6292A ENU Companion

Date post: 31-Aug-2014
Upload: patience-baats

OFFICIAL MICROSOFT LEARNING PRODUCT

6292A Installing and Configuring Windows 7

Companion Content

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies. The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links may be provided to third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement of Microsoft of the site or the products contained therein.

© 2009 Microsoft Corporation. All rights reserved.

Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners.

Product Number: 6292A

Released: 10/2009

Installing, Upgrading, and Migrating to Windows 7 1-1

Module 1 Installing, Upgrading, and Migrating to Windows 7

Contents:

Lesson 1: Preparing to Install Windows 7

Lesson 2: Performing a Clean Installation of Windows 7

Lesson 3: Upgrading and Migrating to Windows 7

Lesson 4: Performing an Image-Based Installation of Windows 7

Lesson 5: Configuring Application Compatibility

Module Reviews and Takeaways

Lab Review Questions and Answers

1-2 Installing and Configuring Windows 7

Lesson 1

Preparing to Install Windows 7

Contents: Question and Answers

Question and Answers

Key Features of Windows 7

Question: What are the key features of Windows 7 that will help your organization?

Answer: The answer may vary, but in general all the key features of Windows 7 will help users in terms of usability, security, manageability, deployment, and productivity.

Editions of Windows 7

Question 1: Which edition of Windows 7 might you choose in the following scenarios?

Scenario 1: There are a few users in your organization. Currently, you do not have a centralized file server and none of the computers are joined to a domain.

Scenario 2: Your organization has more than one hundred users who are located in several offices across the country. In addition, you have several users that travel frequently.

Answer: Choose Windows 7 Professional for Scenario 1 and Windows 7 Enterprise for Scenario 2.

Scenario 1: For a business environment, choose either Windows 7 Professional or Windows 7 Enterprise. Windows 7 Home Premium, Windows 7 Home Basic, and Windows 7 Starter are targeted at home users. Because you have only a few users, Windows 7 Professional will be the best fit.

Scenario 2: Choose Windows 7 Enterprise and take advantage of features such as BranchCache and DirectAccess to increase the productivity of your mobile users.

Question 2: What is the difference between the Enterprise and the Ultimate edition of Windows 7?

Answer: There is no difference in terms of features between the Enterprise and Ultimate editions. Windows 7 Enterprise is available through Microsoft Software Assurance with Volume Licensing and Windows 7 Ultimate is available through the retail channel. There is no upgrade path between the two.

Hardware Requirements for Installing Windows 7

Question: What is the typical computer specification within your organization currently? Contrast that specification to what was typically available when Windows Vista was released. Do you think Windows 7 can be deployed to the computers within your organization as they currently are?

Answer: The answer may vary. Several years ago, when Windows Vista was released, the hardware requirements were considered quite high. Because the Windows 7 hardware requirements are the same as those for Windows Vista, computers in most organizations will be able to install Windows 7.

Options for Installing Windows 7

Question: Which type of installation do you use in the following scenarios?

Scenario 1: Your users have computers that are at least three years old and your organization plans to deploy Windows 7 to many new computers.

Scenario 2: There are only a few users in your organization, their computers are mostly new, but they have many applications installed and a lot of data stored in their computers.

Answer: The answers may vary. Your selection of the type of installation may not be decided by just these factors. In general, it is recommended that you perform a clean installation followed by migration of user settings and data. Avoid selecting upgrade, unless it only involves a few users or computers. In Scenario 1, you may want to purchase new hardware for your organization, perform a clean installation of Windows 7, and migrate the necessary user settings and data. In Scenario 2, you may want to perform an in-place upgrade to Windows 7.

Lesson 2

Performing a Clean Installation of Windows 7

Contents: Question and Answers

Detailed Demo Steps

Question and Answers

Discussion: Considerations for a Clean Installation

Question: When do you typically perform a clean installation of Windows?

Answer: The answer may vary, but in general, consider the following circumstances.

Clean installation considerations

You must perform a clean installation in the following circumstances:

• No operating system is installed on the computer.

• The installed operating system does not support an upgrade to Windows 7.

• The computer has more than one partition and needs to support a multiple-boot configuration that uses Windows 7 and the current operating system.

A clean installation is the preferred installation method. Performing a clean installation ensures that all of your systems begin with the same configuration and all applications, files, and settings are reset.

Methods for Performing Clean Installation

Question: In what situation will you use each method of performing a clean installation of the Windows operating system?

Answer: Running Windows installation from the product DVD is the most straightforward. Generally, this method is used in a home or small business environment or to install a reference computer. You can place the installation files in a network share so that you can run the Windows installation from the network to computers that do not have a DVD drive. Having the Windows installation in a network share also saves you the trouble of keeping the installation media. If you are installing Windows in a large organization and want to standardize the environment, install Windows by using an image.

Discussion: Common Installation Errors

Question: What potential issues might you encounter when installing Windows?

Answer: The answers may vary. The following table describes several installation problems and solutions that can be used to identify and solve specific problems.

Problem: Installation media is damaged.
Solution: Test the CD or DVD on another system.

Problem: BIOS upgrade is needed.
Solution: Check your computer supplier’s Internet site to determine whether a basic input/output system (BIOS) upgrade is available for Windows 7.

Problem: Hardware is installed improperly.
Solution: Check any messages that appear during the boot phase. Install add-on hardware properly, such as video cards and memory modules.

Problem: Hardware fails to meet minimum requirements.
Solution: Use Windows Catalog to locate products designed for Microsoft Windows and ensure that your hardware meets the minimum requirements for the edition of Windows 7 that you want to install.

Problem: Error messages appear during setup.
Solution: Carefully note any messages and search the Microsoft Knowledge Base for an explanation.

Demonstration: Configuring the Computer Name and Domain/Work Group Settings

Question: When will you configure the primary DNS suffix to be different from the Active Directory domain?

Answer: In most cases, you will not configure the primary DNS suffix to be different from the Active Directory domain. This is typically done in large organizations with a complex DNS structure that is independent of the Active Directory DNS structure. An example of why you might configure a different primary DNS suffix is to support applications that need to search in an alternate DNS domain.

Detailed Demo Steps

Demonstration: Configuring the Computer Name and Domain/Work Group Settings

Detailed demonstration steps

1. Log on to the 6292-LON-CL1 virtual machine as CONTOSO\Administrator with a password of Pa$$w0rd.

2. Click Start and then click Control Panel.

3. Click System and Security and then click System.

4. In the Computer name, domain, and workgroup settings area, click Change settings.

5. In the System Properties window, click the Change button. Note that the Network ID button performs the same task with a wizard.

6. In the Computer Name/Domain Changes window, click Workgroup and type “WORKGROUP”. This is the name of the workgroup to be joined.

7. Click OK.

8. Click OK to acknowledge the warning.

9. Click OK to close the welcome message.

10. Click OK to close the message about restarting.

11. In the System Properties window, click the Change button. Note that the Network ID button performs the same task with a wizard.

12. In the Computer Name/Domain Changes window, click Domain and type “Contoso.com”. This is the name of the domain to be joined.

13. Click the More button. Use this primary DNS suffix to have the computer search DNS domains other than the Active Directory® domain that it is joined to. The NetBIOS name is used for backward compatibility with older applications.

14. Click the Cancel button.

15. In the Computer Name/Domain Changes window, click OK.

16. When prompted, in the Windows Security box, type “Administrator” with a password of Pa$$w0rd.

17. Click OK three times and then click Close.

18. Click Restart Now.

19. After the system restarts, log on as Contoso\Administrator with a password of Pa$$w0rd.

Lesson 3

Upgrading and Migrating to Windows 7

Contents: Question and Answers

Question and Answers

Considerations for Upgrading and Migrating to Windows 7

Question: You are deploying Windows 7 throughout your organization. Given the following scenarios, which do you choose, upgrade or migration?

Scenario 1: Your organization has a standardized environment. You have several servers dedicated as storage space and the computers in your organization are no more than two years old.

Scenario 2: Your organization has a standardized environment. You have several servers dedicated as storage space and plan to replace existing computers, which are more than three years old.

Scenario 3: You do not have extra storage space and the computers in your organization are less than two years old. In addition, there are only five users in your organization and you do not want to reinstall existing applications to your user computers.

Answer: Scenario 1: Perform a wipe and load migration. To achieve a standardized environment, perform a clean installation, followed by a migration. In this scenario, you have storage space, but you do not plan to replace the existing hardware.

Scenario 2: Perform a side-by-side migration. To achieve a standardized environment, perform a clean installation, followed by a migration. In this scenario, you have storage space and plan to replace the existing hardware.

Scenario 3: Perform an in-place upgrade. In this scenario, you do not have the storage space required to perform migration. Also, migration requires you to reinstall all existing applications.

Tools for Migrating User Data and Settings

Question: How do you migrate applications to Windows 7?

Answer: You can migrate application settings but not the application itself. You have to reinstall your application on the destination computer before restoring the application settings there.

Lesson 4

Performing an Image-Based Installation of Windows 7

Contents: Question and Answers

Detailed Demo Steps

Question and Answers

Demonstration: Building an Answer File by Using Windows SIM

Question: Why might you use an answer file rather than manually completing the installation of Windows 7?

Answer: An answer file is used to automate the installation process for speed and consistency. When you use an answer file, you are assured that each installation is the same. Automating the installation process is more efficient when multiple computers are configured at once.

Demonstration: Creating a Bootable Windows PE Media

Question: After you have created the iso file, what do you do with it?

Answer: Typically, the next step is to burn the iso file as a bootable CD or DVD. It can then be used to perform imaging operations.

Demonstration: Configuring VHDs

Question: Given that a Windows 7-based VHD is configured to run in Virtual PC, can you configure the same VHD to run in native boot?

Answer: Yes. However, before a Windows 7-based VHD that is configured to run in Virtual PC can be used to run in native boot, you must remove system-specific data from the Windows installation by using Sysprep.

Detailed Demo Steps

Demonstration: Building an Answer File by Using Windows SIM

Detailed demonstration steps

Build an answer file by using Windows SIM

1. Log on to the 6292-LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Microsoft Windows AIK, and then click Windows System Image Manager.

3. In the Windows Image area, right-click Select a Windows image or catalog file and then click Select Windows Image.

4. Browse to E:\Labfiles\Mod01\Sources\, click install_Windows 7 ENTERPRISE.clg, and then click Open.

Note: If a catalog file does not exist for this edition of Windows 7, then you will be prompted to create a catalog file. The creation process takes several minutes. In this demonstration, you are not prompted to create a catalog file because it has already been created for you.

5. In the Answer File area, right-click Create or open an answer file, and then click New Answer File.

6. In the Windows Image area, expand Components and scroll down and expand x86_Microsoft-Windows-Setup. This group of settings is primarily used in the windowsPE stage of an unattended installation. Notice that it includes Disk Configuration.

7. Expand UserData and right-click ProductKey. Notice that this setting can only be applied in the windowsPE stage. This is used for an unattended installation where Windows 7 is installed from the install.wim file on the Windows 7 installation DVD.

8. Scroll down and click x86_Microsoft-Windows-Shell-Setup. Notice that the option for the product key is available here and shown in the Properties area.

9. Right-click x86_Microsoft-Windows-Shell-Setup and click Add setting to Pass 4 specialize. These settings are applied after an operating system has been generalized by using Sysprep.

10. In the Microsoft-Windows-Shell-Setup Properties area, in the ProductKey box, type “11111-22222-33333-44444-55555” and press Enter. Placing a product key in this answer file prevents the need to enter the product key during the installation of a new image.

11. Close Windows System Image Manager and do not save any changes.

Note: For more information, please refer to Windows SIM Technical Reference at http://go.microsoft.com/fwlink/?LinkID=154216.

Demonstration: Creating a Bootable Windows PE Media

Detailed demonstration steps

Create a bootable Windows PE media

1. Log on to the 6292-LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Microsoft Windows AIK, and then click Deployment Tools Command Prompt.

3. At the command prompt, type “copype.cmd amd64 E:\winpe_amd64” and press Enter. This command copies the necessary files to the E:\winpe_amd64 folder. If the folder does not exist, it is created.

4. At the command prompt, type the following command and then press Enter. This adds the ImageX tool to the files that will be added to the iso.

copy "C:\Program Files\Windows AIK\Tools\amd64\imagex.exe" E:\winpe_amd64\iso

5. At the command prompt, type the following command and then press Enter. This command creates the iso file with Windows PE.

oscdimg -n -bE:\winpe_amd64\etfsboot.com E:\winpe_amd64\iso E:\winpe_amd64\winpe_amd64.iso

Note: For more information on copype, copy, and oscdimg, refer to:

http://go.microsoft.com/fwlink/?LinkID=154217

http://go.microsoft.com/fwlink/?LinkID=154218

http://go.microsoft.com/fwlink/?LinkID=154219

Demonstration: Modifying Images by Using DISM

Detailed demonstration steps

Modify images by using DISM

1. Log on to the 6292A-LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Microsoft Windows AIK, and then click Deployment Tools Command Prompt.

3. At the command prompt, type “dism” and press Enter. This displays help information for the command.

4. At the command prompt, type “md C:\img” and then press Enter.

5. At the command prompt, type the following command and then press Enter.

dism /mount-wim /wimfile:E:\Labfiles\Mod01\Sources\install.wim /name:"Windows 7 ENTERPRISE" /mountdir:C:\img

6. When the image mounting is complete, at the command prompt, type “dism /get-mountedwiminfo” and press Enter. This displays information about the mounted image. Notice that an index number is displayed instead of the name.

7. Type “cd C:\img” and press Enter.

8. At the command prompt, type “dir” and press Enter. You can see the installation files for Windows 7 ENTERPRISE and modify them.

9. At the command prompt, type “cd \” and press Enter.

10. At the command prompt, type “dism /image:C:\img /?” and press Enter. This displays the available options for servicing an image such as adding a driver or adding a feature.

11. At the command prompt, type “dism /image:C:\img /add-driver /driver:E:\LabFiles\Mod01\vx6000\vx6000.inf” and press Enter. This adds the driver for the VX6000 Lifecam to the image so that it is available for all computers configured with this image.

12. At the command prompt, type “dism /unmount-wim /mountdir:C:\img /discard” and press Enter. This unmounts the image and discards the changes. Use the /commit option instead of /discard to save changes.

13. Close all open windows.

Lesson 5

Configuring Application Compatibility

Contents: Question and Answers

Question and Answers

Updating Shims

Question: When do you use a compatibility fix?

Answer: The answer may vary. You use a compatibility fix in several scenarios, such as when a compatibility issue exists on an application from a vendor that no longer exists, on an internally created application, on an application for which a compatible version is to be released in the near future, or on an application that is non-critical to the organization, regardless of its version.

Module Reviews and Takeaways

Review questions

You have decided to deploy Windows 7 in your organization. You are working from the organization’s head office. Your organization has five branch offices in the same country, and each branch office has fewer than ten users. In total, there are one hundred users in your organization’s head office. In addition, there are several users that work from home or on the go, all over the country. Your organization also has plans to grow to neighboring countries in the near future. This introduces languages that differ from the language used at your organization’s head office.

Your organization has a standardized and managed IT environment with Windows Server 2008 R2 and Active Directory in place. Almost all of the users are running Windows XP with Service Pack 3 and a few are running Windows Vista with Service Pack 2.

Question 1: Which edition of Windows 7 is best suited for your organization?

Answer: In business scenarios, select either Windows 7 Professional or Windows 7 Enterprise. These two editions are business-focused and support domain join and Active Directory.

You have several branch offices and several mobile employees. In this scenario, select Windows 7 Enterprise to take advantage of features—such as DirectAccess, BranchCache, and VPN Reconnect—that will increase the productivity of your branch office and mobile employees.

Also, Windows 7 Enterprise supports all worldwide interface languages, which may be beneficial when your organization expands to the neighboring countries.

Question 2: Which installation method do you choose?

Answer: Your organization has a standardized and managed IT environment and there are significant numbers of computers involved in this deployment. Although some of your users—who are running Windows Vista with Service Pack 2—can upgrade directly to Windows 7, you still need to perform a clean installation of Windows 7 followed by migration to preserve user settings and data. This ensures that all of your users begin with the same configuration, and all applications, files, and settings are reset.

Consider performing the clean installation by using a standard image and follow the image-based installation of Windows. You can deploy the image by using deployment tools such as Windows Deployment Services (WDS) or Microsoft Deployment Toolkit (MDT).

Question 3: If migration is involved, which migration tool do you use?

Answer: You are dealing with significant numbers of computers in this scenario. Select User State Migration Tool (USMT) to help you migrate user settings and data.

Common issues for installing Windows 7

Problem: Installation media is damaged.
Troubleshooting tips: Test the CD or DVD on another system.

Problem: BIOS upgrade is needed.
Troubleshooting tips: Check your computer supplier’s Internet site to determine whether a basic input/output system (BIOS) upgrade is available for Windows 7.

Problem: Hardware is installed improperly.
Troubleshooting tips: Check any messages that appear during the boot phase. Install add-on hardware properly, such as video cards and memory modules.

Problem: Hardware fails to meet minimum requirements.
Troubleshooting tips: Use Windows Catalog to locate products designed for Microsoft Windows and ensure that your hardware meets the minimum requirements for the edition of Windows 7 that you want to install.

Problem: Error messages appear during setup.
Troubleshooting tips: Carefully note any messages and search the Microsoft Knowledge Base for an explanation.

Common issues related to application compatibility problems

Problems:

• Application cannot be installed or run in Windows 7.

• Application can be installed and run, but does not perform as it needs to.

Troubleshooting tips:

• Upgrade the application to a compatible version.

• Apply updates or service packs to the application.

• Use application compatibility features.

• Modify the application configuration by creating application fixes.

• Run the application in a virtualized environment.

• Select another application that performs the same business function.

Best practices for installing, upgrading, and migrating to Windows 7

• Always back up your data before performing an operating system upgrade.

• Install Windows by using an image to achieve a standardized computer environment.

• Evaluate system requirements and application compatibility before upgrading the operating system.

• Run Sysprep /generalize before transferring a Windows image to another computer.

• When capturing an image, use the ImageX /flags option to create the metadata to apply to the image.

• Create architecture-specific sections for each configuration pass in an answer file.

Tools

Tool: Windows Setup
Use for: Installing Windows or upgrading previous Windows versions
Where to find it: Windows 7 Product DVD

Tool: Windows Upgrade Advisor
Use for: Assessing the feasibility of an upgrade to Windows 7
Where to find it: Microsoft Download Center

Tool: Microsoft Assessment and Planning Toolkit
Use for: Assessing organization readiness for Windows 7
Where to find it: Microsoft Download Center

Tool: Windows Easy Transfer
Use for: Migrating user settings and data in side-by-side migration for a single or few computers
Where to find it: Windows 7; Windows 7 Product DVD

Tool: Windows Automated Installation Kit (Windows AIK)
Use for: Supporting the deployment of Windows operating system
Where to find it: Microsoft Download Center

Tool: User State Migration Tool
Use for: Migrating user settings and data for a large number of computers
Where to find it: Windows AIK

Tool: Windows SIM
Use for: Creating unattended installation answer files
Where to find it: Windows AIK

Tool: ImageX
Use for: Capturing, creating, modifying, and applying the WIM file
Where to find it: Windows AIK

Tool: Windows PE
Use for: Installing and deploying Windows operating system
Where to find it: Windows 7 Product DVD

Tool: Sysprep
Use for: Preparing Windows installation for disk imaging, system testing, or delivery
Where to find it: Windows AIK

Tool: Diskpart
Use for: Configuring the hard disk
Where to find it: Windows 7

Tool: WDS
Use for: Deploying Windows over the network
Where to find it: Microsoft Download Center for Windows Server 2003 SP1; Server Role in Windows Server 2008 and Windows Server 2008 R2

Tool: DISM
Use for: Servicing and managing Windows images
Where to find it: Windows 7; Windows AIK

Tool: Application Compatibility Toolkit
Use for: Inventorying and analyzing organization application compatibility
Where to find it: Microsoft Download Center

Tool: Compatibility Administrator Tool
Use for: Creating application fixes
Where to find it: ACT

Lab Review Questions and Answers

Question: Why do you use Sysprep before capturing an image?

Answer: Sysprep is used to generalize the operating system. This removes hardware-specific information, such as drivers, so that they can be redetected when the image is placed on new hardware. Computer-specific operating system configuration settings, such as SID numbers and the computer name, are also removed. This prevents conflicts on the network.

Question: Why is Windows PE required as part of the imaging process?

Answer: When you are taking or applying an operating system image, ImageX needs full access to the hard drive. Windows PE runs independently of the operating system installed on the computer and allows full access to the hard drive. If you did not use Windows PE, some operating system files would be in use when you attempted to create or apply an image, and the process would fail.

Configuring Disks and Device Drivers 2-1

Module 2 Configuring Disks and Device Drivers

Contents:

Lesson 1: Partitioning Disks in Windows 7

Lesson 2: Managing Disk Volumes

Lesson 3: Maintaining Disks in Windows 7

Lesson 4: Installing and Configuring Device Drivers

Module Reviews and Takeaways

Lab Review Questions and Answers

Lesson 1

Partitioning Disks in Windows 7

Contents: Question and Answers

Detailed Demo Steps

Question and Answers

What Is an MBR Disk?

Question: What are three restrictions of an MBR partitioned disk? Have you encountered these limitations in your organization, and if so, what did you do to work around them?

Answer: The restrictions are that MBR partitioned disks are limited to four partitions, a 2 TB maximum partition size, and there is no data redundancy provided.

What Is a GPT Disk?

Question: How does a GPT partitioned disk on a 64-bit Windows 7 operating system use an MBR?

Answer: On a GPT partitioned disk, Sector 0 contains a legacy protective MBR. The protective MBR contains one primary partition covering the entire disk. The protective MBR protects GPT disks from previously released MBR disk tools such as Microsoft MS-DOS FDISK or Microsoft Windows NT Disk Administrator. These tools view a GPT disk as having a single encompassing (possibly unrecognized) partition by interpreting the protective MBR, rather than mistaking the disk for one that is unpartitioned. Legacy software that does not know about GPT interprets only the protective MBR when it accesses a GPT disk.
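The protective MBR described in this answer, and the four-entry, 32-bit layout behind the MBR limits in the previous answer, as an added example that is not part of the original courseware: a Python parser that reads sector 0 the way a legacy MBR tool does and then checks LBA 1 for the GPT header signature. The sample disk images are constructed in the code, and a 512-byte logical sector size is assumed.

```python
import struct

SECTOR_SIZE = 512             # assumption: 512-byte logical sectors
MBR_TABLE_OFFSET = 446        # the four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xaa"   # boot signature at offset 510 of sector 0
PROTECTIVE_TYPE = 0xEE        # partition type used by the GPT protective MBR
GPT_SIGNATURE = b"EFI PART"   # first 8 bytes of the GPT header at LBA 1
ENTRY_FORMAT = "<B3xB3xII"    # status, CHS, type, CHS, first LBA, sector count


def max_mbr_partition_bytes(sector_size=SECTOR_SIZE):
    """Largest size a 32-bit MBR sector count can describe (the 2 TB limit)."""
    return 0xFFFFFFFF * sector_size


def parse_mbr(sector0):
    """Return the four primary partition entries stored in sector 0."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("sector 0 is truncated")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):  # MBR has room for exactly four primary entries
        offset = MBR_TABLE_OFFSET + 16 * index
        status, ptype, first_lba, sectors = struct.unpack_from(
            ENTRY_FORMAT, sector0, offset)
        entries.append({"index": index, "bootable": status == 0x80,
                        "type": ptype, "first_lba": first_lba,
                        "sectors": sectors})
    return entries


def classify_disk(image):
    """Classify a disk image from its first two sectors.

    legacy_view is what an MBR-only tool sees: (type, size in bytes)
    for every non-empty entry in sector 0.
    """
    entries = parse_mbr(image[:SECTOR_SIZE])
    used = [e for e in entries if e["type"] != 0x00]
    protective = (len(used) == 1
                  and used[0]["type"] == PROTECTIVE_TYPE
                  and used[0]["first_lba"] == 1)
    gpt_header = image[SECTOR_SIZE:SECTOR_SIZE + 8] == GPT_SIGNATURE
    if protective and gpt_header:
        scheme = "gpt"
    elif protective:
        # Sector 0 claims GPT but LBA 1 does not carry the header:
        # a damaged or partly wiped disk worth a closer look.
        scheme = "protective-mbr-without-gpt-header"
    elif gpt_header:
        # Leftover GPT header behind an ordinary MBR partition table.
        scheme = "mbr-with-gpt-header"
    else:
        scheme = "mbr"
    legacy_view = [(e["type"], e["sectors"] * SECTOR_SIZE) for e in used]
    return {"scheme": scheme, "legacy_view": legacy_view}


# --- Constructed sample images (not taken from any real disk) ---

def make_sector0(partitions):
    """Build sector 0 from (type, first_lba, sector_count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    for index, (ptype, first_lba, sectors) in enumerate(partitions):
        struct.pack_into(ENTRY_FORMAT, sector, MBR_TABLE_OFFSET + 16 * index,
                         0x00, ptype, first_lba, sectors)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def make_gpt_sample(total_sectors):
    """First two sectors of a GPT disk: protective MBR plus header stub."""
    # The single 0xEE entry covers the disk after sector 0, capped at
    # the largest value the 32-bit field can hold.
    covered = min(total_sectors - 1, 0xFFFFFFFF)
    header_stub = GPT_SIGNATURE.ljust(SECTOR_SIZE, b"\x00")
    return make_sector0([(PROTECTIVE_TYPE, 1, covered)]) + header_stub


SAMPLE_GPT = make_gpt_sample(total_sectors=7_814_037_168)  # about 4 TB
SAMPLE_MBR = make_sector0([(0x07, 2048, 204_800),
                           (0x07, 206_848, 41_734_144)]) + bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, image in (("GPT sample", SAMPLE_GPT), ("MBR sample", SAMPLE_MBR)):
        print(name, classify_disk(image))
```

On the constructed 4 TB sample the legacy view is a single type 0xEE partition whose size is capped by the 32-bit sector count, which is the "single encompassing partition" an MBR-only tool reports.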

Disk Management Tools

Question: What is the effect on existing data when you convert a basic disk to a dynamic disk and vice versa?

Answer: Basic disks can be converted to dynamic disks without data loss. However, converting a dynamic disk to basic is not possible without deleting all the volumes first.

Demonstration: Converting an MBR Partition to a GPT Partition

Question: Which tool do you prefer to use to convert a new disk to GPT, the Disk Management snap-in or the diskpart.exe command-line tool?

Answer: Emphasize that both will work, but the students might express a preference.

Detailed Demo Steps

Demonstration: Converting an MBR Partition to a GPT Partition

Detailed demonstration steps

Convert a disk to GPT by using Diskpart.exe

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

3. At the command prompt, type “diskpart” and then press ENTER.

4. At the DISKPART> prompt, type “list disk” and then press ENTER.

5. At the DISKPART> prompt, type “select disk 2” and then press ENTER.

6. At the DISKPART> prompt, type “convert gpt” and then press ENTER.

7. At the DISKPART> prompt, type “exit” and then press ENTER.

Convert Disk 3 to GPT by using Disk Management

1. Click Start, right-click Computer, and then click Manage.

2. In the Computer Management (Local) list, click Disk Management.

3. In the Initialize Disk dialog box, click GPT (GUID Partition Table) and then click OK.

Verify the disk type

1. In Disk Management, right-click Disk 2 and verify its type.

2. In Disk Management, right-click Disk 3 and verify its type.

3. Click outside the context menu.

Lesson 2

Managing Disk Volumes

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Demonstration: Creating a Simple Volume

Question: In what circumstances will you use less than all the available space on a disk in a new volume?

Answer: Answers vary, but include partitioning a disk to support dual-boot scenarios.

What Are Spanned and Striped Volumes?

Question: Describe scenarios when you create a spanned volume and when you create a striped volume.

Answer: Create a spanned volume when you want to encompass several areas of unallocated space on two or more disks. Create a striped volume when you want to improve the I/O performance of the computer.

Demonstration: Creating Spanned and Striped Volumes

Question: What is the advantage of using striped volumes, and conversely what is the major disadvantage?

Answer: Performance is the advantage at the potential cost of reduced fault tolerance.

Demonstration: Resizing a Volume

Question: When might you need to reduce the size of the system partition?

Answer: Answers will vary – but to enable BitLocker, a non-encrypted partition must be available. In some circumstances, this might not be present on a computer and reducing the system volume size might prove useful. It might be worth mentioning that fragmentation and the placement of certain types of files on the disks (such as the Master File Table (MFT)) can prevent you from realizing all the available free space as a new volume.

Detailed Demo Steps

Demonstration: Creating a Simple Volume

Detailed demonstration steps

Create a simple volume by using Disk Management

1. If necessary, on LON-CL1 click Start, right-click Computer, and then click Manage.

2. In the Computer Management (Local) list, click Disk Management.

3. In Disk Management on Disk 2, right-click Unallocated and then click New Simple Volume.

4. In the New Simple Volume Wizard, click Next.

5. On the Specify Volume Size page, in the Simple volume size in MB box, type “100” and then click Next.

6. On the Assign Drive Letter or Path page, click Next.

7. On the Format Partition page, in the Volume label box, type “Simple”, click Next, and then click Finish.

Create a simple volume by using Diskpart.exe

1. If necessary, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

2. At the command prompt, type “diskpart” and then press ENTER.

3. At the DISKPART> prompt, type “list disk” and then press ENTER.

4. At the DISKPART> prompt, type “select disk 3” and then press ENTER.

5. At the DISKPART> prompt, type “create partition primary size=100” and then press ENTER.

6. At the DISKPART> prompt, type “list partition” and then press ENTER.

7. At the DISKPART> prompt, type “select partition 2” and then press ENTER.

8. At the DISKPART> prompt, type “format fs=ntfs label=simple2 quick” and then press ENTER.

9. At the DISKPART> prompt, type “Assign” and then press ENTER.

Demonstration: Creating Spanned and Striped Volumes

Detailed demonstration steps

Create a spanned volume

1. On LON-CL1 in Disk Management on Disk 2, right-click Unallocated and then click New Spanned Volume.

2. In the New Spanned Volume wizard, click Next.

3. On the Select Disks page, in the Select the amount of space in MB box, type “100”.

4. In the Available list, click Disk 3 and then click Add >.

5. In the Selected list, click Disk 3, and in the Select the amount of space in MB box, type “250” and then click Next.


6. On the Assign Drive Letter or Path page, click Next.

7. On the Format Partition page, in the Volume label box, type “Spanned”, click Next and then click Finish.

8. In the Disk Management dialog box, click Yes.

Create a striped volume

1. In Disk Management, right-click Disk 2 and then click New Striped Volume.

2. In the New Striped Volume wizard, click Next.

3. On the Select Disks page, in the Available list, click Disk 3 and then click Add >.

4. On the Select Disks page, in the Select the amount of space in MB box, type “512” and then click Next.

5. On the Assign Drive Letter or Path page, click Next.

6. On the Format Partition page, in the Volume label box, type “Striped”, click Next, and then click Finish.

Demonstration: Resizing a Volume

Detailed demonstration steps

Shrink a volume by using Diskpart.exe

1. On LON-CL1, switch to the Command Prompt window.

2. At the DISKPART> prompt, type “list disk”, and then press ENTER.

3. At the DISKPART> prompt, type “select disk 2”, and then press ENTER.

4. At the DISKPART> prompt, type “list volume”, and then press ENTER.

5. At the DISKPART> prompt, type “select volume 6”, and then press ENTER.

6. At the DISKPART> prompt, type “shrink desired=50”, and then press ENTER.

7. At the DISKPART> prompt, type “exit”, and then press ENTER.

8. Switch to Disk Management, and view the new volume size.

Extend a volume by using Disk Management

1. In Disk 2, right-click Simple (F:) and then click Extend Volume.

2. In the Extend Volume Wizard, click Next.

3. In the Select the amount of disk space in MB box, type “50”, click Next, and then click Finish.

4. Close all open windows.

Note: For more information about diskpart, refer to http://go.microsoft.com/fwlink/?LinkId=153231.

Lesson 3

Maintaining Disks in Windows 7

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

What are Disk Quotas?

Question: How do you increase free disk space after exceeding the quota allowance?

Answer: The following are ideas to increase free disk space after exceeding the quota allowance:

• Delete unnecessary files

• Have another user claim ownership of non-user specific files

• Increase the quota allowance as volume size and policy permits

Demonstration: Configuring Disk Quotas (Optional)

Question: Will quota management be useful in your organization?

Answer: Answers will vary. In most cases there is no need to limit disk usage on computers running Windows 7. However, it might be useful when multiple users share the same computer or when peer-to-peer networking is performed in a workgroup. It is more common to implement quotas on servers.

Detailed Demo Steps

Demonstration: Configuring Disk Quotas (Optional)

Detailed demonstration steps

Create quotas on a volume

1. On LON-CL1, click Start and then click Computer.

2. Right-click Striped (I:) and then click Properties.

3. In the Striped (I:) Properties dialog box, click the Quota tab.

4. On the Quota tab, select the Enable quota management check box.

5. Select the Deny disk space to users exceeding quota limit check box.

6. Click Limit disk space to, in the adjacent box type “6”, and then in the KB list, click MB.

7. In the Set warning level to box, type “4”, and then in the KB list click MB.

8. Select the Log event when a user exceeds their warning level check box and then click OK.

9. In the Disk Quota dialog box, review the message and then click OK.

Create test files

1. Open a Command Prompt.

2. At the command prompt, type “I:” and then press ENTER.

3. At the command prompt, type “fsutil file createnew 2mb-file 2097152” and then press ENTER.

4. At the command prompt, type “fsutil file createnew 1kb-file 1024” and then press ENTER.

5. Close the Command Prompt window.

Test the configured quotas by using a standard user account to create files

1. Log off and then log on to the LON-CL1 virtual machine as Contoso\Alan with a password of Pa$$w0rd.

2. Click Start, click Computer, and then double-click Striped (I:).

3. On the toolbar, click New Folder.

4. Type “Alan’s files” and then press ENTER.

5. In the file list, right-click 2mb-file, drag it to Alan’s files, and then click Copy here.

6. Double-click Alan’s files.

7. Right-click 2mb-file and then click Copy.

8. Press CTRL+V.

9. In the Address bar, click Striped (I:).

10. In the file list, right-click 1kb-file, drag it to Alan’s files, and then click Copy here.

11. Double-click Alan’s files.

12. Right-click 2mb-file and then click Copy.


13. Press CTRL+V.

14. In the Copy Item dialog box, review the message and then click Cancel.

Review quota alerts and event log messages

1. Log off and then log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start and then click Computer.

3. Right-click Striped (I:) and then click Properties.

4. In the Striped (I:) Properties dialog box, click the Quota tab and then click Quota Entries.

5. In the Quota Entries for Striped (I:), in the Logon Name column, double-click Contoso\Alan.

6. In the Quota Settings for Alan Brewer (CONTOSO\alan) dialog box, click OK.

7. Close Quota Entries for Striped (I:).

8. Close Striped (I:) Properties.

9. Click Start, and in the Search box, type “event”.

10. In the Programs list, click Event Viewer.

11. In the Event Viewer (Local) list, expand Windows Logs and then click System.

12. Right-click System and then click Filter Current Log.

13. In the <All Event IDs> box, type “36” and then click OK.

14. Examine the listed entry.

15. Close all open windows.

Lesson 4

Installing and Configuring Device Drivers

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Installing Devices and Drivers

Question: What are the steps to install a driver in the driver store by using the Pnputil.exe tool?

Answer: The steps are as follows:

1. Identify the name of the device driver.

2. Start the Pnputil.exe tool from an elevated command prompt.

3. Use the -a parameter along with the path to the driver and name of the driver to perform the addition to the driver store.

4. Make note of the newly assigned driver name, including the number.

Demonstration: Managing Drivers

Question: If your computer does not start up normally due to a device driver issue, what options are there for performing driver roll back?

Answer: Try starting into Safe mode and then rolling the driver back.

Detailed Demo Steps

Demonstration: Managing Drivers

Detailed demonstration steps

Update a device driver

1. On LON-CL1 click Start, right-click Computer and then click Manage.

2. In Computer Management, click Device Manager.

3. Expand Keyboards, right-click Standard PS/2 Keyboard, and then click Update Driver Software.

4. In the Update Driver Software – Standard PS/2 Keyboard dialog box, click Browse my computer for driver software.

5. On the Browse for driver software on your computer page, click Let me pick from a list of device drivers on my computer.

6. In the Show compatible hardware list, click PC/AT Enhanced PS/2 Keyboard (101/102 Key) and then click Next.

7. Click Close.

8. In the System Settings Change dialog box, click Yes to restart the computer.

Roll back a device driver

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, right-click Computer, and then click Manage.

3. In Computer Management, click Device Manager.

4. Expand Keyboards, right-click PC/AT Enhanced PS/2 Keyboard (101/102 Key) and then click Properties.

5. In the PC/AT Enhanced PS/2 Keyboard (101/102 Key) Properties dialog box, click the Driver tab.

6. Click Roll Back Driver.

7. In the Driver Package rollback dialog box, click Yes.

8. Click Close, and then in the System Settings Change dialog box, click Yes to restart the computer.

9. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

10. Click Start, right-click Computer, and then click Manage.

11. In Computer Management, click Device Manager.

12. Expand Keyboards and then click Standard PS/2 Keyboard.

13. Verify that you have successfully rolled back the driver.

14. Close Computer Management.


Install a driver into the driver store

1. Click Start, point to All Programs, click Accessories, and then right-click Command Prompt.

2. Click Run as administrator.

3. At the Command Prompt, type “E:”, and then press ENTER.

4. At the Command Prompt, type “pnputil -a "E:\Labfiles\Mod02\HP Deskjet 960c series\hpf960k.inf"”, and then press ENTER.

5. In the Command Prompt, type “pnputil -e”, and then press ENTER. Take note of the driver version and date for the driver you just installed into the store.

Module Reviews and Takeaways

Review questions

Question 1: You are implementing 64-bit Windows 7 and need to partition the disk to support 25 volumes, some of which will be larger than 2 TB. Can you implement this configuration using a single hard disk?

Answer: Yes, you can format the disk for GPT rather than MBR. A GPT disk supports up to 128 volumes, each much larger than 2 TB. In addition, you can boot 64-bit Windows 7 from a GPT disk.

Question 2: You have created a volume on a newly installed hard disk by using diskpart.exe. Now, you want to continue using diskpart.exe to perform the following tasks:

• Format the volume for NTFS

• Assign the next available drive letter.

• Assign a volume label of “sales-data”

What two commands must you use for these tasks?

Answer: The two commands are as follows:

format fs=ntfs label=sales-data

assign

Question 3: Your organization has recently configured Windows Update to automatically update the Accounting department’s computers at 03:00. This conflicts with the weekly defragmentation of the computers on Wednesday mornings. You must reconfigure the scheduled defragmentation task to occur at midnight on Tuesdays instead. List the steps to modify the defragmentation schedule.

Answer: Follow these steps to modify the defragmentation schedule:

1. Right-click the volume in Windows Explorer, click Properties, click the Tools tab, and then click Defragment Now.

2. In the Disk Defragmenter window, click Configure schedule.

3. In the Disk Defragmenter: Modify Schedule window, change Choose day to Tuesday, and change Choose time to 12:00 AM (midnight). Click OK.

4. Click Close on the Disk Defragmenter window, and OK on the Properties window.

Question 4: You recently upgraded to Windows 7 and are experiencing occasional problems with the shortcut keys on your keyboard. Describe the first action you might take to resolve the issue and list the steps to perform the action.

Answer:

1. Update the device driver for the keyboard. To manually update the driver used for the keyboard, follow these steps in Device Manager:

2. Double-click the Keyboard category of devices.

3. Right-click the device and then click Update Driver Software.


4. Follow the instructions in the Update Driver Software wizard.

Common issues

Identify the causes for the following common issues and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module and the course companion CD content.

Issue Troubleshooting tip

Configuring disk quotas on multiple volumes

Once a quota is created, you can export it and then import it for a different volume. In addition to establishing quota settings on an individual computer by using the methods outlined above, you can also use Group Policy settings to configure quotas. This enables administrators to configure multiple computers with the same quota settings.

Exceeding the quota allowance

To increase free disk space after exceeding the quota allowance, the user can try the following:

• Delete unnecessary files

• Have another user claim ownership of non-user specific files

• Increase the quota allowance as volume size and policy permits

If you have a hardware problem, it can be caused by hardware or a device driver. Troubleshooting hardware problems often starts by troubleshooting device drivers.

To identify a device driver problem, answer the questions:

• Did you recently upgrade the device driver or other software related to the hardware? If so, roll back the device driver to the previous version.

• Are you experiencing occasional problems, or is the device not compatible with the current version of Windows? If so, upgrade the device driver.

• Did the hardware suddenly stop working? If so, upgrade the device driver. If that does not solve the problem, reinstall the device driver. If the problem continues, try troubleshooting the hardware problem.

Verify a disk requires defragmentation

To verify that a disk requires defragmentation, in Disk Defragmenter select the disk you want to defragment and then click Analyze disk. Once Windows is finished analyzing the disk, check the percentage of fragmentation on the disk in the Last Run column. If the number is high, defragment the disk.

View shadow copy storage information

To view shadow copy storage information, use the Volume Shadow Copy Service administrative command-line tool. Start an elevated Command Prompt and then type “vssadmin list shadowstorage”. The used, allocated, and maximum shadow copy storage space is listed for each volume.

Best practices

Supplement or modify the following best practices for your own work situations:

• Every time a change is made to a computer, record it. It can be recorded in a physical notebook attached to the computer, or in a spreadsheet or database available on a centralized share that is backed up nightly.


If you keep a record of all changes made to a computer, you can trace the changes to troubleshoot problems and offer support professionals correct configuration information. The Reliability Monitor can be used to track changes to the system such as application installs or uninstalls.

• When deciding what type of volume to create, consider the following questions:

• How critical is the data or information on the computer?

• Can automatic replication be set up quickly and easily?

• If the computer became unbootable, what will be the impact on your business?

• Is the computer handling multiple functions?

• Is the data on the computer being backed up on a regular basis?

• Use the information in the following table to assist as needed.

| Task | Reference |
| --- | --- |
| Add a new disk | http://go.microsoft.com/fwlink/?LinkId=64100 |
| Best Practices for Disk Management | http://go.microsoft.com/fwlink/?LinkId=153231 |
| Confirm that you are a member of the Backup Operators group or the Administrators group | Search Help and Support for “standard account” and “administrator account”. For information about groups: http://go.microsoft.com/fwlink/?LinkId=64099 |
| Create partitions or volumes | http://go.microsoft.com/fwlink/?LinkId=64106, http://go.microsoft.com/fwlink/?LinkId=64107 |
| Device Management and Installation | http://go.microsoft.com/fwlink/?LinkId=143990 |
| For information about driver signing, including requirements, review the “Driver Signing Requirements for Windows” page in Windows Hardware Developer Central | http://go.microsoft.com/fwlink/?LinkId=14507 |
| Format volumes on the disk | http://go.microsoft.com/fwlink/?LinkId=64101, http://go.microsoft.com/fwlink/?LinkId=64104, http://go.microsoft.com/fwlink/?LinkId=64105 |
| Overview of Disk Management | http://go.microsoft.com/fwlink/?LinkId=64098 |
| Performance tuning guidelines | http://go.microsoft.com/fwlink/?LinkId=121171 |
| Windows 7 Springboard Series | http://go.microsoft.com/fwlink/?LinkId=147459 |
| Windows Device Experience | http://go.microsoft.com/fwlink/?LinkId=132146 |

Tools

| Tool | Use for | Where to find it |
| --- | --- | --- |
| Defrag.exe | Performing disk defragmentation tasks from the command-line | Command Prompt |
| Device Manager | Viewing and updating hardware settings, and driver software for devices such as internal hard drives, disc drives, sound cards, video or graphics cards, memory, processors, and other internal computer components | Control Panel |
| Device Stage | Help when interacting with any compatible device connected to the computer. From Device Stage, you can view the device’s status and run common tasks from a single window. There are pictures of the devices which helps make it simpler to view what is there. | Taskbar |
| Devices and Printers | Provides users a single location to find and manage all the devices connected to their Windows 7-based computers. Also provides quick access to device status, product information, and key functions such as faxing and scanning to enhance and simplify the customer experience with a Windows 7-connected device. | Control Panel |
| Disk Defragmenter | Rearranging fragmented data so that disks and drives can work more efficiently | In Windows Explorer, right-click a volume, click Properties, click the Tools tab, and then click Defragment Now. |
| Disk Management | Managing disks and volumes, both basic and dynamic, locally or on remote computers. | Click Start, type “diskmgmt.msc” in the search box, and then click diskmgmt.msc in the results list. |
| Diskpart.exe | Managing disks, volumes, and partitions from the command-line or from Windows PE | Open a command prompt and then type “diskpart” |
| Fsutil.exe | Performing tasks that are related to file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume | Command Prompt (elevated) |
| Pnputil.exe | Adding drivers to and managing drivers in the device store | Command Prompt (elevated) |
| Quota Settings | Tracking and restricting disk consumption | In Windows Explorer, right-click a volume, click Properties, click Quota, and then click Show Quota Settings. |
| File Signature Verification (Sigverif.exe) | Use to check if unsigned device drivers are in the system area of a computer | Start menu |
| Volume Shadow Copy Service (Vssadmin.exe) | Viewing and managing shadow copy storage space | Command Prompt (elevated) |
| Windows Update | Automatically applying updates that are additions to software that can help prevent or fix problems, improve how your computer works, or enhance your computing experience. | Online |

Common terms, definitions, and descriptions

Term Definition

Basic disk A disk initialized for basic storage. A basic disk contains basic volumes, such as primary partitions, extended partitions, and logical drives.

Dynamic disk A disk initialized for dynamic storage. A dynamic disk contains dynamic volumes, such as simple volumes, spanned volumes, striped volumes, mirrored volumes, and RAID-5 volumes.

Volume

A storage unit made from free space on one or more disks. It can be formatted with a file system and assigned a drive letter. Volumes on dynamic disks can have any of the following layouts: simple, spanned, mirrored, striped, or RAID-5. All volumes on a physical disk must be either basic or dynamic, and each disk must be partitioned. You can view the contents of a volume by clicking its icon in Windows Explorer or in My Computer. A single hard disk can have multiple volumes, and volumes can also span multiple disks.

System volume

The disk volume that contains the hardware-specific files that are needed to start Windows. On x86 computers, the system volume must be a primary volume that is marked as active. This requirement can be fulfilled on any drive on the computer that the system BIOS searches when the operating system starts. The system volume can be the same volume as the boot volume; this configuration is not required. There is only one system volume.

Boot volume

The disk volume that contains the Windows operating system files and the supporting files. The boot volume can be the same volume as the system volume; this configuration is not required. There is one boot volume for each operating system in a multi-boot system.

Partition A contiguous space of storage on a physical or logical disk that functions as though it were a physically separate disk.

Disk partitioning

The process of dividing the storage on a physical disk into manageable sections that support the requirements of a computer operating system.

Logical Block Address (LBA)

A method of expressing a data address on a storage medium. Used with SCSI and IDE disk drives to translate specifications of the drive into addresses that can be used by enhanced BIOS. LBA is used with drives that are larger than 528MB.

Lab Review Questions and Answers

Question: In Exercise 1, you used the assign command in diskpart to assign a drive letter to a newly created volume. Instead of assigning a drive letter, what else can you do?

Answer: Students can mount the volume into an empty folder on an existing NTFS volume. The advantage of this is that it enables you to circumvent the 26 drive letter limitation imposed by the alphabet.

Question: In Exercise 2, you used local disk quotas to manage disk consumption. Although this is a useful local management tool, in an enterprise network based on Windows Server® 2008, what other disk space management tools can you use?

Answer: The File Server Resource Manager File Services role enables you to manage disk quotas, and in addition provides quota templates, file screens, and storage reporting facilities.

Question: In Exercise 3, you used driver roll back to reverse a driver update you made. If your computer will not start properly, how can you address a driver-related problem?

Answer: You can start the computer in Safe Mode and then access Device Manager to use the driver roll back feature. Alternatively, if that is unsuccessful, you might use Windows RE to attempt to resolve the problem.

Module 3

Configuring File Access and Printers on Windows® 7 Clients

Contents:

Lesson 1: Overview of Authentication and Authorization

Lesson 2: Managing File Access in Windows 7

Lesson 3: Managing Shared Folders

Lesson 4: Configuring File Compression

Lesson 5: Managing Printing

Module Reviews and Takeaways

Lab Review Questions and Answers

Lesson 1

Overview of Authentication and Authorization

Contents:

Question and Answers

Question and Answers

Authentication and Authorization Process

Question: Which authentication method is used when a client computer running the Windows 7 operating system logs on to Active Directory?

Answer: Kerberos version 5 protocol is used unless smart cards are being used. If smart cards are being used, then certificate mapping is the authentication method.

New Authentication Features in Windows 7

Question: What are some of the ways that fingerprint biometric devices are used in Windows 7?

Answer: Answers can vary, but the three primary uses include:

• Log on to computers.

• Grant elevation privileges through User Account Control (UAC).

• Perform basic management of fingerprint devices in Group Policy settings by enabling, limiting, or blocking their use.

Lesson 2

Managing File Access in Windows 7

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

What Are NTFS Permissions?

Question: Do you have to apply permissions to keep other people from accessing your files?

Answer: No. The default NTFS permissions do not allow standard users to read the documents that other users have stored in their My Documents folder. However, administrators are able to access all files on the system. If you need to prevent administrators from accessing a file, you must use an additional security measure such as encryption.

What Is Permission Inheritance?

Question 1: Why does permission inheritance reduce administration time?

Answer: Administrators can change permissions at the parent level and have the same permissions propagate throughout all the sub-folders without having to reassign permissions to each of those folders individually.

Question 2: If NTFS permission is denied to a group for a particular resource while allowing the same permission to another group for that resource, what will happen to the permissions of an individual who is a member of both groups?

Answer: The user will be denied access.

Impact of Copying and Moving Files and Folders on Set Permissions

Question: Why is administration time reduced when files and folders are moved within the same partition?

Answer: Answers can vary. Possible answers include: Administrators do not need to be concerned about permissions being changed or altered because the permissions are kept if files and folders are moved within the same partition. Likewise, administrators do not need to change the permissions of the destination folder, which can have ramifications on other files and subfolders within the folder.

What Are Effective Permissions?

Question: If a group is assigned Modify permission to a folder and a user that is a member of that group is denied Modify permission for the same folder, what is the user’s effective permission for the folder?

Answer: Because the Deny permission takes precedence over the Allow permission, the user is denied the Modify permission for the folder.

Discussion: Determining Effective Permissions

Question 1: The Users group has Write permission, and the Sales group has Read permission for Folder1. What permissions does User1 have for Folder1?

Answer: User1 has Write and Read permissions for Folder1, because User1 is a member of the Users group, which has Write permission, and the Sales group, which has Read permission.


Question 2: The Users group has Read permission for Folder1. The Sales group has Write permission for Folder2. What permissions does User1 have for File2?

Answer: User1 has Read and Write permissions for File2, because User1 is a member of the Users group, which has Read permission for Folder1, and the Sales group, which has Write permission for Folder2. File2 inherits permissions from both Folder2 and Folder1.

Question 3: The Users group has Modify permission for Folder1. File2 is accessible only to the Sales group, and they are only able to read File2. What do you do to ensure that the Sales group has only Read permission for File2?

Answer: Prevent permissions inheritance for Folder2 or File2. Remove the permissions for Folder2 or File2 that Folder2 has inherited from Folder1. Grant only Read permission to the Sales group for Folder2 or File2.

Detailed Demo Steps

Demonstration: Configuring NTFS Permissions for Files and Folders

Detailed demonstration steps

Create a folder and a document file

1. Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, click Computer, and then double-click Local Disk (C:).

3. On the toolbar, click New folder.

4. Type “Project Documents” in the folder name.

5. Double-click to open the Project Documents folder.

6. Right-click an empty space in the Name column, point to New, and then click Microsoft Office Word Document.

7. Type “Deliverables” and then press ENTER.

Grant selected users write access to the file

1. Right-click the Deliverables file and then click Properties.

2. In the Deliverables Properties dialog box, on the Security tab, click Edit.

3. In the Permissions for Deliverables dialog box, click Add.

4. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type “Contoso\Adam”, click Check Names, and then click OK.

5. In the Group or user names box, click Adam Carter (Contoso\Adam).

6. In the Permissions for Deliverables dialog box, next to Write, select the Allow check box and then click OK.

7. In the Deliverables Properties dialog box, click OK.

Deny selected users the ability to modify the file

1. Right-click the Deliverables file and then click Properties.

2. In the Deliverables Properties dialog box, on the Security tab, click Edit.

3. In the Permissions for Deliverables dialog box, click Add.

4. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type “Contoso\Martin”, click Check Names, and then click OK.

5. In the Group or user names box, click Martin Berka (Contoso\Martin).

6. In the Permissions for Deliverables dialog box, next to Modify, select the Deny check box and then click OK.

7. In the Windows Security dialog box, click Yes.

8. In the Deliverables Properties dialog box, click OK.

Verify the deny permissions on the file

1. In the Project Documents folder, right-click Deliverables and then click Properties.

2. In the Deliverables Properties dialog box, on the Security tab, click Advanced.

3. In the Advanced Security Settings for Deliverables dialog box, on the Effective Permissions tab, click Select.

4. In the Select User, Computer, Service Account or Group dialog box, type “Contoso\Martin”, click Check Names, and then click OK.

5. Verify that none of the attributes are available as permissions.

6. In the Advanced Security Settings for Deliverables dialog box, on the Effective Permissions tab, click Select.

7. In the Select User, Computer, Service Account or Group dialog box, type “Contoso\Adam”, click Check Names, and then click OK.

8. Verify that all attributes are selected except for Full control, Change permissions, and Take ownership.

9. In the Advanced Security Settings for Deliverables dialog box, click OK.

10. In the Deliverables Properties dialog box, click OK.

11. Close the Project Documents window.

Lesson 3

Managing Shared Folders

Contents: Question and Answers

Question and Answers

What Are Shared Folders?

Question: What is a benefit of sharing folders across a network?

Answer: Sharing folders across a network keeps information up-to-date for a group of users and decreases the chance of file duplication because all files for a user account can be stored in a shared central repository.

Methods of Sharing Folders

Question 1: When is it necessary to avoid using Public folder sharing?

Answer: Avoid using Public folder sharing when security or privacy is a concern. Remember, you cannot restrict people to viewing just some of the files in the Public folder. Because it is an all or nothing situation, users can access all files in a public share.

Question 2: Do you have to apply permissions to share your files with other users on your computer?

Answer: No. A recommended method of sharing files is to share from an individual folder or by moving files to the Public folder. Depending on how you choose to share the file or folder, you might be able to apply permissions to some of your files.

Discussion: Combining NTFS and Share Permissions

Question 1: If a user is assigned Full Control NTFS permission to a file but is accessing the file through a share with Read permission, what will be the effective permission the user will have on the file?

Answer: The user will have only Read access to the file when accessing it over the network through the share (because Read access is more restrictive than Full Control). If the user is logged on to the console of the computer storing the file and accessing it locally, then the user has Full Control.

Question 2: If you want a user to view all files in a shared folder but modify only certain files in the folder, what permissions do you give the user?

Answer: The share permissions will have to allow the user to modify all files (this opens the folder window wide, but it will get locked down with NTFS permissions). You must set the NTFS permissions for the folder to allow the user Read access only (which flows to all the files). Then on the individual files in the folder that you want the user to modify, assign the Modify NTFS permission.

Question 3: Identify a scenario at your organization where it might be necessary to combine NTFS and Share permissions. What is the reason for combining permissions?

Answer: Answers will vary based on the experiences of each student.
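The rules in the effective-permissions and share-permissions discussions above (permissions accumulate across groups, Deny overrides Allow, and network access gets the more restrictive of the share and NTFS permissions) can be checked against each scenario with a small model. The following Python code is an added example, not part of the courseware: it models only the rules stated on this page, not the Windows access-check algorithm, and the right names, the Ace class, the Everyone share entries and Martin's membership in Users are assumptions.

```python
from dataclasses import dataclass

# Basic rights used by this model (assumption: a reduced set that is enough
# for the scenarios on this page; real NTFS access masks are finer-grained).
READ = frozenset({"read"})
WRITE = frozenset({"write"})
MODIFY = frozenset({"read", "write", "delete"})
FULL_CONTROL = MODIFY | {"change_permissions", "take_ownership"}


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, Allow or Deny, and which rights."""
    trustee: str       # user or group name
    allow: bool        # True = Allow entry, False = Deny entry
    rights: frozenset


def resolve(acl, user, groups):
    """Rights one ACL gives a user: the union of every Allow entry that
    applies to the user or a group, minus every right that is denied."""
    trustees = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee in trustees:
            (allowed if ace.allow else denied).update(ace.rights)
    return frozenset(allowed - denied)


def effective(ntfs_acl, share_acl, user, groups, over_network):
    """Local access is governed by NTFS only; access through a share gets
    the intersection (most restrictive) of share and NTFS permissions."""
    ntfs = resolve(ntfs_acl, user, groups)
    if not over_network:
        return ntfs
    return ntfs & resolve(share_acl, user, groups)


def page_scenarios():
    """Evaluate the scenarios from the Q&A above and return the results."""
    results = {}

    # Users has Write and Sales has Read on Folder1; User1 is in both groups.
    folder1 = [Ace("Users", True, WRITE), Ace("Sales", True, READ)]
    results["cumulative"] = resolve(folder1, "User1", ["Users", "Sales"])

    # A group is allowed Modify, one member is denied Modify.
    folder = [Ace("Users", True, MODIFY), Ace("Martin", False, MODIFY)]
    results["deny_wins"] = resolve(folder, "Martin", ["Users"])

    # Full Control on the file, reached through a share that grants Read.
    file_acl = [Ace("User1", True, FULL_CONTROL)]
    read_share = [Ace("Everyone", True, READ)]
    results["share_read_network"] = effective(
        file_acl, read_share, "User1", ["Everyone"], over_network=True)
    results["share_read_local"] = effective(
        file_acl, read_share, "User1", ["Everyone"], over_network=False)

    # Share allows Change; the folder grants Read, one file also grants Modify.
    change_share = [Ace("Everyone", True, MODIFY)]
    inherited = [Ace("User1", True, READ)]
    editable = inherited + [Ace("User1", True, MODIFY)]
    results["other_file_network"] = effective(
        inherited, change_share, "User1", ["Everyone"], over_network=True)
    results["editable_file_network"] = effective(
        editable, change_share, "User1", ["Everyone"], over_network=True)
    return results


if __name__ == "__main__":
    for name, rights in page_scenarios().items():
        print(f"{name}: {sorted(rights) or 'no access'}")
```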

Lesson 4

Configuring File Compression

Contents: Detailed Demo Steps

Detailed Demo Steps

Demonstration: Compressing Files and Folders

Detailed demonstration steps

Create folders in the Project Documents folder

1. On LON-CL1, click Start, and then click Computer.

2. In the Computer folder, double-click Local Disk (C:).

3. In the Local Disk (C:) folder, double-click Project Documents.

4. On the Project Documents folder menu, click New Folder.

5. Type “Compressed Files” and then press ENTER.

6. On the Project Documents folder menu, click New Folder.

7. Type “Uncompressed Files” and then press ENTER.

Compress the C:\Project Documents\Compressed Files folder

1. In the Project Documents folder, right-click Compressed Files and then click Properties.

2. In the Compressed Files Properties dialog box, click Advanced.

3. Select the Compress contents to save disk space check box and then click OK.

4. In the Compressed Files Properties dialog box, click OK.

Copy files into the C:\Project Documents\Compressed Files folder

1. Click Start, and in the Search programs and files box, type “C:\Program Files\Microsoft Office\CLIPART\PUB60COR” and then press ENTER.

2. Select the following files, right-click on them, and then click Copy:

• AG00004_

• AG00011_

3. Close the PUB60COR folder.

4. Switch back to the C:\Project Documents folder.

5. Right-click Compressed Files folder and then click Paste.

6. Double-click Compressed Files folder.

7. Right-click AG00004_ and then click Properties.

8. Click Advanced.

9. Click Cancel and then click Cancel again to close the properties dialog box.

Move compressed files into the C:\Project Documents\Uncompressed Files folder

1. Click Start and then click Computer.

2. In the Computer folder, double-click Local Disk (C:).

3. In the Local Disk (C:) folder, double-click Project Documents.

4. In the Project Documents folder, double-click Uncompressed Files.

5. Right-click the Taskbar and then click Show Windows Side by Side.

6. In the Compressed Files folder, drag AG00004_ to the Uncompressed Files folder.

Copy compressed files into the C:\Project Documents\Uncompressed Files folder

1. In the Compressed Files folder, right-click and then drag AG00011_ to the Uncompressed Files folder.

2. Click Copy Here.

Compress a folder by using the Compressed (zipped) Folder feature

1. Click Start and then click Computer.

2. In the Computer folder, double-click Local Disk (C:).

3. In the Local Disk (C:) folder, double-click Project Documents.

4. Right-click Uncompressed Files, click Send To, and then click Compressed (zipped) Folder.

5. Type “Zipped Data” and then press ENTER.

6. Drag the Zipped Data file to the Compressed Files folder.

7. Double-click the Compressed Files folder.

8. Press CTRL+Z to undo the move operation.

9. Click the left arrow in the menu bar to go back to the Project Documents folder.

10. Right-click Zipped Data and then drag it to the Compressed Files folder.

11. Click Copy Here.

12. Double-click Compressed Files.

13. Close all open windows.

Lesson 5

Managing Printing

Contents: Detailed Demo Steps

Detailed Demo Steps

Demonstration: Installing and Sharing a Printer

Detailed demonstration steps

Create and share a local printer

1. On LON-CL1, click Start, click Control Panel, and then click View devices or printers.

2. In the menu, click Add a printer.

3. In the Add Printer wizard, click Add a local printer.

4. On the Choose a printer port page, in the Use an existing port list, click LPT1: (Printer Port) and then click Next.

5. On the Install the printer driver page, in the Manufacturer list, click Epson, and in the Printers list, click Epson Stylus Photo RX630 (M) and then click Next.

6. On the Type a printer name page, click Next.

7. On the Printer Sharing page, accept the defaults and click Next.

8. Click Finish to complete the wizard.

Set permissions and advanced options for the printer

1. In Devices and Printers, right-click Epson Stylus Photo RX630 (M) and then click Printer properties.

2. Click the Security tab and then click Add.

3. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) box, type “Contoso\IT”, click Check Names, and then click OK.

4. In the Group or user names box, click IT (Contoso\IT).

5. In the Permissions for IT dialog box, next to Manage this printer, select the Allow check box.

6. In the Permissions for IT dialog box, next to Manage documents, select the Allow check box and then click Apply.

7. Click the Advanced tab.

8. Select the Hold mismatched documents check box.

9. Click the General tab.

10. In the Location field, type “Headquarters”.

11. Click Preferences.

12. Set Quality Option to Best Photo.

13. Click OK and then click OK again to close the dialog box.

14. Click OK to close the Epson Stylus Photo RX630 (M) Properties box.

Maintaining printer properties

In the Printer Properties dialog box updated in this demonstration, the following permissions can be maintained:

• Print

• Manage this printer

• Manage documents

The Printer Properties dialog box also included the following printer options that can be maintained.

Location | Printer Option
General tab | Printing Preferences, such as portrait/landscape orientation option and print quality
Ports tab | Configure Printer Port
Advanced tab | Assign printer driver
Advanced tab | Print spooling options
Advanced tab | Hold mismatched documents option
Advanced tab | Enable advanced printing features

Module Reviews and Takeaways

Review questions

Question 1: You decided to share a folder containing the Scoping Assessment document and other planning files created for your upcoming Microsoft Dynamics® CRM implementation at Fabrikam, Inc. However, now you do not want any of these planning files available offline. Which advanced sharing options must you configure to enforce this requirement?

Answer: You must configure the caching options, which determine how offline versions of shared files will be made available, if at all. By default, users must specify which files and programs are available offline.

Question 2: Contoso is installing Microsoft Dynamics® GP and they have contracted with a vendor to provide some custom programming work. Contoso asked Joseph, their senior IT desktop specialist, to configure the NTFS permissions for the GP planning files it will be accumulating. Contoso has asked that all IT users be assigned Modify permissions to the GP Implementation Planning folder. However, Contoso only wants the subfolder titled Vendor Contracts to be available for viewing by a select group of managers. How can Joseph accomplish this by taking into account permission inheritance?

Answer: Joseph can take a three-step approach. First, he can assign the IT user group the Modify permission for the GP Implementation Planning folder. Next, he can block inherited permissions on the Vendor Contracts subfolder. Third, he can restrict access to the subfolder by providing Read access to the selected list of managers identified by Contoso.

Question 3: Peter is an IT professional working at Fabrikam. He is having trouble accessing a particular file and suspects it has something to do with his NTFS permissions associated with the file. How can he view his effective file permissions?

Answer: From the file’s property sheet, Peter can click the Security tab and then click Advanced. From the Effective Permissions tab, he can enter his user alias and then view his effective permissions.

Question 4: Robin recently created a spreadsheet in which she explicitly assigned it NTFS file permissions that restricted file access to just herself. Following the system reorganization, the file moved to a folder on another NTFS partition and Robin discovered that other users were able to access the spreadsheet. What is the probable cause of this situation?

Answer: When moving a file to a folder on a different NTFS partition, the file inherits the new folder’s permissions. In this case, the new folder that the spreadsheet moved to allowed access by other user groups.

Question 5: Contoso recently installed Windows 7 on its client computers. Because many of their sales staff travel and work from various branch offices throughout any given month, Contoso decided to take advantage of the location-aware printing functionality in Windows 7. Michael, a sales representative, was pleased that he no longer had to configure printers each time he needed to print a document at a branch office. However, to Michael’s dismay, on his last trip he tried to connect to the company network using Terminal Services and found that he still had to manually select the printer when he wanted to print a file. Why did the system not automatically recognize the printer for Michael?

Answer: Because location-aware printing does not work when you connect to a network through Remote Desktop (Terminal Services).

Best practices related to authentication and authorization

Supplement or modify the following best practices for your own work situations:

• When setting up a computer, you are required to create a user account. This account is an administrator account used to set up your computer and install any required programs.

Once you are finished setting up the computer, it is recommended to use a standard user account for your daily computing.

It is safer to use a standard user account instead of an administrator account because it can prevent users from making changes that affect everyone who uses the computer, especially if your user account logon credentials are stolen.

• Considerations when taking ownership of a file or folder include:

• An administrator can take ownership of any file on the computer.

• Assigning ownership of a file or folder might require elevating your permissions through User Account Control.

• The Everyone group no longer includes the Anonymous Logon group.

Best practices related to NTFS permissions

Supplement or modify the following best practices for your own work situations:

• To simplify the assignment of permissions, you can grant the Everyone group Full Control share permission to all shares and use only NTFS permissions to control access. Restrict share permissions to the minimum required to provide an extra layer of security in case NTFS permissions are configured incorrectly.

• When permissions inheritance is blocked, you have the option to copy existing permissions or begin with blank permissions. If you only want to restrict a particular group or user, then copy existing permissions to simplify the configuration process.

Best practices related to managing shared folders

Supplement or modify the following best practices for your own work situations:

• If the guest user account is enabled on your computer, the Everyone group includes anyone. In practice, remove the Everyone group from any permission lists and replace it with the Authenticated Users group.

• Using a firewall other than that supplied with Windows 7 can interfere with the Network Discovery and file-sharing features.

Tools

Use the following Command Prompt tools to manage file and printer sharing.

Tool | Description
Net share | Share folders from the Command Prompt
Net use | Connect to shared resources from the Command Prompt
Cacls.exe | Configure NTFS file and folder permissions from the Command Prompt
Compact.exe | Compress NTFS files and folders from the Command Prompt
Pnputil.exe | Preinstall printer drivers into the driver store

Lab Review Questions and Answers

Question: You created the shared folder for all users. How can you simplify the process for users to access the folder from their computers?

Answer: You can create a shortcut on the user’s desktop for the shared folder or show the users how to map a network drive to the shared folder. In a domain environment, you can also use Group Policy settings to map the drive.

Question: You need to ensure that only specific users can access a shared folder across the network when they are logged on to the computer with the shared folder. How do you configure the permissions?

Answer: You will have to use NTFS permissions. Shared folder permissions are applied only when users access the folder from across the network.

Question: You need to ensure that users can manage only the print jobs that they have sent to a shared printer. Members of the HelpDesk group must be able to delete all print jobs. How do you configure the printer permissions?

Answer: By default, everyone has permission to print to a printer and to manage their own print jobs. You will have to assign the Manage documents permission to the HelpDesk group.

Module 4 Configuring Network Connectivity

Contents:

Lesson 1: Configuring IPv4 Network Connectivity

Lesson 2: Configuring IPv6 Network Connectivity

Lesson 3: Implementing Automatic IP Address Allocation

Lesson 5: Troubleshooting Network Issues

Module Reviews and Takeaways

Lab Review Questions and Answers

Lesson 1

Configuring IPv4 Network Connectivity

Contents: Question and Answers, Detailed Demo Steps

Question and Answers

What Are Public and Private IPv4 Addresses?

Question: Which of the following is not a private IP address?

a. 16.16.254

b. 16.18.5

c. 168.1.1

d. 255.255.254

Answer: A and B.

Demonstration: Configuring an IPv4 Address

Question: When might you need to change a computer’s IPv4 address?

Answer: You must ensure that all computers on your network have a unique IPv4 address. If two computers have the same IPv4 address, then you must change the IPv4 address on one of the two computers.

Detailed Demo Steps

Demonstration: Configuring an IPv4 Address

Detailed demonstration steps

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

3. At the command prompt, type “ipconfig /all” and then press ENTER. This displays the configuration for all network connections on the computer.

4. Close the command prompt.

5. Click Start and then click Control Panel.

6. Under Network and Internet, click View network status and tasks.

7. In Network and Sharing Center, to the right of the Contoso.com Domain network, click Local Area Connection 3. (Note: The local Area Connection number may be different in some cases.)

8. In the Local Area Connection 3 Status window, click Details. This window shows the same configuration information for this adapter as the ipconfig command.

9. In the Network Connection Details windows, click Close.

10. In the Local Area Connection 3 Status window, click Properties. This window allows you to configure protocols.

11. Click Internet Protocol Version 4 (TCP/IPv4) and then click Properties. You can configure the IP address, subnet mask, default gateway and DNS servers in this window.

12. Click Advanced. The Advanced TCP/IP Settings window allows you to configure additional settings such as additional IP addresses, DNS settings, and WINS servers for NetBIOS name resolution.

13. Close all open windows without modifying any settings.

Lesson 2

Configuring IPv6 Network Connectivity

Contents: Question and Answers, Detailed Demo Steps

Question and Answers

Demonstration: Configuring an IPv6 Address

Question: Do you typically manually assign IPv6 addresses to a computer?

Answer: IPv6 is designed so that in most circumstances it must be configured dynamically. Link-local addresses allow communication on the same IPv6 network without any configuration. However, to control access to resources based on IPv6 addresses, you may need to assign a static IPv6 address.

Detailed Demo Steps

Demonstration: Configuring an IPv6 Address

Detailed demonstration steps

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

3. At the command prompt, type “ipconfig /all” and then press ENTER. This displays all network connections for the computer. Notice that a link-local IPv6 address has been assigned.

4. Close the command prompt.

5. Click Start and then click Control Panel.

6. Under Network and Internet, click View network status and tasks.

7. In Network and Sharing Center, to the right of the Contoso.com Domain network, click Local Area Connection 3.

Note: The local Area Connection number may be different in some cases.

8. In the Local Area Connection 3 Status window, click Details. This window shows the same configuration information for this adapter as the ipconfig command.

9. In the Network Connection Details windows, click Close.

10. In the Local Area Connection 3 Status window, click Properties. This window allows you to configure protocols.

11. Click Internet Protocol Version 6 (TCP/IPv6) and then click Properties. You can configure the IPv6 address, subnet prefix length, default gateway, and DNS servers in this window.

12. Click Use the following IPv6 address and enter the following:

• IPv6 address: 2001:0DB8:0000:0000:02AA:00FF:FE28:9C5A

• Subnet prefix length: 64

13. Click Advanced. The Advanced TCP/IP Settings window allows you to configure additional settings such as additional IP addresses and DNS settings.

14. In the Advanced TCP/IP Settings window, click Cancel.

15. In the Internet Protocol Version 6 (TCP/IPv6) Properties window, click OK.

16. In the Local Area Connection 3 Properties window, click Close.

17. In the Local Area Connection 3 Status window, click Details. Verify that the new IPv6 address has been added.

18. Close all open windows.

Lesson 3

Implementing Automatic IP Address Allocation

Contents: Detailed Demo Steps

Detailed Demo Steps

Demonstration: Configuring a Computer to Obtain an IPv4 Address Dynamically

Detailed demonstration steps

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

3. At the command prompt, type “ipconfig /all” and then press ENTER. This displays all network connections for the computer.

4. Close the command prompt.

5. Click Start and then click Control Panel.

6. Under Network and Internet, click View network status and tasks.

7. In Network and Sharing Center, to the right of the Contoso.com Domain network, click Local Area Connection 3.

8. In the Local Area Connection 3 Status window, click Properties. This window allows you to configure protocols.

9. Click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

10. Click Obtain an IP address automatically. Notice that the Alternate Configuration tab becomes available when you do this.

11. Click Obtain DNS server address automatically.

12. Click the Alternate Configuration tab. Configuration information on this tab is used when no DHCP server is available.

13. Click OK to save the changes.

14. In the Local Area Connection 3 Properties window, click Close.

15. In the Local Area Connection 3 Status window, click Details. Notice that DHCP is enabled and the IP address of the DHCP server is displayed.

16. Close all open windows.

Lesson 5

Troubleshooting Network Issues

Contents: Question and Answers, Detailed Demo Steps

Question and Answers

Demonstration: Troubleshooting Common Network Related Problems

Question: How is the ping command useful for troubleshooting?

Answer: The ping command can be used to verify connectivity between hosts. However, be aware that a firewall can block ping packets but still allow the packets for other applications. If you obtain a response to a ping attempt, the host is definitely running. However, if you do not obtain a response to a ping attempt, the host may still be functional.

Detailed Demo Steps

Demonstration: Troubleshooting Common Network Related Problems

Detailed demonstration steps

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Accessories, and then click Command Prompt.

3. At the command prompt, type “ipconfig /all” and then press ENTER. This displays all network connections for the computer, including all network adapter configuration information.

4. At the command prompt, type “ipconfig /displaydns” and then press ENTER. This displays the contents of the DNS cache.

5. At the command prompt, type “ipconfig /flushdns” and then press ENTER. This clears the contents of the DNS cache.

6. At the command prompt, type “ping 127.0.0.1” and then press ENTER. This pings the local host.

7. At the command prompt, type “ping 10.10.0.10” and then press ENTER. This verifies connectivity to LON-DC1 by using an IPv4 address.

8. At the command prompt, type “ping LON-DC1” and then press ENTER. This verifies connectivity to LON-DC1 by using a host name.

9. At the command prompt, type “nslookup -d1 LON-DC1” and then press ENTER. This provides detailed information about the host name resolution. You can use the -d2 option for even more detail.

10. Close the command prompt.

Module Reviews and Takeaways

Review questions

Question 1: After starting her computer, Amy notices that she is unable to access her normal Enterprise Resources. What tool can she use to determine if she has a valid IP address?

Answer: Run IPConfig /All or Ping your domain controller’s IP Address

Question 2: When transmitting Accounts Receivable updates to the billing partner in China, Amy notices that the files are being transmitted slowly. What tool can she use to determine the network path and latency of the network?

Answer: Use Windows Diagnostics to identify the problem or use Pathping.exe to check for latency

Question 3: Amy notices that she cannot access normal Enterprise Web sites. She knows that she has a valid IP address but wants to troubleshoot the DNS access of her computer. What tool must she use?

Answer: Use NSLookup.exe to troubleshoot DNS access issues

Question 4: What is the IPv6 equivalent of an IPv4 APIPA address?

Answer: IPv6 link-local addresses

Question 5: You are troubleshooting a network-related problem and you suspect a name resolution issue. Before conducting tests, you want to purge the DNS resolver cache. How do you do that?

Answer: Use IPConfig /flushdns to clear the DNS Resolver Cache

Question 6: You are troubleshooting a network-related problem. The IP address of the host you are troubleshooting is 169.254.16.17. What is a possible cause of the problem?

Answer: The DHCP server is unavailable to the host
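The checks in Questions 1, 4 and 6 above (is the address valid, is it an APIPA or IPv6 link-local address, was a DHCP server reached) can be automated over `ipconfig /all` output. The following Python code is an added example, not part of the courseware; the sample output is constructed for illustration, and the function names and finding text are assumptions.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not captured from a real host).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LON-CL1

Ethernet adapter Local Area Connection 3:

   Physical Address. . . . . . . . . : 00-15-5D-00-00-01
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.16.17(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2aa:ff:fe28:9c5a%11(Preferred)

Ethernet adapter Local Area Connection 4:

   Physical Address. . . . . . . . . : 00-15-5D-00-00-02
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.0.50(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%12(Preferred)
   DHCP Server . . . . . . . . . . . : 10.10.0.10
"""

APIPA_NET = ipaddress.ip_network("169.254.0.0/16")
# "   Label . . . . : value" -> (label, value); the label never contains '.' or ':'
FIELD = re.compile(r"^\s+([^.:]+?)[\s.]*:\s*(.*)$")


def normalize(addr):
    """Return the canonical (compressed, lower-case) text form of an address."""
    return str(ipaddress.ip_address(addr))


def classify(addr):
    """Classify an address as apipa, ipv6-link-local, private-ipv4 or other."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4 and ip in APIPA_NET:
        return "apipa"
    if ip.version == 6 and ip.is_link_local:
        return "ipv6-link-local"
    if ip.version == 4 and ip.is_private:
        return "private-ipv4"
    return "other"


def parse_ipconfig(text):
    """Collect DHCP state and IP addresses per adapter section."""
    adapters, current = {}, None
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip()[:-1]
            adapters[current] = {"dhcp_enabled": None, "dhcp_server": None,
                                 "addresses": []}
            continue
        m = FIELD.match(line)
        if m is None or current is None:
            continue
        label, value = m.group(1).strip(), m.group(2).strip()
        info = adapters[current]
        if label == "DHCP Enabled":
            info["dhcp_enabled"] = value == "Yes"
        elif label == "DHCP Server":
            info["dhcp_server"] = value
        elif "IPv" in label and label.endswith("Address"):
            # Drop the "(Preferred)" state suffix and any IPv6 zone index.
            raw = value.split("(")[0].split("%")[0]
            try:
                info["addresses"].append(normalize(raw))
            except ValueError:
                pass  # not an address after all; ignore the field
    return adapters


def triage(text):
    """Return (adapter, finding) for adapters that fell back to APIPA."""
    findings = []
    for name, info in parse_ipconfig(text).items():
        kinds = {classify(a) for a in info["addresses"]}
        if "apipa" in kinds and info["dhcp_enabled"]:
            findings.append((name, "APIPA address in use: no DHCP server "
                                   "answered, communication is limited to "
                                   "the local network"))
    return findings


if __name__ == "__main__":
    for adapter, finding in triage(SAMPLE_IPCONFIG):
        print(f"{adapter}: {finding}")
```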

Common issues related to network connectivity

Identify the causes for the following common issues and fill in the troubleshooting tips. For answers, refer to relevant lessons in the module and the course companion CD content.

Issue | Troubleshooting tip
Windows 7 host cannot connect to a SharePoint site | Use Windows Diagnostics to identify the problem
Windows 7 host cannot access the database server | Use IPConfig tool to view, renew, or release an IP Address
Windows 7 host cannot connect to the Internet | Use Ping to test the connectivity to the DNS Server
DNS server is not resolving FQDNs correctly | Use the flushdns option with IPConfig

Tools

You can use the following tools to troubleshoot network connectivity issues.

Tool | Description
Network and Sharing Center | The Network and Sharing Center informs you about your network and verifies whether your PC can successfully access the Internet; then, it summarizes this info in the form of a Network Map.
Netsh.exe | A command that you can use to configure network properties from the command-line.
Pathping.exe | A command-line tool that combines the functionality of Ping and Tracert, and that you can use to troubleshoot network latency and provide information about path data.
Nslookup.exe | A command-line tool that you can use to test and troubleshoot DNS and name resolution issues.
IPConfig.exe | A general IP configuration and troubleshooting tool.
Ping.exe | A basic command-line tool that you can use for verifying IP connectivity.
Tracert.exe | Similar to Pathping, which provides information about network routes.


Lab Review Questions and Answers

Question: How are APIPA addresses for IPv4 similar to link-local addresses in IPv6?

Answer: Both APIPA addresses and IPv6 link-local addresses are designed to allow computers to communicate on the local network automatically without the use of a DHCP server or any other IP address configuration. However, an APIPA address is only used when a DHCPv4 server is unavailable. An IPv6 link-local address is always generated for a host using IPv6. Additional IPv6 addresses can still be obtained for communication outside the local network.

Question: How can you update a Windows 7 computer to use the correct information after a host record is updated in DNS, but the Windows 7 computer is still resolving the name to the previous IP address?

Answer: When a computer resolves a name to an IP address by using DNS, the name and IP address are cached locally. You can clear this cache at a command prompt with the command ipconfig /flushdns.


Module 5

Configuring Wireless Network Connections

Contents:

Lesson 2: Configuring a Wireless Network

Module Reviews and Takeaways

Lab Review Questions and Answers


Lesson 2

Configuring a Wireless Network

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

Demonstration: Connecting to a Wireless Network

Question: What advanced wireless settings do you consider that improve security?

Answer: A list of MAC addresses that are allowed to connect to the WAP.

Question: Can a user connect a computer to an unlisted network if he or she does not know the SSID?

Answer: Yes, the user can scan for networks and some tools provide information about unlisted networks. Hiding or not broadcasting the SSID only provides basic protection.

Question: What are possible issues that arise when you connect to unsecured networks?

Answer: Your information can be viewed by other parties on the network.

Improving the Wireless Signal Strength

Question: What devices can interfere with a wireless network signal?

Answer: The IEEE 802.11b and the IEEE 802.11g standard use the S-Band Industrial, Scientific and Medical (ISM) frequency range, which ranges from 2.4 to 2.5 GHz. This frequency range is also used by devices such as microwave ovens, cordless phones, baby monitors, wireless video cameras, and Bluetooth adapters, which may cause interference to the wireless network signal.

The IEEE 802.11a uses the C-Band ISM, which ranges from 5.725 to 5.875 GHz. Therefore, fewer devices will cause interference with a wireless network using this standard.


Detailed Demo Steps

Demonstration: Connecting to a Wireless Network

Detailed demonstration steps

How to configure a wireless AP

The following are the various steps in the demonstration:

1. Click Start and then click Network to view a list of devices available.

2. Right-click the wireless AP and click View device webpage to configure the device.

3. Enter the required credentials. These usually come from the device’s manufacturer. It is recommended to change these credentials after the initial configuration of the wireless AP.

4. Click Wireless Settings. This is a Netgear router. Note that other devices may have different administrative interfaces, but they contain similar settings.

5. Enter ADATUM in Name (SSID) to change the default SSID to something relevant to your organization.

6. You can change the channel to avoid interference from other devices.

7. Select g only for mode to configure the 802.11 mode. If you have older 802.11b devices, you can enable support for them.

8. Clear Allow Broadcast of Name (SSID) to prevent the wireless AP from broadcasting its SSID.

9. Select WPA2 with PSK. The particular security options vary between manufacturers, but typically include the ones offered here: WEP, WPA and WPA2, and support for both PSK and Enterprise options.

Note: If you select an enterprise option, you must provide additional information about how authentication is handled within your organization. For example, the name of a RADIUS server and other settings.

10. Enter Pa$$w0rd in the Network Key.

11. Click Apply to save the settings. Most wireless APs have a separate persistent save which means that the device remembers the settings even after you power it down and start again.

12. Most wireless APs also provide options for more advanced settings. These include MAC address filtering and bridging and are out of the scope of this demonstration.

13. Close all open windows.

How to connect to an unlisted wireless network

The following are the various steps in the demonstration:

1. Right-click the wireless network icon on the system tray and click Open Network and Sharing Center.


2. Click Manage wireless networks.

3. Click Add to launch the wizard to guide you through the process of defining the properties of the network.

4. Click Manually create a network profile to configure an infrastructure network.

5. Enter ADATUM in Network name, select WPA2-Personal for Security type, select AES for Encryption type, and enter Pa$$w0rd for Security Key/Passphrase to define the appropriate SSID and the security settings that correspond to those defined on the wireless AP.

Note: The specifics of the settings vary from network to network. In addition, the options available may be restricted by Group Policy. Your ability to create a network connection may be restricted.

6. Click Next to connect to the network and then click Close.

7. Right-click the wireless network icon on the system tray and click Open Network and Sharing Center. Click Wireless Network Connection (ADATUM) to view the status of the network.

8. Click Close to close the Wireless Network Connection Status dialog box.

9. By default, all networks are placed in the Public network profile, which is the most restrictive. From the Network and Sharing Center, click Public network.

10. Click Work Network and then click Close. Once you define a network location profile for a network connection, Windows remembers it for subsequent connections to that network.

11. Close all open windows.
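The profile that the wizard builds in the steps above can also be imported from the command line with Netsh, which this module lists as a tool. The following is an added example, not part of the course material: New-WlanProfileXml and the temporary file name are hypothetical, the passphrase is prompted for instead of being stored in the script, and a wireless adapter with the WLAN AutoConfig service running is assumed.

```powershell
# Added example: build a WPA2-Personal/AES profile for the non-broadcast SSID
# used in the demonstration and import it with netsh.
# New-WlanProfileXml is a hypothetical helper name.

function New-WlanProfileXml {
    param(
        [Parameter(Mandatory = $true)][string] $Ssid,
        [Parameter(Mandatory = $true)][string] $Passphrase
    )
    # A WPA2-Personal passphrase is 8 to 63 characters long.
    if ($Passphrase.Length -lt 8 -or $Passphrase.Length -gt 63) {
        throw 'Passphrase must be 8 to 63 characters long.'
    }
    # Escape XML metacharacters so a name or key containing & or < stays valid.
    $ssidXml = [System.Security.SecurityElement]::Escape($Ssid)
    $keyXml  = [System.Security.SecurityElement]::Escape($Passphrase)

    # nonBroadcast=true matches "Connect even if the network is not
    # broadcasting"; the client then names the SSID in its own probe requests,
    # so connectionMode is left manual here instead of auto.
@"
<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>$ssidXml</name>
  <SSIDConfig>
    <SSID><name>$ssidXml</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>manual</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>$keyXml</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"@
}

# Prompt for the key so it never appears in the script or the command history.
$secure = Read-Host -Prompt 'Passphrase for ADATUM' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

$file = Join-Path $env:TEMP 'ADATUM-wlan.xml'   # assumed scratch location
try {
    New-WlanProfileXml -Ssid 'ADATUM' -Passphrase $plain |
        Set-Content -Path $file -Encoding UTF8
    netsh wlan add profile "filename=$file" user=current
    if ($LASTEXITCODE -ne 0) { throw 'netsh could not import the profile.' }
    # Confirm authentication and cipher as Windows stored them.
    netsh wlan show profiles name=ADATUM
}
finally {
    # The XML holds the passphrase in clear text until it is deleted.
    Remove-Item -Path $file -ErrorAction SilentlyContinue
    $plain = $null
}
```

Connect afterwards with `netsh wlan connect name=ADATUM`; the network location still has to be chosen as in steps 9 and 10.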

How to connect to a public wireless network

The following are the various steps in the demonstration:

1. Right-click the wireless network icon on the system tray and click Open Network and Sharing Center to view the available networks. You can also click the wireless network icon on the system tray to view the available networks.

2. Notice that there is a wireless network available; the shield icon next to the wireless signal icon denotes that the wireless network is open. This can cause a possible security issue. Always be careful when connecting to public networks.

3. Click the wireless network, select Connect Automatically, and then click Connect. This connects you to the wireless network.

4. Windows prompts the user to define the network location profile. Select public.

5. Click Close and then close the Network and Sharing Center.


Module Reviews and Takeaways

Common issues related to finding wireless networks and improving signal strength

The following table lists common issues related to finding wireless networks and improving signal strength.

Problem Troubleshooting Tips

Proximity or physical obstruction

• Ensure that your client computer is as close as possible to the wireless AP.

• If you are unable to get closer to the wireless AP, consider installing an external antenna to your wireless network adapter.

• Check for physical objects that may cause interference, such as a thick wall or metal cabinet and consider removing the physical objects or repositioning the wireless AP or the client.

• Add wireless APs to the wireless network whenever applicable.

Interference from other signal

• Check for devices that may cause interference, such as cordless phones, Bluetooth devices or any other wireless devices. Turn them off or move them farther away.

• Consider changing the wireless AP settings to use a different wireless channel, or set the channel to be selected automatically if it is set to a fixed channel number.

Cannot detect wireless network

• Check that your wireless network adapter has the correct driver and is working properly.

• Check your computer for an external switch for the wireless network adapter.

• Check that the wireless AP is turned on and working properly.

• Check whether the wireless AP is configured to advertise its SSID.

Windows is not configured to connect to the right type of network

• Check the information that came with the router or access point to find out what connection mode the device is set to. The mode must be either ad hoc (when devices communicate directly without going through a router or access point) or infrastructure (when devices communicate by going through a router or access point). Make sure the setting in Windows for this network matches the setting on the device.

The router or wireless AP is busy

• If you have other computers that are connecting to the network, try temporarily disconnecting them.

The wireless network adapter is in monitor mode

• If a network monitoring program is running on your computer, the wireless network adapter will be set to monitor mode, which prevents Windows from connecting to wireless networks. To connect to a wireless network, close the network monitoring program or follow the instructions in the program to exit monitor mode.


Real-world issues and scenarios

Question 1: You are implementing wireless networking in your organization. Which wireless network technology standards and which type of security (authentication and encryption) will you choose?

Answer: There are two main considerations that you need to take into account when choosing a wireless network technology standard: speed and cost. If possible, choose the latest standard, which is 802.11n because it gives you the best signal strength and the highest maximum speed.

One of the drawbacks of this standard is that it is still under development. Even so, many devices already support this standard based on the Draft 2 proposal. Another consideration is that devices that support this standard tend to be more expensive than the ones that support 802.11g.

Always choose the highest level of security available. In this case, WPA and WPA2 both enable secure authentication and encryption. Select the Enterprise mode for WPA/WPA2 because it offers centralized management of authentication with RADIUS servers.

Question 2: Your organization already has a wireless network in place. Your users are complaining that the performance of the wireless network is not as good as the wired network. What can you do to increase the performance of the wireless network?

Answer: Consider three main areas that can improve the performance of your wireless network: proximity, obstruction, and interference. Based on these areas, you can implement one or more solutions, such as adding wireless APs or removing obstruction and interference. Refer to the “Improving the Wireless Signal Strength” topic for more information.

Tools

Tool | Use to | Where to find it
Network and Sharing Center | Configure network settings | Control Panel, Systray
Connect to a Network | Configure Windows 7-based client to connect to a wireless network | Network and Sharing Center, Systray
Netsh | Configure local or remote network settings | Command prompt
Windows Network Diagnostics | Troubleshoot access to wireless networks | Network and Sharing Center, Systray


Lab Review Questions and Answers

Question: In the lab, you were tasked with making the wireless network as secure as possible. Is this appropriate in situations where you want to make the wireless network accessible to anyone, for example, in a coffee shop? How will you go about configuring the wireless infrastructure to support access in this way?

Answer: No, using the settings in the lab results in the network being inaccessible to anyone except specifically authorized users and computers. To make the network accessible for anyone, enable broadcast of the SSID to make the network more visible. In addition, configure the network for Open security – that is, no certificate or shared key or other authentication mechanism is required to connect.

Question: Is it advisable to connect this less-restricted wireless network to your corporate network?

Answer: No, it is ill advised. Since you have little control over who connects to the network, or the status of their computer, enabling unrestricted access to the corporate network introduces security challenges.

Question: Can you think of a way in which legitimate users from your organization can connect wirelessly to your infrastructure from the same coffee shop area, while not providing the same access to anonymous users?

Answer: Provide two wireless access points, and configure your users’ computers with GPO to only connect to the defined wireless networks; these networks require the high-level authentication settings discussed in the lab. Conversely, anonymous users will see only the open network. Care must be taken to avoid interference between the two networks.


Module 6

Securing Windows® 7 Desktops

Contents:

Lesson 1: Overview of Security Management in Windows 7

Lesson 2: Securing a Windows 7 Client Computer by Using Local Security Policy Settings

Lesson 3: Securing Data by Using EFS and BitLocker

Lesson 4: Configuring Application Restrictions

Lesson 5: Configuring User Account Control

Lesson 6: Configuring Security Settings in Windows Internet Explorer 8

Lesson 7: Configuring Windows Defender

Lesson 8: Configuring Windows Defender

Module Reviews and Takeaways

Lab Review Questions and Answers


Lesson 1

Overview of Security Management in Windows 7

Contents:

Detailed Demo Steps


Detailed Demo Steps

Demonstration: Configuring Action Center Settings

Detailed demonstration steps

Change Action Center Settings

1. Log on to the LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start and then click Control Panel.

3. In Control Panel, click System and Security and then click Action Center.

4. Click the down arrow next to Security and scroll down to review the settings.

5. Click Change Action Center Settings in the left window pane.

6. Under Maintenance Messages, ensure that the Windows Troubleshooting and Windows Backup check boxes are cleared and then click OK.

Change User Control Settings

1. Click Change User Account Control Settings in the left window pane.

2. Move the slide bar down by one setting and then click OK.

View archived messages

1. Select View archived messages in the left window pane.

2. View any archived messages about computer problems and then click OK.

3. Close the Action Center window.


Lesson 2

Securing a Windows 7 Client Computer by Using Local Security Policy Settings

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

How Multiple Local Group Policies Work

Question: An administrator disables the setting titled “Disable the Security page” in the Local Group Policy object. The administrator then enables the same setting in a user-specific Local Group Policy object. The user logging on to the computer is not an administrator. Which policy setting will be applied to this Local Group Policy object?

Answer: Windows reads the Local Group Policy object first, followed by the Non-Administrators Local Group Policy object, and then the user-specific Local Group Policy object. The state of the policy setting is disabled when Windows reads the Local Group Policy object. The policy setting is not configured in the Non-Administrators Local Group Policy object. This has no effect on the state of the setting, so it remains enabled. The policy setting is enabled in the user-specific Local Group Policy object. This changes the state of the setting to Enabled. Windows reads the user-specific Local Group Policy object last; therefore, it has the highest precedence. The Local Computer Policy has a lower precedence.


Detailed Demo Steps

Demonstration: Creating Multiple Local Group Policies

Detailed demonstration steps

Create a custom management console

1. Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, in the Search programs and files box, type “mmc” and then press ENTER.

3. In Console1 – [Console Root], click File and then click Add/Remove Snap-in.

4. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy Object Editor and then click Add.

5. In the Select Group Policy Object dialog box, click Finish.

6. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy Object Editor and then click Add.

7. In the Select Group Policy Object dialog box, click Browse.

8. In the Browse for a Group Policy Object dialog box, click the Users tab.

9. In the Local Users and Groups compatible with Local Group Policy list, click Administrators and then click OK.

10. In the Select Group Policy Object dialog box, click Finish.

11. In the Add or Remove Snap-ins dialog box, in the Available snap-ins list, click Group Policy Object Editor and then click Add.

12. In the Select Group Policy Object dialog box, click Browse.

13. In the Browse for a Group Policy Object dialog box, click the Users tab.

14. In the Local Users and Groups compatible with Local Group Policy list, click Non-Administrators and then click OK.

15. In the Select Group Policy Object dialog box, click Finish.

16. In the Add or Remove Snap-ins dialog box, click OK.

17. In Console1 – [Console Root], on the menu, click File and then click Save.

18. In the Save As dialog box, click Desktop.

19. In the File name box, type “Multiple Local Group Policy Editor” and then click Save.

Configure the Local Computer Policy

1. In Multiple Local Group Policy Editor – [Console Root], in the tree, expand Local Computer Policy.

2. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).

3. In the results pane, double-click Logon.

4. In the Logon Properties dialog box, click Add.

5. In the Add a Script dialog box, click Browse.


6. In the Browse dialog box, right-click in the empty folder, point to New, click Text Document, and then press ENTER.

7. Right-click New Text Document, and then click Edit.

8. Type “msgbox “Default Computer Policy” ”, click File, click Save As.

9. Type “ComputerScript.vbs”, change Save as type: to All Files, and then click Save.

10. Close ComputerScript.vbs.

11. In the Browse dialog box, click on the ComputerScript file and then click Open.

12. In the Add a Script dialog box, click OK.

13. In the Logon Properties dialog box, click OK.

Configure the Local Computer Administrators Policy

1. In Multiple Local Group Policy Editor – [Console Root], in the tree, expand Local Computer\Administrators Policy.

2. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).

3. In the results pane, double-click Logon.

4. In the Logon Properties dialog box, click Add.

5. In the Add a Script dialog box, click Browse.

6. In the Browse dialog box, right-click in the empty folder, click New, click Text Document, and then press ENTER.

7. Right-click New Text Document and then click Edit.

8. Type “msgbox “Default Administrator’s Policy” ”, click File, and then click Save As.

9. Type “AdminScript.vbs”, change Save as type: to All Files, and then click Save.

10. Close AdminScript.vbs.

11. In the Browse dialog box, click on the AdminScript file and then click Open.

12. In the Add a Script dialog box, click OK.

13. In the Logon Properties dialog box, click OK.

Configure the Local Computer Non-Administrators Policy

1. In Multiple Local Group Policy Editor – [Console Root], in the tree, expand Local Computer\Non-Administrators Policy.

2. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).

3. In the results pane, double-click Logon.

4. In the Logon Properties dialog box, click Add.

5. In the Add a Script dialog box, click Browse.

6. In the Browse dialog box, right-click in the empty folder, click New, click Text Document, and then press ENTER.

7. Right-click New Text Document and then click Edit.


8. Type “msgbox “Default User’s Policy” ”, click File, and then click Save As.

9. Type “UserScript.vbs”, change Save as type: to All Files, and then click Save.

10. Close UserScript.vbs.

11. In the Browse dialog box, click on the UserScript file and then click Open.

12. In the Add a Script dialog box, click OK.

13. In the Logon Properties dialog box, click OK.

14. Log off of LON-CL1.

Test Multiple Local Group Policies

1. Log on to LON-CL1 as Contoso\Adam with a password of Pa$$w0rd.

2. Click OK when prompted by the message box and then click OK again.

3. Log off.

4. Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

5. Click OK when prompted by the message box and then click OK again.

6. On the desktop, right-click Multiple Local Group Policy Editor and then click Open.

7. In Multiple Local Group Policy Editor – [Console Root], in the tree, expand Local Computer\Non-Administrators Policy.

8. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).

9. In the results pane, double-click Logon.

10. In the Logon Properties dialog box, click Remove and then click OK.

11. In Multiple Local Group Policy Editor – [Console Root], in the tree, expand Local Computer\Administrators Policy.

12. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).

13. In the results pane, double-click Logon.

14. In the Logon Properties dialog box, click Remove and then click OK.

15. In Multiple Local Group Policy Editor – [Console Root], in the tree, expand Local Computer Policy.

16. Expand User Configuration, expand Windows Settings, and then click Scripts (Logon/Logoff).

17. In the results pane, double-click Logon.

18. In the Logon Properties dialog box, click Remove and then click OK.

19. Close the Multiple Local Group Policy Editor – [Console Root] snap-in.

20. Click Yes if prompted to save.

21. Log off.
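To confirm that the clean-up steps above left no logon script behind, the local GPO layers can be read from disk in the order described under How Multiple Local Group Policies Work: Local Computer Policy first, then Administrators or Non-Administrators, then user-specific. This is an added example, not part of the course material; the function names are hypothetical, and an elevated 64-bit PowerShell session is assumed.

```powershell
# Added example: report the logon/logoff scripts defined in each local GPO layer.
# Windows keeps the Local Computer Policy under System32\GroupPolicy and the
# Administrators, Non-Administrators and per-user layers under
# System32\GroupPolicyUsers\<SID>. Function names below are hypothetical.

$gpoRoot   = Join-Path $env:SystemRoot 'System32\GroupPolicy'
$usersRoot = Join-Path $env:SystemRoot 'System32\GroupPolicyUsers'

function Get-LocalGpoLayer {
    # Order 1 is read first; the layer read last has the highest precedence.
    New-Object PSObject -Property @{
        Order = 1; Layer = 'Local Computer Policy'; Path = $gpoRoot }

    if (-not (Test-Path -LiteralPath $usersRoot)) { return }

    $dirs = Get-ChildItem -Path $usersRoot -Force | Where-Object { $_.PSIsContainer }
    foreach ($dir in $dirs) {
        switch ($dir.Name) {
            'S-1-5-32-544' { $order = 2; $label = 'Administrators' }
            'S-1-5-32-545' { $order = 2; $label = 'Non-Administrators' }
            default {
                # Any other folder is a user-specific layer named by the user's SID.
                $order = 3
                try {
                    $sid   = New-Object System.Security.Principal.SecurityIdentifier($dir.Name)
                    $label = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $label = $dir.Name   # SID could not be resolved; keep it raw
                }
            }
        }
        New-Object PSObject -Property @{
            Order = $order; Layer = $label; Path = $dir.FullName }
    }
}

function Get-GpoUserScript {
    param([Parameter(Mandatory = $true)][string] $GpoPath)

    # User Configuration scripts are listed in a hidden INI file per layer.
    $ini = Join-Path $GpoPath 'User\Scripts\scripts.ini'
    if (-not [System.IO.File]::Exists($ini)) { return }

    $section = ''
    foreach ($line in [System.IO.File]::ReadAllLines($ini)) {
        if ($line -match '^\[(.+)\]\s*$') {          # [Logon] or [Logoff]
            $section = $Matches[1]
            continue
        }
        if ($line -match '^(\d+)CmdLine=(.*)$') {    # e.g. 0CmdLine=UserScript.vbs
            New-Object PSObject -Property @{
                Event = $section; Index = [int]$Matches[1]; CmdLine = $Matches[2] }
        }
    }
}

function Get-LocalGpoScriptReport {
    $layers = @(Get-LocalGpoLayer | Sort-Object Order, Layer)
    foreach ($layer in $layers) {
        $scripts = @(Get-GpoUserScript -GpoPath $layer.Path)
        if ($scripts.Count -eq 0) {
            New-Object PSObject -Property @{
                Order = $layer.Order; Layer = $layer.Layer
                Event = ''; CmdLine = '(none)' }
            continue
        }
        foreach ($script in $scripts) {
            New-Object PSObject -Property @{
                Order = $layer.Order; Layer = $layer.Layer
                Event = $script.Event; CmdLine = $script.CmdLine }
        }
    }
}

Get-LocalGpoScriptReport | Format-Table Order, Layer, Event, CmdLine -AutoSize
```

Run before step 10, the report lists ComputerScript.vbs, AdminScript.vbs and UserScript.vbs against their layers; any script still listed after step 21 was not removed.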


Demonstration: Configuring Local Security Policy Settings

Detailed demonstration steps

Review the local security group policy settings

1. Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, and in the Search programs and files box, type “gpedit.msc” and then press ENTER.

3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.

4. Expand Account Policies and then click Password Policy.

5. Click Account Lockout Policy.

6. In the left pane, click and expand Local Policies and then click Audit Policy.

7. In the main window, right-click Audit account management and then select Properties.

8. In the Audit account management Properties dialog box, select Success and Failure and then click OK.

9. Click User Rights Assignments.

10. Click Security Options.

11. In the left pane, click and expand Windows Firewall with Advanced Security and then click Windows Firewall with Advanced Security – Local Group Policy Object.

12. In the left pane, click Network List Manager Policies.

13. In the left pane, click and expand Public Key Policies and then click Encrypting File System.

14. Click BitLocker Drive Encryption.

15. In the left pane, click Software Restriction Policies.

16. In the left pane, click and expand Application Control Policies.

17. Click and expand AppLocker.

18. In the left pane, click IP Security Policies on Local Computer.

19. In the left pane, click and expand Advanced Audit Policy Configuration.

20. Click and expand System Audit Policies – Local Group Policy Object.

21. Close the Local Group Policy Editor.

22. Log off LON-CL1.


Lesson 3

Securing Data by Using EFS and BitLocker

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

What Is EFS?

Question: Explain why system folders cannot be marked for encryption.

Answer: EFS keys are not available during the startup process; therefore, if system files are encrypted, the system cannot start.

What Is BitLocker?

Question: BitLocker provides full volume encryption. What does this mean?

Answer: Full volume encryption means: 1) the entire Windows operating system volume can be encrypted, and 2) fixed data volumes can be encrypted (with the requirement that the OS volume is also encrypted).

BitLocker Modes

Question: What is a disadvantage of running BitLocker on a computer that does not contain TPM 1.2?

Answer: Computers without TPMs will not be able to use the system integrity verification during boot-up that BitLocker can also provide.

Configuring BitLocker

Question: When turning on BitLocker on a computer with TPM version 1.2, what is the purpose of saving the recovery password?

Answer: If the TPM ever changes or cannot be accessed, if there are changes to key system files, or if someone tries to start the computer from a product CD or DVD to circumvent the operating system, the computer will switch to recovery mode and will remain there until the user provides the recovery password. Storing the recovery password so that it is accessible to the user allows him or her to complete the startup process.

Configuring BitLocker to Go

Question: How do you enable BitLocker To Go for a USB flash drive?

Answer: Insert the drive, and in Windows Explorer, right-click the drive and then click Turn On BitLocker.

Recovering BitLocker Encrypted Drives

Question: What is the difference between the recovery password and the password ID?

Answer: The recovery password is a 48-digit password and is used to unlock a system in recovery mode. The recovery password is unique to a particular BitLocker encryption and can be stored in Active Directory. A computer’s password ID is a 32-character password unique to a Computer Name.


Find the password ID under a Computer’s properties, which you can use to locate recovery passwords stored in Active Directory.


Detailed Demo Steps

Demonstration: Encrypting and Decrypting Files and Folders by Using EFS

Detailed demonstration steps

Encrypt files and folders

1. Log on to the LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start and then click Computer.

3. Double-click Local Disk (C:).

4. Right-click an empty space in the Name column, point to New, and then click Folder.

5. Type “Encrypted” in the folder name and then press ENTER.

6. Double-click Encrypted, and then right-click an empty space in the Name column, point to New, and then click Microsoft Office Word Document.

7. Type “Private” and then press ENTER.

8. Click the left arrow in the menu bar to return to Local Disk (C:).

9. Right-click the Encrypted folder and then click Properties.

10. On the General tab, click Advanced.

11. Select the Encrypt contents to secure data check box and then click OK.

12. In the Encrypted Properties dialog box, click OK, and then in the Confirm Attribute Changes dialog box, click Apply changes to this folder, subfolders and files.

13. Click OK.

14. Click OK to close the Encrypted Properties dialog box and then log off.

Confirm that the files and folders are encrypted

1. Log on to the LON-CL1 as Contoso\Adam with a password of Pa$$w0rd.

2. Click Start and then click Computer.

3. Double-click Local Disk (C:).

4. Double-click the Encrypted folder.

5. Double-click Private.

6. Click OK when prompted with a message.

7. Click OK to close the User Name box.

8. Close the file.

9. Log off.

Decrypt files and folders

1. Log on to the LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, click Computer, and then double-click Local Disk (C:).


3. Right-click the Encrypted folder and then click Properties.

4. On the General tab, click Advanced.

5. Clear the Encrypt contents to secure data check box and then click OK.

6. Click OK to close the Encrypted Properties dialog box.

7. In the Confirm Attribute Changes dialog box, click OK.

8. Log off.

Confirm that the files and folders are decrypted

1. Log on to the LON-CL1 as Contoso\Adam with a password of Pa$$w0rd.

2. Click Start and then click Computer.

3. Double-click Local Disk (C:).

4. Double-click the Encrypted folder.

5. Double-click Private.

6. Type “decrypted” in the file.

7. Save and close the file.

8. Log off.


Lesson 4

Configuring Application Restrictions

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

What Is AppLocker?

Question: What are some of the applications that are good candidates for applying an AppLocker rule?

Answer: The suggestions from the class will vary.

AppLocker Rules

Question: When testing AppLocker, you must carefully consider how you will organize rules between linked GPOs. What do you do if a GPO does not contain the default AppLocker rules?

Answer: If a GPO does not contain the default rules, then either add the rules directly to the GPO or add them to a GPO that links to it.

Demonstration: Enforcing AppLocker Rules

Question: What is the command to update the computer’s policy and where is it run?

Answer: The command is gpupdate /force and it is run as an administrator in the command prompt.

What Are Software Restriction Policies?

Question: Why must AppLocker rules be defined in a GPO separate from SRP rules?

Answer: AppLocker rules are completely separate from SRP rules and cannot be used to manage pre-Windows 7 computers. The two policies are also separate. If AppLocker rules have been defined in a Group Policy Object (GPO), only those rules are applied. Therefore, define AppLocker rules in a separate GPO to ensure interoperability between SRP and AppLocker policies.


Detailed Demo Steps

Demonstration: Configuring AppLocker Rules

Detailed demonstration steps

Create a new executable rule

1. Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, and in the Search programs and files box, type “gpedit.msc” and then press ENTER.

3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.

4. Expand Application Control Policies and then double-click AppLocker.

5. Click Executable Rules and then right-click and select Create New Rule.

6. Click Next.

7. On the Permissions screen, select Deny and then click the Select… button.

8. In the Select User or Group dialog box, in the Enter the object names to select (examples) box, type “Contoso\Marketing”, click Check Names, and then click OK.

9. Click Next.

10. On the Conditions screen, select Path and then click Next.

11. Click the Browse Files… button and then click Local Disk (C:).

12. Double-click Windows, select Regedit, and then click Open.

13. Click Next.

14. Click Next again and then click Create.

15. Click Yes when prompted to create default rules.

Create a new Windows Installer Rule

1. Select Windows Installer Rules and then right-click and select Create New Rule.

2. Click Next.

3. On the Permissions screen, click Deny and then click Next.

4. On the Conditions screen, select Publisher and then click Next.

5. Click the Browse… button, browse to E:\Labfiles\Mod06, select Microsoft Article Authoring Add-In, and then click Open.

6. On the Publisher screen, move the slide bar up by three settings so that the rule scope is set to Applies to all files signed by the specified publisher.

7. Click Next.

8. Click Next again and then click Create.

9. Click Yes when prompted to create default rules.

Automatically generate the Script Rules

1. Select Script Rules and then right-click and select the Automatically Generate Rules… option.

2. In Automatically Generate Script Rules, on the Folder and Permissions screen, click Next.

3. Click Next again.

4. Click Create.

5. Click Yes when prompted to create default rules.

6. Close the Local Group Policy Editor and then log off.

Demonstration: Enforcing AppLocker Rules

Detailed demonstration steps

Enforce AppLocker rules

1. Log on to LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, and in the Search programs and files box, type “gpedit.msc” and then press ENTER.

3. In the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, and then expand Security Settings.

4. Expand Application Control Policies.

5. Click AppLocker and then right-click and select Properties.

6. On the Enforcement tab, under Executable rules, click the Configured check box and then select Enforce rules.

7. On the Enforcement tab, under Windows Installer rules, click the Configured check box and then select Audit only.

8. Click OK.

9. Close the Local Group Policy Editor.

Confirm the executable rule enforcement

1. Click Start, and in the Search programs and files box, type “cmd” and then press ENTER.

2. In the Command Prompt window, type “gpupdate /force” and then press ENTER. Wait for the policy to be updated.

3. Click Start, and then right-click Computer and click Manage.

4. Expand Event Viewer and then expand Windows Logs.

5. Click System.

6. In the result pane, locate and click the latest event with Event ID 1502.

7. Review event message details under the General tab.

8. Expand Services and Applications and then click Services.

9. Right-click Application Identity service in the main window pane and then click Start.

10. Close the Command Prompt.

11. In the Event Viewer, expand Application and Services Logs and then expand Microsoft.

12. Expand Windows, expand AppLocker, and then click EXE and DLL.

13. Review the entries in the results pane.

14. Close Computer Management.

15. Log off.

Lesson 5

Configuring User Account Control

Contents:

• Question and Answers

• Detailed Demo Steps

Question and Answers

How UAC Works

Question: What are the differences between a consent prompt and a credential prompt?

Answer: A consent prompt is displayed to administrators in Admin Approval Mode when they attempt to perform an administrative task. It requests approval from the user to continue with the task being performed. A credential prompt is displayed to standard users when they attempt to perform an administrative task.

Demonstration: Configuring Group Policy Settings for UAC

Question: Which User Account Control setting detects when an application is being installed in Windows 7?

Answer: User Account Control: Detect application installations and prompt for elevation.

Configuring UAC Notification Settings

Question: What two configuration options are combined to produce the end user elevation experience?

Answer: User Account Control security settings configured in Local Security Policy and User Account Control settings configured in the Action Center in Control Panel.

Detailed Demo Steps

Demonstration: Configuring Group Policy Settings for UAC

Detailed demonstration steps

Create a UAC Group Policy setting preventing access elevation

1. Log on to the LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, and in the Search programs and files box, type “gpedit.msc” and then press ENTER.

3. In the Local Group Policy Editor, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for standard users.

5. In the User Account Control: Behavior of the elevation prompt for standard users dialog box, click Automatically deny elevation requests and then click OK.

6. Close Local Group Policy Editor console.

7. Log off.

Test the UAC settings

1. Log on to the LON-CL1 as Contoso\Adam with a password of Pa$$w0rd.

2. Click Start, right-click Computer, and then select Manage.

3. Click OK when prompted.

4. Log off.

Create a UAC Group Policy setting prompting for credentials

1. Log on to the LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, and in the Search programs and files box, type “gpedit.msc” and then press ENTER.

3. In the Local Group Policy Editor, under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.

4. In the results pane, double-click User Account Control: Behavior of the elevation prompt for standard users.

5. In the User Account Control: Behavior of the elevation prompt for standard users dialog box, click Prompt for credentials and then click OK.

6. Close Local Group Policy Editor console.

7. Log off.

Test the UAC settings

1. Log on to the LON-CL1 as Contoso\Adam with a password of Pa$$w0rd.

2. Click Start, right-click Computer, and then select Manage.

3. Type “Administrator” in the User name field.

4. Type “Pa$$w0rd” in the Password field.

5. Click Yes.

6. Close the Computer Management console.

7. Log off.
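
The setting changed in both stages of this demonstration is stored in the registry, so each stage can be confirmed without triggering a prompt. The following PowerShell is an added example, not part of the course materials; the helper names Get-UacPolicyState and Test-StandardUserPrompt are this example's own.

```powershell
# Added example, not from the course materials. Read-only; no elevation needed.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Registry data behind "User Account Control: Behavior of the elevation
# prompt for standard users" (value name ConsentPromptBehaviorUser).
$standardUserPrompt = @{
    0 = 'Automatically deny elevation requests'
    1 = 'Prompt for credentials on the secure desktop'
    3 = 'Prompt for credentials'
}

# Get-UacPolicyState is a helper defined for this example only.
# It returns the UAC values that shape the standard-user experience.
function Get-UacPolicyState {
    $v    = Get-ItemProperty -Path $uacKey
    $user = $v.ConsentPromptBehaviorUser

    if ($user -eq $null) {
        $label = 'Not set (Windows default applies)'
    }
    elseif ($standardUserPrompt.ContainsKey([int]$user)) {
        $label = $standardUserPrompt[[int]$user]
    }
    else {
        $label = "Unrecognized value $user"
    }

    New-Object PSObject -Property @{
        UacEnabled              = ($v.EnableLUA -eq 1)
        StandardUserPromptValue = $user
        StandardUserPrompt      = $label
        # "Detect application installations and prompt for elevation"
        InstallerDetection      = ($v.EnableInstallerDetection -eq 1)
        SecureDesktop           = ($v.PromptOnSecureDesktop -eq 1)
    }
}

# Test-StandardUserPrompt is a helper defined for this example only.
# It returns $true when UAC is on and the standard-user prompt behavior
# has the expected registry value.
function Test-StandardUserPrompt {
    param([Parameter(Mandatory = $true)][int]$Expected)

    $state = Get-UacPolicyState
    if (-not $state.UacEnabled) {
        Write-Warning 'EnableLUA is not 1: UAC is off, so the prompt setting has no effect.'
        return $false
    }
    return ($state.StandardUserPromptValue -eq $Expected)
}

Get-UacPolicyState | Format-List

# Stage 1 of the demonstration selects "Automatically deny elevation requests";
# stage 2 selects "Prompt for credentials".
"Automatically deny in effect:     {0}" -f (Test-StandardUserPrompt -Expected 0)
"Prompt for credentials in effect: {0}" -f (Test-StandardUserPrompt -Expected 3)
```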

Lesson 6

Configuring Security Settings in Windows Internet Explorer 8

Contents:

• Question and Answers

• Detailed Demo Steps

Question and Answers

Discussion: What Is a Firewall?

Question: What type of firewall does your organization currently use?

Answer: Answers will vary.

Question: What are the reasons that it was selected?

Answer: Answers will vary.

Configuring the Basic Firewall Settings

Question: List the three network locations. Where do you modify them, and what feature of Windows 7 allows you to use more than one?

Answer: The three network locations are as follows:

• Home or work (private) networks: for networks at home or work where you know and trust the people and devices on the network. When Home or work (private) networks is selected, Network Discovery is turned on. Computers on a home network can belong to a HomeGroup.

• Domain networks: for networks at a workplace that are attached to a domain. When this option is selected, Network Discovery is on by default and you cannot create or join a HomeGroup.

• Public networks: for networks in public places. This location keeps the computer from being visible to other computers. When Public place is the selected network location, HomeGroup is not available and Network Discovery is turned off.

You can modify the firewall settings for each type of network location from the main Windows Firewall page. To set up or modify network location profile settings, click Change advanced sharing settings in the left pane of the Network and Sharing Center.

Multiple active firewall policies enable computers to obtain and apply domain firewall profile information, regardless of the networks that are active on the computers.

Windows Firewall with Advanced Security Settings

Question: There are three types of rules that can be created in Windows Firewall with Advanced Security. List each type and the types of rules that can be created for each.

Answer: The three types, with the rules that can be created for each, are as follows:

• Inbound and Outbound rules

  ◦ Program rules

  ◦ Port rules

  ◦ Predefined rules

  ◦ Custom rules

• Connection Security Rules

  ◦ Isolation rules

  ◦ Authentication exemption rules

  ◦ Server-to-server

  ◦ Tunnel rules

  ◦ Custom rules

Well-Known Ports Used by Applications

Question: What is the TCP port used by HTTP by a Web server?

Answer: The TCP port is 80.

Detailed Demo Steps

Demonstration: Configuring Group Policy Settings for UAC

Detailed demonstration steps

Configure an Inbound Rule

1. Log on to the LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start and then click Control Panel.

3. Click System and Security.

4. Click Windows Firewall.

5. In the left window pane, click Advanced settings.

6. In Windows Firewall with Advanced Security, select Inbound Rules in the left pane.

7. Review the existing inbound rules, right-click Inbound Rules, and click New Rule.

8. On the Rule Type page of the New Inbound Rule wizard, select Predefined and then select Remote Scheduled Tasks Management from the dropdown menu.

9. Click Next.

10. Select both of the Remote Scheduled Tasks Management (RPC) rules and then click Next.

11. Select Block the connection and then click Finish.

Configure an Outbound Rule

1. On LON-CL1, click Start and then click All Programs.

2. Click Internet Explorer.

3. If prompted by the Welcome to Internet Explorer 8 wizard, click Ask me later.

4. Type “http://LON-DC1” into the Address field and then press ENTER to connect to the default Web site on LON-DC1.

5. Close Internet Explorer.

6. In the Windows Firewall with Advanced Security console, select Outbound Rules in the left pane.

7. Review the existing Outbound rules, right-click Outbound Rules, and then click New Rule.

8. On the Rule Type page of the New Outbound Rule wizard, select Port and then click Next.

9. Select TCP, select Specific remote ports and then type “80”.

10. Click Next.

11. Select Block the connection and then click Next.

12. On the Profile page, click Next.

13. Type “HTTP – TCP 80” in the Name field and then click Finish.

Test the Outbound Rule

1. On LON-CL1, click Start and then click All Programs.

2. Click Internet Explorer.

3. Type “http://LON-DC1” into the Address field and then press ENTER to attempt to connect to the default Web site on LON-DC1.

4. Close Internet Explorer.

Create a Connection Security Rule

1. In Windows Firewall with Advanced Security, select Connection Security Rules in the left pane.

2. Right-click Connection Security Rules and then select the New Rule… option.

3. Select Server-to-server and then click Next.

4. On the Endpoints page, click Next.

5. Select Require authentication for inbound and outbound connections and then click Next.

6. Select Advanced and then click the Customize… button.

7. Under First authentication, click the Add… button.

8. In the Add First Authentication Method dialog box, select Computer (Kerberos V5) and then click OK.

9. Under Second authentication, click the Add… button.

10. In the Add Second Authentication Method dialog box, select User (Kerberos V5) and then click OK.

11. In the Customize Advanced Authentication Methods dialog box, click OK.

12. Click Next and then click Next again.

13. Type “Kerberos Connection Security Rule” and then click Finish.

Review monitoring settings in Windows Firewall

1. In Windows Firewall with Advanced Security, select Monitoring in the left pane.

2. Expand Monitoring and then select Firewall.

3. Click Connection Security Rules.

4. Click Security Associations.

5. Select Outbound Rules in the left pane.

6. Select the HTTP – TCP 80 rule and then right-click and select Disable Rule.

7. Select Connection Security Rules.

8. Select Kerberos Connection Security Rule, right-click and then click Disable Rule.

9. Close Windows Firewall with Advanced Security.

10. Log off.
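
The outbound rule, its test, and the final Disable Rule step can also be driven from the command line, which makes the before and after states easy to compare. The following PowerShell is an added example, not part of the course materials; it calls netsh advfirewall because Windows 7 predates the NetSecurity firewall cmdlets, and the rule name and the Test-TcpPort helper are this example's own.

```powershell
# Added example, not from the course materials. Run elevated on LON-CL1.
$ruleName = 'HTTP - TCP 80 netsh example'   # this example's own rule name
$target   = 'LON-DC1'                       # Web server used in the demonstration

# Test-TcpPort is a helper defined for this example only. It returns $true
# when a TCP connection to the port succeeds within the timeout.
function Test-TcpPort {
    param(
        [string]$ComputerName,
        [int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # no answer within the timeout
        }
        $client.EndConnect($pending)   # throws if refused or blocked locally
        return $true
    }
    catch {
        return $false
    }
    finally {
        $client.Close()
    }
}

"Before the rule: TCP 80 reachable = {0}" -f (Test-TcpPort $target 80)

# Same choices as the New Outbound Rule wizard steps:
# Port, TCP, specific remote port 80, Block the connection, all profiles.
netsh advfirewall firewall add rule name="$ruleName" dir=out action=block protocol=TCP remoteport=80 profile=any

# Show what was stored, including direction, action and profiles.
netsh advfirewall firewall show rule name="$ruleName" verbose

"With the rule:   TCP 80 reachable = {0}" -f (Test-TcpPort $target 80)

# Equivalent of right-clicking the rule and selecting Disable Rule.
netsh advfirewall firewall set rule name="$ruleName" new enable=no

"Rule disabled:   TCP 80 reachable = {0}" -f (Test-TcpPort $target 80)

# Remove the example rule so it does not linger on the lab machine.
netsh advfirewall firewall delete rule name="$ruleName"
```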

Lesson 7

Configuring Windows Defender

Contents:

• Question and Answers

• Detailed Demo Steps

Question and Answers

Discussion: Compatibility Features in Internet Explorer 8

Question: What compatibility issues do you think you may encounter when updating Internet Explorer?

Answer: Answers can vary.

Enhanced Privacy Features in Internet Explorer 8

Question: Describe the difference between InPrivate Browsing and InPrivate filtering.

Answer: InPrivate Browsing helps protect data and privacy by preventing browsing history, temporary Internet files, form data, cookies, usernames, and passwords from being stored or retained locally by the browser. InPrivate Filtering monitors the frequency of all third-party content as it appears across all Web sites visited by the user.

The SmartScreen Feature in Internet Explorer 8

Question: What Internet Explorer 7 feature does the SmartScreen Filter replace in Internet Explorer 8?

Answer: The SmartScreen Filter replaces the Phishing Filter from Internet Explorer 7.

Other Security Features in Internet Explorer 8

Question: Describe how the XSS Filter works.

Answer: The XSS Filter has visibility into all requests and responses flowing through the browser. When the filter discovers likely XSS in a request, it identifies and neutralizes the attack if it is replayed in the server’s response. The XSS filter helps protect users from Web site vulnerabilities; it does not ask difficult questions that users are unable to answer, nor does it harm functionality on the Web site.

Detailed Demo Steps

Demonstration: Configuring Security in Internet Explorer 8

Detailed demonstration steps

Enable compatibility view for all Web sites

1. Log on to the LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click the Internet Explorer icon on the taskbar.

3. If the Set Up Windows Internet Explorer 8 window comes up, click Ask me later.

4. On the Tools menu, click Compatibility View Settings.

5. Click to select the Display all websites in Compatibility View check box and then click Close.

Delete Browsing History

1. On the Tools menu, click Internet Options.

2. On the General tab, under Browsing history, click Delete.

3. Select Preserve Favorites website data and History. Clear all other options.

4. Click Delete.

5. Click OK and then close Internet Explorer.

Configure InPrivate Browsing

1. On LON-CL1, click the Internet Explorer icon on the taskbar.

2. Type “http://LON-DC1” into the Address bar and then press ENTER.

3. Click on the down arrow next to the Address bar to confirm that the address you typed into it is stored.

4. In Internet Explorer, click the Tools button and then click Internet Options.

5. Click the General tab. Under Browsing History, click Delete.

6. In the Delete Browsing History dialog box, clear Preserve Favorites website data, select Temporary Internet Files, Cookies, History, and then click Delete.

7. Click OK to close Internet Options.

8. Confirm that there are no addresses stored in the Address bar by clicking on the down arrow next to the Address bar.

9. On the Safety menu, click InPrivate Browsing.

10. Type “http://LON-DC1” into the Address bar and then press ENTER.

11. Confirm the address you typed in is not stored by clicking on the down arrow next to the Address bar.

12. Close the InPrivate Browsing window.

13. Close Internet Explorer.

Configure InPrivate Filtering

1. Click the Internet Explorer icon on the taskbar.

2. On the Safety menu, click InPrivate Filtering.

3. Click Let me choose which providers receive my information to choose content to block or allow.

4. On the InPrivate Filtering settings window, click Automatically block.

5. Click OK.

View add-on management interface

1. On the Tools menu, click Manage Add-ons.

2. Ensure that Toolbars and Extensions is selected and then click Research.

3. Click Search Providers.

4. Click Bing.

5. Click Accelerators.

6. Scroll down to show all available accelerators.

7. Click InPrivate Filtering.

8. Click Close.

9. Close Internet Explorer and then log off.

Lesson 8

Configuring Windows Defender

Contents:

• Question and Answers

• Detailed Demo Steps

Question and Answers

What Is Malicious Software?

Question: What are common security risks that you must consider when deploying a new operating system?

Answer: During a desktop deployment, it is important to address any security risks that affect application compatibility, data loss, and user functionality. Some of the more common security risks are categorized as follows:

• Malware risks: Viruses, Trojan horses, spyware

• Data risks: Stolen laptops or removable universal serial bus (USB) hard drives

• Web browser risks: Malicious Web sites, phishing

• Network risks: Internal worm attacks, internal workstations that do not comply with organizational security policies

Question: How can you be sure that you have addressed the appropriate security risks before and after a desktop deployment?

Answer: Conduct a structured security risk management process that will help you to identify and assess risk, identify and evaluate control solutions, implement the controls, and then measure the effectiveness of the mitigation. Identifying security risks before a desktop deployment helps you to be proactive in mitigating and implementing solutions.

What Is Windows Defender?

Question: List the four Windows Defender alert levels. What are the possible responses?

Answer: The four alert levels are Severe, High, Medium, and Low. Possible responses are Quarantine, Remove, and Allow. For potential changes to Windows Settings, possible responses are Permit and Deny.

Scanning Options in Windows Defender

Question: Why might you consider creating a restore point before applying actions to detected items?

Answer: Because Windows Defender can be set to automatically remove detected items, selecting this option allows you to restore system settings in case you want to use software that you did not intend to remove.

Detailed Demo Steps

Demonstration: Configuring Windows Defender Settings

Detailed demonstration steps

Set Windows Defender options

1. Log on to the LON-CL1 as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, click Search programs and files, type “Windows Defender”, and press ENTER.

3. In Windows Defender, on the menu, click Tools.

4. In Tools and Settings, click Options.

5. In Options, select Automatic scanning.

6. In the main window, ensure that the Automatically scan my computer (recommended) check box is selected.

7. Set Frequency to Monday.

8. Set Approximate time to 6:00 AM.

9. Set type to Quick scan.

10. Ensure the Check for updated definitions before scanning check box is selected.

11. In Options, select Default actions.

12. Set Severe alert items to Remove.

13. Set Low alert items to Allow.

14. Ensure the Apply recommended actions check box is selected.

15. In Options, select Real-time protection.

16. In Options, select Excluded files and folders.

17. In Options, select Excluded file types.

18. In Options, select Advanced.

19. Click Scan e-mail.

20. Click Scan removable drives.

21. In Options, select Administrator.

22. Click Save.

View Quarantine Items

1. In Tools and Settings, click Quarantined Items.

2. Click View.

3. Click the back arrow in the top menu bar.

Microsoft SpyNet

1. In Tools and Settings, click Microsoft SpyNet.

2. Select Join with a basic membership.

3. Click Save.

Windows Defender Web site

1. In Tools and Settings, point out the Windows Defender Website link.

2. Review and discuss the content of the Windows Defender Web site.

Module Reviews and Takeaways

Review questions

Question 1: When User Account Control is implemented, what happens to standard users and administrative users when they perform a task requiring administrative privileges?

Answer: For standard users, UAC prompts the user for the credentials of a user with administrative privileges. For administrative users, UAC prompts the user for permission to complete the task.

Question 2: What are the requirements for Windows BitLocker to store its own encryption and decryption key in a hardware device that is separate from the hard disk?

Answer: A computer with Trusted Platform Module (TPM) or a removable Universal Serial Bus (USB) memory device, such as a USB flash drive. If your computer does not have TPM version 1.2 or higher, BitLocker stores its key on the memory device.

Question 3: When implementing Windows AppLocker, what must you do before manually creating new rules or automatically generating rules for a specific folder?

Answer: Create the default rules.

Question 4: You decide to deploy a third-party messaging application on your company’s laptop computers. This application uses POP3 to retrieve e-mail from the corporate mail server, and SMTP to send mail to the corporate e-mail relay. Which ports must you open in Windows Firewall?

Answer: You must enable inbound POP3, which uses TCP port 110, and outbound SMTP, which uses TCP port 25. You can configure the firewall rules by using specific port assignments or by specifying the program.

Question 5: Describe how the SmartScreen Filter works in Internet Explorer 8.

Answer: With the SmartScreen Filter enabled, Internet Explorer 8 performs a detailed examination of the entire URL string and compares the string to a database of sites known to distribute malware; the browser then checks with the Web service. If the Web site is known to be unsafe, it is blocked and the user is notified with a bold SmartScreen blocking page that offers clear language and guidance to help avoid known-unsafe Web sites.

Question 6: What does Windows Defender do to software that it quarantines?

Answer: Windows Defender moves the software to another location on your computer, and then prevents the software from running until you choose to restore it or remove it from your computer.

Question 7: What configuration options are available with Windows Defender, where do you set them, and why?

Answer: To help prevent spyware and other unwanted software from running on the computer, turn on Windows Defender real-time protection and select all real-time protection options. You are alerted if programs attempt to install, run on the computer, or change important Windows settings.

Turn on real-time protections by clicking Tools, clicking Options, and then clicking Real-time protection. In the Options area, perform the following additional tasks:

• Configure automatic scanning

• Specify default actions for specific alert levels

• Customize a scan by excluding files, folders, and file types

• Use the Advanced options to scan archived files, email, and removable drives, and to use heuristics and create a restore point.

Select whether to use Windows Defender and what information to display to all users of the computer. History, Allowed items, and Quarantined items are hidden by default to protect user privacy.

Real-world issues and scenarios

Question 1: An administrator configures Group Policy to require that data can only be saved on data volumes protected by BitLocker. Specifically, the administrator enables the Deny write access to removable drives not protected by BitLocker policy and deploys it to the domain. Meanwhile, an end user inserts a USB flash drive that is not protected with BitLocker. What happens, and how can the user resolve the situation?

Answer: Since the USB flash drive is not protected with BitLocker, Windows 7 displays an informational dialog indicating that the device must be encrypted with BitLocker. From this dialog, the user chooses to launch the BitLocker Wizard to encrypt the volume or continues working with the device as read-only.

Question 2: Trevor has implemented Windows AppLocker. Before he created the default rules, he created a custom rule that allowed all Windows processes to run except for Regedit.exe. Because he did not create the default rules first, he is blocked from performing administrative tasks. What does he need to do to resolve the issue?

Answer: Trevor needs to restart the computer in safe mode, add the default rules, delete any deny rules that are preventing access, and then refresh the computer policy.

Question 3: A server has multiple network interface cards (NICs), but one of the NICs is not connected. In Windows Vista, this caused the machine to be stuck in the public profile (the most restrictive rule). How is this issue resolved in Windows 7?

Answer: The new multiple active firewall profile feature in Windows 7 solves the problem by applying the appropriate rules to the appropriate network; in this case, the profile associated with the connected NIC will be applied.

Common issues related to Internet Explorer 8 security settings

IT professionals must familiarize themselves with the common issues that are related to Internet Explorer 8 security settings.

Diagnose Connection Problems button

The Diagnose Connection Problems button helps users find and resolve issues, potentially without involving the Helpdesk. When Internet Explorer 8 is unable to connect to a Web site, it shows a Diagnose Connection Problems button. Clicking the button helps the user resolve the problem by providing troubleshooting information. This option was available in Internet Explorer 7 but is now simpler to find in Internet Explorer 8.

Resetting Internet Explorer 8 settings

If Internet Explorer 8 on a user’s computer is in an unstable state, you can use the Reset Internet Explorer Settings (RIES) feature in Internet Explorer 8 to restore the default settings of many browser features. These include the following:

• Search scopes

• Appearance settings

• Toolbars

• ActiveX controls (reset to opt-in state, unless they are pre-approved)

• Branding settings created by using IEAK 8

You can choose to reset personal settings by using the Delete Personal Settings option for the following:

• Home pages

• Browsing history

• Form data

• Passwords

RIES disables all custom toolbars, browser extensions, and customizations that have been installed with Internet Explorer 8. To use any of these disabled customizations, you must selectively enable each customization through the Manage Add-ons dialog box.

RIES does not do the following:

• Clear the Favorites list

• Clear the RSS Feeds

• Clear the Web Slices

• Reset connection or proxy settings

• Affect Administrative Template Group Policy settings that you apply

Note: Unless you enable the Group Policy setting titled “Internet Explorer Maintenance policy processing”, Normal mode settings on the browser created by using IEM are lost after you use RIES.

To use RIES in Internet Explorer 8, follow these steps:

1. Click the Tools menu and then click Internet Options.

2. On the Advanced tab, click Reset.

3. In the Reset Internet Explorer Settings dialog box, click Reset. To remove personal settings, select the Delete Personal Settings check box. To remove branding, select the Remove Branding check box.

4. When Internet Explorer 8 finishes restoring the default settings, click Close, and then click OK twice.

5. Close Internet Explorer 8. The changes take effect the next time you open Internet Explorer 8.

Note: To prevent users from using the RIES feature, enable the Do not allow resetting Internet Explorer settings policy in Group Policy Administrative Templates.

Best practices for User Account Control

• UAC Security Settings are configurable in the local Security Policy Manager (secpol.msc) or the Local Group Policy Editor (gpedit.msc). However, in most corporate environments, Group Policy is preferred because it can be centrally managed and controlled. There are nine Group Policy object (GPO) settings that can be configured for UAC.

• Because the user experience can be configured with Group Policy, there can be different user experiences, depending on policy settings. The configuration choices made in your environment affect the prompts and dialog boxes that standard users, administrators, or both, can view.

For example, you may require administrative permissions to change the UAC setting to “Always notify me” or “Always notify me and wait for my response.” With this type of configuration, a yellow notification appears at the bottom of the User Account Control Settings page indicating the requirement.

Best practices for Windows BitLocker

• Because BitLocker stores its own encryption and decryption key in a hardware device that is separate from the hard disk, you must have one of the following:

  ◦ A computer with Trusted Platform Module (TPM).

  ◦ A removable Universal Serial Bus (USB) memory device, such as a USB flash drive. If your computer does not have TPM version 1.2 or higher, BitLocker stores its key on the memory device.

• The most secure implementation of BitLocker leverages the enhanced security capabilities of Trusted Platform Module (TPM) version 1.2.

• On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system volume. However, this implementation will require the user to insert a USB startup key to start the computer or resume from hibernation and does not provide the pre-startup system integrity verification offered by BitLocker that is working with a TPM.

Best practices for Windows AppLocker

• Before manually creating new rules or automatically generating rules for a specific folder, create the default rules. The default rules ensure that the key operating system files are allowed to run for all users.

• When testing AppLocker, carefully consider how you will organize rules between linked GPOs. If a GPO does not contain the default rules, then either add the rules directly to the GPO or add them to a GPO that links to it.

• After creating new rules, enforcement for the rule collections must be configured and the computer’s policy refreshed.

• By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators must maintain a current list of allowed applications.


• If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs.

• When an AppLocker rule is set to Audit only, the rule is not enforced. When a user runs an application that is included in the rule, the application is opened and runs normally and information about that application is added to the AppLocker event log.

• At least one Windows Server 2008 R2 domain controller is required to host the AppLocker rules.
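The default-rule and Audit only practices above can be verified from PowerShell on a computer that receives the policy. This is an added example, not part of the course material; it uses the AppLocker module cmdlets and the AppLocker event logs, and the output file name is a placeholder.

```powershell
# Added example (not from the course material). Run from an elevated prompt
# on a computer that receives the AppLocker policy.
Import-Module AppLocker

# 1. Default-rule check: list operating system binaries that the effective
#    policy would NOT allow for Everyone. With the default rules in place,
#    this returns nothing.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "$env:windir\System32\*.exe" -User Everyone `
                         -Filter Denied, DeniedByDefault

# 2. Audit only review: events logged when a file ran but would have been
#    blocked under enforcement (ID 8003 for EXE/DLL, 8006 for MSI/script).
$logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
        'Microsoft-Windows-AppLocker/MSI and Script'

$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 8003, 8006 } `
                 -ErrorAction SilentlyContinue   # a log may have no matches
}

# One row per distinct message (the message names the file), most frequent first.
$events | Group-Object Message | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'LastSeen'
           e = { ($_.Group | Sort-Object TimeCreated |
                  Select-Object -Last 1).TimeCreated } },
        Name |
    Format-Table -AutoSize -Wrap

# 3. Draft candidate rules for the audited files. Review the XML before
#    importing it: a rule created here allows everything that was audited,
#    including software you may not want on the allowed list.
$audited = @(Get-AppLockerFileInformation -EventLog -EventType Audited `
                 -ErrorAction SilentlyContinue)
if ($audited.Count -gt 0) {
    $audited |
        New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone `
                            -RuleNamePrefix 'FromAudit' -Optimize -Xml |
        Out-File "$env:TEMP\applocker-candidate-rules.xml"   # placeholder path
}
```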

Best practices for Windows Defender

• When using Windows Defender, you must have current definitions.

• To help keep your definitions current, Windows Defender works with Windows Update to automatically install new definitions as they are released. You can also set Windows Defender to check online for updated definitions before scanning.

• When scanning your computer, it is recommended that you select the advanced option to Create a restore point before applying actions to detected items. Because you can set Windows Defender to automatically remove detected items, selecting this option allows you to restore system settings in case you want to use software that you did not intend to remove.

Best practices for the Encrypted File System (EFS)

The following is a list of standard best practices for EFS users:

• Users should export their certificates and private keys to removable media and store the media securely when it is not in use. For the greatest possible security, the private key must be removed from the computer whenever the computer is not in use. This protects against attackers who physically obtain the computer and try to access the private key. When the encrypted files must be accessed, the private key can easily be imported from the removable media.

• Encrypt the My Documents folder for all users (User_profile\My Documents). This makes sure that the personal folder, where most documents are stored, is encrypted by default.

• Users should encrypt folders rather than individual files. Programs work on files in various ways. Encrypting files consistently at the folder level makes sure that files are not unexpectedly decrypted.

• The private keys that are associated with recovery certificates are extremely sensitive. These keys must be generated either on a computer that is physically secured, or their certificates must be exported to a .pfx file, protected with a strong password, and saved on a disk that is stored in a physically secure location.

• Recovery agent certificates must be assigned to special recovery agent accounts that are not used for any other purpose.

• Do not destroy recovery certificates or private keys when recovery agents are changed. (Agents are changed periodically). Keep them all, until all files that may have been encrypted with them are updated.

• Designate two or more recovery agent accounts per organizational unit (OU), depending on the size of the OU. Designate two or more computers for recovery, one for each designated recovery agent account. Grant permissions to appropriate administrators to use the recovery agent accounts. It is a good idea to have two recovery agent accounts to provide redundancy for file recovery. Having two computers that hold these keys provides more redundancy to allow recovery of lost data.

• Implement a recovery agent archive program to make sure that encrypted files can be recovered by using obsolete recovery keys. Recovery certificates and private keys must be exported and stored in a controlled and secure manner. Ideally, as with all secure data, archives must be stored in a controlled access vault and you must have two archives: a master and a backup. The master is kept on-site, while the backup is located in a secure off-site location.

• Avoid using print spool files in your print server architecture, or make sure that print spool files are generated in an encrypted folder.

• The Encrypting File System does take some CPU overhead every time a user encrypts and decrypts a file. Plan your server usage wisely. Load balance your servers when there are many clients using Encrypting File System (EFS).

Configuration guidelines for Windows Firewall with Advanced Security

• You can configure Windows Firewall with Advanced Security in the following ways:

• Configure a local or remote computer by using either the Windows Firewall with Advanced Security snap-in or the “Netsh advfirewall” command.

• Configure Windows Firewall with Advanced Security settings by using the Group Policy Management Console (GPMC) or using the “Netsh advfirewall” command.

• If you are configuring the firewall by using Group Policy, you need to ensure that the Windows Firewall service has explicit write access by its service security identifier (SID) to the location that you specify.

• If you deploy Windows Firewall with Advanced Security by using Group Policy and then block outbound connections, ensure that you enable the Group Policy outbound rules and do full testing in a test environment before deploying. Otherwise, you might prevent all of the computers that receive the policy from updating the policy in the future, unless you manually intervene.
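The outbound-blocking guideline above can be rehearsed on a test computer's local firewall policy before the same settings go into a GPO. This is an added example, not part of the course material; it uses the Netsh advfirewall command named above, and the backup file name is a placeholder.

```powershell
# Added example (not from the course material). Run from an elevated prompt
# on a TEST computer. It changes the local firewall policy and restores it
# if Group Policy can no longer be refreshed.
$backup = Join-Path $env:TEMP 'advfirewall-before-outbound-block.wfw'

# 1. Save the current configuration so that the change can be undone.
if (Test-Path $backup) { Remove-Item $backup }    # start from a clean file
netsh advfirewall export "$backup" | Out-Null
if (-not (Test-Path $backup)) {
    throw 'Export failed; the firewall configuration was not changed.'
}

# 2. Record the current default actions for every profile.
netsh advfirewall show allprofiles firewallpolicy

# 3. Enable the built-in outbound rules first. The "Core Networking" group
#    contains the outbound Group Policy, DNS and DHCP rules.
netsh advfirewall firewall set rule group="Core Networking" dir=out new enable=yes

# 4. Only now block outbound connections that no rule allows. The value is
#    quoted so that PowerShell does not split it at the comma.
netsh advfirewall set allprofiles firewallpolicy 'blockinbound,blockoutbound'

# 5. Confirm that this computer can still receive policy.
gpupdate /target:computer /force

$answer = Read-Host 'Did the computer policy update complete successfully? (y/n)'
if ($answer -notmatch '^[Yy]') {
    # 6. Roll back to the saved configuration.
    netsh advfirewall import "$backup"
    Write-Warning 'Outbound block reverted. Review the outbound rules before deploying.'
} else {
    Write-Host "Policy refresh works with outbound blocking. Backup kept at $backup"
}
```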

Resources for Internet Explorer 8

Use the following information as needed:

• For more information about IANA port-assignment standards, visit the IANA Web site

• Windows Internet Explorer 8 Technology Overview for Enterprise and IT Pros

• Internet Explorer 8 Support page

• Internet Explorer 8: Home Page

• Internet Explorer 8 Frequently Asked Questions

• Internet Explorer 8 newsgroups

• Internet Explorer 8 Forum on TechNet

• Internet Explorer 8: Help and Support

• The new Application Compatibility Toolkit (ACT) with support for Internet Explorer 8 is available from MSDN


• The Application Compatibility Toolkit is accompanied by a white paper that explains compatibility issues identified by the tool

• Information about anti-phishing strategies

• Information about the RIES feature

• Internet Explorer Application Compatibility


Lab Review Questions and Answers

Question: What are the types of rules you can configure in Windows Firewall?

Answer: You can create inbound and outbound firewall rules based on connections to a program, TCP/UDP port, predefined and custom.

Question: What are some of the new security settings in Internet Explorer 8?

Answer: The new security settings available in Internet Explorer 8 include the compatibility view, InPrivate Browsing and InPrivate Filtering.

Question: Will the default Windows Defender settings check for new definitions and regularly scan for spyware and other potentially unwanted software?

Answer: Yes, Windows Defender is by default configured to check for new definitions and perform regular scans. You also have the option of configuring your own settings if required.

Question: What are some of the types of scans Windows Defender can perform to detect malicious and unwanted software?

Answer: Windows Defender can be used to scan e-mails, archives, compressed files, and content of removable drives.


Module 7 Optimizing and Maintaining Windows 7 Client Computers

Contents:

Lesson 1: Maintaining Performance by Using the Windows 7 Performance Tools

Lesson 2: Maintaining Reliability by Using the Windows 7 Diagnostic Tools

Lesson 3: Backing Up and Restoring Data by Using Windows Backup

Lesson 4: Restoring a Windows 7 System by Using System Restore Points

Lesson 5: Configuring Windows Update

Module Reviews and Takeaways

Lab Review Questions and Answers


Lesson 1

Maintaining Performance by Using the Windows 7 Performance Tools

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

Performance Monitor and Data Collector Sets

Question: Which resources can cause performance problems if you have a shortage of them?

Answer: Central processing unit (CPU), random access memory (RAM), disk, and network.

Demonstration: Using the Resource Monitor

Question: How can you simplify the task of monitoring the activity of a single process when it spans different tabs?

Answer: If you select the check box for a process, then that process will be at the top of the list when you move between tabs. This will simplify your ability to view different characteristics of a single process and can be useful when you are trying to find the resource that is a performance bottleneck for a process.

Demonstration: Analyzing System Performance by Using Data Collector Sets and Performance Monitor

Question: How can you use Performance Monitor for troubleshooting?

Answer: You can use Performance Monitor to monitor resources when running an application that is having problems. If a problem is occurring at a specific time, you can schedule a data collector set to run at that time and collect additional information about resource usage when this problem occurs.


Detailed Demo Steps

Demonstration: Using the Resource Monitor

Detailed demonstration steps

This demonstration shows how to use the Resource Monitor.

Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

1. Click Start. In the search box, type “res” and then click Resource Monitor. The Overview tab shows CPU usage, disk I/O, network usage, and memory usage information for each process. Summary information is provided in a bar above each section.

2. Click the down arrow in the Disk section to expand it.

3. Click the Views button and then click Medium. This controls the size of the graphs that display CPU usage, disk I/O, network usage, and memory activity.

4. Click the CPU tab. This tab has more detailed CPU information that you can filter so that it is based on the process.

5. In the Processes area, select the check box for a process and then expand the Associated Handles area. This shows the files that are used by this process. It also keeps the selected process at the top of the list for effortless monitoring.

6. Click the Memory tab. This tab provides detailed information about memory usage for each process. Notice that the previously selected process is still selected so that you can review multiple kinds of information about a process as you switch between tabs.

7. Click the Disk tab. This tab shows processes with recent disk activity.

8. Expand the Disk Activity area and clear the Image check box to remove the filter and show all processes with current disk activity. The Disk Activity area provides detailed information about the files in use. The Storage area provides general information about each logical disk.

9. Click the Network tab. This tab provides information about all processes with current network activity.

10. Expand the TCP Connections area. This shows current TCP connections and information about those connections.

11. Expand the Listening Ports area. This shows the processes that are listening for network connections and the ports they are listening on. The firewall status for those ports is also shown.

12. Close the Resource Monitor.

Demonstration: Analyzing System Performance by Using Data Collector Sets and Performance Monitor

Detailed demonstration steps

This demonstration shows how to analyze system performance by using Data Collector Sets and Performance Monitor.

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, and in the search box, type “per”, and then click Performance Monitor.


3. In the Performance Monitor window, click the Performance Monitor node. Notice that only % Processor Time is displayed by default.

4. Click the “+” symbol in the toolbar to add an additional counter.

5. In the Available counters area, expand PhysicalDisk and then click % Idle Time.

6. In the Instances of selected object box, click 0 C:, click Add, and then click OK.

7. Right-click % Idle Time and then click Properties.

8. In the Color box, click green and then click OK.

9. In the left pane, expand Data Collector Sets and then click User Defined.

10. Right-click User Defined, point to New, and then click Data Collector Set.

11. In the Name box, type CPU and Disk Activity and then click Next.

12. In the Template Data Collector Set box, click Basic and then click Next. Using a template is recommended.

13. Click Next to accept the default storage location for the data.

14. Click Open properties for this data collector set and then click Finish. On the General tab, you can configure general information about the data collector set and the credentials that are used when it is running.

15. Click the Directory tab. This tab lets you define information on how the collected data is stored.

16. Click the Security tab. This tab lets you configure which users can change this data collector set.

17. Click the Schedule tab. This tab lets you define when the data collector set is active and collecting data.

18. Click the Stop Condition tab. This tab lets you define when data collection is stopped based on time or data that is collected.

19. Click the Task tab. This tab lets you run a scheduled task when the data collector set stops. This can be used to process the collected data.

20. Click Cancel.

21. Notice that there are three kinds of logs listed in the right pane.

• Performance Counter collects data that can be viewed in the Performance Monitor.

• Kernel Trace collects detailed information about system events and activities.

• Configuration records changes to registry keys.

22. In the right pane, double-click Performance Counter. Notice that all Processor counters are collected by default.

23. Click Add.

24. In the Available counters area, click PhysicalDisk, click Add, and then click OK. All the counters for the PhysicalDisk object are now added.

25. In the left pane, right-click CPU and Disk Activity and then click Start.

26. Wait a few moments and the data collector set will stop automatically.


27. Right-click CPU and Disk Activity and then click Latest Report. This report shows the data that is collected by the data collector set.

28. Close the Performance Monitor.
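The same kind of data collector set can be created and read from the command line, which is useful when the collection has to be repeated on several computers. This is an added example, not part of the course material; the set name, the output folder and the one-minute run time are assumptions, and the counter names assume an English installation.

```powershell
# Added example (not from the course material). Run from an elevated prompt.
$name   = 'CPU and Disk Activity CLI'      # assumed name; avoids the GUI set
$outDir = 'C:\PerfLogs\CpuDiskCli'         # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Create a counter data collector set: all Processor and PhysicalDisk
# counters, sampled every 5 seconds, stopping by itself after 1 minute.
logman create counter $name -c '\Processor(*)\*' '\PhysicalDisk(*)\*' `
       -si 00:00:05 -rf 00:01:00 -o "$outDir\sample"
if ($LASTEXITCODE -ne 0) { throw 'logman could not create the data collector set.' }

logman start $name
Start-Sleep -Seconds 70                    # run time plus a small margin
logman stop $name | Out-Null               # reports an error if already stopped

# Locate the newest binary log written by the set.
$file = Get-ChildItem $outDir -Filter 'sample*.blg' |
        Sort-Object LastWriteTime | Select-Object -Last 1
if (-not $file) { throw "No log file was written to $outDir." }

# Summarize the two counters charted in the demonstration: total processor
# time and idle time for disk instance "0 C:".
$cpu  = '*\processor(_total)\% processor time'
$disk = '*\physicaldisk(0 c:)\% idle time'

Import-Counter -Path $file.FullName -ErrorAction SilentlyContinue |
    ForEach-Object { $_.CounterSamples } |
    Where-Object { $_.Path -like $cpu -or $_.Path -like $disk } |
    Group-Object Path |
    ForEach-Object {
        $m = $_.Group | Measure-Object CookedValue -Average -Minimum -Maximum
        New-Object PSObject -Property @{
            Counter = $_.Name
            Samples = $m.Count
            Average = [math]::Round($m.Average, 1)
            Minimum = [math]::Round($m.Minimum, 1)
            Maximum = [math]::Round($m.Maximum, 1)
        }
    } |
    Format-Table Counter, Samples, Average, Minimum, Maximum -AutoSize
```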


Lesson 2

Maintaining Reliability by Using the Windows 7 Diagnostic Tools

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

Demonstration: Resolving Startup Related Problems

Question: When do you use the command prompt to perform system repairs manually?

Answer: You use the command prompt to perform system repairs manually if the automated tools cannot repair the system.


Detailed Demo Steps

Demonstration: Resolving Startup Related Problems

Detailed demonstration steps

This demonstration shows how to resolve startup related problems.

1. Connect the DVD Drive in LON-CL1 to the Windows 7 installation DVD.

• C:\Program Files\Microsoft Learning\6292\drives\Windows7_32bit.iso

2. Restart LON-CL1 and press a key to start from the DVD when you are prompted.

3. On the Windows 7 page, click Next.

4. Click Repair your computer.

5. In the System Recovery Options window, read the list of operating systems found and then click Next.

6. Read the options that are listed.

• Startup Repair tries to automatically repair a Windows system that is not starting correctly.

• System Restore is used to restore system configuration settings based on a restore point.

• System Image Recovery is used to perform a full restore from Windows backup.

• Windows Memory Diagnostic is used to test physical memory for errors.

• Command Prompt lets you manually access the local hard disk and perform repairs.

7. Click Command Prompt.

8. At the command prompt, type “C:” and press Enter.

9. At the command prompt, type “dir” and press Enter. Notice that there are no files on the C: drive.

10. At the command prompt, type “E:” and press Enter.

11. At the command prompt, type “dir” and press Enter. Notice that this drive is the C: drive when Windows 7 is running.

12. Close the command prompt and then click Restart.


Lesson 3

Backing Up and Restoring Data by Using Windows Backup

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

Demonstration: Perform a Backup

Question: What files do you need to back up on a computer?

Answer: Back up all data files on a computer. Also, a full system image will help restore your computer if a hard disk fails.

Demonstration: Restoring Data

Question: When do you need to restore to an alternate location?

Answer: Restore to an alternate location to keep the current version of a file and also get a copy of an older version for comparison. For example, a file may have had some information added and some deleted since a backup was performed. If you want to keep the new information that was added and get the information that was deleted, you must have both versions of the file.


Detailed Demo Steps

Demonstration: Perform a Backup

Detailed demonstration steps

This demonstration shows how to perform a backup.

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start and then click Documents.

3. In the Documents window, right-click an open area, point to New, and then click Text Document.

4. Type “Important Document” and then press ENTER.

5. Double-click Important Document, enter some text in the document, and then close Notepad.

6. Click Save to save the file and then close the Documents window.

7. Click Start, point to All Programs, click Maintenance, and then Backup and Restore.

8. Click Set up backup.

9. Click Allfiles (E:) and then Next.

10. Click Let me choose and then Next. Notice that by default, both the libraries for all users and a system image are selected.

11. Clear all check boxes in the window, select the bolded Administrator’s Libraries check box, and then click Next.

12. Click Change schedule.

13. Ensure that the Run backup on a schedule (recommended) check box is selected; review the available options for How often, What day, and What time, and then click OK.

14. Click Save settings and Run Backup.

15. Watch as the backup completes. Click View Details to see detailed progress.

16. Close the Backup and Restore window.

Demonstration: Restoring Data

Detailed demonstration steps

This demonstration shows how to restore data.

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Maintenance, and then Backup and Restore.

3. Click Restore my files and then Browse for files.

4. In the Browse the backup for file window, click administrator.CONTOSO’s backup, and then in the right pane, double-click Documents, click Important Document, and then Add files.

5. Click Next.

6. Click In the original location and then click Restore.

7. When prompted that the file already exists, click Copy and Replace.


8. Click Finish.

9. Close Backup and Restore.


Lesson 4

Restoring a Windows 7 System by Using System Restore Points

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

How System Restore Works

Question: What are the situations when you might need to use System Restore?

Answer: If your computer is running slowly or is not working properly, you can use System Restore to return your computer’s system files and settings to an earlier point in time, using a restore point.

Question: When do you restore a file from a restore point rather than a backup?

Answer: You will use System Restore when you need to restore all system files in the computer to a specific date and time. System Restore will only restore system files and will not recover any personal files that were deleted or damaged.

What Are Previous Versions of Files?

Question: What are the benefits of maintaining previous versions of files?

Answer: If you accidentally change or delete a file or a folder, you can restore it to an earlier version that is saved as part of a restore point.

Demonstration: Restoring a System

Question: When will the previous version of a file be unavailable?

Answer: The previous version of a file will not be available if it is stored on the local hard disk. If the local hard disk fails or becomes corrupted, then you must restore this data from a backup.


Detailed Demo Steps

Demonstration: Restoring a System

Detailed demonstration steps

This demonstration shows how to restore a system.

1. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start and then click Documents.

3. Double-click Important Document, enter some new text, and then close Notepad.

4. Click Save and then close the Documents window.

5. Click Start, right-click Computer, and then click Properties.

6. In the System window, click System protection.

7. In the Protection settings area, click Local Disk (C:) (System) and then Configure.

8. In the Restore Settings area, click Restore system settings and previous versions of files and then click OK.

9. In the Protection settings area, click Allfiles (E:) and then Configure.

10. In the Restore settings area, click Restore system settings and previous versions of files and then OK.

11. In the System Properties window, click Create. The system typically performs this automatically, rather than manually, before software installation is performed.

12. In the System Protection window, type “Restore Point 1” and then click Create.

13. When the creation of the restore point is finished, click Close.

14. In the System Properties window, click OK and then close the System window.

15. Click Start and then click Documents.

16. Right-click Important Document and click Restore previous versions. This version of the file was created during the restore point creation.

17. Click Cancel and close the Documents window.

18. Click Start, point to All Programs, click Accessories, System Tools, and then System Restore.

19. In the Restore system files and settings window, click Next.

20. Click Restore Point 1 and then Next.

21. On the Confirm your restore point page, click Finish.

22. Click Yes to continue. Be aware that this restores only system files, not data files.

23. Log on to the LON-CL1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

24. Read the message in the System Restore window and click Close.
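The restore point part of this demonstration can also be scripted, for example to create a named restore point before a change is rolled out. This is an added example, not part of the course material; it assumes an elevated prompt and the lab's drive letters (C: for the system volume, E: for Allfiles).

```powershell
# Added example (not from the course material). Run from an elevated prompt.
# Drive letters follow the lab: C: is the system volume, E: is Allfiles.

# Turn on system protection. The system drive must be included when
# protection is enabled on another drive.
Enable-ComputerRestore -Drive 'C:\', 'E:\'

# Create the restore point that the demonstration creates by hand.
$description = 'Restore Point 1'
Checkpoint-Computer -Description $description -RestorePointType MODIFY_SETTINGS

# Confirm that the restore point exists and note its sequence number.
$rp = Get-ComputerRestorePoint |
      Where-Object { $_.Description -eq $description } |
      Sort-Object SequenceNumber |
      Select-Object -Last 1
if (-not $rp) { throw "Restore point '$description' was not created." }
$rp | Format-List SequenceNumber, Description, RestorePointType, CreationTime

# Previous versions of files come from the shadow copies on the volume.
vssadmin list shadows /for=C:

# Roll system files and settings back to that point. The computer restarts,
# and data files are not restored. -Confirm asks before anything happens.
Restore-Computer -RestorePoint $rp.SequenceNumber -Confirm
```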


Lesson 5

Configuring Windows Update

Contents:

Question and Answers


Question and Answers

What Is Windows Update?

Question: How is the Automatic Updates feature useful?

Answer: It is an online catalog that ensures that your computer is always up-to-date.

Windows Update Group Policy Settings

Question: What is the benefit of configuring Windows Update by using Group Policy rather than by using Control Panel?

Answer: Using a group policy allows you to apply the configuration settings to multiple computers by performing a single action. It also prevents users from overriding the settings.


Module Reviews and Takeaways

Review questions

Question 1: You have problems with your computer’s performance. How can you create a data collector set to analyze a performance problem?

Answer: You can create a Data Collector Set from counters in the Performance Monitor display, use a template, or do it manually.

Question 2: You have received an e-mail message from an unknown person and suddenly you have a virus and must restore your computer.

1. What kind of system restore do you need to perform?

2. Will the computer restore to software that you installed two days ago?

3. How long are restore points saved?

4. What if System Restore does not fix the problem?

Answer:

1. You need to create a system restore to return your files to a point before you got the virus.

2. Yes, a restore point is automatically created before a significant system event.

3. Restore points are saved until the disk space that System Restore reserves is filled up. As new restore points are created, old ones are deleted.

4. If System Restore does not fix the problem, you can undo the system restore or try choosing a different restore point.

Tools

Tool | Use for | Where to find it

Performance Information and Tools | Lists information for speed and performance | Control Panel

Performance Monitor | Multiple graph views of performance | Administrative Tools

Resource Monitor | Monitor use and performance for CPU, disk, network, and memory | Advanced tools in Performance Information and Tools

Windows Experience Index | Measure the computer’s key components | Performance Information and Tools

Monitoring Tools | Performance Monitor | Performance Monitor

Data Collector Set | Performance Counters; Event Traces and system configuration data | Performance Monitor

Windows Memory Diagnostic | Check your computer for memory problems | Administrative Tools

Fix a Network Problem | Troubleshoots network problems | Network and Sharing Center

Reliability Monitor | Review your computer’s reliability and problem history | Action Center

Problem Reports and Solution tool | Choose when to check for solutions to problem reports | Action Center

Startup Repair Tool | Scan the computer for startup problems | Windows 7 DVD

Backup and Restore Tool | Back up or restore user and system files | System and Security

Image Backup | A copy of the drivers required for Windows to run | Backup and Restore

System Repair Disc | Used to start the computer | Backup and Restore

System Restore | Restore the computer to an earlier point in time | Control Panel

Previous versions of files | Copies of files and folders that Windows automatically saves as part of a restore point. | System Properties

Restore Point | A stored state of the computer’s system files. | System Properties

Disk Space Usage | Adjust maximum disk space used for system protection | System Properties

Windows Update | Service that provides software updates | System and Security

Change Update Settings | Change settings for Windows Update | Windows Update

View Update History | Review the computer’s update history | Windows Update


Lab Review Questions and Answers

Question: What are the benefits of creating a data collector set?

Answer: When you configure a data collector set, you can customize the information that will be included in the data collector set, and you can customize when the data will be collected. This is useful if you need to analyze a specific computer performance issue at a specific time.

Question: Under what circumstances might you choose to disable system restore points on all Windows 7 computers in your environment?

Answer: You might choose to disable system restore points on the Windows 7 computers if you have a centrally managed process for managing data and for restoring computers in the event of a computer failure. For example, if all users are required to store their files on a file server, you do not need to use system restore points to recover user data. As an alternative to restoring computers from system restore points, your organization may choose to just rebuild Windows 7 computers from an image rather than spend the time restoring system files.


Module 8 Configuring Mobile Computers and Remote Access in Windows® 7

Contents:

Lesson 1: Configuring Mobile Computer and Device Settings

Lesson 2: Configuring Remote Desktop and Remote Assistance for Remote Access

Lesson 3: Configuring DirectAccess for Remote Access

Lesson 4: Configuring BranchCache for Remote Access

Module Reviews and Takeaways

Lab Review Questions and Answers


Lesson 1

Configuring Mobile Computer and Device Settings

Contents:

Question and Answers

Detailed Demo Steps


Question and Answers

Tools for Configuring Mobile Computer and Device Settings

Question: Aside from USB, how can you establish a connection for synchronizing a Windows Mobile device?

Answer: You can establish a connection for synchronizing a Windows Mobile Device with Serial, Bluetooth, Wireless, and Infrared connections.

Demonstration: Configuring Power Plans

Question: Why are options such as what to do when I shut the power lid not configurable in the Wireless Adapter Settings, Power Saving Mode?

Answer: This virtual machine emulates a desktop computer, and those options are unavailable on desktop computers.


Detailed Demo Steps

Demonstration: Creating a Sync Partnership

Detailed demonstration steps

This demonstration shows how to configure the Windows Mobile Device Center and how to synchronize a Windows Mobile device.

Start the LON-DC1 and the LON-CL1 virtual machines. Leave them running throughout the duration of the module.

Create appointments and contacts in Outlook

1. Log on to LON-CL1 as Contoso\Administrator with the password Pa$$w0rd.

2. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Outlook 2007.

3. In the Outlook 2007 Startup wizard, click Next.

4. On the E-mail accounts page, click No, and then click Next.

5. On the Create Data File page, select the Continue with no e-mail support check box and then click Finish.

6. In the User Name dialog box, click OK.

7. If prompted, in the Welcome to the 2007 Microsoft Office System, click Next, click I don’t want to use Microsoft Update, and then click Finish.

8. If prompted, in the Microsoft Office Outlook dialog box, click No.

9. In Outlook, on the left, click Calendar.

10. In the results pane, click the Month tab and then double-click tomorrow.

11. In the Untitled – Event dialog box, in the Subject field, type “Quarterly meeting”.

12. In the Location field, type “Meeting room 1” and then click Save & Close.

13. If prompted with a reminder for the appointment, click Dismiss.

14. In Outlook, on the left, click Contacts.

15. On the menu, click New.

16. In the Untitled – Contact dialog box, in the Full Name field, type “Amy Rusko”.

17. In the Job title box, type “Production Manager” and then click Save & Close.

18. Close Outlook.

Configure Windows Mobile Device Center

1. Click Start, point to All Programs, and then click Windows Mobile Device Center.

2. In the Windows Mobile Device Center dialog box, click Accept.

3. In the Windows Mobile Device Center dialog box, click Mobile Device Settings and then click Connection settings.

4. In the Connection Settings dialog box, in the Allow connections to one of the following list, click DMA and then click OK.

5. In the User Account Control dialog box, in the User name box, type “administrator”.

6. In the Password box, type “Pa$$w0rd” and then click Yes.

7. Close Windows Mobile Device Center.

Connect the Windows Mobile device

1. Click Start, point to All Programs, click Windows Mobile 6 SDK, click Standalone Emulator Images, click US English, and then click WM 6.1.4 Professional.

2. Wait until the emulator has completed startup.

3. Click Start, point to All Programs, click Windows Mobile 6 SDK, click Tools, and then click Device Emulator Manager.

4. In the Device Emulator Manager dialog box, click the play symbol.

5. From the menu, click Actions and then click Cradle.

6. Close Device Emulator Manager.

Synchronize the Windows Mobile device

1. In the Windows Mobile Member Center dialog box, click Don’t Register.

2. In Windows Mobile Device Center, click Set up your device.

3. In the Set up Windows Mobile Partnership wizard, on the What kinds of items do you want to sync? page, click Next.

4. On the Ready to set up the Windows Mobile partnership page, click Set Up.

5. After synchronization is complete, close Windows Mobile Device Center.

Verify that data has been synchronized

1. On the Windows Mobile Device, click Start and then click Calendar.

2. Click tomorrow’s date. Is the Quarterly Meeting showing?

3. Click Start and then click Contacts. Are there contacts listed?

4. Close all open Windows. Do not save changes.

Demonstration: Configuring Power Plans

Detailed demonstration steps

This demonstration shows how to configure a power plan.

Create a power plan for Amy’s laptop

1. On LON-CL1, click Start and then click Control Panel.

2. Click System and Security, click Power Options, and then on the left, click Create a power plan.

3. On the Create a power plan page, click Power saver.

4. In the Plan name box, type “Amy’s plan” and then click Next.

5. On the Change settings for the plan: Amy’s plan page, in the Turn off the display box, click 5 minutes and then click Create.

Configure Amy’s power plan

1. In Power Options, under Amy’s plan, click Change plan settings.

2. On the Change settings for the plan: Amy’s plan page, click Change advanced power settings.

3. Configure the following properties for the plan and then click OK.

• Turn off hard disk after: 10 minutes

• Wireless Adapter Settings, Power Saving Mode: Maximum Power Saving

• Power buttons and lid, Power button action: Shut down

4. On the Change settings for the plan: Amy’s plan page, click Cancel.

5. Close Power Options.

Lesson 2

Configuring Remote Desktop and Remote Assistance for Remote Access

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

Demonstration: Configuring Remote Assistance

Question: Under what circumstances does one use Remote Desktop Connection or Remote Assistance?

Answer: Use Remote Desktop to access one computer from another remotely. For example, you can use Remote Desktop to connect to your work computer from home. You will have access to all of your programs, files, and network resources, as if you were sitting at your work computer.

Use Remote Assistance to give or receive assistance remotely. For example, a friend or a technical support person can remotely access your computer to help you with a computer problem or show you how to do something. You can help someone else the same way. In either case, both you and the other person see the same computer screen and will both be able to control the mouse pointer.

Detailed Demo Steps

Demonstration: Configuring Remote Assistance

Detailed demonstration steps

This demonstration shows how to enable and use Remote Assistance. Amy needs help with a Microsoft® Office Word feature. She requests assistance, and you provide guidance on the feature by using Remote Assistance.

Create a Microsoft Office Word 2007 document

1. If necessary, log on to the LON-CL1 virtual machine as Contoso\Don with a password of Pa$$w0rd.

2. Click Start, point to All Programs, click Microsoft Office, and then click Microsoft Office Word 2007.

3. In the Document window, type “This is my document”, and then click the Office button.

4. Click Save and then click Save again.

Request Remote Assistance

1. Click Start, and in the Search box, type “remote assistance”.

2. In the Programs list, click Windows Remote Assistance.

3. In the Windows Remote Assistance wizard, click Invite someone you trust to help you.

4. On the How do you want to invite someone to help you page, click Save this invitation as a file.

5. On the Save as page, in the File name box, type “\\LON-dc1\users\Public\Don’s-Invitation.msrcincident” and then click Save.

6. Note the password.

Provide Remote Assistance

1. Switch to the 6292A-LON-DC1 virtual machine and log on as Administrator with the password of Pa$$w0rd.

2. Open Windows Explorer, navigate to C:\Users\Public, and then double-click Don’s-Invitation.msrcincident.

3. In the Remote Assistance dialog box, in the Enter password box, type the password you noted in the previous task and then click OK.

4. Switch to the LON-CL1 virtual machine.

5. In the Windows Remote Assistance dialog box, click Yes.

6. Switch to the LON-DC1 virtual machine.

7. On the menu, click Request control.

8. Switch to the LON-CL1 virtual machine.

9. In the Windows Remote Assistance dialog box, click Yes.

10. Switch to the LON-DC1 virtual machine.

11. In Word, click the Review menu and select the text in the document window.

12. In the menu, click New Comment and then type “This is how you place a comment in a document”.

13. Click the cursor elsewhere in the document window.

14. In the Windows Remote Assistance – Helping Don menu, click Chat.

15. In the Chat window, type “Does that help?” and then press ENTER.

16. Switch to the LON-CL1 virtual machine.

17. Observe the message.

18. Type “Yes, thanks”, press ENTER, and then in the Menu, click Stop sharing.

19. Close all open windows.

20. Discard the file changes and then log off of LON-CL1.

21. Switch to the LON-DC1 virtual machine.

22. Close all open windows and then log off of LON-DC1.

Lesson 3

Configuring DirectAccess for Remote Access

Contents:

Question and Answers

Question and Answers

DirectAccess Requirements

Question: What is the certificate used for in DirectAccess?

Answer: To provide authentication.

Question: List three ways to deploy DirectAccess.

Answer: Three ways to deploy DirectAccess are as follows:

• DirectAccess Deployment Wizard - simplifies deployment. The wizard can create and export scripts, which can be reviewed, further customized, and applied manually.

• Custom Scripts - primarily uses netsh.exe and is more complex, but provides vast design flexibility.

• Group Policy - only supported for configuring clients, not DirectAccess servers.

Lesson 4

Configuring BranchCache for Remote Access

Contents:

Question and Answers

Detailed Demo Steps

Question and Answers

What Is BranchCache?

Question: How does BranchCache prevent malicious users from accessing content?

Answer: Malicious users are unable to access content that they are not authorized to view because cached content is encrypted.

How BranchCache Works

Question: Which BranchCache caching mode has a peer-to-peer architecture?

Answer: The distributed or cooperative caching mode has a peer-to-peer type of architecture; content is cached on Windows 7 clients after it is retrieved from a Windows Server 2008 R2 server. Then it is sent directly to other Windows 7 clients, as they need it, without those clients having to retrieve the same content over the WAN link.

BranchCache Requirements

Question: Which of the following operating systems is a requirement on client computers using BranchCache?

Answer: The answer(s) are in bold.

• Windows Server® 2008 R2

• Windows Vista®

• Windows® 7

• Windows XP®

Demonstration: Configuring BranchCache on a Windows 7 Client Computer

Question: What is the effect of having the Configure BranchCache for network files value set to zero (0)?

Answer: This is the acceptable round-trip delay time before caching is enabled. If you set a high value, then caching might not occur at all. Setting the value of zero means that all files in a share are cached, regardless of the delay.

Detailed Demo Steps

Demonstration: Configuring BranchCache on a Windows 7 Client Computer

Detailed demonstration steps

This demonstration shows how to enable and configure BranchCache.

Create and secure a shared folder

1. Log on to the LON-DC1 virtual machine as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, click Computer, and double-click Local Disk (C:).

3. In the menu, click New folder.

4. Type “BranchCache” and press ENTER.

5. Right-click BranchCache and then click Properties.

6. In the BranchCache Properties dialog box, on the Sharing tab, click Advanced Sharing.

7. In the Advanced Sharing dialog box, select the Share this folder check box and then click Permissions.

8. Click Remove and then click Add.

9. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) field, type “authenticated users”, click Check Names, and then click OK.

10. In the Permissions for Authenticated Users list, select the Allow check box next to Full Control and then click OK.

11. In the Advanced Sharing dialog box, click Caching.

12. Select the Enable BranchCache check box and then click OK.

13. In the Advanced Sharing dialog box, click OK.

14. In the BranchCache Properties dialog box, click the Security tab.

15. Click Edit and then click Add.

16. In the Select Users, Computers, Service Accounts, or Groups dialog box, in the Enter the object names to select (examples) field, type “Authenticated Users”, click Check Names, and then click OK.

17. In the Permissions for Authenticated Users list, select the Allow check box next to Full Control and then click OK.

18. In the BranchCache Properties dialog box, click the Close button.

Configure BranchCache Group Policy settings

1. On LON-DC1, click Start, point to Administrative Tools, and then click Group Policy Management.

2. In Group Policy Management, expand Forest: Contoso.com, expand Domains, expand Contoso.com, expand Group Policy Objects, click BranchCache, right-click BranchCache, and then click Edit.

3. Expand Computer Configuration, expand Policies, expand Administrative Templates, expand Network, and then click BranchCache.

4. Double-click Turn on BranchCache, click Enabled, and then click OK.

5. Double-click Set BranchCache Distributed Cache mode, click Enabled, and then click OK.

6. Double-click Configure BranchCache for network files, click Enabled, under Options type “0”, and then click OK.

7. Double-click Set percentage of disk space used for client computer cache, click Enabled, under Options, type “10”, and then click OK.

8. Close Group Policy Management Editor.

9. Close Group Policy Management.

10. Close all open windows.

Configure the client

1. Switch to the LON-CL1 computer and log on as Contoso\Administrator with a password of Pa$$w0rd.

2. Click Start, click Control Panel, click System and Security, and then click Windows Firewall.

3. In Windows Firewall, click Allow a program or feature through Windows Firewall.

4. Under Allowed programs and features, in the Name list, select the following check boxes and then click OK. Also ensure that the check box under Domain is selected.

• BranchCache – Content Retrieval (Uses HTTP)

• BranchCache – Peer Discovery (Uses WSD)

5. Close Windows Firewall.

6. Open a Command Prompt.

7. At the Command Prompt, type “gpupdate /force” and then press ENTER.

8. At the Command Prompt, type “netsh branchcache set service mode=DISTRIBUTED” and then press ENTER.

Verify the status of BranchCache

At the Command Prompt, type “netsh branchcache show status” and then press ENTER.
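
The "Configure the client" and "Verify the status of BranchCache" steps above, scripted as an added example that is not part of the courseware. It assumes an elevated PowerShell session on the Windows 7 client and that the firewall rule group names use a plain hyphen, as Windows stores them; Invoke-Tool is a hypothetical helper name.

```powershell
# Added example (not from the courseware): command-line form of the
# "Configure the client" and "Verify the status of BranchCache" steps.
# Run from an elevated PowerShell prompt on the Windows 7 client (LON-CL1).

# Hypothetical helper: echo a console command, run it, and stop on failure
# so that a failed step is not silently followed by the next one.
function Invoke-Tool {
    param([string]$Exe, [string[]]$ToolArgs)
    Write-Host ("> {0} {1}" -f $Exe, ($ToolArgs -join ' '))
    & $Exe $ToolArgs
    if ($LASTEXITCODE -ne 0) {
        throw ("{0} failed with exit code {1}" -f $Exe, $LASTEXITCODE)
    }
}

# Steps 2-5: enable the two predefined BranchCache firewall rule groups.
# Assumption: the group names use a plain hyphen, not the dash shown in print.
$ruleGroups = @(
    'BranchCache - Content Retrieval (Uses HTTP)',
    'BranchCache - Peer Discovery (Uses WSD)'
)
foreach ($group in $ruleGroups) {
    Invoke-Tool 'netsh' @('advfirewall', 'firewall', 'set', 'rule',
                          "group=$group", 'new', 'enable=yes')
}

# Step 7: apply the BranchCache Group Policy settings immediately.
Invoke-Tool 'gpupdate' @('/force')

# Step 8: put the BranchCache service into Distributed Cache mode.
Invoke-Tool 'netsh' @('branchcache', 'set', 'service', 'mode=DISTRIBUTED')

# Verify: the BranchCache service (peerdistsvc) must be running.
$svc = Get-Service -Name 'PeerDistSvc'
if ($svc.Status -ne 'Running') {
    throw ("PeerDistSvc is {0}; BranchCache is not active." -f $svc.Status)
}

# Verify: review the reported service mode and firewall rule state.
Invoke-Tool 'netsh' @('branchcache', 'show', 'status')
```

Enabling a rule group this way does not change which firewall profiles the rules apply to, so the Domain check box from step 4 still needs to be confirmed in Windows Firewall.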

Module Reviews and Takeaways

Review questions

Question 1: Amy wants to connect to the network wirelessly but is unable to, so she checks the Windows Mobility Center to turn on her wireless network adapter. She does not see it in the Windows Mobility Center. Why is that?

Answer: If a setting does not appear in the Windows Mobility Center, it might be because the requested hardware (such as a wireless network adapter) or drivers are missing.

Question 2: You have purchased a computer with Windows 7 Home edition. When you choose to use Remote Desktop to access another computer, you cannot find it in the OS. What is the problem?

Answer: Remote Desktop is not available in Windows 7 Home editions.

Question 3: You have some important files on your desktop work computer that you need to retrieve when you are at a client’s location with your laptop computer. What do you need to do on your desktop computer to ensure that you can download your files when at a customer site?

Answer: You need to configure remote access on your desktop computer. Select one of the access options in the Remote Settings tab of System from System and Security in Control panel.

Question 4: Your company recently purchased a Windows Server 2008 computer. You have decided to convert from a database server to a DirectAccess Server. What do you need to do before you can configure this computer with DirectAccess?

Answer: You will need to upgrade to Windows Server 2008 R2 and maybe upgrade to an IPv6 infrastructure and possibly install a second network adapter in the server.

Question 5: Amy needs to configure her Windows 7 client computer to take advantage of BranchCache. How can Amy configure the client to do this?

Answer: In Windows 7, BranchCache is off by default. Client configurations can be performed through Group Policy or manually on a per-client computer basis.

Common issues

Issue: BytesAddedToCache does not increase on the first client when accessing the BranchCache-enabled server.

Troubleshooting tip: The client computer may be retrieving content from the Internet Explorer cache. Be sure to clear the IE cache by selecting Internet Options from the Tools menu and clicking Delete. Ensure that BranchCache is enabled on the first client using the netsh branchcache show status command. If attempting to access a file share, verify that the latency between the client and server is higher than the minimum threshold. Ensure that the BranchCache feature is installed on the server and is enabled for the protocol under test. Check that the peerdistsvc service has started on both the client and the server. An intermediate proxy may alter the HTTP request coming from the client. Verify that the proxy does not modify the ACCEPT-ENCODING HTTP header. An intermediate proxy may downgrade the outgoing request from HTTP 1.1 to HTTP 1.0. If the symptom is specific to file traffic, ensure that the file is not in the transparent cache. Transparent cache is a secondary cache where the file is stored in addition to the BranchCache. Storing the file in the transparent cache enables subsequent reads of the file to be satisfied locally, improving end-user response times and saving WAN bandwidth. To delete transparently cached data, search for the Offline Files applet in Control Panel. Click the Disk Usage tab and then click Delete Temporary Files. Note that this will not clear the BranchCache cache.

Issue: BytesAddedToCache does increase on the first client when accessing the BranchCache enabled server. BytesFromCache does not increase on the second client when accessing the BranchCache enabled server. Deployment is Distributed Cache mode.

Troubleshooting tip: Ensure that BranchCache is enabled and that both clients are configured to use the same caching mode using the netsh branchcache show status command. Ensure that the correct firewall exceptions are set on both clients using the netsh branchcache show status command. Ensure that both clients are connected to the same subnet using the ipconfig command. Make sure the client cache is not full by using the netsh branchcache show status ALL command.

Issue: BytesAddedToCache does increase on the first client when accessing the BranchCache enabled server. BytesFromCache does not increase on the second client when accessing the BranchCache enabled server. Deployment is Hosted Cache mode.

Troubleshooting tip: Ensure that BranchCache is enabled and that both clients are configured to use the same caching mode using the netsh branchcache show status command. Verify basic connectivity from both client computers to the Hosted Cache using the ping command. Ensure that the correct firewall exceptions are set on both clients using the netsh branchcache show status command. Ensure that the correct firewall exceptions are set on the Hosted Cache server using the netsh branchcache show status command. Ensure that the certificate is properly installed and bound to port 443 on the Hosted Cache computer.

Issue: Netsh shows BranchCache firewall rules have not been set, even though they have been configured using Group Policy.

Troubleshooting tip: Netsh checks the predefined BranchCache firewall rule group. If you have not enabled the default exceptions defined for BranchCache on Windows 7, Netsh will not report your configuration correctly. This is likely to happen if you defined firewall rules for clients using Group Policy and you defined the Group Policy object on a computer running an operating system older than Windows 7 or Windows Server 2008 R2 (which will not have the BranchCache firewall rule group). Note that this does not mean BranchCache will not function.

Issue: A client computer is running slowly. Is BranchCache at fault?

Troubleshooting tip: Many computers drawing large amounts of content from one client in a short time period may impact desktop performance. Use performance monitor to check for high service rates to peers. Examine BytesServedToPeers relative to BytesFromCache and BytesFromServer. The BranchCache service runs isolated in its own service host. Examine the CPU and memory consumption of the service host process housing the branch caching service. Sustained high rates of service to peers may be evidence of a configuration problem in the branch office. Check to make sure that the other clients in the branch office are capable of serving data. Clear the cache on the affected client using the netsh branchcache flush command or reduce the cache size on the affected client.

Issue: A page fails to load or a share cannot be accessed.

Troubleshooting tip: When BranchCache is unable to retrieve data from a peer or from the Hosted Cache, the upper layer protocol will return to the server for content. If a failure occurs in the Branch Caching component, the upper layer protocol must seamlessly download content from the server. No BranchCache misconfiguration or failure will prevent the display of a Web page or connection to a share. If a failure does occur, use the Network Diagnostic Framework Diagnose button provided by Windows Explorer or Internet Explorer.

Issue: The client computer is unable to access the file share even when connected to the server.

Troubleshooting tip: If the client computer is unable to access a file share on the server due to the error Offline (network disconnected), restart the client computer and access the share again. If the client computer is unable to access a file share on the server due to the error Offline (slow connection), delete the temporarily cached data, restart the computer, and access the share. To delete temporarily cached data (the same as the transparent cache described above), search for the Offline Files applet in Control Panel. Click the Disk Usage tab, and then click Delete Temporary Files.

Lab Review Questions and Answers

Question: In exercise 2, you enabled the Remote Desktop feature through the firewall by editing the local firewall settings. Is there an alternative way in which you can make this change?

Answer: Yes, you can configure the settings through Group Policy on a domain controller. This enables you to apply the settings to a larger group of computers in a single administrative step.

Question: If you attempted to connect to Don’s computer from a computer out on the Internet somewhere, what additional settings must you consider?

Answer: It is likely that in addition to Don’s computer’s firewall settings, you will need to configure–or request configuration of–the corporate firewall. You will need to enable TCP port 3389 to support remote desktop. It is possible to use different ports over which to connect using Remote Desktop, but this must be configured at the computer to which you want to connect.

Question: In exercise 3, you established the necessary settings to support BranchCache in Distributed cache mode. If the Slough plant installed a file server, what other way can you implement BranchCache?

Answer: In Hosted cache mode, where the local server can be used to store cached documents for subsequent retrieval. The file server must be running Windows Server 2008.

Resources

Contents:

Microsoft Learning

Technet and MSDN Content

Communities

Microsoft Learning

This section describes various Microsoft Learning programs and offerings.

• Microsoft Skills Assessments

Describes the skills assessment options available through Microsoft.

• Microsoft Learning

Describes the training options available through Microsoft — face-to-face or self-paced.

• Microsoft Certification Program

Details how to become a Microsoft Certified Professional, Microsoft Certified Database Administrators, and more.

• Microsoft Learning Support

• To provide comments or feedback about the course, send e-mail to [email protected].

• To ask about the Microsoft Certification Program (MCP), send e-mail to [email protected]

Technet and MSDN Content

• Device Management and Installation

• Windows 7 Springboard Series

• Windows Internet Explorer 8 Technology Overview for Enterprise and IT Pros

• Microsoft Application Compatibility Toolkit (ACT) Version 5.5

• Best practices for Disk Management

• Search Help and Support for “standard account“ and “administrator account“. For information about groups

• Adding a Disk

• Choosing a file system: NTFS, FAT, or FAT32

• Format a basic volume

• Partition Styles

• Format a Dynamic Volume

• Create Partition or Logical Drive

• Windows System Image Manager Technical Reference

• Walkthrough: Create a Custom Windows PE Image

• Copy

• Oscdimg Command-Line Options

• Best Practices for Disk Management

MSDN

This section includes content from MSDN for this course.

• Performance Tuning Guidelines for Windows Server 2008

• Windows Device Class Fundamentals

• Driver Signing Requirements for Windows

• The new Application Compatibility Toolkit (ACT) with support for Internet Explorer 8 is available from MSDN

• Internet Explorer Application Compatibility

Communities

This section includes content from Communities for this course.

• Windows 7 hardware requirements

• List of the Device Stage experiences

• ACT 5.5

• Driver Signing Requirements for Windows

• Windows Hardware Requirements

• Internet Explorer 8: Home page

• Internet Explorer 8 newsgroups

• Internet Explorer 8 FAQ

• Information about anti-phishing strategies

• Internet Explorer 8: Help and Support

• Internet Explorer 8 Forum on TechNet

• Internet Explorer 8 Help Microsoft Knowledge Base article 923737

• Port Numbers

Send Us Your Feedback

You can search the Microsoft Knowledge Base for known issues at Microsoft Help and Support before submitting feedback. Search using either the course number and revision, or the course title.

Note: Not all training products will have a Knowledge Base article – if that is the case, please ask your instructor whether or not there are existing error log entries.

Courseware Feedback

Send all courseware feedback to [email protected]. We truly appreciate your time and effort. We review every e-mail received and forward the information on to the appropriate team. Unfortunately, because of volume, we are unable to provide a response but we may use your feedback to improve your future experience with Microsoft Learning products.

Reporting Errors

When providing feedback, include the training product name and number in the subject line of your e-mail. When you provide comments or report bugs, please include the following:

• Document or CD part number

• Page number or location

• Complete description of the error or suggested change

Please provide any details that are necessary to help us verify the issue.

Important: All errors and suggestions are evaluated, but only those that are validated are added to the product Knowledge Base article.

