6292A
Installing and Configuring
Windows® 7 Client
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in
any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.
Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, Aero, Aero Flip 3D,
AppLocker, Authenticode, BitLocker, BitLocker to Go, BizTalk, BranchCache, Device Stage,
DirectX, ESP, Excel, Hyper-V, Intellisense, Internet Explorer, Microsoft Dynamics, MS, MSDN, MS-
DOS, OneCare, OneNote, Outlook, PowerPoint, ReadyBoost, Remote App and Desktop
Connections, SharePoint, SpyNet, SQL Server, Visual Basic, Visual C#, Visual Studio, Win32,
Windows, Windows Live, Windows Media Player, Windows Mobile, Windows NT, Windows
Defender, Windows PowerShell, Windows Server, and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.
Released: 06/2009
BETA COURSEWARE EXPIRES 11/15/2009
Course Description
This three-day instructor-led course is intended for IT professionals who are interested
in expanding their knowledge base and technical skills about Windows 7 Client. In this
course, students learn how to install, upgrade, and migrate to Windows 7 client.
Students then configure Windows 7 client for network connectivity, security,
maintenance, and mobile computing.
Audience
This course is intended for IT professionals who are interested in:
• Expanding their knowledge base and technical skills about Windows 7 Client.
• Acquiring deep technical knowledge of Windows 7.
• Learning the details of Windows 7 technologies.
• Focusing on the "how to" associated with Windows 7 technologies.
Most of these professionals use some version of Windows client at their workplace
and are looking for new and better ways to perform some of their current functions.
Student Prerequisites
This course requires that you meet the following prerequisites:
• Experience installing PC hardware and devices.
• Basic understanding of TCP/IP and networking concepts.
• Basic Windows and Active Directory knowledge.
• The skills to map network file shares.
• Experience working from a command prompt.
• Basic knowledge of the fundamentals of applications. For example, how client
computer applications communicate with the server.
• Basic understanding of security concepts such as authentication and authorization.
• An understanding of the fundamental principles of using printers.
Course Objectives
After completing this course, students will be able to:
• Perform a clean installation of Windows 7, upgrade to Windows 7, and migrate
user-related data and settings from an earlier version of Windows.
• Configure disks, partitions, volumes, and device drivers to enable a Windows 7
client computer.
• Configure file access and printers on a Windows 7 client computer.
• Configure network connectivity on a Windows 7 client computer.
• Configure wireless network connectivity on a Windows 7 client computer.
• Secure Windows 7 client desktop computers.
• Optimize and maintain the performance and reliability of a Windows 7 client
computer.
• Configure mobile computing and remote access settings for a Windows 7 client
computer.
Course Outline
This section provides an outline of the course:
Module 1, Installing, Upgrading, and Migrating to Windows 7
Module 2, Configuring Disks and Device Drivers
Module 3, Configuring File Access and Printers on Windows 7 Client Computers
Module 4, Configuring Network Connectivity
Module 5, Configuring Wireless Network Connections
Module 6, Securing Windows 7 Desktops
Module 7, Optimizing and Maintaining Windows 7 Client Computers
Module 8, Configuring Mobile Computing and Remote Access in Windows 7
Course Materials
The following materials are included with your kit:
• Course Handbook. A succinct classroom learning guide that provides all the
critical technical information in a crisp, tightly-focused format, which is just right
for an effective in-class learning experience.
• Lessons: Guide you through the learning objectives and provide the key points
that are critical to the success of the in-class learning experience.
• Labs: Provide a real-world, hands-on platform for you to apply the knowledge
and skills learned in the module.
• Module Reviews and Takeaways: Provide improved on-the-job reference
material to boost knowledge and skills retention.
• Lab Answer Keys: Provide step-by-step lab solution guidance at your
fingertips when it’s needed.
• Course Companion CD. Searchable, easy-to-navigate digital content with
integrated premium on-line resources designed to supplement the Course
Handbook.
• Lessons: Include detailed information for each topic, expanding on the content
in the Course Handbook.
• Labs: Include complete lab exercise information and answer keys in digital
form to use during lab time.
• Resources: Include well-categorized additional resources that give you
immediate access to the most up-to-date premium content on TechNet,
MSDN®, Microsoft Press®
• Student Course Files: Include the Allfiles.exe, a self-extracting executable file
that contains all the files required for the labs and demonstrations.
Note To access the full course content, insert the Course Companion CD into the CD-ROM
drive, and then in the root directory of the CD, double-click StartCD.exe.
• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training facility,
and instructor.
Important: At the end of each lab, you must close the virtual machine and must
not save any changes. To close a virtual machine without saving the changes,
perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
The following table shows the role of each virtual machine used in this course:
Software Configuration
The following software is installed on the VMs:
• Windows Server 2008 R2, Release Candidate
• Windows 7, Release Candidate
Classroom Setup
Each classroom computer will have the same virtual machines configured in the same
way.
Hardware Level 6
• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V)
processor
• Dual 120 gigabyte (GB) hard disks 7200 RPM SATA or better*
• 4 GB RAM expandable to 8 GB or higher
• DVD drive
• Network adapter
• Super video graphics array (SVGA) 17-inch monitor
• Microsoft Mouse or compatible pointing device
• Sound card with amplified speakers
*Striped
In addition, the instructor computer must be connected to a projection display device
that supports SVGA 800 x 600 pixels, 256 colors.
Module 1
Installing, Upgrading, and Migrating to Windows 7
Contents:
Lesson 1: Preparing to Install Windows 7
Lesson 2: Performing a Clean Installation of Windows 7
Lesson 3: Upgrading and Migrating to Windows 7
Lesson 4: Performing Image-based Installation of Windows 7
Lesson 5: Configuring Application Compatibility
Module Overview
Lesson 1
Preparing to Install Windows 7
Before installing Windows 7, ensure that your computer meets the minimum hardware
requirements. In addition, you must decide what edition of Windows 7 best suits your
organizational needs. You must also decide which architecture to use, either the 32-bit or
the 64-bit platform of Windows 7.
Once you have established your hardware requirements and decided which edition of
Windows 7 to install, you have several options to install and deploy Windows 7.
Depending on several factors, such as your organization’s deployment infrastructure,
policy and automation, you may want to select one or more installation options.
Usability
One of the main design goals of Windows 7 was to help users work more productively,
and to make it easier to carry out common tasks. Windows 7 includes tools to make it
easier for users to organize, search for, and view information. This enables them to
focus on the most important aspects of their job. In addition, Windows 7
communication, mobility, and networking features help users connect to people,
information, and devices by using simple tools.
Security
Windows 7 is built on a fundamentally secure platform based on the Windows Vista
foundation. It includes numerous security features and improvements that protect client
computers from the latest threats, including worms, viruses, and malicious software
(malware).
• Windows 7 helps detect and recover failing hard disks and memory.
• The auto-tuning network stack of Windows 7 provides improved performance by
analyzing the available bandwidth and using it more efficiently.
• Defragmentation runs in the background to help maintain disk performance.
Deployment
Manageability
In Windows 7, hundreds of new Group Policy settings make it easier to configure and
control the desktop environment centrally. The improved Task Scheduler increases the
IT professional's ability to automate tasks, as it reduces the time required to manage the
desktop and decreases the likelihood of manual errors. Event Viewer has multiple
views and enables you to attach a task to an event. Also, by using features, such as the
Windows Eventing infrastructure and much clearer explanations for events, you can
troubleshoot problems by using the event logs more effectively.
In addition, Windows 7 introduces the following manageability improvements that can
reduce cost by increasing automation.
Productivity
Windows 7 improvements to the user interface help users and IT Professionals increase
their productivity. Users can find what they want easily, and they can optimize their
desktops by turning on necessary accessibility features.
Windows 7 includes an integrated search feature, known as Windows® Search. It
offers significant performance improvements, making it quicker and easier for users to
locate their documents.
Windows 7 also offers improvements for mobile and remote users by introducing the
following features:
Question: What are the key features of Windows 7 that will help your organization?
Answer: The answer may vary, but in general all the key features of Windows 7 will
help users in terms of usability, security, manageability, deployment and productivity.
Editions of Windows 7
There are six Windows 7 editions: two editions for mainstream consumers and
business users, and four specialized editions for enterprise customers, technical
enthusiasts, emerging markets, and entry-level PCs. The design of each edition matches
the demands of particular user types. You may need more than one edition in your
environment, and therefore, it is important to understand each edition’s features.
Each edition requires activation to verify that your copy of Windows is genuine and
that it has not been used on more computers than the Microsoft Software License
Terms allow. In this way, activation helps prevent software counterfeiting. With an
activated copy of Windows, you can use every Windows feature for that specific
edition.
You have 30 days after installing Windows to activate it online or by telephone. If this
30-day period expires before you complete activation, Windows will stop working. If
this happens, you cannot create new files or save changes to existing ones. You can
regain full use of your computer by activating your Windows copy.
Windows 7 Starter
Windows 7 Starter is targeted specifically for small form factor PCs in all markets. It is
only available for the 32-bit platform. This edition features:
• Improved Windows Taskbar and Jump Lists
• Windows Search
Windows 7 Professional
Windows 7 Professional is the business-focused edition for small and lower
mid-market companies and users who have networking, backup, and security needs and
multiple PCs or servers. It includes all features available in Windows 7 Home Premium
in addition to the following:
• Core business features, such as Domain Join and Group Policy
• Data protection with advanced network backup and Encrypted File System
• Ability to print to the correct printer at home or work with Location Aware
Printing
• Remote Desktop host and Offline folders
Windows 7 Enterprise
Windows 7 Enterprise provides advanced data protection and information access for
businesses that use IT as a strategic asset. It is a business-focused edition, targeted for
managed environments, mainly large enterprises. This edition includes all features
available in Windows 7 Professional in addition to the following:
• BitLocker and BitLocker To Go data protection for internal and external drives
• AppLocker to prevent unauthorized software installation and execution
• DirectAccess, which provides seamless connectivity to a corporate network
• BranchCache, which decreases the amount of time for branch office workers to
access files across the corporate network
• All worldwide interface languages
• Enterprise Search Scopes
• Virtual Desktop Infrastructure (VDI) enhancements and the ability to boot from a
VHD
Note: All editions of Windows 7, with the exception of Windows 7 Starter, are available
for 32-bit and 64-bit platforms. Windows 7 Starter is only available as a 32-bit operating
system.
Question: Which edition of Windows 7 should you choose in the following scenarios?
Scenario 1: There are a few users in your organization. Currently, you do not have a
centralized file server and none of the computers are joined to a domain.
Scenario 2: Your organization has more than one hundred users who are located in
several offices across the country. In addition, you have several users that travel
frequently.
Answer: You should choose Windows 7 Professional for Scenario 1 and Windows 7
Enterprise for Scenario 2.
Scenario 1: For a business environment, you should choose either Windows 7
Professional or Windows 7 Enterprise. Windows 7 Home Premium, Windows 7 Home
Basic, and Windows 7 Starter are targeted for home users. Because you only have a few
users, Windows 7 Professional would be the best fit.
Scenario 2: You should choose Windows 7 Enterprise and take advantage of
features such as BranchCache and DirectAccess to increase the productivity of your
mobile users.
Question: What is the difference between the Enterprise and the Ultimate edition of
Windows 7?
Answer: There is no difference in terms of features between the Enterprise and
Ultimate editions. Windows 7 Enterprise is available through Microsoft Software
Assurance with Volume Licensing and Windows 7 Ultimate is available through the
retail channel. There is no upgrade path between the two.
It is important that you understand the hardware requirements for Windows 7. Your
system must meet the minimum requirements for the edition that you are installing. If it
does not, you must know what components need to be upgraded to meet the
requirements.
Note: If you install Windows 7 on a computer that does not meet the minimum hardware
requirements, some features of Windows 7 may not work, or the system performance
level may be unacceptable.
In general, hardware requirements for Windows 7 are the same as for Windows Vista. The
preceding table shows the minimum hardware requirements for each edition of Windows 7.
Note: An Aero Capable GPU supports DirectX 9 with a WDDM driver, Pixel Shader 2.0,
and 32 bits per pixel.
Note: For more information on Windows 7 hardware requirements, please refer to:
http://go.microsoft.com/fwlink/?LinkID=154215
Although earlier versions of Windows operating systems, such as the Windows® XP®
Professional operating system, were available in 64-bit editions, these versions
provided limited application compatibility when compared with the 32-bit editions.
Additionally, the relative scarcity of 64-bit drivers for existing hardware made
selecting the 64-bit edition a significant compromise.
The 64-bit editions of Windows 7 overcome the application incompatibility issues that
affected the 64-bit edition of earlier versions of Windows. The 64-bit drivers are now
readily available for most commonly used devices in the 64-bit edition of Windows 7.
The features in the 64-bit editions of Windows 7 are identical to their 32-bit
counterparts. However, there are several advantages of using a 64-bit edition of
Windows 7.
Improved Performance
The fact that 64-bit processors can process more data per clock cycle enables your
applications to run faster or support more users. In workstation computers, faster
processing means that applications run more quickly, particularly those that are
processor intensive. To benefit from this improved processor capacity, you must install
a 64-bit edition of the operating system.
Enhanced Memory
The performance of a computer that runs a large number of programs, or runs programs
that require large amounts of memory, is affected adversely if there is insufficient
Note: The 32-bit editions of Windows 7 cannot access all of the 4 GB of memory to run
user programs. They are limited to approximately 3 GB of memory regardless of how
much memory you install on the computer. The 32-bit editions of Windows 7 use the
additional memory (up to 4 GB) to run system-related services and programs.
The following table lists the memory configurations supported by 64-bit editions of
Windows 7:
Home Premium 16 GB
Note: In theory, the maximum amount of memory a 64-bit computer can address is 16
Exabytes (16.8 million terabytes). However, most manufacturers impose artificial limits
considerably lower than this value.
If you anticipate the need to run several memory-intensive programs, deploying a
64-bit edition of Windows 7 will improve your computer’s performance. If any computer
that you have has more than 4 GB of memory installed, you must install a 64-bit
edition of Windows 7 to access the memory beyond 4 GB.
scanners, and other common office equipment. Since Windows Vista was first released, the
availability of drivers for these devices has improved greatly. Because Windows 7 is
built on the same kernel as Windows Vista, most of the drivers that work with
Windows Vista also work with Windows 7.
Improved Security
The processor architecture of x64-based processors from Intel and AMD supports the
following features that improve security:
• Kernel Patch Protection: This prevents software from modifying the operating
system kernel.
• Mandatory kernel-mode driver signing: A signed driver indicates that the driver has
been sourced from a safe and trusted vendor. In 64-bit editions of Windows 7, all
kernel-mode drivers must be signed digitally.
• Data Execution Prevention: This is implemented at the hardware level rather than
by software in the operating system, and helps prevent buffer overflows that
malicious software uses to cause system failures.
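One way to check the settings listed above on an existing client before choosing an architecture, as an added example that is not part of the courseware: a read-only PowerShell 2.0 audit built on standard WMI classes. The function name Get-PlatformSecurityBaseline and its output property names are hypothetical.

```powershell
# Added example, not courseware code. Read-only; needs PowerShell 2.0 or later.
# Get-PlatformSecurityBaseline and its output property names are hypothetical.
function Get-PlatformSecurityBaseline {
    param([string]$ComputerName = '.')

    $os  = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $cpu = Get-WmiObject -Class Win32_Processor -ComputerName $ComputerName |
           Select-Object -First 1

    # AddressWidth reflects the running operating system (32 or 64);
    # DataWidth reflects what the processor itself supports.
    $osBits  = [int]$cpu.AddressWidth
    $cpuBits = [int]$cpu.DataWidth

    # Sum the installed memory modules. A 32-bit OS under-reports usable RAM,
    # so the module capacities are used instead of the OS-visible total.
    $installedBytes = (Get-WmiObject -Class Win32_PhysicalMemory -ComputerName $ComputerName |
                       Measure-Object -Property Capacity -Sum).Sum
    $installedGB = [math]::Round($installedBytes / 1GB, 1)

    # System-wide DEP policy as exposed by Win32_OperatingSystem.
    $depNames  = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $depPolicy = $depNames[[int]$os.DataExecutionPrevention_SupportPolicy]

    # Win32_PnPSignedDriver covers Plug and Play device drivers only, so this
    # is a driver inventory aid rather than a list of every kernel-mode driver.
    $unsigned = @(Get-WmiObject -Class Win32_PnPSignedDriver -ComputerName $ComputerName |
                  Where-Object { $_.DeviceName -and -not $_.IsSigned } |
                  ForEach-Object {
                      '{0} ({1} {2})' -f $_.DeviceName, $_.DriverProviderName, $_.DriverVersion
                  })

    $findings = @()
    if ($osBits -eq 32) {
        $findings += '32-bit edition: Kernel Patch Protection and mandatory ' +
                     'kernel-mode driver signing are not enforced.'
        if ($cpuBits -eq 64) {
            $findings += 'Processor is 64-bit capable: a 64-bit edition is an option, ' +
                         'but only through a clean installation.'
        }
        if ($installedGB -gt 4) {
            $findings += ('{0} GB installed: memory beyond 4 GB is not usable ' +
                          'by a 32-bit edition.') -f $installedGB
        }
    }
    if (-not $os.DataExecutionPrevention_Available) {
        $findings += 'Hardware DEP is not available or is disabled in firmware.'
    } elseif ($depPolicy -eq 'AlwaysOff') {
        $findings += 'DEP is supported by the hardware but the policy is AlwaysOff.'
    }
    if ($unsigned.Count -gt 0) {
        $findings += ('{0} unsigned device driver(s) found; obtain signed versions ' +
                      'before moving to a 64-bit edition.') -f $unsigned.Count
    }

    New-Object PSObject -Property @{
        ComputerName    = $os.CSName
        OSCaption       = $os.Caption
        OSBits          = $osBits
        ProcessorBits   = $cpuBits
        InstalledGB     = $installedGB
        DepAvailable    = [bool]$os.DataExecutionPrevention_Available
        DepPolicy       = $depPolicy
        DepForDrivers   = [bool]$os.DataExecutionPrevention_Drivers
        UnsignedDrivers = $unsigned
        Findings        = $findings
    }
}

# Usage on the local computer:
#   Get-PlatformSecurityBaseline | Format-List
```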
Clean Installation
You perform a clean installation when installing Windows 7 on a new partition or
when replacing an existing operating system on a partition. To perform a clean
installation on a computer without an operating system, start the computer directly
from the CD/DVD. If the computer already has an operating system, run setup.exe to
start the installation. The setup.exe can be run from the following sources:
• CD/DVD
• Network share
You can also use an image to perform a clean installation.
Upgrade Installation
You perform an upgrade, which also is known as an in-place upgrade, when replacing
an existing version of Windows with Windows 7 and you need to retain all user
applications, files, and settings.
To perform an in-place upgrade to Windows 7, run the Windows 7 installation program
(setup.exe) and select Upgrade. You can run the setup.exe from the product CD/DVD
or from a network share. During an in-place upgrade, the Windows 7 installation
program retains all user settings, data, hardware device settings, applications, and other
configuration information automatically.
Always back up all of your important data before performing an upgrade.
Migration
You perform a migration when you have a computer already running Windows 7, and
need to move files and settings from your old operating system (source computer) to
the Windows 7 based computer (destination computer).
Perform a migration by doing the following:
• Backing up the user’s settings and data
• Performing a clean installation
• Reinstalling the applications
• Restoring the user’s settings and data
There are two migration scenarios: side-by-side and wipe and load. In side-by-side
migration, the source computer and the destination computer are two different
computers. In wipe and load migration, the destination computer and the source computer
are the same. To perform wipe and load migration, you perform a clean installation of
Windows 7 on a computer that already has an operating system by running the
Windows 7 installation program and selecting Custom (advanced).
Question: Which type of installation should you use in the following scenarios?
Scenario 1: Your users have computers that are at least three years old and your
organization plans to deploy Windows 7 to many new computers.
Scenario 2: There are only a few users in your organization, their computers are mostly
new, but they have many applications installed and a lot of data stored in their
computers.
Answer: The answers may vary. Your selection of the type of installation may not be
decided by just these factors. In general, it is recommended that you perform a
clean installation followed by migration of user settings and data. You should not
select upgrade, unless it only involves a few users or computers. In Scenario 1, you
may want to purchase new hardware for your organization, perform a clean installation
of Windows 7, and migrate the necessary user settings and data. In Scenario 2, you
may want to perform an in-place upgrade to Windows 7.
Lesson 2
Performing a Clean Installation of Windows 7
There are several ways to install Windows 7. The method you use may depend on
whether you are installing it on a new computer or on a computer that is running
another version of Windows. A clean installation is done when you install Windows 7
on a new partition or when you replace an existing operating system on a partition.
You can perform a clean installation of Windows 7 by running setup.exe from the
CD/DVD or from a network share. You can also perform a clean installation by
deploying an image.
Note: Windows PE is a minimal 32-bit or 64-bit operating system with limited services,
built on the Windows 7 kernel. Windows PE is used to install and repair a Windows
operating system.
3. Run the Windows 7 installation program (setup.exe) from the network share.
• WDS
• Microsoft Deployment Toolkit (MDT)
Note: For more information about deploying Windows 7, read the “Step-by-Step: Basic
Windows Deployment for IT Professionals” on the Microsoft TechNet Web site.
Question: In what situation would you use each method of performing a clean
installation of a Windows operating system?
Answer: Running Windows installation from the product CD/DVD is the most
straightforward. Generally this method is used in a home or small business
environment, or to install a reference computer. You can place the installation files in a
network share, so that you can run the Windows installation from the network to
computers that do not have a CD/DVD drive. Having the Windows installation in a
network share also saves you the trouble of keeping the installation media. If you are
installing Windows in a large organization and want to standardize the environment,
you should install Windows by using an image.
Four-Step Approach
You can use the following four-step approach in any troubleshooting environment:
1. Determine what has changed
2. Eliminate the possible causes to determine the probable cause
3. Identify a solution
4. Test the solution
If the problem persists, go back to step three and repeat the process.
Question: What potential issues might you encounter when installing Windows?
Answer: The answer may vary. The following table describes several installation
problems and solutions that can be used to identify and solve specific problems.
Problem | Solution
Installation media is damaged. | Test the CD or DVD on another system.
Error messages appear during setup. | Carefully note any messages, and search the Microsoft Knowledge Base for an explanation.
7. Click OK.
8. Click OK to acknowledge the warning.
9. Click OK to close the welcome message.
10. Click OK to close the message about restarting.
11. In the System Properties window, click the Change button. Note that the
Network ID button performs the same task with a wizard.
12. In the Computer Name/Domain Changes window, click Domain and type
“Contoso.com”. This is the name of the domain to be joined.
13. Click the More button. Use this primary DNS suffix to have the computer search
DNS domains other than the Active Directory® domain that it is joined to. The
NetBIOS name is used for backward compatibility with older applications.
14. Click the Cancel button.
15. In the Computer Name/Domain Changes window, click OK.
16. When prompted, in the Windows Security box, type “Administrator” with a
password of Pa$$w0rd.
17. Click OK three times and then click Close.
18. Click Restart Now.
19. After the system restarts, log on as Contoso\Administrator with a password of
Pa$$w0rd.
Question: When would you configure the primary DNS suffix to be different from the
Active Directory domain?
Answer: In most cases, you will not configure the primary DNS suffix to be different
from the Active Directory domain. This is typically done in large organizations with a
complex DNS structure that is independent of the Active Directory DNS structure. An
example of why you would configure a different primary DNS suffix is to support
applications that need to search in an alternate DNS domain.
Lesson 3
Upgrading and Migrating to Windows 7
Not all operating systems can be upgraded or migrated to Windows 7. While several
operating systems support in-place upgrades, others only support migration of user
settings and data after you perform a clean installation of Windows 7.
Upgrade Considerations
You must perform an in-place upgrade when you do not want to reinstall all your
applications. In addition, you can consider performing an upgrade when:
• You do not have storage space to store your user state.
• You are not replacing existing computer hardware.
• You plan to deploy Windows on only a few computers.
Note: If you are running setup.exe from the current operating system and an upgrade is
not possible, the Windows 7 installation program displays an error message. If you are
running setup.exe in Windows PE and your current operating system does not support
an upgrade to Windows 7, the Windows 7 installation program disables the selection of
Upgrade during the installation process.
Migration Considerations
You should perform a migration when:
• You want a standardized environment for all users running Windows. A migration
takes advantage of a clean installation. A clean installation ensures that all of your
systems begin with the same configuration, and that all applications, files, and
settings are reset. Migration ensures that you can retain user settings and data.
Question: You are deploying Windows 7 throughout your organization. Given the
following scenarios, which would you choose, upgrade or migration?
Scenario 1: Your organization has a standardized environment. You have several
servers dedicated as storage space and the computers in your organization are no more
than two years old.
Scenario 2: Your organization has a standardized environment. You have several
servers dedicated as storage space and plan to replace existing computers, which are
more than three years old.
Scenario 3: You do not have extra storage space and the computers in your
organization are less than two years old. In addition, there are only five users in your
organization and you do not want to reinstall existing applications to your user
computers.
Answer:
Scenario 1: You should perform a wipe and load migration. To achieve a standardized
environment, you must perform a clean installation, followed by a migration. In this
scenario, you have storage space, but you do not plan to replace the existing hardware.
Scenario 2: You should perform a side-by-side migration. To achieve a standardized
environment, you must perform a clean installation, followed by a migration. In this
scenario, you have storage space, and plan to replace the existing hardware.
Scenario 3: You should perform an in-place upgrade. In this scenario, you do not have
the storage space required to perform migration. Also, migration requires you to
reinstall all existing applications.
Windows Version | Supported Scenario | Remarks
Earlier version than Windows XP® | Clean Installation | Windows versions earlier than Windows XP do not support in-place upgrade or migration to Windows 7.
Windows Vista SP1, SP2 | In-place upgrade | Windows Vista with Service Pack 1 or later is required to support in-place upgrades to Windows 7. There are limitations on which edition you can upgrade from and to.
Note: Windows Anytime Upgrade (WAU) provides a way to move to a more powerful
edition of Windows 7. The WAU pack includes DVD media, the Windows product key, and
upgrade instructions.
Note: There are limitations on the editions of Windows that you can upgrade from and
to. For example, you can upgrade Windows Vista Home Basic with Service Pack 1 to
Windows 7 Home Basic, Windows 7 Home Premium, or Windows 7 Ultimate, but not to
Windows 7 Professional or Windows 7 Enterprise.
Upgrade Limitations
An in-place upgrade does not support cross-architecture upgrades. This means that you
cannot upgrade from 32-bit to 64-bit or vice versa. You can only upgrade to the same
platform, even if your hardware supports both architectures.
An in-place upgrade does not support cross-language upgrades. This means that you
cannot upgrade from an EN-US version of Windows to a DE-DE version of Windows.
From\To | Starter | Home Basic | Home Premium | Professional | Enterprise | Ultimate
Starter | NA | X | WAU | WAU | X | WAU
Enterprise | X | X | X | X | NA | X
Ultimate | X | X | X | X | X | NA
Legend:
• X = In-place Upgrade is not supported.
• NA = Not applicable.
Windows Upgrade Advisor is an ideal tool if you only have a few computers. For
enterprise deployment, consider the Application Compatibility Toolkit and the
Microsoft Assessment and Planning Toolkit to assess your organization's readiness for
Windows 7.
The Microsoft Assessment and Planning (MAP) Toolkit is an agent-less toolkit that
finds computers on a network and performs a detailed inventory of the computers using
Windows Management Instrumentation (WMI), the Remote Registry Service, or the
Simple Network Management Protocol (SNMP). The data and analysis provided by
this toolkit can significantly simplify the planning process for migrating to Windows 7,
Microsoft® Office® 2007, and several other Microsoft products and technologies.
Assessments for Windows 7 also include device driver availability and
recommendations for hardware upgrades that may be required.
Evaluate
Before starting the upgrade, you must evaluate whether your computer meets the
requirements needed to run Windows 7. You can use the Windows Upgrade Advisor to
perform this evaluation. However, if you have many computers that you want to
upgrade, it may not be practical to run the Windows Upgrade Advisor on each one. In
this case, ensure that each computer meets at least the minimum hardware requirements
to run Windows 7, or consider using the Application Compatibility Toolkit (ACT) and
the Microsoft Assessment and Planning (MAP) Toolkit to assess your organization's readiness.
You must also determine whether any installed application programs will have
compatibility problems running on Windows 7. Microsoft provides two tools to help
determine and resolve application compatibility issues:
• ACT: this is a set of tools to analyze and determine whether your existing
application will work with Windows 7. You can use the Application Compatibility
Backup
To protect against data loss during the upgrade process, back up any data and personal
settings before starting the upgrade. You can back up data to any appropriate media,
such as tape, removable storage, writable CD or DVD disc media, or a network shared
folder.
Upgrade
After evaluating your computer requirements and backing up your data and personal
settings, you are ready to perform the actual upgrade. To perform the upgrade, run the
Windows 7 installation program (setup.exe) from the product CD/DVD or a network
share.
If your computer supports an in-place upgrade to Windows 7, you can select Upgrade
during the installation process. The installation program prevents you from selecting
the upgrade option if an in-place upgrade is not possible. This can happen for several
reasons: for example, your computer lacks sufficient disk space to perform the upgrade,
or the version of Windows that you are running does not support a direct upgrade to the
selected edition of Windows 7. If that is the case, stop the upgrade process and resolve
the indicated problem before attempting the upgrade again.
Verify
When the upgrade completes, log on to your computer and verify that all of the
applications and hardware devices function correctly. If the Windows Upgrade Advisor
made any recommendations relating to program compatibility or devices, follow those
recommendations to complete the upgrade process. For example, if the Windows
Upgrade Advisor detected a compatibility issue with your antivirus software, contact
the software vendor to obtain a version that is compatible with Windows 7.
Update
Finally, determine whether there are any relevant updates to the Windows 7 operating
system and apply them to your computer. It is important to keep the operating system
up-to-date to protect against security threats. You can also check for updates during the
upgrade process. Dynamic Update is a feature of Windows 7 Setup that works with
Windows Update to download any critical fixes and drivers that the setup process
be migrated. Your consideration must also include whether the account should be
enabled on the destination computer and how you will deal with password
requirements.
• Application settings: you must determine and locate the application settings that
you want to migrate. This information can be acquired when you are testing the
new applications for compatibility with the new operating system. Considerations
Tool | Description
Windows Easy Transfer (WET) | Use WET to perform a side-by-side migration for a single computer, or a small number of computers. WET supports data transfer to the destination computer by using the network, WET cable, removable media, or a writable CD or DVD.
Backup
Before installing the new operating system, you must back up all user-related settings
and program settings. You can use either WET or USMT to assist with this process.
You should also consider backing up your user data. Although the installation program
will not destroy user data, it is good practice to back up your data to protect against
accidental loss or damage during installation.
Install Windows 7
Run the Windows 7 installation program (setup.exe) from the product CD/DVD or a
network share and perform a clean installation, by selecting Custom (advanced)
during the installation process, and then following the on-screen instructions to
complete the installation.
Update
If you chose not to check for updates during the installation process, it is important to
do so after verifying the installation. Keep your computer secure by keeping up with
the current patches and updates.
Install Applications
Performing an upgrade using a clean installation and migration process does not
migrate the installed applications. When you have completed the Windows 7
installation, you must reinstall all applications. Windows 7 may block the installation
of any incompatible programs. To install any of these programs, contact the software
vendor for an updated version of that program that is compatible with Windows 7.
Restore
After installing your applications, use WET or USMT to migrate your application
settings and user-related settings to complete the migration process.
However, you cannot use WET to move program files. WET can only move data and
program settings. To transfer the settings of a program to Windows 7, you must install
Note: Windows Easy Transfer does not transfer any system files such as fonts and
drivers. To do this, install custom fonts and updated drivers in Windows 7.
If your source computer is running Windows Vista or later, you can find WET in the
System Tools program group folder. If your computer is running Windows XP, you
need to obtain WET first. WET can be obtained from a Windows 7 product CD/DVD
or from any computer running Windows 7.
If your source computer already has WET, you can skip the following procedure of
preparing for the migration on the destination computer.
Migrate Files and Settings from the Source Computer to the Destination
Computer
If you use WET, you can select one of the following transfer methods to transfer files and
settings from a qualified operating system to Windows 7:
• Use an Easy Transfer Cable, which is a special USB cable designed to work with
Windows Easy Transfer by creating a direct link between the source computer and
Note: If your computer already has WET, you can run it from the System Tools
program group folder.
2. Click Next.
3. Click A network.
Note: Both computers must support the transfer method you choose. For example, both
computers must be connected to the same network.
4. Click This is my old computer. WET creates a Windows Easy Transfer key. This
key is used to link the source and destination computers.
5. Follow the steps to enter the Windows Easy Transfer key on your destination
computer to allow the network connection.
6. On your destination computer, after entering the Windows Easy Transfer key,
click Next. A connection is established and Windows Easy Transfer checks for
updates and compatibility.
7. Click Transfer to transfer all files and settings. You can also determine which
files should be migrated by selecting only the user profiles you want to transfer, or
by clicking Customize.
8. Click Close after Windows Easy Transfer has completed the migration of files and
settings to the destination computer.
Note: Both computers must support the transfer method you choose. For example, both
computers must be connected to the same network.
2. Click Next.
3. Click An external hard disk or USB flash drive.
Note: Both computers must support the transfer method you choose. For example, both
computers must support the same type of removable media.
4. Click This is my old computer. Windows Easy Transfer scans the computer.
5. Click Next. You can also determine which files should be migrated by selecting
only the user profiles you want to transfer, or by clicking Customize.
6. Enter a password to protect your Easy Transfer file, or leave the box blank, and
then click Save.
7. Browse to the location on the network or the removable media where you want to
Lesson 4
Performing Image-based Installation of Windows 7
Benefits of WIM
WIM provides several benefits over other imaging formats, such as the following:
• A single WIM file can address many different hardware configurations. WIM does
not require that the destination hardware match the source hardware, so you need
only one image to address many different hardware configurations.
• WIM can store multiple images within a single file. For example, you can store
images with and without core applications in a single image file.
• WIM enables compression and single instancing, which reduces the size of image
files significantly. Single instancing is a technique that allows multiple images to
share a single copy of files that are common between the instances.
• WIM enables you to service an image offline. You can add or remove certain
operating system components, files, updates, and drivers without creating a new
• Span images.
• Provide messaging status and progress.
ImageX is an implementation of the Imaging API.
• Enabling technologies: this includes the Windows Imaging File System (WIM
FS) Filter and the WIM boot filter. The file system filter enables the ability to
There are several tools and technologies that you can use to perform image-based
installation of Windows. You must be aware of these tools and where to use them in
deployment situations.
• Windows Setup (setup.exe): this is the program that installs the Windows
operating system or upgrades previous versions of the Windows operating system.
Windows Setup supports both interactive installations and unattended installations.
• Answer File: this is an XML file that stores the answers for a series of graphical
user interface (GUI) dialog boxes. The answer file for Windows Setup is
commonly called Unattend.xml. You can create and modify this answer file by
using Windows System Image Manager (Windows SIM). The Oobe.xml answer
file is used to customize Windows Welcome, which starts after Windows Setup
and during the first system startup.
• Catalog: this binary file (.clg) contains the state of the settings and packages in a
Windows image. There must be a catalog for each Windows 7 version that the
image contains.
WDS is also provided as a built-in server role that can be configured for Windows
Server 2008.
• Virtual Hard Disk (VHD): the Microsoft Virtual Hard Disk file format (.vhd) is a
publicly available format specification that specifies a virtual hard disk
encapsulated in a single file, capable of hosting native file systems and supporting
standard disk operations. VHD files are used by Microsoft® Hyper-V™ server,
Microsoft® Virtual Server, and Microsoft® Virtual PC for virtual disks connected
to a virtual machine.
script. Windows PE enables you to start a computer for the purposes of deployment
and recovery. Windows PE starts the computer directly from memory, enabling you to
remove the Windows PE media after the computer starts. Once you have started the
computer in Windows PE, you can use the ImageX tool to capture, modify, and apply
file-based disk images.
Note: If a catalog file does not exist for this edition of Windows 7, then you will be
prompted to create a catalog file. The creation process takes several minutes. In this
demonstration, you are not prompted to create a catalog file because it has already
been created for you.
5. In the Answer File area, right-click Create or open an answer file, and then click
New Answer File.
6. In the Windows Image area, expand Components and scroll down and expand
x86_Microsoft-Windows-Setup. This group of settings is primarily used in the
windowsPE stage of an unattended installation. Notice that it includes Disk
Configuration.
7. Expand UserData and right-click ProductKey. You can see that this setting can
only be applied in the windowsPE stage. This would be used for an unattended
installation where Windows 7 is installed from the install.wim file on the Windows
7 installation DVD.
8. Scroll down and click x86_Microsoft-Windows-Shell-Setup. Notice that the
option for the product key is available here as well as shown in the Properties area.
9. Right-click x86_Microsoft-Windows-Shell-Setup and click Add setting to Pass
4 specialize. These settings are applied after an operating system has been
generalized by using Sysprep.
10. In the Microsoft-Windows-Shell-Setup Properties area, in the ProductKey box,
type “11111-22222-33333-44444-55555” and press Enter. Placing a product key
in this answer file prevents the need to enter the product key during the installation
of a new image.
11. Close Windows System Image Manager and do not save any changes.
Note: For more information, please refer to Windows SIM Technical Reference at
http://go.microsoft.com/fwlink/?LinkID=154216.
Question: Why would you use an answer file rather than manually completing the
installation of Windows 7?
Answer: An answer file is used to automate the installation process for speed and
consistency. When you use an answer file, you are assured that each installation is the
same. Automating the installation process is more efficient when multiple computers
are configured at once.
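An added example, not part of the original courseware: a product key typed into an answer file, as in the demonstration above, is stored in the XML as readable text, and the same is true of any password settings the file carries. The PowerShell sketch below lists those settings per configuration pass and component so the file can be protected accordingly; the function name, the sample answer file and the password value are constructed for illustration, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the courseware). Assumes Windows PowerShell 3.0 or later.
# Constructed sample answer file; the product key is the placeholder from the demonstration
# and the password value is made up.
$sampleAnswerFile = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="windowsPE">
    <component name="Microsoft-Windows-Setup" processorArchitecture="x86">
      <UserData>
        <ProductKey><Key>11111-22222-33333-44444-55555</Key></ProductKey>
      </UserData>
    </component>
  </settings>
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
      <ProductKey>11111-22222-33333-44444-55555</ProductKey>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86">
      <UserAccounts>
        <AdministratorPassword>
          <Value>ExamplePassw0rd</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
      </UserAccounts>
    </component>
  </settings>
</unattend>
'@

function Get-AnswerFileSecret {
    # Hypothetical helper: reports the settings in an answer file that hold secrets.
    param([Parameter(Mandatory)][xml]$AnswerFile)

    $ns = New-Object System.Xml.XmlNamespaceManager($AnswerFile.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    foreach ($settings in $AnswerFile.SelectNodes('/u:unattend/u:settings', $ns)) {
        $pass = $settings.GetAttribute('pass')
        foreach ($component in $settings.SelectNodes('u:component', $ns)) {
            $name = $component.GetAttribute('name')

            # Product keys appear as <ProductKey>text</ProductKey> (Shell-Setup) or as
            # <ProductKey><Key>text</Key></ProductKey> (Setup, windowsPE pass).
            foreach ($node in $component.SelectNodes('.//u:ProductKey', $ns)) {
                if ($node.InnerText.Trim()) {
                    [pscustomobject]@{
                        Pass      = $pass
                        Component = $name
                        Setting   = 'ProductKey'
                        Finding   = 'Product key stored in the file'
                    }
                }
            }

            # Password settings are elements with <Value> and <PlainText> children.
            foreach ($node in $component.SelectNodes('.//u:*[u:Value and u:PlainText]', $ns)) {
                $plain = $node.SelectSingleNode('u:PlainText', $ns).InnerText.Trim()
                $finding = if ($plain -ieq 'true') {
                    'Password stored in plain text'
                } else {
                    'Password is Base64-encoded, not encrypted'
                }
                [pscustomobject]@{
                    Pass      = $pass
                    Component = $name
                    Setting   = $node.LocalName
                    Finding   = $finding
                }
            }
        }
    }
}

# Three findings for the constructed sample: two product keys and one plain-text password.
Get-AnswerFileSecret -AnswerFile ([xml]$sampleAnswerFile) | Format-Table -AutoSize
```

To check a real file, pass `([xml](Get-Content -Raw <path to Unattend.xml>))` instead of the sample.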
Sysprep Tasks
Sysprep can be used to perform the following tasks:
• Remove system-specific data from the Windows operating system.
• Configure Windows to start in audit mode.
• Configure the Windows operating system to start the Out-of-Box Experience
(OOBE).
• Reset Windows Product Activation.
Option | Description
/audit | Restarts the computer in audit mode. Audit mode enables you to add drivers or applications to Windows. You can also test an installation of Windows before it is sent to an end user. If an unattended Windows setup file is specified, the audit mode of Windows Setup runs the auditSystem and auditUser configuration passes.
/reboot | Restarts the computer. Use this option to audit the computer and to verify that the first-run experience operates correctly.
/shutdown | Shuts down the computer after the Sysprep command finishes running.
/quit | Closes the Sysprep tool after running the specified commands.
Note: For more information on copype, copy, and oscdimg, please refer to:
http://go.microsoft.com/fwlink/?LinkID=154217,
http://go.microsoft.com/fwlink/?LinkID=154218,
http://go.microsoft.com/fwlink/?LinkID=154219
Question: After you have created the iso file, what should you do with it?
Answer: Typically, the next step is to burn the iso file as a bootable CD or DVD. It
can then be used to perform imaging operations.
ImageX Tasks
ImageX can be used to perform the following tasks:
• View the contents of a WIM file: ImageX provides the ability to view the
contents of a WIM file. This is useful to see which images are available and can be
deployed from within the WIM file.
• Capture and apply images: you can capture an image of a source computer and
save it as a WIM file format. You can save the image to a distribution share, from
which users can use Windows 7 Setup to install the image, or you can push the
image out to the desktop by using various deployment techniques. You can also
use ImageX to apply the image to the destination computer.
• Mount images for offline image editing: a common scenario for ImageX is
customizing an existing image, including updating files and folders. You can
update and edit an offline image without creating a new image for distribution.
• Store multiple images in a single file: you can use ImageX to store multiple
images in a single WIM file to take advantage of single instancing, which
minimizes the size of the image file. This makes it much easier to deploy multiple
images by using removable media or across a slower network connection. When
Windows 7 is installed using a file with multiple images, users can select which
image to apply. For example, you can have a WIM file that contains several role-
based configurations, or images before and after certain updates.
• Compress the image files: ImageX supports two different compression
algorithms, Fast and Maximum, to further reduce the image size.
• Implement scripts for image creation: you can use scripting tools to create and
edit images.
Command | Description
Flags “EditionID” | Specifies the version of Windows that you need to capture. This is required if you plan to re-deploy a custom Install.wim with Windows Setup. The quotation marks are also required. Valid EditionID values include: HomeBasic, HomePremium, Starter, Ultimate, Business, Enterprise, ServerDatacenter, ServerEnterprise, and ServerStandard.
apply | Applies a volume image to a specified drive. Note that you must create all hard disk partitions before beginning this process and run this option from Windows PE.
mount/mountrw | Mounts a .wim file with read or read/write permission. After the file is mounted, you can view and modify all of the information contained in the directory.
split | Splits large .wim files into multiple read-only .wim files.
Note: The preceding table is only a subset of the tools and functionality provided by
ImageX. For a more detailed list of syntax commands, read the “ImageX Technical
Reference” included in the “Windows Automated Installation Kit User’s Guide.”
Deployment Image Servicing and Management (DISM) is a command line tool used to
service Windows images offline before deployment. You can use it to install, uninstall,
configure, and update Windows features, packages, drivers and international settings.
Subsets of the DISM servicing commands are also available for servicing a running
operating system.
DISM.exe /image:<path_to_offline_image_directory>
[/WinDir:<path_to_%WINDIR%>] [/LogPath:<path_to_log_file.log>]
[/LogLevel:<n>] [/SysDriveDir:<path_to_bootMgr_file>] [/Quiet]
[/NoRestart] [/ScratchDir:<path_to_scratch_directory>]
The following DISM options are available for a running operating system:
The following table shows some of the more common command-line options available
for DISM:
Option: /Get-Help, /?
Description: Displays information about available DISM command-line options and arguments. The options available for servicing an image depend on the servicing technology that is available in your image. Specifying an image, either an offline image or the running operating system, will generate information about specific options that are available for the image you are servicing.
Example:
Dism /?
Dism /image:C:\test\offline /?
Dism /online /?

Dism /Mount-Wim /WimFile:C:\test\offline\install.wim /name:"Windows 7 Enterprise" /MountDir:C:\test\offline

Option: /Get-
Description: Lists the images currently mounted and information about the

Option: /Commit-Wim
Description: Applies the changes you have made to the mounted image. The image remains mounted until the /unmount option is used.
Example:
Dism /Commit-Wim /MountDir:C:\test\offline

Option: /Unmount-Wim
Description: Unmounts the WIM file and either commits or discards the changes made while the image was mounted.
Example:
Dism /unmount-Wim /MountDir:C:\test\offline /commit
Dism /unmount-Wim /MountDir:C:\test\offline /discard
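An added example, not part of the original courseware: the mount, service and unmount options above combined into one PowerShell workflow that commits the image only when every servicing step succeeded and discards the changes otherwise, so a failed run never alters the image. The function names and all paths are assumptions; /Index and /Add-Driver are DISM options not shown in the table above, and the script must run from an elevated prompt.

```powershell
# Added example (not from the courseware). Function names and paths are hypothetical.
# Run from an elevated prompt; MountDir must be an existing, empty folder.

function Invoke-Dism {
    # Runs dism.exe and turns a non-zero exit code into a terminating error.
    param([Parameter(Mandatory)][string[]]$Arguments)
    & dism.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dism.exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

function Update-OfflineImage {
    param(
        [Parameter(Mandatory)][string]$WimFile,
        [Parameter(Mandatory)][int]$Index,          # image index inside the WIM file
        [Parameter(Mandatory)][string]$MountDir,
        [Parameter(Mandatory)][scriptblock]$Servicing
    )

    Invoke-Dism '/Mount-Wim', "/WimFile:$WimFile", "/Index:$Index", "/MountDir:$MountDir"
    $succeeded = $false
    try {
        # Confirm what is mounted before changing anything.
        Invoke-Dism '/Get-MountedWimInfo'
        & $Servicing $MountDir
        $succeeded = $true
    }
    finally {
        # Commit only if every servicing step succeeded; otherwise throw the changes away.
        $disposition = if ($succeeded) { '/Commit' } else { '/Discard' }
        Invoke-Dism '/Unmount-Wim', "/MountDir:$MountDir", $disposition
    }
}

# Usage: add every driver found under C:\drivers to image 1 of the WIM file.
$wim = 'C:\images\install.wim'
if (Test-Path $wim) {
    Update-OfflineImage -WimFile $wim -Index 1 -MountDir 'C:\test\offline' -Servicing {
        param($dir)
        Invoke-Dism "/Image:$dir", '/Add-Driver', '/Driver:C:\drivers', '/Recurse'
    }
}
```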
In this demonstration, you will see how to modify an image by using DISM.
6. When the image mounting is complete, at the command prompt, type
“dism /get-mountedwiminfo” and press Enter. This displays information about the mounted
image. Notice that an index number is displayed instead of the name.
7. Type “cd C:\img” and press Enter.
8. At the command prompt, type “dir” and press Enter. You can see the installation
User State Migration Tool (USMT) is a scriptable command-line tool that provides a
highly-customizable user-profile migration experience for IT professionals. The
following table shows the components of USMT:
Component | Explanation
ScanState.exe | The ScanState tool scans the source computer, collects the files and settings, and then creates a store. ScanState does not modify the source computer. By default, it compresses the files and stores them as a migration store. ScanState copies files into a temporary location and then into the migration store.
LoadState.exe | The LoadState tool migrates the files and settings, one at a time, from the store to a temporary location on the destination computer. The files are decompressed, and decrypted if necessary, during this process. Next, LoadState transfers the file to the correct location, deletes the temporary copy, and begins migrating the next file. Compression improves performance by reducing network bandwidth use as well as the required space in the store. However, for testing purposes, you can choose to turn off compression with the /nocompress option.
Migration .xml files | The .xml files used by USMT for migrations are the MigApp.xml, MigUser.xml, or MigDocs.xml and any custom .xml files that you create.
Config.xml | If you want to exclude components from the migration, you can create and modify the Config.xml file using the /genconfig option with the ScanState tool. This optional file has a different format from the migration .xml files because it does not contain migration rules. The Config.xml file contains a list of the components that can be migrated. You specify migrate = "no" for the components you want to exclude from the migration. Additionally, this file can be used to control some migration options new to USMT 4.0.
or Windows 7, you will need to create and modify a Config.xml file.
USMT internal files | All other .dll, .xml, .dat, .mui, and .inf files that are included with USMT are for internal use. You cannot modify these files.
The ScanState tool provides various options related to specific categories. These
categories are explained in the following sections.
Option | Description
StorePath | Indicates the folder in which to save the files and settings (for example, a network share; StorePath cannot be c:\). You must
/encrypt /key:KeyString or /encrypt /key:"Key String" or /encrypt /keyfile:[Path\]Filename | Encrypts the store with the specified key (password). Encryption is disabled by default. When you use this option, you need to specify the encryption key in one of the following ways: /key:KeyString specifies the encryption key. If there is a space in KeyString, you will need to enclose it in quotation marks. /keyfile:FilePathAndName specifies a .txt file that contains the encryption key.
Option | Description
/i:[Path\]Filename | Specifies an .xml file that contains rules that define what state to migrate. You can specify this option multiple times to specify all
/config:[Path\]FileName | Specifies the Config.xml file that ScanState should use to create the store. You cannot specify this option more than once on the command line.
Monitoring Options
USMT provides several options that you can use to analyze problems that occur during
migration.
Option | Description
/l:[Path\]FileName | Specifies the location and name of the ScanState log. You cannot store any of the log files in StorePath.
/v:VerbosityLevel | Enables verbose output in the ScanState log. The default is 0. You can specify any number from 0 to 15. For more information about the verbosity levels, read the USMT Help files.
Option | Description
/all | Migrates all of the users on the computer. /all is the default option if you do not specify other options.
/ui:[DomainName\]UserName | Migrates the specified user(s). When you specify a UserName that contains spaces, you need to enclose it in quotation marks. You can specify multiple /ui options.
Note: Extreme caution should be taken when migrating encrypted files. If you migrate
an encrypted file without also migrating the certificate, end users will not be able to
access the file after the migration.
Option | Description
/efs:skip | Causes ScanState to ignore Encrypting File System (EFS) files completely.
/efs:copyraw | Causes ScanState to copy the files in the encrypted format. The files will be inaccessible on the destination computer until the EFS certificates are migrated.
The LoadState tool uses most of the same categories and options as the ScanState tool.
The following categories and options are specific to LoadState.
Option | Description
/decrypt /key:KeyString or /decrypt /key:"Key String" | Decrypts the store with the specified key. When you use this option, you need to specify the encryption key in one of the following ways: /key:KeyString specifies the encryption key. If there is a

Option | Description
/q | Allows LoadState to run without administrator credentials. This option will migrate only the user account and settings for the currently logged-on user. Errors occur if you try to apply settings to a location for which the user does not have sufficient credentials.
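An added example, not part of the original courseware: a PowerShell wrapper that builds ScanState and LoadState command lines for an encrypted store and enforces the rules stated in the option tables above (StorePath cannot be c:\, logs cannot live in StorePath, verbosity from 0 to 15). It uses /keyfile rather than /key so the key never appears on a command line, where scripts and process listings would record it. Function names, the server, share and paths are hypothetical; Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the courseware). Assumes Windows PowerShell 3.0 or later.
# Function names, server, share and file paths are hypothetical.

function New-MigrationKeyFile {
    # Writes a random 256-bit key as Base64 text (no spaces, so it needs no quoting).
    param([Parameter(Mandatory)][string]$Path)
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    [System.IO.File]::WriteAllText($Path, [Convert]::ToBase64String($bytes))
}

function New-UsmtArgument {
    param(
        [Parameter(Mandatory)][ValidateSet('ScanState', 'LoadState')][string]$Tool,
        [Parameter(Mandatory)][string]$StorePath,
        [Parameter(Mandatory)][string]$LogPath,
        [Parameter(Mandatory)][string]$KeyFile,
        [string[]]$MigrationXml = @('MigApp.xml', 'MigUser.xml'),
        [string]$ConfigXml,
        [ValidateRange(0, 15)][int]$Verbosity = 13,
        # Only the two /efs values described on this page are accepted here.
        [ValidateSet('skip', 'copyraw')][string]$Efs = 'copyraw'
    )

    $store = $StorePath.TrimEnd('\')
    if ($store -ieq 'c:') { throw 'StorePath cannot be c:\.' }
    if ($LogPath.StartsWith(($store + '\'), [System.StringComparison]::OrdinalIgnoreCase)) {
        throw 'Log files cannot be stored in StorePath.'
    }

    $arguments = @($StorePath)
    $arguments += $MigrationXml | ForEach-Object { "/i:$_" }
    if ($ConfigXml) { $arguments += "/config:$ConfigXml" }   # at most once per command line
    if ($Tool -eq 'ScanState') {
        # copyraw keeps EFS files encrypted; the EFS certificates must be migrated as well.
        $arguments += '/encrypt', "/keyfile:$KeyFile", "/efs:$Efs"
    } else {
        $arguments += '/decrypt', "/keyfile:$KeyFile"
    }
    $arguments += "/l:$LogPath", "/v:$Verbosity"
    $arguments
}

function Invoke-Usmt {
    param([Parameter(Mandatory)][string]$Tool, [Parameter(Mandatory)][string[]]$Arguments)
    $exe = "$Tool.exe"
    if (-not (Get-Command $exe -ErrorAction SilentlyContinue)) {
        # USMT is not on the PATH: return the command line instead of running it.
        return "$exe $($Arguments -join ' ')"
    }
    & $exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$exe failed with exit code $LASTEXITCODE; check the log." }
}

# Keep the key file apart from the store; a temp folder is used here only so the demo runs.
$keyFile = Join-Path $env:TEMP 'usmt-key.txt'
$store   = '\\fs01\migration\PC-0042'
New-MigrationKeyFile -Path $keyFile

# Source computer: collect state into the encrypted store.
$scan = New-UsmtArgument -Tool ScanState -StorePath $store -KeyFile $keyFile `
    -LogPath 'C:\usmtlogs\scanstate.log' -ConfigXml 'Config.xml'
Invoke-Usmt -Tool ScanState -Arguments $scan

# Destination computer: restore with the same key file.
$load = New-UsmtArgument -Tool LoadState -StorePath $store -KeyFile $keyFile `
    -LogPath 'C:\usmtlogs\loadstate.log'
Invoke-Usmt -Tool LoadState -Arguments $load
```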
Configuring VHDs
Note: VDI is a desktop delivery model which allows client desktop workloads (operating
system, application, user data) to be hosted and executed on servers in the data center.
Native-boot VHD files are not intended to replace full image deployment on all client
or server systems. VHD boot is best used in a highly managed environment and used
with technologies such as Folder Redirection and Roaming User Profiles so that the
user state is not stored in the image. Native-boot VHD can also be used for dual boot
when you only have a single disk volume, as an alternative to running virtual
machines.
manage WIM and VHD image files. In Windows 7, VHD files can be attached from
the Disk Management Microsoft Management Console (MMC), assigned a drive letter,
and then viewed and modified as if they were normal hard drives.
Windows 7 based VHD files can be treated similarly to WIM files with regards to
offline image servicing and image-based setup. In addition, IT professionals can
service VHD images by using DISM and deploy VHD files by using WDS and
multicast deployment options. This enables automatic deployment of Windows on
VHD files.
The following steps outline Windows 7 deployment on VHD:
1. Create the VHD: you can create a VHD by using the DiskPart tool or the Disk
Management MMC. The Disk Management MMC also enables you to attach the
VHD, so that it appears on the host computer as a drive and not as a static
file. VHD files can then be partitioned and formatted before you install an
operating system.
2. Prepare the VHD: install Windows 7 on the VHD. You can perform the capture
and apply method by using ImageX.
3. Deploy the VHD: the VHD file can then be copied to one or more systems, to be
run in a virtual machine or for native boot. To configure native boot, add the
native-boot VHD to the boot menu by using the BCDEdit or BCDboot tool. BCDEdit
is a command-line tool for managing Boot Configuration Data (BCD) stores and
BCDboot is a command-line tool for initializing the BCD store and copying boot
environment files to the system partition. You can also automate the network
deployment of VHD by using WDS. WDS can be used to copy the VHD image to
a local partition and to configure the local Boot Configuration Data (BCD) for
native-boot from the VHD.
Question: Given a Windows 7-based VHD that is configured to run in a Virtual PC,
can the same VHD be configured to run in native boot?
Answer: Yes. However, before a Windows 7-based VHD that is configured to run in
Virtual PC can be used to run in native boot, you must remove system-specific data
from the Windows installation by using Sysprep.
Lesson 5
Configuring Application Compatibility
An application written for a specific operating system can cause problems when
installed on a computer with a different operating system for a number of reasons. To
troubleshoot and address the problems effectively, it is important to be aware of the
general areas that typically cause the most compatibility issues.
Generally, applications and hardware that worked on Windows Vista will continue to
work on Windows 7. The following shows several areas of concern with Windows 7
application compatibility.
message indicating that the resource could not be updated. This is because access
to these resources is denied.
• Applications that attempt to write new registry keys or values to protected registry
keys may fail with an error message that indicates that the change failed because
access was denied.
• Applications that attempt to write to protected resources may fail if they rely on
registry keys or values.
64-Bit architecture
Windows 7 fully supports the 64-bit architecture. The 64-bit version of Windows 7 can
run all 32-bit applications with the help of the WOW64 emulator. Considerations for
the 64-Bit Windows 7 include:
• Applications or components that use 16-bit executables, 16-bit installers, or 32-bit
kernel drivers will either fail to start or will function improperly on a 64-bit edition
Kernel-mode drivers
Kernel-mode drivers must support the Windows 7 operating system or be re-designed
to follow the User-Mode Driver Framework (UMDF). UMDF is a device driver
development platform that was introduced in Windows Vista. In addition, kernel mode
printer driver support has been removed from Windows 7 and Windows Server 2008
R2.
Note: For 64-bit versions of Windows 7, all drivers must be digitally signed by the
vendor to be installed.
Deprecated components
The release of Windows 7 has also introduced issues with deprecated APIs or DLLs
from Windows XP and Windows Vista, the new credential provider framework, and
service isolation.
• Deprecations: Windows 7 has deprecated many objects from earlier versions of
the operating system. The deprecation has occurred for .dll files, executable (.exe)
files, COM objects, registry keys, application-programming interfaces (APIs), and
various other files. This change affects any application that used the deprecated
APIs or DLLs, causing the applications to lose functionality or to fail to start.
• Graphical Identification and Authentication (GINA) DLL: Independent
Software Vendors (ISVs) were able to modify Microsoft Windows® authentication
by installing a GINA DLL. The GINA DLL then performed all the identification
and authentication of user interactions.
Windows 7 offers a new authentication model that no longer requires this DLL and
ignores all previous GINA DLLs. This change affects any application or hardware
component that attempts to log on by using customized logon applications,
including biometric devices (fingerprint readers), customized user interfaces, and
virtual private network (VPN) solutions for remote users with customized logon
user interfaces.
• Session 0: the first user who logged on to a computer ran in Session 0, which is
the same session that is used for all system services. Windows 7 requires all users
to run in Session 1 or later so that no user runs in the same session as the system
services. Because of this change, applications will fail to start if they depend on
interactive services. Interactive services include any service that attempts to send a
Windows message, any service that attempts to locate a window or additional
service, and any service that attempts to run any user processes that open the same
named object (unless it is a globally named object).
Mitigation Methods
Some of the more common mitigation methods include the following:
• Modifying the configuration of the existing application: there can be
compatibility issues that require a modification to the application configuration,
such as moving files to different folders, modifying registry entries, or changing
file or folder permissions. You can use tools such as the Compatibility
Administrator or the Standard User Analyzer (installed with ACT) to detect and
create application fixes (also called shims) to address the compatibility issues. You
should contact the software vendor for information about any additional
compatibility solutions.
• Applying updates or service packs to the application: updates or service packs
may be available to address many of the compatibility issues and help the
application to run with the new operating system environment. After applying the
update or service pack, additional application tests can ensure that the
compatibility issue has been mitigated.
• Upgrading the application to a compatible version: if a newer, compatible
version of the application exists, the best long-term mitigation is to upgrade to the
newer version. Using this approach, you must consider both the cost of the
upgrade and any potential problems that may arise with having two different
versions of the application.
• Modifying the security configuration: if your compatibility issues appear to be
permissions-related, a short-term solution is to modify the security configuration
of the application. Using this approach, you must be sure to conduct a full risk
analysis and gain consensus from your organization’s security team regarding the
modifications. For example, Internet Explorer Protected Mode issues can be
mitigated by adding the site to the trusted site list or by turning off Protected
Mode (which is not recommended).
• Running the application in a virtualized environment: if all other methods are
unavailable, you may be able to run the application in an earlier version of
Windows, using virtualization tools such as Microsoft Virtual PC and Microsoft
Virtual Server. There are a number of advantages to using a virtualized
environment, such as the ability to support a large number of servers in a single
host environment and the ability to easily restore a virtualized configuration to a
previous state. However, performance issues and the lack of support for
hardware-specific drivers limit full production functionality for many organizations.
Another option is to provide the application to users using technologies such as
Updating Shims
messages are applied. Deploying your custom compatibility fix database into your
organization requires you to perform the following actions:
1. Store your compatibility fix database (.sdb file) in a location from which all of
your organization's computers can access it, either locally or on your network. You
can deploy your customized database files in several ways, including by using a
logon script, by using Group Policy, or by performing file copy operations.
2. After deploying and storing the customized databases on each of your local
computers, you must register the database files. Until you register the database
files, the operating system will be unable to identify the available compatibility
fixes when starting an application. Use the Sdbinst.exe command-line tool to
install the custom compatibility fix database locally.
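One way to carry out both steps on a client, as an added example that is not part of the courseware: it copies the database locally, refuses to register it unless its SHA-256 hash matches the value recorded when the fix was approved, and then runs Sdbinst.exe. The share path, folder name and hash are placeholders; run it elevated.

```powershell
# Added example. The three values below are placeholders, not values from the course.
$SourceSdb      = '\\fileserver\appcompat\CustomFixes.sdb'  # hypothetical network location
$LocalDir       = Join-Path $env:ProgramData 'AppCompat'    # hypothetical local staging folder
$ExpectedSha256 = '<SHA256-OF-APPROVED-SDB>'                # hash recorded when the .sdb was approved

# Compute a SHA-256 hash with .NET so the script also works on PowerShell 2.0.
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '') }
    finally { $stream.Close() }
}

# Step 1: store the database where the local computer can access it.
New-Item -ItemType Directory -Force -Path $LocalDir | Out-Null
$LocalSdb = Join-Path $LocalDir (Split-Path -Leaf $SourceSdb)
Copy-Item -Path $SourceSdb -Destination $LocalSdb -Force

# A compatibility fix database changes how applications start, so register only
# the exact file that was reviewed. A mismatch means the file differs from it.
$actual = Get-Sha256Hex $LocalSdb
if ($actual -ne $ExpectedSha256.ToUpper()) {
    Remove-Item $LocalSdb
    throw "Hash mismatch for $LocalSdb (got $actual); database not registered."
}

# Step 2: register the database. -q suppresses the confirmation dialog.
sdbinst.exe -q $LocalSdb
if ($LASTEXITCODE -ne 0) { throw "sdbinst.exe failed with exit code $LASTEXITCODE" }

# List the custom databases now registered on this computer for review.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
Get-ChildItem $key -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Select-Object DatabaseDescription, DatabasePath
```

The same registry listing is useful on its own as an audit of which custom fix databases a computer has registered.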
Review Answers
1. In business scenarios, you should select either Windows 7 Professional or
Error messages appear during setup. Carefully note any messages, and search
the Microsoft Knowledge Base for an
Tools
User State Migration Tool | Migrating user settings and data for a large number of computers | Windows AIK
Module 2
Configuring Disks and Device Drivers
Contents:
Lesson 1: Partitioning Disks in Windows 7
Lesson 2: Managing Disk Volumes
Lesson 3: Maintaining Disks in Windows 7
Lesson 4: Installing and Configuring Device Drivers
Module Overview
• Basic disk
• Dynamic disk
• Volume
• System volume
• Boot volume
• Partition
• Disk partitioning
• Logical Block Address (LBA)
Additional information about each term is included in the “Module Review and
Takeaways” section.
Lesson 1
Partitioning Disks in Windows 7
management tasks such as partitioning disks or converting disks from one partition
scheme to the other.
Note: You can install the rest of the operating system on another partition or disk. In
Windows 7, the active partition must contain the boot sector, boot manager, and related
files.
• Four partitions on each disk: MBR-based disks are limited to four partitions. All
of these can be primary partitions, or one can be an extended partition with logical
volumes inside. You can configure the extended partition to contain multiple
volumes.
• A 2 Terabyte (TB) maximum partition size: A partition cannot be larger than 2
TB.
• No redundancy provided: The MBR is a single point of failure, and if corrupted
or damaged, it can render the operating system non-bootable.
Question: What are three restrictions of an MBR partitioned disk? Have you
encountered these limitations in your organization, and if so, what did you do to work
around them?
Answer: The restrictions are that MBR partitioned disks are limited to four partitions,
a 2 TB maximum partition size, and there is no data redundancy provided.
• 128 partitions per disk: This is a vast improvement over MBR-based disks.
• 18 Exabyte (EB) volume size: This is a theoretical maximum because hard disk
hardware is not yet available that supports such vast volume sizes.
You can implement GPT-based disks on Windows Server® 2008, Windows Vista, and
Windows 7. You cannot use the GPT partition style on removable disks.
GPT Architecture
On a GPT partitioned disk, the following sectors are defined:
• Sector 0 contains a legacy protective MBR. The protective MBR contains one
primary partition covering the entire disk.
• The protective MBR protects GPT disks from previously-released MBR
disk tools such as Microsoft MS-DOS FDISK or Microsoft Windows NT
Disk Administrator.
Question: How does a GPT partitioned disk on a 64-bit Windows 7 operating system
use an MBR?
Answer: On a GPT partitioned disk, Sector 0 contains a legacy protective MBR. The
protective MBR contains one primary partition covering the entire disk. The protective
MBR protects GPT disks from previously released MBR disk tools such as Microsoft
MS-DOS FDISK or Microsoft Windows NT Disk Administrator. These tools view a
GPT disk as having a single encompassing (possibly unrecognized) partition by
interpreting the protective MBR, rather than mistaking the disk for one that is
unpartitioned. Legacy software that does not know about GPT interprets only the
protective MBR when it accesses a GPT disk.
Two tools that you can use to manage disks and the volumes or partitions that they
contain on Windows 7 are as follows:
• Disk Management: The graphical user interface for managing disks and volumes,
both basic and dynamic, locally or on remote computers. After you select the
remote computer to manage, perform the same tasks that you typically perform
while sitting at the local computer.
• Diskpart.exe: A scriptable command-line utility with functionality similar to
Disk Management, plus some advanced features. You can create scripts to
automate disk-related tasks, such as creating volumes or converting disks to
dynamic. Diskpart.exe always runs locally.
Note: Remote connections in workgroups are not supported. Both the local computer
and the remote computer must be in a domain to use Disk Management to manage a
disk remotely.
Note: Do not use disk editing tools such as DiskProbe to make changes to GPT disks.
Any change that you make renders the checksums invalid, which might cause the disk
With either tool, you can initialize disks, create volumes, and format the volume file
system. Additional common tasks include moving disks between computers, changing
disks between basic and dynamic types, and changing the partition style of disks. Most
Disk Management
Using the Disk Management snap-in of the Microsoft Management Console (MMC),
administrators can quickly manage standard, fault tolerant, and volume sets and
confirm the health of each volume. Disk Management in Windows 7 provides the same
features you may already be familiar with from earlier versions, but also includes some
new features:
• Simpler partition creation: When you right-click a volume, choose whether to
create a basic, spanned, or striped partition directly from the menu.
• Disk conversion options: When you add more than four partitions to a basic disk,
you are prompted to convert the disk to dynamic or to the GPT partition style. You
can also convert basic disks to dynamic disks without data loss. However,
converting a dynamic disk to basic is not possible without deleting all the volumes
first.
• Extend and shrink partitions: You can extend and shrink partitions directly from
the Windows interface.
To open Disk Management, click Start, type “diskmgmt.msc” in the search box, and
then click diskmgmt.msc in the results list.
Diskpart.exe
Diskpart.exe allows you to manage fixed disks and volumes by using scripts or direct
input from the command line. At the command prompt, type “diskpart” and then enter
commands from the diskpart> prompt. The following are common diskpart actions:
• To view a list of diskpart commands, at the diskpart command prompt, type
“commands”.
• To create a diskpart script in a text file and then run the script, type a
command similar to “diskpart /s testscript.txt”.
• To create a log file of the diskpart session, type
“diskpart /s testscript.txt > logfile.txt”.
Command Description
For additional information about diskpart.exe commands, start Disk Management and
then open the Help Topics from the Help menu.
Note: In a multi-boot scenario, if you are in one operating system and you convert a
basic MBR disk that contains an alternate operating system to a dynamic MBR disk, you
will not be able to boot into the alternate operating system.
Question: What is the effect on existing data when you convert a basic disk to a
dynamic disk and vice versa?
In this demonstration, you will see how to use both the diskpart command-line tool and
the Disk Management snap-in to manage disk types.
Start the LON-DC1 and the LON-CL1 virtual machines. Leave them running
throughout the duration of the module.
Question: Which tool do you prefer to use to convert a new disk to GPT, the Disk
Management snap-in or the diskpart.exe command-line tool?
Answer: Emphasize that both will work, but the students might express a preference.
Lesson 2
Managing Disk Volumes
Before the Windows 7 operating system can access newly installed dynamic disks, you
must create and format one or more volumes on a disk. Dynamic disks use a private
region of the disk to maintain a Logical Disk Manager (LDM) database. The LDM
database contains volume types, offsets, memberships, and drive letters for each
volume. The LDM database is also replicated, so each dynamic disk knows about every
other dynamic disk configuration. This feature makes dynamic disks more reliable and
recoverable than basic disks.
You can configure volumes to use some or all the available space on a single disk, or
configure the volume to span multiple disks. The following are examples of the types
of dynamic volumes that can be created on dynamic disks:
• Simple
• Spanned
• Striped
• Mirrored
• RAID-5
A volume is a contiguous, unallocated area of a physical hard disk that you format to
create a file system. You can then either assign it a drive letter or mount it in an
existing volume by using a volume mount point.
Scenario | Description
Business desktop computer with one disk | Most business users require a basic disk and one basic volume for storage, and do not require a computer with volumes that span multiple disks or that provide fault-tolerance. This is the best choice for those who require simplicity and ease of use.
A simple volume may provide better performance than striped data layout schemes.
For example, when serving multiple, lengthy, sequential streams, performance is best
when a single disk services each stream. Also, workloads that are composed of small,
random requests do not always result in performance benefits when they are moved
from a simple to a striped data layout.
As stated previously, when using simple volumes, any physical disk failure results in
data loss. However, the loss is limited to the failed drives. In some scenarios, this
provides a level of data isolation that can be interpreted as greater reliability.
reserved for floppy disk drives. If the computer does not have a floppy disk drive, you
can assign drive letters A and B to removable drives, hard disk drives, or mapped
network drives. Hard disk drives are typically assigned drive letters C through Z, while
mapped network drives are assigned drive letters in reverse order (Z through C).
Volumes created after the 26th drive letter has been used must be accessed using
volume mount points. The path environment variable shows specific drive letters with
Value Description
In this demonstration, you will see how to create a simple volume. A volume is
created first by using the Disk Management snap-in, and then by using the diskpart
command-line tool.
Manage.
2. In the Computer Management (Local) list, click Disk Management.
3. In Disk Management on Disk 2, right-click Unallocated, and then click New
Simple Volume.
4. In the New Simple Volume Wizard, click Next.
5. On the Specify Volume Size page, in the Simple volume size in MB box, type
“100” and then click Next.
6. On the Assign Drive Letter or Path page, click Next.
7. On the Format Partition page, in the Volume label box, type “Simple”, click
Next, and then click Finish.
Question: In what circumstances will you use less than all the available space on a
disk in a new volume?
Answer: Answers vary, but include partitioning a disk to support dual-boot scenarios.
also necessary to define how much space to allocate to the spanned volume from each
physical disk.
You can only create spanned volumes on dynamic disks. If you attempt to create a
spanned volume on basic disks, after you have defined the volume’s properties, and
confirmed the choices, Windows prompts you to convert the disk to dynamic.
It is possible to shrink a spanned volume; however, it is not possible to remove an area
from a specific disk. For example, if a spanned volume consists of three 100 MB
partitions on each of three disks, you cannot selectively delete the third element.
Depending on consumption of space in the volume, you can reduce the total size of the
volume.
Note: When you shrink a spanned volume, no data loss occurs; however, the number of
disks involved may decrease. If the spanned volume resides on a single disk, the
spanned volume is converted into a simple volume. If shrinking a spanned volume
leaves one or more empty dynamic disks, each empty dynamic disk is implicitly
converted to a basic disk.
If you subsequently install additional hard disks, it is possible to extend the spanned
volume to include areas of unallocated space on the new disks, provided this does not
exceed the 32-disk limit for spanned volumes.
Because no capacity is allocated for redundant data, RAID 0 does not provide data
recovery mechanisms such as those in RAID 1 and RAID 5. The loss of any disk
results in data loss on a larger scale than a simple volume because the entire file system
spread across multiple physical disks is disrupted. The more disks that you combine,
the less reliable the volume becomes.
When you create a striped volume, after installing multiple disks, define the file
Configuration Changes
There are times when you may want to upgrade or in some way alter the configuration
of computer hardware or software, for example:
• When the addition of functionality adds value to your organization
• When a fault in software, hardware, or the combined architecture results in an
application failing
• When a change in the functionality or role of a server or workstation occurs
Other forms of volume management with different types of fault tolerance and
recovery, such as RAID-1 or RAID-5 volumes, hardware mirroring, and disk
duplexing, are not covered in this module. These forms of volume management must
be considered during times of change.
Question: Describe scenarios when you create a spanned volume and when you create
a striped volume.
Answer: Create a spanned volume when you want to encompass several areas of
unallocated space on two or more disks. Create a striped volume when you want to
improve the I/O performance of the computer.
In this demonstration, you will see how to create both spanned and striped volumes.
Question: What is the advantage of using striped volumes, and conversely what is the
major disadvantage?
Answer: Performance is the advantage at the potential cost of reduced fault tolerance.
You can shrink existing volumes to create additional, unallocated space to use for data
or programs on a new volume. On the new volume, you can:
• Install another operating system and then perform a dual boot.
• Save data separate from the operating system.
To perform the shrink operation, ensure that the disk is either unformatted or formatted
with the NTFS file system and that you are a member of the Backup Operators or
Administrators group. When you shrink a volume, contiguous free space is relocated to
the end of the volume. There is no need to reformat the disk to perform a shrink. To
make available the maximum amount of space, before shrinking, make sure you
perform the following tasks:
• Defragment the disk if defragmentation is not regularly scheduled
• Reduce shadow copy disk space consumption
• Ensure that no page files are stored on the volume to be shrunk
When you shrink a volume, unmovable files (the page file or the shadow copy storage
area) are not automatically relocated. It is not possible to decrease the allocated space
beyond the point where the unmovable files are located. If you need to shrink the
partition further, move the page file to another disk, delete the stored shadow copies,
shrink the volume, and then move the page file back to the disk.
To view shadow copy storage information, use the Volume Shadow Copy Service
administrative command-line tool. Start an elevated Command Prompt and then type
“vssadmin list shadowstorage”. The used, allocated, and maximum shadow copy
Note: If the partition is a raw partition (that is, one without a file system) that contains
data (such as a database file), shrinking the partition may destroy the data. Remember
to make a backup prior to extending or shrinking a partition or volume.
You can shrink simple and spanned dynamic disks, but not others. Increase the size of
a simple volume in the following ways:
• Extend the simple volume on the same disk. The volume remains a simple volume.
• Extend a simple volume to include unallocated space on other disks on the same
computer. This creates a spanned volume.
In this demonstration, you see how to resize a volume with the diskpart utility; then,
you use the Disk Management tool to extend a simple volume.
Question: When might you need to reduce the size of the system partition?
Answer: Answers will vary – but to enable BitLocker, a non-encrypted partition must
be available. In some circumstances, this might not be present on a computer and
reducing the system volume size might prove useful. It might be worth mentioning that
fragmentation and the placement of certain types of files on the disks (such as the
Master File Table (MFT)) can prevent you from realizing all the available free space as
a new volume.
Lesson 3
Maintaining Disks in Windows 7
When you first create a volume, new files and folders are created on available free
space on the volume in contiguous blocks; this provides an optimized file system
environment. As the volume becomes full, the availability of contiguous blocks
diminishes; this can lead to sub-optimal performance. This lesson explores file system
fragmentation and the tools you can use to reduce fragmentation.
Defragmenting a Disk
When you are defragmenting a disk, files are optimally relocated. This ability to
relocate files benefits you when shrinking a volume, since it enables the system to free
up space that can be reclaimed as required.
Disk Defragmenter rearranges data and reunites fragmented files. It runs automatically
on a scheduled basis; however, you can perform a manual defragmentation at any time.
To manually defragment a volume or drive, or to change the automatic
defragmentation schedule, right-click the volume in Windows Explorer, click
Properties, click the Tools tab, and then click Defragment Now. You can then
perform the following tasks:
To verify that a disk requires defragmentation, in Disk Defragmenter select the disk
you want to defragment and then click Analyze disk. Once Windows is finished
analyzing the disk, check the percentage of fragmentation on the disk in the Last Run
column. If the number is high, defragment the disk.
Disk Defragmenter might take from several minutes to a few hours to finish depending
on the size and degree of fragmentation of the disk or USB device, for example an
Option | Meaning
-r | Performs a default defragmentation in which files larger than 64MB are not defragmented
Over time, the amount of available disk space inevitably becomes less, so make sure
that you have a plan to increase storage capacity
Answer: The following are ideas to increase free disk space after exceeding the quota
allowance:
After you enable quotas, you can configure options shown in the following table.
Option | Description
Deny disk space to users exceeding quota limit | Prohibits users from exceeding their quota limit
Do not limit disk space usage | Enables tracking mode for quota management and does not enforce disk space limits
Limit disk space to | Enables you to specify a disk space limit for all users, in Kilobytes (KB) through Exabytes (EB)
Set warning level to | Enables you to configure a warning level at which point a user receives a warning that they are about to exceed his or her space limit
Log event when a user exceeds their quota limit | Generates an event in the System log of the local computer whenever a user exceeds his or her quota limit
Log event when a user exceeds their warning level | Generates an event in the System log of the local computer whenever a user exceeds his or her warning limit
Quota Entries | Enables you to configure specific quota limits for each
In this demonstration, you see how to create and manage disk quotas.
1. Log off, and then log on to the LON-CL1 virtual machine as Contoso\Alan with a
password of Pa$$w0rd.
2. Click Start, click Computer, and then double-click Striped (I:).
3. On the toolbar, click New Folder.
4. Type “Alan’s files”, and then press ENTER.
5. In the file list, right-click 2mb-file, drag it to Alan’s files, and then click Copy
here.
6. Double-click Alan’s files.
7. Right-click 2mb-file and then click Copy.
8. Press CTRL+V.
9. In the Address bar, click Striped (I:).
10. In the file list, right-click 1kb-file, drag it to Alan’s files, and then click Copy
here.
11. Double-click Alan’s files.
12. Right-click 2mb-file and then click Copy.
13. Press CTRL+V.
14. In the Copy Item dialog box, review the message and then click Cancel.
Answer: Answers will vary. In most cases there is no need to limit disk usage on
computers running Windows 7. However, it might be useful when multiple users share
the same computer or when peer-to-peer networking is performed in a workgroup. It is
more common to implement quotas on servers.
Lesson 4
Installing and Configuring Device Drivers
such as faxing and scanning to enhance and simplify the customer experience with
a Windows 7-connected device.
• For some common devices such as multifunction printers, cell phones, portable
media players, and digital still cameras, Windows 7 provides an enhanced
experience called Device Stage™.
A driver is a small software program that allows the computer to communicate with
hardware or devices. It is also specific to an operating system. Without drivers, the
hardware that you connect to the computer does not work properly.
In most cases, drivers come with Windows or can be found by going to Windows
Update and checking for updates. If Windows does not have the required driver, look
for it on the disc that came with the hardware or device, or on the manufacturer's Web
site.
Driver Signing
The device drivers that Windows 7 includes have a Microsoft digital signature that
indicates whether a particular driver or file has met a certain level of testing, is stable
and reliable, and has not been altered since it was digitally signed. Windows 7 checks
for a driver’s digital signature during installation and prompts the user if no signature is
available.
Note: The signature file is stored as a .cat file in the same location as the driver file.
Note: You can use the Pnputil.exe tool to add a driver to the Windows 7 driver store
manually.
• Media or a manufacturer’s Web site that is provided after the system prompts the
user
Windows also checks that the driver package has a valid digital signature. If the driver
package is signed by a certificate that is valid but is not found in the Trusted Publishers
store, Windows prompts the user for confirmation.
Note: Run the Pnputil.exe tool from an elevated command prompt. The tool cannot
invoke the User Account Control dialog box. If you attempt to use the PnPUtil tool from
a command prompt that is not running as administrator, the commands fail.
To add a driver, use the “-a” parameter to specify the path and name of the driver, for
example, “pnputil -a <PathToDriver>\<Driver>.inf”. Windows validates that the
signature attached to the package is valid, the files are unmodified, and the file
thumbprints match the signature.
After adding a driver, note the assigned number. Drivers are renamed oem*.inf during
the addition. This is to ensure unique naming. For example, the file MyDriver1.inf may
be renamed oem0.inf. You can view the published name by using the “-e” parameter,
for example “pnputil -e”.
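The staging procedure above, written out as an added PowerShell example (not part of the courseware). The function names are hypothetical, and the script assumes the INF names its catalog with a CatalogFile entry in the same folder, as the earlier note about the .cat file describes.

```powershell
# Added example: pre-check a driver package's catalog signature, stage it with
# Pnputil.exe, and report the published oem*.inf name. This pre-check covers only
# the catalog's own signature; Windows still verifies the file thumbprints on add.

function Test-IsElevated {
    # Pnputil.exe cannot raise the UAC dialog, so look for an elevated token first.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-InfCatalogPath {
    param([Parameter(Mandatory = $true)][string]$InfPath)
    # The [Version] section of an INF names its catalog: CatalogFile = <name>.cat
    # (optionally decorated, for example CatalogFile.NTamd64).
    $folder = Split-Path -Parent $InfPath
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        if ($line -match '^\s*CatalogFile(\.\w+)?\s*=\s*"?([^";]+?)"?\s*(;.*)?$') {
            return (Join-Path $folder $Matches[2])
        }
    }
    return $null
}

function Add-VerifiedDriverPackage {
    param([Parameter(Mandatory = $true)][string]$InfPath)

    if (-not (Test-IsElevated)) {
        throw 'Start an elevated prompt first; pnputil commands fail without administrator rights.'
    }

    $inf = (Resolve-Path -LiteralPath $InfPath).ProviderPath
    $cat = Get-InfCatalogPath -InfPath $inf
    if (-not $cat -or -not (Test-Path -LiteralPath $cat)) {
        throw "No catalog file found for $inf, so the package carries no signature."
    }

    # Check the catalog's signature and certificate chain.
    $sig = Get-AuthenticodeSignature -FilePath $cat
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        throw "Catalog signature is $($sig.Status): $($sig.StatusMessage)"
    }

    # The text notes that a valid signer missing from Trusted Publishers leads to a
    # confirmation prompt, so record whether the signer is already in that store.
    $thumb   = $sig.SignerCertificate.Thumbprint
    $trusted = Test-Path -LiteralPath "Cert:\LocalMachine\TrustedPublisher\$thumb"

    # Stage the package and pick the published name (oem<N>.inf) out of the output.
    $output    = & pnputil.exe -a $inf 2>&1 | ForEach-Object { "$_" }
    $published = $null
    foreach ($line in $output) {
        if ($line -match '\b(oem\d+\.inf)\b') { $published = $Matches[1]; break }
    }
    if (-not $published) {
        throw "pnputil -a did not report a published name:`n$($output -join "`n")"
    }

    # pnputil -e lists every third-party package; keep the entry that was just added.
    $entry   = @()
    $inEntry = $false
    foreach ($line in (& pnputil.exe -e)) {
        if ($line -match [regex]::Escape($published)) { $inEntry = $true }
        elseif ($inEntry -and $line.Trim() -eq '') { break }
        if ($inEntry) { $entry += $line }
    }

    New-Object PSObject -Property @{
        PublishedName    = $published
        Signer           = $sig.SignerCertificate.Subject
        PublisherTrusted = $trusted
        StoreEntry       = ($entry -join "`n")
    }
}

# Usage, with the placeholder path from the text:
# Add-VerifiedDriverPackage -InfPath '<PathToDriver>\<Driver>.inf'
```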
Typically, you do not need to uninstall a Plug and Play device. Just disconnect or
unplug the device so that Windows does not load or use the driver.
Question: What are the steps to install a driver in the driver store by using the
Pnputil.exe tool?
Device Manager
Device Manager helps you install and update the drivers for hardware devices, change
the hardware settings for those devices, and troubleshoot problems. You can perform
the following tasks in Device Manager:
• View a list of installed devices: View all devices that are currently installed based
on their type, by their connection to the computer, or by the resources they use.
This device list is re-created after every system restart or dynamic change.
• Uninstall a device: Uninstall the device driver, and remove the driver software
from the computer.
Hidden Devices
The most common type of hidden device is for non-Plug and Play devices and network
adapters. To view hidden devices in Device Manager, click View and then click Show
hidden devices.
Device Stage
Device Stage provides users with a new way to access devices and advanced options
for managing them. Devices in use are shown with a photo-realistic icon. This icon can
include quick access to common device tasks and status indicators that let users quickly
discern battery status, device synchronization status, remaining storage capacity, and so
on. Device makers can customize this experience to highlight device capabilities and
branding, and can include links to product manuals, additional applications, community
information and help, or additional products and services.
The entire Device Stage experience remains current. Graphics, task definitions, status
information, and links to Web sites are distributed to computers by using the Windows
Note: At the time of the Windows 7 release, Device Stage experiences continue to be
implemented or tested. A list of the Device Stage experiences can be found at
http://go.microsoft.com/fwlink/?LinkID=144630&clcid=0x409
drivers, but you can obtain these by connecting to Windows Update after setup is
complete.
When updated device drivers are required, Microsoft is working to ensure that you can
get them directly from Windows Update or from device manufacturer Web sites. Look
to Windows Update first to update drivers after they are installed. If the updated device
driver is not available through Windows Update, find the latest version of the device
driver:
• Visit the computer manufacturer’s Web site for an updated driver.
• Visit the hardware manufacturer’s Web site.
• Search the Web using the device name.
Manual device updates can be performed in Device Manager. To manually update the
driver used for a device, follow these steps in Device Manager:
1. Double-click the type of device you want to update.
2. Right-click the device and then click Update Driver Software.
3. Follow the instructions in the Update Driver Software wizard.
Windows 7 also includes several enhancements to the upgrade experience including a
“load driver” feature that is provided so that, if an upgrade is blocked due to
incompatible or missing drivers that are required for the system to boot, you can load a
new or updated driver from the Compatibility Report and continue with the upgrade.
generates a code that can only be created by that file's contents. Changing a single bit
in the file changes the thumbprint. After the thumbprints are generated, they are
If your organization has a Software Publishing Certificate, you can use that to add your
own digital signature to drivers that you have tested and that you trust. If you
experience stability problems after you install a new hardware device, an unsigned
device driver could be the cause.
Note: Some hardware vendors use their own digital signatures so that drivers can have
a valid digital signature even if Microsoft has not tested them. The Sigverif report lists
the vendors for each signed driver. This can help you identify problem drivers issued by
particular vendors.
Note: For information about driver signing including requirements, review the “Driver
Signing Requirements for Windows” page in Windows Hardware Developer Central:
http://go.microsoft.com/fwlink/?LinkId=14507
If your computer can start successfully, in Safe Mode if necessary, you can use driver
rollback to recover from a device problem. This is most useful in cases when a device
driver update has created a problem. Driver rollback reconfigures a device to use a
previously installed driver, overwriting a more recent driver.
To roll back a driver, restart the computer, if necessary, in Safe Mode. You can start
the computer in Safe Mode by pressing F8 during the boot sequence to access the
Advanced Boot Options menu, and then selecting Safe Mode from the list. After you
have started the computer successfully, as an administrative user, follow these steps to
roll back a device driver:
1. Open Device Manager.
2. Right-click the device to roll back and then click Properties.
3. In the Properties dialog box, click the Drivers tab and then click Roll Back
Driver.
4. In the Driver Package rollback dialog box, click Yes.
Note: Rolling back a driver can cause the loss of new functionality, and can reintroduce
problems that were addressed with the newer version.
Note: The Roll Back Driver button is only available if a previous version of the driver
was installed. If the current driver for the device is the only one that was ever installed
on this computer, then the Roll Back Driver button is not enabled.
When you make a device configuration change to the computer, the change is stored in
the CurrentControlSet key, in the appropriate registry folder and value. After you
restart the computer, and successfully log on, Windows synchronizes the
CurrentControlSet key and the LastKnownGood key.
However, if, after a device configuration change, you experience a startup problem, but
do not log on, the two control sets are out of sync, and the LastKnownGood key
contains the previous configuration set.
To use the Last Known Good Configuration, restart the computer without logging on,
and press F8 during the boot sequence to access the Advanced Boot Options menu.
Select Last Known Good Configuration (advanced) from the list.
If you have a hardware problem, it can be caused by hardware or a device driver.
Fortunately, the process to update device drivers to a newer version is straightforward.
Alternatively, device drivers can be rolled back to an older version, or reinstalled.
Troubleshooting hardware problems often starts by troubleshooting device drivers. To
identify a device driver problem, answer the following questions:
• Did you recently upgrade the device driver or other software related to the
hardware? If so, roll back the device driver to the previous version.
• Are you experiencing occasional problems, or is the device not compatible with
the current version of Windows? If so, upgrade the device driver.
• Did the hardware suddenly stop working? If so, upgrade the device driver. If that
does not solve the problem, reinstall the device driver. If the problem continues,
try troubleshooting the hardware problem.
8. In the System Settings Change dialog box, click Yes to restart the computer.
Question: If your computer does not start up normally due to a device driver issue, what
options are there for performing driver roll back?
Answer: Try starting into Safe mode and then rolling the driver back.
Review Answers
1. Yes, you can format the disk for GPT rather than MBR. A GPT disk supports up to
128 volumes, each much larger than 2 TB. In addition, you can boot 64-bit
Windows 7 from a GPT disk.
2. The two commands are as follows:
assign
Common Issues
Identify the causes for the following common issues and fill in the troubleshooting tips.
For answers, refer to relevant lessons in the module and the course companion CD
content.
Issue: Configuring disk quotas on multiple volumes
Troubleshooting tip: Once a quota is created, you can export it and then import it for a
different volume. In addition to establishing quota settings on an individual computer by
using the methods outlined above, you can also use Group
Issue: Exceeding the quota allowance
Troubleshooting tip: To increase free disk space after exceeding the quota allowance, the
user can try the following:
• Delete unnecessary files
• Have another user claim ownership of non-user specific files
• Increase the quota allowance as volume size and policy permits
Best Practices
Supplement or modify the following best practices for your own work situations:
• Every time a change is made to a computer, record it. It can be recorded in a
physical notebook attached to the computer, or in a spreadsheet or database
available on a centralized share that is backed up nightly.
If you keep a record of all changes made to a computer, you can trace the changes
in order to troubleshoot problems and offer support professionals correct
configuration information. The Reliability Monitor can be used to track changes to
the system such as application installs or uninstalls.
• When deciding what type of volume to create, consider the following questions:
• How critical is the data or information on the computer?
• Can automatic replication be set up quickly and easily?
• If the computer became unbootable, what will be the impact on your
business?
• Is the computer handling multiple functions?
• Is the data on the computer being backed up on a regular basis?
Use the information in the following table to assist as needed.
Task: Add a new disk
Reference: http://go.microsoft.com/fwlink/?LinkId=64100
Task: Confirm that you are a member of the Backup Operators group or the Administrators group
Reference: Search Help and Support for "standard account" and "administrator account".
For information about groups: http://go.microsoft.com/fwlink/?LinkId=64099
Tools
Basic disk: A disk initialized for basic storage. A basic disk contains basic
volumes, such as primary partitions, extended partitions, and logical drives.
Dynamic disk: A disk initialized for dynamic storage. A dynamic disk contains
dynamic volumes, such as simple volumes, spanned volumes, striped volumes,
mirrored volumes, and RAID-5 volumes.
Volume: A storage unit made from free space on one or more disks. It can
be formatted with a file system and assigned a drive letter.
Volumes on dynamic disks can have any of the following layouts:
simple, spanned, mirrored, striped, or RAID-5. All volumes on a
physical disk must be either basic or dynamic, and each disk must
be partitioned. You can view the contents of a volume by clicking
its icon in Windows Explorer or in My Computer. A single hard disk
can have multiple volumes, and volumes can also span multiple
disks.
System volume: The disk volume that contains the hardware-specific files that are
Boot volume: The disk volume that contains the Windows operating system files
and the supporting files. The boot volume can be the same volume
as the system volume; this configuration is not required. There is
one boot volume for each operating system in a multi-boot system.
Disk partitioning: The process of dividing the storage on a physical disk into
manageable sections that support the requirements of a computer
operating system.
Module 3
Configuring File Access and Printers on Windows 7 Clients
Contents:
Lesson 1: Overview of Authentication and Authorization
Lesson 2: Managing File Access in Windows 7
Lesson 3: Managing Shared Folders
Lesson 4: Configuring File Compression
Lesson 5: Managing Printing
Module Overview
Lesson 1
Overview of Authentication and Authorization
It is possible to have authorization and access without authentication. This is the case
when permissions are granted for anonymous users that are not authenticated.
Typically, these permissions are limited.
• Guest: This allows another person to have temporary access to your computer.
People using the guest account cannot install software or hardware, change
settings, or create a password. The guest account must be turned on before it can
be used.
Note: When setting up a computer, you are required to create an administrator user
account. This account provides the ability to set up your computer and install any
programs that you want to use. Once you are finished setting up your computer, it is
recommended to use a standard user account for your day-to-day computing. It is more
secure to use a standard user account instead of an administrator account because it
can prevent people from making changes that affect everyone who uses the computer,
especially if your user account logon credentials are stolen.
Kerberos Authentication
For Windows 7 clients, the Kerberos authentication protocol provides the mechanism
for mutual authentication between the client and a server before a network connection
is opened between them. In a client/server application model:
• Windows 7 clients are programs acting on behalf of users who need something
done: a file opened, a mailbox accessed, a database queried, a document printed.
• Servers (such as Windows Server 2008) are programs providing services to clients:
file storage, mail handling, query processing, print spooling, or any number of
other specialized tasks.
Clients initiate action, servers respond. Typically, this means that the server listens at a
communications port, waiting for clients to connect and ask for service.
In the Kerberos security model, every client/server connection begins with
authentication. Client and server, in turn, step through a sequence of actions designed
to verify to the party on each end of the connection that the party on the other end is
genuine. If authentication is successful, session setup completes and the client/server
Question: Which authentication method is used when a client computer running the
Windows 7 operating system logs on to Active Directory?
Answer: Kerberos version 5 protocol is used unless smart cards are being used. If
smart cards are being used, then certificate mapping is the authentication method.
For Windows 7, you must be familiar with the system’s new authentication
functionality incorporated by the following features:
• Smart cards
• Biometrics
• Online identity Integration
Smart Cards
Smart card usage is expanding rapidly. To encourage more organizations and users to
adopt smart cards for enhanced security, Windows 7 includes new features that make
smart cards easier to use and to deploy, and make it possible to use smart cards to
complete a greater variety of tasks.
Windows 7 provides enhanced support for the following features:
• Smart card–related Plug and Play: Users of Windows 7 can employ smart cards
from vendors who have published their drivers through Windows Update without
needing special middleware. These drivers are downloaded in the same way as
drivers for other devices in Windows.
Biometrics
Biometrics is an increasingly popular technology that provides convenient access to
systems, services, and resources. Biometrics relies on measuring an unchanging
physical characteristic of a person to uniquely identify that person. Fingerprints are one
of the most frequently used biometric characteristics, with millions of fingerprint
biometric devices that are embedded in personal computers and peripherals.
Windows 7 allows administrators and users to use fingerprint biometric devices to:
• Log on to computers.
• Grant elevation privileges through User Account Control (UAC). When a standard
user performs a task that requires administrative permissions, UAC (which is
examined in module 6) allows the user to “elevate” his or her status from a
standard user account to an administrator account without logging off, switching
users, or using Run as.
Question: What are some of the ways that fingerprint biometric devices are used in
Windows 7?
Answer: Answers can vary, but the three primary uses include:
• Log on to computers.
• Grant elevation privileges through User Account Control (UAC).
• Perform basic management of fingerprint devices in Group Policy settings by
enabling, limiting, or blocking their use.
Lesson 2
Managing File Access in Windows 7
The most common way that users access data is from file shares on the network.
Controlling access to file shares is done with file share permissions and NTFS
permissions. Understanding how to determine effective permissions is essential to
securing your files.
NTFS file system permissions allow you to define the level of access that users have to
files that are available on the network, or locally on your Windows 7 computer. This
lesson explores NTFS file system permissions and the effect of various file and folder
activities on these permissions.
effect when a user accesses a resource from the network. This topic is covered in
greater detail in the next lesson.
• NTFS file system permissions: Are always in effect, whether connected across
the network or logged on to the local machine where the resource is located. You
grant NTFS permissions to a file or folder for a named group or user.
Each NTFS file and folder has an access control list (ACL) with a list of users and
groups that are assigned permissions to the file or folder. Each entry in the ACL is an
access control entry that specifies the specific permissions granted to a user or group.
as reading another user’s files or installing Trojan horse programs. Therefore, the
backup operators group must be limited to only highly trusted user accounts that
require the ability to back up and restore computers.
The ability to take ownership of files and other objects is another case where an
administrator’s need to maintain the system takes priority over an owner’s right to
control access. Normally, you can take ownership of an object only if its current owner
Read and Execute File can be read and programs can be started.
Folder content can be seen and programs can be started.
Note: Groups or users granted Full Control on a folder can delete any files in that folder
regardless of the permissions protecting the file.
To modify NTFS permissions, you must be given the Full Control NTFS permission
for a folder or file. The one exception is for file and folder owners. The owner of a file
or folder can modify NTFS permissions even if they do not have any current NTFS
permissions. Administrators can take ownership of files and folders to make
modifications to NTFS permissions.
List Folder/Read Data: The List Folder permission allows or denies the user from
viewing file names and subfolder names in the folder. The List Folder permission
applies only to folders and affects only the contents of that folder. This permission
is not affected if the folder that you are setting the permission on
Read Attributes: The Read Attributes permission allows or denies the user from
viewing the attributes of a file or folder, such as read-only and hidden attributes.
Attributes are defined by NTFS.
Create Files/Write Data: The Create Files permission applies only to folders and
allows or denies the user from creating files in the folder.
Create Folders/Append Data: The Create Folders permission applies only to folders
and allows or denies the user from creating folders in the folder.
Write Attributes: The Write Attributes permission allows or denies the user
Delete Subfolders and Files: The Delete Subfolders and Files permission applies only
to folders and allows or denies the user from deleting subfolders and files, even if
the Delete permission is not granted on the subfolder or file.
Take Ownership: The Take Ownership permission allows or denies the user from
taking ownership of the file or folder. The owner of a file or folder can change
permissions on it, regardless of any existing permissions that protect the file or folder.
Question: Do you have to apply permissions to keep other people from accessing your
files?
Answer: No. The default NTFS permissions do not allow standard users to read the
documents that other users have stored in their My Documents folder. However,
administrators are able to access all files on the system. If you need to prevent
administrators from accessing a file, you must use an additional security measure such
as encryption.
Permissions can also be added to files and folders below the initial point of inheritance,
without modifying the original permissions assignment. This is done to grant a specific
user or group a different file access than the inherited permissions.
Note: Inherited Deny permissions do not prevent access to an object if the object has
an explicit Allow permission entry. Explicit permissions take precedence over inherited
permissions, even inherited Deny permissions.
Only inheritable permissions are inherited by child objects. When setting permissions
on the parent object, you can decide whether folders, subfolders, and files can inherit
permissions. Perform the following steps to assign permissions that can be inherited:
1. In Windows Explorer, right-click the file or subfolder, click Properties, click the
Security tab, and then click Advanced.
2. In the Advanced Security Settings for <file or folder> page, click Change
Permissions. The Apply to column lists what folders, subfolders, or files the
permissions are applied to. The Inherited From column lists where the
permissions are inherited from.
3. In the Apply to column, click the user or group that you want to adjust
permissions for.
4. On the Permissions Entry page, click the Apply to field and select one of the
following options:
• This folder only
• This folder, subfolders, and files
• This folder and subfolder
• This folder and files
• Subfolders and files only
• Subfolders only
• Files only
5. Click OK on the Advanced Security Settings window, click OK on the Advanced
Security Settings window a second time, and then click OK on the Properties
page.
If the Special Permissions entry in Permissions for <User or Group> is shaded, it
does not imply that this permission is inherited; rather, this means that a special
permission is selected.
Note: When permissions inheritance is blocked, you have the option to copy existing
permissions or begin with blank permissions. If you only want to restrict a particular
group or user, then copying existing permissions simplifies the configuration process.
To block permission inheritance, select This folder only in the Apply onto box when
you set up special permissions for the parent folder. Special permissions are accessible
through the Permissions tab. Perform the following steps when you want to prevent a
file or subfolder from inheriting permissions:
1. In Windows Explorer, right-click the file or subfolder, click Properties, click the
Security tab, and then click Advanced.
Answer: Administrators can change permissions at the parent level and have the same
permissions propagate throughout all the sub-folders without having to reassign
permissions to each of those folders individually.
This demonstration shows how to secure files and folders by updating their NTFS
permissions. This demonstration also shows how to:
• Set permissions, such as Read, Write, and Full Control, to provide access for a
specific user.
• Set the Deny permission for a user to restrict his or her ability to modify a file.
• Verify the set permissions.
Start the LON-DC1 and the LON-CL1 virtual machines. Leave them running
throughout the duration of the module.
2. Click Start, click Computer, and then double-click Local Disk (C:).
6. Right-click an empty space in the Name column, point to New, and then click
2. In the Deliverables Properties dialog box, on the Security tab, click Edit.
4. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the
Enter the object names to select (examples) box, type “Contoso\Adam”, click
Check Names, and then click OK.
6. In the Permissions for Deliverables dialog box, next to Write, select the Allow
check box, and then click OK.
2. In the Deliverables Properties dialog box, on the Security tab, click Edit.
4. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the
Enter the object names to select (examples) box, type “Contoso\Martin”, click
Check Names, and then click OK.
6. In the Permissions for Deliverables dialog box, next to Modify, select the Deny
check box, and then click OK.
2. In the Deliverables Properties dialog box, on the Security tab, click Advanced.
3. In the Advanced Security Settings for Deliverables dialog box, on the Effective
Permissions tab, click Select.
4. In the Select User, Computer, Service Account or Group dialog box, type
“Contoso\Martin”, click Check Names, and then click OK.
6. In the Advanced Security Settings for Deliverables dialog box, click OK.
Note: When copying a file or folder within a single NTFS partition or between NTFS
partitions, you must have Read permission for the source folder and Write permission
Note: Most files do not have explicitly assigned permissions. Instead, they inherit
permissions from their parent folder. If you move files that have only inherited
permissions, they do not retain these inherited permissions during the move.
• When moving a file or folder to a different NTFS partition, the folder or file
inherits the permissions of the destination folder. When you move a folder or file
between partitions, Windows 7 copies the folder or file to the new location and
then deletes it from the old location.
• When moving a file or folder to a non-NTFS partition, the folder or file loses its
NTFS file system permissions, because non-NTFS partitions do not support NTFS
file system permissions.
Note: When moving a file or folder within an NTFS partition or between NTFS partitions,
you must have both Write permission for the destination folder and Modify permission
for the source file or folder. Modify permission is required to move a folder or file
because Windows 7 deletes the folder or file from the source folder after it copies it to
the destination folder.
Question: Why is administration time reduced when files and folders are moved
within the same partition?
Answer: Answers can vary. Possible answers include: Administrators do not need to
be concerned about permissions being changed or altered because the permissions are
kept if files and folders are moved within the same partition. Likewise, administrators
do not need to change the permissions of the destination folder, which can have
ramifications on other files and subfolders within the folder.
Each file and folder contains user and group permissions. Windows 7 determines a file
or folder’s effective permissions by combining its user and group permissions. For
example, if a user is assigned Read permission and a group the user is a member of is
assigned Modify permission, the effective permissions of the user are Modify.
Note: When permissions are combined, Deny permission takes precedence and
overrides Allow permission.
Note: The Effective Permissions feature always includes the Everyone group when
calculating effective permissions, as long as the selected user or group is not a member
of the Anonymous Logon group.
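The combination rules above (user and group permissions add up, Deny overrides Allow, and an explicit Allow is reached before an inherited Deny) can be modelled by walking the access control entries in stored order. The following PowerShell is an added example, not courseware code; the function names, the CONTOSO-qualified group names, and the sample entries are constructed, and the model ignores privileges, ownership, and share permissions.

```powershell
# Added example: simplified model of how ACEs combine into effective NTFS rights.

function New-SampleAce {
    # Constructed ACE using the property names that Get-Acl's .Access entries expose.
    param([string]$Identity, [string]$Rights, [string]$Type, [bool]$Inherited = $false)
    New-Object PSObject -Property @{
        IdentityReference = $Identity
        FileSystemRights  = $Rights
        AccessControlType = $Type
        IsInherited       = $Inherited
        PropagationFlags  = 'None'
    }
}

function Get-ModeledEffectiveRights {
    param(
        [Parameter(Mandatory = $true)] $Rules,               # ACEs in stored order
        [Parameter(Mandatory = $true)] [string[]]$Identity   # user plus each group the user is in
    )
    $granted = 0
    $denied  = 0
    foreach ($rule in $Rules) {
        if ($Identity -notcontains [string]$rule.IdentityReference) { continue }

        # Inherit-only ACEs exist to be passed to children; they do not apply here.
        $flags = [int][Security.AccessControl.PropagationFlags]$rule.PropagationFlags
        if (($flags -band 2) -ne 0) { continue }

        # The first ACE to mention a right decides it, so order is what lets an
        # explicit Allow survive a later inherited Deny.
        $mask = [int][Security.AccessControl.FileSystemRights]$rule.FileSystemRights
        if ([string]$rule.AccessControlType -eq 'Deny') {
            $denied = $denied -bor ($mask -band (-bnot $granted))
        } else {
            $granted = $granted -bor ($mask -band (-bnot $denied))
        }
    }
    [Enum]::ToObject([Security.AccessControl.FileSystemRights], $granted)
}

# Constructed sample: User1 and its group memberships (names are illustrative).
$user1 = 'CONTOSO\User1', 'CONTOSO\Users', 'CONTOSO\Sales'

# Each list is in the order Windows stores ACEs:
# explicit Deny, explicit Allow, inherited Deny, inherited Allow.
$cases = @(
    @{ Name  = 'Group permissions combine'
       Rules = @(
           (New-SampleAce 'CONTOSO\Users' 'Write' 'Allow'),
           (New-SampleAce 'CONTOSO\Sales' 'Read'  'Allow')) },
    @{ Name  = 'Deny and Allow at the same level'
       Rules = @(
           (New-SampleAce 'CONTOSO\User1' 'Write'  'Deny'),
           (New-SampleAce 'CONTOSO\Users' 'Modify' 'Allow')) },
    @{ Name  = 'Explicit Allow, inherited Deny'
       Rules = @(
           (New-SampleAce 'CONTOSO\User1' 'Write' 'Allow'),
           (New-SampleAce 'CONTOSO\Sales' 'Write' 'Deny'  $true),
           (New-SampleAce 'CONTOSO\Users' 'Read'  'Allow' $true)) }
)

foreach ($case in $cases) {
    $rights = Get-ModeledEffectiveRights -Rules $case.Rules -Identity $user1
    '{0,-36} {1}' -f $case.Name, $rights
}

# Against a live folder (placeholder path and identities):
# Get-ModeledEffectiveRights -Rules (Get-Acl -Path '<folder>').Access `
#     -Identity 'CONTOSO\Martin', 'BUILTIN\Users'
```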
This discussion includes a scenario and three underlying situations in which you are
asked to apply NTFS permissions. You and your classmates will discuss possible
solutions to each situation.
Scenario
User1 is a member of the Users group and the Sales group. The graphic on the slide,
which shows folders and files on the NTFS partition, includes three situations, each of
which has a corresponding discussion question.
Question 1: The Users group has Write permission, and the Sales group has Read
permission for Folder1. What permissions does User1 have for Folder1?
Answer: User1 has Write and Read permissions for Folder1, because User1 is a
member of the Users group, which has Write permission, and the Sales group, which
has Read permission.
Question 2: The Users group has Read permission for Folder1. The Sales group has
Write permission for Folder2. What permissions does User1 have for File2?
Answer: User1 has Read and Write permissions for File2, because User1 is a member
of the Users group, which has Read permission for Folder1, and the Sales group, which
Question 3: The Users group has Modify permission for Folder1. File2 is accessible
only to the Sales group, and they are only able to read File2. What do you do to ensure
that the Sales group has only Read permission for File2?
Lesson 3
Managing Shared Folders
Collaboration is an important part of your job. Your team might create documents that
are only shared by its members, or you may work with a remote team member who
needs access to your team’s files. Because of collaboration requirements, it is
important to understand how to manage shared folders in a network environment.
Sharing folders gives users access to those folders over a network. Users can connect to
the shared folder over the network to access the folders and files that are contained in
the shared folder.
Shared folders can contain applications, public data, or a user’s personal data. It is
important to understand how to manage shared folders to provide a central location for
users to access common files and make it easier to back up data that is contained in
those files. This module examines various methods of sharing folders, along with the
effect this has on file and folder permissions when shared folders are created on a
partition formatted with the NTFS file system.
There are several different ways in which you can share folders with others on the
network:
Note: By default, only share permissions are set on this folder. To control local access
permissions to this folder or objects within the folder, click the Customize permissions
For example, to share a folder named myshare located on the C drive in the path
\Users\Myname, type “net share myshare=C:\Users\Myname”.
Answer: Sharing folders across a network keeps information up-to-date for a group of
users and decreases the chance of file duplication because all files for a user account
can be stored in a shared central repository.
• Read: The "look, but do not touch" option. Recipients can open, but not modify or
delete a file.
• Read/Write: The "full control" option. Recipients can open, modify, or delete a
file.
To use Advanced Sharing, right-click the folder you want to share, and then click
Properties, click the Sharing tab, and then click Advanced Sharing.
When you do this, users who have an account on the computer or network can connect
to this folder both locally and remotely to access shared files.
Public folder sharing does not allow you to fine-tune sharing permissions, but it does
provide a simple way to make your files available to others. When you enable public
folder sharing and select one of the two permissions levels previously mentioned, the
following share and NTFS file system permissions are configured for the System group
Everyone.
You can select one of these two Public folder permission options through the Network
and Sharing Center, which is a topic discussed later in this lesson.
Note: If the guest user account is enabled on your computer, the Everyone group
includes anyone. In practice, remove the Everyone group from any permission lists, and
The following analogy can be helpful in understanding what happens when you
combine NTFS and share permissions. When dealing with a shared folder, you must
always go through the shared folder to access its files over the network. Therefore, you
can think of the shared folder permissions as a filter that only allows users to perform
actions on its contents that are acceptable to the share permissions. All NTFS
permissions that are less restrictive than the share permissions are filtered out so that
only the share permission remains.
For example, if the share permission is set to Read, then the most you can do is read
through the shared folder, even if individual NTFS file permission is set to Full
Control. If you configure the share permission to Modify, then you are allowed to read or
modify the shared folder contents. If the NTFS permission is set to Full Control, then
the share permissions filter the effective permission down to just Modify.
Question: If a user is assigned Full Control NTFS permission to a file but is accessing
the file through a share with Read permission, what will be the effective permission the
user will have on the file?
Answer: The user will have only Read access to the file when accessing it over the
network through the share (because Read access is more restrictive than Full Control).
If the user is logged on to the console of the computer storing the file and accessing it
locally, then the user has Full Control.
Question: If you want a user to view all files in a shared folder but modify only
certain files in the folder, what permissions do you give the user?
Answer: The share permissions will have to allow the user to Modify all files (this
opens the folder window wide, but it will get locked down with NTFS permissions).
You must set the NTFS permissions for the folder to allow the user Read access only
(which flows to all the files). Then on the individual files in the folder that you want
the user to modify, assign the Modify NTFS permission.
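The filter analogy and the two answers above can be checked with a small model. This is an added example, not part of the courseware: it assumes Allow entries only, treats the levels as a simple ordered scale, and uses constructed group, folder, and file names.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ordered permission levels as this lesson uses them (simplified)."""
    NONE = 0
    READ = 1
    MODIFY = 2
    FULL_CONTROL = 3


@dataclass
class SharedFolder:
    share_acl: dict      # group -> Level granted on the share
    folder_ntfs: dict    # group -> Level on the folder, inherited by its files
    file_ntfs: dict = field(default_factory=dict)  # file -> {group: Level}, explicit


def granted(acl, groups):
    """Allow entries are cumulative: the highest level from any matching group wins."""
    return max((lvl for grp, lvl in acl.items() if grp in groups),
               default=Level.NONE)


def effective(folder, groups, filename, over_network):
    """Effective access to one file, locally or through the share."""
    inherited = granted(folder.folder_ntfs, groups)
    explicit = granted(folder.file_ntfs.get(filename, {}), groups)
    ntfs = max(inherited, explicit)
    if not over_network:
        return ntfs                      # local logon: share permissions do not apply
    # Over the network the share acts as a filter: the more restrictive level wins.
    return min(granted(folder.share_acl, groups), ntfs)


def modifiable_over_network(folder, groups, filenames):
    """Audit helper: which files can these groups change through the share?"""
    return [f for f in filenames
            if effective(folder, groups, f, True) >= Level.MODIFY]


# Constructed sample: share is wide open to Modify, NTFS locks it back down.
PROJECTS = SharedFolder(
    share_acl={"Users": Level.MODIFY},
    folder_ntfs={"Users": Level.READ},
    file_ntfs={"status.xlsx": {"Users": Level.MODIFY}},
)
# Constructed sample: Full Control in NTFS, but the share only allows Read.
ARCHIVE = SharedFolder(
    share_acl={"Users": Level.READ},
    folder_ntfs={"Users": Level.FULL_CONTROL},
)

if __name__ == "__main__":
    for remote in (True, False):
        where = "network" if remote else "local"
        print(where, effective(ARCHIVE, {"Users"}, "old.doc", remote).name)
    print(modifiable_over_network(PROJECTS, {"Users"},
                                  ["status.xlsx", "budget.xlsx"]))
```

Running the audit helper over every file in a share is a quick way to confirm that a permissive share permission is actually being narrowed by NTFS where intended.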
With earlier versions of Windows, many different graphical interfaces and commands
were required to fully configure networking and network sharing. Windows 7 makes
this significantly easier by providing all the required tools in one central location, the
Network and Sharing Center. The Network and Sharing Center can be accessed
through the Windows Control Panel, or by typing “Network and Sharing Center” in the
search box on the Start menu.
It is important to be familiar with all aspects of the Network and Sharing Center, and
be able to use it to configure all types of network connections. This topic focuses on
the network sharing aspect of the Center, while the network configuration topics are
covered later in the Networking module.
The Network and Sharing Center provides the following tools:
• View a Network Map
• Set Up a New Connection or Network
• Change Advanced Sharing Options
• Choose Homegroup and Sharing Options
details from them by switching to a list view. By default the See full map option is
disabled on domains for end-users; it is available for network administrators.
Note: The Network Map is not just a topology; it shows active network devices that you
can configure or troubleshoot.
Note: You can change the network location profile between private and public. This
changes firewall and visibility settings for that network connection.
Public folder sharing (Off): Only local users can access the Public folder.
Network Discovery
When you first install Windows 7, the computer is not visible on the network map, and
it is not able to map other hardware devices on the network. If you enable Network
Discovery, Windows 7 queries the network and discovers each of the devices
connected to the network. Each device is queried to discover its capabilities, and
version control is used to keep this information up-to-date on subsequent queries.
Additionally, each icon in the network map is clickable, and you can double-click the
icon to carry out a task. For example, when you double-click the icon for your
computer, Windows Explorer opens. When you double-click an internetworking
device, a device configuration Web page appears.
Lesson 4
Configuring File Compression
The NTFS file system supports file compression on an individual file basis. The file
compression algorithm is a lossless compression algorithm, which means that no data
is lost when compressing and decompressing the file, as opposed to lossy compression
algorithms, where some data is lost each time data compression and decompression
occur.
NTFS compression, which is available on volumes that use the NTFS file system, has
the following features and limitations:
• Compression is an attribute of a file or folder.
• Volumes, folders, and files on an NTFS volume are either compressed or
uncompressed.
• New files created in a compressed folder are compressed by default.
• The compression state of a folder does not necessarily reflect the compression
state of the files within that folder. For example, a folder can be compressed
without compressing its contents, and some or all of the files in a compressed
folder can be uncompressed.
Note: You can use the compact command-line tool to manage NTFS compression.
Moving and copying compressed files and folders can change their compression state.
This discussion presents five situations in which you are asked to identify the impact of
copying and moving compressed files and folders. You and your classmates will
discuss the possible solutions to each situation.
When you move a file or folder within an NTFS partition, the file or folder retains its
original compression state. For example, if you move a compressed file or folder to an
uncompressed folder, the file remains compressed.
In Windows 7, several files and folders can be combined into a single compressed
folder by using the Compressed (zipped) Folders feature. This feature is used to share a
group of files and folders with others without being concerned about sending them
individual files and folders.
Files and folders that are compressed by using the Compressed (zipped) Folders
feature can be compressed on FAT and NTFS file system drives. A zipper icon
identifies files and folders that are compressed by using this feature.
Files can be opened directly from these compressed folders, and some programs can be
run directly from these compressed folders without uncompressing them. Files in the
compressed folders are compatible with other file-compression programs and files.
These compressed files and folders can also be moved to any drive or folder on your
computer, the Internet, or your network.
Compressing folders by using Compressed (zipped) Folders does not affect the
overall performance of your computer. CPU utilization increases only when
Compressed (zipped) Folders is used to compress a file. Compressed files take up
less storage space and can be transferred to other computers more quickly than
uncompressed files. Work with compressed files and folders the same way you work
with uncompressed files and folders.
Note: Unlike NTFS compressed folders and files, Compressed (zipped) Folders can be
moved and copied without change between volumes, drives, and file systems.
This demonstration shows how to compress a folder and a file, and also examines the
impact of moving and copying a compressed file.
2. Select the following files, right-click on them, and then click Copy:
• AG00004_
• AG00011_
8. Click Advanced
9. Click Cancel, then click Cancel again to close the properties dialog box.
5. Right-click the Taskbar, and then click Show Windows Side by Side.
4. Right-click Uncompressed Files, click Send To, and then click Compressed
(zipped) Folder.
9. Click the left arrow in the menu bar to go back to the Project Documents folder
10. Right-click Zipped Data, and then drag it to the Compressed Files folder.
Lesson 5
Managing Printing
When a printer is installed and shared in Windows 7, you must define the relationship
between the printer and two printer components, the printer port and the printer driver.
Installing a Driver
The printer driver is a software interface that allows your computer to communicate
with the printer device. Without a printer driver, the printer that is connected to your
computer will not work properly.
In most cases, drivers come with the Windows application, or you can find them by
going to Windows Update in Control Panel and checking for updates. If the Windows
application does not have the driver needed, you can find it on the disc that came with
the printer, or on the manufacturer's Web site.
If the Windows operating system does not recognize your printer automatically, you
must configure the printer type during the installation process. The printer setup wizard
presents you with an exhaustive list of currently installed printer types. However, if
your printer is not listed, you must obtain and install the necessary driver.
You can preinstall printer drivers into the driver store, thereby making them available
in the printer list, by using the pnputil.exe command-line tool.
This demonstration examines how to install and share a printer through Devices and
Printers. It also sets several permissions, including Share the Printer permission.
Advanced options that can be set for the printer are also discussed.
Installing Printers
The most common, and easiest, way to install a printer is to connect it directly to your
computer (known as a local printer). If your printer is a USB model, Windows
automatically detects and installs it when you plug it in. If your printer is an older
model that connects using the serial or parallel port, you might need to install it
manually.
In the workplace, many printers are network printers. These connect directly to a
network as a stand-alone device. Network printers typically connect through an
Ethernet cable or wireless technologies such as Wi-Fi or Bluetooth.
Note: Available network printers can include all printers on a network, such as
Bluetooth and wireless printers, or printers that are plugged into another computer and
shared on the network. Ensure that you have permission to use these printers before
adding them to the computer.
This demonstration shows how to install and share a printer through Devices and
Printers. It also sets several permissions, including Share the Printer permission.
Advanced options that can be set for the printer are also discussed.
4. On the Choose a printer port page, in the Use an existing port list, click LPT1:
(Printer Port), and then click Next.
5. On the Install the printer driver page, in the Manufacturer list, click Epson, in
the Printers list, click Epson Stylus Photo RX630 (M), and then click Next.
7. On the Printer Sharing page, accept the defaults and click Next.
3. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the
Enter the object names to select (examples) box, type “Contoso\IT”, click
Check Names, and then click OK.
5. In the Permissions for IT dialog box, next to Manage this printer, select the
Allow check box.
6. In the Permissions for IT dialog box, next to Manage documents, select the
Allow check box, and then click Apply.
13. Click OK, then click OK again to close the dialog box.
14. Click OK to close the Epson Stylus Photo RX630 (M) Properties box.
Print Management provides a single interface used to administer multiple printers and
print servers. Print Management (or the Printbrm.exe command-line tool) can also be
used to export printers and settings from one computer and import them on another
computer.
To open the Microsoft Management Console (MMC) snap-in for Print Management,
click Start, click Control Panel, click System and Maintenance, click
Administrative Tools, and then click Print Management.
The Print Management MMC snap-in is used to perform all the basic management
tasks for a printer. Printers can also be managed from the Devices and Printers page in
the Control Panel.
Tip: To quickly view the print queue, just double-click the printer icon in the
notification area.
Note: To view your printer permissions, right-click the printer you are using, click
Printer properties, click the Security tab, and then click your user name. If your
computer is on a domain, printer permissions might be controlled by an administrator.
You can pause and resume a single print job or multiple jobs in the queue. To pause or
resume a print job:
1. Open the print queue for the specific printer by performing the steps outlined
previously.
2. To pause or resume an individual print job, right-click the print job, and then click
Pause or Resume.
3. To pause all print jobs, click the Printer menu, and then click Pause Printing. To
resume printing, click Pause Printing again.
Note: To pause someone else's print job, you must have permission.
4. Click the Select printer list, select a corresponding default network printer, and
then click Add.
Note: Location-aware printing does not work when connecting to a network through
Remote Desktop (Terminal Services).
Answer: You must configure the caching options, which determine how offline
versions of shared files will be made available, if at all. By default, users must
specify which files and programs are available offline.
2. Question: Contoso is installing Microsoft Dynamics® GP and they have
contracted with a vendor to provide some custom programming work. Contoso
asked Joseph, their senior IT desktop specialist, to configure the NTFS
permissions for the GP planning files it will be accumulating. Contoso has asked
that all IT users be assigned Modify permissions to the GP Implementation
Planning folder. However, Contoso only wants the subfolder titled Vendor
Contracts to be available for viewing by a select group of managers. How can
Answer: Joseph can take a three step approach. First, he can assign the IT user
group the Modify permission for the GP Implementation Planning folder. Next, he
can block inherited permissions on the Vendor Contract subfolder. Third, he can
restrict access to the subfolder by providing Read access to the selected list of
managers identified by Contoso.
3. Question: Peter is an IT professional working at Fabrikam. He is having trouble
accessing a particular file and suspects it has something to do with his NTFS
permissions associated with the file. How can he view his effective file
permissions?
Answer: From the file’s property sheet, Peter can click the Security tab, and then
click Advanced. From the Effective Permissions tab, he can enter his user alias
and then view his effective permissions.
4. Question: Robin recently created a spreadsheet in which she explicitly assigned it
NTFS file permissions that restricted file access to just herself. Following the
system reorganization, the file moved to a folder on another NTFS partition, and
Robin discovered that other users were able to access the spreadsheet. What is the
probable cause of this situation?
Answer: When moving a file to a folder on a different NTFS partition, the file
inherits the new folder’s permissions. In this case, the new folder the spreadsheet
moved to allowed access by other user groups.
5. Question: Contoso recently installed Windows 7 on its client computers. Because
many of their sales staff travel and work from various branch offices throughout
any given month, Contoso decided to take advantage of the location-aware
printing functionality in Windows 7. Michael, a sales representative, was pleased
he no longer had to configure printers each time he needed to print a document at a
branch office. However, to Michael’s dismay, on his last trip he tried to connect to
the company network using Terminal Services and found that he still had to
manually select the printer when he wanted to print a file. Why did the system not
automatically recognize the printer for Michael?
Answer: Because location-aware printing does not work when you connect to a
network through Remote Desktop (Terminal Services).
• When setting up a computer, you are required to create a user account. This
account is an administrator account used to set up your computer and install any
required programs. Once finished setting up your computer, it is recommended to
use a standard user account for your day-to-day computing. It is more secure to use
a standard user account instead of an administrator account because it can prevent
users from making changes that affect everyone who uses the computer, especially
Tools
Use the following Command Prompt tools to manage file and printer sharing:
Tool Description
Net share Share folders from the Command Prompt
Module 4
Configuring Network Connectivity
Contents:
Lesson 1: Configuring IPv4 Network Connectivity 4-3
Lesson 2: Configuring IPv6 Network Connectivity 4-22
Lesson 3: Implementing Automatic IP Address Allocation 4-37
Lesson 4: Troubleshooting Network Issues 4-48
Module Overview
Lesson 1
Configuring IPv4 Network Connectivity
11000000101010000000000111001000
11000000.10101000.00000001.11001000
192.168.1.200
Class   First Octet   Default Subnet Mask   Number of Networks   Number of Hosts per Network
172.16.16.1/255.255.240.0
172.16.16.1/20
The /20 represents how many subnet bits are in the mask.
This notation style is called Variable Length Subnet
Masking.
What Is a Subnet?
A subnet is a segment of a network. One or more routers
separate the subnet from the rest of the network. When
your Internet service provider (ISP) assigns a network a
Class A, B, or C address range, you often must subdivide
the range to match the network’s physical layout.
Subdivide a large network into logical subnets.
When you subdivide a network into subnets, create a unique
ID for each subnet derived from the main network ID. To
create subnets, you must allocate some of the bits in the
host ID to the network ID. This enables you to create more
networks.
2 4
3 8
4 16
5 32
6 64
Configuring Network Connectivity 4-9
2 62
3 30
4 14
5 6
6 2
172.16.00100000.00000000 172.16.32.0
172.16.01000000.00000000 172.16.64.0
172.16.01100000.00000000 172.16.96.0
172.16.10000000.00000000 172.16.128.0
172.16.11000000.00000000 172.16.192.0
172.16.11100000.00000000 172.16.224.0
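The mask notation, the borrowed-bit tables, and the 172.16.x.0 subnet rows above can be reproduced with Python's standard `ipaddress` module. This is an added example, not part of the courseware; the function names and the 192.168.1.0/24 sample network are assumptions chosen for illustration.

```python
import ipaddress


def describe(cidr):
    """Summarise an address given as a.b.c.d/mask or a.b.c.d/prefix."""
    net = ipaddress.ip_interface(cidr).network
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "mask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses - 2,   # minus network and broadcast
    }


def capacity(network, borrowed_bits):
    """Return (number of subnets, usable hosts per subnet) after borrowing host bits."""
    net = ipaddress.ip_network(network)
    host_bits = net.max_prefixlen - net.prefixlen - borrowed_bits
    if host_bits < 2:
        raise ValueError("fewer than 2 host bits leaves no usable host addresses")
    return 2 ** borrowed_bits, 2 ** host_bits - 2


def split(network, borrowed_bits):
    """List the subnets created by moving borrowed_bits from host ID to network ID."""
    net = ipaddress.ip_network(network)
    return [str(s) for s in net.subnets(prefixlen_diff=borrowed_bits)]


def on_link(local_cidr, remote_ip):
    """True if remote_ip is in the same subnet, so no router is needed to reach it."""
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_interface(local_cidr).network


if __name__ == "__main__":
    # Both notations from the lesson describe the same network.
    print(describe("172.16.16.1/255.255.240.0"))
    print(describe("172.16.16.1/20"))
    # Borrowing 2..6 bits from a network with 8 host bits (sample /24).
    for bits in range(2, 7):
        print(bits, capacity("192.168.1.0/24", bits))
    # Borrowing 3 bits from 172.16.0.0/16 gives eight /19 subnets.
    for subnet in split("172.16.0.0/16", 3):
        print(subnet)
    # A wrong mask or address silently changes which hosts count as local.
    print(on_link("172.16.16.1/20", "172.16.31.200"), on_link("172.16.16.1/20", "172.16.32.5"))
```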
a. 171.16.16.254
b. 192.16.18.5
c. 192.168.1.1
d. 10.255.255.254
Answer: A and B.
Host Name
A host name is a user-friendly name that is associated
with a host’s IP address and identifies it as a TCP/IP
host. A host name can be no more than 255 characters in
length and can contain alphanumeric characters, periods, and
hyphens.
NetBIOS Name
Applications use the 16-character NetBIOS name to identify
a NetBIOS resource on a network. A NetBIOS name represents
a single computer or a group of computers. NetBIOS uses
the first 15 characters for a specific computer’s name and
the final sixteenth character to identify a resource or
service on that computer. An example of a NetBIOS name is
ADATUM-SVR1[20h].
Lesson 2
Configuring IPv6 Network Connectivity
IPv6 Syntax
IPv6 does not use a dotted decimal notation to compress
the addresses. Instead, IPv6 uses hexadecimal notation,
with a colon between each set of four digits. Each
hexadecimal digit represents four bits.
To shorten IPv6 addresses further, you can drop leading
zeros and use zero compression. Within each group of four
digits, drop leading zeros and include a single grouping
of four zeros as a single zero. By using zero compression,
Description Example
A full IPv6 address 2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A/64
ISP.
An ISP can subnet the network address that IANA
assigns by using the next 16 bits, which are the
site topology. The 16 bits of site topology allow an
ISP to create up to 65,536 subnets in the most
efficient manner applicable to that ISP’s customer
base.
• Link-Local Addresses: Hosts use link-local addresses
when communicating with neighboring hosts on the
same link. For example, on a single-link IPv6
network with no router, hosts communicate by using
link-local addresses. IPv6 link-local addresses are
equivalent to IPv4 Automatic Private IP Addressing
(APIPA) addresses. When a DHCP server fails, APIPA
allocates addresses in the private range 169.254.0.1
to 169.254.255.254. Clients verify their address is
unique on the LAN using ARP. When the DHCP server is
again able to service requests, clients update their
addresses automatically.
Other characteristics of link-local addresses
include:
• Link-local addresses always begin with FE80.
• An IPv6 router never forwards link-local traffic
beyond the link.
• An APIPA address is assigned automatically to an
IPv4 host. Use of this address restricts
communication to the local subnet, and it is
generally used when other suitable addresses are not
available.
• Unique local unicast addresses: These are the
equivalent to IPv4 private address spaces, such as
10.0.0.0/8. All unique local unicast addresses have
the prefix FD00::/8.
• A global ID uses the next 40 bits. The global ID is
an identifier that uniquely represents an
organization. Randomly generate this ID to maximize
Interface Identifiers
The last 64 bits of an IPv6 address are the interface
identifier. This is equivalent to the host ID in an IPv4
address. Each interface on an IPv6 network must have a
unique interface identifier. Because the interface
identifier is unique to each interface, IPv6 uses the
Interface Identifier rather than media access control
(MAC) addresses to identify hosts uniquely.
Within the Windows 7 environment, Windows Server 2008 uses
Extended Unique Identifier (EUI)-64 addresses, which
the Institute of Electrical and Electronics Engineers,
Inc. (IEEE) defines. Gigabit adapters use an EUI-64
address in place of a MAC address. Network adapters using
a MAC address generate an EUI-64 address by padding the
48-bit MAC address with additional information.
3.
8. In the Local Area Connection 3 Status window, click
Details. This window shows the same configuration
information for this adapter and the ipconfig command.
9. In the Network Connection Details window, click Close.
10. In the Local Area Connection 3 Status window, click
Properties. This window allows you to configure
protocols.
11. Click Internet Protocol Version 6 (TCP/IPv6) and
then click Properties. You can configure the IPv6
address, subnet prefix length, default gateway and DNS
servers in this window.
12. Click Use the following IPv6 address and enter the
following:
• IPv6 address:
2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A
• Subnet prefix length: 64
13. Click Advanced. The Advanced TCP/IP Settings window
allows you to configure additional settings such as
additional IP addresses and DNS settings.
14. In the Advanced TCP/IP Settings window, click
Cancel.
15. In the Internet Protocol Version 6 (TCP/IPv6)
Properties window, click OK.
16. In the Local Area Connection 3 Properties window,
click Close.
17. In the Local Area Connection 3 Status window, click
Details. Verify that the new IPv6 address has been
added.
18. Close all open windows.
Lesson 3
Implementing Automatic IP Address Allocation
Static Configuration
You can configure static IPv4 configuration manually for
each of your network’s computers. IPv4 configuration
includes the following:
• IPv4 address
• Subnet mask
• Default gateway
• DNS server
Static configuration requires that you visit each computer
and input the IPv4 configuration. This method of computer
management is time-consuming if your network has more than
DHCPv4
DHCPv4 enables you to assign automatic IPv4 configurations
for large numbers of computers without having to assign
each one individually. The DHCP service receives requests
for IPv4 configuration from computers that you configure
to obtain an IPv4 address automatically. It also assigns
IPv4 information from scopes that you define for each of
your network’s subnets. The DHCP service identifies the
subnet from which the request originated, and assigns IP
configuration from the relevant scope.
DHCP helps simplify the IP configuration process, but you
must be aware that if you use DHCP to assign IPv4
information and the service is business-critical, you must
do the following:
• Build resilience into your DHCP service design so
that the failure of a single server does not prevent
the service from functioning.
• Configure the scopes on the DHCP server carefully. If
you make a mistake, it can affect the whole network and
prevent communication.
DHCPv6
DHCPv6 is a service that provides stateful auto-
configuration of IPv6 hosts. It can configure IPv6 hosts
automatically with an IPv6 address and other configuration
information such as DNS servers. This is equivalent to
DHCPv4 for IPv4 networks.
When a host obtains an IPv6 address from a DHCPv6 server,
the following occurs:
Note: On large networks, you can use DHCPv6 relay agents instead of placing a DHCP
server on each subnet.
3.
8. In the Local Area Connection 3 Status window, click
Properties. This window allows you to configure
protocols.
9. Click Internet Protocol Version 4 (TCP/IPv4) and then
click Properties.
10. Click Obtain an IP address automatically. Notice
that the Alternate Configuration tab becomes available
when you do this.
11. Click Obtain DNS server address automatically.
12. Click the Alternate Configuration tab. Configuration
information on this tab is used when no DHCP server is
available.
13. Click OK to save the changes.
14. In the Local Area Connection 3 Properties window,
click Close.
15. In the Local Area Connection 3 Status window, click
Details. Notice that DHCP is enabled and the IP address
of the DHCP server is displayed.
16. Close all open windows.
Using IPConfig
If the computer is experiencing connectivity problems, you
can use IPConfig to determine the computer’s IP address.
If the address is in the range 169.254.0.1 to
169.254.255.254, the computer is using an APIPA address.
This might indicate a DHCP-related problem. From the
client computer, open an elevated command prompt, and then
use the IPConfig options in the table below to diagnose
the problem.
Option Description
/all This option displays all IP address configuration information.
If the computer uses DHCP, verify the DHCP Server option
in the output. This indicates the server from which the client
is attempting to obtain an address. Also, verify the Lease
/renew This option forces the client computer to renew its DHCP
lease. This is useful when you think that the DHCP-related
issue is resolved, and you want to obtain a new lease
without restarting the computer.
Note: You can use the IPConfig /release6 and /renew6 options to perform these same
tasks on IPv6-configured computers.
Lesson 4
Troubleshooting Network Issues
Event Viewer
Event logs are files that record significant events on a
computer, such as when a process encounters an error. IP
conflicts will be reflected in the system log and might
IPConfig
IPConfig displays the current TCP/IP network
configuration. Additionally, you can use IPConfig to
refresh DHCP and DNS settings as discussed in the previous
topic. For example, you might need to flush the DNS cache.
Ping
Ping verifies IP-level connectivity to another TCP/IP
computer. Ping sends Internet Control Message
Protocol (ICMP) Echo Request messages and displays the
receipt of corresponding Echo Reply messages. Ping is the
primary TCP/IP command used to troubleshoot connectivity.
However, firewalls might block the ICMP requests.
Tracert
Tracert determines the path taken to a destination
computer by sending ICMP Echo Requests. The path displayed
is the list of router interfaces between a source and a
destination. This tool also determines which router has
Pathping
Pathping traces a route through the network in a manner
similar to Tracert. However, Pathping provides more
detailed statistics on the individual steps, or hops,
through the network. Pathping can provide greater detail
because it sends 100 packets per router which enables it
to establish trends. Tracert only sends packets at a time.
NSlookup
NSlookup displays information that you can use to diagnose
the DNS infrastructure. You can use NSlookup to confirm
connection to the DNS server and that the required records
exist.
Unified Tracing
The unified tracing feature is intended to help you
simplify the process of gathering relevant data to assist
in troubleshooting and debugging network connectivity
problems. Data is collected across all layers of the
networking stack and grouped into activities across the
following individual components:
• Configuration information
• State information
• Event or Trace Logs
• Network traffic packets
and then retest name resolution. You must purge the host-
name resolution cache by using ipconfig /flushdns before
cache.
6. At the command prompt, type “ping 127.0.0.1” and then
press ENTER. This pings the local host.
7. At the command prompt, type “ping 10.10.0.10” and then
press ENTER. This verifies connectivity to LON-DC1 by
using an IPv4 address.
8. At the command prompt, type “ping LON-DC1” and then
press ENTER. This verifies connectivity to LON-DC1 by
using a host name.
9. At the command prompt, type “nslookup -d1 LON-DC1” and
then press ENTER. This provides detailed information
about the host name resolution. You can use the -d2
option for even more detail.
10. Close the command prompt.
Review Answers
Windows 7 host cannot access the database server | Use IPConfig tool to view, renew or release an IP Address
Windows 7 Host cannot connect to the internet | Use Ping to test the connectivity to the DNS Server
DNS server is not resolving FQDNs correctly | Use the flushdns option with IPConfig
Tools
You can use the following tools to troubleshoot network
connectivity issues.
Tool Description
Module 5
Configuring Wireless Network Connections
Contents:
Lesson 1: Overview of Wireless Networks
Lesson 2: Configuring a Wireless Network
Module Overview
Lesson 1
Overview of Wireless Networks
More and more organizations prefer wireless networks over the traditional wired
networks. A wireless network gives users flexibility and mobility around the office.
Users can have internal meetings or presentations while maintaining connectivity and
productivity. With a wireless network, you can create a public network that gives
your guests an Internet connection without creating security issues for your
corporate network. Wireless network technologies have evolved tremendously over
the years. Many mobile computers have built-in wireless network adapters, and
numerous hardware devices support wireless networks with high stability and
reliability.
• Provides easy access to the Internet in public places. You can create a public
network that enables your guests to have internet connection without causing
Windows 7 provides built-in support for all 802.11 wireless networks, but the wireless
components of Windows are dependent upon the following:
• The capabilities of the wireless network adapter: the installed wireless network
adapter must support the wireless network or wireless security standards that you
require.
Wireless Broadband
Wireless broadband is a wireless technology that provides high-speed wireless
Internet and data network access. Its Internet speed is
comparable to wired broadband, such as ADSL or cable modems. Wireless broadband
is used mostly by organizations that want their employees to have constant
connectivity to the Internet or their corporate network. To connect to a wireless
broadband network, you need a wireless modem.
Windows 7 provides a driver-based model for mobile broadband devices. Earlier
versions of Windows require users of mobile broadband devices to install third-party
software, which is difficult for IT professionals to manage because each mobile
broadband device and provider has different software. Users also have to be trained to
use the software and must have administrative access to install it, preventing standard
users from easily adding a mobile broadband device. With Windows 7, users can
simply connect a mobile broadband device and immediately begin using it. The
interface in Windows 7 is the same regardless of the mobile broadband provider. You
can connect to a wireless broadband network just as you connect to any other wireless network.
This reduces the need for training and management efforts.
The sudden widespread implementation of wireless LANs preceded any real security
planning. Wireless devices create many opportunities for unauthorized users to access
private networks. Unlike the closed cabling system of an Ethernet network that can be
physically secured, wireless frames are sent as radio transmissions that propagate
beyond the physical confines of your office or home. Any computer within range of the
wireless network can receive wireless frames and send its own. Without protecting
your wireless network, malicious users can use your wireless network to access your
private information or launch attacks against your computers or other computers across
the Internet.
To protect your wireless network, you must configure authentication and encryption
options:
• Authentication requires that computers provide either valid account credentials
(such as a user name and password) or proof that they have been configured with
an authentication key before being allowed to send data frames on the wireless
network. Authentication prevents malicious users from joining your wireless
network.
• Encryption requires that the content of all wireless data frames be encrypted so
that only the receiver can interpret its contents. Encryption prevents malicious
users from capturing wireless frames sent on your wireless network and
determining sensitive data. Encryption also helps prevent malicious users from
sending valid frames and accessing your private resources or the Internet.
Wireless LAN supports the following security standards:
IEEE 802.1X
IEEE 802.1X was a standard that existed for Ethernet switches and was adapted to
wireless LANs to provide much stronger authentication than the original 802.11
standard. IEEE 802.1X authentication is designed for medium and large wireless LANs
that contain an authentication infrastructure consisting of Remote Authentication Dial-
In User Service (RADIUS) servers and account databases such as the Active
Directory® directory service.
IEEE 802.1X prevents a wireless node from joining a wireless network until the node
has performed a successful authentication. IEEE 802.1X uses the Extensible
Authentication Protocol (EAP). Wireless network authentication can be based on
different EAP authentication methods such as those using user name and password
credentials or a digital certificate.
802.1X requires clients to provide computer authentication when they connect to
the network and provides user authentication when a user logs on. If either
authentication phase fails, the data-link layer access device—including a wireless AP,
bridge, or switch—will not forward packets to the network. This prevents an attacker
from exploiting the network layer or reaching other network servers or clients.
You must ensure that the client, the data-link device, and the authentication server all
support the 802.1X protocol. The data-link device, which could be a wireless AP or a
switch, detects new clients, passes the authentication to an authentication server, and
locks the client out if the authentication fails. The authentication server checks the
client’s credentials and reports the authentication status to the data-link device.
support the additional mandatory security features of the IEEE 802.11i standard that
are not already included for products that support WPA. For example, WPA2 requires
support for both TKIP and AES encryption.
Similar to WPA, WPA2 is available in two different modes: WPA2-Enterprise and
WPA2-Personal.
Lesson 2
Configuring a Wireless Network
In an organization that has a wireless network, users may choose to use the wireless
network as the main connectivity to network resources. You must understand how to
create and connect to a wireless network from a Windows 7-based computer. You
should also know how to improve the wireless signal strength for your users and how
to troubleshoot common wireless connection problems. This troubleshooting process
uses the new network diagnostics included with Windows 7. You should be familiar
with the new network diagnostics so that you can assist your users.
you should change the SSID to something unique, so that client
computers that are configured to connect automatically do not
conflict with other wireless APs that are using their
default SSID.
General Settings
The following settings are mandatory for every wireless network profile.
• SSID: every wireless network has an SSID. If you are configuring the wireless
network profile manually, you must know the exact SSID of the wireless network
Connection Settings
The following settings configure how the Windows 7 client connects to a wireless
network.
• Connect automatically when this network is in range: the computer will try to
connect to this particular wireless network whenever it is in range.
• Connect to a more preferred network if available: if this is selected, when there
are multiple wireless networks in range, the computer will try to connect to one of
the others instead of this particular wireless network.
• Connect even if the network is not broadcasting its name (SSID): select this if
the wireless AP is configured to not advertise its SSID.
Security Types
The following settings determine the type of authentication and encryption used to
connect to a wireless network.
• No authentication (open): typically, you select this security type when
connecting to a public wireless network. If you select this security type, two
options are available for the encryption type: None and WEP.
• Shared: select this security type if the wireless network is using a shared network
security key. If you select this security type, only WEP is available for the
encryption type.
• WPA (Personal and Enterprise): select this if the wireless network is using
WPA authentication. In the personal mode, you provide the same network security
key to each user. In the enterprise mode, an authentication server distributes an
individual key to the users. If you select this security type, two options are
available for the encryption type: TKIP and AES.
• WPA2 (Personal and Enterprise): select this if the wireless network is using
WPA2 authentication. It also has the Personal and Enterprise mode, as well as two
options for the encryption type: TKIP and AES.
• 802.1X: select this security type if your wireless network is using 802.1X
authentication. If you select this security type, only WEP is available for the
encryption type.
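To audit saved profiles against the connection settings and security types listed above, the following added example (not part of the course material) parses profile XML in the format written by `netsh wlan export profile` and reports each profile's security type and any findings. The sample profiles, network names, and finding codes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# (authentication value, useOneX) -> security type as named in the profile dialog.
SECURITY_TYPES = {
    ("open", False): "No authentication (open)",
    ("open", True): "802.1X",
    ("shared", False): "Shared",
    ("WPAPSK", False): "WPA-Personal",
    ("WPA", True): "WPA-Enterprise",
    ("WPA2PSK", False): "WPA2-Personal",
    ("WPA2", True): "WPA2-Enterprise",
}

MESSAGES = {
    "no-encryption": "frames are sent unencrypted; any computer in range can read them",
    "wep": "WEP is the weakest encryption type; move the network to WPA2 with AES",
    "tkip": "TKIP is selected; use AES if the AP and the adapter support it",
    "auto-connect-open": "client joins this open network automatically when in range",
    "hidden-ssid": "client connects even if the SSID is not broadcast, so it probes by name",
}

# Constructed template holding only the elements this audit reads.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID><nonBroadcast>{hidden}</nonBroadcast></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication>
    <encryption>{enc}</encryption>
    <useOneX>{onex}</useOneX>
  </authEncryption></security></MSM>
</WLANProfile>"""


def sample(name, hidden, mode, auth, enc, onex):
    return TEMPLATE.format(name=name, hidden=hidden, mode=mode, auth=auth, enc=enc, onex=onex)


# Constructed sample profiles (network names are made up).
SAMPLES = {
    "GUEST-LOBBY": sample("GUEST-LOBBY", "true", "auto", "open", "none", "false"),
    "LEGACY-PSK": sample("LEGACY-PSK", "false", "auto", "WPAPSK", "TKIP", "false"),
    "LAB-8021X": sample("LAB-8021X", "false", "manual", "open", "WEP", "true"),
    "CORP": sample("CORP", "false", "auto", "WPA2", "AES", "true"),
}


def _text(root, path, default=""):
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else default


def audit_profile(xml_text):
    """Return the profile name, security type, encryption type and finding codes."""
    root = ET.fromstring(xml_text)
    base = "w:MSM/w:security/w:authEncryption/"
    auth = _text(root, base + "w:authentication")
    enc = _text(root, base + "w:encryption")
    one_x = _text(root, base + "w:useOneX", "false") == "true"
    auto = _text(root, "w:connectionMode", "manual") == "auto"
    hidden = _text(root, "w:SSIDConfig/w:nonBroadcast", "false") == "true"

    findings = []
    if enc == "none":
        findings.append("no-encryption")
    elif enc == "WEP":
        findings.append("wep")
    elif enc == "TKIP":
        findings.append("tkip")
    # "Connect automatically" combined with an open network that has no 802.1X.
    if auth == "open" and not one_x and auto:
        findings.append("auto-connect-open")
    # "Connect even if the network is not broadcasting its name (SSID)".
    if hidden:
        findings.append("hidden-ssid")

    return {
        "name": _text(root, "w:name"),
        "security_type": SECURITY_TYPES.get((auth, one_x), "unknown (%s)" % auth),
        "encryption": enc,
        "findings": findings,
    }


if __name__ == "__main__":
    for xml_text in SAMPLES.values():
        result = audit_profile(xml_text)
        print("%(name)s: %(security_type)s / %(encryption)s" % result)
        for code in result["findings"]:
            print("  - " + MESSAGES[code])
```
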
The demonstrations are prerecorded. There are no steps to perform. Click the camera
links to launch the demonstrations.
6. You can change the channel to avoid interference from other devices.
7. Select g only for mode to configure the 802.11 mode. If you have older 802.11b
devices, you can enable support for them.
8. Clear Allow Broadcast of Name (SSID) to prevent the wireless AP from broadcasting
its SSID.
Key/Passphrase to define the appropriate SSID and the security settings that
correspond to those defined on the wireless AP.
4. Windows prompts the user to define the network location profile. Select public.
5. Click Close and then close the Network and Sharing Center.
Question: What are possible issues that arise when connecting to unsecured networks?
Answer: Your information can be viewed by other parties on the network.
Connecting to the wireless AP on a network with the strongest signal will provide the
best wireless performance. To assist users, the available networks list in Windows 7
includes a symbol that designates signal strength. A strong signal has five bars, and
indicates a close wireless network with no interference.
If a wireless network has low signal strength, the transfer of information across the
network could be slow or you might be unable to access certain parts of the network.
The following table shows several common problems and solutions with regards to low
signal strength.
Windows 7 includes the Network Diagnostic tool, which can be used to troubleshoot
network problems. Use this tool to diagnose the issues that might prevent you from
connecting to any network, including wireless networks. This tool can reduce the time
you spend diagnosing wireless network problems.
4. Identify the problem from the list of problems found. Use the list from the
Windows Network Diagnostic tool to help identify the problem.
5. Resolve the problem that was identified. Use the information in the previous step
to implement a resolution.
Common issues related to finding wireless networks and improving signal strength:
Problem: Proximity or physical obstruction
Troubleshooting Tips:
• Ensure that your client computer is as close as possible to the wireless AP.
• If you are unable to get closer to the wireless AP, consider installing an external antenna to your wireless network adapter.
• Check for physical objects that may cause interference, such as a thick wall or metal cabinet, and consider removing the physical objects or repositioning the wireless AP or the client.
• Add wireless APs to the wireless network whenever applicable.
Tools
Module 6
Securing Windows 7 Desktops
Contents:
Lesson 1: Overview of Security Management in Windows 7
Lesson 2: Securing a Windows 7 Client Computer by Using Local Security Policy Settings
Lesson 3: Securing Data by Using EFS and BitLocker
Lesson 4: Configuring Application Restrictions
Lesson 5: Configuring User Account Control
Lesson 6: Configuring Windows Firewall
Lesson 7: Configuring Security Settings in Internet Explorer 8
Lesson 8: Configuring Windows Defender
Module Overview
drives.
• Desktop management is streamlined, so it takes less work
to deploy Windows 7 and keep it running smoothly.
Because Windows 7 is based on the Windows Vista®
foundation, companies that have already deployed Windows
Vista will find that the new Windows 7 security features
are highly compatible with existing hardware, software,
and tools.
This module describes how to make your computer more
secure by using new Windows 7 security features, while
ensuring that you do not sacrifice usability in the
process. Built upon the security foundations of Windows
Vista, Windows 7 helps make the system more usable and
manageable, and contains the right security enhancements
to combat the continually evolving threat landscape.
This module introduces the following new security features
in Windows 7:
• Fundamentally Secure Platform: The Windows 7 operating
system provides an assortment of tools and features
designed to maximize platform and client security.
• Helping Secure Anywhere Access: Windows 7 provides the
appropriate security controls so that users can access
the information they need to be productive whenever
they need it whether they are in the office or not.
• Protecting Users and Infrastructure: Windows 7 provides
flexible security protection against malware and
intrusions so that users can achieve their desired
balance between security, control, and productivity.
• Protecting Data from Unauthorized Viewing: Windows 7
extends BitLocker™ Drive Encryption to help protect
data stored on portable media (for example, USB Flash
Drives and USB Portable Hard Drives) so that only
authorized users can read the data, even if the media
is lost, stolen, or misused.
Lesson 1
Overview of Security Management in Windows 7
Firewall
Windows Action Center verifies that your computer has a
suitable firewall product and notifies you if there are
any issues with the firewall configuration or status. If
there is an issue with the firewall, Windows Action Center
provides guidance, where appropriate, on how to remedy the
Automatic Updating
To ensure that your computer is as secure as possible,
install security updates the moment they become available.
By enabling automatic updates, you can ensure that your
computer will receive the necessary security updates.
Windows Action Center determines your computer’s
automatic-updating status, and provides alerts and
instructions to help you enable automatic updating.
Malware Protection
Windows Action Center determines whether your computer is
running Windows Defender or a third-party antispyware
product. If your antispyware product definitions are out-
of-date, or if you do not enable scanning, Windows Action
Center alerts you and provides guidance on how to resolve
the problem.
The Malware protection feature also verifies the presence
and functionality of your computer’s antivirus software.
If there is no antivirus software, or the antivirus
signatures are out-of-date, Windows Action Center alerts
you and recommends solutions.
Note: You are not required to use an antivirus, antispyware, or firewall software
program that is compliant with Windows Action Center. If using software that is not
detectable, you may select Windows Action Center options that let you monitor the
security status. This scenario causes a “yellow” caution state, but you will not receive
messages that prompt you to change the configuration.
Note: You can access Windows Action Center from Control Panel. Windows Action
Center is a Windows service that starts automatically by default. You can configure this
behavior by using Group Policy objects for domain-joined computers.
User Alerts
Action Center notifies you when items about security and
maintenance settings need your attention. A red item in
Action Center indicates an important issue that must be
addressed soon, such as an outdated antivirus program that
needs updating. Yellow items are suggested tasks for you
to consider addressing, like recommended maintenance
tasks.
You can quickly view whether there are any new messages in
Action Center by placing your mouse over the Action Center
icon in the notification area on the taskbar. Click the
icon to view more detail, and open Action Center to view
the message in its entirety.
If you are having a problem with your computer, check
Action Center to determine if the issue has been
identified. If it has not been addressed, you can find
helpful links to troubleshooters and other tools that can
help fix problems.
If you prefer to keep track of an item yourself (for
example, you use a backup program other than the one
included in Windows 7, or you manually back up your files),
and you do not want to see notifications or receive
messages about its status, you can turn off notifications
and messages for the item.
Note: To change how solutions to problems appear in Action Center, click Change
Action Center Settings and then click Problem report settings. On the settings page,
you can choose how much information is sent, and how often to check for new
solutions.
2. Move the slide bar down by one setting and then click
OK.
Lesson 2
Securing a Windows 7 Client Computer by Using Local Security Policy Settings
• Deploy software
• Enforce security settings
• Enforce a consistent desktop environment
You can use Group Policy to restrict certain actions that
may pose potential security risks, such as restricting
access to registry editing tools or restricting the use of
removable storage devices. You enable these restrictions
with Group Policy settings. A collection of Group Policy
settings is called a Group Policy object (GPO).
One GPO can be applied simultaneously to many different
containers in Active Directory’s Directory Service.
Conversely, a container can have multiple GPOs
simultaneously applied to it. In this case, users and
computers receive the cumulative effect of all policy
settings applied to them.
With Group Policy, you can define the state of users' work
environments once and rely on the system to enforce the
policies that you define. With the Group Policy snap-in
you can specify policy settings for the following:
• Registry-based policies: include Group Policy for the
Windows 7 operating system and its components and for
Note: If no policy is defined for the selected item, right-click the folder that you want
and then on the shortcut menu that appears, point to All Tasks and then click the
command that you want. The commands that are displayed on the All Tasks submenu
are context sensitive. Only those commands that are applicable to the selected policy
folder appear on the menu.
Note: When you work with policy items in the Administrative Templates folder, click
the Extended tab in the right pane of the MMC if you want to view more information
about the selected policy item.
Introduction to MLGPO
Local Group Policy is a subset of a broader technology
Processing Order
The benefits of Multiple Local Group Policy objects come
from the processing order of the three separate layers.
The layers are processed as follows:
• The Local Group Policy object applies first. This Local
Group Policy object may contain both computer and user
settings. User settings contained in this policy apply
to all users, including the local administrator.
• The Administrators and Non-Administrators Local Group
Policy objects are applied next. These two Local Group
Policy objects represent a single layer in the
processing order, and the user receives one or the
other. Neither of these Local Group Policy objects
contains computer settings.
• User-specific Local Group Policy is applied last. This
layer of Local Group Policy objects contains only user
3. Log off.
Setting | Meaning
Password Policy | A subcomponent of Account Policies that enables you to configure password history, maximum and minimum password age, password complexity, and password length. Note: This only applies to local accounts.
Network List Manager Policies | Enables you to configure user options for configuring new network locations.
Public Key Policies | Include settings for Certificate Auto-Enrollment and the Encrypting File System (EFS) Data Recovery Agents.
Software Restrictions Policies | Enables you to identify and control which applications can run on the local computer.
IP Security Policies | Enables you to create, manage, and assign IPSec policies.
After you configure the local policy, you can export the
security-related settings to a policy file and save them
Lesson 3
Securing Data by Using EFS and BitLocker
What is EFS?
Note: When users encrypt files in remote shared folders, their keys are stored on the file
server.
Note: EFS certificates are only issued to individual users, not to groups.
Backing Up Certificates
CA Administrators can archive and recover CA-issued EFS
certificates. Users must manually back up their self-
generated EFS certificates and private keys. To do this,
they can export the certificate and private key to a
Personal Information Exchange (PFX) file. These PFX files
are password protected during the export process. The
password is then required to import the certificate into a
user’s certificate store.
If you need to distribute only your public key, you can
export the client EFS certificate without the private key
to Canonical Encoding Rules (CER) files.
A user’s private key is stored in the user’s profile in
the RSA folder, which is accessed by expanding AppData,
expanding Roaming, expanding Microsoft, and then expanding
Crypto. Because there is only one instance of the key, it
is vulnerable to hard disk failure or data corruption.
The Certificate Manager MMC exports certificates and
private keys. EFS certificates are located in the Personal
Certificates store.
EFS in Windows 7
Windows 7 includes a number of new EFS features,
including:
• Support for Storing Private Keys on Smart Cards: Windows
7 includes full support for storing users’ private keys
5. Double-click Private.
9. Log off.
8. Log off.
5. Double-click Private.
8. Log off.
What Is BitLocker?
BitLocker Requirements
Hardware Requirements
To turn on BitLocker Drive Encryption, the computer's hard
drive must meet the following requirements:
• Have the space necessary for Windows 7 to create the
two disk partitions: one for the system volume and one
for the operating system volume.
• System volume: This partition includes the drive on
which Windows is installed; BitLocker encrypts this
drive, which no longer needs a drive letter.
• Operating system volume: A second partition is
created as needed when BitLocker is enabled in
BitLocker Modes
Note: If you want to use BitLocker to protect an operating system drive on a computer
that does not have a Trusted Platform Module (TPM), you must enable the Require
additional authentication at startup Group Policy setting, and then within that setting,
click Allow BitLocker without a compatible TPM.
Control Panel Setup: Configure recovery folder | None (User selects) | This policy setting specifies a default location that is shown to the user to save recovery keys. This can be a local or network location. The user is free to choose other locations.
Control Panel Setup: Configure recovery options | None (User selects) | This policy setting allows you to configure whether the BitLocker Drive Encryption setup wizard will ask the user to save BitLocker recovery options. Two recovery options can unlock access to BitLocker-encrypted data. The user can type a random 48-digit numerical recovery password, or insert a USB flash drive containing a random 256-bit recovery key. Each of these can be required or disallowed. If you disallow both options,
Control Panel Setup: Enable advanced startup options | Disabled | This policy setting allows you to configure whether BitLocker can be enabled on computers without a TPM, and whether
Configure encryption method | AES 128 bit with Diffuser | This policy setting configures the length of the AES encryption key and whether the Diffuser is used or not.
Configure the list of | None | This policy allows specific TPM functions
Ignore the default list of blocked TPM commands | Disabled | By default, certain TPM commands are blocked. To enable these commands, this policy setting must be enabled.
Ignore the local list of blocked TPM commands | Disabled | By default, a local administrator can block commands in the TPM Management console. This setting can be used to prevent that behavior.
Configuring BitLocker
Administration
IT Professionals can manage BitLocker using the BitLocker
control panel, accessible from the Security item in the
Windows 7 Control Panel. A command-line management tool,
manage-bde.wsf, is also available for IT Professionals to
perform scripting functionality remotely.
Once the volume has been encrypted and protected with
BitLocker, the Manage Keys page in the BitLocker control
panel enables local and domain administrators to duplicate
keys and reset the PIN.
Note: Exposing the volume master key even for a brief period is a security risk because
it is possible that an attacker might have accessed the volume master key and full
volume encryption key when these keys were exposed by the clear key.
Note: Perform the procedures described in this section only if you do not want or need
the data in the future. The data in the encrypted volume will not be recoverable.
the volume
Once the BitLocker keys have been removed from the volume,
follow-up tasks are needed to complete the decommissioning
process. For example, reset the TPM to its factory
defaults by clearing the TPM, and discard saved recovery
information for the volume such as printouts, files stored
on USB devices, and information stored in Active
Directory.
Configuring BitLocker To Go
BitLocker To Go Scenario
Consider the following scenario. An administrator
configures Group Policy to require that data can only be
saved on data volumes protected by BitLocker.
Specifically, the administrator enables the Deny write
access to removable data drives not protected by BitLocker
policy and deploys it to the domain.
Meanwhile, an end user inserts a USB flash drive. Since
the USB flash drive is not protected with BitLocker,
Windows 7 displays an informational dialog indicating that
the device must be encrypted with BitLocker. From this
dialog, the user chooses to launch the BitLocker Wizard to
encrypt the volume or continues working with the device as
read-only.
If the user decides to implement the device as read-only
and then attempts to save a document to the flash drive,
an access denied error message appears. At this time, the
user can enable BitLocker by right-clicking the drive in
Windows Explorer, and then clicking Turn On BitLocker.
Configuring BitLocker To Go
When you select the Turn On BitLocker menu option, the
ensuing wizard requires that you specify how you want to
unlock the drive. You can select one of the following
methods:
• A Recovery Password or passphrase (complexity is
configurable in Group Policy)
• A Smart Card
• Always auto-unlock this device on this PC
Once the device is configured to use BitLocker, the user
saves documents to the external drive without error. When
the user inserts the USB flash drive on a different PC,
the computer detects that the portable device is BitLocker
protected; the user is prompted to specify the passphrase.
• Password ID
When you are searching by drive label, after locating the
Lesson 4
Configuring Application Restrictions
What is AppLocker?
AppLocker Benefits
IT professionals can use AppLocker to specify exactly what
is allowed to run on user desktops. This allows users to
run the applications, installation programs, and scripts
they need to be productive while still providing the
security, operational, and compliance benefits of
application standardization.
AppLocker can help organizations that want to:
• Limit the number and type of files that are allowed to
run by preventing unlicensed or malicious software from
running and by restricting the ActiveX controls that are
installed.
• Reduce the total cost of ownership by ensuring that
workstations are homogeneous across their enterprise and
that users are running only the software and
applications that are approved by the enterprise.
• Reduce the possibility of information leaks from
unauthorized software.
AppLocker Rules
You can review the files analyzed and remove them from the
list before rules are created for them. You can even get
useful statistics about how often a file has been blocked
or test AppLocker policy for a given computer.
Accessing AppLocker
To access AppLocker, click Start and type “Gpedit.msc.”
Then navigate to Computer Configuration, Windows Settings,
Security Settings, and then Application Control Policies.
Expand the Application Control Policies node and highlight
AppLocker.
In AppLocker you can configure Executable Rules, Windows
Installer Rules, and Script Rules. For example, highlight
the Executable Rules node and right-click to select Create
New Rule. You can then create a rule allowing or denying
access to an executable based on such criteria as the file
path or publisher.
And in case you are in a hurry, AppLocker will let you
apply both default and automatically generated rules.
Note: Before you manually create new rules or automatically generate rules for a
specific folder, you must create the default AppLocker rules.
Note: Without the default rules, critical system files might not run. Once you have
created one or more rules in a rule collection, only applications that are affected by
those rules are allowed to run. If the default rules are not created and you are blocked
from performing administrative tasks, restart the computer in safe mode, add the
default rules and delete any deny rules that are preventing access, and then refresh the
computer policy.
Note: After you create one or more rules in a rule collection, only applications that are
affected by those rules are allowed to run. For this reason, always create the default
AppLocker rules for a rule collection first. If you did not create the default rules and are
prevented from performing administrative tasks, restart the computer in Safe Mode, add
the default rules, delete any deny rules that are preventing access, and then refresh the
computer policy.
You can create exceptions for .exe files. For example, you
can create a rule that allows all Windows processes to run
except regedit.exe and then use audit-only mode to
identify files that will not be allowed to run if the
policy is in effect.
You can automatically create rules by running the wizard
and specifying a folder that contains the .exe files for
applications for which to create rules.
Note: Do not select a folder that contains one or more user profiles. Creating rules to
allow .exe files in user profiles might not be secure.
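The policy testing, audit-only review, and automatic rule generation described above can also be driven from Windows PowerShell with the AppLocker cmdlets that ship with Windows 7. The following is an added example, not part of the courseware; the C:\Program Files\Contoso folder and the Contoso rule prefix are hypothetical.

```powershell
# Added example (not from the courseware). Run in an elevated Windows PowerShell
# session on a Windows 7 edition that supports AppLocker.
Import-Module AppLocker

# Hypothetical application folder. It must not contain user profiles.
$appFolder = 'C:\Program Files\Contoso'

# Files that the default rules are meant to keep runnable, plus regedit.exe
# from the exception scenario described above.
$critical = @(
    "$env:windir\System32\cmd.exe",
    "$env:windir\System32\mmc.exe",
    "$env:windir\regedit.exe"
)

# 1. Effective policy on this computer: enforcement mode and rule count for
#    each rule collection (NotConfigured, AuditOnly, or Enabled).
$effective = Get-AppLockerPolicy -Effective
$effective.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode, Count |
    Format-Table -AutoSize

# 2. Would the effective policy let an ordinary user run the critical files?
$effective |
    Test-AppLockerPolicy -Path $critical -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 3. Generate candidate rules for the application folder, in memory only.
#    Publisher rules are used for signed files, with a hash rule as the
#    fallback for unsigned ones. Nothing is applied to the computer here.
$candidate = Get-AppLockerFileInformation -Directory $appFolder -Recurse -FileType Exe |
    New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                        -RuleNamePrefix 'Contoso' -Optimize

# 4. The candidate policy contains no default rules. Files that no rule in a
#    populated rule collection covers are reported as DeniedByDefault, which
#    is why the default rules must exist before these rules are enforced.
$candidate |
    Test-AppLockerPolicy -Path $critical -User Everyone -Filter DeniedByDefault |
    Format-Table FilePath, PolicyDecision -AutoSize

# 5. While a rule collection is in audit-only mode, list the files that would
#    have been blocked and how often each one was seen in the event log.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics
```

Steps 1 through 4 only read and evaluate policy, so they are safe to run before any enforcement change. Step 5 returns results only after the computer has run in audit-only mode for a while.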
Note: Before performing the following procedure, ensure that you created the default
rules.
Note: This rule prevents unsigned applications from running. Before implementing this
rule, ensure that all of the files that you want to run in your organization are digitally
signed. If any applications are not signed, consider implementing an internal signing
process to sign unsigned applications with an internal signing key.
6. Click Next.
9. Click Next.
11. Click the Browse Files… button and then click Local
Disk (C:).
2. Click Next.
Open.
7. Click Next.
4. Click Create.
6. Close the Local Group Policy Editor and then log off.
Enforce rules with Group Policy inheritance | Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
Demonstration
This demonstration will show the different enforcement
options, in addition to how to configure the enforcement
for the rule that was created in the previous
demonstration. The demonstration will then verify the
enforcement with gpupdate.
8. Click OK.
Note: When you add a single AppLocker rule in Windows 7, all processing of SRP rules
stops. Therefore, if you are replacing SRP rules with AppLocker rules, then you must
implement all AppLocker rules that you require at one time. If you implement the
AppLocker rules incrementally, then you will lose the functionality provided by SRP rules
that have not yet been replaced with corresponding AppLocker rules.
Lesson 5
Configuring User Account Control
What is UAC?
UAC in Windows 7
Windows 7 includes a number of new features to improve the
Standard Users
In previous Windows versions, many users were configured
to use administrative privileges rather than standard user
permissions. This was done because previous Windows
versions required administrator permissions to perform
basic system tasks such as adding a printer, or
configuring the time zone. In Windows 7, many of these
tasks no longer require administrative privileges.
When users have administrative permissions to their
computers, they are able to install additional software.
Securing Windows 7 Desktops 6-107
Administrative Users
Administrative users automatically have:
• Read/Write/Execute permissions to all resources
• All Windows privileges
While it may seem clear that not all users should be able to
read, alter, and delete any Windows resource, many
enterprise IT departments that are running earlier Windows
versions had no other option but to assign all of their
users to the local Administrators group.
One of the benefits of UAC is that it allows users with
administrative privileges to run as standard users most of
the time. When users with administrative privileges
perform a task that requires administrative privileges,
UAC prompts the user for permission to complete the task.
Burn CD/DVD media (configurable with Group Policy) | Open the Windows Firewall Control Panel
Change the desktop background for the current user | Change a user's account type
Open the Date and Time Control Panel and change the time zone | Modify UAC settings in the Security Policy Editor snap-in (secpol.msc)
another computer
Configure battery power options | Copy or move files into the Program Files or Windows directory
installations and
upgrades on
domain-joined
computers.
User Account Control: Behavior of the elevation prompt for
administrators in Admin Approval Mode
Options:
• Elevate without prompting (all applications elevate silently)
• Prompt for credentials on the desktop
• Prompt for consent on the desktop
• Prompt for credentials without the secure desktop
• Prompt for consent without the desktop
• Prompt for consent for non-Windows signed binaries
Default: Prompt for consent for non-Windows signed binaries
Note: Modifying the "User Account Control: Run all administrators in Admin Approval
Mode" setting requires a computer restart before the setting becomes effective. All
other UAC Group Policy settings are dynamic and do not require a restart.
Demonstration
7. Log off.
4. Log off.
7. Log off.
5. Click Yes.
7. Log off.
Prompt Description
Lesson 6
Configuring Windows Firewall
Host-based Firewalls
Network perimeter firewalls cannot provide protection for
traffic generated inside a trusted network. For this
reason, host-based firewalls that run on individual
computers are needed. Host-based firewalls, such as
Windows Firewall with Advanced Security, protect a host
from unauthorized access and attack, and can often be
configured to block specific types of outgoing traffic.
Host-based firewalls provide an extra layer of security in
a network and function as integral components in a
complete defense strategy.
Question: What type of firewall does your organization
currently use?
Question: What are the reasons that it was selected?
Answer: Answers will vary.
Firewall Exceptions
When you add a program to the list of allowed programs or
open a firewall port, you are allowing that program to
send information to or from the computer. Continuing with
Inbound Rules
Inbound rules explicitly allow or block traffic that
matches criteria in the rule. For example, you can
configure a rule to allow traffic secured by IPsec for
Remote Desktop through the firewall, but block the same
traffic if it is not secured by IPsec.
When Windows is first installed, all unsolicited inbound
traffic is blocked. To allow a certain type of unsolicited
inbound traffic, you must create an inbound rule that
describes that traffic. For example, if you want to run a
Web server, then you must create a rule that allows
unsolicited inbound network traffic on TCP port 80. You
can also configure the default action that Windows Firewall
with Advanced Security takes when no inbound rule applies,
that is, whether connections are allowed or blocked.
Outbound Rules
Windows Firewall allows all outbound traffic unless a rule
blocks it. Outbound rules explicitly allow or deny traffic
originating from the computer that matches the criteria in
the rule. For example, you can configure a rule to
explicitly block outbound traffic to a computer (by IP
address) through the firewall, but allow the same traffic
for other computers.
Monitoring
Windows Firewall uses the monitoring interface to display
information about current firewall rules, connection
security rules, and security associations. The Monitoring
overview page shows which profiles are active (domain,
private, or public) and the settings for the active
profiles.
Note: When you view the Windows Firewall with Advanced Security snap-in within the
Group Policy Editor snap-in, the Monitoring node does not display.
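The inbound and outbound rule examples above can be created from the command line with netsh advfirewall, the command-line interface to Windows Firewall with Advanced Security. The following is an added example, not part of the courseware; the rule names and the 192.0.2.10 address are constructed for illustration.

```powershell
# Added example (not from the courseware). Run from an elevated Windows
# PowerShell prompt on Windows 7. Rule names and the 192.0.2.10 address
# (a documentation-only address) are constructed.

# Default action when no rule applies: block unsolicited inbound traffic and
# allow outbound traffic. The value is quoted so that PowerShell does not
# split it into two arguments at the comma.
netsh advfirewall set allprofiles firewallpolicy "blockinbound,allowoutbound"

# Inbound: allow unsolicited traffic to a Web server on TCP port 80.
netsh advfirewall firewall add rule name="HTTP - TCP 80" `
    dir=in action=allow protocol=TCP localport=80

# Inbound: allow Remote Desktop (TCP 3389) only when the connection is
# authenticated by IPsec. Traffic that is not secured by IPsec does not match
# this rule and falls through to the default inbound action (block), provided
# no other enabled rule allows TCP 3389. A connection security rule must
# exist to negotiate IPsec with the remote computer.
netsh advfirewall firewall add rule name="Remote Desktop - IPsec only" `
    dir=in action=allow protocol=TCP localport=3389 security=authenticate

# Outbound: block traffic to one computer by IP address while leaving
# outbound traffic to all other computers allowed by default.
netsh advfirewall firewall add rule name="Block outbound to 192.0.2.10" `
    dir=out action=block remoteip=192.0.2.10

# Verify: show the active profile with its default actions, then the details
# of each rule that was just created.
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name="HTTP - TCP 80" verbose
netsh advfirewall firewall show rule name="Remote Desktop - IPsec only" verbose
netsh advfirewall firewall show rule name="Block outbound to 192.0.2.10" verbose

# Clean up the constructed rules when the test is finished.
netsh advfirewall firewall delete rule name="HTTP - TCP 80"
netsh advfirewall firewall delete rule name="Remote Desktop - IPsec only"
netsh advfirewall firewall delete rule name="Block outbound to 192.0.2.10"
```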
• Predefined rules
• Custom rules
Well-Known Ports
Well-known ports are assigned by the Internet Assigned
110 | TCP | Post Office Protocol version 3 (POP3) used for e-mail retrieval from e-mail clients
25 | TCP | Simple Mail Transfer Protocol (SMTP) that e-mail servers and clients use to send e-mail
53 | TCP | DNS
13. Type “HTTP – TCP 80” in the Name field and then
click Finish.
Lesson 7
Configuring Security Settings in Windows
Internet Explorer 8
Compatibility View
• Intranet integrity
• Codepage sniffing
• Web Proxy handling changes
• AJAX navigation
InPrivate Browsing
InPrivate Browsing helps protect data and privacy by
preventing browsing history, temporary Internet files,
form data, cookies, usernames, and passwords from being
stored or retained locally by the browser. This leaves
virtually no evidence of browsing or search history as the
browsing session does not store session data.
InPrivate Filtering
Most Web sites today contain content from several
different sites; the combination of these sites is
sometimes referred to as a mashup. People begin to expect
this type of integration, from something like an embedded
map from a mapping site, to greater integration of ads, or
multi-media elements. Organizations try to offer more of
these experiences because it draws customers to their
site. This capability is making the Web more robust, but
it also provides an opportunity for malicious users to
create and exploit vulnerabilities.
Every piece of content that a browser requests from a Web
site discloses information to that site, sometimes even if
the user has blocked all cookies. Often, users are not
fully aware that their Web browsing activities are tracked
by Web sites other than those they have consciously chosen
to visit.
InPrivate Filtering is designed to monitor the frequency
of all third-party content as it appears across all Web
sites visited by the user. An alert or frequency level is
configurable and is initially set to three. Third-party
content that appears with high incidence is blocked when
the frequency level is reached. InPrivate Filtering does
not discriminate between different types of third-party
Note: To prevent users from disabling the filter and to enforce a SmartScreen mode,
enable the Turn off Managing SmartScreen Filter policy setting in Group Policy
Administrative Templates.
Per-Site ActiveX
When a user navigates to a Web site containing an ActiveX
control, Internet Explorer 8 performs a number of checks,
including a determination of where a control is permitted
to run. If a control is installed but is not permitted to
run on a specific site, an Information Bar appears asking
the user’s permission to run on the current Web site or on
all Web sites.
Lesson 8
Configuring Windows Defender
Antispyware Definitions
Antispyware definitions are files that act like an
ever-growing encyclopedia of potential software threats.
Windows Defender uses definitions to determine if software
it detects is unwanted and to alert you to potential
risks. To help keep definitions up to date, Windows
Defender works with Windows Update to automatically
install new definitions as they are released. You can set
Windows Defender to check online for updated definitions
Scan Options
In Windows Defender, run a quick, full, or custom scan. If
you suspect spyware has infected a specific area of the
computer, customize a scan by selecting specific drives
and folders. Additional information about scan options is
available in the “Scanning Options in Windows Defender”
topic.
Monitoring Agents
You can choose the software and settings that Windows
Defender monitors, including real-time protection options,
called agents. When an agent detects potential spyware
activity, it stops the activity and raises an alert. The
following table identifies Windows Defender monitoring
agents.
Real-time protection agent | Purpose
Downloaded files and attachments | Monitors files and programs that work with Internet Explorer, such as ActiveX controls and software installation programs. These files can be downloaded, installed, or run by the browser itself. Unwanted software can be included with these files and installed without your knowledge.
Severe | Widespread or exceptionally malicious programs, similar to viruses or worms, which negatively affect your privacy and the security of the computer, and can damage | Remove this software immediately.
Medium | Programs that might affect your privacy or make changes to the computer that can negatively impact your computing experience, for example, by collecting personal information or changing settings. | Review the alert details to see why the software was detected. If you do not like what the software does or if you do not recognize and trust the publisher, consider blocking or removing the software.
Action | Description
Quarantine | When software is quarantined, it is moved to another location on the computer, and is then prevented from running until you choose to restore it or remove it from the computer.
Remove | Windows Defender permanently removes the item from the computer.
Allow | This action adds the software to the allowed list and allows it to run on the computer. Windows Defender stops alerting you to risks that the
Configuration Options
To help prevent spyware and other unwanted software from
running on the computer, turn on Windows Defender
real-time protection and select all real-time protection
options. You are alerted if programs attempt to install,
run on the computer, or change important Windows settings.
Turn on real-time protections by clicking Tools, clicking
Options, and then clicking Real-time protection. In the
Options area, perform the following additional tasks:
• Configure automatic scanning
• Specify default actions for specific alert levels
• Customize a scan by excluding files, folders, and file
types
• Use the Advanced options to scan archived files, email,
and removable drives, and to use heuristics and create
a restore point.
• Select whether to use Windows Defender and what
information to display to all users of the computer.
History, Allowed items, and Quarantined items are
hidden by default to protect user privacy.
Question: List the four Windows Defender alert levels.
What are the possible responses?
Scanning
Option | Description
Quick Scan | Checks areas on a hard disk that spyware is most likely to infect.
Full Scan | Checks all critical areas, including all files, the registry, and all applications that are currently running.
Note: Do not restore software with severe or high alert ratings because it can put your
privacy and the security of the computer at risk.
Microsoft SpyNet
1. In Tools and Settings, click Microsoft SpyNet.
2. Select Join with a basic membership.
3. Click Save.
Review Questions
1. Question: When User Account Control is implemented,
what happens to standard users and administrative users
when they perform a task requiring administrative
privileges?
Note: Unless you enable the Group Policy setting titled “Internet Explorer Maintenance
Note: To prevent users from using the RIES feature, enable the Do not allow resetting
Internet Explorer settings policy in Group Policy Administrative Templates.
view.
Task Reference
Module 7
Optimizing and Maintaining Windows 7
Client Computers
Contents:
Lesson 1: Maintaining Performance Using the Windows 7 Performance Tools
Lesson 2: Maintaining Reliability by Using the Windows 7 Diagnostic Tools
Lesson 3: Backing Up and Restoring Data by Using Windows Backup
Lesson 4: Restoring a Windows 7 System by Using System Restore Points
Lesson 5: Configuring Windows Update
Module Overview
Lesson 1
Maintaining Performance by Using the
Note: You can also use the WinSAT command line to perform this assessment. Windows
stores the WEI reports as XML files in the C:\Windows\Performance\WinSAT\DataStore
folder. When you run WinSAT the first time on a computer, Windows creates a report
whose name ends with (Initial).
Monitoring Tool
Monitoring Tools contains the Performance Monitor. It
provides a visual display of built-in Windows performance
counters, either in real time or as a way to review
historical data.
The Performance Monitor includes the following features:
• Multiple graph views
• Custom views that you can export as data collector sets
Performance Monitor uses performance counters to measure
the system state or activity.
Performance Counters can be included in the operating
system or can be part of individual applications.
Performance Monitor requests the current value of
performance counters at specified time intervals.
You can add performance counters to the Performance
Monitor by dragging and dropping the counters or by
creating a custom data collector set.
Performance Monitor features multiple graph views that
enable you to visually review performance log data. You
can create custom views in Performance Monitor that can be
exported as Data Collector Sets for use with performance
and logging features.
Reports
Use reports to view and create reports from a set of
counters that you create by using Data Collector Sets.
Resource Monitor
Use this view to monitor the use and performance of CPU,
disk, network, and memory resources in real time. This
allows for resource conflicts and bottlenecks to be
identified and resolved.
By expanding the monitored elements, system administrators
can identify which processes are using which resources. In
previous Windows versions, this real-time process-specific
data was available only in a limited form in Task Manager.
19. Click the Task tab. This tab lets you run a
scheduled task when the data collector set stops. This
could be used to process the collected data.
20. Click Cancel.
21. Notice that there are three kinds of logs listed in
system can use, how much it is used currently and how much
is reserved for hardware. From the Disk view, you can see
Counter | Usage
LogicalDisk\% Free Space | This measures the percentage of free space on the selected logical disk drive. Take note if this falls
PhysicalDisk\% Idle Time | This measures the percentage of time the disk was idle during the sample interval. If this counter falls below 20 percent, the disk system is saturated. You may consider replacing the current disk system with a faster disk system.
PhysicalDisk\Avg. Disk Sec/Read | This measures the average time, in seconds, to read data from the disk. If the number is larger than 25 milliseconds (ms), that means the disk system is experiencing latency when reading from the disk.
PhysicalDisk\Avg. Disk Sec/Write | This measures the average time, in seconds, it takes to write data to the disk. If the number is larger than 25 ms, the disk system experiences latency when writing to the disk.
PhysicalDisk\Avg. Disk Queue Length | This indicates how many I/O operations are waiting for the hard drive to become available. If the value here is larger than two times the number of spindles, that means the disk itself may be the bottleneck.
Memory\% Committed Bytes in Use | This measures the ratio of Committed Bytes to the Commit Limit—in other words, the amount of virtual memory in use. This indicates insufficient memory if the number is greater than 80 percent.
Memory\Free System Page Table Entries | This indicates the number of page table entries not currently in use by the system. If the number is less than 5,000, there may well be a memory leak.
Memory\Pool Non-Paged Bytes | This measures the size, in bytes, of the non-paged pool. This is an area of system memory for objects that cannot be written to disk but instead must remain in physical memory as long as they are allocated. There is a possible memory leak if the value is greater than 175MB (or 100MB with the /3GB switch).
Memory\Pool Paged Bytes | This measures the size, in bytes, of the paged pool. This is an area of system memory used for objects that can be written to disk when they are not being used. There may be a memory leak if this value is greater than 250MB (or 170MB with the /3GB switch).
Memory\Pages per Second | This measures the rate at which pages are read from or written to disk to resolve hard page faults. If the value is greater than 1,000, as a result of excessive paging, there may be a memory leak.
Processor\% Processor Time | This measures the percentage of elapsed time the processor spends executing a non-idle thread. If the percentage is greater than 85 percent, the processor is overwhelmed and the server may require a faster processor.
Processor\% User Time | This measures the percentage of elapsed time the processor spends in user mode. If this value is high, the server is busy with the application.
Processor\% Interrupt Time | This measures the time the processor spends receiving and servicing hardware interruptions during specific sample intervals. This counter indicates a possible hardware issue if the value is greater than 15 percent.
Network Interface\Bytes Total/Sec | This measures the rate at which bytes are sent and received over each network adapter, including framing characters. The network is saturated if you discover that more than 70 percent of the interface is consumed.
Network Interface\Output Queue Length | This measures the length of the output packet queue, in packets. There is network saturation if the value is more than 2.
Process\Handle Count | This measures the total number of handles that are currently open by a process. This counter indicates a possible handle leak if the number is greater than 10,000.
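The thresholds in the counter table above can be checked against live data with the Get-Counter cmdlet in Windows PowerShell 2.0, which ships with Windows 7. The following is an added example, not part of the courseware; it assumes English counter names, and the 5-second interval and 6-sample window are arbitrary choices.

```powershell
# Added example (not from the courseware). Assumes English counter names.
# Limits are the ones stated in the counter table above.
# Op 'lt' flags an average below the limit, 'gt' flags an average above it.
$checks = @(
    @{ Path = '\PhysicalDisk(_Total)\% Idle Time';         Op = 'lt'; Limit = 20;    Meaning = 'disk system saturated' },
    # The latency counters report seconds, so 25 ms is written as 0.025.
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Read';  Op = 'gt'; Limit = 0.025; Meaning = 'disk read latency' },
    @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Write'; Op = 'gt'; Limit = 0.025; Meaning = 'disk write latency' },
    @{ Path = '\Memory\% Committed Bytes In Use';          Op = 'gt'; Limit = 80;    Meaning = 'insufficient memory' },
    @{ Path = '\Memory\Free System Page Table Entries';    Op = 'lt'; Limit = 5000;  Meaning = 'possible memory leak' },
    @{ Path = '\Memory\Pool Nonpaged Bytes';               Op = 'gt'; Limit = 175MB; Meaning = 'possible memory leak' },
    @{ Path = '\Memory\Pool Paged Bytes';                  Op = 'gt'; Limit = 250MB; Meaning = 'possible memory leak' },
    @{ Path = '\Memory\Pages/sec';                         Op = 'gt'; Limit = 1000;  Meaning = 'excessive paging' },
    @{ Path = '\Processor(_Total)\% Processor Time';       Op = 'gt'; Limit = 85;    Meaning = 'processor overwhelmed' },
    @{ Path = '\Processor(_Total)\% Interrupt Time';       Op = 'gt'; Limit = 15;    Meaning = 'possible hardware issue' },
    @{ Path = '\Network Interface(*)\Output Queue Length'; Op = 'gt'; Limit = 2;     Meaning = 'network saturation' },
    @{ Path = '\Process(*)\Handle Count';                  Op = 'gt'; Limit = 10000; Meaning = 'possible handle leak' }
)

# Collect 6 samples, 5 seconds apart, for all counters in one pass. Errors are
# suppressed because processes can exit between samples.
$paths   = $checks | ForEach-Object { $_.Path }
$samples = Get-Counter -Counter $paths -SampleInterval 5 -MaxSamples 6 -ErrorAction SilentlyContinue |
    ForEach-Object { $_.CounterSamples }

$findings = foreach ($check in $checks) {
    $wildcard = $check.Path.Contains('(*)')
    $samples |
        # Sample paths are returned as \\computer\object(instance)\counter.
        Where-Object { $_.Path -like ('*' + $check.Path) } |
        # A wildcard query also returns the _Total instance, which sums every
        # process or adapter and would trip a per-instance limit, so drop it.
        Where-Object { -not ($wildcard -and $_.InstanceName -eq '_total') } |
        Group-Object Path |
        ForEach-Object {
            # Average over the window so that one spike does not raise a finding.
            $avg = ($_.Group | Measure-Object CookedValue -Average).Average
            $hit = if ($check.Op -eq 'lt') { $avg -lt $check.Limit } else { $avg -gt $check.Limit }
            if ($hit) {
                New-Object PSObject -Property @{
                    Counter = $_.Name
                    Average = [math]::Round($avg, 3)
                    Limit   = $check.Limit
                    Meaning = $check.Meaning
                }
            }
        }
}

# No output means that no counter crossed its limit during the window.
$findings | Sort-Object Counter | Format-Table Counter, Average, Limit, Meaning -AutoSize
```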
Lesson 2
Maintaining Reliability by Using the
Windows 7 Diagnostic Tools
Memory
Memory problems are especially frustrating to troubleshoot
because they frequently manifest themselves as application
issues. Failing memory can cause application failures,
operating system faults, and stop errors. Failing memory
can be difficult to identify because problems can be
Network
Network errors frequently cause an inability to access
network resources and can be difficult to diagnose.
Network interfaces that you do not configure correctly,
incorrect IP addresses, hardware failures, and many other
problems can affect connectivity. Operating-system
features, such as cached credentials, enable users to log
on as domain users even when a network connection is not
present. This feature can make it appear as if the user
has successfully logged on to the domain even when they
have not. Although this feature is useful, it does add
another layer to the process of troubleshooting network
connections.
Startup
Diagnosing startup problems is especially difficult
because you do not have access to Windows 7
troubleshooting and monitoring tools when your computer
does not start. Malfunctioning memory, incompatible or
corrupted device drivers, missing or corrupted startup
files, or corrupted disk data can all cause startup
failures.
Advanced Options
To access advanced diagnostic options, press F1 while the
test is running. Advanced options include the following:
• Test mix: select what kind of test to run.
• Cache: select the cache setting for each test.
• Pass Count: type the number of times the test mix
repeats the tests.
Press the Tab key to move between the advanced options.
When you finish selecting your options, press F10 to start
the test.
You also select the number of seconds that you want the
list of recovery options to be displayed before the default
recovery option is automatically selected.
Under System Failure you can specify what happens when the
system stops unexpectedly:
You can start the Startup Repair tool manually from the
Windows 7 installation DVD. After you start the computer
from the DVD, you can access the manual repair tools from
the menus that display.
Lesson 3
Backing Up and Restoring Data by Using
Windows Backup
Image Backup
The Windows Backup option does not back up system files,
program files, files that are on File Allocation Table
(FAT) volumes, temporary files, and user profile files. If
you want to protect these file types, you must use the
Image Backup.
A System Image Backup is a copy of the system drivers
required for Windows to run. It can also include
additional drives. A system image can be used to restore
your computer if your hard disk or computer stops working.
However, you cannot select individual items to restore.
8. Click Finish.
9. Close the Backup and Restore.
Lesson 4
Restoring a Windows 7 System by Using
System Restore Points
Note: System Restore does not affect any of your documents, pictures, or other personal
data. However, recently installed programs and drivers may be uninstalled.
Note: If you modify a file several times in one day, only the version that was current
when the restore point or backup was made is saved as a previous version.
Lesson 5
Configuring Windows Update
and solutions
Windows Update provides two types of updates:
• Important updates, including security updates and
critical performance updates.
• Recommended updates that help fix or prevent problems.
Important updates can be downloaded and installed
automatically or manually. Recommended updates are optional
and have to be selected manually.
Change Settings
From the Windows Update page, you also have access to the
Change settings features. On the Change Settings page, you
select three settings:
• Install updates automatically (recommended)
• Download updates but let me choose whether to install
them
Note: This setting is sometimes used on critical systems that cannot be rebooted or
changed without first being scheduled. If this setting is enabled, another method of
patch delivery should be implemented to make sure these systems are kept up to date.
Panel?
Answer: Using a group policy allows you to apply the configuration settings to multiple
computers by performing a single action. It also prevents users from overriding the settings.
Review Answers
1. You can create a Data Collector Set from counters in
Tools
Image Backup | A copy of the drivers required for Windows to run | Backup and Restore
System Repair Disc | Used to boot the computer | Backup and Restore
Disk Space Usage | Adjust maximum disk space used for system protection | System Properties
Module 8
Configuring Mobile Computers and Remote
Access in Windows 7
Contents:
Lesson 1: Configuring Mobile Computer and Device Settings
Lesson 2: Configuring Remote Desktop and Remote Assistance for Remote Access
Lesson 3: Configuring DirectAccess for Remote Access
Lesson 4: Configuring BranchCache for Remote Access
Module Overview
Lesson 1
Configuring Mobile Computer and Device
Settings
Tablet PCs
The Tablet PC is a fully functional laptop computer with a
sensitive screen designed to interact with a complementary
pen-shaped stylus. Tablet PC screens turn and fold onto
the keyboard and you can use the stylus directly on the
screen just as you use a mouse to select, drag, and open
files. You can use the stylus in place of a keyboard to
hand write notes and communications. Unlike a touch
screen, the Tablet PC screen only receives information
from the stylus. It will not take information from your
finger or your shirtsleeve. Therefore, you can rest your
wrist on the screen and write naturally.
The Tablet PC uses a digitizer device that interprets the
movements of the stylus and converts those into mouse or
cursor movements. Many organizations are replacing
traditional clipboards, jotters, and other forms of paper
and pen input with the several applications that are now
available for the Tablet PC. For example, the Writing
Tools option in Microsoft Office® OneNote® 2007 lets you
use any pointing device, such as a drawing pad stylus or a
Tablet PC pen, to add handwritten text or freehand
drawings to your notes.
Ultra-Mobile Computers
A typical Ultra-Mobile computer features a 7-inch diagonal
Mobile Devices
You must be able to assist users with connecting their
mobile devices to computers running Windows 7. A mobile
device is a computing device optimized for specific mobile
computing tasks. Mobile devices typically synchronize with
desktop or mobile computers to obtain data. The following
types of mobile devices are available.
Mobile Phone
A mobile phone, also known as a cellular phone, is a
portable telephone that uses a form of radio connectivity.
Many mobile phones now have some PDA and media player
functionality. You typically use a numerical keypad as the
input for this device.
Power Management
Windows 7 power management includes an updated,
easy-to-find battery meter that tells you at a glance how much
battery life is remaining and what the current power plan
is. With the battery meter, you can easily access and
change the power plan to meet your needs. For example, you
might want to conserve power by limiting the CPU or
Sync Center
The Windows 7 Sync Center provides a single interface to
manage data synchronization in several scenarios: between
multiple computers, between corporate network servers and
computers, and with devices you connect to the computer,
such as a PDA, a mobile phone, and a music player.
Because different devices synchronize by using different
procedures depending on the data source, there is no easy
way to manage all of the individual sync relationships in
earlier versions of Windows. The Sync Center enables you
to initiate a manual synchronization, stop in-progress
synchronizations, see the status of current
Presentation Settings
Mobile users often have to reconfigure their computer
settings for meeting or conference presentations, such as
changing the screen saver timeouts or desktop wallpaper.
click Calendar.
2. Click tomorrow’s date. Is the Quarterly Meeting
showing?
3. Click Start, and then click Contacts. Are there
contacts listed?
4. Close all open Windows. Do not save changes.
• CPU speed
• Display brightness
By using the CPU speed option, you can lower the speed of
the computer processor which reduces its power
Power Plans
In Windows 7, Power Plans help you maximize computer and
battery performance. By using power plans, with a single
click, you can change a variety of system settings to
optimize power or battery usage, depending on the
scenario. There are three default power plans:
• Power saver: This plan saves power on a mobile
computer by reducing system performance. Its primary
purpose is to maximize battery life.
• High performance: This plan provides the highest
level of performance on a mobile computer by
adapting processor speed to your work or activity
and by maximizing system performance.
• Balanced: This plan balances energy consumption and
system performance by adapting the computer’s
processor speed to your activity.
The balanced plan provides the best balance between power
and performance. The power saver plan reduces power usage
by lowering the performance. The high performance plan
consumes more power by increasing system performance. Each
plan provides alternate settings for AC or DC power.
You can customize or create additional power plans by
using Power Options in Control Panel. Some hardware
manufacturers supply additional power plans and power
options. When you create additional power plans, be aware
that the more power the computer consumes, the less time
it runs on a single battery charge. By using Power Options
you can configure settings such as Choose what closing the
lid does.
In addition to considering power usage and performance, as
a Windows 7 Technology Specialist, you must also consider
the following three options for turning a computer on and
off:
• Shut down
• Hibernate
• Sleep
Shut Down
When you shut down the computer, Windows 7 does the
following:
Hibernate
When you put the computer in hibernate mode, Windows 7
saves the system state, along with the system memory
contents to a file on the hard disk, and then shuts down
the computer. No power is required to maintain this state
because the data is stored on the hard disk.
Windows 7 supports hibernation at the operating system
level without any additional drivers from the hardware
manufacturer. The hibernation data is stored in a hidden
system file called Hiberfil.sys. This file is the same
size as the physical memory contained in the computer and
is normally located in the root of the system drive.
Sleep
Sleep is a power-saving state that saves work and open
programs to memory. This provides very fast resume
capability, typically within several seconds. Sleep does
consume a small amount of power to maintain.
Windows 7 automatically goes into Sleep mode when you
click the Shut Down button on the Start menu. If the
battery power of the computer is low, Windows 7 puts the
computer in hibernate mode.
settings.
2. On the Change settings for the plan: Amy’s plan page,
click Change advanced power settings.
3. Configure the following properties for the plan, and
then click OK.
• Turn off hard disk after: 10 minutes
• Wireless Adapter Settings, Power Saving Mode:
Maximum Power Saving
• Power buttons and lid, Power button action: Shut
down
4. On the Change settings for the plan: Amy’s plan page,
click Cancel.
5. Close Power Options.
Lesson 2
Configuring Remote Desktop and Remote
Assistance for Remote Access
Remote Assistance
Remote Assistance allows a user to request help from a
remote administrator. To access Remote Assistance, run the
Windows Remote Assistance tool. Using this tool, you can
do the following actions:
•
Windows Firewall
Windows 7 uses Windows Firewall to prevent remote
troubleshooting tools from connecting to the local
computer. However, by default, Windows Firewall allows
remote access and Remote Assistance traffic to traverse
the firewall.
To enable support for other applications, complete the
following steps:
1. Open Windows Firewall from Control Panel.
2. Click Allow a program or feature through the Windows
Firewall and select what you want to enable an
exception for.
15. In the Chat window, type “Does that help?”, and then
press ENTER.
16. Switch to the LON-CL1 virtual machine.
17. Observe the message.
18. Type “Yes, thanks”, press ENTER, and then in the
Lesson 3
Configuring DirectAccess for Remote Access
BETA COURSEWARE EXPIRES 11/15/2009
Authentication
There are three types of VPN connection authentication:
• User authentication
• Computer authentication
• Data authentication and integrity
With user authentication, the VPN server authenticates the
connecting VPN client and verifies that the client has the
appropriate permissions. If mutual authentication is used,
Tunneling Protocols
VPN connections use either Point-to-Point Tunneling
Protocol (PPTP) or L2TP/IPsec over an intermediate
network, such as the Internet.
Tunneling is a method of using a network infrastructure to
transfer data for one network over another network. The
PPTP
PPTP allows multiple types of protocol traffic to be
encrypted and then encapsulated in an IP header that is
sent across an IP network such as the Internet. PPTP
encapsulates PPP frames in IP datagrams for transmission
over the network. PPTP uses PPP authentication methods
to authenticate the VPN session.
PPTP uses a TCP connection for tunnel management, and a
modified version of Generic Routing Encapsulation (GRE) to
encapsulate PPP frames for tunneled data. The encapsulated
PPP frame payloads can be encrypted, compressed, or both.
For VPN connections, the Routing and Remote Access service
uses Microsoft Point-to-Point Encryption (MPPE) with PPTP.
The following figure shows the structure of a PPTP packet
containing an IP datagram.
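The modified GRE header that PPTP places in front of each tunneled PPP frame can be decoded as shown here. This is an added example, not part of the course material; the header layout follows RFC 2637, the helper names Read-BigEndian and ConvertFrom-PptpGre are hypothetical, and the sample bytes are constructed.

```powershell
# Added example, not part of the course material. Header layout follows RFC 2637.
# Read-BigEndian and ConvertFrom-PptpGre are hypothetical helper names.

function Read-BigEndian([byte[]]$Data, [int]$Offset, [int]$Count) {
    # Arithmetic instead of shift operators, which Windows PowerShell 2.0 lacks.
    [long]$value = 0
    for ($i = 0; $i -lt $Count; $i++) { $value = $value * 256 + $Data[$Offset + $i] }
    return $value
}

function ConvertFrom-PptpGre {
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)

    if ($Bytes.Length -lt 8) { throw 'Truncated GRE header: fewer than 8 bytes.' }

    $hasKey  = ($Bytes[0] -band 0x20) -ne 0   # K bit: payload length and call ID present
    $hasSeq  = ($Bytes[0] -band 0x10) -ne 0   # S bit: sequence number (and payload) present
    $hasAck  = ($Bytes[1] -band 0x80) -ne 0   # A bit: acknowledgment number present
    $version = $Bytes[1] -band 0x07
    $proto   = Read-BigEndian $Bytes 2 2

    # PPTP's modified GRE is version 1, key bit set, protocol type 0x880B (PPP).
    if (($version -ne 1) -or (-not $hasKey) -or ($proto -ne 0x880B)) {
        throw 'Not a PPTP (modified GRE) header.'
    }

    [int]$payloadLength = Read-BigEndian $Bytes 4 2
    [int]$headerLength  = 8 + (4 * [int]$hasSeq) + (4 * [int]$hasAck)
    if ($Bytes.Length -lt ($headerLength + $payloadLength)) {
        throw 'Truncated packet: optional fields or payload are incomplete.'
    }

    # The optional fields follow the call ID in this order: sequence, then acknowledgment.
    $offset = 8
    $seq = $null
    $ack = $null
    if ($hasSeq) { $seq = Read-BigEndian $Bytes $offset 4; $offset += 4 }
    if ($hasAck) { $ack = Read-BigEndian $Bytes $offset 4 }

    # An acknowledgment-only packet carries no PPP payload.
    $payload = @()
    if ($payloadLength -gt 0) {
        $payload = $Bytes[$headerLength..($headerLength + $payloadLength - 1)]
    }

    New-Object PSObject -Property @{
        CallId         = (Read-BigEndian $Bytes 6 2)
        HeaderLength   = $headerLength
        PayloadLength  = $payloadLength
        Sequence       = $seq
        Acknowledgment = $ack
        PppPayloadHex  = (($payload | ForEach-Object { $_.ToString('X2') }) -join ' ')
    }
}

# Constructed sample: K, S and A bits set, version 1, call ID 42, sequence 1,
# acknowledgment 0, and a 4-byte PPP payload (FF 03 00 21 = PPP header for an IP datagram).
$sample = [byte[]](0x30, 0x81, 0x88, 0x0B, 0x00, 0x04, 0x00, 0x2A,
                   0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
                   0xFF, 0x03, 0x00, 0x21)

ConvertFrom-PptpGre -Bytes $sample |
    Format-List CallId, HeaderLength, PayloadLength, Sequence, Acknowledgment, PppPayloadHex
```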
L2TP
L2TP encapsulates PPP frames to be sent over IP, X.25
packet-switching protocol, frame relay, or asynchronous
transfer mode (ATM) networks. When L2TP is configured to
use IP as its datagram transport, you can use it as a
tunneling protocol over the Internet. L2TP uses PPP
authentication.
What is DirectAccess?
DirectAccess Requirements
Lesson 4
Configuring BranchCache for Remote Access
What is BranchCache?
Protocol: Hypertext Transfer Protocol (HTTP) and Hypertext Transfer
Description: The communication protocols used to transfer
information on intranets and the Internet.
BranchCache Requirements
Network Requirements
BranchCache supports Secure Sockets Layer (SSL) as
available through HTTPS and IPv6 IPsec.
If client computers are configured to use the Distributed
Cache mode, the cached content is distributed among client
computers on the branch office network. No infrastructure
or services are required in the branch office beyond
client computers running Windows 7.
Client Configuration
BranchCache is disabled by default on client computers.
Take the following steps to enable BranchCache on client
computers:
1. Turn on BranchCache.
2. Enable either the Distributed Cache mode or Hosted
Cache mode.
Review Answers
Common Issues
Issue: BytesAddedToCache does not increase on the first
client when accessing the BranchCache-enabled server.
Troubleshooting tip:
• The client computer may be retrieving content from the
Internet Explorer cache. Be sure to clear the IE cache by
selecting Internet Options
Course Evaluation
3. In the Open an Easy Transfer File window, in the File name box, type
\\LON-DC1\Data\DonProfile.MIG and then click Open.
3. At the command prompt, type ipconfig and then press Enter. Verify that an IP
address in the 10.10.0.0 range is assigned. This confirms that Windows PE
1. Restart LON-CL3 by closing the command prompt. Do not start from CD or DVD.
2. If prompted, select Start Windows normally and press Enter. The computer will
restart before asking for any input.
3. In the Set Up Windows box, click Next to accept the default country, time and
currency format, and keyboard layout.
4. In the Type a user name box, type LocalAdmin.
5. In the Type a computer name box, type LON-CL3 and then click Next.
6. In the Type a password and Retype your password boxes, type Pa$$w0rd.
7. In the Type a password hint box, type Local Admin and then click Next.
8. Clear the Automatically activate Windows when I’m online checkbox and then
click Next.
8. Select the I accept the license terms checkbox and then click Next.
9. Click Ask me later to delay the implementation of Windows updates.
10. Click Next to accept the default settings for time zone and date.
11. Click Work network to select your computer’s current location.
12. Click Start, right-click Computer, and click Properties.
13. Under Computer name, domain, and workgroup settings, click Change
settings.
14. In the System Properties window, click Change.
15. In the Computer Name/Domain Changes window, click Domain, type
contoso.com, and then click OK.
16. Authenticate as Administrator with a password of Pa$$w0rd.
17. Click OK to close the welcome message.
18. Click OK to close the message about restarting.
19. In the System Properties window, click Close.
20. Click Restart Now.
L1-8 Module 1: Installing and Configuring Windows 7
7. On the Specify Volume Size page, in the Simple volume size in MB box, type
100, and then click Next.
L2-2 Module 2: Configuring Disks and Device Drivers
9. On the Format Partition page, in the Volume label box, type Simple, click Next,
and then click Finish.
3. At the DISKPART> prompt, type list disk, and then press ENTER.
5. At the DISKPART> prompt, type create partition primary size=100, and press
ENTER.
8. At the DISKPART> prompt, type format fs=ntfs label=simple2 quick, and press
ENTER.
2. In Disk Management, on Disk 2, right-click Simple (F:), and then click Extend
Volume.
4. On the Select Disks page, in the Select the amount of space in MB box, type
100, click Next, and then click Finish.
6. At the DISKPART> prompt, type shrink desired = 100, and press ENTER.
2. In Disk Management, on Disk 2, right-click Simple (F:), and then click Delete
Volume.
4. In Disk Management, on Disk 3, right-click simple2 (G:), and then click Delete
Volume.
8. On the Select Disks page, in the Select the amount of space in MB box, type 100
9. In the Available list, click Disk 3, and then click Add >.
10. In the Selected list, click Disk 3, and in the Select the amount of space in MB
box, type 150, and then click Next.
12. On the Format Partition page, in the Volume label box, type Spanned, click
Next, and then click Finish.
3. On the Select Disks page, in the Available list, click Disk 3, and then click Add
4. On the Select Disks page, in the Select the amount of space in MB box, type
1024, and then click Next.
6. On the Format Partition page, in the Volume label box, type Striped, click
Next, and then click Finish.
3. In the Striped (G:) Properties dialog box, click the Quota tab.
4. On the Quota tab, select the Enable quota management check box.
5. Select the Deny disk space to users exceeding quota limit check box.
6. Click Limit disk space to, in the adjacent box, type 10, and in the KB list, click
MB.
7. In the Set warning level to box, type 5, and in the KB list, click MB.
8. Select the Log event when a user exceeds their warning level check box, and
then click OK.
9. In the Disk Quota dialog box, review the message, and then click OK.
Lab: Configuring Disks and Device Drivers L2-5
3. At the command prompt, type fsutil file createnew 1mb-file 1048576, and then
press ENTER.
4. At the command prompt, type fsutil file createnew 1kb-file 1024, and then press
ENTER.
These filenames enable you to identify them later as being 1 megabyte (MB) and 1
kilobyte (KB), respectively.
5. In the file list, right-click 1mb-file and drag it to Amy’s files, and then click Copy
here.
10. In the file list, right-click 1kb-file and drag it to Amy’s files, and then click Copy
here.
4. In the Striped (G:) Properties dialog box, click the Quota tab, and then click
Quota Entries.
5. In the Quota Entries for Striped (G:), in the Logon Name column, double-click
contoso\amy.
6. In the Quota Settings for Amy Rusko (CONTOSO\amy) dialog box, click OK.
11. In the Event Viewer (Local) list, expand Windows Logs, and then click System.
13. In the <All Events IDs> box, type 36, and then click OK.
3. Expand Mice and other pointing devices, right-click Microsoft PS/2 Mouse, and
then click Update Driver Software.
4. In the Update Driver Software – Microsoft PS/2 Mouse dialog box, click
Browse my computer for driver software.
5. On the Browse for driver software on your computer page, click Let me pick
from a list of device drivers on my computer.
6. In the Show compatible hardware list, click PS/2 Compatible Mouse, and then
click Next.
7. Click Close.
8. In the System Settings Change dialog box, click Yes to restart the computer.
4. Expand Mice and other pointing devices, right-click PS/2 Compatible Mouse,
and then click Properties.
5. In the PS/2 Compatible Mouse Properties dialog box, click the Driver tab.
8. Click Close, and then in the System Settings Change dialog box, click Yes to
restart the computer.
13. Verify that you have successfully rolled back the driver.
2. In the File Sharing box, click the arrow beside the text box, and then click Find
people.
3. In the Select Users or Groups dialog box, type Contoso\Terri, click Check
Names, and then click OK.
4. Under Permission Level, click the down arrow and select Read/Write. Click
Share.
5. Click Done to close the File Sharing dialog box.
19. Once again review all permissions. Notice that they are no longer inherited.
20. In Permission entries, click Terri Chudzik, then click Edit.
21. Uncheck all permissions under Allow, except the following: Traverse
folder/execute file, List folder/read data, Read attributes, Read extended attributes,
Read permissions. Click OK.
Connectivity
Computers in this lab
Before you begin the lab, you must start the virtual
machines. The virtual machines used at the start of this
lab are:
• 6292-LON-DC1
• 6292-LON-CL1
255.255.0.0
6. To which IPv4 network does this host belong?
10.10.0.0
7. Is DHCP enabled?
Yes
6. When does the DHCP lease expire?
An APIPA address
Properties.
2. Click Internet Protocol Version 4 (TCP/IPv4) and then
click Properties.
3. Click Use the following IP address and type the
following:
• IP address: 10.10.0.50
• Subnet mask: 255.255.0.0
• Preferred DNS server: 10.10.0.10
4. Click OK.
5. In the Local Area Connection 3 Properties window, click
Close.
6. Close all open windows.
Properties.
2. Click Internet Protocol Version 6 (TCP/IPv6) and then
click Properties.
3. Click Obtain an IPv6 address automatically, click
Obtain DNS server address automatically, and then click
OK.
4. In the Local Area Connection 3 Properties window, click
Close.
Requirement Overview
I would like to deploy wireless networks across all of the production plants in the UK,
starting with the largest in Slough.
Security is critical, and we must deploy the strongest security measures available.
Some of our older computer equipment supports earlier wireless standards only.
Cordless telephones are in use at the plants.
Some of the production plants are located in busy trading districts with other commercial
organizations located nearby – again, it is important that the Contoso network is not
compromised.
Additional Information
What technical factors will influence the purchasing decision for the WAPs that Amy
should consider?
Answers will vary, but should include at least the following points:
Coverage of a WAP
Use of overlapping coverage and the same Service Set Identifier (SSID)
Security options:
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)/Wi-Fi Protected Access version 2 (WPA2)
802.1x
Wireless technology 802.11b or 802.11g
L5-2 Module 5: Configuring Wireless Network Connections
Incident Record
Additional Information
Plan of action
Answers will vary, but here is a suggested proposal:
Check the placement of all WAPs to ensure that they are not adjacent to any
forms of interference.
Lab A: Configuring UAC, Local Security Policies, EFS, and AppLocker L6-1
Security Settings.
18. Expand Application Control Policies.
19. Click AppLocker, and then right-click and select
Properties.
20. On the Enforcement tab, under Executable rules,
click the Configured checkbox and select Enforce rules.
21. Click OK.
22. Click Start, in the Search programs and files box,
type cmd, and then press ENTER.
23. In the Command Prompt window, type gpupdate /force
and press ENTER. Wait for the policy to be updated.
24. Click Start, right-click Computer and click Manage.
25. Expand Services and Applications, and then click
Services.
26. Right-click Application Identity service in the main
window pane, then click Properties.
27. Set the Startup type to Automatic, and then click
Start.
28. Click OK once the service starts.
29. Log off.
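The outcome of the steps above can be confirmed from a Windows PowerShell prompt. This is an added example, not part of the course material: it reads the enforcement mode of each rule collection from an AppLocker policy XML and checks that the Application Identity service (service name AppIDSvc) starts automatically and is running. The helper names are hypothetical and the sample policy is constructed.

```powershell
# Added example, not part of the course material.
# Get-AppLockerEnforcement and Get-AppIdServiceState are hypothetical helper names.

function Get-AppLockerEnforcement {
    param([Parameter(Mandatory = $true)][string]$PolicyXml)

    $policy = [xml]$PolicyXml
    foreach ($collection in $policy.SelectNodes('/AppLockerPolicy/RuleCollection')) {
        $mode  = $collection.GetAttribute('EnforcementMode')
        $rules = $collection.SelectNodes('*').Count   # rules of every kind in this collection
        New-Object PSObject -Property @{
            Collection = $collection.GetAttribute('Type')
            Mode       = $mode
            Rules      = $rules
            # 'Enabled' enforces the rules and 'AuditOnly' only logs. A collection left
            # at 'NotConfigured' still enforces any rules it contains.
            Enforced   = (($mode -eq 'Enabled') -or
                          (($mode -eq 'NotConfigured') -and ($rules -gt 0)))
        }
    }
}

function Get-AppIdServiceState {
    # Get-Service in PowerShell 2.0 does not expose the startup type, so ask WMI.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'"
    if (-not $svc) { return $null }
    New-Object PSObject -Property @{
        StartMode = $svc.StartMode   # 'Auto' corresponds to Automatic
        State     = $svc.State       # 'Running' once the service has started
        Ready     = (($svc.StartMode -eq 'Auto') -and ($svc.State -eq 'Running'))
    }
}

# Constructed sample policy: executable rules enforced, script rules audit-only,
# Windows Installer rules not configured and empty.
$samplePolicy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="Sample: Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
  <RuleCollection Type="Script" EnforcementMode="AuditOnly" />
  <RuleCollection Type="Msi" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
'@

Get-AppLockerEnforcement -PolicyXml $samplePolicy |
    Format-Table Collection, Mode, Rules, Enforced -AutoSize

# Where the AppLocker module is available, evaluate the policy that is actually
# in effect after gpupdate /force, then check the service the rules depend on.
if (Get-Module -ListAvailable -Name AppLocker) {
    Import-Module AppLocker
    Get-AppLockerEnforcement -PolicyXml (Get-AppLockerPolicy -Effective -Xml) |
        Format-Table Collection, Mode, Rules, Enforced -AutoSize
    Get-AppIdServiceState | Format-List StartMode, State, Ready
}
```

If Ready is False, rules are not applied even when the Exe collection reports Enforced, which is why the steps above set the service to Automatic and start it.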
6. Log off.
4. Log off
selected.
10. In the Limits area, select the Maximum size
checkbox, type 10 and then click OK.
Task 3: Verify that the automatic updates setting from the group
policy is being applied
Incident Record
Incident Reference Number: 502509
Date of Call: November 5th
Time of Call: 08:45
User: Amy Rusko (Production Department)
Status: OPEN
Incident Details
Amy would like you to establish a sync partnership with her Windows Mobile device.
Amy needs the power options to be configured for optimal battery life when she is
traveling.
Amy wants to enable remote desktop on her desktop computer in the office for her own
user account so she can connect remotely to her desktop from her laptop.
Amy wants to be able to access documents from the head-office and enable others at
the plant to access those files without delay.
Additional Information
Amy’s laptop is running Windows 7 Enterprise.
The Slough plant has no file-server at present.
Resolution
1. You have synchronized the Windows Mobile device with Windows 7.
2. Amy’s laptop has an appropriate power plan.
3. Amy’s laptop has Remote Desktop enabled for Contoso\Amy.
4. BranchCache Distributed Cache mode configured and enabled on the Slough Plant
shared folder. Amy’s computer tested – BranchCache successfully enabled.
LX-2 Module 8: Configuring Mobile Computing and Remote Access in Windows 7
7. In the Plan name box, type Amy’s plan, and then click
Next.
6. Click Connect.
OK.
Appendix
Starting Out in Windows PowerShell™ 2.0
Contents:
Lesson 1: Introduction to Windows PowerShell 2.0
Lesson 2: Remoting with Windows PowerShell 2.0
Lesson 3: Using Windows PowerShell Cmdlets for Group Policy
Appendix Overview
Lesson 1
Introduction to Windows PowerShell 2.0
get-help about_commonparameters
• CommandType
• Name
• Definition
The Definition column displays the syntax of the cmdlet.
Note: Windows PowerShell 2.0 is fully backward compatible. Cmdlets, providers, snap-
ins, scripts, functions, and profiles designed for Windows PowerShell 1.0 work on
Windows PowerShell 2.0 without changes.
Lesson 2
Remoting with Windows PowerShell 2.0
Remoting Requirements
The remoting features of Windows PowerShell are built on
Windows Remote Management (WinRM), the Microsoft
implementation of the WS-Management protocol. WinRM is a
standard SOAP-based, firewall-compatible communications
protocol. It uses the WS-Management protocol with a
special SOAP payload designed specifically for Windows
PowerShell commands.
To work remotely, the local and remote computers must have
Windows PowerShell 2.0, Microsoft .NET Framework 2.0 or
Types of Remoting
Two types of remoting are supported:
• Fan-out remoting provides one-to-many capabilities that
allow IT professionals to run management scripts across
multiple computers from a single console.
• One-to-one interactive remoting enables IT
professionals to remotely troubleshoot a specific
computer.
Enter-PSSession server01
Server01\PS>
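Both types of remoting can be used together to audit a setting from a single console. This is an added example, not part of the course material: fan-out remoting reports on each computer whether Remote Desktop connections are allowed, and one-to-one remoting is the follow-up for a single computer. The computer names are the lab virtual machines named on this page, and the choice of registry values to audit is an assumption.

```powershell
# Added example, not part of the course material.
# Computer names are the lab virtual machines named on this page; adjust as needed.
$computers = 'LON-DC1', 'LON-CL1'

# Script block that runs on each computer and returns one object.
$audit = {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    New-Object PSObject -Property @{
        # fDenyTSConnections = 0 means Remote Desktop connections are allowed.
        RemoteDesktopEnabled = ((Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0)
        # UserAuthentication = 1 means Network Level Authentication is required.
        NlaRequired          = ((Get-ItemProperty -Path $rdp).UserAuthentication -eq 1)
    }
}

# Run the block locally first to confirm that it works before sending it out.
& $audit | Format-List RemoteDesktopEnabled, NlaRequired

# Fan-out remoting: one command, many computers. Unreachable computers are
# collected in $failed instead of stopping the run.
$results = Invoke-Command -ComputerName $computers -ScriptBlock $audit `
    -ErrorAction SilentlyContinue -ErrorVariable failed

$results | Sort-Object PSComputerName |
    Format-Table PSComputerName, RemoteDesktopEnabled, NlaRequired -AutoSize

foreach ($e in $failed) { Write-Warning ('Not audited: ' + $e.Exception.Message) }

# One-to-one interactive remoting: investigate a single computer from the list.
# Enter-PSSession -ComputerName LON-CL1
```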
Command: get-help * -parameter ComputerName
Description: Finds cmdlets that use the ComputerName parameter.
Lesson 3
Using Windows PowerShell Cmdlets for
Group Policy
Setting name: Run Windows PowerShell scripts first at
computer startup, shutdown
Location: Computer Configuration\Administrative Templates\System\Scripts\
Default value: Not Configured
Possible value: Not Configured, enabled, disabled
• This policy setting determines whether Windows PowerShell
scripts will run before non-PowerShell scripts during
computer startup and shutdown. By default, PowerShell
scripts run after non-PowerShell scripts.
• If you enable this policy setting, within each applicable
Group Policy object (GPO), PowerShell scripts will run
before non-PowerShell scripts during computer startup and
shutdown.

Setting name: Startup (PowerShell Scripts tab)
Location: Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\
Default value: Not Configured
Possible value: Not Configured, Run Windows PowerShell
scripts first, Run Windows PowerShell scripts last