
OFFICIAL MICROSOFT LEARNING PRODUCT

6292A
Installing and Configuring
Windows® 7 Client
ii Installing and Configuring Windows® 7 Client

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in
any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and
Microsoft makes no representations and warranties, either expressed, implied, or statutory,
regarding these manufacturers or the use of the products with any Microsoft technologies. The
inclusion of a manufacturer or product does not imply endorsement of Microsoft of the
manufacturer or product. Links may be provided to third party sites. Such sites are not under the
control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for
webcasting or any other form of transmission received from any linked site. Microsoft is providing
these links to you only as a convenience, and the inclusion of any link does not imply endorsement
of Microsoft of the site or the products contained therein.
© 2009 Microsoft Corporation. All rights reserved.

Microsoft, Microsoft Press, Access, Active Directory, ActiveSync, ActiveX, Aero, Aero Flip 3D,
AppLocker, Authenticode, BitLocker, BitLocker to Go, BizTalk, BranchCache, Device Stage,
DirectX, ESP, Excel, Hyper-V, Intellisense, Internet Explorer, Microsoft Dynamics, MS, MSDN, MS-
DOS, OneCare, OneNote, Outlook, PowerPoint, ReadyBoost, Remote App and Desktop
Connections, SharePoint, SpyNet, SQL Server, Visual Basic, Visual C#, Visual Studio, Win32,
Windows, Windows Live, Windows Media Player, Windows Mobile, Windows NT, Windows
Defender, Windows PowerShell, Windows Server, and Windows Vista are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.

Product Number: 6292A

Part Number: 6292A

Released: 06/2009

Contents
BETA COURSEWARE EXPIRES 11/15/2009

Module 1: Installing, Upgrading, and Migrating to Windows 7
Lesson 1: Preparing to Install Windows 7 1-4
Lesson 2: Performing a Clean Installation of Windows 7 1-26
Lesson 3: Upgrading and Migrating to Windows 7 1-37
Lesson 4: Performing Image-based Installation of Windows 7 1-61
Lesson 5: Configuring Application Compatibility 1-97

Module 2: Configuring Disks and Device Drivers
Lesson 1: Partitioning Disks in Windows 7 2-4
Lesson 2: Managing Disk Volumes 2-18
Lesson 3: Maintaining Disks in Windows 7 2-36
Lesson 4: Installing and Configuring Device Drivers 2-48

Module 3: Configuring File Access and Printers on Windows 7 Clients
Lesson 1: Overview of Authentication and Authorization 3-3
Lesson 2: Managing File Access in Windows 7 3-15
Lesson 3: Managing Shared Folders 3-41
Lesson 4: Configuring File Compression 3-62
Lesson 5: Managing Printing 3-75

Module 4: Configuring Network Connectivity
Lesson 1: Configuring IPv4 Network Connectivity 4-3
Lesson 2: Configuring IPv6 Network Connectivity 4-22
Lesson 3: Implementing Automatic IP Address Allocation 4-37
Lesson 4: Troubleshooting Network Issues 4-48

Module 5: Configuring Network Connections
Lesson 1: Overview of Wireless Networks 5-3
Lesson 2: Configuring a Wireless Network 5-13

Module 6: Securing Windows 7 Desktops
Lesson 1: Overview of Security Management in Windows 7 6-4
Lesson 2: Securing a Windows 7 Client Computer by Using Local Security Policy Settings 6-13
Lesson 3: Securing Data by Using EFS and BitLocker 6-38
Lesson 4: Configuring Application Restrictions 6-81
Lesson 5: Configuring User Account Control 6-102
Lesson 6: Configuring Windows Firewall 6-123
Lesson 7: Configuring Security Settings in Internet Explorer 8 6-145
Lesson 8: Configuring Windows Defender 6-164

Module 7: Optimizing and Maintaining Windows 7 Client Computers
Lesson 1: Maintaining Performance Using the Windows 7 Performance Tools 7-3
Lesson 2: Maintaining Reliability by Using the Windows 7 Diagnostic Tools 7-6
Lesson 3: Backing Up and Restoring Data by Using Windows Backup 7-42
Lesson 4: Restoring a Windows 7 System by Using System Restore Points 7-52
Lesson 5: Configuring Windows Update 7-57

Module 8: Configuring Mobile Computing and Remote Access in Windows 7
Lesson 1: Configuring Mobile Computer and Device Settings 8-4
Lesson 2: Configuring Remote Desktop and Remote Assistance for Remote Access 8-26
Lesson 3: Configuring DirectAccess for Remote Access 8-35
Lesson 4: Configuring BranchCache for Remote Access 8-50

Lab Answer Keys

Appendix: Starting Out in Windows PowerShell™ 2.0
Lesson 1: Introduction to Windows PowerShell 2.0 A-3
Lesson 2: Remoting with Windows PowerShell 2.0 A-17
Lesson 3: Using Windows PowerShell Cmdlets for Group Policy A-27



About This Course


This section provides you with a brief description of the course, audience, suggested
prerequisites, and course objectives.

Course Description
This three-day instructor-led course is intended for IT professionals who are interested
in expanding their knowledge base and technical skills about Windows 7 Client. In this
course, students learn how to install, upgrade, and migrate to Windows 7 client.
Students then configure Windows 7 client for network connectivity, security,
maintenance, and mobile computing.

Audience
This course is intended for IT professionals who are interested in:
• Expanding their knowledge base and technical skills about Windows 7 Client.
• Acquiring deep technical knowledge of Windows 7.
• Learning the details of Windows 7 technologies.
• Focusing on the "how to" associated with Windows 7 technologies.
Most of these professionals use some version of Windows client at their workplace
and are looking for new and better ways to perform some of their current functions.

Student Prerequisites
This course requires that you meet the following prerequisites:
• Experience installing PC hardware and devices.
• Basic understanding of TCP/IP and networking concepts.
• Basic Windows and Active Directory knowledge.
• The skills to map network file shares.
• Experience working from a command prompt.
• Basic knowledge of the fundamentals of applications. For example, how client
computer applications communicate with the server.
• Basic understanding of security concepts such as authentication and authorization.
• An understanding of the fundamental principles of using printers.

Course Objectives
After completing this course, students will be able to:
• Perform a clean installation of Windows 7, upgrade to Windows 7, and migrate
user-related data and settings from an earlier version of Windows.
• Configure disks, partitions, volumes, and device drivers to enable a Windows 7
client computer.
• Configure file access and printers on a Windows 7 client computer.
• Configure network connectivity on a Windows 7 client computer.
• Configure wireless network connectivity on a Windows 7 client computer.
• Secure Windows 7 client desktop computers.
• Optimize and maintain the performance and reliability of a Windows 7 client
computer.
• Configure mobile computing and remote access settings for a Windows 7 client
computer.

Course Outline
This section provides an outline of the course:
Module 1, Installing, Upgrading, and Migrating to Windows 7
Module 2, Configuring Disks and Device Drivers
Module 3, Configuring File Access and Printers on Windows 7 Client Computers
Module 4, Configuring Network Connectivity
Module 5, Configuring Wireless Network Connections
Module 6, Securing Windows 7 Desktops
Module 7, Optimizing and Maintaining Windows 7 Client Computers
Module 8, Configuring Mobile Computing and Remote Access in Windows 7

Course Materials
The following materials are included with your kit:
• Course Handbook. A succinct classroom learning guide that provides all the
critical technical information in a crisp, tightly-focused format, which is just right
for an effective in-class learning experience.
  • Lessons: Guide you through the learning objectives and provide the key points
  that are critical to the success of the in-class learning experience.
  • Labs: Provide a real-world, hands-on platform for you to apply the knowledge
  and skills learned in the module.
  • Module Reviews and Takeaways: Provide improved on-the-job reference
  material to boost knowledge and skills retention.
  • Lab Answer Keys: Provide step-by-step lab solution guidance at your
  fingertips when it’s needed.
• Course Companion CD. Searchable, easy-to-navigate digital content with
integrated premium on-line resources designed to supplement the Course
Handbook.
  • Lessons: Include detailed information for each topic, expanding on the content
  in the Course Handbook.
  • Labs: Include complete lab exercise information and answer keys in digital
  form to use during lab time.
  • Resources: Include well-categorized additional resources that give you
  immediate access to the most up-to-date premium content on TechNet,
  MSDN®, and Microsoft Press®.
  • Student Course Files: Include Allfiles.exe, a self-extracting executable file
  that contains all the files required for the labs and demonstrations.

Note To access the full course content, insert the Course Companion CD into the CD-ROM
drive, and then in the root directory of the CD, double-click StartCD.exe.

• Course evaluation. At the end of the course, you will have the opportunity to
complete an online evaluation to provide feedback on the course, training facility,
and instructor.

To provide additional comments or feedback on the course, send e-mail to
support@mscourseware.com. To inquire about the Microsoft Certification Program,
send e-mail to mcphelp@microsoft.com.

Virtual Machine Environment


This section provides the information for setting up the classroom environment to
support the business scenario of the course.

Virtual Machine Configuration


In this course, you will use Hyper-V to perform the labs.

Important: At the end of each lab, you must close the virtual machine and must
not save any changes. To close a virtual machine without saving the changes,
perform the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click the virtual machine name in the Virtual Machines list, and click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

The following table shows the role of each virtual machine used in this course:

Virtual machine   Role
6292A-LON-DC1     Domain controller in the Contoso.com domain
6292A-LON-CL1     Windows® 7 computer in the Contoso.com domain
6292A-LON-CL2     Windows® 7 computer in the Contoso.com domain
6292A-LON-CL3     Virtual machine with no operating system installed
6292A-LON-VS1     Windows Vista computer in the Contoso.com domain

Software Configuration
The following software is installed on the VMs:
• Windows Server 2008 R2, Release Candidate
• Windows 7, Release Candidate
• Windows Vista, SP1
• Office 2007, SP1

Classroom Setup
Each classroom computer will have the same virtual machines configured in the same
way.

Course Hardware Level


To ensure a satisfactory student experience, Microsoft Learning requires a minimum
equipment configuration for trainer and student computers in all Microsoft Certified
Partner for Learning Solutions (CPLS) classrooms in which Official Microsoft
Learning Product courseware is taught.

Hardware Level 6
• Intel Virtualization Technology (Intel VT) or AMD Virtualization (AMD-V)
processor
• Dual 120 gigabyte (GB) hard disks, 7200 RPM SATA or better*
• 4 GB RAM expandable to 8 GB or higher
• DVD drive
• Network adapter
• Super video graphics array (SVGA) 17-inch monitor
• Microsoft Mouse or compatible pointing device
• Sound card with amplified speakers

*Striped
In addition, the instructor computer must be connected to a projection display device
that supports SVGA 800 x 600 pixels, 256 colors.

Module 1
Installing, Upgrading, and Migrating to Windows 7
Contents:
Lesson 1: Preparing to Install Windows 7 1-4
Lesson 2: Performing a Clean Installation of Windows 7 1-26
Lesson 3: Upgrading and Migrating to Windows 7 1-37
Lesson 4: Performing Image-based Installation of Windows 7 1-61
Lesson 5: Configuring Application Compatibility 1-97

Module Overview

Windows® 7 is the latest version of the Windows operating system from Microsoft®.
It is built on the same kernel as Windows Vista®. Windows 7 ships in several editions
to specifically meet customer needs.
Windows 7 enhances user productivity and security, and reduces IT overhead for
deployment. It provides additional manageability with several key features, such as
BitLocker™, BitLocker To Go™, AppLocker™, and improvements in the Windows®
Taskbar. Windows 7 also enhances the end-user experience with improvements in how
users organize, manage, search, and view information.
There are several ways to install Windows 7, but before you start, verify that the
hardware platform meets the requirements of the edition you want to install. If
necessary, plan for hardware upgrades. It is also recommended that you test your
applications for compatibility and prepare for any necessary mitigation plan.
Depending on the version of your current operating system, you may be able to
upgrade directly to Windows 7, or you may need to perform a clean installation of
Windows 7 and migrate the necessary settings and data.

Lesson 1
Preparing to Install Windows 7

Before installing Windows 7, ensure that your computer meets the minimum hardware
requirements. In addition, you must decide which edition of Windows 7 best suits your
organizational needs. You must also decide which architecture to use, either the 32-bit
or the 64-bit platform of Windows 7.
Once you have established your hardware requirements and decided which edition of
Windows 7 to install, you have several options to install and deploy Windows 7.
Depending on several factors, such as your organization’s deployment infrastructure,
policy, and automation, you may want to select one or more installation options.

Key Features of Windows 7

Windows 7 includes many features that enable users to be more productive. It also
provides a more secure desktop environment and a higher level of reliability when
compared to the previous versions of Windows.
The key features of Windows 7 are categorized by usability, security, multi-tiered data
protection, reliability and performance, deployment, manageability, and productivity.

Usability
One of the main design goals of Windows 7 was to help users work more productively,
and to make it easier to carry out common tasks. Windows 7 includes tools to make it
easier for users to organize, search for, and view information. This enables them to
focus on the most important aspects of their job. In addition, Windows 7
communication, mobility, and networking features help users connect to people,
information, and devices by using simple tools.

Security
Windows 7 is built on a fundamentally secure platform based on the Windows Vista
foundation. It includes numerous security features and improvements that protect client
computers from the latest threats, including worms, viruses, and malicious software
(malware).

User Account Control (UAC) in Windows 7 adds security by limiting administrator-
level access to the computer. All users in Windows 7, including administrators, work at
the standard user level unless they need a higher privilege level to perform a particular
task. Windows 7 introduces streamlined UAC, which reduces the number of operating
system applications and tasks that require elevation of privileges. It also provides
flexible prompt behavior for administrators, allowing standard users to do more and
administrators to see fewer UAC elevation prompts.

Multi-tiered Data Protection
Windows 7 supports data protection at multiple levels, such as the document, file,
directory, computer, and network levels.
• Rights Management Services (RMS): RMS enables organizations to enforce
policies regarding document usage. It enables policy definition and enforcement,
protects information wherever it travels and provides policy-based protection of
document libraries on a SharePoint site.
• Encrypting File System (EFS): EFS provides user-based file and directory
encryption. It enables storage of encryption keys on smart cards, providing better
protection of encryption keys.
• Windows® BitLocker™ Drive Encryption: BitLocker adds computer-level data
protection. It provides full-volume encryption of the system volume, including
Windows system files. Windows 7 introduces BitLocker To Go™, which extends
BitLocker drive encryption to removable devices.
• Internet Protocol Security (IPsec): IPsec isolates network resources from
unauthenticated computers and encrypts network communication.

Reliability and Performance


Windows 7 takes advantage of modern computing hardware, running more reliably and
providing more consistent performance than previous versions of Windows. Some of
the reasons for reliability and performance improvements include:
• Applications are more reliable because they can recover from deadlocked
situations, and improved error reporting enables developers to fix common
problems.
• Windows 7 includes the Startup Repair tool, which fixes many common problems
automatically. Additionally, you can use it to diagnose and repair more complex
startup failures.

• Windows 7 helps detect and recover failing hard disks and memory.
• The auto-tuning network stack of Windows 7 provides improved performance by
analyzing the available bandwidth and using it more efficiently.
• Defragmentation runs in the background to help maintain disk performance.

Deployment

Windows 7 is deployed by using an image, which makes the deployment process more
efficient due to the following factors:
• Windows 7 installation is based on the Windows Imaging (WIM), which is a file-
based, disk-imaging format. This results in much faster deployments than
traditional installation mechanisms.
• Windows 7 is modularized, which makes customization and deployment of the
images easier.
• Windows 7 uses Extensible Markup Language (XML)-based, unattended setup
answer files to enable remote and unattended installations. The same XML answer
file format is also used during image preparation.
• Deploying Windows 7 by using Windows Deployment Services in Windows
Server® 2008 R2 is optimized with Multicast with Multiple Stream Transfer and
Dynamic Driver Provisioning.
• Deployment Image Servicing and Management (DISM), a consolidated tool for
servicing and managing images. DISM enables you to add and remove drivers and
packages, and to treat a Virtual Hard Disk (VHD) image in the same manner as a
WIM file.
• Improvements in the User State Migration Tool (USMT). Migrating the user state
is made more efficient with hard-link migration, offline user state capture, volume
shadow copy, and improved file discovery in USMT 4.0.

Manageability
In Windows 7, hundreds of new Group Policy settings make it easier to configure and
control the desktop environment centrally. The improved Task Scheduler increases the
IT professional’s ability to automate tasks, reducing the time required to manage the
desktop and decreasing the likelihood of manual errors. Event Viewer has multiple
views and enables you to attach a task to an event. Also, by using features such as the
Windows Eventing infrastructure and much clearer explanations for events, you can
troubleshoot problems by using the event logs more effectively.
In addition, Windows 7 introduces the following manageability improvements that can
reduce cost by increasing automation.

• Microsoft Windows PowerShell™ 2.0, which enables IT professionals to easily
create and run scripts on a local PC or on remote PCs across the network.
• Group Policy scripting, which enables IT professionals to manage Group Policy
Objects (GPOs) and registry-based settings in an automated manner.
Windows 7 improves the support tools to keep users productive and reduce help desk
calls, including:
• Built-in Windows Troubleshooting Packs, which enable end-users to solve many
common problems on their own. IT professionals can create custom
Troubleshooting Packs and extend this capability to internal applications.
• Improvements to the System Restore tool, which informs users of applications that
might be affected when returning Windows to an earlier state.
• The new Problem Steps Recorder, which enables users to record screenshots,
click-by-click, to reproduce a problem so the help desk can troubleshoot solutions.
• Improvements to the Resource Monitor and Reliability Monitor, which enable IT
Professionals to more quickly diagnose performance, compatibility, and resource
limitation problems.
Windows 7 also provides flexible administrative control with the following features:
• AppLocker, which enables IT professionals to more flexibly set policy on which
applications and scripts users can run or install, providing a more secure and
manageable desktop.
• Auditing improvements, which enable IT professionals to use Group Policy to
configure more comprehensive auditing of files and registry access.
• Group Policy Preferences that define the default configuration, which users can
change, and provide centralized management of mapped network drives, scheduled
tasks, and other Windows components that are not Group Policy-aware.

Productivity
Windows 7 improvements to the user interface help users and IT Professionals increase
their productivity. Users can find what they want easily, and they can optimize their
desktops by turning on necessary accessibility features.
Windows 7 includes an integrated search feature, known as Windows® Search. It
offers significant performance improvements, making it quicker and easier for users to
locate their documents.
Windows 7 also offers improvements for mobile and remote users by introducing the
following features:

• BranchCache™, which increases network responsiveness of applications and gives
users in remote offices an experience like working in the head office.
• DirectAccess, which connects mobile workers seamlessly and securely to their
corporate network any time they have Internet access, without using a Virtual
Private Network (VPN).
• VPN Reconnect, which provides seamless and consistent VPN connectivity by
automatically re-establishing a VPN when users temporarily lose their Internet
connections.

Question: What are the key features of Windows 7 that will help your organization?
Answer: The answer may vary, but in general all the key features of Windows 7 will
help users in terms of usability, security, manageability, deployment and productivity.

Editions of Windows 7

There are six Windows 7 editions: two for mainstream consumers and business users,
and four specialized editions for enterprise customers, technical enthusiasts, emerging
markets, and entry-level PCs. The design of each edition matches the demands of
particular user types. You may need more than one edition in your environment, and
therefore it is important to understand each edition’s features.
Each edition requires activation to verify that your copy of Windows is genuine and
that it has not been used on more computers than the Microsoft Software License
Terms allow. In this way, activation helps prevent software counterfeiting. With an
activated copy of Windows, you can use every Windows feature for that specific
edition.
You have 30 days after installing Windows to activate it online or by telephone. If this
30-day period expires before you complete activation, Windows will stop working. If
this happens, you cannot create new files or save changes to existing ones. You can
regain full use of your computer by activating your Windows copy.

Windows 7 Starter
Windows 7 Starter is targeted specifically for small form factor PCs in all markets. It is
only available for the 32-bit platform. This edition features:
• Improved Windows Taskbar and Jump Lists
• Windows Search
• Ability to join a HomeGroup
• Action Center, Device Stage™, and Windows® Fax and Scan
• Enhanced media streaming, including Play To
• Broad application and device compatibility, with up to three concurrent programs
• Secured, reliable, and supported operating system

Note: Microsoft also produces an N edition of Windows 7 Starter. Windows 7 Starter N
includes all of the same features as Windows 7 Starter, but does not include Microsoft®
Windows Media® Player and related technologies.

Windows 7 Home Basic
Windows 7 Home Basic is targeted for value PCs in emerging markets, meant for
accessing the Internet and running basic productivity applications. This edition includes
all of the features available in Windows 7 Starter. Additionally, it includes:
• No limit on the number of programs you can run
• Live Thumbnail previews and enhanced visual experiences
• Advanced networking support (ad hoc wireless networks and Internet connection
sharing)

Note: Similar to Windows 7 Starter N, Windows 7 Home Basic N excludes Windows
Media Player and related technologies.

Windows 7 Home Premium


Windows 7 Home Premium is the standard edition for customers. It provides full
functionality on the latest hardware, easy ways to connect, and a visually rich
environment. This edition includes all features available in Windows 7 Home Basic in
addition to the following:
• Windows® Aero®, advanced Windows navigation, and Aero background
• Windows® Touch (multi-touch and handwriting support)
• Ability to create a HomeGroup, which eases sharing across all PCs and devices
• DVD video playback and authoring
• Windows® Media Center, Snipping Tool, Sticky Notes, Windows Journal, and
Windows® SideShow™

Windows 7 Professional
Windows 7 Professional is the business-focused edition for small and lower mid-
market companies and users who have networking, backup, and security needs and
multiple PCs or servers. It includes all features available in Windows 7 Home Premium
in addition to the following:
• Core business features, such as Domain Join and Group Policy
• Data protection with advanced network backup and Encrypting File System (EFS)
• Ability to print to the correct printer at home or work with Location Aware
Printing
• Remote Desktop host and Offline folders

Note: Similar to Windows 7 Starter N, Windows 7 Professional N excludes Windows
Media Player and related technologies.

Windows 7 Enterprise
Windows 7 Enterprise provides advanced data protection and information access for
businesses that use IT as a strategic asset. It is a business-focused edition, targeted for
managed environments, mainly large enterprises. This edition includes all features
available in Windows 7 Professional in addition to the following:
• BitLocker and BitLocker To Go data protection for internal and external drives
• AppLocker to prevent unauthorized software installation and execution
• DirectAccess, which provides seamless connectivity to a corporate network
• BranchCache, which decreases the amount of time for branch office workers to
access files across the corporate network
• All worldwide interface languages
• Enterprise Search Scopes

• Virtual Desktop Infrastructure (VDI) enhancements and the ability to boot from a
VHD

Note: Windows 7 Enterprise is available exclusively to Microsoft Software Assurance
customers.

Windows 7 Ultimate
Windows 7 Ultimate is targeted for technical enthusiasts who want all Windows 7
features, without a Volume License agreement. It includes all of the same features as
the Windows 7 Enterprise. Windows 7 Ultimate is not licensed for VDI scenarios.

Note: All editions of Windows 7, with the exception of Windows 7 Starter, are available
for 32 and 64-bit platforms. Windows 7 Starter is only available as a 32-bit operating
system.

Question: Which edition of Windows 7 should you choose in the following scenarios?
Scenario 1: There are a few users in your organization. Currently, you do not have a
centralized file server and all of the computers are not joined to a domain.
Scenario 2: Your organization has more than one hundred users who are located in
several offices across the country. In addition, you have several users that travel
frequently.
Answer: You should choose Windows 7 Professional for Scenario 1 and Windows 7
Enterprise for Scenario 2.
Scenario 1: For a business environment, you should choose either Windows 7
Professional or Windows 7 Enterprise. Windows 7 Home Premium, Windows 7 Home
Basic, and Windows 7 Starter are targeted for home users. Because you only have a few
users, Windows 7 Professional would be the best fit.
Scenario 2: You should choose Windows 7 Enterprise and take advantage of
features such as BranchCache and DirectAccess to increase the productivity of your
mobile users.
Question: What is the difference between the Enterprise and the Ultimate edition of
Windows 7?
Answer: There is no difference in terms of features between the Enterprise and
Ultimate editions. Windows 7 Enterprise is available through Microsoft Software
Assurance with Volume Licensing and Windows 7 Ultimate is available through the
retail channel. There is no upgrade path between the two.

Hardware Requirements for Installing Windows 7

It is important that you understand the hardware requirements for Windows 7. Your
system must meet the minimum requirements for the edition that you are installing. If it
does not, you must know what components need to be upgraded to meet the
requirements.

Note: If you install Windows 7 on a computer that does not meet the minimum hardware
requirements, some features of Windows 7 may not work, or the system performance
level may be unacceptable.

In general, the hardware requirements for Windows 7 are the same as for Windows Vista.
The preceding table (on the slide) shows the minimum hardware requirements for each
edition of Windows 7. For every edition these are a 1 GHz 32-bit (x86) or 64-bit (x64)
processor, 1 GB of RAM (32-bit) or 2 GB (64-bit), 16 GB (32-bit) or 20 GB (64-bit) of
available disk space, and a DirectX 9 graphics device with a WDDM 1.0 or later driver.

Note: An Aero-capable GPU supports DirectX 9 with a WDDM 1.0 or later driver, Pixel
Shader 2.0, and 32 bits per pixel.

Hardware Requirements for Specific Features


Actual requirements and product functionality may vary based on your system
configuration. For example:
• While all editions of Windows 7 support multi-core CPUs, only Windows 7
Professional, Ultimate, and Enterprise support two physical processors.
• A TV tuner card is required for TV functionality (a compatible remote control is
optional).
• Windows® Tablet and Touch Technology requires a Tablet PC or a touch screen.
• Windows BitLocker Drive Encryption requires a Trusted Platform Module (TPM)
version 1.2 or, on a computer without a TPM, a USB flash drive that holds the
startup key.
If you plan to use BitLocker to protect your computer's system drive, the hard disk needs
two partitions, both formatted with the NTFS file system: a small, unencrypted system
partition that holds the boot files (the Boot folder and the bootmgr file), and the
operating system partition that BitLocker encrypts. Windows 7 Setup creates the
unencrypted system partition automatically (it appears as the 100 MB "System Reserved"
partition) when it partitions an empty disk. If you create the partitions yourself, make
sure the boot files end up on their own NTFS partition; otherwise the BitLocker setup
wizard must shrink the volume and create that partition before encryption can start.
The boot files stay unencrypted because they run before the operating system volume
can be unlocked; on a TPM-equipped computer, the TPM checks that these files have not
been tampered with before it releases the volume key.
When considering the deployment of Windows 7, use the previous table as a guideline
for minimum hardware standards, but consider the level of performance that you want
to achieve, because the table specifies only the minimum requirements. To achieve
optimum performance, consider hardware that is more powerful than the minimum.

Note: For more information on Windows 7 hardware requirements, please refer to:
http://go.microsoft.com/fwlink/?LinkID=154215
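The checks described in this topic can be scripted rather than read off a spec sheet. The following PowerShell 2.0 script is an added example, not part of the course, that tests one computer against the published Windows 7 minimums (1 GHz CPU, 1 GB or 2 GB of RAM, 16 GB or 20 GB of free disk) and against the two BitLocker prerequisites above: a TPM 1.2 that is enabled and activated, and a separate NTFS system partition for the boot files. The -Is64Bit switch, the 10 percent RAM tolerance and the output layout are assumptions; run it from an elevated prompt because the TPM class requires administrator rights.

```powershell
# Added example (not from the course): Windows 7 minimum-requirement and BitLocker prerequisite check.
# Thresholds are the Microsoft minimums for the RTM editions; -Is64Bit selects the 64-bit thresholds.
param([switch]$Is64Bit)

$minRamGB  = if ($Is64Bit) { 2 }  else { 1 }
$minDiskGB = if ($Is64Bit) { 20 } else { 16 }

$cpu  = Get-WmiObject Win32_Processor | Select-Object -First 1
$cs   = Get-WmiObject Win32_ComputerSystem
$os   = Get-WmiObject Win32_OperatingSystem
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$($os.SystemDrive)'"
$gpu  = Get-WmiObject Win32_VideoController | Select-Object -First 1

$ramGB  = $cs.TotalPhysicalMemory / 1GB   # firmware reserves some RAM, so allow 10% slack below
$freeGB = $disk.FreeSpace / 1GB

$results = @()
function Add-Check([string]$Name, [bool]$Pass, [string]$Actual) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Pass = $Pass; Actual = $Actual }
}

Add-Check 'CPU 1 GHz or faster'  ($cpu.MaxClockSpeed -ge 1000)   ("{0} MHz" -f $cpu.MaxClockSpeed)
# DataWidth reports the hardware width even under a 32-bit OS; AddressWidth reports the running OS.
Add-Check '64-bit capable CPU'   ($cpu.DataWidth -eq 64)         ("DataWidth {0}" -f $cpu.DataWidth)
Add-Check "RAM $minRamGB GB"     ($ramGB -ge ($minRamGB * 0.9))  ("{0:N2} GB" -f $ramGB)
Add-Check "Free disk $minDiskGB GB" ($freeGB -ge $minDiskGB)     ("{0:N1} GB free on {1}" -f $freeGB, $disk.DeviceID)
# WMI does not expose the driver model, so the WDDM/DirectX 9 check is reported for manual verification.
Add-Check 'Graphics (verify WDDM 1.0 driver manually)' $true ("{0}, driver {1}" -f $gpu.Name, $gpu.DriverVersion)

# BitLocker prerequisite 1: TPM 1.2, enabled and activated. Absent => a USB startup key is required instead.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) {
    $tpmOk = $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue -and ($tpm.SpecVersion -like '1.2*')
    Add-Check 'TPM 1.2 enabled and activated' $tpmOk ("Spec {0}, enabled {1}, activated {2}" -f $tpm.SpecVersion, $tpm.IsEnabled_InitialValue, $tpm.IsActivated_InitialValue)
} else {
    Add-Check 'TPM 1.2 enabled and activated' $false 'No TPM found (or not running elevated)'
}

# BitLocker prerequisite 2: the boot files live on an NTFS system volume that is NOT the Windows (boot)
# volume, so it can stay unencrypted while the operating system volume is encrypted.
$sysVol = Get-WmiObject Win32_Volume | Where-Object { $_.SystemVolume -and -not $_.BootVolume } | Select-Object -First 1
if ($sysVol) {
    Add-Check 'Separate NTFS system partition' ($sysVol.FileSystem -eq 'NTFS') ("{0} ({1}, {2:N0} MB)" -f $sysVol.Name, $sysVol.FileSystem, ($sysVol.Capacity / 1MB))
} else {
    Add-Check 'Separate NTFS system partition' $false 'Boot files share the operating system volume'
}

$results | Format-Table Check, Pass, Actual -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more checks failed; see the table above.' }
```

Run it as `.\Check-Win7Ready.ps1 -Is64Bit` before an x64 deployment. A failed "Separate NTFS system partition" result on an existing Windows installation means BitLocker will have to repartition the disk first; a failed TPM result means the machine needs a USB startup key (or a firmware change to enable and activate the TPM) before BitLocker can protect the system drive.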

Question: What is the typical computer specification within your organization
currently? Contrast that specification with what was typically available when Windows
Vista was released. Do you think Windows 7 can be deployed to the computers within
your organization as they currently are?
Answer: The answer may vary. Several years ago, when Windows Vista was released,
its hardware requirements were considered quite high. Because the Windows 7 hardware
requirements are the same as those of Windows Vista, computers in most organizations
will be able to run Windows 7.

Advantages of Using 64-bit Editions of Windows 7



Although earlier Windows operating systems, such as Windows XP Professional x64
Edition, were available in 64-bit editions, these versions provided limited application
compatibility compared with the 32-bit editions. Additionally, the relative scarcity of
64-bit drivers for existing hardware made selecting the 64-bit edition a significant
compromise.
The 64-bit editions of Windows 7 overcome the application compatibility problems that
affected the 64-bit editions of earlier versions of Windows, and 64-bit drivers are now
readily available for most commonly used devices. The features of the 64-bit editions
of Windows 7 are identical to those of their 32-bit counterparts. However, there are
several advantages to using a 64-bit edition of Windows 7.

Improved Performance
A 64-bit processor running in 64-bit mode has 64-bit wide registers and, on x64, twice
as many general-purpose registers as in 32-bit mode, so code can work on larger values
in a single instruction and keep more data in registers instead of memory. On
workstation computers, this means that suitable applications run faster, particularly
processor-intensive ones that handle large numbers or large data sets. To benefit from
this, you must install a 64-bit edition of the operating system and use 64-bit versions
of the applications; 32-bit applications continue to execute as 32-bit code under a
64-bit edition.

Enhanced Memory
The performance of a computer that runs a large number of programs, or programs that
require large amounts of memory, suffers if there is insufficient physical memory
available to the operating system. A 64-bit operating system can address memory above
4 GB. All 32-bit operating systems, including the 32-bit editions of Windows 7, are
limited to a 4 GB physical address space.

Note: The 32-bit editions of Windows 7 cannot use all of the 4 GB for RAM. Part of the
4 GB address space is reserved for device memory (for example, graphics adapter memory
and other memory-mapped I/O), so a 32-bit installation typically sees about 3 GB to
3.5 GB of usable RAM regardless of how much memory is installed. Separately, each 32-bit
process is limited to a 2 GB virtual address space by default, which constrains individual
memory-hungry programs even when enough RAM is present.

The following table lists the maximum physical memory supported by the 64-bit editions
of Windows 7:

Windows 7 Edition               Memory
Home Basic / Home Basic N       8 GB
Home Premium                    16 GB
Professional / Professional N   192 GB
Enterprise / Ultimate           192 GB

Note: In theory, a 64-bit address space spans 2^64 bytes (16 exabytes). Current x64
processors implement far fewer physical address bits, and Windows imposes the per-edition
license limits shown above, so the practical maximum is much lower than the theoretical
value.

If you anticipate the need to run several memory-intensive programs, deploying a 64-
bit edition of Windows 7 will improve your computer’s performance. If any computer
that you have has more than 4 GB of memory installed, you must install a 64-bit
edition of Windows 7 to access the memory beyond 4 GB.

Improved Device Support


Although 64-bit processors have been available for some time, in the past it was
difficult to obtain third-party 64-bit drivers for commonly used devices, such as
printers, scanners, and other common office equipment. Since Windows Vista was first
released, the availability of 64-bit drivers for these devices has improved greatly.
Because Windows 7 is built on the same kernel as Windows Vista, most drivers that work
with Windows Vista also work with Windows 7.

Improved Security
The 64-bit editions of Windows 7 include the following protections, which depend on the
x64 architecture of Intel and AMD processors:
• Kernel Patch Protection (PatchGuard): this stops software, including drivers and
security products, from patching the kernel and its core data structures at run time.
It exists only in the 64-bit editions.
• Mandatory kernel-mode driver signing: in the 64-bit editions of Windows 7, every
kernel-mode driver must carry a valid digital signature from a trusted publisher or it
will not load; the 32-bit editions only warn about unsigned drivers. A signature proves
who published the driver and that it has not been altered since; it does not by itself
prove that the driver is free of defects.
• Data Execution Prevention (DEP): hardware-enforced DEP uses the processor's NX (AMD)
or XD (Intel) bit to mark data pages as non-executable. It does not prevent a buffer
overflow itself, but it blocks the common follow-on step of running attacker-supplied
code from the stack or heap, so many such exploits fail instead of succeeding. The
64-bit editions always enable hardware DEP for 64-bit processes; the 32-bit editions can
use it too when the processor supports NX/XD.
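Two of the three protections leave a footprint you can query: the DEP policy is exposed through WMI, and driver-signing enforcement on x64 is only weakened if test signing has been turned on in the boot configuration. The following PowerShell 2.0 script is an added example, not from the course, that reports those settings for the running installation. Kernel Patch Protection cannot be queried, so it is simply reported as present on x64. Run it elevated, because bcdedit needs administrator rights; the report layout is an assumption.

```powershell
# Added example (not from the course): report the x64 protections in effect on this Windows 7 installation.
$os   = Get-WmiObject Win32_OperatingSystem
$is64 = $os.OSArchitecture -like '64*'

# DataExecutionPrevention_SupportPolicy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
$depPolicy = switch ([int]$os.DataExecutionPrevention_SupportPolicy) {
    0 { 'AlwaysOff' } 1 { 'AlwaysOn' } 2 { 'OptIn' } 3 { 'OptOut' } default { 'Unknown' }
}

# Read the current boot entry. The braces must be quoted or PowerShell treats {current} as a script block.
$bcd = & bcdedit /enum '{current}' 2>&1
if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; run this script from an elevated PowerShell prompt.' }
$boot = @{}
foreach ($line in $bcd) {
    # Lines look like "nx                      OptIn" or "testsigning             Yes"
    if ($line -match '^\s*(nx|testsigning)\s+(.+?)\s*$') { $boot[$matches[1]] = $matches[2] }
}
$testSigning = ($boot['testsigning'] -eq 'Yes')

$report = New-Object PSObject -Property @{
    Architecture          = $os.OSArchitecture
    KernelPatchProtection = $is64                        # PatchGuard runs only on x64 kernels
    DriverSigningEnforced = ($is64 -and -not $testSigning)  # x64 refuses unsigned kernel drivers unless test signing is on
    TestSigningEnabled    = $testSigning
    HardwareDepAvailable  = $os.DataExecutionPrevention_Available   # CPU exposes NX/XD and the kernel uses it
    DepPolicy             = $depPolicy
    BootNxSetting         = $boot['nx']                  # value configured in the BCD, normally OptIn on clients
    DepForDrivers         = $os.DataExecutionPrevention_Drivers
}
$report | Format-List

if ($is64 -and $testSigning) {
    Write-Warning 'Test signing is on: kernel drivers signed with a test certificate will load. Turn it off with: bcdedit /set testsigning off'
}
if (-not $os.DataExecutionPrevention_Available) {
    Write-Warning 'Hardware DEP is not available: check that NX/XD is enabled in the BIOS.'
}
```

On a default Windows 7 x64 client you should see DepPolicy OptIn, TestSigningEnabled False and DriverSigningEnforced True; a True under TestSigningEnabled on a production machine means the signing protection described above is not actually protecting that computer and deserves a look at who set it.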

Limitations of the 64-bit Editions


Although there are many reasons to consider implementing 64-bit editions of Windows
7, there are also some limitations.
• The 64-bit editions of Windows 7 do not support the 16-bit Windows on Windows
(WOW) environment. WOW enables the operating system to run early Windows
and DOS applications. If your organization requires legacy 16-bit applications, one
solution is to run the application within a virtual environment by using one of the
many Microsoft virtualization technologies available.
• Another limitation is with the WIM file. Although several images can be contained
in a single WIM image file, each WIM file can contain either 32 or 64-bit images,
but not both. However, you can use the 32-bit version of Windows Preinstallation
Environment (Windows PE) to deploy either 32 or 64-bit WIM images.

Options for Installing Windows 7



Windows 7 supports the following types of installation:
• Clean
• Upgrade
• Migration

Clean Installation
You perform a clean installation when installing Windows 7 on a new partition or
when replacing an existing operating system on a partition. To perform a clean
installation on a computer without an operating system, start the computer directly
from the CD/DVD. If the computer already has an operating system, run setup.exe from
within it to start the installation. Setup.exe can be run from the following sources:
• CD/DVD
• Network share
You can also use an image to perform a clean installation.

Upgrade Installation
You perform an upgrade, also known as an in-place upgrade, when replacing an
existing version of Windows with Windows 7 and you need to retain all user
applications, files, and settings.
To perform an in-place upgrade to Windows 7, run the Windows 7 installation program
(setup.exe) from within the current operating system and select Upgrade. You can run
setup.exe from the product CD/DVD or from a network share. During an in-place upgrade,
the Windows 7 installation program automatically retains all user settings, data,
hardware device settings, applications, and other configuration information.
Always back up all of your important data before performing an upgrade.

Migration
You perform a migration when you have a computer that is already running Windows 7 and
need to move files and settings from the old operating system (source computer) to
the Windows 7-based computer (destination computer).
Perform a migration by doing the following:
• Backing up the user’s settings and data
• Performing a clean installation
• Reinstalling the applications
• Restoring the user’s settings and data
There are two migration scenarios: side-by-side and wipe and load. In side-by-side
migration, the source computer and the destination computer are two different
computers. In wipe and load migration, the target computer and the source computer
are the same. To perform wipe and load migration, you perform a clean installation of
Windows 7 on a computer that already has an operating system by running the
Windows 7 installation program and selecting Custom (advanced).

Question: Which type of installation should you use in the following scenarios?
Scenario 1: Your users have computers that are at least three years old and your
organization plans to deploy Windows 7 to many new computers.
Scenario 2: There are only a few users in your organization, their computers are mostly
new, but they have many applications installed and a lot of data stored in their
computers.
Answer: The answers may vary. Your selection of the type of installation may not be
decided by these factors alone. In general, it is recommended that you perform a
clean installation followed by a migration of user settings and data. You should not
select an upgrade unless it only involves a few users or computers. In Scenario 1, you
may want to purchase new hardware for your organization, perform a clean installation
of Windows 7 on it, and migrate the necessary user settings and data. In Scenario 2,
you may want to perform an in-place upgrade to Windows 7.


Lesson 2
Performing a Clean Installation of Windows 7

There are several ways to install Windows 7. The method you use may depend on
whether you are installing it on a new computer or on a computer that is running
another version of Windows. A clean installation is done when you install Windows 7
on a new partition or when you replace an existing operating system on a partition.

Discussion: Considerations for a Clean Installation



Question: When would you typically perform a clean installation of Windows?
Answer: The answer may vary, but in general you should consider the following
circumstances.

Clean installation considerations


You must perform a clean installation in the following circumstances:
• No operating system is installed on the computer.
• The installed operating system does not support an upgrade to Windows 7.
• The computer has more than one partition and needs to support a multiple-boot
configuration that uses Windows 7 and the current operating system.
A clean installation is the preferred installation method. Performing a clean installation
ensures that all of your systems begin with the same configuration and all applications,
files, and settings are reset.

Methods for Performing Clean Installation



You can perform a clean installation of Windows 7 by running setup.exe from the
CD/DVD or from a network share. You can also perform a clean installation by
deploying an image.

Running Windows 7 installation from CD/DVD


Installing from the product CD/DVD is the simplest way to install Windows 7. This is
done by performing the following steps:
1. Insert the Windows 7 CD/DVD.
2. If your computer does not currently have an operating system, start the computer
from the product CD/DVD. If your computer already has an operating system, you can
instead start the old operating system and run the Windows 7 installation program
from the product CD/DVD.
3. Complete the wizard.

Running Windows 7 installation from a Network Share


Instead of a CD/DVD, the Windows 7 installation files can be stored in a network
share. Generally, the network source is a shared folder on a file server. Perform the
following steps to install Windows 7 from a network share:
1. If your computer does not currently have an operating system, start the computer
by using Windows PE. You can start Windows PE from bootable media, such as a
CD/DVD or a USB flash drive, or from a network PXE boot by using Windows
Deployment Services (WDS). If your computer already has an operating system,
you can start the computer with the old operating system.

Note: Windows PE is a minimal 32-bit or 64-bit operating system with limited services,
built on the Windows 7 kernel. Windows PE is used to install and repair the Windows
operating system.

2. Connect to the network share that contains the Windows 7 files.
3. Run the Windows 7 installation program (setup.exe) from the network share.
4. Complete the wizard.

Installing Windows 7 by Using an Image


Perform the following steps to install Windows 7 by using an image:
1. Install Windows 7 on a reference computer and prepare it for duplication by running
Sysprep with the /generalize option, which removes computer-specific data such as the
security identifier (SID) and the computer name so that each deployed copy receives its
own.
2. Create a WIM image of the reference computer by using ImageX. Run ImageX from
Windows PE so that the reference computer's volume is captured offline rather than
while Windows is running. ImageX captures a volume image to a WIM file. WIM files
are not tied to a particular hardware configuration, and can be modified after
capture to add new drivers, patches, or applications.

3. Use one of the following tools to deploy the image:
• ImageX
• WDS
• Microsoft Deployment Toolkit (MDT)
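Step 2 notes that a captured WIM can be modified afterwards; the following PowerShell script is an added example, not from the course, of doing that with DISM, which ships in Windows 7 and in the Windows AIK. It lists every image in the WIM with its architecture (the check you want before pairing a WIM with a boot image), mounts one image, injects a folder of signed driver packages, commits the change, and records a SHA-256 of the result so a modified or corrupted image can be detected on the deployment share before it is applied. The WIM path, mount directory, driver folder and index are assumptions; run it elevated on the technician computer, not inside Windows PE.

```powershell
# Added example (not from the course): offline servicing of a captured WIM with DISM.
$Wim       = 'D:\Images\win7-reference.wim'   # assumed location of the captured image
$MountDir  = 'C:\Mount'                       # empty directory to mount the image into
$DriverDir = 'D:\Drivers\x64'                 # assumed folder tree of signed .inf driver packages
$Index     = 1                                # assumed image index to service

function Invoke-Dism([string[]]$Arguments) {
    $out = & dism.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dism $($Arguments -join ' ') failed ($LASTEXITCODE):`n$($out -join "`n")" }
    $out
}

# 1. Enumerate the images and their architectures. DISM prints "Architecture : x64" only when an
#    index is given, so query each index in turn.
$indexes = Invoke-Dism @('/Get-WimInfo', "/WimFile:$Wim") | ForEach-Object {
    if ($_ -match '^Index\s*:\s*(\d+)') { [int]$matches[1] }
}
foreach ($i in $indexes) {
    $detail = Invoke-Dism @('/Get-WimInfo', "/WimFile:$Wim", "/Index:$i")
    $name = $detail | ForEach-Object { if ($_ -match '^Name\s*:\s*(.*)$') { $matches[1] } } | Select-Object -First 1
    $arch = $detail | ForEach-Object { if ($_ -match '^Architecture\s*:\s*(\S+)') { $matches[1] } } | Select-Object -First 1
    Write-Host ("Index {0}: {1} ({2})" -f $i, $name, $arch)
}

# 2. Mount the image read/write, add the drivers recursively, then commit and unmount.
#    /ForceUnsigned is deliberately not used: an x64 image will refuse unsigned kernel drivers anyway.
if (-not (Test-Path $MountDir)) { New-Item -ItemType Directory -Path $MountDir | Out-Null }
Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", "/Index:$Index", "/MountDir:$MountDir") | Out-Null
try {
    Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$DriverDir", '/Recurse') | Out-Null
    # Show what is now staged in the image's driver store.
    Invoke-Dism @("/Image:$MountDir", '/Get-Drivers') | Where-Object { $_ -match '^(Published Name|Original File Name)' }
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Commit') | Out-Null
} catch {
    # Throw the changes away so the WIM is never left half-serviced.
    Invoke-Dism @('/Unmount-Wim', "/MountDir:$MountDir", '/Discard') | Out-Null
    throw
}

# 3. Record a SHA-256 of the serviced image next to it. (Get-FileHash does not exist in PowerShell 2.0.)
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($Wim)
try { $hash = [System.BitConverter]::ToString($sha.ComputeHash($stream)).Replace('-', '') }
finally { $stream.Close() }
"$hash  $(Split-Path $Wim -Leaf)" | Set-Content -Path "$Wim.sha256"
Write-Host "SHA-256: $hash"
```

Re-run step 3 on the copy that lands on the WDS or MDT share and compare the two hashes; a mismatch means the image was altered or damaged in transit and must not be deployed. Keep the mount directory on a local NTFS volume, since DISM cannot mount to a network path.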

Note: For more information about deploying Windows 7, read "Step-by-Step: Basic
Windows Deployment for IT Professionals" on the Microsoft TechNet Web site.

Question: In what situation would you use each method of performing a clean
installation of Windows operating system?
Answer: Running Windows installation from the product CD/DVD is the most
straightforward. Generally this method is used in a home or small business
environment, or to install a reference computer. You can place the installation files in a
network share, so that you can run the Windows installation from the network to
computers that do not have a CD/DVD drive. Having the Windows installation in a
network share also saves you the trouble of keeping the installation media. If you are
installing Windows in a large organization and want to standardize the environment,
you should install Windows by using an image.

Discussion: Common Installation Errors



The installation of Windows 7 is robust, and should be trouble free if your hardware
meets the minimum requirements. However, a variety of problems can occur during an
installation, and a methodical approach helps solve them.

Four-Step Approach
You can use the following four-step approach in any troubleshooting environment:
1. Determine what has changed
2. Eliminate the possible causes to determine the probable cause
3. Identify a solution
4. Test the solution
If the problem persists, go back to step three and repeat the process

Question: What potential issues might you encounter when installing Windows?

Answer: The answer may vary. The following table describes several installation
problems and solutions that can be used to identify and solve specific problems.

Problem                                   Solution
Installation media is damaged.            Test the CD or DVD on another system.
BIOS upgrade is needed.                   Check your computer supplier's Internet site to see whether a
                                          basic input/output system (BIOS) upgrade is available for
                                          Windows 7.
Hardware is installed improperly.         Check any messages that appear during the boot phase. Install
                                          add-on hardware properly, such as video cards and memory
                                          modules.
Hardware fails to meet minimum            Use Windows Catalog to locate products designed for Microsoft
requirements.                             Windows and ensure that your hardware meets the minimum
                                          requirements for the edition of Windows 7 that you want to
                                          install.
Error messages appear during setup.       Carefully note any messages, and search the Microsoft Knowledge
                                          Base for an explanation.

Demonstration: Configuring the Computer Name and Domain/Workgroup Settings

You typically configure the computer name and domain/workgroup settings after
installing Windows.
In this demonstration, you will see how to configure domain and workgroup settings.

Configure the Computer Name and Domain/Workgroup Settings

1. Log on to the LON-CL1 virtual machine as CONTOSO\Administrator with the
password Pa$$w0rd.
2. Click Start, and then click Control Panel.
3. Click System and Security, and then click System.
4. In the Computer name, domain, and workgroup settings area, click Change
settings.
5. In the System Properties window, click Change. Note that the Network ID button
performs the same task with a wizard.
6. In the Computer Name/Domain Changes window, click Workgroup and type
WORKGROUP. This is the name of the workgroup to be joined.
7. Click OK.
8. Click OK to acknowledge the warning.
9. Click OK to close the welcome message.
10. Click OK to close the message about restarting.
11. In the System Properties window, click Change again.
12. In the Computer Name/Domain Changes window, click Domain and type
Contoso.com. This is the name of the domain to be joined.
13. Click More. The Primary DNS suffix of this computer box lets you give the computer
a DNS suffix other than the Active Directory® domain that it joins, so that it searches
other DNS domains. The NetBIOS computer name shown here is kept for backward
compatibility with older applications.
14. Click Cancel.
15. In the Computer Name/Domain Changes window, click OK.
16. When prompted, in the Windows Security box, type Administrator with the
password Pa$$w0rd.
17. Click OK three times, and then click Close.
18. Click Restart Now.
19. After the system restarts, log on as Contoso\Administrator with the password
Pa$$w0rd.
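The same domain join can be done from PowerShell 2.0, which is what you would script for more than a handful of computers. The following script is an added example, not part of the demonstration. The domain, OU path and join account are assumptions; the password is prompted for rather than stored in the script, and the join account should be a delegated account that is allowed to create computer objects in the target OU, not the domain Administrator account the lab uses. Run it elevated on the client.

```powershell
# Added example (not from the course): join a Windows 7 client to a domain from PowerShell 2.0 and verify it.
param([switch]$RestartNow)

$Domain      = 'contoso.com'                          # assumed Active Directory domain
$OUPath      = 'OU=Workstations,DC=contoso,DC=com'    # assumed OU; omit -OUPath to use the Computers container
$JoinAccount = 'CONTOSO\svc-domainjoin'               # assumed delegated join account

# Pre-check: the client must resolve the domain through the Active Directory DNS servers; if it
# cannot, the join fails before any credentials are even tried.
try {
    $dcIps = [System.Net.Dns]::GetHostAddresses($Domain) | ForEach-Object { $_.IPAddressToString }
} catch {
    throw "Cannot resolve $Domain from this client. Point it at the Active Directory DNS server first."
}
Write-Host ("{0} resolves to {1}" -f $Domain, ($dcIps -join ', '))

$cred = Get-Credential -Credential $JoinAccount       # prompts for the password; nothing is stored on disk

# Join the domain and place the computer object in the OU where Group Policy and delegation expect it.
# (Add-Computer has no -NewName before PowerShell 3.0; rename and restart first if the name must change.)
Add-Computer -DomainName $Domain -OUPath $OUPath -Credential $cred -ErrorAction Stop

# The join sets the primary DNS suffix to the domain name. 'NV Domain' is the value that takes effect
# after the restart; 'Domain' is the value currently in use. These are also the values you would set
# if the computer needed a primary DNS suffix different from its Active Directory domain.
$tcpip = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
Write-Host ("Primary DNS suffix: now '{0}', after restart '{1}'" -f $tcpip.Domain, $tcpip.'NV Domain')

# After the restart, call this to prove the machine account's secure channel works, repairing it if not.
function Test-DomainTrust {
    if (Test-ComputerSecureChannel) {
        Write-Host "Secure channel to $Domain is healthy."
    } else {
        Write-Warning 'Secure channel is broken; attempting a repair with the join credential.'
        Test-ComputerSecureChannel -Repair -Credential (Get-Credential -Credential $JoinAccount)
    }
}

if ($RestartNow) { Restart-Computer -Force }
else { Write-Host 'Restart the computer to complete the join, then run Test-DomainTrust.' }
```

The DNS pre-check matters more than it looks: most "domain not found" join failures are a client pointed at an ISP or router DNS server rather than the domain's DNS, and the error text from the join itself rarely says so.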

Question: When would you configure the primary DNS suffix to be different from the
Active Directory domain?
Answer: In most cases, you will not configure the primary DNS suffix to be different
from the Active Directory domain. This is typically done in large organizations with a
complex DNS structure that is independent of the Active Directory DNS structure. An
example of why you would configure a different primary DNS suffix is to support
applications that need to search in an alternate DNS domain.

Lesson 3
Upgrading and Migrating to Windows 7



When you perform a clean installation of Windows 7, the installation process does not
transfer user settings from the legacy operating system. If you need to retain user
settings, consider performing an upgrade or a migration to Windows 7 instead.
Depending on the version of your current operating system, you may not be able to
upgrade directly to Windows 7. You can install Windows Upgrade Advisor to provide
upgrade guidance for Windows 7. If your current operating system does not support
direct upgrade to Windows 7, consider performing a clean installation and migrating
user settings and data by using migration tools.

Considerations for Upgrading and Migrating to Windows 7



Not all operating systems can be upgraded or migrated to Windows 7. While several
operating systems support in-place upgrades, others only support migration of user
settings and data after you perform a clean installation of Windows 7.

Upgrade Considerations
Perform an in-place upgrade when you want to keep the installed applications without
reinstalling them. In addition, consider performing an upgrade when:
• You do not have storage space to store the user state.
• You are not replacing the existing computer hardware.
• You plan to deploy Windows on only a few computers.

Note: If you run setup.exe from the current operating system and an upgrade is not
possible, the Windows 7 installation program displays an error message. If you run
setup.exe from Windows PE or start the computer from the installation media, the
Upgrade option is disabled during the installation process, because an upgrade must be
started from within the operating system that is being upgraded.

Migration Considerations
You should perform a migration when:
• You want a standardized environment for all users running Windows. A migration
takes advantage of a clean installation, which ensures that all of your systems begin
with the same configuration and that all applications, files, and settings are reset,
while the migration retains user settings and data.
• You have storage space to store the user state. Typically, you need storage space
for the user state when performing a migration. User State Migration Tool (USMT)
4.0 introduces hard-link migration, which records links to the existing files on the
same volume instead of copying them, so no extra storage space is needed. This
applies only to wipe and load migration.
• You plan to replace existing computer hardware. If you do not plan to replace the
existing computers, you can still perform a migration by doing a wipe and load
migration.
• You plan to deploy Windows to many computers.
An upgrade scenario is suitable in small organizations or in the home environment,
while in large enterprises when significant numbers of computers are involved, clean
installation followed by migration is the recommended solution. The most common
method of deploying Windows 7 in large enterprises is by performing a clean
installation by using images, followed by migrating user settings and data.
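The wipe and load migration with a hard-link store reads as three commands once the flags are known. The following PowerShell script is an added example, not from the course, that wraps USMT 4.0's scanstate, loadstate and usmtutils for that scenario: run the Capture phase on the old operating system, perform the clean installation with Custom (advanced) without formatting the partition (so the old installation moves to Windows.old and the store stays in place), then run the Restore phase on the new Windows 7 installation, and Cleanup once the users have confirmed their data. The USMT path, store folder and the user-selection switches are assumptions; MigApp.xml and MigDocs.xml ship with USMT 4.0.

```powershell
# Added example (not from the course): USMT 4.0 wipe-and-load migration using a hard-link store.
param([Parameter(Mandatory=$true)][ValidateSet('Capture','Restore','Cleanup')][string]$Phase)

$Usmt  = 'C:\Program Files\Windows AIK\Tools\USMT\x86'   # assumed; use ...\amd64 when the running OS is 64-bit
$Store = 'C:\MigStore'                                   # must be on the volume being migrated for hard links to work
$Xml   = @("/i:$Usmt\MigApp.xml", "/i:$Usmt\MigDocs.xml")

function Invoke-Usmt([string]$Tool, [string[]]$Arguments) {
    & (Join-Path $Usmt $Tool) @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE; see the log in $Store" }
}

switch ($Phase) {
    'Capture' {
        # /hardlink records links to the files instead of copying them, so no extra storage is needed;
        # /nocompress is mandatory with /hardlink. /efs:hardlink keeps EFS-encrypted files without needing
        # the keys. /uel:30 skips profiles not used in 30 days; /ue excludes a local account that should not
        # follow the user. /o overwrites an old store and /c continues past non-fatal errors.
        Invoke-Usmt 'scanstate.exe' (@($Store, '/o', '/c', '/hardlink', '/nocompress', '/efs:hardlink',
                                       '/uel:30', '/ue:*\TempUser', "/l:$Store\scan.log", '/v:5') + $Xml)
    }
    'Restore' {
        # Same store, same switches. /lac creates local accounts found in the store and /lae enables them;
        # review both against your account policy before using them outside a lab.
        Invoke-Usmt 'loadstate.exe' (@($Store, '/c', '/hardlink', '/nocompress',
                                       "/l:$Store\load.log", '/v:5', '/lac', '/lae') + $Xml)
    }
    'Cleanup' {
        # A hard-link store cannot simply be deleted with rmdir; usmtutils /rd removes the links and the folder.
        Invoke-Usmt 'usmtutils.exe' @('/rd', $Store)
    }
}
```

For a side-by-side migration the same two commands are used without /hardlink and /nocompress, and the store sits on a file share; in that case add /encrypt /key: to scanstate (and /decrypt /key: to loadstate), because the store then holds every user's documents in a location other administrators can read.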

Question: You are deploying Windows 7 throughout your organization. Given the
following scenarios, which would you choose, upgrade or migration?
Scenario 1: Your organization has a standardized environment. You have several
servers dedicated as storage space, and the computers in your organization are no more
than two years old.
Scenario 2: Your organization has a standardized environment. You have several
servers dedicated as storage space and plan to replace existing computers, which are
more than three years old.
Scenario 3: You do not have extra storage space and the computers in your
organization are less than two years old. In addition, there are only five users in your
organization and you do not want to reinstall existing applications to your user
computers.
Answer:
Scenario 1: You should perform a wipe and load migration. To achieve a standardized
environment, you must perform a clean installation, followed by a migration. In this
scenario, you have storage space, but you do not plan to replace the existing hardware.
Scenario 2: You should perform a side-by-side migration. To achieve a standardized
environment, you must perform a clean installation, followed by a migration. In this
scenario, you have storage space, and you plan to replace the existing hardware.
Scenario 3: You should perform an in-place upgrade. In this scenario, you do not have
the storage space required for a migration. Also, a migration would require you to
reinstall all existing applications.

Identifying the Valid Upgrade Paths



Supported Windows Versions
The following table identifies the Windows operating systems that you can upgrade
directly to, or migrate to, Windows 7:

Windows version                   Supported scenario       Remarks
Earlier than Windows XP®          Clean installation       Windows versions earlier than Windows XP do not
                                                           support in-place upgrade or migration to Windows 7.
Windows XP; Windows Vista         Migration                Windows XP and Windows Vista without a service pack
(without any service pack)                                 do not support in-place upgrade to Windows 7. You can
                                                           use Windows Easy Transfer (WET) or the User State
                                                           Migration Tool (USMT) to migrate the user state from
                                                           these versions of Windows to any edition of Windows 7
                                                           except the Starter edition.
Windows Vista SP1, SP2            In-place upgrade         Windows Vista with Service Pack 1 or later is required
                                                           for an in-place upgrade to Windows 7. There are
                                                           limitations on which edition you can upgrade from and
                                                           to.
Windows 7                         Windows Anytime Upgrade  Windows 7 supports upgrades to higher editions with
                                                           Windows Anytime Upgrade. There are limitations on
                                                           which edition you can upgrade from and to.

Note: Windows Anytime Upgrade (WAU) provides a way to move to a more powerful
edition of Windows 7. WAU pack includes DVD media, the Windows product key, and
upgrade instructions.

Unsupported Windows Versions


Earlier versions of Windows lack the architectural similarity to Windows 7 that
Windows Vista has. Consequently, there is no in-place upgrade to Windows 7 from any
operating system earlier than Windows Vista with Service Pack 1, and no tool-supported
migration from anything earlier than Windows XP.
You cannot directly upgrade to Windows 7 from an operating system earlier than
Windows Vista with Service Pack 1. Instead, perform a clean installation of Windows 7
on the computer that is running the earlier version of Windows, and then migrate the
user-related settings and user data. If the current operating system is earlier than
Windows XP, such as Windows 2000 or Windows 98, you must migrate the user-related
settings and data manually, because neither USMT nor WET supports these earlier
versions of Windows.
Also be aware that computers running these earlier versions of Windows may not meet
the minimum Windows 7 hardware requirements.

Note: There are limitations on the editions of Windows that you can upgrade from and
to. For example, you can upgrade Windows Vista Home Basic with Service Pack 1 to
Windows 7 Home Basic, Windows 7 Home Premium, or Windows 7 Ultimate, but not to
Windows 7 Professional or Windows 7 Enterprise.

Upgrade Limitations
An in-place upgrade does not support a change of architecture. This means that you
cannot upgrade from 32-bit to 64-bit or vice versa, even if your hardware supports both
architectures; you can only upgrade to the same architecture.
An in-place upgrade does not support a change of language. This means that you cannot
upgrade, for example, from an EN-US version of Windows to a DE-DE version of Windows.

In both cases, you must perform a clean installation followed by a migration of user
settings and data.

Options for Upgrading Between Editions of Windows 7


You can perform an upgrade between two editions of Windows 7 by purchasing
Windows Anytime Upgrade. The Windows Anytime Upgrade Pack contains the
product key, a Windows Anytime Upgrade DVD, and upgrade instructions.
To initiate the upgrade process, insert your Windows Anytime Upgrade DVD. The
target edition of Windows 7 is included on the Windows Anytime Upgrade DVD. The
product key included with your Windows Anytime Upgrade Pack determines the
edition of Windows 7 that you can install.
Before you start the upgrade, save all open files and close all open programs. The
upgrade setup program will reboot your computer several times, so any unsaved work
will be lost. The upgrade preserves your settings, applications, and files.
The following table identifies the upgrade options between editions of Windows 7.

From \ To       Starter   Home Basic   Home Premium   Professional   Enterprise   Ultimate
Starter         NA        X            WAU            WAU            X            WAU
Home Basic      X         NA           WAU            WAU            X            WAU
Home Premium    X         X            NA             WAU            X            WAU
Professional    X         X            X              NA             X            WAU
Enterprise      X         X            X              X              NA           X
Ultimate        X         X            X              X              X            NA
Legend:
• X = In-place upgrade is not supported.
• NA = Not applicable.
• WAU = Windows Anytime Upgrade is supported.

Determining the Feasibility of an Upgrade by Using Windows Upgrade Advisor


Windows Upgrade Advisor is a downloadable application that you can use to identify
which edition of Windows 7 meets your needs, whether your computers are ready for
an upgrade to Windows 7, and which features of Windows 7 will run on your
computers. The result is a report that provides upgrade guidance for Windows 7 and
suggestions about what, if any, hardware updates are necessary to install and run the
appropriate edition and features of Windows 7.
You can download and install Windows Upgrade Advisor from the Microsoft website.
The tool scans your computer and creates an easy-to-understand report of all known
system, device, and program compatibility issues, recommends ways to resolve them,
and helps you select the edition of Windows 7 that best fits your needs.
To install and run the Windows Upgrade Advisor, you need the following:
• Administrator privileges
• .NET Framework 2.0
• MSXML 6
• 20 MB of free hard disk space
• An Internet connection

Windows Upgrade Advisor is an ideal tool if you only have a few computers. For an
enterprise deployment, consider the Application Compatibility Toolkit and the
Microsoft Assessment and Planning Toolkit to assess your organization's readiness for
Windows 7.
The Microsoft Assessment and Planning (MAP) Toolkit is an agent-less toolkit that
finds computers on a network and performs a detailed inventory of the computers using
Windows Management Instrumentation (WMI), the Remote Registry Service, or the
Simple Network Management Protocol (SNMP). The data and analysis provided by
this toolkit can significantly simplify the planning process for migrating to Windows 7,
Microsoft® Office® 2007, and several other Microsoft products and technologies.
Assessments for Windows 7 also include device driver availability and
recommendations for hardware upgrades that may be required.

Process for Upgrading to Windows 7

BETA COURSEWARE EXPIRES 11/15/2009


An in-place upgrade replaces the operating system on your computer while retaining all
programs, program settings, user-related settings, and user data. Performing an in-place
upgrade from Windows Vista with Service Pack 1 is the easiest way to upgrade to
Windows 7. The process for upgrading to Windows 7 is described in the following
steps.

Evaluate
Before starting the upgrade, you must evaluate whether your computer meets the
requirements needed to run Windows 7. You can use the Windows Upgrade Advisor to
perform this evaluation. However, if you have many computers that you want to
upgrade, it may not be practical to run the Windows Upgrade Advisor on each one. In
this case, ensure that each computer meets at least the minimum hardware requirements
to run Windows 7, or consider using the Application Compatibility Toolkit (ACT) and
Microsoft Assessment and Planning (MAP) to assess your organization's readiness.
You must also determine whether any installed application programs will have
compatibility problems running on Windows 7. Microsoft provides two tools to help
determine and resolve application compatibility issues:

• ACT: this is a set of tools to analyze and determine whether your existing
application will work with Windows 7. You can use the Application Compatibility
Manager, which is part of the ACT, to perform an inventory of all installed
applications on your networked computers, and to assist in the process of fixing
programs so that they will work correctly with Windows 7.
• Standard User Analyzer Tool: this tool is installed together with ACT. You can
use this tool to launch a program that has potential compatibility issues, and
perform some typical tasks using the suspect program. The Standard User
Analyzer Tool produces a report that enables you to pinpoint compatibility issues.

Backup
To protect against data loss during the upgrade process, back up any data and personal
settings before starting the upgrade. You can back up data to any appropriate media,
such as tape, removable storage, writable CD or DVD disc media, or a network shared
folder.

Upgrade
After evaluating your computer requirements and backing up your data and personal
settings, you are ready to perform the actual upgrade. To perform the upgrade, run the
Windows 7 installation program (setup.exe) from the product CD/DVD or a network
share.
If your computer supports an in-place upgrade to Windows 7, you can select Upgrade
during the installation process. The installation program prevents you from selecting
the upgrade option if an in-place upgrade is not possible. This might occur for several
reasons: for example, your computer may lack sufficient disk space to perform the
upgrade, or the version of Windows that you are running may not support a direct
upgrade to the edition of Windows 7 selected. If that is the case, stop the upgrade
process and resolve the indicated problem before attempting the upgrade again.

Note: It is recommended that you disable antivirus programs before attempting an
upgrade.

Verify
When the upgrade completes, log on to your computer and verify that all of the
applications and hardware devices function correctly. If the Windows Upgrade Advisor
made any recommendations relating to program compatibility or devices, follow those
recommendations to complete the upgrade process. For example, if the Windows
Upgrade Advisor detected a compatibility issue with your antivirus software, contact
the software vendor to obtain a version that is compatible with Windows 7.

Update
Finally, determine whether there are any relevant updates to the Windows 7 operating
system and apply them to your computer. It is important to keep the operating system
up-to-date to protect against security threats. You can also check for updates during the
upgrade process. Dynamic Update is a feature of Windows 7 Setup that works with
Windows Update to download any critical fixes and drivers that the setup process
requires.

Tools for Migrating User Data and Settings

Before performing an upgrade, migration, or clean installation of Windows 7, back up
important computer configuration settings and user data. You can use the Windows
Backup Utility to perform the necessary backup. If you intend to perform an in-place
upgrade, this backup helps safeguard against an unrecoverable problem occurring
during the upgrade. If the upgrade fails and you cannot start the computer, then you
must reinstall the old operating system or perform a clean installation of Windows 7. If
you have to reinstall the old operating system, you can use the backup to restore all of
the computer’s configuration settings, application settings, and user data.
If you choose to do a clean installation followed by migration to Windows 7, you must
back up user-related settings, application settings, and user data that you will restore
after the Windows 7 installation.

Identifying Which Components to Migrate


When planning your migration, it is important to identify which components you need
to migrate to the new operating system platform. These components may include:
• User accounts: computer workstations may have settings related to both domain
and local user accounts. You must determine if local user accounts must
be migrated. Your consideration must also include whether the account should be
enabled on the destination computer and how you will deal with password
requirements.
• Application settings: you must determine and locate the application settings that
you want to migrate. This information can be acquired when you are testing the
new applications for compatibility with the new operating system. Considerations
include whether the destination version of the application is newer than the source
version and where the specific application settings are stored. Settings may be
stored in the registry, .ini files, or a text or binary file. To determine the location of
a setting, begin by reviewing the vendor’s documentation or Web site. Migration
does not include migrating the actual application itself.
• Operating system settings: when planning for your migration, you need to
identify which operating system settings to migrate and to what extent you want to
create a new standard environment on each of the computers. Operating system
settings may include appearance, mouse actions (for example, single-click or
double-click) and keyboard settings, Internet settings, E-mail account settings,
dial-up connections, accessibility settings and fonts.
• File types, files, folders, and settings: when planning your migration, identify the
file types, files, folders, and settings to migrate. For example, you need to
determine and locate the standard file locations on each computer, such as the My
Documents folder and company-specified locations. You also must determine and
locate the nonstandard file locations. For nonstandard locations, consider the
following:
  • File types: consider which file types must be included and excluded in the
  migration.
  • Excluded locations: consider the locations on the computer that should be
  excluded from the migration (for example, %windir% and the Program Files
  folder).
  • New locations: decide where to migrate files on the destination computer (for
  example, the Documents folder, a designated folder, or the original location).

Tools for Migration


You can use the following tools to perform migration.

Tool: Windows Easy Transfer (WET)
Description: Use WET to perform a side-by-side migration for a single computer, or a
small number of computers. WET supports data transfer to the destination computer by
using the network, WET cable, removable media, or a writable CD or DVD.

Tool: User State Migration Tool (USMT)
Description: Use USMT to perform a side-by-side migration for many computers and
to automate the process as much as possible, or to perform a wipe-and-load migration
on the same computer. USMT uses a two-stage process to migrate files and settings. In
the first stage, USMT captures files and settings to appropriate media, such as a
network shared folder. During the second stage, USMT restores the files and settings to
the destination computer.

Question: How do you migrate applications to Windows 7?


Answer: You can migrate application settings but not the application itself. You have
to re-install your application before restoring the application settings in your
destination computer.

Process for Migrating to Windows 7

If you cannot, or prefer not to, perform an in-place upgrade, you can perform a clean
installation of Windows 7 and then migrate the user-related settings. The process for
migrating to Windows 7 is described in the following steps.

Backup
Before installing the new operating system, you must back up all user-related settings
and program settings. You can use either WET or USMT to assist with this process.
You should also consider backing up your user data. Although the installation program
will not destroy user data, it is good practice to back up your data to protect against
accidental loss or damage during installation.

Install Windows 7
Run the Windows 7 installation program (setup.exe) from the product CD/DVD or a
network share and perform a clean installation by selecting Custom (advanced)
during the installation process, and then following the on-screen instructions to
complete the installation.

Update
If you chose not to check for updates during the installation process, it is important to
do so after verifying the installation. Keep your computer secure by keeping up with
the current patches and updates.

Install Applications
Performing an upgrade using a clean installation and migration process does not
migrate the installed applications. When you have completed the Windows 7
installation, you must reinstall all applications. Windows 7 may block the installation
of any incompatible programs. To install any of these programs, contact the software
vendor for an updated version of that program that is compatible with Windows 7.

Restore
After installing your application, use WET or USMT to migrate your application
settings and user-related settings to complete the migration process.

Migrating User Settings and Data by Using WET

Windows Easy Transfer (WET) is the recommended tool for scenarios in which you
have a small number of computers to migrate. You can decide what to transfer and
select the transfer method to use. You can use WET to transfer the following files and
settings:
• Files and folders
• E-mail settings
• Contacts and messages
• Program settings
• User accounts and settings
• Internet settings and favorites
• Music
• Pictures and videos

However, you cannot use WET to move program files. WET can only move data and
program settings. To transfer the settings of a program to Windows 7, you must install
the program on the Windows 7 computer before you run WET.

Note: Windows Easy Transfer does not transfer any system files such as fonts and
drivers. To do this, install custom fonts and updated drivers in Windows 7.

If your source computer is running Windows Vista or later, you can find WET in the
System Tools program group folder. If your computer is running Windows XP, you
need to obtain WET first. WET can be obtained from a Windows 7 product CD/DVD
or from any computer running Windows 7.
If your source computer already has WET, you can skip the following procedure of
preparing for the migration on the destination computer.

Prepare for the migration on the destination computer


To start Windows Easy Transfer on the destination computer, perform the following
steps:
1. Close all active programs.
2. Click Start, All Programs, Accessories, System Tools, and then Windows Easy
Transfer. The Windows Easy Transfer window opens.
3. Click Next.
4. Select the method you want to use to transfer files and settings from your source
computer.
5. Click This is my new computer.
6. Click I need to install it now.
7. Select the destination media where you want to store the Windows Easy Transfer
wizard files. You can store the wizard files on an external hard drive or network
drive, or you can store them on a USB flash drive. A Browse to Folder window
opens.
8. Type the path and folder name where you want to store the Windows Easy
Transfer wizard files, and then click Next.
You must now start your source computer to install Windows Easy Transfer.

Migrate Files and Settings from the Source Computer to the Destination
Computer
If you use WET, you can select one of the following transfer methods to transfer files
and settings from a qualified operating system to Windows 7:
• Use an Easy Transfer Cable, which is a special USB cable designed to work with
Windows Easy Transfer by creating a direct link between the source computer and
the destination computer. Using one of these cables is the easiest and fastest
method for transfer and recommended if you do not have access to a network. You
cannot use a regular USB cable to transfer files and settings using Windows Easy
Transfer.
• Establish a network connection between the source computer and the destination
computer.
• Use removable media such as a USB flash drive or an external hard disk. You can
connect either of these to the source computer and to the destination computer.

Method 1: Transfer files and settings using a WET cable


1. Connect the two computers with the Windows Easy Transfer cable, and install the
drivers for that cable.
2. Start Windows Easy Transfer on the computer from which you want to migrate
settings and files by browsing to the removable media or network drive containing
the wizard files, and then double-clicking migsetup.exe. The program may also
start automatically when you insert the removable media.

Note: If your computer already has WET, you can run it from the System Tools
program group folder.

Method 2: Transfer files and settings using a network


1. Start Windows Easy Transfer on the computer from which you want to migrate
settings and files by browsing to the removable media or network drive containing
the wizard files, and then double-clicking migsetup.exe. The program may also
start automatically when you insert the removable media.

Note: If your computer already has WET, you can run it from the System Tools
program group folder.

2. Click Next.

3. Click A network.

Note: Both computers must support the transfer method you choose. For example, both
computers must be connected to the same network.

4. Click This is my old computer. WET creates a Windows Easy Transfer key. This
key is used to link the source and destination computer.
5. Follow the steps to enter the Windows Easy Transfer key on your destination
computer to allow the network connection.
6. On your destination computer, after entering the Windows Easy Transfer key,
click Next. A connection is established and Windows Easy Transfer checks for
updates and compatibility.
7. Click Transfer to transfer all files and settings. You can also determine which
files should be migrated by selecting only the user profiles you want to transfer, or
by clicking Customize.
8. Click Close after Windows Easy Transfer has completed the migration of files and
settings to the destination computer.

Method 3: Transfer files and settings using removable media or a network share

First, copy files from the source computer.
1. Start Windows Easy Transfer on the computer from which you want to migrate
settings and files by browsing to the removable media or network drive containing
the wizard files, and then double-clicking migsetup.exe.

Note: Both computers must support the transfer method you choose. For example, both
computers must be connected to the same network.

2. Click Next.
3. Click An external hard disk or USB flash drive.

Note: Both computers must support the transfer method you choose. For example, both
computers must support the same type of removable media.

4. Click This is my old computer. Windows Easy Transfer scans the computer.

5. Click Next. You can also determine which files should be migrated by selecting
only the user profiles you want to transfer, or by clicking Customize.
6. Enter a password to protect your Easy Transfer file, or leave the box blank, and
then click Save.
7. Browse to the location on the network or the removable media where you want to
save your Easy Transfer file, and then click Save.
8. Click Next. Windows Easy Transfer displays the file name and location of the
Easy Transfer file you just created.
Then, copy files to the destination computer.
1. Connect the removable media to the destination computer.
2. Start Windows Easy Transfer, and then click Next.
3. Click An external hard disk or USB flash drive.
4. Click This is my new computer.
5. Click Yes, open the file.
6. Browse to the location where the Easy Transfer file was saved. Click the file
name, and then click Open.
7. Click Transfer to transfer all files and settings. You can also determine which
files should be migrated by selecting only the user profiles you want to transfer, or
by clicking Customize.
8. Click Close after Windows Easy Transfer has completed moving your files.

Lesson 4
Performing Image-based Installation of Windows 7

Many medium to large-sized organizations use an image-based deployment model to
deploy desktop operating systems. After installing and configuring a reference
computer, most imaging solutions capture an image based on a sector-by-sector copy
of the reference computer. This technology, although effective in some situations, has a
number of disadvantages to the overall efficiency of your imaging system.
The Windows 7 setup process relies upon an image-based installation architecture. This
architecture consists of deployment tools and technologies to assist with customizing
and deploying Windows 7 throughout the organization. Using these tools,
organizations can configure an effective computer imaging and deployment
methodology that will ensure a secure and standardized Microsoft Windows desktop
environment.

What is Windows Imaging File Format?

The Windows Imaging (WIM) file is a file-based disk image format that was
introduced in Windows Vista. WIM files are compressed packages that contain a
number of related files. WIM addresses many challenges experienced with other
imaging formats. All Windows 7 installations use this image file. When installing
Windows 7, you are applying an image to the hard disk. This is done at a file level
instead of at a hard disk sector level.

Benefits of WIM
WIM provides several benefits over other imaging formats, such as the following:
• A single WIM file can address many different hardware configurations. WIM does
not require that the destination hardware match the source hardware, so you need
only one image to address many different hardware configurations.
• WIM can store multiple images within a single file. For example, you can store
images with and without core applications in a single image file.
• WIM enables compression and single instancing, which reduces the size of image
files significantly. Single instancing is a technique that allows multiple images to
share a single copy of files that are common between the instances.

• WIM enables you to service an image offline. You can add or remove certain
operating system components, files, updates, and drivers without creating a new
image. For example, to add an update to a Microsoft Windows XP image, you
must boot the master image, add the update, and then prepare the image again.
With Windows 7, you can simply mount the image file and then slipstream the
update into the image file without having to boot or recapture the master image.
• WIM enables you to install a disk image on partitions of any size, unlike sector-
based image formats that require you to deploy a disk image to a partition that is
the same size or larger than the source disk.
• Windows 7 provides an API for the WIM image format called WIMGAPI that
developers can use to work with WIM image files.
• WIM allows for nondestructive application of images. This means that you can
leave data on the volume to which you apply the image because the application of
the image does not erase the disk’s existing contents.
• WIM provides the ability to start Windows Preinstallation Environment (Windows
PE) from a WIM file. The Windows 7 setup process uses Windows PE. The
Windows PE image is started from a WIM file. The WIM file is actually never
expanded but is loaded into a random access memory (RAM) disk and run directly
from memory.

Windows 7 Imaging Components


Deploying a Windows 7 image is based upon four major components. These
components include:
• The WIM format: the imaging format used for the creation and management of
images.
• Tools to create and manage the WIM: Windows 7 uses a tool called ImageX to
provide most of the functions needed to create and manage a WIM file.
• Imaging application programming interface (API): Windows 7 uses an API
called WIMGAPI that provides the layer to programmatically access and
manipulate WIM files. The API provides the ability for tools to access various
functions, such as:
  • Add, update, and remove file data.
  • Add, update, and remove image data.
  • Extract image data.
  • Mount an image by using the WIM file system filter.
  • Span images.
  • Provide messaging status and progress.
ImageX is an implementation of the Imaging API.
• Enabling technologies: this includes the Windows Imaging File System (WIM
FS) Filter and the WIM boot filter. The file system filter enables the ability to
mount and browse the WIM as a file system. The WIM boot filter enables booting
a Windows Preinstallation Environment (Windows PE) image within a WIM file.

Tools for Performing Image-based Installation

There are several tools and technologies that you can use to perform image-based
installation of Windows. You must be aware of these tools and where to use them in
deployment situations.
• Windows Setup (setup.exe): this is the program that installs the Windows
operating system or upgrades previous versions of the Windows operating system.
Windows Setup supports both interactive installations and unattended installations.
• Answer File: this is an XML file that stores the answers for a series of graphical
user interface (GUI) dialog boxes. The answer file for Windows Setup is
commonly called Unattend.xml. You can create and modify this answer file by
using Windows System Image Manager (Windows SIM). The Oobe.xml answer
file is used to customize Windows Welcome, which starts after Windows Setup
and during the first system startup.
• Catalog: this binary file (.clg) contains the state of the settings and packages in a
Windows image. There must be a catalog for each Windows 7 version that the
image contains.

• Windows Automated Installation Kit (Windows AIK): this is a collection of
tools and documentation that you can use to automate the deployment of Windows
operating systems. The core tools used in most Windows deployment scenarios
include the following:
  • Windows System Image Manager (Windows SIM): this tool enables you to
  create unattended installation answer files and distribution shares, or modify
  the files contained in a configuration set.
  • Windows Preinstallation Environment (Windows PE): this is a minimal 32
  or 64-bit operating system with limited services, built on the Windows 7
  kernel. Use Windows PE in Windows installation and deployment. Windows
  PE provides read and write access to Windows file systems, and supports a
  range of hardware drivers, including network connectivity, which makes it
  useful for troubleshooting and system recovery. You can run Windows PE
  from the CD/DVD, USB flash drive, or a network using Pre-Boot eXecution
  Environment (PXE). Windows AIK includes several tools used to build and
  configure Windows PE.
  • ImageX: this command-line tool captures, modifies, and applies installation
  images for deployment.
  • User State Migration Tool (USMT): this tool is used to migrate user settings
  from a previous Windows operating system to Windows 7.
• Deployment Image Servicing and Management (DISM): this tool is used to
service and manage Windows images. It can be used to apply updates, drivers and
language packs to a Windows image, offline or online. DISM is available in all
installations of Windows 7 and Windows Server 2008 R2.
• System Preparation (Sysprep): Sysprep prepares a Windows image for disk
imaging, system testing, or delivery to a customer. Sysprep can be used to remove
any system-specific data from a Windows image, such as the security identifier
(SID). After removing unique system information from an image, you can capture
that Windows image and use it for deployment on multiple systems. Sysprep is
also used to configure the Windows operating system to start Windows Welcome
the next time the system is started. Sysprep is available in all installations of
Windows.
• Diskpart: this is a command-line tool for hard disk configuration.
• Windows Deployment Services (WDS): WDS is a server-based deployment
solution that enables an administrator to set up new client computers over the
network, without having to visit each client. This component is an update to the
Microsoft Windows Server® 2003 Remote Installation Services (RIS) server role.
WDS is also provided as a built-in server role that can be configured for Windows
Server 2008.
• Virtual Hard Disk (VHD): the Microsoft Virtual Hard Disk file format (.vhd) is a
publicly available format specification that specifies a virtual hard disk
encapsulated in a single file, capable of hosting native file systems and supporting
standard disk operations. VHD files are used by Microsoft® Hyper-V™ server,
Microsoft® Virtual Server, and Microsoft® Virtual PC for virtual disks connected
to a virtual machine.

Image-based Installation Process

The image-based installation process consists of five high-level steps. These steps
include the following:

Build an Answer File


You use an answer file to configure Windows settings during installation. For example,
you can configure the default Internet Explorer® settings, networking configurations,
and other customizations. Additionally, the answer file contains all of the settings
required for an unattended installation. During installation, you will not be prompted
with user interface pages. You can use Windows System Image Manager (Windows
SIM) to assist in creating an answer file, although in principle you can use any text
editor to create an answer file.

Build a reference installation


A reference computer has a customized installation of Windows that you plan to
duplicate onto one or more destination computers. You can create a reference
installation by using the Windows product CD/DVD and an answer file.

Create a Bootable Windows PE Media

You can create a bootable Windows PE disk on a CD/DVD by using the Copype.cmd
script. Windows PE enables you to start a computer for the purposes of deployment
and recovery. Windows PE starts the computer directly from memory, enabling you to
remove the Windows PE media after the computer starts. Once you have started the
computer in Windows PE, you can use the ImageX tool to capture, modify, and apply
file-based disk images.

Capture the Installation Image


You capture an image of your reference computer by using Windows PE and the
ImageX tool. You can store the captured image on a network share.

Deploy the Installation Image


After you have an image of your reference installation, you can deploy the image to the
destination computer. You can use the DiskPart tool to format the hard drive, and copy
the image from the network share. Use ImageX to apply the image to the destination
computer. For high-volume deployments, you can store the image of the new
installation to your distribution share and deploy the image to destination computers by
using deployment tools, such as Windows Deployment Services (WDS) or Microsoft
Deployment Toolkit (MDT).

Demonstration: Building an Answer File by Using Windows SIM

In this demonstration, you will see how to create an answer file by using Windows
SIM.

Build an Answer File by Using Windows SIM


1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft Windows AIK, and then
click Windows System Image Manager.
3. In the Windows Image area, right-click Select a Windows image or catalog file
and then click Select Windows Image.
4. Browse to E:\6292\Labfiles\Mod01\Sources\, click install_Windows 7
PROFESSIONAL.clg, and then click Open.

Note: If a catalog file does not exist for this edition of Windows 7, then you will be
prompted to create a catalog file. The creation process takes several minutes. In this
demonstration, you are not prompted to create a catalog file because it has already
been created for you.

5. In the Answer File area, right-click Create or open an answer file, and then click
New Answer File.
6. In the Windows Image area, expand Components and scroll down and expand
x86_Microsoft-Windows-Setup. This group of settings is primarily used in the
windowsPE stage of an unattended installation. Notice that it includes Disk
Configuration.
7. Expand UserData and right-click ProductKey. You can see that this setting can
only be applied in the windowsPE stage. This would be used for an unattended
installation where Windows 7 is installed from the install.wim file on the Windows
7 installation DVD.
8. Scroll down and click x86_Microsoft-Windows-Shell-Setup. Notice that the
option for the product key is available here as well as shown in the Properties area.
9. Right-click x86_Microsoft-Windows-Shell-Setup and click Add setting to Pass
4 specialize. These settings are applied after an operating system has been
generalized by using Sysprep.
10. In the Microsoft-Windows-Shell-Setup Properties area, in the ProductKey box,
type “11111-22222-33333-44444-55555” and press Enter. Placing a product key
in this answer file prevents the need to enter the product key during the installation
of a new image.
11. Close Windows System Image Manager and do not save any changes.

Note: For more information, please refer to Windows SIM Technical Reference at
http://go.microsoft.com/fwlink/?LinkID=154216.

Question: Why would you use an answer file rather than manually completing the
installation of Windows 7?
Answer: An answer file is used to automate the installation process for speed and
consistency. When you use an answer file, you are assured that each installation is the
same. Automating the installation process is more efficient when multiple computers
are configured at once.
1-64 Installing and Configuring Windows® 7 Client

Building a Reference Installation by Using Sysprep



The Sysprep tool prepares an installation of the Windows operating system for
duplication, auditing, and end-user delivery. Duplication enables you to capture a
customized Windows image that you can reuse throughout an organization.

Sysprep Tasks
Sysprep can be used to perform the following tasks:
• Remove system-specific data from the Windows operating system.
• Configure Windows to start in audit mode.
• Configure the Windows operating system to start the Out-of-Box Experience
(OOBE).
• Reset Windows Product Activation.

Sysprep Command-Line Options


The following shows the syntax and some of the more common command-line options
available for Sysprep:
sysprep.exe [/oobe | /audit] [/generalize] [/reboot | /shutdown | /quit] [/quiet] [/unattend:answerfile]

Option Description
/audit Restarts the computer in audit mode. Audit mode enables you
to add drivers or applications to Windows. You can also test an
installation of Windows before it is sent to an end user.
If an unattended Windows setup file is specified, the audit
mode of Windows Setup runs the auditSystem and auditUser
configuration passes.

/generalize Prepares the Windows installation to be imaged. If this option
is specified, all unique system information is removed from the
Windows installation. The security ID (SID) resets, any system
restore points are cleared, and event logs are deleted.
The next time the computer starts, the specialize configuration
pass runs. A new security ID (SID) is created, and the clock for
Windows activation resets, if the clock has not already been
reset three times.

/oobe Restarts the computer in Windows Welcome mode.
Windows Welcome enables end users to customize their
Windows operating system, create user accounts, name the
computer, and other tasks. Any settings in the oobeSystem
configuration pass in an answer file are processed immediately
before Windows Welcome starts.

/reboot Restarts the computer. Use this option to audit the computer
and to verify that the first-run experience operates correctly.

/shutdown Shuts down the computer after the Sysprep command finishes
running.

/quiet Runs the Sysprep tool without displaying on-screen
confirmation messages. Use this option if you automate the
Sysprep tool.

/quit Closes the Sysprep tool after running the specified commands.

/unattend:answerfile Applies settings in an answer file to Windows during
unattended installation.
answerfile specifies the path and file name of the answer file to use.
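The answer-file setting from the Windows SIM demonstration and the Sysprep options above, combined in one added PowerShell example that is not part of the course: it writes the specialize-pass ProductKey fragment that Windows SIM produces, checks that the key sits in the right pass and component, reads the remaining rearm count, and only then hands the file to Sysprep. The placeholder product key is the course's; the path C:\Deploy\unattend.xml, the slmgr output parsing and the -RunSysprep switch are assumptions.

```powershell
# Added example (not from the course): build the specialize-pass answer file the
# Windows SIM demonstration produces, validate it, then hand it to Sysprep.
# Assumptions: C:\Deploy is writable, Sysprep lives in %SystemRoot%\System32\Sysprep,
# and the product key is the course's placeholder value.
param(
    [string]$AnswerFile = 'C:\Deploy\unattend.xml',
    [string]$ProductKey = '11111-22222-33333-44444-55555',
    [switch]$RunSysprep          # omit to only write and validate the file
)
$ErrorActionPreference = 'Stop'

# What Windows SIM writes when Microsoft-Windows-Shell-Setup is added to pass 4
# (specialize) and ProductKey is filled in. publicKeyToken is the Microsoft token
# carried by every in-box component.
$unattend = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="x86"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <ProductKey>$ProductKey</ProductKey>
    </component>
  </settings>
</unattend>
"@

New-Item -ItemType Directory -Path (Split-Path $AnswerFile) -Force | Out-Null
[System.IO.File]::WriteAllText($AnswerFile, $unattend, (New-Object System.Text.UTF8Encoding $false))

function Test-AnswerFile {
    # Re-read the file and confirm the key landed where the demonstration put it:
    # the specialize pass of Microsoft-Windows-Shell-Setup.
    param([string]$Path)
    $xml  = [xml](Get-Content -Path $Path)
    $pass = @($xml.unattend.settings | Where-Object { $_.pass -eq 'specialize' })
    if ($pass.Count -ne 1) { throw "expected exactly one specialize pass, found $($pass.Count)" }
    $comp = @($pass[0].component | Where-Object { $_.name -eq 'Microsoft-Windows-Shell-Setup' })
    if ($comp.Count -ne 1) { throw 'Microsoft-Windows-Shell-Setup is missing from the specialize pass' }
    if ($comp[0].ProductKey -notmatch '^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$') {
        throw "ProductKey '$($comp[0].ProductKey)' is not in XXXXX-XXXXX-XXXXX-XXXXX-XXXXX form"
    }
    # Answer files can also carry AutoLogon passwords; flag them so the file is not
    # left readable on a share (assumption: you do not want plaintext secrets there).
    if ($xml.InnerXml -match '<Password>') { Write-Warning "$Path contains a <Password> element" }
    return $true
}
Test-AnswerFile -Path $AnswerFile | Out-Null

# /generalize resets the activation clock at most three times per installation.
# slmgr /dlv reports what is left; parsing its text is an assumption.
$dlv = cscript //nologo "$env:SystemRoot\System32\slmgr.vbs" /dlv 2>&1 | Out-String
if ($dlv -match 'rearm count:\s*(\d+)') {
    $rearms = [int]$Matches[1]
    Write-Host "Remaining Windows rearm count: $rearms"
    if ($rearms -eq 0) { Write-Warning '/generalize will not reset the activation clock: no rearms left.' }
} else {
    Write-Warning 'Could not read the rearm count from slmgr /dlv.'
}

if ($RunSysprep) {
    # /generalize strips the SID, restore points and event logs; /oobe makes the
    # image start in Windows Welcome; /shutdown leaves it ready for an ImageX
    # capture from Windows PE on the next boot.
    $sysprep = Join-Path $env:SystemRoot 'System32\Sysprep\sysprep.exe'
    & $sysprep /generalize /oobe /shutdown /quiet "/unattend:$AnswerFile"
}
```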

Demonstration: Creating a Bootable Windows PE Media



In this demonstration, you will see how to create bootable Windows PE media that can
be used for imaging computers.

Task: Create a Bootable Windows PE Media


1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft Windows AIK, and then
click Deployment Tools Command Prompt.
3. At the command prompt, type “copype.cmd amd64 E:\winpe_amd64” and press
Enter. This command copies the necessary files to the E:\winpe_amd64 folder. If
the folder does not exist, it is created.
4. At the command prompt, type “copy "C:\Program Files\Windows
AIK\Tools\amd64\imagex.exe" E:\winpe_amd64\iso” and then press Enter. This
adds the ImageX tool to the files that will be included in the ISO.

5. At the command prompt, type “oscdimg -n -bE:\winpe_amd64\etfsboot.com
E:\winpe_amd64\iso E:\winpe_amd64\winpe_amd64.iso”. This command creates
the ISO file with Windows PE.

Note: For more information on copype, copy, and oscdimg, please refer to:
http://go.microsoft.com/fwlink/?LinkID=154217,
http://go.microsoft.com/fwlink/?LinkID=154218,
http://go.microsoft.com/fwlink/?LinkID=154219

Question: After you have created the iso file, what should you do with it?
Answer: Typically, the next step is to burn the iso file as a bootable CD or DVD. It
can then be used to perform imaging operations.

Capturing and Applying the Installation Image by Using ImageX



ImageX is a command-line tool that enables you to capture, modify, and apply file-
based WIM images.

ImageX Tasks
ImageX can be used to perform the following tasks:
• View the contents of a WIM file: ImageX provides the ability to view the
contents of a WIM file. This is useful to see which images are available and can be
deployed from within the WIM file.
• Capture and apply images: you can capture an image of a source computer and
save it as a WIM file format. You can save the image to a distribution share, from
which users can use Windows 7 Setup to install the image, or you can push the
image out to the desktop by using various deployment techniques. You can also
use ImageX to apply the image to the destination computer.

• Mount images for offline image editing: a common scenario for ImageX is
customizing an existing image, including updating files and folders. You can
update and edit an offline image without creating a new image for distribution.
• Store multiple images in a single file: you can use ImageX to store multiple
images in a single WIM file to take advantage of single instancing, which
minimizes the size of the image file. This makes it much easier to deploy multiple
images by using removable media or across a slower network connection. When
Windows 7 is installed using a file with multiple images, users can select which
image to apply. For example, you can have a WIM file that contains several role-
based configurations, or images before and after certain updates.
• Compress the image files: ImageX supports two different compression
algorithms, Fast and Maximum, to further reduce the image size.
• Implement scripts for image creation: you can use scripting tools to create and
edit images.

ImageX Command-Line Options


The following shows the syntax and some of the more common command-line options
available for ImageX:

ImageX [/flags "EditionID"] [{/dir | /info | /capture | /apply | /append | /delete | /export | /mount | /mountrw | /unmount | /split}] [Parameters]

Command Description

Flags "EditionID" Specifies the version of Windows that you need to capture. This
is required if you plan to re-deploy a custom Install.wim with
Windows Setup. The quotes are also required. Valid EditionID
values include: HomeBasic, HomePremium, Starter, Ultimate,
Business, Enterprise, ServerDatacenter, ServerEnterprise, and
ServerStandard.

dir Displays a list of files and folders within a volume image.

info Returns information about the .wim file. Information includes
total file size, the image index number, the directory count, file
count, and a description.

capture Captures a volume image from a drive to a new .wim file.
Captured directories include all subfolders and data.

apply Applies a volume image to a specified drive. Note that you must
create all hard disk partitions before beginning this process and
run this option from Windows PE.

append Adds a volume image to an existing .wim file. Creates a single
instance of the file, comparing it against the resources that
already exist in the .wim file, so you do not capture the same
file twice.

delete Removes the specified volume image from a .wim file.

export Exports a copy of a .wim file to another .wim file.

mount/mountrw Mounts a .wim file with read or read/write permission. After the
file is mounted, you can view and modify all of the information
contained in the directory.

unmount Unmounts a mounted image from a specified directory. If you
have modified a mounted image, you must apply the /commit
option to save your changes.

split Splits large .wim files into multiple read-only .wim files.

Note: The preceding table is only a subset of the tools and functionality provided by
ImageX. For a more detailed list of syntax commands, read the “ImageX Technical
Reference” included in the “Windows Automated Installation Kit User’s Guide.”
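The capture, append, info and export commands from the table above as one PowerShell script, an added example that is not part of the course: it captures a generalized reference volume with /flags, /compress and /verify, appends later builds into the same single-instanced file, reads the image names back from imagex /info and exports one of them into a deployment WIM. It assumes it runs from the Windows PE media built earlier with imagex.exe on the path; the drive letters, file names and helper names are assumptions.

```powershell
# Added example (not course code): one reference.wim that grows by /append and a
# single-image deploy.wim exported from it. Assumptions: run from Windows PE with
# imagex.exe on the path, D: is the Sysprep-generalized reference volume, E: is
# the image store.
param(
    [string]$SourceDrive = 'D:',
    [string]$Wim         = 'E:\images\reference.wim',
    [string]$DeployWim   = 'E:\images\deploy.wim',
    [string]$EditionId   = 'Enterprise'   # one of the EditionID values in the table
)
$ErrorActionPreference = 'Stop'

function Invoke-ImageX {
    # Runs imagex.exe, echoes the command line and fails on a non-zero exit code.
    param([string[]]$Arguments)
    Write-Host "imagex $($Arguments -join ' ')"
    $out = & imagex.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "imagex failed ($LASTEXITCODE): $($out -join [Environment]::NewLine)" }
    return $out
}

function Get-WimImageNames {
    # imagex /info prints the WIM's XML metadata; pull the <NAME> of every image.
    param([string]$Path)
    $text = (Invoke-ImageX @('/info', $Path)) -join "`n"
    return [regex]::Matches($text, '<NAME>([^<]+)</NAME>') | ForEach-Object { $_.Groups[1].Value }
}

function Save-ReferenceImage {
    # First call creates the WIM with /capture; later calls /append into it, so
    # several configurations share one single-instanced file. Each call verifies
    # the new image is listed before the script moves on.
    param([string]$Name, [string]$Description)
    if (Test-Path $Wim) {
        Invoke-ImageX @('/append', "$SourceDrive\", $Wim, $Name, $Description, '/verify') | Out-Null
    } else {
        # /flags is required if Setup will consume this WIM as install.wim; maximum
        # compression costs time on capture but nothing on apply.
        Invoke-ImageX @('/flags', $EditionId, '/capture', "$SourceDrive\", $Wim, $Name, $Description,
                        '/compress', 'maximum', '/verify') | Out-Null
    }
    $names = @(Get-WimImageNames -Path $Wim)
    if ($names -notcontains $Name) { throw "'$Name' not listed by imagex /info after capture" }
    Write-Host "$Wim now holds: $($names -join ', ')"
}

New-Item -ItemType Directory -Path (Split-Path $Wim) -Force | Out-Null
Save-ReferenceImage -Name 'Win7 Base' -Description 'Generalized base build'

# Ship only one configuration on removable media or a slow link: /export writes a
# new single-image WIM containing just that image.
Invoke-ImageX @('/export', $Wim, 'Win7 Base', $DeployWim, 'Win7 Base', '/compress', 'maximum') | Out-Null
Write-Host "exported: $(@(Get-WimImageNames -Path $DeployWim) -join ', ')"
```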

Demonstration: Modifying Images by Using DISM



Deployment Image Servicing and Management (DISM) is a command line tool used to
service Windows images offline before deployment. You can use it to install, uninstall,
configure, and update Windows features, packages, drivers and international settings.
Subsets of the DISM servicing commands are also available for servicing a running
operating system.

Common DISM Command Line Options


The base syntax for nearly all DISM commands is the same. After you have mounted
or applied your Windows image so that it is available offline as a flat file structure, you
can specify any DISM options, the servicing command that will update your image,
and the location of the offline image. You can use only one servicing command per
command line. If you are servicing a running computer, you can use the /Online option
instead of specifying the location of the offline Windows Image.
The base syntax for DISM is as follows:

DISM.exe {/Image:<path_to_image> | /Online} [dism_options] {servicing_command} [<servicing_argument>]

The following DISM options are available for an offline image:

DISM.exe /image:<path_to_offline_image_directory>
[/WinDir:<path_to_%WINDIR%>] [/LogPath:<path_to_log_file.log>]
[/LogLevel:<n>] [/SysDriveDir:<path_to_bootMgr_file>] [/Quiet]
[/NoRestart] [/ScratchDir:<path_to_scratch_directory>]

The following DISM options are available for a running operating system:

DISM.exe /online [/LogPath:<path_to_log_file>] [/LogLevel:<n>]
[/Quiet] [/NoRestart] [/ScratchDir:<path_to_scratch_directory>]

The following table shows some of the more common command-line options available
for DISM:

Option Description
/Get-Help or /? Displays information about available DISM command-line options
and arguments.
The options available for servicing an image depend on the
servicing technology that is available in your image. Specifying an
image, either an offline image or the running operating system, will
generate information about specific options that are available for
the image you are servicing.
Example:
Dism /?
Dism /image:C:\test\offline /?
Dism /online /?

/Mount-Wim Mounts the WIM file to the specified directory so that it is
available for servicing.
/ReadOnly sets the mounted image with read-only permissions.
Optional.
An index or name value is required for most operations that
specify a WIM file.
Example:
Dism /Mount-Wim /WimFile:C:\test\images\install.wim /index:1 /MountDir:C:\test\offline /ReadOnly
Dism /Mount-Wim /WimFile:C:\test\offline\install.wim /name:"Windows 7 Enterprise" /MountDir:C:\test\offline

/Get-MountedWimInfo Lists the images currently mounted and information about the
mounted image such as read/write permissions, mount location,
mounted file path, and mounted image index.
Example:
Dism /Get-MountedWimInfo

/Commit-Wim Applies the changes you have made to the mounted image. The
image remains mounted until the /unmount option is used.
Example:
Dism /Commit-Wim /MountDir:C:\test\offline

/Unmount-Wim Unmounts the WIM file and either commits or discards the
changes made while the image was mounted.
Example:
Dism /unmount-Wim /MountDir:C:\test\offline /commit
Dism /unmount-Wim /MountDir:C:\test\offline /discard

In this demonstration, you will see how to modify an image by using DISM.

Modify Images by using DISM


1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft Windows AIK, and then
click Deployment Tools Command Prompt.
3. At the command prompt, type “dism” and press Enter. This displays help
information for the command.
4. At the command prompt, type “md C:\img” and then press Enter.
5. At the command prompt, type “dism /mount-wim
/wimfile:E:\6292\Labfiles\Mod01\Sources\install.wim /name:"Windows 7
PROFESSIONAL" /mountdir:C:\img” and press Enter.

6. When the image mounting is complete, at the command prompt, type
“dism /get-mountedwiminfo” and press Enter. This displays information about the mounted
image. Notice that an index number is displayed instead of the name.
7. Type “cd C:\img” and press Enter.
8. At the command prompt, type “dir” and press Enter. You can see the installation
files for Windows 7 PROFESSIONAL and modify them.
9. At the command prompt, type “cd \” and press Enter.
10. At the command prompt, type “dism /image:C:\img /?” and press Enter. This
displays the available options for servicing an image such as adding a driver or
adding a feature.
11. At the command prompt, type “dism /image:C:\img /add-driver
/driver:E:\6292\LabFiles\Mod01\vx6000\vx6000.inf” and press Enter. This adds
the driver for the VX6000 Lifecam to the image so that it is available for all
computers configured with this image.
12. At the command prompt, type “dism /unmount-wim /mountdir:C:\img /discard”
and press Enter. Use the /commit option to save changes.
13. Close all open windows.
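The mount, add-driver, unmount sequence from the demonstration as a PowerShell script, an added example that is not part of the course: it checks the driver's catalog signature before injecting it, confirms the driver is listed in the mounted image, and discards the mount on any failure so a half-modified image is never committed. The WIM, image name, driver and mount paths are the course's lab paths; the helper names and the .cat-beside-.inf layout are assumptions.

```powershell
# Added example (not course code): service install.wim the way the demonstration
# does, with a check around each step. Paths are the course's lab paths.
param(
    [string]$WimFile   = 'E:\6292\Labfiles\Mod01\Sources\install.wim',
    [string]$ImageName = 'Windows 7 PROFESSIONAL',
    [string]$MountDir  = 'C:\img',
    [string]$DriverInf = 'E:\6292\LabFiles\Mod01\vx6000\vx6000.inf'
)
$ErrorActionPreference = 'Stop'

function Invoke-Dism {
    # Runs dism.exe, echoes the command line and turns a non-zero exit code into an error.
    param([string[]]$Arguments)
    Write-Host "dism $($Arguments -join ' ')"
    $output = & dism.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dism failed ($LASTEXITCODE): $($output -join [Environment]::NewLine)" }
    return $output
}

function Test-DriverSignature {
    # Only inject drivers whose catalog carries a valid Authenticode signature.
    # DISM refuses unsigned x64 drivers unless /ForceUnsigned is given; never add
    # that switch when building a golden image. (Assumption: the .cat sits beside the .inf.)
    param([string]$InfPath)
    $cat = Get-ChildItem -Path (Split-Path $InfPath) -Filter '*.cat' | Select-Object -First 1
    if (-not $cat) { throw "no catalog (.cat) found next to $InfPath" }
    $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
    if ($sig.Status -ne 'Valid') { throw "$($cat.Name) signature status is $($sig.Status)" }
    Write-Host "$($cat.Name) signed by $($sig.SignerCertificate.Subject)"
    return $true
}

Test-DriverSignature -InfPath $DriverInf | Out-Null
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null

# Refuse to reuse a directory that already has an image mounted in it; a script
# that died mid-way leaves one behind (dism /cleanup-wim clears the leftovers).
$mounted = Invoke-Dism @('/get-mountedwiminfo')
if ($mounted -match [regex]::Escape($MountDir)) {
    throw "$MountDir already has a mounted image; unmount it or run 'dism /cleanup-wim' first"
}

$committed = $false
Invoke-Dism @('/mount-wim', "/wimfile:$WimFile", "/name:$ImageName", "/mountdir:$MountDir") | Out-Null
try {
    Invoke-Dism @("/image:$MountDir", '/add-driver', "/driver:$DriverInf") | Out-Null

    # Verify the driver is actually staged in the offline image before committing;
    # /get-drivers lists each third-party driver with its original .inf name.
    $drivers = Invoke-Dism @("/image:$MountDir", '/get-drivers')
    $infName = [System.IO.Path]::GetFileName($DriverInf)
    if (-not ($drivers -match [regex]::Escape($infName))) {
        throw "$infName not reported by /get-drivers after /add-driver"
    }
    Invoke-Dism @('/unmount-wim', "/mountdir:$MountDir", '/commit') | Out-Null
    $committed = $true
}
finally {
    if (-not $committed) {
        # Something failed: throw the changes away rather than leave a stale mount.
        & dism.exe /unmount-wim "/mountdir:$MountDir" /discard | Out-Null
    }
}
```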

Migrating User Settings and Data by Using USMT 4.0



User State Migration Tool (USMT) is a scriptable command-line tool that provides a
highly-customizable user-profile migration experience for IT professionals. The
following table shows the components of USMT:

Component Explanation

ScanState.exe The ScanState tool scans the source computer, collects the files and
settings, and then creates a store. ScanState does not modify the
source computer. By default, it compresses the files and stores them
as a migration store. ScanState copies files into a temporary location
and then into the migration store.

LoadState.exe The LoadState tool migrates the files and settings, one at a time, from
the store to a temporary location on the destination computer. The files
are decompressed, and decrypted if necessary, during this process.
Next, LoadState transfers the file to the correct location, deletes the
temporary copy, and begins migrating the next file.
Compression improves performance by reducing network bandwidth
use as well as the required space in the store. However, for testing
purposes, you can choose to turn off compression with the
/nocompress option.

Migration .xml files The .xml files used by USMT for migrations are the MigApp.xml,
MigUser.xml, or MigDocs.xml and any custom .xml files that you
create.
• The MigApp.xml file. Specify this file with both the ScanState and
LoadState commands to migrate application settings to computers
running Windows 7.
• The MigUser.xml file. Specify this file with both the ScanState and
LoadState commands to migrate user folders, files, and file types to
computers running Windows 7. You can modify the MigUser.xml file.
This file does not contain rules that migrate specific user accounts.
The only way to specify which user accounts to migrate is on the
command line using the ScanState and LoadState user options.
• The MigDocs.xml file. Specify this file with both the ScanState and
LoadState tools to migrate all user folders and files that are found by
the MigXmlHelper.GenerateDocPatterns helper function. This helper
function finds user data that resides on the root of any drive and in
the Users directory. However, it does not find and migrate any
application data, program files, or any files in the Windows directory.
You can modify the MigDocs.xml file.
• Custom .xml files. You can create custom .xml files to customize the
migration for your unique needs. For example, you may want to
create a custom file to migrate a line-of-business application or to
modify the default migration behavior. If you want ScanState and
LoadState to use this file, specify it with both commands.

Config.xml If you want to exclude components from the migration, you can create
and modify the Config.xml file using the /genconfig option with the
ScanState tool. This optional file has a different format from the
migration .xml files because it does not contain migration rules. The
Config.xml file contains a list of the components that can be migrated.
You specify migrate = "no" for the components you want to
exclude from the migration. Additionally, this file can be used to control
some migration options new to USMT 4.0.

Component Manifests for Windows Vista and Windows 7 When the source or destination computer is running Windows Vista or
Windows 7, the component-manifest files control which operating
system settings are migrated and how they are migrated. These files
are located on computers running Windows Vista and Windows 7, and
you cannot modify them. If you want to exclude certain operating
system settings when the source computer is running Windows Vista
or Windows 7, you will need to create and modify a Config.xml file.

Down-level Manifest files When the source computer is running a supported version of
Windows XP, these manifest files control which operating-system and
Internet Explorer settings are migrated and how they are migrated. For
example, when the destination computer is running Windows 7, the
ScanState tool collects the data using the down-level manifest files,
and then the LoadState tool migrates the data using the corresponding
component manifest files for Windows Vista or Windows 7. The
down-level manifest files are not used with the LoadState tool.
The down-level manifest files are located in the USMT\Dlmanifests
directory. You cannot modify these files. If you want to exclude certain
operating-system settings when the source computer is running
Windows XP and the destination computer is running Windows 7, you
will need to create and modify a Config.xml file on the Windows XP
machine.

USMT internal files All other .dll, .xml, .dat, .mui, and .inf files that are included with USMT
are for internal use. You cannot modify these files.

USMT is intended for administrators who are performing large-scale automated
deployments. For example, you can automate USMT by scripting it in the logon script.
If you are only migrating the user states of a few computers, you can use Windows
Easy Transfer.

Hard-link Migration Store


The new hard-link migration store is for use only in wipe and load migration. Hard-link
migration stores are stored locally on the computer that is being refreshed and can
migrate user accounts, files, and settings in less time using megabytes of disk space
instead of gigabytes.

Using ScanState to Capture User State


You run ScanState on the source computer. The general syntax for the command is as
follows:

Scanstate [StorePath] [/i:[path\]FileName] [Options]

The ScanState tool provides various options related to specific categories. These
categories are explained in the following sections.

ScanState Storage Options


The following table describes the storage options that can be configured using USMT:

Option Description
StorePath Indicates the folder in which to save the files and settings (for
example, a network share; StorePath cannot be c:\). You must
specify StorePath on the ScanState command line except when
using the /genconfig option. You cannot specify more than one
StorePath.

/o Overwrites any existing data in the store. If this option is not
specified, ScanState will fail if the store already contains data.
You cannot specify this option more than once on a command
line.

/encrypt /key:KeyString
or /encrypt /key:"Key String"
or /encrypt /keyfile:[Path\]Filename
Encrypts the store with the specified key (password). Encryption
is disabled by default. When you use this option, you need to
specify the encryption key in one of the following ways:
/key:KeyString specifies the encryption key. If there is a space
in KeyString, you will need to enclose it in quotation marks.
/keyfile:FilePathAndName specifies a .txt file that contains the
encryption key.

/nocompress Disables compression of data and saves the files to a hidden
folder named File at StorePath\USMT3. Compression is
enabled by default. You should use this option only in testing
environments.

/hardlink Enables the creation of a hard-link migration store at the
specified location. The /nocompress option must be specified
with the /hardlink option. Additionally, the
<HardLinkStoreControl> element can be used in the Config.xml
file to change how the ScanState command creates hard-links
to files that are locked by another application.

ScanState Migration Rule Options


The following table describes the migration rule options that can be configured using
USMT:

Option Description
/i:[Path\]Filename Specifies an .xml file that contains rules that define what state to
migrate. You can specify this option multiple times to specify all
of your .xml files.

/genconfig:[Path\]FileName Generates a Config.xml file, but does not create a store.

/config:[Path\]FileName Specifies the Config.xml file that ScanState should use to create
the store. You cannot specify this option more than once on the
command line.

Monitoring Options
USMT provides several options that you can use to analyze problems that occur during
migration.

Option Description

/l:[Path\]FileName Specifies the location and name of the ScanState log. You cannot
store any of the log files in StorePath.

/v:VerbosityLevel Enables verbose output in the ScanState log. The default is 0. You
can specify any number from 0 to 15. For more information about the
verbosity levels, read the USMT Help files.

/p Generates a space-estimate file called Usmtsize.txt that is saved to
StorePath. This option does not collect the user state.
You must also specify /nocompress. The estimates are applicable for
both compressed and uncompressed stores because the
compressed store will always be smaller. Therefore, you can make
decisions based on the estimate, and then turn compression back on
for the final scan.

ScanState User Options


USMT provides several options that you can use to migrate multiple users on a single
computer. You can use the following command-line options to specify which users to
migrate.

Option Description
/all Migrates all of the users on the computer. /all is the default option if
you do not specify other options.

/ui:[DomainName\]UserName Migrates the specified user(s). When you specify a UserName that
contains spaces, you need to enclose it in quotation marks. You can
specify multiple /ui options.

/ue:[DomainName\]UserName Excludes the specified user(s) from being migrated.

ScanState Encrypted File Options


You can use the following options to migrate encrypted files. In all cases, by default,
USMT fails if an encrypted file is found unless you specify an /efs option.

Note: Extreme caution should be taken when migrating encrypted files. If you migrate
an encrypted file without also migrating the certificate, end users will not be able to
access the file after the migration.

Option Description
/efs:skip Causes ScanState to ignore Encrypting File System (EFS) files completely.

/efs:copyraw Causes ScanState to copy the files in the encrypted format. The files will be
inaccessible on the destination computer until the EFS certificates are
migrated.

Using LoadState to Migrate User State


You run LoadState on the destination computer. The general syntax for the command
is as follows:

Loadstate [StorePath] [/i:[path\]FileName] [Options]

The LoadState tool uses most of the same categories and options as the ScanState tool.
The following categories and options are specific to LoadState.

LoadState Storage Options


The following table describes the storage options that can be configured using USMT:

Option Description
/decrypt /key:KeyString
or /decrypt /key:"Key String"
or /decrypt /keyfile:[Path\]FileName
Decrypts the store with the specified key. When you use
this option, you need to specify the encryption key in
one of the following ways:
/key:KeyString specifies the encryption key. If there is a
space in KeyString, you will need to enclose it in
quotation marks.
/keyfile:FilePathAndName specifies a .txt file that
contains the encryption key.

LoadState Migration Rule and User Options


The following table describes the migration rule and user options that can be
configured using USMT:

Option Description
/q Allows LoadState to run without administrator credentials. This option
will migrate only the user account and settings for the currently logged-
on user. Errors occur if you try to apply settings to a location for which
the user does not have sufficient credentials.

/lac:[Password] (local account create)
Specifies that if a user account is a local (non-domain) account, and it
does not exist on the destination computer, USMT will create the
account on the destination computer but it will be disabled. To enable
the account, you must also specify /lae.
If /lac is not specified, any local user accounts (that do not already exist
on the destination computer) will not be migrated. Password is the
password for the newly created account. An empty password is used by
default.

/lae (local account enable)
Enables the account that was created with /lac. You must specify /lac
with this option.
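The ScanState and LoadState options from the tables above combined in one PowerShell script, an added example that is not part of the course: a space-estimate run with /p, an encrypted capture of domain users only with EFS files copied raw, and a LoadState that decrypts the store and creates missing local accounts with a generated password instead of the empty default. The key file gets a restricted ACL because the encrypted store is only as private as that file. The USMT folder, the store share, the log paths, the domain name and the helper names are assumptions.

```powershell
# Added example (not course code): a ScanState / LoadState pair using the storage,
# rule, user, monitoring and encrypted-file options described above.
# Assumptions: USMT 4.0 is in the Windows AIK folder below, the store is a share
# the migrating account can write, and both tools run elevated.
param(
    [string]$UsmtDir = 'C:\Program Files\Windows AIK\Tools\USMT\amd64',
    [string]$Store   = '\\LON-DC1\MigStore\LON-CL1',   # constructed store path
    [string]$KeyFile = 'C:\Deploy\usmt-key.txt',
    [string]$LogDir  = 'C:\Deploy',
    [string]$Domain  = 'CONTOSO',
    [ValidateSet('Scan', 'Load')][string]$Phase = 'Scan'
)
$ErrorActionPreference = 'Stop'
$rules = @("/i:$UsmtDir\MigApp.xml", "/i:$UsmtDir\MigDocs.xml")

function New-RandomSecret {
    # Random characters from a fixed alphabet, drawn from the CSPRNG (the small
    # modulo bias is acceptable for a one-time migration key).
    param([int]$Length = 24)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789'.ToCharArray()
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Protect-KeyFile {
    # Strip inherited ACEs and leave read access to the migrating account and SYSTEM only.
    param([string]$Path)
    $me = "$($env:USERDOMAIN)\$($env:USERNAME)"
    icacls.exe $Path /inheritance:r /grant:r "${me}:(R)" 'SYSTEM:(R)' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $Path" }
}

function Invoke-Usmt {
    # Runs scanstate.exe or loadstate.exe and fails on a non-zero exit code.
    param([string]$Tool, [string[]]$Arguments)
    $exe = Join-Path $UsmtDir $Tool
    if (-not (Test-Path $exe)) { throw "$exe not found; check the USMT folder" }
    Write-Host "$Tool $($Arguments -join ' ')"
    & $exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Tool exited with $LASTEXITCODE; see the log under $LogDir" }
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
# Domain accounts only: /ue:*\* excludes everyone, then /ui re-includes the domain
# (a /ui match takes precedence over /ue).
$users = @('/ue:*\*', "/ui:$Domain\*")

switch ($Phase) {
    'Scan' {
        Set-Content -Path $KeyFile -Value (New-RandomSecret) -Encoding ASCII
        Protect-KeyFile -Path $KeyFile

        # Dry run: /p with /nocompress writes Usmtsize.txt to the store and collects nothing.
        $estimate = @($Store) + $rules + $users + @('/p', '/nocompress', "/l:$LogDir\scan-estimate.log")
        Invoke-Usmt 'scanstate.exe' $estimate

        # Real capture: encrypted store, existing store data overwritten with /o, EFS
        # files copied raw (unreadable on the target until the certificates are migrated).
        $capture = @($Store) + $rules + $users + @('/o', '/encrypt', "/keyfile:$KeyFile",
                   '/efs:copyraw', "/l:$LogDir\scan.log", '/v:5')
        Invoke-Usmt 'scanstate.exe' $capture
    }
    'Load' {
        # Without /lac a local account missing on the target is not migrated; with it
        # the account is created disabled and, unless a password is given, with an
        # empty one. Hand the generated password to the user out of band.
        $localPw = New-RandomSecret
        $restore = @($Store) + $rules + @('/decrypt', "/keyfile:$KeyFile", "/lac:$localPw", '/lae',
                   "/l:$LogDir\load.log", '/v:5')
        Invoke-Usmt 'loadstate.exe' $restore
    }
}
```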

Configuring VHDs



In Windows 7, a VHD can be used to store an operating system on a computer without
a parent operating system, virtual machine, or hypervisor. This feature, called VHD
boot, is a new feature in Windows 7 that eases the transition between virtual and
physical environments, enabling enterprises to reuse the same master image within a
Virtual Desktop Infrastructure (VDI) and on physical PCs. For example, a call center
might have hundreds of users working remotely through VDI but also need the same
desktop images for the users who work onsite on physical PCs.

Note: VDI is a desktop delivery model which allows client desktop workloads (operating
system, application, user data) to be hosted and executed on servers in the data center.

Native-boot VHD files are not intended to replace full image deployment on all client
or server systems. VHD boot is best used in a highly managed environment and used
with technologies such as Folder Redirection and Roaming User Profiles so that the
user state is not stored in the image. Native-boot VHD can also be used for dual boot
when you only have a single disk volume, as an alternative to running virtual
machines.

VHD Image Management and Deployment


Windows 7 also enables IT professionals to use the same processes and tools to
manage WIM and VHD image files. In Windows 7, VHD files can be attached from
the Disk Management Microsoft Management Console (MMC), assigned a drive letter,
and then viewed and modified as if they were a normal hard drive.
Windows 7-based VHD files can be treated similarly to WIM files with regard to
offline image servicing and image-based setup. In addition, IT professionals can
service VHD images by using DISM and deploy VHD files by using WDS and
multicast deployment options. This enables automatic deployment of Windows on
VHD files.
The following steps outline Windows 7 deployment on VHD:
1. Create the VHD: you can create a VHD by using the DiskPart tool or the Disk
Management MMC. The Disk Management MMC also enables you to attach the
VHD, so that it appears on the host computer as a drive and not as a static
file. VHD files can then be partitioned and formatted before you install an
operating system.
2. Prepare the VHD: install Windows 7 on the VHD. You can perform the capture
and apply method by using ImageX.
3. Deploy the VHD: the VHD file can then be copied to one or more systems, to be
run in a virtual machine or for native boot. To configure native boot, add the
native-boot VHD to the boot menu by using the BCDedit or BCDboot tool. BCDEdit
is a command-line tool for managing Boot Configuration Data (BCD) stores and
BCDboot is a command-line tool for initializing the BCD store and copying boot
environment files to the system partition. You can also automate the network
deployment of VHD by using WDS. WDS can be used to copy the VHD image to
a local partition and to configure the local Boot Configuration Data (BCD) for
native boot from the VHD.
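Steps 1 to 3 above as one PowerShell script, an added example that is not part of the course: DiskPart creates, attaches, partitions and formats the VHD, ImageX applies a Sysprep-generalized image into it, and BCDEdit adds a boot entry whose device and osdevice point at the VHD file. It assumes an elevated prompt on the Windows 7 host that will boot the VHD, imagex.exe on the path, a generalized capture at C:\images\win7.wim, and a free V: drive letter; the paths, size and helper name are constructed values.

```powershell
# Added example (not course code): native-boot VHD deployment in three steps.
# Assumptions: elevated prompt on the host that will boot the VHD, imagex.exe on
# the path, C:\images\win7.wim index 1 is a Sysprep-generalized capture, V: is free.
param(
    [string]$VhdPath = 'C:\vhd\win7.vhd',
    [int]$MaxSizeMB  = 40000,
    [string]$Wim     = 'C:\images\win7.wim',
    [int]$Index      = 1,
    [string]$Letter  = 'V'
)
$ErrorActionPreference = 'Stop'

function Invoke-DiskPart {
    # DiskPart takes its commands from a script file passed with /s.
    param([string]$Script)
    $tmp = Join-Path $env:TEMP ('dp-{0}.txt' -f [guid]::NewGuid())
    Set-Content -Path $tmp -Value $Script -Encoding ASCII
    try {
        $out = diskpart.exe /s $tmp
        if ($LASTEXITCODE -ne 0) { throw "diskpart failed: $($out -join [Environment]::NewLine)" }
        return $out
    } finally { Remove-Item $tmp -ErrorAction SilentlyContinue }
}

if (Test-Path $VhdPath) { throw "$VhdPath already exists; refusing to overwrite a disk image" }
New-Item -ItemType Directory -Path (Split-Path $VhdPath) -Force | Out-Null

# Step 1: create, attach, partition and format the VHD. An expandable VHD is
# grown to its maximum size when it is native-booted, so the host volume needs
# that much free space.
$create = @"
create vdisk file="$VhdPath" maximum=$MaxSizeMB type=expandable
select vdisk file="$VhdPath"
attach vdisk
create partition primary
format fs=ntfs quick label="Win7VHD"
assign letter=$Letter
exit
"@
Invoke-DiskPart $create | Out-Null
if (-not (Test-Path "${Letter}:\")) { throw "VHD did not attach as ${Letter}:" }

# Step 2: apply the generalized image into the attached VHD with ImageX.
imagex.exe /apply $Wim $Index "${Letter}:\"
if ($LASTEXITCODE -ne 0) { throw "imagex /apply failed with $LASTEXITCODE" }
if (-not (Test-Path "${Letter}:\Windows\System32\ntoskrnl.exe")) { throw 'no Windows installation found in the VHD' }

# Step 3: add a boot entry whose device and osdevice point at the VHD file.
# bcdedit /copy prints "The entry was successfully copied to {GUID}."
$copy = bcdedit.exe /copy '{current}' /d 'Windows 7 (native-boot VHD)'
$guid = [regex]::Match(($copy -join ' '), '\{[0-9a-fA-F-]{36}\}').Value
if (-not $guid) { throw "could not find the new entry GUID in: $copy" }
$vhdRef = 'vhd=[{0}]{1}' -f (Split-Path $VhdPath -Qualifier), (Split-Path $VhdPath -NoQualifier)
bcdedit.exe /set $guid device   $vhdRef
bcdedit.exe /set $guid osdevice $vhdRef
bcdedit.exe /set $guid detecthal on

# Detach so the file is not in use when the machine reboots into it.
$detach = @"
select vdisk file="$VhdPath"
detach vdisk
exit
"@
Invoke-DiskPart $detach | Out-Null
bcdedit.exe /enum $guid
```

A VHD that was prepared in Virtual PC must be generalized with Sysprep before this entry is used, as the question at the end of this topic notes.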

Question: Given a Windows 7-based VHD that is configured to run in a Virtual PC,
can the same VHD be configured to run in native boot?
Answer: Yes. However, before a Windows 7-based VHD that is configured to run in
Virtual PC can be used to run in native boot, you must remove system-specific data
from the Windows installation by using Sysprep.

Lesson 5
Configuring Application Compatibility



Application compatibility is a huge factor that determines the success of an operating
system deployment project. Application compatibility issues can affect core business
functions by preventing users from performing their work. You must plan for these
issues by understanding common problems that can occur. You must also understand
common application compatibility issues that may be experienced during a typical
operating system deployment, and how to mitigate and resolve these issues.

Common Application Compatibility Problems



An application written for a specific operating system can cause problems when
installed on a computer with a different operating system for a number of reasons. To
troubleshoot and address the problems effectively, it is important to be aware of the
general areas that typically cause the most compatibility issues.
Generally, applications and hardware that worked on Windows Vista will continue to
work on Windows 7. The following shows several areas of concern with Windows 7
application compatibility.

Setup and Installation of Applications


During application setup and installation, two common issues can prevent the
application from installing properly or even installing at all:
• An application tries to copy files and shortcuts to folders that existed in a previous
Windows operating system, but no longer exist in the new operating system.
• An application tries to refer to a Windows feature that has been renamed in
Windows 7. For example, Microsoft® Outlook® Express is called Windows Mail
in Windows Vista. Windows 7 does not ship with a default mail client, so
MAPI-dependent applications need to be aware of this change. Other related removals
include Messenger, Address Book, Photo Gallery, and Movie Maker.

User Account Control (UAC)


UAC adds security to Windows by limiting administrator-level access to the computer,
restricting most users to run as standard users. When users attempt to launch an
application that requires administrator permissions, the system prompts them to
confirm their intention to do so.
UAC also limits the context in which a process executes, to minimize the ability of
users to inadvertently expose their computer to viruses or other malware. This change
affects any application installer or update that requires Administrator permissions to
run, performs unnecessary Administrator checks or actions, or attempts to write to a
non-virtualized registry location.
UAC may result in the following compatibility issues:
• Custom installers, uninstallers, and updaters may not be detected and elevated to
run as administrator.
• Standard user applications that require administrative privileges to perform their
tasks may fail or not make this task available to standard users.
• Applications that attempt to perform tasks for which the current user does not have
the necessary permissions may fail. How the failure manifests itself depends on
how the application was written.
• Control panel applications that perform administrative tasks and make global
changes may not function properly and may fail.
• DLL applications that run using RunDLL32.exe may not function properly if they
perform global operations.
• Standard user applications writing to global locations will be redirected to per-user
locations through virtualization.

Windows Resource Protection (WRP)


WRP is designed to protect Windows resources (files, folders, and registry keys) by
keeping them in a read-only state. This affects specific files, folders, and registry keys.
Updates to protected resources are restricted to the operating system's trusted
installers, such as Windows Servicing. This enables components and applications that
ship with the operating system to be better protected from the impact of other
applications and administrators.
WRP may result in the following compatibility issues:
• Application installers that attempt to replace, modify, or delete operating system
files or registry keys that are protected by WRP may fail with an error
message indicating that the resource could not be updated, because access
to these resources is denied.
• Applications that attempt to write new registry keys or values to protected registry
keys may fail with an error message that indicates that the change failed because
access was denied.
• Applications that attempt to write to protected resources may fail if they rely on
being able to change protected registry keys or values.

Internet Explorer Protected Mode


Internet Explorer Protected Mode helps to defend against elevation-of-privilege attacks
by restricting the ability to write to any local computer zone resources other than
temporary Internet files. This change affects any Web site or Web application that
attempts to modify user files or registry keys, or that attempts to open a new window in
another domain.
Internet Explorer Protected Mode reduces the ability of an attacker to write, alter, or
destroy data on the user’s machine or to install malicious code. It can help protect a
user from malicious code installing itself without authorization.
Internet Explorer Protected Mode may result in the following compatibility issues:
• Applications that use Internet Explorer cannot write directly to the disk while in
the Internet or Intranet zone. Protected Mode builds on the new integrity
mechanism to restrict write access to securable objects, such as processes, files,
and registry keys, that have higher integrity levels. When run in Protected Mode,
Internet Explorer is a low-integrity process; it cannot gain write access to files and
registry keys in a user’s profile or in system locations. Low-integrity processes can
only write to folders, files, and registry keys that have been assigned a low-integrity
mandatory label. As a result, Internet Explorer and its extensions running in
Protected Mode can only write to low-integrity locations, such as the new
low-integrity Temporary Internet Files folder, the History folder, the Cookies
folder, the Favorites folder, and the Windows Temporary Files folders.
• Applications may not know how to handle new prompts. The Protected Mode
process runs with a low desktop integrity level, which prevents it from sending
certain window messages to higher-integrity processes.
In addition, Internet Explorer enables Data Execution Prevention (DEP, also known as
NX) by default. Plug-ins that have issues with DEP may cause Internet Explorer to crash.
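The integrity mechanism is what makes the Protected Mode restrictions above work. The following Python model is an added illustration for this page, not courseware code and not Windows code: it encodes the mandatory "no write up" rule with constructed sample paths and labels (the paths, the Integrity enumeration and the helper names are this example's own), so that a Low process such as Protected Mode Internet Explorer reaches only objects carrying an explicit Low label, while every unlabeled object is treated as Medium.

```python
"""Model of the Windows mandatory integrity check ("no write up") that
Internet Explorer Protected Mode relies on.

Added, simplified simulation written for this page: it calls no Windows
APIs, and the sample paths and labels below are constructed.
"""
from enum import IntEnum
from typing import List, Optional, Tuple


class Integrity(IntEnum):
    """Mandatory integrity levels, ordered from least to most trusted."""
    UNTRUSTED = 0x0000
    LOW = 0x1000        # Internet Explorer in Protected Mode
    MEDIUM = 0x2000     # a standard user's ordinary processes
    HIGH = 0x3000       # an elevated (administrator) process
    SYSTEM = 0x4000     # services


# An object with no explicit mandatory label is treated as Medium, which is
# why a Low process cannot touch the user's profile or system locations even
# where the DACL would grant the user write access.
DEFAULT_LABEL = Integrity.MEDIUM


def can_write(process_level: Integrity,
              object_label: Optional[Integrity],
              dacl_allows_write: bool) -> bool:
    """Decide whether a process at process_level may write to an object.

    The mandatory integrity check runs first and independently of the
    discretionary ACL: writing to an object whose label is higher than the
    process level is denied (no write up).  Equal or lower labels fall
    through to the DACL decision, so both gates must allow the write.
    """
    effective_label = DEFAULT_LABEL if object_label is None else object_label
    if process_level < effective_label:
        return False
    return dacl_allows_write


# Constructed sample objects: (path, explicit label or None, DACL grants the
# interactive user write access).  The Low-labeled folders stand in for the
# locations the text lists as writable from Protected Mode.
SampleObject = Tuple[str, Optional[Integrity], bool]
SAMPLE_OBJECTS: List[SampleObject] = [
    (r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low",
     Integrity.LOW, True),
    (r"C:\Users\alice\AppData\Local\Temp\Low", Integrity.LOW, True),
    (r"C:\Users\alice\Documents\report.docx", None, True),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", None, True),
    # WRP-protected file: unlabeled (so Medium), but the DACL denies the user.
    (r"C:\Windows\System32\ntoskrnl.exe", None, False),
]


def writable_paths(process_level: Integrity) -> List[str]:
    """Return the sample objects a process at the given level may write."""
    return [path for path, label, dacl in SAMPLE_OBJECTS
            if can_write(process_level, label, dacl)]


if __name__ == "__main__":
    for level in (Integrity.LOW, Integrity.MEDIUM, Integrity.HIGH):
        print(f"{level.name:7}", writable_paths(level))
```

The model separates the two gates on purpose: the integrity check is evaluated before the DACL and cannot be overridden by it, which is why a Protected Mode extension that used to write into the user's profile fails even though the user's own permissions on that profile are unchanged.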

64-Bit architecture
Windows 7 fully supports the 64-bit architecture. The 64-bit version of Windows 7 can
run all 32-bit applications with the help of the WOW64 emulator. Considerations for
64-bit Windows 7 include:
• Applications or components that use 16-bit executables, 16-bit installers, or 32-bit
kernel drivers will either fail to start or will function improperly on a 64-bit edition
of Windows 7.
• Installation of 32-bit kernel drivers will fail on a 64-bit system. If an installer
manually adds such a driver by editing the registry, the system will not load the
driver, and this action could cause the system to fail.
• Installation of unsigned 64-bit drivers will fail on a 64-bit system. If an installer
manually adds a driver by editing the registry, the system will not load the driver
at load time if it is not signed.

Windows Filtering Platform (WFP)


WFP is an application programming interface (API) that enables developers to create
code that interacts with the filtering that occurs at several layers in the networking
stack and throughout the operating system. If you are using a previous version of this
API in your environment, you may experience failures when running security-class
applications, such as network scanners, antivirus programs, or firewall applications.

Operating System Version Changes


The operating system version number changes with each operating system release. For
Windows Vista, the internal version number is 6, whereas for Windows 7, the internal
version number is 6.1. The GetVersion function returns this value when queried by an
application. This change affects any application or application installer that specifically
checks for the operating system version and might prevent the installation from
occurring or the application from running.
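As an added illustration for this page (not courseware code) of why a version check can break on one release and pass on the next, the following Python models two common forms of the check an installer performs on the major and minor numbers that GetVersion reports, beside the correct comparison. The 6.0 and 6.1 values are the ones given above, 5.1 is Windows XP, and the function names are this example's own.

```python
"""Operating-system version checks: the bug the text describes and the fix.

Added example for this page, not courseware code.  It models what an
installer does with the major and minor numbers that GetVersion reports.
"""
from typing import Dict, Tuple

Version = Tuple[int, int]          # (major, minor)

WINDOWS_XP: Version = (5, 1)
WINDOWS_VISTA: Version = (6, 0)
WINDOWS_7: Version = (6, 1)


def naive_requires_xp_or_later(major: int, minor: int) -> bool:
    """A frequent bug: each number is tested on its own.

    The author meant "5.1 or later", but the minor-number test makes 6.0
    fail while 6.1 passes.  An installer with this check refuses to run on
    Windows Vista and appears to be fixed on Windows 7 purely by accident.
    """
    return major >= 5 and minor >= 1


def exact_match_supported(major: int, minor: int) -> bool:
    """Another frequent bug: a whitelist of the releases known at build time.

    Every later release is rejected even though it is newer and compatible.
    This is the kind of check that compatibility mode defeats by reporting
    an older version number to the application.
    """
    return (major, minor) in {(5, 1), (5, 2), (6, 0)}


def requires_at_least(running: Version, minimum: Version) -> bool:
    """Correct form: compare the (major, minor) pair as a whole, so that
    6.0 >= 5.1 and 6.1 >= 6.0 both hold."""
    return running >= minimum


def compatibility_report(running: Version) -> Dict[str, bool]:
    """Evaluate the three checks against one reported version."""
    major, minor = running
    return {
        "naive": naive_requires_xp_or_later(major, minor),
        "exact_match": exact_match_supported(major, minor),
        "tuple_compare": requires_at_least(running, WINDOWS_XP),
    }


if __name__ == "__main__":
    for name, version in (("Windows Vista", WINDOWS_VISTA), ("Windows 7", WINDOWS_7)):
        print(name, compatibility_report(version))
```

Run against 6.0 the naive check fails and the whitelist passes; against 6.1 the naive check passes and the whitelist fails. Only the tuple comparison gives the answer the author intended on both releases, which is why fixing the check in the application is the durable mitigation and a compatibility-mode shim is the stopgap.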

Kernel-mode drivers
Kernel-mode drivers must support the Windows 7 operating system or be redesigned
to follow the User-Mode Driver Framework (UMDF). UMDF is a device driver
development platform that was introduced in Windows Vista. In addition, kernel-mode
printer driver support has been removed from Windows 7 and Windows Server 2008
R2.

Note: For 64-bit versions of Windows 7, all drivers must be digitally signed by the
vendor to be installed.

Deprecated components
The release of Windows 7 has also introduced issues with deprecated APIs or DLLs
from Windows XP and Windows Vista, the new credential provider framework, and
service isolation.
• Deprecations: Windows 7 has deprecated many objects from earlier versions of
the operating system. The deprecation has occurred for .dll files, executable (.exe)
files, COM objects, registry keys, application programming interfaces (APIs), and
various other files. This change affects any application that used the deprecated
APIs or DLLs, causing the applications to lose functionality or to fail to start.
• Graphical Identification and Authentication (GINA) DLL: Independent
Software Vendors (ISVs) were able to modify Microsoft Windows® authentication
by installing a GINA DLL. The GINA DLL then performed all the identification
and authentication of user interactions. Windows 7 offers a new authentication
model that no longer requires this DLL and ignores all previous GINA DLLs. This
change affects any application or hardware component that attempts to log on by
using customized logon applications, including biometric devices (fingerprint
readers), customized user interfaces, and virtual private network (VPN) solutions
for remote users with customized logon user interfaces.
• Session 0: In earlier versions of Windows, the first user who logged on to a
computer ran in Session 0, which is the same session that is used for all system
services. Windows 7 requires all users to run in Session 1 or later so that no user
runs in the same session as the system services. Because of this change,
applications will fail to start if they depend on interactive services. Interactive
services include any service that attempts to send a Windows message, any service
that attempts to locate a window or additional service, and any service that
attempts to run any user processes that open the same named object (unless it is a
globally named object).

Common Mitigation Methods

The Application Compatibility Toolkit (ACT) 5.5 enables you to determine whether
your applications are compatible with Windows 7. ACT also helps you determine how
an update to the new version will affect your applications. You can use the ACT
features to:
• Verify your application, device, and computer compatibility with a new version of
the Windows operating system
• Verify a Windows update's compatibility
• Become involved in the ACT community and share your risk assessment with
other ACT users
• Test your Web applications and Web sites for compatibility with new releases and
security updates to Internet Explorer

Note: For more information on ACT 5.5, please refer to:
http://go.microsoft.com/fwlink/?LinkID=154220

Mitigating an application compatibility issue typically depends on various factors, such
as the type of application and current support for the application.

Mitigation Methods
Some of the more common mitigation methods include the following:
• Modifying the configuration of the existing application: there can be
compatibility issues that require a modification to the application configuration,
such as moving files to different folders, modifying registry entries, or changing
file or folder permissions. You can use tools such as the Compatibility
Administrator or the Standard User Analyzer (installed with ACT) to detect and
create application fixes (also called shims) to address the compatibility issues. You
should contact the software vendor for information about any additional
compatibility solutions.
• Applying updates or service packs to the application: updates or service packs
may be available to address many of the compatibility issues and help the
application to run with the new operating system environment. After applying the
update or service pack, additional application tests can ensure that the
compatibility issue has been mitigated.
• Upgrading the application to a compatible version: if a newer, compatible
version of the application exists, the best long-term mitigation is to upgrade to the
newer version. Using this approach, you must consider both the cost of the
upgrade and any potential problems that may arise with having two different
versions of the application.
• Modifying the security configuration: if your compatibility issues appear to be
permissions-related, a short-term solution is to modify the security configuration
of the application. Using this approach, you must be sure to conduct a full risk
analysis and gain consensus from your organization’s security team regarding the
modifications. For example, Internet Explorer Protected Mode issues can be
mitigated by adding the site to the Trusted Sites list or by turning off Protected
Mode (which is not recommended).
• Running the application in a virtualized environment: if all other methods are
unavailable, you may be able to run the application in an earlier version of
Windows, using virtualization tools such as Microsoft Virtual PC and Microsoft
Virtual Server. There are a number of advantages to using a virtualized
environment, such as the ability to support a large number of servers in a single
host environment and the ability to easily restore a virtualized configuration to a
previous state. However, performance issues and the lack of support for
hardware-specific drivers limit full production functionality for many organizations.
Another option is to provide the application to users using technologies such as
Microsoft Application Virtualization (App-V) or Microsoft Enterprise Desktop
Virtualization (MED-V). App-V enables you to deploy applications to users
without installing the application on the client’s workstation. The application runs
on the client in a virtual “bubble” that is isolated from other applications installed
on the client. MED-V deploys a virtual machine to a client workstation, and
provides you with the ability to seamlessly access the applications from within the
virtual machine.
• Using application compatibility features: application issues, such as operating
system versioning, can be mitigated by running the application in compatibility
mode. This mode can be accessed by right-clicking the shortcut or .exe file and
applying Windows Vista compatibility mode from the Compatibility tab. You can
also use the Program Compatibility Wizard to assist in configuring compatibility
mode with an application. The Program Compatibility Wizard is found in the
Control Panel under Programs and Features.
• Selecting another application that performs the same business function: if
another compatible application is available, consider switching to the compatible
application. Using this approach, you must consider both the cost of
the application and the cost of employee support and training.

Updating Shims

A shim is a software program added to an existing application or other program to
provide enhancement or stability. In the application compatibility context, a shim refers
to a compatibility fix, which is a small piece of code that intercepts API calls from
applications and transforms them so that Windows 7 provides the same support for
the application as earlier versions of Windows did. This can mean anything from
disabling a new feature in Windows 7 to emulating a particular behavior of an earlier
version of the Win32® API set.
The Compatibility Administrator Tool, installed with ACT, can be used to create a new
compatibility fix. This tool has preloaded many common applications, including any
known compatibility fixes, compatibility modes, or AppHelp messages. Before you
create a new compatibility fix, search for an existing application and then copy and
paste the known fixes into your customized database.

Searching for Existing Compatibility Fixes


To search for a compatibility fix for an existing application, perform the following
steps:
1. In the left pane of the Compatibility Administrator, expand the Applications
folder and search for your application name.
2. Click the application name to view the preloaded compatibility fixes, compatibility
modes, or AppHelp messages.

Creating a New Compatibility Fix


If you do not find a preloaded compatibility fix for your application, you can create a
new one for use in your customized database. To create a new compatibility fix,
perform the following steps:
1. In the left pane of the Compatibility Administrator, under the Custom Databases
heading, right-click the name of the database to which you will apply the
compatibility fix. Click Create New, and then click Application Fix. The Create
new Application Fix Wizard appears.
2. Type the name of the application to which this compatibility fix applies, type the
name of the application vendor, browse to the location of the application file (.exe)
on your computer, and then click Next. The wizard shows the available
Compatibility Modes.
3. Select the operating system for which your compatibility fix applies, click any
applicable compatibility modes to apply to your compatibility fix, and then click
Next. The wizard changes to show the available Compatibility Fixes.
4. Select any additional compatibility fixes to apply to your compatibility fix, and
then click Next. The wizard changes to show the known Matching Information,
used for program identification.
5. Select any additional criteria to use to match your applications to the AppHelp
message, and then click Finish.
6. Save the compatibility fix as a compatibility fix database (.sdb file).

Note: By default, the Compatibility Administrator automatically selects the basic
matching criteria for your application. As a best practice, use a limited set of matching
information to represent your application, because it reduces the size of the database.
However, you must also make sure you have enough information to correctly identify
your application.

Deploying a Compatibility Fix


You must deploy your compatibility fix database (.sdb) files to other computers in your
organization before your compatibility fixes, compatibility modes, and AppHelp
messages are applied. Deploying your custom compatibility fix database into your
organization requires you to perform the following actions:
1. Store your compatibility fix database (.sdb file) in a location from which all of
your organization's computers can access it, either locally or on your network. You
can deploy your customized database files in several ways, including by using a
logon script, by using Group Policy, or by performing file copy operations.
2. After deploying and storing the customized databases on each of your local
computers, you must register the database files. Until you register the database
files, the operating system will be unable to identify the available compatibility
fixes when starting an application. Use the Sdbinst.exe command-line tool to
install the custom compatibility fix database locally.

Question: When would you use a compatibility fix?

Answer: The answer may vary. You use a compatibility fix in several scenarios, such as
when a compatibility issue exists in an application from a vendor that no longer exists,
in an internally created application, in an application for which a compatible version is
to be released in the near future, or in an application that is non-critical to the
organization, regardless of its version.

Module Review and Takeaways

Review Questions
You have decided to deploy Windows 7 in your organization. You are working from
your organization’s head office. Your organization has five branch offices in the same
country. Each branch office has fewer than ten users. In total, there are one hundred
users in your organization’s head office. In addition, there are several users that work
from home or on the go, all over the country. Your organization also has plans to grow
into neighboring countries in the near future. This introduces languages that differ from
those of your organization’s head office.
Your organization has a standardized and managed IT environment with Windows
Server 2008 R2 and Active Directory in place. Almost all of the users are running
Windows XP with Service Pack 3 and a few are running Windows Vista with Service
Pack 2.
1. Which edition of Windows 7 is best suited to your organization?
2. Which installation method should you choose?
3. If migration is involved, which migration tool should you use?

Review Answers
1. In business scenarios, you should select either Windows 7 Professional or
Windows 7 Enterprise. These two editions are business-focused and support
domain join and Active Directory. You have several branch offices and several
mobile employees. In this scenario, you should select Windows 7 Enterprise to
take advantage of features such as DirectAccess, BranchCache, and VPN
Reconnect that will increase the productivity of your branch office and mobile
employees. Also, Windows 7 Enterprise supports all worldwide interface
languages, which may come in handy when your organization expands to the
neighboring countries.
2. Your organization has a standardized and managed IT environment and there are
significant numbers of computers involved in this deployment. Although some of
your users, who are running Windows Vista with Service Pack 2, can upgrade
directly to Windows 7, you should still perform a clean installation of Windows 7
followed by migration to preserve user settings and data. This ensures that all of
your users begin with the same configuration, and all applications, files, and
settings are reset. You should consider performing the clean installation by using a
standard image and follow the image-based installation of Windows. You can
deploy the image by using deployment tools such as Windows Deployment
Services (WDS) or Microsoft Deployment Toolkit (MDT).
3. You are dealing with significant numbers of computers in this scenario. You
should select User State Migration Tool (USMT) to help you migrate user settings
and data.

Common Issues related to installing Windows 7

Problem: Installation media is damaged.
Troubleshooting tips: Test the CD or DVD on another system.

Problem: BIOS upgrade is needed.
Troubleshooting tips: Check your computer supplier’s Internet site to see whether a
basic input/output system (BIOS) upgrade is available for Windows 7.

Problem: Hardware is installed improperly.
Troubleshooting tips: Check any messages that appear during the boot phase. Install
add-on hardware, such as video cards and memory modules, properly.

Problem: Hardware fails to meet minimum requirements.
Troubleshooting tips: Use Windows Catalog to locate products designed for Microsoft
Windows and ensure that your hardware meets the minimum requirements for the
edition of Windows 7 that you want to install.

Problem: Error messages appear during setup.
Troubleshooting tips: Carefully note any messages, and search the Microsoft
Knowledge Base for an explanation.

Common Issues related to Application Compatibility Problems

Problem: Application cannot be installed or run in Windows 7.
Troubleshooting tips:
• Upgrade the application to a compatible version.
• Apply updates or service packs to the application.

Problem: Application can be installed and run, but does not perform as it should.
Troubleshooting tips:
• Use application compatibility features.
• Modify the application configuration by creating application fixes.
• Run the application in a virtualized environment.
• Select another application that performs the same business function.

Best Practices related to installing, upgrading, and migrating to Windows 7
• Always back up your data before performing an upgrade of operating system.
• Install Windows by using an image to achieve a standardized computer
environment.
• Evaluate system requirements and application compatibility before upgrading the
operating system.
• Run Sysprep /generalize before transferring a Windows image to another
computer.
• When capturing an image, use the ImageX /flags option to create the Metadata to
apply to the image.
• Create architecture-specific sections for each configuration pass in an answer file.

Tools

Tool: Windows Setup
Use for: Installing Windows or upgrading previous Windows versions
Where to find it: Windows 7 Product DVD

Tool: Windows Upgrade Advisor
Use for: Assessing the feasibility of an upgrade to Windows 7
Where to find it: Microsoft Download Center

Tool: Microsoft Assessment and Planning Toolkit
Use for: Assessing organization readiness for Windows 7
Where to find it: Microsoft Download Center

Tool: Windows Easy Transfer
Use for: Migrating user settings and data in a side-by-side migration for a single
computer or a few computers
Where to find it: Windows 7; Windows 7 Product DVD

Tool: Windows Automated Installation Kit (Windows AIK)
Use for: Supporting the deployment of the Windows operating system
Where to find it: Microsoft Download Center

Tool: User State Migration Tool
Use for: Migrating user settings and data for a large number of computers
Where to find it: Windows AIK

Tool: Windows SIM
Use for: Creating unattended installation answer files
Where to find it: Windows AIK

Tool: ImageX
Use for: Capturing, creating, modifying, and applying the WIM file
Where to find it: Windows AIK

Tool: Windows PE
Use for: Installing and deploying the Windows operating system
Where to find it: Windows 7 Product DVD

Tool: Sysprep
Use for: Preparing a Windows installation for disk imaging, system testing, or delivery
Where to find it: Windows AIK

Tool: Diskpart
Use for: Configuring the hard disk
Where to find it: Windows 7

Tool: WDS
Use for: Deploying Windows over the network
Where to find it: Microsoft Download Center for Windows Server 2003 SP1; server
role in Windows Server 2008 and Windows Server 2008 R2

Tool: DISM
Use for: Servicing and managing Windows images
Where to find it: Windows 7; Windows AIK

Tool: Application Compatibility Toolkit
Use for: Inventorying and analyzing organization application compatibility
Where to find it: Microsoft Download Center

Tool: Compatibility Administrator Tool
Use for: Creating application fixes
Where to find it: ACT
Configuring Disks and Device Drivers 2-1

Module 2
Configuring Disks and Device Drivers
Contents:
Lesson 1: Partitioning Disks in Windows 7 2-4
Lesson 2: Managing Disk Volumes 2-18
Lesson 3: Maintaining Disks in Windows 7 2-36
Lesson 4: Installing and Configuring Device Drivers 2-48

Module Overview



Whether IT professionals manage and deploy desktops, laptops, or virtual
environments, the Windows® 7 operating system simplifies common tasks and helps
IT professionals leverage tools and skills similar to those they used with Windows
Vista®.
To help ensure that previously installed devices continue to work in Windows 7,
Microsoft is working to ensure that you can get their drivers directly from Windows
Update or from device manufacturer Web sites.
Although most computers running Windows 7 have a single physical disk configured
as a single volume, this is not always the case. For example, there may be times when
you want to have multiple operating systems on a single computer or to have the virtual
memory on a different volume. Therefore, it is important that you understand how to
create and manage simple, spanned, and striped volumes. To help optimize file system
performance, you must be familiar with file system fragmentation and the tools used to
help defragment a volume. In addition, a good understanding of disk quotas helps you
manage available disk space on installed volumes.
Throughout the remainder of this module, keep the following terms, their definitions,
and descriptions in mind:

• Basic disk
• Dynamic disk
• Volume
• System volume
• Boot volume
• Partition
• Disk partitioning
• Logical Block Address (LBA)
Additional information about each term is included in the “Module Review and
Takeaways” section.

Lesson 1
Partitioning Disks in Windows 7



When you install a disk in a computer that is running Windows 7, you can choose to
select one of two partitioning schemes:
• Master Boot Record (MBR)-based partitioning scheme
• Globally unique identifier (GUID) partition table (GPT)-based partitioning scheme
The following are common reasons to partition a disk:
• Separate operating system files from data and user files
• Place applications and data files in the same location
• Put cache, log, and paging files in a location separate from other files
• Create multiboot setup environments
You can use Disk Management to perform disk-related tasks such as creating and
formatting partitions and volumes, and assigning drive letters. In addition, you can use
the diskpart command, along with other command-line utilities, to perform disk
management tasks such as partitioning disks or converting disks from one partition
scheme to the other.

What is an MBR Disk?


The MBR contains the partition table for the disk and a small amount of executable
code called the master boot code. A bootable hard disk that contains an MBR is an
MBR disk. The MBR is created when the disk is partitioned, is located in the first
sector of the hard disk, and contains a table of four partition entries, each describing
the size and location of a partition on the disk using 32-bit Logical Block Address
(LBA) fields. As a result, the size of a partition cannot exceed 2 TB. Most Windows 7
platforms, such as 32-bit and 64-bit SKUs running on motherboards with Basic
Input/Output System (BIOS) firmware, require an MBR-partitioned system disk and
are not bootable from a larger-capacity disk.

How MBR-Based Disks Work


The MBR is stored at a consistent location on a physical disk, enabling the computer
BIOS to reference it. During the startup process, the computer examines the MBR to
determine which partition on the installed disks is marked as active. The active
partition contains the operating system startup files.

Note: You can install the rest of the operating system on another partition or disk. In
Windows 7, the active partition must contain the boot sector, boot manager, and related
files.

Features of MBR-Based Disks


The MBR partition scheme has been around for a long time, and supports both current
and early desktop operating systems, such as the MS-DOS and the Microsoft®
Windows NT® Server 4.0 operating system. Consequently, the MBR partition scheme
is widely supported. However, the MBR partition scheme imposes certain restrictions.
These include:

• Four partitions on each disk: MBR-based disks are limited to four partitions. All
of these can be primary partitions, or one can be an extended partition with logical
volumes inside. You can configure the extended partition to contain multiple
volumes.
• A 2 Terabyte (TB) maximum partition size: A partition cannot be larger than 2
TB.
• No redundancy provided: The MBR is a single point of failure, and if corrupted
or damaged, it can render the operating system non-bootable.
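The following Python example, added here and not part of the courseware, builds a constructed MBR sector in memory, parses its four-entry partition table, and shows where the 2 TB ceiling comes from: a 32-bit LBA field can address at most 2^32 sectors, which at 512 bytes per sector is 2 TiB. The layout constants are the standard MBR ones; the sample partition values and the helper names are this example's own.

```python
"""Parse an MBR partition table and show where the 2 TB ceiling comes from.

Added example for this page, not courseware code.  It uses the standard MBR
layout (446 bytes of master boot code, four 16-byte partition entries, the
0x55AA signature, 32-bit LBA fields); the sector is constructed in memory
rather than read from a disk.
"""
import struct
from typing import Dict, List

SECTOR_SIZE = 512
TABLE_OFFSET = 446               # the partition table follows the boot code
ENTRY_FORMAT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sectors
SIGNATURE = b"\x55\xAA"
MAX_SECTORS = 2 ** 32            # one more than the largest 32-bit LBA value
ACTIVE = 0x80


def fits_in_mbr(lba_start: int, sectors: int) -> bool:
    """True if both 32-bit fields of an entry can hold these values."""
    return 0 <= lba_start < MAX_SECTORS and 0 < sectors < MAX_SECTORS


def build_entry(active: bool, part_type: int, lba_start: int, sectors: int) -> bytes:
    """Encode one partition entry, refusing values that do not fit in 32 bits."""
    if not fits_in_mbr(lba_start, sectors):
        raise OverflowError("LBA start or size exceeds the 32-bit MBR field")
    # CHS fields are ignored by LBA-aware firmware; 0xFE 0xFF 0xFF is the
    # conventional "beyond CHS range" filler.
    chs = b"\xfe\xff\xff"
    return struct.pack(ENTRY_FORMAT, ACTIVE if active else 0, chs, part_type, chs,
                       lba_start, sectors)


def build_mbr(entries: List[bytes]) -> bytes:
    """Assemble a 512-byte MBR from up to four entries (unused slots are zero)."""
    if len(entries) > 4:
        raise ValueError("an MBR holds at most four partition entries")
    table = b"".join(entries).ljust(64, b"\x00")
    return bytes(TABLE_OFFSET) + table + SIGNATURE


def parse_mbr(sector: bytes) -> List[Dict[str, int]]:
    """Return the non-empty partition entries of an MBR sector."""
    if len(sector) != SECTOR_SIZE or sector[510:] != SIGNATURE:
        raise ValueError("not a valid MBR sector")
    partitions = []
    for index in range(4):
        offset = TABLE_OFFSET + 16 * index
        status, _, ptype, _, lba, count = struct.unpack(
            ENTRY_FORMAT, sector[offset:offset + 16])
        if ptype == 0:
            continue                     # empty slot
        partitions.append({
            "index": index,
            "active": status == ACTIVE,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
            "size_bytes": count * SECTOR_SIZE,
        })
    return partitions


def max_partition_bytes(sector_size: int = SECTOR_SIZE) -> int:
    """The 2 TB ceiling: 2^32 sectors times the sector size (2 TiB at 512 bytes)."""
    return MAX_SECTORS * sector_size


# Constructed sample: a 100 MB active system partition followed by a 20 GB data partition.
SAMPLE_MBR = build_mbr([
    build_entry(True, 0x07, 2048, 204800),        # NTFS, marked active
    build_entry(False, 0x07, 206848, 41943040),   # NTFS
])

if __name__ == "__main__":
    for part in parse_mbr(SAMPLE_MBR):
        print(part)
    print("largest MBR partition:", max_partition_bytes() // 2 ** 40, "TiB")
```

Because both the starting LBA and the sector count are 32-bit, a partition that starts near the end of a 2 TB disk cannot even be described, let alone booted; that is the restriction the 64-bit LBAs of GPT remove.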

Question: What are three restrictions of an MBR partitioned disk? Have you
encountered these limitations in your organization, and if so, what did you do to work
around them?

Answer: The restrictions are that MBR partitioned disks are limited to four partitions,
a 2 TB maximum partition size, and there is no data redundancy provided.

What is a GPT Disk?



As operating systems evolve and hard disks grow larger, the inherent restrictions of an
MBR partitioned disk limit the viability of this partitioning scheme as an option in
many scenarios. Consequently, a new disk partitioning system has been developed: the
Globally Unique Identifier (GUID) Partition Table, or GPT.
GPT contains an array of partition entries describing the start and end LBA of each
partition on the disk. Each GPT partition has a unique identification GUID and a
partition content type. Also, each LBA described in the partition table is 64 bits in
length. The GPT format is specified by the Unified Extensible Firmware Interface
(UEFI), but is not exclusive to UEFI systems. Both 32-bit and 64-bit Windows operating
systems support GPT for data disks on BIOS systems, but they cannot boot from them.
The 64-bit Windows operating systems support GPT for boot disks on UEFI systems.

GPT Disks Features


GPT-based disks address the limitations of MBR-based disks. GPT disks support:

• 128 partitions per disk: This is a vast improvement over MBR-based disks.
• 18 Exabyte (EB) volume size: This is a theoretical maximum because hard disk
hardware is not yet available that supports such vast volume sizes.
• Redundancy: The GPT is duplicated and protected by Cyclic Redundancy Checks
(CRC).

You can implement GPT-based disks on Windows Server® 2008, Windows Vista, and
Windows 7. You cannot use the GPT partition style on removable disks.

GPT Architecture
On a GPT partitioned disk, the following sectors are defined:
• Sector 0 contains a legacy protective MBR. The protective MBR contains one
primary partition covering the entire disk.
  • The protective MBR protects GPT disks from previously released MBR disk tools
  such as Microsoft MS-DOS FDISK or Microsoft Windows NT Disk Administrator. These
  tools view a GPT disk as having a single encompassing (possibly unrecognized)
  partition by interpreting the protective MBR, rather than mistaking the disk for
  one that is unpartitioned.
  • Legacy software that does not know about GPT interprets only the protective MBR
  when it accesses a GPT disk.
• Sector 1 contains a partition table header. The partition table header contains the
unique disk GUID, the number of partition entries (usually 128), and pointers to
the partition table.
• The partition table starts at sector 2. Each partition entry contains a unique
partition GUID, the partition offset, length, type (also a GUID), attributes, and a
36 character name.
The following table describes the partitions.

A: EFI System Partition (ESP), 100 MB
   Contains the boot manager, the files that are required for booting an operating
   system, the platform tools that run before operating system boot, or the files that
   must be accessed before operating system boot.
   The ESP must be first on the disk. The primary reason for this is that it is
   impossible to span volumes when the ESP is logically between what you are
   attempting to span.

B: Microsoft Reserved (MSR), 128 MB
   Reserved for Windows components. This partition is hidden in Disk Management and
   does not receive a drive letter.
   Usage example: When you convert a basic GPT disk to dynamic, the system decreases
   the size of the MSR partition and uses that space to create the Logical Disk
   Manager (LDM) Metadata partition.

C: Operating System (OS), remaining disk
   Contains the OS and is the size of the remaining disk.

Question: How does a GPT partitioned disk on a 64-bit Windows 7 operating system
use an MBR?

Answer: On a GPT partitioned disk, Sector 0 contains a legacy protective MBR. The
protective MBR contains one primary partition covering the entire disk. The protective
MBR protects GPT disks from previously released MBR disk tools such as Microsoft
MS-DOS FDISK or Microsoft Windows NT Disk Administrator. These tools view a
GPT disk as having a single encompassing (possibly unrecognized) partition by
interpreting the protected MBR, rather than mistaking the disk for one that is
unpartitioned. Legacy software that does not know about GPT interprets only the
protected MBR when it accesses a GPT disk.
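The sector layout just described, worked through in code. This Python script is an added example, not part of the courseware: it builds a small constructed GPT image holding the A, B and C partitions from the table, parses sector 0 as an MBR (four 16-byte entries whose 32-bit LBA fields are where the 2 TB limit comes from), recognizes the protective 0xEE entry, then reads the header in sector 1 and the 128 entries from sector 2 while verifying both CRCs. The sector size, partition sizes, names and the tiny disk geometry are assumptions; a one-byte raw edit to an entry is shown failing the CRC check, which is the reason sector editors must not be used on GPT disks.

```python
"""Added example: parse the MBR and GPT layouts described above from a constructed image."""
import struct
import uuid
import zlib

SECTOR = 512                                  # assumed sector size; LBA fields count sectors
MBR_MAX_PARTITION_BYTES = 2 ** 32 * SECTOR    # 32-bit LBA fields: 2 TB with 512-byte sectors
MBR_FMT = "<B3xB3xII"          # boot flag, CHS start, type, CHS end, first LBA, sector count
GPT_HDR_FMT = "<8sIII4xQQQQ16sQIII"   # 92-byte header stored at sector 1
GPT_ENT_FMT = "<16s16sQQQ72s"  # 128-byte entry: type GUID, unique GUID, LBAs, attrs, name
ESP_GUID = "C12A7328-F81F-11D2-BA4B-00A0C93EC93B"         # EFI System Partition (A)
MSR_GUID = "E3C9E316-0B5C-4DB8-817D-F92DF00215AE"         # Microsoft Reserved (B)
BASIC_DATA_GUID = "EBD0A0A2-B4C6-4E3B-8F6E-5B28DE1D5F5E"  # Windows data/OS volume (C)


def parse_mbr(sector0):
    """Return the four 16-byte partition entries from an MBR sector."""
    if sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR boot signature")
    entries = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from(MBR_FMT, sector0, 446 + 16 * i)
        entries.append({"active": boot == 0x80, "type": ptype,
                        "first_lba": lba, "sectors": count})
    return entries


def parse_gpt(img):
    """Parse protective MBR, header (sector 1) and entries (sector 2+), checking both CRCs."""
    if parse_mbr(img[:SECTOR])[0]["type"] != 0xEE:
        raise ValueError("sector 0 is not a protective MBR: treat the disk as MBR-partitioned")
    (sig, _rev, hsize, hcrc, _cur, _backup, first_use, last_use, dguid,
     ent_lba, ent_num, ent_size, ent_crc) = struct.unpack_from(GPT_HDR_FMT, img, SECTOR)
    if sig != b"EFI PART" or not 92 <= hsize <= SECTOR:
        raise ValueError("bad GPT header signature or size")
    zeroed = bytearray(img[SECTOR:SECTOR + hsize])   # header CRC is computed with its own
    zeroed[16:20] = b"\0" * 4                         # CRC field set to zero
    if zlib.crc32(zeroed) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    raw = img[ent_lba * SECTOR:ent_lba * SECTOR + ent_num * ent_size]
    if zlib.crc32(raw) != ent_crc:
        raise ValueError("partition array CRC mismatch")
    parts = []
    for i in range(ent_num):
        tguid, pguid, first, last, attrs, name = struct.unpack_from(GPT_ENT_FMT, raw, i * ent_size)
        if tguid == b"\0" * 16:
            continue                                  # unused entry
        parts.append({"type": str(uuid.UUID(bytes_le=tguid)).upper(),
                      "guid": str(uuid.UUID(bytes_le=pguid)).upper(),
                      "first_lba": first, "last_lba": last, "attributes": attrs,
                      "name": name.decode("utf-16-le").rstrip("\0")})
    return {"disk_guid": str(uuid.UUID(bytes_le=dguid)).upper(),
            "first_usable": first_use, "last_usable": last_use, "partitions": parts}


def build_gpt_image(total_sectors=128):
    """Construct a tiny GPT image with the A, B and C partitions from the table (sizes assumed)."""
    img = bytearray(total_sectors * SECTOR)
    struct.pack_into(MBR_FMT, img, 446, 0x00, 0xEE, 1, total_sectors - 1)  # protective MBR
    img[510:512] = b"\x55\xAA"
    entries = bytearray(128 * 128)          # sectors 2-33, so the first usable LBA is 34
    layout = [(ESP_GUID, 34, 41, "EFI system partition"),
              (MSR_GUID, 42, 49, "Microsoft reserved partition"),
              (BASIC_DATA_GUID, 50, total_sectors - 34, "Basic data partition")]
    for i, (ptype, first, last, name) in enumerate(layout):
        struct.pack_into(GPT_ENT_FMT, entries, i * 128, uuid.UUID(ptype).bytes_le,
                         uuid.uuid4().bytes_le, first, last, 0, name.encode("utf-16-le"))
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    hdr = bytearray(struct.pack(GPT_HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 1,
                                total_sectors - 1, 34, total_sectors - 34,
                                uuid.uuid4().bytes_le, 2, 128, 128, zlib.crc32(entries)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(hdr))   # patch in the header's own CRC
    img[SECTOR:SECTOR + 92] = hdr
    return bytes(img)


def raw_edit_error(img):
    """Flip one byte of a partition name without fixing CRCs, as a sector editor would."""
    bad = bytearray(img)
    bad[2 * SECTOR + 56] ^= 0x01
    try:
        parse_gpt(bytes(bad))
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    disk = parse_gpt(build_gpt_image())
    for p in disk["partitions"]:
        print(f"{p['name']:30} LBA {p['first_lba']}-{p['last_lba']}  type {p['type']}")
    print("raw edit detected:", raw_edit_error(build_gpt_image()))
```

Only the primary structures are built and read; a real disk also carries a backup header and entry array at its end, which is the redundancy the GPT features list refers to.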

Disk Management Tools



Two tools that you can use to manage disks and the volumes or partitions that they
contain on Windows 7 are as follows:
• Disk Management: The graphical user interface for managing disks and volumes,
both basic and dynamic, locally or on remote computers. After you select the
remote computer to manage, perform the same tasks that you typically perform
while sitting at the local computer.
• Diskpart.exe: A scriptable command-line utility, with functionality similar to that
which can be done in Disk Management and some advanced features. You can
create scripts to automate disk-related tasks, such as creating volumes or
converting disks to dynamic. Diskpart.exe always runs locally.

Note: Remote connections in workgroups are not supported. Both the local computer
and the remote computer must be in a domain to use Disk Management to manage a
disk remotely.

Note: Do not use disk editing tools such as DiskProbe to make changes to GPT disks.
Any change that you make renders the checksums invalid, which might cause the disk
to become inaccessible. To make changes to GPT disks, use diskpart or Disk
Management.

With either tool, you can initialize disks, create volumes, and format the volume file
system. Additional common tasks include moving disks between computers, changing
disks between basic and dynamic types, and changing the partition style of disks. Most
disk-related tasks can be performed without restarting the system or interrupting users,
and most configuration changes take effect immediately.

Disk Management
Using the Disk Management snap-in of the Microsoft Management Console (MMC),
administrators can quickly manage standard, fault tolerant, and volume sets and
confirm the health of each volume. Disk Management in Windows 7 provides the same
features you may already be familiar with from earlier versions, but also includes some
new features:
• Simpler partition creation: When you right-click a volume, you can choose whether to
create a basic, spanned, or striped partition directly from the menu.
• Disk conversion options: When you add more than four partitions to a basic disk,
you are prompted to convert the disk to dynamic or to the GPT partition style. You
can also convert basic disks to dynamic disks without data loss. However,
converting a dynamic disk to basic is not possible without deleting all the volumes
first.
• Extend and shrink partitions: You can extend and shrink partitions directly from
the Windows interface.
To open Disk Management, click Start, type “diskmgmt.msc” in the search box, and
then click diskmgmt.msc in the results list.

Diskpart.exe
Diskpart.exe allows you to manage fixed disks and volumes by using scripts or direct
input from the command line. At the command prompt, type “diskpart” and then enter
commands from the diskpart> prompt. The following are common diskpart actions:
• To view a list of diskpart commands, at the diskpart command prompt, type
“commands”.
• To run a diskpart script that you have saved in a text file, type a command similar
to “diskpart /s testscript.txt”.
• To create a log file of the diskpart session, type
“diskpart /s testscript.txt > logfile.txt”.

Frequently used diskpart commands are included in the following table.

list disk
   Displays a list of disks and information about them, such as their size, amount of
   available free space, whether the disk is a basic or dynamic disk, and whether the
   disk uses the MBR or GPT partition style. The disk marked with an asterisk (*) has
   focus.

select disk <disknumber>
   Selects the specified disk, where <disknumber> is the disk number, and gives it
   focus.

convert gpt
   Converts an empty, basic disk with the MBR partition style into a basic disk with
   the GPT partition style.

For additional information about diskpart.exe commands, start Disk Management and
then open the Help Topics from the Help menu.

Converting Disk Types


When you add a new hard disk to a computer and then start Disk Management, a
wizard steps you through the initialization process during which you select whether to
have an MBR or a GPT partition style. Although you can change between partition
styles at a later time, some of the operations are irreversible unless the drive is
reformatted. You must carefully consider the disk type and partition style that is most
appropriate for the situation. Before you change the partition style, consider the
following items:
• You must be a member of the Backup Operators or Administrators group.
• As with any major change to disk contents, you must back up the entire contents of
the hard disk before making a change.
• Disks must be online before you can initialize them or create new partitions or
volumes. To bring a disk online or take it offline in Disk Management, right-click
the disk name and then click the appropriate action.
• You can only convert from GPT to MBR if the disk does not contain any volumes
or partitions.
• Use Event Viewer to check the system log for disk-related messages.

Note: In a multi-boot scenario, if you are in one operating system and you convert a
basic MBR disk that contains an alternate operating system to a dynamic MBR disk, you
will not be able to boot into the alternate operating system.

Question: What is the effect on existing data when you convert a basic disk to a
dynamic disk and vice versa?



Answer: Basic disks can be converted to dynamic disks without data loss. However,
converting a dynamic disk to basic is not possible without deleting all the volumes
first.

Demonstration: Converting an MBR Partition to a GPT Partition


In this demonstration, you will see how to use both the diskpart command-line tool and
the Disk Management snap-in to manage disk types.
Start the LON-DC1 and the LON-CL1 virtual machines. Leave them running
throughout the duration of the module.

Convert a Disk to GPT by using Diskpart.exe


1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with the
password Pa$$w0rd.
2. Click Start, point to All Programs, click Accessories, right-click Command
Prompt, and then click Run as administrator.
3. At the command prompt, type “diskpart” and then press ENTER.
4. At the DISKPART> prompt, type “list disk” and then press ENTER.
5. At the DISKPART> prompt, type “select disk 2” and then press ENTER.
6. At the DISKPART> prompt, type “convert gpt” and then press ENTER.

7. At the DISKPART> prompt, type “exit” and then press ENTER.

Convert Disk 2 to GPT by using Disk Management


1. Click Start, right-click Computer, and then click Manage.
2. In the Computer Management (Local) list, click Disk Management.



3. In the Initialize Disk dialog box, click GPT (GUID Partition Table) and then
click OK.

Verify the Disk Type


1. In Disk Management, right-click Disk 2 and verify its type.
2. In Disk Management, right-click Disk 3 and verify its type.
3. Click outside the context menu.

Question: Which tool do you prefer to use to convert a new disk to GPT, the Disk
Management snap-in or the diskpart.exe command-line tool?

Answer: Emphasize that both will work, but the students might express a preference.

Lesson 2
Managing Disk Volumes

Before the Windows 7 operating system can access newly installed dynamic disks, you
must create and format one or more volumes on a disk. Dynamic disks use a private
region of the disk to maintain a Logical Disk Manager (LDM) database. The LDM
database contains volume types, offsets, memberships, and drive letters for each
volume. The LDM database is also replicated, so each dynamic disk knows about every
other dynamic disk configuration. This feature makes dynamic disks more reliable and
recoverable than basic disks.
You can configure volumes to use some or all the available space on a single disk, or
configure the volume to span multiple disks. The following are examples of the types
of dynamic volumes that can be created on dynamic disks:
• Simple
• Spanned
• Striped
• Mirrored
• RAID-5


What is a Simple Volume?



A volume is a contiguous, unallocated area of a physical hard disk that you format to
create a file system. You can then either assign it a drive letter or mount it in an
existing volume by using a volume mount point.

Simple Volume Characteristics


A simple volume is a dynamic volume that encompasses available free space from a
single dynamic hard disk drive. It is a portion of a physical disk that functions as
though it were a physically separate unit. A simple volume can consist of a single
region on a disk or multiple regions of the same disk that are linked together. Simple
volumes have the following characteristics:
• Not fault tolerant: a disk failure leads to volume failure.
• Volume Input/Output (I/O) performance is the same as disk I/O performance.

Simple Volume Scenarios


The table contains some sample disk and volume scenarios:

Business desktop computer with one disk volume
   Most business users require a basic disk and one basic volume for storage, and do
   not require a computer with volumes that span multiple disks or that provide fault
   tolerance. This is the best choice for those who require simplicity and ease of use.

Business desktop computer with one disk and more than one volume
   If a small business user wants to upgrade the operating system and reduce the
   impact on their business data, they must store the operating system in a separate
   location from business data.
   In this scenario, a basic disk with two or more basic volumes is required. The user
   can install the operating system on the first volume, creating a boot volume or
   system volume, and use the second volume to store data.
   When a new version of the operating system is released, the user can reformat the
   boot or system volume and install the new operating system. The business data,
   located on the second volume, remains untouched.

A simple volume may provide better performance than striped data layout schemes.
For example, when serving multiple, lengthy, sequential streams, performance is best
when a single disk services each stream. Also, workloads that are composed of small,
random requests do not always result in performance benefits when they are moved
from a simple to a striped data layout.
As stated previously, when using simple volumes, any physical disk failure results in
data loss. However, the loss is limited to the failed drives. In some scenarios, this
provides a level of data isolation that can be interpreted as greater reliability.

Demonstration: Creating a Simple Volume



Use the following information as guidance when creating or modifying simple
volumes:
• You must be a member of the Backup Operators or Administrators group.
• Either diskpart.exe or Disk Management can be used.
• You can shrink or extend a simple volume. If you extend the volume to encompass
areas of unallocated space on additional disks, the volume is no longer a simple
volume, but becomes a spanned volume.
• Before you can store files and directories on the volumes, you must first format
each volume for use with the file system.
• Before you can access and place data on a volume, you must assign it either a
drive letter or a mount point if it does not already have one.
• Before deleting volumes, make sure that the information on them has been backed
up onto another storage medium and verified, or that the data is no longer needed.
You can create more than 26 volumes on Windows 7, but you cannot assign more than
26 drive letters for accessing these volumes. Drive letters A and B are typically
reserved for floppy disk drives. If the computer does not have a floppy disk drive, you
can assign drive letters A and B to removable drives, hard disk drives, or mapped
network drives. Hard disk drives are typically assigned drive letters C through Z, while
mapped network drives are assigned drive letters in reverse order (Z through C).
Volumes created after the 26th drive letter has been used must be accessed using
volume mount points. The path environment variable shows specific drive letters with
program names.
You must know how to use the commands shown in the following table when creating a
simple volume by using diskpart.exe.

list disk
   Displays a list of disks and information about them, such as their size, amount of
   available free space, whether the disk is a basic or dynamic disk, and whether the
   disk uses the MBR or GPT partition style. The disk marked with an asterisk (*) has
   focus.

create volume simple
   Creates a simple volume. After you create the volume, the focus automatically
   shifts to the new volume.

size=<size>
   Specifies or assigns the size of the volume in MB. If no size is given, the new
   volume takes up the remaining free space on the disk.

disk=<disknumber>
   Specifies the dynamic disk on which to create the volume. If no disk is given, the
   current disk is used.

assign letter=<driveletter>
   Specifies or assigns a drive letter to the volume with focus. If no drive letter or
   mount point is specified, the next available drive letter is assigned. If the drive
   letter or mount point is already in use, an error is generated.

fs=<ntfs|fat|fat32>
   Specifies the type of file system. If no file system is specified, the default file
   system is used. The default file system is displayed by the filesystems command.

label=<label>
   Specifies the volume label.

In this demonstration, you will see how to create a simple volume. First a volume is
created by using the Disk Management snap-in, and then by using the diskpart
command-line tool.

Create a Simple Volume by using Disk Management


1. If necessary, on LON-CL1 click Start, right-click Computer, and then click
Manage.
2. In the Computer Management (Local) list, click Disk Management.
3. In Disk Management on Disk 2, right-click Unallocated, and then click New
Simple Volume.
4. In the New Simple Volume Wizard, click Next.
5. On the Specify Volume Size page, in the Simple volume size in MB box, type
“100” and then click Next.
6. On the Assign Drive Letter or Path page, click Next.
7. On the Format Partition page, in the Volume label box, type “Simple”, click
Next, and then click Finish.

Create a Simple Volume by using Diskpart.exe


1. If necessary, click Start, point to All Programs, click Accessories, right-click
Command Prompt, and then click Run as administrator.
2. At the command prompt, type “diskpart” and then press ENTER.
3. At the DISKPART> prompt, type “list disk” and then press ENTER.
4. At the DISKPART> prompt, type “select disk 3” and then press ENTER.
5. At the DISKPART> prompt, type “create partition primary size=100” and then
press ENTER.
6. At the DISKPART> prompt, type “list partition” and then press ENTER.
7. At the DISKPART> prompt, type “select partition 2” and then press ENTER.
8. At the DISKPART> prompt, type “format fs=ntfs label=simple2 quick” and then
press ENTER.
9. At the DISKPART> prompt, type “Assign”, and then press ENTER.

Question: In what circumstances will you use less than all the available space on a
disk in a new volume?

Answer: Answers vary, but include partitioning a disk to support dual-boot scenarios.

What are Spanned and Striped Volumes?



A spanned volume joins areas of unallocated space on at least 2, and at most 32, disks
into a single logical disk. Similar to a spanned volume, a striped volume also requires
two or more disks; however, striped volumes map stripes of data cyclically across the
disks.

Characteristics of Spanned Volumes


A spanned volume allows users to gather non-contiguous free space from one or many
disks into the same volume. A spanned volume does not provide any fault tolerance. In
addition, because the areas that you combine are not necessarily equally distributed
across the participating disks, there is no performance benefit to implementing spanned
volumes; I/O performance is comparable to simple volumes.
You can create a spanned volume by either extending a simple volume to an area of
unallocated space on a second disk, or you can designate multiple disks during the
volume creation process. The benefits of using spanned volumes include
uncomplicated capacity planning and straightforward performance analysis.
If you are creating a new spanned volume, you must define the same properties as
when you create a simple volume in terms of size, file system, and drive letter. It is
also necessary to define how much space to allocate to the spanned volume from each
physical disk.

You can only create spanned volumes on dynamic disks. If you attempt to create a
spanned volume on basic disks, after you have defined the volume’s properties, and
confirmed the choices, Windows prompts you to convert the disk to dynamic.
It is possible to shrink a spanned volume; however, it is not possible to remove an area
from a specific disk. For example, if a spanned volume consists of three 100 MB
partitions on each of three disks, you cannot selectively delete the third element.
Depending on consumption of space in the volume, you can reduce the total size of the
volume.

Note: When you shrink a spanned volume, no data loss occurs; however, the number of
disks involved may decrease. If the spanned volume then resides on a single disk, it is
converted into a simple volume. If shrinking a spanned volume leaves a dynamic disk
empty, that disk is implicitly converted to a basic disk.

If you subsequently install additional hard disks, it is possible to extend the spanned
volume to include areas of unallocated space on the new disks, provided this does not
exceed the 32 disk limit for spanned volumes.

Characteristics of Striped Volumes


A striped volume is also known as a redundant array of independent disks (RAID) 0; a
striped volume combines equally sized areas of unallocated space from multiple disks.
Create a striped volume when you want to improve the I/O performance of the
computer. Striped volumes provide for higher throughput by distributing I/O across all
disks configured as part of the set. The more physical disks that you combine, the faster
the potential throughput is.
For most workloads, a striped data layout provides better performance than simple or
spanned volumes if the stripe unit is appropriately selected based on workload and
storage hardware characteristics. The overall storage load is balanced across all
physical drives.
Striped volumes are also well suited for isolating the paging file. By creating a volume
where PAGEFILE.SYS is the only file on the entire volume, the paging file is less
likely to become fragmented, which helps improve performance. Redundancy is not
normally required for the paging file. Striped volumes provide a better solution than
RAID 5 for paging file isolation because paging file activity is write intensive and
RAID 5 is better suited for read performance than write performance.

Because no capacity is allocated for redundant data, RAID 0 does not provide data
recovery mechanisms such as those in RAID 1 and RAID 5. The loss of any disk
results in data loss on a larger scale than a simple volume because the entire file system
spread across multiple physical disks is disrupted. The more disks that you combine,
the less reliable the volume becomes.
When you create a striped volume, after installing multiple disks, define the file
system, drive letter, and other standard volume properties. Additionally, you must
define the disks from which to allocate free space. The allocated space from each disk
must be identical.
It is possible to delete a striped volume, but it is not possible to extend or to shrink the
volume.

Configuration Changes
There are times when you may want to upgrade or in some way alter the configuration
of computer hardware or software, for example:
• When the addition of functionality adds value to your organization
• When a fault in software, hardware, or the combined architecture results in an
application failing
• When a change in the functionality or role of a server or workstation occurs
Other forms of volume management that provide different types of fault tolerance and
recovery, such as RAID-1 or RAID-5 volumes, hardware mirroring, and disk duplexing,
are not covered in this module. These forms of volume management must still be
considered during times of change.

Question: Describe scenarios when you create a spanned volume and when you create
a striped volume.

Answer: Create a spanned volume when you want to encompass several areas of
unallocated space on two or more disks. Create a striped volume when you want to
improve the I/O performance of the computer.

Demonstration: Creating Spanned and Striped Volumes



In this demonstration, you will see how to create both spanned and striped volumes.

Create a Spanned Volume


1. On LON-CL1 in Disk Management on Disk 2, right-click Unallocated, and then
click New Spanned Volume.
2. In the New Spanned Volume wizard, click Next.
3. On the Select Disks page, in the Select the amount of space in MB box, type
“100”.
4. In the Available list, click Disk 3 and then click Add >.
5. In the Selected list, click Disk 3, and in the Select the amount of space in MB
box, type “250” and then click Next.
6. On the Assign Drive Letter or Path page, click Next.
7. On the Format Partition page, in the Volume label box, type “Spanned”, click
Next, and then click Finish.
8. In the Disk Management dialog box, click Yes.

Create a Striped Volume


1. In Disk Management, right-click Disk 2 and then click New Striped Volume.
2. In the New Striped Volume wizard, click Next.
3. On the Select Disks page, in the Available list, click Disk 3 and then click Add >.
4. On the Select Disks page, in the Select the amount of space in MB box, type
“512” and then click Next.
5. On the Assign Drive Letter or Path page, click Next.
6. On the Format Partition page, in the Volume label box, type “Striped”, click
Next, and then click Finish.

Question: What is the advantage of using striped volumes, and conversely what is the
major disadvantage?

Answer: Performance is the advantage at the potential cost of reduced fault tolerance.

Purpose of Resizing a Volume



You can shrink existing volumes to create additional, unallocated space to use for data
or programs on a new volume. On the new volume, you can:
• Install another operating system and then perform a dual boot.
• Save data separate from the operating system.
To perform the shrink operation, ensure that the disk is either unformatted or formatted
with the NTFS file system and that you are a member of the Backup Operators or
Administrators group. When you shrink a volume, contiguous free space is relocated to
the end of the volume. There is no need to reformat the disk to perform a shrink. To
make available the maximum amount of space, before shrinking, make sure you
perform the following tasks:
• Defragment the disk if defragmentation is not regularly scheduled
• Reduce shadow copy disk space consumption
• Ensure that no page files are stored on the volume to be shrunk
When you shrink a volume, unmovable files (the page file or the shadow copy storage
area) are not automatically relocated. It is not possible to decrease the allocated space
beyond the point where the unmovable files are located. If you need to shrink the
partition further, move the page file to another disk, delete the stored shadow copies,
shrink the volume, and then move the page file back to the disk.
To view shadow copy storage information, use the Volume Shadow Copy Service
administrative command-line tool. Start an elevated Command Prompt and then type
“vssadmin list shadowstorage”. The used, allocated, and maximum shadow copy
storage space is listed for each volume.
Defragmentation in Windows 7 is more comprehensive in that some files that could not
be relocated in Windows Vista or earlier versions can now be placed optimally.
Additional information about defragmenting is discussed in a later topic.

Note: If the partition is a raw partition (that is, one without a file system) that contains
data (such as a database file), shrinking the partition may destroy the data. Remember
to make a backup prior to extending or shrinking a partition or volume.

You can shrink simple and spanned dynamic volumes, but not other volume types.
Increase the size of a simple volume in the following ways:
• Extend the simple volume on the same disk. The volume remains a simple volume.
• Extend a simple volume to include unallocated space on other disks on the same
computer. This creates a spanned volume.

Demonstration: Resizing a Volume



In this demonstration, you see how to resize a volume with the diskpart utility; then,
you use the Disk Management tool to extend a simple volume.

Shrink a Volume by using Diskpart.exe


1. On LON-CL1, switch to the Command Prompt window.
2. At the DISKPART> prompt, type “list disk”, and then press ENTER.
3. At the DISKPART> prompt, type “select disk 2”, and then press ENTER.
4. At the DISKPART> prompt, type “list volume”, and then press ENTER.
5. At the DISKPART> prompt, type “select volume 6”, and then press ENTER.
6. At the DISKPART> prompt, type “shrink desired = 50”, and then press ENTER.
7. At the DISKPART> prompt, type “exit”, and then press ENTER.
8. Switch to Disk Management, and view the new volume size.

Extend a Volume by Disk Management


1. In Disk 2, right-click Simple (F:), and then click Extend Volume.
2. In the Extend Volume Wizard, click Next.
3. In the Select the amount of disk space in MB box, type “50”, click Next, and
then click Finish.
4. Close all open windows.

Note: For more information about diskpart, refer to
http://go.microsoft.com/fwlink/?LinkId=153231

Question: When might you need to reduce the size of the system partition?

Answer: Answers will vary – but to enable BitLocker, a non-encrypted partition must
be available. In some circumstances, this might not be present on a computer and
reducing the system volume size might prove useful. It might be worth mentioning that
fragmentation and the placement of certain types of files on the disks (such as the
Master File Table (MFT)) can prevent you from realizing all the available free space as
a new volume.

Lesson 3
Maintaining Disks in Windows 7

When you first create a volume, new files and folders are created on available free
space on the volume in contiguous blocks; this provides an optimized file system
environment. As the volume becomes full, the availability of contiguous blocks
diminishes; this can lead to sub-optimal performance. This lesson explores file system
fragmentation and the tools you can use to reduce fragmentation.

What is Disk Fragmentation?

Fragmentation of the file system occurs over time as you save, change, and delete files.
Initially, the Windows I/O manager saves files in contiguous areas on a given volume.
This is efficient for the physical disk as the read/write heads are able to access these
contiguous blocks quickly.
As the volume fills up with data and other files, contiguous areas of free space are
harder to find. File deletion also causes fragmentation of available free space. In
addition, when a file is extended, there may not be contiguous free space following the
existing file blocks. This forces the I/O manager to save the remainder of the file in a
non-contiguous area. Over time, contiguous free space becomes harder to find, leading
to fragmentation of newly stored content. The incidence and extent of fragmentation
varies depending on available disk capacity, disk consumption, and usage patterns.
Although the NTFS file system is more efficient than earlier file systems at handling
disk fragmentation, this fragmentation still presents a potential performance problem.
Combined hardware and software advances in Windows help to mitigate the impact of
fragmentation and deliver better responsiveness.

Defragmenting a Disk

When you are defragmenting a disk, files are optimally relocated. This ability to
relocate files benefits you when shrinking a volume, since it enables the system to free
up space that can be reclaimed as required.
Disk Defragmenter rearranges data and reunites fragmented files. It runs automatically
on a scheduled basis; however, you can perform a manual defragmentation at any time.
To manually defragment a volume or drive, or to change the automatic
defragmentation schedule, right-click the volume in Windows Explorer, click
Properties, click the Tools tab, and then click Defragment Now. You can then
perform the following tasks:

• Disable automatic defragmentation
• Modify the defragmentation schedule
• Select which volumes you want to defragment
• Analyze the disk to determine whether it requires defragmentation
• Launch a manual defragmentation

To verify that a disk requires defragmentation, in Disk Defragmenter select the disk
you want to defragment and then click Analyze disk. Once Windows is finished
analyzing the disk, check the percentage of fragmentation on the disk in the Last Run
column. If the number is high, defragment the disk.
Disk Defragmenter might take from several minutes to a few hours to finish, depending
on the size and degree of fragmentation of the disk or USB device (for example, an
external hard drive). You can use the computer during the defragmentation process.
You can configure and run disk defragmentation from an elevated Command Prompt
by using the defrag command-line utility. Use the following table for guidance.

Option Meaning

-c     Defragments all volumes
-a     Performs an analysis rather than an actual defragmentation
-r     Performs a default defragmentation in which files larger than 64 MB are not
       defragmented
-w     Performs a defragmentation in which all files are defragmented
-f     Forces defragmentation of the volume when free space is low
-v     Provides more detailed output of the analysis or defragmentation processes

There are several ways to help prevent file system fragmentation:
• Partition the disk in such a way that static files are isolated from those that are
created and deleted frequently (such as some user profile and temporary internet
files).
• Use the Disk Cleanup feature to free disk space consumed by each user’s
preferences for console files that are saved in the profile.
• Use Disk Defragmenter to help reduce the impact of disk fragmentation on disk
volumes, including USB drives. Disk Defragmenter rearranges fragmented data so
that disks and drives can work more efficiently.
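The following PowerShell script is an added example, not part of the courseware: it runs the same analysis as the Analyze disk button through the Win32_Volume WMI class on every fixed NTFS volume, and then calls defrag with the options from the table only where the analysis recommends it. It assumes an elevated PowerShell prompt, and the 10 percent fragmentation threshold is a value chosen here for illustration, not a Windows default.

```powershell
# Added example: analyze fragmentation on every fixed NTFS volume through
# Win32_Volume.DefragAnalysis(), the same analysis Disk Defragmenter runs
# when you click "Analyze disk". Run from an elevated PowerShell prompt.
# The threshold is an assumed local policy value, not a Windows default.

$threshold = 10   # percent of fragmented files above which we act anyway

# DriveType 3 = local fixed disk. Skip volumes without a drive letter
# (for example the System Reserved partition) and non-NTFS volumes.
$volumes = Get-WmiObject -Class Win32_Volume -Filter "DriveType = 3" |
    Where-Object { $_.DriveLetter -and $_.FileSystem -eq 'NTFS' }

$report = foreach ($vol in $volumes) {
    # The method returns ReturnValue (0 = success), DefragRecommended and an
    # embedded Win32_DefragAnalysis object carrying the statistics.
    $result = $vol.DefragAnalysis()
    if ($result.ReturnValue -ne 0) {
        Write-Warning ("{0}: analysis failed with code {1} (not elevated?)" -f $vol.DriveLetter, $result.ReturnValue)
        continue
    }
    $stats = $result.DefragAnalysis
    New-Object PSObject -Property @{
        Volume           = $vol.DriveLetter
        Label            = $vol.Label
        FreeSpacePercent = $stats.FreeSpacePercent
        FilePercentFrag  = $stats.FilePercentFragmentation
        FragmentedFiles  = $stats.TotalFragmentedFiles
        UnmovableFiles   = $stats.TotalUnmovableFiles   # MFT, page file and similar
        Recommended      = [bool]$result.DefragRecommended
        AboveThreshold   = ($stats.FilePercentFragmentation -gt $threshold)
    }
}

$report | Sort-Object FilePercentFrag -Descending |
    Format-Table Volume, Label, FreeSpacePercent, FilePercentFrag, FragmentedFiles,
                 UnmovableFiles, Recommended, AboveThreshold -AutoSize

# Act only where the analysis says it is worth it, instead of running
# "defrag -c" across every volume: -w defragments all files, -v is verbose.
foreach ($row in @($report | Where-Object { $_.Recommended -or $_.AboveThreshold })) {
    Write-Host ("Defragmenting {0} ..." -f $row.Volume)
    & defrag.exe $row.Volume -w -v
}
```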

What are Disk Quotas?

It is important to manage the storage space that is consumed on Windows 7 computers.

With ever-increasing demands on available storage, you must consider methods that
can help you to manage these demands. A disk quota is a way for you to limit each
person’s use of disk space on a volume. Disk quotas enable you to track and restrict
disk consumption. You can enable quotas on any NTFS-formatted volume, including
local volumes, network volumes, and removable storage.
You can use quotas only to track disk space consumption and determine who is
consuming available space; you are not required to restrict disk consumption at the
same time.
You can also manage quotas by using the fsutil quota and fsutil behavior commands
from the Command Prompt.
Once a quota is created, you can export it and then import it for a different volume. In
addition to establishing quota settings on an individual computer by using the methods
previously outlined, you can also use Group Policy settings to configure quotas. This
enables administrators to configure multiple computers with the same quota settings.

Over time, the amount of available disk space inevitably decreases, so make sure
that you have a plan to increase storage capacity.

Note: Quotas are tracked for each volume.

Question: How do you increase free disk space after exceeding the quota allowance?

Answer: The following are ideas to increase free disk space after exceeding the quota
allowance:

• Delete unnecessary files
• Have another user claim ownership of non-user specific files
• Increase the quota allowance as volume size and policy permits

Demonstration: Configuring Disk Quotas

After you enable quotas, you can configure options shown in the following table.

Option Description

Deny disk space to users exceeding quota limit
    Prohibits users from exceeding their quota limit

Do not limit disk space usage
    Enables tracking mode for quota management and does not enforce disk space limits

Limit disk space to
    Enables you to specify a disk space limit for all users, in kilobytes (KB) through
    exabytes (EB)

Set warning level to
    Enables you to configure a warning level at which point a user receives a warning
    that he or she is about to exceed his or her space limit

Log event when a user exceeds their quota limit
    Generates an event in the System log of the local computer whenever a user exceeds
    his or her quota limit

Log event when a user exceeds their warning level
    Generates an event in the System log of the local computer whenever a user exceeds
    his or her warning level

Quota Entries
    Enables you to configure specific quota limits for each user

In this demonstration, you see how to create and manage disk quotas.

Create Quotas on a Volume


1. On LON-CL1, click Start and then click Computer.
2. Right-click Striped (I:) and then click Properties.
3. In the Striped (I:) Properties dialog box, click the Quota tab.
4. On the Quota tab, select the Enable quota management check box.
5. Select the Deny disk space to users exceeding quota limit check box.
6. Click Limit disk space to, in the adjacent box type “6”, and then in the KB list
click MB.
7. In the Set warning level to box, type “4”, and then in the KB list click MB.
8. Select the Log event when a user exceeds their warning level check box, and
then click OK.
9. In the Disk Quota dialog box, review the message, and then click OK.

Create Test Files


1. Open a Command Prompt.
2. At the command prompt, type “I:” and then press ENTER.
3. At the command prompt, type “fsutil file createnew 2mb-file 2097152” and then
press ENTER.
4. At the command prompt, type “fsutil file createnew 1kb-file 1024” and then press
ENTER.
5. Close the Command Prompt window.

Test the Configured Quotas by using a Standard User Account to Create Files

1. Log off, and then log on to the LON-CL1 virtual machine as Contoso\Alan with a
password of Pa$$w0rd.
2. Click Start, click Computer, and then double-click Striped (I:).
3. On the toolbar, click New Folder.
4. Type “Alan’s files”, and then press ENTER.
5. In the file list, right-click 2mb-file, drag it to Alan’s files, and then click Copy
here.
6. Double-click Alan’s files.
7. Right-click 2mb-file and then click Copy.
8. Press CTRL+V.
9. In the Address bar, click Striped (I:).
10. In the file list, right-click 1kb-file, drag it to Alan’s files, and then click Copy
here.
11. Double-click Alan’s files.
12. Right-click 2mb-file and then click Copy.
13. Press CTRL+V.
14. In the Copy Item dialog box, review the message and then click Cancel.

Review Quota Alerts and Event Log Messages


1. Log off, and then log on to the LON-CL1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start and then click Computer.
3. Right-click Striped (I:) and then click Properties.
4. In the Striped (I:) Properties dialog box, click the Quota tab and then click
Quota Entries.
5. In the Quota Entries for Striped (I:), in the Logon Name column, double-click
Contoso\Alan.
6. In the Quota Settings for Alan Brewer (CONTOSO\alan) dialog box, click OK.
7. Close Quota Entries for Striped (I:).
8. Close Striped (I:) Properties.
9. Click Start, and in the Search box, type “event”.
10. In the Programs list, click Event Viewer.
11. In the Event Viewer (Local) list, expand Windows Logs and then click System.
12. Right-click System and then click Filter Current Log.
13. In the <All Events IDs> box, type “36” and then click OK.
14. Examine the listed entry.
15. Close all open windows.

Question: Will Quota management be useful in your organizations?

Answer: Answers will vary. In most cases there is no need to limit disk usage on
computers running Windows 7. However, it might be useful when multiple users share
the same computer or when peer-to-peer networking is performed in a workgroup. It is
more common to implement quotas on servers.
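As an added example (not from the courseware), this PowerShell script reproduces the demonstration's quota settings on Striped (I:) for CONTOSO\Alan with the fsutil quota and fsutil behavior commands mentioned in the lesson, and then queries the System log for the quota events the demonstration inspects in Event Viewer. It assumes an elevated prompt; event ID 36 is the warning-level event the demonstration filters on, and 37 is assumed here to be the corresponding quota-limit event.

```powershell
# Added example: configure the demonstration's quotas on I: with fsutil and
# audit the resulting NTFS quota events. Run from an elevated PowerShell
# prompt. Volume, user and limits mirror the demonstration; the 60-second
# notification interval is a lab setting, not a recommended default.

$volume     = 'I:'
$user       = 'CONTOSO\Alan'
$warnBytes  = 4MB      # PowerShell expands 4MB to 4194304
$limitBytes = 6MB      # 6291456

function Invoke-Fsutil {
    param([string[]]$Arguments)
    # fsutil only works elevated; fail loudly rather than continuing with a
    # volume that was never configured.
    $output = & fsutil.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "fsutil $($Arguments -join ' ') failed: $output"
    }
    $output
}

# 1. Enforce quotas on the volume. This is "Enable quota management" plus
#    "Deny disk space to users exceeding quota limit" from the Quota tab.
#    Use 'track' instead of 'enforce' for tracking-only mode.
Invoke-Fsutil 'quota', 'enforce', $volume

# 2. Per-user quota entry: warning threshold, then hard limit, both in bytes.
Invoke-Fsutil 'quota', 'modify', $volume, $warnBytes, $limitBytes, $user

# 3. NTFS writes a quota event at most once per notification interval
#    (default 3600 seconds). Shorten it for the lab so the event shows up
#    promptly; confirm with "fsutil behavior query quotanotify".
Invoke-Fsutil 'behavior', 'set', 'quotanotify', '60'

# 4. Review the entries and current usage for the volume.
Invoke-Fsutil 'quota', 'query', $volume

# 5. Audit: the same System log filter the demonstration applies in Event
#    Viewer (ID 36 = warning level reached; 37 assumed = limit reached).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 36, 37 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

fsutil quota violations prints the same violations without an Event Viewer filter, which is handy when checking several computers.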

Lesson 4
Installing and Configuring Device Drivers

Devices have changed from being single-function peripherals to complex,
multifunction devices with a large amount of local storage and the ability to run
applications. They have evolved from a single type of connection, such as USB, to
multi-transport devices that support USB, Bluetooth, and WiFi.
Many of today’s devices are often integrated and sold with services that are delivered
over the Internet, which has simplified a computer’s ability to recognize and use
devices. Microsoft has expanded the list of devices and peripherals that are being tested
for compatibility with Windows 7.
The device experience in Windows 7 is designed on existing connectivity protocols
and driver models to maximize compatibility with existing devices. The following are
areas in Windows 7 that you can use to manage devices:
• The Devices and Printers control panel gives users a single location to find and
manage all the devices connected to their Windows 7-based computers, and
provides quick access to device status, product information, and key functions
such as faxing and scanning to enhance and simplify the customer experience with
a Windows 7-connected device.
• For some common devices such as multifunction printers, cell phones, portable
media players, and digital still cameras, Windows 7 provides an enhanced
experience called Device Stage™.
• Device Manager is used to view and update hardware settings, and driver software
for devices such as internal hard drives, disc drives, sound cards, video or graphics
cards, memory, processors, and other internal computer components.
Seamless user experiences begin with the ability to effortlessly connect devices.
Additional drivers are retrieved automatically from Windows Update™, and when
appropriate, users are given an option to download and install additional applications
for the device. All of this helps reduce support calls and increase customer satisfaction.

Overview of Device Drivers in Windows 7

A driver is a small software program that allows the computer to communicate with
hardware or devices. It is also specific to an operating system. Without drivers, the
hardware that you connect to the computer does not work properly.
In most cases, drivers come with Windows or can be found by going to Windows
Update and checking for updates. If Windows does not have the required driver, look
for it on the disc that came with the hardware or device, or on the manufacturer's Web
site.

32-bit and 64-bit Drivers


Windows 7 is available in 32-bit and 64-bit versions. Drivers developed for the 32-bit
versions do not work with the 64-bit versions, and vice versa. You must make sure that
you obtain the appropriate device drivers before you install Windows 7.

Driver Signing
The device drivers that Windows 7 includes have a Microsoft digital signature that
indicates whether a particular driver or file has met a certain level of testing, is stable
and reliable, and has not been altered since it was digitally signed. Windows 7 checks
for a driver’s digital signature during installation and prompts the user if no signature is
available.

Note: The signature file is stored as a .cat file in the same location as the driver file.

Driver Store and Driver Packages
The driver store is the driver repository in Windows 7. A driver package is a set of files
that make up a driver. It includes the .inf file, any files that the .inf file references, and
the .cat file that contains the digital signature for the device driver. You can preload the
driver store with drivers for commonly used peripheral devices. The driver store is
located in systemroot\System32\DriverStore.
Installing a driver is a two-stage process. First, you install the driver package into the
driver store. You must use administrator credentials to install the driver package into
the driver store. The second step is to attach the device and install the driver. A
standard user can perform this second step.
During hardware installation, if the appropriate driver is not available, Windows 7 uses
Windows Error Reporting to report an unknown device. This enables OEMs to work in
conjunction with Microsoft to provide additional information to the user, such as a
statement of nonsupport for a particular device or a link to a Web site with additional
support information.
In Windows 7, the Device Metadata System provides an end-to-end process for
defining and distributing device metadata packages. These packages contain device
experience XML documents that represent the properties of the device and its
functions, together with applications and services that support the device. Through
these XML documents, the Devices and Printers folder and Device Stage present users
with an interface that is specific to the device as defined by the device maker.
Windows Online Quality Services (Winqual) validates device experience XML
documents and signs device metadata packages. Windows Metadata and Internet
Services (WMIS) distributes new or revised device metadata packages that device
makers submit through Winqual.
Windows 7 uses WMIS to discover, index, and match device metadata packages to
specific devices that are connected to the computer. Device makers can also distribute
device metadata packages directly to the computer through their own Setup
applications.

Note: You can use the Pnputil.exe tool to add a driver to the Windows 7 driver store
manually.

Installing Devices and Drivers

Windows has supported Plug and Play for device and driver installation since
Windows 9x. When you install a new device, typically Windows 7 recognizes and
configures it. To support Plug and Play, devices contain configuration and driver
information. Each Plug and Play device must meet the following requirements:
• Be uniquely identified
• State the services it provides and resources it requires
• Identify the driver that supports it
• Allow software to configure it
Windows 7 reads this information when the device is attached to the computer and
completes the configuration so that the device works properly with the other installed
devices. Properly implemented, Plug and Play provides automatic configuration of PC
hardware and devices. The driver architecture for Windows supports comprehensive,
operating system-controlled Plug and Play. Plug and Play technologies are defined for
IEEE 1394, PCI, PC Card/CardBus, USB, SCSI, ATA, ISA, LPT, and COM. Non-Plug
and Play-compliant device drivers can still be installed manually in Device Manager.

Improved End User Experience


The success of driver installation depends on several factors. Two key factors are when
the device is supported by a driver package included with Windows or available on
Windows Update and when the user has media with the driver package provided by the
vendor. Windows 7 includes several features that help an administrator make device
driver installation more straightforward for users:
• Staging driver packages in the protected driver store. A standard user, without any
special privileges or permissions, can install a driver package that is in the driver
store.
• Configuring client computers to automatically search a specified list of folders
when a new device is attached to the computer. These folders can be hosted on a
network share. When a device driver is accessible in this manner, Windows does
not need to prompt the user to insert media.
• Rebooting the system is rarely necessary when installing Plug and Play devices or
software applications. This is true because of the following reasons:
    • The Plug and Play Manager installs and configures drivers for Plug and
      Play devices while the operating system is running.
    • Applications can use side-by-side components instead of replacing
      shared, in-use dynamic-link libraries (DLLs).
These features help improve the user experience and reduce help desk support costs by
allowing standard users to install approved driver packages without requiring
additional permissions or administrator assistance. These features also help increase
computer security by ensuring that standard users can only install driver packages that
you authorize and trust.

Driver Detection Process


When a user inserts a device, Windows detects it and then signals the Plug and Play
service to make the device operational. Plug and Play queries the device for
identification strings and searches the driver store for a driver package that matches the
identification strings. If a matching package is found, Plug and Play copies the device
driver files from the driver store to their operational locations, typically
%systemroot%\System32\drivers, and then updates the registry as needed. Finally,
Plug and Play starts the newly installed device driver.
If a matching package is not found in the driver store, Windows searches for a
matching driver package by looking in the following locations:
• Folders specified by the DevicePath registry entry
• The Windows Update Web site

• Media or a manufacturer’s Web site that is provided after the system prompts the
user
Windows also checks that the driver package has a valid digital signature. If the driver
package is signed by a certificate that is valid but is not found in the Trusted Publishers
store, Windows prompts the user for confirmation.
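An added example (not from the courseware) of the first search location listed above: this PowerShell script appends a read-only driver share to the DevicePath registry value so that Plug and Play searches it without prompting the user for media, after checking that ordinary users cannot write to the share. The share name \\LON-DC1\Drivers is hypothetical; the registry key and value name are the ones Windows uses.

```powershell
# Added example: publish an internal driver share through the DevicePath
# registry value (REG_EXPAND_SZ under HKLM\SOFTWARE\Microsoft\Windows\
# CurrentVersion, default "%SystemRoot%\inf"). Run elevated.
# \\LON-DC1\Drivers is a hypothetical share name.

$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$share = '\\LON-DC1\Drivers'

# Anything found under DevicePath installs with no further prompt, so a
# folder that ordinary users can write to would let them stage their own
# driver packages. Refuse to publish such a folder. This checks the NTFS
# ACL; share permissions should be read-only as well.
function Test-ReadOnlyForUsers {
    param([string]$Path)
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $broad = $ace.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users)$'
        $grantsWrite = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
        if ($broad -and $ace.AccessControlType -eq 'Allow' -and $grantsWrite) { return $false }
    }
    return $true
}

if (-not (Test-Path -Path $share)) { throw "Driver share $share is not reachable" }
if (-not (Test-ReadOnlyForUsers -Path $share)) { throw "Refusing: $share is writable by ordinary users" }

# Read the current value without expanding %SystemRoot%, so the existing
# entries are written back exactly as they were, with the share appended.
$regKey  = Get-Item -Path $key
$current = $regKey.GetValue('DevicePath', '%SystemRoot%\inf',
               [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
$paths   = @($current -split ';' | Where-Object { $_ })

if ($paths -contains $share) {
    Write-Host "DevicePath already contains $share"
} else {
    $newValue = ($paths + $share) -join ';'
    Set-ItemProperty -Path $key -Name DevicePath -Value $newValue -Type ExpandString
    Write-Host "DevicePath is now: $newValue"
}
```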

Staging the device driver packages in this manner provides significant benefit. After a
driver package has been successfully staged, any user that logs on to that computer can
install the drivers by simply plugging in the appropriate device.

Add a Driver to the Driver Store from a Command Prompt


You can use the Pnputil.exe tool to add drivers to the driver store manually. After the
signed driver package is in the driver store, Windows considers the package trusted.

Note: Run the Pnputil.exe tool from an elevated command prompt. The tool cannot
invoke the User Account Control dialog box. If you attempt to use the PnPUtil tool from
a command prompt that is not running as administrator, the commands fail.

To add a driver, use the “-a” parameter to specify the path and name of the driver, for
example, “pnputil -a <PathToDriver>\<Driver>.inf”. Windows validates that the
signature attached to the package is valid, the files are unmodified, and the file
thumbprints match the signature.
After adding a driver, note the assigned number. Drivers are renamed oem*.inf during
the addition. This is to ensure unique naming. For example, the file MyDriver1.inf may
be renamed oem0.inf. You can view the published name by using the “-e” parameter,
for example “pnputil -e”.
Typically, you do not need to uninstall a Plug and Play device. Just disconnect or
unplug the device so that Windows does not load or use the driver.

Non-Plug and Play Devices


Non-Plug and Play devices are becoming increasingly rare as manufacturers stop
producing them in favor of Plug and Play devices. The term non-Plug and Play
typically applies to older pieces of equipment with devices that require manual
configuration of hardware settings before use. To view non-Plug and Play devices, in
Device Manager, click the View menu, click Show hidden devices, and expand Non-
Plug and Play Drivers.

Question: What are the steps to install a driver in the driver store by using the
Pnputil.exe tool?

Answer: The steps are as follows:

1. Identify the name of the device driver.
2. Start the Pnputil.exe tool from an elevated command prompt.
3. Use the -a parameter along with the path to the driver and name of the driver to
perform the addition to the driver store.
4. Make note of the newly assigned driver name, including the number.
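The following PowerShell script is an added example, not from the courseware, that carries out the four steps in the answer above and the pnputil procedure described earlier in this topic: it stages a package with pnputil -a and then parses pnputil -e to recover the oem*.inf name Windows assigned. The path C:\Drivers\MyDriver1\MyDriver1.inf is hypothetical, and the script assumes an elevated prompt.

```powershell
# Added example: stage a driver package into the driver store and record the
# published oem*.inf name Windows assigns to it. Run from an elevated prompt;
# pnputil cannot raise a UAC prompt itself.
# C:\Drivers\MyDriver1\MyDriver1.inf is a hypothetical package path.

$infPath = 'C:\Drivers\MyDriver1\MyDriver1.inf'
$infDir  = Split-Path -Path $infPath -Parent

if (-not (Test-Path -Path $infPath)) { throw "Not found: $infPath" }

# A signed package ships its .cat beside the .inf. pnputil rejects a package
# whose signature does not verify; warn early so the failure is readable.
if (-not (Get-ChildItem -Path $infDir -Filter *.cat)) {
    Write-Warning "No catalog (.cat) file beside $infPath; 64-bit Windows 7 refuses unsigned packages"
}

function Get-PublishedNames {
    # Parse "pnputil -e", which prints one block per staged package:
    #   Published name :            oem12.inf
    #   Driver package provider :   Contoso
    #   Class :                     System devices
    #   Driver date and version :   05/01/2009 1.2.3.4
    #   Signer name :               Contoso Publishing
    $packages = @()
    $current  = $null
    foreach ($line in (& pnputil.exe -e)) {
        if ($line -match '^Published name\s*:\s*(\S+)') {
            $current = New-Object PSObject -Property @{ Name = $Matches[1]; Provider = ''; Signer = '' }
            $packages += $current
        } elseif ($current -and $line -match '^Driver package provider\s*:\s*(.*)$') {
            $current.Provider = $Matches[1].Trim()
        } elseif ($current -and $line -match '^Signer name\s*:\s*(.*)$') {
            $current.Signer = $Matches[1].Trim()
        }
    }
    $packages
}

# Snapshot the store, add the package, then diff: the new oem*.inf name is
# whatever appears afterwards that was not there before.
$before = @(Get-PublishedNames | ForEach-Object { $_.Name })
$output = & pnputil.exe -a $infPath 2>&1
$added  = @(Get-PublishedNames | Where-Object { $before -notcontains $_.Name })

if ($added.Count -eq 0) {
    throw ("pnputil -a did not stage a package (exit code {0}):`n{1}" -f $LASTEXITCODE, ($output -join "`n"))
}
foreach ($pkg in $added) {
    # Keep this name: Device Manager shows it as the INF, and
    # "pnputil -d <oemN.inf>" needs it to remove the package later.
    Write-Host ("Staged {0} as {1} (provider: {2}; signer: {3})" -f $infPath, $pkg.Name, $pkg.Provider, $pkg.Signer)
}
```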

Device Driver Management Tools

There are several areas in Windows 7 where you can manage devices and their related
drivers:
• Device Manager
• Devices and Printers
• Device Stage
• The Pnputil tool run from an elevated command prompt

Device Manager
Device Manager helps you install and update the drivers for hardware devices, change
the hardware settings for those devices, and troubleshoot problems. You can perform
the following tasks in Device Manager:

• View a list of installed devices: View all devices that are currently installed based
on their type, by their connection to the computer, or by the resources they use.
This device list is re-created after every system restart or dynamic change.

• Uninstall a device: Uninstall the device driver, and remove the driver software
from the computer.
• Enable or disable devices: If you want a device to remain attached to a computer
without being enabled, you can disable the device instead of uninstalling it.
Disable is different from uninstall because only the drivers are disabled; the
hardware configuration is not changed.
• Troubleshoot devices: Determine whether the hardware on your computer is
working properly. If a device is not operating correctly, it may be listed as
Unknown Device next to a yellow question mark.
• Update device drivers: If you have an updated driver for a device, you can use
Device Manager to apply the updated driver.
• Roll back drivers: If you experience system problems after updating a driver, you
can roll back to the previous driver by using driver rollback. This feature enables
you to reinstall the last device driver that was functioning before the installation of
the current device driver.
You can use Device Manager to manage devices only on a local computer. On a remote
computer, Device Manager works in read-only mode, allowing you to view, but not
change the hardware configuration of that computer. Device Manager is accessible in
the All Items category in Control Panel.

View the status of a device


The status of a device shows whether the device has drivers installed and whether
Windows is able to communicate with the device. To view the status of a device,
follow these steps in Device Manager:
1. Right-click the device and then click Properties.
2. On the General tab, the Device status area shows a description of the current
status.

Hidden Devices
The most common type of hidden device is for non-Plug and Play devices and network
adapters. To view hidden devices in Device Manager, click View and then click Show
hidden devices.

Devices and Printers


The Devices and Printers category in Control Panel provides an additional place to
manage devices. Wizards guide you through the setup process which reduces complex
configuration tasks. Windows 7 recognizes new devices and attempts to automatically
download and install any drivers required for that device.
After the device is connected, it appears in the Devices and Printers folder. Devices
that display in this location are usually external ones that you connect or disconnect
from the computer through a port or network connection. These devices include, but
are not limited to the following:
• Portable devices such as mobile phones, music players, and digital cameras
• All devices plugged into a USB port on the computer such as flash drives,
webcams, keyboards, and mice
• All printers whether they are connected by USB cable, the network, or wirelessly
• Bluetooth and Wireless USB devices
• The computer itself
• Network enabled scanners or media extenders
Devices and Printers do not include the following:
• Devices such as internal hard drives, disc drives, sound cards, video or graphics
cards, memory, processors, and other internal computer components
• Speakers connected to the computer with conventional speaker wires
• Older devices such as mice and keyboards that connect to the computer through a
PS/2 or serial port.
In Devices and Printers, a multifunction printer shows and can be managed as one
device instead of individual printer, scanner, or fax devices. In Device Manager, each
individual component of multifunction printer is displayed and managed separately.

Device Stage
Device Stage provides users with a new way to access devices and advanced options
for managing them. Devices in use are shown with a photo-realistic icon. This icon can
include quick access to common device tasks and status indicators that let users quickly
discern battery status, device synchronization status, remaining storage capacity, and so
on. Device makers can customize this experience to highlight device capabilities and
branding, and can include links to product manuals, additional applications, community
information and help, or additional products and services.

The entire Device Stage experience remains current. Graphics, task definitions, status
information, and links to Web sites are distributed to computers by using the Windows
Metadata Information Service (WMIS).

Note: At the time of the Windows 7 release, Device Stage experiences continue to be
implemented or tested. A list of the Device Stage experiences can be found at
http://go.microsoft.com/fwlink/?LinkID=144630&clcid=0x409

Options for Updating Drivers

A newer version of a device driver often adds functionality and fixes problems that
were discovered in earlier versions; many hardware problems can be resolved by
installing updated device drivers. Also, device driver updates often help resolve
security problems and improve performance.
Dynamic Update is a feature that works with Windows Update to download any critical
fixes and device drivers that are required during the setup process. Dynamic Update
downloads new drivers for devices that are connected to the computer and are required
to run Setup. This feature updates the required Setup files and improves the process so
you can successfully get started with Windows 7.
Dynamic Update downloads the following types of files:
• Critical Updates: Dynamic Update replaces files from the Windows 7 operating
system DVD that require critical fixes or updates. Dynamic Update also replaces
DLLs that setup requires. The only files that are downloaded are those that replace
existing files: no new files are downloaded.
• Device drivers: Dynamic Update only downloads drivers that are not included on
the operating system CD or DVD. Dynamic Update does not update existing
drivers, but you can obtain these by connecting to Windows Update after setup is
complete.

When updated device drivers are required, Microsoft is working to ensure that you can
get them directly from Windows Update or from device manufacturer Web sites. Look
to Windows Update first to update drivers after they are installed. If the updated device
driver is not available through Windows Update, find the latest version of the device
driver:
• Visit the computer manufacturer’s Web site for an updated driver.
• Visit the hardware manufacturer’s Web site.
• Search the Web using the device name.
Manual device updates can be performed in Device Manager. To manually update the
driver used for a device, follow these steps in Device Manager:
1. Double-click the type of device you want to update.
2. Right-click the device and then click Update Driver Software.
3. Follow the instructions in the Update Driver Software wizard.
Windows 7 also includes several enhancements to the upgrade experience including a
“load driver” feature that is provided so that, if an upgrade is blocked due to
incompatible or missing drivers that are required for the system to boot, you can load a
new or updated driver from the Compatibility Report and continue with the upgrade.
Managing Signed Drivers


Because device drivers run in kernel mode with system-level privileges and can access
anything on the computer, it is critical to install only device drivers that you
trust. Trust, in this context, includes two main principles:
• Authenticity: A guarantee that the package came from its claimed source.
• Integrity: An assurance that the package is completely intact and has not been
modified after its release.
Digital signatures allow administrators and end users who are installing Windows-
based software to know that a legitimate publisher has provided the software package.
It is an electronic security mark that indicates the publisher of the software and if
someone has changed the original contents of the driver package. If a driver has been
signed by a publisher, you can be confident that the driver comes from that publisher
and has not been altered.
A digital signature is created with the private key that corresponds to the
organization's code-signing certificate; the certificate itself carries the matching
public key that Windows uses to verify the signature. The signed data includes a
thumbprint for each file in the package. The thumbprint is generated by a
cryptographic hash algorithm, which produces a value that depends on the file's
entire contents: changing a single bit in the file changes the thumbprint. After the
thumbprints are generated, they are combined into a catalog file (.cat), and the
catalog is signed with the private key. Anyone who holds the certificate can verify
the signature, but only the holder of the private key can produce it, which is why
the private key must be protected.

Note: 64-bit Windows 7 versions require that all kernel-mode drivers be signed.

If your organization has a Software Publishing Certificate, you can use that to add your
own digital signature to drivers that you have tested and that you trust. If you
experience stability problems after you install a new hardware device, an unsigned
device driver could be the cause.

Signature Verification Tool


You can use Sigverif.exe (File Signature Verification) to check whether unsigned
device drivers are present in the system area of a computer. Sigverif.exe writes the
results of the scan to a log file that lists each system file, its signature catalog,
and the catalog's publisher, and flags any driver that has no valid signature. You
can then decide whether to remove the unsigned drivers.
To remove an unsigned device driver, follow these steps:
1. Run Sigverif to scan for unsigned drivers, and then review the resulting log file.
2. Create a temporary folder for the storage of unsigned drivers.
3. Manually move any unsigned drivers from systemroot\System32\Drivers into the
temporary folder.
4. Disable or uninstall the associated hardware devices.
5. Restart the computer.
If this resolves the problem, try to obtain a signed driver from the hardware vendor or
replace the hardware with a device that is compatible with Windows 7.
You can obtain a basic list of signed and unsigned device drivers from a command
prompt by running the driverquery command with the /si switch.

Note: Some hardware vendors use their own digital signatures so that drivers can have
a valid digital signature even if Microsoft has not tested them. The Sigverif report lists
the vendors for each signed driver. This can help you identify problem drivers issued by
particular vendors.
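As an added example that is not part of the course, the following Windows PowerShell script automates the driverquery /si check from an elevated prompt, groups unsigned drivers by vendor (the same view the Sigverif report gives), and keeps a baseline so that an unsigned driver that was not there last time stands out. It assumes, which the course does not state, that driverquery /si /fo csv emits the columns DeviceName, INFName, IsSigned and Manufacturer; the baseline path is arbitrary.

```powershell
# Added example, not from the course: script the driverquery /si check and keep a
# baseline so that newly appeared unsigned drivers stand out on the next run.
# Run from an elevated PowerShell prompt on the Windows 7 client.
# Assumption (not stated in the course): driverquery /si /fo csv emits the columns
# DeviceName, INFName, IsSigned and Manufacturer. The baseline path is arbitrary.

$baseline = Join-Path $env:ProgramData 'DriverAudit\unsigned-baseline.csv'

function Get-DriverSigningInventory {
    # /si = signing information, /fo csv = output that PowerShell can parse
    driverquery /si /fo csv | ConvertFrom-Csv
}

$inventory = @(Get-DriverSigningInventory)
$unsigned  = @($inventory | Where-Object { $_.IsSigned -eq 'FALSE' })
Write-Host ("{0} drivers reported, {1} unsigned" -f $inventory.Count, $unsigned.Count)

# Group the unsigned drivers by vendor. The course notes that Sigverif's vendor column
# helps pinpoint a problem vendor; this does the same from the command line.
$unsigned | Group-Object Manufacturer | Sort-Object Count -Descending | ForEach-Object {
    Write-Host ("`n{0} unsigned driver(s) from '{1}':" -f $_.Count, $_.Name)
    $_.Group | Format-Table DeviceName, INFName -AutoSize | Out-String | Write-Host
}

# Compare with the previous run. An unsigned driver that was not there last time is a
# change that should be explained: new hardware, a vendor tool, or something unexpected.
$previousNames = @()
if (Test-Path $baseline) {
    $previousNames = @(Import-Csv $baseline | ForEach-Object { $_.INFName })
}
$newNames = @($unsigned | Where-Object { $previousNames -notcontains $_.INFName } |
              ForEach-Object { $_.INFName })

if ((Test-Path $baseline) -and $newNames.Count -gt 0) {
    Write-Warning ("New unsigned driver(s) since the baseline: " + ($newNames -join ', '))
} elseif (Test-Path $baseline) {
    Write-Host 'No new unsigned drivers since the baseline was taken.'
} else {
    Write-Host 'No baseline found; recording the current unsigned set as the baseline.'
}

# Record this run as the new baseline (an empty set removes any stale file).
New-Item -ItemType Directory -Path (Split-Path $baseline) -Force | Out-Null
if ($unsigned.Count -gt 0) {
    $unsigned | Export-Csv -Path $baseline -NoTypeInformation
} elseif (Test-Path $baseline) {
    Remove-Item $baseline
}
```

Run the script once to record the baseline, then again after each hardware or driver change (or on a schedule); the warning on the second run is the signal to look at the INF named before trusting the computer's driver set.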
Benefits of Signing and Staging Driver Packages


Because device driver software runs as a part of the operating system, it is critical that
only known and authorized device drivers are permitted to run. Signing and staging
device driver packages on client computers provides the following benefits:
• Improved security: You can allow standard users to install approved device
drivers without compromising computer security or requiring help desk assistance.

• Reduced support costs: Users can install only devices that your organization has
tested and is prepared to support. Therefore, you maintain the security of the
computer while reducing the demands on the help desk.
• Better user experience: A driver package that is staged in the driver store works
automatically when the user plugs in the device. Alternatively, driver packages
placed on a shared network folder can be discovered whenever the operating
system detects a new hardware device. In both cases, the user is not prompted
before installation.

Configuring the Certificate Store to Support an Unknown Certificate Authority

On each computer, Windows maintains a store for digital certificates. As the computer
administrator, you can add certificates from trusted publishers. If a package is received
for which a matching certificate cannot be found, Windows requires confirmation that
the publisher is trusted. By placing a certificate in the certificate store, you inform
Windows that packages signed by that certificate are trusted.
You can use Group Policy to deploy the certificates to client computers. Group Policy
allows you to have the certificate automatically installed to all managed computers in a
domain, organizational unit, or site.

Note: For information about driver signing including requirements, review the “Driver
Signing Requirements for Windows” page in Windows Hardware Developer Central:
http://go.microsoft.com/fwlink/?LinkId=14507
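One way to carry out both halves of this section from the command line, trusting the publisher and then staging the package it signed, as an added example that is not part of the course. The certificate file path, the share name LON-DC1 and the ContosoUsb package are hypothetical; the script assumes the organization's code-signing certificate has already been exported (public part only) and that the package carries a catalog signed with it.

```powershell
# Added example, not from the course: trust the organization's code-signing certificate
# on a client, verify a driver package's catalog signature against it, and stage the
# package so that a standard user can plug in the device with no prompt.
# Run from an elevated PowerShell prompt on the Windows 7 client.
# Assumptions (hypothetical, not from the course): the exported public certificate is
# \\LON-DC1\Drivers\contoso-codesign.cer and the package lives in \\LON-DC1\Drivers\ContosoUsb.

$certFile = '\\LON-DC1\Drivers\contoso-codesign.cer'
$infFile  = '\\LON-DC1\Drivers\ContosoUsb\contosousb.inf'

# 1. Add the publisher certificate to the computer's Trusted Publishers store. The .NET
#    X509Store API is used because it is available on Windows PowerShell 2.0.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'TrustedPublisher', 'LocalMachine'
$store.Open('ReadWrite')
if ($store.Certificates.Contains($cert)) {
    Write-Host ("{0} is already a trusted publisher" -f $cert.Subject)
} else {
    $store.Add($cert)
    Write-Host ("Added {0} (thumbprint {1}) to Trusted Publishers" -f $cert.Subject, $cert.Thumbprint)
}
$store.Close()

# 2. Verify the package's catalog signature before staging it. A catalog that does not
#    verify, or that was signed by some other certificate, should never reach the driver
#    store, because a staged package installs without any further prompt.
$catFile = Get-ChildItem -Path (Split-Path $infFile) -Filter *.cat | Select-Object -First 1
if (-not $catFile) { throw "No catalog (.cat) file found next to $infFile" }
$sig = Get-AuthenticodeSignature -FilePath $catFile.FullName
if ($sig.Status -ne 'Valid') {
    throw ("Refusing to stage {0}: signature status is {1}" -f $catFile.Name, $sig.Status)
}
if ($sig.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw ("Refusing to stage {0}: signed by {1}, not by the expected publisher" -f
           $catFile.Name, $sig.SignerCertificate.Subject)
}
Write-Host ("Catalog {0} verified; signer {1}" -f $catFile.Name, $sig.SignerCertificate.Subject)

# 3. Stage the package in the driver store (Windows 7 pnputil syntax: -a adds a package).
#    Plug and Play can now install the device for any user, without elevation.
pnputil -a $infFile

# 4. List the staged third-party packages; each is published as oemNN.inf.
pnputil -e
```

For a domain, step 1 is what the Group Policy setting under Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Publishers does for every managed computer. The verification in step 2 is the check worth keeping: once a package is staged it installs silently, so the signature should be checked by the administrator, not left to the user's prompt. On 64-bit Windows 7 a trusted publisher entry satisfies the installation prompt only; a kernel-mode driver must additionally be signed in a way that meets the kernel-mode code signing policy.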
Discussion: Options for Recovering from a Driver Problem


If your computer can start successfully, in Safe Mode if necessary, you can use driver
rollback to recover from a device problem. This is most useful in cases when a device
driver update has created a problem. Driver rollback reconfigures a device to use a
previously installed driver, overwriting a more recent driver.
To roll back a driver, restart the computer, if necessary, in Safe Mode. You can start
the computer in Safe Mode by pressing F8 during the boot sequence to access the
Advanced Boot Options menu, and then selecting Safe Mode from the list. After you
have started the computer successfully, as an administrative user, follow these steps to
roll back a device driver:
1. Open Device Manager.
2. Right-click the device to rollback and then click Properties.
3. In the Properties dialog box, click the Drivers tab and then click Roll Back
Driver.
4. In the Driver Package rollback dialog box, click Yes.
Note: Rolling back a driver can cause the loss of new functionality, and can reintroduce
problems that were addressed with the newer version.

Note: The Roll Back Driver button is only available if a previous version of the driver
was installed. If the current driver for the device is the only one that was ever installed
on this computer, then the Roll Back Driver button is not enabled.

System Restore
Occasionally, after you install a device or update a driver for a device, the computer
may not start. This problem may occur in the following situations:
• The new device or the driver causes conflicts with other drivers that are installed
on the computer.
• A hardware-specific issue occurs.
• The driver that is installed is damaged.
Sometimes, performing a driver rollback is not sufficient to recover from a computer
problem. If you are unable to recover the computer by using driver rollback, consider
using System Restore.
System Restore can be used when you want to retain all new data and changes to
existing files, but still return the system to a point when it was running well.
Windows 7 enables you to return your PC to the way it was at a previous point in time
without deleting any personal files. System Restore is reversible because an undo
restore point is created before the restore operation begins. Before the restore
runs, a list appears showing the programs and drivers that will be removed or
restored. To restore a computer to a previous configuration by using System Restore,
you can:
• Use Safe Mode.
• Use Windows Recovery Environment (Windows RE).
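The same facility is scriptable from a running Windows session with the cmdlets that ship in Windows PowerShell 2.0 on Windows 7. The following is an added example, not part of the course, showing the practice a practitioner would want around a driver change: checkpoint first, confirm the checkpoint exists, and restore only if rollback did not help. The checkpoint description is arbitrary.

```powershell
# Added example, not from the course: take a System Restore checkpoint before a driver
# change, find it again afterwards, and restore from it if driver rollback is not enough.
# Run from an elevated PowerShell prompt on a Windows 7 client with System Protection
# enabled for the system drive. The checkpoint description is arbitrary.

$description = 'Before Contoso USB driver 2.1 install'

# 1. Checkpoint first. The DEVICE_DRIVER_INSTALL type labels the point in the System
#    Restore wizard, so it is easy to tell apart from Windows Update checkpoints.
Checkpoint-Computer -Description $description -RestorePointType DEVICE_DRIVER_INSTALL

# 2. (Install or update the driver here, with Device Manager or pnputil -a.)

# 3. Locate the checkpoint. SequenceNumber is what Restore-Computer needs.
$point = Get-ComputerRestorePoint |
    Where-Object { $_.Description -eq $description } |
    Sort-Object SequenceNumber -Descending |
    Select-Object -First 1

if (-not $point) {
    throw 'Checkpoint not found. Is System Protection turned on for the system drive?'
}
Write-Host ("Checkpoint {0} created: {1}" -f $point.SequenceNumber, $point.Description)

# 4. Show every restore point with its type so the operator can pick the right one.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber |
    Format-Table SequenceNumber, RestorePointType, Description -AutoSize

# 5. Only if driver rollback did not help: restore to the checkpoint. This restarts the
#    computer, keeps personal files, and creates an undo point first, as the lesson
#    describes. It is commented out here so that running the script does not reboot.
# Restore-Computer -RestorePoint $point.SequenceNumber -Confirm
```

If the computer no longer starts normally, the same restore point is offered by System Restore in Safe Mode and in Windows RE; the checkpoint taken in step 1 is what makes that recovery path short.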

Last Known Good Configuration


Even the earliest versions of the Microsoft Windows NT® operating system provided
the Last Known Good Configuration option as a way of rolling the system back to a
previous configuration. In Windows 7, startup-related and device-related
configuration information is stored in the registry, in the HKLM\SYSTEM hive.
Several numbered control sets (ControlSet001, ControlSet002, and so on) are stored
beneath this hive. HKLM\SYSTEM\CurrentControlSet is a link to the control set that
the running system is using, and the values in the HKLM\SYSTEM\Select key (Current,
Default, Failed, and LastKnownGood) record which numbered control set plays each
role.
When you make a device configuration change to the computer, the change is stored in
the CurrentControlSet key, in the appropriate registry subkey and value. After you
restart the computer and log on successfully, Windows marks the control set that was
used for that start as the Last Known Good configuration, so the two are in sync.
However, if you experience a startup problem after a device configuration change and
do not log on, the two control sets remain out of sync, and the LastKnownGood
control set still contains the previous, working configuration.
To use the Last Known Good Configuration, restart the computer without logging on,
and press F8 during the boot sequence to access the Advanced Boot Options menu.
Select Last Known Good Configuration (advanced) from the list.
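What the Select values and control sets described above look like on a live system, and which driver changes Last Known Good would undo, can be read directly from the registry. The following is an added example, not part of the course; it only reads the registry and uses no names beyond the keys named in the lesson.

```powershell
# Added example, not from the course: read HKLM\SYSTEM\Select to see which numbered
# control set is in use and which one is Last Known Good, then list the services and
# drivers whose start type differs between the two. The script only reads the registry;
# run it from an elevated prompt so that no service key is skipped for access reasons.

$select  = Get-ItemProperty -Path 'HKLM:\SYSTEM\Select'
$current = 'ControlSet{0:D3}' -f $select.Current
$lkg     = 'ControlSet{0:D3}' -f $select.LastKnownGood

Write-Host "CurrentControlSet -> $current"
Write-Host "LastKnownGood     -> $lkg"
if ($select.Failed -gt 0) {
    Write-Host ("Failed            -> ControlSet{0:D3}" -f $select.Failed)
}

if ($current -eq $lkg) {
    Write-Host 'Both point at the same control set: the last start was followed by a'
    Write-Host 'successful logon, so there is no older configuration to fall back to.'
    return
}

# Start values used under Services: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-StartTypes([string]$controlSet) {
    # Returns a hashtable of service/driver name -> Start value for one control set.
    $map = @{}
    Get-ChildItem "HKLM:\SYSTEM\$controlSet\Services" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($props -and $props.PSObject.Properties['Start']) {
                $map[$_.PSChildName] = [int]$props.Start
            }
        }
    return $map
}

function Get-StartLabel($map, $name) {
    if ($map.ContainsKey($name)) {
        $value = $map[$name]
        if ($startNames.ContainsKey($value)) { return $startNames[$value] }
        return "Start=$value"
    }
    return '(absent)'
}

$cur = Get-StartTypes $current
$old = Get-StartTypes $lkg

# Entries present in only one set, or with different start types, are the changes made
# since the last good boot: a newly installed driver shows up as (absent) on the LKG side.
$names = @($cur.Keys) + @($old.Keys) | Sort-Object -Unique
$diff = foreach ($name in $names) {
    if (-not $cur.ContainsKey($name) -or -not $old.ContainsKey($name) -or
        $cur[$name] -ne $old[$name]) {
        New-Object PSObject -Property @{
            Service            = $name
            LastKnownGoodStart = Get-StartLabel $old $name
            CurrentStart       = Get-StartLabel $cur $name
        }
    }
}
$diff | Format-Table Service, LastKnownGoodStart, CurrentStart -AutoSize
```

Running this immediately after a driver installation, before the next restart, shows exactly which entries Last Known Good Configuration would discard if the restart fails; a driver with Boot or System start on the current side and (absent) on the Last Known Good side is the usual culprit when the computer no longer starts.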
If you have a hardware problem, it can be caused by hardware or a device driver.
Fortunately, the process to update device drivers to a newer version is straightforward.
Alternatively, device drivers can be rolled back to an older version, or reinstalled.
Troubleshooting hardware problems often starts by troubleshooting device drivers. To
identify a device driver problem, answer the following questions:
• Did you recently upgrade the device driver or other software related to the
hardware? If so, roll back the device driver to the previous version.
• Are you experiencing occasional problems, or is the device not compatible with
the current version of Windows? If so, upgrade the device driver.
• Did the hardware suddenly stop working? If so, upgrade the device driver. If that
does not solve the problem, reinstall the device driver. If the problem continues,
try troubleshooting the hardware problem.
Demonstration: Managing Drivers by Using Device Manager

In this demonstration, you see how to update a device driver, and then roll back that
driver update. This demonstration requires two computer restarts.

Update a Device Driver


1. On LON-CL1 click Start, right-click Computer and then click Manage.
2. In Computer Management, click Device Manager.
3. Expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update
Driver Software.
4. In the Update Driver Software – Standard PS/2 Keyboard dialog box, click
Browse my computer for driver software.
5. On the Browse for driver software on your computer page, click Let me pick
from a list of device drivers on my computer.
6. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard
(101/102 Key) and then click Next.
7. Click Close.
8. In the System Settings Change dialog box, click Yes to restart the computer.

Roll Back a Device Driver

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, right-click Computer, and then click Manage.
3. In Computer Management, click Device Manager.
4. Expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102
Key) and then click Properties.
5. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box,
click the Driver tab.
6. Click Roll Back Driver.
7. In the Driver Package rollback dialog box, click Yes.
8. Click Close, and then in the System Settings Change dialog box, click Yes to
restart the computer.
9. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
10. Click Start, right-click Computer, and then click Manage.
11. In Computer Management, click Device Manager.
12. Expand Keyboards and then click Standard PS/2 Keyboard.
13. Verify that you have successfully rolled back the driver.
14. Close Computer Management.

Question: If your computer does not start up normally due to a device driver issue, what
options are there for performing a driver rollback?

Answer: Try starting in Safe Mode and then rolling the driver back. If you have not
logged on since the driver change, Last Known Good Configuration is another option.
Module Review and Takeaways

Review Questions
1. You are implementing 64-bit Windows 7 and need to partition the disk to support
25 volumes, some of which will be larger than 2 TB. Can you implement this
configuration using a single hard disk?
2. You have created a volume on a newly installed hard disk by using diskpart.exe.
Now, you want to continue using diskpart.exe to perform the following tasks:
• Format the volume for NTFS
• Assign the next available drive letter.
• Assign a volume label of “sales-data”
What two commands must you use for these tasks?

3. Your organization has recently configured Windows Update to automatically
update the Accounting department's computers at 03:00. This conflicts with the
weekly defragmentation of the computers on Wednesday mornings. You must
reconfigure the scheduled defragmentation task to occur at midnight on Tuesdays
instead. List the steps to modify the defragmentation schedule.
4. You recently upgraded to Windows 7 and are experiencing occasional problems
with the shortcut keys on your keyboard. Describe the first action you might take
to resolve the issue and list the steps to perform the action.

Review Answers
1. Yes, you can initialize the disk as GPT rather than MBR. A GPT disk supports up to
128 partitions, each of which can be much larger than 2 TB. In addition, 64-bit
Windows 7 can boot from a GPT disk on a UEFI-based computer.
2. The two commands are as follows:

format fs=ntfs label=sales-data

assign

3. Follow these steps to modify the defragmentation schedule:


a. Right-click the volume in Windows Explorer, click Properties, click the
Tools tab, and then click Defragment Now.
b. In the Disk Defragmenter window, click Configure schedule.
c. In the Disk Defragmenter: Modify Schedule window, change Choose day
to Tuesday, and change Choose time to 12:00 AM (midnight). Click OK.
d. Click Close on the Disk Defragmenter window, and OK on the Properties
window.
4. Update the device driver for the keyboard. To manually update the driver used for
the keyboard, follow these steps in Device Manager:
a. Double-click the Keyboard category of devices.
b. Right-click the device and then click Update Driver Software.
c. Follow the instructions in the Update Driver Software wizard.

Common Issues
Identify the causes for the following common issues and fill in the troubleshooting tips.
For answers, refer to relevant lessons in the module and the course companion CD
content.

Issue: Configuring disk quotas on multiple volumes
Troubleshooting tip: Once a quota is created, you can export it and then import it for
a different volume. In addition to establishing quota settings on an individual
computer by using the methods outlined above, you can also use Group Policy settings
to configure quotas. This enables administrators to configure multiple computers with
the same quota settings.

Issue: Exceeding the quota allowance
Troubleshooting tip: To increase free disk space after exceeding the quota allowance,
the user can try the following:
• Delete unnecessary files
• Have another user claim ownership of non-user-specific files
• Increase the quota allowance as volume size and policy permits

Issue: If you have a hardware problem, it can be caused by hardware or a device driver.
Troubleshooting hardware problems often starts by troubleshooting device drivers.
Troubleshooting tip: To identify a device driver problem, answer the questions:
• Did you recently upgrade the device driver or other software related to the
hardware? If so, roll back the device driver to the previous version.
• Are you experiencing occasional problems, or is the device not compatible with the
current version of Windows? If so, upgrade the device driver.
• Did the hardware suddenly stop working? If so, upgrade the device driver. If that
does not solve the problem, reinstall the device driver. If the problem continues, try
troubleshooting the hardware problem.

Issue: Verify a disk requires defragmentation
Troubleshooting tip: To verify that a disk requires defragmentation, in Disk
Defragmenter select the disk you want to defragment and then click Analyze disk. Once
Windows is finished analyzing the disk, check the percentage of fragmentation on the
disk in the Last Run column. If the number is high, defragment the disk.

Issue: View shadow copy storage information
Troubleshooting tip: To view shadow copy storage information, use the Volume Shadow
Copy Service administrative command-line tool. Start an elevated Command Prompt and
then type "vssadmin list shadowstorage". The used, allocated, and maximum shadow copy
storage space is listed for each volume.

Best Practices
Supplement or modify the following best practices for your own work situations:
• Every time a change is made to a computer, record it. It can be recorded in a
physical notebook attached to the computer, or in a spreadsheet or database
available on a centralized share that is backed up nightly.

If you keep a record of all changes made to a computer, you can trace the changes
in order to troubleshoot problems and offer support professionals correct
configuration information. The Reliability Monitor can be used to track changes to
the system such as application installs or uninstalls.
• When deciding what type of volume to create, consider the following questions:
• How critical is the data or information on the computer?
• Can automatic replication be set up quickly and easily?
• If the computer became unbootable, what will be the impact on your
business?
• Is the computer handling multiple functions?
• Is the data on the computer being backed up on a regular basis?
Use the information in the following table to assist as needed.

Task: Add a new disk
Reference: http://go.microsoft.com/fwlink/?LinkId=64100

Task: Best Practices for Disk Management
Reference: http://go.microsoft.com/fwlink/?LinkId=153231

Task: Confirm that you are a member of the Backup Operators group or the
Administrators group
Reference: Search Help and Support for "standard account" and "administrator
account". For information about groups: http://go.microsoft.com/fwlink/?LinkId=64099

Task: Create partitions or volumes
Reference: http://go.microsoft.com/fwlink/?LinkId=64106;
http://go.microsoft.com/fwlink/?LinkId=64107

Task: Device Management and Installation
Reference: http://go.microsoft.com/fwlink/?LinkId=143990

Task: For information about driver signing, including requirements, review the
"Driver Signing Requirements for Windows" page in Windows Hardware Developer Central
Reference: http://go.microsoft.com/fwlink/?LinkId=14507

Task: Format volumes on the disk
Reference: http://go.microsoft.com/fwlink/?LinkId=64101;
http://go.microsoft.com/fwlink/?LinkId=64104;
http://go.microsoft.com/fwlink/?LinkId=64105

Task: Overview of Disk Management
Reference: http://go.microsoft.com/fwlink/?LinkId=64098

Task: Performance tuning guidelines
Reference: http://go.microsoft.com/fwlink/?LinkId=121171

Task: Windows 7 Springboard Series
Reference: http://go.microsoft.com/fwlink/?LinkId=147459

Task: Windows Device Experience
Reference: http://go.microsoft.com/fwlink/?LinkId=132146

Tools

Tool: Defrag.exe
Use for: Performing disk defragmentation tasks from the command line
Where to find it: Command Prompt

Tool: Device Manager
Use for: Viewing and updating hardware settings and driver software for devices such
as internal hard drives, disc drives, sound cards, video or graphics cards, memory,
processors, and other internal computer components
Where to find it: Control Panel

Tool: Device Stage
Use for: Help when interacting with any compatible device connected to the computer.
From Device Stage you can view the device's status and run common tasks from a single
window. Pictures of the devices make it simpler to see what is there.
Where to find it: Taskbar

Tool: Devices and Printers
Use for: Provides users a single location to find and manage all the devices
connected to their Windows 7-based computers. Also provides quick access to device
status, product information, and key functions such as faxing and scanning.
Where to find it: Control Panel

Tool: Disk Defragmenter
Use for: Rearranging fragmented data so that disks and drives can work more
efficiently
Where to find it: In Windows Explorer, right-click a volume, click Properties, click
the Tools tab, and then click Defragment Now.

Tool: Disk Management
Use for: Managing disks and volumes, both basic and dynamic, locally or on remote
computers
Where to find it: Click Start, type "diskmgmt.msc" in the search box, and then click
diskmgmt.msc in the results list.

Tool: Diskpart.exe
Use for: Managing disks, volumes, and partitions from the command line or from
Windows PE
Where to find it: Open a command prompt and then type "diskpart"

Tool: Fsutil.exe
Use for: Performing tasks that are related to file allocation table (FAT) and NTFS
file systems, such as managing reparse points, managing sparse files, or dismounting a
volume
Where to find it: Command Prompt (elevated)

Tool: Pnputil.exe
Use for: Adding drivers to and managing drivers in the driver store
Where to find it: Command Prompt (elevated)

Tool: Quota Settings
Use for: Tracking and restricting disk consumption
Where to find it: In Windows Explorer, right-click a volume, click Properties, click
Quota, and then click Show Quota Settings.

Tool: File Signature Verification (Sigverif.exe)
Use for: Checking whether unsigned device drivers are in the system area of a
computer
Where to find it: Start menu

Tool: Volume Shadow Copy Service (Vssadmin.exe)
Use for: Viewing and managing shadow copy storage space
Where to find it: Command Prompt (elevated)

Tool: Windows Update
Use for: Automatically applying updates that are additions to software that can help
prevent or fix problems, improve how your computer works, or enhance your computing
experience
Where to find it: Online

Common Terms, Definitions, and Descriptions


Term: Basic disk
Definition: A disk initialized for basic storage. A basic disk contains basic volumes,
such as primary partitions, extended partitions, and logical drives.

Term: Dynamic disk
Definition: A disk initialized for dynamic storage. A dynamic disk contains dynamic
volumes, such as simple volumes, spanned volumes, striped volumes, mirrored volumes,
and RAID-5 volumes.

Term: Volume
Definition: A storage unit made from free space on one or more disks. It can be
formatted with a file system and assigned a drive letter. Volumes on dynamic disks
can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5.
All volumes on a physical disk must be either basic or dynamic, and each disk must be
partitioned. You can view the contents of a volume by clicking its icon in Windows
Explorer or in My Computer. A single hard disk can have multiple volumes, and volumes
can also span multiple disks.

Term: System volume
Definition: The disk volume that contains the hardware-specific files that are needed
to start Windows. On x86 computers, the system volume must be a primary volume that
is marked as active. This requirement can be fulfilled on any drive on the computer
that the system BIOS searches when the operating system starts. The system volume can
be the same volume as the boot volume, but this configuration is not required. There
is only one system volume.

Term: Boot volume
Definition: The disk volume that contains the Windows operating system files and the
supporting files. The boot volume can be the same volume as the system volume, but
this configuration is not required. There is one boot volume for each operating
system in a multi-boot system.

Term: Partition
Definition: A contiguous space of storage on a physical or logical disk that functions
as though it were a physically separate disk.

Term: Disk partitioning
Definition: The process of dividing the storage on a physical disk into manageable
sections that support the requirements of a computer operating system.

Term: Logical Block Address (LBA)
Definition: A method of expressing a data address on a storage medium. Used with SCSI
and IDE disk drives to translate specifications of the drive into addresses that can
be used by an enhanced BIOS. LBA is used with drives that are larger than 528 MB.
Configuring File Access and Printers on Windows 7 Clients 3-1

Module 3
Configuring File Access and Printers on Windows
7 Clients
Contents:
Lesson 1: Overview of Authentication and Authorization 3-3
Lesson 2: Managing File Access in Windows 7 3-15
Lesson 3: Managing Shared Folders 3-41
Lesson 4: Configuring File Compression 3-62
Lesson 5: Managing Printing 3-75
Module Overview

This module provides the skills and knowledge needed to manage access to shared
folders and printers on a computer running the Windows® 7 operating system.
Specifically, the module describes how to share and secure folders, configure folder
compression, and how to install, configure, and administer printing.
To maintain network or local file and printer systems, it is essential to understand how
to secure these systems and make them operate as efficiently and effectively as
possible. This includes setting up NTFS folder permissions, compressing and
managing shared folders and files, and configuring printers.
Lesson 1
Overview of Authentication and Authorization

The Windows 7 operating system provides a new generation of security technologies
for the desktop. Some of these security technologies are aimed at strengthening the
overall Windows infrastructure, and others are aimed at helping to control both your
system and your data.
Before effectively defining Windows 7 security measures such as NTFS permissions
and file and folder sharing properties, it is essential to understand the user account
types that are used during security configuration, and how the Kerberos protocol
authenticates and authorizes user logons. This lesson examines these features, which
provide the foundation upon which the Windows security infrastructure is built.
What are Authentication and Authorization?

Authentication is the process used to confirm a user's identity when he or she accesses
a computer system or another system resource. In private and public computer
networks (including the Internet), the most common authentication method used to
control access to resources is verification of a user's credentials; that is, a
user name and password. For critical transaction types, such as payment
processing, password-only authentication has an inherent weakness: passwords can be
guessed, stolen, or accidentally revealed. Because of this weakness, many Internet
businesses rely on digital certificates that are issued and verified by a
Certification Authority for higher-assurance authentication.
Authentication logically precedes authorization. Authorization allows a system to
determine whether an authenticated user can access and possibly update secured
system resources. Examples of authorized permissions include file and file directory
access, hours of access, amount of allocated storage space, and so on. There are two
components to authorization:
• The initial definition of permissions for system resources by a system
administrator.

• The subsequent checking of permission values by the system or application when a
user attempts to access or update a system resource.

It is possible to have authorization and access without authentication. This is the case
when permissions are granted for anonymous users that are not authenticated.
Typically, these permissions are limited.
Authentication and Authorization Process

User Account Types and Rights
To understand the authentication and authorization process, you must first understand
the role of user accounts. A user account is a collection of information that tells
Windows which user rights and access permissions a person has on a computer. A user
account records the user name, password, and a unique number that identifies that
account. The following user account types are available on Windows 7:
• Standard: This allows you to use most of the capabilities of the computer. A
person logged in with a standard user account can use most programs that are
installed on the computer and change settings that affect his or her user account.
However, the user cannot install or uninstall some software and hardware, delete
files that are required for the computer to work, or change settings that affect other
users or the security of the computer. A standard user might be prompted for an
administrator password before he or she can perform certain tasks.
• Administrator: This allows you to make changes that affect other users.
Administrators can change security settings, install software and hardware, and
access all files on the computer. Administrators can also make changes to other
user accounts.

• Guest: This allows another person to have temporary access to your computer.
People using the guest account cannot install software or hardware, change
settings, or create a password. The guest account must be turned on before it can
be used.

Note: When setting up a computer, you are required to create an administrator user
account. This account provides the ability to set up your computer and install any
programs that you want to use. Once you are finished setting up your computer, it is
recommended to use a standard user account for your day-to-day computing. It is more
secure to use a standard user account instead of an administrator account because it
can prevent people from making changes that affect everyone who uses the computer,
especially if your user account logon credentials are stolen.

Windows Authentication Methods


Users must be authenticated to verify their identity when accessing files over the
network. This is done during the network logon process. The Windows 7 operating
system includes the following authentication methods for network logons:
• Kerberos version 5 protocol: The main logon authentication method used by
clients and servers running Microsoft Windows® operating systems. It is used to
authenticate both user accounts and computer accounts.
• Windows NT LAN Manager (NTLM): Used for backward compatibility with
pre-Windows 2000 operating systems and some applications. It is less flexible, less
efficient, and less secure than the Kerberos version 5 protocol.
• Certificate mapping: Typically used in conjunction with smart cards for logon
authentication. The certificate stored on a smart card is linked to a user account for
authentication. A smart card reader is used to read the smart cards and authenticate
the user.

Kerberos Authentication
For Windows 7 clients, the Kerberos authentication protocol provides the mechanism
for mutual authentication between the client and a server before a network connection
is opened between them. In a client/server application model:
• Windows 7 clients are programs acting on behalf of users who need something
done: a file opened, a mailbox accessed, a database queried, a document printed.
• Servers (such as Windows Server 2008) are programs providing services to clients:
file storage, mail handling, query processing, print spooling, or any number of
other specialized tasks.

Clients initiate action, servers respond. Typically, this means that the server listens at a
communications port, waiting for clients to connect and ask for service.
In the Kerberos security model, every client/server connection begins with
authentication. Client and server, in turn, step through a sequence of actions designed
to verify to the party on each end of the connection that the party on the other end is
genuine. If authentication is successful, session setup completes and the client/server
application is free to start working.

Benefits of Kerberos Authentication for Windows 7 Clients


Kerberos version 5 allows administrators to turn off NTLM authentication once all
network clients are capable of Kerberos authentication. The Kerberos protocol is more
flexible and efficient than NTLM, and more secure. The benefits gained by using
Kerberos authentication are:
• Faster connections: With NTLM authentication, an application server must
connect to a domain controller to authenticate each client. With Kerberos
authentication, the server does not need to go to a domain controller. It can
authenticate the Windows 7 client by examining credentials presented by the
client. Clients can obtain credentials for a particular server once and reuse them
throughout a network logon session.
• Mutual authentication: NTLM allows servers to verify the identities of their
clients. It does not allow clients to verify a server’s identity, or one server to verify
the identity of another. NTLM authentication was designed for a network
environment in which servers were assumed to be genuine. The Kerberos protocol
makes no such assumption. Parties at both ends of a network connection can know
that the party on the other end is who it claims to be.
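Before NTLM is turned off, an administrator wants to know which network logons still use it. The following script is an added example, not part of the course; it assumes an elevated PowerShell session on a Windows 7 client or domain member with logon auditing enabled, and the sample bounds ($Days, $MaxEvents) are arbitrary.

```powershell
# Added example (not course material): summarise successful logons (Security log
# event 4624) by authentication package, so the accounts and sources that still
# arrive over NTLM are visible before NTLM is disabled.
# Assumes an elevated session and that logon auditing is enabled.
function Get-NetworkLogonAuthSummary {
    param(
        [int]$Days = 7,          # arbitrary look-back window
        [int]$MaxEvents = 5000   # arbitrary sample size
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            AuthPackage = $data['AuthenticationPackageName']
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
        }
    }

    # Logon type 3 is a network logon, the kind a file-share connection produces.
    # "Kerberos" is what you want to see; "NTLM" rows name the clients that still
    # need attention; "Negotiate" appears for some local and service logons.
    $rows | Where-Object { $_.LogonType -eq '3' } |
        Group-Object -Property AuthPackage |
        ForEach-Object {
            New-Object PSObject -Property @{
                AuthPackage = $_.Name
                Logons      = $_.Count
                Accounts    = ($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ', '
                Sources     = ($_.Group | ForEach-Object { $_.SourceIP } | Sort-Object -Unique) -join ', '
            }
        }
}

Get-NetworkLogonAuthSummary | Format-Table -AutoSize
```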

Question: Which authentication method is used when a client computer running the
Windows 7 operating system logs on to Active Directory?

Answer: Kerberos version 5 protocol is used unless smart cards are being used. If
smart cards are being used, then certificate mapping is the authentication method.

New Authentication Features in Windows 7



For Windows 7, you must be familiar with the system’s new authentication
functionality incorporated by the following features:
• Smart cards
• Biometrics
• Online Identity Integration

Smart Cards
Smart card usage is expanding rapidly. To encourage more organizations and users to
adopt smart cards for enhanced security, Windows 7 includes new features that make
smart cards easier to use and to deploy, and make it possible to use smart cards to
complete a greater variety of tasks.
Windows 7 provides enhanced support for the following features:
• Smart card–related Plug and Play: Users of Windows 7 can employ smart cards
from vendors who have published their drivers through Windows Update without
needing special middleware. These drivers are downloaded in the same way as
drivers for other devices in Windows.

• Personal Identity Verification (PIV) standard from the National Institute of
Standards and Technology (NIST): When a PIV-compliant smart card is
inserted into a smart card reader, Windows attempts to download the driver from
Windows Update. If an appropriate driver is not available from Windows Update,
a PIV-compliant mini-driver that is included with Windows 7 is used for the card.
• Kerberos support for smart card logon: In Windows 7 and Windows
Server 2008 R2, Kerberos supports elliptic curve cryptography (ECC) for smart
card logon. Although this change is not visible to end users, they will benefit from
stronger cryptography for their smart card logons. There is no configuration
required to obtain ECC support in Kerberos. However, smart cards and readers
must support ECC.
• Encrypting drives with BitLocker Drive Encryption: In the Windows 7
Enterprise and Windows 7 Ultimate operating systems, users can choose to
encrypt their removable media by turning on BitLocker and then choosing the
smart card option to unlock the drive. At run time, Windows retrieves the correct
mini-driver for the smart card and allows the operation to complete.
• Document and e-mail signing: Windows 7 users can rely on Windows to retrieve
the correct mini-driver for a smart card at run time to sign an e-mail or document.
In addition, XML Paper Specification (XPS) documents can be signed without the
need for additional software.
• Use with line-of-business applications: In Windows 7, any application that uses
Cryptography Next Generation (CNG) or CryptoAPI to enable the application to
use certificates can rely on Windows to retrieve the correct mini-driver for a smart
card at run time so that no additional middleware is needed.

Biometrics
Biometrics is an increasingly popular technology that provides convenient access to
systems, services, and resources. Biometrics relies on measuring an unchanging
physical characteristic of a person to uniquely identify that person. Fingerprints are one
of the most frequently used biometric characteristics, with millions of fingerprint
biometric devices that are embedded in personal computers and peripherals.
Windows 7 allows administrators and users to use fingerprint biometric devices to:
• Log on to computers.
• Grant elevation privileges through User Account Control (UAC). When a standard
user performs a task that requires administrative permissions, UAC (which is
examined in module 6) allows the user to “elevate” his or her status from a
standard user account to an administrator account without logging off, switching
users, or using Run as.

• Perform basic management of fingerprint devices in Group Policy settings by
enabling, limiting, or blocking their use.

A growing number of computers, particularly portable computers, include embedded
fingerprint readers. Fingerprint readers can be used for identification and authentication
of users in Windows. Until now, there has been no standard support for biometric
devices or for biometric-enabled applications in Windows. Computer manufacturers
had to provide software to support biometric devices in their products. This made it
more difficult for users to use the devices and administrators to manage the use of
biometric devices.
To address this issue, Windows 7 introduces the Windows Biometric Framework
(WBF), which provides support for fingerprint biometric devices through a new set of
components. These components improve the quality, reliability, and consistency of the
user experience for customers who have fingerprint biometric devices. WBF provides
the following benefits:
• Makes integration easier and more consistent to help deliver enhanced reliability,
compatibility and usability of fingerprint-based solutions.
• Makes it easier for developers to include biometrics in their applications by
providing a common API that can be added independently with each biometric
fingerprint solution.
WBF includes the following features:
• A Biometric Devices Control Panel item that allows users to control the
availability of biometric devices and whether they can be used to log on to a local
computer or domain.
• Device Manager support for managing drivers for biometric devices.
• Credential provider support to enable and configure the use of biometric data to
log on to a local computer and perform UAC elevation.
• Group Policy settings to enable, disable, or limit the use of biometric data for a
local computer or domain. Group Policy settings can also prevent installation of
biometric device driver software or force the biometric device driver software to
be uninstalled.
• Biometric device driver software available from Windows Update.
These new biometric features provide a consistent way to implement fingerprint
biometric–enabled applications and manage fingerprint biometric devices on
stand-alone computers or on a network. The Windows Biometric Framework makes
biometric devices easier for users and administrators to configure and control on a local
computer or in a domain.

Online Identity Integration


Account management is an important security strategy. Group Policy is used to allow
or prevent online IDs from authenticating to specific computers or all computers that
you manage.
In Windows 7, users in a small network can elect to share data between selected
computers and individual users. This feature complements the Homegroup feature in
Windows 7 by using online IDs to identify individuals within the network. Users must
explicitly link their Windows user account to an online ID to allow this authentication.
The inclusion of the Public Key Cryptography Based User-to-User (PKU2U) protocol
in Windows permits the authentication to occur by using certificates.
The PKU2U protocol in Windows 7 and Windows Server 2008 R2 is implemented as a
Security Support Provider (SSP). The SSP enables peer-to-peer authentication,
particularly through the Windows 7 media and file sharing feature called Homegroup,
which permits sharing between computers that are not members of a domain.
The policy setting titled “Network security: Allow PKU2U authentication requests
to this computer to use online IDs” controls the ability of online IDs to authenticate
to this computer by using the PKU2U protocol. This policy setting does not affect the
ability of domain accounts or local user accounts to be used to log on to this computer.

Question: What are some of the ways that fingerprint biometric devices are used in
Windows 7?
Answer: Answers can vary, but the three primary uses include:
• Log on to computers.
• Grant elevation privileges through User Account Control (UAC).
• Perform basic management of fingerprint devices in Group Policy settings by
enabling, limiting, or blocking their use.

Lesson 2
Managing File Access in Windows 7

The most common way that users access data is from file shares on the network.
Controlling access to file shares is done with file share permissions and NTFS
permissions. Understanding how to determine effective permissions is essential to
securing your files.
NTFS file system permissions allow you to define the level of access that users have to
files that are available on the network, or locally on your Windows 7 computer. This
lesson explores NTFS file system permissions and the effect of various file and folder
activities on these permissions.

What are NTFS Permissions?



Permission is the authorization to perform an operation on a specific object, such as a
file. Permissions can be granted by owners and by anyone with the permission to grant
permissions. Normally this includes administrators on the system. If you own an
object, you can grant any user or security group any permission on that object,
including the permission to take ownership.
Every container and object on the network has a set of access control information
attached to it. Known as a security descriptor, this information controls the type of
access allowed to users and groups. Permissions, which are defined within an object’s
security descriptor, are associated with, or assigned to, specific users and groups.
File and folder permissions define the type of access that you grant to a user, group, or
computer on a file or folder. For example, you can let one user read the contents of a
file, let another user make changes to the file, or prevent all other users from accessing
the file. You can set similar permissions on folders.
There are two levels of permissions:
• Shared folder permissions: Allow security principals, such as users, to access
shared resources from across the network. Shared folder permissions are only in
effect when a user accesses a resource from the network. This topic is covered in
greater detail in the next lesson.
• NTFS file system permissions: Are always in effect, whether connected across
the network or logged on to the local machine where the resource is located. You
grant NTFS permissions to a file or folder for a named group or user.
Each NTFS file and folder has an access control list (ACL) with a list of users and
groups that are assigned permissions to the file or folder. Each entry in the ACL is an
access control entry that specifies the specific permissions granted to a user or group.

Conflicts between User Rights and Permissions


User rights allow administrators to assign specific privileges and logon rights to groups
or users. These rights authorize users to perform specific actions, such as logging on to
a system interactively or backing up files and directories. User rights are different from
permissions because user rights apply to user accounts and permissions are attached to
objects.
Administrators can use user rights to manage who has the authority to perform
operations that span an entire computer, rather than a particular object. Administrators
assign user rights (also known as privileges) to individual users or groups as part of the
security settings for the computer. Although user rights can be managed centrally
through Group Policy, they are applied locally. Users can (and usually do) have
different user rights on different computers.
Unlike permissions, which are granted by an object’s owner, user rights are assigned as
part of the local security policy for the computer.
There are two types of user rights: privileges, such as the right to back up files and
directories, and logon rights, such as the right to log on to a system locally.
Conflicts between privileges and permissions normally occur only in situations where
the rights that are required to administer a system overlap the rights of resource
ownership. When rights conflict, a privilege overrides a permission.
For example, to create a backup of files and folders, backup software must be able to
traverse all folders in an NTFS volume, list the contents of each folder, read the
attributes of every file, and read data in any file that has its archive attribute set. It is
impractical to arrange this access by coordinating with the owner of every file and
folder; therefore, the required rights are included in the Back up files and directories
privilege, which is assigned by default to two built-in groups: Administrators and
Backup Operators. Any user who has this privilege can access all files and folders on
the computer for the purpose of backing up the system. The same default permissions
granted to Backup Operators that allow them to back up and restore files also make it
possible for Backup Operators to use the group’s permissions for other purposes, such
as reading another user’s files or installing Trojan horse programs. Therefore, the
Backup Operators group must be limited to only highly trusted user accounts that
require the ability to back up and restore computers.
The ability to take ownership of files and other objects is another case where an
administrator’s need to maintain the system takes priority over an owner’s right to
control access. Normally, you can take ownership of an object only if its current owner
gives you permission to do so. Owners of NTFS objects can allow another user to take
ownership by granting the other user Take Ownership permission; owners of
Active Directory objects can grant another user Modify Owner permission. A user who
has this privilege can take ownership of an object without the current owner’s
permission. By default, the privilege is assigned only to the built-in Administrators
group. It is normally used by administrators to take and reassign ownership of
resources when their current owner is no longer available.

Types of NTFS Permissions


There are two types of NTFS permissions – standard and special.
• Standard permissions are the most commonly used permissions.
• Special permissions provide a finer degree of control for assigning access to files
and folders; however, special permissions are more complex to manage than
standard permissions.

Standard File and Folder Permissions


The following list describes the standard NTFS file and folder permissions. You can
choose whether to allow or deny each of the permissions.

• Full Control: Gives complete control of the file or folder and control of its
permissions.
• Modify: Read and write access.
• Read and Execute: A file can be read and programs can be started. Folder content
can be seen and programs can be started.
• Read: Read-only access.
• Write: File content can be changed and the file can be deleted. Folder content can
be changed and files can be deleted.
• Special permissions: A custom configuration.

Note: Groups or users granted Full Control on a folder can delete any files in that folder
regardless of the permissions protecting the file.

To modify NTFS permissions, you must be given the Full Control NTFS permission
for a folder or file. The one exception is for file and folder owners. The owner of a file
or folder can modify NTFS permissions even if they do not have any current NTFS
permissions. Administrators can take ownership of files and folders to make
modifications to NTFS permissions.

Special File and Folder Permissions


Special permissions give you a finer degree of control for assigning access to files and
folders; however, special permissions are more complex to manage than standard
permissions. The following list defines the special permissions that can be custom
configured for each file and folder.

• Traverse Folder/Execute File: The Traverse Folder permission applies only to
folders. This permission allows or denies the user from moving through folders to
reach other files or folders, even if the user has no permissions for the traversed
folders. Traverse Folder takes effect only when the group or user is not granted the
Bypass Traverse Checking user right, which is assigned in the Group Policy snap-in.
By default, the Everyone group is given the Bypass Traverse Checking user right.
The Execute File permission allows or denies running program files. If you set the
Traverse Folder permission on a folder, the Execute File permission is not
automatically set on all files in that folder.
• List Folder/Read Data: The List Folder permission allows or denies the user from
viewing file names and subfolder names in the folder. The List Folder permission
applies only to folders and affects only the contents of that folder. This permission
is not affected if the folder that you are setting the permission on is listed in the
folder list. The Read Data permission applies only to files and allows or denies the
user from viewing data in files.
• Read Attributes: The Read Attributes permission allows or denies the user from
viewing the attributes of a file or folder, such as the read-only and hidden
attributes. Attributes are defined by NTFS.
• Read Extended Attributes: The Read Extended Attributes permission allows or
denies the user from viewing the extended attributes of a file or folder. Extended
attributes are defined by programs and can vary by program.
• Create Files/Write Data: The Create Files permission applies only to folders and
allows or denies the user from creating files in the folder. The Write Data
permission applies only to files and allows or denies the user from making changes
to the file and overwriting existing content.
• Create Folders/Append Data: The Create Folders permission applies only to folders
and allows or denies the user from creating folders in the folder. The Append Data
permission applies only to files and allows or denies the user from making changes
to the end of the file but not from changing, deleting, or overwriting existing data.
• Write Attributes: The Write Attributes permission allows or denies the user from
changing the attributes of a file or folder, such as read-only or hidden. Attributes
are defined by NTFS. The Write Attributes permission does not imply that you can
create or delete files or folders; it includes only the permission to make changes to
the attributes of a file or folder. To allow or to deny Create or Delete operations,
see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and
Files, and Delete.
• Write Extended Attributes: The Write Extended Attributes permission allows or
denies the user from changing the extended attributes of a file or folder. Extended
attributes are defined by programs and can vary by program. The Write Extended
Attributes permission does not imply that the user can create or delete files or
folders; it includes only the permission to make changes to the attributes of a file
or folder. To allow or to deny Create or Delete operations, see Create Files/Write
Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.
• Delete Subfolders and Files: The Delete Subfolders and Files permission applies
only to folders and allows or denies the user from deleting subfolders and files,
even if the Delete permission is not granted on the subfolder or file.
• Delete: The Delete permission allows or denies the user from deleting the file or
folder. If you have not been assigned Delete permission on a file or folder, you can
still delete the file or folder if you are granted Delete Subfolders and Files
permission on the parent folder.
• Read Permissions: The Read Permissions permission allows or denies the user from
reading permissions about the file or folder, such as Full Control, Read, and Write.
• Change Permissions: The Change Permissions permission allows or denies the user
from changing permissions on the file or folder, such as Full Control, Read, and
Write.
• Take Ownership: The Take Ownership permission allows or denies the user from
taking ownership of the file or folder. The owner of a file or folder can change
permissions on it, regardless of any existing permissions that protect the file or
folder.
• Synchronize: The Synchronize permission allows or denies different threads to wait
on the handle for the file or folder and synchronize with another thread that may
signal it. This permission applies only to multithreaded, multiprocess programs.

Question: Do you have to apply permissions to keep other people from accessing your
files?

Answer: No. The default NTFS permissions do not allow standard users to read the
documents that other users have stored in their My Documents folder. However,
administrators are able to access all files on the system. If you need to prevent
administrators from accessing a file, you must use an additional security measure such
as encryption.

What is Permission Inheritance?



There are two types of permissions:


• Explicit permissions: Permissions that are set by default on non-child objects
when the object is created, or by user action on non-child, parent, or child objects.
• Inherited permissions: Permissions that are propagated to an object from a parent
object. Inherited permissions ease the task of managing permissions and ensure
consistency of permissions among all objects within a given container.
Permissions inheritance allows the NTFS permissions that are set on a folder to be
applied automatically to files that are created in that folder and its subfolders. This
means that NTFS permissions for an entire folder structure can be set at a single point.
If modification is required, it needs to be done only at that single point.
For example, when you create a folder called MyFolder, all subfolders and files created
within MyFolder automatically inherit the permissions from that folder. Therefore,
MyFolder has explicit permissions, while all subfolders and files within it have
inherited permissions.

Permissions can also be added to files and folders below the initial point of inheritance,
without modifying the original permissions assignment. This is done to grant a specific
user or group a different file access than the inherited permissions.

Inheritance for All Objects


If the Allow or Deny check boxes associated with each of the permissions appear
shaded, the file or folder has inherited permissions from the parent folder. There are
three ways to make changes to inherited permissions:
• Make the changes to the parent folder, and then the file or folder will inherit these
permissions.
• Select the opposite permission (Allow or Deny) to override the inherited
permission.
• Choose not to inherit permissions from the parent object. You can then make
changes to the permissions or remove the user or group from the Permissions list
of the file or folder.
Permissions can be explicitly denied. For example, Alice might not want Bob to be
able to read her file, even though he is a member of the Marketing group. She can
exclude Bob by explicitly denying him permission to read the file. This is normally
how explicit denies are used — to exclude a subset (such as Bob) from a larger group
(such as Marketing) that is given permission to perform an operation.
Note that use of explicit denials, while possible, increases the complexity of the
authorization policy and can create unexpected errors. For example, you might want to
allow domain administrators to perform an action but deny domain users. If you
attempt to implement this by explicitly denying domain users, you also deny any
domain administrators who are also domain users. Though it is sometimes necessary,
you can and should avoid the use of explicit denies in most cases.
In most cases, Deny overrides Allow unless a folder is inheriting conflicting settings
from different parents. In that case, the setting inherited from the parent closest to the
object in the subtree takes precedence.

Note: Inherited Deny permissions do not prevent access to an object if the object has
an explicit Allow permission entry. Explicit permissions take precedence over inherited
permissions, even inherited Deny permissions.

Only inheritable permissions are inherited by child objects. When setting permissions
on the parent object, you can decide whether folders, subfolders, and files can inherit
permissions. Perform the following steps to assign permissions that can be inherited:

1. In Windows Explorer, right-click the file or subfolder, click Properties, click the
Security tab, and then click Advanced.
2. In the Advanced Security Settings for <file or folder> page, click Change
Permissions. The Apply to column lists what folders, subfolders, or files the
permissions are applied to. The Inherited From column lists where the
permissions are inherited from.
3. In the Apply to column, click the user or group that you want to adjust
permissions for.
4. On the Permissions Entry page, click the Apply to field and select one of the
following options:
• This folder only
• This folder, subfolders, and files
• This folder and subfolder
• This folder and files
• Subfolders and files only
• Subfolders only
• Files only
5. Click OK on the Advanced Security Settings window, click OK on the Advanced
Security Settings window a second time, and then click OK on the Properties
page.
If the Special Permissions entry in Permissions for <User or Group> is shaded, it
does not imply that this permission is inherited; rather, this means that a special
permission is selected.

Blocking Permission Inheritance


After you set permissions on a parent folder, new files and subfolders that are created
in the folder inherit these permissions. You can block permission inheritance to restrict
access to these files and subfolders. For example, all accounting users may be assigned
Modify permission to the ACCT folder. On the subfolder WAGES, inherited
permissions can be blocked with only a few specific users given access to the folder.

Note: When permissions inheritance is blocked, you have the option to copy existing
permissions or begin with blank permissions. If you only want to restrict a particular
group or user, then copying existing permissions simplifies the configuration process.

To block permission inheritance, select This folder only in the Apply onto box when
you set up special permissions for the parent folder. Special permissions are accessible
through the Permissions tab. Perform the following steps when you want to prevent a
file or subfolder from inheriting permissions:
1. In Windows Explorer, right-click the file or subfolder, click Properties, click the
Security tab, and then click Advanced.
2. In the Advanced Security Settings for <file or folder> page, click Change
Permissions.
3. Clear the check box labeled Include inheritable permissions from this object’s
parent.
4. In the Windows Security dialog box, select Add, Remove, or Cancel.
• Click Add to convert and add inherited parent permissions as explicit
permissions on this object.
• Click Remove to remove inherited permissions from this object.
• Click Cancel if you do not want to modify inheritance settings at this time.
5. Click OK on the Advanced Security Settings window, click OK on the Advanced
Security Settings window a second time, and then click OK on the Properties
page.
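The ACCT and WAGES scenario above, carried out with Get-Acl and Set-Acl rather than the Explorer dialogs, as an added example that is not part of the course. It assumes an elevated session on a domain-joined Windows 7 client; CONTOSO\Accounting and CONTOSO\Payroll1 are placeholder principals, and C:\ACCT is created if it does not exist.

```powershell
# Added example (not course material). Placeholder principals and paths:
$Group = 'CONTOSO\Accounting'   # assumption: the accounting group
$User  = 'CONTOSO\Payroll1'     # assumption: one user who may reach WAGES
$Acct  = 'C:\ACCT'
$Wages = Join-Path -Path $Acct -ChildPath 'WAGES'

function New-NtfsRule {
    param(
        [string]$Identity,
        [string]$Rights,            # a FileSystemRights name, e.g. 'Modify'
        [string]$Type = 'Allow',
        [bool]$Inheritable = $true
    )
    # ContainerInherit + ObjectInherit is the "This folder, subfolders, and files"
    # choice in the Permission Entry dialog; 'None' is "This folder only".
    $flags = if ($Inheritable) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $ctorArgs = @($Identity, $Rights, $flags, 'None', $Type)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

function Show-NtfsAcl {
    param([string]$Path)
    # The same columns the Advanced Security Settings page shows: Type, Principal,
    # Access, whether the entry is inherited, and what it applies to.
    (Get-Acl -Path $Path).Access |
        Select-Object @{n = 'Path'; e = { $Path }}, AccessControlType, IdentityReference,
                      FileSystemRights, IsInherited, InheritanceFlags |
        Format-Table -AutoSize
}

foreach ($p in @($Acct, $Wages)) {
    if (-not (Test-Path -Path $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
}

# 1. Accounting gets Modify on ACCT. The entry is inheritable, so WAGES receives it
#    automatically; on WAGES it is listed with IsInherited = True.
$acl = Get-Acl -Path $Acct
$acl.AddAccessRule((New-NtfsRule -Identity $Group -Rights 'Modify'))
Set-Acl -Path $Acct -AclObject $acl
Show-NtfsAcl -Path $Wages

# 2. Block inheritance on WAGES. SetAccessRuleProtection($true, $true) is the "Add"
#    choice from the steps above: inheritance stops and the inherited entries are
#    copied onto WAGES as explicit entries. ($true, $false) is "Remove": start blank.
$acl = Get-Acl -Path $Wages
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Wages -AclObject $acl

# 3. The copied Accounting entry is now explicit, so it can be removed and replaced
#    with the few users who should reach the folder.
$acl = Get-Acl -Path $Wages
$copied = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $Group })
foreach ($ace in $copied) { $acl.RemoveAccessRule($ace) | Out-Null }
$acl.AddAccessRule((New-NtfsRule -Identity $User -Rights 'Modify'))
Set-Acl -Path $Wages -AclObject $acl
Show-NtfsAcl -Path $Wages   # read back: the entries on WAGES are now all explicit
```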

Question: Why does permission inheritance reduce administration time?

Answer: Administrators can change permissions at the parent level and have the same
permissions propagate throughout all the sub-folders without having to reassign
permissions to each of those folders individually.

Question: If NTFS permission is denied to a group for a particular resource while
allowing the same permission to another group for that resource, what will happen to
the permissions of an individual who is a member of both groups?

Answer: The user will be denied access.


Configuring File Access and Printers on Windows 7 Clients 3-25

Demonstration: Configuring NTFS Permissions for Files and Folders

This demonstration shows how to secure files and folders by updating their NTFS
permissions. This demonstration also shows how to:
• Set permissions, such as Read, Write, and Full Control, to provide access for a
specific user.
• Set the Deny permission for a user to restrict his or her ability to modify a file.
• Verify the set permissions.
Start the LON-DC1 and the LON-CL1 virtual machines. Leave them running
throughout the duration of the module.

Create a folder and a document file


1. Log on to the LON-CL1 as Contoso\Administrator with a password of
Pa$$w0rd.

2. Click Start, click Computer, and then double-click Local Disk (C:).

3. On the toolbar, click New folder.

4. Type “Project Documents” in the folder name.

5. Double-click to open the Project Documents folder.

6. Right-click an empty space in the Name column, point to New, and then click
Microsoft Office Word Document.

7. Type “Deliverables” and then press ENTER.

Grant selected users write access to the file


1. Right-click the Deliverables file, and then click Properties.

2. In the Deliverables Properties dialog box, on the Security tab, click Edit.

3. In the Permissions for Deliverables dialog box, click Add.

4. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the
Enter the object names to select (examples) box, type “Contoso\Adam”, click
Check Names, and then click OK.

5. In the Group or user names box, click Adam Carter (Contoso\Adam).

6. In the Permissions for Deliverables dialog box, next to Write, select the Allow
check box, and then click OK.

7. In the Deliverables Properties dialog box, click OK.

Deny Selected Users the Ability to Modify the File


1. Right-click the Deliverables file, and then click Properties.

2. In the Deliverables Properties dialog box, on the Security tab, click Edit.

3. In the Permissions for Deliverables dialog box, click Add.

4. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the
Enter the object names to select (examples) box, type “Contoso\Martin”, click
Check Names, and then click OK.

5. In the Group or user names box, click Martin Berka (Contoso\Martin).

6. In the Permissions for Deliverables dialog box, next to Modify, select the Deny
check box, and then click OK.

7. In the Windows Security dialog box, click Yes.

8. In the Deliverables Properties dialog box, click OK.

Verify the deny permissions on the file


1. In the Project Documents folder, right-click Deliverables, and then click
Properties.

2. In the Deliverables Properties dialog box, on the Security tab, click Advanced.

3. In the Advanced Security Settings for Deliverables dialog box, on the Effective
Permissions tab, click Select.

4. In the Select User, Computer, Service Account or Group dialog box, type
“Contoso\Martin”, click Check Names, and then click OK.

5. Verify that none of the attributes are available as permissions.

6. In the Advanced Security Settings for Deliverables dialog box, click OK.

7. In the Deliverables Properties dialog box, click OK.

8. Close the Project Documents window.


Impact of Copying and Moving Files and Folders on Set Permissions

When copying or moving a file or folder, the permissions might change, depending on
where you move the file or folder. It is important to understand the impact on
permissions when you copy or move files.

Effects of Copying Files and Folders


When you copy a file or folder from one folder to another folder, or from one partition
to another partition, permissions for the files or folders might change. Copying a file or
folder has the following effects on the NTFS file system permissions:
• When copying a file or folder within a single NTFS partition, the copy of the
folder or file inherits the permissions of the destination folder.
• When copying a file or folder to a different NTFS partition, the copy of the folder
or file inherits the permissions of the destination folder.
• When copying a file or folder to a non-NTFS partition, such as a FAT partition,
the copy of the folder or file loses its NTFS file system permissions because non-
NTFS partitions do not support NTFS file system permissions.

Note: When copying a file or folder within a single NTFS partition or between NTFS
partitions, you must have Read permission for the source folder and Write permission
for the destination folder.

Effects of Moving Files and Folders


When moving a file or folder, permissions might change depending on the permissions
of the destination folder. Moving a file or folder has the following effects on NTFS file
system permissions:
• When moving a file or folder within an NTFS partition, the file or folder inherits
the permissions of the new parent folder. If the file or folder has explicitly
assigned permissions, those permissions are retained in addition to the newly
inherited permissions.

Note: Most files do not have explicitly assigned permissions. Instead, they inherit
permissions from their parent folder. If you move files that have only inherited
permissions, they do not retain these inherited permissions during the move.

• When moving a file or folder to a different NTFS partition, the folder or file
inherits the permissions of the destination folder. When you move a folder or file
between partitions, Windows 7 copies the folder or file to the new location and
then deletes it from the old location.
• When moving a file or folder to a non-NTFS partition, the folder or file loses its
NTFS file system permissions, because non-NTFS partitions do not support NTFS
file system permissions.

Note: When moving a file or folder within an NTFS partition or between NTFS partitions,
you must have both Write permission for the destination folder and Modify permission
for the source file or folder. Modify permission is required to move a folder or file
because Windows 7 deletes the folder or file from the source folder after it copies it to
the destination folder.

Question: Why is administration time reduced when files and folders are moved
within the same partition?

Answer: Answers can vary. Possible answers include: Administrators do not need to
be concerned about permissions being changed or altered because the permissions are
kept if files and folders are moved within the same partition. Likewise, administrators
do not need to change the permissions of the destination folder, which can have
ramifications on other files and subfolders within the folder.


What are Effective Permissions?



Each file and folder contains user and group permissions. Windows 7 determines a file
or folder’s effective permissions by combining its user and group permissions. For
example, if a user is assigned Read permission and a group the user is a member of is
assigned Modify permission, the effective permissions of the user are Modify.

Note: When permissions are combined, Deny permission takes precedence and
overrides Allow permission.

Effective Permissions Feature


The Effective Permissions feature determines the permissions a user or group has on an
object by calculating the permissions that are granted to the user or group. The
calculation takes the permissions in effect from group membership into account, and
any of the permissions inherited from the parent object. It looks up all domain and
local groups in which the user or group is a member.

Note: The Effective Permissions feature always includes the Everyone group when
calculating effective permissions, as long as the selected user or group is not a member
of the Anonymous Logon group.

The Effective Permissions feature only produces an approximation of the permissions
that a user has. The actual permissions the user has may be different, since permissions
can be granted or denied based on how a user logs on. This logon-specific information
cannot be determined by the Effective Permissions feature, since the user may not log
on. Therefore, the effective permissions it displays reflect only those permissions
specified by the user or group and not the permissions specified by the logon.
For example, if a user is connected to a computer through a file share, then the logon
for that user is marked as a Network Logon. Permissions can be granted or denied to
the well-known security ID (SID) Network which the connected user receives, so a
user has different permissions when logged on locally than when logged on over a
network.
Perform the following steps to view the effective permissions on files and folders:
1. Open Windows Explorer and then locate the file or folder to view its effective
permissions.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. Click Advanced, click the Effective Permissions tab, and then click Select.
4. In the Enter the object name to select (examples), type the name of a user or
group, and then click OK. The selected check boxes indicate the effective
permissions of the user or group for that file or folder.
Question: If a group is assigned Modify permission to a folder and a user that is a
member of that group is denied Modify permission for the same folder, what is the
user’s effective permission for the folder?
Answer: Because the Deny permission takes precedence over the Allow permission,
the user is denied the Modify permission for the folder.

Discussion: Determining Effective Permissions



This discussion includes a scenario and three underlying situations in which you are
asked to apply NTFS permissions. You and your classmates will discuss possible
solutions to each situation.

Scenario
User1 is a member of the Users group and the Sales group. The graphic on the slide,
which shows folders and files on the NTFS partition, includes three situations, each of
which has a corresponding discussion question.
Question 1: The Users group has Write permission, and the Sales group has Read
permission for Folder1. What permissions does User1 have for Folder1?

Answer: User1 has Write and Read permissions for Folder1, because User1 is a
member of the Users group, which has Write permission, and the Sales group, which
has Read permission.

Question 2: The Users group has Read permission for Folder1. The Sales group has
Write permission for Folder2. What permissions does User1 have for File2?

Answer: User1 has Read and Write permissions for File2, because User1 is a member
of the Users group, which has Read permission for Folder1, and the Sales group, which
has Write permission for Folder2. File2 inherits permissions from both Folder2 and
Folder1.

Question 3: The Users group has Modify permission for Folder1. File2 is accessible
only to the Sales group, and they are only able to read File2. What do you do to ensure
that the Sales group has only Read permission for File2?

Answer: Prevent permissions inheritance for Folder2 or File2. Remove the
permissions for Folder2 or File2 that Folder2 has inherited from Folder1. Grant only
Read permission to the Sales group for Folder2 or File2.
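The combination rule used in the Effective Permissions topic and in this discussion (Allow entries for the user and all of the user's groups are added together, and a Deny entry wins), carried out in PowerShell against ACLs built in memory. This is an added example, not courseware content; the SIDs are constructed stand-ins for User1, Users and Sales, and the function is a simplified model of the rule as stated above, not the full Windows access check.

```powershell
# Added example (not courseware content). Applies the combination rule from the
# text: Allow entries for the user and for every group the user belongs to are
# added together, and any Deny entry removes those rights again. The ACLs are
# built in memory from constructed SIDs, so nothing on disk is touched; the
# object returned by Get-Acl for a real folder can be passed in the same way.

function New-NtfsRule {
    param(
        [System.Security.Principal.IdentityReference]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Right,
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    # A folder entry that flows to subfolders (ContainerInherit) and files (ObjectInherit)
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Right,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Type)
}

function ConvertTo-SidString {
    param([string]$Identity)
    # Accepts a SID string as-is, or a DOMAIN\name account this computer can resolve
    if ($Identity -like 'S-1-*') { return $Identity }
    $account = New-Object System.Security.Principal.NTAccount($Identity)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-SimplifiedEffectiveRights {
    param(
        [System.Security.AccessControl.FileSystemSecurity]$Acl,
        [string[]]$Identities   # the user plus every group the user is a member of
    )
    $wanted  = $Identities | ForEach-Object { ConvertTo-SidString $_ }
    $allowed = 0
    $denied  = 0
    foreach ($ace in $Acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # skip entries whose identity cannot be resolved on this computer
        }
        if ($wanted -notcontains $sid) { continue }
        $bits = [int]$ace.FileSystemRights
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
            $allowed = $allowed -bor $bits
        } else {
            $denied = $denied -bor $bits
        }
    }
    # Deny takes precedence: every denied bit is removed from the allowed set.
    # .NET adds Synchronize to each Allow entry; mask it so the output reads as the
    # named permission sets (Read, Write, Modify, ...) used in the text.
    $sync   = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $result = ($allowed -band (-bnot $denied)) -band (-bnot $sync)
    if ($result -eq 0) { return 'None' }
    [System.Security.AccessControl.FileSystemRights]$result
}

# Constructed SIDs standing in for User1 and the two groups in the scenario
$user1 = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1000-2000-3000-1101'
$users = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1000-2000-3000-1201'
$sales = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-21-1000-2000-3000-1202'
$user1Identities = $user1.Value, $users.Value, $sales.Value

# Question 1 of the discussion: Users has Write and Sales has Read on Folder1
$folder1 = New-Object System.Security.AccessControl.DirectorySecurity
$folder1.AddAccessRule((New-NtfsRule $users 'Write'))
$folder1.AddAccessRule((New-NtfsRule $sales 'Read'))
'Folder1: ' + (Get-SimplifiedEffectiveRights -Acl $folder1 -Identities $user1Identities)

# The Effective Permissions question: the group is allowed Modify, the user is
# explicitly denied Modify on the same folder
$folder2 = New-Object System.Security.AccessControl.DirectorySecurity
$folder2.AddAccessRule((New-NtfsRule $sales 'Modify'))
$folder2.AddAccessRule((New-NtfsRule $user1 'Modify' 'Deny'))
'Folder2: ' + (Get-SimplifiedEffectiveRights -Acl $folder2 -Identities $user1Identities)
```

For a real folder, replace the in-memory objects with `Get-Acl -Path <folder>` and pass the user's account name and group names as the identities; like the Effective Permissions tab, this ignores logon-specific SIDs such as Network.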

Lesson 3
Managing Shared Folders

Collaboration is an important part of your job. Your team might create documents that
are only shared by its members, or you may work with a remote team member who
needs access to your team’s files. Because of collaboration requirements, it is
important to understand how to manage shared folders in a network environment.
Sharing folders gives users access to those folders over a network. Users can connect to
the shared folder over the network to access the folders and files that are contained in
the shared folder.
Shared folders can contain applications, public data, or a user’s personal data. It is
important to understand how to manage shared folders to provide a central location for
users to access common files and make it easier to back up data that is contained in
those files. This module examines various methods of sharing folders, along with the
effect this has on file and folder permissions when shared folders are created on a
partition formatted with the NTFS file system.

What are Shared Folders?



Sharing a folder makes it available to multiple users simultaneously over the network.
When sharing a folder, you can identify specific users to share the folder with, or share
it with all the users on the network. Sharing is limited to folders; therefore, you cannot
share specific files within a non-shared folder.
Most organizations deploy dedicated file servers to host shared folders. You can store
files in shared folders according to categories or functions. For example, you can put
shared files for the Sales Department in one shared folder and shared files for
executives in another.
Windows 7 uses the Public folder to simplify file sharing. With Public folder sharing
enabled, the public folders and all the folders within the Public folder are automatically
shared with the name Public. You do not have to configure file sharing on separate
folders; just move or copy the file or folder you want to share on the network to the
Public folder on your Windows 7 client.
In Windows 7, members of the Administrators, Power Users, and Server Operators
groups can share folders. Other users who are granted the Create Permanent Shared
Objects user right can also share folders. If a folder resides on an NTFS volume, you
must have at least Read permission to share the folder.
Configuring File Access and Printers on Windows 7 Clients 3-37

There are several different ways in which you can share folders with others on the
network:
• In the Microsoft Management Console (MMC) snap-in titled Shares
• In Windows Explorer
• Through the command line
• Through Computer Management

Sharing through the MMC Snap-in Titled Shares


You can use the MMC snap-in titled Shares to centrally manage all file shares on a
computer. Use this snap-in to create file shares and set permissions, and to view and
manage open files and users connected to file shares on the computer.
Perform the following steps to install the Shares snap-in and to share a folder:
1. Click Start, click in the Start Search text box, type “mmc”, and then press
ENTER.
2. If a UAC prompt appears, click Continue.
3. In the MMC, click File, and then click Add/Remove Snap-in.
4. In the Add/Remove Snap-ins dialog box, select the Shares snap-in from the list
of Available snap-ins in the left-hand column. Click Add.
5. In the Shares dialog box, select the computer this snap-in needs to manage. Then
click Finish.
6. In the Add or Remove Snap-ins page, click OK.
7. In the MMC, expand Shared Folders, and click Shares. This lists the existing
shared folders and files.
8. To share a folder, click Action on the menu bar, and then click New Share. This
initiates the Create a Shared Folder Wizard. Click Next.
9. On the Folder Path page, either type the path to the folder to share, or click
Browse and select the path from the folder tree or add a new folder. Click Next.
10. Enter a value in the Description field. Click Next.
11. On the Shared Folder Permissions page, select the option for the kind of
permissions to be assigned to the shared folder. The options include:
• All users have read-only access
• Administrators have full access; other users have read-only access

• Administrators have full access; other users have no access


• Customize permissions

Note: By default, only share permissions are set on this folder. To control local access
permissions to this folder or objects within the folder, click the Customize permissions
option, click Custom, and then modify the permissions on the Security tab to assign
specific permission to the folder.

12. Click Finish on the Shared Folder Permissions page.


13. Once the folder is shared, click Finish to close the wizard.
The folder being shared appears in the list of shared folders (under Shares) in the
MMC.
14. Locate the folder in Windows Explorer. The shared folders icon (two users)
appears next to the folder icon for this shared folder.

Sharing Through Windows Explorer


You can share a folder through Windows Explorer, although this method does not
allow configuring share permissions for the folder. Perform the following steps to share
a folder through Windows Explorer:
1. In Windows Explorer, right-click on the folder to share, click Share with, and
then click either Nobody or Specific people. For this example, click Specific
people.
2. On the Choose people on your network to share with page, click the drop-down
arrow and select either Everyone or Find. For this example, click Everyone.
3. Click Share.
4. When the folder is shared, click Done.
The shared folders icon (two users) appears next to the folder icon for this shared
folder.

Sharing through the Command Line


You can share a folder through the command line by using the Net Share command.
Perform the following steps to share a folder through the command line:
1. To open an elevated Command Prompt window, click Start, point to All
Programs, click Accessories, right-click Command Prompt, and then click Run
as Administrator.

2. At the command prompt, type “net share <sharename>=<drive:path>”.
For example, to share a folder named myshare located on the C drive in the path
\Users\Myname, type “net share myshare=C:\Users\Myname”.

Sharing through Computer Management


You can share a folder through the Computer Management Windows interface by
performing the following steps:
1. Click Start, click Control Panel, click All Control Panel Items, click
Administrative Tools, and then double click Computer Management.
2. In the Computer Management console tree, click System Tools, and then click
Shares.
3. Click Action on the menu bar, and then click New Share (alternatively, click the
Share a Folder icon on the toolbar).
4. This initiates the same Create a Shared Folder Wizard mentioned earlier (refer
to Sharing through the Shared Folder MMC snap-in). Follow the instructions
mentioned there to share a folder.

Question: What is a benefit of sharing folders across a network?

Answer: Sharing folders across a network keeps information up-to-date for a group of
users and decreases the chance of file duplication because all files for a user account
can be stored in a shared central repository.

Methods of Sharing Folders



Windows 7 provides two methods for sharing folders directly from your computer:
• Any folder sharing: Allows sharing of music, photos, and other files from any
folder on your computer without having to move them from their current location.
There are two types of any folder sharing - basic and advanced.
• Public folder sharing: Public folders serve as open drop boxes. Copying a file
into a public folder makes it immediately available to other users on your
computer or network.

Any Folder Sharing - Basic


Basic folder sharing is the simplest form of Any Folder sharing because it enables
sharing a folder quickly and easily. To share a folder by using basic sharing, right-click
the folder, and then click Share with.
Although Windows creates the share name automatically, you must manually define
the NTFS and Share permissions. Windows 7 allows you to choose not only who gets
to view a file, but what recipients can do with it. This is called sharing permissions.
Sharing permissions are greatly simplified in Windows 7, which offers two basic
choices:

• Read: The "look, but do not touch" option. Recipients can open, but not modify or
delete a file.

• Read/Write: The "full control" option. Recipients can open, modify, or delete a
file.

Share with Nobody


The Share with command includes two options. As previously mentioned, the first
option allows you to share a folder with a specific user. The second option is Share
with Nobody, which is designed for home groups. With home groups, you only have
the option to share entire libraries. However, if there are folders in a library that you
do not want to share, then the Share with Nobody command must be used to identify
the folder exceptions that will not be shared with the rest of the library contents.
For example, you want to share the All Documents library on your home network with
the rest of your family, except for your personal finance folder. However, you do want
to include that folder in your personal library so it can be searchable when you are on
your own computer. By setting the Share with Nobody option on your personal
finance folder, it is still searchable on your own computer, but it is not accessible by
other family members when they search the All Documents library.

Any Folder Sharing - Advanced


Advanced Sharing is used to exert more control over the Any Folder sharing process.
When Advanced Sharing is used to share a folder, you must specify the following
information:
• A share name: The default name is the folder name.
• The maximum number of concurrent connections to the folder: The default
number is 10 concurrent connections.
• Shared folder permissions: The default permissions are Read permissions for the
special group Everyone. The permissions set here are only share permissions, and
the underlying NTFS permissions are not modified.
• Caching options: The default caching option allows files and programs that users
select to be available offline. You can disable offline files and programs, or
configure files and programs to be available offline automatically.

To use Advanced Sharing, right-click the folder you want to share, and then click
Properties, click the Sharing tab, and then click Advanced Sharing.

Public Folder Sharing


When you turn on Public folder sharing in Windows 7, anyone with an account on your
computer, or a PC on your network, can access the contents of these folders. To share
something, copy or move it into one of these public folders.
By default, Windows 7 provides the following Public folders:



• Public Documents
• Public Downloads
• Public Music
• Public Pictures
• Public Videos
You can view these folders by clicking the Start button, clicking your user account
name, and then clicking the arrow beside Libraries to expand the folders.
By default, Public folder sharing is not enabled. However, files stored in the Public
folder hierarchy are available to all users who have an account on a given computer
and can log on to it locally. You can configure Windows 7 to allow access to the Public
folder from the network in two ways:

• Turn on sharing so anyone with network access can open files.


• Turn on sharing so anyone with network access can open, change, and create files.

When you do this, users who have an account on the computer or network can connect
to this folder both locally and remotely to access shared files.
Public folder sharing does not allow you to fine-tune sharing permissions, but it does
provide a simple way to make your files available to others. When you enable public
folder sharing and select one of the two permissions levels previously mentioned, the
following share and NTFS file system permissions are configured for the System group
Everyone.

Access type: Open files
  Share permission: Read
  NTFS file system permissions: Read and execute, List folder contents, Read

Access type: Open, change, and create files
  Share permission: Read/Write
  NTFS file system permissions: All (Full control, Modify, Read and execute, List folder contents, Read/Write)

You can select one of these two Public folder permission options through the Network
and Sharing Center, which is a topic discussed later in this lesson.

Question: When is it necessary to avoid using Public folder sharing?


Answer: Avoid using Public folder sharing when security or privacy is a concern.
Remember, you cannot restrict people to viewing just some of the files in the Public
folder. Because it is an all or nothing situation, users can access all files in a public
share.
Question: Do you have to apply permissions to share your files with other users on
your computer?
Answer: No. A recommended method of sharing files is to share from an individual
folder or by moving files to the Public folder. Depending on how you choose to share
the file or folder, you might be able to apply permissions to some of your files.

Discussion: Combining NTFS and Share Permissions



When you create a shared folder on a partition formatted with the NTFS file system,
both the shared folder permissions and the NTFS file system permissions are combined
to secure file resources. NTFS file system permissions apply whether the resource is
accessed locally or over a network, but they are filtered against the share folder
permissions.
When you grant shared folder permissions on an NTFS volume, the following rules
apply:
• By default, the Everyone group is granted the shared folder permission Read.
• Users must have the appropriate NTFS file system permissions for each file and
subfolder in a shared folder, in addition to the appropriate shared folder
permissions, to access those resources.
• When NTFS file system permissions and shared folder permissions are combined,
the resulting permission is the most restrictive permission of the effective shared
folder permissions or the effective NTFS file system permissions.
• The share permissions on a folder apply to that folder, to all files in that folder, to
sub folders, and to all files in those subfolders.

Note: If the guest user account is enabled on your computer, the Everyone group
includes anyone. In practice, remove the Everyone group from any permission lists, and
replace it with the Authenticated Users group.

The following analogy can be helpful in understanding what happens when you
combine NTFS and share permissions. When dealing with a shared folder, you must
always go through the shared folder to access its files over the network. Therefore, you
can think of the shared folder permissions as a filter that only allows users to perform
actions on its contents that are acceptable to the share permissions. All NTFS
permissions that are less restrictive than the share permissions are filtered out so that
only the share permission remains.
For example, if the share permission is set to Read, then the most you can do is read
through the shared folder, even if individual NTFS file permission is set to Full
Control. If configuring the share permission to Modify, then you are allowed to read or
modify the shared folder contents. If the NTFS permission is set to Full Control, then
the share permissions filter the effective permission down to just Modify.

Question: If a user is assigned Full Control NTFS permission to a file but is accessing
the file through a share with Read permission, what will be the effective permission the
user will have on the file?
Answer: The user will have only Read access to the file when accessing it over the
network through the share (because Read access is more restrictive than Full Control).
If the user is logged on to the console of the computer storing the file and accessing it
locally, then the user has Full Control.

Question: If you want a user to view all files in a shared folder but can modify only
certain files in the folder, what permissions do you give the user?
Answer: The share permissions will have to allow the user to Modify all files (this
opens the folder window wide, but it will get locked down with NTFS permissions).
You must set the NTFS permissions for the folder to allow the user Read access only
(which flows to all the files). Then on the individual files in the folder that you want
the user to modify, assign the Modify NTFS permission.
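The arrangement described in the last answer (share permission wide open, NTFS narrowed to Read on the folder and Modify on one file), built from an elevated PowerShell prompt with the net share and icacls commands. This is an added example, not courseware content; the folder, share name, group and file names are assumptions.

```powershell
# Added example (not courseware content). Builds the "view all files, modify only
# some" share discussed above. Run from an elevated prompt; all names are assumptions.
$folder   = 'C:\Shares\Team'                  # hypothetical folder to share
$share    = 'Team'                            # hypothetical share name
$group    = 'Contoso\Sales'                   # hypothetical group of users
$editable = Join-Path $folder 'Status.docx'   # the one file the group may change

New-Item -ItemType Directory -Path $folder -Force | Out-Null
New-Item -ItemType File -Path $editable -Force | Out-Null
New-Item -ItemType File -Path (Join-Path $folder 'Policy.docx') -Force | Out-Null

# 1. Share permission: CHANGE (read/write) for the group only. This is the wide
#    gate the text describes; NTFS narrows it, never the other way round. Giving
#    /GRANT explicitly also avoids the default Everyone Read entry.
net share "$share=$folder" "/GRANT:$group,CHANGE"

# 2. NTFS on the folder: stop inheriting from C:\Shares, then grant the group
#    Read & execute that flows to subfolders (CI) and files (OI). Administrators
#    and SYSTEM keep Full control so the folder stays manageable.
icacls $folder /inheritance:r
icacls $folder /grant:r "${group}:(OI)(CI)RX"
icacls $folder /grant:r 'BUILTIN\Administrators:(OI)(CI)F'
icacls $folder /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# 3. NTFS on the single file: add an explicit Modify entry for the group. It is
#    combined with the inherited Read & execute, so this file becomes writable;
#    every other file in the folder keeps only the inherited Read & execute.
icacls $editable /grant "${group}:M"

# 4. Review the result. Over the network the effective access is the more
#    restrictive of the share permission (Change) and the NTFS permission:
#    Modify on Status.docx, Read on everything else.
net share $share
icacls $folder /T
```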

Discussion Question: Identify a scenario at your organization where it might be
necessary to combine NTFS and Share permissions. What is the reason for combining
permissions?

Answer: Answers will vary based on the experiences of each student.




The Network and Sharing Center



With earlier versions of Windows, many different graphical interfaces and commands
were required to fully configure networking and network sharing. Windows 7 makes
this significantly easier by providing all the required tools in one central location, the
Network and Sharing Center. The Network and Sharing Center can be accessed
through the Windows Control Panel, or by typing “Network and Sharing Center” in the
search box on the Start menu.
It is important to be familiar with all aspects of the Network and Sharing Center, and
be able to use it to configure all types of network connections. This topic focuses on
the network sharing aspect of the Center, while the network configuration topics are
covered later in the Networking module.
The Network and Sharing Center provides the following tools:
• View a Network Map
• Set Up a New Connection or Network
• Change Advanced Sharing Options
• Choose Homegroup and Sharing Options

• Fix a Network Problem

View a Network Map


The Network Map is a tool that graphically displays the computers and other network
devices that are present on your network. The Network Map:
• Is used to view the path from your computer through the network to the Internet,
and to determine whether the Internet is currently available.
• Is used to view the path between your computer and the problems that are being
experienced while connecting to a local device, and invokes diagnostics to
determine the cause of the connection problem.
• Supports being connected to multiple networks, such as a home network, and to a
remote network through a dial-up connection; both networks are displayed in the
map.
• Uses discovery protocols, such as Link-Layer Topology Discovery (LLTD) and
the Function Discovery service in Windows to determine the devices that are
attached to the network, and how they are interconnected.
The following items can appear on a Network Map diagram:
• Device: This is an endpoint on a network. It can be a computer or another
hardware device, such a TCP/IP-connected camera or printer.
• Link: This is the physical connection between two or more devices. It can be the
Ethernet cable or the wireless association between a computer and a hub.
• Infrastructure component: This is a piece in the middle of the network that
connects other components and devices together, such as a hub, switch, or router.
Your computer, the one from which you requested the map, is always displayed in the
upper-left corner; other devices appear underneath. Infrastructure components are to
the right, and lines show the connections from the devices to the network infrastructure
components and from there to other devices on the network.
Information for each piece includes a description, an icon, and an indication of the
current connectivity state. For wireless connections, the connectivity state indicator
includes a representation of the wireless signal strength. If the mouse hovers over the
device, additional information displays. Depending on the device type, this can include
the TCP/IP configuration of the device, the SSID and security type of the wireless
network it is connected to, and the status of that device's network connectivity.
You can view the full map by clicking the See full map link. Because all devices might
not return connectivity information, the topology map might not display all devices
correctly. These devices are placed at the bottom of the map and you can obtain more
details from them by switching to a list view. By default the See full map option is
disabled on domains for end-users; it is available for network administrators.

Note: The Network Map is not just a topology; it shows active network devices that you
can configure or troubleshoot.

Set Up a New Connection or Network


You can customize the currently active network connections and set up a new
connection. Use the graphical view of your current network to optionally change the
description and icon appearance of network components to include more information.
View and change network connection properties by clicking View Status on the right
side of the connection listing.
You can maintain the following network connections in this section:
• Connect to the Internet: Set up a wireless, broadband, or dial-up connection to
the Internet.
• Set up a Network: Configure a new router or access point.
• Set up a Dial-up Connection: Connect to the Internet using a dial-up connection.
• Connect to a Workplace: Set up a dial-up or VPN connection to your workplace.

Note: You can change the network location profile between private and public. This
changes firewall and visibility settings for that network connection.

Change Advanced Sharing Settings


The Network and Sharing Center includes a Change advanced sharing settings link
that is used to enable, disable, and change the way that various network services
behave. There are three network profiles that you can configure:
• Home or Work
• Public
• Domain
For each of these network profiles, you can configure the settings found in the
following table.

Features                Settings                              Result

Network Discovery       On                                    Turns on Network Discovery.
                        Off                                   Turns off Network Discovery.

File sharing            On                                    Shares created on this computer can be
                                                              accessed from the network.
                        Off                                   Shares created on this computer cannot
                                                              be accessed from the network.

Public folder sharing   Off                                   Only local users can access the Public
                                                              folder.
                        On (open files)                       Local and network users can read the
                                                              contents of the Public folder, but cannot
                                                              change them.
                        On (open, change, and create files)   Local and network users can change the
                                                              contents of the Public folder.

Printer sharing         On                                    Printers directly connected to this
                                                              computer can be shared.
                        Off                                   Printers directly connected to this
                                                              computer cannot be shared.

Media sharing           On                                    Users and devices on the network can
                                                              access media stored on this computer,
                                                              and local users can find media stored on
                                                              network devices.
                        Off                                   Users and devices on the network cannot
                                                              access media stored on this computer,
                                                              and local users cannot find media stored
                                                              on network devices.

Note: Because Windows 7 is configured by default to use Windows Firewall with
Advanced Security, using another firewall might interfere with the Network Discovery
and file-sharing features.

Network Discovery
When you first install Windows 7, the computer is not visible on the network map, and
it is not able to map other hardware devices on the network. If you enable Network
Discovery, Windows 7 queries the network and discovers each of the devices
connected to the network. Each device is queried to discover its capabilities, and
version control is used to keep this information up-to-date on subsequent queries.
Additionally, each icon in the network map is clickable, and you can double-click the
icon to carry out a task. For example, when you double-click the icon for your
computer, Windows Explorer opens. When you double-click an internetworking
device, a device configuration Web page appears.
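The sharing settings in the table above and the Network Discovery feature described here are implemented as groups of inbound rules in Windows Firewall with Advanced Security, one set per network profile. The following script is an added example, not part of the course material: it reads those rules through the HNetCfg.FwPolicy2 COM interface that ships with Windows 7 and reports, per profile, whether any inbound Network Discovery or File and Printer Sharing rule is active. It assumes the English rule display names; on a localized system the two name patterns need adjusting.

```powershell
# Added example (not from the course): audit which firewall rule groups behind the
# Network and Sharing Center sharing settings are enabled in each network profile.
# Assumption: rule display names are the English ones ("Network Discovery (...)",
# "File and Printer Sharing (...)"); adjust the patterns on a localized system.

$ProfileNames = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }   # NET_FW_PROFILE_TYPE2 bits
$Groups = @{
    'Network Discovery'        = 'Network Discovery*'
    'File and Printer Sharing' = 'File and Printer Sharing*'
}

function Get-SharingRuleState {
    $policy = New-Object -ComObject HNetCfg.FwPolicy2
    foreach ($groupName in $Groups.Keys) {
        $pattern = $Groups[$groupName]
        # Only inbound rules (Direction 1 = NET_FW_RULE_DIR_IN) expose the computer.
        $rules = @($policy.Rules | Where-Object { $_.Direction -eq 1 -and $_.Name -like $pattern })
        foreach ($bit in $ProfileNames.Keys) {
            # Profiles is a bitmask; rules for "all profiles" carry every bit set.
            $inProfile = @($rules | Where-Object { ($_.Profiles -band $bit) -ne 0 })
            $enabled   = @($inProfile | Where-Object { $_.Enabled })
            New-Object PSObject -Property @{
                Group        = $groupName
                Profile      = $ProfileNames[$bit]
                RulesTotal   = $inProfile.Count
                RulesEnabled = $enabled.Count
                # Exposed when at least one inbound rule of the group is active in that profile
                Exposed      = ($enabled.Count -gt 0)
            }
        }
    }
}

function Test-PublicProfileHardened {
    # $true when neither group has an inbound rule enabled for the Public profile,
    # which is the state a "Public" network location gets by default.
    $public = Get-SharingRuleState | Where-Object { $_.Profile -eq 'Public' }
    -not ($public | Where-Object { $_.Exposed })
}

Get-SharingRuleState | Sort-Object Group, Profile |
    Format-Table Group, Profile, RulesEnabled, RulesTotal, Exposed -AutoSize
"Public profile hardened: $(Test-PublicProfileHardened)"
```

Run it before and after toggling a setting in Change advanced sharing settings to see which rules the setting flips; a third-party firewall that replaces Windows Firewall will typically leave these rules untouched, which is why the note above warns that discovery and sharing can stop working.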

Choose Homegroup and Sharing Options


This feature is available if a homegroup is defined on your network, or if you
connected to a homegroup from a domain-joined computer. In either case, you can use
this feature to link computers on your home network to share pictures, music, video,
documents, and printers.

Fix a Network Problem


This feature is used to diagnose and repair network problems, and to get
troubleshooting information for the following network components:
• Internet connections
• Connection to a shared folder
• Homegroup
• Network adapter
• Incoming connections to this computer
• Printers

Lesson 4
Configuring File Compression

It is important for you to understand the benefits of file and folder compression, and
how to compress files and folders using the two methods available in Windows 7:
• NTFS file compression
• Compressed (zipped) Folders
Data compression reduces the size of a file by minimizing redundant data. In a text file,
redundant data can be frequently occurring characters, such as the space character, or
common vowels, such as the letters e and a; it can also be frequently occurring
character strings. Data compression creates a compressed version of a file by
minimizing this redundant data.
This lesson explores and contrasts these two methods of compression. In addition, the
lesson examines the impact of various file and folder activities on compressed files and
folders.

What is NTFS File Compression?

The NTFS file system supports file compression on an individual file basis. The file
compression algorithm is a lossless compression algorithm, which means that no data
is lost when compressing and decompressing the file, as opposed to lossy compression
algorithms, where some data is lost each time data compression and decompression
occur.
NTFS compression, which is available on volumes that use the NTFS file system, has
the following features and limitations:
• Compression is an attribute of a file or folder.
• Volumes, folders, and files on an NTFS volume are either compressed or
uncompressed.
• New files created in a compressed folder are compressed by default.
• The compression state of a folder does not necessarily reflect the compression
state of the files within that folder. For example, a folder can be compressed
without compressing its contents, and some or all of the files in a compressed
folder can be uncompressed.
• It works with NTFS-compressed files without decompressing them, because they
are decompressed and recompressed without user intervention.
• When a compressed file is opened, Windows automatically decompresses it
for you.
• When the file closes, Windows compresses it again.

• NTFS-compressed file and folder names are displayed in a different color to make
them easier to identify.
• NTFS-compressed files and folders only remain compressed while they are stored
on an NTFS Volume.
• An NTFS-compressed file cannot be encrypted.
• The compressed bytes of a file are not accessible to applications; they see only the
uncompressed data.
• Applications that open a compressed file can operate on it as if it were not
compressed.
• These compressed files cannot be copied to another file system.

Note: You can use the compact command-line tool to manage NTFS compression.

Discussion: Impact of Moving and Copying Compressed Files and Folders


Moving and copying compressed files and folders can change their compression state.
This discussion presents five situations in which you are asked to identify the impact of
copying and moving compressed files and folders. You and your classmates will
discuss the possible solutions to each situation.

Copy Within an NTFS Partition


What happens to the compression state of a file or folder when you copy it within an
NTFS partition?
When you copy a file or folder within an NTFS partition, the file or folder inherits the
compression state of the target folder. For example, if you copy a compressed file or
folder to an uncompressed folder, the file or folder is automatically uncompressed.

Move Within an NTFS Partition


What happens to the compression state of a file or folder when you move it within an
NTFS partition?
When you move a file or folder within an NTFS partition, the file or folder retains its
original compression state. For example, if you move a compressed file or folder to an
uncompressed folder, the file remains compressed.

Copy or Move between NTFS Partitions


What happens to the compression state of a file or folder when you copy or move it
between NTFS partitions?
When you move a file or folder between NTFS partitions, the file or folder inherits the
compression state of the target folder. Because Windows 7 treats a move between
partitions as a copy followed by a delete operation, the files inherit the compression
state of the target folder.
When you copy a file to a folder that already contains a file of the same name, the
copied file takes on the compression attribute of the target file, regardless of the
compression state of the folder.

Copy or Move between FAT or NTFS Volumes


What happens to the compression state of a file that you copy or move between FAT
and NTFS volumes?
Compressed files that you copy to a FAT partition are uncompressed because FAT
volumes do not support compression. However, when you copy or move files from a
FAT partition to an NTFS partition, they inherit the compression attribute of the folder
into which you copy them.
When you copy files, the NTFS file system calculates disk space based on the size of
the uncompressed file. This is important because files are uncompressed during the
copy process and the system must ensure there is sufficient space. If you copy a
compressed file to an NTFS partition that does not have sufficient space for the
uncompressed file, an error message notifies you that there is not sufficient disk space
for the file.
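The copy and move rules from this discussion can be checked directly on a Windows 7 computer. The script below is an added example, not part of the course material: it uses the compact command-line tool mentioned earlier to set the compression attribute on a folder, creates a file inside it, then copies and moves that file into an uncompressed folder on the same NTFS volume and reports the resulting Compressed attribute of each file. It assumes that the temporary folder lives on an NTFS volume (C: in a default installation).

```powershell
# Added example (not from the course): reproduce the copy-versus-move rules for
# NTFS compression with compact.exe and the FILE_ATTRIBUTE_COMPRESSED flag.
# Assumption: $env:TEMP is on an NTFS volume and the demo folder does not exist yet.

$Root = Join-Path $env:TEMP 'CompressionDemo'

function Test-IsCompressed([string]$Path) {
    # The Compressed attribute is set on compressed files and on compressed folders.
    ([System.IO.File]::GetAttributes($Path) -band [System.IO.FileAttributes]::Compressed) -ne 0
}

function New-DemoTree {
    if (Test-Path $Root) { Remove-Item $Root -Recurse -Force }
    $compressed   = New-Item -ItemType Directory -Path (Join-Path $Root 'Compressed Files')
    $uncompressed = New-Item -ItemType Directory -Path (Join-Path $Root 'Uncompressed Files')
    # /c sets the compression attribute, /s:<dir> applies it to the folder and its contents.
    & compact.exe /c /s:"$($compressed.FullName)" | Out-Null
    # A file created inside a compressed folder inherits the attribute.
    $sample = Join-Path $compressed.FullName 'sample.txt'
    # Constructed, highly redundant content so the file visibly shrinks on disk.
    [System.IO.File]::WriteAllText($sample, ('redundant data ' * 4096))
    @{ Compressed = $compressed.FullName; Uncompressed = $uncompressed.FullName; Sample = $sample }
}

function Invoke-CompressionDemo {
    $t = New-DemoTree
    $copied = Join-Path $t.Uncompressed 'sample-copy.txt'
    $moved  = Join-Path $t.Uncompressed 'sample-moved.txt'
    Copy-Item $t.Sample $copied   # copy within the volume: takes the target folder's state
    Move-Item $t.Sample $moved    # move within the volume: keeps its own state
    New-Object PSObject -Property @{
        SourceFolderCompressed = Test-IsCompressed $t.Compressed   # True
        CopiedFileCompressed   = Test-IsCompressed $copied         # False: inherited from target
        MovedFileCompressed    = Test-IsCompressed $moved          # True: retained on move
    }
    # compact.exe with no switches lists the compression ratio of each file in a folder.
    & compact.exe "$($t.Uncompressed)\*"
}

Invoke-CompressionDemo
```

Copying a compressed file to another volume behaves like the Copy-Item line here (the target folder decides), because Windows treats a cross-volume move as a copy followed by a delete, exactly as the discussion states.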

What are Compressed (Zipped) Folders?

In Windows 7, several files and folders can be combined into a single compressed
folder by using the Compressed (zipped) Folders feature. This feature is used to share a
group of files and folders with others without being concerned about sending them
individual files and folders.
Files and folders that are compressed by using the Compressed (zipped) Folders
feature can be compressed on FAT and NTFS file system drives. A zipper icon
identifies files and folders that are compressed by using this feature.
Files can be opened directly from these compressed folders, and some programs can be
run directly from these compressed folders without uncompressing them. Files in the
compressed folders are compatible with other file-compression programs and files.
These compressed files and folders can also be moved to any drive or folder on your
computer, the Internet, or your network.
Compressing folders by using Compressed (zipped) Folders does not affect the
overall performance of your computer. CPU utilization increases only when
Compressed (zipped) Folders is used to compress a file. Compressed files take up
less storage space and can be transferred to other computers more quickly than
uncompressed files. Work with compressed files and folders the same way you work
with uncompressed files and folders.

Send To Compressed (zipped) Folder


By using the Send To > Compressed (zipped) Folder command in Windows
Explorer, you can quickly:

• Create a compressed version of a file.
• Send a file to a compressed (zipped) folder.
Alternatively, if a compressed folder is already created and now a new file or folder
needs to be added to it, drag the desired file to the compressed folder in lieu of using
the Send To > Compressed (zipped) Folder command.

Comparing Zipped Folder Compression and NTFS Folder Compression


There are differences to be aware of between zipped folder compression and NTFS
folder compression. A zipped folder is a single file that Windows allows you to browse
inside of. Some applications can access data directly from a zipped folder, while other
applications require that you first unzip the folder contents before the application can
access the data.
In contrast, NTFS compression compresses the content of individual files within a
folder, so data access issues such as this are not an issue because compression occurs at
the individual file system level. Additionally, zipped folders are useful for combining
multiple files into a single e-mail attachment; NTFS compression is not.
File and folder compression that uses the Send To > Compressed (zipped) Folder
command is different from NTFS file and folder compression discussed earlier.
• For selected files or folders, the Send To > Compressed (zipped) Folder
command compresses the selected content into a portable zip file. The original file
or folder is left unchanged, but a new, compressed zip file is created.
• NTFS compression does not create a second, compressed zip-type file; instead, it
actually reduces the size of the selected file, folder, or volume by compressing its
content.

Note: Unlike NTFS compressed folders and files, Compressed (zipped) Folders can be
moved and copied without change between volumes, drives, and file systems.
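The contrast drawn in this topic, a zipped folder being one portable file while NTFS compression changes the stored form of each file in place, can be seen by building a zipped folder from a directory and inspecting what results. The script below is an added example, not part of the course material, and it uses the .NET ZipFile class rather than the Explorer Send To command; it assumes PowerShell 3.0 or later running on .NET Framework 4.5, which provides the System.IO.Compression.FileSystem assembly.

```powershell
# Added example (not from the course): create a Compressed (zipped) Folder from a
# directory with .NET and show that the result is a single file whose compression
# lives inside the file format, not in an NTFS attribute.
# Assumption: PowerShell 3.0+ on .NET Framework 4.5 (System.IO.Compression.FileSystem).
Add-Type -AssemblyName System.IO.Compression.FileSystem

$Root = Join-Path $env:TEMP 'ZipDemo'

function New-ZipDemoInput {
    if (Test-Path $Root) { Remove-Item $Root -Recurse -Force }
    $src = New-Item -ItemType Directory -Path (Join-Path $Root 'Uncompressed Files')
    # Constructed sample files with redundant content
    1..3 | ForEach-Object {
        [System.IO.File]::WriteAllText((Join-Path $src.FullName "doc$_.txt"), ('lorem ipsum ' * 2048))
    }
    $src.FullName
}

function New-ZippedFolder([string]$SourceDir, [string]$ZipPath) {
    # Same outcome as Send To > Compressed (zipped) Folder: one portable file,
    # source directory left unchanged.
    [System.IO.Compression.ZipFile]::CreateFromDirectory($SourceDir, $ZipPath)
    $ZipPath
}

function Get-ZipSummary([string]$ZipPath) {
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        $entries = @($zip.Entries)
        New-Object PSObject -Property @{
            Entries          = $entries.Count
            UncompressedSize = ($entries | Measure-Object -Property Length -Sum).Sum
            CompressedSize   = ($entries | Measure-Object -Property CompressedLength -Sum).Sum
            ZipFileSize      = (Get-Item $ZipPath).Length
            # No NTFS Compressed attribute on the zip: that is why it survives a copy
            # to a FAT volume or an e-mail attachment unchanged.
            NtfsCompressed   = (([System.IO.File]::GetAttributes($ZipPath) -band
                                 [System.IO.FileAttributes]::Compressed) -ne 0)
        }
    } finally { $zip.Dispose() }
}

function Invoke-ZipDemo {
    $src    = New-ZipDemoInput
    $before = (Get-ChildItem $src | Measure-Object -Property Length -Sum).Sum
    $zip    = New-ZippedFolder $src (Join-Path $Root 'Zipped Data.zip')
    $after  = (Get-ChildItem $src | Measure-Object -Property Length -Sum).Sum
    Get-ZipSummary $zip |
        Add-Member -MemberType NoteProperty -Name SourceUnchanged -Value ($before -eq $after) -PassThru
}

Invoke-ZipDemo | Format-List
```

SourceUnchanged reports True because, unlike NTFS compression, creating the zipped folder never touches the original files; the size fields show the ratio the zip format achieved on the redundant sample data.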

Demonstration: Compressing Files and Folders

This demonstration shows how to compress a folder and a file, and also examines the
impact of moving and copying a compressed file.

Create Folders in the Project Documents Folder


1. On LON-CL1, click Start, and then click Computer.

2. In the Computer folder, double-click Local Disk (C:).

3. In the Local Disk (C:) folder, double-click Project Documents.

4. On the Project Documents folder menu, click New Folder.

5. Type “Compressed Files”, and then press ENTER.

6. On the Project Documents folder menu, click New Folder.

7. Type “Uncompressed Files”, and then press ENTER.


Compress the C:\Project Documents\Compressed Files Folder


1. In the Project Documents folder, right-click Compressed Files, and then click
Properties.

2. In the Compressed Files Properties dialog box, click Advanced.

3. Select the Compress contents to save disk space check box, and then click OK.

4. In the Compressed Files Properties dialog box, click OK.

Copy Files into the C:\Project Documents\Compressed Files Folder


1. Click Start, and, in the Search programs and files box, type “C:\Program
Files\Microsoft Office\CLIPART\PUB60COR”, and then press ENTER.

2. Select the following files, right-click on them, and then click Copy:

• AG00004_

• AG00011_

3. Close the PUB60COR folder.

4. Switch back to the C:\Project Documents folder.

5. Right-click Compressed Files folder, and then click Paste.

6. Double-click Compressed Files folder.

7. Right-click AG00004_, and then click Properties.

8. Click Advanced.

9. Click Cancel, then click Cancel again to close the properties dialog box.

Move Compressed Files into the C:\Project Documents\Uncompressed Files Folder

1. Click Start, and then click Computer.

2. In the Computer folder, double-click Local Disk (C:).

3. In the Local Disk (C:) folder, double-click Project Documents.

4. In the Project Documents folder, double-click Uncompressed Files.


5. Right-click the Taskbar, and then click Show Windows Side by Side.

6. In the Compressed Files folder, drag AG00004_ to the Uncompressed Files
folder.

Copy Compressed Files into the C:\Project Documents\Uncompressed Files Folder

1. In the Compressed Files folder, right-click and then drag AG00011_ to the
Uncompressed Files folder.

2. Click Copy Here.

Compress a Folder by Using the Compressed (zipped) Folder Feature


1. Click Start, and then click Computer.

2. In the Computer folder, double-click Local Disk (C:).

3. In the Local Disk (C:) folder, double-click Project Documents.

4. Right-click Uncompressed Files, click Send To, and then click Compressed
(zipped) Folder.

5. Type “Zipped Data”, and then press ENTER.

6. Drag the Zipped Data file to the Compressed Files folder.

7. Double-click the Compressed Files folder.

8. Press CTRL+Z to undo the move operation.

9. Click the left arrow in the menu bar to go back to the Project Documents folder.

10. Right-click Zipped Data, and then drag it to the Compressed Files folder.

11. Click Copy Here.

12. Double-click Compressed Files.

13. Close all open windows.



Lesson 5
Managing Printing

To set up a shared printing strategy to meet the needs of your users you must
understand what the Windows 7 printing components are, and how to manage them.
This lesson examines the printing components in a Windows 7 environment, including
printer ports and drivers.
The instructor will demonstrate how to install and share a printer, and you will review
how to use the Print Management tool to administer multiple printers and print servers.

Printing Components in Windows 7

When a printer is installed and shared in Windows 7, you must define the relationship
between the printer and two printer components, the printer port and the printer driver.

Defining the Printer Port


Windows 7 detects printers that you connect to your computer, and it automatically
installs the driver for the printer if the driver is available in the driver store. However,
Windows might not detect printers that connect by using older ports, such as serial or
parallel ports. In these cases, you must manually configure the printer port.

Installing a Driver
The printer driver is a software interface that allows your computer to communicate
with the printer device. Without a printer driver, the printer that is connected to your
computer will not work properly.
In most cases, drivers come with the Windows application, or you can find them by
going to Windows Update in Control Panel and checking for updates. If the Windows
application does not have the driver needed, you can find it on the disc that came with
the printer, or on the manufacturer's Web site.
If the Windows operating system does not recognize your printer automatically, you
must configure the printer type during the installation process. The printer setup wizard
presents you with an exhaustive list of currently installed printer types. However, if
your printer is not listed, you must obtain and install the necessary driver.
You can preinstall printer drivers into the driver store, thereby making them available
in the printer list, by using the pnputil.exe command-line tool.

When you connect a new printer to your computer, the Windows application tries to
find and install a software driver for the printer. Occasionally, you might see a
notification that a driver is unsigned or is altered or that Windows cannot install it. You
have a choice whether to install a driver that is unsigned or is altered since it was
signed.
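A driver package that is unsigned or altered since signing is exactly what the catalog check in the script below detects before the package is staged with pnputil.exe. The script is an added example, not part of the course material: it reads the CatalogFile entry from the INF, verifies the Authenticode signature on that catalog with Get-AuthenticodeSignature, and only then adds the package to the driver store so that it appears in the printer list. The INF path is a placeholder for a vendor package you already have on disk.

```powershell
# Added example (not from the course): stage a printer driver package in the driver
# store with pnputil.exe only after its catalog signature verifies, so an unsigned
# or altered package is rejected before the Add Printer wizard ever offers it.
# Assumption: $InfPath is a placeholder; point it at a real vendor package.

$InfPath = 'C:\Drivers\PrinterVendor\printer.inf'   # placeholder path

function Get-InfCatalogPath([string]$Inf) {
    # The [Version] section of an INF names its signed catalog with CatalogFile=
    # (or a platform-specific CatalogFile.NTamd64= style key).
    $line = Select-String -Path $Inf -Pattern '^\s*CatalogFile(\.NT\w*)?\s*=\s*(\S+)' |
        Select-Object -First 1
    if (-not $line) { return $null }
    $catName = $line.Matches[0].Groups[2].Value
    Join-Path (Split-Path -Parent $Inf) $catName
}

function Test-DriverPackageSignature([string]$Inf) {
    # $true only when the catalog exists and its Authenticode signature is Valid.
    # NotSigned or HashMismatch is what the wizard reports as "unsigned" or "altered".
    $cat = Get-InfCatalogPath $Inf
    if (-not $cat -or -not (Test-Path $cat)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $cat
    $sig.Status -eq 'Valid'
}

function Install-VerifiedDriverPackage([string]$Inf) {
    if (-not (Test-DriverPackageSignature $Inf)) {
        Write-Warning "Not staging $Inf : catalog missing or signature not valid"
        return $false
    }
    # -a adds the package to the driver store; 'pnputil -e' afterwards lists it.
    & pnputil.exe -a $Inf
    $LASTEXITCODE -eq 0
}

Install-VerifiedDriverPackage $InfPath
```

Running this from an elevated prompt is required because pnputil.exe writes to the driver store; the signature check itself needs no elevation and can be used on its own to triage driver packages before deployment.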

Demonstration: Installing and Sharing a Printer

This demonstration examines how to install and share a printer through Devices and
Printers. It also sets several permissions, including Share the Printer permission.
Advanced options that can be set for the printer are also discussed.

Installing Printers
The most common, and easiest, way to install a printer is to connect it directly to your
computer (known as a local printer). If your printer is a USB model, Windows
automatically detects and installs it when you plug it in. If your printer is an older
model that connects using the serial or parallel port, you might need to install it
manually.
In the workplace, many printers are network printers. These connect directly to a
network as a stand-alone device. Network printers typically connect through an
Ethernet cable or wireless technologies such as Wi-Fi or Bluetooth.

Note: Available network printers can include all printers on a network, such as
Bluetooth and wireless printers, or printers that are plugged into another computer and
shared on the network. Ensure that you have permission to use these printers before
adding them to the computer.

Create and Share a Local Printer
1. On LON-CL1, click Start, click Control Panel, and then click View devices or
printers.

2. In the menu, click Add a printer.

3. In the Add Printer wizard, click Add a local printer.

4. On the Choose a printer port page, in the Use an existing port list, click LPT1:
(Printer Port), and then click Next.

5. On the Install the printer driver page, in the Manufacturer list, click Epson, in
the Printers list, click Epson Stylus Photo RX630 (M), and then click Next.

6. On the Type a printer name page, click Next.

7. On the Printer Sharing page, accept the defaults and click Next.

8. Click Finish to complete the wizard.

Set Permissions and Advanced Options for the Printer


1. In Devices and Printers, right-click Epson Stylus Photo RX630 (M), then click
Printer properties.

2. Click the Security tab, then click Add.

3. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the
Enter the object names to select (examples) box, type “Contoso\IT”, click
Check Names, and then click OK.

4. In the Group or user names box, click IT (Contoso\IT).


5. In the Permissions for IT dialog box, next to Manage this printer, select the
Allow check box.

6. In the Permissions for IT dialog box, next to Manage documents, select the
Allow check box, and then click Apply.

7. Click the Advanced tab.

8. Select the Hold mismatched documents check box.

9. Click the General tab.

10. In the Location field type “Headquarters”.

11. Click Preferences.

12. Set Quality Option to Best Photo.

13. Click OK, then click OK again to close the dialog box.

14. Click OK to close the Epson Stylus Photo RX630 (M) Properties box.

Maintaining Printer Properties


In the Printer Properties dialog box updated in this demonstration, the following
permissions can be maintained:
• Print
• Manage this printer
• Manage documents
The Printer Properties dialog box also includes the following printer options that can
be maintained:

Location       Printer Option

General tab    Printing Preferences, such as portrait/landscape orientation option and
               print quality
Ports tab      Configure Printer Port
Advanced tab   Assign printer driver
Advanced tab   Print spooling options
Advanced tab   Hold mismatched documents option
Advanced tab   Enable advanced printing features


Managing Client-Side Printing

Print Management provides a single interface used to administer multiple printers and
print servers. Print Management (or the Printbrm.exe command-line tool) can also be
used to export printers and settings from one computer and import them on another
computer.
To open the Microsoft Management Console (MMC) snap-in for Print Management,
click Start, click Control Panel, click System and Maintenance, click
Administrative Tools, and then click Print Management.
The Print Management MMC snap-in is used to perform all the basic management
tasks for a printer. Printers can also be managed from the Devices and Printers page in
the Control Panel.
View the Print Queue


Once a print job is initiated, you can view, pause, and cancel your print job through
the print queue. The print queue shows you what is printing or waiting to print. It also
displays handy information such as job status, who is printing what, and how many
unprinted pages remain. From the print queue, you can view and maintain the print
jobs for each printer.

The print queue can be accessed from the Print Management MMC snap-in, and
through the See what’s printing option on the Devices and Printers control panel page.
This is used to view what is printing and what is waiting to print for a specific printer.
Documents that are listed first will be the first to print.
To view the print queue for a printer from the See what’s printing option:
1. In the Control Panel, click Hardware and Sound, and then click Devices and
Printers.
2. In the notification area, select your printer's icon and then click See what's
printing on the command bar.

Tip: To quickly view the print queue, just double-click the printer icon in the
notification area.

Cancel Print Jobs


If a print job is started by mistake, it is easy to cancel the print job, even if printing is
underway. To cancel a print job:
1. Open the print queue for the specific printer by performing the steps outlined
previously.
2. To cancel an individual print job, right-click the print job you want to remove, and
then click Cancel.
3. To cancel all print jobs, click the Printer menu, and then click Cancel All
Documents. The item currently printing might finish, but the remaining items will
be cancelled.

Note: To view your printer permissions, right-click the printer you are using, click
Printer properties, click the Security tab, and then click your user name. If your
computer is on a domain, printer permissions might be controlled by an administrator.

Pause or Resume a Print Job


You can pause and resume a single print job or multiple jobs in the queue. To pause or
resume a print job:
1. Open the print queue for the specific printer by performing the steps outlined
previously.
2. To pause or resume an individual print job, right-click the print job, and then click
Pause or Resume.
3. To pause all print jobs, click the Printer menu, and then click Pause Printing. To
resume printing, click Pause Printing again.

Note: To pause someone else's print job, you must have permission.

Restart a Print Job


If a print job is printing in the wrong color ink or wrong size paper, start over from the
beginning. To restart a print job:
1. Open the print queue for the specific printer by performing the steps outlined
previously.
2. Right-click the print job to be reprinted, and then click Restart.

Reorder the Print Queue


If you are printing multiple items, you can change the order they print in. To reorder the jobs in
the print queue:
1. Open the print queue for the specific printer by performing the steps outlined
previously.
2. Right-click the print job to be reordered, and then click Properties.
3. Click the General tab, and then drag the Priority tab left or right to change its print
order. Items with higher priority print first.
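The queue operations described in the preceding topics (view, cancel, pause, resume) are also exposed through WMI, which is what an administrator scripting several client computers would use on Windows 7, where the Get-Printer family of cmdlets does not exist. The script below is an added example, not part of the course material: it lists the queue of one printer through Win32_PrintJob, showing the Owner column that tells you who is printing what, and wraps the job and printer Pause, Resume and Delete methods. It assumes the printer name used in the demonstration is installed; the same permissions apply as in the GUI (Manage documents for other users' jobs, Manage this printer for pausing the whole queue).

```powershell
# Added example (not from the course): view and control a print queue through the
# Win32_PrintJob and Win32_Printer WMI classes available on Windows 7.
# Assumption: $PrinterName is installed locally (name taken from the demonstration).

$PrinterName = 'Epson Stylus Photo RX630 (M)'

function Get-PrintQueue([string]$Printer) {
    # Win32_PrintJob.Name has the form "<printer name>, <job id>".
    Get-WmiObject Win32_PrintJob |
        Where-Object { $_.Name -like "$Printer, *" } |
        Sort-Object JobId |
        Select-Object JobId, Document, Owner, Status, TotalPages, PagesPrinted, Priority
}

function Get-PrintJobById([string]$Printer, [int]$JobId) {
    Get-WmiObject Win32_PrintJob | Where-Object { $_.Name -eq "$Printer, $JobId" }
}

function Suspend-PrintJob([string]$Printer, [int]$JobId) {
    # Right-click > Pause on a single job; ReturnValue 0 means success.
    $job = Get-PrintJobById $Printer $JobId
    if ($job) { ($job.Pause()).ReturnValue -eq 0 } else { $false }
}

function Resume-PrintJob([string]$Printer, [int]$JobId) {
    $job = Get-PrintJobById $Printer $JobId
    if ($job) { ($job.Resume()).ReturnValue -eq 0 } else { $false }
}

function Remove-PrintJob([string]$Printer, [int]$JobId) {
    # Right-click > Cancel; deleting the WMI instance cancels the job.
    # Requires Manage documents when the job belongs to someone else.
    $job = Get-PrintJobById $Printer $JobId
    if ($job) { $job.Delete(); $true } else { $false }
}

function Set-PrinterQueuePaused([string]$Printer, [switch]$Resume) {
    # Printer menu > Pause Printing (and its toggle back); requires Manage this printer.
    $escaped = $Printer -replace "'", "''"          # escape quotes for the WQL filter
    $p = Get-WmiObject Win32_Printer -Filter "Name='$escaped'"
    if (-not $p) { return $false }
    $r = if ($Resume) { $p.Resume() } else { $p.Pause() }
    $r.ReturnValue -eq 0
}

# Show what is printing or waiting, oldest job first (the order the spooler will use).
Get-PrintQueue $PrinterName | Format-Table -AutoSize
```

To pause job 3 and later resume it, call Suspend-PrintJob $PrinterName 3 and Resume-PrintJob $PrinterName 3; Set-PrinterQueuePaused $PrinterName -Resume reverses a queue-wide pause.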
Configuring Location-aware Printing

Windows 7 offers the ability to automatically switch your laptop's default printer when
it detects that you have moved from one network location to another, such as from
public to domain. This feature, called location-aware printing, is only found on laptops
and other portable devices that use a battery.

Configure Location-aware Printing


To configure location-aware printing, you must first set a printer as your default. That
printer then becomes the default for the network you are connected to. To set a default
printer in Devices and Printers, right-click a printer, and then click Set as default
printer.
Once the default printer is set for your computer, you must then perform the following
steps to manage the location-aware printing settings:
1. In Devices and Printers, click Manage default printers on the toolbar.
2. In the Manage Default Printers dialog box, click Change my default printer
when I change networks.
3. Click the Select network list, and then choose a network.
4. Click the Select printer list, select a corresponding default network printer, and
then click Add.
5. Repeat steps 3 and 4 as necessary.


If you do not want Windows to change your default printer settings when moving from
place to place, click Always use the same printer as my default printer in the
Manage Default Printers dialog box. If you want a wireless network to appear in the
Manage Default Printers dialog box, it is necessary to have successfully connected to
that wireless network at least once.

Note: Location-aware printing does not work when connecting to a network through
Remote Desktop (Terminal Services).
Module Review and Takeaways

Review Questions
1. Question: You decided to share a folder containing the Scoping Assessment
document and other planning files created for your upcoming Microsoft
Dynamics® CRM implementation at Fabrikam, Inc. However, now you do not
want any of these planning files available offline. Which advanced sharing options
must you configure to enforce this requirement?

Answer: You must configure the caching options, which determine how offline
versions of shared files will be made available, if at all. By default, users must
specify which files and programs are available offline.
2. Question: Contoso is installing Microsoft Dynamics® GP and they have
contracted with a vendor to provide some custom programming work. Contoso
asked Joseph, their senior IT desktop specialist, to configure the NTFS
permissions for the GP planning files it will be accumulating. Contoso has asked
that all IT users be assigned Modify permissions to the GP Implementation
Planning folder. However, Contoso only wants the subfolder titled Vendor
Contracts to be available for viewing by a select group of managers. How can
Joseph accomplish this by taking into account permission inheritance?



Answer: Joseph can take a three-step approach. First, he can assign the IT user
group the Modify permission for the GP Implementation Planning folder. Next, he
can block inherited permissions on the Vendor Contracts subfolder. Third, he can
restrict access to the subfolder by providing Read access to the selected list of
managers identified by Contoso.
3. Question: Peter is an IT professional working at Fabrikam. He is having trouble
accessing a particular file and suspects it has something to do with his NTFS
permissions associated with the file. How can he view his effective file
permissions?

Answer: From the file’s property sheet, Peter can click the Security tab, and then
click Advanced. From the Effective Permissions tab, he can enter his user alias
and then view his effective permissions.
4. Question: Robin recently created a spreadsheet to which she explicitly assigned
NTFS file permissions that restricted file access to just herself. Following the
system reorganization, the file moved to a folder on another NTFS partition, and
Robin discovered that other users were able to access the spreadsheet. What is the
probable cause of this situation?

Answer: When moving a file to a folder on a different NTFS partition, the file
inherits the new folder’s permissions. In this case, the new folder the spreadsheet
moved to allowed access by other user groups.
5. Question: Contoso recently installed Windows 7 on its client computers. Because
many of their sales staff travel and work from various branch offices throughout
any given month, Contoso decided to take advantage of the location-aware
printing functionality in Windows 7. Michael, a sales representative, was pleased
he no longer had to configure printers each time he needed to print a document at a
branch office. However, to Michael’s dismay, on his last trip he tried to connect to
the company network using Terminal Services and found that he still had to
manually select the printer when he wanted to print a file. Why did the system not
automatically recognize the printer for Michael?

Answer: Because location-aware printing does not work when you connect to a
network through Remote Desktop (Terminal Services).

Best Practices Related to Authentication and Authorization


Supplement or modify the following best practices for your own work situations:

• When setting up a computer, you are required to create a user account. This
account is an administrator account used to set up your computer and install any
required programs. Once finished setting up your computer, it is recommended to
use a standard user account for your day-to-day computing. It is more secure to use
a standard user account instead of an administrator account because it can prevent
users from making changes that affect everyone who uses the computer, especially
if your user account logon credentials are stolen.
• Considerations to take into account when taking ownership of a file or folder
include:
• An administrator can take ownership of any file on the computer.
• Assigning ownership of a file or folder might require elevating your
permissions through User Account Control.
• The Everyone group no longer includes the Anonymous Logon group.

Best Practices Related to NTFS Permissions


Supplement or modify the following best practices for your own work situations:
• To simplify the assignment of permissions, you can grant the Everyone group Full
Control share permission to all shares and use only NTFS permissions to control
access. Restrict share permissions to the minimum required to provide an extra
layer of security in case NTFS permissions are configured incorrectly.
• When permissions inheritance is blocked, you have the option to copy existing
permissions or begin with blank permissions. If you only want to restrict a
particular group or user, then copy existing permissions to simplify the
configuration process.

Best Practices Related to Managing Shared Folders


Supplement or modify the following best practices for your own work situations:
• If the guest user account is enabled on your computer, the Everyone group
includes anyone. In practice, remove the Everyone group from any permission
lists, and replace it with the Authenticated Users group.
• Using a firewall other than that supplied with Windows 7 can interfere with the
Network Discovery and file-sharing features.

Tools
Use the following Command Prompt tools to manage file and printer sharing:
Tool          Description
Net share     Share folders from the Command Prompt
Net use       Connect to shared resources from the Command Prompt
Cacls.exe     Configure NTFS file and folder permissions from the Command Prompt
Compact.exe   Compress NTFS files and folders from the Command Prompt
Pnputil.exe   Preinstall printer drivers into the driver store


Module 4
Configuring Network Connectivity
Contents:
Lesson 1: Configuring IPv4 Network Connectivity 4-3
Lesson 2: Configuring IPv6 Network Connectivity 4-22
Lesson 3: Implementing Automatic IP Address Allocation 4-37
Lesson 4: Troubleshooting Network Issues 4-48

Module Overview



Network connectivity is essential in today’s business
environment and is also becoming critical in home
environments. Whether you are part of a business network
infrastructure, operate a home office, or need to share
files and access the Internet, an increasing number of
computer users want to connect their computers to a
network. The Windows® 7 operating system provides enhanced
networking functionality as compared to the previous
Microsoft® Windows desktop operating systems, and it
introduces support for newer technologies.
Windows 7 has both TCP/IP version 4 and TCP/IP version 6
installed and enabled by default. An understanding of both
IPv4 and IPv6, and the operating system’s access
capabilities, helps you configure and troubleshoot Windows
7 networking features.

Lesson 1
Configuring IPv4 Network Connectivity

IPv4 uses a specific addressing scheme and name-resolution
mechanism to transmit data between connected systems. To
connect computers running Windows 7 to a network, you must
understand the concepts of IPv4 addressing, Domain Name
System (DNS), and Windows Internet Naming Service (WINS)
name resolution.

What is an IPv4 Address?



To troubleshoot network connectivity problems for your
users, you must be familiar with IP addresses and how they
work. You assign a unique IPv4 address to each networked
computer. The IPv4 address identifies the computer to
other computers on the network.

Components of an IPv4 Address


IPv4 uses 32-bit addresses, so if you view the address in
its binary format, it has 32 characters, as the following
example shows:

11000000101010000000000111001000

IPv4 divides the address into four octets, as the
following address shows:

11000000.10101000.00000001.11001000

To make IP addresses more readable, the binary
representation is typically shown in dotted decimal form.
For example:

192.168.1.200

The address, in conjunction with a subnet mask,
identifies:
• The unique identity of the computer, which is the host
ID.
• The subnet on which the computer resides, which is the
network ID.
This enables a networked computer to communicate with
other networked computers in a routed environment.

IPv4 Address Classes


The Internet Assigned Numbers Authority (IANA) organizes
IPv4 addresses into classes. The number of hosts that a
network has determines the class of addresses that is
required. IANA has named the IPv4 address classes from
Class A through Class E.
Classes A, B, and C are IP addresses that you can assign
to host computers as unique IP addresses. You can use Class
D for multicasting. The IANA reserves Class E for
experimental use.

What is a Subnet Mask?



A subnet mask specifies which part of an IPv4 address is
the network ID and which part of the IPv4 address is the
host ID. A subnet mask has four octets, similar to an IPv4
address.

Simple IPv4 Networks


In simple IPv4 networks, the subnet mask defines full
octets as part of the network ID and host ID. A 255
represents an octet that is part of the network ID, and a
0 represents an octet that is part of the host ID. Class
A, B, and C networks use a default subnet mask. The
following table lists the characteristics of each IP
address class.

Class   First Octet   Default Subnet Mask   Number of Networks   Number of Hosts per Network
A       1-127         255.0.0.0             126                  16,777,214
B       128-191       255.255.0.0           16,384               65,534
C       192-223       255.255.255.0         2,097,152            254

Complex IPv4 Networks


In complex networks, subnet masks might not be simple
combinations of 255 and 0. Rather, you might subdivide one
octet with some bits that are for the network ID and some
for the host ID. Classless addressing, or Classless Inter-
Domain Routing (CIDR), is when the network ID does not end
on an octet boundary: the mask uses either more or fewer
bits than a whole octet. This type of subnetting uses a
different notation, which the following example shows:

172.16.16.1/255.255.240.0

The following example shows the more common representation
of classless IPv4 addressing:

172.16.16.1/20

The /20 represents how many bits of the mask identify the
network ID. This notation style is called Variable Length
Subnet Masking.

What Is a Subnet?
A subnet is a segment of a network. One or more routers
separate the subnet from the rest of the network. When
your Internet service provider (ISP) assigns a network a
Class A, B, or C address range, you often must subdivide
the range to match the network’s physical layout.
Subdivide a large network into logical subnets.
When you subdivide a network into subnets, create a unique
ID for each subnet derived from the main network ID. To
create subnets, you must allocate some of the bits in the
host ID to the network ID. This enables you to create more
networks.

By using subnets, you can:
• Use a single Class A, B, or C network across multiple
physical locations
• Reduce network congestion by segmenting traffic and
reducing broadcasts on each segment
• Overcome limitations of current technologies, such as
exceeding the maximum number of hosts that each segment
can have.

Subnet Bits in the Mask


Before you define a subnet mask, estimate how many
segments and hosts per segment you may require. This
enables you to use the appropriate number of bits for the
subnet mask.
When you use more bits for the subnet mask, you can have
more subnets, but fewer hosts on each subnet. Using more
bits than you need allows for subnet growth, but limits
growth for hosts. Using fewer bits than you need allows
for growth in the number of hosts you can have, but limits
growth in subnets.
You can calculate the number of subnet bits you need in
the network. Use the formula 2^n, where n is the number of
bits; the result is the number of subnets those bits
provide, which must be at least the number that your
network requires.
The table below indicates the number of subnets that you
can create by using a specific number of bits.

Number of Bits   Number of Subnets
1                2
2                4
3                8
4                16
5                32
6                64

Host Bits in the Mask

To determine the host bits in the mask, determine the
number of bits required to support the hosts on a subnet.
Calculate the number of hosts that n host bits support by
using the formula 2^n-2, where n is the number of bits.
This result must be at least the number of hosts that you
need on the subnet, and it is also the maximum number of
hosts that you can configure on that subnet.
The table below shows how many hosts a class C network has
available based on the number of host bits.

Number of Bits Borrowed from the Host ID   Number of Hosts
1                                          126
2                                          62
3                                          30
4                                          14
5                                          6
6                                          2

Calculating Subnet Addresses


To determine subnet addresses quickly, you can use the
lowest value bit in the subnet mask. For example, if you
choose to subnet the network 172.16.0.0 by using 3 bits,
this means the subnet mask is 255.255.224.0. The decimal
224 is 11100000 in binary, and the lowest bit has a value
of 32, so that is the increment between each subnet
address.
The following table shows examples of calculating subnet
addresses.

Binary Network Number       Decimal Network Number
172.16.00000000.00000000    172.16.0.0
172.16.00100000.00000000    172.16.32.0
172.16.01000000.00000000    172.16.64.0
172.16.01100000.00000000    172.16.96.0
172.16.10000000.00000000    172.16.128.0
172.16.10100000.00000000    172.16.160.0
172.16.11000000.00000000    172.16.192.0
172.16.11100000.00000000    172.16.224.0

Calculating Host Addresses


You can calculate each subnet’s range of host addresses by
using the following process:
• The first host address is one higher than the current
subnet ID
• The last host address is two lower than the next subnet
ID
The following table shows examples of calculating host
addresses.

Decimal Network Number   Host Range
172.16.64.0              172.16.64.1 - 172.16.95.254
172.16.96.0              172.16.96.1 - 172.16.127.254
172.16.128.0             172.16.128.1 - 172.16.159.254
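The subnet and host-range arithmetic from the sections above, worked in code. This is an added example written for this edit, not courseware code; the function names are my own, and it checks the 172.16.0.0 with 3 subnet bits case against Python's ipaddress module.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def ip_to_int(dotted):
    """Convert dotted-decimal text such as '172.16.0.0' to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(value):
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def subnet_mask(prefix_len):
    """Dotted-decimal mask for a prefix length, e.g. 19 -> '255.255.224.0'."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return int_to_ip((ALL_ONES << (32 - prefix_len)) & ALL_ONES)


def subnet_bits_needed(subnet_count):
    """Smallest n with 2^n >= subnet_count (the 2^n rule in the text)."""
    n = 0
    while (1 << n) < subnet_count:
        n += 1
    return n


def host_bits_needed(host_count):
    """Smallest n with 2^n - 2 >= host_count (the 2^n - 2 rule in the text)."""
    n = 2  # a single host bit would leave no usable addresses
    while (1 << n) - 2 < host_count:
        n += 1
    return n


def enumerate_subnets(network, base_prefix, subnet_bits):
    """Return (subnet_id, first_host, last_host, broadcast) for each subnet.

    The increment between subnet IDs is the value of the lowest set bit of
    the new mask (32 in the third octet for 255.255.224.0), which is exactly
    how the courseware computes it by hand.
    """
    new_prefix = base_prefix + subnet_bits
    if new_prefix > 30:
        raise ValueError("fewer than 2 host bits would leave no usable hosts")
    base = ip_to_int(network) & ((ALL_ONES << (32 - base_prefix)) & ALL_ONES)
    increment = 1 << (32 - new_prefix)
    subnets = []
    for i in range(1 << subnet_bits):
        subnet_id = base + i * increment
        broadcast = subnet_id + increment - 1
        subnets.append((int_to_ip(subnet_id),
                        int_to_ip(subnet_id + 1),   # first host: subnet ID + 1
                        int_to_ip(broadcast - 1),   # last host: next ID - 2
                        int_to_ip(broadcast)))
    return subnets


def matches_library(network, base_prefix, subnet_bits):
    """Cross-check the hand calculation against ipaddress.subnets()."""
    ours = enumerate_subnets(network, base_prefix, subnet_bits)
    lib = list(ipaddress.ip_network(f"{network}/{base_prefix}")
               .subnets(prefixlen_diff=subnet_bits))
    return len(ours) == len(lib) and all(
        o[0] == str(n.network_address) and o[3] == str(n.broadcast_address)
        for o, n in zip(ours, lib))


if __name__ == "__main__":
    print("3 subnet bits on 172.16.0.0/16 -> mask", subnet_mask(19))
    for subnet_id, first, last, bcast in enumerate_subnets("172.16.0.0", 16, 3):
        print(f"{subnet_id:<13} hosts {first} - {last} (broadcast {bcast})")
    print("agrees with ipaddress:", matches_library("172.16.0.0", 16, 3))
```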



What is the Default Gateway?

A default gateway is a device, usually a router, on a
TCP/IP internet that forwards IP packets to other subnets.
A router connects groups of subnets to create an intranet.
In an intranet any given subnet might have several routers
that connect it to other subnets, both local and remote.
You must configure one of the routers as the default
gateway for local hosts. This enables the local hosts to
communicate with hosts on remote networks.
When a host delivers an IPv4 packet, it uses the subnet
mask to determine whether the destination host is on the
same network or on a remote network. If the destination
host is on the same network, the local host delivers the
packet. If the destination host is on a different network,
the host transmits the packet to a router for delivery.
When a host on the network uses IPv4 to transmit a packet
to a destination subnet, IPv4 consults the internal
routing table to determine the appropriate router for the
packet to reach the destination subnet. If the routing
table does not contain any routing information about the
destination subnet, IPv4 forwards the packet to the
default gateway. The host assumes that the default gateway
contains the required routing information.

In most cases, you use a Dynamic Host Configuration
Protocol (DHCP) server to assign the default gateway
automatically to a DHCP client. This is more
straightforward than manually assigning a default gateway
on each host.

What are Public and Private IPv4 Addresses?

Devices and hosts that connect directly to the Internet
require a public IPv4 address. Hosts and devices that do
not connect directly to the Internet do not require a
public IPv4 address.

Public IPv4 Addresses


Public IPv4 addresses must be unique. IANA assigns public
IPv4 addresses. Usually, your ISP allocates you one or
more public addresses from its address pool. The number of
addresses that your ISP allocates to you depends upon how
many devices and hosts that you have to connect to the
Internet.

Private IPv4 Addresses


The pool of IPv4 addresses is becoming smaller, so IANA is
reluctant to allocate superfluous IPv4 addresses.
Technologies such as Network Address Translation (NAT)
enable administrators to use a relatively small number of
public IPv4 addresses, and at the same time, enable local
hosts to connect to remote hosts and services on the
Internet.
IANA defines the following address ranges as private.
Internet-based routers do not forward packets originating
from, or destined to, these ranges.

Class   Mask             Range
A       10.0.0.0/8       10.0.0.0 - 10.255.255.255
B       172.16.0.0/12    172.16.0.0 - 172.31.255.255
C       192.168.0.0/16   192.168.0.0 - 192.168.255.255

Note: RFC3330 defines these private address ranges.

Question: Which of the following is not a private IP
address?

a. 171.16.16.254
b. 192.16.18.5
c. 192.168.1.1
d. 10.255.255.254

Answer: A and B.
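An added example, not from the courseware, that encodes the class table and the private ranges above with bit-mask arithmetic and evaluates the quiz addresses; the function and table names are assumptions of this example.

```python
# Address classes by first octet, with the default mask from the class table
# above (None for classes D and E, which are not assigned to hosts).
CLASS_TABLE = (
    ("A", 1, 127, "255.0.0.0"),
    ("B", 128, 191, "255.255.0.0"),
    ("C", 192, 223, "255.255.255.0"),
    ("D", 224, 239, None),   # multicast
    ("E", 240, 255, None),   # experimental
)

# The RFC 3330 private ranges listed in the table above.
PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(dotted):
    """'192.168.1.1' -> 32-bit integer; rejects malformed input."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {dotted!r}")
    return int.from_bytes(bytes(octets), "big")


def address_class(dotted):
    """Return (class letter, default mask) based on the first octet."""
    first = ip_to_int(dotted) >> 24
    for name, low, high, mask in CLASS_TABLE:
        if low <= first <= high:
            return name, mask
    raise ValueError(f"{dotted} (first octet 0) belongs to no class")


def in_range(dotted, cidr):
    """True if the address lies inside the CIDR block (mask comparison,
    so 172.16.0.0/12 correctly covers 172.16.x.x through 172.31.x.x)."""
    net, plen = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF
    return ip_to_int(dotted) & mask == ip_to_int(net) & mask


def is_private(dotted):
    """True only for the three RFC 3330 ranges in the table above."""
    return any(in_range(dotted, r) for r in PRIVATE_RANGES)


def quiz(choices):
    """Given {label: address}, return the labels that are NOT private."""
    return sorted(label for label, addr in choices.items()
                  if not is_private(addr))


if __name__ == "__main__":
    options = {"a": "171.16.16.254", "b": "192.16.18.5",
               "c": "192.168.1.1", "d": "10.255.255.254"}
    for label, addr in options.items():
        cls, mask = address_class(addr)
        print(f"{label}. {addr:<15} class {cls}, default mask {mask}, "
              f"private={is_private(addr)}")
    print("not private:", quiz(options))
```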

Demonstration: Configuring an IPv4 Address

Start the LON-DC1 and the LON-CL1 virtual machines. Leave
them running throughout the duration of the module.
In this demonstration, you will see how to configure an
IPv4 address manually.
1. Log on to the LON-CL1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Accessories,
and then click Command Prompt.
3. At the command prompt, type “ipconfig /all”, and then
press ENTER. This displays the configuration for all
network connections on the computer.
4. Close the command prompt.
5. Click Start and then click Control Panel.
6. Under Network and Internet, click View network status
and tasks.
7. In Network and Sharing Center, to the right of the
Contoso.com Domain network, click Local Area Connection
3.
8. In the Local Area Connection 3 Status window, click
Details. This window shows the same configuration
information for this adapter as the ipconfig command.

9. In the Network Connection Details windows, click Close.
10. In the Local Area Connection 3 Status window, click
Properties. This window allows you to configure
protocols.
11. Click Internet Protocol Version 4 (TCP/IPv4) and
then click Properties. You can configure the IP
address, subnet mask, default gateway and DNS servers
in this window.
12. Click Advanced. The Advanced TCP/IP Settings window
allows you to configure additional settings such as
additional IP addresses, DNS settings, and WINS servers
for NetBIOS name resolution.
13. Close all open windows without modifying any
settings.

Question: When might you need to change the IPv4 address
of a computer?

Answer: You must ensure that all computers on your network
have a unique IPv4 address. If two computers have the same
IPv4 address then you must change the IPv4 address on one
of the two computers.

Types of Computer Names

Name resolution is the process of converting computer
names to IP addresses. Name resolution is an essential
part of computer networking because it is easier for users
to remember names than abstract numbers such as an IPv4
address.
The application developer determines an application’s
name. In Windows operating systems, applications can
request network services through Windows Sockets, Winsock
Kernel, or NetBIOS. If an application requests network
services through Windows Sockets or Winsock Kernel, it
uses host names. If an application requests services
through NetBIOS, it uses a NetBIOS name.
Many current applications, including Internet
applications, use Windows Sockets to access network
services. Newer applications designed for Windows 7 and
the Windows Server® 2008 operating system use Winsock
Kernel. Earlier applications use NetBIOS.

Host Name
A host name is a user-friendly name that is associated
with a host’s IP address and identifies it as a TCP/IP
host. A host name can be no more than 255 characters in
length and contains alphanumeric characters, periods, and
hyphens.

• Host names are an alias or a fully qualified domain
name (FQDN)
• An alias is a single name associated with an IP
address.
• An alias combined with a domain name creates the
FQDN
• The elements of the name include periods as separators.
Applications use the structured FQDN on the Internet.
• An example of an FQDN is payroll.adatum.com.

NetBIOS Name
Applications use the 16-character NetBIOS name to identify
a NetBIOS resource on a network. A NetBIOS name represents
a single computer or a group of computers. NetBIOS uses
the first 15 characters for a specific computer’s name and
the final sixteenth character to identify a resource or
service on that computer. An example of a NetBIOS name is
ADATUM-SVR1[20h].

Methods for Resolving Computer Names

Windows supports a number of different methods for
resolving computer names, such as the domain name system,
Windows Internet naming service, and host name resolution
process.

Domain Name System


Domain Name System, or DNS, is a service that manages the
resolution of host names to IP addresses. TCP/IPv4
identifies source and destination computers by their IPv4
addresses. However, since it is easier for users to
remember names than numbers, DNS assigns common or user-
friendly names to the computer’s IPv4 address. A host name
is the most common name type that DNS uses.
DNS is the Microsoft standard for resolving host names to
IP addresses. Windows Server 2008 has DNS features such
as Global Domain Names that can eliminate the need for
WINS servers.
Applications also use DNS to do the following:
• Locate domain controllers and global catalog servers:
This is used when logging on to the Active Directory®
directory service.
• Resolve IP addresses to host names: This is useful when
a log file contains only a host’s IP address.
• Locate mail server for e-mail delivery: This is used
for the delivery of all Internet e-mail.
• Locate other services using SRV records such as auto-
configure for Outlook.

Windows Internet Naming Service


WINS is a NetBIOS name server that you can use to resolve
NetBIOS names to IPv4 addresses. WINS provides a
centralized database for registering dynamic mappings of a
network’s NetBIOS names. Support is retained for WINS to
provide backward compatibility.
You can resolve NetBIOS names by using:
• Broadcast messages. Broadcast messages do not work
well on large networks because routers do not propagate
broadcasts.
• LMHOSTS file on all computers. Using an LMHOSTS file
for NetBIOS name resolution is a high-maintenance
solution because you must maintain the file manually on
all computers.
WINS is built on a protocol that registers, resolves, and
releases NetBIOS names by using unicast transmissions
rather than repeated transmissions of broadcast messages.
This protocol allows the system to work across routers,
and eliminates the need for an LMHOSTS file. The protocol
also restores the dynamic nature of NetBIOS name
resolution and enables the system to work seamlessly with
DHCP. For example, when DHCP assigns new IPv4 addresses to
computers that move between subnets, the WINS database
tracks the changes automatically.
WINS uses a flat name space, unlike DNS, which uses a
hierarchical name space. Consequently, the names that WINS
uses must be unique.

The Host Name Resolution Process


When an application specifies a host name and uses Windows
Sockets, TCP/IP uses the DNS resolver cache and DNS when
attempting to resolve the host name. The hosts file is
loaded into the DNS resolver cache. If you enable NetBIOS
over TCP/IP, TCP/IP also uses NetBIOS name-resolution
methods when resolving host names.
Windows resolves host names by:
1. Checking whether the host name is the same as the local
host name.
2. Searching the DNS resolver cache.
3. Sending a DNS request to its configured DNS servers.
4. Converting the host name to a NetBIOS name, and
checking the local NetBIOS name cache.
5. Contacting the host’s configured WINS servers.
6. Broadcasting as many as three NetBIOS Name Query
Request messages on the directly attached subnet.
7. Searching the LMHOSTS file.



Lesson 2
Configuring IPv6 Network Connectivity



While most networks to which you connect Windows 7-based
computers currently provide IPv4 support, many also
support IPv6. To connect computers running Windows 7 to
IPv6-based networks, you must understand the IPv6
addressing scheme, and the differences between IPv4 and
IPv6.

Benefits of Using IPv6



The new features and functionality in IPv6 address many
IPv4 limitations. RFC 791 defined IPv4 in 1981. Since
then, limitations to future network connectivity have
arisen. These limitations include the following:
• Limited address space: IPv4 uses only 32-bits to
represent addresses. IANA has allocated the majority of
these addresses.
• Difficult routing management: IANA has not provisioned
allocated IPv4 addresses for efficient route
management. As a result, Internet backbone routers have
over 85,000 routes in their routing tables.
• Complex host configuration: Automatic configuration of
IPv4 hosts requires that you implement DHCP.
• No built-in security: IPv4 does not include any method
for securing network data. You must implement Internet
Protocol Security (IPSec) and other protocols to secure
data on IPv4 networks, but this requires significant
configuration and can be complex to implement.
• Limited Quality of Service (QoS): The implementation of
QoS in IPv4 relies on the use of TCP and User Datagram
Protocol (UDP) ports to identify data. This may not be
appropriate in all circumstances.

IPv6 Improvements
IPv6 enhancements help enable secure communication on the
Internet and over corporate networks. Some IPv6 features
include the following:
• Larger address space: IPv6 uses a 128-bit address
space, which provides significantly more addresses than
IPv4.
• More efficient routing: IANA provisions global
addresses for the Internet to support hierarchical
routing. This reduces how many routes that Internet
backbone routers must process, and improves routing
efficiency.
• Simpler host configuration: IPv6 supports dynamic
client configuration by using DHCPv6. IPv6 also enables
routers to configure hosts dynamically.
• Built-in security: IPv6 includes native IPSec support.
This ensures that all hosts encrypt data in transit.
• Better prioritized delivery support: IPv6 includes a
Flow Label in the packet header to provide prioritized
delivery support. This designates the communication
between computers with a priority level, rather than
relying on port numbers that applications use. It also
assigns a priority to the packets in which IPSec
encrypts the data.
• Redesigned header: The design of the header for IPv6
packets is more efficient in processing and
extensibility. IPv6 moves nonessential and optional
fields to extension headers for more efficient
processing. Extension headers are no more than the full
size of the IPv6 packet, which accommodates more
information than possible in the 40 bytes that the IPv4
packet header allocates.

Windows 7 Support for IPv6



Windows 7 is designed to use IPv6 by default and includes
several features that support IPv6.
DirectAccess requires IPv6
DirectAccess enables remote users to access the corporate
network anytime they have an Internet connection; it does
not require virtual private networking (VPN). DirectAccess
provides a flexible corporate network infrastructure to
help you remotely manage and update user PCs both on and
off the network. With DirectAccess, the end user
experience of accessing corporate resources over an
Internet connection is almost indistinguishable from the
experience of accessing these resources from a computer at
work. DirectAccess uses IPv6 to provide globally routable
IP addresses for remote access clients.
Windows 7 Dual Stack
Both IPv6 and IPv4 are supported in a dual stack
configuration. The dual IP stack provides a shared
transport and framing layer, shared filtering for
firewalls and IPSec, and consistent performance, security,
and support for both IPv6 and IPv4. These items help lower
maintenance costs.
Windows Services can use IPv6
Windows 7 services such as File Sharing and Remote Access
use IPv6 features such as IP security. This includes VPN
Reconnect, which uses Internet Key Exchange Version 2
(IKEv2), an authentication component of IPv6.
The Windows 7 operating system supports remote
troubleshooting capabilities, such as Remote Desktop.
Remote Desktop uses the Remote Desktop Protocol (RDP) to
allow users to access files on their office computer from
another computer, such as one located at their home.
Additionally, Remote Desktop allows administrators to
connect to multiple Windows Server sessions for remote
administration purposes. IPv6 addresses can be used to
make remote desktop connections.

What is the IPv6 Address Space



The IPv6 address space uses 128-bits compared to the 32-
bits that the IPv4 address space uses. Therefore, a
significantly larger number of addresses are possible with
IPv6 than with IPv4. An IPv6 address allocates 64-bits for
the network ID and 64-bits for the host ID. However, for
hierarchical routing, IPv6 may allocate less than 64-bits
to the network ID.

IPv6 Syntax
IPv6 does not use a dotted decimal notation to compress
the addresses. Instead, IPv6 uses hexadecimal notation,
with a colon between each set of four digits. Each
hexadecimal digit represents four bits.
To shorten IPv6 addresses further, you can drop leading
zeros and use zero compression. Within each group of four
digits, drop leading zeros and include a single grouping
of four zeros as a single zero. By using zero compression,
you represent multiple contiguous groupings of zeros as a
set of double colons.

Description                                                                  Example
A full IPv6 address                                                          2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A/64
An IPv6 address with leading zeros dropped                                   2001:DB8:0:0:2AA:FF:FE28:9C5A/64
An IPv6 address with contiguous groupings of zeros and leading zeros dropped 2001:DB8::2AA:FF:FE28:9C5A/64

Each IPv6 address uses a prefix to define the network ID.
You use this prefix in place of a subnet mask similar to
using Classless Inter-Domain Routing (CIDR) in IPv4. The
prefix is a forward slash followed by the number of bits
that the network ID includes. In the preceding examples,
the prefix defines 64-bits in the network ID.

IPv6 Address Types

IPv6 address types are similar to IPv4 address types.

IPv6 Address Types


The IPv6 address types are:
• Unicast: An IPv6 unicast address is equivalent to an
IPv4 unicast address. You can use this for one-to-one
communication between hosts. Each IPv6 host has
multiple unicast addresses. There are three types of
unicast address.
• Global Unicast Address: These are equivalent to
public IPv4 addresses. They are globally routable
and reachable on the IPv6 portion of the Internet.
The first 48 bits of a global unicast address are
referred to as the public topology. The public
topology is unique over the entire Internet. It is
the collection of larger and smaller ISPs that
provide access to the IPv6 Internet. IANA assigns a
single unique address in the global routing prefix
to an ISP.
An ISP can subnet the network address that IANA
assigns by using the next 16 bits, which are the
site topology. The 16 bits of site topology allow an
ISP to create up to 65,536 subnets in the most
efficient manner applicable to that ISP’s customer
base.
• Link-Local Addresses: Hosts use link-local addresses
when communicating with neighboring hosts on the
same link. For example, on a single-link IPv6
network with no router, hosts communicate by using
link-local addresses. IPv6 link-local addresses are
equivalent to IPv4 Automatic Private IP Addressing
(APIPA) addresses. When a DHCP server fails, APIPA
allocates addresses in the private range 169.254.0.1
to 169.254.255.254. Clients verify that their address
is unique on the LAN by using ARP. When the DHCP
server is again able to service requests, clients
update their addresses automatically.
Other characteristics of link-local addresses
include:
• Link-local addresses always begin with FE80.
• An IPv6 router never forwards link-local traffic
beyond the link.
• An APIPA address is assigned automatically to an
IPv4 host. Use of this address restricts
communication to the local subnet, and it is
generally used when other suitable addresses are not
available.
• Unique local unicast addresses: These are the
equivalent of IPv4 private address spaces, such as
10.0.0.0/8. All unique local unicast addresses have
the prefix FD00::/8.
• A global ID uses the next 40 bits. The global ID is
an identifier that uniquely represents an
organization. Randomly generate this ID to maximize
uniqueness between organizations. This is useful
when two organizations merge.
• When you use unique global IDs, routing occurs
between organizations without network
reconfiguration. You use the next 16 bits within the
organization to generate subnets for routing between
and within locations. The allocated 16 bits allow an
organization to create up to 65,536 subnets for
internal use.
• Multicast: An IPv6 multicast address is equivalent to
an IPv4 multicast address. You use this for
one-to-many communication between computers that you
define as using the same multicast address.
• Anycast: An anycast address is an IPv6 unicast address
that is assigned to multiple computers. When IPv6
addresses communication to an anycast address, only the
closest host responds. You typically use this for
locating services or the nearest router.
In IPv4, you typically assign a single host a single
unicast address. However, in IPv6, you can assign multiple
unicast addresses to each host. To verify communication
processes on a network, know what IPv6 uses each of
these addresses for.

Interface Identifiers
The last 64-bits of an IPv6 address are the interface
identifier. This is equivalent to the host ID in an IPv4
address. Each interface on an IPv6 network must have a
unique interface identifier. Because the interface
identifier is unique to each interface, IPv6 uses the
Interface Identifier rather than media access control
(MAC) addresses to identify hosts uniquely.
Within the Windows 7 environment, Windows Server 2008 uses
Extended Unique Identifier (EUI)-64 addresses, which
the Institute of Electrical and Electronics Engineers,
Inc. (IEEE) defines. Gigabit adapters use an EUI-64
address in place of a MAC address. Network adapters using
a MAC address generate an EUI-64 address by padding the
48-bit MAC address with additional information.

To preserve privacy in network communication, generate an
interface identifier rather than using the network
adapter’s hardware address. To assign an interface
identifier, IPv6 hosts can use the following:
• A randomly generated temporary identifier
• A randomly generated permanent identifier
• A manually assigned identifier

Windows 7 uses randomly generated permanent interface
identifiers by default, but this can be disabled with the
netsh tool.
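As an added example, not part of the course, the following Python code ties the two preceding topics together: it classifies an address into the types listed under IPv6 Address Types, splits a global unicast address into the 48-bit public topology, 16-bit site topology and 64-bit interface identifier, and pads a 48-bit MAC address into the EUI-64 interface identifier. The MAC address 00-AA-00-28-9C-5A in the comments is constructed; it happens to produce the interface identifier 02AA:00FF:FE28:9C5A seen in this module's example address.

```python
# Added example, not from the course: address-type classification, the
# public/site topology split and EUI-64 derivation. The MAC address used in
# the comments is constructed for the example.
import ipaddress

UNIQUE_LOCAL = ipaddress.IPv6Network("FC00::/7")   # FD00::/8 is the assigned half
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")


def classify(text):
    """Name the address type the text describes for one IPv6 address.
    Anycast cannot be told from unicast by inspection, so it is never
    reported. A trailing '/prefix' is ignored."""
    addr = ipaddress.IPv6Address(text.split("/")[0])
    if addr.is_loopback:
        return "loopback"
    if addr.is_multicast:            # FF00::/8
        return "multicast"
    if addr.is_link_local:           # FE80::/10, never forwarded by routers
        return "link-local unicast"
    if addr in UNIQUE_LOCAL:
        return "unique local unicast"
    if addr in GLOBAL_UNICAST:
        return "global unicast"
    return "other"


def global_unicast_parts(text):
    """Split a global unicast address into the 48-bit public topology, the
    16-bit site topology (subnet ID) and the 64-bit interface identifier."""
    if classify(text) != "global unicast":
        raise ValueError("not a global unicast address: %s" % text)
    value = int(ipaddress.IPv6Address(text.split("/")[0]))
    return {
        "public_topology": value >> 80,
        "site_topology": (value >> 64) & 0xFFFF,
        "interface_id": value & ((1 << 64) - 1),
    }


def eui64_from_mac(mac):
    """Pad a 48-bit MAC address to a modified EUI-64 interface identifier:
    insert FF FE between the two halves of the MAC and flip the
    universal/local bit (0x02 in the first byte). Returns 8 bytes.
    Example (constructed): 00-AA-00-28-9C-5A -> 02AA:00FF:FE28:9C5A."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def link_local_from_mac(mac):
    """Combine the FE80::/64 prefix with the EUI-64 identifier; this is the
    address a host would form if it did not randomise the identifier."""
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))
```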

Demonstration: Configuring an IPv6 Address

In this demonstration, you will see how to configure an
IPv6 address manually.
1. Log on to the LON-CL1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Accessories,


and then click Command Prompt.
3. At the command prompt, type “ipconfig /all”, and then
press ENTER. This displays all network connections for
the computer. Notice that a link-local IPv6 address has
been assigned.
4. Close the command prompt.
5. Click Start and then click Control Panel.
6. Under Network and Internet, click View network status
and tasks.
7. In Network and Sharing Center, to the right of the
Contoso.com Domain network, click Local Area Connection
3.
8. In the Local Area Connection 3 Status window, click
Details. This window shows the same configuration
information for this adapter as the ipconfig command.
9. In the Network Connection Details window, click Close.
10. In the Local Area Connection 3 Status window, click
Properties. This window allows you to configure
protocols.
11. Click Internet Protocol Version 6 (TCP/IPv6) and
then click Properties. You can configure the IPv6
address, subnet prefix length, default gateway and DNS
servers in this window.
12. Click Use the following IPv6 address and enter the
following:
• IPv6 address:
2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A
• Subnet prefix length: 64
13. Click Advanced. The Advanced TCP/IP Settings window
allows you to configure additional settings such as
additional IP addresses and DNS settings.
14. In the Advanced TCP/IP Settings window, click
Cancel.
15. In the Internet Protocol Version 6 (TCP/IPv6)
Properties window, click OK.
16. In the Local Area Connection 3 Properties window,
click Close.
17. In the Local Area Connection 3 Status window, click
Details. Verify that the new IPv6 address has been
added.
18. Close all open windows.

Question: Should you typically manually assign IPv6
addresses to a computer?

Answer: IPv6 is designed so that in most circumstances it
should be configured dynamically. Link-local addresses
allow communication on the same IPv6 network without any
configuration. However, to control access to resources
based on IPv6 addresses, you may need to assign a static
IPv6 address.

Lesson 3
Implementing Automatic IP Address Allocation

Windows 7 enables both the IPv4 and IPv6 protocols to
obtain configuration automatically. This means you can
deploy IP-based computers running Windows 7 efficiently.

Automatic IPv4 Configuration Process

As a Windows 7 Technology Specialist, you must know how to
assign static IP addresses manually and be able to support
computers that use DHCP to assign IP addresses
dynamically.

Static Configuration
You can configure static IPv4 configuration manually for
each of your network’s computers. IPv4 configuration
includes the following:
• IPv4 address
• Subnet mask
• Default gateway
• DNS server
Static configuration requires that you visit each computer
and input the IPv4 configuration. This method of computer
management is time-consuming if your network has more than
20 users. Additionally, making a large number of manual
configurations heightens the risk of mistakes.

DHCPv4
DHCPv4 enables you to assign automatic IPv4 configurations
for large numbers of computers without having to assign
each one individually. The DHCP service receives requests
for IPv4 configuration from computers that you configure
to obtain an IPv4 address automatically. It also assigns
IPv4 information from scopes that you define for each of
your network’s subnets. The DHCP service identifies the
subnet from which the request originated, and assigns IP
configuration from the relevant scope.
DHCP helps simplify the IP configuration process, but you
must be aware that if you use DHCP to assign IPv4
information and the service is business-critical, you must
do the following:
• Include resilience into your DHCP service design so
that the failure of a single server does not prevent
the service from functioning.
• Configure the scopes on the DHCP server carefully. If
you make a mistake, it can affect the whole network and
prevent communication.

IPv4 Alternate Configuration


If you use a laptop to connect to multiple networks, such
as at work and at home, each network may require a
different IP configuration. Windows 7 supports the use of
APIPA and an alternate static IP address for this
situation.
When you configure Windows 7 computers to obtain an IPv4
address from DHCP, use the Alternate Configuration tab to
control the behavior if a DHCP server is not available. By
default, Windows 7 uses APIPA to assign itself an IP
address automatically from the 169.254.0.0 to
169.254.255.255 address range. This enables you to use a
DHCP server at work and the APIPA address range at home
without reconfiguring IP settings. Additionally, this is
useful for troubleshooting DHCP. If the computer has an
address from the APIPA range, it is an indication that the
computer cannot communicate with a DHCP server.

Automatic IPv6 Configuration

In addition to IPv4 automatic IP addressing, you must also
understand how IPv6 addresses are dynamically assigned.

IPv6 Address Auto-configuration


Auto-configuration is a method of assigning an IPv6
address to an interface automatically. Auto-configuration
can be stateful or stateless. DHCPv6 performs stateful
auto-configuration while router advertisements perform
stateless configuration.
A stateful address is so called because this address is
assigned from a service on a server or other device, which
records the assigned address. The service that allocated
the address to the client manages the stateful address.
Stateless addresses are configured by the client and are
not maintained by a service. The record of the address
assignment is not maintained.

The first step in auto-configuration generates a
link-local address with which the host communicates with
other hosts on the local network. This communication is
necessary to perform further auto-configuration tasks.
1. When the host generates the link-local address, the
host also performs duplicate address detection to
ensure that it is unique.
2. An IPv6 host will send up to three router solicitations
on each interface to obtain IPv6 configuration
information. The configuration process that IPv6 uses
varies depending on the response it receives to router
solicitations:
• If IPv6 receives no router advertisement, it uses
DHCPv6 to configure the interface.
• If IPv6 receives a router advertisement with the
autonomous flag on, then the client uses stateless
auto-configuration, and obtains the routing prefix
from the router.
• If IPv6 receives a router advertisement with the
managed address configuration flag on, then it uses
DHCPv6 to obtain an IPv6 address.
• If IPv6 receives a router advertisement with the
managed address configuration flag off and the other
stateful configuration flag on, it obtains
additional IPv6 configuration options from DHCPv6.
However, it obtains the IPv6 address by using
stateless configuration.
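The following Python code is an added example, not from the course, that models step 2 above: up to three router solicitations, the decision driven by the autonomous (A), managed (M) and other (O) flags, and the stateless address formed from the advertised prefix. The RouterAdvertisement class, the returned labels and the prefix 2001:DB8:1:2::/64 are assumptions made for this example.

```python
# Added example, not from the course: models the auto-configuration decision
# listed above. RouterAdvertisement, the returned labels and the prefix
# 2001:DB8:1:2::/64 are assumptions made for this example.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence

MAX_SOLICITATIONS = 3    # the text: up to three router solicitations per interface


@dataclass
class RouterAdvertisement:
    prefix: str                # advertised prefix, e.g. "2001:DB8:1:2::/64"
    autonomous: bool = False   # A flag: host may form an address from prefix
    managed: bool = False      # M flag: obtain addresses from DHCPv6
    other: bool = False        # O flag: obtain other options from DHCPv6


def solicit(responses: Sequence[Optional[RouterAdvertisement]]):
    """Send up to three router solicitations. `responses` lists what arrives
    after each one (None = no advertisement); the first RA wins, and after
    three unanswered solicitations the host gives up (returns None)."""
    for ra in list(responses)[:MAX_SOLICITATIONS]:
        if ra is not None:
            return ra
    return None


def choose_configuration(ra: Optional[RouterAdvertisement]):
    """Return (address_source, options_source) as the text describes."""
    if ra is None:
        return ("dhcpv6", "dhcpv6")      # no RA: DHCPv6 configures the interface
    if ra.managed:
        return ("dhcpv6", "dhcpv6")      # M on: stateful, address from DHCPv6
    # M off: the address comes from the prefix when A is on. The text does not
    # cover A off with M off; a host then forms no address from this prefix
    # and keeps only its link-local address (RFC 4862 behaviour).
    address = "stateless" if ra.autonomous else "link-local only"
    options = "dhcpv6" if ra.other else "router"   # O on: options from DHCPv6
    return (address, options)


def stateless_address(prefix, interface_id):
    """Form the stateless address: advertised /64 prefix + 64-bit interface
    identifier (EUI-64 derived or random)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless auto-configuration needs a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | interface_id))


def configure_interface(responses, interface_id):
    """Run the whole step 2: solicit, decide, and form the address if the
    decision is stateless. Returns a dict describing the outcome."""
    ra = solicit(responses)
    address_source, options_source = choose_configuration(ra)
    result = {"address_source": address_source, "options_source": options_source}
    if address_source == "stateless":
        result["address"] = stateless_address(ra.prefix, interface_id)
    return result
```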

DHCPv6
DHCPv6 is a service that provides stateful auto-
configuration of IPv6 hosts. It can configure IPv6 hosts
automatically with an IPv6 address and other configuration
information such as DNS servers. This is equivalent to
DHCPv4 for IPv4 networks.
When a host obtains an IPv6 address from a DHCPv6 server,
the following occurs:
• The client sends a Solicit message to locate DHCPv6
servers.
• The server sends an Advertise message to indicate that
it offers IPv6 addresses and configuration options.
• The client sends a Request message to a specific DHCPv6
server to request configuration information.
• The selected server sends a Reply message to the client
that contains the address and configuration settings.
• When a client requests configuration information only,
the following occurs:
• The client sends an Information-request message.
• A DHCPv6 server sends a Reply message to the client
with the requested configuration settings.

Note: On large networks, you can use DHCPv6 relay agents instead of placing a DHCP
server on each subnet.

Demonstration: Configuring a Computer to Obtain an IPv4
Address Dynamically

In this demonstration, you will see how to configure a
computer to obtain an IPv4 address dynamically.
1. Log on to the LON-CL1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Accessories,


and then click Command Prompt.
3. At the command prompt, type “ipconfig /all”, and then
press ENTER. This displays all network connections for
the computer.
4. Close the command prompt.
5. Click Start and then click Control Panel.
6. Under Network and Internet, click View network status
and tasks.
7. In Network and Sharing Center, to the right of the
Contoso.com Domain network, click Local Area Connection
3.
8. In the Local Area Connection 3 Status window, click
Properties. This window allows you to configure
protocols.
9. Click Internet Protocol Version 4 (TCP/IPv4) and then
click Properties.
10. Click Obtain an IP address automatically. Notice
that the Alternate Configuration tab becomes available
when you do this.
11. Click Obtain DNS server address automatically.
12. Click the Alternate Configuration tab. Configuration
information on this tab is used when no DHCP server is
available.
13. Click OK to save the changes.
14. In the Local Area Connection 3 Properties window,
click Close.
15. In the Local Area Connection 3 Status window, click
Details. Notice that DHCP is enabled and the IP address
of the DHCP server is displayed.
16. Close all open windows.

Troubleshooting Client-Side DHCP Issues

The IPConfig tool is the primary client-side DHCP
troubleshooting tool.

Using IPConfig
If the computer is experiencing connectivity problems, you
can use IPConfig to determine the computer’s IP address.
If the address is in the range 169.254.0.1 to
169.254.255.254, the computer is using an APIPA address.
This might indicate a DHCP-related problem. From the
client computer, open an elevated command prompt, and then
use the IPConfig options in the table below to diagnose
the problem.

Option    Description
/all      Displays all IP address configuration information.
          If the computer uses DHCP, verify the DHCP Server
          option in the output. This indicates the server from
          which the client is attempting to obtain an address.
          Also, verify the Lease Obtained and Lease Expires
          values to determine when the client last obtained an
          address.
/release  Releases the IP address. It is sometimes necessary
          to force the computer to release an IP address.
/renew    Forces the client computer to renew its DHCP lease.
          This is useful when you think that the DHCP-related
          issue is resolved, and you want to obtain a new lease
          without restarting the computer.
/release6 The IPv6 version of the /release command.
/renew6   The IPv6 version of the /renew command.

Note: You can use the IPConfig /release6 and /renew6 options to perform these same
tasks on IPv6-configured computers.
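The following Python code is an added example, not from the course, that parses ipconfig /all output into per-adapter settings and applies the checks from the table above (APIPA range, DHCP Server, Lease Obtained and Lease Expires). The ipconfig output embedded in it is constructed for the example, not captured from LON-CL1.

```python
# Added example, not from the course: parse "ipconfig /all" output and apply
# the client-side DHCP checks from the table. SAMPLE_IPCONFIG is constructed
# for this example (two adapters: one with a DHCP lease, one on APIPA).
import ipaddress
import re

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LON-CL1
   Primary Dns Suffix  . . . . . . . : Contoso.com

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : Contoso.com
   Physical Address. . . . . . . . . : 00-AA-00-28-9C-5A
   DHCP Enabled. . . . . . . . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2aa:ff:fe28:9c5a%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.0.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Monday, November 09, 2009 9:03:12 AM
   Lease Expires . . . . . . . . . . : Tuesday, November 17, 2009 9:03:12 AM
   Default Gateway . . . . . . . . . : 10.10.0.1
   DHCP Server . . . . . . . . . . . : 10.10.0.10
   DNS Servers . . . . . . . . . . . : 10.10.0.10
                                       10.10.0.11

Ethernet adapter Local Area Connection 4:

   Physical Address. . . . . . . . . : 00-AA-00-28-9C-5B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.16.17(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""

# "   Setting name . . . . : value": the key must be followed by at least one
# dot of padding, so an indented continuation value never looks like a key.
SETTING = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 \-]*?)[ .]*\.[ .]*:\s*(.*)$")
APIPA = ipaddress.IPv4Network("169.254.0.0/16")


def parse_ipconfig(text):
    """Return {section: {setting: [values]}}; a value wrapped onto its own
    indented line (extra DNS servers) is appended to the previous setting."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # adapter / global header
            current = line.strip().rstrip(":")
            sections[current] = {}
            last_key = None
            continue
        m = SETTING.match(line)
        if m:
            last_key = m.group(1).strip()
            sections[current].setdefault(last_key, [])
            if m.group(2).strip():
                sections[current][last_key].append(m.group(2).strip())
        elif last_key is not None:
            sections[current][last_key].append(line.strip())
    return sections


def first_ipv4(adapter):
    """The adapter's IPv4 address, whether leased or self-assigned (APIPA)."""
    for key in ("IPv4 Address", "Autoconfiguration IPv4 Address"):
        for value in adapter.get(key, []):
            return ipaddress.IPv4Address(value.split("(")[0])
    return None


def diagnose_dhcp(adapter):
    """Apply the checks from the table; returns (verdict, detail)."""
    ip = first_ipv4(adapter)
    dhcp_enabled = adapter.get("DHCP Enabled", ["No"])[0] == "Yes"
    if ip is None:
        return ("no-ipv4", "adapter has no IPv4 address")
    if ip in APIPA:
        return ("apipa", "%s is in 169.254.0.0/16: the client could not reach a "
                "DHCP server; check the DHCP service and try /release then /renew" % ip)
    if dhcp_enabled and not adapter.get("DHCP Server"):
        return ("no-dhcp-server", "DHCP is enabled but no DHCP Server is recorded")
    if dhcp_enabled:
        return ("dhcp-ok", "lease from %s obtained %s, expires %s" % (
            adapter["DHCP Server"][0],
            adapter.get("Lease Obtained", ["?"])[0],
            adapter.get("Lease Expires", ["?"])[0]))
    return ("static", "%s is statically configured" % ip)
```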

Lesson 4
Troubleshooting Network Issues

The tools and utilities included in this lesson help IT
professionals better manage computers and troubleshoot
problems, enabling them to keep users productive while
working to reduce costs, maintain compliance, and improve
operational efficiency.

Tools for Troubleshooting Networks

Windows 7 includes a number of utilities that help you to
diagnose network problems. These tools include:
• Event Viewer
• Windows Network Diagnostics
• IPConfig
• Ping
• Tracert
• NSlookup
• Pathping
• Unified Tracing

Event Viewer
Event logs are files that record significant events on a
computer, such as when a process encounters an error. IP
conflicts will be reflected in the System log and might
prevent services from starting. When these events occur,
Windows records the event in an appropriate event log. You
can use Event Viewer to read the log. When you
troubleshoot errors on Windows 7, view the events in the
event logs to determine the cause of the problem.
Event Viewer enables you to access the Application,
Security, Setup, and System logs under the Windows Logs
node. When you select a log and then select an event, a
preview pane under the event list contains details of the
specified event. To help diagnose network problems, look
for errors or warnings in the System log related to
network services.

Windows Network Diagnostics


Use Windows Network Diagnostics to diagnose and correct
networking problems. In the event of a Windows 7
networking problem, the Diagnose Connection Problems
option helps diagnose and repair the problem. A possible
description of the problem and a potential remedy are
presented. The solution may need manual intervention from
the user.

IPConfig
IPConfig displays the current TCP/IP network
configuration. Additionally, you can use IPConfig to
refresh DHCP and DNS settings as discussed in the previous
topic. For example you might need to flush the DNS cache.

Ping
Ping verifies IP-level connectivity to another TCP/IP
computer. Ping sends Internet Control Message Protocol
(ICMP) Echo Request messages and displays the receipt of
corresponding Echo Reply messages. Ping is the primary
TCP/IP command used to troubleshoot connectivity.
However, firewalls might block the ICMP requests.

Tracert
Tracert determines the path taken to a destination
computer by sending ICMP Echo Requests. The path displayed
is the list of router interfaces between a source and a
destination. This tool also determines which router has
failed and what the latency (speed) is. These results may
not be accurate if the router is busy, as the packets are
assigned a low priority by the router.

Pathping
Pathping traces a route through the network in a manner
similar to Tracert. However, Pathping provides more
detailed statistics on the individual steps, or hops,
through the network. Pathping can provide greater detail
because it sends 100 packets per router which enables it
to establish trends. Tracert only sends packets at a time.

NSlookup
NSlookup displays information that you can use to diagnose
the DNS infrastructure. You can use NSlookup to confirm
connection to the DNS server and that the required records
exist.

Unified Tracing
The unified tracing feature is intended to help you
simplify the process of gathering relevant data to assist
in troubleshooting and debugging network connectivity
problems. Data is collected across all layers of the
networking stack and grouped into activities across the
following individual components:
• Configuration information
• State information
• Event or Trace Logs
• Network traffic packets

Process for Troubleshooting Networks

If you experience network connectivity problems while
using Windows 7, use Windows Network Diagnostics to start
the troubleshooting process. If Windows Network
Diagnostics cannot resolve the problem, follow a
troubleshooting process using the available Windows 7
tools consisting of the following steps:
1. Consult Windows Network Diagnostics.
2. Use IPConfig to check local IP configuration.
3. Use Ping to diagnose two-way communication with a
remote system.
4. Use Tracert to identify each hop, or router, between
two systems.
5. Use NSlookup to verify DNS configuration.


General Network Diagnostics

When Windows 7 encounters a network-connection problem,
use Windows Network Diagnostics to perform diagnostic
procedures. Windows Network Diagnostics analyzes the
problem and, if possible, presents a solution or a list of
possible causes.
Windows Network Diagnostics either completes the solution
automatically or requires that the user perform steps to
resolve the problem. These steps may require the user to
complete several configuration changes to the computer. In
many cases, this capability may resolve network problems
without the user requiring additional support.
If Windows Network Diagnostics cannot fix the problem, you
may need to use additional diagnostic tools.

Checking Local IP Configuration


You can use IPConfig with the /all switch to display the
computer’s IP configuration. Study the configuration
carefully and remember the following:
• If the IP address is invalid, transmission can fail.
• If the subnet mask is incorrect, the computer has an
incorrect Network ID, and therefore, transmission
fails, especially to remote subnets.
• If the default gateway is incorrect or missing, the
computer cannot transmit data with remote subnets.
• If the DNS server is incorrect or missing, the computer
might not be able to resolve names and communication
can fail.

Diagnosing Two-Way Communication with Remote Systems

The Ping utility confirms two-way communication between
two computers. This means that if the Ping utility fails,
the local computer’s configuration may not be the cause of
the problem. Use Ping to ensure transmission using a
logical process, such as:
1. Ping the remote computer.
2. Ping the local gateway.
3. Ping the local IP address.
4. Ping the loopback address 127.0.0.1.
When using the Ping utility, remember:
• You can Ping both the name and the computer’s IP
address.
• If you successfully Ping the IP address, but not the
name, name resolution is failing.
• If you successfully Ping the computer name, but the
response does not resolve the FQDN, resolution has
not used DNS. This means a process such as broadcasts
or WINS has been used to resolve the name, and
applications that require DNS may fail.
• “Request Timed Out” indicates that there is a known
route to the destination computer, but one or more
computers or routers along the path, including the
source and destination, are not configured correctly.
• “Destination Host Unreachable” indicates that the
system cannot find a route to the destination system,
and therefore does not know where to transmit the
packet on the next hop.
• Ping can be blocked by a firewall on the network or on
a Windows computer.
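The following Python code is an added example, not from the course, that reads the output of the ping runs described above and applies the rules in this list: reachable or not, "Request timed out" versus "Destination host unreachable", name-lookup failure, and whether the echoed name is a FQDN (DNS used) or a bare name (broadcast or WINS used). All ping output embedded in it is constructed for the example.

```python
# Added example, not from the course: classify ping output with the rules
# given above. All ping output below is constructed for the example.
import re

PING_BY_IP = """Pinging 10.10.0.10 with 32 bytes of data:
Reply from 10.10.0.10: bytes=32 time<1ms TTL=128
Reply from 10.10.0.10: bytes=32 time<1ms TTL=128"""

PING_BY_FQDN = """Pinging LON-DC1.Contoso.com [10.10.0.10] with 32 bytes of data:
Reply from 10.10.0.10: bytes=32 time<1ms TTL=128"""

# Same short name pinged, but the echoed name has no domain suffix: the name
# was resolved without DNS (broadcast or WINS).
PING_BY_NETBIOS = """Pinging LON-DC1 [10.10.0.10] with 32 bytes of data:
Reply from 10.10.0.10: bytes=32 time<1ms TTL=128"""

PING_NO_HOST = "Ping request could not find host LON-DC1. Please check the name and try again."

PING_TIMEOUT = """Pinging 10.10.0.99 with 32 bytes of data:
Request timed out.
Request timed out."""

PING_UNREACHABLE = """Pinging 192.168.5.1 with 32 bytes of data:
Reply from 10.10.0.50: Destination host unreachable."""

# "Pinging <name-or-ip> [<ip>] with 32 bytes of data:"; the bracketed part is
# present only when a name was resolved.
PINGING = re.compile(r"^Pinging (\S+?)(?: \[([0-9.]+)\])? with \d+ bytes of data:")


def interpret_ping(output):
    """Return {'status', 'target', 'fqdn'} for one ping run. 'fqdn' is set only
    when a name was pinged: True if the echoed name carries a domain suffix."""
    lines = [ln.strip() for ln in output.strip().splitlines() if ln.strip()]
    result = {"status": "unknown", "target": None, "fqdn": None}
    if not lines:
        return result
    if lines[0].startswith("Ping request could not find host"):
        result["status"] = "name-resolution-failed"
        return result
    m = PINGING.match(lines[0])
    if m:
        result["target"] = m.group(1)
        if m.group(2) is not None:          # a name was resolved to this address
            result["fqdn"] = "." in m.group(1)
    replies = lines[1:]
    if any(ln.startswith("Reply from") and "bytes=" in ln for ln in replies):
        result["status"] = "reachable"
    elif any("Destination host unreachable" in ln for ln in replies):
        result["status"] = "no-route"       # no route: the sender cannot pick a next hop
    elif any(ln.startswith("Request timed out") for ln in replies):
        result["status"] = "timed-out"      # route known, something on the path drops it
    return result


def diagnose_ping(ip_output, name_output):
    """Combine a ping by IP address with a ping by name, as the list above
    recommends, and return a one-line finding."""
    by_ip, by_name = interpret_ping(ip_output), interpret_ping(name_output)
    if by_ip["status"] != "reachable":
        return ("no IP-level connectivity (%s); check local configuration, "
                "gateway and firewalls before looking at names" % by_ip["status"])
    if by_name["status"] != "reachable":
        return "IP reachable but name fails: name resolution is failing"
    if by_name["fqdn"] is False:
        return ("name resolved without DNS (broadcast or WINS); "
                "applications that require DNS may fail")
    return "reachable by IP address and by DNS name"
```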

Identify Each Hop between Two Systems


You can use Tracert to identify each hop between the
source and destination systems. If communication fails,
use Tracert to identify how many hops are successful and
at which hop system communication fails.

Verify DNS Configuration


NSlookup enables you to ensure that the DNS server is
available and contains a record for the computer with
which you are attempting to transmit data. This
functionality is vital because even if the computer is
available, if DNS is not working correctly, you might not
be able to transmit using names. If you suspect that name
resolution is the problem, add an entry to the hosts file,
and then retest name resolution. You must purge the
host-name resolution cache by using ipconfig /flushdns
before rerunning the name resolution test.

Demonstration: Troubleshooting Common Network Related
Problems

In this demonstration, you will see how to resolve common
network related problems.
1. Log on to the LON-CL1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Accessories,


and then click Command Prompt.
3. At the command prompt, type “ipconfig /all”, and then
press ENTER. This displays all network connections for
the computer. This shows all network adapter
configuration information.
4. At the command prompt, type “ipconfig /displaydns” and
then press ENTER. This displays the contents of the DNS
cache.
5. At the command prompt, type “ipconfig /flushdns” and
then press ENTER. This clears the contents of the DNS
cache.
6. At the command prompt, type “ping 127.0.0.1” and then
press ENTER. This pings the local host.
7. At the command prompt, type “ping 10.10.0.10” and then
press ENTER. This verifies connectivity to LON-DC1 by
using an IPv4 address.
8. At the command prompt, type “ping LON-DC1” and then
press ENTER. This verifies connectivity to LON-DC1 by
using a host name.
9. At the command prompt, type “nslookup -d1 LON-DC1” and
then press ENTER. This provides detailed information
about the host name resolution. You can use the -d2
option for even more detail.
10. Close the command prompt.

Question: How is the ping command useful for
troubleshooting?

Answer: The ping command can be used to verify
connectivity between hosts. However, you should be aware
that firewalls can block ping packets but still allow the
packets for other applications. If you obtain a response
to a ping attempt, the host is definitely running.
However, if you do not obtain a response to a ping attempt,
the host may still be functional.

Module Review and Takeaways

Review Questions
1. After booting her computer Amy notices that she is
unable to access her normal Enterprise Resources. What
tool can she use to determine if she has a valid IP
address?
2. When transmitting Accounts Receivable updates to the
billing partner in China, Amy notices that the files
are being transmitted very slowly. What tool can she
use to determine the network path and latency of the
network?
3. Amy notices that she cannot access normal Enterprise
websites. She knows that she has a valid IP address
but wants to troubleshoot the DNS access of her
computer. What tool should she use?
4. What is the IPv6 equivalent of an IPv4 APIPA address?
5. You are troubleshooting a network-related problem and
you suspect a name resolution issue. Before conducting
tests, you want to purge the DNS resolver cache. How do
you do that?
6. You are troubleshooting a network-related problem. The
IP address of the host you are troubleshooting is
169.254.16.17. What is a possible cause of the problem?

Review Answers
1. Run IPConfig /All or Ping your domain controller’s IP
address.
2. Use Windows Diagnostics to identify the problem or use
Pathping.exe to check for latency.
3. Use NSLookup.exe to troubleshoot DNS access issues.
4. IPv6 link-local addresses.
5. Use IPConfig /flushdns to clear the DNS Resolver
Cache.
6. The DHCP server is unavailable to the host.

Common Issues related to network connectivity

Issue                                        Troubleshooting tip
Windows 7 host cannot connect to a           Use Windows Diagnostics to identify the
SharePoint site                              problem
Windows 7 host cannot access the             Use the IPConfig tool to view, renew or
database server                              release an IP address
Windows 7 host cannot connect to             Use Ping to test the connectivity to the DNS
the internet                                 server
DNS server is not resolving FQDNs            Use the flushdns option with IPConfig
correctly

Tools
You can use the following tools to troubleshoot network
connectivity issues.

Tool          Description
Netsh.exe     A command that you can use to configure network
              properties from the command line.
Pathping.exe  A command-line tool that combines the functionality of
              Ping and Tracert, and that you can use to troubleshoot
              network latency and provide information about path
              data.
Nslookup.exe  A command-line tool that you can use to test and
              troubleshoot DNS and name resolution issues.
IPConfig.exe  A general IP configuration and troubleshooting tool.
Ping.exe      A basic command-line tool that you can use for
              verifying IP connectivity.
Tracert.exe   Similar to Pathping, which provides information about
              network routes.

Module 5
Configuring Wireless Network Connections
Contents:
Lesson 1: Overview of Wireless Networks 5-3
Lesson 2: Configuring a Wireless Network 5-13

Module Overview

The definition of a wireless network is very broad. It can refer to any type of wireless
devices that are interconnected between nodes without the use of wires or cables.
The wireless network discussed in this module refers to a wireless local area network
(wireless LAN), which is a type of wireless network that uses radio waves instead of
cables to transmit and receive data between computers. A wireless network enables you
to access network resources from a computer that is not physically attached to the
network by cables.
Wireless network technologies have grown tremendously over the past few years. The
security and speed of wireless networks have become very reliable, such that more and
more organizations prefer the use of wireless networks over the traditional wired
networks. Windows® 7 provides a simple, intuitive, and straightforward user interface
for connecting to wireless networks.

Lesson 1
Overview of Wireless Networks

More and more organizations prefer wireless networks over the traditional wired
networks. A wireless network gives users flexibility and mobility around the office.
Users can have internal meetings or presentations while maintaining connectivity and
productivity. With a wireless network, you can create a public network that enables
your guests to have an Internet connection without creating security issues for your
corporate network. Wireless network technologies have evolved tremendously over
the years. Many mobile computers have built-in wireless network adapters, and
numerous hardware devices support wireless networks with high stability and
reliability.

What is a Wireless Network?



A wireless network is a network of interconnected devices that are connected by radio
signals, instead of wires or cables. The majority of large organizations, and a
significant percentage of small-businesses and homes, use wireless networks. By using
a wireless network, computers can connect to the network without a physical
connection.

Advantages and Disadvantages of Wireless Networks


Wireless networking provides the following benefits:
• Extends or replaces a wired infrastructure in situations where it is costly,
inconvenient, or impossible to lay cables. The wiring-free aspect of wireless LAN
networking is also very attractive to homeowners who want to connect the various
computers in their home without having to drill holes and pull network cables
through walls and ceilings.
• Increases productivity for mobile employees. A wireless network enables users to
work in various locations without having to disconnect and reconnect network
cables.
• Provides easy access to the Internet in public places. You can create a public network that gives your guests an Internet connection without exposing your corporate network.

Although wireless networks make roaming convenient and remove unsightly wires from your network, they also have disadvantages: they are subject to interference, and because anyone within radio range can receive and transmit frames, they pose security risks that cost time and money to mitigate.

Wireless Network Modes


A wireless network operates in one of two modes:
• Ad hoc mode: in an ad hoc network, a wireless network adapter connects directly to another wireless network adapter. This mode enables peer-to-peer communication, where computers and devices are connected directly to each other instead of to a router or a wireless access point (wireless AP). Ad hoc networks are generally used to temporarily share files, presentations, or an Internet connection among multiple computers and devices. To reach the Internet or another network, you must configure one of the peer computers as a router that connects to that network.
• Infrastructure mode: in this mode, wireless network adapters connect only to wireless APs (special radio bridges) that connect directly to the wired network. To build an infrastructure wireless network, you place wireless APs throughout your organization. Users connect their computers, including laptops, to the network by connecting to the nearest wireless AP. This is the mode commonly used in home and business environments.
Regardless of the operating mode, a Service Set Identifier (SSID), also known as the
wireless network name, identifies a specific wireless network by name. The SSID is
configured on the wireless AP for infrastructure mode or the initial wireless client for
ad hoc mode. The wireless AP or the initial wireless client periodically advertises the
SSID so that other wireless nodes can discover and join the wireless network.

Wireless Network Technologies



Researchers at the University of Hawaii developed the first wireless packet network prototype, ALOHAnet, in the early 1970s; its random-access design later influenced Ethernet. In 1999, the Institute of Electrical and Electronics Engineers (IEEE) released the 802.11b standard for communications across a shared wireless LAN (WLAN), which operates at 11 megabits per second (Mbps). The 802.11b standard was instrumental in elevating wireless networking from relative obscurity to widespread implementation.

Wireless Network Technology Standards


The following table summarizes the IEEE 802.11 standards for wireless network
technology:
Standard: 802.11a
  Advantages: fast speed; many simultaneous users; less prone to interference (it operates in the 5 GHz band)
  Disadvantages: expensive; short signal range; not compatible with 802.11b
  Remarks: not widely used, due to cost and limited range.

Standard: 802.11b
  Advantages: inexpensive; good signal range
  Disadvantages: slower speed; fewer simultaneous users; prone to interference
  Remarks: widely used, especially in public places such as airports and coffee shops.

Standard: 802.11g
  Advantages: fast speed; more simultaneous users; good signal range; compatible with 802.11b
  Disadvantages: prone to interference
  Remarks: gaining popularity due to its faster speed, backward compatibility and lower cost.

Standard: 802.11n
  Advantages: fastest speed; less prone to interference; compatible with 802.11a, b and g
  Disadvantages: costs more than 802.11g
  Remarks: gaining popularity, even though the standard was still under development when this course was written.

Note: 802.11n was a draft 802.11 standard when this course was written. It operates in both the 5 GHz and 2.4 GHz bands, which gives networks more scope to avoid interference with other wireless devices. Its maximum theoretical data rate is 600 Mbps, with a range of approximately 300 meters. The IEEE was not expected to finalize 802.11n until late 2009 (it was ratified in September 2009). Even so, more and more organizations had already begun migrating to 802.11n on the basis of the Draft 2 proposal.

Windows 7 provides built-in support for all 802.11 wireless networks, but the wireless components of Windows depend on the following:
• The capabilities of the wireless network adapter: the installed wireless network adapter must support the wireless network and wireless security standards that you require (for example, an adapter that supports only WEP and TKIP cannot join a WPA2 network that requires AES).
• The capabilities of the wireless network adapter driver: to enable you to configure wireless network options, the driver for the wireless network adapter must support reporting all of its capabilities to Windows.

Wireless Broadband
Wireless broadband (also called mobile broadband) is a wireless technology that provides high-speed Internet and data network access over a mobile provider's network. Its speed is comparable to wired broadband such as ADSL or cable modems. Wireless broadband is used mostly by organizations that want their employees to have constant connectivity to the Internet or the corporate network wherever they are. To connect to wireless broadband, you need a mobile broadband device (a wireless modem) and a subscription with a provider.
Windows 7 provides a driver-based model for mobile broadband devices. Earlier
versions of Windows require users of mobile broadband devices to install third-party
software, which is difficult for IT professionals to manage because each mobile
broadband device and provider has different software. Users also have to be trained to
use the software and must have administrative access to install it, preventing standard
users from easily adding a mobile broadband device. With Windows 7, users can
simply connect a mobile broadband device and immediately begin using it. The
interface in Windows 7 is the same regardless of the mobile broadband provider. You
can connect to a wireless broadband just as you connect to any other wireless network.
This reduces the need for training and management efforts.

Security Protocols for a Wireless Network



The sudden widespread implementation of wireless LANs preceded any real security
planning. Wireless devices create many opportunities for unauthorized users to access
private networks. Unlike the closed cabling system of an Ethernet network that can be
physically secured, wireless frames are sent as radio transmissions that propagate
beyond the physical confines of your office or home. Any computer within range of the
wireless network can receive wireless frames and send its own. Without protecting
your wireless network, malicious users can use your wireless network to access your
private information or launch attacks against your computers or other computers across
the Internet.
To protect your wireless network, you must configure authentication and encryption
options:
• Authentication requires that computers provide either valid account credentials
(such as a user name and password) or proof that they have been configured with
an authentication key before being allowed to send data frames on the wireless
network. Authentication prevents malicious users from joining your wireless
network.

• Encryption requires that the content of all wireless data frames be encrypted so
that only the receiver can interpret its contents. Encryption prevents malicious
users from capturing wireless frames sent on your wireless network and
determining sensitive data. Encryption also helps prevent malicious users from
sending valid frames and accessing your private resources or the Internet.
Wireless LAN supports the following security standards:

IEEE 802.11
The original IEEE 802.11 standard defined the open system and shared key authentication methods for authentication and Wired Equivalent Privacy (WEP) for encryption. WEP uses either 40-bit or 104-bit encryption keys (often marketed as 64-bit and 128-bit, counting the 24-bit initialization vector). However, the original IEEE 802.11 security design has proved to be weak and cumbersome for widespread public and private deployment. Because of its security flaws, the IEEE has declared WEP deprecated as it fails to meet its security goals; despite its weaknesses, WEP is still widely used.
To establish WEP encryption for shared key authentication, you must install the same secret key in each of your enterprise's wireless APs. You can do this individually or by using manufacturer-supplied management software. Then you must install that key in each client. There is no standard mechanism for distributing secret WEP keys to clients or wireless APs. Wireless APs automatically deny access to any client that does not have the correct secret key, which keeps unauthorized users out only for as long as the key stays secret.

Note: In shared-key authentication mode, the wireless AP and the client go through a challenge-response cycle, similar to NT LAN Manager (NTLM) authentication, which uses the WEP encryption key as the shared secret. Because the challenge is sent in clear text and the response is that same challenge encrypted with WEP, an eavesdropper obtains a plaintext/ciphertext pair, and therefore a WEP keystream, from every authentication. Shared key authentication is thus weaker than open system authentication combined with WEP encryption.

IEEE 802.1X
IEEE 802.1X is a port-based network access control standard that was originally developed for Ethernet switches and was adapted to wireless LANs to provide much stronger authentication than the original 802.11 standard. IEEE 802.1X authentication is designed for medium and large wireless LANs that contain an authentication infrastructure consisting of Remote Authentication Dial-In User Service (RADIUS) servers and account databases such as the Active Directory® directory service.
IEEE 802.1X prevents a wireless node from joining a wireless network until the node has authenticated successfully. IEEE 802.1X uses the Extensible Authentication Protocol (EAP). Wireless network authentication can be based on different EAP methods, such as those that use user name and password credentials (for example, PEAP-MSCHAPv2) or a digital certificate (EAP-TLS).
With 802.1X, Windows clients can perform computer authentication when they connect to the network and user authentication when a user logs on. If either authentication phase fails, the data-link layer access device (a wireless AP, bridge, or switch) will not forward packets to the network. This prevents an attacker from reaching the network layer or other network servers and clients.
You must ensure that the client, the data-link device, and the authentication server all support the 802.1X protocol. The data-link device, which could be a wireless AP or a switch, detects new clients, passes the authentication exchange through to an authentication server, and locks the client out if the authentication fails. The authentication server checks the client's credentials and reports the authentication status to the data-link device.

Note: In the Windows Server® 2008 operating system, the Network Policy and Access Services (NPAS) role enables secure wireless and wired solutions for which 802.1X enforcement is the basis. Network Policy Server (NPS), a component of NPAS, performs the role of the RADIUS server.

Wi-Fi Protected Access

Although 802.1X addresses the weak authentication of the original 802.11 standard, it provides no solution to the weaknesses of WEP. While the IEEE 802.11i wireless LAN security standard was being finalized, the Wi-Fi Alliance, an organization of wireless equipment vendors, created an interim standard known as Wi-Fi Protected Access (WPA). WPA replaces WEP with a stronger encryption method known as the Temporal Key Integrity Protocol (TKIP), which still uses the RC4 cipher but adds per-packet keys and a message integrity check. WPA also allows the optional use of the Advanced Encryption Standard (AES) for encryption.
WPA is available in two different modes:
• WPA-Enterprise: in the Enterprise mode, each user or computer authenticates through an 802.1X authentication server, and the server supplies unique per-session keys to each client. It is designed for medium and large infrastructure mode networks.
• WPA-Personal: in the Personal mode, a pre-shared key (PSK) is used for authentication, and you provide the same key to each user. It is designed for small office/home office (SOHO) infrastructure mode networks.

Wi-Fi Protected Access 2


The IEEE 802.11i standard formally replaces WEP and the other security features of the original IEEE 802.11 standard. Wi-Fi Protected Access 2 (WPA2) is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as compatible with the IEEE 802.11i standard. The goal of WPA2 certification is to support the additional mandatory security features of the IEEE 802.11i standard that are not already included in products that support WPA. In particular, WPA2 requires support for AES encryption (AES-CCMP), which is only optional under WPA; TKIP may still be offered for backward compatibility with WPA clients, but AES should be selected wherever all clients support it.
Similar to WPA, WPA2 is available in two different modes: WPA2-Enterprise and WPA2-Personal.
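As an added example that is not part of the course materials, the following PowerShell script audits the wireless profiles saved on a Windows 7 client and flags any that still rely on the weaker options described above (WEP, TKIP, open system or shared key). It drives the netsh wlan commands that Lesson 2 introduces and parses their English-language output, so the regular expressions are an assumption that holds only for an English Windows locale; netsh reports AES encryption under the cipher name CCMP.

```powershell
# Added example, not from the course: list the saved wireless profiles on
# this Windows 7 client and flag those that still use WEP, TKIP, open or
# shared-key security. Assumes an English Windows locale, because the text
# printed by netsh is parsed with regular expressions.

# The module's recommendation as a predicate: anything short of WPA/WPA2
# with AES (shown by netsh as CCMP) counts as weak.
function Test-WeakWlanSecurity {
    param([string]$Authentication, [string]$Cipher)
    if ($Authentication -match '^(Open|Shared)$') { return $true }   # no real authentication
    if ($Cipher -match '^(WEP|TKIP|None)')        { return $true }   # broken or deprecated cipher
    return $false
}

# Names of the saved profiles, taken from the "All User Profile : NAME"
# and "Current User Profile : NAME" lines.
function Get-WlanProfileNames {
    netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*(All User|Current User) Profile\s*:\s*(.+?)\s*$') { $Matches[2] }
    }
}

# Security settings of one profile, read from its "Authentication :" and
# "Cipher :" lines (the first occurrence of each).
function Get-WlanProfileSecurity {
    param([string]$Name)
    $auth = $null; $cipher = $null
    foreach ($line in (netsh wlan show profile name="$Name")) {
        if (-not $auth   -and $line -match '^\s*Authentication\s*:\s*(.+?)\s*$') { $auth   = $Matches[1] }
        if (-not $cipher -and $line -match '^\s*Cipher\s*:\s*(.+?)\s*$')         { $cipher = $Matches[1] }
    }
    New-Object PSObject -Property @{
        Profile        = $Name
        Authentication = $auth
        Cipher         = $cipher
        Weak           = (Test-WeakWlanSecurity -Authentication $auth -Cipher $cipher)
    }
}

$report = @(Get-WlanProfileNames | ForEach-Object { Get-WlanProfileSecurity -Name $_ })
$report | Sort-Object Weak -Descending |
    Format-Table Profile, Authentication, Cipher, Weak -AutoSize

# A saved profile makes the client probe for, and silently rejoin, that
# network. After reviewing the report, remove the weak ones:
# $report | Where-Object { $_.Weak } |
#     ForEach-Object { netsh wlan delete profile name="$($_.Profile)" }
```

Run the script as the user whose profiles you want to see; profiles imported for all users are listed for every account. The final deletion step is left commented out so that the report can be reviewed first.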



Securing Wireless Networks
A wireless AP broadcasts its SSID so that clients can find it, which also makes it easy for outsiders to discover. War driving is a technique whereby people outside your facility use wireless client hardware and software to discover any wireless APs that are broadcasting in the local area.
In addition to implementing authentication and encryption, you can also use the following methods to mitigate risks to your wireless network:
• Firewalls: you can address the wireless AP vulnerability by placing the wireless APs outside your network firewalls. You then can force valid users to authenticate with the firewall or use virtual private network (VPN) connections to reach the internal network. This does not prevent unauthorized users from exploiting the wireless APs for Internet access, but it does prevent them from reaching the internal network. Organizations commonly use this method to give visitors access to the Internet.
• Closed networks: some wireless APs support a closed network mode in which the wireless AP does not advertise its SSID. Users have to know the SSID to be able to connect to the wireless network. Disabling SSID broadcasting does not stop attackers: even though the SSID is not shown in a typical client, they can still detect the wireless signal and recover the SSID from the frames that legitimate clients send when they connect. It also has a side effect: clients configured to connect to a non-broadcast network must probe for it by name, so they disclose the SSID wherever they go.
• SSID spoofing: you can use special software that generates numerous wireless AP packets, which broadcast false SSIDs. This causes attackers to receive so many SSIDs that when they scan for a wireless network, they cannot easily separate the valid SSID from the false ones. Like a closed network, this is obscurity rather than protection, and it can confuse your own users as well.
• Media access control (MAC) address filtering: most wireless APs support MAC address restrictions. These restrictions limit the clients with which the wireless AP communicates by using their MAC address. This works well in smaller environments, but creates excessive administrative overhead in larger environments. Because MAC addresses are transmitted in clear text even on an encrypted network, an attacker can observe an allowed address and spoof it, so treat MAC filtering as a convenience rather than a security control.

Lesson 2
Configuring a Wireless Network

In an organization that has a wireless network, users may choose the wireless network as their main connection to network resources. You must understand how to create and connect to a wireless network from a Windows 7-based computer. You should also know how to improve the wireless signal strength for your users and how to troubleshoot common wireless connection problems. This troubleshooting process uses the network diagnostics included with Windows 7, and you should be familiar with them so that you can assist your users.

Configuring Hardware for Connecting to a Wireless Network



To configure a wireless network, you must have a wireless AP that physically connects to your network and a wireless network adapter in each client computer. You may have to set up the wireless network yourself or provide technical information to the team or person in your organization that deploys it.
A wireless AP uses radio waves to broadcast its SSID. Computers or other devices with a wireless network adapter can find and then connect to the wireless AP by using the SSID, which typically is a character string, for example 'OFFICE-AP' or 'HomeNetwork'.
To configure a wireless AP, you must enter its SSID and configure a valid TCP/IP address on your network. Typically, a wireless AP has an administration page that you can open in a web browser by using its default IP address; the default address differs between manufacturers. Some wireless APs can also be configured from a command prompt by using the telnet command-line tool. Note that both plain HTTP and telnet send the administrator credentials in clear text, so prefer HTTPS or SSH management where the device supports it, and change the default administrator password before you connect the wireless AP to the network.

Note: Most wireless APs have a default SSID. When implementing a wireless network, you should not use the default SSID. Instead, change the SSID to something unique, so that client computers that are configured to connect automatically do not conflict with other wireless APs that are still using their default SSID.

Configuring Client Computers


To connect to a wireless network, you attach a wireless network adapter to your
computer and install its driver. These adapters may be internal or external wireless
adapters. Many mobile computers have built-in adapters that can be enabled by using a
hardware switch. External adapters are typically attached through a USB or other
externally accessible hardware port.
After attaching the hardware and installing the appropriate hardware device driver, you
can use the following methods to configure a Windows 7-based client to connect to a
wireless network:
• Connect to a Network dialog box: this dialog box is available from many
locations in Windows 7, such as from the Control Panel. The Connect to a
Network dialog box enables you to see all wireless networks in your area to which
you can connect or disconnect from.
• Command line: the new netsh wlan commands in the netsh.exe tool enable you
to configure wireless networks and their settings manually.
• Group Policy: network administrators in an Active Directory directory service
environment can use Group Policy to configure and deploy wireless network
settings centrally to domain member computers. The Wireless Network Policies
Extension is a Group Policy extension that you can use to automate configuration
of Wireless Network Group Policy settings.

Wireless Network Settings



With Windows 7, connecting to a wireless network has never been easier. If the
Wireless Access Point (wireless AP) is configured to advertise its Service Set Identifier
(SSID), the Windows 7 client can detect the signal and automatically create a wireless
network profile and set the configuration to connect to the wireless network.
If you choose to add a wireless network manually, there are several settings that you
can configure in Windows 7 when creating a wireless network profile. You have to
configure these settings to match the wireless AP that you want to connect to.
The Manage Wireless Networks window is used to configure wireless network connections. It can be opened from the Network and Sharing Center, which in turn can be opened from Control Panel or from the network icon in the notification area (system tray). To view the settings of a wireless network, in the Manage Wireless Networks window, right-click the wireless network profile and then click Properties.

General Settings
The following settings are mandatory for every wireless network profile.
• SSID: every wireless network has an SSID. If you are configuring the wireless network profile manually, you must know the exact SSID of the wireless network that you want to connect to.


• Network Type: there are two options: Access point and Adhoc network. Select
Access point to connect to a wireless AP, which means configuring the wireless
network to operate as the infrastructure mode, and select Adhoc network to
connect to another wireless network adapter, which means configuring the wireless
network to operate as the Ad hoc mode.

Connection Settings
The following settings configure how the Windows 7 client connects to a wireless
network.
• Connect automatically when this network is in range: the computer tries to connect to this wireless network whenever it is in range.
• Connect to a more preferred network if available: if this is selected and several wireless networks are in range, the computer connects to whichever available network is higher in the preferred networks list instead of this one.
• Connect even if the network is not broadcasting its name (SSID): select this if the wireless AP is configured not to advertise its SSID. The computer will then send probe requests for this SSID whenever it is not connected, which reveals the network name to anyone listening.

Security Types
The following settings determine the type of authentication and encryption used to
connect to a wireless network.
• No authentication (open): typically, you select this security type when
connecting to a public wireless network. If you select this security type, two
options are available for the encryption type: None and WEP.
• Shared: select this security type if the wireless network is using a shared network
security key. If you select this security type, only WEP is available for the
encryption type.
• WPA (Personal and Enterprise): select this if the wireless network is using
WPA authentication. In the personal mode, you provide the same network security
key to each user. In the enterprise mode, an authentication server distributes an
individual key to the users. If you select this security type, two options are
available for the encryption type: TKIP and AES.
• WPA2 (Personal and Enterprise): select this if the wireless network is using
WPA2 authentication. It also has the Personal and Enterprise mode, as well as two
options for the encryption type: TKIP and AES.

• 802.1X: select this security type if your wireless network uses 802.1X authentication with dynamic WEP keys. If you select this security type, only WEP is available for the encryption type; for 802.1X with TKIP or AES, select WPA-Enterprise or WPA2-Enterprise instead.

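As an added example that is not part of the course, the following PowerShell script creates the same kind of profile that the Manually connect to a wireless network wizard builds from the settings above, using the netsh wlan command line that Lesson 2 lists as an alternative to the dialog boxes. The WLAN profile XML maps directly onto those settings: the SSID, connectionType (ESS for Access point, IBSS for Adhoc network), connectionMode (auto for Connect automatically when this network is in range), nonBroadcast (Connect even if the network is not broadcasting its name) and the authentication/encryption pair. The SSID ADATUM and passphrase Pa$$w0rd are the values used in this module's demonstrations and are assumptions here; substitute your own. Importing a profile for all users requires an elevated prompt.

```powershell
# Added example, not from the course: build and import a WPA2-Personal / AES
# wireless profile with netsh wlan. Assumes the demonstration SSID ADATUM and
# passphrase Pa$$w0rd; run from an elevated PowerShell prompt so that the
# profile can be imported for all users of the computer.

$ssid       = 'ADATUM'
$passphrase = 'Pa$$w0rd'
# The key is placed in an XML element, so escape &, < and > if present.
$escapedKey = [System.Security.SecurityElement]::Escape($passphrase)

# Profile schema: http://www.microsoft.com/networking/WLAN/profile/v1
# Valid <authentication> values: open, shared, WPA, WPAPSK, WPA2, WPA2PSK
# Valid <encryption> values:     none, WEP, TKIP, AES
$profileXml = @"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$ssid</name>
  <SSIDConfig>
    <SSID>
      <name>$ssid</name>
    </SSID>
    <!-- Connect even if the network is not broadcasting its name (SSID) -->
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <!-- ESS = Access point (infrastructure mode); IBSS = Adhoc network -->
  <connectionType>ESS</connectionType>
  <!-- auto = Connect automatically when this network is in range -->
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <!-- false: the key is in clear text here; Windows encrypts it on import -->
        <protected>false</protected>
        <keyMaterial>$escapedKey</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"@

$profilePath = Join-Path $env:TEMP "$ssid.xml"
[System.IO.File]::WriteAllText($profilePath, $profileXml)

try {
    # user=all imports the profile for every user of this computer;
    # user=current keeps it private to the current user.
    netsh wlan add profile filename="$profilePath" user=all
}
finally {
    # The file holds the passphrase in clear text; do not leave it on disk.
    Remove-Item $profilePath -ErrorAction SilentlyContinue
}

# Connect now rather than waiting for the next scan, then confirm that the
# association uses the expected authentication and cipher (CCMP = AES).
netsh wlan connect name="$ssid"
Start-Sleep -Seconds 5
netsh wlan show interfaces | Select-String 'State|SSID|Authentication|Cipher'
```

If Group Policy restricts which networks users may add, netsh wlan add profile fails in the same way the wizard does, so run the import under an account that is allowed to create the connection.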

Demonstration: Connecting to a Wireless Network



The demonstrations are prerecorded. There are no steps to perform. Click the camera
links to launch the demonstrations.

How to Configure a WAP


The following text describes the various steps in the demonstration:
1. Click Start and then click Network to view a list of devices available.
2. Right click the wireless AP, and click View device webpage to configure the
device.
3. Enter the required credentials. These usually come from the device’s
manufacturer. It is recommended to change these credentials after the initial
configuration of the wireless AP.
4. Click Wireless Settings. This is a Netgear router. Note that other devices may
have different administrative interfaces, but they contain similar settings.
5. Enter ADATUM in Name (SSID) to change the default SSID to something
relevant to your organization.

6. You can change the channel to avoid interference from other devices.
7. Select g only for mode to configure the 802.11 mode. If you have older 802.11b
devices, you can enable support for them.
8. Clear Allow Broadcast of Name (SSID) to prevent the wireless AP from broadcasting its SSID.



9. Select WPA2 with PSK. The particular security options vary between
manufacturers, but typically include the ones offered here: WEP, WPA and
WPA2, and support for both PSK and Enterprise options.

Note: If you select an enterprise option, you must provide additional information about how authentication is handled within your organization, for example the name or address of a RADIUS server and the shared secret that the wireless AP uses to communicate with it.

10. Enter Pa$$w0rd in the Network Key.


11. Click Apply to save the settings. Most wireless APs have a separate persistent save, which means that the device remembers the settings even after it is powered down and back up.
12. Most wireless APs also provide options for more advanced settings. These include MAC address filtering and bridging and are out of the scope of this demonstration.
13. Close all open windows.
Question: What advanced wireless settings would you consider that improve security?
Answer: A list of MAC addresses that are allowed to connect to the wireless AP. Bear in mind that MAC addresses are visible in clear text on the air and can be spoofed, so this only raises the bar slightly.

How to Connect to an Unlisted Wireless Network


The following text describes the various steps in the demonstration:
1. Right click the wireless network icon on the system tray and click Open Network
and Sharing Center.
2. Click Manage wireless networks.
3. Click Add to launch the wizard to guide you through the process of defining the
properties of the network.
4. Click Manually create a network profile to configure an infrastructure network.
5. Enter ADATUM in Network name, select WPA2-Personal for Security type,
select AES for Encryption type, and enter Pa$$w0rd for Security

Key/Passphrase to define the appropriate SSID and the security settings that
correspond to those defined on the wireless AP.

Note: The specifics of the settings vary from network to network. In addition, the options available may be restricted by Group Policy, so your ability to create a network connection may be restricted.

6. Click Next to connect to the network and then click Close.


7. Right click the wireless network icon on the system tray and click Open Network
and Sharing Center. Click Wireless Network Connection (ADATUM) to view
the status of the network.
8. Click Close to close the Wireless Network Connection Status dialog box.
9. By default, all networks are placed in the Public network profile – which is the
most restrictive. From the Network and Sharing Center, click Public network.
10. Click Work Network and then click Close. Once you define a network location
profile for a network connection, Windows remembers it for subsequent
connections to that network.
11. Close all open windows.
Question: Can a user connect their computer to an unlisted network if they do not
know the SSID?
Answer: Yes, they can scan for networks, and some tools provide information about
unlisted networks. Hiding, or not broadcasting, the SSID only provides basic
protection.

How to Connect to a Public Wireless Network


The following text describes the various steps in the demonstration:
1. Right click the wireless network icon on the system tray and click Open Network
and Sharing Center to view the available networks. You can also click the
wireless network icon on the system tray to view the available networks.
2. Notice that there is a wireless network available; the shield icon next to the wireless signal icon denotes that the wireless network is open (unsecured). This is a possible security issue, because anyone in range can read the traffic. Always be careful when connecting to public networks.
3. Click the wireless network, select Connect Automatically and then click
Connect. This connects you to the wireless network.

4. Windows prompts the user to define the network location profile. Select Public network.
5. Click Close and then close the Network and Sharing Center.
Question: What are possible issues that arise when connecting to unsecured networks?
Answer: Your information can be viewed by other parties on the network unless it is protected end to end, for example by HTTPS or a VPN connection to your corporate network. Other parties can also attempt to connect to services running on your computer, which is why the Public network location profile, with its more restrictive firewall settings, is the right choice.




Improving the Wireless Signal Strength



Connecting to the wireless AP on a network with the strongest signal will provide the
best wireless performance. To assist users, the available networks list in Windows 7
includes a symbol that designates signal strength. A strong signal has five bars, and
indicates a close wireless network with no interference.
If a wireless network has low signal strength, the transfer of information across the
network could be slow or you might be unable to access certain parts of the network.
The following table shows several common problems and solutions with regards to low
signal strength.

Problem: Proximity or physical obstruction
Troubleshooting tips:
• Ensure that your client computer is as close as possible to the wireless AP.
• If you are unable to get closer to the wireless AP, consider installing an external antenna on your wireless network adapter.
• Check for physical objects that may cause interference, such as a thick wall or metal cabinet, and consider removing the physical objects or repositioning the wireless AP or the client.
• Add wireless APs to the wireless network whenever applicable.

Problem: Interference from other signals
Troubleshooting tips:
• Check for devices that may cause interference, such as cordless phones, Bluetooth devices or any other wireless devices. Turn them off or move them farther away.
• Consider changing the wireless AP settings to use a different wireless channel, or set the channel to be selected automatically if it is set to a fixed channel number.
In cases where you cannot even see the wireless network, consider the following
troubleshooting steps:
• Check that your wireless network adapter has the correct driver and is working
properly
• Check your computer for an external switch for the wireless network adapter
• Check that the wireless AP is turned on and working properly
• Check whether the wireless AP is configured to advertise its SSID
Question: What devices can interfere with wireless network signal?
Answer: IEEE 802.11b and IEEE 802.11g use the S-band Industrial, Scientific and Medical (ISM) frequency range of 2.4 to 2.5 GHz. This range is also used by devices such as microwave ovens, cordless phones, baby monitors, wireless video cameras and Bluetooth adapters, which may interfere with the wireless network signal.
IEEE 802.11a uses the 5 GHz band, including the C-band ISM range of 5.725 to 5.875 GHz. Fewer consumer devices operate there, so a network that uses this standard is less likely to suffer interference.
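To put the channel and signal-strength advice above into practice, here is an added PowerShell example (not part of the course) that surveys the networks in range with netsh wlan show networks mode=bssid, lists each access point's signal and channel, counts how many access points overlap each of the non-overlapping 2.4 GHz channels (1, 6 and 11), and shows that a closed network still appears in the scan, with an empty name. As with netsh output in general, the regular expressions assume an English Windows locale.

```powershell
# Added example, not from the course: survey the wireless networks in range
# with netsh and summarize signal strength and channel use, to choose an
# uncongested channel or to see that a non-broadcast SSID is still visible.
# Assumes an English Windows locale, because the text printed by netsh is
# parsed with regular expressions.

function Get-WlanSurvey {
    $ssid = $null; $auth = $null; $bss = $null
    foreach ($line in (netsh wlan show networks mode=bssid)) {
        if ($line -match '^SSID \d+\s*:\s*(.*)$') {
            # A closed (non-broadcast) network is listed with an empty name.
            $ssid = $Matches[1].Trim()
            if ($ssid -eq '') { $ssid = '<hidden>' }
        }
        elseif ($line -match '^\s*Authentication\s*:\s*(.+?)\s*$') { $auth = $Matches[1] }
        elseif ($line -match '^\s*BSSID \d+\s*:\s*([0-9a-f:]{17})') {
            if ($bss) { $bss }          # emit the previous access point
            $bss = New-Object PSObject -Property @{
                SSID = $ssid; BSSID = $Matches[1]; Authentication = $auth
                Signal = $null; Channel = $null; RadioType = $null
            }
        }
        elseif ($bss -and $line -match '^\s*Signal\s*:\s*(\d+)%')        { $bss.Signal    = [int]$Matches[1] }
        elseif ($bss -and $line -match '^\s*Radio type\s*:\s*(.+?)\s*$')  { $bss.RadioType = $Matches[1] }
        elseif ($bss -and $line -match '^\s*Channel\s*:\s*(\d+)')         { $bss.Channel   = [int]$Matches[1] }
    }
    if ($bss) { $bss }
}

# 2.4 GHz channels are 5 MHz apart but each signal is roughly 20 MHz wide,
# so only channels 1, 6 and 11 do not overlap. Count the access points
# within four channels of each candidate to find the least crowded one.
# (5 GHz channels used by 802.11a/n are not considered here.)
function Get-ChannelLoad {
    param([object[]]$Survey)
    foreach ($ch in 1, 6, 11) {
        $n = @($Survey | Where-Object { $_.Channel -and [math]::Abs($_.Channel - $ch) -le 4 }).Count
        New-Object PSObject -Property @{ Channel = $ch; OverlappingAPs = $n }
    }
}

$survey = @(Get-WlanSurvey)

# Strongest access point first: the one a client in this spot should use.
$survey | Sort-Object Signal -Descending |
    Format-Table SSID, BSSID, Signal, Channel, RadioType, Authentication -AutoSize

Get-ChannelLoad $survey | Sort-Object OverlappingAPs |
    Format-Table Channel, OverlappingAPs -AutoSize

# Closed networks are hidden from the Windows network list, not from a scan.
$survey | Where-Object { $_.SSID -eq '<hidden>' } |
    Format-Table BSSID, Channel, Signal -AutoSize
```

Run the survey from the client location that reports poor signal: the Signal column shows whether moving the client or adding a wireless AP would help, and the channel load table shows whether a fixed channel on the wireless AP should be changed.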

Process for Troubleshooting a Wireless Network Connection



Windows 7 includes the Network Diagnostic tool, which can be used to troubleshoot
network problems. Use this tool to diagnose the issues that might prevent you from
connecting to any network, including wireless networks. This tool can reduce the time
you spend diagnosing wireless network problems.

Troubleshooting Access to Wireless Networks


To troubleshoot access to wireless networks, perform the following steps:
1. Attempt to connect to a wireless network. Use the Connect to a network tool in
Windows 7 to list each available wireless network and attempt network
connections. The Connect to a network tool can be accessed from the Network
and Sharing Center or from the network icon on the System Tray.
2. Run the Windows Network Diagnostics tool. You can run the tool by right-
clicking the Network icon on the System Tray, and then clicking Troubleshoot
problems.
3. Review the diagnostic information. The Windows Network Diagnostics tool in
Windows 7 will attempt to correct any problems. If this is not possible, the tool
provides a list of possible problems.

4. Identify the problem from the list of problems found. Use the list from the
Windows Network Diagnostic tool to help identify the problem.
5. Resolve the problem that was identified. Use the information in the previous step
to implement a resolution.




Module Review and Takeaways



Common issues related to finding wireless networks and improving signal strength:
Problem: Proximity or physical obstruction
Troubleshooting tips:
• Ensure that your client computer is as close as possible to the wireless AP.
• If you are unable to get closer to the wireless AP, consider installing an
external antenna to your wireless network adapter.
• Check for physical objects that may cause interference, such as a thick wall
or metal cabinet, and consider removing the physical objects or repositioning
the wireless AP or the client.
• Add wireless APs to the wireless network whenever applicable.

Problem: Interference from other signal
Troubleshooting tips:
• Check for devices that may cause interference, such as cordless phones,
Bluetooth devices or any other wireless devices. Turn them off or move them
farther away.
• Consider changing the wireless AP settings to use a different wireless
channel, or set the channel to be selected automatically if it is set to a
fixed channel number.

Problem: Cannot detect wireless network
Troubleshooting tips:
• Check that your wireless network adapter has the correct driver and is
working properly.
• Check your computer for an external switch for the wireless network adapter.
• Check that the wireless AP is turned on and working properly.
• Check whether the wireless AP is configured to advertise its SSID.

Problem: Windows is not configured to connect to the right type of network
Troubleshooting tips:
Check the information that came with the router or access point to find out
what connection mode the device is set to. The mode should be either ad hoc
(when devices communicate directly without going through a router or access
point) or infrastructure (when devices communicate by going through a router or
access point). Make sure the setting in Windows for this network matches the
setting on the device.

Problem: The router or wireless AP is busy
Troubleshooting tips:
If you have other computers that are connecting to the network, try temporarily
disconnecting them.

Problem: The wireless network adapter is in monitor mode
Troubleshooting tips:
If a network monitoring program is running on your computer, the wireless
network adapter will be set to monitor mode, which prevents Windows from
connecting to wireless networks. To connect to a wireless network, close the
network monitoring program or follow the instructions in the program to exit
monitor mode.

Real-world Issues and Scenarios


1. You are implementing wireless networking in your organization. Which wireless
network technology standards and which type of security (authentication and
encryption) will you choose?
There are two main considerations that you should take into account when choosing
a wireless network technology standard: speed and cost. If possible, you
should choose the latest standard, which is 802.11n, because it gives you the best
signal strength and the highest maximum speed. One of the drawbacks of this
standard is that it is still under development. Even so, many devices already
support this standard based on the Draft 2 proposal. Another consideration is that
devices that support this standard tend to be more expensive than the ones that
support 802.11g.
You should always choose the highest level of security available. In this case,
WPA and WPA2 both enable secure authentication and encryption. You should
select the Enterprise mode for WPA/WPA2 because it offers centralized
management of authentication with RADIUS servers.
2. Your organization already has a wireless network in place. Your users are
complaining that the performance of the wireless network is not as good as the
wired network. What can you do to increase the performance of the wireless
network?
You should consider three main areas in which you can improve the performance of
your wireless network: proximity, obstruction and interference. Based on these
areas, you can implement one or more solutions, such as adding wireless APs or
removing obstructions and interference. Refer to the topic on Improving the
Wireless Signal Strength for more information.

Tools

Tool: Network and Sharing Center
Use to: Configure network settings
Where to find it: Control Panel; Systray

Tool: Connect to a Network
Use to: Configure a Windows 7-based client to connect to a wireless network
Where to find it: Network and Sharing Center; Systray

Tool: Netsh
Use to: Configure local or remote network settings
Where to find it: Command prompt

Tool: Windows Network Diagnostics
Use to: Troubleshoot access to wireless networks
Where to find it: Network and Sharing Center; Systray

Module 6
Securing Windows 7 Desktops
Contents:
Lesson 1: Overview of Security Management in Windows 7 6-4
Lesson 2: Securing a Windows 7 Client Computer by Using
Local Security Policy Settings 6-13
Lesson 3: Securing Data by Using EFS and BitLocker 6-38
Lesson 4: Configuring Application Restrictions 6-81
Lesson 5: Configuring User Account Control 6-102
Lesson 6: Configuring Windows Firewall 6-123
Lesson 7: Configuring Security Settings in Internet Explorer 8 6-145
Lesson 8: Configuring Windows Defender 6-164

Module Overview



Users are becoming increasingly computer-savvy, and they
expect more from the technology that they use at work.
They expect to be able to work from home, from branch
offices, and on the road, without a decrease in
productivity. As the needs of users have changed, the
demands on IT professionals have increased. Today, IT
professionals are being asked to provide more capabilities
and support greater flexibility, while continuing to
minimize cost and security risks.
With Windows 7®, IT professionals can meet users’ diverse
needs in a way that is more manageable.
• Businesses can enable employees to work more
productively at their desks, at home, on the road, or
in a branch office.

• Security and control are enhanced, reducing the risk
associated with data on lost computers or external hard
drives.
• Desktop management is streamlined, so it takes less work
to deploy Windows 7 and keep it running smoothly.
Because Windows 7 is based on the Windows Vista®
foundation, companies that have already deployed Windows
Vista will find that the new Windows 7 security features
are highly compatible with existing hardware, software,
and tools.
This module describes how to make your computer more
secure by using new Windows 7 security features, while
ensuring that you do not sacrifice usability in the
process. Built upon the security foundations of Windows
Vista, Windows 7 helps make the system more usable and
manageable, and contains the right security enhancements
to combat the continually evolving threat landscape.
This module introduces the following new security features
in Windows 7:
• Fundamentally Secure Platform: The Windows 7 operating
system provides an assortment of tools and features
designed to maximize platform and client security.
• Helping Secure Anywhere Access: Windows 7 provides the
appropriate security controls so that users can access
the information they need to be productive whenever
they need it whether they are in the office or not.
• Protecting Users and Infrastructure: Windows 7 provides
flexible security protection against malware and
intrusions so that users can achieve their desired
balance between security, control, and productivity.
• Protecting Data from Unauthorized Viewing: Windows 7
extends BitLocker™ Drive Encryption to help protect
data stored on portable media (for example, USB Flash
Drives and USB Portable Hard Drives) so that only
authorized users can read the data, even if the media
is lost, stolen, or misused.

Lesson 1
Overview of Security Management in Windows 7



The Windows 7 operating system provides a robust, secure
platform through the provision of a number of programs
that help simplify balancing security and usability. You
need to understand how the new Windows 7 security features
work so that you can quickly and effectively diagnose and
fix any problems whenever there is the need to
troubleshoot a security-related issue.
This lesson introduces the security management topics
covered in the remainder of the module. It then introduces
the Windows 7 Action Center, which provides a central
location for managing your security configuration.

Key Security Features in Windows 7


The Windows 7 operating system provides the following
assortment of tools and features designed to maximize
platform and client security while balancing security and
usability.
• Windows 7 Action Center: A central location for users to
deal with messages about their local computer and the
starting point for diagnosing and solving issues with
their system.
• Encrypting File System (EFS): The built-in encryption
tool for Windows file systems.
• Windows BitLocker™ and BitLocker To Go™: Helps mitigate
unauthorized data access by rendering data inaccessible
when BitLocker-protected computers are decommissioned or
recycled. BitLocker To Go provides similar protection to
data on removable data drives.

• Windows AppLocker™: Allows administrators to specify
exactly what is allowed to run on user desktops.
• User Account Control: Simplifies the ability of users to
run as standard users and perform all necessary daily
tasks.



• Windows® Firewall with Advanced Security: Helps provide
protection from malicious users and programs that rely
on unsolicited incoming traffic to attack computers.
• Windows Defender™: Helps protect you from spyware and
other forms of malicious software.
These security features are covered in greater detail
throughout the remainder of this module.

What is Action Center?


Action Center is a central location for dealing with
messages about your system and the starting point for
diagnosing and solving issues with your system. You can
think of Action Center as a message queue that displays
the items that require your attention and need to be
managed according to your schedule.
Windows Action Center consolidates the Windows 7 security-
related tools in one location, simplifying your ability to
access and use the specific tool that you need. Windows
Action Center includes access to the following four
essential security features:
• Firewall
• Automatic updating
• Malware protection
• Other security settings

Firewall
Windows Action Center verifies that your computer has a
suitable firewall product and notifies you if there are
any issues with the firewall configuration or status. If
there is an issue with the firewall, Windows Action Center
provides guidance, where appropriate, on how to remedy the
reported issue.

Automatic Updating
To ensure that your computer is as secure as possible,
install security updates the moment they become available.
By enabling automatic updates, you can ensure that your
computer will receive the necessary security updates.
Windows Action Center determines your computer’s
automatic-updating status, and provides alerts and
instructions to help you enable automatic updating.

Malware Protection
Windows Action Center determines whether your computer is
running Windows Defender or a third-party antispyware
product. If your antispyware product definitions are out-
of-date, or if you do not enable scanning, Windows Action
Center alerts you and provides guidance on how to resolve
the problem.
The Malware protection feature also verifies the presence
and functionality of your computer’s antivirus software.
If there is no antivirus software, or the antivirus
signatures are out-of-date, Windows Action Center alerts
you and recommends solutions.

Other Security Settings


Windows Action Center monitors your Microsoft Internet
Explorer® settings and alerts you if the settings can
compromise your computer’s security when you are online.
Windows Action Center also verifies that you enable and
configure UAC appropriately and it provides guidance, if
necessary, to help secure your computer.

Note: You are not required to use an antivirus, antispyware, or firewall software
program that is compliant with Windows Action Center. If using software that is not
detectable, you may select Windows Action Center options that let you monitor the
security status. This scenario causes a “yellow” caution state, but you will not receive
messages that prompt you to change the configuration.

Note: You can access Windows Action Center from Control Panel. Windows Action
Center is a Windows service that starts automatically by default. You can configure this
behavior by using Group Policy objects for domain-joined computers.

User Alerts
Action Center notifies you when items about security and
maintenance settings need your attention. A red item in
Action Center indicates an important issue that must be
addressed soon, such as an outdated antivirus program that
needs updating. Yellow items are suggested tasks for you
to consider addressing, like recommended maintenance
tasks.
You can quickly view whether there are any new messages in
Action Center by placing your mouse over the Action Center
icon in the notification area on the taskbar. Click the
icon to view more detail, and open Action Center to view
the message in its entirety.
If you are having a problem with your computer, check
Action Center to determine if the issue has been
identified. If it has not been addressed, you can find
helpful links to troubleshooters and other tools that can
help fix problems.
If you prefer to keep track of an item yourself (for
example, you use a backup program other than the one
included in Windows 7, or you manually back up your files),
and you do not want to see notifications or receive
messages about its status, you can turn off notifications
and messages for the item.

Demonstration: Configuring Action Center Settings



Action Center checks several of your computer’s security
and maintenance-related items that help indicate the
computer’s overall performance.
When the status of a monitored item changes (for example,
your antivirus software becomes out of date) Action Center
notifies you with a message in the notification area on
the taskbar. There, the status of the item in Action
Center changes color to reflect the severity of the
message, and an action is recommended.
When you clear the check box for an item on the Change
Action Center Settings page, you will not receive any
messages, and you will not see the item's status in Action
Center. It is recommended that you check the status of all
items listed, since many can help warn you about security
issues. However, if you decide to turn off messages for an
item, you can always turn messages back on.

Note: To change how solutions to problems appear in Action Center, click Change
Action Center Settings and then click Problem report settings. On the settings page,
you can choose how much information is sent, and how often to check for new
solutions.

This demonstration shows how to configure the Action
Center Settings and User Control Settings in Windows 7.
Start the LON-DC1 and the LON-CL1 virtual machines. Leave
them running throughout the duration of the module.

Change Action Center Settings


1. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start and then click Control Panel.
3. In Control Panel, click System and Security and then
click Action Center.
4. Click the down arrow next to Security and scroll down
to review the settings.
5. Click Change Action Center Settings in the left window
pane.
6. Under Maintenance Messages, clear the Windows
Troubleshooting and Windows Backup check boxes and then
click OK.

Change User Control Settings


1. Click Change User Account Control Settings in the left
window pane.

2. Move the slide bar down by one setting and then click
OK.

View Archived Messages


1. Select View archived messages in the left window pane.

2. View any archived messages about computer problems and
then click OK.

3. Close the Action Center window.




Lesson 2
Securing a Windows 7 Client Computer by Using
Local Security Policy Settings

Group Policy provides an infrastructure for centralized
configuration management of the operating system and
applications that run on the operating system. This lesson
discusses Group Policy fundamentals such as the difference
between local and domain-based policy settings and
introduces you to how Group Policy can simplify managing
computers and users in an Active Directory environment.
This lesson also discusses Group Policy features that are
included with the Windows Server® 2008 operating system
and are available with the Windows 7 client.

What is Group Policy?



Group Policy is a technology that allows you to
efficiently manage a large number of computer and user
accounts through a centralized model. Group policies are
popular in the corporate environment where several
computers and users are part of the same domain.
Group policies enable you to impose certain behaviors on
several features for the computers and the users belonging
to the Active Directory. Group policies can define
computer settings ranging from the computer desktop to
screen saver timeouts. The group policy changes are
configured on the server and they propagate themselves to
each client computer in the domain.
Group Policy in Windows 7 uses new XML-based templates to
describe registry settings. When you enable settings in
these templates, Group Policy allows you to apply computer
and user settings either on a local computer or centrally
through Active Directory.

IT professionals typically use Group Policy to:

• Apply standard configurations
• Deploy software
• Enforce security settings
• Enforce a consistent desktop environment
You can use Group Policy to restrict certain actions that
may pose potential security risks, such as restricting
access to registry editing tools or restricting the use of
removable storage devices. You enable these restrictions
with Group Policy settings. A collection of Group Policy
settings is called a Group Policy object (GPO).
One GPO can be applied simultaneously to many different
containers in Active Directory’s Directory Service.
Conversely, a container can have multiple GPOs
simultaneously applied to it. In this case, users and
computers receive the cumulative effect of all policy
settings applied to them.

Local Group Policy in Windows 7


Because its settings can be overwritten by Group Policy
objects that are associated with sites, domains, and
organizational units, the local Group Policy object is the
least influential object in an Active Directory
environment. In a non-networked environment, or in a
networked environment that does not have a domain
controller, the local GPO settings are more important
because they are not overwritten by other Group Policy
objects. Standalone computers only use local group
policies to control the environment.
Each Windows 7 computer has one local GPO that contains
default computer and user settings, regardless of whether
the computer is part of an Active Directory environment or
not. In addition to this default local GPO, you can create
custom local user group policy objects. You can maintain
these local GPOs using the Group Policy Object Editor
snap-in.

With Group Policy, you can define the state of users' work
environments once and rely on the system to enforce the
policies that you define. With the Group Policy snap-in
you can specify policy settings for the following:
• Registry-based policies: include Group Policy for the
Windows 7 operating system and its components and for
programs. To manage these settings, use the
Administrative Templates node of the Group Policy
Editor snap-in.
• Security options: include options for local computer
security settings.
• Software installation and maintenance options: are used
to centrally manage program installation, updates, and
removal.
• Scripts options: include scripts for computer startup
and shutdown, and user logon and logoff.

Using the Group Policy Object Editor


The Group Policy Object Editor is a Microsoft Management
Console (MMC) snap-in that contains the following major
branches:
• Computer Configuration: This section enables
administrators to set policies that are applied to a
computer, regardless of who logs on to the computers.
Computer Configuration typically contains sub-items for
software settings, Windows settings, and administrative
templates.
• User Configuration: This section enables administrators
to set policies that apply to users, regardless of
which computer they log on to. User Configuration
typically contains sub-items for software settings,
Windows settings, and administrative templates.
To use the group policy editor, follow these steps:
1. Expand the GPO that you want (for example, Local
Computer Policy).
2. Expand the configuration item that you want (for
example, Computer Configuration).

3. Expand the sub-item that you want (for example,
Windows Settings).
4. Navigate to the folder that contains the policy
setting that you want. The policy items are
displayed in the right pane on the Group Policy
Editor snap-in.

Note: If no policy is defined for the selected item, right-click the folder that you want
and then on the shortcut menu that appears, point to All Tasks and then click the
command that you want. The commands that are displayed on the All Tasks submenu
are context sensitive. Only those commands that are applicable to the selected policy
folder appear on the menu.

5. In the Setting list, double-click the policy item
that you want.

Note: When you work with policy items in the Administrative Templates folder, click
the Extended tab in the right pane of the MMC if you want to view more information
about the selected policy item.

6. Edit the settings of the policy in the dialog box
that appears and then click OK.
7. When you are finished, quit the MMC.

How are Group Policy Objects Applied?



Client components known as Group Policy client-side
extensions (CSEs) initiate Group Policy by requesting GPOs
from the domain controller that authenticated them. The
CSEs interpret and apply the policy settings.
Windows 7 applies computer settings when the computer
starts and user settings when you log on to the computer.
Both computer and user settings are refreshed at regular,
configurable intervals. The default refresh interval is
every 90 minutes.
Group Policy is processed in the following order:

• Local computer policy settings
• Site-level policy settings
• Domain-level policy settings
• Organizational Unit (OU) policy settings

Policy settings applied to higher level containers pass
through to all sub-containers in that part of the Active
Directory tree. For example, a policy setting applied to
an OU also applies to any child OUs below it.
If policy settings are applied at multiple levels, the
user or computer receives the effects of all policy
settings. In case of a conflict between policy settings,
the policy setting applied last is the effective policy,
though you can change this behavior as needed.

How Multiple Local Group Policies Work



Securing computers and users' desktops is an important
responsibility of the IT professional. Today's computing
environment provides users with hundreds, if not
thousands, of configurable settings. Domain administrators
manage these settings using Group Policy. For Microsoft
Windows 7 client computers, IT professionals can address
this issue through Multiple Local Group Policy objects
(MLGPO).
Multiple Local Group Policy objects improve previous Local
Group Policy technology by allowing an administrator to
apply different levels of Local Group Policy to local
users on a stand-alone computer. This technology is ideal
for shared computing environments where domain-based
management is not available, such as shared library
computers or public Internet kiosks.

Introduction to MLGPO
Local Group Policy is a subset of a broader technology
known as Group Policy. Group Policy is domain based while
Local Group Policy is specific to the local computer. Both
technologies allow administrators to configure specific
settings in the operating system and then force those
settings to computers and users.
Local Group Policy is not as robust as Group Policy. For
example, Group Policy allows administrators to configure
any number of policies that might affect some, all, or
none of the users of a domain-joined computer. Group
Policy can even apply policies to users that have specific
group memberships.
However, prior to Windows Vista, Local Group Policy was
only able to apply one policy to the computer and all the
local users of the computer, even the local administrator.
This made managing the stand-alone computer difficult
because the same policy applied to the administrator and
the users.
Windows 7 gives stand-alone computer administrators the
ability to apply different Group Policy objects to stand-
alone users. Windows 7 provides this ability with three
layers of Local Group Policy objects:
• Local Group Policy
• Administrator and Non-Administrators Group Policy
• User specific Local Group Policy
There is only one local GPO stored on each individual
computer that contains default computer and user settings.
This policy is stored in the hidden %systemroot%\System32\
GroupPolicy directory. Custom administrator, non-
administrator, and user policies that you create are
stored in: %systemroot%\System32\GroupPolicyUsers.
These layers of Local Group Policy objects are processed
in order, starting with Local Group Policy, continuing
with Administrators and Non-Administrators Group Policy,
and finishing with user-specific Local Group Policy.

Local Group Policy


The Local Group Policy (also known as Local Computer
Policy) layer is the topmost layer in the list of Multiple
Local Group Policy objects. Local Group Policy is the only
Local Group Policy object that allows computer settings.
Besides computer settings, you can select user settings.



However, user settings contained in the Local Group Policy
apply to all users of the computer, even the local
administrator. Local Group Policy behaves the same as it
did in previous Windows versions.
An example of some of the more commonly used local group
policies includes:
• Disable the Advanced page
• Disable the Connections page
• Disable the Content page
• Disable the General page
• Disable the Privacy page
• Disable the Programs page

Administrators and Non-Administrators Local Group Policy
The Administrators and Non-Administrators Local Group
Policy objects do not exist by default. They must be
created if you want to use them on your Windows 7 client.
These group policies act as a single layer and logically
sort all local users into two groups when a user logs on
to the computer. The user is either an administrator or a
non-administrator. Users that are members of the
administrators group receive policy settings assigned in
the Administrators Local Group Policy object. All other
users receive policy settings assigned in the Non-
Administrators Local Group Policy objects.
An example of some of the more commonly used administrator
and non-administrator local group policies includes:
• Remove user’s folder from the Start Menu
• Remove links and access to Windows Update
• Turn off personalized menus
• Remove Balloon Tips on Start Menu items
• Remove My Computer icon from the desktop
• Hide My Network Places icon on the desktop

User-Specific Group Policy


Local administrators can use the last layer of the Local
Group Policy object, Per-User Local Group Policy objects,
to apply specific policy settings to a specific local
user.
An example of some of the more commonly used local group
policies includes:
• Disable the Advanced page
• Disable the Connections page
• Disable the Content page
• Disable the General page
• Disable the Privacy page
• Disable the Programs page

Processing Order
The benefits of Multiple Local Group Policy objects come
from the processing order of the three separate layers.
The layers are processed as follows:
• The Local Group Policy object applies first. This Local
Group Policy object may contain both computer and user
settings. User settings contained in this policy apply
to all users, including the local administrator.
• The Administrators and Non-Administrators Local Group
Policy objects are applied next. These two Local Group
Policy objects represent a single layer in the
processing order, and the user receives one or the
other. Neither of these Local Group Policy objects
contains computer settings.
• User-specific Local Group Policy is applied last. This
layer of Local Group Policy objects contains only user
settings, and you apply it to one specific user on the
local computer.

Conflict Resolution between Policy Settings
Available user settings are the same between all Local
Group Policy objects. It is conceivable that a policy
setting in one Local Group Policy object can contradict
the same setting in another Local Group Policy object.
Windows 7 resolves these conflicts by using the "Last
Writer Wins" method. This method resolves the conflict by
overwriting any previous setting with the last read (most
current) setting. The final setting is the one Windows
uses.
For example, an administrator enables a setting in the
Local Group Policy object. The administrator then disables
the same setting in a user-specific Local Group Policy
object. The user logging on to the computer is not an
administrator. Windows reads the Local Group Policy object
first, followed by the Non-Administrators Local Group
Policy object, and then the user-specific Local Group
Policy object.
The state of the policy setting is enabled when Windows
reads the Local Group Policy object. The policy setting is
not configured in the Non-Administrators Local Group
Policy object. This has no effect on the state of the
setting, so it remains enabled. The policy setting is
disabled in the user-specific Local Group Policy object.
This changes the state of the setting to disabled. Windows
reads the user-specific Local Group Policy object last;
therefore, it has the highest precedence. The Local
Computer Policy has a lower precedence.

Domain Member Computers
Stand-alone computers benefit the most from Multiple Local
Group Policy objects, wherein managing each computer is
local. Domain-based computers apply Local Group Policy
first and then domain-based policy. Windows 7 continues to
use the "Last Writer Wins" method for conflict resolution.
Therefore, policy settings originating from domain Group
Policy overwrite any conflicting policy settings found in
any Local Group Policy, including the administrators,
non-administrators, and user-specific Local Group Policy
objects.
Domain administrators can disable the processing of Local
Group Policy objects on clients that are running Windows 7
by enabling the "Turn off Local Group Policy objects
processing" policy setting in a domain Group Policy
object.
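The processing order and the "Last Writer Wins" rule can be checked with a small model. The following PowerShell is an added example, not courseware code: it reads the layers in the order the text gives (Local Computer Policy, then the Administrators or Non-Administrators object depending on group membership, then the user-specific object, then domain Group Policy on a domain member) and keeps whichever configured value was read last. The function and layer names are assumptions, and it is written for the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the courseware). Models Multiple Local Group Policy
# processing: layers are read in order and a configured value overwrites any
# earlier one ("Last Writer Wins"). Function and layer names are assumptions.

function Resolve-PolicySetting {
    param(
        # Layers in the order Windows reads them; each has Name and State,
        # where State is 'Enabled', 'Disabled' or 'NotConfigured'.
        [Parameter(Mandatory = $true)] [object[]] $Layers
    )
    $state = 'NotConfigured'
    $trace = foreach ($layer in $Layers) {
        # Not Configured leaves the previous state untouched; anything else replaces it.
        if ($layer.State -ne 'NotConfigured') { $state = $layer.State }
        '{0,-26} {1,-14} -> {2}' -f $layer.Name, $layer.State, $state
    }
    New-Object PSObject -Property @{ FinalState = $state; Trace = $trace }
}

function Get-PolicyLayers {
    param(
        [Parameter(Mandatory = $true)] [bool] $IsAdministrator,
        [string] $LocalState  = 'NotConfigured',   # Local Computer Policy (all users)
        [string] $GroupState  = 'NotConfigured',   # Administrators or Non-Administrators object
        [string] $UserState   = 'NotConfigured',   # user-specific object
        [string] $DomainState = ''                 # domain GPO; leave empty for a stand-alone computer
    )
    $groupLayer = if ($IsAdministrator) { 'Administrators LGPO' } else { 'Non-Administrators LGPO' }
    $layers = @(
        New-Object PSObject -Property @{ Name = 'Local Computer Policy'; State = $LocalState }
        New-Object PSObject -Property @{ Name = $groupLayer;             State = $GroupState }
        New-Object PSObject -Property @{ Name = 'User-specific LGPO';    State = $UserState }
    )
    # Domain member: domain policy is read after every local layer, so it wins conflicts.
    if ($DomainState) {
        $layers += New-Object PSObject -Property @{ Name = 'Domain GPO'; State = $DomainState }
    }
    $layers
}

# Worked example from the text: Enabled in Local Computer Policy, Disabled in
# the user-specific object, and a non-administrator logs on.
$standalone = Resolve-PolicySetting (Get-PolicyLayers -IsAdministrator $false -LocalState Enabled -UserState Disabled)
$standalone.Trace
"Stand-alone result: $($standalone.FinalState)"

# The same computer joined to a domain whose GPO enables the setting again.
$member = Resolve-PolicySetting (Get-PolicyLayers -IsAdministrator $false -LocalState Enabled -UserState Disabled -DomainState Enabled)
$member.Trace
"Domain member result: $($member.FinalState)"
```

Run as a script, the stand-alone case ends Disabled, because the user-specific object is read after the Local Computer Policy, and the domain member case ends Enabled, because the domain GPO is read after every local layer. The trace makes it easy to see which layer last touched a setting, which is the question to ask when a workstation does not behave as its domain policy says it should.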

Creating Multiple Local GPOs


MLGPOs are created by adding the snap-in for the Group
Policy Object Editor to a Microsoft Management Console
(MMC), and then performing the following steps:
• Click Browse in the Select Group Policy dialog box.
• Click the Users tab.
• Select the object for which you want to create a
special GPO. You must add a separate instance of the
snap-in for each instance of the local GPO that you want
to create.

Disabling Local GPOs


You can disable the processing of local GPOs on clients
that are running Windows 7 by enabling the "Turn off Local
Group Policy objects processing" policy setting in a
domain GPO. You can find this setting by expanding
Computer Configuration, expanding Administrative
Templates, expanding System, and then expanding Group
Policy.

Question: An administrator disables the setting titled
“Disable the Security page” in the Local Group Policy
object. The administrator then enables the same setting in
a user-specific Local Group Policy object. The user
logging on to the computer is not an administrator. Which
policy setting will be applied to this Local Group Policy
object?

Answer: Windows reads the Local Group Policy object
first, followed by the Non-Administrators Local Group
Policy object, and then the user-specific Local Group
Policy object. The state of the policy setting is disabled
when Windows reads the Local Group Policy object. The
policy setting is not configured in the Non-Administrators
Local Group Policy object. This has no effect on the state
of the setting, so it remains enabled. The policy setting
is enabled in the user-specific Local Group Policy object.
This changes the state of the setting to enabled. Windows
reads the user-specific Local Group Policy object last;
therefore, it has the highest precedence. The Local
Computer Policy has a lower precedence.

Demonstration: Creating Multiple Local Group Policies
This demonstration will cover creating and verifying
settings of multiple local group policies in Windows 7.

Create a Custom Management Console
1. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, in the Search programs and files box, type
“mmc”, and then press ENTER.
3. In Console1 – [Console Root], click File and then click
Add/Remove Snap-in.
4. In the Add or Remove Snap-ins dialog box, in the
Available snap-ins list, click Group Policy Object
Editor and then click Add.
5. In the Select Group Policy Object dialog box, click
Finish.
6. In the Add or Remove Snap-ins dialog box, in the
Available snap-ins list, click Group Policy Object
Editor and then click Add.
7. In the Select Group Policy Object dialog box, click
Browse.
8. In the Browse for a Group Policy Object dialog box,
click the Users tab.
9. In the Local Users and Groups compatible with Local
Group Policy list, click Administrators and then click
OK.
10. In the Select Group Policy Object dialog box, click
Finish.
11. In the Add or Remove Snap-ins dialog box, in the
Available snap-ins list, click Group Policy Object
Editor and then click Add.
12. In the Select Group Policy Object dialog box, click
Browse.
13. In the Browse for a Group Policy Object dialog box,
click the Users tab.
14. In the Local Users and Groups compatible with Local
Group Policy list, click Non-Administrators and then
click OK.
15. In the Select Group Policy Object dialog box, click
Finish.
16. In the Add or Remove Snap-ins dialog box, click OK.
17. In Console1 – [Console Root], on the menu, click
File and then click Save.
18. In the Save As dialog box, click Desktop.
19. In the File name box, type “Multiple Local Group
Policy Editor”, and then click Save.

Configure the Local Computer Policy
1. In Multiple Local Group Policy Editor – [Console Root],
in the tree, expand Local Computer Policy.
2. Expand User Configuration, expand Windows Settings, and
then click Scripts (Logon/Logoff).
3. In the results pane, double-click Logon.
4. In the Logon Properties dialog box, click Add.
5. In the Add a Script dialog box, click Browse.
6. In the Browse dialog box, right-click in the empty
folder, point to New, click Text Document, and then
press ENTER.
7. Right-click New Text Document, and then click Edit.
8. Type “msgbox "Default Computer Policy"”, click File,
and then click Save As.
9. Type “ComputerScript.vbs”, change Save as type: to All
Files, and then click Save.
10. Close ComputerScript.vbs.
11. In the Browse dialog box, click the ComputerScript
file and then click Open.
12. In the Add a Script dialog box, click OK.
13. In the Logon Properties dialog box, click OK.

Configure the Local Computer Administrators Policy
1. In Multiple Local Group Policy Editor – [Console Root],
in the tree, expand Local Computer\Administrators
Policy.
2. Expand User Configuration, expand Windows Settings, and
then click Scripts (Logon/Logoff).
3. In the results pane, double-click Logon.
4. In the Logon Properties dialog box, click Add.
5. In the Add a Script dialog box, click Browse.
6. In the Browse dialog box, right-click in the empty
folder, click New, click Text Document, and then press
ENTER.
7. Right-click New Text Document, and then click Edit.
8. Type “msgbox "Default Administrator’s Policy"”, click
File, and then click Save As.
9. Type “AdminScript.vbs”, change Save as type: to All
Files, and then click Save.
10. Close AdminScript.vbs.
11. In the Browse dialog box, click the AdminScript
file and then click Open.
12. In the Add a Script dialog box, click OK.
13. In the Logon Properties dialog box, click OK.

Configure the Local Computer Non-Administrators Policy
1. In Multiple Local Group Policy Editor – [Console Root],
in the tree, expand Local Computer\Non-Administrators
Policy.
2. Expand User Configuration, expand Windows Settings, and
then click Scripts (Logon/Logoff).
3. In the results pane, double-click Logon.
4. In the Logon Properties dialog box, click Add.
5. In the Add a Script dialog box, click Browse.
6. In the Browse dialog box, right-click in the empty
folder, click New, click Text Document, and then press
ENTER.
7. Right-click New Text Document, and then click Edit.
8. Type “msgbox "Default User’s Policy"”, click File, and
then click Save As.
9. Type “UserScript.vbs”, change Save as type: to All
Files, and then click Save.
10. Close UserScript.vbs.
11. In the Browse dialog box, click the UserScript
file, and then click Open.
12. In the Add a Script dialog box, click OK.
13. In the Logon Properties dialog box, click OK.
14. Log off of LON-CL1.

Test Multiple Local Group Policies
1. Log on to LON-CL1 as Contoso\Adam with a password of
Pa$$w0rd.
2. Click OK when prompted by the message box, and then
click OK again.
3. Log off.
4. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
5. Click OK when prompted by the message box and then
click OK again.
6. On the desktop, right-click Multiple Local Group Policy
Editor, and then click Open.
7. In Multiple Local Group Policy Editor – [Console Root],
in the tree, expand Local Computer\Non-Administrators
Policy.
8. Expand User Configuration, expand Windows Settings, and
then click Scripts (Logon/Logoff).
9. In the results pane, double-click Logon.
10. In the Logon Properties dialog box, click Remove,
and then click OK.
11. In Multiple Local Group Policy Editor – [Console
Root], in the tree, expand Local
Computer\Administrators Policy.
12. Expand User Configuration, expand Windows Settings,
and then click Scripts (Logon/Logoff).
13. In the results pane, double-click Logon.
14. In the Logon Properties dialog box, click Remove,
and then click OK.
15. In Multiple Local Group Policy Editor – [Console
Root], in the tree, expand Local Computer Policy.
16. Expand User Configuration, expand Windows Settings,
and then click Scripts (Logon/Logoff).
17. In the results pane, double-click Logon.
18. In the Logon Properties dialog box, click Remove,
and then click OK.
19. Close the Multiple Local Group Policy Editor –
[Console Root] console.
20. Click Yes if prompted to save.
21. Log off.
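Everything the demonstration configures through the console is stored in per-layer folders on disk, so the same layers and scripts can be audited without the MMC, which is how a defender checks a workstation for local logon scripts that nobody created on purpose. The following PowerShell is an added example, not courseware code. It assumes the documented store locations (%SystemRoot%\System32\GroupPolicy for the Local Computer Policy and %SystemRoot%\System32\GroupPolicyUsers\<SID> for the Administrators, Non-Administrators and per-user objects) and the scripts.ini format in which logon and logoff scripts are registered; the function names are assumptions.

```powershell
# Added example (not from the courseware). Lists every local Group Policy
# layer present on the computer and the logon/logoff scripts each layer
# registers. Paths are the documented local GPO stores; function names are
# assumptions. Run from an elevated prompt so the hidden stores are readable.

$localStore = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$userStores = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'

function Get-LocalGpoLayers {
    $layers = @(New-Object PSObject -Property @{ Name = 'Local Computer Policy'; Path = $localStore })
    if (Test-Path $userStores) {
        foreach ($dir in (Get-ChildItem $userStores -Force | Where-Object { $_.PSIsContainer })) {
            # Well-known SIDs: Administrators (S-1-5-32-544) and Users (S-1-5-32-545,
            # which backs the Non-Administrators object); anything else is a per-user object.
            $name = switch ($dir.Name) {
                'S-1-5-32-544' { 'Administrators LGPO' }
                'S-1-5-32-545' { 'Non-Administrators LGPO' }
                default {
                    try {
                        $sid = New-Object Security.Principal.SecurityIdentifier($dir.Name)
                        'User LGPO: ' + $sid.Translate([Security.Principal.NTAccount]).Value
                    } catch { 'User LGPO: ' + $dir.Name }
                }
            }
            $layers += New-Object PSObject -Property @{ Name = $name; Path = $dir.FullName }
        }
    }
    $layers
}

function Get-LgpoScripts {
    param([Parameter(Mandatory = $true)] $Layer)
    # Scripts are registered in <layer>\User\Scripts\scripts.ini as
    # [Logon] / [Logoff] sections with <n>CmdLine= and <n>Parameters= lines.
    $ini = Join-Path $Layer.Path 'User\Scripts\scripts.ini'
    if (-not (Test-Path $ini)) { return }
    $section = ''
    $pending = @{}
    foreach ($line in Get-Content $ini) {
        if ($line -match '^\[(\w+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $key = "$section/$($Matches[1])"
            if (-not $pending.ContainsKey($key)) { $pending[$key] = @{ Event = $section; Index = [int]$Matches[1] } }
            $pending[$key][$Matches[2]] = $Matches[3]
        }
    }
    foreach ($entry in $pending.Values) {
        New-Object PSObject -Property @{
            Layer = $Layer.Name; Event = $entry.Event; Index = $entry.Index
            Script = $entry.CmdLine; Parameters = $entry.Parameters
        }
    }
}

$layers = Get-LocalGpoLayers
$layers | Format-Table Name, Path -AutoSize
$layers | ForEach-Object { Get-LgpoScripts -Layer $_ } |
    Sort-Object Layer, Event, Index |
    Format-Table Layer, Event, Index, Script, Parameters -AutoSize
```

After the demonstration's clean-up steps the script table should be empty; a script that is still listed, or a per-user layer that nobody created, is worth investigating, because a logon script in a local object runs for every matching user with no domain policy involved. On the client, gpresult /r confirms which local objects were applied for the current user.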


Demonstration: Configuring Local Security Policy Settings

Security Related Group Policy Settings
A computer that belongs to an Active Directory® Domain
Services domain receives many of its security-related
configuration settings through a GPO. You can use the
Local Group Policy Editor to configure the same settings
on a standalone workstation that is running Windows 7.
To configure local Group Policy, run gpedit.msc from the
Search box with elevated privileges. You can then use the
local Group Policy Object Editor to configure the
security-related settings that the following table lists.

Setting: Meaning

Password Policy: A subcomponent of Account Policies that
enables you to configure password history, maximum and
minimum password age, password complexity, and password
length. Note: This only applies to local accounts.

Account Lockout Policy: A subcomponent of Account Policies
that enables you to define settings related to the action
you want Windows 7 to take when a user enters an incorrect
password at logon. Note: This only applies to local
accounts.

Audit Policy: A subcomponent of Local Policies that enables
you to define audit behavior for various system
activities, including logon events and object access.

User Rights Assignment: A subcomponent of Local Policies
that enables you to configure user rights, including the
ability to log on locally, access the computer from the
network, and shut down the system.

Security Options: A subcomponent of Local Policies that
enables you to configure many settings, including
Interactive logon settings, User Account Control settings,
and Shutdown settings.

Windows Firewall with Advanced Security: Enables you to
configure the firewall settings.

Network List Manager Policies: Enables you to configure
user options for configuring new network locations.

Public Key Policies: Include settings for Certificate
Auto-Enrollment and the Encrypting File System (EFS) Data
Recovery Agents.

Software Restriction Policies: Enables you to identify and
control which applications can run on the local computer.

IP Security Policies: Enables you to create, manage, and
assign IPSec policies.

Windows Update: Enables you to configure Automatic
updating. Located under Administrative Templates\Windows
Components.

Disk Quotas: Enables you to configure disk quotas. Located
under Administrative Templates\System.

Driver Installation: Enables you to configure driver
installation behavior. Located under Administrative
Templates\System.

After you configure the local policy, you can export the
security-related settings to a policy file and save them
in a security template file with an .INF extension. You
can then import the template into the Local Group Policy
Editor to use these templates to configure additional
computers.
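The same export can be driven from the command line, which turns it into a repeatable check rather than a one-off in the editor. The following PowerShell is an added example, not courseware code: it exports the local security policy with secedit.exe (an elevated prompt is required), parses the [System Access] section of the resulting .INF template, and compares the Password Policy and Account Lockout Policy values with a baseline. The key names are the ones secedit writes; the baseline thresholds and the function names are assumptions chosen for illustration.

```powershell
# Added example (not from the courseware). Exports the local security policy
# to a security template (.INF) with secedit.exe and checks the Account
# Policies in it against a baseline. Key names are the ones secedit writes;
# baseline values and function names are assumptions. Run elevated.

$template = Join-Path $env:TEMP 'local-security-policy.inf'
# SECURITYPOLICY covers Account Policies and Local Policies, the first rows of the table.
& secedit.exe /export /cfg $template /areas SECURITYPOLICY /quiet | Out-Null
if (-not (Test-Path $template)) { throw 'secedit export failed; run from an elevated prompt.' }

function Read-SecurityTemplate {
    param([Parameter(Mandatory = $true)] [string] $Path)
    # Returns @{ SectionName = @{ Key = Value } }; the file is INI-style and UTF-16.
    $sections = @{}
    $current = $null
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
        if ($current -and $line -match '^\s*([^=;]+?)\s*=\s*(.*?)\s*$') { $sections[$current][$Matches[1]] = $Matches[2] }
    }
    $sections
}

$systemAccess = (Read-SecurityTemplate $template)['System Access']
Remove-Item $template -ErrorAction SilentlyContinue   # nothing secret in it, but do not leave it behind

# Baseline (assumed). MaximumPasswordAge -1 means never expires; LockoutBadCount 0 means never lock out.
$baseline = @(
    @{ Setting = 'MinimumPasswordLength'; Expect = '>= 12';       Test = { param($v) [int]$v -ge 12 } }
    @{ Setting = 'PasswordComplexity';    Expect = '1 (enabled)'; Test = { param($v) [int]$v -eq 1 } }
    @{ Setting = 'PasswordHistorySize';   Expect = '>= 24';       Test = { param($v) [int]$v -ge 24 } }
    @{ Setting = 'MaximumPasswordAge';    Expect = '1..90 days';  Test = { param($v) [int]$v -ge 1 -and [int]$v -le 90 } }
    @{ Setting = 'LockoutBadCount';       Expect = '1..10';       Test = { param($v) [int]$v -ge 1 -and [int]$v -le 10 } }
)

function Test-AccountPolicy {
    param(
        [Parameter(Mandatory = $true)] [hashtable] $Settings,
        [Parameter(Mandatory = $true)] [object[]] $Checks
    )
    foreach ($check in $Checks) {
        $value = $Settings[$check.Setting]
        # A missing key fails the check: secedit omits lockout keys when LockoutBadCount is 0.
        $pass = if ($value -ne $null) { & $check.Test $value } else { $false }
        New-Object PSObject -Property @{ Setting = $check.Setting; Value = $value; Expected = $check.Expect; Pass = [bool]$pass }
    }
}

Test-AccountPolicy -Settings $systemAccess -Checks $baseline |
    Format-Table Setting, Value, Expected, Pass -AutoSize
```

As the table's notes say, these Account Policies govern local accounts only; on a domain member the domain's own policy governs domain accounts, so a passing result here says nothing about them. The parsed template can also be diffed against a saved copy to detect local policy drift between checks.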
This demonstration shows different security settings in
Windows 7 Local Group Policy Editor and then changes some
of these settings.

Review the Local Security Group Policy Settings
1. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, and in the Search programs and files box,
type “gpedit.msc”, and then press ENTER.
3. In the Local Group Policy Editor, expand Computer
Configuration, expand Windows Settings, and then expand
Security Settings.
4. Expand Account Policies and then click Password Policy.
5. Click Account Lockout Policy.
6. In the left pane, click and expand Local Policies and
then click Audit Policy.
7. In the main window, right-click Audit account
management and then select Properties.
8. In the Audit account management Properties dialog box,
select Success and Failure and then click OK.
9. Click User Rights Assignment.
10. Click Security Options.
11. In the left pane, click and expand Windows Firewall
with Advanced Security and then click Windows Firewall
with Advanced Security – Local Group Policy Object.
12. In the left pane, click Network List Manager
Policies.
13. In the left pane, click and expand Public Key
Policies and then click Encrypting File System.
14. Click BitLocker Drive Encryption.
15. In the left pane, click Software Restriction
Policies.
16. In the left pane, click and expand Application
Control Policies.
17. Click and expand AppLocker.
18. In the left pane, click IP Security Policies on
Local Computer.
19. In the left pane, click and expand Advanced Audit
Policy Configuration.
20. Click and expand System Audit Policies – Local Group
Policy Object.
21. Close the Local Group Policy Editor.
22. Log off LON-CL1.


Lesson 3
Securing Data by Using EFS and BitLocker

Laptops and desktop hard drives can be stolen, which poses
a risk for confidential data. You can secure data against
these risks by using a two-phased defensive strategy, one
that incorporates both Encrypting File System (EFS) and
Windows BitLocker™ Drive Encryption.
This lesson provides a brief overview of EFS. However, IT
professionals interested in implementing EFS must research
this topic thoroughly before making a decision. If you
implement EFS while lacking proper recovery operations or
misunderstanding how the feature works, you can cause your
data to be unnecessarily exposed. To implement a secure
and recoverable EFS policy, you must have a more
comprehensive understanding of EFS.
Another defensive strategy to complement EFS is Windows
BitLocker™ Drive Encryption. BitLocker protects against
data theft or exposure on computers that are lost or
stolen, and offers more secure data deletion when
computers are decommissioned. Data on a lost or stolen
computer is vulnerable to unauthorized access, either by
running a software attack tool against it or by
transferring the computer's hard disk to a different
computer. BitLocker helps mitigate unauthorized data
access on lost or stolen computers by combining two major
data-protection procedures: encrypting the entire Windows
operating system volume on the hard disk, and encrypting
multiple fixed volumes.

What is EFS?

The Encrypting File System (EFS) is the built-in file
encryption tool for Windows file systems. A component of
the NTFS file system, EFS enables transparent encryption
and decryption of files by using advanced, standard
cryptographic algorithms. Any individual or program that
does not possess the appropriate cryptographic key cannot
read the encrypted data. Encrypted files can be protected
even from those who gain physical possession of the
computer that the files reside on. Even persons who are
authorized to access the computer and its file system
cannot view the data.
IT professionals must understand that while encryption is
a powerful addition to any defensive plan, other defensive
strategies must be used because encryption is not the
correct countermeasure for every threat. Moreover, every
defensive weapon, if used incorrectly, carries the
potential for harm. EFS must be understood, implemented
appropriately, and managed effectively to ensure that your
experience, the experience of those to whom you provide
support, and the data you want to protect are not harmed.

The following are important basic facts about EFS:
• EFS encryption does not occur at the application level
but rather at the file-system level; therefore, the
encryption and decryption process is transparent to the
user and to the application. If a folder is marked for
encryption, every file created in or moved to the folder
will be encrypted. Applications do not have to understand
EFS or manage EFS-encrypted files any differently than
unencrypted files.
• If a user attempts to open a file and possesses the key
to do so, the file opens without additional effort on
the user's part. If the user does not possess the key,
he or she receives an "Access denied" error message.
• File encryption uses a symmetric key that is encrypted
with the user’s public key and stored in the file
header. A certificate with the user’s public and private
keys (known as asymmetric keys) is stored in the user’s
profile. This key pair is bound to a user identity and
made available to the user who has possession of the
user ID and password. The user’s private key must be
available for the file to be decrypted.
• If the private key is damaged or missing, even the user
that encrypted the file cannot decrypt it. If a recovery
agent exists, then the file may be recoverable. If key
archival has been implemented, then the key may be
recovered, and the file decrypted; otherwise, the file
may be lost. This encryption system is commonly referred
to as Public Key Infrastructure (PKI).
• The user’s certificate that contains his or her public
and private keys can be archived (for example, exported
to a floppy disk) and kept in a safe place to ensure
recovery, if keys become damaged.
• The user’s public and private keys are protected by the
user's password. Any user who can obtain the user ID and
password can log on as that user and decrypt that user's
files. Therefore, a strong password policy and strong
user education must be a component of each
organization's security practices to ensure the
protection of EFS-encrypted files.
• EFS-encrypted files do not remain encrypted during
transport if saved to or opened from a folder on a
remote server. The file is decrypted, traverses the
network in plaintext, and if saved to a folder on the
local drive that is marked for encryption, is encrypted
locally. EFS-encrypted files can remain encrypted while
traversing the network if they are being saved to a Web
folder using WebDAV.
• EFS is only supported on the NTFS file system. If a user
moves or copies an encrypted file to a non-NTFS file
system, like a floppy disk or USB flash drive formatted
with the file allocation table 32-bit (FAT32) file
system, the file will no longer be encrypted.

Note: When users encrypt files in remote shared folders, their keys are stored on the file
server.

Obtaining Key Pairs
Users need asymmetric key pairs to encrypt data. They can
obtain these keys as follows:
• From a Certificate Authority (CA). An internal or
third-party CA can issue EFS certificates. This method
allows keys to be centrally managed and backed up.
• By self-generating them. If a CA is unavailable, users
can generate a key pair. These keys have a lifespan of
one hundred years. This method is more cumbersome than
using a CA because there is no centralized management
and users become responsible for managing their own keys
(plus it is more difficult to manage for recovery);
however, it is still a popular method because no setup
is required.

Managing EFS Certificates


EFS uses public key cryptography to allow the encryption
of files. The keys are obtained from the user’s EFS
certificate. Because the EFS certificates may also contain
private key information, they must be managed correctly.
Users can make encrypted files accessible to other users’
EFS certificates. If you grant access to another user’s
EFS certificate, that user can, in turn, make the file
available to other users’ EFS certificates.

Note: EFS certificates are only issued to individual users, not to groups.

Backing Up Certificates
CA Administrators can archive and recover CA-issued EFS
certificates. Users must manually back up their self-
generated EFS certificates and private keys. To do this,
they can export the certificate and private key to a
Personal Information Exchange (PFX) file. These PFX files
are password protected during the export process. The
password is then required to import the certificate into a
user’s certificate store.
If you need to distribute only your public key, you can
export the client EFS certificate without the private key
to Canonical Encoding Rules (CER) files.
A user’s private key is stored in the user’s profile in
the RSA folder, which is accessed by expanding AppData,
expanding Roaming, expanding Microsoft, and then expanding
Crypto. Because there is only one instance of the key, it
is vulnerable to hard disk failure or data corruption.
The Certificate Manager MMC exports certificates and
private keys. EFS certificates are located in the Personal
Certificates store.
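The single copy of the private key described above is what has to be inventoried and backed up. The following PowerShell is an added example, not courseware code: it finds the certificates in the current user's Personal store whose enhanced key usage is Encrypting File System (the published OID 1.3.6.1.4.1.311.10.3.4), reports whether the private key is present and whether it lives on a smart card or in the profile, and exports each certificate with its private key to a password-protected PFX file plus a public-key-only .cer file. The backup folder and the function names are assumptions; cipher.exe /x is the built-in command that produces the same PFX backup.

```powershell
# Added example (not from the courseware). Inventories the current user's EFS
# certificates and backs each one up to a password-protected PFX, which is the
# manual backup the text describes for self-generated keys. The EKU OID is the
# published EFS object identifier; the backup folder and function names are
# assumptions.

$efsEkuOid = '1.3.6.1.4.1.311.10.3.4'   # Enhanced Key Usage: Encrypting File System

function Test-EfsCertificate {
    param([Parameter(Mandatory = $true)] [Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($eku in $ext.EnhancedKeyUsages) { if ($eku.Value -eq $efsEkuOid) { return $true } }
        }
    }
    return $false
}

function Get-EfsCertificateReport {
    foreach ($cert in (Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-EfsCertificate $_ })) {
        $onSmartCard = $null
        if ($cert.HasPrivateKey) {
            # Software keys live in the profile's RSA folder; smart card keys report a hardware device.
            try { $onSmartCard = $cert.PrivateKey.CspKeyContainerInfo.HardwareDevice } catch { $onSmartCard = 'unknown' }
        }
        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # self-generated key: no CA archive exists
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            OnSmartCard   = $onSmartCard
        }
    }
}

function Backup-EfsCertificate {
    param(
        [Parameter(Mandatory = $true)] [Security.Cryptography.X509Certificates.X509Certificate2] $Cert,
        [Parameter(Mandatory = $true)] [string] $Folder,
        [Parameter(Mandatory = $true)] [Security.SecureString] $Password
    )
    $pfx = Join-Path $Folder ($Cert.Thumbprint + '.pfx')
    $cer = Join-Path $Folder ($Cert.Thumbprint + '.cer')
    # PFX = certificate + private key, protected by the password that is needed to import it again.
    [IO.File]::WriteAllBytes($pfx, $Cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password))
    # CER = public key only; safe to hand to another user so they can grant you access to a file.
    [IO.File]::WriteAllBytes($cer, $Cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    $pfx
}

Get-EfsCertificateReport | Format-List

$backupFolder = Join-Path $env:USERPROFILE 'EFS-Backup'   # assumed; move the PFX to removable media afterwards
New-Item -ItemType Directory -Path $backupFolder -Force | Out-Null
$pfxPassword = Read-Host 'Password for the PFX files' -AsSecureString
Get-ChildItem Cert:\CurrentUser\My | Where-Object { (Test-EfsCertificate $_) -and $_.HasPrivateKey } | ForEach-Object {
    try { Backup-EfsCertificate -Cert $_ -Folder $backupFolder -Password $pfxPassword }
    catch { Write-Warning ('Could not export a certificate: ' + $_.Exception.Message) }
}
```

A PFX left in the profile is no protection against the disk failure the text warns about, so the backup is only complete once the file is on removable media or in an escrow the CA administrators control. Certificates that report SelfSigned and HasPrivateKey are exactly the ones with no CA archive behind them.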

EFS in Windows 7
Windows 7 includes a number of new EFS features,
including:
• Support for Storing Private Keys on Smart Cards: Windows
7 includes full support for storing users’ private keys
on smart cards. If a user logs onto Windows 7 with a
smart card, EFS can also use the smart card for file
encryption. Administrators can store their domain’s
recovery keys on a smart card. Recovering files is then
as simple as logging on to the affected machine, either
locally or using Remote Desktop, and using the recovery
smart card to access the files.
• Encrypting File System Rekeying Wizard: The Encrypting
File System rekeying wizard allows users to choose an
EFS certificate and then select and migrate existing
files that will use the newly chosen EFS certificate.
They can also use the wizard to migrate users in
existing installations from software certificates to
smart cards. The wizard is also helpful in recovery
situations because it is more efficient than decrypting
and re-encrypting files.
• New Group Policy Settings for EFS: You can use Group
Policy to centrally control and configure EFS protection
policies for the entire enterprise. A number of Group
Policy options were added to help administrators define
and implement EFS organizational policies.
• Encryption of the System Page File: Windows 7 allows
page file encryption through the local security policy
or Group Policy.
• Per-User Encryption of Offline Files: You can use EFS to
encrypt offline copies of files from remote servers.
When this option is enabled, each file in the offline
cache is encrypted with a public key from the user who
cached the file. Thus, only that user has access to the
file, and even local administrators cannot read the file
without access to the user's private keys.
• Support for AES 256-Bit Encryption: EFS supports
industry-standard encryption algorithms including
Advanced Encryption Standard (AES). AES uses a 256-bit
symmetric encryption key and is the default EFS
algorithm.

Question: Explain why system folders cannot be marked for
encryption.

Answer: EFS keys are not available during the startup
process; therefore, if system files are encrypted, the
system cannot start.

Demonstration: Encrypting and Decrypting Files and
Folders by Using EFS
This demonstration shows how to encrypt and decrypt files
and folders by using EFS.

Encrypt Files and Folders
1. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start and then click Computer.
3. Double-click Local Disk (C:).
4. Right-click an empty space in the Name column, point to
New, and then click Folder.
5. Type “Encrypted” in the folder name and then press
ENTER.
6. Double-click Encrypted, and then right-click an empty
space in the Name column, point to New, and then click
Microsoft Office Word Document.
7. Type “Private”, and then press ENTER.
8. Click the left arrow in the menu bar to return to Local
Disk (C:).
9. Right-click the Encrypted folder, and then click
Properties.
10. On the General tab, click Advanced.
11. Select the Encrypt contents to secure data check
box, and then click OK.
12. In the Encrypted Properties dialog box, click OK,
and then in the Confirm Attribute Changes dialog box,
click Apply changes to this folder, subfolders and
files.
13. Click OK.
14. Click OK to close the Encrypted Properties dialog
box and then log off.

Confirm the Files and Folders are Encrypted
1. Log on to LON-CL1 as Contoso\Adam with a password of
Pa$$w0rd.
2. Click Start and then click Computer.
3. Double-click Local Disk (C:).
4. Double-click the Encrypted folder.
5. Double-click Private.
6. Click OK when prompted with a message.
7. Click OK to close the User Name box.
8. Close the file.
9. Log off.

Decrypt Files and Folders
1. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, click Computer, and then double-click
Local Disk (C:).
3. Right-click the Encrypted folder and then click
Properties.
4. On the General tab, click Advanced.
5. Clear the Encrypt contents to secure data check box and
then click OK.
6. Click OK to close the Encrypted Properties dialog box.
7. In the Confirm Attribute Changes dialog box, click OK.
8. Log off.

Confirm the Files and Folders are Decrypted
1. Log on to LON-CL1 as Contoso\Adam with a password of
Pa$$w0rd.
2. Click Start and then click Computer.
3. Double-click Local Disk (C:).
4. Double-click the Encrypted folder.
5. Double-click Private.
6. Type “decrypted” in the file.
7. Save and close the file.
8. Log off.
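The same encrypt, verify and decrypt cycle can be run from the command line, which also makes it possible to see why the second user gets "Access denied" rather than just observing it. The following PowerShell is an added example, not courseware code: it uses cipher.exe and the Encrypted file attribute on C:\Encrypted, the folder the demonstration creates. The sample file is constructed (the demonstration uses a Word document) and the function names are assumptions; run it as the user who should own the files.

```powershell
# Added example (not from the courseware). Repeats the demonstration's
# encrypt / verify / decrypt cycle from the command line with cipher.exe and
# the Encrypted file attribute, and shows which certificates can open each
# file. C:\Encrypted is the demonstration's folder; the file name and the
# function names are assumptions.

$folder = 'C:\Encrypted'

function Test-EfsEncrypted {
    param([Parameter(Mandatory = $true)] [string] $Path)
    # NTFS records EFS state in the item's attributes, for files and folders alike.
    $attributes = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attributes -band [IO.FileAttributes]::Encrypted)
}

function Get-EfsFolderState {
    param([Parameter(Mandatory = $true)] [string] $Folder)
    New-Object PSObject -Property @{ Item = $Folder; Encrypted = (Test-EfsEncrypted $Folder) }
    foreach ($item in Get-ChildItem -LiteralPath $Folder -Force) {
        New-Object PSObject -Property @{ Item = $item.FullName; Encrypted = (Test-EfsEncrypted $item.FullName) }
    }
}

# 1. Create the folder and a constructed sample file.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
Set-Content -Path (Join-Path $folder 'Private.txt') -Value 'constructed sample content'

# 2. Encrypt the folder and everything in it; this is "Encrypt contents to secure
#    data" with "Apply changes to this folder, subfolders and files".
& cipher.exe /e "/s:$folder" | Out-Null
'After encryption:'
Get-EfsFolderState $folder | Format-Table Item, Encrypted -AutoSize

# 3. Who can open each file: cipher /c lists the user certificates and recovery
#    agents whose keys wrap the file's symmetric key. A user whose certificate
#    is not listed (Adam in the demonstration) is the one who gets Access denied.
& cipher.exe /c "/s:$folder"

# 4. Decrypt again, which is what clearing the check box does.
& cipher.exe /d "/s:$folder" | Out-Null
'After decryption:'
Get-EfsFolderState $folder | Format-Table Item, Encrypted -AutoSize
```

Two things are worth noting when this is done for real rather than in a lab. Decrypting writes the plaintext back to the volume, so cipher.exe /w:C:\ afterwards overwrites the free space the old ciphertext and any temporary copies occupied. And the cipher /c listing is the place to confirm that a data recovery agent is present before users start encrypting, since the text's warning about lost keys applies to every file that lists only one certificate.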

What Is BitLocker?
Windows BitLocker™ Drive Encryption provides protection
for the computer operating system and data stored on the
operating system volume by ensuring that data stored on a
computer remains encrypted, even if the computer is
tampered with when the operating system is not running.
BitLocker provides a closely integrated solution in
Windows 7 to address the threats of data theft or exposure
from lost, stolen, or inappropriately decommissioned
personal computers.
Data on a lost or stolen computer can become vulnerable to
unauthorized access when a user either runs a software
attack tool against it or transfers the computer’s hard
disk to a different computer. BitLocker helps mitigate
unauthorized data access by enhancing Windows file and
system protections. BitLocker also helps render data
inaccessible when BitLocker-protected computers are
decommissioned or recycled.
BitLocker Drive Encryption performs two functions to
provide both offline data protection and system integrity
verification:
• BitLocker encrypts all data stored on the Windows
operating system volume (and configured data volumes).
This includes the Windows operating system, hibernation
and paging files, applications, and data used by
applications. BitLocker also provides an umbrella
protection for non-Microsoft applications, which
benefits the applications automatically when they are
installed on the encrypted volume.
• BitLocker is configured by default to use a Trusted
Platform Module (TPM) to help ensure the integrity of
early startup components (components used in the earlier
stages of the startup process), and "locks" any
BitLocker-protected volumes so that they remain
protected even if the computer is tampered with when the
operating system is not running.

System Integrity Verification
BitLocker uses the TPM to verify the integrity of the
startup process by:
• Providing a method to check that early boot file
integrity has been maintained, and to help ensure that
there has been no adverse modification of those files,
such as with boot sector viruses or root kits.
• Enhancing protection to mitigate offline software-based
attacks. Any alternative software that might start the
system does not have access to the decryption keys for
the Windows operating system volume.
• Locking the system when tampered with. If any monitored
files have been tampered with, the system does not
start. This alerts the user to the tampering since the
system fails to start as usual. In the event that system
lockout occurs, BitLocker offers a simple recovery
process.
In conjunction with the TPM, BitLocker verifies the
integrity of early startup components, which helps prevent
additional offline attacks, such as attempts to insert
malicious code into those components. This functionality
is important because the components in the earliest part
of the startup process must be available unencrypted so
that the computer can start.
Without that verification, an attacker could change the
code in those early startup components and then gain
access to the computer, even though the data on the disk
was encrypted. Then, if the attacker gains access to
confidential information such as the BitLocker keys or
user passwords, BitLocker and other Windows security
protections can be circumvented.

BitLocker in Windows 7

The core functionality of BitLocker in Windows 7 has been enhanced to provide a better experience for IT professionals and for end users, from simple enhancements such as the ability to right-click a drive to enable BitLocker protection to the automatic creation of the required hidden boot partition.
For customers who deployed Windows Vista, BitLocker required a two-partition disk configuration. Repartitioning the operating system (OS) drive to enable BitLocker protection was more cumbersome than it needed to be. This problem has been addressed with two enhancements found in Windows 7. First, by default during Windows 7 setup, users get a separate active system partition, which is required for BitLocker to work on OS drives. This eliminates a second step that was required in many environments. In addition, you can partition a drive for BitLocker as part of BitLocker setup if you do not already have a separate system partition.
Additionally, BitLocker Drive Encryption technology in Windows 7 is extended from operating system drives and fixed data drives to include removable storage devices such as portable hard drives and USB flash drives. This enables you to take your protected data with you when traveling and use it with any computer that is running Windows 7.

Using BitLocker To Go with Removable Drives

When a laptop is lost or stolen, the loss of data typically has more impact than the loss of the computer asset. As more people use removable storage devices, they can lose data without losing a PC. BitLocker To Go provides enhanced protection against data theft and exposure by extending BitLocker drive encryption support to removable storage devices such as USB flash drives, and is manageable through Group Policy.
In Windows 7, users can encrypt their removable media by opening Windows Explorer, right-clicking the drive, and clicking Turn On BitLocker. They are then asked to choose a method to unlock the drive. These options include:
• Password: A combination of letters, symbols, and numbers that the user enters to unlock the drive.
• Smart card: In most cases, a smart card is issued by your organization, and the user enters the smart card PIN to unlock the drive.
After choosing the unlock method, users are asked to print or save their recovery password. This is a 48-digit password that can also be stored in Active Directory Domain Services and used if other unlock methods fail (for example, when a password is forgotten). Finally, users are asked to confirm their unlock selections and to begin encryption.
When you insert a BitLocker-protected drive into your computer, Windows automatically detects that the drive is encrypted and prompts you to unlock it.

Comparing BitLocker and EFS

The following table compares BitLocker and EFS encryption functionality.

BitLocker functionality | EFS functionality
Encrypts volumes (the entire operating system volume, including Windows system files and the hibernation file) | Encrypts files
Does not require user certificates | Requires user certificates
Protects the operating system from modification | Does not protect the operating system from modification

Question: BitLocker provides full volume encryption. What does this mean?

Answer: Full volume encryption means: 1) the entire Windows operating system volume can be encrypted, and 2) fixed data volumes can be encrypted (with the requirement that the OS volume is also encrypted).

BitLocker Requirements

In Windows 7, drives are automatically prepared for use by BitLocker; as a result, there is no need to create separate partitions before turning BitLocker on. This is an improvement over previous Windows versions, which required that users manually partition their hard drive.
The system partition on the hard drive is automatically created by Windows 7. This partition does not have a drive letter, so it is not visible in Windows Explorer and data files will not be written to it inadvertently. In a default installation, a computer has a separate system partition and an operating system drive. The system partition is smaller in Windows 7 than in Windows Vista, requiring only 100 MB of space.
BitLocker can be used to encrypt operating system drives, fixed data drives, and removable data drives in Windows 7 and Windows Server 2008 R2. When BitLocker is used with data drives, the drive can be formatted with the exFAT, FAT16, FAT32, or NTFS file system and must have at least 64 MB of available disk space. When BitLocker is used with operating system drives, the drive must be formatted with the NTFS file system.
Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from the hard disk, you must have one of the following:
• A computer with Trusted Platform Module (TPM) version 1.2.
• A removable Universal Serial Bus (USB) memory device, such as a USB flash drive.
On computers that do not have TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification that BitLocker offers when working with a TPM.
In addition, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device, such as a flash drive, that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer will not start or resume from hibernation until the correct PIN or startup key is presented.

Hardware Requirements

To turn on BitLocker Drive Encryption, the computer's hard drive must meet the following requirements:
• Have the space necessary for Windows 7 to create the two disk partitions: one for the system volume and one for the operating system volume.
  • System volume: This partition includes the drive on which Windows is installed; BitLocker encrypts this drive, which no longer needs a drive letter.
  • Operating system volume: A second partition is created as needed when BitLocker is enabled in Windows 7. This partition must remain unencrypted so that you can start the computer. This partition must be 100 megabytes and set as the active partition.
• Have a Basic Input/Output System (BIOS) that is compatible with TPM or supports USB devices during computer startup. The BIOS must be:
  • Trusted Computing Group (TCG) compliant.
  • Set to start first from the hard disk, and not the USB or CD drives.
  • Able to read from a USB flash drive during startup.

Determine if a Computer has a TPM Version 1.2 Chip

A TPM is not required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification. Perform the following steps to determine if a computer has a TPM version 1.2 chip:
1. Click Start, click Control Panel, and then click BitLocker Drive Encryption.
2. In the lower left corner, click TPM Administration. The Trusted Platform Module (TPM) Management on Local Computer console opens. If the computer does not have the TPM 1.2 chip, the message Compatible TPM cannot be found appears.
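
The same check can be scripted, which is useful when you need to inventory many computers before a BitLocker rollout. The following PowerShell script is an added example and is not part of the courseware: it queries the Win32_Tpm WMI class (the provider behind the TPM Management console) and reports whether a TPM is present, its specification version, and whether it is enabled, activated and owned. The function name Get-TpmSummary and the BitLockerTpmReady field are this example's own; the script must run from an elevated PowerShell prompt because the MicrosoftTpm namespace requires administrator rights.

```powershell
# Added example (not courseware code): answer "does this computer have a
# TPM 1.2?" through WMI, the same provider the TPM Management console uses.
# Run from an elevated PowerShell prompt.

function Get-TpmSummary {
    $tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($tpm -eq $null) {
        # No Win32_Tpm instance: the console would show "Compatible TPM cannot be found"
        return New-Object PSObject -Property @{
            Present           = $false
            SpecVersion       = $null
            Enabled           = $false
            Activated         = $false
            Owned             = $false
            BitLockerTpmReady = $false
        }
    }

    # SpecVersion is a string such as "1.2, 2, 3"; the first field is the TCG
    # specification version that BitLocker requires to be 1.2
    $spec = ($tpm.SpecVersion -split ",")[0].Trim()

    # Each state query returns an object whose property of the same name holds the answer
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned

    # BitLocker can use TPM protection only when the TPM is 1.2 and has been
    # enabled and activated in the BIOS and initialized (owned) by Windows
    return New-Object PSObject -Property @{
        Present           = $true
        SpecVersion       = $spec
        Enabled           = $enabled
        Activated         = $activated
        Owned             = $owned
        BitLockerTpmReady = ($spec -eq "1.2" -and $enabled -and $activated -and $owned)
    }
}

$summary = Get-TpmSummary
if (-not $summary.Present) {
    Write-Output "Compatible TPM cannot be found."
    Write-Output "BitLocker can still protect the OS drive with a USB startup key, but without pre-startup integrity verification."
} else {
    $summary | Format-List Present, SpecVersion, Enabled, Activated, Owned, BitLockerTpmReady
}
```

A TPM that is present but not enabled or activated in the BIOS still shows up here with Enabled or Activated set to False; that is the case in which the BitLocker setup wizard launches the Initialize TPM Security Hardware wizard described later in this lesson.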

BitLocker Modes

BitLocker can run on two types of computers:
• Those that are running Trusted Platform Module (TPM) version 1.2.
• Those without TPM version 1.2, but that have a removable Universal Serial Bus (USB) memory device.
This topic provides an in-depth examination of these two BitLocker modes.

Computers with TPM Version 1.2

The most secure implementation of BitLocker leverages the enhanced security capabilities of TPM version 1.2. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer running Windows 7 has not been tampered with while the system was offline.
BitLocker supports TPM version 1.2, but it does not support older TPMs. Version 1.2 TPMs provide increased standardization, security enhancement, and improved functionality over previous versions. Windows 7 was designed with these TPM improvements in mind.
On computers that have a TPM version 1.2, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer's boot components appear unaltered and the encrypted disk is located in the original computer.
If you enable BitLocker on a Windows 7 computer that has a TPM version 1.2, you can add the following additional factors of authentication to the TPM protection:
• BitLocker offers the option to lock the normal boot process until the user supplies a personal identification number (PIN) or inserts a USB device (such as a flash drive) that contains a BitLocker startup key.
• Both the PIN and the USB device can be required.
In a scenario that uses a TPM with an advanced startup option, you can add a second factor of authentication to the standard TPM protection: a PIN or a startup key on a USB flash drive. To use a USB flash drive with a TPM, the computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). Your BIOS can be checked by the hardware test near the end of the BitLocker setup wizard.
These additional security measures provide multifactor authentication and help ensure that the computer will not start or resume from hibernation until the correct authentication method is presented.

How TPM works

On computers equipped with a TPM, each time the computer starts, each of the early startup components (such as the BIOS, the boot sector, and the boot manager code) examines the code about to be run, calculates a hash value, and stores the value in the TPM. Once stored in the TPM, that value cannot be replaced until the system is restarted. A combination of these values is recorded.
These recorded values can also be used to protect data by using the TPM to create a key that is tied to these values. When this type of key is created, the TPM encrypts it, and only that specific TPM can decrypt it. Each time the computer starts, the TPM compares the values generated during the current startup with the values that existed when the key was created. It decrypts the key only if those values match. This process is called "sealing" and "unsealing" the key.
As part of its system integrity verification process, BitLocker examines and seals keys to the measurements of the following:
• The Core Root of Trust (CRTM)
• The BIOS and any platform extensions
• Option read-only memory (ROM) code
• MBR code
• The NTFS boot sector
• The boot manager
If any of these items are changed unexpectedly, BitLocker locks the drive to prevent it from being accessed or decrypted.
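
The measurement chain described above, as an added illustration that is not part of the courseware: a PowerShell simulation in which the hash of each early boot component is "extended" into a register the way a TPM 1.2 extends a platform configuration register (the register can never be written, only replaced by SHA-1 of its old value concatenated with the new measurement), a key is bound to the resulting register value, and the key is released only when a later boot reproduces exactly that value. The component strings, the 20-byte register, and the Protect-Key and Unprotect-Key functions are constructed stand-ins for illustration; no real firmware, boot code or TPM call is involved.

```powershell
# Added illustration (not courseware code): simulate how a TPM 1.2 PCR is
# extended with each early boot component and why a key sealed to that PCR
# is released only when the measurements match. Everything runs in software.

$sha1 = [System.Security.Cryptography.SHA1]::Create()

function Get-Sha1([byte[]]$Bytes) {
    # The leading comma keeps the byte[] intact instead of unrolling it
    return ,$sha1.ComputeHash($Bytes)
}

function Extend-Pcr([byte[]]$Pcr, [byte[]]$Component) {
    # PCR_new = SHA1(PCR_old || SHA1(component)); because the old value is an
    # input, the order and content of every measurement survive in the result
    $componentDigest = [byte[]](Get-Sha1 $Component)
    return ,([byte[]](Get-Sha1 ([byte[]]($Pcr + $componentDigest))))
}

function Measure-BootChain($Components) {
    # PCRs are all zeros after reset; each component measures the next one
    $pcr = New-Object byte[] 20
    foreach ($c in $Components) { $pcr = [byte[]](Extend-Pcr $pcr ([byte[]]$c)) }
    return ,$pcr
}

function Protect-Key([byte[]]$VolumeMasterKey, [byte[]]$Pcr) {
    # Stand-in for sealing: bind the key to the PCR value seen at sealing time.
    # A real TPM keeps the key encrypted inside itself; here it is simply held.
    return @{ Key = $VolumeMasterKey; BoundPcr = [BitConverter]::ToString($Pcr) }
}

function Unprotect-Key($Sealed, [byte[]]$CurrentPcr) {
    # Unsealing succeeds only if the current boot produced the same PCR value
    if ([BitConverter]::ToString($CurrentPcr) -eq $Sealed.BoundPcr) {
        return ,$Sealed.Key
    }
    return $null    # measurements differ: key withheld, the volume stays locked
}

$ascii = [System.Text.Encoding]::ASCII
# Constructed stand-ins for the measured components, in the order the text lists them
$goodBoot = @($ascii.GetBytes("CRTM"), $ascii.GetBytes("BIOS 1.07"), $ascii.GetBytes("OptionROM"),
              $ascii.GetBytes("MBR"), $ascii.GetBytes("NTFS boot sector"), $ascii.GetBytes("bootmgr"))
# The same chain with one byte of the MBR changed
$alteredBoot = @($goodBoot[0], $goodBoot[1], $goodBoot[2], $ascii.GetBytes("MBR*"), $goodBoot[4], $goodBoot[5])

# A random stand-in for the volume master key, sealed against the trusted chain
$vmk = New-Object byte[] 32
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($vmk)
$sealed = Protect-Key $vmk (Measure-BootChain $goodBoot)

function Test-Unseal($Label, $Chain) {
    $pcr = [byte[]](Measure-BootChain $Chain)
    $key = Unprotect-Key $sealed $pcr
    $result = if ($key) { "key released, volume unlocks" } else { "key withheld, recovery mode" }
    Write-Output ("{0,-22} PCR={1}  -> {2}" -f $Label, ([BitConverter]::ToString($pcr) -replace "-", ""), $result)
}

Test-Unseal "Unmodified boot chain" $goodBoot
Test-Unseal "Altered MBR" $alteredBoot
```

Running the script shows two different PCR values for the two chains and the key released only for the first. The point the simulation makes is that the TPM never has to know what a "good" MBR looks like; it only has to refuse to unseal when the accumulated hash differs from the one recorded at sealing time, which is exactly why a changed boot component sends the computer into recovery mode rather than silently booting.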

Computers without TPM version 1.2

By default, BitLocker is configured to look for and use a TPM. You can use Group Policy to allow BitLocker to work without a TPM and store keys on an external USB flash drive; however, BitLocker cannot then verify the early startup components.
You can enable BitLocker on a computer without a TPM version 1.2, provided that the BIOS has the ability to read from a USB flash drive in the boot environment. This is because BitLocker will not unlock the protected volume until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs will not be able to use the system integrity verification that BitLocker can also provide.
If the startup key is located on a USB flash drive, your computer must have a BIOS that can read USB flash drives in the pre-operating system environment (at startup). Your BIOS can be checked by the hardware test near the end of the BitLocker setup wizard.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker System Check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
To enable BitLocker on a computer without a TPM, use Group Policy to enable the advanced BitLocker user interface. With the advanced options enabled, the non-TPM settings appear in the BitLocker setup wizard.

Group Policy Settings for BitLocker

BitLocker in Windows 7 introduces several new Group Policy settings that permit straightforward feature management. For example, administrators are able to:
• Require that all removable drives be BitLocker-protected before data can be saved on them.
• Require or disallow specific methods for unlocking BitLocker-protected drives.
• Configure methods to recover data from BitLocker-protected drives if the user's unlock credentials are not available.
• Require or prevent different types of recovery password storage, or make them optional.
• Prevent BitLocker from being enabled if the keys cannot be backed up to Active Directory.

In addition to recovery passwords, administrators can use Group Policy to configure a domain-wide public key called a data recovery agent that will permit an administrator to unlock any drive encrypted with BitLocker. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console (GPMC) or the Local Group Policy Editor.
To use a data recovery agent with BitLocker, you must enable the appropriate Group Policy setting for the drives that you are using with BitLocker. These settings are:
• Configure how BitLocker-protected operating system drives can be recovered.
• Configure how BitLocker-protected removable data drives can be recovered.
• Configure how BitLocker-protected fixed data drives can be recovered.
• Configure how BitLocker-protected drives can be recovered (Windows Server 2008 and Windows 7).
When you enable the policy setting, select the Enable data recovery agent check box. There is a policy setting for each type of drive, so you can configure individual recovery policies for each type of drive on which you enable BitLocker.
You must also enable and configure the Provide the unique identifiers for your organization policy setting to associate a unique identifier with a new drive that is protected with BitLocker. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker will manage and update data recovery agents only when an identification field is present on a drive and is identical to the value configured on the computer.
Using these policy settings helps enforce standard deployment of BitLocker Drive Encryption in your organization. Group Policy settings that affect BitLocker are located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption. Globally applied BitLocker Group Policy settings are located in this folder. Subfolders for fixed data drives, operating system drives, and removable drives support configuration of policy settings specific to those drives.

Note: If you want to use BitLocker to protect an operating system drive on a computer that does not have a Trusted Platform Module (TPM), you must enable the Require additional authentication at startup Group Policy setting, and then within that setting, click Allow BitLocker without a compatible TPM.

Summarized Group Policy Settings

Group Policy settings that affect BitLocker are located in Computer Configuration/Administrative Templates/Windows Components/BitLocker Drive Encryption.
The following table summarizes these settings.

Setting name | Default | Description
Turn on BitLocker backup to Active Directory Domain Services (AD DS) | Disabled | This policy setting controls whether BitLocker recovery information is backed up in AD DS. If enabled, it also can control whether backup is required or optional and whether only a recovery password or a full recovery package is saved.
Control Panel Setup: Configure recovery folder | None (User selects) | This policy setting specifies a default location that is shown to the user to save recovery keys. This can be a local or network location. The user is free to choose other locations.
Control Panel Setup: Configure recovery options | None (User selects) | This policy setting allows you to configure whether the BitLocker Drive Encryption setup wizard will ask the user to save BitLocker recovery options. Two recovery options can unlock access to BitLocker-encrypted data. The user can type a random 48-digit numerical recovery password, or insert a USB flash drive containing a random 256-bit recovery key. Each of these can be required or disallowed. If you disallow both options, backup to AD DS must be enabled.
Control Panel Setup: Enable advanced startup options | Disabled | This policy setting allows you to configure whether BitLocker can be enabled on computers without a TPM, and whether multi-factor authentication may be used on computers with a TPM.
Configure encryption method | AES 128 bit with Diffuser | This policy setting configures the length of the AES encryption key and whether the Diffuser is used or not.
Prevent memory overwrite on restart | Disabled (memory will be overwritten) | BitLocker keys can persist in memory between restarts if the computer is not powered off. Therefore, BitLocker instructs the BIOS to wipe all memory on "warm" restarts. This can result in a noticeable delay on systems with large amounts of memory. Enabling this setting can improve restart performance, but does increase security risk.
Configure TPM platform validation profile | PCRs 0, 2, 4, 8, 9, 11 | Configures which of the TPM platform measurements stored in platform control registers (PCRs) are used to seal BitLocker keys.

Group Policy Settings and TPM

Group Policy settings that control TPM behavior are located in Computer Configuration/Administrative Templates/System/Trusted Platform Module services.
The following table summarizes these settings.

Setting name | Default | Description
Turn on TPM backup to Active Directory Domain Services (AD DS) | Disabled | This policy setting controls whether TPM owner password information is backed up in AD DS. If enabled, it also can control whether backup is required or optional.
Configure the list of blocked TPM commands | None | This policy allows specific TPM functions to be disabled or enabled, but the next two settings can restrict which commands are available. Group Policy–based lists override local lists. Local lists can be configured in the TPM Management console.
Ignore the default list of blocked TPM commands | Disabled | By default, certain TPM commands are blocked. To enable these commands, this policy setting must be enabled.
Ignore the local list of blocked TPM commands | Disabled | By default, a local administrator can block commands in the TPM Management console. This setting can be used to prevent that behavior.

Configuring BitLocker

In Windows 7, you can enable BitLocker from either System and Settings in Control Panel or by right-clicking the volume to be encrypted. This initiates the BitLocker Setup Wizard, and the BitLocker Drive Preparation tool validates system requirements. During the preparation phase, the second partition is created if it does not already exist.

Administration

IT Professionals can manage BitLocker using the BitLocker control panel, accessible from the Security item in the Windows 7 Control Panel. A command-line management tool, manage-bde.wsf, is also available for IT Professionals to perform scripting functionality remotely.
Once the volume has been encrypted and protected with BitLocker, the Manage Keys page in the BitLocker control panel enables local and domain administrators to duplicate keys and reset the PIN.
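
The BitLocker control panel and the command-line tool both sit on top of the Win32_EncryptableVolume WMI class, which an administrator can query directly to audit every volume at once. The following PowerShell script is an added example and is not courseware code: it lists each encryptable volume's protection status, conversion progress, encryption method and key protector types, and flags protected volumes that have no numerical (recovery) password protector, since such a volume has nothing to fall back on if the TPM, PIN or startup key is lost. The numeric code tables are the documented return values of the class's methods; the function name Get-BitLockerAudit and the Warning column are this example's own. Run it from an elevated prompt.

```powershell
# Added example (not courseware code): audit BitLocker state on every
# encryptable volume through the Win32_EncryptableVolume WMI class, the same
# provider the BitLocker control panel and manage-bde use. Run elevated.
# The numeric codes below are the documented return values of the class.

$ProtectionStatus = @{ 0 = "Unprotected"; 1 = "Protected"; 2 = "Unknown" }
$ConversionStatus = @{ 0 = "FullyDecrypted"; 1 = "FullyEncrypted"; 2 = "EncryptionInProgress";
                       3 = "DecryptionInProgress"; 4 = "EncryptionPaused"; 5 = "DecryptionPaused" }
$EncryptionMethod = @{ 0 = "None"; 1 = "AES128_WithDiffuser"; 2 = "AES256_WithDiffuser"; 3 = "AES128"; 4 = "AES256" }
$ProtectorType    = @{ 0 = "Unknown"; 1 = "TPM"; 2 = "ExternalKey"; 3 = "NumericalPassword"; 4 = "TPMAndPIN";
                       5 = "TPMAndStartupKey"; 6 = "TPMAndPINAndStartupKey"; 7 = "PublicKey"; 8 = "Passphrase" }

function Get-BitLockerAudit {
    $volumes = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" -Class Win32_EncryptableVolume
    foreach ($vol in $volumes) {
        $protection = [int]$vol.GetProtectionStatus().ProtectionStatus
        $conversion = $vol.GetConversionStatus()
        $method     = [int]$vol.GetEncryptionMethod().EncryptionMethod

        # GetKeyProtectors(0) returns the IDs of protectors of every type;
        # each ID is then resolved to its protector type
        $types = @()
        $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID
        if ($ids) {
            foreach ($id in $ids) {
                $types += $ProtectorType[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
            }
        }

        # A protected volume without a recovery password cannot be recovered
        # if its TPM, PIN or startup key is ever unavailable
        $warning = ""
        if ($protection -eq 1 -and -not ($types -contains "NumericalPassword")) {
            $warning = "no recovery password protector"
        }

        New-Object PSObject -Property @{
            Drive      = $vol.DriveLetter
            Protection = $ProtectionStatus[$protection]
            Conversion = $ConversionStatus[[int]$conversion.ConversionStatus]
            Percent    = $conversion.EncryptionPercentage
            Method     = $EncryptionMethod[$method]
            Protectors = ($types -join ", ")
            Warning    = $warning
        }
    }
}

Get-BitLockerAudit | Format-Table Drive, Protection, Conversion, Percent, Method, Protectors, Warning -AutoSize
```

The same information for a single computer is printed by manage-bde -status; the WMI form is what you would schedule or run remotely to produce a report, and the Warning column is the one line worth alerting on, since it corresponds to the Group Policy goal of never enabling BitLocker unless recovery information has been preserved.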

Turning on BitLocker with TPM Management

The BitLocker control panel displays BitLocker's status and provides the functionality to enable or disable BitLocker. If BitLocker is actively encrypting or decrypting data due to a recent installation or uninstall request, the progress status appears. IT Professionals can also use the BitLocker control panel to access the TPM management MMC.
Perform the following steps to turn on BitLocker Drive Encryption:
1. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want and then click Continue.
3. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. A message appears, warning that BitLocker encryption might have a performance impact on your server.
   If your TPM is not initialized, the Initialize TPM Security Hardware wizard appears. Follow the directions to initialize the TPM and restart or shut down your computer.
4. The Save the recovery password page shows the following options:
   • Save the password on a USB drive: Saves the password to a USB flash drive.
   • Save the password in a folder: Saves the password to a folder on a network drive or other location.
   • Print the password: Prints the password.
   Use one or more of these options to preserve the recovery password. For each, select the option and follow the wizard steps to set the location for saving or printing the recovery password.
   When you have finished saving the recovery password, click Next.
5. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected, and then click Continue.
   Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is not, an error message will alert you to the problem.
6. If the computer is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the ongoing completion status of the disk volume encryption by dragging your mouse cursor over the BitLocker Drive Encryption icon in the notification area at the bottom of your screen.
By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to this volume. The next time you log on, you will see no change. If the TPM ever changes or cannot be accessed, if there are changes to key system files, or if someone tries to start the computer from a product CD or DVD to circumvent the operating system, the computer will switch to recovery mode until the recovery password is supplied.

Turning on BitLocker without TPM Management

Use the following procedure to change your computer's Group Policy settings so that you can turn on BitLocker Drive Encryption without a TPM. Instead of a TPM, you will use a startup key to authenticate yourself. The startup key is located on a USB flash drive inserted into the computer before the computer is turned on.
For this scenario, you must have a BIOS that will read USB flash drives in the pre-operating system environment (at startup). Your BIOS can be checked by the System Check in the final step of the BitLocker wizard.
Before you start:
• You must be logged on as an administrator.
• BitLocker must be installed on this server.
• You must have a USB flash drive to save the recovery password.
• Try using a second USB flash drive to store the startup key separate from the recovery password.
Perform the following steps to turn on BitLocker Drive Encryption on a computer without a compatible TPM:
1. Click Start, type “gpedit.msc” in the Start Search box, and then press ENTER.
2. If the User Account Control dialog box appears, confirm that the action it displays is what you want and then click Continue.
3. In the Local Group Policy Editor console tree, click Local Computer Policy, click Administrative Templates, click Windows Components, and then click BitLocker Drive Encryption.
4. Double-click the Control Panel Setup: Enable Advanced Startup Options setting.
5. Select the Enabled option, select the Allow BitLocker without a compatible TPM check box, and then click OK. You have changed the policy setting so that you can use a startup key instead of a TPM.
6. Close the Local Group Policy Editor.
7. To force Group Policy to apply immediately, you can click Start, type “gpupdate.exe /force” in the Start Search box, and then press ENTER.
8. Click Start, click Control Panel, click Security, and then click BitLocker Drive Encryption.
9. If the User Account Control dialog box appears, confirm that the action it displays is what you want and then click Continue.
10. On the BitLocker Drive Encryption page, click Turn On BitLocker. This will only appear with the operating system volume.
11. On the Set BitLocker Startup Preferences page, select the Require Startup USB Key at every startup option. This is the only option available for non-TPM configurations. This key must be inserted each time before you start the computer.
12. Insert your USB flash drive in the computer, if it is not already there.
13. On the Save your Startup Key page, choose the location of your USB flash drive, and then click Save.
14. The following options are available on the Save the recovery password page:
    • Save the password on a USB drive: saves the password to a USB flash drive.
    • Save the password in a folder: saves the password to a folder on a network drive or other location.
    • Print the password: prints the password.
    Use one or more of these options to preserve the recovery password. For each, select the option and follow the wizard steps to set the location for saving or printing the recovery password. Do not store the recovery password and the startup key on the same media.
    When you have finished saving the recovery password, click Next.
15. On the Encrypt the selected disk volume page, confirm that the Run BitLocker System Check check box is selected and then click Continue.
    Confirm that you want to restart the computer by clicking Restart Now. The computer restarts and BitLocker verifies whether the computer is BitLocker-compatible and ready for encryption. If it is not, you will see an error message alerting you to the problem before encryption starts.
16. If the computer is ready for encryption, the Encryption in Progress status bar is displayed. You can monitor the ongoing completion status of the disk volume encryption by dragging your mouse cursor over the BitLocker Drive Encryption icon in the notification area at the bottom of your screen or clicking on the Encryption icon.
By completing this procedure, you have encrypted the operating system volume and created a recovery password unique to that volume. The next time you turn your computer on, the USB flash drive with the startup key must be plugged into a USB port on the computer. If it is not, you will not be able to access data on your encrypted volume.
If you do not have the USB flash drive containing your startup key, then to access the data, you will need to use recovery mode and supply the recovery password.
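
Steps 5 through 7 above change a policy setting and force a refresh, but the BitLocker wizard will still demand a TPM if the refresh did not actually land on the computer (for example, because a domain GPO overrides the local policy). The following PowerShell script is an added example and is not courseware code: it repeats the gpupdate.exe /force from step 7 and then reads the BitLocker policy back from the registry to confirm that advanced startup is enabled and BitLocker is allowed without a compatible TPM. It assumes that the Control Panel Setup: Enable Advanced Startup Options setting is stored under HKLM:\SOFTWARE\Policies\Microsoft\FVE in the DWORD values UseAdvancedStartup and EnableBDEWithNoTPM; the function name Test-BitLockerNoTpmPolicy and the field names it returns are this example's own.

```powershell
# Added example (not courseware code): after gpupdate, verify that the
# "Allow BitLocker without a compatible TPM" policy has reached this computer.
# Assumption: the policy is written under the FVE policy key as the DWORD
# values UseAdvancedStartup=1 and EnableBDEWithNoTPM=1.

$FvePolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\FVE"

function Test-BitLockerNoTpmPolicy {
    # Get-ItemProperty returns $null (no error) when no BitLocker policy has been applied at all
    $policy = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    $advanced = ($policy -ne $null) -and ($policy.UseAdvancedStartup -eq 1)
    $noTpm    = ($policy -ne $null) -and ($policy.EnableBDEWithNoTPM -eq 1)
    New-Object PSObject -Property @{
        PolicyKeyExists       = ($policy -ne $null)
        AdvancedStartup       = $advanced
        AllowWithoutTpm       = $noTpm
        StartupKeyModeAllowed = ($advanced -and $noTpm)
    }
}

# Force a refresh first, as in step 7, then read back the applied result
& gpupdate.exe /force | Out-Null
$state = Test-BitLockerNoTpmPolicy
$state | Format-List PolicyKeyExists, AdvancedStartup, AllowWithoutTpm, StartupKeyModeAllowed
if (-not $state.StartupKeyModeAllowed) {
    Write-Output "Policy not applied: the BitLocker wizard will still require a compatible TPM."
}
```

If PolicyKeyExists is True but AllowWithoutTpm is False on a domain-joined computer, a domain GPO is almost certainly setting the same policy and winning over the local edit; in that case the change has to be made in the GPO that applies to the computer, not in the Local Group Policy Editor.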

Upgrading a BitLocker-Enabled Computer

The following steps are necessary to upgrade a BitLocker-enabled computer:
• Temporarily turn off BitLocker by placing it into disabled mode.
• Upgrade the system or the BIOS.
• Turn BitLocker back on.
Forcing BitLocker into disabled mode keeps the volume encrypted, but the volume master key is encrypted with a symmetric key that is stored unencrypted on the hard disk. The availability of this unencrypted key disables the data protection offered by BitLocker but ensures that subsequent computer startups succeed without further user input. When BitLocker is re-enabled, the unencrypted key is removed from the disk and BitLocker protection is turned back on. Additionally, the volume master key is identified and encrypted again.

Moving a BitLocker-Enabled Computer

Moving the encrypted volume (that is, the physical disk) to another BitLocker-enabled computer requires that you temporarily turn off BitLocker. No additional steps are required because the key protecting the volume master key is stored unencrypted on the disk.

Note: Exposing the volume master key even for a brief period is a security risk because it is possible that an attacker might have accessed the volume master key and full volume encryption key when these keys were exposed by the clear key.

Computer Decommissioning and Recycling

BETA COURSEWARE EXPIRES 11/15/2009


Many personal computers are reused by people other than
the computer's initial owner or user. In enterprise
scenarios, computers may be redeployed to other
departments, or they might leave the company as part of a
standard computer hardware refresh cycle.
On unencrypted drives, data may remain readable even after
the drive has been formatted. Enterprises often use
multiple overwrites or physical destruction to reduce the
risk of exposing data on decommissioned drives.
BitLocker can help create a simple, cost-effective
decommissioning process. Leaving data encrypted by
BitLocker and then removing the keys results in an
enterprise permanently reducing the risk of exposing this
data. It becomes nearly impossible to access BitLocker-
encrypted data after removing all BitLocker keys because
this requires solving 128-bit or 256-bit AES encryption.

Note: Perform the procedures described in this section only if you do not want or need
the data in the future. The data in the encrypted volume will not be recoverable.

An IT Professional can remove a volume’s BitLocker keys by
formatting that volume from Windows 7. The “format”
command has been updated to support this operation. To
format the operating system volume, you can open a command
prompt using the recovery environment included in the
Windows 7 installation DVD.
Alternatively, an administrator can create a script that
effectively removes all BitLocker key protectors. Running
such a script will leave all BitLocker-encrypted data
unrecoverable when you restart the computer. As a safety
measure, BitLocker requires that an encrypted volume have
at least one key protector. Given this requirement, you
can decommission the drive by creating a new external key
protector, not saving the created external key
information, and then removing all other key protectors on
the volume.
Securing Windows 7 Desktops 6-73

Once the BitLocker keys have been removed from the volume,
follow-up tasks are needed to complete the decommissioning
process. For example, reset the TPM to its factory
defaults by clearing the TPM, and discard saved recovery
information for the volume such as printouts, files stored
on USB devices, and information stored in Active
Directory.

Question: When turning on BitLocker on a computer with TPM
version 1.2, what is the purpose of saving the recovery
password?

Answer: If the TPM ever changes or cannot be accessed, if
there are changes to key system files, or if someone tries
to start the computer from a product CD or DVD to
circumvent the operating system, the computer will switch
to recovery mode and will remain there until the user
provides the recovery password. Storing the recovery
password so that it is accessible to the user allows the
user to complete the startup process.

Configuring BitLocker To Go


BitLocker To Go protects data on removable data drives. It
allows you to configure BitLocker Drive Encryption on USB
flash drives and external hard drives. Design goals for
BitLocker To Go called for the feature to be simple to
use, work on existing drives, allow for the recovery of
data if necessary, and enable the data to be usable on
Windows Vista and Windows XP systems.
BitLocker includes several new management features, the
most noticeable of which is a new Group Policy setting
that lets you configure removable drives as read-only
unless they are encrypted with BitLocker To Go. This helps
to ensure that critical corporate data is protected when a
USB flash drive is misplaced by an employee.
BitLocker protection is enabled by right-clicking a drive
in Windows Explorer. With BitLocker To Go, you can encrypt
removable storage devices, such as USB flash drives. All
you need to do is right-click on the drive you want to
protect, select the Turn on BitLocker menu option, and
follow the basic wizard.


BitLocker To Go Scenario
Consider the following scenario. An administrator
configures Group Policy to require that data can only be
saved on data volumes protected by BitLocker.
Specifically, the administrator enables the Deny write
access to removable data drives not protected by BitLocker
policy and deploys it to the domain.
Meanwhile, an end user inserts a USB flash drive. Since
the USB flash drive is not protected with BitLocker,
Windows 7 displays an informational dialog indicating that
the device must be encrypted with BitLocker. From this
dialog, the user chooses to launch the BitLocker Wizard to
encrypt the volume or continues working with the device as
read-only.
If the user decides to implement the device as read-only
and then attempts to save a document to the flash drive,
an access denied error message appears. At this time, the
user can enable BitLocker by right-clicking the drive in
Windows Explorer, and then clicking Turn On BitLocker.

Configuring BitLocker To Go
When you select the Turn On BitLocker menu option, the
ensuing wizard requires that you specify how you want to
unlock the drive. You can select one of the following
methods:
• A Recovery Password or passphrase (complexity is
configurable in Group Policy)
• A Smart Card
• Always auto-unlock this device on this PC
Once the device is configured to use BitLocker, the user
saves documents to the external drive without error. When
the user inserts the USB flash drive on a different PC,
the computer detects that the portable device is BitLocker
protected; the user is prompted to specify the passphrase.
At this time, the user can specify to unlock this volume
automatically on the second PC.

Note: It is not required that the second PC be encrypted with BitLocker.

If a user forgets the passphrase for the device, there is
an option from the BitLocker Unlock wizard, I forgot my
passphrase, to assist. Clicking this option displays a
recovery password ID that can be supplied to an
administrator. The administrator uses the password ID to
obtain the recovery password for the device. This recovery
password can be stored in Active Directory and recovered
with the BitLocker Recovery Password tool.

Question: How do you enable BitLocker To Go for a USB
flash drive?

Answer: Insert the drive, and in Windows Explorer, right-
click the drive and then click Turn On BitLocker.

Recovering BitLocker Encrypted Drives

When a BitLocker-enabled computer starts, BitLocker checks
the operating system for conditions that may indicate a
security risk. If such a condition is detected, BitLocker
does not unlock the system drive and enters recovery mode.
When a computer enters recovery mode, the user must enter
the correct recovery password to continue. The recovery
password is tied to a particular TPM or computer, not to
individual users, and does not usually change.
Save the recovery information on a USB flash drive or in
Active Directory using one of these formats:
• A 48-digit number divided into eight groups. During
recovery, use the function keys to type this password
into the BitLocker recovery console.
• A recovery key in a format that can be read directly by
the BitLocker recovery console.

Locating a BitLocker Recovery Password

The BitLocker recovery password is a 48-digit password and
is used to unlock a system in recovery mode. The recovery
password is unique to a particular BitLocker encryption
and can be stored in Active Directory.

The recovery password will be required in the event the
encrypted drive must be moved to another computer, or
changes are made to the system startup information. This
password is so important that it is recommended that you
make additional copies of the password and store it in
safe places to ensure access to your data.
You will need your recovery password to unlock the
encrypted data on the volume if BitLocker enters a locked
state. This recovery password is unique to this particular
BitLocker encryption. You cannot use it to recover
encrypted data from any other BitLocker encryption
session.
A computer's password ID is a 32-character password unique
to a computer name. Find the password ID under a
Computer's properties, which you can use to locate
passwords stored in Active Directory. To locate a
password, the following conditions must be true:
• You must be a domain administrator or have delegate
permissions
• The client's BitLocker recovery information is
configured to be stored in Active Directory
• The client’s computer has been joined to the domain
• BitLocker Drive Encryption must have been enabled on the
client's computer
Prior to searching for and providing a recovery password
to a user, confirm that the person is the account owner
and is authorized to access data on the computer in
question.
Search for the password in Active Directory Users and
Computers by using either one of the following:
• Drive Label
• Password ID
When you are searching by drive label, after locating the
computer, right-click the drive label, click Properties,
and then click the BitLocker Recovery tab to view
associated passwords.
To search by password ID, right-click the domain container
and then select Find BitLocker Recovery Password. In the
Find BitLocker Recovery Password dialog box, enter the
first eight characters of the password ID in the Password
ID field and then click Search.
Examine the returned recovery password to ensure it
matches the password ID that the user provided. Performing
this step helps to verify that you have obtained the
unique recovery password.
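As an added example (not part of the course material), the following PowerShell function performs the password ID search described above directly against Active Directory with the .NET DirectorySearcher class instead of the Active Directory Users and Computers extension. It assumes the domain schema carries the BitLocker extensions (msFVE-RecoveryInformation objects stored under each computer account) and that the caller holds the delegated read permission listed above; the password ID used in the usage line is a constructed sample. It also carries out the final check from the procedure: the full 32-character ID stored in the directory is compared with the one the user provided before the password is handed over.

```powershell
# Added example: locate BitLocker recovery information in Active Directory by
# password ID. Not course code; requires delegated read access to the
# msFVE-RecoveryInformation objects stored under the computer account.
function Find-BitLockerRecoveryPassword {
    param(
        # The password ID the user reads from the recovery screen: the first 8
        # characters are enough to search, the full 32 allow an exact match check.
        [Parameter(Mandatory = $true)][string]$PasswordId
    )

    # Keep only hex digits so braces, hyphens or spaces typed by the user do not matter
    $hex = $PasswordId -replace '[^0-9A-Fa-f]', ''
    if ($hex.Length -lt 8) {
        throw 'Supply at least the first 8 characters of the password ID.'
    }
    $prefix = $hex.Substring(0, 8)

    # Each recovery object is named "<timestamp>{<recovery GUID>}"; the password ID
    # is that GUID, so the same 8-character prefix search as in the console works here.
    $root = New-Object System.DirectoryServices.DirectoryEntry   # default naming context
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(objectClass=msFVE-RecoveryInformation)(cn=*{' + $prefix + '-*))'
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('msFVE-RecoveryPassword')

    foreach ($result in $searcher.FindAll()) {
        $cn = [string]$result.Properties['cn'][0]
        $dn = [string]$result.Properties['distinguishedname'][0]
        # The GUID inside the braces, without hyphens, is the 32-character password ID
        $storedId = ($cn -replace '^.*\{([^}]+)\}.*$', '$1') -replace '-', ''

        New-Object PSObject -Property @{
            Computer         = (($dn -split ',')[1] -replace '^CN=', '')  # parent is the computer account
            PasswordId       = $storedId
            # True only when the user supplied the full ID and it matches exactly
            ExactMatch       = ($hex.Length -eq 32 -and $storedId -ieq $hex)
            RecoveryPassword = [string]$result.Properties['msfve-recoverypassword'][0]
        }
    }
}

# Usage with a constructed sample ID. The password itself is deliberately left out
# of the listing: read it out only after confirming the requester owns the computer
# and ExactMatch is True for the result you hand over.
Find-BitLockerRecoveryPassword -PasswordId '0A1B2C3D' |
    Format-List Computer, PasswordId, ExactMatch
```

The prefix search mirrors what the Find BitLocker Recovery Password dialog does; the ExactMatch property is the scripted form of the "examine the returned recovery password" step, and a result with ExactMatch False should not be released.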

Data Recovery Agent Support


Windows 7 BitLocker adds Data Recovery Agent (DRA) support
for all protected volumes. This provides users with the
ability to recover data from any BitLocker and BitLocker
To Go device when the data is inaccessible. This
technology assists in the recovery of corporate data on a
portable drive using the key created by the enterprise.
DRA support allows IT professionals to dictate that all
BitLocker protected volumes (operating system, fixed, and
the new portable volumes) are encrypted with an
appropriate DRA. The DRA is a new key protector that is
written to each data volume so that authorized IT
administrators will always have access to BitLocker
protected volumes.

Question: What is the difference between the recovery
password and the password ID?

Answer: The recovery password is a 48-digit password and
is used to unlock a system in recovery mode. The recovery
password is unique to a particular BitLocker encryption
and can be stored in Active Directory. A computer's
password ID is a 32-character password unique to a
Computer Name. Find the password ID under a Computer's
properties, which you can use to locate recovery passwords
stored in Active Directory.

Lesson 4
Configuring Application Restrictions

The ability to control which applications a user, or set
of users, can run offers significant increases in the
reliability and security of enterprise desktops. Overall,
an application lockdown policy can lower the total cost of
computer ownership in an enterprise. Windows 7 and Windows
Server 2008 R2 add Windows AppLocker™, a new feature that
controls application execution and simplifies the ability
to author an enterprise application lockdown policy.
AppLocker reduces administrative overhead and helps
administrators control how users access and use files,
such as .exe files, scripts, Windows Installer files (.msi
and .msp files), and .dll files. Because AppLocker
replaces the software restriction policies (SRP) feature
in prior Windows versions, this lesson examines the
benefits of AppLocker in comparison to SRP.

What is AppLocker?



Today’s organizations face a number of challenges in
controlling which applications run on client computers,
including:
• Which packaged and custom applications users can
access
• Which users are allowed to install new software
• Which versions of applications are allowed to run and
for which users
Users who run unauthorized software can experience a
higher incidence of malware infections and generate more
help desk calls. However, it can be difficult for IT
professionals to ensure that user desktops are running
only approved, licensed software.
Windows Vista addressed this issue by supporting Software
Restriction Policy, which IT professionals used to define
the list of applications that users were allowed to run.
Windows 7 builds upon this security layer with AppLocker,
which provides administrators the ability to control how
users run all types of applications, such as executables
(.exe files), scripts, Windows Installer files (.msi and
.msp), and dynamic link-libraries (.dll).

AppLocker Benefits
IT professionals can use AppLocker to specify exactly what
is allowed to run on user desktops. This allows users to
run the applications, installation programs, and scripts
they need to be productive while still providing the
security, operational, and compliance benefits of
application standardization.
AppLocker can help organizations that want to:
• Limit the number and type of files that are allowed to
run by preventing unlicensed or malicious software from
running and by restricting the ActiveX controls that are
installed.
• Reduce the total cost of ownership by ensuring that
workstations are homogeneous across their enterprise and
that users are running only the software and
applications that are approved by the enterprise.
• Reduce the possibility of information leaks from
unauthorized software.

Question: What are some of the applications that are good
candidates for applying an AppLocker rule?

Answer: The suggestions from the class will vary.


AppLocker Rules



Whether you are dealing with users in your work
environment or children at home, being able to control
what applications a user can run can prevent a lot of
problems. AppLocker lets you do just this by creating
rules that specify exactly what applications a user is
allowed to run and that are resilient to application
updates.
Because AppLocker is an additional Group Policy mechanism,
IT professionals and system administrators need to be
comfortable with Group Policy creation and deployment.
This makes AppLocker ideal for organizations that
currently use Group Policy to manage their Windows 7
computers or have per-user application installations.
To author AppLocker rules, there is a new AppLocker MMC
snap-in in the Group Policy Object Editor that offers an
incredible improvement in the process of creating
AppLocker rules. There is one wizard that allows you to
create a single rule, and another wizard that
automatically generates rules for you based on your rule
preferences and the folder that you select.
You can review the files analyzed and remove them from the
list before rules are created for them. You can even get
useful statistics about how often a file has been blocked
or test AppLocker policy for a given computer.
Accessing AppLocker
To access AppLocker, click Start and type “Gpedit.msc.”
Then navigate to Computer Configuration, Windows Settings,
Security Settings, and then Application Control Policies.
Expand the Application Control Policies node and highlight
AppLocker.
In AppLocker you can configure Executable Rules, Windows
Installer Rules, and Script Rules. For example, highlight
the Executable Rules node and right-click to select Create
New Rule. You can then create a rule allowing or denying
access to an executable based on such criteria as the file
path or publisher.
And in case you are in a hurry, AppLocker will let you
apply both default and automatically generated rules.

Creating Default AppLocker Rules


Many organizations are implementing standard user
policies, which allow users to log on to their computers
only as a standard user. With Windows 7, this task became
simpler. However, more independent software vendors (ISVs)
are creating per-user applications that do not require
administrative rights to be installed and that are
installed and run in the user profile folder. As a result,
standard users can install many applications and
circumvent the application lockdown policy. With
AppLocker, you can prevent users from installing and
running per-user applications by creating a set of default
AppLocker rules. The default rules also ensure that the
key operating system files are allowed to run for all
users.

Note: Before you manually create new rules or automatically generate rules for a
specific folder, you must create the default AppLocker rules.

Specifically, the default rules enable the following:
• All users to run files in the default Program Files
directory.
• All users to run all files signed by the Windows
operating system.
• Members of the built-in Administrators group to run all
files.
Perform the following steps to create the default
AppLocker rules:
1. To open the Local Security Policy MMC snap-in, click
Start, type “secpol.msc” in the Search programs and
files box, and then press ENTER.
2. In the console tree, double-click Application Control
Policies and then double-click AppLocker.
3. Right-click Executable Rules and then click Create
Default Rules.
By creating these rules, you have also automatically
prevented all non-administrator users from being able to
run programs that are installed in their user profile
directory. You can recreate the rules at any time.

Note: Without the default rules, critical system files might not run. Once you have
created one or more rules in a rule collection, only applications that are affected by
those rules are allowed to run. If the default rules are not created and you are blocked
from performing administrative tasks, restart the computer in safe mode, add the
default rules and delete any deny rules that are preventing access, and then refresh the
computer policy.

Automatically Generate AppLocker Rules


Once the default rules are created, you can create custom
application rules. To facilitate creating sets or
collections of rules, AppLocker includes a new
Automatically Generate Rules wizard that is accessible
from the Local Security Policy console. This wizard
simplifies the task of creating rules from a user-
specified folder. By running this wizard on reference
computers and specifying a folder that contains the .exe
files for applications that you want to create rules for,
you can quickly create AppLocker policies automatically.
When a rule is manually created, choose whether it is an
Allow or Deny rule. Allow rules enable applications to run
while Deny rules prevent applications from running. The
Automatically Generate Rules wizard creates only Allow
rules.

Note: After you create one or more rules in a rule collection, only applications that are
affected by those rules are allowed to run. For this reason, always create the default
AppLocker rules for a rule collection first. If you did not create the default rules and are
prevented from performing administrative tasks, restart the computer in Safe Mode, add
the default rules, delete any deny rules that are preventing access, and then refresh the
computer policy.

You can create exceptions for .exe files. For example, you
can create a rule that allows all Windows processes to run
except regedit.exe and then use audit-only mode to
identify files that will not be allowed to run if the
policy is in effect.
You can automatically create rules by running the wizard
and specifying a folder that contains the .exe files for
applications for which to create rules.

Note: Do not select a folder that contains one or more user profiles. Creating rules to
allow .exe files in user profiles might not be secure.

Before you create the rules at the end of the wizard,
review the analyzed files and view information about the
rules that will be created. Once the rules are created,
edit them to make them more or less specific. For example,
if you selected the Program Files directory as the source
for automatically generating the rules and also created
the default rules, there is an extra rule in the
Executable Rules collection.

Automatically Generate Rules


To automatically generate rules from a reference folder
1. Ensure that the Local Security Policy MMC snap-in is
open.
2. In the console tree under Application Control
   Policies\AppLocker, right-click Executable Rules, and
   then click Automatically Generate Rules.
3. On the Folder and Permissions page, click Browse.
4. In the Browse for Folder dialog box, select the folder
that contains the .exe files that you want to create
the rules for.
5. Type a name to identify the rules and then click Next.
To help sort the rules in the MMC list view, the name
that you provide is used as a prefix for the name of
each rule that is created.
6. On the Rule Preferences page, click Next without
changing any of the default values. The Rule generation
progress dialog box is displayed while the files are
processed.
7. On the Review Rules page, click Create. The wizard
closes, and the rules are added to the Executable Rules
details pane.
After automatically generating rules based on your
preferences, you can edit the rules to make them more or
less detailed.
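The same reference-folder workflow can be scripted with the AppLocker PowerShell cmdlets that ship with Windows 7 (Get-AppLockerFileInformation, New-AppLockerPolicy, Test-AppLockerPolicy and Set-AppLockerPolicy). The script below is an added example, not course material or Microsoft's own code; the reference folder and the output path are assumptions for the demonstration. It adds the checks the notes above call for: it refuses to run unless the Executable Rules collection already holds the default rules, lists the generated rules for review, tests them against the folder before anything is applied, and merges them so the existing rules survive.

```powershell
# Added example: generate AppLocker executable rules from a reference folder,
# review and test them, then merge them into the local policy. Not course code;
# the folder and output path below are assumptions for the demonstration.
Import-Module AppLocker

$ReferenceFolder = 'C:\Program Files\Contoso'         # assumed reference folder
$PolicyXml       = Join-Path $env:TEMP 'Contoso-Exe-Rules.xml'

# 1. Once a collection holds any rule, only applications matched by a rule may
#    run, so insist that the default rules are present before adding custom ones.
$localPolicy = [xml](Get-AppLockerPolicy -Local -Xml)
$exeCollection = $localPolicy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.GetAttribute('Type') -eq 'Exe' }
$defaultRules = @()
if ($exeCollection) {
    $defaultRules = @($exeCollection.ChildNodes |
        Where-Object { $_.GetAttribute('Name') -like '(Default Rule)*' })
}
if ($defaultRules.Count -eq 0) {
    throw 'Create the default Executable Rules first (Create Default Rules in the console).'
}

# 2. Collect publisher, hash and path information for every .exe under the folder
$fileInfo = Get-AppLockerFileInformation -Directory $ReferenceFolder -Recurse -FileType Exe

# 3. Build Allow rules: publisher rules where the file is signed (they survive
#    updates), hash rules as the fallback for unsigned files. No path rules, so
#    a writable folder cannot be used to introduce an unapproved binary.
$fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Contoso' -Optimize -Xml |
    Out-File -FilePath $PolicyXml -Encoding UTF8

# 4. Review what was generated before anything is applied
$generated = [xml](Get-Content -Path $PolicyXml)
$generated.AppLockerPolicy.RuleCollection.ChildNodes |
    Select-Object @{ n = 'RuleType'; e = { $_.LocalName } },
                  @{ n = 'Name';     e = { $_.GetAttribute('Name') } },
                  @{ n = 'Action';   e = { $_.GetAttribute('Action') } } |
    Format-Table -AutoSize

# 5. Every .exe in the folder must be allowed by the new rules; anything that is
#    not (for example a file the rules missed) is listed and the run stops.
$notAllowed = Get-ChildItem -Path $ReferenceFolder -Recurse -Filter *.exe |
    Select-Object -ExpandProperty FullName |
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -User Everyone -Filter Denied, DeniedByDefault
if ($notAllowed) {
    $notAllowed | Format-Table FilePath, PolicyDecision -AutoSize
    throw 'Some files in the reference folder are not covered; fix the rules before applying.'
}

# 6. -Merge adds the new rules to the existing collection instead of replacing it,
#    so the default rules (and any other rules) stay in place.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
```

Step 5 is the scripted form of the review the wizard offers on its Review Rules page; running it against the policy file rather than the live policy means an uncovered application is found before users are affected. Run the script from an elevated PowerShell session, because Set-AppLockerPolicy writes the local policy.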

Create Rules Allowing Only Signed Applications to Run


With the advent of new heuristic identification
technologies in Web browsers and operating systems, more
ISVs are using digital signatures to sign their
applications. These signatures simplify an organization’s
ability to identify applications as genuine and to create
a better and more trustworthy user experience.
Creating rules based on the digital signature of an
application helps make it possible to build rules that
survive application updates. For example, an organization
can create a rule to "allow all versions greater than 9.0
of a program to run if it is signed by the software
publisher." In this way, when the program is updated, IT
professionals can safely deploy the application update
without having to build another rule.

Note: Before performing the following procedure, ensure that you created the default
rules.

Perform the following steps to allow only signed
applications to run:
1. To open the Local Security Policy MMC snap-in, click
Start, type “secpol.msc” in the Search programs and
files box, and then press ENTER.
2. In the console tree, double-click Application Control
Policies, and then double-click AppLocker.
3. Right-click Executable Rules and then click Create New
Rule.
4. On the Before You Begin page, click Next.
5. On the Permissions page, click Next to accept the
default settings.
6. On the Conditions page, click Next.
7. On the Publisher page, note that the default setting is
to allow any signed file to run, and then click Next.
8. On the Exceptions page, click Next.
9. On the Name and Description page, accept the default
name or enter a custom name and description, and then
click Create.
By using this rule and ensuring that all applications are
signed within your organization, you are assured that
users are running only applications from known publishers.

Note: This rule prevents unsigned applications from running. Before implementing this
rule, ensure that all of the files that you want to run in your organization are digitally
signed. If any applications are not signed, consider implementing an internal signing
process to sign unsigned applications with an internal signing key.

Delete Unnecessary Rules


If you created the default rules and then selected the
Program Files folder as the source to automatically
generate rules, there are one or more extraneous rules in
the Executable Rules collection. When you create the
default rules, a path rule is added to allow any .exe file
in the entire Program Files folder to run. This rule is
added to ensure that users are not prevented by default
from running applications. Because this rule conflicts
with rules that were automatically generated, delete this
rule to ensure that the policy is more specific. The name
of the default rule is (Default Rule) Microsoft Windows
Program Files Rule.
Perform the following steps to delete a rule:
1. Ensure that the Local Security Policy MMC snap-in is
open.
2. In the console tree under Application Control
Policies\AppLocker, click Executable Rules.
3. In the details pane, right-click (Default Rule)
Microsoft Windows Program Files Rule and then click
Delete.
4. In the AppLocker dialog box, click Yes.
To determine if any applications are excluded from the
rule set, enable the Audit only enforcement mode.

Question: When testing AppLocker, you must carefully
consider how you will organize rules between linked GPOs.
What do you do if a GPO does not contain the default
AppLocker rules?

Answer: If a GPO does not contain the default rules, then
either add the rules directly to the GPO or add them to a
GPO that links to it.

Demonstration: Configuring AppLocker Rules

This demonstration shows how to create a custom AppLocker
rule, and how to automatically generate rules.

Create a New Executable Rule

1. Log on to LON-CL1 as Contoso\Administrator with a
   password of Pa$$w0rd.
2. Click Start, and in the Search programs and files box,
   type “gpedit.msc”, and then press ENTER.
3. In the Local Group Policy Editor, expand Computer
   Configuration, expand Windows Settings, and then expand
   Security Settings.
4. Expand Application Control Policies, and then double-
   click AppLocker.
5. Click Executable Rules, and then right-click and select
   Create New Rule.
6. Click Next.
7. On the Permissions screen, select Deny, and then click
   the Select… button.
8. In the Select User or Group dialog box, in the Enter
   the object names to select (examples) box, type
   “Contoso\Marketing”, click Check Names, and then click
   OK.
9. Click Next.
10. On the Conditions screen, select Path and then click
    Next.
11. Click the Browse Files… button and then click Local
    Disk (C:).
12. Double-click Windows, select Regedit, and then click
    Open.
13. Click Next.
14. Click Next again and then click Create.
15. Click Yes when prompted to create default rules.

Create a New Windows Installer Rule

1. Select Windows Installer Rules and then right-click and
   select Create New Rule.
2. Click Next.
3. On the Permissions screen, click Deny and then click
   Next.
4. On the Conditions screen, select Publisher and then
   click Next.
5. Click the Browse… button, click Local Disk (C:), select
   Microsoft Article Authoring Add-In, and then click
   Open.
6. On the Publisher screen, move the slide bar up by three
   settings, so that the rule scope is set to Applies to
   all files signed by the specified publisher.
7. Click Next.
8. Click Next again and then click Create.
9. Click Yes when prompted to create default rules.

Automatically Generate the Script Rules

1. Select Script Rules and then right-click and select the
   Automatically Generate Rules… option.
2. In Automatically Generate Script Rules, on the Folder
   and Permissions screen, click Next.
3. Click Next again.
4. Click Create.
5. Click Yes when prompted to create default rules.
6. Close the Local Group Policy Editor and then log off.

Demonstration: Enforcing AppLocker Rules



After you create new AppLocker rules, you must configure
enforcement for the rule collections and refresh the
computer's policy. Enforcement is configured in the Local
Security Policy console in the Configure Rule Enforcement
area. The following table outlines the three enforcement
options for each rule type.

Enforcement mode                              Description
Enforce rules with Group Policy inheritance   Default setting. If linked GPOs contain a different setting, that setting is used. If any rules are present in the corresponding rule collection, they are enforced.
Enforce rules                                 Rules are enforced.
Audit only                                    Rules are audited, but not enforced.


To view information about applications that are affected
by AppLocker rules, use the Event Viewer. Each event in the
AppLocker operational log contains detailed information
such as the following:
• Which file was affected and the path of that file
• Whether the file was allowed or blocked
• The rule type: Path, File Hash, or Publisher
• The rule name
• The security identifier (SID) for the user that is
targeted in the rule
Review the entries in the log to determine if any
applications were not included in the rules. The following
table identifies three events to use to determine which
applications are affected.

Event ID  Level          Event Text                                                Description
8002      Informational  Access to <file name> is allowed by an administrator.     Specifies that the file is allowed by an AppLocker rule.
8003      Warning        Access to <file name> is monitored by an administrator.   Applied only when in the Audit only enforcement mode. Specifies that the file will be blocked if the Enforce rules enforcement mode is enabled.
8004      Error          Access to <file name> is restricted by an administrator.  Applied only when the Enforce rules enforcement mode is either directly or indirectly (through Group Policy inheritance) set. The file cannot run.
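The enforcement modes in the first table and the 8003/8004 events in the second can be handled together from PowerShell. The script below is an added example, not course material: it places the Executable Rules collection in Audit only (the EnforcementMode attribute of the collection in the policy XML, which takes the values NotConfigured, Enabled or AuditOnly), makes sure the Application Identity service that evaluates the rules is running, and then summarises the audit and block events from the AppLocker operational log per file. It assumes the Windows 7 AppLocker cmdlets and the UserData layout of the log's events; the log name is the one shown in the Event Viewer.

```powershell
# Added example: put the Executable Rules collection into Audit only, make sure the
# service that evaluates AppLocker rules is running, and summarise the 8003/8004
# events so the files the rules would block (or did block) can be reviewed.
# Not course code; written for the Windows 7 AppLocker cmdlets and event schema.
Import-Module AppLocker

# 1. AppLocker rules are evaluated only while the Application Identity service runs
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') {
    Start-Service -Name AppIDSvc
}

# 2. Enforcement is an attribute of each RuleCollection in the policy XML:
#    NotConfigured (inherit), Enabled (Enforce rules) or AuditOnly (Audit only).
$policy = [xml](Get-AppLockerPolicy -Local -Xml)
$exe = $policy.AppLockerPolicy.RuleCollection |
    Where-Object { $_.GetAttribute('Type') -eq 'Exe' }
if ($exe) {
    $exe.SetAttribute('EnforcementMode', 'AuditOnly')
    $tmp = Join-Path $env:TEMP 'applocker-exe-auditonly.xml'
    $policy.Save($tmp)
    Set-AppLockerPolicy -XmlPolicy $tmp   # writes the collections back with the new mode
    gpupdate /force | Out-Null             # apply the refreshed policy now
}

# 3. Read the AppLocker operational log. 8003 = would have been blocked (audit),
#    8004 = was blocked (enforce). File, rule and target user live under UserData.
$logName = 'Microsoft-Windows-AppLocker/EXE and DLL'
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 8003, 8004 } `
               -ErrorAction SilentlyContinue)

$findings = foreach ($evt in $events) {
    $data = ([xml]$evt.ToXml()).Event.UserData.RuleAndFileData
    New-Object PSObject -Property @{
        Time    = $evt.TimeCreated
        Outcome = $(if ($evt.Id -eq 8004) { 'Blocked' } else { 'Audit: would block' })
        File    = $data.FilePath
        Rule    = $data.RuleName
        UserSid = $data.TargetUser
    }
}

if (@($findings).Count -eq 0) {
    Write-Host "No audit or block events in '$logName' yet."
} else {
    # Per-file counts show which applications the rule set does not cover
    $findings | Group-Object File | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
    $findings | Sort-Object Time | Format-Table Time, Outcome, File, Rule -AutoSize
}
```

Leaving a collection in Audit only for a period and reviewing the per-file counts is how the "applications not included in the rules" question above is answered in practice; once the list is empty, the same script with 'Enabled' in place of 'AuditOnly' switches the collection to Enforce rules. Run it from an elevated session, as both Set-AppLockerPolicy and starting the service require administrative rights.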

Demonstration
This demonstration will show the different enforcement
options, in addition to how to configure the enforcement
for the rule that was created in the previous
demonstration. The demonstration will then verify the
enforcement with gpupdate.



Enforce AppLocker Rules
1. Log on to LON-CL1 as Contoso\Administrator with a
   password of Pa$$w0rd.
2. Click Start, and in the Search programs and files box,
   type “gpedit.msc” and then press ENTER.
3. In the Local Group Policy Editor, expand Computer
   Configuration, expand Windows Settings, and then expand
   Security Settings.
4. Expand Application Control Policies.
5. Click AppLocker and then right-click and select
   Properties.
6. On the Enforcement tab, under Executable rules, click
   the Configured check box and then select Enforce rules.
7. On the Enforcement tab, under Windows Installer rules,
   click the Configured check box and then select Audit
   only.
8. Click OK.
9. Close the Local Group Policy Editor.

Confirm the Executable Rule Enforcement


1. Click Start, and in the Search programs and files box,
type “cmd”, and then press ENTER.
2. In the Command Prompt window, type “gpupdate /force”
and then press ENTER. Wait for the policy to be
updated.
3. Click Start, and then right-click Computer and click
   Manage.
4. Expand Event Viewer and then expand Windows Logs.
5. Click System.
6. In the result pane, locate and click the latest event
with Event ID 1502.
7. Review event message details under the General tab.
8. Expand Services and Applications and then click
Services.
9. Right-click Application Identity service in the main
window pane, and then click Start.
10. Close the Command Prompt.
11. In the Event Viewer, expand Application and Services
    Logs, and then expand Microsoft.
12. Expand Windows, then expand AppLocker, and then
    click EXE and DLL.
13. Review the entries in the results pane.
14. Close Computer Management.
15. Log off.

Question: What is the command to update the computer's
policy and where is it run?

Answer: The command is gpupdate /force and it is run as an
administrator in the command prompt.

What are Software Restriction Policies?

Viruses and Trojan horses often intentionally misrepresent themselves to trick users into running them. Many non-malicious software applications also cause problems. Any software not known and supported by an organization can conflict with other applications or change crucial configuration information. For end users, it can be difficult to make safe choices about which software they must run.

To address this situation, Windows XP and Windows Server 2003 included software restriction policies (SRP), which helped organizations control not just hostile code, but any unknown code—malicious or otherwise. Software Restriction Policies were the predecessor to Windows AppLocker.

With software restriction policies in previous Windows versions, administrators were able to:
• Protect their computing environment from non-trusted or unknown software by identifying and specifying which software is allowed to run.
• Define a default security level of Unrestricted or
Disallowed for a Group Policy object (GPO) so that
software was either allowed or not allowed to run by
default.
• Make exceptions to this default security level by
creating software restriction policy rules for specific
software. For example, if the default security level
was set to Disallowed, administrators created rules
that allowed specific software to run.
Software restriction policies consisted of the default
security level and all the rules that applied to a GPO. In
addition, these software restriction policies:
• Were applied across a domain, to local computers, or to
individual users.
• Provided a way to define a list of what is trusted code
versus what is not.
• Provided a flexible, policy-based approach for
regulating scripts, executables, and ActiveX controls.
• Enforced the policy automatically.
In Windows 7, AppLocker replaces the Software Restriction
Policies feature found in prior Windows versions (although
the Software Restriction Policies snap-in is included in
Windows 7 computers for compatibility purposes).

AppLocker Enhancements over SRP


When implementing Software Restriction Policies in previous Windows versions, it was particularly difficult to create policies that were secure but were not broken by software updates. This was due to the lack of granularity of certificate rules and the fragility of hash rules, which broke whenever an application binary was updated. To address this issue, AppLocker enables you to create a rule that combines a certificate with a product name, file name, and file version. This simplifies your ability to specify that anything signed by a particular vendor for a specific product name can run.
Certificate rules in SRP allow you to trust all software signed by a specific publisher; however, AppLocker gives you much greater flexibility. When creating publisher rules, you can trust the publisher, and also drill down to the product level, the executable level, and even the version.
For example, with SRP, you can create a rule that effectively reads “Trust all content signed by Microsoft”. With AppLocker, you can create a rule that says “Trust the Office 2007 Suite if it is signed by Microsoft and the version is greater than 12.0.0.0”.
The AppLocker enhancements over the SRP feature can be
summarized as follows:
• The ability to define rules based on attributes derived
from a file’s digital signature, including the
publisher, product name, file name, and file version.
SRP supports certificate rules, but they are less
granular and more difficult to define.
• A more intuitive enforcement model; only a file that is
specified in an AppLocker rule is allowed to run.
• A new, more accessible user interface that is accessed through a new Microsoft Management Console® (MMC) snap-in extension to the Local Policy snap-in and Group Policy Management snap-in.
• An audit-only enforcement mode that allows
administrators to determine which files will be
prevented from running if the policy were in effect.
AppLocker does not include the following SRP rule types:
• Internet Zone rules
• Per-machine rules
• Registry path rules
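As an added example (not the courseware's own), the cmdlets of the Windows 7 AppLocker module can generate exactly the kind of publisher rule described above, scoped to signer, product, binary name and minimum version, and dry-run it before anything is enforced. The executable path is a placeholder to be replaced with a signed binary of your own; everything else is the module's real cmdlet surface.

```powershell
# Added example, not courseware code. Builds a publisher rule from one signed
# executable and tests it. PowerShell 2.0 syntax, Windows 7 AppLocker module.
Import-Module AppLocker

# Placeholder: replace with a signed executable present on your own system.
$signedExe = 'C:\Program Files\ExampleVendor\ExampleApp\app.exe'
$workFile  = Join-Path $env:TEMP 'applocker-publisher-test.xml'

# The attributes AppLocker extracts from the Authenticode signature. These are
# the four levels of granularity that SRP certificate rules did not offer.
# (Publisher is empty for an unsigned file; only hash or path rules fit those.)
$info = Get-AppLockerFileInformation -Path $signedExe
$info.Publisher | Format-List PublisherName, ProductName, BinaryName, BinaryVersion

# Generate an Exe allow rule of type Publisher for Everyone. The generated
# version range starts at the file's own version with no upper bound, so the
# vendor's next signed update still matches (an SRP hash rule breaks there).
$policyXml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher `
    -User Everyone -RuleNamePrefix 'ExampleApp' -Xml
Set-Content -Path $workFile -Value $policyXml -Encoding UTF8

# Dry run against the XML only; nothing is applied yet. The signed file should
# come back Allowed, while notepad.exe, which no rule in this policy covers,
# comes back DeniedByDefault because the Exe collection now contains a rule.
Test-AppLockerPolicy -XmlPolicy $workFile -User Everyone `
    -Path $signedExe, "$env:windir\System32\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Only after the dry run looks right, merge the rule into the local policy.
# Enforcement stays whatever the Enforcement tab says (Audit only or Enforce rules).
# Set-AppLockerPolicy -XmlPolicy $workFile -Merge
```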

AppLocker and SRP in Windows 7


Prior to Windows 7, Windows operating systems were only able to use SRP rules. In Windows 7, you can apply SRP or AppLocker rules, but not both. This allows you to upgrade an existing implementation to Windows 7 and still take advantage of the SRP rules defined in group policies. However, if Windows 7 has both AppLocker and SRP rules applied in a group policy, then only the AppLocker rules are enforced and the SRP rules are ignored.

Note: When you add a single AppLocker rule in Windows 7, all processing of SRP rules
stops. Therefore, if you are replacing SRP rules with AppLocker rules, then you must
implement all AppLocker rules that you require at one time. If you implement the
AppLocker rules incrementally, then you will lose the functionality provided by SRP rules
that have not yet been replaced with corresponding AppLocker rules.

Question: Why must AppLocker rules be defined in a GPO separate from SRP rules?

Answer: AppLocker rules are completely separate from SRP rules and cannot be used to manage pre-Windows 7 computers. The two policies are also separate. If AppLocker rules have been defined in a Group Policy Object (GPO), only those rules are applied. Therefore, define AppLocker rules in a separate GPO to ensure interoperability between SRP and AppLocker policies.

Lesson 5
Configuring User Account Control

When logged in as a local administrator, a user can
install and uninstall applications and adjust system and
security settings at will. As a result, IT departments
often cannot gauge the holistic health and security of
their PC environments. In addition, every application that
these users launch can potentially use their accounts’
administrative-level access to write to system files and
the registry and to modify system-wide data. Common tasks
like browsing the Web and checking e-mail can become
unsafe in this scenario. In addition, all of these
elements increase an organization’s total cost of
ownership.
IT departments must be given a solution that is both resilient to attack and protective of data confidentiality, integrity, and availability. For this reason, the Windows development team chose to redesign the way that the Windows core security infrastructure and applications interact. User Account Control was the outcome of this redesign process.

What is UAC?

User Account Control (UAC) is a security feature that
provides a way for each user to “elevate” his or her
status from a standard user account to an administrator
account without logging off, switching users, or using Run
as. Windows 7 continues the investment in UAC with changes
that enhance the user experience, increase user control of
the prompting experience, increase security, and improve
total cost of ownership.
UAC is a collection of features rather than just a prompt.
These features - which include File and Registry
Redirection, Installer Detection, the UAC prompt, the
ActiveX Installer Service, and more - allow Windows users
to run with user accounts that are not members of the
Administrators group. These accounts are generally
referred to as Standard Users and are broadly described as
“running with least privilege.” The key is that when users
run with Standard User accounts, the experience is
typically much more secure and reliable.

UAC in Windows 7
Windows 7 includes a number of new features to improve the Standard User experience, and new configuration settings provide users more control over the User Account Control prompt when they run in Administrator Approval Mode. The goal of the Windows 7 features is to improve usability while continuing to clarify to independent software vendors that the default security context they need to target is that of a Standard User. In practice, these changes mean that users are not prompted for common administrative tasks in Windows 7. This is the setting that says "Notify me only when programs try to make changes to my computer".
In Windows 7, the number of operating system applications
and tasks that require elevation is reduced, so standard
users can do more while experiencing fewer elevation
prompts. This improves the interaction with the UAC while
upholding high security standards.
When changes are going to be made to your computer that
require administrator-level permission, UAC notifies you
as follows:
• If you are an administrator, you can click Yes to
continue.
• If you are not an administrator, someone with an
administrator account on the computer will have to enter
his or her password for you to continue.
If you are a standard user, providing permission
temporarily gives you administrator rights to complete the
task and then your permissions are returned back to
standard user when you are finished. This makes it so that
even if you are using an administrator account, changes
cannot be made to your computer without you knowing about
it, which can help prevent malicious software (malware)
and spyware from being installed on or making changes to
your computer.

How UAC Works

There are two general types of user groups in Windows 7:
standard users and administrative users. User Account
Control (UAC) simplifies users’ ability to run as standard
users and perform all their necessary daily tasks.
Administrative users also benefit from UAC because
administrative privileges are available only after UAC
requests permission from the user for that instance.

Standard Users
In previous Windows versions, many users were configured
to use administrative privileges rather than standard user
permissions. This was done because previous Windows
versions required administrator permissions to perform
basic system tasks such as adding a printer, or
configuring the time zone. In Windows 7, many of these
tasks no longer require administrative privileges.
When users have administrative permissions to their
computers, they are able to install additional software.

Despite corporate policies against installing unauthorized software, many users do install unauthorized software, which may make their systems less stable and drive up support costs.
When UAC is enabled and a user needs to perform a task
that requires administrative permissions, UAC prompts the
user for the credentials of a user with administrative
privileges. In a corporate environment, the Help desk can
give the user temporary credentials that have local
administrative privileges to complete the task.
The default UAC setting allows a standard user to perform
the following tasks without receiving a UAC prompt:
• Install updates from Windows Update.
• Install drivers from Windows Update or those that are
included with the operating system.
• View Windows settings. (However, a standard user is
prompted for elevated privileges when changing Windows
settings.)
• Pair Bluetooth devices with the computer.
• Reset the network adapter and perform other network
diagnostic and repair tasks.

Administrative Users
Administrative users automatically have:
• Read/Write/Execute permissions to all resources
• All Windows privileges
While it may seem clear that not every user should be able to read, alter, and delete any Windows resource, many enterprise IT departments running earlier Windows versions had no other option but to assign all of their users to the local Administrators group.
One of the benefits of UAC is that it allows users with administrative privileges to run as standard users most of the time. When users with administrative privileges perform a task that requires administrative privileges, UAC prompts the user for permission to complete the task. When the user grants permission, the task in question is performed using full administrative rights, and then the account reverts to a lower level of privilege.

UAC Elevation Prompts


Many applications require users to be administrators by default, because they check administrator group membership before running the application. No user security model existed for Windows® 95 and Windows® 98. As a result, developers designed applications assuming that they will be installed and run by users with administrator permissions. A user security model was created for Windows® NT, but all users were created as administrators by default. In addition, a standard user on a Windows XP computer must use Run as or log on with an administrator account to install applications and perform other administrative tasks.
The following table details some of the tasks that a
standard user can perform and what tasks require elevation
to an administrator account.

Standard Users:
• Establish a Local Area Network connection
• Establish and configure a wireless connection
• Modify Display Settings
• Users cannot defragment the hard drive, but a service does this on their behalf
• Play CD/DVD media (configurable with Group Policy)
• Burn CD/DVD media (configurable with Group Policy)
• Change the desktop background for the current user
• Open the Date and Time Control Panel and change the time zone
• Use Remote Desktop to connect to another computer
• Change user's own account password
• Configure battery power options
• Configure Accessibility options
• Restore user's backed-up files
• Set up computer synchronization with a mobile device (smart phone, laptop, or PDA)
• Connect and configure a Bluetooth device

Administrators:
• Install and uninstall applications
• Install a driver for a device, such as a digital camera driver
• Install Windows updates
• Configure Parental Controls
• Install an ActiveX control
• Open the Windows Firewall Control Panel
• Change a user's account type
• Modify UAC settings in the Security Policy Editor snap-in (secpol.msc)
• Configure Remote Desktop access
• Add or remove a user account
• Copy or move files into the Program Files or Windows directory
• Schedule Automated Tasks
• Restore system backed-up files
• Configure Automatic Updates
• Browse to another user's directory

When UAC is enabled, members of the local Administrators group run with the same access token as standard users. Only when a member of the local Administrators group gives approval can a process use the administrator’s full access token.
This process is the basis of the Admin Approval Mode
principle. Users elevate only to perform tasks that
require an administrator access token. When a standard
user attempts to perform an administrative task, UAC
prompts the user to enter valid credentials for an
administrator account. This is the default for standard
user prompt behavior.
The elevation prompt displays contextual information about
the executable that is requesting elevation. The context
is different depending on whether the application is
Authenticode signed. The elevation prompt has two
variations: the consent prompt and the credential prompt.
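To see the split token described above, the following added example (not part of the courseware) asks the current PowerShell process token for its elevation type through the Win32 GetTokenInformation API. Run it from a normal PowerShell window and again from one opened with Run as administrator; the small C# wrapper and the TOKEN_INFORMATION_CLASS constants are assumptions of this example, not text from the course.

```powershell
# Added example, not courseware code. Reports whether this process runs with the
# filtered token (Admin Approval Mode), the full administrator token, or a token
# that was never split. Uses Add-Type (PowerShell 2.0) to call advapi32 directly.
Add-Type -TypeDefinition @'
using System;
using System.Diagnostics;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class UacToken
{
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int infoClass,
                                           out int info, int size, out int returned);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    const uint TOKEN_QUERY = 0x0008;
    const int TokenElevationType = 18;   // TOKEN_INFORMATION_CLASS members
    const int TokenElevation     = 20;

    // Reads one DWORD-sized information class from the current process token.
    static int Query(int infoClass)
    {
        IntPtr token;
        if (!OpenProcessToken(Process.GetCurrentProcess().Handle, TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            int value, returned;
            if (!GetTokenInformation(token, infoClass, out value, sizeof(int), out returned))
                throw new Win32Exception();
            return value;
        }
        finally { CloseHandle(token); }
    }

    // TOKEN_ELEVATION_TYPE: 1 = Default (never split), 2 = Full, 3 = Limited.
    public static int ElevationType() { return Query(TokenElevationType); }
    // TOKEN_ELEVATION.TokenIsElevated: non-zero when the token is elevated.
    public static bool IsElevated()   { return Query(TokenElevation) != 0; }
}
'@

function Get-UacTokenState {
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $type = [UacToken]::ElevationType()
    $state = switch ($type) {
        1 { 'Default: no linked token (standard user, or UAC disabled)' }
        2 { 'Full: elevated administrator token' }
        3 { 'Limited: filtered token, running in Admin Approval Mode' }
    }
    New-Object PSObject -Property @{
        User = $user; ElevationType = $type; Elevated = [UacToken]::IsElevated(); State = $state
    }
}

Get-UacTokenState | Format-List User, ElevationType, Elevated, State
```

A member of Administrators at a normal prompt sees ElevationType 3, which is the "same access token as standard users" of the paragraph above; the same user after consenting to the prompt sees 2.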

Elevation Prompt: Consent Prompt
Description: Displayed to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval to continue from the user.

Elevation Prompt: Credential Prompt
Description: Displayed to standard users when they attempt to perform an administrative task.

Note: Elevation entry points do not remember that elevation has occurred; for example,
when you return from a shielded location or task. As a result, the user must re-elevate to
enter the task again.

While the number of UAC elevation prompts for a standard user performing an everyday task has been reduced in Windows 7, there are times when it is appropriate for an elevation prompt to be returned. For example, viewing firewall settings does not require elevation; however, changing the settings does require elevation because the changes have a system-wide impact.

Types of Elevation Prompts


When your permission or password is needed to complete a
task, UAC will notify you with one of four different types
of dialog boxes. The following table describes the
different types of dialog boxes used to notify you and
guidance on how to respond to them.

Type of Elevation Prompt: A setting or feature that is part of Windows needs your permission to start.
Description: This item has a valid digital signature that verifies that Microsoft is the publisher of this item. If you get this type of dialog box, it is usually safe to continue. If you are unsure, check the name of the program or function to decide if it is something you want to run.

Type of Elevation Prompt: A program that is not part of Windows needs your permission to start.
Description: This program has a valid digital signature, which helps to ensure that the program is what it claims to be and verifies the identity of the publisher of the program. If you get this type of dialog box, make sure the program is the one that you want to run and that you trust the publisher.

Type of Elevation Prompt: A program with an unknown publisher needs your permission to start.
Description: This program does not have a valid digital signature from its publisher. This does not necessarily indicate danger, since many older, legitimate programs lack signatures. However, use extra caution and only allow a program to run if you obtained it from a trusted source, such as the original CD or a publisher's Web site. If you are unsure, look up the name of the program on the Internet to determine if it is a known program or malicious software.

Type of Elevation Prompt: You have been blocked by your system administrator from running this program.
Description: This program has been blocked because it is known to be untrusted. To run this program, you need to contact your system administrator.

It is recommended that most of the time you log on to your computer with a standard user account. You can browse the Internet, send e-mail, and use a word processor, all without an administrator account. When you want to perform an administrative task, such as installing a new program or changing a setting that will affect other users, you do not have to switch to an administrator account; Windows will prompt you for permission or an administrator password before performing the task. Another recommendation is that you create standard user accounts for all the people that use your computer.

In Windows 7, you can adjust how often UAC notifies you when changes are made to your computer.

Question: What are the differences between a consent prompt and a credential prompt?

Answer: A consent prompt is displayed to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval from the user to continue with the task being performed. A credential prompt is displayed to standard users when they attempt to perform an administrative task.


Demonstration: Configuring Group Policy Settings for UAC

Prior to the implementation of UAC, standard users working on a personal computer or in a network setting often had the option of installing applications. Although administrators at the time were able to create Group Policy settings to limit application installations, they had no way to limit application installations for standard users as a default setting.
UAC improves upon this experience by allowing
administrators to define a default setting that limits
application installations for standard users.
Additionally, administrators can use Group Policy to
define an approved list of devices and deployment.
UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the Local Group Policy Editor (gpedit.msc). In most corporate environments, Group Policy is preferred because it can be centrally managed and controlled.
There are nine Group Policy object (GPO) settings that can
be configured for UAC. The following table identifies the
different UAC GPO settings in Windows 7 and provides
recommendations.

Setting: User Account Control: Admin Approval Mode for the built-in Administrator account
Description:
• Enabled - the built-in Administrator is run as an administrator in Admin Approval Mode.
• Disabled - the administrator runs with a full administrator access token.
Default Value:
• Disabled for new installations and for upgrades where the built-in Administrator is not the only local active administrator on the computer. The built-in Administrator account is disabled by default for installations and upgrades on domain-joined computers.
• Enabled for upgrades when Windows 7 determines that the built-in Administrator account is the only active local administrator on the computer. If Windows 7 determines this, the built-in Administrator account is also kept enabled following the upgrade. The built-in Administrator account is disabled by default for installations and upgrades on domain-joined computers.

Setting: User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
Description:
• Elevate without prompting (all applications elevate silently)
• Prompt for credentials on the desktop
• Prompt for consent on the desktop
• Prompt for credentials without the secure desktop
• Prompt for consent without the desktop
• Prompt for consent for non-Windows signed binaries
Default Value: Prompt for consent for non-Windows signed binaries

Setting: User Account Control: Behavior of the elevation prompt for standard users
Description:
• Automatically deny elevation requests
• Prompt for credentials on the desktop
• Prompt for credentials
Default Value:
• Home: Prompt for credentials
• Enterprise: Prompt for credentials

Setting: User Account Control: Detect application installations and prompt for elevation
Description:
• Enabled - the user is prompted for consent or credentials when Windows 7 detects an installer.
• Disabled - application installations silently fail or fail in a non-deterministic manner. Enterprises that are running standard users' desktops that leverage delegated installation technologies like Group Policy Software Installation (GPSI) or Systems Management Server (SMS) will disable this feature. In this case, installer detection is unnecessary and therefore not required.
Default Value: Enabled

Setting: User Account Control: Only elevate executables that are signed and validated
Description:
• Enabled - only signed executable files run. This policy enforces Public Key Infrastructure (PKI) signature checks on any interactive application that requests elevation. Enterprise administrators can control the administrative application allowed list through certificate population in the local computers' Trusted Publisher Store.
• Disabled - both signed and unsigned code are run.
Default Value: Disabled

Setting: User Account Control: Only elevate UIAccess applications that are installed in secure locations
Description:
• Enabled - the system only gives UIAccess privileges and user rights to executables that are launched from %ProgramFiles% or %windir%. UIAccess executables launched from other locations will launch without additional privileges.
• Disabled - the location checks are not done. All UIAccess applications are launched with the user's full access token upon user approval.
Default Value: Enabled

Setting: User Account Control: Run all administrators in Admin Approval Mode
Description:
• Enabled - both administrators and standard users are prompted when they attempt to perform administrative operations. The prompt style is dependent on policy.
• Disabled - UAC is essentially "turned off" and the Asset Inventory Service (AIS) is disabled from automatically starting. The Windows Security Center notifies the logged on user that the operating system's overall security has been reduced and gives the user the ability to self-enable UAC.
Default Value: Enabled

Setting: User Account Control: Switch to the secure desktop when prompting for elevation
Description:
• Enabled - displays the UAC elevation prompt on the secure desktop. The secure desktop can only receive messages from Windows processes, which eliminates messages from malicious software.
• Disabled - the UAC elevation prompt is displayed on the interactive (user) desktop.
Default Value: Enabled

Setting: User Account Control: Virtualize file and registry write failures to per-user locations
Description:
• Enabled - this policy enables the redirection of pre-Windows 7 application write failures to defined locations in both the registry and file system. This feature mitigates applications that historically ran as administrator and wrote runtime application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software\. Keep this setting enabled in environments that utilize applications that lack an application compatibility database entry or a requested execution level marking in the application manifest.
• Disabled - virtualization facilitates the running of pre-Windows 7 applications that historically failed to run as a standard user. An administrator that is running only Windows 7 compliant applications may choose to disable this feature because it is unnecessary. Non-UAC compliant applications that attempt to write %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software\ silently fail if this setting is disabled.
Default Value: Enabled

Note: Modifying the "User Account Control: Run all administrators in Admin Approval
Mode" setting requires a computer restart before the setting becomes effective. All
other UAC Group Policy settings are dynamic and do not require a restart.

Demonstration

This demonstration shows the different UAC group policy
settings in the Local Group Policy Editor (gpedit.msc)
snap-in and additionally shows how to configure some of
them.

Create a UAC Group Policy Setting preventing Access Elevation
1. Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, and in the Search programs and files box, type “gpedit.msc”, and then press ENTER.
3. In the Local Group Policy Editor, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for standard users.
5. In the User Account Control: Behavior of the elevation prompt for standard users dialog box, click Automatically deny elevation requests, and then click OK.
6. Close the Local Group Policy Editor console.
7. Log off.

Test the UAC Settings
1. Log on to LON-CL1 as Contoso\Adam with a password of Pa$$w0rd.
2. Click Start, right-click Computer, and then select Manage.
3. Click OK when prompted.
4. Log off.

Create a UAC Group Policy Setting prompting for Credentials
1. Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, and in the Search programs and files box, type “gpedit.msc”, and then press ENTER.
3. In the Local Group Policy Editor, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for standard users.
5. In the User Account Control: Behavior of the elevation prompt for standard users dialog box, click Prompt for credentials, and then click OK.
6. Close the Local Group Policy Editor console.
7. Log off.

Test the UAC Settings
1. Log on to LON-CL1 as Contoso\Adam with a password of Pa$$w0rd.
2. Click Start, right-click Computer, and then select Manage.
3. Type “Administrator” in the User name field.
4. Type “Pa$$w0rd” in the Password field.
5. Click Yes.
6. Close the Computer Management console.
7. Log off.

Question: Which User Account Control setting detects when an application is being installed in Windows 7?

Answer: User Account Control: Detect application installations and prompt for elevation.

Configuring UAC Notification Settings

With Windows 7, the "on or off only" approach of Windows Vista is changed. The following table identifies the four settings that enable customization of the elevation prompt experience. These notification settings can be maintained through the Action Center.

Prompt: Never notify
Description: UAC is off.

Prompt: Notify me only when programs try to make changes to my computer (do not dim my desktop)
Description: When a program makes a change, a prompt appears, but the desktop is not dimmed. Otherwise, the user is not prompted.

Prompt: Notify me only when programs try to make changes to my computer
Description: When a program makes a change, a prompt appears, and the desktop is dimmed to provide a visual cue that installation is being attempted. Otherwise, the user is not prompted.

Prompt: Always notify me
Description: The user is always prompted when changes are made to the computer.

Because the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment affect the prompts and dialog boxes that standard users, administrators, or both, can view.

For example, you may require administrative permissions to change the UAC setting to "Always notify me" or "Always notify me and wait for my response." With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page indicating the requirement.
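The nine Group Policy settings in the earlier table, the standard-user prompt behavior the demonstration changes, and the four Action Center notification levels all end up as values under one registry key. The following added example (not from the courseware) reads those values, flags departures from the defaults, and works out which Action Center level the current combination corresponds to; the value names, defaults and level mapping are assumptions about the Windows 7 implementation, not text from this page.

```powershell
# Added example, not courseware code. Audits the nine UAC Group Policy settings
# through the registry values that back them on Windows 7 and derives the
# Action Center notification level. Value names, defaults and the level mapping
# are assumptions about the Windows 7 implementation (PowerShell 2.0 syntax).
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy name as shown in secpol.msc, backing registry value, assumed default.
$uacSettings = @(
    @{ Policy = 'Admin Approval Mode for the built-in Administrator account';                  Value = 'FilterAdministratorToken';    Default = 0 },
    @{ Policy = 'Behavior of the elevation prompt for administrators in Admin Approval Mode';  Value = 'ConsentPromptBehaviorAdmin';  Default = 5 },
    @{ Policy = 'Behavior of the elevation prompt for standard users';                         Value = 'ConsentPromptBehaviorUser';   Default = 3 },
    @{ Policy = 'Detect application installations and prompt for elevation';                   Value = 'EnableInstallerDetection';    Default = 1 },
    @{ Policy = 'Only elevate executables that are signed and validated';                      Value = 'ValidateAdminCodeSignatures'; Default = 0 },
    @{ Policy = 'Only elevate UIAccess applications that are installed in secure locations';   Value = 'EnableSecureUIAPaths';        Default = 1 },
    @{ Policy = 'Run all administrators in Admin Approval Mode';                               Value = 'EnableLUA';                   Default = 1 },
    @{ Policy = 'Switch to the secure desktop when prompting for elevation';                   Value = 'PromptOnSecureDesktop';       Default = 1 },
    @{ Policy = 'Virtualize file and registry write failures to per-user locations';           Value = 'EnableVirtualization';        Default = 1 }
)

function Get-UacValue([string]$name, [int]$default) {
    $item = Get-ItemProperty -Path $uacKey -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $default }     # absent value: the Windows default applies
    return [int]$item.$name
}

function Get-UacAudit {
    foreach ($s in $uacSettings) {
        $actual = Get-UacValue $s.Value $s.Default
        New-Object PSObject -Property @{
            Value   = $s.Value
            Actual  = $actual
            Default = $s.Default
            Changed = ($actual -ne $s.Default)
            Policy  = $s.Policy
        }
    }
}

# Which Action Center slider position does the current combination represent?
# The slider only ever writes these three values; anything else came from policy.
function Get-UacNotificationLevel {
    $lua    = Get-UacValue 'EnableLUA' 1
    $admin  = Get-UacValue 'ConsentPromptBehaviorAdmin' 5
    $secure = Get-UacValue 'PromptOnSecureDesktop' 1
    if ($lua -eq 0) { return 'Never notify (UAC is off)' }
    switch ("$admin/$secure") {
        '5/1'   { 'Notify me only when programs try to make changes to my computer' }
        '5/0'   { 'Notify me only when programs try to make changes to my computer (do not dim my desktop)' }
        '2/1'   { 'Always notify me' }
        default { "Custom combination ($admin/$secure) set by Group Policy, not by the slider" }
    }
}

# Findings a defender would raise from the audit.
function Get-UacFindings {
    $v = @{}
    foreach ($s in $uacSettings) { $v[$s.Value] = Get-UacValue $s.Value $s.Default }
    if ($v.EnableLUA -eq 0)                  { 'UAC disabled: administrators always run with the full token.' }
    if ($v.ConsentPromptBehaviorAdmin -eq 0) { 'Administrators elevate silently: any program they run can use the full token unnoticed.' }
    if ($v.PromptOnSecureDesktop -eq 0)      { 'Prompts are shown on the interactive desktop, where other programs can overlay or spoof them.' }
    if ($v.ValidateAdminCodeSignatures -eq 1) { 'Only signed executables may elevate: confirm the Trusted Publisher store covers your admin tools.' }
    if ($v.ConsentPromptBehaviorUser -eq 0)  { 'Standard users are automatically denied elevation (the first demonstration setting).' }
}

Get-UacAudit | Format-Table Value, Actual, Default, Changed, Policy -AutoSize
"Notification level: $(Get-UacNotificationLevel)"
Get-UacFindings
```

A change to EnableLUA shows up in the audit immediately but, as the note on the settings table says, does not take effect until the computer restarts.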

Question: What two configuration options are combined to produce the end user elevation experience?

Answer: User Account Control security settings configured in Local Security Policy and User Account Control settings configured in the Action Center in Control Panel.

Lesson 6
Configuring Windows Firewall

Windows Firewall is a host-based, stateful firewall included in Windows 7. It drops incoming traffic that does not correspond to traffic sent in response to a request (solicited traffic) or unsolicited traffic that has been specified as allowed (accepted traffic). Windows Firewall helps provide protection from malicious users and programs that rely on unsolicited incoming traffic to attack computers. Windows Firewall can also drop outgoing traffic and is configured using the Windows Firewall with Advanced Security snap-in, which integrates rules for both firewall behavior and traffic protection with Internet Protocol security (IPsec).

Discussion: What is a Firewall?

A firewall is software or hardware that checks information coming from the Internet or a network, and then either blocks it or allows it to pass through to a computer. A firewall helps prevent hackers or malicious software from gaining access to the computer through a network or the Internet. A firewall can also help stop a computer from sending malicious software to other computers.
Firewalls are the equivalent of door locks, employee badges, and security systems. Just as you use locks to secure a car and home, you use firewalls to protect computers and networks. No firewall makes a computer impenetrable to an attack. Firewalls, like locks, create barriers, and they make it difficult for attackers to get into the computer. As a result, the computer becomes less attractive to attackers. Firewalls effectively block most intrusions.

The two main firewall types are network firewalls and host-based firewalls. Network firewalls are located at the network's perimeter, and host-based firewalls are located on individual hosts within the network.

Network Perimeter Firewalls

Network perimeter firewalls are either hardware-based, software-based, or a combination of both and provide a variety of services, including the following:
• Management and control of network traffic: performs dynamic packet filtering (also known as stateful inspection), connection monitoring, and application-level filtering.
• Stateful connection analysis: inspects the state of all communications between hosts and stores connection data in state tables.
• Virtual private network (VPN) gateway functionality: provides IPsec authentication and encryption together with Network Address Translation-Traversal (NAT-T), allowing permitted IPsec traffic to traverse the firewall with public to private IPv4 address translation.

Host-based Firewalls
Network perimeter firewalls cannot provide protection for
traffic generated inside a trusted network. For this
reason, host-based firewalls that run on individual
computers are needed. Host-based firewalls, such as
Windows Firewall with Advanced Security, protect a host
from unauthorized access and attack, and can often be
configured to block specific types of outgoing traffic.
Host-based firewalls provide an extra layer of security in
a network and function as integral components in a
complete defense strategy.
Question: What type of firewall does your organization
currently use?
Question: What are the reasons that it was selected?
Answer: Answers will vary.

Configuring the Basic Firewall Settings

In Windows 7 basic firewall information is centralized in
Control Panel in the Network and Sharing Center and System
and Security. In System and Security, you can configure
basic Windows Firewall settings and access the Action
Center to view notifications for firewall alerts. In the
Network and Sharing Center, you can configure all types of
network connections; for example, changing the network
location profile.

Network Location Profiles


The first time that a computer connects to a network,
users must select a network location. This automatically
sets appropriate firewall and security settings for that
type of network. When users are connecting to networks in
different locations, choosing a network location can help
ensure that the computer is always set to an appropriate
security level. There are three network locations:

• Home or work (private) networks: networks at home or work where you know and trust the people and devices on the network. When Home or work (private) networks is selected, Network Discovery is turned on. Computers on a home network can belong to a HomeGroup.
• Domain networks: networks at a workplace that are attached to a domain. This option is used automatically for any network that allows communication with a domain controller. Network Discovery is on by default and you cannot create or join a HomeGroup.
• Public networks: networks in public places. This location is designed to keep the computer from being visible to other computers. When Public place is the selected network location, HomeGroup is not available and Network Discovery is turned off.
You can modify the firewall settings for each type of
network location from the main Windows Firewall page.
Click Turn Windows Firewall on or off, select the network
location, and then make your selection. You can also
choose to modify the following options:
• Block all incoming connections, including those in the
list of allowed programs
• Notify me when Windows Firewall blocks a new program

Note: Some settings may be managed by your system administrator depending on Group Policy configurations.

The Public networks location blocks certain programs and services from running to help protect the computer from unauthorized access. If you are connected to a Public network and Windows Firewall is turned on, some programs or services might ask you to allow them to communicate through the firewall so that they work properly.

Firewall Exceptions
When you add a program to the list of allowed programs or open a firewall port, you are allowing that program to send information to or from the computer. Continuing with the scenario from the previous topic, allowing a program to communicate through a firewall is like unlocking a door in the firewall. Each time the door is opened, the computer becomes less secure.
It is generally safer to add a program to the list of allowed programs than to open a port. If you open a port, the door is unlocked and open. It stays open until you close it, whether a program is using it or not. If you add a program to the list of allowed programs, you are unlocking the door, but not opening it. The door is open only when required for communication.
To add, change, or remove allowed programs and ports,
click Allow a program or feature through Windows Firewall
in the left pane of the Windows Firewall page and then
click Change. For example, to view performance counters
from a remote computer, the Performance Logs and Alerts
firewall exception must be enabled on the remote computer.
To help decrease security risks when opening
communications, consider the following:
• Only allow a program or open a port when required
• Remove programs from the allowed programs or close
ports when they are not required
• Never allow a program you do not recognize to
communicate through the firewall

Multiple Active Firewall Policies


In Windows Vista, only one firewall profile can be active
at once. If multiple profiles exist, Windows Firewall
enforces the most restrictive profile. When remote users
try to connect through a VPN, a cumbersome workaround is
required. An administrator must deploy multiple firewall
rules for the same application. One profile is designed
for a public profile and one is designed for a private
profile, with both restricted to their corresponding VPN
interface type.
Windows 7 alleviates this problem with multiple active firewall policies. These firewall policies enable computers to obtain and apply domain firewall profile information, regardless of the networks that are active on the computers. IT professionals can maintain a single set of rules for remote clients and clients that are physically connected to the corporate network. To set up or modify network location profile settings, click Change advanced sharing settings in the left pane of the Network and Sharing Center.

Windows Firewall Notifications


In addition to the notification setting available when you
turn Windows Firewall on or off, you can display firewall
notifications in the taskbar. In the All Control Panel
Items area of Control Panel, click Notification Area
Icons. Alternatively, click the up arrow in the taskbar
and then click Customize. Select the firewall icon and
then choose the desired behavior:
• Show icon and notifications
• Hide icon and notifications
• Only Show notifications
Notifications are also displayed in the Action Center in
Control Panel. You can modify notifications settings in
this area by clicking Change Action Center settings.

Question: List the three network locations. Where do you modify them, and what feature of Windows 7 allows you to use more than one?

Answer: The three network locations are as follows:

• Home or work (private) networks: for networks at home or work where you know and trust the people and devices on the network. When Home or work (private) networks is selected, Network Discovery is turned on. Computers on a home network can belong to a HomeGroup.
• Domain networks: for networks at a workplace that are attached to a domain. When this option is selected, Network Discovery is on by default and you cannot create or join a HomeGroup.
• Public networks: for networks in public places. This location is designed to keep the computer from being visible to other computers. When Public place is the selected network location, HomeGroup is not available and Network Discovery is turned off.
You can modify the firewall settings for each type of network location from the main Windows Firewall page. To set up or modify network location profile settings, click Change advanced sharing settings in the left pane of the Network and Sharing Center.
Multiple active firewall policies enable computers to obtain and apply domain firewall profile information, regardless of the networks that are active on the computers.

Windows Firewall with Advanced Security Settings

Windows Firewall with Advanced Security is a host-based firewall that filters incoming and outgoing connections based on its configuration. While typical end-user configuration still takes place through Windows Firewall in Control Panel, advanced configuration now takes place in Windows Firewall with Advanced Security. This snap-in is accessible in Control Panel from the Windows Firewall page by clicking Advanced Settings in the left pane. The snap-in provides an interface for configuring Windows Firewall locally, on remote computers, and by using Group Policy.
Windows Firewall with Advanced Security is an example of a network-aware application. You can create a profile for each network location type, with each profile containing different firewall policies. For example, you can allow incoming traffic for a specific desktop management tool when the computer is on domain networks but block traffic when the computer is connected to public or private networks.
In this way, network awareness provides flexibility on the internal network without sacrificing security when users travel. A public network profile must have stricter firewall policies to protect against unauthorized access. A private network profile might have less restrictive firewall policies to allow file and print sharing or peer-to-peer discovery.

Windows Firewall with Advanced Security Properties


Use the Windows Firewall with Advanced Security Properties
page to configure basic firewall properties for domain,
private, and public network profiles. A firewall profile
is a way of grouping settings, including firewall rules
and connection security rules. Use the IPsec Settings tab
to configure the default values for IPsec configuration
options. The options that you can configure for each of
the three network profiles are:
• Firewall State: turn on or off independently for each
profile.
• Inbound Connections: configure to block connections
that do not match any active firewall rules, block all
connections regardless of inbound rule specifications,
or allow inbound connections that do not match an
active firewall rule.
• Outbound Connections: configure to allow connections
that do not match any active firewall rules or block
outbound connections that do not match an active
firewall rule.
• Settings: configure display notifications, unicast
responses, local firewall rules, and local connection
security rules.
• Logging: configure the following logging options.
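The same per-profile options can be set from the command line with netsh advfirewall, the Windows 7 command-line counterpart of the Properties page. The following PowerShell script is an added example, not part of the course; it assumes an elevated prompt on Windows 7, and the log file path it uses is the Windows 7 default, restated here as an assumption.

```powershell
# Added example (not from the course). Maps the per-profile options on the
# Windows Firewall with Advanced Security Properties page to netsh advfirewall.
# Assumes an elevated PowerShell prompt on Windows 7.

function Set-FirewallProfile {
    param(
        [Parameter(Mandatory=$true)]
        [ValidateSet('domainprofile','privateprofile','publicprofile','allprofiles')]
        [string]$Profile,

        # Inbound Connections: the three choices described above.
        #   blockinbound       - block unless an active allow rule matches
        #   blockinboundalways - block everything, ignoring inbound allow rules
        #   allowinbound       - allow unless an active block rule matches
        [ValidateSet('blockinbound','blockinboundalways','allowinbound')]
        [string]$Inbound = 'blockinbound',

        # Outbound Connections: allow or block when no rule matches.
        [ValidateSet('allowoutbound','blockoutbound')]
        [string]$Outbound = 'allowoutbound',

        # Logging: successful connections are logged only on request.
        [switch]$LogAllowed
    )

    # Firewall State: on, set independently for the selected profile(s).
    netsh advfirewall set $Profile state on | Out-Null

    # Default action pair; quoted so PowerShell passes it as one argument
    # instead of splitting it into two on the comma.
    netsh advfirewall set $Profile firewallpolicy "$Inbound,$Outbound" | Out-Null

    # Settings: notify when a program is blocked from listening, do not
    # answer multicast/broadcast with unicast, and keep honouring locally
    # created firewall and connection security rules.
    netsh advfirewall set $Profile settings inboundusernotification enable | Out-Null
    netsh advfirewall set $Profile settings unicastresponsetomulticast disable | Out-Null
    netsh advfirewall set $Profile settings localfirewallrules enable | Out-Null
    netsh advfirewall set $Profile settings localconsecrules enable | Out-Null

    # Logging: dropped packets always; the path is the Windows 7 default
    # (assumption), the size limit is in KB.
    $log = Join-Path $env:SystemRoot 'system32\LogFiles\Firewall\pfirewall.log'
    netsh advfirewall set $Profile logging filename "$log" | Out-Null
    netsh advfirewall set $Profile logging maxfilesize 4096 | Out-Null
    netsh advfirewall set $Profile logging droppedconnections enable | Out-Null
    $allowed = if ($LogAllowed) { 'enable' } else { 'disable' }
    netsh advfirewall set $Profile logging allowedconnections $allowed | Out-Null
}

function Show-FirewallProfile {
    # Prints state, default policy, settings and logging for review.
    param(
        [ValidateSet('domainprofile','privateprofile','publicprofile',
                     'allprofiles','currentprofile')]
        [string]$Profile = 'allprofiles'
    )
    netsh advfirewall show $Profile
}

# Domain and private: the defaults described above. Public: stricter, as the
# text recommends for public networks; blockinboundalways ignores inbound
# allow rules in the same way as the "Block all incoming connections"
# check box, and allowed connections are logged as well.
Set-FirewallProfile -Profile domainprofile
Set-FirewallProfile -Profile privateprofile
Set-FirewallProfile -Profile publicprofile -Inbound blockinboundalways -LogAllowed
Show-FirewallProfile -Profile publicprofile
```

Where Group Policy manages these settings, the local values written here are overridden by the policy values, which is what the note about administrator-managed settings refers to.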

Windows Firewall with Advanced Security Rules

Rules are a collection of criteria that define which traffic you will allow, block, or secure with the firewall. You can configure different types of rules:
• Inbound
• Outbound
• Connection Security

Inbound Rules
Inbound rules explicitly allow or block traffic that
matches criteria in the rule. For example, you can
configure a rule to allow traffic secured by IPsec for
Remote Desktop through the firewall, but block the same
traffic if it is not secured by IPsec.
When Windows is first installed, all unsolicited inbound
traffic is blocked. To allow a certain type of unsolicited
inbound traffic, you must create an inbound rule that
describes that traffic. For example, if you want to run a
Web server, then you must create a rule that allows
unsolicited inbound network traffic on TCP port 80. You can configure the default action that Windows Firewall with Advanced Security takes, allowing or blocking the connection, when no inbound rule applies.

Outbound Rules
Windows Firewall allows all outbound traffic unless a rule
blocks it. Outbound rules explicitly allow or deny traffic
originating from the computer that matches the criteria in
the rule. For example, you can configure a rule to
explicitly block outbound traffic to a computer (by IP
address) through the firewall, but allow the same traffic
for other computers.

Inbound and Outbound Rule Types

There are four different types of inbound and outbound rules:
• Program rules: control connections for a program. Use this type of firewall rule to allow a connection based on the program that is trying to connect. These rules are useful when you are not sure of the port or other required settings since you only specify the path to the program executable (.exe) file.
• Port rules: control connections for a TCP or User Datagram Protocol (UDP) port. Use this type of firewall rule to allow a connection based on the TCP or UDP port number over which the computer is trying to connect. You specify the protocol and individual or multiple local ports.
• Predefined rules: control connections for a Windows experience. Use this type of firewall rule to allow a connection by selecting one of the programs or experiences from the list. Network aware programs that you install typically add their own entries to this list so that you can enable and disable them as a group.
• Custom rules: can be configured as needed. Use this type of firewall rule to allow a connection based on criteria not covered by the other types of firewall rules.
Consider this scenario: You want to create and manage
tasks on a remote computer by using the Task Scheduler
user interface. Before connecting to the remote computer
you must enable the Remote Scheduled Tasks Management
firewall exception on the remote computer. This can be
done by using the predefined rule type on an inbound rule.
Alternatively, you may want to block all Web traffic on
the default TCP Web server port, 80. In this scenario you
create an outbound port rule that blocks the specified
port. Well-Known Ports such as port 80 are discussed in
the “Well-Known Ports Used by Applications” topic.

Connection Security Rules

Firewall rules and connection security rules are complementary, and both contribute to a defense-in-depth strategy to help protect your computer. Connection security rules secure traffic by using IPsec while it crosses the network. Use connection security rules to specify that connections between two computers must be authenticated or encrypted. Connection security rules specify how and when authentication occurs, but they do not allow connections. To allow a connection, create an inbound or outbound rule. After a connection security rule is in place, you can specify that inbound and outbound rules apply only to specific users or computers.
You can create the following connection security rule
types:
• Isolation rules: isolate computers by restricting
connections based on authentication criteria, such as
domain membership or health status. Isolation rules
allow you to implement a server or domain isolation
strategy.
• Authentication exemption rules: designate connections that are not required to authenticate. You can designate computers by specific IP address, an IP address range, a subnet, or a predefined group such as gateway. This rule type is typically used to grant access to infrastructure computers, such as Active Directory domain controllers, certification authorities, or DHCP servers.
• Server-to-server rules: protect connections between specific computers. When you create the rule, specify the network endpoints between which communications are protected. Then, designate requirements and the type of authentication you want to use, such as Kerberos. You might use this rule to authenticate the traffic between a database server and a business-layer computer.
• Tunnel rules: secure communications that are traveling between two computers by using tunnel mode in IPsec instead of transport mode. Tunnel mode embeds the entire network packet into one that is routed between two defined endpoints. For each endpoint, specify a single computer that receives and consumes the network traffic sent, or specify a gateway computer that connects to a private network onto which the received traffic is routed after extracting it from the tunnel.
• Custom rules: can be configured as needed. They authenticate connections between two endpoints when you cannot set up authentication rules by using the other rule types.

Monitoring
Windows Firewall uses the monitoring interface to display
information about current firewall rules, connection
security rules, and security associations. The Monitoring
overview page shows which profiles are active (domain,
private, or public) and the settings for the active
profiles.

Note: When you view the Windows Firewall with Advanced Security snap-in within the
Group Policy Editor snap-in, the Monitoring node does not display.

The Windows Firewall with Advanced Security events are also available in Event Viewer. For example, the ConnectionSecurity operational event log is a resource that you can use to view IPsec related events. The operational log is always on and contains events for connection security rules.

Question: There are three types of rules that can be created in Windows Firewall with Advanced Security. List each type and the types of rules that can be created for each.

Answer: The three types with their associated types are as follows:

• Inbound and Outbound rules
  • Program rules
  • Port rules
  • Predefined rules
  • Custom rules
• Connection Security Rules
  • Isolation rules
  • Authentication exemption rules
  • Server-to-server
  • Tunnel rules
  • Custom rules

Well-Known Ports Used by Applications

Before you configure either inbound or outbound firewall rules, you must understand how applications communicate on a TCP/IP network. At a high level, when an application wants to establish communications with an application on a remote host, it creates a TCP or UDP socket.
The socket identifies the transport protocol that the application uses, either TCP or UDP. The socket next identifies the IPv4 or IPv6 address of the source and destination hosts. Finally, to ensure that communication takes place successfully between the appropriate applications on the two communicating hosts, the socket identifies the TCP or UDP port number that the applications are using. Ports are used in TCP or UDP communications to name the ends of logical connections that transfer data. This combination of transport protocol, IP address, and port creates the socket.

Well-Known Ports
Well-known ports are assigned by the Internet Assigned Numbers Authority (IANA) and on most systems can only be used by system processes or by programs executed by privileged users. Ports receive a number between 0 and 65,535 and are divided into three ranges:
• Well-known ports are those from 0 through 1023.
• Registered ports are those from 1024 through 49151.
• Dynamic and private ports are those from 49152 through 65535.
Well-known ports are assigned to specific applications so that client applications can locate them on remote systems. To the extent possible, the same port assignments are used with TCP and UDP. The table identifies some well-known ports.

Port Protocol Application

80 TCP HTTP used by a Web server
443 TCP HTTPS for secured Web server
110 TCP Post Office Protocol version 3 (POP3) used for e-mail retrieval from e-mail clients
25 TCP Simple Mail Transfer Protocol (SMTP) that e-mail servers and clients use to send e-mail
53 UDP Domain Name System (DNS)
53 TCP DNS
21 TCP File Transfer Protocol (FTP)

It typically is not necessary to configure applications to use specific ports. However, you must be aware of the ports that applications are using to ensure that the required ports are open through your firewall when you use a port rule.

Remember, when you add a TCP or UDP port to the rules list, the port is open whenever Windows Firewall with Advanced Security is running, whether or not there is a program or system service listening for incoming traffic on the port. For this reason, if you need to allow unsolicited incoming traffic, create a program rule instead of a port rule. With a program rule, the port is dynamically opened and closed as required by the program. You also do not need to be aware of the port number that the application is using. If you change the application port number, the firewall automatically continues communication on the new port.
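The following PowerShell script is an added example, not part of the course. It expresses the two kinds of "door" from the Firewall Exceptions topic as netsh advfirewall rules, and, before any port rule is written, lists which process is listening on which port from netstat output labelled with the well-known ports in the table above. The agent path and the sample netstat lines are constructed placeholders; the rule commands need an elevated prompt on Windows 7.

```powershell
# Added example (not from the course). Shows the two kinds of "door" as
# netsh advfirewall rules, and how to see which process actually listens
# on which port before a port rule is written. Assumes an elevated
# PowerShell prompt on Windows 7; the agent path and the sample netstat
# lines are constructed placeholders.

# Well-known ports from the table in this topic, keyed as protocol/port.
$WellKnownPorts = @{
    'TCP/80' = 'HTTP'; 'TCP/443' = 'HTTPS'; 'TCP/110' = 'POP3'; 'TCP/25' = 'SMTP'
    'UDP/53' = 'DNS';  'TCP/53'  = 'DNS';   'TCP/21'  = 'FTP'
}

# Constructed sample of "netstat -ano" output so the parser runs offline.
$SampleNetstat = @(
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4242',
    '  TCP    10.10.0.21:49210       10.10.0.10:445         ESTABLISHED     4',
    '  UDP    0.0.0.0:53             *:*                                    4243',
    '  TCP    [::]:443               [::]:0                 LISTENING       4242'
)

function Get-ListeningPort {
    # Parses netstat output into socket endpoints: transport protocol,
    # local address, port and owning process. TCP lines are kept only in
    # the LISTENING state; UDP lines have no state column and are always kept.
    param([string[]]$NetstatLines = (netstat -ano))
    foreach ($line in $NetstatLines) {
        if ($line -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$') {
            $proto = $Matches[1]; $port = [int]$Matches[3]; $ownerPid = [int]$Matches[4]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name = '?'
            if ($proc) { $name = $proc.ProcessName }
            New-Object PSObject -Property @{
                Protocol = $proto; Address = $Matches[2]; Port = $port
                PID = $ownerPid; Process = $name; Service = $WellKnownPorts["$proto/$port"]
            }
        }
    }
}

function Add-ProgramRule {
    # Program rule: the door is unlocked but opened only while this
    # executable listens. No port number is needed, and a port change in
    # the application needs no rule change.
    param([string]$Name, [string]$Path, [string]$Profile = 'domain')
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        program="$Path" enable=yes profile=$Profile
}

function Add-PortRule {
    # Port rule: the door stays open on this port whether or not anything
    # is listening, until the rule is removed or disabled.
    param([string]$Name, [int]$Port, [string]$Protocol = 'TCP', [string]$Profile = 'domain')
    netsh advfirewall firewall add rule name="$Name" dir=in action=allow `
        protocol=$Protocol localport=$Port enable=yes profile=$Profile
}

function Remove-FirewallRule {
    param([string]$Name)
    netsh advfirewall firewall delete rule name="$Name"
}

# Offline run on the constructed lines; omit -NetstatLines for the live host.
Get-ListeningPort -NetstatLines $SampleNetstat |
    Select-Object Protocol, Address, Port, PID, Process, Service | Format-Table -AutoSize

$agent = 'C:\Program Files\Contoso\Agent\agent.exe'   # hypothetical path
Add-ProgramRule -Name 'Contoso Agent (program)' -Path $agent
# Fall back to a port rule only when the listener cannot be named by its
# executable, and remove it again as soon as it is no longer required:
# Add-PortRule -Name 'Contoso Agent (port)' -Port 8080
netsh advfirewall firewall show rule name='Contoso Agent (program)'
Remove-FirewallRule -Name 'Contoso Agent (program)'
```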

Question: What is the TCP port used by HTTP by a Web server?

Answer: The TCP port is 80.



Demonstration: Configuring Inbound, Outbound, and Connection Security Rules

This demonstration shows how to configure inbound and outbound rules, create a connection security rule, and review monitoring in Windows Firewall with Advanced Security.

Configure an Inbound Rule


1. Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, and then click Control Panel.
3. Click System and Security.
4. Click Windows Firewall.
5. In the left window pane, click Advanced settings.

6. In Windows Firewall with Advanced Security, select


Inbound Rules in the left pane.
7. Review the existing inbound rules, right-click Inbound Rules, and click New Rule.
8. On the Rule Type page of the New Inbound Rule wizard, select Predefined and then select Remote Scheduled Tasks Management from the dropdown menu.
9. Click Next.
10. Select both of the Remote Scheduled Tasks Management (RPC) rules, and then click Next.
11. Select Block the connection, and then click Finish.

Configure an Outbound Rule

1. On LON-CL1, click Start, and then click All Programs.
2. Click Internet Explorer.
3. If prompted by the Welcome to Internet Explorer 8 wizard, click Ask me later.
4. Type “http://LON-DC1” into the Address field and then press ENTER to connect to the default Web site on LON-DC1.
5. Close Internet Explorer.
6. In the Windows Firewall with Advanced Security console, select Outbound Rules in the left pane.
7. Review the existing Outbound rules, right-click Outbound Rules, and then click New Rule.
8. On the Rule Type page of the New Outbound Rule wizard, select Port, and then click Next.
9. Select TCP, select Specific remote ports and then type “80”.
10. Click Next.
11. Select Block the connection and then click Next.


12. On the Profile page, click Next.
13. Type “HTTP – TCP 80” in the Name field and then click Finish.

Test the Outbound Rule


1. On LON-CL1, click Start, and then click All Programs.
2. Click Internet Explorer.
3. Type “http://LON-DC1” into the Address field and then
press ENTER to attempt to connect to the default Web
site on LON-DC1.

4. Close Internet Explorer.

Create a Connection Security Rule

1. In Windows Firewall with Advanced Security, select Connection Security Rules in the left pane.
2. Right-click Connection Security Rules and then select the New Rule… option.
3. Select Server-to-server and then click Next.
4. On the Endpoints page, click Next.
5. Select Require authentication for inbound and outbound connections and then click Next.
6. Select Advanced and then click the Customize… button.
7. Under First authentication, click the Add… button.
8. In the Add First Authentication Method dialog box, select Computer (Kerberos V5), and then click OK.
9. Under Second authentication, click the Add… button.
10. In the Add Second Authentication Method dialog box, select User (Kerberos V5) and then click OK.

11. In the Customize Advanced Authentication Methods dialog box, click OK.
12. Click Next and then click Next again.
13. Type “Kerberos Connection Security Rule” and then click Finish.

Review Monitoring Settings in Windows Firewall

1. In Windows Firewall with Advanced Security, select Monitoring in the left pane.
2. Expand Monitoring, and then select Firewall.
3. Click Connection Security Rules.
4. Click Security Associations.
5. Select Outbound Rules in the left pane.
6. Select the HTTP – TCP 80 rule, right-click and select Disable Rule.
7. Select Connection Security Rules.
8. Select Kerberos Connection Security Rule, right-click and then click Disable Rule.
9. Close Windows Firewall with Advanced Security.
10. Log off.
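The following PowerShell script is an added example, not part of the course. It builds the same inbound, outbound and connection security rules as the demonstration with netsh advfirewall on LON-CL1, tests the outbound rule against LON-DC1, queries the monitoring data, and disables the rules again. It assumes an elevated prompt; the service names and RPC port keywords used to mirror the predefined Remote Scheduled Tasks Management rules, and the name of the ConnectionSecurity event log, are assumptions.

```powershell
# Added example (not from the course). Scripts the configuration the
# demonstration builds in the snap-in, using netsh advfirewall on LON-CL1.
# Assumes an elevated PowerShell prompt; LON-DC1 hosts the default Web site.

function New-DemoInboundRules {
    # Steps 8-11: the wizard copies the two predefined "Remote Scheduled
    # Tasks Management" rules with the action set to Block. The program,
    # service and RPC port keywords below mirror those predefined rules
    # (assumption); netsh resolves RPC and RPC-EPMap to the dynamic ports.
    $svchost = "$env:SystemRoot\system32\svchost.exe"
    netsh advfirewall firewall add rule name="Remote Scheduled Tasks Management (RPC) - Block" `
        dir=in action=block protocol=TCP localport=RPC program="$svchost" service=schedule | Out-Null
    netsh advfirewall firewall add rule name="Remote Scheduled Tasks Management (RPC-EPMAP) - Block" `
        dir=in action=block protocol=TCP localport=RPC-EPMap program="$svchost" service=rpcss | Out-Null
}

function New-DemoOutboundRule {
    # Outbound port rule blocking TCP to remote port 80 in every profile
    # (the Profile page was left at its defaults). The name uses a hyphen
    # instead of the demonstration's en dash so the script is code-page safe.
    netsh advfirewall firewall add rule name="HTTP - TCP 80" dir=out action=block `
        protocol=TCP remoteport=80 profile=any | Out-Null
}

function Test-HttpBlocked {
    # Returns $true when the connection to the site fails. With the default
    # outbound policy of allow, the block rule is what makes it fail, but
    # name resolution or server errors would also return $true.
    param([string]$Url = 'http://LON-DC1')
    try {
        $null = (New-Object System.Net.WebClient).DownloadString($Url)
        return $false
    } catch {
        return $true
    }
}

function New-DemoConnectionSecurityRule {
    # Server-to-server rule: endpoints left at Any, authentication required
    # for inbound and outbound, first authentication Computer (Kerberos V5),
    # second authentication User (Kerberos V5). Because Any/Any with
    # "require" refuses peers that cannot authenticate, the demonstration
    # disables this rule again at the end.
    netsh advfirewall consec add rule name="Kerberos Connection Security Rule" `
        endpoint1=any endpoint2=any action=requireinrequireout `
        auth1=computerkerb auth2=userkerb | Out-Null
}

function Show-DemoMonitoring {
    # Command-line view of the Monitoring node: active profile, firewall
    # rules, connection security rules, and main/quick mode SAs.
    netsh advfirewall monitor show currentprofile
    netsh advfirewall monitor show firewall
    netsh advfirewall monitor show consec
    netsh advfirewall monitor show mmsa
    netsh advfirewall monitor show qmsa
    # The ConnectionSecurity operational log from the Monitoring topic
    # (log name assumed).
    Get-WinEvent -LogName 'Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity' `
        -MaxEvents 10 -ErrorAction SilentlyContinue
}

function Disable-DemoRules {
    # Steps 5-8 of the monitoring section: disable rather than delete.
    netsh advfirewall firewall set rule name="HTTP - TCP 80" new enable=no | Out-Null
    netsh advfirewall consec set rule name="Kerberos Connection Security Rule" new enable=no | Out-Null
}

New-DemoInboundRules
New-DemoOutboundRule
"HTTP to LON-DC1 blocked: $(Test-HttpBlocked)"
New-DemoConnectionSecurityRule
Show-DemoMonitoring
Disable-DemoRules
```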



Lesson 7
Configuring Security Settings in Windows Internet Explorer 8

Firewalls and filters are one of the first things that IT professionals put into place on networks. A browser is like any other application; it can be well managed and secure or poorly managed. If a browser is poorly managed, IT professionals and enterprises risk spending more time and money supporting users and dealing with security infiltrations, malware, and loss of productivity.
Windows Internet Explorer® 8 helps users browse more safely, which in turn helps maintain customer trust in the Internet and helps protect the IT environment from the evolving threats presented on the Web.
Internet Explorer 8 specifically helps users maintain their privacy with features such as InPrivate™ Browsing and InPrivate Filtering. The new SmartScreen® Filter provides protection against social engineering attacks by identifying malicious Web sites trying to trick people into providing personal information or installing malicious software, blocking the download of malicious software, and providing enhanced anti-malware support.
Internet Explorer 8 helps prevent the browser from becoming an attack agent; it is built with the Secure Development Lifecycle (SDL) and provides more granular control over the installation of ActiveX® controls with per-site and per-user ActiveX features. The Cross Site Scripting Filter protects against attacks against Web sites.

Discussion: Compatibility Features in Internet Explorer 8

None of the improvements in Internet Explorer 8 matter if Web sites look bad or work poorly. Internet Explorer 8 includes advancements in compliance with Web standards, enabling Web sites to be created more efficiently and operate more predictably. Microsoft embraces new Web standards; however, they also have a responsibility to maintain compatibility with existing Web sites. Internet Explorer 8 includes multiple layout engines, putting the decision on whether Internet Explorer 8 needs to support legacy behaviors or strict standards in the hands of Web developers, who can specify which layout engine to use on a page-by-page basis.
Internet Explorer 8 provides a Compatibility View that uses the Internet Explorer 7 engine to display Web pages. This helps improve compatibility with applications written for Internet Explorer 7. In addition, new events are being added to the Application Compatibility Toolkit (ACT) to help IT professionals detect and resolve issues between Internet Explorer 8 and custom internal applications and Web sites.

Compatibility View



Internet Explorer 8 has a Compatibility View that helps
display a Web page as it is meant to be viewed. This view
provides a straightforward way to fix display problems
such as out-of-place menus, images, and text. The main
features in Compatibility View are as follows:
• Internet Web sites display in Internet Explorer 8
Standards Mode by default. Use the Compatibility View
button to fix sites that render differently than
expected.
• Internet Explorer 8 remembers sites that have been set
to Compatibility View so that the button only needs to
be pressed once for a site. After that, the site is
always rendered in Compatibility View unless it is
removed from the list.
• Internet Explorer 8 ships with a list of sites provided
by Microsoft known to require the Compatibility View.
This list is periodically updated through Windows
Update or Automatic Updates.
• Intranet Web sites display in Internet Explorer 7
Standards Mode by default. This means that internal Web
sites created for Internet Explorer 7 will work.
• IT professionals can use Group Policy to set a list of
Web sites to be rendered in Compatibility View.
• Switching in and out of Compatibility View occurs
without requiring the browser to be restarted.
The Compatibility View button only displays if it is not clearly stated how the Web site is to be rendered. In other cases, such as viewing intranet sites or viewing sites with a <META> tag or HTTP header indicating Internet Explorer 7 or Internet Explorer 8 Standards, the button is hidden.

When Compatibility View is activated, the page refreshes; how noticeable the refresh is depends on the speed of the computer. A balloon tip indicates that the site is now running in Compatibility View.

Configuring Compatibility View


A new entry on the Tools menu allows for advanced
configuration of the Compatibility View which enables IT
professionals to customize the view to meet enterprise
requirements. For example, IT professionals can configure
it so that all Intranet sites display in Internet Explorer
8 mode instead of the default Internet Explorer 7 mode.
Or, a policy can be configured so that every site is
viewed in Compatibility View.
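The two configurations just described (intranet sites in Internet Explorer 8 mode, or every site, or a chosen list of sites, in Compatibility View) are what the Compatibility View Group Policy settings write to the registry. The script below is an added example, not courseware or Microsoft code: it writes and reads back those values from PowerShell so the result can be checked. Every registry value name in it (IntranetCompatibilityMode, AllSitesCompatibilityMode, PolicyList) is an assumption taken from the inetres.admx template and must be confirmed against that template before use; the two domain names are fictitious.

```powershell
# Added example (not from the courseware): write the registry values behind the
# Internet Explorer 8 Compatibility View Group Policy settings, for the two
# cases described above (intranet in IE8 Standards mode; every site, or a
# chosen list of sites, in Compatibility View), and read them back to verify.
# All value names are ASSUMPTIONS derived from the inetres.admx template
# ("Turn on Internet Explorer Standards Mode for local intranet",
# "Turn on Internet Explorer 7 Standards Mode", "Use Policy List of Internet
# Explorer 7 sites"); confirm them against the template before deploying.
# Writing under HKLM\Software\Policies requires an elevated prompt.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\BrowserEmulation'
$siteList   = Join-Path $policyRoot 'PolicyList'

function Set-CompatibilityViewPolicy {
    param(
        # $true: intranet sites render in IE8 Standards mode instead of the
        # default IE7 Standards mode (assumed: IntranetCompatibilityMode = 0).
        [bool]     $IntranetInStandardsMode = $false,
        # $true: every site renders in Compatibility View
        # (assumed: AllSitesCompatibilityMode = 1).
        [bool]     $AllSitesInCompatibilityView = $false,
        # Domains that must always render in Compatibility View; assumed to be
        # one REG_SZ per domain under PolicyList, name and data both the domain.
        [string[]] $CompatibilityViewSites = @()
    )
    foreach ($key in @($policyRoot, $siteList)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    Set-ItemProperty -Path $policyRoot -Name 'IntranetCompatibilityMode' -Type DWord `
        -Value $(if ($IntranetInStandardsMode) { 0 } else { 1 })
    Set-ItemProperty -Path $policyRoot -Name 'AllSitesCompatibilityMode' -Type DWord `
        -Value $(if ($AllSitesInCompatibilityView) { 1 } else { 0 })
    foreach ($site in $CompatibilityViewSites) {
        Set-ItemProperty -Path $siteList -Name $site -Value $site -Type String
    }
}

function Get-CompatibilityViewPolicy {
    # Read back what is enforced so the change can be checked and audited.
    $p = Get-ItemProperty -Path $policyRoot -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IntranetInStandardsMode     = ($p.IntranetCompatibilityMode -eq 0)
        AllSitesInCompatibilityView = ($p.AllSitesCompatibilityMode -eq 1)
        CompatibilityViewSites      = $(if (Test-Path $siteList) { (Get-Item $siteList).GetValueNames() } else { @() })
    }
}

# Usage: keep the intranet on IE8 Standards mode, except two (fictitious)
# legacy applications that only render correctly in IE7 Standards mode.
Set-CompatibilityViewPolicy -IntranetInStandardsMode $true `
    -CompatibilityViewSites @('legacyapp.contoso.com', 'hr.contoso.com')
Get-CompatibilityViewPolicy
```

Setting these values by script rather than through the Group Policy editor is useful for lab machines or for verifying what a Group Policy Object actually applied; on domain members the GPO will overwrite the values at the next policy refresh, so manage them in the GPO for production.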

Application Compatibility Tools


The Application Compatibility Toolkit (ACT) is a set of
tools to help IT professionals identify potential
application compatibility issues. The Internet Explorer
Compatibility Evaluator component of ACT is designed to
help identify potential compatibility issues with Web
sites. For Internet Explorer 8, new events have been added
to ACT to help detect and resolve potential issues between
Internet Explorer 8 and internal applications and Web
sites. In addition, Group Policy settings are provided to
help IT administrators control settings that impact
compatibility with a high degree of granularity.
When ACT runs, a log of compatibility events is created.
Events that are now logged include those for the:
• Cross-Site Scripting Filter
• Standards Mode
• Window Reuse Navigation Restriction
• MIME restrictions
• File name restriction
• Control Block
• DEP/NX
• ActiveX control blocking
• Intranet integrity
• Codepage sniffing
• Web Proxy handling changes
• AJAX navigation
In Internet Explorer 8, an error message is displayed
when there is a compatibility event, and a link is provided
to a white paper that describes compatibility issues,
mitigations, and fixes. Use the information from the white
paper to help resolve compatibility issues.

Question: What compatibility issues do you think you may
encounter when updating Internet Explorer?

Answer: Answers can vary.

Enhanced Privacy Features in Internet Explorer 8

One of the biggest concerns for users and organizations is
the issue of security and privacy when using the Internet.
Internet Explorer 8 helps users maintain their security
and privacy. For enterprises that need users to be able to
browse without collecting browsing history, Internet
Explorer 8 has a privacy mode (InPrivate Browsing) that
allows them to surf the Web without leaving a trail on the
local computer. There is also a filtering mode (InPrivate
Filtering) that helps prevent third-party sites from
tracking user actions. Delete Browsing History has been
improved to allow users to delete browsing history without
losing site functionality.

InPrivate Browsing
InPrivate Browsing helps protect data and privacy by
preventing browsing history, temporary Internet files,
form data, cookies, usernames, and passwords from being
stored or retained locally by the browser. This leaves
virtually no evidence of browsing or search history as the
browsing session does not store session data.
From the enterprise and IT professional perspective,
InPrivate Browsing is a more reliable way to avoid leaving
local traces than running Delete Browsing History
afterwards: cookies, history, and form data are held in
memory only, and the temporary Internet files written
during the session are discarded when the InPrivate window
closes, so nothing depends on a later cleanup step. Note
that InPrivate Browsing only affects what the browser
stores on the local computer. Proxy, gateway, and Web
server logs, the local DNS resolver cache, and network
monitoring still record the sites visited; it is a local
privacy feature, not an anonymity feature.
InPrivate Browsing can be used by some in an attempt to
conceal their tracks when browsing to prohibited or non-
work Web sites. However, IT professionals retain full
manageability control and can use Group Policy to disable
InPrivate Browsing or to configure how it is used in their
enterprise. Default configuration settings can be
specified in the Internet Explorer Administration Kit for
Internet Explorer 8.

InPrivate Filtering
Most Web sites today contain content from several
different sites; the combination of these sites is
sometimes referred to as a mashup. People have come to
expect this type of integration, from something like an
embedded map from a mapping site, to greater integration
of ads, or multimedia elements. Organizations try to offer
more of these experiences because it draws customers to
their site. This capability is making the Web more robust,
but it also provides an opportunity for malicious users to
create and exploit vulnerabilities.
Every piece of content that a browser requests from a Web
site discloses information to that site (at a minimum the
requesting IP address, the referring page, and the
User-Agent string), sometimes even if the user has blocked
all cookies. Often, users are not fully aware that their
Web browsing activities are tracked by Web sites other
than those they have consciously chosen to visit.
InPrivate Filtering is designed to monitor the frequency
of all third-party content as it appears across all Web
sites visited by the user. An alert or frequency level is
configurable (in the released version of Internet Explorer
8 the default is 10 and the allowed range is 3 to 30).
Third-party content that appears with high incidence is
blocked when the frequency level is reached. InPrivate
Filtering does not discriminate between different types of
third-party content. It blocks content only when it
appears more than the predetermined frequency level.

Enhanced Delete Browsing History


Cookies and cookie protection are one aspect of online
privacy. Some organizations write scripts to clean up
cookies and browsing history at the end of a browsing
session. This type of environment might be needed for
sensitive data, regulatory or compliance reasons, or
private data in the healthcare industry.
Enhanced Delete Browsing History in Internet Explorer 8
enables users and organizations to selectively delete
browsing history. For example, history can be removed for
all Web sites except those in the user's Favorites. This
feature is switched on and off in the Delete Browsing
History dialog box and is called Preserve Favorites
website data.
Administrators can configure Delete Browsing History
options through Group Policy or the Internet Explorer
Administration Kit. Administrators can also configure
which sites are automatically included in favorites. This
allows them to create policies that ensure security
without impacting users' daily interactions with their
preferred and favorite Web sites. The Delete Browser
History on Exit check box in Internet Options allows IT
professionals to automatically delete the browsing history
when Internet Explorer 8 closes.

Question: Describe the difference between InPrivate
Browsing and InPrivate Filtering.

Answer: InPrivate Browsing helps protect data and privacy
by preventing browsing history, temporary Internet files,
form data, cookies, usernames, and passwords from being
stored or retained locally by the browser. InPrivate
Filtering is designed to monitor the frequency of all
third-party content as it appears across all Web sites
visited by the user.
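The privacy settings covered in this topic (whether InPrivate Browsing is allowed, Delete Browsing History on exit, Preserve Favorites website data, and which categories are deleted) can be set by the user, by a user policy, or by a machine policy, and a practitioner needs to know which one is in effect. The following script is an added example, not courseware or Microsoft code, that reports the effective state of each setting for the current user and where it comes from. The registry value names (EnableInPrivateBrowsing, ClearBrowsingHistoryOnExit, UseAllowList, CleanHistory, CleanCookies, CleanTIF, CleanForms, CleanPassword) are assumptions based on the inetres.admx template and the Delete Browsing History dialog; verify them on a reference machine before relying on the report.

```powershell
# Added example (not courseware code): audit the Internet Explorer 8 privacy
# settings this lesson describes for the current user, showing whether each
# is set by the user or enforced by policy. Value names are ASSUMPTIONS based
# on the inetres.admx template and the Delete Browsing History dialog; verify
# them on a reference machine before relying on the report.

$userKey    = 'HKCU:\Software\Microsoft\Internet Explorer\Privacy'
$policyKeys = @('HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Privacy',
                'HKCU:\Software\Policies\Microsoft\Internet Explorer\Privacy')

function Get-RegValue {
    param([string] $Path, [string] $Name)
    if (-not (Test-Path $Path)) { return $null }
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-IE8PrivacyReport {
    # Machine policy wins over user policy, which wins over the user's own choice.
    function Resolve([string] $Name) {
        foreach ($k in $policyKeys) {
            $v = Get-RegValue $k $Name
            if ($null -ne $v) { return [pscustomobject]@{ Value = $v; Source = $k } }
        }
        [pscustomobject]@{ Value = (Get-RegValue $userKey $Name); Source = 'user setting' }
    }
    # Each entry: display name, assumed value name, and how to read the value.
    $items = @(
        @{ Setting = 'InPrivate Browsing allowed';       Name = 'EnableInPrivateBrowsing';    On = { $args[0] -ne 0 } },
        @{ Setting = 'Delete browsing history on exit';  Name = 'ClearBrowsingHistoryOnExit'; On = { $args[0] -eq 1 } },
        @{ Setting = 'Preserve Favorites website data';  Name = 'UseAllowList';               On = { $args[0] -eq 1 } },
        @{ Setting = 'Delete: History';                  Name = 'CleanHistory';               On = { $args[0] -eq 1 } },
        @{ Setting = 'Delete: Cookies';                  Name = 'CleanCookies';               On = { $args[0] -eq 1 } },
        @{ Setting = 'Delete: Temporary Internet Files'; Name = 'CleanTIF';                   On = { $args[0] -eq 1 } },
        @{ Setting = 'Delete: Form data';                Name = 'CleanForms';                 On = { $args[0] -eq 1 } },
        @{ Setting = 'Delete: Passwords';                Name = 'CleanPassword';              On = { $args[0] -eq 1 } }
    )
    foreach ($i in $items) {
        $r = Resolve $i.Name
        [pscustomobject]@{
            Setting = $i.Setting
            Enabled = $(if ($null -eq $r.Value) { 'default' } elseif (& $i.On $r.Value) { 'yes' } else { 'no' })
            Source  = $(if ($null -eq $r.Value) { '-' } else { $r.Source })
        }
    }
}

Get-IE8PrivacyReport | Format-Table -AutoSize
```

A setting reported with a Policies source cannot be changed by the user from the Internet Options dialog; one reported as a user setting can, which is the distinction that matters when the requirement comes from a compliance rule rather than user preference. The report says nothing about what proxies or servers log, which InPrivate Browsing does not affect.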

The SmartScreen Filter in Internet Explorer 8

Businesses put a lot of effort into protecting computer
assets and resources. Phishing attacks, a form of social
engineering, can evade those protections because they
target the user rather than the system, and result in
users giving up credentials or personal information. The
majority of phishing scams target individuals in an
attempt to commit fraud or identity theft.
With the introduction of the SmartScreen Filter, Internet
Explorer 8 builds on the Phishing Filter technology
introduced in Internet Explorer 7. The Phishing Filter was
designed to warn users when they attempt to visit known
phishing sites. The SmartScreen Filter replaces the
Phishing Filter and helps protect against phishing Web
sites, other deceptive sites, and sites known to
distribute malware.

SmartScreen Filter Improvements

The SmartScreen Filter improves upon the Phishing Filter
by providing:
• An improved user interface
• Faster performance
• New heuristics and enhanced telemetry
• Anti-malware support
• Improved Group Policy support

How the SmartScreen Filter Works


The SmartScreen Filter relies on a Web service backed by a
Microsoft-hosted URL reputation database. The SmartScreen
Filter’s reputation-based analysis works alongside other
signature-based anti-malware technologies like the
Malicious Software Removal Tool, Windows Defender, and
Windows Live™ OneCare™ to provide comprehensive protection
against malicious software.
With the SmartScreen Filter enabled, Internet Explorer 8
performs a detailed examination of the entire URL string,
compares it with a database of sites known to distribute
malware, and then checks with the Web service. Note that
this check sends the URL, including any query string, to
Microsoft's service, which is worth weighing for internal
addresses; see the zone defaults below. If the Web site is
known to be unsafe, it is blocked and the user is notified
with a bold SmartScreen blocking page that offers clear
language and guidance to help avoid known, unsafe Web
sites.
The Go to my homepage link helps users navigate away from
an unsafe Web site and start browsing again from a trusted
location. If a user decides to ignore the warning by
clicking the Disregard and continue link, the address bar
remains red as a persistent warning that the site is
unsafe. The Disregard and continue link can be disabled in
Group Policy. This removes the user's ability to ignore
the warning.
New, unsafe sites can be reported by using the Report
Unsafe Website option on the Tools menu. User feedback
about unknown sites is evaluated to block new phishing
sites as they are discovered.
In the unlikely event that a site is incorrectly
identified as malicious, users can provide feedback by
using the Report that this is not an unsafe Web site link
on the blocking page or by clicking the Unsafe Website
flyout in the address bar.

Configure the SmartScreen Filter


By default, the SmartScreen Filter is enabled in the
Internet, Trusted, and Restricted Zones, and disabled in
the Intranet Zone. Zone checking can be turned off and
users can create a custom list of trusted sites.
Administrators can also add a list of sites that the
company has decided are trusted.
To add to Internet Explorer Trusted sites zone and turn
off SmartScreen in this zone:
1. On the Internet Explorer Tools menu, click Internet
Options.
2. Click the Security tab.
3. Click the Trusted sites icon, and then click Sites.
4. In the Add this website to the zone dialog box, enter
the Web site URL and then click Add.
5. Close the dialog box.
6. On the Security tab, click Custom level, and then under
Use SmartScreen Filter, select Disable.
7. Click OK.

Note: To prevent users from disabling the filter and to enforce a SmartScreen mode,
enable the Turn off Managing SmartScreen Filter policy setting in Group Policy
Administrative Templates.
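The seven-step procedure and the Group Policy note above are manual. As an added example (not courseware or Microsoft code), the script below performs the same three actions from PowerShell, adds a site to the Trusted sites zone, turns SmartScreen off for that zone only, locks the filter on for users via the policy value, and then prints the per-zone state so a reviewer can confirm the filter is disabled only where intended. The zone and ZoneMap registry locations are the standard Internet Explorer security zone keys; the per-zone action number 2301 and the policy value name EnabledV8 are assumptions from the inetres.admx template, and the domain portal.contoso.com is fictitious.

```powershell
# Added example (not courseware code): script the seven-step procedure above
# and the Group Policy note, then verify the result. The Zones and ZoneMap
# paths are the standard Internet Explorer security zone keys; the per-zone
# action number (2301) and the policy value name (EnabledV8) are ASSUMPTIONS
# taken from the inetres.admx template and should be confirmed there.

$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$TrustedZone        = 2       # 0 Computer, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
$SmartScreenSetting = '2301'  # assumed per-zone DWORD: 0 = SmartScreen on, 3 = off

function Add-TrustedSite {
    param([string] $Domain, [string] $Scheme = 'https')
    # Each domain is a subkey; a DWORD named after the scheme holds the zone
    # number. 'https' respects the zone's default "require server verification".
    $key = Join-Path $zoneMap $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value $TrustedZone -Type DWord
}

function Set-SmartScreenForZone {
    param([int] $Zone, [bool] $Enabled)
    Set-ItemProperty -Path (Join-Path $zones $Zone) -Name $SmartScreenSetting `
        -Value $(if ($Enabled) { 0 } else { 3 }) -Type DWord
}

function Get-SmartScreenState {
    # One row per zone, so it is visible that the filter is off only where intended.
    foreach ($z in 0..4) {
        $v = (Get-ItemProperty -Path (Join-Path $zones $z) -ErrorAction SilentlyContinue).$SmartScreenSetting
        [pscustomobject]@{
            Zone        = $z
            SmartScreen = $(if ($v -eq 3) { 'off' } elseif ($v -eq 0) { 'on' } else { "unset($v)" })
        }
    }
}

function Lock-SmartScreenOn {
    # Equivalent of enabling "Turn off Managing SmartScreen Filter" for the
    # machine so users can no longer switch the filter off. Requires elevation.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\PhishingFilter'
    if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
    Set-ItemProperty -Path $pol -Name 'EnabledV8' -Value 1 -Type DWord   # assumption: 1 = forced on
}

# Usage: trust a (fictitious) internal portal over HTTPS only, turn SmartScreen
# off for the Trusted zone, lock the filter on elsewhere, then verify.
Add-TrustedSite -Domain 'portal.contoso.com' -Scheme 'https'
Set-SmartScreenForZone -Zone $TrustedZone -Enabled $false
Lock-SmartScreenOn
Get-SmartScreenState
```

The trust decision is per scheme: with only the 'https' value written, http://portal.contoso.com stays in whatever zone it was in before, which is the behaviour you want when the site should never be reached in clear text.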

Question: What Internet Explorer 7 feature does the
SmartScreen Filter replace in Internet Explorer 8?

Answer: The SmartScreen Filter replaces the Phishing
Filter from Internet Explorer 7.

Other Security Features in Internet Explorer 8

Additional security features in Internet Explorer 8
include the following:
• IT professionals can increase security and trust
through improvements in ActiveX controls that enable
command of how and where an ActiveX control loads and
which users can load them.
• The XSS Filter in Internet Explorer 8 helps block
Cross-Site Scripting (XSS) attacks, one of the most
common Web site vulnerabilities today.
• Data Execution Prevention (DEP) is enabled by default
to help prevent system attacks where malicious data
exploits memory-related vulnerabilities to execute
code.

ActiveX Controls and Management


ActiveX controls are relatively straightforward to create
and deploy, and provide extra functionality beyond regular
Web pages. Organizations cannot control the inclusion of
ActiveX controls or how they are written. Therefore,
businesses need a browser that provides flexibility in
dealing with ActiveX controls so that they are usable,
highly secure, and pose as small a threat as possible.

Per-User ActiveX
Like Internet Explorer 7, Internet Explorer 8 by default
employs ActiveX Opt-In, which disables most controls on a
user's machine. In Internet Explorer 8, per-user ActiveX
makes it possible for standard users to install ActiveX
controls in their own user profile, without requiring
administrative privileges. This helps organizations
realize the full benefit of User Account Control by giving
standard users the ability to install ActiveX controls
that are necessary in their daily browsing.
In most situations, if a user happens to install a
malicious ActiveX control, the rest of the system remains
unaffected because the control is only registered under
the user's account and cannot change machine-wide settings
or other users' profiles. Note that a per-user control
still executes inside the browser with the same access as
any other code the user runs there, so it can interact
with that user's Web sessions and data; the containment is
of the machine, not of the user. Since installations are
restricted to a user profile, the cost and risk of a
compromise are significantly lowered.
When a Web page attempts to install a control, an
Information Bar is displayed to the user. Users choose to
install the control machine-wide or only for their user
account. The options in the ActiveX menu vary depending on
the user’s rights (as managed by Group Policy settings)
and if the control has been packaged to allow per-user
installation.
IT professionals can choose to disable this feature in
Group Policy.

Per-Site ActiveX
When a user navigates to a Web site containing an ActiveX
control, Internet Explorer 8 performs a number of checks,
including a determination of where a control is permitted
to run. If a control is installed but is not permitted to
run on a specific site, an Information Bar appears asking
the user’s permission to run on the current Web site or on
all Web sites.
Use Group Policy to preset allowed controls and their
related domains.

Cross-Site Scripting Filter


Most sites have a combination of content from local site
servers and content obtained from other sites or
partnering organizations. XSS attacks exploit
vulnerabilities in Web applications and enable an attacker
to control the relationship between a user and a Web site
or Web application that they trust. Cross-site scripting
can enable attacks such as:
• Cookie theft, including session cookies, which can lead
to account hijacking
• Monitoring keystrokes
• Performing actions on the victim Web site on behalf of
the victim user
• Using the vulnerable Web site as a launching point to
attack the user or other sites, with the legitimate
site's origin and the user's trust behind the attack
Internet Explorer 8 includes a filter that helps protect
against XSS attacks. The XSS Filter has visibility into
all requests and responses flowing through the browser.
When the filter discovers likely XSS in a request (for
example, script-like text in a query string), it
identifies and neutralizes the attack if that text is
replayed in the server's response. This means the filter
addresses reflected XSS only: stored (persistent) and
DOM-based XSS, where the script does not travel in the
request, are not covered, so the filter is defense in
depth for users, not a substitute for output encoding on
the server. A site can opt its pages out of the filter by
sending the X-XSS-Protection: 0 response header. The XSS
Filter helps protect users from Web site vulnerabilities;
it is designed not to ask difficult questions that users
are unable to answer, nor to harm functionality on the
Web site.

Data Execution Prevention


Internet Explorer 7 introduced an option in Internet
Options (Advanced tab, "Enable memory protection to help
mitigate online attacks") to turn on Data Execution
Prevention (DEP), also called No-Execute (NX). DEP/NX helps
thwart attacks by preventing code from running from memory
that is marked non-executable, such as a virus disguised
as a picture or video. DEP/NX also makes it harder for
attackers to exploit certain types of memory-related
vulnerabilities, such as buffer overruns. The option was
off by default in Internet Explorer 7 because some widely
used add-ons, built with older versions of the Active
Template Library (ATL), generate executable code at run
time in data memory and crash when DEP is enforced.
DEP/NX protection applies to both Internet Explorer and
the add-ons it loads. No additional user interaction is
required to activate this protection, and unlike Internet
Explorer 7, this feature is enabled by default for
Internet Explorer 8 on Windows 7, Windows Server 2008, and
Windows Vista SP1 and later.
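"Enabled by default" is worth verifying on a given build rather than assuming, because a user can still clear the Internet Options check box and an add-on can still be DEP-incompatible. The script below is an added example, not courseware or Microsoft code. It reads the DllCharacteristics field from the PE header of iexplore.exe (the NX_COMPAT flag is what makes the loader opt the process in to DEP without any user setting; DYNAMIC_BASE is the companion ASLR flag) and checks the per-user override. The PE offsets come from the PE/COFF specification; the registry value name DEPOff, assumed to record a cleared "Enable memory protection" check box, is an assumption.

```powershell
# Added example (not courseware code): check, rather than assume, that DEP/NX
# (and ASLR) are in force for Internet Explorer 8. Two independent signals:
# (1) the NX_COMPAT flag in the PE header of iexplore.exe, which is what makes
#     the loader opt the process in to DEP without any user setting, and
# (2) the per-user "Enable memory protection" override (DEPOff) from the
#     Internet Options Advanced tab, which, if 1, turns the protection off.
# The registry value name DEPOff is an ASSUMPTION; the PE offsets are from
# the PE/COFF specification.

function Get-PEDllCharacteristics {
    param([string] $Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { throw "$Path is not an MZ executable" }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)                       # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) { throw "$Path has no PE signature" }
    # The optional header starts 24 bytes after "PE\0\0" (4-byte signature +
    # 20-byte COFF header); DllCharacteristics sits at offset 70 in both the
    # PE32 and PE32+ optional headers, so this works for 32- and 64-bit images.
    $flags = [BitConverter]::ToUInt16($bytes, $peOffset + 24 + 70)
    [pscustomobject]@{
        File        = $Path
        NXCompat    = [bool]($flags -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        DynamicBase = [bool]($flags -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR)
        RawFlags    = ('0x{0:X4}' -f $flags)
    }
}

function Test-IE8MemoryProtection {
    # Assumption: DEPOff = 1 under Internet Explorer\Main records a user who
    # cleared "Enable memory protection to help mitigate online attacks".
    $depOff = (Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' `
                   -ErrorAction SilentlyContinue).DEPOff
    $exe = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
    $pe  = Get-PEDllCharacteristics -Path $exe
    [pscustomobject]@{
        Executable        = $exe
        LinkedNXCompat    = $pe.NXCompat
        LinkedDynamicBase = $pe.DynamicBase
        UserDisabledDEP   = ($depOff -eq 1)
        Effective         = $(if ($pe.NXCompat -and $depOff -ne 1) { 'DEP/NX on' } else { 'DEP/NX NOT guaranteed' })
    }
}

Test-IE8MemoryProtection

# Add-ons are in scope too. A DLL linked without /NXCOMPAT still loads into
# the DEP-enabled process, but any code it tries to run from data pages faults
# instead of executing; that is the DEP/NX compatibility event ACT logs. Check
# a suspect add-on the same way (path is a placeholder):
# Get-PEDllCharacteristics -Path 'C:\path\to\addon.dll'
```

Running this across a fleet before enabling DEP (or before an Internet Explorer 8 rollout) turns the ACT compatibility event into a static check: an add-on without NX_COMPAT is the one to test first.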

Question: Describe how the XSS Filter works.

Answer: The XSS Filter has visibility into all requests


and responses flowing through the browser. When the filter
discovers likely XSS in a request, it identifies and
neutralizes the attack if it is replayed in the server’s
response. The XSS filter helps protect users from Web site
vulnerabilities; it does not ask difficult questions that
users are unable to answer, nor does it harm functionality
on the Web site.

Demonstration: Configuring Security in Internet
Explorer 8

This demonstration shows how to configure security in
Internet Explorer 8, including enabling the compatibility
view, configuring browsing history, InPrivate Browsing,
and InPrivate Filtering. The demonstration also shows the
add-on management interface.

Enable Compatibility View for All Web Sites


1. Log on to the LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click the Internet Explorer icon on the taskbar.
3. If the Set Up Windows Internet Explorer 8 window comes
up, click Ask me later.
4. On the Tools menu, click Compatibility View Settings.
5. Click to select the Display all websites in
Compatibility View check box and then click Close.

Delete Browsing History

1. On the Tools menu, click Internet Options.
2. On the General tab, under Browsing history, click
Delete.
3. Select Preserve Favorites website data and History.
Deselect all other options.
4. Click Delete.
5. Click OK and then close Internet Explorer.

Configure InPrivate Browsing


1. On LON-CL1, click the Internet Explorer icon on the
taskbar.
2. Type “http://LON-DC1” into the Address bar and then
press ENTER.
3. Click on the down arrow next to the Address bar to
confirm that the address you typed into it is stored.
4. In Internet Explorer, click the Tools button and then
click Internet Options.
5. Click the General tab. Under Browsing History, click
Delete.
6. In the Delete Browsing History dialog box, clear
Preserve Favorites website data, select Temporary
Internet Files, Cookies, History, and then click
Delete.
7. Click OK to close Internet Options.
8. Confirm that there are no addresses stored in the
Address bar by clicking on the down arrow next to the
Address bar.
9. On the Safety menu, click InPrivate Browsing.
10. Type “http://LON-DC1” into the Address bar and then
press ENTER.
11. Confirm the address you typed in is not stored by
clicking on the down arrow next to the Address bar.
12. Close the InPrivate Browsing window.
13. Close Internet Explorer.

Configure InPrivate Filtering

1. Click the Internet Explorer icon on the taskbar.
2. On the Safety menu, click InPrivate Filtering.
3. Click Let me choose which providers receive my
information to choose content to block or allow.
4. On the InPrivate Filtering settings window, click
Automatically block.
5. Click OK.

View Add-on Management Interface


1. On the Tools menu, click Manage Add-ons.
2. Ensure that Toolbars and Extensions is selected and
then click Research.
3. Click Search Providers.
4. Click Live Search.
5. Click Accelerators.
6. Scroll down to show all available accelerators.
7. Click InPrivate Filtering.
8. Click Close.
9. Close Internet Explorer and then log off.

Lesson 8
Configuring Windows Defender

Windows Defender helps protect you from spyware and other
forms of malicious software. In Windows 7, Windows
Defender is improved in several ways. It is integrated
with Action Center to provide a consistent means of
alerting you when action is required, and provides an
improved user experience when you are scanning for spyware
or manually checking for updates. In addition, in Windows
7, Windows Defender has less impact on overall system
performance while continuing to deliver continuous, real-
time monitoring.

What is Malicious Software?

Malicious software, such as viruses, worms and Trojan
horses, is designed to deliberately harm a computer and is
sometimes referred to as malware. Spyware is a general
term used to describe software that performs certain
behaviors such as advertising, collecting personal
information, or changing the configuration of the
computer, generally without appropriately obtaining
consent first. Other kinds of spyware make changes to the
computer that are annoying and cause the computer to slow
down or stop responding.
There are a number of ways spyware or other unwanted
software appears on a computer, including software flaws
and some Web browsers. A common method is to covertly
install the software during the installation of other
software that you want to install. Preventing the
installation of malicious software requires that you
understand the purpose of the software you intend to
install, and you have agreed to install the software on
the computer. When you install an application, read all
disclosures, the license agreement, and privacy statement.
Sometimes the inclusion of unwanted software is
documented, but it might appear at the end of a license
agreement or privacy statement.
Consider the following scenario: You are deploying Windows
7 throughout the organization. To decide upon which
operating system features to implement, you need to
understand security risks that might be relevant to the
organization. Take part in a class discussion about this
scenario.
Question: What are common security risks that you must
consider when deploying a new operating system?
Answer: During a desktop deployment, it is important to
address any security risks that affect application
compatibility, data loss, and user functionality. Some of
the more common security risks are categorized as follows:
• Malware risks: Viruses, Trojan horses, spyware
• Data risks: Stolen laptops or removable universal
serial bus (USB) hard drives
• Web browser risks: Malicious Web sites, phishing
• Network risks: Internal worm attacks, internal
workstations that do not comply with organizational
security policies
Question: How can you be sure that you have addressed the
appropriate security risks before and after a desktop
deployment?
Answer: Conduct a structured security risk management
process that will help you to identify and assess risk,
identify and evaluate control solutions, implement the
controls, and then measure the effectiveness of the
mitigation. Identifying security risks before a desktop
deployment helps you to be proactive in mitigating and
implementing solutions.

What is Windows Defender?

Windows Defender helps protect you from spyware and
malicious software. In Windows 7, Windows Defender is not
anti-virus software, so a separate anti-virus product is
still required. Windows Defender offers three ways to help
keep spyware from infecting the computer:
• Real-time protection (RTP) is the mechanism that
actively monitors for malware and alerts you when
potentially unwanted software attempts to install
itself or to run on the computer. It also alerts you
when programs attempt to change important Windows
settings.
• The SpyNet community helps you see how other people
respond to software that has not yet been classified
for risks. When you participate, your choices are added
to the community ratings to help other people choose
what to do.
• Scanning options are used to scan for unwanted software
on the computer, to schedule scans on a regular basis,
and to automatically remove any malicious software that
is detected during a scan.

Windows Defender Overview

When you open Windows Defender from Control Panel, the
Home page displays current notifications, the status of
the last scan, when the next scan is scheduled, if real-
time protection is on or off, and when the antispyware
definitions were last updated (including the version).
Click the Scan button to run a Quick scan, or click the
arrow to select an alternative scan type, either full or
custom.
After a scan is complete, review actions taken on
potentially unwanted software on the History page. History
is categorized by software that is permitted to run on the
computer and software that is prevented from running on
the computer. You can delete accumulated history by
clicking View and then clicking Clear History.
Configure scan Options by clicking the Tools button. On
the Tools and Settings page, you can:
• Join the online Microsoft SpyNet community
• Remove or restore quarantined items that were prevented
from running
• View software that is allowed to run without being
monitored
• Access the Windows Defender Web site and Microsoft
Malware Protection Center, which provides current
information about definitions and malware

Antispyware Definitions
Antispyware definitions are files that act like an ever-
growing encyclopedia of potential software threats.
Windows Defender uses definitions to determine if software
it detects is unwanted and to alert you to potential
risks. To help keep definitions up to date, Windows
Defender works with Windows Update to automatically
install new definitions as they are released. You can set
Windows Defender to check online for updated definitions
before scanning. Alternatively, you can manually check for
definition updates by clicking the arrow next to the Help
icon and then clicking Check for updates.

Scan Options
In Windows Defender, run a quick, full, or custom scan. If
you suspect spyware has infected a specific area of the
computer, customize a scan by selecting specific drives
and folders. Additional information about scan options is
available in the “Scanning Options in Windows Defender”
topic.

Monitoring Agents
You can choose the software and settings that Windows
Defender monitors, including real-time protection options,
called agents. When an agent detects potential spyware
activity, it stops the activity and raises an alert. The
following table identifies Windows Defender monitoring
agents.

Real-time protection agent: Downloaded files and attachments
Purpose: Monitors files and programs that work with Internet
Explorer, such as ActiveX controls and software installation
programs. These files can be downloaded, installed, or run
by the browser itself. Unwanted software can be included
with these files and installed without your knowledge.

Real-time protection agent: Programs that run on your computer
Purpose: Monitors when programs start and any operations they
perform while running. Unwanted software can use
vulnerabilities in programs to run without your knowledge.
For example, spyware can run itself in the background when
you start a program that is frequently used.

Alert Levels and Responses


Alert levels help you determine how to respond to spyware
and unwanted software. Windows Defender recommends that
you remove spyware; however, not all software that is
detected is malicious or unwanted. The information in the
table helps you decide what to do if potentially unwanted
software is detected on the computer.
Alert level: Severe
What it means: Widespread or exceptionally malicious programs,
similar to viruses or worms, which negatively affect your
privacy and the security of the computer, and can damage the
computer.
What to do: Remove this software immediately.

Alert level: High
What it means: Programs that might collect your personal
information and negatively affect your privacy or damage the
computer, for example, by collecting information or changing
settings, typically without your knowledge or consent.
What to do: Remove this software immediately.

Alert level: Medium
What it means: Programs that might affect your privacy or make
changes to the computer that can negatively impact your
computing experience, for example, by collecting personal
information or changing settings.
What to do: Review the alert details to see why the software
was detected. If you do not like what the software does or if
you do not recognize and trust the publisher, consider
blocking or removing the software.

Alert level: Low
What it means: Potentially unwanted software that might collect
information about you or the computer or change how the
computer works, but is operating in agreement with licensing
terms displayed when you installed the software.
What to do: This software is typically benign when it runs on
the computer, unless it was installed without your knowledge.
If you are not sure whether to allow it, review the alert
details or check to determine if you recognize and trust the
publisher of the software.

You can configure Windows Defender behavior when a scan
identifies unwanted software. The following table
identifies the software removal options.

Action: Quarantine
Description: When software is quarantined, it is moved to
another location on the computer, and is then prevented from
running until you choose to restore it or remove it from the
computer.

Action: Remove
Description: Windows Defender permanently removes the item
from the computer.

Action: Allow
Description: This action adds the software to the allowed
list and allows it to run on the computer. Windows Defender
stops alerting you to risks that the software might pose to
your privacy or the computer. Add software to the allowed
list only if you trust the software and the software
publisher.

You are also alerted if software attempts to change
important Windows settings. Because the software is
already running on the computer, choose one of these
actions:
• Permit: allows the software to change security-related
settings on the computer.
• Deny: prevents the software from changing security-
related settings on the computer.

Configuration Options
To help prevent spyware and other unwanted software from
running on the computer, turn on Windows Defender real-
time protection and select all real-time protection
options. You are alerted if programs attempt to install,
run on the computer, or change important Windows settings.
Turn on real-time protections by clicking Tools, clicking
Options, and then clicking Real-time protection. In the
Options area, perform the following additional tasks:
• Configure automatic scanning
• Specify default actions for specific alert levels
• Customize a scan by excluding files, folders, and file
types
• Use the Advanced options to scan archived files, email,
and removable drives, and to use heuristics and create
a restore point.
• Select whether to use Windows Defender and what
information to display to all users of the computer.
History, Allowed items, and Quarantined items are
hidden by default to protect user privacy.
Question: List the four Windows Defender alert levels.
What are the possible responses?
Answer: The four alert levels are Severe, High, Medium,
and Low. Possible responses are Quarantine, Remove, and
Allow. For potential changes to Windows Settings, possible
responses are Permit and Deny.

Scanning Options in Windows Defender

Windows Defender includes automatic scanning options that
provide regular spyware scanning and on-demand scanning.
The following table identifies scanning options.

Scanning option: Quick Scan
Description: Checks areas on a hard disk that spyware is most
likely to infect.

Scanning option: Full Scan
Description: Checks all critical areas, including all files,
the registry, and all applications that are currently running.

Scanning option: Custom Scan
Description: Enables users to scan specific drives and folders.

It is recommended that you schedule a daily quick scan. At
any time, if you suspect that spyware has infected the
computer, run a full scan.
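The scan types above are also exposed by the Windows Defender command-line utility, MpCmdRun.exe, which is what you use when a scan has to run from a script or a scheduled task rather than from the console. The following is an added example, not courseware or Microsoft code, wrapping that utility in PowerShell to apply the advice just given: refresh definitions, run the daily quick scan, and escalate to a full scan when the quick scan does not finish cleanly. The utility's location and the -SignatureUpdate, -Scan and -ScanType switches are the ones it documents itself (run MpCmdRun.exe -? on the target build to confirm); treating every non-zero exit code as "needs attention" is an assumption made here rather than a documented mapping.

```powershell
# Added example (not courseware code): drive the Windows 7 Windows Defender
# engine from PowerShell through its command-line front end, MpCmdRun.exe, in
# %ProgramFiles%\Windows Defender. Switches used (confirm with MpCmdRun.exe -?):
#   -SignatureUpdate            refresh antispyware definitions
#   -Scan -ScanType 1|2|3       quick, full, or custom scan
#   -Scan -ScanType 3 -File X   custom scan of a file or folder
# Exit code 0 is treated as "completed, nothing found"; any other code is
# treated as "needs attention" (ASSUMPTION, not a documented code table).

$mpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Invoke-DefenderCommand {
    param([string[]] $Arguments)
    if (-not (Test-Path $mpCmdRun)) { throw "MpCmdRun.exe not found at $mpCmdRun" }
    $p = Start-Process -FilePath $mpCmdRun -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    [pscustomobject]@{ Command = ($Arguments -join ' '); ExitCode = $p.ExitCode }
}

function Update-DefenderDefinitions {
    # Matches the lesson's advice to check for definitions before scanning.
    Invoke-DefenderCommand -Arguments @('-SignatureUpdate')
}

function Start-DefenderScan {
    param(
        [ValidateSet('Quick', 'Full', 'Custom')] [string] $Type = 'Quick',
        [string] $Path    # only used for a Custom scan
    )
    $code    = @{ Quick = 1; Full = 2; Custom = 3 }[$Type]
    $argList = @('-Scan', '-ScanType', "$code")
    if ($Type -eq 'Custom') {
        if (-not $Path) { throw 'Custom scans need -Path' }
        $argList += @('-File', "`"$Path`"")   # quoted so paths with spaces survive
    }
    Invoke-DefenderCommand -Arguments $argList
}

# Usage: refresh definitions, run the daily quick scan, and escalate to a full
# scan if the quick scan did not return 0.
$update = Update-DefenderDefinitions
$quick  = Start-DefenderScan -Type Quick
$update, $quick
if ($quick.ExitCode -ne 0) { Start-DefenderScan -Type Full }
```

Scheduling this script with Task Scheduler gives the same daily quick scan the console offers, with the escalation logic the console does not, and the exit codes it returns can be collected centrally for the "measure the effectiveness" step of the risk management process discussed earlier.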

Advanced Scanning Options

When scanning the computer, you can choose from five
additional options:
• Scan archive files: scanning these locations might
increase the time required to complete a scan, but
spyware and other unwanted software can install itself
and attempt to "hide" in these locations.
• Scan e-mail: use this option to scan the contents of
e-mail messages and files that are attached to e-mail
messages.
• Scan removable drives: use this option to scan the
contents of removable drives, such as USB flash drives.
• Use heuristics: Windows Defender uses definition files
to identify known threats, but it can also detect and
alert you about potentially harmful or unwanted
behavior by software that is not yet listed in a
definition file.
• Create a restore point before applying actions to
detected items: because you can set Windows Defender to
automatically remove detected items, selecting this
option allows you to restore system settings.
When you run a scan, progress is displayed on the Windows Defender Home page. Once the scan is complete, choose whether to remove or restore quarantined items and maintain the allowed list. A list of Quarantined items is available from the Tools and Settings page. Click View to see all items. Review each item, and individually remove or restore each one. Alternatively, to remove all quarantined items, click Remove All.

Note: Do not restore software with severe or high alert ratings because it can put your
privacy and the security of the computer at risk.

If you trust software that has been detected, stop Windows Defender from alerting you to risks that the software might pose by adding it to the allowed list. If you decide to monitor the software later, remove it from the allowed list.
The next time Windows Defender alerts you about software that you want included in the allowed list, in the Alert dialog box, on the Action menu, click Allow, and then click Apply actions. Review and remove software from the allowed list from the Tools and Settings page.

Question: Why might you consider creating a restore point before applying actions to detected items?

Answer: Because Windows Defender can be set to automatically remove detected items, and selecting this option allows you to restore system settings in case you want to use software that you did not intend to remove.

Demonstration: Configuring Windows Defender Settings

This demonstration shows how to configure Windows Defender settings, such as scanning options, frequency, default actions, and quarantine settings. Also shown is the Windows Defender Web site and the Microsoft SpyNet community.

Set Windows Defender Options


1. Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, click Search programs and files, type
“Windows Defender”, and press ENTER.
3. In Windows Defender, on the menu, click Tools.
4. In Tools and Settings, click Options.
5. In Options, select Automatic scanning.
6. In the main window, ensure that the Automatically scan my computer (recommended) check box is selected.
7. Set Frequency to Monday.
8. Set Approximate time to 6:00 AM.
9. Set type to Quick scan.
10. Ensure the Check for updated definitions before
scanning check box is selected.
11. In Options, select Default actions.
12. Set Severe alert items to Remove.
13. Set Low alert items to Allow.
14. Ensure the Apply recommended actions check box is
selected.
15. In Options, select Real-time protection.
16. In Options, select Excluded files and folders.
17. In Options, select Excluded file types.
18. In Options, select Advanced.
19. Click Scan e-mail.
20. Click Scan removable drives.
21. In Options, select Administrator.
22. Click Save.

View Quarantine Items


1. In Tools and Settings, click Quarantined Items.
2. Click View.
3. Click the back arrow in the top menu bar.

Microsoft SpyNet
1. In Tools and Settings, click Microsoft SpyNet.
2. Select Join with a basic membership.
3. Click Save.

Windows Defender Web Site

1. In Tools and Settings, point out the Windows Defender Website link.
2. Review and discuss the content of the Windows Defender Web site.

Module Review and Takeaways

Review Questions
1. Question: When User Account Control is implemented,
what happens to standard users and administrative users
when they perform a task requiring administrative
privileges?

Answer: For standard users, UAC prompts the user for the credentials of a user with administrative privileges. For administrative users, UAC prompts the user for permission to complete the task.
2. Question: What are the requirements for Windows
BitLocker to store its own encryption and decryption
key in a hardware device that is separate from the hard
disk?

Answer: A computer with Trusted Platform Module (TPM) or a removable Universal Serial Bus (USB) memory device, such as a USB flash drive. If your computer does not have TPM version 1.2 or higher, BitLocker stores its key on the memory device.
3. Question: When implementing Windows AppLocker, what
must you do before manually creating new rules or
automatically generating rules for a specific folder?

Answer: Create the default rules.
4. Question: What network firewall shortcoming does the
Windows Firewall with Advanced Security address?

Answer: Network firewalls cannot provide protection for traffic generated inside a trusted network.
5. Question: You decide to deploy a third-party messaging
application on your company’s laptop computers. This
application uses POP3 to retrieve e-mail from the
corporate mail server, and SMTP to send mail to the
corporate e-mail relay. Which ports must you open in
Windows Firewall?

Answer: You must enable inbound POP3, which uses TCP port 110, and outbound SMTP, which uses TCP port 25. You can configure the firewall rules by using specific port assignments or by specifying the program.
6. Question: Describe how the SmartScreen Filter works in
Internet Explorer 8.

Answer: With the SmartScreen Filter enabled, Internet Explorer 8 performs a detailed examination of the entire URL string and compares the string to a database of sites known to distribute malware; the browser then checks with the Web service. If the Web site is known to be unsafe, it is blocked and the user is notified with a bold SmartScreen blocking page that offers clear language and guidance to help avoid known-unsafe Web sites.
7. Question: What does Windows Defender do to software
that it quarantines?

Answer: Windows Defender moves the software to another location on your computer, and then prevents the software from running until you choose to restore it or remove it from your computer.
8. Question: What configuration options are available with
Windows Defender, where do you set them, and why?

Answer: To help prevent spyware and other unwanted software from running on the computer, turn on Windows Defender real-time protection and select all real-time protection options. You are alerted if programs attempt to install, run on the computer, or change important Windows settings.
Turn on real-time protection by clicking Tools, clicking Options, and then clicking Real-time protection. In the Options area, perform the following additional tasks:
• Configure automatic scanning
• Specify default actions for specific alert levels
• Customize a scan by excluding files, folders, and file types
• Use the Advanced options to scan archived files, email, and removable drives, and to use heuristics and create a restore point.
• Select whether to use Windows Defender and what information to display to all users of the computer. History, Allowed items, and Quarantined items are hidden by default to protect user privacy.

Real-World Issues and Scenarios


1. An administrator configures Group Policy to require
that data can only be saved on data volumes protected
by BitLocker. Specifically, the administrator enables
the Deny write access to removable data drives not
protected by BitLocker policy and deploys it to the
domain. Meanwhile, an end user inserts a USB flash
drive that is not protected with BitLocker. What
happens, and how can the user resolve the situation?

Answer: Since the USB flash drive is not protected with BitLocker, Windows 7 displays an informational dialog indicating that the device must be encrypted with BitLocker. From this dialog, the user chooses to launch the BitLocker Wizard to encrypt the volume or continues working with the device as read-only.
2. Trevor has implemented Windows AppLocker. Before he
created the default rules, he created a custom rule
that allowed all Windows processes to run except for
Regedit.exe. Because he did not create the default
rules first, he is blocked from performing
administrative tasks. What does he need to do to
resolve the issue?

Answer: Trevor needs to restart the computer in safe mode, add the default rules, delete any deny rules that are preventing access, and then refresh the computer policy.
3. A server has multiple network interface cards (NICs),
but one of the NICs is not connected. In Windows Vista,
this caused the machine to be stuck in the public
profile (the most restrictive rule). How is this issue
resolved in Windows 7?

Answer: The new multiple active firewall profile feature in Windows 7 solves the problem by applying the appropriate rules to the appropriate network; in this case, the profile associated with the connected NIC will be applied.

Common Issues Related to Internet Explorer 8 Security Settings

IT professionals must familiarize themselves with the common issues that are related to Internet Explorer 8 security settings.

Diagnose Connection Problems Button

The Diagnose Connection Problems button helps users find and resolve issues, potentially without involving the Helpdesk. When Internet Explorer 8 is unable to connect to a Web site, it shows a Diagnose Connection Problems button. Clicking the button helps the user resolve the problem by providing information to troubleshoot it. This option was available in Internet Explorer 7 but is now simpler to find in Internet Explorer 8.

Resetting Internet Explorer 8 settings


If Internet Explorer 8 on a user's computer is in an
unstable state, you can use the Reset Internet Explorer
Settings (RIES) feature in Internet Explorer 8 to restore
the default settings of many browser features. These
include the following:
• Search scopes
• Appearance settings
• Toolbars
• ActiveX controls (reset to opt-in state, unless they
are pre-approved)
• Branding settings created by using IEAK 8
You can choose to reset personal settings by using the
Delete Personal Settings option for the following:
• Home pages
• Browsing history
• Form data
• Passwords
RIES disables all custom toolbars, browser extensions, and
customizations that have been installed with Internet
Explorer 8. To use any of these disabled customizations,
you must selectively enable each customization through the
Manage Add-ons dialog box.
RIES does not do the following:
• Clear the Favorites list
• Clear the RSS Feeds
• Clear the Web Slices
• Reset connection or proxy settings
• Affect Administrative Template Group Policy settings that you apply

Note: Unless you enable the Group Policy setting titled “Internet Explorer Maintenance policy processing”, Normal mode settings on the browser created by using IEM are lost after you use RIES.

To use RIES in Internet Explorer 8, follow these steps:
1. Click the Tools menu and then click Internet Options.
2. On the Advanced tab, click Reset.
3. In the Reset Internet Explorer Settings dialog box,
click Reset. To remove personal settings, select the
Delete Personal Settings check box. To remove branding,
select the Remove Branding check box.
4. When Internet Explorer 8 finishes restoring the default
settings, click Close, and then click OK twice.
5. Close Internet Explorer 8. The changes take effect the
next time you open Internet Explorer 8.

Note: To prevent users from using the RIES feature, enable the Do not allow resetting
Internet Explorer settings policy in Group Policy Administrative Templates.

Best Practices for User Account Control


• UAC Security Settings are configurable in the local
Security Policy Manager (secpol.msc) or the Local Group
Policy Editor (gpedit.msc). However, in most corporate
environments, Group Policy is preferred because it can
be centrally managed and controlled. There are nine
Group Policy object (GPO) settings that can be
configured for UAC.
• Because the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment affect the prompts and dialog boxes that standard users, administrators, or both, can view.
For example, you may require administrative permissions to change the UAC setting to "Always notify me" or "Always notify me and wait for my response." With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page indicating the requirement.

Best Practices for Windows BitLocker


• Because BitLocker stores its own encryption and
decryption key in a hardware device that is separate
from the hard disk, you must have one of the following:
• A computer with Trusted Platform Module (TPM).
• A removable Universal Serial Bus (USB) memory
device, such as a USB flash drive. If your computer
does not have TPM version 1.2 or higher, BitLocker
stores its key on the memory device.
• The most secure implementation of BitLocker leverages
the enhanced security capabilities of Trusted Platform
Module (TPM) version 1.2.
• On computers that do not have a TPM version 1.2, you
can still use BitLocker to encrypt the Windows
operating system volume. However, this implementation
will require the user to insert a USB startup key to
start the computer or resume from hibernation and does
not provide the pre-startup system integrity
verification offered by BitLocker that is working with
a TPM.

Best Practices for Windows AppLocker


• Before manually creating new rules or automatically
generating rules for a specific folder, create the
default rules. The default rules ensure that the key
operating system files are allowed to run for all
users.
• When testing AppLocker, carefully consider how you will organize rules between linked GPOs. If a GPO does not contain the default rules, then either add the rules directly to the GPO or add them to a GPO that links to it.
• After creating new rules, enforcement for the rule collections must be configured and the computer's policy refreshed.
• By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators must maintain a current list of allowed applications.
• If AppLocker rules are defined in a Group Policy Object
(GPO), only those rules are applied. To ensure
interoperability between Software Restriction Policies
rules and AppLocker rules, define Software Restriction
Policies rules and AppLocker rules in different GPOs.
• When an AppLocker rule is set to Audit only, the rule
is not enforced. When a user runs an application that
is included in the rule, the application is opened and
runs normally and information about that application is
added to the AppLocker event log.
• At least one Windows Server 2008 R2 domain controller
is required to host the AppLocker rules.
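As an added example (not part of the courseware), the following PowerShell script uses the AppLocker module that ships with Windows 7 to test a draft policy against key operating-system executables before the rule collections are switched from Audit only to enforced, catching the missing-default-rules problem described in the scenarios above. The policy path, the user name and the list of executables are assumptions.

```powershell
# Added example: check that a draft AppLocker policy still allows the key
# operating-system files before switching the rule collections from
# "Audit only" to enforced. Run in an elevated PowerShell session on a
# Windows 7 computer that has the AppLocker module.
Import-Module AppLocker        # PowerShell 2.0 does not load modules automatically

$policyXml = 'C:\Policies\AppLocker-draft.xml'   # assumed path to the draft policy
$user      = 'Contoso\Administrator'             # account the policy is evaluated for

# If no draft exists yet, export the policy that is effective right now.
if (-not (Test-Path -Path $policyXml)) {
    Get-AppLockerPolicy -Effective -Xml | Set-Content -Path $policyXml
}

# Executables an administrator needs in order to repair a broken policy.
# If any of these is denied, the default rules are missing or a deny rule
# is too broad (the situation in "Real-World Issues and Scenarios", item 2).
$mustRun = @(
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\cmd.exe",
    "$env:SystemRoot\System32\mmc.exe",
    "$env:SystemRoot\System32\gpupdate.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
)

# Test-AppLockerPolicy returns one decision per file: Allowed,
# AllowedByDefault, Denied or DeniedByDefault.
$results = Test-AppLockerPolicy -XmlPolicy $policyXml -Path $mustRun -User $user
$denied  = @($results | Where-Object { $_.PolicyDecision -like 'Denied*' })

if ($denied.Count -gt 0) {
    Write-Warning ("Do not enforce this policy: {0} key file(s) would not run for {1}" -f $denied.Count, $user)
    $denied | Format-Table -Property FilePath, PolicyDecision, MatchingRule -AutoSize
} else {
    Write-Host ("All {0} key files are allowed for {1}; the policy can move from Audit only to enforced." -f $mustRun.Count, $user)
}
```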

Best Practices for Windows Defender


• When using Windows Defender, you must have current
definitions.
• To help keep your definitions current, Windows Defender
works with Windows Update to automatically install new
definitions as they are released. You can also set
Windows Defender to check online for updated
definitions before scanning.
• When scanning your computer, it is recommended that you
select the advanced option to Create a restore point
before applying actions to detected items. Because you
can set Windows Defender to automatically remove
detected items, selecting this option allows you to
restore system settings in case you want to use
software that you did not intend to remove.

Configuration Guidelines for Windows Firewall with Advanced Security

• You can configure Windows Firewall with Advanced Security in the following ways:
• Configure a local or remote computer by using either
the Windows Firewall with Advanced Security snap-in
or the “Netsh advfirewall” command.
• Configure Windows Firewall with Advanced Security
settings by using the Group Policy Management
Console (GPMC) or using the “Netsh advfirewall”
command.
• If you are configuring the firewall by using Group
Policy, you need to ensure that the Windows Firewall
service has explicit write access by its service
security identifier (SID) to the location that you
specify.
• If you deploy Windows Firewall with Advanced
Security by using Group Policy and then block
outbound connections, ensure that you enable the
Group Policy outbound rules and do full testing in a
test environment before deploying. Otherwise, you
might prevent all of the computers that receive the
policy from updating the policy in the future,
unless you manually intervene.
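As an added example (not part of the courseware), the following commands use Netsh advfirewall from an elevated PowerShell prompt to create the POP3 and SMTP rules for the messaging client in review question 5, scoped to the program and the domain profile, and to export the policy and show the profile state before any outbound-blocking change is made. The program path, relay address and rule names are assumptions.

```powershell
# Added example: firewall rules for the third-party POP3/SMTP client from
# review question 5, created with netsh advfirewall from an elevated prompt.
# The program path, relay address and rule names are assumptions; rule
# names contain no spaces so they pass from PowerShell to netsh unchanged.
$mailClient = 'C:\ContosoMail\mailclient.exe'   # assumed install path
$mailRelay  = '10.0.0.25'                        # assumed corporate SMTP relay
$backup     = 'C:\Temp\fw-before-mail.wfw'       # assumed backup location

# 1. Export the current policy so the change can be rolled back with
#    "netsh advfirewall import".
netsh advfirewall export $backup

# 2. Inbound POP3 (TCP 110) limited to the mail client and the domain
#    profile, rather than opening the port for every program.
netsh advfirewall firewall add rule name=ContosoMail-POP3-In dir=in action=allow protocol=TCP localport=110 "program=$mailClient" profile=domain enable=yes

# 3. Outbound SMTP (TCP 25) only to the corporate relay. If the profile's
#    default outbound action is later changed to block, this rule keeps
#    mail working while everything else is stopped.
netsh advfirewall firewall add rule name=ContosoMail-SMTP-Out dir=out action=allow protocol=TCP remoteport=25 "remoteip=$mailRelay" "program=$mailClient" profile=domain enable=yes

# 4. Verify both rules, then confirm each profile's inbound and outbound
#    default action before deploying the same settings through Group Policy.
netsh advfirewall firewall show rule name=ContosoMail-POP3-In
netsh advfirewall firewall show rule name=ContosoMail-SMTP-Out
netsh advfirewall show allprofiles
```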

Resources for Internet Explorer 8

Use the information in the following list to assist as needed:

• For more information about IANA port-assignment standards, visit the IANA Web site: http://www.iana.org/assignments/port-numbers
• Windows Internet Explorer 8 Technology Overview for Enterprise and IT Pros: http://go.microsoft.com/fwlink/?LinkId=153907
• Internet Explorer 8 Support page: http://go.microsoft.com/fwlink/?LinkId=122867
• Internet Explorer 8 Solution Center: http://go.microsoft.com/fwlink/?LinkId=110328
• Internet Explorer 8 Frequently Asked Questions: http://go.microsoft.com/fwlink/?LinkId=122867
• Internet Explorer 8 newsgroups: http://go.microsoft.com/fwlink/?LinkId=110585
• Internet Explorer 8 Forum on TechNet: http://go.microsoft.com/fwlink/?LinkId=83353
• Internet Explorer 8 on the Microsoft Knowledge Base: http://go.microsoft.com/fwlink/?LinkId=71719
• The new Application Compatibility Toolkit (ACT) with support for Internet Explorer 8 is available from MSDN: http://go.microsoft.com/fwlink/?LinkId=153908
• The Application Compatibility Toolkit is accompanied by a white paper that explains compatibility issues identified by the tool: http://go.microsoft.com/fwlink/?LinkId=153908F
• Information about anti-phishing strategies: http://go.microsoft.com/fwlink/?linkid=69167
• Information about the RIES feature: Internet Explorer 8 Help; Microsoft Knowledge Base article 923737, http://go.microsoft.com/fwlink/?LinkId=83361

Module 7
Optimizing and Maintaining Windows 7 Client Computers
Contents:
Lesson 1: Maintaining Performance Using the Windows 7 Performance Tools 7-3
Lesson 2: Maintaining Reliability by Using the Windows 7 Diagnostic Tools 7-6
Lesson 3: Backing Up and Restoring Data by Using Windows Backup 7-42
Lesson 4: Restoring a Windows 7 System by Using System Restore Points 7-52
Lesson 5: Configuring Windows Update 7-57

Module Overview

Given the expectations that users have for technology, performance is a key issue in today’s business environment. Therefore, it is important to consistently optimize and manage your system's performance.
The Windows® 7 operating system includes several monitoring and configuration tools that you can use to obtain information about a system’s performance.
To maintain and optimize performance in Windows 7, use the performance management tools. You can also maintain the reliability of Windows 7 with the diagnostic tools, back up and restore data, restore the Windows 7 system from system restore points, and configure Windows Update so that computer performance stays optimized.

Lesson 1
Maintaining Performance by Using the Windows 7 Performance Tools

A computer system that performs at a low efficiency level can cause problems in the work environment. It could lead to reduced productivity and increased user frustration. Windows 7 helps you determine the potential cause of poor performance, and then provides the appropriate tools to resolve the performance issues.

Discussion: What Are Performance and Reliability Problems?

Poor system performance and lack of reliability are two of
the most common user complaints. Computers respond slowly
for several reasons. For example, performance can be
affected by disorganized files, unnecessary software that
consumes resources, too many startup programs, or perhaps
even a virus attack. In addition, the software that you
install can have additional operational problems,
incompatible drivers, and operating system failures. All
these issues can affect your system’s reliability.
Performance is a measure of how quickly a computer
finishes application and system tasks. Performance
problems can occur when available resources are lacking.
The following factors can influence performance:
• The access speed of the physical hard disks
• The memory available to all running processes
• The processor’s fastest speed
• The maximum throughput of the network interfaces
• The resources that the individual applications consume
• Faulty or poorly configured components that consume resources
Reliability is a measure of how often a system deviates from configured or expected behavior. Reliability problems arise from the following:
• Application failures
• Service freezes and restarts
• Driver initialization failures
• Operating system failures
• Failing hardware

Performance Information and Tools

Performance Information and Tools is accessed from Control Panel and lists information about the computer's speed and performance.
Performance Information and Tools lists your computer's Windows Experience Index (WEI) base score. This is a measurement of the performance and overall capability of your computer's hardware.
Performance Information and Tools can also be used to view the options of the performance-related tools that Windows 7 provides. The following options are available:
• Adjust visual effects: used to adjust the settings that make text and images on the screen appear larger.
• Adjust indexing options: performs a fast search of the most common files on your computer.
• Adjust power settings: power settings can limit the speed of the processor and cause slow performance.
• Open Disk Cleanup: calculates and displays how much free space is on the computer.
Advanced Tools can be used to obtain additional performance information, and lists current performance issues. You can view the following advanced options about the computer's performance:
• Clear all WEI scores
• Performance-related events in Event log
• Performance Monitor
• Resource Monitor
• Task Manager
• System Information
• Adjust appearance and performance
• Disk Defragmenter
• Generate a system health report

Windows Experience Index

You can check your computer’s Windows Experience Index (WEI) base score from Performance Information and Tools. The WEI indicates the capability of your computer's hardware and software configuration.
WEI benchmarks are optimized for Windows 7, so a system will have a different WEI score than it would if it were running Windows Vista.
WEI measures each of your computer’s key components. The following table lists the information that Windows measures for each component:

Component          What Is Rated
Processor          Calculations per second
Memory             Memory operations per second
Graphics           Desktop performance for Windows Aero® desktop experience
Gaming graphics    Three-dimensional (3-D) business and gaming graphics performance
Primary hard disk  Disk data-transfer rate

Each hardware component receives an individual subscore. Your computer's base score is determined by the lowest subscore. For example, if the lowest subscore of an individual hardware component is 2.6, then the base score is 2.6.
A greater base score generally means that a computer runs
better and faster than a computer that has a lower base
score, especially when it performs more advanced and
resource-intensive tasks.
You can use the base score to confidently buy programs and
other software that is matched to your computer's base
score.
Base scores currently range from 1 to 7.9. The Windows
Experience Index is designed to accommodate advances in
computer technology. As hardware speed and performance
improves, greater base scores will be introduced.
A computer that has a base score of 1 or 2 usually has
sufficient performance to do most general computing tasks,
such as run office productivity applications and search
the Internet. However, a computer that has this base score
is generally not powerful enough to run Windows Aero®, or
the advanced multimedia experiences that are available
with Windows 7.
A computer that has a base score of 3 can run Windows Aero
and many new features of Windows 7 at a basic level. Some
new Windows 7 advanced features might not have all the
functionality available. For example, a computer that has
a base score of 3 can display the Windows 7 theme at a
resolution of 1280 × 1024, but might struggle to run the theme on multiple monitors. Or, it can play digital TV content but might struggle to play high-definition television (HDTV) content.


A computer that has a base score of 4 or 5 can run all new
features of Windows 7 with full functionality, and it can
support high-end, graphics-intensive experiences, such as
multiplayer and 3-D gaming and recording and playback of
HDTV content. Computers that have a base score of 5 were
the highest performing computers available when Windows 7
was released.
When you update or upgrade your computer hardware, run Update my score to check whether the base score has changed, so that Windows 7 stays optimized for the new hardware.

Note: You can also use the WinSAT command line to perform this assessment. Windows stores the WEI reports as XML files in the C:\Windows\Performance\WinSAT\DataStore folder. When you run WinSAT for the first time on a computer, Windows creates a report whose name ends in (Initial).
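As an added example (not part of the courseware), this PowerShell function reads the newest WinSAT report from the DataStore folder named in the note and derives the base score the way the text describes, as the lowest component subscore, then compares it with the score the report itself records. The WinSPR element names are assumed from WinSAT report files, and the 30-day staleness threshold is an arbitrary choice.

```powershell
# Added example: derive the Windows Experience Index base score from the
# newest WinSAT report (lowest subscore wins) and report which component
# limits it. Element names under WinSPR are assumed from WinSAT XML files;
# check them against a report on your own computer.
$dataStore = "$env:SystemRoot\Performance\WinSAT\DataStore"

function Get-WeiScores {
    param([string]$Folder = $dataStore)

    $report = Get-ChildItem -Path $Folder -Filter *.xml |
              Sort-Object LastWriteTime -Descending |
              Select-Object -First 1
    if (-not $report) {
        throw "No WinSAT report found in $Folder; run 'winsat formal' first."
    }

    [xml]$doc = Get-Content -Path $report.FullName
    $spr = $doc.WinSAT.WinSPR          # assumed: <WinSAT><WinSPR>...</WinSPR></WinSAT>

    # One subscore per component in the table above.
    $sub = @{
        'Processor'         = [double]$spr.CpuScore
        'Memory'            = [double]$spr.MemoryScore
        'Graphics'          = [double]$spr.GraphicsScore
        'Gaming graphics'   = [double]$spr.GamingScore
        'Primary hard disk' = [double]$spr.DiskScore
    }

    # The base score is the lowest subscore; the matching component is the bottleneck.
    $lowest  = ($sub.Values | Measure-Object -Minimum).Minimum
    $weakest = $sub.GetEnumerator() | Where-Object { $_.Value -eq $lowest } | ForEach-Object { $_.Key }

    New-Object PSObject -Property @{
        Report     = $report.Name
        Assessed   = $report.LastWriteTime
        SubScores  = $sub
        BaseScore  = $lowest
        Bottleneck = ($weakest -join ', ')
        Reported   = [double]$spr.SystemScore   # score stored in the report
    }
}

$wei = Get-WeiScores
$wei.SubScores.GetEnumerator() | Sort-Object Value | Format-Table Name, Value -AutoSize
"Base score {0} (limited by {1}); the report records {2}" -f $wei.BaseScore, $wei.Bottleneck, $wei.Reported

# A stale report hides the effect of a hardware change; 30 days is an arbitrary limit.
if (((Get-Date) - $wei.Assessed) -gt [TimeSpan]::FromDays(30)) {
    Write-Warning "Report is older than 30 days; run 'winsat formal' or Update my score after hardware changes."
}
```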

Performance Monitor and Data Collector Sets

Performance Monitor is a Microsoft Management Console (MMC) snap-in used to obtain system performance information. You can use this tool to analyze the performance effect of applications and services. You can use Performance Monitor for an overview of system performance or to collect detailed information for troubleshooting.
The Performance Monitor includes the following features:
• Monitoring Tool
• Data Collector Sets
• Reports

You can also access Resource Monitor from Performance Monitor.

Monitoring Tool
Monitoring Tools contains the Performance Monitor. It
provides a visual display of built-in Windows performance
counters, either in real time or as a way to review
historical data.
The Performance Monitor includes the following features:
• Multiple graph views
• Custom views that you can export as data collector sets
Performance Monitor uses performance counters to measure
the system state or activity.
Performance Counters can be included in the operating
system or can be part of individual applications.
Performance Monitor requests the current value of
performance counters at specified time intervals.
You can add performance counters to the Performance
Monitor by dragging and dropping the counters or by
creating a custom data collector set.
Performance Monitor features multiple graph views that
enable you to visually review performance log data. You
can create custom views in Performance Monitor that can be
exported as Data Collector Sets for use with performance
and logging features.

Data Collector Sets


The data collector set is a custom set of performance
counters, event traces and system configuration data.
After you have created a combination of data collectors
that describe useful system information, you can save them
as a data-collector set and then run and view the results.
A data collector set organizes multiple data-collection
points into a single, portable component. You can use a
data collector set on its own, group it with other data
collector sets and incorporate it into logs, or view it in
the Performance Monitor. You can configure a data collector set to generate alerts when it reaches thresholds, and so that third-party applications can use it.
You can also configure a data collector set to run at a scheduled time, for a specific length of time, or until it reaches a predefined size. For example, you can run the data collector set for 10 minutes every hour of the time during which you work to create a performance baseline. You can also set the data collector to restart when set limits are reached so that a separate file will be created for each interval.
The Data Collector Sets and Performance Monitor tools
enable you to organize multiple data-collection points
into a single component that you can use to review or log
performance.
Performance Monitor also includes default Data Collector
Set templates to help system administrators start to
collect performance data that is specific to a server role
or monitoring scenario.

Reports
Use reports to view and create reports from a set of
counters that you create by using Data Collector Sets.

Resource Monitor
Use this view to monitor the use and performance of CPU,
disk, network, and memory resources in real time. This
allows for resource conflicts and bottlenecks to be
identified and resolved.
By expanding the monitored elements, system administrators
can identify which processes are using which resources. In
previous Windows versions, this real-time process-specific
data was available only in a limited form in Task Manager.
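As an added example (not part of the courseware), this PowerShell script samples the four resources Resource Monitor tracks (CPU, memory, disk, network) with the same performance counters that Performance Monitor exposes, averages them over one minute and flags a likely bottleneck. The counter paths are the standard Windows 7 ones; the thresholds are illustrative assumptions, not Microsoft guidance.

```powershell
# Added example: sample CPU, memory, disk and network counters for one
# minute and flag a likely bottleneck. Thresholds are assumptions chosen
# for illustration; tune them against your own baseline.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available MBytes',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length',
    '\Network Interface(*)\Bytes Total/sec'
)

function Get-ResourceBaseline {
    param([int]$IntervalSeconds = 5, [int]$Samples = 12)   # 12 x 5 s = 1 minute

    $sets   = Get-Counter -Counter $counters -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $series = @{}
    foreach ($set in $sets) {
        # Sum the network instances within each sample so several NICs count once.
        $net = 0
        foreach ($s in $set.CounterSamples) {
            $path = $s.Path.ToLower()          # e.g. \\host\processor(_total)\% processor time
            if ($path -like '*network interface*') {
                $net += $s.CookedValue
                continue
            }
            if (-not $series.ContainsKey($path)) { $series[$path] = @() }
            $series[$path] += $s.CookedValue
        }
        if (-not $series.ContainsKey('network')) { $series['network'] = @() }
        $series['network'] += $net
    }

    # Average each series over the sampling window.
    $avg = @{}
    foreach ($k in $series.Keys) {
        $avg[$k] = [math]::Round(($series[$k] | Measure-Object -Average).Average, 2)
    }
    $avg
}

function Find-Bottleneck {
    param([hashtable]$Averages)
    $findings = @()
    foreach ($k in $Averages.Keys) {
        $v = $Averages[$k]
        switch -Wildcard ($k) {
            '*% processor time'       { if ($v -gt 80)  { $findings += "CPU: $v% busy on average" } }
            '*available mbytes'       { if ($v -lt 512) { $findings += "Memory: only $v MB available on average" } }
            '*avg. disk queue length' { if ($v -gt 2)   { $findings += "Disk: average queue length $v (I/O bound)" } }
            'network'                 { $findings += ("Network: {0:N0} bytes/sec total; compare with link speed" -f $v) }
        }
    }
    $findings
}

$baseline = Get-ResourceBaseline
$baseline.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
Find-Bottleneck -Averages $baseline
```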

Question: Which resources can cause performance problems if you have a shortage of them?
Answer: Central processing unit (CPU), random access
memory (RAM), disk, and network.
Optimizing and Maintaining Windows 7 Client Computers 7-13

Demonstration: Using the Resource Monitor

Start the LON-DC1 and the LON-CL1 virtual machines. Leave
them running throughout the duration of the module.
In this demonstration, you will see how to use the
Resource Monitor.
1. Log on to the LON-CL1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, in the search box, type res, and then
click Resource Monitor. The Overview tab shows CPU
usage, disk I/O, network usage, and memory usage
information for each process. Summary information is
provided in a bar above each section.

3. Click the down arrow in the Disk section to expand it.
4. Click the Views button and then click Medium. This
controls the size of the graphs that display CPU usage,
disk I/O, network usage, and memory activity.
5. Click the CPU tab. This tab has more detailed CPU
information that you can filter by process.
6. In the Processes area, select the check box for a
process, and then expand the Associated Handles area.
This shows the files that are used by this process. It
also keeps the selected process at the top of the list
for easier monitoring.
7. Click the Memory tab. This tab provides detailed
information about memory usage for each process. Notice
that the previously selected process is still selected
so that you can easily review multiple kinds of
information about a process as you switch between tabs.
8. Click the Disk tab. This tab shows processes with
recent disk activity.
9. Expand the Disk Activity area and clear the Image check
box to remove the filter and show all processes with
current disk activity. The Disk Activity area provides
detailed information about the files in use. The
Storage area provides general information about each
logical disk.
10. Click the Network tab. This tab provides information
about all processes with current network activity.
11. Expand the TCP Connections area. This shows current
TCP connections and information about those
connections.
12. Expand the Listening Ports area. This shows the
processes that are listening for network connections
and the ports they are listening on. The firewall
status for those ports is also shown.
13. Close the Resource Monitor.
Question: How can you simplify monitoring the activity of
a single process when it spans different tabs?
Answer: If you select the check box for a process, then
that process will be at the top of the list when you move
between tabs. This makes it easier to view different
characteristics of a single process and can be useful when
you are trying to find the resource that is a performance
bottleneck for a process.
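The per-process and listening-port information that the demonstration walks through in Resource Monitor can also be pulled from the command line, which is useful when you want to record it or compare several machines. The script below is an added example written for this page, not courseware code. It uses only Get-Process, netstat.exe and netsh.exe, all present on Windows 7, and assumes an elevated Windows PowerShell 2.0 session on the local machine; the function names Get-TopProcess and Get-ListeningPort are this example's own.

```powershell
# Added example (not from the courseware): a command-line view of what the
# Resource Monitor CPU, Memory and Network tabs show. Run elevated so that
# netstat -ano can report the owning process of every socket.

# --- CPU and Memory tabs: per-process CPU seconds, threads, handles, memory
function Get-TopProcess([int]$Count = 10) {
    Get-Process |
        Sort-Object CPU -Descending |
        Select-Object -First $Count -Property Id, ProcessName,
            @{ n = 'CPUSeconds'; e = { [math]::Round($_.CPU, 1) } },
            @{ n = 'Threads';    e = { $_.Threads.Count } },
            Handles,
            @{ n = 'PrivateMB';  e = { [math]::Round($_.PrivateMemorySize64 / 1MB, 1) } },
            @{ n = 'WorkingMB';  e = { [math]::Round($_.WorkingSet64 / 1MB, 1) } }
}

# --- Network tab, Listening Ports area: parse "netstat -ano" and name the
# owning process, as Resource Monitor does. netstat prints lines such as
#   TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    776
#   UDP    0.0.0.0:500    *:*                       1016    (no State column)
function Get-ListeningPort {
    $owner = @{}
    Get-Process | ForEach-Object { $owner[$_.Id] = $_.ProcessName }
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        $ownerPid = $null
        if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') { $ownerPid = [int]$f[4] }
        elseif ($f[0] -eq 'UDP')                        { $ownerPid = [int]$f[3] }
        if ($ownerPid -ne $null) {
            New-Object PSObject -Property @{
                Proto        = $f[0]
                LocalAddress = $f[1]
                PID          = $ownerPid
                Process      = $owner[$ownerPid]
            }
        }
    }
}

Get-TopProcess | Format-Table -AutoSize
Get-ListeningPort | Sort-Object Proto, LocalAddress |
    Format-Table Proto, LocalAddress, PID, Process -AutoSize

# Resource Monitor shows firewall status per listening port; the quickest
# overall check from the command line is the state of each firewall profile.
netsh advfirewall show allprofiles state
```

Anything listening that you cannot tie to a known service is worth following up, which is exactly the review the Listening Ports area is meant to support.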

Demonstration: Analyzing System Performance by Using Data Collector Sets and Performance Monitor

In this demonstration, we will show how to analyze system
performance by using Data Collector Sets and Performance
Monitor.
1. Log on to the LON-CL1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, in the search box, type per, and then
click Performance Monitor.
3. In the Performance Monitor window, click the
Performance Monitor node. Notice that only % Processor
Time is displayed by default.
4. Click the “+” symbol in the toolbar to add an
additional counter.
5. In the Available counters area, expand PhysicalDisk and
then click % Idle Time.
6. In the Instances of selected object box, click 0 C:,
click Add, and then OK.
7. Right-click % Idle Time and then click Properties.
8. In the Color box, click green and then OK.
9. In the left pane, expand Data Collector Sets and then
click User Defined.
10. Right-click User Defined, point to New, and then
click Data Collector Set.
11. In the Name box, type CPU and Disk Activity and then
click Next.
12. In the Template Data Collector Set box, click Basic,
and then click Next. Using a template is recommended.
13. Click Next to accept the default storage location
for the data.
14. Click Open properties for this data collector set
and then click Finish. On the General tab, you can
configure general information about the data collector
set and the credentials that are used when it is
running.
15. Click the Directory tab. This tab lets you define
information on how the collected data is stored.
16. Click the Security tab. This tab lets you configure
which users can change this data collector set.
17. Click the Schedule tab. This tab lets you define
when the data collector set is active and collecting
data.
18. Click the Stop Condition tab. This tab lets you
define when data collection is stopped based on time or
data that is collected.
19. Click the Task tab. This tab lets you run a
scheduled task when the data collector set stops. This
could be used to process the collected data.
20. Click Cancel.
21. Notice that there are three kinds of logs listed in
the right pane.
• Performance Counter collects data that can be viewed
in the Performance Monitor.
• Kernel Trace collects detailed information about
system events and activities.
• Configuration records changes to registry keys.
22. In the right pane, double-click Performance Counter.
Notice that all Processor counters are collected by
default.
23. Click Add.
24. In the Available counters area, click PhysicalDisk,
Add, and then OK. All the counters for the PhysicalDisk
object are now added.
25. Click OK.
26. In the left pane, right-click CPU and Disk Activity,
and then click Start.
27. Wait a few moments and the data collector set will
stop automatically.
28. Right-click CPU and Disk Activity and then click
Latest Report. This report shows the data that is
collected by the data collector set.
29. Close the Performance Monitor.
Question: How can Performance Monitor be used for
troubleshooting?
Answer: You can use Performance Monitor to monitor
resources when running an application that is having
problems. If a problem is occurring at a specific time,
you can schedule a data collector set to run at that time
and collect additional information about resource usage
when this problem occurs.
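The data collector set built by hand in steps 9 to 28 can also be created, run and read back from the command line, which is how you would script a baseline collection across several machines. The following is an added example for this page, not courseware code. It uses logman.exe and the Import-Counter cmdlet that ship with Windows 7, and assumes an elevated Windows PowerShell 2.0 session and an output path under the PerfLogs folder (the path and the Get-BaselineSummary function name are this example's own choices).

```powershell
# Added example (not from the courseware): the "CPU and Disk Activity" data
# collector set from the demonstration, created and driven with logman.exe.
# Run from an elevated Windows PowerShell prompt.

$name = 'CPU and Disk Activity'                              # name used in step 11
$out  = "$env:SystemDrive\PerfLogs\Admin\CPUDiskActivity"    # assumed output path

# Create the counter-type collector:
#   -c    every Processor and PhysicalDisk counter (steps 22 to 25)
#   -si   sample every 15 seconds
#   -rf   run for 10 minutes, then stop on its own (the Stop Condition tab)
#   -cnf  start a new log file every 5 minutes, so each interval gets its own file
#   -v    add a time stamp to each file name so files are not overwritten
#   -max  cap each file at 50 MB
#   -f    binary .blg format, readable by Performance Monitor and Import-Counter
logman create counter $name -c '\Processor(*)\*' '\PhysicalDisk(*)\*' `
    -si 15 -rf 00:10:00 -cnf 00:05:00 -v mmddhhmm -max 50 -f bin -o $out

logman start $name          # step 26
logman query $name          # status, output path and the counter list
# The set stops itself when -rf elapses (step 27); "logman stop $name" stops it early.

# Read the collected files back and summarise them, the way the Latest Report
# view does in step 28: average and peak of total CPU time and disk idle time.
function Get-BaselineSummary([string]$LogPath) {
    Get-ChildItem "$LogPath*.blg" | ForEach-Object {
        $file    = $_
        $samples = Import-Counter -Path $file.FullName | ForEach-Object { $_.CounterSamples }
        foreach ($counter in '\processor(_total)\% processor time',
                             '\physicaldisk(_total)\% idle time') {
            # Import-Counter paths carry a \\COMPUTERNAME prefix; match on the tail
            $stats = $samples | Where-Object { $_.Path -like "*$counter" } |
                Measure-Object -Property CookedValue -Average -Maximum
            New-Object PSObject -Property @{
                File    = $file.Name
                Counter = $counter
                Average = [math]::Round($stats.Average, 1)
                Peak    = [math]::Round($stats.Maximum, 1)
            }
        }
    }
}
Get-BaselineSummary $out | Format-Table File, Counter, Average, Peak -AutoSize
```

Because each interval lands in its own file, the summary shows whether a busy period was sustained or a single spike, which is the comparison a baseline exists to support.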

Considerations for Monitoring System Performance in Windows 7

Monitor the current system resource by using Resource
Monitor
Resource Monitor provides at-a-glance data for CPU, disk,
network, and memory resources. Therefore, it is a good
starting point for monitoring or troubleshooting tasks.
Resource Monitor shows you what happens with your current
Windows system. You can view which processes are consuming
CPU and disk activity and you can also view the current
activity of the network adapter. You can view more details
by going to each tab.
For example, if you suspect high consumption of your CPU
processing, you can view the CPU tab and see exactly what
processes are actually executing on your machine, how many
threads they are executing, and how much CPU
utilization is taking place. You can also view the
installed memory in your system, how much the operating
system can use, how much is used currently, and how much
is reserved for hardware. From the Disk view, you can see
all the disk I/O and detailed information on disk
activity. You can view processes with network activity in
the Network view and you can monitor which processes are
running and consuming the most bandwidth.
With Resource Monitor, you can investigate which product,
tool, or application is running and consuming CPU, disk,
network, and memory resources at the current time.

Create a performance baseline by using Performance
Monitor and Data Collector Sets
To evaluate your computer’s workload, you should monitor
system resources, notice changes and trends in resource
usage, test configuration changes, and diagnose problems.
You can set up a baseline in Performance Monitor to
perform these tasks.
By using data collector sets, you can establish a baseline
to use as a standard for comparison. You can create a
baseline when you first configure the computer, at regular
intervals of typical usage, and when you make any changes
to the computer’s hardware or software configuration. If
you have appropriate baselines, you can determine which
resources are affecting your computer’s performance.
You can monitor remotely; however, use of the counters
across a network connection for an extended period of time
can congest traffic on the network. If you have disk space
on the server for the performance log files, we recommend
that you record performance log information locally.
Because of performance impacts related to the number of
counters being sampled and the frequency with which
sampling occurs, it is important to test the number of
counters and the frequency of data collection so that you
can determine the balance that meets the needs of your
environment while still providing useful performance
information. For the initial performance baseline,
however, we recommend that you use the highest number of
counters possible and the highest frequency available. The
following table shows the commonly used performance
counters:

Counter Usage

LogicalDisk\% Free Space
    This measures the percentage of free space on the
    selected logical disk drive. Take note if this falls
    below 15 percent, as you risk running out of free
    space for the OS to store critical files. One obvious
    solution here is to add more disk space.

PhysicalDisk\% Idle Time
    This measures the percentage of time the disk was
    idle during the sample interval. If this counter falls
    below 20 percent, the disk system is saturated. You
    may consider replacing the current disk system with
    a faster disk system.

PhysicalDisk\Avg. Disk Sec/Read
    This measures the average time, in seconds, to read
    data from the disk. If the number is larger than 25
    milliseconds (ms), that means the disk system is
    experiencing latency when reading from the disk.

PhysicalDisk\Avg. Disk Sec/Write
    This measures the average time, in seconds, it takes
    to write data to the disk. If the number is larger
    than 25 ms, the disk system experiences latency
    when writing to the disk.

PhysicalDisk\Avg. Disk Queue Length
    This indicates how many I/O operations are waiting
    for the hard drive to become available. If the value
    here is larger than two times the number of
    spindles, that means the disk itself may be the
    bottleneck.

Memory\Cache Bytes
    This indicates the amount of memory being used
    for the file system cache. There may be a disk
    bottleneck if this value is greater than 300MB.

Memory\% Committed Bytes in Use
    This measures the ratio of Committed Bytes to the
    Commit Limit—in other words, the amount of
    virtual memory in use. This indicates insufficient
    memory if the number is greater than 80 percent.

Memory\Available Mbytes
    This measures the amount of physical memory, in
    megabytes, available for running processes. If this
    value is less than 5 percent of the total physical
    RAM, that means there is insufficient memory, and
    that can increase paging activity.

Memory\Free System Page Table Entries
    This indicates the number of page table entries not
    currently in use by the system. If the number is less
    than 5,000, there may well be a memory leak.

Memory\Pool Non-Paged Bytes
    This measures the size, in bytes, of the non-paged
    pool. This is an area of system memory for objects
    that cannot be written to disk but instead must
    remain in physical memory as long as they are
    allocated. There is a possible memory leak if the
    value is greater than 175MB (or 100MB with the
    /3GB switch).

Memory\Pool Paged Bytes
    This measures the size, in bytes, of the paged pool.
    This is an area of system memory used for objects
    that can be written to disk when they are not being
    used. There may be a memory leak if this value is
    greater than 250MB (or 170MB with the /3GB
    switch).

Memory\Pages per Second
    This measures the rate at which pages are read
    from or written to disk to resolve hard page faults.
    If the value is greater than 1,000, as a result of
    excessive paging, there may be a memory leak.

Processor\% Processor Time
    This measures the percentage of elapsed time the
    processor spends executing a non-idle thread. If
    the percentage is greater than 85 percent, the
    processor is overwhelmed and the server may
    require a faster processor.

Processor\% User Time
    This measures the percentage of elapsed time the
    processor spends in user mode. If this value is high,
    the server is busy with the application.

Processor\% Interrupt Time
    This measures the time the processor spends
    receiving and servicing hardware interruptions
    during specific sample intervals. This counter
    indicates a possible hardware issue if the value is
    greater than 15 percent.

System\Processor Queue Length
    This indicates the number of threads in the
    processor queue. The server doesn't have enough
    processor power if the value is more than two times
    the number of CPUs for an extended period of
    time.

Network Interface\Bytes Total/Sec
    This measures the rate at which bytes are sent and
    received over each network adapter, including
    framing characters. The network is saturated if you
    discover that more than 70 percent of the interface
    is consumed.

Network Interface\Output Queue Length
    This measures the length of the output packet
    queue, in packets. There is network saturation if the
    value is more than 2.

Process\Handle Count
    This measures the total number of handles that are
    currently open by a process. This counter indicates
    a possible handle leak if the number is greater than
    10,000.

Process\Thread Count
    This measures the number of threads currently
    active in a process. There may be a thread leak if
    this number is more than 500 between the
    minimum and maximum number of threads.

Process\Private Bytes
    This indicates the amount of memory that this
    process has allocated that cannot be shared with
    other processes. If the value is greater than 250
    between the minimum and maximum number of
    threads, there may be a memory leak.
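The thresholds in the table are only useful if something compares live counters against them. The script below is an added example for this page, not courseware code. It samples the table's system-wide counters with the Get-Counter cmdlet that ships with Windows 7, averages a few samples so that one spike does not raise a warning, and prints every counter that crosses the table's limit. The counter paths are the names Windows actually uses (the table's "Memory\Pages per Second" is the \Memory\Pages/sec counter, "Memory\Available Mbytes" is \Memory\Available MBytes, and "Pool Non-Paged Bytes" is Pool Nonpaged Bytes); the Processor Queue Length and Available MBytes rules read the CPU count and installed RAM from the machine, as the table's wording requires. The per-process and Network Interface rows depend on which process or adapter you are looking at and are left out, the spindle count is an assumption, and Test-PerformanceThreshold is this example's own function name.

```powershell
# Added example (not from the courseware): sample the counters in the table
# above and report the ones that cross the table's thresholds. Windows 7,
# Windows PowerShell 2.0, run as an administrator on the machine being checked.

$cpus     = [int]$env:NUMBER_OF_PROCESSORS
$ramMB    = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$spindles = 1          # assumption: one physical spindle behind the _Total instance
$sysDrive = $env:SystemDrive

# One rule per table row: real counter path, comparison, limit and the table's reading.
$rules = @(
  @{ Path = "\LogicalDisk($sysDrive)\% Free Space";         Op = 'lt'; Limit = 15;            Hint = 'below 15% free; OS may run out of space' },
  @{ Path = '\PhysicalDisk(_Total)\% Idle Time';            Op = 'lt'; Limit = 20;            Hint = 'disk system saturated' },
  @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Read';     Op = 'gt'; Limit = 0.025;         Hint = 'read latency over 25 ms' },
  @{ Path = '\PhysicalDisk(_Total)\Avg. Disk sec/Write';    Op = 'gt'; Limit = 0.025;         Hint = 'write latency over 25 ms' },
  @{ Path = '\PhysicalDisk(_Total)\Avg. Disk Queue Length'; Op = 'gt'; Limit = 2 * $spindles; Hint = 'queue over 2 x spindles' },
  @{ Path = '\Memory\Cache Bytes';                          Op = 'gt'; Limit = 300MB;         Hint = 'possible disk bottleneck' },
  @{ Path = '\Memory\% Committed Bytes In Use';             Op = 'gt'; Limit = 80;            Hint = 'insufficient memory' },
  @{ Path = '\Memory\Available MBytes';                     Op = 'lt'; Limit = 0.05 * $ramMB; Hint = "under 5% of $ramMB MB RAM" },
  @{ Path = '\Memory\Free System Page Table Entries';       Op = 'lt'; Limit = 5000;          Hint = 'possible memory leak' },
  @{ Path = '\Memory\Pool Nonpaged Bytes';                  Op = 'gt'; Limit = 175MB;         Hint = 'possible leak in non-paged pool' },
  @{ Path = '\Memory\Pool Paged Bytes';                     Op = 'gt'; Limit = 250MB;         Hint = 'possible leak in paged pool' },
  @{ Path = '\Memory\Pages/sec';                            Op = 'gt'; Limit = 1000;          Hint = 'excessive paging' },
  @{ Path = '\Processor(_Total)\% Processor Time';          Op = 'gt'; Limit = 85;            Hint = 'processor overwhelmed' },
  @{ Path = '\Processor(_Total)\% Interrupt Time';          Op = 'gt'; Limit = 15;            Hint = 'possible hardware issue' },
  @{ Path = '\System\Processor Queue Length';               Op = 'gt'; Limit = 2 * $cpus;     Hint = "queue over 2 x $cpus CPUs" }
)

function Test-PerformanceThreshold([object[]]$Rules, [int]$Samples = 5, [int]$IntervalSeconds = 2) {
    # Collect several samples and average each counter, so a single spike (and
    # the first read of a rate counter, which is often zero) does not decide.
    $sets = Get-Counter -Counter ($Rules | ForEach-Object { $_.Path }) `
                        -SampleInterval $IntervalSeconds -MaxSamples $Samples -ErrorAction SilentlyContinue
    $averages = $sets | ForEach-Object { $_.CounterSamples } |
        Group-Object -Property Path | ForEach-Object {
            New-Object PSObject -Property @{
                Path  = $_.Name
                Value = ($_.Group | Measure-Object -Property CookedValue -Average).Average
            }
        }
    foreach ($rule in $Rules) {
        # Get-Counter returns paths prefixed with \\COMPUTERNAME and in lower case;
        # -like is case-insensitive, so match on the tail of the path.
        $hit = $averages | Where-Object { $_.Path -like "*$($rule.Path)" }
        if (-not $hit) { continue }
        $crossed = if ($rule.Op -eq 'gt') { $hit.Value -gt $rule.Limit } else { $hit.Value -lt $rule.Limit }
        if ($crossed) {
            New-Object PSObject -Property @{
                Counter = $rule.Path
                Value   = [math]::Round($hit.Value, 3)
                Limit   = $rule.Limit
                Reading = $rule.Hint
            }
        }
    }
}

$findings = Test-PerformanceThreshold $rules
if ($findings) { $findings | Format-Table Counter, Value, Limit, Reading -AutoSize }
else           { "No counter crossed its threshold in this sample." }
```

Run it a few times during normal use before trusting a warning: the table's limits are rules of thumb, and a value that only crosses one of them for a moment is not the sustained condition the table describes.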

Plan the monitoring strategy carefully

Monitoring lots of data collector sets that sample data at
frequent intervals creates both a load on the system that
you are monitoring and large log files to analyze. Plan
the counters and sampling intervals carefully
to make sure that the data that you collect accurately
represents system performance.

Lesson 2
Maintaining Reliability by Using the
Windows 7 Diagnostic Tools

The Windows Diagnostic Infrastructure (WDI) is a set of
diagnostic tools. The WDI infrastructure identifies
existing disk, memory, and network problems, detects
impending failures, and alerts you to take corrective or
mitigating action.
Problems That Windows Diagnostic Tools Can Help Solve

You can only solve computer problems effectively and
reliably by accurately diagnosing the problems. If you
understand the capabilities of the Windows 7 diagnostics
tools, you can determine where you can find the
information that you must have to troubleshoot existing
problems and prevent future ones.
The WDI includes diagnostic tools that you can use to
troubleshoot network-related issues, startup problems, and
problems with unreliable memory.

Memory
Memory problems are especially frustrating to troubleshoot
because they frequently manifest themselves as application
issues. Failing memory can cause application failures,
operating system faults, and stop errors. Failing memory
can be difficult to identify because problems can be
intermittent. For example, a memory chip might function
perfectly when you test it in a controlled environment.
However, it can start to fail when it is used in a hot
computer.
Failing memory chips return data that differs from what
the operating system originally stored. This could lead to
secondary problems, such as corrupted files. Frequently,
administrators take extreme steps to repair the problem
such as reinstalling applications or the operating system,
only to have the failures persist.

Network
Network errors frequently cause an inability to access
network resources and can be difficult to diagnose.
Network interfaces that you do not configure correctly,
incorrect IP addresses, hardware failures, and many other
problems can affect connectivity. Operating-system
features, such as cached credentials, enable users to log
on as domain users even when a network connection is not
present. This feature can make it appear as if the user
has successfully logged on to the domain even when they
have not. Although this feature is useful, it does add
another layer to the process of troubleshooting network
connections.

Startup
Diagnosing startup problems is especially difficult
because you do not have access to Windows 7
troubleshooting and monitoring tools when your computer
does not start. Malfunctioning memory, incompatible or
corrupted device drivers, missing or corrupted startup
files, or corrupted disk data can all cause startup
failures.
The Windows Memory Diagnostics Tool

The Windows Memory Diagnostics Tool (WMDT) works with
Microsoft Online Crash Analysis to monitor computers for
defective memory, and determines whether defective
physical memory is causing program crashes. If the Windows
Memory Diagnostics tool identifies a memory problem,
Windows 7 avoids using the affected part of physical
memory so that the operating system can start successfully
and avoid application failures.
In most cases, Windows automatically detects possible
problems with your computer’s memory and displays a
notification that asks whether you want to run the Memory
Diagnostics Tool.
You can also start the Windows Memory Diagnostics tool
from Administrative Tools, under System and Security in
Control Panel.
How Does the Windows Memory Diagnostics Tool Run

If the Windows Memory Diagnostics tool detects any
problems with physical memory, Microsoft Online Crash
Analysis automatically prompts you to run the tool.
You can decide whether to restart your computer and check
for problems immediately, or to schedule the tool to run
when the computer next restarts.
When the computer restarts, Windows Memory Diagnostics
tests the computer’s memory. While the Memory Diagnostics
Tool runs, it shows a progress bar that indicates the status
of the test. It may take several minutes for the tool to
finish checking your computer's memory. As soon as the
test is finished, Windows restarts again automatically.
When the test is finished, Windows Memory Diagnostics
gives you an easy-to-understand report detailing the
problem. It also writes information to the event log so
that it can be analyzed.
You can also run the Windows Memory Diagnostics tool
manually. You have the same choices: to run the tool
immediately or to schedule it to run when the computer
restarts. Additionally, you can start Windows Memory
Diagnostics from the installation media.

Advanced Options
To access advanced diagnostic options, press F1 while the
test is running. Advanced options include the following:
• Test mix: select what kind of test to run.
• Cache: select the cache setting for each test.
• Pass Count: type the number of times the test mix
repeats the tests.
Press the Tab key to move between the advanced options.
When you finish selecting your options, press F10 to start
the test.
Windows Network Diagnostics Tool

The Windows Network Diagnostics tool provides an advanced
way to resolve network-related issues. When a user cannot
connect to a network resource, the user receives clear
repair options instead of error messages, which can be
difficult to understand. By understanding the repair
options that the Windows Network Diagnostics tool
presents, you can troubleshoot network-related issues
effectively.
You can start the Windows Network Diagnostic tool by
clicking Fix a Network Problem in the Network and Sharing
Center.
From this page, you can troubleshoot different network
problems. Some of these problems are as follows:
• Internet Connections: connections to the Internet or
to a particular Web site
• Connection to a Shared Folder: access shared files and
folders on other computers
• HomeGroup: view the computers or shared files in a
homegroup for workgroup configured computers.
• Network Adapter: troubleshoot Ethernet, Wireless, or
other network adapters
• Incoming Connections to This Computer: allow for other
computers to connect to this computer
• Printing: you can also troubleshoot problems on printer
connections.

How Does the Windows Network Diagnostics Tool Run


The Windows Network Diagnostics tool runs automatically
when it detects a problem. You can also decide to run the
tool manually by using the Diagnose option on the Local
Area Connections Status property sheet.
If Windows 7 detects a problem that it can repair
automatically, it will do so. If Windows 7 cannot repair
the problem automatically, it directs the user to perform
simple steps to resolve the problem without having to call
support.
Reliability Monitor and Problem Reports and Solutions Tool

The Reliability Monitor reviews the computer’s reliability
and problem history. The Reliability Monitor can be used
to obtain several kinds of reports and charts that can
help you identify the source of reliability issues.
You can access the Reliability Monitor by clicking View
System History on the Maintenance tab in the Action
Center.
The following topics explain the main features of the
Reliability Monitor in more detail.

System Stability Chart

The System Stability Chart summarizes system stability,
for the past year, in daily increments. This chart
indicates any information, error, or warning messages, and
makes it easy to identify issues and the date on which
they occurred.

Installation and Failure Reports

The System Stability Report also provides information
about each event in the chart. These reports include the
following events:
• Software Installs
• Software Uninstalls
• Application Failures
• Hardware Failures
• Windows Failures
• Miscellaneous Failures

Records Key Events in a Timeline


The Reliability Monitor tracks key events about the system
configuration, such as the installation of new
applications, operating-system patches, and drivers. It
also tracks the following events, which help you identify
the reasons for reliability issues:
• Memory problems
• Hard-disk problems
• Driver problems
• Application failures
• Operating system failures
The Reliability Monitor is a useful tool that provides a
timeline of system changes and reports the system’s
reliability. You can use this timeline to determine
whether a particular system change correlates with the
start of system instability.
Problem Reports and Solutions Tool

The Problem Reports and Solutions feature in Reliability
Monitor helps users track problem reports and any solution
information that they have received.
Problem Reports and Solutions only helps the user to store
information. All Internet communication related to problem
reports and solutions is handled by Windows Error
Reporting.
The Problem Reports and Solutions tool provides a list of the
attempts made to diagnose your computer’s problems.
If an error occurs while an application is running,
Windows Error Reporting Services prompts the user to
select whether to send error information to Microsoft over
the Internet. If information that can help the user
resolve this problem is available, Windows displays a
message to the user with a link to it.
You can use the Problem Reports and Solutions tool to
track this information and recheck to find new solutions.
You can start the Problem Reports and Solutions tools from
the Reliability Monitor, where the following tools are
available:
• Save Reliability history
• View Problems and Responses
• Check for Solutions to all problems
• Clear the solution and problem history
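The correlation the Reliability Monitor topics describe, a system change followed by a drop in stability, can be checked from a script against the same data the chart draws. The following is an added example for this page, not courseware code. It reads the Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords WMI classes that Windows 7 exposes, finds the days on which the stability index fell, and lists the installs and failures recorded in the two days before each drop. It assumes a local machine on which the reliability data-collection task has been running (it is enabled by default), and the function names and the one-point drop threshold are this example's own choices.

```powershell
# Added example (not from the courseware): read the data behind the System
# Stability Chart and its event reports through WMI, then line up installs
# and failures against each day on which the stability index dropped.

function ConvertFrom-WmiDate([string]$WmiDate) {
    [System.Management.ManagementDateTimeConverter]::ToDateTime($WmiDate)
}

# Lowest stability index recorded on each day (the chart plots 1 to 10).
function Get-DailyStabilityIndex {
    Get-WmiObject Win32_ReliabilityStabilityMetrics |
        Select-Object @{ n = 'Day';   e = { (ConvertFrom-WmiDate $_.TimeGenerated).Date } },
                      @{ n = 'Index'; e = { [double]$_.SystemStabilityIndex } } |
        Group-Object -Property Day | ForEach-Object {
            New-Object PSObject -Property @{
                Day   = $_.Group[0].Day
                Index = ($_.Group | Measure-Object -Property Index -Minimum).Minimum
            }
        } | Sort-Object Day
}

# Days on which the index fell by more than $MinDrop against the previous day.
function Get-StabilityDrop([double]$MinDrop = 1.0) {
    $days = @(Get-DailyStabilityIndex)
    for ($i = 1; $i -lt $days.Count; $i++) {
        if (($days[$i - 1].Index - $days[$i].Index) -gt $MinDrop) { $days[$i] }
    }
}

# Software installs and application, hardware and Windows failures: the same
# events the Installation and Failure Reports list.
function Get-ReliabilityEvent {
    Get-WmiObject Win32_ReliabilityRecords |
        Select-Object @{ n = 'Time'; e = { ConvertFrom-WmiDate $_.TimeGenerated } },
                      SourceName, ProductName, EventIdentifier, Message
}

$events = Get-ReliabilityEvent
foreach ($drop in Get-StabilityDrop) {
    "Stability index fell to $($drop.Index) on $($drop.Day.ToShortDateString()); events in the preceding two days:"
    $events |
        Where-Object { $_.Time -ge $drop.Day.AddDays(-2) -and $_.Time -lt $drop.Day.AddDays(1) } |
        Sort-Object Time |
        Format-Table Time, SourceName, ProductName, EventIdentifier -AutoSize
}
```

An install or driver update that appears in the window before every drop is the change to investigate first; an isolated drop with only application failures around it points at the application rather than the system.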
Windows Startup and Recovery

The Startup and Recovery options are accessed from the
Advanced tab in System Properties. Under System
startup, you can specify the default operating system for
startup.
You also select the number of seconds that you want the
list of recovery options to be displayed before the default
recovery option is automatically selected.
Under System failure, you can specify what happens when the
system stops unexpectedly:
• Write an event to the System log: specifies that event
information will be recorded in the System log.
• Automatically restart: specifies that Windows will
automatically restart your computer.
Under Write debugging information, you select the type of
information that you want Windows to record when the
system stops unexpectedly. You have three options:
• Small memory dump: records the smallest amount of
information that will help identify the problem. This
option requires a paging file of at least 2 MB on the
boot volume of your computer. If you select this
option, Windows creates a new file (64 KB in size)
every time that the system stops unexpectedly.
• Kernel memory dump: records only kernel memory, which
stores more information than a small memory dump but
takes less time to complete than a complete memory
dump when the system stops unexpectedly.
• Complete memory dump: records all the contents of
system memory when the system stops unexpectedly. If
you select this option, you must have a paging file on
the boot volume large enough to hold all the physical
RAM plus one megabyte (MB).
The debugging information file is stored in the folder
that is listed under Dump file.
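The settings in the Startup and Recovery dialog can be read and checked from a script, which matters when you want to confirm on many machines that a dump will actually be written if a stop error occurs. The following is an added example for this page, not courseware code. It reads the settings through the Win32_OSRecoveryConfiguration and Win32_PageFileUsage WMI classes on Windows 7 and compares the boot-volume paging file with the sizes the text gives (at least 2 MB for a small memory dump, all physical RAM plus 1 MB for a complete memory dump); Get-CrashDumpSetting is this example's own function name.

```powershell
# Added example (not from the courseware): audit the Startup and Recovery
# "System failure" settings through WMI and check that the paging file on the
# boot volume can hold the selected dump type. Windows PowerShell 2.0, run as
# an administrator.

# DebugInfoType values used by Win32_OSRecoveryConfiguration:
# 0 = none, 1 = complete memory dump, 2 = kernel memory dump, 3 = small memory dump
$dumpType = @{ 0 = 'None'; 1 = 'Complete memory dump'; 2 = 'Kernel memory dump'; 3 = 'Small memory dump' }

function Get-CrashDumpSetting {
    $rec   = Get-WmiObject Win32_OSRecoveryConfiguration
    $ramMB = [math]::Ceiling((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)

    # Paging file currently allocated on the boot volume, in MB
    $bootVolume = $env:SystemDrive
    $pf = Get-WmiObject Win32_PageFileUsage | Where-Object { $_.Name -like "$bootVolume*" }
    $pagefileMB = if ($pf) { [int]$pf.AllocatedBaseSize } else { 0 }

    # Minimum paging file the text gives for each dump type
    $requiredMB = switch ([int]$rec.DebugInfoType) {
        1       { $ramMB + 1 }   # complete dump: all physical RAM plus 1 MB
        3       { 2 }            # small dump: at least 2 MB
        default { 0 }            # kernel dump: Windows sizes this itself; none: nothing needed
    }

    New-Object PSObject -Property @{
        WriteEventToSystemLog = [bool]$rec.WriteToSystemLog
        AutomaticallyRestart  = [bool]$rec.AutoReboot
        DebuggingInformation  = $dumpType[[int]$rec.DebugInfoType]
        DumpFile              = $rec.DebugFilePath
        PagefileMB            = $pagefileMB
        RequiredMB            = $requiredMB
        DumpCanBeWritten      = ($pagefileMB -ge $requiredMB)
    }
}

$s = Get-CrashDumpSetting
$s | Format-List WriteEventToSystemLog, AutomaticallyRestart, DebuggingInformation, DumpFile, PagefileMB, RequiredMB
if (-not $s.DumpCanBeWritten) {
    "WARNING: the $env:SystemDrive paging file is $($s.PagefileMB) MB but $($s.DebuggingInformation) needs at least $($s.RequiredMB) MB; no dump will be written."
}

# To change the setting from a script instead of the dialog, for example to a
# kernel memory dump, write the same WMI object back:
#   $rec = Get-WmiObject Win32_OSRecoveryConfiguration
#   $rec.DebugInfoType = 2; $rec.Put() | Out-Null
```

A machine that is set to restart automatically with no dump that can be written leaves nothing to analyse after a stop error, which is the gap this check is meant to catch before the error happens.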

Boot Options for Troubleshooting Startup Problems

To troubleshoot difficulties that may occur when you try
to start Windows, you can access the Advanced Boot
Options. The Advanced Boot Options are used to change
the registry, load drivers, or remove drivers.
The Advanced Boot Options are as follows:
• Repair Your Computer
• Safe Mode
• Safe Mode with Networking
• Safe Mode with Command Prompt
• Enable Boot Logging
• Enable Low-resolution video (640x480)
• Last Known Good Configuration (advanced)
• Directory Services Restore Mode
• Debugging Mode
• Disable Automatic restart on system failure
• Disable Driver Signature Enforcement
• Start Windows Normally

Startup Repair Tool


Use the Startup Repair Tool to fix many common problems
automatically, and to quickly diagnose and repair more
complex startup problems. When you run the Startup Repair
tool, it scans your computer for the source of the problem,
and then it tries to fix the problem so that your computer
can start correctly.

How to Use the Startup Repair Tool


When a system detects a startup failure, it goes into the
Startup Repair tool. This performs diagnostics and
analyzes startup log files to determine the cause of the
failure. After the Startup Repair tool determines the
cause of failure, it tries to fix the problem
automatically.
The Startup Repair tool can repair the following problems
automatically:
• Incompatible drivers
• Missing or corrupted startup-configuration settings
• Corrupted disk metadata
After the Startup Repair tool repairs the operating
system, Windows 7 notifies you of the repairs and provides
a log so that you can determine the steps the Startup
Repair tool performed.
If the Startup Repair tool cannot resolve startup errors,
Windows 7 rolls the system back to the last known working
state. If the Startup Repair tool cannot recover the
system automatically, it provides diagnostic information
and support options to make additional troubleshooting
easier.
You can start the Startup Repair tool manually from the
Windows 7 installation DVD. After you start the computer
from the DVD, you can access the manual repair tools from
the menus that display.
Demonstration: Resolving Startup Related Problems

In this demonstration, you will see how to resolve startup
related problems.
1. Connect the DVD in LON-CL1 to the Windows 7
installation DVD.
• C:\Program Files\Microsoft Learning\6292\drives\Windows7_32bit.iso
2. Restart LON-CL1 and press a key to boot from the DVD
when you are prompted.
3. On the Windows 7 page, click Next.
4. Click Repair your computer.
5. In the System Recovery Options window, read the list of
operating systems found and then click Next.
6. Read the options that are listed.
• Startup Repair tries to automatically repair a
Windows system that is not booting correctly.
• System Restore is used to restore system
configuration settings based on a restore point.
• System Image Recovery is used to perform a full
restore from Windows backup.
• Windows Memory Diagnostic is used to test physical
memory for errors.
• Command Prompt lets you manually access the local
hard disk and perform repairs.
7. Click Command Prompt.
8. At the command prompt, type C: and press Enter.
9. At the command prompt, type dir and press Enter. Notice
that there are no files on the C: drive.
10. At the command prompt, type E: and press Enter.
11. At the command prompt, type dir and press Enter.
Notice that this drive is the C: drive when Windows 7
is running.
12. Close the command prompt and then click Restart.
Question: When would you use the command prompt to perform
system repairs manually?
Answer: You would use the command prompt to perform system
repairs manually if the automated tools cannot repair the
system.

Lesson 3
Backing Up and Restoring Data by Using
Windows Backup

It is important to protect data on computer systems from
accidental loss or corruption. Additionally, to recover
from a problem, it is frequently easier to restore system
settings than to reinstall the operating system and
applications. By using the Windows Backup, you can perform
backups, and when it is necessary, perform restores to
recover damaged or lost files, or to repair corrupted
system settings.
Windows Backup lets you capture all files, specific files,
and system files, and schedule the backup to occur
automatically. This eliminates the need for you to perform
the backup manually. Additionally, you can roll back in
time and find past versions or revisions of files.

The Startup Repair tool is automated and used to diagnose and recover systems that do not start. It is installed automatically onto the operating system partition. After an unsuccessful start, Windows 7 automatically loads the Startup Repair tool, which scans the computer for issues, repairs an issue automatically when it is possible, and then restarts the computer.

Discussion: Need for Backing Up Data



Although computers are very reliable, and most operating
systems are robust and recoverable, problems do occur.
Sometimes these problems can result in data loss.
A computer contains different types of data that it stores
in different locations. Computer data types include
operating-system configuration files, application program
settings, user-related settings, and user data files. This
includes documents, images, and spreadsheets.
A computer that is running Windows 7 stores these data and
settings files in several locations.
Make sure that you protect these data files and settings
so that if a computer problem occurs, no data is lost. One
way of protecting these data files and settings is to
perform regular backups by copying your files to other
media.

Backup and Restore Tool

Windows 7 provides many tools that you can use to protect your data, settings, and files, and to recover your computer from data loss and system failure.

The Backup and Restore Tool

The Backup and Restore options in Control Panel provide access to all backup-related setup procedures and tasks. This includes managing backup space for both file and system image backups.
Windows Backup lets you make copies of data files for all
people who use the computer. You can let Windows select
what to back up or you can select the individual folders,
libraries, and drives that you want to back up. By
default, your backups are created on a regular schedule.
You can change the schedule and manually create a backup
at any time. As soon as you set up Windows Backup, Windows keeps track of the files and folders that are new or changed and adds them to your backup.

You can back up files to an external hard disk, to a writeable DVD, or to a network location. You must have elevated (administrative) permissions to perform a backup.
If something goes wrong and you must restore data from a backup, you can select whether to restore individual files, selected folders, or all personal files.
System Restore helps you restore your computer's system files to an earlier point in time. It is a way to undo system changes to your computer without affecting your personal files, such as e-mail, documents, or photos.
System Restore is not intended for backing up personal files. Therefore, it cannot help you recover a personal file that was deleted or damaged. You should regularly back up your personal files and important data by using a backup program.

Set up Windows Backup


To back up your files, open Backup and Restore, click Set up backup, specify the destination drive for the backup, and then select the files to back up. Windows scans your computer for the files that you specify, and then backs them up onto the target media in a series of compressed folders and related catalog files.

Image Backup
A Windows Backup file backup does not back up system files, program files, files that are on File Allocation Table (FAT) volumes, temporary files, or user profile files. If you want to protect these files, you must use an image backup.
A system image backup is a copy of the drives required for Windows to run. It can also include additional drives. A system image can be used to restore your computer if your hard disk or computer stops working. However, you cannot select individual items to restore from a system image.

System Repair Disc

A system repair disc is used to boot your computer. It contains the Windows system recovery tools to help recover Windows from a serious error or to restore your computer from a system image.

Demonstration: Performing a Backup

In this demonstration, you will see how to perform a backup.
1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start and then click Documents.
3. In the Documents window, right-click an open area, point to New, and then click Text Document.
4. Type Important Document and then press Enter.
5. Double-click Important Document, enter some text in the document, and then close Notepad.
6. Click Save to save the file and then close the Documents window.
7. Click Start, point to All Programs, click Maintenance, and then click Backup and Restore.
8. Click Set up backup.
9. Click Allfiles (E:) and then click Next.
10. Click Let me choose and then Next. Notice that by
default, both the libraries for all users and a system
image are selected.
11. Clear all checkboxes in the window, select the
bolded Administrator’s Libraries checkbox, and then
click Next.
12. Click Change schedule.
13. Ensure that the Run backup on a schedule
(recommended) checkbox is selected; review the
available options for How often, What day, and What
time, and then click OK.
14. Click Save settings and Run Backup.
15. Watch as the backup completes. Click View Details to
see detailed progress.
16. Close Backup and Restore.
Question: What files should you back up on a computer?
Answer: You should back up all data files on a computer. Also, a full system image will help restore your computer if a hard disk fails.
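The system image that the demonstration sets up through the GUI can also be created and checked from a script, which is what you would do on more than a handful of computers. The following is an added example and is not courseware code: it drives wbadmin, the command-line interface to Windows Backup, to write a system image to the lab's E: drive, reads the version identifiers back out of the backup catalog, and lists who can read the WindowsImageBackup folder, because a system image is a VHD containing every user's files and the registry hives. The drive letter E:, the function names and the elevated PowerShell session on Windows 7 are assumptions.

```powershell
# Added example: create and verify a system image backup with wbadmin.
# Assumptions: Windows 7, an elevated PowerShell session, and a second volume E:
# (labelled "Allfiles" in the lab) that is not the disk Windows runs from.
$target = 'E:'

function New-SystemImageBackup {
    param([string]$BackupTarget)
    # -allCritical backs up every volume that Windows needs to boot (the system
    # reserved partition and C:), which is what the GUI's "system image" option
    # does. -quiet suppresses the interactive confirmation.
    & wbadmin start backup -backupTarget:$BackupTarget -allCritical -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin start backup failed with exit code $LASTEXITCODE"
    }
}

function Get-BackupVersions {
    param([string]$BackupTarget)
    # Read the catalog on the target and return the version identifiers it lists;
    # an empty result after a "successful" run means the catalog was not written.
    & wbadmin get versions -backupTarget:$BackupTarget |
        Select-String 'Version identifier' |
        ForEach-Object { ($_.Line -split ':', 2)[1].Trim() }
}

function Get-BackupFolderAccess {
    param([string]$BackupTarget)
    # Only Administrators and SYSTEM should be able to read the image folder.
    $folder = Join-Path $BackupTarget 'WindowsImageBackup'
    (Get-Acl -Path $folder).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

New-SystemImageBackup -BackupTarget $target
"Versions in the catalog on ${target}:"
Get-BackupVersions -BackupTarget $target
"Who can access the image folder:"
Get-BackupFolderAccess -BackupTarget $target | Format-Table -AutoSize
```

Two things to keep in mind when you run this. E: in the lab is a second volume on a separate virtual disk; a backup stored on another partition of the same physical disk does not survive that disk failing, so check where the target really lives before relying on it. And if the access list shows anything beyond Administrators and SYSTEM, tighten it before the image is used, because the VHD can be mounted and read like any other disk.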

Demonstration: Restoring Data

In this demonstration, you will see how to restore data.
1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Maintenance, and then click Backup and Restore.
3. Click Restore my files and then Browse for files.
4. In the Browse the backup for file window, click
administrator.CONTOSO’s backup, and then in the right
pane, double-click Documents, click Important Document,
and then Add files.
5. Click Next.
6. Click In the original location and then click Restore.
7. When prompted that the file already exists, click Copy
and Replace.
8. Click Finish.
9. Close Backup and Restore.
Question: When should you restore to an alternate location?
Answer: Restore to an alternate location when you want to keep the current version of a file and also get a copy of an older version for comparison. For example, a file may have had some information added and some deleted since the backup was performed. If you want to keep the new information that was added and recover the information that was deleted, you need both versions of the file.

Lesson 4
Restoring a Windows 7 System by Using System Restore Points

Windows 7 provides System Restore to monitor and record changes that are made to the core Windows system files and to the registry.
If your computer is not functioning correctly, the System Restore tool can return your computer to a previous state by using System Restore points.
System Restore is often quicker and easier than restoring from backup media.

How System Restore Works

System Restore returns system files to the state they were in at a specific date and time and leaves data files intact. It is a way to undo system changes to your computer without affecting your personal files. All of the necessary system files and folders are restored to the state they were in when the restore point was created.
System Restore uses a feature known as System Protection to create and save restore points on your computer regularly. Restore points are created automatically by System Restore weekly and when System Restore detects the beginning of a change to your computer, such as when you install a program or a driver. These restore points contain information about registry settings and other system information that Windows uses. You can also create restore points manually.

A restore point is a representation of a stored state of your computer's system files. System restore points back up most system files and settings, such as:
• Registry
• Dllcache folder
• User profile
• COM+ and WMI information
• IIS metabase
• Certain monitored system files
System Restore is not intended for backing up personal
files. Therefore, it cannot help you recover a personal
file that was deleted or damaged. You should regularly
back up your personal files and important data by using a
backup program.

Using System Restore


You run System Restore in Windows 7 from the following locations:
• The System Protection tab of System Properties
• The System Tools folder in the Accessories program group
In the System Restore window, you can see the date and time, description, and type of each restore point that has been created. This helps you select the restore point that you want to restore your computer to. The restore itself takes only a few minutes.
After the system is restored to the selected restore point, you must restart your computer. The next time that you start System Restore, you will see an option to undo the last restoration. This is available in case the restore point that you rolled back to does not correct the original problem that you were having, so that you can easily return to the point in time where you started troubleshooting.

Note: System Restore does not affect any of your documents, pictures, or other personal data. However, recently installed programs and drivers may be uninstalled.

Question: What are the situations when you would need to use System Restore?
Answer: If your computer is running slowly or is not working properly, you can use System Restore to return your computer's system files and settings to an earlier point in time, using a restore point.

Question: When would you restore a file from a restore point rather than a backup?
Answer: You use System Restore when you need to restore all system files on the computer to a specific date and time. System Restore restores only system files and will not recover any personal file that was deleted or damaged.

What Are Previous Versions of Files?



Previous versions are either copies of files and folders
that are created by Windows Backup or copies of files and
folders that Windows automatically saves as part of a
restore point. You can use previous versions to restore
files and folders that you accidentally changed or
deleted, or that were damaged. Depending on the type of
file or folder, you can open, save to a different
location, or restore a previous version.
Previous versions are automatically saved as part of a
restore point. If system protection is turned on, Windows
automatically creates previous versions of files and
folders that were modified since the last restore point
was made.
Windows 7 creates a scheduled restore point about once a week if no other restore point has been created in that time. If your disk is partitioned or if you have more than one hard disk in your computer, you have to turn on system protection for the other partitions or disks. Previous versions are also created by Windows Backup when you back up your files.

Note: If you modify a file several times in one day, only the version that was current when the restore point or backup was made is saved as a previous version.

Previous versions of files let you recover an earlier version of a data file even if you never run a backup. This feature recovers the earlier version from a volume shadow copy. The Volume Shadow Copy Service (VSS) is the infrastructure within Windows for creating a point-in-time image (shadow copy) of one or more volumes.
VSS automatically creates a shadow copy when a restore point is taken. VSS is turned on automatically in Windows 7 and creates copies of changed files on a scheduled basis. Because only the changed blocks are saved, shadow copies use minimal disk space. However, shadow copies live on the same volume that they protect, so a file cannot be recovered from them after that volume is corrupted or the disk fails.
Shadow copies provide both file system consistency and application consistency and can be used for a range of purposes, from backup and restore programs to data mining.
A system restore point represents a stored state of the computer's system files. Restore points are created by System Restore at specific intervals and when System Restore detects the beginning of a change to the computer. After you enable System Protection, you can use both the previous versions feature and system restore points. Restore points can be created manually at any time.
Question: What are the benefits of maintaining previous
versions of files?
Answer: If you accidentally change or delete a file or a
folder you can restore it to an earlier version that is
saved as part of a restore point.
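The Previous Versions tab is a view onto the shadow copies that VSS keeps for the volume, and the same snapshots can be enumerated and read directly, which is useful when Explorer is not available or when you want to pull a file out of a specific snapshot. The following is an added example, not code from the courseware: it lists the shadow copies of C: through WMI, exposes the newest one through a directory symbolic link to copy out an earlier version of the file used in the demonstrations, and reports how much space the snapshots are allowed, since the oldest copies are discarded silently when that limit is hit. The drive letter, the document path under the Administrator profile, the C:\Recovered folder and the function names are assumptions.

```powershell
# Added example: enumerate shadow copies, recover a file from the newest one,
# and report shadow storage limits. Assumptions: Windows 7, an elevated session,
# and the file path used in the demonstrations.
function Get-VolumeShadowCopies {
    param([string]$DriveLetter = 'C:')
    # Win32_ShadowCopy names volumes as \\?\Volume{GUID}\, so map the letter first.
    $volume = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$DriveLetter'").DeviceID
    Get-WmiObject Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $volume } |
        Sort-Object { $_.InstallDate }          # WMI datetime strings sort chronologically
}

function Restore-FileFromShadowCopy {
    param([object]$ShadowCopy, [string]$RelativePath, [string]$Destination)
    # DeviceObject is \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN. PowerShell
    # providers do not open that prefix directly, so expose the snapshot through a
    # directory symbolic link (the same trick forensic tools use), copy, then unlink.
    $link = Join-Path $env:TEMP ('shadow_' + $ShadowCopy.ID.Trim('{}'))
    cmd /c mklink /d "$link" "$($ShadowCopy.DeviceObject)\" | Out-Null
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "No copy of $RelativePath exists in this snapshot"
        }
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Copy-Item -LiteralPath $source -Destination $Destination -Force
    } finally {
        cmd /c rmdir "$link" | Out-Null              # removes the link, not the snapshot
    }
}

function Get-ShadowStorageUse {
    # When UsedSpace reaches MaxSpace the oldest snapshots are dropped, which
    # shortens how far back Previous Versions can reach without any warning.
    Get-WmiObject Win32_ShadowStorage | ForEach-Object {
        New-Object PSObject -Property @{
            Volume = $_.Volume
            UsedGB = [math]::Round($_.UsedSpace / 1GB, 2)
            MaxGB  = [math]::Round($_.MaxSpace / 1GB, 2)
        }
    }
}

$shadows = @(Get-VolumeShadowCopies -DriveLetter 'C:')
foreach ($s in $shadows) {
    '{0}  {1}' -f $s.ConvertToDateTime($s.InstallDate), $s.DeviceObject
}
if ($shadows.Count -gt 0) {
    Restore-FileFromShadowCopy -ShadowCopy $shadows[-1] `
        -RelativePath 'Users\Administrator\Documents\Important Document.txt' `
        -Destination 'C:\Recovered'
}
Get-ShadowStorageUse | Format-Table Volume, UsedGB, MaxGB -AutoSize
```

The caveat in the text above about shadow copies sharing a volume with the files they protect has a second edge: anything running as an administrator can discard them in one command (vssadmin delete shadows is a routine step for ransomware before it encrypts). Treat a process executing that command as a high-value alert, and never let previous versions stand in for a backup kept off the machine.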

Configuring System Protection Settings

With System Protection, you can keep copies of the system settings and earlier versions of files.
You access the System Protection tab in the System Properties window. This is opened from System in the System and Security category of Control Panel.
To configure protection for a drive, select it and click Configure on the System Protection tab. The following options are available:
• Restore system settings and previous versions of files: this option enables full System Restore functionality for the drive, including previous versions of files.
• Only restore previous versions of files: previous versions are kept, but you will be unable to use System Restore to undo unwanted system changes.
• Turn off system protection: this option deletes existing restore points on the disk, and new restore points are not created.

Disk Space Usage

You can adjust the maximum disk space that is used for system protection. As the space fills up, older restore points are deleted to make room for new restore points.

Create a Restore Point

To create a restore point, click Create on the System Protection tab and, when you are prompted, enter a description for the restore point. This will help you identify the restore point; the date and time are added automatically. The computer has now created a restore point.

Demonstration: Restoring a System

In this demonstration, you will see how to restore a system.
1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start and then click Documents.
3. Double-click Important Document, enter some new text, and then close Notepad.
4. Click Save and then close the Documents window.
5. Click Start, right-click Computer, and then click Properties.
6. In the System window, click System protection.
7. In the Protection settings area, click Local Disk (C:) (System) and then click Configure.
8. In the Restore Settings area, click Restore system settings and previous versions of files and then click OK.
9. In the Protection settings area, click Allfiles (E:) and then click Configure.
10. In the Restore settings area, click Restore system settings and previous versions of files and then click OK.
11. In the System Properties window, click Create. This is typically done automatically by the system before software installation is performed rather than manually.
12. In the System Protection window, type Restore Point 1 and then click Create.
13. When the creation of the restore point is finished, click Close.
14. In the System Properties window, click OK and then close the System window.
15. Click Start, and then click Documents.
16. Right-click Important Document and click Restore previous versions. This version of the file was created during the restore point creation.
17. Click Cancel and close the Documents window.
18. Click Start, point to All Programs, click Accessories, click System Tools, and then click System Restore.
19. In the Restore system files and settings window,
click Next.
20. Click Restore Point 1 and then Next.
21. On the Confirm your restore point page, click Finish.
22. Click Yes to continue. Be aware that this restores only system files, not data files.
23. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
24. Read the message in the System Restore window and click Close.

Question: When would the previous version of a file not be available?
Answer: Previous versions are stored on the same local hard disk as the file. If the local hard disk fails or becomes corrupted, the previous versions are lost with it, and you must restore the data from a backup.
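Everything the demonstration does in the System Protection tab and the System Restore wizard (steps 7 to 13 and 18 to 24) is also exposed through the System Restore cmdlets that ship in PowerShell 2.0 on Windows 7, which is how you would script it for a fleet or from a remote session. The following is an added example, not courseware code: it enables protection on the two lab drives, creates a restore point named as in the demonstration, prints the same columns the System Restore window shows, and leaves the rollback command ready but commented out because it restarts the computer. The drive letters and the function names are assumptions.

```powershell
# Added example: System Protection and restore points from the command line.
# Assumptions: Windows 7, an elevated session, drives C: and E: as in the lab.
$typeNames = @{ 0 = 'APPLICATION_INSTALL'; 1 = 'APPLICATION_UNINSTALL'
                10 = 'DEVICE_DRIVER_INSTALL'; 12 = 'MODIFY_SETTINGS'; 13 = 'CANCELLED_OPERATION' }

function Enable-LabSystemProtection {
    param([string[]]$Drives = @('C:\', 'E:\'))
    # Equivalent to choosing "Restore system settings and previous versions of
    # files" for each drive in the System Protection tab.
    Enable-ComputerRestore -Drive $Drives
}

function New-NamedRestorePoint {
    param([string]$Description = 'Restore Point 1')
    # MODIFY_SETTINGS is what a manually created point is tagged as; installers
    # tag theirs APPLICATION_INSTALL, so the origin of each point stays visible.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint |
        Where-Object { $_.Description -eq $Description } |
        Sort-Object SequenceNumber | Select-Object -Last 1
}

function Get-RestorePointTable {
    # Same information as the System Restore window: when, description, and type.
    Get-ComputerRestorePoint | ForEach-Object {
        New-Object PSObject -Property @{
            Sequence    = $_.SequenceNumber
            Created     = $_.ConvertToDateTime($_.CreationTime)
            Description = $_.Description
            Type        = $typeNames[[int]$_.RestorePointType]
        }
    }
}

Enable-LabSystemProtection
$point = New-NamedRestorePoint -Description 'Restore Point 1'
Get-RestorePointTable | Format-Table Sequence, Created, Description, Type -AutoSize

# Rolling back is one command. It restarts the computer, so it is commented out;
# after the restart, Get-ComputerRestorePoint -LastStatus reports the outcome
# that step 24 of the demonstration reads from the dialog box.
# Restore-Computer -RestorePoint $point.SequenceNumber -Confirm
```

Read the Type column before you roll back: a point tagged APPLICATION_INSTALL or DEVICE_DRIVER_INSTALL was taken immediately before that change, so restoring to it is exactly what undoes the change, while a MODIFY_SETTINGS point is only as meaningful as the description someone typed.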

Lesson 5
Configuring Windows Update

To keep computers that are running Windows operating systems stable and secure, you must update them regularly with the latest security updates and fixes. Windows Update enables you to download and install important and recommended updates automatically, instead of visiting the Windows Update Web site.
As a Windows 7 Technology Specialist, you must be aware of
the configuration options that Windows Update has
available and you should be able to guide users on how to
configure these options.

What Is Windows Update?

Windows® Update is a service that provides software updates that keep your computer up to date and more secure. You can configure Windows Update to download and install updates for you automatically, or you can decide to install updates manually.
Windows Update is an online catalog used to support computers that are running Windows 7. The catalog contains updates for Windows 7, Microsoft applications, critical updates for drivers, Help files, and Internet products. Windows Update scans the user's computer and provides a customized selection of updates that apply only to the software and hardware on that specific computer.
Updates are organized into categories such as critical updates and recommended updates.
Windows Update enables users to select updates for their computer's operating system and hardware. New content is added to the Windows Update Web site regularly. Therefore, users can always access the most recent updates and solutions.
Windows Update provides two types of updates:
• Important updates, including security updates and critical performance updates.
• Recommended updates that help fix or prevent problems.
Important updates can be downloaded and installed automatically or manually. Recommended updates are optional and have to be selected manually.

Microsoft Windows Server Update Services


Microsoft Windows Server Update Services (WSUS) enables administrators to manage and deploy updates across the organization more easily. WSUS works by downloading updates to an internal server, where an administrator can test and approve them before deploying the updates to the whole organization.
Question: How is the Automatic Updates feature useful?
Answer: It downloads and installs important updates without user intervention, which ensures that your computer always stays up to date.

Configuring Windows Update Settings

On the Windows Update page, you can see the important and optional updates that are available for your computer.
You should configure computers that are running Windows 7 to download and install updates automatically. This ensures that the computer has the most up-to-date and secure configuration possible.
You can turn on automatic updating during the initial Windows 7 setup, or you can configure it later.
Windows Update downloads your computer's updates in the background while you are online. If your Internet connection is interrupted before an update downloads fully, the download process resumes when the connection becomes available.
The Automatic Updates feature of Windows Update downloads and installs important updates, including security updates and critical performance updates. Recommended and optional updates have to be selected manually.
The time of installation depends on the configuration options that you select. Most updates install seamlessly, with the following exceptions:
• If an update requires a restart to complete installation, you can schedule it for a specific time.
• When a software update applies to a file that is being used, Windows 7 can save the application's data, close the application, update the file, and then restart the application. Windows 7 might prompt the user to accept Microsoft Software License Terms as the application restarts.
When you configure Windows Update, consider the following:
• Use the recommended settings to download and install updates automatically. The recommended settings download and install updates automatically at 3:00 A.M. daily (if the computer is turned off at that time, the installation is done the next time that the computer is turned on). By using the recommended settings, users do not have to search for critical updates or worry that critical fixes may be missing from their computers.
• Use Windows Server Update Services (WSUS) in a corporate environment.
• Use System Center Configuration Manager (SCCM) for larger environments (more than 100 systems) that require a more customized and schedulable patch delivery method.

Change Settings
From the Windows Update page, you also have access to Change settings. On the Change settings page, you choose one of the following settings:
• Install updates automatically (recommended)
• Download updates but let me choose whether to install them
• Check for updates but let me choose whether to download and install them
• Never check for updates (not recommended)
Install updates automatically is recommended, so that Windows installs important updates as they become available.
If you do not want updates to be downloaded or installed automatically, you can instead be notified when updates apply to your computer so that you can download and install them yourself. For example, if you have a slow Internet connection or do not want your work interrupted, you can have Windows check for updates but download and install them yourself.

View Update History


From this page, you can review your update history. In the Status column, you can make sure that all important updates were installed successfully.

Restore Hidden Updates Page

If you previously hid an update so that it was no longer offered, you can open this page to restore it and then install it.

Windows Update Group Policy Settings

Windows Group Policy is an administrative tool for managing user settings and computer settings over a network.
Three Group Policy settings control how Windows Update is presented to users:
• Do not display the Install Updates and Shut Down option in the Shut Down Windows dialog box.
• Do not adjust the default option to Install Updates and Shut Down in the Shut Down Windows dialog box.
• Remove access to use all Windows Update features.
The first policy setting lets you manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box.
If you enable this policy setting, Install Updates and Shut Down does not appear as a choice in the Shut Down Windows dialog box, even if updates are available for installation when the user selects the Shut Down option on the Start menu.
The second policy setting lets you manage whether the Install Updates and Shut Down option can be the default choice in the Shut Down Windows dialog box.
If you enable this policy setting, the user's last shutdown choice (Hibernate, Restart, and so on) is the default option in the Shut Down Windows dialog box, regardless of whether the Install Updates and Shut Down option is available in the What do you want the computer to do? list.
If you disable or do not configure this policy setting, the Install Updates and Shut Down option is the default option in the Shut Down Windows dialog box if updates are available for installation at the time that the user selects the Shut Down option on the Start menu.
The last setting lets you remove access to Windows Update. If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site. Windows automatic updating is also disabled, and the user is neither notified of nor receives critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver updates from the Windows Update Web site.
If the last setting is enabled, you can configure one of the following notification options:
• 0 = Do not show any notifications: this setting removes all access to Windows Update features and no notifications are shown.
• 1 = Show restart required notifications: this setting shows notifications about restarts that are required to complete an installation.

Note: This setting is sometimes used on critical systems that cannot be rebooted or changed without first being scheduled. If this setting is enabled, another method of patch delivery should be implemented to make sure these systems are kept up to date.
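The Change settings page, the Group Policy settings above and a WSUS pointer can disagree on a given computer, and the only way to know what is actually in force is to ask the machine. The following is an added example and not courseware code: it reads the effective Automatic Updates setting from the Windows Update Agent, dumps the registry values that the policies in this topic write (including the two shutdown-dialog policies and the user-level lockout with its 0/1 notification mode), and then asks the agent which important updates are still missing, which is the check you want before trusting the Note above on a system that has been deliberately cut off from Windows Update. It assumes Windows 7, an elevated session, reachability to Windows Update or the configured WSUS server for the search, and registry value names taken from the WindowsUpdate.admx template; the function names are mine.

```powershell
# Added example: audit Windows Update configuration and list missing updates.
# Assumptions: Windows 7, elevated session, network access for the search.
function Get-AutomaticUpdatesSetting {
    # The agent's own view of the "Important updates" choice on Change settings.
    $settings = (New-Object -ComObject 'Microsoft.Update.AutoUpdate').Settings
    $levels = @{
        1 = 'Never check for updates'
        2 = 'Check for updates but let me choose whether to download and install them'
        3 = 'Download updates but let me choose whether to install them'
        4 = 'Install updates automatically'
    }
    New-Object PSObject -Property @{
        Setting        = $levels[[int]$settings.NotificationLevel]
        ScheduledDay   = $settings.ScheduledInstallationDay    # 0 = every day, 1 = Sunday, ...
        ScheduledHour  = $settings.ScheduledInstallationTime   # 3 = the recommended 3:00 A.M.
        LockedByPolicy = $settings.ReadOnly                    # true when Group Policy owns it
    }
}

function Get-WindowsUpdatePolicy {
    # Registry values written by the policies discussed in this topic (names as in
    # WindowsUpdate.admx). A missing key means the policy is not configured.
    $machine = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $user    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'
    $result = @{}
    if (Test-Path $machine) {
        $result.WSUSServer = (Get-ItemProperty $machine).WUServer
    }
    if (Test-Path "$machine\AU") {
        $au = Get-ItemProperty "$machine\AU"
        $result.NoAutoUpdate                = $au.NoAutoUpdate
        $result.AUOptions                   = $au.AUOptions   # 2..4 = the GUI choices, 5 = let the local admin choose
        $result.UseWUServer                 = $au.UseWUServer
        $result.NoAUShutdownOption          = $au.NoAUShutdownOption            # first policy above
        $result.NoAUAsDefaultShutdownOption = $au.NoAUAsDefaultShutdownOption   # second policy above
    }
    if (Test-Path $user) {
        $u = Get-ItemProperty $user
        $result.DisableWindowsUpdateAccess     = $u.DisableWindowsUpdateAccess      # third policy above
        $result.DisableWindowsUpdateAccessMode = $u.DisableWindowsUpdateAccessMode  # its 0/1 notification option
    }
    New-Object PSObject -Property $result
}

function Get-MissingUpdates {
    # Ask the agent itself so the answer reflects WSUS approvals when one is set.
    # IsHidden=0 leaves out updates a user hid (see the Restore Hidden Updates page).
    $searcher = (New-Object -ComObject 'Microsoft.Update.Session').CreateUpdateSearcher()
    $found = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($u in $found.Updates) {
        # AutoSelectOnWebSites is the flag the Windows Update UI uses to pre-select
        # important updates; everything else is offered as optional.
        $class = 'Optional'
        if ($u.AutoSelectOnWebSites) { $class = 'Important' }
        New-Object PSObject -Property @{
            Class    = $class
            Severity = $u.MsrcSeverity     # Critical/Important/Moderate/Low, or blank
            Title    = $u.Title
        }
    }
}

Get-AutomaticUpdatesSetting | Format-List
Get-WindowsUpdatePolicy     | Format-List
Get-MissingUpdates | Sort-Object Class, Severity | Format-Table Class, Severity, Title -AutoSize
```

Two readings of the output matter. If LockedByPolicy is true but no policy values appear under the machine key, the user-level lockout or a local policy is in play and the Control Panel page is not telling the whole story. And a system with DisableWindowsUpdateAccess set to 1 and a non-empty missing-updates list is exactly the case the Note warns about: the patches have to arrive by some other route, and this query is how you prove whether they did.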

Question: What is the benefit of configuring Windows Update by using Group Policy rather than by using Control Panel?
Answer: Using Group Policy allows you to apply the configuration settings to multiple computers by performing a single action. It also prevents users from overriding the settings.

Module Review and Takeaways

Review Questions
1. You have problems with your computer's performance. How can you create a data collector set to analyze a performance problem?
2. You have received an e-mail from an unknown person, and suddenly you have a virus and must restore your computer.
a. What kind of system restore do you need to perform?
b. Will the computer restore to software you installed two days ago?
c. How long are restore points saved?
d. What if System Restore does not fix the problem?

Review Answers
1. You can create a Data Collector Set from counters in the Performance Monitor display, you can use a template, or you can create it manually.
2.
a. You need to perform a System Restore to return your system files and settings to a restore point created before you got the virus. Because System Restore leaves personal files untouched, it does not clean infected data files; scan the computer with up-to-date antimalware software after the restore.
b. Yes, a restore point is automatically created before a significant system event, such as a software installation.
c. Restore points are saved until the disk space that System Restore reserves is filled up. As new restore points are created, old ones are deleted.
d. If System Restore does not fix the problem, you can undo the system restore or try choosing a different restore point.

Tools

Tool | Use for | Where to find it
Performance Information and Tools | List information for speed and performance | Control Panel
Performance Monitor | Multiple graph views of performance | Administrative Tools
Resource Monitor | Monitor use and performance for CPU, disk, network, and memory | Advanced tools in Performance Information and Tools
Windows Experience Index | Measure the computer's key components | Performance Information and Tools
Monitoring Tools | Performance Monitor | Performance Monitor
Data Collector Set | Performance counters, event traces, and system configuration data | Performance Monitor
Windows Memory Diagnostic | Check your computer for memory problems | Administrative Tools
Fix a Network Problem | Troubleshoot network problems | Network and Sharing Center
Reliability Monitor | Review your computer's reliability and problem history | Action Center
Problem Reports and Solutions tool | Choose when to check for solutions to problem reports | Action Center
Startup Repair Tool | Scan the computer for startup problems | Windows 7 DVD
Backup and Restore Tool | Back up or restore user and system files | System and Security
Image Backup | A copy of the drives required for Windows to run | Backup and Restore
System Repair Disc | Used to boot the computer | Backup and Restore
System Restore | Restore the computer to an earlier point in time | Control Panel
Previous versions of files | Copies of files and folders that Windows automatically saves as part of a restore point | System Properties
Restore Point | A stored state of the computer's system files | System Properties
Disk Space Usage | Adjust the maximum disk space used for system protection | System Properties
Windows Update | Service that provides software updates | System and Security
Change Update Settings | Change settings for Windows Update | Windows Update
View update history | Review the computer's update history | Windows Update

Module 8
Configuring Mobile Computers and Remote
Access in Windows 7
Contents:
Lesson 1: Configuring Mobile Computer and Device Settings 8-4
Lesson 2: Configuring Remote Desktop and Remote Assistance for
Remote Access 8-26
Lesson 3: Configuring DirectAccess for Remote Access 8-35
Lesson 4: Configuring BranchCache for Remote Access 8-50
8-2 Installing and Configuring Windows 7

Module Overview

BETA COURSEWARE EXPIRES 11/15/2009


Mobile computers are available in many types and
configurations. This module helps you to identify and
configure the appropriate mobile computer for your needs.
It describes mobile devices, and how to synchronize them
with a computer running the Windows® 7 operating system.
Additionally, this module describes various power options
that you can configure in Windows 7.
Windows 7 helps end users to be productive, regardless of
where they are or where the data they need resides. With
Windows DirectAccess, mobile users can access corporate
resources when they are out of the office. IT
professionals can administer updates and patches remotely
to improve connectivity for remote users.
For those who want to use Virtual Private Networks (VPNs) to
connect to enterprise resources, the new features in the
Windows 7 environment and in Windows Server 2008 create a
seamless experience for the user. They do not need to log
on to the VPN again if they temporarily lose a connection.

Users in branch offices are more productive when they use
Windows BranchCache™ to cache frequently accessed files
and Web pages. This helps reduce latency and bandwidth
traffic.

Lesson 1
Configuring Mobile Computer and Device
Settings

This lesson defines common mobile computing terminology
and provides an overview of the related configuration
settings to modify in Windows 7. It also provides
guidelines for applying these configuration settings to
computers running Windows 7.

Discussion: Types of Mobile Computers and Devices

Computers play an important part in our daily lives, and
the ability to carry out computing tasks at any time and
in any place has become a necessity for many users. A
mobile computer is a device that you can continue to use
for work while away from your office.
As a Windows 7 Technology Specialist, you must be able to
answer users’ questions about mobile computers and assist
users and other IT support staff in choosing appropriate
mobile computers for their organization. There are
different types of mobile computer available:
• Laptops and notebook computers
• Tablet PCs
• Ultra-Mobile computers
• PDAs
• Windows Media Players
• Portable Media Players

Laptop and Notebook Computers
People often use the terms laptop and notebook
interchangeably. However, the term notebook computer
refers to a computer that is lighter or smaller than a
laptop. A laptop computer is a portable computer that
contains an integrated screen, a battery, a keyboard, and
a pointing device. A laptop computer may also contain a
CD-ROM or DVD-ROM drive. Many organizations are
implementing laptop computers instead of desktop computers
for their employees so that they can work from home.
Hardware manufacturers are responding to this demand by
producing laptops with equivalent or better specifications
than many desktop computers.

Tablet PCs
The Tablet PC is a fully functional laptop computer with a
sensitive screen designed to interact with a complementary
pen-shaped stylus. Tablet PC screens turn and fold onto
the keyboard and you can use the stylus directly on the
screen just as you use a mouse to select, drag, and open
files. You can use the stylus in place of a keyboard to
hand write notes and communications. Unlike a touch
screen, the Tablet PC screen only receives information
from the stylus. It will not take information from your
finger or your shirtsleeve. Therefore, you can rest your
wrist on the screen and write naturally.
The Tablet PC uses a digitizer device that interprets the
movements of the stylus and converts those into mouse or
cursor movements. Many organizations are replacing
traditional clipboards, jotters, and other forms of paper
and pen input with the several applications that are now
available for the Tablet PC. For example, the Writing
Tools option in Microsoft Office® OneNote® 2007 lets you
use any pointing device, such as a drawing pad stylus or a
Tablet PC pen, to add handwritten text or freehand
drawings to your notes.

Ultra-Mobile Computers
A typical Ultra-Mobile computer features a 7-inch diagonal
display or smaller, weighs around 2 pounds or 1 kilogram
(kg), has an integrated touch panel, and has both Wi-Fi
and Bluetooth enabled. An Ultra-Mobile computer is
approximately the size and shape of a paperback book.
Manufacturers build specialized components for Ultra-Mobile
computers, such as the ultra-low-voltage processors from
Intel, which help to optimize battery life and minimize
cooling requirements.
Recently, manufacturers have begun producing Ultra-Mobile
computers that are typically equipped with 1 gigabyte (GB)
of random access memory (RAM) and a solid-state hard disk
drive. These Ultra-Mobile computers are called netbooks,
and they offer significant improvements in power
consumption over more traditional laptops, in addition to
providing the necessary applications for the mobile user.

Mobile Devices
You must be able to assist users with connecting their
mobile devices to computers running Windows 7. A mobile
device is a computing device optimized for specific mobile
computing tasks. Mobile devices typically synchronize with
desktop or mobile computers to obtain data. The following
types of mobile devices are available.

Personal Digital Assistant (PDA)


A PDA is a handheld device that can range in functionality
from a simple personal organizer to a full-function mobile
computer. You usually use a stylus and touch screen to
input information in a PDA, although you can also use a
keyboard on some devices.

Windows Mobile Device


Windows Mobile devices are available as either Pocket PCs
or Smartphones. These devices feature the familiar Windows
user interface and applications that are part of the
Microsoft Windows 7 operating system and Microsoft Office.
Windows Mobile devices also include Windows Media® Player
and typically feature mobile phone, Bluetooth, and Wi-Fi
capability. You usually use a stylus and touch screen to
input information in a mobile device, although you can
also use a keyboard on some devices. The Windows Mobile
operating system supports voice commands.

Note: Bluetooth is a wireless communications protocol that uses shortwave radio
signals to replace cables and still allow compatible devices to communicate with each
other. Bluetooth uses a low-powered radio signal in the unlicensed 2.4 gigahertz (GHz)
to 2.485 GHz spectrum, also known as the Industrial, Scientific, and Medical (ISM)
band. Bluetooth employs a technology called Adaptive Frequency Hopping, which allows
compatible devices to switch frequencies within the ISM band up to 1,600 times a
second to maintain optimum connectivity.

Portable Media Player


A portable media player is a small, battery-powered device
containing either flash memory or a hard disk drive on
which you can play digital media files. Some of these
devices have a screen. The computer running Windows copies
the media to the device; you can use media stored on your
own CD and DVD collection or you can buy and download
media from numerous online media services.

Mobile Phone
A mobile phone, also known as a cellular phone, is a
portable telephone that uses a form of radio connectivity.
Many mobile phones now have some PDA and media player
functionality. You typically use a numerical keypad as the
input for this device.

Tools for Configuring Mobile Computer and Device Settings

While selecting a mobile computer operating system, you
should ensure that the mobile computer can adapt to a
variety of scenarios. Windows 7 provides you with the
opportunity to change configuration settings quickly and
easily based on specific requirements.
You can access and configure mobile computer settings by
using the new Mobile Computer category of configuration
settings in Control Panel. You can access various settings
such as Power Management, Windows Mobility Center, Sync
Center, and Presentation Settings.

Power Management
Windows 7 power management includes an updated, easy-to-
find battery meter that tells you at a glance how much
battery life is remaining and what the current power plan
is. With the battery meter, you can easily access and
change the power plan to meet your needs. For example, you
might want to conserve power by limiting the CPU or
8-10 Installing and Configuring Windows 7

determine when the hard drive is turned off to preserve


battery power.
By using power plans, you can adjust the performance and
power consumption of the computer.
To access Power Plans in Windows 7, Right-click the

BETA COURSEWARE EXPIRES 11/15/2009


Battery Icon in the Taskbar and select Power Options. You
can also choose the Battery Status in the Windows Mobility
Center.

Windows Mobility Center


In Windows 7, the key mobile-related system configuration
settings are all collected in the Windows Mobility Center.
By using the Windows Mobility Center, you can adapt a
mobile computer to meet different requirements as you
change locations, networks, and activities. Windows
Mobility Center includes settings for display brightness,
power plan, volume, wireless networking toggle, external
display, display orientation, and synchronization status.
Computer manufacturers can customize the Windows Mobility
Center to include other hardware-specific settings, such
as Bluetooth or auxiliary displays.
To access the Windows Mobility Center, choose Adjust your
computer’s settings in the Control Panel and then choose
Adjust commonly used mobility settings. Another way you
can access the Windows Mobility Center is from the Start
Menu under Accessories.

Sync Center
The Windows 7 Sync Center provides a single interface to
manage data synchronization in several scenarios: between
multiple computers, between corporate network servers and
computers, and with devices you connect to the computer,
such as a PDA, a mobile phone, and a music player.
Because different devices synchronize by using different
procedures depending on the data source, there is no easy
way to manage all of the individual sync relationships in
earlier versions of Windows. The Sync Center enables you
to initiate a manual synchronization, stop in-progress
synchronizations, see the status of current
synchronization activities, and receive notifications to
resolve sync conflicts.
A Sync Partnership is a set of rules that tells the Sync
Center how and when to synchronize files or other
information between two or more locations. A Sync
Partnership typically controls how files are synchronized
between your computer and mobile devices, network servers,
or compatible programs.
For example, you might create a Sync Partnership that
instructs the Sync Center to copy every new file in the My
Documents folder to a USB hard disk each time you plug the
device into the computer. You might create a more complex
Sync Partnership to keep a wide variety of files, folders,
and other information synchronized between the computer
and a network server.
To access the Sync Center, choose Sync Center from the
Windows Mobility Center screen or, from the Start Menu,
click Accessories and then click Sync Center.

Windows Mobile Device Center


Windows Mobile Device Center is the new name for
ActiveSync® in Windows 7. ActiveSync is a data
synchronization program that Microsoft developed for use
with Windows XP and mobile devices. ActiveSync provides
users of Microsoft Windows a way to transport documents,
calendars, contact lists, and e-mail between their desktop
computer and a mobile device, such as a Handheld PC,
mobile phone, or any other portable device that supports
the ActiveSync protocol.
Windows Mobile Device Center provides overall device
management features for Windows Mobile-based devices in
Windows 7, including Smartphones and Pocket PCs.
To access the Windows Mobile Device Center, go to the
Control Panel.

Presentation Settings
Mobile users often have to reconfigure their computer
settings for meeting or conference presentations, such as
changing the screen saver timeouts or desktop wallpaper.
To improve the end-user experience and avoid this
inconvenience, Windows 7 includes a group of presentation
settings that you can apply when connecting to a display
device.
To access the Presentation Settings, choose Presentation
Settings in the Windows Mobility Center in Control Panel.
When you finish the presentation, return to the previous
settings by clicking the notification area icon.

Question: Aside from USB, how can you establish a
connection for synchronizing a Windows Mobile device?

Answer: You can establish a connection for synchronizing a
Windows Mobile Device with Serial, Bluetooth, Wireless and
Infrared connections.

What are Mobile Device Sync Partnerships?

You might need to assist users in establishing mobile
device Sync Partnerships. A mobile device Sync Partnership
updates information about the mobile device and the host
computer. It typically synchronizes calendar information,
clocks, and e-mail messages, as well as Microsoft Office
documents and media files on supported devices. You can
create mobile device Sync Partnerships with PDAs, mobile
phones, Windows Mobile devices, and portable media
players.

Creating a Mobile Device Sync Partnership


Creating a Sync Partnership with a portable media player
is straightforward. The following steps describe how to
connect a portable media player to a computer running
Windows 7, create a Sync Partnership, and synchronize
media to the device.
1. Connect the device to a computer running Windows 7 and
open Sync Center. Windows 7 includes drivers for many
common devices, but you can also obtain drivers from
the CD that came with the device or from Windows
Update™.
2. Set up a Sync Partnership by clicking Set up for a
media device Sync Partnership. This opens Windows Media
Player version 11.
3. Select some media files or a playlist to synchronize to
the device. To select media, simply drag it onto the
sync dialog box on the right side of Windows Media
Player.
4. Click Start Sync. When your chosen media has
transferred to the device, disconnect the device from
the computer and close Windows Media Player.

Using Windows Mobile Device Center


Windows Mobile Device Center is the new name for
ActiveSync® in Windows 7. It provides overall device
management features for Windows Mobile-based devices in
Windows 7, including Smartphones and Pocket PCs. All of
the features previously available in ActiveSync are
available in Windows 7, including synchronization and
partnership setup.
The default options of Windows Mobile Device Center
include only core device connectivity components. These
components enable the operating system to identify that a
Windows Mobile-based device is connected and then load the
appropriate device drivers and services. The Windows
Mobile Device Center base application enables some basic
functionality, including the ability to browse the
contents of the device, use desktop pass-through to
synchronize with Microsoft Exchange Server, and change
some general computer and connection settings. You can
download all Windows Mobile Device Center’s features from
the Microsoft Download Web site.



Demonstration: Creating a Sync Partnership

Key Points
This demonstration shows how to configure the Windows
Mobile Device Center, and how to synchronize a Windows
Mobile device.
Start the LON-DC1 and the LON-CL1 virtual machines. Leave
them running throughout the duration of the module.

Create Some Appointments and Contacts in Outlook


1. Log on to LON-CL1 as Contoso\Amy with the password
Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft
Office, and then click Microsoft Office Outlook 2007.
3. In the Outlook 2007 Startup wizard, click Next.
4. On the E-mail accounts page, click No, and then click
Next.
5. On the Create Data File page, select the Continue with
no e-mail support check box, and then click Finish.
6. In the User Name dialog box, click OK.
7. If prompted, in the Welcome to the 2007 Microsoft
Office System, click Next, click I don’t want to use
Microsoft Update, and then click Finish.
8. If prompted, in the Microsoft Office Outlook dialog
box, click No.
9. In Outlook, on the left, click Calendar.
10. In the results pane, click the Month tab, and then
double-click tomorrow.
11. In the Untitled – Event dialog box, in the Subject
field, type “Quarterly meeting”.
12. In the Location field, type “Meeting room 1”, and
then click Save & Close.
13. If prompted with a reminder for the appointment,
click Dismiss.
14. In Outlook, on the left, click Contacts.
15. On the menu, click New.
16. In the Untitled – Contact dialog field, in the Full
Name field, type “Amy Rusko”.
17. In the Job title box, type “Production Manager”, and
then click Save & Close.
18. Close Outlook.

Configure Windows Mobile Device Center


1. Click Start, point to All Programs, and then click
Windows Mobile Device Center.
2. In the Windows Mobile Device Center dialog box, click
Accept.
3. In the Windows Mobile Device Center dialog box, click
Mobile Device Settings, and then click Connection
settings.
4. In the Connection Settings dialog box, in the Allow
connections to one of the following list, click DMA,
and then click OK.
5. In the User Account Control dialog box, in the User
name box, type administrator.
6. In the Password box, type Pa$$w0rd, and then click Yes.
7. Close Windows Mobile Device Center.
Connect the Windows Mobile Device
1. Click Start, point to All Programs, click Windows
Mobile 6 SDK, click Standalone Emulator Images, click
US English, and then click WM 6.1.4 Professional.
2. Wait until the emulator has completed startup.
3. Click Start, point to All Programs, click Windows
Mobile 6 SDK, click Tools, and then click Device
Emulator Manager.
4. In the Device Emulator Manager dialog box, click the
play symbol.
5. From the menu, click Actions, and then click Cradle.
6. Close Device Emulator Manager.

Synchronize the Windows Mobile Device


1. In the Windows Mobile Member Center dialog box, click
Don’t Register.
2. In Windows Mobile Device Center, click Set up your
device.
3. In the Set up Windows Mobile Partnership wizard, on the
What kinds of items do you want to sync? page, click
Next.
4. On the Ready to set up the Windows Mobile partnership
page, click Set Up.
5. After synchronization is complete, close Windows Mobile
Device Center.

Verify that data has been synchronized

1. On the Windows Mobile Device, click Start, and then
click Calendar.
2. Click tomorrow’s date. Is the Quarterly Meeting
showing?
3. Click Start, and then click Contacts. Are there
contacts listed?
4. Close all open Windows. Do not save changes.

Power Plans and Power Saving Options in Windows 7

Maintaining optimum system performance while conserving
battery life on a mobile computer has always been a
requirement of mobile users. To advise users on how to
conserve battery life without impacting system
performance, as a Windows 7 Technology Specialist, you
must be familiar with the various factors that affect
power consumption and with the power plans and power
saving options available in Windows 7.
By using Windows 7 power options, you can conserve a
mobile computer’s battery. The user can change various
performance options, such as:

• CPU speed
• Display brightness
By using the CPU speed option, you can lower the speed of
the computer processor, which reduces its power
consumption. Screen brightness requires power; lowering
the brightness reduces power usage.

Power Plans
In Windows 7, Power Plans help you maximize computer and
battery performance. By using power plans, with a single
click, you can change a variety of system settings to
optimize power or battery usage, depending on the
scenario. There are three default power plans:
• Power saver: This plan saves power on a mobile
computer by reducing system performance. Its primary
purpose is to maximize battery life.
• High performance: This plan provides the highest
level of performance on a mobile computer by
adapting processor speed to your work or activity
and by maximizing system performance.
• Balanced: This plan balances energy consumption and
system performance by adapting the computer’s
processor speed to your activity.
The balanced plan provides the best balance between power
and performance. The power saver plan reduces power usage
by lowering the performance. The high performance plan
consumes more power by increasing system performance. Each
plan provides alternate settings for AC or DC power.
You can customize or create additional power plans by
using Power Options in Control Panel. Some hardware
manufacturers supply additional power plans and power
options. When you create additional power plans, be aware
that the more power the computer consumes, the less time
it runs on a single battery charge. By using Power Options
you can configure settings such as Choose what closing the
lid does.
In addition to considering power usage and performance, as
a Windows 7 Technology Specialist, you must also consider
the following three options for turning a computer on and
off:
• Shut down
• Hibernate
• Sleep

Shut Down
When you shut down the computer, Windows 7 does the
following:
• Saves all open files to the hard disk
• Saves the memory contents to the hard disk or
discards them as appropriate
• Clears the page file
• Closes all open applications
Windows 7 then logs out the active user, and turns off the
computer.

Hibernate
When you put the computer in hibernate mode, Windows 7
saves the system state, along with the system memory
contents to a file on the hard disk, and then shuts down
the computer. No power is required to maintain this state
because the data is stored on the hard disk.
Windows 7 supports hibernation at the operating system
level without any additional drivers from the hardware
manufacturer. The hibernation data is stored in a hidden
system file called Hiberfil.sys. This file is the same
size as the physical memory contained in the computer and
is normally located in the root of the system drive.

Sleep
Sleep is a power-saving state that saves work and open
programs to memory. This provides very fast resume
capability, typically within several seconds. Sleep does
consume a small amount of power to maintain.
Windows 7 automatically goes into Sleep mode when you
click the Shut Down button on the Start menu. If the
battery power of the computer is low, Windows 7 puts the
computer in hibernate mode.
Alternatively, you can enable hybrid sleep. With hybrid
sleep, data is saved to the hard disk and to memory. If a
power failure occurs on a computer when it is in a hybrid
sleep state, data is not lost. Hybrid sleep can be used as
an alternative to hibernation. Hybrid sleep uses the same
Hiberfil.sys hidden system file as hibernation.

Demonstration: Configuring Power Plans

This demonstration shows you how to configure a power
plan.

Create a power plan for Amy’s laptop


1. On LON-CL1, click Start, and then click Control Panel.
2. Click System and Security, click Power Options, and
then on the left click Create a power plan.
3. On the Create a power plan page, click Power saver.
4. In the Plan name box, type “Amy’s plan”, and then click
Next.
5. On the Change settings for the plan: Amy’s plan page,
in the Turn off the display box, click 5 minutes, and
then click Create.

Configure Amy’s power plan

1. In Power Options, under Amy’s plan, click Change plan
settings.
2. On the Change settings for the plan: Amy’s plan page,
click Change advanced power settings.
3. Configure the following properties for the plan, and
then click OK.
• Turn off hard disk after: 10 minutes
• Wireless Adapter Settings, Power Saving Mode:
Maximum Power Saving
• Power buttons and lid, Power button action: Shut
down
4. On the Change settings for the plan: Amy’s plan page,
click Cancel.
5. Close Power Options.
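The same plan built from an elevated PowerShell prompt, as an added example that is not part of the courseware. It uses powercfg.exe, which ships with Windows 7; the plan name and the display, hard disk and power button values come from the demonstration above, and the Power saver GUID and the SUB_VIDEO/VIDEOIDLE, SUB_DISK/DISKIDLE and SUB_BUTTONS/PBUTTONACTION aliases are the built-in ones that "powercfg -aliases" lists. The final check looks for the Hiberfil.sys file that the Hibernate topic describes.

```powershell
# Added example, not from the courseware: build "Amy's plan" from the command
# line. Assumes Windows 7, an elevated PowerShell prompt and the powercfg.exe
# that ships with Windows 7.

# GUID of the built-in "Power saver" plan (the template the demonstration uses).
$powerSaver = 'a1841308-3541-4fab-bc81-f71556f20b4a'

# powercfg -duplicatescheme prints "Power Scheme GUID: <new guid>  (Power saver)";
# pull the new GUID out of that line.
$dupOutput = (& powercfg.exe -duplicatescheme $powerSaver) -join ' '
$newGuid = [regex]::Match($dupOutput, '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}').Value
if (-not $newGuid) { throw "Could not duplicate the Power saver plan: $dupOutput" }

# Name the copy and make it the active plan (the wizard's Create button does both).
& powercfg.exe -changename $newGuid "Amy's plan"
& powercfg.exe -setactive $newGuid

# Timeouts are in seconds. SUB_VIDEO/VIDEOIDLE is "Turn off the display",
# SUB_DISK/DISKIDLE is "Turn off hard disk after", SUB_BUTTONS/PBUTTONACTION is
# "Power button action" (3 = Shut down). -setdcvalueindex is the "On battery"
# column and -setacvalueindex the "Plugged in" column.
foreach ($power in 'dc', 'ac') {
    & powercfg.exe "-set${power}valueindex" $newGuid SUB_VIDEO   VIDEOIDLE     300   # 5 minutes
    & powercfg.exe "-set${power}valueindex" $newGuid SUB_DISK    DISKIDLE      600   # 10 minutes
    & powercfg.exe "-set${power}valueindex" $newGuid SUB_BUTTONS PBUTTONACTION 3     # Shut down
}

# List the plans (the active one is marked *) and show the display settings
# of the new plan so the values can be verified.
& powercfg.exe -list
& powercfg.exe -query $newGuid SUB_VIDEO

# Hibernate topic: Hiberfil.sys sits in the root of the system drive and is
# about the size of physical memory. It is hidden, so Get-Item needs -Force.
$hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
if (Test-Path $hiberfil) {
    $bytes = (Get-Item $hiberfil -Force).Length
    'hiberfil.sys present: {0:N0} MB' -f ($bytes / 1MB)
} else {
    'hiberfil.sys absent: hibernation is disabled on this computer (powercfg -h on re-enables it)'
}
```

The Wireless Adapter Settings value from the demonstration has no powercfg alias and is left to Power Options; on a desktop (or the lab virtual machine) the wireless and lid settings do not exist, as the question below notes.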

Question: Why are options such as what to do when I shut
the power lid not configurable in the Wireless Adapter
Settings, Power Saving Mode?

Answer: This virtual machine emulates a desktop computer,
and those options are unavailable on desktop computers.

Lesson 2
Configuring Remote Desktop and Remote
Assistance for Remote Access

BETA COURSEWARE EXPIRES 11/15/2009


Many organizations use remote management and
troubleshooting to lessen the time that troubleshooting
takes, and to reduce travel costs for support staff.
Remote troubleshooting allows support staff to operate
effectively from a central location.

What Are Remote Desktop and Remote Assistance?

The Windows 7 operating system supports remote
troubleshooting capabilities, such as Remote Desktop,
Remote Assistance, and other remote administrative tools.
Remote Desktop uses the Remote Desktop Protocol (RDP) to
allow users to access files on their office computer from
another computer, such as one located at their home.
Additionally, Remote Desktop allows administrators to
connect to multiple Windows Server sessions for remote
administration purposes.
While a Remote Desktop session is active, Remote Desktop
locks the target computer, prohibiting interactive logons
for the session’s duration.

Note: Remote Desktop is not available in Windows 7 Home editions.

Remote Assistance
Remote Assistance allows a user to request help from a
remote administrator. To access Remote Assistance, run the
Windows Remote Assistance tool. Using this tool, you can
do the following actions:
• Invite someone who is trustworthy to help you
• Offer to help someone
• View the remote user’s desktop
• Chat with the remote user by using text chat
• Send a file to the remote computer
• If permissions allow, request to take remote control
of the remote desktop
Users can send remote assistance invitations by using e-
mail or saving a request to a file that the remote
administrator can then read and take action upon.

Windows Firewall
By default, Windows Firewall prevents remote
troubleshooting tools from connecting to the local
computer. However, Windows Firewall allows remote access
and Remote Assistance traffic to traverse the firewall by
default.
To enable support for other applications, complete the
following steps:
1. Open Windows Firewall from Control Panel.
2. Click Allow a program or feature through the Windows
Firewall and select the program or feature for which
you want to enable an exception.
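A read-only check of the settings behind the Remote Assistance description and the firewall exception above, as an added example that is not part of the courseware. It reads the Remote Assistance registry values (fAllowToGetHelp, fAllowFullControl, MaxTicketExpiry and MaxTicketExpiryUnits) and parses "netsh advfirewall firewall show rule" to list the rules in the Remote Assistance group. It assumes Windows 7 with PowerShell 2.0 and English netsh output, which the parser matches on; the unit codes for MaxTicketExpiryUnits (0 = minutes, 1 = hours, 2 = days) are an assumption taken from the Solicited Remote Assistance policy setting.

```powershell
# Added example, not from the courseware: report how Remote Assistance is
# configured on this computer and which Windows Firewall rules admit it.
# Read-only; assumes Windows 7 (PowerShell 2.0, netsh advfirewall) and
# English netsh output.

$raKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Remote Assistance'
$ra = Get-ItemProperty -Path $raKey

# fAllowToGetHelp = 1: users may send invitations ("Allow Remote Assistance
# connections to this computer" on the Remote tab).
# fAllowFullControl = 1: a helper may request control rather than only view.
# MaxTicketExpiry / MaxTicketExpiryUnits bound how long a saved invitation,
# such as an .msrcincident file, stays usable (unit codes assumed:
# 0 = minutes, 1 = hours, 2 = days).
$settings = New-Object PSObject -Property @{
    InvitationsAllowed = ($ra.fAllowToGetHelp -eq 1)
    FullControlAllowed = ($ra.fAllowFullControl -eq 1)
    InvitationLifetime = '{0} (units code {1})' -f $ra.MaxTicketExpiry, $ra.MaxTicketExpiryUnits
}
$settings | Format-List

# Turn the text that "netsh advfirewall firewall show rule" prints into one
# object per inbound rule, keeping the fields worth reviewing.
function Get-InboundFirewallRules {
    $rules = @()
    $current = $null
    foreach ($line in (& netsh.exe advfirewall firewall show rule name=all dir=in)) {
        if ($line -match '^Rule Name:\s*(.+)$') {
            if ($current -ne $null) { $rules += New-Object PSObject -Property $current }
            $current = @{ Name = $matches[1].Trim() }
        } elseif (($current -ne $null) -and ($line -match '^(Enabled|Profiles|Grouping|Action|LocalPort):\s*(.+)$')) {
            $current[$matches[1]] = $matches[2].Trim()
        }
    }
    if ($current -ne $null) { $rules += New-Object PSObject -Property $current }
    $rules
}

# The exception the lesson refers to is the "Remote Assistance" rule group;
# Enabled and Profiles show where it is currently open.
Get-InboundFirewallRules |
    Where-Object { $_.Grouping -eq 'Remote Assistance' } |
    Select-Object Name, Enabled, Profiles, Action, LocalPort |
    Format-Table -AutoSize
```

Running this before and after a user enables or disables Remote Assistance on the Remote tab shows exactly which values the dialog changes, which is useful when reviewing a computer that somebody else configured.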

Configuring Remote Desktop

To access a remote computer from a source computer by
using the Remote Desktop feature, you need to configure
certain Remote Desktop settings on both computers.
On the remote computer, perform the following steps to
enable remote access to the computer:
1. In Control Panel, click System and Security, click
System, and then click Remote Settings.
2. On the Remote tab of the System Properties dialog
box, select one of the following options:
• Don’t allow connections to this computer
• Allow connections from computers running any
version of Remote Desktop. This is a less secure
option.
• Allow connections only from computers running
Remote Desktop with Network Level Authentication.
This is a more secure option.
3. Click Select Users. If you are prompted for an
administrator password or confirmation, type the
password or provide confirmation.
4. If you are an administrator on the computer, your
current user account will automatically be added to
the list of remote users and you can skip the next
two steps.
5. In the Remote Desktop Users dialog box, click Add.
6. In the Select Users or Groups dialog box, do the
following:
A. To specify the location to search for the remote
user, click Locations, and then select the
location you want to search.
B. In Enter the object names to select, type the
name of the user that you want to add as a remote
user, and then click OK.

On the source computer, perform the following steps to
access the remote computer:
1. Start Remote Desktop.
2. Before connecting, enter the logon credentials on
the General tab and make desired changes to the
options in the Display, Local Resources, Programs,
Experience, and Advanced tabs.
• Display - Choose the Remote desktop display
size. You have the option of running the
remote desktop in full screen mode.
• Local Resources - Configure local resources
for use by the remote computer such as
clipboard and printer access.
• Programs - Specify which programs you want to
start when you connect to the remote computer.
• Experience - Choose connection speeds as well
as other visual options.
• Advanced - Configure security-related connection
options.
3. Save these settings for future connections by
clicking Save on the General tab.
4. Then click Connect to connect to the remote
computer.
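The remote-computer side of the procedure above, done from an elevated PowerShell prompt, as an added example that is not part of the courseware. It selects the lesson's "more secure" option (connections only with Network Level Authentication) by writing the fDenyTSConnections and UserAuthentication registry values that the Remote tab controls, adds the user from steps 5 and 6 to the local Remote Desktop Users group, enables the built-in Remote Desktop firewall rule group, and then reports the resulting state. It assumes Windows 7 with PowerShell 2.0; CONTOSO\Amy is the account the demonstrations use and is a placeholder for your own.

```powershell
# Added example, not from the courseware: enable Remote Desktop with Network
# Level Authentication required, add a remote user, open the firewall group
# and report the result. Assumes Windows 7 and an elevated PowerShell prompt.

$remoteUser = 'CONTOSO\Amy'   # account from the demonstrations; change as needed

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# fDenyTSConnections: 1 = "Don't allow connections to this computer",
# 0 = either of the two "Allow connections" options on the Remote tab.
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord

# UserAuthentication: 1 = "Allow connections only from computers running
# Remote Desktop with Network Level Authentication", so the client proves who
# it is before a session is created; 0 = "any version of Remote Desktop",
# which shows the logon screen to clients that have not authenticated.
Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord

# Steps 5 and 6 of the lesson: membership in the local Remote Desktop Users
# group is what grants a non-administrator the right to log on remotely.
& net.exe localgroup "Remote Desktop Users" $remoteUser /add

# The built-in Windows Firewall rule group for Remote Desktop.
& netsh.exe advfirewall firewall set rule group="remote desktop" new enable=yes

# Report what is now in effect so the change can be verified, or audited
# later on a computer that somebody else configured.
function Get-RemoteDesktopState {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    # Drop the header and trailer lines of "net localgroup", keep member names.
    $members = & net.exe localgroup "Remote Desktop Users" |
        Where-Object { $_ -and ($_ -notmatch '^(Alias name|Comment|Members|-{5,}|The command)') }
    New-Object PSObject -Property @{
        RemoteDesktopEnabled = ($ts.fDenyTSConnections -eq 0)
        NlaRequired          = ($rdp.UserAuthentication -eq 1)
        ListeningPort        = $rdp.PortNumber
        RemoteDesktopUsers   = ($members -join ', ')
    }
}

Get-RemoteDesktopState | Format-List
```

Get-RemoteDesktopState on its own is the check to run when reviewing a computer: RemoteDesktopEnabled true with NlaRequired false is the "less secure option" from step 2, and the member list shows who can connect besides local administrators.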

Demonstration: Configuring Remote Assistance

This demonstration shows how to enable and use Remote
Assistance. Amy needs help with a Microsoft Office Word®
feature. She requests assistance, and you provide guidance
on the feature by using Remote Assistance.

Create a Microsoft Office Word 2007 Document

1. If necessary, log on to the LON-CL1 virtual machine as Contoso\Amy with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.
3. In the Document window, type “This is my document”, and then click the Office button.
4. Click Save, and then click Save again.

Request Remote Assistance

1. Click Start, and in the Search box, type “remote assistance”.
2. In the Programs list, click Windows Remote Assistance.
3. In the Windows Remote Assistance wizard, click Invite someone you trust to help you.
4. On the How do you want to invite someone to help you page, click Save this invitation as a file.
5. On the Save as page, in the File name box, type “\\LON-dc1\users\Public\Amy’s-Invitation.msrcincident”, and then click Save.
6. Note the password.

Provide Remote Assistance

1. Switch to the 6292A-LON-DC1 virtual machine and log on as Administrator with the password of Pa$$w0rd.
2. Open Windows Explorer, navigate to C:\Users\Public, and double-click Amy’s-Invitation.msrcincident.
3. In the Remote Assistance dialog box, in the Enter password box, type the password you noted in the previous task, and then click OK.
4. Switch to the LON-CL1 virtual machine.
5. In the Windows Remote Assistance dialog box, click Yes.
6. Switch to the LON-DC1 virtual machine.
7. On the menu, click Request control.
8. Switch to the LON-CL1 virtual machine.
9. In the Windows Remote Assistance dialog box, click Yes.
10. Switch to the LON-DC1 virtual machine.
11. In Word, click the Review menu, and select the text in the document window.
12. In the menu, click New Comment, and then type “This is how you place a comment in a document”.
13. Click the cursor elsewhere in the document window.
14. In the Windows Remote Assistance – Helping Amy menu, click Chat.
15. In the Chat window, type “Does that help?”, and then press ENTER.
16. Switch to the LON-CL1 virtual machine.
17. Observe the message.
18. Type “Yes, thanks”, press ENTER, and then in the menu, click Stop sharing.
19. Close all open windows.
20. Discard the file changes and then log off of LON-CL1.
21. Switch to the LON-DC1 virtual machine.
22. Close all open windows and then log off of LON-DC1.

Question: Under what circumstances would one use Remote Desktop Connection or Remote Assistance?

Answer: Use Remote Desktop to access one computer from another remotely. For example, you can use Remote Desktop to connect to your work computer from home. You will have access to all of your programs, files, and network resources, as if you were sitting at your work computer. Use Remote Assistance to give or receive assistance remotely. For example, a friend or a technical support person can remotely access your computer to help you with a computer problem or show you how to do something. You can help someone else the same way. In either case, both you and the other person see the same computer screen and will both be able to control the mouse pointer.
Lesson 3
Configuring DirectAccess for Remote Access

Advances in mobile computers and wireless broadband have helped enable users to be more productive while away from the office. Users are becoming more mobile, and IT professionals must provide an infrastructure to allow them to remain productive.

The changing structure of business puts more pressure on IT professionals to provide a high-performance and secure infrastructure for connecting remote users, while managing remote users and minimizing costs.

VPN connections use the connectivity of the Internet plus a combination of tunneling and data encryption technologies to connect remote clients and remote offices. VPN Reconnect enhances the connectivity experience for those who rely on VPN connections.

DirectAccess, a new feature in Windows 7 and Windows Server 2008 R2, provides remote users with seamless access to internal network resources whenever they are connected to the Internet.

What is a VPN Connection?

Virtual Private Networks (VPNs) are point-to-point connections across a private or public network such as the Internet. A VPN client uses special TCP/IP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server (RAS) over the Internet. The RAS answers the call and passes the credentials of the client to the domain controller for authentication. If authentication is successful, the RAS manages the data transfer between the VPN client and the private network of the organization.

Authentication
There are three types of VPN connection authentication:
• User authentication
• Computer authentication
• Data authentication and integrity

With user authentication, the VPN server authenticates the connecting VPN client and verifies that the client has the appropriate permissions. If mutual authentication is used, the VPN client also authenticates the VPN server. This provides protection against masquerading VPN servers. The user is authenticated using Point-to-Point Protocol (PPP) user authentication methods such as the following:
• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
• Challenge-Handshake Authentication Protocol (CHAP)
• Microsoft® Challenge-Handshake Authentication Protocol version 2 (MS-CHAP v2)
• Password Authentication Protocol (PAP)

When using computer authentication with Layer Two Tunneling Protocol/Internet Protocol security (L2TP/IPsec), L2TP/IPsec connections use IPsec to verify that the remote access client computer is trusted. Windows 7 uses either certificates or a pre-shared key to authenticate the computer connection. An incorrectly configured Certificate Services infrastructure or an incorrectly specified pre-shared key causes the VPN connection to fail.

Data authentication and integrity verifies that the data being sent on an L2TP/IPsec VPN connection originated at the other end of the connection, and was not modified in transit. L2TP/IPsec packets include a cryptographic checksum based on an encryption key known only to the sender and the receiver.

Tunneling Protocols
VPN connections use either the Point-to-Point Tunneling Protocol (PPTP) or L2TP/IPsec over an intermediate network, such as the Internet.

Tunneling is a method of using a network infrastructure to transfer data for one network over another network. The data (or payload) to be transferred can be the frames (or packets) of another protocol. Instead of sending a frame as it is produced by the originating node, the tunneling protocol encapsulates the frame in an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate network.

Tunneling protocols establish endpoints through which data can be transferred securely. To emulate a private link, the data being sent is encrypted for confidentiality. Packets that are intercepted on the public network are indecipherable without the encryption keys. The authentication and encryption protocols used in both PPTP and L2TP VPN connections are strengthened in Windows 7.

PPTP
PPTP allows multiple types of protocol traffic to be encrypted and then encapsulated in an IP header that is sent across an IP network such as the Internet. PPTP encapsulates PPP frames in IP datagrams for transmission over the network. PPTP uses PPP authentication methods to authenticate the VPN session.

PPTP uses a TCP connection for tunnel management, and a modified version of Generic Routing Encapsulation (GRE) to encapsulate PPP frames for tunneled data. The encapsulated PPP frame payloads can be encrypted, compressed, or both. For VPN connections, the Routing and Remote Access service uses Microsoft Point-to-Point Encryption (MPPE) with PPTP.

The following figure shows the structure of a PPTP packet containing an IP datagram.
L2TP
L2TP encapsulates PPP frames to be sent over IP, X.25 packet-switching protocol, frame relay, or asynchronous transfer mode (ATM) networks. When configured to use IP as its datagram transport, you can use L2TP as a tunneling protocol over the Internet. L2TP uses PPP authentication.

In the Microsoft L2TP implementation, IPsec encapsulating security payload (ESP) in transport mode encrypts L2TP traffic. Windows 7 includes support for more secure encryption algorithms with support for the Advanced Encryption Standard (AES) using 128-bit, 192-bit, and 256-bit keys. Support for the weaker Data Encryption Standard (DES) algorithm with Message-Digest algorithm 5 (MD5) for L2TP/IPsec is not included. If your VPN server is set to use the DES encryption method, Windows 7 is not able to successfully connect.

The result after applying ESP to an IP packet containing an L2TP message is shown in the following figure.
Creating a VPN Connection

Creation of a VPN connection in the Windows 7 environment requires Windows Server 2008. The steps for creating the VPN connection from a Windows 7 computer are as follows:
1. From Control Panel, select Network and Internet to access the Network and Sharing Center.
2. From the Network and Sharing Center, choose Set up a new connection or network.
3. In the Set Up a Connection or Network wizard, choose Connect to a workplace.
4. On the Connect to a Workplace page, answer the question “Do you want to use a connection that you already have?” Choose to create a new connection or choose an existing connection.
5. On the next page, choose Use my Internet connection (VPN).
6. On the next page, choose your VPN connection, or specify the Internet Address for the VPN server and a Destination Name. You can also specify the options Use a smart card for authentication, Allow other people to use this connection, and Don’t connect now; just set up so I can connect later.
What is DirectAccess?

DirectAccess provides users transparent access to internal network resources whenever they are connected to the Internet. Traditionally, users connect to internal network resources with a VPN connection. Using a VPN connection can be time consuming because connecting takes several steps and the user needs to wait for authentication. For organizations that check the health of a computer before allowing the connection, establishing a VPN connection can take several minutes.

Avoiding VPN and using technologies that provide access to limited internal resources offers a partial solution. For example, with Microsoft Office Outlook® Web Access (OWA), users retrieve internal e-mail without establishing a VPN connection. However, when they try to open a document on the internal network (often linked from an e-mail), they are denied access because the internal resources are inaccessible behind the firewall.

With DirectAccess, authorized users on Windows 7 computers can access corporate shares, view intranet Web sites, and work with intranet applications without going through a VPN. DirectAccess benefits IT professionals by enabling them to manage remote computers outside of the office. Each time a remote computer connects to the Internet, before the user logs on, DirectAccess establishes a bi-directional connection that enables the client computer to remain current with company policies and to receive software updates.

Additional security and performance features of DirectAccess include the following:
• Support of multifactor authentication methods, such as smart card authentication.
• IPv6 to provide globally routable IP addresses for remote access clients.
• Encryption across the Internet using IPsec. Encryption methods include DES, which uses a 56-bit key, and 3DES, which uses three 56-bit keys.
• Integrates with Network Access Protection (NAP) to perform compliance checking on client computers before allowing them to connect to internal resources.
• Configures the DirectAccess server to restrict which servers, users, and individual applications are accessible.
How DirectAccess Works

The Windows® Server 2008 R2 operating system includes a new feature called DirectAccess that enables seamless remote access to enterprise resources. Unlike traditional VPNs, which require user intervention to initiate, DirectAccess allows any application on the client computer to have complete access to enterprise resources while allowing the administrator to specify those resources or even client-side applications that must be restricted.

DirectAccess is installed on a Windows Server 2008 R2 computer that client computers outside the enterprise use to connect to company resources for which they are authorized and authenticated.

DirectAccess helps reduce unnecessary traffic on the corporate network by not sending traffic destined for the Internet through the DirectAccess server. DirectAccess clients can connect to internal resources by using one of the following methods:
• Selected server access
• Full enterprise network access

The connection method is configured using the DirectAccess console or may be configured manually by using IPsec policies. For the highest security level, deploy IPv6 and IPsec throughout the organization, upgrade application servers to Windows Server® 2008 R2, and enable selected server access. This allows end-to-end authentication and encryption from the DirectAccess client to the internal resources.

Alternatively, organizations can use full enterprise network access, where the IPsec session is established between the DirectAccess client and server, but IPsec is not used for communications across the internal network. Full enterprise network access closely resembles VPN and can be more straightforward to deploy.

DirectAccess clients use the following process to connect to intranet resources:
1. The DirectAccess client computer running Windows 7 detects that it is connected to a network.
2. The DirectAccess client computer attempts to connect to an intranet Web site that an administrator specified during DirectAccess configuration.
3. The DirectAccess client computer connects to the DirectAccess server using IPv6 and IPsec.
4. If a firewall or proxy server prevents the client computer using 6to4 or Teredo from connecting to the DirectAccess server, the client automatically attempts to connect using the IP-HTTPS protocol, which uses a Secure Sockets Layer (SSL) connection to ensure connectivity.
5. As part of establishing the IPsec session, the DirectAccess client and server authenticate each other using computer certificates for authentication.
6. By validating Active Directory group memberships, the DirectAccess server verifies that the computer and user are authorized to connect using DirectAccess.

If Network Access Protection (NAP) is enabled and configured for health validation, the DirectAccess client obtains a health certificate from a Health
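The connection process above happens without user interaction, which makes it hard to see where a client is stuck. The following PowerShell script is an added example, not part of the course or of the DirectAccess product: it collects the client-side state behind steps 1 to 5 (network detection, the intranet probe site, the Teredo/6to4/IP-HTTPS transition state, the name resolution policy, and the computer certificate and IPsec associations used for authentication). It assumes an elevated prompt on a Windows 7 client, the netsh contexts shipped with Windows 7, and a placeholder URL for the intranet Web site that the administrator configured in step 2.

```powershell
# Added example (not from the course): gather the client-side state that the
# DirectAccess connection steps depend on. Assumptions: elevated PowerShell on
# Windows 7; $ProbeUrl is a placeholder for the administrator-configured
# intranet Web site; netsh contexts are the Windows 7 ones.

function Test-DirectAccessClient {
    param([string]$ProbeUrl = 'https://nls.corp.contoso.com/')   # placeholder

    $state = @{}

    # Step 1: which adapters are currently connected (NetConnectionStatus 2 = Connected).
    $state.ConnectedAdapters = @(Get-WmiObject Win32_NetworkAdapter -Filter 'NetConnectionStatus=2' |
        Select-Object -ExpandProperty NetConnectionID)

    # Step 2: the client tries the intranet Web site. Reaching it means the client
    # has decided it is inside the corporate network and the tunnels are not used;
    # failing to reach it means the client should bring up DirectAccess.
    try {
        $wc = New-Object System.Net.WebClient
        [void]$wc.DownloadString($ProbeUrl)
        $state.ProbeReachable = $true
    } catch {
        $state.ProbeReachable = $false
    }

    # Steps 3 and 4: IPv6 transition technologies over the IPv4 Internet;
    # IP-HTTPS is the SSL fallback when 6to4 and Teredo are blocked.
    $state.Teredo    = (netsh interface teredo show state) -join "`n"
    $state.SixToFour = (netsh interface 6to4 show state) -join "`n"
    $state.IpHttps   = (netsh interface httpstunnel show interfaces) -join "`n"

    # Name Resolution Policy Table: which DNS suffixes are resolved through the tunnel.
    $state.Nrpt = (netsh namespace show policy) -join "`n"

    # Step 5: the computer certificate (with private key) used for IPsec authentication.
    $state.MachineCertificates = @(Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey } | Select-Object Subject, NotAfter)

    # IPsec main mode security associations currently established, if any.
    $state.IpsecMainModeSAs = (netsh advfirewall monitor show mmsa) -join "`n"

    New-Object PSObject -Property $state
}

# Usage: Test-DirectAccessClient | Format-List
```

Read the output top to bottom in the same order as the steps: an unreachable probe site with no Teredo, 6to4 or IP-HTTPS interface active points at the transition layer, while working transition interfaces with an expired or missing machine certificate and no main mode SAs point at step 5. Step 6 (group membership) is evaluated on the DirectAccess server and is not visible from the client.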

DirectAccess Requirements

DirectAccess requires the following:
• One or more DirectAccess servers running Windows Server® 2008 R2 with two network adapters
• At least one domain controller and DNS server running Windows Server 2008 or Windows Server 2008 R2
• A Public Key Infrastructure (PKI)
• IPsec policies
• IPv6 transition technologies available for use on the DirectAccess server
• Windows 7 Enterprise on the client computers

Organizations not ready to fully deploy IPv6 can use IPv6 transition technologies such as ISATAP, 6to4, and Teredo to enable clients to connect across the IPv4 Internet and to access IPv4 resources on the enterprise network.

Question: What is the certificate used for in DirectAccess?

Answer: To provide for authentication.

Lesson 4
Configuring BranchCache for Remote Access

Branch offices are often connected to enterprises with a low-bandwidth link. Therefore, accessing corporate data located in the enterprise is slow. Even in a smaller business, different departments have unique needs. Additionally, companies are investing in opening more branch offices to provide a work environment for mobile employees and to reach more customers. This trend generates challenges for end users and IT professionals.

BranchCache helps to resolve these challenges by caching content from remote file and Web servers so that users in branch offices can access corporate information more quickly. The cache can be hosted centrally on a server in the branch location, or it can be distributed across user computers. If the cache is distributed, the branch user's computer automatically checks the cache pool to determine if the data has already been cached. If the cache is hosted on a server, the branch user's computer checks the branch server to access data. Each time a user tries to access a file, his or her access rights are authenticated against the server in the data center to ensure that the user has access to the file and is accessing the latest version.

What is BranchCache?

BranchCache helps reduce WAN link utilization and helps improve the responsiveness of network applications for branch office workers that are accessing main office servers. The main benefit of branch caching for users is the reduction in file transfer time and the improvement in application responsiveness. These benefits are transparent to end users and provide an experience at branch offices that closely resembles being on the same Local Area Network (LAN) as the servers.

Consider the following scenario. A company posts a large training presentation on a file share and sends an e-mail to all employees. Arvind opens the presentation and waits several minutes for the file to download. After the file is downloaded, Windows 7 stores it in the cache for others to use. When Luciana downloads the file from another computer on the network, Windows 7 retrieves it from the cache and she opens it in less time.

For IT professionals, the benefits of BranchCache are numerous:
• Supports commonly used protocols such as HTTP, HTTPS, SMB, signed SMB, and BITS
• Maintains compatibility with end-to-end security protocols such as SSL and IPsec
• Supports end-to-end encryption between clients and servers
• Optimizes traffic flows between Windows 7 clients and Windows Server 2008 R2 computers
• Remains transparent to the user
• Cached content is encrypted

The following table describes the protocols that BranchCache uses.

Protocol: Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)
Description: The communication protocols used to transfer information on intranets and the Internet. These protocols are used by Web browsers and many other applications, such as Internet Explorer® and Windows Media®. HTTPS is a secure HTTP connection.

Protocol: Server Message Block (SMB), including signed SMB traffic
Description: A network file sharing protocol that, as implemented in Microsoft Windows, is known as Microsoft SMB Protocol. This protocol is a client-server implementation and consists of a set of data packets, each containing a request sent by the client or a response sent by the server. SMB packet signing is a security mechanism that protects the data integrity of SMB traffic between client computers and servers, and prevents man-in-the-middle attacks by providing a form of mutual authentication.

Protocol: Background Intelligent Transfer Service (BITS)
Description: A service that transfers files (downloads or uploads) between a client and server and provides progress information related to the transfers.
How BranchCache Works

BranchCache can operate in one of two modes:
• Distributed Caching Mode
• Hosted Caching Mode

In the distributed caching mode, the cache is distributed across client computers in the branch. The content server authenticates and authorizes the client, and the server returns an identifier that the client uses to search for the file on the local network.

In this mode, Arvind downloads data from the main office server. Luciana also downloads identifiers from the main office server and then searches the local network for the data and downloads it from Arvind.

Using this type of peer-to-peer architecture, content is cached on Windows 7 clients after it is retrieved from a Windows Server 2008 R2 server. Then it is sent directly to other Windows 7 clients, as they need it, without those clients having to retrieve the same content over the WAN link. A distributed cache is the best choice for branches that do not have a local computer running Windows Server 2008 R2.

When you use the hosted caching mode, the cache resides on a Windows Server 2008 R2 server that is deployed in the branch office. Arvind downloads data from the main office server and then the Hosted Cache pulls content from Arvind's computer. After Luciana downloads identifiers from the main office server, she downloads from the Hosted Cache.

Using this type of client/server architecture, Windows 7 clients copy content to a local computer (Hosted Cache) running Windows Server 2008 R2 that has BranchCache enabled. Other client computers that need the same content retrieve it directly from the Hosted Cache.

Compared to distributed cache, hosted cache increases cache availability because content is available even when the client that originally requested the data is offline. Additionally, hosted cache works across subnets and reduces multicast traffic on the local network. Typically, administrators can configure an existing computer running Windows Server 2008 R2 to act as the Hosted Cache since it does not require a dedicated server.

Malicious users are unable to access content that they are not authorized to view because cached content is encrypted. A computer must obtain the identifier that describes a piece of content to decrypt that content after downloading. The identifiers, provided by the server, include a digest of the content. After downloading from the cache, the client computer verifies that the content matches the digest in the identifier. If a client downloads an identifier from the server, but cannot find the data cached on any computers in the branch, the client returns to the server for a full download.
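The last paragraph is the security argument for the whole design: a peer or Hosted Cache is never trusted on its own, because the client checks what it received against a digest that came from the authoritative server. The following PowerShell script is an added example, not course material and not BranchCache's own content-information format: it shows the principle on a constructed file, with per-block hashes plus a hash over all block hashes computed on the server side and recomputed by the client, so that a corrupted or substituted block is detected and only that block has to be fetched again. The block size and the choice of SHA-256 are assumptions made for the illustration.

```powershell
# Added example (not from the course, and not BranchCache's real wire format):
# block-level digest verification of content obtained from a cache.
# Assumptions: 64 KB blocks and SHA-256, chosen for the illustration.

function Get-ContentIdentifier {
    # Server side: hash every block, then hash the concatenated block hashes.
    param([byte[]]$Content, [int]$BlockSize = 65536)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $blockHashes = New-Object System.Collections.ArrayList
    for ($offset = 0; $offset -lt $Content.Length; $offset += $BlockSize) {
        $length = [Math]::Min($BlockSize, $Content.Length - $offset)
        [void]$blockHashes.Add($sha.ComputeHash($Content, $offset, $length))
    }
    $all = New-Object byte[] (32 * $blockHashes.Count)
    for ($i = 0; $i -lt $blockHashes.Count; $i++) {
        [Array]::Copy($blockHashes[$i], 0, $all, $i * 32, 32)
    }
    New-Object PSObject -Property @{
        BlockSize   = $BlockSize
        BlockHashes = $blockHashes
        HashOfData  = ([BitConverter]::ToString($sha.ComputeHash($all)) -replace '-', '')
    }
}

function Test-CachedContent {
    # Client side: recompute the block hashes on what the cache served and return the
    # indexes of blocks that differ from the server-supplied identifier. An empty
    # result means the cached copy may be used; anything else is fetched from the server.
    param([byte[]]$Cached, $Identifier)
    $local = Get-ContentIdentifier -Content $Cached -BlockSize $Identifier.BlockSize
    $bad = @()
    $count = [Math]::Max($local.BlockHashes.Count, $Identifier.BlockHashes.Count)
    for ($i = 0; $i -lt $count; $i++) {
        if ($i -ge $local.BlockHashes.Count -or $i -ge $Identifier.BlockHashes.Count) {
            $bad += $i      # length mismatch: missing or extra block
            continue
        }
        $a = [BitConverter]::ToString($local.BlockHashes[$i])
        $b = [BitConverter]::ToString($Identifier.BlockHashes[$i])
        if ($a -ne $b) { $bad += $i }
    }
    ,$bad
}

# Constructed sample: 200 000 pseudo-random bytes (four blocks), then one byte
# flipped inside the second block, as if a peer had served a tampered copy.
$rng = New-Object System.Random 42
$original = New-Object byte[] 200000
$rng.NextBytes($original)
$identifier = Get-ContentIdentifier -Content $original     # what the server hands out

$copy = [byte[]]$original.Clone()
$copy[70000] = $copy[70000] -bxor 0xFF                     # what the cache served

$badBlocks = Test-CachedContent -Cached $copy -Identifier $identifier
"Hash of data: $($identifier.HashOfData)"
"Blocks to re-fetch from the server: $($badBlocks -join ', ')"
```

Offset 70000 lies in the second 64 KB block, so the script reports block index 1 and nothing else; the unchanged copy would report no blocks. The hash over the block hashes is what lets a short identifier stand for a large file, which is why the identifier, and not the content, is what the client fetches from the server first.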
BranchCache Requirements

BranchCache supports the same network protocols that are commonly used in enterprises, for example HTTP(S) and SMB. It also supports network security protocols (SSL and IPsec), ensuring that only authorized clients can access requested data. Windows Server 2008 R2 is required either in the main server location or at the branch office, depending on the type of caching being performed. Windows 7 Enterprise is required on the client PC.

On Windows 7 clients, BranchCache is off by default. Client configuration can be performed through Group Policy or done manually. The following are common configuration settings:
• Set the caching mode to cooperative (distributed) or hosted.
• Set the hostname of the hosted cache server.
• Set the client cache size as a percentage of the disk or as a maximum size in bytes.
• Set the cache location on the disk.
• Set firewall rules as follows:
  • Content discovery: UDP 3702 (WS-Discovery protocol)
  • Content download: TCP 80 (HTTP protocol)

On Windows Server 2008 R2, BranchCache is not automatically installed. After it is installed, you can configure BranchCache by using Group Policy and by using the following guidelines:
• The BranchCache for Remote Files role service of the File Services server role needs to be installed before you can enable BranchCache for any file shares.
• Enable BranchCache for all file shares on a computer or on a share-by-share basis.
• Enable BranchCache on a Web server (it must be enabled for all Web sites).
• Equip the Hosted Cache with a certificate trusted by client computers that is suitable for Transport Layer Security (TLS).

Network Requirements
BranchCache supports Secure Sockets Layer (SSL) as available through HTTPS and IPv6 IPsec.

If client computers are configured to use the Distributed Cache mode, the cached content is distributed among client computers on the branch office network. No infrastructure or services are required in the branch office beyond client computers running Windows 7.

Client Configuration
BranchCache is disabled by default on client computers. Take the following steps to enable BranchCache on client computers:
1. Turn on BranchCache.
2. Enable either the Distributed Cache mode or Hosted Cache mode.
3. Configure the client firewall to enable BranchCache protocols.

Enabling the Distributed Cache or Hosted Cache mode (step 2) without explicitly enabling the overall BranchCache feature (step 1) leaves BranchCache disabled on a client computer.

It is possible to enable BranchCache on a client computer (step 1) without enabling Hosted Cache mode or Distributed Cache mode (step 2). In this configuration, the client computer only uses the local cache and does not attempt to download from peers or from a Hosted Cache server. Multiple users of a single computer benefit from a shared local cache in this local caching mode.

Configuration can be automated using Group Policy or can be achieved manually by using the netsh command.

Demonstration: Configuring BranchCache on a Windows 7 Client Computer

In this demonstration, you show how to enable and configure BranchCache.

Create and Secure a Shared Folder

1. Log on to the LON-DC1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, click Computer, and double-click Local Disk (C:).
3. In the menu, click New folder.
4. Type BranchCache and press ENTER.
5. Right-click BranchCache and then click Properties.
6. In the BranchCache Properties dialog box, on the Sharing tab, click Advanced Sharing.
7. In the Advanced Sharing dialog box, select the Share this folder check box, and then click Permissions.
8. Click Remove, and then click Add.
9. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) field, type authenticated users, click Check Names, and then click OK.
10. In the Permissions for Authenticated Users list, select the Allow check box next to Full Control, and then click OK.
11. In the Advanced Sharing dialog box, click Caching.
12. Select the Enable BranchCache check box, and then click OK.
13. In the Advanced Sharing dialog box, click OK.
14. In the BranchCache Properties dialog box, click the Security tab.
15. Click Edit, and then click Add.
16. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) field, type “Authenticated Users”, click Check Names, and then click OK.
17. In the Permissions for Authenticated Users list, select the Allow check box next to Full Control, and then click OK.
18. In the BranchCache Properties dialog box, click Close.

Configure BranchCache Group Policy settings

1. On LON-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.
2. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, click BranchCache, right-click BranchCache, and then click Edit.
3. Expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.
4. Double-click Turn on BranchCache, click Enabled, and then click OK.
5. Double-click Set BranchCache Distributed Cache mode, click Enabled, and then click OK.
6. Double-click Configure BranchCache for network files, click Enabled, under Options type “0”, and then click OK.
7. Double-click Set percentage of disk space used for client computer cache, click Enabled, under Options, type “10”, and then click OK.
8. Close Group Policy Management Editor.
9. Close Group Policy Management.
10. Close all open windows.

Configure the Client

1. Switch to the LON-CL1 computer and log on as Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, click Control Panel, click System and Security, and then click Windows Firewall.
3. In Windows Firewall, click Allow a program or feature through Windows Firewall.
4. Under Allowed programs and features, in the Name list, select the following check boxes and then click OK. Also ensure that the check box under Domain is selected.
   • BranchCache – Content Retrieval (Uses HTTP)
   • BranchCache – Peer Discovery (Uses WSD)
5. Close Windows Firewall.
6. Open a Command Prompt.
7. At the Command Prompt, type “gpupdate /force” and then press ENTER.
8. At the Command Prompt, type “netsh branchcache set service mode=DISTRIBUTED” and then press ENTER.

Verify the status of BranchCache

• At the Command Prompt, type “netsh branchcache show status” and then press ENTER.
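The three client steps from the Client Configuration topic (turn BranchCache on, choose a mode, open the firewall) and the netsh commands from this demonstration come together in the following PowerShell script, which is an added example and not course material. It wraps the manual path in two functions, covers the hosted-cache and local-only modes alongside the distributed mode used in the demonstration, and enables only the firewall rule groups a given mode needs. It assumes an elevated prompt on Windows 7 Enterprise, that the firewall rule group names are the ones Windows 7 ships (written with a plain hyphen), that Group Policy, where applied, overrides these local settings, and that the server name in the usage line is a placeholder.

```powershell
# Added example (not from the course): manual BranchCache client configuration
# with netsh, covering the mode choice and the matching firewall rule groups.
# Assumptions: elevated PowerShell on Windows 7 Enterprise; Windows 7 firewall
# rule group names; Group Policy overrides these settings when it applies.

function Enable-BranchCacheClient {
    param(
        [ValidateSet('LOCAL','DISTRIBUTED','HOSTEDCLIENT')][string]$Mode = 'DISTRIBUTED',
        [string]$HostedCacheServer,        # required for HOSTEDCLIENT (placeholder name in usage)
        [int]$CachePercentOfDisk = 10,     # same value the demonstration sets through Group Policy
        [string]$CacheDirectory            # optional: move the cache off the system drive
    )
    # Steps 1 and 2 in one command: setting a service mode also turns the feature on.
    # LOCAL is the local-cache-only state (step 1 without step 2) described earlier.
    switch ($Mode) {
        'LOCAL'        { netsh branchcache set service mode=LOCAL }
        'DISTRIBUTED'  { netsh branchcache set service mode=DISTRIBUTED }
        'HOSTEDCLIENT' {
            if (-not $HostedCacheServer) { throw 'HOSTEDCLIENT mode needs -HostedCacheServer' }
            netsh branchcache set service mode=HOSTEDCLIENT location=$HostedCacheServer
        }
    }
    netsh branchcache set cachesize size=$CachePercentOfDisk percent=TRUE
    if ($CacheDirectory) { netsh branchcache set localcache directory=$CacheDirectory }

    # Step 3: firewall. Content download is TCP 80 (HTTP) in every mode; peer
    # discovery (UDP 3702, WS-Discovery) is only needed in distributed mode, and
    # hosted mode talks to the Hosted Cache over HTTPS instead. Opening only what
    # the chosen mode uses keeps the client's listening surface small.
    $groups = @('BranchCache - Content Retrieval (Uses HTTP)')
    if ($Mode -eq 'DISTRIBUTED')  { $groups += 'BranchCache - Peer Discovery (Uses WSD)' }
    if ($Mode -eq 'HOSTEDCLIENT') { $groups += 'BranchCache - Hosted Cache Client (Uses HTTPS)' }
    foreach ($g in $groups) {
        netsh advfirewall firewall set rule group="$g" new enable=yes
    }
}

function Get-BranchCacheClientStatus {
    # "show status all" also reports cache size, cache location and firewall rule state.
    $lines = netsh branchcache show status all
    New-Object PSObject -Property @{
        ServiceMode = (($lines | Where-Object { $_ -match 'Service Mode' }) -join '')
        Raw         = ($lines -join "`n")
    }
}

# Usage (placeholder server name for the hosted case):
#   Enable-BranchCacheClient -Mode DISTRIBUTED
#   Enable-BranchCacheClient -Mode HOSTEDCLIENT -HostedCacheServer 'LON-SVR1.contoso.com'
#   (Get-BranchCacheClientStatus).ServiceMode
```

Run Get-BranchCacheClientStatus after gpupdate as well as after the netsh commands: when the BranchCache Group Policy settings from the previous task apply, the status output reflects the policy values, not the ones set locally, which is the quickest way to tell which of the two sources is in charge on a given client.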

Question: What is the effect of configuring the Configure BranchCache for network files value to zero (0)?

Answer: This is the acceptable round-trip delay time before caching is enabled. If you set a high value, then caching might not occur at all. Setting the value to zero means that all files in a share are cached, irrespective of the delay.
8-64 Installing and Configuring Windows 7

Module Review and Takeaways

BETA COURSEWARE EXPIRES 11/15/2009


Review Questions

1. Amy wants to connect to the network wirelessly but is unable to, so she
checks the Windows Mobility Center to turn on her wireless network adapter.
She does not see it in the Windows Mobility Center. Why is that?
2. You have purchased a computer with Windows 7 Home edition. When you try
to use Remote Desktop to access another computer, you cannot find it in the
operating system. What is the problem?
3. You have some important files on your desktop work
computer that you need to retrieve when you are at a
client’s location with your laptop computer. What do
you need to do on your desktop computer to ensure that
you can download your files when you are at a customer
site?

4. Your company recently purchased a Windows Server 2008 computer. You have
decided to convert it from a database server to a DirectAccess server. What
do you need to do before you can configure this computer with DirectAccess?
5. Amy needs to configure her Windows 7 client computer to take advantage of
BranchCache. How can Amy configure the client to do this?

Review Answers

1. If a setting does not appear in the Windows Mobility Center, it might be
because the requested hardware (such as a wireless network adapter) or its
drivers are missing.
2. Remote Desktop is not available in Windows 7 Home editions.
3. You need to configure remote access on your desktop
computer. Select one of the access options in the
Remote Settings tab of System from System and Security
in Control panel.
4. You will need to upgrade to Windows Server 2008 R2 and
maybe upgrade to an IPv6 infrastructure and possibly
install a second network adapter in the server.
5. On Windows 7, BranchCache is off by default. Client configuration can be
performed through Group Policy or manually on a per-client-computer basis.

Common Issues

Issue: BytesAddedToCache does not increase on the first client when
accessing the BranchCache-enabled server.
Troubleshooting tips:
• The client computer may be retrieving content from the Internet Explorer
cache. Be sure to clear the IE cache by selecting Internet Options from the
Tools menu, and clicking Delete.
• Ensure that BranchCache is enabled on the first client using the netsh
branchcache show status command.
• If attempting to access a file share, verify that the latency between the
client and server is higher than the minimum threshold.
• Ensure that the BranchCache feature is installed on the server and is
enabled for the protocol under test.
• Check that the peerdistsvc service has started on both the client and the
server.
• An intermediate proxy may alter the HTTP request coming from the client.
Verify that the proxy does not modify the ACCEPT-ENCODING HTTP header.
• An intermediate proxy may downgrade the outgoing request from HTTP 1.1 to
HTTP 1.0.
• If the symptom is specific to file traffic, ensure that the file is not in
the transparent cache. The transparent cache is a secondary cache where the
file is stored in addition to the BranchCache. Storing the file in the
transparent cache enables subsequent reads of the file to be satisfied
locally, improving end-user response times and saving WAN bandwidth. To
delete transparently cached data, search for the Offline Files applet in
Control Panel. Click the Disk Usage tab, and then click Delete Temporary
Files. Note that this will not clear the BranchCache cache.

Issue: BytesAddedToCache does increase on the first client when accessing
the BranchCache-enabled server. BytesFromCache does not increase on the
second client when accessing the BranchCache-enabled server. Deployment is
Distributed Cache mode.
Troubleshooting tips:
• Ensure that BranchCache is enabled and that both clients are configured
to use the same caching mode using the netsh branchcache show status
command.
• Ensure that the correct firewall exceptions are set on both clients using
the netsh branchcache show status command.
• Ensure that both clients are connected to the same subnet using the
ipconfig command.
• Make sure the client cache is not full using netsh branchcache show
status ALL.

Issue: BytesAddedToCache does increase on the first client when accessing
the BranchCache-enabled server. BytesFromCache does not increase on the
second client when accessing the BranchCache-enabled server. Deployment is
Hosted Cache mode.
Troubleshooting tips:
• Ensure that BranchCache is enabled and that both clients are configured
to use the same caching mode using the netsh branchcache show status
command.
• Verify basic connectivity from both client computers to the Hosted Cache
using the ping command.
• Ensure that the correct firewall exceptions are set on both clients using
the netsh branchcache show status command.
• Ensure that the correct firewall exceptions are set on the Hosted Cache
server using the netsh branchcache show status command.
• Ensure that the certificate is properly installed and bound to port 443
on the Hosted Cache computer.

Issue: Netsh shows BranchCache firewall rules have not been set, even
though they have been configured using Group Policy.
Troubleshooting tips:
• Netsh checks the predefined BranchCache firewall rule group. If you have
not enabled the default exceptions defined for BranchCache on Windows 7,
Netsh will not report your configuration correctly. This is likely to
happen if you defined firewall rules for clients using Group Policy and you
defined the Group Policy object on a computer running an operating system
older than Windows 7 or Windows Server 2008 R2 (which would not have the
BranchCache firewall rule group). Note that this does not mean BranchCache
will not function.

Issue: A client computer is running slowly. Is BranchCache at fault?
Troubleshooting tips:
• Many computers drawing large amounts of content from one client in a
short time period may impact desktop performance. Use Performance Monitor
to check for high service rates to peers. Examine BytesServedToPeers
relative to BytesFromCache and BytesFromServer.
• The BranchCache service runs isolated in its own service host. Examine
the CPU and memory consumption of the service host process housing the
branch caching service.
• Sustained high rates of service to peers may be evidence of a
configuration problem in the branch office. Check to make sure that the
other clients in the branch office are capable of serving data.
• Clear the cache on the affected client using the netsh branchcache flush
command or reduce the cache size on the affected client.

Issue: A page fails to load or a share cannot be accessed.
Troubleshooting tips:
• When BranchCache is unable to retrieve data from a peer or from the
Hosted Cache, the upper layer protocol will return to the server for
content. If a failure occurs in the Branch Caching component, the upper
layer protocol should seamlessly download content from the server. No
BranchCache misconfiguration or failure should prevent the display of a
webpage or connection to a share. If a failure does occur, use the Network
Diagnostic Framework Diagnose button provided by Windows Explorer or
Internet Explorer.

Issue: The client computer is unable to access the file share even when
connected to the server.
Troubleshooting tips:
• If the client computer is unable to access a file share on the server
due to the error Offline (network disconnected), reboot the client computer
and access the share again.
• If the client computer is unable to access a file share on the server
due to the error Offline (slow connection), delete the temporarily cached
data, reboot the computer and access the share. To delete temporarily
cached data (the same as the transparent cache described above), search for
the Offline Files applet in Control Panel. Click the Disk Usage tab, and
then click Delete Temporary Files.
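An added batch script, not part of the courseware, that applies the Configure the Client steps above non-interactively and then collects the evidence the Common Issues table asks for (service state, netsh status, subnet, and, on a Hosted Cache server, the port 443 certificate binding) into one log. It assumes an elevated Command Prompt on a Windows 7 client, that the firewall rule group names match the English names shown in the Windows Firewall list, and that the log path is an arbitrary choice.

```batch
@echo off
rem branchcache-check.cmd - added example, not part of the courseware.
rem Configures a Windows 7 client for Distributed Cache mode (the same
rem settings as the Configure the Client steps) and then records the
rem evidence the Common Issues table asks for in a log file.
rem Assumptions: run from an elevated Command Prompt on the client; the
rem firewall rule group names match the English names in the Windows
rem Firewall list; the %LOG% path is an arbitrary choice.
setlocal
set LOG=%TEMP%\branchcache-check.log

rem Refuse to continue without elevation: every "set" below needs it.
net session >nul 2>&1 || (echo Run this from an elevated Command Prompt. & exit /b 1)

echo === BranchCache check %DATE% %TIME% === > "%LOG%"

rem 1. Firewall exceptions: the two predefined rule groups the lab enables by hand.
netsh advfirewall firewall set rule group="BranchCache - Content Retrieval (Uses HTTP)" new enable=yes >> "%LOG%"
netsh advfirewall firewall set rule group="BranchCache - Peer Discovery (Uses WSD)" new enable=yes >> "%LOG%"

rem 2. Pull the Group Policy settings configured on LON-DC1.
gpupdate /force >> "%LOG%"

rem 3. Distributed Cache mode, as in step 8 of Configure the Client.
netsh branchcache set service mode=DISTRIBUTED >> "%LOG%"

rem 4. Service state: the table requires peerdistsvc to be running on client and server.
echo --- PeerDistSvc --- >> "%LOG%"
sc query peerdistsvc | findstr /i "STATE" >> "%LOG%"

rem 5. Status, caching mode, firewall-rule report and cache fill level.
echo --- netsh branchcache show status ALL --- >> "%LOG%"
netsh branchcache show status ALL >> "%LOG%"

rem 6. Subnet evidence for the "same subnet" check in Distributed Cache mode.
echo --- ipconfig --- >> "%LOG%"
ipconfig | findstr /i "IPv4 Subnet" >> "%LOG%"

rem 7. Hosted Cache deployments only: confirm a certificate is bound to
rem    port 443. Run with the argument "hostedcache" on the Hosted Cache server.
if /i "%~1"=="hostedcache" (
    echo --- netsh http show sslcert --- >> "%LOG%"
    netsh http show sslcert | findstr /i ":443" >> "%LOG%"
)

echo Results written to "%LOG%"
type "%LOG%"
endlocal
```

Run it on both branch clients and compare the two logs: the table's Distributed Cache checks are satisfied when both report the same caching mode, enabled rule groups, and an IPv4 address in the same subnet.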

Course Evaluation



Your evaluation of this course will help Microsoft
understand the quality of your learning experience.
Please work with your training provider to access the
course evaluation form.
Microsoft keeps your answers to this survey private and
confidential, and uses your responses to improve your
future learning experience. Your open and honest feedback
is valuable and appreciated.

Module 1: Installing and Configuring Windows 7



Lab: Installing and Configuring Windows 7
Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines
used at the start of this lab are:
• 6292-LON-DC1
• 6292-LON-CL1
• 6292-LON-VS1

Start the virtual machines


1. On the host computer, click Start, point to Administrative Tools, and click
Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions
pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the
Actions pane, under the virtual machine name, click Connect.

Exercise 1: Migrating Settings by Using Windows Easy Transfer
Task 1: Place Windows Easy Transfer on a network share
1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, point to All Programs, click Accessories, click System Tools, and
then click Windows Easy Transfer.
3. In the Windows Easy Transfer window, click Next.
4. Click An external hard disk or USB flash drive.
5. Click This is my new computer.
6. Click No, because the files have not been saved from the source computer yet.
7. Click I need to install it now.

8. Click External hard disk or shared network folder.


9. In the Folder box, type \\LON-DC1\Data and then click OK.

Task 2: Create a user profile for Don on LON-VS1


1. Log on to the LON-VS1 virtual machine as Contoso\Don with a password of
Pa$$w0rd.



2. Close the Welcome Center.
3. On the Desktop, right-click an open area, point to New, and click Text Document.
4. Type Don’s To Do List and press Enter. This renames the document.
5. Log off of LON-VS1.

Task 3: Capture settings from LON-VS1


1. Log on to the LON-VS1 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, and then in the Start Search box, type \\LON-DC1\Data\, and then
press Enter.
3. Double-click the Windows Easy Transfer shortcut.
4. In the Windows Easy Transfer window, click Next.
5. Click An external hard disk or USB flash drive.
6. Click This is my old computer.
7. Clear all of the checkboxes except for CONTOSO\Don and then click Next.
8. In the Password and Confirm Password boxes, type Pa$$w0rd and then click
Save.
9. In the Save your Easy Transfer file window, in the File name box, type \\LON-
DC1\Data\DonProfile and then click Save.
10. Click Next.
11. Click Next and then click Close.
12. Log off of LON-VS1.

Task 4: Import the configuration settings on LON-CL1


1. On LON-CL1, in Windows Easy Transfer, click Next.
2. Click Yes to indicate that the settings from the old computer have been saved.

3. In the Open an Easy Transfer File window, in the File name box, type \\LON-
DC1\Data\DonProfile.MIG and then click Open.

4. Type the password of Pa$$w0rd and then click Next.


5. Click Transfer to begin importing Don’s profile.
6. Wait until the transfer completes.
7. Click Close.
8. Log off of LON-CL1.

Task 5: Verify the migration


1. On LON-CL1, log on as CONTOSO\Don with a password of Pa$$w0rd.
2. Notice that Don’s To Do List is on the desktop because of the migration.
3. Shut down LON-CL1.

Exercise 2: Configuring a reference image


Task 1: Configure a dynamic IP address to prepare a reference image
for imaging
1. Start and then log on to the LON-CL2 virtual machine as Contoso\Administrator
with a password of Pa$$w0rd.
2. Click Start and click Control Panel.
3. Under Network and Internet, click View network status and tasks.
4. Click Local Area Connection 3.
5. In the Local Area Connection 3 Status window, click Properties.
6. In the Local Area Connection 3 Properties window, click Internet Protocol
Version 4 (TCP/IPv4) and then click Properties.
7. Click Obtain an IP address automatically, click Obtain DNS server address
automatically, and then click OK.
8. In the Local Area Connection 3 Properties window, click Close.
9. In the Local Area Connection 3 Status window, click Close.
10. Close Network and Sharing Center.

Task 2: Generalize a reference image with sysprep


1. Click Start and then click Computer.
2. Browse to C:\Windows\System32\sysprep and then double-click sysprep.
3. In the System Cleanup Action box, click Enter System Out-of-Box Experience
(OOBE).



4. Select the Generalize checkbox.
5. In the Shutdown Options box, click Shutdown.
6. Click OK. LON-CL2 shuts down after several minutes.

Task 3: Prepare the virtual machine for imaging


1. On your host computer, click Start, point to Administrative Tools, and click
Hyper-V Manager.
2. Right-click 6292A-LON-CL2 and click Settings.
3. In the left pane, click DVD Drive.
4. In the right pane, click Image file, and click Browse.
5. Browse to C:\Program Files\Microsoft Learning\6292\Drives, click
winpe_amd64.iso, and then click Open.
7. In the left pane, click Add Hardware.
8. In the right pane, click Legacy Network Adapter and then click Add.
9. In the Network box, click Private Network.
10. Click OK.
11. Close Hyper-V Manager.

Task 4: Copy the reference image to a share


Note: Steps 1 and 2 must be performed quickly to ensure that you are able to boot from
the virtual DVD rather than the hard disk. If the operating system starts to boot
because you do not complete the steps quickly enough, then click the Reset button
in the virtual machine window to try again. You may want to take a snapshot of
the virtual machine before attempting to boot from the DVD.
1. In the virtual machine window for 6292A-LON-CL2, click the Start button in the
toolbar.
2. Click in the virtual machine window, and press a key when prompted to press a
key to boot from CD or DVD.

3. At the command prompt, type ipconfig and then press Enter. Verify that an IP
address in the 10.10.0.0 range is assigned. This confirms that Windows PE
obtained an IP address from the DHCP server.


4. At the command prompt, type net use i: \\lon-dc1\data
/user:contoso\administrator Pa$$w0rd.
5. At the command prompt, type d: and press Enter. This is the original C: drive on
the reference computer.
6. At the command prompt, type dir and then press Enter.
7. At the command prompt, type e: and press Enter. This is a drive created in
memory by Windows PE.
8. At the command prompt, type dir and then press Enter.
9. At the command prompt, type imagex /capture d: i:\Reference.wim “Reference
Image for Windows 7” /compress fast and then press Enter.

Note: While the image creation completes, begin working on Exercise 3.

Exercise 3: Deploying a Windows 7 Image


Task 1: Capture configuration settings with USMT
1. Log on to the LON-VS1 virtual machine as Contoso\Administrator with a password
of Pa$$w0rd. Close the Welcome Center.
2. Click Start, type cmd, and press Enter.
3. At the command prompt, type net use i: \\lon-dc1\data and then press Enter.
4. At the command prompt, type i: and then press Enter.
5. At the command prompt, type cd \usmt\x86 and then press Enter.
6. At the command prompt, type md \usmtdata and then press Enter.
7. At the command prompt, type scanstate i:\usmtdata and then press Enter.
8. After the capture is complete, shut down LON-VS1.

Task 2: Start Windows PE on the new computer


1. On your host computer, click Start, point to Administrative Tools, and click
Hyper-V Manager.
2. Right-click 6292A-LON-CL3 and click Settings.

3. In the left pane, click DVD Drive.


4. In the right pane, click Image file, and click Browse.
5. Browse to C:\Program Files\Microsoft Learning\6292\Drives, click
winpe_amd64.iso, and then click Open.
6. Click OK.



7. Right-click 6292A-LON-CL3 and click Connect.
8. In the virtual machine window, click the Start button in the toolbar.
9. At the command prompt, type ipconfig and then press Enter. Verify that an IP
address in the 10.10.0.0 range is assigned. This confirms that Windows PE
obtained an IP address from the DHCP server.
10. At the command prompt, type net use i: \\lon-dc1\data
/user:contoso\administrator Pa$$w0rd.

Task 3: Partition the disk on the new computer


1. On LON-CL3, at the command prompt type diskpart and press Enter.
2. Type select disk 0 and then press Enter.
3. Type clean and then press Enter.
4. Type create partition primary size=30000 and then press Enter.
5. Type select partition 1 and then press Enter.
6. Type format fs=ntfs label=Windows quick and then press Enter.
7. Type assign letter=c and then press Enter.
8. Type active and then press Enter.
9. Type exit and then press Enter.

Task 4: Apply the image to the new computer


1. On LON-CL3, at the command prompt, type d: and then press Enter.
2. At the command prompt, type imagex /apply i:\reference.wim “Reference
Image for Windows 7” c: and then press Enter.
3. After the image has been applied, type bcdboot c:\windows and then press
Enter.
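The Task 3 and Task 4 steps above, as an added batch script (not from the courseware) that can be run from the Windows PE command prompt on LON-CL3 once it has a DHCP address. It assumes the lab's share, image name and partition size; the password is taken as the first argument so that it is not stored in the script.

```batch
@echo off
rem deploy-lon-cl3.cmd - added example, not part of the courseware.
rem Runs the Exercise 3 Task 3 and Task 4 steps unattended from Windows PE:
rem map the share, partition disk 0, apply the captured image, write boot files.
rem Assumptions: started from the Windows PE command prompt after it has
rem obtained a DHCP address; the share, image name and partition size are
rem the ones used in the lab; the password is passed as the first argument.
setlocal
set SHARE=\\lon-dc1\data
set IMAGE=i:\reference.wim
set IMAGENAME=Reference Image for Windows 7
set PWD_ARG=%~1

if "%PWD_ARG%"=="" (
    echo Usage: %~nx0 ^<password for contoso\administrator^>
    exit /b 1
)

rem Step 1: map the share that holds Reference.wim (Task 2, step 10).
net use i: %SHARE% /user:contoso\administrator %PWD_ARG% || exit /b 1

rem Step 2: write the diskpart commands from Task 3 to a script file so they
rem run without prompting. "clean" erases disk 0, so make sure that is the
rem disk you intend to wipe before running this.
set DPSCRIPT=%TEMP%\partition.txt
(
    echo select disk 0
    echo clean
    echo create partition primary size=30000
    echo select partition 1
    echo format fs=ntfs label=Windows quick
    echo assign letter=c
    echo active
) > "%DPSCRIPT%"
diskpart /s "%DPSCRIPT%" || exit /b 1

rem Step 3: apply the named image to the new C: volume (Task 4, step 2).
imagex /apply "%IMAGE%" "%IMAGENAME%" c: || exit /b 1

rem Step 4: create the boot configuration on the new volume (Task 4, step 3).
bcdboot c:\windows || exit /b 1

echo Deployment finished. Remove the DVD and restart the computer.
endlocal
```

Every step stops the script on failure, so a typo in the share or image name does not leave a half-applied volume that then boots into the wrong state.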

Task 5: Perform initial operating system configuration for the new
computer

1. Restart LON-CL3 by closing the command prompt. Do not start from CD or DVD.
2. If prompted, select Start Windows normally and press Enter. The computer will
restart before asking for any input.
3. In the Set Up Windows box, click Next to accept the default country, time and
currency format, and keyboard layout.
4. In the Type a user name box, type LocalAdmin.
5. In the Type a computer name box, type LON-CL3 and then click Next.
6. In the Type a password and Retype your password boxes, type Pa$$w0rd.
7. In the Type a password hint box, type Local Admin and then click Next.
8. Clear the Automatically activate Windows when I’m online checkbox and then
click Next.
9. Select the I accept the license terms checkbox and then click Next.
10. Click Ask me later to delay the implementation of Windows updates.
11. Click Next to accept the default settings for time zone and date.
12. Click Work network to select your computer’s current location.
13. Click Start, right-click Computer, and click Properties.
14. Under Computer name, domain, and workgroup settings, click Change
settings.
15. In the System Properties window, click Change.
16. In the Computer Name/Domain Changes window, click Domain, type
contoso.com, and then click OK.
17. Authenticate as Administrator with a password of Pa$$w0rd.
18. Click OK to close the welcome message.
19. Click OK to close the message about restarting.
20. In the System Properties window, click Close.
21. Click Restart Now.

Task 6: Apply the captured settings to the new computer


1. Log on to the LON-CL3 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, type cmd, and press Enter.
3. At the command prompt, type net use i: \\lon-dc1\data and then press Enter.



4. At the command prompt, type i: and then press Enter.
5. At the command prompt, type cd \usmt\x86 and then press Enter.
6. At the command prompt, type loadstate i:\usmtdata and then press Enter.
7. Close the command prompt.

Task 7: Verify the application of user settings on LON-CL3


1. Click Start, right-click Computer, and then click Properties.
2. Click Advanced system settings.
3. In the User Profiles area, click Settings.
4. Read the list of user profiles and verify that several have been created, including
one for CONTOSO\Don.
5. In the User Profiles window, click Cancel.
6. In the System Properties window, click Cancel.
7. Close the System window.

Task 8: Virtual Machine Shutdown


When you finish the lab, you should shut down the virtual machines and revert each
virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click
Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module 2: Configuring Disks and Device Drivers



Lab: Configuring Disks and Device Drivers
Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines
used at the start of this lab are:
• 6292-LON-DC1
• 6292-LON-CL1

Start the virtual machines


1. On the host computer, click Start, point to Administrative Tools, and click
Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions
pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the
Actions pane, under the virtual machine name, click Connect.

Exercise 1: Configuring Disks


Task 1: Create a simple volume by using disk management
1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, right-click Computer, and then click Manage.
3. In the Computer Management (Local) list, click Disk Management.
4. In the Initialize Disk dialog box, click OK.

5. In Disk Management, on Disk 2, right-click Unallocated, and then click New


Simple Volume.

6. In the New Simple Volume Wizard, click Next.

7. On the Specify Volume Size page, in the Simple volume size in MB box, type
100, and then click Next.
L2-2 Module 2: Configuring Disks and Device Drivers

8. On the Assign Drive Letter or Path page, click Next.

9. On the Format Partition page, in the Volume label box, type Simple, click Next,
and then click Finish.

Task 2: Create a simple volume by using diskpart.exe



1. Click Start, point to All Programs, click Accessories, right-click Command
Prompt, and then click Run as administrator.

2. At the command prompt, type diskpart, and then press ENTER.

3. At the DISKPART> prompt, type list disk, and then press ENTER.

4. At the DISKPART> prompt, type select disk 3, and press ENTER.

5. At the DISKPART> prompt, type create partition primary size=100, and press
ENTER.

6. At the DISKPART> prompt, type list partition, and press ENTER.

7. At the DISKPART> prompt, type select partition 1, and press ENTER.

8. At the DISKPART> prompt, type format fs=ntfs label=simple2 quick, and press
ENTER.

9. At the DISKPART> prompt, type Assign, and press ENTER.

Task 3: Resize a simple volume


1. Switch to Disk Management.

2. In Disk Management, on Disk 2, right-click Simple (F:), and then click Extend
Volume.

3. In the Extend Volume Wizard, click Next.

4. On the Select Disks page, in the Select the amount of space in MB box, type
100, click Next, and then click Finish.

Task 4: Resize a simple volume with diskpart.exe


1. Switch to the Command Prompt window.

2. At the DISKPART> prompt, type list disk, and press ENTER.



3. At the DISKPART> prompt, type select disk 2, and press ENTER.



4. At the DISKPART> prompt, type list partition, and press ENTER.

5. At the DISKPART> prompt, type select partition 1, and press ENTER.

6. At the DISKPART> prompt, type shrink desired=100, and press ENTER.

7. At the DISKPART> prompt, type exit, and press ENTER.

Task 5: Create a spanned volume


1. Switch to Disk Management.

2. In Disk Management, on Disk 2, right-click Simple (F:), and then click Delete
Volume.

3. In the Delete simple volume dialog box, click Yes.

4. In Disk Management, on Disk 3, right-click simple2 (G:), and then click Delete
Volume.

5. In the Delete simple volume dialog box, click Yes.

6. In Disk Management, on Disk 2, right-click Unallocated, and then click New


Spanned Volume.

7. In the New Spanned Volume wizard, click Next.

8. On the Select Disks page, in the Select the amount of space in MB box, type 100

9. In the Available list, click Disk 3, and then click Add >.

10. In the Selected list, click Disk 3, and in the Select the amount of space in MB
box, type 150, and then click Next.

11. On the Assign Drive Letter or Path page, click Next.

12. On the Format Partition page, in the Volume label box, type Spanned, click
Next, and then click Finish.

13. In the Disk Management dialog box, click Yes.



Task 6: Create a striped Volume


1. In Disk Management, right-click Disk 2, and then click New Striped Volume.

2. In the New Striped Volume wizard, click Next.

3. On the Select Disks page, in the Available list, click Disk 3, and then click
Add >.

4. On the Select Disks page, in the Select the amount of space in MB box, type
1024, and then click Next.

5. On the Assign Drive Letter or Path page, click Next.

6. On the Format Partition page, in the Volume label box, type Striped, click
Next, and then click Finish.

7. Close Computer Management.

Exercise 2: Configuring Disk Quotas


Task 1: Create quotas on a volume
1. Click Start, and then click Computer.

2. Right-click Striped (G:), and then click Properties.

3. In the Striped (G:) Properties dialog box, click the Quota tab.

4. On the Quota tab, select the Enable quota management check box.

5. Select the Deny disk space to users exceeding quota limit check box.

6. Click Limit disk space to, in the adjacent box, type 10, and in the KB list, click
MB.

7. In the Set warning level to box, type 5, and in the KB list, click MB.

8. Select the Log event when a user exceeds their warning level check box, and
then click OK.

9. In the Disk Quota dialog box, review the message, and then click OK.

Task 2: Create test files


1. Switch to the Command Prompt window.

2. At the command prompt, type G:, and then press ENTER.

3. At the command prompt, type fsutil file createnew 1mb-file 1048576, and then
press ENTER.

4. At the command prompt, type fsutil file createnew 1kb-file 1024, and then press
ENTER.

These filenames enable you to identify them later as being 1 megabyte (MB) and 1
kilobyte (KB), respectively.

5. Close the Command Prompt window.

Task 3: Test the configured quotas by using a standard user account to


create files
1. Log off, and then log on to the LON-CL1 virtual machine as contoso\Amy with a
password of Pa$$w0rd.

2. Click Start, click Computer, and then double-click Striped (G:).

3. In the toolbar, click New Folder.

4. Type Amy’s files, and then press ENTER.

5. In the file list, right-click 1mb-file and drag it to Amy’s files, and then click Copy
here.

6. Double-click Amy’s files.

7. Right-click 1mb-file, and then click Copy.

8. Press CTRL+V four times.

9. In the Address bar, click Striped (G:).

10. In the file list, right-click 1kb-file and drag it to Amy’s files, and then click Copy
here.

11. Double-click Amy’s files.

12. Right-click 1mb-file, and then click Copy.

13. Press CTRL+V four times.

14. Press CTRL+V again.



15. In the Copy Item dialog box, review the message, and then click Cancel.

Task 4: Review quota alerts and event-log messages


1. Log off, and then log on to the LON-CL1 virtual machine as
contoso\administrator with a password of Pa$$w0rd.

2. Click Start, and then click Computer.

3. Right-click Striped (G:), and then click Properties.

4. In the Striped (G:) Properties dialog box, click the Quota tab, and then click
Quota Entries.

5. In the Quota Entries for Striped (G:), in the Logon Name column, double-click
contoso\amy.

6. In the Quota Settings for Amy Rusko (CONTOSO\amy) dialog box, click OK.

7. Close Quota Entries for Striped (G:).

8. Close Striped (G:) Properties.

9. Click Start, and in the Search box, type Event.

10. In the Programs list, click Event Viewer.

11. In the Event Viewer (Local) list, expand Windows Logs, and then click System.

12. Right-click System, and then click Filter Current Log.

13. In the <All Events IDs> box, type 36, and then click OK.

14. Examine the listed entry.

15. Close all open windows.



Exercise 3: Updating a Device Driver



Task 1: Update a device driver


1. Click Start, right-click Computer, and then click Manage.

2. In Computer Management, click Device Manager.

3. Expand Mice and other pointing devices, right-click Microsoft PS/2 Mouse, and
then click Update Driver Software.

4. In the Update Driver Software – Microsoft PS/2 Mouse dialog box, click
Browse my computer for driver software.

5. On the Browse for driver software on your computer page, click Let me pick
from a list of device drivers on my computer.

6. In the Show compatible hardware list, click PS/2 Compatible Mouse, and then
click Next.

7. Click Close.

8. In the System Settings Change dialog box, click Yes to restart the computer.

Task 2: Roll back a device driver


1. Log on to the LON-CL1 virtual machine as contoso\administrator with a
password of Pa$$w0rd.

2. Click Start, right-click Computer, and then click Manage.

3. In Computer Management, click Device Manager.

4. Expand Mice and other pointing devices, right-click PS/2 Compatible Mouse,
and then click Properties.

5. In the PS/2 Compatible Mouse Properties dialog box, click the Driver tab.

6. Click Roll Back Driver.

7. In the Driver Package rollback dialog box, click Yes.

8. Click Close, and then in the System Settings Change dialog box, click Yes to
restart the computer.

9. Log on to the LON-CL1 virtual machine as contoso\administrator with a


password of Pa$$w0rd.

10. Click Start, right-click Computer, and then click Manage.

11. In Computer Management, click Device Manager.



12. Expand Mice and other pointing devices, and then click Microsoft PS/2 Mouse.

13. Verify that you have successfully rolled back the driver.

14. Close Computer Management.

Task 3: Virtual Machine Shutdown


When you finish the lab, you should shut down the virtual machines and revert each
virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click
Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module 3: Configuring File Access and Printers


on Windows 7 Client Computers

Lab: Configuring File Access and Printers on Windows 7 Client Computers
Computers in this lab
Before you begin the lab, you must start the virtual machines. The virtual machines
used at the start of this lab are:
• 6292-LON-DC1
• 6292-LON-CL1
• 6292-LON-CL2

Start the virtual machines


1. On the host computer, click Start, point to Administrative Tools, and click
Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine name. In the Actions
pane, under the virtual machine name, click Start.
3. To connect to the virtual machine, click the virtual machine name, and in the
Actions pane, under the virtual machine name, click Connect.

Exercise 1: Create and configure a public shared folder for all users
Task 1: Create a folder
1. Log on to LON-CL1 as Contoso\Administrator with the password of Pa$$w0rd.
2. Click Start, click Computer, double-click Local Disk (C:).
3. Right-click in the empty space below the Name column, point to New, then click
Folder.
4. Type Public in the folder name and then press ENTER.

Task 2: Share the folder


1. Right-click the Public folder and point to Share with and then click Specific
people.
2. In the File Sharing box, click the arrow beside the text box, and click Everyone
and then click Add.

3. Select Everyone, then under Permission Level select Read/Write. Click Share.
4. Click Done to close the File Sharing dialog box.
5. Log off of LON-CL1.

Task 3: Log on to LON-CL2 as Contoso\Ryan


1. Log on to LON-CL2 as Contoso\Ryan with the password Pa$$w0rd.
2. Click Start, click Computer.

Task 4: Access shared folder


1. Click Map Network Drive on the top menu.
2. Ensure Drive is set to Z, then type \\LON-CL1\public in the Folder field, and
click Finish.
3. Right-click in an empty space below the Name column, point to New, click Text
Document, and then type Test File and press ENTER.
4. Log off of LON-CL2.

Exercise 2: Configuring Shared Access to Files for Specific Users
Task 1: Create a folder
1. Log on to LON-CL1 as Contoso\Administrator.
2. Click Start, click Computer, double-click Local Disk (C:).
3. Right-click in the empty space below the Name column, point to New, then click
Folder.
4. Type Restricted in the folder name, and then press ENTER.

Task 2: Share the folder with restricted permissions


1. Right-click the Restricted folder, point to Share with, and then click Specific
people.
2. In the File Sharing box, click the arrow beside the text box, and then click Find
people.
3. In the Select Users or Groups dialog box, type Contoso\Terri, click Check
Names, and then click OK.
4. Under Permission Level, click the down arrow and select Read/Write. Click
Share.
5. Click Done to close the File Sharing dialog box.

Task 3: Configure NTFS permissions on a folder


1. On LON-CL1, right-click C:\Restricted, and click Properties.
2. Click the Security tab.
3. Click Edit.
4. In the Permissions for Restricted dialog box, click Terri Chudzik.
5. Review all permissions.
6. Next to Full Control, remove the check mark under Allow. Click OK.
7. Click Advanced, and then review all permissions. Notice that none are inherited.
Click OK.
8. Click OK again to close the Restricted Permissions dialog box.
9. Double-click the Restricted folder.
10. Right-click in an empty space below the Name column, point to New, and then
click Microsoft Office Excel Worksheet.
11. Type Personal Finances in the file name, and then press ENTER.
12. Right-click in an empty space below the Name column, point to New, and then
click Microsoft Office Excel Worksheet.
13. Type Public Finances in the file name, and then press ENTER.
14. Right-click Personal Finances, click Properties.
15. Click the Security tab.
16. Click Advanced and review all inherited permissions.
17. Click Change Permissions.
18. Remove the check mark next to Include inheritable permissions from this
object’s parent, and then click Add when prompted.

19. Once again review all permissions. Notice that they are no longer inherited.
20. In Permission entries, click Terri Chudzik, then click Edit.
21. Uncheck all permissions under Allow, except the following: Traverse
folder/execute file, List folder/read data, Read attributes, Read extended attributes,
Read permissions. Click OK.

22. Click OK, and then click OK again. Click OK to close the Personal Finances
Properties dialog box.
23. Right-click Public Finances, and click Properties.
24. Click the Security tab.
25. Click Advanced and review all inherited permissions.
26. Click OK, close all windows, and log off of LON-CL1.

Task 4: Log on to LON-CL2 as Contoso\Terri


1. Log on to LON-CL2 as Contoso\Terri with the password Pa$$w0rd.
2. Click Start, click Computer.

Task 5: Test Terri’s permissions to the shared folder


1. Click Map Network Drive on the top menu.
2. Ensure Drive is set to Z, then type \\LON-CL1\Restricted in the Folder field, and
click Finish.
3. In the Restricted folder, right-click in the details pane and then point to New, and
then click Text Document.
4. Notice that you have permission to create files.
5. Double-click Public Finances. Click OK at the User Name prompt.
6. Type “I can modify this document”, then save and close the document.
7. Double click Personal Finances.
8. Type “I cannot modify this document”, and then try to save the document.
9. Click OK when prompted with a warning, then click Cancel.
10. Close the document without saving changes.
11. Log off of LON-CL2.
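The following PowerShell script is an added example, not courseware code: it reproduces Exercise 2 from an elevated prompt on LON-CL1 and then lists Terri's resulting NTFS entries, so the share-level and NTFS-level permissions can be compared without a second logon. It uses net share (the SmbShare cmdlets do not exist on Windows 7) and the .NET access-control classes available in Windows PowerShell 2.0. The folder, share and account names are the lab's; the .xlsx file names, the Get-UserEntries helper and the check at the end are assumptions added here, and empty files stand in for the Excel workbooks.

```powershell
# Added example (not courseware code). Run from an elevated Windows PowerShell
# prompt on LON-CL1 as Contoso\Administrator. Empty files stand in for the
# two Excel workbooks; only the ACLs matter here.
$folder   = 'C:\Restricted'
$personal = Join-Path $folder 'Personal Finances.xlsx'
$public   = Join-Path $folder 'Public Finances.xlsx'
$user     = 'Contoso\Terri'

# Task 1: the folder and the two files.
New-Item -ItemType Directory -Path $folder -Force | Out-Null
New-Item -ItemType File -Path $personal -Force | Out-Null
New-Item -ItemType File -Path $public   -Force | Out-Null

# Task 2: share it for Terri only. The wizard's Read/Write level is the
# CHANGE share permission; nobody else gets any share-level access.
net share "Restricted=$folder" "/GRANT:$user,CHANGE" | Out-Null

# Task 3, steps 1-8: Terri gets Modify (Full Control removed) on the folder,
# inherited by everything below it.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $user, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl = Get-Acl -Path $folder
$acl.SetAccessRule($rule)          # replaces any existing Allow entry for Terri
Set-Acl -Path $folder -AclObject $acl

# Task 3, steps 14-22: Personal Finances stops inheriting (keeping copies of
# the inherited entries), then Terri's copied Modify entry is cut back to
# read-and-execute, which is exactly the five rights the lab leaves ticked.
$acl = Get-Acl -Path $personal
$acl.SetAccessRuleProtection($true, $true)   # protect = on, preserve = copy
Set-Acl -Path $personal -AclObject $acl
$acl = Get-Acl -Path $personal
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]$user)
$readOnly = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $user, 'ReadAndExecute', 'Allow'
$acl.AddAccessRule($readOnly)
Set-Acl -Path $personal -AclObject $acl

# Check: list Terri's entries on each object. Through the share her effective
# access is the MORE restrictive of CHANGE (share) and these NTFS rights, so
# Public Finances is writable and Personal Finances is read-only, as Task 5 shows.
function Get-UserEntries([string]$Path, [string]$Identity) {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        ForEach-Object {
            $origin = if ($_.IsInherited) { 'inherited' } else { 'explicit' }
            '{0,-45} {1} ({2})' -f $Path, $_.FileSystemRights, $origin
        }
}
foreach ($p in $folder, $public, $personal) { Get-UserEntries -Path $p -Identity $user }
```

The last loop is the part worth keeping after the lab: run it for any account that reports "access denied" and you see at once whether the restriction comes from an explicit entry, an inherited one, or from the share permission that is not shown in the Security tab at all.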

Exercise 3: Creating and Sharing a Printer

Task 1: Add and share local printer


1. Log on to LON-CL1 as Contoso\Administrator with the password Pa$$w0rd.
2. Click Start, and then click Devices and Printers.
3. Click Add a Printer.
4. In the Add Printer wizard, click Add a local printer.
5. On the Choose a printer port page, make sure that Use an existing port is selected,
and then click Next.
6. On the Install the printer driver page, select HP from the Manufacturer list, then
select HP Photosmart D7400 series from the Printers list.
7. Click Next.
8. Accept the default printer name and click Next.
9. Leave the share name as HP Photosmart D7400 series, then click Next.
10. Click Finish.
11. Right-click the new printer, and then click Printer Properties.

Task 2: Configure printer security


1. Click the Security tab.
2. Click Add and then in the Select Users, Computers, Service Accounts, or
Groups dialog box, in the Enter the object names to select (examples) box, type
Contoso\Adam, click Check Names, and then click OK.
3. In the Group or user names box, click Adam Carter (Contoso\Adam).
4. In the Permissions for Adam Carter dialog box, next to Manage this printer,
select the Allow check box.
5. Click the Sharing tab.
6. Click the check box next to List in the directory.
7. Click OK.

Task 3: Log on to LON-CL2 as Contoso\Adam


1. Log on to LON-CL2 as Contoso\Adam with the password of Pa$$w0rd.

Task 4: Add network printer


1. Click Start, and then click Devices and Printers.
2. Click Add a Printer.
3. In the Add Printer wizard, click Add a network, wireless or Bluetooth printer.

4. On the Add Printer page, click The printer that I want isn’t listed.
5. On the Find a printer by name or TCP/IP address page, click Find a printer in the
directory, based on location or feature, and then click Next.
6. In the Find Printers box, click HP Photosmart D7400 series, then click OK.
7. Click Next, and then click Finish to complete.

Task 5: Virtual Machine Shutdown


When you finish the lab, you should shut down the virtual machines and revert each
virtual machine back to its initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual Machines list, and then click
Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Module 4: Configuring Network Connectivity

Lab: Configuring Network Connectivity
Computers in this lab
Before you begin the lab, you must start the virtual
machines. The virtual machines used at the start of this
lab are:
• 6292-LON-DC1
• 6292-LON-CL1

Start the virtual machines


1. On the host computer, click Start, point to
Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine
name. In the Actions pane, under the virtual machine
name, click Start.
3. To connect to the virtual machine, click the virtual
machine name, and in the Actions pane, under the
virtual machine name, click Connect.

Exercise 1: Configuring IPv4 Addressing


Task 1: Verify the current IPv4 configuration
1. Log on to the LON-CL1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Accessories,
and then click Command Prompt.
3. At the command prompt, type ipconfig /all and then
press Enter.
4. What is the current IPv4 address?
10.10.0.50
5. What is the subnet mask?
255.255.0.0
6. To which IPv4 network does this host belong?
10.10.0.0
7. Is DHCP enabled?
No

Task 2: Configure the computer to obtain an IPv4 address automatically
1. Click Start and then click Control Panel.
2. Under Network and Internet, click View network status
and tasks.
3. In Network and Sharing Center, to the right of the
Contoso.com Domain network, click Local Area Connection
3.
4. In the Local Area Connection 3 Status window, click
Properties.
5. Click Internet Protocol Version 4 (TCP/IPv4) and then
click Properties.
6. Click Obtain an IP address automatically, click Obtain
DNS server address automatically, and then click OK.
7. Click Close.

Task 3: Verify the new IPv4 configuration


1. In the Local Area Connection 3 Status window, click
Details.
2. What is the current IPv4 address?
10.10.10.1
3. What is the subnet mask?
255.255.0.0
4. To which IPv4 network does this host belong?
10.10.0.0
5. Is DHCP enabled?
Yes
6. When does the DHCP lease expire?
Eight days from now.
7. Click the Close button.

Task 4: Deactivate the DHCP scope


1. On the LON-DC1 virtual machine, log on as
Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then
click DHCP.
3. Expand lon-dc1.contoso.com, expand IPv4, and then click
Scope [10.10.0.0] LondonScope.
4. Right-click Scope [10.10.0.0] LondonScope and then
click Deactivate.
5. Click Yes to confirm deactivation of the scope.
6. Close the DHCP window.

Task 5: Obtain a new IPv4 address


1. On LON-CL1, at the command prompt, type ipconfig
/release and then press Enter.
2. At the command prompt, type ipconfig /renew, and then
press Enter.
3. At the command prompt, type ipconfig /all, and then
press Enter.
4. What is the current IPv4 address?
Answers will vary, but the address will be 169.254.x.x
5. What is the subnet mask?
255.255.0.0
6. To which IPv4 network does this host belong?
169.254.0.0
7. What kind of address is this?
An APIPA address

Task 6: Configure an alternate IPv4 address


1. In the Local Area Connection 3 Status window, click
Properties.

2. Click Internet Protocol Version 4 (TCP/IPv4) and then
click Properties.
3. Click the Alternate Configuration tab, click User
configured, and then enter the following:
• IP address: 10.10.11.1
• Subnet mask: 255.255.0.0
• Preferred DNS server: 10.10.0.10
4. Clear the Validate settings, if changed, upon exit
checkbox and then click OK to save the settings.
5. In the Local Area Connection 3 Properties window, click
Close.
6. At the command prompt, type ipconfig /release and then
press Enter.
7. At the command prompt, type ipconfig /renew, and then
press Enter.
8. At the command prompt, type ipconfig /all, and then
press Enter.
9. What is the current IPv4 address?
10.10.11.1
10. What is the subnet mask?
255.255.0.0
11. To which IPv4 network does this host belong?
10.10.0.0
12. What kind of address is this?
An alternate configuration address
13. Close the command prompt.

Task 7: Configure a static IPv4 address


1. In the Local Area Connection 3 Status window, click
Properties.
2. Click Internet Protocol Version 4 (TCP/IPv4) and then
click Properties.
3. Click Use the following IP address and type the
following:
• IP address: 10.10.0.50
• Subnet mask: 255.255.0.0
• Preferred DNS server: 10.10.0.10
4. Click OK.
5. In the Local Area Connection 3 Properties window, click
Close.
6. Close all open windows.

Exercise 2: Configuring IPv6 Addressing


Task 1: Verify the current IPv6 configuration
1. On LON-CL1, click Start, point to All Programs, click
Accessories, and then click Command Prompt.
2. At the command prompt, type ipconfig /all and then
press Enter.
3. What is the current IPv6 address?
Answers will vary, but will begin with fe80::
4. What type of IPv6 address is this?
Link-local

Task 2: Configure the computer with a static IPv6 address


1. Click Start and then click Control Panel.
2. Under Network and Internet, click View network status
and tasks.
3. In Network and Sharing Center, to the right of the
Contoso.com domain network, click Local Area Connection
3.
4. In the Local Area Connection 3 Status window, click
Properties.

5. Click Internet Protocol Version 6 (TCP/IPv6) and then
click Properties.
6. Click Use the following IPv6 address and enter the
following:
• IPv6 address:
2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A
• Subnet prefix length: 64
7. In the Internet Protocol Version 6 (TCP/IPv6)
Properties window, click OK.
8. In the Local Area Connection 3 Properties window, click
Close.

Task 3: Verify the new IPv6 configuration


1. In the Local Area Connection 3 Status window, click
Details.
2. Is the static address you configured listed?
Yes
3. Close the Network Connection Details window.

Task 4: Enable the DHCPv6 scope


1. On LON-DC1, click Start, point to Administrative Tools,
and then click DHCP.
2. Expand lon-dc1.contoso.com, expand IPv6, and then click
Scope [fc00:1234:1234:1234::] LondonIPv6Scope.
3. Right-click Scope [fc00:1234:1234:1234::]
LondonIPv6Scope and then click Activate.
4. Close the DHCP window.

Task 5: Configure the computer with a dynamic IPv6 address


1. In the Local Area Connection 3 Status window, click
Properties.
2. Click Internet Protocol Version 6 (TCP/IPv6) and then
click Properties.
3. Click Obtain an IPv6 address automatically, click
Obtain DNS server address automatically, and then click
OK.
4. In the Local Area Connection 3 Properties window, click
Close.

Task 6: Verify the dynamic IPv6 address


1. In the Local Area Connection 3 Status window, click
Details.
2. Is an IPv6 address listed?
Yes, starting with FC00:1234:1234:1234 from the scope
activated on the DHCP server. Note that it may take a
few minutes to be visible.
3. Close the Network Connection Details window.
4. Close all open windows.

Exercise 3: Troubleshooting Network Connectivity


Task 1: Verify connectivity to LON-DC1
1. On LON-CL1, click Start, right-click Computer, and then
click Map network drive.
2. In the Drive box, select P:.
3. In the Folder box, type \\LON-DC1\Data and then click
Finish.
4. Close the Data window.

Task 2: Prepare for troubleshooting


1. On LON-CL1, click Start and then click Control Panel.
2. Under Network and Internet, click View network status
and tasks.
3. In Network and Sharing Center, to the right of the
Contoso.com Domain network, click Local Area Connection
3.

4. In the Local Area Connection 3 Status window, click
Properties.
5. Clear the Internet Protocol Version 6 (TCP/IPv6)
checkbox and then click OK.
6. In the Local Area Connection 3 Status window, click
Close and then close Network and Sharing Center.
7. Run Mod4Script.bat located in the
E:\6292\LabFiles\Mod04 folder.
8. Close the Mod04 Window.

Task 3: Test Connectivity to LON-DC1


1. Click Start and click Computer.
2. Double-click Data(\\lon-dc1)(P:).
3. Click OK to clear the error message.
4. Are you able to access mapped drive P:?
No

Task 4: Gather information about the problem


1. Click Start, point to All Programs, click Accessories,
and then click Command Prompt.
2. At the command prompt, type ping lon-dc1 and then press
Enter.
3. At the command prompt, type ping 10.10.0.10 and then
press Enter.
4. At the command prompt, type ipconfig /all and then
press Enter.
5. What IP address is the computer using?
10.10.0.50
6. What subnet mask is the computer using?
255.255.255.255
7. What network is the computer on?
10.10.0.50

Task 5: Resolve the first problem


1. Click Start and then click Control Panel.
2. Under Network and Internet, click View network status
and tasks.
3. In Network and Sharing Center, to the right of the
Contoso.com Domain network, click Local Area Connection
3.
4. In the Local Area Connection 3 Status window, click
Properties.
5. In the Local Area Connection 3 Properties window, click
Internet Protocol Version 4 (TCP/IPv4) and then click
Properties.
6. In the Subnet mask box, type 255.255.0.0 and then click
OK.
7. In the Local Area Connection 3 Properties window, click
Close.

Task 6: Test the first resolution


1. In the Computer window, double-click Data(\\lon-dc1)(P:).
2. Click OK to clear the error message.
3. Are you able to access mapped drive P:?
No
4. At the command prompt, type ping lon-dc1 and then press
Enter.
5. At the command prompt, type ping 10.10.0.10 and then
press Enter.
6. At the command prompt, type ipconfig /all and then
press Enter.
7. What DNS server is the computer using?
10.10.10.10

Task 7: Resolve the second problem


1. In the Local Area Connection 3 Status window, click
Properties.
2. In the Local Area Connection 3 Properties window, click
Internet Protocol Version 4 (TCP/IPv4) and then click
Properties.
3. In the Preferred DNS server box, type 10.10.0.10 and
then click OK.
4. In the Local Area Connection 3 Properties window, click
Close.

Task 8: Test the second resolution


1. In the Computer window, double-click Data(\\lon-dc1)(P:).
2. Are you able to access mapped drive P:?
Yes
3. Close all open windows.
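The questions in Exercise 1 and Exercise 3 come down to one operation, AND-ing the address with the mask, plus recognising the 169.254.0.0/16 range. The PowerShell below is an added example, not courseware code: it reproduces that arithmetic and flags the two faults that Mod4Script.bat introduces (the host-only mask and the wrong DNS server), using only .NET classes so it runs offline on any Windows PowerShell 2.0 or later host. The sample addresses are the ones from the lab answers; the function names and the ExpectedDns baseline parameter are assumptions added here.

```powershell
# Added example (not courseware code): the arithmetic behind the lab answers
# and a sanity check for the two faults seen in Exercise 3. Offline; .NET only.

function Get-NetworkId {
    # Bitwise AND of address and mask: 10.10.0.50 / 255.255.0.0 -> 10.10.0.0
    param([string]$Address, [string]$Mask)
    $a = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $m = [System.Net.IPAddress]::Parse($Mask).GetAddressBytes()
    $n = [byte[]](0, 0, 0, 0)
    for ($i = 0; $i -lt 4; $i++) { $n[$i] = $a[$i] -band $m[$i] }
    return (New-Object System.Net.IPAddress -ArgumentList (,$n)).ToString()
}

function Get-AddressKind {
    # Classify an address the way the lab questions do.
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($b[0] -eq 169 -and $b[1] -eq 254) {
        return 'APIPA (169.254.0.0/16): no DHCP lease and no alternate configuration applied'
    }
    if ($b[0] -eq 10) { return 'Private (10.0.0.0/8)' }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return 'Private (172.16.0.0/12)' }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return 'Private (192.168.0.0/16)' }
    return 'Public or other'
}

function Test-IPv4Config {
    # One line per problem found; no output means the configuration looks sane.
    # $ExpectedDns is a constructed baseline (the lab's DNS server, 10.10.0.10).
    param(
        [string]$Address, [string]$Mask, [string]$Dns,
        [string]$Gateway = '', [string]$ExpectedDns = '10.10.0.10'
    )
    $net = Get-NetworkId $Address $Mask
    if ($Mask -eq '255.255.255.255') {
        "Mask $Mask leaves $Address alone on network $net; no other host is on-link"
    }
    if ((Get-NetworkId $Dns $Mask) -ne $net -and $Gateway -eq '') {
        "DNS server $Dns is off-link from $net and no default gateway is configured"
    }
    if ($Dns -ne $ExpectedDns) {
        "DNS server is $Dns; the expected server is $ExpectedDns (name resolution fails if nothing answers there)"
    }
    if ((Get-AddressKind $Address) -like 'APIPA*') {
        "$Address is an APIPA address; DHCP did not hand out a lease"
    }
}

# Samples constructed from the lab answers.
'Exercise 1, Task 1 network:      ' + (Get-NetworkId '10.10.0.50' '255.255.0.0')   # 10.10.0.0
'Exercise 1, Task 5 address kind: ' + (Get-AddressKind '169.254.37.8')              # APIPA
'Exercise 3, Task 4 (after Mod4Script.bat):'
Test-IPv4Config -Address 10.10.0.50 -Mask 255.255.255.255 -Dns 10.10.10.10
'Exercise 3, Task 6 (mask fixed, DNS still wrong):'
Test-IPv4Config -Address 10.10.0.50 -Mask 255.255.0.0 -Dns 10.10.10.10
'Exercise 3, Task 8 (both fixed, expect no output):'
Test-IPv4Config -Address 10.10.0.50 -Mask 255.255.0.0 -Dns 10.10.0.10
```

The three Test-IPv4Config calls follow the lab's troubleshooting order: with the /32 mask both faults are reported, after the mask is fixed only the DNS baseline mismatch remains, and after Task 7 nothing is reported. The mask and off-link checks are pure arithmetic; the DNS check only works because a known-good value is supplied, which is the general lesson of Exercise 3 (compare the live configuration against a baseline rather than reading it in isolation).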

Task 9: Virtual Machine Shutdown


When you finish the lab, you should shut down the virtual
machines and revert each virtual machine back to its
initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual
Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.
Module 5: Configuring Wireless Network Connections

Lab: Configuring Wireless Network Connections
Exercise 1: Determine the appropriate configuration for a
wireless network
Contoso Corporation Production Plant Wireless Network Requirements
Document Reference Number: AR-09-15-01
Document Author: Amy Rusko
Date: September 15th

Requirement Overview
I would like to deploy wireless networks across all of the production plants in the UK,
starting with the largest in Slough.
Security is critical, and we must deploy the strongest security measures available.
Some of our older computer equipment supports earlier wireless standards only.
Cordless telephones are in use at the plants.
Some of the production plants are located in busy trading districts with other commercial
organizations located nearby – again, it is important that the Contoso network is not
compromised.
Additional Information
What technical factors will influence the purchasing decision for the WAPs that Amy
should consider?
Answers will vary, but should include at least the following points:
• Coverage of a WAP
• Use of overlapping coverage and the same Service Set Identifier (SSID)
• Security options: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access
(WPA)/Wi-Fi Protected Access version 2 (WPA2), and 802.1X
• Wireless technology: 802.11b or 802.11g
How many WAPs does Amy need to purchase?
Answers will vary, but how much area each WAP must cover is a consideration.
Where would you advise Amy to place the WAPs?
In the ceiling, to increase coverage area, and away from sources of interference,
like generators or lift motors.
Which security measures will you recommend to Amy?
Answers will vary, but might include the strongest possible security measures.
Proposals
Answers will vary, but here is a suggested proposal:
Deploy only WAPs that support WPA2-Enterprise authentication, and use
additional infrastructure to provide this authentication. This will involve
deploying additional server roles in the Windows Server 2008 enterprise.
Specifically, the Network Policy and Access Services role.
WAPs must support 802.11b because of the legacy hardware deployed at some of
the production plants.
It is possible that interference from cordless telephones might be an issue, so the
choice of WAP should consider the ability to support a range of channels and,
depending on 802.11 modes, the frequencies.
The proximity of other businesses does pose a risk, and we must ensure accurate
placement of hubs, and directionality of antennae to mitigate this. So long as
appropriate security is in place, the risk should be low. Again, support of
enterprise (802.1X) authentication is critical here.

Exercise 2: Troubleshooting Wireless Connectivity


Incident Record
Incident Reference Number: 501235
Date of Call: October 21st
Time of Call: 10:45
User: Amy Rusko (Production Department)
Status: OPEN
Incident Details
Intermittent connection problems from computers connecting to the Slough production
department.
Some users can connect to the Slough wireless access points from the parking lot.
Additional Information
How will you verify that these problems are occurring?
Attend the location with a laptop running Windows 7.
What do you suspect is causing these problems?
Answers will vary, but might include a WAP that has been misplaced or moved.
How will you rectify these problems?
Identify the current locations of the WAPs, and situate them accordingly.

Plan of action
Answers will vary, but here is a suggested proposal:
Check the placement of all WAPs to ensure that they are not adjacent to any
forms of interference.

Module 6: Securing Windows 7 Desktops

Lab A: Configuring UAC, Local Security Policies, EFS, and AppLocker
Computers in this lab
Before you begin the lab, you must start the virtual
machines. The virtual machines used at the start of this
lab are:
• 6292-LON-DC1
• 6292-LON-CL1

Start the virtual machines


1. On the host computer, click Start, point to
Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine
name. In the Actions pane, under the virtual machine
name, click Start.
3. To connect to the virtual machine, click the virtual
machine name, and in the Actions pane, under the
virtual machine name, click Connect.

Exercise 1: Using Action Center


Task 1: Configure Action Center features
1. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, and then click Control Panel.
3. In Control Panel, click System and Security, and then
click Action Center.
4. Under Virus protection (Important), click the Turn off
messages about virus protection link.
5. Click the Action Center icon in the system tray. Notice
that there is no message related to virus protection.

Task 2: Configure and test UAC settings


1. Click Change User Account Control settings in the left
window pane.

2. Set the slide bar to the top setting.
3. Click OK.
4. Click Change User Account Control Settings in the left
window pane.
5. Set the slide bar two settings down from the top to
Notify me only when programs try to make changes to my
computer (do not dim my desktop).
6. Click OK.
7. Close the Action Center.

Exercise 2: Configuring Local Security Policies


Task 1: Configure local policies for multiple users
1. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start and then in the Search programs and files
box, type mmc and press ENTER. In Console1 – [Console
Root], on the menu, click File, and then click
Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, in the
Available snap-ins list, click Group Policy Object
Editor, and then click Add.
4. In the Select Group Policy Object dialog box, click
Browse.
5. In the Browse for a Group Policy Object dialog box,
click the Users tab.
6. In the Local Users and Groups compatible with Local
Group Policy list, click Administrators, and then click
OK.
7. In the Select Group Policy Object dialog box, click
Finish.
8. In the Add or Remove Snap-ins dialog box, in the
Available snap-ins list, click Group Policy Object
Editor, and then click Add.
9. In the Select Group Policy Object dialog box, click
Browse.
10. In the Browse for a Group Policy Object dialog box,
click the Users tab.
11. In the Local Users and Groups compatible with Local
Group Policy list, click Non-Administrators, and then
click OK.
12. In the Select Group Policy Object dialog box, click
Finish.
13. In the Add or Remove Snap-ins dialog box, click OK.
14. In Console1 – [Console Root], on the menu, click
File, and then click Save.
15. In the Save As dialog box, click Desktop.
16. In the File name box, type Custom Group Policy
Editor, and then click Save.
17. In Custom Group Policy Editor – [Console Root], in
the tree, expand Local Computer\Non-Administrators
Policy.
18. Expand User Configuration, expand Administrative
Templates, and then click Start Menu and Taskbar.
19. In the results pane, double-click Remove Music icon
from Start Menu.
20. In the Remove Music icon from Start Menu dialog box,
click Enabled, and then click OK.
21. In the results pane, double-click Remove Pictures
icon from Start Menu.
22. In the Remove Pictures icon from Start Menu dialog
box, click Enabled, and then click OK.
23. In Custom Group Policy Editor – [Console Root], in
the tree, expand Local Computer\Administrators Policy.
24. Expand User Configuration, expand Administrative
Templates, and then click Start Menu and Taskbar.
25. In the results pane, double-click Remove Documents
icon from Start Menu.
26. In the Remove Documents icon from Start Menu dialog
box, click Enabled, and then click OK.
27. Log off of LON-CL1.

Task 2: Test multiple local group policies


1. Log on to LON-CL1 as Contoso\Adam with a password of
Pa$$w0rd.
2. Click Start and confirm that there are no Pictures or
Music icons.
3. Log off of LON-CL1.
4. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
5. Click Start and confirm there is no Documents icon.
6. Log off of LON-CL1.

Exercise 3: Encrypting Data


Task 1: Secure files by using EFS
1. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, click Computer.
3. Double-click Local Disk (C:).
4. Right-click an empty space in the Name column, point to
New, and then select Folder.
5. Type Confidential in the folder name and press ENTER.
6. Double-click Confidential, then right-click an empty
space in the Name column, point to New, and then click
Microsoft Office Word Document.
7. Type Personal, and then press ENTER.
8. Click the left arrow in the menu bar to return to Local
Disk (C:).
9. Right-click on the Confidential folder, and then click
Properties.
10. On the General tab, click Advanced.
11. Select the Encrypt contents to secure data check
box, and then click OK.
12. In the Properties dialog box, click OK, and then in the
Confirm Attribute Changes dialog box, click Apply
changes to this folder, subfolders and files.
13. Click OK.
14. Click OK to close the Properties dialog box.
15. Log off.
16. Log on to LON-CL1 as Contoso\Adam with a
password of Pa$$w0rd.
17. Click Start, and then click Computer.
18. Double-click Local Disk (C:).
19. Double-click the Confidential folder.
20. Double-click Personal.
21. Click OK at all prompts.
22. Close the file.
23. Log off.
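An added example, not courseware code: the same folder encrypted with cipher.exe, followed by the check the GUI steps never show, which is who actually holds a key for the file. It assumes an elevated prompt on LON-CL1 as Contoso\Administrator; the .txt file is a stand-in for the Word document, and the folder name is the lab's.

```powershell
# Added example (not courseware code): Exercise 3 with cipher.exe, plus the
# check that shows who can decrypt a file. Run as Contoso\Administrator.
$folder = 'C:\Confidential'
$file   = Join-Path $folder 'Personal.txt'        # stand-in for the Word document
New-Item -ItemType Directory -Path $folder -Force | Out-Null
'private notes' | Set-Content -Path $file

# /e sets the encryption attribute; /s:<dir> recurses, so the folder, its
# existing files and anything created in it later are encrypted with the
# caller's EFS certificate (the GUI's "Apply changes to this folder,
# subfolders and files").
cipher /e "/s:$folder"

# Who can decrypt it? Expect the encrypting user's certificate and any data
# recovery agent. If no recovery certificate is listed, losing this user's
# profile or certificate loses the data: create one (cipher /r:<name>, then
# assign it through Group Policy) before users encrypt anything important.
cipher /c $file

# Encryption state of everything in the folder: E = encrypted, U = not.
cipher "$folder\*"
```

Task 1 proves the negative case by logging on as Adam and failing to open the file; cipher /c shows the same fact from the administrator's side, and is the quicker check when a user reports that a colleague's encrypted file cannot be opened.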

Exercise 4: Configuring AppLocker


Task 1: Configure an AppLocker rule
1. Log on to LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.

2. Click Start, in the Search programs and files box, type
gpedit.msc, and then press ENTER.
3. In the Local Group Policy Editor, expand Computer
Configuration, expand Windows Settings, and then expand
Security Settings.
4. Expand Application Control Policies, and then double-
click AppLocker.
5. Select Executable Rules, then right-click and select
Create New Rule.
6. Click Next.
7. On the Permissions screen, select Deny, then click
Select.
8. In the Select User or Group dialog box, in the Enter
the object names to select (examples) box, type
Contoso\Research, click Check Names, and then click OK.
9. Click Next.
10. On the Conditions screen, select Path, and then
click Next.
11. Click Browse Files…, and then click Computer.
12. Double-click Local Disk (C:).
13. Double-click Program Files, then double-click
Windows Media Player, and then select wmplayer and
click Open.
14. Click Next.
15. Click Next again, then click Create.
16. Click Yes if prompted to create default rules.
17. In the Local Group Policy Editor, expand Computer
Configuration, expand Windows Settings, and then expand
Security Settings.
18. Expand Application Control Policies.
19. Click AppLocker, and then right-click and select
Properties.
20. On the Enforcement tab, under Executable rules,
click the Configured checkbox and select Enforce rules.
21. Click OK.
22. Click Start, in the Search programs and files box,
type cmd, and then press ENTER.
23. In the Command Prompt window, type gpupdate /force
and press ENTER. Wait for the policy to be updated.
24. Click Start, right-click Computer and click Manage.
25. Expand Services and Applications, and then click
Services.
26. Right-click Application Identity service in the main
window pane, then click Properties.
27. Set the Startup type to Automatic, and then click
Start.
28. Click OK once the service starts.
29. Log off.

Task 2: Test the AppLocker rule


1. Log on to LON-CL1 as Contoso\Alan with a password
of Pa$$w0rd.
2. Click Start, click All programs, then click Windows
Media Player.
3. Click OK when prompted with a message.
4. Log off.
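The AppLocker cmdlets that ship with Windows 7 let the Exercise 4 rule be written as XML, tested against a user before it is applied, and merged into the local policy. The script below is an added example, not courseware code: it assumes an elevated prompt on LON-CL1 with domain connectivity (to translate Contoso\Research to a SID), and it deliberately starts the rule collection in AuditOnly mode rather than the Enforce rules setting the lab uses, because a Deny-only policy with no default rules locks everyone out the moment enforcement is on. The group, user and executable are the lab's; the rule name, the temporary file name and the audit-first choice are assumptions added here.

```powershell
# Added example (not courseware code): Exercise 4 with the Windows 7
# AppLocker module. Elevated prompt on LON-CL1; needs the domain to resolve
# the group SID.
Import-Module AppLocker

$group  = 'Contoso\Research'
$target = '%PROGRAMFILES%\Windows Media Player\wmplayer.exe'   # AppLocker path variable
$sid    = ([System.Security.Principal.NTAccount]$group).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value

# A single path-based Deny rule for Research. AuditOnly means AppLocker writes
# "would have been blocked" events (8003) to the AppLocker/EXE and DLL log
# instead of blocking; switch EnforcementMode to "Enabled" once the log shows
# no collateral damage. "Enabled" is the lab's Enforce rules setting.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([Guid]::NewGuid())" Name="Deny Windows Media Player to Research"
                  Description="Lab rule" UserOrGroupSid="$sid" Action="Deny">
      <Conditions>
        <FilePathCondition Path="$target" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'applocker-research.xml'
$policyXml | Set-Content -Path $policyFile

# Dry run against the XML only. Alan (a Research member) is denied by the
# rule; Administrator comes back denied by default, because this XML has no
# Allow rules at all. That is the lockout the wizard's "create default rules"
# prompt exists to prevent.
$exe = Join-Path $env:ProgramFiles 'Windows Media Player\wmplayer.exe'
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exe -User 'Contoso\Alan'
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $exe -User 'Contoso\Administrator'

# Apply with -Merge so the existing local rules (including the default Allow
# rules, if created) are kept, then start the service AppLocker depends on.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Re-test against the merged, effective policy.
Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $exe -User 'Contoso\Administrator'
```

Test-AppLockerPolicy is the step to keep: it answers "what would this policy do to this user" without changing anything, so the check in Task 2 (logging on as Alan and watching the launch fail) can be run for every affected account before the policy is enforced.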
Lab B: Configuring Windows Firewall, Internet Explorer 8 Security Settings, and
Windows Defender

Exercise 1: Configuring and testing inbound and
outbound rules in Windows Firewall
Task 1: Configure an inbound rule
1. Log on to the LON-DC1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, click All Programs.
3. Click Accessories, then click Remote Desktop Connection.
4. Type LON-CL1 into the Computer field, then click
Connect.
5. Were you prompted for credentials?
6. In Windows Security, click Cancel.
7. Close the Remote Desktop Connection dialog box.
8. Log on to the LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
9. Click Start, click Control Panel.
10. Click System and Security.
11. Click Windows Firewall.
12. In the left window pane, click Advanced settings.
13. In Windows Firewall with Advanced Security, select
Inbound Rules.
14. Review the existing inbound rules, and then right-click
Inbound Rules and click New Rule.
15. On the Rule Type page of the New Inbound Rule
wizard, select Predefined, then select Remote Desktop
from the dropdown menu.
16. Click Next.
17. Select the Remote Desktop (TCP-In) rule, and then
click Next.
18. Select Block the connection, then click Finish.
19. Log off of LON-CL1.

Task 2: Test the inbound rule
1. On LON-DC1, click Start, click All Programs.
2. Click Accessories, then click Remote Desktop Connection.
3. Type LON-CL1 into the Computer field, then click
Connect.
4. Were you prompted for credentials?
5. Click OK.
6. Log off.
7. Log on to the LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.

Task 3: Configure an outbound rule
1. On LON-CL1, click Start, click All Programs.
2. Click Accessories, then click Remote Desktop Connection.
3. Type LON-DC1 into the Computer field, then click
Connect.
4. Were you prompted for credentials?
5. In Windows Security, click Cancel.
6. Close the Remote Desktop Connection dialog box.
7. Click Start, click Control Panel.
8. Click System and Security.
9. Click Windows Firewall.
10. In the left window pane, click Advanced settings.
11. In Windows Firewall with Advanced Security, select
Outbound Rules.
12. Review the existing outbound rules, then right-click
Outbound Rules and click New Rule.
13. On the Rule Type page of the New Outbound Rule
wizard, select Port, then click Next.
14. Select TCP, then select Specific remote ports and
type 3389.
15. Click Next.
16. Select Block the connection, then click Next.
17. Click Next.
18. Type Remote Desktop – TCP 3389 in the Name field,
then click Finish.

Task 4: Test the outbound rule
1. On LON-CL1, click Start, click All Programs.
2. Click Accessories, then click Remote Desktop
Connection.
3. Type LON-DC1 into the Computer field, then click
Connect.
4. Were you prompted for credentials?
5. Click OK.
6. Close the Remote Desktop Connection dialog box.
7. Log off of LON-CL1.
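The inbound and outbound blocks from Exercise 1 as a script, added here and not part of the courseware. Windows 7 has no firewall cmdlets, so the rules go through netsh advfirewall; the rule names and the Test-TcpPort helper (a socket handshake standing in for the Remote Desktop Connection check) are my own.

```powershell
# Added example, not part of the 6292A courseware. Windows 7 has no firewall
# cmdlets, so the rules are created through netsh advfirewall; rule names and
# the Test-TcpPort helper are my own. Run elevated on the machine named.
function Add-LabRdpBlockRules {
    # Inbound (Tasks 1-2, on LON-CL1): same effect as the blocked predefined
    # Remote Desktop (TCP-In) rule. A Block rule wins over any Allow rule for
    # the same traffic, so the built-in allow rule does not have to be removed.
    netsh advfirewall firewall add rule name="Lab B - Block RDP inbound" `
        dir=in action=block protocol=TCP localport=3389 profile=any | Out-Null
    # Outbound (Tasks 3-4): port rule, TCP, specific remote port 3389, block.
    netsh advfirewall firewall add rule name="Lab B - Block RDP outbound" `
        dir=out action=block protocol=TCP remoteport=3389 profile=any | Out-Null
}

function Remove-LabRdpBlockRules {
    netsh advfirewall firewall delete rule name="Lab B - Block RDP inbound"  | Out-Null
    netsh advfirewall firewall delete rule name="Lab B - Block RDP outbound" | Out-Null
}

function Test-TcpPort {
    # $true only when a TCP handshake completes within the timeout. A blocked
    # port does not answer at all (the packet is dropped, not rejected), so the
    # timeout, not an error, is what shows the rule is working.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Task 4 from LON-CL1: with the outbound rule in place the handshake to LON-DC1
# must fail; once the rule is removed the same call succeeds again.
Add-LabRdpBlockRules
# What the firewall actually holds for the rule, profiles and enabled state included
netsh advfirewall firewall show rule name="Lab B - Block RDP outbound" verbose
"RDP to LON-DC1 reachable with block rule:    $(Test-TcpPort -ComputerName LON-DC1 -Port 3389)"
Remove-LabRdpBlockRules
"RDP to LON-DC1 reachable without block rule: $(Test-TcpPort -ComputerName LON-DC1 -Port 3389)"
```

Run the same Test-TcpPort call from LON-DC1 against LON-CL1 to check the inbound rule from Task 1.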

Exercise 2: Configuring and testing security settings in
Internet Explorer 8.0
Task 1: Enable Compatibility View in IE8
1. Log on to the LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click the Internet Explorer icon on the taskbar.
3. If prompted by the Set Up Windows Internet Explorer 8
dialog box, click Ask me later.
4. On the Tools menu, click Compatibility View Settings.
5. Click to select the Display all websites in
Compatibility View check box, and then click Close.

Task 2: Configure InPrivate Browsing
1. Type http://LON-DC1 into the Address bar and press
ENTER.
2. Click on the down arrow next to the Address bar to
confirm that the address you typed into the Address bar
is stored.
3. In Internet Explorer, click the Tools button, and then
click Internet Options.
4. Click the General tab. Under Browsing History, click
Delete.
5. In the Delete Browsing History dialog box, deselect
Preserve Favorites website data, select Temporary
Internet Files, Cookies, History, and then click
Delete.
6. Click OK to close the Internet Options box.
7. Confirm there are no addresses stored in the Address
bar by clicking on the down arrow next to the Address
bar.

Task 3: Test InPrivate Browsing
1. On the Safety menu, click InPrivate Browsing.
2. Type http://LON-DC1 into the Address bar and press
ENTER.
3. Confirm the address you typed in is not stored by
clicking on the down arrow next to the Address bar.
4. Close Internet Explorer.

Task 4: Configure InPrivate Filtering to automatically block all
sites
1. Click the Internet Explorer icon on the taskbar.
2. On the Safety menu, click InPrivate Filtering.
3. Click Block for me to block websites automatically.

Task 5: Configure InPrivate Filtering to choose content to block
or allow
1. On the Safety menu, click inPrivate Filtering Settings.
2. On the InPrivate Filtering settings window, click
Choose content to block or allow, then click OK.
3. Close Internet Explorer.
4. Log off of LON-CL1.

Exercise 3: Configuring scan settings and default
actions in Windows Defender
Task 1: Perform a quick scan
1. Log on to the LON-CL1 as Contoso\Administrator with a
password of Pa$$w0rd.
2. Click Start, click Search programs and files, then type
Windows Defender and press ENTER.
3. In Windows Defender, on the menu, click Scan.

Task 2: Schedule a full scan
1. In Windows Defender, on the menu, click Tools.
2. In Tools and Settings, click Options.
3. In Options, select Automatic scanning.
4. In the main window, ensure that the Automatically scan
my computer (recommended) checkbox is selected.
5. Set Frequency to Sunday.
6. Set Approximate time to 10:00 PM.
7. Set type to Full scan.
8. Ensure that the Check for updated definitions before
scanning checkbox is selected.
9. Click Save.

Task 3: Set default actions to quarantine severe alert items
1. In Windows Defender, on the menu, click Tools.
2. In Tools and Settings, click Options.
3. In Options, select Default actions.
4. Set Severe alert items to Quarantine.
5. Ensure that the Apply recommended actions checkbox is
selected.

Task 4: View the allowed items
1. In Windows Defender, on the menu, click Tools.
2. In Tools and Settings, view Allowed items.
3. Close Windows Defender.
4. Log off.

Task 5: Virtual Machine Shutdown
When you finish the lab, you should shut down the virtual
machines and revert each virtual machine back to its
initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual
Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module 7: Optimizing and Maintaining Windows 7 Client Computers

Lab: Optimizing and Maintaining Windows 7 Client Computers
Computers in this lab
Before you begin the lab, you must start the virtual
machines. The virtual machines used at the start of this
lab are:
• 6292-LON-DC1
• 6292-LON-CL1

Start the virtual machines
1. On the host computer, click Start, point to
Administrative Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine
name. In the Actions pane, under the virtual machine
name, click Start.
3. To connect to the virtual machine, click the virtual
machine name, and in the Actions pane, under the
virtual machine name, click Connect.

Exercise 1: Monitoring System Performance
Task 1: Review the running processes by using Resource Monitor
1. Log on to the LON-CL1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Accessories,
click System Tools, and then click Resource Monitor.
3. If necessary, click the Overview tab.
4. Is any process causing high CPU utilization?
No, overall CPU utilization is low.
5. Is any process causing high disk I/O?
No, overall disk I/O is low.
6. Is any process causing high network utilization?
No, overall network utilization is low.
7. Is any process causing high memory utilization?
No, overall memory utilization is low.
8. Close Resource Monitor.

Task 2: Create a data collector set
1. Click Start, type per, and then click Performance
Monitor.
2. In the left pane, expand Data Collector Sets and then
click User Defined.
3. Right-click User Defined, point to New, and then click
Data Collector Set.
4. In the Name box, type Bottleneck and then click Next.
5. In the Template Data Collector Set box, click System
Performance and then click Finish.

Task 3: Configure the data collector set schedule and stop
condition
1. In the Performance Monitor window, right-click
Bottleneck and click Properties.
2. Review the keywords listed on the General tab.
3. Click the Schedule tab and then click Add.
4. In the Beginning date box, verify that today’s date is
listed.
5. Select the Expiration date checkbox and then select a
date one week from today.
6. In the Launch area, in the Start time box, select 1:05
pm.
7. Verify that all days of the week are selected and then
click OK.
8. Click the Stop Condition tab.
9. In the Overall duration box, verify that 1 minute is
selected.
10. In the Limits area, select the Maximum size
checkbox, type 10 and then click OK.

Task 4: Review the data collector set counters
1. In the Performance Monitor window, right-click
Performance Counter and then click Properties.
2. Review the counters listed in the Performance counters
box.
3. Click Cancel.

Task 5: Test the data collector set
1. In the Performance Monitor window, right-click
Bottleneck and click Start.
2. Wait for Bottleneck to finish running.
3. Right-click Bottleneck and then click Latest Report.
4. Review the information listed under Performance.
5. Is there any resource that appears to be a bottleneck
at this time?
No, utilization of all resources is low.
6. Expand the CPU bar and then expand the Process bar and
review the CPU utilization information.
7. Close Performance Monitor.

Exercise 2: Backing Up and Restoring Data
Task 1: Create a data file to be backed up
1. On LON-CL1, click Start and then click Documents.
2. In the Documents library area, right-click an open
area, point to New, and then click Text Document.
3. To rename the document, type Important Document and
then press Enter.
4. Double-click Important Document to open it.
5. Type This is my important document and then close
Notepad.
6. Click Save.
7. Close the Documents window.

Task 2: Create a backup job for all user data
1. Click Start, point to All Programs, click Maintenance,
and then click Backup and Restore.
2. Click Set up backup.
3. Click Allfiles (E:) and then click Next.
4. Click Let me choose and then click Next.
5. Under Data Files, select all checkboxes.
6. Under Computer, clear all checkboxes.
7. Clear the Include a system image of drives: System
Reserved, (C:) checkbox and then click Next.
8. On the Review your backup settings page, click Change
schedule.
9. Clear the Run backup on a schedule box and then click
OK.
10. Click Save settings and run backup.
11. When the backup is complete, close Backup and
Restore.

Task 3: Delete a backed up data file
1. On LON-CL1, click Start and then click Documents.
2. In the Documents library area, right-click Important
Document and then click Delete.
3. Click Yes to confirm and then close the Documents
window.

Task 4: Restore the deleted data file
1. Click Start, point to All Programs, click Maintenance,
and then click Backup and Restore.
2. Click Restore my files and then click Search.
3. In the Search for box, type Important and then click
Search.
4. Select the Important Document checkbox and then click
OK.
5. Click Next.
6. Click Restore to restore the file in the original
location.
7. Click Finish and then close Backup and Restore.

Task 5: Verify that the data file is restored
1. Click Start and then click Documents.
2. Verify that Important Document is present.
3. Close the Documents window.

Exercise 3: Configuring System Restore Points
Task 1: Enable restore points for all disks except the backup disk
1. On LON-CL1, click Start, right-click Computer and then
click Properties.
2. In the System window, click System protection.
3. In the Protection settings area, click Local Disk (C:)
(System) and then click Configure.
4. In the Restore Settings area, click Restore system
settings and previous versions of files and then click
OK.
5. In the Protection settings area, click Allfiles (E:)
and then click Configure.
6. In the Restore Settings area, click Restore system
settings and previous versions of files and then click
OK.

Task 2: Create a restore point
1. In the System Properties window, click Create.
2. In the System Protection window, type Restore Point
Test and then click Create.
3. When restore point creation is complete, click Close.
4. In the System Properties window, click OK and then
close the System window.

Task 3: Edit the contents of a file
1. Click Start and click Documents.
2. Double-click Important Document.
3. In Notepad, delete the contents of the file and then
close Notepad.
4. Click Save to save the modified file.

Task 4: Verify the previous version of a file
1. Right-click Important Document and then click Restore
previous versions.
2. Review the versions available to be restored. Notice
that both the backup and restore point are listed.
3. Click the previous version in the Restore point and
then click Restore.
4. Click Restore to confirm.
5. In the Previous Versions window, click OK and then
click Cancel.
6. Double-click Important Document and then read the
contents. Notice that the contents have been restored.
7. Close Notepad and then close the Documents window.

Task 5: Restore a restore point
1. Click Start, point to All Programs, click Accessories,
click System Tools, and then click System Restore.
2. Click Next to begin.
3. Click Restore Point Test and then click Next.
4. Click Finish and then click Yes.
5. Wait for the computer to restart and then log on as
Contoso\Administrator with a password of Pa$$w0rd.
6. In the System Restore window, click Close.

Exercise 4: Configuring Windows Update
Task 1: Verify that automatic updates are disabled
1. Click Start and click Control Panel.
2. Click System and Security and then click Windows
Update.
3. Click Change settings and review the available
settings.
4. Click Cancel and then close the Windows Update
window.

Task 2: Enable automatic updates in a group policy
1. Log on to the LON-DC1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, point to Administrative Tools, and then
click Group Policy Management.
3. If necessary, expand Forest: Contoso.com, expand
Domains, and then click Contoso.com.
4. Right-click Default Domain Policy and click Edit.
5. Under Computer Configuration, expand Policies, expand
Administrative Templates, expand Windows Components,
and then click Windows Update.
6. In the right pane, double-click Configure Automatic
Updates.
7. In the Configure Automatic Updates window, click
Enabled.
8. In the Configure automatic updating box, click 4 – Auto
download and schedule the install.
9. Click OK and then close the Group Policy Management
Editor window.
10. Close the Group Policy Management window.

Task 3: Verify that the automatic updates setting from the group
policy is being applied
1. On LON-CL1, click Start, type gpupdate and then press
Enter.
2. Click Start and click Control Panel.
3. Click System and Security and then click Windows
Update.
4. Click Change settings and review the available
settings. Notice that you can no longer change the
settings because they are being enforced by the group
policy.
5. Click Cancel and then close the Windows Update
window.

Task 4: Virtual Machine Shutdown
When you finish the lab, you should shut down the virtual
machines and revert each virtual machine back to its
initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual
Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Module 8: Configuring Mobile Computing and Remote Access in Windows 7

Lab: Configuring Mobile Computing and Remote Access
in Windows 7
Incident Record—suggested answer

Incident Record
Incident Reference Number: 502509
Date of Call: November 5th
Time of Call: 08:45
User: Amy Rusko (Production Department)
Status: OPEN
Incident Details
Amy would like you to establish a sync partnership with her Windows Mobile device.
Amy needs the power options to be configured for optimal battery life when she is
traveling.
Amy wants to enable remote desktop on her desktop computer in the office for her own
user account so she can connect remotely to her desktop from her laptop.
Amy wants to be able to access documents from the head-office and enable others at
the plant to access those files without delay.
Additional Information
Amy’s laptop is running Windows 7 Enterprise.
The Slough plant has no file-server at present.
Resolution
1. You have synchronized the Windows Mobile device with Windows 7.
2. Amy’s laptop has an appropriate power plan.
3. Amy’s laptop has Remote Desktop enabled for Contoso\Amy.
4. BranchCache Distributed Cache mode configured and enabled on the Slough Plant
shared folder. Amy’s computer tested – BranchCache successfully enabled.

Computers in this lab
Before you begin the lab, you must start the virtual
machines. The virtual machines used at the start of this
lab are:
• 6292-LON-DC1
• 6292-LON-CL1

Start the virtual machines
1. On the host computer, click Start, point to Administrative
Tools, and click Hyper-V Manager.
2. In the Virtual Machines pane, click the virtual machine
name. In the Actions pane, under the virtual machine
name, click Start.
3. To connect to the virtual machine, click the virtual
machine name, and in the Actions pane, under the
virtual machine name, click Connect.

Exercise 1: Creating a Sync Partnership
Task 1: Create Items in Outlook
1. Log on to the LON-CL1 virtual machine as Contoso\Amy
with a password of Pa$$w0rd.
2. Click Start, point to All Programs, click Microsoft
Office, and then click Microsoft Office Outlook 2007.
3. In the Outlook 2007 Startup wizard, click Next.
4. On the E-mail accounts page, click No, and then click
Next.
5. On the Create Data File page, select the Continue with no
e-mail support check box, and then click Finish.
6. In the User Name dialog box, click OK.
7. If prompted, in the Welcome to the 2007 Microsoft Office
System, click Next, click I don’t want to use Microsoft
Update, and then click Finish.
8. If prompted, in the Microsoft Office Outlook dialog box,
click No.
9. In Outlook, on the left, click Calendar.
10. In the results pane, click the Month tab, and then
double-click tomorrow.
11. In the Untitled – Event dialog box, in the Subject field,
type “Production department meeting”.
12. In the Location field, type “Conference room 1”, and then
click Save & Close.
13. If prompted with a reminder for the appointment, click
Dismiss.
14. In Outlook, on the left, click Contacts.
15. On the menu, click New.
16. In the Untitled – Contact dialog box, in the Full Name
field, type “Andrea Dunker”.
17. In the Job title box, type “IT Department”, and then click
Save & Close.
18. Close Outlook.

Task 2: Configure Windows Mobile Device Center
1. Click Start, point to All Programs, and then click
Windows Mobile Device Center.
2. In the Windows Mobile Device Center dialog box, click
Accept.
3. In the Windows Mobile Device Center dialog box, click
Mobile Device Settings, and then click Connection
settings.
4. In the Connection Settings dialog box, in the Allow
connections to one of the following list, click DMA,
and then click OK.
5. In the User Account Control dialog box, in the User
name box, type administrator.
6. In the Password box, type Pa$$w0rd, and then click Yes.
7. Close Windows Mobile Device Center.

Task 3: Connect the Windows Mobile Device
1. Click Start, point to All Programs, click Windows
Mobile 6 SDK, click Standalone Emulator Images, click
US English, and then click WM 6.1.4 Professional.
2. Wait until the emulator has completed startup.
3. Click Start, point to All Programs, click Windows
Mobile 6 SDK, click Tools, and then click Device
Emulator Manager.
4. In the Device Emulator Manager dialog box, click the
play symbol.
5. From the menu, click Actions, and then click Cradle.
6. Close Device Emulator Manager.

Task 4: Synchronize the Windows Mobile Device
1. In the Windows Mobile Member Center dialog box, click
Don’t Register.
2. In Windows Mobile Device Center, click Set up your
device.
3. In the Set up Windows Mobile Partnership wizard, on the
What kinds of items do you want to sync? page, click
Next.
4. On the Ready to set up the Windows Mobile partnership
page, click Set Up.
5. After synchronization is complete, close Windows Mobile
Device Center.
6. On the Windows Mobile Device, click Start, and then
click Calendar.
7. Click tomorrow’s date. Is the Production Department
meeting displayed?
8. Click Start, and then click Contacts. Are there
contacts listed?
9. Close all open windows. Do not save changes. Log off of
LON-CL1.
10. Update the resolution section of incident record
502509 with the information about the successful
creation of a sync partnership.

Exercise 2: Configuring Power Options
Task 1: Create a power plan for Amy’s laptop
1. Log on to the LON-CL1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, and then click Control Panel.
3. Click System and Security.
4. Click Power Options.
5. On the left, click Create a power plan.
6. On the Create a power plan page, click Power saver.
7. In the Plan name box, type Amy’s plan, and then click
Next.
8. On the Change settings for the plan: Amy’s plan page,
in the Turn off the display box, click 3 minutes, and
then click Create.

Task 2: Configure Amy’s power plan
1. In Power Options, under Amy’s plan, click Change plan
settings.
2. On the Change settings for the plan: Amy’s plan page,
click Change advanced power settings.
3. Configure the following properties for the plan, and
then click OK.
• Turn off hard disk after: 5 minutes
• Wireless Adapter Settings, Power Saving Mode:
Maximum Power Saving
• Power buttons and lid, Power button action: Shut
down
4. On the Change settings for the plan: Amy’s plan page,
click Cancel.

Task 3: Update the incident record with the power plan changes
1. Update the resolution section of incident record 502509
with the information about the successful configuration
of a power plan for Amy’s laptop.
2. Close Power Options.

Exercise 3: Enabling Remote Desktop
Task 1: Enable remote desktop through the firewall
1. On LON-CL1, click Start, and in the Search box, type
Firewall.
2. In the Programs list, click Windows Firewall.
3. In the Windows Firewall dialog box, click Allow a
program or feature through Windows Firewall.
4. In the Name list, select the Remote Desktop check box,
and then select the check boxes for the Domain,
Home/Work, and Public profiles. Click OK.
5. Close Windows Firewall.
6. Click Start, right-click Computer, and then click
Properties.
7. Click Remote settings.
8. Under Remote Desktop, click Allow connections from
computers running any version of Remote Desktop (less
secure).
9. Click Select Users, and then click Add.
10. In the Select Users or Groups dialog box, in the
Enter the object names to select (examples) box, type
Amy, click Check Names, and then click OK.
11. In the Remote Desktop Users dialog box, click OK.
12. In the System Properties dialog box, click OK.
13. Close all open windows.

Task 2: Use remote desktop
1. Switch to the LON-DC1 virtual machine and then log on
as Administrator with the password of Pa$$w0rd.
2. Click Start, point to All Programs, point to
Accessories, and then click Remote Desktop Connection.
3. In the Remote Desktop Connection dialog box, in the
Computer box, type lon-cl1, and then click Options.
4. Click the Advanced tab.
5. Under Server authentication, in the If server
authentication fails list, click Connect and don’t warn
me.
6. Click Connect.
7. In the Windows Security dialog box, in the Password
box, type Pa$$w0rd, and then click OK.
8. Click Start, right-click Computer, and then click
Properties.
9. Notice the computer name.
10. Close the remote desktop session.
11. Close all open windows.
12. Switch to the LON-CL1 virtual machine.
13. Notice you have been logged off.
14. Log on as Contoso\Administrator with a password of
Pa$$w0rd.

Task 3: Update the incident record with the remote desktop
changes
1. Update the resolution section of incident record 502509
with the information about the successful configuration
of remote desktop for Amy’s laptop.
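Exercise 3, Task 1 as a script, added here and not taken from the courseware. It assumes LON-CL1 and the lab's Contoso\Amy account; the registry values are the ones the Remote settings dialog writes, the function names are my own, and the -RequireNla switch is the hardened alternative to the "less secure" option chosen in step 8.

```powershell
# Added example, not part of the 6292A courseware: Exercise 3 Task 1 scripted
# on LON-CL1 for the lab's Contoso\Amy. The registry values are the ones the
# Remote settings dialog writes; function names are my own. Run elevated.
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Enable-LabRemoteDesktop {
    param([string]$User = 'Contoso\Amy', [switch]$RequireNla)
    # Step 8: fDenyTSConnections = 0 is "Allow connections"
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0
    # UserAuthentication = 0 is the lab's "any version of Remote Desktop (less
    # secure)" choice. 1 is the NLA option: the client must authenticate before
    # a session and logon screen are created, so unauthenticated peers never
    # reach the logon UI. Pass -RequireNla to take that option instead.
    $nla = 0
    if ($RequireNla) { $nla = 1 }
    Set-ItemProperty -Path "$TsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value $nla
    # Steps 1-5: enable the predefined Remote Desktop rule group on all profiles
    netsh advfirewall firewall set rule group="remote desktop" new enable=yes | Out-Null
    # Steps 9-11: Select Users adds the account to Remote Desktop Users, the
    # group that carries the "Allow log on through Remote Desktop Services" right
    net localgroup "Remote Desktop Users" $User /add | Out-Null
}

function Get-LabRemoteDesktopState {
    # Read the settings back so the change can be verified (or audited later).
    # net localgroup prints six header lines before the member list.
    $members = net localgroup "Remote Desktop Users" |
        Select-Object -Skip 6 |
        Where-Object { $_ -and $_ -notlike 'The command*' }
    New-Object PSObject -Property @{
        ConnectionsAllowed = ((Get-ItemProperty $TsKey).fDenyTSConnections -eq 0)
        NlaRequired        = ((Get-ItemProperty "$TsKey\WinStations\RDP-Tcp").UserAuthentication -eq 1)
        RemoteDesktopUsers = @($members)
    }
}

Enable-LabRemoteDesktop -User 'Contoso\Amy'                 # as in the lab
# Enable-LabRemoteDesktop -User 'Contoso\Amy' -RequireNla   # hardened variant
Get-LabRemoteDesktopState | Format-List
```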

Exercise 4: Enabling BranchCache
Task 1: Create a Production plant shared folder
1. Log on to the LON-DC1 virtual machine as
Contoso\Administrator with a password of Pa$$w0rd.
2. Click Start, click Computer, and double-click Local
Disk (C:).
3. In the menu, click New folder.
4. Type Slough Plant and press ENTER.
5. Right-click Slough Plant and then click Properties.
6. In the Slough Plant Properties dialog box, on the
Sharing tab, click Advanced Sharing.
7. In the Advanced Sharing dialog box, select the Share
this folder check box, and then click Permissions.
8. Click Remove, and then click Add.
9. In the Select Users, Computers, Service Accounts, or
Groups dialog box, in the Enter the object names to
select (examples) box, type production, click Check
Names, and then click OK.
10. In the Permissions for Production list, select the
Allow check box next to Full Control, and then click
OK.

Task 2: Enable BranchCache on the Production plant shared
folder
1. In the Advanced Sharing dialog box, click Caching.
2. Select the Enable BranchCache check box, and then click
OK.
3. In the Advanced Sharing dialog box, click OK.

Task 3: Configure NTFS file permissions for the shared folder


1. In the Slough Plant Properties dialog box, click the
Security tab.
2. Click Edit, and then click Add.
3. In the Select Users, Computers, Service Accounts, or
Groups dialog box, in the Enter the object names to
select (examples) box, type production, click Check
Names, and then click OK.
4. In the Permissions for Production list, select the
Allow check box next to Full Control, and then click
OK.
5. In the Slough Plant Properties dialog box, click
Close.

Task 4: Configure client-related BranchCache Group Policy
settings
1. Click Start, point to Administrative Tools, and click
Group Policy Management.
2. In Group Policy Management, expand Forest: Contoso.com,
expand Domains, expand Contoso.com, click BranchCache,
right-click BranchCache and then click Edit.
3. Expand Computer Configuration, expand Policies, expand
Administrative Templates, expand Network, and then
click BranchCache.
4. Double-click Turn on BranchCache, click Enabled, and
then click OK.
5. Double-click Set BranchCache Distributed Cache mode,
click Enabled, and then click OK.
6. Double-click Configure BranchCache for network files,
click Enabled, under Options type 0, and then click OK.
7. Double-click Set percentage of disk space used for
client computer cache, click Enabled, under Options,
type 10, and then click OK.
8. Close Group Policy Management Editor.
9. Close Group Policy Management.
10. Close all open windows.

Task 5: Configure the client firewall
1. Switch to the LON-CL1 computer.
2. If necessary, log on as Contoso\Administrator with a
password of Pa$$w0rd.
3. Click Start, click Control Panel, click System and
Security, and then click Windows Firewall.
4. In Windows Firewall, click Allow a program or feature
through Windows Firewall.
5. Under Allowed programs and features, in the Name list,
select the following check boxes and then click OK.
a. BranchCache – Content Retrieval (Uses HTTP)
b. BranchCache – Peer Discovery (Uses WSD)
6. Close Windows Firewall.

Task 6: Configure the client for BranchCache distributed mode
1. Open a Command Prompt.
2. At the Command Prompt, type gpupdate /force and then
press ENTER.
3. At the Command Prompt, type netsh branchcache set
service mode=DISTRIBUTED and then press ENTER.

Task 7: Verify BranchCache Client Configuration
1. At the Command Prompt, type netsh branchcache show
status and then press ENTER.

Task 8: Update the incident record with the BranchCache
changes
1. Update the resolution section of incident record 502509
with the information about the successful configuration
of BranchCache.

Task 9: Virtual Machine Shutdown
When you finish the lab, you should shut down the virtual
machines and revert each virtual machine back to its
initial state. To do this, complete the following steps:
1. On the host computer, start Hyper-V Manager.
2. Right-click each virtual machine name in the Virtual
Machines list, and then click Revert.
3. In the Revert Virtual Machine dialog box, click Revert.

Appendix
Starting Out in Windows PowerShell™ 2.0
Contents:
Lesson 1: Introduction to Windows PowerShell 2.0 A-3
Lesson 2: Remoting with Windows PowerShell 2.0 A-17
Lesson 3: Using Windows PowerShell Cmdlets for Group Policy A-27

Appendix Overview
Windows PowerShell™ enables IT professionals to automate
repetitive tasks, helping them increase consistency and be
more productive. For example, remoting capabilities enable
IT professionals to connect with multiple, remote
computers at one time to run commands. With Windows® 7, IT
professionals can use Windows PowerShell and its graphical
scripting editor to write comprehensive scripts that
access underlying technologies.

Lesson 1
Introduction to Windows PowerShell 2.0

Windows PowerShell is a task-based command-line shell and
scripting language designed especially for system
administration. Built on the .NET™ Framework, Windows
PowerShell helps IT professionals and users control and
automate the administration of the Windows operating
system and the applications that run on Windows.
Built-in Windows PowerShell commands, called cmdlets,
allow IT professionals to manage the computers in their
enterprise from the command line. Windows PowerShell
providers enable access to data stores, such as the
registry and certificate store, in the same way the file
system is accessed. Additionally, Windows PowerShell has a
rich expression parser and a fully developed scripting
language.

Overview of Windows PowerShell

Scripting is a flexible and powerful automation tool for
IT professionals. Windows 7 includes an improved version
of the Windows scripting environment in Windows PowerShell
2.0. Unlike traditional programming languages designed for
developers, the scripting language in Windows PowerShell
2.0 is designed for IT professionals and systems
administrators.
Command-line tools can be called from Windows PowerShell,
which allows control over aspects of the system that
support management. Windows PowerShell leverages the .NET
Framework, providing access to thousands of objects.
Windows PowerShell includes the following features:
• Cmdlets for performing common system administration
tasks, such as managing the registry, services,
processes, and event logs, and using Windows Management
Instrumentation (WMI). Cmdlets are not case-sensitive.
• A task-based scripting language and support for
existing scripts and command-line tools.
• Shared data between cmdlets. The output from one cmdlet
can be used as the input to another cmdlet.
• Command-based navigation of the operating system, which
lets consumers navigate the registry and other data
stores by using the same techniques that they use to
navigate the file system.
• Object manipulation capabilities. Windows PowerShell
accepts and returns .NET objects. These objects can be
directly manipulated or sent to other tools or
databases.
• Extensible interface, enabling independent software
vendors and enterprise developers to build custom tools
and utilities to administer their software.

New Features in Windows PowerShell 2.0

IT professionals can create, distribute, and run Windows
PowerShell scripts on computers that are running Windows 7
without having to deploy or service additional software
across the organization.
The following are changes in Windows PowerShell 2.0 for
Windows 7:
• New cmdlets: Windows PowerShell 2.0 includes hundreds
of new cmdlets, including Get-Hotfix, Send-MailMessage,
Get-ComputerRestorePoint, New-WebServiceProxy,
Debug-Process, Add-Computer, Rename-Computer,
Reset-ComputerMachinePassword, and Get-Random.
• Remote management: Commands can be run on one or
multiple computers by establishing an interactive
session from a single computer. Additionally, you can
establish a session that receives remote commands from
multiple computers.
• Windows PowerShell Integrated Scripting Environment
(ISE): Windows PowerShell ISE is a graphical user
interface where you can run commands and write, edit,
run, test, and debug scripts in the same window. It
includes a built-in debugger, multiline editing,
selective execution, syntax colors, line and column
numbers, and context-sensitive Help.
• Background jobs: Run commands asynchronously and in the
background while continuing to work in your session.
You can run background jobs on a local or remote
computer and store the results locally or remotely.
• Debugger: The Windows PowerShell debugger helps debug
functions and scripts. You can set and remove
breakpoints, step through code, check the values of
variables, and display a call-stack trace.
• Modules: Use Windows PowerShell modules to organize
your Windows PowerShell scripts and functions into
independent, self-contained units and package them to
be distributed to other users. Modules can include
audio files, images, Help files, and icons, and they
run in a separate session to avoid name conflicts.
• Transactions: Transactions enable you to manage a set
of commands as a logical unit. A transaction can be
committed or it can be completely undone so that the
affected data is not changed by the transaction.
• Events: The new event infrastructure helps you create
events, subscribe to system and application events, and
then listen, forward, and act on events synchronously
and asynchronously.
• Advanced functions: Advanced functions behave like
cmdlets, but they are written in the Windows PowerShell
scripting language instead of Visual C#®.
• Script internationalization: Scripts, functions,
display messages, and Help text are available in
multiple languages.
• Online Help: In addition to Help at the command line,
the Get-Help cmdlet has a new online parameter that
opens a complete and updated version of each Help topic
on Microsoft TechNet.
Windows PowerShell 2.0 includes cmdlets, providers, and
tools that you can add to Windows PowerShell to manage
other Windows technologies such as:
• Active Directory® Domain Services
• Windows® BitLocker™ Drive Encryption
• DHCP Server service
• Group Policy
• Remote Desktop Services
• Windows Server Backup

Windows PowerShell 2.0 System and Feature Requirements

Windows PowerShell has the following system and feature
requirements:
• Windows PowerShell requires the Microsoft .NET
Framework 2.0.
• Windows PowerShell ISE requires the Microsoft .NET
Framework 3.5 with Service Pack 1.
• The Out-GridView cmdlet requires the Microsoft .NET
Framework 3.5 with Service Pack 1.
• The Get-WinEvent cmdlet requires Windows Vista® or
later Windows versions and the Microsoft .NET Framework
3.5.
• The Export-Counter cmdlet runs only on Windows 7.
• Several cmdlets work only when the current user is a
member of the Administrators group on the computer or
when the current user provides the credentials of a
member of the Administrators group. This requirement is
explained in the Help topics for the affected cmdlets.

Cmdlets in Windows PowerShell 2.0

Windows PowerShell 2.0 includes hundreds of new cmdlets.
For example, you can:
• Manage client computers and servers
• Edit the registry and file system
• Perform WMI calls
• Connect to the .NET Framework development environment
Windows PowerShell cmdlets have a specific naming format:
a verb and a noun separated by a dash (-), such as
Get-Help, Get-Process, and Start-Service. Slashes (/ and \)
are not used with parameters in Windows PowerShell.
Cmdlets are designed to be used in combination with other
cmdlets; for example, the following types of cmdlets can be
combined to take multiple actions:
• Get cmdlets only retrieve data.
• Set cmdlets only establish or change data.
• Format cmdlets only format data.
• Out cmdlets only direct the output to a specified
destination.
Each cmdlet has a help file that you can access by typing
the following:

get-help <cmdlet-name> -detailed

The detailed view of the cmdlet help file includes a
description of the cmdlet, the command syntax,
descriptions of the parameters, and an example that
demonstrates the use of the cmdlet.
All cmdlets support a set of parameters that are called
common parameters. This feature provides a consistent
interface to Windows PowerShell. When a cmdlet supports a
common parameter, the use of the parameter does not cause
an error. However, the parameter might not have any effect
in some cmdlets. For a description of the common
parameters, type the following:

get-help about_commonparameters

Some parameter names are optional, meaning that you can
use the parameter by typing a parameter value without
typing the parameter name. The parameter value must appear
in the same position in the command as it appears in the
syntax diagram. For example, the Get-Help cmdlet has a
Name parameter that specifies the name of a cmdlet or
concept. You can type either of the following to supply
the parameter value:

get-help -name get-alias

get-help get-alias

Optional parameter names appear in square brackets, such
as:

Get-Help [[-Name] <string>]

To list the cmdlets in your shell, use Get-Command without
specifying any command parameters. Three columns of
information are returned:
• CommandType
• Name
• Definition
The Definition column displays the syntax of the cmdlet.

Note: Windows PowerShell 2.0 is fully backward compatible. Cmdlets, providers,
snap-ins, scripts, functions, and profiles designed for Windows PowerShell 1.0 work on
Windows PowerShell 2.0 without changes.

What is Windows PowerShell Eventing?

Many applications support immediate notifications of
important actions or events, which is commonly referred to
as eventing. Windows exposes helpful notifications around
file activity, services, and processes. These events form
the foundation of many diagnostic and system management
tasks.
In Windows 7, Windows PowerShell 2.0 supports eventing by
listening, acting on, and forwarding management and system
events. IT professionals can create Windows PowerShell
scripts that respond synchronously or asynchronously to
system events. When registering for an event through
remoting, event notifications can be automatically
forwarded to a centralized computer.
The following are eventing examples that IT professionals
can use:
• Create a script that performs directory management when
files are added to or removed from a specific location.
• Create a script that performs a management task only
when a specific event is added multiple times, or if
different events occur within a specified amount of
time.
• Create scripts that respond to events produced by
internal applications and perform management tasks
specific to organizational requirements.
Eventing supports WMI and .NET Framework events that
provide more detailed notifications than those available
in the standard event logs.
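The first eventing scenario in the list above (act when files are added to or removed from a folder), worked through as an added example that is not part of the courseware. It subscribes to the .NET FileSystemWatcher events with Register-ObjectEvent; the watched folder C:\Test\Watch and the log file location are assumptions.

```powershell
# Added example (not from the courseware). Watches a folder for files being
# added or removed and appends one line per change to a log file. Paths are
# assumptions; change them for your environment.
$folder  = 'C:\Test\Watch'
$logFile = Join-Path $env:TEMP 'watch.log'   # kept outside the watched folder
if (-not (Test-Path $folder)) {
    New-Item -Path $folder -ItemType Directory | Out-Null
}

# FileSystemWatcher is the .NET object that raises the Created and Deleted
# events; Windows PowerShell 2.0 eventing subscribes to them with
# Register-ObjectEvent.
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $folder
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents = $true

# The -Action block runs asynchronously each time the event fires. $Event is
# the automatic variable carrying the event data; $Event.MessageData holds
# whatever was passed in -MessageData (here, the log file path).
$action = {
    $e    = $Event.SourceEventArgs
    $line = "{0}`t{1}`t{2}" -f (Get-Date -Format s), $e.ChangeType, $e.FullPath
    Add-Content -Path $Event.MessageData -Value $line
}

# One subscription per event, each with its own SourceIdentifier so they can
# be listed and removed later.
foreach ($eventName in 'Created', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $eventName `
        -SourceIdentifier "Watch.$eventName" -Action $action `
        -MessageData $logFile | Out-Null
}

# Exercise the subscriptions: create and delete a file, then give the
# asynchronous actions a moment to run before reading the log.
$probe = Join-Path $folder 'probe.txt'
Set-Content -Path $probe -Value 'test'
Remove-Item -Path $probe
Start-Sleep -Seconds 2
if (Test-Path $logFile) { Get-Content -Path $logFile }

# Remove the subscriptions this script created and stop the watcher so
# nothing keeps running in the session.
Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'Watch.*' } |
    Unregister-Event
$watcher.EnableRaisingEvents = $false
$watcher.Dispose()
```

Get-EventSubscriber lists every active subscription in the session, which is how you confirm that nothing is left registered after a script like this ends.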

Overview of the Windows PowerShell 2.0 Integrated
Scripting Environment (ISE)

Windows 7 includes the new Windows PowerShell 2.0
Integrated Scripting Environment (ISE), a graphical
PowerShell development environment with debugging
capabilities and an interactive console. The Windows
PowerShell ISE requires Microsoft .NET Framework version
3.0 or later and provides the following features to
simplify script development:
• Integrated environment: A one-stop shop for interactive
shell tasks, and for editing, running, and debugging
scripts.
• Syntax coloring: Keywords, objects, properties,
cmdlets, variables, strings, and other tokens appear in
different colors to improve readability and reduce
errors.
• Unicode support: Unlike the command line, the ISE fully
supports Unicode, complex script, and right-to-left
languages.
• Selective invocation: Select any portion of a
PowerShell script, run it, and view the results in the
Output pane.
• Multiple sessions: Start up to eight independent
sessions (PowerShell tabs) within the ISE. This enables
IT professionals to manage multiple servers, each in
its own environment, from within the same application.
• Script Editor: Use the script editor to compose, edit,
debug and run functions, scripts, and script cmdlets.
The script editor includes tab completion, automatic
indenting, line numbers, search-and-replace, and go-to
line, among other features.
• Multi-line editing: Use the multiline editing feature
to type or paste several lines of code into the Command
pane at once. Press the up arrow to recall the previous
command; all lines in the command are recalled. To type
another line of code, press SHIFT+ENTER and a blank
line appears under the current line.
• Debugging: The integrated visual script debugger allows
the user to set breakpoints, step through the script,
check the call stack, and hover over variables to
inspect their value.
• Object model: The ISE comes with a complete object
model, which allows the user to write Windows
PowerShell scripts to manipulate the ISE.
• Customizability: The ISE is customizable, from the size
and placement of the panes to the text size and the
background colors.

Using the Windows PowerShell ISE Editor

The Windows PowerShell Integrated Scripting Environment
(ISE) provides a graphical environment to write, debug,
and execute Windows PowerShell scripts. There are two ways
to start Windows PowerShell ISE:
• From the Start menu, point to All Programs, point to
Windows PowerShell 2.0, and then click Windows
PowerShell ISE.
• In the Windows PowerShell console, in Cmd.exe, or in
the Run box, type powershell_ise.exe.
The results of commands and scripts are displayed in the
Windows PowerShell ISE Output pane. Move or copy the
results from the Output pane by using shortcut keys or the
Output toolbar and paste them anywhere in Windows. Then,
you can clear the Output pane display by clicking Clear
Output, by typing "clear-host", or by typing "cls".
Customize the Windows PowerShell ISE by:
• Moving and resizing the Command pane, Output pane, and
Script pane
• Showing or hiding the Script pane
• Changing the text size in all panes of Windows
PowerShell ISE

Windows PowerShell ISE Profile

Windows PowerShell ISE has its own Windows PowerShell
profile: Microsoft.PowerShell_ISE_profile.ps1. Use this
profile to store functions, aliases, variables, and
commands that you use in Windows PowerShell ISE.
Items in the Windows PowerShell AllHosts profiles
(CurrentUser\AllHosts and AllUsers\AllHosts) are available
in Windows PowerShell ISE, just as they are in any Windows
PowerShell host program. However, items in the Windows
PowerShell console profiles are not available in Windows
PowerShell ISE.
Instructions for moving and reconfiguring profiles are
available in Windows PowerShell ISE Help and
about_profiles.

Lesson 2
Remoting with Windows PowerShell 2.0

In the past, managing a remote computer meant having to
connect to it using Remote Desktop. This made large-scale
or automated management difficult. Windows PowerShell 2.0
addresses this issue with the introduction of remote
administration, also known as remoting. Remoting lets you
run Windows PowerShell commands for automated or
interactive remote group policy management by using the
standard management protocol WS-Management (WS-MAN). This
allows you to:
• Create scripts that run on one or many remote computers
• Take control of a remote Windows PowerShell session to
run commands directly on that computer
• Create a System Restore point to restore the computer
to a previous state if necessary
• Collect reliability data across the network
• Change firewall rules to protect computers from a newly
discovered vulnerability

Overview of Windows PowerShell Remoting

When you use remoting, you can run individual commands or
create a persistent connection ("session") to run a series
of related commands. You can start an interactive session
with a remote computer so that the commands run directly
on the remote computer. When you are working remotely, the
commands you type on one computer (the "local computer")
are run on another computer (the "remote computer").

Remoting Requirements
The remoting features of Windows PowerShell are built on
Windows Remote Management (WinRM), the Microsoft
implementation of the WS-Management protocol. WinRM is a
standard SOAP-based, firewall-compatible communications
protocol. It uses the WS-Management protocol with a
special SOAP payload designed specifically for Windows
PowerShell commands.
To work remotely, the local and remote computers must have
Windows PowerShell 2.0, Microsoft .NET Framework 2.0 or
higher, and the WinRM service. Any files and other
resources that are needed to run a particular command must
be on the remote computer; the remoting commands do not
copy any resources. IT professionals must have permission
to:
• Connect to the remote computer
• Run Windows PowerShell
• Access data stores and the registry on the remote
computer

Types of Remoting
Two types of remoting are supported:
• Fan-out remoting provides one-to-many capabilities that
allow IT professionals to run management scripts across
multiple computers from a single console.
• One-to-one interactive remoting enables IT
professionals to remotely troubleshoot a specific
computer.

Connecting to a Remote Computer

There are two ways to create a connection to a remote
computer:
• Create a temporary connection (telnet into)
• Create a persistent connection
Temporary connections are made by specifying the name of
the remote computer (or its NetBIOS name or IP address).
Persistent connections are made by opening a Windows
PowerShell session on the remote computer and then
connecting to it.

Creating a Temporary Connection

For a temporary connection, the session is started,
commands are run, and then you end the session. Variables
or functions defined in the command are no longer
available after the connection is closed. This is an
efficient method for running a single command or several
unrelated commands, even on a large number of remote
computers.
To create a temporary connection, use the Invoke-Command
cmdlet with the ComputerName parameter to specify the
remote computers and the ScriptBlock parameter to specify
the command. For example, the following command runs a
Get-Culture command on the Server01 computer:

invoke-command -computername Server01 -scriptblock {get-culture}

Creating a Persistent Connection

To create a persistent connection with another computer,
open a new Windows PowerShell session (PSSession) on the
remote computer, connect to the computer, and then enter
the session. The New-PSSession cmdlet creates the
PSSession and the Enter-PSSession cmdlet connects you to
it. For example, the following command creates sessions on
two remote computers and saves the sessions in the $s
variable:

$s = new-pssession -computername Server01, Server02

Use the Enter-PSSession cmdlet to connect to and start an
interactive session. For example, after a new session is
opened on Server01, the following command starts an
interactive session with the computer:

Enter-PSSession server01

Once you enter a session, the Windows PowerShell command
prompt on your local computer changes to indicate the
connection, for example:

Server01\PS>

The interactive session remains open until you close it.
This allows you to run as many commands as required. To
end the interactive session, type "Exit-PSSession".

How Remote Commands are Processed

When you connect to a remote computer and send it a remote
command, the command is transmitted across the network to
the Windows PowerShell client on the remote computer. The
command is then run on the remote computer's Windows
PowerShell client. The command results are sent back to
the local computer and appear in the Windows PowerShell
session on the local computer.
All of the local input to a remote command is collected
before any of it is sent to the remote computer. However,
the output is returned to the local computer as it is
generated.
When you connect to a remote computer, the system uses the
user name and password credentials on the local computer
to authenticate you as a user on the remote computer. The
credentials and all other transmission are encrypted.
Additional protection is provided by the UseSSL parameter
of Invoke-Command, New-PSSession, and Enter-PSSession.
This parameter uses HTTPS instead of HTTP and is designed
for use with basic authentication, where passwords might
be delivered in plain text.
To support remoting, the following new cmdlets have been
added:
• Invoke-Command
• Enter-PSSession
• Exit-PSSession
When running commands on multiple computers, be aware of
differences between the remote computers, such as
differences in operating systems, file system structure,
and the system registry. For example, the default home
folder is different depending on the version of Windows
that is installed. This location is stored in the
%homepath% environment variable ($env:homepath) and the
Windows PowerShell $home variable. On Windows 7 if no home
folder is assigned, the system assigns a default local
home folder to the user account (on the root directory
where the operating system files are installed as the
initial version).

Running Remote Commands

With a PSSession, you can run a series of remote commands
that share data, like functions, aliases, and the values
of variables. To run commands in a PSSession, use the
Session parameter of the Invoke-Command cmdlet. The
following command uses the Invoke-Command cmdlet to run a
Get-Process command in the PSSession on the Server01 and
Server02 computers. The command saves the processes in a
$p variable in each PSSession.

invoke-command -session $s -scriptblock {$p = get-process}

Because the PSSession uses a persistent connection, you
can run another command in the same PSSession and use the
$p variable. The following command counts the number of
processes saved in $p:

invoke-command -session $s -scriptblock {$p.count}

To interrupt a command, press Ctrl+C. The interrupt
request is passed to the remote computer where it
terminates the remote command.

Using the ComputerName Parameter

Several cmdlets have a ComputerName parameter that lets
you retrieve objects from remote computers. Because these
cmdlets do not use Windows PowerShell remoting to
communicate, you can use the ComputerName parameter of
these cmdlets on any computer that is running Windows
PowerShell. The computers do not have to be configured for
Windows PowerShell remoting or fulfill the system
requirements for remoting.
The following table provides more information about the
ComputerName parameter.

Command: get-help * -parameter ComputerName
Description: Finds cmdlets that use the ComputerName parameter.

Command: get-help <cmdlet-name> -parameter ComputerName
Description: Determines whether the ComputerName parameter requires
Windows PowerShell remoting.
Result: You see a statement similar to "This parameter does not rely
on Windows PowerShell remoting. You can use the ComputerName parameter
even if your computer is not configured to run remote commands."

How to Run a Remote Command on Multiple Computers

You can run commands on more than one remote computer at a
time. For temporary connections, the Invoke-Command
accepts multiple computer names. For persistent
connections, the Session parameter accepts multiple
PSSessions. The number of remote connections is limited by
the resources of the computers and their capacity to
establish and maintain multiple network connections.
To run a remote command on multiple computers, include all
computer names in the ComputerName parameter of the
Invoke-Command; separate the names with commas:

invoke-command -computername Server01, Server02, Server03 -scriptblock {get-culture}

You can also run a command in multiple PSSessions. The
following commands create PSSessions on Server01,
Server02, and Server03, and then run a Get-Culture command
in each PSSession:

$s = new-pssession -computername Server01, Server02, Server03

invoke-command -session $s -scriptblock {get-culture}

To include the local computer in the list of computers,
type the name of the local computer, a dot (.) or
"localhost".
To help manage resources on the local computer, Windows
PowerShell includes a per-command throttling feature that
limits the number of concurrent remote connections
established for each command. The default is 32 or 50
connections depending on the cmdlet. You can use the
ThrottleLimit parameter to set a custom limit.
The throttling feature is applied to each command and not
to the entire session or to the computer. When you are
running commands concurrently in several temporary or
persistent connections, the number of concurrent
connections is the sum of the concurrent connections in
all sessions. To find cmdlets with a ThrottleLimit
parameter, use the following script:

get-help * -parameter ThrottleLimit

How to Run a Script on Remote Computers

To run a local script on remote computers, use the
FilePath parameter of the Invoke-Command. The following
command runs the Sample.ps1 script on the Server01 and
Server02 computers:

invoke-command -computername Server01, Server02 -filepath C:\Test\Sample.ps1

The results of the script are returned to the local
computer. By using the FilePath parameter, you do not need
to copy any files to the remote computers.
Some tasks performed by IT professionals that use Windows
PowerShell 2.0 include:
• Running a command on all computers to check if the
Anti-Virus software service is stopped, and to
automatically restart it if necessary.
• Modifying the security rights on files or shares.
• Opening a data file and passing the contents into a
pre-formatted output file like an HTML page or
Microsoft® Office Excel® spreadsheet.
• Searching Event Logs for specific information.
• Remotely creating a System Restore point prior to
troubleshooting.
• Remotely querying for installed updates.
• Editing the registry using transactions.
• Remotely examining system stability data from the
reliability database.
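The first task in the list above (check on every computer whether the anti-virus service is stopped and restart it if necessary), worked through with the remoting cmdlets from this lesson, as an added example that is not from the courseware. The computer names, the service name WinDefend, the HTTPS (UseSSL) listener and the throttle value are assumptions.

```powershell
# Added example (not from the courseware). Computer names, the service name
# and the use of HTTPS listeners are assumptions; adjust for your environment.
$computers   = 'Server01', 'Server02', 'Server03'
$serviceName = 'WinDefend'        # assumed anti-virus service name
$cred        = Get-Credential     # prompted once, reused for every remote session

# One persistent PSSession per computer. -UseSSL moves the WinRM traffic to
# HTTPS, which the text recommends where Basic authentication is in play;
# -ThrottleLimit caps how many connections this one command opens at a time.
# Connection failures are non-terminating, so collect them instead of stopping.
$sessions = New-PSSession -ComputerName $computers -Credential $cred -UseSSL `
    -ThrottleLimit 16 -ErrorAction SilentlyContinue -ErrorVariable connectErrors
foreach ($err in $connectErrors) { Write-Warning $err.Exception.Message }
if (-not $sessions) { throw 'No remote session could be established.' }

# This block runs on each remote computer. Only the service name crosses the
# wire (via -ArgumentList); the result comes back as an object, not as text.
$check = {
    param($name)
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        $result = 'NotInstalled'
    } elseif ($svc.Status -eq 'Running') {
        $result = 'Running'
    } else {
        try {
            Start-Service -Name $name -ErrorAction Stop
            $svc.Refresh()
            $result = 'Restarted (' + $svc.Status + ')'
        } catch {
            $result = 'StartFailed: ' + $_.Exception.Message
        }
    }
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Service  = $name
        Result   = $result
    }
}

# Run the block in every session at once and collect the per-computer
# objects on the local computer.
$results = Invoke-Command -Session $sessions -ScriptBlock $check -ArgumentList $serviceName
$results | Sort-Object Computer | Format-Table Computer, Service, Result -AutoSize

# Persistent sessions hold resources on both ends until they are removed.
Remove-PSSession -Session $sessions
```

Computers that could not be reached appear as warnings rather than rows in the table, so an empty row set for a computer means a connection problem, not a healthy service.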

Lesson 3
Using Windows PowerShell Cmdlets for
Group Policy

Because IT professionals need to create many Group Policy
Objects (GPOs) that define a wide range of computer
settings, Microsoft provides the Group Policy Object
Editor and the Group Policy Management Console (GPMC)
tools. These tools allow administrators to create and
update GPOs.
However, since there are thousands of possible computer
settings, updating multiple GPOs can be time-consuming,
repetitive, and error-prone. Prior to Windows 7,
automating GPOs was limited to the management of the GPOs
themselves. Accessing the GPMC application programming
interfaces (APIs) also required the skill set of an
application developer. Windows 7 addresses these issues in
Windows PowerShell 2.0.

New Cmdlets for Group Policy Administration

You can use Windows PowerShell to automate the management
of GPOs and the configuration of registry-based settings.
Windows PowerShell provides 25 cmdlets to help perform
these tasks. You can use the Group Policy cmdlets to
perform the following tasks for domain-based GPOs:
• Maintain GPOs: GPO creation, removal, backup, and
import.
• Associate GPOs with Active Directory® containers: Group
Policy link creation, update, and removal.
• Set inheritance flags and permissions on Active
Directory organizational units and domains.
• Configure registry-based policy settings and Group
Policy Preferences Registry settings: Update,
retrieval, and removal.
• Create and edit Starter GPOs.

Group Policy Requirements and Settings for Windows
PowerShell 2.0

To use the Windows PowerShell Group Policy cmdlets, you
must be running one of the following:
• Windows Server® 2008 R2 on a domain controller or on a
member server that has the GPMC installed
• Windows 7 with RSAT installed. RSAT includes the GPMC
and its cmdlets.
To run Windows PowerShell Group Policy cmdlets on a
Windows 7 client computer, you must use the Import-Module
grouppolicy command to import the Group Policy module.
The module must be imported before you use the cmdlets:
at the beginning of every script that uses them and at
the beginning of every Windows PowerShell session.
You can use the GPRegistryValue cmdlets to change
registry-based policy settings and the GPPrefRegistryValue
cmdlets to change registry preference items. For more
information about the Group Policy cmdlets, use the
"Get-Help <cmdlet-name>" and "Get-Help <cmdlet-name> -detailed"
commands.
The following table displays the new group policy
settings. These group policy settings allow you to specify
whether Windows PowerShell scripts run before non-Windows
PowerShell scripts during computer startup and
shutdown, and user logon and logoff. By default, Windows
PowerShell scripts run after non-Windows PowerShell
scripts.

Setting name: Run Windows PowerShell scripts first at computer startup, shutdown
Location: Computer Configuration\Administrative Templates\System\Scripts\
Default value: Not Configured
Possible values: Not Configured, Enabled, Disabled
• This policy setting determines whether Windows PowerShell scripts will run
before non-PowerShell scripts during computer startup and shutdown. By
default, PowerShell scripts run after non-PowerShell scripts.
• If you enable this policy setting, within each applicable Group Policy
object (GPO), PowerShell scripts will run before non-PowerShell scripts
during computer startup and shutdown.

Setting name: Run Windows PowerShell scripts first at user logon, logoff
Location: Computer Configuration\Administrative Templates\System\Scripts\
Default value: Not Configured
Possible values: Not Configured, Enabled, Disabled
• This policy setting determines whether Windows PowerShell scripts will run
before non-PowerShell scripts during user logon and logoff. By default,
PowerShell scripts run after non-PowerShell scripts.
• If you enable this policy setting, within each applicable Group Policy
object (GPO), PowerShell scripts will run before non-PowerShell scripts
during user logon and logoff.

Setting name: Startup (PowerShell Scripts tab)
Location: Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run
Windows PowerShell scripts last

Setting name: Shutdown (PowerShell Scripts tab)
Location: Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run
Windows PowerShell scripts last

Setting name: Logon (PowerShell Scripts tab)
Location: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run
Windows PowerShell scripts last

Setting name: Logoff (PowerShell Scripts tab)
Location: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\
Default value: Not Configured
Possible values: Not Configured, Run Windows PowerShell scripts first, Run
Windows PowerShell scripts last