exercise is as follows:
1. Install the Client Hyper-V feature.
Task 1: Install the Client Hyper-V feature
1. On LON-CL5, verify that no program that contains the word Hyper-V is installed.
2. Use the Get-Command cmdlet to verify that no cmdlets from the Hyper-V module are currently
available.
3. Use the Windows Features window to turn the Hyper-V feature on.
4. Restart the computer, and then select 20687C-LON-CL5 when prompted during startup to choose an
operating system.
5. Sign in to LON-CL5 as Admin with password Pa$$w0rd.
6. After a second restart, repeat steps 4 and 5.
7. Use the Get-Command cmdlet to verify that many cmdlets from the Hyper-V module are available.

Results: After completing this exercise, you should have installed the Client Hyper-V feature.
Exercise 2: Creating a Virtual Switch, a Virtual Hard Disk, and a Virtual
Machine
Scenario
You have been asked to create a virtual network and virtual machine to accommodate app testing, and to
demonstrate the Client Hyper-V environment to the apps testing team. The virtual network and virtual
machine should adhere to the following specifications.
Virtual network:
Network type: Private
Network name: Private Network
Virtual machine:
Name: Windows 8.1 Test
Memory: 1,024 MB
Storage location: Default
Network connection: Private Network
Installation media: None
The main tasks for this exercise are as follows:
1. Create a virtual switch.
2. Create a virtual hard disk.
3. Create a virtual machine.
Task 1: Create a virtual switch
1. On LON-CL5, open Hyper-V Manager.
2. Create a new virtual switch with the following parameters:
o Connection type: Private
o Virtual switch name: Private Network
Task 2: Create a virtual hard disk
1. On LON-CL5, use Hyper-V Manager to create a new virtual hard disk with the following settings:
o Format: VHDX
o Type: Dynamically expanding
o Name: Dynamic.vhdx
o Location: C:\VM
o Size: 100 GB
2. Use Hyper-V Manager to create a new virtual hard disk with the following settings:
o Format: VHD
o Type: Differencing
o Name: Differencing.vhd
o Location: C:\VM
o Parent: F:\Program Files\Microsoft Learning\base\Base14C-W81-Office2013.vhd
3. In Windows PowerShell, use the New-VHD cmdlet to create a new virtual hard disk with the
following settings:
o Path: C:\VM\Fixed.vhdx
o Size: 1 GB
o Type: Fixed size
4. In File Explorer, browse to the C:\VM folder, and then confirm that Fixed.vhdx allocates 1 GB of disk
space, while Dynamic.vhdx and Differencing.vhd allocate much less disk space.
Task 3: Create a virtual machine
1. On LON-CL5, use Hyper-V Manager to create a new virtual machine with the following settings:
o Name: LON-VM2
o Generation: Generation 2
o Startup Memory: 1024 MB
o Use Dynamic Memory: Enabled
2. Use the Windows PowerShell cmdlet New-VM to create a new virtual machine with the following
settings:
o Name: LON-VM1
o Generation: Generation 1
o Startup Memory: 1 GB
o Boot Device: IDE
3. Use the Windows PowerShell cmdlet Add-VMHardDiskDrive to add the C:\VM\Differencing.vhd
disk to the IDE Controller of LON-VM1.
4. Verify that you can start and connect to the LON-VM1 virtual machine.
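Exercises 1 and 2 of this lab carried out from an elevated Windows PowerShell prompt on LON-CL5, as an added example that is not part of the course lab; the names, sizes and paths are the ones the lab specifies.

```powershell
# Added example, not the course's own lab code: Exercises 1 and 2 with Windows PowerShell.
# Run from an elevated prompt on LON-CL5. Names, sizes and paths are those in the lab.

# Exercise 1: before the feature is turned on, the Hyper-V module exposes no cmdlets.
(Get-Command -Module Hyper-V -ErrorAction SilentlyContinue).Count   # 0 before, many after

# Command-line equivalent of the Windows Features window; the restarts from the lab
# are still required before the module becomes usable.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart

# Exercise 2, Task 1: a private switch connects VMs only to each other, never to the
# host or the physical network, which keeps app-testing VMs off the corporate LAN.
New-VMSwitch -Name 'Private Network' -SwitchType Private

# Task 2: the three disk types from the lab.
New-VHD -Path 'C:\VM\Dynamic.vhdx' -SizeBytes 100GB -Dynamic
New-VHD -Path 'C:\VM\Differencing.vhd' -Differencing `
        -ParentPath 'F:\Program Files\Microsoft Learning\base\Base14C-W81-Office2013.vhd'
New-VHD -Path 'C:\VM\Fixed.vhdx' -SizeBytes 1GB -Fixed

# Task 2, step 4: only the fixed disk has its full size allocated on the host.
Get-ChildItem 'C:\VM\*.vhd*' |
    Select-Object Name, @{ n = 'AllocatedMB'; e = { [math]::Round($_.Length / 1MB) } }

# Task 3: a generation 2 VM with dynamic memory, and a generation 1 VM that boots from IDE.
New-VM -Name 'LON-VM2' -Generation 2 -MemoryStartupBytes 1024MB -SwitchName 'Private Network' -NoVHD
Set-VM -Name 'LON-VM2' -DynamicMemory
New-VM -Name 'LON-VM1' -Generation 1 -MemoryStartupBytes 1GB -BootDevice IDE `
       -SwitchName 'Private Network' -NoVHD
Add-VMHardDiskDrive -VMName 'LON-VM1' -ControllerType IDE -ControllerNumber 0 `
                    -ControllerLocation 0 -Path 'C:\VM\Differencing.vhd'

# Task 3, step 4: start the VM and open a console session to it.
Start-VM -Name 'LON-VM1'
vmconnect.exe localhost 'LON-VM1'
```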

Results: After completing this exercise, you should have created a virtual network and a virtual machine in
Client Hyper-V.
Module Review and Takeaways
Review Questions
Question: Why would you deploy Client Hyper-V to a Windows client computer in a
corporate environment?
Question: Why should you not use virtual machine checkpoints for backup and disaster
recovery?
Question: Can you create a checkpoint of a virtual machine that is turned off?
Question: When you open Windows PowerShell and run the New-VM cmdlet to create a
new virtual machine, you get an error that New-VM is not recognized as the name of a
cmdlet. What could be the most probable reason for such an error?
Tools
Tool: Hyper-V Manager
    Description: Management console for Client Hyper-V
    Where to find it: Start screen
Tool: Hyper-V Virtual Machine Connection tool
    Description: Connect directly to local or remote virtual machines without opening Hyper-V Manager
    Where to find it: Start screen
Course Evaluation

Your evaluation of this course will help Microsoft understand the quality of your learning experience.
Please work with your training provider to access the course evaluation form.
Microsoft will keep your answers to this survey private and confidential and will use your responses to
improve your future learning experience. Your open and honest feedback is valuable and appreciated.

Module 2: Installing and Deploying Windows 8.1
Lab A: Installing Windows 8.1
Exercise 1: Planning to Install Windows 8.1
Scenario
Prior to installing Windows 8.1, establish an installation plan by reading the request.
A. Datum Wireless Network Requirements
Document reference: HD-02-05-13
Document author: Holly Dickson
Date: Dec 2, 2013
Requirements Overview
A. Datum Corporation wants to create a test environment for a new app that was developed internally.
Ideally, we would like to be able to test the app on several different operating systems, but we have
been provided with only one system. We have been told that Windows 8.1 supports the same
virtualization as the servers in our production environment with Hyper-V, so maybe we could do it that
way? We also need to be able to create Windows To Go UFD media.
The computer that we have been given has a quad-core, 2 gigahertz (GHz) processor and 4 gigabytes
(GB) of RAM. The processor supports Intel VT. It also has a 320 GB hard drive and a 512-megabyte (MB)
graphics processing unit (GPU).
The computer should be prepared for the Development team as soon as possible.


Task 1: Determine whether the customer's computers meet the minimum requirements for Windows 8.1
Answer the following questions:
Questions
1. Does the customer's computer meet the minimum system requirements for Windows 8.1 in the
following areas:
a. Processor: 2 GHz - YES
b. RAM: 4 GB - YES
c. Hard-disk space: 320 GB - YES
d. GPU: 512 MB - YES
2. Does the customer's computer meet the requirements for the following features:
Client Hyper-V: 64-bit second level address translation (SLAT) capable - YES
Task 2: Select the appropriate Windows operating system edition to install on
LON-REF1
You should install a 64-bit version of Windows 8.1 Enterprise. Windows 8.1 Enterprise supports Client
Hyper-V, and is the only Windows 8.1 edition that supports creation of Windows To Go UFD media.
You should use the 64-bit version to be able to use Client Hyper-V.

Results: After completing this exercise, you should have evaluated the installation environment, and then
selected the appropriate Windows operating system edition to install.
Exercise 2: Performing a Clean Installation of Windows 8.1
Task 1: Attach the Windows 8.1 DVD image file to LON-REF1
1. On the host computer, double-click the Hyper-V Manager icon on the desktop or click Start, click
Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687C-LON-REF1, and then click Settings.
3. In the Settings for 20687C-LON-REF1 window, under IDE Controller 1, click DVD Drive in the left-hand
column.
4. In the details pane, click Image file, and then click Browse.
5. In the Open window, browse to D:\Program Files\Microsoft Learning\20687\Drives, double-click
the Win81Ent_Eval.iso file, and then click OK to close the Settings for 20687C-LON-REF1 window.
Task 2: Install Windows 8.1 on LON-REF1
1. In Hyper-V Manager, right-click the 20687C-LON-REF1 virtual machine, and then click Start.
2. In Hyper-V Manager, right-click the 20687C-LON-REF1 virtual machine, and then click Connect.
3. When the Windows Setup screen appears, select the appropriate regional settings, and then click
Next.
4. In the Windows Setup window, click Install now.
5. On the License terms page, select the I accept the license terms check box, and then click Next.
6. On the Which type of installation do you want? page, click Custom: Install Windows only
(advanced).
7. On the Where do you want to install Windows page, click Next.
Note: Wait for Windows 8.1 to install. This process will take 15 to 20 minutes.
8. On the Personalize screen, type LON-REF1 in the PC name field, and then click Next.
9. On the Settings page, click Use express settings.
10. On the Your account page, click Create a local account.
11. On the Your Account page, in the User name field, type User.
12. In the Password field and in the Reenter password field, type Pa$$w0rd.
13. In the Password hint field, type Forgot already?, click Finish, and then wait for the installation to
complete.
Task 3: Confirm the successful installation of Windows 8.1 on LON-REF1
1. Confirm that the Windows 8.1 Start screen appears.
2. On the Start screen, click the Desktop tile to view the desktop of LON-REF1.
3. Click the File Explorer icon on the taskbar. The This PC window opens.
4. In the This PC window, in the navigation pane, right-click This PC, and then click Properties.
5. In the System window, verify that:
o Windows 8.1 Enterprise Evaluation is installed
o The Computer name is LON-REF1
o Workgroup is WORKGROUP
6. Click the Start icon on the taskbar.
7. On the Start screen, click User, and then click Sign out.

Results: After completing this exercise, you should have performed a clean installation of Windows 8.1.
To prepare for the next lab
When you are finished with the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-REF1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Lab B: Customizing and Capturing a Windows 8.1 Image
Exercise 1: Creating an Answer File and Performing an Unattended
Windows 8.1 Installation
Scenario
In this exercise, you have been asked to configure an answer file to use with Windows 8.1 installations at
A. Datum. To modify this answer file, you have been given the following information by your IT
administrator to assist you in the process.
Component, followed by its Property: Value pairs
amd64_Microsoft-Windows-International-Core-WinPE_neutral
    InputLocale: en-US
    SystemLocale: en-US
    UILanguage: en-US
    UserLocale: en-US
amd64_Microsoft-Windows-International-Core-WinPE_neutral\SetupUILanguage
    UILanguage: en-US
amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk
    DiskID: 0
    WillWipeDisk: True
amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition
    Extend: True
    Order: 1
    Type: Primary
amd64_Microsoft-Windows-Setup_neutral\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition
    Active: True
    Format: NTFS
    Order: 1
    PartitionID: 1
amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallFrom\Metadata
    Key: /IMAGE/NAME
    Value: Windows 8.1 Enterprise Evaluation
amd64_Microsoft-Windows-Setup_neutral\ImageInstall\OSImage\InstallTo
    DiskID: 0
    PartitionID: 1
amd64_Microsoft-Windows-Setup_neutral\UserData
    AcceptEULA: True
    FullName: Adatum User
    Organization: Adatum
amd64_Microsoft-Windows-Shell-Setup_neutral\OOBE
    SkipMachineOOBE: True
    SkipUserOOBE: True
amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount
    Description: Local Admin
    DisplayName: Administrator
    Group: Administrators
    Name: Administrator
amd64_Microsoft-Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount\Password
    Value: Pa$$w0rd

Task 1: Mount a virtual floppy drive on LON-CL1
1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click
Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687C-LON-CL1, and then click Settings.
3. In the Settings for 20687C-LON-CL1 window, click Diskette Drive.
4. In the details pane, click Virtual floppy disk (.vfd) file, browse to D:\Program Files\Microsoft
Learning\20687\Drives, double-click Lab2BEx1.vfd, and then click OK.
Task 2: Create an answer file
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type Image Manager, and then press Enter. The Windows System Image Manager
starts.
3. In Windows System Image Manager, click File, and then click Select Windows Image.
4. In the Select a Windows Image dialog box, navigate to the E:\Labfiles\mod02\Sources folder, select
Install.wim, and then click Open.
5. In Windows System Image Manager, click File, and then click New Answer File.
6. In the Windows Image pane, expand Components, scroll down, right-click amd64_Microsoft-
Windows-International-Core-WinPE_neutral, and then click Add Setting to Pass 1 windowsPE.
7. In the Answer File pane, verify that amd64_Microsoft-Windows-International-Core-
WinPE_neutral is selected. In the amd64_Microsoft-Windows-International-Core-WinPE pane,
double-click InputLocale, and then type en-US. Also, double-click SystemLocale, UILanguage, and
UserLocale, and then type en-US as a value for each of those three properties.
8. In the Answer File pane, expand amd64_Microsoft-Windows-International-Core-WinPE_neutral,
and then click SetupUILanguage.
9. In the SetupUILanguage Properties pane, double-click UILanguage, and then type en-US.
10. In the Windows Image pane, expand the Components node and right-click amd64_Microsoft-
Windows-Setup_neutral\DiskConfiguration\Disk, and then click Add Setting to Pass 1
windowsPE.
11. In the Answer File pane, verify that Disk is selected.
12. In the Disk Properties pane, double-click DiskID, and then type 0.
13. In the Disk Properties pane, double-click WillWipeDisk, and then in the drop-down list, click True.
14. In the Windows Image pane, expand the Components node and right-click amd64_Microsoft-
Windows-Setup_neutral\DiskConfiguration\Disk\CreatePartitions\CreatePartition, and then
click Add Setting to Pass 1 windowsPE.
15. In the Answer File pane, verify that CreatePartition is selected.
16. In the CreatePartition Properties pane, double-click Extend, and then in the drop-down list, click
True.
17. In the CreatePartition Properties pane, double-click Order, and then type 1.
18. In the CreatePartition Properties pane, double-click Type, and then in the drop-down list, click
Primary.
19. In the Windows Image pane, expand the Components node and right-click amd64_Microsoft-
Windows-Setup_neutral\DiskConfiguration\Disk\ModifyPartitions\ModifyPartition, and then
click Add Setting to Pass 1 windowsPE.
20. In the Answer File pane, verify that ModifyPartition is selected.
21. In the ModifyPartition Properties pane, double-click Active, and then in the drop-down list, click
True.
22. In the ModifyPartition Properties pane, double-click Format, and then in the drop-down list, click
NTFS.
23. In the ModifyPartition Properties pane, double-click Order, and then type 1.
24. In the ModifyPartition Properties pane, double-click PartitionID, and then type 1.
25. In the Windows Image pane, expand the Components node and right-click amd64_Microsoft-
Windows-Setup_neutral\ImageInstall\OSImage\InstallFrom\Metadata, and then click Add
Setting to Pass 1 windowsPE.
26. In the Answer File pane, verify that Metadata is selected.
27. In the Metadata Properties pane, double-click Key, and then type /IMAGE/NAME.
28. In the Metadata Properties pane, double-click Value, and then type Windows 8.1 Enterprise
Evaluation.
29. In the Windows Image pane, expand the Components node and right-click amd64_Microsoft-
Windows-Setup_neutral\ImageInstall\OSImage\InstallTo, and then click Add Setting to Pass 1
windowsPE.
30. In the Answer File pane, verify that InstallTo is selected.
31. In the InstallTo Properties pane, double-click DiskID, and then type 0.
32. In the InstallTo Properties pane, double-click PartitionID, and then type 1.
33. In the Windows Image pane, expand the Components node and right-click amd64_Microsoft-
Windows-Setup_neutral\UserData, and then click Add Setting to Pass 1 windowsPE.
34. In the Answer File pane, verify that UserData is selected.
35. In the UserData Properties pane, double-click AcceptEULA, and then in the drop-down box, click
True.
36. In the UserData Properties pane, double-click FullName, and then type Adatum User.
37. In the UserData Properties pane, double-click Organization, and then type Adatum.
38. In the Windows Image pane, expand the Components node and right-click amd64_Microsoft-
Windows-Shell-Setup_neutral\OOBE, and then click Add Setting to Pass 7 oobe System.
39. In the Answer File pane, verify that OOBE is selected.
40. In the OOBE Properties pane, double-click SkipMachineOOBE, and then in the drop-down box, click
True.
41. In the OOBE Properties pane, double-click SkipUserOOBE, and then in the drop-down box, click
True.
42. In the Windows Image pane, expand the Components node and right-click amd64_Microsoft-
Windows-Shell-Setup_neutral\UserAccounts\LocalAccounts\LocalAccount, and then click Add
Setting to Pass 7 oobe System.
43. In the Answer File pane, verify that LocalAccount is selected.
44. In the LocalAccount Properties pane, double-click Description, and then type Local Admin.
45. In the LocalAccount Properties pane, double-click DisplayName, and then type Administrator.
46. In the LocalAccount Properties pane, double-click Group, and then type Administrators.
47. In the LocalAccount Properties pane, double-click Name, and then type Administrator.
48. In the Answer File pane, expand LocalAccount and select Password.
49. In the Password Properties pane, double-click Value, and then type Pa$$w0rd.
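The Autounattend.xml that the steps above build in Windows System Image Manager, written out directly with Windows PowerShell as an added example (not the course's own file). Element names follow the unattend schema, where the course table's Metadata and AcceptEULA are MetaData and AcceptEula; drive A: is the virtual floppy from Task 3.

```powershell
# Added example, not the course's own file: the Autounattend.xml that Task 2 builds in
# Windows System Image Manager, written out directly. Drive A: is the virtual floppy from Task 3.
$unattend = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-International-Core-WinPE" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <InputLocale>en-US</InputLocale>
      <SystemLocale>en-US</SystemLocale>
      <UILanguage>en-US</UILanguage>
      <UserLocale>en-US</UserLocale>
      <SetupUILanguage>
        <UILanguage>en-US</UILanguage>
      </SetupUILanguage>
    </component>
    <component name="Microsoft-Windows-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <DiskConfiguration>
        <Disk wcm:action="add">
          <DiskID>0</DiskID>
          <WillWipeDisk>true</WillWipeDisk>
          <CreatePartitions>
            <CreatePartition wcm:action="add">
              <Order>1</Order>
              <Type>Primary</Type>
              <Extend>true</Extend>
            </CreatePartition>
          </CreatePartitions>
          <ModifyPartitions>
            <ModifyPartition wcm:action="add">
              <Order>1</Order>
              <PartitionID>1</PartitionID>
              <Active>true</Active>
              <Format>NTFS</Format>
            </ModifyPartition>
          </ModifyPartitions>
        </Disk>
      </DiskConfiguration>
      <ImageInstall>
        <OSImage>
          <InstallFrom>
            <MetaData wcm:action="add">
              <Key>/IMAGE/NAME</Key>
              <Value>Windows 8.1 Enterprise Evaluation</Value>
            </MetaData>
          </InstallFrom>
          <InstallTo>
            <DiskID>0</DiskID>
            <PartitionID>1</PartitionID>
          </InstallTo>
        </OSImage>
      </ImageInstall>
      <UserData>
        <AcceptEula>true</AcceptEula>
        <FullName>Adatum User</FullName>
        <Organization>Adatum</Organization>
      </UserData>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
      <OOBE>
        <SkipMachineOOBE>true</SkipMachineOOBE>
        <SkipUserOOBE>true</SkipUserOOBE>
      </OOBE>
      <UserAccounts>
        <LocalAccounts>
          <LocalAccount wcm:action="add">
            <Description>Local Admin</Description>
            <DisplayName>Administrator</DisplayName>
            <Group>Administrators</Group>
            <Name>Administrator</Name>
            <Password>
              <Value>Pa$$w0rd</Value>
              <PlainText>true</PlainText>
            </Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

# Fail here, not inside Windows Setup, if the document is not well-formed XML.
[xml]$parsed = $unattend
Set-Content -Path 'A:\Autounattend.xml' -Value $unattend -Encoding UTF8
# The file holds the local Administrator password in clear text (PlainText=true), and
# Windows Setup caches a copy under C:\Windows\Panther on the installed system: protect
# the floppy image and remove cached copies before the reference computer is captured.
```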
Task 3: Save the answer file and remove the diskette drive
1. In Windows System Image Manager, click File, and then click Save Answer File As.
2. In the Save As window, in the navigation pane, click This PC.
3. In the details pane, double-click Floppy Disk Drive (A:).
4. In the File name field, type Autounattend.xml, and then click Save.
5. Close Windows System Image Manager.
6. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click
Administrative Tools, and then click Hyper-V Manager.
7. In the Hyper-V Manager console, right-click 20687C-LON-CL1, and then click Settings.
8. In the Settings for 20687C-LON-CL1 window, click Diskette Drive.
9. In the details pane, select None, and then click OK.
Task 4: Configure LON-REF1 and start the Windows 8.1 unattended installation
1. On the host computer, double-click the Hyper-V Manager icon on the desktop, or click Start, click
Administrative Tools, and then click Hyper-V Manager.
2. In the Hyper-V Manager console, right-click 20687C-LON-REF1, and then click Settings.
3. In the Settings for 20687C-LON-REF1 window, click Diskette Drive.
4. In the details pane, select Virtual floppy disk (.vfd) file, browse to D:\Program Files
\Microsoft Learning\20687\Drives, and then double-click Lab2BEx1.vfd.
5. In the Settings for 20687C-LON-REF1 window, click DVD Drive.
6. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning
\20687\Drives, double-click Win81Ent_Eval.iso, and then click OK.
7. In Hyper-V Manager, right-click 20687C-LON-REF1, and then click Connect.
8. In the 20687C-LON-REF1 on localhost window, click Actions, and then click Start.
9. Observe the Windows 8.1 installation process. Confirm that you are not prompted for any information
during installation. While Windows 8.1 is installing, continue with the next exercise.
Note: During installation, LON-REF1 restarts two times. Do not press any key to start it
from DVD.

Results: After completing this exercise, you should have modified an unattended answer file to use for
automating the Windows 8.1 installation process.
Exercise 2: Viewing Install.wim Information and Capturing a Windows 8.1
Image
Task 1: View the information of the Windows 8.1 image in the Install.wim file
1. In the Hyper-V Manager console, right-click 20687C-LON-CL1, and then click Settings.
2. In the Settings for 20687C-LON-CL1 window, click DVD Drive.
3. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning
\20687\Drives, double-click Win81Ent_Eval.iso, and then click OK.
4. On LON-CL1, in File Explorer, open the D:\Sources folder, and then view the properties of the
Install.wim file.
Note: The file is 2.99 GB (3,214,415,031 bytes), and there is another .wim file
named Boot.wim in the folder.
5. On the Start screen, type deployment, and then run Deployment and Imaging Tools Environment.
6. In Deployment and Imaging Tools Environment, run the following command to view the content of
the Install.wim file:
dism /Get-ImageInfo /ImageFile:d:\sources\install.wim
7. Verify that the .wim file has one image named Windows 8.1 Enterprise Evaluation and that image has
a size of more than 12 GB. This demonstrates how the .wim file format effectively compresses files.
8. You can view more details about the image by using the image index. For example, you can get more
extensive information about the Windows 8.1 Enterprise Evaluation image by running the following
command:
dism /Get-WimInfo /WimFile:d:\sources\install.wim /Index:1
Task 2: Capturing an image
1. At the Deployment and Imaging Tools Environment command prompt, create a .wim file that
contains the contents of the C:\Windows\Inf folder by running the following command:
dism /Capture-Image /ImageFile:c:\image.wim /CaptureDir:c:\windows\inf /Name:"First Image"
2. Open File Explorer, browse to C:\Windows, right-click the Inf folder, and then click Properties.
3. At the Deployment and Imaging Tools Environment command prompt, run the following command
to view the size of the .wim file that you created:
dir c:\image.wim
Note: You will see that image.wim is less than 5 MB in size, which shows how effectively the
initial files were compressed when they were added to the .wim file.
4. To capture the same content in a second image in the image.wim file, run the following command:
dism /Append-Image /ImageFile:c:\image.wim /CaptureDir:c:\windows\inf /Name:"Second Image"
Note: The second image, which has the same content as the first image, is added
much more quickly.
5. Review the size of the .wim file that now contains two images.
6. At the Deployment and Imaging Tools Environment command prompt, run the following command:
dir c:\image.wim
Note: image.wim is only slightly larger. The .wim file format uses single instance
store, so each file is stored only once. Because the files in both images of the .wim file are the
same, each file is contained only once.
7. Run the following command to verify which images are contained in the image.wim file:
dism /Get-ImageInfo /ImageFile:c:\image.wim
Task 3: Modifying an offline image
1. In File Explorer, view the size of the file C:\Image.wim and when the file was last modified.
2. At the Deployment and Imaging Tools Environment command prompt, run the following two
commands to create an empty folder and mount the second image in image.wim to the created
folder:
mkdir c:\mount
dism /mount-wim /wimfile:c:\image.wim /index:2 /mountdir:c:\mount
3. In File Explorer, view the properties of the C:\Mount folder. Note that the contents of the folder are
exactly the same as the contents of the C:\Windows\Inf folder.
4. In File Explorer, navigate to the C:\Mount folder, and then create a subfolder named Folder1. Select
and delete any three files in the C:\Mount folder.
5. Close File Explorer.
6. Unmount the image by running the following command:
dism /unmount-wim /mountdir:c:\mount /commit
7. View the properties of the .wim file by running the following command:
dir c:\image.wim
8. View the contents of the .wim file by running the following command:
dism /Get-ImageInfo /ImageFile:c:\image.wim
9. Run the following commands to view the content of the second and first image in the image.wim file:
dism /Get-WimInfo /WimFile:c:\image.wim /Index:2
dism /Get-WimInfo /WimFile:c:\image.wim /Index:1
Note: The second image has one more directory and three fewer files than the first
image. All those modifications were performed in the offline image.
Task 4: Capturing Windows 8.1 image
1. Sign in to LON-REF1 as user Admin with the password Pa$$w0rd. Verify that Windows 8.1 is
installed.
2. In the Hyper-V Manager console, right-click 20687C-LON-REF1, and then click Settings.
3. In the Settings for 20687C-LON-REF1 window, click DVD Drive.
4. In the details pane, click Image file, browse to D:\Program Files\Microsoft Learning
\20687\Drives, double-click WindowsPE.iso, and then click OK.
5. In LON-REF1, open a command prompt as an Administrator, click Yes in the User Account Control dialog
box, and then run the following command:
C:\Windows\System32\sysprep\sysprep.exe
6. In the System Preparation Tool 3.14 dialog box, click Generalize, and then click OK.
7. When LON-REF1 restarts, press any key to start it from the DVD media.
8. In the Administrator: X:\Windows\system32\cmd.exe window, run the following command:
Net use g: \\lon-cl1\share Pa$$w0rd /user:adatum\administrator
9. Run the following command to capture a Windows 8.1 image on LON-REF1:
dism /Capture-Image /ImageFile:g:\Win81.wim /CaptureDir:d:\ /name:CustomImage
Note: You can continue with the lecture while the capture is in progress.

Results: After completing this exercise, you should have viewed Windows image information and
captured a Windows 8.1 image.
Lab C: Deploying a Windows 8.1 Image
Exercise 1: Performing Offline Servicing and Deploying a Windows 8.1
Image
Task 1: Perform offline servicing of the Windows image
1. Sign in to LON-CL1 as Adatum\Administrator.
2. Open File Explorer, navigate to the C:\Mount folder, and then verify that the folder is empty.
3. On the Start screen, type command, and then click Command Prompt.
4. Mount the Windows 8.1 image by running the following command:
Dism.exe /mount-image /imagefile:e:\labfiles\mod02\share\win81.wim /index:1
/mountdir:c:\mount
Note: If the image Win81.wim is not yet captured or you didn't capture it in Lab B, you can use
E:\labfiles\mod02\sources\install.wim instead.
5. View the driver packages in the mounted Windows 8.1 image by running the following command:
dir /OD c:\mount\Windows\System32\DriverStore\FileRepository
6. Add a driver to the image by running the following command:
dism /image:c:\mount /Add-Driver /driver:E:\Labfiles\mod02\drivers\dc3dh.inf
7. Verify that the driver has been added to the offline image by running the following command:
dir /OD c:\mount\Windows\System32\DriverStore\FileRepository
8. List the Windows 8.1 features and their state in the mounted image by running the following
command:
dism /Image:c:\mount /Get-Features /format:Table
9. Enable the Telnet Client Windows feature by running the following command:
dism /Image:c:\mount /Enable-Feature:TelnetClient
10. Unmount the Windows 8.1 image, and then commit the changes by running the following command:
Dism.exe /unmount-wim /mountdir:c:\mount /commit
Wait until the image is saved and unmounted.
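The offline-servicing sequence of this task wrapped in one PowerShell function, as an added example that is not part of the 20687C lab: it checks every dism.exe exit code and discards the mount on failure, so a half-serviced image is never committed back into win81.wim. The image, mount, driver and feature values are the lab's; the function and parameter names are my own.

```powershell
# Added example (not part of the 20687C lab): mount, add driver, enable feature,
# commit, with exit-code checks and /Discard on any failure.
# Assumes dism.exe is on PATH (Windows 8.1 / ADK) and the lab paths exist.
function Invoke-OfflineServicing {
    param(
        [Parameter(Mandatory)] [string]   $ImageFile,          # e.g. E:\labfiles\mod02\share\win81.wim
        [int]      $Index     = 1,
        [string]   $MountDir  = 'C:\mount',
        [string[]] $DriverInf = @(),                           # .inf files to inject
        [string[]] $Feature   = @()                            # optional features to enable
    )

    # Run dism.exe and stop on a non-zero exit code; dism prints its own error text.
    function Invoke-Dism([string[]] $Arguments) {
        & dism.exe @Arguments | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "dism $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
        }
    }

    # DISM refuses a non-empty mount directory, which is what step 2 checks by eye.
    if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
    if (Get-ChildItem -Path $MountDir -Force | Select-Object -First 1) {
        throw "$MountDir is not empty; unmount the stale image or run 'dism /Cleanup-Wim' first"
    }

    Invoke-Dism ('/Mount-Wim', "/WimFile:$ImageFile", "/Index:$Index", "/MountDir:$MountDir")
    try {
        foreach ($inf in $DriverInf) {
            # No /ForceUnsigned: an unsigned driver fails here instead of landing in the image.
            Invoke-Dism ("/Image:$MountDir", '/Add-Driver', "/Driver:$inf")
        }
        foreach ($f in $Feature) {
            Invoke-Dism ("/Image:$MountDir", '/Enable-Feature', "/FeatureName:$f")
        }
        # Reached only when every step succeeded: write the changes back to the .wim.
        Invoke-Dism ('/Unmount-Wim', "/MountDir:$MountDir", '/Commit')
        return $true
    }
    catch {
        Write-Warning $_
        # Throw the partial changes away so the image on the share stays as it was.
        & dism.exe /Unmount-Wim /MountDir:$MountDir /Discard | Out-Null
        return $false
    }
}

# Lab values: inject dc3dh.inf and enable the Telnet Client, as in steps 6 and 9.
Invoke-OfflineServicing -ImageFile 'E:\labfiles\mod02\share\win81.wim' -Index 1 `
    -DriverInf 'E:\Labfiles\mod02\drivers\dc3dh.inf' -Feature 'TelnetClient'
```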
Task 2: Use Deployment Image Servicing and Management (DISM) to deploy a
Windows image
1. On LON-REF1, at the command prompt, run the following commands to partition and format the
disk. Press Enter after each command:
diskpart
select disk 0
clean
create partition primary
format fs=ntfs quick
assign letter c
exit
2. At the command prompt, apply the Windows 8.1 image by running the following command:
Dism.exe /apply-image /imagefile:g:\win81.wim /index:1 /applydir:c:\
3. Verify that the Windows 8.1 image has been applied to drive C by running the following
command:
dir c:\

Results: After completing this exercise, you should have updated a Windows 8.1 installation image.
Prepare for the next module
When you have finished the lab, revert all virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1 and 20687C-LON-REF1.


Module 3: Managing Profiles and User State in Windows 8.1
Lab A: Configuring Profiles and User State
Virtualization
Exercise 1: Configuring Roaming User Profiles and Folder Redirection
Task 1: Create folders for roaming user profiles and Folder Redirection
1. On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Local Disk (C:).
2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder.
Type Profiles as the folder name, and then press Enter.
3. Right-click the Profiles folder, and then click Properties.
4. In the Profiles Properties dialog box, on the Security tab, click Edit, and then click Add.
5. In the Enter the object names to select box, type Domain, and then click OK.
6. Click Domain Users, and then click OK.
7. In the Permissions for Domain Users section, click Full control in the Allow column, and then click
OK.
8. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click
Permissions.
9. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK
twice.
10. In the Profiles Properties dialog box, click Close.
11. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder.
Type Redirected as the folder name, and then press Enter.
12. Right-click the Redirected folder, and then click Properties.
13. In the Redirected Properties dialog box, on the Security tab, click Edit, click Add, and in the Enter
the object names to select box, enter Domain, and then click OK.
14. Click Domain Users, and click OK.
15. In the Permissions for Domain Users section, click Full control in the Allow column, and then click
OK.
16. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click
Permissions.
17. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK
twice.
18. In the Redirected Properties dialog box, click Close.
19. Close File Explorer.
Task 2: Configure roaming user profiles
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, in the navigation pane, expand Adatum.com, and then
click the Marketing organizational unit (OU). In the details pane, right-click Adam Barr, and then
click Properties.
3. On the Profile tab, in the Profile path box, type \\LON-DC1\Profiles\%username%, and then click
OK.
4. Minimize Active Directory Users and Computers.
Task 3: Configure Folder Redirection
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management Console (GPMC), in the navigation pane, expand Forest:
Adatum.com, expand Domains, and then expand Adatum.com.
3. In the navigation pane, right-click the Marketing OU, and then click Create a GPO in this domain,
and Link it here.
4. In the Name field, type Folder Redirection, and then click OK.
5. In the GPMC, in the navigation pane, expand the Marketing OU, right-click Folder Redirection, and
then click Edit. The Group Policy Management Editor opens.
6. In the Group Policy Management Editor, under User Configuration in the navigation pane, expand
Policies, Windows Settings, and Folder Redirection.
7. Right-click Documents, and then click Properties.
8. In the Documents Properties dialog box, in the Setting drop-down box, click the Basic - Redirect
everyone's folder to the same location option.
9. In the Target folder location section, in the Root Path box, type \\LON-DC1\Redirected, and then
click OK.
10. In the Warning dialog box, click Yes.
11. Close the Group Policy Management Editor and minimize the GPMC.
Task 4: Verify roaming user profiles and Folder Redirection
1. On LON-DC1, in File Explorer, verify that the Profiles and Redirected folders are empty.
2. Sign in to LON-CL1 as adatum\adam with password Pa$$w0rd.
3. On the Start screen, click the Desktop tile. Right-click anywhere on the desktop, point to New, and
then click Folder. Type Presentations as the folder name, and then press Enter.
4. On the desktop, right-click anywhere, and then click Personalize.
5. In the Personalization dialog box, click Change desktop icons, and then click Computer in the
Desktop icons section. Click OK and then close the Personalization dialog box.
6. On the desktop, right-click anywhere, point to New, and then click Shortcut. Click Browse, expand
This PC, click Local Disk (C:), click OK, click Next, and then click Finish. A shortcut to drive C is
added to the desktop.
7. On the toolbar, click the Start icon.
8. On the Start screen, type Notepad, and then press Enter. Type your name in Notepad. On the File
menu, click Save As, enter your name in the File Name box, and then click Save.
9. Close Notepad.
10. On the taskbar, click File Explorer, and then double-click Documents in the details pane. In the
details pane, right-click the file with your name, and then click Properties. Verify that the location of
that file points to the network, to \\LON-DC1\redirected\adam\Documents, and that it is not
stored inside Adam Barr's local profile. Click OK.
11. Sign out of LON-CL1.
12. On LON-DC1, in File Explorer, verify that the Profiles and Redirected folders are no longer empty.
The Profiles folder contains the Adam Barr roaming user profile (Adam.V2), while the Redirected
folder contains Adam Barr's redirected Documents folder.
13. Sign in to LON-CL2 as Adatum\Adam with password Pa$$w0rd.
14. On the Start screen, click the Desktop tile. Verify the This PC icon is on the desktop, in addition to
the Presentations folder and the Local Disk (C:) shortcut.
15. On the toolbar, click the Start icon.
16. On the Start screen, type Notepad, and then press Enter. On the File menu, click Open, click the file
with your name, and then click Open. You verified that you can transparently access files that were
created on other computers and saved in a redirected folder.
17. Sign out of LON-CL2.
Task 5: Configure primary computers for user Adam Barr
1. On LON-DC1, maximize Active Directory Users and Computers. On the View menu, click
Advanced Features.
2. In the navigation pane of Active Directory Users and Computers, click the Computers container,
right-click the LON-CL1 computer account in the details pane, and then click Properties.
3. On the Attribute Editor tab, in the Attributes section, double-click the distinguishedName
attribute, press Ctrl+C to copy its value to the clipboard, and then click OK twice.
Note: The distinguishedName attribute should look like the following: CN=LON-
CL1,CN=Computers,DC=adatum,DC=com.
4. In the navigation pane, click the Marketing OU, right-click Adam Barr in the details pane, and then
click Properties.
5. On the Attribute Editor tab, in the Attributes section, click the msDS-PrimaryComputer attribute,
and then click Edit.
6. Right-click in the Value to add box, click Paste, and then click Add.
7. Right-click in the Value to add box, and then click Paste again. Replace LON-CL1 with LON-CL2,
and then click Add.
8. In the Multi-valued String Editor dialog box, click OK.
9. In the Adam Barr Properties dialog box, click OK.
10. Minimize Active Directory Users and Computers.
11. Maximize the GPMC, right-click the Default Domain Policy group policy, and then click Edit.
12. In the Group Policy Management Editor, go to Computer Configuration\Policies
\Administrative Templates\System\User Profiles. Double-click the Download roaming profiles
on primary computers only policy setting, click Enabled, and then click OK.
13. In the Group Policy Management Editor, go to User Configuration\Policies
\Administrative Templates\System\Folder Redirection. Double-click the Redirect folders on
primary computers only policy setting, click Enabled, and then click OK.
14. Close the Group Policy Management Editor and the GPMC.
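Setting msDS-PrimaryComputer from computer names instead of pasting distinguished names by hand, as an added PowerShell example that is not part of the 20687C lab. It assumes the ActiveDirectory module (RSAT) is available, as it is on LON-DC1; the user and computer names are the lab's, the function names are my own.

```powershell
# Added example (not part of the 20687C lab): resolve computer names to DNs,
# write them to the user's msDS-PrimaryComputer attribute, and read the result back.
Import-Module ActiveDirectory

function Set-PrimaryComputer {
    param(
        [Parameter(Mandatory)] [string]   $User,       # sAMAccountName, e.g. adam
        [Parameter(Mandatory)] [string[]] $Computer    # e.g. LON-CL1, LON-CL2
    )

    # Resolve each name to its DN; a typo fails here instead of storing a bogus DN
    # that the client would silently treat as "not a primary computer".
    [string[]] $dns = foreach ($name in $Computer) {
        (Get-ADComputer -Identity $name -ErrorAction Stop).DistinguishedName
    }

    # -Replace rewrites the whole multi-valued attribute (the lab's GUI steps append),
    # so a stale entry for a retired or renamed machine does not keep the user's
    # roaming profile and redirected folders downloadable there.
    Set-ADUser -Identity $User -Replace @{ 'msDS-PrimaryComputer' = $dns }

    # Return what AD actually stored so the caller can check it.
    (Get-ADUser -Identity $User -Properties 'msDS-PrimaryComputer').'msDS-PrimaryComputer'
}

function Test-PrimaryComputer {
    param([Parameter(Mandatory)] [string] $User, [Parameter(Mandatory)] [string] $Computer)
    $dn      = (Get-ADComputer -Identity $Computer).DistinguishedName
    $current = (Get-ADUser -Identity $User -Properties 'msDS-PrimaryComputer').'msDS-PrimaryComputer'
    return [bool]($current -contains $dn)
}

# Task 5 values: LON-CL1 and LON-CL2 become Adam Barr's primary computers.
Set-PrimaryComputer -User 'adam' -Computer 'LON-CL1', 'LON-CL2'
Test-PrimaryComputer -User 'adam' -Computer 'LON-SVR1'   # False until Task 6 step 10 adds it
```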
Task 6: Verify Primary Computer setting for user Adam Barr
1. Switch to LON-SVR1, and on the taskbar, click Windows PowerShell. Type gpupdate /force, and
then press Enter.
2. Sign out of LON-SVR1.
3. Sign in to LON-SVR1 as Adatum\Adam with password Pa$$w0rd.
4. Verify that the This PC icon, Presentations folder, and Local Disk (C:) shortcut are not on the
desktop. This is because LON-SVR1 is not set as one of Adam Barr's primary computers, so his
roaming user profile is not available on LON-SVR1.
5. On the taskbar, click the Start icon.
6. On the Start screen, type Notepad, and then press Enter. On the File menu, click Open. Verify that
Documents is selected in the navigation pane, but the file with your name is not available. This is
because LON-SVR1 is not set as one of Adam Barr's primary computers, so his redirected folders are
not available on LON-SVR1. Click Cancel and sign out of LON-SVR1.
7. On LON-DC1, maximize Active Directory Users and Computers. Click the Marketing OU in the
navigation pane. Right-click Adam Barr in the details pane, and then click Properties.
8. On the Attribute Editor tab, in the Attributes section, click the msDS-PrimaryComputer attribute,
and then click Edit.
9. In the Multi-valued String Editor dialog box, click the value that starts with CN=LON-CL2, and then
click Remove.
10. In the Value to add box, replace LON-CL2 with LON-SVR1, click Add, and then click OK twice.
11. Sign in to LON-SVR1 as Adatum\Adam with password Pa$$w0rd.
12. Verify that the Presentations folder is on the desktop, as well as the Local Disk (C:) shortcut. This is
because you configured LON-SVR1 as Adam Barr's primary computer, so his roaming user profile is
effective.
13. On the taskbar, click the File Explorer icon. In This PC, in the details pane, double-click Documents.
Double-click the file with your name in the details pane. The file opens in Notepad. Because you
configured LON-SVR1 as Adam Barr's primary computer, his redirected folders are now available.
14. In Notepad, on the File menu, click Exit, and then sign out of LON-SVR1.

Results: After completing this exercise, you should have configured roaming user profiles and Folder
Redirection. You also should have configured the user Adam Barr with the Primary Computer setting.
Exercise 2: Implementing and Configuring UE-V
Task 1: Prepare the environment for deploying Microsoft User Experience
Virtualization (UE-V)
1. On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Local Disk (C:).
2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder.
Type UEVdata as the folder name, and then press Enter. Right-click the UEVdata folder, and then
click Properties.
3. On the Security tab, click Edit. Click Add, enter Domain in the Enter the object names to select
box, and then click OK. Click Domain Users, and then click OK.
4. In the Permissions for Domain Users section, click Full control in the Allow column, and then click
OK.
5. On the Sharing tab, click Advanced Sharing. Select the Share this folder check box, and then click
Permissions.
6. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK
twice.
7. In the UEVdata Properties dialog box, click Close.
8. In File Explorer, in the details pane, right-click on an empty space, point to New, and then click
Folder. Type UEVTemplates as the folder name, and then press Enter. Right-click the UEVTemplates
folder, and then click Properties.
9. On the Security tab, click Edit. Click Add, enter Domain in Enter the object names to select box,
and then click OK. Click Domain Users, and then click OK.
10. In the Permissions for Domain Users section, click Full control in the Allow column, and then click
OK.
11. On the Sharing tab, click Advanced Sharing, select the Share this folder check box, and then click
Permissions.
12. In the Permissions for Everyone section, click Full Control in the Allow column, and then click OK
twice.
13. In the UEVTemplates Properties dialog box, click Close.
14. Minimize File Explorer.
Task 2: Configure UE-V Group Policy settings
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the GPMC, in the navigation pane, expand Forest: Adatum.com, expand Domains, and then
expand Adatum.com. Right-click Default Domain Policy, and then click Edit.
3. In the Group Policy Management Editor, under User Configuration in the navigation pane, expand
Policies, Administrative Templates, and Windows Components. Verify that there is no Microsoft
User Experience Virtualization node.
4. Close the Group Policy Management Editor.
5. Use File Explorer to copy file UserExperienceVirtualization.admx from E:\Labfiles\Mod03 to folder
C:\Windows\PolicyDefinitions, and then copy file UserExperienceVirtualization.adml to folder
C:\Windows\PolicyDefinitions\en-US.
6. In the GPMC, right-click the Adatum.com domain in the navigation pane, and then click Create a
GPO in this domain, and Link it here. In the Name field, type UE-V, and then click OK.
7. In the GPMC, in the navigation pane, right-click the UE-V Group Policy, and then click Edit.
8. In the Group Policy Management Editor, under User Configuration in the navigation pane, expand
Policies, Administrative Templates, Windows Components, and then click the Microsoft User
Experience Virtualization node.
9. In the details pane, right-click Settings storage path, click Edit, click Enabled, in the Settings
storage path, type \\LON-DC1\UEVData\%username%, and then click OK.
10. In the Group Policy Management Editor, under Computer Configuration in the navigation pane,
expand Policies, Administrative Templates, Windows Components, and then click the Microsoft
User Experience Virtualization node.
11. In the details pane, right-click Settings template catalog path, click Edit, click Enabled, in Settings
template catalog path, type \\LON-DC1\UEVTemplates, and then click OK.
12. Close the Group Policy Management Editor and the GPMC.
Task 3: Install UE-V agents
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type Explorer, and then click File Explorer.
3. In File Explorer, navigate to E:\Labfiles\Mod03 folder and double-click AgentSetup.exe.
4. On the Welcome to the Microsoft User Experience Virtualization Agent Setup Wizard page,
click Next.
5. On the End-User License Agreement page, select the I accept the terms in the License
Agreement check box, and then click Next.
6. On the Microsoft Update page, select Do not use Microsoft Update, and then click Next.
7. On the Customer Experience Improvement Program page, select Do not join the program at
this time and click Next.
8. On the Begin Installation page, click Install.
9. On the Completed the Microsoft User Experience Virtualization Agent Setup Wizard page, click
Finish, and then click Restart.
10. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
11. On the Start screen, type PowerShell and click Windows PowerShell.
12. In Windows PowerShell command-line interface, run the following command:
E:\Labfiles\Mod03\AgentSetup.exe SyncMethod=None
13. Repeat steps 4 through 8 on LON-CL2.
Task 4: Configure UE-V to synchronize settings immediately
1. On LON-DC1, in File Explorer, verify that the C:\UEVdata folder is empty.
2. Sign in to LON-CL1 and LON-CL2 as Adatum\Brad with password Pa$$w0rd.
3. On LON-CL1, verify that the UE-V configuration is effective. On the Start screen, type Windows
PowerShell, and then press Enter.
4. In Windows PowerShell, type Get-UevConfiguration, and then press Enter. You will see that the values for
SettingsStoragePath and SettingsTemplateCatalogPath are configured as you set them in Group
Policy. You also will see that the current SyncMethod is set to SyncProvider.
5. You can view the other UE-V Windows PowerShell cmdlets by running the Get-Command -Module UEV
cmdlet.
6. Close the Windows PowerShell window.
7. On LON-CL2, on the Start screen, type Calculator. Verify that the desktop app is selected, and then press
Enter. On the View menu, click Date calculation. The Calculator is extended with options for date
calculation. Close Calculator.
8. On LON-CL1, on the Start screen, type Calculator. Verify that the desktop app is selected, and then press
Enter. Verify that the Calculator is not extended with options for date calculation, because the local cache is
used and it has not yet been synchronized with the settings storage location. Close Calculator.
9. On LON-CL1, on the Start screen, type Company, and then press Enter. Click Close in the dialog box.
10. In Company Settings Center, click Sync Now. By doing that, you manually trigger synchronization of
the local cache, which happens automatically every 30 minutes.
11. In Company Settings Center, click Close.
12. On LON-CL1, on the Start screen, type Calculator, and then press Enter. Verify that Calculator is now
extended with options for date calculation, as you configured it on LON-CL2.
13. On LON-CL1, on the Start screen, type PowerShell, and then press Enter.
14. In Windows PowerShell, disable the use of local cache by running the following cmdlet:
Set-UevConfiguration -SyncMethod None
15. Sign out of LON-CL1.
Task 5: Use UE-V to synchronize settings
1. On LON-CL2, on the Start screen, type WordPad, and then press Enter.
2. In WordPad, click the View tab, and then verify that the Ruler and Status bar check boxes are
selected by default. Clear the Ruler and Status bar check boxes, and then close WordPad.
3. On the desktop, right-click anywhere, point to New, and then select Shortcut. Click Browse, expand
This PC, click Local Disk (C:), click OK, click Next, and then click Finish.
Note: A shortcut to Local Disk (C:) is added to the desktop.
4. On the Start screen, type Notepad, and then press Enter. On the Format menu, select Font, select 20
as Size, and then click OK. Type your name in Notepad. On the File menu, click Save As, type your
name in the File Name box, and then click Save. Close Notepad.
5. On LON-DC1, in File Explorer, verify that the UEVdata folder now has a brad subfolder.
6. On the View tab, click Hidden items, double-click the brad folder, and then verify that it contains
the SettingsPackages subfolder. Double-click the SettingsPackages folder, and then verify that it
contains multiple subfolders for the applications and Windows settings that are synchronized by UE-
V.
7. On LON-CL2, on the Start screen, type Calculator. Verify that the desktop app is selected, and then press
Enter.
8. In Calculator, on the View menu, click Programmer, and then click Unit Conversion. Close
Calculator.
9. Sign in to LON-CL1 as Adatum\Brad with password Pa$$w0rd.
10. On LON-CL1, from the Start screen, type Calculator. Verify that the desktop app is selected, and then
press Enter. The Calculator is in Programmer mode and extended with Unit Conversion, as you
configured it on LON-CL2. Close Calculator.
11. On LON-CL1, open WordPad.
12. On the View tab, verify that the Ruler and Status bar check boxes are not selected, which is not the
default configuration, but it is exactly as you configured it on LON-CL2. Close WordPad.
13. On LON-CL1, verify that a shortcut to Local Disk (C:) is not present on the desktop. You created it on
the desktop on LON-CL2, and it is stored in that user profile. Contents of the desktop are not
synchronized by UE-V; instead, you should use Folder Redirection or roaming user profiles to make
data roam between computers.
14. On LON-CL1, on the Start screen, open Notepad. On the Format menu, select Font, verify that font
size 20 is selected, and then click OK.
15. On the File menu, click Open. In the navigation pane, expand This PC and select Documents.
16. Verify that the file with your name is not available in the details pane. You created a file with your
name on LON-CL2, and it is stored in that user profile. UE-V synchronizes only settings, not data. You
should use Folder Redirection or roaming user profiles to make data roam between computers. Click
Cancel and close Notepad.
Task 6: Restore app settings
1. On LON-CL1, on the Start screen, open Calculator. Verify that Calculator is in Programmer view and
extended with Unit Conversion. Close Calculator.
2. On the Start screen, type and run Windows PowerShell.
3. At the Windows PowerShell command prompt, run Get-UevTemplate *calc* to view which settings
location template TemplateId is used for Calculator.
4. Restore initial Calculator settings by running following cmdlet: Restore-UevUserSetting
MicrosoftCalculator6.
5. On the Start screen, open Calculator, and verify that it is in the default Standard mode, in which it was
before the first UE-V synchronization.
6. Sign out of LON-CL1 and LON-CL2.
Task 7: Create UE-V settings location template
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click Desktop tile.
3. Open File Explorer, and then double-click ToolsSetup.exe in the E:\Labfiles\Mod03 folder.
4. On the Welcome to the Microsoft User Experience Virtualization Generator Setup Wizard page,
click Next.
5. Select the I accept the terms in the License Agreement check box, and then click Next.
6. Select the Do not use Microsoft Update check box, and then click Next.
7. On the Customer Experience Improvement Program page, select Do not join the program at
this time and then click Next.
8. On the Begin Installation page, click Install.
9. On the Completed the Microsoft User Experience Virtualization Generator Setup Wizard page,
click Finish and then click Restart.
10. After LON-CL1 restarts, sign in as Adatum\Administrator with password Pa$$w0rd.
11. On the Start screen, type generator, and then click Microsoft User Experience Virtualization
Generator.
12. In Microsoft User Experience Virtualization Generator, click Create a settings location template.
13. Click Browse for the File path, browse to C:\Program files (x86)\Remote Desktop Connection
Manager, click RDCMan.exe, and then click Open.
14. On the Specify Application page, click Next.
Note: You will create a settings location template for Remote Desktop Connection Manager.
15. After a few seconds, Remote Desktop Connection Manager will start. In Remote Desktop Connection
Manager, on the Tools menu, click Options.
16. In the Options dialog box, select Click to select gives focus to remote client, and then click OK.
Close Remote Desktop Connection Manager.
17. In the Discover Locations dialog box, click Next.
18. On the Review Locations page, select the Files tab, click Nonstandard (1), select File path, and
then click Next.
19. On the Edit Template page, view the settings location template properties. You could modify the registry
and files that are used for storing configuration data on this page. Click Create, and in the File name
box, type \\LON-DC1\UEVTemplates\RDCMan.xml, and then click Save.
20. In the Create a Settings Location Template Wizard, click Close, and then close the Microsoft User
Experience Virtualization (UE-V) Generator page.
Task 8: Using UE-V to synchronize custom app settings
1. On LON-CL1, on the Start screen, run Windows PowerShell.
2. At the Windows PowerShell command prompt, run the following cmdlet:
Get-UevTemplate *rdc*
Note: The output shows that no settings location template containing the string rdc is
registered.
3. Register the Remote Desktop Connection Manager settings location template by running following
cmdlet: Register-UevTemplate \\LON-DC1\UEVTemplates\RDCMan.xml.
Note: By default, settings location template updates are registered once per day; by
running the cmdlet, you register the template manually.
4. To verify that the template is registered, run following cmdlet: Get-UevTemplate *rdc*. You can see
that Remote Desktop Connection Manager (with TemplateId Remote-Desktop-RDCMan-v-2-2) is
listed.
5. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
6. On the Start screen, click the Desktop tile, and then click File Explorer on the taskbar.
7. In File Explorer, in the C:\Program Files\Microsoft User Experience Virtualization\Agent\x64
folder, double-click the ApplySettingsTemplateCatalog file.
8. On LON-CL1, on the Start screen, type remote, and then run Remote Desktop Connection Manager.
9. In Remote Desktop Connection Manager, on the Tools menu, select Options.
10. In the Options dialog box, select Auto save interval and type 3 in the Minute(s) box. Click OK, and
then close Remote Desktop Connection Manager.
11. On LON-CL2, on the Start screen, type remote, and then run Remote Desktop Connection
Manager.
12. In Remote Desktop Connection Manager, on the Tools menu, select Options, and then verify that
Auto save interval is selected and configured to 3 Minute(s). Click OK, and then close Remote
Desktop Connection Manager.
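Registering the RDCMan template with a schema check first and without re-registering an ID the agent already knows, as an added PowerShell example that is not part of the 20687C lab (Task 8, steps 2 to 4, do the same checks by eye). It assumes the UE-V 2.x agent and its UEV module from Task 3, the template path from Task 7, that the template's ID sits in the XML's SettingsLocationTemplate/ID element, and that Test-UevTemplate's result object exposes IsValid and Message properties; the function names are my own.

```powershell
# Added example (not part of the 20687C lab): validate, then register a UE-V
# settings location template only if its TemplateId is not registered yet.
function Register-UevTemplateSafely {
    param([Parameter(Mandatory)] [string] $Path)   # e.g. \\LON-DC1\UEVTemplates\RDCMan.xml
    Import-Module UEV -ErrorAction Stop

    # The TemplateId is the <ID> element of the template XML (assumed layout).
    [xml] $xml = Get-Content -Path $Path -ErrorAction Stop
    $id = $xml.SettingsLocationTemplate.ID
    if (-not $id) { throw "$Path has no SettingsLocationTemplate/ID element" }

    # Already known to the agent (the daily catalog sync may have registered it).
    if (Get-UevTemplate -TemplateId $id -ErrorAction SilentlyContinue) {
        Write-Verbose "$id is already registered; nothing to do"
        return $false
    }

    # Schema check before registration; property names IsValid/Message are assumed.
    $result = Test-UevTemplate -Path $Path
    if ($result.IsValid -eq $false) {
        throw "$Path failed schema validation: $($result.Message)"
    }

    Register-UevTemplate -Path $Path
    return [bool](Get-UevTemplate -TemplateId $id -ErrorAction SilentlyContinue)
}

# Client-side view of what the UE-V GPO from Task 2 actually applied, for the
# comparison Task 4 step 4 makes by reading Get-UevConfiguration output.
function Get-UevEffectiveSettings {
    Import-Module UEV -ErrorAction Stop
    $cfg = Get-UevConfiguration
    [pscustomobject]@{
        StoragePath = $cfg.SettingsStoragePath          # expected \\LON-DC1\UEVData\%username%
        CatalogPath = $cfg.SettingsTemplateCatalogPath  # expected \\LON-DC1\UEVTemplates
        SyncMethod  = $cfg.SyncMethod                   # SyncProvider, or None after Task 4 step 14
    }
}

Register-UevTemplateSafely -Path '\\LON-DC1\UEVTemplates\RDCMan.xml' -Verbose
Get-UevEffectiveSettings
```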

Results: After completing this exercise, you should have successfully implemented and configured UE-V
for synchronizing apps and Windows settings.
Prepare for the next lab
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687C-LON-CL1, 20687C-LON-CL2, and 20687C-LON-SVR1.

Lab B: Migrating User State by Using USMT
Exercise 1: Creating and Customizing USMT XML Files
Scenario
Supporting Documentation
Email from Max Stevens:
Ed Meadows
From: Max Stevens [Max@adatum.com]
Sent: 10 January 2014 08:01
To: Ed@adatum.com
Subject: User State Migration for the new Windows 8.1 computers in the Research department


Hi Ed,
We have 10 new Windows 8.1 computers that are being deployed within the Research department. We
need to ensure that no user data stored on the old computers is lost in the migration, and that all user
data is migrated to the new computers. What I want you to do is use USMT to help with the user state
migration. Here are some additional things to consider:
The old computers have Windows 7 installed.
All computers have Microsoft Office 2010 installed.
The contents of the Shared Video, Shared Music, and Shared Pictures folders should not be migrated
from Windows 7 to the new Windows 8.1 computers.
We have a custom folder named ResearchApps that has to be migrated from all the old computers to
the new Windows 8.1 computers.
All domain profiles that are on each existing computer should be migrated to the new systems.
You can use \\LON-DC1\Data as a location to store the data store during the migration. The data
store should be compressed to minimize space. Because there is no confidential information on these
specific computers, we do not need the migration store to be encrypted.
Thanks,
Max
Your user state migration information states that several operating system features should not be
migrated. You also have to migrate an additional folder from the old computers to the new Windows 8.1
computers. Your first task is to create the custom XML files that address these requirements.
Task 1: Read the supporting documentation
Read the supporting documentation provided in the exercise scenario.
Task 2: Create a Config.xml file
1. Sign in to LON-CL3 as Adatum\Don with password Pa$$w0rd.
2. Verify that Don has a black desktop and that the Computer and Don Funk folders are shown on the
desktop.
3. On the desktop, right-click anywhere, select New, select Text Document, and then type your name.
4. Sign out of LON-CL3, and then sign back in to LON-CL3 as Adatum\Administrator with password
Pa$$w0rd.
5. Click Start, type cmd, and then press Enter.
6. At the command prompt, type the following command, and then press Enter.
Net Use F: \\LON-DC1\USMT
7. At the command prompt, type F:, and then press Enter.
8. At the command prompt, type the following, and then press Enter.
scanstate /i:migapp.xml /i:miguser.xml /genconfig:config.xml
Note: The creation of the Config.xml file will begin. Wait until the command finishes.
9. At the command prompt, type notepad config.xml, and then press Enter.
10. To exclude Shared Video, under the Documents node, modify the line to match the following code:
component displayname="Shared Video" migrate="no"
11. Under the Documents node, modify the line to match the following code:
component displayname="Shared Music" migrate="no"
12. Under the Documents node, modify the line to match the following code:
component displayname="Shared Pictures" migrate="no"
13. Save your changes, and then close Notepad.
Task 3: Modify a custom migration XML file
1. At a command prompt, type notepad folders.xml, and then press Enter.
2. Maximize the Notepad window. This is a custom XML file that is used to migrate a specific folder
called ResearchApps to the new workstation.
3. Change the variable <Foldername> to ResearchApps. The entire line should read as follows.
<pattern type="File">C:\ResearchApps\* [*]</pattern>
4. Save your changes, and then close Notepad.
5. On the taskbar, click the Windows Explorer icon.
6. In Windows Explorer, in the details pane, expand Computer, and then click Local Disk (C:). In the
details pane, double-click ResearchApps, and then verify that there are several files in the folder.
7. In Windows Explorer, right-click in the details pane, select New, select Text Document, and then
type your name.
8. Close Windows Explorer.

Results: After completing this exercise, you should have created and customized XML files to use with the
User State Migration Tool (USMT).
Exercise 2: Capturing and Restoring User State to a Target Computer
Task 1: Capture user state on the source computer
1. On LON-CL3, switch to the command prompt.
2. Verify that there is no content on the \\LON-DC1\Data share by running the following command:
Dir \\lon-dc1\data
3. Capture the state of LON-CL3 by running the following command:
F:\Scanstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml /config:config.xml /o /efs:copyraw
4. Wait until the ScanState process completes, and then verify that the state is captured on the network
share by running the following command:
Dir \\lon-dc1\data /s
Task 2: Restore user state on the destination computer
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. From the Start screen, type cmd, and then press Enter.
3. Click the File Explorer icon on the taskbar. Go to C:\Users, and then verify that there is no subfolder
named Ed or Don.
4. In File Explorer, click Local disk (C:), and then verify that there is no ResearchApps folder on drive C.
5. At the command prompt, run the following command:
Net Use F: \\LON-DC1\USMT
6. At the command prompt, type F:, and then press Enter.
7. At the command prompt, type the following, and then press Enter.
Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml
8. When the LoadState task completes, in File Explorer, in the C:\Users folder, verify that there are
subfolders named Ed and Don.
9. Sign out of LON-CL1.
Task 3: Verify the user state migration
1. Sign in to LON-CL1 as Adatum\Don with password Pa$$w0rd.
2. From the Start screen, click the Desktop tile.
3. Notice the Computer and Don Funk folders on the desktop, in addition to a text document with your
name.
4. On the taskbar, click the File Explorer icon.
5. In File Explorer, in the details pane, double-click Local Disk (C:). In the details pane, double-click
ResearchApps, and then verify that all the files from LON-CL3 have migrated, including the file with
your name.

Results: After completing this exercise, you should have captured and restored user states by using USMT.
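The two exercises above can be driven from one Windows PowerShell script on the source computer. The following is an added example, not part of the lab answer key: it generates Config.xml, flips the three Shared components to migrate="no", writes a folders.xml that carries the lab's ResearchApps pattern, and runs ScanState with the switches used in Exercise 2. It assumes \\LON-DC1\USMT is mapped as F: and that migapp.xml and miguser.xml are in that share, as in the lab; the outer structure of folders.xml (migration, component, role, rules, include, objectSet) follows the USMT custom XML schema.

```powershell
# Added example (not part of the lab): Lab B, Exercises 1 and 2 on the source computer (LON-CL3).
$Usmt       = 'F:'                       # mapped to \\LON-DC1\USMT in the lab
$Store      = '\\LON-DC1\Data'           # migration store location from Max's email
$ConfigXml  = Join-Path $Usmt 'config.xml'
$FoldersXml = Join-Path $Usmt 'folders.xml'

function Set-UsmtComponentMigrate {
    # Sets migrate="yes|no" on every <component displayname="..."> that matches one of the names.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$DisplayName,
        [ValidateSet('yes', 'no')][string]$Migrate = 'no'
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    foreach ($name in $DisplayName) {
        # Config.xml generated by /genconfig uses a lowercase 'displayname' attribute.
        $nodes = $xml.SelectNodes("//component[@displayname='$name']")
        if ($nodes.Count -eq 0) { Write-Warning "No component named '$name' in $Path"; continue }
        foreach ($n in $nodes) { $n.SetAttribute('migrate', $Migrate) }
    }
    $xml.Save($Path)
}

function New-UsmtFolderXml {
    # Writes a minimal custom migration XML that includes every file below $Folder,
    # i.e. the "C:\ResearchApps\* [*]" pattern the lab edits into folders.xml by hand.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Folder)
    $name = Split-Path $Folder -Leaf
@"
<?xml version="1.0" encoding="UTF-8"?>
<migration urlid="http://www.microsoft.com/migration/1.0/migxmlext/$($name.ToLower())">
  <component type="Documents" context="System">
    <displayName>$name folder</displayName>
    <role role="Data">
      <rules>
        <include>
          <objectSet>
            <pattern type="File">$Folder\* [*]</pattern>
          </objectSet>
        </include>
      </rules>
    </role>
  </component>
</migration>
"@ | Set-Content -Path $Path -Encoding UTF8
}

Set-Location $Usmt

# Exercise 1, Task 2: generate Config.xml, then exclude the three Shared folders.
& .\scanstate.exe /i:migapp.xml /i:miguser.xml /genconfig:config.xml
if ($LASTEXITCODE -ne 0) { throw "ScanState /genconfig failed with exit code $LASTEXITCODE" }
Set-UsmtComponentMigrate -Path $ConfigXml -DisplayName 'Shared Video', 'Shared Music', 'Shared Pictures'

# Exercise 1, Task 3: custom XML for the ResearchApps folder.
New-UsmtFolderXml -Path $FoldersXml -Folder 'C:\ResearchApps'

# Exercise 2, Task 1: the lab's "Dir \\lon-dc1\data" check, made explicit. The lab passes /o,
# which silently overwrites an existing store; stopping here makes that visible instead.
if (Get-ChildItem -Path $Store -Force -ErrorAction SilentlyContinue) {
    throw "$Store already has content; remove it or accept that /o will overwrite it."
}

# Compressed (default) and unencrypted (no /encrypt), as the email asks. /efs:copyraw keeps
# EFS-protected files encrypted in the store, so they are only readable on the destination if
# the owner's EFS certificate is migrated or otherwise available there.
& .\scanstate.exe $Store /i:migapp.xml /i:miguser.xml /i:folders.xml /config:config.xml /o /efs:copyraw
if ($LASTEXITCODE -ne 0) { throw "ScanState capture failed with exit code $LASTEXITCODE" }

# Exercise 2, Task 1, step 4: confirm the store was written.
Get-ChildItem -Path $Store -Recurse | Measure-Object -Property Length -Sum |
    ForEach-Object { 'Store {0}: {1} files, {2:N0} bytes' -f $Store, $_.Count, $_.Sum }
```

The matching restore on LON-CL1 is the lab's own command, `Loadstate \\LON-DC1\Data /i:migapp.xml /i:miguser.xml /i:folders.xml`, run from the same F: share.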
Prepare for the next module
When you are finished with the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat the steps for 20687C-LON-CL1 and 20687C-LON-CL3.


Module 4: Tools Used for Configuring and Managing Windows 8.1
Lab: Using Management Tools to Configure Windows 8.1 Settings
Exercise 1: Planning Management of Windows 8.1 Computers
Task 1: Plan the management of Windows 8.1 computers
1. What tool will you use to apply the configuration changes to domain-joined computers?
Answer: You can use Group Policy to apply all of the necessary configuration settings to
domain-joined computers.
2. Are there any organizational unit (OU) structure requirements to meet the management needs on the
internal network?
Answer: Yes, the computers on the machine floor need to be managed separately from
other client computers. Also, the servers and domain controllers need to be managed
separately from the client computers. The simplest way to do this is to place the different
types of computers in different OUs and then link only appropriate Group Policy Objects
(GPOs) to the OUs.
3. Could you use security filtering as an alternative to a new OU structure?
Answer: Yes, you could use security filtering as an alternative to creating separate OUs. You
would need to create security groups that contain the appropriate computer accounts and
then specify Read and Apply permissions to specific GPOs. In general, it is easier to
implement OUs in this scenario.

Results: After completing this exercise, you will have planned the management of Windows 8.1
computers.
Exercise 2: Managing Windows 8.1 by Using Group Policy
Task 1: Create an OU structure for managing computers
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Administrative
Center.
2. In the Active Directory Administrative Center, in the navigation pane, click Adatum (local).
3. In the Tasks pane, under Adatum (local), click New, and then click Organizational Unit.
4. In the Create Organizational Unit window, in the Name box, type MachineFloor, and then click OK.
5. In the Tasks pane, under Adatum (local), click New, and then click Organizational Unit.
6. In the Create Organizational Unit window, in the Name box, type CorpComputers, and then click
OK.
7. Double-click Computers, right-click LON-CL1, and then click Move.
8. In the Move window, click CorpComputers, and then click OK.
9. Right-click LON-CL2, and then click Move.
10. In the Move window, click MachineFloor, and then click OK.
11. Close Active Directory Administrative Center.
12. Restart LON-CL1 and LON-CL2, and then log on to both as Adatum\Administrator with password
Pa$$w0rd.
Task 2: Configure Group Policy for computers on the machine floor
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In the Group Policy Management console, expand Forest: Adatum.com, expand Domains, expand
Adatum.com, and then click MachineFloor. Notice that no GPOs are linked.
3. Right-click MachineFloor, and then click Block Inheritance.
4. Right-click MachineFloor, and then click Create a GPO in this domain, and Link it here.
5. In the New GPO window, in the Name box, type MachineFloor, and then click OK.
6. On the Linked Group Policy Objects tab, right-click MachineFloor, and then click Edit.
7. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, and then click Windows
Update.
8. Double-click Configure Automatic Updates.
9. In the Configure Automatic Updates window, click Disabled, and then click OK.
10. Close the Group Policy Management Editor window.
Task 3: Verify the application of Windows Update settings to LON-CL2
1. On LON-CL2, on the Start screen, type power, and then click Windows PowerShell.
2. At a command prompt in the Windows PowerShell command-line interface, type gpupdate, and
then press Enter.
3. Type gpresult /h C:\results.htm, and then press Enter.
4. Type C:\results.htm, and then press Enter.
5. In Internet Explorer, read the Summary and verify that Inheritance is blocking all non-enforced
GPOs linked above Adatum.com/MachineFloor.
6. In Computer Details\Settings, verify that Configure Automatic Updates is Disabled.
7. Close all open windows.
Task 4: Configure Group Policy for other client computers
1. On LON-DC1, in Group Policy Management, in the navigation pane, click CorpComputers.
2. Right-click CorpComputers, and then click Create a GPO in this domain, and Link it here.
3. In the New GPO window, in the Name box, type CorpComputers, and then click OK.
4. On the Linked Group Policy Objects tab, right-click CorpComputers, and then click Edit.
5. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, and then click Windows
Update.
6. Double-click Configure Automatic Updates.
7. In the Configure Automatic Updates window, click Enabled, and then click OK.
8. Under Computer Configuration, expand Windows Settings, expand Security Settings, expand
Windows Firewall with Advanced Security, expand Windows Firewall with Advanced Security,
and then click Inbound Rules.
9. Right-click Inbound Rules, and click New Rule.
10. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
11. In the Predefined box, select COM+ Remote Administration, and then click Next.
12. On the Predefined Rules tab, click Next.
13. On the Action tab, click Allow the connection, and then click Finish.
14. Right-click Inbound Rules, and then click New Rule.
15. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
16. In the Predefined box, select Remote Event Log Management, and then click Next.
17. On the Predefined Rules tab, click Next.
18. On the Action tab, click Allow the connection, and then click Finish.
19. Close the Group Policy Management Editor window.
20. Close Group Policy Management.
21. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
22. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.
23. Close the Windows PowerShell Command Prompt window.
Task 5: Verify that remote administration is functional
1. On LON-DC1, in Server Manager, click Tools, and then click Computer Management.
2. In Computer Management, right-click Computer Management (Local), and then click Connect to
another computer.
3. In the Select Computer window, in the Another computer box, type LON-CL1, and then click OK.
4. Expand System Tools, and then click Event Viewer.
5. Right-click Computer Management (LON-CL1), and then click Connect to another computer.
6. In the Select Computer window, in the Another computer box, type LON-CL2, and then click OK.
This connection fails because remote management has not been configured for the computers in the
MachineFloor OU.
7. In the error window, read the message, and then click OK.
8. Close Computer Management.

Results: After completing this exercise, you should have implemented an OU structure and GPO structure
to support remote management of computers.
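Tasks 1 through 4 of this exercise can also be built from LON-DC1 with the ActiveDirectory, GroupPolicy and NetSecurity modules. The following is an added example, not part of the lab answer key. It writes the same two settings the consoles write: Configure Automatic Updates maps to the documented NoAutoUpdate and AUOptions values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU, and the GPO's firewall store is addressed as "domain\GPO name". Copying the predefined rule groups with Copy-NetFirewallRule is my substitute for the Predefined page of the New Inbound Rule Wizard; treat that choice as an assumption.

```powershell
# Added example (not part of the lab): OU and GPO structure of Exercise 2, Tasks 1-4, from LON-DC1.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$Domain   = 'Adatum.com'
$DomainDN = 'DC=Adatum,DC=com'
# Registry key behind "Configure Automatic Updates" (Computer Configuration > Windows Update).
$AuKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function New-ManagedOu {
    # Creates the OU if needed and moves the named computer accounts into it (Task 1).
    param([Parameter(Mandatory)][string]$Name, [string[]]$Computer)
    $ouDn = "OU=$Name,$DomainDN"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $DomainDN -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $Name -Path $DomainDN
    }
    foreach ($c in $Computer) { Get-ADComputer -Identity $c | Move-ADObject -TargetPath $ouDn }
    return $ouDn
}

function New-LinkedGpo {
    # "Create a GPO in this domain, and Link it here" for an OU.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$TargetDn)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }
    New-GPLink -Name $Name -Target $TargetDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
    return $gpo
}

# Task 2: machine floor. Inheritance blocked, automatic updates disabled (NoAutoUpdate = 1).
# Note for the operator: these hosts now receive no updates from this mechanism at all, so
# patching for the MachineFloor OU has to come from somewhere else.
$mfDn = New-ManagedOu -Name 'MachineFloor' -Computer 'LON-CL2'
Set-GPInheritance -Target $mfDn -IsBlocked Yes | Out-Null
New-LinkedGpo -Name 'MachineFloor' -TargetDn $mfDn | Out-Null
Set-GPRegistryValue -Name 'MachineFloor' -Key $AuKey -ValueName 'NoAutoUpdate' -Type DWord -Value 1 | Out-Null

# Task 4: other clients. Automatic updates enabled; AUOptions 3 is the dialog's default
# ("Auto download and notify for install"), which is what clicking Enabled and OK leaves you with.
$ccDn = New-ManagedOu -Name 'CorpComputers' -Computer 'LON-CL1'
New-LinkedGpo -Name 'CorpComputers' -TargetDn $ccDn | Out-Null
Set-GPRegistryValue -Name 'CorpComputers' -Key $AuKey -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null
Set-GPRegistryValue -Name 'CorpComputers' -Key $AuKey -ValueName 'AUOptions'    -Type DWord -Value 3 | Out-Null

# Task 4, steps 8-18: the two predefined inbound groups, copied from the local rule set into
# the GPO-backed firewall store and enabled there ("Allow the connection" is the rules' action).
$gpoStore = "$Domain\CorpComputers"
foreach ($group in 'COM+ Remote Administration', 'Remote Event Log Management') {
    Get-NetFirewallRule -DisplayGroup $group -Direction Inbound |
        Copy-NetFirewallRule -NewPolicyStore $gpoStore -ErrorAction SilentlyContinue
    Get-NetFirewallRule -DisplayGroup $group -PolicyStore $gpoStore | Enable-NetFirewallRule
}

# Read back what was built; the clients pick it up after the restart/gpupdate in the lab.
[pscustomobject]@{
    MachineFloorBlocksInheritance = (Get-GPInheritance -Target $mfDn).GpoInheritanceBlocked
    MachineFloorLinks             = (Get-GPInheritance -Target $mfDn).GpoLinks.DisplayName
    CorpComputersLinks            = (Get-GPInheritance -Target $ccDn).GpoLinks.DisplayName
    CorpComputersInboundRules     = @(Get-NetFirewallRule -PolicyStore $gpoStore -Direction Inbound).Count
}
```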
Exercise 3: Implementing Windows PowerShell Remoting
Task 1: Configure Windows PowerShell remoting manually
1. On LON-DC1, on the taskbar, click Windows PowerShell.
2. At the Windows PowerShell command prompt, type Enable-PSRemoting, and then press Enter.
3. When prompted to configure Windows Remote Management (WinRM), type A, and then press Enter.
4. When prompted to configure the PSSession, type A, and then press Enter.
5. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
6. At the Windows PowerShell command prompt, type Get-ADUser, and then press Enter. This
command is not recognized because the cmdlets for AD DS administration are not installed on LON-CL1.
7. Type Enter-PSSession -ComputerName LON-DC1, and then press Enter.
8. Type Get-ADUser, and then press Enter.
9. When prompted for a filter, type *, and then press Enter.
10. Type exit, and then press Enter.
11. Close the Windows PowerShell Command Prompt window.
Task 2: Configure Windows PowerShell remoting by using Group Policy
1. On LON-DC1, in Server Manager, click Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Adatum.com, expand Domains, and then click
Adatum.com.
3. Right-click Adatum.com, and then click Create a GPO in this domain, and Link it here.
4. In the New GPO window, in the Name box, type Enable PS Remoting, and then click OK.
5. Click the Linked Group Policy Objects tab, right-click Enable PS Remoting, and then click Edit.
6. In the Group Policy Management Editor window, under Computer Configuration, expand Policies,
expand Administrative Templates, expand Windows Components, expand Windows Remote
Management (WinRM), and then click WinRM Service.
7. Double-click Allow remote server management through WinRM.
8. In the Allow remote server management through WinRM window, click Enabled.
9. In the IPv4 filter box, type *.
10. In the IPv6 filter box, type *, and then click OK.
11. In the Group Policy Management Editor window, under Policies, expand Windows Settings, expand
Security Settings, and then click System Services.
12. In the details pane, scroll down and double-click Windows Remote Management (WS-
Management).
13. In the Windows Remote Management (WS-Management) Properties window, select the Define this
policy setting check box, click Automatic, and then click OK.
14. In the Group Policy Management Editor window, under Security Settings, expand Windows Firewall
with Advanced Security, expand Windows Firewall with Advanced Security, and then click
Inbound Rules.
15. Right-click Inbound Rules, and then click New Rule.
16. In the New Inbound Rule Wizard, on the Rule Type tab, click Predefined.
17. In the Predefined box, select Windows Remote Management, and then click Next.
18. On the Predefined Rules tab, click Next.
19. On the Action tab, click Allow the connection, and then click Finish.
20. Close the Group Policy Management Editor window.
Task 3: Verify the configuration of Windows PowerShell remoting
1. On LON-CL1, on the Start screen, type Power, and then click Windows PowerShell.
2. At the Windows PowerShell command prompt, type gpupdate, and then press Enter.
3. Type Get-Service Winrm, and then press Enter to verify that the WinRM service is now running.
4. On LON-DC1, on the taskbar, click Windows PowerShell.
5. At the Windows PowerShell command prompt, type Get-Service Winrm -ComputerName LON-CL1, and
then press Enter.
6. Type Invoke-Command -ComputerName LON-CL1 {Get-ExecutionPolicy}, and then press Enter.
7. Type Invoke-Command -ComputerName LON-CL1 {Set-ExecutionPolicy AllSigned}, and then
press Enter.
8. Close the Windows PowerShell Command Prompt window.

Results: After completing this exercise, you will have implemented Windows PowerShell remoting in the
Adatum.com domain.
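Task 3 verifies the GPO by hand from two consoles. The following is an added example, not part of the lab answer key: one function, run from LON-DC1, that performs the same checks against a client and returns them as a single object, so the result can be compared across LON-CL1, LON-CL2 and any other machine the GPO should reach. The registry values it reads are the documented ones behind "Allow remote server management through WinRM"; the "Windows Remote Management" firewall group name is the product's own. Because the lab sets both filters to *, the function also reports whether the listener accepts connections on every address.

```powershell
# Added example (not part of the lab): verify the "Enable PS Remoting" GPO on a client from LON-DC1.
function Test-LabPSRemoting {
    param([Parameter(Mandatory)][string]$ComputerName)

    $r = [ordered]@{ Computer = $ComputerName }

    # 1. Is the WinRM listener answering? Test-WSMan needs no session, just the endpoint.
    try {
        $null = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        $r.WSManReachable = $true
    } catch {
        $r.WSManReachable = $false
        return [pscustomobject]$r
    }

    # 2. Gather the client-side state in one round trip. Only plain values come back, so
    #    nothing needs to deserialize CIM or service objects on this side.
    $remote = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'
        $p   = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ServiceStatus    = (Get-Service WinRM).Status.ToString()
            # Get-Service has no StartType in Windows PowerShell 4.0; WMI reports it as StartMode.
            ServiceStartMode = (Get-WmiObject Win32_Service -Filter "Name='WinRM'").StartMode
            AllowAutoConfig  = $p.AllowAutoConfig
            IPv4Filter       = $p.IPv4Filter
            IPv6Filter       = $p.IPv6Filter
            EnabledFwRules   = @(Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' `
                                   -Direction Inbound -Enabled True -ErrorAction SilentlyContinue).Count
            ExecutionPolicy  = (Get-ExecutionPolicy).ToString()
        }
    }

    # 3. Turn raw values into pass/fail items that mirror Task 2 of the exercise.
    $r.ServiceRunning    = $remote.ServiceStatus -eq 'Running'       # Task 3, step 3
    $r.ServiceAutomatic  = $remote.ServiceStartMode -eq 'Auto'       # Task 2, step 13
    $r.PolicyEnabled     = $remote.AllowAutoConfig -eq 1             # Task 2, step 8
    $r.FirewallRuleOpen  = $remote.EnabledFwRules -gt 0              # Task 2, steps 15-19
    $r.ExecutionPolicy   = $remote.ExecutionPolicy                   # Task 3, step 6
    $r.ListenerFilters   = "IPv4=$($remote.IPv4Filter) IPv6=$($remote.IPv6Filter)"
    # "*" means the service listens on every address; in production the filter would
    # normally be narrowed to the management network.
    $r.FilterIsWildcard  = ($remote.IPv4Filter -eq '*') -or ($remote.IPv6Filter -eq '*')
    $r.AllChecksPass     = $r.ServiceRunning -and $r.ServiceAutomatic -and $r.PolicyEnabled -and $r.FirewallRuleOpen

    [pscustomobject]$r
}

# Run against the lab clients; LON-CL2 sits in the inheritance-blocked OU, so the domain-linked
# "Enable PS Remoting" GPO does not reach it and its checks are expected to fail.
'LON-CL1', 'LON-CL2' | ForEach-Object { Test-LabPSRemoting -ComputerName $_ } | Format-List
```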
To prepare for the next module
When you finish the lab, revert the virtual machines back to their initial state. To do this, complete the
following steps:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 through 3 for 20687C-LON-CL1 and 20687C-LON-CL2.

Module 5: Managing Disks and Device Drivers
Lab A: Managing Disks
Exercise 1: Creating Volumes
Task 1: Create a simple volume by using Disk Management
1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type diskmgmt.msc, and then press Enter.
3. In the Initialize Disk dialog box, click OK.
4. Right-click the unallocated space on Disk 2, and then click New Simple Volume.
5. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click
Next.
6. On the Specify Volume Size page, change the Simple volume size in MB value to 5103, and then
click Next.
7. On the Assign Drive Letter or Path page, click Next.
8. On the Format Partition page, in the Volume label text box, type Simple1, and then click Next.
9. On the Completing the New Simple Volume Wizard page, click Finish.
10. When the New Simple Volume Wizard is complete, close Disk Management and any open windows.
Task 2: Create a simple volume by using Windows PowerShell 4.0
1. Open the Start screen, type pow, in the Everywhere search screen, right-click Windows PowerShell,
and then select Run as administrator.
2. In the Administrator: Windows PowerShell window, type get-disk, and then press Enter.
3. In the Administrator: Windows PowerShell window, type get-disk -Number 3 | new-partition -Size
(5GB) | Format-Volume -Confirm:$false -FileSystem NTFS -NewFileSystemLabel Simple2, and
then press Enter.
4. In the Administrator: Windows PowerShell window, type Get-Partition, and then press Enter. Make
note of the PartitionNumber of the volume you just created on Disk Number 3. You will use this
information in the next step.
5. In the Administrator: Windows PowerShell window, type Set-Partition -DiskNumber 3
-PartitionNumber x -NewDriveLetter H (where x is the partition number from the previous step), and
then press Enter.
6. In File Explorer, verify the visibility of the volume that you created and then close File Explorer.
7. Minimize the Administrator: Windows PowerShell Command Prompt window.
Task 3: Resize a simple volume by using Disk Management
1. Open the Start screen, type diskmgmt.msc, and then press Enter.
2. Right-click Simple1 on Disk 2, and then click Extend Volume.
3. In the Extend Volume Wizard, on the Welcome to the Extend Volume Wizard page, click Next.
4. On the Select Disks page, select Disk 2, in the Select the amount of space in MB text box, type
500, and then click Next.
5. On the Completing the Extend Volume Wizard page, click Finish.
6. When the Extend Volume Wizard is complete, close Disk Management.
Task 4: Resize a simple volume by using Windows PowerShell version 4.0
1. Restore the Administrator: Windows PowerShell Command Prompt window.
2. At the Administrator: Windows PowerShell command prompt, type Get-Partition, and then press
Enter.
3. Note the disk number, partition number, and size for the H: drive.
4. At the Administrator: Windows PowerShell command prompt, type Resize-Partition -DiskNumber 3
-PartitionNumber 1 -Size (5.5GB), and then press Enter.
5. At the Administrator: Windows PowerShell command prompt, type Get-Partition, and then press
Enter.
6. Compare the size of the Simple2 volume with the size previously reported.
7. Minimize the Administrator: Windows PowerShell Command Prompt window.
Task 5: Create a spanned volume by using Disk Management
1. Open the Start screen, type diskmgmt.msc, and then press Enter.
2. Right-click the unallocated space on Disk 2, and then click New Spanned Volume.
3. In the New Spanned Volume Wizard, on the Welcome to the New Spanned Volume Wizard page,
click Next.
4. On the Select Disks page, select Disk 3. Hold down the Shift key, select Disk 4, and then click Add.
5. On the Select Disks page, select Disk 2, and in the Select the amount of space in MB text box,
type 2000.
6. On the Select Disks page, select Disk 3, and in the Select the amount of space in MB text box,
type 1500.
7. On the Select Disks page, with Disk 4 selected, in the Select the amount of space in MB text box,
type 4000, and then click Next.
8. On the Assign Drive Letter or Path page, click Next.
9. On the Format Volume page, in the Volume label text box, type SpannedVol.
10. Select the Perform a quick format check box, and then click Next.
11. On the Completing the New Spanned Volume Wizard page, click Finish.
12. Review the Disk Management warning, and then click Yes.
Task 6: Create a striped volume by using Disk Management
1. Right-click the unallocated space on Disk 2, and then click New Striped Volume.
2. In the New Striped Volume Wizard, on the Welcome to the New Striped Volume Wizard page,
click Next.
3. On the Select Disks page, click Disk 3. Hold down the Shift key, click Disk 4, and then click Add.
4. On the Select Disks page, in the Select the amount of space in MB text box, type 2000, and then
click Next.
5. On the Assign Drive Letter or Path page, click Next.
6. On the Format Volume page, in the Volume label text box, type StripedVol.
7. Select the Perform a quick format check box, and then click Next.
8. On the Completing the New Striped Volume Wizard page, click Finish.
9. Close Disk Management and any open windows.

Results: After completing this exercise, you should have created several volumes on a client computer.
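Tasks 2 and 4 of this exercise use the Storage module cmdlets one at a time. The following is an added example, not part of the lab answer key: the same create-and-resize sequence wrapped in two functions that also perform the steps Disk Management does implicitly (bringing the disk online and initializing it) and that check the requested size against Get-PartitionSupportedSize before calling Resize-Partition, which otherwise fails with a generic error when the size is out of range. It assumes the lab's disk numbering (Disk 3 is the empty data disk) and the H: drive letter.

```powershell
# Added example (not part of the lab): Exercise 1, Tasks 2 and 4, with size checks.
function New-LabSimpleVolume {
    # Creates one NTFS partition of $Size bytes on $DiskNumber and assigns $DriveLetter.
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][uint64]$Size,
        [Parameter(Mandatory)][string]$Label,
        [Parameter(Mandatory)][char]$DriveLetter
    )
    $disk = Get-Disk -Number $DiskNumber
    # Disk Management's "Initialize Disk" dialog does both of these for a fresh virtual disk;
    # with Windows PowerShell they have to be spelled out.
    if ($disk.IsOffline) { Set-Disk -Number $DiskNumber -IsOffline $false }
    if ($disk.PartitionStyle -eq 'RAW') { Initialize-Disk -Number $DiskNumber -PartitionStyle MBR }

    $part = New-Partition -DiskNumber $DiskNumber -Size $Size -DriveLetter $DriveLetter
    $part | Format-Volume -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false | Out-Null
    return $part
}

function Resize-LabPartition {
    # Grows or shrinks a partition after confirming the size lies inside what the disk supports.
    param(
        [Parameter(Mandatory)][int]$DiskNumber,
        [Parameter(Mandatory)][int]$PartitionNumber,
        [Parameter(Mandatory)][uint64]$NewSize
    )
    $limits = Get-PartitionSupportedSize -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber
    if ($NewSize -lt $limits.SizeMin -or $NewSize -gt $limits.SizeMax) {
        throw ('Requested {0:N0} bytes, but partition {1} on disk {2} supports {3:N0} to {4:N0} bytes' -f
               $NewSize, $PartitionNumber, $DiskNumber, $limits.SizeMin, $limits.SizeMax)
    }
    Resize-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber -Size $NewSize
    Get-Partition -DiskNumber $DiskNumber -PartitionNumber $PartitionNumber
}

# Task 2: a 5 GB volume labelled Simple2 on Disk 3 as H:.
$p = New-LabSimpleVolume -DiskNumber 3 -Size 5GB -Label 'Simple2' -DriveLetter 'H'

# Task 4: grow it to 5.5 GB and compare sizes, as steps 3 and 6 of the task do by eye.
$before = $p.Size
$after  = (Resize-LabPartition -DiskNumber 3 -PartitionNumber $p.PartitionNumber -NewSize 5.5GB).Size
'Simple2 (H:): {0:N0} -> {1:N0} bytes' -f $before, $after
```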
Exercise 2: Configuring Disk Quotas
Task 1: Create disk quotas on a volume
1. On LON-CL2, click the File Explorer icon on the taskbar.
2. Click This PC, right-click StripedVol (I:), and then click Properties.
3. In the StripedVol (I:) Properties dialog box, click the Quota tab.
4. On the Quota tab, select the Enable quota management check box, and then select the Deny disk
space to users exceeding quota limit check box.
5. Click Limit disk space to, in the adjacent box, type 6, and then in the KB list, click MB.
6. In the Set warning level to box, type 4, and then in the KB list, click MB.
7. Select the Log event when a user exceeds their warning level check box, and then click OK.
8. In the Disk Quota dialog box, review the message, and then click OK.
9. Close all open windows.
Task 2: Create test files
1. Open the Start screen, type com, and in the Everywhere search screen, click Command Prompt.
2. At the command prompt, type I:, and then press Enter.
3. At the command prompt, type fsutil file createnew 2mb-file 2097152, and then press Enter.
4. At the command prompt, type fsutil file createnew 1kb-file 1024, and then press Enter.
5. Close the Command Prompt window.
6. Open the Start screen, click Administrator, and then click Sign out.
Task 3: Test the disk quota
1. Sign in to LON-CL2 as Adatum\Alan with password Pa$$w0rd.
2. Click the Desktop tile.
3. Click the File Explorer icon on the taskbar.
4. Click This PC, and then double-click StripedVol (I:).
5. On the toolbar, click Home, and then click New Folder.
6. Type Alans files, and then press Enter.
7. In File Explorer, in the right hand pane, copy the 2mb-file and the 1kb-file, and then paste both files
in Alans files.
8. Double-click the Alans files folder.
9. In the Alans files folder, right-click 2mb-file, click Copy, and then press Ctrl+V.
10. Repeat step 9.
11. In the Copy Item dialog box, review the message, and then click Cancel.
12. Open the Start screen, click Alan Steiner, and then click Sign out.
Task 4: Review quota alerts and logging
1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Click the Desktop tile.
3. Click the File Explorer icon on the taskbar.
4. Click This PC, right-click StripedVol (I:), and then click Properties.
5. In the StripedVol (I:) Properties dialog box, click the Quota tab, and then click Quota Entries.
6. In the Quota Entries for StripedVol (I:) dialog box, in the Name column, double-click Alan Steiner.
7. Review the entries in the Quota Settings for Alan Steiner dialog box, and then click OK.
8. Close the Quota Entries for StripedVol (I:) and Striped Volume (I:) Properties dialog boxes.
9. Close File Explorer.
10. Open the Start screen, type eventvwr, and then press Enter.
11. Maximize the Event Viewer desktop app window.
12. In the Event Viewer (Local) list, expand Windows Logs, and then click System.
13. Right-click System, and then click Filter Current Log.
14. In the <All Events IDs> box, type 36, and then click OK.
15. Examine the listed entry.
16. Close all open windows.

Results: After completing this exercise, you should have created and tested a disk quota.
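Task 4 reads the quota entries and the System log by hand. The following is an added example, not part of the lab answer key: a function that reports the volume's quota settings and per-user entries through the Win32_QuotaSetting and Win32_DiskQuota WMI classes, and pulls the recent Event ID 36 entries from the System log that the lab filters on in Event Viewer. It assumes the I: volume from the exercise; the Status and State code meanings are the classes' documented values.

```powershell
# Added example (not part of the lab): quota state and quota alerts for one NTFS volume.
function Get-NtfsQuotaReport {
    param(
        [Parameter(Mandatory)][string]$Drive,   # e.g. 'I:'
        [int]$Days = 1                          # how far back to look for Event ID 36
    )
    $letter = $Drive.TrimEnd(':', '\')

    # Volume-level switches from the Quota tab. WQL needs the backslash in "I:\" doubled.
    $setting = Get-WmiObject Win32_QuotaSetting -Filter "VolumePath='${letter}:\\'"
    $state = switch ($setting.State) {
        0 { 'Disabled' }                        # "Enable quota management" cleared
        1 { 'Tracked'  }                        # enabled, limits not enforced
        2 { 'Enforced' }                        # "Deny disk space to users exceeding quota limit"
        default { "Unknown ($($setting.State))" }
    }

    # One Win32_DiskQuota row per user who owns data on the volume (the Quota Entries window).
    $entries = Get-WmiObject Win32_DiskQuota |
        Where-Object { $_.QuotaVolume -like "*DeviceID=`"${letter}:`"*" } |
        ForEach-Object {
            [pscustomobject]@{
                # User is a WMI object path; pull Domain and Name out of it.
                User    = ($_.User -replace '^.*Domain="([^"]+)",Name="([^"]+)".*$', '$1\$2')
                UsedMB  = [math]::Round($_.DiskSpaceUsed / 1MB, 2)
                WarnMB  = [math]::Round($_.WarningLimit  / 1MB, 2)
                LimitMB = [math]::Round($_.Limit         / 1MB, 2)
                Status  = switch ($_.Status) { 0 { 'OK' } 1 { 'Warning' } 2 { 'Exceeded' } default { $_ } }
            }
        }

    # Task 4, steps 10-15: Event ID 36 in the System log (user crossed their warning level).
    $events = Get-WinEvent -FilterHashtable @{
                  LogName = 'System'; Id = 36; StartTime = (Get-Date).AddDays(-$Days)
              } -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, ProviderName, Message

    [pscustomobject]@{
        Volume             = "${letter}:"
        QuotaState         = $state
        DefaultLimitMB     = [math]::Round($setting.DefaultLimit        / 1MB, 2)
        DefaultWarningMB   = [math]::Round($setting.DefaultWarningLimit / 1MB, 2)
        LogWarningExceeded = [bool]$setting.WarningExceededNotification
        LogLimitExceeded   = [bool]$setting.ExceededNotification
        Entries            = $entries
        RecentEvents       = @($events)
    }
}

$report = Get-NtfsQuotaReport -Drive 'I:' -Days 1
$report | Select-Object Volume, QuotaState, DefaultLimitMB, DefaultWarningMB | Format-List
$report.Entries      | Format-Table -AutoSize      # Alan should show up at Warning or Exceeded
$report.RecentEvents | Format-Table -Wrap
```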
Exercise 3: Managing Virtual Hard Disks
Task 1: Create a virtual hard disk
1. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, type diskmgmt.msc, and then press Enter.
3. In Disk Management, click the Action menu, and then click Create VHD.
4. In the Create and Attach Virtual Hard Disk dialog box, in the Location text box, type
I:\DemoDisk.vhdx.
5. In the Virtual hard disk size section, type 100, and then select MB from the drop-down list.
6. Select the VHDX option in the Virtual hard disk format section.
7. Select the Dynamically expanding radio button in the Virtual hard disk type section.
8. Click OK.
9. Leave Disk Management open and proceed to the next Lab.
10. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt,
and then click Run as administrator.
11. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
12. In the Administrator: Command Prompt window, type create vdisk file=I:\virtualdisk2.vhdx
maximum=1048 type=expandable, and then press Enter.
13. Leave the Administrator: Command Prompt window open, and then proceed to the next task.
Task 2: Mount the VHD file, browse to the VHD file, and create files on the drive
1. If Disk Management is still open, skip to step 4.
2. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
3. Open the Start screen, type diskmgmt.msc, and then press Enter.
4. In Disk Management, next to Disk 5, right-click the Disk, and then click Initialize Disk.
5. In Initialize Disk, select Disk 5, select the MBR (Master Boot Record) option, and then click OK.
6. Disk 5 is now online.
7. In Disk Management, right-click the unallocated space on Disk 5, and then click New Simple
Volume.
8. In the New Simple Volume Wizard, on the Welcome to the New Simple Volume Wizard page, click
Next.
9. On the Specify Volume Size page, change the Simple volume size in MB value to 97, and then
click Next.
10. On the Assign Drive Letter or Path page, click Next.
11. On the Format Partition page, in the Volume label text box, type SimpleVHD1, and then click
Next.
12. On the Completing the New Simple Volume Wizard page, click Finish.
Note: When the New Simple Volume Wizard is complete, the drive is ready to be used.
13. Close Disk Management.
14. Open File Explorer, and then verify that the new drive named SimpleVHD1 has been created.
15. Select the new virtual drive, and then click New Folder on the File Explorer ribbon.
16. Name the new folder Test.
17. Create a new Notepad document named Test.txt, and then save it on the new drive.
18. Close File Explorer.
19. If the Administrator: Command Prompt window is still open, skip to step 22.
20. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt,
and then click Run as administrator.
21. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
22. In the Administrator: Command Prompt window, type select vdisk file=I:\virtualdisk2.vhdx, and
then press Enter.
23. In the Administrator: Command Prompt window, type attach vdisk, and then press Enter.
24. In the Administrator: Command Prompt window, type List Disk, and then press Enter. Make note of
the Disk### of the disk that has an asterisk (*) next to it and has a size of 1048MB. You will use this
information in the next step.
25. In the Administrator: Command Prompt window, type create partition primary, and then press
Enter.
26. In the Administrator: Command Prompt window, type format fs=ntfs label=SimpleVHD2 quick,
and then press Enter.
27. In the Administrator: Command Prompt window, type assign, and then press Enter.
28. Close the Administrator: Command Prompt window.
29. Open File Explorer, and then verify the visibility of the new virtual drive volume that you created.
30. Select the new virtual drive, and then click New Folder on the File Explorer ribbon.
31. Name the new folder Test.
32. Create a new Notepad document named Test.txt, and then save it on the new drive.
33. Close File Explorer.
Task 3: Remove a mounted VHD file
1. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, type diskmgmt.msc, and then press Enter.
3. In Disk Management, right-click Disk 5, and then select Detach VHD.
4. Verify that the file name provided in the Detach Virtual Hard Disk dialog box is I:\DemoDisk.VHDX,
and then click OK.
5. Verify that the virtual disk is no longer mounted.
6. Open File Explorer, and then navigate to the I: drive.
7. Verify that I:\DemoDisk.VHDX is still present.
Note: Removing a mounted virtual disk does not delete the underlying VHD.
8. Open the Start screen, type com, in the Everywhere search screen, right-click Command Prompt,
and then click Run as administrator.
9. In the Administrator: Command Prompt window, type DiskPart, and then press Enter.
10. In the Administrator: Command Prompt window, type List vdisk, then press Enter.
11. In the Administrator: Command Prompt window, type select vdisk file=I:\virtualdisk2.vhdx and
then press Enter.
12. In the Administrator: Command Prompt window, type detach vdisk, and then press Enter.
13. Open File Explorer, and then verify that the new virtual drive is no longer visible as a volume.
14. Open the Start screen, type diskmgmt.msc, and then press Enter.
15. In Disk Management, verify that Disk 6 is no longer visible.
16. Close the Disk Management window.
17. Close File Explorer.

Results: After completing this exercise, you should have created, mounted and then deleted a VHD file.
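The DiskPart half of this exercise (Tasks 1 through 3 for virtualdisk2.vhdx) can be scripted with diskpart /s. The following is an added example, not part of the lab answer key: the lab's DiskPart commands written to a script file and run in one pass, the attached disk located through Get-DiskImage instead of reading List Disk by eye, a constructed test folder and file written to it, and finally the detach together with the check the lab makes in step 7 of Task 3, namely that the .vhdx file survives being detached. It assumes the I: volume and the lab's file name, and must run from an elevated prompt because DiskPart requires one.

```powershell
# Added example (not part of the lab): Exercise 3's DiskPart sequence as a repeatable script.
function Invoke-DiskPartScript {
    # Runs a list of DiskPart commands via a temporary script file (diskpart /s) and returns the output.
    param([Parameter(Mandatory)][string[]]$Commands)
    $script = [IO.Path]::GetTempFileName()
    try {
        $Commands | Set-Content -Path $script -Encoding ASCII
        $output = & diskpart.exe /s $script
        if ($LASTEXITCODE -ne 0) {
            throw "DiskPart exited with $LASTEXITCODE`n$($output -join "`n")"
        }
        return $output
    } finally {
        Remove-Item $script -Force -ErrorAction SilentlyContinue
    }
}

$Vhdx = 'I:\virtualdisk2.vhdx'

# Task 1, step 12 and Task 2, steps 22-27. After "attach vdisk" the new disk has focus, so
# "create partition primary" needs no Disk### lookup.
Invoke-DiskPartScript -Commands @(
    "create vdisk file=$Vhdx maximum=1048 type=expandable",
    "select vdisk file=$Vhdx",
    'attach vdisk',
    'create partition primary',
    'format fs=ntfs label=SimpleVHD2 quick',
    'assign'
) | Out-Null

# Get-DiskImage ties the file back to the disk number it was attached as.
$img  = Get-DiskImage -ImagePath $Vhdx
$disk = Get-Disk -Number $img.Number
'{0} attached as Disk {1}: {2:N0} bytes, {3}' -f $Vhdx, $img.Number, $disk.Size, $disk.PartitionStyle

# Task 2, steps 30-32: a Test folder and Test.txt on the new volume (constructed content).
$letter = (Get-Partition -DiskNumber $img.Number | Where-Object { $_.DriveLetter -match '[A-Z]' }).DriveLetter
New-Item -Path "${letter}:\Test" -ItemType Directory -Force | Out-Null
Set-Content -Path "${letter}:\Test\Test.txt" -Value 'constructed test file for the SimpleVHD2 volume'

# Task 3, steps 10-12: detach. Dismount-DiskImage -ImagePath $Vhdx would do the same without DiskPart.
Invoke-DiskPartScript -Commands @("select vdisk file=$Vhdx", 'detach vdisk') | Out-Null

# Detaching unplugs the virtual disk; the container file and everything written to it remain on I:.
if (-not (Test-Path $Vhdx)) { throw "$Vhdx is missing after detach" }
if ((Get-DiskImage -ImagePath $Vhdx).Attached) { throw "$Vhdx is still attached" }
'{0} detached; file still present, {1:N0} bytes on disk' -f $Vhdx, (Get-Item $Vhdx).Length
```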
To prepare for the next lab
When you have finished the lab, leave the virtual machines running as they are needed for the next lab.

Configuring Windows 8.1 L5-45

Lab B: Configuring Device Drivers
Exercise 1: Installing Device Drivers
Task 1: Install a device driver into the protected store
1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Open the Start screen, type com, and then, in the Everywhere search screen, right-click Command Prompt, and then click Run as administrator.
3. In the Administrator: Command Prompt window, type pnputil -a E:\Labfiles\Mod05\Intellipoint\ipoint\setup64\files\driver\point64\point64.inf, and then press Enter.
4. In the Administrator: Command Prompt window, type pnputil -e, and then press Enter. Take note of the published name for the driver you just installed into the store.
5. Close the Administrator: Command Prompt window.

Results: After completing this exercise, you should have installed a driver into the protected Driver Store.
L5-46 Managing Disks and Device Drivers
Exercise 2: Managing Device Drivers
Task 1: Install a device driver
1. If necessary, sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
3. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update
Driver Software.
4. In the Update Driver Software - Standard PS/2 Keyboard dialog box, click Browse my computer for driver software.
5. On the Browse for driver software on your computer page, click Let me pick from a list of
device drivers on my computer.
6. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key), click
Next, and then click Close.
7. In the System Settings Change dialog box, click Yes to restart the computer.
Task 2: Roll back a device driver
1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
3. In Device Manager, expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102 Key),
and then click Properties.
4. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab,
and then click Roll Back Driver.
5. In the Driver Package rollback dialog box, click Yes, and then click Close.
6. When prompted to restart the computer, click Yes.
7. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
8. Select Device Manager from the Administrative menu by pressing the Windows logo key+X.
9. In Device Manager, expand Keyboards, right-click Standard PS/2 Keyboard, and then click
Properties.
10. In the Standard PS/2 Keyboard Properties dialog box, click the Driver tab, and then verify that the driver has been rolled back to the Standard PS/2 Keyboard version. Close Device Manager.

Results: After completing this exercise, you should have installed and rolled back a device driver.
To prepare for the next module
When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.

L6-47
Module 6: Configuring Network Connectivity
Lab A: Configuring a Network Connection
Exercise 1: Enabling Automatic IPv4 Configuration
Task 1: Verify the current IPv4 configuration
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the down arrow in the bottom left of the screen to display Apps by name,
scroll to the far left and then click Command Prompt.
3. At the command prompt, type ipconfig /all, and then press Enter:
o What is the current Internet Protocol version 4 (IPv4) address?
172.16.0.50
o What is the subnet mask?
255.255.0.0
o To which IPv4 network does this host belong?
172.16.0.0/16
o Is Dynamic Host Configuration Protocol (DHCP) enabled?
No
Task 2: Configure the computer to obtain an IPv4 address automatically
1. Right-click the Start charm and then click Network Connections.
2. In the Network Connections window, right-click Ethernet and click Properties.
3. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
4. Click Obtain an IP address automatically, click Obtain DNS server address automatically, click
OK, and then click OK to close the Ethernet Properties window.
L6-48 Configuring Network Connectivity
Task 3: Verify the new IPv4 configuration
1. In the Network Connections window, right-click Ethernet, click Status, and then click Details.
o What is the current IPv4 address?
Answers will vary, but will be in the range of 172.16.0.x.
o What is the subnet mask?
255.255.0.0
o To which IPv4 network does this host belong?
172.16.0.0/16
o Is DHCP enabled?
Yes
o When does the DHCP lease expire?
Eight days from now.
2. Click the Close button.

Results: After completing this exercise, you should have configured LON-CL1 to obtain an IPv4
configuration automatically from a DHCP server.
Configuring Windows 8.1 L6-49
Exercise 2: Configuring IPv4 Manually
Task 1: Deactivate the DHCP scope
1. On LON-DC1, sign in as Adatum\Administrator with password Pa$$w0rd.
2. In Server Manager, click Tools and then click DHCP.
3. Expand lon-dc1.adatum.com, expand IPv4, and then click Scope [172.16.0.0] A Datum Scope.
4. Right-click Scope [172.16.0.0] A Datum Scope, and then click Deactivate.
5. Click Yes to confirm deactivation of the scope.
6. Close the DHCP window.
Task 2: Obtain a new IPv4 address
1. On LON-CL1, switch to the Command Prompt window.
Note: This process can take some minutes to complete.
2. At the command prompt, type ipconfig /release, and then press Enter.
3. At the command prompt, type ipconfig /renew, and then press Enter.
4. At the command prompt, type ipconfig /all, and then press Enter:
o What is the current IPv4 address?
Answers will vary, but the address will be in the range of 169.254.x.x.
o What is the subnet mask?
255.255.0.0
o To which IPv4 network does this host belong?
169.254.0.0
o What kind of address is this?
An Automatic Private IP Addressing (APIPA) address
Task 3: Configure an alternate IPv4 address
1. In the Ethernet Status window, click Properties.
2. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
3. Click the Alternate Configuration tab, click User configured, and then enter the following:
o IP address: 172.16.16.10
o Subnet mask: 255.255.0.0
o Preferred DNS server: 172.16.0.10
4. Clear the Validate settings, if changed, upon exit check box, and then click OK to save the settings.
5. In the Ethernet Properties window, click Close.
6. At the command prompt, type ipconfig /release, and then press Enter.
7. At the command prompt, type ipconfig /renew, and then press Enter.
L6-50 Configuring Network Connectivity
8. At the command prompt, type ipconfig /all, and then press Enter:
o What is the current IPv4 address?
172.16.16.10
o What is the subnet mask?
255.255.0.0
o To which IPv4 network does this host belong?
172.16.0.0/16
o What kind of address is this?
An alternate configuration address
9. Close the Command Prompt window.
Task 4: Configure a static IPv4 address
1. In the Ethernet Status window, click Properties.
2. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
3. Click Use the following IP address, type the following, and then click OK:
o IP address: 172.16.16.10
o Subnet mask: 255.255.0.0
o Preferred DNS server: 172.16.0.10
4. In the Ethernet Properties window, click Close.
5. Close all open windows.

Results: After completing this exercise, you should have tested various scenarios for dynamic IP address
assignment and then configured a static IP address.
To prepare for the next lab
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.

Configuring Windows 8.1 L6-51

Lab B: Resolving Network Connectivity Issues
Exercise 1: Creating a Simulated Network Connectivity Problem
Task 1: Verify connectivity to LON-DC1
1. On LON-CL1, on the taskbar, click File Explorer.
2. In the navigation pane, right-click This PC, and then click Map network drive.
3. In the Drive box, select P:.
4. In the Folder box, type \\LON-DC1\Data, and then click Finish.
5. Close the Data window.
Task 2: Simulate the problem
1. Point to the lower-right corner of the desktop, and then click Settings.
2. In the list, click Control Panel.
3. In Control Panel, click Network and Internet.
4. In Network and Internet, click View network status and tasks.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.
6. In the Ethernet Status window, click Properties.
7. Clear the Internet Protocol Version 6 (TCP/IPv6) check box, and then click OK.
8. In the Ethernet Status window, click Close, and then close Network and Sharing Center.
9. In File Explorer, click This PC and then double-click Allfiles (E:).
10. Double-click Labfiles, double-click Mod06, and then double-click Mod6-Script.bat.
Task 3: Test connectivity to LON-DC1
1. In File Explorer, in the navigation pane, click This PC.
2. Double-click Data(\\lon-dc1)(P:).
3. Click OK to clear the error message.
4. Are you able to access mapped drive P?
No
Task 4: Gather information about the problem
1. On LON-CL1, click the Start charm.
2. On the Start screen, type CMD, and then click Command Prompt.
3. At the command prompt, type ping lon-dc1, and then press Enter.
4. At the command prompt, type ping 172.16.0.10, and then press Enter.
5. At the command prompt, type ipconfig /all, and then press Enter.
6. What IP address is the computer using?
172.16.16.50
L6-52 Configuring Network Connectivity
7. What subnet mask is the computer using?
255.255.255.255
8. What network should the computer be on?
172.16.0.0/16

Results: After completing this exercise, you should have created a connectivity problem between LON-
CL1 and LON-DC1.
Configuring Windows 8.1 L6-53
Exercise 2: Resolving a Network Connectivity Problem
Task 1: Resolve the first problem
1. Right-click the Start charm and then click Network Connections.
2. Right-click Ethernet and then click Properties.
3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. In the Subnet mask box, type 255.255.0.0, and then click OK.
5. In the Ethernet Properties window, click Close.
Task 2: Test the resolution
1. In the This PC window, double-click Data(\\lon-dc1)(P:).
2. Are you able to access mapped drive P?
Yes.
3. At the command prompt, type ping lon-dc1, and then press Enter.
4. At the command prompt, type ping 172.16.0.10, and then press Enter.
5. At the command prompt, type ipconfig /all, and then press Enter.
6. What Domain Name System (DNS) servers is the computer using?
172.16.16.10
172.16.0.10
Task 3: Resolve the DNS problem
1. Point to the lower-right corner of the display, and then click Settings.
2. In the list, click Control Panel.
3. In Control Panel, click Network and Internet.
4. In Network and Internet, click View network status and tasks.
5. In Network and Sharing Center, to the right of the Adatum.com Domain network, click Ethernet.
6. In the Ethernet Status window, click Properties.
7. In the Ethernet Properties window, click Internet Protocol Version 4 (TCP/IPv4), and then click
Properties.
8. In the Preferred DNS server box, type 172.16.0.10.
9. Delete the Alternate DNS Server setting IPv4 address, and then click OK.
10. In the Ethernet Properties window, click Close.
11. In the Ethernet Status window click Close.

Results: After completing this exercise, you should have resolved the connectivity problem between LON-
CL1 and LON-DC1.
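The IPv4 reasoning behind Lab A (APIPA, the host's network ID) and Lab B (a 255.255.255.255 mask, a wrong preferred DNS server) as a single PowerShell check, added here as an example that is not part of the course; the sample configurations are constructed to match the answer key, and 169.254.23.7 stands in for the "answers will vary" APIPA address.

```powershell
# Added example (not part of the course labs): the IPv4 reasoning of Lab A
# (APIPA, network ID) and Lab B (wrong subnet mask, wrong preferred DNS server)
# as a function that runs against values copied from ipconfig /all.

function Get-IPv4NetworkId {
    # Returns the network in CIDR form (for example 172.16.0.0/16) for an
    # address and a dotted-decimal subnet mask.
    param([string]$Address, [string]$SubnetMask)
    $addr = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $mask = [System.Net.IPAddress]::Parse($SubnetMask).GetAddressBytes()
    $net  = 0..3 | ForEach-Object { $addr[$_] -band $mask[$_] }
    # The prefix length is the number of 1 bits in the mask.
    $prefix = 0
    foreach ($b in $mask) { $prefix += ([Convert]::ToString($b, 2) -replace '0', '').Length }
    return ('{0}/{1}' -f ($net -join '.'), $prefix)
}

function Test-LabIPv4Config {
    # Compares one host's IPv4 settings with what the A. Datum lab network expects
    # and returns an object whose Findings list explains each mismatch.
    param(
        [Parameter(Mandatory = $true)][string]$Address,
        [Parameter(Mandatory = $true)][string]$SubnetMask,
        [string[]]$DnsServers    = @(),
        [string]$ExpectedNetwork = '172.16.0.0/16',  # A. Datum network used in these labs
        [string]$ExpectedDns     = '172.16.0.10'     # LON-DC1, the lab's DNS server
    )
    $network  = Get-IPv4NetworkId -Address $Address -SubnetMask $SubnetMask
    $isApipa  = $Address -like '169.254.*'
    $findings = @()

    if ($isApipa) {
        $findings += 'APIPA address: no DHCP server answered, so the host self-assigned 169.254.x.x (Lab A, Exercise 2, Task 2).'
    }
    if ($network -ne $ExpectedNetwork) {
        $findings += "Host thinks it is on $network but should be on $ExpectedNetwork."
        if ($network -like '*/32') {
            $findings += 'A 255.255.255.255 mask leaves no other host on-link, so LON-DC1 is unreachable (Lab B, Exercise 1).'
        }
    }
    # The preferred (first) DNS server must be LON-DC1; the alternate is tried only
    # when the preferred server does not respond.
    $preferredDnsOk = ($DnsServers.Count -gt 0) -and ($DnsServers[0] -eq $ExpectedDns)
    if (($DnsServers.Count -gt 0) -and -not $preferredDnsOk) {
        $findings += "Preferred DNS server is $($DnsServers[0]); it should be $ExpectedDns (Lab B, Exercise 2, Task 3)."
    }

    [pscustomobject]@{
        Address           = $Address
        Network           = $network
        IsApipa           = $isApipa
        OnExpectedNetwork = ($network -eq $ExpectedNetwork)
        PreferredDnsOk    = $preferredDnsOk
        Findings          = $findings
    }
}

# Constructed sample inputs that mirror the answer key; 169.254.23.7 stands in for
# the "answers will vary" APIPA address.
$samples = @(
    @{ Address = '172.16.0.50';  SubnetMask = '255.255.0.0';     DnsServers = @('172.16.0.10') }                 # Lab A, Exercise 1
    @{ Address = '169.254.23.7'; SubnetMask = '255.255.0.0';     DnsServers = @() }                              # Lab A, Exercise 2, scope deactivated
    @{ Address = '172.16.16.50'; SubnetMask = '255.255.255.255'; DnsServers = @('172.16.16.10', '172.16.0.10') } # Lab B, after Mod6-Script.bat
)
foreach ($s in $samples) {
    $r = Test-LabIPv4Config @s
    '{0} ({1}) on {2}: OnExpectedNetwork={3} PreferredDnsOk={4}' -f $r.Address, $s.SubnetMask, $r.Network, $r.OnExpectedNetwork, $r.PreferredDnsOk
    $r.Findings | ForEach-Object { "  - $_" }
}
```

Both Lab B faults are reported for the third sample: the /32 network that hides LON-DC1 and the preferred DNS server that is not 172.16.0.10.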
L6-54 Configuring Network Connectivity
To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.


L7-55
Module 7: Configuring Resource Access for Domain-Joined
and Non-Domain Joined Devices
Lab: Configuring Resource Access for Non-
Domain Joined Devices
Exercise 1: Implementing Workplace Join
Task 1: Verify Workplace Join prerequisites
1. On LON-DC1, on the Start screen, type users, and then run Active Directory Users and Computers.
2. In Active Directory Users and Computers, on the View menu, select Advanced Features.
3. In Active Directory Users and Computers, in the navigation pane, click Marketing. In the details pane,
right-click Adam Barr, and then select Properties.
4. In the Adam Barr Properties dialog box, click the Account tab. Verify that User logon name is
Adam@Adatum.com, and then click Cancel.
5. In Active Directory Users and Computers, in the navigation pane, click RegisteredDevices, and then verify that no object is listed in the details pane.
6. On the Start screen, type pkiview.msc, and then press Enter.
7. In the Pkiview [Enterprise PKI] console, in the navigation pane, click AdatumCA (V0.0). In the
details pane, verify that AIA Location #2, CDP Location #2, and DeltaCRL Location #2 have a
location that is accessible over http protocol.
Note: CDP Location and Delta CRL Location have a short validity period, and their status might be shown as Expiring. You can ignore their value in the Status column.
8. Close pkiview.
9. On the Start screen, type dns, and then click DNS console.
10. In DNS Manager, in the navigation pane, expand LON-DC1, expand Forward Lookup Zones, and then click Adatum.com. In the details pane, verify that there is an Enterpriseregistration CNAME record that points to LON-SVR1.adatum.com.
11. Close DNS Manager.
12. On LON-SVR1, on the Start screen, type ad fs, and then run AD FS Management.
13. In AD FS Management, in the navigation pane, select Authentication Policies, right-click
Authentication Policies, and then select Edit Global Primary Authentication.
14. In the Edit Global Primary Authentication dialog box, on the Primary tab, verify that the Enable
device authentication check box is selected, and then click OK.
15. In AD FS Management, in the navigation pane, expand Services, and then click Certificates. In the
details pane, right-click CN-LON-SVR1.adatum.com under Service communications, and then select
View Certificate.
16. In the Certificate dialog box, click the Details tab. Select Subject Alternative Name, and then verify that it has the values DNS Name=LON-SVR1.adatum.com and DNS Name=Enterpriseregistration.adatum.com.
L7-56 Configuring Resource Access for Domain-Joined and Non-Domain Joined Devices
17. Select the CRL Distribution Points field, and then verify that one of the URLs is accessible over http
protocol.
18. Select the Authority Information Access field, and then verify that one of the URLs is accessible over
http protocol. Click OK.
19. Close AD FS Management.
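A scripted form of the Task 1 prerequisite checks (the CNAME in step 10, device authentication in step 14, the certificate SAN, CDP and AIA in steps 15 to 18), added here as an example that is not part of the course. It assumes it runs on LON-SVR1, that the AD FS service communications certificate is in the local machine Personal store with subject CN=LON-SVR1.adatum.com, and that the ADFS PowerShell module is present there.

```powershell
# Added example (not the course's own steps): scripted form of the Task 1 prerequisite
# checks. Assumes it runs on LON-SVR1, where the AD FS service communications
# certificate lives in Cert:\LocalMachine\My and the ADFS module is available.
$adfsHost = 'LON-SVR1.adatum.com'
$drsName  = 'enterpriseregistration.adatum.com'
$checks   = @()

function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:checks += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. DNS: enterpriseregistration must be a CNAME that points at the AD FS server (step 10).
$cname = Resolve-DnsName -Name $drsName -Type CNAME -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
Add-Check 'DNS CNAME enterpriseregistration -> AD FS' `
    (($null -ne $cname) -and ($cname.NameHost -eq $adfsHost)) `
    $(if ($cname) { $cname.NameHost } else { 'no CNAME record found' })

# 2. Service communications certificate (steps 15 to 18): both names in the SAN, and an
#    http:// URL in CDP and AIA so a non-domain device can fetch the CRL and issuer cert.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$adfsHost*" } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$adfsHost in Cert:\LocalMachine\My" }

function Get-ExtensionText($Certificate, [string]$Oid) {
    # Returns the decoded text of one extension, or '' if the certificate lacks it.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($true) } else { '' }
}
$san = Get-ExtensionText $cert '2.5.29.17'          # Subject Alternative Name
$cdp = Get-ExtensionText $cert '2.5.29.31'          # CRL Distribution Points
$aia = Get-ExtensionText $cert '1.3.6.1.5.5.7.1.1'  # Authority Information Access

Add-Check 'SAN lists AD FS host and enterpriseregistration' `
    (($san -like "*DNS Name=$adfsHost*") -and ($san -like "*DNS Name=$drsName*")) `
    (($san -split "`r?`n" | Where-Object { $_ -like '*DNS Name=*' }) -join '; ')
Add-Check 'CDP has an http:// URL' ($cdp -like '*http://*') 'CRL must be reachable without LDAP'
Add-Check 'AIA has an http:// URL' ($aia -like '*http://*') 'Issuer certificate must be reachable without LDAP'

# 3. The AD FS global primary authentication policy must allow device authentication (step 14).
$policy = Get-AdfsGlobalAuthenticationPolicy
Add-Check 'AD FS device authentication enabled' ([bool]$policy.DeviceAuthenticationEnabled) `
    "DeviceAuthenticationEnabled = $($policy.DeviceAuthenticationEnabled)"

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Passed }) {
    Write-Warning 'Workplace Join prerequisites are not all met.'
}
```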
Task 2: Workplace Join a Windows 8.1 computer
1. On LON-CL4, sign in as Admin with the password of Pa$$w0rd.
2. On LON-CL4, on the Start screen, type command, and then click Command Prompt.
3. At the command prompt, run nslookup enterpriseregistration.adatum.com. Verify that the name
is resolved to an IP address, and then close the Command Prompt window.
4. On LON-CL4, on the Start screen, type \\LON-DC1\certificate, and then press Enter.
5. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password
field, type Pa$$w0rd, and then click OK.
6. In Certificate, in the details pane, right-click Root-CA, and then click Install Certificate.
7. In the Certificate Import Wizard, select Local Machine, and then click Next. Click Yes in the User
Account Control dialog box.
8. On the Certificate Store page, select Place all certificates in the following store, click Browse,
select Trusted Root Certification Authorities, click OK, and then click Next.
9. In the Certificate Import Wizard, on Completing the Certificate Import Wizard page, click Finish,
and then click OK.
10. On the taskbar, click the Internet Explorer icon.
11. In Internet Explorer, in the address box, type https://LON-SVR2.adatum.com/claimapp, and then press Enter to access the internal company web app.
12. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password field, type Pa$$w0rd, and then click OK. Confirm that the webpage opens and Adam's claims are displayed.
13. Verify that no Claim Type starts with http://schemas.microsoft.com/2012/01/devicecontext.
14. Close Internet Explorer.
15. On the taskbar, click the Internet Explorer icon. In the Internet Explorer address box, type
https://LON-SVR2.adatum.com/claimapp, and then press Enter.
16. Verify that the Windows Security dialog box opens again. In the Windows Security dialog box, in
the User name field, type adatum\adam, in the Password field, type Pa$$w0rd, and then click OK.
This confirms that you are asked for credentials each time you access the company web app from a
non-domain joined device.
17. Close Internet Explorer.
18. On the Start screen, type settings, and then click PC settings.
19. On the PC settings bar, select Network.
20. On the Network bar, select Workplace. In the Enter your user ID to get workplace access or turn device management field, type adam@adatum.com, and then click Join.
Configuring Windows 8.1 L7-57
21. Under Connecting to Adatum, verify that adam@adatum.com is in the first text box. Enter Pa$$w0rd in the second text box, and then click Sign in. Confirm that the device has joined your workplace network and that the button label changed from Join to Leave.
22. Move the pointer to the upper-left edge of LON-CL4, and then click the desktop tile.
Task 3: Explore Workplace Join effects
1. On LON-DC1, in Active Directory Users and Computers, in the navigation pane, right-click
RegisteredDevices, and then select Refresh. Confirm that one object of type msDS-Device is listed
in the details pane. This object represents the LON-CL4 computer that you enabled for Workplace
Join. Make note of the name of the msDS-Device object.
2. On LON-CL4, on the taskbar, click the Internet Explorer icon.
3. In Internet Explorer, press the Alt key. On the Tools menu, select Internet options.
4. In the Internet Options dialog box, click the Content tab. In the Certificates section, click
Certificates.
5. In the Certificates dialog box, on the Personal tab, verify that one certificate is listed and that it has a GUID in the Issued To field. This is the certificate that Device Registration Service provided to the user when the device was enabled for Workplace Join. Verify that the GUID is the same as the name of the msDS-Device object from Active Directory Users and Computers. Click Close, and then click OK in the Internet Options dialog box.
6. In Internet Explorer, in the address box, type https://LON-SVR2.adatum.com/claimapp, and then
press Enter to access the internal company web app.
7. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password field, type Pa$$w0rd, verify that the Remember my credentials check box is not selected, and then click OK. Confirm that the webpage opens and that Adam's claims are displayed.
8. Verify that Claim Type http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier
has the same value as the name of the msDS-Device object from Active Directory Users and
Computers.
9. Close Internet Explorer.
10. Open Internet Explorer, and then access the same company app at
https://LON-SVR2.adatum.com/claimapp.
11. Verify that this time, a webpage opens without asking you for credentials. You were not asked for
credentials because you accessed it from the device that was enabled for Workplace Join.

Results: After completing this exercise, you should have successfully implemented and tested the
Workplace Join feature.
L7-58 Configuring Resource Access for Domain-Joined and Non-Domain Joined Devices
Exercise 2: Configuring Work Folders
Task 1: Install the Work Folders feature and create a sync share
1. On LON-DC1, on the taskbar, click the Windows PowerShell icon, and then run the following
cmdlet: Install-WindowsFeature FS-SyncShareService.
Note: After the feature is installed, you will get a warning because Windows automatic
updating is not enabled. You can ignore the warning.
2. Minimize the Windows PowerShell window, and then click the Server Manager icon on the taskbar.
3. In Server Manager, in the navigation pane, click File and Storage Services, click Work Folders, and then, in the WORK FOLDERS section, click TASKS and select New Sync Share.
4. In the New Sync Share Wizard, on the Before you begin page, click Next.
5. On the Select the server and path page, in the Enter a local path field, type C:\syncshare1, click
Next, and then click OK.
6. On the Specify the structure for user folders page, verify that User alias is selected, and then click
Next.
7. On the Enter the sync share name page, click Next to accept the default sync share name.
8. On the Grant sync access to groups page, click Add, and in the Enter the object name to be
selected field, type Marketing, click OK, and then click Next.
9. On the Specify device policies page, review the two available options. Clear the Automatically lock screen, and require a password policy, and then click Next.
10. On the Confirm selections page, click Create.
11. On the View Results page, click Close.
12. In Server Manager, verify that Syncshare1 is listed in the WORK FOLDERS section and that user Adam
Barr is listed in the USERS section.
Task 2: Bind an SSL certificate for Work Folders
1. On LON-DC1, on the Start screen, type iis, and then run Internet Information Services (IIS) Manager.
2. In Internet Information Services (IIS) Manager, in the navigation pane, expand LON-DC1
(ADATUM\Administrator).
3. Expand Sites, right-click Default Web Site, and then select Edit Bindings.
4. In Site Bindings, click Add.
5. In Add Site Bindings, in the Type box, select https. In the SSL certificate box, select LON-DC1.adatum.com, click OK, click Yes, and then click Close.
6. Close Internet Information Services (IIS) Manager.
Task 3: Configure Group Policy to deploy Work Folders
1. On LON-DC1, in Server Manager, click the Tools menu, and then select Group Policy Management.
2. In the Group Policy Management console, in the navigation pane, expand Forest: Adatum.com,
expand Domains, expand Adatum.com, and then select Marketing.
Configuring Windows 8.1 L7-59
3. Right-click Marketing, and then select Create a GPO in this domain, and Link it here. In the Name
field, type Deploy Work Folders, and then click OK.
4. Right-click Deploy Work Folders, and then select Edit.
5. In the Group Policy Management Editor, under User Configuration in the navigation pane, expand
Policies, Administrative Templates, Windows Components, and then click the Work Folders node.
6. In the details pane, right-click Specify Work Folder settings, and then select Edit.
7. In the Specify Work Folder settings dialog box, select Enabled. In the Work Folders URL field, type
https://lon-dc1.adatum.com, select the Force automatic setup check box, click OK, and then close
the Group Policy Management Editor.
8. On LON-CL1, sign out, and then sign in as adatum\adam with Pa$$w0rd.
9. On the Start screen, click the Desktop tile.
10. On the toolbar, click the File Explorer icon.
11. In This PC, in the navigation pane, click Work Folders. Right-click in the details pane, select New,
select Text Document, and then name the file On LON-CL1.
Task 4: Deploy Work Folders on a non-domain device
1. On LON-CL4, on the taskbar, right-click the Start icon, and then click Control Panel.
2. In Control Panel, in the Search Control Panel field, type work, and then click Work Folders.
3. On the Manage Work Folders page, click Set up Work Folders. On the Enter your work email
address page, click Enter a Work Folders URL instead.
4. On the Enter a Work Folders URL page, in the Work Folders URL box, type
https://lon-dc1.adatum.com, and then click Next.
5. In the Windows Security dialog box, in the User name field, type adatum\adam, in the Password
field, type Pa$$w0rd, and then click OK.
6. On the Introducing Work Folders page, review the local Work Folders location, and then click Next.
7. On the Security policies page, select the I accept these policies on my PC check box, and then
click Set up Work Folders.
8. On the Work Folders has started syncing with this PC page, click Close.
9. On the Work Folders page, verify that the On LON-CL1.txt file is displayed.
Task 5: Use Work Folders to synchronize files
1. On LON-CL4, in Work Folders, right-click in the details pane, select New, select Text Document,
and then name the file On LON-CL4.
2. On LON-CL1, in Work Folders, verify that only the On LON-CL1 file is displayed.
Note: Work Folders synchronizes automatically every 10 minutes. You can also trigger synchronization manually.
3. In File Explorer, in the navigation pane, right-click Work Folders, and then click Sync Now. Press F5 to refresh the view, and then verify that both files, On LON-CL1.txt and On LON-CL4.txt, are displayed in the details pane.
4. On the taskbar, right-click the Start button, and then select Control Panel.
L7-60 Configuring Resource Access for Domain-Joined and Non-Domain Joined Devices
5. In Control Panel, in the Search Control Panel field, type network, and then click View network
connections. Right-click Ethernet, and then select Disable. In the User Account Control dialog box,
type Administrator as User name, Pa$$w0rd as Password, and then click Yes.
6. On LON-CL1, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.
7. In Notepad, type Modified offline, close Notepad, and then click Save.
8. In Work Folders, right-click in the details pane, select New, select Text Document, and then name
the file Offline LON-CL1.
9. On LON-CL4, in Work Folders, double-click the On LON-CL1.txt file. The file opens in Notepad.
10. In Notepad, type Online modification, close Notepad, and then click Save.
11. On LON-CL1, in Network Connections, right-click Ethernet, and then select Enable. In the User
Account Control dialog box, type Administrator as User name, Pa$$w0rd as Password, and then
click Yes.
12. Switch to Work Folders. Verify that four files are displayed in the details pane, including
On LON-CL1 and On LON-CL1-LON-CL1. Because the file was modified at two locations, a conflict
occurred and one of the copies was renamed.
Task 6: To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-DC1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-SVR1, 20687C-LON-SVR2, 20687C-LON-CL1, and 20687C-
LON-CL4.

Results: After completing this exercise, you should have successfully configured the Work Folders feature.
L8-61
Module 8: Implementing Network Security
Lab A: Configuring Inbound and Outbound
Firewall Rules
Exercise 1: Creating an Inbound Windows Firewall Rule
Task 1: Test Remote Desktop connectivity
1. Sign in to LON-CL2 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type Remote, and then click Remote Desktop Connection.
3. In the Computer field, type LON-CL1, and then press Enter.
4. Sign in to LON-CL1 as Adatum\Administrator with the course password.
5. Open the Start screen on LON-CL1, click Administrator, and then click Sign out.
Task 2: Configure an inbound firewall rule
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Open the Settings charm, and then click Control Panel.
4. Click System and Security, and then click Windows Firewall.
5. In the left pane, click Advanced settings, right-click Inbound Rules, and then click New Rule.
6. In the New Inbound Rule Wizard window, select Predefined, click the drop-down box, click Remote
Desktop, and then click Next.
7. On the Predefined Rules page, select all available rules, and then click Next.
8. On the Action page, select Block the connection, and then click Finish.
9. Minimize the Windows Firewall with Advanced Security window.
Task 3: Test the inbound firewall rule
1. Switch to LON-CL2.
2. From the Start screen, type Remote, and then click Remote Desktop Connection.
3. In the Computer field, type LON-CL1, and then press Enter.
4. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
5. Verify that the connection attempt fails.

Results: After completing this exercise, you should have created an inbound Windows Firewall rule.
L8-62 Implementing Network Security
Exercise 2: Create an Outbound Firewall Rule
Task 1: Test Remote Desktop connectivity
1. Switch to LON-CL1.
2. On the Start screen, type Remote, and then click Remote Desktop Connection.
3. In the Computer field, type LON-DC1, and then press Enter.
4. Sign in to LON-DC1 as Adatum\Administrator with password Pa$$w0rd.
5. Open the Start screen on LON-DC1, click Administrator, and then click Sign out.
Task 2: Configure an outbound rule
1. On LON-CL1, on the taskbar, click the Windows Firewall with Advanced Security window, and then
click Outbound Rules.
2. In the Actions pane, click New Rule.
3. On the Rule Type page, verify that you are creating a Program rule, and then click Next.
4. On the Program page, browse and select C:\Windows\System32\mstsc.exe, click Open, and then
click Next.
5. On the Action page, verify the action is Block the Connection, and then click Next.
6. On the Profile page, verify that all profiles are selected, and then click Next.
7. On the Name page, type Block Outbound RDP to LON-DC1 in the Name field, and then click
Finish.
8. In the Windows Firewall with Advanced Security window, click the Block Outbound RDP to LON-DC1 rule, and then in the Actions pane, click Properties.
9. Click the Scope tab, and then under the Remote IP address heading, select the These IP addresses
option.
10. Under the Remote IP address heading, click Add, in the This IP address or subnet field, type
172.16.0.10, and then click OK.
11. In the Block Outbound RDP to LON-DC1 Properties dialog box, click OK.
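The same outbound program rule created with the NetSecurity cmdlets on LON-CL1 and then read back, so the program path and the 172.16.0.10 scope from Task 2 can be confirmed without opening the GUI; this is an added example, not the course's own steps, and it assumes it runs in an elevated Windows PowerShell window.

```powershell
# Added example (not the course's own steps): the Task 2 outbound rule created with
# the NetSecurity cmdlets on LON-CL1, then read back to confirm the program and
# remote-address scope. Run in an elevated Windows PowerShell window.
$ruleName = 'Block Outbound RDP to LON-DC1'

New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound `
    -Program 'C:\Windows\System32\mstsc.exe' `
    -RemoteAddress '172.16.0.10' `
    -Profile Any `
    -Action Block | Out-Null

# Read the rule back: the application and address filters hold the Program and
# Scope settings that the GUI shows on the Programs and Services and Scope tabs.
$rule    = Get-NetFirewallRule -DisplayName $ruleName
$program = $rule | Get-NetFirewallApplicationFilter
$scope   = $rule | Get-NetFirewallAddressFilter

[pscustomobject]@{
    Name          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Direction     = $rule.Direction
    Action        = $rule.Action
    Program       = $program.Program
    RemoteAddress = $scope.RemoteAddress
}
```

Because this is a program rule, only mstsc.exe is blocked: Test-NetConnection -ComputerName LON-DC1 -Port 3389 from PowerShell still succeeds, which is why Task 3 tests with Remote Desktop Connection itself.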
Task 3: Test the outbound rule
1. From the Start screen, type Remote, and then click Remote Desktop Connection.
2. In the Computer field, type LON-DC1, and then press Enter.
3. In the Remote Desktop Connection dialog box, click OK.
4. Close all open windows.
Results: After completing this exercise, you should have configured and tested an outbound firewall rule.
To prepare for the next lab
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.


Lab B: Configuring IPsec Rules
Exercise 1: Creating and Configuring IPsec Rules
Task 1: Create an Internet Protocol security (IPsec) rule on LON-CL1
1. Switch to LON-CL1.
2. Open the Settings charm, and then on the Desktop menu, click Control Panel.
3. Click System and Security, and then click Windows Firewall.
4. In the left pane, click Advanced settings, and then click Connection Security Rules.
5. In the Actions pane, click New Rule.
6. On the Rule Type page, verify that Isolation is selected, and then click Next.
7. On the Requirements page, select Require authentication for inbound connections and request
authentication for outbound connections, and then click Next.
8. On the Authentication Method page, select Computer and user (Kerberos V5), and then click
Next.
9. On the Profile page, click Next.
10. On the Name page, in the Name text box, type Authenticate all inbound connections, and then
click Finish.
11. Close the Windows Firewall with Advanced Security window.
Task 2: Test connectivity between LON-CL2 and LON-CL1
1. Switch to LON-CL2.
2. Open a Command Prompt window, type ping LON-CL1, and then press Enter.
3. Verify that the ping generated four Request timed out messages.
4. Close the Command Prompt window.
Task 3: Create an IPsec rule on LON-CL2 by using the Windows PowerShell command-line interface
1. On LON-CL2, from the Start screen, type Power, right-click Windows PowerShell, and then click
Run as Administrator.
2. In the Administrator: Windows PowerShell window, type the following, and then press Enter:
New-NetIPsecRule -DisplayName "Authenticate all inbound connections" -InboundSecurity Require -OutboundSecurity Request -Phase1AuthSet ComputerKerberos -Phase2AuthSet UserKerberos
Note: The monitoring component for the newly created Connection Security Rule might
not be created in a timely fashion. To force the creation of the monitoring component, perform
the following steps:
1. Open the Settings charm, and then on the Desktop menu, click Control Panel.
2. Click System and Security, and then click Windows Firewall.
3. In the left pane, click Advanced settings.
4. Click Connection Security Rules.
5. Double-click Authenticate all inbound connections.
6. In the description field, type Requires inbound authentication, and then click OK.
Task 4: Test connectivity between LON-CL2 and LON-CL1
1. In the Administrator: Windows PowerShell window, type ping LON-CL1, and then press Enter.
2. Verify that the ping generated four Reply from 172.16.0.50: bytes=32 time=xms TTL=128 messages
(your times might vary).
3. Open the Settings charm, click Control Panel, click System and Security, and then click Windows
Firewall.
4. In the left pane, click Advanced settings.
5. In the left pane, expand Monitoring, and then expand Security Associations.
6. Click Main Mode, and then examine the information in the center pane.
7. Click Quick Mode, and then examine the information in the center pane.
8. Close all open windows.
9. In the host system, click the 20687C-LON-CL1 window.
10. From the Start screen, type Power, right-click Windows PowerShell, and then click Run as
Administrator.
11. To examine the Main Mode Security Associations (SAs), run the following cmdlet:
Get-NetIPsecMainModeSA
12. To examine the Quick Mode SAs, run the following cmdlet:
Get-NetIPsecQuickModeSA

Results: After completing this exercise, you should have created and tested IPsec rules.
To prepare for the next lab
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.


Lab C: Configuring Malware Protection
Exercise 1: Configuring Windows Defender
Task 1: Perform a quick scan
1. Switch to LON-CL1.
2. Open the Settings charm, and then on the Desktop menu, click Control Panel.
3. Click View by:, then select Large Icons, and then click Windows Defender.
4. On the Windows Defender Home tab, ensure that the Quick scan option is selected.
5. Click Scan now, and then review the results.
6. Close Windows Defender.
Task 2: Test malware detection
1. Open File Explorer, and then browse to E:\Labfiles\Mod08\Malware.
2. In the Malware folder, open sample.txt in Notepad. The sample.txt file contains a text string that is
used to test malware detection.
3. In the sample.txt file, delete both instances of <remove>, including the brackets.
4. Save and close the file. Immediately, Windows Defender detects a potential threat.
5. Shortly thereafter, the sample.txt will be removed from the Malware folder.
Task 3: Examine the Windows Defender history
1. Open the Settings charm, and then on the Desktop menu, click Control Panel.
2. Click Windows Defender.
3. In Windows Defender, click the History tab.
4. Click View details, and then review the results.
5. Select the check box for the Virus:DOS/EICAR_Test_File, and then click Remove.
6. Close all open windows.

Results: After completing this exercise, you should have configured and used Windows Defender.
To prepare for the next module
When you finish the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-DC1.

Module 9: Configuring File Access and Printers on Windows 8.1 Clients
Lab A: Configuring File Access
Exercise 1: Creating a Shared Folder for the Marketing Group
Task 1: Create a Marketing folder
1. Sign on to LON-CL1 as Adatum\Administrator.
2. Click the Desktop tile, and then click the File Explorer icon on the taskbar.
3. Navigate to E:\Labfiles\Mod09.
4. In the Mod09 window, right-click, point to New, and then click Folder.
5. Name the folder Marketing.
Task 2: Share the Marketing folder for Everyone
1. Click the Marketing folder.
2. On the menu bar, click Share, and then click Specific people.
3. In the File Sharing Wizard, click the drop-down list, select Everyone, and then click Add.
4. Verify that the Permission Level for Everyone is Read, and then click Share.
5. In the File Sharing Wizard, click Done.
Task 3: Configure NTFS permissions for the Marketing folder
1. Right-click the Marketing folder, and then click Properties.
2. In the Marketing Properties dialog box, click the Security tab, and then click Advanced.
3. In the Advanced Security Settings for Marketing dialog box, click Add.
4. In the Permission Entry for Marketing dialog box, click the Select a principal link.
5. In the Enter the object name to select field, type Marketing, and then click OK.
6. In the Basic permissions section, select the Modify check box.
7. In the Permission Entry for Marketing dialog box, click OK.
8. In the Advanced Security Settings for Marketing dialog box, click OK.
9. In the Marketing Properties dialog box, click OK.
10. Close all open windows.
Task 4: Attempt to access the Marketing folder as Ed
1. On LON-CL2, sign in as Adatum\Ed with password Pa$$w0rd.
2. Click the Desktop tile, and then on the taskbar, click File Explorer.
3. In the Address bar, type \\LON-CL1\Marketing, and then press Enter.
4. In the Marketing window, right-click, point to New, and then click Text Document.
5. In the Destination Folder Access Denied window, click Cancel.
6. Close the Marketing window.
7. Open the Start screen, click Ed Meadows, and then click Sign out.
Task 5: Sign in to LON-CL2 as Adam
Sign in to LON-CL2 as Adatum\Adam with password Pa$$w0rd.
Task 6: Attempt to access the Marketing folder as Adam
1. On the Start screen, click the Desktop tile, and then on the taskbar, click File Explorer.
2. In the Address bar, type \\LON-CL1\Marketing, and then press Enter.
3. In the Marketing window, right-click, point to New, and then click Text Document.
4. Name the file your name.
5. Close all windows, and then sign out.

Results: After completing this exercise, you should have created and shared a folder for the Marketing
department.
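A report of both permission layers on the share, as an added example that is not part of the lab: it lists the share permissions (what the wizard's Permission Level writes) next to the NTFS permissions on the folder, which is what decides why Ed is refused and Adam is not. It assumes the share name Marketing from Task 2 and runs on LON-CL1.

```powershell
# Added example, not from the lab: shows both layers that gate network access to a share.
# Assumes the share created in Task 2 is named Marketing; run on LON-CL1 as Administrator.
function Get-ShareAccessReport {
    param([Parameter(Mandatory)][string]$ShareName)

    $share = Get-SmbShare -Name $ShareName -ErrorAction Stop

    # Layer 1: share permissions. AccessRight is Full, Change or Read.
    $sharePerms = Get-SmbShareAccess -Name $ShareName |
        Select-Object @{n='Layer';e={'Share'}}, AccountName, AccessControlType, AccessRight

    # Layer 2: NTFS permissions on the folder behind the share, inherited entries included.
    # This is where Task 3 put the Marketing group's Modify entry.
    $acl = Get-Acl -Path $share.Path
    $ntfsPerms = $acl.Access | Select-Object @{n='Layer';e={'NTFS'}},
        @{n='AccountName';e={$_.IdentityReference.Value}},
        AccessControlType,
        @{n='AccessRight';e={$_.FileSystemRights}},
        IsInherited

    [pscustomobject]@{
        Share    = $ShareName
        Path     = $share.Path
        ShareACL = $sharePerms
        NtfsACL  = $ntfsPerms
    }
}

$r = Get-ShareAccessReport -ShareName 'Marketing'
"Share $($r.Share) -> $($r.Path)"
$r.ShareACL | Format-Table -AutoSize
$r.NtfsACL  | Format-Table -AutoSize

# A user reaching the folder over \\LON-CL1\Marketing gets the more restrictive of the
# two layers, so a broad grant at one layer leaves the other layer as the only control.
$r.ShareACL |
    Where-Object { $_.AccountName -match 'Everyone' -and $_.AccessRight -eq 'Full' } |
    ForEach-Object { Write-Warning 'Share grants Everyone Full control; NTFS is the only control left.' }
$r.NtfsACL |
    Where-Object { $_.AccountName -match 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object { Write-Warning "NTFS grants Everyone $($_.AccessRight) on $($r.Path)." }
```

Run it twice, before and after Task 3, to see exactly which entry the Marketing group's Modify permission adds.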
Exercise 2: Configuring File and Folder Compression
Task 1: Compress a folder
1. Switch to LON-CL1.
2. In File Explorer, navigate to E:\Labfiles\Mod09.
3. Right-click the Windows8Docs folder, and then select Properties.
4. Note the Size and Size on disk attributes.
5. On the General tab, click Advanced.
6. Select the Compress contents to save disk space check box.
7. In the Advanced Attributes dialog box, click OK.
8. In the Windows8Docs Properties dialog box, click Apply.
9. In the Confirm Attribute Changes dialog box, ensure that the Apply changes to this folder,
subfolders and files option is selected, and then click OK.
10. Note the change in the Size on disk attribute.
11. Click OK to close the Windows8Docs Properties dialog box.
12. Note that the Windows8Docs folder has changed colors.
13. Double-click the Windows8Docs folder.
14. Note that all the files are now blue.
15. Close all open windows.
Results: After completing this exercise, you will have compressed a folder.
To prepare for the next lab
When you finish the lab, leave the virtual machines running, as they are needed for the next lab.

Lab B: Configuring Printers
Exercise 1: Creating and Sharing a Local Printer
Task 1: Add and share a local printer
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. While on the Start screen, type control, and then click Control Panel in the search results.
3. In Control Panel, click the View devices and printers link.
4. In Devices and Printers, click the Add a printer link.
5. In the Add Printer Wizard, click The printer that I want isn't listed.
6. On the Find a printer by other options page, select the Add a local printer or network printer
with manual settings option, and then click Next.
7. On the Choose a printer page, select the drop-down list for Use an existing port, select nul: (Local
Port), and then click Next.
8. On the Install the printer driver page, in the Manufacturer list, select Microsoft.
9. In the Printers list, select Microsoft OpenXPS Class Driver, and then click Next.
10. On the Type a printer name page, in the Printer name field, type ManagersPrinter, and then click
Next.
11. Review the Printer Sharing page, and then click Next.
12. Review the You've successfully added ManagersPrinter page, and then click Finish.
Task 2: Configure printer security
1. Open the Start screen.
2. Type Printmanagement.msc, and then press Enter.
3. In the navigation pane, click All Printers.
4. Right-click ManagersPrinter, and then select Properties.
5. In the ManagersPrinter Properties dialog box, click the Security tab.
6. Select Everyone, and then click Remove.
7. Click Add, and then in the Enter the object names to select field, type Managers, and then click
OK.
8. In the ManagersPrinter Properties dialog box, click OK.
9. Right-click ManagersPrinter, and then select Pause Printing.
10. Leave the Print Management program open.
Task 3: Sign in to LON-CL2 as Ed
Sign in to LON-CL2 as Adatum\Ed with password Pa$$w0rd.
Task 4: Connect to a network printer
1. On the Start screen, type control.
2. In the Apps search results, click Control Panel.
3. In Control Panel, click the View devices and printers link.
4. In Devices and Printers, click the Add a printer link.
5. In the Add Printer Wizard, click The printer that I want isn't listed.
6. On the Find a printer by other options page, select the Select a shared printer by name option,
and then click Browse.
7. In the Printer field, type \\LON-CL1, and then press Enter.
8. Double-click ManagersPrinter.
9. On the Find a printer by other options page, click Next.
10. Review the You've successfully added ManagersPrinter on LON-CL1 page, and then click Next.
11. On the You've successfully added ManagersPrinter on LON-CL1 page, click Print a test page.
12. Review the ManagersPrinter on LON-CL1 dialog box, and then click Close.
13. On the You've successfully added ManagersPrinter on LON-CL1 page, click Finish.
14. Close Devices and Printers.
15. On LON-CL1, in the Print Management app, verify that the Jobs In Queue column displays 1 for
ManagersPrinter.
16. Right-click ManagersPrinter, and then select Resume Printing.
17. Close all open windows.
Task 5: Prepare for the next module
When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-CL1 and 20687C-LON-DC1.

Results: After completing this exercise, you should have created, shared, and tested a printer.

Module 10: Securing Windows 8.1 Devices
Lab A: Implementing Local GPOs
Exercise 1: Creating Multiple Local GPOs
Task 1: Create a management console for multiple local Group Policy settings
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Select Run from the Administrative menu by pressing Windows logo key+X.
3. In the Open box, type mmc, and then press Enter.
4. In Console1 [Console Root], click File, and then click Add/Remove Snap-in.
5. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy
Object Editor, and then click Add.
6. In the Select Group Policy Object dialog box, click Finish.
7. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy
Object Editor, and then click Add.
8. In the Select Group Policy Object dialog box, click Browse.
9. In the Browse for a Group Policy Object dialog box, click the Users tab.
10. In the Local Users and Groups compatible with Local Group Policy list, click Administrators, and
then click OK.
11. In the Select Group Policy Object dialog box, click Finish.
12. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy
Object Editor, and then click Add.
13. In the Select Group Policy Object dialog box, click Browse.
14. In the Browse for a Group Policy Object dialog box, click the Users tab.
15. In the Local Users and Groups compatible with Local Group Policy list, click Non-Administrators,
and then click OK.
16. In the Select Group Policy Object dialog box, click Finish.
17. In the Add or Remove Snap-ins dialog box, click OK.
18. In Console1 [Console Root], click File, and then click Save.
19. In the Save As dialog box, click Desktop.
20. In the File name box, type Multiple Local Group Policy Editor, and then click Save.
Task 2: Configure the local computer settings
1. In Multiple Local Group Policy Editor [Console Root], in the console tree, expand Local Computer
Policy, expand User Configuration, expand Windows Settings, and then click Scripts
(Logon/Logoff).
2. In the results pane, double-click Logon.
3. In the Logon Properties dialog box, click Add.
4. In the Add a Script dialog box, click Browse.
5. In the Browse dialog box, right-click in the empty folder, point to New, click Text Document, and
then press Enter.
6. Right-click New Text Document, and then click Edit.
7. Type msgbox "Warning. You are not connected to the A Datum Domain."
8. Click File, click Save As, type RoamingScript.vbs, change Save as type: to All Files, and then click
Save.
9. Close RoamingScript.vbs.
10. In the Browse dialog box, click the RoamingScript file, and then click Open.
11. In the Add a Script dialog box, click OK.
12. In the Logon Properties dialog box, click OK.
Task 3: Configure non-administrators security settings
1. In Multiple Local Group Policy Editor [Console Root], in the console tree, expand Local Computer,
expand Non-Administrators Policy, expand User Configuration, expand Administrative
Templates, and then click Control Panel.
2. In the results pane, double-click Prohibit access to Control Panel and PC settings.
3. In the Prohibit access to Control Panel and PC settings dialog box, click Enabled, and then click
OK.

Results: After completing this exercise, you should have created and configured multiple local Group
Policy Objects (MLGPOs) successfully.
Exercise 2: Testing the Application of the Local GPOs
Task 1: Sign in as a standard user to test the policies
1. Sign out of LON-CL1. To sign out, on your host computer, in the 20687C-LON-CL1 on localhost
Virtual Machine Connection window, click the Action menu, press Ctrl+Alt+Delete, and then click
Sign out.
2. Sign in to LON-CL1 as Adatum\Holly with password Pa$$w0rd. To sign in as a different user, click
Other user, type the required credentials, and then press Enter.
3. On the Start screen, click the Desktop tile, click OK when prompted by the message box, and then
click OK again.
Note: The message may not appear immediately.
4. Select Control Panel from the Administrative menu by pressing Windows logo key+X, and then click
Control Panel.
5. In the Restrictions dialog box, click OK.
Task 2: Sign in as administrator to test the policies
1. Sign out, and then sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile, click OK when prompted by the message box, and then
click OK again.
Note: The message may not appear immediately.
3. Select Control Panel from the Administrative menu by pressing Windows logo key+X, and then click
Control Panel.
4. Sign out of LON-CL1.

Results: After completing this exercise, you should have implemented and tested multiple local GPOs
successfully.
Prepare for the next lab
When you are finished with the lab, leave the virtual machines running as they are needed for the next
lab.


Lab B: Securing Data by Using BitLocker
Exercise 1: Protecting Files with BitLocker
Task 1: Configure GPO settings for BitLocker
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Administrative
Templates, expand Windows Components, and then expand BitLocker Drive Encryption.
4. Click Operating System Drives, and then double-click Require additional authentication at
startup.
5. In the Require additional authentication at startup dialog box, click Enabled, and then click OK.
6. Close the Local Group Policy Editor.
7. On the Start screen, type cmd.exe, and then press Enter.
8. At the command prompt, type gpupdate /force, and then press Enter.
9. Close all open windows.
Task 2: Enable BitLocker
1. On LON-CL1, click the Desktop tile on the Start screen.
2. On the taskbar, click File Explorer.
3. In the navigation pane, click This PC, right-click Local Disk (C:), and then click Turn on BitLocker.
4. In the BitLocker Drive Encryption (C:) dialog box, click Enter a password. This is necessary because
the virtual machine does not support USB flash drives.
5. On the Create a password to unlock this drive page, in the Enter your password and Reenter
your password boxes, type Pa$$w0rd, and then click Next.
6. On the How do you want to back up your recovery key? page, click Save to a file.
7. In the Save BitLocker recovery key as dialog box, click Allfiles (E:).
8. On the File Explorer toolbar, click New folder, type BitLocker, and then press Enter.
9. In the Save BitLocker recovery key as dialog box, click Open, click Save, click Yes,
and then click Next.
10. On the BitLocker Drive Encryption (C:) page click Continue.
11. When prompted, click Restart now.
Task 3: Complete the process of enabling BitLocker
1. During the restart sequence, when the BitLocker screen displays, in the Enter the password to
unlock this drive box, type Pa$$w0rd, and then press Enter.
2. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
3. On the Start screen, click the Desktop tile.
4. On the taskbar, click File Explorer.
5. In the navigation pane, click This PC.
6. Right-click Local Disk (C:), and then click Manage BitLocker. The drive is being encrypted.
7. Close all open windows.

Results: After completing this exercise, you should have encrypted the hard drive successfully.
Prepare for the next lab
When you are finished with the lab, leave the virtual machines running as they are needed for the next
lab.


Lab C: Configuring and Testing UAC
Exercise 1: Modifying UAC Prompts
Task 1: Modify the User Account Control (UAC) prompts
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Local Policies, and then click Security Options.
4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for
standard users.
5. In the User Account Control: Behavior of the elevation prompt for standard users dialog box,
click Prompt for credentials on the secure desktop, and then click OK.
Task 2: Modify the UAC notification level
1. In the results pane, double-click User Account Control: Only elevate executables that are signed
and validated.
2. In the User Account Control: Only elevate executables that are signed and validated dialog box,
click Enabled, and then click OK.
3. In the results pane, double-click User Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode.
4. In the User Account Control: Behavior of the elevation prompt for administrators in Admin
Approval Mode dialog box, click Prompt for consent on the secure desktop, and then click OK.
5. Close the Local Group Policy Editor, and then sign out.
Task 3: Test the UAC settings
1. Sign in to LON-CL1 as Adatum\Dan with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. Open the Administrative menu by pressing Windows logo key+X and click Command Prompt
(Admin). The Windows operating system displays the User Account Control prompt.
4. In the User name field, type Administrator.
5. In the Password field, type Pa$$w0rd, and then click Yes.
6. Close the Command Prompt (Admin) console.
7. Sign out.
8. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
9. Open the Administrative menu by pressing Windows logo key+X, and then click Control Panel.
10. In Control Panel, click System and Security.
11. In System and Security, click Change User Account Control settings.
12. Verify that the slider is configured for Always notify.

Results: After completing this exercise, you should have reconfigured UAC notification behavior and
prompts.
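A read-back of the settings this lab changes, as an added example that is not part of the lab: the three Security Options policies write values under the Policies\System registry key, and reading them there is the quickest way to verify the end state on a machine or catch drift from it. The value names and their meanings are the documented UAC registry values; the expected values are the ones Tasks 1 and 2 set.

```powershell
# Added example, not from the lab: reads the UAC settings Lab C changes straight from the
# registry values the Security Options policies write, and reports drift from the lab's end state.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

$adminPrompt = @{   # "Behavior of the elevation prompt for administrators in Admin Approval Mode"
    0 = 'Elevate without prompting'
    1 = 'Prompt for credentials on the secure desktop'
    2 = 'Prompt for consent on the secure desktop'
    3 = 'Prompt for credentials'
    4 = 'Prompt for consent'
    5 = 'Prompt for consent for non-Windows binaries (default)'
}
$userPrompt = @{    # "Behavior of the elevation prompt for standard users"
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials (default)'
}

function Get-UacSetting {
    # Returns the policy state, treating an absent value as "not configured" rather than as 0.
    param([string]$Name, [hashtable]$Map)
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Not configured' }
    $v = [int]$item.$Name
    if ($Map) { if ($Map.ContainsKey($v)) { $Map[$v] } else { "Unknown value $v" } }
    else      { [bool]$v }
}

[pscustomobject]@{
    'Admin Approval Mode (EnableLUA)'               = Get-UacSetting EnableLUA
    'Elevation prompt for administrators'           = Get-UacSetting ConsentPromptBehaviorAdmin $adminPrompt
    'Elevation prompt for standard users'           = Get-UacSetting ConsentPromptBehaviorUser  $userPrompt
    'Only elevate signed and validated executables' = Get-UacSetting ValidateAdminCodeSignatures
    'Switch to the secure desktop when prompting'   = Get-UacSetting PromptOnSecureDesktop
} | Format-List

# Lab C's end state after Tasks 1 and 2. "Always notify" on the Control Panel slider
# (Task 3, step 12) is ConsentPromptBehaviorAdmin = 2 together with PromptOnSecureDesktop = 1.
$expected = @{
    ConsentPromptBehaviorAdmin  = 2
    ConsentPromptBehaviorUser   = 1
    ValidateAdminCodeSignatures = 1
    PromptOnSecureDesktop       = 1
}
foreach ($name in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($actual -ne $expected[$name]) {
        Write-Warning "$name is '$actual', expected $($expected[$name])"
    }
}
```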
Prepare for the next module
When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machines dialog box, click Revert.
4. Repeat steps 2 to 3 for 20687C-LON-DC1.

Module 11: Configuring Applications for Windows 8.1
Lab A: Configuring Internet Explorer Security
Exercise 1: Configuring Internet Explorer
Task 1: Enable Compatibility View in Internet Explorer
1. Sign in to the LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. On the taskbar, click Internet Explorer.
4. Right-click the bar to the left of the home symbol, and then click Menu bar.
5. On the menu bar, click Tools, and then click Compatibility View settings.
6. Verify that Internet Explorer uses Microsoft compatibility lists, and then click Close.
Task 2: Delete browsing history
1. On the Tools menu, click Internet options.
2. On the General tab, under Browsing history, click Delete.
3. In the Delete Browsing History dialog box, select the Preserve Favorites website data and History
check boxes. Clear all other options, click Delete, and then click OK.
4. Close Internet Explorer.
5. On LON-CL1, click the Internet Explorer icon on the taskbar.
6. In the Address bar, type http://LON-DC1, and then press Enter.
7. Click the Down Arrow next to the Address bar to confirm that the address you typed is stored.
8. In Internet Explorer, on the Tools menu, click Internet Options.
9. Click the General tab. Under Browsing History, click Delete.
10. In the Delete Browsing History dialog box, clear the Preserve Favorites website data check box,
select the Temporary Internet files and website files, Cookies and website data, and History
check boxes, and then click Delete.
11. Click OK to close the Internet options dialog box.
12. Confirm that there are no addresses stored in the Address bar by clicking on the Down Arrow next to
the Address bar.
Task 3: Configure InPrivate Browsing
1. On the Tools menu, click InPrivate Browsing.
2. In the Address bar, type http://LON-DC1, and then press Enter.
3. Confirm that the address you typed is not stored by clicking the Down Arrow next to the Address bar.
4. Close the InPrivate Browsing window.
5. Close Internet Explorer.
Task 4: Configure intranet security settings
1. On LON-CL1, click the Internet Explorer icon on the taskbar.
2. In the Address bar, type http://LON-DC1, and then press Enter.
3. In Internet Explorer, on the Tools menu, click Internet options.
4. On the Security tab, click Local intranet, and then under Security level for this zone, move the
slider to High, and then click OK.
5. On the A. Datum intranet home page, click Current Projects.
6. Close the new tab.
7. In Internet Explorer, on the Tools menu, click Internet options.
8. On the Security tab, click Trusted sites, and then click Sites.
9. In the Trusted sites dialog box, clear the Require server verification (https:) for all sites in this
zone check box, click Add, and then click Close.
10. In the Internet options dialog box, click OK.
11. On the A. Datum intranet home page, click Current Projects.
Task 5: View the add-on management interface
1. On the Tools menu, click Manage add-ons.
2. In the left navigation pane, click Search Providers.
3. In the right navigation pane click Bing.
4. In the left navigation pane, click Accelerators.
5. In the left navigation pane click Tracking Protection.
6. Click Close.
Task 6: Download a file
1. In the Address bar, type http://LON-DC1, and then press Enter.
2. Click Download Current Projects.
3. In the Internet Explorer dialog box, click Save.
4. In the banner, click View downloads.
5. In View Downloads Windows Internet Explorer, click Open.
6. The file opens in Microsoft Office Excel.
7. Close Excel and Internet Explorer.
8. Sign out from LON-CL1.

Results: After completing this exercise, you should have successfully configured security and compatibility
settings in Internet Explorer.
Prepare for the next lab
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.


Lab B: Configuring AppLocker
Exercise 1: Configuring AppLocker Rules
Task 1: Create a new executable rule
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type gpedit.msc, and then press Enter.
3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings,
expand Security Settings, expand Application Control Policies, and then double-click AppLocker.
4. Right-click Executable Rules, and then click Create New Rule.
5. In the Create Executable Rules Wizard, click Next.
6. On the Permissions page, click Deny, and then click Select.
7. In the Select User or Group dialog box, in the Enter the object names to select (examples) box,
type IT, click Check Names, click OK, and then click Next.
8. On the Conditions page, click Path, and then click Next.
9. Click Browse Files, in the File name box, type C:\Program Files\Windows Media Player
\wmplayer.exe, and then click Open.
10. Click Next twice, and then click Create.
11. Click Yes when prompted to create default rules.
Task 2: Enforce AppLocker rules
1. In the Local Group Policy Editor, right-click AppLocker, and then click Properties.
2. On the Enforcement tab, under Executable rules, select the Configured check box, click Enforce
rules, and then click OK.
3. Close the Local Group Policy Editor.
4. Select Windows PowerShell from the Administrative menu by pressing Windows logo key+X.
5. At the Windows PowerShell command prompt, type gpupdate /force, and then press Enter. Wait for
the policy to update.
6. Sign out from LON-CL1.

Results: After completing this exercise, you should have created the required AppLocker rule
successfully.
Exercise 2: Testing the AppLocker Rules
Task 1: Confirm the executable rule enforcement
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. Select Computer Management from the Administrative menu by pressing Windows logo key+X.
Expand Event Viewer, expand Windows Logs, and then click System.
3. In the results pane, locate and click the latest event with Event ID 1502.
4. Review event message details under the General tab.
5. Expand Services and Applications, and then click Services.
6. Right-click the Application Identity service, and then click Start.
7. Sign out from LON-CL1.
Task 2: Test the enforcement
1. Sign in to LON-CL1 as Adatum\Holly with password Pa$$w0rd.
2. Type Media Player at the Start screen, and then click Windows Media Player.
3. Sign out, and then sign in as Adatum\Administrator with password Pa$$w0rd.
4. Select Event Viewer from the Administrative menu by pressing Windows logo key+X.
5. In Event Viewer, expand Application and Services Logs, expand Microsoft, expand Windows,
expand AppLocker, and then click EXE and DLL.
6. Review the entries in the results pane. Locate Event ID 8004. This shows that Holly attempted to run a
prohibited application.
7. Close Event Viewer.
8. Sign out.

Results: After completing this exercise, you should have verified the function of your executable
AppLocker rule successfully.
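The same verification done from PowerShell, as an added example that is not part of the lab: it checks the Application Identity service, asks the effective policy what it would decide for Holly without running anything, and pulls the AppLocker decision events that Task 2 reads in Event Viewer. It assumes the lab's values (the wmplayer.exe path rule, the user Adatum\Holly) and runs as Administrator on LON-CL1.

```powershell
# Added example, not from the lab: evaluates the Lab B rule for a user without running
# anything, then reads the AppLocker events Exercise 2 looks at in Event Viewer.
# Assumes the lab's values: the wmplayer.exe path rule and the user Adatum\Holly.
$target = 'C:\Program Files\Windows Media Player\wmplayer.exe'
$user   = 'Adatum\Holly'

# 1. Rules are only evaluated while the Application Identity service runs
#    (Exercise 2, Task 1, step 6), so report its state rather than assume it.
$appId = Get-Service -Name AppIDSvc
"Application Identity service: $($appId.Status)"

# 2. Ask the effective policy what would happen. PolicyDecision is Allowed, Denied,
#    AllowedByDefault or DeniedByDefault; MatchingRule names the rule that decided it.
$policy = Get-AppLockerPolicy -Effective
Test-AppLockerPolicy -PolicyObject $policy -Path $target -User $user |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-List

# 3. The EXE and DLL log records each decision: 8002 allowed, 8003 would have been
#    blocked (audit-only mode), 8004 blocked (enforce mode). Reading all three makes a
#    policy left in audit mode visible as 8003s instead of looking like "nothing happened".
function Get-AppLockerDecision {
    param([int]$MaxEvents = 50)

    $filter = @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8002, 8003, 8004 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The details live in the event's UserData/RuleAndFileData block. TargetUser is a
            # SID and FilePath uses AppLocker's path variables such as %PROGRAMFILES%.
            $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
            $sid  = New-Object System.Security.Principal.SecurityIdentifier $data.TargetUser
            try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $account = $data.TargetUser }   # unresolvable SID: keep the raw value

            $decision = switch ($_.Id) {
                8002 { 'Allowed' }
                8003 { 'Audit: would block' }
                8004 { 'Blocked' }
            }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Decision = $decision
                User     = $account
                FilePath = $data.FilePath
                Rule     = $data.RuleName
            }
        }
}

# Task 2, step 6, as a query: every decision recorded for the Media Player executable.
Get-AppLockerDecision | Where-Object FilePath -like '*wmplayer.exe' | Format-Table -AutoSize
```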
Prepare for the next module
When you have finished the lab, revert all virtual machines to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.

Module 12: Optimizing and Maintaining Windows 8.1 Computers
Lab A: Optimizing Windows 8.1 Performance
Exercise 1: Creating a Performance Baseline
Task 1: Establish a performance baseline
1. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
2. At the bottom left corner, right-click the Windows icon and then click Control Panel.
3. Click System and Security, and then click Administrative Tools.
4. Double-click Performance Monitor.
5. In Performance Monitor, in the navigation pane, expand Data Collector Sets.
6. Expand User Defined, right-click User Defined, point to New, and then click Data Collector Set.
7. In the Create new Data Collector Set Wizard, on the How would you like to create this new data
collector set? page, in the Name box, type Adatum Baseline.
8. Click Create manually (Advanced), and then click Next.
9. On the What type of data do you want to include? page, select the Performance counter check
box, and then click Next.
10. On the Which performance counters would you like to log? page, in the Sample interval box,
type 1, and then click Add.
11. In the Available counters list, expand Memory, select Pages/sec, and then click Add.
12. In the Available counters list, expand Network Interface, select Packets/sec, and then click Add.
13. In the Available counters list, expand PhysicalDisk, select % Disk Time, and then click Add.
14. Under PhysicalDisk, select Avg. Disk Queue Length, and then click Add.
15. In the Available counters list, expand Processor, select % Processor Time, and then click Add.
16. In the Available counters list, expand System, select Processor Queue Length, click Add, and then
click OK.
17. On the Which performance counters would you like to log? page, click Next.
18. On the Where would you like the data to be saved? page, click Next.
19. On the Create the data collector set? page, click Finish.
20. In Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then click Start.
21. Pause the pointer over the lower-right corner of the desktop, and then click Start.
22. On the Start screen, click the down arrow, and then in Apps click Word 2013.
23. In the User Name dialog box, click OK.
24. In Microsoft Word 2013, if prompted to Help Protect and Improve Microsoft Office, click Don't make changes, and then click OK.
25. Pause the pointer over the lower-right corner of the desktop, and then click Start.
26. On the Start screen, click the down arrow and then in Apps click Excel 2013.
27. Pause the pointer over the lower-right corner of the desktop, and then click Start.
28. On the Start screen, click the down arrow and then in Apps click PowerPoint 2013.
29. Close all open Microsoft Office apps, and then switch to Performance Monitor.
30. In the navigation pane, right-click Adatum Baseline, and then click Stop.
Task 2: View the baseline report
1. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Adatum Baseline, and then click the report that has a name that begins with LON-CL1.
2. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
3. Record the following values:
o Memory\Pages/sec
o Network Interface\Packets/sec
o PhysicalDisk\% Disk Time
o PhysicalDisk\Avg. Disk Queue Length
o Processor\% Processor Time
o System\Processor Queue Length

Results: After completing this exercise, you should have created a performance baseline.
Exercise 2: Introducing Additional Workload
Task 1: Create a load on the computer
1. On LON-CL1, in Performance Monitor, in the navigation pane, right-click Adatum Baseline, and then
click Start.
2. From the Start screen, type cmd, and then click Command Prompt.
3. In the Administrator: Command Prompt window, type E:\Labfiles\Mod12\Load.cmd, and then press
Enter.

Results: After completing this exercise, you should have generated additional load on the computer.
Exercise 3: Measuring System Responsiveness Under Load
Task 1: Identify performance bottlenecks in the computer
1. Switch to the Administrative Tools window.
2. Double-click Resource Monitor.
3. In Resource Monitor, which components are under strain?
Answers will vary depending on the usage scenario and host configuration, although the central
processing unit (CPU) and network likely are being used heavily.
4. After a few minutes, click OK at the prompt, and then close the instance of
C:\Windows\System32\Cmd.exe that the script launched, if necessary.
5. Switch to Performance Monitor.
6. In the navigation pane, right-click Adatum Baseline, and then click Stop.
7. In Performance Monitor, in the navigation pane, expand Reports, expand User Defined, expand
Adatum Baseline, and then click the second report that has a name that begins with LON-CL1.
8. View the chart. On the menu bar, click the drop-down arrow, and then click Report.
9. Record the component details:
o Memory\Pages/sec
o Network Interface\Packets/sec
o PhysicalDisk\% Disk Time
o PhysicalDisk\Avg. Disk Queue Length
o Processor\% Processor Time
o System\Processor Queue Length
10. In your opinion, which components are affected the most?
The script is affecting the CPU and network. However, no resources are approaching limits.
11. Close all open windows and programs, and then go back to the Start screen.

Results: After completing this exercise, you should have identified the computer's performance bottleneck.
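Exercises 1 to 3 record the same six counters twice, once idle and once under Load.cmd, and compare them by eye. The script below, an added example rather than part of the lab, does the same with Get-Counter: it samples the six counters once per second (the lab's interval), saves the first run as the baseline and flags counters whose average grew by more than a chosen factor in a later run. The baseline file path and the 2x growth threshold are this example's own choices.

```powershell
# Added example, not part of the lab: scripted version of the baseline / load / compare
# workflow using the six counters from the "Adatum Baseline" data collector set.

$BaselinePath = Join-Path $env:USERPROFILE 'AdatumBaseline.xml'
$CounterPaths = @(
    '\Memory\Pages/sec',
    '\Network Interface(*)\Packets/sec',
    '\PhysicalDisk(_Total)\% Disk Time',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length'
)

function Get-CounterSummary {
    param([int]$Seconds = 60)
    # One sample set per second for the requested duration
    $samples = Get-Counter -Counter $CounterPaths -SampleInterval 1 -MaxSamples $Seconds
    $samples.CounterSamples |
        Group-Object Path |
        ForEach-Object {
            $m = $_.Group | Measure-Object CookedValue -Average -Maximum
            [pscustomobject]@{
                # Strip the leading \\COMPUTER so baselines compare across machines
                Counter = ($_.Name -replace '^\\\\[^\\]+', '')
                Average = [math]::Round($m.Average, 2)
                Maximum = [math]::Round($m.Maximum, 2)
            }
        }
}

function Save-Baseline {
    param([int]$Seconds = 60)
    $summary = Get-CounterSummary -Seconds $Seconds
    $summary | Export-Clixml -Path $BaselinePath
    $summary
}

function Compare-ToBaseline {
    param(
        [int]$Seconds = 60,
        # Flag counters whose average grew by more than this factor over the baseline
        [double]$GrowthFactor = 2.0
    )
    if (-not (Test-Path $BaselinePath)) { throw "No baseline at $BaselinePath; run Save-Baseline first." }
    $baseline = @{}
    Import-Clixml -Path $BaselinePath | ForEach-Object { $baseline[$_.Counter] = $_ }

    foreach ($now in Get-CounterSummary -Seconds $Seconds) {
        $base = $baseline[$now.Counter]
        if (-not $base) { continue }
        # An idle baseline average of 0 is common for disk and network; avoid dividing by it
        $ratio = if ($base.Average -gt 0) { [math]::Round($now.Average / $base.Average, 2) } else { $null }
        [pscustomobject]@{
            Counter = $now.Counter
            BaseAvg = $base.Average
            LoadAvg = $now.Average
            LoadMax = $now.Maximum
            Ratio   = $ratio
            # Growth shows which component the load hits; whether it is a bottleneck still
            # depends on the absolute values (the lab's answer: CPU and network rise, nothing saturates)
            Suspect = ($ratio -ne $null -and $ratio -ge $GrowthFactor)
        }
    }
}

# Usage: before Load.cmd   -> Save-Baseline -Seconds 60 | Format-Table -AutoSize
#        while Load.cmd runs -> Compare-ToBaseline -Seconds 60 | Format-Table -AutoSize
```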
To prepare for the next lab
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Lab B: Maintaining Windows Updates
Exercise 1: Configuring Windows Update
Task 1: Verify that Automatic Updates are disabled
1. Switch to LON-CL1, and from the Start screen, click Desktop.
2. Pause the pointer in the lower-right corner of the display, and then click Settings.
3. Click Control Panel, and then click System and Security.
4. Click Windows Update, and then click Change settings.
5. Click Never check for updates (not recommended), and then click OK.
Task 2: Enable Automatic Updates in Group Policy
1. Switch to LON-DC1, and then sign in as Adatum\Administrator with password Pa$$w0rd.
2. Pause the pointer over the lower-right corner of the desktop display, and then click Start.
3. On the Start screen, click Administrative Tools, and then double-click Group Policy Management.
4. If necessary, expand Forest: Adatum.com, expand Domains, and then expand Adatum.com.
5. Right-click Default Domain Policy, and then click Edit.
6. Under Computer Configuration, expand Policies, expand Administrative Templates, expand
Windows Components, and then click Windows Update.
7. In the results pane, double-click Configure Automatic Updates.
8. In the Configure Automatic Updates window, click Enabled.
9. In the Configure automatic updating box, click 4 - Auto download and schedule the install, and then click OK.
10. Close the Group Policy Management Editor window.
11. Close the Group Policy Management window.
Task 3: Verify that the Automatic Updates setting from the Group Policy Object is
being applied
1. Switch to LON-CL1.
2. Pause the pointer in the lower-right corner of the display, and then click Start.
3. On the Start screen, type Command.
4. Click Command Prompt.
5. At the command prompt, type gpupdate /force, and then press Enter.
6. Close the Command Prompt window.
7. Switch to Windows Update.
8. Notice that your computer is now configured for Automatic Updates.

Results: After completing this exercise, you should have configured Windows Update settings by using
Group Policy Objects.
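Step 8 of Task 3 asks you to "notice" in the Windows Update UI that the setting is now policy-controlled. The script below, added here and not part of the lab, makes that check explicit on LON-CL1 by reading the Windows Update policy registry key and confirming that the Default Domain Policy is applied to the computer; the value meanings are the documented AUOptions values.

```powershell
# Added example, not part of the lab: confirm on LON-CL1 that Automatic Updates are set
# by Group Policy (the policy key wins over the local "Never check for updates" choice
# made in Task 1). Run elevated so gpresult can read the computer scope.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$AUOptionsText = @{
    2 = 'Notify before download'
    3 = 'Auto download and notify for install'
    4 = 'Auto download and schedule the install'
    5 = 'Allow local admin to choose setting'
}

function Get-WindowsUpdatePolicyState {
    $result = [ordered]@{
        PolicyKeyPresent = Test-Path $PolicyKey
        NoAutoUpdate     = $null
        AUOptions        = $null
        AUOptionsText    = 'Not configured by policy'
        ManagedByPolicy  = $false
        MatchesLab       = $false
    }
    if ($result.PolicyKeyPresent) {
        $au = Get-ItemProperty -Path $PolicyKey
        $result.NoAutoUpdate = $au.NoAutoUpdate
        $result.AUOptions    = $au.AUOptions
        if ($au.NoAutoUpdate -eq 1) {
            $result.AUOptionsText = 'Automatic Updates disabled by policy'
        } elseif ($au.AUOptions -ne $null) {
            $result.AUOptionsText = $AUOptionsText[[int]$au.AUOptions]
        }
        $result.ManagedByPolicy = ($au.NoAutoUpdate -ne $null -or $au.AUOptions -ne $null)
        # The lab's GPO enables the policy with option 4
        $result.MatchesLab = ($au.NoAutoUpdate -ne 1 -and $au.AUOptions -eq 4)
    }
    [pscustomobject]$result
}

function Test-DefaultDomainPolicyApplied {
    # gpresult /r lists the GPOs under "Applied Group Policy Objects" for the computer
    $text = gpresult /r /scope:computer 2>&1 | Out-String
    $text -match 'Default Domain Policy'
}

gpupdate /force | Out-Null
Get-WindowsUpdatePolicyState | Format-List
"Default Domain Policy applied to computer: $(Test-DefaultDomainPolicyApplied)"
```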
To prepare for the next module
When you have finished the lab, revert all virtual machines back to their initial state:
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.

Module 13: Configuring Mobile Computing and Remote Access
Lab A: Configuring a Power Plan
Exercise 1: Creating and Configuring a New Power Plan
Task 1: Create a power plan on Adam's laptop computer
1. Sign in to LON-CL1 as Adatum\Adam with password Pa$$w0rd.
2. On the Start screen, type Control Panel.
3. Click Control Panel.
4. Click System and Security, and then click Power Options.
5. On the left, click Create a power plan.
6. On the Create a power plan page, click Power saver.
7. In the Plan name box, type Adam's power-saving plan, and then click Next.
8. On the Change settings for the plan: Adam's power-saving plan page, click Create.
Task 2: Configure the power plan
1. In Power Options, next to Adam's power-saving plan, click Change plan settings.
2. On the Change settings for the plan: Adam's power-saving plan page, click Change advanced power settings.
3. Configure the following properties for the plan, and then click OK.
o Turn off hard disk after: 3 minutes
o Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving
o Power buttons and lid, Power button action: Shut down
4. On the Change settings for the plan: Adam's power-saving plan page, click Cancel.
5. Close Power Options.
6. Sign out from LON-CL1.

Results: After completing this exercise, you should have successfully created and configured a suitable power plan for Adam's laptop computer.
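The same plan can be built from the command line, which is how it would be pushed to many laptops. The script below is an added example, not part of the lab: the Power saver scheme GUID and the SUB_DISK/DISKIDLE and SUB_BUTTONS/PBUTTONACTION aliases are documented powercfg values; the Wireless Adapter Settings subgroup and Power Saving Mode GUIDs are taken from powercfg /query output and should be confirmed the same way on your build.

```powershell
# Added example, not part of the lab: create and configure "Adam's power-saving plan"
# with powercfg instead of the Power Options UI, then read two settings back.

$PowerSaverScheme  = 'a1841308-3541-4fab-bc81-f71556f20b4a'  # built-in Power saver
$WirelessSubgroup  = '19cbb8fa-5279-450e-9fac-8a3d5fedd0c1'  # Wireless Adapter Settings
$WirelessPowerMode = '12bbebe6-58d6-4636-95bb-3217ef867c1a'  # Power Saving Mode (3 = Maximum Power Saving)

function New-AdamPowerPlan {
    param([string]$Name = "Adam's power-saving plan")
    # /duplicatescheme prints "Power Scheme GUID: <guid>  (Power saver)"; capture the new GUID
    $out = powercfg /duplicatescheme $PowerSaverScheme | Out-String
    if ($out -match '([0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})') {
        $guid = $Matches[1]
    } else {
        throw "powercfg did not return a scheme GUID: $out"
    }
    powercfg /changename $guid $Name | Out-Null

    # Turn off hard disk after 3 minutes (value is in seconds), on battery and on AC
    powercfg /setdcvalueindex $guid SUB_DISK DISKIDLE 180
    powercfg /setacvalueindex $guid SUB_DISK DISKIDLE 180
    # Wireless Adapter Settings -> Power Saving Mode: Maximum Power Saving
    powercfg /setdcvalueindex $guid $WirelessSubgroup $WirelessPowerMode 3
    powercfg /setacvalueindex $guid $WirelessSubgroup $WirelessPowerMode 3
    # Power button action: Shut down (0 Do nothing, 1 Sleep, 2 Hibernate, 3 Shut down)
    powercfg /setdcvalueindex $guid SUB_BUTTONS PBUTTONACTION 3
    powercfg /setacvalueindex $guid SUB_BUTTONS PBUTTONACTION 3
    $guid
}

function Get-PlanSettingDcValue {
    param([string]$SchemeGuid, [string]$Subgroup, [string]$Setting)
    # /query reports "Current DC Power Setting Index: 0x000000b4"; convert the hex index
    $q = powercfg /query $SchemeGuid $Subgroup $Setting | Out-String
    if ($q -match 'Current DC Power Setting Index:\s*0x([0-9a-fA-F]+)') {
        [convert]::ToInt32($Matches[1], 16)
    }
}

$plan = New-AdamPowerPlan
"Plan GUID:          $plan"
"Disk idle (s):      $(Get-PlanSettingDcValue $plan SUB_DISK DISKIDLE)"
"Power button value: $(Get-PlanSettingDcValue $plan SUB_BUTTONS PBUTTONACTION)"
```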
To prepare for the next lab
When you have finished the lab, leave the virtual machines running, as they are needed for the next lab.
Lab B: Implementing DirectAccess by Using
the Getting Started Wizard
Exercise 1: Configuring DirectAccess
Task 1: Install the Remote Access server role
1. On LON-SVR2, in Server Manager, click Manage, and then click Add Roles and Features.
2. In the Add Roles and Features Wizard window, click Next.
3. On the Select installation type page, click Next.
4. On the Select destination server page, click Next.
5. On the Select server roles page, click Remote Access, and then click Next.
6. On the Select features page, click Next.
7. On the Remote Access page, click Next.
8. On the Select role services page, click DirectAccess and VPN (RAS), and then in the Add Roles and
Features Wizard window, click Add Features, and then click Next.
9. On the Confirm installation selections page, click Install.
10. After the install is finished, click Close.
Task 2: Create a security group for DirectAccess clients
1. On LON-DC1, in Server Manager, click Tools, and then click Active Directory Users and Computers.
2. In Active Directory Users and Computers, right-click the Users container, click New, and then click
Group.
3. In the New Object - Group window, type DA_Clients in the Group name box, and then click OK.
4. Double-click the Users container.
5. Right-click DA_Clients, and then click Properties.
6. In the Properties window, click the Members tab, and then click Add.
7. Click Object Types, select Computers, and then click OK.
8. Type LON-CL1, and then click OK.
9. In the DA_Clients Properties window, click OK.
10. Close Active Directory Users and Computers.
Task 3: Configure DirectAccess by using the Getting Started Wizard
1. Switch to LON-SVR2.
2. On LON-SVR2, in Server Manager, click Tools, and then select Remote Access Management.
3. In the Remote Access Management Console window, under Configuration, click DirectAccess and
VPN.
4. Click Run the Getting Started Wizard.
5. On the Configure Remote Access page, click Deploy DirectAccess only.
6. Verify that Edge is selected, and in the Type the public name or IPv4 address used by clients to
connect to the Remote Access server box, type 131.107.0.2, and then click Next.
7. On the Configure Remote Access page, click the here link.
8. On the Remote Access Review page, verify that two GPO objects have been created: DirectAccess
Server Settings and DirectAccess Client Settings.
9. Next to Remote Clients, click Change.
10. In the Remote Access Setup window, click Domain Computers (ADATUM\Domain Computers),
and then click Remove.
11. Click Add.
12. In the Select Groups window, type DA_Clients, and then click OK.
13. Clear the Enable DirectAccess for mobile computers only check box, and then click Next.
14. On the DirectAccess Client Setup page, click Finish.
15. On the Remote Access Review page, click OK.
16. On the Configure Remote Access page, click Finish to finish the DirectAccess wizard.
17. In the Applying Getting Started Wizard Settings dialog box, click Close.
18. Restart LON-SVR2.
19. Wait for LON-SVR2 to restart, and then sign in as Adatum\Administrator with a password of
Pa$$w0rd.
20. In Server Manager, click Tools, and then click Remote Access.
21. In the Remote Access Management console, click Operations Status.
All components should have a Status of Working and a green check mark beside them. If this is not the
case, click Refresh to update the Operations Status view. You might have to do this several times.

Results: After completing this exercise, you should have successfully configured DirectAccess by using the Getting Started Wizard.
Exercise 2: Validating the DirectAccess Deployment
Task 1: Verify the DirectAccess GPO deployment
1. When you configured the DirectAccess server, the wizard created two Group Policies and linked them
to the domain.
2. Restart LON-CL1 and sign in as Adatum\Administrator with a password of Pa$$w0rd to apply the
GPOs.
3. On LON-CL1, from the Start screen, type cmd, and then press Enter.
4. At the command prompt, type the following command, and then press Enter.
gpresult /R
5. Under the Computer Settings section, verify that the DirectAccess Client Settings Group Policy
Object (GPO) is applied.
Note: If the DirectAccess Client Settings GPO is not applied, restart LON-CL1, sign in as
Adatum\Administrator with password Pa$$w0rd, and then repeat steps 3 and 4 on LON-CL1.
6. At the command prompt, type the following command, and then press Enter.
netsh name show effectivepolicy
7. Verify that the following message is displayed: DNS Effective Name Resolution Policy Table Settings
Note: DirectAccess settings are inactive when this computer is inside a corporate network.
8. To move the client from the intranet to the public network, go to the Start screen, type ncpa.cpl, and
then press Enter.
9. In the Network Connections window, right-click the Ethernet connection, and then click Disable.
10. In the Network Connections window, right-click the Ethernet 2 connection, and then click Enable.
11. Close the Network Connections window.
12. Close all open windows.
Task 2: Test DirectAccess connectivity
1. Switch to LON-SVR1.
2. Click the File Explorer icon on the taskbar, and in the This PC window, double-click Local Disk (C:).
3. In the Local Disk (C:) window, right-click in the empty space in the details pane, click New, click
Folder, type Data, and then press Enter.
4. In the Local Disk (C:) window, right-click Data, click Share with, and then click Specific people.
5. In the File Sharing window, from the drop-down list, select Everyone, click Add, click Share, and then
click Done.
6. Switch to LON-CL1.
7. On the Start screen, type \\LON-SVR1\Data, and then press Enter. Note that you are able to access
the folder content.
8. Close all open windows.
9. Move the pointer to the lower-right corner of the screen, and in the notification area, click search,
and in the search box, type cmd.
10. At the command prompt, type ipconfig, and then press Enter.
Note: Notice the IP address for Tunnel adapter iphttpsinterface starts with 2002. This is an
Internet Protocol over Secure Hypertext Transfer Protocol (IP-HTTPS) address.
11. At the command prompt, type the following, and then press Enter.
Netsh name show effectivepolicy
12. Verify that DNS Effective Name Resolution Policy Table Settings present two entries for
adatum.com and Directaccess-NLS.Adatum.com.
13. At the command prompt, type the following command, and then press Enter.
Powershell
14. At the command prompt in the Windows PowerShell command-line interface, type the following command, and then press Enter.
Get-DAClientExperienceConfiguration
Note: Notice the DirectAccess client settings.
15. Switch to LON-SVR2.
16. Switch to the Remote Access Management console.
17. In the Remote Access Management console, click Remote Client Status.
Note: Notice that Client is connected via IPHttps. In the Connection Details pane, in the
bottom-right of the screen, note the use of the Kerberos version 5 protocol for the Machine and
the User.
18. Close all open windows.
Results: After completing this exercise, you should have successfully validated the DirectAccess
deployment.
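Exercise 2 verifies the client one command at a time (gpresult, netsh name show effectivepolicy, ipconfig, Get-DAClientExperienceConfiguration). The script below is an added example, not part of the lab, that runs the equivalent checks from one place on LON-CL1 once it is on the "public" network, using the built-in Windows 8.1 DnsClient, NetworkTransition and NetworkConnectivityStatus cmdlets; the expected NRPT namespaces and the \\LON-SVR1\Data share are the lab's values.

```powershell
# Added example, not part of the lab: client-side DirectAccess validation on LON-CL1.
# Run elevated; expected to pass only while the client is outside the corporate network.

function Test-DaClientGpoApplied {
    # Same check as the lab's gpresult /R step, for the computer scope
    $text = gpresult /r /scope:computer 2>&1 | Out-String
    $text -match 'DirectAccess Client Settings'
}

function Get-NrptCheck {
    # The effective NRPT is empty while the Network Location Server is reachable (inside)
    # and lists the corporate suffix plus the NLS exemption once the client is outside.
    $names = @(Get-DnsClientNrptPolicy -Effective -ErrorAction SilentlyContinue |
               ForEach-Object { $_.Namespace.ToLower() })
    [pscustomobject]@{
        RuleCount   = $names.Count
        Namespaces  = ($names -join ', ')
        HasSuffix   = [bool]($names | Where-Object { $_ -eq '.adatum.com' -or $_ -eq 'adatum.com' })
        HasNlsEntry = [bool]($names | Where-Object { $_ -eq 'directaccess-nls.adatum.com' })
    }
}

function Get-IpHttpsCheck {
    # The lab notes the Tunnel adapter iphttpsinterface address begins with 2002 (6to4-derived prefix)
    $state = Get-NetIPHttpsState -ErrorAction SilentlyContinue
    $addr  = Get-NetIPAddress -InterfaceAlias 'iphttpsinterface' -AddressFamily IPv6 -ErrorAction SilentlyContinue |
             Where-Object { $_.IPAddress -notlike 'fe80*' } | Select-Object -First 1
    [pscustomobject]@{
        InterfaceStatus = $state.InterfaceStatus
        LastErrorCode   = $state.LastErrorCode
        Address         = $addr.IPAddress
        Has2002Prefix   = [bool]($addr.IPAddress -like '2002:*')
    }
}

function Get-DaConnectionCheck {
    $da = Get-DAConnectionStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Status         = $da.Status      # ConnectedRemotely outside, ConnectedLocally inside
        Substatus      = $da.Substatus
        ShareReachable = Test-Path -Path '\\LON-SVR1\Data'   # the share created in Task 2
    }
}

function Test-DirectAccessClient {
    $nrpt = Get-NrptCheck
    $tun  = Get-IpHttpsCheck
    $conn = Get-DaConnectionCheck
    $checks = [ordered]@{
        'DA client GPO applied'        = Test-DaClientGpoApplied
        'NRPT has adatum.com suffix'   = $nrpt.HasSuffix
        'NRPT has NLS exemption'       = $nrpt.HasNlsEntry
        'IP-HTTPS address has 2002:'   = $tun.Has2002Prefix
        'Connected remotely'           = ($conn.Status -eq 'ConnectedRemotely')
        'Intranet share reachable'     = $conn.ShareReachable
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
    }
}

Test-DirectAccessClient | Format-Table -AutoSize
Get-DAClientExperienceConfiguration | Format-List   # the cmdlet the lab runs in step 14
```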
To prepare for the next lab
When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-SVR1, 20687C-LON-SVR2, and 20687C-LON-DC1.

Lab C: Implementing Remote Desktop
Exercise 1: Configuring a Remote Desktop Connection
Task 1: Enable Remote Desktop through the firewall, and enable Remote Desktop on Adam's office computer
1. On LON-CL1, from the Start screen, type Control Panel, and then click the Control Panel tile.
2. Click System and Security.
3. Under Windows Firewall, click Allow an app through Windows Firewall.
4. In the Name list, select Remote Desktop, and then enable the application for each of the network
profiles: Domain, Private, and Public. Click OK.
5. In System and Security, click Allow remote access.
6. In the System Properties dialog box, under Remote Desktop, click Allow remote connections to
this computer.
7. Click Select Users and click Add.
8. In the Select Users or Groups dialog box, in the Enter the object names to select (examples) box,
type Adam, click Check Names, and then click OK.
9. In the Remote Desktop Users dialog box, click OK.
10. In the System Properties dialog box, click OK.
11. Close all open windows.
12. Switch to the LON-CL2 virtual machine, and then sign in as Adatum\Administrator with password
Pa$$w0rd.
13. On the Start screen, type mstsc, and then click Remote Desktop Connection.
14. In the Remote Desktop Connection dialog box, in the Computer box, type lon-cl1, and then click
Show Options.
15. Click the Advanced tab.
16. Under Server authentication, in the If server authentication fails drop-down list, click Connect and don't warn me.
Task 2: Connect to the remote computer with Remote Desktop
1. On LON-CL2, in the Remote Desktop Connection dialog box, click Connect.
2. In the Windows Security dialog box, click Use another account.
3. In the User name box, type Adatum\Adam, and in the Password box, type Pa$$w0rd, and then
click OK.
4. When prompted, click Yes to proceed with the logon.
5. On the Start screen, type This PC, right-click This PC, and then click Properties.
6. Notice the computer name.
7. Close the Remote Desktop session. In the Remote Desktop Connection dialog box, click OK.
8. Close all open windows.
9. Switch to the LON-CL1 virtual machine.
10. Notice that you have been signed out.

Results: After completing this exercise, you should have successfully verified that Remote Desktop is
functional.
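Two choices in this lab are convenient in a classroom but worth a second look elsewhere: Remote Desktop is allowed on the Public firewall profile, and the client is told to connect even when server authentication fails. The script below, an added example and not part of the lab, reads the resulting configuration back (server side on LON-CL1, client side on LON-CL2 as the user who ran mstsc) so an administrator can review it; registry paths and the "Remote Desktop" firewall group are the built-in Windows locations, and the findings text is this example's own.

```powershell
# Added example, not part of the lab: report the Remote Desktop posture the lab leaves behind.

function Get-RemoteDesktopServerPosture {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    # Enabled rules in the built-in "Remote Desktop" group and the profiles they cover
    $rules    = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    $profiles = @($rules | ForEach-Object { $_.Profile.ToString() -split ',\s*' } | Select-Object -Unique)

    # Local "Remote Desktop Users" membership via ADSI (Windows 8.1 has no Get-LocalGroupMember);
    # the lab adds Adatum\Adam here
    $group   = [ADSI]'WinNT://./Remote Desktop Users,group'
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    })

    $findings = @()
    if ($profiles -contains 'Public' -or $profiles -contains 'Any') {
        $findings += 'Remote Desktop is allowed on the Public firewall profile'
    }
    if ($tcp.UserAuthentication -ne 1) {
        $findings += 'Network Level Authentication is not required (UserAuthentication is not 1)'
    }
    if ($tcp.SecurityLayer -eq 0) {
        $findings += 'SecurityLayer 0: RDP security layer only, no TLS'
    }

    [pscustomobject]@{
        RemoteConnectionsAllowed = ($ts.fDenyTSConnections -eq 0)
        NlaRequired              = ($tcp.UserAuthentication -eq 1)
        SecurityLayer            = $tcp.SecurityLayer        # 0 RDP, 1 Negotiate, 2 TLS
        FirewallProfiles         = ($profiles -join ', ')
        RemoteDesktopUsers       = ($members -join ', ')
        Findings                 = $findings
    }
}

function Get-RemoteDesktopClientPosture {
    # mstsc saves the Advanced tab choice in the hidden Default.rdp as "authentication level:i:N":
    # 0 = connect and don't warn me (the lab's choice), 1 = do not connect, 2 = warn me (default)
    $rdpFile = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'Default.rdp'
    if (-not (Test-Path $rdpFile)) { return [pscustomobject]@{ DefaultRdpFound = $false } }
    $line  = Get-Content -Path $rdpFile -Force |
             Where-Object { $_ -like 'authentication level:i:*' } | Select-Object -First 1
    $level = if ($line) { [int]($line -replace '^authentication level:i:', '') } else { $null }
    [pscustomobject]@{
        DefaultRdpFound      = $true
        AuthenticationLevel  = $level
        WarnsOnBadServerCert = ($level -ne 0)
        Finding = $(if ($level -eq 0) { 'Client connects even when server authentication fails' } else { $null })
    }
}

Get-RemoteDesktopServerPosture | Format-List
Get-RemoteDesktopClientPosture | Format-List
```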
To prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL2, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-CL1 and 20687C-LON-DC1.


Module 14: Recovering Windows 8.1
Lab: Recovering Windows 8.1
Exercise 1: Configuring and Using File History
Task 1: Create a share for File History
1. On LON-DC1, on the taskbar, click File Explorer. In the navigation pane, click Local Disk (C:).
2. In File Explorer, in the details pane, right-click an empty space, point to New, and then click Folder.
Type FileHistory as the folder name, and then press Enter.
3. Right-click the FileHistory folder, and then click Properties.
4. In the FileHistory Properties dialog box, on the Security tab, click Edit. Click Add, enter Domain in
the Enter the object names to select box, and then click OK. Click Domain Users, and then click
OK.
5. In the Permissions for Domain Users section, in the Allow column, select the Full control check box,
and click OK.
6. On the Sharing tab, click Advanced Sharing.
7. Select the Share this folder check box, and then click Permissions. In the Permissions for Everyone
section, in the Allow column, click Full Control, and then click OK twice.
8. In the FileHistory Properties dialog box, click Close.
Task 2: Configure and use File History
1. On LON-CL1, on the Start screen, type file, and then click File Explorer.
2. In File Explorer, in the navigation pane, expand This PC, and then click Documents.
3. Right-click in the details pane, point to New, click Microsoft Word Document, and then name the
document Recovery file.
4. Double-click Recovery file.docx.
5. In the Microsoft Office Activation Wizard, click Close, select Ask me later, and then click Accept.
6. Close the Welcome to your new Office window.
7. In Word, type This document is modified.
8. In Word, save the file by pressing Ctrl+S, and then close Word.
9. On the desktop, right-click the Start icon, and then click Control Panel.
10. In Control Panel, in the Search Control Panel field, type history, and then click File History.
11. In the File History dialog box, in the navigation pane, click the Select drive link.
12. In Select Drive, click Add network location, in the Folder field, type \\LON-DC1\FileHistory, click
Select Folder, and then click OK.
13. In the File History dialog box, in the details pane, click Turn on.
14. In the File History dialog box, in the navigation pane, click Advanced settings. Review the options,
and then click Cancel.
15. In File Explorer, in the navigation pane, click Documents.
16. In File Explorer, right-click Recovery file.docx, press the Shift key, and then select Delete. Click Yes
in the Delete File dialog box.
17. In File Explorer, click the Home tab, and then click History.
18. In Documents File History, right-click Recovery file.docx, and then click Restore.
19. In File Explorer, notice that the Word document has been recovered.
20. Double-click Recovery file.docx, and then verify that it has the content that you typed earlier.
21. Close File Explorer and the Documents File History window.
Task 3: Protect an additional folder with File History
1. On LON-CL1, in the File History dialog box, in the navigation pane, click Restore personal files.
2. In the Home File History window, verify that three file folders and four libraries are shown. Double-
click Documents, and then verify that only Recovery file is shown. Close Documents File History.
3. In File Explorer, click the View tab, select Options, and then select Change folder and search
options.
4. In the Folder Options dialog box, in the Navigation pane section, select Show libraries, and then
click OK.
5. In File Explorer, in the navigation pane, expand Libraries. Right-click the Documents library, and
then click Properties.
6. In the Documents Properties dialog box, click Add. In the Folder field, type E:\Labfiles\Docs, click
Include folder, and then click OK.
7. In the File History dialog box, in the details pane, click Run now.
8. In File Explorer, navigate to the E:\Labfiles\Docs folder. Right-click Windows.docx, press the Shift
key, and then select Delete. In the Delete File dialog box, click Yes.
9. In the File History dialog box, in the navigation pane, click Restore personal files.
10. In Home File History, double-click Documents. Right-click Windows.docx, select Restore to, in the
Folder field type E:\Labfiles, and then click Select Folder.
11. In File Explorer, verify that file Windows.docx is restored to the E:\Labfiles folder.
12. Close File Explorer, File History, and the Documents File History window.

Results: After completing this exercise, you should have configured and used the File History feature.
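Task 1 builds the FileHistory share by hand with Domain Users Full control on NTFS and Everyone Full Control on the share. The script below, an added example and not part of the lab, creates the same share on LON-DC1 and then reports both permission layers so they can be reviewed; the path, share name and groups are the lab's, the report is this example's.

```powershell
# Added example, not part of the lab: create the FileHistory share with the lab's
# permissions and report the resulting share and NTFS access. Run elevated on LON-DC1.

$SharePath = 'C:\FileHistory'
$ShareName = 'FileHistory'

function New-FileHistoryShare {
    if (-not (Test-Path $SharePath)) { New-Item -Path $SharePath -ItemType Directory | Out-Null }

    # NTFS: Domain Users Full control, inherited by subfolders and files
    $acl  = Get-Acl $SharePath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$env:USERDOMAIN\Domain Users",
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $SharePath -AclObject $acl

    # Share layer: Everyone Full Control as in the lab. Effective access is the more
    # restrictive of share and NTFS, so the NTFS ACL is what actually limits access here.
    if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $ShareName -Path $SharePath -FullAccess 'Everyone' | Out-Null
    }
}

function Get-FileHistoryShareReport {
    $share = Get-SmbShareAccess -Name $ShareName |
             Select-Object AccountName, AccessControlType, AccessRight
    $ntfs  = (Get-Acl $SharePath).Access |
             Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited
    [pscustomobject]@{
        SharePermissions = $share
        NtfsPermissions  = $ntfs
        # File History writes each user's backup under its own subfolder; with Domain Users
        # granted at the root, every domain user can read every other user's backup, which is
        # fine for the lab but worth tightening in production
        AllDomainUsersReadAllBackups = [bool]($ntfs | Where-Object {
            $_.IdentityReference -like '*\Domain Users' -and $_.FileSystemRights -match 'FullControl|Read'
        })
    }
}

New-FileHistoryShare
Get-FileHistoryShareReport | Format-List
```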
Exercise 2: Exploring Windows 8.1 Recovery Options
Task 1: Configuring System Restore
1. On LON-CL1, open File Explorer, in the navigation pane, right-click This PC, and then click
Properties.
2. In the System window, in the navigation pane, click System protection.
3. In the System Properties dialog box, in the Protection Settings section, select Local Disk (C:)
(System), click Configure, select Turn on system protection, and then click OK.
4. In the System Properties dialog box, click Create. Type Initial settings in the System Protection
dialog, click Create, and then click Close.
5. In the System Properties dialog box, click OK.
6. In File Explorer, navigate to the E:\Labfiles\Mod14 folder, and then double-click XmlNotepad.msi.
7. In the XML Notepad 2007 Setup Wizard, click Next, select I accept the terms in the License
Agreement, click Next two times, click Install, and then click Finish.
8. Close Internet Explorer.
9. Verify that an XML Notepad 2007 shortcut is on the desktop.
10. Right-click the desktop, point to New, click Text Document, type My document as its name, and
then press Enter.
11. On the toolbar, right-click the Start icon, and then click Device Manager.
12. In Device Manager, expand Keyboards, right-click Microsoft Hyper-V Virtual Keyboard, and then
select Update Driver Software.
13. In the Update Driver Software dialog box, select Browse my computer for driver software. Select
Let me pick from a list of device drivers on my computer, and then clear the Show compatible
hardware check box. In the Model section, select Microsoft Wireless Keyboard 700 v2.0
(106/109), click Next, click Yes in the Update Driver Warning box, and then click Close.
14. In Device Manager, verify that Microsoft Wireless Keyboard 700 v2.0 (106/109) is shown with an
exclamation point (!).
Task 2: Using System Restore
1. In File Explorer, in the navigation pane, right-click This PC, and select Properties.
2. In the System window, in the navigation pane, click System protection.
3. In the System Properties dialog box, click System Restore.
4. In the System Restore dialog box, click Next.
5. Select the Initial settings restore point, and then click Scan for affected programs. Verify that XML
Notepad 2007 is shown, as you installed it after the restore point was created. Click Close.
6. In the System Restore dialog box, click Next, click Finish, and then click Yes. Wait until LON-CL1 is
restarted and System Restore is performed.
7. Sign in to LON-CL1 as Adatum\Administrator with password Pa$$w0rd.
8. On the Start screen, click the Desktop tile.
9. In the System Restore dialog box, click Close. Verify that My document.txt is still on desktop and
that the XML Notepad 2007 shortcut is no longer present on the desktop.
10. On the toolbar, right-click the Start icon, and then click Device Manager.
11. In Device Manager, expand Keyboards, and then verify that Microsoft Hyper-V Virtual Keyboard is present. Microsoft Wireless Keyboard 700 v2.0 (106/109) was removed, as you added it after the restore point was created.
12. On the toolbar, click the File Explorer icon.
13. In File Explorer, in the navigation pane, right-click This PC, and then click Properties.
14. In the System window, in the navigation pane, click System protection.
15. In the System Properties dialog box, click System Restore.
16. In the System Restore dialog box, select Choose a different restore point, and then click Next.
17. In the System Restore dialog box, verify that the additional restore point with the description
Restore Operation and Type of Undo was created. Click Cancel.
18. On the toolbar, right-click the Start icon, select Shut down or sign out and then select Shut down.
Wait until LON-CL1 is turned off.
Task 3: Access Windows RE tools
1. On your host computer, in the 20687C-LON-CL1 on localhost Virtual Machine Connection
dialog box, on the Media menu, point to DVD Drive, and then click Insert Disk.
2. In the Open dialog box, in the File name box, type D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then click Open.
3. On the Action menu, click Start.
4. When you see the Press any key to boot from CD or DVD message, press Spacebar. Setup loads.
5. When prompted, in the Windows Setup dialog box, click Next.
6. On the Windows Setup page, click Repair your computer.
7. On the Choose an option page, click Troubleshoot.
8. On the Troubleshoot page, click Advanced options.
9. On the Advanced options page, click System Restore.
10. On the System Restore page, select Windows 8.1.
11. In the System Restore dialog box, click Next. Select the Restore Operation restore point, and then
click Scan for affected programs. Verify that XML Notepad 2007 is listed as a program that might
be restored. Click Close, and then click Cancel.
Note: You can use System Restore from the Windows Recovery Environment (RE).
12. On the Choose an option page, click Troubleshoot, and then click Advanced options.
13. On the Advanced options page, click Command Prompt.
14. At the command prompt, type bcdedit /enum, and then press Enter. Review the output and verify
that Windows 8.1 is listed as the default Windows Boot Loader operating system.
15. At the command prompt, type Bootrec /scanos, and then press Enter.
16. At the command prompt, type diskpart, and then press Enter.
17. At the command prompt, type list disk, and then press Enter.
18. At the command prompt, type list volume, and then press Enter.
19. At the command prompt, type exit, and then press Enter.
20. At the command prompt, type exit, and then press Enter.
21. On the Choose an option page, click Troubleshoot.
22. On the Troubleshoot page, click Advanced options.
23. On the Advanced options page, click Startup Repair.
24. On the Choose a target operating system page, click Windows 8.1. Startup Repair starts.
25. After a few seconds, the Startup Repair couldn't repair your PC page appears. This is because there
is nothing wrong with your computer. Click Advanced options.
26. On the Choose an option page, click Continue. Windows starts normally.
Task 4: Create a duplicate boot entry in the boot store
1. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, type cmd and then click Command Prompt.
3. At the command prompt, type the following command, and then press Enter:
bcdedit /copy {current} /d "Duplicate boot entry"
4. Verify the presence of Duplicate boot entry in the store by running the following command:
bcdedit /enum
5. At the command prompt, type shutdown /r, press Enter and then click Close.
Task 5: Enable advanced boot options
1. When the Windows operating system restarts, wait until the Choose an operating system menu
appears, and then click Change defaults or choose other options.
2. On the Options page, click Choose other options.
3. On the Choose an option page, click Troubleshoot.
4. On the Troubleshoot page, click Advanced options.
5. On the Advanced options page, click Startup Settings.
6. On the Startup Settings page, click Restart.
7. In the Startup Settings menu, type 4 to select and enable Safe Mode.
8. On LON-CL1, sign in as Adatum\Administrator with password Pa$$w0rd.
9. On your host computer, switch to Hyper-V Manager.
10. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
11. In the Revert Virtual Machine dialog box, click Revert.
12. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Start.
13. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Connect.

Results: After completing this exercise, you should have used various Windows 8.1 operating system
startup-recovery tools.
L14-104 Recovering Windows 8.1
Exercise 3: Introducing a Simulated Problem
Scenario
In this exercise, you will attempt to fix a computer that is running Windows 8.1. The computer does not
start successfully. You have an open help-desk ticket so that you can determine the likely cause of the
problem.
A. Datum Incident Record
Incident number: 161071
Date and time of call: Jan 25 10:45am
User: Adam Carter
Incident Details
Adam Carter has reported that his computer will not start properly.
Additional Information
Adam has been trying to install an additional operating system on his computer so that he can run a
specific line-of-business application. He abandoned the installation after getting only partway through
the process. Since then, his computer displays the following error message when it starts:
Windows Boot Manager.
File: \Boot\BCD
Status: 0xc0000034
Info: The Windows Boot Configuration Data (BCD) file is missing required information.

Plan of Action


Task 1: Read the help-desk Incident Record for Incident 161071
Read the help-desk Incident Record (in the exercise scenario in the student handbook) for Incident
161071.
Task 2: Update the Plan of Action section of the Incident Record
1. Read the Additional Information section of the Incident Record.
2. Update the Plan of Action section of the Incident Record with your recommendations.
Plan of Action:
Visit with the user, and then view the error on his computer.
Insert product installation DVD, and then restart the computer.
Use Windows RE to recover the startup environment by using the Command Prompt tool, and then
running Bootrec.exe /RebuildBCD to repair the boot store.
Task 3: Simulate the problem
1. Switch to LON-CL1, and then sign in as Adatum\Administrator with password Pa$$w0rd.
2. On the Start screen, click the Desktop tile.
3. From the taskbar, click File Explorer.
4. Browse to and run the E:\Labfiles\Mod14\Scenario1.vbs script.
5. Wait while LON-CL1 restarts.

Results: After this exercise, you should have reproduced the reported startup problem on Adam's
computer.
Exercise 4: Resolving a Problem
Task 1: Attempt to resolve the problem
1. Switch to LON-CL1.
2. On your host computer, in the 20687C-LON-CL1 on localhost Virtual Machine Connection
dialog box, on the Media menu, point to DVD Drive, and then click Insert Disk.
3. In the Open dialog box, in the File name box, type D:\Program Files\Microsoft Learning\20687\Drives\Win81Ent_Eval.iso, and then click Open.
4. On the Action menu, click Reset. In the dialog box, click Reset.
5. When you see the Press any key to boot from CD or DVD message, press Spacebar. Setup loads.
6. When prompted, in the Windows Setup dialog box, click Next.
7. On the Windows Setup page, click Repair your computer.
8. On the Choose an option page, click Troubleshoot.
9. On the Troubleshoot page, click Advanced options.
10. On the Advanced options page, click Command Prompt.
11. At the command prompt, type Bootrec /Scanos, and then press Enter.
12. At the command prompt, type Bootrec /RebuildBCD, and then press Enter.
13. At the command prompt, type A, and then press Enter.
14. At the command prompt, type exit, and then press Enter to restart LON-CL1. When LON-CL1 starts,
do not press any key.
15. Sign in to LON-CL1 by using the following credentials:
o User name: Adatum\Administrator
o Password: Pa$$w0rd
16. Update the Plan of Action section of the Incident Record.
17. If you are unable to resolve the problem, escalate it by asking your instructor for additional guidance.
To repeat or exit the exercise, revert the virtual machine environment.
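The following PowerShell script is an added example; it is not part of the course or its lab files. It serves two places in this lab: the duplicate-entry check from Exercise 2, Task 4 (bcdedit /copy followed by bcdedit /enum), and a health check you can run after the Bootrec /RebuildBCD repair above, once LON-CL1 boots normally again (PowerShell is not available inside Windows RE, so this runs from an elevated prompt on the repaired system). It exports the store first so that a bad change can be undone with bcdedit /import. The function names and the backup file location are this example's own choices.

```powershell
# Added example (not from the course or its lab files): back up, inspect and verify the BCD store
# from an elevated PowerShell prompt on a Windows 8.1 system that boots normally.
# Function names and the backup file location are this example's own choices.
#Requires -RunAsAdministrator

function Backup-BcdStore {
    # Export the store before touching it; 'bcdedit /import <file>' restores it.
    param([string]$Path = "$env:SystemDrive\bcd-backup-$(Get-Date -Format yyyyMMdd-HHmmss).bak")
    bcdedit /export $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /export to $Path failed" }
    $Path
}

function Get-BcdEntry {
    # Parse 'bcdedit /enum <filter>' into one object per entry (Type plus the BCD element names).
    param([string]$Filter = 'all')
    $raw = bcdedit /enum $Filter | Out-String
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /enum $Filter failed: $raw" }
    foreach ($block in ($raw -split '(?:\r?\n){2,}' | Where-Object { $_ -match '\S' })) {
        $lines = @($block -split '\r?\n' | Where-Object { $_ -match '\S' })
        $entry = [ordered]@{ Type = $lines[0].Trim() }
        foreach ($line in ($lines | Select-Object -Skip 2)) {   # skip the title and the dashed rule
            if ($line -match '^(\S+)\s+(.*)$') { $entry[$matches[1]] = $matches[2].Trim() }
        }
        [pscustomobject]$entry
    }
}

function Test-BcdDefaultLoader {
    # A repaired store is only usable when {default} is a Windows Boot Loader entry whose
    # device and osdevice point at a real partition (a broken store shows 'unknown').
    $d = Get-BcdEntry -Filter '{default}'
    [bool]($d -and $d.Type -eq 'Windows Boot Loader' -and
           $d.device -match '^partition=' -and $d.osdevice -match '^partition=')
}

function New-DuplicateBootEntry {
    # Exercise 2, Task 4: copy {current}. The braces must be quoted in PowerShell; unquoted,
    # {current} is parsed as a script block and bcdedit receives 'current' without braces.
    param([string]$Description = 'Duplicate boot entry')
    $out = bcdedit /copy '{current}' /d $Description | Out-String
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /copy failed: $out" }
    if ($out -match '\{[0-9a-f-]{36}\}') { return $matches[0] }   # identifier of the new entry
    throw "Unexpected bcdedit /copy output: $out"
}

# Usage: back up, create the duplicate, prove it is in the store, check {default}, then clean up.
$backup = Backup-BcdStore
$id     = New-DuplicateBootEntry
$dup    = Get-BcdEntry | Where-Object { $_.identifier -eq $id }
"Created $id with description '$($dup.description)'"
"Default loader healthy: $(Test-BcdDefaultLoader)"
bcdedit /delete $id | Out-Null          # remove the duplicate so the boot menu is unchanged
"Store backed up to $backup (restore with: bcdedit /import $backup)"
```

Test-BcdDefaultLoader is the part worth keeping in a post-incident checklist: after Bootrec /RebuildBCD adds the installation it found, this confirms that the entry the boot manager will actually use points at a partition rather than at an unknown device, which is the condition that produced the 0xc0000034 error in the incident record.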

Results: After completing this exercise, you should have resolved the startup problem and documented
your solution.
Prepare for the next module
When you have finished the lab, revert the virtual machines to their initial state.
1. On the host computer, start Hyper-V Manager.
2. In the Virtual Machines list, right-click 20687C-LON-CL1, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
4. Repeat steps 2 and 3 for 20687C-LON-DC1.


L15-107
Module 15: Configuring Client Hyper-V
Lab: Configuring Client Hyper-V
Exercise 1: Installing Client Hyper-V
Task 1: Install the Client Hyper-V feature
1. On LON-CL5, from the Start screen, type Hyper-V, and then confirm that no match is found.
2. On the Start screen, type powershell, right-click Windows PowerShell, and then select Run as
administrator. Click Yes in the User Account Control dialog box.
3. At the Windows PowerShell command prompt, run the following cmdlet, and then verify that no cmdlet is
listed:
Get-Command -Module Hyper-V
4. From the Start screen, type features, and then click Turn Windows Features on or off.
5. In the Windows Features window, select the Hyper-V check box, and then click OK.
6. On the Windows completed the requested changes page, click Restart Now.
7. When prompted during startup, select 20687C-LON-CL5.
8. Sign in to LON-CL5 as Admin with password Pa$$w0rd.
9. After a second restart, repeat steps 7 and 8.
10. On the Start screen, type powershell, right-click Windows PowerShell, and then select Run as
administrator. Click Yes in the User Account Control dialog box.
11. At the Windows PowerShell command prompt, run the following cmdlet:
Get-Command -Module Hyper-V
Note: The output shows many cmdlets, which confirms that the Hyper-V module is installed and
available.
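As an added example that is not part of the course, the same feature can be checked and enabled from PowerShell instead of the Windows Features dialog, with a prerequisite check in front of it. The Windows Features entry named Hyper-V corresponds to the optional feature Microsoft-Hyper-V-All. The function names are this example's own; it assumes an elevated session on LON-CL5.

```powershell
# Added example (not from the course): prerequisite check and feature state for Client Hyper-V.
# Function names are this example's own. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Test-ClientHyperVPrerequisite {
    # Client Hyper-V needs a 64-bit Windows and a processor with SLAT and virtualization
    # extensions enabled in firmware. Once a hypervisor is already running, the two processor
    # fields are read from inside a partition and can report False, so check HypervisorRunning first.
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{
        Is64Bit            = $os.OSArchitecture -like '64*'
        Slat               = [bool]$cpu.SecondLevelAddressTranslationExtensions
        VirtualizationInFw = [bool]$cpu.VirtualizationFirmwareEnabled
        HypervisorRunning  = [bool](Get-CimInstance Win32_ComputerSystem).HypervisorPresent
    }
}

function Get-ClientHyperVState {
    # 'Hyper-V' in Turn Windows features on or off = optional feature Microsoft-Hyper-V-All
    # (platform plus the management tools, including the Hyper-V PowerShell module).
    (Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All).State
}

function Enable-ClientHyperV {
    param([switch]$Restart)
    if ((Get-ClientHyperVState) -eq 'Enabled') { return 'Already enabled' }
    # -NoRestart leaves the reboot to the caller; the lab restarts twice before the module is usable.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All -NoRestart
    if ($Restart -and $result.RestartNeeded) { Restart-Computer -Force }
    elseif ($result.RestartNeeded) { 'Enabled; restart required' } else { 'Enabled' }
}

# Usage
Test-ClientHyperVPrerequisite
"Feature state before: $(Get-ClientHyperVState)"
Enable-ClientHyperV
# After the restarts, step 11 of the lab becomes: (Get-Command -Module Hyper-V).Count
```

Running the prerequisite check before enabling the feature avoids the situation where the feature installs but the hypervisor never starts because SLAT or the firmware virtualization setting is missing; the feature state alone does not tell you that.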

Results: After completing this exercise, you should have installed the Client Hyper-V feature.
L15-108 Configuring Client Hyper-V
Exercise 2: Creating a Virtual Switch, a Virtual Hard Disk, and a Virtual
Machine
Task 1: Create a virtual switch
1. On LON-CL5, from the Start screen, type Hyper-V, and then click Hyper-V Manager.
2. In Hyper-V Manager, right-click LON-CL5, and then click Virtual Switch Manager.
3. In the Virtual Switch Manager window, in the Create virtual switch section, click Private, and then
click Create Virtual Switch.
4. In the Virtual Switch Properties section, type Private Network in the Name field, and then click
OK.
Task 2: Create a virtual hard disk (VHD)
1. On LON-CL5, open Hyper-V Manager.
2. In Hyper-V Manager, select LON-CL5, and then in the Actions pane, click New, and then click Hard
disk.
3. In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
4. On the Choose Disk Format page, confirm that VHDX is selected, and then click Next.
5. On the Choose Disk Type page, confirm that the default disk type for VHD hard disk is Dynamically
expanding, and then click Next.
6. On the Specify Name and Location page, in Name field, type Dynamic.vhdx. In Location field,
type C:\VM, and then click Next.
7. On the Configure Disk page, confirm that Create a new blank virtual hard disk is selected, in the
Size field, type 100, and then click Next.
8. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
9. On LON-CL5, in Hyper-V Manager, in the Actions pane, click New, and then click Hard disk.
10. In the New Virtual Hard Disk Wizard, on the Before You Begin page, click Next.
11. On the Choose Disk Format page, select VHD, and then click Next.
12. On the Choose Disk Type page, click Differencing, and then click Next.
13. On the Specify Name and Location page, in the Name field, type Differencing.vhd. In the
Location field, type C:\VM, and then click Next.
14. On the Configure Disk page, click Browse, and then browse to F:\Program Files
\Microsoft Learning\base\.
15. In the Base folder, click Base14C-W81-Office2013.vhd, click Open, and then click Next.
16. On the Completing the New Virtual Hard Disk Wizard page, click Finish.
17. On LON-CL5, in Windows PowerShell, create a fixed size virtual hard disk by running the following
cmdlet:
New-VHD -Path C:\VM\Fixed.vhdx -SizeBytes 1GB -Fixed
18. On LON-CL5, on the taskbar, click the File Explorer icon.
19. In the This PC window, browse to the C:\VM folder.
20. In the VM folder, confirm that the three virtual hard disks that you created in the previous task
display.
21. In the VM folder, right-click Fixed.vhdx, select Properties, confirm that its size on the disk is 1.00
GB, and then click OK.
22. In the VM folder, verify that Dynamic.vhdx and Differencing.vhd are allocated much less space on
the disk, even though you configured Dynamic.vhdx with 100 GB.
Task 3: Create a virtual machine
1. On LON-CL5, in Hyper-V Manager, in the Actions pane, click New, and then click Virtual Machine.
2. In the New Virtual Machine Wizard, on the Before You Begin page, click Next.
3. On the Specify Name and Location page, in the Name field, type LON-VM2, and then click Next.
4. On the Specify Generation page, click Generation 2, and then click Next.
5. On the Assign Memory page, in the Startup Memory field, type 1024, select the Use Dynamic
Memory for this virtual machine check box, and then click Next four times.
6. On the Completing the Virtual Machine Wizard page, click Finish. A virtual machine named LON-
VM2 is created.
7. On LON-CL5, in Windows PowerShell, create a Generation 1 virtual machine, and then attach it to a
virtual hard disk by running the following cmdlets:
New-VM -Name LON-VM1 -MemoryStartupBytes 1GB -Generation 1 -BootDevice IDE
Add-VMHardDiskDrive -VMName LON-VM1 -ControllerType IDE -Path C:\VM\Differencing.vhd
8. In Hyper-V Manager, double-click the LON-VM1 virtual machine, and then from the Action menu,
select Start. Verify that the virtual machine starts.
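The following script is an added example, not part of the course or its lab files: it builds the whole of Exercise 2 (the private switch, the three disk types, and both virtual machines) with the Hyper-V module instead of the wizards, and includes the size comparison from Task 2, steps 20 to 22, using Get-VHD rather than the file Properties dialog. It assumes an elevated PowerShell session on LON-CL5 with Client Hyper-V installed and the base VHD at the path the lab uses.

```powershell
# Added example (not from the course or its lab files): Exercise 2 with the Hyper-V module.
# Assumes an elevated session on LON-CL5 with Client Hyper-V installed; paths are the lab's.
#Requires -RunAsAdministrator
Import-Module Hyper-V

$vmRoot   = 'C:\VM'
$basePath = 'F:\Program Files\Microsoft Learning\base\Base14C-W81-Office2013.vhd'
New-Item -ItemType Directory -Path $vmRoot -Force | Out-Null

# Task 1: a Private switch connects VMs only to each other. Neither the host nor the physical
# network is reachable from it, which keeps the test VMs isolated from the rest of the lab.
if (-not (Get-VMSwitch -Name 'Private Network' -ErrorAction SilentlyContinue)) {
    New-VMSwitch -Name 'Private Network' -SwitchType Private | Out-Null
}

# Task 2: the three disk types. Dynamic and differencing disks grow on demand; a fixed disk is
# fully allocated at creation. A differencing disk must use its parent's format (.vhd here).
New-VHD -Path "$vmRoot\Dynamic.vhdx"     -SizeBytes 100GB -Dynamic   | Out-Null
New-VHD -Path "$vmRoot\Differencing.vhd" -ParentPath $basePath -Differencing | Out-Null
New-VHD -Path "$vmRoot\Fixed.vhdx"       -SizeBytes 1GB   -Fixed     | Out-Null

# Steps 20-22: compare the virtual size with the space actually used on the host volume.
Get-ChildItem "$vmRoot\*.vhd*" | ForEach-Object {
    $vhd = Get-VHD -Path $_.FullName
    [pscustomobject]@{
        Name      = $_.Name
        Type      = $vhd.VhdType
        VirtualGB = [math]::Round($vhd.Size / 1GB, 2)
        OnDiskGB  = [math]::Round($vhd.FileSize / 1GB, 2)
        Parent    = $vhd.ParentPath
    }
} | Format-Table -AutoSize

# Task 3: LON-VM2 as Generation 2 with Dynamic Memory; LON-VM1 as Generation 1 booting the
# differencing disk. Both are attached to the private switch, so they cannot reach the host.
New-VM -Name 'LON-VM2' -MemoryStartupBytes 1GB -Generation 2 -SwitchName 'Private Network' | Out-Null
Set-VMMemory -VMName 'LON-VM2' -DynamicMemoryEnabled $true

New-VM -Name 'LON-VM1' -MemoryStartupBytes 1GB -Generation 1 -BootDevice IDE `
       -SwitchName 'Private Network' | Out-Null
Add-VMHardDiskDrive -VMName 'LON-VM1' -ControllerType IDE -Path "$vmRoot\Differencing.vhd"

Start-VM -Name 'LON-VM1'
Get-VM -Name 'LON-VM1', 'LON-VM2' | Select-Object Name, State, Generation, DynamicMemoryEnabled
```

The table printed after the New-VHD calls shows the point of steps 20 to 22 directly: Fixed.vhdx reports the same value for VirtualGB and OnDiskGB, while Dynamic.vhdx shows 100 GB virtual against a few megabytes on disk, and the differencing disk inherits its parent's virtual size while consuming almost nothing until LON-VM1 writes to it.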

Results: After completing this exercise, you should have created a virtual network and a virtual machine in
Client Hyper-V.
